OpenWrt/LEDE Project

  • Status Closed
  • Percent Complete 100%
  • Task Type Bug Report
  • Category Base system
  • Assigned To No-one
  • Operating System All
  • Severity Critical
  • Priority Very Low
  • Reported Version All
  • Due in Version Undecided
  • Due Date Undecided
  • Votes 2
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by FC7 - 07.01.2018
Last edited by Yousong Zhou - 22.07.2018

FS#1262 - CAAM breaking strongswan on WDR4900v1

Strongswan seems to be trying to use CAAM crypto hardware device on this router through the kernel but the device doesn’t seem to be present or available causing strongswan to fail while trying to add a SA to the kernel.
Every time strongswan is trying to add a SA to the kernel, the following error messages are logged in strongswan and the kernel log. The kernel log error message seems to be generated by the CAAM code (I checked the kernel source to confirm this).

Strongswan log:

12[KNL] received netlink error: No such device (19)
12[KNL] unable to add SAD entry with SPI c88d8084 (FAILED)
12[KNL] received netlink error: No such device (19)
12[KNL] unable to add SAD entry with SPI 0e9ded44 (FAILED)
12[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel

Linux kernel log:

[6311485.194242] Job Ring Device allocation for transform failed
[6311485.201338] Job Ring Device allocation for transform failed
[6311497.457066] Job Ring Device allocation for transform failed
[6311497.464231] Job Ring Device allocation for transform failed

CAAM must either be disabled or built as a kernel module for this specific router since hardware support is not there and it can only cause potential problems like in this case with Strongswan.

I’m tagging the bug as critical since as reported above Strongswan is not usable on this router due to this bug in the kernel configuration.


Closed by  Yousong Zhou
22.07.2018 01:07
Reason for closing:  Fixed
Additional comments about closing:  

Fixed in master, openwrt-18.06, lede-17.01

FC7 commented on 07.01.2018 11:01

As commented by Yousong Zhou in this bug report the issue was probably caused by commit c00e5a4 "mpc85xx: enable the crypto acceleration driver in the kernel config instead of packaging it".

I can confirm that reverting this commit solves the problem.

Project Manager
Yousong Zhou commented on 26.01.2018 03:24

Hi, FC7, please consider posting the tested patch to the mailing list. Thank you.

Achim Gottinger commented on 28.05.2018 09:55

Looking at the master git repo, this issue is still not fixed; the caam module is still built in and not as a module.
So I assume strongswan is still broken. With version 17 I disabled the caam module on a TL 4900 to get strongswan working, but I hoped a fix will make it into the next release so I don't need to maintain a local build and package environment.

Project Manager
Yousong Zhou commented on 28.05.2018 14:47

Hi, @FC7, @Achim, please prepare a patch and send a mail cc-ing felix, the author of the commit, to move the issue forward. Not every developer reads every report here, and not every developer has/knows this hardware to be sure of reverting changes. Thank you.

Achim Gottinger commented on 31.05.2018 13:49

Hello Yousong Zhou, I am testing the 18.06 branch now. If it's still broken I'll try to revert the changes from https://git.openwrt.org/?p=openwrt/openwrt.git;a=commitdiff;h=c00e5a4f09115ec976fac7dc380f576ef6a24fab, apply them to the 4.9 config and submit the patch to the author. Hope it is not too late.

Achim Gottinger commented on 31.05.2018 16:55

Finished the patch, but is nbd@nbd.name a valid e-mail address?

Now with the caam modules loaded strongswan still fails with the above message. Without the modules loaded it works, so it is now configurable by the user without having to build your own kernel.

Achim Gottinger commented on 31.05.2018 18:08

Added inclusion of the caam_pkc.ko module to the patch. Found that the caamrng.ko module does not load.

Tim Small commented on 03.07.2018 19:45

I think this issue is also stopping macsec from working on a WDR4900 18.06-RC1 (the same commands work correctly on a TP Link Archer C7 v2)

root@testap:~# ip link add link eth0.2 macsec0 type macsec encrypt on
root@testap:~# ip macsec add macsec0 tx sa 0 pn 1 on key 00 abadcafeabadcafeabadcafeabadcafe
RTNETLINK answers: No such device
root@testap:~# dmesg | tail -1
[ 4211.912234] Job Ring Device allocation for transform failed
root@testap:~# uname -a
Linux testap 4.9.109 #0 Mon Jun 18 19:31:49 2018 ppc GNU/Linux

Tim Small commented on 03.07.2018 20:19

Looking at https://community.nxp.com/thread/338432, would the correct fix be to remove the crypto node from the device tree for the WDR4900?

root@testap:~# find /sys/firmware/devicetree/ -iname \*crypto\*
/sys/firmware/devicetree/base/soc@ffe00000/crypto@30000

Tim Small commented on 04.07.2018 13:57

patch here to remove the crypto device tree node:

http://lists.infradead.org/pipermail/openwrt-devel/2018-July/013128.html

Achim Gottinger commented on 06.07.2018 19:40

Great, your patch works fine here too. Tested with openwrt master on WDR 4900. Strongswan now works as expected and no caam enc types show up under /proc/crypto.
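
An added example, not part of the thread or of OpenWrt's code: a check for the router shell that lists every algorithm in /proc/crypto whose highest-priority implementation is a CAAM driver (the kernel crypto API prefers the highest priority, so that is the one a new IPsec or MACsec SA would get), next to the device-tree lookup used above. The sample entries are constructed, and matching drivers on the substring `caam` is an assumption about driver naming.

```shell
#!/bin/sh
# Constructed sample in /proc/crypto format (not captured from a real router).
sample_proc_crypto() {
cat <<'EOF'
name         : cbc(aes)
driver       : cbc-aes-caam
module       : kernel
priority     : 3000

name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100

name         : sha256
driver       : sha256-generic
module       : kernel
priority     : 100
EOF
}

# Print "algorithm driver priority" for each algorithm whose best
# (highest-priority) implementation is a CAAM driver. $1: file, or - for stdin.
caam_preferred() {
    awk -F' *: *' '
        function flush() {
            if (name != "" && (!(name in best) || prio + 0 > best[name] + 0)) {
                best[name] = prio; drv[name] = driver
            }
            name = ""; driver = ""; prio = 0
        }
        $1 == "name"     { flush(); name = $2 }
        $1 == "driver"   { driver = $2 }
        $1 == "priority" { prio = $2 }
        END {
            flush()
            for (n in best)
                if (drv[n] ~ /caam/) print n, drv[n], best[n]
        }
    ' "${1:-/proc/crypto}" | sort
}

# List crypto nodes in the device tree. $1: tree root (defaults to the live one).
dt_crypto_nodes() {
    find "${1:-/sys/firmware/devicetree}" -type d -iname '*crypto*' 2>/dev/null
}

sample_proc_crypto | caam_preferred -   # on the router: caam_preferred; dt_crypto_nodes
```

Empty output from both functions corresponds to the fixed state reported in the last comment: no crypto node in the device tree and no caam entries under /proc/crypto.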
