Commit | Line | Data |
---|---|---|
ec8f24b7 | 1 | # SPDX-License-Identifier: GPL-2.0-only |
1da177e4 LT |
2 | # |
3 | # XFRM configuration | |
4 | # | |
6a2e9b73 | 5 | config XFRM |
43da1411 KK |
6 | bool |
7 | depends on INET | |
8 | select GRO_CELLS | |
9 | select SKB_EXTENSIONS | |
6a2e9b73 | 10 | |
25393d3f | 11 | config XFRM_OFFLOAD |
43da1411 | 12 | bool |
25393d3f | 13 | |
7e152524 JB |
14 | config XFRM_ALGO |
15 | tristate | |
16 | select XFRM | |
17 | select CRYPTO | |
29b49013 | 18 | select CRYPTO_AEAD |
597179b0 | 19 | select CRYPTO_HASH |
b95bba5d | 20 | select CRYPTO_SKCIPHER |
7e152524 | 21 | |
e54d1527 | 22 | if INET |
1da177e4 | 23 | config XFRM_USER |
654b32c6 | 24 | tristate "Transformation user configuration interface" |
7e152524 | 25 | select XFRM_ALGO |
a7f7f624 | 26 | help |
654b32c6 MN |
27 | Support for the Transformation (XFRM) user configuration interface, |
28 | used by native Linux tools to configure transforms such as IPsec. | |
1da177e4 LT |
29 | |
30 | If unsure, say Y. | |
31 | ||
c9e7c76d DS |
32 | config XFRM_USER_COMPAT |
33 | tristate "Compatible ABI support" | |
5106f4a8 DS |
34 | depends on XFRM_USER && COMPAT_FOR_U64_ALIGNMENT && \ |
35 | HAVE_EFFICIENT_UNALIGNED_ACCESS | |
c9e7c76d DS |
36 | select WANT_COMPAT_NETLINK_MESSAGES |
37 | help | |
38 | Support for the Transformation (XFRM) user configuration interface, | |
39 | such as for IPsec, when used by compat-ABI Linux applications (for example, 32-bit userspace on a 64-bit kernel). | |
40 | ||
41 | If unsure, say N. | |
42 | ||
f203b76d SK |
43 | config XFRM_INTERFACE |
44 | tristate "Transformation virtual interface" | |
45 | depends on XFRM && IPV6 | |
a7f7f624 | 46 | help |
f203b76d SK |
47 | This provides a virtual interface to route IPsec traffic. |
48 | ||
49 | If unsure, say N. | |
50 | ||
c11f1a15 | 51 | config XFRM_SUB_POLICY |
f215bf48 KC |
52 | bool "Transformation sub policy support" |
53 | depends on XFRM | |
a7f7f624 | 54 | help |
c11f1a15 MN |
55 | Support sub policies for developers. By using a sub policy together |
56 | with a main one, two policies can be applied to the same packet at once. | |
57 | The policy with the shorter lifetime in the kernel should be the sub policy. | |
58 | ||
59 | If unsure, say N. | |
60 | ||
d0473655 | 61 | config XFRM_MIGRATE |
f215bf48 KC |
62 | bool "Transformation migrate database" |
63 | depends on XFRM | |
a7f7f624 | 64 | help |
d0473655 SS |
65 | A feature to update locator(s) of a given IPsec security |
66 | association dynamically. This feature is required, for | |
67 | instance, in a Mobile IPv6 environment with IPsec configuration | |
68 | where mobile nodes change their attachment point to the Internet. | |
69 | ||
70 | If unsure, say N. | |
71 | ||
8ea84349 | 72 | config XFRM_STATISTICS |
f215bf48 | 73 | bool "Transformation statistics" |
e54d1527 | 74 | depends on XFRM && PROC_FS |
a7f7f624 | 75 | help |
8ea84349 MN |
76 | These statistics do not follow any SNMP/MIB specification; they count |
77 | the causes of transformation errors (and near-errors) encountered | |
78 | during packet processing, and are intended for developers. | |
79 | ||
80 | If unsure, say N. | |
81 | ||
be013698 EB |
82 | # This option selects XFRM_ALGO along with the AH authentication algorithms that |
83 | # RFC 8221 lists as MUST be implemented. | |
7d4e3919 EB |
84 | config XFRM_AH |
85 | tristate | |
86 | select XFRM_ALGO | |
87 | select CRYPTO | |
88 | select CRYPTO_HMAC | |
be013698 | 89 | select CRYPTO_SHA256 |
7d4e3919 | 90 | |
be013698 EB |
91 | # This option selects XFRM_ALGO along with the ESP encryption and authentication |
92 | # algorithms that RFC 8221 lists as MUST be implemented. | |
7d4e3919 EB |
93 | config XFRM_ESP |
94 | tristate | |
95 | select XFRM_ALGO | |
96 | select CRYPTO | |
be013698 | 97 | select CRYPTO_AES |
7d4e3919 | 98 | select CRYPTO_AUTHENC |
7d4e3919 | 99 | select CRYPTO_CBC |
7d4e3919 | 100 | select CRYPTO_ECHAINIV |
be013698 EB |
101 | select CRYPTO_GCM |
102 | select CRYPTO_HMAC | |
37ea0f18 | 103 | select CRYPTO_SEQIV |
be013698 | 104 | select CRYPTO_SHA256 |
7d4e3919 | 105 | |
6fccab67 HX |
106 | config XFRM_IPCOMP |
107 | tristate | |
7e152524 | 108 | select XFRM_ALGO |
6fccab67 HX |
109 | select CRYPTO |
110 | select CRYPTO_DEFLATE | |
111 | ||
6a2e9b73 SR |
112 | config NET_KEY |
113 | tristate "PF_KEY sockets" | |
7e152524 | 114 | select XFRM_ALGO |
a7f7f624 | 115 | help |
6a2e9b73 SR |
116 | PF_KEYv2 socket family, compatible with the KAME implementation. |
117 | These sockets are required if you are going to use IPsec tools ported | |
118 | from KAME. | |
119 | ||
120 | Say Y unless you know what you are doing. | |
121 | ||
f6ed0ec0 | 122 | config NET_KEY_MIGRATE |
f215bf48 KC |
123 | bool "PF_KEY MIGRATE" |
124 | depends on NET_KEY | |
f6ed0ec0 | 125 | select XFRM_MIGRATE |
a7f7f624 | 126 | help |
f6ed0ec0 SS |
127 | Add a PF_KEY MIGRATE message to PF_KEYv2 socket family. |
128 | The PF_KEY MIGRATE message is used to dynamically update | |
129 | locator(s) of a given IPsec security association. | |
130 | This feature is required, for instance, in a Mobile IPv6 | |
131 | environment with IPsec configuration where mobile nodes | |
132 | change their attachment point to the Internet. Detailed | |
133 | information can be found in the internet-draft | |
134 | <draft-sugimoto-mip6-pfkey-migrate>. | |
135 | ||
136 | If unsure, say N. | |
e54d1527 | 137 | |
26333c37 SD |
138 | config XFRM_ESPINTCP |
139 | bool | |
140 | ||
e54d1527 | 141 | endif # INET |