linux/crypto/Kconfig
<<
>>
Prefs
   1# SPDX-License-Identifier: GPL-2.0
   2#
   3# Generic algorithms support
   4#
   5config XOR_BLOCKS
   6        tristate
   7
   8#
   9# async_tx api: hardware offloaded memory transfer/transform support
  10#
  11source "crypto/async_tx/Kconfig"
  12
  13#
  14# Cryptographic API Configuration
  15#
  16menuconfig CRYPTO
  17        tristate "Cryptographic API"
  18        help
  19          This option provides the core Cryptographic API.
  20
  21if CRYPTO
  22
  23comment "Crypto core or helper"
  24
  25config CRYPTO_FIPS
  26        bool "FIPS 200 compliance"
  27        depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
  28        depends on (MODULE_SIG || !MODULES)
  29        help
  30          This option enables the fips boot option which is
  31          required if you want the system to operate in a FIPS 200
  32          certification.  You should say no unless you know what
  33          this is.
  34
  35config CRYPTO_ALGAPI
  36        tristate
  37        select CRYPTO_ALGAPI2
  38        help
  39          This option provides the API for cryptographic algorithms.
  40
  41config CRYPTO_ALGAPI2
  42        tristate
  43
  44config CRYPTO_AEAD
  45        tristate
  46        select CRYPTO_AEAD2
  47        select CRYPTO_ALGAPI
  48
  49config CRYPTO_AEAD2
  50        tristate
  51        select CRYPTO_ALGAPI2
  52        select CRYPTO_NULL2
  53        select CRYPTO_RNG2
  54
  55config CRYPTO_BLKCIPHER
  56        tristate
  57        select CRYPTO_BLKCIPHER2
  58        select CRYPTO_ALGAPI
  59
  60config CRYPTO_BLKCIPHER2
  61        tristate
  62        select CRYPTO_ALGAPI2
  63        select CRYPTO_RNG2
  64
  65config CRYPTO_HASH
  66        tristate
  67        select CRYPTO_HASH2
  68        select CRYPTO_ALGAPI
  69
  70config CRYPTO_HASH2
  71        tristate
  72        select CRYPTO_ALGAPI2
  73
  74config CRYPTO_RNG
  75        tristate
  76        select CRYPTO_RNG2
  77        select CRYPTO_ALGAPI
  78
  79config CRYPTO_RNG2
  80        tristate
  81        select CRYPTO_ALGAPI2
  82
  83config CRYPTO_RNG_DEFAULT
  84        tristate
  85        select CRYPTO_DRBG_MENU
  86
  87config CRYPTO_AKCIPHER2
  88        tristate
  89        select CRYPTO_ALGAPI2
  90
  91config CRYPTO_AKCIPHER
  92        tristate
  93        select CRYPTO_AKCIPHER2
  94        select CRYPTO_ALGAPI
  95
  96config CRYPTO_KPP2
  97        tristate
  98        select CRYPTO_ALGAPI2
  99
 100config CRYPTO_KPP
 101        tristate
 102        select CRYPTO_ALGAPI
 103        select CRYPTO_KPP2
 104
 105config CRYPTO_ACOMP2
 106        tristate
 107        select CRYPTO_ALGAPI2
 108        select SGL_ALLOC
 109
 110config CRYPTO_ACOMP
 111        tristate
 112        select CRYPTO_ALGAPI
 113        select CRYPTO_ACOMP2
 114
 115config CRYPTO_MANAGER
 116        tristate "Cryptographic algorithm manager"
 117        select CRYPTO_MANAGER2
 118        help
 119          Create default cryptographic template instantiations such as
 120          cbc(aes).
 121
 122config CRYPTO_MANAGER2
 123        def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
 124        select CRYPTO_AEAD2
 125        select CRYPTO_HASH2
 126        select CRYPTO_BLKCIPHER2
 127        select CRYPTO_AKCIPHER2
 128        select CRYPTO_KPP2
 129        select CRYPTO_ACOMP2
 130
 131config CRYPTO_USER
 132        tristate "Userspace cryptographic algorithm configuration"
 133        depends on NET
 134        select CRYPTO_MANAGER
 135        help
 136          Userspace configuration for cryptographic instantiations such as
 137          cbc(aes).
 138
 139if CRYPTO_MANAGER2
 140
 141config CRYPTO_MANAGER_DISABLE_TESTS
 142        bool "Disable run-time self tests"
 143        default y
 144        help
 145          Disable run-time self tests that normally take place at
 146          algorithm registration.
 147
 148config CRYPTO_MANAGER_EXTRA_TESTS
 149        bool "Enable extra run-time crypto self tests"
 150        depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS
 151        help
 152          Enable extra run-time self tests of registered crypto algorithms,
 153          including randomized fuzz tests.
 154
 155          This is intended for developer use only, as these tests take much
 156          longer to run than the normal self tests.
 157
 158endif   # if CRYPTO_MANAGER2
 159
 160config CRYPTO_GF128MUL
 161        tristate
 162
 163config CRYPTO_NULL
 164        tristate "Null algorithms"
 165        select CRYPTO_NULL2
 166        help
 167          These are 'Null' algorithms, used by IPsec, which do nothing.
 168
 169config CRYPTO_NULL2
 170        tristate
 171        select CRYPTO_ALGAPI2
 172        select CRYPTO_BLKCIPHER2
 173        select CRYPTO_HASH2
 174
 175config CRYPTO_PCRYPT
 176        tristate "Parallel crypto engine"
 177        depends on SMP
 178        select PADATA
 179        select CRYPTO_MANAGER
 180        select CRYPTO_AEAD
 181        help
 182          This converts an arbitrary crypto algorithm into a parallel
 183          algorithm that executes in kernel threads.
 184
 185config CRYPTO_CRYPTD
 186        tristate "Software async crypto daemon"
 187        select CRYPTO_BLKCIPHER
 188        select CRYPTO_HASH
 189        select CRYPTO_MANAGER
 190        help
 191          This is a generic software asynchronous crypto daemon that
 192          converts an arbitrary synchronous software crypto algorithm
 193          into an asynchronous algorithm that executes in a kernel thread.
 194
 195config CRYPTO_AUTHENC
 196        tristate "Authenc support"
 197        select CRYPTO_AEAD
 198        select CRYPTO_BLKCIPHER
 199        select CRYPTO_MANAGER
 200        select CRYPTO_HASH
 201        select CRYPTO_NULL
 202        help
 203          Authenc: Combined mode wrapper for IPsec.
 204          This is required for IPSec.
 205
 206config CRYPTO_TEST
 207        tristate "Testing module"
 208        depends on m
 209        select CRYPTO_MANAGER
 210        help
 211          Quick & dirty crypto test module.
 212
 213config CRYPTO_SIMD
 214        tristate
 215        select CRYPTO_CRYPTD
 216
 217config CRYPTO_GLUE_HELPER_X86
 218        tristate
 219        depends on X86
 220        select CRYPTO_BLKCIPHER
 221
 222config CRYPTO_ENGINE
 223        tristate
 224
 225comment "Public-key cryptography"
 226
 227config CRYPTO_RSA
 228        tristate "RSA algorithm"
 229        select CRYPTO_AKCIPHER
 230        select CRYPTO_MANAGER
 231        select MPILIB
 232        select ASN1
 233        help
 234          Generic implementation of the RSA public key algorithm.
 235
 236config CRYPTO_DH
 237        tristate "Diffie-Hellman algorithm"
 238        select CRYPTO_KPP
 239        select MPILIB
 240        help
 241          Generic implementation of the Diffie-Hellman algorithm.
 242
 243config CRYPTO_ECC
 244        tristate
 245
 246config CRYPTO_ECDH
 247        tristate "ECDH algorithm"
 248        select CRYPTO_ECC
 249        select CRYPTO_KPP
 250        select CRYPTO_RNG_DEFAULT
 251        help
 252          Generic implementation of the ECDH algorithm
 253
 254config CRYPTO_ECRDSA
 255        tristate "EC-RDSA (GOST 34.10) algorithm"
 256        select CRYPTO_ECC
 257        select CRYPTO_AKCIPHER
 258        select CRYPTO_STREEBOG
 259        select OID_REGISTRY
 260        select ASN1
 261        help
 262          Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
 263          RFC 7091, ISO/IEC 14888-3:2018) is one of the Russian cryptographic
 264          standard algorithms (called GOST algorithms). Only signature verification
 265          is implemented.
 266
 267comment "Authenticated Encryption with Associated Data"
 268
 269config CRYPTO_CCM
 270        tristate "CCM support"
 271        select CRYPTO_CTR
 272        select CRYPTO_HASH
 273        select CRYPTO_AEAD
 274        select CRYPTO_MANAGER
 275        help
 276          Support for Counter with CBC MAC. Required for IPsec.
 277
 278config CRYPTO_GCM
 279        tristate "GCM/GMAC support"
 280        select CRYPTO_CTR
 281        select CRYPTO_AEAD
 282        select CRYPTO_GHASH
 283        select CRYPTO_NULL
 284        select CRYPTO_MANAGER
 285        help
 286          Support for Galois/Counter Mode (GCM) and Galois Message
 287          Authentication Code (GMAC). Required for IPSec.
 288
 289config CRYPTO_CHACHA20POLY1305
 290        tristate "ChaCha20-Poly1305 AEAD support"
 291        select CRYPTO_CHACHA20
 292        select CRYPTO_POLY1305
 293        select CRYPTO_AEAD
 294        select CRYPTO_MANAGER
 295        help
 296          ChaCha20-Poly1305 AEAD support, RFC7539.
 297
 298          Support for the AEAD wrapper using the ChaCha20 stream cipher combined
 299          with the Poly1305 authenticator. It is defined in RFC7539 for use in
 300          IETF protocols.
 301
 302config CRYPTO_AEGIS128
 303        tristate "AEGIS-128 AEAD algorithm"
 304        select CRYPTO_AEAD
 305        select CRYPTO_AES  # for AES S-box tables
 306        help
 307         Support for the AEGIS-128 dedicated AEAD algorithm.
 308
 309config CRYPTO_AEGIS128_SIMD
 310        bool "Support SIMD acceleration for AEGIS-128"
 311        depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
 312        default y
 313
 314config CRYPTO_AEGIS128_AESNI_SSE2
 315        tristate "AEGIS-128 AEAD algorithm (x86_64 AESNI+SSE2 implementation)"
 316        depends on X86 && 64BIT
 317        select CRYPTO_AEAD
 318        select CRYPTO_SIMD
 319        help
 320         AESNI+SSE2 implementation of the AEGIS-128 dedicated AEAD algorithm.
 321
 322config CRYPTO_SEQIV
 323        tristate "Sequence Number IV Generator"
 324        select CRYPTO_AEAD
 325        select CRYPTO_BLKCIPHER
 326        select CRYPTO_NULL
 327        select CRYPTO_RNG_DEFAULT
 328        select CRYPTO_MANAGER
 329        help
 330          This IV generator generates an IV based on a sequence number by
 331          xoring it with a salt.  This algorithm is mainly useful for CTR
 332
 333config CRYPTO_ECHAINIV
 334        tristate "Encrypted Chain IV Generator"
 335        select CRYPTO_AEAD
 336        select CRYPTO_NULL
 337        select CRYPTO_RNG_DEFAULT
 338        select CRYPTO_MANAGER
 339        help
 340          This IV generator generates an IV based on the encryption of
 341          a sequence number xored with a salt.  This is the default
 342          algorithm for CBC.
 343
 344comment "Block modes"
 345
 346config CRYPTO_CBC
 347        tristate "CBC support"
 348        select CRYPTO_BLKCIPHER
 349        select CRYPTO_MANAGER
 350        help
 351          CBC: Cipher Block Chaining mode
 352          This block cipher algorithm is required for IPSec.
 353
 354config CRYPTO_CFB
 355        tristate "CFB support"
 356        select CRYPTO_BLKCIPHER
 357        select CRYPTO_MANAGER
 358        help
 359          CFB: Cipher FeedBack mode
 360          This block cipher algorithm is required for TPM2 Cryptography.
 361
 362config CRYPTO_CTR
 363        tristate "CTR support"
 364        select CRYPTO_BLKCIPHER
 365        select CRYPTO_SEQIV
 366        select CRYPTO_MANAGER
 367        help
 368          CTR: Counter mode
 369          This block cipher algorithm is required for IPSec.
 370
 371config CRYPTO_CTS
 372        tristate "CTS support"
 373        select CRYPTO_BLKCIPHER
 374        select CRYPTO_MANAGER
 375        help
 376          CTS: Cipher Text Stealing
 377          This is the Cipher Text Stealing mode as described by
 378          Section 8 of rfc2040 and referenced by rfc3962
 379          (rfc3962 includes errata information in its Appendix A) or
 380          CBC-CS3 as defined by NIST in Sp800-38A addendum from Oct 2010.
 381          This mode is required for Kerberos gss mechanism support
 382          for AES encryption.
 383
 384          See: https://csrc.nist.gov/publications/detail/sp/800-38a/addendum/final
 385
 386config CRYPTO_ECB
 387        tristate "ECB support"
 388        select CRYPTO_BLKCIPHER
 389        select CRYPTO_MANAGER
 390        help
 391          ECB: Electronic CodeBook mode
 392          This is the simplest block cipher algorithm.  It simply encrypts
 393          the input block by block.
 394
 395config CRYPTO_LRW
 396        tristate "LRW support"
 397        select CRYPTO_BLKCIPHER
 398        select CRYPTO_MANAGER
 399        select CRYPTO_GF128MUL
 400        help
 401          LRW: Liskov Rivest Wagner, a tweakable, non malleable, non movable
 402          narrow block cipher mode for dm-crypt.  Use it with cipher
 403          specification string aes-lrw-benbi, the key must be 256, 320 or 384.
 404          The first 128, 192 or 256 bits in the key are used for AES and the
 405          rest is used to tie each cipher block to its logical position.
 406
 407config CRYPTO_OFB
 408        tristate "OFB support"
 409        select CRYPTO_BLKCIPHER
 410        select CRYPTO_MANAGER
 411        help
 412          OFB: the Output Feedback mode makes a block cipher into a synchronous
 413          stream cipher. It generates keystream blocks, which are then XORed
 414          with the plaintext blocks to get the ciphertext. Flipping a bit in the
 415          ciphertext produces a flipped bit in the plaintext at the same
 416          location. This property allows many error correcting codes to function
 417          normally even when applied before encryption.
 418
 419config CRYPTO_PCBC
 420        tristate "PCBC support"
 421        select CRYPTO_BLKCIPHER
 422        select CRYPTO_MANAGER
 423        help
 424          PCBC: Propagating Cipher Block Chaining mode
 425          This block cipher algorithm is required for RxRPC.
 426
 427config CRYPTO_XTS
 428        tristate "XTS support"
 429        select CRYPTO_BLKCIPHER
 430        select CRYPTO_MANAGER
 431        select CRYPTO_ECB
 432        help
 433          XTS: IEEE1619/D16 narrow block cipher use with aes-xts-plain,
 434          key size 256, 384 or 512 bits. This implementation currently
 435          can't handle a sectorsize which is not a multiple of 16 bytes.
 436
 437config CRYPTO_KEYWRAP
 438        tristate "Key wrapping support"
 439        select CRYPTO_BLKCIPHER
 440        select CRYPTO_MANAGER
 441        help
 442          Support for key wrapping (NIST SP800-38F / RFC3394) without
 443          padding.
 444
 445config CRYPTO_NHPOLY1305
 446        tristate
 447        select CRYPTO_HASH
 448        select CRYPTO_POLY1305
 449
 450config CRYPTO_NHPOLY1305_SSE2
 451        tristate "NHPoly1305 hash function (x86_64 SSE2 implementation)"
 452        depends on X86 && 64BIT
 453        select CRYPTO_NHPOLY1305
 454        help
 455          SSE2 optimized implementation of the hash function used by the
 456          Adiantum encryption mode.
 457
 458config CRYPTO_NHPOLY1305_AVX2
 459        tristate "NHPoly1305 hash function (x86_64 AVX2 implementation)"
 460        depends on X86 && 64BIT
 461        select CRYPTO_NHPOLY1305
 462        help
 463          AVX2 optimized implementation of the hash function used by the
 464          Adiantum encryption mode.
 465
 466config CRYPTO_ADIANTUM
 467        tristate "Adiantum support"
 468        select CRYPTO_CHACHA20
 469        select CRYPTO_POLY1305
 470        select CRYPTO_NHPOLY1305
 471        select CRYPTO_MANAGER
 472        help
 473          Adiantum is a tweakable, length-preserving encryption mode
 474          designed for fast and secure disk encryption, especially on
 475          CPUs without dedicated crypto instructions.  It encrypts
 476          each sector using the XChaCha12 stream cipher, two passes of
 477          an ε-almost-∆-universal hash function, and an invocation of
 478          the AES-256 block cipher on a single 16-byte block.  On CPUs
 479          without AES instructions, Adiantum is much faster than
 480          AES-XTS.
 481
 482          Adiantum's security is provably reducible to that of its
 483          underlying stream and block ciphers, subject to a security
 484          bound.  Unlike XTS, Adiantum is a true wide-block encryption
 485          mode, so it actually provides an even stronger notion of
 486          security than XTS, subject to the security bound.
 487
 488          If unsure, say N.
 489
 490config CRYPTO_ESSIV
 491        tristate "ESSIV support for block encryption"
 492        select CRYPTO_AUTHENC
 493        help
 494          Encrypted salt-sector initialization vector (ESSIV) is an IV
 495          generation method that is used in some cases by fscrypt and/or
 496          dm-crypt. It uses the hash of the block encryption key as the
 497          symmetric key for a block encryption pass applied to the input
 498          IV, making low entropy IV sources more suitable for block
 499          encryption.
 500
 501          This driver implements a crypto API template that can be
 502          instantiated either as a skcipher or as a aead (depending on the
 503          type of the first template argument), and which defers encryption
 504          and decryption requests to the encapsulated cipher after applying
 505          ESSIV to the input IV. Note that in the aead case, it is assumed
 506          that the keys are presented in the same format used by the authenc
 507          template, and that the IV appears at the end of the authenticated
 508          associated data (AAD) region (which is how dm-crypt uses it.)
 509
 510          Note that the use of ESSIV is not recommended for new deployments,
 511          and so this only needs to be enabled when interoperability with
 512          existing encrypted volumes of filesystems is required, or when
 513          building for a particular system that requires it (e.g., when
 514          the SoC in question has accelerated CBC but not XTS, making CBC
 515          combined with ESSIV the only feasible mode for h/w accelerated
 516          block encryption)
 517
 518comment "Hash modes"
 519
 520config CRYPTO_CMAC
 521        tristate "CMAC support"
 522        select CRYPTO_HASH
 523        select CRYPTO_MANAGER
 524        help
 525          Cipher-based Message Authentication Code (CMAC) specified by
 526          The National Institute of Standards and Technology (NIST).
 527
 528          https://tools.ietf.org/html/rfc4493
 529          http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf
 530
 531config CRYPTO_HMAC
 532        tristate "HMAC support"
 533        select CRYPTO_HASH
 534        select CRYPTO_MANAGER
 535        help
 536          HMAC: Keyed-Hashing for Message Authentication (RFC2104).
 537          This is required for IPSec.
 538
 539config CRYPTO_XCBC
 540        tristate "XCBC support"
 541        select CRYPTO_HASH
 542        select CRYPTO_MANAGER
 543        help
 544          XCBC: Keyed-Hashing with encryption algorithm
 545                http://www.ietf.org/rfc/rfc3566.txt
 546                http://csrc.nist.gov/encryption/modes/proposedmodes/
 547                 xcbc-mac/xcbc-mac-spec.pdf
 548
 549config CRYPTO_VMAC
 550        tristate "VMAC support"
 551        select CRYPTO_HASH
 552        select CRYPTO_MANAGER
 553        help
 554          VMAC is a message authentication algorithm designed for
 555          very high speed on 64-bit architectures.
 556
 557          See also:
 558          <http://fastcrypto.org/vmac>
 559
 560comment "Digest"
 561
 562config CRYPTO_CRC32C
 563        tristate "CRC32c CRC algorithm"
 564        select CRYPTO_HASH
 565        select CRC32
 566        help
 567          Castagnoli, et al Cyclic Redundancy-Check Algorithm.  Used
 568          by iSCSI for header and data digests and by others.
 569          See Castagnoli93.  Module will be crc32c.
 570
 571config CRYPTO_CRC32C_INTEL
 572        tristate "CRC32c INTEL hardware acceleration"
 573        depends on X86
 574        select CRYPTO_HASH
 575        help
 576          In Intel processor with SSE4.2 supported, the processor will
 577          support CRC32C implementation using hardware accelerated CRC32
 578          instruction. This option will create 'crc32c-intel' module,
 579          which will enable any routine to use the CRC32 instruction to
 580          gain performance compared with software implementation.
 581          Module will be crc32c-intel.
 582
 583config CRYPTO_CRC32C_VPMSUM
 584        tristate "CRC32c CRC algorithm (powerpc64)"
 585        depends on PPC64 && ALTIVEC
 586        select CRYPTO_HASH
 587        select CRC32
 588        help
 589          CRC32c algorithm implemented using vector polynomial multiply-sum
 590          (vpmsum) instructions, introduced in POWER8. Enable on POWER8
 591          and newer processors for improved performance.
 592
 593
 594config CRYPTO_CRC32C_SPARC64
 595        tristate "CRC32c CRC algorithm (SPARC64)"
 596        depends on SPARC64
 597        select CRYPTO_HASH
 598        select CRC32
 599        help
 600          CRC32c CRC algorithm implemented using sparc64 crypto instructions,
 601          when available.
 602
 603config CRYPTO_CRC32
 604        tristate "CRC32 CRC algorithm"
 605        select CRYPTO_HASH
 606        select CRC32
 607        help
 608          CRC-32-IEEE 802.3 cyclic redundancy-check algorithm.
 609          Shash crypto api wrappers to crc32_le function.
 610
 611config CRYPTO_CRC32_PCLMUL
 612        tristate "CRC32 PCLMULQDQ hardware acceleration"
 613        depends on X86
 614        select CRYPTO_HASH
 615        select CRC32
 616        help
 617          From Intel Westmere and AMD Bulldozer processor with SSE4.2
 618          and PCLMULQDQ supported, the processor will support
 619          CRC32 PCLMULQDQ implementation using hardware accelerated PCLMULQDQ
 620          instruction. This option will create 'crc32-pclmul' module,
 621          which will enable any routine to use the CRC-32-IEEE 802.3 checksum
 622          and gain better performance as compared with the table implementation.
 623
 624config CRYPTO_CRC32_MIPS
 625        tristate "CRC32c and CRC32 CRC algorithm (MIPS)"
 626        depends on MIPS_CRC_SUPPORT
 627        select CRYPTO_HASH
 628        help
 629          CRC32c and CRC32 CRC algorithms implemented using mips crypto
 630          instructions, when available.
 631
 632
 633config CRYPTO_XXHASH
 634        tristate "xxHash hash algorithm"
 635        select CRYPTO_HASH
 636        select XXHASH
 637        help
 638          xxHash non-cryptographic hash algorithm. Extremely fast, working at
 639          speeds close to RAM limits.
 640
 641config CRYPTO_CRCT10DIF
 642        tristate "CRCT10DIF algorithm"
 643        select CRYPTO_HASH
 644        help
 645          CRC T10 Data Integrity Field computation is being cast as
 646          a crypto transform.  This allows for faster crc t10 diff
 647          transforms to be used if they are available.
 648
 649config CRYPTO_CRCT10DIF_PCLMUL
 650        tristate "CRCT10DIF PCLMULQDQ hardware acceleration"
 651        depends on X86 && 64BIT && CRC_T10DIF
 652        select CRYPTO_HASH
 653        help
 654          For x86_64 processors with SSE4.2 and PCLMULQDQ supported,
 655          CRC T10 DIF PCLMULQDQ computation can be hardware
 656          accelerated PCLMULQDQ instruction. This option will create
 657          'crct10dif-pclmul' module, which is faster when computing the
 658          crct10dif checksum as compared with the generic table implementation.
 659
 660config CRYPTO_CRCT10DIF_VPMSUM
 661        tristate "CRC32T10DIF powerpc64 hardware acceleration"
 662        depends on PPC64 && ALTIVEC && CRC_T10DIF
 663        select CRYPTO_HASH
 664        help
 665          CRC10T10DIF algorithm implemented using vector polynomial
 666          multiply-sum (vpmsum) instructions, introduced in POWER8. Enable on
 667          POWER8 and newer processors for improved performance.
 668
 669config CRYPTO_VPMSUM_TESTER
 670        tristate "Powerpc64 vpmsum hardware acceleration tester"
 671        depends on CRYPTO_CRCT10DIF_VPMSUM && CRYPTO_CRC32C_VPMSUM
 672        help
 673          Stress test for CRC32c and CRC-T10DIF algorithms implemented with
 674          POWER8 vpmsum instructions.
 675          Unless you are testing these algorithms, you don't need this.
 676
 677config CRYPTO_GHASH
 678        tristate "GHASH hash function"
 679        select CRYPTO_GF128MUL
 680        select CRYPTO_HASH
 681        help
 682          GHASH is the hash function used in GCM (Galois/Counter Mode).
 683          It is not a general-purpose cryptographic hash function.
 684
 685config CRYPTO_POLY1305
 686        tristate "Poly1305 authenticator algorithm"
 687        select CRYPTO_HASH
 688        help
 689          Poly1305 authenticator algorithm, RFC7539.
 690
 691          Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
 692          It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
 693          in IETF protocols. This is the portable C implementation of Poly1305.
 694
 695config CRYPTO_POLY1305_X86_64
 696        tristate "Poly1305 authenticator algorithm (x86_64/SSE2/AVX2)"
 697        depends on X86 && 64BIT
 698        select CRYPTO_POLY1305
 699        help
 700          Poly1305 authenticator algorithm, RFC7539.
 701
 702          Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
 703          It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
 704          in IETF protocols. This is the x86_64 assembler implementation using SIMD
 705          instructions.
 706
 707config CRYPTO_MD4
 708        tristate "MD4 digest algorithm"
 709        select CRYPTO_HASH
 710        help
 711          MD4 message digest algorithm (RFC1320).
 712
 713config CRYPTO_MD5
 714        tristate "MD5 digest algorithm"
 715        select CRYPTO_HASH
 716        help
 717          MD5 message digest algorithm (RFC1321).
 718
 719config CRYPTO_MD5_OCTEON
 720        tristate "MD5 digest algorithm (OCTEON)"
 721        depends on CPU_CAVIUM_OCTEON
 722        select CRYPTO_MD5
 723        select CRYPTO_HASH
 724        help
 725          MD5 message digest algorithm (RFC1321) implemented
 726          using OCTEON crypto instructions, when available.
 727
 728config CRYPTO_MD5_PPC
 729        tristate "MD5 digest algorithm (PPC)"
 730        depends on PPC
 731        select CRYPTO_HASH
 732        help
 733          MD5 message digest algorithm (RFC1321) implemented
 734          in PPC assembler.
 735
 736config CRYPTO_MD5_SPARC64
 737        tristate "MD5 digest algorithm (SPARC64)"
 738        depends on SPARC64
 739        select CRYPTO_MD5
 740        select CRYPTO_HASH
 741        help
 742          MD5 message digest algorithm (RFC1321) implemented
 743          using sparc64 crypto instructions, when available.
 744
 745config CRYPTO_MICHAEL_MIC
 746        tristate "Michael MIC keyed digest algorithm"
 747        select CRYPTO_HASH
 748        help
 749          Michael MIC is used for message integrity protection in TKIP
 750          (IEEE 802.11i). This algorithm is required for TKIP, but it
 751          should not be used for other purposes because of the weakness
 752          of the algorithm.
 753
 754config CRYPTO_RMD128
 755        tristate "RIPEMD-128 digest algorithm"
 756        select CRYPTO_HASH
 757        help
 758          RIPEMD-128 (ISO/IEC 10118-3:2004).
 759
 760          RIPEMD-128 is a 128-bit cryptographic hash function. It should only
 761          be used as a secure replacement for RIPEMD. For other use cases,
 762          RIPEMD-160 should be used.
 763
 764          Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
 765          See <http://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
 766
 767config CRYPTO_RMD160
 768        tristate "RIPEMD-160 digest algorithm"
 769        select CRYPTO_HASH
 770        help
 771          RIPEMD-160 (ISO/IEC 10118-3:2004).
 772
 773          RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
 774          to be used as a secure replacement for the 128-bit hash functions
 775          MD4, MD5 and it's predecessor RIPEMD
 776          (not to be confused with RIPEMD-128).
 777
 778          It's speed is comparable to SHA1 and there are no known attacks
 779          against RIPEMD-160.
 780
 781          Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
 782          See <http://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
 783
 784config CRYPTO_RMD256
 785        tristate "RIPEMD-256 digest algorithm"
 786        select CRYPTO_HASH
 787        help
 788          RIPEMD-256 is an optional extension of RIPEMD-128 with a
 789          256 bit hash. It is intended for applications that require
 790          longer hash-results, without needing a larger security level
 791          (than RIPEMD-128).
 792
 793          Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
 794          See <http://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
 795
 796config CRYPTO_RMD320
 797        tristate "RIPEMD-320 digest algorithm"
 798        select CRYPTO_HASH
 799        help
 800          RIPEMD-320 is an optional extension of RIPEMD-160 with a
 801          320 bit hash. It is intended for applications that require
 802          longer hash-results, without needing a larger security level
 803          (than RIPEMD-160).
 804
 805          Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
 806          See <http://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
 807
 808config CRYPTO_SHA1
 809        tristate "SHA1 digest algorithm"
 810        select CRYPTO_HASH
 811        help
 812          SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2).
 813
 814config CRYPTO_SHA1_SSSE3
 815        tristate "SHA1 digest algorithm (SSSE3/AVX/AVX2/SHA-NI)"
 816        depends on X86 && 64BIT
 817        select CRYPTO_SHA1
 818        select CRYPTO_HASH
 819        help
 820          SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
 821          using Supplemental SSE3 (SSSE3) instructions or Advanced Vector
 822          Extensions (AVX/AVX2) or SHA-NI(SHA Extensions New Instructions),
 823          when available.
 824
 825config CRYPTO_SHA256_SSSE3
 826        tristate "SHA256 digest algorithm (SSSE3/AVX/AVX2/SHA-NI)"
 827        depends on X86 && 64BIT
 828        select CRYPTO_SHA256
 829        select CRYPTO_HASH
 830        help
 831          SHA-256 secure hash standard (DFIPS 180-2) implemented
 832          using Supplemental SSE3 (SSSE3) instructions, or Advanced Vector
 833          Extensions version 1 (AVX1), or Advanced Vector Extensions
 834          version 2 (AVX2) instructions, or SHA-NI (SHA Extensions New
 835          Instructions) when available.
 836
 837config CRYPTO_SHA512_SSSE3
 838        tristate "SHA512 digest algorithm (SSSE3/AVX/AVX2)"
 839        depends on X86 && 64BIT
 840        select CRYPTO_SHA512
 841        select CRYPTO_HASH
 842        help
 843          SHA-512 secure hash standard (DFIPS 180-2) implemented
 844          using Supplemental SSE3 (SSSE3) instructions, or Advanced Vector
 845          Extensions version 1 (AVX1), or Advanced Vector Extensions
 846          version 2 (AVX2) instructions, when available.
 847
 848config CRYPTO_SHA1_OCTEON
 849        tristate "SHA1 digest algorithm (OCTEON)"
 850        depends on CPU_CAVIUM_OCTEON
 851        select CRYPTO_SHA1
 852        select CRYPTO_HASH
 853        help
 854          SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
 855          using OCTEON crypto instructions, when available.
 856
 857config CRYPTO_SHA1_SPARC64
 858        tristate "SHA1 digest algorithm (SPARC64)"
 859        depends on SPARC64
 860        select CRYPTO_SHA1
 861        select CRYPTO_HASH
 862        help
 863          SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
 864          using sparc64 crypto instructions, when available.
 865
 866config CRYPTO_SHA1_PPC
 867        tristate "SHA1 digest algorithm (powerpc)"
 868        depends on PPC
 869        help
 870          This is the powerpc hardware accelerated implementation of the
 871          SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2).
 872
 873config CRYPTO_SHA1_PPC_SPE
 874        tristate "SHA1 digest algorithm (PPC SPE)"
 875        depends on PPC && SPE
 876        help
 877          SHA-1 secure hash standard (DFIPS 180-4) implemented
 878          using powerpc SPE SIMD instruction set.
 879
 880config CRYPTO_LIB_SHA256
 881        tristate
 882
 883config CRYPTO_SHA256
 884        tristate "SHA224 and SHA256 digest algorithm"
 885        select CRYPTO_HASH
 886        select CRYPTO_LIB_SHA256
 887        help
 888          SHA256 secure hash standard (DFIPS 180-2).
 889
 890          This version of SHA implements a 256 bit hash with 128 bits of
 891          security against collision attacks.
 892
 893          This code also includes SHA-224, a 224 bit hash with 112 bits
 894          of security against collision attacks.
 895
 896config CRYPTO_SHA256_PPC_SPE
 897        tristate "SHA224 and SHA256 digest algorithm (PPC SPE)"
 898        depends on PPC && SPE
 899        select CRYPTO_SHA256
 900        select CRYPTO_HASH
 901        help
 902          SHA224 and SHA256 secure hash standard (DFIPS 180-2)
 903          implemented using powerpc SPE SIMD instruction set.
 904
 905config CRYPTO_SHA256_OCTEON
 906        tristate "SHA224 and SHA256 digest algorithm (OCTEON)"
 907        depends on CPU_CAVIUM_OCTEON
 908        select CRYPTO_SHA256
 909        select CRYPTO_HASH
 910        help
 911          SHA-256 secure hash standard (DFIPS 180-2) implemented
 912          using OCTEON crypto instructions, when available.
 913
 914config CRYPTO_SHA256_SPARC64
 915        tristate "SHA224 and SHA256 digest algorithm (SPARC64)"
 916        depends on SPARC64
 917        select CRYPTO_SHA256
 918        select CRYPTO_HASH
 919        help
 920          SHA-256 secure hash standard (DFIPS 180-2) implemented
 921          using sparc64 crypto instructions, when available.
 922
 923config CRYPTO_SHA512
 924        tristate "SHA384 and SHA512 digest algorithms"
 925        select CRYPTO_HASH
 926        help
 927          SHA512 secure hash standard (DFIPS 180-2).
 928
 929          This version of SHA implements a 512 bit hash with 256 bits of
 930          security against collision attacks.
 931
 932          This code also includes SHA-384, a 384 bit hash with 192 bits
 933          of security against collision attacks.
 934
 935config CRYPTO_SHA512_OCTEON
 936        tristate "SHA384 and SHA512 digest algorithms (OCTEON)"
 937        depends on CPU_CAVIUM_OCTEON
 938        select CRYPTO_SHA512
 939        select CRYPTO_HASH
 940        help
 941          SHA-512 secure hash standard (DFIPS 180-2) implemented
 942          using OCTEON crypto instructions, when available.
 943
 944config CRYPTO_SHA512_SPARC64
 945        tristate "SHA384 and SHA512 digest algorithm (SPARC64)"
 946        depends on SPARC64
 947        select CRYPTO_SHA512
 948        select CRYPTO_HASH
 949        help
 950          SHA-512 secure hash standard (DFIPS 180-2) implemented
 951          using sparc64 crypto instructions, when available.
 952
 953config CRYPTO_SHA3
 954        tristate "SHA3 digest algorithm"
 955        select CRYPTO_HASH
 956        help
 957          SHA-3 secure hash standard (DFIPS 202). It's based on
 958          cryptographic sponge function family called Keccak.
 959
 960          References:
 961          http://keccak.noekeon.org/
 962
 963config CRYPTO_SM3
 964        tristate "SM3 digest algorithm"
 965        select CRYPTO_HASH
 966        help
 967          SM3 secure hash function as defined by OSCCA GM/T 0004-2012 SM3).
 968          It is part of the Chinese Commercial Cryptography suite.
 969
 970          References:
 971          http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
 972          https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
 973
 974config CRYPTO_STREEBOG
 975        tristate "Streebog Hash Function"
 976        select CRYPTO_HASH
 977        help
 978          Streebog Hash Function (GOST R 34.11-2012, RFC 6986) is one of the Russian
 979          cryptographic standard algorithms (called GOST algorithms).
 980          This setting enables two hash algorithms with 256 and 512 bits output.
 981
 982          References:
 983          https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
 984          https://tools.ietf.org/html/rfc6986
 985
 986config CRYPTO_TGR192
 987        tristate "Tiger digest algorithms"
 988        select CRYPTO_HASH
 989        help
 990          Tiger hash algorithm 192, 160 and 128-bit hashes
 991
 992          Tiger is a hash function optimized for 64-bit processors while
 993          still having decent performance on 32-bit processors.
 994          Tiger was developed by Ross Anderson and Eli Biham.
 995
 996          See also:
 997          <http://www.cs.technion.ac.il/~biham/Reports/Tiger/>.
 998
 999config CRYPTO_WP512
1000        tristate "Whirlpool digest algorithms"
1001        select CRYPTO_HASH
1002        help
1003          Whirlpool hash algorithm 512, 384 and 256-bit hashes
1004
1005          Whirlpool-512 is part of the NESSIE cryptographic primitives.
1006          Whirlpool will be part of the ISO/IEC 10118-3:2003(E) standard
1007
1008          See also:
1009          <http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html>
1010
1011config CRYPTO_GHASH_CLMUL_NI_INTEL
1012        tristate "GHASH hash function (CLMUL-NI accelerated)"
1013        depends on X86 && 64BIT
1014        select CRYPTO_CRYPTD
1015        help
1016          This is the x86_64 CLMUL-NI accelerated implementation of
1017          GHASH, the hash function used in GCM (Galois/Counter mode).
1018
1019comment "Ciphers"
1020
1021config CRYPTO_LIB_AES
1022        tristate
1023
1024config CRYPTO_AES
1025        tristate "AES cipher algorithms"
1026        select CRYPTO_ALGAPI
1027        select CRYPTO_LIB_AES
1028        help
1029          AES cipher algorithms (FIPS-197). AES uses the Rijndael
1030          algorithm.
1031
1032          Rijndael appears to be consistently a very good performer in
1033          both hardware and software across a wide range of computing
1034          environments regardless of its use in feedback or non-feedback
1035          modes. Its key setup time is excellent, and its key agility is
1036          good. Rijndael's very low memory requirements make it very well
1037          suited for restricted-space environments, in which it also
1038          demonstrates excellent performance. Rijndael's operations are
1039          among the easiest to defend against power and timing attacks.
1040
1041          The AES specifies three key sizes: 128, 192 and 256 bits
1042
1043          See <http://csrc.nist.gov/CryptoToolkit/aes/> for more information.
1044
1045config CRYPTO_AES_TI
1046        tristate "Fixed time AES cipher"
1047        select CRYPTO_ALGAPI
1048        select CRYPTO_LIB_AES
1049        help
1050          This is a generic implementation of AES that attempts to eliminate
1051          data dependent latencies as much as possible without affecting
1052          performance too much. It is intended for use by the generic CCM
1053          and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
1054          solely on encryption (although decryption is supported as well, but
1055          with a more dramatic performance hit)
1056
1057          Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
1058          8 for decryption), this implementation only uses just two S-boxes of
1059          256 bytes each, and attempts to eliminate data dependent latencies by
1060          prefetching the entire table into the cache at the start of each
1061          block. Interrupts are also disabled to avoid races where cachelines
1062          are evicted when the CPU is interrupted to do something else.
1063
1064config CRYPTO_AES_NI_INTEL
1065        tristate "AES cipher algorithms (AES-NI)"
1066        depends on X86
1067        select CRYPTO_AEAD
1068        select CRYPTO_LIB_AES
1069        select CRYPTO_ALGAPI
1070        select CRYPTO_BLKCIPHER
1071        select CRYPTO_GLUE_HELPER_X86 if 64BIT
1072        select CRYPTO_SIMD
1073        help
1074          Use Intel AES-NI instructions for AES algorithm.
1075
1076          AES cipher algorithms (FIPS-197). AES uses the Rijndael
1077          algorithm.
1078
1079          Rijndael appears to be consistently a very good performer in
1080          both hardware and software across a wide range of computing
1081          environments regardless of its use in feedback or non-feedback
1082          modes. Its key setup time is excellent, and its key agility is
1083          good. Rijndael's very low memory requirements make it very well
1084          suited for restricted-space environments, in which it also
1085          demonstrates excellent performance. Rijndael's operations are
1086          among the easiest to defend against power and timing attacks.
1087
1088          The AES specifies three key sizes: 128, 192 and 256 bits
1089
1090          See <http://csrc.nist.gov/encryption/aes/> for more information.
1091
1092          In addition to AES cipher algorithm support, the acceleration
1093          for some popular block cipher mode is supported too, including
1094          ECB, CBC, LRW, XTS. The 64 bit version has additional
1095          acceleration for CTR.
1096
1097config CRYPTO_AES_SPARC64
1098        tristate "AES cipher algorithms (SPARC64)"
1099        depends on SPARC64
1100        select CRYPTO_CRYPTD
1101        select CRYPTO_ALGAPI
1102        help
1103          Use SPARC64 crypto opcodes for AES algorithm.
1104
1105          AES cipher algorithms (FIPS-197). AES uses the Rijndael
1106          algorithm.
1107
1108          Rijndael appears to be consistently a very good performer in
1109          both hardware and software across a wide range of computing
1110          environments regardless of its use in feedback or non-feedback
1111          modes. Its key setup time is excellent, and its key agility is
1112          good. Rijndael's very low memory requirements make it very well
1113          suited for restricted-space environments, in which it also
1114          demonstrates excellent performance. Rijndael's operations are
1115          among the easiest to defend against power and timing attacks.
1116
1117          The AES specifies three key sizes: 128, 192 and 256 bits
1118
1119          See <http://csrc.nist.gov/encryption/aes/> for more information.
1120
1121          In addition to AES cipher algorithm support, the acceleration
1122          for some popular block cipher mode is supported too, including
1123          ECB and CBC.
1124
1125config CRYPTO_AES_PPC_SPE
1126        tristate "AES cipher algorithms (PPC SPE)"
1127        depends on PPC && SPE
1128        help
1129          AES cipher algorithms (FIPS-197). Additionally the acceleration
1130          for popular block cipher modes ECB, CBC, CTR and XTS is supported.
1131          This module should only be used for low power (router) devices
1132          without hardware AES acceleration (e.g. caam crypto). It reduces the
1133          size of the AES tables from 16KB to 8KB + 256 bytes and mitigates
1134          timining attacks. Nevertheless it might be not as secure as other
1135          architecture specific assembler implementations that work on 1KB
1136          tables or 256 bytes S-boxes.
1137
1138config CRYPTO_ANUBIS
1139        tristate "Anubis cipher algorithm"
1140        select CRYPTO_ALGAPI
1141        help
1142          Anubis cipher algorithm.
1143
1144          Anubis is a variable key length cipher which can use keys from
1145          128 bits to 320 bits in length.  It was evaluated as a entrant
1146          in the NESSIE competition.
1147
1148          See also:
1149          <https://www.cosic.esat.kuleuven.be/nessie/reports/>
1150          <http://www.larc.usp.br/~pbarreto/AnubisPage.html>
1151
1152config CRYPTO_LIB_ARC4
1153        tristate
1154
1155config CRYPTO_ARC4
1156        tristate "ARC4 cipher algorithm"
1157        select CRYPTO_BLKCIPHER
1158        select CRYPTO_LIB_ARC4
1159        help
1160          ARC4 cipher algorithm.
1161
1162          ARC4 is a stream cipher using keys ranging from 8 bits to 2048
1163          bits in length.  This algorithm is required for driver-based
1164          WEP, but it should not be for other purposes because of the
1165          weakness of the algorithm.
1166
1167config CRYPTO_BLOWFISH
1168        tristate "Blowfish cipher algorithm"
1169        select CRYPTO_ALGAPI
1170        select CRYPTO_BLOWFISH_COMMON
1171        help
1172          Blowfish cipher algorithm, by Bruce Schneier.
1173
1174          This is a variable key length cipher which can use keys from 32
1175          bits to 448 bits in length.  It's fast, simple and specifically
1176          designed for use on "large microprocessors".
1177
1178          See also:
1179          <http://www.schneier.com/blowfish.html>
1180
1181config CRYPTO_BLOWFISH_COMMON
1182        tristate
1183        help
1184          Common parts of the Blowfish cipher algorithm shared by the
1185          generic c and the assembler implementations.
1186
1187          See also:
1188          <http://www.schneier.com/blowfish.html>
1189
1190config CRYPTO_BLOWFISH_X86_64
1191        tristate "Blowfish cipher algorithm (x86_64)"
1192        depends on X86 && 64BIT
1193        select CRYPTO_BLKCIPHER
1194        select CRYPTO_BLOWFISH_COMMON
1195        help
1196          Blowfish cipher algorithm (x86_64), by Bruce Schneier.
1197
1198          This is a variable key length cipher which can use keys from 32
1199          bits to 448 bits in length.  It's fast, simple and specifically
1200          designed for use on "large microprocessors".
1201
1202          See also:
1203          <http://www.schneier.com/blowfish.html>
1204
1205config CRYPTO_CAMELLIA
1206        tristate "Camellia cipher algorithms"
1207        depends on CRYPTO
1208        select CRYPTO_ALGAPI
1209        help
1210          Camellia cipher algorithms module.
1211
1212          Camellia is a symmetric key block cipher developed jointly
1213          at NTT and Mitsubishi Electric Corporation.
1214
1215          The Camellia specifies three key sizes: 128, 192 and 256 bits.
1216
1217          See also:
1218          <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1219
1220config CRYPTO_CAMELLIA_X86_64
1221        tristate "Camellia cipher algorithm (x86_64)"
1222        depends on X86 && 64BIT
1223        depends on CRYPTO
1224        select CRYPTO_BLKCIPHER
1225        select CRYPTO_GLUE_HELPER_X86
1226        help
1227          Camellia cipher algorithm module (x86_64).
1228
1229          Camellia is a symmetric key block cipher developed jointly
1230          at NTT and Mitsubishi Electric Corporation.
1231
1232          The Camellia specifies three key sizes: 128, 192 and 256 bits.
1233
1234          See also:
1235          <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1236
1237config CRYPTO_CAMELLIA_AESNI_AVX_X86_64
1238        tristate "Camellia cipher algorithm (x86_64/AES-NI/AVX)"
1239        depends on X86 && 64BIT
1240        depends on CRYPTO
1241        select CRYPTO_BLKCIPHER
1242        select CRYPTO_CAMELLIA_X86_64
1243        select CRYPTO_GLUE_HELPER_X86
1244        select CRYPTO_SIMD
1245        select CRYPTO_XTS
1246        help
1247          Camellia cipher algorithm module (x86_64/AES-NI/AVX).
1248
1249          Camellia is a symmetric key block cipher developed jointly
1250          at NTT and Mitsubishi Electric Corporation.
1251
1252          The Camellia specifies three key sizes: 128, 192 and 256 bits.
1253
1254          See also:
1255          <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1256
1257config CRYPTO_CAMELLIA_AESNI_AVX2_X86_64
1258        tristate "Camellia cipher algorithm (x86_64/AES-NI/AVX2)"
1259        depends on X86 && 64BIT
1260        depends on CRYPTO
1261        select CRYPTO_CAMELLIA_AESNI_AVX_X86_64
1262        help
1263          Camellia cipher algorithm module (x86_64/AES-NI/AVX2).
1264
1265          Camellia is a symmetric key block cipher developed jointly
1266          at NTT and Mitsubishi Electric Corporation.
1267
1268          The Camellia specifies three key sizes: 128, 192 and 256 bits.
1269
1270          See also:
1271          <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1272
1273config CRYPTO_CAMELLIA_SPARC64
1274        tristate "Camellia cipher algorithm (SPARC64)"
1275        depends on SPARC64
1276        depends on CRYPTO
1277        select CRYPTO_ALGAPI
1278        help
1279          Camellia cipher algorithm module (SPARC64).
1280
1281          Camellia is a symmetric key block cipher developed jointly
1282          at NTT and Mitsubishi Electric Corporation.
1283
1284          The Camellia specifies three key sizes: 128, 192 and 256 bits.
1285
1286          See also:
1287          <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1288
1289config CRYPTO_CAST_COMMON
1290        tristate
1291        help
1292          Common parts of the CAST cipher algorithms shared by the
1293          generic c and the assembler implementations.
1294
1295config CRYPTO_CAST5
1296        tristate "CAST5 (CAST-128) cipher algorithm"
1297        select CRYPTO_ALGAPI
1298        select CRYPTO_CAST_COMMON
1299        help
1300          The CAST5 encryption algorithm (synonymous with CAST-128) is
1301          described in RFC2144.
1302
1303config CRYPTO_CAST5_AVX_X86_64
1304        tristate "CAST5 (CAST-128) cipher algorithm (x86_64/AVX)"
1305        depends on X86 && 64BIT
1306        select CRYPTO_BLKCIPHER
1307        select CRYPTO_CAST5
1308        select CRYPTO_CAST_COMMON
1309        select CRYPTO_SIMD
1310        help
1311          The CAST5 encryption algorithm (synonymous with CAST-128) is
1312          described in RFC2144.
1313
1314          This module provides the Cast5 cipher algorithm that processes
1315          sixteen blocks parallel using the AVX instruction set.
1316
1317config CRYPTO_CAST6
1318        tristate "CAST6 (CAST-256) cipher algorithm"
1319        select CRYPTO_ALGAPI
1320        select CRYPTO_CAST_COMMON
1321        help
1322          The CAST6 encryption algorithm (synonymous with CAST-256) is
1323          described in RFC2612.
1324
1325config CRYPTO_CAST6_AVX_X86_64
1326        tristate "CAST6 (CAST-256) cipher algorithm (x86_64/AVX)"
1327        depends on X86 && 64BIT
1328        select CRYPTO_BLKCIPHER
1329        select CRYPTO_CAST6
1330        select CRYPTO_CAST_COMMON
1331        select CRYPTO_GLUE_HELPER_X86
1332        select CRYPTO_SIMD
1333        select CRYPTO_XTS
1334        help
1335          The CAST6 encryption algorithm (synonymous with CAST-256) is
1336          described in RFC2612.
1337
1338          This module provides the Cast6 cipher algorithm that processes
1339          eight blocks parallel using the AVX instruction set.
1340
1341config CRYPTO_LIB_DES
1342        tristate
1343
1344config CRYPTO_DES
1345        tristate "DES and Triple DES EDE cipher algorithms"
1346        select CRYPTO_ALGAPI
1347        select CRYPTO_LIB_DES
1348        help
1349          DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3).
1350
1351config CRYPTO_DES_SPARC64
1352        tristate "DES and Triple DES EDE cipher algorithms (SPARC64)"
1353        depends on SPARC64
1354        select CRYPTO_ALGAPI
1355        select CRYPTO_LIB_DES
1356        help
1357          DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3),
1358          optimized using SPARC64 crypto opcodes.
1359
1360config CRYPTO_DES3_EDE_X86_64
1361        tristate "Triple DES EDE cipher algorithm (x86-64)"
1362        depends on X86 && 64BIT
1363        select CRYPTO_BLKCIPHER
1364        select CRYPTO_LIB_DES
1365        help
1366          Triple DES EDE (FIPS 46-3) algorithm.
1367
1368          This module provides implementation of the Triple DES EDE cipher
1369          algorithm that is optimized for x86-64 processors. Two versions of
1370          algorithm are provided; regular processing one input block and
1371          one that processes three blocks parallel.
1372
1373config CRYPTO_FCRYPT
1374        tristate "FCrypt cipher algorithm"
1375        select CRYPTO_ALGAPI
1376        select CRYPTO_BLKCIPHER
1377        help
1378          FCrypt algorithm used by RxRPC.
1379
1380config CRYPTO_KHAZAD
1381        tristate "Khazad cipher algorithm"
1382        select CRYPTO_ALGAPI
1383        help
1384          Khazad cipher algorithm.
1385
1386          Khazad was a finalist in the initial NESSIE competition.  It is
1387          an algorithm optimized for 64-bit processors with good performance
1388          on 32-bit processors.  Khazad uses an 128 bit key size.
1389
1390          See also:
1391          <http://www.larc.usp.br/~pbarreto/KhazadPage.html>
1392
1393config CRYPTO_SALSA20
1394        tristate "Salsa20 stream cipher algorithm"
1395        select CRYPTO_BLKCIPHER
1396        help
1397          Salsa20 stream cipher algorithm.
1398
1399          Salsa20 is a stream cipher submitted to eSTREAM, the ECRYPT
1400          Stream Cipher Project. See <http://www.ecrypt.eu.org/stream/>
1401
1402          The Salsa20 stream cipher algorithm is designed by Daniel J.
1403          Bernstein <djb@cr.yp.to>. See <http://cr.yp.to/snuffle.html>
1404
1405config CRYPTO_CHACHA20
1406        tristate "ChaCha stream cipher algorithms"
1407        select CRYPTO_BLKCIPHER
1408        help
1409          The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms.
1410
1411          ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
1412          Bernstein and further specified in RFC7539 for use in IETF protocols.
1413          This is the portable C implementation of ChaCha20.  See also:
1414          <http://cr.yp.to/chacha/chacha-20080128.pdf>
1415
1416          XChaCha20 is the application of the XSalsa20 construction to ChaCha20
1417          rather than to Salsa20.  XChaCha20 extends ChaCha20's nonce length
1418          from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
1419          while provably retaining ChaCha20's security.  See also:
1420          <https://cr.yp.to/snuffle/xsalsa-20081128.pdf>
1421
1422          XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
1423          reduced security margin but increased performance.  It can be needed
1424          in some performance-sensitive scenarios.
1425
1426config CRYPTO_CHACHA20_X86_64
1427        tristate "ChaCha stream cipher algorithms (x86_64/SSSE3/AVX2/AVX-512VL)"
1428        depends on X86 && 64BIT
1429        select CRYPTO_BLKCIPHER
1430        select CRYPTO_CHACHA20
1431        help
1432          SSSE3, AVX2, and AVX-512VL optimized implementations of the ChaCha20,
1433          XChaCha20, and XChaCha12 stream ciphers.
1434
1435config CRYPTO_SEED
1436        tristate "SEED cipher algorithm"
1437        select CRYPTO_ALGAPI
1438        help
1439          SEED cipher algorithm (RFC4269).
1440
1441          SEED is a 128-bit symmetric key block cipher that has been
1442          developed by KISA (Korea Information Security Agency) as a
1443          national standard encryption algorithm of the Republic of Korea.
1444          It is a 16 round block cipher with the key size of 128 bit.
1445
1446          See also:
1447          <http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp>
1448
1449config CRYPTO_SERPENT
1450        tristate "Serpent cipher algorithm"
1451        select CRYPTO_ALGAPI
1452        help
1453          Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1454
1455          Keys are allowed to be from 0 to 256 bits in length, in steps
1456          of 8 bits.  Also includes the 'Tnepres' algorithm, a reversed
1457          variant of Serpent for compatibility with old kerneli.org code.
1458
1459          See also:
1460          <http://www.cl.cam.ac.uk/~rja14/serpent.html>
1461
1462config CRYPTO_SERPENT_SSE2_X86_64
1463        tristate "Serpent cipher algorithm (x86_64/SSE2)"
1464        depends on X86 && 64BIT
1465        select CRYPTO_BLKCIPHER
1466        select CRYPTO_GLUE_HELPER_X86
1467        select CRYPTO_SERPENT
1468        select CRYPTO_SIMD
1469        help
1470          Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1471
1472          Keys are allowed to be from 0 to 256 bits in length, in steps
1473          of 8 bits.
1474
1475          This module provides Serpent cipher algorithm that processes eight
1476          blocks parallel using SSE2 instruction set.
1477
1478          See also:
1479          <http://www.cl.cam.ac.uk/~rja14/serpent.html>
1480
1481config CRYPTO_SERPENT_SSE2_586
1482        tristate "Serpent cipher algorithm (i586/SSE2)"
1483        depends on X86 && !64BIT
1484        select CRYPTO_BLKCIPHER
1485        select CRYPTO_GLUE_HELPER_X86
1486        select CRYPTO_SERPENT
1487        select CRYPTO_SIMD
1488        help
1489          Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1490
1491          Keys are allowed to be from 0 to 256 bits in length, in steps
1492          of 8 bits.
1493
1494          This module provides Serpent cipher algorithm that processes four
1495          blocks parallel using SSE2 instruction set.
1496
1497          See also:
1498          <http://www.cl.cam.ac.uk/~rja14/serpent.html>
1499
1500config CRYPTO_SERPENT_AVX_X86_64
1501        tristate "Serpent cipher algorithm (x86_64/AVX)"
1502        depends on X86 && 64BIT
1503        select CRYPTO_BLKCIPHER
1504        select CRYPTO_GLUE_HELPER_X86
1505        select CRYPTO_SERPENT
1506        select CRYPTO_SIMD
1507        select CRYPTO_XTS
1508        help
1509          Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1510
1511          Keys are allowed to be from 0 to 256 bits in length, in steps
1512          of 8 bits.
1513
1514          This module provides the Serpent cipher algorithm that processes
1515          eight blocks parallel using the AVX instruction set.
1516
1517          See also:
1518          <http://www.cl.cam.ac.uk/~rja14/serpent.html>
1519
1520config CRYPTO_SERPENT_AVX2_X86_64
1521        tristate "Serpent cipher algorithm (x86_64/AVX2)"
1522        depends on X86 && 64BIT
1523        select CRYPTO_SERPENT_AVX_X86_64
1524        help
1525          Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1526
1527          Keys are allowed to be from 0 to 256 bits in length, in steps
1528          of 8 bits.
1529
1530          This module provides Serpent cipher algorithm that processes 16
1531          blocks parallel using AVX2 instruction set.
1532
1533          See also:
1534          <http://www.cl.cam.ac.uk/~rja14/serpent.html>
1535
1536config CRYPTO_SM4
1537        tristate "SM4 cipher algorithm"
1538        select CRYPTO_ALGAPI
1539        help
1540          SM4 cipher algorithms (OSCCA GB/T 32907-2016).
1541
1542          SM4 (GBT.32907-2016) is a cryptographic standard issued by the
1543          Organization of State Commercial Administration of China (OSCCA)
1544          as an authorized cryptographic algorithms for the use within China.
1545
1546          SMS4 was originally created for use in protecting wireless
1547          networks, and is mandated in the Chinese National Standard for
1548          Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
1549          (GB.15629.11-2003).
1550
1551          The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
1552          standardized through TC 260 of the Standardization Administration
1553          of the People's Republic of China (SAC).
1554
1555          The input, output, and key of SMS4 are each 128 bits.
1556
1557          See also: <https://eprint.iacr.org/2008/329.pdf>
1558
1559          If unsure, say N.
1560
1561config CRYPTO_TEA
1562        tristate "TEA, XTEA and XETA cipher algorithms"
1563        select CRYPTO_ALGAPI
1564        help
1565          TEA cipher algorithm.
1566
1567          Tiny Encryption Algorithm is a simple cipher that uses
1568          many rounds for security.  It is very fast and uses
1569          little memory.
1570
1571          Xtendend Tiny Encryption Algorithm is a modification to
1572          the TEA algorithm to address a potential key weakness
1573          in the TEA algorithm.
1574
1575          Xtendend Encryption Tiny Algorithm is a mis-implementation
1576          of the XTEA algorithm for compatibility purposes.
1577
1578config CRYPTO_TWOFISH
1579        tristate "Twofish cipher algorithm"
1580        select CRYPTO_ALGAPI
1581        select CRYPTO_TWOFISH_COMMON
1582        help
1583          Twofish cipher algorithm.
1584
1585          Twofish was submitted as an AES (Advanced Encryption Standard)
1586          candidate cipher by researchers at CounterPane Systems.  It is a
1587          16 round block cipher supporting key sizes of 128, 192, and 256
1588          bits.
1589
1590          See also:
1591          <http://www.schneier.com/twofish.html>
1592
1593config CRYPTO_TWOFISH_COMMON
1594        tristate
1595        help
1596          Common parts of the Twofish cipher algorithm shared by the
1597          generic c and the assembler implementations.
1598
1599config CRYPTO_TWOFISH_586
1600        tristate "Twofish cipher algorithms (i586)"
1601        depends on (X86 || UML_X86) && !64BIT
1602        select CRYPTO_ALGAPI
1603        select CRYPTO_TWOFISH_COMMON
1604        help
1605          Twofish cipher algorithm.
1606
1607          Twofish was submitted as an AES (Advanced Encryption Standard)
1608          candidate cipher by researchers at CounterPane Systems.  It is a
1609          16 round block cipher supporting key sizes of 128, 192, and 256
1610          bits.
1611
1612          See also:
1613          <http://www.schneier.com/twofish.html>
1614
1615config CRYPTO_TWOFISH_X86_64
1616        tristate "Twofish cipher algorithm (x86_64)"
1617        depends on (X86 || UML_X86) && 64BIT
1618        select CRYPTO_ALGAPI
1619        select CRYPTO_TWOFISH_COMMON
1620        help
1621          Twofish cipher algorithm (x86_64).
1622
1623          Twofish was submitted as an AES (Advanced Encryption Standard)
1624          candidate cipher by researchers at CounterPane Systems.  It is a
1625          16 round block cipher supporting key sizes of 128, 192, and 256
1626          bits.
1627
1628          See also:
1629          <http://www.schneier.com/twofish.html>
1630
1631config CRYPTO_TWOFISH_X86_64_3WAY
1632        tristate "Twofish cipher algorithm (x86_64, 3-way parallel)"
1633        depends on X86 && 64BIT
1634        select CRYPTO_BLKCIPHER
1635        select CRYPTO_TWOFISH_COMMON
1636        select CRYPTO_TWOFISH_X86_64
1637        select CRYPTO_GLUE_HELPER_X86
1638        help
1639          Twofish cipher algorithm (x86_64, 3-way parallel).
1640
1641          Twofish was submitted as an AES (Advanced Encryption Standard)
1642          candidate cipher by researchers at CounterPane Systems.  It is a
1643          16 round block cipher supporting key sizes of 128, 192, and 256
1644          bits.
1645
1646          This module provides Twofish cipher algorithm that processes three
1647          blocks parallel, utilizing resources of out-of-order CPUs better.
1648
1649          See also:
1650          <http://www.schneier.com/twofish.html>
1651
1652config CRYPTO_TWOFISH_AVX_X86_64
1653        tristate "Twofish cipher algorithm (x86_64/AVX)"
1654        depends on X86 && 64BIT
1655        select CRYPTO_BLKCIPHER
1656        select CRYPTO_GLUE_HELPER_X86
1657        select CRYPTO_SIMD
1658        select CRYPTO_TWOFISH_COMMON
1659        select CRYPTO_TWOFISH_X86_64
1660        select CRYPTO_TWOFISH_X86_64_3WAY
1661        help
1662          Twofish cipher algorithm (x86_64/AVX).
1663
1664          Twofish was submitted as an AES (Advanced Encryption Standard)
1665          candidate cipher by researchers at CounterPane Systems.  It is a
1666          16 round block cipher supporting key sizes of 128, 192, and 256
1667          bits.
1668
1669          This module provides the Twofish cipher algorithm that processes
1670          eight blocks parallel using the AVX Instruction Set.
1671
1672          See also:
1673          <http://www.schneier.com/twofish.html>
1674
1675comment "Compression"
1676
1677config CRYPTO_DEFLATE
1678        tristate "Deflate compression algorithm"
1679        select CRYPTO_ALGAPI
1680        select CRYPTO_ACOMP2
1681        select ZLIB_INFLATE
1682        select ZLIB_DEFLATE
1683        help
1684          This is the Deflate algorithm (RFC1951), specified for use in
1685          IPSec with the IPCOMP protocol (RFC3173, RFC2394).
1686
1687          You will most probably want this if using IPSec.
1688
1689config CRYPTO_LZO
1690        tristate "LZO compression algorithm"
1691        select CRYPTO_ALGAPI
1692        select CRYPTO_ACOMP2
1693        select LZO_COMPRESS
1694        select LZO_DECOMPRESS
1695        help
1696          This is the LZO algorithm.
1697
1698config CRYPTO_842
1699        tristate "842 compression algorithm"
1700        select CRYPTO_ALGAPI
1701        select CRYPTO_ACOMP2
1702        select 842_COMPRESS
1703        select 842_DECOMPRESS
1704        help
1705          This is the 842 algorithm.
1706
1707config CRYPTO_LZ4
1708        tristate "LZ4 compression algorithm"
1709        select CRYPTO_ALGAPI
1710        select CRYPTO_ACOMP2
1711        select LZ4_COMPRESS
1712        select LZ4_DECOMPRESS
1713        help
1714          This is the LZ4 algorithm.
1715
1716config CRYPTO_LZ4HC
1717        tristate "LZ4HC compression algorithm"
1718        select CRYPTO_ALGAPI
1719        select CRYPTO_ACOMP2
1720        select LZ4HC_COMPRESS
1721        select LZ4_DECOMPRESS
1722        help
1723          This is the LZ4 high compression mode algorithm.
1724
1725config CRYPTO_ZSTD
1726        tristate "Zstd compression algorithm"
1727        select CRYPTO_ALGAPI
1728        select CRYPTO_ACOMP2
1729        select ZSTD_COMPRESS
1730        select ZSTD_DECOMPRESS
1731        help
1732          This is the zstd algorithm.
1733
1734comment "Random Number Generation"
1735
1736config CRYPTO_ANSI_CPRNG
1737        tristate "Pseudo Random Number Generation for Cryptographic modules"
1738        select CRYPTO_AES
1739        select CRYPTO_RNG
1740        help
1741          This option enables the generic pseudo random number generator
1742          for cryptographic modules.  Uses the Algorithm specified in
1743          ANSI X9.31 A.2.4. Note that this option must be enabled if
1744          CRYPTO_FIPS is selected
1745
1746menuconfig CRYPTO_DRBG_MENU
1747        tristate "NIST SP800-90A DRBG"
1748        help
1749          NIST SP800-90A compliant DRBG. In the following submenu, one or
1750          more of the DRBG types must be selected.
1751
1752if CRYPTO_DRBG_MENU
1753
1754config CRYPTO_DRBG_HMAC
1755        bool
1756        default y
1757        select CRYPTO_HMAC
1758        select CRYPTO_SHA256
1759
1760config CRYPTO_DRBG_HASH
1761        bool "Enable Hash DRBG"
1762        select CRYPTO_SHA256
1763        help
1764          Enable the Hash DRBG variant as defined in NIST SP800-90A.
1765
1766config CRYPTO_DRBG_CTR
1767        bool "Enable CTR DRBG"
1768        select CRYPTO_AES
1769        depends on CRYPTO_CTR
1770        help
1771          Enable the CTR DRBG variant as defined in NIST SP800-90A.
1772
1773config CRYPTO_DRBG
1774        tristate
1775        default CRYPTO_DRBG_MENU
1776        select CRYPTO_RNG
1777        select CRYPTO_JITTERENTROPY
1778
1779endif   # if CRYPTO_DRBG_MENU
1780
1781config CRYPTO_JITTERENTROPY
1782        tristate "Jitterentropy Non-Deterministic Random Number Generator"
1783        select CRYPTO_RNG
1784        help
1785          The Jitterentropy RNG is a noise that is intended
1786          to provide seed to another RNG. The RNG does not
1787          perform any cryptographic whitening of the generated
1788          random numbers. This Jitterentropy RNG registers with
1789          the kernel crypto API and can be used by any caller.
1790
1791config CRYPTO_USER_API
1792        tristate
1793
1794config CRYPTO_USER_API_HASH
1795        tristate "User-space interface for hash algorithms"
1796        depends on NET
1797        select CRYPTO_HASH
1798        select CRYPTO_USER_API
1799        help
1800          This option enables the user-spaces interface for hash
1801          algorithms.
1802
1803config CRYPTO_USER_API_SKCIPHER
1804        tristate "User-space interface for symmetric key cipher algorithms"
1805        depends on NET
1806        select CRYPTO_BLKCIPHER
1807        select CRYPTO_USER_API
1808        help
1809          This option enables the user-spaces interface for symmetric
1810          key cipher algorithms.
1811
1812config CRYPTO_USER_API_RNG
1813        tristate "User-space interface for random number generator algorithms"
1814        depends on NET
1815        select CRYPTO_RNG
1816        select CRYPTO_USER_API
1817        help
1818          This option enables the user-spaces interface for random
1819          number generator algorithms.
1820
1821config CRYPTO_USER_API_AEAD
1822        tristate "User-space interface for AEAD cipher algorithms"
1823        depends on NET
1824        select CRYPTO_AEAD
1825        select CRYPTO_BLKCIPHER
1826        select CRYPTO_NULL
1827        select CRYPTO_USER_API
1828        help
1829          This option enables the user-spaces interface for AEAD
1830          cipher algorithms.
1831
1832config CRYPTO_STATS
1833        bool "Crypto usage statistics for User-space"
1834        depends on CRYPTO_USER
1835        help
1836          This option enables the gathering of crypto stats.
1837          This will collect:
1838          - encrypt/decrypt size and numbers of symmeric operations
1839          - compress/decompress size and numbers of compress operations
1840          - size and numbers of hash operations
1841          - encrypt/decrypt/sign/verify numbers for asymmetric operations
1842          - generate/seed numbers for rng operations
1843
1844config CRYPTO_HASH_INFO
1845        bool
1846
1847source "drivers/crypto/Kconfig"
1848source "crypto/asymmetric_keys/Kconfig"
1849source "certs/Kconfig"
1850
1851endif   # if CRYPTO
1852