<div dir="ltr"><div dir="ltr"></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Mar 28, 2023 at 4:27 AM Ali Alnubani <<a href="mailto:alialnu@nvidia.com">alialnu@nvidia.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">> -----Original Message-----<br>
> From: <a href="mailto:jspewock@iol.unh.edu" target="_blank">jspewock@iol.unh.edu</a> <<a href="mailto:jspewock@iol.unh.edu" target="_blank">jspewock@iol.unh.edu</a>><br>
> Sent: Monday, March 27, 2023 7:52 PM<br>
> To: <a href="mailto:ci@dpdk.org" target="_blank">ci@dpdk.org</a><br>
> Cc: Jeremy Spewock <<a href="mailto:jspewock@iol.unh.edu" target="_blank">jspewock@iol.unh.edu</a>><br>
> Subject: [PATCH v6 4/4] doc: add readme file for acvp_tool<br>
> <br>
> From: Jeremy Spewock <<a href="mailto:jspewock@iol.unh.edu" target="_blank">jspewock@iol.unh.edu</a>><br>
> <br>
> updated out-of-date acvp_tool readme<br>
<br>
This only describes the diff with Brandon's patch. The original commit message should have been kept instead and expanded if needed.<br>
<br>
> <br>
> Signed-off-by: Jeremy Spewock <<a href="mailto:jspewock@iol.unh.edu" target="_blank">jspewock@iol.unh.edu</a>><br>
> ---<br>
[..]<br>
> +* FIPS Object Module<br>
> +```<br>
> +curl -o openssl-fips-2.0.16.tar.gz <a href="https://www.openssl.org/source/openssl-" rel="noreferrer" target="_blank">https://www.openssl.org/source/openssl-</a><br>
> fips-2.0.16.tar.gz<br>
> +tar xvfm openssl-fips-2.0.16.tar.gz<br>
> +cd openssl-fips-2.0.16<br>
> +./config<br>
> +make<br>
> +make install<br>
> +```<br>
<br>
Is this module required even with recent versions of openssl?<br></blockquote><div><br></div><div>In recent testing of the dependencies, when this module wasn't present there is inconsistent behavior that leads to errors.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
> +* OpenSSL library<br>
> +```<br>
> +curl -o openssl-1.0.2o.tar.gz <a href="https://www.openssl.org/source/openssl-" rel="noreferrer" target="_blank">https://www.openssl.org/source/openssl-</a><br>
> 1.0.2o.tar.gz<br>
> +export CFLAGS='-fPIC'<br>
> +tar xvfm openssl-1.0.2o.tar.gz<br>
> +cd openssl-1.0.2o<br>
> +./config shared fips<br>
> +make depend<br>
> +make<br>
> +```<br>
<br>
OpenSSL 1.0.2 is deprecated and probably vulnerable (<a href="https://www.openssl.org/news/vulnerabilities-1.0.2.html" rel="noreferrer" target="_blank">https://www.openssl.org/news/vulnerabilities-1.0.2.html</a>).<br>
You're also only building locally here, and you aren't pointing DPDK build to it, so I doubt it's making a difference.<br></blockquote><div><br></div><div>After doing some testing, it seems that this library is not needed in order to run the application and get passing vectors.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Can you please double check these dependencies?<br>
<br></blockquote><div><br></div><div>These dependencies were actually taken from the test plan documentation written for running the FIPS sample application. This was the only documentation I could find that mentions the required libraries in order to run the sample application so I followed it as closely as I could. The only thing I had to change was the version of the IPsec library because it wouldn't build with this older outdated version. This documentation should likely be updated:</div><div><br></div><div><a href="https://git.dpdk.org/tools/dts/tree/test_plans/fips_cryptodev_test_plan.rst">https://git.dpdk.org/tools/dts/tree/test_plans/fips_cryptodev_test_plan.rst</a><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
[..]<br>
> +### Using the DPDK FIPS Validation Example Application<br>
> +First, you have to make sure that you configure DPDK to build the FIPS<br>
> sample application before you compile with ninja<br>
> +```<br>
> +#inside dpdk/<br>
> +meson build --werror<br>
> +meson configure -Dexamples=fips_validation build<br>
<br>
You can combine them into a single command:<br>
meson --werror -Dexamples=fips_validation build<br>
<br>
> +sudo ninja -C build<br>
<br>
You're only making local changes here. If sudo wasn't required for the meson commands, it won't be required for this one.<br>
<br>
Additionally, I see the following warnings when applying the patch:<br>
<br>
Applying: doc: add readme file for acvp_tool<br>
.git/rebase-apply/patch:63: trailing whitespace.<br>
* In order to test AES-CTR you'll also have to remove the key `"ivGenMode"`<br>
.git/rebase-apply/patch:133: trailing whitespace.<br></blockquote><div><br></div><div>Fixed in v7.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
- Ali<br></blockquote><div><br></div><div>Thanks,</div><div>Jeremy </div></div></div>