[PATCH] crypto: padlock-sha - Disable broken driver

[PATCH] crypto: padlock-sha - Disable broken driver

[Eric Biggers]

This driver is known broken, as it computes the wrong SHA-1 and SHA-256
hashes.  Correctness needs to be the first priority for cryptographic
code.  Just disable it, allowing the standard (and actually correct)
SHA-1 and SHA-256 implementations to take priority.

Reported-by: larryw3i <larryw3i@yeah.net>
Closes: https://lore.kernel.org/r/3af01fec-b4d3-4d0c-9450-2b722d4bbe39@yeah.net/
Closes: https://lists.debian.org/debian-kernel/2025/09/msg00019.html
Closes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113996
Cc: stable@vger.kernel.org
Cc: AlanSong-oc@zhaoxin.com
Cc: CobeChen@zhaoxin.com
Cc: GeorgeXue@zhaoxin.com
Cc: HansHu@zhaoxin.com
Cc: LeoLiu-oc@zhaoxin.com
Cc: TonyWWang-oc@zhaoxin.com
Cc: YunShen@zhaoxin.com
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---

This patch is targeting crypto/master

 drivers/crypto/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/crypto/Kconfig b/drivers/crypto/Kconfig
index a6688d54984c..16ea3e741350 100644
--- a/drivers/crypto/Kconfig
+++ b/drivers/crypto/Kconfig
@@ -38,11 +38,11 @@ config CRYPTO_DEV_PADLOCK_AES
 	  If unsure say M. The compiled module will be
 	  called padlock-aes.
 
 config CRYPTO_DEV_PADLOCK_SHA
 	tristate "PadLock driver for SHA1 and SHA256 algorithms"
-	depends on CRYPTO_DEV_PADLOCK
+	depends on CRYPTO_DEV_PADLOCK && BROKEN
 	select CRYPTO_HASH
 	select CRYPTO_SHA1
 	select CRYPTO_SHA256
 	help
 	  Use VIA PadLock for SHA1/SHA256 algorithms.

base-commit: 59b0afd01b2ce353ab422ea9c8375b03db313a21
-- 
2.51.2

Re: [PATCH] crypto: padlock-sha - Disable broken driver

[AlanSong-oc]

On 11/17/2025 2:39 AM, Eric Biggers wrote:

> This driver is known broken, as it computes the wrong SHA-1 and SHA-256
> hashes.  Correctness needs to be the first priority for cryptographic
> code.  Just disable it, allowing the standard (and actually correct)
> SHA-1 and SHA-256 implementations to take priority.
>  

Following Herbert Xu's 
suggestion（https://lore.kernel.org/linux-crypto/aFkdNoQFmr8-x4cu@gondor.apana.org.au/）, 
we have prepared a new version of the patch to address this issue. Since 
the code needs to remain compatible with older platforms, we are still 
conducting extensive testing. Once the testing is complete, I will 
submit the finalized patch immediately.

Best Regards
AlanSong-oc

Re: [PATCH] crypto: padlock-sha - Disable broken driver

[larryw3i]

On 11/17/25 17:03, AlanSong-oc wrote:
> I will submit the finalized patch immediately. 
Dear AlanSong-oc,

I also want to nag a few more words. I think after a period of time, 
most of your machines without external graphics cards may not be able to 
install Debian properly (I don't know if KX-7000 is the same). It seems 
that GNOME 49 no longer uses X11 by default but Wayland. However, as far 
as I know, Wayland requires a graphics card driver to work. I have over 
ten laptops with your CPUs built-in here. The operating system I 
installed is Debian testing, but now GNOME is not working and I have to 
use XFCE4.  😭

Regards,

larryw3i

Re: [PATCH] crypto: padlock-sha - Disable broken driver

[Herbert Xu]

On Sun, Nov 16, 2025 at 10:39:26AM -0800, Eric Biggers wrote:
> This driver is known broken, as it computes the wrong SHA-1 and SHA-256
> hashes.  Correctness needs to be the first priority for cryptographic
> code.  Just disable it, allowing the standard (and actually correct)
> SHA-1 and SHA-256 implementations to take priority.

...
 
> diff --git a/drivers/crypto/Kconfig b/drivers/crypto/Kconfig
> index a6688d54984c..16ea3e741350 100644
> --- a/drivers/crypto/Kconfig
> +++ b/drivers/crypto/Kconfig
> @@ -38,11 +38,11 @@ config CRYPTO_DEV_PADLOCK_AES
>  	  If unsure say M. The compiled module will be
>  	  called padlock-aes.
>  
>  config CRYPTO_DEV_PADLOCK_SHA
>  	tristate "PadLock driver for SHA1 and SHA256 algorithms"
> -	depends on CRYPTO_DEV_PADLOCK
> +	depends on CRYPTO_DEV_PADLOCK && BROKEN

It's only broken on ZHAOXIN, so this should be conditional on
CPU_SUP_ZHAOXIN.

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [PATCH] crypto: padlock-sha - Disable broken driver

[Eric Biggers]

On Tue, Nov 18, 2025 at 11:34:50AM +0800, Herbert Xu wrote:
> On Sun, Nov 16, 2025 at 10:39:26AM -0800, Eric Biggers wrote:
> > This driver is known broken, as it computes the wrong SHA-1 and SHA-256
> > hashes.  Correctness needs to be the first priority for cryptographic
> > code.  Just disable it, allowing the standard (and actually correct)
> > SHA-1 and SHA-256 implementations to take priority.
> 
> ...
>  
> > diff --git a/drivers/crypto/Kconfig b/drivers/crypto/Kconfig
> > index a6688d54984c..16ea3e741350 100644
> > --- a/drivers/crypto/Kconfig
> > +++ b/drivers/crypto/Kconfig
> > @@ -38,11 +38,11 @@ config CRYPTO_DEV_PADLOCK_AES
> >  	  If unsure say M. The compiled module will be
> >  	  called padlock-aes.
> >  
> >  config CRYPTO_DEV_PADLOCK_SHA
> >  	tristate "PadLock driver for SHA1 and SHA256 algorithms"
> > -	depends on CRYPTO_DEV_PADLOCK
> > +	depends on CRYPTO_DEV_PADLOCK && BROKEN
> 
> It's only broken on ZHAOXIN, so this should be conditional on
> CPU_SUP_ZHAOXIN.
> 

I.e., it's apparently broken on at least every CPU that has this
hardware that's been released in the last 14 years.  How confident are
you that it still works on VIA CPUs from 2011 and earlier and is worth
maintaining for them?

- Eric

Re: [PATCH] crypto: padlock-sha - Disable broken driver

[AlanSong-oc]

On 11/17/2025 6:08 PM, larryw3i wrote:
> On 11/17/25 17:03, AlanSong-oc wrote:
>> I will submit the finalized patch immediately.
> Dear AlanSong-oc,
> 
> I also want to nag a few more words. I think after a period of time,
> most of your machines without external graphics cards may not be able to
> install Debian properly (I don't know if KX-7000 is the same). It seems
> that GNOME 49 no longer uses X11 by default but Wayland. However, as far
> as I know, Wayland requires a graphics card driver to work. I have over
> ten laptops with your CPUs built-in here. The operating system I
> installed is Debian testing, but now GNOME is not working and I have to
> use XFCE4.  😭

Thank you for reporting the issue on the Zhaoxin platform. However, I
would suggest not discussing the unrelated display problem in this patch
email. Regarding the display issue you encountered, as far as I know,
using Wayland for display does not require a dedicated graphics driver.
Wayland can operate using the generic SimpleDRM driver. However, I have
not checked whether SimpleDRM is enabled or available in Debian. If you
need the proper graphics driver for the Zhaoxin platform, I recommend
contacting the OEM or Zhaoxin customer support.

Best Regards
AlanSong-oc

Re: [PATCH] crypto: padlock-sha - Disable broken driver

[larryw3i]

Thank you! AlanSong-oc,

I just noticed SimpleDRM, I'll try it.

Regards,

larryw3i

On 11/18/25 16:22, AlanSong-oc wrote:
> generic SimpleDRM driver

Re: [PATCH] crypto: padlock-sha - Disable broken driver

[AlanSong-oc]

On 11/18/2025 12:02 PM, Eric Biggers wrote:
> On Tue, Nov 18, 2025 at 11:34:50AM +0800, Herbert Xu wrote:
>> On Sun, Nov 16, 2025 at 10:39:26AM -0800, Eric Biggers wrote:
>>> This driver is known broken, as it computes the wrong SHA-1 and SHA-256
>>> hashes.  Correctness needs to be the first priority for cryptographic
>>> code.  Just disable it, allowing the standard (and actually correct)
>>> SHA-1 and SHA-256 implementations to take priority.
>>
>> ...
>>
>>> diff --git a/drivers/crypto/Kconfig b/drivers/crypto/Kconfig
>>> index a6688d54984c..16ea3e741350 100644
>>> --- a/drivers/crypto/Kconfig
>>> +++ b/drivers/crypto/Kconfig
>>> @@ -38,11 +38,11 @@ config CRYPTO_DEV_PADLOCK_AES
>>>       If unsure say M. The compiled module will be
>>>       called padlock-aes.
>>>
>>>  config CRYPTO_DEV_PADLOCK_SHA
>>>     tristate "PadLock driver for SHA1 and SHA256 algorithms"
>>> -   depends on CRYPTO_DEV_PADLOCK
>>> +   depends on CRYPTO_DEV_PADLOCK && BROKEN
>>
>> It's only broken on ZHAOXIN, so this should be conditional on
>> CPU_SUP_ZHAOXIN.
>>
> 
> I.e., it's apparently broken on at least every CPU that has this
> hardware that's been released in the last 14 years.  How confident are
> you that it still works on VIA CPUs from 2011 and earlier and is worth
> maintaining for them?

Given the lack of a verification platform for the current padlock-sha
driver, and the fact that these CPUs are rarely used today, extending
the existing padlock-sha driver to support the ZHAOXIN platform is very
difficult. To address the issues encountered when using the padlock-sha
driver on the ZHAOXIN platform, would it be acceptable to submit a
completely new driver that aligns with the previous advice?

Best Regards
AlanSong-oc

Re: [PATCH] crypto: padlock-sha - Disable broken driver

[Herbert Xu]

On Wed, Dec 17, 2025 at 12:30:57PM +0800, AlanSong-oc wrote:
>
> Given the lack of a verification platform for the current padlock-sha
> driver, and the fact that these CPUs are rarely used today, extending
> the existing padlock-sha driver to support the ZHAOXIN platform is very
> difficult. To address the issues encountered when using the padlock-sha
> driver on the ZHAOXIN platform, would it be acceptable to submit a
> completely new driver that aligns with the previous advice?

Perhaps it would be easier if you just added Zhaoxin support to
lib/crypto instead?

Cheers,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [PATCH] crypto: padlock-sha - Disable broken driver

[AlanSong-oc]

On 12/17/2025 12:56 PM, Herbert Xu wrote:
> On Wed, Dec 17, 2025 at 12:30:57PM +0800, AlanSong-oc wrote:
>>
>> Given the lack of a verification platform for the current padlock-sha
>> driver, and the fact that these CPUs are rarely used today, extending
>> the existing padlock-sha driver to support the ZHAOXIN platform is very
>> difficult. To address the issues encountered when using the padlock-sha
>> driver on the ZHAOXIN platform, would it be acceptable to submit a
>> completely new driver that aligns with the previous advice?
> 
> Perhaps it would be easier if you just added Zhaoxin support to
> lib/crypto instead?

Sincere thanks for your helpful suggestion. I will add ZHAOXIN platform
support to lib/crypto.

Best Regards
AlanSong-oc