I don't know.
@drbrains
@cotequeiroz
Can you help here with this question?
nvm, forget my question. It always uses 22, checked the wrong column
Hello! I would like to know if support for the EIP93 module has been added in the current version, or if there is any information on when it is planned. Thank you!
Since 23.05 rc1 was branched June 2023, it's probably not in the stable 23.05 release. But it was added to main snapshot September 2023. So if you run main snapshot, you should have it.
lsmod | grep eip93
Is not in 23.05.4 (((
yeah you need snapshot https://downloads.openwrt.org/snapshots/targets/ramips/mt7621/kmods/6.6.44-1-111c1bf28ed04f05c2010d88ab962bb9/kmod-crypto-hw-eip93_6.6.44-r1_mipsel_24kc.ipk
@Ansuel I saw you are also upstreaming this EIP-93 driver [1]. Would you share some test data (such as how many gains we can get) if you have? Thanks!
Error 404
No chance to get it working on 23.05.x?
Btw it's landed to upstream kernel now: https://patchwork.kernel.org/project/linux-crypto/cover/20250114123935.18346-1-ansuelsmth@gmail.com/
How to enable ESP-HW-offload? I am on UniElec 7621-06 with stock OpenWrt 24.10.1.
When I do the following config for ESP:
connections {
    r1 {
        local_addrs = %any
        remote_addrs = 192.168.216.135
        remote_port = 500
        fragmentation = yes
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            tun1 {
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                hw_offload = yes
                priority = 1
                start_action = start
                esp_proposals = aes128ctr-sha256
                mode = tunnel
                life_time = 4180s
                rekey_time = 3800s
                dpd_action = start
                if_id_in = 301
                if_id_out = 301
            }
        }
        version = 2
        mobike = no
        encap = yes
        rekey_time = 28800s
        over_time = 48m
        proposals = aes128ctr-sha256-modp1024
        dpd_delay = 10s
        keyingtries = 0
    }
}
secrets {
    ike-r1 {
        secret = ****
    }
}
pools {
}
I get the following in the log lines:
Wed Jun 25 10:31:44 2025 daemon.info ipsec: 03[CFG] selected proposal: ESP:AES_CTR_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Wed Jun 25 10:31:44 2025 daemon.info ipsec: 03[KNL] HW offload is not supported by device wan
Wed Jun 25 10:31:44 2025 daemon.info ipsec: 03[KNL] failed to configure HW offload
Wed Jun 25 10:31:44 2025 daemon.info ipsec: 03[KNL] HW offload is not supported by device wan
Wed Jun 25 10:31:44 2025 daemon.info ipsec: 03[KNL] failed to configure HW offload
Wed Jun 25 10:31:44 2025 daemon.info ipsec: 03[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Wed Jun 25 10:31:44 2025 daemon.info ipsec: 03[IKE] failed to establish CHILD_SA, keeping IKE_SA
@drbrains I have enabled /dev/crypto on my MT7621 router with OpenWRT 24.10.4. But many of the ciphers do not seem to be working?
root@OpenWrt:/etc/ssl# openssl engine -t -c -vv -pre DUMP_INFO
(dynamic) Dynamic engine loading support
[Failure]: DUMP_INFO
844DE077:error:13000089:engine routines:int_ctrl_helper:invalid cmd name:crypto/engine/eng_ctrl.c:90:
844DE077:error:13000089:engine routines:ENGINE_ctrl_cmd_string:invalid cmd name:crypto/engine/eng_ctrl.c:258:
[ unavailable ]
SO_PATH: Specifies the path to the new ENGINE shared library
NO_VCHECK: Specifies to continue even if version checking fails (boolean)
ID: Specifies an ENGINE id name for loading
LIST_ADD: Whether to add a loaded ENGINE to the internal list (0=no,1=yes,2=mandatory)
DIR_LOAD: Specifies whether to load from 'DIR_ADD' directories (0=no,1=yes,2=mandatory)
DIR_ADD: Adds a directory from which ENGINEs can be loaded
LOAD: Load up the ENGINE specified by other settings
(devcrypto) /dev/crypto engine
Information about ciphers supported by the /dev/crypto engine:
Cipher DES-CBC, NID=31, /dev/crypto info: id=1, driver=cbc(des-eip93) (hw accelerated)
Cipher DES-EDE3-CBC, NID=44, /dev/crypto info: id=2, driver=cbc(des3_ede-eip93) (hw accelerated)
Cipher BF-CBC, NID=91, /dev/crypto info: id=3, CIOCGSESSION (session open call) failed
Cipher CAST5-CBC, NID=108, /dev/crypto info: id=4, CIOCGSESSION (session open call) failed
Cipher AES-128-CBC, NID=419, /dev/crypto info: id=11, CIOCGSESSION (session open call) failed
Cipher AES-192-CBC, NID=423, /dev/crypto info: id=11, CIOCGSESSION (session open call) failed
Cipher AES-256-CBC, NID=427, /dev/crypto info: id=11, CIOCGSESSION (session open call) failed
Cipher RC4, NID=5, /dev/crypto info: id=12, CIOCGSESSION (session open call) failed
Cipher AES-128-CTR, NID=904, /dev/crypto info: id=21, driver=ctr(aes-eip93) (hw accelerated)
Cipher AES-192-CTR, NID=905, /dev/crypto info: id=21, driver=ctr(aes-eip93) (hw accelerated)
Cipher AES-256-CTR, NID=906, /dev/crypto info: id=21, driver=ctr(aes-eip93) (hw accelerated)
Cipher AES-128-ECB, NID=418, /dev/crypto info: id=23, CIOCGSESSION (session open call) failed
Cipher AES-192-ECB, NID=422, /dev/crypto info: id=23, CIOCGSESSION (session open call) failed
Cipher AES-256-ECB, NID=426, /dev/crypto info: id=23, CIOCGSESSION (session open call) failed
Information about digests supported by the /dev/crypto engine:
Digest MD5, NID=4, /dev/crypto info: id=13, driver=md5-generic (software), CIOCCPHASH capable
Digest SHA1, NID=64, /dev/crypto info: id=14, driver=sha1-generic (software), CIOCCPHASH capable
Digest RIPEMD160, NID=117, /dev/crypto info: id=102, driver=unknown. CIOCGSESSION (session open) failed
Digest SHA224, NID=675, /dev/crypto info: id=103, driver=sha224-generic (software), CIOCCPHASH capable
Digest SHA256, NID=672, /dev/crypto info: id=104, driver=sha256-generic (software), CIOCCPHASH capable
Digest SHA384, NID=673, /dev/crypto info: id=105, driver=sha384-generic (software), CIOCCPHASH capable
Digest SHA512, NID=674, /dev/crypto info: id=106, driver=sha512-generic (software), CIOCCPHASH capable
[DES-CBC, DES-EDE3-CBC, AES-128-CTR, AES-192-CTR, AES-256-CTR]
[ available ]
USE_SOFTDRIVERS: specifies whether to use software (not accelerated) drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use if acceleration can't be determined) [default=2]
CIPHERS: either ALL, NONE, or a comma-separated list of ciphers to enable [default=ALL]
DIGESTS: either ALL, NONE, or a comma-separated list of digests to enable [default=NONE]
DUMP_INFO: dump info about each algorithm to stderr; use 'openssl engine -pre DUMP_INFO devcrypto'
root@OpenWrt:/etc/ssl#
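An added example, not part of the original post: a small shell helper that sorts a DUMP_INFO dump like the one above into hardware-accelerated, software-only and failing algorithms. The function names `classify_devcrypto` and `algo_state` are hypothetical, and the embedded sample is a handful of lines copied from the dump in the post.

```shell
#!/bin/sh
# Added example: classify the output of the devcrypto engine's DUMP_INFO command.
# On a router (DUMP_INFO writes to stderr, per the engine's own help text):
#   openssl engine -pre DUMP_INFO devcrypto 2>&1 | classify_devcrypto

# Sample input: lines copied from the engine dump quoted in the post above.
SAMPLE_DUMP='Cipher DES-CBC, NID=31, /dev/crypto info: id=1, driver=cbc(des-eip93) (hw accelerated)
Cipher AES-128-CBC, NID=419, /dev/crypto info: id=11, CIOCGSESSION (session open call) failed
Cipher AES-128-CTR, NID=904, /dev/crypto info: id=21, driver=ctr(aes-eip93) (hw accelerated)
Digest SHA256, NID=672, /dev/crypto info: id=104, driver=sha256-generic (software), CIOCCPHASH capable
Digest RIPEMD160, NID=117, /dev/crypto info: id=102, driver=unknown. CIOCGSESSION (session open) failed'

# classify_devcrypto: read a dump on stdin, print one line per algorithm as
# "<state> <kind> <name> <driver>" where state is hw, sw, fail or unknown.
classify_devcrypto() {
    awk '
    /^(Cipher|Digest) / {
        kind = tolower($1)
        name = $2; sub(/,$/, "", name)
        driver = "-"                      # no driver reported on this line
        if (match($0, /driver=[^ ]+/)) {
            driver = substr($0, RSTART + 7, RLENGTH - 7)
            sub(/\.$/, "", driver)        # "driver=unknown." ends with a dot
        }
        # A failed session open wins over whatever driver text is present.
        if ($0 ~ /CIOCGSESSION .*failed/)    state = "fail"
        else if ($0 ~ /\(hw accelerated\)/)  state = "hw"
        else if ($0 ~ /\(software\)/)        state = "sw"
        else                                 state = "unknown"
        print state, kind, name, driver
    }'
}

# algo_state NAME: print the state of one algorithm from a dump on stdin,
# or "absent" when the dump does not list it.
algo_state() {
    classify_devcrypto | awk -v n="$1" '
        $3 == n { print $1; found = 1; exit }
        END     { if (!found) print "absent" }'
}

# Stand-alone run: show the classification of the embedded sample.
printf '%s\n' "$SAMPLE_DUMP" | classify_devcrypto
```
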
I'm using openwrt-24.10.2 on mt7621a, with eip93 driver enabled.
When trying to establish IPsec connection with hw-offload enabled, 'device wan doesn't support hw offload'.
How did you manage to get an IPsec connection working with ESP-HW-offload? The MT7621 Ethernet driver (mtk_eth_soc) doesn't seem to support it, and I can't find much documentation. I'm stuck here - any pointers or patches would help!
The EIP93 driver version in OpenWrt doesn't support ESP Offload. Most likely, you'll need a different branch.
You should still be able to take advantage of crypto offload. This will enable higher performance than software encryption.
I've tried the branch you mentioned. It enables ESP-HW-offload in the kernel, but the issue seems to be with the ethernet driver (mtk_eth_soc), which doesn't support esp-hw-offload. I'm wondering how you guys get this working with StrongSwan - in my case, it's still saying 'device wan doesn't support hardware offload'.