xref: /openbmc/linux/crypto/Kconfig (revision 2540d3c9)
1# SPDX-License-Identifier: GPL-2.0
2#
3# Generic algorithms support
4#
5config XOR_BLOCKS
6	tristate
7
8#
9# async_tx api: hardware offloaded memory transfer/transform support
10#
11source "crypto/async_tx/Kconfig"
12
13#
14# Cryptographic API Configuration
15#
16menuconfig CRYPTO
17	tristate "Cryptographic API"
18	select LIB_MEMNEQ
19	help
20	  This option provides the core Cryptographic API.
21
22if CRYPTO
23
24comment "Crypto core or helper"
25
26config CRYPTO_FIPS
27	bool "FIPS 200 compliance"
28	depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
29	depends on (MODULE_SIG || !MODULES)
30	help
31	  This option enables the fips boot option which is
32	  required if you want the system to operate in a FIPS 200
33	  certification.  You should say no unless you know what
34	  this is.
35
36config CRYPTO_ALGAPI
37	tristate
38	select CRYPTO_ALGAPI2
39	help
40	  This option provides the API for cryptographic algorithms.
41
42config CRYPTO_ALGAPI2
43	tristate
44
45config CRYPTO_AEAD
46	tristate
47	select CRYPTO_AEAD2
48	select CRYPTO_ALGAPI
49
50config CRYPTO_AEAD2
51	tristate
52	select CRYPTO_ALGAPI2
53	select CRYPTO_NULL2
54	select CRYPTO_RNG2
55
56config CRYPTO_SKCIPHER
57	tristate
58	select CRYPTO_SKCIPHER2
59	select CRYPTO_ALGAPI
60
61config CRYPTO_SKCIPHER2
62	tristate
63	select CRYPTO_ALGAPI2
64	select CRYPTO_RNG2
65
66config CRYPTO_HASH
67	tristate
68	select CRYPTO_HASH2
69	select CRYPTO_ALGAPI
70
71config CRYPTO_HASH2
72	tristate
73	select CRYPTO_ALGAPI2
74
75config CRYPTO_RNG
76	tristate
77	select CRYPTO_RNG2
78	select CRYPTO_ALGAPI
79
80config CRYPTO_RNG2
81	tristate
82	select CRYPTO_ALGAPI2
83
84config CRYPTO_RNG_DEFAULT
85	tristate
86	select CRYPTO_DRBG_MENU
87
88config CRYPTO_AKCIPHER2
89	tristate
90	select CRYPTO_ALGAPI2
91
92config CRYPTO_AKCIPHER
93	tristate
94	select CRYPTO_AKCIPHER2
95	select CRYPTO_ALGAPI
96
97config CRYPTO_KPP2
98	tristate
99	select CRYPTO_ALGAPI2
100
101config CRYPTO_KPP
102	tristate
103	select CRYPTO_ALGAPI
104	select CRYPTO_KPP2
105
106config CRYPTO_ACOMP2
107	tristate
108	select CRYPTO_ALGAPI2
109	select SGL_ALLOC
110
111config CRYPTO_ACOMP
112	tristate
113	select CRYPTO_ALGAPI
114	select CRYPTO_ACOMP2
115
116config CRYPTO_MANAGER
117	tristate "Cryptographic algorithm manager"
118	select CRYPTO_MANAGER2
119	help
120	  Create default cryptographic template instantiations such as
121	  cbc(aes).
122
123config CRYPTO_MANAGER2
124	def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
125	select CRYPTO_AEAD2
126	select CRYPTO_HASH2
127	select CRYPTO_SKCIPHER2
128	select CRYPTO_AKCIPHER2
129	select CRYPTO_KPP2
130	select CRYPTO_ACOMP2
131
132config CRYPTO_USER
133	tristate "Userspace cryptographic algorithm configuration"
134	depends on NET
135	select CRYPTO_MANAGER
136	help
137	  Userspace configuration for cryptographic instantiations such as
138	  cbc(aes).
139
140config CRYPTO_MANAGER_DISABLE_TESTS
141	bool "Disable run-time self tests"
142	default y
143	help
144	  Disable run-time self tests that normally take place at
145	  algorithm registration.
146
147config CRYPTO_MANAGER_EXTRA_TESTS
148	bool "Enable extra run-time crypto self tests"
149	depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER
150	help
151	  Enable extra run-time self tests of registered crypto algorithms,
152	  including randomized fuzz tests.
153
154	  This is intended for developer use only, as these tests take much
155	  longer to run than the normal self tests.
156
157config CRYPTO_GF128MUL
158	tristate
159
160config CRYPTO_NULL
161	tristate "Null algorithms"
162	select CRYPTO_NULL2
163	help
164	  These are 'Null' algorithms, used by IPsec, which do nothing.
165
166config CRYPTO_NULL2
167	tristate
168	select CRYPTO_ALGAPI2
169	select CRYPTO_SKCIPHER2
170	select CRYPTO_HASH2
171
172config CRYPTO_PCRYPT
173	tristate "Parallel crypto engine"
174	depends on SMP
175	select PADATA
176	select CRYPTO_MANAGER
177	select CRYPTO_AEAD
178	help
179	  This converts an arbitrary crypto algorithm into a parallel
180	  algorithm that executes in kernel threads.
181
182config CRYPTO_CRYPTD
183	tristate "Software async crypto daemon"
184	select CRYPTO_SKCIPHER
185	select CRYPTO_HASH
186	select CRYPTO_MANAGER
187	help
188	  This is a generic software asynchronous crypto daemon that
189	  converts an arbitrary synchronous software crypto algorithm
190	  into an asynchronous algorithm that executes in a kernel thread.
191
192config CRYPTO_AUTHENC
193	tristate "Authenc support"
194	select CRYPTO_AEAD
195	select CRYPTO_SKCIPHER
196	select CRYPTO_MANAGER
197	select CRYPTO_HASH
198	select CRYPTO_NULL
199	help
200	  Authenc: Combined mode wrapper for IPsec.
201	  This is required for IPSec.
202
203config CRYPTO_TEST
204	tristate "Testing module"
205	depends on m || EXPERT
206	select CRYPTO_MANAGER
207	help
208	  Quick & dirty crypto test module.
209
210config CRYPTO_SIMD
211	tristate
212	select CRYPTO_CRYPTD
213
214config CRYPTO_ENGINE
215	tristate
216
217comment "Public-key cryptography"
218
219config CRYPTO_RSA
220	tristate "RSA algorithm"
221	select CRYPTO_AKCIPHER
222	select CRYPTO_MANAGER
223	select MPILIB
224	select ASN1
225	help
226	  Generic implementation of the RSA public key algorithm.
227
228config CRYPTO_DH
229	tristate "Diffie-Hellman algorithm"
230	select CRYPTO_KPP
231	select MPILIB
232	help
233	  Generic implementation of the Diffie-Hellman algorithm.
234
235config CRYPTO_DH_RFC7919_GROUPS
236	bool "Support for RFC 7919 FFDHE group parameters"
237	depends on CRYPTO_DH
238	select CRYPTO_RNG_DEFAULT
239	help
240	  Provide support for RFC 7919 FFDHE group parameters. If unsure, say N.
241
242config CRYPTO_ECC
243	tristate
244	select CRYPTO_RNG_DEFAULT
245
246config CRYPTO_ECDH
247	tristate "ECDH algorithm"
248	select CRYPTO_ECC
249	select CRYPTO_KPP
250	help
251	  Generic implementation of the ECDH algorithm
252
253config CRYPTO_ECDSA
254	tristate "ECDSA (NIST P192, P256 etc.) algorithm"
255	select CRYPTO_ECC
256	select CRYPTO_AKCIPHER
257	select ASN1
258	help
259	  Elliptic Curve Digital Signature Algorithm (NIST P192, P256 etc.)
260	  is A NIST cryptographic standard algorithm. Only signature verification
261	  is implemented.
262
263config CRYPTO_ECRDSA
264	tristate "EC-RDSA (GOST 34.10) algorithm"
265	select CRYPTO_ECC
266	select CRYPTO_AKCIPHER
267	select CRYPTO_STREEBOG
268	select OID_REGISTRY
269	select ASN1
270	help
271	  Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
272	  RFC 7091, ISO/IEC 14888-3:2018) is one of the Russian cryptographic
273	  standard algorithms (called GOST algorithms). Only signature verification
274	  is implemented.
275
276config CRYPTO_SM2
277	tristate "SM2 algorithm"
278	select CRYPTO_SM3
279	select CRYPTO_AKCIPHER
280	select CRYPTO_MANAGER
281	select MPILIB
282	select ASN1
283	help
284	  Generic implementation of the SM2 public key algorithm. It was
285	  published by State Encryption Management Bureau, China.
286	  as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012.
287
288	  References:
289	  https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02
290	  http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml
291	  http://www.gmbz.org.cn/main/bzlb.html
292
293config CRYPTO_CURVE25519
294	tristate "Curve25519 algorithm"
295	select CRYPTO_KPP
296	select CRYPTO_LIB_CURVE25519_GENERIC
297
298config CRYPTO_CURVE25519_X86
299	tristate "x86_64 accelerated Curve25519 scalar multiplication library"
300	depends on X86 && 64BIT
301	select CRYPTO_LIB_CURVE25519_GENERIC
302	select CRYPTO_ARCH_HAVE_LIB_CURVE25519
303
304comment "Authenticated Encryption with Associated Data"
305
306config CRYPTO_CCM
307	tristate "CCM support"
308	select CRYPTO_CTR
309	select CRYPTO_HASH
310	select CRYPTO_AEAD
311	select CRYPTO_MANAGER
312	help
313	  Support for Counter with CBC MAC. Required for IPsec.
314
315config CRYPTO_GCM
316	tristate "GCM/GMAC support"
317	select CRYPTO_CTR
318	select CRYPTO_AEAD
319	select CRYPTO_GHASH
320	select CRYPTO_NULL
321	select CRYPTO_MANAGER
322	help
323	  Support for Galois/Counter Mode (GCM) and Galois Message
324	  Authentication Code (GMAC). Required for IPSec.
325
326config CRYPTO_CHACHA20POLY1305
327	tristate "ChaCha20-Poly1305 AEAD support"
328	select CRYPTO_CHACHA20
329	select CRYPTO_POLY1305
330	select CRYPTO_AEAD
331	select CRYPTO_MANAGER
332	help
333	  ChaCha20-Poly1305 AEAD support, RFC7539.
334
335	  Support for the AEAD wrapper using the ChaCha20 stream cipher combined
336	  with the Poly1305 authenticator. It is defined in RFC7539 for use in
337	  IETF protocols.
338
339config CRYPTO_AEGIS128
340	tristate "AEGIS-128 AEAD algorithm"
341	select CRYPTO_AEAD
342	select CRYPTO_AES  # for AES S-box tables
343	help
344	 Support for the AEGIS-128 dedicated AEAD algorithm.
345
346config CRYPTO_AEGIS128_SIMD
347	bool "Support SIMD acceleration for AEGIS-128"
348	depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
349	default y
350
351config CRYPTO_AEGIS128_AESNI_SSE2
352	tristate "AEGIS-128 AEAD algorithm (x86_64 AESNI+SSE2 implementation)"
353	depends on X86 && 64BIT
354	select CRYPTO_AEAD
355	select CRYPTO_SIMD
356	help
357	 AESNI+SSE2 implementation of the AEGIS-128 dedicated AEAD algorithm.
358
359config CRYPTO_SEQIV
360	tristate "Sequence Number IV Generator"
361	select CRYPTO_AEAD
362	select CRYPTO_SKCIPHER
363	select CRYPTO_NULL
364	select CRYPTO_RNG_DEFAULT
365	select CRYPTO_MANAGER
366	help
367	  This IV generator generates an IV based on a sequence number by
368	  xoring it with a salt.  This algorithm is mainly useful for CTR
369
370config CRYPTO_ECHAINIV
371	tristate "Encrypted Chain IV Generator"
372	select CRYPTO_AEAD
373	select CRYPTO_NULL
374	select CRYPTO_RNG_DEFAULT
375	select CRYPTO_MANAGER
376	help
377	  This IV generator generates an IV based on the encryption of
378	  a sequence number xored with a salt.  This is the default
379	  algorithm for CBC.
380
381comment "Block modes"
382
383config CRYPTO_CBC
384	tristate "CBC support"
385	select CRYPTO_SKCIPHER
386	select CRYPTO_MANAGER
387	help
388	  CBC: Cipher Block Chaining mode
389	  This block cipher algorithm is required for IPSec.
390
391config CRYPTO_CFB
392	tristate "CFB support"
393	select CRYPTO_SKCIPHER
394	select CRYPTO_MANAGER
395	help
396	  CFB: Cipher FeedBack mode
397	  This block cipher algorithm is required for TPM2 Cryptography.
398
399config CRYPTO_CTR
400	tristate "CTR support"
401	select CRYPTO_SKCIPHER
402	select CRYPTO_MANAGER
403	help
404	  CTR: Counter mode
405	  This block cipher algorithm is required for IPSec.
406
407config CRYPTO_CTS
408	tristate "CTS support"
409	select CRYPTO_SKCIPHER
410	select CRYPTO_MANAGER
411	help
412	  CTS: Cipher Text Stealing
413	  This is the Cipher Text Stealing mode as described by
414	  Section 8 of rfc2040 and referenced by rfc3962
415	  (rfc3962 includes errata information in its Appendix A) or
416	  CBC-CS3 as defined by NIST in Sp800-38A addendum from Oct 2010.
417	  This mode is required for Kerberos gss mechanism support
418	  for AES encryption.
419
420	  See: https://csrc.nist.gov/publications/detail/sp/800-38a/addendum/final
421
422config CRYPTO_ECB
423	tristate "ECB support"
424	select CRYPTO_SKCIPHER
425	select CRYPTO_MANAGER
426	help
427	  ECB: Electronic CodeBook mode
428	  This is the simplest block cipher algorithm.  It simply encrypts
429	  the input block by block.
430
431config CRYPTO_LRW
432	tristate "LRW support"
433	select CRYPTO_SKCIPHER
434	select CRYPTO_MANAGER
435	select CRYPTO_GF128MUL
436	select CRYPTO_ECB
437	help
438	  LRW: Liskov Rivest Wagner, a tweakable, non malleable, non movable
439	  narrow block cipher mode for dm-crypt.  Use it with cipher
440	  specification string aes-lrw-benbi, the key must be 256, 320 or 384.
441	  The first 128, 192 or 256 bits in the key are used for AES and the
442	  rest is used to tie each cipher block to its logical position.
443
444config CRYPTO_OFB
445	tristate "OFB support"
446	select CRYPTO_SKCIPHER
447	select CRYPTO_MANAGER
448	help
449	  OFB: the Output Feedback mode makes a block cipher into a synchronous
450	  stream cipher. It generates keystream blocks, which are then XORed
451	  with the plaintext blocks to get the ciphertext. Flipping a bit in the
452	  ciphertext produces a flipped bit in the plaintext at the same
453	  location. This property allows many error correcting codes to function
454	  normally even when applied before encryption.
455
456config CRYPTO_PCBC
457	tristate "PCBC support"
458	select CRYPTO_SKCIPHER
459	select CRYPTO_MANAGER
460	help
461	  PCBC: Propagating Cipher Block Chaining mode
462	  This block cipher algorithm is required for RxRPC.
463
464config CRYPTO_XTS
465	tristate "XTS support"
466	select CRYPTO_SKCIPHER
467	select CRYPTO_MANAGER
468	select CRYPTO_ECB
469	help
470	  XTS: IEEE1619/D16 narrow block cipher use with aes-xts-plain,
471	  key size 256, 384 or 512 bits. This implementation currently
472	  can't handle a sectorsize which is not a multiple of 16 bytes.
473
474config CRYPTO_KEYWRAP
475	tristate "Key wrapping support"
476	select CRYPTO_SKCIPHER
477	select CRYPTO_MANAGER
478	help
479	  Support for key wrapping (NIST SP800-38F / RFC3394) without
480	  padding.
481
482config CRYPTO_NHPOLY1305
483	tristate
484	select CRYPTO_HASH
485	select CRYPTO_LIB_POLY1305_GENERIC
486
487config CRYPTO_NHPOLY1305_SSE2
488	tristate "NHPoly1305 hash function (x86_64 SSE2 implementation)"
489	depends on X86 && 64BIT
490	select CRYPTO_NHPOLY1305
491	help
492	  SSE2 optimized implementation of the hash function used by the
493	  Adiantum encryption mode.
494
495config CRYPTO_NHPOLY1305_AVX2
496	tristate "NHPoly1305 hash function (x86_64 AVX2 implementation)"
497	depends on X86 && 64BIT
498	select CRYPTO_NHPOLY1305
499	help
500	  AVX2 optimized implementation of the hash function used by the
501	  Adiantum encryption mode.
502
503config CRYPTO_ADIANTUM
504	tristate "Adiantum support"
505	select CRYPTO_CHACHA20
506	select CRYPTO_LIB_POLY1305_GENERIC
507	select CRYPTO_NHPOLY1305
508	select CRYPTO_MANAGER
509	help
510	  Adiantum is a tweakable, length-preserving encryption mode
511	  designed for fast and secure disk encryption, especially on
512	  CPUs without dedicated crypto instructions.  It encrypts
513	  each sector using the XChaCha12 stream cipher, two passes of
514	  an ε-almost-∆-universal hash function, and an invocation of
515	  the AES-256 block cipher on a single 16-byte block.  On CPUs
516	  without AES instructions, Adiantum is much faster than
517	  AES-XTS.
518
519	  Adiantum's security is provably reducible to that of its
520	  underlying stream and block ciphers, subject to a security
521	  bound.  Unlike XTS, Adiantum is a true wide-block encryption
522	  mode, so it actually provides an even stronger notion of
523	  security than XTS, subject to the security bound.
524
525	  If unsure, say N.
526
527config CRYPTO_ESSIV
528	tristate "ESSIV support for block encryption"
529	select CRYPTO_AUTHENC
530	help
531	  Encrypted salt-sector initialization vector (ESSIV) is an IV
532	  generation method that is used in some cases by fscrypt and/or
533	  dm-crypt. It uses the hash of the block encryption key as the
534	  symmetric key for a block encryption pass applied to the input
535	  IV, making low entropy IV sources more suitable for block
536	  encryption.
537
538	  This driver implements a crypto API template that can be
539	  instantiated either as an skcipher or as an AEAD (depending on the
540	  type of the first template argument), and which defers encryption
541	  and decryption requests to the encapsulated cipher after applying
542	  ESSIV to the input IV. Note that in the AEAD case, it is assumed
543	  that the keys are presented in the same format used by the authenc
544	  template, and that the IV appears at the end of the authenticated
545	  associated data (AAD) region (which is how dm-crypt uses it.)
546
547	  Note that the use of ESSIV is not recommended for new deployments,
548	  and so this only needs to be enabled when interoperability with
549	  existing encrypted volumes of filesystems is required, or when
550	  building for a particular system that requires it (e.g., when
551	  the SoC in question has accelerated CBC but not XTS, making CBC
552	  combined with ESSIV the only feasible mode for h/w accelerated
553	  block encryption)
554
555comment "Hash modes"
556
557config CRYPTO_CMAC
558	tristate "CMAC support"
559	select CRYPTO_HASH
560	select CRYPTO_MANAGER
561	help
562	  Cipher-based Message Authentication Code (CMAC) specified by
563	  The National Institute of Standards and Technology (NIST).
564
565	  https://tools.ietf.org/html/rfc4493
566	  http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf
567
568config CRYPTO_HMAC
569	tristate "HMAC support"
570	select CRYPTO_HASH
571	select CRYPTO_MANAGER
572	help
573	  HMAC: Keyed-Hashing for Message Authentication (RFC2104).
574	  This is required for IPSec.
575
576config CRYPTO_XCBC
577	tristate "XCBC support"
578	select CRYPTO_HASH
579	select CRYPTO_MANAGER
580	help
581	  XCBC: Keyed-Hashing with encryption algorithm
582		https://www.ietf.org/rfc/rfc3566.txt
583		http://csrc.nist.gov/encryption/modes/proposedmodes/
584		 xcbc-mac/xcbc-mac-spec.pdf
585
586config CRYPTO_VMAC
587	tristate "VMAC support"
588	select CRYPTO_HASH
589	select CRYPTO_MANAGER
590	help
591	  VMAC is a message authentication algorithm designed for
592	  very high speed on 64-bit architectures.
593
594	  See also:
595	  <https://fastcrypto.org/vmac>
596
597comment "Digest"
598
599config CRYPTO_CRC32C
600	tristate "CRC32c CRC algorithm"
601	select CRYPTO_HASH
602	select CRC32
603	help
604	  Castagnoli, et al Cyclic Redundancy-Check Algorithm.  Used
605	  by iSCSI for header and data digests and by others.
606	  See Castagnoli93.  Module will be crc32c.
607
608config CRYPTO_CRC32C_INTEL
609	tristate "CRC32c INTEL hardware acceleration"
610	depends on X86
611	select CRYPTO_HASH
612	help
613	  In Intel processor with SSE4.2 supported, the processor will
614	  support CRC32C implementation using hardware accelerated CRC32
615	  instruction. This option will create 'crc32c-intel' module,
616	  which will enable any routine to use the CRC32 instruction to
617	  gain performance compared with software implementation.
618	  Module will be crc32c-intel.
619
620config CRYPTO_CRC32C_VPMSUM
621	tristate "CRC32c CRC algorithm (powerpc64)"
622	depends on PPC64 && ALTIVEC
623	select CRYPTO_HASH
624	select CRC32
625	help
626	  CRC32c algorithm implemented using vector polynomial multiply-sum
627	  (vpmsum) instructions, introduced in POWER8. Enable on POWER8
628	  and newer processors for improved performance.
629
630
631config CRYPTO_CRC32C_SPARC64
632	tristate "CRC32c CRC algorithm (SPARC64)"
633	depends on SPARC64
634	select CRYPTO_HASH
635	select CRC32
636	help
637	  CRC32c CRC algorithm implemented using sparc64 crypto instructions,
638	  when available.
639
640config CRYPTO_CRC32
641	tristate "CRC32 CRC algorithm"
642	select CRYPTO_HASH
643	select CRC32
644	help
645	  CRC-32-IEEE 802.3 cyclic redundancy-check algorithm.
646	  Shash crypto api wrappers to crc32_le function.
647
648config CRYPTO_CRC32_PCLMUL
649	tristate "CRC32 PCLMULQDQ hardware acceleration"
650	depends on X86
651	select CRYPTO_HASH
652	select CRC32
653	help
654	  From Intel Westmere and AMD Bulldozer processor with SSE4.2
655	  and PCLMULQDQ supported, the processor will support
656	  CRC32 PCLMULQDQ implementation using hardware accelerated PCLMULQDQ
657	  instruction. This option will create 'crc32-pclmul' module,
658	  which will enable any routine to use the CRC-32-IEEE 802.3 checksum
659	  and gain better performance as compared with the table implementation.
660
661config CRYPTO_CRC32_MIPS
662	tristate "CRC32c and CRC32 CRC algorithm (MIPS)"
663	depends on MIPS_CRC_SUPPORT
664	select CRYPTO_HASH
665	help
666	  CRC32c and CRC32 CRC algorithms implemented using mips crypto
667	  instructions, when available.
668
669config CRYPTO_CRC32_S390
670	tristate "CRC-32 algorithms"
671	depends on S390
672	select CRYPTO_HASH
673	select CRC32
674	help
675	  Select this option if you want to use hardware accelerated
676	  implementations of CRC algorithms.  With this option, you
677	  can optimize the computation of CRC-32 (IEEE 802.3 Ethernet)
678	  and CRC-32C (Castagnoli).
679
680	  It is available with IBM z13 or later.
681
682config CRYPTO_XXHASH
683	tristate "xxHash hash algorithm"
684	select CRYPTO_HASH
685	select XXHASH
686	help
687	  xxHash non-cryptographic hash algorithm. Extremely fast, working at
688	  speeds close to RAM limits.
689
690config CRYPTO_BLAKE2B
691	tristate "BLAKE2b digest algorithm"
692	select CRYPTO_HASH
693	help
694	  Implementation of cryptographic hash function BLAKE2b (or just BLAKE2),
695	  optimized for 64bit platforms and can produce digests of any size
696	  between 1 to 64.  The keyed hash is also implemented.
697
698	  This module provides the following algorithms:
699
700	  - blake2b-160
701	  - blake2b-256
702	  - blake2b-384
703	  - blake2b-512
704
705	  See https://blake2.net for further information.
706
707config CRYPTO_BLAKE2S
708	tristate "BLAKE2s digest algorithm"
709	select CRYPTO_LIB_BLAKE2S_GENERIC
710	select CRYPTO_HASH
711	help
712	  Implementation of cryptographic hash function BLAKE2s
713	  optimized for 8-32bit platforms and can produce digests of any size
714	  between 1 to 32.  The keyed hash is also implemented.
715
716	  This module provides the following algorithms:
717
718	  - blake2s-128
719	  - blake2s-160
720	  - blake2s-224
721	  - blake2s-256
722
723	  See https://blake2.net for further information.
724
725config CRYPTO_BLAKE2S_X86
726	tristate "BLAKE2s digest algorithm (x86 accelerated version)"
727	depends on X86 && 64BIT
728	select CRYPTO_LIB_BLAKE2S_GENERIC
729	select CRYPTO_ARCH_HAVE_LIB_BLAKE2S
730
731config CRYPTO_CRCT10DIF
732	tristate "CRCT10DIF algorithm"
733	select CRYPTO_HASH
734	help
735	  CRC T10 Data Integrity Field computation is being cast as
736	  a crypto transform.  This allows for faster crc t10 diff
737	  transforms to be used if they are available.
738
739config CRYPTO_CRCT10DIF_PCLMUL
740	tristate "CRCT10DIF PCLMULQDQ hardware acceleration"
741	depends on X86 && 64BIT && CRC_T10DIF
742	select CRYPTO_HASH
743	help
744	  For x86_64 processors with SSE4.2 and PCLMULQDQ supported,
745	  CRC T10 DIF PCLMULQDQ computation can be hardware
746	  accelerated PCLMULQDQ instruction. This option will create
747	  'crct10dif-pclmul' module, which is faster when computing the
748	  crct10dif checksum as compared with the generic table implementation.
749
750config CRYPTO_CRCT10DIF_VPMSUM
751	tristate "CRC32T10DIF powerpc64 hardware acceleration"
752	depends on PPC64 && ALTIVEC && CRC_T10DIF
753	select CRYPTO_HASH
754	help
755	  CRC10T10DIF algorithm implemented using vector polynomial
756	  multiply-sum (vpmsum) instructions, introduced in POWER8. Enable on
757	  POWER8 and newer processors for improved performance.
758
759config CRYPTO_CRC64_ROCKSOFT
760	tristate "Rocksoft Model CRC64 algorithm"
761	depends on CRC64
762	select CRYPTO_HASH
763
764config CRYPTO_VPMSUM_TESTER
765	tristate "Powerpc64 vpmsum hardware acceleration tester"
766	depends on CRYPTO_CRCT10DIF_VPMSUM && CRYPTO_CRC32C_VPMSUM
767	help
768	  Stress test for CRC32c and CRC-T10DIF algorithms implemented with
769	  POWER8 vpmsum instructions.
770	  Unless you are testing these algorithms, you don't need this.
771
772config CRYPTO_GHASH
773	tristate "GHASH hash function"
774	select CRYPTO_GF128MUL
775	select CRYPTO_HASH
776	help
777	  GHASH is the hash function used in GCM (Galois/Counter Mode).
778	  It is not a general-purpose cryptographic hash function.
779
780config CRYPTO_POLY1305
781	tristate "Poly1305 authenticator algorithm"
782	select CRYPTO_HASH
783	select CRYPTO_LIB_POLY1305_GENERIC
784	help
785	  Poly1305 authenticator algorithm, RFC7539.
786
787	  Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
788	  It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
789	  in IETF protocols. This is the portable C implementation of Poly1305.
790
791config CRYPTO_POLY1305_X86_64
792	tristate "Poly1305 authenticator algorithm (x86_64/SSE2/AVX2)"
793	depends on X86 && 64BIT
794	select CRYPTO_LIB_POLY1305_GENERIC
795	select CRYPTO_ARCH_HAVE_LIB_POLY1305
796	help
797	  Poly1305 authenticator algorithm, RFC7539.
798
799	  Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
800	  It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
801	  in IETF protocols. This is the x86_64 assembler implementation using SIMD
802	  instructions.
803
804config CRYPTO_POLY1305_MIPS
805	tristate "Poly1305 authenticator algorithm (MIPS optimized)"
806	depends on MIPS
807	select CRYPTO_ARCH_HAVE_LIB_POLY1305
808
809config CRYPTO_MD4
810	tristate "MD4 digest algorithm"
811	select CRYPTO_HASH
812	help
813	  MD4 message digest algorithm (RFC1320).
814
815config CRYPTO_MD5
816	tristate "MD5 digest algorithm"
817	select CRYPTO_HASH
818	help
819	  MD5 message digest algorithm (RFC1321).
820
821config CRYPTO_MD5_OCTEON
822	tristate "MD5 digest algorithm (OCTEON)"
823	depends on CPU_CAVIUM_OCTEON
824	select CRYPTO_MD5
825	select CRYPTO_HASH
826	help
827	  MD5 message digest algorithm (RFC1321) implemented
828	  using OCTEON crypto instructions, when available.
829
830config CRYPTO_MD5_PPC
831	tristate "MD5 digest algorithm (PPC)"
832	depends on PPC
833	select CRYPTO_HASH
834	help
835	  MD5 message digest algorithm (RFC1321) implemented
836	  in PPC assembler.
837
838config CRYPTO_MD5_SPARC64
839	tristate "MD5 digest algorithm (SPARC64)"
840	depends on SPARC64
841	select CRYPTO_MD5
842	select CRYPTO_HASH
843	help
844	  MD5 message digest algorithm (RFC1321) implemented
845	  using sparc64 crypto instructions, when available.
846
847config CRYPTO_MICHAEL_MIC
848	tristate "Michael MIC keyed digest algorithm"
849	select CRYPTO_HASH
850	help
851	  Michael MIC is used for message integrity protection in TKIP
852	  (IEEE 802.11i). This algorithm is required for TKIP, but it
853	  should not be used for other purposes because of the weakness
854	  of the algorithm.
855
856config CRYPTO_RMD160
857	tristate "RIPEMD-160 digest algorithm"
858	select CRYPTO_HASH
859	help
860	  RIPEMD-160 (ISO/IEC 10118-3:2004).
861
862	  RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
863	  to be used as a secure replacement for the 128-bit hash functions
864	  MD4, MD5 and it's predecessor RIPEMD
865	  (not to be confused with RIPEMD-128).
866
867	  It's speed is comparable to SHA1 and there are no known attacks
868	  against RIPEMD-160.
869
870	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
871	  See <https://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
872
873config CRYPTO_SHA1
874	tristate "SHA1 digest algorithm"
875	select CRYPTO_HASH
876	help
877	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2).
878
879config CRYPTO_SHA1_SSSE3
880	tristate "SHA1 digest algorithm (SSSE3/AVX/AVX2/SHA-NI)"
881	depends on X86 && 64BIT
882	select CRYPTO_SHA1
883	select CRYPTO_HASH
884	help
885	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
886	  using Supplemental SSE3 (SSSE3) instructions or Advanced Vector
887	  Extensions (AVX/AVX2) or SHA-NI(SHA Extensions New Instructions),
888	  when available.
889
890config CRYPTO_SHA256_SSSE3
891	tristate "SHA256 digest algorithm (SSSE3/AVX/AVX2/SHA-NI)"
892	depends on X86 && 64BIT
893	select CRYPTO_SHA256
894	select CRYPTO_HASH
895	help
896	  SHA-256 secure hash standard (DFIPS 180-2) implemented
897	  using Supplemental SSE3 (SSSE3) instructions, or Advanced Vector
898	  Extensions version 1 (AVX1), or Advanced Vector Extensions
899	  version 2 (AVX2) instructions, or SHA-NI (SHA Extensions New
900	  Instructions) when available.
901
902config CRYPTO_SHA512_SSSE3
903	tristate "SHA512 digest algorithm (SSSE3/AVX/AVX2)"
904	depends on X86 && 64BIT
905	select CRYPTO_SHA512
906	select CRYPTO_HASH
907	help
908	  SHA-512 secure hash standard (DFIPS 180-2) implemented
909	  using Supplemental SSE3 (SSSE3) instructions, or Advanced Vector
910	  Extensions version 1 (AVX1), or Advanced Vector Extensions
911	  version 2 (AVX2) instructions, when available.
912
913config CRYPTO_SHA512_S390
914	tristate "SHA384 and SHA512 digest algorithm"
915	depends on S390
916	select CRYPTO_HASH
917	help
918	  This is the s390 hardware accelerated implementation of the
919	  SHA512 secure hash standard.
920
921	  It is available as of z10.
922
923config CRYPTO_SHA1_OCTEON
924	tristate "SHA1 digest algorithm (OCTEON)"
925	depends on CPU_CAVIUM_OCTEON
926	select CRYPTO_SHA1
927	select CRYPTO_HASH
928	help
929	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
930	  using OCTEON crypto instructions, when available.
931
932config CRYPTO_SHA1_SPARC64
933	tristate "SHA1 digest algorithm (SPARC64)"
934	depends on SPARC64
935	select CRYPTO_SHA1
936	select CRYPTO_HASH
937	help
938	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
939	  using sparc64 crypto instructions, when available.
940
941config CRYPTO_SHA1_PPC
942	tristate "SHA1 digest algorithm (powerpc)"
943	depends on PPC
944	help
945	  This is the powerpc hardware accelerated implementation of the
946	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2).
947
948config CRYPTO_SHA1_PPC_SPE
949	tristate "SHA1 digest algorithm (PPC SPE)"
950	depends on PPC && SPE
951	help
952	  SHA-1 secure hash standard (DFIPS 180-4) implemented
953	  using powerpc SPE SIMD instruction set.
954
955config CRYPTO_SHA1_S390
956	tristate "SHA1 digest algorithm"
957	depends on S390
958	select CRYPTO_HASH
959	help
960	  This is the s390 hardware accelerated implementation of the
961	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2).
962
963	  It is available as of z990.
964
965config CRYPTO_SHA256
966	tristate "SHA224 and SHA256 digest algorithm"
967	select CRYPTO_HASH
968	select CRYPTO_LIB_SHA256
969	help
970	  SHA256 secure hash standard (DFIPS 180-2).
971
972	  This version of SHA implements a 256 bit hash with 128 bits of
973	  security against collision attacks.
974
975	  This code also includes SHA-224, a 224 bit hash with 112 bits
976	  of security against collision attacks.
977
978config CRYPTO_SHA256_PPC_SPE
979	tristate "SHA224 and SHA256 digest algorithm (PPC SPE)"
980	depends on PPC && SPE
981	select CRYPTO_SHA256
982	select CRYPTO_HASH
983	help
984	  SHA224 and SHA256 secure hash standard (DFIPS 180-2)
985	  implemented using powerpc SPE SIMD instruction set.
986
987config CRYPTO_SHA256_OCTEON
988	tristate "SHA224 and SHA256 digest algorithm (OCTEON)"
989	depends on CPU_CAVIUM_OCTEON
990	select CRYPTO_SHA256
991	select CRYPTO_HASH
992	help
993	  SHA-256 secure hash standard (DFIPS 180-2) implemented
994	  using OCTEON crypto instructions, when available.
995
996config CRYPTO_SHA256_SPARC64
997	tristate "SHA224 and SHA256 digest algorithm (SPARC64)"
998	depends on SPARC64
999	select CRYPTO_SHA256
1000	select CRYPTO_HASH
1001	help
1002	  SHA-256 secure hash standard (DFIPS 180-2) implemented
1003	  using sparc64 crypto instructions, when available.
1004
1005config CRYPTO_SHA256_S390
1006	tristate "SHA256 digest algorithm"
1007	depends on S390
1008	select CRYPTO_HASH
1009	help
1010	  This is the s390 hardware accelerated implementation of the
1011	  SHA256 secure hash standard (DFIPS 180-2).
1012
1013	  It is available as of z9.
1014
1015config CRYPTO_SHA512
1016	tristate "SHA384 and SHA512 digest algorithms"
1017	select CRYPTO_HASH
1018	help
1019	  SHA512 secure hash standard (DFIPS 180-2).
1020
1021	  This version of SHA implements a 512 bit hash with 256 bits of
1022	  security against collision attacks.
1023
1024	  This code also includes SHA-384, a 384 bit hash with 192 bits
1025	  of security against collision attacks.
1026
1027config CRYPTO_SHA512_OCTEON
1028	tristate "SHA384 and SHA512 digest algorithms (OCTEON)"
1029	depends on CPU_CAVIUM_OCTEON
1030	select CRYPTO_SHA512
1031	select CRYPTO_HASH
1032	help
1033	  SHA-512 secure hash standard (DFIPS 180-2) implemented
1034	  using OCTEON crypto instructions, when available.
1035
1036config CRYPTO_SHA512_SPARC64
1037	tristate "SHA384 and SHA512 digest algorithm (SPARC64)"
1038	depends on SPARC64
1039	select CRYPTO_SHA512
1040	select CRYPTO_HASH
1041	help
1042	  SHA-512 secure hash standard (DFIPS 180-2) implemented
1043	  using sparc64 crypto instructions, when available.
1044
1045config CRYPTO_SHA3
1046	tristate "SHA3 digest algorithm"
1047	select CRYPTO_HASH
1048	help
1049	  SHA-3 secure hash standard (DFIPS 202). It's based on
1050	  cryptographic sponge function family called Keccak.
1051
1052	  References:
1053	  http://keccak.noekeon.org/
1054
1055config CRYPTO_SHA3_256_S390
1056	tristate "SHA3_224 and SHA3_256 digest algorithm"
1057	depends on S390
1058	select CRYPTO_HASH
1059	help
1060	  This is the s390 hardware accelerated implementation of the
1061	  SHA3_256 secure hash standard.
1062
1063	  It is available as of z14.
1064
1065config CRYPTO_SHA3_512_S390
1066	tristate "SHA3_384 and SHA3_512 digest algorithm"
1067	depends on S390
1068	select CRYPTO_HASH
1069	help
1070	  This is the s390 hardware accelerated implementation of the
1071	  SHA3_512 secure hash standard.
1072
1073	  It is available as of z14.
1074
1075config CRYPTO_SM3
1076	tristate
1077
1078config CRYPTO_SM3_GENERIC
1079	tristate "SM3 digest algorithm"
1080	select CRYPTO_HASH
1081	select CRYPTO_SM3
1082	help
1083	  SM3 secure hash function as defined by OSCCA GM/T 0004-2012 SM3).
1084	  It is part of the Chinese Commercial Cryptography suite.
1085
1086	  References:
1087	  http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
1088	  https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
1089
1090config CRYPTO_SM3_AVX_X86_64
1091	tristate "SM3 digest algorithm (x86_64/AVX)"
1092	depends on X86 && 64BIT
1093	select CRYPTO_HASH
1094	select CRYPTO_SM3
1095	help
1096	  SM3 secure hash function as defined by OSCCA GM/T 0004-2012 SM3).
1097	  It is part of the Chinese Commercial Cryptography suite. This is
1098	  SM3 optimized implementation using Advanced Vector Extensions (AVX)
1099	  when available.
1100
1101	  If unsure, say N.
1102
1103config CRYPTO_STREEBOG
1104	tristate "Streebog Hash Function"
1105	select CRYPTO_HASH
1106	help
1107	  Streebog Hash Function (GOST R 34.11-2012, RFC 6986) is one of the Russian
1108	  cryptographic standard algorithms (called GOST algorithms).
1109	  This setting enables two hash algorithms with 256 and 512 bits output.
1110
1111	  References:
1112	  https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1113	  https://tools.ietf.org/html/rfc6986
1114
1115config CRYPTO_WP512
1116	tristate "Whirlpool digest algorithms"
1117	select CRYPTO_HASH
1118	help
1119	  Whirlpool hash algorithm 512, 384 and 256-bit hashes
1120
1121	  Whirlpool-512 is part of the NESSIE cryptographic primitives.
1122	  Whirlpool will be part of the ISO/IEC 10118-3:2003(E) standard
1123
1124	  See also:
1125	  <http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html>
1126
1127config CRYPTO_GHASH_CLMUL_NI_INTEL
1128	tristate "GHASH hash function (CLMUL-NI accelerated)"
1129	depends on X86 && 64BIT
1130	select CRYPTO_CRYPTD
1131	help
1132	  This is the x86_64 CLMUL-NI accelerated implementation of
1133	  GHASH, the hash function used in GCM (Galois/Counter mode).
1134
1135config CRYPTO_GHASH_S390
1136	tristate "GHASH hash function"
1137	depends on S390
1138	select CRYPTO_HASH
1139	help
1140	  This is the s390 hardware accelerated implementation of GHASH,
1141	  the hash function used in GCM (Galois/Counter mode).
1142
1143	  It is available as of z196.
1144
1145comment "Ciphers"
1146
1147config CRYPTO_AES
1148	tristate "AES cipher algorithms"
1149	select CRYPTO_ALGAPI
1150	select CRYPTO_LIB_AES
1151	help
1152	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
1153	  algorithm.
1154
1155	  Rijndael appears to be consistently a very good performer in
1156	  both hardware and software across a wide range of computing
1157	  environments regardless of its use in feedback or non-feedback
1158	  modes. Its key setup time is excellent, and its key agility is
1159	  good. Rijndael's very low memory requirements make it very well
1160	  suited for restricted-space environments, in which it also
1161	  demonstrates excellent performance. Rijndael's operations are
1162	  among the easiest to defend against power and timing attacks.
1163
1164	  The AES specifies three key sizes: 128, 192 and 256 bits
1165
1166	  See <http://csrc.nist.gov/CryptoToolkit/aes/> for more information.
1167
1168config CRYPTO_AES_TI
1169	tristate "Fixed time AES cipher"
1170	select CRYPTO_ALGAPI
1171	select CRYPTO_LIB_AES
1172	help
1173	  This is a generic implementation of AES that attempts to eliminate
1174	  data dependent latencies as much as possible without affecting
1175	  performance too much. It is intended for use by the generic CCM
1176	  and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
1177	  solely on encryption (although decryption is supported as well, but
1178	  with a more dramatic performance hit)
1179
1180	  Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
1181	  8 for decryption), this implementation only uses just two S-boxes of
1182	  256 bytes each, and attempts to eliminate data dependent latencies by
1183	  prefetching the entire table into the cache at the start of each
1184	  block. Interrupts are also disabled to avoid races where cachelines
1185	  are evicted when the CPU is interrupted to do something else.
1186
1187config CRYPTO_AES_NI_INTEL
1188	tristate "AES cipher algorithms (AES-NI)"
1189	depends on X86
1190	select CRYPTO_AEAD
1191	select CRYPTO_LIB_AES
1192	select CRYPTO_ALGAPI
1193	select CRYPTO_SKCIPHER
1194	select CRYPTO_SIMD
1195	help
1196	  Use Intel AES-NI instructions for AES algorithm.
1197
1198	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
1199	  algorithm.
1200
1201	  Rijndael appears to be consistently a very good performer in
1202	  both hardware and software across a wide range of computing
1203	  environments regardless of its use in feedback or non-feedback
1204	  modes. Its key setup time is excellent, and its key agility is
1205	  good. Rijndael's very low memory requirements make it very well
1206	  suited for restricted-space environments, in which it also
1207	  demonstrates excellent performance. Rijndael's operations are
1208	  among the easiest to defend against power and timing attacks.
1209
1210	  The AES specifies three key sizes: 128, 192 and 256 bits
1211
1212	  See <http://csrc.nist.gov/encryption/aes/> for more information.
1213
1214	  In addition to AES cipher algorithm support, the acceleration
1215	  for some popular block cipher mode is supported too, including
1216	  ECB, CBC, LRW, XTS. The 64 bit version has additional
1217	  acceleration for CTR.
1218
1219config CRYPTO_AES_SPARC64
1220	tristate "AES cipher algorithms (SPARC64)"
1221	depends on SPARC64
1222	select CRYPTO_SKCIPHER
1223	help
1224	  Use SPARC64 crypto opcodes for AES algorithm.
1225
1226	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
1227	  algorithm.
1228
1229	  Rijndael appears to be consistently a very good performer in
1230	  both hardware and software across a wide range of computing
1231	  environments regardless of its use in feedback or non-feedback
1232	  modes. Its key setup time is excellent, and its key agility is
1233	  good. Rijndael's very low memory requirements make it very well
1234	  suited for restricted-space environments, in which it also
1235	  demonstrates excellent performance. Rijndael's operations are
1236	  among the easiest to defend against power and timing attacks.
1237
1238	  The AES specifies three key sizes: 128, 192 and 256 bits
1239
1240	  See <http://csrc.nist.gov/encryption/aes/> for more information.
1241
1242	  In addition to AES cipher algorithm support, the acceleration
1243	  for some popular block cipher mode is supported too, including
1244	  ECB and CBC.
1245
1246config CRYPTO_AES_PPC_SPE
1247	tristate "AES cipher algorithms (PPC SPE)"
1248	depends on PPC && SPE
1249	select CRYPTO_SKCIPHER
1250	help
1251	  AES cipher algorithms (FIPS-197). Additionally the acceleration
1252	  for popular block cipher modes ECB, CBC, CTR and XTS is supported.
1253	  This module should only be used for low power (router) devices
1254	  without hardware AES acceleration (e.g. caam crypto). It reduces the
1255	  size of the AES tables from 16KB to 8KB + 256 bytes and mitigates
1256	  timining attacks. Nevertheless it might be not as secure as other
1257	  architecture specific assembler implementations that work on 1KB
1258	  tables or 256 bytes S-boxes.
1259
1260config CRYPTO_AES_S390
1261	tristate "AES cipher algorithms"
1262	depends on S390
1263	select CRYPTO_ALGAPI
1264	select CRYPTO_SKCIPHER
1265	help
1266	  This is the s390 hardware accelerated implementation of the
1267	  AES cipher algorithms (FIPS-197).
1268
1269	  As of z9 the ECB and CBC modes are hardware accelerated
1270	  for 128 bit keys.
1271	  As of z10 the ECB and CBC modes are hardware accelerated
1272	  for all AES key sizes.
1273	  As of z196 the CTR mode is hardware accelerated for all AES
1274	  key sizes and XTS mode is hardware accelerated for 256 and
1275	  512 bit keys.
1276
1277config CRYPTO_ANUBIS
1278	tristate "Anubis cipher algorithm"
1279	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1280	select CRYPTO_ALGAPI
1281	help
1282	  Anubis cipher algorithm.
1283
1284	  Anubis is a variable key length cipher which can use keys from
1285	  128 bits to 320 bits in length.  It was evaluated as a entrant
1286	  in the NESSIE competition.
1287
1288	  See also:
1289	  <https://www.cosic.esat.kuleuven.be/nessie/reports/>
1290	  <http://www.larc.usp.br/~pbarreto/AnubisPage.html>
1291
1292config CRYPTO_ARC4
1293	tristate "ARC4 cipher algorithm"
1294	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1295	select CRYPTO_SKCIPHER
1296	select CRYPTO_LIB_ARC4
1297	help
1298	  ARC4 cipher algorithm.
1299
1300	  ARC4 is a stream cipher using keys ranging from 8 bits to 2048
1301	  bits in length.  This algorithm is required for driver-based
1302	  WEP, but it should not be for other purposes because of the
1303	  weakness of the algorithm.
1304
1305config CRYPTO_BLOWFISH
1306	tristate "Blowfish cipher algorithm"
1307	select CRYPTO_ALGAPI
1308	select CRYPTO_BLOWFISH_COMMON
1309	help
1310	  Blowfish cipher algorithm, by Bruce Schneier.
1311
1312	  This is a variable key length cipher which can use keys from 32
1313	  bits to 448 bits in length.  It's fast, simple and specifically
1314	  designed for use on "large microprocessors".
1315
1316	  See also:
1317	  <https://www.schneier.com/blowfish.html>
1318
1319config CRYPTO_BLOWFISH_COMMON
1320	tristate
1321	help
1322	  Common parts of the Blowfish cipher algorithm shared by the
1323	  generic c and the assembler implementations.
1324
1325	  See also:
1326	  <https://www.schneier.com/blowfish.html>
1327
1328config CRYPTO_BLOWFISH_X86_64
1329	tristate "Blowfish cipher algorithm (x86_64)"
1330	depends on X86 && 64BIT
1331	select CRYPTO_SKCIPHER
1332	select CRYPTO_BLOWFISH_COMMON
1333	imply CRYPTO_CTR
1334	help
1335	  Blowfish cipher algorithm (x86_64), by Bruce Schneier.
1336
1337	  This is a variable key length cipher which can use keys from 32
1338	  bits to 448 bits in length.  It's fast, simple and specifically
1339	  designed for use on "large microprocessors".
1340
1341	  See also:
1342	  <https://www.schneier.com/blowfish.html>
1343
1344config CRYPTO_CAMELLIA
1345	tristate "Camellia cipher algorithms"
1346	select CRYPTO_ALGAPI
1347	help
1348	  Camellia cipher algorithms module.
1349
1350	  Camellia is a symmetric key block cipher developed jointly
1351	  at NTT and Mitsubishi Electric Corporation.
1352
1353	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1354
1355	  See also:
1356	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1357
1358config CRYPTO_CAMELLIA_X86_64
1359	tristate "Camellia cipher algorithm (x86_64)"
1360	depends on X86 && 64BIT
1361	select CRYPTO_SKCIPHER
1362	imply CRYPTO_CTR
1363	help
1364	  Camellia cipher algorithm module (x86_64).
1365
1366	  Camellia is a symmetric key block cipher developed jointly
1367	  at NTT and Mitsubishi Electric Corporation.
1368
1369	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1370
1371	  See also:
1372	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1373
1374config CRYPTO_CAMELLIA_AESNI_AVX_X86_64
1375	tristate "Camellia cipher algorithm (x86_64/AES-NI/AVX)"
1376	depends on X86 && 64BIT
1377	select CRYPTO_SKCIPHER
1378	select CRYPTO_CAMELLIA_X86_64
1379	select CRYPTO_SIMD
1380	imply CRYPTO_XTS
1381	help
1382	  Camellia cipher algorithm module (x86_64/AES-NI/AVX).
1383
1384	  Camellia is a symmetric key block cipher developed jointly
1385	  at NTT and Mitsubishi Electric Corporation.
1386
1387	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1388
1389	  See also:
1390	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1391
1392config CRYPTO_CAMELLIA_AESNI_AVX2_X86_64
1393	tristate "Camellia cipher algorithm (x86_64/AES-NI/AVX2)"
1394	depends on X86 && 64BIT
1395	select CRYPTO_CAMELLIA_AESNI_AVX_X86_64
1396	help
1397	  Camellia cipher algorithm module (x86_64/AES-NI/AVX2).
1398
1399	  Camellia is a symmetric key block cipher developed jointly
1400	  at NTT and Mitsubishi Electric Corporation.
1401
1402	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1403
1404	  See also:
1405	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1406
1407config CRYPTO_CAMELLIA_SPARC64
1408	tristate "Camellia cipher algorithm (SPARC64)"
1409	depends on SPARC64
1410	select CRYPTO_ALGAPI
1411	select CRYPTO_SKCIPHER
1412	help
1413	  Camellia cipher algorithm module (SPARC64).
1414
1415	  Camellia is a symmetric key block cipher developed jointly
1416	  at NTT and Mitsubishi Electric Corporation.
1417
1418	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1419
1420	  See also:
1421	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1422
1423config CRYPTO_CAST_COMMON
1424	tristate
1425	help
1426	  Common parts of the CAST cipher algorithms shared by the
1427	  generic c and the assembler implementations.
1428
1429config CRYPTO_CAST5
1430	tristate "CAST5 (CAST-128) cipher algorithm"
1431	select CRYPTO_ALGAPI
1432	select CRYPTO_CAST_COMMON
1433	help
1434	  The CAST5 encryption algorithm (synonymous with CAST-128) is
1435	  described in RFC2144.
1436
1437config CRYPTO_CAST5_AVX_X86_64
1438	tristate "CAST5 (CAST-128) cipher algorithm (x86_64/AVX)"
1439	depends on X86 && 64BIT
1440	select CRYPTO_SKCIPHER
1441	select CRYPTO_CAST5
1442	select CRYPTO_CAST_COMMON
1443	select CRYPTO_SIMD
1444	imply CRYPTO_CTR
1445	help
1446	  The CAST5 encryption algorithm (synonymous with CAST-128) is
1447	  described in RFC2144.
1448
1449	  This module provides the Cast5 cipher algorithm that processes
1450	  sixteen blocks parallel using the AVX instruction set.
1451
1452config CRYPTO_CAST6
1453	tristate "CAST6 (CAST-256) cipher algorithm"
1454	select CRYPTO_ALGAPI
1455	select CRYPTO_CAST_COMMON
1456	help
1457	  The CAST6 encryption algorithm (synonymous with CAST-256) is
1458	  described in RFC2612.
1459
1460config CRYPTO_CAST6_AVX_X86_64
1461	tristate "CAST6 (CAST-256) cipher algorithm (x86_64/AVX)"
1462	depends on X86 && 64BIT
1463	select CRYPTO_SKCIPHER
1464	select CRYPTO_CAST6
1465	select CRYPTO_CAST_COMMON
1466	select CRYPTO_SIMD
1467	imply CRYPTO_XTS
1468	imply CRYPTO_CTR
1469	help
1470	  The CAST6 encryption algorithm (synonymous with CAST-256) is
1471	  described in RFC2612.
1472
1473	  This module provides the Cast6 cipher algorithm that processes
1474	  eight blocks parallel using the AVX instruction set.
1475
1476config CRYPTO_DES
1477	tristate "DES and Triple DES EDE cipher algorithms"
1478	select CRYPTO_ALGAPI
1479	select CRYPTO_LIB_DES
1480	help
1481	  DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3).
1482
1483config CRYPTO_DES_SPARC64
1484	tristate "DES and Triple DES EDE cipher algorithms (SPARC64)"
1485	depends on SPARC64
1486	select CRYPTO_ALGAPI
1487	select CRYPTO_LIB_DES
1488	select CRYPTO_SKCIPHER
1489	help
1490	  DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3),
1491	  optimized using SPARC64 crypto opcodes.
1492
1493config CRYPTO_DES3_EDE_X86_64
1494	tristate "Triple DES EDE cipher algorithm (x86-64)"
1495	depends on X86 && 64BIT
1496	select CRYPTO_SKCIPHER
1497	select CRYPTO_LIB_DES
1498	imply CRYPTO_CTR
1499	help
1500	  Triple DES EDE (FIPS 46-3) algorithm.
1501
1502	  This module provides implementation of the Triple DES EDE cipher
1503	  algorithm that is optimized for x86-64 processors. Two versions of
1504	  algorithm are provided; regular processing one input block and
1505	  one that processes three blocks parallel.
1506
1507config CRYPTO_DES_S390
1508	tristate "DES and Triple DES cipher algorithms"
1509	depends on S390
1510	select CRYPTO_ALGAPI
1511	select CRYPTO_SKCIPHER
1512	select CRYPTO_LIB_DES
1513	help
1514	  This is the s390 hardware accelerated implementation of the
1515	  DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3).
1516
1517	  As of z990 the ECB and CBC mode are hardware accelerated.
1518	  As of z196 the CTR mode is hardware accelerated.
1519
1520config CRYPTO_FCRYPT
1521	tristate "FCrypt cipher algorithm"
1522	select CRYPTO_ALGAPI
1523	select CRYPTO_SKCIPHER
1524	help
1525	  FCrypt algorithm used by RxRPC.
1526
1527config CRYPTO_KHAZAD
1528	tristate "Khazad cipher algorithm"
1529	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1530	select CRYPTO_ALGAPI
1531	help
1532	  Khazad cipher algorithm.
1533
1534	  Khazad was a finalist in the initial NESSIE competition.  It is
1535	  an algorithm optimized for 64-bit processors with good performance
1536	  on 32-bit processors.  Khazad uses an 128 bit key size.
1537
1538	  See also:
1539	  <http://www.larc.usp.br/~pbarreto/KhazadPage.html>
1540
1541config CRYPTO_CHACHA20
1542	tristate "ChaCha stream cipher algorithms"
1543	select CRYPTO_LIB_CHACHA_GENERIC
1544	select CRYPTO_SKCIPHER
1545	help
1546	  The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms.
1547
1548	  ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
1549	  Bernstein and further specified in RFC7539 for use in IETF protocols.
1550	  This is the portable C implementation of ChaCha20.  See also:
1551	  <https://cr.yp.to/chacha/chacha-20080128.pdf>
1552
1553	  XChaCha20 is the application of the XSalsa20 construction to ChaCha20
1554	  rather than to Salsa20.  XChaCha20 extends ChaCha20's nonce length
1555	  from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
1556	  while provably retaining ChaCha20's security.  See also:
1557	  <https://cr.yp.to/snuffle/xsalsa-20081128.pdf>
1558
1559	  XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
1560	  reduced security margin but increased performance.  It can be needed
1561	  in some performance-sensitive scenarios.
1562
1563config CRYPTO_CHACHA20_X86_64
1564	tristate "ChaCha stream cipher algorithms (x86_64/SSSE3/AVX2/AVX-512VL)"
1565	depends on X86 && 64BIT
1566	select CRYPTO_SKCIPHER
1567	select CRYPTO_LIB_CHACHA_GENERIC
1568	select CRYPTO_ARCH_HAVE_LIB_CHACHA
1569	help
1570	  SSSE3, AVX2, and AVX-512VL optimized implementations of the ChaCha20,
1571	  XChaCha20, and XChaCha12 stream ciphers.
1572
1573config CRYPTO_CHACHA_MIPS
1574	tristate "ChaCha stream cipher algorithms (MIPS 32r2 optimized)"
1575	depends on CPU_MIPS32_R2
1576	select CRYPTO_SKCIPHER
1577	select CRYPTO_ARCH_HAVE_LIB_CHACHA
1578
1579config CRYPTO_CHACHA_S390
1580	tristate "ChaCha20 stream cipher"
1581	depends on S390
1582	select CRYPTO_SKCIPHER
1583	select CRYPTO_LIB_CHACHA_GENERIC
1584	select CRYPTO_ARCH_HAVE_LIB_CHACHA
1585	help
1586	  This is the s390 SIMD implementation of the ChaCha20 stream
1587	  cipher (RFC 7539).
1588
1589	  It is available as of z13.
1590
1591config CRYPTO_SEED
1592	tristate "SEED cipher algorithm"
1593	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1594	select CRYPTO_ALGAPI
1595	help
1596	  SEED cipher algorithm (RFC4269).
1597
1598	  SEED is a 128-bit symmetric key block cipher that has been
1599	  developed by KISA (Korea Information Security Agency) as a
1600	  national standard encryption algorithm of the Republic of Korea.
1601	  It is a 16 round block cipher with the key size of 128 bit.
1602
1603	  See also:
1604	  <http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp>
1605
1606config CRYPTO_SERPENT
1607	tristate "Serpent cipher algorithm"
1608	select CRYPTO_ALGAPI
1609	help
1610	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1611
1612	  Keys are allowed to be from 0 to 256 bits in length, in steps
1613	  of 8 bits.
1614
1615	  See also:
1616	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1617
1618config CRYPTO_SERPENT_SSE2_X86_64
1619	tristate "Serpent cipher algorithm (x86_64/SSE2)"
1620	depends on X86 && 64BIT
1621	select CRYPTO_SKCIPHER
1622	select CRYPTO_SERPENT
1623	select CRYPTO_SIMD
1624	imply CRYPTO_CTR
1625	help
1626	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1627
1628	  Keys are allowed to be from 0 to 256 bits in length, in steps
1629	  of 8 bits.
1630
1631	  This module provides Serpent cipher algorithm that processes eight
1632	  blocks parallel using SSE2 instruction set.
1633
1634	  See also:
1635	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1636
1637config CRYPTO_SERPENT_SSE2_586
1638	tristate "Serpent cipher algorithm (i586/SSE2)"
1639	depends on X86 && !64BIT
1640	select CRYPTO_SKCIPHER
1641	select CRYPTO_SERPENT
1642	select CRYPTO_SIMD
1643	imply CRYPTO_CTR
1644	help
1645	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1646
1647	  Keys are allowed to be from 0 to 256 bits in length, in steps
1648	  of 8 bits.
1649
1650	  This module provides Serpent cipher algorithm that processes four
1651	  blocks parallel using SSE2 instruction set.
1652
1653	  See also:
1654	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1655
1656config CRYPTO_SERPENT_AVX_X86_64
1657	tristate "Serpent cipher algorithm (x86_64/AVX)"
1658	depends on X86 && 64BIT
1659	select CRYPTO_SKCIPHER
1660	select CRYPTO_SERPENT
1661	select CRYPTO_SIMD
1662	imply CRYPTO_XTS
1663	imply CRYPTO_CTR
1664	help
1665	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1666
1667	  Keys are allowed to be from 0 to 256 bits in length, in steps
1668	  of 8 bits.
1669
1670	  This module provides the Serpent cipher algorithm that processes
1671	  eight blocks parallel using the AVX instruction set.
1672
1673	  See also:
1674	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1675
1676config CRYPTO_SERPENT_AVX2_X86_64
1677	tristate "Serpent cipher algorithm (x86_64/AVX2)"
1678	depends on X86 && 64BIT
1679	select CRYPTO_SERPENT_AVX_X86_64
1680	help
1681	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1682
1683	  Keys are allowed to be from 0 to 256 bits in length, in steps
1684	  of 8 bits.
1685
1686	  This module provides Serpent cipher algorithm that processes 16
1687	  blocks parallel using AVX2 instruction set.
1688
1689	  See also:
1690	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1691
1692config CRYPTO_SM4
1693	tristate
1694
1695config CRYPTO_SM4_GENERIC
1696	tristate "SM4 cipher algorithm"
1697	select CRYPTO_ALGAPI
1698	select CRYPTO_SM4
1699	help
1700	  SM4 cipher algorithms (OSCCA GB/T 32907-2016).
1701
1702	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
1703	  Organization of State Commercial Administration of China (OSCCA)
1704	  as an authorized cryptographic algorithms for the use within China.
1705
1706	  SMS4 was originally created for use in protecting wireless
1707	  networks, and is mandated in the Chinese National Standard for
1708	  Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
1709	  (GB.15629.11-2003).
1710
1711	  The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
1712	  standardized through TC 260 of the Standardization Administration
1713	  of the People's Republic of China (SAC).
1714
1715	  The input, output, and key of SMS4 are each 128 bits.
1716
1717	  See also: <https://eprint.iacr.org/2008/329.pdf>
1718
1719	  If unsure, say N.
1720
1721config CRYPTO_SM4_AESNI_AVX_X86_64
1722	tristate "SM4 cipher algorithm (x86_64/AES-NI/AVX)"
1723	depends on X86 && 64BIT
1724	select CRYPTO_SKCIPHER
1725	select CRYPTO_SIMD
1726	select CRYPTO_ALGAPI
1727	select CRYPTO_SM4
1728	help
1729	  SM4 cipher algorithms (OSCCA GB/T 32907-2016) (x86_64/AES-NI/AVX).
1730
1731	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
1732	  Organization of State Commercial Administration of China (OSCCA)
1733	  as an authorized cryptographic algorithms for the use within China.
1734
1735	  This is SM4 optimized implementation using AES-NI/AVX/x86_64
1736	  instruction set for block cipher. Through two affine transforms,
1737	  we can use the AES S-Box to simulate the SM4 S-Box to achieve the
1738	  effect of instruction acceleration.
1739
1740	  If unsure, say N.
1741
1742config CRYPTO_SM4_AESNI_AVX2_X86_64
1743	tristate "SM4 cipher algorithm (x86_64/AES-NI/AVX2)"
1744	depends on X86 && 64BIT
1745	select CRYPTO_SKCIPHER
1746	select CRYPTO_SIMD
1747	select CRYPTO_ALGAPI
1748	select CRYPTO_SM4
1749	select CRYPTO_SM4_AESNI_AVX_X86_64
1750	help
1751	  SM4 cipher algorithms (OSCCA GB/T 32907-2016) (x86_64/AES-NI/AVX2).
1752
1753	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
1754	  Organization of State Commercial Administration of China (OSCCA)
1755	  as an authorized cryptographic algorithms for the use within China.
1756
1757	  This is SM4 optimized implementation using AES-NI/AVX2/x86_64
1758	  instruction set for block cipher. Through two affine transforms,
1759	  we can use the AES S-Box to simulate the SM4 S-Box to achieve the
1760	  effect of instruction acceleration.
1761
1762	  If unsure, say N.
1763
1764config CRYPTO_TEA
1765	tristate "TEA, XTEA and XETA cipher algorithms"
1766	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1767	select CRYPTO_ALGAPI
1768	help
1769	  TEA cipher algorithm.
1770
1771	  Tiny Encryption Algorithm is a simple cipher that uses
1772	  many rounds for security.  It is very fast and uses
1773	  little memory.
1774
1775	  Xtendend Tiny Encryption Algorithm is a modification to
1776	  the TEA algorithm to address a potential key weakness
1777	  in the TEA algorithm.
1778
1779	  Xtendend Encryption Tiny Algorithm is a mis-implementation
1780	  of the XTEA algorithm for compatibility purposes.
1781
1782config CRYPTO_TWOFISH
1783	tristate "Twofish cipher algorithm"
1784	select CRYPTO_ALGAPI
1785	select CRYPTO_TWOFISH_COMMON
1786	help
1787	  Twofish cipher algorithm.
1788
1789	  Twofish was submitted as an AES (Advanced Encryption Standard)
1790	  candidate cipher by researchers at CounterPane Systems.  It is a
1791	  16 round block cipher supporting key sizes of 128, 192, and 256
1792	  bits.
1793
1794	  See also:
1795	  <https://www.schneier.com/twofish.html>
1796
1797config CRYPTO_TWOFISH_COMMON
1798	tristate
1799	help
1800	  Common parts of the Twofish cipher algorithm shared by the
1801	  generic c and the assembler implementations.
1802
1803config CRYPTO_TWOFISH_586
1804	tristate "Twofish cipher algorithms (i586)"
1805	depends on (X86 || UML_X86) && !64BIT
1806	select CRYPTO_ALGAPI
1807	select CRYPTO_TWOFISH_COMMON
1808	imply CRYPTO_CTR
1809	help
1810	  Twofish cipher algorithm.
1811
1812	  Twofish was submitted as an AES (Advanced Encryption Standard)
1813	  candidate cipher by researchers at CounterPane Systems.  It is a
1814	  16 round block cipher supporting key sizes of 128, 192, and 256
1815	  bits.
1816
1817	  See also:
1818	  <https://www.schneier.com/twofish.html>
1819
1820config CRYPTO_TWOFISH_X86_64
1821	tristate "Twofish cipher algorithm (x86_64)"
1822	depends on (X86 || UML_X86) && 64BIT
1823	select CRYPTO_ALGAPI
1824	select CRYPTO_TWOFISH_COMMON
1825	imply CRYPTO_CTR
1826	help
1827	  Twofish cipher algorithm (x86_64).
1828
1829	  Twofish was submitted as an AES (Advanced Encryption Standard)
1830	  candidate cipher by researchers at CounterPane Systems.  It is a
1831	  16 round block cipher supporting key sizes of 128, 192, and 256
1832	  bits.
1833
1834	  See also:
1835	  <https://www.schneier.com/twofish.html>
1836
1837config CRYPTO_TWOFISH_X86_64_3WAY
1838	tristate "Twofish cipher algorithm (x86_64, 3-way parallel)"
1839	depends on X86 && 64BIT
1840	select CRYPTO_SKCIPHER
1841	select CRYPTO_TWOFISH_COMMON
1842	select CRYPTO_TWOFISH_X86_64
1843	help
1844	  Twofish cipher algorithm (x86_64, 3-way parallel).
1845
1846	  Twofish was submitted as an AES (Advanced Encryption Standard)
1847	  candidate cipher by researchers at CounterPane Systems.  It is a
1848	  16 round block cipher supporting key sizes of 128, 192, and 256
1849	  bits.
1850
1851	  This module provides Twofish cipher algorithm that processes three
1852	  blocks parallel, utilizing resources of out-of-order CPUs better.
1853
1854	  See also:
1855	  <https://www.schneier.com/twofish.html>
1856
1857config CRYPTO_TWOFISH_AVX_X86_64
1858	tristate "Twofish cipher algorithm (x86_64/AVX)"
1859	depends on X86 && 64BIT
1860	select CRYPTO_SKCIPHER
1861	select CRYPTO_SIMD
1862	select CRYPTO_TWOFISH_COMMON
1863	select CRYPTO_TWOFISH_X86_64
1864	select CRYPTO_TWOFISH_X86_64_3WAY
1865	imply CRYPTO_XTS
1866	help
1867	  Twofish cipher algorithm (x86_64/AVX).
1868
1869	  Twofish was submitted as an AES (Advanced Encryption Standard)
1870	  candidate cipher by researchers at CounterPane Systems.  It is a
1871	  16 round block cipher supporting key sizes of 128, 192, and 256
1872	  bits.
1873
1874	  This module provides the Twofish cipher algorithm that processes
1875	  eight blocks parallel using the AVX Instruction Set.
1876
1877	  See also:
1878	  <https://www.schneier.com/twofish.html>
1879
1880comment "Compression"
1881
1882config CRYPTO_DEFLATE
1883	tristate "Deflate compression algorithm"
1884	select CRYPTO_ALGAPI
1885	select CRYPTO_ACOMP2
1886	select ZLIB_INFLATE
1887	select ZLIB_DEFLATE
1888	help
1889	  This is the Deflate algorithm (RFC1951), specified for use in
1890	  IPSec with the IPCOMP protocol (RFC3173, RFC2394).
1891
1892	  You will most probably want this if using IPSec.
1893
1894config CRYPTO_LZO
1895	tristate "LZO compression algorithm"
1896	select CRYPTO_ALGAPI
1897	select CRYPTO_ACOMP2
1898	select LZO_COMPRESS
1899	select LZO_DECOMPRESS
1900	help
1901	  This is the LZO algorithm.
1902
1903config CRYPTO_842
1904	tristate "842 compression algorithm"
1905	select CRYPTO_ALGAPI
1906	select CRYPTO_ACOMP2
1907	select 842_COMPRESS
1908	select 842_DECOMPRESS
1909	help
1910	  This is the 842 algorithm.
1911
1912config CRYPTO_LZ4
1913	tristate "LZ4 compression algorithm"
1914	select CRYPTO_ALGAPI
1915	select CRYPTO_ACOMP2
1916	select LZ4_COMPRESS
1917	select LZ4_DECOMPRESS
1918	help
1919	  This is the LZ4 algorithm.
1920
1921config CRYPTO_LZ4HC
1922	tristate "LZ4HC compression algorithm"
1923	select CRYPTO_ALGAPI
1924	select CRYPTO_ACOMP2
1925	select LZ4HC_COMPRESS
1926	select LZ4_DECOMPRESS
1927	help
1928	  This is the LZ4 high compression mode algorithm.
1929
1930config CRYPTO_ZSTD
1931	tristate "Zstd compression algorithm"
1932	select CRYPTO_ALGAPI
1933	select CRYPTO_ACOMP2
1934	select ZSTD_COMPRESS
1935	select ZSTD_DECOMPRESS
1936	help
1937	  This is the zstd algorithm.
1938
1939comment "Random Number Generation"
1940
1941config CRYPTO_ANSI_CPRNG
1942	tristate "Pseudo Random Number Generation for Cryptographic modules"
1943	select CRYPTO_AES
1944	select CRYPTO_RNG
1945	help
1946	  This option enables the generic pseudo random number generator
1947	  for cryptographic modules.  Uses the Algorithm specified in
1948	  ANSI X9.31 A.2.4. Note that this option must be enabled if
1949	  CRYPTO_FIPS is selected
1950
1951menuconfig CRYPTO_DRBG_MENU
1952	tristate "NIST SP800-90A DRBG"
1953	help
1954	  NIST SP800-90A compliant DRBG. In the following submenu, one or
1955	  more of the DRBG types must be selected.
1956
1957if CRYPTO_DRBG_MENU
1958
1959config CRYPTO_DRBG_HMAC
1960	bool
1961	default y
1962	select CRYPTO_HMAC
1963	select CRYPTO_SHA512
1964
1965config CRYPTO_DRBG_HASH
1966	bool "Enable Hash DRBG"
1967	select CRYPTO_SHA256
1968	help
1969	  Enable the Hash DRBG variant as defined in NIST SP800-90A.
1970
1971config CRYPTO_DRBG_CTR
1972	bool "Enable CTR DRBG"
1973	select CRYPTO_AES
1974	select CRYPTO_CTR
1975	help
1976	  Enable the CTR DRBG variant as defined in NIST SP800-90A.
1977
1978config CRYPTO_DRBG
1979	tristate
1980	default CRYPTO_DRBG_MENU
1981	select CRYPTO_RNG
1982	select CRYPTO_JITTERENTROPY
1983
1984endif	# if CRYPTO_DRBG_MENU
1985
1986config CRYPTO_JITTERENTROPY
1987	tristate "Jitterentropy Non-Deterministic Random Number Generator"
1988	select CRYPTO_RNG
1989	help
1990	  The Jitterentropy RNG is a noise that is intended
1991	  to provide seed to another RNG. The RNG does not
1992	  perform any cryptographic whitening of the generated
1993	  random numbers. This Jitterentropy RNG registers with
1994	  the kernel crypto API and can be used by any caller.
1995
1996config CRYPTO_KDF800108_CTR
1997	tristate
1998	select CRYPTO_HMAC
1999	select CRYPTO_SHA256
2000
2001config CRYPTO_USER_API
2002	tristate
2003
2004config CRYPTO_USER_API_HASH
2005	tristate "User-space interface for hash algorithms"
2006	depends on NET
2007	select CRYPTO_HASH
2008	select CRYPTO_USER_API
2009	help
2010	  This option enables the user-spaces interface for hash
2011	  algorithms.
2012
2013config CRYPTO_USER_API_SKCIPHER
2014	tristate "User-space interface for symmetric key cipher algorithms"
2015	depends on NET
2016	select CRYPTO_SKCIPHER
2017	select CRYPTO_USER_API
2018	help
2019	  This option enables the user-spaces interface for symmetric
2020	  key cipher algorithms.
2021
2022config CRYPTO_USER_API_RNG
2023	tristate "User-space interface for random number generator algorithms"
2024	depends on NET
2025	select CRYPTO_RNG
2026	select CRYPTO_USER_API
2027	help
2028	  This option enables the user-spaces interface for random
2029	  number generator algorithms.
2030
2031config CRYPTO_USER_API_RNG_CAVP
2032	bool "Enable CAVP testing of DRBG"
2033	depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
2034	help
2035	  This option enables extra API for CAVP testing via the user-space
2036	  interface: resetting of DRBG entropy, and providing Additional Data.
2037	  This should only be enabled for CAVP testing. You should say
2038	  no unless you know what this is.
2039
2040config CRYPTO_USER_API_AEAD
2041	tristate "User-space interface for AEAD cipher algorithms"
2042	depends on NET
2043	select CRYPTO_AEAD
2044	select CRYPTO_SKCIPHER
2045	select CRYPTO_NULL
2046	select CRYPTO_USER_API
2047	help
2048	  This option enables the user-spaces interface for AEAD
2049	  cipher algorithms.
2050
2051config CRYPTO_USER_API_ENABLE_OBSOLETE
2052	bool "Enable obsolete cryptographic algorithms for userspace"
2053	depends on CRYPTO_USER_API
2054	default y
2055	help
2056	  Allow obsolete cryptographic algorithms to be selected that have
2057	  already been phased out from internal use by the kernel, and are
2058	  only useful for userspace clients that still rely on them.
2059
2060config CRYPTO_STATS
2061	bool "Crypto usage statistics for User-space"
2062	depends on CRYPTO_USER
2063	help
2064	  This option enables the gathering of crypto stats.
2065	  This will collect:
2066	  - encrypt/decrypt size and numbers of symmeric operations
2067	  - compress/decompress size and numbers of compress operations
2068	  - size and numbers of hash operations
2069	  - encrypt/decrypt/sign/verify numbers for asymmetric operations
2070	  - generate/seed numbers for rng operations
2071
2072config CRYPTO_HASH_INFO
2073	bool
2074
2075source "drivers/crypto/Kconfig"
2076source "crypto/asymmetric_keys/Kconfig"
2077source "certs/Kconfig"
2078
2079endif	# if CRYPTO
2080