[Openswan Users] Netkey + Openswan + OCF && H/W accelerators drivers == kernel crash/panic
satpal parmar
systems.satpal at gmail.com
Thu Oct 13 22:49:06 EDT 2011
On Wed, Oct 12, 2011 at 8:34 PM, David McCullough <
david_mccullough at mcafee.com> wrote:
>
> Jivin satpal parmar lays it down ...
> >
> >
> >
> > On Wed, Oct 12, 2011 at 9:21 AM, David McCullough <
> david_mccullough at mcafee.com> wrote:
> >
> >
> >
> > Jivin satpal parmar lays it down ...
> >
> > > Hi David
> > >
> > > Thanks for your prompt response. Below are few details that you
> may be helpful in solving my crash issue.
> > >
> >
> > > 1. I am using TI's AM3872 chip based SoC (for some reason TI do
> not map this device into any of their OMAP2/OMAP3 classification ). You can
> find few more details about thier OCF driver in following <
> http://processors.wiki.ti.com/index.php/Installing_AM389x_C6A816x_DM816x_Crypto_Support>
> wiki page.
> >
> > I'll have to check there code and see if I can include their driver
> into OCF
> > releases ;-)
> >
> > tcrypt looks something like ocfbench or more options.
> >
> > Have you tried loading their tcrypt driver or loading the ocfbench
> driver ?
> >
> >
> > No yet. Need more understanding and confidence to play with so many
> variables. Dealing with far to many black boxes. Will update you if I decide
> to try.
> >
> >
> > > 2. Ping is first thing I am doing after boot up. So no load on
> CPU of any
> > > kind. Ping works fine without OCF (and cryptosoft, cryptodev) and
> H/W driver.
> > > In fact I am able to ping with OCF + cryptosoft (see log below).
> Only when I
> > > enable H/W accelerator support ping is crashing. So one may
> conclude driver
> > > is the culprit.
> >
> >
> > That would be my conclusion :-)
> >
> >
> > > But I am able to do standalone testing of H/W accelerators using
> drivers,
> > > cryptodev and cryptotest as mentioned in wiki entry. So my doubt
> is if the
> > > interface for ipsec stack (NETKEY in my case) is consistent with
> h/w
> > > driver I am using.
> >
> >
> > The driver you are using is a linux cryptoAPI HW driver.
> >
> > Very interesting observation/conclusion. Becoz my theoretical
> understanding says my driver must be OCF driver as OCF is for best for
> enabling H/W accelerators support for openswan otherwise whats the point of
> using OCF!
>
>
> They are using OCF only for user space acceleration. Still a legitimate
> reason, but not the best one.
>
Right.
>
>
> > It does not need OCF, though OCF can help you to use it.
> >
> >
> > I assume OCF now only be useful if I need userland exposure for
> performance related testing using cryptotest like utility.
>
>
> Yes, if you want openssl (and openssl linked apps) or openswans pluto to
> use the drivers (no point for openswan in my opinion).
>
> > cryptosoft will use these drivers and should be the best way to
> accelerate openswan using those drivers at this point.
> >
> >
> > Now this is little confusing. When we say no OCF it means no cryptosoft
> also right? And what you mean by 'best way to accelerate openswan'
>
> Yes.
>
> If you use klips, OCF is the best way to accelerate it. If you use netkey
> then you do not need OCF at all.
>
Thats what i understand from whole discussion.
>
> > So you need ocf+cryptosoft loaded.
> >
> > I need cryptosoft which need OCF and hence I need both right?
>
> No, I don't hink you "need" OCF at all as you want to use netkey.
>
> > > I am not very confident of my understanding of ipsec
> > > (netkey) + OCF + h/w driver intersection and interfaces.
> >
> >
> > You should be able to use netkey with these drivers. Thats means
> you do not
> > need to use klips for your ipsec stack unless there is
> functionality you
> > want from klips that netkey does not provide.
> >
> > No plans for KLIPS. My kernel is KLIPS virgin.
>
>
> Then you do not need OCF unless you want userspace to use your HW drivers.
>
>
> > If you are happy with netkey as your stack, then you can jus
> tignore using
> > OCF and move on. Check the performance and see if it seems HW
> accelerated.
> > You can compare by turning the following on/off:
> >
> > <*> Support for Netra AES hw engine (NEW)
> > <*> Support for Netra DES hw engine (NEW)
> > <*> Support for Netra SHA/MD5 hw engine (NEW
> >
> > If you are not happy with netkey or the performance, compile and
> install
> > OCF and cryptosoft and try again.
> >
> >
> > WIl try this first thing tmrw.
>
Well I was not very lucky. I tried pinging after removing OCF completely.
Still getting the same crash.
> >
> >
> > If you are getting crashes it may be due to the openswan/ocf
> processing.
>
I do not think openswan (netkey ) /ocf processing is issue. I tried without
OCF. same crash.
Unfortunately I cannot compile out NETKEY and test Openswan. Netkey is the
only variable left now.
> > Try changing the following parameters for openswan+ocf before
> running the
> > ping:
> >
> > echo 0 > /sys/modules/ipsec/paramaters/ipsec_ocf_batch
> > echo 0 > /sys/modules/ipsec/paramaters/ipsec_ocf_cbimm
> >
>
Instead of doing this I completely removed OCF out of loop by compiling it
out. FRom our last discussion we concluded I do not need OCF. So I thought
why add another blackbox.
> > That should make it a little less likely to crash (assuming the
> usual cause
> > of driver issues being locking/reentrancy :-)
> >
> >
> > > 3. I am not sure if I correctly understand what you mean when you
> said I am using OCF or not. I think I am using it correctly as mention in TI
> wiki entry. Here is snippet from my config file and log from board
> >
> > > Hope above information will be useful. Apart from this I have few
> queries :
> >
> >
> > Seems you are using it. Seems the crash is related to cryptosofts
> use of
> > your cryptoAPI driver.
> >
> > [...]
> >
> > >
> > > a) When I am not using OCF and H/W accelerator which (s/w)crypto
> library is used by ipsec for encryption ?
> > >
> > > b) When we have support of both cryptosoft (software emulation of
> H/W accelerators) and H/W accelerators (drivers ) how IPsec choose which
> one to use? Is it a good practice? Do we have any reason to do that?
> > >
> > > c) Do I need cryptosoft or cryptodev when I am using h/w
> acclerators? AFAIU I do not need cryptosoft (why use s/w emulation when i
> have h/w !). But not sure about cryptodev if it is used by OCF to provide
> interface to IPsec stack.
> >
> >
> >
> > Because your crypto driver is a linux native cryptoAPI driver, if
> you want
> > to use openswan+OCF (and not netkey) then you will have to use
> cryptosoft.
> >
> >
> > But I have Netkey. For me in this whole discussion openswan means NETKEY
> +Pluto
> >
> >
> >
> > > d) I did't get your 'There is no cryptoAPI-->OCF driver, only
> the OCF-->cryptoAPI driver (cryptosoft).' point. Can you elaborate more on
> it please.
> >
> >
> >
> > cryptosoft os a translation driver. It translates from the OCF
> driver API
> > to the cryptoAPI interface. This allows OCF to use the kernels
> native
> > cryptoAPI drivers, but not the reverse.
> >
> > So netkey cannot use OCF, but, OCF can use cryptoAPI (even while
> netkey is
> > using cryptoAPI), Confused, I don't blame you :-)
> >
> >
> > Will read these lines couple of more times :)
>
> os == is (you have to watch for typos ;-)
>
>
> Also, I may have confused you earlier, I thought you had an OCF driver
> for
> some reason. I was wrong, its a cryptoAPI driver that you have and it has
> very little to do with OCF really, except that OCF can use it via
> cryptosoft ;-)
>
> So we can conclude our discussion as: H/w accelerator drivers I am using
are based on 2.6 native crypto API. Since this crypto API is designed to be
used with in-kernel IPsec stack Netkey I do not need anything extra to
glue things. This arrangement should work on its own. They introduce OCF to
test it from userspace using Openssl/Cryptotest tool which uses Cryptodev.
Cryptosoft do many thing one of them is translation for
userland utilities so that they can talk with scatter list based Native
Crypto API used to support NETKEY the default IP stack in 2.6 kernel.
>From my testing we have:
1. cryptotest--->cryptodev--->cryptosoft--->Native crypto
API--->driver--->H/W accelerator path working.
2. Ping--->netkey---->native crypto API---> drivers ----> H/W accelerators
path crashing. Its crashing even when I ping from other machine to this
machine.
Only thing different in two paths is interface used to talk to Native crypto
API. I will now focus my investigation on this area now.
If you have any other observation or input please do share.
Thanks
SP
> Cheers,
> Davidm
>
> > > On Thu, Oct 6, 2011 at 10:48 AM, David McCullough <
> david_mccullough at mcafee.com> wrote:
> > >
> > >
> > >
> > > Jivin Paul Wouters lays it down ...
> > >
> > > > On Wed, 5 Oct 2011, satpal parmar wrote:
> > > >
> > >
> > > > > First let??me thank Paul. Only??because??of
> ??prompt??responses to all my queries I was able to??achieve??my ??milestone
> of run??Openswan (2.6.33) on my ARM Soc running
> > >
> > > > > linux 2..6.37 (netkey).
> > > >
> > > > Feel free to do a write up on the wiki at
> http://gsoc.xelerance.com/ :)
> > > >
> > >
> > > > > After going through mailing lists and google reading
> ??I came up I with??following??queries:??
> > > > >
> > > > > 1. Whats best way to go solving problem of????add H/W
> accelerator support for Openswan? No much on??Goggling??on this.
> > >
> > > >
> > > > I'd say OCF is the way to go, especially if OCF has
> support for that vendor.
> > >
> > >
> > > Yep, if they have provided an OCF driver thats the easiest
> place to start.
> > >
> > > > > 2. Should I use OCF or CryptoAPI? From what I
> read??Linux??native??crypto??api do not support H/W accelerators. Do I
> really need any of these? Whats NSS good for?
> > >
> > > > > I know last question is naive!
> > > >
> > > > If you built in support for both OCF and CryptoAPI, then
> KLIPS will first try to use OCF and if no hardware is found, use cryptoapi
> > > >
> > >
> > > > > 3. Is NETKEY??compatible??with OCF? ??If Yes, do I need
> to recompile my openswan with OCF support? If no as this link says, what my
> best next option? KLIPs?
> > >
> > > >
> > > > Yes, you can use OCF with NETKEY using the "cryptosoft"
> driver
> > >
> > >
> > > Ok, just to be sure you don't mis-interpret that:
> > >
> > > 1. You cannot accelerate NETKEY with OCF. NETKEY uses
> cryptoAPI. There is
> > > no cryptoAPI-->OCF driver, only the OCF-->cryptoAPI
> driver (cryptosoft).
> > >
> > > 2. You can use the kernels cryptoAPI drivers (SW and HW)
> with OCF by using
> > > the OCF cryptosoft driver. This allows OCF and NETkey to
> use the same
> > > crypto drivers (available in newish kernels).
> > >
> > >
> > >
> > > > > 4. Should openswan (2.6.33) ??+ linux kernel 2.6.37
> (netwkey ??and OCF support enabled) ??| H/W drivers from vendors combo work
> ? Anything missing or any mismatch
> > >
> > > > > for H?W accelerator support.
> > > >
> > > > It should work, but a lot depend on the vendor, and if
> they supply non-free code then it might be a little outdated.
> > > >
> > >
> > > > > 5. What Flags/compiler option/??libraries I MAY need to
> enable to make??things??work fine.????
> > >
> > > >
> > > > For kernel OCF mode, you need no special flags/options.
> Just make the OCF modules for your kernel.
> > > > For KLIPS you need to enable CONFIG_KLIPS_OCF.
> > > > For userland OCF (eg for IKE), you need openssl installed
> and enable HAVE_OCF=true
> > > >
> > > > I don't see anything that seems to relate to OCF or KLIPS
> or NETKEY in the below crash.
> > > > Perhaps David can shed more light on that.
> > >
> > >
> > > Hmm, other than the fact that it seems to be DMA related,
> and any OCF
> > > driver worth having will be using DMA.
> > >
> > > It might be useful to know your platform, what crypto
> driver (the vendor
> > > OCF driver) you are using.
> > >
> > > What sort of load are you running when this fails. Are you
> even using OCF ?
> > > If you unload the vendor OCF driver and just use cryptosoft
> to do crypto do
> > > you get the crash ?
> > >
> > > Cheers,
> > > Davidm
> > >
> > >
> > > > > root at R3BTS-CP-PFS1.0# ping 192.168.11.45
> > > > > PING 192.168.11.Unable to handle kernel paging request
> at virtual address 70207000
> > > > > 45 (192.168.11.4pgd = ef8e4000
> > > > > 5): 56 data byte[70207000] *pgd=00000000s
> > > > >
> > > > > Internal error: Oops: 805 [#1]
> > > > > last sysfs file:
> /sys/devices/virtual/dmb_gpio/dmb_gpio1/dev
> > > > > Modules linked in:
> > >
> > > > > CPU: 0 ?? ??Not tainted ??(2.6.37-svn3005 #11)
> > >
> > > > > PC is at v7_dma_clean_range+0x1c/0x34
> > > > > LR is at dma_cache_maint_page+0x34/0x3c
> > >
> > > > > pc : [<c00446cc>] ?? ??lr : [<c0041854>] ?? ??psr:
> 00000113
> > > > > sp : ee8ffea0 ??ip : c0444000 ??fp : ee8ffeac
> > > > > r10: 00000001 ??r9 : efa480d8 ??r8 : 00000000
> > > > > r7 : 00000000 ??r6 : 00000001 ??r5 : efa480d8 ??r4 :
> efa480e8
> > > > > r3 : 0000003f ??r2 : 00000040 ??r1 : 70207000 ??r0 :
> 70207000
> > > > > Flags: nzcv ??IRQs on ??FIQs on ??Mode SVC_32 ??ISA ARM
> ??Segment user
> > > > > Control: 10c5387d ??Table: af8e4019 ??DAC: 00000015
> > >
> > > > > Process ping (pid: 657, stack limit = 0xee8fe2e8)
> > > > > Stack: (0xee8ffea0 to 0xee900000)
> > > > > fea0: ee8ffec4 ee8ffeb0 c004187c c004182c c0044718
> efa48080 ee8ffef4 ee8ffec8
> > > > > fec0: c0041b34 c0041868 00000001 00000000 efa4818c
> eea8cc80 efa4814c 00000006
> > > > > fee0: 00000009 c042fcc0 ee8fff14 ee8ffef8 c0223788
> c0041aec efa4818c eea8cc80
> > > > > ff00: 00000001 efa4814c ee8fff34 ee8fff18 c0223fe0
> c02236dc 00000000 00000100
> > > > > ff20: 00000018 00000001 ee8fff4c ee8fff38 c005ee58
> c0223f24 ee8fe000 00000100
> > > > > ff40: ee8fff84 ee8fff50 c005f44c c005edf4 ee8fff6c
> ee8fff60 c00489dc 00000074
> > > > > ff60: 00000000 0000000e 0002e9ec 00000000 ee8fe000
> 001ecc60 ee8fff94 ee8fff88
> > > > > ff80: c005f51c c005f3d8 ee8fffac ee8fff98 c0031080
> c005f4e0 ffffffff fa200000
> > > > > ffa0: 00000000 ee8fffb0 c02f27bc c003100c 0000000e
> 0002e9ec 00000000 00000000
> > > > > ffc0: 00000040 00000001 0000000e 0002e9ec 00000000
> bec6ce64 001ecc60 bec6ce64
> > > > > ffe0: 0002e9ec bec6ca40 0002e914 000ed420 80000010
> ffffffff 92e25cdc 09e80cd2
> > >
> > > > > Backtrace:??
> > >
> > > > > [<c0041820>] (dma_cache_maint_page+0x0/0x3c) from
> [<c004187c>] (___dma_page_cpu_to_dev+0x20/0x2c)
> > > > > [<c004185c>] (___dma_page_cpu_to_dev+0x0/0x2c) from
> [<c0041b34>] (dma_map_sg+0x54/0xf4)
> > > > > [<c0041ae0>] (dma_map_sg+0x0/0xf4) from [<c0223788>]
> (nss_sham_update_cdma_start+0xb8/0x120)
> > > > > [<c02236d0>] (nss_sham_update_cdma_start+0x0/0x120)
> from [<c0223fe0>] (nss_sham_done_task+0xc8/0x108)
> > >
> > > > > ??r7:efa4814c r6:00000001 r5:eea8cc80 r4:efa4818c
> > >
> > > > > [<c0223f18>] (nss_sham_done_task+0x0/0x108) from
> [<c005ee58>] (tasklet_action+0x70/0xc0)
> > >
> > > > > ??r7:00000001 r6:00000018 r5:00000100 r4:00000000
> > >
> > > > > [<c005ede8>] (tasklet_action+0x0/0xc0) from
> [<c005f44c>] (__do_softirq+0x80/0x108)
> > >
> > > > > ??r5:00000100 r4:ee8fe000
> > >
> > > > > [<c005f3cc>] (__do_softirq+0x0/0x108) from [<c005f51c>]
> (irq_exit+0x48/0x94)
> > > > > [<c005f4d4>] (irq_exit+0x0/0x94) from [<c0031080>]
> (asm_do_IRQ+0x80/0xa0)
> > > > > [<c0031000>] (asm_do_IRQ+0x0/0xa0) from [<c02f27bc>]
> (__irq_usr+0x3c/0xa0)
> > > > > Exception stack(0xee8fffb0 to 0xee8ffff8)
> > >
> > > > > ffa0: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
> ?? ?? 0000000e 0002e9ec 00000000 00000000
> > >
> > > > > ffc0: 00000040 00000001 0000000e 0002e9ec 00000000
> bec6ce64 001ecc60 bec6ce64
> > > > > ffe0: 0002e9ec bec6ca40 0002e914 000ed420 80000010
> ffffffff
> > >
> > > > > ??r5:fa200000 r4:ffffffff
> > > > > Code: e3a02004 e1a02312 e2423001 e1c00003 (ee070f3a)??
> > >
> > > > > ---[ end trace 70e1f34cfd579ce9 ]---
> > > > > Kernel panic - not syncing: Fatal exception in
> interrupt
> > >
> > > > > Backtrace:??
> > >
> > > > > [<c003fb44>] (dump_backtrace+0x0/0x110) from
> [<c02f0564>] (dump_stack+0x18/0x1c)
> > >
> > > > > ??r7:c00446d0 r6:ee8ffce7 r5:c00446ce r4:c040f390
> > >
> > > > > [<c02f054c>] (dump_stack+0x0/0x1c) from [<c02f05c8>]
> (panic+0x60/0x17c)
> > > > > [<c02f0568>] (panic+0x0/0x17c) from [<c003fed8>]
> (die+0x284/0x2d8)
> > >
> > > > > ??r3:00000100 r2:c0420b42 r1:00000000 r0:c038591e
> > >
> > > > > [<c003fc54>] (die+0x0/0x2d8) from [<c0042384>]
> (__do_kernel_fault+0x6c/0x8c)
> > > > > [<c0042318>] (__do_kernel_fault+0x0/0x8c) from
> [<c02f4594>] (do_page_fault+0x1f0/0x20c)
> > >
> > > > > ??r9:00000805 r8:70207000 r7:ee946180 r6:e57178c0
> r5:ee8ffe58
> > >
> > > > > r4:c03e4518
> > > > > [<c02f43a4>] (do_page_fault+0x0/0x20c) from
> [<c02f45d4>] (do_translation_fault+0x24/0xa8)
> > > > > [<c02f45b0>] (do_translation_fault+0x0/0xa8) from
> [<c00312a4>] (do_DataAbort+0x3c/0x9c)
> > >
> > > > > ??r7:ee8ffe58 r6:00000805 r5:c03e4568 r4:c03e4518
> > >
> > > > > [<c0031268>] (do_DataAbort+0x0/0x9c) from [<c02f256c>]
> (__dabt_svc+0x4c/0x60)
> > > > > Exception stack(0xee8ffe58 to 0xee8ffea0)
> > >
> > > > > fe40: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
> ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 70207000 70207000
> > >
> > > > > fe60: 00000040 0000003f efa480e8 efa480d8 00000001
> 00000000 00000000 efa480d8
> > > > > fe80: 00000001 ee8ffeac c0444000 ee8ffea0 c0041854
> c00446cc 00000113 ffffffff
> > >
> > > > > ??r8:00000000 r7:00000000 r6:00000001 r5:ee8ffe8c
> r4:ffffffff
> > >
> > > > > [<c0041820>] (dma_cache_maint_page+0x0/0x3c) from
> [<c004187c>] (___dma_page_cpu_to_dev+0x20/0x2c)
> > > > > [<c004185c>] (___dma_page_cpu_to_dev+0x0/0x2c) from
> [<c0041b34>] (dma_map_sg+0x54/0xf4)
> > > > > [<c0041ae0>] (dma_map_sg+0x0/0xf4) from [<c0223788>]
> (nss_sham_update_cdma_start+0xb8/0x120)
> > > > > [<c02236d0>] (nss_sham_update_cdma_start+0x0/0x120)
> from [<c0223fe0>] (nss_sham_done_task+0xc8/0x108)
> > >
> > > > > ??r7:efa4814c r6:00000001 r5:eea8cc80 r4:efa4818c
> > >
> > > > > [<c0223f18>] (nss_sham_done_task+0x0/0x108) from
> [<c005ee58>] (tasklet_action+0x70/0xc0)
> > >
> > > > > ??r7:00000001 r6:00000018 r5:00000100 r4:00000000
> > >
> > > > > [<c005ede8>] (tasklet_action+0x0/0xc0) from
> [<c005f44c>] (__do_softirq+0x80/0x108)
> > >
> > > > > ??r5:00000100 r4:ee8fe000
> > >
> > > > > [<c005f3cc>] (__do_softirq+0x0/0x108) from [<c005f51c>]
> (irq_exit+0x48/0x94)
> > > > > [<c005f4d4>] (irq_exit+0x0/0x94) from [<c0031080>]
> (asm_do_IRQ+0x80/0xa0)
> > > > > [<c0031000>] (asm_do_IRQ+0x0/0xa0) from [<c02f27bc>]
> (__irq_usr+0x3c/0xa0)
> > > > > Exception stack(0xee8fffb0 to 0xee8ffff8)
> > >
> > > > > ffa0: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
> ?? ?? 0000000e 0002e9ec 00000000 00000000
> > >
> > > > > ffc0: 00000040 00000001 0000000e 0002e9ec 00000000
> bec6ce64 001ecc60 bec6ce64
> > > > > ffe0: 0002e9ec bec6ca40 0002e914 000ed420 80000010
> ffffffff
> > >
> > > > > ??r5:fa200000 r4:ffffffff
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > > --
> > > David McCullough, david_mccullough at mcafee.com,
> Ph:+61 734352815
> > > McAfee - SnapGear http://www.mcafee.com
> http://www.uCdot.org
> > >
> > >
> > >
> > >
> > >
> >
> > --
> > David McCullough, david_mccullough at mcafee.com, Ph:+61
> 734352815
> > McAfee - SnapGear http://www.mcafee.com
> http://www.uCdot.org
> >
> >
> >
> >
> >
>
> --
> David McCullough, david_mccullough at mcafee.com, Ph:+61 734352815
> McAfee - SnapGear http://www.mcafee.com http://www.uCdot.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20111014/f786502c/attachment-0001.html
More information about the Users
mailing list