1 # SPDX-License-Identifier: GPL-2.0
3 # Generic algorithms support
9 # async_tx api: hardware offloaded memory transfer/transform support
11 source "crypto/async_tx/Kconfig"
14 # Cryptographic API Configuration
17 tristate "Cryptographic API"
18 select CRYPTO_LIB_UTILS
20 This option provides the core Cryptographic API.
24 menu "Crypto core or helper"
27 bool "FIPS 200 compliance"
28 depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
29 depends on (MODULE_SIG || !MODULES)
31 This option enables the fips boot option which is
32 required if you want the system to operate in a FIPS 200
33 certification. You should say no unless you know what
36 config CRYPTO_FIPS_NAME
37 string "FIPS Module Name"
38 default "Linux Kernel Cryptographic API"
39 depends on CRYPTO_FIPS
41 This option sets the FIPS Module name reported by the Crypto API via
42 the /proc/sys/crypto/fips_name file.
44 config CRYPTO_FIPS_CUSTOM_VERSION
45 bool "Use Custom FIPS Module Version"
46 depends on CRYPTO_FIPS
49 config CRYPTO_FIPS_VERSION
50 string "FIPS Module Version"
52 depends on CRYPTO_FIPS_CUSTOM_VERSION
54 This option provides the ability to override the FIPS Module Version.
55 By default the KERNELRELEASE value is used.
61 This option provides the API for cryptographic algorithms.
84 config CRYPTO_SKCIPHER
86 select CRYPTO_SKCIPHER2
90 config CRYPTO_SKCIPHER2
101 select CRYPTO_ALGAPI2
110 select CRYPTO_ALGAPI2
112 config CRYPTO_RNG_DEFAULT
114 select CRYPTO_DRBG_MENU
116 config CRYPTO_AKCIPHER2
118 select CRYPTO_ALGAPI2
120 config CRYPTO_AKCIPHER
122 select CRYPTO_AKCIPHER2
127 select CRYPTO_ALGAPI2
136 select CRYPTO_ALGAPI2
144 config CRYPTO_MANAGER
145 tristate "Cryptographic algorithm manager"
146 select CRYPTO_MANAGER2
148 Create default cryptographic template instantiations such as
151 config CRYPTO_MANAGER2
152 def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
155 select CRYPTO_AKCIPHER2
160 select CRYPTO_SKCIPHER2
163 tristate "Userspace cryptographic algorithm configuration"
165 select CRYPTO_MANAGER
167 Userspace configuration for cryptographic instantiations such as
170 config CRYPTO_MANAGER_DISABLE_TESTS
171 bool "Disable run-time self tests"
174 Disable run-time self tests that normally take place at
175 algorithm registration.
177 config CRYPTO_MANAGER_EXTRA_TESTS
178 bool "Enable extra run-time crypto self tests"
179 depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER
181 Enable extra run-time self tests of registered crypto algorithms,
182 including randomized fuzz tests.
184 This is intended for developer use only, as these tests take much
185 longer to run than the normal self tests.
188 tristate "Null algorithms"
191 These are 'Null' algorithms, used by IPsec, which do nothing.
195 select CRYPTO_ALGAPI2
196 select CRYPTO_SKCIPHER2
200 tristate "Parallel crypto engine"
203 select CRYPTO_MANAGER
206 This converts an arbitrary crypto algorithm into a parallel
207 algorithm that executes in kernel threads.
210 tristate "Software async crypto daemon"
211 select CRYPTO_SKCIPHER
213 select CRYPTO_MANAGER
215 This is a generic software asynchronous crypto daemon that
216 converts an arbitrary synchronous software crypto algorithm
217 into an asynchronous algorithm that executes in a kernel thread.
219 config CRYPTO_AUTHENC
220 tristate "Authenc support"
222 select CRYPTO_SKCIPHER
223 select CRYPTO_MANAGER
227 Authenc: Combined mode wrapper for IPsec.
229 This is required for IPSec ESP (XFRM_ESP).
232 tristate "Testing module"
233 depends on m || EXPERT
234 select CRYPTO_MANAGER
236 Quick & dirty crypto test module.
247 menu "Public-key cryptography"
250 tristate "RSA (Rivest-Shamir-Adleman)"
251 select CRYPTO_AKCIPHER
252 select CRYPTO_MANAGER
257 RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017)
260 tristate "DH (Diffie-Hellman)"
264 DH (Diffie-Hellman) key exchange algorithm
266 config CRYPTO_DH_RFC7919_GROUPS
267 bool "RFC 7919 FFDHE groups"
269 select CRYPTO_RNG_DEFAULT
271 FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups
274 Support these finite-field groups in DH key exchanges:
275 - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
281 select CRYPTO_RNG_DEFAULT
284 tristate "ECDH (Elliptic Curve Diffie-Hellman)"
288 ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm
289 using curves P-192, P-256, and P-384 (FIPS 186)
292 tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)"
297 ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186,
299 using curves P-192, P-256, P-384 and P-521
301 Only signature verification is implemented.
304 tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)"
307 select CRYPTO_STREEBOG
311 Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
312 RFC 7091, ISO/IEC 14888-3)
314 One of the Russian cryptographic standard algorithms (called GOST
315 algorithms). Only signature verification is implemented.
317 config CRYPTO_CURVE25519
318 tristate "Curve25519"
320 select CRYPTO_LIB_CURVE25519_GENERIC
322 Curve25519 elliptic curve (RFC7748)
329 tristate "AES (Advanced Encryption Standard)"
331 select CRYPTO_LIB_AES
333 AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
335 Rijndael appears to be consistently a very good performer in
336 both hardware and software across a wide range of computing
337 environments regardless of its use in feedback or non-feedback
338 modes. Its key setup time is excellent, and its key agility is
339 good. Rijndael's very low memory requirements make it very well
340 suited for restricted-space environments, in which it also
341 demonstrates excellent performance. Rijndael's operations are
342 among the easiest to defend against power and timing attacks.
344 The AES specifies three key sizes: 128, 192 and 256 bits
347 tristate "AES (Advanced Encryption Standard) (fixed time)"
349 select CRYPTO_LIB_AES
351 AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
353 This is a generic implementation of AES that attempts to eliminate
354 data dependent latencies as much as possible without affecting
355 performance too much. It is intended for use by the generic CCM
356 and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
357 solely on encryption (although decryption is supported as well, but
358 with a more dramatic performance hit)
360 Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
361 8 for decryption), this implementation only uses just two S-boxes of
362 256 bytes each, and attempts to eliminate data dependent latencies by
363 prefetching the entire table into the cache at the start of each
364 block. Interrupts are also disabled to avoid races where cachelines
365 are evicted when the CPU is interrupted to do something else.
369 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
372 Anubis cipher algorithm
374 Anubis is a variable key length cipher which can use keys from
375 128 bits to 320 bits in length. It was evaluated as a entrant
376 in the NESSIE competition.
378 See https://web.archive.org/web/20160606112246/http://www.larc.usp.br/~pbarreto/AnubisPage.html
379 for further information.
385 ARIA cipher algorithm (RFC5794)
387 ARIA is a standard encryption algorithm of the Republic of Korea.
388 The ARIA specifies three key sizes and rounds.
394 https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do
396 config CRYPTO_BLOWFISH
399 select CRYPTO_BLOWFISH_COMMON
401 Blowfish cipher algorithm, by Bruce Schneier
403 This is a variable key length cipher which can use keys from 32
404 bits to 448 bits in length. It's fast, simple and specifically
405 designed for use on "large microprocessors".
407 See https://www.schneier.com/blowfish.html for further information.
409 config CRYPTO_BLOWFISH_COMMON
412 Common parts of the Blowfish cipher algorithm shared by the
413 generic c and the assembler implementations.
415 config CRYPTO_CAMELLIA
419 Camellia cipher algorithms (ISO/IEC 18033-3)
421 Camellia is a symmetric key block cipher developed jointly
422 at NTT and Mitsubishi Electric Corporation.
424 The Camellia specifies three key sizes: 128, 192 and 256 bits.
426 See https://info.isl.ntt.co.jp/crypt/eng/camellia/ for further information.
428 config CRYPTO_CAST_COMMON
431 Common parts of the CAST cipher algorithms shared by the
432 generic c and the assembler implementations.
435 tristate "CAST5 (CAST-128)"
437 select CRYPTO_CAST_COMMON
439 CAST5 (CAST-128) cipher algorithm (RFC2144, ISO/IEC 18033-3)
442 tristate "CAST6 (CAST-256)"
444 select CRYPTO_CAST_COMMON
446 CAST6 (CAST-256) encryption algorithm (RFC2612)
449 tristate "DES and Triple DES EDE"
451 select CRYPTO_LIB_DES
453 DES (Data Encryption Standard)(FIPS 46-2, ISO/IEC 18033-3) and
454 Triple DES EDE (Encrypt/Decrypt/Encrypt) (FIPS 46-3, ISO/IEC 18033-3)
460 select CRYPTO_SKCIPHER
462 FCrypt algorithm used by RxRPC
464 See https://ota.polyonymo.us/fcrypt-paper.txt
468 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
471 Khazad cipher algorithm
473 Khazad was a finalist in the initial NESSIE competition. It is
474 an algorithm optimized for 64-bit processors with good performance
475 on 32-bit processors. Khazad uses an 128 bit key size.
477 See https://web.archive.org/web/20171011071731/http://www.larc.usp.br/~pbarreto/KhazadPage.html
478 for further information.
482 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
485 SEED cipher algorithm (RFC4269, ISO/IEC 18033-3)
487 SEED is a 128-bit symmetric key block cipher that has been
488 developed by KISA (Korea Information Security Agency) as a
489 national standard encryption algorithm of the Republic of Korea.
490 It is a 16 round block cipher with the key size of 128 bit.
492 See https://seed.kisa.or.kr/kisa/algorithm/EgovSeedInfo.do
493 for further information.
495 config CRYPTO_SERPENT
499 Serpent cipher algorithm, by Anderson, Biham & Knudsen
501 Keys are allowed to be from 0 to 256 bits in length, in steps
504 See https://www.cl.cam.ac.uk/~rja14/serpent.html for further information.
509 config CRYPTO_SM4_GENERIC
510 tristate "SM4 (ShangMi 4)"
514 SM4 cipher algorithms (OSCCA GB/T 32907-2016,
515 ISO/IEC 18033-3:2010/Amd 1:2021)
517 SM4 (GBT.32907-2016) is a cryptographic standard issued by the
518 Organization of State Commercial Administration of China (OSCCA)
519 as an authorized cryptographic algorithms for the use within China.
521 SMS4 was originally created for use in protecting wireless
522 networks, and is mandated in the Chinese National Standard for
523 Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
526 The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
527 standardized through TC 260 of the Standardization Administration
528 of the People's Republic of China (SAC).
530 The input, output, and key of SMS4 are each 128 bits.
532 See https://eprint.iacr.org/2008/329.pdf for further information.
537 tristate "TEA, XTEA and XETA"
538 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
541 TEA (Tiny Encryption Algorithm) cipher algorithms
543 Tiny Encryption Algorithm is a simple cipher that uses
544 many rounds for security. It is very fast and uses
547 Xtendend Tiny Encryption Algorithm is a modification to
548 the TEA algorithm to address a potential key weakness
549 in the TEA algorithm.
551 Xtendend Encryption Tiny Algorithm is a mis-implementation
552 of the XTEA algorithm for compatibility purposes.
554 config CRYPTO_TWOFISH
557 select CRYPTO_TWOFISH_COMMON
559 Twofish cipher algorithm
561 Twofish was submitted as an AES (Advanced Encryption Standard)
562 candidate cipher by researchers at CounterPane Systems. It is a
563 16 round block cipher supporting key sizes of 128, 192, and 256
566 See https://www.schneier.com/twofish.html for further information.
568 config CRYPTO_TWOFISH_COMMON
571 Common parts of the Twofish cipher algorithm shared by the
572 generic c and the assembler implementations.
576 menu "Length-preserving ciphers and modes"
578 config CRYPTO_ADIANTUM
580 select CRYPTO_CHACHA20
581 select CRYPTO_LIB_POLY1305_GENERIC
582 select CRYPTO_NHPOLY1305
583 select CRYPTO_MANAGER
585 Adiantum tweakable, length-preserving encryption mode
587 Designed for fast and secure disk encryption, especially on
588 CPUs without dedicated crypto instructions. It encrypts
589 each sector using the XChaCha12 stream cipher, two passes of
590 an ε-almost-∆-universal hash function, and an invocation of
591 the AES-256 block cipher on a single 16-byte block. On CPUs
592 without AES instructions, Adiantum is much faster than
595 Adiantum's security is provably reducible to that of its
596 underlying stream and block ciphers, subject to a security
597 bound. Unlike XTS, Adiantum is a true wide-block encryption
598 mode, so it actually provides an even stronger notion of
599 security than XTS, subject to the security bound.
604 tristate "ARC4 (Alleged Rivest Cipher 4)"
605 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
606 select CRYPTO_SKCIPHER
607 select CRYPTO_LIB_ARC4
609 ARC4 cipher algorithm
611 ARC4 is a stream cipher using keys ranging from 8 bits to 2048
612 bits in length. This algorithm is required for driver-based
613 WEP, but it should not be for other purposes because of the
614 weakness of the algorithm.
616 config CRYPTO_CHACHA20
618 select CRYPTO_LIB_CHACHA_GENERIC
619 select CRYPTO_SKCIPHER
621 The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms
623 ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
624 Bernstein and further specified in RFC7539 for use in IETF protocols.
625 This is the portable C implementation of ChaCha20. See
626 https://cr.yp.to/chacha/chacha-20080128.pdf for further information.
628 XChaCha20 is the application of the XSalsa20 construction to ChaCha20
629 rather than to Salsa20. XChaCha20 extends ChaCha20's nonce length
630 from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
631 while provably retaining ChaCha20's security. See
632 https://cr.yp.to/snuffle/xsalsa-20081128.pdf for further information.
634 XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
635 reduced security margin but increased performance. It can be needed
636 in some performance-sensitive scenarios.
639 tristate "CBC (Cipher Block Chaining)"
640 select CRYPTO_SKCIPHER
641 select CRYPTO_MANAGER
643 CBC (Cipher Block Chaining) mode (NIST SP800-38A)
645 This block cipher mode is required for IPSec ESP (XFRM_ESP).
648 tristate "CTR (Counter)"
649 select CRYPTO_SKCIPHER
650 select CRYPTO_MANAGER
652 CTR (Counter) mode (NIST SP800-38A)
655 tristate "CTS (Cipher Text Stealing)"
656 select CRYPTO_SKCIPHER
657 select CRYPTO_MANAGER
659 CBC-CS3 variant of CTS (Cipher Text Stealing) (NIST
660 Addendum to SP800-38A (October 2010))
662 This mode is required for Kerberos gss mechanism support
666 tristate "ECB (Electronic Codebook)"
667 select CRYPTO_SKCIPHER2
668 select CRYPTO_MANAGER
670 ECB (Electronic Codebook) mode (NIST SP800-38A)
675 select CRYPTO_POLYVAL
676 select CRYPTO_MANAGER
678 HCTR2 length-preserving encryption mode
680 A mode for storage encryption that is efficient on processors with
681 instructions to accelerate AES and carryless multiplication, e.g.
682 x86 processors with AES-NI and CLMUL, and ARM processors with the
683 ARMv8 crypto extensions.
685 See https://eprint.iacr.org/2021/1441
688 tristate "LRW (Liskov Rivest Wagner)"
689 select CRYPTO_LIB_GF128MUL
690 select CRYPTO_SKCIPHER
691 select CRYPTO_MANAGER
694 LRW (Liskov Rivest Wagner) mode
696 A tweakable, non malleable, non movable
697 narrow block cipher mode for dm-crypt. Use it with cipher
698 specification string aes-lrw-benbi, the key must be 256, 320 or 384.
699 The first 128, 192 or 256 bits in the key are used for AES and the
700 rest is used to tie each cipher block to its logical position.
702 See https://people.csail.mit.edu/rivest/pubs/LRW02.pdf
705 tristate "PCBC (Propagating Cipher Block Chaining)"
706 select CRYPTO_SKCIPHER
707 select CRYPTO_MANAGER
709 PCBC (Propagating Cipher Block Chaining) mode
711 This block cipher mode is required for RxRPC.
715 select CRYPTO_SKCIPHER
716 select CRYPTO_MANAGER
718 XCTR (XOR Counter) mode for HCTR2
720 This blockcipher mode is a variant of CTR mode using XORs and little-endian
721 addition rather than big-endian arithmetic.
723 XCTR mode is used to implement HCTR2.
726 tristate "XTS (XOR Encrypt XOR with ciphertext stealing)"
727 select CRYPTO_SKCIPHER
728 select CRYPTO_MANAGER
731 XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
734 Use with aes-xts-plain, key size 256, 384 or 512 bits. This
735 implementation currently can't handle a sectorsize which is not a
736 multiple of 16 bytes.
738 config CRYPTO_NHPOLY1305
741 select CRYPTO_LIB_POLY1305_GENERIC
745 menu "AEAD (authenticated encryption with associated data) ciphers"
747 config CRYPTO_AEGIS128
750 select CRYPTO_AES # for AES S-box tables
752 AEGIS-128 AEAD algorithm
754 config CRYPTO_AEGIS128_SIMD
755 bool "AEGIS-128 (arm NEON, arm64 NEON)"
756 depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
759 AEGIS-128 AEAD algorithm
761 Architecture: arm or arm64 using:
762 - NEON (Advanced SIMD) extension
764 config CRYPTO_CHACHA20POLY1305
765 tristate "ChaCha20-Poly1305"
766 select CRYPTO_CHACHA20
767 select CRYPTO_POLY1305
769 select CRYPTO_MANAGER
771 ChaCha20 stream cipher and Poly1305 authenticator combined
775 tristate "CCM (Counter with Cipher Block Chaining-MAC)"
779 select CRYPTO_MANAGER
781 CCM (Counter with Cipher Block Chaining-Message Authentication Code)
782 authenticated encryption mode (NIST SP800-38C)
785 tristate "GCM (Galois/Counter Mode) and GMAC (GCM MAC)"
790 select CRYPTO_MANAGER
792 GCM (Galois/Counter Mode) authenticated encryption mode and GMAC
793 (GCM Message Authentication Code) (NIST SP800-38D)
795 This is required for IPSec ESP (XFRM_ESP).
801 select CRYPTO_MANAGER
802 select CRYPTO_RNG_DEFAULT
805 tristate "Sequence Number IV Generator"
808 Sequence Number IV generator
810 This IV generator generates an IV based on a sequence number by
811 xoring it with a salt. This algorithm is mainly useful for CTR.
813 This is required for IPsec ESP (XFRM_ESP).
815 config CRYPTO_ECHAINIV
816 tristate "Encrypted Chain IV Generator"
819 Encrypted Chain IV generator
821 This IV generator generates an IV based on the encryption of
822 a sequence number xored with a salt. This is the default
826 tristate "Encrypted Salt-Sector IV Generator"
827 select CRYPTO_AUTHENC
829 Encrypted Salt-Sector IV generator
831 This IV generator is used in some cases by fscrypt and/or
832 dm-crypt. It uses the hash of the block encryption key as the
833 symmetric key for a block encryption pass applied to the input
834 IV, making low entropy IV sources more suitable for block
837 This driver implements a crypto API template that can be
838 instantiated either as an skcipher or as an AEAD (depending on the
839 type of the first template argument), and which defers encryption
840 and decryption requests to the encapsulated cipher after applying
841 ESSIV to the input IV. Note that in the AEAD case, it is assumed
842 that the keys are presented in the same format used by the authenc
843 template, and that the IV appears at the end of the authenticated
844 associated data (AAD) region (which is how dm-crypt uses it.)
846 Note that the use of ESSIV is not recommended for new deployments,
847 and so this only needs to be enabled when interoperability with
848 existing encrypted volumes of filesystems is required, or when
849 building for a particular system that requires it (e.g., when
850 the SoC in question has accelerated CBC but not XTS, making CBC
851 combined with ESSIV the only feasible mode for h/w accelerated
856 menu "Hashes, digests, and MACs"
858 config CRYPTO_BLAKE2B
862 BLAKE2b cryptographic hash function (RFC 7693)
864 BLAKE2b is optimized for 64-bit platforms and can produce digests
865 of any size between 1 and 64 bytes. The keyed hash is also implemented.
867 This module provides the following algorithms:
873 Used by the btrfs filesystem.
875 See https://blake2.net for further information.
878 tristate "CMAC (Cipher-based MAC)"
880 select CRYPTO_MANAGER
882 CMAC (Cipher-based Message Authentication Code) authentication
883 mode (NIST SP800-38B and IETF RFC4493)
888 select CRYPTO_LIB_GF128MUL
890 GCM GHASH function (NIST SP800-38D)
893 tristate "HMAC (Keyed-Hash MAC)"
895 select CRYPTO_MANAGER
897 HMAC (Keyed-Hash Message Authentication Code) (FIPS 198 and
900 This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
906 MD4 message digest algorithm (RFC1320)
912 MD5 message digest algorithm (RFC1321)
914 config CRYPTO_MICHAEL_MIC
915 tristate "Michael MIC"
918 Michael MIC (Message Integrity Code) (IEEE 802.11i)
920 Defined by the IEEE 802.11i TKIP (Temporal Key Integrity Protocol),
921 known as WPA (Wif-Fi Protected Access).
923 This algorithm is required for TKIP, but it should not be used for
924 other purposes because of the weakness of the algorithm.
926 config CRYPTO_POLYVAL
929 select CRYPTO_LIB_GF128MUL
931 POLYVAL hash function for HCTR2
933 This is used in HCTR2. It is not a general-purpose
934 cryptographic hash function.
936 config CRYPTO_POLY1305
939 select CRYPTO_LIB_POLY1305_GENERIC
941 Poly1305 authenticator algorithm (RFC7539)
943 Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
944 It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
945 in IETF protocols. This is the portable C implementation of Poly1305.
948 tristate "RIPEMD-160"
951 RIPEMD-160 hash function (ISO/IEC 10118-3)
953 RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
954 to be used as a secure replacement for the 128-bit hash functions
955 MD4, MD5 and its predecessor RIPEMD
956 (not to be confused with RIPEMD-128).
958 Its speed is comparable to SHA-1 and there are no known attacks
961 Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
962 See https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
963 for further information.
968 select CRYPTO_LIB_SHA1
970 SHA-1 secure hash algorithm (FIPS 180, ISO/IEC 10118-3)
973 tristate "SHA-224 and SHA-256"
975 select CRYPTO_LIB_SHA256
977 SHA-224 and SHA-256 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
979 This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
980 Used by the btrfs filesystem, Ceph, NFS, and SMB.
983 tristate "SHA-384 and SHA-512"
986 SHA-384 and SHA-512 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
992 SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3)
997 config CRYPTO_SM3_GENERIC
998 tristate "SM3 (ShangMi 3)"
1002 SM3 (ShangMi 3) secure hash function (OSCCA GM/T 0004-2012, ISO/IEC 10118-3)
1004 This is part of the Chinese Commercial Cryptography suite.
1007 http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
1008 https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
1010 config CRYPTO_STREEBOG
1014 Streebog Hash Function (GOST R 34.11-2012, RFC 6986, ISO/IEC 10118-3)
1016 This is one of the Russian cryptographic standard algorithms (called
1017 GOST algorithms). This setting enables two hash algorithms with
1018 256 and 512 bits output.
1021 https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1022 https://tools.ietf.org/html/rfc6986
1025 tristate "Whirlpool"
1028 Whirlpool hash function (ISO/IEC 10118-3)
1030 512, 384 and 256-bit hashes.
1032 Whirlpool-512 is part of the NESSIE cryptographic primitives.
1034 See https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
1035 for further information.
1038 tristate "XCBC-MAC (Extended Cipher Block Chaining MAC)"
1040 select CRYPTO_MANAGER
1042 XCBC-MAC (Extended Cipher Block Chaining Message Authentication
1045 config CRYPTO_XXHASH
1050 xxHash non-cryptographic hash algorithm
1052 Extremely fast, working at speeds close to RAM limits.
1054 Used by the btrfs filesystem.
1058 menu "CRCs (cyclic redundancy checks)"
1060 config CRYPTO_CRC32C
1065 CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720)
1067 A 32-bit CRC (cyclic redundancy check) with a polynomial defined
1068 by G. Castagnoli, S. Braeuer and M. Herrman in "Optimization of Cyclic
1069 Redundancy-Check Codes with 24 and 32 Parity Bits", IEEE Transactions
1070 on Communications, Vol. 41, No. 6, June 1993, selected for use with
1073 Used by btrfs, ext4, jbd2, NVMeoF/TCP, and iSCSI.
1080 CRC32 CRC algorithm (IEEE 802.3)
1082 Used by RoCEv2 and f2fs.
1084 config CRYPTO_CRCT10DIF
1085 tristate "CRCT10DIF"
1089 CRC16 CRC algorithm used for the T10 (SCSI) Data Integrity Field (DIF)
1091 CRC algorithm used by the SCSI Block Commands standard.
1093 config CRYPTO_CRC64_ROCKSOFT
1094 tristate "CRC64 based on Rocksoft Model algorithm"
1098 CRC64 CRC algorithm based on the Rocksoft Model CRC Algorithm
1100 Used by the NVMe implementation of T10 DIF (BLK_DEV_INTEGRITY)
1102 See https://zlib.net/crc_v3.txt
1108 config CRYPTO_DEFLATE
1110 select CRYPTO_ALGAPI
1111 select CRYPTO_ACOMP2
1115 Deflate compression algorithm (RFC1951)
1117 Used by IPSec with the IPCOMP protocol (RFC3173, RFC2394)
1121 select CRYPTO_ALGAPI
1122 select CRYPTO_ACOMP2
1124 select LZO_DECOMPRESS
1126 LZO compression algorithm
1128 See https://www.oberhumer.com/opensource/lzo/ for further information.
1132 select CRYPTO_ALGAPI
1133 select CRYPTO_ACOMP2
1135 select 842_DECOMPRESS
1137 842 compression algorithm by IBM
1139 See https://github.com/plauth/lib842 for further information.
1143 select CRYPTO_ALGAPI
1144 select CRYPTO_ACOMP2
1146 select LZ4_DECOMPRESS
1148 LZ4 compression algorithm
1150 See https://github.com/lz4/lz4 for further information.
1154 select CRYPTO_ALGAPI
1155 select CRYPTO_ACOMP2
1156 select LZ4HC_COMPRESS
1157 select LZ4_DECOMPRESS
1159 LZ4 high compression mode algorithm
1161 See https://github.com/lz4/lz4 for further information.
1165 select CRYPTO_ALGAPI
1166 select CRYPTO_ACOMP2
1167 select ZSTD_COMPRESS
1168 select ZSTD_DECOMPRESS
1170 zstd compression algorithm
1172 See https://github.com/facebook/zstd for further information.
1176 menu "Random number generation"
1178 config CRYPTO_ANSI_CPRNG
1179 tristate "ANSI PRNG (Pseudo Random Number Generator)"
1183 Pseudo RNG (random number generator) (ANSI X9.31 Appendix A.2.4)
1185 This uses the AES cipher algorithm.
1187 Note that this option must be enabled if CRYPTO_FIPS is selected
1189 menuconfig CRYPTO_DRBG_MENU
1190 tristate "NIST SP800-90A DRBG (Deterministic Random Bit Generator)"
1192 DRBG (Deterministic Random Bit Generator) (NIST SP800-90A)
1194 In the following submenu, one or more of the DRBG types must be selected.
1198 config CRYPTO_DRBG_HMAC
1202 select CRYPTO_SHA512
1204 config CRYPTO_DRBG_HASH
1206 select CRYPTO_SHA256
1208 Hash_DRBG variant as defined in NIST SP800-90A.
1210 This uses the SHA-1, SHA-256, SHA-384, or SHA-512 hash algorithms.
1212 config CRYPTO_DRBG_CTR
1217 CTR_DRBG variant as defined in NIST SP800-90A.
1219 This uses the AES cipher algorithm with the counter block mode.
1223 default CRYPTO_DRBG_MENU
1225 select CRYPTO_JITTERENTROPY
1227 endif # if CRYPTO_DRBG_MENU
1229 config CRYPTO_JITTERENTROPY
1230 tristate "CPU Jitter Non-Deterministic RNG (Random Number Generator)"
1234 CPU Jitter RNG (Random Number Generator) from the Jitterentropy library
1236 A non-physical non-deterministic ("true") RNG (e.g., an entropy source
1237 compliant with NIST SP800-90B) intended to provide a seed to a
1238 deterministic RNG (e.g., per NIST SP800-90C).
1239 This RNG does not perform any cryptographic whitening of the generated
1242 See https://www.chronox.de/jent/
1244 if CRYPTO_JITTERENTROPY
1245 if CRYPTO_FIPS && EXPERT
1248 prompt "CPU Jitter RNG Memory Size"
1249 default CRYPTO_JITTERENTROPY_MEMSIZE_2
1251 The Jitter RNG measures the execution time of memory accesses.
1252 Multiple consecutive memory accesses are performed. If the memory
1253 size fits into a cache (e.g. L1), only the memory access timing
1254 to that cache is measured. The closer the cache is to the CPU
1255 the less variations are measured and thus the less entropy is
1256 obtained. Thus, if the memory size fits into the L1 cache, the
1257 obtained entropy is less than if the memory size fits within
1258 L1 + L2, which in turn is less if the memory fits into
1259 L1 + L2 + L3. Thus, by selecting a different memory size,
1260 the entropy rate produced by the Jitter RNG can be modified.
1262 config CRYPTO_JITTERENTROPY_MEMSIZE_2
1263 bool "2048 Bytes (default)"
1265 config CRYPTO_JITTERENTROPY_MEMSIZE_128
1268 config CRYPTO_JITTERENTROPY_MEMSIZE_1024
1271 config CRYPTO_JITTERENTROPY_MEMSIZE_8192
1275 config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
1277 default 64 if CRYPTO_JITTERENTROPY_MEMSIZE_2
1278 default 512 if CRYPTO_JITTERENTROPY_MEMSIZE_128
1279 default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
1280 default 4096 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
1282 config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
1284 default 32 if CRYPTO_JITTERENTROPY_MEMSIZE_2
1285 default 256 if CRYPTO_JITTERENTROPY_MEMSIZE_128
1286 default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
1287 default 2048 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
1289 config CRYPTO_JITTERENTROPY_OSR
1290 int "CPU Jitter RNG Oversampling Rate"
1294 The Jitter RNG allows the specification of an oversampling rate (OSR).
1295 The Jitter RNG operation requires a fixed amount of timing
1296 measurements to produce one output block of random numbers. The
1297 OSR value is multiplied with the amount of timing measurements to
1298 generate one output block. Thus, the timing measurement is oversampled
1299 by the OSR factor. The oversampling allows the Jitter RNG to operate
1300 on hardware whose timers deliver limited amount of entropy (e.g.
1301 the timer is coarse) by setting the OSR to a higher value. The
1302 trade-off, however, is that the Jitter RNG now requires more time
1303 to generate random numbers.
1305 config CRYPTO_JITTERENTROPY_TESTINTERFACE
1306 bool "CPU Jitter RNG Test Interface"
1308 The test interface allows a privileged process to capture
1309 the raw unconditioned high resolution time stamp noise that
1310 is collected by the Jitter RNG for statistical analysis. As
1311 this data is used at the same time to generate random bits,
1312 the Jitter RNG operates in an insecure mode as long as the
1313 recording is enabled. This interface therefore is only
1314 intended for testing purposes and is not suitable for
1317 The raw noise data can be obtained using the jent_raw_hires
1318 debugfs file. Using the option
1319 jitterentropy_testing.boot_raw_hires_test=1 the raw noise of
1320 the first 1000 entropy events since boot can be sampled.
1322 If unsure, select N.
1324 endif # if CRYPTO_FIPS && EXPERT
1326 if !(CRYPTO_FIPS && EXPERT)
1328 config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
1332 config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
1336 config CRYPTO_JITTERENTROPY_OSR
1340 config CRYPTO_JITTERENTROPY_TESTINTERFACE
1343 endif # if !(CRYPTO_FIPS && EXPERT)
1344 endif # if CRYPTO_JITTERENTROPY
1346 config CRYPTO_KDF800108_CTR
1349 select CRYPTO_SHA256
1352 menu "Userspace interface"
1354 config CRYPTO_USER_API
1357 config CRYPTO_USER_API_HASH
1358 tristate "Hash algorithms"
1361 select CRYPTO_USER_API
1363 Enable the userspace interface for hash algorithms.
1365 See Documentation/crypto/userspace-if.rst and
1366 https://www.chronox.de/libkcapi/html/index.html
1368 config CRYPTO_USER_API_SKCIPHER
1369 tristate "Symmetric key cipher algorithms"
1371 select CRYPTO_SKCIPHER
1372 select CRYPTO_USER_API
1374 Enable the userspace interface for symmetric key cipher algorithms.
1376 See Documentation/crypto/userspace-if.rst and
1377 https://www.chronox.de/libkcapi/html/index.html
1379 config CRYPTO_USER_API_RNG
1380 tristate "RNG (random number generator) algorithms"
1383 select CRYPTO_USER_API
1385 Enable the userspace interface for RNG (random number generator)
1388 See Documentation/crypto/userspace-if.rst and
1389 https://www.chronox.de/libkcapi/html/index.html
1391 config CRYPTO_USER_API_RNG_CAVP
1392 bool "Enable CAVP testing of DRBG"
1393 depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
1395 Enable extra APIs in the userspace interface for NIST CAVP
1396 (Cryptographic Algorithm Validation Program) testing:
1397 - resetting DRBG entropy
1398 - providing Additional Data
1400 This should only be enabled for CAVP testing. You should say
1401 no unless you know what this is.
1403 config CRYPTO_USER_API_AEAD
1404 tristate "AEAD cipher algorithms"
1407 select CRYPTO_SKCIPHER
1409 select CRYPTO_USER_API
1411 Enable the userspace interface for AEAD cipher algorithms.
1413 See Documentation/crypto/userspace-if.rst and
1414 https://www.chronox.de/libkcapi/html/index.html
1416 config CRYPTO_USER_API_ENABLE_OBSOLETE
1417 bool "Obsolete cryptographic algorithms"
1418 depends on CRYPTO_USER_API
1421 Allow obsolete cryptographic algorithms to be selected that have
1422 already been phased out from internal use by the kernel, and are
1423 only useful for userspace clients that still rely on them.
1427 config CRYPTO_HASH_INFO
1430 if !KMSAN # avoid false positives from assembly
1432 source "arch/arm/crypto/Kconfig"
1435 source "arch/arm64/crypto/Kconfig"
1438 source "arch/loongarch/crypto/Kconfig"
1441 source "arch/mips/crypto/Kconfig"
1444 source "arch/powerpc/crypto/Kconfig"
1447 source "arch/riscv/crypto/Kconfig"
1450 source "arch/s390/crypto/Kconfig"
1453 source "arch/sparc/crypto/Kconfig"
1456 source "arch/x86/crypto/Kconfig"
1460 source "drivers/crypto/Kconfig"
1461 source "crypto/asymmetric_keys/Kconfig"
1462 source "certs/Kconfig"
projects / linux.git / blob