1 # SPDX-License-Identifier: GPL-2.0
3 # Generic algorithms support
9 # async_tx api: hardware offloaded memory transfer/transform support
11 source "crypto/async_tx/Kconfig"
14 # Cryptographic API Configuration
17 tristate "Cryptographic API"
18 select CRYPTO_LIB_UTILS
20 This option provides the core Cryptographic API.
24 menu "Crypto core or helper"
27 bool "FIPS 200 compliance"
28 depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
29 depends on (MODULE_SIG || !MODULES)
31 This option enables the fips boot option which is
32 required if you want the system to operate in a FIPS 200
33 certification. You should say no unless you know what
36 config CRYPTO_FIPS_NAME
37 string "FIPS Module Name"
38 default "Linux Kernel Cryptographic API"
39 depends on CRYPTO_FIPS
41 This option sets the FIPS Module name reported by the Crypto API via
42 the /proc/sys/crypto/fips_name file.
44 config CRYPTO_FIPS_CUSTOM_VERSION
45 bool "Use Custom FIPS Module Version"
46 depends on CRYPTO_FIPS
49 config CRYPTO_FIPS_VERSION
50 string "FIPS Module Version"
52 depends on CRYPTO_FIPS_CUSTOM_VERSION
54 This option provides the ability to override the FIPS Module Version.
55 By default the KERNELRELEASE value is used.
61 This option provides the API for cryptographic algorithms.
84 config CRYPTO_SKCIPHER
86 select CRYPTO_SKCIPHER2
90 config CRYPTO_SKCIPHER2
101 select CRYPTO_ALGAPI2
110 select CRYPTO_ALGAPI2
112 config CRYPTO_RNG_DEFAULT
114 select CRYPTO_DRBG_MENU
116 config CRYPTO_AKCIPHER2
118 select CRYPTO_ALGAPI2
120 config CRYPTO_AKCIPHER
122 select CRYPTO_AKCIPHER2
127 select CRYPTO_ALGAPI2
136 select CRYPTO_ALGAPI2
144 config CRYPTO_MANAGER
145 tristate "Cryptographic algorithm manager"
146 select CRYPTO_MANAGER2
148 Create default cryptographic template instantiations such as
151 config CRYPTO_MANAGER2
152 def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
155 select CRYPTO_AKCIPHER2
160 select CRYPTO_SKCIPHER2
163 tristate "Userspace cryptographic algorithm configuration"
165 select CRYPTO_MANAGER
167 Userspace configuration for cryptographic instantiations such as
170 config CRYPTO_MANAGER_DISABLE_TESTS
171 bool "Disable run-time self tests"
174 Disable run-time self tests that normally take place at
175 algorithm registration.
177 config CRYPTO_MANAGER_EXTRA_TESTS
178 bool "Enable extra run-time crypto self tests"
179 depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER
181 Enable extra run-time self tests of registered crypto algorithms,
182 including randomized fuzz tests.
184 This is intended for developer use only, as these tests take much
185 longer to run than the normal self tests.
188 tristate "Null algorithms"
191 These are 'Null' algorithms, used by IPsec, which do nothing.
195 select CRYPTO_ALGAPI2
196 select CRYPTO_SKCIPHER2
200 tristate "Parallel crypto engine"
203 select CRYPTO_MANAGER
206 This converts an arbitrary crypto algorithm into a parallel
207 algorithm that executes in kernel threads.
210 tristate "Software async crypto daemon"
211 select CRYPTO_SKCIPHER
213 select CRYPTO_MANAGER
215 This is a generic software asynchronous crypto daemon that
216 converts an arbitrary synchronous software crypto algorithm
217 into an asynchronous algorithm that executes in a kernel thread.
219 config CRYPTO_AUTHENC
220 tristate "Authenc support"
222 select CRYPTO_SKCIPHER
223 select CRYPTO_MANAGER
227 Authenc: Combined mode wrapper for IPsec.
229 This is required for IPSec ESP (XFRM_ESP).
232 tristate "Testing module"
233 depends on m || EXPERT
234 select CRYPTO_MANAGER
236 Quick & dirty crypto test module.
247 menu "Public-key cryptography"
250 tristate "RSA (Rivest-Shamir-Adleman)"
251 select CRYPTO_AKCIPHER
252 select CRYPTO_MANAGER
257 RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017)
260 tristate "DH (Diffie-Hellman)"
264 DH (Diffie-Hellman) key exchange algorithm
266 config CRYPTO_DH_RFC7919_GROUPS
267 bool "RFC 7919 FFDHE groups"
269 select CRYPTO_RNG_DEFAULT
271 FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups
274 Support these finite-field groups in DH key exchanges:
275 - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
281 select CRYPTO_RNG_DEFAULT
284 tristate "ECDH (Elliptic Curve Diffie-Hellman)"
288 ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm
289 using curves P-192, P-256, and P-384 (FIPS 186)
292 tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)"
297 ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186,
299 using curves P-192, P-256, P-384 and P-521
301 Only signature verification is implemented.
304 tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)"
307 select CRYPTO_STREEBOG
311 Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
312 RFC 7091, ISO/IEC 14888-3)
314 One of the Russian cryptographic standard algorithms (called GOST
315 algorithms). Only signature verification is implemented.
317 config CRYPTO_CURVE25519
318 tristate "Curve25519"
320 select CRYPTO_LIB_CURVE25519_GENERIC
322 Curve25519 elliptic curve (RFC7748)
329 tristate "AES (Advanced Encryption Standard)"
331 select CRYPTO_LIB_AES
333 AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
335 Rijndael appears to be consistently a very good performer in
336 both hardware and software across a wide range of computing
337 environments regardless of its use in feedback or non-feedback
338 modes. Its key setup time is excellent, and its key agility is
339 good. Rijndael's very low memory requirements make it very well
340 suited for restricted-space environments, in which it also
341 demonstrates excellent performance. Rijndael's operations are
342 among the easiest to defend against power and timing attacks.
344 The AES specifies three key sizes: 128, 192 and 256 bits
347 tristate "AES (Advanced Encryption Standard) (fixed time)"
349 select CRYPTO_LIB_AES
351 AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
353 This is a generic implementation of AES that attempts to eliminate
354 data dependent latencies as much as possible without affecting
355 performance too much. It is intended for use by the generic CCM
356 and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
357 solely on encryption (although decryption is supported as well, but
358 with a more dramatic performance hit)
360 Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
361 8 for decryption), this implementation only uses just two S-boxes of
362 256 bytes each, and attempts to eliminate data dependent latencies by
363 prefetching the entire table into the cache at the start of each
364 block. Interrupts are also disabled to avoid races where cachelines
365 are evicted when the CPU is interrupted to do something else.
369 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
372 Anubis cipher algorithm
374 Anubis is a variable key length cipher which can use keys from
375 128 bits to 320 bits in length. It was evaluated as a entrant
376 in the NESSIE competition.
378 See https://web.archive.org/web/20160606112246/http://www.larc.usp.br/~pbarreto/AnubisPage.html
379 for further information.
385 ARIA cipher algorithm (RFC5794)
387 ARIA is a standard encryption algorithm of the Republic of Korea.
388 The ARIA specifies three key sizes and rounds.
394 https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do
396 config CRYPTO_BLOWFISH
399 select CRYPTO_BLOWFISH_COMMON
401 Blowfish cipher algorithm, by Bruce Schneier
403 This is a variable key length cipher which can use keys from 32
404 bits to 448 bits in length. It's fast, simple and specifically
405 designed for use on "large microprocessors".
407 See https://www.schneier.com/blowfish.html for further information.
409 config CRYPTO_BLOWFISH_COMMON
412 Common parts of the Blowfish cipher algorithm shared by the
413 generic c and the assembler implementations.
415 config CRYPTO_CAMELLIA
419 Camellia cipher algorithms (ISO/IEC 18033-3)
421 Camellia is a symmetric key block cipher developed jointly
422 at NTT and Mitsubishi Electric Corporation.
424 The Camellia specifies three key sizes: 128, 192 and 256 bits.
426 See https://info.isl.ntt.co.jp/crypt/eng/camellia/ for further information.
428 config CRYPTO_CAST_COMMON
431 Common parts of the CAST cipher algorithms shared by the
432 generic c and the assembler implementations.
435 tristate "CAST5 (CAST-128)"
437 select CRYPTO_CAST_COMMON
439 CAST5 (CAST-128) cipher algorithm (RFC2144, ISO/IEC 18033-3)
442 tristate "CAST6 (CAST-256)"
444 select CRYPTO_CAST_COMMON
446 CAST6 (CAST-256) encryption algorithm (RFC2612)
449 tristate "DES and Triple DES EDE"
451 select CRYPTO_LIB_DES
453 DES (Data Encryption Standard)(FIPS 46-2, ISO/IEC 18033-3) and
454 Triple DES EDE (Encrypt/Decrypt/Encrypt) (FIPS 46-3, ISO/IEC 18033-3)
460 select CRYPTO_SKCIPHER
462 FCrypt algorithm used by RxRPC
464 See https://ota.polyonymo.us/fcrypt-paper.txt
468 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
471 Khazad cipher algorithm
473 Khazad was a finalist in the initial NESSIE competition. It is
474 an algorithm optimized for 64-bit processors with good performance
475 on 32-bit processors. Khazad uses an 128 bit key size.
477 See https://web.archive.org/web/20171011071731/http://www.larc.usp.br/~pbarreto/KhazadPage.html
478 for further information.
482 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
485 SEED cipher algorithm (RFC4269, ISO/IEC 18033-3)
487 SEED is a 128-bit symmetric key block cipher that has been
488 developed by KISA (Korea Information Security Agency) as a
489 national standard encryption algorithm of the Republic of Korea.
490 It is a 16 round block cipher with the key size of 128 bit.
492 See https://seed.kisa.or.kr/kisa/algorithm/EgovSeedInfo.do
493 for further information.
495 config CRYPTO_SERPENT
499 Serpent cipher algorithm, by Anderson, Biham & Knudsen
501 Keys are allowed to be from 0 to 256 bits in length, in steps
504 See https://www.cl.cam.ac.uk/~rja14/serpent.html for further information.
509 config CRYPTO_SM4_GENERIC
510 tristate "SM4 (ShangMi 4)"
514 SM4 cipher algorithms (OSCCA GB/T 32907-2016,
515 ISO/IEC 18033-3:2010/Amd 1:2021)
517 SM4 (GBT.32907-2016) is a cryptographic standard issued by the
518 Organization of State Commercial Administration of China (OSCCA)
519 as an authorized cryptographic algorithms for the use within China.
521 SMS4 was originally created for use in protecting wireless
522 networks, and is mandated in the Chinese National Standard for
523 Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
526 The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
527 standardized through TC 260 of the Standardization Administration
528 of the People's Republic of China (SAC).
530 The input, output, and key of SMS4 are each 128 bits.
532 See https://eprint.iacr.org/2008/329.pdf for further information.
537 tristate "TEA, XTEA and XETA"
538 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
541 TEA (Tiny Encryption Algorithm) cipher algorithms
543 Tiny Encryption Algorithm is a simple cipher that uses
544 many rounds for security. It is very fast and uses
547 Xtendend Tiny Encryption Algorithm is a modification to
548 the TEA algorithm to address a potential key weakness
549 in the TEA algorithm.
551 Xtendend Encryption Tiny Algorithm is a mis-implementation
552 of the XTEA algorithm for compatibility purposes.
554 config CRYPTO_TWOFISH
557 select CRYPTO_TWOFISH_COMMON
559 Twofish cipher algorithm
561 Twofish was submitted as an AES (Advanced Encryption Standard)
562 candidate cipher by researchers at CounterPane Systems. It is a
563 16 round block cipher supporting key sizes of 128, 192, and 256
566 See https://www.schneier.com/twofish.html for further information.
568 config CRYPTO_TWOFISH_COMMON
571 Common parts of the Twofish cipher algorithm shared by the
572 generic c and the assembler implementations.
576 menu "Length-preserving ciphers and modes"
578 config CRYPTO_ADIANTUM
580 select CRYPTO_CHACHA20
581 select CRYPTO_LIB_POLY1305_GENERIC
582 select CRYPTO_NHPOLY1305
583 select CRYPTO_MANAGER
585 Adiantum tweakable, length-preserving encryption mode
587 Designed for fast and secure disk encryption, especially on
588 CPUs without dedicated crypto instructions. It encrypts
589 each sector using the XChaCha12 stream cipher, two passes of
590 an ε-almost-∆-universal hash function, and an invocation of
591 the AES-256 block cipher on a single 16-byte block. On CPUs
592 without AES instructions, Adiantum is much faster than
595 Adiantum's security is provably reducible to that of its
596 underlying stream and block ciphers, subject to a security
597 bound. Unlike XTS, Adiantum is a true wide-block encryption
598 mode, so it actually provides an even stronger notion of
599 security than XTS, subject to the security bound.
604 tristate "ARC4 (Alleged Rivest Cipher 4)"
605 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
606 select CRYPTO_SKCIPHER
607 select CRYPTO_LIB_ARC4
609 ARC4 cipher algorithm
611 ARC4 is a stream cipher using keys ranging from 8 bits to 2048
612 bits in length. This algorithm is required for driver-based
613 WEP, but it should not be for other purposes because of the
614 weakness of the algorithm.
616 config CRYPTO_CHACHA20
618 select CRYPTO_LIB_CHACHA_GENERIC
619 select CRYPTO_SKCIPHER
621 The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms
623 ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
624 Bernstein and further specified in RFC7539 for use in IETF protocols.
625 This is the portable C implementation of ChaCha20. See
626 https://cr.yp.to/chacha/chacha-20080128.pdf for further information.
628 XChaCha20 is the application of the XSalsa20 construction to ChaCha20
629 rather than to Salsa20. XChaCha20 extends ChaCha20's nonce length
630 from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
631 while provably retaining ChaCha20's security. See
632 https://cr.yp.to/snuffle/xsalsa-20081128.pdf for further information.
634 XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
635 reduced security margin but increased performance. It can be needed
636 in some performance-sensitive scenarios.
639 tristate "CBC (Cipher Block Chaining)"
640 select CRYPTO_SKCIPHER
641 select CRYPTO_MANAGER
643 CBC (Cipher Block Chaining) mode (NIST SP800-38A)
645 This block cipher mode is required for IPSec ESP (XFRM_ESP).
648 tristate "CTR (Counter)"
649 select CRYPTO_SKCIPHER
650 select CRYPTO_MANAGER
652 CTR (Counter) mode (NIST SP800-38A)
655 tristate "CTS (Cipher Text Stealing)"
656 select CRYPTO_SKCIPHER
657 select CRYPTO_MANAGER
659 CBC-CS3 variant of CTS (Cipher Text Stealing) (NIST
660 Addendum to SP800-38A (October 2010))
662 This mode is required for Kerberos gss mechanism support
666 tristate "ECB (Electronic Codebook)"
667 select CRYPTO_SKCIPHER2
668 select CRYPTO_MANAGER
670 ECB (Electronic Codebook) mode (NIST SP800-38A)
675 select CRYPTO_POLYVAL
676 select CRYPTO_MANAGER
678 HCTR2 length-preserving encryption mode
680 A mode for storage encryption that is efficient on processors with
681 instructions to accelerate AES and carryless multiplication, e.g.
682 x86 processors with AES-NI and CLMUL, and ARM processors with the
683 ARMv8 crypto extensions.
685 See https://eprint.iacr.org/2021/1441
687 config CRYPTO_KEYWRAP
688 tristate "KW (AES Key Wrap)"
689 select CRYPTO_SKCIPHER
690 select CRYPTO_MANAGER
692 KW (AES Key Wrap) authenticated encryption mode (NIST SP800-38F
693 and RFC3394) without padding.
696 tristate "LRW (Liskov Rivest Wagner)"
697 select CRYPTO_LIB_GF128MUL
698 select CRYPTO_SKCIPHER
699 select CRYPTO_MANAGER
702 LRW (Liskov Rivest Wagner) mode
704 A tweakable, non malleable, non movable
705 narrow block cipher mode for dm-crypt. Use it with cipher
706 specification string aes-lrw-benbi, the key must be 256, 320 or 384.
707 The first 128, 192 or 256 bits in the key are used for AES and the
708 rest is used to tie each cipher block to its logical position.
710 See https://people.csail.mit.edu/rivest/pubs/LRW02.pdf
713 tristate "PCBC (Propagating Cipher Block Chaining)"
714 select CRYPTO_SKCIPHER
715 select CRYPTO_MANAGER
717 PCBC (Propagating Cipher Block Chaining) mode
719 This block cipher mode is required for RxRPC.
723 select CRYPTO_SKCIPHER
724 select CRYPTO_MANAGER
726 XCTR (XOR Counter) mode for HCTR2
728 This blockcipher mode is a variant of CTR mode using XORs and little-endian
729 addition rather than big-endian arithmetic.
731 XCTR mode is used to implement HCTR2.
734 tristate "XTS (XOR Encrypt XOR with ciphertext stealing)"
735 select CRYPTO_SKCIPHER
736 select CRYPTO_MANAGER
739 XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
742 Use with aes-xts-plain, key size 256, 384 or 512 bits. This
743 implementation currently can't handle a sectorsize which is not a
744 multiple of 16 bytes.
746 config CRYPTO_NHPOLY1305
749 select CRYPTO_LIB_POLY1305_GENERIC
753 menu "AEAD (authenticated encryption with associated data) ciphers"
755 config CRYPTO_AEGIS128
758 select CRYPTO_AES # for AES S-box tables
760 AEGIS-128 AEAD algorithm
762 config CRYPTO_AEGIS128_SIMD
763 bool "AEGIS-128 (arm NEON, arm64 NEON)"
764 depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
767 AEGIS-128 AEAD algorithm
769 Architecture: arm or arm64 using:
770 - NEON (Advanced SIMD) extension
772 config CRYPTO_CHACHA20POLY1305
773 tristate "ChaCha20-Poly1305"
774 select CRYPTO_CHACHA20
775 select CRYPTO_POLY1305
777 select CRYPTO_MANAGER
779 ChaCha20 stream cipher and Poly1305 authenticator combined
783 tristate "CCM (Counter with Cipher Block Chaining-MAC)"
787 select CRYPTO_MANAGER
789 CCM (Counter with Cipher Block Chaining-Message Authentication Code)
790 authenticated encryption mode (NIST SP800-38C)
793 tristate "GCM (Galois/Counter Mode) and GMAC (GCM MAC)"
798 select CRYPTO_MANAGER
800 GCM (Galois/Counter Mode) authenticated encryption mode and GMAC
801 (GCM Message Authentication Code) (NIST SP800-38D)
803 This is required for IPSec ESP (XFRM_ESP).
809 select CRYPTO_MANAGER
810 select CRYPTO_RNG_DEFAULT
813 tristate "Sequence Number IV Generator"
816 Sequence Number IV generator
818 This IV generator generates an IV based on a sequence number by
819 xoring it with a salt. This algorithm is mainly useful for CTR.
821 This is required for IPsec ESP (XFRM_ESP).
823 config CRYPTO_ECHAINIV
824 tristate "Encrypted Chain IV Generator"
827 Encrypted Chain IV generator
829 This IV generator generates an IV based on the encryption of
830 a sequence number xored with a salt. This is the default
834 tristate "Encrypted Salt-Sector IV Generator"
835 select CRYPTO_AUTHENC
837 Encrypted Salt-Sector IV generator
839 This IV generator is used in some cases by fscrypt and/or
840 dm-crypt. It uses the hash of the block encryption key as the
841 symmetric key for a block encryption pass applied to the input
842 IV, making low entropy IV sources more suitable for block
845 This driver implements a crypto API template that can be
846 instantiated either as an skcipher or as an AEAD (depending on the
847 type of the first template argument), and which defers encryption
848 and decryption requests to the encapsulated cipher after applying
849 ESSIV to the input IV. Note that in the AEAD case, it is assumed
850 that the keys are presented in the same format used by the authenc
851 template, and that the IV appears at the end of the authenticated
852 associated data (AAD) region (which is how dm-crypt uses it.)
854 Note that the use of ESSIV is not recommended for new deployments,
855 and so this only needs to be enabled when interoperability with
856 existing encrypted volumes of filesystems is required, or when
857 building for a particular system that requires it (e.g., when
858 the SoC in question has accelerated CBC but not XTS, making CBC
859 combined with ESSIV the only feasible mode for h/w accelerated
864 menu "Hashes, digests, and MACs"
866 config CRYPTO_BLAKE2B
870 BLAKE2b cryptographic hash function (RFC 7693)
872 BLAKE2b is optimized for 64-bit platforms and can produce digests
873 of any size between 1 and 64 bytes. The keyed hash is also implemented.
875 This module provides the following algorithms:
881 Used by the btrfs filesystem.
883 See https://blake2.net for further information.
886 tristate "CMAC (Cipher-based MAC)"
888 select CRYPTO_MANAGER
890 CMAC (Cipher-based Message Authentication Code) authentication
891 mode (NIST SP800-38B and IETF RFC4493)
896 select CRYPTO_LIB_GF128MUL
898 GCM GHASH function (NIST SP800-38D)
901 tristate "HMAC (Keyed-Hash MAC)"
903 select CRYPTO_MANAGER
905 HMAC (Keyed-Hash Message Authentication Code) (FIPS 198 and
908 This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
914 MD4 message digest algorithm (RFC1320)
920 MD5 message digest algorithm (RFC1321)
922 config CRYPTO_MICHAEL_MIC
923 tristate "Michael MIC"
926 Michael MIC (Message Integrity Code) (IEEE 802.11i)
928 Defined by the IEEE 802.11i TKIP (Temporal Key Integrity Protocol),
929 known as WPA (Wif-Fi Protected Access).
931 This algorithm is required for TKIP, but it should not be used for
932 other purposes because of the weakness of the algorithm.
934 config CRYPTO_POLYVAL
937 select CRYPTO_LIB_GF128MUL
939 POLYVAL hash function for HCTR2
941 This is used in HCTR2. It is not a general-purpose
942 cryptographic hash function.
944 config CRYPTO_POLY1305
947 select CRYPTO_LIB_POLY1305_GENERIC
949 Poly1305 authenticator algorithm (RFC7539)
951 Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
952 It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
953 in IETF protocols. This is the portable C implementation of Poly1305.
956 tristate "RIPEMD-160"
959 RIPEMD-160 hash function (ISO/IEC 10118-3)
961 RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
962 to be used as a secure replacement for the 128-bit hash functions
963 MD4, MD5 and its predecessor RIPEMD
964 (not to be confused with RIPEMD-128).
966 Its speed is comparable to SHA-1 and there are no known attacks
969 Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
970 See https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
971 for further information.
976 select CRYPTO_LIB_SHA1
978 SHA-1 secure hash algorithm (FIPS 180, ISO/IEC 10118-3)
981 tristate "SHA-224 and SHA-256"
983 select CRYPTO_LIB_SHA256
985 SHA-224 and SHA-256 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
987 This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
988 Used by the btrfs filesystem, Ceph, NFS, and SMB.
991 tristate "SHA-384 and SHA-512"
994 SHA-384 and SHA-512 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
1000 SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3)
1005 config CRYPTO_SM3_GENERIC
1006 tristate "SM3 (ShangMi 3)"
1010 SM3 (ShangMi 3) secure hash function (OSCCA GM/T 0004-2012, ISO/IEC 10118-3)
1012 This is part of the Chinese Commercial Cryptography suite.
1015 http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
1016 https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
1018 config CRYPTO_STREEBOG
1022 Streebog Hash Function (GOST R 34.11-2012, RFC 6986, ISO/IEC 10118-3)
1024 This is one of the Russian cryptographic standard algorithms (called
1025 GOST algorithms). This setting enables two hash algorithms with
1026 256 and 512 bits output.
1029 https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1030 https://tools.ietf.org/html/rfc6986
1035 select CRYPTO_MANAGER
1037 VMAC is a message authentication algorithm designed for
1038 very high speed on 64-bit architectures.
1040 See https://fastcrypto.org/vmac for further information.
1043 tristate "Whirlpool"
1046 Whirlpool hash function (ISO/IEC 10118-3)
1048 512, 384 and 256-bit hashes.
1050 Whirlpool-512 is part of the NESSIE cryptographic primitives.
1052 See https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
1053 for further information.
1056 tristate "XCBC-MAC (Extended Cipher Block Chaining MAC)"
1058 select CRYPTO_MANAGER
1060 XCBC-MAC (Extended Cipher Block Chaining Message Authentication
1063 config CRYPTO_XXHASH
1068 xxHash non-cryptographic hash algorithm
1070 Extremely fast, working at speeds close to RAM limits.
1072 Used by the btrfs filesystem.
1076 menu "CRCs (cyclic redundancy checks)"
1078 config CRYPTO_CRC32C
1083 CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720)
1085 A 32-bit CRC (cyclic redundancy check) with a polynomial defined
1086 by G. Castagnoli, S. Braeuer and M. Herrman in "Optimization of Cyclic
1087 Redundancy-Check Codes with 24 and 32 Parity Bits", IEEE Transactions
1088 on Communications, Vol. 41, No. 6, June 1993, selected for use with
1091 Used by btrfs, ext4, jbd2, NVMeoF/TCP, and iSCSI.
1098 CRC32 CRC algorithm (IEEE 802.3)
1100 Used by RoCEv2 and f2fs.
1102 config CRYPTO_CRCT10DIF
1103 tristate "CRCT10DIF"
1106 CRC16 CRC algorithm used for the T10 (SCSI) Data Integrity Field (DIF)
1108 CRC algorithm used by the SCSI Block Commands standard.
1110 config CRYPTO_CRC64_ROCKSOFT
1111 tristate "CRC64 based on Rocksoft Model algorithm"
1115 CRC64 CRC algorithm based on the Rocksoft Model CRC Algorithm
1117 Used by the NVMe implementation of T10 DIF (BLK_DEV_INTEGRITY)
1119 See https://zlib.net/crc_v3.txt
1125 config CRYPTO_DEFLATE
1127 select CRYPTO_ALGAPI
1128 select CRYPTO_ACOMP2
1132 Deflate compression algorithm (RFC1951)
1134 Used by IPSec with the IPCOMP protocol (RFC3173, RFC2394)
1138 select CRYPTO_ALGAPI
1139 select CRYPTO_ACOMP2
1141 select LZO_DECOMPRESS
1143 LZO compression algorithm
1145 See https://www.oberhumer.com/opensource/lzo/ for further information.
1149 select CRYPTO_ALGAPI
1150 select CRYPTO_ACOMP2
1152 select 842_DECOMPRESS
1154 842 compression algorithm by IBM
1156 See https://github.com/plauth/lib842 for further information.
1160 select CRYPTO_ALGAPI
1161 select CRYPTO_ACOMP2
1163 select LZ4_DECOMPRESS
1165 LZ4 compression algorithm
1167 See https://github.com/lz4/lz4 for further information.
1171 select CRYPTO_ALGAPI
1172 select CRYPTO_ACOMP2
1173 select LZ4HC_COMPRESS
1174 select LZ4_DECOMPRESS
1176 LZ4 high compression mode algorithm
1178 See https://github.com/lz4/lz4 for further information.
1182 select CRYPTO_ALGAPI
1183 select CRYPTO_ACOMP2
1184 select ZSTD_COMPRESS
1185 select ZSTD_DECOMPRESS
1187 zstd compression algorithm
1189 See https://github.com/facebook/zstd for further information.
1193 menu "Random number generation"
1195 config CRYPTO_ANSI_CPRNG
1196 tristate "ANSI PRNG (Pseudo Random Number Generator)"
1200 Pseudo RNG (random number generator) (ANSI X9.31 Appendix A.2.4)
1202 This uses the AES cipher algorithm.
1204 Note that this option must be enabled if CRYPTO_FIPS is selected
1206 menuconfig CRYPTO_DRBG_MENU
1207 tristate "NIST SP800-90A DRBG (Deterministic Random Bit Generator)"
1209 DRBG (Deterministic Random Bit Generator) (NIST SP800-90A)
1211 In the following submenu, one or more of the DRBG types must be selected.
1215 config CRYPTO_DRBG_HMAC
1219 select CRYPTO_SHA512
1221 config CRYPTO_DRBG_HASH
1223 select CRYPTO_SHA256
1225 Hash_DRBG variant as defined in NIST SP800-90A.
1227 This uses the SHA-1, SHA-256, SHA-384, or SHA-512 hash algorithms.
1229 config CRYPTO_DRBG_CTR
1234 CTR_DRBG variant as defined in NIST SP800-90A.
1236 This uses the AES cipher algorithm with the counter block mode.
1240 default CRYPTO_DRBG_MENU
1242 select CRYPTO_JITTERENTROPY
1244 endif # if CRYPTO_DRBG_MENU
1246 config CRYPTO_JITTERENTROPY
1247 tristate "CPU Jitter Non-Deterministic RNG (Random Number Generator)"
1251 CPU Jitter RNG (Random Number Generator) from the Jitterentropy library
1253 A non-physical non-deterministic ("true") RNG (e.g., an entropy source
1254 compliant with NIST SP800-90B) intended to provide a seed to a
1255 deterministic RNG (e.g., per NIST SP800-90C).
1256 This RNG does not perform any cryptographic whitening of the generated
1259 See https://www.chronox.de/jent/
1261 if CRYPTO_JITTERENTROPY
1262 if CRYPTO_FIPS && EXPERT
1265 prompt "CPU Jitter RNG Memory Size"
1266 default CRYPTO_JITTERENTROPY_MEMSIZE_2
1268 The Jitter RNG measures the execution time of memory accesses.
1269 Multiple consecutive memory accesses are performed. If the memory
1270 size fits into a cache (e.g. L1), only the memory access timing
1271 to that cache is measured. The closer the cache is to the CPU
1272 the less variations are measured and thus the less entropy is
1273 obtained. Thus, if the memory size fits into the L1 cache, the
1274 obtained entropy is less than if the memory size fits within
1275 L1 + L2, which in turn is less if the memory fits into
1276 L1 + L2 + L3. Thus, by selecting a different memory size,
1277 the entropy rate produced by the Jitter RNG can be modified.
1279 config CRYPTO_JITTERENTROPY_MEMSIZE_2
1280 bool "2048 Bytes (default)"
1282 config CRYPTO_JITTERENTROPY_MEMSIZE_128
1285 config CRYPTO_JITTERENTROPY_MEMSIZE_1024
1288 config CRYPTO_JITTERENTROPY_MEMSIZE_8192
1292 config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
1294 default 64 if CRYPTO_JITTERENTROPY_MEMSIZE_2
1295 default 512 if CRYPTO_JITTERENTROPY_MEMSIZE_128
1296 default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
1297 default 4096 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
1299 config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
1301 default 32 if CRYPTO_JITTERENTROPY_MEMSIZE_2
1302 default 256 if CRYPTO_JITTERENTROPY_MEMSIZE_128
1303 default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
1304 default 2048 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
1306 config CRYPTO_JITTERENTROPY_OSR
1307 int "CPU Jitter RNG Oversampling Rate"
1311 The Jitter RNG allows the specification of an oversampling rate (OSR).
1312 The Jitter RNG operation requires a fixed amount of timing
1313 measurements to produce one output block of random numbers. The
1314 OSR value is multiplied with the amount of timing measurements to
1315 generate one output block. Thus, the timing measurement is oversampled
1316 by the OSR factor. The oversampling allows the Jitter RNG to operate
1317 on hardware whose timers deliver limited amount of entropy (e.g.
1318 the timer is coarse) by setting the OSR to a higher value. The
1319 trade-off, however, is that the Jitter RNG now requires more time
1320 to generate random numbers.
1322 config CRYPTO_JITTERENTROPY_TESTINTERFACE
1323 bool "CPU Jitter RNG Test Interface"
1325 The test interface allows a privileged process to capture
1326 the raw unconditioned high resolution time stamp noise that
1327 is collected by the Jitter RNG for statistical analysis. As
1328 this data is used at the same time to generate random bits,
1329 the Jitter RNG operates in an insecure mode as long as the
1330 recording is enabled. This interface therefore is only
1331 intended for testing purposes and is not suitable for
1334 The raw noise data can be obtained using the jent_raw_hires
1335 debugfs file. Using the option
1336 jitterentropy_testing.boot_raw_hires_test=1 the raw noise of
1337 the first 1000 entropy events since boot can be sampled.
1339 If unsure, select N.
1341 endif # if CRYPTO_FIPS && EXPERT
1343 if !(CRYPTO_FIPS && EXPERT)
1345 config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
1349 config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
1353 config CRYPTO_JITTERENTROPY_OSR
1357 config CRYPTO_JITTERENTROPY_TESTINTERFACE
1360 endif # if !(CRYPTO_FIPS && EXPERT)
1361 endif # if CRYPTO_JITTERENTROPY
1363 config CRYPTO_KDF800108_CTR
1366 select CRYPTO_SHA256
1369 menu "Userspace interface"
1371 config CRYPTO_USER_API
1374 config CRYPTO_USER_API_HASH
1375 tristate "Hash algorithms"
1378 select CRYPTO_USER_API
1380 Enable the userspace interface for hash algorithms.
1382 See Documentation/crypto/userspace-if.rst and
1383 https://www.chronox.de/libkcapi/html/index.html
1385 config CRYPTO_USER_API_SKCIPHER
1386 tristate "Symmetric key cipher algorithms"
1388 select CRYPTO_SKCIPHER
1389 select CRYPTO_USER_API
1391 Enable the userspace interface for symmetric key cipher algorithms.
1393 See Documentation/crypto/userspace-if.rst and
1394 https://www.chronox.de/libkcapi/html/index.html
1396 config CRYPTO_USER_API_RNG
1397 tristate "RNG (random number generator) algorithms"
1400 select CRYPTO_USER_API
1402 Enable the userspace interface for RNG (random number generator)
1405 See Documentation/crypto/userspace-if.rst and
1406 https://www.chronox.de/libkcapi/html/index.html
1408 config CRYPTO_USER_API_RNG_CAVP
1409 bool "Enable CAVP testing of DRBG"
1410 depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
1412 Enable extra APIs in the userspace interface for NIST CAVP
1413 (Cryptographic Algorithm Validation Program) testing:
1414 - resetting DRBG entropy
1415 - providing Additional Data
1417 This should only be enabled for CAVP testing. You should say
1418 no unless you know what this is.
1420 config CRYPTO_USER_API_AEAD
1421 tristate "AEAD cipher algorithms"
1424 select CRYPTO_SKCIPHER
1426 select CRYPTO_USER_API
1428 Enable the userspace interface for AEAD cipher algorithms.
1430 See Documentation/crypto/userspace-if.rst and
1431 https://www.chronox.de/libkcapi/html/index.html
1433 config CRYPTO_USER_API_ENABLE_OBSOLETE
1434 bool "Obsolete cryptographic algorithms"
1435 depends on CRYPTO_USER_API
1438 Allow obsolete cryptographic algorithms to be selected that have
1439 already been phased out from internal use by the kernel, and are
1440 only useful for userspace clients that still rely on them.
1444 config CRYPTO_HASH_INFO
1447 if !KMSAN # avoid false positives from assembly
1449 source "arch/arm/crypto/Kconfig"
1452 source "arch/arm64/crypto/Kconfig"
1455 source "arch/loongarch/crypto/Kconfig"
1458 source "arch/mips/crypto/Kconfig"
1461 source "arch/powerpc/crypto/Kconfig"
1464 source "arch/riscv/crypto/Kconfig"
1467 source "arch/s390/crypto/Kconfig"
1470 source "arch/sparc/crypto/Kconfig"
1473 source "arch/x86/crypto/Kconfig"
1477 source "drivers/crypto/Kconfig"
1478 source "crypto/asymmetric_keys/Kconfig"
1479 source "certs/Kconfig"
projects / linux.git / blob