From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 7FCF242852 for ; Mon, 27 Mar 2023 18:52:19 +0200 (CEST) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 7C32741140; Mon, 27 Mar 2023 18:52:19 +0200 (CEST) Received: from mail-il1-f226.google.com (mail-il1-f226.google.com [209.85.166.226]) by mails.dpdk.org (Postfix) with ESMTP id DE8DA410D0 for ; Mon, 27 Mar 2023 18:52:17 +0200 (CEST) Received: by mail-il1-f226.google.com with SMTP id h7so4925383ila.5 for ; Mon, 27 Mar 2023 09:52:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iol.unh.edu; s=unh-iol; t=1679935937; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=mzmTDx0wy5JgPQxklameSlNNQF1ipaq2GWjQLSWvbwg=; b=aBEXbz/Pz4A3E31rHfOeJnTHmmTghiiK8Kt9ivwQFxGYIN0Iuvi2jYs/Xys4ytt0gD uKrKqBZ0OMu4Wxwy/CrxtC6P60JvevxJzoKA0dJwx0QP7WbZshwcP0r6oHeeZG5jMbzj H/vgaYUwHmWQlbtWX94lZ+/PS+07NEl32as8o= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1679935937; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=mzmTDx0wy5JgPQxklameSlNNQF1ipaq2GWjQLSWvbwg=; b=r2eXjA2YUrkLdxspL+xoyFKkhUbZOdU9RMY/zTKd+CDewhXjlfZ0tGR+Zn899bMGd+ Ro4QsZvCeVOrTBwhD5+S4/T573aH77Cvm7kTql+JUMOr53qsRydp/NAvfcW9YtYIgv0R hXpNbdaxAUDqbn+eBoQmG2DMbO5rrl7OCnh0GyG2CKTDLDquH3T49a0fqodHwXYCAlzt Wa4enfr6TPuFiJpkeOFWpvS5HIn0y38Jm4y7T8AS1hNGTp9VXG7UDU6oHS/XTC9R5+K6 B/JcnPwBr1ucRYM1nqkX/zpvmwLcLN3XDKDGSGmy1u3+X0ul8WsZAwk4F4xuxO3mCIGR EbFg== X-Gm-Message-State: AAQBX9cmSG3A+bLijoaojqgq4bcD2OwSiLgnMKUkHWfbAIrycMataKZe MO4m1EC5kD5W4o9r2fXgKJhq/roX+1pgsXJGA1W7Swcgi/Gb6BqX8ur0ZuliZRxbMdPfOG7yPIC U59m5ZiiBYuY1SQoDcWCimpVhjF1P+ZWKIaf1PT6YqkwGx7JkqoUV3rR5pKadxQ7NgX5du+eiLF uBUczOE9LgF2aH17NYkjRI X-Google-Smtp-Source: AKy350ZPs8n9JLv+Jp19Z/ZWxXhLTnameyPl6+wSh6nHVDHYYTEhsS3uiz44SywR5igwti85VUp36k5FXtJz X-Received: by 2002:a92:da11:0:b0:325:b002:89b4 with SMTP id z17-20020a92da11000000b00325b00289b4mr9668604ilm.25.1679935937140; Mon, 27 Mar 2023 09:52:17 -0700 (PDT) Received: from postal.iol.unh.edu (postal.iol.unh.edu. [2606:4100:3880:1234::84]) by smtp-relay.gmail.com with ESMTPS id c1-20020a023301000000b003eaee322970sm3832325jae.46.2023.03.27.09.52.16 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 27 Mar 2023 09:52:17 -0700 (PDT) X-Relaying-Domain: iol.unh.edu Received: from iol.unh.edu (unknown [IPv6:2606:4100:3880:1270:18f3:d3c6:6ea1:6406]) by postal.iol.unh.edu (Postfix) with ESMTP id 8CBCA605246B; Mon, 27 Mar 2023 12:52:16 -0400 (EDT) From: jspewock@iol.unh.edu To: ci@dpdk.org Cc: Jeremy Spewock Subject: [PATCH v6 4/4] doc: add readme file for acvp_tool Date: Mon, 27 Mar 2023 12:51:41 -0400 Message-Id: <20230327165141.7916-6-jspewock@iol.unh.edu> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20230327165141.7916-2-jspewock@iol.unh.edu> References: <20230327165141.7916-2-jspewock@iol.unh.edu> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: ci@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK CI discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ci-bounces@dpdk.org From: Jeremy Spewock updated out-of-date acvp_tool readme Signed-off-by: Jeremy Spewock --- tools/acvp/README | 129 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 129 insertions(+) create mode 100644 tools/acvp/README diff --git a/tools/acvp/README b/tools/acvp/README new file mode 100644 index 0000000..23a1aef --- /dev/null +++ b/tools/acvp/README @@ -0,0 +1,129 @@ +The ACVP tool is a general tool for interacting with the NIST ACVP API +in order to test different cryptographic implementations. + +It produces machine-readable output for parsing in a CI environment. + +Supported Algorithms +-------------------- +* AES-CBC +* AES-CMAC +* AES-GMAC +* HMAC-SHA-1 +* TDES-CBC +* AES-CTR + +Requirements +------------ + +There are also python packages you need to download from the requirements.txt file: +* pyotp +* requests + +Along with these, you will also need to install the `nasm` package using your local package manager. + +The tool expects that you have all the credential files from NIST: +* Client certificate (usually a .cer file from NIST) +* Key file for the certificate +* Time-based one-time password seed file (usually a .txt file from NIST) + +The path to each file must be stored in an environment variable: +* $ACVP_SEED_FILE = Path to the TOTP seed .txt file (given by NIST). +* $ACVP_CERT_FILE = Path to the client .cer/.crt file (given by NIST). +* $ACVP_KEY_FILE = Path to the certificate key file (generated by user). + +If you do not have the required files from NIST, you must email them +to create demo credentials. +https://pages.nist.gov/ACVP/#access + + +Setup +----- + +After setting the environment variables as described in the +"Requirements" section, you will need to edit the acvp_config.json file. + +The acvp_config.json file is expected to be a json object +containing two keys: "url" and "algorithms" + +"url" must be the base URL string of the API you want to use. +"algorithms" must be an array of algorithm objects as detailed in the +ACVP API specification here: +https://github.com/usnistgov/ACVP/wiki/ACVTS-End-User-Documentation . In the case of the supported algorithms listed above, the only thing that will need to change in the config file is the `"algorithm"` field to match the name of the algorithm you would like to test. +* In order to test AES-CTR you'll also have to remove the key `"ivGenMode"` + +Now you can use the acvp_tool.py script to register a test session, +upload the results, and download the verdict. + +In order to run the DPDK sample application, there are a few libraries which must be installed: +* Intel IPSec Multi-buffer (v1.3) +``` +git clone https://github.com/intel/intel-ipsec-mb.git +cd intel-ipsec-mb +git checkout v1.3 +make -j 4 +make install +``` +* FIPS Object Module +``` +curl -o openssl-fips-2.0.16.tar.gz https://www.openssl.org/source/openssl-fips-2.0.16.tar.gz +tar xvfm openssl-fips-2.0.16.tar.gz +cd openssl-fips-2.0.16 +./config +make +make install +``` +* OpenSSL library +``` +curl -o openssl-1.0.2o.tar.gz https://www.openssl.org/source/openssl-1.0.2o.tar.gz +export CFLAGS='-fPIC' +tar xvfm openssl-1.0.2o.tar.gz +cd openssl-1.0.2o +./config shared fips +make depend +make +``` +Usage +----- +### Interacting with ACVP API +To see all options available, use the --help flag. + +First, register and download a new test session with the tool: + + acvp_tool.py --request $DOWNLOAD_PATH +The file written to $DOWNLOAD_PATH will contain both the session information and the test vectors. + +You should use the DPDK FIPS validation example application to test +the vectors in this file. The example application will generate +the result file which is uploaded back to the ACVP API. + +After running tests with the vector file, you can submit the result: + + acvp_tool.py --response $RESULT_PATH --upload +where $RESULT_PATH is the path of the file containing the answers. + +Once you submit your results, you can do + + acvp_tool.py --response $RESULT_PATH --verdict $VERDICT_PATH +where $VERDICT_PATH is where you want to save the verdict information. +The verdict file will contain the result of each test case submitted. + +You can also combine the options: + + acvp_tool.py --response $RESULT_PATH --upload --verdict $VERDICT_PATH + +### Using the DPDK FIPS Validation Example Application +First, you have to make sure that you configure DPDK to build the FIPS sample application before you compile with ninja +``` +#inside dpdk/ +meson build --werror +meson configure -Dexamples=fips_validation build +sudo ninja -C build +``` +Once this has finished, you can now run the sample application and validate the test vectors. In order to run this validation step, you have to supply a valid crypto device and either a `*.json` or `*.req` file with vectors for validation. You can use the virtual device `crypto_aesni_mb` provided by the Intel IPSec Multi-buffer library and pass the JSON file containing test vectors from the ACVP API using `--req-file`. + +Example usage: + + #inside dpdk/ + build/examples/dpdk-fips_validation --vdev crypto_aesni_mb -- --req-file aes-cbc-vectors.json --rsp-file aes-cbc-answers.rsp --cryptodev crypto_aesni_mb` + +The file path passed into `--rsp-file` will contain the validated vectors from the sample applications and can be passed to the ACVP API to receive a verdict on your results. \ No newline at end of file -- 2.40.0