APU2 hardware acceleration: crypto module not loading?

I am running OpenWrt on a PC Engines APU2, with a SoC that supports AES-NI. For that the ccp-crypto module is needed, but it refuses to load:

[    9.700375] kmodloader: 1 module could not be probed
[    9.705437] kmodloader: - ccp-crypto - 0

Modules loaded:

# lsmod|grep ccp
ccp                    53248  0 
sha1_generic           12288  2 sha1_ssse3,ccp
sha256_generic         16384  2 sha256_ssse3,ccp

Anyone know how to fix this? The dependencies are loaded.

# modinfo ccp-crypto
module:		/lib/modules/4.14.155/ccp-crypto.ko
license:	GPL
depends:	rsa_generic,akcipher,ccp
retpoline:	Y
# lsmod|egrep "rsa_generic|akcipher"
akcipher               12288  1 rsa_generic
asn1_decoder           12288  1 rsa_generic
mpi                    20480  1 rsa_generic
rsa_generic            16384  0

Works for me ...

root@blackhole1:~# lsmod | grep ccp
akcipher               12288  2 ccp_crypto,rsa_generic
ccp                    57344  1 ccp_crypto
ccp_crypto             24576  0 
rsa_generic            16384  1 ccp_crypto
sha1_generic           12288  2 sha1_ssse3,ccp
sha256_generic         20480  2 sha256_ssse3,ccp
root@blackhole1:~# dmesg | grep ccp
[    9.235400] ccp 0000:00:08.0: 5 command queues available
[    9.242424] ccp 0000:00:08.0: ccp enabled
[    9.246663] ccp 0000:00:08.0: enabled
root@blackhole1:~# ubus call system board
	"kernel": "4.19.85",
	"hostname": "blackhole1",
	"system": "AMD GX-412TC SOC",
	"model": "PC Engines apu2",
	"board_name": "pc-engines-apu2",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r11583-68fb38548b",
		"target": "x86/64",
		"description": "OpenWrt SNAPSHOT r11583-68fb38548b"

I've switched all my vpns to wireguard a while ago, that's why AES-NI isn't so important to me anymore ...:wink:

Just a rough guess: Maybe that's related to your openssl library settings!? "Engines" support enabled!?

So did I but I'd like to fix it either way :wink: .

I have no engine enabled indeed. What engine should I enable? Devcrypto? Should I enable 'build chosen engines into libcrypto' as well?

I've made the following openssl related change in my builds to keep in line with master ...

As I said before, I have no evidence that this change will help! :wink:

That's in 19.07 as well, that's probably why the crypto engine was disabled now on my 19.07 builds. Will adapt my config and report back.

So I recompiled and have the crypto engine installed now, but the ccp_crypto module is still not loaded. /dev/crypto is present now though; so there's progress.

The OpenSSL configuration looks like this (CIPHERS used to be the default, ALL):

# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.

# Note that you can include other files from the main configuration
# file using the .include directive.
#.include filename

# This definition stops the following lines choking if HOME isn't
# defined.
HOME			= .

#oid_file		= $ENV::HOME/.oid
oid_section		= new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions		=
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)



# To enable an engine, install the package, and uncomment it here:

default_algorithms = ALL

# Leave this alone and configure algorithms with CIPERS/DIGESTS below
default_algorithms = ALL

# Configuration commands:
# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a
# list of supported algorithms, along with their driver, whether they
# are hw accelerated or not, and the engine's configuration commands.

# USE_SOFTDRIVERS: specifies whether to use software (not accelerated)
# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use
# if acceleration can't be determined) [default=2]

# CIPHERS: either ALL, NONE, or a comma-separated list of ciphers to
# enable [default=ALL]
# It is recommended to disable the ECB ciphers; in most cases, it will
# only be used for PRNG, in small blocks, where performance is poor,
# and there may be problems with apps forking with open crypto
# contexts, leading to failures.  The CBC ciphers work well:

# DIGESTS: either ALL, NONE, or a comma-separated list of digests to
# enable [default=NONE]
# It is strongly recommended not to enable digests; their performance
# is poor, and there are many cases in which they will not work,
# especially when calling fork with open crypto contexts.  Openssh,
# for example, does this, and you may not be able to login.

openssl engine -pre DUMP_INFO devcrypto output:

Information about ciphers supported by the /dev/crypto engine:
Cipher DES-CBC, NID=31, /dev/crypto info: id=1, CIOCGSESSION (session open call) failed
Cipher DES-EDE3-CBC, NID=44, /dev/crypto info: id=2, CIOCGSESSION (session open call) failed
Cipher BF-CBC, NID=91, /dev/crypto info: id=3, CIOCGSESSION (session open call) failed
Cipher CAST5-CBC, NID=108, /dev/crypto info: id=4, CIOCGSESSION (session open call) failed
Cipher AES-128-CBC, NID=419, /dev/crypto info: id=11, driver=cbc-aes-aesni (software)
Cipher AES-192-CBC, NID=423, /dev/crypto info: id=11, driver=cbc-aes-aesni (software)
Cipher AES-256-CBC, NID=427, /dev/crypto info: id=11, driver=cbc-aes-aesni (software)
Cipher RC4, NID=5, /dev/crypto info: id=12, CIOCGSESSION (session open call) failed
Cipher AES-128-CTR, NID=904, /dev/crypto info: id=21, driver=ctr-aes-aesni (software)
Cipher AES-192-CTR, NID=905, /dev/crypto info: id=21, driver=ctr-aes-aesni (software)
Cipher AES-256-CTR, NID=906, /dev/crypto info: id=21, driver=ctr-aes-aesni (software)
Cipher AES-128-ECB, NID=418, /dev/crypto info: id=23, driver=ecb-aes-aesni (software)
Cipher AES-192-ECB, NID=422, /dev/crypto info: id=23, driver=ecb-aes-aesni (software)
Cipher AES-256-ECB, NID=426, /dev/crypto info: id=23, driver=ecb-aes-aesni (software)

Information about digests supported by the /dev/crypto engine:
Digest MD5, NID=4, /dev/crypto info: id=13, driver=unknown. CIOCGSESSION (session open) failed
Digest SHA1, NID=64, /dev/crypto info: id=14, driver=sha1-avx (software), CIOCCPHASH capable
Digest RIPEMD160, NID=117, /dev/crypto info: id=102, driver=unknown. CIOCGSESSION (session open) failed
Digest SHA224, NID=675, /dev/crypto info: id=103, driver=sha224-avx (software), CIOCCPHASH capable
Digest SHA256, NID=672, /dev/crypto info: id=104, driver=sha256-avx (software), CIOCCPHASH capable
Digest SHA384, NID=673, /dev/crypto info: id=105, driver=unknown. CIOCGSESSION (session open) failed
Digest SHA512, NID=674, /dev/crypto info: id=106, driver=unknown. CIOCGSESSION (session open) failed

if you want, i can send you my working (master) build configuration.

Thanks. Could you post your diffconfig? You can PM it if you prefer.

Hi there, I ran into the same problem. I tried everything with my build config but can't get the ccp_crypto module loaded. I'm on the 19.07.0-rc2 branch.

I tried compiling with option Enable engine support and libopenssl-devcrypto but no success. Same when selecting Enable engine support and Build chosen engines into libcrypto.

I have the same settings in my openssl config as @Borromini. I followed this guide.

Does anyone has any idea what I am missing?

@dibdot was so kind to share his config with me but I didn't have time to test it yet. Will keep you in the loop.

Yes, thank you! I'll do some further testing.

I want to report that I flashed the latest coreboot mainline [v4.11.0.1] and now ccp_crypto is loaded at boot!

@Borromini I hope this solves your problem too!


Good to know, thanks! I am a bit nervous about replacing coreboot, it's a remote production machine and I have no immediate backup if it breaks (nor can I fix it).

flashrom is a breeze, but after flashing you need to reboot and the boot order changed on my machine. I had to use a serial connection to fix the boot order in the SeaBIOS. So don't try this when having only remote access.

1 Like

Good to know. Do you have multiple storage devices installed? I just have an SSD inside.

I have a SSD for openwrt, and also a sdcard for backup purposes.

it's giving me grief! I SSH into my OpenWRT router, wget the bios, but get an error when trying to flash it. Am i missing a trick?

root@Odin:~# flashrom -w apu2_v4.11.0.1.rom -p internal:boardmismatch=force
flashrom v1.0 on Linux 4.14.131 (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Critical error: open(/dev/mem): No such file or directory
Error accessing low megabyte, 0x100000 bytes at 0x0000000000000000
/dev/mem mmap failed: No such file or directory
Failed getting access to coreboot low tables.
Critical error: open(/dev/mem): No such file or directory
Error accessing DMI, 0x10000 bytes at 0x00000000000f0000
/dev/mem mmap failed: No such file or directory
Found chipset "AMD FCH".
Enabling flash write... Critical error: open(/dev/mem): No such file or directory
Error accessing SB600 SPI registers, 0x1000 bytes at 0x00000000fec10000
/dev/mem mmap failed: No such file or directory
Error: Programmer initialization failed.

ah, this will be my problem; from https://openwrt.org/toh/pcengines/apu2

To update the APU firmware with flashrom on OpenWrt, you must have a kernel with support for /dev/mem (compile with CONFIG_KERNEL_DEVMEM=y ).

So, no dice for me since I used ImageBuilder rather than compiling from source.

Just try building your openwrt with CONFIG_KERNEL_DEVMEM=y. It's not a very big deal. If you've tried image builder, you can do this too.

Or, alternatively, boot from a debian stick and try to flash coreboot: https://teklager.se/en/knowledge-base/apu-bios-upgrade/

1 Like

Thanks. Yeah, I really should set up a build machine; one for 2020!

In the meantime, I did try booting from Debian but couldn't apt-get flashrom once in a rescue shell. I guess I'll have to install Debian to the apu2 (being careful not to overwrite my OpenWRT installation) and do it that way.

Thanks for the tips.

1 Like