From 2ffd5034a6f62bb000d4da495b60b1856d8bd0f0 Mon Sep 17 00:00:00 2001
From: Sean Khan <datapronix@protonmail.com>
Date: Wed, 30 Apr 2025 03:18:00 -0400
Subject: [PATCH] treewide: mark various qca-nss modules as BROKEN
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Several QCA NSS modules compile successfully but do not
function properly at runtime. This is due to either faulty
implementation or deliberate disabling of certain features in the NSS
firmware by Qualcomm.

Based on extensive testing with NSS firmware 11.4:
- Only 22 out of 64 dynamic interface types succeed in creation.
- All others return NACK, indicating lack of support or broken
  implementation.

Modules affected include DTLS, IPSEC, TLS, CAPWAP, GRE redirect paths,
VXLAN, CLMAP and more.

OpenVPN support is partially enabled on crypto core, but requires patching
userspace OpenVPN to function — outside scope here. Wireguard is preferred
as it already achieves line-rate performance without relying on NSS offload.

Marking these kernel packages as BROKEN to prevent false expectations
and discourage their use, though they're available should Qualcomm
ever release a firmware that supports them. (NOT GOING TO HAPPEN...)

Signed-off-by: Sean Khan <datapronix@protonmail.com>
---
 qca-nss-clients/Makefile | 48 ++++++++++++++++++++++++----------------
 qca-nss-macsec/Makefile  |  9 ++++----
 2 files changed, 34 insertions(+), 23 deletions(-)

diff --git a/qca-nss-clients/Makefile b/qca-nss-clients/Makefile
index b8d5d56..d152b06 100644
--- a/qca-nss-clients/Makefile
+++ b/qca-nss-clients/Makefile
@@ -111,7 +111,8 @@ define KernelPackage/qca-nss-drv-dtlsmgr
   DEPENDS:=@(TARGET_qualcommax_ipq807x||TARGET_qualcommax_ipq60xx) \
 	   +kmod-qca-nss-drv \
 	   +@NSS_DRV_DTLS_ENABLE \
-	   +kmod-qca-nss-cfi-cryptoapi
+	   +kmod-qca-nss-cfi-cryptoapi \
+	   @BROKEN
   FILES:=$(PKG_BUILD_DIR)/dtls/$(DTLSMGR_DIR)/qca-nss-dtlsmgr.ko
 endef
 
@@ -127,7 +128,8 @@ define KernelPackage/qca-nss-drv-tlsmgr
   DEPENDS:=@(TARGET_qualcommax_ipq807x||TARGET_qualcommax_ipq60xx) \
 	   +kmod-qca-nss-drv \
 	   +@NSS_DRV_TLS_ENABLE \
-	   +kmod-qca-nss-cfi-cryptoapi
+	   +kmod-qca-nss-cfi-cryptoapi \
+	   @BROKEN
   FILES:=$(PKG_BUILD_DIR)/tls/qca-nss-tlsmgr.ko
 endef
 
@@ -247,9 +249,9 @@ define KernelPackage/qca-nss-drv-profile
   SECTION:=kernel
   CATEGORY:=Kernel modules
   SUBMENU:=Network Devices
+  TITLE:=Profiler for QCA NSS driver (IPQ806x)
   DEPENDS:=@TARGET_ipq806x \
 	   +kmod-qca-nss-drv
-  TITLE:=Profiler for QCA NSS driver (IPQ806x)
   FILES:=$(PKG_BUILD_DIR)/profiler/qca-nss-profile-drv.ko
 endef
 
@@ -266,7 +268,8 @@ define KernelPackage/qca-nss-drv-ipsecmgr
 	   +kmod-qca-nss-drv \
 	   +@NSS_DRV_IPSEC_ENABLE \
 	   +kmod-qca-nss-cfi-cryptoapi \
-	   +PACKAGE_kmod-qca-nss-drv-l2tpv2:kmod-qca-nss-drv-l2tpv2
+	   +PACKAGE_kmod-qca-nss-drv-l2tpv2:kmod-qca-nss-drv-l2tpv2 \
+	   @BROKEN
   FILES:=$(PKG_BUILD_DIR)/ipsecmgr/$(IPSECMGR_DIR)/qca-nss-ipsecmgr.ko
   AUTOLOAD:=$(call AutoLoad,60,qca-nss-ipsecmgr)
 endef
@@ -284,7 +287,8 @@ define KernelPackage/qca-nss-drv-ipsecmgr-klips
 	   @LINUX_5_4 \
 	   +kmod-qca-nss-drv-ipsecmgr \
 	   +kmod-qca-nss-cfi-cryptoapi \
-	   +PACKAGE_kmod-qca-nss-drv-vxlanmgr:kmod-qca-nss-drv-vxlanmgr
+	   +PACKAGE_kmod-qca-nss-drv-vxlanmgr:kmod-qca-nss-drv-vxlanmgr \
+	   @BROKEN
   FILES:=$(PKG_BUILD_DIR)/ipsecmgr/$(IPSECMGR_DIR)/plugins/klips/qca-nss-ipsec-klips.ko
 endef
 
@@ -301,7 +305,8 @@ define KernelPackage/qca-nss-drv-ipsecmgr-xfrm
 	   +kmod-qca-nss-drv-ipsecmgr \
 	   +kmod-qca-nss-ecm \
 	   +PACKAGE_kmod-qca-nss-drv-vxlanmgr:kmod-qca-nss-drv-vxlanmgr \
-	   +kmod-ipsec
+	   +kmod-ipsec \
+	   @BROKEN
   FILES:=$(PKG_BUILD_DIR)/ipsecmgr/$(IPSECMGR_DIR)/plugins/xfrm/qca-nss-ipsec-xfrm.ko
 endef
 
@@ -313,11 +318,12 @@ define KernelPackage/qca-nss-drv-capwapmgr
   SECTION:=kernel
   CATEGORY:=Kernel modules
   SUBMENU:=Network Devices
+  TITLE:=NSS CAPWAP manager for QCA NSS
   DEPENDS:=@(TARGET_qualcommax_ipq807x||TARGET_qualcommax_ipq60xx) \
 	   +kmod-qca-nss-drv \
 	   +kmod-qca-nss-drv-dtlsmgr \
-	   +@NSS_DRV_TRUSTSEC_ENABLE
-  TITLE:=NSS CAPWAP manager for QCA NSS
+	   +@NSS_DRV_TRUSTSEC_ENABLE \
+	   @BROKEN
   FILES:=$(PKG_BUILD_DIR)/capwapmgr/qca-nss-capwapmgr.ko
 endef
 
@@ -422,6 +428,7 @@ define KernelPackage/qca-nss-drv-netlink
   SECTION:=kernel
   CATEGORY:=Kernel modules
   SUBMENU:=Network Devices
+  TITLE:=NSS NETLINK manager for QCA NSS driver
   DEPENDS:=@TARGET_qualcommax \
 	   +kmod-qca-nss-drv \
 	   +@NSS_DRV_IPV6_ENABLE \
@@ -445,7 +452,6 @@ define KernelPackage/qca-nss-drv-netlink
 	   +PACKAGE_kmod-qca-nss-drv-tunipip6:kmod-qca-nss-drv-tunipip6 \
 	   +PACKAGE_kmod-qca-nss-drv-vxlanmgr:kmod-qca-nss-drv-vxlanmgr \
 	   +@(PACKAGE_kmod-qca-nss-drv-gre):NSS_DRV_GRE_REDIR_ENABLE
-  TITLE:=NSS NETLINK manager for QCA NSS driver
   FILES:=$(PKG_BUILD_DIR)/netlink/qca-nss-netlink.ko
 endef
 
@@ -463,7 +469,8 @@ define KernelPackage/qca-nss-drv-ovpn-mgr
 	   +@NSS_DRV_QVPN_ENABLE \
 	   +kmod-qca-nss-cfi-cryptoapi \
 	   +kmod-ipt-conntrack \
-	   +kmod-tun
+	   +kmod-tun \
+	   @BROKEN
   FILES:=$(PKG_BUILD_DIR)/openvpn/src/qca-nss-ovpn-mgr.ko
 endef
 
@@ -478,7 +485,8 @@ define KernelPackage/qca-nss-drv-ovpn-link
   TITLE:=Kernel driver for interfacing NSS OpenVPN manager with ECM
   DEPENDS:=@(TARGET_qualcommax_ipq807x||TARGET_qualcommax_ipq60xx) \
 	   +kmod-qca-nss-drv-ovpn-mgr \
-	   +kmod-qca-nss-ecm
+	   +kmod-qca-nss-ecm \
+	   @BROKEN
   FILES:=$(PKG_BUILD_DIR)/openvpn/plugins/qca-nss-ovpn-link.ko
 endef
 
@@ -490,11 +498,12 @@ define KernelPackage/qca-nss-drv-pvxlanmgr
   SECTION:=kernel
   CATEGORY:=Kernel modules
   SUBMENU:=Network Devices
+  TITLE:=NSS connection manager for PVxLANs
   DEPENDS:=@TARGET_qualcommax \
 	   +kmod-qca-nss-drv \
 	   +@NSS_DRV_PVXLAN_ENABLE \
-	   +kmod-vxlan
-  TITLE:=NSS connection manager for PVxLANs
+	   +kmod-vxlan \
+	   @BROKEN
   FILES:=$(PKG_BUILD_DIR)/pvxlanmgr/qca-nss-pvxlanmgr.ko
 endef
 
@@ -506,10 +515,10 @@ define KernelPackage/qca-nss-drv-eogremgr
   SECTION:=kernel
   CATEGORY:=Kernel modules
   SUBMENU:=Network Devices
+  TITLE:=NSS EOGRE manager for QCA NSS driver
   DEPENDS:=@TARGET_qualcommax \
 	   +kmod-qca-nss-drv \
 	   +kmod-qca-nss-drv-gre
-  TITLE:=NSS EOGRE manager for QCA NSS driver
   FILES:=$(PKG_BUILD_DIR)/eogremgr/qca-nss-eogremgr.ko
 endef
 
@@ -521,11 +530,12 @@ define KernelPackage/qca-nss-drv-clmapmgr
   SECTION:=kernel
   CATEGORY:=Kernel modules
   SUBMENU:=Network Devices
+  TITLE:=NSS clmap manager for QCA NSS driver
   DEPENDS:=@TARGET_qualcommax \
 	   +kmod-qca-nss-drv \
 	   +@NSS_DRV_CLMAP_ENABLE \
-	   +kmod-qca-nss-drv-eogremgr
-  TITLE:=NSS clmap manager for QCA NSS driver
+	   +kmod-qca-nss-drv-eogremgr \
+	   @BROKEN
   FILES:=$(PKG_BUILD_DIR)/clmapmgr/qca-nss-clmapmgr.ko
 endef
 
@@ -537,11 +547,11 @@ define KernelPackage/qca-nss-drv-vxlanmgr
   SECTION:=kernel
   CATEGORY:=Kernel modules
   SUBMENU:=Network Devices
+  TITLE:=NSS VxLAN manager for QCA NSS driver
   DEPENDS:=@TARGET_qualcommax \
 	   +kmod-qca-nss-drv \
 	   +@NSS_DRV_VXLAN_ENABLE \
 	   +kmod-vxlan
-  TITLE:=NSS VxLAN manager for QCA NSS driver
   FILES:=$(PKG_BUILD_DIR)/vxlanmgr/qca-nss-vxlanmgr.ko
   AUTOLOAD:=$(call AutoLoad,51,qca-nss-vxlanmgr)
 endef
@@ -554,11 +564,11 @@ define KernelPackage/qca-nss-drv-match
  SECTION:=kernel
  CATEGORY:=Kernel modules
  SUBMENU:=Network Devices
+ TITLE:=NSS Match for QCA NSS driver
  DEPENDS:=@TARGET_qualcommax \
 	   +kmod-qca-nss-drv \
 	   +@NSS_DRV_MATCH_ENABLE \
 	   +@NSS_DRV_WIFIOFFLOAD_ENABLE
- TITLE:=NSS Match for QCA NSS driver
  FILES:=$(PKG_BUILD_DIR)/match/qca-nss-match.ko
 endef
 
@@ -600,10 +610,10 @@ define KernelPackage/qca-nss-drv-wifi-meshmgr
   SECTION:=kernel
   CATEGORY:=Kernel modules
   SUBMENU:=Network Devices
+  TITLE:=NSS WiFi-Mesh manager for QCA NSS driver
   DEPENDS:=@TARGET_qualcommax \
 	   +kmod-qca-nss-drv \
 	   +@NSS_DRV_WIFI_MESH_ENABLE
-  TITLE:=NSS WiFi-Mesh manager for QCA NSS driver
   FILES:=$(PKG_BUILD_DIR)/wifi_meshmgr/qca-nss-wifi-meshmgr.ko
   AUTOLOAD:=$(call AutoLoad,51,qca-nss-wifi-meshmgr)
 endef
diff --git a/qca-nss-macsec/Makefile b/qca-nss-macsec/Makefile
index c3deca3..a08143b 100644
--- a/qca-nss-macsec/Makefile
+++ b/qca-nss-macsec/Makefile
@@ -20,8 +20,9 @@ define KernelPackage/qca-nss-macsec
   SECTION:=kernel
   CATEGORY:=Kernel modules
   SUBMENU:=Network Devices
-  DEPENDS:=@(TARGET_qualcommax||TARGET_ipq60xx) \
-  				 +libc
+  DEPENDS:=@(TARGET_qualcommax_ipq807x||TARGET_ipq60xx) \
+  				 +libc \
+  				 @BROKEN
   TITLE:=Kernel driver for NSS macsec
   FILES:=$(PKG_BUILD_DIR)/qca-nss-macsec.ko
   AUTOLOAD:=$(call AutoLoad,52,qca-nss-macsec)
@@ -35,8 +36,8 @@ QCA_NSS_MACSEC_CONFIG_OPTS+= TOOL_PATH=$(TOOLCHAIN_DIR)/bin/ \
                 SYS_PATH=$(LINUX_DIR) \
                 TOOLPREFIX=$(TARGET_CROSS) \
                 KVER=$(LINUX_VERSION) \
-		CFLAGS="$(TARGET_CFLAGS)" \
-		LDFLAGS="$(TARGET_LDFLAGS)" \
+                CFLAGS="$(TARGET_CFLAGS)" \
+                LDFLAGS="$(TARGET_LDFLAGS)" \
                 ARCH=$(LINUX_KARCH)
 
 define Build/InstallDev