1d30ea906Sjfb8856606..  SPDX-License-Identifier: BSD-3-Clause
2d30ea906Sjfb8856606    Copyright(c) 2018 Intel Corporation.
3d30ea906Sjfb8856606
4d30ea906Sjfb8856606Federal Information Processing Standards (FIPS) CryptoDev Validation
5d30ea906Sjfb8856606====================================================================
6d30ea906Sjfb8856606
7d30ea906Sjfb8856606Overview
8d30ea906Sjfb8856606--------
9d30ea906Sjfb8856606
10d30ea906Sjfb8856606Federal Information Processing Standards (FIPS) are publicly announced standards
11d30ea906Sjfb8856606developed by the United States federal government for use in computer systems by
12d30ea906Sjfb8856606non-military government agencies and government contractors.
13d30ea906Sjfb8856606
14d30ea906Sjfb8856606This application is used to parse and perform symmetric cryptography
15d30ea906Sjfb8856606computation to the NIST Cryptographic Algorithm Validation Program (CAVP) test
16d30ea906Sjfb8856606vectors.
17d30ea906Sjfb8856606
18d30ea906Sjfb8856606For an algorithm implementation to be listed on a cryptographic module
19d30ea906Sjfb8856606validation certificate as an Approved security function, the algorithm
20d30ea906Sjfb8856606implementation must meet all the requirements of FIPS 140-2 and must
21d30ea906Sjfb8856606successfully complete the cryptographic algorithm validation process.
22d30ea906Sjfb8856606
23d30ea906Sjfb8856606Limitations
24d30ea906Sjfb8856606-----------
25d30ea906Sjfb8856606
26d30ea906Sjfb8856606* Only NIST CAVP request files are parsed by this application.
27d30ea906Sjfb8856606* The version of request file supported is ``CAVS 21.0``
28d30ea906Sjfb8856606* If the header comment in a ``.req`` file does not contain a Algo tag
29d30ea906Sjfb8856606  i.e ``AES,TDES,GCM`` you need to manually add it into the header comment for
30d30ea906Sjfb8856606  example::
31d30ea906Sjfb8856606
32d30ea906Sjfb8856606      # VARIABLE KEY - KAT for CBC / # TDES VARIABLE KEY - KAT for CBC
33d30ea906Sjfb8856606
34d30ea906Sjfb8856606* The application does not supply the test vectors. The user is expected to
35d30ea906Sjfb8856606  obtain the test vector files from `NIST
36d30ea906Sjfb8856606  <https://csrc.nist.gov/projects/cryptographic-algorithm-validation-
37d30ea906Sjfb8856606  program/block-ciphers>`_ website. To obtain the ``.req`` files you need to
38d30ea906Sjfb8856606  email a person from the NIST website and pay for the ``.req`` files.
39d30ea906Sjfb8856606  The ``.rsp`` files from the site can be used to validate and compare with
40d30ea906Sjfb8856606  the ``.rsp`` files created by the FIPS application.
41d30ea906Sjfb8856606
42d30ea906Sjfb8856606* Supported test vectors
43d30ea906Sjfb8856606    * AES-CBC (128,192,256) - GFSbox, KeySbox, MCT, MMT
44d30ea906Sjfb8856606    * AES-GCM (128,192,256) - EncryptExtIV, Decrypt
45d30ea906Sjfb8856606    * AES-CCM (128) - VADT, VNT, VPT, VTT, DVPT
46d30ea906Sjfb8856606    * AES-CMAC (128) - Generate, Verify
47d30ea906Sjfb8856606    * HMAC (SHA1, SHA224, SHA256, SHA384, SHA512)
48d30ea906Sjfb8856606    * TDES-CBC (1 Key, 2 Keys, 3 Keys) - MMT, Monte, Permop, Subkey, Varkey,
49d30ea906Sjfb8856606      VarText
50d30ea906Sjfb8856606
51d30ea906Sjfb8856606Application Information
52d30ea906Sjfb8856606-----------------------
53d30ea906Sjfb8856606
54d30ea906Sjfb8856606If a ``.req`` is used as the input file after the application is finished
55d30ea906Sjfb8856606running it will generate a response file or ``.rsp``. Differences between the
56d30ea906Sjfb8856606two files are, the ``.req`` file has missing information for instance if doing
57d30ea906Sjfb8856606encryption you will not have the cipher text and that will be generated in the
58d30ea906Sjfb8856606response file. Also if doing decryption it will not have the plain text until it
59d30ea906Sjfb8856606finished the work and in the response file it will be added onto the end of each
60d30ea906Sjfb8856606operation.
61d30ea906Sjfb8856606
62d30ea906Sjfb8856606The application can be run with a ``.rsp`` file and what the outcome of that
63d30ea906Sjfb8856606will be is it will add a extra line in the generated ``.rsp`` which should be
64d30ea906Sjfb8856606the same as the ``.rsp`` used to run the application, this is useful for
65d30ea906Sjfb8856606validating if the application has done the operation correctly.
66d30ea906Sjfb8856606
67d30ea906Sjfb8856606
68d30ea906Sjfb8856606Compiling the Application
69d30ea906Sjfb8856606-------------------------
70d30ea906Sjfb8856606
71d30ea906Sjfb8856606* Compile Application
72d30ea906Sjfb8856606
73*2d9fd380Sjfb8856606    To compile the sample application see :doc:`compiling`.
74d30ea906Sjfb8856606
75d30ea906Sjfb8856606*  Run ``dos2unix`` on the request files
76d30ea906Sjfb8856606
77d30ea906Sjfb8856606    .. code-block:: console
78d30ea906Sjfb8856606
79d30ea906Sjfb8856606         dos2unix AES/req/*
80d30ea906Sjfb8856606         dos2unix AES_GCM/req/*
81d30ea906Sjfb8856606         dos2unix CCM/req/*
82d30ea906Sjfb8856606         dos2unix CMAC/req/*
83d30ea906Sjfb8856606         dos2unix HMAC/req/*
84d30ea906Sjfb8856606         dos2unix TDES/req/*
85d30ea906Sjfb8856606
86d30ea906Sjfb8856606Running the Application
87d30ea906Sjfb8856606-----------------------
88d30ea906Sjfb8856606
89d30ea906Sjfb8856606The application requires a number of command line options:
90d30ea906Sjfb8856606
91d30ea906Sjfb8856606    .. code-block:: console
92d30ea906Sjfb8856606
93*2d9fd380Sjfb8856606         ./dpdk-fips_validation [EAL options]
94d30ea906Sjfb8856606         -- --req-file FILE_PATH/FOLDER_PATH
95d30ea906Sjfb8856606         --rsp-file FILE_PATH/FOLDER_PATH
96d30ea906Sjfb8856606         [--cryptodev DEVICE_NAME] [--cryptodev-id ID] [--path-is-folder]
97*2d9fd380Sjfb8856606         --mbuf-dataroom DATAROOM_SIZE
98d30ea906Sjfb8856606
99d30ea906Sjfb8856606where,
100d30ea906Sjfb8856606  * req-file: The path of the request file or folder, separated by
101d30ea906Sjfb8856606    ``path-is-folder`` option.
102d30ea906Sjfb8856606
103d30ea906Sjfb8856606  * rsp-file: The path that the response file or folder is stored. separated by
104d30ea906Sjfb8856606    ``path-is-folder`` option.
105d30ea906Sjfb8856606
106d30ea906Sjfb8856606  * cryptodev: The name of the target DPDK Crypto device to be validated.
107d30ea906Sjfb8856606
108d30ea906Sjfb8856606  * cryptodev-id: The id of the target DPDK Crypto device to be validated.
109d30ea906Sjfb8856606
110d30ea906Sjfb8856606  * path-is-folder: If presented the application expects req-file and rsp-file
111d30ea906Sjfb8856606    are folder paths.
112d30ea906Sjfb8856606
113*2d9fd380Sjfb8856606  * mbuf-dataroom: By default the application creates mbuf pool with maximum
114*2d9fd380Sjfb8856606    possible data room (65535 bytes). If the user wants to test scatter-gather
115*2d9fd380Sjfb8856606    list feature of the PMD he or she may set this value to reduce the dataroom
116*2d9fd380Sjfb8856606    size so that the input data may be dividied into multiple chained mbufs.
117*2d9fd380Sjfb8856606
118d30ea906Sjfb8856606
1194418919fSjohnjiangTo run the application in linux environment to test one AES FIPS test data
120d30ea906Sjfb8856606file for crypto_aesni_mb PMD, issue the command:
121d30ea906Sjfb8856606
122d30ea906Sjfb8856606.. code-block:: console
123d30ea906Sjfb8856606
124*2d9fd380Sjfb8856606    $ ./dpdk-fips_validation --vdev crypto_aesni_mb --
125d30ea906Sjfb8856606    --req-file /PATH/TO/REQUEST/FILE.req --rsp-file ./PATH/TO/RESPONSE/FILE.rsp
126d30ea906Sjfb8856606    --cryptodev crypto_aesni_mb
127d30ea906Sjfb8856606
1284418919fSjohnjiangTo run the application in linux environment to test all AES-GCM FIPS test
129d30ea906Sjfb8856606data files in one folder for crypto_aesni_gcm PMD, issue the command:
130d30ea906Sjfb8856606
131d30ea906Sjfb8856606.. code-block:: console
132d30ea906Sjfb8856606
133*2d9fd380Sjfb8856606    $ ./dpdk-fips_validation --vdev crypto_aesni_gcm0 --
134d30ea906Sjfb8856606    --req-file /PATH/TO/REQUEST/FILE/FOLDER/
135d30ea906Sjfb8856606    --rsp-file ./PATH/TO/RESPONSE/FILE/FOLDER/
136d30ea906Sjfb8856606    --cryptodev-id 0 --path-is-folder
137