Add basic crypto support...

package/qca-nss/qca-nss-cfi/Makefile

@@ -0,0 +1,90 @@
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=qca-nss-cfi
+PKG_RELEASE:=1
+
+PKG_SOURCE_URL:=https://git.codelinaro.org/clo/qsdk/oss/lklm/nss-cfi.git
+PKG_SOURCE_PROTO:=git
+PKG_MIRROR_HASH:=skip
+PKG_SOURCE_VERSION:=5cd07ce299ee3ce62dbe4f6783ad36361e57583b
+PKG_VERSION:=1
+
+PKG_BUILD_PARALLEL:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+ifeq ($(CONFIG_TARGET_ipq),y)
+subtarget:=$(SUBTARGET)
+else
+subtarget:=$(CONFIG_TARGET_BOARD)
+endif
+
+# v1.0 is for Akronite
+# v2.0 is for Hawkeye/Cypress/Maple
+ifneq (, $(findstring $(subtarget), "ipq807x" "ipq807x_64" "ipq60xx" "ipq60xx_64"))
+  CFI_OCF_DIR:=ocf/v2.0
+  CFI_CRYPTOAPI_DIR:=cryptoapi/v2.0
+else
+  CFI_CRYPTOAPI_DIR:=cryptoapi/v1.1
+ #  CFI_OCF_DIR:=ocf/v1.0
+  # CFI_IPSEC_DIR:=ipsec/v1.0
+endif
+
+define KernelPackage/qca-nss-cfi-cryptoapi
+  SECTION:=kernel
+  CATEGORY:=Kernel modules
+  SUBMENU:=Network Devices
+  DEPENDS:=@TARGET_ipq806x||TARGET_ipq_ipq806x||TARGET_ipq_ipq807x||TARGET_ipq_ipq807x_64||TARGET_ipq807x||TARGET_ipq807x_64||TARGET_ipq_ipq60xx||TARGET_ipq_ipq60xx_64 \
+		+kmod-qca-nss-crypto +kmod-crypto-authenc
+  TITLE:=Kernel driver for NSS cfi
+  FILES:=$(PKG_BUILD_DIR)/$(CFI_CRYPTOAPI_DIR)/qca-nss-cfi-cryptoapi.ko
+  AUTOLOAD:=$(call AutoLoad,59,qca-nss-cfi-cryptoapi)
+endef
+
+define Build/InstallDev/qca-nss-cfi
+	$(INSTALL_DIR) $(1)/usr/include/qca-nss-cfi
+	$(CP) $(PKG_BUILD_DIR)/$(CFI_CRYPTOAPI_DIR)/../exports/* $(1)/usr/include/qca-nss-cfi
+	$(CP) $(PKG_BUILD_DIR)/include/* $(1)/usr/include/qca-nss-cfi
+endef
+
+define Build/InstallDev
+	$(call Build/InstallDev/qca-nss-cfi,$(1))
+endef
+
+define KernelPackage/qca-nss-cfi/Description
+This package contains a NSS cfi driver for QCA chipset
+endef
+
+EXTRA_CFLAGS+= \
+	-DCONFIG_NSS_DEBUG_LEVEL=4 \
+	-I$(STAGING_DIR)/usr/include/qca-nss-crypto \
+	-I$(STAGING_DIR)/usr/include/crypto \
+	-I$(STAGING_DIR)/usr/include/qca-nss-drv
+
+ifneq (, $(findstring $(subtarget), "ipq807x" "ipq807x_64" "ipq60xx" "ipq60xx_64"))
+EXTRA_CFLAGS+= -I$(STAGING_DIR)/usr/include/qca-nss-clients
+endif
+
+# Build individual packages if selected
+ifneq ($(CONFIG_PACKAGE_kmod-qca-nss-cfi-cryptoapi),)
+MAKE_OPTS+= \
+	cryptoapi=y \
+	NSS_CRYPTOAPI_ABLK=n \
+	NSS_CRYPTOAPI_SKCIPHER=y
+endif
+
+define Build/Compile
+	$(KERNEL_MAKE) $(strip $(MAKE_OPTS)) \
+		M="$(PKG_BUILD_DIR)" \
+		EXTRA_CFLAGS="$(EXTRA_CFLAGS)" \
+		CC="$(TARGET_CC)" \
+		CFI_CRYPTOAPI_DIR=$(CFI_CRYPTOAPI_DIR) \
+		CFI_OCF_DIR=$(CFI_OCF_DIR) \
+		CFI_IPSEC_DIR=$(CFI_IPSEC_DIR) \
+		SoC=$(subtarget) \
+		modules
+endef
+
+$(eval $(call KernelPackage,qca-nss-cfi-cryptoapi))
+# $(eval $(call KernelPackage,qca-nss-cfi-ocf))

package/qca-nss/qca-nss-cfi/patches/0001-cryptoapi-v2.0-fix-SHA1-header-include.patch

@@ -0,0 +1,62 @@
+From 1569ac3b6bbcae9c3f4898e0d34aec8f88297ee6 Mon Sep 17 00:00:00 2001
+From: Robert Marko <robimarko@gmail.com>
+Date: Sun, 22 Jan 2023 21:45:23 +0100
+Subject: [PATCH 1/5] cryptoapi: v2.0: fix SHA1 header include
+
+SHA1 header has been merged to the generic SHA one,
+and with that the cryptohash.h was dropped.
+
+So, fix include in kernels 5.8 and newer.
+
+Signed-off-by: Robert Marko <robimarko@gmail.com>
+---
+ cryptoapi/v2.0/nss_cryptoapi.c       | 5 +++++
+ cryptoapi/v2.0/nss_cryptoapi_aead.c  | 5 +++++
+ cryptoapi/v2.0/nss_cryptoapi_ahash.c | 5 +++++
+ 3 files changed, 15 insertions(+)
+
+--- a/cryptoapi/v2.0/nss_cryptoapi.c
++++ b/cryptoapi/v2.0/nss_cryptoapi.c
+@@ -39,7 +39,12 @@
+ 
+ #include <crypto/aes.h>
+ #include <crypto/des.h>
++#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 0)
+ #include <crypto/sha.h>
++#else
++#include <crypto/sha1.h>
++#include <crypto/sha2.h>
++#endif
+ #include <crypto/hash.h>
+ #include <crypto/md5.h>
+ #include <crypto/ghash.h>
+--- a/cryptoapi/v2.0/nss_cryptoapi_aead.c
++++ b/cryptoapi/v2.0/nss_cryptoapi_aead.c
+@@ -39,7 +39,12 @@
+ 
+ #include <crypto/aes.h>
+ #include <crypto/des.h>
++#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 0)
+ #include <crypto/sha.h>
++#else
++#include <crypto/sha1.h>
++#include <crypto/sha2.h>
++#endif
+ #include <crypto/hash.h>
+ #include <crypto/algapi.h>
+ #include <crypto/aead.h>
+--- a/cryptoapi/v2.0/nss_cryptoapi_ahash.c
++++ b/cryptoapi/v2.0/nss_cryptoapi_ahash.c
+@@ -38,7 +38,12 @@
+ 
+ #include <crypto/aes.h>
+ #include <crypto/des.h>
++#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 0)
+ #include <crypto/sha.h>
++#else
++#include <crypto/sha1.h>
++#include <crypto/sha2.h>
++#endif
+ #include <crypto/hash.h>
+ #include <crypto/algapi.h>
+ #include <crypto/aead.h>

package/qca-nss/qca-nss-cfi/patches/0002-cryptoapi-v2.0-make-ablkcipher-optional.patch

@@ -0,0 +1,116 @@
+From 26cca5006bddb0da57398452616e07ee7b11edb1 Mon Sep 17 00:00:00 2001
+From: Robert Marko <robimarko@gmail.com>
+Date: Sun, 22 Jan 2023 22:01:34 +0100
+Subject: [PATCH 2/5] cryptoapi: v2.0: make ablkcipher optional
+
+albkcipher has been removed from the kernel in v5.5, so until it has been
+converted to skcipher, lets make it optional to at least have hashes
+working.
+
+Signed-off-by: Robert Marko <robimarko@gmail.com>
+---
+ cryptoapi/v2.0/Makefile                |  3 +++
+ cryptoapi/v2.0/nss_cryptoapi.c         | 10 ++++++++++
+ cryptoapi/v2.0/nss_cryptoapi_private.h |  2 ++
+ 3 files changed, 15 insertions(+)
+
+--- a/cryptoapi/v2.0/Makefile
++++ b/cryptoapi/v2.0/Makefile
+@@ -5,7 +5,10 @@ NSS_CRYPTOAPI_MOD_NAME=qca-nss-cfi-crypt
+ obj-m += $(NSS_CRYPTOAPI_MOD_NAME).o
+ $(NSS_CRYPTOAPI_MOD_NAME)-objs = nss_cryptoapi.o
+ $(NSS_CRYPTOAPI_MOD_NAME)-objs += nss_cryptoapi_aead.o
++ifneq "$(NSS_CRYPTOAPI_ABLK)" "n"
+ $(NSS_CRYPTOAPI_MOD_NAME)-objs += nss_cryptoapi_ablk.o
++ccflags-y += -DNSS_CRYPTOAPI_ABLK
++endif
+ $(NSS_CRYPTOAPI_MOD_NAME)-objs += nss_cryptoapi_ahash.o
+ 
+ obj ?= .
+--- a/cryptoapi/v2.0/nss_cryptoapi.c
++++ b/cryptoapi/v2.0/nss_cryptoapi.c
+@@ -1367,6 +1367,7 @@ struct aead_alg cryptoapi_aead_algs[] =
+ /*
+  * ABLK cipher algorithms
+  */
++#if defined(NSS_CRYPTOAPI_ABLK)
+ static struct crypto_alg cryptoapi_ablkcipher_algs[] = {
+ 	{
+ 		.cra_name = "cbc(aes)",
+@@ -1466,6 +1467,7 @@ static struct crypto_alg cryptoapi_ablkc
+ 		},
+ 	}
+ };
++#endif
+ 
+ /*
+  * AHASH algorithms
+@@ -2189,7 +2191,9 @@ void nss_cryptoapi_add_ctx2debugfs(struc
+  */
+ void nss_cryptoapi_attach_user(void *app_data, struct nss_crypto_user *user)
+ {
++#if defined(NSS_CRYPTOAPI_ABLK)
+ 	struct crypto_alg *ablk = cryptoapi_ablkcipher_algs;
++#endif
+ 	struct aead_alg *aead = cryptoapi_aead_algs;
+ 	struct ahash_alg *ahash = cryptoapi_ahash_algs;
+ 	struct nss_cryptoapi *sc = app_data;
+@@ -2212,6 +2216,7 @@ void nss_cryptoapi_attach_user(void *app
+ 		      g_cryptoapi.user = user;
+ 	}
+ 
++#if defined(NSS_CRYPTOAPI_ABLK)
+ 	for (i = 0; enable_ablk && (i < ARRAY_SIZE(cryptoapi_ablkcipher_algs)); i++, ablk++) {
+ 		info = nss_cryptoapi_cra_name_lookup(ablk->cra_name);
+ 		if(!info || !nss_crypto_algo_is_supp(info->algo))
+@@ -2222,6 +2227,7 @@ void nss_cryptoapi_attach_user(void *app
+ 			ablk->cra_flags = 0;
+ 		}
+ 	}
++#endif
+ 
+ 	for (i = 0; enable_aead && (i < ARRAY_SIZE(cryptoapi_aead_algs)); i++, aead++) {
+ 		info = nss_cryptoapi_cra_name_lookup(aead->base.cra_name);
+@@ -2257,7 +2263,9 @@ void nss_cryptoapi_attach_user(void *app
+  */
+ void nss_cryptoapi_detach_user(void *app_data, struct nss_crypto_user *user)
+ {
++#if defined(NSS_CRYPTOAPI_ABLK)
+ 	struct crypto_alg *ablk = cryptoapi_ablkcipher_algs;
++#endif
+ 	struct aead_alg *aead = cryptoapi_aead_algs;
+ 	struct ahash_alg *ahash = cryptoapi_ahash_algs;
+ 	struct nss_cryptoapi *sc = app_data;
+@@ -2270,6 +2278,7 @@ void nss_cryptoapi_detach_user(void *app
+ 	 */
+ 	atomic_set(&g_cryptoapi.registered, 0);
+ 
++#if defined(NSS_CRYPTOAPI_ABLK)
+ 	for (i = 0; enable_ablk && (i < ARRAY_SIZE(cryptoapi_ablkcipher_algs)); i++, ablk++) {
+ 		if (!ablk->cra_flags)
+ 			continue;
+@@ -2277,6 +2286,7 @@ void nss_cryptoapi_detach_user(void *app
+ 		crypto_unregister_alg(ablk);
+ 		nss_cfi_info("%px: ABLK unregister succeeded, algo: %s\n", sc, ablk->cra_name);
+ 	}
++#endif
+ 
+ 	for (i = 0; enable_aead && (i < ARRAY_SIZE(cryptoapi_aead_algs)); i++, aead++) {
+ 		if (!aead->base.cra_flags)
+--- a/cryptoapi/v2.0/nss_cryptoapi_private.h
++++ b/cryptoapi/v2.0/nss_cryptoapi_private.h
+@@ -250,12 +250,14 @@ extern void nss_cryptoapi_aead_tx_proc(s
+ /*
+  * ABLKCIPHER
+  */
++#if defined(NSS_CRYPTOAPI_ABLK)
+ extern int nss_cryptoapi_ablkcipher_init(struct crypto_tfm *tfm);
+ extern void nss_cryptoapi_ablkcipher_exit(struct crypto_tfm *tfm);
+ extern int nss_cryptoapi_ablk_setkey(struct crypto_ablkcipher *cipher, const u8 *key, unsigned int len);
+ extern int nss_cryptoapi_ablk_encrypt(struct ablkcipher_request *req);
+ extern int nss_cryptoapi_ablk_decrypt(struct ablkcipher_request *req);
+ extern void nss_cryptoapi_copy_iv(struct nss_cryptoapi_ctx *ctx, struct scatterlist *sg, uint8_t *iv, uint8_t iv_len);
++#endif
+ 
+ /*
+  * AHASH

package/qca-nss/qca-nss-cfi/patches/0003-cryptoapi-v2.0-remove-setting-crypto_ahash_type-for-.patch

@@ -0,0 +1,137 @@
+From 797b5166783cda0886038ffb22f5386b9363a961 Mon Sep 17 00:00:00 2001
+From: Robert Marko <robimarko@gmail.com>
+Date: Sun, 22 Jan 2023 22:08:27 +0100
+Subject: [PATCH 3/5] cryptoapi: v2.0: remove setting crypto_ahash_type for
+ newer kernels
+
+Upstream has stopped exporting crypto_ahash_type and removed setting it
+on ahash algos since v4.19 as its easily identifiable by the struct type
+and its being set in the core directly, so lets do the same.
+
+Signed-off-by: Robert Marko <robimarko@gmail.com>
+---
+ cryptoapi/v2.0/nss_cryptoapi.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+--- a/cryptoapi/v2.0/nss_cryptoapi.c
++++ b/cryptoapi/v2.0/nss_cryptoapi.c
+@@ -1495,7 +1495,9 @@ static struct ahash_alg cryptoapi_ahash_
+ 				.cra_blocksize   = MD5_HMAC_BLOCK_SIZE,
+ 				.cra_ctxsize     = sizeof(struct nss_cryptoapi_ctx),
+ 				.cra_alignmask   = 0,
++#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 0)
+ 				.cra_type        = &crypto_ahash_type,
++#endif
+ 				.cra_module      = THIS_MODULE,
+ 				.cra_init        = nss_cryptoapi_ahash_cra_init,
+ 				.cra_exit        = nss_cryptoapi_ahash_cra_exit,
+@@ -1521,7 +1523,9 @@ static struct ahash_alg cryptoapi_ahash_
+ 				.cra_blocksize   = SHA1_BLOCK_SIZE,
+ 				.cra_ctxsize     = sizeof(struct nss_cryptoapi_ctx),
+ 				.cra_alignmask   = 0,
++#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 0)
+ 				.cra_type        = &crypto_ahash_type,
++#endif
+ 				.cra_module      = THIS_MODULE,
+ 				.cra_init        = nss_cryptoapi_ahash_cra_init,
+ 				.cra_exit        = nss_cryptoapi_ahash_cra_exit,
+@@ -1547,7 +1551,9 @@ static struct ahash_alg cryptoapi_ahash_
+ 				.cra_blocksize   = SHA224_BLOCK_SIZE,
+ 				.cra_ctxsize     = sizeof(struct nss_cryptoapi_ctx),
+ 				.cra_alignmask   = 0,
++#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 0)
+ 				.cra_type        = &crypto_ahash_type,
++#endif
+ 				.cra_module      = THIS_MODULE,
+ 				.cra_init        = nss_cryptoapi_ahash_cra_init,
+ 				.cra_exit        = nss_cryptoapi_ahash_cra_exit,
+@@ -1573,7 +1579,9 @@ static struct ahash_alg cryptoapi_ahash_
+ 				.cra_blocksize   = SHA256_BLOCK_SIZE,
+ 				.cra_ctxsize     = sizeof(struct nss_cryptoapi_ctx),
+ 				.cra_alignmask   = 0,
++#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 0)
+ 				.cra_type        = &crypto_ahash_type,
++#endif
+ 				.cra_module      = THIS_MODULE,
+ 				.cra_init        = nss_cryptoapi_ahash_cra_init,
+ 				.cra_exit        = nss_cryptoapi_ahash_cra_exit,
+@@ -1599,7 +1607,9 @@ static struct ahash_alg cryptoapi_ahash_
+ 				.cra_blocksize   = SHA384_BLOCK_SIZE,
+ 				.cra_ctxsize     = sizeof(struct nss_cryptoapi_ctx),
+ 				.cra_alignmask   = 0,
++#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 0)
+ 				.cra_type        = &crypto_ahash_type,
++#endif
+ 				.cra_module      = THIS_MODULE,
+ 				.cra_init        = nss_cryptoapi_ahash_cra_init,
+ 				.cra_exit        = nss_cryptoapi_ahash_cra_exit,
+@@ -1625,7 +1635,9 @@ static struct ahash_alg cryptoapi_ahash_
+ 				.cra_blocksize   = SHA512_BLOCK_SIZE,
+ 				.cra_ctxsize     = sizeof(struct nss_cryptoapi_ctx),
+ 				.cra_alignmask   = 0,
++#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 0)
+ 				.cra_type        = &crypto_ahash_type,
++#endif
+ 				.cra_module      = THIS_MODULE,
+ 				.cra_init        = nss_cryptoapi_ahash_cra_init,
+ 				.cra_exit        = nss_cryptoapi_ahash_cra_exit,
+@@ -1655,7 +1667,9 @@ static struct ahash_alg cryptoapi_ahash_
+ 				.cra_blocksize   = MD5_HMAC_BLOCK_SIZE,
+ 				.cra_ctxsize     = sizeof(struct nss_cryptoapi_ctx),
+ 				.cra_alignmask   = 0,
++#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 0)
+ 				.cra_type        = &crypto_ahash_type,
++#endif
+ 				.cra_module      = THIS_MODULE,
+ 				.cra_init        = nss_cryptoapi_ahash_cra_init,
+ 				.cra_exit        = nss_cryptoapi_ahash_cra_exit,
+@@ -1681,7 +1695,9 @@ static struct ahash_alg cryptoapi_ahash_
+ 				.cra_blocksize   = SHA1_BLOCK_SIZE,
+ 				.cra_ctxsize     = sizeof(struct nss_cryptoapi_ctx),
+ 				.cra_alignmask   = 0,
++#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 0)
+ 				.cra_type        = &crypto_ahash_type,
++#endif
+ 				.cra_module      = THIS_MODULE,
+ 				.cra_init        = nss_cryptoapi_ahash_cra_init,
+ 				.cra_exit        = nss_cryptoapi_ahash_cra_exit,
+@@ -1707,7 +1723,9 @@ static struct ahash_alg cryptoapi_ahash_
+ 				.cra_blocksize   = SHA224_BLOCK_SIZE,
+ 				.cra_ctxsize     = sizeof(struct nss_cryptoapi_ctx),
+ 				.cra_alignmask   = 0,
++#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 0)
+ 				.cra_type        = &crypto_ahash_type,
++#endif
+ 				.cra_module      = THIS_MODULE,
+ 				.cra_init        = nss_cryptoapi_ahash_cra_init,
+ 				.cra_exit        = nss_cryptoapi_ahash_cra_exit,
+@@ -1733,7 +1751,9 @@ static struct ahash_alg cryptoapi_ahash_
+ 				.cra_blocksize   = SHA256_BLOCK_SIZE,
+ 				.cra_ctxsize     = sizeof(struct nss_cryptoapi_ctx),
+ 				.cra_alignmask   = 0,
++#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 0)
+ 				.cra_type        = &crypto_ahash_type,
++#endif
+ 				.cra_module      = THIS_MODULE,
+ 				.cra_init        = nss_cryptoapi_ahash_cra_init,
+ 				.cra_exit        = nss_cryptoapi_ahash_cra_exit,
+@@ -1759,7 +1779,9 @@ static struct ahash_alg cryptoapi_ahash_
+ 				.cra_blocksize   = SHA384_BLOCK_SIZE,
+ 				.cra_ctxsize     = sizeof(struct nss_cryptoapi_ctx),
+ 				.cra_alignmask   = 0,
++#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 0)
+ 				.cra_type        = &crypto_ahash_type,
++#endif
+ 				.cra_module      = THIS_MODULE,
+ 				.cra_init        = nss_cryptoapi_ahash_cra_init,
+ 				.cra_exit        = nss_cryptoapi_ahash_cra_exit,
+@@ -1785,7 +1807,9 @@ static struct ahash_alg cryptoapi_ahash_
+ 				.cra_blocksize   = SHA512_BLOCK_SIZE,
+ 				.cra_ctxsize     = sizeof(struct nss_cryptoapi_ctx),
+ 				.cra_alignmask   = 0,
++#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 0)
+ 				.cra_type        = &crypto_ahash_type,
++#endif
+ 				.cra_module      = THIS_MODULE,
+ 				.cra_init        = nss_cryptoapi_ahash_cra_init,
+ 				.cra_exit        = nss_cryptoapi_ahash_cra_exit,

package/qca-nss/qca-nss-cfi/patches/0004-cryptoapi-v2.0-aead-add-downstream-crypto_tfm_alg_fl.patch

@@ -0,0 +1,28 @@
+From 8db77add1a794bdee8eef0a351e40bf1cdf6dfa9 Mon Sep 17 00:00:00 2001
+From: Robert Marko <robimarko@gmail.com>
+Date: Sun, 22 Jan 2023 22:09:51 +0100
+Subject: [PATCH 4/5] cryptoapi: v2.0: aead: add downstream
+ crypto_tfm_alg_flags
+
+crypto_tfm_alg_flags newer made it upstream, but as a temporary stopgap
+until a better solution is figured out lets add it.
+
+Signed-off-by: Robert Marko <robimarko@gmail.com>
+---
+ cryptoapi/v2.0/nss_cryptoapi_aead.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/cryptoapi/v2.0/nss_cryptoapi_aead.c
++++ b/cryptoapi/v2.0/nss_cryptoapi_aead.c
+@@ -61,6 +61,11 @@
+ #include <nss_cryptoapi.h>
+ #include "nss_cryptoapi_private.h"
+ 
++static inline u32 crypto_tfm_alg_flags(struct crypto_tfm *tfm)
++{
++	return tfm->__crt_alg->cra_flags & ~CRYPTO_ALG_TYPE_MASK;
++}
++
+ /*
+  * nss_cryptoapi_aead_ctx2session()
+  *	Cryptoapi function to get the session ID for an AEAD

package/qca-nss/qca-nss-cfi/patches/0005-cryptoapi-v2.0-remove-dropped-flags.patch

@@ -0,0 +1,97 @@
+From 62bbb188e1a72d28916e1eca31f4cb9fbbf51cd1 Mon Sep 17 00:00:00 2001
+From: Robert Marko <robimarko@gmail.com>
+Date: Sun, 22 Jan 2023 22:11:06 +0100
+Subject: [PATCH 5/5] cryptoapi: v2.0: remove dropped flags
+
+Upstream has dropped these flags as there was no use for them, so lets do
+the same.
+
+Signed-off-by: Robert Marko <robimarko@gmail.com>
+---
+ cryptoapi/v2.0/nss_cryptoapi_aead.c  | 6 ------
+ cryptoapi/v2.0/nss_cryptoapi_ahash.c | 4 ----
+ 2 files changed, 10 deletions(-)
+
+--- a/cryptoapi/v2.0/nss_cryptoapi_aead.c
++++ b/cryptoapi/v2.0/nss_cryptoapi_aead.c
+@@ -207,7 +207,6 @@ int nss_cryptoapi_aead_setkey_noauth(str
+ 	ctx->info = nss_cryptoapi_cra_name2info(crypto_tfm_alg_name(tfm), keylen, 0);
+ 	if (!ctx->info) {
+ 		nss_cfi_err("%px: Unable to find algorithm with keylen\n", ctx);
+-		crypto_aead_set_flags(aead, CRYPTO_TFM_RES_BAD_KEY_LEN);
+ 		return -ENOENT;
+ 	}
+ 
+@@ -239,7 +238,6 @@ int nss_cryptoapi_aead_setkey_noauth(str
+ 	status = nss_crypto_session_alloc(ctx->user, &data, &ctx->sid);
+ 	if (status < 0) {
+ 		nss_cfi_err("%px: Unable to allocate crypto session(%d)\n", ctx, status);
+-		crypto_aead_set_flags(aead, CRYPTO_TFM_RES_BAD_FLAGS);
+ 		return status;
+ 	}
+ 
+@@ -271,14 +269,12 @@ int nss_cryptoapi_aead_setkey(struct cry
+ 	 */
+ 	if (crypto_authenc_extractkeys(&keys, key, keylen) != 0) {
+ 		nss_cfi_err("%px: Unable to extract keys\n", ctx);
+-		crypto_aead_set_flags(aead, CRYPTO_TFM_RES_BAD_KEY_LEN);
+ 		return -EIO;
+ 	}
+ 
+ 	ctx->info = nss_cryptoapi_cra_name2info(crypto_tfm_alg_name(tfm), keys.enckeylen, crypto_aead_maxauthsize(aead));
+ 	if (!ctx->info) {
+ 		nss_cfi_err("%px: Unable to find algorithm with keylen\n", ctx);
+-		crypto_aead_set_flags(aead, CRYPTO_TFM_RES_BAD_KEY_LEN);
+ 		return -ENOENT;
+ 	}
+ 
+@@ -299,7 +295,6 @@ int nss_cryptoapi_aead_setkey(struct cry
+ 	 */
+ 	if (keys.authkeylen > ctx->info->auth_blocksize) {
+ 		nss_cfi_err("%px: Auth keylen(%d) exceeds supported\n", ctx, keys.authkeylen);
+-		crypto_aead_set_flags(aead, CRYPTO_TFM_RES_BAD_KEY_LEN);
+ 		return -EINVAL;
+ 	}
+ 
+@@ -342,7 +337,6 @@ int nss_cryptoapi_aead_setkey(struct cry
+ 	status = nss_crypto_session_alloc(ctx->user, &data, &ctx->sid);
+ 	if (status < 0) {
+ 		nss_cfi_err("%px: Unable to allocate crypto session(%d)\n", ctx, status);
+-		crypto_aead_set_flags(aead, CRYPTO_TFM_RES_BAD_FLAGS);
+ 		return status;
+ 	}
+ 
+--- a/cryptoapi/v2.0/nss_cryptoapi_ahash.c
++++ b/cryptoapi/v2.0/nss_cryptoapi_ahash.c
+@@ -192,7 +192,6 @@ int nss_cryptoapi_ahash_setkey(struct cr
+ 
+ 	ctx->info = nss_cryptoapi_cra_name2info(crypto_tfm_alg_name(tfm), 0, crypto_ahash_digestsize(ahash));
+ 	if (!ctx->info) {
+-		crypto_ahash_set_flags(ahash, CRYPTO_TFM_RES_BAD_KEY_LEN);
+ 		return -EINVAL;
+ 	}
+ 
+@@ -215,7 +214,6 @@ int nss_cryptoapi_ahash_setkey(struct cr
+ 	status = nss_crypto_session_alloc(ctx->user, &data, &ctx->sid);
+ 	if (status < 0) {
+ 		nss_cfi_warn("%px: Unable to allocate crypto session(%d)\n", ctx, status);
+-		crypto_ahash_set_flags(ahash, CRYPTO_TFM_RES_BAD_FLAGS);
+ 		return status;
+ 	}
+ 
+@@ -299,7 +297,6 @@ int nss_cryptoapi_ahash_init(struct ahas
+ 		 */
+ 		ctx->info = nss_cryptoapi_cra_name2info(crypto_tfm_alg_name(tfm), 0, 0);
+ 		if (!ctx->info) {
+-			crypto_ahash_set_flags(ahash, CRYPTO_TFM_RES_BAD_KEY_LEN);
+ 			return -EINVAL;
+ 		}
+ 
+@@ -314,7 +311,6 @@ int nss_cryptoapi_ahash_init(struct ahas
+ 		status = nss_crypto_session_alloc(ctx->user, &data, &ctx->sid);
+ 		if (status < 0) {
+ 			nss_cfi_err("%px: Unable to allocate crypto session(%d)\n", ctx, status);
+-			crypto_ahash_set_flags(ahash, CRYPTO_TFM_RES_BAD_FLAGS);
+ 			return status;
+ 		}
+ 

package/qca-nss/qca-nss-cfi/patches/0007-compile-only-cryptoapi.patch

@@ -0,0 +1,32 @@
+From a8a573c5ce83bdddca9a60c62161638a5fd906d4 Mon Sep 17 00:00:00 2001
+From: Ansuel Smith <ansuelsmth@gmail.com>
+Date: Sat, 13 Jun 2020 12:57:14 +0200
+Subject: [PATCH 1/3] compile only cryptoapi
+
+---
+ Makefile | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/Makefile
++++ b/Makefile
+@@ -4,14 +4,12 @@
+ 
+ export BUILD_ID = \"Build Id: $(shell date +'%m/%d/%y, %H:%M:%S')\"
+ 
+-ifneq (,$(filter $(ocf), y))
+-obj-m += $(CFI_OCF_DIR)/
+-endif
++# ifneq (,$(filter $(ocf), y))
++# obj-m += $(CFI_OCF_DIR)/
++# endif
+ 
+-ifneq (,$(filter $(cryptoapi), y))
+ obj-m += $(CFI_CRYPTOAPI_DIR)/
+-endif
+ 
+-ifeq ($(SoC),$(filter $(SoC),ipq806x))
+-obj-m += $(CFI_IPSEC_DIR)/
+-endif
++# ifeq ($(SoC),$(filter $(SoC),ipq806x))
++# obj-m += $(CFI_IPSEC_DIR)/
++# endif

package/qca-nss/qca-nss-cfi/patches/0008-cryptoapi-v1.1-support-5.4.patch

@@ -0,0 +1,69 @@
+From 202f57bae49947a04301ac8ac9bdc00f28f09355 Mon Sep 17 00:00:00 2001
+From: Ansuel Smith <ansuelsmth@gmail.com>
+Date: Sat, 13 Jun 2020 12:58:26 +0200
+Subject: [PATCH 2/3] wip: support 5.4
+
+---
+ cryptoapi/v1.1/nss_cryptoapi.c      |  1 -
+ cryptoapi/v1.1/nss_cryptoapi_ablk.c | 12 ++++++------
+ cryptoapi/v1.1/nss_cryptoapi_aead.c |  2 +-
+ 3 files changed, 7 insertions(+), 8 deletions(-)
+
+--- a/cryptoapi/v1.1/nss_cryptoapi.c
++++ b/cryptoapi/v1.1/nss_cryptoapi.c
+@@ -231,7 +231,6 @@ static struct crypto_alg cryptoapi_ablkc
+ 		.cra_u          = {
+ 			.ablkcipher = {
+ 				.ivsize         = CTR_RFC3686_IV_SIZE,
+-				.geniv          = "seqiv",
+ 				.min_keysize    = AES_MIN_KEY_SIZE + CTR_RFC3686_NONCE_SIZE,
+ 				.max_keysize    = AES_MAX_KEY_SIZE + CTR_RFC3686_NONCE_SIZE,
+ 				.setkey         = nss_cryptoapi_ablk_aes_setkey,
+--- a/cryptoapi/v1.1/nss_cryptoapi_ablk.c
++++ b/cryptoapi/v1.1/nss_cryptoapi_ablk.c
+@@ -108,7 +108,7 @@ EXPORT_SYMBOL(nss_cryptoapi_skcipher_ctx
+ int nss_cryptoapi_ablkcipher_init(struct crypto_tfm *tfm)
+ {
+ 	struct nss_cryptoapi_ctx *ctx = crypto_tfm_ctx(tfm);
+-	struct crypto_ablkcipher *sw_tfm;
++	struct crypto_cipher *sw_tfm;
+ 
+ 	nss_cfi_assert(ctx);
+ 
+@@ -122,20 +122,20 @@ int nss_cryptoapi_ablkcipher_init(struct
+ 
+ 	nss_cryptoapi_set_magic(ctx);
+ 
+-	if (!(crypto_tfm_alg_flags(tfm) & CRYPTO_ALG_NEED_FALLBACK))
++	if (!(crypto_tfm_alg_type(tfm) & CRYPTO_ALG_NEED_FALLBACK))
+ 		return 0;
+ 
+ 	/* Alloc fallback transform for future use */
+-	sw_tfm = crypto_alloc_ablkcipher(crypto_tfm_alg_name(tfm), 0, CRYPTO_ALG_ASYNC |
+-									CRYPTO_ALG_NEED_FALLBACK);
++	sw_tfm = crypto_alloc_cipher(crypto_tfm_alg_name(tfm), 0, CRYPTO_ALG_ASYNC |
++ 									CRYPTO_ALG_NEED_FALLBACK);
+ 	if (IS_ERR(sw_tfm)) {
+ 		nss_cfi_err("unable to alloc software crypto for %s\n", crypto_tfm_alg_name(tfm));
+ 		return -EINVAL;
+ 	}
+ 
+ 	/* set this tfm reqsize same to fallback tfm */
+-	tfm->crt_ablkcipher.reqsize = crypto_ablkcipher_reqsize(sw_tfm);
+-	ctx->sw_tfm = crypto_ablkcipher_tfm(sw_tfm);
++	tfm->crt_ablkcipher.reqsize = sizeof(struct nss_cryptoapi_ctx);
++	ctx->sw_tfm = crypto_cipher_tfm(sw_tfm);
+ 
+ 	return 0;
+ }
+--- a/cryptoapi/v1.1/nss_cryptoapi_aead.c
++++ b/cryptoapi/v1.1/nss_cryptoapi_aead.c
+@@ -103,7 +103,7 @@ int nss_cryptoapi_aead_init(struct crypt
+ 
+ 	nss_cryptoapi_set_magic(ctx);
+ 
+-	if (!(crypto_tfm_alg_flags(tfm) & CRYPTO_ALG_NEED_FALLBACK))
++	if (!(crypto_tfm_alg_type(tfm) & CRYPTO_ALG_NEED_FALLBACK))
+ 		return 0;
+ 
+ 	/* Alloc fallback transform for future use */

package/qca-nss/qca-nss-cfi/patches/0009-cryptoapi-v1.1-convert-to-skcipher.patch

@@ -0,0 +1,696 @@
+From e3a53a6d11b2c1770545a2820a58c117799bcb70 Mon Sep 17 00:00:00 2001
+From: Ansuel Smith <ansuelsmth@gmail.com>
+Date: Tue, 16 Jun 2020 18:12:34 +0200
+Subject: [PATCH 3/3] Convert ablkcipher to skcipher
+
+---
+ cryptoapi/v1.1/nss_cryptoapi.c         | 149 +++++++++++--------------
+ cryptoapi/v1.1/nss_cryptoapi_ablk.c    | 136 +++++++++++-----------
+ cryptoapi/v1.1/nss_cryptoapi_debugfs.c |   1 +
+ cryptoapi/v1.1/nss_cryptoapi_private.h |  16 +--
+ 4 files changed, 145 insertions(+), 157 deletions(-)
+
+--- a/cryptoapi/v1.1/nss_cryptoapi.c
++++ b/cryptoapi/v1.1/nss_cryptoapi.c
+@@ -66,7 +66,7 @@ struct aead_alg cryptoapi_aead_algs[] =
+ 			.cra_name       = "echainiv(authenc(hmac(sha1),cbc(aes)))",
+ 			.cra_driver_name = "nss-hmac-sha1-cbc-aes",
+ 			.cra_priority   = 10000,
+-			.cra_flags      = CRYPTO_ALG_ASYNC | CRYPTO_ALG_NOSUPP_SG | CRYPTO_ALG_NEED_FALLBACK,
++			.cra_flags      = CRYPTO_ALG_ASYNC | CRYPTO_ALG_NOSUPP_SG | CRYPTO_ALG_NEED_FALLBACK | CRYPTO_ALG_KERN_DRIVER_ONLY,
+ 			.cra_blocksize  = AES_BLOCK_SIZE,
+ 			.cra_ctxsize    = sizeof(struct nss_cryptoapi_ctx),
+ 			.cra_alignmask  = 0,
+@@ -87,7 +87,7 @@ struct aead_alg cryptoapi_aead_algs[] =
+ 			.cra_name       = "seqiv(authenc(hmac(sha1),rfc3686(ctr(aes))))",
+ 			.cra_driver_name = "nss-hmac-sha1-rfc3686-ctr-aes",
+ 			.cra_priority   = 10000,
+-			.cra_flags      = CRYPTO_ALG_ASYNC | CRYPTO_ALG_NOSUPP_SG | CRYPTO_ALG_NEED_FALLBACK,
++			.cra_flags      = CRYPTO_ALG_ASYNC | CRYPTO_ALG_NOSUPP_SG | CRYPTO_ALG_NEED_FALLBACK | CRYPTO_ALG_KERN_DRIVER_ONLY,
+ 			.cra_blocksize  = AES_BLOCK_SIZE,
+ 			.cra_ctxsize    = sizeof(struct nss_cryptoapi_ctx),
+ 			.cra_alignmask  = 0,
+@@ -108,7 +108,7 @@ struct aead_alg cryptoapi_aead_algs[] =
+ 			.cra_name       = "echainiv(authenc(hmac(sha1),cbc(des3_ede)))",
+ 			.cra_driver_name = "nss-hmac-sha1-cbc-3des",
+ 			.cra_priority   = 300,
+-			.cra_flags      = CRYPTO_ALG_ASYNC | CRYPTO_ALG_NOSUPP_SG,
++			.cra_flags      = CRYPTO_ALG_ASYNC | CRYPTO_ALG_NOSUPP_SG | CRYPTO_ALG_KERN_DRIVER_ONLY,
+ 			.cra_blocksize  = DES3_EDE_BLOCK_SIZE,
+ 			.cra_ctxsize    = sizeof(struct nss_cryptoapi_ctx),
+ 			.cra_alignmask  = 0,
+@@ -129,7 +129,7 @@ struct aead_alg cryptoapi_aead_algs[] =
+ 			.cra_name       = "echainiv(authenc(hmac(sha256),cbc(aes)))",
+ 			.cra_driver_name = "nss-hmac-sha256-cbc-aes",
+ 			.cra_priority   = 10000,
+-			.cra_flags      = CRYPTO_ALG_ASYNC | CRYPTO_ALG_NOSUPP_SG | CRYPTO_ALG_NEED_FALLBACK,
++			.cra_flags      = CRYPTO_ALG_ASYNC | CRYPTO_ALG_NOSUPP_SG | CRYPTO_ALG_NEED_FALLBACK | CRYPTO_ALG_KERN_DRIVER_ONLY,
+ 			.cra_blocksize  = AES_BLOCK_SIZE,
+ 			.cra_ctxsize    = sizeof(struct nss_cryptoapi_ctx),
+ 			.cra_alignmask  = 0,
+@@ -150,7 +150,7 @@ struct aead_alg cryptoapi_aead_algs[] =
+ 			.cra_name       = "seqiv(authenc(hmac(sha256),rfc3686(ctr(aes))))",
+ 			.cra_driver_name = "nss-hmac-sha256-rfc3686-ctr-aes",
+ 			.cra_priority   = 10000,
+-			.cra_flags      = CRYPTO_ALG_ASYNC | CRYPTO_ALG_NOSUPP_SG | CRYPTO_ALG_NEED_FALLBACK,
++			.cra_flags      = CRYPTO_ALG_ASYNC | CRYPTO_ALG_NOSUPP_SG | CRYPTO_ALG_NEED_FALLBACK | CRYPTO_ALG_KERN_DRIVER_ONLY,
+ 			.cra_blocksize  = AES_BLOCK_SIZE,
+ 			.cra_ctxsize    = sizeof(struct nss_cryptoapi_ctx),
+ 			.cra_alignmask  = 0,
+@@ -171,7 +171,7 @@ struct aead_alg cryptoapi_aead_algs[] =
+ 			.cra_name       = "echainiv(authenc(hmac(sha256),cbc(des3_ede)))",
+ 			.cra_driver_name = "nss-hmac-sha256-cbc-3des",
+ 			.cra_priority   = 300,
+-			.cra_flags      = CRYPTO_ALG_ASYNC | CRYPTO_ALG_NOSUPP_SG,
++			.cra_flags      = CRYPTO_ALG_ASYNC | CRYPTO_ALG_NOSUPP_SG | CRYPTO_ALG_KERN_DRIVER_ONLY,
+ 			.cra_blocksize  = DES3_EDE_BLOCK_SIZE,
+ 			.cra_ctxsize    = sizeof(struct nss_cryptoapi_ctx),
+ 			.cra_alignmask  = 0,
+@@ -192,75 +192,66 @@ struct aead_alg cryptoapi_aead_algs[] =
+ /*
+  * ABLK cipher algorithms
+  */
+-static struct crypto_alg cryptoapi_ablkcipher_algs[] = {
++static struct skcipher_alg cryptoapi_skcipher_algs[] = {
+ 	{
+-		.cra_name       = "cbc(aes)",
+-		.cra_driver_name = "nss-cbc-aes",
+-		.cra_priority   = 10000,
+-		.cra_flags      = CRYPTO_ALG_TYPE_ABLKCIPHER | CRYPTO_ALG_NOSUPP_SG | CRYPTO_ALG_ASYNC | CRYPTO_ALG_NEED_FALLBACK,
+-		.cra_blocksize  = AES_BLOCK_SIZE,
+-		.cra_ctxsize    = sizeof(struct nss_cryptoapi_ctx),
+-		.cra_alignmask  = 0,
+-		.cra_type       = &crypto_ablkcipher_type,
+-		.cra_module     = THIS_MODULE,
+-		.cra_init       = nss_cryptoapi_ablkcipher_init,
+-		.cra_exit       = nss_cryptoapi_ablkcipher_exit,
+-		.cra_u          = {
+-			.ablkcipher = {
+-				.ivsize         = AES_BLOCK_SIZE,
+-				.min_keysize    = AES_MIN_KEY_SIZE,
+-				.max_keysize    = AES_MAX_KEY_SIZE,
+-				.setkey         = nss_cryptoapi_ablk_aes_setkey,
+-				.encrypt        = nss_cryptoapi_ablk_aes_encrypt,
+-				.decrypt        = nss_cryptoapi_ablk_aes_decrypt,
+-			},
++		.base = {
++			.cra_name       = "cbc(aes)",
++			.cra_driver_name = "nss-cbc-aes",
++			.cra_priority   = 10000,
++			.cra_flags      = CRYPTO_ALG_TYPE_SKCIPHER | CRYPTO_ALG_NOSUPP_SG | CRYPTO_ALG_ASYNC | CRYPTO_ALG_NEED_FALLBACK | CRYPTO_ALG_KERN_DRIVER_ONLY,
++			.cra_blocksize  = AES_BLOCK_SIZE,
++			.cra_ctxsize    = sizeof(struct nss_cryptoapi_ctx),
++			.cra_alignmask  = 0,
++			.cra_module     = THIS_MODULE,
+ 		},
++		.init       = nss_cryptoapi_skcipher_init,
++		.exit       = nss_cryptoapi_skcipher_exit,
++		.ivsize         = AES_BLOCK_SIZE,
++		.min_keysize    = AES_MIN_KEY_SIZE,
++		.max_keysize    = AES_MAX_KEY_SIZE,
++		.setkey         = nss_cryptoapi_ablk_aes_setkey,
++		.encrypt        = nss_cryptoapi_ablk_aes_encrypt,
++		.decrypt        = nss_cryptoapi_ablk_aes_decrypt,
+ 	},
+ 	{
+-		.cra_name       = "rfc3686(ctr(aes))",
+-		.cra_driver_name = "nss-rfc3686-ctr-aes",
+-		.cra_priority   = 30000,
+-		.cra_flags      = CRYPTO_ALG_TYPE_ABLKCIPHER | CRYPTO_ALG_NOSUPP_SG | CRYPTO_ALG_ASYNC | CRYPTO_ALG_NEED_FALLBACK,
+-		.cra_blocksize  = AES_BLOCK_SIZE,
+-		.cra_ctxsize    = sizeof(struct nss_cryptoapi_ctx),
+-		.cra_alignmask  = 0,
+-		.cra_type       = &crypto_ablkcipher_type,
+-		.cra_module     = THIS_MODULE,
+-		.cra_init       = nss_cryptoapi_ablkcipher_init,
+-		.cra_exit       = nss_cryptoapi_ablkcipher_exit,
+-		.cra_u          = {
+-			.ablkcipher = {
+-				.ivsize         = CTR_RFC3686_IV_SIZE,
+-				.min_keysize    = AES_MIN_KEY_SIZE + CTR_RFC3686_NONCE_SIZE,
+-				.max_keysize    = AES_MAX_KEY_SIZE + CTR_RFC3686_NONCE_SIZE,
+-				.setkey         = nss_cryptoapi_ablk_aes_setkey,
+-				.encrypt        = nss_cryptoapi_ablk_aes_encrypt,
+-				.decrypt        = nss_cryptoapi_ablk_aes_decrypt,
+-			},
++		.base = {
++			.cra_name       = "rfc3686(ctr(aes))",
++			.cra_driver_name = "nss-rfc3686-ctr-aes",
++			.cra_priority   = 30000,
++			.cra_flags      = CRYPTO_ALG_TYPE_SKCIPHER | CRYPTO_ALG_NOSUPP_SG | CRYPTO_ALG_ASYNC | CRYPTO_ALG_NEED_FALLBACK | CRYPTO_ALG_KERN_DRIVER_ONLY,
++			.cra_blocksize  = AES_BLOCK_SIZE,
++			.cra_ctxsize    = sizeof(struct nss_cryptoapi_ctx),
++			.cra_alignmask  = 0,
++			.cra_module     = THIS_MODULE,
+ 		},
++		.init       = nss_cryptoapi_skcipher_init,
++		.exit       = nss_cryptoapi_skcipher_exit,
++		.ivsize         = CTR_RFC3686_IV_SIZE,
++		.min_keysize    = AES_MIN_KEY_SIZE + CTR_RFC3686_NONCE_SIZE,
++		.max_keysize    = AES_MAX_KEY_SIZE + CTR_RFC3686_NONCE_SIZE,
++		.setkey         = nss_cryptoapi_ablk_aes_setkey,
++		.encrypt        = nss_cryptoapi_ablk_aes_encrypt,
++		.decrypt        = nss_cryptoapi_ablk_aes_decrypt,
+ 	},
+ 	{
+-		.cra_name       = "cbc(des3_ede)",
+-		.cra_driver_name = "nss-cbc-3des",
+-		.cra_priority   = 1000,
+-		.cra_flags      = CRYPTO_ALG_TYPE_ABLKCIPHER | CRYPTO_ALG_NOSUPP_SG | CRYPTO_ALG_ASYNC,
+-		.cra_blocksize  = DES3_EDE_BLOCK_SIZE,
+-		.cra_ctxsize    = sizeof(struct nss_cryptoapi_ctx),
+-		.cra_alignmask  = 0,
+-		.cra_type       = &crypto_ablkcipher_type,
+-		.cra_module     = THIS_MODULE,
+-		.cra_init       = nss_cryptoapi_ablkcipher_init,
+-		.cra_exit       = nss_cryptoapi_ablkcipher_exit,
+-		.cra_u          = {
+-			.ablkcipher = {
+-				.ivsize         = DES3_EDE_BLOCK_SIZE,
+-				.min_keysize    = DES3_EDE_KEY_SIZE,
+-				.max_keysize    = DES3_EDE_KEY_SIZE,
+-				.setkey         = nss_cryptoapi_3des_cbc_setkey,
+-				.encrypt        = nss_cryptoapi_3des_cbc_encrypt,
+-				.decrypt        = nss_cryptoapi_3des_cbc_decrypt,
+-			},
++		.base = {
++			.cra_name       = "cbc(des3_ede)",
++			.cra_driver_name = "nss-cbc-3des",
++			.cra_priority   = 1000,
++			.cra_flags      = CRYPTO_ALG_TYPE_SKCIPHER | CRYPTO_ALG_NOSUPP_SG | CRYPTO_ALG_ASYNC | CRYPTO_ALG_KERN_DRIVER_ONLY,
++			.cra_blocksize  = DES3_EDE_BLOCK_SIZE,
++			.cra_ctxsize    = sizeof(struct nss_cryptoapi_ctx),
++			.cra_alignmask  = 0,
++			.cra_module     = THIS_MODULE,
+ 		},
++		.init       = nss_cryptoapi_skcipher_init,
++		.exit       = nss_cryptoapi_skcipher_exit,
++		.ivsize         = DES3_EDE_BLOCK_SIZE,
++		.min_keysize    = DES3_EDE_KEY_SIZE,
++		.max_keysize    = DES3_EDE_KEY_SIZE,
++		.setkey         = nss_cryptoapi_3des_cbc_setkey,
++		.encrypt        = nss_cryptoapi_3des_cbc_encrypt,
++		.decrypt        = nss_cryptoapi_3des_cbc_decrypt,
+ 	},
+ };
+ 
+@@ -277,14 +268,14 @@ static nss_crypto_user_ctx_t nss_cryptoa
+ 
+ 	sc->crypto = crypto;
+ 
+-	for (i = 0; i < ARRAY_SIZE(cryptoapi_ablkcipher_algs); i++) {
+-		rc = crypto_register_alg(&cryptoapi_ablkcipher_algs[i]);
++	for (i = 0; i < ARRAY_SIZE(cryptoapi_skcipher_algs); i++) {
++		rc = crypto_register_skcipher(&cryptoapi_skcipher_algs[i]);
+ 		if (rc) {
+-			nss_cfi_trace("Ablk registration failed, algo: %s\n", cryptoapi_ablkcipher_algs[i].cra_name);
+-			cryptoapi_ablkcipher_algs[i].cra_flags = 0;
++			nss_cfi_trace("Ablk registration failed, algo: %s\n", cryptoapi_skcipher_algs[i].base.cra_name);
++			cryptoapi_skcipher_algs[i].base.cra_flags = 0;
+ 			continue;
+ 		}
+-		nss_cfi_info("Ablk registration succeeded, algo: %s\n", cryptoapi_ablkcipher_algs[i].cra_name);
++		nss_cfi_info("Ablk registration succeeded, algo: %s\n", cryptoapi_skcipher_algs[i].base.cra_name);
+ 	}
+ 
+ 	for (i = 0; i < ARRAY_SIZE(cryptoapi_aead_algs); i++) {
+@@ -317,7 +308,7 @@ static nss_crypto_user_ctx_t nss_cryptoa
+ static void nss_cryptoapi_unregister(nss_crypto_user_ctx_t cfi)
+ {
+ 	struct nss_cryptoapi *sc = &gbl_ctx;
+-	int i, ret = 0;
++	int i;
+ 
+ 	nss_cfi_info("unregister nss_cryptoapi\n");
+ 
+@@ -326,16 +317,12 @@ static void nss_cryptoapi_unregister(nss
+ 	 */
+ 	atomic_set(&gbl_ctx.registered, 0);
+ 
+-	for (i = 0; i < ARRAY_SIZE(cryptoapi_ablkcipher_algs); i++) {
+-		if (!cryptoapi_ablkcipher_algs[i].cra_flags) {
+-			continue;
+-		}
+-		ret = crypto_unregister_alg(&cryptoapi_ablkcipher_algs[i]);
+-		if (ret) {
+-			nss_cfi_err("Ablk unregister failed, algo: %s\n", cryptoapi_ablkcipher_algs[i].cra_name);
++	for (i = 0; i < ARRAY_SIZE(cryptoapi_skcipher_algs); i++) {
++		if (!cryptoapi_skcipher_algs[i].base.cra_flags) {
+ 			continue;
+ 		}
+-		nss_cfi_info("Ablk unregister succeeded, algo: %s\n", cryptoapi_ablkcipher_algs[i].cra_name);
++		crypto_unregister_skcipher(&cryptoapi_skcipher_algs[i]);
++		nss_cfi_info("Ablk unregister succeeded, algo: %s\n", cryptoapi_skcipher_algs[i].base.cra_name);
+ 	}
+ 
+ 	for (i = 0; i < ARRAY_SIZE(cryptoapi_aead_algs); i++) {
+--- a/cryptoapi/v1.1/nss_cryptoapi_ablk.c
++++ b/cryptoapi/v1.1/nss_cryptoapi_ablk.c
+@@ -102,12 +102,12 @@ int nss_cryptoapi_skcipher_ctx2session(s
+ EXPORT_SYMBOL(nss_cryptoapi_skcipher_ctx2session);
+ 
+ /*
+- * nss_cryptoapi_ablkcipher_init()
+- * 	Cryptoapi ablkcipher init function.
++ * nss_cryptoapi_skcipher_init()
++ * 	Cryptoapi skcipher init function.
+  */
+-int nss_cryptoapi_ablkcipher_init(struct crypto_tfm *tfm)
++int nss_cryptoapi_skcipher_init(struct crypto_skcipher  *tfm)
+ {
+-	struct nss_cryptoapi_ctx *ctx = crypto_tfm_ctx(tfm);
++	struct nss_cryptoapi_ctx *ctx = crypto_skcipher_ctx(tfm);
+ 	struct crypto_cipher *sw_tfm;
+ 
+ 	nss_cfi_assert(ctx);
+@@ -122,31 +122,31 @@ int nss_cryptoapi_ablkcipher_init(struct
+ 
+ 	nss_cryptoapi_set_magic(ctx);
+ 
+-	if (!(crypto_tfm_alg_type(tfm) & CRYPTO_ALG_NEED_FALLBACK))
++	if (!(crypto_tfm_alg_type(&tfm->base) & CRYPTO_ALG_NEED_FALLBACK))
+ 		return 0;
+ 
+ 	/* Alloc fallback transform for future use */
+-	sw_tfm = crypto_alloc_cipher(crypto_tfm_alg_name(tfm), 0, CRYPTO_ALG_ASYNC |
++	sw_tfm = crypto_alloc_cipher(crypto_tfm_alg_name(&tfm->base), 0, CRYPTO_ALG_ASYNC |
+  									CRYPTO_ALG_NEED_FALLBACK);
+ 	if (IS_ERR(sw_tfm)) {
+-		nss_cfi_err("unable to alloc software crypto for %s\n", crypto_tfm_alg_name(tfm));
++		nss_cfi_err("unable to alloc software crypto for %s\n", crypto_tfm_alg_name(&tfm->base));
+ 		return -EINVAL;
+ 	}
+ 
+ 	/* set this tfm reqsize same to fallback tfm */
+-	tfm->crt_ablkcipher.reqsize = sizeof(struct nss_cryptoapi_ctx);
++	crypto_skcipher_set_reqsize(tfm, sizeof(struct nss_cryptoapi_ctx));
+ 	ctx->sw_tfm = crypto_cipher_tfm(sw_tfm);
+ 
+ 	return 0;
+ }
+ 
+ /*
+- * nss_cryptoapi_ablkcipher_exit()
+- * 	Cryptoapi ablkcipher exit function.
++ * nss_cryptoapi_skcipher_exit()
++ * 	Cryptoapi skcipher exit function.
+  */
+-void nss_cryptoapi_ablkcipher_exit(struct crypto_tfm *tfm)
++void nss_cryptoapi_skcipher_exit(struct crypto_skcipher *tfm)
+ {
+-	struct nss_cryptoapi_ctx *ctx = crypto_tfm_ctx(tfm);
++	struct nss_cryptoapi_ctx *ctx = crypto_skcipher_ctx(tfm);
+ 	struct nss_cryptoapi *sc = &gbl_ctx;
+ 	nss_crypto_status_t status;
+ 
+@@ -158,7 +158,7 @@ void nss_cryptoapi_ablkcipher_exit(struc
+ 	}
+ 
+ 	if (ctx->sw_tfm) {
+-		crypto_free_ablkcipher(__crypto_ablkcipher_cast(ctx->sw_tfm));
++		crypto_free_skcipher(__crypto_skcipher_cast(ctx->sw_tfm));
+ 		ctx->sw_tfm = NULL;
+ 	}
+ 
+@@ -183,9 +183,9 @@ void nss_cryptoapi_ablkcipher_exit(struc
+  * nss_cryptoapi_ablk_aes_setkey()
+  * 	Cryptoapi setkey routine for aes.
+  */
+-int nss_cryptoapi_ablk_aes_setkey(struct crypto_ablkcipher *cipher, const u8 *key, unsigned int keylen)
++int nss_cryptoapi_ablk_aes_setkey(struct crypto_skcipher *cipher, const u8 *key, unsigned int keylen)
+ {
+-	struct crypto_tfm *tfm = crypto_ablkcipher_tfm(cipher);
++	struct crypto_tfm *tfm = crypto_skcipher_tfm(cipher);
+ 	struct nss_cryptoapi_ctx *ctx = crypto_tfm_ctx(tfm);
+ 	struct nss_cryptoapi *sc = &gbl_ctx;
+ 	struct nss_crypto_key cip;
+@@ -255,10 +255,10 @@ int nss_cryptoapi_ablk_aes_setkey(struct
+ 
+ 		/* set flag to fallback tfm */
+ 		crypto_tfm_clear_flags(ctx->sw_tfm, CRYPTO_TFM_REQ_MASK);
+-		crypto_tfm_set_flags(ctx->sw_tfm, crypto_ablkcipher_get_flags(cipher) & CRYPTO_TFM_REQ_MASK);
++		crypto_tfm_set_flags(ctx->sw_tfm, crypto_skcipher_get_flags(cipher) & CRYPTO_TFM_REQ_MASK);
+ 
+ 		 /* Set key to the fallback tfm */
+-		ret = crypto_ablkcipher_setkey(__crypto_ablkcipher_cast(ctx->sw_tfm), key, keylen);
++		ret = crypto_skcipher_setkey(__crypto_skcipher_cast(ctx->sw_tfm), key, keylen);
+ 		if (ret) {
+ 			nss_cfi_err("Failed to set key to the sw crypto");
+ 
+@@ -266,7 +266,7 @@ int nss_cryptoapi_ablk_aes_setkey(struct
+ 			 * Set back the fallback tfm flag to the original flag one after
+ 			 * doing setkey
+ 			 */
+-			crypto_ablkcipher_set_flags(cipher, crypto_tfm_get_flags(ctx->sw_tfm));
++			crypto_skcipher_set_flags(cipher, crypto_tfm_get_flags(ctx->sw_tfm));
+ 		}
+ 		return ret;
+ 	default:
+@@ -289,23 +289,23 @@ int nss_cryptoapi_ablk_aes_setkey(struct
+ 	return 0;
+ 
+ fail:
+-	crypto_ablkcipher_set_flags(cipher, flag);
++	crypto_skcipher_set_flags(cipher, flag);
+ 	return -EINVAL;
+ }
+ 
+ /*
+- * nss_cryptoapi_ablkcipher_done()
++ * nss_cryptoapi_skcipher_done()
+  * 	Cipher operation completion callback function
+  */
+-void nss_cryptoapi_ablkcipher_done(struct nss_crypto_buf *buf)
++void nss_cryptoapi_skcipher_done(struct nss_crypto_buf *buf)
+ {
+ 	struct nss_cryptoapi_ctx *ctx;
+-	struct ablkcipher_request *req;
++	struct skcipher_request *req;
+ 	int err = 0;
+ 
+ 	nss_cfi_assert(buf);
+ 
+-	req = (struct ablkcipher_request *)nss_crypto_get_cb_ctx(buf);
++	req = (struct skcipher_request *)nss_crypto_get_cb_ctx(buf);
+ 
+ 	/*
+ 	 * check cryptoapi context magic number.
+@@ -319,7 +319,7 @@ void nss_cryptoapi_ablkcipher_done(struc
+ 	nss_crypto_buf_free(gbl_ctx.crypto, buf);
+ 
+ 	nss_cfi_dbg("after transformation\n");
+-	nss_cfi_dbg_data(sg_virt(req->dst), req->nbytes, ' ');
++	nss_cfi_dbg_data(sg_virt(req->dst), req->cryptlen, ' ');
+ 
+ 	/*
+ 	 * Passing always pass in case of encrypt.
+@@ -337,7 +337,7 @@ void nss_cryptoapi_ablkcipher_done(struc
+  * 	Cryptoapi: obtain sg to virtual address mapping.
+  * 	Check for multiple sg in src and dst
+  */
+-int nss_cryptoapi_ablk_checkaddr(struct ablkcipher_request *req)
++int nss_cryptoapi_ablk_checkaddr(struct skcipher_request *req)
+ {
+ 	/*
+ 	 * Currently only single sg is supported
+@@ -356,7 +356,7 @@ int nss_cryptoapi_ablk_checkaddr(struct
+ 	/*
+ 	 * If the size of data is more than 65K reject transformation
+ 	 */
+-	if (req->nbytes > NSS_CRYPTOAPI_MAX_DATA_LEN) {
++	if (req->cryptlen > NSS_CRYPTOAPI_MAX_DATA_LEN) {
+ 		nss_cfi_err("Buffer length exceeded limit\n");
+ 		return -EINVAL;
+ 	}
+@@ -368,10 +368,10 @@ int nss_cryptoapi_ablk_checkaddr(struct
+  * nss_cryptoapi_ablk_transform()
+  * 	Crytoapi common routine for encryption and decryption operations.
+  */
+-struct nss_crypto_buf *nss_cryptoapi_ablk_transform(struct ablkcipher_request *req, struct nss_cryptoapi_ablk_info *info)
++struct nss_crypto_buf *nss_cryptoapi_ablk_transform(struct skcipher_request *req, struct nss_cryptoapi_ablk_info *info)
+ {
+-	struct crypto_ablkcipher *cipher = crypto_ablkcipher_reqtfm(req);
+-	struct nss_cryptoapi_ctx *ctx = crypto_ablkcipher_ctx(cipher);
++	struct crypto_skcipher *cipher = crypto_skcipher_reqtfm(req);
++	struct nss_cryptoapi_ctx *ctx = crypto_skcipher_ctx(cipher);
+ 	struct nss_crypto_buf *buf;
+ 	struct nss_cryptoapi *sc = &gbl_ctx;
+ 	nss_crypto_status_t status;
+@@ -382,7 +382,7 @@ struct nss_crypto_buf *nss_cryptoapi_abl
+ 	nss_cfi_assert(ctx);
+ 
+ 	nss_cfi_dbg("src_vaddr: 0x%px, dst_vaddr: 0x%px, iv: 0x%px\n",
+-			sg_virt(req->src), sg_virt(req->dst), req->info);
++			sg_virt(req->src), sg_virt(req->dst), req->iv);
+ 
+ 	info->params->cipher_skip = 0;
+ 	info->params->auth_skip = 0;
+@@ -419,19 +419,19 @@ struct nss_crypto_buf *nss_cryptoapi_abl
+ 	/*
+ 	 * Get IV location and memcpy the IV
+ 	 */
+-	iv_size = crypto_ablkcipher_ivsize(cipher);
++	iv_size = crypto_skcipher_ivsize(cipher);
+ 	iv_addr = nss_crypto_get_ivaddr(buf);
+ 
+ 	switch (ctx->cip_alg) {
+ 	case NSS_CRYPTO_CIPHER_AES_CBC:
+ 	case NSS_CRYPTO_CIPHER_DES:
+-		memcpy(iv_addr, req->info, iv_size);
++		memcpy(iv_addr, req->iv, iv_size);
+ 		break;
+ 
+ 	case NSS_CRYPTO_CIPHER_AES_CTR:
+ 		((uint32_t *)iv_addr)[0] = ctx->ctx_iv[0];
+-		((uint32_t *)iv_addr)[1] = ((uint32_t *)req->info)[0];
+-		((uint32_t *)iv_addr)[2] = ((uint32_t *)req->info)[1];
++		((uint32_t *)iv_addr)[1] = ((uint32_t *)req->iv)[0];
++		((uint32_t *)iv_addr)[2] = ((uint32_t *)req->iv)[1];
+ 		((uint32_t *)iv_addr)[3] = ctx->ctx_iv[3];
+ 		break;
+ 
+@@ -446,7 +446,7 @@ struct nss_crypto_buf *nss_cryptoapi_abl
+ 	/*
+ 	 * Fill Cipher and Auth len
+ 	 */
+-	cipher_len = req->nbytes;
++	cipher_len = req->cryptlen;
+ 	auth_len = 0;
+ 
+ 	nss_crypto_set_data(buf, sg_virt(req->src), sg_virt(req->dst), cipher_len);
+@@ -463,12 +463,12 @@ struct nss_crypto_buf *nss_cryptoapi_abl
+ }
+ 
+ /*
+- * nss_cryptoapi_ablkcipher_fallback()
+- *	Cryptoapi fallback for ablkcipher algorithm.
++ * nss_cryptoapi_skcipher_fallback()
++ *	Cryptoapi fallback for skcipher algorithm.
+  */
+-int nss_cryptoapi_ablkcipher_fallback(struct nss_cryptoapi_ctx *ctx, struct ablkcipher_request *req, int type)
++int nss_cryptoapi_skcipher_fallback(struct nss_cryptoapi_ctx *ctx, struct skcipher_request *req, int type)
+ {
+-	struct crypto_ablkcipher *orig_tfm = crypto_ablkcipher_reqtfm(req);
++	struct crypto_skcipher *orig_tfm = crypto_skcipher_reqtfm(req);
+ 	int err;
+ 
+ 	if (!ctx->sw_tfm) {
+@@ -476,16 +476,16 @@ int nss_cryptoapi_ablkcipher_fallback(st
+ 	}
+ 
+ 	/* Set new fallback tfm to the request */
+-	ablkcipher_request_set_tfm(req, __crypto_ablkcipher_cast(ctx->sw_tfm));
++	skcipher_request_set_tfm(req, __crypto_skcipher_cast(ctx->sw_tfm));
+ 
+ 	ctx->queued++;
+ 
+ 	switch (type) {
+ 	case NSS_CRYPTOAPI_ENCRYPT:
+-		err = crypto_ablkcipher_encrypt(req);
++		err = crypto_skcipher_encrypt(req);
+ 		break;
+ 	case NSS_CRYPTOAPI_DECRYPT:
+-		err = crypto_ablkcipher_decrypt(req);
++		err = crypto_skcipher_decrypt(req);
+ 		break;
+ 	default:
+ 		err = -EINVAL;
+@@ -495,7 +495,7 @@ int nss_cryptoapi_ablkcipher_fallback(st
+ 		ctx->completed++;
+ 
+ 	/* Set original tfm to the request */
+-	ablkcipher_request_set_tfm(req, orig_tfm);
++	skcipher_request_set_tfm(req, orig_tfm);
+ 
+ 	return err;
+ }
+@@ -504,13 +504,13 @@ int nss_cryptoapi_ablkcipher_fallback(st
+  * nss_cryptoapi_ablk_aes_encrypt()
+  * 	Crytoapi encrypt for aes(aes-cbc/rfc3686-aes-ctr) algorithms.
+  */
+-int nss_cryptoapi_ablk_aes_encrypt(struct ablkcipher_request *req)
++int nss_cryptoapi_ablk_aes_encrypt(struct skcipher_request *req)
+ {
+ 	struct nss_crypto_params params = { .req_type = NSS_CRYPTO_REQ_TYPE_ENCRYPT };
+-	struct nss_cryptoapi_ablk_info info = {.cb_fn = nss_cryptoapi_ablkcipher_done,
++	struct nss_cryptoapi_ablk_info info = {.cb_fn = nss_cryptoapi_skcipher_done,
+ 						.params = &params};
+-	struct crypto_ablkcipher *cipher = crypto_ablkcipher_reqtfm(req);
+-	struct nss_cryptoapi_ctx *ctx = crypto_ablkcipher_ctx(cipher);
++	struct crypto_skcipher *cipher = crypto_skcipher_reqtfm(req);
++	struct nss_cryptoapi_ctx *ctx = crypto_skcipher_ctx(cipher);
+ 	struct nss_cryptoapi *sc = &gbl_ctx;
+ 	struct nss_crypto_buf *buf;
+ 
+@@ -520,7 +520,7 @@ int nss_cryptoapi_ablk_aes_encrypt(struc
+ 	nss_cryptoapi_verify_magic(ctx);
+ 
+ 	if (ctx->fallback_req)
+-		return nss_cryptoapi_ablkcipher_fallback(ctx, req, NSS_CRYPTOAPI_ENCRYPT);
++		return nss_cryptoapi_skcipher_fallback(ctx, req, NSS_CRYPTOAPI_ENCRYPT);
+ 
+ 	/*
+ 	 * Check if previous call to setkey couldn't allocate session with core crypto.
+@@ -539,9 +539,9 @@ int nss_cryptoapi_ablk_aes_encrypt(struc
+ 	 * According to RFC3686, AES-CTR algo need not be padded if the
+ 	 * plaintext or ciphertext is unaligned to block size boundary.
+ 	 */
+-	if (nss_cryptoapi_check_unalign(req->nbytes, AES_BLOCK_SIZE) && (ctx->cip_alg != NSS_CRYPTO_CIPHER_AES_CTR)) {
++	if (nss_cryptoapi_check_unalign(req->cryptlen, AES_BLOCK_SIZE) && (ctx->cip_alg != NSS_CRYPTO_CIPHER_AES_CTR)) {
+ 		nss_cfi_err("Invalid cipher len - Not aligned to algo blocksize\n");
+-		crypto_ablkcipher_set_flags(cipher, CRYPTO_TFM_RES_BAD_BLOCK_LEN);
++		crypto_skcipher_set_flags(cipher, CRYPTO_TFM_RES_BAD_BLOCK_LEN);
+ 		return -EINVAL;
+ 	}
+ 
+@@ -571,13 +571,13 @@ int nss_cryptoapi_ablk_aes_encrypt(struc
+  * nss_cryptoapi_ablk_aes_decrypt()
+  * 	Crytoapi decrypt for aes(aes-cbc/rfc3686-aes-ctr) algorithms.
+  */
+-int nss_cryptoapi_ablk_aes_decrypt(struct ablkcipher_request *req)
++int nss_cryptoapi_ablk_aes_decrypt(struct skcipher_request *req)
+ {
+ 	struct nss_crypto_params params = { .req_type = NSS_CRYPTO_REQ_TYPE_DECRYPT };
+-	struct nss_cryptoapi_ablk_info info = {.cb_fn = nss_cryptoapi_ablkcipher_done,
++	struct nss_cryptoapi_ablk_info info = {.cb_fn = nss_cryptoapi_skcipher_done,
+ 						.params = &params};
+-	struct crypto_ablkcipher *cipher = crypto_ablkcipher_reqtfm(req);
+-	struct nss_cryptoapi_ctx *ctx = crypto_ablkcipher_ctx(cipher);
++	struct crypto_skcipher *cipher = crypto_skcipher_reqtfm(req);
++	struct nss_cryptoapi_ctx *ctx = crypto_skcipher_ctx(cipher);
+ 	struct nss_cryptoapi *sc = &gbl_ctx;
+ 	struct nss_crypto_buf *buf;
+ 
+@@ -587,7 +587,7 @@ int nss_cryptoapi_ablk_aes_decrypt(struc
+ 	nss_cryptoapi_verify_magic(ctx);
+ 
+ 	if (ctx->fallback_req)
+-		return nss_cryptoapi_ablkcipher_fallback(ctx, req, NSS_CRYPTOAPI_DECRYPT);
++		return nss_cryptoapi_skcipher_fallback(ctx, req, NSS_CRYPTOAPI_DECRYPT);
+ 
+ 	/*
+ 	 * Check if previous call to setkey couldn't allocate session with core crypto.
+@@ -606,9 +606,9 @@ int nss_cryptoapi_ablk_aes_decrypt(struc
+ 	 * According to RFC3686, AES-CTR algo need not be padded if the
+ 	 * plaintext or ciphertext is unaligned to block size boundary.
+ 	 */
+-	if (nss_cryptoapi_check_unalign(req->nbytes, AES_BLOCK_SIZE) && (ctx->cip_alg != NSS_CRYPTO_CIPHER_AES_CTR)) {
++	if (nss_cryptoapi_check_unalign(req->cryptlen, AES_BLOCK_SIZE) && (ctx->cip_alg != NSS_CRYPTO_CIPHER_AES_CTR)) {
+ 		nss_cfi_err("Invalid cipher len - Not aligned to algo blocksize\n");
+-		crypto_ablkcipher_set_flags(cipher, CRYPTO_TFM_RES_BAD_BLOCK_LEN);
++		crypto_skcipher_set_flags(cipher, CRYPTO_TFM_RES_BAD_BLOCK_LEN);
+ 		return -EINVAL;
+ 	}
+ 
+@@ -638,9 +638,9 @@ int nss_cryptoapi_ablk_aes_decrypt(struc
+  * nss_cryptoapi_3des_cbc_setkey()
+  * 	Cryptoapi DES3 CBC setkey function.
+  */
+-int nss_cryptoapi_3des_cbc_setkey(struct crypto_ablkcipher *cipher, const u8 *key, unsigned int keylen)
++int nss_cryptoapi_3des_cbc_setkey(struct crypto_skcipher *cipher, const u8 *key, unsigned int keylen)
+ {
+-	struct crypto_tfm *tfm = crypto_ablkcipher_tfm(cipher);
++	struct crypto_tfm *tfm = crypto_skcipher_tfm(cipher);
+ 	struct nss_cryptoapi_ctx *ctx = crypto_tfm_ctx(tfm);
+ 	struct nss_cryptoapi *sc = &gbl_ctx;
+ 	struct nss_crypto_key cip = { .algo = NSS_CRYPTO_CIPHER_DES };
+@@ -693,7 +693,7 @@ int nss_cryptoapi_3des_cbc_setkey(struct
+ 	return 0;
+ 
+ fail:
+-	crypto_ablkcipher_set_flags(cipher, flag);
++	crypto_skcipher_set_flags(cipher, flag);
+ 	return -EINVAL;
+ }
+ 
+@@ -701,7 +701,7 @@ fail:
+  * nss_cryptoapi_3des_cbc_encrypt()
+  * 	Cryptoapi DES3 CBC encrypt function.
+  */
+-int nss_cryptoapi_3des_cbc_encrypt(struct ablkcipher_request *req)
++int nss_cryptoapi_3des_cbc_encrypt(struct skcipher_request *req)
+ {
+ 	struct nss_cryptoapi *sc = &gbl_ctx;
+ 	struct nss_cryptoapi_ctx *ctx = crypto_tfm_ctx(req->base.tfm);
+@@ -727,14 +727,14 @@ int nss_cryptoapi_3des_cbc_encrypt(struc
+ 		return -EINVAL;
+ 	}
+ 
+-	if (nss_cryptoapi_check_unalign(req->nbytes, DES3_EDE_BLOCK_SIZE)) {
++	if (nss_cryptoapi_check_unalign(req->cryptlen, DES3_EDE_BLOCK_SIZE)) {
+ 		nss_cfi_err("Invalid cipher len - Not aligned to algo blocksize\n");
+-		crypto_ablkcipher_set_flags(crypto_ablkcipher_reqtfm(req), CRYPTO_TFM_RES_BAD_BLOCK_LEN);
++		crypto_skcipher_set_flags(crypto_skcipher_reqtfm(req), CRYPTO_TFM_RES_BAD_BLOCK_LEN);
+ 		return -EINVAL;
+ 	}
+ 
+ 	info.params = &params;
+-	info.cb_fn = nss_cryptoapi_ablkcipher_done;
++	info.cb_fn = nss_cryptoapi_skcipher_done;
+ 
+ 	buf = nss_cryptoapi_ablk_transform(req, &info);
+ 	if (!buf) {
+@@ -762,7 +762,7 @@ int nss_cryptoapi_3des_cbc_encrypt(struc
+  * nss_cryptoapi_3des_cbc_decrypt()
+  * 	Cryptoapi DES3 CBC decrypt function.
+  */
+-int nss_cryptoapi_3des_cbc_decrypt(struct ablkcipher_request *req)
++int nss_cryptoapi_3des_cbc_decrypt(struct skcipher_request *req)
+ {
+ 	struct nss_cryptoapi *sc = &gbl_ctx;
+ 	struct nss_cryptoapi_ctx *ctx = crypto_tfm_ctx(req->base.tfm);
+@@ -788,14 +788,14 @@ int nss_cryptoapi_3des_cbc_decrypt(struc
+ 		return -EINVAL;
+ 	}
+ 
+-	if (nss_cryptoapi_check_unalign(req->nbytes, DES3_EDE_BLOCK_SIZE)) {
++	if (nss_cryptoapi_check_unalign(req->cryptlen, DES3_EDE_BLOCK_SIZE)) {
+ 		nss_cfi_err("Invalid cipher len - Not aligned to algo blocksize\n");
+-		crypto_ablkcipher_set_flags(crypto_ablkcipher_reqtfm(req), CRYPTO_TFM_RES_BAD_BLOCK_LEN);
++		crypto_skcipher_set_flags(crypto_skcipher_reqtfm(req), CRYPTO_TFM_RES_BAD_BLOCK_LEN);
+ 		return -EINVAL;
+ 	}
+ 
+ 	info.params = &params;
+-	info.cb_fn = nss_cryptoapi_ablkcipher_done;
++	info.cb_fn = nss_cryptoapi_skcipher_done;
+ 
+ 	buf = nss_cryptoapi_ablk_transform(req, &info);
+ 	if (!buf) {
+--- a/cryptoapi/v1.1/nss_cryptoapi_debugfs.c
++++ b/cryptoapi/v1.1/nss_cryptoapi_debugfs.c
+@@ -55,6 +55,7 @@
+  */
+ void nss_cryptoapi_debugfs_add_stats(struct dentry *parent, struct nss_cryptoapi_ctx *session_ctx)
+ {
++	pr_info("add stats");
+ 	debugfs_create_u64("queued", S_IRUGO, parent, &session_ctx->queued);
+ 	debugfs_create_u64("completed", S_IRUGO, parent, &session_ctx->completed);
+ 	debugfs_create_u64("queue_failed", S_IRUGO, parent, &session_ctx->queue_failed);
+--- a/cryptoapi/v1.1/nss_cryptoapi_private.h
++++ b/cryptoapi/v1.1/nss_cryptoapi_private.h
+@@ -141,16 +141,16 @@ int nss_cryptoapi_sha256_3des_encrypt(st
+ int nss_cryptoapi_sha256_3des_decrypt(struct aead_request *req);
+ 
+ /* ABLKCIPHER */
+-int nss_cryptoapi_ablkcipher_init(struct crypto_tfm *tfm);
+-void nss_cryptoapi_ablkcipher_exit(struct crypto_tfm *tfm);
+-int nss_cryptoapi_ablk_aes_setkey(struct crypto_ablkcipher *cipher, const u8 *key, unsigned int len);
+-int nss_cryptoapi_3des_cbc_setkey(struct crypto_ablkcipher *cipher, const u8 *key, unsigned int len);
++int nss_cryptoapi_skcipher_init(struct crypto_skcipher *tfm);
++void nss_cryptoapi_skcipher_exit(struct crypto_skcipher *tfm);
++int nss_cryptoapi_ablk_aes_setkey(struct crypto_skcipher *cipher, const u8 *key, unsigned int len);
++int nss_cryptoapi_3des_cbc_setkey(struct crypto_skcipher *cipher, const u8 *key, unsigned int len);
+ 
+-int nss_cryptoapi_ablk_aes_encrypt(struct ablkcipher_request *req);
+-int nss_cryptoapi_ablk_aes_decrypt(struct ablkcipher_request *req);
++int nss_cryptoapi_ablk_aes_encrypt(struct skcipher_request *req);
++int nss_cryptoapi_ablk_aes_decrypt(struct skcipher_request *req);
+ 
+-int nss_cryptoapi_3des_cbc_encrypt(struct ablkcipher_request *req);
+-int nss_cryptoapi_3des_cbc_decrypt(struct ablkcipher_request *req);
++int nss_cryptoapi_3des_cbc_encrypt(struct skcipher_request *req);
++int nss_cryptoapi_3des_cbc_decrypt(struct skcipher_request *req);
+ 
+ #endif /* __NSS_CRYPTOAPI_PRIVATE_H */
+ 

package/qca-nss/qca-nss-cfi/patches/0010-cryptoapi-v1.1-fix-SHA1-header-include.patch

@@ -0,0 +1,286 @@
+--- a/cryptoapi/v1.1/nss_cryptoapi.c
++++ b/cryptoapi/v1.1/nss_cryptoapi.c
+@@ -38,7 +38,12 @@
+ #include <crypto/ctr.h>
+ #include <crypto/des.h>
+ #include <crypto/aes.h>
++#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 0)
+ #include <crypto/sha.h>
++#else
++#include <crypto/sha1.h>
++#include <crypto/sha2.h>
++#endif
+ #include <crypto/hash.h>
+ #include <crypto/algapi.h>
+ #include <crypto/aead.h>
+--- a/cryptoapi/v1.1/nss_cryptoapi_ablk.c
++++ b/cryptoapi/v1.1/nss_cryptoapi_ablk.c
+@@ -36,7 +36,12 @@
+ #include <crypto/ctr.h>
+ #include <crypto/des.h>
+ #include <crypto/aes.h>
++#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 0)
+ #include <crypto/sha.h>
++#else
++#include <crypto/sha1.h>
++#include <crypto/sha2.h>
++#endif
+ #include <crypto/hash.h>
+ #include <crypto/algapi.h>
+ #include <crypto/aead.h>
+@@ -65,8 +70,8 @@ struct nss_cryptoapi_ablk_info {
+ int nss_cryptoapi_skcipher_ctx2session(struct crypto_skcipher *sk, uint32_t *sid)
+ {
+ 	struct crypto_tfm *tfm = crypto_skcipher_tfm(sk);
+-	struct crypto_ablkcipher **actx, *ablk;
+-	struct ablkcipher_tfm *ablk_tfm;
++	struct crypto_skcipher **actx;
++	struct crypto_tfm *ablk_tfm;
+ 	struct nss_cryptoapi_ctx *ctx;
+ 
+ 	if (strncmp("nss-", crypto_tfm_alg_driver_name(tfm), 4))
+@@ -82,16 +87,16 @@ int nss_cryptoapi_skcipher_ctx2session(s
+ 	 * ablkcipher that is created when the skcipher is created.
+ 	 * Hence we derive the required ablkcipher through ablkcipher_tfm.
+ 	 */
+-	ablk_tfm = crypto_ablkcipher_crt(*actx);
++	ablk_tfm = crypto_skcipher_tfm(*actx);
+ 	if (!ablk_tfm)
+ 		return -EINVAL;
+ 
+-	ablk = ablk_tfm->base;
++	/* ablk = ablk_tfm->base;
+ 	if (!ablk)
+-		return -EINVAL;
++		return -EINVAL; */
+ 
+ 	/* Get the nss_cryptoapi context stored in the ablkcipher */
+-	ctx = crypto_ablkcipher_ctx(ablk);
++	ctx = crypto_skcipher_ctx(sk);
+ 
+ 	nss_cfi_assert(ctx);
+ 	nss_cryptoapi_verify_magic(ctx);
+@@ -189,7 +194,7 @@ int nss_cryptoapi_ablk_aes_setkey(struct
+ 	struct nss_cryptoapi_ctx *ctx = crypto_tfm_ctx(tfm);
+ 	struct nss_cryptoapi *sc = &gbl_ctx;
+ 	struct nss_crypto_key cip;
+-	uint32_t flag = CRYPTO_TFM_RES_BAD_KEY_LEN;
++// 	uint32_t flag = CRYPTO_TFM_RES_BAD_KEY_LEN;
+ 	nss_crypto_status_t status;
+ 	int ret;
+ 
+@@ -278,7 +283,7 @@ int nss_cryptoapi_ablk_aes_setkey(struct
+ 	if (status != NSS_CRYPTO_STATUS_OK) {
+ 		nss_cfi_err("nss_crypto_session_alloc failed - status: %d\n", status);
+ 		ctx->sid = NSS_CRYPTO_MAX_IDXS;
+-		flag = CRYPTO_TFM_RES_BAD_FLAGS;
++// 		flag = CRYPTO_TFM_RES_BAD_FLAGS;
+ 		goto fail;
+ 	}
+ 
+@@ -289,7 +294,7 @@ int nss_cryptoapi_ablk_aes_setkey(struct
+ 	return 0;
+ 
+ fail:
+-	crypto_skcipher_set_flags(cipher, flag);
++// 	// crypto_skcipher_set_flags(cipher, flag);
+ 	return -EINVAL;
+ }
+ 
+@@ -541,7 +546,7 @@ int nss_cryptoapi_ablk_aes_encrypt(struc
+ 	 */
+ 	if (nss_cryptoapi_check_unalign(req->cryptlen, AES_BLOCK_SIZE) && (ctx->cip_alg != NSS_CRYPTO_CIPHER_AES_CTR)) {
+ 		nss_cfi_err("Invalid cipher len - Not aligned to algo blocksize\n");
+-		crypto_skcipher_set_flags(cipher, CRYPTO_TFM_RES_BAD_BLOCK_LEN);
++		// crypto_skcipher_set_flags(cipher, CRYPTO_TFM_RES_BAD_BLOCK_LEN);
+ 		return -EINVAL;
+ 	}
+ 
+@@ -608,7 +613,6 @@ int nss_cryptoapi_ablk_aes_decrypt(struc
+ 	 */
+ 	if (nss_cryptoapi_check_unalign(req->cryptlen, AES_BLOCK_SIZE) && (ctx->cip_alg != NSS_CRYPTO_CIPHER_AES_CTR)) {
+ 		nss_cfi_err("Invalid cipher len - Not aligned to algo blocksize\n");
+-		crypto_skcipher_set_flags(cipher, CRYPTO_TFM_RES_BAD_BLOCK_LEN);
+ 		return -EINVAL;
+ 	}
+ 
+@@ -645,7 +649,7 @@ int nss_cryptoapi_3des_cbc_setkey(struct
+ 	struct nss_cryptoapi *sc = &gbl_ctx;
+ 	struct nss_crypto_key cip = { .algo = NSS_CRYPTO_CIPHER_DES };
+ 	struct nss_crypto_key *cip_ptr = &cip;
+-	uint32_t flag = CRYPTO_TFM_RES_BAD_KEY_LEN;
++// 	uint32_t flag = CRYPTO_TFM_RES_BAD_KEY_LEN;
+ 	nss_crypto_status_t status;
+ 
+ 	/*
+@@ -680,7 +684,7 @@ int nss_cryptoapi_3des_cbc_setkey(struct
+ 	if (status != NSS_CRYPTO_STATUS_OK) {
+ 		nss_cfi_err("nss_crypto_session_alloc failed - status: %d\n", status);
+ 		ctx->sid = NSS_CRYPTO_MAX_IDXS;
+-		flag = CRYPTO_TFM_RES_BAD_FLAGS;
++// 		flag = CRYPTO_TFM_RES_BAD_FLAGS;
+ 		goto fail;
+ 	}
+ 
+@@ -693,7 +697,7 @@ int nss_cryptoapi_3des_cbc_setkey(struct
+ 	return 0;
+ 
+ fail:
+-	crypto_skcipher_set_flags(cipher, flag);
++// 	crypto_skcipher_set_flags(cipher, flag);
+ 	return -EINVAL;
+ }
+ 
+@@ -729,7 +733,7 @@ int nss_cryptoapi_3des_cbc_encrypt(struc
+ 
+ 	if (nss_cryptoapi_check_unalign(req->cryptlen, DES3_EDE_BLOCK_SIZE)) {
+ 		nss_cfi_err("Invalid cipher len - Not aligned to algo blocksize\n");
+-		crypto_skcipher_set_flags(crypto_skcipher_reqtfm(req), CRYPTO_TFM_RES_BAD_BLOCK_LEN);
++		// crypto_skcipher_set_flags(crypto_skcipher_reqtfm(req), CRYPTO_TFM_RES_BAD_BLOCK_LEN);
+ 		return -EINVAL;
+ 	}
+ 
+@@ -790,7 +794,7 @@ int nss_cryptoapi_3des_cbc_decrypt(struc
+ 
+ 	if (nss_cryptoapi_check_unalign(req->cryptlen, DES3_EDE_BLOCK_SIZE)) {
+ 		nss_cfi_err("Invalid cipher len - Not aligned to algo blocksize\n");
+-		crypto_skcipher_set_flags(crypto_skcipher_reqtfm(req), CRYPTO_TFM_RES_BAD_BLOCK_LEN);
++		// crypto_skcipher_set_flags(crypto_skcipher_reqtfm(req), CRYPTO_TFM_RES_BAD_BLOCK_LEN);
+ 		return -EINVAL;
+ 	}
+ 
+--- a/cryptoapi/v1.1/nss_cryptoapi_aead.c
++++ b/cryptoapi/v1.1/nss_cryptoapi_aead.c
+@@ -38,7 +38,12 @@
+ #include <crypto/ctr.h>
+ #include <crypto/des.h>
+ #include <crypto/aes.h>
++#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 0)
+ #include <crypto/sha.h>
++#else
++#include <crypto/sha1.h>
++#include <crypto/sha2.h>
++#endif
+ #include <crypto/hash.h>
+ #include <crypto/algapi.h>
+ #include <crypto/aead.h>
+@@ -216,7 +221,7 @@ int nss_cryptoapi_aead_aes_setkey(struct
+ 	struct nss_cryptoapi *sc = &gbl_ctx;
+ 	struct nss_crypto_key cip;
+ 	struct nss_crypto_key auth;
+-	uint32_t flag = CRYPTO_TFM_RES_BAD_KEY_LEN;
++// 	uint32_t flag = CRYPTO_TFM_RES_BAD_KEY_LEN;
+ 	nss_crypto_status_t status;
+ 	bool ctr_mode = false;
+ 	bool cbc_mode = false;
+@@ -335,7 +340,7 @@ int nss_cryptoapi_aead_aes_setkey(struct
+ 	if (status != NSS_CRYPTO_STATUS_OK) {
+ 		nss_cfi_err("nss_crypto_session_alloc failed - status: %d\n", status);
+ 		ctx->sid = NSS_CRYPTO_MAX_IDXS;
+-		flag = CRYPTO_TFM_RES_BAD_FLAGS;
++// 		flag = CRYPTO_TFM_RES_BAD_FLAGS;
+ 		goto fail;
+ 	}
+ 
+@@ -346,7 +351,7 @@ int nss_cryptoapi_aead_aes_setkey(struct
+ 	return 0;
+ 
+ fail:
+-	crypto_aead_set_flags(aead, flag);
++// 	crypto_aead_set_flags(aead, flag);
+ 	return -EINVAL;
+ }
+ 
+@@ -361,7 +366,7 @@ int nss_cryptoapi_sha1_3des_setkey(struc
+ 	struct nss_cryptoapi *sc = &gbl_ctx;
+ 	struct nss_crypto_key cip = { .algo = NSS_CRYPTO_CIPHER_DES };
+ 	struct nss_crypto_key auth = { .algo = NSS_CRYPTO_AUTH_SHA1_HMAC };
+-	uint32_t flag = CRYPTO_TFM_RES_BAD_KEY_LEN;
++// 	uint32_t flag = CRYPTO_TFM_RES_BAD_KEY_LEN;
+ 	nss_crypto_status_t status;
+ 
+ 	/*
+@@ -410,7 +415,7 @@ int nss_cryptoapi_sha1_3des_setkey(struc
+ 	if (status != NSS_CRYPTO_STATUS_OK) {
+ 		nss_cfi_err("nss_crypto_session_alloc failed - status: %d\n", status);
+ 		ctx->sid = NSS_CRYPTO_MAX_IDXS;
+-		flag = CRYPTO_TFM_RES_BAD_FLAGS;
++// 		flag = CRYPTO_TFM_RES_BAD_FLAGS;
+ 		goto fail;
+ 	}
+ 
+@@ -424,7 +429,7 @@ int nss_cryptoapi_sha1_3des_setkey(struc
+ 	return 0;
+ 
+ fail:
+-	crypto_aead_set_flags(aead, flag);
++// 	crypto_aead_set_flags(aead, flag);
+ 	return -EINVAL;
+ }
+ 
+@@ -439,7 +444,7 @@ int nss_cryptoapi_sha256_3des_setkey(str
+ 	struct nss_cryptoapi *sc = &gbl_ctx;
+ 	struct nss_crypto_key cip = { .algo = NSS_CRYPTO_CIPHER_DES };
+ 	struct nss_crypto_key auth = { .algo = NSS_CRYPTO_AUTH_SHA256_HMAC };
+-	uint32_t flag = CRYPTO_TFM_RES_BAD_KEY_LEN;
++// 	uint32_t flag = CRYPTO_TFM_RES_BAD_KEY_LEN;
+ 	nss_crypto_status_t status;
+ 
+ 	/*
+@@ -488,7 +493,7 @@ int nss_cryptoapi_sha256_3des_setkey(str
+ 	if (status != NSS_CRYPTO_STATUS_OK) {
+ 		nss_cfi_err("nss_crypto_session_alloc failed - status: %d\n", status);
+ 		ctx->sid = NSS_CRYPTO_MAX_IDXS;
+-		flag = CRYPTO_TFM_RES_BAD_FLAGS;
++// 		flag = CRYPTO_TFM_RES_BAD_FLAGS;
+ 		goto fail;
+ 	}
+ 
+@@ -502,7 +507,7 @@ int nss_cryptoapi_sha256_3des_setkey(str
+ 	return 0;
+ 
+ fail:
+-	crypto_aead_set_flags(aead, flag);
++// 	crypto_aead_set_flags(aead, flag);
+ 	return -EINVAL;
+ }
+ 
+@@ -722,7 +727,7 @@ struct nss_crypto_buf *nss_cryptoapi_aea
+ 	 */
+ 	if ((info->cip_len & (crypto_aead_blocksize(aead) - 1)) && (ctx->cip_alg != NSS_CRYPTO_CIPHER_AES_CTR)) {
+ 		nss_cfi_dbg("Invalid cipher len - Not aligned to algo blocksize\n");
+-		crypto_aead_set_flags(aead, CRYPTO_TFM_RES_BAD_BLOCK_LEN);
++		// crypto_aead_set_flags(aead, CRYPTO_TFM_RES_BAD_BLOCK_LEN);
+ 		return NULL;
+ 	}
+ 
+--- a/cryptoapi/v1.1/nss_cryptoapi_debugfs.c
++++ b/cryptoapi/v1.1/nss_cryptoapi_debugfs.c
+@@ -37,7 +37,12 @@
+ #include <crypto/ctr.h>
+ #include <crypto/des.h>
+ #include <crypto/aes.h>
++#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 0)
+ #include <crypto/sha.h>
++#else
++#include <crypto/sha1.h>
++#include <crypto/sha2.h>
++#endif
+ #include <crypto/hash.h>
+ #include <crypto/algapi.h>
+ #include <crypto/aead.h>
+--- a/ocf/v2.0/nss_cfi_ocf.c
++++ b/ocf/v2.0/nss_cfi_ocf.c
+@@ -41,7 +41,12 @@
+ #include <linux/delay.h>
+ #include <crypto/aes.h>
+ #include <crypto/des.h>
++#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 0)
+ #include <crypto/sha.h>
++#else
++#include <crypto/sha1.h>
++#include <crypto/sha2.h>
++#endif
+ #include <crypto/md5.h>
+ #include <cryptodev.h>
+ 

package/qca-nss/qca-nss-cfi/patches/0011-cryptoapi-v1.0-fix-SHA1-header-include.patch

@@ -0,0 +1,237 @@
+--- a/cryptoapi/v1.0/nss_cryptoapi.c
++++ b/cryptoapi/v1.0/nss_cryptoapi.c
+@@ -38,7 +38,12 @@
+ #include <crypto/ctr.h>
+ #include <crypto/des.h>
+ #include <crypto/aes.h>
++#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 0)
+ #include <crypto/sha.h>
++#else
++#include <crypto/sha1.h>
++#include <crypto/sha2.h>
++#endif
+ #include <crypto/hash.h>
+ #include <crypto/algapi.h>
+ #include <crypto/aead.h>
+--- a/cryptoapi/v1.0/nss_cryptoapi_ablk.c
++++ b/cryptoapi/v1.0/nss_cryptoapi_ablk.c
+@@ -37,7 +37,12 @@
+ #include <crypto/ctr.h>
+ #include <crypto/des.h>
+ #include <crypto/aes.h>
++#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 0)
+ #include <crypto/sha.h>
++#else
++#include <crypto/sha1.h>
++#include <crypto/sha2.h>
++#endif
+ #include <crypto/hash.h>
+ #include <crypto/algapi.h>
+ #include <crypto/aead.h>
+@@ -175,7 +180,7 @@ int nss_cryptoapi_ablk_aes_setkey(struct
+ 	struct nss_cryptoapi_ctx *ctx = crypto_tfm_ctx(tfm);
+ 	struct nss_cryptoapi *sc = &gbl_ctx;
+ 	struct nss_crypto_key cip;
+-	uint32_t flag = CRYPTO_TFM_RES_BAD_KEY_LEN;
++// 	uint32_t flag = CRYPTO_TFM_RES_BAD_KEY_LEN;
+ 	nss_crypto_status_t status;
+ 	bool ctr_mode = false;
+ 	bool cbc_mode = false;
+@@ -277,7 +282,7 @@ int nss_cryptoapi_ablk_aes_setkey(struct
+ 	if (status != NSS_CRYPTO_STATUS_OK) {
+ 		nss_cfi_err("nss_crypto_session_alloc failed - status: %d\n", status);
+ 		ctx->sid = NSS_CRYPTO_MAX_IDXS;
+-		flag = CRYPTO_TFM_RES_BAD_FLAGS;
++// 		flag = CRYPTO_TFM_RES_BAD_FLAGS;
+ 		goto fail;
+ 	}
+ 
+@@ -290,7 +295,7 @@ int nss_cryptoapi_ablk_aes_setkey(struct
+ 	return 0;
+ 
+ fail:
+-	crypto_ablkcipher_set_flags(cipher, flag);
++// 	crypto_ablkcipher_set_flags(cipher, flag);
+ 	return -EINVAL;
+ }
+ 
+@@ -645,7 +650,7 @@ int nss_cryptoapi_3des_cbc_setkey(struct
+ 	struct nss_cryptoapi *sc = &gbl_ctx;
+ 	struct nss_crypto_key cip = { .algo = NSS_CRYPTO_CIPHER_DES };
+ 	struct nss_crypto_key *cip_ptr = &cip;
+-	uint32_t flag = CRYPTO_TFM_RES_BAD_KEY_LEN;
++// 	uint32_t flag = CRYPTO_TFM_RES_BAD_KEY_LEN;
+ 	nss_crypto_status_t status;
+ 
+ 	/*
+@@ -680,7 +685,7 @@ int nss_cryptoapi_3des_cbc_setkey(struct
+ 	if (status != NSS_CRYPTO_STATUS_OK) {
+ 		nss_cfi_err("nss_crypto_session_alloc failed - status: %d\n", status);
+ 		ctx->sid = NSS_CRYPTO_MAX_IDXS;
+-		flag = CRYPTO_TFM_RES_BAD_FLAGS;
++// 		flag = CRYPTO_TFM_RES_BAD_FLAGS;
+ 		goto fail;
+ 	}
+ 
+@@ -693,7 +698,7 @@ int nss_cryptoapi_3des_cbc_setkey(struct
+ 	return 0;
+ 
+ fail:
+-	crypto_ablkcipher_set_flags(cipher, flag);
++// 	crypto_ablkcipher_set_flags(cipher, flag);
+ 	return -EINVAL;
+ }
+ 
+--- a/cryptoapi/v1.0/nss_cryptoapi_aead.c
++++ b/cryptoapi/v1.0/nss_cryptoapi_aead.c
+@@ -38,7 +38,12 @@
+ #include <crypto/ctr.h>
+ #include <crypto/des.h>
+ #include <crypto/aes.h>
++#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 0)
+ #include <crypto/sha.h>
++#else
++#include <crypto/sha1.h>
++#include <crypto/sha2.h>
++#endif
+ #include <crypto/hash.h>
+ #include <crypto/algapi.h>
+ #include <crypto/aead.h>
+@@ -225,7 +230,7 @@ int nss_cryptoapi_aead_aes_setkey(struct
+ 	struct nss_cryptoapi *sc = &gbl_ctx;
+ 	struct nss_crypto_key cip;
+ 	struct nss_crypto_key auth;
+-	uint32_t flag = CRYPTO_TFM_RES_BAD_KEY_LEN;
++// 	uint32_t flag = CRYPTO_TFM_RES_BAD_KEY_LEN;
+ 	nss_crypto_status_t status;
+ 	bool ctr_mode = false;
+ 	bool cbc_mode = false;
+@@ -346,7 +351,7 @@ int nss_cryptoapi_aead_aes_setkey(struct
+ 	if (status != NSS_CRYPTO_STATUS_OK) {
+ 		nss_cfi_err("nss_crypto_session_alloc failed - status: %d\n", status);
+ 		ctx->sid = NSS_CRYPTO_MAX_IDXS;
+-		flag = CRYPTO_TFM_RES_BAD_FLAGS;
++// 		flag = CRYPTO_TFM_RES_BAD_FLAGS;
+ 		goto fail;
+ 	}
+ 
+@@ -363,7 +368,7 @@ int nss_cryptoapi_aead_aes_setkey(struct
+ 	return 0;
+ 
+ fail:
+-	crypto_aead_set_flags(aead, flag);
++// 	crypto_aead_set_flags(aead, flag);
+ 	return -EINVAL;
+ }
+ 
+@@ -378,7 +383,7 @@ int nss_cryptoapi_sha1_3des_setkey(struc
+ 	struct nss_cryptoapi *sc = &gbl_ctx;
+ 	struct nss_crypto_key cip = { .algo = NSS_CRYPTO_CIPHER_DES };
+ 	struct nss_crypto_key auth = { .algo = NSS_CRYPTO_AUTH_SHA1_HMAC };
+-	uint32_t flag = CRYPTO_TFM_RES_BAD_KEY_LEN;
++// 	uint32_t flag = CRYPTO_TFM_RES_BAD_KEY_LEN;
+ 	nss_crypto_status_t status;
+ 
+ 	/*
+@@ -427,7 +432,7 @@ int nss_cryptoapi_sha1_3des_setkey(struc
+ 	if (status != NSS_CRYPTO_STATUS_OK) {
+ 		nss_cfi_err("nss_crypto_session_alloc failed - status: %d\n", status);
+ 		ctx->sid = NSS_CRYPTO_MAX_IDXS;
+-		flag = CRYPTO_TFM_RES_BAD_FLAGS;
++// 		flag = CRYPTO_TFM_RES_BAD_FLAGS;
+ 		goto fail;
+ 	}
+ 
+@@ -446,7 +451,7 @@ int nss_cryptoapi_sha1_3des_setkey(struc
+ 	return 0;
+ 
+ fail:
+-	crypto_aead_set_flags(aead, flag);
++// 	crypto_aead_set_flags(aead, flag);
+ 	return -EINVAL;
+ }
+ 
+@@ -461,7 +466,7 @@ int nss_cryptoapi_sha256_3des_setkey(str
+ 	struct nss_cryptoapi *sc = &gbl_ctx;
+ 	struct nss_crypto_key cip = { .algo = NSS_CRYPTO_CIPHER_DES };
+ 	struct nss_crypto_key auth = { .algo = NSS_CRYPTO_AUTH_SHA256_HMAC };
+-	uint32_t flag = CRYPTO_TFM_RES_BAD_KEY_LEN;
++// 	uint32_t flag = CRYPTO_TFM_RES_BAD_KEY_LEN;
+ 	nss_crypto_status_t status;
+ 
+ 	/*
+@@ -510,7 +515,7 @@ int nss_cryptoapi_sha256_3des_setkey(str
+ 	if (status != NSS_CRYPTO_STATUS_OK) {
+ 		nss_cfi_err("nss_crypto_session_alloc failed - status: %d\n", status);
+ 		ctx->sid = NSS_CRYPTO_MAX_IDXS;
+-		flag = CRYPTO_TFM_RES_BAD_FLAGS;
++// 		flag = CRYPTO_TFM_RES_BAD_FLAGS;
+ 		goto fail;
+ 	}
+ 
+@@ -529,7 +534,7 @@ int nss_cryptoapi_sha256_3des_setkey(str
+ 	return 0;
+ 
+ fail:
+-	crypto_aead_set_flags(aead, flag);
++// 	crypto_aead_set_flags(aead, flag);
+ 	return -EINVAL;
+ }
+ 
+--- a/cryptoapi/v1.0/nss_cryptoapi_ahash.c
++++ b/cryptoapi/v1.0/nss_cryptoapi_ahash.c
+@@ -35,7 +35,12 @@
+ #include <linux/debugfs.h>
+ 
+ #include <crypto/aes.h>
++#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 0)
+ #include <crypto/sha.h>
++#else
++#include <crypto/sha1.h>
++#include <crypto/sha2.h>
++#endif
+ #include <crypto/hash.h>
+ #include <crypto/algapi.h>
+ #include <crypto/scatterwalk.h>
+@@ -151,7 +156,7 @@ int nss_cryptoapi_ahash_setkey(struct cr
+ 	struct nss_cryptoapi *sc = &gbl_ctx;
+ 	struct nss_crypto_key auth;
+ 	struct nss_crypto_key cipher = { .algo = NSS_CRYPTO_CIPHER_AES_CBC };
+-	uint32_t flag = CRYPTO_TFM_RES_BAD_KEY_LEN;
++// 	uint32_t flag = CRYPTO_TFM_RES_BAD_KEY_LEN;
+ 	nss_crypto_status_t status;
+ 	uint32_t algo_keylen;
+ 
+@@ -203,7 +208,7 @@ int nss_cryptoapi_ahash_setkey(struct cr
+ 	if (status != NSS_CRYPTO_STATUS_OK) {
+ 		nss_cfi_err("nss_crypto_session_alloc failed - status: %d\n", status);
+ 		ctx->sid = NSS_CRYPTO_MAX_IDXS;
+-		flag = CRYPTO_TFM_RES_BAD_FLAGS;
++// 		flag = CRYPTO_TFM_RES_BAD_FLAGS;
+ 		goto fail;
+ 	}
+ 
+@@ -222,7 +227,7 @@ fail:
+ 	 * fails for a context, a new setkey should occur in a different
+ 	 * context while the old one gets freed.
+ 	 */
+-	crypto_ahash_set_flags(ahash, flag);
++// 	crypto_ahash_set_flags(ahash, flag);
+ 	return -EINVAL;
+ }
+ 
+--- a/cryptoapi/v1.0/nss_cryptoapi_debugfs.c
++++ b/cryptoapi/v1.0/nss_cryptoapi_debugfs.c
+@@ -38,7 +38,12 @@
+ #include <crypto/ctr.h>
+ #include <crypto/des.h>
+ #include <crypto/aes.h>
++#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 0)
+ #include <crypto/sha.h>
++#else
++#include <crypto/sha1.h>
++#include <crypto/sha2.h>
++#endif
+ #include <crypto/hash.h>
+ #include <crypto/algapi.h>
+ #include <crypto/aead.h>

package/qca-nss/qca-nss-crypto/Makefile

@@ -0,0 +1,77 @@
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=qca-nss-crypto
+PKG_RELEASE:=1
+
+PKG_SOURCE_URL:=https://git.codelinaro.org/clo/qsdk/oss/lklm/nss-crypto.git
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_VERSION:=3c5a574ce99d7f0b9f892002020f1bf9bfc57a81
+PKG_MIRROR_HASH:=skip
+PKG_VERSION:=1
+
+PKG_BUILD_PARALLEL:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+ifeq ($(CONFIG_TARGET_ipq),y)
+subtarget:=$(SUBTARGET)
+else
+subtarget:=$(CONFIG_TARGET_BOARD)
+endif
+
+# v1.0 is for Akronite
+# v2.0 is for Hawkeye/Cypress/Maple
+ifneq (, $(findstring $(subtarget), "ipq807x" "ipq807x_64" "ipq60xx" "ipq60xx_64" "ipq50xx" "ipq50xx_64"))
+NSS_CRYPTO_DIR:=v2.0
+else
+NSS_CRYPTO_DIR:=v1.0
+endif
+
+define KernelPackage/qca-nss-crypto/Default
+  SECTION:=kernel
+  CATEGORY:=Kernel modules
+  SUBMENU:=Network Devices
+  DEPENDS:=@TARGET_ipq806x||TARGET_ipq_ipq806x||TARGET_ipq_ipq807x||TARGET_ipq_ipq807x_64||TARGET_ipq807x||TARGET_ipq807x_64||TARGET_ipq_ipq50xx||TARGET_ipq_ipq50xx_64||TARGET_ipq_ipq60xx||TARGET_ipq_ipq60xx_64 \
+		   +@NSS_DRV_CRYPTO_ENABLE +kmod-qca-nss-drv
+endef
+
+define KernelPackage/qca-nss-crypto
+  $(call KernelPackage/qca-nss-crypto/Default)
+  TITLE:=Kernel driver for NSS crypto driver
+  FILES:=$(PKG_BUILD_DIR)/$(NSS_CRYPTO_DIR)/src/qca-nss-crypto.ko \
+	$(PKG_BUILD_DIR)/$(NSS_CRYPTO_DIR)/tool/qca-nss-crypto-tool.ko
+  AUTOLOAD:=$(call AutoLoad,52,qca-nss-crypto)
+endef
+
+define KernelPackage/qca-nss-crypto/Description
+This package contains a NSS crypto driver for QCA chipset
+endef
+
+define Build/InstallDev/qca-nss-crypto
+	$(INSTALL_DIR) $(1)/usr/include/qca-nss-crypto
+	$(CP) $(PKG_BUILD_DIR)/$(NSS_CRYPTO_DIR)/include/* $(1)/usr/include/qca-nss-crypto
+endef
+
+define Build/InstallDev
+	$(call Build/InstallDev/qca-nss-crypto,$(1))
+endef
+
+EXTRA_CFLAGS+= \
+	-DCONFIG_NSS_DEBUG_LEVEL=4 \
+	-I$(STAGING_DIR)/usr/include/qca-nss-crypto \
+	-I$(STAGING_DIR)/usr/include/qca-nss-drv \
+	-I$(PKG_BUILD_DIR)/$(NSS_CRYPTO_DIR)/include \
+	-I$(PKG_BUILD_DIR)/$(NSS_CRYPTO_DIR)/src
+
+define Build/Compile
+	$(KERNEL_MAKE) \
+		CC="$(TARGET_CC)" \
+		M="$(PKG_BUILD_DIR)" \
+		EXTRA_CFLAGS="$(EXTRA_CFLAGS)" \
+		NSS_CRYPTO_DIR=$(NSS_CRYPTO_DIR) \
+		SoC="$(subtarget)" \
+		modules
+endef
+
+$(eval $(call KernelPackage,qca-nss-crypto))

package/qca-nss/qca-nss-crypto/patches/0000-kernel-5.4-support.patch

@@ -0,0 +1,42 @@
+--- a/v1.0/tool/nss_crypto_bench.c
++++ b/v1.0/tool/nss_crypto_bench.c
+@@ -75,8 +75,8 @@ static DECLARE_WAIT_QUEUE_HEAD(tx_comp);
+ static DECLARE_WAIT_QUEUE_HEAD(tx_start);
+ static struct task_struct *tx_thread = NULL;
+ 
+-static struct timeval init_time;
+-static struct timeval comp_time;
++static struct timespec64 init_time;
++static struct timespec64 comp_time;
+ static spinlock_t op_lock;
+ static nss_crypto_handle_t crypto_hdl;
+ 
+@@ -782,7 +782,7 @@ static int crypto_bench_tx(void *arg)
+ 		crypto_bench_debug("#");
+ 
+ 		/* get start time */
+-		do_gettimeofday(&init_time);
++		ktime_get_real_ts64(&init_time);
+ 
+ 		/**
+ 		 * Request submission
+@@ -812,8 +812,8 @@ static int crypto_bench_tx(void *arg)
+ 		 * Calculate time and output the Mbps
+ 		 */
+ 
+-		init_usecs  = (init_time.tv_sec * 1000 * 1000) + init_time.tv_usec;
+-		comp_usecs  = (comp_time.tv_sec * 1000 * 1000) + comp_time.tv_usec;
++		init_usecs  = (init_time.tv_sec * 1000 * 1000) + (init_time.tv_nsec / NSEC_PER_USEC);
++		comp_usecs  = (comp_time.tv_sec * 1000 * 1000) + (comp_time.tv_nsec / NSEC_PER_USEC);
+ 		delta_usecs = comp_usecs - init_usecs;
+ 
+ 		reqs_completed = param.num_reqs - atomic_read(&tx_reqs);
+@@ -870,7 +870,7 @@ static void crypto_bench_done(struct nss
+ 	nss_crypto_buf_free(crypto_hdl, buf);
+ 
+ 	if (atomic_dec_and_test(&tx_reqs)) {
+-		do_gettimeofday(&comp_time);
++		ktime_get_real_ts64(&comp_time);
+ 
+ 		wake_up_interruptible(&tx_comp);
+ 		param.num_loops--;

package/qca-nss/qca-nss-crypto/patches/0001-nss-crypto-fix-SHA1-header-include.patch

@@ -0,0 +1,27 @@
+From 0c6c593783f2d64a429ad38523661a915aa462fc Mon Sep 17 00:00:00 2001
+From: Robert Marko <robimarko@gmail.com>
+Date: Sun, 13 Mar 2022 13:44:47 +0100
+Subject: [PATCH 1/3] nss-crypto: fix SHA1 header include
+
+SHA1 header has been merged to the generic SHA one,
+and with that the cryptohash.h was dropped.
+
+So, fix include in kernels 5.8 and newer.
+
+Signed-off-by: Robert Marko <robimarko@gmail.com>
+---
+ v2.0/src/nss_crypto_hlos.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/v2.0/src/nss_crypto_hlos.h
++++ b/v2.0/src/nss_crypto_hlos.h
+@@ -55,7 +55,9 @@
+ #include <linux/interrupt.h>
+ #include <linux/delay.h>
+ #include <linux/vmalloc.h>
++#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 8, 0)
+ #include <linux/cryptohash.h>
++#endif
+ #include <crypto/sha.h>
+ #include <crypto/aes.h>
+ #include <crypto/des.h>

package/qca-nss/qca-nss-crypto/patches/0002-nss-crypto-replace-ioremap_nocache-with-ioremap.patch

@@ -0,0 +1,94 @@
+From 8baa8e747247403c6f814ea5dc3e463c70e0415f Mon Sep 17 00:00:00 2001
+From: Robert Marko <robimarko@gmail.com>
+Date: Tue, 8 Jun 2021 22:14:34 +0200
+Subject: [PATCH 2/3] nss-crypto: replace ioremap_nocache() with ioremap
+
+ioremap_nocache() was dropped in kernel 5.5 as regular
+ioremap() was exactly the same.
+
+So, simply replace all of the ioremap_nocache() calls
+with ioremap().
+
+Signed-off-by: Robert Marko <robimarko@gmail.com>
+---
+ v1.0/src/nss_crypto_dtsi.c               | 4 ++--
+ v1.0/src/nss_crypto_platform.c           | 4 ++--
+ v2.0/src/hal/ipq50xx/nss_crypto_ce5.c    | 4 ++--
+ v2.0/src/hal/ipq60xx/nss_crypto_eip197.c | 2 +-
+ v2.0/src/hal/ipq807x/nss_crypto_eip197.c | 2 +-
+ 5 files changed, 8 insertions(+), 8 deletions(-)
+
+--- a/v1.0/src/nss_crypto_dtsi.c
++++ b/v1.0/src/nss_crypto_dtsi.c
+@@ -311,11 +311,11 @@ static int nss_crypto_probe(struct platf
+ 	e_ctrl->dev = &pdev->dev;
+ 
+ 	e_ctrl->cmd_base = crypto_res.start;
+-	e_ctrl->crypto_base = ioremap_nocache(e_ctrl->cmd_base, resource_size(&crypto_res));
++	e_ctrl->crypto_base = ioremap(e_ctrl->cmd_base, resource_size(&crypto_res));
+ 	nss_crypto_assert(e_ctrl->crypto_base);
+ 
+ 	e_ctrl->bam_pbase = bam_res.start;
+-	e_ctrl->bam_base = ioremap_nocache(e_ctrl->bam_pbase, resource_size(&bam_res));
++	e_ctrl->bam_base = ioremap(e_ctrl->bam_pbase, resource_size(&bam_res));
+ 	nss_crypto_assert(e_ctrl->bam_base);
+ 
+ 	e_ctrl->bam_ee = bam_ee;
+--- a/v1.0/src/nss_crypto_platform.c
++++ b/v1.0/src/nss_crypto_platform.c
+@@ -134,11 +134,11 @@ static int nss_crypto_probe(struct platf
+ 	e_ctrl->bam_ee = res->bam_ee;
+ 
+ 	e_ctrl->cmd_base = res->crypto_pbase;
+-	e_ctrl->crypto_base = ioremap_nocache(res->crypto_pbase, res->crypto_pbase_sz);
++	e_ctrl->crypto_base = ioremap(res->crypto_pbase, res->crypto_pbase_sz);
+ 	nss_crypto_assert(e_ctrl->crypto_base);
+ 
+ 	e_ctrl->bam_pbase = res->bam_pbase;
+-	e_ctrl->bam_base = ioremap_nocache(res->bam_pbase, res->bam_pbase_sz);
++	e_ctrl->bam_base = ioremap(res->bam_pbase, res->bam_pbase_sz);
+ 	nss_crypto_assert(e_ctrl->bam_base);
+ 
+ 	/*
+--- a/v2.0/src/hal/ipq50xx/nss_crypto_ce5.c
++++ b/v2.0/src/hal/ipq50xx/nss_crypto_ce5.c
+@@ -288,7 +288,7 @@ int nss_crypto_ce5_engine_init(struct pl
+ 	 * remap the I/O addresses for crypto
+ 	 */
+ 	eng->crypto_paddr = crypto_res->start;
+-	eng->crypto_vaddr = ioremap_nocache(crypto_res->start, resource_size(crypto_res));
++	eng->crypto_vaddr = ioremap(crypto_res->start, resource_size(crypto_res));
+ 	if (!eng->crypto_vaddr) {
+ 		nss_crypto_warn("%px: unable to remap crypto_addr(0x%px)\n", node, (void *)eng->crypto_paddr);
+ 		nss_crypto_engine_free(eng);
+@@ -299,7 +299,7 @@ int nss_crypto_ce5_engine_init(struct pl
+ 	 * remap the I/O addresses for bam
+ 	 */
+ 	eng->dma_paddr = bam_res->start;
+-	eng->dma_vaddr = ioremap_nocache(bam_res->start, resource_size(bam_res));
++	eng->dma_vaddr = ioremap(bam_res->start, resource_size(bam_res));
+ 	if (!eng->dma_vaddr) {
+ 		iounmap(eng->crypto_vaddr);
+ 		nss_crypto_warn("%px: unable to remap dma_addr(0x%px)\n", node, (void *)eng->dma_paddr);
+--- a/v2.0/src/hal/ipq60xx/nss_crypto_eip197.c
++++ b/v2.0/src/hal/ipq60xx/nss_crypto_eip197.c
+@@ -490,7 +490,7 @@ int nss_crypto_eip197_engine_init(struct
+ 	 * remap the I/O addresses
+ 	 */
+ 	paddr = res->start + offset;
+-	vaddr = ioremap_nocache(paddr, resource_size(res));
++	vaddr = ioremap(paddr, resource_size(res));
+ 	if (!vaddr) {
+ 		nss_crypto_warn("%px: unable to remap crypto_addr(0x%px)\n", node, (void *)paddr);
+ 		return -EIO;
+--- a/v2.0/src/hal/ipq807x/nss_crypto_eip197.c
++++ b/v2.0/src/hal/ipq807x/nss_crypto_eip197.c
+@@ -490,7 +490,7 @@ int nss_crypto_eip197_engine_init(struct
+ 	 * remap the I/O addresses
+ 	 */
+ 	paddr = res->start + offset;
+-	vaddr = ioremap_nocache(paddr, resource_size(res));
++	vaddr = ioremap(paddr, resource_size(res));
+ 	if (!vaddr) {
+ 		nss_crypto_warn("%px: unable to remap crypto_addr(0x%px)\n", node, (void *)paddr);
+ 		return -EIO;

package/qca-nss/qca-nss-crypto/patches/0003-nss-crypto-fix-SHA-header-include-in-5.15.patch

@@ -0,0 +1,44 @@
+From 96da3ca01ac172e5d858209b3d3d9aefad04423c Mon Sep 17 00:00:00 2001
+From: Robert Marko <robimarko@gmail.com>
+Date: Sun, 13 Mar 2022 13:47:24 +0100
+Subject: [PATCH 3/3] nss-crypto: fix SHA header include in 5.15
+
+SHA header was split into SHA-1 and SHA-2 headers in kernel 5.11, so
+fix the include for newer kernels.
+
+Signed-off-by: Robert Marko <robimarko@gmail.com>
+---
+ v2.0/src/nss_crypto_ctrl.c | 6 ++++++
+ v2.0/src/nss_crypto_hlos.h | 4 ++++
+ 2 files changed, 10 insertions(+)
+
+--- a/v2.0/src/nss_crypto_ctrl.c
++++ b/v2.0/src/nss_crypto_ctrl.c
+@@ -38,7 +38,13 @@
+ #include <linux/debugfs.h>
+ #include <linux/log2.h>
+ #include <linux/completion.h>
++#include <linux/version.h>
++#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 0)
+ #include <crypto/sha.h>
++#else
++#include <crypto/sha1.h>
++#include <crypto/sha2.h>
++#endif
+ #include <crypto/des.h>
+ #include <crypto/aes.h>
+ #include <crypto/md5.h>
+--- a/v2.0/src/nss_crypto_hlos.h
++++ b/v2.0/src/nss_crypto_hlos.h
+@@ -58,7 +58,11 @@
+ #if LINUX_VERSION_CODE < KERNEL_VERSION(5, 8, 0)
+ #include <linux/cryptohash.h>
+ #endif
++#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 0)
+ #include <crypto/sha.h>
++#else
++#include <crypto/sha1.h>
++#endif
+ #include <crypto/aes.h>
+ #include <crypto/des.h>
+ #include <crypto/ghash.h>

package/qca-nss/qca-nss-crypto/patches/0004-fix-conversion.patch

@@ -0,0 +1,11 @@
+--- a/v1.0/src/nss_crypto_ctrl.c
++++ b/v1.0/src/nss_crypto_ctrl.c
+@@ -1223,7 +1223,7 @@ enum nss_crypto_max_ivlen nss_crypto_get
+ 
+ 	idx = &ctrl->idx_info[session_idx];
+ 	if (nss_crypto_chk_idx_isfree(idx))
+-		return NSS_CRYPTO_MAX_BLKLEN_NULL;
++		return NSS_CRYPTO_MAX_IVLEN_NULL;
+ 
+ 	return idx->iv_len;
+ }

package/qca-nss/qca-nss-drv/Config.in

@@ -19,10 +19,10 @@ comment "Build Options"
 #	bool
 #	default n
 #	prompt "Enable CLMAP"
-#config NSS_DRV_CRYPTO_ENABLE
-#	bool
-#	default n
-#	prompt "Enable CRYPTO"
+config NSS_DRV_CRYPTO_ENABLE
+	bool
+	default n
+	prompt "Enable CRYPTO"
 #config NSS_DRV_DTLS_ENABLE
 #	bool
 #	default n