From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id F3C79428C5 for ; Mon, 3 Apr 2023 20:40:23 +0200 (CEST) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id EE90540A7E; Mon, 3 Apr 2023 20:40:23 +0200 (CEST) Received: from mail-pj1-f97.google.com (mail-pj1-f97.google.com [209.85.216.97]) by mails.dpdk.org (Postfix) with ESMTP id 5CD22400D6 for ; Mon, 3 Apr 2023 20:40:22 +0200 (CEST) Received: by mail-pj1-f97.google.com with SMTP id fy10-20020a17090b020a00b0023b4bcf0727so31555473pjb.0 for ; Mon, 03 Apr 2023 11:40:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iol.unh.edu; s=unh-iol; t=1680547221; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=aMj98PsKH8WsF2XvClqSwRZOf/Mc2pZmiK3i2doI17w=; b=gAxFmtblTYGJd0hNKRSMpz9qy6eyjTdea6riYGEFTFShwqVGHq8Mk3TRbo5+0eLLsa DvJbPoWKc5UIOBDm3pTwn/IqFLaL8ZEhnGUTrGy/DibVtav+KiBzA0wVs4Q3l2yjfCWM LRcrj4uhgYpkx+HflpoSuaSvHXo/2C5s9HIC4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680547221; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=aMj98PsKH8WsF2XvClqSwRZOf/Mc2pZmiK3i2doI17w=; b=A/U5Ah2wupC1BNDV+isu/r5faHKKT2ZJMFLomyIViJqvbPB2hF/38dwk3padzTOOae Lrut3Ou4mUY1y2Xwv6ei08XGPZ6lXQaCGFqOmqiI3IYUrtCRen9luC5uIaoyJNw3zOaG kKzECMIgf3BXBqBzYPoPeLAIY6H9IJHYsBFLVKkUN8NFjdyE5+/g33mpDFvnMOWlQb0+ qHRXH28uKghmgCkITvRF5KtHErN2I+u4ZaDZe3cIQd2XS75UI9KH+RAP27ssL4T1H+1D F5tUXC05KW2bTG28sEEpE7qOwsUqbEPO87pBvcxFX5U1gsiSjS7pfsddgtZhOb/YsAV9 dirw== X-Gm-Message-State: AAQBX9d5t9CdrjTtN6stq3v9xjqnDPIpXY6HRETVgQaVM/tztZoE4vzD T+Wj6qiJbwkkhy0539ENCOlDBR+WQUlCxbiA19jougVSA+7CEC7OH6Y7ILpDOfpgJOXLZH41LSj 7y5jjDCkwwOQmyle5bbyOY0hDXMdv77388L3iuGkVJMxpoBZN1dwWIgO7K57wu6lND8AHFRe16i vb7x8bIOcd2qrZnHvSPZcl X-Google-Smtp-Source: AKy350Z9Bt0j7njBKOrVVf6R5WeU35mMBetXXFbnXMNc4KZXY88h56nccqzYLNpvqmfGOo+7HGmgzoVZcaA+ X-Received: by 2002:a17:90b:3a81:b0:237:ae7c:1594 with SMTP id om1-20020a17090b3a8100b00237ae7c1594mr40536943pjb.8.1680547221520; Mon, 03 Apr 2023 11:40:21 -0700 (PDT) Received: from postal.iol.unh.edu (postal.iol.unh.edu. [2606:4100:3880:1234::84]) by smtp-relay.gmail.com with ESMTPS id ei3-20020a17090ae54300b0022c1e608796sm1572253pjb.15.2023.04.03.11.40.21 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 03 Apr 2023 11:40:21 -0700 (PDT) X-Relaying-Domain: iol.unh.edu Received: from iol.unh.edu (unknown [IPv6:2606:4100:3880:1220:58fe:317e:37bd:a524]) by postal.iol.unh.edu (Postfix) with ESMTP id A837E605246B; Mon, 3 Apr 2023 14:40:20 -0400 (EDT) From: jspewock@iol.unh.edu To: ci@dpdk.org Cc: Brandon Lo , Jeremy Spewock Subject: [PATCH v7 4/4] doc: add readme file for acvp_tool Date: Mon, 3 Apr 2023 14:39:30 -0400 Message-Id: <20230403183930.12001-6-jspewock@iol.unh.edu> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20230403183930.12001-2-jspewock@iol.unh.edu> References: <20230403183930.12001-2-jspewock@iol.unh.edu> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: ci@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK CI discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ci-bounces@dpdk.org From: Brandon Lo This readme file contains instructions to set up and use the acvp_tool. Signed-off-by: Brandon Lo Signed-off-by: Jeremy Spewock --- tools/acvp/README | 118 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 118 insertions(+) create mode 100644 tools/acvp/README diff --git a/tools/acvp/README b/tools/acvp/README new file mode 100644 index 0000000..e89828a --- /dev/null +++ b/tools/acvp/README @@ -0,0 +1,118 @@ +The ACVP tool is a general tool for interacting with the NIST ACVP API +in order to test different cryptographic implementations. + +It produces machine-readable output for parsing in a CI environment. + +Supported Algorithms +-------------------- +* AES-CBC +* AES-CMAC +* AES-GMAC +* HMAC-SHA-1 +* TDES-CBC +* AES-CTR + +Requirements +------------ + +There are also python packages you need to download from the requirements.txt file: +* pyotp +* requests + +Along with these, you will also need to install the `nasm` package using your local package manager. + +The tool expects that you have all the credential files from NIST: +* Client certificate (usually a .cer file from NIST) +* Key file for the certificate +* Time-based one-time password seed file (usually a .txt file from NIST) + +The path to each file must be stored in an environment variable: +* $ACVP_SEED_FILE = Path to the TOTP seed .txt file (given by NIST). +* $ACVP_CERT_FILE = Path to the client .cer/.crt file (given by NIST). +* $ACVP_KEY_FILE = Path to the certificate key file (generated by user). + +If you do not have the required files from NIST, you must email them +to create demo credentials. +https://pages.nist.gov/ACVP/#access + + +Setup +----- + +After setting the environment variables as described in the +"Requirements" section, you will need to edit the acvp_config.json file. + +The acvp_config.json file is expected to be a json object +containing two keys: "url" and "algorithms" + +"url" must be the base URL string of the API you want to use. +"algorithms" must be an array of algorithm objects as detailed in the +ACVP API specification here: +https://github.com/usnistgov/ACVP/wiki/ACVTS-End-User-Documentation . In the case of the supported algorithms listed above, the only thing that will need to change in the config file is the `"algorithm"` field to match the name of the algorithm you would like to test. +* In order to test AES-CTR you'll also have to remove the key `"ivGenMode"` + +Now you can use the acvp_tool.py script to register a test session, +upload the results, and download the verdict. + +In order to run the DPDK sample application, there are a few libraries which must be installed: +* Intel IPSec Multi-buffer (v1.3) +``` +git clone https://github.com/intel/intel-ipsec-mb.git +cd intel-ipsec-mb +git checkout v1.3 +make -j 4 +make install +``` +* FIPS Object Module +``` +curl -o openssl-fips-2.0.16.tar.gz https://www.openssl.org/source/openssl-fips-2.0.16.tar.gz +tar xvfm openssl-fips-2.0.16.tar.gz +cd openssl-fips-2.0.16 +./config +make +make install +``` +Usage +----- +### Interacting with ACVP API +To see all options available, use the --help flag. + +First, register and download a new test session with the tool: + + acvp_tool.py --request $DOWNLOAD_PATH +The file written to $DOWNLOAD_PATH will contain both the session information and the test vectors. + +You should use the DPDK FIPS validation example application to test +the vectors in this file. The example application will generate +the result file which is uploaded back to the ACVP API. + +After running tests with the vector file, you can submit the result: + + acvp_tool.py --response $RESULT_PATH --upload +where $RESULT_PATH is the path of the file containing the answers. + +Once you submit your results, you can do + + acvp_tool.py --response $RESULT_PATH --verdict $VERDICT_PATH +where $VERDICT_PATH is where you want to save the verdict information. +The verdict file will contain the result of each test case submitted. + +You can also combine the options: + + acvp_tool.py --response $RESULT_PATH --upload --verdict $VERDICT_PATH + +### Using the DPDK FIPS Validation Example Application +First, you have to make sure that you configure DPDK to build the FIPS sample application before you compile with ninja +``` +#inside dpdk/ +meson --werror -Dexamples=fips_validation build +ninja -C build +``` +Once this has finished, you can now run the sample application and validate the test vectors. In order to run this validation step, you have to supply a valid crypto device and either a `*.json` or `*.req` file with vectors for validation. You can use the virtual device `crypto_aesni_mb` provided by the Intel IPSec Multi-buffer library and pass the JSON file containing test vectors from the ACVP API using `--req-file`. + +Example usage: + + #inside dpdk/ + build/examples/dpdk-fips_validation --vdev crypto_aesni_mb -- --req-file aes-cbc-vectors.json --rsp-file aes-cbc-answers.rsp --cryptodev crypto_aesni_mb` + +The file path passed into `--rsp-file` will contain the validated vectors from the sample applications and can be passed to the ACVP API to receive a verdict on your results. \ No newline at end of file -- 2.40.0