Performing Self-Test
The cryptographic module enforces security rules to ensure that Juniper Networks Junos OS Evolved in FIPS mode meets the security requirements of FIPS 140-3 Level 1. To validate the output of cryptographic algorithms approved for FIPS and to test the integrity of some system modules, the device performs a series of known answer test (KAT) self-tests. If a failure occurs, the system logs an error in the syslog messages and the failure results in a FIPS error status. A device reboot may be required to recover the device.
You can view the self-test details for the MACsec library from syslog messages using the file show /var/log/filename | match FIPS command:
root@user:fips> file show /var/log/filename | match FIPS
Sep 19 11:39:04 host dot1xd[25429]: FIPS_KNOWN_ANSWER_TEST: root :AES128-CMAC Known Answer Test: Passed
Sep 19 11:39:04 host dot1xd[25429]: FIPS_KNOWN_ANSWER_TEST: root :AES256-CMAC Known Answer Test: Passed
Sep 19 11:39:04 host dot1xd[25429]: FIPS_KNOWN_ANSWER_TEST: root :AES-ECB Known Answer Test: Passed
Sep 19 11:39:04 host dot1xd[25429]: FIPS_KNOWN_ANSWER_TEST: root :AES-KEYWRAP Known Answer Test: Passed
Sep 19 11:39:04 host dot1xd[25429]: FIPS_KNOWN_ANSWER_TEST: root :KBKDF Known Answer Test: Passed
Sep 19 11:39:04 host dot1xd[25429]: FIPS Known Answer Tests passed
You can view the self-test details for the MACsec chip using the show trace application securityd | match KAT command:
2024-09-19 10:51:43.018130572 re0:securityd:11989:TRACE_INFO lltp_info message = "MACSECV2_DRV: macsecv2_drv_pg_aes_kats_test: ASIC 0 PG 0 AES-256-GCM KAT encryption passed."
2024-09-19 10:51:43.018480633 re0:securityd:11989:TRACE_INFO lltp_info message = "MACSECV2_DRV: macsecv2_drv_pg_aes_kats_test: ASIC 0 PG 0 AES-256-GCM KAT decryption passed."
2024-09-19 10:51:43.018829898 re0:securityd:11989:TRACE_INFO lltp_info message = "MACSECV2_DRV: macsecv2_drv_pg_aes_kats_test: ASIC 0 PG 1 AES-256-GCM KAT encryption passed."
2024-09-19 10:51:43.019178702 re0:securityd:11989:TRACE_INFO lltp_info message = "MACSECV2_DRV: macsecv2_drv_pg_aes_kats_test: ASIC 0 PG 1 AES-256-GCM KAT decryption passed."
2024-09-19 10:51:43.019526878 re0:securityd:11989:TRACE_INFO lltp_info message = "MACSECV2_DRV: macsecv2_drv_pg_aes_kats_test: ASIC 0 PG 2 AES-256-GCM KAT encryption passed."
2024-09-19 10:51:43.019863898 re0:securityd:11989:TRACE_INFO lltp_info message = "MACSECV2_DRV: macsecv2_drv_pg_aes_kats_test: ASIC 0 PG 2 AES-256-GCM KAT decryption passed."
2024-09-19 10:51:43.020212185 re0:securityd:11989:TRACE_INFO lltp_info message = "MACSECV2_DRV: macsecv2_drv_pg_aes_kats_test: ASIC 0 PG 3 AES-256-GCM KAT encryption passed."
2024-09-19 10:51:43.020560356 re0:securityd:11989:TRACE_INFO lltp_info message = "MACSECV2_DRV: macsecv2_drv_pg_aes_kats_test: ASIC 0 PG 3 AES-256-GCM KAT decryption passed."
2024-09-19 10:51:43.020857951 re0:securityd:11989:TRACE_INFO lltp_info message = "MACSECV2_DRV: macsecv2_drv_pg_aes_kats_test: ASIC 0 PG 4 AES-256-GCM KAT encryption passed."
2024-09-19 10:51:43.021196366 re0:securityd:11989:TRACE_INFO lltp_info message = "MACSECV2_DRV: macsecv2_drv_pg_aes_kats_test: ASIC 0 PG 4 AES-256-GCM KAT decryption passed."
2024-09-19 10:51:43.021544409 re0:securityd:11989:TRACE_INFO lltp_info message = "MACSECV2_DRV: macsecv2_drv_pg_aes_kats_test: ASIC 0 PG 5 AES-256-GCM KAT encryption passed."
2024-09-19 10:51:43.021863317 re0:securityd:11989:TRACE_INFO lltp_info message = "MACSECV2_DRV: macsecv2_drv_pg_aes_kats_test: ASIC 0 PG 5 AES-256-GCM KAT decryption passed."
2024-09-19 10:51:43.022211587 re0:securityd:11989:TRACE_INFO lltp_info message = "MACSECV2_DRV: macsecv2_drv_pg_aes_kats_test: ASIC 0 PG 6 AES-256-GCM KAT encryption passed."
2024-09-19 10:51:43.022566737 re0:securityd:11989:TRACE_INFO lltp_info message = "MACSECV2_DRV: macsecv2_drv_pg_aes_kats_test: ASIC 0 PG 6 AES-256-GCM KAT decryption passed."
2024-09-19 10:51:43.022915235 re0:securityd:11989:TRACE_INFO lltp_info message = "MACSECV2_DRV: macsecv2_drv_pg_aes_kats_test: ASIC 0 PG 7 AES-256-GCM KAT encryption passed."
2024-09-19 10:51:43.023263471 re0:securityd:11989:TRACE_INFO lltp_info message = "MACSECV2_DRV: macsecv2_drv_pg_aes_kats_test: ASIC 0 PG 7 AES-256-GCM KAT decryption passed."
2024-09-19 10:51:43.023611761 re0:securityd:11989:TRACE_INFO lltp_info message = "MACSECV2_DRV: macsecv2_drv_pg_aes_kats_test: ASIC 0 PG 8 AES-256-GCM KAT encryption passed."
2024-09-19 10:51:43.023960636 re0:securityd:11989:TRACE_INFO lltp_info message = "MACSECV2_DRV: macsecv2_drv_pg_aes_kats_test: ASIC 0 PG 8 AES-256-GCM KAT decryption passed."
2024-09-19 10:51:43.023961748 re0:securityd:11989:TRACE_INFO lltp_info message = "MACSECV2_DRV: macsecv2_drv_aes_kats_test: ASIC 0 KAT test is complete, validation successful"
2024-09-19 10:51:43.023962866 re0:securityd:11989:TRACE_INFO lltp_info message = "MACSECV2_DRV: macsecv2_drv_fips_run_kat - KAT passed for asic 0"
2024-09-19 10:51:43.024006290 re0:securityd:11989:TRACE_INFO lltp_info message = "MACSECV2_DRV: macsecv2_drv_init - called macsecv2_drv_fips_run_kat, status 0"
2024-09-19 10:51:43.024020752 re0:securityd:11989:TRACE_INFO lltp_info message = "virtual void SecdPicPdBt::initializeHardwareBlock(uint32_t) - Checking KAT status on 0/0, fpc i2c d24, pic i2c d21, block_num 0"
2024-09-19 10:51:43.024024112 re0:securityd:11989:TRACE_INFO lltp_info message = "void SecdPicPdBt::checkFIPSKAT(u_int8_t) - KAT passed for asic 0"
2024-09-19 10:51:43.024052157 re0:securityd:11989:TRACE_NOTICE lltp_notice message = "SECD_MACSEC_KAT_STATUS: /Chassis[0]/Fpc[0]/Pic[0], asic 0: succeeded"
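The following is an added example, not Juniper code, for checking exported copies of the two outputs above offline: it reports library KATs that are missing or not marked Passed, and ASIC/PG pairs that lack a passed encryption or decryption KAT. The function names are hypothetical, the sample lines are constructed from the output format shown on this page, and the "Failed"/"failed" wording is an assumption because the page shows only passing output.

```python
import re

# Algorithms named in the dot1xd sample output on this page.
EXPECTED_LIB_KATS = {"AES128-CMAC", "AES256-CMAC", "AES-ECB", "AES-KEYWRAP", "KBKDF"}
LIB_RE = re.compile(r"FIPS_KNOWN_ANSWER_TEST: \S+\s*:(\S+) Known Answer Test: (\w+)")
CHIP_RE = re.compile(r"ASIC (\d+) PG (\d+) \S+ KAT (encryption|decryption) (\w+)")

def check_library_kats(lines, expected=EXPECTED_LIB_KATS):
    """Return (missing, not_passed) algorithm lists for MACsec library syslog lines."""
    results = {}
    for line in lines:
        m = LIB_RE.search(line)
        if m:
            results[m.group(1)] = m.group(2)
    missing = sorted(set(expected) - set(results))
    # Fail closed: anything other than the literal "Passed" counts as a failure.
    not_passed = sorted(alg for alg, res in results.items() if res != "Passed")
    return missing, not_passed

def check_chip_kats(lines):
    """Return (asic, pg) pairs that lack a passed encryption or decryption KAT."""
    passed = {}
    for line in lines:
        m = CHIP_RE.search(line)
        if m:
            asic, pg, direction, result = m.groups()
            done = passed.setdefault((int(asic), int(pg)), set())
            if result == "passed":
                done.add(direction)
    return sorted(k for k, d in passed.items() if d != {"encryption", "decryption"})

# Constructed sample input modelled on the output above: the KBKDF line is
# omitted and two results use an assumed failure wording.
SYS_PREFIX = "Sep 19 11:39:04 host dot1xd[25429]: FIPS_KNOWN_ANSWER_TEST: root :"
SAMPLE_SYSLOG = [
    SYS_PREFIX + "AES128-CMAC Known Answer Test: Passed",
    SYS_PREFIX + "AES256-CMAC Known Answer Test: Passed",
    SYS_PREFIX + "AES-ECB Known Answer Test: Failed",       # constructed
    SYS_PREFIX + "AES-KEYWRAP Known Answer Test: Passed",
]
TRACE_PREFIX = ('2024-09-19 10:51:43.018130572 re0:securityd:11989:TRACE_INFO lltp_info '
                'message = "MACSECV2_DRV: macsecv2_drv_pg_aes_kats_test: ')
SAMPLE_TRACE = [
    TRACE_PREFIX + 'ASIC 0 PG 0 AES-256-GCM KAT encryption passed."',
    TRACE_PREFIX + 'ASIC 0 PG 0 AES-256-GCM KAT decryption passed."',
    TRACE_PREFIX + 'ASIC 0 PG 1 AES-256-GCM KAT encryption passed."',
    TRACE_PREFIX + 'ASIC 0 PG 1 AES-256-GCM KAT decryption failed."',  # constructed
]

if __name__ == "__main__":
    print(check_library_kats(SAMPLE_SYSLOG))
    print(check_chip_kats(SAMPLE_TRACE))
```

An empty list from check_chip_kats only means that no matched PG was incomplete; if the trace contains no KAT lines at all, treat that as a separate condition to investigate rather than as a pass.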