]> Git Repo - linux.git/blame - crypto/Kconfig
projects / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
crypto: jitter - add interface for gathering of raw entropy
[linux.git] / crypto / Kconfig
CommitLineData
b2441318 1# SPDX-License-Identifier: GPL-2.0
685784aa
DW		 2#
3# Generic algorithms support
4#
5config XOR_BLOCKS
6 tristate
7
1da177e4 8#
9bc89cd8 9# async_tx api: hardware offloaded memory transfer/transform support
1da177e4 10#
9bc89cd8 11source "crypto/async_tx/Kconfig"
1da177e4 12
9bc89cd8
DW		 13#
14# Cryptographic API Configuration
15#
2e290f43 16menuconfig CRYPTO
c3715cb9 17 tristate "Cryptographic API"
7033b937 18 select CRYPTO_LIB_UTILS
1da177e4
LT		 19 help
20 This option provides the core Cryptographic API.
21
cce9e06d
HX		 22if CRYPTO
23
f1f142ad 24menu "Crypto core or helper"
584fffc8 25
ccb778e1
NH		 26config CRYPTO_FIPS
27 bool "FIPS 200 compliance"
f2c89a10 28 depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
1f696097 29 depends on (MODULE_SIG || !MODULES)
ccb778e1 30 help
d99324c2
GU		 31 This option enables the fips boot option which is
32 required if you want the system to operate in a FIPS 200
ccb778e1 33 certification. You should say no unless you know what
e84c5480 34 this is.
ccb778e1 35
5a44749f
VD		 36config CRYPTO_FIPS_NAME
37 string "FIPS Module Name"
38 default "Linux Kernel Cryptographic API"
39 depends on CRYPTO_FIPS
40 help
41 This option sets the FIPS Module name reported by the Crypto API via
42 the /proc/sys/crypto/fips_name file.
43
44config CRYPTO_FIPS_CUSTOM_VERSION
45 bool "Use Custom FIPS Module Version"
46 depends on CRYPTO_FIPS
47 default n
48
49config CRYPTO_FIPS_VERSION
50 string "FIPS Module Version"
51 default "(none)"
52 depends on CRYPTO_FIPS_CUSTOM_VERSION
53 help
54 This option provides the ability to override the FIPS Module Version.
55 By default the KERNELRELEASE value is used.
56
cce9e06d
HX		 57config CRYPTO_ALGAPI
58 tristate
6a0fcbb4 59 select CRYPTO_ALGAPI2
cce9e06d
HX		 60 help
61 This option provides the API for cryptographic algorithms.
62
6a0fcbb4
HX		 63config CRYPTO_ALGAPI2
64 tristate
65
1ae97820
HX		 66config CRYPTO_AEAD
67 tristate
6a0fcbb4 68 select CRYPTO_AEAD2
1ae97820
HX		 69 select CRYPTO_ALGAPI
70
6a0fcbb4
HX		 71config CRYPTO_AEAD2
72 tristate
73 select CRYPTO_ALGAPI2
149a3971
HX		 74 select CRYPTO_NULL2
75 select CRYPTO_RNG2
6a0fcbb4 76
b95bba5d 77config CRYPTO_SKCIPHER
5cde0af2 78 tristate
b95bba5d 79 select CRYPTO_SKCIPHER2
5cde0af2 80 select CRYPTO_ALGAPI
6a0fcbb4 81
b95bba5d 82config CRYPTO_SKCIPHER2
6a0fcbb4
HX		 83 tristate
84 select CRYPTO_ALGAPI2
85 select CRYPTO_RNG2
5cde0af2 86
055bcee3
HX		 87config CRYPTO_HASH
88 tristate
6a0fcbb4 89 select CRYPTO_HASH2
055bcee3
HX		 90 select CRYPTO_ALGAPI
91
6a0fcbb4
HX		 92config CRYPTO_HASH2
93 tristate
94 select CRYPTO_ALGAPI2
95
17f0f4a4
NH		 96config CRYPTO_RNG
97 tristate
6a0fcbb4 98 select CRYPTO_RNG2
17f0f4a4
NH		 99 select CRYPTO_ALGAPI
100
6a0fcbb4
HX		 101config CRYPTO_RNG2
102 tristate
103 select CRYPTO_ALGAPI2
104
401e4238
HX		 105config CRYPTO_RNG_DEFAULT
106 tristate
107 select CRYPTO_DRBG_MENU
108
3c339ab8
TS		 109config CRYPTO_AKCIPHER2
110 tristate
111 select CRYPTO_ALGAPI2
112
113config CRYPTO_AKCIPHER
114 tristate
115 select CRYPTO_AKCIPHER2
116 select CRYPTO_ALGAPI
117
4e5f2c40
SB		 118config CRYPTO_KPP2
119 tristate
120 select CRYPTO_ALGAPI2
121
122config CRYPTO_KPP
123 tristate
124 select CRYPTO_ALGAPI
125 select CRYPTO_KPP2
126
2ebda74f
GC		 127config CRYPTO_ACOMP2
128 tristate
129 select CRYPTO_ALGAPI2
8cd579d2 130 select SGL_ALLOC
2ebda74f
GC		 131
132config CRYPTO_ACOMP
133 tristate
134 select CRYPTO_ALGAPI
135 select CRYPTO_ACOMP2
136
2b8c19db
HX		 137config CRYPTO_MANAGER
138 tristate "Cryptographic algorithm manager"
6a0fcbb4 139 select CRYPTO_MANAGER2
2b8c19db
HX		 140 help
141 Create default cryptographic template instantiations such as
142 cbc(aes).
143
6a0fcbb4
HX		 144config CRYPTO_MANAGER2
145 def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
146 select CRYPTO_AEAD2
147 select CRYPTO_HASH2
b95bba5d 148 select CRYPTO_SKCIPHER2
946cc463 149 select CRYPTO_AKCIPHER2
4e5f2c40 150 select CRYPTO_KPP2
2ebda74f 151 select CRYPTO_ACOMP2
6a0fcbb4 152
a38f7907
SK		 153config CRYPTO_USER
154 tristate "Userspace cryptographic algorithm configuration"
5db017aa 155 depends on NET
a38f7907
SK		 156 select CRYPTO_MANAGER
157 help
d19978f5 158 Userspace configuration for cryptographic instantiations such as
a38f7907
SK		 159 cbc(aes).
160
326a6346
HX		 161config CRYPTO_MANAGER_DISABLE_TESTS
162 bool "Disable run-time self tests"
00ca28a5 163 default y
0b767f96 164 help
326a6346
HX		 165 Disable run-time self tests that normally take place at
166 algorithm registration.
0b767f96 167
5b2706a4
EB		 168config CRYPTO_MANAGER_EXTRA_TESTS
169 bool "Enable extra run-time crypto self tests"
6569e309 170 depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER
5b2706a4
EB		 171 help
172 Enable extra run-time self tests of registered crypto algorithms,
173 including randomized fuzz tests.
174
175 This is intended for developer use only, as these tests take much
176 longer to run than the normal self tests.
177
1da177e4
LT		 178config CRYPTO_NULL
179 tristate "Null algorithms"
149a3971 180 select CRYPTO_NULL2
1da177e4
LT		 181 help
182 These are 'Null' algorithms, used by IPsec, which do nothing.
183
149a3971 184config CRYPTO_NULL2
dd43c4e9 185 tristate
149a3971 186 select CRYPTO_ALGAPI2
b95bba5d 187 select CRYPTO_SKCIPHER2
149a3971
HX		 188 select CRYPTO_HASH2
189
5068c7a8 190config CRYPTO_PCRYPT
3b4afaf2
KC		 191 tristate "Parallel crypto engine"
192 depends on SMP
5068c7a8
SK		 193 select PADATA
194 select CRYPTO_MANAGER
195 select CRYPTO_AEAD
196 help
197 This converts an arbitrary crypto algorithm into a parallel
198 algorithm that executes in kernel threads.
199
584fffc8
SS		 200config CRYPTO_CRYPTD
201 tristate "Software async crypto daemon"
b95bba5d 202 select CRYPTO_SKCIPHER
b8a28251 203 select CRYPTO_HASH
584fffc8 204 select CRYPTO_MANAGER
1da177e4 205 help
584fffc8
SS		 206 This is a generic software asynchronous crypto daemon that
207 converts an arbitrary synchronous software crypto algorithm
208 into an asynchronous algorithm that executes in a kernel thread.
1da177e4 209
584fffc8
SS		 210config CRYPTO_AUTHENC
211 tristate "Authenc support"
212 select CRYPTO_AEAD
b95bba5d 213 select CRYPTO_SKCIPHER
584fffc8
SS		 214 select CRYPTO_MANAGER
215 select CRYPTO_HASH
e94c6a7a 216 select CRYPTO_NULL
1da177e4 217 help
584fffc8 218 Authenc: Combined mode wrapper for IPsec.
cf514b2a
RE		 219
220 This is required for IPSec ESP (XFRM_ESP).
1da177e4 221
584fffc8
SS		 222config CRYPTO_TEST
223 tristate "Testing module"
00ea27f1 224 depends on m || EXPERT
da7f033d 225 select CRYPTO_MANAGER
1da177e4 226 help
584fffc8 227 Quick & dirty crypto test module.
1da177e4 228
266d0516
HX		 229config CRYPTO_SIMD
230 tristate
ffaf9156
JK		 231 select CRYPTO_CRYPTD
232
735d37b5
BW		 233config CRYPTO_ENGINE
234 tristate
235
f1f142ad
RE		 236endmenu
237
238menu "Public-key cryptography"
3d6228a5
VC		 239
240config CRYPTO_RSA
05b37465 241 tristate "RSA (Rivest-Shamir-Adleman)"
3d6228a5
VC		 242 select CRYPTO_AKCIPHER
243 select CRYPTO_MANAGER
244 select MPILIB
245 select ASN1
246 help
05b37465 247 RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017)
3d6228a5
VC		 248
249config CRYPTO_DH
05b37465 250 tristate "DH (Diffie-Hellman)"
3d6228a5
VC		 251 select CRYPTO_KPP
252 select MPILIB
253 help
05b37465 254 DH (Diffie-Hellman) key exchange algorithm
3d6228a5 255
7dce5981 256config CRYPTO_DH_RFC7919_GROUPS
05b37465 257 bool "RFC 7919 FFDHE groups"
7dce5981 258 depends on CRYPTO_DH
1e207964 259 select CRYPTO_RNG_DEFAULT
7dce5981 260 help
05b37465
RE		 261 FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups
262 defined in RFC7919.
263
264 Support these finite-field groups in DH key exchanges:
265 - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
266
267 If unsure, say N.
7dce5981 268
4a2289da
VC		 269config CRYPTO_ECC
270 tristate
38aa192a 271 select CRYPTO_RNG_DEFAULT
4a2289da 272
3d6228a5 273config CRYPTO_ECDH
05b37465 274 tristate "ECDH (Elliptic Curve Diffie-Hellman)"
4a2289da 275 select CRYPTO_ECC
3d6228a5 276 select CRYPTO_KPP
3d6228a5 277 help
05b37465
RE		 278 ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm
279 using curves P-192, P-256, and P-384 (FIPS 186)
3d6228a5 280
4e660291 281config CRYPTO_ECDSA
05b37465 282 tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)"
4e660291
SB		 283 select CRYPTO_ECC
284 select CRYPTO_AKCIPHER
285 select ASN1
286 help
05b37465
RE		 287 ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186,
288 ISO/IEC 14888-3)
289 using curves P-192, P-256, and P-384
290
291 Only signature verification is implemented.
4e660291 292
0d7a7864 293config CRYPTO_ECRDSA
05b37465 294 tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)"
0d7a7864
VC		 295 select CRYPTO_ECC
296 select CRYPTO_AKCIPHER
297 select CRYPTO_STREEBOG
1036633e
VC		 298 select OID_REGISTRY
299 select ASN1
0d7a7864
VC		 300 help
301 Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
05b37465
RE		 302 RFC 7091, ISO/IEC 14888-3)
303
304 One of the Russian cryptographic standard algorithms (called GOST
305 algorithms). Only signature verification is implemented.
0d7a7864 306
ea7ecb66 307config CRYPTO_SM2
05b37465 308 tristate "SM2 (ShangMi 2)"
d2825fa9 309 select CRYPTO_SM3
ea7ecb66
TZ		 310 select CRYPTO_AKCIPHER
311 select CRYPTO_MANAGER
312 select MPILIB
313 select ASN1
314 help
05b37465
RE		 315 SM2 (ShangMi 2) public key algorithm
316
317 Published by State Encryption Management Bureau, China,
ea7ecb66
TZ		 318 as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012.
319
320 References:
05b37465 321 https://datatracker.ietf.org/doc/draft-shen-sm2-ecdsa/
ea7ecb66
TZ		 322 http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml
323 http://www.gmbz.org.cn/main/bzlb.html
324
ee772cb6 325config CRYPTO_CURVE25519
05b37465 326 tristate "Curve25519"
ee772cb6
AB		 327 select CRYPTO_KPP
328 select CRYPTO_LIB_CURVE25519_GENERIC
05b37465
RE		 329 help
330 Curve25519 elliptic curve (RFC7748)
ee772cb6 331
f1f142ad 332endmenu
cd12fb90 333
f1f142ad 334menu "Block ciphers"
1da177e4 335
f1f142ad 336config CRYPTO_AES
cf514b2a 337 tristate "AES (Advanced Encryption Standard)"
f1f142ad
RE		 338 select CRYPTO_ALGAPI
339 select CRYPTO_LIB_AES
1da177e4 340 help
cf514b2a 341 AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
1da177e4 342
f1f142ad
RE		 343 Rijndael appears to be consistently a very good performer in
344 both hardware and software across a wide range of computing
345 environments regardless of its use in feedback or non-feedback
346 modes. Its key setup time is excellent, and its key agility is
347 good. Rijndael's very low memory requirements make it very well
348 suited for restricted-space environments, in which it also
349 demonstrates excellent performance. Rijndael's operations are
350 among the easiest to defend against power and timing attacks.
71ebc4d1 351
f1f142ad 352 The AES specifies three key sizes: 128, 192 and 256 bits
71ebc4d1 353
f1f142ad 354config CRYPTO_AES_TI
cf514b2a 355 tristate "AES (Advanced Encryption Standard) (fixed time)"
f1f142ad
RE		 356 select CRYPTO_ALGAPI
357 select CRYPTO_LIB_AES
f606a88e 358 help
cf514b2a
RE		 359 AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
360
f1f142ad
RE		 361 This is a generic implementation of AES that attempts to eliminate
362 data dependent latencies as much as possible without affecting
363 performance too much. It is intended for use by the generic CCM
364 and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
365 solely on encryption (although decryption is supported as well, but
366 with a more dramatic performance hit)
f606a88e 367
f1f142ad
RE		 368 Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
369 8 for decryption), this implementation only uses just two S-boxes of
370 256 bytes each, and attempts to eliminate data dependent latencies by
371 prefetching the entire table into the cache at the start of each
372 block. Interrupts are also disabled to avoid races where cachelines
373 are evicted when the CPU is interrupted to do something else.
a4397635 374
f1f142ad 375config CRYPTO_ANUBIS
cf514b2a 376 tristate "Anubis"
f1f142ad
RE		 377 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
378 select CRYPTO_ALGAPI
1da177e4 379 help
cf514b2a 380 Anubis cipher algorithm
1da177e4 381
f1f142ad
RE		 382 Anubis is a variable key length cipher which can use keys from
383 128 bits to 320 bits in length. It was evaluated as a entrant
384 in the NESSIE competition.
a10f554f 385
cf514b2a
RE		 386 See https://web.archive.org/web/20160606112246/http://www.larc.usp.br/~pbarreto/AnubisPage.html
387 for further information.
c494e070 388
f1f142ad 389config CRYPTO_ARIA
cf514b2a 390 tristate "ARIA"
f1f142ad 391 select CRYPTO_ALGAPI
db131ef9 392 help
cf514b2a 393 ARIA cipher algorithm (RFC5794)
db131ef9 394
f1f142ad
RE		 395 ARIA is a standard encryption algorithm of the Republic of Korea.
396 The ARIA specifies three key sizes and rounds.
397 128-bit: 12 rounds.
398 192-bit: 14 rounds.
399 256-bit: 16 rounds.
a7d85e06 400
cf514b2a
RE		 401 See:
402 https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do
db131ef9 403
f1f142ad 404config CRYPTO_BLOWFISH
cf514b2a 405 tristate "Blowfish"
f1f142ad
RE		 406 select CRYPTO_ALGAPI
407 select CRYPTO_BLOWFISH_COMMON
584fffc8 408 help
cf514b2a 409 Blowfish cipher algorithm, by Bruce Schneier
584fffc8 410
f1f142ad
RE		 411 This is a variable key length cipher which can use keys from 32
412 bits to 448 bits in length. It's fast, simple and specifically
413 designed for use on "large microprocessors".
ecd6d5c9 414
cf514b2a 415 See https://www.schneier.com/blowfish.html for further information.
f1f142ad
RE		 416
417config CRYPTO_BLOWFISH_COMMON
418 tristate
91652be5 419 help
f1f142ad
RE		 420 Common parts of the Blowfish cipher algorithm shared by the
421 generic c and the assembler implementations.
91652be5 422
f1f142ad 423config CRYPTO_CAMELLIA
cf514b2a 424 tristate "Camellia"
f1f142ad 425 select CRYPTO_ALGAPI
64470f1b 426 help
cf514b2a 427 Camellia cipher algorithms (ISO/IEC 18033-3)
64470f1b 428
f1f142ad
RE		 429 Camellia is a symmetric key block cipher developed jointly
430 at NTT and Mitsubishi Electric Corporation.
431
432 The Camellia specifies three key sizes: 128, 192 and 256 bits.
433
cf514b2a 434 See https://info.isl.ntt.co.jp/crypt/eng/camellia/ for further information.
f1f142ad
RE		 435
436config CRYPTO_CAST_COMMON
437 tristate
e497c518 438 help
f1f142ad
RE		 439 Common parts of the CAST cipher algorithms shared by the
440 generic c and the assembler implementations.
e497c518 441
f1f142ad 442config CRYPTO_CAST5
cf514b2a 443 tristate "CAST5 (CAST-128)"
f1f142ad
RE		 444 select CRYPTO_ALGAPI
445 select CRYPTO_CAST_COMMON
584fffc8 446 help
cf514b2a 447 CAST5 (CAST-128) cipher algorithm (RFC2144, ISO/IEC 18033-3)
584fffc8 448
f1f142ad 449config CRYPTO_CAST6
cf514b2a 450 tristate "CAST6 (CAST-256)"
f1f142ad
RE		 451 select CRYPTO_ALGAPI
452 select CRYPTO_CAST_COMMON
17fee07a 453 help
cf514b2a 454 CAST6 (CAST-256) encryption algorithm (RFC2612)
17fee07a 455
f1f142ad 456config CRYPTO_DES
cf514b2a 457 tristate "DES and Triple DES EDE"
f1f142ad
RE		 458 select CRYPTO_ALGAPI
459 select CRYPTO_LIB_DES
f19f5111 460 help
cf514b2a
RE		 461 DES (Data Encryption Standard)(FIPS 46-2, ISO/IEC 18033-3) and
462 Triple DES EDE (Encrypt/Decrypt/Encrypt) (FIPS 46-3, ISO/IEC 18033-3)
463 cipher algorithms
f19f5111 464
f1f142ad 465config CRYPTO_FCRYPT
cf514b2a 466 tristate "FCrypt"
f1f142ad 467 select CRYPTO_ALGAPI
b95bba5d 468 select CRYPTO_SKCIPHER
1c49678e 469 help
cf514b2a
RE		 470 FCrypt algorithm used by RxRPC
471
472 See https://ota.polyonymo.us/fcrypt-paper.txt
1c49678e 473
f1f142ad 474config CRYPTO_KHAZAD
cf514b2a 475 tristate "Khazad"
f1f142ad
RE		 476 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
477 select CRYPTO_ALGAPI
478 help
cf514b2a 479 Khazad cipher algorithm
f1f142ad
RE		 480
481 Khazad was a finalist in the initial NESSIE competition. It is
482 an algorithm optimized for 64-bit processors with good performance
483 on 32-bit processors. Khazad uses an 128 bit key size.
484
cf514b2a
RE		 485 See https://web.archive.org/web/20171011071731/http://www.larc.usp.br/~pbarreto/KhazadPage.html
486 for further information.
f1f142ad
RE		 487
488config CRYPTO_SEED
cf514b2a 489 tristate "SEED"
f1f142ad
RE		 490 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
491 select CRYPTO_ALGAPI
492 help
cf514b2a 493 SEED cipher algorithm (RFC4269, ISO/IEC 18033-3)
f1f142ad
RE		 494
495 SEED is a 128-bit symmetric key block cipher that has been
496 developed by KISA (Korea Information Security Agency) as a
497 national standard encryption algorithm of the Republic of Korea.
498 It is a 16 round block cipher with the key size of 128 bit.
499
cf514b2a
RE		 500 See https://seed.kisa.or.kr/kisa/algorithm/EgovSeedInfo.do
501 for further information.
f1f142ad
RE		 502
503config CRYPTO_SERPENT
cf514b2a 504 tristate "Serpent"
f1f142ad
RE		 505 select CRYPTO_ALGAPI
506 help
cf514b2a 507 Serpent cipher algorithm, by Anderson, Biham & Knudsen
f1f142ad
RE		 508
509 Keys are allowed to be from 0 to 256 bits in length, in steps
510 of 8 bits.
511
cf514b2a 512 See https://www.cl.cam.ac.uk/~rja14/serpent.html for further information.
f1f142ad
RE		 513
514config CRYPTO_SM4
515 tristate
516
517config CRYPTO_SM4_GENERIC
cf514b2a 518 tristate "SM4 (ShangMi 4)"
f1f142ad
RE		 519 select CRYPTO_ALGAPI
520 select CRYPTO_SM4
521 help
cf514b2a
RE		 522 SM4 cipher algorithms (OSCCA GB/T 32907-2016,
523 ISO/IEC 18033-3:2010/Amd 1:2021)
f1f142ad
RE		 524
525 SM4 (GBT.32907-2016) is a cryptographic standard issued by the
526 Organization of State Commercial Administration of China (OSCCA)
527 as an authorized cryptographic algorithms for the use within China.
528
529 SMS4 was originally created for use in protecting wireless
530 networks, and is mandated in the Chinese National Standard for
531 Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
532 (GB.15629.11-2003).
533
534 The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
535 standardized through TC 260 of the Standardization Administration
536 of the People's Republic of China (SAC).
537
538 The input, output, and key of SMS4 are each 128 bits.
539
cf514b2a 540 See https://eprint.iacr.org/2008/329.pdf for further information.
f1f142ad
RE		 541
542 If unsure, say N.
543
544config CRYPTO_TEA
cf514b2a 545 tristate "TEA, XTEA and XETA"
f1f142ad
RE		 546 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
547 select CRYPTO_ALGAPI
548 help
cf514b2a 549 TEA (Tiny Encryption Algorithm) cipher algorithms
f1f142ad
RE		 550
551 Tiny Encryption Algorithm is a simple cipher that uses
552 many rounds for security. It is very fast and uses
553 little memory.
554
555 Xtendend Tiny Encryption Algorithm is a modification to
556 the TEA algorithm to address a potential key weakness
557 in the TEA algorithm.
558
559 Xtendend Encryption Tiny Algorithm is a mis-implementation
560 of the XTEA algorithm for compatibility purposes.
561
562config CRYPTO_TWOFISH
cf514b2a 563 tristate "Twofish"
f1f142ad
RE		 564 select CRYPTO_ALGAPI
565 select CRYPTO_TWOFISH_COMMON
566 help
cf514b2a 567 Twofish cipher algorithm
f1f142ad
RE		 568
569 Twofish was submitted as an AES (Advanced Encryption Standard)
570 candidate cipher by researchers at CounterPane Systems. It is a
571 16 round block cipher supporting key sizes of 128, 192, and 256
572 bits.
573
cf514b2a 574 See https://www.schneier.com/twofish.html for further information.
f1f142ad
RE		 575
576config CRYPTO_TWOFISH_COMMON
577 tristate
578 help
579 Common parts of the Twofish cipher algorithm shared by the
580 generic c and the assembler implementations.
581
582endmenu
583
584menu "Length-preserving ciphers and modes"
26609a21 585
059c2a4d 586config CRYPTO_ADIANTUM
cf514b2a 587 tristate "Adiantum"
059c2a4d 588 select CRYPTO_CHACHA20
48ea8c6e 589 select CRYPTO_LIB_POLY1305_GENERIC
059c2a4d 590 select CRYPTO_NHPOLY1305
c8a3315a 591 select CRYPTO_MANAGER
059c2a4d 592 help
cf514b2a
RE		 593 Adiantum tweakable, length-preserving encryption mode
594
595 Designed for fast and secure disk encryption, especially on
059c2a4d
EB		 596 CPUs without dedicated crypto instructions. It encrypts
597 each sector using the XChaCha12 stream cipher, two passes of
598 an ε-almost-∆-universal hash function, and an invocation of
599 the AES-256 block cipher on a single 16-byte block. On CPUs
600 without AES instructions, Adiantum is much faster than
601 AES-XTS.
602
603 Adiantum's security is provably reducible to that of its
604 underlying stream and block ciphers, subject to a security
605 bound. Unlike XTS, Adiantum is a true wide-block encryption
606 mode, so it actually provides an even stronger notion of
607 security than XTS, subject to the security bound.
608
609 If unsure, say N.
610
f1f142ad 611config CRYPTO_ARC4
cf514b2a 612 tristate "ARC4 (Alleged Rivest Cipher 4)"
f1f142ad
RE		 613 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
614 select CRYPTO_SKCIPHER
615 select CRYPTO_LIB_ARC4
7ff554ce 616 help
cf514b2a 617 ARC4 cipher algorithm
7ff554ce 618
f1f142ad
RE		 619 ARC4 is a stream cipher using keys ranging from 8 bits to 2048
620 bits in length. This algorithm is required for driver-based
621 WEP, but it should not be for other purposes because of the
622 weakness of the algorithm.
623
624config CRYPTO_CHACHA20
cf514b2a 625 tristate "ChaCha"
f1f142ad
RE		 626 select CRYPTO_LIB_CHACHA_GENERIC
627 select CRYPTO_SKCIPHER
be1eb7f7 628 help
cf514b2a 629 The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms
be1eb7f7 630
f1f142ad
RE		 631 ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
632 Bernstein and further specified in RFC7539 for use in IETF protocols.
cf514b2a
RE		 633 This is the portable C implementation of ChaCha20. See
634 https://cr.yp.to/chacha/chacha-20080128.pdf for further information.
be1eb7f7 635
f1f142ad
RE		 636 XChaCha20 is the application of the XSalsa20 construction to ChaCha20
637 rather than to Salsa20. XChaCha20 extends ChaCha20's nonce length
638 from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
cf514b2a
RE		 639 while provably retaining ChaCha20's security. See
640 https://cr.yp.to/snuffle/xsalsa-20081128.pdf for further information.
be1eb7f7 641
f1f142ad
RE		 642 XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
643 reduced security margin but increased performance. It can be needed
644 in some performance-sensitive scenarios.
584fffc8 645
f1f142ad 646config CRYPTO_CBC
cf514b2a 647 tristate "CBC (Cipher Block Chaining)"
f1f142ad 648 select CRYPTO_SKCIPHER
93b5e86a
JK		 649 select CRYPTO_MANAGER
650 help
cf514b2a
RE		 651 CBC (Cipher Block Chaining) mode (NIST SP800-38A)
652
653 This block cipher mode is required for IPSec ESP (XFRM_ESP).
93b5e86a 654
f1f142ad 655config CRYPTO_CFB
cf514b2a 656 tristate "CFB (Cipher Feedback)"
f1f142ad 657 select CRYPTO_SKCIPHER
23e353c8 658 select CRYPTO_MANAGER
23e353c8 659 help
cf514b2a
RE		 660 CFB (Cipher Feedback) mode (NIST SP800-38A)
661
662 This block cipher mode is required for TPM2 Cryptography.
23e353c8 663
f1f142ad 664config CRYPTO_CTR
cf514b2a 665 tristate "CTR (Counter)"
f1f142ad 666 select CRYPTO_SKCIPHER
584fffc8 667 select CRYPTO_MANAGER
76cb9521 668 help
cf514b2a 669 CTR (Counter) mode (NIST SP800-38A)
76cb9521 670
f1f142ad 671config CRYPTO_CTS
cf514b2a 672 tristate "CTS (Cipher Text Stealing)"
f1f142ad 673 select CRYPTO_SKCIPHER
f1939f7c
SW		 674 select CRYPTO_MANAGER
675 help
cf514b2a
RE		 676 CBC-CS3 variant of CTS (Cipher Text Stealing) (NIST
677 Addendum to SP800-38A (October 2010))
678
f1f142ad
RE		 679 This mode is required for Kerberos gss mechanism support
680 for AES encryption.
f1939f7c 681
f1f142ad 682config CRYPTO_ECB
cf514b2a 683 tristate "ECB (Electronic Codebook)"
f1f142ad
RE		 684 select CRYPTO_SKCIPHER
685 select CRYPTO_MANAGER
4a49b499 686 help
cf514b2a 687 ECB (Electronic Codebook) mode (NIST SP800-38A)
4a49b499 688
f1f142ad 689config CRYPTO_HCTR2
cf514b2a 690 tristate "HCTR2"
f1f142ad
RE		 691 select CRYPTO_XCTR
692 select CRYPTO_POLYVAL
693 select CRYPTO_MANAGER
78c37d19 694 help
cf514b2a
RE		 695 HCTR2 length-preserving encryption mode
696
697 A mode for storage encryption that is efficient on processors with
698 instructions to accelerate AES and carryless multiplication, e.g.
699 x86 processors with AES-NI and CLMUL, and ARM processors with the
700 ARMv8 crypto extensions.
701
702 See https://eprint.iacr.org/2021/1441
78c37d19 703
f1f142ad 704config CRYPTO_KEYWRAP
cf514b2a 705 tristate "KW (AES Key Wrap)"
f1f142ad
RE		 706 select CRYPTO_SKCIPHER
707 select CRYPTO_MANAGER
2cdc6899 708 help
cf514b2a
RE		 709 KW (AES Key Wrap) authenticated encryption mode (NIST SP800-38F
710 and RFC3394) without padding.
2cdc6899 711
f1f142ad 712config CRYPTO_LRW
cf514b2a 713 tristate "LRW (Liskov Rivest Wagner)"
61c581a4 714 select CRYPTO_LIB_GF128MUL
f1f142ad
RE		 715 select CRYPTO_SKCIPHER
716 select CRYPTO_MANAGER
f1f142ad 717 select CRYPTO_ECB
f3c923a0 718 help
cf514b2a
RE		 719 LRW (Liskov Rivest Wagner) mode
720
721 A tweakable, non malleable, non movable
f1f142ad
RE		 722 narrow block cipher mode for dm-crypt. Use it with cipher
723 specification string aes-lrw-benbi, the key must be 256, 320 or 384.
724 The first 128, 192 or 256 bits in the key are used for AES and the
725 rest is used to tie each cipher block to its logical position.
f3c923a0 726
cf514b2a
RE		 727 See https://people.csail.mit.edu/rivest/pubs/LRW02.pdf
728
f1f142ad 729config CRYPTO_OFB
cf514b2a 730 tristate "OFB (Output Feedback)"
f1f142ad
RE		 731 select CRYPTO_SKCIPHER
732 select CRYPTO_MANAGER
f979e014 733 help
cf514b2a
RE		 734 OFB (Output Feedback) mode (NIST SP800-38A)
735
736 This mode makes a block cipher into a synchronous
f1f142ad
RE		 737 stream cipher. It generates keystream blocks, which are then XORed
738 with the plaintext blocks to get the ciphertext. Flipping a bit in the
739 ciphertext produces a flipped bit in the plaintext at the same
740 location. This property allows many error correcting codes to function
741 normally even when applied before encryption.
f979e014 742
f1f142ad 743config CRYPTO_PCBC
cf514b2a 744 tristate "PCBC (Propagating Cipher Block Chaining)"
f1f142ad
RE		 745 select CRYPTO_SKCIPHER
746 select CRYPTO_MANAGER
124b53d0 747 help
cf514b2a
RE		 748 PCBC (Propagating Cipher Block Chaining) mode
749
750 This block cipher mode is required for RxRPC.
124b53d0 751
f1f142ad
RE		 752config CRYPTO_XCTR
753 tristate
754 select CRYPTO_SKCIPHER
755 select CRYPTO_MANAGER
1da177e4 756 help
cf514b2a
RE		 757 XCTR (XOR Counter) mode for HCTR2
758
759 This blockcipher mode is a variant of CTR mode using XORs and little-endian
760 addition rather than big-endian arithmetic.
761
f1f142ad 762 XCTR mode is used to implement HCTR2.
1da177e4 763
f1f142ad 764config CRYPTO_XTS
cf514b2a 765 tristate "XTS (XOR Encrypt XOR with ciphertext stealing)"
f1f142ad
RE		 766 select CRYPTO_SKCIPHER
767 select CRYPTO_MANAGER
768 select CRYPTO_ECB
90831639 769 help
cf514b2a
RE		 770 XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
771 and IEEE 1619)
772
773 Use with aes-xts-plain, key size 256, 384 or 512 bits. This
774 implementation currently can't handle a sectorsize which is not a
775 multiple of 16 bytes.
90831639 776
f1f142ad
RE		 777config CRYPTO_NHPOLY1305
778 tristate
e5835fba 779 select CRYPTO_HASH
f1f142ad 780 select CRYPTO_LIB_POLY1305_GENERIC
534fe2c1 781
f1f142ad 782endmenu
534fe2c1 783
f1f142ad 784menu "AEAD (authenticated encryption with associated data) ciphers"
1da177e4 785
f1f142ad 786config CRYPTO_AEGIS128
e3d2eadd 787 tristate "AEGIS-128"
f1f142ad
RE		 788 select CRYPTO_AEAD
789 select CRYPTO_AES # for AES S-box tables
1da177e4 790 help
e3d2eadd 791 AEGIS-128 AEAD algorithm
2729bb42 792
f1f142ad 793config CRYPTO_AEGIS128_SIMD
e3d2eadd 794 bool "AEGIS-128 (arm NEON, arm64 NEON)"
f1f142ad
RE		 795 depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
796 default y
e3d2eadd
RE		 797 help
798 AEGIS-128 AEAD algorithm
799
800 Architecture: arm or arm64 using:
801 - NEON (Advanced SIMD) extension
584fffc8 802
f1f142ad 803config CRYPTO_CHACHA20POLY1305
e3d2eadd 804 tristate "ChaCha20-Poly1305"
f1f142ad
RE		 805 select CRYPTO_CHACHA20
806 select CRYPTO_POLY1305
807 select CRYPTO_AEAD
808 select CRYPTO_MANAGER
b9f535ff 809 help
e3d2eadd
RE		 810 ChaCha20 stream cipher and Poly1305 authenticator combined
811 mode (RFC8439)
b9f535ff 812
f1f142ad 813config CRYPTO_CCM
cf514b2a 814 tristate "CCM (Counter with Cipher Block Chaining-MAC)"
f1f142ad 815 select CRYPTO_CTR
53964b9e 816 select CRYPTO_HASH
f1f142ad
RE		 817 select CRYPTO_AEAD
818 select CRYPTO_MANAGER
53964b9e 819 help
e3d2eadd
RE		 820 CCM (Counter with Cipher Block Chaining-Message Authentication Code)
821 authenticated encryption mode (NIST SP800-38C)
d2825fa9 822
f1f142ad 823config CRYPTO_GCM
cf514b2a 824 tristate "GCM (Galois/Counter Mode) and GMAC (GCM MAC)"
f1f142ad
RE		 825 select CRYPTO_CTR
826 select CRYPTO_AEAD
827 select CRYPTO_GHASH
828 select CRYPTO_NULL
829 select CRYPTO_MANAGER
4f0fc160 830 help
e3d2eadd
RE		 831 GCM (Galois/Counter Mode) authenticated encryption mode and GMAC
832 (GCM Message Authentication Code) (NIST SP800-38D)
833
834 This is required for IPSec ESP (XFRM_ESP).
4f0fc160 835
f1f142ad
RE		 836config CRYPTO_SEQIV
837 tristate "Sequence Number IV Generator"
838 select CRYPTO_AEAD
839 select CRYPTO_SKCIPHER
840 select CRYPTO_NULL
841 select CRYPTO_RNG_DEFAULT
842 select CRYPTO_MANAGER
fe18957e 843 help
e3d2eadd
RE		 844 Sequence Number IV generator
845
f1f142ad 846 This IV generator generates an IV based on a sequence number by
e3d2eadd
RE		 847 xoring it with a salt. This algorithm is mainly useful for CTR.
848
849 This is required for IPsec ESP (XFRM_ESP).
fe18957e 850
f1f142ad
RE		 851config CRYPTO_ECHAINIV
852 tristate "Encrypted Chain IV Generator"
853 select CRYPTO_AEAD
854 select CRYPTO_NULL
855 select CRYPTO_RNG_DEFAULT
856 select CRYPTO_MANAGER
1da177e4 857 help
e3d2eadd
RE		 858 Encrypted Chain IV generator
859
f1f142ad
RE		 860 This IV generator generates an IV based on the encryption of
861 a sequence number xored with a salt. This is the default
862 algorithm for CBC.
1da177e4 863
f1f142ad 864config CRYPTO_ESSIV
e3d2eadd 865 tristate "Encrypted Salt-Sector IV Generator"
f1f142ad 866 select CRYPTO_AUTHENC
1da177e4 867 help
e3d2eadd
RE		 868 Encrypted Salt-Sector IV generator
869
870 This IV generator is used in some cases by fscrypt and/or
f1f142ad
RE		 871 dm-crypt. It uses the hash of the block encryption key as the
872 symmetric key for a block encryption pass applied to the input
873 IV, making low entropy IV sources more suitable for block
874 encryption.
1da177e4 875
f1f142ad
RE		 876 This driver implements a crypto API template that can be
877 instantiated either as an skcipher or as an AEAD (depending on the
878 type of the first template argument), and which defers encryption
879 and decryption requests to the encapsulated cipher after applying
880 ESSIV to the input IV. Note that in the AEAD case, it is assumed
881 that the keys are presented in the same format used by the authenc
882 template, and that the IV appears at the end of the authenticated
883 associated data (AAD) region (which is how dm-crypt uses it.)
1da177e4 884
f1f142ad
RE		 885 Note that the use of ESSIV is not recommended for new deployments,
886 and so this only needs to be enabled when interoperability with
887 existing encrypted volumes of filesystems is required, or when
888 building for a particular system that requires it (e.g., when
889 the SoC in question has accelerated CBC but not XTS, making CBC
890 combined with ESSIV the only feasible mode for h/w accelerated
891 block encryption)
1da177e4 892
f1f142ad 893endmenu
b5e0b032 894
f1f142ad 895menu "Hashes, digests, and MACs"
b5e0b032 896
f1f142ad 897config CRYPTO_BLAKE2B
3f342a23 898 tristate "BLAKE2b"
f1f142ad 899 select CRYPTO_HASH
584fffc8 900 help
3f342a23 901 BLAKE2b cryptographic hash function (RFC 7693)
584fffc8 902
3f342a23
RE		 903 BLAKE2b is optimized for 64-bit platforms and can produce digests
904 of any size between 1 and 64 bytes. The keyed hash is also implemented.
584fffc8 905
3f342a23 906 This module provides the following algorithms:
f1f142ad
RE		 907 - blake2b-160
908 - blake2b-256
909 - blake2b-384
910 - blake2b-512
584fffc8 911
3f342a23
RE		 912 Used by the btrfs filesystem.
913
f1f142ad 914 See https://blake2.net for further information.
584fffc8 915
f1f142ad 916config CRYPTO_CMAC
3f342a23 917 tristate "CMAC (Cipher-based MAC)"
f1f142ad
RE		 918 select CRYPTO_HASH
919 select CRYPTO_MANAGER
584fffc8 920 help
3f342a23
RE		 921 CMAC (Cipher-based Message Authentication Code) authentication
922 mode (NIST SP800-38B and IETF RFC4493)
584fffc8 923
f1f142ad 924config CRYPTO_GHASH
3f342a23 925 tristate "GHASH"
f1f142ad 926 select CRYPTO_HASH
61c581a4 927 select CRYPTO_LIB_GF128MUL
52ba867c 928 help
3f342a23 929 GCM GHASH function (NIST SP800-38D)
52ba867c 930
f1f142ad 931config CRYPTO_HMAC
3f342a23 932 tristate "HMAC (Keyed-Hash MAC)"
f1f142ad
RE		 933 select CRYPTO_HASH
934 select CRYPTO_MANAGER
584fffc8 935 help
3f342a23
RE		 936 HMAC (Keyed-Hash Message Authentication Code) (FIPS 198 and
937 RFC2104)
938
939 This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
584fffc8 940
f1f142ad 941config CRYPTO_MD4
3f342a23 942 tristate "MD4"
f1f142ad 943 select CRYPTO_HASH
044ab525 944 help
3f342a23 945 MD4 message digest algorithm (RFC1320)
044ab525 946
f1f142ad 947config CRYPTO_MD5
3f342a23 948 tristate "MD5"
f1f142ad 949 select CRYPTO_HASH
1da177e4 950 help
3f342a23 951 MD5 message digest algorithm (RFC1321)
1da177e4 952
f1f142ad 953config CRYPTO_MICHAEL_MIC
3f342a23 954 tristate "Michael MIC"
f1f142ad 955 select CRYPTO_HASH
1da177e4 956 help
3f342a23
RE		 957 Michael MIC (Message Integrity Code) (IEEE 802.11i)
958
959 Defined by the IEEE 802.11i TKIP (Temporal Key Integrity Protocol),
960 known as WPA (Wif-Fi Protected Access).
961
962 This algorithm is required for TKIP, but it should not be used for
963 other purposes because of the weakness of the algorithm.
1da177e4 964
f1f142ad
RE		 965config CRYPTO_POLYVAL
966 tristate
f1f142ad 967 select CRYPTO_HASH
61c581a4 968 select CRYPTO_LIB_GF128MUL
1da177e4 969 help
3f342a23
RE		 970 POLYVAL hash function for HCTR2
971
972 This is used in HCTR2. It is not a general-purpose
f1f142ad 973 cryptographic hash function.
fb4f10ed 974
f1f142ad 975config CRYPTO_POLY1305
3f342a23 976 tristate "Poly1305"
f1f142ad
RE		 977 select CRYPTO_HASH
978 select CRYPTO_LIB_POLY1305_GENERIC
1da177e4 979 help
3f342a23 980 Poly1305 authenticator algorithm (RFC7539)
1da177e4 981
f1f142ad
RE		 982 Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
983 It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
984 in IETF protocols. This is the portable C implementation of Poly1305.
985
986config CRYPTO_RMD160
3f342a23 987 tristate "RIPEMD-160"
f1f142ad 988 select CRYPTO_HASH
1da177e4 989 help
3f342a23 990 RIPEMD-160 hash function (ISO/IEC 10118-3)
1da177e4 991
f1f142ad
RE		 992 RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
993 to be used as a secure replacement for the 128-bit hash functions
994 MD4, MD5 and its predecessor RIPEMD
995 (not to be confused with RIPEMD-128).
1da177e4 996
3f342a23 997 Its speed is comparable to SHA-1 and there are no known attacks
f1f142ad 998 against RIPEMD-160.
1da177e4 999
f1f142ad 1000 Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
3f342a23
RE		 1001 See https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
1002 for further information.
f1f142ad
RE		 1003
1004config CRYPTO_SHA1
3f342a23 1005 tristate "SHA-1"
f1f142ad
RE		 1006 select CRYPTO_HASH
1007 select CRYPTO_LIB_SHA1
c08d0e64 1008 help
3f342a23 1009 SHA-1 secure hash algorithm (FIPS 180, ISO/IEC 10118-3)
c08d0e64 1010
f1f142ad 1011config CRYPTO_SHA256
3f342a23 1012 tristate "SHA-224 and SHA-256"
f1f142ad
RE		 1013 select CRYPTO_HASH
1014 select CRYPTO_LIB_SHA256
1015 help
3f342a23 1016 SHA-224 and SHA-256 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
de61d7ae 1017
3f342a23
RE		 1018 This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
1019 Used by the btrfs filesystem, Ceph, NFS, and SMB.
aa762409 1020
f1f142ad 1021config CRYPTO_SHA512
3f342a23 1022 tristate "SHA-384 and SHA-512"
f1f142ad 1023 select CRYPTO_HASH
1da177e4 1024 help
3f342a23 1025 SHA-384 and SHA-512 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
584fffc8 1026
f1f142ad 1027config CRYPTO_SHA3
3f342a23 1028 tristate "SHA-3"
f1f142ad 1029 select CRYPTO_HASH
e4e712bb 1030 help
3f342a23 1031 SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3)
e4e712bb 1032
f1f142ad
RE		 1033config CRYPTO_SM3
1034 tristate
e4e712bb 1035
f1f142ad 1036config CRYPTO_SM3_GENERIC
3f342a23 1037 tristate "SM3 (ShangMi 3)"
f1f142ad
RE		 1038 select CRYPTO_HASH
1039 select CRYPTO_SM3
1da177e4 1040 help
3f342a23
RE		 1041 SM3 (ShangMi 3) secure hash function (OSCCA GM/T 0004-2012, ISO/IEC 10118-3)
1042
1043 This is part of the Chinese Commercial Cryptography suite.
1da177e4 1044
f1f142ad
RE		 1045 References:
1046 http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
1047 https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
584fffc8 1048
f1f142ad 1049config CRYPTO_STREEBOG
3f342a23 1050 tristate "Streebog"
f1f142ad
RE		 1051 select CRYPTO_HASH
1052 help
3f342a23
RE		 1053 Streebog Hash Function (GOST R 34.11-2012, RFC 6986, ISO/IEC 10118-3)
1054
1055 This is one of the Russian cryptographic standard algorithms (called
1056 GOST algorithms). This setting enables two hash algorithms with
1057 256 and 512 bits output.
584fffc8 1058
f1f142ad
RE		 1059 References:
1060 https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1061 https://tools.ietf.org/html/rfc6986
d2825fa9 1062
f1f142ad 1063config CRYPTO_VMAC
3f342a23 1064 tristate "VMAC"
f1f142ad
RE		 1065 select CRYPTO_HASH
1066 select CRYPTO_MANAGER
747c8ce4 1067 help
f1f142ad
RE		 1068 VMAC is a message authentication algorithm designed for
1069 very high speed on 64-bit architectures.
747c8ce4 1070
3f342a23 1071 See https://fastcrypto.org/vmac for further information.
747c8ce4 1072
f1f142ad 1073config CRYPTO_WP512
3f342a23 1074 tristate "Whirlpool"
f1f142ad
RE		 1075 select CRYPTO_HASH
1076 help
3f342a23
RE		 1077 Whirlpool hash function (ISO/IEC 10118-3)
1078
1079 512, 384 and 256-bit hashes.
747c8ce4 1080
f1f142ad 1081 Whirlpool-512 is part of the NESSIE cryptographic primitives.
747c8ce4 1082
3f342a23
RE		 1083 See https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
1084 for further information.
747c8ce4 1085
f1f142ad 1086config CRYPTO_XCBC
3f342a23 1087 tristate "XCBC-MAC (Extended Cipher Block Chaining MAC)"
f1f142ad
RE		 1088 select CRYPTO_HASH
1089 select CRYPTO_MANAGER
1090 help
3f342a23
RE		 1091 XCBC-MAC (Extended Cipher Block Chaining Message Authentication
1092 Code) (RFC3566)
747c8ce4 1093
f1f142ad 1094config CRYPTO_XXHASH
3f342a23 1095 tristate "xxHash"
f1f142ad
RE		 1096 select CRYPTO_HASH
1097 select XXHASH
1da177e4 1098 help
3f342a23
RE		 1099 xxHash non-cryptographic hash algorithm
1100
1101 Extremely fast, working at speeds close to RAM limits.
1102
1103 Used by the btrfs filesystem.
1da177e4 1104
f1f142ad 1105endmenu
584fffc8 1106
f1f142ad 1107menu "CRCs (cyclic redundancy checks)"
584fffc8 1108
f1f142ad 1109config CRYPTO_CRC32C
ec84348d 1110 tristate "CRC32c"
f1f142ad
RE		 1111 select CRYPTO_HASH
1112 select CRC32
1113 help
ec84348d
RE		 1114 CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720)
1115
1116 A 32-bit CRC (cyclic redundancy check) with a polynomial defined
1117 by G. Castagnoli, S. Braeuer and M. Herrman in "Optimization of Cyclic
1118 Redundancy-Check Codes with 24 and 32 Parity Bits", IEEE Transactions
1119 on Communications, Vol. 41, No. 6, June 1993, selected for use with
1120 iSCSI.
1121
1122 Used by btrfs, ext4, jbd2, NVMeoF/TCP, and iSCSI.
584fffc8 1123
f1f142ad 1124config CRYPTO_CRC32
ec84348d 1125 tristate "CRC32"
f1f142ad
RE		 1126 select CRYPTO_HASH
1127 select CRC32
04ac7db3 1128 help
ec84348d
RE		 1129 CRC32 CRC algorithm (IEEE 802.3)
1130
1131 Used by RoCEv2 and f2fs.
04ac7db3 1132
f1f142ad 1133config CRYPTO_CRCT10DIF
ec84348d 1134 tristate "CRCT10DIF"
f1f142ad
RE		 1135 select CRYPTO_HASH
1136 help
ec84348d
RE		 1137 CRC16 CRC algorithm used for the T10 (SCSI) Data Integrity Field (DIF)
1138
1139 CRC algorithm used by the SCSI Block Commands standard.
04ac7db3 1140
f1f142ad 1141config CRYPTO_CRC64_ROCKSOFT
ec84348d 1142 tristate "CRC64 based on Rocksoft Model algorithm"
f1f142ad
RE		 1143 depends on CRC64
1144 select CRYPTO_HASH
ec84348d
RE		 1145 help
1146 CRC64 CRC algorithm based on the Rocksoft Model CRC Algorithm
1147
1148 Used by the NVMe implementation of T10 DIF (BLK_DEV_INTEGRITY)
1149
1150 See https://zlib.net/crc_v3.txt
584fffc8 1151
f1f142ad 1152endmenu
584fffc8 1153
f1f142ad 1154menu "Compression"
584fffc8
SS		 1155
1156config CRYPTO_DEFLATE
a9a98d49 1157 tristate "Deflate"
584fffc8 1158 select CRYPTO_ALGAPI
f6ded09d 1159 select CRYPTO_ACOMP2
584fffc8
SS		 1160 select ZLIB_INFLATE
1161 select ZLIB_DEFLATE
3c09f17c 1162 help
a9a98d49 1163 Deflate compression algorithm (RFC1951)
584fffc8 1164
a9a98d49 1165 Used by IPSec with the IPCOMP protocol (RFC3173, RFC2394)
3c09f17c 1166
0b77abb3 1167config CRYPTO_LZO
a9a98d49 1168 tristate "LZO"
0b77abb3 1169 select CRYPTO_ALGAPI
ac9d2c4b 1170 select CRYPTO_ACOMP2
0b77abb3
ZS		 1171 select LZO_COMPRESS
1172 select LZO_DECOMPRESS
1173 help
a9a98d49
RE		 1174 LZO compression algorithm
1175
1176 See https://www.oberhumer.com/opensource/lzo/ for further information.
0b77abb3 1177
35a1fc18 1178config CRYPTO_842
a9a98d49 1179 tristate "842"
2062c5b6 1180 select CRYPTO_ALGAPI
6a8de3ae 1181 select CRYPTO_ACOMP2
2062c5b6
DS		 1182 select 842_COMPRESS
1183 select 842_DECOMPRESS
35a1fc18 1184 help
a9a98d49
RE		 1185 842 compression algorithm by IBM
1186
1187 See https://github.com/plauth/lib842 for further information.
0ea8530d
CM		 1188
1189config CRYPTO_LZ4
a9a98d49 1190 tristate "LZ4"
0ea8530d 1191 select CRYPTO_ALGAPI
8cd9330e 1192 select CRYPTO_ACOMP2
0ea8530d
CM		 1193 select LZ4_COMPRESS
1194 select LZ4_DECOMPRESS
1195 help
a9a98d49
RE		 1196 LZ4 compression algorithm
1197
1198 See https://github.com/lz4/lz4 for further information.
0ea8530d
CM		 1199
1200config CRYPTO_LZ4HC
a9a98d49 1201 tristate "LZ4HC"
0ea8530d 1202 select CRYPTO_ALGAPI
91d53d96 1203 select CRYPTO_ACOMP2
0ea8530d
CM		 1204 select LZ4HC_COMPRESS
1205 select LZ4_DECOMPRESS
1206 help
a9a98d49
RE		 1207 LZ4 high compression mode algorithm
1208
1209 See https://github.com/lz4/lz4 for further information.
35a1fc18 1210
d28fc3db 1211config CRYPTO_ZSTD
a9a98d49 1212 tristate "Zstd"
d28fc3db
NT		 1213 select CRYPTO_ALGAPI
1214 select CRYPTO_ACOMP2
1215 select ZSTD_COMPRESS
1216 select ZSTD_DECOMPRESS
1217 help
a9a98d49
RE		 1218 zstd compression algorithm
1219
1220 See https://github.com/facebook/zstd for further information.
d28fc3db 1221
f1f142ad
RE		 1222endmenu
1223
1224menu "Random number generation"
17f0f4a4
NH		 1225
1226config CRYPTO_ANSI_CPRNG
a9a98d49 1227 tristate "ANSI PRNG (Pseudo Random Number Generator)"
17f0f4a4
NH		 1228 select CRYPTO_AES
1229 select CRYPTO_RNG
17f0f4a4 1230 help
a9a98d49
RE		 1231 Pseudo RNG (random number generator) (ANSI X9.31 Appendix A.2.4)
1232
1233 This uses the AES cipher algorithm.
1234
1235 Note that this option must be enabled if CRYPTO_FIPS is selected
17f0f4a4 1236
f2c89a10 1237menuconfig CRYPTO_DRBG_MENU
a9a98d49 1238 tristate "NIST SP800-90A DRBG (Deterministic Random Bit Generator)"
419090c6 1239 help
a9a98d49
RE		 1240 DRBG (Deterministic Random Bit Generator) (NIST SP800-90A)
1241
1242 In the following submenu, one or more of the DRBG types must be selected.
419090c6 1243
f2c89a10 1244if CRYPTO_DRBG_MENU
419090c6
SM		 1245
1246config CRYPTO_DRBG_HMAC
401e4238 1247 bool
419090c6 1248 default y
419090c6 1249 select CRYPTO_HMAC
5261cdf4 1250 select CRYPTO_SHA512
419090c6
SM		 1251
1252config CRYPTO_DRBG_HASH
a9a98d49 1253 bool "Hash_DRBG"
826775bb 1254 select CRYPTO_SHA256
419090c6 1255 help
a9a98d49
RE		 1256 Hash_DRBG variant as defined in NIST SP800-90A.
1257
1258 This uses the SHA-1, SHA-256, SHA-384, or SHA-512 hash algorithms.
419090c6
SM		 1259
1260config CRYPTO_DRBG_CTR
a9a98d49 1261 bool "CTR_DRBG"
419090c6 1262 select CRYPTO_AES
d6fc1a45 1263 select CRYPTO_CTR
419090c6 1264 help
a9a98d49
RE		 1265 CTR_DRBG variant as defined in NIST SP800-90A.
1266
1267 This uses the AES cipher algorithm with the counter block mode.
419090c6 1268
f2c89a10
HX		 1269config CRYPTO_DRBG
1270 tristate
401e4238 1271 default CRYPTO_DRBG_MENU
f2c89a10 1272 select CRYPTO_RNG
bb5530e4 1273 select CRYPTO_JITTERENTROPY
f2c89a10
HX		 1274
1275endif # if CRYPTO_DRBG_MENU
419090c6 1276
bb5530e4 1277config CRYPTO_JITTERENTROPY
a9a98d49 1278 tristate "CPU Jitter Non-Deterministic RNG (Random Number Generator)"
2f313e02 1279 select CRYPTO_RNG
bb897c55 1280 select CRYPTO_SHA3
bb5530e4 1281 help
a9a98d49
RE		 1282 CPU Jitter RNG (Random Number Generator) from the Jitterentropy library
1283
1284 A non-physical non-deterministic ("true") RNG (e.g., an entropy source
1285 compliant with NIST SP800-90B) intended to provide a seed to a
1286 deterministic RNG (e.g. per NIST SP800-90C).
1287 This RNG does not perform any cryptographic whitening of the generated
1288
1289 See https://www.chronox.de/jent.html
bb5530e4 1290
69f1c387
SM		 1291config CRYPTO_JITTERENTROPY_TESTINTERFACE
1292 bool "CPU Jitter RNG Test Interface"
1293 depends on CRYPTO_JITTERENTROPY
1294 help
1295 The test interface allows a privileged process to capture
1296 the raw unconditioned high resolution time stamp noise that
1297 is collected by the Jitter RNG for statistical analysis. As
1298 this data is used at the same time to generate random bits,
1299 the Jitter RNG operates in an insecure mode as long as the
1300 recording is enabled. This interface therefore is only
1301 intended for testing purposes and is not suitable for
1302 production systems.
1303
1304 The raw noise data can be obtained using the jent_raw_hires
1305 debugfs file. Using the option
1306 jitterentropy_testing.boot_raw_hires_test=1 the raw noise of
1307 the first 1000 entropy events since boot can be sampled.
1308
1309 If unsure, select N.
1310
026a733e
SM		 1311config CRYPTO_KDF800108_CTR
1312 tristate
a88592cc 1313 select CRYPTO_HMAC
304b4ace 1314 select CRYPTO_SHA256
026a733e 1315
f1f142ad 1316endmenu
9bc51715 1317menu "Userspace interface"
f1f142ad 1318
03c8efc1
HX		 1319config CRYPTO_USER_API
1320 tristate
1321
fe869cdb 1322config CRYPTO_USER_API_HASH
9bc51715 1323 tristate "Hash algorithms"
7451708f 1324 depends on NET
fe869cdb
HX		 1325 select CRYPTO_HASH
1326 select CRYPTO_USER_API
1327 help
9bc51715
RE		 1328 Enable the userspace interface for hash algorithms.
1329
1330 See Documentation/crypto/userspace-if.rst and
1331 https://www.chronox.de/libkcapi/html/index.html
fe869cdb 1332
8ff59090 1333config CRYPTO_USER_API_SKCIPHER
9bc51715 1334 tristate "Symmetric key cipher algorithms"
7451708f 1335 depends on NET
b95bba5d 1336 select CRYPTO_SKCIPHER
8ff59090
HX		 1337 select CRYPTO_USER_API
1338 help
9bc51715
RE		 1339 Enable the userspace interface for symmetric key cipher algorithms.
1340
1341 See Documentation/crypto/userspace-if.rst and
1342 https://www.chronox.de/libkcapi/html/index.html
8ff59090 1343
2f375538 1344config CRYPTO_USER_API_RNG
9bc51715 1345 tristate "RNG (random number generator) algorithms"
2f375538
SM		 1346 depends on NET
1347 select CRYPTO_RNG
1348 select CRYPTO_USER_API
1349 help
9bc51715
RE		 1350 Enable the userspace interface for RNG (random number generator)
1351 algorithms.
1352
1353 See Documentation/crypto/userspace-if.rst and
1354 https://www.chronox.de/libkcapi/html/index.html
2f375538 1355
77ebdabe
EP		 1356config CRYPTO_USER_API_RNG_CAVP
1357 bool "Enable CAVP testing of DRBG"
1358 depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
1359 help
9bc51715
RE		 1360 Enable extra APIs in the userspace interface for NIST CAVP
1361 (Cryptographic Algorithm Validation Program) testing:
1362 - resetting DRBG entropy
1363 - providing Additional Data
1364
77ebdabe
EP		 1365 This should only be enabled for CAVP testing. You should say
1366 no unless you know what this is.
1367
b64a2d95 1368config CRYPTO_USER_API_AEAD
9bc51715 1369 tristate "AEAD cipher algorithms"
b64a2d95
HX		 1370 depends on NET
1371 select CRYPTO_AEAD
b95bba5d 1372 select CRYPTO_SKCIPHER
72548b09 1373 select CRYPTO_NULL
b64a2d95
HX		 1374 select CRYPTO_USER_API
1375 help
9bc51715
RE		 1376 Enable the userspace interface for AEAD cipher algorithms.
1377
1378 See Documentation/crypto/userspace-if.rst and
1379 https://www.chronox.de/libkcapi/html/index.html
b64a2d95 1380
9ace6771 1381config CRYPTO_USER_API_ENABLE_OBSOLETE
9bc51715 1382 bool "Obsolete cryptographic algorithms"
9ace6771
AB		 1383 depends on CRYPTO_USER_API
1384 default y
1385 help
1386 Allow obsolete cryptographic algorithms to be selected that have
1387 already been phased out from internal use by the kernel, and are
1388 only useful for userspace clients that still rely on them.
1389
cac5818c 1390config CRYPTO_STATS
9bc51715 1391 bool "Crypto usage statistics"
a6a31385 1392 depends on CRYPTO_USER
cac5818c 1393 help
9bc51715
RE		 1394 Enable the gathering of crypto stats.
1395
1396 This collects data sizes, numbers of requests, and numbers
1397 of errors processed by:
1398 - AEAD ciphers (encrypt, decrypt)
1399 - asymmetric key ciphers (encrypt, decrypt, verify, sign)
1400 - symmetric key ciphers (encrypt, decrypt)
1401 - compression algorithms (compress, decompress)
1402 - hash algorithms (hash)
1403 - key-agreement protocol primitives (setsecret, generate
1404 public key, compute shared secret)
1405 - RNG (generate, seed)
cac5818c 1406
f1f142ad
RE		 1407endmenu
1408
ee08997f
DK		 1409config CRYPTO_HASH_INFO
1410 bool
1411
27bc50fc 1412if !KMSAN # avoid false positives from assembly
4a329fec
RE		 1413if ARM
1414source "arch/arm/crypto/Kconfig"
1415endif
1416if ARM64
1417source "arch/arm64/crypto/Kconfig"
1418endif
2f164822
MZ		 1419if LOONGARCH
1420source "arch/loongarch/crypto/Kconfig"
1421endif
e45f710b
RE		 1422if MIPS
1423source "arch/mips/crypto/Kconfig"
1424endif
6a490a4e
RE		 1425if PPC
1426source "arch/powerpc/crypto/Kconfig"
1427endif
c9d24c97
RE		 1428if S390
1429source "arch/s390/crypto/Kconfig"
1430endif
0e9f9ea6
RE		 1431if SPARC
1432source "arch/sparc/crypto/Kconfig"
1433endif
28a936ef
RE		 1434if X86
1435source "arch/x86/crypto/Kconfig"
1436endif
27bc50fc 1437endif
e45f710b 1438
1da177e4 1439source "drivers/crypto/Kconfig"
8636a1f9
MY		 1440source "crypto/asymmetric_keys/Kconfig"
1441source "certs/Kconfig"
1da177e4 1442
cce9e06d 1443endif # if CRYPTO
Empty description
This page took 1.126732 seconds and 4 git commands to generate.