FS#1262 - CAAM breaking strongswan on WDR4900v1 #6636
Comments
casasfernando: As commented by Yousong Zhou in this bug report (https://bugs.lede-project.org/index.php?do=details&task_id=561), the issue was probably caused by commit c00e5a4 "mpc85xx: enable the crypto acceleration driver in the kernel config instead of packaging it". I can confirm that reverting this commit solves the problem.
yousong: Hi, FC7, please consider posting the tested patch to the mailing list. Thank you.
achim71: Looking at the master git repo, this issue is still not fixed; the caam module is still built in and not as a module.
achim71: Hello Yousong Zhou, I am testing the 18.06 branch now. If it's still broken I'll try to revert the changes from https://git.openwrt.org/?p=openwrt/openwrt.git;a=commitdiff;h=c00e5a4f09115ec976fac7dc380f576ef6a24fab, apply them to the 4.9 config and submit the patch to the author. Hope it is not too late.
achim71: Finished the patch, but is nbd@nbd.name a valid e-mail address? Now with the caam modules loaded strongswan still fails with the above message. Without the modules loaded it works, so it is now configurable by the user without having to build your own kernel.
achim71: Added inclusion of the caam_pkc.ko module to the patch. Found that the caamrng.ko module does not load.
tim-seoss: I think this issue is also stopping macsec from working on a WDR4900 18.06-RC1 (the same commands work correctly on a TP Link Archer C7 v2) root@testap:
tim-seoss: Looking at https://community.nxp.com/thread/338432, would the correct fix be to remove the crypto node from the device tree for the WDR4900?
root@testap:~# find /sys/firmware/devicetree/ -iname *crypto*
tim-seoss: Patch here to remove the crypto device tree node: http://lists.infradead.org/pipermail/openwrt-devel/2018-July/013128.html
achim71: Great, your patch works fine here too. Tested with openwrt master on WDR 4900. Strongswan now works as expected and no caam enc types show up under /proc/crypto.
casasfernando:
Strongswan seems to be trying to use the CAAM crypto hardware device on this router through the kernel, but the device doesn't seem to be present or available, causing strongswan to fail while trying to add an SA to the kernel.
Every time strongswan is trying to add an SA to the kernel, the following error messages are logged in strongswan and the kernel log. The kernel log error message seems to be generated by the CAAM code (I checked the kernel source to confirm this).
Strongswan log:
12[KNL] received netlink error: No such device (19)
12[KNL] unable to add SAD entry with SPI c88d8084 (FAILED)
12[KNL] received netlink error: No such device (19)
12[KNL] unable to add SAD entry with SPI 0e9ded44 (FAILED)
12[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Linux kernel log:
[6311485.194242] Job Ring Device allocation for transform failed
[6311485.201338] Job Ring Device allocation for transform failed
[6311497.457066] Job Ring Device allocation for transform failed
[6311497.464231] Job Ring Device allocation for transform failed
CAAM must either be disabled or built as a kernel module for this specific router since hardware support is not there and it can only cause potential problems like in this case with Strongswan.
I'm tagging the bug as critical since as reported above Strongswan is not usable on this router due to this bug in the kernel configuration.
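
The check mentioned in the thread (no caam entries under /proc/crypto) together with the two log signatures from the report, as an added example that is not part of the original thread or the OpenWrt tree. The function names and the sample entries are constructed, and matching CAAM implementations by "caam" in the driver name is an assumption.

```shell
#!/bin/sh
# Added example, not from the issue thread.

# Print every algorithm whose highest-priority implementation is a CAAM
# driver, i.e. the one the kernel crypto API picks first.
# $1: /proc/crypto or a saved copy of it.
caam_preferred() {
    awk -F'[ \t]*:[ \t]*' '
        $1 == "name"     { name = $2 }
        $1 == "driver"   { driver = $2 }
        $1 == "priority" {
            if (!(name in best) || $2 + 0 > best[name]) {
                best[name] = $2 + 0
                drv[name] = driver
            }
        }
        END {
            for (n in drv)
                if (drv[n] ~ /caam/)
                    print n " -> " drv[n] " (priority " best[n] ")"
        }' "$1" | sort
}

# Count the two failure signatures quoted in the report.
# $1: saved kernel log, $2: saved strongSwan log.
caam_failures() {
    jr=$(grep -c 'Job Ring Device allocation for transform failed' "$1" || true)
    nl=$(grep -c 'received netlink error: No such device (19)' "$2" || true)
    echo "jobring_failures=$jr netlink_enodev=$nl"
}

# Constructed sample in /proc/crypto layout (driver names and priorities are
# illustrative assumptions, not captured from a WDR4900).
sample=$(mktemp)
cat > "$sample" <<'EOF'
name         : cbc(aes)
driver       : cbc-aes-caam
priority     : 3000

name         : cbc(aes)
driver       : cbc(aes-generic)
priority     : 100

name         : sha256
driver       : sha256-generic
priority     : 0
EOF
caam_preferred "$sample"   # on the router: caam_preferred /proc/crypto
```

Empty output from `caam_preferred /proc/crypto` means no CAAM implementation is the first choice for any algorithm; nonzero counts from `caam_failures` alongside CAAM entries match the failure described in this report.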