xref: /dpdk/doc/guides/sample_app_ug/fips_validation.rst (revision f64adb6714e07daf2a1d4fe3ee3172f3f4a80c07) 
1..  SPDX-License-Identifier: BSD-3-Clause
2    Copyright(c) 2018 Intel Corporation.
3
4Federal Information Processing Standards (FIPS) CryptoDev Validation
5====================================================================
6
7Overview
8--------
9
10Federal Information Processing Standards (FIPS) are publicly announced standards
11developed by the United States federal government for use in computer systems by
12non-military government agencies and government contractors.
13
14This application is used to parse and perform symmetric cryptography
15computation to the NIST Cryptographic Algorithm Validation Program (CAVP) test
16vectors.
17
18For an algorithm implementation to be listed on a cryptographic module
19validation certificate as an Approved security function, the algorithm
20implementation must meet all the requirements of FIPS 140-2 and must
21successfully complete the cryptographic algorithm validation process.
22
23Limitations
24-----------
25
26* Only NIST CAVP request files are parsed by this application.
27* The version of request file supported is ``CAVS 21.0``
28* If the header comment in a ``.req`` file does not contain a Algo tag
29  i.e ``AES,TDES,GCM`` you need to manually add it into the header comment for
30  example::
31
32      # VARIABLE KEY - KAT for CBC / # TDES VARIABLE KEY - KAT for CBC
33
34* The application does not supply the test vectors. The user is expected to
35  obtain the test vector files from `NIST
36  <https://csrc.nist.gov/projects/cryptographic-algorithm-validation-
37  program/block-ciphers>`_ website. To obtain the ``.req`` files you need to
38  email a person from the NIST website and pay for the ``.req`` files.
39  The ``.rsp`` files from the site can be used to validate and compare with
40  the ``.rsp`` files created by the FIPS application.
41
42* Supported test vectors
43    * AES-CBC (128,192,256) - GFSbox, KeySbox, MCT, MMT
44    * HMAC (SHA1, SHA224, SHA256, SHA384, SHA512)
45
46Application Information
47-----------------------
48
49If a ``.req`` is used as the input file after the application is finished
50running it will generate a response file or ``.rsp``. Differences between the
51two files are, the ``.req`` file has missing information for instance if doing
52encryption you will not have the cipher text and that will be generated in the
53response file. Also if doing decryption it will not have the plain text until it
54finished the work and in the response file it will be added onto the end of each
55operation.
56
57The application can be run with a ``.rsp`` file and what the outcome of that
58will be is it will add a extra line in the generated ``.rsp`` which should be
59the same as the ``.rsp`` used to run the application, this is useful for
60validating if the application has done the operation correctly.
61
62
63Compiling the Application
64-------------------------
65
66* Compile Application
67
68    .. code-block:: console
69
70         make -C examples/fips_validation
71
72*  Run ``dos2unix`` on the request files
73
74    .. code-block:: console
75
76         dos2unix AES/req/*
77         dos2unix AES_GCM/req/*
78         dos2unix CCM/req/*
79         dos2unix CMAC/req/*
80         dos2unix HMAC/req/*
81         dos2unix TDES/req/*
82
83Running the Application
84-----------------------
85
86The application requires a number of command line options:
87
88    .. code-block:: console
89
90         ./fips_validation [EAL options]
91         -- --req-file FILE_PATH/FOLDER_PATH
92         --rsp-file FILE_PATH/FOLDER_PATH
93         [--cryptodev DEVICE_NAME] [--cryptodev-id ID] [--path-is-folder]
94
95where,
96  * req-file: The path of the request file or folder, separated by
97    ``path-is-folder`` option.
98
99  * rsp-file: The path that the response file or folder is stored. separated by
100    ``path-is-folder`` option.
101
102  * cryptodev: The name of the target DPDK Crypto device to be validated.
103
104  * cryptodev-id: The id of the target DPDK Crypto device to be validated.
105
106  * path-is-folder: If presented the application expects req-file and rsp-file
107    are folder paths.
108
109
110To run the application in linuxapp environment to test one AES FIPS test data
111file for crypto_aesni_mb PMD, issue the command:
112
113.. code-block:: console
114
115    $ ./fips_validation --vdev crypto_aesni_mb --
116    --req-file /PATH/TO/REQUEST/FILE.req --rsp-file ./PATH/TO/RESPONSE/FILE.rsp
117    --cryptodev crypto_aesni_mb
118
119To run the application in linuxapp environment to test all AES-GCM FIPS test
120data files in one folder for crypto_aesni_gcm PMD, issue the command:
121
122.. code-block:: console
123
124    $ ./fips_validation --vdev crypto_aesni_gcm0 --
125    --req-file /PATH/TO/REQUEST/FILE/FOLDER/
126    --rsp-file ./PATH/TO/RESPONSE/FILE/FOLDER/
127    --cryptodev-id 0 --path-is-folder
128