From 24ae06675739d4c37699b1ecf0a3394de0c1fbcc Mon Sep 17 00:00:00 2001
From: Sean Khan <datapronix@protonmail.com>
Date: Sat, 21 Sep 2024 16:32:23 -0400
Subject: [PATCH] nss-cfi: Fix crash on IPQ807x when utilizing NSS cores for
 crypto tasks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This commit addresses a crash that occurs when running crypto tasks on
IPQ807x devices explicitly utilizing the NSS cores. The crash was
reproducible in scenarios involving cryptographic operations offloaded
to the NSS cores (e.g., using cryptodev with OpenSSL or running the
crypto test module).

IMPORTANT: This fix should not be misunderstood as a general-purpose
performance boost for all cryptographic workloads. If your goal is to
accelerate AES encryption across the board (e.g., using OpenSSL for
routine file encryption), this approach is **not** practical.

The primary benefit of leveraging the NSS cores for cryptographic operations
is within VPN-oriented use cases, such as OpenVPN or IPsec, where the
offloading to NSS cores can reduce CPU load and improve throughput.

It’s critical to note that this fix will **not** accelerate encryption
for protocols like Wireguard. Wireguard’s design uses ChaCha20-Poly1305
rather than AES, and it cannot easily be offloaded to hardware.

Additionally, Wireguard uses short-lived cryptographic keys that rotate
frequently. This frequent key rotation makes it difficult to interface
with hardware offloading mechanisms, which are typically optimized for
long-lived sessions like those found in IPsec.

Signed-off-by: Sebastian Gottschall <s.gottschall@dd-wrt.com>
Signed-off-by: Sean Khan <datapronix@protonmail.com>
---
 qca-nss-cfi/Makefile                          |  2 +-
 .../0007-cryptoapi-v2.0-fix-crash.patch       | 72 +++++++++++++++++++
 2 files changed, 73 insertions(+), 1 deletion(-)
 create mode 100644 qca-nss-cfi/patches/0007-cryptoapi-v2.0-fix-crash.patch

diff --git a/qca-nss-cfi/Makefile b/qca-nss-cfi/Makefile
index 844769b..1253173 100644
--- a/qca-nss-cfi/Makefile
+++ b/qca-nss-cfi/Makefile
@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=qca-nss-cfi
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_SOURCE_URL:=https://git.codelinaro.org/clo/qsdk/oss/lklm/nss-cfi.git
 PKG_SOURCE_PROTO:=git
diff --git a/qca-nss-cfi/patches/0007-cryptoapi-v2.0-fix-crash.patch b/qca-nss-cfi/patches/0007-cryptoapi-v2.0-fix-crash.patch
new file mode 100644
index 0000000..ee8e901
--- /dev/null
+++ b/qca-nss-cfi/patches/0007-cryptoapi-v2.0-fix-crash.patch
@@ -0,0 +1,72 @@
+--- a/cryptoapi/v2.0/nss_cryptoapi_aead.c
++++ b/cryptoapi/v2.0/nss_cryptoapi_aead.c
+@@ -97,9 +97,9 @@ int nss_cryptoapi_aead_init(struct crypt
+ 	bool need_fallback;
+ 
+ 	BUG_ON(!ctx);
+-	NSS_CRYPTOAPI_SET_MAGIC(ctx);
+ 
+ 	memset(ctx, 0, sizeof(struct nss_cryptoapi_ctx));
++	NSS_CRYPTOAPI_SET_MAGIC(ctx);
+ 
+ 	ctx->user = g_cryptoapi.user;
+ 	ctx->stats.init++;
+--- a/cryptoapi/v2.0/nss_cryptoapi_ahash.c
++++ b/cryptoapi/v2.0/nss_cryptoapi_ahash.c
+@@ -231,8 +231,10 @@ int nss_cryptoapi_ahash_setkey(struct cr
+ void nss_cryptoapi_ahash_done(void *app_data, struct nss_crypto_hdr *ch, uint8_t status)
+ {
+ 	struct ahash_request *req = app_data;
+-	struct nss_cryptoapi_ctx *ctx = crypto_tfm_ctx(req->base.tfm);
++       struct crypto_ahash *ahash = crypto_ahash_reqtfm(req);
++       struct nss_cryptoapi_ctx *ctx = crypto_ahash_ctx(ahash);
+ 	struct nss_cryptoapi_req_ctx *rctx = ahash_request_ctx(req);
++
+ 	uint8_t *hw_hmac;
+ 	int error;
+ 
+@@ -268,7 +270,7 @@ void nss_cryptoapi_ahash_done(void *app_
+ 	 * Decrement cryptoapi reference
+ 	 */
+ 	nss_cryptoapi_ref_dec(ctx);
+-	req->base.complete(&req->base, error);
++       ahash_request_complete(req, error);
+ }
+ 
+ /*
+--- a/cryptoapi/v2.0/nss_cryptoapi_skcipher.c
++++ b/cryptoapi/v2.0/nss_cryptoapi_skcipher.c
+@@ -92,9 +92,9 @@ int nss_cryptoapi_skcipher_init(struct c
+ 	struct nss_cryptoapi_ctx *ctx = crypto_skcipher_ctx(tfm);
+ 
+ 	BUG_ON(!ctx);
+-	NSS_CRYPTOAPI_SET_MAGIC(ctx);
+ 
+ 	memset(ctx, 0, sizeof(struct nss_cryptoapi_ctx));
++	NSS_CRYPTOAPI_SET_MAGIC(ctx);
+ 
+ 	ctx->user = g_cryptoapi.user;
+ 	ctx->stats.init++;
+@@ -220,11 +220,11 @@ int nss_cryptoapi_skcipher_setkey(struct
+ void nss_cryptoapi_skcipher_done(void *app_data, struct nss_crypto_hdr *ch, uint8_t status)
+ {
+ 	struct skcipher_request *req = app_data;
+-	struct nss_cryptoapi_ctx *ctx = skcipher_request_ctx(req);
++       struct crypto_skcipher *cipher = crypto_skcipher_reqtfm(req);
++       struct nss_cryptoapi_ctx *ctx = crypto_skcipher_ctx(cipher);
+ 	int error;
+ 
+ 	BUG_ON(!ch);
+-
+ 	/*
+ 	 * Check cryptoapi context magic number.
+ 	 */
+@@ -256,7 +256,7 @@ void nss_cryptoapi_skcipher_done(void *a
+ 	 * Decrement cryptoapi reference
+ 	 */
+ 	nss_cryptoapi_ref_dec(ctx);
+-	req->base.complete(&req->base, error);
++       skcipher_request_complete(req, error);
+ }
+ 
+ /*