From: Aaron Conole
To: jspewock@iol.unh.edu
Cc: ci@dpdk.org, Brandon Lo
Subject: Re: [PATCH v5 4/4] doc: add readme file for acvp_tool
References: <20230315172837.29736-1-jspewock@iol.unh.edu> <20230315172837.29736-5-jspewock@iol.unh.edu>
Date: Fri, 24 Mar 2023 09:34:02 -0400
In-Reply-To: <20230315172837.29736-5-jspewock@iol.unh.edu> (jspewock@iol.unh.edu's message of "Wed, 15 Mar 2023 13:28:38 -0400")

jspewock@iol.unh.edu writes:

> From: Brandon Lo
>
> This readme file contains instructions to set up
> and use the acvp_tool.
>
> Signed-off-by: Brandon Lo
>
> doc: updated out-of-date acvp_tool readme
>
> Signed-off-by: Jeremy Spewock
> ---

This part of the signature looks a bit strange - was it intended to be two patches? Or was it two patches squashed together?

> tools/acvp/README | 129 ++++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 129 insertions(+) > create mode 100644 tools/acvp/README > > diff --git a/tools/acvp/README b/tools/acvp/README > new file mode 100644 > index 0000000..23a1aef > --- /dev/null > +++ b/tools/acvp/README 
> @@ -0,0 +1,129 @@ > +The ACVP tool is a general tool for interacting with the NIST ACVP API > +in order to test different cryptographic implementations. > + > +It produces machine-readable output for parsing in a CI environment. > + > +Supported Algorithms > +-------------------- > +* AES-CBC > +* AES-CMAC > +* AES-GMAC > +* HMAC-SHA-1 > +* TDES-CBC > +* AES-CTR > + > +Requirements > +------------ > + > +There are also python packages you need to download from the requirements.txt file: > +* pyotp > +* requests > + > +Along with these, you will also need to install the `nasm` package using your local package manager. > + > +The tool expects that you have all the credential files from NIST: > +* Client certificate (usually a .cer file from NIST) > +* Key file for the certificate > +* Time-based one-time password seed file (usually a .txt file from NIST) > + > +The path to each file must be stored in an environment variable: > +* $ACVP_SEED_FILE = Path to the TOTP seed .txt file (given by NIST). > +* $ACVP_CERT_FILE = Path to the client .cer/.crt file (given by NIST). > +* $ACVP_KEY_FILE = Path to the certificate key file (generated by user). > + > +If you do not have the required files from NIST, you must email them > +to create demo credentials. > +https://pages.nist.gov/ACVP/#access > + > + > +Setup > +----- > + > +After setting the environment variables as described in the > +"Requirements" section, you will need to edit the acvp_config.json file. > + > +The acvp_config.json file is expected to be a json object > +containing two keys: "url" and "algorithms" > + > +"url" must be the base URL string of the API you want to use. > +"algorithms" must be an array of algorithm objects as detailed in the > +ACVP API specification here: > +https://github.com/usnistgov/ACVP/wiki/ACVTS-End-User-Documentation . 
In the case of the supported algorithms listed above, the only thing that will need to change in the config file is the `"algorithm"` field to match the name of the algorithm you would like to test. > +* In order to test AES-CTR you'll also have to remove the key `"ivGenMode"` > + > +Now you can use the acvp_tool.py script to register a test session, > +upload the results, and download the verdict. > + > +In order to run the DPDK sample application, there are a few libraries which must be installed: > +* Intel IPSec Multi-buffer (v1.3) > +``` > +git clone https://github.com/intel/intel-ipsec-mb.git > +cd intel-ipsec-mb > +git checkout v1.3 > +make -j 4 > +make install > +``` > +* FIPS Object Module > +``` > +curl -o openssl-fips-2.0.16.tar.gz https://www.openssl.org/source/openssl-fips-2.0.16.tar.gz > +tar xvfm openssl-fips-2.0.16.tar.gz > +cd openssl-fips-2.0.16 > +./config > +make > +make install > +``` > +* OpenSSL library > +``` > +curl -o openssl-1.0.2o.tar.gz https://www.openssl.org/source/openssl-1.0.2o.tar.gz > +export CFLAGS='-fPIC' > +tar xvfm openssl-1.0.2o.tar.gz > +cd openssl-1.0.2o > +./config shared fips > +make depend > +make > +``` > +Usage > +----- > +### Interacting with ACVP API > +To see all options available, use the --help flag. > + > +First, register and download a new test session with the tool: > + > + acvp_tool.py --request $DOWNLOAD_PATH > +The file written to $DOWNLOAD_PATH will contain both the session information and the test vectors. > + > +You should use the DPDK FIPS validation example application to test > +the vectors in this file. The example application will generate > +the result file which is uploaded back to the ACVP API. > + > +After running tests with the vector file, you can submit the result: > + > + acvp_tool.py --response $RESULT_PATH --upload > +where $RESULT_PATH is the path of the file containing the answers. 
> + > +Once you submit your results, you can do > + > + acvp_tool.py --response $RESULT_PATH --verdict $VERDICT_PATH > +where $VERDICT_PATH is where you want to save the verdict information. > +The verdict file will contain the result of each test case submitted. > + > +You can also combine the options: > + > + acvp_tool.py --response $RESULT_PATH --upload --verdict $VERDICT_PATH > + > +### Using the DPDK FIPS Validation Example Application > +First, you have to make sure that you configure DPDK to build the FIPS sample application before you compile with ninja > +``` > +#inside dpdk/ > +meson build --werror > +meson configure -Dexamples=fips_validation build > +sudo ninja -C build > +``` > +Once this has finished, you can now run the sample application and validate the test vectors. In order to run this validation step, you have to supply a valid crypto device and either a `*.json` or `*.req` file with vectors for validation. You can use the virtual device `crypto_aesni_mb` provided by the Intel IPSec Multi-buffer library and pass the JSON file containing test vectors from the ACVP API using `--req-file`. > + > +Example usage: > + > + #inside dpdk/ > + build/examples/dpdk-fips_validation --vdev crypto_aesni_mb -- --req-file aes-cbc-vectors.json --rsp-file aes-cbc-answers.rsp --cryptodev crypto_aesni_mb` > + > +The file path passed into `--rsp-file` will contain the validated vectors from the sample applications and can be passed to the ACVP API to receive a verdict on your results. > \ No newline at end of file
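
Review bot: The FIPS Object Module and OpenSSL library steps in the Setup section fetch `openssl-fips-2.0.16.tar.gz` and `openssl-1.0.2o.tar.gz` with curl and go straight to `./config` and `make` with no integrity check on the tarballs; because these builds back a cryptographic validation run, add a step that verifies each download against a published checksum or signature before unpacking. The OpenSSL library block also stops at `make` with no install step, so the README should say where the sample application is expected to find that build. In the FIPS validation section, `sudo ninja -C build` compiles the whole tree as root; build unprivileged and keep sudo for the step that actually needs it. The example command ends with a stray backtick after `--cryptodev crypto_aesni_mb`, the Requirements section opens with "There are also python packages" with nothing preceding it, and the file is missing its trailing newline.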