From: jspewock@iol.unh.edu
To: ci@dpdk.org
Cc: Jeremy Spewock
Subject: [PATCH v4 2/2] doc: updated out-of-date acvp_tool readme
Date: Tue, 14 Mar 2023 16:18:18 -0400
Message-Id: <20230314201818.19560-4-jspewock@iol.unh.edu>
In-Reply-To: <20230314201818.19560-2-jspewock@iol.unh.edu>
References: <20230314201818.19560-2-jspewock@iol.unh.edu>

From: Jeremy Spewock

This updates the readme to show current coverage of algorithms as well as how to set up a proper environment and run tests.

Signed-off-by: Jeremy Spewock
--- tools/acvp/README | 76 +++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 67 insertions(+), 9 deletions(-) diff --git a/tools/acvp/README b/tools/acvp/README index 0cd3acc..23a1aef 100644 --- a/tools/acvp/README +++ b/tools/acvp/README
@@ -3,23 +3,33 @@ in order to test different cryptographic implementations. It produces machine-readable output for parsing in a CI environment. +Supported Algorithms +-------------------- +* AES-CBC +* AES-CMAC +* AES-GMAC +* HMAC-SHA-1 +* TDES-CBC +* AES-CTR Requirements ------------ -There are also packages you need to download from the requirements.txt file: +There are also python packages you need to download from the requirements.txt file: * pyotp * requests +Along with these, you will also need to install the `nasm` package using your local package manager. + The tool expects that you have all the credential files from NIST: * Client certificate (usually a .cer file from NIST) * Key file for the certificate * Time-based one-time password seed file (usually a .txt file from NIST) The path to each file must be stored in an environment variable: -$ACVP_SEED_FILE = Path to the TOTP seed .txt file (given by NIST). -$ACVP_CERT_FILE = Path to the client .cer/.crt file (given by NIST). -$ACVP_KEY_FILE = Path to the certificate key file (generated by user). +* $ACVP_SEED_FILE = Path to the TOTP seed .txt file (given by NIST). +* $ACVP_CERT_FILE = Path to the client .cer/.crt file (given by NIST). +* $ACVP_KEY_FILE = Path to the certificate key file (generated by user). If you do not have the required files from NIST, you must email them to create demo credentials. 
@@ -38,34 +48,82 @@ containing two keys: "url" and "algorithms" "url" must be the base URL string of the API you want to use. "algorithms" must be an array of algorithm objects as detailed in the ACVP API specification here: -https://github.com/usnistgov/ACVP/wiki/ACVTS-End-User-Documentation +https://github.com/usnistgov/ACVP/wiki/ACVTS-End-User-Documentation . In the case of the supported algorithms listed above, the only thing that will need to change in the config file is the `"algorithm"` field to match the name of the algorithm you would like to test. +* In order to test AES-CTR you'll also have to remove the key `"ivGenMode"` Now you can use the acvp_tool.py script to register a test session, upload the results, and download the verdict. - +In order to run the DPDK sample application, there are a few libraries which must be installed: +* Intel IPSec Multi-buffer (v1.3) +``` +git clone https://github.com/intel/intel-ipsec-mb.git +cd intel-ipsec-mb +git checkout v1.3 +make -j 4 +make install +``` +* FIPS Object Module +``` +curl -o openssl-fips-2.0.16.tar.gz https://www.openssl.org/source/openssl-fips-2.0.16.tar.gz +tar xvfm openssl-fips-2.0.16.tar.gz +cd openssl-fips-2.0.16 +./config +make +make install +``` +* OpenSSL library +``` +curl -o openssl-1.0.2o.tar.gz https://www.openssl.org/source/openssl-1.0.2o.tar.gz +export CFLAGS='-fPIC' +tar xvfm openssl-1.0.2o.tar.gz +cd openssl-1.0.2o +./config shared fips +make depend +make +``` Usage ----- - +### Interacting with ACVP API To see all options available, use the --help flag. First, register and download a new test session with the tool: + acvp_tool.py --request $DOWNLOAD_PATH -The file written to $DOWNLOAD_PATH will contain both the session information -and the test vectors. +The file written to $DOWNLOAD_PATH will contain both the session information and the test vectors. You should use the DPDK FIPS validation example application to test the vectors in this file. 
The example application will generate the result file which is uploaded back to the ACVP API. After running tests with the vector file, you can submit the result: + acvp_tool.py --response $RESULT_PATH --upload where $RESULT_PATH is the path of the file containing the answers. Once you submit your results, you can do + acvp_tool.py --response $RESULT_PATH --verdict $VERDICT_PATH where $VERDICT_PATH is where you want to save the verdict information. The verdict file will contain the result of each test case submitted. You can also combine the options: + acvp_tool.py --response $RESULT_PATH --upload --verdict $VERDICT_PATH + +### Using the DPDK FIPS Validation Example Application +First, you have to make sure that you configure DPDK to build the FIPS sample application before you compile with ninja +``` +#inside dpdk/ +meson build --werror +meson configure -Dexamples=fips_validation build +sudo ninja -C build +``` +Once this has finished, you can now run the sample application and validate the test vectors. In order to run this validation step, you have to supply a valid crypto device and either a `*.json` or `*.req` file with vectors for validation. You can use the virtual device `crypto_aesni_mb` provided by the Intel IPSec Multi-buffer library and pass the JSON file containing test vectors from the ACVP API using `--req-file`. + +Example usage: + + #inside dpdk/ + build/examples/dpdk-fips_validation --vdev crypto_aesni_mb -- --req-file aes-cbc-vectors.json --rsp-file aes-cbc-answers.rsp --cryptodev crypto_aesni_mb` + +The file path passed into `--rsp-file` will contain the validated vectors from the sample applications and can be passed to the ACVP API to receive a verdict on your results. \ No newline at end of file -- 2.39.2
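Review bot: In the Requirements hunk (@@ -3,23 +3,33 @@), the added line "you will also need to install the `nasm` package" gives no reason for the dependency, and the only step in this patch that plausibly needs an assembler is the Intel IPSec Multi-buffer build added in the later hunk. Suggest moving the nasm requirement next to those build steps, or stating here what it is for. Since this section now bullets $ACVP_SEED_FILE and $ACVP_KEY_FILE, one more sentence saying that the TOTP seed and the certificate key are secrets and should be readable only by the account that runs acvp_tool.py would help CI operators. Nit: "python packages" should read "Python packages".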
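Review bot: In the library setup steps of the second hunk (@@ -38,34 +48,82 @@), both `curl -o openssl-fips-2.0.16.tar.gz ...` and `curl -o openssl-1.0.2o.tar.gz ...` go straight into `tar` and `make` with no integrity check, so a truncated download or an error page saved under the tarball name is unpacked and built unverified. Add a step that compares each archive against its published checksum or signature before unpacking, and use `curl -f` so an HTTP error does not leave a file behind. The example command at the end of the hunk ends with a stray backtick after `--cryptodev crypto_aesni_mb`, which leaves the shell waiting for a closing backtick when pasted; drop it. `sudo ninja -C build` runs the whole build as root and leaves a root-owned build directory, while the run example below it uses no sudo; build unprivileged and elevate only where a step needs it. The OpenSSL block stops at `make` while the other two blocks end in `make install`; say whether that is intentional. The rest of the README uses underlined headings and indented commands, so the new `###` headings and triple-backtick fences are inconsistent with it, and the file now ends without a trailing newline.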