On Tue, Mar 28, 2023 at 4:27 AM Ali Alnubani <alialnu@nvidia.com> wrote:
> -----Original Message-----
> From: jspewock@iol.unh.edu <jspewock@iol.unh.edu>
> Sent: Monday, March 27, 2023 7:52 PM
> To: ci@dpdk.org
> Cc: Jeremy Spewock <jspewock@iol.unh.edu>
> Subject: [PATCH v6 4/4] doc: add readme file for acvp_tool
>
> From: Jeremy Spewock <jspewock@iol.unh.edu>
>
> updated out-of-date acvp_tool readme

This only describes the diff with Brandon's patch. The original commit message should have been kept instead and expanded if needed.

>
> Signed-off-by: Jeremy Spewock <jspewock@iol.unh.edu>
> ---
[..]
> +* FIPS Object Module
> +```
> +curl -o openssl-fips-2.0.16.tar.gz https://www.openssl.org/source/openssl-
> fips-2.0.16.tar.gz
> +tar xvfm openssl-fips-2.0.16.tar.gz
> +cd openssl-fips-2.0.16
> +./config
> +make
> +make install
> +```
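Review bot: The tarball fetched by the `curl -o openssl-fips-2.0.16.tar.gz` line goes straight into `./config`, `make` and `make install` with no integrity check in between. The README should add a step before `tar xvfm` that verifies the archive against the checksum or signature published alongside it, and `curl` should be given `--fail` so that an HTTP error page is not saved under the tarball's name. It would also help to state whether `make install` is expected to run as root, since none of the preceding steps need it.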

Is this module required even with recent versions of openssl?

In recent testing of the dependencies, when this module wasn't present there is inconsistent behavior that leads to errors.
 

> +* OpenSSL library
> +```
> +curl -o openssl-1.0.2o.tar.gz https://www.openssl.org/source/openssl-
> 1.0.2o.tar.gz
> +export CFLAGS='-fPIC'
> +tar xvfm openssl-1.0.2o.tar.gz
> +cd openssl-1.0.2o
> +./config shared fips
> +make depend
> +make
> +```
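Review bot: `export CFLAGS='-fPIC'` stays set for the rest of the shell session, so it also applies to anything built later in the same shell, such as the meson/ninja build of DPDK further down in this README. Set it only for the commands that need it, or unset it once this build is done. The steps also stop at `make`, with no install step and no note on where the resulting library is meant to be picked up from; the README should say which is intended.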

OpenSSL 1.0.2 is deprecated and probably vulnerable (https://www.openssl.org/news/vulnerabilities-1.0.2.html).
You're also only building locally here, and you aren't pointing DPDK build to it, so I doubt it's making a difference.

After doing some testing, it seems that this library is not needed in order to run the application and get passing vectors.
 

Can you please double check these dependencies?


These dependencies were actually taken from the test plan documentation written for running the FIPS sample application. This was the only documentation I could find that mentions the required libraries in order to run the sample application so I followed it as closely as I could. The only thing I had to change was the version of the IPsec library because it wouldn't build with this older outdated version. This documentation should likely be updated:

https://git.dpdk.org/tools/dts/tree/test_plans/fips_cryptodev_test_plan.rst
 
[..]
> +### Using the DPDK FIPS Validation Example Application
> +First, you have to make sure that you configure DPDK to build the FIPS
> sample application before you compile with ninja
> +```
> +#inside dpdk/
> +meson build --werror
> +meson configure -Dexamples=fips_validation build

You can combine them into a single command:
meson --werror  -Dexamples=fips_validation build

> +sudo ninja -C build
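Review bot: `sudo ninja -C build` runs the whole compile as root in a build directory that the two `meson` commands above created without sudo. That leaves root-owned files in `build/` and can make later unprivileged `ninja` or `meson configure` runs fail on permissions. Drop `sudo` on this line and reserve root for an explicit install step, if one is needed at all.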

You're only making local changes here. If sudo wasn't required for the meson commands, it won't be required for this one.

Additionally, I see the following warnings when applying the patch:

Applying: doc: add readme file for acvp_tool
.git/rebase-apply/patch:63: trailing whitespace.
* In order to test AES-CTR you'll also have to remove the key `"ivGenMode"`
.git/rebase-apply/patch:133: trailing whitespace.

Fixed in v7.
 

- Ali

Thanks,
Jeremy