1 .. SPDX-License-Identifier: BSD-3-Clause
2 Copyright(c) 2018 Intel Corporation.
4 Federal Information Processing Standards (FIPS) CryptoDev Validation
5 ====================================================================
10 Federal Information Processing Standards (FIPS) are publicly announced standards
11 developed by the United States federal government for use in computer systems by
12 non-military government agencies and government contractors.
14 This application is used to parse and perform symmetric cryptography
15 computation to the NIST Cryptographic Algorithm Validation Program (CAVP) test
18 For an algorithm implementation to be listed on a cryptographic module
19 validation certificate as an Approved security function, the algorithm
20 implementation must meet all the requirements of FIPS 140-2 and must
21 successfully complete the cryptographic algorithm validation process.
26 * Only NIST CAVP request files are parsed by this application.
27 * The version of request file supported is ``CAVS 21.0``
28 * If the header comment in a ``.req`` file does not contain a Algo tag
29 i.e ``AES,TDES,GCM`` you need to manually add it into the header comment for
32 # VARIABLE KEY - KAT for CBC / # TDES VARIABLE KEY - KAT for CBC
34 * The application does not supply the test vectors. The user is expected to
35 obtain the test vector files from `NIST
36 <https://csrc.nist.gov/projects/cryptographic-algorithm-validation-
37 program/block-ciphers>`_ website. To obtain the ``.req`` files you need to
38 email a person from the NIST website and pay for the ``.req`` files.
39 The ``.rsp`` files from the site can be used to validate and compare with
40 the ``.rsp`` files created by the FIPS application.
42 * Supported test vectors
43 * AES-CBC (128,192,256) - GFSbox, KeySbox, MCT, MMT
44 * AES-GCM (128,192,256) - EncryptExtIV, Decrypt
45 * AES-CMAC (128) - Generate, Verify
46 * HMAC (SHA1, SHA224, SHA256, SHA384, SHA512)
47 * TDES-CBC (1 Key, 2 Keys, 3 Keys) - MMT, Monte, Permop, Subkey, Varkey,
50 Application Information
51 -----------------------
53 If a ``.req`` is used as the input file after the application is finished
54 running it will generate a response file or ``.rsp``. Differences between the
55 two files are, the ``.req`` file has missing information for instance if doing
56 encryption you will not have the cipher text and that will be generated in the
57 response file. Also if doing decryption it will not have the plain text until it
58 finished the work and in the response file it will be added onto the end of each
61 The application can be run with a ``.rsp`` file and what the outcome of that
62 will be is it will add a extra line in the generated ``.rsp`` which should be
63 the same as the ``.rsp`` used to run the application, this is useful for
64 validating if the application has done the operation correctly.
67 Compiling the Application
68 -------------------------
72 .. code-block:: console
74 make -C examples/fips_validation
76 * Run ``dos2unix`` on the request files
78 .. code-block:: console
81 dos2unix AES_GCM/req/*
87 Running the Application
88 -----------------------
90 The application requires a number of command line options:
92 .. code-block:: console
94 ./fips_validation [EAL options]
95 -- --req-file FILE_PATH/FOLDER_PATH
96 --rsp-file FILE_PATH/FOLDER_PATH
97 [--cryptodev DEVICE_NAME] [--cryptodev-id ID] [--path-is-folder]
100 * req-file: The path of the request file or folder, separated by
101 ``path-is-folder`` option.
103 * rsp-file: The path that the response file or folder is stored. separated by
104 ``path-is-folder`` option.
106 * cryptodev: The name of the target DPDK Crypto device to be validated.
108 * cryptodev-id: The id of the target DPDK Crypto device to be validated.
110 * path-is-folder: If presented the application expects req-file and rsp-file
114 To run the application in linuxapp environment to test one AES FIPS test data
115 file for crypto_aesni_mb PMD, issue the command:
117 .. code-block:: console
119 $ ./fips_validation --vdev crypto_aesni_mb --
120 --req-file /PATH/TO/REQUEST/FILE.req --rsp-file ./PATH/TO/RESPONSE/FILE.rsp
121 --cryptodev crypto_aesni_mb
123 To run the application in linuxapp environment to test all AES-GCM FIPS test
124 data files in one folder for crypto_aesni_gcm PMD, issue the command:
126 .. code-block:: console
128 $ ./fips_validation --vdev crypto_aesni_gcm0 --
129 --req-file /PATH/TO/REQUEST/FILE/FOLDER/
130 --rsp-file ./PATH/TO/RESPONSE/FILE/FOLDER/
131 --cryptodev-id 0 --path-is-folder