IPQ806x NSS Drivers

I rebuilt at this commit from a couple days ago “kernel: bump 5.4 to 5.4.140”

Don’t see any obvious commits that would cause major issues since that time.

Is it complaining about your config file in the log?

I successfully compiled HEAD+5.4.142 by first building the build bot R7800 config, then make clean and rebasing against kong's branch and my own nss config. Let me try this again a bit later today going right for the NSS code + 5.4.142.

1 Like

It built fine/I cannot reproduce the original error I reported :man_shrugging:

1 Like

Hi, need help, can i use the branch openwrt-21.02-ipq806x-nss-qsdk11 on quarkysg's repo? is this stable? if not please suggest me which branch should i try.

Also, do i need to select the nss modules under kernel? if yes please let know which ones from the below to be selected. im no system programmer, pls help

I would suggest you try @ACwifidude repo. Mine does not include the NSS firmware. If you manage to get hold of the 11.2 NSS firmware, feel free to use my repo. My R7800 is running it now, with 63 days uptime.

Otherwise pls try @ACwifidude repo.

First two posts should get you started.

great documentation there, thanks a lot. i ll check and get back

@quarky thanks

I have a AP with IPQ6018 chipset and QSDK build.

I am running a go program to create tunnels to other APs and am using Noise Protocol Framework for the encryption/decryption part (AEAD Cipher --> AES-256-GCM).

The cryptoapi module which supports gcm is already loaded -

cat /proc/crypto
name         : gcm(aes)
driver       : nss-gcm
module       : qca_nss_cfi_cryptoapi
priority     : 10000
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 16
ivsize       : 12
maxauthsize  : 16
geniv        : <none>

name         : seqiv(rfc4106(gcm(aes)))
driver       : nss-rfc4106-gcm
module       : qca_nss_cfi_cryptoapi
priority     : 10000
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 16
ivsize       : 8
maxauthsize  : 16
geniv        : <none>

name         : rfc4106(gcm(aes))
driver       : nss-rfc4106-gcm
module       : qca_nss_cfi_cryptoapi
priority     : 10000
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 16
ivsize       : 8
maxauthsize  : 16
geniv        : <none>

lsmod | grep qca_nss_cfi_cryptoapi
authenc                16384  1 qca_nss_cfi_cryptoapi
qca_nss_cfi_cryptoapi   53248  1 qca_nss_ipsecmgr

My question is, if the cryptoapi module is loaded, will the encryption-decryption part automatically be accelerated or would i have to do something ?

Your ‘go’ program is likely running in user space?

If so you will not get any benefit from the crypto cores. You’ll likely get worst performance as moving data from user to kernel space is slow. This is especially apparent if your payload is small. Better off using openssl that’s compiled with the -O3 flag.

If your tunnel is running in kernel space, then it’ll have speed up benefits.

I have read through this thread with a lot of interest.

Does anyone know if the vendor-provided firmware for the R7800 supports the NSS cores for offloading?

I think you missed some part then...

There are many NSS firmware and they need to be synced with the QSDK used. (the driver part)
So yes the vendor-provided firmware support NSS cores but use an ancient NSS firmware and it doesn't make sense to use that as we have more recent version that accomplish the same task but better code and feature.

Obviously I did. This is a long thread. Thanks for replying.

hello
which firmware is the best these days for r7800 to be able to achieve 1gbit on wan? thanks!

3 Likes

Hi, found your post with example of using nsshtb, you are created 3 separate classid with different speed limits. How you filter between them?
Usually it was like this

tc filter add dev eth0 parent 1:0 protocol ip prio 50 u32 match ip dst 192.168.10.2 flowid 1:2

but in this case I've got

RTNETLINK answers: Not supported
We have an error talking to the kernel

What am I doing wrong?

Hi everyone.
Could anybody please explain, how to add NSS support to my custom firmware which was obtained by building from sources according to the official instructions?
Router Linksys EA8500, source code from https://git.openwrt.org, v21.02.1.
Is it possible to add NSS support to code from the official repo?

I have a community build if you want to try it out. Should give you full line speed.

Thanks, but I am building firmware with some changes and with a lot of integrated software. Only in that way software fits into the router memory. rtorrent, rutorrent and all corresponding dependencies (python, PHP etc), stubby, wireguard, some luci applications and so on.

If you clone my git repository (instructions are in post #2 of the community build thread) - you then have everything you need to make your own firmware (you have 21.02 + the basics to make NSS work). You can add any software packages you want on top. :sunglasses:

1 Like

Hi folks,

I managed to get the NSS firmware to accelerate multicast traffic using the QCA Muticast Snooping (qca-mcs) module.

So far it seems stable with IGMPv2. I've only tested with IGMPv2 as my ISP uses v2 for the IPTV service. It should work with v3 as well. Have not tested MLD tho.

To get it to work, the qca-mcs kernel module has to be loaded, and I had to patch igmpproxy to configure qca-mcs via netlink.

From my test, without NSS acceleration, multicast traffic will consume about 5-10% of CPU for sirq. Once NSS takes over, sirq load goes down to near zero.

If you are interested in also testing out multicast acceleration using NSS for your ipq806x router, let me know. I'll be pushing the igmpproxy patches up to my Github repo soon.

8 Likes

Hi folks,

I have also pushed macvlan interface NSS acceleration support for qca-nss-ecm into my GitHub repo. The patch can be found here.

If you're using NSS acceleration for your ipq806x router and used macvlan, it will not be accelerated by the NSS firmware without this patch.

8 Likes