IPQ806x NSS Drivers

First two posts should get you started.

Great documentation there, thanks a lot. I'll check and get back.

@quarky thanks

I have an AP with IPQ6018 chipset and QSDK build.

I am running a Go program to create tunnels to other APs and am using Noise Protocol Framework for the encryption/decryption part (AEAD Cipher --> AES-256-GCM).

The cryptoapi module which supports gcm is already loaded -

cat /proc/crypto
name         : gcm(aes)
driver       : nss-gcm
module       : qca_nss_cfi_cryptoapi
priority     : 10000
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 16
ivsize       : 12
maxauthsize  : 16
geniv        : <none>

name         : seqiv(rfc4106(gcm(aes)))
driver       : nss-rfc4106-gcm
module       : qca_nss_cfi_cryptoapi
priority     : 10000
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 16
ivsize       : 8
maxauthsize  : 16
geniv        : <none>

name         : rfc4106(gcm(aes))
driver       : nss-rfc4106-gcm
module       : qca_nss_cfi_cryptoapi
priority     : 10000
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 16
ivsize       : 8
maxauthsize  : 16
geniv        : <none>

lsmod | grep qca_nss_cfi_cryptoapi
authenc                16384  1 qca_nss_cfi_cryptoapi
qca_nss_cfi_cryptoapi   53248  1 qca_nss_ipsecmgr

My question is, if the cryptoapi module is loaded, will the encryption-decryption part automatically be accelerated or would I have to do something?

Your ‘go’ program is likely running in user space?

If so you will not get any benefit from the crypto cores. You’ll likely get worse performance as moving data from user to kernel space is slow. This is especially apparent if your payload is small. Better off using openssl that’s compiled with the -O3 flag.

If your tunnel is running in kernel space, then it’ll have speed up benefits.
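
Added example, not part of the original thread: a Go parser for the `/proc/crypto` listing posted above that picks the highest-priority implementation of an algorithm name, which is how the kernel crypto API resolves a name for in-kernel callers. The `gcm-generic` record and the `Impl`, `Parse` and `Preferred` names are constructed for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed /proc/crypto sample: the nss-gcm record reuses fields from the
// thread; the gcm-generic record and its priority are made up for contrast.
const sample = "name : gcm(aes)\ndriver : nss-gcm\nmodule : qca_nss_cfi_cryptoapi\npriority : 10000\n\n" +
	"name : gcm(aes)\ndriver : gcm-generic\nmodule : kernel\npriority : 100\n"

type Impl struct {
	Name, Driver, Module string
	Priority             int
}

// Parse reads blank-line-separated records of "key : value" lines.
func Parse(text string) []Impl {
	var out []Impl
	for _, rec := range strings.Split(text, "\n\n") {
		f := map[string]string{}
		for _, line := range strings.Split(rec, "\n") {
			if k, v, ok := strings.Cut(line, ":"); ok {
				f[strings.TrimSpace(k)] = strings.TrimSpace(v)
			}
		}
		// Keep only records that carry a name and a numeric priority.
		if prio, err := strconv.Atoi(f["priority"]); err == nil && f["name"] != "" {
			out = append(out, Impl{f["name"], f["driver"], f["module"], prio})
		}
	}
	return out
}

// Preferred returns the highest-priority implementation of name: the one an
// in-kernel caller gets when it asks the crypto API for that generic name.
func Preferred(impls []Impl, name string) (best Impl, found bool) {
	for _, im := range impls {
		if im.Name == name && (!found || im.Priority > best.Priority) {
			best, found = im, true
		}
	}
	return
}

func main() {
	fmt.Println(Preferred(Parse(sample), "gcm(aes)"))
}
```

On a device, pass the contents of `/proc/crypto` to `Parse` instead of `sample`; the result describes what kernel-side consumers resolve to, not what a user-space cipher library uses.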

I have read through this thread with a lot of interest.

Does anyone know if the vendor-provided firmware for the R7800 supports the NSS cores for offloading?

I think you missed some part then...

There are many NSS firmware versions and they need to be synced with the QSDK used (the driver part).
So yes, the vendor-provided firmware supports NSS cores but uses an ancient NSS firmware, and it doesn't make sense to use that as we have more recent versions that accomplish the same task but with better code and features.

Obviously I did. This is a long thread. Thanks for replying.

Hello
Which firmware is the best these days for the R7800 to be able to achieve 1gbit on WAN? Thanks!

3 Likes

Hi, I found your post with an example of using nsshtb; you created 3 separate classids with different speed limits. How do you filter between them?
Usually it was like this

tc filter add dev eth0 parent 1:0 protocol ip prio 50 u32 match ip dst 192.168.10.2 flowid 1:2

but in this case I've got

RTNETLINK answers: Not supported
We have an error talking to the kernel

What am I doing wrong?

Hi everyone.
Could anybody please explain how to add NSS support to my custom firmware, which was obtained by building from sources according to the official instructions?
Router Linksys EA8500, source code from https://git.openwrt.org, v21.02.1.
Is it possible to add NSS support to code from the official repo?

I have a community build if you want to try it out. Should give you full line speed.

Thanks, but I am building firmware with some changes and with a lot of integrated software. Only in that way software fits into the router memory. rtorrent, rutorrent and all corresponding dependencies (python, PHP etc), stubby, wireguard, some luci applications and so on.

If you clone my git repository (instructions are in post #2 of the community build thread) - you then have everything you need to make your own firmware (you have 21.02 + the basics to make NSS work). You can add any software packages you want on top. :sunglasses:

1 Like

Hi folks,

I managed to get the NSS firmware to accelerate multicast traffic using the QCA Multicast Snooping (qca-mcs) module.

So far it seems stable with IGMPv2. I've only tested with IGMPv2 as my ISP uses v2 for the IPTV service. It should work with v3 as well. Have not tested MLD though.

To get it to work, the qca-mcs kernel module has to be loaded, and I had to patch igmpproxy to configure qca-mcs via netlink.

From my test, without NSS acceleration, multicast traffic will consume about 5-10% of CPU for sirq. Once NSS takes over, sirq load goes down to near zero.

If you are interested in also testing out multicast acceleration using NSS for your ipq806x router, let me know. I'll be pushing the igmpproxy patches up to my Github repo soon.

7 Likes

Hi folks,

I have also pushed macvlan interface NSS acceleration support for qca-nss-ecm into my GitHub repo. The patch can be found here.

If you're using NSS acceleration for your ipq806x router and used macvlan, it will not be accelerated by the NSS firmware without this patch.

7 Likes

I have no idea what a macvlan is, but it's amazing to see you still developing stuff on NSS :slight_smile: Thanks a lot, as far as I can remember it all started from you, and now we have more than decent NSS firmwares working.
And yes, I'm still hoping to see you managing crypto engines :slight_smile:

macvlan is another type of virtual interface that can be configured in Linux. I used it in my ipq806x router and noticed that it is not accelerated, and by chance noticed that support for macvlan was only added to a later QSDK version in early 2021. So I 'back-ported' it to my repo.

My next interest is probably on 6rd acceleration, as my ISP uses that for IPv6.

For crypto, will probably have to wait for the OpenVPN DCO kernel module to be completed before we can attempt to use the crypto engine in the ipq806x SoC.

2 Likes

Would be cool to have all this in a somewhat newer release in the future.
From what I understand it will never be pushed to OpenWRT official releases?

2 Likes

Can anyone advise here? Thx

Well, the build from @ACwifidude is quite nice.
It's based on the work talked about in this thread.

Here's the link to @ACwifidude's build

1 Like