2018-11-02 09:55:28 +00:00
|
|
|
.. SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
Copyright(c) 2018 Intel Corporation.
|
|
|
|
|
|
|
|
Federal Information Processing Standards (FIPS) CryptoDev Validation
|
|
|
|
====================================================================
|
|
|
|
|
|
|
|
Overview
|
|
|
|
--------
|
|
|
|
|
|
|
|
Federal Information Processing Standards (FIPS) are publicly announced standards
|
|
|
|
developed by the United States federal government for use in computer systems by
|
|
|
|
non-military government agencies and government contractors.
|
|
|
|
|
|
|
|
This application is used to parse and perform symmetric cryptography
|
2022-05-30 15:52:44 +00:00
|
|
|
computation to the NIST Cryptographic Algorithm Validation Program (CAVP) and
|
|
|
|
Automated Crypto Validation Protocol (ACVP) test vectors.
|
2018-11-02 09:55:28 +00:00
|
|
|
|
|
|
|
For an algorithm implementation to be listed on a cryptographic module
|
|
|
|
validation certificate as an Approved security function, the algorithm
|
2022-05-30 15:52:44 +00:00
|
|
|
implementation must meet all the requirements of FIPS 140-2 (in case of CAVP)
|
|
|
|
and FIPS 140-3 (in case of ACVP) and must successfully complete the
|
|
|
|
cryptographic algorithm validation process.
|
2018-11-02 09:55:28 +00:00
|
|
|
|
|
|
|
Limitations
|
|
|
|
-----------
|
|
|
|
|
2022-05-30 15:52:44 +00:00
|
|
|
CAVP
|
|
|
|
----
|
|
|
|
|
|
|
|
* The version of request file supported is ``CAVS 21.0``.
|
2018-11-02 09:55:28 +00:00
|
|
|
* If the header comment in a ``.req`` file does not contain a Algo tag
|
|
|
|
i.e ``AES,TDES,GCM`` you need to manually add it into the header comment for
|
|
|
|
example::
|
|
|
|
|
|
|
|
# VARIABLE KEY - KAT for CBC / # TDES VARIABLE KEY - KAT for CBC
|
|
|
|
|
|
|
|
* The application does not supply the test vectors. The user is expected to
|
2022-05-30 15:52:44 +00:00
|
|
|
obtain the test vector files from `CAVP
|
2018-11-02 09:55:28 +00:00
|
|
|
<https://csrc.nist.gov/projects/cryptographic-algorithm-validation-
|
|
|
|
program/block-ciphers>`_ website. To obtain the ``.req`` files you need to
|
|
|
|
email a person from the NIST website and pay for the ``.req`` files.
|
|
|
|
The ``.rsp`` files from the site can be used to validate and compare with
|
|
|
|
the ``.rsp`` files created by the FIPS application.
|
|
|
|
|
|
|
|
* Supported test vectors
|
2018-11-02 09:55:29 +00:00
|
|
|
* AES-CBC (128,192,256) - GFSbox, KeySbox, MCT, MMT
|
2018-11-02 09:55:32 +00:00
|
|
|
* AES-GCM (128,192,256) - EncryptExtIV, Decrypt
|
2018-11-02 09:55:34 +00:00
|
|
|
* AES-CCM (128) - VADT, VNT, VPT, VTT, DVPT
|
2018-11-02 09:55:33 +00:00
|
|
|
* AES-CMAC (128) - Generate, Verify
|
2018-11-02 09:55:30 +00:00
|
|
|
* HMAC (SHA1, SHA224, SHA256, SHA384, SHA512)
|
2018-11-02 09:55:31 +00:00
|
|
|
* TDES-CBC (1 Key, 2 Keys, 3 Keys) - MMT, Monte, Permop, Subkey, Varkey,
|
|
|
|
VarText
|
2018-11-02 09:55:28 +00:00
|
|
|
|
2022-05-30 15:52:44 +00:00
|
|
|
ACVP
|
|
|
|
----
|
|
|
|
|
|
|
|
* The application does not supply the test vectors. The user is expected to
|
|
|
|
obtain the test vector files from `ACVP <https://pages.nist.gov/ACVP>`_
|
|
|
|
website.
|
|
|
|
* Supported test vectors
|
|
|
|
* AES-CBC (128,192,256) - AFT, MCT
|
|
|
|
* AES-GCM (128,192,256) - AFT
|
|
|
|
* AES-CMAC (128,192,256) - AFT
|
2022-10-07 16:58:29 +00:00
|
|
|
* AES-CTR (128,192,256) - AFT, CTR
|
2022-09-16 08:59:43 +00:00
|
|
|
* AES-GMAC (128,192,256) - AFT
|
2022-06-29 12:35:05 +00:00
|
|
|
* AES-XTS (128,256) - AFT
|
2022-05-30 15:52:44 +00:00
|
|
|
* HMAC (SHA1, SHA224, SHA256, SHA384, SHA512)
|
2022-06-29 12:35:06 +00:00
|
|
|
* SHA (1, 256, 384, 512) - AFT, MCT
|
2022-08-12 11:52:01 +00:00
|
|
|
* TDES-CBC - AFT, MCT
|
|
|
|
* TDES-ECB - AFT, MCT
|
2022-10-12 06:12:36 +00:00
|
|
|
* RSA
|
2022-09-27 07:30:43 +00:00
|
|
|
* ECDSA
|
2022-05-30 15:52:44 +00:00
|
|
|
|
|
|
|
|
2018-11-02 09:55:28 +00:00
|
|
|
Application Information
|
|
|
|
-----------------------
|
|
|
|
|
|
|
|
If a ``.req`` is used as the input file after the application is finished
|
|
|
|
running it will generate a response file or ``.rsp``. Differences between the
|
|
|
|
two files are, the ``.req`` file has missing information for instance if doing
|
|
|
|
encryption you will not have the cipher text and that will be generated in the
|
|
|
|
response file. Also if doing decryption it will not have the plain text until it
|
|
|
|
finished the work and in the response file it will be added onto the end of each
|
|
|
|
operation.
|
|
|
|
|
|
|
|
The application can be run with a ``.rsp`` file and what the outcome of that
|
|
|
|
will be is it will add a extra line in the generated ``.rsp`` which should be
|
|
|
|
the same as the ``.rsp`` used to run the application, this is useful for
|
|
|
|
validating if the application has done the operation correctly.
|
|
|
|
|
|
|
|
|
|
|
|
Compiling the Application
|
|
|
|
-------------------------
|
|
|
|
|
|
|
|
* Compile Application
|
|
|
|
|
2020-10-21 08:17:20 +00:00
|
|
|
To compile the sample application see :doc:`compiling`.
|
2018-11-02 09:55:28 +00:00
|
|
|
|
|
|
|
* Run ``dos2unix`` on the request files
|
|
|
|
|
|
|
|
.. code-block:: console
|
|
|
|
|
|
|
|
dos2unix AES/req/*
|
2022-02-09 11:36:23 +00:00
|
|
|
dos2unix GCM/req/*
|
2018-11-02 09:55:28 +00:00
|
|
|
dos2unix CCM/req/*
|
|
|
|
dos2unix CMAC/req/*
|
|
|
|
dos2unix HMAC/req/*
|
|
|
|
dos2unix TDES/req/*
|
2022-02-09 11:36:23 +00:00
|
|
|
dos2unix SHA/req/*
|
2018-11-02 09:55:28 +00:00
|
|
|
|
|
|
|
Running the Application
|
|
|
|
-----------------------
|
|
|
|
|
|
|
|
The application requires a number of command line options:
|
|
|
|
|
|
|
|
.. code-block:: console
|
|
|
|
|
2020-10-21 08:17:20 +00:00
|
|
|
./dpdk-fips_validation [EAL options]
|
2018-11-02 09:55:28 +00:00
|
|
|
-- --req-file FILE_PATH/FOLDER_PATH
|
|
|
|
--rsp-file FILE_PATH/FOLDER_PATH
|
|
|
|
[--cryptodev DEVICE_NAME] [--cryptodev-id ID] [--path-is-folder]
|
2020-10-09 20:08:21 +00:00
|
|
|
--mbuf-dataroom DATAROOM_SIZE
|
2018-11-02 09:55:28 +00:00
|
|
|
|
|
|
|
where,
|
|
|
|
* req-file: The path of the request file or folder, separated by
|
|
|
|
``path-is-folder`` option.
|
|
|
|
|
|
|
|
* rsp-file: The path that the response file or folder is stored. separated by
|
|
|
|
``path-is-folder`` option.
|
|
|
|
|
|
|
|
* cryptodev: The name of the target DPDK Crypto device to be validated.
|
|
|
|
|
|
|
|
* cryptodev-id: The id of the target DPDK Crypto device to be validated.
|
|
|
|
|
|
|
|
* path-is-folder: If presented the application expects req-file and rsp-file
|
|
|
|
are folder paths.
|
|
|
|
|
2020-10-09 20:08:21 +00:00
|
|
|
* mbuf-dataroom: By default the application creates mbuf pool with maximum
|
|
|
|
possible data room (65535 bytes). If the user wants to test scatter-gather
|
|
|
|
list feature of the PMD he or she may set this value to reduce the dataroom
|
2021-07-29 16:48:05 +00:00
|
|
|
size so that the input data may be divided into multiple chained mbufs.
|
2020-10-09 20:08:21 +00:00
|
|
|
|
2018-11-02 09:55:28 +00:00
|
|
|
|
2019-03-06 16:22:42 +00:00
|
|
|
To run the application in linux environment to test one AES FIPS test data
|
2018-11-02 09:55:28 +00:00
|
|
|
file for crypto_aesni_mb PMD, issue the command:
|
|
|
|
|
|
|
|
.. code-block:: console
|
|
|
|
|
2020-10-21 08:17:20 +00:00
|
|
|
$ ./dpdk-fips_validation --vdev crypto_aesni_mb --
|
2018-11-02 09:55:28 +00:00
|
|
|
--req-file /PATH/TO/REQUEST/FILE.req --rsp-file ./PATH/TO/RESPONSE/FILE.rsp
|
|
|
|
--cryptodev crypto_aesni_mb
|
|
|
|
|
2019-03-06 16:22:42 +00:00
|
|
|
To run the application in linux environment to test all AES-GCM FIPS test
|
2018-11-02 09:55:28 +00:00
|
|
|
data files in one folder for crypto_aesni_gcm PMD, issue the command:
|
|
|
|
|
|
|
|
.. code-block:: console
|
|
|
|
|
2020-10-21 08:17:20 +00:00
|
|
|
$ ./dpdk-fips_validation --vdev crypto_aesni_gcm0 --
|
2018-11-02 09:55:28 +00:00
|
|
|
--req-file /PATH/TO/REQUEST/FILE/FOLDER/
|
|
|
|
--rsp-file ./PATH/TO/RESPONSE/FILE/FOLDER/
|
|
|
|
--cryptodev-id 0 --path-is-folder
|