Hi David<div><br></div><div>Thanks for your prompt response. Below are a few details that may be helpful in solving my crash issue. </div><div><br></div><div>1. I am using TI's AM3872 chip based SoC (for some reason TI does not map this device into any of their OMAP2/OMAP3 classifications). You can find a few more details about their OCF driver in the <a href="http://processors.wiki.ti.com/index.php/Installing_AM389x_C6A816x_DM816x_Crypto_Support">following</a> wiki page. </div>
<div><br></div><div>2. Ping is the first thing I am doing after boot up, so there is no load on the CPU of any kind. Ping works fine without OCF (and cryptosoft, cryptodev) and the H/W driver. In fact I am able to ping with OCF + cryptosoft (see log below). Only when I enable H/W accelerator support does ping crash. So one may conclude the driver is the culprit. But I am able to do standalone testing of the H/W accelerators using the drivers, cryptodev and cryptotest as mentioned in the wiki entry. So my doubt is whether the interface for the ipsec stack (NETKEY in my case) is consistent with the h/w driver I am using. I am not very confident of my understanding of the ipsec (netkey) + OCF + h/w driver intersection and interfaces. </div>
<div><br></div><div>3. I am not sure if I correctly understand what you meant when you said I am using OCF or not. I think I am using it correctly as mentioned in the TI wiki entry. Here is a snippet from my config file and the log from the board </div>
<div><div><br></div><div># OCF Configuration</div><div>#</div><div>CONFIG_OCF_OCF=m</div><div># CONFIG_OCF_RANDOMHARVEST is not set</div><div>CONFIG_OCF_CRYPTODEV=m</div><div>CONFIG_OCF_CRYPTOSOFT=m</div><div># CONFIG_OCF_SAFE is not set</div>
<div># CONFIG_OCF_IXP4XX is not set</div></div><div><br></div><div><div>oot@R3BTS-CP-PFS1.0# cp /home/ipsec.secrets /etc/</div><div>root@R3BTS-CP-PFS1.0# cd lib/modules/2.6.37-svn3005/kernel/crypto/ocf/</div><div>root@R3BTS-CP-PFS1.0# ls</div>
<div>cryptodev.ko cryptosoft.ko ocf.ko</div><div>root@R3BTS-CP-PFS1.0# insmod ocf.ko </div><div>ocf: module license 'BSD' taints kernel.</div><div>Disabling lock debugging due to kernel taint</div><div>root@R3BTS-CP-PFS1.0# insmod cryptosoft.ko </div>
<div>root@R3BTS-CP-PFS1.0# sh /home/start_ipsec.sh </div><div>ipsec_setup: Stopping Openswan IPsec...</div><div>ipsec_setup: stop ordered, but IPsec appears to be already stopped!</div><div>ipsec_setup: doing cleanup anyway...</div>
<div>ipsec_setup: Starting Openswan IPsec U2.6.33/K2.6.37-svn3005...</div><div>104 "test" #1: STATE_MAIN_I1: initiate</div><div>003 "test" #1: ignoring unknown Vendor ID payload [4f456d406b6753464548407f]</div>
<div>003 "test" #1: received Vendor ID payload [Dead Peer Detection]</div><div>003 "test" #1: received Vendor ID payload [RFC 3947] method set to=109 </div><div>106 "test" #1: STATE_MAIN_I2: sent MI2, expecting MR2</div>
<div>003 "test" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected</div><div>108 "test" #1: STATE_MAIN_I3: sent MI3, expecting MR3</div><div>003 "test" #1: received Vendor ID payload [CAN-IKEv2]</div>
<div>004 "test" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}</div><div>117 "test" #2: STATE_QUICK_I1: initiate</div><div>004 "test" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x3e088f38 <0x444a8a6a xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}</div>
<div>root@R3BTS-CP-PFS1.0# sh /home/start_ipsec.sh </div><div>ipsec_setup: Stopping Openswan IPsec...</div><div>ipsec_setup: Starting Openswan IPsec U2.6.33/K2.6.37-svn3005...</div><div>117 "test" #3: STATE_QUICK_I1: initiate</div>
<div>004 "test" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xb3c2cf68 <0xebc46bcd xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}</div><div>root@R3BTS-CP-PFS1.0# clear</div>
</div><div><br></div><div><div>root@R3BTS-CP-PFS1.0# /etc/init.d/ipsec status <font class="Apple-style-span" color="#CC0000">------------------->IPSEC status</font></div><div>IPsec running - pluto pid: 940</div><div>pluto pid 940</div>
<div>2 tunnels up</div><div>some eroutes exist</div><div>root@R3BTS-CP-PFS1.0# tail -f /var/log/messages &</div><div>root@R3BTS-CP-PFS1.0# Jan 1 00:06:19 (none) authpriv.warn pluto[940]: "test" #2: responding to Quick Mode proposal {msgid:3109c7c4}</div>
<div>Jan 1 00:06:19 (none) authpriv.warn pluto[940]: "test" #2: us: 10.100.207.232<10.100.207.232>[+S=C]</div><div>Jan 1 00:06:19 (none) authpriv.warn pluto[940]: "test" #2: them: 192.168.11.45<192.168.11.45>[+S=C]</div>
<div>Jan 1 00:06:19 (none) authpriv.warn pluto[940]: "test" #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1</div><div>Jan 1 00:06:19 (none) authpriv.warn pluto[940]: "test" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2</div>
<div>Jan 1 00:06:19 (none) authpriv.warn pluto[940]: "test" #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2</div><div>Jan 1 00:06:19 (none) authpriv.warn pluto[940]: "test" #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x1e7828f1 <0xc482ffbd xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}</div>
<div>Jan 1 00:06:20 (none) authpriv.warn pluto[940]: "test" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:138cc3de proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}</div>
<div>Jan 1 00:06:20 (none) authpriv.warn pluto[940]: "test" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2</div><div>Jan 1 00:06:20 (none) authpriv.warn pluto[940]: "test" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xb3c2cf68 <0xebc46bcd xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}</div>
</div><div><br></div><div>oot@R3BTS-CP-PFS1.0# lsmod <font class="Apple-style-span" color="#FF0000">------------------->loaded modules</font></div><div>cryptosoft 11387 0 - Live 0xbf00c000</div><div>ocf 16852 1 cryptosoft, Live 0xbf000000 (P)</div>
<div><br></div><div><div>root@R3BTS-CP-PFS1.0# ping 192.168.11.45</div><div>PING 192.168.11.45 (192.168.11.45): 56 data bytes</div><div>64 bytes from 192.168.11.45: seq=0 ttl=64 time=0.967 ms</div>
<div>64 bytes from 192.168.11.45: seq=1 ttl=64 time=0.697 ms</div><div>64 bytes from 192.168.11.45: seq=2 ttl=64 time=0.664 ms</div><div>64 bytes from 192.168.11.45: seq=3 ttl=64 time=0.652 ms</div>
</div><div><br></div><div>I hope the above information will be useful. Apart from this I have a few queries:</div><div><br></div><div>a) When I am not using OCF and the H/W accelerator, which (s/w) crypto library is used by ipsec for encryption?</div>
<div><br></div><div>b) When we have support for both cryptosoft (software emulation of H/W accelerators) and H/W accelerators (drivers), how does IPsec choose which one to use? Is it a good practice? Do we have any reason to do that?</div>
<div><br></div><div>c) Do I need cryptosoft or cryptodev when I am using h/w accelerators? AFAIU I do not need cryptosoft (why use s/w emulation when I have h/w!). But I am not sure about cryptodev, if it is used by OCF to provide an interface to the IPsec stack. </div>
<div><br></div><div>d) I didn't get your 'There is no cryptoAPI-->OCF driver, only the OCF-->cryptoAPI driver (cryptosoft).' point. Can you elaborate more on it please. </div><div><br></div><div>Lastly, apologies for my late response; I was on leave as it's festival season here. I will be prompt in my responses in future.</div>
<div><br></div><div><br></div><div>@Paul.</div><div><br></div><div>Thanks for adding David into this loop! </div><div><br></div><div><br></div><div>-SP</div><div><br></div><div><br><div class="gmail_quote">On Thu, Oct 6, 2011 at 10:48 AM, David McCullough <span dir="ltr"><<a href="mailto:david_mccullough@mcafee.com">david_mccullough@mcafee.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><br>
Jivin Paul Wouters lays it down ...<br>
<div class="im">> On Wed, 5 Oct 2011, satpal parmar wrote:<br>
><br>
</div>> > First let me thank Paul. Only because of prompt responses to all my queries I was able to achieve my milestone of running Openswan (2.6.33) on my ARM SoC running<br>
<div class="im">> > linux 2.6.37 (netkey).<br>
><br>
> Feel free to do a write up on the wiki at <a href="http://gsoc.xelerance.com/" target="_blank">http://gsoc.xelerance.com/</a> :)<br>
><br>
</div>> > After going through mailing lists and Google reading I came up with the following queries:<br>
> ><br>
> > 1. What's the best way to go about solving the problem of adding H/W accelerator support for Openswan? Not much on Googling on this.<br>
<div class="im">><br>
> I'd say OCF is the way to go, especially if OCF has support for that vendor.<br>
<br>
</div>Yep, if they have provided an OCF driver that's the easiest place to start.<br>
<br>
> > 2. Should I use OCF or CryptoAPI? From what I read Linux native crypto api does not support H/W accelerators. Do I really need any of these? What's NSS good for?<br>
<div class="im">> > I know last question is naive!<br>
><br>
> If you built in support for both OCF and CryptoAPI, then KLIPS will first try to use OCF and if no hardware is found, use cryptoapi<br>
><br>
</div>> > 3. Is NETKEY compatible with OCF? If yes, do I need to recompile my openswan with OCF support? If no, as this link says, what is my best next option? KLIPS?<br>
<div class="im">><br>
> Yes, you can use OCF with NETKEY using the "cryptosoft" driver<br>
<br>
</div>Ok, just to be sure you don't mis-interpret that:<br>
<br>
1. You cannot accelerate NETKEY with OCF. NETKEY uses cryptoAPI. There is<br>
no cryptoAPI-->OCF driver, only the OCF-->cryptoAPI driver (cryptosoft).<br>
<br>
2. You can use the kernel's cryptoAPI drivers (SW and HW) with OCF by using<br>
the OCF cryptosoft driver. This allows OCF and NETKEY to use the same<br>
crypto drivers (available in newish kernels).<br>
<br>
<br>
<br>
> > 4. Should openswan (2.6.33) + linux kernel 2.6.37 (netkey and OCF support enabled) | H/W drivers from vendors combo work? Anything missing or any mismatch<br>
<div class="im">> > for H/W accelerator support.<br>
><br>
> It should work, but a lot depends on the vendor, and if they supply non-free code then it might be a little outdated.<br>
><br>
</div>> > 5. What flags/compiler options/libraries I MAY need to enable to make things work fine.<br>
<div class="im">><br>
> For kernel OCF mode, you need no special flags/options. Just make the OCF modules for your kernel.<br>
> For KLIPS you need to enable CONFIG_KLIPS_OCF.<br>
> For userland OCF (eg for IKE), you need openssl installed and enable HAVE_OCF=true<br>
><br>
> I don't see anything that seems to relate to OCF or KLIPS or NETKEY in the below crash.<br>
> Perhaps David can shed more light on that.<br>
<br>
</div>Hmm, other than the fact that it seems to be DMA related, and any OCF<br>
driver worth having will be using DMA.<br>
<br>
It might be useful to know your platform, what crypto driver (the vendor<br>
OCF driver) you are using.<br>
<br>
What sort of load are you running when this fails. Are you even using OCF ?<br>
If you unload the vendor OCF driver and just use cryptosoft to do crypto do<br>
you get the crash ?<br>
<br>
Cheers,<br>
Davidm<br>
<div class="im"><br>
> > root@R3BTS-CP-PFS1.0# ping 192.168.11.45<br>
> > PING 192.168.11.Unable to handle kernel paging request at virtual address 70207000<br>
> > 45 (192.168.11.4pgd = ef8e4000<br>
> > 5): 56 data byte[70207000] *pgd=00000000s<br>
> ><br>
> > Internal error: Oops: 805 [#1]<br>
> > last sysfs file: /sys/devices/virtual/dmb_gpio/dmb_gpio1/dev<br>
> > Modules linked in:<br>
</div>> > CPU: 0    Not tainted  (2.6.37-svn3005 #11)<br>
<div class="im">> > PC is at v7_dma_clean_range+0x1c/0x34<br>
> > LR is at dma_cache_maint_page+0x34/0x3c<br>
</div>> > pc : [<c00446cc>]    lr : [<c0041854>]    psr: 00000113<br>
> > sp : ee8ffea0  ip : c0444000  fp : ee8ffeac<br>
> > r10: 00000001  r9 : efa480d8  r8 : 00000000<br>
> > r7 : 00000000  r6 : 00000001  r5 : efa480d8  r4 : efa480e8<br>
> > r3 : 0000003f  r2 : 00000040  r1 : 70207000  r0 : 70207000<br>
> > Flags: nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user<br>
> > Control: 10c5387d  Table: af8e4019  DAC: 00000015<br>
<div class="im">> > Process ping (pid: 657, stack limit = 0xee8fe2e8)<br>
> > Stack: (0xee8ffea0 to 0xee900000)<br>
</div>> > Backtrace:<br>
<div class="im">> > [<c0041820>] (dma_cache_maint_page+0x0/0x3c) from [<c004187c>] (___dma_page_cpu_to_dev+0x20/0x2c)<br>
> > [<c004185c>] (___dma_page_cpu_to_dev+0x0/0x2c) from [<c0041b34>] (dma_map_sg+0x54/0xf4)<br>
> > [<c0041ae0>] (dma_map_sg+0x0/0xf4) from [<c0223788>] (nss_sham_update_cdma_start+0xb8/0x120)<br>
> > [<c02236d0>] (nss_sham_update_cdma_start+0x0/0x120) from [<c0223fe0>] (nss_sham_done_task+0xc8/0x108)<br>
</div>> >  r7:efa4814c r6:00000001 r5:eea8cc80 r4:efa4818c<br>
<div class="im">> > [<c0223f18>] (nss_sham_done_task+0x0/0x108) from [<c005ee58>] (tasklet_action+0x70/0xc0)<br>
</div>> >  r7:00000001 r6:00000018 r5:00000100 r4:00000000<br>
<div class="im">> > [<c005ede8>] (tasklet_action+0x0/0xc0) from [<c005f44c>] (__do_softirq+0x80/0x108)<br>
</div>> >  r5:00000100 r4:ee8fe000<br>
<div class="im">> > [<c005f3cc>] (__do_softirq+0x0/0x108) from [<c005f51c>] (irq_exit+0x48/0x94)<br>
> > [<c005f4d4>] (irq_exit+0x0/0x94) from [<c0031080>] (asm_do_IRQ+0x80/0xa0)<br>
> > [<c0031000>] (asm_do_IRQ+0x0/0xa0) from [<c02f27bc>] (__irq_usr+0x3c/0xa0)<br>
> > Exception stack(0xee8fffb0 to 0xee8ffff8)<br>
</div>> > ffa0:                                     0000000e 0002e9ec 00000000 00000000<br>
<div class="im">> > ffc0: 00000040 00000001 0000000e 0002e9ec 00000000 bec6ce64 001ecc60 bec6ce64<br>
> > ffe0: 0002e9ec bec6ca40 0002e914 000ed420 80000010 ffffffff<br>
</div>> >  r5:fa200000 r4:ffffffff<br>
> > Code: e3a02004 e1a02312 e2423001 e1c00003 (ee070f3a)<br>
<div class="im">> > ---[ end trace 70e1f34cfd579ce9 ]---<br>
> > Kernel panic - not syncing: Fatal exception in interrupt<br>
</div>> > Backtrace:<br>
<div class="im">> > [<c003fb44>] (dump_backtrace+0x0/0x110) from [<c02f0564>] (dump_stack+0x18/0x1c)<br>
</div>> >  r7:c00446d0 r6:ee8ffce7 r5:c00446ce r4:c040f390<br>
<div class="im">> > [<c02f054c>] (dump_stack+0x0/0x1c) from [<c02f05c8>] (panic+0x60/0x17c)<br>
> > [<c02f0568>] (panic+0x0/0x17c) from [<c003fed8>] (die+0x284/0x2d8)<br>
</div>> >  r3:00000100 r2:c0420b42 r1:00000000 r0:c038591e<br>
<div class="im">> > [<c003fc54>] (die+0x0/0x2d8) from [<c0042384>] (__do_kernel_fault+0x6c/0x8c)<br>
> > [<c0042318>] (__do_kernel_fault+0x0/0x8c) from [<c02f4594>] (do_page_fault+0x1f0/0x20c)<br>
</div>> >  r9:00000805 r8:70207000 r7:ee946180 r6:e57178c0 r5:ee8ffe58<br>
<div class="im">> > r4:c03e4518<br>
> > [<c02f43a4>] (do_page_fault+0x0/0x20c) from [<c02f45d4>] (do_translation_fault+0x24/0xa8)<br>
> > [<c02f45b0>] (do_translation_fault+0x0/0xa8) from [<c00312a4>] (do_DataAbort+0x3c/0x9c)<br>
</div>> >  r7:ee8ffe58 r6:00000805 r5:c03e4568 r4:c03e4518<br>
<div class="im">> > [<c0031268>] (do_DataAbort+0x0/0x9c) from [<c02f256c>] (__dabt_svc+0x4c/0x60)<br>
> > Exception stack(0xee8ffe58 to 0xee8ffea0)<br>
</div>> > fe40:                                                       70207000 70207000<br>
<div class="im">> > fe60: 00000040 0000003f efa480e8 efa480d8 00000001 00000000 00000000 efa480d8<br>
> > fe80: 00000001 ee8ffeac c0444000 ee8ffea0 c0041854 c00446cc 00000113 ffffffff<br>
</div>> >  r8:00000000 r7:00000000 r6:00000001 r5:ee8ffe8c r4:ffffffff<br>
<div class="im">> > [<c0041820>] (dma_cache_maint_page+0x0/0x3c) from [<c004187c>] (___dma_page_cpu_to_dev+0x20/0x2c)<br>
> > [<c004185c>] (___dma_page_cpu_to_dev+0x0/0x2c) from [<c0041b34>] (dma_map_sg+0x54/0xf4)<br>
> > [<c0041ae0>] (dma_map_sg+0x0/0xf4) from [<c0223788>] (nss_sham_update_cdma_start+0xb8/0x120)<br>
> > [<c02236d0>] (nss_sham_update_cdma_start+0x0/0x120) from [<c0223fe0>] (nss_sham_done_task+0xc8/0x108)<br>
</div>> >  r7:efa4814c r6:00000001 r5:eea8cc80 r4:efa4818c<br>
<div class="im">> > [<c0223f18>] (nss_sham_done_task+0x0/0x108) from [<c005ee58>] (tasklet_action+0x70/0xc0)<br>
</div>> >  r7:00000001 r6:00000018 r5:00000100 r4:00000000<br>
<div class="im">> > [<c005ede8>] (tasklet_action+0x0/0xc0) from [<c005f44c>] (__do_softirq+0x80/0x108)<br>
</div>> >  r5:00000100 r4:ee8fe000<br>
<div class="im">> > [<c005f3cc>] (__do_softirq+0x0/0x108) from [<c005f51c>] (irq_exit+0x48/0x94)<br>
> > [<c005f4d4>] (irq_exit+0x0/0x94) from [<c0031080>] (asm_do_IRQ+0x80/0xa0)<br>
> > [<c0031000>] (asm_do_IRQ+0x0/0xa0) from [<c02f27bc>] (__irq_usr+0x3c/0xa0)<br>
> > Exception stack(0xee8fffb0 to 0xee8ffff8)<br>
</div>> > ffa0:                                     0000000e 0002e9ec 00000000 00000000<br>
<div class="im">> > ffc0: 00000040 00000001 0000000e 0002e9ec 00000000 bec6ce64 001ecc60 bec6ce64<br>
> > ffe0: 0002e9ec bec6ca40 0002e914 000ed420 80000010 ffffffff<br>
</div>> >  r5:fa200000 r4:ffffffff<br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
><br>
><br>
<font color="#888888"><br>
--<br>
David McCullough, <a href="mailto:david_mccullough@mcafee.com">david_mccullough@mcafee.com</a>, Ph:+61 734352815<br>
McAfee - SnapGear <a href="http://www.mcafee.com" target="_blank">http://www.mcafee.com</a> <a href="http://www.uCdot.org" target="_blank">http://www.uCdot.org</a><br>
</font></blockquote></div><br></div>
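The quoted reply states that NETKEY goes through the kernel cryptoAPI rather than OCF; cryptoAPI resolves an algorithm name to the registered implementation with the highest priority, and the registrations are listed in `/proc/crypto`. The Python below is an added example, not part of the original thread or of any project's code, that ranks those registrations per algorithm; the sample text and the `example-hw-*` driver names are constructed.

```python
import re

# Constructed sample in /proc/crypto layout; the example-hw-* names are made up.
SAMPLE_PROC_CRYPTO = """\
name         : sha1
driver       : sha1-generic
priority     : 0
type         : shash

name         : sha1
driver       : example-hw-sha1
priority     : 300
type         : ahash

name         : cbc(aes)
driver       : cbc(aes-generic)
priority     : 100
type         : blkcipher

name         : cbc(aes)
driver       : example-hw-cbc-aes
priority     : 300
type         : ablkcipher
"""


def parse_proc_crypto(text):
    """Return one dict per algorithm registration block."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "name" in fields and "driver" in fields:
            fields["priority"] = int(fields.get("priority", 0))
            entries.append(fields)
    return entries


def preferred_drivers(entries):
    """Map each algorithm name to its highest-priority driver."""
    best = {}
    for entry in entries:
        current = best.get(entry["name"])
        if current is None or entry["priority"] > current["priority"]:
            best[entry["name"]] = entry
    return {name: entry["driver"] for name, entry in best.items()}


if __name__ == "__main__":
    for name, driver in preferred_drivers(parse_proc_crypto(SAMPLE_PROC_CRYPTO)).items():
        print(f"{name:12} -> {driver}")
```

On a target board, pass the contents of `/proc/crypto` to `parse_proc_crypto` in place of the sample to see which driver a NETKEY SA using `cbc(aes)` and `sha1` would land on.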