Crypto initiate session returns invalid session index

karhoey · March 26, 2018, 9:26am

Using IPQ806x, I have added cryptographic hardware accelerators packages to improve openssl speed performance, and they seems properly installed.

However I found that the crypto offload is not running.

Regardless what openssl commands, e.g. openssl speed md5, the syslog will return a error namely "unable to allocate session: status 6".

From my debugging, I found the cipher algorithm supported between nss_cfi_ocf.c and nss_crypto.h are not match, at nss_cfi_ocf.c line 58:

static struct nss_cfi_ocf_algo cfi_algo[CRYPTO_ALGORITHM_MAX + 1] = {
[CRYPTO_AES_CBC] = {
NSS_CRYPTO_CIPHER_AES_CBC,
NSS_CRYPTO_MAX_KEYLEN_AES,
NSS_CRYPTO_MAX_IVLEN_AES,
NSS_CRYPTO_MAX_BLKLEN_AES,
0,
NSS_CFI_OCF_ALGO_TYPE_IS_CIPHER
},

referred to cryptodev.h and nss_crypto.h, you will get

cfi_algo[11].core_algo = 1

So at nss_cfi_ocf.c line 186 function nss_cfi_ocf_newsession:

If you send cipher algo of 1, the code will refer to cipher algo of 11.

Then the crypto session will get invalid session index thus unable to request any crypto transaction to hardware.

Is it the firmware bug or I have missed out something caused the allocate session failed?

Please correct me if I am wrong, thank you all!

slh · March 26, 2018, 11:27am

While the krait 300 derived ipq8065 SOC should have these hardware accelerators, it is not yet understood how to enable them, making it not available at this moment.

quarky · March 26, 2018, 11:36am

You can refer to the IPQ806x NSS QCA Drivers thread for the nss-crypto enabling progress. Think I’m close to enabling it. Do join me if you’re interested. My understanding of the Linux kernel inner workings are elementary at best at the moment, so progress is slow ...

tmomas · March 26, 2018, 1:24pm

which is this one:

karhoey · March 27, 2018, 6:24am

Hi @slh,

Do you included these module in your firmware compilation?

CONFIG_DEFAULT_kmod-crypto-qcrypto=y
CONFIG_DEFAULT_kmod-qca-nss-crypto=y
CONFIG_PACKAGE_kmod-qca-nss-crypto=y

karhoey · March 27, 2018, 7:31am

Thanks @quarky and @tmomas. glad to meet you in IPQ806x LEDE development journey!

Out of the two crypto drivers namely cryptodev-linux and OCF, I am testing the latter one currently, do you think that would make a difference?

quarky · March 27, 2018, 9:40am

Current builds of lede/OpenWrt does not have any crypto h/w device enabled, so it does not make any difference which one you test for the IPQ806x routers.

Wish me luck in activating the nss-crypto devices.

quarky · March 28, 2018, 6:19am

@karhoey how did you add NSS crypto support to OpenSSL?

karhoey · March 28, 2018, 6:39am

Firstly I installed these packages into firmware, then I double check from enabling nss_cfi_err debug message which looks like
kern.alert kernel: [ 254.558762] nss_crypto_session_alloc[1043]:new index - 0 (used - 1, max - 64),
from there I learned that one crypto session has been allocated.

Please correct me if I am wrong..

quarky · March 28, 2018, 6:40am

What version of lede/openwrt are you using? Which source tree and branch are you using?

karhoey · March 28, 2018, 6:45am

Actually I test from QSDK https://wiki.codeaurora.org/xwiki/bin/QSDK/, not yet think how to port into LEDE..

karhoey · March 28, 2018, 8:11am

@quarky

Seeing this results, with this high CPU usage, I think the NSS crypto engine is not triggered, am I right?

# time -v openssl speed -evp md5 -engine cryptodev
Doing md5 for 3s on 16 size blocks: 1282483 md5's in 2.70s
Doing md5 for 3s on 64 size blocks: 1102655 md5's in 2.68s
Doing md5 for 3s on 256 size blocks: 740989 md5's in 2.67s
Doing md5 for 3s on 1024 size blocks: 322873 md5's in 2.65s
Doing md5 for 3s on 8192 size blocks: 51618 md5's in 2.66s

The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
md5               7599.90k    26332.06k    71046.14k   124763.00k   158967.92k
	Command being timed: "openssl speed -evp md5 -engine cryptodev"
	User time (seconds): 13.36
	System time (seconds): 0.11
	Percent of CPU this job got: 89%
	Elapsed (wall clock) time (h:mm:ss or m:ss): 0m 15.01s

quarky · March 28, 2018, 8:27am

@karhoey yes, it's done using the router CPU instead of the crypto engine.

What router are you using? Can you post the git URL that you cloned?

What router are you running your custom built firmware on?

I'm interested to look at the codes that you first posted in this thread.

Thanks.

karhoey · March 28, 2018, 8:38am

Sure, here you go.

Follow the CAF Download Steps

I use the following tag

repo init -u git://codeaurora.org/quic/qsdk/releases/manifest/qstak -b release -m caf_AU_LINUX_QSDK_RELEASE_DANDELION_RB_TARGET_ALL.0.1.453.056.054.xml --repo-url=git://codeaurora.org/tools/repo.git --repo-branch=caf-stable

I am using Compex AP148.