Move non-upstream NSS packages back into repo

To keep fork as closely synced with upstream, move NSS packages back
into repository. Not sure why they were moved out from my original fork.
* nss-firmware
* qca-nss-crypto
* qca-nss-cfi

Removed the following:
* mhz (already available in packages repo)
* qrtr (unecessary, and has been broken for years)

Also moved packages out of `qca` and back into root directory.

firmware/nss-firmware/Makefile

@@ -0,0 +1,95 @@
+#
+# Copyright (C) 2022 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=nss-firmware
+PKG_SOURCE_DATE:=2022-07-12
+PKG_SOURCE_VERSION:=ade6bff594377c9d9c79b45e39bf104303d919bc
+PKG_MIRROR_HASH:=af0521893064b7bc52baab263e12c7db5462461ddac30d02647ed76d999b59fb
+PKG_RELEASE:=1
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://github.com/quic/qca-sdk-nss-fw.git
+
+PKG_LICENSE_FILES:=LICENSE.md
+
+PKG_MAINTAINER:=Robert Marko <robimarko@gmail.com>
+
+include $(INCLUDE_DIR)/package.mk
+
+RSTRIP:=:
+STRIP:=:
+
+VERSION_PATH=$(PKG_BUILD_DIR)/QCA_Networking_2022.SPF_12.0.0/ED1
+
+NSS_VER:=12.1
+NSS_REL:=022
+NSS_PROFILE:=R
+
+define Package/nss-firmware-default
+	TITLE:=NSS firmware
+	SECTION:=firmware
+	CATEGORY:=Firmware
+	URL:=$(PKG_SOURCE_URL)
+	DEPENDS:=@TARGET_qualcommax
+endef
+
+define Package/nss-firmware-ipq8074
+$(Package/nss-firmware-default)
+	IPQ_PLATFORM=IPQ8074
+	DEPENDS+= @TARGET_qualcommax_ipq807x
+	NSS_SOC:=HK
+endef
+
+define Package/nss-firmware-ipq6018
+$(Package/nss-firmware-default)
+	IPQ_PLATFORM=IPQ6018
+	DEPENDS+= @TARGET_qualcommax_ipq60xx
+	NSS_SOC:=CP
+endef
+
+define Package/nss-firmware-ipq5018
+$(Package/nss-firmware-default)
+	IPQ_PLATFORM=IPQ5018
+	DEPENDS+= @TARGET_qualcommax_ipq50xx
+	NSS_SOC:=MP
+endef
+
+define Build/Compile
+endef
+
+define Package/nss-firmware/install
+	$(eval NSS_ARCHIVE := $(VERSION_PATH)/$(IPQ_PLATFORM).ATH.12.0.0/BIN-NSS.FW.$(NSS_VER)-$(NSS_REL)-$(NSS_SOC).$(NSS_PROFILE).tar.bz2)
+	mkdir -p $(PKG_BUILD_DIR)/$(IPQ_PLATFORM)
+	$(TAR) -C $(PKG_BUILD_DIR)/$(IPQ_PLATFORM) -xf $(NSS_ARCHIVE) --strip-components=1
+	$(INSTALL_DIR) $(1)/lib/firmware/
+	$(INSTALL_DATA) \
+		$(PKG_BUILD_DIR)/$(IPQ_PLATFORM)/retail_router0.bin \
+		$(1)/lib/firmware/qca-nss0-retail.bin
+ifeq ($(NSS_SOC),HK)
+	$(INSTALL_DATA) \
+		$(PKG_BUILD_DIR)/$(IPQ_PLATFORM)/retail_router1.bin \
+		$(1)/lib/firmware/qca-nss1-retail.bin
+endif
+endef
+
+define Package/nss-firmware-ipq8074/install
+	$(call Package/nss-firmware/install,$1)
+endef
+
+define Package/nss-firmware-ipq6018/install
+	$(call Package/nss-firmware/install,$1)
+endef
+
+define Package/nss-firmware-ipq5018/install
+	$(call Package/nss-firmware/install,$1)
+endef
+
+$(eval $(call BuildPackage,nss-firmware-ipq8074))
+$(eval $(call BuildPackage,nss-firmware-ipq6018))
+$(eval $(call BuildPackage,nss-firmware-ipq5018))

qca-nss-cfi/Makefile

@@ -0,0 +1,87 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=qca-nss-cfi
+PKG_RELEASE:=1
+
+PKG_SOURCE_URL:=https://git.codelinaro.org/clo/qsdk/oss/lklm/nss-cfi.git
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_DATE:=2022-12-15
+PKG_SOURCE_VERSION:=5cd07ce299ee3ce62dbe4f6783ad36361e57583b
+PKG_MIRROR_HASH:=e449eee24fccc09b1cf0f1367bb54cedadcc46a30423934744e78272443197e7
+
+PKG_BUILD_PARALLEL:=1
+
+include $(INCLUDE_DIR)/kernel.mk
+include $(INCLUDE_DIR)/package.mk
+
+ifneq (, $(findstring $(CONFIG_TARGET_SUBTARGET), "ipq807x"))
+#4.4/5.4 + ipq807x/ipq60xx/ipq50xx
+  CFI_OCF_DIR:=ocf/v2.0
+  CFI_CRYPTOAPI_DIR:=cryptoapi/v2.0
+else
+#4.4 Kernel + ipq806x
+  CFI_CRYPTOAPI_DIR:=cryptoapi/v1.1
+  CFI_OCF_DIR:=ocf/v1.0
+  CFI_IPSEC_DIR:=ipsec/v1.0
+endif
+
+define KernelPackage/qca-nss-cfi-cryptoapi
+  SECTION:=kernel
+  CATEGORY:=Kernel modules
+  SUBMENU:=Cryptographic API modules
+  DEPENDS:=@TARGET_qualcommax +kmod-qca-nss-crypto +kmod-crypto-authenc
+  TITLE:=Kernel driver for NSS cfi
+  FILES:=$(PKG_BUILD_DIR)/$(CFI_CRYPTOAPI_DIR)/qca-nss-cfi-cryptoapi.ko
+  AUTOLOAD:=$(call AutoLoad,59,qca-nss-cfi-cryptoapi)
+endef
+
+define Build/InstallDev
+	$(INSTALL_DIR) $(1)/usr/include/qca-nss-cfi
+	$(CP) $(PKG_BUILD_DIR)/$(CFI_CRYPTOAPI_DIR)/../exports/* $(1)/usr/include/qca-nss-cfi
+	$(CP) $(PKG_BUILD_DIR)/include/* $(1)/usr/include/qca-nss-cfi
+endef
+
+define KernelPackage/qca-nss-cfi/Description
+This package contains a NSS cfi driver for QCA chipset
+endef
+
+EXTRA_CFLAGS+= \
+	-DCONFIG_NSS_DEBUG_LEVEL=4 \
+	-I$(LINUX_DIR)/crypto/ocf \
+	-I$(STAGING_DIR)/usr/include/qca-nss-crypto \
+	-I$(STAGING_DIR)/usr/include/crypto \
+	-I$(STAGING_DIR)/usr/include/qca-nss-drv
+
+ifneq (, $(findstring $(CONFIG_TARGET_SUBTARGET), "ipq807x"))
+EXTRA_CFLAGS+= -I$(STAGING_DIR)/usr/include/qca-nss-clients
+endif
+
+# Build individual packages if selected
+ifneq ($(CONFIG_PACKAGE_kmod-qca-nss-cfi-cryptoapi),)
+MAKE_OPTS+= \
+	cryptoapi=y \
+	NSS_CRYPTOAPI_ABLK=n \
+	NSS_CRYPTOAPI_SKCIPHER=y
+endif
+
+ifeq ($(CONFIG_TARGET_BOARD), "qualcommax")
+	SOC:=$(CONFIG_TARGET_SUBTARGET)
+endif
+
+define Build/Compile
+	+$(MAKE) -C "$(LINUX_DIR)" $(strip $(MAKE_OPTS)) \
+		CROSS_COMPILE="$(TARGET_CROSS)" \
+		ARCH="$(LINUX_KARCH)" \
+		M="$(PKG_BUILD_DIR)" \
+		EXTRA_CFLAGS="$(EXTRA_CFLAGS)" \
+		CC="$(TARGET_CC)" \
+		CFI_CRYPTOAPI_DIR=$(CFI_CRYPTOAPI_DIR) \
+		CFI_OCF_DIR=$(CFI_OCF_DIR) \
+		CFI_IPSEC_DIR=$(CFI_IPSEC_DIR) \
+		SoC=$(SOC) \
+		$(KERNEL_MAKE_FLAGS) \
+		$(PKG_JOBS) \
+		modules
+endef
+
+$(eval $(call KernelPackage,qca-nss-cfi-cryptoapi))

qca-nss-cfi/patches/0001-cryptoapi-v2.0-fix-SHA1-header-include.patch

@@ -0,0 +1,62 @@
+From 1569ac3b6bbcae9c3f4898e0d34aec8f88297ee6 Mon Sep 17 00:00:00 2001
+From: Robert Marko <robimarko@gmail.com>
+Date: Sun, 22 Jan 2023 21:45:23 +0100
+Subject: [PATCH 1/5] cryptoapi: v2.0: fix SHA1 header include
+
+SHA1 header has been merged to the generic SHA one,
+and with that the cryptohash.h was dropped.
+
+So, fix include in kernels 5.8 and newer.
+
+Signed-off-by: Robert Marko <robimarko@gmail.com>
+---
+ cryptoapi/v2.0/nss_cryptoapi.c       | 5 +++++
+ cryptoapi/v2.0/nss_cryptoapi_aead.c  | 5 +++++
+ cryptoapi/v2.0/nss_cryptoapi_ahash.c | 5 +++++
+ 3 files changed, 15 insertions(+)
+
+--- a/cryptoapi/v2.0/nss_cryptoapi.c
++++ b/cryptoapi/v2.0/nss_cryptoapi.c
+@@ -39,7 +39,12 @@
+ 
+ #include <crypto/aes.h>
+ #include <crypto/des.h>
++#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 0)
+ #include <crypto/sha.h>
++#else
++#include <crypto/sha1.h>
++#include <crypto/sha2.h>
++#endif
+ #include <crypto/hash.h>
+ #include <crypto/md5.h>
+ #include <crypto/ghash.h>
+--- a/cryptoapi/v2.0/nss_cryptoapi_aead.c
++++ b/cryptoapi/v2.0/nss_cryptoapi_aead.c
+@@ -39,7 +39,12 @@
+ 
+ #include <crypto/aes.h>
+ #include <crypto/des.h>
++#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 0)
+ #include <crypto/sha.h>
++#else
++#include <crypto/sha1.h>
++#include <crypto/sha2.h>
++#endif
+ #include <crypto/hash.h>
+ #include <crypto/algapi.h>
+ #include <crypto/aead.h>
+--- a/cryptoapi/v2.0/nss_cryptoapi_ahash.c
++++ b/cryptoapi/v2.0/nss_cryptoapi_ahash.c
+@@ -38,7 +38,12 @@
+ 
+ #include <crypto/aes.h>
+ #include <crypto/des.h>
++#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 0)
+ #include <crypto/sha.h>
++#else
++#include <crypto/sha1.h>
++#include <crypto/sha2.h>
++#endif
+ #include <crypto/hash.h>
+ #include <crypto/algapi.h>
+ #include <crypto/aead.h>

qca-nss-cfi/patches/0002-cryptoapi-v2.0-make-ablkcipher-optional.patch

@@ -0,0 +1,116 @@
+From 26cca5006bddb0da57398452616e07ee7b11edb1 Mon Sep 17 00:00:00 2001
+From: Robert Marko <robimarko@gmail.com>
+Date: Sun, 22 Jan 2023 22:01:34 +0100
+Subject: [PATCH 2/5] cryptoapi: v2.0: make ablkcipher optional
+
+albkcipher has been removed from the kernel in v5.5, so until it has been
+converted to skcipher, lets make it optional to at least have hashes
+working.
+
+Signed-off-by: Robert Marko <robimarko@gmail.com>
+---
+ cryptoapi/v2.0/Makefile                |  3 +++
+ cryptoapi/v2.0/nss_cryptoapi.c         | 10 ++++++++++
+ cryptoapi/v2.0/nss_cryptoapi_private.h |  2 ++
+ 3 files changed, 15 insertions(+)
+
+--- a/cryptoapi/v2.0/Makefile
++++ b/cryptoapi/v2.0/Makefile
+@@ -5,7 +5,10 @@ NSS_CRYPTOAPI_MOD_NAME=qca-nss-cfi-crypt
+ obj-m += $(NSS_CRYPTOAPI_MOD_NAME).o
+ $(NSS_CRYPTOAPI_MOD_NAME)-objs = nss_cryptoapi.o
+ $(NSS_CRYPTOAPI_MOD_NAME)-objs += nss_cryptoapi_aead.o
++ifneq "$(NSS_CRYPTOAPI_ABLK)" "n"
+ $(NSS_CRYPTOAPI_MOD_NAME)-objs += nss_cryptoapi_ablk.o
++ccflags-y += -DNSS_CRYPTOAPI_ABLK
++endif
+ $(NSS_CRYPTOAPI_MOD_NAME)-objs += nss_cryptoapi_ahash.o
+ 
+ obj ?= .
+--- a/cryptoapi/v2.0/nss_cryptoapi.c
++++ b/cryptoapi/v2.0/nss_cryptoapi.c
+@@ -1367,6 +1367,7 @@ struct aead_alg cryptoapi_aead_algs[] =
+ /*
+  * ABLK cipher algorithms
+  */
++#if defined(NSS_CRYPTOAPI_ABLK)
+ static struct crypto_alg cryptoapi_ablkcipher_algs[] = {
+ 	{
+ 		.cra_name = "cbc(aes)",
+@@ -1466,6 +1467,7 @@ static struct crypto_alg cryptoapi_ablkc
+ 		},
+ 	}
+ };
++#endif
+ 
+ /*
+  * AHASH algorithms
+@@ -2189,7 +2191,9 @@ void nss_cryptoapi_add_ctx2debugfs(struc
+  */
+ void nss_cryptoapi_attach_user(void *app_data, struct nss_crypto_user *user)
+ {
++#if defined(NSS_CRYPTOAPI_ABLK)
+ 	struct crypto_alg *ablk = cryptoapi_ablkcipher_algs;
++#endif
+ 	struct aead_alg *aead = cryptoapi_aead_algs;
+ 	struct ahash_alg *ahash = cryptoapi_ahash_algs;
+ 	struct nss_cryptoapi *sc = app_data;
+@@ -2212,6 +2216,7 @@ void nss_cryptoapi_attach_user(void *app
+ 		      g_cryptoapi.user = user;
+ 	}
+ 
++#if defined(NSS_CRYPTOAPI_ABLK)
+ 	for (i = 0; enable_ablk && (i < ARRAY_SIZE(cryptoapi_ablkcipher_algs)); i++, ablk++) {
+ 		info = nss_cryptoapi_cra_name_lookup(ablk->cra_name);
+ 		if(!info || !nss_crypto_algo_is_supp(info->algo))
+@@ -2222,6 +2227,7 @@ void nss_cryptoapi_attach_user(void *app
+ 			ablk->cra_flags = 0;
+ 		}
+ 	}
++#endif
+ 
+ 	for (i = 0; enable_aead && (i < ARRAY_SIZE(cryptoapi_aead_algs)); i++, aead++) {
+ 		info = nss_cryptoapi_cra_name_lookup(aead->base.cra_name);
+@@ -2257,7 +2263,9 @@ void nss_cryptoapi_attach_user(void *app
+  */
+ void nss_cryptoapi_detach_user(void *app_data, struct nss_crypto_user *user)
+ {
++#if defined(NSS_CRYPTOAPI_ABLK)
+ 	struct crypto_alg *ablk = cryptoapi_ablkcipher_algs;
++#endif
+ 	struct aead_alg *aead = cryptoapi_aead_algs;
+ 	struct ahash_alg *ahash = cryptoapi_ahash_algs;
+ 	struct nss_cryptoapi *sc = app_data;
+@@ -2270,6 +2278,7 @@ void nss_cryptoapi_detach_user(void *app
+ 	 */
+ 	atomic_set(&g_cryptoapi.registered, 0);
+ 
++#if defined(NSS_CRYPTOAPI_ABLK)
+ 	for (i = 0; enable_ablk && (i < ARRAY_SIZE(cryptoapi_ablkcipher_algs)); i++, ablk++) {
+ 		if (!ablk->cra_flags)
+ 			continue;
+@@ -2277,6 +2286,7 @@ void nss_cryptoapi_detach_user(void *app
+ 		crypto_unregister_alg(ablk);
+ 		nss_cfi_info("%px: ABLK unregister succeeded, algo: %s\n", sc, ablk->cra_name);
+ 	}
++#endif
+ 
+ 	for (i = 0; enable_aead && (i < ARRAY_SIZE(cryptoapi_aead_algs)); i++, aead++) {
+ 		if (!aead->base.cra_flags)
+--- a/cryptoapi/v2.0/nss_cryptoapi_private.h
++++ b/cryptoapi/v2.0/nss_cryptoapi_private.h
+@@ -250,12 +250,14 @@ extern void nss_cryptoapi_aead_tx_proc(s
+ /*
+  * ABLKCIPHER
+  */
++#if defined(NSS_CRYPTOAPI_ABLK)
+ extern int nss_cryptoapi_ablkcipher_init(struct crypto_tfm *tfm);
+ extern void nss_cryptoapi_ablkcipher_exit(struct crypto_tfm *tfm);
+ extern int nss_cryptoapi_ablk_setkey(struct crypto_ablkcipher *cipher, const u8 *key, unsigned int len);
+ extern int nss_cryptoapi_ablk_encrypt(struct ablkcipher_request *req);
+ extern int nss_cryptoapi_ablk_decrypt(struct ablkcipher_request *req);
+ extern void nss_cryptoapi_copy_iv(struct nss_cryptoapi_ctx *ctx, struct scatterlist *sg, uint8_t *iv, uint8_t iv_len);
++#endif
+ 
+ /*
+  * AHASH

qca-nss-cfi/patches/0003-cryptoapi-v2.0-remove-setting-crypto_ahash_type-for-.patch

@@ -0,0 +1,137 @@
+From 797b5166783cda0886038ffb22f5386b9363a961 Mon Sep 17 00:00:00 2001
+From: Robert Marko <robimarko@gmail.com>
+Date: Sun, 22 Jan 2023 22:08:27 +0100
+Subject: [PATCH 3/5] cryptoapi: v2.0: remove setting crypto_ahash_type for
+ newer kernels
+
+Upstream has stopped exporting crypto_ahash_type and removed setting it
+on ahash algos since v4.19 as its easily identifiable by the struct type
+and its being set in the core directly, so lets do the same.
+
+Signed-off-by: Robert Marko <robimarko@gmail.com>
+---
+ cryptoapi/v2.0/nss_cryptoapi.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+--- a/cryptoapi/v2.0/nss_cryptoapi.c
++++ b/cryptoapi/v2.0/nss_cryptoapi.c
+@@ -1495,7 +1495,9 @@ static struct ahash_alg cryptoapi_ahash_
+ 				.cra_blocksize   = MD5_HMAC_BLOCK_SIZE,
+ 				.cra_ctxsize     = sizeof(struct nss_cryptoapi_ctx),
+ 				.cra_alignmask   = 0,
++#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 0)
+ 				.cra_type        = &crypto_ahash_type,
++#endif
+ 				.cra_module      = THIS_MODULE,
+ 				.cra_init        = nss_cryptoapi_ahash_cra_init,
+ 				.cra_exit        = nss_cryptoapi_ahash_cra_exit,
+@@ -1521,7 +1523,9 @@ static struct ahash_alg cryptoapi_ahash_
+ 				.cra_blocksize   = SHA1_BLOCK_SIZE,
+ 				.cra_ctxsize     = sizeof(struct nss_cryptoapi_ctx),
+ 				.cra_alignmask   = 0,
++#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 0)
+ 				.cra_type        = &crypto_ahash_type,
++#endif
+ 				.cra_module      = THIS_MODULE,
+ 				.cra_init        = nss_cryptoapi_ahash_cra_init,
+ 				.cra_exit        = nss_cryptoapi_ahash_cra_exit,
+@@ -1547,7 +1551,9 @@ static struct ahash_alg cryptoapi_ahash_
+ 				.cra_blocksize   = SHA224_BLOCK_SIZE,
+ 				.cra_ctxsize     = sizeof(struct nss_cryptoapi_ctx),
+ 				.cra_alignmask   = 0,
++#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 0)
+ 				.cra_type        = &crypto_ahash_type,
++#endif
+ 				.cra_module      = THIS_MODULE,
+ 				.cra_init        = nss_cryptoapi_ahash_cra_init,
+ 				.cra_exit        = nss_cryptoapi_ahash_cra_exit,
+@@ -1573,7 +1579,9 @@ static struct ahash_alg cryptoapi_ahash_
+ 				.cra_blocksize   = SHA256_BLOCK_SIZE,
+ 				.cra_ctxsize     = sizeof(struct nss_cryptoapi_ctx),
+ 				.cra_alignmask   = 0,
++#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 0)
+ 				.cra_type        = &crypto_ahash_type,
++#endif
+ 				.cra_module      = THIS_MODULE,
+ 				.cra_init        = nss_cryptoapi_ahash_cra_init,
+ 				.cra_exit        = nss_cryptoapi_ahash_cra_exit,
+@@ -1599,7 +1607,9 @@ static struct ahash_alg cryptoapi_ahash_
+ 				.cra_blocksize   = SHA384_BLOCK_SIZE,
+ 				.cra_ctxsize     = sizeof(struct nss_cryptoapi_ctx),
+ 				.cra_alignmask   = 0,
++#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 0)
+ 				.cra_type        = &crypto_ahash_type,
++#endif
+ 				.cra_module      = THIS_MODULE,
+ 				.cra_init        = nss_cryptoapi_ahash_cra_init,
+ 				.cra_exit        = nss_cryptoapi_ahash_cra_exit,
+@@ -1625,7 +1635,9 @@ static struct ahash_alg cryptoapi_ahash_
+ 				.cra_blocksize   = SHA512_BLOCK_SIZE,
+ 				.cra_ctxsize     = sizeof(struct nss_cryptoapi_ctx),
+ 				.cra_alignmask   = 0,
++#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 0)
+ 				.cra_type        = &crypto_ahash_type,
++#endif
+ 				.cra_module      = THIS_MODULE,
+ 				.cra_init        = nss_cryptoapi_ahash_cra_init,
+ 				.cra_exit        = nss_cryptoapi_ahash_cra_exit,
+@@ -1655,7 +1667,9 @@ static struct ahash_alg cryptoapi_ahash_
+ 				.cra_blocksize   = MD5_HMAC_BLOCK_SIZE,
+ 				.cra_ctxsize     = sizeof(struct nss_cryptoapi_ctx),
+ 				.cra_alignmask   = 0,
++#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 0)
+ 				.cra_type        = &crypto_ahash_type,
++#endif
+ 				.cra_module      = THIS_MODULE,
+ 				.cra_init        = nss_cryptoapi_ahash_cra_init,
+ 				.cra_exit        = nss_cryptoapi_ahash_cra_exit,
+@@ -1681,7 +1695,9 @@ static struct ahash_alg cryptoapi_ahash_
+ 				.cra_blocksize   = SHA1_BLOCK_SIZE,
+ 				.cra_ctxsize     = sizeof(struct nss_cryptoapi_ctx),
+ 				.cra_alignmask   = 0,
++#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 0)
+ 				.cra_type        = &crypto_ahash_type,
++#endif
+ 				.cra_module      = THIS_MODULE,
+ 				.cra_init        = nss_cryptoapi_ahash_cra_init,
+ 				.cra_exit        = nss_cryptoapi_ahash_cra_exit,
+@@ -1707,7 +1723,9 @@ static struct ahash_alg cryptoapi_ahash_
+ 				.cra_blocksize   = SHA224_BLOCK_SIZE,
+ 				.cra_ctxsize     = sizeof(struct nss_cryptoapi_ctx),
+ 				.cra_alignmask   = 0,
++#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 0)
+ 				.cra_type        = &crypto_ahash_type,
++#endif
+ 				.cra_module      = THIS_MODULE,
+ 				.cra_init        = nss_cryptoapi_ahash_cra_init,
+ 				.cra_exit        = nss_cryptoapi_ahash_cra_exit,
+@@ -1733,7 +1751,9 @@ static struct ahash_alg cryptoapi_ahash_
+ 				.cra_blocksize   = SHA256_BLOCK_SIZE,
+ 				.cra_ctxsize     = sizeof(struct nss_cryptoapi_ctx),
+ 				.cra_alignmask   = 0,
++#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 0)
+ 				.cra_type        = &crypto_ahash_type,
++#endif
+ 				.cra_module      = THIS_MODULE,
+ 				.cra_init        = nss_cryptoapi_ahash_cra_init,
+ 				.cra_exit        = nss_cryptoapi_ahash_cra_exit,
+@@ -1759,7 +1779,9 @@ static struct ahash_alg cryptoapi_ahash_
+ 				.cra_blocksize   = SHA384_BLOCK_SIZE,
+ 				.cra_ctxsize     = sizeof(struct nss_cryptoapi_ctx),
+ 				.cra_alignmask   = 0,
++#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 0)
+ 				.cra_type        = &crypto_ahash_type,
++#endif
+ 				.cra_module      = THIS_MODULE,
+ 				.cra_init        = nss_cryptoapi_ahash_cra_init,
+ 				.cra_exit        = nss_cryptoapi_ahash_cra_exit,
+@@ -1785,7 +1807,9 @@ static struct ahash_alg cryptoapi_ahash_
+ 				.cra_blocksize   = SHA512_BLOCK_SIZE,
+ 				.cra_ctxsize     = sizeof(struct nss_cryptoapi_ctx),
+ 				.cra_alignmask   = 0,
++#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 0)
+ 				.cra_type        = &crypto_ahash_type,
++#endif
+ 				.cra_module      = THIS_MODULE,
+ 				.cra_init        = nss_cryptoapi_ahash_cra_init,
+ 				.cra_exit        = nss_cryptoapi_ahash_cra_exit,

qca-nss-cfi/patches/0004-cryptoapi-v2.0-aead-add-downstream-crypto_tfm_alg_fl.patch

@@ -0,0 +1,28 @@
+From 8db77add1a794bdee8eef0a351e40bf1cdf6dfa9 Mon Sep 17 00:00:00 2001
+From: Robert Marko <robimarko@gmail.com>
+Date: Sun, 22 Jan 2023 22:09:51 +0100
+Subject: [PATCH 4/5] cryptoapi: v2.0: aead: add downstream
+ crypto_tfm_alg_flags
+
+crypto_tfm_alg_flags newer made it upstream, but as a temporary stopgap
+until a better solution is figured out lets add it.
+
+Signed-off-by: Robert Marko <robimarko@gmail.com>
+---
+ cryptoapi/v2.0/nss_cryptoapi_aead.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/cryptoapi/v2.0/nss_cryptoapi_aead.c
++++ b/cryptoapi/v2.0/nss_cryptoapi_aead.c
+@@ -61,6 +61,11 @@
+ #include <nss_cryptoapi.h>
+ #include "nss_cryptoapi_private.h"
+ 
++static inline u32 crypto_tfm_alg_flags(struct crypto_tfm *tfm)
++{
++	return tfm->__crt_alg->cra_flags & ~CRYPTO_ALG_TYPE_MASK;
++}
++
+ /*
+  * nss_cryptoapi_aead_ctx2session()
+  *	Cryptoapi function to get the session ID for an AEAD

qca-nss-cfi/patches/0005-cryptoapi-v2.0-remove-dropped-flags.patch

@@ -0,0 +1,97 @@
+From 62bbb188e1a72d28916e1eca31f4cb9fbbf51cd1 Mon Sep 17 00:00:00 2001
+From: Robert Marko <robimarko@gmail.com>
+Date: Sun, 22 Jan 2023 22:11:06 +0100
+Subject: [PATCH 5/5] cryptoapi: v2.0: remove dropped flags
+
+Upstream has dropped these flags as there was no use for them, so lets do
+the same.
+
+Signed-off-by: Robert Marko <robimarko@gmail.com>
+---
+ cryptoapi/v2.0/nss_cryptoapi_aead.c  | 6 ------
+ cryptoapi/v2.0/nss_cryptoapi_ahash.c | 4 ----
+ 2 files changed, 10 deletions(-)
+
+--- a/cryptoapi/v2.0/nss_cryptoapi_aead.c
++++ b/cryptoapi/v2.0/nss_cryptoapi_aead.c
+@@ -207,7 +207,6 @@ int nss_cryptoapi_aead_setkey_noauth(str
+ 	ctx->info = nss_cryptoapi_cra_name2info(crypto_tfm_alg_name(tfm), keylen, 0);
+ 	if (!ctx->info) {
+ 		nss_cfi_err("%px: Unable to find algorithm with keylen\n", ctx);
+-		crypto_aead_set_flags(aead, CRYPTO_TFM_RES_BAD_KEY_LEN);
+ 		return -ENOENT;
+ 	}
+ 
+@@ -239,7 +238,6 @@ int nss_cryptoapi_aead_setkey_noauth(str
+ 	status = nss_crypto_session_alloc(ctx->user, &data, &ctx->sid);
+ 	if (status < 0) {
+ 		nss_cfi_err("%px: Unable to allocate crypto session(%d)\n", ctx, status);
+-		crypto_aead_set_flags(aead, CRYPTO_TFM_RES_BAD_FLAGS);
+ 		return status;
+ 	}
+ 
+@@ -271,14 +269,12 @@ int nss_cryptoapi_aead_setkey(struct cry
+ 	 */
+ 	if (crypto_authenc_extractkeys(&keys, key, keylen) != 0) {
+ 		nss_cfi_err("%px: Unable to extract keys\n", ctx);
+-		crypto_aead_set_flags(aead, CRYPTO_TFM_RES_BAD_KEY_LEN);
+ 		return -EIO;
+ 	}
+ 
+ 	ctx->info = nss_cryptoapi_cra_name2info(crypto_tfm_alg_name(tfm), keys.enckeylen, crypto_aead_maxauthsize(aead));
+ 	if (!ctx->info) {
+ 		nss_cfi_err("%px: Unable to find algorithm with keylen\n", ctx);
+-		crypto_aead_set_flags(aead, CRYPTO_TFM_RES_BAD_KEY_LEN);
+ 		return -ENOENT;
+ 	}
+ 
+@@ -299,7 +295,6 @@ int nss_cryptoapi_aead_setkey(struct cry
+ 	 */
+ 	if (keys.authkeylen > ctx->info->auth_blocksize) {
+ 		nss_cfi_err("%px: Auth keylen(%d) exceeds supported\n", ctx, keys.authkeylen);
+-		crypto_aead_set_flags(aead, CRYPTO_TFM_RES_BAD_KEY_LEN);
+ 		return -EINVAL;
+ 	}
+ 
+@@ -342,7 +337,6 @@ int nss_cryptoapi_aead_setkey(struct cry
+ 	status = nss_crypto_session_alloc(ctx->user, &data, &ctx->sid);
+ 	if (status < 0) {
+ 		nss_cfi_err("%px: Unable to allocate crypto session(%d)\n", ctx, status);
+-		crypto_aead_set_flags(aead, CRYPTO_TFM_RES_BAD_FLAGS);
+ 		return status;
+ 	}
+ 
+--- a/cryptoapi/v2.0/nss_cryptoapi_ahash.c
++++ b/cryptoapi/v2.0/nss_cryptoapi_ahash.c
+@@ -192,7 +192,6 @@ int nss_cryptoapi_ahash_setkey(struct cr
+ 
+ 	ctx->info = nss_cryptoapi_cra_name2info(crypto_tfm_alg_name(tfm), 0, crypto_ahash_digestsize(ahash));
+ 	if (!ctx->info) {
+-		crypto_ahash_set_flags(ahash, CRYPTO_TFM_RES_BAD_KEY_LEN);
+ 		return -EINVAL;
+ 	}
+ 
+@@ -215,7 +214,6 @@ int nss_cryptoapi_ahash_setkey(struct cr
+ 	status = nss_crypto_session_alloc(ctx->user, &data, &ctx->sid);
+ 	if (status < 0) {
+ 		nss_cfi_warn("%px: Unable to allocate crypto session(%d)\n", ctx, status);
+-		crypto_ahash_set_flags(ahash, CRYPTO_TFM_RES_BAD_FLAGS);
+ 		return status;
+ 	}
+ 
+@@ -299,7 +297,6 @@ int nss_cryptoapi_ahash_init(struct ahas
+ 		 */
+ 		ctx->info = nss_cryptoapi_cra_name2info(crypto_tfm_alg_name(tfm), 0, 0);
+ 		if (!ctx->info) {
+-			crypto_ahash_set_flags(ahash, CRYPTO_TFM_RES_BAD_KEY_LEN);
+ 			return -EINVAL;
+ 		}
+ 
+@@ -314,7 +311,6 @@ int nss_cryptoapi_ahash_init(struct ahas
+ 		status = nss_crypto_session_alloc(ctx->user, &data, &ctx->sid);
+ 		if (status < 0) {
+ 			nss_cfi_err("%px: Unable to allocate crypto session(%d)\n", ctx, status);
+-			crypto_ahash_set_flags(ahash, CRYPTO_TFM_RES_BAD_FLAGS);
+ 			return status;
+ 		}
+ 

qca-nss-crypto/Makefile

@@ -0,0 +1,70 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=qca-nss-crypto
+PKG_RELEASE:=1
+
+PKG_SOURCE_URL:=https://git.codelinaro.org/clo/qsdk/oss/lklm/nss-crypto.git
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_DATE:=2022-12-15
+PKG_SOURCE_VERSION:=3c5a574ce99d7f0b9f892002020f1bf9bfc57a81
+PKG_MIRROR_HASH:=ff487c5574481f548eef7b61129fa7be1d83ae285dcc3356a06be237440d8782
+
+PKG_BUILD_PARALLEL:=1
+
+include $(INCLUDE_DIR)/kernel.mk
+include $(INCLUDE_DIR)/package.mk
+
+# v1.0 is for Akronite
+# v2.0 is for Hawkeye/Cypress/Maple
+ifneq (, $(findstring $(CONFIG_TARGET_SUBTARGET), "ipq807x"))
+NSS_CRYPTO_DIR:=v2.0
+else
+NSS_CRYPTO_DIR:=v1.0
+endif
+
+define KernelPackage/qca-nss-crypto
+	SECTION:=kernel
+	CATEGORY:=Kernel modules
+	SUBMENU:=Cryptographic API modules
+	DEPENDS:=@TARGET_qualcommax +kmod-qca-nss-drv
+	TITLE:=Kernel driver for NSS crypto driver
+	FILES:=$(PKG_BUILD_DIR)/$(NSS_CRYPTO_DIR)/src/qca-nss-crypto.ko \
+	$(PKG_BUILD_DIR)/$(NSS_CRYPTO_DIR)/tool/qca-nss-crypto-tool.ko
+	AUTOLOAD:=$(call AutoProbe,qca-nss-crypto)
+endef
+
+define KernelPackage/qca-nss-crypto/Description
+This package contains a NSS crypto driver for QCA chipset
+endef
+
+define Build/InstallDev
+	$(INSTALL_DIR) $(1)/usr/include/qca-nss-crypto
+	$(CP) $(PKG_BUILD_DIR)/$(NSS_CRYPTO_DIR)/include/* $(1)/usr/include/qca-nss-crypto
+endef
+
+EXTRA_CFLAGS+= \
+	-DCONFIG_NSS_DEBUG_LEVEL=4 \
+	-I$(STAGING_DIR)/usr/include/qca-nss-crypto \
+	-I$(STAGING_DIR)/usr/include/qca-nss-drv \
+	-I$(PKG_BUILD_DIR)/$(NSS_CRYPTO_DIR)/include \
+	-I$(PKG_BUILD_DIR)/$(NSS_CRYPTO_DIR)/src
+
+ifeq ($(CONFIG_TARGET_BOARD), "qualcommax")
+	SOC:=$(CONFIG_TARGET_SUBTARGET)
+endif
+
+define Build/Compile
+	+$(MAKE) -C "$(LINUX_DIR)" \
+		CC="$(TARGET_CC)" \
+		CROSS_COMPILE="$(TARGET_CROSS)" \
+		ARCH="$(LINUX_KARCH)" \
+		M="$(PKG_BUILD_DIR)" \
+		EXTRA_CFLAGS="$(EXTRA_CFLAGS)" \
+		NSS_CRYPTO_DIR=$(NSS_CRYPTO_DIR) \
+		SoC=$(SOC) \
+		$(KERNEL_MAKE_FLAGS) \
+		$(PKG_JOBS) \
+		modules
+endef
+
+$(eval $(call KernelPackage,qca-nss-crypto))

qca-nss-crypto/patches/0001-nss-crypto-fix-SHA1-header-include.patch

@@ -0,0 +1,27 @@
+From 0c6c593783f2d64a429ad38523661a915aa462fc Mon Sep 17 00:00:00 2001
+From: Robert Marko <robimarko@gmail.com>
+Date: Sun, 13 Mar 2022 13:44:47 +0100
+Subject: [PATCH 1/3] nss-crypto: fix SHA1 header include
+
+SHA1 header has been merged to the generic SHA one,
+and with that the cryptohash.h was dropped.
+
+So, fix include in kernels 5.8 and newer.
+
+Signed-off-by: Robert Marko <robimarko@gmail.com>
+---
+ v2.0/src/nss_crypto_hlos.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/v2.0/src/nss_crypto_hlos.h
++++ b/v2.0/src/nss_crypto_hlos.h
+@@ -55,7 +55,9 @@
+ #include <linux/interrupt.h>
+ #include <linux/delay.h>
+ #include <linux/vmalloc.h>
++#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 8, 0)
+ #include <linux/cryptohash.h>
++#endif
+ #include <crypto/sha.h>
+ #include <crypto/aes.h>
+ #include <crypto/des.h>

qca-nss-crypto/patches/0002-nss-crypto-replace-ioremap_nocache-with-ioremap.patch

@@ -0,0 +1,94 @@
+From 8baa8e747247403c6f814ea5dc3e463c70e0415f Mon Sep 17 00:00:00 2001
+From: Robert Marko <robimarko@gmail.com>
+Date: Tue, 8 Jun 2021 22:14:34 +0200
+Subject: [PATCH 2/3] nss-crypto: replace ioremap_nocache() with ioremap
+
+ioremap_nocache() was dropped in kernel 5.5 as regular
+ioremap() was exactly the same.
+
+So, simply replace all of the ioremap_nocache() calls
+with ioremap().
+
+Signed-off-by: Robert Marko <robimarko@gmail.com>
+---
+ v1.0/src/nss_crypto_dtsi.c               | 4 ++--
+ v1.0/src/nss_crypto_platform.c           | 4 ++--
+ v2.0/src/hal/ipq50xx/nss_crypto_ce5.c    | 4 ++--
+ v2.0/src/hal/ipq60xx/nss_crypto_eip197.c | 2 +-
+ v2.0/src/hal/ipq807x/nss_crypto_eip197.c | 2 +-
+ 5 files changed, 8 insertions(+), 8 deletions(-)
+
+--- a/v1.0/src/nss_crypto_dtsi.c
++++ b/v1.0/src/nss_crypto_dtsi.c
+@@ -311,11 +311,11 @@ static int nss_crypto_probe(struct platf
+ 	e_ctrl->dev = &pdev->dev;
+ 
+ 	e_ctrl->cmd_base = crypto_res.start;
+-	e_ctrl->crypto_base = ioremap_nocache(e_ctrl->cmd_base, resource_size(&crypto_res));
++	e_ctrl->crypto_base = ioremap(e_ctrl->cmd_base, resource_size(&crypto_res));
+ 	nss_crypto_assert(e_ctrl->crypto_base);
+ 
+ 	e_ctrl->bam_pbase = bam_res.start;
+-	e_ctrl->bam_base = ioremap_nocache(e_ctrl->bam_pbase, resource_size(&bam_res));
++	e_ctrl->bam_base = ioremap(e_ctrl->bam_pbase, resource_size(&bam_res));
+ 	nss_crypto_assert(e_ctrl->bam_base);
+ 
+ 	e_ctrl->bam_ee = bam_ee;
+--- a/v1.0/src/nss_crypto_platform.c
++++ b/v1.0/src/nss_crypto_platform.c
+@@ -134,11 +134,11 @@ static int nss_crypto_probe(struct platf
+ 	e_ctrl->bam_ee = res->bam_ee;
+ 
+ 	e_ctrl->cmd_base = res->crypto_pbase;
+-	e_ctrl->crypto_base = ioremap_nocache(res->crypto_pbase, res->crypto_pbase_sz);
++	e_ctrl->crypto_base = ioremap(res->crypto_pbase, res->crypto_pbase_sz);
+ 	nss_crypto_assert(e_ctrl->crypto_base);
+ 
+ 	e_ctrl->bam_pbase = res->bam_pbase;
+-	e_ctrl->bam_base = ioremap_nocache(res->bam_pbase, res->bam_pbase_sz);
++	e_ctrl->bam_base = ioremap(res->bam_pbase, res->bam_pbase_sz);
+ 	nss_crypto_assert(e_ctrl->bam_base);
+ 
+ 	/*
+--- a/v2.0/src/hal/ipq50xx/nss_crypto_ce5.c
++++ b/v2.0/src/hal/ipq50xx/nss_crypto_ce5.c
+@@ -288,7 +288,7 @@ int nss_crypto_ce5_engine_init(struct pl
+ 	 * remap the I/O addresses for crypto
+ 	 */
+ 	eng->crypto_paddr = crypto_res->start;
+-	eng->crypto_vaddr = ioremap_nocache(crypto_res->start, resource_size(crypto_res));
++	eng->crypto_vaddr = ioremap(crypto_res->start, resource_size(crypto_res));
+ 	if (!eng->crypto_vaddr) {
+ 		nss_crypto_warn("%px: unable to remap crypto_addr(0x%px)\n", node, (void *)eng->crypto_paddr);
+ 		nss_crypto_engine_free(eng);
+@@ -299,7 +299,7 @@ int nss_crypto_ce5_engine_init(struct pl
+ 	 * remap the I/O addresses for bam
+ 	 */
+ 	eng->dma_paddr = bam_res->start;
+-	eng->dma_vaddr = ioremap_nocache(bam_res->start, resource_size(bam_res));
++	eng->dma_vaddr = ioremap(bam_res->start, resource_size(bam_res));
+ 	if (!eng->dma_vaddr) {
+ 		iounmap(eng->crypto_vaddr);
+ 		nss_crypto_warn("%px: unable to remap dma_addr(0x%px)\n", node, (void *)eng->dma_paddr);
+--- a/v2.0/src/hal/ipq60xx/nss_crypto_eip197.c
++++ b/v2.0/src/hal/ipq60xx/nss_crypto_eip197.c
+@@ -490,7 +490,7 @@ int nss_crypto_eip197_engine_init(struct
+ 	 * remap the I/O addresses
+ 	 */
+ 	paddr = res->start + offset;
+-	vaddr = ioremap_nocache(paddr, resource_size(res));
++	vaddr = ioremap(paddr, resource_size(res));
+ 	if (!vaddr) {
+ 		nss_crypto_warn("%px: unable to remap crypto_addr(0x%px)\n", node, (void *)paddr);
+ 		return -EIO;
+--- a/v2.0/src/hal/ipq807x/nss_crypto_eip197.c
++++ b/v2.0/src/hal/ipq807x/nss_crypto_eip197.c
+@@ -490,7 +490,7 @@ int nss_crypto_eip197_engine_init(struct
+ 	 * remap the I/O addresses
+ 	 */
+ 	paddr = res->start + offset;
+-	vaddr = ioremap_nocache(paddr, resource_size(res));
++	vaddr = ioremap(paddr, resource_size(res));
+ 	if (!vaddr) {
+ 		nss_crypto_warn("%px: unable to remap crypto_addr(0x%px)\n", node, (void *)paddr);
+ 		return -EIO;

qca-nss-crypto/patches/0003-nss-crypto-fix-SHA-header-include-in-5.15.patch

@@ -0,0 +1,44 @@
+From 96da3ca01ac172e5d858209b3d3d9aefad04423c Mon Sep 17 00:00:00 2001
+From: Robert Marko <robimarko@gmail.com>
+Date: Sun, 13 Mar 2022 13:47:24 +0100
+Subject: [PATCH 3/3] nss-crypto: fix SHA header include in 5.15
+
+SHA header was split into SHA-1 and SHA-2 headers in kernel 5.11, so
+fix the include for newer kernels.
+
+Signed-off-by: Robert Marko <robimarko@gmail.com>
+---
+ v2.0/src/nss_crypto_ctrl.c | 6 ++++++
+ v2.0/src/nss_crypto_hlos.h | 4 ++++
+ 2 files changed, 10 insertions(+)
+
+--- a/v2.0/src/nss_crypto_ctrl.c
++++ b/v2.0/src/nss_crypto_ctrl.c
+@@ -38,7 +38,13 @@
+ #include <linux/debugfs.h>
+ #include <linux/log2.h>
+ #include <linux/completion.h>
++#include <linux/version.h>
++#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 0)
+ #include <crypto/sha.h>
++#else
++#include <crypto/sha1.h>
++#include <crypto/sha2.h>
++#endif
+ #include <crypto/des.h>
+ #include <crypto/aes.h>
+ #include <crypto/md5.h>
+--- a/v2.0/src/nss_crypto_hlos.h
++++ b/v2.0/src/nss_crypto_hlos.h
+@@ -58,7 +58,11 @@
+ #if LINUX_VERSION_CODE < KERNEL_VERSION(5, 8, 0)
+ #include <linux/cryptohash.h>
+ #endif
++#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 0)
+ #include <crypto/sha.h>
++#else
++#include <crypto/sha1.h>
++#endif
+ #include <crypto/aes.h>
+ #include <crypto/des.h>
+ #include <crypto/ghash.h>