1b2441318SGreg Kroah-Hartman# SPDX-License-Identifier: GPL-2.0 2652ccae5SArd Biesheuvel 34a329fecSRobert Elliottmenu "Accelerated Cryptographic Algorithms for CPU (arm)" 4652ccae5SArd Biesheuvel 54a95d4aeSRobert Elliottconfig CRYPTO_CURVE25519_NEON 605b37465SRobert Elliott tristate "Public key crypto: Curve25519 (NEON)" 74a95d4aeSRobert Elliott depends on KERNEL_MODE_NEON 84a95d4aeSRobert Elliott select CRYPTO_LIB_CURVE25519_GENERIC 94a95d4aeSRobert Elliott select CRYPTO_ARCH_HAVE_LIB_CURVE25519 1005b37465SRobert Elliott help 1105b37465SRobert Elliott Curve25519 algorithm 1205b37465SRobert Elliott 1305b37465SRobert Elliott Architecture: arm with 1405b37465SRobert Elliott - NEON (Advanced SIMD) extensions 154a95d4aeSRobert Elliott 164a95d4aeSRobert Elliottconfig CRYPTO_GHASH_ARM_CE 173f342a23SRobert Elliott tristate "Hash functions: GHASH (PMULL/NEON/ARMv8 Crypto Extensions)" 184a95d4aeSRobert Elliott depends on KERNEL_MODE_NEON 19*b575b5a1SArd Biesheuvel select CRYPTO_AEAD 204a95d4aeSRobert Elliott select CRYPTO_HASH 214a95d4aeSRobert Elliott select CRYPTO_CRYPTD 22*b575b5a1SArd Biesheuvel select CRYPTO_LIB_AES 2361c581a4SArd Biesheuvel select CRYPTO_LIB_GF128MUL 244a95d4aeSRobert Elliott help 253f342a23SRobert Elliott GCM GHASH function (NIST SP800-38D) 263f342a23SRobert Elliott 273f342a23SRobert Elliott Architecture: arm using 283f342a23SRobert Elliott - PMULL (Polynomial Multiply Long) instructions 293f342a23SRobert Elliott - NEON (Advanced SIMD) extensions 303f342a23SRobert Elliott - ARMv8 Crypto Extensions 313f342a23SRobert Elliott 324a95d4aeSRobert Elliott Use an implementation of GHASH (used by the GCM AEAD chaining mode) 334a95d4aeSRobert Elliott that uses the 64x64 to 128 bit polynomial multiplication (vmull.p64) 344a95d4aeSRobert Elliott that is part of the ARMv8 Crypto Extensions, or a slower variant that 354a95d4aeSRobert Elliott uses the vmull.p8 instruction that is part of the basic NEON ISA. 364a95d4aeSRobert Elliott 374a95d4aeSRobert Elliottconfig CRYPTO_NHPOLY1305_NEON 383f342a23SRobert Elliott tristate "Hash functions: NHPoly1305 (NEON)" 394a95d4aeSRobert Elliott depends on KERNEL_MODE_NEON 404a95d4aeSRobert Elliott select CRYPTO_NHPOLY1305 413f342a23SRobert Elliott help 423f342a23SRobert Elliott NHPoly1305 hash function (Adiantum) 433f342a23SRobert Elliott 443f342a23SRobert Elliott Architecture: arm using: 453f342a23SRobert Elliott - NEON (Advanced SIMD) extensions 464a95d4aeSRobert Elliott 474a95d4aeSRobert Elliottconfig CRYPTO_POLY1305_ARM 483f342a23SRobert Elliott tristate "Hash functions: Poly1305 (NEON)" 494a95d4aeSRobert Elliott select CRYPTO_HASH 504a95d4aeSRobert Elliott select CRYPTO_ARCH_HAVE_LIB_POLY1305 513f342a23SRobert Elliott help 523f342a23SRobert Elliott Poly1305 authenticator algorithm (RFC7539) 533f342a23SRobert Elliott 543f342a23SRobert Elliott Architecture: arm optionally using 553f342a23SRobert Elliott - NEON (Advanced SIMD) extensions 564a95d4aeSRobert Elliott 574a95d4aeSRobert Elliottconfig CRYPTO_BLAKE2S_ARM 583f342a23SRobert Elliott bool "Hash functions: BLAKE2s" 594a95d4aeSRobert Elliott select CRYPTO_ARCH_HAVE_LIB_BLAKE2S 604a95d4aeSRobert Elliott help 613f342a23SRobert Elliott BLAKE2s cryptographic hash function (RFC 7693) 623f342a23SRobert Elliott 633f342a23SRobert Elliott Architecture: arm 643f342a23SRobert Elliott 653f342a23SRobert Elliott This is faster than the generic implementations of BLAKE2s and 663f342a23SRobert Elliott BLAKE2b, but slower than the NEON implementation of BLAKE2b. 673f342a23SRobert Elliott There is no NEON implementation of BLAKE2s, since NEON doesn't 683f342a23SRobert Elliott really help with it. 694a95d4aeSRobert Elliott 704a95d4aeSRobert Elliottconfig CRYPTO_BLAKE2B_NEON 713f342a23SRobert Elliott tristate "Hash functions: BLAKE2b (NEON)" 724a95d4aeSRobert Elliott depends on KERNEL_MODE_NEON 734a95d4aeSRobert Elliott select CRYPTO_BLAKE2B 744a95d4aeSRobert Elliott help 753f342a23SRobert Elliott BLAKE2b cryptographic hash function (RFC 7693) 763f342a23SRobert Elliott 773f342a23SRobert Elliott Architecture: arm using 783f342a23SRobert Elliott - NEON (Advanced SIMD) extensions 793f342a23SRobert Elliott 804a95d4aeSRobert Elliott BLAKE2b digest algorithm optimized with ARM NEON instructions. 814a95d4aeSRobert Elliott On ARM processors that have NEON support but not the ARMv8 824a95d4aeSRobert Elliott Crypto Extensions, typically this BLAKE2b implementation is 833f342a23SRobert Elliott much faster than the SHA-2 family and slightly faster than 843f342a23SRobert Elliott SHA-1. 854a95d4aeSRobert Elliott 86652ccae5SArd Biesheuvelconfig CRYPTO_SHA1_ARM 873f342a23SRobert Elliott tristate "Hash functions: SHA-1" 88652ccae5SArd Biesheuvel select CRYPTO_SHA1 89652ccae5SArd Biesheuvel select CRYPTO_HASH 90652ccae5SArd Biesheuvel help 913f342a23SRobert Elliott SHA-1 secure hash algorithm (FIPS 180) 923f342a23SRobert Elliott 933f342a23SRobert Elliott Architecture: arm 94652ccae5SArd Biesheuvel 95652ccae5SArd Biesheuvelconfig CRYPTO_SHA1_ARM_NEON 963f342a23SRobert Elliott tristate "Hash functions: SHA-1 (NEON)" 97652ccae5SArd Biesheuvel depends on KERNEL_MODE_NEON 98652ccae5SArd Biesheuvel select CRYPTO_SHA1_ARM 99652ccae5SArd Biesheuvel select CRYPTO_SHA1 100652ccae5SArd Biesheuvel select CRYPTO_HASH 101652ccae5SArd Biesheuvel help 1023f342a23SRobert Elliott SHA-1 secure hash algorithm (FIPS 180) 1033f342a23SRobert Elliott 1043f342a23SRobert Elliott Architecture: arm using 1053f342a23SRobert Elliott - NEON (Advanced SIMD) extensions 106652ccae5SArd Biesheuvel 107864cbeedSArd Biesheuvelconfig CRYPTO_SHA1_ARM_CE 1083f342a23SRobert Elliott tristate "Hash functions: SHA-1 (ARMv8 Crypto Extensions)" 1095429ef62SWill Deacon depends on KERNEL_MODE_NEON 110864cbeedSArd Biesheuvel select CRYPTO_SHA1_ARM 111864cbeedSArd Biesheuvel select CRYPTO_HASH 112864cbeedSArd Biesheuvel help 1133f342a23SRobert Elliott SHA-1 secure hash algorithm (FIPS 180) 1143f342a23SRobert Elliott 1153f342a23SRobert Elliott Architecture: arm using ARMv8 Crypto Extensions 116864cbeedSArd Biesheuvel 117006d0624SArd Biesheuvelconfig CRYPTO_SHA2_ARM_CE 1183f342a23SRobert Elliott tristate "Hash functions: SHA-224 and SHA-256 (ARMv8 Crypto Extensions)" 1195429ef62SWill Deacon depends on KERNEL_MODE_NEON 1209205b949SArd Biesheuvel select CRYPTO_SHA256_ARM 121006d0624SArd Biesheuvel select CRYPTO_HASH 122006d0624SArd Biesheuvel help 1233f342a23SRobert Elliott SHA-224 and SHA-256 secure hash algorithms (FIPS 180) 1243f342a23SRobert Elliott 1253f342a23SRobert Elliott Architecture: arm using 1263f342a23SRobert Elliott - ARMv8 Crypto Extensions 127006d0624SArd Biesheuvel 128f2f770d7SSami Tolvanenconfig CRYPTO_SHA256_ARM 1293f342a23SRobert Elliott tristate "Hash functions: SHA-224 and SHA-256 (NEON)" 130f2f770d7SSami Tolvanen select CRYPTO_HASH 131b48321deSArnd Bergmann depends on !CPU_V7M 132f2f770d7SSami Tolvanen help 1333f342a23SRobert Elliott SHA-224 and SHA-256 secure hash algorithms (FIPS 180) 1343f342a23SRobert Elliott 1353f342a23SRobert Elliott Architecture: arm using 1363f342a23SRobert Elliott - NEON (Advanced SIMD) extensions 137f2f770d7SSami Tolvanen 138c80ae7caSArd Biesheuvelconfig CRYPTO_SHA512_ARM 1393f342a23SRobert Elliott tristate "Hash functions: SHA-384 and SHA-512 (NEON)" 140652ccae5SArd Biesheuvel select CRYPTO_HASH 141c80ae7caSArd Biesheuvel depends on !CPU_V7M 142652ccae5SArd Biesheuvel help 1433f342a23SRobert Elliott SHA-384 and SHA-512 secure hash algorithms (FIPS 180) 1443f342a23SRobert Elliott 1453f342a23SRobert Elliott Architecture: arm using 1463f342a23SRobert Elliott - NEON (Advanced SIMD) extensions 147652ccae5SArd Biesheuvel 148652ccae5SArd Biesheuvelconfig CRYPTO_AES_ARM 149cf514b2aSRobert Elliott tristate "Ciphers: AES" 150652ccae5SArd Biesheuvel select CRYPTO_ALGAPI 151652ccae5SArd Biesheuvel select CRYPTO_AES 152652ccae5SArd Biesheuvel help 153cf514b2aSRobert Elliott Block ciphers: AES cipher algorithms (FIPS-197) 154cf514b2aSRobert Elliott 155cf514b2aSRobert Elliott Architecture: arm 156652ccae5SArd Biesheuvel 157913a3aa0SEric Biggers On ARM processors without the Crypto Extensions, this is the 158913a3aa0SEric Biggers fastest AES implementation for single blocks. For multiple 159913a3aa0SEric Biggers blocks, the NEON bit-sliced implementation is usually faster. 160913a3aa0SEric Biggers 161913a3aa0SEric Biggers This implementation may be vulnerable to cache timing attacks, 162913a3aa0SEric Biggers since it uses lookup tables. However, as countermeasures it 163913a3aa0SEric Biggers disables IRQs and preloads the tables; it is hoped this makes 164913a3aa0SEric Biggers such attacks very difficult. 165913a3aa0SEric Biggers 166652ccae5SArd Biesheuvelconfig CRYPTO_AES_ARM_BS 167cf514b2aSRobert Elliott tristate "Ciphers: AES, modes: ECB/CBC/CTR/XTS (bit-sliced NEON)" 168652ccae5SArd Biesheuvel depends on KERNEL_MODE_NEON 169b95bba5dSEric Biggers select CRYPTO_SKCIPHER 170aa6e2d2bSArd Biesheuvel select CRYPTO_LIB_AES 171c8bd296cSHerbert Xu select CRYPTO_AES 172c8bd296cSHerbert Xu select CRYPTO_CBC 1736fdf436fSHerbert Xu select CRYPTO_SIMD 174652ccae5SArd Biesheuvel help 175cf514b2aSRobert Elliott Length-preserving ciphers: AES cipher algorithms (FIPS-197) 176cf514b2aSRobert Elliott with block cipher modes: 177cf514b2aSRobert Elliott - ECB (Electronic Codebook) mode (NIST SP800-38A) 178cf514b2aSRobert Elliott - CBC (Cipher Block Chaining) mode (NIST SP800-38A) 179cf514b2aSRobert Elliott - CTR (Counter) mode (NIST SP800-38A) 180cf514b2aSRobert Elliott - XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E 181cf514b2aSRobert Elliott and IEEE 1619) 182652ccae5SArd Biesheuvel 183652ccae5SArd Biesheuvel Bit sliced AES gives around 45% speedup on Cortex-A15 for CTR mode 184652ccae5SArd Biesheuvel and for XTS mode encryption, CBC and XTS mode decryption speedup is 185652ccae5SArd Biesheuvel around 25%. (CBC encryption speed is not affected by this driver.) 186652ccae5SArd Biesheuvel This implementation does not rely on any lookup tables so it is 187652ccae5SArd Biesheuvel believed to be invulnerable to cache timing attacks. 188652ccae5SArd Biesheuvel 18986464859SArd Biesheuvelconfig CRYPTO_AES_ARM_CE 190cf514b2aSRobert Elliott tristate "Ciphers: AES, modes: ECB/CBC/CTS/CTR/XTS (ARMv8 Crypto Extensions)" 1915429ef62SWill Deacon depends on KERNEL_MODE_NEON 192b95bba5dSEric Biggers select CRYPTO_SKCIPHER 193f703964fSArd Biesheuvel select CRYPTO_LIB_AES 194585b5fa6SHerbert Xu select CRYPTO_SIMD 19586464859SArd Biesheuvel help 196cf514b2aSRobert Elliott Length-preserving ciphers: AES cipher algorithms (FIPS-197) 197cf514b2aSRobert Elliott with block cipher modes: 198cf514b2aSRobert Elliott - ECB (Electronic Codebook) mode (NIST SP800-38A) 199cf514b2aSRobert Elliott - CBC (Cipher Block Chaining) mode (NIST SP800-38A) 200cf514b2aSRobert Elliott - CTR (Counter) mode (NIST SP800-38A) 201cf514b2aSRobert Elliott - CTS (Cipher Text Stealing) mode (NIST SP800-38A) 202cf514b2aSRobert Elliott - XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E 203cf514b2aSRobert Elliott and IEEE 1619) 204cf514b2aSRobert Elliott 205cf514b2aSRobert Elliott Architecture: arm using: 206cf514b2aSRobert Elliott - ARMv8 Crypto Extensions 20786464859SArd Biesheuvel 2084a95d4aeSRobert Elliottconfig CRYPTO_CHACHA20_NEON 209cf514b2aSRobert Elliott tristate "Ciphers: ChaCha20, XChaCha20, XChaCha12 (NEON)" 2104a95d4aeSRobert Elliott select CRYPTO_SKCIPHER 2114a95d4aeSRobert Elliott select CRYPTO_ARCH_HAVE_LIB_CHACHA 212cf514b2aSRobert Elliott help 213cf514b2aSRobert Elliott Length-preserving ciphers: ChaCha20, XChaCha20, and XChaCha12 214cf514b2aSRobert Elliott stream cipher algorithms 215cf514b2aSRobert Elliott 216cf514b2aSRobert Elliott Architecture: arm using: 217cf514b2aSRobert Elliott - NEON (Advanced SIMD) extensions 2181d481f1cSArd Biesheuvel 219d0a3431aSArd Biesheuvelconfig CRYPTO_CRC32_ARM_CE 220ec84348dSRobert Elliott tristate "CRC32C and CRC32" 2215429ef62SWill Deacon depends on KERNEL_MODE_NEON 222b4d0c0aaSArd Biesheuvel depends on CRC32 223d0a3431aSArd Biesheuvel select CRYPTO_HASH 224ec84348dSRobert Elliott help 225ec84348dSRobert Elliott CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720) 226ec84348dSRobert Elliott and CRC32 CRC algorithm (IEEE 802.3) 227ec84348dSRobert Elliott 228ec84348dSRobert Elliott Architecture: arm using: 229ec84348dSRobert Elliott - CRC and/or PMULL instructions 230ec84348dSRobert Elliott 231ec84348dSRobert Elliott Drivers: crc32-arm-ce and crc32c-arm-ce 232d0a3431aSArd Biesheuvel 2334a95d4aeSRobert Elliottconfig CRYPTO_CRCT10DIF_ARM_CE 234ec84348dSRobert Elliott tristate "CRCT10DIF" 2354a95d4aeSRobert Elliott depends on KERNEL_MODE_NEON 2364a95d4aeSRobert Elliott depends on CRC_T10DIF 237a6b803b3SArd Biesheuvel select CRYPTO_HASH 238ec84348dSRobert Elliott help 239ec84348dSRobert Elliott CRC16 CRC algorithm used for the T10 (SCSI) Data Integrity Field (DIF) 240ec84348dSRobert Elliott 241ec84348dSRobert Elliott Architecture: arm using: 242ec84348dSRobert Elliott - PMULL (Polynomial Multiply Long) instructions 243d8f1308aSJason A. Donenfeld 2444a329fecSRobert Elliottendmenu 2454a95d4aeSRobert Elliott 246