[Openswan Users] Netkey + Openswan + OCF && H/W accelerators drivers == kernel crash/panic

David McCullough david_mccullough at mcafee.com
Tue Oct 11 23:51:08 EDT 2011


Jivin satpal parmar lays it down ...
> Hi David
> 
> Thanks for your prompt response. Below are few details that you may be helpful in solving my crash issue. 
> 
> 1. I am using TI's AM3872 chip based SoC (for some reason TI do not map this device into any of their OMAP2/OMAP3 classification ). You can find few more details about thier OCF driver in following <http://processors.wiki.ti.com/index.php/Installing_AM389x_C6A816x_DM816x_Crypto_Support>  wiki page. 

I'll have to check there code and see if I can include their driver into OCF
releases ;-)

tcrypt looks something like ocfbench or more options.

Have you tried loading their tcrypt driver or loading the ocfbench driver ?

> 2. Ping is first thing I am doing after boot up. So no load on CPU of any
> kind. Ping works fine without OCF (and cryptosoft, cryptodev) and H/W driver.
> In fact I am able to ping with OCF + cryptosoft (see log below). Only when I
> enable H/W accelerator support ping is crashing.  So one may conclude driver
> is the culprit.

That would be my conclusion :-)

> But I am able to do standalone testing of H/W accelerators using drivers,
> cryptodev  and cryptotest as mentioned in wiki entry. So my doubt is if the
> interface for ipsec stack (NETKEY in my case) is consistent with h/w
> driver I am using.

The driver you are using is a linux cryptoAPI HW driver.  It does not need
OCF,  though OCF can help you to use it.

cryptosoft will use these drivers and should be the best way to accelerate
openswan using those drivers at this point.

So you need ocf+cryptosoft loaded.

> I am not very confident of my understanding of ipsec
> (netkey) + OCF + h/w driver intersection and interfaces. 

You should be able to use netkey with these drivers.  Thats means you do not
need to use klips for your ipsec stack unless there is functionality you
want from klips that netkey does not provide.

If you are happy with netkey as your stack,  then you can jus tignore using
OCF and move on.  Check the performance and see if it seems HW accelerated.
You can compare by turning the following on/off:

	<*>   Support for Netra AES hw engine (NEW)
	<*>   Support for Netra DES hw engine (NEW)
	<*>   Support for Netra SHA/MD5 hw engine (NEW

If you are not happy with netkey or the performance,  compile and install
OCF and cryptosoft and try again.

If you are getting crashes it may be due to the openswan/ocf processing.
Try changing the following parameters for openswan+ocf before running the
ping:
	
	echo 0 > /sys/modules/ipsec/paramaters/ipsec_ocf_batch
	echo 0 > /sys/modules/ipsec/paramaters/ipsec_ocf_cbimm

That should make it a little less likely to crash (assuming the usual cause
of driver issues being locking/reentrancy :-)

> 3. I am not sure if I correctly understand what you mean when you said I am using OCF or not. I think I am using it correctly as mention in TI wiki entry. Here is snippet from my config file and log from board 
> Hope above information will be useful. Apart from this I have few queries :

Seems you are using it.  Seems the crash is related to cryptosofts use of
your cryptoAPI driver.

[...]
> 
> a) When I am not using OCF and H/W accelerator which (s/w)crypto library is used by ipsec for encryption ?
> 
> b) When we have support of both cryptosoft (software emulation of H/W accelerators)  and H/W accelerators (drivers ) how IPsec choose which one to use? Is it a good practice? Do we have any reason to do that?
> 
> c) Do I need cryptosoft or cryptodev when I am using h/w acclerators? AFAIU I do not need cryptosoft (why use s/w emulation when i have h/w !). But not sure about cryptodev if it is used by OCF  to provide interface to IPsec stack. 


Because your crypto driver is a linux native cryptoAPI driver,  if you want
to use openswan+OCF (and not netkey) then you will have to use cryptosoft.


> d) I did't get your 'There is no cryptoAPI-->OCF driver,  only the OCF-->cryptoAPI driver (cryptosoft).' point. Can you elaborate more on it please. 


cryptosoft os a translation driver.  It translates from the OCF driver API
to the cryptoAPI interface.  This allows OCF to use the kernels native
cryptoAPI drivers, but not the reverse.

So netkey cannot use OCF,  but,  OCF can use cryptoAPI (even while netkey is
using cryptoAPI),  Confused,  I don't blame you :-)


> At last apologies for my late response I was on leave as its festival
> season here. Will be prompt in my response in future.

No problems,.

Cheers,
Davidm


> On Thu, Oct 6, 2011 at 10:48 AM, David McCullough <david_mccullough at mcafee.com> wrote:
> 
> 
> 
> 	Jivin Paul Wouters lays it down ...
> 	
> 	> On Wed, 5 Oct 2011, satpal parmar wrote:
> 	>
> 	
> 	> > First let??me thank Paul. Only??because??of ??prompt??responses to all my queries I was able to??achieve??my ??milestone of run??Openswan (2.6.33) on my ARM Soc running
> 	
> 	> > linux 2..6.37 (netkey).
> 	>
> 	> Feel free to do a write up on the wiki at http://gsoc.xelerance.com/ :)
> 	>
> 	
> 	> > After going through mailing lists and google reading ??I came up I with??following??queries:??
> 	> >
> 	> > 1. Whats best way to go solving problem of????add H/W accelerator support for Openswan? No much on??Goggling??on this.
> 	
> 	>
> 	> I'd say OCF is the way to go, especially if OCF has support for that vendor.
> 	
> 	
> 	Yep,  if they have provided an OCF driver thats the easiest place to start.
> 	
> 	> > 2. Should I use OCF or CryptoAPI? From what I read??Linux??native??crypto??api do not support H/W accelerators. Do I really need any of these? Whats NSS good for?
> 	
> 	> > I know last question is naive!
> 	>
> 	> If you built in support for both OCF and CryptoAPI, then KLIPS will first try to use OCF and if no hardware is found, use cryptoapi
> 	>
> 	
> 	> > 3. Is NETKEY??compatible??with OCF? ??If Yes, do I need to recompile my openswan with OCF support? If no as this link says, what my best next option? KLIPs?
> 	
> 	>
> 	> Yes, you can use OCF with NETKEY using the "cryptosoft" driver
> 	
> 	
> 	Ok,  just to be sure you don't mis-interpret that:
> 	
> 	1. You cannot accelerate NETKEY with OCF.  NETKEY uses cryptoAPI.  There is
> 	  no cryptoAPI-->OCF driver,  only the OCF-->cryptoAPI driver (cryptosoft).
> 	
> 	2. You can use the kernels cryptoAPI drivers (SW and HW) with OCF by using
> 	  the OCF cryptosoft driver.  This allows OCF and NETkey to use the same
> 	  crypto drivers (available in newish kernels).
> 	
> 	
> 	
> 	> > 4. Should openswan (2.6.33) ??+ linux kernel 2.6.37 (netwkey ??and OCF support enabled) ??| H/W drivers from vendors combo work ? Anything missing or any mismatch
> 	
> 	> > for H?W accelerator support.
> 	>
> 	> It should work, but a lot depend on the vendor, and if they supply non-free code then it might be a little outdated.
> 	>
> 	
> 	> > 5. What Flags/compiler option/??libraries I MAY need to enable to make??things??work fine.????
> 	
> 	>
> 	> For kernel OCF mode, you need no special flags/options. Just make the OCF modules for your kernel.
> 	> For KLIPS you need to enable CONFIG_KLIPS_OCF.
> 	> For userland OCF (eg for IKE), you need openssl installed and enable HAVE_OCF=true
> 	>
> 	> I don't see anything that seems to relate to OCF or KLIPS or NETKEY in the below crash.
> 	> Perhaps David can shed more light on that.
> 	
> 	
> 	Hmm,  other than the fact that it seems to be DMA related,  and any OCF
> 	driver worth having will be using DMA.
> 	
> 	It might be useful to know your platform,  what crypto driver (the vendor
> 	OCF driver) you are using.
> 	
> 	What sort of load are you running when this fails.  Are you even using OCF ?
> 	If you unload the vendor OCF driver and just use cryptosoft to do crypto do
> 	you get the crash ?
> 	
> 	Cheers,
> 	Davidm
> 	
> 
> 	> > root at R3BTS-CP-PFS1.0# ping 192.168.11.45
> 	> > PING 192.168.11.Unable to handle kernel paging request at virtual address 70207000
> 	> > 45 (192.168.11.4pgd = ef8e4000
> 	> > 5): 56 data byte[70207000] *pgd=00000000s
> 	> >
> 	> > Internal error: Oops: 805 [#1]
> 	> > last sysfs file: /sys/devices/virtual/dmb_gpio/dmb_gpio1/dev
> 	> > Modules linked in:
> 	
> 	> > CPU: 0 ?? ??Not tainted ??(2.6.37-svn3005 #11)
> 	
> 	> > PC is at v7_dma_clean_range+0x1c/0x34
> 	> > LR is at dma_cache_maint_page+0x34/0x3c
> 	
> 	> > pc : [<c00446cc>] ?? ??lr : [<c0041854>] ?? ??psr: 00000113
> 	> > sp : ee8ffea0 ??ip : c0444000 ??fp : ee8ffeac
> 	> > r10: 00000001 ??r9 : efa480d8 ??r8 : 00000000
> 	> > r7 : 00000000 ??r6 : 00000001 ??r5 : efa480d8 ??r4 : efa480e8
> 	> > r3 : 0000003f ??r2 : 00000040 ??r1 : 70207000 ??r0 : 70207000
> 	> > Flags: nzcv ??IRQs on ??FIQs on ??Mode SVC_32 ??ISA ARM ??Segment user
> 	> > Control: 10c5387d ??Table: af8e4019 ??DAC: 00000015
> 	
> 	> > Process ping (pid: 657, stack limit = 0xee8fe2e8)
> 	> > Stack: (0xee8ffea0 to 0xee900000)
> 	> > fea0: ee8ffec4 ee8ffeb0 c004187c c004182c c0044718 efa48080 ee8ffef4 ee8ffec8
> 	> > fec0: c0041b34 c0041868 00000001 00000000 efa4818c eea8cc80 efa4814c 00000006
> 	> > fee0: 00000009 c042fcc0 ee8fff14 ee8ffef8 c0223788 c0041aec efa4818c eea8cc80
> 	> > ff00: 00000001 efa4814c ee8fff34 ee8fff18 c0223fe0 c02236dc 00000000 00000100
> 	> > ff20: 00000018 00000001 ee8fff4c ee8fff38 c005ee58 c0223f24 ee8fe000 00000100
> 	> > ff40: ee8fff84 ee8fff50 c005f44c c005edf4 ee8fff6c ee8fff60 c00489dc 00000074
> 	> > ff60: 00000000 0000000e 0002e9ec 00000000 ee8fe000 001ecc60 ee8fff94 ee8fff88
> 	> > ff80: c005f51c c005f3d8 ee8fffac ee8fff98 c0031080 c005f4e0 ffffffff fa200000
> 	> > ffa0: 00000000 ee8fffb0 c02f27bc c003100c 0000000e 0002e9ec 00000000 00000000
> 	> > ffc0: 00000040 00000001 0000000e 0002e9ec 00000000 bec6ce64 001ecc60 bec6ce64
> 	> > ffe0: 0002e9ec bec6ca40 0002e914 000ed420 80000010 ffffffff 92e25cdc 09e80cd2
> 	
> 	> > Backtrace:??
> 	
> 	> > [<c0041820>] (dma_cache_maint_page+0x0/0x3c) from [<c004187c>] (___dma_page_cpu_to_dev+0x20/0x2c)
> 	> > [<c004185c>] (___dma_page_cpu_to_dev+0x0/0x2c) from [<c0041b34>] (dma_map_sg+0x54/0xf4)
> 	> > [<c0041ae0>] (dma_map_sg+0x0/0xf4) from [<c0223788>] (nss_sham_update_cdma_start+0xb8/0x120)
> 	> > [<c02236d0>] (nss_sham_update_cdma_start+0x0/0x120) from [<c0223fe0>] (nss_sham_done_task+0xc8/0x108)
> 	
> 	> > ??r7:efa4814c r6:00000001 r5:eea8cc80 r4:efa4818c
> 	
> 	> > [<c0223f18>] (nss_sham_done_task+0x0/0x108) from [<c005ee58>] (tasklet_action+0x70/0xc0)
> 	
> 	> > ??r7:00000001 r6:00000018 r5:00000100 r4:00000000
> 	
> 	> > [<c005ede8>] (tasklet_action+0x0/0xc0) from [<c005f44c>] (__do_softirq+0x80/0x108)
> 	
> 	> > ??r5:00000100 r4:ee8fe000
> 	
> 	> > [<c005f3cc>] (__do_softirq+0x0/0x108) from [<c005f51c>] (irq_exit+0x48/0x94)
> 	> > [<c005f4d4>] (irq_exit+0x0/0x94) from [<c0031080>] (asm_do_IRQ+0x80/0xa0)
> 	> > [<c0031000>] (asm_do_IRQ+0x0/0xa0) from [<c02f27bc>] (__irq_usr+0x3c/0xa0)
> 	> > Exception stack(0xee8fffb0 to 0xee8ffff8)
> 	
> 	> > ffa0: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 0000000e 0002e9ec 00000000 00000000
> 	
> 	> > ffc0: 00000040 00000001 0000000e 0002e9ec 00000000 bec6ce64 001ecc60 bec6ce64
> 	> > ffe0: 0002e9ec bec6ca40 0002e914 000ed420 80000010 ffffffff
> 	
> 	> > ??r5:fa200000 r4:ffffffff
> 	> > Code: e3a02004 e1a02312 e2423001 e1c00003 (ee070f3a)??
> 	
> 	> > ---[ end trace 70e1f34cfd579ce9 ]---
> 	> > Kernel panic - not syncing: Fatal exception in interrupt
> 	
> 	> > Backtrace:??
> 	
> 	> > [<c003fb44>] (dump_backtrace+0x0/0x110) from [<c02f0564>] (dump_stack+0x18/0x1c)
> 	
> 	> > ??r7:c00446d0 r6:ee8ffce7 r5:c00446ce r4:c040f390
> 	
> 	> > [<c02f054c>] (dump_stack+0x0/0x1c) from [<c02f05c8>] (panic+0x60/0x17c)
> 	> > [<c02f0568>] (panic+0x0/0x17c) from [<c003fed8>] (die+0x284/0x2d8)
> 	
> 	> > ??r3:00000100 r2:c0420b42 r1:00000000 r0:c038591e
> 	
> 	> > [<c003fc54>] (die+0x0/0x2d8) from [<c0042384>] (__do_kernel_fault+0x6c/0x8c)
> 	> > [<c0042318>] (__do_kernel_fault+0x0/0x8c) from [<c02f4594>] (do_page_fault+0x1f0/0x20c)
> 	
> 	> > ??r9:00000805 r8:70207000 r7:ee946180 r6:e57178c0 r5:ee8ffe58
> 	
> 	> > r4:c03e4518
> 	> > [<c02f43a4>] (do_page_fault+0x0/0x20c) from [<c02f45d4>] (do_translation_fault+0x24/0xa8)
> 	> > [<c02f45b0>] (do_translation_fault+0x0/0xa8) from [<c00312a4>] (do_DataAbort+0x3c/0x9c)
> 	
> 	> > ??r7:ee8ffe58 r6:00000805 r5:c03e4568 r4:c03e4518
> 	
> 	> > [<c0031268>] (do_DataAbort+0x0/0x9c) from [<c02f256c>] (__dabt_svc+0x4c/0x60)
> 	> > Exception stack(0xee8ffe58 to 0xee8ffea0)
> 	
> 	> > fe40: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 70207000 70207000
> 	
> 	> > fe60: 00000040 0000003f efa480e8 efa480d8 00000001 00000000 00000000 efa480d8
> 	> > fe80: 00000001 ee8ffeac c0444000 ee8ffea0 c0041854 c00446cc 00000113 ffffffff
> 	
> 	> > ??r8:00000000 r7:00000000 r6:00000001 r5:ee8ffe8c r4:ffffffff
> 	
> 	> > [<c0041820>] (dma_cache_maint_page+0x0/0x3c) from [<c004187c>] (___dma_page_cpu_to_dev+0x20/0x2c)
> 	> > [<c004185c>] (___dma_page_cpu_to_dev+0x0/0x2c) from [<c0041b34>] (dma_map_sg+0x54/0xf4)
> 	> > [<c0041ae0>] (dma_map_sg+0x0/0xf4) from [<c0223788>] (nss_sham_update_cdma_start+0xb8/0x120)
> 	> > [<c02236d0>] (nss_sham_update_cdma_start+0x0/0x120) from [<c0223fe0>] (nss_sham_done_task+0xc8/0x108)
> 	
> 	> > ??r7:efa4814c r6:00000001 r5:eea8cc80 r4:efa4818c
> 	
> 	> > [<c0223f18>] (nss_sham_done_task+0x0/0x108) from [<c005ee58>] (tasklet_action+0x70/0xc0)
> 	
> 	> > ??r7:00000001 r6:00000018 r5:00000100 r4:00000000
> 	
> 	> > [<c005ede8>] (tasklet_action+0x0/0xc0) from [<c005f44c>] (__do_softirq+0x80/0x108)
> 	
> 	> > ??r5:00000100 r4:ee8fe000
> 	
> 	> > [<c005f3cc>] (__do_softirq+0x0/0x108) from [<c005f51c>] (irq_exit+0x48/0x94)
> 	> > [<c005f4d4>] (irq_exit+0x0/0x94) from [<c0031080>] (asm_do_IRQ+0x80/0xa0)
> 	> > [<c0031000>] (asm_do_IRQ+0x0/0xa0) from [<c02f27bc>] (__irq_usr+0x3c/0xa0)
> 	> > Exception stack(0xee8fffb0 to 0xee8ffff8)
> 	
> 	> > ffa0: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 0000000e 0002e9ec 00000000 00000000
> 	
> 	> > ffc0: 00000040 00000001 0000000e 0002e9ec 00000000 bec6ce64 001ecc60 bec6ce64
> 	> > ffe0: 0002e9ec bec6ca40 0002e914 000ed420 80000010 ffffffff
> 	
> 	> > ??r5:fa200000 r4:ffffffff
> 	> >
> 	> >
> 	> >
> 	> >
> 	> >
> 	>
> 	>
> 	
> 	--
> 	David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
> 	McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
> 	
> 
> 
> 
> 

-- 
David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org


More information about the Users mailing list