projects / linux-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
io_uring: retain top 8bits of uring_cmd flags for kernel internal use
[linux-block.git] / crypto / Kconfig
CommitLineData
b2441318 1# SPDX-License-Identifier: GPL-2.0
685784aa
DW		 2#
3# Generic algorithms support
4#
5config XOR_BLOCKS
6 tristate
7
1da177e4 8#
9bc89cd8 9# async_tx api: hardware offloaded memory transfer/transform support
1da177e4 10#
9bc89cd8 11source "crypto/async_tx/Kconfig"
1da177e4 12
9bc89cd8
DW		 13#
14# Cryptographic API Configuration
15#
2e290f43 16menuconfig CRYPTO
c3715cb9 17 tristate "Cryptographic API"
7033b937 18 select CRYPTO_LIB_UTILS
1da177e4
LT		 19 help
20 This option provides the core Cryptographic API.
21
cce9e06d
HX		 22if CRYPTO
23
f1f142ad 24menu "Crypto core or helper"
584fffc8 25
ccb778e1
NH		 26config CRYPTO_FIPS
27 bool "FIPS 200 compliance"
f2c89a10 28 depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
1f696097 29 depends on (MODULE_SIG || !MODULES)
ccb778e1 30 help
d99324c2
GU		 31 This option enables the fips boot option which is
32 required if you want the system to operate in a FIPS 200
ccb778e1 33 certification. You should say no unless you know what
e84c5480 34 this is.
ccb778e1 35
5a44749f
VD		 36config CRYPTO_FIPS_NAME
37 string "FIPS Module Name"
38 default "Linux Kernel Cryptographic API"
39 depends on CRYPTO_FIPS
40 help
41 This option sets the FIPS Module name reported by the Crypto API via
42 the /proc/sys/crypto/fips_name file.
43
44config CRYPTO_FIPS_CUSTOM_VERSION
45 bool "Use Custom FIPS Module Version"
46 depends on CRYPTO_FIPS
47 default n
48
49config CRYPTO_FIPS_VERSION
50 string "FIPS Module Version"
51 default "(none)"
52 depends on CRYPTO_FIPS_CUSTOM_VERSION
53 help
54 This option provides the ability to override the FIPS Module Version.
55 By default the KERNELRELEASE value is used.
56
cce9e06d
HX		 57config CRYPTO_ALGAPI
58 tristate
6a0fcbb4 59 select CRYPTO_ALGAPI2
cce9e06d
HX		 60 help
61 This option provides the API for cryptographic algorithms.
62
6a0fcbb4
HX		 63config CRYPTO_ALGAPI2
64 tristate
65
1ae97820
HX		 66config CRYPTO_AEAD
67 tristate
6a0fcbb4 68 select CRYPTO_AEAD2
1ae97820
HX		 69 select CRYPTO_ALGAPI
70
6a0fcbb4
HX		 71config CRYPTO_AEAD2
72 tristate
73 select CRYPTO_ALGAPI2
74
6cb8815f
HX		 75config CRYPTO_SIG
76 tristate
77 select CRYPTO_SIG2
78 select CRYPTO_ALGAPI
79
80config CRYPTO_SIG2
81 tristate
82 select CRYPTO_ALGAPI2
83
b95bba5d 84config CRYPTO_SKCIPHER
5cde0af2 85 tristate
b95bba5d 86 select CRYPTO_SKCIPHER2
5cde0af2 87 select CRYPTO_ALGAPI
6a0fcbb4 88
b95bba5d 89config CRYPTO_SKCIPHER2
6a0fcbb4
HX		 90 tristate
91 select CRYPTO_ALGAPI2
5cde0af2 92
055bcee3
HX		 93config CRYPTO_HASH
94 tristate
6a0fcbb4 95 select CRYPTO_HASH2
055bcee3
HX		 96 select CRYPTO_ALGAPI
97
6a0fcbb4
HX		 98config CRYPTO_HASH2
99 tristate
100 select CRYPTO_ALGAPI2
101
17f0f4a4
NH		 102config CRYPTO_RNG
103 tristate
6a0fcbb4 104 select CRYPTO_RNG2
17f0f4a4
NH		 105 select CRYPTO_ALGAPI
106
6a0fcbb4
HX		 107config CRYPTO_RNG2
108 tristate
109 select CRYPTO_ALGAPI2
110
401e4238
HX		 111config CRYPTO_RNG_DEFAULT
112 tristate
113 select CRYPTO_DRBG_MENU
114
3c339ab8
TS		 115config CRYPTO_AKCIPHER2
116 tristate
117 select CRYPTO_ALGAPI2
118
119config CRYPTO_AKCIPHER
120 tristate
121 select CRYPTO_AKCIPHER2
122 select CRYPTO_ALGAPI
123
4e5f2c40
SB		 124config CRYPTO_KPP2
125 tristate
126 select CRYPTO_ALGAPI2
127
128config CRYPTO_KPP
129 tristate
130 select CRYPTO_ALGAPI
131 select CRYPTO_KPP2
132
2ebda74f
GC		 133config CRYPTO_ACOMP2
134 tristate
135 select CRYPTO_ALGAPI2
8cd579d2 136 select SGL_ALLOC
2ebda74f
GC		 137
138config CRYPTO_ACOMP
139 tristate
140 select CRYPTO_ALGAPI
141 select CRYPTO_ACOMP2
142
2b8c19db
HX		 143config CRYPTO_MANAGER
144 tristate "Cryptographic algorithm manager"
6a0fcbb4 145 select CRYPTO_MANAGER2
2b8c19db
HX		 146 help
147 Create default cryptographic template instantiations such as
148 cbc(aes).
149
6a0fcbb4
HX		 150config CRYPTO_MANAGER2
151 def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
fb28fabf 152 select CRYPTO_ACOMP2
6a0fcbb4 153 select CRYPTO_AEAD2
946cc463 154 select CRYPTO_AKCIPHER2
6cb8815f 155 select CRYPTO_SIG2
fb28fabf 156 select CRYPTO_HASH2
4e5f2c40 157 select CRYPTO_KPP2
fb28fabf
HX		 158 select CRYPTO_RNG2
159 select CRYPTO_SKCIPHER2
6a0fcbb4 160
a38f7907
SK		 161config CRYPTO_USER
162 tristate "Userspace cryptographic algorithm configuration"
5db017aa 163 depends on NET
a38f7907
SK		 164 select CRYPTO_MANAGER
165 help
d19978f5 166 Userspace configuration for cryptographic instantiations such as
a38f7907
SK		 167 cbc(aes).
168
326a6346
HX		 169config CRYPTO_MANAGER_DISABLE_TESTS
170 bool "Disable run-time self tests"
00ca28a5 171 default y
0b767f96 172 help
326a6346
HX		 173 Disable run-time self tests that normally take place at
174 algorithm registration.
0b767f96 175
5b2706a4
EB		 176config CRYPTO_MANAGER_EXTRA_TESTS
177 bool "Enable extra run-time crypto self tests"
6569e309 178 depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER
5b2706a4
EB		 179 help
180 Enable extra run-time self tests of registered crypto algorithms,
181 including randomized fuzz tests.
182
183 This is intended for developer use only, as these tests take much
184 longer to run than the normal self tests.
185
1da177e4
LT		 186config CRYPTO_NULL
187 tristate "Null algorithms"
149a3971 188 select CRYPTO_NULL2
1da177e4
LT		 189 help
190 These are 'Null' algorithms, used by IPsec, which do nothing.
191
149a3971 192config CRYPTO_NULL2
dd43c4e9 193 tristate
149a3971 194 select CRYPTO_ALGAPI2
b95bba5d 195 select CRYPTO_SKCIPHER2
149a3971
HX		 196 select CRYPTO_HASH2
197
5068c7a8 198config CRYPTO_PCRYPT
3b4afaf2
KC		 199 tristate "Parallel crypto engine"
200 depends on SMP
5068c7a8
SK		 201 select PADATA
202 select CRYPTO_MANAGER
203 select CRYPTO_AEAD
204 help
205 This converts an arbitrary crypto algorithm into a parallel
206 algorithm that executes in kernel threads.
207
584fffc8
SS		 208config CRYPTO_CRYPTD
209 tristate "Software async crypto daemon"
b95bba5d 210 select CRYPTO_SKCIPHER
b8a28251 211 select CRYPTO_HASH
584fffc8 212 select CRYPTO_MANAGER
1da177e4 213 help
584fffc8
SS		 214 This is a generic software asynchronous crypto daemon that
215 converts an arbitrary synchronous software crypto algorithm
216 into an asynchronous algorithm that executes in a kernel thread.
1da177e4 217
584fffc8
SS		 218config CRYPTO_AUTHENC
219 tristate "Authenc support"
220 select CRYPTO_AEAD
b95bba5d 221 select CRYPTO_SKCIPHER
584fffc8
SS		 222 select CRYPTO_MANAGER
223 select CRYPTO_HASH
e94c6a7a 224 select CRYPTO_NULL
1da177e4 225 help
584fffc8 226 Authenc: Combined mode wrapper for IPsec.
cf514b2a
RE		 227
228 This is required for IPSec ESP (XFRM_ESP).
1da177e4 229
584fffc8
SS		 230config CRYPTO_TEST
231 tristate "Testing module"
00ea27f1 232 depends on m || EXPERT
da7f033d 233 select CRYPTO_MANAGER
1da177e4 234 help
584fffc8 235 Quick & dirty crypto test module.
1da177e4 236
266d0516
HX		 237config CRYPTO_SIMD
238 tristate
ffaf9156
JK		 239 select CRYPTO_CRYPTD
240
735d37b5
BW		 241config CRYPTO_ENGINE
242 tristate
243
f1f142ad
RE		 244endmenu
245
246menu "Public-key cryptography"
3d6228a5
VC		 247
248config CRYPTO_RSA
05b37465 249 tristate "RSA (Rivest-Shamir-Adleman)"
3d6228a5
VC		 250 select CRYPTO_AKCIPHER
251 select CRYPTO_MANAGER
252 select MPILIB
253 select ASN1
254 help
05b37465 255 RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017)
3d6228a5
VC		 256
257config CRYPTO_DH
05b37465 258 tristate "DH (Diffie-Hellman)"
3d6228a5
VC		 259 select CRYPTO_KPP
260 select MPILIB
261 help
05b37465 262 DH (Diffie-Hellman) key exchange algorithm
3d6228a5 263
7dce5981 264config CRYPTO_DH_RFC7919_GROUPS
05b37465 265 bool "RFC 7919 FFDHE groups"
7dce5981 266 depends on CRYPTO_DH
1e207964 267 select CRYPTO_RNG_DEFAULT
7dce5981 268 help
05b37465
RE		 269 FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups
270 defined in RFC7919.
271
272 Support these finite-field groups in DH key exchanges:
273 - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
274
275 If unsure, say N.
7dce5981 276
4a2289da
VC		 277config CRYPTO_ECC
278 tristate
38aa192a 279 select CRYPTO_RNG_DEFAULT
4a2289da 280
3d6228a5 281config CRYPTO_ECDH
05b37465 282 tristate "ECDH (Elliptic Curve Diffie-Hellman)"
4a2289da 283 select CRYPTO_ECC
3d6228a5 284 select CRYPTO_KPP
3d6228a5 285 help
05b37465
RE		 286 ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm
287 using curves P-192, P-256, and P-384 (FIPS 186)
3d6228a5 288
4e660291 289config CRYPTO_ECDSA
05b37465 290 tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)"
4e660291
SB		 291 select CRYPTO_ECC
292 select CRYPTO_AKCIPHER
293 select ASN1
294 help
05b37465
RE		 295 ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186,
296 ISO/IEC 14888-3)
297 using curves P-192, P-256, and P-384
298
299 Only signature verification is implemented.
4e660291 300
0d7a7864 301config CRYPTO_ECRDSA
05b37465 302 tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)"
0d7a7864
VC		 303 select CRYPTO_ECC
304 select CRYPTO_AKCIPHER
305 select CRYPTO_STREEBOG
1036633e
VC		 306 select OID_REGISTRY
307 select ASN1
0d7a7864
VC		 308 help
309 Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
05b37465
RE		 310 RFC 7091, ISO/IEC 14888-3)
311
312 One of the Russian cryptographic standard algorithms (called GOST
313 algorithms). Only signature verification is implemented.
0d7a7864 314
ea7ecb66 315config CRYPTO_SM2
05b37465 316 tristate "SM2 (ShangMi 2)"
d2825fa9 317 select CRYPTO_SM3
ea7ecb66
TZ		 318 select CRYPTO_AKCIPHER
319 select CRYPTO_MANAGER
320 select MPILIB
321 select ASN1
322 help
05b37465
RE		 323 SM2 (ShangMi 2) public key algorithm
324
325 Published by State Encryption Management Bureau, China,
ea7ecb66
TZ		 326 as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012.
327
328 References:
05b37465 329 https://datatracker.ietf.org/doc/draft-shen-sm2-ecdsa/
ea7ecb66
TZ		 330 http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml
331 http://www.gmbz.org.cn/main/bzlb.html
332
ee772cb6 333config CRYPTO_CURVE25519
05b37465 334 tristate "Curve25519"
ee772cb6
AB		 335 select CRYPTO_KPP
336 select CRYPTO_LIB_CURVE25519_GENERIC
05b37465
RE		 337 help
338 Curve25519 elliptic curve (RFC7748)
ee772cb6 339
f1f142ad 340endmenu
cd12fb90 341
f1f142ad 342menu "Block ciphers"
1da177e4 343
f1f142ad 344config CRYPTO_AES
cf514b2a 345 tristate "AES (Advanced Encryption Standard)"
f1f142ad
RE		 346 select CRYPTO_ALGAPI
347 select CRYPTO_LIB_AES
1da177e4 348 help
cf514b2a 349 AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
1da177e4 350
f1f142ad
RE		 351 Rijndael appears to be consistently a very good performer in
352 both hardware and software across a wide range of computing
353 environments regardless of its use in feedback or non-feedback
354 modes. Its key setup time is excellent, and its key agility is
355 good. Rijndael's very low memory requirements make it very well
356 suited for restricted-space environments, in which it also
357 demonstrates excellent performance. Rijndael's operations are
358 among the easiest to defend against power and timing attacks.
71ebc4d1 359
f1f142ad 360 The AES specifies three key sizes: 128, 192 and 256 bits
71ebc4d1 361
f1f142ad 362config CRYPTO_AES_TI
cf514b2a 363 tristate "AES (Advanced Encryption Standard) (fixed time)"
f1f142ad
RE		 364 select CRYPTO_ALGAPI
365 select CRYPTO_LIB_AES
f606a88e 366 help
cf514b2a
RE		 367 AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
368
f1f142ad
RE		 369 This is a generic implementation of AES that attempts to eliminate
370 data dependent latencies as much as possible without affecting
371 performance too much. It is intended for use by the generic CCM
372 and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
373 solely on encryption (although decryption is supported as well, but
374 with a more dramatic performance hit)
f606a88e 375
f1f142ad
RE		 376 Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
377 8 for decryption), this implementation only uses just two S-boxes of
378 256 bytes each, and attempts to eliminate data dependent latencies by
379 prefetching the entire table into the cache at the start of each
380 block. Interrupts are also disabled to avoid races where cachelines
381 are evicted when the CPU is interrupted to do something else.
a4397635 382
f1f142ad 383config CRYPTO_ANUBIS
cf514b2a 384 tristate "Anubis"
f1f142ad
RE		 385 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
386 select CRYPTO_ALGAPI
1da177e4 387 help
cf514b2a 388 Anubis cipher algorithm
1da177e4 389
f1f142ad
RE		 390 Anubis is a variable key length cipher which can use keys from
391 128 bits to 320 bits in length. It was evaluated as a entrant
392 in the NESSIE competition.
a10f554f 393
cf514b2a
RE		 394 See https://web.archive.org/web/20160606112246/http://www.larc.usp.br/~pbarreto/AnubisPage.html
395 for further information.
c494e070 396
f1f142ad 397config CRYPTO_ARIA
cf514b2a 398 tristate "ARIA"
f1f142ad 399 select CRYPTO_ALGAPI
db131ef9 400 help
cf514b2a 401 ARIA cipher algorithm (RFC5794)
db131ef9 402
f1f142ad
RE		 403 ARIA is a standard encryption algorithm of the Republic of Korea.
404 The ARIA specifies three key sizes and rounds.
405 128-bit: 12 rounds.
406 192-bit: 14 rounds.
407 256-bit: 16 rounds.
a7d85e06 408
cf514b2a
RE		 409 See:
410 https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do
db131ef9 411
f1f142ad 412config CRYPTO_BLOWFISH
cf514b2a 413 tristate "Blowfish"
f1f142ad
RE		 414 select CRYPTO_ALGAPI
415 select CRYPTO_BLOWFISH_COMMON
584fffc8 416 help
cf514b2a 417 Blowfish cipher algorithm, by Bruce Schneier
584fffc8 418
f1f142ad
RE		 419 This is a variable key length cipher which can use keys from 32
420 bits to 448 bits in length. It's fast, simple and specifically
421 designed for use on "large microprocessors".
ecd6d5c9 422
cf514b2a 423 See https://www.schneier.com/blowfish.html for further information.
f1f142ad
RE		 424
425config CRYPTO_BLOWFISH_COMMON
426 tristate
91652be5 427 help
f1f142ad
RE		 428 Common parts of the Blowfish cipher algorithm shared by the
429 generic c and the assembler implementations.
91652be5 430
f1f142ad 431config CRYPTO_CAMELLIA
cf514b2a 432 tristate "Camellia"
f1f142ad 433 select CRYPTO_ALGAPI
64470f1b 434 help
cf514b2a 435 Camellia cipher algorithms (ISO/IEC 18033-3)
64470f1b 436
f1f142ad
RE		 437 Camellia is a symmetric key block cipher developed jointly
438 at NTT and Mitsubishi Electric Corporation.
439
440 The Camellia specifies three key sizes: 128, 192 and 256 bits.
441
cf514b2a 442 See https://info.isl.ntt.co.jp/crypt/eng/camellia/ for further information.
f1f142ad
RE		 443
444config CRYPTO_CAST_COMMON
445 tristate
e497c518 446 help
f1f142ad
RE		 447 Common parts of the CAST cipher algorithms shared by the
448 generic c and the assembler implementations.
e497c518 449
f1f142ad 450config CRYPTO_CAST5
cf514b2a 451 tristate "CAST5 (CAST-128)"
f1f142ad
RE		 452 select CRYPTO_ALGAPI
453 select CRYPTO_CAST_COMMON
584fffc8 454 help
cf514b2a 455 CAST5 (CAST-128) cipher algorithm (RFC2144, ISO/IEC 18033-3)
584fffc8 456
f1f142ad 457config CRYPTO_CAST6
cf514b2a 458 tristate "CAST6 (CAST-256)"
f1f142ad
RE		 459 select CRYPTO_ALGAPI
460 select CRYPTO_CAST_COMMON
17fee07a 461 help
cf514b2a 462 CAST6 (CAST-256) encryption algorithm (RFC2612)
17fee07a 463
f1f142ad 464config CRYPTO_DES
cf514b2a 465 tristate "DES and Triple DES EDE"
f1f142ad
RE		 466 select CRYPTO_ALGAPI
467 select CRYPTO_LIB_DES
f19f5111 468 help
cf514b2a
RE		 469 DES (Data Encryption Standard)(FIPS 46-2, ISO/IEC 18033-3) and
470 Triple DES EDE (Encrypt/Decrypt/Encrypt) (FIPS 46-3, ISO/IEC 18033-3)
471 cipher algorithms
f19f5111 472
f1f142ad 473config CRYPTO_FCRYPT
cf514b2a 474 tristate "FCrypt"
f1f142ad 475 select CRYPTO_ALGAPI
b95bba5d 476 select CRYPTO_SKCIPHER
1c49678e 477 help
cf514b2a
RE		 478 FCrypt algorithm used by RxRPC
479
480 See https://ota.polyonymo.us/fcrypt-paper.txt
1c49678e 481
f1f142ad 482config CRYPTO_KHAZAD
cf514b2a 483 tristate "Khazad"
f1f142ad
RE		 484 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
485 select CRYPTO_ALGAPI
486 help
cf514b2a 487 Khazad cipher algorithm
f1f142ad
RE		 488
489 Khazad was a finalist in the initial NESSIE competition. It is
490 an algorithm optimized for 64-bit processors with good performance
491 on 32-bit processors. Khazad uses an 128 bit key size.
492
cf514b2a
RE		 493 See https://web.archive.org/web/20171011071731/http://www.larc.usp.br/~pbarreto/KhazadPage.html
494 for further information.
f1f142ad
RE		 495
496config CRYPTO_SEED
cf514b2a 497 tristate "SEED"
f1f142ad
RE		 498 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
499 select CRYPTO_ALGAPI
500 help
cf514b2a 501 SEED cipher algorithm (RFC4269, ISO/IEC 18033-3)
f1f142ad
RE		 502
503 SEED is a 128-bit symmetric key block cipher that has been
504 developed by KISA (Korea Information Security Agency) as a
505 national standard encryption algorithm of the Republic of Korea.
506 It is a 16 round block cipher with the key size of 128 bit.
507
cf514b2a
RE		 508 See https://seed.kisa.or.kr/kisa/algorithm/EgovSeedInfo.do
509 for further information.
f1f142ad
RE		 510
511config CRYPTO_SERPENT
cf514b2a 512 tristate "Serpent"
f1f142ad
RE		 513 select CRYPTO_ALGAPI
514 help
cf514b2a 515 Serpent cipher algorithm, by Anderson, Biham & Knudsen
f1f142ad
RE		 516
517 Keys are allowed to be from 0 to 256 bits in length, in steps
518 of 8 bits.
519
cf514b2a 520 See https://www.cl.cam.ac.uk/~rja14/serpent.html for further information.
f1f142ad
RE		 521
522config CRYPTO_SM4
523 tristate
524
525config CRYPTO_SM4_GENERIC
cf514b2a 526 tristate "SM4 (ShangMi 4)"
f1f142ad
RE		 527 select CRYPTO_ALGAPI
528 select CRYPTO_SM4
529 help
cf514b2a
RE		 530 SM4 cipher algorithms (OSCCA GB/T 32907-2016,
531 ISO/IEC 18033-3:2010/Amd 1:2021)
f1f142ad
RE		 532
533 SM4 (GBT.32907-2016) is a cryptographic standard issued by the
534 Organization of State Commercial Administration of China (OSCCA)
535 as an authorized cryptographic algorithms for the use within China.
536
537 SMS4 was originally created for use in protecting wireless
538 networks, and is mandated in the Chinese National Standard for
539 Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
540 (GB.15629.11-2003).
541
542 The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
543 standardized through TC 260 of the Standardization Administration
544 of the People's Republic of China (SAC).
545
546 The input, output, and key of SMS4 are each 128 bits.
547
cf514b2a 548 See https://eprint.iacr.org/2008/329.pdf for further information.
f1f142ad
RE		 549
550 If unsure, say N.
551
552config CRYPTO_TEA
cf514b2a 553 tristate "TEA, XTEA and XETA"
f1f142ad
RE		 554 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
555 select CRYPTO_ALGAPI
556 help
cf514b2a 557 TEA (Tiny Encryption Algorithm) cipher algorithms
f1f142ad
RE		 558
559 Tiny Encryption Algorithm is a simple cipher that uses
560 many rounds for security. It is very fast and uses
561 little memory.
562
563 Xtendend Tiny Encryption Algorithm is a modification to
564 the TEA algorithm to address a potential key weakness
565 in the TEA algorithm.
566
567 Xtendend Encryption Tiny Algorithm is a mis-implementation
568 of the XTEA algorithm for compatibility purposes.
569
570config CRYPTO_TWOFISH
cf514b2a 571 tristate "Twofish"
f1f142ad
RE		 572 select CRYPTO_ALGAPI
573 select CRYPTO_TWOFISH_COMMON
574 help
cf514b2a 575 Twofish cipher algorithm
f1f142ad
RE		 576
577 Twofish was submitted as an AES (Advanced Encryption Standard)
578 candidate cipher by researchers at CounterPane Systems. It is a
579 16 round block cipher supporting key sizes of 128, 192, and 256
580 bits.
581
cf514b2a 582 See https://www.schneier.com/twofish.html for further information.
f1f142ad
RE		 583
584config CRYPTO_TWOFISH_COMMON
585 tristate
586 help
587 Common parts of the Twofish cipher algorithm shared by the
588 generic c and the assembler implementations.
589
590endmenu
591
592menu "Length-preserving ciphers and modes"
26609a21 593
059c2a4d 594config CRYPTO_ADIANTUM
cf514b2a 595 tristate "Adiantum"
059c2a4d 596 select CRYPTO_CHACHA20
48ea8c6e 597 select CRYPTO_LIB_POLY1305_GENERIC
059c2a4d 598 select CRYPTO_NHPOLY1305
c8a3315a 599 select CRYPTO_MANAGER
059c2a4d 600 help
cf514b2a
RE		 601 Adiantum tweakable, length-preserving encryption mode
602
603 Designed for fast and secure disk encryption, especially on
059c2a4d
EB		 604 CPUs without dedicated crypto instructions. It encrypts
605 each sector using the XChaCha12 stream cipher, two passes of
606 an ε-almost-∆-universal hash function, and an invocation of
607 the AES-256 block cipher on a single 16-byte block. On CPUs
608 without AES instructions, Adiantum is much faster than
609 AES-XTS.
610
611 Adiantum's security is provably reducible to that of its
612 underlying stream and block ciphers, subject to a security
613 bound. Unlike XTS, Adiantum is a true wide-block encryption
614 mode, so it actually provides an even stronger notion of
615 security than XTS, subject to the security bound.
616
617 If unsure, say N.
618
f1f142ad 619config CRYPTO_ARC4
cf514b2a 620 tristate "ARC4 (Alleged Rivest Cipher 4)"
f1f142ad
RE		 621 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
622 select CRYPTO_SKCIPHER
623 select CRYPTO_LIB_ARC4
7ff554ce 624 help
cf514b2a 625 ARC4 cipher algorithm
7ff554ce 626
f1f142ad
RE		 627 ARC4 is a stream cipher using keys ranging from 8 bits to 2048
628 bits in length. This algorithm is required for driver-based
629 WEP, but it should not be for other purposes because of the
630 weakness of the algorithm.
631
632config CRYPTO_CHACHA20
cf514b2a 633 tristate "ChaCha"
f1f142ad
RE		 634 select CRYPTO_LIB_CHACHA_GENERIC
635 select CRYPTO_SKCIPHER
be1eb7f7 636 help
cf514b2a 637 The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms
be1eb7f7 638
f1f142ad
RE		 639 ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
640 Bernstein and further specified in RFC7539 for use in IETF protocols.
cf514b2a
RE		 641 This is the portable C implementation of ChaCha20. See
642 https://cr.yp.to/chacha/chacha-20080128.pdf for further information.
be1eb7f7 643
f1f142ad
RE		 644 XChaCha20 is the application of the XSalsa20 construction to ChaCha20
645 rather than to Salsa20. XChaCha20 extends ChaCha20's nonce length
646 from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
cf514b2a
RE		 647 while provably retaining ChaCha20's security. See
648 https://cr.yp.to/snuffle/xsalsa-20081128.pdf for further information.
be1eb7f7 649
f1f142ad
RE		 650 XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
651 reduced security margin but increased performance. It can be needed
652 in some performance-sensitive scenarios.
584fffc8 653
f1f142ad 654config CRYPTO_CBC
cf514b2a 655 tristate "CBC (Cipher Block Chaining)"
f1f142ad 656 select CRYPTO_SKCIPHER
93b5e86a
JK		 657 select CRYPTO_MANAGER
658 help
cf514b2a
RE		 659 CBC (Cipher Block Chaining) mode (NIST SP800-38A)
660
661 This block cipher mode is required for IPSec ESP (XFRM_ESP).
93b5e86a 662
f1f142ad 663config CRYPTO_CFB
cf514b2a 664 tristate "CFB (Cipher Feedback)"
f1f142ad 665 select CRYPTO_SKCIPHER
23e353c8 666 select CRYPTO_MANAGER
23e353c8 667 help
cf514b2a
RE		 668 CFB (Cipher Feedback) mode (NIST SP800-38A)
669
670 This block cipher mode is required for TPM2 Cryptography.
23e353c8 671
f1f142ad 672config CRYPTO_CTR
cf514b2a 673 tristate "CTR (Counter)"
f1f142ad 674 select CRYPTO_SKCIPHER
584fffc8 675 select CRYPTO_MANAGER
76cb9521 676 help
cf514b2a 677 CTR (Counter) mode (NIST SP800-38A)
76cb9521 678
f1f142ad 679config CRYPTO_CTS
cf514b2a 680 tristate "CTS (Cipher Text Stealing)"
f1f142ad 681 select CRYPTO_SKCIPHER
f1939f7c
SW		 682 select CRYPTO_MANAGER
683 help
cf514b2a
RE		 684 CBC-CS3 variant of CTS (Cipher Text Stealing) (NIST
685 Addendum to SP800-38A (October 2010))
686
f1f142ad
RE		 687 This mode is required for Kerberos gss mechanism support
688 for AES encryption.
f1939f7c 689
f1f142ad 690config CRYPTO_ECB
cf514b2a 691 tristate "ECB (Electronic Codebook)"
f1f142ad
RE		 692 select CRYPTO_SKCIPHER
693 select CRYPTO_MANAGER
4a49b499 694 help
cf514b2a 695 ECB (Electronic Codebook) mode (NIST SP800-38A)
4a49b499 696
f1f142ad 697config CRYPTO_HCTR2
cf514b2a 698 tristate "HCTR2"
f1f142ad
RE		 699 select CRYPTO_XCTR
700 select CRYPTO_POLYVAL
701 select CRYPTO_MANAGER
78c37d19 702 help
cf514b2a
RE		 703 HCTR2 length-preserving encryption mode
704
705 A mode for storage encryption that is efficient on processors with
706 instructions to accelerate AES and carryless multiplication, e.g.
707 x86 processors with AES-NI and CLMUL, and ARM processors with the
708 ARMv8 crypto extensions.
709
710 See https://eprint.iacr.org/2021/1441
78c37d19 711
f1f142ad 712config CRYPTO_KEYWRAP
cf514b2a 713 tristate "KW (AES Key Wrap)"
f1f142ad
RE		 714 select CRYPTO_SKCIPHER
715 select CRYPTO_MANAGER
2cdc6899 716 help
cf514b2a
RE		 717 KW (AES Key Wrap) authenticated encryption mode (NIST SP800-38F
718 and RFC3394) without padding.
2cdc6899 719
f1f142ad 720config CRYPTO_LRW
cf514b2a 721 tristate "LRW (Liskov Rivest Wagner)"
61c581a4 722 select CRYPTO_LIB_GF128MUL
f1f142ad
RE		 723 select CRYPTO_SKCIPHER
724 select CRYPTO_MANAGER
f1f142ad 725 select CRYPTO_ECB
f3c923a0 726 help
cf514b2a
RE		 727 LRW (Liskov Rivest Wagner) mode
728
729 A tweakable, non malleable, non movable
f1f142ad
RE		 730 narrow block cipher mode for dm-crypt. Use it with cipher
731 specification string aes-lrw-benbi, the key must be 256, 320 or 384.
732 The first 128, 192 or 256 bits in the key are used for AES and the
733 rest is used to tie each cipher block to its logical position.
f3c923a0 734
cf514b2a
RE		 735 See https://people.csail.mit.edu/rivest/pubs/LRW02.pdf
736
f1f142ad 737config CRYPTO_OFB
cf514b2a 738 tristate "OFB (Output Feedback)"
f1f142ad
RE		 739 select CRYPTO_SKCIPHER
740 select CRYPTO_MANAGER
f979e014 741 help
cf514b2a
RE		 742 OFB (Output Feedback) mode (NIST SP800-38A)
743
744 This mode makes a block cipher into a synchronous
f1f142ad
RE		 745 stream cipher. It generates keystream blocks, which are then XORed
746 with the plaintext blocks to get the ciphertext. Flipping a bit in the
747 ciphertext produces a flipped bit in the plaintext at the same
748 location. This property allows many error correcting codes to function
749 normally even when applied before encryption.
f979e014 750
f1f142ad 751config CRYPTO_PCBC
cf514b2a 752 tristate "PCBC (Propagating Cipher Block Chaining)"
f1f142ad
RE		 753 select CRYPTO_SKCIPHER
754 select CRYPTO_MANAGER
124b53d0 755 help
cf514b2a
RE		 756 PCBC (Propagating Cipher Block Chaining) mode
757
758 This block cipher mode is required for RxRPC.
124b53d0 759
f1f142ad
RE		 760config CRYPTO_XCTR
761 tristate
762 select CRYPTO_SKCIPHER
763 select CRYPTO_MANAGER
1da177e4 764 help
cf514b2a
RE		 765 XCTR (XOR Counter) mode for HCTR2
766
767 This blockcipher mode is a variant of CTR mode using XORs and little-endian
768 addition rather than big-endian arithmetic.
769
f1f142ad 770 XCTR mode is used to implement HCTR2.
1da177e4 771
f1f142ad 772config CRYPTO_XTS
cf514b2a 773 tristate "XTS (XOR Encrypt XOR with ciphertext stealing)"
f1f142ad
RE		 774 select CRYPTO_SKCIPHER
775 select CRYPTO_MANAGER
776 select CRYPTO_ECB
90831639 777 help
cf514b2a
RE		 778 XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
779 and IEEE 1619)
780
781 Use with aes-xts-plain, key size 256, 384 or 512 bits. This
782 implementation currently can't handle a sectorsize which is not a
783 multiple of 16 bytes.
90831639 784
f1f142ad
RE		 785config CRYPTO_NHPOLY1305
786 tristate
e5835fba 787 select CRYPTO_HASH
f1f142ad 788 select CRYPTO_LIB_POLY1305_GENERIC
534fe2c1 789
f1f142ad 790endmenu
534fe2c1 791
f1f142ad 792menu "AEAD (authenticated encryption with associated data) ciphers"
1da177e4 793
f1f142ad 794config CRYPTO_AEGIS128
e3d2eadd 795 tristate "AEGIS-128"
f1f142ad
RE		 796 select CRYPTO_AEAD
797 select CRYPTO_AES # for AES S-box tables
1da177e4 798 help
e3d2eadd 799 AEGIS-128 AEAD algorithm
2729bb42 800
f1f142ad 801config CRYPTO_AEGIS128_SIMD
e3d2eadd 802 bool "AEGIS-128 (arm NEON, arm64 NEON)"
f1f142ad
RE		 803 depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
804 default y
e3d2eadd
RE		 805 help
806 AEGIS-128 AEAD algorithm
807
808 Architecture: arm or arm64 using:
809 - NEON (Advanced SIMD) extension
584fffc8 810
f1f142ad 811config CRYPTO_CHACHA20POLY1305
e3d2eadd 812 tristate "ChaCha20-Poly1305"
f1f142ad
RE		 813 select CRYPTO_CHACHA20
814 select CRYPTO_POLY1305
815 select CRYPTO_AEAD
816 select CRYPTO_MANAGER
b9f535ff 817 help
e3d2eadd
RE		 818 ChaCha20 stream cipher and Poly1305 authenticator combined
819 mode (RFC8439)
b9f535ff 820
f1f142ad 821config CRYPTO_CCM
cf514b2a 822 tristate "CCM (Counter with Cipher Block Chaining-MAC)"
f1f142ad 823 select CRYPTO_CTR
53964b9e 824 select CRYPTO_HASH
f1f142ad
RE		 825 select CRYPTO_AEAD
826 select CRYPTO_MANAGER
53964b9e 827 help
e3d2eadd
RE		 828 CCM (Counter with Cipher Block Chaining-Message Authentication Code)
829 authenticated encryption mode (NIST SP800-38C)
d2825fa9 830
f1f142ad 831config CRYPTO_GCM
cf514b2a 832 tristate "GCM (Galois/Counter Mode) and GMAC (GCM MAC)"
f1f142ad
RE		 833 select CRYPTO_CTR
834 select CRYPTO_AEAD
835 select CRYPTO_GHASH
836 select CRYPTO_NULL
837 select CRYPTO_MANAGER
4f0fc160 838 help
e3d2eadd
RE		 839 GCM (Galois/Counter Mode) authenticated encryption mode and GMAC
840 (GCM Message Authentication Code) (NIST SP800-38D)
841
842 This is required for IPSec ESP (XFRM_ESP).
4f0fc160 843
ba51738f
HX		 844config CRYPTO_GENIV
845 tristate
f1f142ad 846 select CRYPTO_AEAD
f1f142ad 847 select CRYPTO_NULL
f1f142ad 848 select CRYPTO_MANAGER
ba51738f
HX		 849 select CRYPTO_RNG_DEFAULT
850
851config CRYPTO_SEQIV
852 tristate "Sequence Number IV Generator"
853 select CRYPTO_GENIV
fe18957e 854 help
e3d2eadd
RE		 855 Sequence Number IV generator
856
f1f142ad 857 This IV generator generates an IV based on a sequence number by
e3d2eadd
RE		 858 xoring it with a salt. This algorithm is mainly useful for CTR.
859
860 This is required for IPsec ESP (XFRM_ESP).
fe18957e 861
f1f142ad
RE		 862config CRYPTO_ECHAINIV
863 tristate "Encrypted Chain IV Generator"
ba51738f 864 select CRYPTO_GENIV
1da177e4 865 help
e3d2eadd
RE		 866 Encrypted Chain IV generator
867
f1f142ad
RE		 868 This IV generator generates an IV based on the encryption of
869 a sequence number xored with a salt. This is the default
870 algorithm for CBC.
1da177e4 871
f1f142ad 872config CRYPTO_ESSIV
e3d2eadd 873 tristate "Encrypted Salt-Sector IV Generator"
f1f142ad 874 select CRYPTO_AUTHENC
1da177e4 875 help
e3d2eadd
RE		 876 Encrypted Salt-Sector IV generator
877
878 This IV generator is used in some cases by fscrypt and/or
f1f142ad
RE		 879 dm-crypt. It uses the hash of the block encryption key as the
880 symmetric key for a block encryption pass applied to the input
881 IV, making low entropy IV sources more suitable for block
882 encryption.
1da177e4 883
f1f142ad
RE		 884 This driver implements a crypto API template that can be
885 instantiated either as an skcipher or as an AEAD (depending on the
886 type of the first template argument), and which defers encryption
887 and decryption requests to the encapsulated cipher after applying
888 ESSIV to the input IV. Note that in the AEAD case, it is assumed
889 that the keys are presented in the same format used by the authenc
890 template, and that the IV appears at the end of the authenticated
891 associated data (AAD) region (which is how dm-crypt uses it.)
1da177e4 892
f1f142ad
RE		 893 Note that the use of ESSIV is not recommended for new deployments,
894 and so this only needs to be enabled when interoperability with
895 existing encrypted volumes of filesystems is required, or when
896 building for a particular system that requires it (e.g., when
897 the SoC in question has accelerated CBC but not XTS, making CBC
898 combined with ESSIV the only feasible mode for h/w accelerated
899 block encryption)
1da177e4 900
f1f142ad 901endmenu
b5e0b032 902
f1f142ad 903menu "Hashes, digests, and MACs"
b5e0b032 904
f1f142ad 905config CRYPTO_BLAKE2B
3f342a23 906 tristate "BLAKE2b"
f1f142ad 907 select CRYPTO_HASH
584fffc8 908 help
3f342a23 909 BLAKE2b cryptographic hash function (RFC 7693)
584fffc8 910
3f342a23
RE		 911 BLAKE2b is optimized for 64-bit platforms and can produce digests
912 of any size between 1 and 64 bytes. The keyed hash is also implemented.
584fffc8 913
3f342a23 914 This module provides the following algorithms:
f1f142ad
RE		 915 - blake2b-160
916 - blake2b-256
917 - blake2b-384
918 - blake2b-512
584fffc8 919
3f342a23
RE		 920 Used by the btrfs filesystem.
921
f1f142ad 922 See https://blake2.net for further information.
584fffc8 923
f1f142ad 924config CRYPTO_CMAC
3f342a23 925 tristate "CMAC (Cipher-based MAC)"
f1f142ad
RE		 926 select CRYPTO_HASH
927 select CRYPTO_MANAGER
584fffc8 928 help
3f342a23
RE		 929 CMAC (Cipher-based Message Authentication Code) authentication
930 mode (NIST SP800-38B and IETF RFC4493)
584fffc8 931
f1f142ad 932config CRYPTO_GHASH
3f342a23 933 tristate "GHASH"
f1f142ad 934 select CRYPTO_HASH
61c581a4 935 select CRYPTO_LIB_GF128MUL
52ba867c 936 help
3f342a23 937 GCM GHASH function (NIST SP800-38D)
52ba867c 938
f1f142ad 939config CRYPTO_HMAC
3f342a23 940 tristate "HMAC (Keyed-Hash MAC)"
f1f142ad
RE		 941 select CRYPTO_HASH
942 select CRYPTO_MANAGER
584fffc8 943 help
3f342a23
RE		 944 HMAC (Keyed-Hash Message Authentication Code) (FIPS 198 and
945 RFC2104)
946
947 This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
584fffc8 948
f1f142ad 949config CRYPTO_MD4
3f342a23 950 tristate "MD4"
f1f142ad 951 select CRYPTO_HASH
044ab525 952 help
3f342a23 953 MD4 message digest algorithm (RFC1320)
044ab525 954
f1f142ad 955config CRYPTO_MD5
3f342a23 956 tristate "MD5"
f1f142ad 957 select CRYPTO_HASH
1da177e4 958 help
3f342a23 959 MD5 message digest algorithm (RFC1321)
1da177e4 960
f1f142ad 961config CRYPTO_MICHAEL_MIC
3f342a23 962 tristate "Michael MIC"
f1f142ad 963 select CRYPTO_HASH
1da177e4 964 help
3f342a23
RE		 965 Michael MIC (Message Integrity Code) (IEEE 802.11i)
966
967 Defined by the IEEE 802.11i TKIP (Temporal Key Integrity Protocol),
968 known as WPA (Wif-Fi Protected Access).
969
970 This algorithm is required for TKIP, but it should not be used for
971 other purposes because of the weakness of the algorithm.
1da177e4 972
f1f142ad
RE		 973config CRYPTO_POLYVAL
974 tristate
f1f142ad 975 select CRYPTO_HASH
61c581a4 976 select CRYPTO_LIB_GF128MUL
1da177e4 977 help
3f342a23
RE		 978 POLYVAL hash function for HCTR2
979
980 This is used in HCTR2. It is not a general-purpose
f1f142ad 981 cryptographic hash function.
fb4f10ed 982
f1f142ad 983config CRYPTO_POLY1305
3f342a23 984 tristate "Poly1305"
f1f142ad
RE		 985 select CRYPTO_HASH
986 select CRYPTO_LIB_POLY1305_GENERIC
1da177e4 987 help
3f342a23 988 Poly1305 authenticator algorithm (RFC7539)
1da177e4 989
f1f142ad
RE		 990 Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
991 It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
992 in IETF protocols. This is the portable C implementation of Poly1305.
993
994config CRYPTO_RMD160
3f342a23 995 tristate "RIPEMD-160"
f1f142ad 996 select CRYPTO_HASH
1da177e4 997 help
3f342a23 998 RIPEMD-160 hash function (ISO/IEC 10118-3)
1da177e4 999
f1f142ad
RE		 1000 RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
1001 to be used as a secure replacement for the 128-bit hash functions
1002 MD4, MD5 and its predecessor RIPEMD
1003 (not to be confused with RIPEMD-128).
1da177e4 1004
3f342a23 1005 Its speed is comparable to SHA-1 and there are no known attacks
f1f142ad 1006 against RIPEMD-160.
1da177e4 1007
f1f142ad 1008 Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
3f342a23
RE		 1009 See https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
1010 for further information.
f1f142ad
RE		 1011
1012config CRYPTO_SHA1
3f342a23 1013 tristate "SHA-1"
f1f142ad
RE		 1014 select CRYPTO_HASH
1015 select CRYPTO_LIB_SHA1
c08d0e64 1016 help
3f342a23 1017 SHA-1 secure hash algorithm (FIPS 180, ISO/IEC 10118-3)
c08d0e64 1018
f1f142ad 1019config CRYPTO_SHA256
3f342a23 1020 tristate "SHA-224 and SHA-256"
f1f142ad
RE		 1021 select CRYPTO_HASH
1022 select CRYPTO_LIB_SHA256
1023 help
3f342a23 1024 SHA-224 and SHA-256 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
de61d7ae 1025
3f342a23
RE		 1026 This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
1027 Used by the btrfs filesystem, Ceph, NFS, and SMB.
aa762409 1028
f1f142ad 1029config CRYPTO_SHA512
3f342a23 1030 tristate "SHA-384 and SHA-512"
f1f142ad 1031 select CRYPTO_HASH
1da177e4 1032 help
3f342a23 1033 SHA-384 and SHA-512 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
584fffc8 1034
f1f142ad 1035config CRYPTO_SHA3
3f342a23 1036 tristate "SHA-3"
f1f142ad 1037 select CRYPTO_HASH
e4e712bb 1038 help
3f342a23 1039 SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3)
e4e712bb 1040
f1f142ad
RE		 1041config CRYPTO_SM3
1042 tristate
e4e712bb 1043
f1f142ad 1044config CRYPTO_SM3_GENERIC
3f342a23 1045 tristate "SM3 (ShangMi 3)"
f1f142ad
RE		 1046 select CRYPTO_HASH
1047 select CRYPTO_SM3
1da177e4 1048 help
3f342a23
RE		 1049 SM3 (ShangMi 3) secure hash function (OSCCA GM/T 0004-2012, ISO/IEC 10118-3)
1050
1051 This is part of the Chinese Commercial Cryptography suite.
1da177e4 1052
f1f142ad
RE		 1053 References:
1054 http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
1055 https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
584fffc8 1056
f1f142ad 1057config CRYPTO_STREEBOG
3f342a23 1058 tristate "Streebog"
f1f142ad
RE		 1059 select CRYPTO_HASH
1060 help
3f342a23
RE		 1061 Streebog Hash Function (GOST R 34.11-2012, RFC 6986, ISO/IEC 10118-3)
1062
1063 This is one of the Russian cryptographic standard algorithms (called
1064 GOST algorithms). This setting enables two hash algorithms with
1065 256 and 512 bits output.
584fffc8 1066
f1f142ad
RE		 1067 References:
1068 https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1069 https://tools.ietf.org/html/rfc6986
d2825fa9 1070
f1f142ad 1071config CRYPTO_VMAC
3f342a23 1072 tristate "VMAC"
f1f142ad
RE		 1073 select CRYPTO_HASH
1074 select CRYPTO_MANAGER
747c8ce4 1075 help
f1f142ad
RE		 1076 VMAC is a message authentication algorithm designed for
1077 very high speed on 64-bit architectures.
747c8ce4 1078
3f342a23 1079 See https://fastcrypto.org/vmac for further information.
747c8ce4 1080
f1f142ad 1081config CRYPTO_WP512
3f342a23 1082 tristate "Whirlpool"
f1f142ad
RE		 1083 select CRYPTO_HASH
1084 help
3f342a23
RE		 1085 Whirlpool hash function (ISO/IEC 10118-3)
1086
1087 512, 384 and 256-bit hashes.
747c8ce4 1088
f1f142ad 1089 Whirlpool-512 is part of the NESSIE cryptographic primitives.
747c8ce4 1090
3f342a23
RE		 1091 See https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
1092 for further information.
747c8ce4 1093
f1f142ad 1094config CRYPTO_XCBC
3f342a23 1095 tristate "XCBC-MAC (Extended Cipher Block Chaining MAC)"
f1f142ad
RE		 1096 select CRYPTO_HASH
1097 select CRYPTO_MANAGER
1098 help
3f342a23
RE		 1099 XCBC-MAC (Extended Cipher Block Chaining Message Authentication
1100 Code) (RFC3566)
747c8ce4 1101
f1f142ad 1102config CRYPTO_XXHASH
3f342a23 1103 tristate "xxHash"
f1f142ad
RE		 1104 select CRYPTO_HASH
1105 select XXHASH
1da177e4 1106 help
3f342a23
RE		 1107 xxHash non-cryptographic hash algorithm
1108
1109 Extremely fast, working at speeds close to RAM limits.
1110
1111 Used by the btrfs filesystem.
1da177e4 1112
f1f142ad 1113endmenu
584fffc8 1114
f1f142ad 1115menu "CRCs (cyclic redundancy checks)"
584fffc8 1116
f1f142ad 1117config CRYPTO_CRC32C
ec84348d 1118 tristate "CRC32c"
f1f142ad
RE		 1119 select CRYPTO_HASH
1120 select CRC32
1121 help
ec84348d
RE		 1122 CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720)
1123
1124 A 32-bit CRC (cyclic redundancy check) with a polynomial defined
1125 by G. Castagnoli, S. Braeuer and M. Herrman in "Optimization of Cyclic
1126 Redundancy-Check Codes with 24 and 32 Parity Bits", IEEE Transactions
1127 on Communications, Vol. 41, No. 6, June 1993, selected for use with
1128 iSCSI.
1129
1130 Used by btrfs, ext4, jbd2, NVMeoF/TCP, and iSCSI.
584fffc8 1131
f1f142ad 1132config CRYPTO_CRC32
ec84348d 1133 tristate "CRC32"
f1f142ad
RE		 1134 select CRYPTO_HASH
1135 select CRC32
04ac7db3 1136 help
ec84348d
RE		 1137 CRC32 CRC algorithm (IEEE 802.3)
1138
1139 Used by RoCEv2 and f2fs.
04ac7db3 1140
f1f142ad 1141config CRYPTO_CRCT10DIF
ec84348d 1142 tristate "CRCT10DIF"
f1f142ad
RE		 1143 select CRYPTO_HASH
1144 help
ec84348d
RE		 1145 CRC16 CRC algorithm used for the T10 (SCSI) Data Integrity Field (DIF)
1146
1147 CRC algorithm used by the SCSI Block Commands standard.
04ac7db3 1148
f1f142ad 1149config CRYPTO_CRC64_ROCKSOFT
ec84348d 1150 tristate "CRC64 based on Rocksoft Model algorithm"
f1f142ad
RE		 1151 depends on CRC64
1152 select CRYPTO_HASH
ec84348d
RE		 1153 help
1154 CRC64 CRC algorithm based on the Rocksoft Model CRC Algorithm
1155
1156 Used by the NVMe implementation of T10 DIF (BLK_DEV_INTEGRITY)
1157
1158 See https://zlib.net/crc_v3.txt
584fffc8 1159
f1f142ad 1160endmenu
584fffc8 1161
f1f142ad 1162menu "Compression"
584fffc8
SS		 1163
1164config CRYPTO_DEFLATE
a9a98d49 1165 tristate "Deflate"
584fffc8 1166 select CRYPTO_ALGAPI
f6ded09d 1167 select CRYPTO_ACOMP2
584fffc8
SS		 1168 select ZLIB_INFLATE
1169 select ZLIB_DEFLATE
3c09f17c 1170 help
a9a98d49 1171 Deflate compression algorithm (RFC1951)
584fffc8 1172
a9a98d49 1173 Used by IPSec with the IPCOMP protocol (RFC3173, RFC2394)
3c09f17c 1174
0b77abb3 1175config CRYPTO_LZO
a9a98d49 1176 tristate "LZO"
0b77abb3 1177 select CRYPTO_ALGAPI
ac9d2c4b 1178 select CRYPTO_ACOMP2
0b77abb3
ZS		 1179 select LZO_COMPRESS
1180 select LZO_DECOMPRESS
1181 help
a9a98d49
RE		 1182 LZO compression algorithm
1183
1184 See https://www.oberhumer.com/opensource/lzo/ for further information.
0b77abb3 1185
35a1fc18 1186config CRYPTO_842
a9a98d49 1187 tristate "842"
2062c5b6 1188 select CRYPTO_ALGAPI
6a8de3ae 1189 select CRYPTO_ACOMP2
2062c5b6
DS		 1190 select 842_COMPRESS
1191 select 842_DECOMPRESS
35a1fc18 1192 help
a9a98d49
RE		 1193 842 compression algorithm by IBM
1194
1195 See https://github.com/plauth/lib842 for further information.
0ea8530d
CM		 1196
1197config CRYPTO_LZ4
a9a98d49 1198 tristate "LZ4"
0ea8530d 1199 select CRYPTO_ALGAPI
8cd9330e 1200 select CRYPTO_ACOMP2
0ea8530d
CM		 1201 select LZ4_COMPRESS
1202 select LZ4_DECOMPRESS
1203 help
a9a98d49
RE		 1204 LZ4 compression algorithm
1205
1206 See https://github.com/lz4/lz4 for further information.
0ea8530d
CM		 1207
1208config CRYPTO_LZ4HC
a9a98d49 1209 tristate "LZ4HC"
0ea8530d 1210 select CRYPTO_ALGAPI
91d53d96 1211 select CRYPTO_ACOMP2
0ea8530d
CM		 1212 select LZ4HC_COMPRESS
1213 select LZ4_DECOMPRESS
1214 help
a9a98d49
RE		 1215 LZ4 high compression mode algorithm
1216
1217 See https://github.com/lz4/lz4 for further information.
35a1fc18 1218
d28fc3db 1219config CRYPTO_ZSTD
a9a98d49 1220 tristate "Zstd"
d28fc3db
NT		 1221 select CRYPTO_ALGAPI
1222 select CRYPTO_ACOMP2
1223 select ZSTD_COMPRESS
1224 select ZSTD_DECOMPRESS
1225 help
a9a98d49
RE		 1226 zstd compression algorithm
1227
1228 See https://github.com/facebook/zstd for further information.
d28fc3db 1229
f1f142ad
RE		 1230endmenu
1231
1232menu "Random number generation"
17f0f4a4
NH		 1233
1234config CRYPTO_ANSI_CPRNG
a9a98d49 1235 tristate "ANSI PRNG (Pseudo Random Number Generator)"
17f0f4a4
NH		 1236 select CRYPTO_AES
1237 select CRYPTO_RNG
17f0f4a4 1238 help
a9a98d49
RE		 1239 Pseudo RNG (random number generator) (ANSI X9.31 Appendix A.2.4)
1240
1241 This uses the AES cipher algorithm.
1242
1243 Note that this option must be enabled if CRYPTO_FIPS is selected
17f0f4a4 1244
f2c89a10 1245menuconfig CRYPTO_DRBG_MENU
a9a98d49 1246 tristate "NIST SP800-90A DRBG (Deterministic Random Bit Generator)"
419090c6 1247 help
a9a98d49
RE		 1248 DRBG (Deterministic Random Bit Generator) (NIST SP800-90A)
1249
1250 In the following submenu, one or more of the DRBG types must be selected.
419090c6 1251
f2c89a10 1252if CRYPTO_DRBG_MENU
419090c6
SM		 1253
1254config CRYPTO_DRBG_HMAC
401e4238 1255 bool
419090c6 1256 default y
419090c6 1257 select CRYPTO_HMAC
5261cdf4 1258 select CRYPTO_SHA512
419090c6
SM		 1259
1260config CRYPTO_DRBG_HASH
a9a98d49 1261 bool "Hash_DRBG"
826775bb 1262 select CRYPTO_SHA256
419090c6 1263 help
a9a98d49
RE		 1264 Hash_DRBG variant as defined in NIST SP800-90A.
1265
1266 This uses the SHA-1, SHA-256, SHA-384, or SHA-512 hash algorithms.
419090c6
SM		 1267
1268config CRYPTO_DRBG_CTR
a9a98d49 1269 bool "CTR_DRBG"
419090c6 1270 select CRYPTO_AES
d6fc1a45 1271 select CRYPTO_CTR
419090c6 1272 help
a9a98d49
RE		 1273 CTR_DRBG variant as defined in NIST SP800-90A.
1274
1275 This uses the AES cipher algorithm with the counter block mode.
419090c6 1276
f2c89a10
HX		 1277config CRYPTO_DRBG
1278 tristate
401e4238 1279 default CRYPTO_DRBG_MENU
f2c89a10 1280 select CRYPTO_RNG
bb5530e4 1281 select CRYPTO_JITTERENTROPY
f2c89a10
HX		 1282
1283endif # if CRYPTO_DRBG_MENU
419090c6 1284
bb5530e4 1285config CRYPTO_JITTERENTROPY
a9a98d49 1286 tristate "CPU Jitter Non-Deterministic RNG (Random Number Generator)"
2f313e02 1287 select CRYPTO_RNG
bb897c55 1288 select CRYPTO_SHA3
bb5530e4 1289 help
a9a98d49
RE		 1290 CPU Jitter RNG (Random Number Generator) from the Jitterentropy library
1291
1292 A non-physical non-deterministic ("true") RNG (e.g., an entropy source
1293 compliant with NIST SP800-90B) intended to provide a seed to a
1294 deterministic RNG (e.g. per NIST SP800-90C).
1295 This RNG does not perform any cryptographic whitening of the generated
1296
1297 See https://www.chronox.de/jent.html
bb5530e4 1298
69f1c387
SM		 1299config CRYPTO_JITTERENTROPY_TESTINTERFACE
1300 bool "CPU Jitter RNG Test Interface"
1301 depends on CRYPTO_JITTERENTROPY
1302 help
1303 The test interface allows a privileged process to capture
1304 the raw unconditioned high resolution time stamp noise that
1305 is collected by the Jitter RNG for statistical analysis. As
1306 this data is used at the same time to generate random bits,
1307 the Jitter RNG operates in an insecure mode as long as the
1308 recording is enabled. This interface therefore is only
1309 intended for testing purposes and is not suitable for
1310 production systems.
1311
1312 The raw noise data can be obtained using the jent_raw_hires
1313 debugfs file. Using the option
1314 jitterentropy_testing.boot_raw_hires_test=1 the raw noise of
1315 the first 1000 entropy events since boot can be sampled.
1316
1317 If unsure, select N.
1318
026a733e
SM		 1319config CRYPTO_KDF800108_CTR
1320 tristate
a88592cc 1321 select CRYPTO_HMAC
304b4ace 1322 select CRYPTO_SHA256
026a733e 1323
f1f142ad 1324endmenu
9bc51715 1325menu "Userspace interface"
f1f142ad 1326
03c8efc1
HX		 1327config CRYPTO_USER_API
1328 tristate
1329
fe869cdb 1330config CRYPTO_USER_API_HASH
9bc51715 1331 tristate "Hash algorithms"
7451708f 1332 depends on NET
fe869cdb
HX		 1333 select CRYPTO_HASH
1334 select CRYPTO_USER_API
1335 help
9bc51715
RE		 1336 Enable the userspace interface for hash algorithms.
1337
1338 See Documentation/crypto/userspace-if.rst and
1339 https://www.chronox.de/libkcapi/html/index.html
fe869cdb 1340
8ff59090 1341config CRYPTO_USER_API_SKCIPHER
9bc51715 1342 tristate "Symmetric key cipher algorithms"
7451708f 1343 depends on NET
b95bba5d 1344 select CRYPTO_SKCIPHER
8ff59090
HX		 1345 select CRYPTO_USER_API
1346 help
9bc51715
RE		 1347 Enable the userspace interface for symmetric key cipher algorithms.
1348
1349 See Documentation/crypto/userspace-if.rst and
1350 https://www.chronox.de/libkcapi/html/index.html
8ff59090 1351
2f375538 1352config CRYPTO_USER_API_RNG
9bc51715 1353 tristate "RNG (random number generator) algorithms"
2f375538
SM		 1354 depends on NET
1355 select CRYPTO_RNG
1356 select CRYPTO_USER_API
1357 help
9bc51715
RE		 1358 Enable the userspace interface for RNG (random number generator)
1359 algorithms.
1360
1361 See Documentation/crypto/userspace-if.rst and
1362 https://www.chronox.de/libkcapi/html/index.html
2f375538 1363
77ebdabe
EP		 1364config CRYPTO_USER_API_RNG_CAVP
1365 bool "Enable CAVP testing of DRBG"
1366 depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
1367 help
9bc51715
RE		 1368 Enable extra APIs in the userspace interface for NIST CAVP
1369 (Cryptographic Algorithm Validation Program) testing:
1370 - resetting DRBG entropy
1371 - providing Additional Data
1372
77ebdabe
EP		 1373 This should only be enabled for CAVP testing. You should say
1374 no unless you know what this is.
1375
b64a2d95 1376config CRYPTO_USER_API_AEAD
9bc51715 1377 tristate "AEAD cipher algorithms"
b64a2d95
HX		 1378 depends on NET
1379 select CRYPTO_AEAD
b95bba5d 1380 select CRYPTO_SKCIPHER
72548b09 1381 select CRYPTO_NULL
b64a2d95
HX		 1382 select CRYPTO_USER_API
1383 help
9bc51715
RE		 1384 Enable the userspace interface for AEAD cipher algorithms.
1385
1386 See Documentation/crypto/userspace-if.rst and
1387 https://www.chronox.de/libkcapi/html/index.html
b64a2d95 1388
9ace6771 1389config CRYPTO_USER_API_ENABLE_OBSOLETE
9bc51715 1390 bool "Obsolete cryptographic algorithms"
9ace6771
AB		 1391 depends on CRYPTO_USER_API
1392 default y
1393 help
1394 Allow obsolete cryptographic algorithms to be selected that have
1395 already been phased out from internal use by the kernel, and are
1396 only useful for userspace clients that still rely on them.
1397
cac5818c 1398config CRYPTO_STATS
9bc51715 1399 bool "Crypto usage statistics"
a6a31385 1400 depends on CRYPTO_USER
cac5818c 1401 help
9bc51715
RE		 1402 Enable the gathering of crypto stats.
1403
66dd59b7
EB		 1404 Enabling this option reduces the performance of the crypto API. It
1405 should only be enabled when there is actually a use case for it.
1406
9bc51715
RE		 1407 This collects data sizes, numbers of requests, and numbers
1408 of errors processed by:
1409 - AEAD ciphers (encrypt, decrypt)
1410 - asymmetric key ciphers (encrypt, decrypt, verify, sign)
1411 - symmetric key ciphers (encrypt, decrypt)
1412 - compression algorithms (compress, decompress)
1413 - hash algorithms (hash)
1414 - key-agreement protocol primitives (setsecret, generate
1415 public key, compute shared secret)
1416 - RNG (generate, seed)
cac5818c 1417
f1f142ad
RE		 1418endmenu
1419
ee08997f
DK		 1420config CRYPTO_HASH_INFO
1421 bool
1422
27bc50fc 1423if !KMSAN # avoid false positives from assembly
4a329fec
RE		 1424if ARM
1425source "arch/arm/crypto/Kconfig"
1426endif
1427if ARM64
1428source "arch/arm64/crypto/Kconfig"
1429endif
2f164822
MZ		 1430if LOONGARCH
1431source "arch/loongarch/crypto/Kconfig"
1432endif
e45f710b
RE		 1433if MIPS
1434source "arch/mips/crypto/Kconfig"
1435endif
6a490a4e
RE		 1436if PPC
1437source "arch/powerpc/crypto/Kconfig"
1438endif
c9d24c97
RE		 1439if S390
1440source "arch/s390/crypto/Kconfig"
1441endif
0e9f9ea6
RE		 1442if SPARC
1443source "arch/sparc/crypto/Kconfig"
1444endif
28a936ef
RE		 1445if X86
1446source "arch/x86/crypto/Kconfig"
1447endif
27bc50fc 1448endif
e45f710b 1449
1da177e4 1450source "drivers/crypto/Kconfig"
8636a1f9
MY		 1451source "crypto/asymmetric_keys/Kconfig"
1452source "certs/Kconfig"
1da177e4 1453
cce9e06d 1454endif # if CRYPTO
Linux 6.x block layer and io_uring tree(s)