From f3cc9406ca14b252ab5ea1e81a5e5d8e253c7c1a Mon Sep 17 00:00:00 2001
From: Kenneth Kasilag
Date: Sat, 11 Apr 2026 03:29:42 +0000
Subject: [PATCH] openssh: allow cryptodev ioctls

When OpenSSL is built with the devcrypto engine, crypto operations are serviced via ioctl() calls on /dev/crypto.

The pre-auth child inherits the open fd from the monitor but the seccomp filter only whitelists FIONREAD and TIOCGWINSZ, causing any cryptodev ioctl to trigger SIGSYS.

The child is killed immediately after authentication succeeds, during the keystate transfer phase where it first attempts to perform a cipher or MAC operation through the devcrypto engine:
```
 monitor_child_preauth: preauth child terminated by signal 31
```

As this was tested on the Airoha AN7581 with Cortex-A53 cores, signal 31 on aarch64 is SIGSYS, confirming seccomp violation rather than a code defect.

Add a BPF rule that allows ioctl commands with type byte 'c' (0x63), which is the ioctl type used by all cryptodev operations (CIOCGSESSION, CIOCCRYPT, CIOCFSESSION, etc.).

The rule matches on the type byte rather than the exact ioctl command values because cryptodev is an out-of-tree kernel module and its header is not available at OpenSSH build time.

The rule is gated on ALLOW_CRYPTODEV_IOCTL, defined by the build system only when libopenssl-devcrypto is enabled.

Signed-off-by: Kenneth Kasilag
---
 net/openssh/Makefile | 6 +-
 .../patches/910-seccomp_allow_ioctl.patch | 62 +++++++++++++++++++
 2 files changed, 67 insertions(+), 1 deletion(-)
 create mode 100644 net/openssh/patches/910-seccomp_allow_ioctl.patch

diff --git a/net/openssh/Makefile b/net/openssh/Makefile
index 050c358288479e..bdf6725e005f49 100644
--- a/net/openssh/Makefile
+++ b/net/openssh/Makefile
@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=openssh
 PKG_REALVERSION:=10.3p1
 PKG_VERSION:=10.3_p1
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_REALVERSION).tar.gz
 PKG_SOURCE_URL:=https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
@@ -201,6 +201,10 @@ ifeq ($(BUILD_VARIANT),with-pam)
 TARGET_LDFLAGS += -lpthread
 endif
+ifeq ($(CONFIG_PACKAGE_libopenssl-devcrypto),y)
+TARGET_CFLAGS += -DALLOW_CRYPTODEV_IOCTL
+endif
+
 define Build/Compile
 $(MAKE) -C $(PKG_BUILD_DIR) \
 DESTDIR="$(PKG_INSTALL_DIR)" \
diff --git a/net/openssh/patches/910-seccomp_allow_ioctl.patch b/net/openssh/patches/910-seccomp_allow_ioctl.patch
new file mode 100644
index 00000000000000..9ae032e386f043
--- /dev/null
+++ b/net/openssh/patches/910-seccomp_allow_ioctl.patch
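Review bot: The new `ifeq ($(CONFIG_PACKAGE_libopenssl-devcrypto),y)` block in the second hunk makes the sshd build depend on a config symbol that, as far as I can tell from this hunk, is not listed in `PKG_CONFIG_DEPENDS`, so toggling the devcrypto package will not trigger an openssh rebuild and an image can ship an sshd whose sandbox gate does not match its OpenSSL; add `PKG_CONFIG_DEPENDS += CONFIG_PACKAGE_libopenssl-devcrypto` next to the package's existing config dependencies (that block lies outside this hunk). The gate also widens the pre-auth sandbox of every sshd built with the package selected, including systems where the engine is never configured in openssl.cnf, which is worth stating at the site: `# devcrypto engine services crypto via /dev/crypto ioctls; widen the pre-auth seccomp filter accordingly`.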
@@ -0,0 +1,62 @@
+From 275730c69326cefeb62aedc3a08cec88ff9c295e Mon Sep 17 00:00:00 2001
+From: Kenneth Kasilag
+Date: Sat, 11 Apr 2026 03:29:42 +0000
+Subject: [PATCH] openssh: allow cryptodev ioctls
+
+When OpenSSL is built with the devcrypto engine, crypto
+operations are serviced via ioctl() calls on /dev/crypto.
+
+The pre-auth child inherits the open fd from the monitor
+but the seccomp filter only whitelists FIONREAD and
+TIOCGWINSZ, causing any cryptodev ioctl to trigger SIGSYS.
+
+The child is killed immediately after authentication
+succeeds, during the keystate transfer phase where it
+first attempts to perform a cipher or MAC operation
+through the devcrypto engine:
+```
+ monitor_child_preauth: preauth child terminated
+ by signal 31
+```
+
+As this was tested on the Airoha AN7581 with Cortex-A53
+cores, signal 31 on aarch64 is SIGSYS, confirming seccomp
+violation rather than a code defect.
+
+Add a BPF rule that allows ioctl commands with type byte
+'c' (0x63), which is the ioctl type used by all cryptodev
+operations (CIOCGSESSION, CIOCCRYPT, CIOCFSESSION, etc.).
+
+The rule matches on the type byte rather than the exact
+ioctl command values because cryptodev is an out-of-tree
+kernel module and its header is not available at OpenSSH
+build time.
+
+The rule is gated on ALLOW_CRYPTODEV_IOCTL, defined by
+the build system only when libopenssl-devcrypto is enabled.
+
+Signed-off-by: Kenneth Kasilag
+---
+ sandbox-seccomp-filter.c | 11 +++++++++++
+ 1 files changed, 11 insertions(+)
+
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -452,6 +452,17 @@ static const struct sock_filter preauth_
+ SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
+ SC_DENY(__NR_socketcall, EACCES),
+ #endif
++#if defined(__NR_ioctl) && defined(ALLOW_CRYPTODEV_IOCTL)
++ /* Allow ioctls with type 'c' for /dev/crypto */
++ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ioctl, 0, 6),
++ BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
++ offsetof(struct seccomp_data, args[1])),
++ BPF_STMT(BPF_ALU+BPF_AND+BPF_K, 0x0000FF00),
++ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x00006300, 0, 1),
++ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
++ BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
++ offsetof(struct seccomp_data, nr)),
++#endif
+ #if defined(__NR_ioctl) && defined(__s390__)
+ /* Allow ioctls for ICA crypto card on s390 */
+ SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
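Review bot: The opening `BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ioctl, 0, 6)` of the new block jumps one instruction too far: only five instructions follow it inside the `#if` (the args[1] load, the AND, the type-byte JEQ, the RET and the nr reload), whereas the neighbouring `SC_ALLOW_ARG` rules use jf=6 because six instructions follow their opening jump. For every syscall that is not ioctl the filter therefore resumes at the second instruction of whatever comes next — with the s390 block compiled in that bypasses the syscall-number check of its first `SC_ALLOW_ARG`, and on a build where only the default-deny return follows (presumably the tested aarch64 target) the jump falls off the end of the program, the kernel rejects the filter with EINVAL, and OpenSSH's sandbox code as far as I recall only debug-logs a failed PR_SET_SECCOMP, so the child would run with no sandbox at all and the cryptodev ioctls would merely appear to work. The fix is `BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ioctl, 0, 5),`; please re-test with the sshd debug log showing that prctl(PR_SET_SECCOMP) succeeded and that an ioctl with a different type byte still terminates the child. The argument load should also follow the `SC_ALLOW_ARG` convention of `offsetof(struct seccomp_data, args[1]) + ARG_LO_OFFSET`, since the bare offset reads the high word on big-endian 64-bit targets and the rule would never match there. Finally, matching only the type byte admits every ioctl whose type is 'c' on any descriptor the child holds, not just /dev/crypto, which is wider than the exact-command matches used for the s390 cards; the message explains why, but the code comment should say so too, e.g. `/* Type 'c' is shared with other drivers; matches on any fd, see commit message */`.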