15:00:53 <xek> #startmeeting barbican
15:00:53 <opendevmeet> Meeting started Mon Feb  3 15:00:53 2025 UTC and is due to finish in 60 minutes.  The chair is xek. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:53 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:53 <opendevmeet> The meeting name has been set to 'barbican'
15:01:00 <xek> #topic Roll Call
15:01:06 <rajiv> Heyy
15:01:06 <xek> Courtesy ping for dmendiza[m] ade_lee d34dh0r53 Luzi tosky tobias-urdin jjung mharley lpiwowar
15:01:17 <xek> o/
15:01:20 <xek> As usual our agenda can be found here:
15:01:28 <xek> #link https://etherpad.openstack.org/p/barbican-weekly-meeting
15:02:24 <rajiv> hope dmendiza[m] would be joining ?
15:02:58 <dmendiza[m]> 🙋
15:03:06 <rajiv> :)
15:03:29 <xek> #topic Review Past Meeting Action Items
15:03:43 <xek> #link https://meetings.opendev.org/meetings/barbican/2025/barbican.2025-01-27-15.08.html
15:03:50 <xek> There were no action items
15:03:56 <xek> #topic Liaison Updates
15:05:09 <xek> #link https://releases.openstack.org/epoxy/schedule.html
15:05:56 <xek> I see we have an Oslo feature freeze Feb 10 - Feb 14
15:06:29 <xek> which has bitten us in the past, since castellan is in oslo
15:07:58 <xek> #topic Open Discussion
15:08:42 <rajiv> Hi Doug, i wanted your view on https://bugs.launchpad.net/barbican/+bug/2036506/comments/34
15:09:18 <dmendiza[m]> looking ...
15:11:44 <dmendiza[m]> rajiv: looks like they fixed their docs?  But yeah, it's either CKM_AES_CBC or CKM_AES_GCM
15:11:54 <dmendiza[m]> GCM is preferred
15:12:13 <rajiv> Thales docs were updated after several follow-ups
15:12:32 <rajiv> i wanted to confirm here before proceeding with upgrades in production
15:12:59 <rajiv> second, the default was CKM_AES_CBC_PAD; if I change to CKM_AES_KEY_WRAP_KWP, will old keys be impacted? Old secrets can still be unwrapped using CKM_AES_CBC_PAD. New secrets will be wrapped using CKM_AES_KEY_WRAP_KWP.
15:13:03 <rajiv> is the above correct ?
15:13:35 <dmendiza[m]> I think so ... probably worth testing in a staging environment
15:14:35 <rajiv> I didn't have any issues in QA; also the patch was implemented > HSM firmware was upgraded > the barbican.conf wasn't upgraded, but all operations work well.
15:14:56 <rajiv> Hence, do I need to update the barbican.conf before or after upgrading the device firmware?
15:16:26 <dmendiza[m]> I would update the device firmware first
15:17:19 <rajiv> okay, to confirm: roll out the patch > update device firmware > deploy updated barbican.conf
15:20:10 <rajiv> apart from enabling HSM device logging, is there a way to check the key mechanisms currently used by barbican?
15:21:04 <dmendiza[m]> Barbican will use whatever is in the conf file for new secrets
15:21:16 <dmendiza[m]> and the metadata from the secret for existing secrets
15:21:31 <dmendiza[m]> I'm not sure we have any logging in any of the methods though.
15:21:43 <dmendiza[m]> Could be a good patch to contribute to enable debugging, rajiv
15:22:28 <rajiv> cool, noted :) do I need to raise a documentation request to get CKM_AES_CBC or CKM_AES_GCM updated in the docs?
15:23:46 <rajiv> lastly, the only point to remember is that CKM_AES_CBC and CKM_AES_CBC_PAD must not be used as wrapping mechanisms, as Luna HSMs do not allow them to be used as wrapping mechanisms in FIPS mode, and Barbican doesn't support CKM_AES_GCM for wrapping. We have the latest release firmware 7.8.7, and both CKM_AES_CBC and CKM_AES_GCM are supported for encryption/decryption, so I don't think either of them will be deprecated in FIPS mode for encryption/decryption.
15:25:02 <dmendiza[m]> Yeah, that sounds right.
15:25:15 <rajiv> then the barbican.conf below should be good, right?
15:25:17 <rajiv> encryption_mechanism = CKM_AES_GCM hmac_key_type = CKK_GENERIC_SECRET hmac_keygen_mechanism = CKM_GENERIC_SECRET_KEY_GEN hmac_mechanism = CKM_SHA256_HMAC key_wrap_mechanism = CKM_AES_KEY_WRAP_KWP aes_gcm_generate_iv = True
15:26:28 <dmendiza[m]> lgtm
15:27:15 <rajiv> aes_gcm_generate_iv should be True, right?
15:29:47 <dmendiza[m]> I'm not sure ... I was looking over my notes, and I've tested it with aes_gcm_generate_iv=False
15:30:09 <dmendiza[m]> What that does is let the HSM auto-generate the IV
15:30:20 <dmendiza[m]> when set to True it is Barbican that pre-generates the IV
15:30:50 <rajiv> okay, based on the docs:
15:30:51 <rajiv> # Generate IVs for CKM_AES_GCM mechanism. (boolean value) # Deprecated group/name - [p11_crypto_plugin]/generate_iv aes_gcm_generate_iv=True
15:35:37 <rajiv> have we confirmed KMIP support will be deprecated? we are implementing https://github.com/sapcc/PyKMIP/blob/master/kmip/services/server/barbican.py
15:38:01 <dmendiza[m]> It's untested, and probably won't work
15:38:07 <dmendiza[m]> so yeah, not currently supported by the core team
15:39:32 <rajiv> thanks for the answers :)
15:40:45 <xek> Great :) Let's check the bug list...
15:40:53 <xek> #topic Bug Review
15:41:18 <xek> There were no new bugs reported since our last meeting
15:41:39 <xek> That's it for today! See y'all next week!
15:41:40 <xek> #endmeeting