[linux-block.git] / net / xfrm / Kconfig

# SPDX-License-Identifier: GPL-2.0-only
#
# XFRM configuration
#
config XFRM
	bool
	depends on INET
	select GRO_CELLS
	select SKB_EXTENSIONS

config XFRM_OFFLOAD
	bool

config XFRM_ALGO
	tristate
	select XFRM
	select CRYPTO
	select CRYPTO_AEAD
	select CRYPTO_HASH
	select CRYPTO_SKCIPHER

if INET
config XFRM_USER
	tristate "Transformation user configuration interface"
	select XFRM_ALGO
	help
	  Support for Transformation(XFRM) user configuration interface
	  like IPsec used by native Linux tools.

	  If unsure, say Y.

config XFRM_USER_COMPAT
	tristate "Compatible ABI support"
	depends on XFRM_USER && COMPAT_FOR_U64_ALIGNMENT && \
		HAVE_EFFICIENT_UNALIGNED_ACCESS
	select WANT_COMPAT_NETLINK_MESSAGES
	help
	  Transformation(XFRM) user configuration interface like IPsec
	  used by compatible Linux applications.

	  If unsure, say N.

config XFRM_INTERFACE
	tristate "Transformation virtual interface"
	depends on XFRM && IPV6
	help
	  This provides a virtual interface to route IPsec traffic.

	  If unsure, say N.

config XFRM_SUB_POLICY
	bool "Transformation sub policy support"
	depends on XFRM
	help
	  Support sub policy for developers. By using sub policy with main
	  one, two policies can be applied to the same packet at once.
	  Policy which lives shorter time in kernel should be a sub.

	  If unsure, say N.

config XFRM_MIGRATE
	bool "Transformation migrate database"
	depends on XFRM
	help
	  A feature to update locator(s) of a given IPsec security
	  association dynamically.  This feature is required, for
	  instance, in a Mobile IPv6 environment with IPsec configuration
	  where mobile nodes change their attachment point to the Internet.

	  If unsure, say N.

config XFRM_STATISTICS
	bool "Transformation statistics"
	depends on XFRM && PROC_FS
	help
	  This statistics is not a SNMP/MIB specification but shows
	  statistics about transformation error (or almost error) factor
	  at packet processing for developer.

	  If unsure, say N.

# This option selects XFRM_ALGO along with the AH authentication algorithms that
# RFC 8221 lists as MUST be implemented.
config XFRM_AH
	tristate
	select XFRM_ALGO
	select CRYPTO
	select CRYPTO_HMAC
	select CRYPTO_SHA256

# This option selects XFRM_ALGO along with the ESP encryption and authentication
# algorithms that RFC 8221 lists as MUST be implemented.
config XFRM_ESP
	tristate
	select XFRM_ALGO
	select CRYPTO
	select CRYPTO_AES
	select CRYPTO_AUTHENC
	select CRYPTO_CBC
	select CRYPTO_ECHAINIV
	select CRYPTO_GCM
	select CRYPTO_HMAC
	select CRYPTO_SEQIV
	select CRYPTO_SHA256

config XFRM_IPCOMP
	tristate
	select XFRM_ALGO
	select CRYPTO
	select CRYPTO_DEFLATE

config NET_KEY
	tristate "PF_KEY sockets"
	select XFRM_ALGO
	help
	  PF_KEYv2 socket family, compatible to KAME ones.
	  They are required if you are going to use IPsec tools ported
	  from KAME.

	  Say Y unless you know what you are doing.

config NET_KEY_MIGRATE
	bool "PF_KEY MIGRATE"
	depends on NET_KEY
	select XFRM_MIGRATE
	help
	  Add a PF_KEY MIGRATE message to PF_KEYv2 socket family.
	  The PF_KEY MIGRATE message is used to dynamically update
	  locator(s) of a given IPsec security association.
	  This feature is required, for instance, in a Mobile IPv6
	  environment with IPsec configuration where mobile nodes
	  change their attachment point to the Internet.  Detail
	  information can be found in the internet-draft
	  <draft-sugimoto-mip6-pfkey-migrate>.

	  If unsure, say N.

config XFRM_ESPINTCP
	bool

endif # INET
Commit	Line	Data
ec8f24b7	1	# SPDX-License-Identifier: GPL-2.0-only
1da177e4 LT	2	#
	3	# XFRM configuration
	4	#
6a2e9b73	5	config XFRM
43da1411 KK	6	bool
	7	depends on INET
	8	select GRO_CELLS
	9	select SKB_EXTENSIONS
6a2e9b73	10
25393d3f	11	config XFRM_OFFLOAD
43da1411	12	bool
25393d3f	13
7e152524 JB	14	config XFRM_ALGO
	15	tristate
	16	select XFRM
	17	select CRYPTO
29b49013	18	select CRYPTO_AEAD
597179b0	19	select CRYPTO_HASH
b95bba5d	20	select CRYPTO_SKCIPHER
7e152524	21
e54d1527	22	if INET
1da177e4	23	config XFRM_USER
654b32c6	24	tristate "Transformation user configuration interface"
7e152524	25	select XFRM_ALGO
a7f7f624	26	help
654b32c6 MN	27	Support for Transformation(XFRM) user configuration interface
654b32c6 MN	28	like IPsec used by native Linux tools.
1da177e4 LT	29
	30	If unsure, say Y.
	31
c9e7c76d DS	32	config XFRM_USER_COMPAT
c9e7c76d DS	33	tristate "Compatible ABI support"
5106f4a8 DS	34	depends on XFRM_USER && COMPAT_FOR_U64_ALIGNMENT && \
5106f4a8 DS	35	HAVE_EFFICIENT_UNALIGNED_ACCESS
c9e7c76d DS	36	select WANT_COMPAT_NETLINK_MESSAGES
	37	help
	38	Transformation(XFRM) user configuration interface like IPsec
	39	used by compatible Linux applications.
	40
	41	If unsure, say N.
	42
f203b76d SK	43	config XFRM_INTERFACE
	44	tristate "Transformation virtual interface"
	45	depends on XFRM && IPV6
a7f7f624	46	help
f203b76d SK	47	This provides a virtual interface to route IPsec traffic.
	48
	49	If unsure, say N.
	50
c11f1a15	51	config XFRM_SUB_POLICY
f215bf48 KC	52	bool "Transformation sub policy support"
f215bf48 KC	53	depends on XFRM
a7f7f624	54	help
c11f1a15 MN	55	Support sub policy for developers. By using sub policy with main
	56	one, two policies can be applied to the same packet at once.
	57	Policy which lives shorter time in kernel should be a sub.
	58
	59	If unsure, say N.
	60
d0473655	61	config XFRM_MIGRATE
f215bf48 KC	62	bool "Transformation migrate database"
f215bf48 KC	63	depends on XFRM
a7f7f624	64	help
d0473655 SS	65	A feature to update locator(s) of a given IPsec security
	66	association dynamically. This feature is required, for
	67	instance, in a Mobile IPv6 environment with IPsec configuration
	68	where mobile nodes change their attachment point to the Internet.
	69
	70	If unsure, say N.
	71
8ea84349	72	config XFRM_STATISTICS
f215bf48	73	bool "Transformation statistics"
e54d1527	74	depends on XFRM && PROC_FS
a7f7f624	75	help
8ea84349 MN	76	This statistics is not a SNMP/MIB specification but shows
	77	statistics about transformation error (or almost error) factor
	78	at packet processing for developer.
	79
	80	If unsure, say N.
	81
be013698 EB	82	# This option selects XFRM_ALGO along with the AH authentication algorithms that
be013698 EB	83	# RFC 8221 lists as MUST be implemented.
7d4e3919 EB	84	config XFRM_AH
	85	tristate
	86	select XFRM_ALGO
	87	select CRYPTO
	88	select CRYPTO_HMAC
be013698	89	select CRYPTO_SHA256
7d4e3919	90
be013698 EB	91	# This option selects XFRM_ALGO along with the ESP encryption and authentication
be013698 EB	92	# algorithms that RFC 8221 lists as MUST be implemented.
7d4e3919 EB	93	config XFRM_ESP
	94	tristate
	95	select XFRM_ALGO
	96	select CRYPTO
be013698	97	select CRYPTO_AES
7d4e3919	98	select CRYPTO_AUTHENC
7d4e3919	99	select CRYPTO_CBC
7d4e3919	100	select CRYPTO_ECHAINIV
be013698 EB	101	select CRYPTO_GCM
be013698 EB	102	select CRYPTO_HMAC
37ea0f18	103	select CRYPTO_SEQIV
be013698	104	select CRYPTO_SHA256
7d4e3919	105
6fccab67 HX	106	config XFRM_IPCOMP
6fccab67 HX	107	tristate
7e152524	108	select XFRM_ALGO
6fccab67 HX	109	select CRYPTO
	110	select CRYPTO_DEFLATE
	111
6a2e9b73 SR	112	config NET_KEY
6a2e9b73 SR	113	tristate "PF_KEY sockets"
7e152524	114	select XFRM_ALGO
a7f7f624	115	help
6a2e9b73 SR	116	PF_KEYv2 socket family, compatible to KAME ones.
	117	They are required if you are going to use IPsec tools ported
	118	from KAME.
	119
	120	Say Y unless you know what you are doing.
	121
f6ed0ec0	122	config NET_KEY_MIGRATE
f215bf48 KC	123	bool "PF_KEY MIGRATE"
f215bf48 KC	124	depends on NET_KEY
f6ed0ec0	125	select XFRM_MIGRATE
a7f7f624	126	help
f6ed0ec0 SS	127	Add a PF_KEY MIGRATE message to PF_KEYv2 socket family.
	128	The PF_KEY MIGRATE message is used to dynamically update
	129	locator(s) of a given IPsec security association.
	130	This feature is required, for instance, in a Mobile IPv6
	131	environment with IPsec configuration where mobile nodes
	132	change their attachment point to the Internet. Detail
	133	information can be found in the internet-draft
	134	<draft-sugimoto-mip6-pfkey-migrate>.
	135
	136	If unsure, say N.
e54d1527	137
26333c37 SD	138	config XFRM_ESPINTCP
	139	bool
	140
e54d1527	141	endif # INET