xref: /openbmc/linux/crypto/Kconfig (revision 22f1d06f)
1# SPDX-License-Identifier: GPL-2.0
2#
3# Generic algorithms support
4#
5config XOR_BLOCKS
6	tristate
7
8#
9# async_tx api: hardware offloaded memory transfer/transform support
10#
11source "crypto/async_tx/Kconfig"
12
13#
14# Cryptographic API Configuration
15#
16menuconfig CRYPTO
17	tristate "Cryptographic API"
18	select CRYPTO_LIB_UTILS
19	help
20	  This option provides the core Cryptographic API.
21
22if CRYPTO
23
24menu "Crypto core or helper"
25
26config CRYPTO_FIPS
27	bool "FIPS 200 compliance"
28	depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
29	depends on (MODULE_SIG || !MODULES)
30	help
31	  This option enables the fips boot option which is
32	  required if you want the system to operate in a FIPS 200
33	  certification.  You should say no unless you know what
34	  this is.
35
36config CRYPTO_FIPS_NAME
37	string "FIPS Module Name"
38	default "Linux Kernel Cryptographic API"
39	depends on CRYPTO_FIPS
40	help
41	  This option sets the FIPS Module name reported by the Crypto API via
42	  the /proc/sys/crypto/fips_name file.
43
44config CRYPTO_FIPS_CUSTOM_VERSION
45	bool "Use Custom FIPS Module Version"
46	depends on CRYPTO_FIPS
47	default n
48
49config CRYPTO_FIPS_VERSION
50	string "FIPS Module Version"
51	default "(none)"
52	depends on CRYPTO_FIPS_CUSTOM_VERSION
53	help
54	  This option provides the ability to override the FIPS Module Version.
55	  By default the KERNELRELEASE value is used.
56
57config CRYPTO_ALGAPI
58	tristate
59	select CRYPTO_ALGAPI2
60	help
61	  This option provides the API for cryptographic algorithms.
62
63config CRYPTO_ALGAPI2
64	tristate
65
66config CRYPTO_AEAD
67	tristate
68	select CRYPTO_AEAD2
69	select CRYPTO_ALGAPI
70
71config CRYPTO_AEAD2
72	tristate
73	select CRYPTO_ALGAPI2
74	select CRYPTO_NULL2
75	select CRYPTO_RNG2
76
77config CRYPTO_SKCIPHER
78	tristate
79	select CRYPTO_SKCIPHER2
80	select CRYPTO_ALGAPI
81
82config CRYPTO_SKCIPHER2
83	tristate
84	select CRYPTO_ALGAPI2
85	select CRYPTO_RNG2
86
87config CRYPTO_HASH
88	tristate
89	select CRYPTO_HASH2
90	select CRYPTO_ALGAPI
91
92config CRYPTO_HASH2
93	tristate
94	select CRYPTO_ALGAPI2
95
96config CRYPTO_RNG
97	tristate
98	select CRYPTO_RNG2
99	select CRYPTO_ALGAPI
100
101config CRYPTO_RNG2
102	tristate
103	select CRYPTO_ALGAPI2
104
105config CRYPTO_RNG_DEFAULT
106	tristate
107	select CRYPTO_DRBG_MENU
108
109config CRYPTO_AKCIPHER2
110	tristate
111	select CRYPTO_ALGAPI2
112
113config CRYPTO_AKCIPHER
114	tristate
115	select CRYPTO_AKCIPHER2
116	select CRYPTO_ALGAPI
117
118config CRYPTO_KPP2
119	tristate
120	select CRYPTO_ALGAPI2
121
122config CRYPTO_KPP
123	tristate
124	select CRYPTO_ALGAPI
125	select CRYPTO_KPP2
126
127config CRYPTO_ACOMP2
128	tristate
129	select CRYPTO_ALGAPI2
130	select SGL_ALLOC
131
132config CRYPTO_ACOMP
133	tristate
134	select CRYPTO_ALGAPI
135	select CRYPTO_ACOMP2
136
137config CRYPTO_MANAGER
138	tristate "Cryptographic algorithm manager"
139	select CRYPTO_MANAGER2
140	help
141	  Create default cryptographic template instantiations such as
142	  cbc(aes).
143
144config CRYPTO_MANAGER2
145	def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
146	select CRYPTO_AEAD2
147	select CRYPTO_HASH2
148	select CRYPTO_SKCIPHER2
149	select CRYPTO_AKCIPHER2
150	select CRYPTO_KPP2
151	select CRYPTO_ACOMP2
152
153config CRYPTO_USER
154	tristate "Userspace cryptographic algorithm configuration"
155	depends on NET
156	select CRYPTO_MANAGER
157	help
158	  Userspace configuration for cryptographic instantiations such as
159	  cbc(aes).
160
161config CRYPTO_MANAGER_DISABLE_TESTS
162	bool "Disable run-time self tests"
163	default y
164	help
165	  Disable run-time self tests that normally take place at
166	  algorithm registration.
167
168config CRYPTO_MANAGER_EXTRA_TESTS
169	bool "Enable extra run-time crypto self tests"
170	depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER
171	help
172	  Enable extra run-time self tests of registered crypto algorithms,
173	  including randomized fuzz tests.
174
175	  This is intended for developer use only, as these tests take much
176	  longer to run than the normal self tests.
177
178config CRYPTO_GF128MUL
179	tristate
180
181config CRYPTO_NULL
182	tristate "Null algorithms"
183	select CRYPTO_NULL2
184	help
185	  These are 'Null' algorithms, used by IPsec, which do nothing.
186
187config CRYPTO_NULL2
188	tristate
189	select CRYPTO_ALGAPI2
190	select CRYPTO_SKCIPHER2
191	select CRYPTO_HASH2
192
193config CRYPTO_PCRYPT
194	tristate "Parallel crypto engine"
195	depends on SMP
196	select PADATA
197	select CRYPTO_MANAGER
198	select CRYPTO_AEAD
199	help
200	  This converts an arbitrary crypto algorithm into a parallel
201	  algorithm that executes in kernel threads.
202
203config CRYPTO_CRYPTD
204	tristate "Software async crypto daemon"
205	select CRYPTO_SKCIPHER
206	select CRYPTO_HASH
207	select CRYPTO_MANAGER
208	help
209	  This is a generic software asynchronous crypto daemon that
210	  converts an arbitrary synchronous software crypto algorithm
211	  into an asynchronous algorithm that executes in a kernel thread.
212
213config CRYPTO_AUTHENC
214	tristate "Authenc support"
215	select CRYPTO_AEAD
216	select CRYPTO_SKCIPHER
217	select CRYPTO_MANAGER
218	select CRYPTO_HASH
219	select CRYPTO_NULL
220	help
221	  Authenc: Combined mode wrapper for IPsec.
222
223	  This is required for IPSec ESP (XFRM_ESP).
224
225config CRYPTO_TEST
226	tristate "Testing module"
227	depends on m || EXPERT
228	select CRYPTO_MANAGER
229	help
230	  Quick & dirty crypto test module.
231
232config CRYPTO_SIMD
233	tristate
234	select CRYPTO_CRYPTD
235
236config CRYPTO_ENGINE
237	tristate
238
239endmenu
240
241menu "Public-key cryptography"
242
243config CRYPTO_RSA
244	tristate "RSA (Rivest-Shamir-Adleman)"
245	select CRYPTO_AKCIPHER
246	select CRYPTO_MANAGER
247	select MPILIB
248	select ASN1
249	help
250	  RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017)
251
252config CRYPTO_DH
253	tristate "DH (Diffie-Hellman)"
254	select CRYPTO_KPP
255	select MPILIB
256	help
257	  DH (Diffie-Hellman) key exchange algorithm
258
259config CRYPTO_DH_RFC7919_GROUPS
260	bool "RFC 7919 FFDHE groups"
261	depends on CRYPTO_DH
262	select CRYPTO_RNG_DEFAULT
263	help
264	  FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups
265	  defined in RFC7919.
266
267	  Support these finite-field groups in DH key exchanges:
268	  - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
269
270	  If unsure, say N.
271
272config CRYPTO_ECC
273	tristate
274	select CRYPTO_RNG_DEFAULT
275
276config CRYPTO_ECDH
277	tristate "ECDH (Elliptic Curve Diffie-Hellman)"
278	select CRYPTO_ECC
279	select CRYPTO_KPP
280	help
281	  ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm
282	  using curves P-192, P-256, and P-384 (FIPS 186)
283
284config CRYPTO_ECDSA
285	tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)"
286	select CRYPTO_ECC
287	select CRYPTO_AKCIPHER
288	select ASN1
289	help
290	  ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186,
291	  ISO/IEC 14888-3)
292	  using curves P-192, P-256, and P-384
293
294	  Only signature verification is implemented.
295
296config CRYPTO_ECRDSA
297	tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)"
298	select CRYPTO_ECC
299	select CRYPTO_AKCIPHER
300	select CRYPTO_STREEBOG
301	select OID_REGISTRY
302	select ASN1
303	help
304	  Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
305	  RFC 7091, ISO/IEC 14888-3)
306
307	  One of the Russian cryptographic standard algorithms (called GOST
308	  algorithms). Only signature verification is implemented.
309
310config CRYPTO_SM2
311	tristate "SM2 (ShangMi 2)"
312	select CRYPTO_SM3
313	select CRYPTO_AKCIPHER
314	select CRYPTO_MANAGER
315	select MPILIB
316	select ASN1
317	help
318	  SM2 (ShangMi 2) public key algorithm
319
320	  Published by State Encryption Management Bureau, China,
321	  as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012.
322
323	  References:
324	  https://datatracker.ietf.org/doc/draft-shen-sm2-ecdsa/
325	  http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml
326	  http://www.gmbz.org.cn/main/bzlb.html
327
328config CRYPTO_CURVE25519
329	tristate "Curve25519"
330	select CRYPTO_KPP
331	select CRYPTO_LIB_CURVE25519_GENERIC
332	help
333	  Curve25519 elliptic curve (RFC7748)
334
335endmenu
336
337menu "Block ciphers"
338
339config CRYPTO_AES
340	tristate "AES (Advanced Encryption Standard)"
341	select CRYPTO_ALGAPI
342	select CRYPTO_LIB_AES
343	help
344	  AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
345
346	  Rijndael appears to be consistently a very good performer in
347	  both hardware and software across a wide range of computing
348	  environments regardless of its use in feedback or non-feedback
349	  modes. Its key setup time is excellent, and its key agility is
350	  good. Rijndael's very low memory requirements make it very well
351	  suited for restricted-space environments, in which it also
352	  demonstrates excellent performance. Rijndael's operations are
353	  among the easiest to defend against power and timing attacks.
354
355	  The AES specifies three key sizes: 128, 192 and 256 bits
356
357config CRYPTO_AES_TI
358	tristate "AES (Advanced Encryption Standard) (fixed time)"
359	select CRYPTO_ALGAPI
360	select CRYPTO_LIB_AES
361	help
362	  AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
363
364	  This is a generic implementation of AES that attempts to eliminate
365	  data dependent latencies as much as possible without affecting
366	  performance too much. It is intended for use by the generic CCM
367	  and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
368	  solely on encryption (although decryption is supported as well, but
369	  with a more dramatic performance hit)
370
371	  Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
372	  8 for decryption), this implementation only uses just two S-boxes of
373	  256 bytes each, and attempts to eliminate data dependent latencies by
374	  prefetching the entire table into the cache at the start of each
375	  block. Interrupts are also disabled to avoid races where cachelines
376	  are evicted when the CPU is interrupted to do something else.
377
378config CRYPTO_ANUBIS
379	tristate "Anubis"
380	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
381	select CRYPTO_ALGAPI
382	help
383	  Anubis cipher algorithm
384
385	  Anubis is a variable key length cipher which can use keys from
386	  128 bits to 320 bits in length.  It was evaluated as a entrant
387	  in the NESSIE competition.
388
389	  See https://web.archive.org/web/20160606112246/http://www.larc.usp.br/~pbarreto/AnubisPage.html
390	  for further information.
391
392config CRYPTO_ARIA
393	tristate "ARIA"
394	select CRYPTO_ALGAPI
395	help
396	  ARIA cipher algorithm (RFC5794)
397
398	  ARIA is a standard encryption algorithm of the Republic of Korea.
399	  The ARIA specifies three key sizes and rounds.
400	  128-bit: 12 rounds.
401	  192-bit: 14 rounds.
402	  256-bit: 16 rounds.
403
404	  See:
405	  https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do
406
407config CRYPTO_BLOWFISH
408	tristate "Blowfish"
409	select CRYPTO_ALGAPI
410	select CRYPTO_BLOWFISH_COMMON
411	help
412	  Blowfish cipher algorithm, by Bruce Schneier
413
414	  This is a variable key length cipher which can use keys from 32
415	  bits to 448 bits in length.  It's fast, simple and specifically
416	  designed for use on "large microprocessors".
417
418	  See https://www.schneier.com/blowfish.html for further information.
419
420config CRYPTO_BLOWFISH_COMMON
421	tristate
422	help
423	  Common parts of the Blowfish cipher algorithm shared by the
424	  generic c and the assembler implementations.
425
426config CRYPTO_CAMELLIA
427	tristate "Camellia"
428	select CRYPTO_ALGAPI
429	help
430	  Camellia cipher algorithms (ISO/IEC 18033-3)
431
432	  Camellia is a symmetric key block cipher developed jointly
433	  at NTT and Mitsubishi Electric Corporation.
434
435	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
436
437	  See https://info.isl.ntt.co.jp/crypt/eng/camellia/ for further information.
438
439config CRYPTO_CAST_COMMON
440	tristate
441	help
442	  Common parts of the CAST cipher algorithms shared by the
443	  generic c and the assembler implementations.
444
445config CRYPTO_CAST5
446	tristate "CAST5 (CAST-128)"
447	select CRYPTO_ALGAPI
448	select CRYPTO_CAST_COMMON
449	help
450	  CAST5 (CAST-128) cipher algorithm (RFC2144, ISO/IEC 18033-3)
451
452config CRYPTO_CAST6
453	tristate "CAST6 (CAST-256)"
454	select CRYPTO_ALGAPI
455	select CRYPTO_CAST_COMMON
456	help
457	  CAST6 (CAST-256) encryption algorithm (RFC2612)
458
459config CRYPTO_DES
460	tristate "DES and Triple DES EDE"
461	select CRYPTO_ALGAPI
462	select CRYPTO_LIB_DES
463	help
464	  DES (Data Encryption Standard)(FIPS 46-2, ISO/IEC 18033-3) and
465	  Triple DES EDE (Encrypt/Decrypt/Encrypt) (FIPS 46-3, ISO/IEC 18033-3)
466	  cipher algorithms
467
468config CRYPTO_FCRYPT
469	tristate "FCrypt"
470	select CRYPTO_ALGAPI
471	select CRYPTO_SKCIPHER
472	help
473	  FCrypt algorithm used by RxRPC
474
475	  See https://ota.polyonymo.us/fcrypt-paper.txt
476
477config CRYPTO_KHAZAD
478	tristate "Khazad"
479	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
480	select CRYPTO_ALGAPI
481	help
482	  Khazad cipher algorithm
483
484	  Khazad was a finalist in the initial NESSIE competition.  It is
485	  an algorithm optimized for 64-bit processors with good performance
486	  on 32-bit processors.  Khazad uses an 128 bit key size.
487
488	  See https://web.archive.org/web/20171011071731/http://www.larc.usp.br/~pbarreto/KhazadPage.html
489	  for further information.
490
491config CRYPTO_SEED
492	tristate "SEED"
493	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
494	select CRYPTO_ALGAPI
495	help
496	  SEED cipher algorithm (RFC4269, ISO/IEC 18033-3)
497
498	  SEED is a 128-bit symmetric key block cipher that has been
499	  developed by KISA (Korea Information Security Agency) as a
500	  national standard encryption algorithm of the Republic of Korea.
501	  It is a 16 round block cipher with the key size of 128 bit.
502
503	  See https://seed.kisa.or.kr/kisa/algorithm/EgovSeedInfo.do
504	  for further information.
505
506config CRYPTO_SERPENT
507	tristate "Serpent"
508	select CRYPTO_ALGAPI
509	help
510	  Serpent cipher algorithm, by Anderson, Biham & Knudsen
511
512	  Keys are allowed to be from 0 to 256 bits in length, in steps
513	  of 8 bits.
514
515	  See https://www.cl.cam.ac.uk/~rja14/serpent.html for further information.
516
517config CRYPTO_SM4
518	tristate
519
520config CRYPTO_SM4_GENERIC
521	tristate "SM4 (ShangMi 4)"
522	select CRYPTO_ALGAPI
523	select CRYPTO_SM4
524	help
525	  SM4 cipher algorithms (OSCCA GB/T 32907-2016,
526	  ISO/IEC 18033-3:2010/Amd 1:2021)
527
528	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
529	  Organization of State Commercial Administration of China (OSCCA)
530	  as an authorized cryptographic algorithms for the use within China.
531
532	  SMS4 was originally created for use in protecting wireless
533	  networks, and is mandated in the Chinese National Standard for
534	  Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
535	  (GB.15629.11-2003).
536
537	  The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
538	  standardized through TC 260 of the Standardization Administration
539	  of the People's Republic of China (SAC).
540
541	  The input, output, and key of SMS4 are each 128 bits.
542
543	  See https://eprint.iacr.org/2008/329.pdf for further information.
544
545	  If unsure, say N.
546
547config CRYPTO_TEA
548	tristate "TEA, XTEA and XETA"
549	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
550	select CRYPTO_ALGAPI
551	help
552	  TEA (Tiny Encryption Algorithm) cipher algorithms
553
554	  Tiny Encryption Algorithm is a simple cipher that uses
555	  many rounds for security.  It is very fast and uses
556	  little memory.
557
558	  Xtendend Tiny Encryption Algorithm is a modification to
559	  the TEA algorithm to address a potential key weakness
560	  in the TEA algorithm.
561
562	  Xtendend Encryption Tiny Algorithm is a mis-implementation
563	  of the XTEA algorithm for compatibility purposes.
564
565config CRYPTO_TWOFISH
566	tristate "Twofish"
567	select CRYPTO_ALGAPI
568	select CRYPTO_TWOFISH_COMMON
569	help
570	  Twofish cipher algorithm
571
572	  Twofish was submitted as an AES (Advanced Encryption Standard)
573	  candidate cipher by researchers at CounterPane Systems.  It is a
574	  16 round block cipher supporting key sizes of 128, 192, and 256
575	  bits.
576
577	  See https://www.schneier.com/twofish.html for further information.
578
579config CRYPTO_TWOFISH_COMMON
580	tristate
581	help
582	  Common parts of the Twofish cipher algorithm shared by the
583	  generic c and the assembler implementations.
584
585endmenu
586
587menu "Length-preserving ciphers and modes"
588
589config CRYPTO_ADIANTUM
590	tristate "Adiantum"
591	select CRYPTO_CHACHA20
592	select CRYPTO_LIB_POLY1305_GENERIC
593	select CRYPTO_NHPOLY1305
594	select CRYPTO_MANAGER
595	help
596	  Adiantum tweakable, length-preserving encryption mode
597
598	  Designed for fast and secure disk encryption, especially on
599	  CPUs without dedicated crypto instructions.  It encrypts
600	  each sector using the XChaCha12 stream cipher, two passes of
601	  an ε-almost-∆-universal hash function, and an invocation of
602	  the AES-256 block cipher on a single 16-byte block.  On CPUs
603	  without AES instructions, Adiantum is much faster than
604	  AES-XTS.
605
606	  Adiantum's security is provably reducible to that of its
607	  underlying stream and block ciphers, subject to a security
608	  bound.  Unlike XTS, Adiantum is a true wide-block encryption
609	  mode, so it actually provides an even stronger notion of
610	  security than XTS, subject to the security bound.
611
612	  If unsure, say N.
613
614config CRYPTO_ARC4
615	tristate "ARC4 (Alleged Rivest Cipher 4)"
616	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
617	select CRYPTO_SKCIPHER
618	select CRYPTO_LIB_ARC4
619	help
620	  ARC4 cipher algorithm
621
622	  ARC4 is a stream cipher using keys ranging from 8 bits to 2048
623	  bits in length.  This algorithm is required for driver-based
624	  WEP, but it should not be for other purposes because of the
625	  weakness of the algorithm.
626
627config CRYPTO_CHACHA20
628	tristate "ChaCha"
629	select CRYPTO_LIB_CHACHA_GENERIC
630	select CRYPTO_SKCIPHER
631	help
632	  The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms
633
634	  ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
635	  Bernstein and further specified in RFC7539 for use in IETF protocols.
636	  This is the portable C implementation of ChaCha20.  See
637	  https://cr.yp.to/chacha/chacha-20080128.pdf for further information.
638
639	  XChaCha20 is the application of the XSalsa20 construction to ChaCha20
640	  rather than to Salsa20.  XChaCha20 extends ChaCha20's nonce length
641	  from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
642	  while provably retaining ChaCha20's security.  See
643	  https://cr.yp.to/snuffle/xsalsa-20081128.pdf for further information.
644
645	  XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
646	  reduced security margin but increased performance.  It can be needed
647	  in some performance-sensitive scenarios.
648
649config CRYPTO_CBC
650	tristate "CBC (Cipher Block Chaining)"
651	select CRYPTO_SKCIPHER
652	select CRYPTO_MANAGER
653	help
654	  CBC (Cipher Block Chaining) mode (NIST SP800-38A)
655
656	  This block cipher mode is required for IPSec ESP (XFRM_ESP).
657
658config CRYPTO_CFB
659	tristate "CFB (Cipher Feedback)"
660	select CRYPTO_SKCIPHER
661	select CRYPTO_MANAGER
662	help
663	  CFB (Cipher Feedback) mode (NIST SP800-38A)
664
665	  This block cipher mode is required for TPM2 Cryptography.
666
667config CRYPTO_CTR
668	tristate "CTR (Counter)"
669	select CRYPTO_SKCIPHER
670	select CRYPTO_MANAGER
671	help
672	  CTR (Counter) mode (NIST SP800-38A)
673
674config CRYPTO_CTS
675	tristate "CTS (Cipher Text Stealing)"
676	select CRYPTO_SKCIPHER
677	select CRYPTO_MANAGER
678	help
679	  CBC-CS3 variant of CTS (Cipher Text Stealing) (NIST
680	  Addendum to SP800-38A (October 2010))
681
682	  This mode is required for Kerberos gss mechanism support
683	  for AES encryption.
684
685config CRYPTO_ECB
686	tristate "ECB (Electronic Codebook)"
687	select CRYPTO_SKCIPHER
688	select CRYPTO_MANAGER
689	help
690	  ECB (Electronic Codebook) mode (NIST SP800-38A)
691
692config CRYPTO_HCTR2
693	tristate "HCTR2"
694	select CRYPTO_XCTR
695	select CRYPTO_POLYVAL
696	select CRYPTO_MANAGER
697	help
698	  HCTR2 length-preserving encryption mode
699
700	  A mode for storage encryption that is efficient on processors with
701	  instructions to accelerate AES and carryless multiplication, e.g.
702	  x86 processors with AES-NI and CLMUL, and ARM processors with the
703	  ARMv8 crypto extensions.
704
705	  See https://eprint.iacr.org/2021/1441
706
707config CRYPTO_KEYWRAP
708	tristate "KW (AES Key Wrap)"
709	select CRYPTO_SKCIPHER
710	select CRYPTO_MANAGER
711	help
712	  KW (AES Key Wrap) authenticated encryption mode (NIST SP800-38F
713	  and RFC3394) without padding.
714
715config CRYPTO_LRW
716	tristate "LRW (Liskov Rivest Wagner)"
717	select CRYPTO_SKCIPHER
718	select CRYPTO_MANAGER
719	select CRYPTO_GF128MUL
720	select CRYPTO_ECB
721	help
722	  LRW (Liskov Rivest Wagner) mode
723
724	  A tweakable, non malleable, non movable
725	  narrow block cipher mode for dm-crypt.  Use it with cipher
726	  specification string aes-lrw-benbi, the key must be 256, 320 or 384.
727	  The first 128, 192 or 256 bits in the key are used for AES and the
728	  rest is used to tie each cipher block to its logical position.
729
730	  See https://people.csail.mit.edu/rivest/pubs/LRW02.pdf
731
732config CRYPTO_OFB
733	tristate "OFB (Output Feedback)"
734	select CRYPTO_SKCIPHER
735	select CRYPTO_MANAGER
736	help
737	  OFB (Output Feedback) mode (NIST SP800-38A)
738
739	  This mode makes a block cipher into a synchronous
740	  stream cipher. It generates keystream blocks, which are then XORed
741	  with the plaintext blocks to get the ciphertext. Flipping a bit in the
742	  ciphertext produces a flipped bit in the plaintext at the same
743	  location. This property allows many error correcting codes to function
744	  normally even when applied before encryption.
745
746config CRYPTO_PCBC
747	tristate "PCBC (Propagating Cipher Block Chaining)"
748	select CRYPTO_SKCIPHER
749	select CRYPTO_MANAGER
750	help
751	  PCBC (Propagating Cipher Block Chaining) mode
752
753	  This block cipher mode is required for RxRPC.
754
755config CRYPTO_XCTR
756	tristate
757	select CRYPTO_SKCIPHER
758	select CRYPTO_MANAGER
759	help
760	  XCTR (XOR Counter) mode for HCTR2
761
762	  This blockcipher mode is a variant of CTR mode using XORs and little-endian
763	  addition rather than big-endian arithmetic.
764
765	  XCTR mode is used to implement HCTR2.
766
767config CRYPTO_XTS
768	tristate "XTS (XOR Encrypt XOR with ciphertext stealing)"
769	select CRYPTO_SKCIPHER
770	select CRYPTO_MANAGER
771	select CRYPTO_ECB
772	help
773	  XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
774	  and IEEE 1619)
775
776	  Use with aes-xts-plain, key size 256, 384 or 512 bits. This
777	  implementation currently can't handle a sectorsize which is not a
778	  multiple of 16 bytes.
779
780config CRYPTO_NHPOLY1305
781	tristate
782	select CRYPTO_HASH
783	select CRYPTO_LIB_POLY1305_GENERIC
784
785endmenu
786
787menu "AEAD (authenticated encryption with associated data) ciphers"
788
789config CRYPTO_AEGIS128
790	tristate "AEGIS-128"
791	select CRYPTO_AEAD
792	select CRYPTO_AES  # for AES S-box tables
793	help
794	  AEGIS-128 AEAD algorithm
795
796config CRYPTO_AEGIS128_SIMD
797	bool "AEGIS-128 (arm NEON, arm64 NEON)"
798	depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
799	default y
800	help
801	  AEGIS-128 AEAD algorithm
802
803	  Architecture: arm or arm64 using:
804	  - NEON (Advanced SIMD) extension
805
806config CRYPTO_CHACHA20POLY1305
807	tristate "ChaCha20-Poly1305"
808	select CRYPTO_CHACHA20
809	select CRYPTO_POLY1305
810	select CRYPTO_AEAD
811	select CRYPTO_MANAGER
812	help
813	  ChaCha20 stream cipher and Poly1305 authenticator combined
814	  mode (RFC8439)
815
816config CRYPTO_CCM
817	tristate "CCM (Counter with Cipher Block Chaining-MAC)"
818	select CRYPTO_CTR
819	select CRYPTO_HASH
820	select CRYPTO_AEAD
821	select CRYPTO_MANAGER
822	help
823	  CCM (Counter with Cipher Block Chaining-Message Authentication Code)
824	  authenticated encryption mode (NIST SP800-38C)
825
826config CRYPTO_GCM
827	tristate "GCM (Galois/Counter Mode) and GMAC (GCM MAC)"
828	select CRYPTO_CTR
829	select CRYPTO_AEAD
830	select CRYPTO_GHASH
831	select CRYPTO_NULL
832	select CRYPTO_MANAGER
833	help
834	  GCM (Galois/Counter Mode) authenticated encryption mode and GMAC
835	  (GCM Message Authentication Code) (NIST SP800-38D)
836
837	  This is required for IPSec ESP (XFRM_ESP).
838
839config CRYPTO_SEQIV
840	tristate "Sequence Number IV Generator"
841	select CRYPTO_AEAD
842	select CRYPTO_SKCIPHER
843	select CRYPTO_NULL
844	select CRYPTO_RNG_DEFAULT
845	select CRYPTO_MANAGER
846	help
847	  Sequence Number IV generator
848
849	  This IV generator generates an IV based on a sequence number by
850	  xoring it with a salt.  This algorithm is mainly useful for CTR.
851
852	  This is required for IPsec ESP (XFRM_ESP).
853
854config CRYPTO_ECHAINIV
855	tristate "Encrypted Chain IV Generator"
856	select CRYPTO_AEAD
857	select CRYPTO_NULL
858	select CRYPTO_RNG_DEFAULT
859	select CRYPTO_MANAGER
860	help
861	  Encrypted Chain IV generator
862
863	  This IV generator generates an IV based on the encryption of
864	  a sequence number xored with a salt.  This is the default
865	  algorithm for CBC.
866
867config CRYPTO_ESSIV
868	tristate "Encrypted Salt-Sector IV Generator"
869	select CRYPTO_AUTHENC
870	help
871	  Encrypted Salt-Sector IV generator
872
873	  This IV generator is used in some cases by fscrypt and/or
874	  dm-crypt. It uses the hash of the block encryption key as the
875	  symmetric key for a block encryption pass applied to the input
876	  IV, making low entropy IV sources more suitable for block
877	  encryption.
878
879	  This driver implements a crypto API template that can be
880	  instantiated either as an skcipher or as an AEAD (depending on the
881	  type of the first template argument), and which defers encryption
882	  and decryption requests to the encapsulated cipher after applying
883	  ESSIV to the input IV. Note that in the AEAD case, it is assumed
884	  that the keys are presented in the same format used by the authenc
885	  template, and that the IV appears at the end of the authenticated
886	  associated data (AAD) region (which is how dm-crypt uses it.)
887
888	  Note that the use of ESSIV is not recommended for new deployments,
889	  and so this only needs to be enabled when interoperability with
890	  existing encrypted volumes of filesystems is required, or when
891	  building for a particular system that requires it (e.g., when
892	  the SoC in question has accelerated CBC but not XTS, making CBC
893	  combined with ESSIV the only feasible mode for h/w accelerated
894	  block encryption)
895
896endmenu
897
898menu "Hashes, digests, and MACs"
899
900config CRYPTO_BLAKE2B
901	tristate "BLAKE2b"
902	select CRYPTO_HASH
903	help
904	  BLAKE2b cryptographic hash function (RFC 7693)
905
906	  BLAKE2b is optimized for 64-bit platforms and can produce digests
907	  of any size between 1 and 64 bytes. The keyed hash is also implemented.
908
909	  This module provides the following algorithms:
910	  - blake2b-160
911	  - blake2b-256
912	  - blake2b-384
913	  - blake2b-512
914
915	  Used by the btrfs filesystem.
916
917	  See https://blake2.net for further information.
918
919config CRYPTO_CMAC
920	tristate "CMAC (Cipher-based MAC)"
921	select CRYPTO_HASH
922	select CRYPTO_MANAGER
923	help
924	  CMAC (Cipher-based Message Authentication Code) authentication
925	  mode (NIST SP800-38B and IETF RFC4493)
926
927config CRYPTO_GHASH
928	tristate "GHASH"
929	select CRYPTO_GF128MUL
930	select CRYPTO_HASH
931	help
932	  GCM GHASH function (NIST SP800-38D)
933
934config CRYPTO_HMAC
935	tristate "HMAC (Keyed-Hash MAC)"
936	select CRYPTO_HASH
937	select CRYPTO_MANAGER
938	help
939	  HMAC (Keyed-Hash Message Authentication Code) (FIPS 198 and
940	  RFC2104)
941
942	  This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
943
944config CRYPTO_MD4
945	tristate "MD4"
946	select CRYPTO_HASH
947	help
948	  MD4 message digest algorithm (RFC1320)
949
950config CRYPTO_MD5
951	tristate "MD5"
952	select CRYPTO_HASH
953	help
954	  MD5 message digest algorithm (RFC1321)
955
956config CRYPTO_MICHAEL_MIC
957	tristate "Michael MIC"
958	select CRYPTO_HASH
959	help
960	  Michael MIC (Message Integrity Code) (IEEE 802.11i)
961
962	  Defined by the IEEE 802.11i TKIP (Temporal Key Integrity Protocol),
963	  known as WPA (Wif-Fi Protected Access).
964
965	  This algorithm is required for TKIP, but it should not be used for
966	  other purposes because of the weakness of the algorithm.
967
968config CRYPTO_POLYVAL
969	tristate
970	select CRYPTO_GF128MUL
971	select CRYPTO_HASH
972	help
973	  POLYVAL hash function for HCTR2
974
975	  This is used in HCTR2.  It is not a general-purpose
976	  cryptographic hash function.
977
978config CRYPTO_POLY1305
979	tristate "Poly1305"
980	select CRYPTO_HASH
981	select CRYPTO_LIB_POLY1305_GENERIC
982	help
983	  Poly1305 authenticator algorithm (RFC7539)
984
985	  Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
986	  It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
987	  in IETF protocols. This is the portable C implementation of Poly1305.
988
989config CRYPTO_RMD160
990	tristate "RIPEMD-160"
991	select CRYPTO_HASH
992	help
993	  RIPEMD-160 hash function (ISO/IEC 10118-3)
994
995	  RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
996	  to be used as a secure replacement for the 128-bit hash functions
997	  MD4, MD5 and its predecessor RIPEMD
998	  (not to be confused with RIPEMD-128).
999
1000	  Its speed is comparable to SHA-1 and there are no known attacks
1001	  against RIPEMD-160.
1002
1003	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
1004	  See https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
1005	  for further information.
1006
1007config CRYPTO_SHA1
1008	tristate "SHA-1"
1009	select CRYPTO_HASH
1010	select CRYPTO_LIB_SHA1
1011	help
1012	  SHA-1 secure hash algorithm (FIPS 180, ISO/IEC 10118-3)
1013
1014config CRYPTO_SHA256
1015	tristate "SHA-224 and SHA-256"
1016	select CRYPTO_HASH
1017	select CRYPTO_LIB_SHA256
1018	help
1019	  SHA-224 and SHA-256 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
1020
1021	  This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
1022	  Used by the btrfs filesystem, Ceph, NFS, and SMB.
1023
1024config CRYPTO_SHA512
1025	tristate "SHA-384 and SHA-512"
1026	select CRYPTO_HASH
1027	help
1028	  SHA-384 and SHA-512 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
1029
1030config CRYPTO_SHA3
1031	tristate "SHA-3"
1032	select CRYPTO_HASH
1033	help
1034	  SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3)
1035
1036config CRYPTO_SM3
1037	tristate
1038
1039config CRYPTO_SM3_GENERIC
1040	tristate "SM3 (ShangMi 3)"
1041	select CRYPTO_HASH
1042	select CRYPTO_SM3
1043	help
1044	  SM3 (ShangMi 3) secure hash function (OSCCA GM/T 0004-2012, ISO/IEC 10118-3)
1045
1046	  This is part of the Chinese Commercial Cryptography suite.
1047
1048	  References:
1049	  http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
1050	  https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
1051
1052config CRYPTO_STREEBOG
1053	tristate "Streebog"
1054	select CRYPTO_HASH
1055	help
1056	  Streebog Hash Function (GOST R 34.11-2012, RFC 6986, ISO/IEC 10118-3)
1057
1058	  This is one of the Russian cryptographic standard algorithms (called
1059	  GOST algorithms). This setting enables two hash algorithms with
1060	  256 and 512 bits output.
1061
1062	  References:
1063	  https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1064	  https://tools.ietf.org/html/rfc6986
1065
1066config CRYPTO_VMAC
1067	tristate "VMAC"
1068	select CRYPTO_HASH
1069	select CRYPTO_MANAGER
1070	help
1071	  VMAC is a message authentication algorithm designed for
1072	  very high speed on 64-bit architectures.
1073
1074	  See https://fastcrypto.org/vmac for further information.
1075
1076config CRYPTO_WP512
1077	tristate "Whirlpool"
1078	select CRYPTO_HASH
1079	help
1080	  Whirlpool hash function (ISO/IEC 10118-3)
1081
1082	  512, 384 and 256-bit hashes.
1083
1084	  Whirlpool-512 is part of the NESSIE cryptographic primitives.
1085
1086	  See https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
1087	  for further information.
1088
1089config CRYPTO_XCBC
1090	tristate "XCBC-MAC (Extended Cipher Block Chaining MAC)"
1091	select CRYPTO_HASH
1092	select CRYPTO_MANAGER
1093	help
1094	  XCBC-MAC (Extended Cipher Block Chaining Message Authentication
1095	  Code) (RFC3566)
1096
1097config CRYPTO_XXHASH
1098	tristate "xxHash"
1099	select CRYPTO_HASH
1100	select XXHASH
1101	help
1102	  xxHash non-cryptographic hash algorithm
1103
1104	  Extremely fast, working at speeds close to RAM limits.
1105
1106	  Used by the btrfs filesystem.
1107
1108endmenu
1109
1110menu "CRCs (cyclic redundancy checks)"
1111
1112config CRYPTO_CRC32C
1113	tristate "CRC32c"
1114	select CRYPTO_HASH
1115	select CRC32
1116	help
1117	  CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720)
1118
1119	  A 32-bit CRC (cyclic redundancy check) with a polynomial defined
1120	  by G. Castagnoli, S. Braeuer and M. Herrman in "Optimization of Cyclic
1121	  Redundancy-Check Codes with 24 and 32 Parity Bits", IEEE Transactions
1122	  on Communications, Vol. 41, No. 6, June 1993, selected for use with
1123	  iSCSI.
1124
1125	  Used by btrfs, ext4, jbd2, NVMeoF/TCP, and iSCSI.
1126
1127config CRYPTO_CRC32
1128	tristate "CRC32"
1129	select CRYPTO_HASH
1130	select CRC32
1131	help
1132	  CRC32 CRC algorithm (IEEE 802.3)
1133
1134	  Used by RoCEv2 and f2fs.
1135
1136config CRYPTO_CRCT10DIF
1137	tristate "CRCT10DIF"
1138	select CRYPTO_HASH
1139	help
1140	  CRC16 CRC algorithm used for the T10 (SCSI) Data Integrity Field (DIF)
1141
1142	  CRC algorithm used by the SCSI Block Commands standard.
1143
1144config CRYPTO_CRC64_ROCKSOFT
1145	tristate "CRC64 based on Rocksoft Model algorithm"
1146	depends on CRC64
1147	select CRYPTO_HASH
1148	help
1149	  CRC64 CRC algorithm based on the Rocksoft Model CRC Algorithm
1150
1151	  Used by the NVMe implementation of T10 DIF (BLK_DEV_INTEGRITY)
1152
1153	  See https://zlib.net/crc_v3.txt
1154
1155endmenu
1156
1157menu "Compression"
1158
1159config CRYPTO_DEFLATE
1160	tristate "Deflate"
1161	select CRYPTO_ALGAPI
1162	select CRYPTO_ACOMP2
1163	select ZLIB_INFLATE
1164	select ZLIB_DEFLATE
1165	help
1166	  Deflate compression algorithm (RFC1951)
1167
1168	  Used by IPSec with the IPCOMP protocol (RFC3173, RFC2394)
1169
1170config CRYPTO_LZO
1171	tristate "LZO"
1172	select CRYPTO_ALGAPI
1173	select CRYPTO_ACOMP2
1174	select LZO_COMPRESS
1175	select LZO_DECOMPRESS
1176	help
1177	  LZO compression algorithm
1178
1179	  See https://www.oberhumer.com/opensource/lzo/ for further information.
1180
1181config CRYPTO_842
1182	tristate "842"
1183	select CRYPTO_ALGAPI
1184	select CRYPTO_ACOMP2
1185	select 842_COMPRESS
1186	select 842_DECOMPRESS
1187	help
1188	  842 compression algorithm by IBM
1189
1190	  See https://github.com/plauth/lib842 for further information.
1191
1192config CRYPTO_LZ4
1193	tristate "LZ4"
1194	select CRYPTO_ALGAPI
1195	select CRYPTO_ACOMP2
1196	select LZ4_COMPRESS
1197	select LZ4_DECOMPRESS
1198	help
1199	  LZ4 compression algorithm
1200
1201	  See https://github.com/lz4/lz4 for further information.
1202
1203config CRYPTO_LZ4HC
1204	tristate "LZ4HC"
1205	select CRYPTO_ALGAPI
1206	select CRYPTO_ACOMP2
1207	select LZ4HC_COMPRESS
1208	select LZ4_DECOMPRESS
1209	help
1210	  LZ4 high compression mode algorithm
1211
1212	  See https://github.com/lz4/lz4 for further information.
1213
1214config CRYPTO_ZSTD
1215	tristate "Zstd"
1216	select CRYPTO_ALGAPI
1217	select CRYPTO_ACOMP2
1218	select ZSTD_COMPRESS
1219	select ZSTD_DECOMPRESS
1220	help
1221	  zstd compression algorithm
1222
1223	  See https://github.com/facebook/zstd for further information.
1224
1225endmenu
1226
1227menu "Random number generation"
1228
1229config CRYPTO_ANSI_CPRNG
1230	tristate "ANSI PRNG (Pseudo Random Number Generator)"
1231	select CRYPTO_AES
1232	select CRYPTO_RNG
1233	help
1234	  Pseudo RNG (random number generator) (ANSI X9.31 Appendix A.2.4)
1235
1236	  This uses the AES cipher algorithm.
1237
1238	  Note that this option must be enabled if CRYPTO_FIPS is selected
1239
1240menuconfig CRYPTO_DRBG_MENU
1241	tristate "NIST SP800-90A DRBG (Deterministic Random Bit Generator)"
1242	help
1243	  DRBG (Deterministic Random Bit Generator) (NIST SP800-90A)
1244
1245	  In the following submenu, one or more of the DRBG types must be selected.
1246
1247if CRYPTO_DRBG_MENU
1248
1249config CRYPTO_DRBG_HMAC
1250	bool
1251	default y
1252	select CRYPTO_HMAC
1253	select CRYPTO_SHA512
1254
1255config CRYPTO_DRBG_HASH
1256	bool "Hash_DRBG"
1257	select CRYPTO_SHA256
1258	help
1259	  Hash_DRBG variant as defined in NIST SP800-90A.
1260
1261	  This uses the SHA-1, SHA-256, SHA-384, or SHA-512 hash algorithms.
1262
1263config CRYPTO_DRBG_CTR
1264	bool "CTR_DRBG"
1265	select CRYPTO_AES
1266	select CRYPTO_CTR
1267	help
1268	  CTR_DRBG variant as defined in NIST SP800-90A.
1269
1270	  This uses the AES cipher algorithm with the counter block mode.
1271
1272config CRYPTO_DRBG
1273	tristate
1274	default CRYPTO_DRBG_MENU
1275	select CRYPTO_RNG
1276	select CRYPTO_JITTERENTROPY
1277
1278endif	# if CRYPTO_DRBG_MENU
1279
1280config CRYPTO_JITTERENTROPY
1281	tristate "CPU Jitter Non-Deterministic RNG (Random Number Generator)"
1282	select CRYPTO_RNG
1283	help
1284	  CPU Jitter RNG (Random Number Generator) from the Jitterentropy library
1285
1286	  A non-physical non-deterministic ("true") RNG (e.g., an entropy source
1287	  compliant with NIST SP800-90B) intended to provide a seed to a
1288	  deterministic RNG (e.g.  per NIST SP800-90C).
1289	  This RNG does not perform any cryptographic whitening of the generated
1290
1291	  See https://www.chronox.de/jent.html
1292
1293config CRYPTO_KDF800108_CTR
1294	tristate
1295	select CRYPTO_HMAC
1296	select CRYPTO_SHA256
1297
1298endmenu
1299menu "Userspace interface"
1300
1301config CRYPTO_USER_API
1302	tristate
1303
1304config CRYPTO_USER_API_HASH
1305	tristate "Hash algorithms"
1306	depends on NET
1307	select CRYPTO_HASH
1308	select CRYPTO_USER_API
1309	help
1310	  Enable the userspace interface for hash algorithms.
1311
1312	  See Documentation/crypto/userspace-if.rst and
1313	  https://www.chronox.de/libkcapi/html/index.html
1314
1315config CRYPTO_USER_API_SKCIPHER
1316	tristate "Symmetric key cipher algorithms"
1317	depends on NET
1318	select CRYPTO_SKCIPHER
1319	select CRYPTO_USER_API
1320	help
1321	  Enable the userspace interface for symmetric key cipher algorithms.
1322
1323	  See Documentation/crypto/userspace-if.rst and
1324	  https://www.chronox.de/libkcapi/html/index.html
1325
1326config CRYPTO_USER_API_RNG
1327	tristate "RNG (random number generator) algorithms"
1328	depends on NET
1329	select CRYPTO_RNG
1330	select CRYPTO_USER_API
1331	help
1332	  Enable the userspace interface for RNG (random number generator)
1333	  algorithms.
1334
1335	  See Documentation/crypto/userspace-if.rst and
1336	  https://www.chronox.de/libkcapi/html/index.html
1337
1338config CRYPTO_USER_API_RNG_CAVP
1339	bool "Enable CAVP testing of DRBG"
1340	depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
1341	help
1342	  Enable extra APIs in the userspace interface for NIST CAVP
1343	  (Cryptographic Algorithm Validation Program) testing:
1344	  - resetting DRBG entropy
1345	  - providing Additional Data
1346
1347	  This should only be enabled for CAVP testing. You should say
1348	  no unless you know what this is.
1349
1350config CRYPTO_USER_API_AEAD
1351	tristate "AEAD cipher algorithms"
1352	depends on NET
1353	select CRYPTO_AEAD
1354	select CRYPTO_SKCIPHER
1355	select CRYPTO_NULL
1356	select CRYPTO_USER_API
1357	help
1358	  Enable the userspace interface for AEAD cipher algorithms.
1359
1360	  See Documentation/crypto/userspace-if.rst and
1361	  https://www.chronox.de/libkcapi/html/index.html
1362
1363config CRYPTO_USER_API_ENABLE_OBSOLETE
1364	bool "Obsolete cryptographic algorithms"
1365	depends on CRYPTO_USER_API
1366	default y
1367	help
1368	  Allow obsolete cryptographic algorithms to be selected that have
1369	  already been phased out from internal use by the kernel, and are
1370	  only useful for userspace clients that still rely on them.
1371
1372config CRYPTO_STATS
1373	bool "Crypto usage statistics"
1374	depends on CRYPTO_USER
1375	help
1376	  Enable the gathering of crypto stats.
1377
1378	  This collects data sizes, numbers of requests, and numbers
1379	  of errors processed by:
1380	  - AEAD ciphers (encrypt, decrypt)
1381	  - asymmetric key ciphers (encrypt, decrypt, verify, sign)
1382	  - symmetric key ciphers (encrypt, decrypt)
1383	  - compression algorithms (compress, decompress)
1384	  - hash algorithms (hash)
1385	  - key-agreement protocol primitives (setsecret, generate
1386	    public key, compute shared secret)
1387	  - RNG (generate, seed)
1388
1389endmenu
1390
1391config CRYPTO_HASH_INFO
1392	bool
1393
1394if !KMSAN # avoid false positives from assembly
1395if ARM
1396source "arch/arm/crypto/Kconfig"
1397endif
1398if ARM64
1399source "arch/arm64/crypto/Kconfig"
1400endif
1401if MIPS
1402source "arch/mips/crypto/Kconfig"
1403endif
1404if PPC
1405source "arch/powerpc/crypto/Kconfig"
1406endif
1407if S390
1408source "arch/s390/crypto/Kconfig"
1409endif
1410if SPARC
1411source "arch/sparc/crypto/Kconfig"
1412endif
1413if X86
1414source "arch/x86/crypto/Kconfig"
1415endif
1416endif
1417
1418source "drivers/crypto/Kconfig"
1419source "crypto/asymmetric_keys/Kconfig"
1420source "certs/Kconfig"
1421
1422endif	# if CRYPTO
1423