Merge tag 'for-6.1-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave...
[linux-2.6-block.git] / crypto / Kconfig
Commit Line Data
b2441318 1# SPDX-License-Identifier: GPL-2.0
685784aa
DW
2#
3# Generic algorithms support
4#
5config XOR_BLOCKS
6 tristate
7
1da177e4 8#
9bc89cd8 9# async_tx api: hardware offloaded memory transfer/transform support
1da177e4 10#
9bc89cd8 11source "crypto/async_tx/Kconfig"
1da177e4 12
9bc89cd8
DW
13#
14# Cryptographic API Configuration
15#
2e290f43 16menuconfig CRYPTO
c3715cb9 17 tristate "Cryptographic API"
7033b937 18 select CRYPTO_LIB_UTILS
1da177e4
LT
19 help
20 This option provides the core Cryptographic API.
21
cce9e06d
HX
22if CRYPTO
23
f1f142ad 24menu "Crypto core or helper"
584fffc8 25
ccb778e1
NH
26config CRYPTO_FIPS
27 bool "FIPS 200 compliance"
f2c89a10 28 depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
1f696097 29 depends on (MODULE_SIG || !MODULES)
ccb778e1 30 help
d99324c2
GU
31 This option enables the fips boot option which is
32 required if you want the system to operate in a FIPS 200
ccb778e1 33 certification. You should say no unless you know what
e84c5480 34 this is.
ccb778e1 35
5a44749f
VD
36config CRYPTO_FIPS_NAME
37 string "FIPS Module Name"
38 default "Linux Kernel Cryptographic API"
39 depends on CRYPTO_FIPS
40 help
41 This option sets the FIPS Module name reported by the Crypto API via
42 the /proc/sys/crypto/fips_name file.
43
44config CRYPTO_FIPS_CUSTOM_VERSION
45 bool "Use Custom FIPS Module Version"
46 depends on CRYPTO_FIPS
47 default n
48
49config CRYPTO_FIPS_VERSION
50 string "FIPS Module Version"
51 default "(none)"
52 depends on CRYPTO_FIPS_CUSTOM_VERSION
53 help
54 This option provides the ability to override the FIPS Module Version.
55 By default the KERNELRELEASE value is used.
56
cce9e06d
HX
57config CRYPTO_ALGAPI
58 tristate
6a0fcbb4 59 select CRYPTO_ALGAPI2
cce9e06d
HX
60 help
61 This option provides the API for cryptographic algorithms.
62
6a0fcbb4
HX
63config CRYPTO_ALGAPI2
64 tristate
65
1ae97820
HX
66config CRYPTO_AEAD
67 tristate
6a0fcbb4 68 select CRYPTO_AEAD2
1ae97820
HX
69 select CRYPTO_ALGAPI
70
6a0fcbb4
HX
71config CRYPTO_AEAD2
72 tristate
73 select CRYPTO_ALGAPI2
149a3971
HX
74 select CRYPTO_NULL2
75 select CRYPTO_RNG2
6a0fcbb4 76
b95bba5d 77config CRYPTO_SKCIPHER
5cde0af2 78 tristate
b95bba5d 79 select CRYPTO_SKCIPHER2
5cde0af2 80 select CRYPTO_ALGAPI
6a0fcbb4 81
b95bba5d 82config CRYPTO_SKCIPHER2
6a0fcbb4
HX
83 tristate
84 select CRYPTO_ALGAPI2
85 select CRYPTO_RNG2
5cde0af2 86
055bcee3
HX
87config CRYPTO_HASH
88 tristate
6a0fcbb4 89 select CRYPTO_HASH2
055bcee3
HX
90 select CRYPTO_ALGAPI
91
6a0fcbb4
HX
92config CRYPTO_HASH2
93 tristate
94 select CRYPTO_ALGAPI2
95
17f0f4a4
NH
96config CRYPTO_RNG
97 tristate
6a0fcbb4 98 select CRYPTO_RNG2
17f0f4a4
NH
99 select CRYPTO_ALGAPI
100
6a0fcbb4
HX
101config CRYPTO_RNG2
102 tristate
103 select CRYPTO_ALGAPI2
104
401e4238
HX
105config CRYPTO_RNG_DEFAULT
106 tristate
107 select CRYPTO_DRBG_MENU
108
3c339ab8
TS
109config CRYPTO_AKCIPHER2
110 tristate
111 select CRYPTO_ALGAPI2
112
113config CRYPTO_AKCIPHER
114 tristate
115 select CRYPTO_AKCIPHER2
116 select CRYPTO_ALGAPI
117
4e5f2c40
SB
118config CRYPTO_KPP2
119 tristate
120 select CRYPTO_ALGAPI2
121
122config CRYPTO_KPP
123 tristate
124 select CRYPTO_ALGAPI
125 select CRYPTO_KPP2
126
2ebda74f
GC
127config CRYPTO_ACOMP2
128 tristate
129 select CRYPTO_ALGAPI2
8cd579d2 130 select SGL_ALLOC
2ebda74f
GC
131
132config CRYPTO_ACOMP
133 tristate
134 select CRYPTO_ALGAPI
135 select CRYPTO_ACOMP2
136
2b8c19db
HX
137config CRYPTO_MANAGER
138 tristate "Cryptographic algorithm manager"
6a0fcbb4 139 select CRYPTO_MANAGER2
2b8c19db
HX
140 help
141 Create default cryptographic template instantiations such as
142 cbc(aes).
143
6a0fcbb4
HX
144config CRYPTO_MANAGER2
145 def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
146 select CRYPTO_AEAD2
147 select CRYPTO_HASH2
b95bba5d 148 select CRYPTO_SKCIPHER2
946cc463 149 select CRYPTO_AKCIPHER2
4e5f2c40 150 select CRYPTO_KPP2
2ebda74f 151 select CRYPTO_ACOMP2
6a0fcbb4 152
a38f7907
SK
153config CRYPTO_USER
154 tristate "Userspace cryptographic algorithm configuration"
5db017aa 155 depends on NET
a38f7907
SK
156 select CRYPTO_MANAGER
157 help
d19978f5 158 Userspace configuration for cryptographic instantiations such as
a38f7907
SK
159 cbc(aes).
160
326a6346
HX
161config CRYPTO_MANAGER_DISABLE_TESTS
162 bool "Disable run-time self tests"
00ca28a5 163 default y
0b767f96 164 help
326a6346
HX
165 Disable run-time self tests that normally take place at
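166 algorithm registration. While this is enabled, CRYPTO_FIPS and CRYPTO_MANAGER_EXTRA_TESTS cannot be selected, because both depend on the self tests being active.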
0b767f96 167
5b2706a4
EB
168config CRYPTO_MANAGER_EXTRA_TESTS
169 bool "Enable extra run-time crypto self tests"
6569e309 170 depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER
5b2706a4
EB
171 help
172 Enable extra run-time self tests of registered crypto algorithms,
173 including randomized fuzz tests.
174
175 This is intended for developer use only, as these tests take much
176 longer to run than the normal self tests.
177
584fffc8 178config CRYPTO_GF128MUL
e590e132 179 tristate
333b0d7e 180
1da177e4
LT
181config CRYPTO_NULL
182 tristate "Null algorithms"
149a3971 183 select CRYPTO_NULL2
1da177e4
LT
184 help
185 These are 'Null' algorithms, used by IPsec, which do nothing.
186
149a3971 187config CRYPTO_NULL2
dd43c4e9 188 tristate
149a3971 189 select CRYPTO_ALGAPI2
b95bba5d 190 select CRYPTO_SKCIPHER2
149a3971
HX
191 select CRYPTO_HASH2
192
5068c7a8 193config CRYPTO_PCRYPT
3b4afaf2
KC
194 tristate "Parallel crypto engine"
195 depends on SMP
5068c7a8
SK
196 select PADATA
197 select CRYPTO_MANAGER
198 select CRYPTO_AEAD
199 help
200 This converts an arbitrary crypto algorithm into a parallel
201 algorithm that executes in kernel threads.
202
584fffc8
SS
203config CRYPTO_CRYPTD
204 tristate "Software async crypto daemon"
b95bba5d 205 select CRYPTO_SKCIPHER
b8a28251 206 select CRYPTO_HASH
584fffc8 207 select CRYPTO_MANAGER
1da177e4 208 help
584fffc8
SS
209 This is a generic software asynchronous crypto daemon that
210 converts an arbitrary synchronous software crypto algorithm
211 into an asynchronous algorithm that executes in a kernel thread.
1da177e4 212
584fffc8
SS
213config CRYPTO_AUTHENC
214 tristate "Authenc support"
215 select CRYPTO_AEAD
b95bba5d 216 select CRYPTO_SKCIPHER
584fffc8
SS
217 select CRYPTO_MANAGER
218 select CRYPTO_HASH
e94c6a7a 219 select CRYPTO_NULL
1da177e4 220 help
584fffc8 221 Authenc: Combined mode wrapper for IPsec.
cf514b2a
RE
222
223 This is required for IPSec ESP (XFRM_ESP).
1da177e4 224
584fffc8
SS
225config CRYPTO_TEST
226 tristate "Testing module"
00ea27f1 227 depends on m || EXPERT
da7f033d 228 select CRYPTO_MANAGER
1da177e4 229 help
584fffc8 230 Quick & dirty crypto test module.
1da177e4 231
266d0516
HX
232config CRYPTO_SIMD
233 tristate
ffaf9156
JK
234 select CRYPTO_CRYPTD
235
735d37b5
BW
236config CRYPTO_ENGINE
237 tristate
238
f1f142ad
RE
239endmenu
240
241menu "Public-key cryptography"
3d6228a5
VC
242
243config CRYPTO_RSA
05b37465 244 tristate "RSA (Rivest-Shamir-Adleman)"
3d6228a5
VC
245 select CRYPTO_AKCIPHER
246 select CRYPTO_MANAGER
247 select MPILIB
248 select ASN1
249 help
05b37465 250 RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017)
3d6228a5
VC
251
252config CRYPTO_DH
05b37465 253 tristate "DH (Diffie-Hellman)"
3d6228a5
VC
254 select CRYPTO_KPP
255 select MPILIB
256 help
05b37465 257 DH (Diffie-Hellman) key exchange algorithm
3d6228a5 258
7dce5981 259config CRYPTO_DH_RFC7919_GROUPS
05b37465 260 bool "RFC 7919 FFDHE groups"
7dce5981 261 depends on CRYPTO_DH
1e207964 262 select CRYPTO_RNG_DEFAULT
7dce5981 263 help
05b37465
RE
264 FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups
265 defined in RFC7919.
266
267 Support these finite-field groups in DH key exchanges:
268 - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
269
270 If unsure, say N.
7dce5981 271
4a2289da
VC
272config CRYPTO_ECC
273 tristate
38aa192a 274 select CRYPTO_RNG_DEFAULT
4a2289da 275
3d6228a5 276config CRYPTO_ECDH
05b37465 277 tristate "ECDH (Elliptic Curve Diffie-Hellman)"
4a2289da 278 select CRYPTO_ECC
3d6228a5 279 select CRYPTO_KPP
3d6228a5 280 help
05b37465
RE
281 ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm
282 using curves P-192, P-256, and P-384 (FIPS 186)
3d6228a5 283
4e660291 284config CRYPTO_ECDSA
05b37465 285 tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)"
4e660291
SB
286 select CRYPTO_ECC
287 select CRYPTO_AKCIPHER
288 select ASN1
289 help
05b37465
RE
290 ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186,
291 ISO/IEC 14888-3)
292 using curves P-192, P-256, and P-384
293
294 Only signature verification is implemented.
4e660291 295
0d7a7864 296config CRYPTO_ECRDSA
05b37465 297 tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)"
0d7a7864
VC
298 select CRYPTO_ECC
299 select CRYPTO_AKCIPHER
300 select CRYPTO_STREEBOG
1036633e
VC
301 select OID_REGISTRY
302 select ASN1
0d7a7864
VC
303 help
304 Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
05b37465
RE
305 RFC 7091, ISO/IEC 14888-3)
306
307 One of the Russian cryptographic standard algorithms (called GOST
308 algorithms). Only signature verification is implemented.
0d7a7864 309
ea7ecb66 310config CRYPTO_SM2
05b37465 311 tristate "SM2 (ShangMi 2)"
d2825fa9 312 select CRYPTO_SM3
ea7ecb66
TZ
313 select CRYPTO_AKCIPHER
314 select CRYPTO_MANAGER
315 select MPILIB
316 select ASN1
317 help
05b37465
RE
318 SM2 (ShangMi 2) public key algorithm
319
320 Published by State Encryption Management Bureau, China,
ea7ecb66
TZ
321 as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012.
322
323 References:
05b37465 324 https://datatracker.ietf.org/doc/draft-shen-sm2-ecdsa/
ea7ecb66
TZ
325 http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml
326 http://www.gmbz.org.cn/main/bzlb.html
327
ee772cb6 328config CRYPTO_CURVE25519
05b37465 329 tristate "Curve25519"
ee772cb6
AB
330 select CRYPTO_KPP
331 select CRYPTO_LIB_CURVE25519_GENERIC
05b37465
RE
332 help
333 Curve25519 elliptic curve (RFC7748)
ee772cb6 334
f1f142ad 335endmenu
cd12fb90 336
f1f142ad 337menu "Block ciphers"
1da177e4 338
f1f142ad 339config CRYPTO_AES
cf514b2a 340 tristate "AES (Advanced Encryption Standard)"
f1f142ad
RE
341 select CRYPTO_ALGAPI
342 select CRYPTO_LIB_AES
1da177e4 343 help
cf514b2a 344 AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
1da177e4 345
f1f142ad
RE
346 Rijndael appears to be consistently a very good performer in
347 both hardware and software across a wide range of computing
348 environments regardless of its use in feedback or non-feedback
349 modes. Its key setup time is excellent, and its key agility is
350 good. Rijndael's very low memory requirements make it very well
351 suited for restricted-space environments, in which it also
352 demonstrates excellent performance. Rijndael's operations are
353 among the easiest to defend against power and timing attacks.
71ebc4d1 354
f1f142ad 355 The AES specifies three key sizes: 128, 192 and 256 bits
71ebc4d1 356
f1f142ad 357config CRYPTO_AES_TI
cf514b2a 358 tristate "AES (Advanced Encryption Standard) (fixed time)"
f1f142ad
RE
359 select CRYPTO_ALGAPI
360 select CRYPTO_LIB_AES
f606a88e 361 help
cf514b2a
RE
362 AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
363
f1f142ad
RE
364 This is a generic implementation of AES that attempts to eliminate
365 data dependent latencies as much as possible without affecting
366 performance too much. It is intended for use by the generic CCM
367 and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
368 solely on encryption (although decryption is supported as well, but
369 with a more dramatic performance hit)
f606a88e 370
f1f142ad
RE
371 Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
372 8 for decryption), this implementation only uses just two S-boxes of
373 256 bytes each, and attempts to eliminate data dependent latencies by
374 prefetching the entire table into the cache at the start of each
375 block. Interrupts are also disabled to avoid races where cachelines
376 are evicted when the CPU is interrupted to do something else.
a4397635 377
f1f142ad 378config CRYPTO_ANUBIS
cf514b2a 379 tristate "Anubis"
f1f142ad
RE
380 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
381 select CRYPTO_ALGAPI
1da177e4 382 help
cf514b2a 383 Anubis cipher algorithm
1da177e4 384
f1f142ad
RE
385 Anubis is a variable key length cipher which can use keys from
386 128 bits to 320 bits in length. It was evaluated as an entrant
387 in the NESSIE competition.
a10f554f 388
cf514b2a
RE
389 See https://web.archive.org/web/20160606112246/http://www.larc.usp.br/~pbarreto/AnubisPage.html
390 for further information.
c494e070 391
f1f142ad 392config CRYPTO_ARIA
cf514b2a 393 tristate "ARIA"
f1f142ad 394 select CRYPTO_ALGAPI
db131ef9 395 help
cf514b2a 396 ARIA cipher algorithm (RFC5794)
db131ef9 397
f1f142ad
RE
398 ARIA is a standard encryption algorithm of the Republic of Korea.
399 The ARIA specifies three key sizes and rounds.
400 128-bit: 12 rounds.
401 192-bit: 14 rounds.
402 256-bit: 16 rounds.
a7d85e06 403
cf514b2a
RE
404 See:
405 https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do
db131ef9 406
f1f142ad 407config CRYPTO_BLOWFISH
cf514b2a 408 tristate "Blowfish"
f1f142ad
RE
409 select CRYPTO_ALGAPI
410 select CRYPTO_BLOWFISH_COMMON
584fffc8 411 help
cf514b2a 412 Blowfish cipher algorithm, by Bruce Schneier
584fffc8 413
f1f142ad
RE
414 This is a variable key length cipher which can use keys from 32
415 bits to 448 bits in length. It's fast, simple and specifically
416 designed for use on "large microprocessors".
ecd6d5c9 417
cf514b2a 418 See https://www.schneier.com/blowfish.html for further information.
f1f142ad
RE
419
420config CRYPTO_BLOWFISH_COMMON
421 tristate
91652be5 422 help
f1f142ad
RE
423 Common parts of the Blowfish cipher algorithm shared by the
424 generic C and the assembler implementations.
91652be5 425
f1f142ad 426config CRYPTO_CAMELLIA
cf514b2a 427 tristate "Camellia"
f1f142ad 428 select CRYPTO_ALGAPI
64470f1b 429 help
cf514b2a 430 Camellia cipher algorithms (ISO/IEC 18033-3)
64470f1b 431
f1f142ad
RE
432 Camellia is a symmetric key block cipher developed jointly
433 at NTT and Mitsubishi Electric Corporation.
434
435 The Camellia specifies three key sizes: 128, 192 and 256 bits.
436
cf514b2a 437 See https://info.isl.ntt.co.jp/crypt/eng/camellia/ for further information.
f1f142ad
RE
438
439config CRYPTO_CAST_COMMON
440 tristate
e497c518 441 help
f1f142ad
RE
442 Common parts of the CAST cipher algorithms shared by the
443 generic C and the assembler implementations.
e497c518 444
f1f142ad 445config CRYPTO_CAST5
cf514b2a 446 tristate "CAST5 (CAST-128)"
f1f142ad
RE
447 select CRYPTO_ALGAPI
448 select CRYPTO_CAST_COMMON
584fffc8 449 help
cf514b2a 450 CAST5 (CAST-128) cipher algorithm (RFC2144, ISO/IEC 18033-3)
584fffc8 451
f1f142ad 452config CRYPTO_CAST6
cf514b2a 453 tristate "CAST6 (CAST-256)"
f1f142ad
RE
454 select CRYPTO_ALGAPI
455 select CRYPTO_CAST_COMMON
17fee07a 456 help
cf514b2a 457 CAST6 (CAST-256) encryption algorithm (RFC2612)
17fee07a 458
f1f142ad 459config CRYPTO_DES
cf514b2a 460 tristate "DES and Triple DES EDE"
f1f142ad
RE
461 select CRYPTO_ALGAPI
462 select CRYPTO_LIB_DES
f19f5111 463 help
cf514b2a
RE
464 DES (Data Encryption Standard)(FIPS 46-2, ISO/IEC 18033-3) and
465 Triple DES EDE (Encrypt/Decrypt/Encrypt) (FIPS 46-3, ISO/IEC 18033-3)
466 cipher algorithms
f19f5111 467
f1f142ad 468config CRYPTO_FCRYPT
cf514b2a 469 tristate "FCrypt"
f1f142ad 470 select CRYPTO_ALGAPI
b95bba5d 471 select CRYPTO_SKCIPHER
1c49678e 472 help
cf514b2a
RE
473 FCrypt algorithm used by RxRPC
474
475 See https://ota.polyonymo.us/fcrypt-paper.txt
1c49678e 476
f1f142ad 477config CRYPTO_KHAZAD
cf514b2a 478 tristate "Khazad"
f1f142ad
RE
479 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
480 select CRYPTO_ALGAPI
481 help
cf514b2a 482 Khazad cipher algorithm
f1f142ad
RE
483
484 Khazad was a finalist in the initial NESSIE competition. It is
485 an algorithm optimized for 64-bit processors with good performance
486 on 32-bit processors. Khazad uses a 128 bit key size.
487
cf514b2a
RE
488 See https://web.archive.org/web/20171011071731/http://www.larc.usp.br/~pbarreto/KhazadPage.html
489 for further information.
f1f142ad
RE
490
491config CRYPTO_SEED
cf514b2a 492 tristate "SEED"
f1f142ad
RE
493 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
494 select CRYPTO_ALGAPI
495 help
cf514b2a 496 SEED cipher algorithm (RFC4269, ISO/IEC 18033-3)
f1f142ad
RE
497
498 SEED is a 128-bit symmetric key block cipher that has been
499 developed by KISA (Korea Information Security Agency) as a
500 national standard encryption algorithm of the Republic of Korea.
501 It is a 16 round block cipher with the key size of 128 bit.
502
cf514b2a
RE
503 See https://seed.kisa.or.kr/kisa/algorithm/EgovSeedInfo.do
504 for further information.
f1f142ad
RE
505
506config CRYPTO_SERPENT
cf514b2a 507 tristate "Serpent"
f1f142ad
RE
508 select CRYPTO_ALGAPI
509 help
cf514b2a 510 Serpent cipher algorithm, by Anderson, Biham & Knudsen
f1f142ad
RE
511
512 Keys are allowed to be from 0 to 256 bits in length, in steps
513 of 8 bits.
514
cf514b2a 515 See https://www.cl.cam.ac.uk/~rja14/serpent.html for further information.
f1f142ad
RE
516
517config CRYPTO_SM4
518 tristate
519
520config CRYPTO_SM4_GENERIC
cf514b2a 521 tristate "SM4 (ShangMi 4)"
f1f142ad
RE
522 select CRYPTO_ALGAPI
523 select CRYPTO_SM4
524 help
cf514b2a
RE
525 SM4 cipher algorithms (OSCCA GB/T 32907-2016,
526 ISO/IEC 18033-3:2010/Amd 1:2021)
f1f142ad
RE
527
528 SM4 (GBT.32907-2016) is a cryptographic standard issued by the
529 Organization of State Commercial Administration of China (OSCCA)
530 as an authorized cryptographic algorithm for use within China.
531
532 SMS4 was originally created for use in protecting wireless
533 networks, and is mandated in the Chinese National Standard for
534 Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
535 (GB.15629.11-2003).
536
537 The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
538 standardized through TC 260 of the Standardization Administration
539 of the People's Republic of China (SAC).
540
541 The input, output, and key of SMS4 are each 128 bits.
542
cf514b2a 543 See https://eprint.iacr.org/2008/329.pdf for further information.
f1f142ad
RE
544
545 If unsure, say N.
546
547config CRYPTO_TEA
cf514b2a 548 tristate "TEA, XTEA and XETA"
f1f142ad
RE
549 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
550 select CRYPTO_ALGAPI
551 help
cf514b2a 552 TEA (Tiny Encryption Algorithm) cipher algorithms
f1f142ad
RE
553
554 Tiny Encryption Algorithm is a simple cipher that uses
555 many rounds for security. It is very fast and uses
556 little memory.
557
558 Xtended Tiny Encryption Algorithm is a modification to
559 the TEA algorithm to address a potential key weakness
560 in the TEA algorithm.
561
562 Xtended Encryption Tiny Algorithm is a mis-implementation
563 of the XTEA algorithm for compatibility purposes.
564
565config CRYPTO_TWOFISH
cf514b2a 566 tristate "Twofish"
f1f142ad
RE
567 select CRYPTO_ALGAPI
568 select CRYPTO_TWOFISH_COMMON
569 help
cf514b2a 570 Twofish cipher algorithm
f1f142ad
RE
571
572 Twofish was submitted as an AES (Advanced Encryption Standard)
573 candidate cipher by researchers at CounterPane Systems. It is a
574 16 round block cipher supporting key sizes of 128, 192, and 256
575 bits.
576
cf514b2a 577 See https://www.schneier.com/twofish.html for further information.
f1f142ad
RE
578
579config CRYPTO_TWOFISH_COMMON
580 tristate
581 help
582 Common parts of the Twofish cipher algorithm shared by the
583 generic C and the assembler implementations.
584
585endmenu
586
587menu "Length-preserving ciphers and modes"
26609a21 588
059c2a4d 589config CRYPTO_ADIANTUM
cf514b2a 590 tristate "Adiantum"
059c2a4d 591 select CRYPTO_CHACHA20
48ea8c6e 592 select CRYPTO_LIB_POLY1305_GENERIC
059c2a4d 593 select CRYPTO_NHPOLY1305
c8a3315a 594 select CRYPTO_MANAGER
059c2a4d 595 help
cf514b2a
RE
596 Adiantum tweakable, length-preserving encryption mode
597
598 Designed for fast and secure disk encryption, especially on
059c2a4d
EB
599 CPUs without dedicated crypto instructions. It encrypts
600 each sector using the XChaCha12 stream cipher, two passes of
601 an ε-almost-∆-universal hash function, and an invocation of
602 the AES-256 block cipher on a single 16-byte block. On CPUs
603 without AES instructions, Adiantum is much faster than
604 AES-XTS.
605
606 Adiantum's security is provably reducible to that of its
607 underlying stream and block ciphers, subject to a security
608 bound. Unlike XTS, Adiantum is a true wide-block encryption
609 mode, so it actually provides an even stronger notion of
610 security than XTS, subject to the security bound.
611
612 If unsure, say N.
613
f1f142ad 614config CRYPTO_ARC4
cf514b2a 615 tristate "ARC4 (Alleged Rivest Cipher 4)"
f1f142ad
RE
616 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
617 select CRYPTO_SKCIPHER
618 select CRYPTO_LIB_ARC4
7ff554ce 619 help
cf514b2a 620 ARC4 cipher algorithm
7ff554ce 621
f1f142ad
RE
622 ARC4 is a stream cipher using keys ranging from 8 bits to 2048
623 bits in length. This algorithm is required for driver-based
624 WEP, but it should not be used for other purposes because of the
625 weakness of the algorithm.
626
627config CRYPTO_CHACHA20
cf514b2a 628 tristate "ChaCha"
f1f142ad
RE
629 select CRYPTO_LIB_CHACHA_GENERIC
630 select CRYPTO_SKCIPHER
be1eb7f7 631 help
cf514b2a 632 The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms
be1eb7f7 633
f1f142ad
RE
634 ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
635 Bernstein and further specified in RFC7539 for use in IETF protocols.
cf514b2a
RE
636 This is the portable C implementation of ChaCha20. See
637 https://cr.yp.to/chacha/chacha-20080128.pdf for further information.
be1eb7f7 638
f1f142ad
RE
639 XChaCha20 is the application of the XSalsa20 construction to ChaCha20
640 rather than to Salsa20. XChaCha20 extends ChaCha20's nonce length
641 from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
cf514b2a
RE
642 while provably retaining ChaCha20's security. See
643 https://cr.yp.to/snuffle/xsalsa-20081128.pdf for further information.
be1eb7f7 644
f1f142ad
RE
645 XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
646 reduced security margin but increased performance. It can be needed
647 in some performance-sensitive scenarios.
584fffc8 648
f1f142ad 649config CRYPTO_CBC
cf514b2a 650 tristate "CBC (Cipher Block Chaining)"
f1f142ad 651 select CRYPTO_SKCIPHER
93b5e86a
JK
652 select CRYPTO_MANAGER
653 help
cf514b2a
RE
654 CBC (Cipher Block Chaining) mode (NIST SP800-38A)
655
656 This block cipher mode is required for IPSec ESP (XFRM_ESP).
93b5e86a 657
f1f142ad 658config CRYPTO_CFB
cf514b2a 659 tristate "CFB (Cipher Feedback)"
f1f142ad 660 select CRYPTO_SKCIPHER
23e353c8 661 select CRYPTO_MANAGER
23e353c8 662 help
cf514b2a
RE
663 CFB (Cipher Feedback) mode (NIST SP800-38A)
664
665 This block cipher mode is required for TPM2 Cryptography.
23e353c8 666
f1f142ad 667config CRYPTO_CTR
cf514b2a 668 tristate "CTR (Counter)"
f1f142ad 669 select CRYPTO_SKCIPHER
584fffc8 670 select CRYPTO_MANAGER
76cb9521 671 help
cf514b2a 672 CTR (Counter) mode (NIST SP800-38A)
76cb9521 673
f1f142ad 674config CRYPTO_CTS
cf514b2a 675 tristate "CTS (Cipher Text Stealing)"
f1f142ad 676 select CRYPTO_SKCIPHER
f1939f7c
SW
677 select CRYPTO_MANAGER
678 help
cf514b2a
RE
679 CBC-CS3 variant of CTS (Cipher Text Stealing) (NIST
680 Addendum to SP800-38A (October 2010))
681
f1f142ad
RE
682 This mode is required for Kerberos gss mechanism support
683 for AES encryption.
f1939f7c 684
f1f142ad 685config CRYPTO_ECB
cf514b2a 686 tristate "ECB (Electronic Codebook)"
f1f142ad
RE
687 select CRYPTO_SKCIPHER
688 select CRYPTO_MANAGER
4a49b499 689 help
cf514b2a 690 ECB (Electronic Codebook) mode (NIST SP800-38A)
4a49b499 691
f1f142ad 692config CRYPTO_HCTR2
cf514b2a 693 tristate "HCTR2"
f1f142ad
RE
694 select CRYPTO_XCTR
695 select CRYPTO_POLYVAL
696 select CRYPTO_MANAGER
78c37d19 697 help
cf514b2a
RE
698 HCTR2 length-preserving encryption mode
699
700 A mode for storage encryption that is efficient on processors with
701 instructions to accelerate AES and carryless multiplication, e.g.
702 x86 processors with AES-NI and CLMUL, and ARM processors with the
703 ARMv8 crypto extensions.
704
705 See https://eprint.iacr.org/2021/1441
78c37d19 706
f1f142ad 707config CRYPTO_KEYWRAP
cf514b2a 708 tristate "KW (AES Key Wrap)"
f1f142ad
RE
709 select CRYPTO_SKCIPHER
710 select CRYPTO_MANAGER
2cdc6899 711 help
cf514b2a
RE
712 KW (AES Key Wrap) authenticated encryption mode (NIST SP800-38F
713 and RFC3394) without padding.
2cdc6899 714
f1f142ad 715config CRYPTO_LRW
cf514b2a 716 tristate "LRW (Liskov Rivest Wagner)"
f1f142ad
RE
717 select CRYPTO_SKCIPHER
718 select CRYPTO_MANAGER
f3c923a0 719 select CRYPTO_GF128MUL
f1f142ad 720 select CRYPTO_ECB
f3c923a0 721 help
cf514b2a
RE
722 LRW (Liskov Rivest Wagner) mode
723
724 A tweakable, non malleable, non movable
f1f142ad
RE
725 narrow block cipher mode for dm-crypt. Use it with cipher
726 specification string aes-lrw-benbi; the key must be 256, 320 or 384 bits long.
727 The first 128, 192 or 256 bits in the key are used for AES and the
728 rest is used to tie each cipher block to its logical position.
f3c923a0 729
cf514b2a
RE
730 See https://people.csail.mit.edu/rivest/pubs/LRW02.pdf
731
f1f142ad 732config CRYPTO_OFB
cf514b2a 733 tristate "OFB (Output Feedback)"
f1f142ad
RE
734 select CRYPTO_SKCIPHER
735 select CRYPTO_MANAGER
f979e014 736 help
cf514b2a
RE
737 OFB (Output Feedback) mode (NIST SP800-38A)
738
739 This mode makes a block cipher into a synchronous
f1f142ad
RE
740 stream cipher. It generates keystream blocks, which are then XORed
741 with the plaintext blocks to get the ciphertext. Flipping a bit in the
742 ciphertext produces a flipped bit in the plaintext at the same
743 location. This property allows many error correcting codes to function
744 normally even when applied before encryption.
f979e014 745
f1f142ad 746config CRYPTO_PCBC
cf514b2a 747 tristate "PCBC (Propagating Cipher Block Chaining)"
f1f142ad
RE
748 select CRYPTO_SKCIPHER
749 select CRYPTO_MANAGER
124b53d0 750 help
cf514b2a
RE
751 PCBC (Propagating Cipher Block Chaining) mode
752
753 This block cipher mode is required for RxRPC.
124b53d0 754
f1f142ad
RE
755config CRYPTO_XCTR
756 tristate
757 select CRYPTO_SKCIPHER
758 select CRYPTO_MANAGER
1da177e4 759 help
cf514b2a
RE
760 XCTR (XOR Counter) mode for HCTR2
761
762 This blockcipher mode is a variant of CTR mode using XORs and little-endian
763 addition rather than big-endian arithmetic.
764
f1f142ad 765 XCTR mode is used to implement HCTR2.
1da177e4 766
f1f142ad 767config CRYPTO_XTS
cf514b2a 768 tristate "XTS (XOR Encrypt XOR with ciphertext stealing)"
f1f142ad
RE
769 select CRYPTO_SKCIPHER
770 select CRYPTO_MANAGER
771 select CRYPTO_ECB
90831639 772 help
cf514b2a
RE
773 XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
774 and IEEE 1619)
775
776 Use with aes-xts-plain, key size 256, 384 or 512 bits. This
777 implementation currently can't handle a sectorsize which is not a
778 multiple of 16 bytes.
90831639 779
f1f142ad
RE
780config CRYPTO_NHPOLY1305
781 tristate
e5835fba 782 select CRYPTO_HASH
f1f142ad 783 select CRYPTO_LIB_POLY1305_GENERIC
534fe2c1 784
f1f142ad 785endmenu
534fe2c1 786
f1f142ad 787menu "AEAD (authenticated encryption with associated data) ciphers"
1da177e4 788
f1f142ad 789config CRYPTO_AEGIS128
e3d2eadd 790 tristate "AEGIS-128"
f1f142ad
RE
791 select CRYPTO_AEAD
792 select CRYPTO_AES # for AES S-box tables
1da177e4 793 help
e3d2eadd 794 AEGIS-128 AEAD algorithm
2729bb42 795
f1f142ad 796config CRYPTO_AEGIS128_SIMD
e3d2eadd 797 bool "AEGIS-128 (arm NEON, arm64 NEON)"
f1f142ad
RE
798 depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
799 default y
e3d2eadd
RE
800 help
801 AEGIS-128 AEAD algorithm
802
803 Architecture: arm or arm64 using:
804 - NEON (Advanced SIMD) extension
584fffc8 805
f1f142ad 806config CRYPTO_CHACHA20POLY1305
e3d2eadd 807 tristate "ChaCha20-Poly1305"
f1f142ad
RE
808 select CRYPTO_CHACHA20
809 select CRYPTO_POLY1305
810 select CRYPTO_AEAD
811 select CRYPTO_MANAGER
b9f535ff 812 help
e3d2eadd
RE
813 ChaCha20 stream cipher and Poly1305 authenticator combined
814 mode (RFC8439)
b9f535ff 815
f1f142ad 816config CRYPTO_CCM
cf514b2a 817 tristate "CCM (Counter with Cipher Block Chaining-MAC)"
f1f142ad 818 select CRYPTO_CTR
53964b9e 819 select CRYPTO_HASH
f1f142ad
RE
820 select CRYPTO_AEAD
821 select CRYPTO_MANAGER
53964b9e 822 help
e3d2eadd
RE
823 CCM (Counter with Cipher Block Chaining-Message Authentication Code)
824 authenticated encryption mode (NIST SP800-38C)
d2825fa9 825
f1f142ad 826config CRYPTO_GCM
cf514b2a 827 tristate "GCM (Galois/Counter Mode) and GMAC (GCM MAC)"
f1f142ad
RE
828 select CRYPTO_CTR
829 select CRYPTO_AEAD
830 select CRYPTO_GHASH
831 select CRYPTO_NULL
832 select CRYPTO_MANAGER
4f0fc160 833 help
e3d2eadd
RE
834 GCM (Galois/Counter Mode) authenticated encryption mode and GMAC
835 (GCM Message Authentication Code) (NIST SP800-38D)
836
837 This is required for IPSec ESP (XFRM_ESP).
4f0fc160 838
f1f142ad
RE
839config CRYPTO_SEQIV
840 tristate "Sequence Number IV Generator"
841 select CRYPTO_AEAD
842 select CRYPTO_SKCIPHER
843 select CRYPTO_NULL
844 select CRYPTO_RNG_DEFAULT
845 select CRYPTO_MANAGER
fe18957e 846 help
e3d2eadd
RE
847 Sequence Number IV generator
848
f1f142ad 849 This IV generator generates an IV based on a sequence number by
e3d2eadd
RE
850 xoring it with a salt. This algorithm is mainly useful for CTR.
851
852 This is required for IPsec ESP (XFRM_ESP).
fe18957e 853
f1f142ad
RE
854config CRYPTO_ECHAINIV
855 tristate "Encrypted Chain IV Generator"
856 select CRYPTO_AEAD
857 select CRYPTO_NULL
858 select CRYPTO_RNG_DEFAULT
859 select CRYPTO_MANAGER
1da177e4 860 help
e3d2eadd
RE
861 Encrypted Chain IV generator
862
f1f142ad
RE
863 This IV generator generates an IV based on the encryption of
864 a sequence number xored with a salt. This is the default
865 algorithm for CBC.
1da177e4 866
f1f142ad 867config CRYPTO_ESSIV
e3d2eadd 868 tristate "Encrypted Salt-Sector IV Generator"
f1f142ad 869 select CRYPTO_AUTHENC
1da177e4 870 help
e3d2eadd
RE
871 Encrypted Salt-Sector IV generator
872
873 This IV generator is used in some cases by fscrypt and/or
f1f142ad
RE
874 dm-crypt. It uses the hash of the block encryption key as the
875 symmetric key for a block encryption pass applied to the input
876 IV, making low entropy IV sources more suitable for block
877 encryption.
1da177e4 878
f1f142ad
RE
879 This driver implements a crypto API template that can be
880 instantiated either as an skcipher or as an AEAD (depending on the
881 type of the first template argument), and which defers encryption
882 and decryption requests to the encapsulated cipher after applying
883 ESSIV to the input IV. Note that in the AEAD case, it is assumed
884 that the keys are presented in the same format used by the authenc
885 template, and that the IV appears at the end of the authenticated
886 associated data (AAD) region (which is how dm-crypt uses it.)
1da177e4 887
f1f142ad
RE
888 Note that the use of ESSIV is not recommended for new deployments,
889 and so this only needs to be enabled when interoperability with
890 existing encrypted volumes of filesystems is required, or when
891 building for a particular system that requires it (e.g., when
892 the SoC in question has accelerated CBC but not XTS, making CBC
893 combined with ESSIV the only feasible mode for h/w accelerated
894 block encryption)
1da177e4 895
f1f142ad 896endmenu
b5e0b032 897
f1f142ad 898menu "Hashes, digests, and MACs"
b5e0b032 899
f1f142ad 900config CRYPTO_BLAKE2B
3f342a23 901 tristate "BLAKE2b"
f1f142ad 902 select CRYPTO_HASH
584fffc8 903 help
3f342a23 904 BLAKE2b cryptographic hash function (RFC 7693)
584fffc8 905
3f342a23
RE
906 BLAKE2b is optimized for 64-bit platforms and can produce digests
907 of any size between 1 and 64 bytes. The keyed hash is also implemented.
584fffc8 908
3f342a23 909 This module provides the following algorithms:
f1f142ad
RE
910 - blake2b-160
911 - blake2b-256
912 - blake2b-384
913 - blake2b-512
584fffc8 914
3f342a23
RE
915 Used by the btrfs filesystem.
916
f1f142ad 917 See https://blake2.net for further information.
584fffc8 918
f1f142ad 919config CRYPTO_CMAC
3f342a23 920 tristate "CMAC (Cipher-based MAC)"
f1f142ad
RE
921 select CRYPTO_HASH
922 select CRYPTO_MANAGER
584fffc8 923 help
3f342a23
RE
924 CMAC (Cipher-based Message Authentication Code) authentication
925 mode (NIST SP800-38B and IETF RFC4493)
584fffc8 926
f1f142ad 927config CRYPTO_GHASH
3f342a23 928 tristate "GHASH"
f1f142ad
RE
929 select CRYPTO_GF128MUL
930 select CRYPTO_HASH
52ba867c 931 help
3f342a23 932 GCM GHASH function (NIST SP800-38D)
52ba867c 933
f1f142ad 934config CRYPTO_HMAC
3f342a23 935 tristate "HMAC (Keyed-Hash MAC)"
f1f142ad
RE
936 select CRYPTO_HASH
937 select CRYPTO_MANAGER
584fffc8 938 help
3f342a23
RE
939 HMAC (Keyed-Hash Message Authentication Code) (FIPS 198 and
940 RFC2104)
941
942 This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
584fffc8 943
f1f142ad 944config CRYPTO_MD4
3f342a23 945 tristate "MD4"
f1f142ad 946 select CRYPTO_HASH
044ab525 947 help
3f342a23 948 MD4 message digest algorithm (RFC1320)
044ab525 949
f1f142ad 950config CRYPTO_MD5
3f342a23 951 tristate "MD5"
f1f142ad 952 select CRYPTO_HASH
1da177e4 953 help
3f342a23 954 MD5 message digest algorithm (RFC1321)
1da177e4 955
f1f142ad 956config CRYPTO_MICHAEL_MIC
3f342a23 957 tristate "Michael MIC"
f1f142ad 958 select CRYPTO_HASH
1da177e4 959 help
3f342a23
RE
960 Michael MIC (Message Integrity Code) (IEEE 802.11i)
961
962 Defined by the IEEE 802.11i TKIP (Temporal Key Integrity Protocol),
963 known as WPA (Wi-Fi Protected Access).
964
965 This algorithm is required for TKIP, but it should not be used for
966 other purposes because of the weakness of the algorithm.
1da177e4 967
f1f142ad
RE
968config CRYPTO_POLYVAL
969 tristate
970 select CRYPTO_GF128MUL
971 select CRYPTO_HASH
1da177e4 972 help
3f342a23
RE
973 POLYVAL hash function for HCTR2
974
975 This is used in HCTR2. It is not a general-purpose
f1f142ad 976 cryptographic hash function.
fb4f10ed 977
f1f142ad 978config CRYPTO_POLY1305
3f342a23 979 tristate "Poly1305"
f1f142ad
RE
980 select CRYPTO_HASH
981 select CRYPTO_LIB_POLY1305_GENERIC
1da177e4 982 help
3f342a23 983 Poly1305 authenticator algorithm (RFC7539)
1da177e4 984
f1f142ad
RE
985 Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
986 It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
987 in IETF protocols. This is the portable C implementation of Poly1305.
988
989config CRYPTO_RMD160
3f342a23 990 tristate "RIPEMD-160"
f1f142ad 991 select CRYPTO_HASH
1da177e4 992 help
3f342a23 993 RIPEMD-160 hash function (ISO/IEC 10118-3)
1da177e4 994
f1f142ad
RE
995 RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
996 to be used as a secure replacement for the 128-bit hash functions
997 MD4, MD5 and its predecessor RIPEMD
998 (not to be confused with RIPEMD-128).
1da177e4 999
3f342a23 1000 Its speed is comparable to SHA-1 and there are no known attacks
f1f142ad 1001 against RIPEMD-160.
1da177e4 1002
f1f142ad 1003 Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
3f342a23
RE
1004 See https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
1005 for further information.
f1f142ad
RE
1006
1007config CRYPTO_SHA1
3f342a23 1008 tristate "SHA-1"
f1f142ad
RE
1009 select CRYPTO_HASH
1010 select CRYPTO_LIB_SHA1
c08d0e64 1011 help
3f342a23 1012 SHA-1 secure hash algorithm (FIPS 180, ISO/IEC 10118-3)
c08d0e64 1013
f1f142ad 1014config CRYPTO_SHA256
3f342a23 1015 tristate "SHA-224 and SHA-256"
f1f142ad
RE
1016 select CRYPTO_HASH
1017 select CRYPTO_LIB_SHA256
1018 help
3f342a23 1019 SHA-224 and SHA-256 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
de61d7ae 1020
3f342a23
RE
1021 This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
1022 Used by the btrfs filesystem, Ceph, NFS, and SMB.
aa762409 1023
f1f142ad 1024config CRYPTO_SHA512
3f342a23 1025 tristate "SHA-384 and SHA-512"
f1f142ad 1026 select CRYPTO_HASH
1da177e4 1027 help
3f342a23 1028 SHA-384 and SHA-512 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
584fffc8 1029
f1f142ad 1030config CRYPTO_SHA3
3f342a23 1031 tristate "SHA-3"
f1f142ad 1032 select CRYPTO_HASH
e4e712bb 1033 help
3f342a23 1034 SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3)
e4e712bb 1035
f1f142ad
RE
1036config CRYPTO_SM3
1037 tristate
e4e712bb 1038
f1f142ad 1039config CRYPTO_SM3_GENERIC
3f342a23 1040 tristate "SM3 (ShangMi 3)"
f1f142ad
RE
1041 select CRYPTO_HASH
1042 select CRYPTO_SM3
1da177e4 1043 help
3f342a23
RE
1044 SM3 (ShangMi 3) secure hash function (OSCCA GM/T 0004-2012, ISO/IEC 10118-3)
1045
1046 This is part of the Chinese Commercial Cryptography suite.
1da177e4 1047
f1f142ad
RE
1048 References:
1049 http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
1050 https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
584fffc8 1051
f1f142ad 1052config CRYPTO_STREEBOG
3f342a23 1053 tristate "Streebog"
f1f142ad
RE
1054 select CRYPTO_HASH
1055 help
3f342a23
RE
1056 Streebog Hash Function (GOST R 34.11-2012, RFC 6986, ISO/IEC 10118-3)
1057
1058 This is one of the Russian cryptographic standard algorithms (called
1059 GOST algorithms). This setting enables two hash algorithms with
1060 256 and 512 bits output.
584fffc8 1061
f1f142ad
RE
1062 References:
1063 https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1064 https://tools.ietf.org/html/rfc6986
d2825fa9 1065
f1f142ad 1066config CRYPTO_VMAC
3f342a23 1067 tristate "VMAC"
f1f142ad
RE
1068 select CRYPTO_HASH
1069 select CRYPTO_MANAGER
747c8ce4 1070 help
f1f142ad
RE
1071 VMAC is a message authentication algorithm designed for
1072 very high speed on 64-bit architectures.
747c8ce4 1073
3f342a23 1074 See https://fastcrypto.org/vmac for further information.
747c8ce4 1075
f1f142ad 1076config CRYPTO_WP512
3f342a23 1077 tristate "Whirlpool"
f1f142ad
RE
1078 select CRYPTO_HASH
1079 help
3f342a23
RE
1080 Whirlpool hash function (ISO/IEC 10118-3)
1081
1082 512, 384 and 256-bit hashes.
747c8ce4 1083
f1f142ad 1084 Whirlpool-512 is part of the NESSIE cryptographic primitives.
747c8ce4 1085
3f342a23
RE
1086 See https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
1087 for further information.
747c8ce4 1088
f1f142ad 1089config CRYPTO_XCBC
3f342a23 1090 tristate "XCBC-MAC (Extended Cipher Block Chaining MAC)"
f1f142ad
RE
1091 select CRYPTO_HASH
1092 select CRYPTO_MANAGER
1093 help
3f342a23
RE
1094 XCBC-MAC (Extended Cipher Block Chaining Message Authentication
1095 Code) (RFC3566)
747c8ce4 1096
f1f142ad 1097config CRYPTO_XXHASH
3f342a23 1098 tristate "xxHash"
f1f142ad
RE
1099 select CRYPTO_HASH
1100 select XXHASH
1da177e4 1101 help
3f342a23
RE
1102 xxHash non-cryptographic hash algorithm
1103
1104 Extremely fast, working at speeds close to RAM limits.
1105
1106 Used by the btrfs filesystem.
1da177e4 1107
f1f142ad 1108endmenu
584fffc8 1109
f1f142ad 1110menu "CRCs (cyclic redundancy checks)"
584fffc8 1111
f1f142ad 1112config CRYPTO_CRC32C
ec84348d 1113 tristate "CRC32c"
f1f142ad
RE
1114 select CRYPTO_HASH
1115 select CRC32
1116 help
ec84348d
RE
1117 CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720)
1118
1119 A 32-bit CRC (cyclic redundancy check) with a polynomial defined
1120 by G. Castagnoli, S. Braeuer and M. Herrmann in "Optimization of Cyclic
1121 Redundancy-Check Codes with 24 and 32 Parity Bits", IEEE Transactions
1122 on Communications, Vol. 41, No. 6, June 1993, selected for use with
1123 iSCSI.
1124
1125 Used by btrfs, ext4, jbd2, NVMeoF/TCP, and iSCSI.
584fffc8 1126
f1f142ad 1127config CRYPTO_CRC32
ec84348d 1128 tristate "CRC32"
f1f142ad
RE
1129 select CRYPTO_HASH
1130 select CRC32
04ac7db3 1131 help
ec84348d
RE
1132 CRC32 CRC algorithm (IEEE 802.3)
1133
1134 Used by RoCEv2 and f2fs.
04ac7db3 1135
f1f142ad 1136config CRYPTO_CRCT10DIF
ec84348d 1137 tristate "CRCT10DIF"
f1f142ad
RE
1138 select CRYPTO_HASH
1139 help
ec84348d
RE
1140 CRC16 CRC algorithm used for the T10 (SCSI) Data Integrity Field (DIF)
1141
1142 CRC algorithm used by the SCSI Block Commands standard.
04ac7db3 1143
f1f142ad 1144config CRYPTO_CRC64_ROCKSOFT
ec84348d 1145 tristate "CRC64 based on Rocksoft Model algorithm"
f1f142ad
RE
1146 depends on CRC64
1147 select CRYPTO_HASH
ec84348d
RE
1148 help
1149 CRC64 CRC algorithm based on the Rocksoft Model CRC Algorithm
1150
1151 Used by the NVMe implementation of T10 DIF (BLK_DEV_INTEGRITY)
1152
1153 See https://zlib.net/crc_v3.txt
584fffc8 1154
f1f142ad 1155endmenu
584fffc8 1156
f1f142ad 1157menu "Compression"
584fffc8
SS
1158
1159config CRYPTO_DEFLATE
a9a98d49 1160 tristate "Deflate"
584fffc8 1161 select CRYPTO_ALGAPI
f6ded09d 1162 select CRYPTO_ACOMP2
584fffc8
SS
1163 select ZLIB_INFLATE
1164 select ZLIB_DEFLATE
3c09f17c 1165 help
a9a98d49 1166 Deflate compression algorithm (RFC1951)
584fffc8 1167
a9a98d49 1168 Used by IPSec with the IPCOMP protocol (RFC3173, RFC2394)
3c09f17c 1169
0b77abb3 1170config CRYPTO_LZO
a9a98d49 1171 tristate "LZO"
0b77abb3 1172 select CRYPTO_ALGAPI
ac9d2c4b 1173 select CRYPTO_ACOMP2
0b77abb3
ZS
1174 select LZO_COMPRESS
1175 select LZO_DECOMPRESS
1176 help
a9a98d49
RE
1177 LZO compression algorithm
1178
1179 See https://www.oberhumer.com/opensource/lzo/ for further information.
0b77abb3 1180
35a1fc18 1181config CRYPTO_842
a9a98d49 1182 tristate "842"
2062c5b6 1183 select CRYPTO_ALGAPI
6a8de3ae 1184 select CRYPTO_ACOMP2
2062c5b6
DS
1185 select 842_COMPRESS
1186 select 842_DECOMPRESS
35a1fc18 1187 help
a9a98d49
RE
1188 842 compression algorithm by IBM
1189
1190 See https://github.com/plauth/lib842 for further information.
0ea8530d
CM
1191
1192config CRYPTO_LZ4
a9a98d49 1193 tristate "LZ4"
0ea8530d 1194 select CRYPTO_ALGAPI
8cd9330e 1195 select CRYPTO_ACOMP2
0ea8530d
CM
1196 select LZ4_COMPRESS
1197 select LZ4_DECOMPRESS
1198 help
a9a98d49
RE
1199 LZ4 compression algorithm
1200
1201 See https://github.com/lz4/lz4 for further information.
0ea8530d
CM
1202
1203config CRYPTO_LZ4HC
a9a98d49 1204 tristate "LZ4HC"
0ea8530d 1205 select CRYPTO_ALGAPI
91d53d96 1206 select CRYPTO_ACOMP2
0ea8530d
CM
1207 select LZ4HC_COMPRESS
1208 select LZ4_DECOMPRESS
1209 help
a9a98d49
RE
1210 LZ4 high compression mode algorithm
1211
1212 See https://github.com/lz4/lz4 for further information.
35a1fc18 1213
d28fc3db 1214config CRYPTO_ZSTD
a9a98d49 1215 tristate "Zstd"
d28fc3db
NT
1216 select CRYPTO_ALGAPI
1217 select CRYPTO_ACOMP2
1218 select ZSTD_COMPRESS
1219 select ZSTD_DECOMPRESS
1220 help
a9a98d49
RE
1221 zstd compression algorithm
1222
1223 See https://github.com/facebook/zstd for further information.
d28fc3db 1224
f1f142ad
RE
1225endmenu
1226
1227menu "Random number generation"
17f0f4a4
NH
1228
1229config CRYPTO_ANSI_CPRNG
a9a98d49 1230 tristate "ANSI PRNG (Pseudo Random Number Generator)"
17f0f4a4
NH
1231 select CRYPTO_AES
1232 select CRYPTO_RNG
17f0f4a4 1233 help
a9a98d49
RE
1234 Pseudo RNG (random number generator) (ANSI X9.31 Appendix A.2.4)
1235
1236 This uses the AES cipher algorithm.
1237
1238 Note that this option must be enabled if CRYPTO_FIPS is selected
17f0f4a4 1239
f2c89a10 1240menuconfig CRYPTO_DRBG_MENU
a9a98d49 1241 tristate "NIST SP800-90A DRBG (Deterministic Random Bit Generator)"
419090c6 1242 help
a9a98d49
RE
1243 DRBG (Deterministic Random Bit Generator) (NIST SP800-90A)
1244
1245 In the following submenu, one or more of the DRBG types must be selected.
419090c6 1246
f2c89a10 1247if CRYPTO_DRBG_MENU
419090c6
SM
1248
1249config CRYPTO_DRBG_HMAC
401e4238 1250 bool
419090c6 1251 default y
419090c6 1252 select CRYPTO_HMAC
5261cdf4 1253 select CRYPTO_SHA512
419090c6
SM
1254
1255config CRYPTO_DRBG_HASH
a9a98d49 1256 bool "Hash_DRBG"
826775bb 1257 select CRYPTO_SHA256
419090c6 1258 help
a9a98d49
RE
1259 Hash_DRBG variant as defined in NIST SP800-90A.
1260
1261 This uses the SHA-1, SHA-256, SHA-384, or SHA-512 hash algorithms.
419090c6
SM
1262
1263config CRYPTO_DRBG_CTR
a9a98d49 1264 bool "CTR_DRBG"
419090c6 1265 select CRYPTO_AES
d6fc1a45 1266 select CRYPTO_CTR
419090c6 1267 help
a9a98d49
RE
1268 CTR_DRBG variant as defined in NIST SP800-90A.
1269
1270 This uses the AES cipher algorithm with the counter block mode.
419090c6 1271
f2c89a10
HX
1272config CRYPTO_DRBG
1273 tristate
401e4238 1274 default CRYPTO_DRBG_MENU
f2c89a10 1275 select CRYPTO_RNG
bb5530e4 1276 select CRYPTO_JITTERENTROPY
f2c89a10
HX
1277
1278endif # if CRYPTO_DRBG_MENU
419090c6 1279
bb5530e4 1280config CRYPTO_JITTERENTROPY
a9a98d49 1281 tristate "CPU Jitter Non-Deterministic RNG (Random Number Generator)"
2f313e02 1282 select CRYPTO_RNG
bb5530e4 1283 help
a9a98d49
RE
1284 CPU Jitter RNG (Random Number Generator) from the Jitterentropy library
1285
1286 A non-physical non-deterministic ("true") RNG (e.g., an entropy source
1287 compliant with NIST SP800-90B) intended to provide a seed to a
1288 deterministic RNG (e.g. per NIST SP800-90C).
1289 This RNG does not perform any cryptographic whitening of the generated random numbers.
1290
1291 See https://www.chronox.de/jent.html
bb5530e4 1292
026a733e
SM
1293config CRYPTO_KDF800108_CTR
1294 tristate
a88592cc 1295 select CRYPTO_HMAC
304b4ace 1296 select CRYPTO_SHA256
026a733e 1297
f1f142ad 1298endmenu
9bc51715 1299menu "Userspace interface"
f1f142ad 1300
03c8efc1
HX
1301config CRYPTO_USER_API
1302 tristate
1303
fe869cdb 1304config CRYPTO_USER_API_HASH
9bc51715 1305 tristate "Hash algorithms"
7451708f 1306 depends on NET
fe869cdb
HX
1307 select CRYPTO_HASH
1308 select CRYPTO_USER_API
1309 help
9bc51715
RE
1310 Enable the userspace interface for hash algorithms.
1311
1312 See Documentation/crypto/userspace-if.rst and
1313 https://www.chronox.de/libkcapi/html/index.html
fe869cdb 1314
8ff59090 1315config CRYPTO_USER_API_SKCIPHER
9bc51715 1316 tristate "Symmetric key cipher algorithms"
7451708f 1317 depends on NET
b95bba5d 1318 select CRYPTO_SKCIPHER
8ff59090
HX
1319 select CRYPTO_USER_API
1320 help
9bc51715
RE
1321 Enable the userspace interface for symmetric key cipher algorithms.
1322
1323 See Documentation/crypto/userspace-if.rst and
1324 https://www.chronox.de/libkcapi/html/index.html
8ff59090 1325
2f375538 1326config CRYPTO_USER_API_RNG
9bc51715 1327 tristate "RNG (random number generator) algorithms"
2f375538
SM
1328 depends on NET
1329 select CRYPTO_RNG
1330 select CRYPTO_USER_API
1331 help
9bc51715
RE
1332 Enable the userspace interface for RNG (random number generator)
1333 algorithms.
1334
1335 See Documentation/crypto/userspace-if.rst and
1336 https://www.chronox.de/libkcapi/html/index.html
2f375538 1337
77ebdabe
EP
1338config CRYPTO_USER_API_RNG_CAVP
1339 bool "Enable CAVP testing of DRBG"
1340 depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
1341 help
9bc51715
RE
1342 Enable extra APIs in the userspace interface for NIST CAVP
1343 (Cryptographic Algorithm Validation Program) testing:
1344 - resetting DRBG entropy
1345 - providing Additional Data
1346
77ebdabe
EP
1347 This should only be enabled for CAVP testing. You should say
1348 no unless you know what this is.
1349
b64a2d95 1350config CRYPTO_USER_API_AEAD
9bc51715 1351 tristate "AEAD cipher algorithms"
b64a2d95
HX
1352 depends on NET
1353 select CRYPTO_AEAD
b95bba5d 1354 select CRYPTO_SKCIPHER
72548b09 1355 select CRYPTO_NULL
b64a2d95
HX
1356 select CRYPTO_USER_API
1357 help
9bc51715
RE
1358 Enable the userspace interface for AEAD cipher algorithms.
1359
1360 See Documentation/crypto/userspace-if.rst and
1361 https://www.chronox.de/libkcapi/html/index.html
b64a2d95 1362
9ace6771 1363config CRYPTO_USER_API_ENABLE_OBSOLETE
9bc51715 1364 bool "Obsolete cryptographic algorithms"
9ace6771
AB
1365 depends on CRYPTO_USER_API
1366 default y
1367 help
1368 Allow obsolete cryptographic algorithms to be selected that have
1369 already been phased out from internal use by the kernel, and are
1370 only useful for userspace clients that still rely on them.
1371
cac5818c 1372config CRYPTO_STATS
9bc51715 1373 bool "Crypto usage statistics"
a6a31385 1374 depends on CRYPTO_USER
cac5818c 1375 help
9bc51715
RE
1376 Enable the gathering of crypto stats.
1377
1378 This collects data sizes, numbers of requests, and numbers
1379 of errors processed by:
1380 - AEAD ciphers (encrypt, decrypt)
1381 - asymmetric key ciphers (encrypt, decrypt, verify, sign)
1382 - symmetric key ciphers (encrypt, decrypt)
1383 - compression algorithms (compress, decompress)
1384 - hash algorithms (hash)
1385 - key-agreement protocol primitives (setsecret, generate
1386 public key, compute shared secret)
1387 - RNG (generate, seed)
cac5818c 1388
f1f142ad
RE
1389endmenu
1390
ee08997f
DK
1391config CRYPTO_HASH_INFO
1392 bool
1393
27bc50fc 1394if !KMSAN # avoid false positives from assembly
4a329fec
RE
1395if ARM
1396source "arch/arm/crypto/Kconfig"
1397endif
1398if ARM64
1399source "arch/arm64/crypto/Kconfig"
1400endif
e45f710b
RE
1401if MIPS
1402source "arch/mips/crypto/Kconfig"
1403endif
6a490a4e
RE
1404if PPC
1405source "arch/powerpc/crypto/Kconfig"
1406endif
c9d24c97
RE
1407if S390
1408source "arch/s390/crypto/Kconfig"
1409endif
0e9f9ea6
RE
1410if SPARC
1411source "arch/sparc/crypto/Kconfig"
1412endif
28a936ef
RE
1413if X86
1414source "arch/x86/crypto/Kconfig"
1415endif
27bc50fc 1416endif
e45f710b 1417
1da177e4 1418source "drivers/crypto/Kconfig"
8636a1f9
MY
1419source "crypto/asymmetric_keys/Kconfig"
1420source "certs/Kconfig"
1da177e4 1421
cce9e06d 1422endif # if CRYPTO