Thales Luna HSM Firmware above v7.4.0 doesnt support CKM_AES_CBC_PAD with FIPS Mode Enabled
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Barbican |
Fix Released
|
Undecided
|
Douglas Mendizábal |
Bug Description
Hi,
After discussing with Thales Engineering, Thales Luna HSM Firmware above v7.4.0 doesnt support CKM_AES_CBC_PAD wrapping mechanism. Unless we fix this in Barbican, we cannot upgrade to the latest Thales HSM firmware version.
Can i setup a call with Thales Engineering to discuss this further ?
I also found SoftHSM also doesnt support CKM_AES_CBC_PAD wrapping mechanism, more details are provided here :
https:/
https:/
Please let me know if we need to test on my Thales Luna A790 network device or if further information is required.
Regards,
Rajiv
Rajiv Mucheli (rajiv.mucheli) wrote : | #1 |
Rajiv Mucheli (rajiv.mucheli) wrote : | #2 |
correct link : https:/
the wrap and unwrap key mechanism is CKM_AES_CBC_PAD
Changed in barbican: | |
assignee: | nobody → Douglas Mendizábal (dougmendizabal) |
status: | New → In Progress |
Douglas Mendizábal (dougmendizabal) wrote : | #3 |
According to Thales docs, CKM_AES_CBC_PAD is not supported for Wrap only when FIPS mode is enabled:
https:/
Rajiv Mucheli (rajiv.mucheli) wrote : | #4 |
Hi Doug,
Thanks for looking into this, until 7.3.3 wrapping is supported with FIPS MODE ENABLED. Is it possible to support this higher hsm firmware versions like 7.7.1 or higher with FIPS MODE ON ?
summary: |
Thales Luna HSM Firmware above v7.4.0 doesnt support CKM_AES_CBC_PAD + with FIPS Mode Enabled |
OpenStack Infra (hudson-openstack) wrote : Fix proposed to barbican (master) | #5 |
Fix proposed to branch: master
Review: https:/
Rajiv Mucheli (rajiv.mucheli) wrote : | #6 |
Hi Doug,
Thanks for the efforts, unfortunately i get the below error while post upgrading from 7.3.3 to 7.7.1 :
2024-10-28 09:59:08,910 7 INFO barbican.
2024-10-28 09:59:09,056 7 INFO barbican.
2024-10-28 09:59:09,183 7 INFO barbican.
2024-10-28 09:59:09,540 7 ERROR barbican.
2024-10-28 09:59:09,540 7 ERROR barbican.
2024-10-28 09:59:09,540 7 ERROR barbican.
2024-10-28 09:59:09,540 7 ERROR barbican.
2024-10-28 09:59:09,540 7 ERROR barbican.
2024-10-28 09:59:09,540 7 ERROR barbican.
2024-10-28 09:59:09,540 7 ERROR barbican.
2024-10-28 09:59:09,540 7 ERROR barbican.
2024-10-28 09:59:09,540 7 ERROR barbican.
2024-10-28 09:59:09,540 7 ERROR barbican.
2024-10-28 09:59:09,540 7 ERROR barbican.
2024-10-28 09:59:09,540 7 ERROR barbican.
2024-10-28 09:59:09,540 7 ERROR barbican.
2024-10-28 09:59:09,839 7 ERROR barbican.api.app [-] Failed to sync secret_stores table.: barbican.
2024-10-28 09:59:09,839 7 ERROR barbican.api.app Traceback (most recent call last):
2024-10-28 09:59:09,839 7 ERROR barbican.api.app File "/var/lib/
2024-10-28 09:59:09,839 7 ERROR barbican.api.app repositories.
2024-10-28 09:59:09,839 7 ERROR barbican.api.app File "/var/lib/
2024-10-28 09:59:09,839 7 ERROR barbican.api.app _initialize_
2024-10-28 09:59:09,839 7 ERROR barbican.api.app File "/var/lib/
Rajiv Mucheli (rajiv.mucheli) wrote : | #7 |
on disabling Secure Trust Channel on the device i can resolve 0x5 CKR_GENERAL_ERROR but i get the below while trying to create secrets on
Existing projects :
0xc0 CKR_SIGNATURE_
New projects :
0x71 CKR_MECHANISM_
Douglas Mendizábal (dougmendizabal) wrote : | #8 |
Rajiv, the patch is currently a WIP. You may want to wait to test it after the test is passing the gates.
Rajiv Mucheli (rajiv.mucheli) wrote : | #9 |
Hi, looks like Patch# 5 passed the tests, right time to test ?
Douglas Mendizábal (dougmendizabal) wrote : | #10 |
Hi @Rajiv, yeah, I'd be interested to know if this patch works with your luna device. The luna device I have access to is older, so I'm using CKM_AES_CBC_PAD as the wrapping algorithm. I'd be interested to know if this works for you with CKM_AES_
Rajiv Mucheli (rajiv.mucheli) wrote : | #11 |
Hi Doug,
i get :
./lunacm
lunacm (64-bit) v10.7.0-255. Copyright (c) 2023 Thales Group. All rights reserved.
Error getting PKCS #11 function pointers: 54
barbican logs show :
2024-11-07 11:25:00,834 7 ERROR barbican.
2024-11-07 11:25:00,834 7 ERROR barbican.
2024-11-07 11:25:00,834 7 ERROR barbican.
2024-11-07 11:25:00,834 7 ERROR barbican.
2024-11-07 11:25:00,834 7 ERROR barbican.
2024-11-07 11:25:00,834 7 ERROR barbican.
Douglas Mendizábal (dougmendizabal) wrote : | #12 |
Rajiv, The Barbican logs you pasted make it seem like your environment does not have the latest patch. Specifically:
2024-11-07 11:25:00,834 7 ERROR barbican.
line 878 in the latest patch (Patchset 5) is mech.mechanism = self.hmac_mechanism
It looks like Patchset 3 is the one with _check_error in line 878. Please ensure you're using Patchest 5 and try again.
Rajiv Mucheli (rajiv.mucheli) wrote : | #13 |
i am unsure if its a vendor issue now, i get the below if STC is disabled on the HSM config :
root@barbican-
lunacm (64-bit) v10.7.0-255. Copyright (c) 2023 Thales Group. All rights reserved.
Error getting PKCS #11 function pointers: 54
root@barbican-
Barbican logs are :
2024-11-11 08:50:41,087 7 ERROR barbican.
2024-11-11 08:50:41,087 7 ERROR barbican.
2024-11-11 08:50:41,087 7 ERROR barbican.
2024-11-11 08:50:41,087 7 ERROR barbican.
2024-11-11 08:50:41,087 7 ERROR barbican.
2024-11-11 08:50:41,087 7 ERROR barbican.
2024-11-11 08:50:41,087 7 ERROR barbican.
2024-11-11 08:50:41,087 7 ERROR barbican.
Douglas Mendizábal (dougmendizabal) wrote : | #14 |
@Rajiv, Check `vtl verify` to ensure you are set up to connect to the HSM correctly. It should show the relevant partition in slot O.
If `vtl verify` works then it's likely that your barbican process does not have the correct linux permissions to use the client software.
Depending on how you're running the barbican process, you may need to add theh `hsmusers` group to the user running the process or edit the devstack systemd unit to ensure barbican-svc is running with the GID corresponding to `hsmusers`.
Rajiv Mucheli (rajiv.mucheli) wrote : | #15 |
Hi Doug,
There seem to be issues with STC configuration post upgrading to 7.7.1 version, disabling STC works well on minimal client 10.7.0 and 10.7.2. I have raised a vendor ticket to validate this.
Regards,
Rajiv
Rajiv Mucheli (rajiv.mucheli) wrote : | #16 |
Hi Doug,
Firmware 7.7.0 and above introduced a new token format config/
Thanks for the efforts, to confirm this patch will be compatible with firmware 7.3.3 as well right ? i am asking this since, i will need to introduce this patch first and then upgrade the HSM firmware.
Lastly, my locust and tempest tests are also green, hence i presume everything works well ? the barbican backend docu is also updated. I will ask Thales to update their documentations
Regards,
Rajiv
OpenStack Infra (hudson-openstack) wrote : Fix merged to barbican (master) | #17 |
Reviewed: https:/
Committed: https:/
Submitter: "Zuul (22348)"
Branch: master
commit 0d4101fa5da52f2
Author: Douglas Mendizábal <email address hidden>
Date: Fri Oct 25 16:45:58 2024 -0400
Configure mechanism for wrapping pKEKs
The PKCS#11 backend key-wraps (encrypts) the project-specific Key
Encryption Keys (pKEKs) using the master encryption key (MKEK).
The mechanism for wrapping/unwrapping the keys was hard-coded to use
CKM_
mechanism configurable.
This is necessary to fix Bug #2036506 because some PKCS#11 devices and
software implementations no longer allow CKM_AES_CBC_PAD to be used for
key wrapping.
Supported key wrap mechanisms now include:
* CKM_AES_CBC_PAD
* CKM_AES_
* CKM_AES_
Closes-Bug: #2036506
Change-Id: Ic2009a2a55622b
Changed in barbican: | |
status: | In Progress → Fix Released |
OpenStack Infra (hudson-openstack) wrote : Fix proposed to barbican (master) | #18 |
Fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Fix proposed to barbican (stable/2024.2) | #19 |
Fix proposed to branch: stable/2024.2
Review: https:/
Rajiv Mucheli (rajiv.mucheli) wrote (last edit ): | #20 |
To confirm which mechanism is Barbican supporting now, CKM_AES_CBC_PAD ?
But Thales firmware doc says mechanism this cannot wrap on FIPS mode enabled :
https:/
This also needs to be updated in the Thales Openstack Barbican integration guide.
Douglas Mendizábal (dougmendizabal) wrote : | #21 |
@Rajiv, thanks for testing the patch. Now that the change has merged barbican supports these mechanisms:
* CKM_AES_
* CKM_AES_
* CKM_AES_CBC_PAD
If available, you should use CKM_AES_
OpenStack Infra (hudson-openstack) wrote : Fix merged to barbican (master) | #22 |
Reviewed: https:/
Committed: https:/
Submitter: "Zuul (22348)"
Branch: master
commit 7b36764cd12781b
Author: Douglas Mendizabal <email address hidden>
Date: Thu Nov 14 15:39:37 2024 -0500
Fix typo in wrap_key function
This patch fixes a typo in one of the mechanisms in the
PKCS11.
Closes-Bug: #2036506
Change-Id: I0b4b43cc64a2c1
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to barbican (master) | #23 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix merged to barbican (master) | #24 |
Reviewed: https:/
Committed: https:/
Submitter: "Zuul (22348)"
Branch: master
commit bae6737cb33ebe4
Author: Douglas Mendizabal <email address hidden>
Date: Tue Nov 19 14:45:18 2024 -0500
Increase unit testing coverage for PKCS#11
This patch adds a few tests to increase the test coverage for the
PKCS#11 backend.
Related-Bug: #2036506
Change-Id: I3a95d3c1bedb42
OpenStack Infra (hudson-openstack) wrote : Fix merged to barbican (stable/2024.2) | #25 |
Reviewed: https:/
Committed: https:/
Submitter: "Zuul (22348)"
Branch: stable/2024.2
commit b5841df387e5ab3
Author: Douglas Mendizábal <email address hidden>
Date: Fri Oct 25 16:45:58 2024 -0400
Configure mechanism for wrapping pKEKs
The PKCS#11 backend key-wraps (encrypts) the project-specific Key
Encryption Keys (pKEKs) using the master encryption key (MKEK).
The mechanism for wrapping/unwrapping the keys was hard-coded to use
CKM_
mechanism configurable.
This is necessary to fix Bug #2036506 because some PKCS#11 devices and
software implementations no longer allow CKM_AES_CBC_PAD to be used for
key wrapping.
Supported key wrap mechanisms now include:
* CKM_AES_CBC_PAD
* CKM_AES_
* CKM_AES_
This patch also includes two additional patches so they can all be
tested at the same time:
Fix typo in wrap_key function
This patch fixes a typo in one of the mechanisms in the
PKCS11.
and
Increase unit testing coverage for PKCS#11
This patch adds a few tests to increase the test coverage for the
PKCS#11 backend.
Closes-Bug: #2036506
Change-Id: Ic2009a2a55622b
(cherry picked from commit 0d4101fa5da52f2
(cherry picked from commit 7b36764cd12781b
(cherry picked from commit bae6737cb33ebe4
OpenStack Infra (hudson-openstack) wrote : Fix proposed to barbican (stable/2024.1) | #26 |
Fix proposed to branch: stable/2024.1
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Fix merged to barbican (stable/2024.1) | #27 |
Reviewed: https:/
Committed: https:/
Submitter: "Zuul (22348)"
Branch: stable/2024.1
commit 6945564c4c3c820
Author: Douglas Mendizábal <email address hidden>
Date: Fri Oct 25 16:45:58 2024 -0400
Configure mechanism for wrapping pKEKs
The PKCS#11 backend key-wraps (encrypts) the project-specific Key
Encryption Keys (pKEKs) using the master encryption key (MKEK).
The mechanism for wrapping/unwrapping the keys was hard-coded to use
CKM_
mechanism configurable.
This is necessary to fix Bug #2036506 because some PKCS#11 devices and
software implementations no longer allow CKM_AES_CBC_PAD to be used for
key wrapping.
Supported key wrap mechanisms now include:
* CKM_AES_CBC_PAD
* CKM_AES_
* CKM_AES_
This patch also includes two additional patches so they can all be
tested at the same time:
Fix typo in wrap_key function
This patch fixes a typo in one of the mechanisms in the
PKCS11.
and
Increase unit testing coverage for PKCS#11
This patch adds a few tests to increase the test coverage for the
PKCS#11 backend.
Closes-Bug: #2036506
Change-Id: Ic2009a2a55622b
(cherry picked from commit 0d4101fa5da52f2
(cherry picked from commit 7b36764cd12781b
(cherry picked from commit bae6737cb33ebe4
(cherry picked from commit b5841df387e5ab3
OpenStack Infra (hudson-openstack) wrote : Fix proposed to barbican (stable/2023.2) | #28 |
Fix proposed to branch: stable/2023.2
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Fix merged to barbican (stable/2023.2) | #29 |
Reviewed: https:/
Committed: https:/
Submitter: "Zuul (22348)"
Branch: stable/2023.2
commit 20e4946cb8ae5c3
Author: Douglas Mendizábal <email address hidden>
Date: Fri Oct 25 16:45:58 2024 -0400
Configure mechanism for wrapping pKEKs
The PKCS#11 backend key-wraps (encrypts) the project-specific Key
Encryption Keys (pKEKs) using the master encryption key (MKEK).
The mechanism for wrapping/unwrapping the keys was hard-coded to use
CKM_
mechanism configurable.
This is necessary to fix Bug #2036506 because some PKCS#11 devices and
software implementations no longer allow CKM_AES_CBC_PAD to be used for
key wrapping.
Supported key wrap mechanisms now include:
* CKM_AES_CBC_PAD
* CKM_AES_
* CKM_AES_
This patch also includes two additional patches so they can all be
tested at the same time:
Fix typo in wrap_key function
This patch fixes a typo in one of the mechanisms in the
PKCS11.
and
Increase unit testing coverage for PKCS#11
This patch adds a few tests to increase the test coverage for the
PKCS#11 backend.
Closes-Bug: #2036506
Change-Id: Ic2009a2a55622b
(cherry picked from commit 0d4101fa5da52f2
(cherry picked from commit 7b36764cd12781b
(cherry picked from commit bae6737cb33ebe4
(cherry picked from commit b5841df387e5ab3
(cherry picked from commit 6945564c4c3c820
OpenStack Infra (hudson-openstack) wrote : Fix proposed to barbican (stable/2023.1) | #30 |
Fix proposed to branch: stable/2023.1
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Change abandoned on barbican (stable/2023.1) | #31 |
Change abandoned by "Dr. Jens Harbott <email address hidden>" on branch: stable/2023.1
Review: https:/
Reason: stable/2023.1 branch of openstack/barbican is about to be deleted. To be able to do that, all open patches need to be abandoned. Please cherry pick the patch to unmaintained/2023.1 if you want to further work on this patch.
FYI : https:/ /opendev. org/openstack/ barbican/ src/branch/ master/ barbican/ plugin/ crypto/ pkcs11. py#L142
My production is running on Openstack Barbican Zed Release, i am planning to upgrade to Bobcat once the release is available