Merge tag 'nvme-6.7-2023-11-22' of git://git.infradead.org/nvme into block-6.7
[linux-2.6-block.git] / crypto / Kconfig
b2441318 1# SPDX-License-Identifier: GPL-2.0
2#
3# Generic algorithms support
4#
5config XOR_BLOCKS
6 tristate
7
1da177e4 8#
9bc89cd8 9# async_tx api: hardware offloaded memory transfer/transform support
1da177e4 10#
9bc89cd8 11source "crypto/async_tx/Kconfig"
1da177e4 12
13#
14# Cryptographic API Configuration
15#
2e290f43 16menuconfig CRYPTO
c3715cb9 17 tristate "Cryptographic API"
7033b937 18 select CRYPTO_LIB_UTILS
19 help
20 This option provides the core Cryptographic API.
21
22if CRYPTO
23
f1f142ad 24menu "Crypto core or helper"
584fffc8 25
26config CRYPTO_FIPS
27 bool "FIPS 200 compliance"
f2c89a10 28 depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
1f696097 29 depends on (MODULE_SIG || !MODULES)
ccb778e1 30 help
31 This option enables the fips boot option which is
32 required if you want the system to operate in a FIPS 200
ccb778e1 33 certification. You should say no unless you know what
e84c5480 34 this is.
ccb778e1 35
36config CRYPTO_FIPS_NAME
37 string "FIPS Module Name"
38 default "Linux Kernel Cryptographic API"
39 depends on CRYPTO_FIPS
40 help
41 This option sets the FIPS Module name reported by the Crypto API via
42 the /proc/sys/crypto/fips_name file.
43
44config CRYPTO_FIPS_CUSTOM_VERSION
45 bool "Use Custom FIPS Module Version"
46 depends on CRYPTO_FIPS
47 default n
48
49config CRYPTO_FIPS_VERSION
50 string "FIPS Module Version"
51 default "(none)"
52 depends on CRYPTO_FIPS_CUSTOM_VERSION
53 help
54 This option provides the ability to override the FIPS Module Version.
55 By default the KERNELRELEASE value is used.
56
cce9e06d
HX
57config CRYPTO_ALGAPI
58 tristate
6a0fcbb4 59 select CRYPTO_ALGAPI2
cce9e06d
HX
60 help
61 This option provides the API for cryptographic algorithms.
62
6a0fcbb4
HX
63config CRYPTO_ALGAPI2
64 tristate
65
1ae97820
HX
66config CRYPTO_AEAD
67 tristate
6a0fcbb4 68 select CRYPTO_AEAD2
1ae97820
HX
69 select CRYPTO_ALGAPI
70
6a0fcbb4
HX
71config CRYPTO_AEAD2
72 tristate
73 select CRYPTO_ALGAPI2
74
6cb8815f
HX
75config CRYPTO_SIG
76 tristate
77 select CRYPTO_SIG2
78 select CRYPTO_ALGAPI
79
80config CRYPTO_SIG2
81 tristate
82 select CRYPTO_ALGAPI2
83
b95bba5d 84config CRYPTO_SKCIPHER
5cde0af2 85 tristate
b95bba5d 86 select CRYPTO_SKCIPHER2
5cde0af2 87 select CRYPTO_ALGAPI
84534684 88 select CRYPTO_ECB
6a0fcbb4 89
b95bba5d 90config CRYPTO_SKCIPHER2
6a0fcbb4
HX
91 tristate
92 select CRYPTO_ALGAPI2
5cde0af2 93
055bcee3
HX
94config CRYPTO_HASH
95 tristate
6a0fcbb4 96 select CRYPTO_HASH2
055bcee3
HX
97 select CRYPTO_ALGAPI
98
6a0fcbb4
HX
99config CRYPTO_HASH2
100 tristate
101 select CRYPTO_ALGAPI2
102
17f0f4a4
NH
103config CRYPTO_RNG
104 tristate
6a0fcbb4 105 select CRYPTO_RNG2
17f0f4a4
NH
106 select CRYPTO_ALGAPI
107
6a0fcbb4
HX
108config CRYPTO_RNG2
109 tristate
110 select CRYPTO_ALGAPI2
111
401e4238
HX
112config CRYPTO_RNG_DEFAULT
113 tristate
114 select CRYPTO_DRBG_MENU
115
3c339ab8
TS
116config CRYPTO_AKCIPHER2
117 tristate
118 select CRYPTO_ALGAPI2
119
120config CRYPTO_AKCIPHER
121 tristate
122 select CRYPTO_AKCIPHER2
123 select CRYPTO_ALGAPI
124
4e5f2c40
SB
125config CRYPTO_KPP2
126 tristate
127 select CRYPTO_ALGAPI2
128
129config CRYPTO_KPP
130 tristate
131 select CRYPTO_ALGAPI
132 select CRYPTO_KPP2
133
2ebda74f
GC
134config CRYPTO_ACOMP2
135 tristate
136 select CRYPTO_ALGAPI2
8cd579d2 137 select SGL_ALLOC
2ebda74f
GC
138
139config CRYPTO_ACOMP
140 tristate
141 select CRYPTO_ALGAPI
142 select CRYPTO_ACOMP2
143
2b8c19db
HX
144config CRYPTO_MANAGER
145 tristate "Cryptographic algorithm manager"
6a0fcbb4 146 select CRYPTO_MANAGER2
2b8c19db
HX
147 help
148 Create default cryptographic template instantiations such as
149 cbc(aes).
150
6a0fcbb4
HX
151config CRYPTO_MANAGER2
152 def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
fb28fabf 153 select CRYPTO_ACOMP2
6a0fcbb4 154 select CRYPTO_AEAD2
946cc463 155 select CRYPTO_AKCIPHER2
6cb8815f 156 select CRYPTO_SIG2
fb28fabf 157 select CRYPTO_HASH2
4e5f2c40 158 select CRYPTO_KPP2
fb28fabf
HX
159 select CRYPTO_RNG2
160 select CRYPTO_SKCIPHER2
6a0fcbb4 161
a38f7907
SK
162config CRYPTO_USER
163 tristate "Userspace cryptographic algorithm configuration"
5db017aa 164 depends on NET
a38f7907
SK
165 select CRYPTO_MANAGER
166 help
d19978f5 167 Userspace configuration for cryptographic instantiations such as
a38f7907
SK
168 cbc(aes).
169
326a6346
HX
170config CRYPTO_MANAGER_DISABLE_TESTS
171 bool "Disable run-time self tests"
00ca28a5 172 default y
0b767f96 173 help
326a6346
HX
174 Disable run-time self tests that normally take place at
175 algorithm registration.
0b767f96 176
5b2706a4
EB
177config CRYPTO_MANAGER_EXTRA_TESTS
178 bool "Enable extra run-time crypto self tests"
6569e309 179 depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER
5b2706a4
EB
180 help
181 Enable extra run-time self tests of registered crypto algorithms,
182 including randomized fuzz tests.
183
184 This is intended for developer use only, as these tests take much
185 longer to run than the normal self tests.
186
1da177e4
LT
187config CRYPTO_NULL
188 tristate "Null algorithms"
149a3971 189 select CRYPTO_NULL2
1da177e4
LT
190 help
191 These are 'Null' algorithms, used by IPsec, which do nothing.
192
149a3971 193config CRYPTO_NULL2
dd43c4e9 194 tristate
149a3971 195 select CRYPTO_ALGAPI2
b95bba5d 196 select CRYPTO_SKCIPHER2
149a3971
HX
197 select CRYPTO_HASH2
198
5068c7a8 199config CRYPTO_PCRYPT
3b4afaf2
KC
200 tristate "Parallel crypto engine"
201 depends on SMP
5068c7a8
SK
202 select PADATA
203 select CRYPTO_MANAGER
204 select CRYPTO_AEAD
205 help
206 This converts an arbitrary crypto algorithm into a parallel
207 algorithm that executes in kernel threads.
208
584fffc8
SS
209config CRYPTO_CRYPTD
210 tristate "Software async crypto daemon"
b95bba5d 211 select CRYPTO_SKCIPHER
b8a28251 212 select CRYPTO_HASH
584fffc8 213 select CRYPTO_MANAGER
1da177e4 214 help
584fffc8
SS
215 This is a generic software asynchronous crypto daemon that
216 converts an arbitrary synchronous software crypto algorithm
217 into an asynchronous algorithm that executes in a kernel thread.
1da177e4 218
584fffc8
SS
219config CRYPTO_AUTHENC
220 tristate "Authenc support"
221 select CRYPTO_AEAD
b95bba5d 222 select CRYPTO_SKCIPHER
584fffc8
SS
223 select CRYPTO_MANAGER
224 select CRYPTO_HASH
e94c6a7a 225 select CRYPTO_NULL
1da177e4 226 help
584fffc8 227 Authenc: Combined mode wrapper for IPsec.
cf514b2a
RE
228
229 This is required for IPSec ESP (XFRM_ESP).
1da177e4 230
584fffc8
SS
231config CRYPTO_TEST
232 tristate "Testing module"
00ea27f1 233 depends on m || EXPERT
da7f033d 234 select CRYPTO_MANAGER
1da177e4 235 help
584fffc8 236 Quick & dirty crypto test module.
1da177e4 237
266d0516
HX
238config CRYPTO_SIMD
239 tristate
ffaf9156
JK
240 select CRYPTO_CRYPTD
241
735d37b5
BW
242config CRYPTO_ENGINE
243 tristate
244
f1f142ad
RE
245endmenu
246
247menu "Public-key cryptography"
3d6228a5
VC
248
249config CRYPTO_RSA
05b37465 250 tristate "RSA (Rivest-Shamir-Adleman)"
3d6228a5
VC
251 select CRYPTO_AKCIPHER
252 select CRYPTO_MANAGER
253 select MPILIB
254 select ASN1
255 help
05b37465 256 RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017)
3d6228a5
VC
257
258config CRYPTO_DH
05b37465 259 tristate "DH (Diffie-Hellman)"
3d6228a5
VC
260 select CRYPTO_KPP
261 select MPILIB
262 help
05b37465 263 DH (Diffie-Hellman) key exchange algorithm
3d6228a5 264
7dce5981 265config CRYPTO_DH_RFC7919_GROUPS
05b37465 266 bool "RFC 7919 FFDHE groups"
7dce5981 267 depends on CRYPTO_DH
1e207964 268 select CRYPTO_RNG_DEFAULT
7dce5981 269 help
05b37465
RE
270 FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups
271 defined in RFC7919.
272
273 Support these finite-field groups in DH key exchanges:
274 - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
275
276 If unsure, say N.
7dce5981 277
4a2289da
VC
278config CRYPTO_ECC
279 tristate
38aa192a 280 select CRYPTO_RNG_DEFAULT
4a2289da 281
3d6228a5 282config CRYPTO_ECDH
05b37465 283 tristate "ECDH (Elliptic Curve Diffie-Hellman)"
4a2289da 284 select CRYPTO_ECC
3d6228a5 285 select CRYPTO_KPP
3d6228a5 286 help
05b37465
RE
287 ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm
288 using curves P-192, P-256, and P-384 (FIPS 186)
3d6228a5 289
4e660291 290config CRYPTO_ECDSA
05b37465 291 tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)"
4e660291
SB
292 select CRYPTO_ECC
293 select CRYPTO_AKCIPHER
294 select ASN1
295 help
05b37465
RE
296 ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186,
297 ISO/IEC 14888-3)
298 using curves P-192, P-256, and P-384
299
300 Only signature verification is implemented.
4e660291 301
0d7a7864 302config CRYPTO_ECRDSA
05b37465 303 tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)"
0d7a7864
VC
304 select CRYPTO_ECC
305 select CRYPTO_AKCIPHER
306 select CRYPTO_STREEBOG
1036633e
VC
307 select OID_REGISTRY
308 select ASN1
0d7a7864
VC
309 help
310 Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
05b37465
RE
311 RFC 7091, ISO/IEC 14888-3)
312
313 One of the Russian cryptographic standard algorithms (called GOST
314 algorithms). Only signature verification is implemented.
0d7a7864 315
ea7ecb66 316config CRYPTO_SM2
05b37465 317 tristate "SM2 (ShangMi 2)"
d2825fa9 318 select CRYPTO_SM3
ea7ecb66
TZ
319 select CRYPTO_AKCIPHER
320 select CRYPTO_MANAGER
321 select MPILIB
322 select ASN1
323 help
05b37465
RE
324 SM2 (ShangMi 2) public key algorithm
325
326 Published by State Encryption Management Bureau, China,
ea7ecb66
TZ
327 as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012.
328
329 References:
05b37465 330 https://datatracker.ietf.org/doc/draft-shen-sm2-ecdsa/
ea7ecb66
TZ
331 http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml
332 http://www.gmbz.org.cn/main/bzlb.html
333
ee772cb6 334config CRYPTO_CURVE25519
05b37465 335 tristate "Curve25519"
ee772cb6
AB
336 select CRYPTO_KPP
337 select CRYPTO_LIB_CURVE25519_GENERIC
05b37465
RE
338 help
339 Curve25519 elliptic curve (RFC7748)
ee772cb6 340
f1f142ad 341endmenu
cd12fb90 342
f1f142ad 343menu "Block ciphers"
1da177e4 344
f1f142ad 345config CRYPTO_AES
cf514b2a 346 tristate "AES (Advanced Encryption Standard)"
f1f142ad
RE
347 select CRYPTO_ALGAPI
348 select CRYPTO_LIB_AES
1da177e4 349 help
cf514b2a 350 AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
1da177e4 351
f1f142ad
RE
352 Rijndael appears to be consistently a very good performer in
353 both hardware and software across a wide range of computing
354 environments regardless of its use in feedback or non-feedback
355 modes. Its key setup time is excellent, and its key agility is
356 good. Rijndael's very low memory requirements make it very well
357 suited for restricted-space environments, in which it also
358 demonstrates excellent performance. Rijndael's operations are
359 among the easiest to defend against power and timing attacks.
71ebc4d1 360
f1f142ad 361 The AES specifies three key sizes: 128, 192 and 256 bits
71ebc4d1 362
f1f142ad 363config CRYPTO_AES_TI
cf514b2a 364 tristate "AES (Advanced Encryption Standard) (fixed time)"
f1f142ad
RE
365 select CRYPTO_ALGAPI
366 select CRYPTO_LIB_AES
f606a88e 367 help
cf514b2a
RE
368 AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
369
f1f142ad
RE
370 This is a generic implementation of AES that attempts to eliminate
371 data dependent latencies as much as possible without affecting
372 performance too much. It is intended for use by the generic CCM
373 and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
374 solely on encryption (although decryption is supported as well, but
375 with a more dramatic performance hit)
f606a88e 376
f1f142ad
RE
377 Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
378 8 for decryption), this implementation only uses just two S-boxes of
379 256 bytes each, and attempts to eliminate data dependent latencies by
380 prefetching the entire table into the cache at the start of each
381 block. Interrupts are also disabled to avoid races where cachelines
382 are evicted when the CPU is interrupted to do something else.
a4397635 383
f1f142ad 384config CRYPTO_ANUBIS
cf514b2a 385 tristate "Anubis"
f1f142ad
RE
386 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
387 select CRYPTO_ALGAPI
1da177e4 388 help
cf514b2a 389 Anubis cipher algorithm
1da177e4 390
f1f142ad
RE
391 Anubis is a variable key length cipher which can use keys from
392 128 bits to 320 bits in length. It was evaluated as an entrant
393 in the NESSIE competition.
a10f554f 394
cf514b2a
RE
395 See https://web.archive.org/web/20160606112246/http://www.larc.usp.br/~pbarreto/AnubisPage.html
396 for further information.
c494e070 397
f1f142ad 398config CRYPTO_ARIA
cf514b2a 399 tristate "ARIA"
f1f142ad 400 select CRYPTO_ALGAPI
db131ef9 401 help
cf514b2a 402 ARIA cipher algorithm (RFC5794)
db131ef9 403
f1f142ad
RE
404 ARIA is a standard encryption algorithm of the Republic of Korea.
405 The ARIA specifies three key sizes and rounds.
406 128-bit: 12 rounds.
407 192-bit: 14 rounds.
408 256-bit: 16 rounds.
a7d85e06 409
cf514b2a
RE
410 See:
411 https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do
db131ef9 412
f1f142ad 413config CRYPTO_BLOWFISH
cf514b2a 414 tristate "Blowfish"
f1f142ad
RE
415 select CRYPTO_ALGAPI
416 select CRYPTO_BLOWFISH_COMMON
584fffc8 417 help
cf514b2a 418 Blowfish cipher algorithm, by Bruce Schneier
584fffc8 419
f1f142ad
RE
420 This is a variable key length cipher which can use keys from 32
421 bits to 448 bits in length. It's fast, simple and specifically
422 designed for use on "large microprocessors".
ecd6d5c9 423
cf514b2a 424 See https://www.schneier.com/blowfish.html for further information.
f1f142ad
RE
425
426config CRYPTO_BLOWFISH_COMMON
427 tristate
91652be5 428 help
f1f142ad
RE
429 Common parts of the Blowfish cipher algorithm shared by the
430 generic c and the assembler implementations.
91652be5 431
f1f142ad 432config CRYPTO_CAMELLIA
cf514b2a 433 tristate "Camellia"
f1f142ad 434 select CRYPTO_ALGAPI
64470f1b 435 help
cf514b2a 436 Camellia cipher algorithms (ISO/IEC 18033-3)
64470f1b 437
f1f142ad
RE
438 Camellia is a symmetric key block cipher developed jointly
439 at NTT and Mitsubishi Electric Corporation.
440
441 The Camellia specifies three key sizes: 128, 192 and 256 bits.
442
cf514b2a 443 See https://info.isl.ntt.co.jp/crypt/eng/camellia/ for further information.
f1f142ad
RE
444
445config CRYPTO_CAST_COMMON
446 tristate
e497c518 447 help
f1f142ad
RE
448 Common parts of the CAST cipher algorithms shared by the
449 generic c and the assembler implementations.
e497c518 450
f1f142ad 451config CRYPTO_CAST5
cf514b2a 452 tristate "CAST5 (CAST-128)"
f1f142ad
RE
453 select CRYPTO_ALGAPI
454 select CRYPTO_CAST_COMMON
584fffc8 455 help
cf514b2a 456 CAST5 (CAST-128) cipher algorithm (RFC2144, ISO/IEC 18033-3)
584fffc8 457
f1f142ad 458config CRYPTO_CAST6
cf514b2a 459 tristate "CAST6 (CAST-256)"
f1f142ad
RE
460 select CRYPTO_ALGAPI
461 select CRYPTO_CAST_COMMON
17fee07a 462 help
cf514b2a 463 CAST6 (CAST-256) encryption algorithm (RFC2612)
17fee07a 464
f1f142ad 465config CRYPTO_DES
cf514b2a 466 tristate "DES and Triple DES EDE"
f1f142ad
RE
467 select CRYPTO_ALGAPI
468 select CRYPTO_LIB_DES
f19f5111 469 help
cf514b2a
RE
470 DES (Data Encryption Standard)(FIPS 46-2, ISO/IEC 18033-3) and
471 Triple DES EDE (Encrypt/Decrypt/Encrypt) (FIPS 46-3, ISO/IEC 18033-3)
472 cipher algorithms
f19f5111 473
f1f142ad 474config CRYPTO_FCRYPT
cf514b2a 475 tristate "FCrypt"
f1f142ad 476 select CRYPTO_ALGAPI
b95bba5d 477 select CRYPTO_SKCIPHER
1c49678e 478 help
cf514b2a
RE
479 FCrypt algorithm used by RxRPC
480
481 See https://ota.polyonymo.us/fcrypt-paper.txt
1c49678e 482
f1f142ad 483config CRYPTO_KHAZAD
cf514b2a 484 tristate "Khazad"
f1f142ad
RE
485 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
486 select CRYPTO_ALGAPI
487 help
cf514b2a 488 Khazad cipher algorithm
f1f142ad
RE
489
490 Khazad was a finalist in the initial NESSIE competition. It is
491 an algorithm optimized for 64-bit processors with good performance
492 on 32-bit processors. Khazad uses a 128-bit key size.
493
cf514b2a
RE
494 See https://web.archive.org/web/20171011071731/http://www.larc.usp.br/~pbarreto/KhazadPage.html
495 for further information.
f1f142ad
RE
496
497config CRYPTO_SEED
cf514b2a 498 tristate "SEED"
f1f142ad
RE
499 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
500 select CRYPTO_ALGAPI
501 help
cf514b2a 502 SEED cipher algorithm (RFC4269, ISO/IEC 18033-3)
f1f142ad
RE
503
504 SEED is a 128-bit symmetric key block cipher that has been
505 developed by KISA (Korea Information Security Agency) as a
506 national standard encryption algorithm of the Republic of Korea.
507 It is a 16 round block cipher with the key size of 128 bit.
508
cf514b2a
RE
509 See https://seed.kisa.or.kr/kisa/algorithm/EgovSeedInfo.do
510 for further information.
f1f142ad
RE
511
512config CRYPTO_SERPENT
cf514b2a 513 tristate "Serpent"
f1f142ad
RE
514 select CRYPTO_ALGAPI
515 help
cf514b2a 516 Serpent cipher algorithm, by Anderson, Biham & Knudsen
f1f142ad
RE
517
518 Keys are allowed to be from 0 to 256 bits in length, in steps
519 of 8 bits.
520
cf514b2a 521 See https://www.cl.cam.ac.uk/~rja14/serpent.html for further information.
f1f142ad
RE
522
523config CRYPTO_SM4
524 tristate
525
526config CRYPTO_SM4_GENERIC
cf514b2a 527 tristate "SM4 (ShangMi 4)"
f1f142ad
RE
528 select CRYPTO_ALGAPI
529 select CRYPTO_SM4
530 help
cf514b2a
RE
531 SM4 cipher algorithms (OSCCA GB/T 32907-2016,
532 ISO/IEC 18033-3:2010/Amd 1:2021)
f1f142ad
RE
533
534 SM4 (GBT.32907-2016) is a cryptographic standard issued by the
535 Organization of State Commercial Administration of China (OSCCA)
536 as an authorized cryptographic algorithm for use within China.
537
538 SMS4 was originally created for use in protecting wireless
539 networks, and is mandated in the Chinese National Standard for
540 Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
541 (GB.15629.11-2003).
542
543 The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
544 standardized through TC 260 of the Standardization Administration
545 of the People's Republic of China (SAC).
546
547 The input, output, and key of SMS4 are each 128 bits.
548
cf514b2a 549 See https://eprint.iacr.org/2008/329.pdf for further information.
f1f142ad
RE
550
551 If unsure, say N.
552
553config CRYPTO_TEA
cf514b2a 554 tristate "TEA, XTEA and XETA"
f1f142ad
RE
555 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
556 select CRYPTO_ALGAPI
557 help
cf514b2a 558 TEA (Tiny Encryption Algorithm) cipher algorithms
f1f142ad
RE
559
560 Tiny Encryption Algorithm is a simple cipher that uses
561 many rounds for security. It is very fast and uses
562 little memory.
563
564 Xtended Tiny Encryption Algorithm is a modification to
565 the TEA algorithm to address a potential key weakness
566 in the TEA algorithm.
567
568 Xtended Encryption Tiny Algorithm is a mis-implementation
569 of the XTEA algorithm for compatibility purposes.
570
571config CRYPTO_TWOFISH
cf514b2a 572 tristate "Twofish"
f1f142ad
RE
573 select CRYPTO_ALGAPI
574 select CRYPTO_TWOFISH_COMMON
575 help
cf514b2a 576 Twofish cipher algorithm
f1f142ad
RE
577
578 Twofish was submitted as an AES (Advanced Encryption Standard)
579 candidate cipher by researchers at CounterPane Systems. It is a
580 16 round block cipher supporting key sizes of 128, 192, and 256
581 bits.
582
cf514b2a 583 See https://www.schneier.com/twofish.html for further information.
f1f142ad
RE
584
585config CRYPTO_TWOFISH_COMMON
586 tristate
587 help
588 Common parts of the Twofish cipher algorithm shared by the
589 generic c and the assembler implementations.
590
591endmenu
592
593menu "Length-preserving ciphers and modes"
26609a21 594
059c2a4d 595config CRYPTO_ADIANTUM
cf514b2a 596 tristate "Adiantum"
059c2a4d 597 select CRYPTO_CHACHA20
48ea8c6e 598 select CRYPTO_LIB_POLY1305_GENERIC
059c2a4d 599 select CRYPTO_NHPOLY1305
c8a3315a 600 select CRYPTO_MANAGER
059c2a4d 601 help
cf514b2a
RE
602 Adiantum tweakable, length-preserving encryption mode
603
604 Designed for fast and secure disk encryption, especially on
059c2a4d
EB
605 CPUs without dedicated crypto instructions. It encrypts
606 each sector using the XChaCha12 stream cipher, two passes of
607 an ε-almost-∆-universal hash function, and an invocation of
608 the AES-256 block cipher on a single 16-byte block. On CPUs
609 without AES instructions, Adiantum is much faster than
610 AES-XTS.
611
612 Adiantum's security is provably reducible to that of its
613 underlying stream and block ciphers, subject to a security
614 bound. Unlike XTS, Adiantum is a true wide-block encryption
615 mode, so it actually provides an even stronger notion of
616 security than XTS, subject to the security bound.
617
618 If unsure, say N.
619
f1f142ad 620config CRYPTO_ARC4
cf514b2a 621 tristate "ARC4 (Alleged Rivest Cipher 4)"
f1f142ad
RE
622 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
623 select CRYPTO_SKCIPHER
624 select CRYPTO_LIB_ARC4
7ff554ce 625 help
cf514b2a 626 ARC4 cipher algorithm
7ff554ce 627
f1f142ad
RE
628 ARC4 is a stream cipher using keys ranging from 8 bits to 2048
629 bits in length. This algorithm is required for driver-based
630 WEP, but it should not be for other purposes because of the
631 weakness of the algorithm.
632
633config CRYPTO_CHACHA20
cf514b2a 634 tristate "ChaCha"
f1f142ad
RE
635 select CRYPTO_LIB_CHACHA_GENERIC
636 select CRYPTO_SKCIPHER
be1eb7f7 637 help
cf514b2a 638 The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms
be1eb7f7 639
f1f142ad
RE
640 ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
641 Bernstein and further specified in RFC7539 for use in IETF protocols.
cf514b2a
RE
642 This is the portable C implementation of ChaCha20. See
643 https://cr.yp.to/chacha/chacha-20080128.pdf for further information.
be1eb7f7 644
f1f142ad
RE
645 XChaCha20 is the application of the XSalsa20 construction to ChaCha20
646 rather than to Salsa20. XChaCha20 extends ChaCha20's nonce length
647 from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
cf514b2a
RE
648 while provably retaining ChaCha20's security. See
649 https://cr.yp.to/snuffle/xsalsa-20081128.pdf for further information.
be1eb7f7 650
f1f142ad
RE
651 XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
652 reduced security margin but increased performance. It can be needed
653 in some performance-sensitive scenarios.
584fffc8 654
f1f142ad 655config CRYPTO_CBC
cf514b2a 656 tristate "CBC (Cipher Block Chaining)"
f1f142ad 657 select CRYPTO_SKCIPHER
93b5e86a
JK
658 select CRYPTO_MANAGER
659 help
cf514b2a
RE
660 CBC (Cipher Block Chaining) mode (NIST SP800-38A)
661
662 This block cipher mode is required for IPSec ESP (XFRM_ESP).
93b5e86a 663
f1f142ad 664config CRYPTO_CFB
cf514b2a 665 tristate "CFB (Cipher Feedback)"
f1f142ad 666 select CRYPTO_SKCIPHER
23e353c8 667 select CRYPTO_MANAGER
23e353c8 668 help
cf514b2a
RE
669 CFB (Cipher Feedback) mode (NIST SP800-38A)
670
671 This block cipher mode is required for TPM2 Cryptography.
23e353c8 672
f1f142ad 673config CRYPTO_CTR
cf514b2a 674 tristate "CTR (Counter)"
f1f142ad 675 select CRYPTO_SKCIPHER
584fffc8 676 select CRYPTO_MANAGER
76cb9521 677 help
cf514b2a 678 CTR (Counter) mode (NIST SP800-38A)
76cb9521 679
f1f142ad 680config CRYPTO_CTS
cf514b2a 681 tristate "CTS (Cipher Text Stealing)"
f1f142ad 682 select CRYPTO_SKCIPHER
f1939f7c
SW
683 select CRYPTO_MANAGER
684 help
cf514b2a
RE
685 CBC-CS3 variant of CTS (Cipher Text Stealing) (NIST
686 Addendum to SP800-38A (October 2010))
687
f1f142ad
RE
688 This mode is required for Kerberos gss mechanism support
689 for AES encryption.
f1939f7c 690
f1f142ad 691config CRYPTO_ECB
cf514b2a 692 tristate "ECB (Electronic Codebook)"
84534684 693 select CRYPTO_SKCIPHER2
f1f142ad 694 select CRYPTO_MANAGER
4a49b499 695 help
cf514b2a 696 ECB (Electronic Codebook) mode (NIST SP800-38A)
4a49b499 697
f1f142ad 698config CRYPTO_HCTR2
cf514b2a 699 tristate "HCTR2"
f1f142ad
RE
700 select CRYPTO_XCTR
701 select CRYPTO_POLYVAL
702 select CRYPTO_MANAGER
78c37d19 703 help
cf514b2a
RE
704 HCTR2 length-preserving encryption mode
705
706 A mode for storage encryption that is efficient on processors with
707 instructions to accelerate AES and carryless multiplication, e.g.
708 x86 processors with AES-NI and CLMUL, and ARM processors with the
709 ARMv8 crypto extensions.
710
711 See https://eprint.iacr.org/2021/1441
78c37d19 712
f1f142ad 713config CRYPTO_KEYWRAP
cf514b2a 714 tristate "KW (AES Key Wrap)"
f1f142ad
RE
715 select CRYPTO_SKCIPHER
716 select CRYPTO_MANAGER
2cdc6899 717 help
cf514b2a
RE
718 KW (AES Key Wrap) authenticated encryption mode (NIST SP800-38F
719 and RFC3394) without padding.
2cdc6899 720
f1f142ad 721config CRYPTO_LRW
cf514b2a 722 tristate "LRW (Liskov Rivest Wagner)"
61c581a4 723 select CRYPTO_LIB_GF128MUL
f1f142ad
RE
724 select CRYPTO_SKCIPHER
725 select CRYPTO_MANAGER
f1f142ad 726 select CRYPTO_ECB
f3c923a0 727 help
cf514b2a
RE
728 LRW (Liskov Rivest Wagner) mode
729
730 A tweakable, non malleable, non movable
f1f142ad
RE
731 narrow block cipher mode for dm-crypt. Use it with cipher
732 specification string aes-lrw-benbi, the key must be 256, 320 or 384 bits.
733 The first 128, 192 or 256 bits in the key are used for AES and the
734 rest is used to tie each cipher block to its logical position.
f3c923a0 735
cf514b2a
RE
736 See https://people.csail.mit.edu/rivest/pubs/LRW02.pdf
737
f1f142ad 738config CRYPTO_OFB
cf514b2a 739 tristate "OFB (Output Feedback)"
f1f142ad
RE
740 select CRYPTO_SKCIPHER
741 select CRYPTO_MANAGER
f979e014 742 help
cf514b2a
RE
743 OFB (Output Feedback) mode (NIST SP800-38A)
744
745 This mode makes a block cipher into a synchronous
f1f142ad
RE
746 stream cipher. It generates keystream blocks, which are then XORed
747 with the plaintext blocks to get the ciphertext. Flipping a bit in the
748 ciphertext produces a flipped bit in the plaintext at the same
749 location. This property allows many error correcting codes to function
750 normally even when applied before encryption.
f979e014 751
f1f142ad 752config CRYPTO_PCBC
cf514b2a 753 tristate "PCBC (Propagating Cipher Block Chaining)"
f1f142ad
RE
754 select CRYPTO_SKCIPHER
755 select CRYPTO_MANAGER
124b53d0 756 help
cf514b2a
RE
757 PCBC (Propagating Cipher Block Chaining) mode
758
759 This block cipher mode is required for RxRPC.
124b53d0 760
f1f142ad
RE
761config CRYPTO_XCTR
762 tristate
763 select CRYPTO_SKCIPHER
764 select CRYPTO_MANAGER
1da177e4 765 help
cf514b2a
RE
766 XCTR (XOR Counter) mode for HCTR2
767
768 This blockcipher mode is a variant of CTR mode using XORs and little-endian
769 addition rather than big-endian arithmetic.
770
f1f142ad 771 XCTR mode is used to implement HCTR2.
1da177e4 772
f1f142ad 773config CRYPTO_XTS
cf514b2a 774 tristate "XTS (XOR Encrypt XOR with ciphertext stealing)"
f1f142ad
RE
775 select CRYPTO_SKCIPHER
776 select CRYPTO_MANAGER
777 select CRYPTO_ECB
90831639 778 help
cf514b2a
RE
779 XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
780 and IEEE 1619)
781
782 Use with aes-xts-plain, key size 256, 384 or 512 bits. This
783 implementation currently can't handle a sectorsize which is not a
784 multiple of 16 bytes.
90831639 785
f1f142ad
RE
786config CRYPTO_NHPOLY1305
787 tristate
e5835fba 788 select CRYPTO_HASH
f1f142ad 789 select CRYPTO_LIB_POLY1305_GENERIC
534fe2c1 790
f1f142ad 791endmenu
534fe2c1 792
f1f142ad 793menu "AEAD (authenticated encryption with associated data) ciphers"
1da177e4 794
f1f142ad 795config CRYPTO_AEGIS128
e3d2eadd 796 tristate "AEGIS-128"
f1f142ad
RE
797 select CRYPTO_AEAD
798 select CRYPTO_AES # for AES S-box tables
1da177e4 799 help
e3d2eadd 800 AEGIS-128 AEAD algorithm
2729bb42 801
f1f142ad 802config CRYPTO_AEGIS128_SIMD
e3d2eadd 803 bool "AEGIS-128 (arm NEON, arm64 NEON)"
f1f142ad
RE
804 depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
805 default y
e3d2eadd
RE
806 help
807 AEGIS-128 AEAD algorithm
808
809 Architecture: arm or arm64 using:
810 - NEON (Advanced SIMD) extension
584fffc8 811
f1f142ad 812config CRYPTO_CHACHA20POLY1305
e3d2eadd 813 tristate "ChaCha20-Poly1305"
f1f142ad
RE
814 select CRYPTO_CHACHA20
815 select CRYPTO_POLY1305
816 select CRYPTO_AEAD
817 select CRYPTO_MANAGER
b9f535ff 818 help
e3d2eadd
RE
819 ChaCha20 stream cipher and Poly1305 authenticator combined
820 mode (RFC8439)
b9f535ff 821
f1f142ad 822config CRYPTO_CCM
cf514b2a 823 tristate "CCM (Counter with Cipher Block Chaining-MAC)"
f1f142ad 824 select CRYPTO_CTR
53964b9e 825 select CRYPTO_HASH
f1f142ad
RE
826 select CRYPTO_AEAD
827 select CRYPTO_MANAGER
53964b9e 828 help
e3d2eadd
RE
829 CCM (Counter with Cipher Block Chaining-Message Authentication Code)
830 authenticated encryption mode (NIST SP800-38C)
d2825fa9 831
f1f142ad 832config CRYPTO_GCM
cf514b2a 833 tristate "GCM (Galois/Counter Mode) and GMAC (GCM MAC)"
f1f142ad
RE
834 select CRYPTO_CTR
835 select CRYPTO_AEAD
836 select CRYPTO_GHASH
837 select CRYPTO_NULL
838 select CRYPTO_MANAGER
4f0fc160 839 help
e3d2eadd
RE
840 GCM (Galois/Counter Mode) authenticated encryption mode and GMAC
841 (GCM Message Authentication Code) (NIST SP800-38D)
842
843 This is required for IPSec ESP (XFRM_ESP).
4f0fc160 844
ba51738f
HX
845config CRYPTO_GENIV
846 tristate
f1f142ad 847 select CRYPTO_AEAD
f1f142ad 848 select CRYPTO_NULL
f1f142ad 849 select CRYPTO_MANAGER
ba51738f
HX
850 select CRYPTO_RNG_DEFAULT
851
852config CRYPTO_SEQIV
853 tristate "Sequence Number IV Generator"
854 select CRYPTO_GENIV
fe18957e 855 help
e3d2eadd
RE
856 Sequence Number IV generator
857
f1f142ad 858 This IV generator generates an IV based on a sequence number by
e3d2eadd
RE
859 xoring it with a salt. This algorithm is mainly useful for CTR.
860
861 This is required for IPsec ESP (XFRM_ESP).
fe18957e 862
f1f142ad
RE
863config CRYPTO_ECHAINIV
864 tristate "Encrypted Chain IV Generator"
ba51738f 865 select CRYPTO_GENIV
1da177e4 866 help
e3d2eadd
RE
867 Encrypted Chain IV generator
868
f1f142ad
RE
869 This IV generator generates an IV based on the encryption of
870 a sequence number xored with a salt. This is the default
871 algorithm for CBC.
1da177e4 872
f1f142ad 873config CRYPTO_ESSIV
e3d2eadd 874 tristate "Encrypted Salt-Sector IV Generator"
f1f142ad 875 select CRYPTO_AUTHENC
1da177e4 876 help
e3d2eadd
RE
877 Encrypted Salt-Sector IV generator
878
879 This IV generator is used in some cases by fscrypt and/or
f1f142ad
RE
880 dm-crypt. It uses the hash of the block encryption key as the
881 symmetric key for a block encryption pass applied to the input
882 IV, making low entropy IV sources more suitable for block
883 encryption.
1da177e4 884
f1f142ad
RE
885 This driver implements a crypto API template that can be
886 instantiated either as an skcipher or as an AEAD (depending on the
887 type of the first template argument), and which defers encryption
888 and decryption requests to the encapsulated cipher after applying
889 ESSIV to the input IV. Note that in the AEAD case, it is assumed
890 that the keys are presented in the same format used by the authenc
891 template, and that the IV appears at the end of the authenticated
892 associated data (AAD) region (which is how dm-crypt uses it.)
1da177e4 893
f1f142ad
RE
894 Note that the use of ESSIV is not recommended for new deployments,
895 and so this only needs to be enabled when interoperability with
896 existing encrypted volumes of filesystems is required, or when
897 building for a particular system that requires it (e.g., when
898 the SoC in question has accelerated CBC but not XTS, making CBC
899 combined with ESSIV the only feasible mode for h/w accelerated
900 block encryption)
1da177e4 901
f1f142ad 902endmenu
b5e0b032 903
f1f142ad 904menu "Hashes, digests, and MACs"
b5e0b032 905
f1f142ad 906config CRYPTO_BLAKE2B
3f342a23 907 tristate "BLAKE2b"
f1f142ad 908 select CRYPTO_HASH
584fffc8 909 help
3f342a23 910 BLAKE2b cryptographic hash function (RFC 7693)
584fffc8 911
3f342a23
RE
912 BLAKE2b is optimized for 64-bit platforms and can produce digests
913 of any size between 1 and 64 bytes. The keyed hash is also implemented.
584fffc8 914
3f342a23 915 This module provides the following algorithms:
f1f142ad
RE
916 - blake2b-160
917 - blake2b-256
918 - blake2b-384
919 - blake2b-512
584fffc8 920
3f342a23
RE
921 Used by the btrfs filesystem.
922
f1f142ad 923 See https://blake2.net for further information.
584fffc8 924
f1f142ad 925config CRYPTO_CMAC
3f342a23 926 tristate "CMAC (Cipher-based MAC)"
f1f142ad
RE
927 select CRYPTO_HASH
928 select CRYPTO_MANAGER
584fffc8 929 help
3f342a23
RE
930 CMAC (Cipher-based Message Authentication Code) authentication
931 mode (NIST SP800-38B and IETF RFC4493)
584fffc8 932
f1f142ad 933config CRYPTO_GHASH
3f342a23 934 tristate "GHASH"
f1f142ad 935 select CRYPTO_HASH
61c581a4 936 select CRYPTO_LIB_GF128MUL
52ba867c 937 help
3f342a23 938 GCM GHASH function (NIST SP800-38D)
52ba867c 939
f1f142ad 940config CRYPTO_HMAC
3f342a23 941 tristate "HMAC (Keyed-Hash MAC)"
f1f142ad
RE
942 select CRYPTO_HASH
943 select CRYPTO_MANAGER
584fffc8 944 help
3f342a23
RE
945 HMAC (Keyed-Hash Message Authentication Code) (FIPS 198 and
946 RFC2104)
947
948 This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
584fffc8 949
f1f142ad 950config CRYPTO_MD4
3f342a23 951 tristate "MD4"
f1f142ad 952 select CRYPTO_HASH
044ab525 953 help
3f342a23 954 MD4 message digest algorithm (RFC1320)
044ab525 955
f1f142ad 956config CRYPTO_MD5
3f342a23 957 tristate "MD5"
f1f142ad 958 select CRYPTO_HASH
1da177e4 959 help
3f342a23 960 MD5 message digest algorithm (RFC1321)
1da177e4 961
f1f142ad 962config CRYPTO_MICHAEL_MIC
3f342a23 963 tristate "Michael MIC"
f1f142ad 964 select CRYPTO_HASH
1da177e4 965 help
3f342a23
RE
966 Michael MIC (Message Integrity Code) (IEEE 802.11i)
967
968 Defined by the IEEE 802.11i TKIP (Temporal Key Integrity Protocol),
969 known as WPA (Wi-Fi Protected Access).
970
971 This algorithm is required for TKIP, but it should not be used for
972 other purposes because of the weakness of the algorithm.
1da177e4 973
f1f142ad
RE
974config CRYPTO_POLYVAL
975 tristate
f1f142ad 976 select CRYPTO_HASH
61c581a4 977 select CRYPTO_LIB_GF128MUL
1da177e4 978 help
3f342a23
RE
979 POLYVAL hash function for HCTR2
980
981 This is used in HCTR2. It is not a general-purpose
f1f142ad 982 cryptographic hash function.
fb4f10ed 983
f1f142ad 984config CRYPTO_POLY1305
3f342a23 985 tristate "Poly1305"
f1f142ad
RE
986 select CRYPTO_HASH
987 select CRYPTO_LIB_POLY1305_GENERIC
1da177e4 988 help
3f342a23 989 Poly1305 authenticator algorithm (RFC7539)
1da177e4 990
f1f142ad
RE
991 Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
992 It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
993 in IETF protocols. This is the portable C implementation of Poly1305.
994
995config CRYPTO_RMD160
3f342a23 996 tristate "RIPEMD-160"
f1f142ad 997 select CRYPTO_HASH
1da177e4 998 help
3f342a23 999 RIPEMD-160 hash function (ISO/IEC 10118-3)
1da177e4 1000
f1f142ad
RE
1001 RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
1002 to be used as a secure replacement for the 128-bit hash functions
1003 MD4, MD5 and its predecessor RIPEMD
1004 (not to be confused with RIPEMD-128).
1da177e4 1005
3f342a23 1006 Its speed is comparable to SHA-1 and there are no known attacks
f1f142ad 1007 against RIPEMD-160.
1da177e4 1008
f1f142ad 1009 Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
3f342a23
RE
1010 See https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
1011 for further information.
f1f142ad
RE
1012
1013config CRYPTO_SHA1
3f342a23 1014 tristate "SHA-1"
f1f142ad
RE
1015 select CRYPTO_HASH
1016 select CRYPTO_LIB_SHA1
c08d0e64 1017 help
3f342a23 1018 SHA-1 secure hash algorithm (FIPS 180, ISO/IEC 10118-3)
c08d0e64 1019
f1f142ad 1020config CRYPTO_SHA256
3f342a23 1021 tristate "SHA-224 and SHA-256"
f1f142ad
RE
1022 select CRYPTO_HASH
1023 select CRYPTO_LIB_SHA256
1024 help
3f342a23 1025 SHA-224 and SHA-256 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
de61d7ae 1026
3f342a23
RE
1027 This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
1028 Used by the btrfs filesystem, Ceph, NFS, and SMB.
aa762409 1029
f1f142ad 1030config CRYPTO_SHA512
3f342a23 1031 tristate "SHA-384 and SHA-512"
f1f142ad 1032 select CRYPTO_HASH
1da177e4 1033 help
3f342a23 1034 SHA-384 and SHA-512 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
584fffc8 1035
f1f142ad 1036config CRYPTO_SHA3
3f342a23 1037 tristate "SHA-3"
f1f142ad 1038 select CRYPTO_HASH
e4e712bb 1039 help
3f342a23 1040 SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3)
e4e712bb 1041
f1f142ad
RE
1042config CRYPTO_SM3
1043 tristate
e4e712bb 1044
f1f142ad 1045config CRYPTO_SM3_GENERIC
3f342a23 1046 tristate "SM3 (ShangMi 3)"
f1f142ad
RE
1047 select CRYPTO_HASH
1048 select CRYPTO_SM3
1da177e4 1049 help
3f342a23
RE
1050 SM3 (ShangMi 3) secure hash function (OSCCA GM/T 0004-2012, ISO/IEC 10118-3)
1051
1052 This is part of the Chinese Commercial Cryptography suite.
1da177e4 1053
f1f142ad
RE
1054 References:
1055 http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
1056 https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
584fffc8 1057
f1f142ad 1058config CRYPTO_STREEBOG
3f342a23 1059 tristate "Streebog"
f1f142ad
RE
1060 select CRYPTO_HASH
1061 help
3f342a23
RE
1062 Streebog Hash Function (GOST R 34.11-2012, RFC 6986, ISO/IEC 10118-3)
1063
1064 This is one of the Russian cryptographic standard algorithms (called
1065 GOST algorithms). This setting enables two hash algorithms with
1066 256 and 512 bits output.
584fffc8 1067
f1f142ad
RE
1068 References:
1069 https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1070 https://tools.ietf.org/html/rfc6986
d2825fa9 1071
f1f142ad 1072config CRYPTO_VMAC
3f342a23 1073 tristate "VMAC"
f1f142ad
RE
1074 select CRYPTO_HASH
1075 select CRYPTO_MANAGER
747c8ce4 1076 help
f1f142ad
RE
1077 VMAC is a message authentication algorithm designed for
1078 very high speed on 64-bit architectures.
747c8ce4 1079
3f342a23 1080 See https://fastcrypto.org/vmac for further information.
747c8ce4 1081
f1f142ad 1082config CRYPTO_WP512
3f342a23 1083 tristate "Whirlpool"
f1f142ad
RE
1084 select CRYPTO_HASH
1085 help
3f342a23
RE
1086 Whirlpool hash function (ISO/IEC 10118-3)
1087
1088 512, 384 and 256-bit hashes.
747c8ce4 1089
f1f142ad 1090 Whirlpool-512 is part of the NESSIE cryptographic primitives.
747c8ce4 1091
3f342a23
RE
1092 See https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
1093 for further information.
747c8ce4 1094
f1f142ad 1095config CRYPTO_XCBC
3f342a23 1096 tristate "XCBC-MAC (Extended Cipher Block Chaining MAC)"
f1f142ad
RE
1097 select CRYPTO_HASH
1098 select CRYPTO_MANAGER
1099 help
3f342a23
RE
1100 XCBC-MAC (Extended Cipher Block Chaining Message Authentication
1101 Code) (RFC3566)
747c8ce4 1102
f1f142ad 1103config CRYPTO_XXHASH
3f342a23 1104 tristate "xxHash"
f1f142ad
RE
1105 select CRYPTO_HASH
1106 select XXHASH
1da177e4 1107 help
3f342a23
RE
1108 xxHash non-cryptographic hash algorithm
1109
1110 Extremely fast, working at speeds close to RAM limits.
1111
1112 Used by the btrfs filesystem.
1da177e4 1113
f1f142ad 1114endmenu
584fffc8 1115
f1f142ad 1116menu "CRCs (cyclic redundancy checks)"
584fffc8 1117
f1f142ad 1118config CRYPTO_CRC32C
ec84348d 1119 tristate "CRC32c"
f1f142ad
RE
1120 select CRYPTO_HASH
1121 select CRC32
1122 help
ec84348d
RE
1123 CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720)
1124
1125 A 32-bit CRC (cyclic redundancy check) with a polynomial defined
1126 by G. Castagnoli, S. Braeuer and M. Herrmann in "Optimization of Cyclic
1127 Redundancy-Check Codes with 24 and 32 Parity Bits", IEEE Transactions
1128 on Communications, Vol. 41, No. 6, June 1993, selected for use with
1129 iSCSI.
1130
1131 Used by btrfs, ext4, jbd2, NVMeoF/TCP, and iSCSI.
584fffc8 1132
f1f142ad 1133config CRYPTO_CRC32
ec84348d 1134 tristate "CRC32"
f1f142ad
RE
1135 select CRYPTO_HASH
1136 select CRC32
04ac7db3 1137 help
ec84348d
RE
1138 CRC32 CRC algorithm (IEEE 802.3)
1139
1140 Used by RoCEv2 and f2fs.
04ac7db3 1141
f1f142ad 1142config CRYPTO_CRCT10DIF
ec84348d 1143 tristate "CRCT10DIF"
f1f142ad
RE
1144 select CRYPTO_HASH
1145 help
ec84348d
RE
1146 CRC16 CRC algorithm used for the T10 (SCSI) Data Integrity Field (DIF)
1147
1148 CRC algorithm used by the SCSI Block Commands standard.
04ac7db3 1149
f1f142ad 1150config CRYPTO_CRC64_ROCKSOFT
ec84348d 1151 tristate "CRC64 based on Rocksoft Model algorithm"
f1f142ad
RE
1152 depends on CRC64
1153 select CRYPTO_HASH
ec84348d
RE
1154 help
1155 CRC64 CRC algorithm based on the Rocksoft Model CRC Algorithm
1156
1157 Used by the NVMe implementation of T10 DIF (BLK_DEV_INTEGRITY)
1158
1159 See https://zlib.net/crc_v3.txt
584fffc8 1160
f1f142ad 1161endmenu
584fffc8 1162
f1f142ad 1163menu "Compression"
584fffc8
SS
1164
1165config CRYPTO_DEFLATE
a9a98d49 1166 tristate "Deflate"
584fffc8 1167 select CRYPTO_ALGAPI
f6ded09d 1168 select CRYPTO_ACOMP2
584fffc8
SS
1169 select ZLIB_INFLATE
1170 select ZLIB_DEFLATE
3c09f17c 1171 help
a9a98d49 1172 Deflate compression algorithm (RFC1951)
584fffc8 1173
a9a98d49 1174 Used by IPsec with the IPCOMP protocol (RFC3173, RFC2394)
3c09f17c 1175
0b77abb3 1176config CRYPTO_LZO
a9a98d49 1177 tristate "LZO"
0b77abb3 1178 select CRYPTO_ALGAPI
ac9d2c4b 1179 select CRYPTO_ACOMP2
0b77abb3
ZS
1180 select LZO_COMPRESS
1181 select LZO_DECOMPRESS
1182 help
a9a98d49
RE
1183 LZO compression algorithm
1184
1185 See https://www.oberhumer.com/opensource/lzo/ for further information.
0b77abb3 1186
35a1fc18 1187config CRYPTO_842
a9a98d49 1188 tristate "842"
2062c5b6 1189 select CRYPTO_ALGAPI
6a8de3ae 1190 select CRYPTO_ACOMP2
2062c5b6
DS
1191 select 842_COMPRESS
1192 select 842_DECOMPRESS
35a1fc18 1193 help
a9a98d49
RE
1194 842 compression algorithm by IBM
1195
1196 See https://github.com/plauth/lib842 for further information.
0ea8530d
CM
1197
1198config CRYPTO_LZ4
a9a98d49 1199 tristate "LZ4"
0ea8530d 1200 select CRYPTO_ALGAPI
8cd9330e 1201 select CRYPTO_ACOMP2
0ea8530d
CM
1202 select LZ4_COMPRESS
1203 select LZ4_DECOMPRESS
1204 help
a9a98d49
RE
1205 LZ4 compression algorithm
1206
1207 See https://github.com/lz4/lz4 for further information.
0ea8530d
CM
1208
1209config CRYPTO_LZ4HC
a9a98d49 1210 tristate "LZ4HC"
0ea8530d 1211 select CRYPTO_ALGAPI
91d53d96 1212 select CRYPTO_ACOMP2
0ea8530d
CM
1213 select LZ4HC_COMPRESS
1214 select LZ4_DECOMPRESS
1215 help
a9a98d49
RE
1216 LZ4 high compression mode algorithm
1217
1218 See https://github.com/lz4/lz4 for further information.
35a1fc18 1219
d28fc3db 1220config CRYPTO_ZSTD
a9a98d49 1221 tristate "Zstd"
d28fc3db
NT
1222 select CRYPTO_ALGAPI
1223 select CRYPTO_ACOMP2
1224 select ZSTD_COMPRESS
1225 select ZSTD_DECOMPRESS
1226 help
a9a98d49
RE
1227 zstd compression algorithm
1228
1229 See https://github.com/facebook/zstd for further information.
d28fc3db 1230
f1f142ad
RE
1231endmenu
1232
1233menu "Random number generation"
17f0f4a4
NH
1234
1235config CRYPTO_ANSI_CPRNG
a9a98d49 1236 tristate "ANSI PRNG (Pseudo Random Number Generator)"
17f0f4a4
NH
1237 select CRYPTO_AES
1238 select CRYPTO_RNG
17f0f4a4 1239 help
a9a98d49
RE
1240 Pseudo RNG (random number generator) (ANSI X9.31 Appendix A.2.4)
1241
1242 This uses the AES cipher algorithm.
1243
1244 Note that this option must be enabled if CRYPTO_FIPS is selected
17f0f4a4 1245
f2c89a10 1246menuconfig CRYPTO_DRBG_MENU
a9a98d49 1247 tristate "NIST SP800-90A DRBG (Deterministic Random Bit Generator)"
419090c6 1248 help
a9a98d49
RE
1249 DRBG (Deterministic Random Bit Generator) (NIST SP800-90A)
1250
1251 In the following submenu, one or more of the DRBG types must be selected.
419090c6 1252
f2c89a10 1253if CRYPTO_DRBG_MENU
419090c6
SM
1254
1255config CRYPTO_DRBG_HMAC
401e4238 1256 bool
419090c6 1257 default y
419090c6 1258 select CRYPTO_HMAC
5261cdf4 1259 select CRYPTO_SHA512
419090c6
SM
1260
1261config CRYPTO_DRBG_HASH
a9a98d49 1262 bool "Hash_DRBG"
826775bb 1263 select CRYPTO_SHA256
419090c6 1264 help
a9a98d49
RE
1265 Hash_DRBG variant as defined in NIST SP800-90A.
1266
1267 This uses the SHA-1, SHA-256, SHA-384, or SHA-512 hash algorithms.
419090c6
SM
1268
1269config CRYPTO_DRBG_CTR
a9a98d49 1270 bool "CTR_DRBG"
419090c6 1271 select CRYPTO_AES
d6fc1a45 1272 select CRYPTO_CTR
419090c6 1273 help
a9a98d49
RE
1274 CTR_DRBG variant as defined in NIST SP800-90A.
1275
1276 This uses the AES cipher algorithm with the counter block mode.
419090c6 1277
f2c89a10
HX
1278config CRYPTO_DRBG
1279 tristate
401e4238 1280 default CRYPTO_DRBG_MENU
f2c89a10 1281 select CRYPTO_RNG
bb5530e4 1282 select CRYPTO_JITTERENTROPY
f2c89a10
HX
1283
1284endif # if CRYPTO_DRBG_MENU
419090c6 1285
bb5530e4 1286config CRYPTO_JITTERENTROPY
a9a98d49 1287 tristate "CPU Jitter Non-Deterministic RNG (Random Number Generator)"
2f313e02 1288 select CRYPTO_RNG
bb897c55 1289 select CRYPTO_SHA3
bb5530e4 1290 help
a9a98d49
RE
1291 CPU Jitter RNG (Random Number Generator) from the Jitterentropy library
1292
1293 A non-physical non-deterministic ("true") RNG (e.g., an entropy source
1294 compliant with NIST SP800-90B) intended to provide a seed to a
1295 deterministic RNG (e.g. per NIST SP800-90C).
1296 This RNG does not perform any cryptographic whitening of the generated random numbers.
1297
1298 See https://www.chronox.de/jent.html
bb5530e4 1299
e7ed6473
HX
1300if CRYPTO_JITTERENTROPY
1301if CRYPTO_FIPS && EXPERT
1302
59bcfd78
SM
1303choice
1304 prompt "CPU Jitter RNG Memory Size"
1305 default CRYPTO_JITTERENTROPY_MEMSIZE_2
59bcfd78
SM
1306 help
1307 The Jitter RNG measures the execution time of memory accesses.
1308 Multiple consecutive memory accesses are performed. If the memory
1309 size fits into a cache (e.g. L1), only the memory access timing
1310 to that cache is measured. The closer the cache is to the CPU
1311 the fewer variations are measured and thus the less entropy is
1312 obtained. Thus, if the memory size fits into the L1 cache, the
1313 obtained entropy is less than if the memory size fits within
1314 L1 + L2, which in turn is less than if the memory fits into
1315 L1 + L2 + L3. Thus, by selecting a different memory size,
1316 the entropy rate produced by the Jitter RNG can be modified.
1317
1318 config CRYPTO_JITTERENTROPY_MEMSIZE_2
1319 bool "2048 Bytes (default)"
1320
1321 config CRYPTO_JITTERENTROPY_MEMSIZE_128
1322 bool "128 kBytes"
1323
1324 config CRYPTO_JITTERENTROPY_MEMSIZE_1024
1325 bool "1024 kBytes"
1326
1327 config CRYPTO_JITTERENTROPY_MEMSIZE_8192
1328 bool "8192 kBytes"
1329endchoice
1330
1331config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
1332 int
1333 default 64 if CRYPTO_JITTERENTROPY_MEMSIZE_2
1334 default 512 if CRYPTO_JITTERENTROPY_MEMSIZE_128
1335 default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
1336 default 4096 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
1337
1338config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
1339 int
1340 default 32 if CRYPTO_JITTERENTROPY_MEMSIZE_2
1341 default 256 if CRYPTO_JITTERENTROPY_MEMSIZE_128
1342 default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
1343 default 2048 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
1344
0baa8fab
SM
1345config CRYPTO_JITTERENTROPY_OSR
1346 int "CPU Jitter RNG Oversampling Rate"
1347 range 1 15
1348 default 1
0baa8fab
SM
1349 help
1350 The Jitter RNG allows the specification of an oversampling rate (OSR).
1351 The Jitter RNG operation requires a fixed amount of timing
1352 measurements to produce one output block of random numbers. The
1353 OSR value is multiplied with the amount of timing measurements to
1354 generate one output block. Thus, the timing measurement is oversampled
1355 by the OSR factor. The oversampling allows the Jitter RNG to operate
1356 on hardware whose timers deliver a limited amount of entropy (e.g.
1357 the timer is coarse) by setting the OSR to a higher value. The
1358 trade-off, however, is that the Jitter RNG now requires more time
1359 to generate random numbers.
1360
69f1c387
SM
1361config CRYPTO_JITTERENTROPY_TESTINTERFACE
1362 bool "CPU Jitter RNG Test Interface"
69f1c387
SM
1363 help
1364 The test interface allows a privileged process to capture
1365 the raw unconditioned high resolution time stamp noise that
1366 is collected by the Jitter RNG for statistical analysis. As
1367 this data is used at the same time to generate random bits,
1368 the Jitter RNG operates in an insecure mode as long as the
1369 recording is enabled. This interface therefore is only
1370 intended for testing purposes and is not suitable for
1371 production systems.
1372
1373 The raw noise data can be obtained using the jent_raw_hires
1374 debugfs file. Using the option
1375 jitterentropy_testing.boot_raw_hires_test=1 the raw noise of
1376 the first 1000 entropy events since boot can be sampled.
1377
1378 If unsure, select N.
1379
e7ed6473
HX
1380endif # if CRYPTO_FIPS && EXPERT
1381
1382if !(CRYPTO_FIPS && EXPERT)
1383
1384config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
1385 int
1386 default 64
1387
1388config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
1389 int
1390 default 32
1391
1392config CRYPTO_JITTERENTROPY_OSR
1393 int
1394 default 1
1395
1396config CRYPTO_JITTERENTROPY_TESTINTERFACE
1397 bool
1398
1399endif # if !(CRYPTO_FIPS && EXPERT)
1400endif # if CRYPTO_JITTERENTROPY
1401
026a733e
SM
1402config CRYPTO_KDF800108_CTR
1403 tristate
a88592cc 1404 select CRYPTO_HMAC
304b4ace 1405 select CRYPTO_SHA256
026a733e 1406
f1f142ad 1407endmenu
9bc51715 1408menu "Userspace interface"
f1f142ad 1409
03c8efc1
HX
1410config CRYPTO_USER_API
1411 tristate
1412
fe869cdb 1413config CRYPTO_USER_API_HASH
9bc51715 1414 tristate "Hash algorithms"
7451708f 1415 depends on NET
fe869cdb
HX
1416 select CRYPTO_HASH
1417 select CRYPTO_USER_API
1418 help
9bc51715
RE
1419 Enable the userspace interface for hash algorithms.
1420
1421 See Documentation/crypto/userspace-if.rst and
1422 https://www.chronox.de/libkcapi/html/index.html
fe869cdb 1423
8ff59090 1424config CRYPTO_USER_API_SKCIPHER
9bc51715 1425 tristate "Symmetric key cipher algorithms"
7451708f 1426 depends on NET
b95bba5d 1427 select CRYPTO_SKCIPHER
8ff59090
HX
1428 select CRYPTO_USER_API
1429 help
9bc51715
RE
1430 Enable the userspace interface for symmetric key cipher algorithms.
1431
1432 See Documentation/crypto/userspace-if.rst and
1433 https://www.chronox.de/libkcapi/html/index.html
8ff59090 1434
2f375538 1435config CRYPTO_USER_API_RNG
9bc51715 1436 tristate "RNG (random number generator) algorithms"
2f375538
SM
1437 depends on NET
1438 select CRYPTO_RNG
1439 select CRYPTO_USER_API
1440 help
9bc51715
RE
1441 Enable the userspace interface for RNG (random number generator)
1442 algorithms.
1443
1444 See Documentation/crypto/userspace-if.rst and
1445 https://www.chronox.de/libkcapi/html/index.html
2f375538 1446
77ebdabe
EP
1447config CRYPTO_USER_API_RNG_CAVP
1448 bool "Enable CAVP testing of DRBG"
1449 depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
1450 help
9bc51715
RE
1451 Enable extra APIs in the userspace interface for NIST CAVP
1452 (Cryptographic Algorithm Validation Program) testing:
1453 - resetting DRBG entropy
1454 - providing Additional Data
1455
77ebdabe
EP
1456 This should only be enabled for CAVP testing. You should say
1457 no unless you know what this is.
1458
b64a2d95 1459config CRYPTO_USER_API_AEAD
9bc51715 1460 tristate "AEAD cipher algorithms"
b64a2d95
HX
1461 depends on NET
1462 select CRYPTO_AEAD
b95bba5d 1463 select CRYPTO_SKCIPHER
72548b09 1464 select CRYPTO_NULL
b64a2d95
HX
1465 select CRYPTO_USER_API
1466 help
9bc51715
RE
1467 Enable the userspace interface for AEAD cipher algorithms.
1468
1469 See Documentation/crypto/userspace-if.rst and
1470 https://www.chronox.de/libkcapi/html/index.html
b64a2d95 1471
9ace6771 1472config CRYPTO_USER_API_ENABLE_OBSOLETE
9bc51715 1473 bool "Obsolete cryptographic algorithms"
9ace6771
AB
1474 depends on CRYPTO_USER_API
1475 default y
1476 help
1477 Allow obsolete cryptographic algorithms to be selected that have
1478 already been phased out from internal use by the kernel, and are
1479 only useful for userspace clients that still rely on them.
1480
cac5818c 1481config CRYPTO_STATS
9bc51715 1482 bool "Crypto usage statistics"
a6a31385 1483 depends on CRYPTO_USER
cac5818c 1484 help
9bc51715
RE
1485 Enable the gathering of crypto stats.
1486
66dd59b7
EB
1487 Enabling this option reduces the performance of the crypto API. It
1488 should only be enabled when there is actually a use case for it.
1489
9bc51715
RE
1490 This collects data sizes, numbers of requests, and numbers
1491 of errors processed by:
1492 - AEAD ciphers (encrypt, decrypt)
1493 - asymmetric key ciphers (encrypt, decrypt, verify, sign)
1494 - symmetric key ciphers (encrypt, decrypt)
1495 - compression algorithms (compress, decompress)
1496 - hash algorithms (hash)
1497 - key-agreement protocol primitives (setsecret, generate
1498 public key, compute shared secret)
1499 - RNG (generate, seed)
cac5818c 1500
f1f142ad
RE
1501endmenu
1502
ee08997f
DK
1503config CRYPTO_HASH_INFO
1504 bool
1505
27bc50fc 1506if !KMSAN # avoid false positives from assembly
4a329fec
RE
1507if ARM
1508source "arch/arm/crypto/Kconfig"
1509endif
1510if ARM64
1511source "arch/arm64/crypto/Kconfig"
1512endif
2f164822
MZ
1513if LOONGARCH
1514source "arch/loongarch/crypto/Kconfig"
1515endif
e45f710b
RE
1516if MIPS
1517source "arch/mips/crypto/Kconfig"
1518endif
6a490a4e
RE
1519if PPC
1520source "arch/powerpc/crypto/Kconfig"
1521endif
c9d24c97
RE
1522if S390
1523source "arch/s390/crypto/Kconfig"
1524endif
0e9f9ea6
RE
1525if SPARC
1526source "arch/sparc/crypto/Kconfig"
1527endif
28a936ef
RE
1528if X86
1529source "arch/x86/crypto/Kconfig"
1530endif
27bc50fc 1531endif
e45f710b 1532
1da177e4 1533source "drivers/crypto/Kconfig"
8636a1f9
MY
1534source "crypto/asymmetric_keys/Kconfig"
1535source "certs/Kconfig"
1da177e4 1536
cce9e06d 1537endif # if CRYPTO