OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710 USA
+1 8776736775
Instructions for CMVP Testing
Android 4.1 on ARMv7 with NEON
December 5, 2012
http://opensslfoundation.com/testing/validation2.0/platforms/androidxm/TestingInstructionsandroidxm4.1.pdf
Table of Contents
1 Overview
2 Inventory
  2.1 Hardware
  2.2 Software
3 Preparation
  3.1 Setup
  3.2 Preparing the Test Environment
  3.3 Access to Device
4 Testing
  4.1 Device Information
  4.2 Cross-Compilation
  4.3 Test Suite Execution
  4.4 Corruption Tests
5 Processing Test Vectors
1 Overview
Platform testing instructions for the OpenSSL FIPS Object Module v2.0 validation. The target device is the BeagleBoard-xM evaluation board. This device features the DM3730CBP 1GHz ARMv7 processor, which is NEON capable, running Android 4.0. Detailed technical specifications for this device, including the FCC Part 15 statement, are given in the document at http://beagleboard.org/static/BBxMSRM_latest.pdf.
USB device id is 20100720.
2 Inventory
2.1 Hardware
Hardware supplied by OSF:
• Special Computing Beagleboard-xM device (OSF00005)
• Power supply
• MicroSD card containing an Android 4.1 O/S image (installed in uSD port). (OSF00118)
Hardware supplied by test facility:
• N/A
2.2 Software
Software supplied by OSF (all software should be installed in the same directory on the Linux host system, as described in the following section):
• the file openssl-fips-ecp-2.0.2.tar.gz
  from http://opensslfoundation.com/testing/validation2.0/source/
• the file mkrespdir.pl
  from http://opensslfoundation.com/testing/validation2.0/testvectors/
• the file setenvandroidecp4.1.sh
  from http://openssl.com/testing/validation2.0/platforms/android/
When all downloads are complete the TOP directory should contain the following files (as shown by the "ls -l" command):
openssl-fips-ecp-2.0.2.tar.gz
mkrespdir.pl
setenvandroidecp4.1.sh
Software supplied by the test lab:
• The .tar.gz or .zip file containing a set of test vector request files. Note that an example of such a test vector data set can be found at http://opensslfoundation.com/testing/validation2.0/testvectors/tv.tar.gz
3 Preparation
3.1 Setup
Hardware Setup
Insert the 4Gb thumb drive into one of the USB ports. The microSD card should already be inserted into the uSD connector used for booting. Connect an Ethernet cable to the RJ45 port. Connect a USB cable between the "OTG" USB port on the Beagleboard (the one mini-USB jack, not one of the four regular-sized USB jacks) and the host build system (testhub). Connection of a digital LCD monitor, USB keyboard, and USB mouse is optional, but if a monitor is used it should be connected and powered up before the Beagleboard is powered up. Connect the power supply. The Beagleboard device takes about a minute to boot.
Host System Setup
To confirm that the Beagleboard device USB connection is visible on the host system, run:
$ lsusb | grep Google
Bus 001 Device 024: ID 18d1:9018 Google Inc.
$
Done one time only:
Log in as root and create the file /etc/udev/rules.d/51android.rules with contents:
SUBSYSTEM=="usb", SYSFS{idVendor}=="18d1", MODE="0666"
Execute the following to change the user mode for the rules file:
$ chmod a+r /etc/udev/rules.d/51android.rules
$ restart udev
Note the MAC address changes with each reboot.
3.2 Preparing the Test Environment
All commands are typed on the Linux host system, though some commands (those executed via "adb shell") will be remotely executed on the Android target device. You will be able to cut-and-paste from this document (fortunately, as some of these commands are fairly complex). We could script these commands more heavily but thought you might prefer to have full visibility.
In this document commands entered and executed on the Linux host system are bolded. Commands entered on the Linux host system but executed on the target device are shown in blue.
The five files identified in the Inventory section should reside in a single directory on the Linux host system; in this document we refer to this directory as TOP. The filesystem should have at least 500Mb of free space (the "df -h ." command will show the amount of available space under the Avail column). Open a command shell on the Linux host system (use of an unprivileged account is highly recommended), and change the working directory to TOP. Unpack the compressed files:
$ bunzip2 -c android-ndk-r8b-linux-x86.tar.bz2 | tar xf -
$ gunzip -c android-sdk_r20.0.3-linux.tgz | tar xf -
$ gunzip -c tv.tar.gz | tar xf -        (unpack this test lab supplied file as appropriate)
(first we start the communications service)
Open a separate command shell as root ("sudo su -"), and change to the directory containing the files that were just unpacked. Then start the background service. Note this must be done with root privilege:
# android-sdk-linux/platform-tools/adb start-server
3.3 Access to Device
For remote access via the OSF testhub server:
$ ssh [email protected]
OSF testhub server
Last login: Thu Dec 15 14:23:03 2011 from 4.30.38.37
fipstest@testhub:~$ cd /mnt/share/osf/TOPandroid4.1
fipstest@testhub:/mnt/osf/TOPAndroid4.1
(next we establish that the Linux host system can talk to the Android device)
We strongly recommend that you not use the root shell for any testing. The USB cable to the Android target device and the Linux host system should have been connected before the Android target device was powered up.
$ android-sdk-linux/platform-tools/adb devices
List of devices attached
20100720 device
If you see only the one line
List of devices attached
then the USB connection has not been initialized; try powering down the Android target device, confirming that the USB is connected at both ends, and powering it back up.
If more than one device is displayed, for instance:
List of devices attached
20100720 device
02885003435f8057 device
then more than one Android device is currently connected to the Linux host system. In that case the specific device of interest will need to be specified with the "-s <device serial>" option to subsequent android-sdk-linux/tools/adb invocations:
android-sdk-linux/platform-tools/adb -s 20100720 <subcommand> <...options...>
For clarity the "-s <device serial>" option is not shown in the following discussion.
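The three listings above (no device, one device, several devices) can be told apart mechanically. The shell function below is an added example, not part of the original instructions; the function and sample names are hypothetical, and its inputs are constructed to reproduce the listings shown above.

```shell
#!/bin/sh
# Added example: decide whether "-s <device serial>" is needed for the test board.

# adb_target_args SERIAL   (reads "adb devices" output on standard input)
# Prints the extra adb arguments needed to reach SERIAL: nothing when it is the
# only attached device, "-s SERIAL" when other devices are attached as well.
# Returns 1 if no device is listed, 2 if SERIAL is absent or not in state "device".
adb_target_args() {
    awk -v want="$1" '
        /^List of devices attached/ { listing = 1; next }
        !listing || NF < 2 { next }           # daemon chatter, blank lines
        {
            count++
            # Force a string comparison: serials may have leading zeros or hex digits.
            if (($1 "") == (want "")) state = $2
        }
        END {
            if (count == 0)        exit 1
            if (state != "device") exit 2
            if (count > 1) print "-s " want
        }
    '
}

# Constructed inputs reproducing the three listings shown above.
sample_none() { printf 'List of devices attached\n\n'; }
sample_one()  { printf 'List of devices attached\n20100720\tdevice\n\n'; }
sample_two()  { printf 'List of devices attached\n20100720\tdevice\n02885003435f8057\tdevice\n\n'; }

# On the host the input would come from: android-sdk-linux/platform-tools/adb devices
for s in sample_none sample_one sample_two; do
    if args=$($s | adb_target_args 20100720); then
        echo "$s: adb ${args:+$args }<subcommand>"
    else
        echo "$s: board 20100720 not usable (status $?)"
    fi
done
```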
4 Testing
This section assumes the bolded commands are being typed on the testhub server (see section 3.2) with a current directory of /mnt/osf/TOPandroidxm/.
For remote access via the OSF testhub server:
$ ssh [email protected]
OSF testhub server
Last login: Thu Dec 15 14:23:03 2011 from 4.30.38.37
fipstest@testhub:~$ cd /mnt/share/osf/TOPandroid4.1
fipstest@testhub:/mnt/osf/TOPAndroid4.1
4.1 Device Information
Note at this point the processor type of the Android test device can be displayed:
$ android-sdk-linux/platform-tools/adb shell
(should see "$" prompt from a shell executing on the Android target device)
root@android:/ # cat /proc/cpuinfo
Processor : ARMv7 Processor rev 2 (v7l)
BogoMIPS : 996.74
Features : swp half thumb fastmult vfp edsp thumbee neon vfpv3
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x3
CPU part : 0xc08
CPU revision : 2
Hardware : OMAP3 Beagle Board
Revision : 0020
Serial : 0000000000000000
root@android:/ # cat /proc/version
Linux version 2.6.37gf39966b (x0179557@sditapps03) (gcc version 4.6.xgoogle 20120106 (prerelease) (GCC) ) #1 Fri Aug 17 12:20:54 IST 2012
root@android:/ # getprop ro.build.version.release
4.1.1
root@android:/ # exit
(return to shell on Linux host system)
4.2 Cross-Compilation
First we set the environment variables to define the target platform, and confirm the pathnames are correct:
$ . setenvandroidecp4.1.sh        (note the leading dot "." followed by a space " ")
$ rm -rf openssl-fips-ecp-2.0.2
$ gunzip -c openssl-fips-ecp-2.0.2.tar.gz | tar xf -
$ cd openssl-fips-ecp-2.0.2
$ arm-linux-androideabi-gcc --version
arm-linux-androideabi-gcc (GCC) 4.6.xgoogle 20120106 (prerelease)
Copyright (C) 2011 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Next we perform the actual cross-compilation to generate the binaries:
$ ./config
(should see several screens of output)
$ make
(should see lots of output)
$ make build_algvs
(should see lots of output)
$ cd ..        (back to TOP directory)
Copy the test suite program to the Android target device:
$ android-sdk-linux/platform-tools/adb push openssl-fips-ecp-2.0.2/test/fips_algvs /data/local/tmp/
1181 KB/s (531250 bytes in 0.438s)        (exact counts may vary)
$
Note that "openssl-fips-ecp-2.0.2/test/fips_algvs" and "/data/local/tmp/" are separate command line arguments separated by whitespace.
4.3 Test Suite Execution
At this point we can execute the fips_test_suite program on the Android target device. Note that the "with NEON" and "without NEON" cases can be run using the same executable (rebuilding from source is not necessary):
$ android-sdk-linux/platform-tools/adb shell
$ cd /data/local/tmp
$ unset OPENSSL_armcap        (with NEON)
$ export OPENSSL_armcap=0     (without NEON)
$ ./fips_algvs fips_test_suite
FIPSmode test application
FIPS 2.0rc1 unvalidated test module xx XXX xxxx
DRBG AES256CTR DF test started
DRBG AES256CTR DF test OK
1. NonApproved cryptographic operation test...
.
.
.
(should see the typical fips_test_suite output; note it will take a long time to run; the "./test/fips_test_suite post" command will exercise the POST only and run much more quickly)
$ exit
The fips_test_suite program can be invoked with different command line options for the various demonstrations such as KAT corruption.
4.4 Corruption Tests
Note the corruption tests are run automatically for the fips_test_suite option as invoked in Section 4.3 above. The tests are shown in the output from that option from the point where the line
13. Induced test failure check...
is printed. Each specific test is preceded by one of the lines
Testing induced failure of XXXX
Testing operation failure with XXXX
and the conclusion of all the corruption tests should end with the lines
Induced failure test completed with 0 errors
successful as expected
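Since the run is long, the pass condition described above is easier to check from a saved log than by eye. The script below is an added example, not part of the original instructions; it assumes the device output was captured to a file, its function names are hypothetical, and the log it runs on is constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example: check the induced-failure section of a saved fips_test_suite log.

# check_corruption_log FILE: prints a one-line verdict, returns 0 only on PASS.
check_corruption_log() {
    awk '
        BEGIN { tests = 0 }
        /13\. Induced test failure check/ { in_sec = 1; next }
        !in_sec { next }                      # ignore everything before test 13
        /Testing induced failure of / || /Testing operation failure with / { tests++ }
        /Induced failure test completed with [0-9]+ errors/ {
            finished = 1
            for (i = 1; i < NF; i++) if ($i == "with") errs = $(i + 1) + 0
        }
        finished && /successful as expected/ { confirmed = 1 }
        END {
            if (!in_sec)    { print "FAIL: test 13 never started"; exit 1 }
            if (!finished)  { print "FAIL: log ends before the summary (" tests " tests seen)"; exit 1 }
            if (errs != 0)  { print "FAIL: summary reports " errs " errors"; exit 1 }
            if (!confirmed) { print "FAIL: no \"successful as expected\" after the summary"; exit 1 }
            if (tests == 0) { print "FAIL: summary present but no individual tests logged"; exit 1 }
            print "PASS: " tests " induced-failure tests, 0 errors"
        }
    ' "$1"
}

# Constructed sample log (lines modeled on the excerpts above; XXXX is the
# page's own stand-in for the algorithm name), not captured from a device.
sample_log() {
    cat <<'EOF'
DRBG AES256CTR DF test started
DRBG AES256CTR DF test OK
13. Induced test failure check...
Testing induced failure of XXXX
Testing operation failure with XXXX
Induced failure test completed with 0 errors
successful as expected
EOF
}

log=$(mktemp)
sample_log > "$log"
check_corruption_log "$log"
# A run cut short (device unplugged, shell closed) must not pass silently.
sed '/completed with/,$d' "$log" > "$log.cut"
check_corruption_log "$log.cut" || true
rm -f "$log" "$log.cut"
```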
5 Processing Test Vectors
A subdirectory containing all the test vector files should be present at the root of the source code workarea. Create the "fipstest.sh" script:
$ perl openssl-fips-ecp-2.0.2/fips/fipsalgtest.pl --minimal-script --generate-script=fipstests.sh --dir=TV
(you may see lots of informative or non-fatal warning messages depending on the content of the test vector directory)
Note that the fipsalgtest.pl program will automatically locate the test vector files if they are present in the current directory, and are the only such set of test vector files. The --dir=TV option can be used to search just the subdirectory TV for the test vector files.
Note for this platform the ./resp/ subdirectories in the test vector directory tree must exist. Use the mkrespdir.pl utility to generate any missing subdirectories:
$ perl mkrespdir.pl TV
making OE3/OSF_2464_OE3/AES/resp
touching OE3/OSF_2464_OE3/AES/resp/CBCGFSbox128.rsp
touching OE3/OSF_2464_OE3/AES/resp/CBCGFSbox192.rsp
touching OE3/OSF_2464_OE3/AES/resp/CBCGFSbox256.rsp
touching OE3/OSF_2464_OE3/AES/resp/CBCKeySbox128.rsp
.
.
.
touching OE3/OSF_2464_OE3/XTS/resp/XTSGenAES128.rsp
touching OE3/OSF_2464_OE3/XTS/resp/XTSGenAES256.rsp
making OE3/OSF_2464_OE3_Part3_RSAPSS_0salt/RSA/resp
touching OE3/OSF_2464_OE3_Part3_RSAPSS_0salt/RSA/resp/SigGenPSS_1862.rsp
touching OE3/OSF_2464_OE3_Part3_RSAPSS_0salt/RSA/resp/SigVerPSS_1862.rsp
$
Copy the fipstest.sh program and test vectors to the Android target device:
$ android-sdk-linux/platform-tools/adb push fipstests.sh /storage/sdcard0/
705 KB/s (30512 bytes in 0.042s)        (actual number may differ)
$ android-sdk-linux/platform-tools/adb push TV /storage/sdcard0/TV
push: tv/OSF_2464_Template_Part3_RSAPSS_0salt/RSA/req/SigGenPSS_1862.req > /mnt/sdcard/OSF_2464_Template_Part3_RSAPSS_0salt/RSA/req/SigGenPSS_1862.req
push: tv/OSF_2464_Template_Part3_RSAPSS_0salt/RSA/req/SigVerPSS_1862.req >
.
.
.
push: OE2/OSF_2464_OE2_Part2_ECPrime/ECDSA/resp/SigVer.rsp > /data/local/tmp/OE2/OSF_2464_OE2_Part2_ECPrime/ECDSA/resp/SigVer.rsp
push: OE2/OSF_2464_OE2_Part2_ECPrime/ECDSA/resp/PKV.rsp > /data/local/tmp/OE2/OSF_2464_OE2_Part2_ECPrime/ECDSA/resp/PKV.rsp
518 files pushed. 0 files skipped.
958 KB/s (70139190 bytes in 71.488s)
...where TV is the name of the subdirectory containing the test vector files.
Invoke a shell on the Android target device to run the fipstest.sh script. At this point the /data/local/tmp/ directory on the Android target device should contain the fipstest.sh program and two subdirectories:
$ android-sdk-linux/platform-tools/adb shell
$ unset OPENSSL_armcap        (with NEON)
$ export OPENSSL_armcap=0     (without NEON)
$ cd /data/local/tmp
$ ls -l
rwxrwxrwx root root 572630 20121117 17:22 fips_algvs
$ cd /storage/sdcard0
$ ls -l
drwxrwxrx root root 20000101 00:26 TV
rwrwrw root root 44427 20111027 16:43 fipstest.sh
Now invoke the fipstest.sh program. Note this will take a long time (several hours) to complete:
$ /data/local/tmp/fips_algvs
Running command line: ../test/fips_dssvs pqg
Running command line: ../test/fips_dssvs keypair
Running command line: ../test/fips_dssvs siggen
Running command line: ../test/fips_dssvs sigver
Running command line: ../test/fips_dssvs pqgver
Running command line: ../test/fips_dssvs pqg
.
.
.
Running command line: ../test/fips_gcmtest encrypt
Running command line: ../test/fips_gcmtest encrypt
Running command line: ../test/fips_gcmtest encrypt
Running command line: ../test/fips_gcmtest xts
Running command line: ../test/fips_gcmtest xts
Running command line: ../test/fips_ecdhvs ecdhgen
Completed with 0 errors
$ exit
Copy the test vector directory back to the Linux host system:
$ android-sdk-linux/platform-tools/adb pull /storage/sdcard0/TV TV.results
pull: building file list...
pull: /mnt/sdcard/OE12/OSF_2464_OE12/DRBG80090/req/CTR_DRBG.req > OE12.results/OSF_2464_OE12/DRBG80090/req/CTR_DRBG.req
pull: /mnt/sdcard/OE12/OSF_2464_OE12/DRBG80090/req/HMAC_DRBG.req > OE12.results/OSF_2464_OE12/DRBG80090/req/HMAC_DRBG.req
pull: /mnt/sdcard/OE12/OSF_2464_OE12/DRBG80090/req/Dual_EC_DRBG.req >
.
.
.
pull: /mnt/sdcard/OE12/OSF_2464_OE12_Part3_RSAPSS_0salt/RSA/req/SigGenPSS_1862.req > OE12.results/OSF_2464_OE12_Part3_RSAPSS_0salt/RSA/req/SigGenPSS_1862.req
pull: /mnt/sdcard/OE12/OSF_2464_OE12_Part3_RSAPSS_0salt/RSA/resp/SigGenPSS_1862.rsp > OE12.results/OSF_2464_OE12_Part3_RSAPSS_0salt/RSA/resp/SigGenPSS_1862.rsp
pull: /mnt/sdcard/OE12/OSF_2464_OE12_Part3_RSAPSS_0salt/RSA/resp/SigVerPSS_1862.rsp > OE12.results/OSF_2464_OE12_Part3_RSAPSS_0salt/RSA/resp/SigVerPSS_1862.rsp
518 files pulled. 0 files skipped.
2172 KB/s (153917478 bytes in 69.179s)
$
The resulting directory TV.results can then be zipped/tarred and exported for analysis.
$ tar cf - TV.results | gzip -c > TV.results.tar.gz
$ scp TV.results.tar.gz somename@somehost:/somedir
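A check worth running on the pulled directory before it is packaged: every request file should have a response file with content. The script below is an added example, not part of the original instructions; its function names are hypothetical, it assumes that a missing or zero-length .rsp file (such as one only "touched" by mkrespdir.pl) marks a request that was never processed, and it runs on a constructed sample tree.

```shell
#!/bin/sh
# Added example: audit a pulled test vector tree before packaging it.
# Assumption: a response file that is missing or zero bytes long (for example one
# only "touched" by mkrespdir.pl) means that request was never processed.

# audit_responses DIR: for each */req/NAME.req expect a non-empty */resp/NAME.rsp.
# Prints one line per problem plus a summary; returns 0 only if every request
# has a non-empty response and at least one request was found.
audit_responses() {
    ar_list=$(mktemp)
    ar_ok=0; ar_empty=0; ar_missing=0
    find "$1" -type f -path '*/req/*.req' | sort > "$ar_list"
    while IFS= read -r ar_req; do
        ar_alg=$(dirname "$(dirname "$ar_req")")
        ar_rsp=$ar_alg/resp/$(basename "$ar_req" .req).rsp
        if [ ! -e "$ar_rsp" ]; then
            echo "MISSING $ar_rsp"; ar_missing=$((ar_missing + 1))
        elif [ ! -s "$ar_rsp" ]; then
            echo "EMPTY $ar_rsp"; ar_empty=$((ar_empty + 1))
        else
            ar_ok=$((ar_ok + 1))
        fi
    done < "$ar_list"
    rm -f "$ar_list"
    echo "ok=$ar_ok empty=$ar_empty missing=$ar_missing"
    [ "$ar_ok" -gt 0 ] && [ $((ar_empty + ar_missing)) -eq 0 ]
}

# Constructed sample tree (directory names follow the listings above; file
# contents are placeholders, not real test vectors).
make_sample_tree() {
    st_dir=$1/OE3/OSF_2464_OE3/AES
    mkdir -p "$st_dir/req" "$st_dir/resp"
    for st_name in CBCGFSbox128 CBCGFSbox192 CBCKeySbox128; do
        echo "placeholder request" > "$st_dir/req/$st_name.req"
    done
    echo "placeholder response" > "$st_dir/resp/CBCGFSbox128.rsp"
    : > "$st_dir/resp/CBCGFSbox192.rsp"     # touched but never filled in
    # resp/CBCKeySbox128.rsp is deliberately absent
}

demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
audit_responses "$demo_dir" || echo "TV.results is incomplete; do not package it"
rm -rf "$demo_dir"
```

On the host the call would be `audit_responses TV.results`, run from the TOP directory after the pull completes.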