Safexcel 15600000.crypto failed with error -16

rmandrad · November 4, 2025, 8:19am

it needs cryptodev i believe … at least on openwrt i have a /dev/crypto but this is out of kernel … i guess AF_ALG may work … let me setup openssl.cnf

rmandrad · November 4, 2025, 9:06am

ok so I changed the priority from 300 to 400 and enabled the AFALG on openssl.cnf

now getting

Nov 04 08:59:36 bpi-r4-8g (udev-worker)[3158]: inside-secure/eip197b/ifpp.bin: /usr/lib/udev/rules.d/50-firmware.rules:3 Failed to write ATTR{/sys/devices/platform/soc/15600000.crypto/firmware/inside-secure!eip197b!ifpp.bin/loading}="-1", ignoring: No such file or directory
Nov 04 08:59:36 bpi-r4-8g (udev-worker)[3175]: ifpp.bin: /usr/lib/udev/rules.d/50-firmware.rules:3 Failed to write ATTR{/sys/devices/platform/soc/15600000.crypto/firmware/ifpp.bin/loading}="-1", ignoring: No such file or directory

meaning we need the firmware … i will try to get them from openwrt

rmandrad · November 4, 2025, 9:21am

weird … still don’t see any activity on /proc/interrupts for crypto

see this on dmesg

crypto-safexcel 15600000.crypto: FW(1) for PE 0 failed to start

get’s stuck below

io_submit(0x7f87871000, 1, [{aio_data=0, aio_lio_opcode=IOCB_CMD_PREAD, aio_fildes=4, aio_buf=0x5580c92dc0, aio_nbytes=16, aio_offset=0, aio_flags=IOCB_FLAG_RESFD, aio_resfd=5}]) = 1
read(5, 0x7fe1576658, 8)                = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
--- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
rt_sigaction(SIGALRM, {sa_handler=0x5580b91be0, sa_mask=[ALRM], sa_flags=SA_RESTART}, {sa_handler=0x5580b91be0, sa_mask=[ALRM], sa_flags=SA_RESTART}, 8) = 0
rt_sigreturn({mask=[]})                 = 5
read(5,

kvic · November 4, 2025, 11:29am

a bit update on my debug on OpenWrt Snapshot (kernel 6.12.55)

Test algo: aes128 aka aes-128-cbc in user space; cbc(aes) in kernel space.

I did some tracing and can rule out any issue between user/kernel communication. I can also confirm the request from “openssl speed” reaches crypto-safexcel driver.

Inside safexcel_skcipher_send(), the request is subsequently sent to hardware. There is no result coming back from hardware.

This corroborates with not even one triggered interrupt in /proc/interrupt. I can also confirm the driver does register handlers to the interrupts.

Hmm…so what could be possible cause? DTS? Or does it require MTKHNAT driver loaded at the same time ?

I suspect EIP197 never tested to work on MT7988A…

frank-w · November 4, 2025, 11:49am

can you post you config.gz grepped by crypto?

crypto_dev options seem to be vendor-specific and i see no generic crypto-dev (except eip93 which does not match the eip197) and no mtk specific. maybe in openwrt+sdk it works because the hnat driver binds it. i guess without help from mtk we are stuck here

rmandrad · November 4, 2025, 12:07pm

agree … the dts i used for crypto actually is from the mtk feeds.

zgrep CRYPTO /proc/config.gz
CONFIG_RT2X00_LIB_CRYPTO=y
CONFIG_CRYPTO=y
CONFIG_CRYPTO_ALGAPI=y
CONFIG_CRYPTO_ALGAPI2=y
CONFIG_CRYPTO_AEAD=y
CONFIG_CRYPTO_AEAD2=y
CONFIG_CRYPTO_SIG=y
CONFIG_CRYPTO_SIG2=y
CONFIG_CRYPTO_SKCIPHER=y
CONFIG_CRYPTO_SKCIPHER2=y
CONFIG_CRYPTO_HASH=y
CONFIG_CRYPTO_HASH2=y
CONFIG_CRYPTO_RNG=y
CONFIG_CRYPTO_RNG2=y
CONFIG_CRYPTO_RNG_DEFAULT=y
CONFIG_CRYPTO_AKCIPHER2=y
CONFIG_CRYPTO_AKCIPHER=y
CONFIG_CRYPTO_KPP2=y
CONFIG_CRYPTO_KPP=y
CONFIG_CRYPTO_ACOMP2=y
CONFIG_CRYPTO_HKDF=y
CONFIG_CRYPTO_MANAGER=y
CONFIG_CRYPTO_MANAGER2=y
CONFIG_CRYPTO_USER=y
# CONFIG_CRYPTO_SELFTESTS is not set
CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_PCRYPT=y
CONFIG_CRYPTO_CRYPTD=y
CONFIG_CRYPTO_AUTHENC=m
# CONFIG_CRYPTO_KRB5ENC is not set
# CONFIG_CRYPTO_BENCHMARK is not set
CONFIG_CRYPTO_RSA=y
CONFIG_CRYPTO_DH=y
CONFIG_CRYPTO_DH_RFC7919_GROUPS=y
CONFIG_CRYPTO_ECC=y
CONFIG_CRYPTO_ECDH=y
# CONFIG_CRYPTO_ECDSA is not set
# CONFIG_CRYPTO_ECRDSA is not set
# CONFIG_CRYPTO_CURVE25519 is not set
CONFIG_CRYPTO_AES=y
# CONFIG_CRYPTO_AES_TI is not set
# CONFIG_CRYPTO_ANUBIS is not set
# CONFIG_CRYPTO_ARIA is not set
# CONFIG_CRYPTO_BLOWFISH is not set
# CONFIG_CRYPTO_CAMELLIA is not set
# CONFIG_CRYPTO_CAST5 is not set
# CONFIG_CRYPTO_CAST6 is not set
# CONFIG_CRYPTO_DES is not set
# CONFIG_CRYPTO_FCRYPT is not set
# CONFIG_CRYPTO_KHAZAD is not set
# CONFIG_CRYPTO_SEED is not set
# CONFIG_CRYPTO_SERPENT is not set
CONFIG_CRYPTO_SM4=y
# CONFIG_CRYPTO_SM4_GENERIC is not set
# CONFIG_CRYPTO_TEA is not set
# CONFIG_CRYPTO_TWOFISH is not set
# CONFIG_CRYPTO_ADIANTUM is not set
# CONFIG_CRYPTO_ARC4 is not set
CONFIG_CRYPTO_CHACHA20=m
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CTR=y
CONFIG_CRYPTO_CTS=y
CONFIG_CRYPTO_ECB=y
# CONFIG_CRYPTO_HCTR2 is not set
# CONFIG_CRYPTO_LRW is not set
# CONFIG_CRYPTO_PCBC is not set
CONFIG_CRYPTO_XTS=y
CONFIG_CRYPTO_NHPOLY1305=y
# CONFIG_CRYPTO_AEGIS128 is not set
CONFIG_CRYPTO_CHACHA20POLY1305=m
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_GCM=y
CONFIG_CRYPTO_GENIV=m
CONFIG_CRYPTO_SEQIV=m
CONFIG_CRYPTO_ECHAINIV=m
# CONFIG_CRYPTO_ESSIV is not set
# CONFIG_CRYPTO_BLAKE2B is not set
CONFIG_CRYPTO_CMAC=y
CONFIG_CRYPTO_GHASH=y
CONFIG_CRYPTO_HMAC=y
# CONFIG_CRYPTO_MD4 is not set
CONFIG_CRYPTO_MD5=m
CONFIG_CRYPTO_MICHAEL_MIC=m
CONFIG_CRYPTO_POLYVAL=y
# CONFIG_CRYPTO_RMD160 is not set
CONFIG_CRYPTO_SHA1=m
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=y
CONFIG_CRYPTO_SHA3=y
# CONFIG_CRYPTO_SM3_GENERIC is not set
# CONFIG_CRYPTO_STREEBOG is not set
# CONFIG_CRYPTO_WP512 is not set
CONFIG_CRYPTO_XCBC=m
CONFIG_CRYPTO_XXHASH=m
CONFIG_CRYPTO_CRC32C=y
CONFIG_CRYPTO_CRC32=y
CONFIG_CRYPTO_DEFLATE=y
CONFIG_CRYPTO_LZO=y
# CONFIG_CRYPTO_842 is not set
# CONFIG_CRYPTO_LZ4 is not set
# CONFIG_CRYPTO_LZ4HC is not set
CONFIG_CRYPTO_ZSTD=y
# CONFIG_CRYPTO_ANSI_CPRNG is not set
CONFIG_CRYPTO_DRBG_MENU=y
CONFIG_CRYPTO_DRBG_HMAC=y
# CONFIG_CRYPTO_DRBG_HASH is not set
# CONFIG_CRYPTO_DRBG_CTR is not set
CONFIG_CRYPTO_DRBG=y
CONFIG_CRYPTO_JITTERENTROPY=y
CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKS=64
CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE=32
CONFIG_CRYPTO_JITTERENTROPY_OSR=1
CONFIG_CRYPTO_USER_API=m
CONFIG_CRYPTO_USER_API_HASH=m
CONFIG_CRYPTO_USER_API_SKCIPHER=m
CONFIG_CRYPTO_USER_API_RNG=m
# CONFIG_CRYPTO_USER_API_RNG_CAVP is not set
CONFIG_CRYPTO_USER_API_AEAD=m
CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE=y
CONFIG_CRYPTO_NHPOLY1305_NEON=y
CONFIG_CRYPTO_GHASH_ARM64_CE=y
CONFIG_CRYPTO_SHA3_ARM64=y
CONFIG_CRYPTO_SM3_NEON=y
CONFIG_CRYPTO_SM3_ARM64_CE=y
CONFIG_CRYPTO_POLYVAL_ARM64_CE=y
CONFIG_CRYPTO_AES_ARM64=y
CONFIG_CRYPTO_AES_ARM64_CE=y
CONFIG_CRYPTO_AES_ARM64_CE_BLK=y
CONFIG_CRYPTO_AES_ARM64_NEON_BLK=y
CONFIG_CRYPTO_AES_ARM64_BS=y
CONFIG_CRYPTO_SM4_ARM64_CE=y
CONFIG_CRYPTO_SM4_ARM64_CE_BLK=y
CONFIG_CRYPTO_SM4_ARM64_NEON_BLK=y
CONFIG_CRYPTO_AES_ARM64_CE_CCM=y
CONFIG_CRYPTO_SM4_ARM64_CE_CCM=y
CONFIG_CRYPTO_SM4_ARM64_CE_GCM=y
CONFIG_CRYPTO_HW=y
# CONFIG_CRYPTO_DEV_ATMEL_ECC is not set
# CONFIG_CRYPTO_DEV_ATMEL_SHA204A is not set
# CONFIG_CRYPTO_DEV_CCP is not set
# CONFIG_CRYPTO_DEV_NITROX_CNN55XX is not set
# CONFIG_CRYPTO_DEV_QAT_DH895xCC is not set
# CONFIG_CRYPTO_DEV_QAT_C3XXX is not set
# CONFIG_CRYPTO_DEV_QAT_C62X is not set
# CONFIG_CRYPTO_DEV_QAT_4XXX is not set
# CONFIG_CRYPTO_DEV_QAT_420XX is not set
# CONFIG_CRYPTO_DEV_QAT_DH895xCCVF is not set
# CONFIG_CRYPTO_DEV_QAT_C3XXXVF is not set
# CONFIG_CRYPTO_DEV_QAT_C62XVF is not set
CONFIG_CRYPTO_DEV_SAFEXCEL=m
# CONFIG_CRYPTO_DEV_CCREE is not set
# CONFIG_CRYPTO_DEV_HISI_SEC is not set
# CONFIG_CRYPTO_DEV_AMLOGIC_GXL is not set
# CONFIG_CRYPTO_KRB5 is not set
CONFIG_CRYPTO_HASH_INFO=y
CONFIG_CRYPTO_LIB_UTILS=y
CONFIG_CRYPTO_LIB_AES=y
CONFIG_CRYPTO_LIB_ARC4=y
CONFIG_CRYPTO_LIB_GF128MUL=y
CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y
CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA=y
CONFIG_CRYPTO_LIB_CHACHA_GENERIC=m
CONFIG_CRYPTO_LIB_CHACHA=m
CONFIG_CRYPTO_LIB_DES=m
CONFIG_CRYPTO_LIB_POLY1305_RSIZE=9
CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305=y
CONFIG_CRYPTO_LIB_POLY1305_GENERIC=y
CONFIG_CRYPTO_LIB_POLY1305=m
CONFIG_CRYPTO_LIB_SHA1=y
CONFIG_CRYPTO_LIB_SHA1_ARCH=y
CONFIG_CRYPTO_LIB_SHA256=y
CONFIG_CRYPTO_LIB_SHA256_ARCH=y
CONFIG_CRYPTO_LIB_SHA512=y
CONFIG_CRYPTO_LIB_SHA512_ARCH=y
CONFIG_CRYPTO_LIB_SM3=y
CONFIG_CRYPTO_CHACHA20_NEON=m
CONFIG_CRYPTO_POLY1305_NEON=m

rmandrad · November 4, 2025, 1:24pm

there are actually quite a number of changes on mtk-sdk namely the load of the firmware & others … so yes mtk will be needed to upstream … the problem is going to be is that safexcel code is not from mtk and what will be the impact on others … my opinion is that safexcel / eip was a bad choice

kvic · November 4, 2025, 4:36pm

Apparently EIP197 does work for Mediatek if you built from their MTK Feed.

Here is a quick test on MediaTek’s OpenWrt 24.10 Snapshot (kernel 6.6) with crypto-safexcel driver.

root@OpenWrt:~# openssl speed -evp aes128 -elapsed -engine afalg
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
AES-128-CBC        632.22k     2647.42k    10495.06k    38950.57k   205744.81k   291782.66k

MediaTek also included crypto-eip driver. But crashed the kernel at runtime.

Conclusion

The good news is we probably could figure out and make it work on OpenWrt Snapshot (kernel 6.12) or mainline kernel.

The bad news. EIP197’s performance is a rather disappointment. At this point, I wonder if folks are motivated to pursue further.

I hope it’s just picking the wrong cipher or some issue in crypto-safexcel driver. I had expected to see much better performance in EIP197…

I expect it could do line rate at 10Gbps at least for such a high-end SoC. But it only manages to achieve ~2.3 Gbps of aes-128-cbc only in the most favourable/largest data chunk size. And much worse than CPU acceleration across the board.

Cheers

EDIT

EIP197 has four ring queues. I think I only used and saturated one queue in the above test. With four queues in full steam, 2.33 x 4 = ~10Gbps. See…if you try to sue MTK marketing, they perhaps could get away with it in the court.

rmandrad · November 4, 2025, 5:06pm

weird - in openwrt i get

version: 3.5.4
built on: Sat Oct  4 22:17:02 2025 UTC
options: bn(64,64)
compiler: aarch64-openwrt-linux-musl-gcc -fPIC -pthread -Wa,--noexecstack -Wall -O3 -pipe -mcpu=cortex-a73+crc+crypto+rdma -fno-caller-saves -fno-plt -fhonour-copts -ffunction-sections -fdata-sections -Wformat -Werror=format-security -fstack-protector -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro -O3 -DPIC -fPIC -pipe -mcpu=cortex-a73+crc+crypto+rdma -fno-caller-saves -fno-plt -fhonour-copts -ffunction-sections -fdata-sections -Wformat -Werror=format-security -fstack-protector -O3 -fPIC -fuse-ld=mold -znow -zrelro -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DZLIB -DZLIB_SHARED -DNDEBUG -D_FORTIFY_SOURCE=1 -DPIC
CPUINFO: OPENSSL_armcap=0x3d
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
AES-128-CBC     128033.53k   313802.97k   506319.27k   594162.35k   630295.21k   633596.59k