From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) by dpdk.org (Postfix) with ESMTP id 2E1431B3A4 for ; Fri, 2 Nov 2018 10:55:54 +0100 (CET) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga106.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 02 Nov 2018 02:55:53 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.54,455,1534834800"; d="scan'208";a="104701229" Received: from silpixa00399502.ir.intel.com (HELO silpixa00399502.ger.corp.intel.com) ([10.237.223.218]) by fmsmga001.fm.intel.com with ESMTP; 02 Nov 2018 02:55:52 -0700 From: "Kovacevic, Marko" To: akhil.goyal@nxp.com Cc: dev@dpdk.org, roy.fan.zhang@intel.com, arkadiuszx.kusztal@intel.com, "Kovacevic, Marko" Date: Fri, 2 Nov 2018 09:55:35 +0000 Message-Id: <20181102095535.7906-9-marko.kovacevic@intel.com> X-Mailer: git-send-email 2.9.5 In-Reply-To: <20181102095535.7906-1-marko.kovacevic@intel.com> References: <20181026110716.42093-1-marko.kovacevic@intel.com> <20181102095535.7906-1-marko.kovacevic@intel.com> Subject: [dpdk-dev] [PATCH v7 8/8] doc: add fips validation application guide X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Nov 2018 09:55:54 -0000 Document explains how to run the fips sample app and instructions users need to parser all the request files and generate the response files. Signed-off-by: Marko Kovacevic Signed-off-by: Fan Zhang Acked-by: Arek Kusztal --- doc/guides/rel_notes/release_18_11.rst | 5 + doc/guides/sample_app_ug/fips_validation.rst | 132 +++++++++++++++++++++++++++ doc/guides/sample_app_ug/index.rst | 1 + 3 files changed, 138 insertions(+) create mode 100644 doc/guides/sample_app_ug/fips_validation.rst diff --git a/doc/guides/rel_notes/release_18_11.rst b/doc/guides/rel_notes/release_18_11.rst index 376128f..8fa0441 100644 --- a/doc/guides/rel_notes/release_18_11.rst +++ b/doc/guides/rel_notes/release_18_11.rst @@ -285,6 +285,11 @@ New Features this application doesn't need to launch dedicated worker threads for vhost enqueue/dequeue operations. +* **Added Cryptodev Fips Validation Example Application.** + + Added an example application to parse and perform symmetric cryptography + computation to the NIST Cryptographic Algorithm Validation Program (CAVP) + test vectors. API Changes ----------- diff --git a/doc/guides/sample_app_ug/fips_validation.rst b/doc/guides/sample_app_ug/fips_validation.rst new file mode 100644 index 0000000..aeacfac --- /dev/null +++ b/doc/guides/sample_app_ug/fips_validation.rst @@ -0,0 +1,132 @@ +.. SPDX-License-Identifier: BSD-3-Clause + Copyright(c) 2018 Intel Corporation. + +Federal Information Processing Standards (FIPS) CryptoDev Validation +==================================================================== + +Overview +-------- + +Federal Information Processing Standards (FIPS) are publicly announced standards +developed by the United States federal government for use in computer systems by +non-military government agencies and government contractors. + +This application is used to parse and perform symmetric cryptography +computation to the NIST Cryptographic Algorithm Validation Program (CAVP) test +vectors. + +For an algorithm implementation to be listed on a cryptographic module +validation certificate as an Approved security function, the algorithm +implementation must meet all the requirements of FIPS 140-2 and must +successfully complete the cryptographic algorithm validation process. + +Limitations +----------- + +* Only NIST CAVP request files are parsed by this application. +* The version of request file supported is ``CAVS 21.0`` +* If the header comment in a ``.req`` file does not contain a Algo tag + i.e ``AES,TDES,GCM`` you need to manually add it into the header comment for + example:: + + # VARIABLE KEY - KAT for CBC / # TDES VARIABLE KEY - KAT for CBC + +* The application does not supply the test vectors. The user is expected to + obtain the test vector files from `NIST + `_ website. To obtain the ``.req`` files you need to + email a person from the NIST website and pay for the ``.req`` files. + The ``.rsp`` files from the site can be used to validate and compare with + the ``.rsp`` files created by the FIPS application. + +* Supported test vectors + * AES-CBC (128,192,256) - GFSbox, KeySbox, MCT, MMT + * AES-GCM (128,192,256) - EncryptExtIV, Decrypt + * AES-CCM (128) - VADT, VNT, VPT, VTT, DVPT + * AES-CMAC (128) - Generate, Verify + * HMAC (SHA1, SHA224, SHA256, SHA384, SHA512) + * TDES-CBC (1 Key, 2 Keys, 3 Keys) - MMT, Monte, Permop, Subkey, Varkey, + VarText + +Application Information +----------------------- + +If a ``.req`` is used as the input file after the application is finished +running it will generate a response file or ``.rsp``. Differences between the +two files are, the ``.req`` file has missing information for instance if doing +encryption you will not have the cipher text and that will be generated in the +response file. Also if doing decryption it will not have the plain text until it +finished the work and in the response file it will be added onto the end of each +operation. + +The application can be run with a ``.rsp`` file and what the outcome of that +will be is it will add a extra line in the generated ``.rsp`` which should be +the same as the ``.rsp`` used to run the application, this is useful for +validating if the application has done the operation correctly. + + +Compiling the Application +------------------------- + +* Compile Application + + .. code-block:: console + + make -C examples/fips_validation + +* Run ``dos2unix`` on the request files + + .. code-block:: console + + dos2unix AES/req/* + dos2unix AES_GCM/req/* + dos2unix CCM/req/* + dos2unix CMAC/req/* + dos2unix HMAC/req/* + dos2unix TDES/req/* + +Running the Application +----------------------- + +The application requires a number of command line options: + + .. code-block:: console + + ./fips_validation [EAL options] + -- --req-file FILE_PATH/FOLDER_PATH + --rsp-file FILE_PATH/FOLDER_PATH + [--cryptodev DEVICE_NAME] [--cryptodev-id ID] [--path-is-folder] + +where, + * req-file: The path of the request file or folder, separated by + ``path-is-folder`` option. + + * rsp-file: The path that the response file or folder is stored. separated by + ``path-is-folder`` option. + + * cryptodev: The name of the target DPDK Crypto device to be validated. + + * cryptodev-id: The id of the target DPDK Crypto device to be validated. + + * path-is-folder: If presented the application expects req-file and rsp-file + are folder paths. + + +To run the application in linuxapp environment to test one AES FIPS test data +file for crypto_aesni_mb PMD, issue the command: + +.. code-block:: console + + $ ./fips_validation --vdev crypto_aesni_mb -- + --req-file /PATH/TO/REQUEST/FILE.req --rsp-file ./PATH/TO/RESPONSE/FILE.rsp + --cryptodev crypto_aesni_mb + +To run the application in linuxapp environment to test all AES-GCM FIPS test +data files in one folder for crypto_aesni_gcm PMD, issue the command: + +.. code-block:: console + + $ ./fips_validation --vdev crypto_aesni_gcm0 -- + --req-file /PATH/TO/REQUEST/FILE/FOLDER/ + --rsp-file ./PATH/TO/RESPONSE/FILE/FOLDER/ + --cryptodev-id 0 --path-is-folder diff --git a/doc/guides/sample_app_ug/index.rst b/doc/guides/sample_app_ug/index.rst index 74b12af..65c12d9 100644 --- a/doc/guides/sample_app_ug/index.rst +++ b/doc/guides/sample_app_ug/index.rst @@ -57,6 +57,7 @@ Sample Applications User Guides performance_thread ipsec_secgw bbdev_app + fips_validation **Figures** -- 2.9.5