This commit addresses a crash that occurs when running crypto tasks on
IPQ807x devices explicitly utilizing the NSS cores. The crash was
reproducible in scenarios involving cryptographic operations offloaded
to the NSS cores (e.g., using cryptodev with OpenSSL or running the
crypto test module).
IMPORTANT: This fix should not be misunderstood as a general-purpose
performance boost for all cryptographic workloads. If your goal is to
accelerate AES encryption across the board (e.g., using OpenSSL for
routine file encryption), this approach is **not** practical.
The primary benefit of leveraging the NSS cores for cryptographic operations
is within VPN-oriented use cases, such as OpenVPN or IPsec, where the
offloading to NSS cores can reduce CPU load and improve throughput.
It’s critical to note that this fix will **not** accelerate encryption
for protocols like Wireguard. Wireguard’s design uses ChaCha20-Poly1305
rather than AES, and it cannot easily be offloaded to hardware.
Additionally, Wireguard uses short-lived cryptographic keys that rotate
frequently. This frequent key rotation makes it difficult to interface
with hardware offloading mechanisms, which are typically optimized for
long-lived sessions like those found in IPsec.
Signed-off-by: Sebastian Gottschall <s.gottschall@dd-wrt.com>
Signed-off-by: Sean Khan <datapronix@protonmail.com>
Update to comply with APK's `pkgver` format.
Rather than stick with the same convention as upstream `qca-ssdk` and
`qca-nss-dp` which uses:
```
$(PKG_NAME)-$(PKG_SOURCE_DATE)~$(PKG_SOURCE_VERSION)
```
i.e. `qca-ssdk-2024.06.13~c451136b.tar.zst`
Add in the QSDK version as part of the release since we
have options to build for both 11.4 and 12.5. This makes it easier to
debug build related issues, by knowing exactly which QSDK version is
being built against.
Example:
```
qca-nss-drv-11.4.0.5.2021.06.24~dc14ca2.tar.zst
qca-nss-drv-12.5.2024.04.06~53a0dc1.tar.zst
qca-nss-clients-11.4.0.5.2021.08.17~153998d.tar.zst
qca-nss-clients-12.5.2024.03.05~9a53b18.tar.zst
```
Signed-off-by: Sean Khan <datapronix@protonmail.com>
Because of the way these modules will hook into the kernel certain
applications that use devcrypto will try to offload to it. This just
kernel panics and user confusion.
These modules are broken on IPQ807x and there has been no work upstream
to fix it in over 3 years. Luckily these modules aren't required to get
offloading for over 95% of use cases (mostly just affects
IPSec/OpenVPN).
Rather than removing, I'm disabling these modules from showing up
in default build options when "@BROKEN" isn't explicitly enabled.
Signed-off-by: Sean Khan <datapronix@protonmail.com>
note: qca-nss-crypto, and qca-nss-cfi are non-code change releases, but
align with naming scheme upstream anyways.
Signed-off-by: Sean Khan <datapronix@protonmail.com>
To keep fork as closely synced with upstream, move NSS packages back
into repository. Not sure why they were moved out from my original fork.
* nss-firmware
* qca-nss-crypto
* qca-nss-cfi
Removed the following:
* mhz (already available in packages repo)
* qrtr (unecessary, and has been broken for years)
Also moved packages out of `qca` and back into root directory.
