[Openswan Users] Netkey + Openswan + OCF && H/W accelerators drivers == kernel crash/panic

David McCullough david_mccullough at mcafee.com
Fri Oct 14 00:01:25 EDT 2011


Jivin satpal parmar lays it down ...
...
> 
> So we can conclude our discussion as: H/w accelerator drivers I am using
> are based on 2.6 native crypto API. Since this crypto API is designed to
> be used with in-kernel IPsec stack  Netkey I do not need anything  extra to
> glue things. This arrangement should work on its own. They introduce OCF to
> test it from userspace using Openssl/Cryptotest tool which uses Cryptodev.
> Cryptosoft do many thing one of them is translation for userland utilities
> so that they can talk with scatter list based Native Crypto API used to
> support NETKEY the default IP stack in 2.6 kernel.  
> 
> from my testing we have:
> 
> 
> 1. cryptotest--->cryptodev--->cryptosoft--->Native crypto API--->driver--->H/W accelerator path working.
> 
> 
> 2. Ping--->netkey---->native crypto API---> drivers ----> H/W accelerators path crashing.  Its crashing even when I ping from other machine to this machine. 
> 
> 
> Only thing different in two paths is interface used to talk to Native
> crypto API. I will now focus my investigation on this area now. 

Sounds like you have it all correct now.  Sounds like the HW crypto driver
has some bugs when working with netkey,  they may even be generic bugs that
cryptodev avoids.

> If you have any other observation or input please do share. 

Given that (1) above is working,  you could try openswan+klips+ocf as the
crypto path will be similar to (1).  It is possible that you can get an
accelerated ipsec via this approach without crashing it like you do with
netkey.

Other than that I would look into the locking the HW crypto driver,  it
may be re-entering itself when used with netkey,  or, not protecting it's
critical sections well enough.  Though death on ping is pretty lame,  its
not exactly stressing anything much at 2 packets/s ;-)

Cheers,
Davidm



> 	>       > On Thu, Oct 6, 2011 at 10:48 AM, David McCullough <david_mccullough at mcafee.com> wrote:
> 	>       >
> 	>       >
> 	>       >
> 	>       >       Jivin Paul Wouters lays it down ...
> 	>       >
> 	>       >       > On Wed, 5 Oct 2011, satpal parmar wrote:
> 	>       >       >
> 	>       >
> 	>       >       > > First let??me thank Paul. Only??because??of ??prompt??responses to all my queries I was able to??achieve??my ??milestone of run??Openswan (2.6.33) on my ARM Soc running
> 	>       >
> 	>       >       > > linux 2..6.37 (netkey).
> 	>       >       >
> 	>       >       > Feel free to do a write up on the wiki at http://gsoc.xelerance.com/ :)
> 	>       >       >
> 	>       >
> 	>       >       > > After going through mailing lists and google reading ??I came up I with??following??queries:??
> 	>       >       > >
> 	>       >       > > 1. Whats best way to go solving problem of????add H/W accelerator support for Openswan? No much on??Goggling??on this.
> 	>       >
> 	>       >       >
> 	>       >       > I'd say OCF is the way to go, especially if OCF has support for that vendor.
> 	>       >
> 	>       >
> 	>       >       Yep,  if they have provided an OCF driver thats the easiest place to start.
> 	>       >
> 	>       >       > > 2. Should I use OCF or CryptoAPI? From what I read??Linux??native??crypto??api do not support H/W accelerators. Do I really need any of these? Whats NSS good for?
> 	>       >
> 	>       >       > > I know last question is naive!
> 	>       >       >
> 	>       >       > If you built in support for both OCF and CryptoAPI, then KLIPS will first try to use OCF and if no hardware is found, use cryptoapi
> 	>       >       >
> 	>       >
> 	>       >       > > 3. Is NETKEY??compatible??with OCF? ??If Yes, do I need to recompile my openswan with OCF support? If no as this link says, what my best next option? KLIPs?
> 	>       >
> 	>       >       >
> 	>       >       > Yes, you can use OCF with NETKEY using the "cryptosoft" driver
> 	>       >
> 	>       >
> 	>       >       Ok,  just to be sure you don't mis-interpret that:
> 	>       >
> 	>       >       1. You cannot accelerate NETKEY with OCF.  NETKEY uses cryptoAPI.  There is
> 	>       >         no cryptoAPI-->OCF driver,  only the OCF-->cryptoAPI driver (cryptosoft).
> 	>       >
> 	>       >       2. You can use the kernels cryptoAPI drivers (SW and HW) with OCF by using
> 	>       >         the OCF cryptosoft driver.  This allows OCF and NETkey to use the same
> 	>       >         crypto drivers (available in newish kernels).
> 	>       >
> 	>       >
> 	>       >
> 	>       >       > > 4. Should openswan (2.6.33) ??+ linux kernel 2.6.37 (netwkey ??and OCF support enabled) ??| H/W drivers from vendors combo work ? Anything missing or any mismatch
> 	>       >
> 	>       >       > > for H?W accelerator support.
> 	>       >       >
> 	>       >       > It should work, but a lot depend on the vendor, and if they supply non-free code then it might be a little outdated.
> 	>       >       >
> 	>       >
> 	>       >       > > 5. What Flags/compiler option/??libraries I MAY need to enable to make??things??work fine.????
> 	>       >
> 	>       >       >
> 	>       >       > For kernel OCF mode, you need no special flags/options. Just make the OCF modules for your kernel.
> 	>       >       > For KLIPS you need to enable CONFIG_KLIPS_OCF.
> 	>       >       > For userland OCF (eg for IKE), you need openssl installed and enable HAVE_OCF=true
> 	>       >       >
> 	>       >       > I don't see anything that seems to relate to OCF or KLIPS or NETKEY in the below crash.
> 	>       >       > Perhaps David can shed more light on that.
> 	>       >
> 	>       >
> 	>       >       Hmm,  other than the fact that it seems to be DMA related,  and any OCF
> 	>       >       driver worth having will be using DMA.
> 	>       >
> 	>       >       It might be useful to know your platform,  what crypto driver (the vendor
> 	>       >       OCF driver) you are using.
> 	>       >
> 	>       >       What sort of load are you running when this fails.  Are you even using OCF ?
> 	>       >       If you unload the vendor OCF driver and just use cryptosoft to do crypto do
> 	>       >       you get the crash ?
> 	>       >
> 	>       >       Cheers,
> 	>       >       Davidm
> 	>       >
> 	>       >
> 	>       >       > > root at R3BTS-CP-PFS1.0# ping 192.168.11.45
> 	>       >       > > PING 192.168.11.Unable to handle kernel paging request at virtual address 70207000
> 	>       >       > > 45 (192.168.11.4pgd = ef8e4000
> 	>       >       > > 5): 56 data byte[70207000] *pgd=00000000s
> 	>       >       > >
> 	>       >       > > Internal error: Oops: 805 [#1]
> 	>       >       > > last sysfs file: /sys/devices/virtual/dmb_gpio/dmb_gpio1/dev
> 	>       >       > > Modules linked in:
> 	>       >
> 	>       >       > > CPU: 0 ?? ??Not tainted ??(2.6.37-svn3005 #11)
> 	>       >
> 	>       >       > > PC is at v7_dma_clean_range+0x1c/0x34
> 	>       >       > > LR is at dma_cache_maint_page+0x34/0x3c
> 	>       >
> 	>       >       > > pc : [<c00446cc>] ?? ??lr : [<c0041854>] ?? ??psr: 00000113
> 	>       >       > > sp : ee8ffea0 ??ip : c0444000 ??fp : ee8ffeac
> 	>       >       > > r10: 00000001 ??r9 : efa480d8 ??r8 : 00000000
> 	>       >       > > r7 : 00000000 ??r6 : 00000001 ??r5 : efa480d8 ??r4 : efa480e8
> 	>       >       > > r3 : 0000003f ??r2 : 00000040 ??r1 : 70207000 ??r0 : 70207000
> 	>       >       > > Flags: nzcv ??IRQs on ??FIQs on ??Mode SVC_32 ??ISA ARM ??Segment user
> 	>       >       > > Control: 10c5387d ??Table: af8e4019 ??DAC: 00000015
> 	>       >
> 	>       >       > > Process ping (pid: 657, stack limit = 0xee8fe2e8)
> 	>       >       > > Stack: (0xee8ffea0 to 0xee900000)
> 	>       >       > > fea0: ee8ffec4 ee8ffeb0 c004187c c004182c c0044718 efa48080 ee8ffef4 ee8ffec8
> 	>       >       > > fec0: c0041b34 c0041868 00000001 00000000 efa4818c eea8cc80 efa4814c 00000006
> 	>       >       > > fee0: 00000009 c042fcc0 ee8fff14 ee8ffef8 c0223788 c0041aec efa4818c eea8cc80
> 	>       >       > > ff00: 00000001 efa4814c ee8fff34 ee8fff18 c0223fe0 c02236dc 00000000 00000100
> 	>       >       > > ff20: 00000018 00000001 ee8fff4c ee8fff38 c005ee58 c0223f24 ee8fe000 00000100
> 	>       >       > > ff40: ee8fff84 ee8fff50 c005f44c c005edf4 ee8fff6c ee8fff60 c00489dc 00000074
> 	>       >       > > ff60: 00000000 0000000e 0002e9ec 00000000 ee8fe000 001ecc60 ee8fff94 ee8fff88
> 	>       >       > > ff80: c005f51c c005f3d8 ee8fffac ee8fff98 c0031080 c005f4e0 ffffffff fa200000
> 	>       >       > > ffa0: 00000000 ee8fffb0 c02f27bc c003100c 0000000e 0002e9ec 00000000 00000000
> 	>       >       > > ffc0: 00000040 00000001 0000000e 0002e9ec 00000000 bec6ce64 001ecc60 bec6ce64
> 	>       >       > > ffe0: 0002e9ec bec6ca40 0002e914 000ed420 80000010 ffffffff 92e25cdc 09e80cd2
> 	>       >
> 	>       >       > > Backtrace:??
> 	>       >
> 	>       >       > > [<c0041820>] (dma_cache_maint_page+0x0/0x3c) from [<c004187c>] (___dma_page_cpu_to_dev+0x20/0x2c)
> 	>       >       > > [<c004185c>] (___dma_page_cpu_to_dev+0x0/0x2c) from [<c0041b34>] (dma_map_sg+0x54/0xf4)
> 	>       >       > > [<c0041ae0>] (dma_map_sg+0x0/0xf4) from [<c0223788>] (nss_sham_update_cdma_start+0xb8/0x120)
> 	>       >       > > [<c02236d0>] (nss_sham_update_cdma_start+0x0/0x120) from [<c0223fe0>] (nss_sham_done_task+0xc8/0x108)
> 	>       >
> 	>       >       > > ??r7:efa4814c r6:00000001 r5:eea8cc80 r4:efa4818c
> 	>       >
> 	>       >       > > [<c0223f18>] (nss_sham_done_task+0x0/0x108) from [<c005ee58>] (tasklet_action+0x70/0xc0)
> 	>       >
> 	>       >       > > ??r7:00000001 r6:00000018 r5:00000100 r4:00000000
> 	>       >
> 	>       >       > > [<c005ede8>] (tasklet_action+0x0/0xc0) from [<c005f44c>] (__do_softirq+0x80/0x108)
> 	>       >
> 	>       >       > > ??r5:00000100 r4:ee8fe000
> 	>       >
> 	>       >       > > [<c005f3cc>] (__do_softirq+0x0/0x108) from [<c005f51c>] (irq_exit+0x48/0x94)
> 	>       >       > > [<c005f4d4>] (irq_exit+0x0/0x94) from [<c0031080>] (asm_do_IRQ+0x80/0xa0)
> 	>       >       > > [<c0031000>] (asm_do_IRQ+0x0/0xa0) from [<c02f27bc>] (__irq_usr+0x3c/0xa0)
> 	>       >       > > Exception stack(0xee8fffb0 to 0xee8ffff8)
> 	>       >
> 	>       >       > > ffa0: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 0000000e 0002e9ec 00000000 00000000
> 	>       >
> 	>       >       > > ffc0: 00000040 00000001 0000000e 0002e9ec 00000000 bec6ce64 001ecc60 bec6ce64
> 	>       >       > > ffe0: 0002e9ec bec6ca40 0002e914 000ed420 80000010 ffffffff
> 	>       >
> 	>       >       > > ??r5:fa200000 r4:ffffffff
> 	>       >       > > Code: e3a02004 e1a02312 e2423001 e1c00003 (ee070f3a)??
> 	>       >
> 	>       >       > > ---[ end trace 70e1f34cfd579ce9 ]---
> 	>       >       > > Kernel panic - not syncing: Fatal exception in interrupt
> 	>       >
> 	>       >       > > Backtrace:??
> 	>       >
> 	>       >       > > [<c003fb44>] (dump_backtrace+0x0/0x110) from [<c02f0564>] (dump_stack+0x18/0x1c)
> 	>       >
> 	>       >       > > ??r7:c00446d0 r6:ee8ffce7 r5:c00446ce r4:c040f390
> 	>       >
> 	>       >       > > [<c02f054c>] (dump_stack+0x0/0x1c) from [<c02f05c8>] (panic+0x60/0x17c)
> 	>       >       > > [<c02f0568>] (panic+0x0/0x17c) from [<c003fed8>] (die+0x284/0x2d8)
> 	>       >
> 	>       >       > > ??r3:00000100 r2:c0420b42 r1:00000000 r0:c038591e
> 	>       >
> 	>       >       > > [<c003fc54>] (die+0x0/0x2d8) from [<c0042384>] (__do_kernel_fault+0x6c/0x8c)
> 	>       >       > > [<c0042318>] (__do_kernel_fault+0x0/0x8c) from [<c02f4594>] (do_page_fault+0x1f0/0x20c)
> 	>       >
> 	>       >       > > ??r9:00000805 r8:70207000 r7:ee946180 r6:e57178c0 r5:ee8ffe58
> 	>       >
> 	>       >       > > r4:c03e4518
> 	>       >       > > [<c02f43a4>] (do_page_fault+0x0/0x20c) from [<c02f45d4>] (do_translation_fault+0x24/0xa8)
> 	>       >       > > [<c02f45b0>] (do_translation_fault+0x0/0xa8) from [<c00312a4>] (do_DataAbort+0x3c/0x9c)
> 	>       >
> 	>       >       > > ??r7:ee8ffe58 r6:00000805 r5:c03e4568 r4:c03e4518
> 	>       >
> 	>       >       > > [<c0031268>] (do_DataAbort+0x0/0x9c) from [<c02f256c>] (__dabt_svc+0x4c/0x60)
> 	>       >       > > Exception stack(0xee8ffe58 to 0xee8ffea0)
> 	>       >
> 	>       >       > > fe40: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 70207000 70207000
> 	>       >
> 	>       >       > > fe60: 00000040 0000003f efa480e8 efa480d8 00000001 00000000 00000000 efa480d8
> 	>       >       > > fe80: 00000001 ee8ffeac c0444000 ee8ffea0 c0041854 c00446cc 00000113 ffffffff
> 	>       >
> 	>       >       > > ??r8:00000000 r7:00000000 r6:00000001 r5:ee8ffe8c r4:ffffffff
> 	>       >
> 	>       >       > > [<c0041820>] (dma_cache_maint_page+0x0/0x3c) from [<c004187c>] (___dma_page_cpu_to_dev+0x20/0x2c)
> 	>       >       > > [<c004185c>] (___dma_page_cpu_to_dev+0x0/0x2c) from [<c0041b34>] (dma_map_sg+0x54/0xf4)
> 	>       >       > > [<c0041ae0>] (dma_map_sg+0x0/0xf4) from [<c0223788>] (nss_sham_update_cdma_start+0xb8/0x120)
> 	>       >       > > [<c02236d0>] (nss_sham_update_cdma_start+0x0/0x120) from [<c0223fe0>] (nss_sham_done_task+0xc8/0x108)
> 	>       >
> 	>       >       > > ??r7:efa4814c r6:00000001 r5:eea8cc80 r4:efa4818c
> 	>       >
> 	>       >       > > [<c0223f18>] (nss_sham_done_task+0x0/0x108) from [<c005ee58>] (tasklet_action+0x70/0xc0)
> 	>       >
> 	>       >       > > ??r7:00000001 r6:00000018 r5:00000100 r4:00000000
> 	>       >
> 	>       >       > > [<c005ede8>] (tasklet_action+0x0/0xc0) from [<c005f44c>] (__do_softirq+0x80/0x108)
> 	>       >
> 	>       >       > > ??r5:00000100 r4:ee8fe000
> 	>       >
> 	>       >       > > [<c005f3cc>] (__do_softirq+0x0/0x108) from [<c005f51c>] (irq_exit+0x48/0x94)
> 	>       >       > > [<c005f4d4>] (irq_exit+0x0/0x94) from [<c0031080>] (asm_do_IRQ+0x80/0xa0)
> 	>       >       > > [<c0031000>] (asm_do_IRQ+0x0/0xa0) from [<c02f27bc>] (__irq_usr+0x3c/0xa0)
> 	>       >       > > Exception stack(0xee8fffb0 to 0xee8ffff8)
> 	>       >
> 	>       >       > > ffa0: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 0000000e 0002e9ec 00000000 00000000
> 	>       >
> 	>       >       > > ffc0: 00000040 00000001 0000000e 0002e9ec 00000000 bec6ce64 001ecc60 bec6ce64
> 	>       >       > > ffe0: 0002e9ec bec6ca40 0002e914 000ed420 80000010 ffffffff
> 	>       >
> 	>       >       > > ??r5:fa200000 r4:ffffffff
> 	>       >       > >
> 	>       >       > >
> 	>       >       > >
> 	>       >       > >
> 	>       >       > >
> 	>       >       >
> 	>       >       >
> 	>       >
> 	>       >       --
> 	>       >       David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
> 	>       >       McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
> 	>       >
> 	>       >
> 	>       >
> 	>       >
> 	>       >
> 	>
> 	>       --
> 	>       David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
> 	>       McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
> 	>
> 	>
> 	>
> 	>
> 	>
> 	
> 	--
> 	David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
> 	McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
> 	
> 
> 
> 
> 

-- 
David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org


More information about the Users mailing list