IPQ806x NSS Drivers

Hi Quarky,

Thanks for your hard work for two years. Recently, I'm interested in NSS crypto too. Here is some information I got. Just FYI. You can see there is a kernel module for speeding up OpenVPN (using OpenSSL):
https://source.codeaurora.org/quic/qsdk/oss/lklm/nss-clients/tree/openvpn/src?h=NHSS.QSDK.12.0.5.r1

This is the first patch to introduce OpenVPN Data Channel Acceleration(DCA) support in user space:
https://source.codeaurora.org/quic/qsdk/oss/system/openwrt/commit/?h=NHSS.QSDK.12.0.5.r1&id=30ab539b8e9b3e212e3ccf03b7f5d5a5866a43dd

You can also search with the keyword "vpn". Found more commits:
https://source.codeaurora.org/quic/qsdk/oss/system/openwrt/log/?qt=grep&q=vpn&h=NHSS.QSDK.12.0.5.r1

Seems that only IPQ807x and IPQ60xx support OpenVPN DCA in QSDK. No support for IPQ806x for now.
I will test this on IPQ807x when I borrow one. Hope this information helps and you can port these patches to IPQ806x.

@quarky - What do I need to run Crypto NSS?
I have nss-cfi and nss-crypto modules installed and it doesn't work.
When I try openssl benchmark I have an error like below. What am I missing?

[   65.124631] nss_cryptoapi_ablk_aes_setkey[279]:nss_crypto_session_alloc failed - status: 1
[   75.354139] nss_cryptoapi_ablk_aes_setkey[279]:nss_crypto_session_alloc failed - status: 1
[   85.594617] nss_cryptoapi_3des_cbc_setkey[681]:nss_crypto_session_alloc failed - status: 1
[   95.833780] nss_cryptoapi_ablk_aes_setkey[279]:nss_crypto_session_alloc failed - status: 1
[  106.073658] nss_cryptoapi_ablk_aes_setkey[279]:nss_crypto_session_alloc failed - status: 1

I have OpenWrt based on QSDK 10

Yeah, the qvpn NSS interfaces seem to be available for Hawkeye SoCs only. From what I read from the QSDK sources, it looks like the qvpn NSS interfaces do the encryption/decryption directly on the received packets. If that's the case, it would mean that OpenVPN has to be patched to work with it, otherwise it will not work.

I was kind of excited to be able to try out later QSDK firmware initially as it has OpenVPN support, but was disappointed when I found out that it's only for Hawkeye SoCs.

Anyway, I'm currently trying to figure out how to use the ipq806x NSS crypto for AEAD encryption. From what I can piece together, if OpenVPN is patched to call NSS crypto engine directly using the cryptodev APIs (i.e. bypassing OpenSSL) and using AEAD (i.e. hmac-sha1/sha256-aes-cbc) cipher, performance may improve, or it may not. In any case, it's an interesting project for me to try.

At the moment the performance is so bad that it's not worth the effort to turn it on for production use.

If you are interested in trying, you need the following:

  1. All the patches (minimally the 2xx) for the qca-nss-cfi drivers I've pushed here:
  2. Enable the cryptodev-linux package/driver
  3. Enable OpenSSL to use crypto engine support for cryptodev engine.

The patches are for QSDK 11.2r1 drivers, but it should apply properly to QSDK 10.0 drivers. I don't think it changes much.

OpenSSL and OpenVPN will just work if you use aes-128/256-cbc cipher, just not fast.

HTH.


root@OpenWrt:~# uname -a
Linux OpenWrt 5.4.51 #0 SMP Thu Jul 30 17:26:08 2020 armv7l GNU/Linux
root@OpenWrt:~# uptime
 07:59:43 up 5 days, 11:32,  load average: 0.00, 0.00, 0.00

Thanks to all involved. Doing well as a wired router with those three packages loaded, getting line speed with an r7800 (940 Mbps).

Wifi is the same speed as a normal build.

What’s next for NSS offloading? Anything else needed to accelerate wifi?

Hi Quarky,

I would like to share with you the IPQ807x OpenVPN performance. It's at least 790Mbps. It's more, because I see my PC is the bottleneck when testing the performance.

How to set up?

The IPQ807x acts as the server; my PC is the client. Run iperf on the IPQ807x and my PC.

root@OpenWrt:/tmp/etc# Fri Jul  3 09:37:01 2020 DCA: Received PING packet:0x55b7895700
root@OpenWrt:/tmp/etc# cat openvpn-sample_server.conf 
persist-key
persist-tun
enable-dca
auth SHA1
ca /lib/uci/upload/cbid.openvpn.sample_server.ca
cert /lib/uci/upload/cbid.openvpn.sample_server.cert
cipher AES-128-CBC
#comp-lzo no
dev tun
dh /lib/uci/upload/cbid.openvpn.sample_server.dh
ifconfig-pool-persist /tmp/ipp.txt
keepalive 10 120
key /lib/uci/upload/cbid.openvpn.sample_server.key
port 1194
proto udp
server 10.8.0.0 255.255.255.0
status /tmp/openvpn-status.log
user nobody
verb 3
root@OpenWrt:/tmp/etc# iperf -c 10.8.0.6 -t 30 -P 2
Fri Jul  3 09:36:20 2020 DCA: Received PING packet:0x55b7895700
------------------------------------------------------------
Client connecting to 10.8.0.6, TCP port 5001
TCP window size: 45.0 KByte (default)
------------------------------------------------------------
[  4] local 10.8.0.1 port 37954 connected with 10.8.0.6 port 5001
[  3] local 10.8.0.1 port 37952 connected with 10.8.0.6 port 5001
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-30.0 sec  1.37 GBytes   393 Mbits/sec
[  3]  0.0-30.0 sec  1.40 GBytes   401 Mbits/sec
[SUM]  0.0-30.0 sec  2.77 GBytes   **793 Mbits/sec**
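
An added example, not part of any post in this thread: a small POSIX shell check that reads an OpenVPN config like the one above, reports its cipher, auth and whether the QSDK `enable-dca` directive is present, and tests whether the cipher/auth pair is among those named earlier in the thread (AES-128/256-CBC with SHA1 or SHA256). The function names and the sample file are constructed for illustration, and the pair list reflects only what the thread mentions, not a statement of what any SoC supports.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the data-channel settings of
# an OpenVPN config that matter for the offload discussion above.

# Print "<cipher> <auth> <dca|no-dca>" for the config file in $1.
# Comment lines (# or ;) are skipped; a repeated directive keeps its last value.
ovpn_summary() {
    awk '
        /^[ \t]*[#;]/      { next }
        $1 == "cipher"     { c = toupper($2) }
        $1 == "auth"       { a = toupper($2) }
        $1 == "enable-dca" { d = "dca" }
        END {
            if (c == "") c = "UNSET"
            if (a == "") a = "UNSET"
            if (d == "") d = "no-dca"
            print c, a, d
        }
    ' "$1"
}

# Exit 0 when cipher/auth is one of the pairs named in the thread
# (AES-128-CBC or AES-256-CBC with SHA1 or SHA256), 1 otherwise.
ovpn_pair_named_in_thread() {
    set -- $(ovpn_summary "$1")
    case "$1" in AES-128-CBC|AES-256-CBC) ;; *) return 1 ;; esac
    case "$2" in SHA1|SHA256) ;; *) return 1 ;; esac
    return 0
}

# Constructed sample input: the relevant lines of the server config posted above.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
enable-dca
auth SHA1
cipher AES-128-CBC
#comp-lzo no
dev tun
proto udp
EOF

ovpn_summary "$demo_conf"
if ovpn_pair_named_in_thread "$demo_conf"; then
    echo "cipher/auth pair is one the thread mentions"
else
    echo "cipher/auth pair is not one the thread mentions"
fi
```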

wow near gigabit perf with openvpn is massive o.O that soc is a beast

If he tested on the QSDK, OpenVPN should be offloaded to NSS there.
But Quad A53 cores are beastly though, it looks like my AX3600 will finally arrive after 2 months

Very good performance. In fact I would say it’s excellent for a consumer router. The boost most likely comes from the crypto as well as the in kernel routing of network packets. Would you mind trying with WireGuard as well?

I think WG will give you line speed.

You’re tempting me to get one to play with. Heh heh.

So hard to resist ahahah

Well, they are relatively affordable.
Around 100EUR, but it's IPQ8071A so the weakest model and it does not come with 2.5 or 10G ethernet like the 3-4 more expensive models come with

The only issue with the AX3600 is that it only has 4 ports, inclusive of WAN. ipq8071 is probably a massive step up from what I have owned, so it’ll be a lot of SoC for me to mess with.

I think I can still wring more juice out of the ipq806x SoC. So let’s see how it goes.


Added the open-SSL luci collection and the following 3 packages during menuconfig:


CONFIG_PACKAGE_kmod-qca-nss-drv=y
CONFIG_PACKAGE_kmod-qca-nss-gmac=y
CONFIG_PACKAGE_kmod-qca-nss-ecm-standard=y

Previously this simple config compiled without issue. Anything new in the build or am I selecting the wrong package combo for basic router + wifi acceleration?

What is broken ?

Make fails about halfway thru. I’ll run it again later today with a little more verbosity and see if it gives me something more specific.

I had the same problem with the latest changes on @ansuel's github. I'm compiling right now, for the second time, to check if it goes through this time. I'll let you know the outcome.

Can someone provide a log before I test it myself?

This is what I got just now...

Applying ./patches/subsys/999-mac80211-add-option-for-NSS-support.patch using plaintext: 
patching file net/mac80211/Kconfig
patching file local-symbols
patching file net/mac80211/ieee80211_i.h
Hunk #2 succeeded at 996 (offset 4 lines).
patching file net/mac80211/iface.c
Hunk #3 succeeded at 1139 (offset 5 lines).
Hunk #4 succeeded at 1296 (offset 5 lines).
  CC      coreutils/tee.o
patching file net/mac80211/rx.c
Hunk #2 FAILED at 2513.
Hunk #3 FAILED at 4389.
2 out of 3 hunks FAILED -- saving rejects to file net/mac80211/rx.c.rej
Patch failed!  Please fix ./patches/subsys/999-mac80211-add-option-for-NSS-support.patch!

@ACwifidude @rog I pushed the fix. Can you test if all works?