projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge tag 'pm-6.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
[linux-2.6-block.git] / crypto / Kconfig
CommitLineData
b2441318 1# SPDX-License-Identifier: GPL-2.0
685784aa
DW		 2#
3# Generic algorithms support
4#
5config XOR_BLOCKS
6 tristate
7
1da177e4 8#
9bc89cd8 9# async_tx api: hardware offloaded memory transfer/transform support
1da177e4 10#
9bc89cd8 11source "crypto/async_tx/Kconfig"
1da177e4 12
9bc89cd8
DW		 13#
14# Cryptographic API Configuration
15#
2e290f43 16menuconfig CRYPTO
c3715cb9 17 tristate "Cryptographic API"
7033b937 18 select CRYPTO_LIB_UTILS
1da177e4
LT		 19 help
20 This option provides the core Cryptographic API.
21
cce9e06d
HX		 22if CRYPTO
23
f1f142ad 24menu "Crypto core or helper"
584fffc8 25
ccb778e1
NH		 26config CRYPTO_FIPS
27 bool "FIPS 200 compliance"
40b99697 28 depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && CRYPTO_SELFTESTS
1f696097 29 depends on (MODULE_SIG || !MODULES)
ccb778e1 30 help
d99324c2
GU		 31 This option enables the fips boot option which is
32 required if you want the system to operate in a FIPS 200
ccb778e1 33 certification. You should say no unless you know what
e84c5480 34 this is.
ccb778e1 35
5a44749f
VD		 36config CRYPTO_FIPS_NAME
37 string "FIPS Module Name"
38 default "Linux Kernel Cryptographic API"
39 depends on CRYPTO_FIPS
40 help
41 This option sets the FIPS Module name reported by the Crypto API via
42 the /proc/sys/crypto/fips_name file.
43
44config CRYPTO_FIPS_CUSTOM_VERSION
45 bool "Use Custom FIPS Module Version"
46 depends on CRYPTO_FIPS
47 default n
48
49config CRYPTO_FIPS_VERSION
50 string "FIPS Module Version"
51 default "(none)"
52 depends on CRYPTO_FIPS_CUSTOM_VERSION
53 help
54 This option provides the ability to override the FIPS Module Version.
55 By default the KERNELRELEASE value is used.
56
cce9e06d
HX		 57config CRYPTO_ALGAPI
58 tristate
6a0fcbb4 59 select CRYPTO_ALGAPI2
cce9e06d
HX		 60 help
61 This option provides the API for cryptographic algorithms.
62
6a0fcbb4
HX		 63config CRYPTO_ALGAPI2
64 tristate
65
1ae97820
HX		 66config CRYPTO_AEAD
67 tristate
6a0fcbb4 68 select CRYPTO_AEAD2
1ae97820
HX		 69 select CRYPTO_ALGAPI
70
6a0fcbb4
HX		 71config CRYPTO_AEAD2
72 tristate
73 select CRYPTO_ALGAPI2
74
6cb8815f
HX		 75config CRYPTO_SIG
76 tristate
77 select CRYPTO_SIG2
78 select CRYPTO_ALGAPI
79
80config CRYPTO_SIG2
81 tristate
82 select CRYPTO_ALGAPI2
83
b95bba5d 84config CRYPTO_SKCIPHER
5cde0af2 85 tristate
b95bba5d 86 select CRYPTO_SKCIPHER2
5cde0af2 87 select CRYPTO_ALGAPI
84534684 88 select CRYPTO_ECB
6a0fcbb4 89
b95bba5d 90config CRYPTO_SKCIPHER2
6a0fcbb4
HX		 91 tristate
92 select CRYPTO_ALGAPI2
5cde0af2 93
055bcee3
HX		 94config CRYPTO_HASH
95 tristate
6a0fcbb4 96 select CRYPTO_HASH2
055bcee3
HX		 97 select CRYPTO_ALGAPI
98
6a0fcbb4
HX		 99config CRYPTO_HASH2
100 tristate
101 select CRYPTO_ALGAPI2
102
17f0f4a4
NH		 103config CRYPTO_RNG
104 tristate
6a0fcbb4 105 select CRYPTO_RNG2
17f0f4a4
NH		 106 select CRYPTO_ALGAPI
107
6a0fcbb4
HX		 108config CRYPTO_RNG2
109 tristate
110 select CRYPTO_ALGAPI2
111
401e4238
HX		 112config CRYPTO_RNG_DEFAULT
113 tristate
114 select CRYPTO_DRBG_MENU
115
3c339ab8
TS		 116config CRYPTO_AKCIPHER2
117 tristate
118 select CRYPTO_ALGAPI2
119
120config CRYPTO_AKCIPHER
121 tristate
122 select CRYPTO_AKCIPHER2
123 select CRYPTO_ALGAPI
124
4e5f2c40
SB		 125config CRYPTO_KPP2
126 tristate
127 select CRYPTO_ALGAPI2
128
129config CRYPTO_KPP
130 tristate
131 select CRYPTO_ALGAPI
132 select CRYPTO_KPP2
133
2ebda74f
GC		 134config CRYPTO_ACOMP2
135 tristate
136 select CRYPTO_ALGAPI2
8cd579d2 137 select SGL_ALLOC
2ebda74f
GC		 138
139config CRYPTO_ACOMP
140 tristate
141 select CRYPTO_ALGAPI
142 select CRYPTO_ACOMP2
143
3241cd0c
HR		 144config CRYPTO_HKDF
145 tristate
40b99697
EB		 146 select CRYPTO_SHA256 if CRYPTO_SELFTESTS
147 select CRYPTO_SHA512 if CRYPTO_SELFTESTS
3241cd0c
HR		 148 select CRYPTO_HASH2
149
2b8c19db 150config CRYPTO_MANAGER
6f9d0f53 151 tristate
57999ed1 152 default CRYPTO_ALGAPI if CRYPTO_SELFTESTS
6a0fcbb4 153 select CRYPTO_MANAGER2
2b8c19db 154 help
57999ed1
EB		 155 This provides the support for instantiating templates such as
156 cbc(aes), and the support for the crypto self-tests.
2b8c19db 157
6a0fcbb4
HX		 158config CRYPTO_MANAGER2
159 def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
fb28fabf 160 select CRYPTO_ACOMP2
6a0fcbb4 161 select CRYPTO_AEAD2
946cc463 162 select CRYPTO_AKCIPHER2
6cb8815f 163 select CRYPTO_SIG2
fb28fabf 164 select CRYPTO_HASH2
4e5f2c40 165 select CRYPTO_KPP2
fb28fabf
HX		 166 select CRYPTO_RNG2
167 select CRYPTO_SKCIPHER2
6a0fcbb4 168
a38f7907
SK		 169config CRYPTO_USER
170 tristate "Userspace cryptographic algorithm configuration"
5db017aa 171 depends on NET
a38f7907
SK		 172 select CRYPTO_MANAGER
173 help
d19978f5 174 Userspace configuration for cryptographic instantiations such as
a38f7907
SK		 175 cbc(aes).
176
40b99697
EB		 177config CRYPTO_SELFTESTS
178 bool "Enable cryptographic self-tests"
ac90aad0 179 depends on EXPERT
0b767f96 180 help
40b99697
EB		 181 Enable the cryptographic self-tests.
182
183 The cryptographic self-tests run at boot time, or at algorithm
184 registration time if algorithms are dynamically loaded later.
185
ac90aad0
EB		 186 There are two main use cases for these tests:
187
188 - Development and pre-release testing. In this case, also enable
189 CRYPTO_SELFTESTS_FULL to get the full set of tests. All crypto code
190 in the kernel is expected to pass the full set of tests.
191
192 - Production kernels, to help prevent buggy drivers from being used
193 and/or meet FIPS 140-3 pre-operational testing requirements. In
194 this case, enable CRYPTO_SELFTESTS but not CRYPTO_SELFTESTS_FULL.
195
196config CRYPTO_SELFTESTS_FULL
197 bool "Enable the full set of cryptographic self-tests"
198 depends on CRYPTO_SELFTESTS
199 help
200 Enable the full set of cryptographic self-tests for each algorithm.
201
202 The full set of tests should be enabled for development and
203 pre-release testing, but not in production kernels.
204
205 All crypto code in the kernel is expected to pass the full tests.
0b767f96 206
1da177e4
LT		 207config CRYPTO_NULL
208 tristate "Null algorithms"
bde39305
EB		 209 select CRYPTO_ALGAPI
210 select CRYPTO_SKCIPHER
211 select CRYPTO_HASH
1da177e4
LT		 212 help
213 These are 'Null' algorithms, used by IPsec, which do nothing.
214
5068c7a8 215config CRYPTO_PCRYPT
3b4afaf2
KC		 216 tristate "Parallel crypto engine"
217 depends on SMP
5068c7a8
SK		 218 select PADATA
219 select CRYPTO_MANAGER
220 select CRYPTO_AEAD
221 help
222 This converts an arbitrary crypto algorithm into a parallel
223 algorithm that executes in kernel threads.
224
584fffc8
SS		 225config CRYPTO_CRYPTD
226 tristate "Software async crypto daemon"
b95bba5d 227 select CRYPTO_SKCIPHER
b8a28251 228 select CRYPTO_HASH
584fffc8 229 select CRYPTO_MANAGER
1da177e4 230 help
584fffc8
SS		 231 This is a generic software asynchronous crypto daemon that
232 converts an arbitrary synchronous software crypto algorithm
233 into an asynchronous algorithm that executes in a kernel thread.
1da177e4 234
584fffc8
SS		 235config CRYPTO_AUTHENC
236 tristate "Authenc support"
237 select CRYPTO_AEAD
b95bba5d 238 select CRYPTO_SKCIPHER
584fffc8
SS		 239 select CRYPTO_MANAGER
240 select CRYPTO_HASH
1da177e4 241 help
584fffc8 242 Authenc: Combined mode wrapper for IPsec.
cf514b2a
RE		 243
244 This is required for IPSec ESP (XFRM_ESP).
1da177e4 245
d1775a17
DH		 246config CRYPTO_KRB5ENC
247 tristate "Kerberos 5 combined hash+cipher support"
248 select CRYPTO_AEAD
249 select CRYPTO_SKCIPHER
250 select CRYPTO_MANAGER
251 select CRYPTO_HASH
d1775a17
DH		 252 help
253 Combined hash and cipher support for Kerberos 5 RFC3961 simplified
254 profile. This is required for Kerberos 5-style encryption, used by
255 sunrpc/NFS and rxrpc/AFS.
256
3357b6c9
EB		 257config CRYPTO_BENCHMARK
258 tristate "Crypto benchmarking module"
00ea27f1 259 depends on m || EXPERT
da7f033d 260 select CRYPTO_MANAGER
1da177e4 261 help
3357b6c9
EB		 262 Quick & dirty crypto benchmarking module.
263
264 This is mainly intended for use by people developing cryptographic
265 algorithms in the kernel. It should not be enabled in production
266 kernels.
1da177e4 267
266d0516
HX		 268config CRYPTO_SIMD
269 tristate
ffaf9156
JK		 270 select CRYPTO_CRYPTD
271
735d37b5
BW		 272config CRYPTO_ENGINE
273 tristate
274
f1f142ad
RE		 275endmenu
276
277menu "Public-key cryptography"
3d6228a5
VC		 278
279config CRYPTO_RSA
05b37465 280 tristate "RSA (Rivest-Shamir-Adleman)"
3d6228a5
VC		 281 select CRYPTO_AKCIPHER
282 select CRYPTO_MANAGER
1e562dea 283 select CRYPTO_SIG
3d6228a5
VC		 284 select MPILIB
285 select ASN1
286 help
05b37465 287 RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017)
3d6228a5
VC		 288
289config CRYPTO_DH
05b37465 290 tristate "DH (Diffie-Hellman)"
3d6228a5
VC		 291 select CRYPTO_KPP
292 select MPILIB
293 help
05b37465 294 DH (Diffie-Hellman) key exchange algorithm
3d6228a5 295
7dce5981 296config CRYPTO_DH_RFC7919_GROUPS
05b37465 297 bool "RFC 7919 FFDHE groups"
7dce5981 298 depends on CRYPTO_DH
1e207964 299 select CRYPTO_RNG_DEFAULT
7dce5981 300 help
05b37465
RE		 301 FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups
302 defined in RFC7919.
303
304 Support these finite-field groups in DH key exchanges:
305 - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
306
307 If unsure, say N.
7dce5981 308
4a2289da
VC		 309config CRYPTO_ECC
310 tristate
38aa192a 311 select CRYPTO_RNG_DEFAULT
4a2289da 312
3d6228a5 313config CRYPTO_ECDH
05b37465 314 tristate "ECDH (Elliptic Curve Diffie-Hellman)"
4a2289da 315 select CRYPTO_ECC
3d6228a5 316 select CRYPTO_KPP
3d6228a5 317 help
05b37465
RE		 318 ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm
319 using curves P-192, P-256, and P-384 (FIPS 186)
3d6228a5 320
4e660291 321config CRYPTO_ECDSA
05b37465 322 tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)"
4e660291 323 select CRYPTO_ECC
ef132350 324 select CRYPTO_SIG
4e660291
SB		 325 select ASN1
326 help
05b37465
RE		 327 ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186,
328 ISO/IEC 14888-3)
91790c7a 329 using curves P-192, P-256, P-384 and P-521
05b37465
RE		 330
331 Only signature verification is implemented.
4e660291 332
0d7a7864 333config CRYPTO_ECRDSA
05b37465 334 tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)"
0d7a7864 335 select CRYPTO_ECC
ae117924 336 select CRYPTO_SIG
0d7a7864 337 select CRYPTO_STREEBOG
1036633e
VC		 338 select OID_REGISTRY
339 select ASN1
0d7a7864
VC		 340 help
341 Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
05b37465
RE		 342 RFC 7091, ISO/IEC 14888-3)
343
344 One of the Russian cryptographic standard algorithms (called GOST
345 algorithms). Only signature verification is implemented.
0d7a7864 346
ee772cb6 347config CRYPTO_CURVE25519
05b37465 348 tristate "Curve25519"
ee772cb6
AB		 349 select CRYPTO_KPP
350 select CRYPTO_LIB_CURVE25519_GENERIC
17ec3e71 351 select CRYPTO_LIB_CURVE25519_INTERNAL
05b37465
RE		 352 help
353 Curve25519 elliptic curve (RFC7748)
ee772cb6 354
f1f142ad 355endmenu
cd12fb90 356
f1f142ad 357menu "Block ciphers"
1da177e4 358
f1f142ad 359config CRYPTO_AES
cf514b2a 360 tristate "AES (Advanced Encryption Standard)"
f1f142ad
RE		 361 select CRYPTO_ALGAPI
362 select CRYPTO_LIB_AES
1da177e4 363 help
cf514b2a 364 AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
1da177e4 365
f1f142ad
RE		 366 Rijndael appears to be consistently a very good performer in
367 both hardware and software across a wide range of computing
368 environments regardless of its use in feedback or non-feedback
369 modes. Its key setup time is excellent, and its key agility is
370 good. Rijndael's very low memory requirements make it very well
371 suited for restricted-space environments, in which it also
372 demonstrates excellent performance. Rijndael's operations are
373 among the easiest to defend against power and timing attacks.
71ebc4d1 374
f1f142ad 375 The AES specifies three key sizes: 128, 192 and 256 bits
71ebc4d1 376
f1f142ad 377config CRYPTO_AES_TI
cf514b2a 378 tristate "AES (Advanced Encryption Standard) (fixed time)"
f1f142ad
RE		 379 select CRYPTO_ALGAPI
380 select CRYPTO_LIB_AES
f606a88e 381 help
cf514b2a
RE		 382 AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
383
f1f142ad
RE		 384 This is a generic implementation of AES that attempts to eliminate
385 data dependent latencies as much as possible without affecting
386 performance too much. It is intended for use by the generic CCM
387 and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
388 solely on encryption (although decryption is supported as well, but
389 with a more dramatic performance hit)
f606a88e 390
f1f142ad
RE		 391 Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
392 8 for decryption), this implementation only uses just two S-boxes of
393 256 bytes each, and attempts to eliminate data dependent latencies by
394 prefetching the entire table into the cache at the start of each
395 block. Interrupts are also disabled to avoid races where cachelines
396 are evicted when the CPU is interrupted to do something else.
a4397635 397
f1f142ad 398config CRYPTO_ANUBIS
cf514b2a 399 tristate "Anubis"
f1f142ad
RE		 400 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
401 select CRYPTO_ALGAPI
1da177e4 402 help
cf514b2a 403 Anubis cipher algorithm
1da177e4 404
f1f142ad
RE		 405 Anubis is a variable key length cipher which can use keys from
406 128 bits to 320 bits in length. It was evaluated as a entrant
407 in the NESSIE competition.
a10f554f 408
cf514b2a
RE		 409 See https://web.archive.org/web/20160606112246/http://www.larc.usp.br/~pbarreto/AnubisPage.html
410 for further information.
c494e070 411
f1f142ad 412config CRYPTO_ARIA
cf514b2a 413 tristate "ARIA"
f1f142ad 414 select CRYPTO_ALGAPI
db131ef9 415 help
cf514b2a 416 ARIA cipher algorithm (RFC5794)
db131ef9 417
f1f142ad
RE		 418 ARIA is a standard encryption algorithm of the Republic of Korea.
419 The ARIA specifies three key sizes and rounds.
420 128-bit: 12 rounds.
421 192-bit: 14 rounds.
422 256-bit: 16 rounds.
a7d85e06 423
cf514b2a
RE		 424 See:
425 https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do
db131ef9 426
f1f142ad 427config CRYPTO_BLOWFISH
cf514b2a 428 tristate "Blowfish"
f1f142ad
RE		 429 select CRYPTO_ALGAPI
430 select CRYPTO_BLOWFISH_COMMON
584fffc8 431 help
cf514b2a 432 Blowfish cipher algorithm, by Bruce Schneier
584fffc8 433
f1f142ad
RE		 434 This is a variable key length cipher which can use keys from 32
435 bits to 448 bits in length. It's fast, simple and specifically
436 designed for use on "large microprocessors".
ecd6d5c9 437
cf514b2a 438 See https://www.schneier.com/blowfish.html for further information.
f1f142ad
RE		 439
440config CRYPTO_BLOWFISH_COMMON
441 tristate
91652be5 442 help
f1f142ad
RE		 443 Common parts of the Blowfish cipher algorithm shared by the
444 generic c and the assembler implementations.
91652be5 445
f1f142ad 446config CRYPTO_CAMELLIA
cf514b2a 447 tristate "Camellia"
f1f142ad 448 select CRYPTO_ALGAPI
64470f1b 449 help
cf514b2a 450 Camellia cipher algorithms (ISO/IEC 18033-3)
64470f1b 451
f1f142ad
RE		 452 Camellia is a symmetric key block cipher developed jointly
453 at NTT and Mitsubishi Electric Corporation.
454
455 The Camellia specifies three key sizes: 128, 192 and 256 bits.
456
cf514b2a 457 See https://info.isl.ntt.co.jp/crypt/eng/camellia/ for further information.
f1f142ad
RE		 458
459config CRYPTO_CAST_COMMON
460 tristate
e497c518 461 help
f1f142ad
RE		 462 Common parts of the CAST cipher algorithms shared by the
463 generic c and the assembler implementations.
e497c518 464
f1f142ad 465config CRYPTO_CAST5
cf514b2a 466 tristate "CAST5 (CAST-128)"
f1f142ad
RE		 467 select CRYPTO_ALGAPI
468 select CRYPTO_CAST_COMMON
584fffc8 469 help
cf514b2a 470 CAST5 (CAST-128) cipher algorithm (RFC2144, ISO/IEC 18033-3)
584fffc8 471
f1f142ad 472config CRYPTO_CAST6
cf514b2a 473 tristate "CAST6 (CAST-256)"
f1f142ad
RE		 474 select CRYPTO_ALGAPI
475 select CRYPTO_CAST_COMMON
17fee07a 476 help
cf514b2a 477 CAST6 (CAST-256) encryption algorithm (RFC2612)
17fee07a 478
f1f142ad 479config CRYPTO_DES
cf514b2a 480 tristate "DES and Triple DES EDE"
f1f142ad
RE		 481 select CRYPTO_ALGAPI
482 select CRYPTO_LIB_DES
f19f5111 483 help
cf514b2a
RE		 484 DES (Data Encryption Standard)(FIPS 46-2, ISO/IEC 18033-3) and
485 Triple DES EDE (Encrypt/Decrypt/Encrypt) (FIPS 46-3, ISO/IEC 18033-3)
486 cipher algorithms
f19f5111 487
f1f142ad 488config CRYPTO_FCRYPT
cf514b2a 489 tristate "FCrypt"
f1f142ad 490 select CRYPTO_ALGAPI
b95bba5d 491 select CRYPTO_SKCIPHER
1c49678e 492 help
cf514b2a
RE		 493 FCrypt algorithm used by RxRPC
494
495 See https://ota.polyonymo.us/fcrypt-paper.txt
1c49678e 496
f1f142ad 497config CRYPTO_KHAZAD
cf514b2a 498 tristate "Khazad"
f1f142ad
RE		 499 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
500 select CRYPTO_ALGAPI
501 help
cf514b2a 502 Khazad cipher algorithm
f1f142ad
RE		 503
504 Khazad was a finalist in the initial NESSIE competition. It is
505 an algorithm optimized for 64-bit processors with good performance
506 on 32-bit processors. Khazad uses an 128 bit key size.
507
cf514b2a
RE		 508 See https://web.archive.org/web/20171011071731/http://www.larc.usp.br/~pbarreto/KhazadPage.html
509 for further information.
f1f142ad
RE		 510
511config CRYPTO_SEED
cf514b2a 512 tristate "SEED"
f1f142ad
RE		 513 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
514 select CRYPTO_ALGAPI
515 help
cf514b2a 516 SEED cipher algorithm (RFC4269, ISO/IEC 18033-3)
f1f142ad
RE		 517
518 SEED is a 128-bit symmetric key block cipher that has been
519 developed by KISA (Korea Information Security Agency) as a
520 national standard encryption algorithm of the Republic of Korea.
521 It is a 16 round block cipher with the key size of 128 bit.
522
cf514b2a
RE		 523 See https://seed.kisa.or.kr/kisa/algorithm/EgovSeedInfo.do
524 for further information.
f1f142ad
RE		 525
526config CRYPTO_SERPENT
cf514b2a 527 tristate "Serpent"
f1f142ad
RE		 528 select CRYPTO_ALGAPI
529 help
cf514b2a 530 Serpent cipher algorithm, by Anderson, Biham & Knudsen
f1f142ad
RE		 531
532 Keys are allowed to be from 0 to 256 bits in length, in steps
533 of 8 bits.
534
cf514b2a 535 See https://www.cl.cam.ac.uk/~rja14/serpent.html for further information.
f1f142ad
RE		 536
537config CRYPTO_SM4
538 tristate
539
540config CRYPTO_SM4_GENERIC
cf514b2a 541 tristate "SM4 (ShangMi 4)"
f1f142ad
RE		 542 select CRYPTO_ALGAPI
543 select CRYPTO_SM4
544 help
cf514b2a
RE		 545 SM4 cipher algorithms (OSCCA GB/T 32907-2016,
546 ISO/IEC 18033-3:2010/Amd 1:2021)
f1f142ad
RE		 547
548 SM4 (GBT.32907-2016) is a cryptographic standard issued by the
549 Organization of State Commercial Administration of China (OSCCA)
550 as an authorized cryptographic algorithms for the use within China.
551
552 SMS4 was originally created for use in protecting wireless
553 networks, and is mandated in the Chinese National Standard for
554 Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
555 (GB.15629.11-2003).
556
557 The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
558 standardized through TC 260 of the Standardization Administration
559 of the People's Republic of China (SAC).
560
561 The input, output, and key of SMS4 are each 128 bits.
562
cf514b2a 563 See https://eprint.iacr.org/2008/329.pdf for further information.
f1f142ad
RE		 564
565 If unsure, say N.
566
567config CRYPTO_TEA
cf514b2a 568 tristate "TEA, XTEA and XETA"
f1f142ad
RE		 569 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
570 select CRYPTO_ALGAPI
571 help
cf514b2a 572 TEA (Tiny Encryption Algorithm) cipher algorithms
f1f142ad
RE		 573
574 Tiny Encryption Algorithm is a simple cipher that uses
575 many rounds for security. It is very fast and uses
576 little memory.
577
578 Xtendend Tiny Encryption Algorithm is a modification to
579 the TEA algorithm to address a potential key weakness
580 in the TEA algorithm.
581
582 Xtendend Encryption Tiny Algorithm is a mis-implementation
583 of the XTEA algorithm for compatibility purposes.
584
585config CRYPTO_TWOFISH
cf514b2a 586 tristate "Twofish"
f1f142ad
RE		 587 select CRYPTO_ALGAPI
588 select CRYPTO_TWOFISH_COMMON
589 help
cf514b2a 590 Twofish cipher algorithm
f1f142ad
RE		 591
592 Twofish was submitted as an AES (Advanced Encryption Standard)
593 candidate cipher by researchers at CounterPane Systems. It is a
594 16 round block cipher supporting key sizes of 128, 192, and 256
595 bits.
596
cf514b2a 597 See https://www.schneier.com/twofish.html for further information.
f1f142ad
RE		 598
599config CRYPTO_TWOFISH_COMMON
600 tristate
601 help
602 Common parts of the Twofish cipher algorithm shared by the
603 generic c and the assembler implementations.
604
605endmenu
606
607menu "Length-preserving ciphers and modes"
26609a21 608
059c2a4d 609config CRYPTO_ADIANTUM
cf514b2a 610 tristate "Adiantum"
059c2a4d 611 select CRYPTO_CHACHA20
48ea8c6e 612 select CRYPTO_LIB_POLY1305_GENERIC
059c2a4d 613 select CRYPTO_NHPOLY1305
c8a3315a 614 select CRYPTO_MANAGER
059c2a4d 615 help
cf514b2a
RE		 616 Adiantum tweakable, length-preserving encryption mode
617
618 Designed for fast and secure disk encryption, especially on
059c2a4d
EB		 619 CPUs without dedicated crypto instructions. It encrypts
620 each sector using the XChaCha12 stream cipher, two passes of
621 an ε-almost-∆-universal hash function, and an invocation of
622 the AES-256 block cipher on a single 16-byte block. On CPUs
623 without AES instructions, Adiantum is much faster than
624 AES-XTS.
625
626 Adiantum's security is provably reducible to that of its
627 underlying stream and block ciphers, subject to a security
628 bound. Unlike XTS, Adiantum is a true wide-block encryption
629 mode, so it actually provides an even stronger notion of
630 security than XTS, subject to the security bound.
631
632 If unsure, say N.
633
f1f142ad 634config CRYPTO_ARC4
cf514b2a 635 tristate "ARC4 (Alleged Rivest Cipher 4)"
f1f142ad
RE		 636 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
637 select CRYPTO_SKCIPHER
638 select CRYPTO_LIB_ARC4
7ff554ce 639 help
cf514b2a 640 ARC4 cipher algorithm
7ff554ce 641
f1f142ad
RE		 642 ARC4 is a stream cipher using keys ranging from 8 bits to 2048
643 bits in length. This algorithm is required for driver-based
644 WEP, but it should not be for other purposes because of the
645 weakness of the algorithm.
646
647config CRYPTO_CHACHA20
cf514b2a 648 tristate "ChaCha"
879f4754 649 select CRYPTO_LIB_CHACHA
f1f142ad
RE		 650 select CRYPTO_LIB_CHACHA_GENERIC
651 select CRYPTO_SKCIPHER
be1eb7f7 652 help
cf514b2a 653 The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms
be1eb7f7 654
f1f142ad
RE		 655 ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
656 Bernstein and further specified in RFC7539 for use in IETF protocols.
cf514b2a
RE		 657 This is the portable C implementation of ChaCha20. See
658 https://cr.yp.to/chacha/chacha-20080128.pdf for further information.
be1eb7f7 659
f1f142ad
RE		 660 XChaCha20 is the application of the XSalsa20 construction to ChaCha20
661 rather than to Salsa20. XChaCha20 extends ChaCha20's nonce length
662 from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
cf514b2a
RE		 663 while provably retaining ChaCha20's security. See
664 https://cr.yp.to/snuffle/xsalsa-20081128.pdf for further information.
be1eb7f7 665
f1f142ad
RE		 666 XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
667 reduced security margin but increased performance. It can be needed
668 in some performance-sensitive scenarios.
584fffc8 669
f1f142ad 670config CRYPTO_CBC
cf514b2a 671 tristate "CBC (Cipher Block Chaining)"
f1f142ad 672 select CRYPTO_SKCIPHER
93b5e86a
JK		 673 select CRYPTO_MANAGER
674 help
cf514b2a
RE		 675 CBC (Cipher Block Chaining) mode (NIST SP800-38A)
676
677 This block cipher mode is required for IPSec ESP (XFRM_ESP).
93b5e86a 678
f1f142ad 679config CRYPTO_CTR
cf514b2a 680 tristate "CTR (Counter)"
f1f142ad 681 select CRYPTO_SKCIPHER
584fffc8 682 select CRYPTO_MANAGER
76cb9521 683 help
cf514b2a 684 CTR (Counter) mode (NIST SP800-38A)
76cb9521 685
f1f142ad 686config CRYPTO_CTS
cf514b2a 687 tristate "CTS (Cipher Text Stealing)"
f1f142ad 688 select CRYPTO_SKCIPHER
f1939f7c
SW		 689 select CRYPTO_MANAGER
690 help
cf514b2a
RE		 691 CBC-CS3 variant of CTS (Cipher Text Stealing) (NIST
692 Addendum to SP800-38A (October 2010))
693
f1f142ad
RE		 694 This mode is required for Kerberos gss mechanism support
695 for AES encryption.
f1939f7c 696
f1f142ad 697config CRYPTO_ECB
cf514b2a 698 tristate "ECB (Electronic Codebook)"
84534684 699 select CRYPTO_SKCIPHER2
f1f142ad 700 select CRYPTO_MANAGER
4a49b499 701 help
cf514b2a 702 ECB (Electronic Codebook) mode (NIST SP800-38A)
4a49b499 703
f1f142ad 704config CRYPTO_HCTR2
cf514b2a 705 tristate "HCTR2"
f1f142ad
RE		 706 select CRYPTO_XCTR
707 select CRYPTO_POLYVAL
708 select CRYPTO_MANAGER
78c37d19 709 help
cf514b2a
RE		 710 HCTR2 length-preserving encryption mode
711
712 A mode for storage encryption that is efficient on processors with
713 instructions to accelerate AES and carryless multiplication, e.g.
714 x86 processors with AES-NI and CLMUL, and ARM processors with the
715 ARMv8 crypto extensions.
716
717 See https://eprint.iacr.org/2021/1441
78c37d19 718
f1f142ad 719config CRYPTO_LRW
cf514b2a 720 tristate "LRW (Liskov Rivest Wagner)"
61c581a4 721 select CRYPTO_LIB_GF128MUL
f1f142ad
RE		 722 select CRYPTO_SKCIPHER
723 select CRYPTO_MANAGER
f1f142ad 724 select CRYPTO_ECB
f3c923a0 725 help
cf514b2a
RE		 726 LRW (Liskov Rivest Wagner) mode
727
728 A tweakable, non malleable, non movable
f1f142ad
RE		 729 narrow block cipher mode for dm-crypt. Use it with cipher
730 specification string aes-lrw-benbi, the key must be 256, 320 or 384.
731 The first 128, 192 or 256 bits in the key are used for AES and the
732 rest is used to tie each cipher block to its logical position.
f3c923a0 733
cf514b2a
RE		 734 See https://people.csail.mit.edu/rivest/pubs/LRW02.pdf
735
f1f142ad 736config CRYPTO_PCBC
cf514b2a 737 tristate "PCBC (Propagating Cipher Block Chaining)"
f1f142ad
RE		 738 select CRYPTO_SKCIPHER
739 select CRYPTO_MANAGER
124b53d0 740 help
cf514b2a
RE		 741 PCBC (Propagating Cipher Block Chaining) mode
742
743 This block cipher mode is required for RxRPC.
124b53d0 744
f1f142ad
RE		 745config CRYPTO_XCTR
746 tristate
747 select CRYPTO_SKCIPHER
748 select CRYPTO_MANAGER
1da177e4 749 help
cf514b2a
RE		 750 XCTR (XOR Counter) mode for HCTR2
751
752 This blockcipher mode is a variant of CTR mode using XORs and little-endian
753 addition rather than big-endian arithmetic.
754
f1f142ad 755 XCTR mode is used to implement HCTR2.
1da177e4 756
f1f142ad 757config CRYPTO_XTS
cf514b2a 758 tristate "XTS (XOR Encrypt XOR with ciphertext stealing)"
f1f142ad
RE		 759 select CRYPTO_SKCIPHER
760 select CRYPTO_MANAGER
761 select CRYPTO_ECB
90831639 762 help
cf514b2a
RE		 763 XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
764 and IEEE 1619)
765
766 Use with aes-xts-plain, key size 256, 384 or 512 bits. This
767 implementation currently can't handle a sectorsize which is not a
768 multiple of 16 bytes.
90831639 769
f1f142ad
RE		 770config CRYPTO_NHPOLY1305
771 tristate
e5835fba 772 select CRYPTO_HASH
f1f142ad 773 select CRYPTO_LIB_POLY1305_GENERIC
534fe2c1 774
f1f142ad 775endmenu
534fe2c1 776
f1f142ad 777menu "AEAD (authenticated encryption with associated data) ciphers"
1da177e4 778
f1f142ad 779config CRYPTO_AEGIS128
e3d2eadd 780 tristate "AEGIS-128"
f1f142ad
RE		 781 select CRYPTO_AEAD
782 select CRYPTO_AES # for AES S-box tables
1da177e4 783 help
e3d2eadd 784 AEGIS-128 AEAD algorithm
2729bb42 785
f1f142ad 786config CRYPTO_AEGIS128_SIMD
e3d2eadd 787 bool "AEGIS-128 (arm NEON, arm64 NEON)"
f1f142ad
RE		 788 depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
789 default y
e3d2eadd
RE		 790 help
791 AEGIS-128 AEAD algorithm
792
793 Architecture: arm or arm64 using:
794 - NEON (Advanced SIMD) extension
584fffc8 795
f1f142ad 796config CRYPTO_CHACHA20POLY1305
e3d2eadd 797 tristate "ChaCha20-Poly1305"
f1f142ad 798 select CRYPTO_CHACHA20
f1f142ad 799 select CRYPTO_AEAD
a298765e 800 select CRYPTO_LIB_POLY1305
f1f142ad 801 select CRYPTO_MANAGER
b9f535ff 802 help
e3d2eadd
RE		 803 ChaCha20 stream cipher and Poly1305 authenticator combined
804 mode (RFC8439)
b9f535ff 805
f1f142ad 806config CRYPTO_CCM
cf514b2a 807 tristate "CCM (Counter with Cipher Block Chaining-MAC)"
f1f142ad 808 select CRYPTO_CTR
53964b9e 809 select CRYPTO_HASH
f1f142ad
RE		 810 select CRYPTO_AEAD
811 select CRYPTO_MANAGER
53964b9e 812 help
e3d2eadd
RE		 813 CCM (Counter with Cipher Block Chaining-Message Authentication Code)
814 authenticated encryption mode (NIST SP800-38C)
d2825fa9 815
f1f142ad 816config CRYPTO_GCM
cf514b2a 817 tristate "GCM (Galois/Counter Mode) and GMAC (GCM MAC)"
f1f142ad
RE		 818 select CRYPTO_CTR
819 select CRYPTO_AEAD
820 select CRYPTO_GHASH
f1f142ad 821 select CRYPTO_MANAGER
4f0fc160 822 help
e3d2eadd
RE		 823 GCM (Galois/Counter Mode) authenticated encryption mode and GMAC
824 (GCM Message Authentication Code) (NIST SP800-38D)
825
826 This is required for IPSec ESP (XFRM_ESP).
4f0fc160 827
ba51738f
HX		 828config CRYPTO_GENIV
829 tristate
f1f142ad 830 select CRYPTO_AEAD
f1f142ad 831 select CRYPTO_MANAGER
ba51738f
HX		 832 select CRYPTO_RNG_DEFAULT
833
834config CRYPTO_SEQIV
835 tristate "Sequence Number IV Generator"
836 select CRYPTO_GENIV
fe18957e 837 help
e3d2eadd
RE		 838 Sequence Number IV generator
839
f1f142ad 840 This IV generator generates an IV based on a sequence number by
e3d2eadd
RE		 841 xoring it with a salt. This algorithm is mainly useful for CTR.
842
843 This is required for IPsec ESP (XFRM_ESP).
fe18957e 844
f1f142ad
RE		 845config CRYPTO_ECHAINIV
846 tristate "Encrypted Chain IV Generator"
ba51738f 847 select CRYPTO_GENIV
1da177e4 848 help
e3d2eadd
RE		 849 Encrypted Chain IV generator
850
f1f142ad
RE		 851 This IV generator generates an IV based on the encryption of
852 a sequence number xored with a salt. This is the default
853 algorithm for CBC.
1da177e4 854
f1f142ad 855config CRYPTO_ESSIV
e3d2eadd 856 tristate "Encrypted Salt-Sector IV Generator"
f1f142ad 857 select CRYPTO_AUTHENC
1da177e4 858 help
e3d2eadd
RE		 859 Encrypted Salt-Sector IV generator
860
861 This IV generator is used in some cases by fscrypt and/or
f1f142ad
RE		 862 dm-crypt. It uses the hash of the block encryption key as the
863 symmetric key for a block encryption pass applied to the input
864 IV, making low entropy IV sources more suitable for block
865 encryption.
1da177e4 866
f1f142ad
RE		 867 This driver implements a crypto API template that can be
868 instantiated either as an skcipher or as an AEAD (depending on the
869 type of the first template argument), and which defers encryption
870 and decryption requests to the encapsulated cipher after applying
871 ESSIV to the input IV. Note that in the AEAD case, it is assumed
872 that the keys are presented in the same format used by the authenc
873 template, and that the IV appears at the end of the authenticated
874 associated data (AAD) region (which is how dm-crypt uses it.)
1da177e4 875
f1f142ad
RE		 876 Note that the use of ESSIV is not recommended for new deployments,
877 and so this only needs to be enabled when interoperability with
878 existing encrypted volumes of filesystems is required, or when
879 building for a particular system that requires it (e.g., when
880 the SoC in question has accelerated CBC but not XTS, making CBC
881 combined with ESSIV the only feasible mode for h/w accelerated
882 block encryption)
1da177e4 883
f1f142ad 884endmenu
b5e0b032 885
f1f142ad 886menu "Hashes, digests, and MACs"
b5e0b032 887
f1f142ad 888config CRYPTO_BLAKE2B
3f342a23 889 tristate "BLAKE2b"
f1f142ad 890 select CRYPTO_HASH
584fffc8 891 help
3f342a23 892 BLAKE2b cryptographic hash function (RFC 7693)
584fffc8 893
3f342a23
RE		 894 BLAKE2b is optimized for 64-bit platforms and can produce digests
895 of any size between 1 and 64 bytes. The keyed hash is also implemented.
584fffc8 896
3f342a23 897 This module provides the following algorithms:
f1f142ad
RE		 898 - blake2b-160
899 - blake2b-256
900 - blake2b-384
901 - blake2b-512
584fffc8 902
3f342a23
RE		 903 Used by the btrfs filesystem.
904
f1f142ad 905 See https://blake2.net for further information.
584fffc8 906
f1f142ad 907config CRYPTO_CMAC
3f342a23 908 tristate "CMAC (Cipher-based MAC)"
f1f142ad
RE		 909 select CRYPTO_HASH
910 select CRYPTO_MANAGER
584fffc8 911 help
3f342a23
RE		 912 CMAC (Cipher-based Message Authentication Code) authentication
913 mode (NIST SP800-38B and IETF RFC4493)
584fffc8 914
f1f142ad 915config CRYPTO_GHASH
3f342a23 916 tristate "GHASH"
f1f142ad 917 select CRYPTO_HASH
61c581a4 918 select CRYPTO_LIB_GF128MUL
52ba867c 919 help
3f342a23 920 GCM GHASH function (NIST SP800-38D)
52ba867c 921
f1f142ad 922config CRYPTO_HMAC
3f342a23 923 tristate "HMAC (Keyed-Hash MAC)"
f1f142ad
RE		 924 select CRYPTO_HASH
925 select CRYPTO_MANAGER
584fffc8 926 help
3f342a23
RE		 927 HMAC (Keyed-Hash Message Authentication Code) (FIPS 198 and
928 RFC2104)
929
930 This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
584fffc8 931
f1f142ad 932config CRYPTO_MD4
3f342a23 933 tristate "MD4"
f1f142ad 934 select CRYPTO_HASH
044ab525 935 help
3f342a23 936 MD4 message digest algorithm (RFC1320)
044ab525 937
f1f142ad 938config CRYPTO_MD5
3f342a23 939 tristate "MD5"
f1f142ad 940 select CRYPTO_HASH
1da177e4 941 help
3f342a23 942 MD5 message digest algorithm (RFC1321)
1da177e4 943
f1f142ad 944config CRYPTO_MICHAEL_MIC
3f342a23 945 tristate "Michael MIC"
f1f142ad 946 select CRYPTO_HASH
1da177e4 947 help
3f342a23
RE		 948 Michael MIC (Message Integrity Code) (IEEE 802.11i)
949
950 Defined by the IEEE 802.11i TKIP (Temporal Key Integrity Protocol),
951 known as WPA (Wif-Fi Protected Access).
952
953 This algorithm is required for TKIP, but it should not be used for
954 other purposes because of the weakness of the algorithm.
1da177e4 955
f1f142ad
RE		 956config CRYPTO_POLYVAL
957 tristate
f1f142ad 958 select CRYPTO_HASH
61c581a4 959 select CRYPTO_LIB_GF128MUL
1da177e4 960 help
3f342a23
RE		 961 POLYVAL hash function for HCTR2
962
963 This is used in HCTR2. It is not a general-purpose
f1f142ad 964 cryptographic hash function.
fb4f10ed 965
f1f142ad 966config CRYPTO_RMD160
3f342a23 967 tristate "RIPEMD-160"
f1f142ad 968 select CRYPTO_HASH
1da177e4 969 help
3f342a23 970 RIPEMD-160 hash function (ISO/IEC 10118-3)
1da177e4 971
f1f142ad
RE		 972 RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
973 to be used as a secure replacement for the 128-bit hash functions
974 MD4, MD5 and its predecessor RIPEMD
975 (not to be confused with RIPEMD-128).
1da177e4 976
3f342a23 977 Its speed is comparable to SHA-1 and there are no known attacks
f1f142ad 978 against RIPEMD-160.
1da177e4 979
f1f142ad 980 Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
3f342a23
RE		 981 See https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
982 for further information.
f1f142ad
RE		 983
984config CRYPTO_SHA1
3f342a23 985 tristate "SHA-1"
f1f142ad
RE		 986 select CRYPTO_HASH
987 select CRYPTO_LIB_SHA1
c08d0e64 988 help
3f342a23 989 SHA-1 secure hash algorithm (FIPS 180, ISO/IEC 10118-3)
c08d0e64 990
f1f142ad 991config CRYPTO_SHA256
3f342a23 992 tristate "SHA-224 and SHA-256"
f1f142ad
RE		 993 select CRYPTO_HASH
994 select CRYPTO_LIB_SHA256
950e5c84 995 select CRYPTO_LIB_SHA256_GENERIC
f1f142ad 996 help
3f342a23 997 SHA-224 and SHA-256 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
de61d7ae 998
3f342a23
RE		 999 This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
1000 Used by the btrfs filesystem, Ceph, NFS, and SMB.
aa762409 1001
f1f142ad 1002config CRYPTO_SHA512
3f342a23 1003 tristate "SHA-384 and SHA-512"
f1f142ad 1004 select CRYPTO_HASH
1da177e4 1005 help
3f342a23 1006 SHA-384 and SHA-512 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
584fffc8 1007
f1f142ad 1008config CRYPTO_SHA3
3f342a23 1009 tristate "SHA-3"
f1f142ad 1010 select CRYPTO_HASH
e4e712bb 1011 help
3f342a23 1012 SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3)
e4e712bb 1013
f1f142ad 1014config CRYPTO_SM3_GENERIC
3f342a23 1015 tristate "SM3 (ShangMi 3)"
f1f142ad 1016 select CRYPTO_HASH
f4065b2f 1017 select CRYPTO_LIB_SM3
1da177e4 1018 help
3f342a23
RE		 1019 SM3 (ShangMi 3) secure hash function (OSCCA GM/T 0004-2012, ISO/IEC 10118-3)
1020
1021 This is part of the Chinese Commercial Cryptography suite.
1da177e4 1022
f1f142ad
RE		 1023 References:
1024 http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
1025 https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
584fffc8 1026
f1f142ad 1027config CRYPTO_STREEBOG
3f342a23 1028 tristate "Streebog"
f1f142ad
RE		 1029 select CRYPTO_HASH
1030 help
3f342a23
RE		 1031 Streebog Hash Function (GOST R 34.11-2012, RFC 6986, ISO/IEC 10118-3)
1032
1033 This is one of the Russian cryptographic standard algorithms (called
1034 GOST algorithms). This setting enables two hash algorithms with
1035 256 and 512 bits output.
584fffc8 1036
f1f142ad
RE		 1037 References:
1038 https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1039 https://tools.ietf.org/html/rfc6986
d2825fa9 1040
f1f142ad 1041config CRYPTO_WP512
3f342a23 1042 tristate "Whirlpool"
f1f142ad
RE		 1043 select CRYPTO_HASH
1044 help
3f342a23
RE		 1045 Whirlpool hash function (ISO/IEC 10118-3)
1046
1047 512, 384 and 256-bit hashes.
747c8ce4 1048
f1f142ad 1049 Whirlpool-512 is part of the NESSIE cryptographic primitives.
747c8ce4 1050
3f342a23
RE		 1051 See https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
1052 for further information.
747c8ce4 1053
f1f142ad 1054config CRYPTO_XCBC
3f342a23 1055 tristate "XCBC-MAC (Extended Cipher Block Chaining MAC)"
f1f142ad
RE		 1056 select CRYPTO_HASH
1057 select CRYPTO_MANAGER
1058 help
3f342a23
RE		 1059 XCBC-MAC (Extended Cipher Block Chaining Message Authentication
1060 Code) (RFC3566)
747c8ce4 1061
f1f142ad 1062config CRYPTO_XXHASH
3f342a23 1063 tristate "xxHash"
f1f142ad
RE		 1064 select CRYPTO_HASH
1065 select XXHASH
1da177e4 1066 help
3f342a23
RE		 1067 xxHash non-cryptographic hash algorithm
1068
1069 Extremely fast, working at speeds close to RAM limits.
1070
1071 Used by the btrfs filesystem.
1da177e4 1072
f1f142ad 1073endmenu
584fffc8 1074
f1f142ad 1075menu "CRCs (cyclic redundancy checks)"
584fffc8 1076
f1f142ad 1077config CRYPTO_CRC32C
ec84348d 1078 tristate "CRC32c"
f1f142ad
RE		 1079 select CRYPTO_HASH
1080 select CRC32
1081 help
ec84348d
RE		 1082 CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720)
1083
1084 A 32-bit CRC (cyclic redundancy check) with a polynomial defined
1085 by G. Castagnoli, S. Braeuer and M. Herrman in "Optimization of Cyclic
1086 Redundancy-Check Codes with 24 and 32 Parity Bits", IEEE Transactions
1087 on Communications, Vol. 41, No. 6, June 1993, selected for use with
1088 iSCSI.
1089
1090 Used by btrfs, ext4, jbd2, NVMeoF/TCP, and iSCSI.
584fffc8 1091
f1f142ad 1092config CRYPTO_CRC32
ec84348d 1093 tristate "CRC32"
f1f142ad
RE		 1094 select CRYPTO_HASH
1095 select CRC32
04ac7db3 1096 help
ec84348d
RE		 1097 CRC32 CRC algorithm (IEEE 802.3)
1098
1099 Used by RoCEv2 and f2fs.
04ac7db3 1100
f1f142ad 1101endmenu
584fffc8 1102
f1f142ad 1103menu "Compression"
584fffc8
SS		 1104
1105config CRYPTO_DEFLATE
a9a98d49 1106 tristate "Deflate"
584fffc8 1107 select CRYPTO_ALGAPI
f6ded09d 1108 select CRYPTO_ACOMP2
584fffc8
SS		 1109 select ZLIB_INFLATE
1110 select ZLIB_DEFLATE
3c09f17c 1111 help
a9a98d49 1112 Deflate compression algorithm (RFC1951)
584fffc8 1113
a9a98d49 1114 Used by IPSec with the IPCOMP protocol (RFC3173, RFC2394)
3c09f17c 1115
0b77abb3 1116config CRYPTO_LZO
a9a98d49 1117 tristate "LZO"
0b77abb3 1118 select CRYPTO_ALGAPI
ac9d2c4b 1119 select CRYPTO_ACOMP2
0b77abb3
ZS		 1120 select LZO_COMPRESS
1121 select LZO_DECOMPRESS
1122 help
a9a98d49
RE		 1123 LZO compression algorithm
1124
1125 See https://www.oberhumer.com/opensource/lzo/ for further information.
0b77abb3 1126
35a1fc18 1127config CRYPTO_842
a9a98d49 1128 tristate "842"
2062c5b6 1129 select CRYPTO_ALGAPI
6a8de3ae 1130 select CRYPTO_ACOMP2
2062c5b6
DS		 1131 select 842_COMPRESS
1132 select 842_DECOMPRESS
35a1fc18 1133 help
a9a98d49
RE		 1134 842 compression algorithm by IBM
1135
1136 See https://github.com/plauth/lib842 for further information.
0ea8530d
CM		 1137
1138config CRYPTO_LZ4
a9a98d49 1139 tristate "LZ4"
0ea8530d 1140 select CRYPTO_ALGAPI
8cd9330e 1141 select CRYPTO_ACOMP2
0ea8530d
CM		 1142 select LZ4_COMPRESS
1143 select LZ4_DECOMPRESS
1144 help
a9a98d49
RE		 1145 LZ4 compression algorithm
1146
1147 See https://github.com/lz4/lz4 for further information.
0ea8530d
CM		 1148
1149config CRYPTO_LZ4HC
a9a98d49 1150 tristate "LZ4HC"
0ea8530d 1151 select CRYPTO_ALGAPI
91d53d96 1152 select CRYPTO_ACOMP2
0ea8530d
CM		 1153 select LZ4HC_COMPRESS
1154 select LZ4_DECOMPRESS
1155 help
a9a98d49
RE		 1156 LZ4 high compression mode algorithm
1157
1158 See https://github.com/lz4/lz4 for further information.
35a1fc18 1159
d28fc3db 1160config CRYPTO_ZSTD
a9a98d49 1161 tristate "Zstd"
d28fc3db
NT		 1162 select CRYPTO_ALGAPI
1163 select CRYPTO_ACOMP2
1164 select ZSTD_COMPRESS
1165 select ZSTD_DECOMPRESS
1166 help
a9a98d49
RE		 1167 zstd compression algorithm
1168
1169 See https://github.com/facebook/zstd for further information.
d28fc3db 1170
f1f142ad
RE		 1171endmenu
1172
1173menu "Random number generation"
17f0f4a4
NH		 1174
1175config CRYPTO_ANSI_CPRNG
a9a98d49 1176 tristate "ANSI PRNG (Pseudo Random Number Generator)"
17f0f4a4
NH		 1177 select CRYPTO_AES
1178 select CRYPTO_RNG
17f0f4a4 1179 help
a9a98d49
RE		 1180 Pseudo RNG (random number generator) (ANSI X9.31 Appendix A.2.4)
1181
1182 This uses the AES cipher algorithm.
1183
1184 Note that this option must be enabled if CRYPTO_FIPS is selected
17f0f4a4 1185
f2c89a10 1186menuconfig CRYPTO_DRBG_MENU
a9a98d49 1187 tristate "NIST SP800-90A DRBG (Deterministic Random Bit Generator)"
419090c6 1188 help
a9a98d49
RE		 1189 DRBG (Deterministic Random Bit Generator) (NIST SP800-90A)
1190
1191 In the following submenu, one or more of the DRBG types must be selected.
419090c6 1192
f2c89a10 1193if CRYPTO_DRBG_MENU
419090c6
SM		 1194
1195config CRYPTO_DRBG_HMAC
401e4238 1196 bool
419090c6 1197 default y
419090c6 1198 select CRYPTO_HMAC
5261cdf4 1199 select CRYPTO_SHA512
419090c6
SM		 1200
1201config CRYPTO_DRBG_HASH
a9a98d49 1202 bool "Hash_DRBG"
826775bb 1203 select CRYPTO_SHA256
419090c6 1204 help
a9a98d49
RE		 1205 Hash_DRBG variant as defined in NIST SP800-90A.
1206
1207 This uses the SHA-1, SHA-256, SHA-384, or SHA-512 hash algorithms.
419090c6
SM		 1208
1209config CRYPTO_DRBG_CTR
a9a98d49 1210 bool "CTR_DRBG"
419090c6 1211 select CRYPTO_AES
d6fc1a45 1212 select CRYPTO_CTR
419090c6 1213 help
a9a98d49
RE		 1214 CTR_DRBG variant as defined in NIST SP800-90A.
1215
1216 This uses the AES cipher algorithm with the counter block mode.
419090c6 1217
f2c89a10
HX		 1218config CRYPTO_DRBG
1219 tristate
401e4238 1220 default CRYPTO_DRBG_MENU
f2c89a10 1221 select CRYPTO_RNG
bb5530e4 1222 select CRYPTO_JITTERENTROPY
f2c89a10
HX		 1223
1224endif # if CRYPTO_DRBG_MENU
419090c6 1225
bb5530e4 1226config CRYPTO_JITTERENTROPY
a9a98d49 1227 tristate "CPU Jitter Non-Deterministic RNG (Random Number Generator)"
2f313e02 1228 select CRYPTO_RNG
bb897c55 1229 select CRYPTO_SHA3
bb5530e4 1230 help
a9a98d49
RE		 1231 CPU Jitter RNG (Random Number Generator) from the Jitterentropy library
1232
1233 A non-physical non-deterministic ("true") RNG (e.g., an entropy source
1234 compliant with NIST SP800-90B) intended to provide a seed to a
e63df1ec 1235 deterministic RNG (e.g., per NIST SP800-90C).
a9a98d49 1236 This RNG does not perform any cryptographic whitening of the generated
e63df1ec 1237 random numbers.
a9a98d49 1238
e63df1ec 1239 See https://www.chronox.de/jent/
bb5530e4 1240
e7ed6473
HX		 1241if CRYPTO_JITTERENTROPY
1242if CRYPTO_FIPS && EXPERT
1243
59bcfd78
SM		 1244choice
1245 prompt "CPU Jitter RNG Memory Size"
1246 default CRYPTO_JITTERENTROPY_MEMSIZE_2
59bcfd78
SM		 1247 help
1248 The Jitter RNG measures the execution time of memory accesses.
1249 Multiple consecutive memory accesses are performed. If the memory
1250 size fits into a cache (e.g. L1), only the memory access timing
1251 to that cache is measured. The closer the cache is to the CPU
1252 the less variations are measured and thus the less entropy is
1253 obtained. Thus, if the memory size fits into the L1 cache, the
1254 obtained entropy is less than if the memory size fits within
1255 L1 + L2, which in turn is less if the memory fits into
1256 L1 + L2 + L3. Thus, by selecting a different memory size,
1257 the entropy rate produced by the Jitter RNG can be modified.
1258
1259 config CRYPTO_JITTERENTROPY_MEMSIZE_2
1260 bool "2048 Bytes (default)"
1261
1262 config CRYPTO_JITTERENTROPY_MEMSIZE_128
1263 bool "128 kBytes"
1264
1265 config CRYPTO_JITTERENTROPY_MEMSIZE_1024
1266 bool "1024 kBytes"
1267
1268 config CRYPTO_JITTERENTROPY_MEMSIZE_8192
1269 bool "8192 kBytes"
1270endchoice
1271
1272config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
1273 int
1274 default 64 if CRYPTO_JITTERENTROPY_MEMSIZE_2
1275 default 512 if CRYPTO_JITTERENTROPY_MEMSIZE_128
1276 default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
1277 default 4096 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
1278
1279config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
1280 int
1281 default 32 if CRYPTO_JITTERENTROPY_MEMSIZE_2
1282 default 256 if CRYPTO_JITTERENTROPY_MEMSIZE_128
1283 default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
1284 default 2048 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
1285
0baa8fab
SM		 1286config CRYPTO_JITTERENTROPY_OSR
1287 int "CPU Jitter RNG Oversampling Rate"
1288 range 1 15
95a798d2 1289 default 3
0baa8fab
SM		 1290 help
1291 The Jitter RNG allows the specification of an oversampling rate (OSR).
1292 The Jitter RNG operation requires a fixed amount of timing
1293 measurements to produce one output block of random numbers. The
1294 OSR value is multiplied with the amount of timing measurements to
1295 generate one output block. Thus, the timing measurement is oversampled
1296 by the OSR factor. The oversampling allows the Jitter RNG to operate
1297 on hardware whose timers deliver limited amount of entropy (e.g.
1298 the timer is coarse) by setting the OSR to a higher value. The
1299 trade-off, however, is that the Jitter RNG now requires more time
1300 to generate random numbers.
1301
69f1c387
SM		 1302config CRYPTO_JITTERENTROPY_TESTINTERFACE
1303 bool "CPU Jitter RNG Test Interface"
69f1c387
SM		 1304 help
1305 The test interface allows a privileged process to capture
1306 the raw unconditioned high resolution time stamp noise that
1307 is collected by the Jitter RNG for statistical analysis. As
1308 this data is used at the same time to generate random bits,
1309 the Jitter RNG operates in an insecure mode as long as the
1310 recording is enabled. This interface therefore is only
1311 intended for testing purposes and is not suitable for
1312 production systems.
1313
1314 The raw noise data can be obtained using the jent_raw_hires
1315 debugfs file. Using the option
1316 jitterentropy_testing.boot_raw_hires_test=1 the raw noise of
1317 the first 1000 entropy events since boot can be sampled.
1318
1319 If unsure, select N.
1320
e7ed6473
HX		 1321endif # if CRYPTO_FIPS && EXPERT
1322
1323if !(CRYPTO_FIPS && EXPERT)
1324
1325config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
1326 int
1327 default 64
1328
1329config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
1330 int
1331 default 32
1332
1333config CRYPTO_JITTERENTROPY_OSR
1334 int
1335 default 1
1336
1337config CRYPTO_JITTERENTROPY_TESTINTERFACE
1338 bool
1339
1340endif # if !(CRYPTO_FIPS && EXPERT)
1341endif # if CRYPTO_JITTERENTROPY
1342
026a733e
SM		 1343config CRYPTO_KDF800108_CTR
1344 tristate
a88592cc 1345 select CRYPTO_HMAC
304b4ace 1346 select CRYPTO_SHA256
026a733e 1347
f1f142ad 1348endmenu
9bc51715 1349menu "Userspace interface"
f1f142ad 1350
03c8efc1
HX		 1351config CRYPTO_USER_API
1352 tristate
1353
fe869cdb 1354config CRYPTO_USER_API_HASH
9bc51715 1355 tristate "Hash algorithms"
7451708f 1356 depends on NET
fe869cdb
HX		 1357 select CRYPTO_HASH
1358 select CRYPTO_USER_API
1359 help
9bc51715
RE		 1360 Enable the userspace interface for hash algorithms.
1361
1362 See Documentation/crypto/userspace-if.rst and
1363 https://www.chronox.de/libkcapi/html/index.html
fe869cdb 1364
8ff59090 1365config CRYPTO_USER_API_SKCIPHER
9bc51715 1366 tristate "Symmetric key cipher algorithms"
7451708f 1367 depends on NET
b95bba5d 1368 select CRYPTO_SKCIPHER
8ff59090
HX		 1369 select CRYPTO_USER_API
1370 help
9bc51715
RE		 1371 Enable the userspace interface for symmetric key cipher algorithms.
1372
1373 See Documentation/crypto/userspace-if.rst and
1374 https://www.chronox.de/libkcapi/html/index.html
8ff59090 1375
2f375538 1376config CRYPTO_USER_API_RNG
9bc51715 1377 tristate "RNG (random number generator) algorithms"
2f375538
SM		 1378 depends on NET
1379 select CRYPTO_RNG
1380 select CRYPTO_USER_API
1381 help
9bc51715
RE		 1382 Enable the userspace interface for RNG (random number generator)
1383 algorithms.
1384
1385 See Documentation/crypto/userspace-if.rst and
1386 https://www.chronox.de/libkcapi/html/index.html
2f375538 1387
77ebdabe
EP		 1388config CRYPTO_USER_API_RNG_CAVP
1389 bool "Enable CAVP testing of DRBG"
1390 depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
1391 help
9bc51715
RE		 1392 Enable extra APIs in the userspace interface for NIST CAVP
1393 (Cryptographic Algorithm Validation Program) testing:
1394 - resetting DRBG entropy
1395 - providing Additional Data
1396
77ebdabe
EP		 1397 This should only be enabled for CAVP testing. You should say
1398 no unless you know what this is.
1399
b64a2d95 1400config CRYPTO_USER_API_AEAD
9bc51715 1401 tristate "AEAD cipher algorithms"
b64a2d95
HX		 1402 depends on NET
1403 select CRYPTO_AEAD
b95bba5d 1404 select CRYPTO_SKCIPHER
b64a2d95
HX		 1405 select CRYPTO_USER_API
1406 help
9bc51715
RE		 1407 Enable the userspace interface for AEAD cipher algorithms.
1408
1409 See Documentation/crypto/userspace-if.rst and
1410 https://www.chronox.de/libkcapi/html/index.html
b64a2d95 1411
9ace6771 1412config CRYPTO_USER_API_ENABLE_OBSOLETE
9bc51715 1413 bool "Obsolete cryptographic algorithms"
9ace6771
AB		 1414 depends on CRYPTO_USER_API
1415 default y
1416 help
1417 Allow obsolete cryptographic algorithms to be selected that have
1418 already been phased out from internal use by the kernel, and are
1419 only useful for userspace clients that still rely on them.
1420
f1f142ad
RE		 1421endmenu
1422
ee08997f
DK		 1423config CRYPTO_HASH_INFO
1424 bool
1425
27bc50fc 1426if !KMSAN # avoid false positives from assembly
4a329fec
RE		 1427if ARM
1428source "arch/arm/crypto/Kconfig"
1429endif
1430if ARM64
1431source "arch/arm64/crypto/Kconfig"
1432endif
2f164822
MZ		 1433if LOONGARCH
1434source "arch/loongarch/crypto/Kconfig"
1435endif
e45f710b
RE		 1436if MIPS
1437source "arch/mips/crypto/Kconfig"
1438endif
6a490a4e
RE		 1439if PPC
1440source "arch/powerpc/crypto/Kconfig"
1441endif
178f3856
HS		 1442if RISCV
1443source "arch/riscv/crypto/Kconfig"
1444endif
c9d24c97
RE		 1445if S390
1446source "arch/s390/crypto/Kconfig"
1447endif
0e9f9ea6
RE		 1448if SPARC
1449source "arch/sparc/crypto/Kconfig"
1450endif
28a936ef
RE		 1451if X86
1452source "arch/x86/crypto/Kconfig"
1453endif
27bc50fc 1454endif
e45f710b 1455
1da177e4 1456source "drivers/crypto/Kconfig"
8636a1f9
MY		 1457source "crypto/asymmetric_keys/Kconfig"
1458source "certs/Kconfig"
3936f02b 1459source "crypto/krb5/Kconfig"
1da177e4 1460
cce9e06d 1461endif # if CRYPTO
Linux 6.x block layer and io_uring tree(s)