13d0fad56SMarko Kovacevic.. SPDX-License-Identifier: BSD-3-Clause 23d0fad56SMarko Kovacevic Copyright(c) 2018 Intel Corporation. 33d0fad56SMarko Kovacevic 43d0fad56SMarko KovacevicFederal Information Processing Standards (FIPS) CryptoDev Validation 53d0fad56SMarko Kovacevic==================================================================== 63d0fad56SMarko Kovacevic 73d0fad56SMarko KovacevicOverview 83d0fad56SMarko Kovacevic-------- 93d0fad56SMarko Kovacevic 103d0fad56SMarko KovacevicFederal Information Processing Standards (FIPS) are publicly announced standards 113d0fad56SMarko Kovacevicdeveloped by the United States federal government for use in computer systems by 123d0fad56SMarko Kovacevicnon-military government agencies and government contractors. 133d0fad56SMarko Kovacevic 143d0fad56SMarko KovacevicThis application is used to parse and perform symmetric cryptography 153d0fad56SMarko Kovaceviccomputation to the NIST Cryptographic Algorithm Validation Program (CAVP) test 163d0fad56SMarko Kovacevicvectors. 173d0fad56SMarko Kovacevic 183d0fad56SMarko KovacevicFor an algorithm implementation to be listed on a cryptographic module 193d0fad56SMarko Kovacevicvalidation certificate as an Approved security function, the algorithm 203d0fad56SMarko Kovacevicimplementation must meet all the requirements of FIPS 140-2 and must 213d0fad56SMarko Kovacevicsuccessfully complete the cryptographic algorithm validation process. 223d0fad56SMarko Kovacevic 233d0fad56SMarko KovacevicLimitations 243d0fad56SMarko Kovacevic----------- 253d0fad56SMarko Kovacevic 263d0fad56SMarko Kovacevic* Only NIST CAVP request files are parsed by this application. 273d0fad56SMarko Kovacevic* The version of request file supported is ``CAVS 21.0`` 283d0fad56SMarko Kovacevic* If the header comment in a ``.req`` file does not contain a Algo tag 293d0fad56SMarko Kovacevic i.e ``AES,TDES,GCM`` you need to manually add it into the header comment for 303d0fad56SMarko Kovacevic example:: 313d0fad56SMarko Kovacevic 323d0fad56SMarko Kovacevic # VARIABLE KEY - KAT for CBC / # TDES VARIABLE KEY - KAT for CBC 333d0fad56SMarko Kovacevic 343d0fad56SMarko Kovacevic* The application does not supply the test vectors. The user is expected to 353d0fad56SMarko Kovacevic obtain the test vector files from `NIST 363d0fad56SMarko Kovacevic <https://csrc.nist.gov/projects/cryptographic-algorithm-validation- 373d0fad56SMarko Kovacevic program/block-ciphers>`_ website. To obtain the ``.req`` files you need to 383d0fad56SMarko Kovacevic email a person from the NIST website and pay for the ``.req`` files. 393d0fad56SMarko Kovacevic The ``.rsp`` files from the site can be used to validate and compare with 403d0fad56SMarko Kovacevic the ``.rsp`` files created by the FIPS application. 413d0fad56SMarko Kovacevic 423d0fad56SMarko Kovacevic* Supported test vectors 43cd255ccfSMarko Kovacevic * AES-CBC (128,192,256) - GFSbox, KeySbox, MCT, MMT 44*f64adb67SMarko Kovacevic * HMAC (SHA1, SHA224, SHA256, SHA384, SHA512) 453d0fad56SMarko Kovacevic 463d0fad56SMarko KovacevicApplication Information 473d0fad56SMarko Kovacevic----------------------- 483d0fad56SMarko Kovacevic 493d0fad56SMarko KovacevicIf a ``.req`` is used as the input file after the application is finished 503d0fad56SMarko Kovacevicrunning it will generate a response file or ``.rsp``. Differences between the 513d0fad56SMarko Kovacevictwo files are, the ``.req`` file has missing information for instance if doing 523d0fad56SMarko Kovacevicencryption you will not have the cipher text and that will be generated in the 533d0fad56SMarko Kovacevicresponse file. Also if doing decryption it will not have the plain text until it 543d0fad56SMarko Kovacevicfinished the work and in the response file it will be added onto the end of each 553d0fad56SMarko Kovacevicoperation. 563d0fad56SMarko Kovacevic 573d0fad56SMarko KovacevicThe application can be run with a ``.rsp`` file and what the outcome of that 583d0fad56SMarko Kovacevicwill be is it will add a extra line in the generated ``.rsp`` which should be 593d0fad56SMarko Kovacevicthe same as the ``.rsp`` used to run the application, this is useful for 603d0fad56SMarko Kovacevicvalidating if the application has done the operation correctly. 613d0fad56SMarko Kovacevic 623d0fad56SMarko Kovacevic 633d0fad56SMarko KovacevicCompiling the Application 643d0fad56SMarko Kovacevic------------------------- 653d0fad56SMarko Kovacevic 663d0fad56SMarko Kovacevic* Compile Application 673d0fad56SMarko Kovacevic 683d0fad56SMarko Kovacevic .. code-block:: console 693d0fad56SMarko Kovacevic 703d0fad56SMarko Kovacevic make -C examples/fips_validation 713d0fad56SMarko Kovacevic 723d0fad56SMarko Kovacevic* Run ``dos2unix`` on the request files 733d0fad56SMarko Kovacevic 743d0fad56SMarko Kovacevic .. code-block:: console 753d0fad56SMarko Kovacevic 763d0fad56SMarko Kovacevic dos2unix AES/req/* 773d0fad56SMarko Kovacevic dos2unix AES_GCM/req/* 783d0fad56SMarko Kovacevic dos2unix CCM/req/* 793d0fad56SMarko Kovacevic dos2unix CMAC/req/* 803d0fad56SMarko Kovacevic dos2unix HMAC/req/* 813d0fad56SMarko Kovacevic dos2unix TDES/req/* 823d0fad56SMarko Kovacevic 833d0fad56SMarko KovacevicRunning the Application 843d0fad56SMarko Kovacevic----------------------- 853d0fad56SMarko Kovacevic 863d0fad56SMarko KovacevicThe application requires a number of command line options: 873d0fad56SMarko Kovacevic 883d0fad56SMarko Kovacevic .. code-block:: console 893d0fad56SMarko Kovacevic 903d0fad56SMarko Kovacevic ./fips_validation [EAL options] 913d0fad56SMarko Kovacevic -- --req-file FILE_PATH/FOLDER_PATH 923d0fad56SMarko Kovacevic --rsp-file FILE_PATH/FOLDER_PATH 933d0fad56SMarko Kovacevic [--cryptodev DEVICE_NAME] [--cryptodev-id ID] [--path-is-folder] 943d0fad56SMarko Kovacevic 953d0fad56SMarko Kovacevicwhere, 963d0fad56SMarko Kovacevic * req-file: The path of the request file or folder, separated by 973d0fad56SMarko Kovacevic ``path-is-folder`` option. 983d0fad56SMarko Kovacevic 993d0fad56SMarko Kovacevic * rsp-file: The path that the response file or folder is stored. separated by 1003d0fad56SMarko Kovacevic ``path-is-folder`` option. 1013d0fad56SMarko Kovacevic 1023d0fad56SMarko Kovacevic * cryptodev: The name of the target DPDK Crypto device to be validated. 1033d0fad56SMarko Kovacevic 1043d0fad56SMarko Kovacevic * cryptodev-id: The id of the target DPDK Crypto device to be validated. 1053d0fad56SMarko Kovacevic 1063d0fad56SMarko Kovacevic * path-is-folder: If presented the application expects req-file and rsp-file 1073d0fad56SMarko Kovacevic are folder paths. 1083d0fad56SMarko Kovacevic 1093d0fad56SMarko Kovacevic 1103d0fad56SMarko KovacevicTo run the application in linuxapp environment to test one AES FIPS test data 1113d0fad56SMarko Kovacevicfile for crypto_aesni_mb PMD, issue the command: 1123d0fad56SMarko Kovacevic 1133d0fad56SMarko Kovacevic.. code-block:: console 1143d0fad56SMarko Kovacevic 1153d0fad56SMarko Kovacevic $ ./fips_validation --vdev crypto_aesni_mb -- 1163d0fad56SMarko Kovacevic --req-file /PATH/TO/REQUEST/FILE.req --rsp-file ./PATH/TO/RESPONSE/FILE.rsp 1173d0fad56SMarko Kovacevic --cryptodev crypto_aesni_mb 1183d0fad56SMarko Kovacevic 1193d0fad56SMarko KovacevicTo run the application in linuxapp environment to test all AES-GCM FIPS test 1203d0fad56SMarko Kovacevicdata files in one folder for crypto_aesni_gcm PMD, issue the command: 1213d0fad56SMarko Kovacevic 1223d0fad56SMarko Kovacevic.. code-block:: console 1233d0fad56SMarko Kovacevic 1243d0fad56SMarko Kovacevic $ ./fips_validation --vdev crypto_aesni_gcm0 -- 1253d0fad56SMarko Kovacevic --req-file /PATH/TO/REQUEST/FILE/FOLDER/ 1263d0fad56SMarko Kovacevic --rsp-file ./PATH/TO/RESPONSE/FILE/FOLDER/ 1273d0fad56SMarko Kovacevic --cryptodev-id 0 --path-is-folder 128