IPQ807X NSS Build

This topic is to discuss community builds (not supported by Openwrt) for target IPQ807X that include the QCA QSDK software - https://git.codelinaro.org/clo/qsdk + Openwrt

1 Like

The current build is on @bitthief repo - https://github.com/bitthief/openwrt latest branch ipq807x-5.15-pr-final

other people have their own repo perhaps can add their own experiences - for my own use case I have seen marginal improvements - I have ECM compiled for macvlan support and I haven't seen ECM been used ... ecm_dumpsh shows no accel being used! the major pro I feel is the use of nss-drv...

From a crypto perspective - nss-crypto-cfi is outstanding however nss-crypto compiles

others can jump in and provide their own comments

note - I took some patches from @qosmio nss-packages and @ACwifidude repo in order to be able to compile with macvlan support (there is another community build for IPQ806x that is useful to follow)

3 Likes

There are any install files for testing or need to create a clone in my OpenWrt repo and try to compile?

Hi @ccost1974 you need to build your own image. Note that @bitthief repo is now using the main branch

thanks. I will try (first time)

1 Like

Has anyone tried building the latest @bitthief repo?

I see nss-cfi and crypto commits have been cherry picked from @robimarko repo https://github.com/robimarko/openwrt/tree/ipq807x-5.15-pr-nss-drv.

Thinking of spinning up a build this weekend.

yes ... and it is working ... apart from few a messages noting that nss_cryptoapi_ahash_export is not supported (which is right as it is not available on 5.15)

1 Like

Are you sure that skcipher is working correctly?

For me it was crashing when using tcrypt, so I am trying to get the upstream driver for EIP197 working instead of resorting to this multi part QCA crap

1 Like

I am not getting any crashes ... unsure if it makes any change but I am also using ecm

let me know what you were doing when you get the crash and I will try to reproduce

as I said i just getting these messages (probably worth removing them or just shown them once)

[ 1785.122265] nss_cryptoapi_ahash_export[463]:ffffff801a37c500: ahash .export is not supported
[ 1785.130491] nss_cryptoapi_ahash_export[463]:ffffff801a37cd00: ahash .export is not supported
[ 1785.139069] nss_cryptoapi_ahash_export[463]:ffffff801a37c500: ahash .export is not supported
[ 1785.147634] nss_cryptoapi_ahash_export[463]:ffffff801a37cd00: ahash .export is not supported

Those are stupid prints as QCA added a API call that they dont support at all.
Are you sure that you are using AES algos from NSS and not just the crypto extension ones?

For me testing with tcrypt in mode 500 would insta crash

so I am compiling the nss-drv with NSS_DRV_CRYPTO_ENABLE=y ...

found why I am not having the crashes ... so I don't have tcrypt!

insmod tcrypt.ko mode=500 sec=1

Failed to find tcrypt. Maybe it is a built in module

this is the output of /proc/crypto only showing what is loaded with qca_nss_cfi_cryptoapi

name         : hmac(sha512)
driver       : nss-hmac-sha512
module       : qca_nss_cfi_cryptoapi
priority     : 1000
refcnt       : 1
selftest     : passed
internal     : no
type         : ahash
async        : yes
blocksize    : 128
digestsize   : 64

name         : hmac(sha384)
driver       : nss-hmac-sha384
module       : qca_nss_cfi_cryptoapi
priority     : 1000
refcnt       : 1
selftest     : passed
internal     : no
type         : ahash
async        : yes
blocksize    : 128
digestsize   : 48

name         : hmac(sha256)
driver       : nss-hmac-sha256
module       : qca_nss_cfi_cryptoapi
priority     : 1000
refcnt       : 1
selftest     : passed
internal     : no
type         : ahash
async        : yes
blocksize    : 64
digestsize   : 32

name         : hmac(sha224)
driver       : nss-hmac-sha224
module       : qca_nss_cfi_cryptoapi
priority     : 1000
refcnt       : 1
selftest     : passed
internal     : no
type         : ahash
async        : yes
blocksize    : 64
digestsize   : 28

name         : hmac(sha1)
driver       : nss-hmac-sha1
module       : qca_nss_cfi_cryptoapi
priority     : 1000
refcnt       : 1
selftest     : passed
internal     : no
type         : ahash
async        : yes
blocksize    : 64
digestsize   : 20

name         : hmac(md5)
driver       : nss-hmac-md5
module       : qca_nss_cfi_cryptoapi
priority     : 1000
refcnt       : 1
selftest     : passed
internal     : no
type         : ahash
async        : yes
blocksize    : 64
digestsize   : 16

name         : sha512
driver       : nss-sha512
module       : qca_nss_cfi_cryptoapi
priority     : 1000
refcnt       : 1
selftest     : passed
internal     : no
type         : ahash
async        : yes
blocksize    : 128
digestsize   : 64

name         : sha384
driver       : nss-sha384
module       : qca_nss_cfi_cryptoapi
priority     : 1000
refcnt       : 1
selftest     : passed
internal     : no
type         : ahash
async        : yes
blocksize    : 128
digestsize   : 48

name         : sha256
driver       : nss-sha256
module       : qca_nss_cfi_cryptoapi
priority     : 1000
refcnt       : 1
selftest     : passed
internal     : no
type         : ahash
async        : yes
blocksize    : 64
digestsize   : 32

name         : sha224
driver       : nss-sha224
module       : qca_nss_cfi_cryptoapi
priority     : 1000
refcnt       : 1
selftest     : passed
internal     : no
type         : ahash
async        : yes
blocksize    : 64
digestsize   : 28

name         : sha1
driver       : nss-sha1
module       : qca_nss_cfi_cryptoapi
priority     : 1000
refcnt       : 1
selftest     : passed
internal     : no
type         : ahash
async        : yes
blocksize    : 64
digestsize   : 20

name         : md5
driver       : nss-md5
module       : qca_nss_cfi_cryptoapi
priority     : 1000
refcnt       : 1
selftest     : passed
internal     : no
type         : ahash
async        : yes
blocksize    : 64
digestsize   : 16

name         : gcm(aes)
driver       : nss-gcm
module       : qca_nss_cfi_cryptoapi
priority     : 10000
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 16
ivsize       : 12
maxauthsize  : 16
geniv        : <none>

name         : seqiv(rfc4106(gcm(aes)))
driver       : nss-rfc4106-gcm
module       : qca_nss_cfi_cryptoapi
priority     : 10000
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 16
ivsize       : 8
maxauthsize  : 16
geniv        : <none>

name         : rfc4106(gcm(aes))
driver       : nss-rfc4106-gcm
module       : qca_nss_cfi_cryptoapi
priority     : 10000
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 16
ivsize       : 8
maxauthsize  : 16
geniv        : <none>

name         : authenc(hmac(sha256),cbc(des3_ede))
driver       : nss-hmac-sha256-cbc-3des
module       : qca_nss_cfi_cryptoapi
priority     : 300
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 8
ivsize       : 8
maxauthsize  : 32
geniv        : <none>

name         : authenc(hmac(sha1),cbc(des3_ede))
driver       : nss-hmac-sha1-cbc-3des
module       : qca_nss_cfi_cryptoapi
priority     : 300
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 8
ivsize       : 8
maxauthsize  : 20
geniv        : <none>

name         : authenc(hmac(sha512),cbc(aes))
driver       : nss-hmac-sha512-cbc-aes
module       : qca_nss_cfi_cryptoapi
priority     : 10000
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 16
ivsize       : 16
maxauthsize  : 64
geniv        : <none>

name         : authenc(hmac(sha384),cbc(aes))
driver       : nss-hmac-sha384-cbc-aes
module       : qca_nss_cfi_cryptoapi
priority     : 10000
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 16
ivsize       : 16
maxauthsize  : 48
geniv        : <none>

name         : authenc(hmac(sha256),cbc(aes))
driver       : nss-hmac-sha256-cbc-aes
module       : qca_nss_cfi_cryptoapi
priority     : 10000
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 16
ivsize       : 16
maxauthsize  : 32
geniv        : <none>

name         : authenc(hmac(sha1),cbc(aes))
driver       : nss-hmac-sha1-cbc-aes
module       : qca_nss_cfi_cryptoapi
priority     : 10000
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 16
ivsize       : 16
maxauthsize  : 20
geniv        : <none>

name         : echainiv(authenc(hmac(sha256),cbc(des3_ede)))
driver       : nss-hmac-sha256-cbc-3des
module       : qca_nss_cfi_cryptoapi
priority     : 300
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 8
ivsize       : 8
maxauthsize  : 32
geniv        : <none>

name         : echainiv(authenc(hmac(sha1),cbc(des3_ede)))
driver       : nss-hmac-sha1-cbc-3des
module       : qca_nss_cfi_cryptoapi
priority     : 300
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 8
ivsize       : 8
maxauthsize  : 20
geniv        : <none>

name         : echainiv(authenc(hmac(sha512),cbc(aes)))
driver       : nss-hmac-sha512-cbc-aes
module       : qca_nss_cfi_cryptoapi
priority     : 10000
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 16
ivsize       : 16
maxauthsize  : 64
geniv        : <none>

name         : echainiv(authenc(hmac(sha384),cbc(aes)))
driver       : nss-hmac-sha384-cbc-aes
module       : qca_nss_cfi_cryptoapi
priority     : 10000
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 16
ivsize       : 16
maxauthsize  : 48
geniv        : <none>

name         : seqiv(authenc(hmac(sha512),rfc3686(ctr(aes))))
driver       : nss-hmac-sha512-rfc3686-ctr-aes
module       : qca_nss_cfi_cryptoapi
priority     : 10000
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 16
ivsize       : 8
maxauthsize  : 64
geniv        : <none>

name         : seqiv(authenc(hmac(sha384),rfc3686(ctr(aes))))
driver       : nss-hmac-sha384-rfc3686-ctr-aes
module       : qca_nss_cfi_cryptoapi
priority     : 10000
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 16
ivsize       : 8
maxauthsize  : 48
geniv        : <none>

name         : echainiv(authenc(hmac(md5),cbc(des3_ede)))
driver       : nss-hmac-md5-cbc-3des
module       : qca_nss_cfi_cryptoapi
priority     : 300
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 8
ivsize       : 8
maxauthsize  : 16
geniv        : <none>

name         : seqiv(authenc(hmac(sha256),rfc3686(ctr(aes))))
driver       : nss-hmac-sha256-rfc3686-ctr-aes
module       : qca_nss_cfi_cryptoapi
priority     : 10000
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 16
ivsize       : 8
maxauthsize  : 32
geniv        : <none>

name         : echainiv(authenc(hmac(sha256),cbc(aes)))
driver       : nss-hmac-sha256-cbc-aes
module       : qca_nss_cfi_cryptoapi
priority     : 10000
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 16
ivsize       : 16
maxauthsize  : 32
geniv        : <none>

name         : seqiv(authenc(hmac(sha1),rfc3686(ctr(aes))))
driver       : nss-hmac-sha1-rfc3686-ctr-aes
module       : qca_nss_cfi_cryptoapi
priority     : 10000
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 16
ivsize       : 8
maxauthsize  : 20
geniv        : <none>

name         : seqiv(authenc(hmac(md5),rfc3686(ctr(aes))))
driver       : nss-hmac-md5-rfc3686-ctr-aes
module       : qca_nss_cfi_cryptoapi
priority     : 10000
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 16
ivsize       : 8
maxauthsize  : 16
geniv        : <none>

name         : echainiv(authenc(hmac(sha1),cbc(aes)))
driver       : nss-hmac-sha1-cbc-aes
module       : qca_nss_cfi_cryptoapi
priority     : 10000
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 16
ivsize       : 16
maxauthsize  : 20
geniv        : <none>

name         : echainiv(authenc(hmac(md5),cbc(aes)))
driver       : nss-hmac-md5-cbc-aes
module       : qca_nss_cfi_cryptoapi
priority     : 10000
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 16
ivsize       : 16
maxauthsize  : 16
geniv        : <none>

name         : cbc(des3_ede)
driver       : nss-cbc-des-ede
module       : qca_nss_cfi_cryptoapi
priority     : 10000
refcnt       : 1
selftest     : passed
internal     : no
type         : skcipher
async        : yes
blocksize    : 8
min keysize  : 24
max keysize  : 24
ivsize       : 8
chunksize    : 8
walksize     : 8

name         : ecb(aes)
driver       : nss-ecb-aes
module       : qca_nss_cfi_cryptoapi
priority     : 10000
refcnt       : 1
selftest     : passed
internal     : no
type         : skcipher
async        : yes
blocksize    : 16
min keysize  : 16
max keysize  : 32
ivsize       : 0
chunksize    : 16
walksize     : 16

name         : rfc3686(ctr(aes))
driver       : nss-rfc3686-ctr-aes
module       : qca_nss_cfi_cryptoapi
priority     : 30000
refcnt       : 1
selftest     : passed
internal     : no
type         : skcipher
async        : yes
blocksize    : 16
min keysize  : 20
max keysize  : 36
ivsize       : 8
chunksize    : 16
walksize     : 16

name         : cbc(aes)
driver       : nss-cbc-aes
module       : qca_nss_cfi_cryptoapi
priority     : 10000
refcnt       : 1
selftest     : passed
internal     : no
type         : skcipher
async        : yes
blocksize    : 16
min keysize  : 16
max keysize  : 32
ivsize       : 16
chunksize    : 16
walksize     : 16

cat /proc/crypto |grep tcrypt

doesn't show anything

You do realize that tcrypto is in-kernel crypto testing module that you load with the mode= parameter based on what you want to test?

i do ... I don't have the kernel configured with CRYPTO_TEST [=y]

recompiling now

NO, no no.
Just select the kmod from menuconfig, tcrypt is useless if built-in

1 Like

yes it crashes not only tcrypt but i also tried cryptsetup ...

So then its as expected, I gave up on trying to figure out why user becomes NULL once its supposed to be freed

2 Likes

if I do "insmod tcrypt.ko mode=423 sec=5" it doesn't crash and tests nss-sha256 also mode 602 (skcipher) 503 (acipher) don't crash

hashes work, but AES doesnt

1 Like

do you know what ? I got the eip197v1 firmware from the xiaomi 10g ... and it doesn't crash

insmod tcrypt.ko mode=500 sec=1

[  239.284074] testing speed of async ecb(aes) (nss-ecb-aes) encryption

/sys/kernel/debug/qca-nss-crypto/eip197v1/ctx0# ls -ltr
-r--r--r--    1 root     root             0 Jan 27 06:37 tx_packets
-r--r--r--    1 root     root             0 Jan 27 06:37 tx_bytes
-r--r--r--    1 root     root             0 Jan 27 06:37 rx_packets
-r--r--r--    1 root     root             0 Jan 27 06:37 rx_dropped
-r--r--r--    1 root     root             0 Jan 27 06:37 rx_bytes
-r--r--r--    1 root     root             0 Jan 27 06:37 qcom,aes128-ecb
-r--r--r--    1 root     root             0 Jan 27 06:37 fail_version
-r--r--r--    1 root     root             0 Jan 27 06:37 fail_index
-r--r--r--    1 root     root             0 Jan 27 06:37 fail_dma
/sys/kernel/debug/qca-nss-crypto/eip197v1/ctx0# cat qcom,aes128-ecb
8

however it gets stuck ... all of the debugfs stats for nss-crypto and cryptoapi don't show any failures ...

I managed to spin up a new build on my DL-WRX36, my first since based on the master branch.

I did have problems with wan activity causing a boot loop. Removing this cable, no more boot loops.
I tracked it down to the ipq807x: replace clock patches commit.

Reverting this commit fixed this issue.

2 Likes