[linux-block.git] / crypto / Kconfig
b2441318 1# SPDX-License-Identifier: GPL-2.0
685784aa
DW
2#
3# Generic algorithms support
4#
5config XOR_BLOCKS
6 tristate
7
1da177e4 8#
9bc89cd8 9# async_tx api: hardware offloaded memory transfer/transform support
1da177e4 10#
9bc89cd8 11source "crypto/async_tx/Kconfig"
1da177e4 12
9bc89cd8
DW
13#
14# Cryptographic API Configuration
15#
2e290f43 16menuconfig CRYPTO
c3715cb9 17 tristate "Cryptographic API"
7033b937 18 select CRYPTO_LIB_UTILS
1da177e4
LT
19 help
20 This option provides the core Cryptographic API.
21
cce9e06d
HX
22if CRYPTO
23
f1f142ad 24menu "Crypto core or helper"
584fffc8 25
ccb778e1
NH
26config CRYPTO_FIPS
27 bool "FIPS 200 compliance"
f2c89a10 28 depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
1f696097 29 depends on (MODULE_SIG || !MODULES)
ccb778e1 30 help
d99324c2
GU
31 This option enables the fips boot option which is
32 required if you want the system to operate in a FIPS 200
ccb778e1 33 certification. You should say no unless you know what
e84c5480 34 this is.
ccb778e1 35
5a44749f
VD
36config CRYPTO_FIPS_NAME
37 string "FIPS Module Name"
38 default "Linux Kernel Cryptographic API"
39 depends on CRYPTO_FIPS
40 help
41 This option sets the FIPS Module name reported by the Crypto API via
42 the /proc/sys/crypto/fips_name file.
43
44config CRYPTO_FIPS_CUSTOM_VERSION
45 bool "Use Custom FIPS Module Version"
46 depends on CRYPTO_FIPS
47 default n
48
49config CRYPTO_FIPS_VERSION
50 string "FIPS Module Version"
51 default "(none)"
52 depends on CRYPTO_FIPS_CUSTOM_VERSION
53 help
54 This option provides the ability to override the FIPS Module Version.
55 By default the KERNELRELEASE value is used.
56
cce9e06d
HX
57config CRYPTO_ALGAPI
58 tristate
6a0fcbb4 59 select CRYPTO_ALGAPI2
cce9e06d
HX
60 help
61 This option provides the API for cryptographic algorithms.
62
6a0fcbb4
HX
63config CRYPTO_ALGAPI2
64 tristate
65
1ae97820
HX
66config CRYPTO_AEAD
67 tristate
6a0fcbb4 68 select CRYPTO_AEAD2
1ae97820
HX
69 select CRYPTO_ALGAPI
70
6a0fcbb4
HX
71config CRYPTO_AEAD2
72 tristate
73 select CRYPTO_ALGAPI2
74
6cb8815f
HX
75config CRYPTO_SIG
76 tristate
77 select CRYPTO_SIG2
78 select CRYPTO_ALGAPI
79
80config CRYPTO_SIG2
81 tristate
82 select CRYPTO_ALGAPI2
83
b95bba5d 84config CRYPTO_SKCIPHER
5cde0af2 85 tristate
b95bba5d 86 select CRYPTO_SKCIPHER2
5cde0af2 87 select CRYPTO_ALGAPI
84534684 88 select CRYPTO_ECB
6a0fcbb4 89
b95bba5d 90config CRYPTO_SKCIPHER2
6a0fcbb4
HX
91 tristate
92 select CRYPTO_ALGAPI2
5cde0af2 93
055bcee3
HX
94config CRYPTO_HASH
95 tristate
6a0fcbb4 96 select CRYPTO_HASH2
055bcee3
HX
97 select CRYPTO_ALGAPI
98
6a0fcbb4
HX
99config CRYPTO_HASH2
100 tristate
101 select CRYPTO_ALGAPI2
102
17f0f4a4
NH
103config CRYPTO_RNG
104 tristate
6a0fcbb4 105 select CRYPTO_RNG2
17f0f4a4
NH
106 select CRYPTO_ALGAPI
107
6a0fcbb4
HX
108config CRYPTO_RNG2
109 tristate
110 select CRYPTO_ALGAPI2
111
401e4238
HX
112config CRYPTO_RNG_DEFAULT
113 tristate
114 select CRYPTO_DRBG_MENU
115
3c339ab8
TS
116config CRYPTO_AKCIPHER2
117 tristate
118 select CRYPTO_ALGAPI2
119
120config CRYPTO_AKCIPHER
121 tristate
122 select CRYPTO_AKCIPHER2
123 select CRYPTO_ALGAPI
124
4e5f2c40
SB
125config CRYPTO_KPP2
126 tristate
127 select CRYPTO_ALGAPI2
128
129config CRYPTO_KPP
130 tristate
131 select CRYPTO_ALGAPI
132 select CRYPTO_KPP2
133
2ebda74f
GC
134config CRYPTO_ACOMP2
135 tristate
136 select CRYPTO_ALGAPI2
8cd579d2 137 select SGL_ALLOC
2ebda74f
GC
138
139config CRYPTO_ACOMP
140 tristate
141 select CRYPTO_ALGAPI
142 select CRYPTO_ACOMP2
143
2b8c19db
HX
144config CRYPTO_MANAGER
145 tristate "Cryptographic algorithm manager"
6a0fcbb4 146 select CRYPTO_MANAGER2
2b8c19db
HX
147 help
148 Create default cryptographic template instantiations such as
149 cbc(aes).
150
6a0fcbb4
HX
151config CRYPTO_MANAGER2
152 def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
fb28fabf 153 select CRYPTO_ACOMP2
6a0fcbb4 154 select CRYPTO_AEAD2
946cc463 155 select CRYPTO_AKCIPHER2
6cb8815f 156 select CRYPTO_SIG2
fb28fabf 157 select CRYPTO_HASH2
4e5f2c40 158 select CRYPTO_KPP2
fb28fabf
HX
159 select CRYPTO_RNG2
160 select CRYPTO_SKCIPHER2
6a0fcbb4 161
a38f7907
SK
162config CRYPTO_USER
163 tristate "Userspace cryptographic algorithm configuration"
5db017aa 164 depends on NET
a38f7907
SK
165 select CRYPTO_MANAGER
166 help
d19978f5 167 Userspace configuration for cryptographic instantiations such as
a38f7907
SK
168 cbc(aes).
169
326a6346
HX
170config CRYPTO_MANAGER_DISABLE_TESTS
171 bool "Disable run-time self tests"
00ca28a5 172 default y
0b767f96 173 help
326a6346
HX
174 Disable run-time self tests that normally take place at
175 algorithm registration. CRYPTO_FIPS and CRYPTO_MANAGER_EXTRA_TESTS both depend on this option being disabled.
0b767f96 176
5b2706a4
EB
177config CRYPTO_MANAGER_EXTRA_TESTS
178 bool "Enable extra run-time crypto self tests"
6569e309 179 depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER
5b2706a4
EB
180 help
181 Enable extra run-time self tests of registered crypto algorithms,
182 including randomized fuzz tests.
183
184 This is intended for developer use only, as these tests take much
185 longer to run than the normal self tests.
186
1da177e4
LT
187config CRYPTO_NULL
188 tristate "Null algorithms"
149a3971 189 select CRYPTO_NULL2
1da177e4
LT
190 help
191 These are 'Null' algorithms, used by IPsec, which do nothing.
192
149a3971 193config CRYPTO_NULL2
dd43c4e9 194 tristate
149a3971 195 select CRYPTO_ALGAPI2
b95bba5d 196 select CRYPTO_SKCIPHER2
149a3971
HX
197 select CRYPTO_HASH2
198
5068c7a8 199config CRYPTO_PCRYPT
3b4afaf2
KC
200 tristate "Parallel crypto engine"
201 depends on SMP
5068c7a8
SK
202 select PADATA
203 select CRYPTO_MANAGER
204 select CRYPTO_AEAD
205 help
206 This converts an arbitrary crypto algorithm into a parallel
207 algorithm that executes in kernel threads.
208
584fffc8
SS
209config CRYPTO_CRYPTD
210 tristate "Software async crypto daemon"
b95bba5d 211 select CRYPTO_SKCIPHER
b8a28251 212 select CRYPTO_HASH
584fffc8 213 select CRYPTO_MANAGER
1da177e4 214 help
584fffc8
SS
215 This is a generic software asynchronous crypto daemon that
216 converts an arbitrary synchronous software crypto algorithm
217 into an asynchronous algorithm that executes in a kernel thread.
1da177e4 218
584fffc8
SS
219config CRYPTO_AUTHENC
220 tristate "Authenc support"
221 select CRYPTO_AEAD
b95bba5d 222 select CRYPTO_SKCIPHER
584fffc8
SS
223 select CRYPTO_MANAGER
224 select CRYPTO_HASH
e94c6a7a 225 select CRYPTO_NULL
1da177e4 226 help
584fffc8 227 Authenc: Combined mode wrapper for IPsec.
cf514b2a
RE
228
229 This is required for IPSec ESP (XFRM_ESP).
1da177e4 230
584fffc8
SS
231config CRYPTO_TEST
232 tristate "Testing module"
00ea27f1 233 depends on m || EXPERT
da7f033d 234 select CRYPTO_MANAGER
1da177e4 235 help
584fffc8 236 Quick & dirty crypto test module.
1da177e4 237
266d0516
HX
238config CRYPTO_SIMD
239 tristate
ffaf9156
JK
240 select CRYPTO_CRYPTD
241
735d37b5
BW
242config CRYPTO_ENGINE
243 tristate
244
f1f142ad
RE
245endmenu
246
247menu "Public-key cryptography"
3d6228a5
VC
248
249config CRYPTO_RSA
05b37465 250 tristate "RSA (Rivest-Shamir-Adleman)"
3d6228a5
VC
251 select CRYPTO_AKCIPHER
252 select CRYPTO_MANAGER
253 select MPILIB
254 select ASN1
255 help
05b37465 256 RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017)
3d6228a5
VC
257
258config CRYPTO_DH
05b37465 259 tristate "DH (Diffie-Hellman)"
3d6228a5
VC
260 select CRYPTO_KPP
261 select MPILIB
262 help
05b37465 263 DH (Diffie-Hellman) key exchange algorithm
3d6228a5 264
7dce5981 265config CRYPTO_DH_RFC7919_GROUPS
05b37465 266 bool "RFC 7919 FFDHE groups"
7dce5981 267 depends on CRYPTO_DH
1e207964 268 select CRYPTO_RNG_DEFAULT
7dce5981 269 help
05b37465
RE
270 FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups
271 defined in RFC7919.
272
273 Support these finite-field groups in DH key exchanges:
274 - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
275
276 If unsure, say N.
7dce5981 277
4a2289da
VC
278config CRYPTO_ECC
279 tristate
38aa192a 280 select CRYPTO_RNG_DEFAULT
4a2289da 281
3d6228a5 282config CRYPTO_ECDH
05b37465 283 tristate "ECDH (Elliptic Curve Diffie-Hellman)"
4a2289da 284 select CRYPTO_ECC
3d6228a5 285 select CRYPTO_KPP
3d6228a5 286 help
05b37465
RE
287 ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm
288 using curves P-192, P-256, and P-384 (FIPS 186)
3d6228a5 289
4e660291 290config CRYPTO_ECDSA
05b37465 291 tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)"
4e660291
SB
292 select CRYPTO_ECC
293 select CRYPTO_AKCIPHER
294 select ASN1
295 help
05b37465
RE
296 ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186,
297 ISO/IEC 14888-3)
298 using curves P-192, P-256, and P-384
299
300 Only signature verification is implemented.
4e660291 301
0d7a7864 302config CRYPTO_ECRDSA
05b37465 303 tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)"
0d7a7864
VC
304 select CRYPTO_ECC
305 select CRYPTO_AKCIPHER
306 select CRYPTO_STREEBOG
1036633e
VC
307 select OID_REGISTRY
308 select ASN1
0d7a7864
VC
309 help
310 Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
05b37465
RE
311 RFC 7091, ISO/IEC 14888-3)
312
313 One of the Russian cryptographic standard algorithms (called GOST
314 algorithms). Only signature verification is implemented.
0d7a7864 315
ee772cb6 316config CRYPTO_CURVE25519
05b37465 317 tristate "Curve25519"
ee772cb6
AB
318 select CRYPTO_KPP
319 select CRYPTO_LIB_CURVE25519_GENERIC
05b37465
RE
320 help
321 Curve25519 elliptic curve (RFC7748)
ee772cb6 322
f1f142ad 323endmenu
cd12fb90 324
f1f142ad 325menu "Block ciphers"
1da177e4 326
f1f142ad 327config CRYPTO_AES
cf514b2a 328 tristate "AES (Advanced Encryption Standard)"
f1f142ad
RE
329 select CRYPTO_ALGAPI
330 select CRYPTO_LIB_AES
1da177e4 331 help
cf514b2a 332 AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
1da177e4 333
f1f142ad
RE
334 Rijndael appears to be consistently a very good performer in
335 both hardware and software across a wide range of computing
336 environments regardless of its use in feedback or non-feedback
337 modes. Its key setup time is excellent, and its key agility is
338 good. Rijndael's very low memory requirements make it very well
339 suited for restricted-space environments, in which it also
340 demonstrates excellent performance. Rijndael's operations are
341 among the easiest to defend against power and timing attacks.
71ebc4d1 342
f1f142ad 343 The AES specifies three key sizes: 128, 192 and 256 bits
71ebc4d1 344
f1f142ad 345config CRYPTO_AES_TI
cf514b2a 346 tristate "AES (Advanced Encryption Standard) (fixed time)"
f1f142ad
RE
347 select CRYPTO_ALGAPI
348 select CRYPTO_LIB_AES
f606a88e 349 help
cf514b2a
RE
350 AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
351
f1f142ad
RE
352 This is a generic implementation of AES that attempts to eliminate
353 data dependent latencies as much as possible without affecting
354 performance too much. It is intended for use by the generic CCM
355 and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
356 solely on encryption (although decryption is supported as well, but
357 with a more dramatic performance hit)
f606a88e 358
f1f142ad
RE
359 Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
360 8 for decryption), this implementation only uses just two S-boxes of
361 256 bytes each, and attempts to eliminate data dependent latencies by
362 prefetching the entire table into the cache at the start of each
363 block. Interrupts are also disabled to avoid races where cachelines
364 are evicted when the CPU is interrupted to do something else.
a4397635 365
f1f142ad 366config CRYPTO_ANUBIS
cf514b2a 367 tristate "Anubis"
f1f142ad
RE
368 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
369 select CRYPTO_ALGAPI
1da177e4 370 help
cf514b2a 371 Anubis cipher algorithm
1da177e4 372
f1f142ad
RE
373 Anubis is a variable key length cipher which can use keys from
374 128 bits to 320 bits in length. It was evaluated as an entrant
375 in the NESSIE competition.
a10f554f 376
cf514b2a
RE
377 See https://web.archive.org/web/20160606112246/http://www.larc.usp.br/~pbarreto/AnubisPage.html
378 for further information.
c494e070 379
f1f142ad 380config CRYPTO_ARIA
cf514b2a 381 tristate "ARIA"
f1f142ad 382 select CRYPTO_ALGAPI
db131ef9 383 help
cf514b2a 384 ARIA cipher algorithm (RFC5794)
db131ef9 385
f1f142ad
RE
386 ARIA is a standard encryption algorithm of the Republic of Korea.
387 The ARIA specifies three key sizes and rounds.
388 128-bit: 12 rounds.
389 192-bit: 14 rounds.
390 256-bit: 16 rounds.
a7d85e06 391
cf514b2a
RE
392 See:
393 https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do
db131ef9 394
f1f142ad 395config CRYPTO_BLOWFISH
cf514b2a 396 tristate "Blowfish"
f1f142ad
RE
397 select CRYPTO_ALGAPI
398 select CRYPTO_BLOWFISH_COMMON
584fffc8 399 help
cf514b2a 400 Blowfish cipher algorithm, by Bruce Schneier
584fffc8 401
f1f142ad
RE
402 This is a variable key length cipher which can use keys from 32
403 bits to 448 bits in length. It's fast, simple and specifically
404 designed for use on "large microprocessors".
ecd6d5c9 405
cf514b2a 406 See https://www.schneier.com/blowfish.html for further information.
f1f142ad
RE
407
408config CRYPTO_BLOWFISH_COMMON
409 tristate
91652be5 410 help
f1f142ad
RE
411 Common parts of the Blowfish cipher algorithm shared by the
412 generic c and the assembler implementations.
91652be5 413
f1f142ad 414config CRYPTO_CAMELLIA
cf514b2a 415 tristate "Camellia"
f1f142ad 416 select CRYPTO_ALGAPI
64470f1b 417 help
cf514b2a 418 Camellia cipher algorithms (ISO/IEC 18033-3)
64470f1b 419
f1f142ad
RE
420 Camellia is a symmetric key block cipher developed jointly
421 at NTT and Mitsubishi Electric Corporation.
422
423 The Camellia specifies three key sizes: 128, 192 and 256 bits.
424
cf514b2a 425 See https://info.isl.ntt.co.jp/crypt/eng/camellia/ for further information.
f1f142ad
RE
426
427config CRYPTO_CAST_COMMON
428 tristate
e497c518 429 help
f1f142ad
RE
430 Common parts of the CAST cipher algorithms shared by the
431 generic c and the assembler implementations.
e497c518 432
f1f142ad 433config CRYPTO_CAST5
cf514b2a 434 tristate "CAST5 (CAST-128)"
f1f142ad
RE
435 select CRYPTO_ALGAPI
436 select CRYPTO_CAST_COMMON
584fffc8 437 help
cf514b2a 438 CAST5 (CAST-128) cipher algorithm (RFC2144, ISO/IEC 18033-3)
584fffc8 439
f1f142ad 440config CRYPTO_CAST6
cf514b2a 441 tristate "CAST6 (CAST-256)"
f1f142ad
RE
442 select CRYPTO_ALGAPI
443 select CRYPTO_CAST_COMMON
17fee07a 444 help
cf514b2a 445 CAST6 (CAST-256) encryption algorithm (RFC2612)
17fee07a 446
f1f142ad 447config CRYPTO_DES
cf514b2a 448 tristate "DES and Triple DES EDE"
f1f142ad
RE
449 select CRYPTO_ALGAPI
450 select CRYPTO_LIB_DES
f19f5111 451 help
cf514b2a
RE
452 DES (Data Encryption Standard)(FIPS 46-2, ISO/IEC 18033-3) and
453 Triple DES EDE (Encrypt/Decrypt/Encrypt) (FIPS 46-3, ISO/IEC 18033-3)
454 cipher algorithms
f19f5111 455
f1f142ad 456config CRYPTO_FCRYPT
cf514b2a 457 tristate "FCrypt"
f1f142ad 458 select CRYPTO_ALGAPI
b95bba5d 459 select CRYPTO_SKCIPHER
1c49678e 460 help
cf514b2a
RE
461 FCrypt algorithm used by RxRPC
462
463 See https://ota.polyonymo.us/fcrypt-paper.txt
1c49678e 464
f1f142ad 465config CRYPTO_KHAZAD
cf514b2a 466 tristate "Khazad"
f1f142ad
RE
467 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
468 select CRYPTO_ALGAPI
469 help
cf514b2a 470 Khazad cipher algorithm
f1f142ad
RE
471
472 Khazad was a finalist in the initial NESSIE competition. It is
473 an algorithm optimized for 64-bit processors with good performance
474 on 32-bit processors. Khazad uses a 128-bit key size.
475
cf514b2a
RE
476 See https://web.archive.org/web/20171011071731/http://www.larc.usp.br/~pbarreto/KhazadPage.html
477 for further information.
f1f142ad
RE
478
479config CRYPTO_SEED
cf514b2a 480 tristate "SEED"
f1f142ad
RE
481 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
482 select CRYPTO_ALGAPI
483 help
cf514b2a 484 SEED cipher algorithm (RFC4269, ISO/IEC 18033-3)
f1f142ad
RE
485
486 SEED is a 128-bit symmetric key block cipher that has been
487 developed by KISA (Korea Information Security Agency) as a
488 national standard encryption algorithm of the Republic of Korea.
489 It is a 16 round block cipher with the key size of 128 bit.
490
cf514b2a
RE
491 See https://seed.kisa.or.kr/kisa/algorithm/EgovSeedInfo.do
492 for further information.
f1f142ad
RE
493
494config CRYPTO_SERPENT
cf514b2a 495 tristate "Serpent"
f1f142ad
RE
496 select CRYPTO_ALGAPI
497 help
cf514b2a 498 Serpent cipher algorithm, by Anderson, Biham & Knudsen
f1f142ad
RE
499
500 Keys are allowed to be from 0 to 256 bits in length, in steps
501 of 8 bits.
502
cf514b2a 503 See https://www.cl.cam.ac.uk/~rja14/serpent.html for further information.
f1f142ad
RE
504
505config CRYPTO_SM4
506 tristate
507
508config CRYPTO_SM4_GENERIC
cf514b2a 509 tristate "SM4 (ShangMi 4)"
f1f142ad
RE
510 select CRYPTO_ALGAPI
511 select CRYPTO_SM4
512 help
cf514b2a
RE
513 SM4 cipher algorithms (OSCCA GB/T 32907-2016,
514 ISO/IEC 18033-3:2010/Amd 1:2021)
f1f142ad
RE
515
516 SM4 (GBT.32907-2016) is a cryptographic standard issued by the
517 Organization of State Commercial Administration of China (OSCCA)
518 as an authorized cryptographic algorithm for use within China.
519
520 SMS4 was originally created for use in protecting wireless
521 networks, and is mandated in the Chinese National Standard for
522 Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
523 (GB.15629.11-2003).
524
525 The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
526 standardized through TC 260 of the Standardization Administration
527 of the People's Republic of China (SAC).
528
529 The input, output, and key of SMS4 are each 128 bits.
530
cf514b2a 531 See https://eprint.iacr.org/2008/329.pdf for further information.
f1f142ad
RE
532
533 If unsure, say N.
534
535config CRYPTO_TEA
cf514b2a 536 tristate "TEA, XTEA and XETA"
f1f142ad
RE
537 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
538 select CRYPTO_ALGAPI
539 help
cf514b2a 540 TEA (Tiny Encryption Algorithm) cipher algorithms
f1f142ad
RE
541
542 Tiny Encryption Algorithm is a simple cipher that uses
543 many rounds for security. It is very fast and uses
544 little memory.
545
546 Xtended Tiny Encryption Algorithm (XTEA) is a modification to
547 the TEA algorithm to address a potential key weakness
548 in the TEA algorithm.
549
550 Xtended Encryption Tiny Algorithm (XETA) is a mis-implementation
551 of the XTEA algorithm for compatibility purposes.
552
553config CRYPTO_TWOFISH
cf514b2a 554 tristate "Twofish"
f1f142ad
RE
555 select CRYPTO_ALGAPI
556 select CRYPTO_TWOFISH_COMMON
557 help
cf514b2a 558 Twofish cipher algorithm
f1f142ad
RE
559
560 Twofish was submitted as an AES (Advanced Encryption Standard)
561 candidate cipher by researchers at CounterPane Systems. It is a
562 16 round block cipher supporting key sizes of 128, 192, and 256
563 bits.
564
cf514b2a 565 See https://www.schneier.com/twofish.html for further information.
f1f142ad
RE
566
567config CRYPTO_TWOFISH_COMMON
568 tristate
569 help
570 Common parts of the Twofish cipher algorithm shared by the
571 generic c and the assembler implementations.
572
573endmenu
574
575menu "Length-preserving ciphers and modes"
26609a21 576
059c2a4d 577config CRYPTO_ADIANTUM
cf514b2a 578 tristate "Adiantum"
059c2a4d 579 select CRYPTO_CHACHA20
48ea8c6e 580 select CRYPTO_LIB_POLY1305_GENERIC
059c2a4d 581 select CRYPTO_NHPOLY1305
c8a3315a 582 select CRYPTO_MANAGER
059c2a4d 583 help
cf514b2a
RE
584 Adiantum tweakable, length-preserving encryption mode
585
586 Designed for fast and secure disk encryption, especially on
059c2a4d
EB
587 CPUs without dedicated crypto instructions. It encrypts
588 each sector using the XChaCha12 stream cipher, two passes of
589 an ε-almost-∆-universal hash function, and an invocation of
590 the AES-256 block cipher on a single 16-byte block. On CPUs
591 without AES instructions, Adiantum is much faster than
592 AES-XTS.
593
594 Adiantum's security is provably reducible to that of its
595 underlying stream and block ciphers, subject to a security
596 bound. Unlike XTS, Adiantum is a true wide-block encryption
597 mode, so it actually provides an even stronger notion of
598 security than XTS, subject to the security bound.
599
600 If unsure, say N.
601
f1f142ad 602config CRYPTO_ARC4
cf514b2a 603 tristate "ARC4 (Alleged Rivest Cipher 4)"
f1f142ad
RE
604 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
605 select CRYPTO_SKCIPHER
606 select CRYPTO_LIB_ARC4
7ff554ce 607 help
cf514b2a 608 ARC4 cipher algorithm
7ff554ce 609
f1f142ad
RE
610 ARC4 is a stream cipher using keys ranging from 8 bits to 2048
611 bits in length. This algorithm is required for driver-based
612 WEP, but it should not be used for other purposes because of the
613 weakness of the algorithm.
614
615config CRYPTO_CHACHA20
cf514b2a 616 tristate "ChaCha"
f1f142ad
RE
617 select CRYPTO_LIB_CHACHA_GENERIC
618 select CRYPTO_SKCIPHER
be1eb7f7 619 help
cf514b2a 620 The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms
be1eb7f7 621
f1f142ad
RE
622 ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
623 Bernstein and further specified in RFC7539 for use in IETF protocols.
cf514b2a
RE
624 This is the portable C implementation of ChaCha20. See
625 https://cr.yp.to/chacha/chacha-20080128.pdf for further information.
be1eb7f7 626
f1f142ad
RE
627 XChaCha20 is the application of the XSalsa20 construction to ChaCha20
628 rather than to Salsa20. XChaCha20 extends ChaCha20's nonce length
629 from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
cf514b2a
RE
630 while provably retaining ChaCha20's security. See
631 https://cr.yp.to/snuffle/xsalsa-20081128.pdf for further information.
be1eb7f7 632
f1f142ad
RE
633 XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
634 reduced security margin but increased performance. It can be needed
635 in some performance-sensitive scenarios.
584fffc8 636
f1f142ad 637config CRYPTO_CBC
cf514b2a 638 tristate "CBC (Cipher Block Chaining)"
f1f142ad 639 select CRYPTO_SKCIPHER
93b5e86a
JK
640 select CRYPTO_MANAGER
641 help
cf514b2a
RE
642 CBC (Cipher Block Chaining) mode (NIST SP800-38A)
643
644 This block cipher mode is required for IPSec ESP (XFRM_ESP).
93b5e86a 645
f1f142ad 646config CRYPTO_CTR
cf514b2a 647 tristate "CTR (Counter)"
f1f142ad 648 select CRYPTO_SKCIPHER
584fffc8 649 select CRYPTO_MANAGER
76cb9521 650 help
cf514b2a 651 CTR (Counter) mode (NIST SP800-38A)
76cb9521 652
f1f142ad 653config CRYPTO_CTS
cf514b2a 654 tristate "CTS (Cipher Text Stealing)"
f1f142ad 655 select CRYPTO_SKCIPHER
f1939f7c
SW
656 select CRYPTO_MANAGER
657 help
cf514b2a
RE
658 CBC-CS3 variant of CTS (Cipher Text Stealing) (NIST
659 Addendum to SP800-38A (October 2010))
660
f1f142ad
RE
661 This mode is required for Kerberos gss mechanism support
662 for AES encryption.
f1939f7c 663
f1f142ad 664config CRYPTO_ECB
cf514b2a 665 tristate "ECB (Electronic Codebook)"
84534684 666 select CRYPTO_SKCIPHER2
f1f142ad 667 select CRYPTO_MANAGER
4a49b499 668 help
cf514b2a 669 ECB (Electronic Codebook) mode (NIST SP800-38A)
4a49b499 670
f1f142ad 671config CRYPTO_HCTR2
cf514b2a 672 tristate "HCTR2"
f1f142ad
RE
673 select CRYPTO_XCTR
674 select CRYPTO_POLYVAL
675 select CRYPTO_MANAGER
78c37d19 676 help
cf514b2a
RE
677 HCTR2 length-preserving encryption mode
678
679 A mode for storage encryption that is efficient on processors with
680 instructions to accelerate AES and carryless multiplication, e.g.
681 x86 processors with AES-NI and CLMUL, and ARM processors with the
682 ARMv8 crypto extensions.
683
684 See https://eprint.iacr.org/2021/1441
78c37d19 685
f1f142ad 686config CRYPTO_KEYWRAP
cf514b2a 687 tristate "KW (AES Key Wrap)"
f1f142ad
RE
688 select CRYPTO_SKCIPHER
689 select CRYPTO_MANAGER
2cdc6899 690 help
cf514b2a
RE
691 KW (AES Key Wrap) authenticated encryption mode (NIST SP800-38F
692 and RFC3394) without padding.
2cdc6899 693
f1f142ad 694config CRYPTO_LRW
cf514b2a 695 tristate "LRW (Liskov Rivest Wagner)"
61c581a4 696 select CRYPTO_LIB_GF128MUL
f1f142ad
RE
697 select CRYPTO_SKCIPHER
698 select CRYPTO_MANAGER
f1f142ad 699 select CRYPTO_ECB
f3c923a0 700 help
cf514b2a
RE
701 LRW (Liskov Rivest Wagner) mode
702
703 A tweakable, non malleable, non movable
f1f142ad
RE
704 narrow block cipher mode for dm-crypt. Use it with cipher
705 specification string aes-lrw-benbi; the key must be 256, 320 or 384 bits.
706 The first 128, 192 or 256 bits in the key are used for AES and the
707 rest is used to tie each cipher block to its logical position.
f3c923a0 708
cf514b2a
RE
709 See https://people.csail.mit.edu/rivest/pubs/LRW02.pdf
710
f1f142ad 711config CRYPTO_PCBC
cf514b2a 712 tristate "PCBC (Propagating Cipher Block Chaining)"
f1f142ad
RE
713 select CRYPTO_SKCIPHER
714 select CRYPTO_MANAGER
124b53d0 715 help
cf514b2a
RE
716 PCBC (Propagating Cipher Block Chaining) mode
717
718 This block cipher mode is required for RxRPC.
124b53d0 719
f1f142ad
RE
720config CRYPTO_XCTR
721 tristate
722 select CRYPTO_SKCIPHER
723 select CRYPTO_MANAGER
1da177e4 724 help
cf514b2a
RE
725 XCTR (XOR Counter) mode for HCTR2
726
727 This blockcipher mode is a variant of CTR mode using XORs and little-endian
728 addition rather than big-endian arithmetic.
729
f1f142ad 730 XCTR mode is used to implement HCTR2.
1da177e4 731
f1f142ad 732config CRYPTO_XTS
cf514b2a 733 tristate "XTS (XOR Encrypt XOR with ciphertext stealing)"
f1f142ad
RE
734 select CRYPTO_SKCIPHER
735 select CRYPTO_MANAGER
736 select CRYPTO_ECB
90831639 737 help
cf514b2a
RE
738 XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
739 and IEEE 1619)
740
741 Use with aes-xts-plain, key size 256, 384 or 512 bits. This
742 implementation currently can't handle a sectorsize which is not a
743 multiple of 16 bytes.
90831639 744
f1f142ad
RE
745config CRYPTO_NHPOLY1305
746 tristate
e5835fba 747 select CRYPTO_HASH
f1f142ad 748 select CRYPTO_LIB_POLY1305_GENERIC
534fe2c1 749
f1f142ad 750endmenu
534fe2c1 751
f1f142ad 752menu "AEAD (authenticated encryption with associated data) ciphers"
1da177e4 753
f1f142ad 754config CRYPTO_AEGIS128
e3d2eadd 755 tristate "AEGIS-128"
f1f142ad
RE
756 select CRYPTO_AEAD
757 select CRYPTO_AES # for AES S-box tables
1da177e4 758 help
e3d2eadd 759 AEGIS-128 AEAD algorithm
2729bb42 760
f1f142ad 761config CRYPTO_AEGIS128_SIMD
e3d2eadd 762 bool "AEGIS-128 (arm NEON, arm64 NEON)"
f1f142ad
RE
763 depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
764 default y
e3d2eadd
RE
765 help
766 AEGIS-128 AEAD algorithm
767
768 Architecture: arm or arm64 using:
769 - NEON (Advanced SIMD) extension
584fffc8 770
f1f142ad 771config CRYPTO_CHACHA20POLY1305
e3d2eadd 772 tristate "ChaCha20-Poly1305"
f1f142ad
RE
773 select CRYPTO_CHACHA20
774 select CRYPTO_POLY1305
775 select CRYPTO_AEAD
776 select CRYPTO_MANAGER
b9f535ff 777 help
e3d2eadd
RE
778 ChaCha20 stream cipher and Poly1305 authenticator combined
779 mode (RFC8439)
b9f535ff 780
f1f142ad 781config CRYPTO_CCM
cf514b2a 782 tristate "CCM (Counter with Cipher Block Chaining-MAC)"
f1f142ad 783 select CRYPTO_CTR
53964b9e 784 select CRYPTO_HASH
f1f142ad
RE
785 select CRYPTO_AEAD
786 select CRYPTO_MANAGER
53964b9e 787 help
e3d2eadd
RE
788 CCM (Counter with Cipher Block Chaining-Message Authentication Code)
789 authenticated encryption mode (NIST SP800-38C)
d2825fa9 790
f1f142ad 791config CRYPTO_GCM
cf514b2a 792 tristate "GCM (Galois/Counter Mode) and GMAC (GCM MAC)"
f1f142ad
RE
793 select CRYPTO_CTR
794 select CRYPTO_AEAD
795 select CRYPTO_GHASH
796 select CRYPTO_NULL
797 select CRYPTO_MANAGER
4f0fc160 798 help
e3d2eadd
RE
799 GCM (Galois/Counter Mode) authenticated encryption mode and GMAC
800 (GCM Message Authentication Code) (NIST SP800-38D)
801
802 This is required for IPSec ESP (XFRM_ESP).
4f0fc160 803
ba51738f
HX
804config CRYPTO_GENIV
805 tristate
f1f142ad 806 select CRYPTO_AEAD
f1f142ad 807 select CRYPTO_NULL
f1f142ad 808 select CRYPTO_MANAGER
ba51738f
HX
809 select CRYPTO_RNG_DEFAULT
810
811config CRYPTO_SEQIV
812 tristate "Sequence Number IV Generator"
813 select CRYPTO_GENIV
fe18957e 814 help
e3d2eadd
RE
815 Sequence Number IV generator
816
f1f142ad 817 This IV generator generates an IV based on a sequence number by
e3d2eadd
RE
818 xoring it with a salt. This algorithm is mainly useful for CTR.
819
820 This is required for IPsec ESP (XFRM_ESP).
fe18957e 821
f1f142ad
RE
822config CRYPTO_ECHAINIV
823 tristate "Encrypted Chain IV Generator"
ba51738f 824 select CRYPTO_GENIV
1da177e4 825 help
e3d2eadd
RE
826 Encrypted Chain IV generator
827
f1f142ad
RE
828 This IV generator generates an IV based on the encryption of
829 a sequence number xored with a salt. This is the default
830 algorithm for CBC.
1da177e4 831
f1f142ad 832config CRYPTO_ESSIV
e3d2eadd 833 tristate "Encrypted Salt-Sector IV Generator"
f1f142ad 834 select CRYPTO_AUTHENC
1da177e4 835 help
e3d2eadd
RE
836 Encrypted Salt-Sector IV generator
837
838 This IV generator is used in some cases by fscrypt and/or
f1f142ad
RE
839 dm-crypt. It uses the hash of the block encryption key as the
840 symmetric key for a block encryption pass applied to the input
841 IV, making low entropy IV sources more suitable for block
842 encryption.
1da177e4 843
f1f142ad
RE
844 This driver implements a crypto API template that can be
845 instantiated either as an skcipher or as an AEAD (depending on the
846 type of the first template argument), and which defers encryption
847 and decryption requests to the encapsulated cipher after applying
848 ESSIV to the input IV. Note that in the AEAD case, it is assumed
849 that the keys are presented in the same format used by the authenc
850 template, and that the IV appears at the end of the authenticated
851 associated data (AAD) region (which is how dm-crypt uses it.)
1da177e4 852
f1f142ad
RE
853 Note that the use of ESSIV is not recommended for new deployments,
854 and so this only needs to be enabled when interoperability with
855 existing encrypted volumes or filesystems is required, or when
856 building for a particular system that requires it (e.g., when
857 the SoC in question has accelerated CBC but not XTS, making CBC
858 combined with ESSIV the only feasible mode for h/w accelerated
859 block encryption)
1da177e4 860
f1f142ad 861endmenu
b5e0b032 862
f1f142ad 863menu "Hashes, digests, and MACs"
b5e0b032 864
f1f142ad 865config CRYPTO_BLAKE2B
3f342a23 866 tristate "BLAKE2b"
f1f142ad 867 select CRYPTO_HASH
584fffc8 868 help
3f342a23 869 BLAKE2b cryptographic hash function (RFC 7693)
584fffc8 870
3f342a23
RE
871 BLAKE2b is optimized for 64-bit platforms and can produce digests
872 of any size between 1 and 64 bytes. The keyed hash is also implemented.
584fffc8 873
3f342a23 874 This module provides the following algorithms:
f1f142ad
RE
875 - blake2b-160
876 - blake2b-256
877 - blake2b-384
878 - blake2b-512
584fffc8 879
3f342a23
RE
880 Used by the btrfs filesystem.
881
f1f142ad 882 See https://blake2.net for further information.
584fffc8 883
f1f142ad 884config CRYPTO_CMAC
3f342a23 885 tristate "CMAC (Cipher-based MAC)"
f1f142ad
RE
886 select CRYPTO_HASH
887 select CRYPTO_MANAGER
584fffc8 888 help
3f342a23
RE
889 CMAC (Cipher-based Message Authentication Code) authentication
890 mode (NIST SP800-38B and IETF RFC4493)
584fffc8 891
f1f142ad 892config CRYPTO_GHASH
3f342a23 893 tristate "GHASH"
f1f142ad 894 select CRYPTO_HASH
61c581a4 895 select CRYPTO_LIB_GF128MUL
52ba867c 896 help
3f342a23 897 GCM GHASH function (NIST SP800-38D)
52ba867c 898
f1f142ad 899config CRYPTO_HMAC
3f342a23 900 tristate "HMAC (Keyed-Hash MAC)"
f1f142ad
RE
901 select CRYPTO_HASH
902 select CRYPTO_MANAGER
584fffc8 903 help
3f342a23
RE
904 HMAC (Keyed-Hash Message Authentication Code) (FIPS 198 and
905 RFC2104)
906
907 This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
584fffc8 908
f1f142ad 909config CRYPTO_MD4
3f342a23 910 tristate "MD4"
f1f142ad 911 select CRYPTO_HASH
044ab525 912 help
3f342a23 913 MD4 message digest algorithm (RFC1320)
044ab525 914
f1f142ad 915config CRYPTO_MD5
3f342a23 916 tristate "MD5"
f1f142ad 917 select CRYPTO_HASH
1da177e4 918 help
3f342a23 919 MD5 message digest algorithm (RFC1321)
1da177e4 920
f1f142ad 921config CRYPTO_MICHAEL_MIC
3f342a23 922 tristate "Michael MIC"
f1f142ad 923 select CRYPTO_HASH
1da177e4 924 help
3f342a23
RE
925 Michael MIC (Message Integrity Code) (IEEE 802.11i)
926
927 Defined by the IEEE 802.11i TKIP (Temporal Key Integrity Protocol),
928 known as WPA (Wi-Fi Protected Access).
929
930 This algorithm is required for TKIP, but it should not be used for
931 other purposes because of the weakness of the algorithm.
1da177e4 932
f1f142ad
RE
933config CRYPTO_POLYVAL
934 tristate
f1f142ad 935 select CRYPTO_HASH
61c581a4 936 select CRYPTO_LIB_GF128MUL
1da177e4 937 help
3f342a23
RE
938 POLYVAL hash function for HCTR2
939
940 This is used in HCTR2. It is not a general-purpose
f1f142ad 941 cryptographic hash function.
fb4f10ed 942
f1f142ad 943config CRYPTO_POLY1305
3f342a23 944 tristate "Poly1305"
f1f142ad
RE
945 select CRYPTO_HASH
946 select CRYPTO_LIB_POLY1305_GENERIC
1da177e4 947 help
3f342a23 948 Poly1305 authenticator algorithm (RFC7539)
1da177e4 949
f1f142ad
RE
950 Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
951 It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
952 in IETF protocols. This is the portable C implementation of Poly1305.
953
954config CRYPTO_RMD160
3f342a23 955 tristate "RIPEMD-160"
f1f142ad 956 select CRYPTO_HASH
1da177e4 957 help
3f342a23 958 RIPEMD-160 hash function (ISO/IEC 10118-3)
1da177e4 959
f1f142ad
RE
960 RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
961 to be used as a secure replacement for the 128-bit hash functions
962 MD4, MD5 and its predecessor RIPEMD
963 (not to be confused with RIPEMD-128).
1da177e4 964
3f342a23 965 Its speed is comparable to SHA-1 and there are no known attacks
f1f142ad 966 against RIPEMD-160.
1da177e4 967
f1f142ad 968 Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
3f342a23
RE
969 See https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
970 for further information.
f1f142ad
RE
971
972config CRYPTO_SHA1
3f342a23 973 tristate "SHA-1"
f1f142ad
RE
974 select CRYPTO_HASH
975 select CRYPTO_LIB_SHA1
c08d0e64 976 help
3f342a23 977 SHA-1 secure hash algorithm (FIPS 180, ISO/IEC 10118-3)
c08d0e64 978
f1f142ad 979config CRYPTO_SHA256
3f342a23 980 tristate "SHA-224 and SHA-256"
f1f142ad
RE
981 select CRYPTO_HASH
982 select CRYPTO_LIB_SHA256
983 help
3f342a23 984 SHA-224 and SHA-256 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
de61d7ae 985
3f342a23
RE
986 This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
987 Used by the btrfs filesystem, Ceph, NFS, and SMB.
aa762409 988
f1f142ad 989config CRYPTO_SHA512
3f342a23 990 tristate "SHA-384 and SHA-512"
f1f142ad 991 select CRYPTO_HASH
1da177e4 992 help
3f342a23 993 SHA-384 and SHA-512 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
584fffc8 994
f1f142ad 995config CRYPTO_SHA3
3f342a23 996 tristate "SHA-3"
f1f142ad 997 select CRYPTO_HASH
e4e712bb 998 help
3f342a23 999 SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3)
e4e712bb 1000
f1f142ad
RE
1001config CRYPTO_SM3
1002 tristate
e4e712bb 1003
f1f142ad 1004config CRYPTO_SM3_GENERIC
3f342a23 1005 tristate "SM3 (ShangMi 3)"
f1f142ad
RE
1006 select CRYPTO_HASH
1007 select CRYPTO_SM3
1da177e4 1008 help
3f342a23
RE
1009 SM3 (ShangMi 3) secure hash function (OSCCA GM/T 0004-2012, ISO/IEC 10118-3)
1010
1011 This is part of the Chinese Commercial Cryptography suite.
1da177e4 1012
f1f142ad
RE
1013 References:
1014 http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
1015 https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
584fffc8 1016
f1f142ad 1017config CRYPTO_STREEBOG
3f342a23 1018 tristate "Streebog"
f1f142ad
RE
1019 select CRYPTO_HASH
1020 help
3f342a23
RE
1021 Streebog Hash Function (GOST R 34.11-2012, RFC 6986, ISO/IEC 10118-3)
1022
1023 This is one of the Russian cryptographic standard algorithms (called
1024 GOST algorithms). This setting enables two hash algorithms with
1025 256 and 512 bits output.
584fffc8 1026
f1f142ad
RE
1027 References:
1028 https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1029 https://tools.ietf.org/html/rfc6986
d2825fa9 1030
f1f142ad 1031config CRYPTO_VMAC
3f342a23 1032 tristate "VMAC"
f1f142ad
RE
1033 select CRYPTO_HASH
1034 select CRYPTO_MANAGER
747c8ce4 1035 help
f1f142ad
RE
1036 VMAC is a message authentication algorithm designed for
1037 very high speed on 64-bit architectures.
747c8ce4 1038
3f342a23 1039 See https://fastcrypto.org/vmac for further information.
747c8ce4 1040
f1f142ad 1041config CRYPTO_WP512
3f342a23 1042 tristate "Whirlpool"
f1f142ad
RE
1043 select CRYPTO_HASH
1044 help
3f342a23
RE
1045 Whirlpool hash function (ISO/IEC 10118-3)
1046
1047 512, 384 and 256-bit hashes.
747c8ce4 1048
f1f142ad 1049 Whirlpool-512 is part of the NESSIE cryptographic primitives.
747c8ce4 1050
3f342a23
RE
1051 See https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
1052 for further information.
747c8ce4 1053
f1f142ad 1054config CRYPTO_XCBC
3f342a23 1055 tristate "XCBC-MAC (Extended Cipher Block Chaining MAC)"
f1f142ad
RE
1056 select CRYPTO_HASH
1057 select CRYPTO_MANAGER
1058 help
3f342a23
RE
1059 XCBC-MAC (Extended Cipher Block Chaining Message Authentication
1060 Code) (RFC3566)
747c8ce4 1061
f1f142ad 1062config CRYPTO_XXHASH
3f342a23 1063 tristate "xxHash"
f1f142ad
RE
1064 select CRYPTO_HASH
1065 select XXHASH
1da177e4 1066 help
3f342a23
RE
1067 xxHash non-cryptographic hash algorithm
1068
1069 Extremely fast, working at speeds close to RAM limits.
1070
1071 Used by the btrfs filesystem.
1da177e4 1072
f1f142ad 1073endmenu
584fffc8 1074
f1f142ad 1075menu "CRCs (cyclic redundancy checks)"
584fffc8 1076
f1f142ad 1077config CRYPTO_CRC32C
ec84348d 1078 tristate "CRC32c"
f1f142ad
RE
1079 select CRYPTO_HASH
1080 select CRC32
1081 help
ec84348d
RE
1082 CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720)
1083
1084 A 32-bit CRC (cyclic redundancy check) with a polynomial defined
1085 by G. Castagnoli, S. Braeuer and M. Herrman in "Optimization of Cyclic
1086 Redundancy-Check Codes with 24 and 32 Parity Bits", IEEE Transactions
1087 on Communications, Vol. 41, No. 6, June 1993, selected for use with
1088 iSCSI.
1089
1090 Used by btrfs, ext4, jbd2, NVMeoF/TCP, and iSCSI.
584fffc8 1091
f1f142ad 1092config CRYPTO_CRC32
ec84348d 1093 tristate "CRC32"
f1f142ad
RE
1094 select CRYPTO_HASH
1095 select CRC32
04ac7db3 1096 help
ec84348d
RE
1097 CRC32 CRC algorithm (IEEE 802.3)
1098
1099 Used by RoCEv2 and f2fs.
04ac7db3 1100
f1f142ad 1101config CRYPTO_CRCT10DIF
ec84348d 1102 tristate "CRCT10DIF"
f1f142ad
RE
1103 select CRYPTO_HASH
1104 help
ec84348d
RE
1105 CRC16 CRC algorithm used for the T10 (SCSI) Data Integrity Field (DIF)
1106
1107 CRC algorithm used by the SCSI Block Commands standard.
04ac7db3 1108
f1f142ad 1109config CRYPTO_CRC64_ROCKSOFT
ec84348d 1110 tristate "CRC64 based on Rocksoft Model algorithm"
f1f142ad
RE
1111 depends on CRC64
1112 select CRYPTO_HASH
ec84348d
RE
1113 help
1114 CRC64 CRC algorithm based on the Rocksoft Model CRC Algorithm
1115
1116 Used by the NVMe implementation of T10 DIF (BLK_DEV_INTEGRITY)
1117
1118 See https://zlib.net/crc_v3.txt
584fffc8 1119
f1f142ad 1120endmenu
584fffc8 1121
f1f142ad 1122menu "Compression"
584fffc8
SS
1123
1124config CRYPTO_DEFLATE
a9a98d49 1125 tristate "Deflate"
584fffc8 1126 select CRYPTO_ALGAPI
f6ded09d 1127 select CRYPTO_ACOMP2
584fffc8
SS
1128 select ZLIB_INFLATE
1129 select ZLIB_DEFLATE
3c09f17c 1130 help
a9a98d49 1131 Deflate compression algorithm (RFC1951)
584fffc8 1132
a9a98d49 1133 Used by IPSec with the IPCOMP protocol (RFC3173, RFC2394)
3c09f17c 1134
0b77abb3 1135config CRYPTO_LZO
a9a98d49 1136 tristate "LZO"
0b77abb3 1137 select CRYPTO_ALGAPI
ac9d2c4b 1138 select CRYPTO_ACOMP2
0b77abb3
ZS
1139 select LZO_COMPRESS
1140 select LZO_DECOMPRESS
1141 help
a9a98d49
RE
1142 LZO compression algorithm
1143
1144 See https://www.oberhumer.com/opensource/lzo/ for further information.
0b77abb3 1145
35a1fc18 1146config CRYPTO_842
a9a98d49 1147 tristate "842"
2062c5b6 1148 select CRYPTO_ALGAPI
6a8de3ae 1149 select CRYPTO_ACOMP2
2062c5b6
DS
1150 select 842_COMPRESS
1151 select 842_DECOMPRESS
35a1fc18 1152 help
a9a98d49
RE
1153 842 compression algorithm by IBM
1154
1155 See https://github.com/plauth/lib842 for further information.
0ea8530d
CM
1156
1157config CRYPTO_LZ4
a9a98d49 1158 tristate "LZ4"
0ea8530d 1159 select CRYPTO_ALGAPI
8cd9330e 1160 select CRYPTO_ACOMP2
0ea8530d
CM
1161 select LZ4_COMPRESS
1162 select LZ4_DECOMPRESS
1163 help
a9a98d49
RE
1164 LZ4 compression algorithm
1165
1166 See https://github.com/lz4/lz4 for further information.
0ea8530d
CM
1167
1168config CRYPTO_LZ4HC
a9a98d49 1169 tristate "LZ4HC"
0ea8530d 1170 select CRYPTO_ALGAPI
91d53d96 1171 select CRYPTO_ACOMP2
0ea8530d
CM
1172 select LZ4HC_COMPRESS
1173 select LZ4_DECOMPRESS
1174 help
a9a98d49
RE
1175 LZ4 high compression mode algorithm
1176
1177 See https://github.com/lz4/lz4 for further information.
35a1fc18 1178
d28fc3db 1179config CRYPTO_ZSTD
a9a98d49 1180 tristate "Zstd"
d28fc3db
NT
1181 select CRYPTO_ALGAPI
1182 select CRYPTO_ACOMP2
1183 select ZSTD_COMPRESS
1184 select ZSTD_DECOMPRESS
1185 help
a9a98d49
RE
1186 zstd compression algorithm
1187
1188 See https://github.com/facebook/zstd for further information.
d28fc3db 1189
f1f142ad
RE
1190endmenu
1191
1192menu "Random number generation"
17f0f4a4
NH
1193
1194config CRYPTO_ANSI_CPRNG
a9a98d49 1195 tristate "ANSI PRNG (Pseudo Random Number Generator)"
17f0f4a4
NH
1196 select CRYPTO_AES
1197 select CRYPTO_RNG
17f0f4a4 1198 help
a9a98d49
RE
1199 Pseudo RNG (random number generator) (ANSI X9.31 Appendix A.2.4)
1200
1201 This uses the AES cipher algorithm.
1202
1203 Note that this option must be enabled if CRYPTO_FIPS is selected.
17f0f4a4 1204
f2c89a10 1205menuconfig CRYPTO_DRBG_MENU
a9a98d49 1206 tristate "NIST SP800-90A DRBG (Deterministic Random Bit Generator)"
419090c6 1207 help
a9a98d49
RE
1208 DRBG (Deterministic Random Bit Generator) (NIST SP800-90A)
1209
1210 In the following submenu, one or more of the DRBG types must be selected.
419090c6 1211
f2c89a10 1212if CRYPTO_DRBG_MENU
419090c6
SM
1213
1214config CRYPTO_DRBG_HMAC
401e4238 1215 bool
419090c6 1216 default y
419090c6 1217 select CRYPTO_HMAC
5261cdf4 1218 select CRYPTO_SHA512
419090c6
SM
1219
1220config CRYPTO_DRBG_HASH
a9a98d49 1221 bool "Hash_DRBG"
826775bb 1222 select CRYPTO_SHA256
419090c6 1223 help
a9a98d49
RE
1224 Hash_DRBG variant as defined in NIST SP800-90A.
1225
1226 This uses the SHA-1, SHA-256, SHA-384, or SHA-512 hash algorithms.
419090c6
SM
1227
1228config CRYPTO_DRBG_CTR
a9a98d49 1229 bool "CTR_DRBG"
419090c6 1230 select CRYPTO_AES
d6fc1a45 1231 select CRYPTO_CTR
419090c6 1232 help
a9a98d49
RE
1233 CTR_DRBG variant as defined in NIST SP800-90A.
1234
1235 This uses the AES cipher algorithm with the counter block mode.
419090c6 1236
f2c89a10
HX
1237config CRYPTO_DRBG
1238 tristate
401e4238 1239 default CRYPTO_DRBG_MENU
f2c89a10 1240 select CRYPTO_RNG
bb5530e4 1241 select CRYPTO_JITTERENTROPY
f2c89a10
HX
1242
1243endif # if CRYPTO_DRBG_MENU
419090c6 1244
bb5530e4 1245config CRYPTO_JITTERENTROPY
a9a98d49 1246 tristate "CPU Jitter Non-Deterministic RNG (Random Number Generator)"
2f313e02 1247 select CRYPTO_RNG
bb897c55 1248 select CRYPTO_SHA3
bb5530e4 1249 help
a9a98d49
RE
1250 CPU Jitter RNG (Random Number Generator) from the Jitterentropy library
1251
1252 A non-physical non-deterministic ("true") RNG (e.g., an entropy source
1253 compliant with NIST SP800-90B) intended to provide a seed to a
e63df1ec 1254 deterministic RNG (e.g., per NIST SP800-90C).
a9a98d49 1255 This RNG does not perform any cryptographic whitening of the generated
e63df1ec 1256 random numbers.
a9a98d49 1257
e63df1ec 1258 See https://www.chronox.de/jent/
bb5530e4 1259
e7ed6473
HX
1260if CRYPTO_JITTERENTROPY
1261if CRYPTO_FIPS && EXPERT
1262
59bcfd78
SM
1263choice
1264 prompt "CPU Jitter RNG Memory Size"
1265 default CRYPTO_JITTERENTROPY_MEMSIZE_2
59bcfd78
SM
1266 help
1267 The Jitter RNG measures the execution time of memory accesses.
1268 Multiple consecutive memory accesses are performed. If the memory
1269 size fits into a cache (e.g. L1), only the memory access timing
1270 to that cache is measured. The closer the cache is to the CPU
1271 the fewer variations are measured and thus the less entropy is
1272 obtained. Thus, if the memory size fits into the L1 cache, the
1273 obtained entropy is less than if the memory size fits within
1274 L1 + L2, which in turn is less than if the memory fits into
1275 L1 + L2 + L3. Thus, by selecting a different memory size,
1276 the entropy rate produced by the Jitter RNG can be modified.
1277
1278 config CRYPTO_JITTERENTROPY_MEMSIZE_2
1279 bool "2048 Bytes (default)"
1280
1281 config CRYPTO_JITTERENTROPY_MEMSIZE_128
1282 bool "128 kBytes"
1283
1284 config CRYPTO_JITTERENTROPY_MEMSIZE_1024
1285 bool "1024 kBytes"
1286
1287 config CRYPTO_JITTERENTROPY_MEMSIZE_8192
1288 bool "8192 kBytes"
1289endchoice
1290
1291config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
1292 int
1293 default 64 if CRYPTO_JITTERENTROPY_MEMSIZE_2
1294 default 512 if CRYPTO_JITTERENTROPY_MEMSIZE_128
1295 default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
1296 default 4096 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
1297
1298config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
1299 int
1300 default 32 if CRYPTO_JITTERENTROPY_MEMSIZE_2
1301 default 256 if CRYPTO_JITTERENTROPY_MEMSIZE_128
1302 default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
1303 default 2048 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
1304
0baa8fab
SM
1305config CRYPTO_JITTERENTROPY_OSR
1306 int "CPU Jitter RNG Oversampling Rate"
1307 range 1 15
95a798d2 1308 default 3
0baa8fab
SM
1309 help
1310 The Jitter RNG allows the specification of an oversampling rate (OSR).
1311 The Jitter RNG operation requires a fixed number of timing
1312 measurements to produce one output block of random numbers. The
1313 OSR value is multiplied by the number of timing measurements to
1314 generate one output block. Thus, the timing measurement is oversampled
1315 by the OSR factor. The oversampling allows the Jitter RNG to operate
1316 on hardware whose timers deliver a limited amount of entropy (e.g.
1317 the timer is coarse) by setting the OSR to a higher value. The
1318 trade-off, however, is that the Jitter RNG now requires more time
1319 to generate random numbers.
1320
69f1c387
SM
1321config CRYPTO_JITTERENTROPY_TESTINTERFACE
1322 bool "CPU Jitter RNG Test Interface"
69f1c387
SM
1323 help
1324 The test interface allows a privileged process to capture
1325 the raw unconditioned high resolution time stamp noise that
1326 is collected by the Jitter RNG for statistical analysis. As
1327 this data is used at the same time to generate random bits,
1328 the Jitter RNG operates in an insecure mode as long as the
1329 recording is enabled. This interface therefore is only
1330 intended for testing purposes and is not suitable for
1331 production systems.
1332
1333 The raw noise data can be obtained using the jent_raw_hires
1334 debugfs file. Using the option
1335 jitterentropy_testing.boot_raw_hires_test=1 the raw noise of
1336 the first 1000 entropy events since boot can be sampled.
1337
1338 If unsure, select N.
1339
e7ed6473
HX
1340endif # if CRYPTO_FIPS && EXPERT
1341
1342if !(CRYPTO_FIPS && EXPERT)
1343
1344config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
1345 int
1346 default 64
1347
1348config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
1349 int
1350 default 32
1351
1352config CRYPTO_JITTERENTROPY_OSR
1353 int
1354 default 1
1355
1356config CRYPTO_JITTERENTROPY_TESTINTERFACE
1357 bool
1358
1359endif # if !(CRYPTO_FIPS && EXPERT)
1360endif # if CRYPTO_JITTERENTROPY
1361
026a733e
SM
1362config CRYPTO_KDF800108_CTR
1363 tristate
a88592cc 1364 select CRYPTO_HMAC
304b4ace 1365 select CRYPTO_SHA256
026a733e 1366
f1f142ad 1367endmenu
9bc51715 1368menu "Userspace interface"
f1f142ad 1369
03c8efc1
HX
1370config CRYPTO_USER_API
1371 tristate
1372
fe869cdb 1373config CRYPTO_USER_API_HASH
9bc51715 1374 tristate "Hash algorithms"
7451708f 1375 depends on NET
fe869cdb
HX
1376 select CRYPTO_HASH
1377 select CRYPTO_USER_API
1378 help
9bc51715
RE
1379 Enable the userspace interface for hash algorithms.
1380
1381 See Documentation/crypto/userspace-if.rst and
1382 https://www.chronox.de/libkcapi/html/index.html
fe869cdb 1383
8ff59090 1384config CRYPTO_USER_API_SKCIPHER
9bc51715 1385 tristate "Symmetric key cipher algorithms"
7451708f 1386 depends on NET
b95bba5d 1387 select CRYPTO_SKCIPHER
8ff59090
HX
1388 select CRYPTO_USER_API
1389 help
9bc51715
RE
1390 Enable the userspace interface for symmetric key cipher algorithms.
1391
1392 See Documentation/crypto/userspace-if.rst and
1393 https://www.chronox.de/libkcapi/html/index.html
8ff59090 1394
2f375538 1395config CRYPTO_USER_API_RNG
9bc51715 1396 tristate "RNG (random number generator) algorithms"
2f375538
SM
1397 depends on NET
1398 select CRYPTO_RNG
1399 select CRYPTO_USER_API
1400 help
9bc51715
RE
1401 Enable the userspace interface for RNG (random number generator)
1402 algorithms.
1403
1404 See Documentation/crypto/userspace-if.rst and
1405 https://www.chronox.de/libkcapi/html/index.html
2f375538 1406
77ebdabe
EP
1407config CRYPTO_USER_API_RNG_CAVP
1408 bool "Enable CAVP testing of DRBG"
1409 depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
1410 help
9bc51715
RE
1411 Enable extra APIs in the userspace interface for NIST CAVP
1412 (Cryptographic Algorithm Validation Program) testing:
1413 - resetting DRBG entropy
1414 - providing Additional Data
1415
77ebdabe
EP
1416 This should only be enabled for CAVP testing. You should say
1417 no unless you know what this is.
1418
b64a2d95 1419config CRYPTO_USER_API_AEAD
9bc51715 1420 tristate "AEAD cipher algorithms"
b64a2d95
HX
1421 depends on NET
1422 select CRYPTO_AEAD
b95bba5d 1423 select CRYPTO_SKCIPHER
72548b09 1424 select CRYPTO_NULL
b64a2d95
HX
1425 select CRYPTO_USER_API
1426 help
9bc51715
RE
1427 Enable the userspace interface for AEAD cipher algorithms.
1428
1429 See Documentation/crypto/userspace-if.rst and
1430 https://www.chronox.de/libkcapi/html/index.html
b64a2d95 1431
9ace6771 1432config CRYPTO_USER_API_ENABLE_OBSOLETE
9bc51715 1433 bool "Obsolete cryptographic algorithms"
9ace6771
AB
1434 depends on CRYPTO_USER_API
1435 default y
1436 help
1437 Allow obsolete cryptographic algorithms to be selected that have
1438 already been phased out from internal use by the kernel, and are
1439 only useful for userspace clients that still rely on them.
1440
f1f142ad
RE
1441endmenu
1442
ee08997f
DK
1443config CRYPTO_HASH_INFO
1444 bool
1445
27bc50fc 1446if !KMSAN # avoid false positives from assembly
4a329fec
RE
1447if ARM
1448source "arch/arm/crypto/Kconfig"
1449endif
1450if ARM64
1451source "arch/arm64/crypto/Kconfig"
1452endif
2f164822
MZ
1453if LOONGARCH
1454source "arch/loongarch/crypto/Kconfig"
1455endif
e45f710b
RE
1456if MIPS
1457source "arch/mips/crypto/Kconfig"
1458endif
6a490a4e
RE
1459if PPC
1460source "arch/powerpc/crypto/Kconfig"
1461endif
178f3856
HS
1462if RISCV
1463source "arch/riscv/crypto/Kconfig"
1464endif
c9d24c97
RE
1465if S390
1466source "arch/s390/crypto/Kconfig"
1467endif
0e9f9ea6
RE
1468if SPARC
1469source "arch/sparc/crypto/Kconfig"
1470endif
28a936ef
RE
1471if X86
1472source "arch/x86/crypto/Kconfig"
1473endif
27bc50fc 1474endif
e45f710b 1475
1da177e4 1476source "drivers/crypto/Kconfig"
8636a1f9
MY
1477source "crypto/asymmetric_keys/Kconfig"
1478source "certs/Kconfig"
1da177e4 1479
cce9e06d 1480endif # if CRYPTO