[FS#1262] CAAM breaking strongswan on WDR4900v1

Sun Jan 7 02:54:04 PST 2018

A new Flyspray task has been opened.  Details are below. 

User who did this - FC7 (casasfernando) 

Attached to Project - LEDE Project
Summary - CAAM breaking strongswan on WDR4900v1
Task Type - Bug Report
Category - Base system
Status - Unconfirmed
Assigned To - 
Operating System - All
Severity - Critical
Priority - Very Low
Reported Version - All
Due in Version - Undecided
Due Date - Undecided
Details - Strongswan seems to be trying to use CAAM crypto hardware device on this router through the kernel but the device doesn't seem to be present or available causing strongswan to fail while trying to add a SA to the kernel.
Everytime strongswan is trying to add a SA to the kernel the following error messages are logged in strongswan and the kernel log. The kernel log error message seems to be generated by the CAAM code (I checked the kernel source to confirm this).

Strongswan log:

12[KNL] received netlink error: No such device (19)
12[KNL] unable to add SAD entry with SPI c88d8084 (FAILED)
12[KNL] received netlink error: No such device (19)
12[KNL] unable to add SAD entry with SPI 0e9ded44 (FAILED)
12[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel

Linux kernel log:

[6311485.194242] Job Ring Device allocation for transform failed
[6311485.201338] Job Ring Device allocation for transform failed
[6311497.457066] Job Ring Device allocation for transform failed
[6311497.464231] Job Ring Device allocation for transform failed

CAAM must either be disabled or built as a kernel module for this specific router since hardware support is not there and it can only cause potential problems like in this case with Strongswan.

I'm tagging the bug as critical since as reported above Strongswan is not usable on this router due to this bug in the kernel configuration.   

More information can be found at the following URL:
https://bugs.lede-project.org/index.php?do=details&task_id=1262