xref: /dpdk/doc/guides/sample_app_ug/fips_validation.rst (revision 96db98db69f759cdb54c02ef72c4cae760b01ab3) 
1..  SPDX-License-Identifier: BSD-3-Clause
2    Copyright(c) 2018 Intel Corporation.
3
4Federal Information Processing Standards (FIPS) CryptoDev Validation
5====================================================================
6
7Overview
8--------
9
10Federal Information Processing Standards (FIPS) are publicly announced standards
11developed by the United States federal government for use in computer systems by
12non-military government agencies and government contractors.
13
14This application is used to parse and perform symmetric cryptography
15computation to the NIST Cryptographic Algorithm Validation Program (CAVP) and
16Automated Crypto Validation Protocol (ACVP) test vectors.
17
18For an algorithm implementation to be listed on a cryptographic module
19validation certificate as an Approved security function, the algorithm
20implementation must meet all the requirements of FIPS 140-2 (in case of CAVP)
21and FIPS 140-3 (in case of ACVP) and must successfully complete the
22cryptographic algorithm validation process.
23
24Limitations
25-----------
26
27CAVP
28----
29
30* The version of request file supported is ``CAVS 21.0``.
31* If the header comment in a ``.req`` file does not contain a Algo tag
32  i.e ``AES,TDES,GCM`` you need to manually add it into the header comment for
33  example::
34
35      # VARIABLE KEY - KAT for CBC / # TDES VARIABLE KEY - KAT for CBC
36
37* The application does not supply the test vectors. The user is expected to
38  obtain the test vector files from `CAVP
39  <https://csrc.nist.gov/projects/cryptographic-algorithm-validation-
40  program/block-ciphers>`_ website. To obtain the ``.req`` files you need to
41  email a person from the NIST website and pay for the ``.req`` files.
42  The ``.rsp`` files from the site can be used to validate and compare with
43  the ``.rsp`` files created by the FIPS application.
44
45* Supported test vectors
46    * AES-CBC (128,192,256) - GFSbox, KeySbox, MCT, MMT
47    * AES-GCM (128,192,256) - EncryptExtIV, Decrypt
48    * AES-CCM (128) - VADT, VNT, VPT, VTT, DVPT
49    * AES-CMAC (128) - Generate, Verify
50    * HMAC (SHA1, SHA224, SHA256, SHA384, SHA512)
51    * TDES-CBC (1 Key, 2 Keys, 3 Keys) - MMT, Monte, Permop, Subkey, Varkey,
52      VarText
53
54ACVP
55----
56
57* The application does not supply the test vectors. The user is expected to
58  obtain the test vector files from `ACVP  <https://pages.nist.gov/ACVP>`_
59  website.
60* Supported test vectors
61    * AES-CBC (128,192,256) - AFT, MCT
62    * AES-GCM (128,192,256) - AFT
63    * AES-CMAC (128,192,256) - AFT
64    * HMAC (SHA1, SHA224, SHA256, SHA384, SHA512)
65
66
67Application Information
68-----------------------
69
70If a ``.req`` is used as the input file after the application is finished
71running it will generate a response file or ``.rsp``. Differences between the
72two files are, the ``.req`` file has missing information for instance if doing
73encryption you will not have the cipher text and that will be generated in the
74response file. Also if doing decryption it will not have the plain text until it
75finished the work and in the response file it will be added onto the end of each
76operation.
77
78The application can be run with a ``.rsp`` file and what the outcome of that
79will be is it will add a extra line in the generated ``.rsp`` which should be
80the same as the ``.rsp`` used to run the application, this is useful for
81validating if the application has done the operation correctly.
82
83
84Compiling the Application
85-------------------------
86
87* Compile Application
88
89    To compile the sample application see :doc:`compiling`.
90
91*  Run ``dos2unix`` on the request files
92
93    .. code-block:: console
94
95         dos2unix AES/req/*
96         dos2unix GCM/req/*
97         dos2unix CCM/req/*
98         dos2unix CMAC/req/*
99         dos2unix HMAC/req/*
100         dos2unix TDES/req/*
101         dos2unix SHA/req/*
102
103Running the Application
104-----------------------
105
106The application requires a number of command line options:
107
108    .. code-block:: console
109
110         ./dpdk-fips_validation [EAL options]
111         -- --req-file FILE_PATH/FOLDER_PATH
112         --rsp-file FILE_PATH/FOLDER_PATH
113         [--cryptodev DEVICE_NAME] [--cryptodev-id ID] [--path-is-folder]
114         --mbuf-dataroom DATAROOM_SIZE
115
116where,
117  * req-file: The path of the request file or folder, separated by
118    ``path-is-folder`` option.
119
120  * rsp-file: The path that the response file or folder is stored. separated by
121    ``path-is-folder`` option.
122
123  * cryptodev: The name of the target DPDK Crypto device to be validated.
124
125  * cryptodev-id: The id of the target DPDK Crypto device to be validated.
126
127  * path-is-folder: If presented the application expects req-file and rsp-file
128    are folder paths.
129
130  * mbuf-dataroom: By default the application creates mbuf pool with maximum
131    possible data room (65535 bytes). If the user wants to test scatter-gather
132    list feature of the PMD he or she may set this value to reduce the dataroom
133    size so that the input data may be divided into multiple chained mbufs.
134
135
136To run the application in linux environment to test one AES FIPS test data
137file for crypto_aesni_mb PMD, issue the command:
138
139.. code-block:: console
140
141    $ ./dpdk-fips_validation --vdev crypto_aesni_mb --
142    --req-file /PATH/TO/REQUEST/FILE.req --rsp-file ./PATH/TO/RESPONSE/FILE.rsp
143    --cryptodev crypto_aesni_mb
144
145To run the application in linux environment to test all AES-GCM FIPS test
146data files in one folder for crypto_aesni_gcm PMD, issue the command:
147
148.. code-block:: console
149
150    $ ./dpdk-fips_validation --vdev crypto_aesni_gcm0 --
151    --req-file /PATH/TO/REQUEST/FILE/FOLDER/
152    --rsp-file ./PATH/TO/RESPONSE/FILE/FOLDER/
153    --cryptodev-id 0 --path-is-folder
154