FS#1262 - CAAM breaking strongswan on WDR4900v1 #6636

Closed
openwrt-bot opened this issue Jan 7, 2018 · 11 comments
@openwrt-bot

casasfernando:

Strongswan seems to be trying to use the CAAM crypto hardware device on this router through the kernel, but the device doesn't seem to be present or available, causing strongswan to fail while trying to add an SA to the kernel.
Every time strongswan tries to add an SA to the kernel, the following error messages are logged in the strongswan and kernel logs. The kernel log error message seems to be generated by the CAAM code (I checked the kernel source to confirm this).

Strongswan log:

12[KNL] received netlink error: No such device (19)
12[KNL] unable to add SAD entry with SPI c88d8084 (FAILED)
12[KNL] received netlink error: No such device (19)
12[KNL] unable to add SAD entry with SPI 0e9ded44 (FAILED)
12[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel

Linux kernel log:

[6311485.194242] Job Ring Device allocation for transform failed
[6311485.201338] Job Ring Device allocation for transform failed
[6311497.457066] Job Ring Device allocation for transform failed
[6311497.464231] Job Ring Device allocation for transform failed

CAAM must either be disabled or built as a kernel module for this specific router since hardware support is not there and it can only cause potential problems like in this case with Strongswan.

I'm tagging the bug as critical since, as reported above, Strongswan is not usable on this router due to this bug in the kernel configuration.

@openwrt-bot

casasfernando:

As commented by Yousong Zhou in this bug report (https://bugs.lede-project.org/index.php?do=details&task_id=561), the issue was probably caused by commit c00e5a4 "mpc85xx: enable the crypto acceleration driver in the kernel config instead of packaging it".

I can confirm that reverting this commit solves the problem.

@openwrt-bot

yousong:

Hi, FC7, please consider posting the tested patch to the mailing list. Thank you.

@openwrt-bot

achim71:

Looking at the master git repo, this issue is still not fixed; the caam module is still built in and not as a module.
So I assume strongswan is still broken. With version 17 I disabled the caam module on a TL 4900 to get strongswan working, but I hoped a fix would make it into the next release so I don't need to maintain a local build and package environment.

@openwrt-bot

yousong:

Hi, @fc7, @achim, please prepare a patch and send a mail cc-ing felix, the author of the commit, to move the issue forward. Not every developer reads every report here, and not every developer has or knows this hardware well enough to be sure of reverting changes. Thank you.

@openwrt-bot

achim71:

Hello Yousong Zhou, I am testing the 18.06 branch now. If it's still broken, I'll try to revert the changes from https://git.openwrt.org/?p=openwrt/openwrt.git;a=commitdiff;h=c00e5a4f09115ec976fac7dc380f576ef6a24fab, apply them to the 4.9 config and submit the patch to the author. Hope it is not too late.

@openwrt-bot

achim71:

Finished the patch, but is nbd@nbd.name a valid e-mail address?

Now with the caam modules loaded, strongswan still fails with the above message. Without the modules loaded it works, so it is now configurable by the user without having to build your own kernel.

@openwrt-bot

achim71:

Added inclusion of the caam_pkc.ko module to the patch. Found that the caamrng.ko module does not load.

@openwrt-bot

tim-seoss:

I think this issue is also stopping macsec from working on a WDR4900 18.06-RC1 (the same commands work correctly on a TP Link Archer C7 v2).

root@testap:~# ip link add link eth0.2 macsec0 type macsec encrypt on
root@testap:~# ip macsec add macsec0 tx sa 0 pn 1 on key 00 abadcafeabadcafeabadcafeabadcafe
RTNETLINK answers: No such device
root@testap:~# dmesg | tail -1
[ 4211.912234] Job Ring Device allocation for transform failed
root@testap:~# uname -a
Linux testap 4.9.109 #0 Mon Jun 18 19:31:49 2018 ppc GNU/Linux

@openwrt-bot

tim-seoss:

Looking at https://community.nxp.com/thread/338432, would the correct fix be to remove the crypto node from the device tree for the WDR4900?

root@testap:~# find /sys/firmware/devicetree/ -iname *crypto*
/sys/firmware/devicetree/base/soc@ffe00000/crypto@30000

@openwrt-bot

tim-seoss:

Patch here to remove the crypto device tree node:

http://lists.infradead.org/pipermail/openwrt-devel/2018-July/013128.html

@openwrt-bot

achim71:

Great, your patch works fine here too. Tested with openwrt master on WDR 4900. Strongswan now works as expected and no caam enc types show up under /proc/crypto.
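
The /proc/crypto check mentioned in the last comment, written out as an added example (not part of the original issue or of OpenWrt): it lists algorithms registered by a CAAM driver and shows which driver the kernel crypto API would select for a given algorithm name, since it picks the highest-priority implementation. The function names are hypothetical and the sample /proc/crypto text is constructed.

```shell
#!/bin/sh
# Added example. On a router, feed the real file: caam_algs < /proc/crypto

# Print "name driver priority" for each /proc/crypto entry (on stdin)
# whose driver name contains "caam".
caam_algs() {
    awk -F' *: *' '
        $1 == "name"     { name = $2 }
        $1 == "driver"   { driver = $2 }
        $1 == "priority" && driver ~ /caam/ { print name, driver, $2 }
    '
}

# Print the highest-priority driver registered for algorithm name $1.
# The kernel crypto API hands out that implementation for a request by name,
# so a CAAM entry here means IPsec/macsec transforms go to the CAAM driver.
preferred_driver() {
    awk -F' *: *' -v want="$1" '
        $1 == "name"     { name = $2 }
        $1 == "driver"   { driver = $2 }
        $1 == "priority" && name == want && (pick == "" || $2 + 0 > best) {
            best = $2 + 0; pick = driver
        }
        END { if (pick != "") print pick }
    '
}

# Constructed sample in /proc/crypto layout (values are illustrative).
sample_proc_crypto() {
    cat <<'EOF'
name         : cbc(aes)
driver       : cbc-aes-caam
module       : kernel
priority     : 3000

name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100

name         : sha256
driver       : sha256-generic
module       : kernel
priority     : 100
EOF
}

sample_proc_crypto | caam_algs
sample_proc_crypto | preferred_driver 'cbc(aes)'
```

An empty result from `caam_algs < /proc/crypto` matches the fixed state reported above, where no caam entries show up.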
