xref: /openbmc/linux/crypto/Kconfig (revision 3dc4b6fb)
1# SPDX-License-Identifier: GPL-2.0
2#
3# Generic algorithms support
4#
5config XOR_BLOCKS
6	tristate
7
8#
9# async_tx api: hardware offloaded memory transfer/transform support
10#
11source "crypto/async_tx/Kconfig"
12
13#
14# Cryptographic API Configuration
15#
16menuconfig CRYPTO
17	tristate "Cryptographic API"
18	help
19	  This option provides the core Cryptographic API.
20
21if CRYPTO
22
23comment "Crypto core or helper"
24
25config CRYPTO_FIPS
26	bool "FIPS 200 compliance"
27	depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
28	depends on (MODULE_SIG || !MODULES)
29	help
30	  This option enables the fips boot option which is
31	  required if you want the system to operate in a FIPS 200
32	  certification.  You should say no unless you know what
33	  this is.
34
35config CRYPTO_ALGAPI
36	tristate
37	select CRYPTO_ALGAPI2
38	help
39	  This option provides the API for cryptographic algorithms.
40
41config CRYPTO_ALGAPI2
42	tristate
43
44config CRYPTO_AEAD
45	tristate
46	select CRYPTO_AEAD2
47	select CRYPTO_ALGAPI
48
49config CRYPTO_AEAD2
50	tristate
51	select CRYPTO_ALGAPI2
52	select CRYPTO_NULL2
53	select CRYPTO_RNG2
54
55config CRYPTO_BLKCIPHER
56	tristate
57	select CRYPTO_BLKCIPHER2
58	select CRYPTO_ALGAPI
59
60config CRYPTO_BLKCIPHER2
61	tristate
62	select CRYPTO_ALGAPI2
63	select CRYPTO_RNG2
64
65config CRYPTO_HASH
66	tristate
67	select CRYPTO_HASH2
68	select CRYPTO_ALGAPI
69
70config CRYPTO_HASH2
71	tristate
72	select CRYPTO_ALGAPI2
73
74config CRYPTO_RNG
75	tristate
76	select CRYPTO_RNG2
77	select CRYPTO_ALGAPI
78
79config CRYPTO_RNG2
80	tristate
81	select CRYPTO_ALGAPI2
82
83config CRYPTO_RNG_DEFAULT
84	tristate
85	select CRYPTO_DRBG_MENU
86
87config CRYPTO_AKCIPHER2
88	tristate
89	select CRYPTO_ALGAPI2
90
91config CRYPTO_AKCIPHER
92	tristate
93	select CRYPTO_AKCIPHER2
94	select CRYPTO_ALGAPI
95
96config CRYPTO_KPP2
97	tristate
98	select CRYPTO_ALGAPI2
99
100config CRYPTO_KPP
101	tristate
102	select CRYPTO_ALGAPI
103	select CRYPTO_KPP2
104
105config CRYPTO_ACOMP2
106	tristate
107	select CRYPTO_ALGAPI2
108	select SGL_ALLOC
109
110config CRYPTO_ACOMP
111	tristate
112	select CRYPTO_ALGAPI
113	select CRYPTO_ACOMP2
114
115config CRYPTO_MANAGER
116	tristate "Cryptographic algorithm manager"
117	select CRYPTO_MANAGER2
118	help
119	  Create default cryptographic template instantiations such as
120	  cbc(aes).
121
122config CRYPTO_MANAGER2
123	def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
124	select CRYPTO_AEAD2
125	select CRYPTO_HASH2
126	select CRYPTO_BLKCIPHER2
127	select CRYPTO_AKCIPHER2
128	select CRYPTO_KPP2
129	select CRYPTO_ACOMP2
130
131config CRYPTO_USER
132	tristate "Userspace cryptographic algorithm configuration"
133	depends on NET
134	select CRYPTO_MANAGER
135	help
136	  Userspace configuration for cryptographic instantiations such as
137	  cbc(aes).
138
139if CRYPTO_MANAGER2
140
141config CRYPTO_MANAGER_DISABLE_TESTS
142	bool "Disable run-time self tests"
143	default y
144	help
145	  Disable run-time self tests that normally take place at
146	  algorithm registration.
147
148config CRYPTO_MANAGER_EXTRA_TESTS
149	bool "Enable extra run-time crypto self tests"
150	depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS
151	help
152	  Enable extra run-time self tests of registered crypto algorithms,
153	  including randomized fuzz tests.
154
155	  This is intended for developer use only, as these tests take much
156	  longer to run than the normal self tests.
157
158endif	# if CRYPTO_MANAGER2
159
160config CRYPTO_GF128MUL
161	tristate
162
163config CRYPTO_NULL
164	tristate "Null algorithms"
165	select CRYPTO_NULL2
166	help
167	  These are 'Null' algorithms, used by IPsec, which do nothing.
168
169config CRYPTO_NULL2
170	tristate
171	select CRYPTO_ALGAPI2
172	select CRYPTO_BLKCIPHER2
173	select CRYPTO_HASH2
174
175config CRYPTO_PCRYPT
176	tristate "Parallel crypto engine"
177	depends on SMP
178	select PADATA
179	select CRYPTO_MANAGER
180	select CRYPTO_AEAD
181	help
182	  This converts an arbitrary crypto algorithm into a parallel
183	  algorithm that executes in kernel threads.
184
185config CRYPTO_CRYPTD
186	tristate "Software async crypto daemon"
187	select CRYPTO_BLKCIPHER
188	select CRYPTO_HASH
189	select CRYPTO_MANAGER
190	help
191	  This is a generic software asynchronous crypto daemon that
192	  converts an arbitrary synchronous software crypto algorithm
193	  into an asynchronous algorithm that executes in a kernel thread.
194
195config CRYPTO_AUTHENC
196	tristate "Authenc support"
197	select CRYPTO_AEAD
198	select CRYPTO_BLKCIPHER
199	select CRYPTO_MANAGER
200	select CRYPTO_HASH
201	select CRYPTO_NULL
202	help
203	  Authenc: Combined mode wrapper for IPsec.
204	  This is required for IPSec.
205
206config CRYPTO_TEST
207	tristate "Testing module"
208	depends on m
209	select CRYPTO_MANAGER
210	help
211	  Quick & dirty crypto test module.
212
213config CRYPTO_SIMD
214	tristate
215	select CRYPTO_CRYPTD
216
217config CRYPTO_GLUE_HELPER_X86
218	tristate
219	depends on X86
220	select CRYPTO_BLKCIPHER
221
222config CRYPTO_ENGINE
223	tristate
224
225comment "Public-key cryptography"
226
227config CRYPTO_RSA
228	tristate "RSA algorithm"
229	select CRYPTO_AKCIPHER
230	select CRYPTO_MANAGER
231	select MPILIB
232	select ASN1
233	help
234	  Generic implementation of the RSA public key algorithm.
235
236config CRYPTO_DH
237	tristate "Diffie-Hellman algorithm"
238	select CRYPTO_KPP
239	select MPILIB
240	help
241	  Generic implementation of the Diffie-Hellman algorithm.
242
243config CRYPTO_ECC
244	tristate
245
246config CRYPTO_ECDH
247	tristate "ECDH algorithm"
248	select CRYPTO_ECC
249	select CRYPTO_KPP
250	select CRYPTO_RNG_DEFAULT
251	help
252	  Generic implementation of the ECDH algorithm
253
254config CRYPTO_ECRDSA
255	tristate "EC-RDSA (GOST 34.10) algorithm"
256	select CRYPTO_ECC
257	select CRYPTO_AKCIPHER
258	select CRYPTO_STREEBOG
259	select OID_REGISTRY
260	select ASN1
261	help
262	  Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
263	  RFC 7091, ISO/IEC 14888-3:2018) is one of the Russian cryptographic
264	  standard algorithms (called GOST algorithms). Only signature verification
265	  is implemented.
266
267comment "Authenticated Encryption with Associated Data"
268
269config CRYPTO_CCM
270	tristate "CCM support"
271	select CRYPTO_CTR
272	select CRYPTO_HASH
273	select CRYPTO_AEAD
274	select CRYPTO_MANAGER
275	help
276	  Support for Counter with CBC MAC. Required for IPsec.
277
278config CRYPTO_GCM
279	tristate "GCM/GMAC support"
280	select CRYPTO_CTR
281	select CRYPTO_AEAD
282	select CRYPTO_GHASH
283	select CRYPTO_NULL
284	select CRYPTO_MANAGER
285	help
286	  Support for Galois/Counter Mode (GCM) and Galois Message
287	  Authentication Code (GMAC). Required for IPSec.
288
289config CRYPTO_CHACHA20POLY1305
290	tristate "ChaCha20-Poly1305 AEAD support"
291	select CRYPTO_CHACHA20
292	select CRYPTO_POLY1305
293	select CRYPTO_AEAD
294	select CRYPTO_MANAGER
295	help
296	  ChaCha20-Poly1305 AEAD support, RFC7539.
297
298	  Support for the AEAD wrapper using the ChaCha20 stream cipher combined
299	  with the Poly1305 authenticator. It is defined in RFC7539 for use in
300	  IETF protocols.
301
302config CRYPTO_AEGIS128
303	tristate "AEGIS-128 AEAD algorithm"
304	select CRYPTO_AEAD
305	select CRYPTO_AES  # for AES S-box tables
306	help
307	 Support for the AEGIS-128 dedicated AEAD algorithm.
308
309config CRYPTO_AEGIS128_SIMD
310	bool "Support SIMD acceleration for AEGIS-128"
311	depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
312	default y
313
314config CRYPTO_AEGIS128_AESNI_SSE2
315	tristate "AEGIS-128 AEAD algorithm (x86_64 AESNI+SSE2 implementation)"
316	depends on X86 && 64BIT
317	select CRYPTO_AEAD
318	select CRYPTO_SIMD
319	help
320	 AESNI+SSE2 implementation of the AEGIS-128 dedicated AEAD algorithm.
321
322config CRYPTO_SEQIV
323	tristate "Sequence Number IV Generator"
324	select CRYPTO_AEAD
325	select CRYPTO_BLKCIPHER
326	select CRYPTO_NULL
327	select CRYPTO_RNG_DEFAULT
328	select CRYPTO_MANAGER
329	help
330	  This IV generator generates an IV based on a sequence number by
331	  xoring it with a salt.  This algorithm is mainly useful for CTR
332
333config CRYPTO_ECHAINIV
334	tristate "Encrypted Chain IV Generator"
335	select CRYPTO_AEAD
336	select CRYPTO_NULL
337	select CRYPTO_RNG_DEFAULT
338	select CRYPTO_MANAGER
339	help
340	  This IV generator generates an IV based on the encryption of
341	  a sequence number xored with a salt.  This is the default
342	  algorithm for CBC.
343
344comment "Block modes"
345
346config CRYPTO_CBC
347	tristate "CBC support"
348	select CRYPTO_BLKCIPHER
349	select CRYPTO_MANAGER
350	help
351	  CBC: Cipher Block Chaining mode
352	  This block cipher algorithm is required for IPSec.
353
354config CRYPTO_CFB
355	tristate "CFB support"
356	select CRYPTO_BLKCIPHER
357	select CRYPTO_MANAGER
358	help
359	  CFB: Cipher FeedBack mode
360	  This block cipher algorithm is required for TPM2 Cryptography.
361
362config CRYPTO_CTR
363	tristate "CTR support"
364	select CRYPTO_BLKCIPHER
365	select CRYPTO_SEQIV
366	select CRYPTO_MANAGER
367	help
368	  CTR: Counter mode
369	  This block cipher algorithm is required for IPSec.
370
371config CRYPTO_CTS
372	tristate "CTS support"
373	select CRYPTO_BLKCIPHER
374	select CRYPTO_MANAGER
375	help
376	  CTS: Cipher Text Stealing
377	  This is the Cipher Text Stealing mode as described by
378	  Section 8 of rfc2040 and referenced by rfc3962
379	  (rfc3962 includes errata information in its Appendix A) or
380	  CBC-CS3 as defined by NIST in Sp800-38A addendum from Oct 2010.
381	  This mode is required for Kerberos gss mechanism support
382	  for AES encryption.
383
384	  See: https://csrc.nist.gov/publications/detail/sp/800-38a/addendum/final
385
386config CRYPTO_ECB
387	tristate "ECB support"
388	select CRYPTO_BLKCIPHER
389	select CRYPTO_MANAGER
390	help
391	  ECB: Electronic CodeBook mode
392	  This is the simplest block cipher algorithm.  It simply encrypts
393	  the input block by block.
394
395config CRYPTO_LRW
396	tristate "LRW support"
397	select CRYPTO_BLKCIPHER
398	select CRYPTO_MANAGER
399	select CRYPTO_GF128MUL
400	help
401	  LRW: Liskov Rivest Wagner, a tweakable, non malleable, non movable
402	  narrow block cipher mode for dm-crypt.  Use it with cipher
403	  specification string aes-lrw-benbi, the key must be 256, 320 or 384.
404	  The first 128, 192 or 256 bits in the key are used for AES and the
405	  rest is used to tie each cipher block to its logical position.
406
407config CRYPTO_OFB
408	tristate "OFB support"
409	select CRYPTO_BLKCIPHER
410	select CRYPTO_MANAGER
411	help
412	  OFB: the Output Feedback mode makes a block cipher into a synchronous
413	  stream cipher. It generates keystream blocks, which are then XORed
414	  with the plaintext blocks to get the ciphertext. Flipping a bit in the
415	  ciphertext produces a flipped bit in the plaintext at the same
416	  location. This property allows many error correcting codes to function
417	  normally even when applied before encryption.
418
419config CRYPTO_PCBC
420	tristate "PCBC support"
421	select CRYPTO_BLKCIPHER
422	select CRYPTO_MANAGER
423	help
424	  PCBC: Propagating Cipher Block Chaining mode
425	  This block cipher algorithm is required for RxRPC.
426
427config CRYPTO_XTS
428	tristate "XTS support"
429	select CRYPTO_BLKCIPHER
430	select CRYPTO_MANAGER
431	select CRYPTO_ECB
432	help
433	  XTS: IEEE1619/D16 narrow block cipher use with aes-xts-plain,
434	  key size 256, 384 or 512 bits. This implementation currently
435	  can't handle a sectorsize which is not a multiple of 16 bytes.
436
437config CRYPTO_KEYWRAP
438	tristate "Key wrapping support"
439	select CRYPTO_BLKCIPHER
440	select CRYPTO_MANAGER
441	help
442	  Support for key wrapping (NIST SP800-38F / RFC3394) without
443	  padding.
444
445config CRYPTO_NHPOLY1305
446	tristate
447	select CRYPTO_HASH
448	select CRYPTO_POLY1305
449
450config CRYPTO_NHPOLY1305_SSE2
451	tristate "NHPoly1305 hash function (x86_64 SSE2 implementation)"
452	depends on X86 && 64BIT
453	select CRYPTO_NHPOLY1305
454	help
455	  SSE2 optimized implementation of the hash function used by the
456	  Adiantum encryption mode.
457
458config CRYPTO_NHPOLY1305_AVX2
459	tristate "NHPoly1305 hash function (x86_64 AVX2 implementation)"
460	depends on X86 && 64BIT
461	select CRYPTO_NHPOLY1305
462	help
463	  AVX2 optimized implementation of the hash function used by the
464	  Adiantum encryption mode.
465
466config CRYPTO_ADIANTUM
467	tristate "Adiantum support"
468	select CRYPTO_CHACHA20
469	select CRYPTO_POLY1305
470	select CRYPTO_NHPOLY1305
471	select CRYPTO_MANAGER
472	help
473	  Adiantum is a tweakable, length-preserving encryption mode
474	  designed for fast and secure disk encryption, especially on
475	  CPUs without dedicated crypto instructions.  It encrypts
476	  each sector using the XChaCha12 stream cipher, two passes of
477	  an ε-almost-∆-universal hash function, and an invocation of
478	  the AES-256 block cipher on a single 16-byte block.  On CPUs
479	  without AES instructions, Adiantum is much faster than
480	  AES-XTS.
481
482	  Adiantum's security is provably reducible to that of its
483	  underlying stream and block ciphers, subject to a security
484	  bound.  Unlike XTS, Adiantum is a true wide-block encryption
485	  mode, so it actually provides an even stronger notion of
486	  security than XTS, subject to the security bound.
487
488	  If unsure, say N.
489
490config CRYPTO_ESSIV
491	tristate "ESSIV support for block encryption"
492	select CRYPTO_AUTHENC
493	help
494	  Encrypted salt-sector initialization vector (ESSIV) is an IV
495	  generation method that is used in some cases by fscrypt and/or
496	  dm-crypt. It uses the hash of the block encryption key as the
497	  symmetric key for a block encryption pass applied to the input
498	  IV, making low entropy IV sources more suitable for block
499	  encryption.
500
501	  This driver implements a crypto API template that can be
502	  instantiated either as a skcipher or as a aead (depending on the
503	  type of the first template argument), and which defers encryption
504	  and decryption requests to the encapsulated cipher after applying
505	  ESSIV to the input IV. Note that in the aead case, it is assumed
506	  that the keys are presented in the same format used by the authenc
507	  template, and that the IV appears at the end of the authenticated
508	  associated data (AAD) region (which is how dm-crypt uses it.)
509
510	  Note that the use of ESSIV is not recommended for new deployments,
511	  and so this only needs to be enabled when interoperability with
512	  existing encrypted volumes of filesystems is required, or when
513	  building for a particular system that requires it (e.g., when
514	  the SoC in question has accelerated CBC but not XTS, making CBC
515	  combined with ESSIV the only feasible mode for h/w accelerated
516	  block encryption)
517
518comment "Hash modes"
519
520config CRYPTO_CMAC
521	tristate "CMAC support"
522	select CRYPTO_HASH
523	select CRYPTO_MANAGER
524	help
525	  Cipher-based Message Authentication Code (CMAC) specified by
526	  The National Institute of Standards and Technology (NIST).
527
528	  https://tools.ietf.org/html/rfc4493
529	  http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf
530
531config CRYPTO_HMAC
532	tristate "HMAC support"
533	select CRYPTO_HASH
534	select CRYPTO_MANAGER
535	help
536	  HMAC: Keyed-Hashing for Message Authentication (RFC2104).
537	  This is required for IPSec.
538
539config CRYPTO_XCBC
540	tristate "XCBC support"
541	select CRYPTO_HASH
542	select CRYPTO_MANAGER
543	help
544	  XCBC: Keyed-Hashing with encryption algorithm
545		http://www.ietf.org/rfc/rfc3566.txt
546		http://csrc.nist.gov/encryption/modes/proposedmodes/
547		 xcbc-mac/xcbc-mac-spec.pdf
548
549config CRYPTO_VMAC
550	tristate "VMAC support"
551	select CRYPTO_HASH
552	select CRYPTO_MANAGER
553	help
554	  VMAC is a message authentication algorithm designed for
555	  very high speed on 64-bit architectures.
556
557	  See also:
558	  <http://fastcrypto.org/vmac>
559
560comment "Digest"
561
562config CRYPTO_CRC32C
563	tristate "CRC32c CRC algorithm"
564	select CRYPTO_HASH
565	select CRC32
566	help
567	  Castagnoli, et al Cyclic Redundancy-Check Algorithm.  Used
568	  by iSCSI for header and data digests and by others.
569	  See Castagnoli93.  Module will be crc32c.
570
571config CRYPTO_CRC32C_INTEL
572	tristate "CRC32c INTEL hardware acceleration"
573	depends on X86
574	select CRYPTO_HASH
575	help
576	  In Intel processor with SSE4.2 supported, the processor will
577	  support CRC32C implementation using hardware accelerated CRC32
578	  instruction. This option will create 'crc32c-intel' module,
579	  which will enable any routine to use the CRC32 instruction to
580	  gain performance compared with software implementation.
581	  Module will be crc32c-intel.
582
583config CRYPTO_CRC32C_VPMSUM
584	tristate "CRC32c CRC algorithm (powerpc64)"
585	depends on PPC64 && ALTIVEC
586	select CRYPTO_HASH
587	select CRC32
588	help
589	  CRC32c algorithm implemented using vector polynomial multiply-sum
590	  (vpmsum) instructions, introduced in POWER8. Enable on POWER8
591	  and newer processors for improved performance.
592
593
594config CRYPTO_CRC32C_SPARC64
595	tristate "CRC32c CRC algorithm (SPARC64)"
596	depends on SPARC64
597	select CRYPTO_HASH
598	select CRC32
599	help
600	  CRC32c CRC algorithm implemented using sparc64 crypto instructions,
601	  when available.
602
603config CRYPTO_CRC32
604	tristate "CRC32 CRC algorithm"
605	select CRYPTO_HASH
606	select CRC32
607	help
608	  CRC-32-IEEE 802.3 cyclic redundancy-check algorithm.
609	  Shash crypto api wrappers to crc32_le function.
610
611config CRYPTO_CRC32_PCLMUL
612	tristate "CRC32 PCLMULQDQ hardware acceleration"
613	depends on X86
614	select CRYPTO_HASH
615	select CRC32
616	help
617	  From Intel Westmere and AMD Bulldozer processor with SSE4.2
618	  and PCLMULQDQ supported, the processor will support
619	  CRC32 PCLMULQDQ implementation using hardware accelerated PCLMULQDQ
620	  instruction. This option will create 'crc32-pclmul' module,
621	  which will enable any routine to use the CRC-32-IEEE 802.3 checksum
622	  and gain better performance as compared with the table implementation.
623
624config CRYPTO_CRC32_MIPS
625	tristate "CRC32c and CRC32 CRC algorithm (MIPS)"
626	depends on MIPS_CRC_SUPPORT
627	select CRYPTO_HASH
628	help
629	  CRC32c and CRC32 CRC algorithms implemented using mips crypto
630	  instructions, when available.
631
632
633config CRYPTO_XXHASH
634	tristate "xxHash hash algorithm"
635	select CRYPTO_HASH
636	select XXHASH
637	help
638	  xxHash non-cryptographic hash algorithm. Extremely fast, working at
639	  speeds close to RAM limits.
640
641config CRYPTO_CRCT10DIF
642	tristate "CRCT10DIF algorithm"
643	select CRYPTO_HASH
644	help
645	  CRC T10 Data Integrity Field computation is being cast as
646	  a crypto transform.  This allows for faster crc t10 diff
647	  transforms to be used if they are available.
648
649config CRYPTO_CRCT10DIF_PCLMUL
650	tristate "CRCT10DIF PCLMULQDQ hardware acceleration"
651	depends on X86 && 64BIT && CRC_T10DIF
652	select CRYPTO_HASH
653	help
654	  For x86_64 processors with SSE4.2 and PCLMULQDQ supported,
655	  CRC T10 DIF PCLMULQDQ computation can be hardware
656	  accelerated PCLMULQDQ instruction. This option will create
657	  'crct10dif-pclmul' module, which is faster when computing the
658	  crct10dif checksum as compared with the generic table implementation.
659
660config CRYPTO_CRCT10DIF_VPMSUM
661	tristate "CRC32T10DIF powerpc64 hardware acceleration"
662	depends on PPC64 && ALTIVEC && CRC_T10DIF
663	select CRYPTO_HASH
664	help
665	  CRC10T10DIF algorithm implemented using vector polynomial
666	  multiply-sum (vpmsum) instructions, introduced in POWER8. Enable on
667	  POWER8 and newer processors for improved performance.
668
669config CRYPTO_VPMSUM_TESTER
670	tristate "Powerpc64 vpmsum hardware acceleration tester"
671	depends on CRYPTO_CRCT10DIF_VPMSUM && CRYPTO_CRC32C_VPMSUM
672	help
673	  Stress test for CRC32c and CRC-T10DIF algorithms implemented with
674	  POWER8 vpmsum instructions.
675	  Unless you are testing these algorithms, you don't need this.
676
677config CRYPTO_GHASH
678	tristate "GHASH hash function"
679	select CRYPTO_GF128MUL
680	select CRYPTO_HASH
681	help
682	  GHASH is the hash function used in GCM (Galois/Counter Mode).
683	  It is not a general-purpose cryptographic hash function.
684
685config CRYPTO_POLY1305
686	tristate "Poly1305 authenticator algorithm"
687	select CRYPTO_HASH
688	help
689	  Poly1305 authenticator algorithm, RFC7539.
690
691	  Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
692	  It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
693	  in IETF protocols. This is the portable C implementation of Poly1305.
694
695config CRYPTO_POLY1305_X86_64
696	tristate "Poly1305 authenticator algorithm (x86_64/SSE2/AVX2)"
697	depends on X86 && 64BIT
698	select CRYPTO_POLY1305
699	help
700	  Poly1305 authenticator algorithm, RFC7539.
701
702	  Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
703	  It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
704	  in IETF protocols. This is the x86_64 assembler implementation using SIMD
705	  instructions.
706
707config CRYPTO_MD4
708	tristate "MD4 digest algorithm"
709	select CRYPTO_HASH
710	help
711	  MD4 message digest algorithm (RFC1320).
712
713config CRYPTO_MD5
714	tristate "MD5 digest algorithm"
715	select CRYPTO_HASH
716	help
717	  MD5 message digest algorithm (RFC1321).
718
719config CRYPTO_MD5_OCTEON
720	tristate "MD5 digest algorithm (OCTEON)"
721	depends on CPU_CAVIUM_OCTEON
722	select CRYPTO_MD5
723	select CRYPTO_HASH
724	help
725	  MD5 message digest algorithm (RFC1321) implemented
726	  using OCTEON crypto instructions, when available.
727
728config CRYPTO_MD5_PPC
729	tristate "MD5 digest algorithm (PPC)"
730	depends on PPC
731	select CRYPTO_HASH
732	help
733	  MD5 message digest algorithm (RFC1321) implemented
734	  in PPC assembler.
735
736config CRYPTO_MD5_SPARC64
737	tristate "MD5 digest algorithm (SPARC64)"
738	depends on SPARC64
739	select CRYPTO_MD5
740	select CRYPTO_HASH
741	help
742	  MD5 message digest algorithm (RFC1321) implemented
743	  using sparc64 crypto instructions, when available.
744
745config CRYPTO_MICHAEL_MIC
746	tristate "Michael MIC keyed digest algorithm"
747	select CRYPTO_HASH
748	help
749	  Michael MIC is used for message integrity protection in TKIP
750	  (IEEE 802.11i). This algorithm is required for TKIP, but it
751	  should not be used for other purposes because of the weakness
752	  of the algorithm.
753
754config CRYPTO_RMD128
755	tristate "RIPEMD-128 digest algorithm"
756	select CRYPTO_HASH
757	help
758	  RIPEMD-128 (ISO/IEC 10118-3:2004).
759
760	  RIPEMD-128 is a 128-bit cryptographic hash function. It should only
761	  be used as a secure replacement for RIPEMD. For other use cases,
762	  RIPEMD-160 should be used.
763
764	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
765	  See <http://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
766
767config CRYPTO_RMD160
768	tristate "RIPEMD-160 digest algorithm"
769	select CRYPTO_HASH
770	help
771	  RIPEMD-160 (ISO/IEC 10118-3:2004).
772
773	  RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
774	  to be used as a secure replacement for the 128-bit hash functions
775	  MD4, MD5 and it's predecessor RIPEMD
776	  (not to be confused with RIPEMD-128).
777
778	  It's speed is comparable to SHA1 and there are no known attacks
779	  against RIPEMD-160.
780
781	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
782	  See <http://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
783
784config CRYPTO_RMD256
785	tristate "RIPEMD-256 digest algorithm"
786	select CRYPTO_HASH
787	help
788	  RIPEMD-256 is an optional extension of RIPEMD-128 with a
789	  256 bit hash. It is intended for applications that require
790	  longer hash-results, without needing a larger security level
791	  (than RIPEMD-128).
792
793	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
794	  See <http://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
795
796config CRYPTO_RMD320
797	tristate "RIPEMD-320 digest algorithm"
798	select CRYPTO_HASH
799	help
800	  RIPEMD-320 is an optional extension of RIPEMD-160 with a
801	  320 bit hash. It is intended for applications that require
802	  longer hash-results, without needing a larger security level
803	  (than RIPEMD-160).
804
805	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
806	  See <http://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
807
808config CRYPTO_SHA1
809	tristate "SHA1 digest algorithm"
810	select CRYPTO_HASH
811	help
812	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2).
813
814config CRYPTO_SHA1_SSSE3
815	tristate "SHA1 digest algorithm (SSSE3/AVX/AVX2/SHA-NI)"
816	depends on X86 && 64BIT
817	select CRYPTO_SHA1
818	select CRYPTO_HASH
819	help
820	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
821	  using Supplemental SSE3 (SSSE3) instructions or Advanced Vector
822	  Extensions (AVX/AVX2) or SHA-NI(SHA Extensions New Instructions),
823	  when available.
824
825config CRYPTO_SHA256_SSSE3
826	tristate "SHA256 digest algorithm (SSSE3/AVX/AVX2/SHA-NI)"
827	depends on X86 && 64BIT
828	select CRYPTO_SHA256
829	select CRYPTO_HASH
830	help
831	  SHA-256 secure hash standard (DFIPS 180-2) implemented
832	  using Supplemental SSE3 (SSSE3) instructions, or Advanced Vector
833	  Extensions version 1 (AVX1), or Advanced Vector Extensions
834	  version 2 (AVX2) instructions, or SHA-NI (SHA Extensions New
835	  Instructions) when available.
836
837config CRYPTO_SHA512_SSSE3
838	tristate "SHA512 digest algorithm (SSSE3/AVX/AVX2)"
839	depends on X86 && 64BIT
840	select CRYPTO_SHA512
841	select CRYPTO_HASH
842	help
843	  SHA-512 secure hash standard (DFIPS 180-2) implemented
844	  using Supplemental SSE3 (SSSE3) instructions, or Advanced Vector
845	  Extensions version 1 (AVX1), or Advanced Vector Extensions
846	  version 2 (AVX2) instructions, when available.
847
848config CRYPTO_SHA1_OCTEON
849	tristate "SHA1 digest algorithm (OCTEON)"
850	depends on CPU_CAVIUM_OCTEON
851	select CRYPTO_SHA1
852	select CRYPTO_HASH
853	help
854	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
855	  using OCTEON crypto instructions, when available.
856
857config CRYPTO_SHA1_SPARC64
858	tristate "SHA1 digest algorithm (SPARC64)"
859	depends on SPARC64
860	select CRYPTO_SHA1
861	select CRYPTO_HASH
862	help
863	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
864	  using sparc64 crypto instructions, when available.
865
866config CRYPTO_SHA1_PPC
867	tristate "SHA1 digest algorithm (powerpc)"
868	depends on PPC
869	help
870	  This is the powerpc hardware accelerated implementation of the
871	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2).
872
873config CRYPTO_SHA1_PPC_SPE
874	tristate "SHA1 digest algorithm (PPC SPE)"
875	depends on PPC && SPE
876	help
877	  SHA-1 secure hash standard (DFIPS 180-4) implemented
878	  using powerpc SPE SIMD instruction set.
879
880config CRYPTO_LIB_SHA256
881	tristate
882
883config CRYPTO_SHA256
884	tristate "SHA224 and SHA256 digest algorithm"
885	select CRYPTO_HASH
886	select CRYPTO_LIB_SHA256
887	help
888	  SHA256 secure hash standard (DFIPS 180-2).
889
890	  This version of SHA implements a 256 bit hash with 128 bits of
891	  security against collision attacks.
892
893	  This code also includes SHA-224, a 224 bit hash with 112 bits
894	  of security against collision attacks.
895
896config CRYPTO_SHA256_PPC_SPE
897	tristate "SHA224 and SHA256 digest algorithm (PPC SPE)"
898	depends on PPC && SPE
899	select CRYPTO_SHA256
900	select CRYPTO_HASH
901	help
902	  SHA224 and SHA256 secure hash standard (DFIPS 180-2)
903	  implemented using powerpc SPE SIMD instruction set.
904
905config CRYPTO_SHA256_OCTEON
906	tristate "SHA224 and SHA256 digest algorithm (OCTEON)"
907	depends on CPU_CAVIUM_OCTEON
908	select CRYPTO_SHA256
909	select CRYPTO_HASH
910	help
911	  SHA-256 secure hash standard (DFIPS 180-2) implemented
912	  using OCTEON crypto instructions, when available.
913
914config CRYPTO_SHA256_SPARC64
915	tristate "SHA224 and SHA256 digest algorithm (SPARC64)"
916	depends on SPARC64
917	select CRYPTO_SHA256
918	select CRYPTO_HASH
919	help
920	  SHA-256 secure hash standard (DFIPS 180-2) implemented
921	  using sparc64 crypto instructions, when available.
922
923config CRYPTO_SHA512
924	tristate "SHA384 and SHA512 digest algorithms"
925	select CRYPTO_HASH
926	help
927	  SHA512 secure hash standard (DFIPS 180-2).
928
929	  This version of SHA implements a 512 bit hash with 256 bits of
930	  security against collision attacks.
931
932	  This code also includes SHA-384, a 384 bit hash with 192 bits
933	  of security against collision attacks.
934
935config CRYPTO_SHA512_OCTEON
936	tristate "SHA384 and SHA512 digest algorithms (OCTEON)"
937	depends on CPU_CAVIUM_OCTEON
938	select CRYPTO_SHA512
939	select CRYPTO_HASH
940	help
941	  SHA-512 secure hash standard (DFIPS 180-2) implemented
942	  using OCTEON crypto instructions, when available.
943
944config CRYPTO_SHA512_SPARC64
945	tristate "SHA384 and SHA512 digest algorithm (SPARC64)"
946	depends on SPARC64
947	select CRYPTO_SHA512
948	select CRYPTO_HASH
949	help
950	  SHA-512 secure hash standard (DFIPS 180-2) implemented
951	  using sparc64 crypto instructions, when available.
952
953config CRYPTO_SHA3
954	tristate "SHA3 digest algorithm"
955	select CRYPTO_HASH
956	help
957	  SHA-3 secure hash standard (DFIPS 202). It's based on
958	  cryptographic sponge function family called Keccak.
959
960	  References:
961	  http://keccak.noekeon.org/
962
963config CRYPTO_SM3
964	tristate "SM3 digest algorithm"
965	select CRYPTO_HASH
966	help
967	  SM3 secure hash function as defined by OSCCA GM/T 0004-2012 SM3).
968	  It is part of the Chinese Commercial Cryptography suite.
969
970	  References:
971	  http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
972	  https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
973
974config CRYPTO_STREEBOG
975	tristate "Streebog Hash Function"
976	select CRYPTO_HASH
977	help
978	  Streebog Hash Function (GOST R 34.11-2012, RFC 6986) is one of the Russian
979	  cryptographic standard algorithms (called GOST algorithms).
980	  This setting enables two hash algorithms with 256 and 512 bits output.
981
982	  References:
983	  https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
984	  https://tools.ietf.org/html/rfc6986
985
986config CRYPTO_TGR192
987	tristate "Tiger digest algorithms"
988	select CRYPTO_HASH
989	help
990	  Tiger hash algorithm 192, 160 and 128-bit hashes
991
992	  Tiger is a hash function optimized for 64-bit processors while
993	  still having decent performance on 32-bit processors.
994	  Tiger was developed by Ross Anderson and Eli Biham.
995
996	  See also:
997	  <http://www.cs.technion.ac.il/~biham/Reports/Tiger/>.
998
999config CRYPTO_WP512
1000	tristate "Whirlpool digest algorithms"
1001	select CRYPTO_HASH
1002	help
1003	  Whirlpool hash algorithm 512, 384 and 256-bit hashes
1004
1005	  Whirlpool-512 is part of the NESSIE cryptographic primitives.
1006	  Whirlpool will be part of the ISO/IEC 10118-3:2003(E) standard
1007
1008	  See also:
1009	  <http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html>
1010
1011config CRYPTO_GHASH_CLMUL_NI_INTEL
1012	tristate "GHASH hash function (CLMUL-NI accelerated)"
1013	depends on X86 && 64BIT
1014	select CRYPTO_CRYPTD
1015	help
1016	  This is the x86_64 CLMUL-NI accelerated implementation of
1017	  GHASH, the hash function used in GCM (Galois/Counter mode).
1018
1019comment "Ciphers"
1020
1021config CRYPTO_LIB_AES
1022	tristate
1023
1024config CRYPTO_AES
1025	tristate "AES cipher algorithms"
1026	select CRYPTO_ALGAPI
1027	select CRYPTO_LIB_AES
1028	help
1029	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
1030	  algorithm.
1031
1032	  Rijndael appears to be consistently a very good performer in
1033	  both hardware and software across a wide range of computing
1034	  environments regardless of its use in feedback or non-feedback
1035	  modes. Its key setup time is excellent, and its key agility is
1036	  good. Rijndael's very low memory requirements make it very well
1037	  suited for restricted-space environments, in which it also
1038	  demonstrates excellent performance. Rijndael's operations are
1039	  among the easiest to defend against power and timing attacks.
1040
1041	  The AES specifies three key sizes: 128, 192 and 256 bits
1042
1043	  See <http://csrc.nist.gov/CryptoToolkit/aes/> for more information.
1044
1045config CRYPTO_AES_TI
1046	tristate "Fixed time AES cipher"
1047	select CRYPTO_ALGAPI
1048	select CRYPTO_LIB_AES
1049	help
1050	  This is a generic implementation of AES that attempts to eliminate
1051	  data dependent latencies as much as possible without affecting
1052	  performance too much. It is intended for use by the generic CCM
1053	  and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
1054	  solely on encryption (although decryption is supported as well, but
1055	  with a more dramatic performance hit)
1056
1057	  Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
1058	  8 for decryption), this implementation only uses just two S-boxes of
1059	  256 bytes each, and attempts to eliminate data dependent latencies by
1060	  prefetching the entire table into the cache at the start of each
1061	  block. Interrupts are also disabled to avoid races where cachelines
1062	  are evicted when the CPU is interrupted to do something else.
1063
1064config CRYPTO_AES_NI_INTEL
1065	tristate "AES cipher algorithms (AES-NI)"
1066	depends on X86
1067	select CRYPTO_AEAD
1068	select CRYPTO_LIB_AES
1069	select CRYPTO_ALGAPI
1070	select CRYPTO_BLKCIPHER
1071	select CRYPTO_GLUE_HELPER_X86 if 64BIT
1072	select CRYPTO_SIMD
1073	help
1074	  Use Intel AES-NI instructions for AES algorithm.
1075
1076	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
1077	  algorithm.
1078
1079	  Rijndael appears to be consistently a very good performer in
1080	  both hardware and software across a wide range of computing
1081	  environments regardless of its use in feedback or non-feedback
1082	  modes. Its key setup time is excellent, and its key agility is
1083	  good. Rijndael's very low memory requirements make it very well
1084	  suited for restricted-space environments, in which it also
1085	  demonstrates excellent performance. Rijndael's operations are
1086	  among the easiest to defend against power and timing attacks.
1087
1088	  The AES specifies three key sizes: 128, 192 and 256 bits
1089
1090	  See <http://csrc.nist.gov/encryption/aes/> for more information.
1091
1092	  In addition to AES cipher algorithm support, the acceleration
1093	  for some popular block cipher mode is supported too, including
1094	  ECB, CBC, LRW, XTS. The 64 bit version has additional
1095	  acceleration for CTR.
1096
1097config CRYPTO_AES_SPARC64
1098	tristate "AES cipher algorithms (SPARC64)"
1099	depends on SPARC64
1100	select CRYPTO_CRYPTD
1101	select CRYPTO_ALGAPI
1102	help
1103	  Use SPARC64 crypto opcodes for AES algorithm.
1104
1105	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
1106	  algorithm.
1107
1108	  Rijndael appears to be consistently a very good performer in
1109	  both hardware and software across a wide range of computing
1110	  environments regardless of its use in feedback or non-feedback
1111	  modes. Its key setup time is excellent, and its key agility is
1112	  good. Rijndael's very low memory requirements make it very well
1113	  suited for restricted-space environments, in which it also
1114	  demonstrates excellent performance. Rijndael's operations are
1115	  among the easiest to defend against power and timing attacks.
1116
1117	  The AES specifies three key sizes: 128, 192 and 256 bits
1118
1119	  See <http://csrc.nist.gov/encryption/aes/> for more information.
1120
1121	  In addition to AES cipher algorithm support, the acceleration
1122	  for some popular block cipher mode is supported too, including
1123	  ECB and CBC.
1124
1125config CRYPTO_AES_PPC_SPE
1126	tristate "AES cipher algorithms (PPC SPE)"
1127	depends on PPC && SPE
1128	help
1129	  AES cipher algorithms (FIPS-197). Additionally the acceleration
1130	  for popular block cipher modes ECB, CBC, CTR and XTS is supported.
1131	  This module should only be used for low power (router) devices
1132	  without hardware AES acceleration (e.g. caam crypto). It reduces the
1133	  size of the AES tables from 16KB to 8KB + 256 bytes and mitigates
1134	  timining attacks. Nevertheless it might be not as secure as other
1135	  architecture specific assembler implementations that work on 1KB
1136	  tables or 256 bytes S-boxes.
1137
1138config CRYPTO_ANUBIS
1139	tristate "Anubis cipher algorithm"
1140	select CRYPTO_ALGAPI
1141	help
1142	  Anubis cipher algorithm.
1143
1144	  Anubis is a variable key length cipher which can use keys from
1145	  128 bits to 320 bits in length.  It was evaluated as a entrant
1146	  in the NESSIE competition.
1147
1148	  See also:
1149	  <https://www.cosic.esat.kuleuven.be/nessie/reports/>
1150	  <http://www.larc.usp.br/~pbarreto/AnubisPage.html>
1151
1152config CRYPTO_LIB_ARC4
1153	tristate
1154
1155config CRYPTO_ARC4
1156	tristate "ARC4 cipher algorithm"
1157	select CRYPTO_BLKCIPHER
1158	select CRYPTO_LIB_ARC4
1159	help
1160	  ARC4 cipher algorithm.
1161
1162	  ARC4 is a stream cipher using keys ranging from 8 bits to 2048
1163	  bits in length.  This algorithm is required for driver-based
1164	  WEP, but it should not be for other purposes because of the
1165	  weakness of the algorithm.
1166
1167config CRYPTO_BLOWFISH
1168	tristate "Blowfish cipher algorithm"
1169	select CRYPTO_ALGAPI
1170	select CRYPTO_BLOWFISH_COMMON
1171	help
1172	  Blowfish cipher algorithm, by Bruce Schneier.
1173
1174	  This is a variable key length cipher which can use keys from 32
1175	  bits to 448 bits in length.  It's fast, simple and specifically
1176	  designed for use on "large microprocessors".
1177
1178	  See also:
1179	  <http://www.schneier.com/blowfish.html>
1180
1181config CRYPTO_BLOWFISH_COMMON
1182	tristate
1183	help
1184	  Common parts of the Blowfish cipher algorithm shared by the
1185	  generic c and the assembler implementations.
1186
1187	  See also:
1188	  <http://www.schneier.com/blowfish.html>
1189
1190config CRYPTO_BLOWFISH_X86_64
1191	tristate "Blowfish cipher algorithm (x86_64)"
1192	depends on X86 && 64BIT
1193	select CRYPTO_BLKCIPHER
1194	select CRYPTO_BLOWFISH_COMMON
1195	help
1196	  Blowfish cipher algorithm (x86_64), by Bruce Schneier.
1197
1198	  This is a variable key length cipher which can use keys from 32
1199	  bits to 448 bits in length.  It's fast, simple and specifically
1200	  designed for use on "large microprocessors".
1201
1202	  See also:
1203	  <http://www.schneier.com/blowfish.html>
1204
1205config CRYPTO_CAMELLIA
1206	tristate "Camellia cipher algorithms"
1207	depends on CRYPTO
1208	select CRYPTO_ALGAPI
1209	help
1210	  Camellia cipher algorithms module.
1211
1212	  Camellia is a symmetric key block cipher developed jointly
1213	  at NTT and Mitsubishi Electric Corporation.
1214
1215	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1216
1217	  See also:
1218	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1219
1220config CRYPTO_CAMELLIA_X86_64
1221	tristate "Camellia cipher algorithm (x86_64)"
1222	depends on X86 && 64BIT
1223	depends on CRYPTO
1224	select CRYPTO_BLKCIPHER
1225	select CRYPTO_GLUE_HELPER_X86
1226	help
1227	  Camellia cipher algorithm module (x86_64).
1228
1229	  Camellia is a symmetric key block cipher developed jointly
1230	  at NTT and Mitsubishi Electric Corporation.
1231
1232	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1233
1234	  See also:
1235	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1236
1237config CRYPTO_CAMELLIA_AESNI_AVX_X86_64
1238	tristate "Camellia cipher algorithm (x86_64/AES-NI/AVX)"
1239	depends on X86 && 64BIT
1240	depends on CRYPTO
1241	select CRYPTO_BLKCIPHER
1242	select CRYPTO_CAMELLIA_X86_64
1243	select CRYPTO_GLUE_HELPER_X86
1244	select CRYPTO_SIMD
1245	select CRYPTO_XTS
1246	help
1247	  Camellia cipher algorithm module (x86_64/AES-NI/AVX).
1248
1249	  Camellia is a symmetric key block cipher developed jointly
1250	  at NTT and Mitsubishi Electric Corporation.
1251
1252	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1253
1254	  See also:
1255	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1256
1257config CRYPTO_CAMELLIA_AESNI_AVX2_X86_64
1258	tristate "Camellia cipher algorithm (x86_64/AES-NI/AVX2)"
1259	depends on X86 && 64BIT
1260	depends on CRYPTO
1261	select CRYPTO_CAMELLIA_AESNI_AVX_X86_64
1262	help
1263	  Camellia cipher algorithm module (x86_64/AES-NI/AVX2).
1264
1265	  Camellia is a symmetric key block cipher developed jointly
1266	  at NTT and Mitsubishi Electric Corporation.
1267
1268	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1269
1270	  See also:
1271	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1272
1273config CRYPTO_CAMELLIA_SPARC64
1274	tristate "Camellia cipher algorithm (SPARC64)"
1275	depends on SPARC64
1276	depends on CRYPTO
1277	select CRYPTO_ALGAPI
1278	help
1279	  Camellia cipher algorithm module (SPARC64).
1280
1281	  Camellia is a symmetric key block cipher developed jointly
1282	  at NTT and Mitsubishi Electric Corporation.
1283
1284	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1285
1286	  See also:
1287	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1288
1289config CRYPTO_CAST_COMMON
1290	tristate
1291	help
1292	  Common parts of the CAST cipher algorithms shared by the
1293	  generic c and the assembler implementations.
1294
1295config CRYPTO_CAST5
1296	tristate "CAST5 (CAST-128) cipher algorithm"
1297	select CRYPTO_ALGAPI
1298	select CRYPTO_CAST_COMMON
1299	help
1300	  The CAST5 encryption algorithm (synonymous with CAST-128) is
1301	  described in RFC2144.
1302
1303config CRYPTO_CAST5_AVX_X86_64
1304	tristate "CAST5 (CAST-128) cipher algorithm (x86_64/AVX)"
1305	depends on X86 && 64BIT
1306	select CRYPTO_BLKCIPHER
1307	select CRYPTO_CAST5
1308	select CRYPTO_CAST_COMMON
1309	select CRYPTO_SIMD
1310	help
1311	  The CAST5 encryption algorithm (synonymous with CAST-128) is
1312	  described in RFC2144.
1313
1314	  This module provides the Cast5 cipher algorithm that processes
1315	  sixteen blocks parallel using the AVX instruction set.
1316
1317config CRYPTO_CAST6
1318	tristate "CAST6 (CAST-256) cipher algorithm"
1319	select CRYPTO_ALGAPI
1320	select CRYPTO_CAST_COMMON
1321	help
1322	  The CAST6 encryption algorithm (synonymous with CAST-256) is
1323	  described in RFC2612.
1324
1325config CRYPTO_CAST6_AVX_X86_64
1326	tristate "CAST6 (CAST-256) cipher algorithm (x86_64/AVX)"
1327	depends on X86 && 64BIT
1328	select CRYPTO_BLKCIPHER
1329	select CRYPTO_CAST6
1330	select CRYPTO_CAST_COMMON
1331	select CRYPTO_GLUE_HELPER_X86
1332	select CRYPTO_SIMD
1333	select CRYPTO_XTS
1334	help
1335	  The CAST6 encryption algorithm (synonymous with CAST-256) is
1336	  described in RFC2612.
1337
1338	  This module provides the Cast6 cipher algorithm that processes
1339	  eight blocks parallel using the AVX instruction set.
1340
1341config CRYPTO_LIB_DES
1342	tristate
1343
1344config CRYPTO_DES
1345	tristate "DES and Triple DES EDE cipher algorithms"
1346	select CRYPTO_ALGAPI
1347	select CRYPTO_LIB_DES
1348	help
1349	  DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3).
1350
1351config CRYPTO_DES_SPARC64
1352	tristate "DES and Triple DES EDE cipher algorithms (SPARC64)"
1353	depends on SPARC64
1354	select CRYPTO_ALGAPI
1355	select CRYPTO_LIB_DES
1356	help
1357	  DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3),
1358	  optimized using SPARC64 crypto opcodes.
1359
1360config CRYPTO_DES3_EDE_X86_64
1361	tristate "Triple DES EDE cipher algorithm (x86-64)"
1362	depends on X86 && 64BIT
1363	select CRYPTO_BLKCIPHER
1364	select CRYPTO_LIB_DES
1365	help
1366	  Triple DES EDE (FIPS 46-3) algorithm.
1367
1368	  This module provides implementation of the Triple DES EDE cipher
1369	  algorithm that is optimized for x86-64 processors. Two versions of
1370	  algorithm are provided; regular processing one input block and
1371	  one that processes three blocks parallel.
1372
1373config CRYPTO_FCRYPT
1374	tristate "FCrypt cipher algorithm"
1375	select CRYPTO_ALGAPI
1376	select CRYPTO_BLKCIPHER
1377	help
1378	  FCrypt algorithm used by RxRPC.
1379
1380config CRYPTO_KHAZAD
1381	tristate "Khazad cipher algorithm"
1382	select CRYPTO_ALGAPI
1383	help
1384	  Khazad cipher algorithm.
1385
1386	  Khazad was a finalist in the initial NESSIE competition.  It is
1387	  an algorithm optimized for 64-bit processors with good performance
1388	  on 32-bit processors.  Khazad uses an 128 bit key size.
1389
1390	  See also:
1391	  <http://www.larc.usp.br/~pbarreto/KhazadPage.html>
1392
1393config CRYPTO_SALSA20
1394	tristate "Salsa20 stream cipher algorithm"
1395	select CRYPTO_BLKCIPHER
1396	help
1397	  Salsa20 stream cipher algorithm.
1398
1399	  Salsa20 is a stream cipher submitted to eSTREAM, the ECRYPT
1400	  Stream Cipher Project. See <http://www.ecrypt.eu.org/stream/>
1401
1402	  The Salsa20 stream cipher algorithm is designed by Daniel J.
1403	  Bernstein <djb@cr.yp.to>. See <http://cr.yp.to/snuffle.html>
1404
1405config CRYPTO_CHACHA20
1406	tristate "ChaCha stream cipher algorithms"
1407	select CRYPTO_BLKCIPHER
1408	help
1409	  The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms.
1410
1411	  ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
1412	  Bernstein and further specified in RFC7539 for use in IETF protocols.
1413	  This is the portable C implementation of ChaCha20.  See also:
1414	  <http://cr.yp.to/chacha/chacha-20080128.pdf>
1415
1416	  XChaCha20 is the application of the XSalsa20 construction to ChaCha20
1417	  rather than to Salsa20.  XChaCha20 extends ChaCha20's nonce length
1418	  from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
1419	  while provably retaining ChaCha20's security.  See also:
1420	  <https://cr.yp.to/snuffle/xsalsa-20081128.pdf>
1421
1422	  XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
1423	  reduced security margin but increased performance.  It can be needed
1424	  in some performance-sensitive scenarios.
1425
1426config CRYPTO_CHACHA20_X86_64
1427	tristate "ChaCha stream cipher algorithms (x86_64/SSSE3/AVX2/AVX-512VL)"
1428	depends on X86 && 64BIT
1429	select CRYPTO_BLKCIPHER
1430	select CRYPTO_CHACHA20
1431	help
1432	  SSSE3, AVX2, and AVX-512VL optimized implementations of the ChaCha20,
1433	  XChaCha20, and XChaCha12 stream ciphers.
1434
1435config CRYPTO_SEED
1436	tristate "SEED cipher algorithm"
1437	select CRYPTO_ALGAPI
1438	help
1439	  SEED cipher algorithm (RFC4269).
1440
1441	  SEED is a 128-bit symmetric key block cipher that has been
1442	  developed by KISA (Korea Information Security Agency) as a
1443	  national standard encryption algorithm of the Republic of Korea.
1444	  It is a 16 round block cipher with the key size of 128 bit.
1445
1446	  See also:
1447	  <http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp>
1448
1449config CRYPTO_SERPENT
1450	tristate "Serpent cipher algorithm"
1451	select CRYPTO_ALGAPI
1452	help
1453	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1454
1455	  Keys are allowed to be from 0 to 256 bits in length, in steps
1456	  of 8 bits.  Also includes the 'Tnepres' algorithm, a reversed
1457	  variant of Serpent for compatibility with old kerneli.org code.
1458
1459	  See also:
1460	  <http://www.cl.cam.ac.uk/~rja14/serpent.html>
1461
1462config CRYPTO_SERPENT_SSE2_X86_64
1463	tristate "Serpent cipher algorithm (x86_64/SSE2)"
1464	depends on X86 && 64BIT
1465	select CRYPTO_BLKCIPHER
1466	select CRYPTO_GLUE_HELPER_X86
1467	select CRYPTO_SERPENT
1468	select CRYPTO_SIMD
1469	help
1470	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1471
1472	  Keys are allowed to be from 0 to 256 bits in length, in steps
1473	  of 8 bits.
1474
1475	  This module provides Serpent cipher algorithm that processes eight
1476	  blocks parallel using SSE2 instruction set.
1477
1478	  See also:
1479	  <http://www.cl.cam.ac.uk/~rja14/serpent.html>
1480
1481config CRYPTO_SERPENT_SSE2_586
1482	tristate "Serpent cipher algorithm (i586/SSE2)"
1483	depends on X86 && !64BIT
1484	select CRYPTO_BLKCIPHER
1485	select CRYPTO_GLUE_HELPER_X86
1486	select CRYPTO_SERPENT
1487	select CRYPTO_SIMD
1488	help
1489	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1490
1491	  Keys are allowed to be from 0 to 256 bits in length, in steps
1492	  of 8 bits.
1493
1494	  This module provides Serpent cipher algorithm that processes four
1495	  blocks parallel using SSE2 instruction set.
1496
1497	  See also:
1498	  <http://www.cl.cam.ac.uk/~rja14/serpent.html>
1499
1500config CRYPTO_SERPENT_AVX_X86_64
1501	tristate "Serpent cipher algorithm (x86_64/AVX)"
1502	depends on X86 && 64BIT
1503	select CRYPTO_BLKCIPHER
1504	select CRYPTO_GLUE_HELPER_X86
1505	select CRYPTO_SERPENT
1506	select CRYPTO_SIMD
1507	select CRYPTO_XTS
1508	help
1509	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1510
1511	  Keys are allowed to be from 0 to 256 bits in length, in steps
1512	  of 8 bits.
1513
1514	  This module provides the Serpent cipher algorithm that processes
1515	  eight blocks parallel using the AVX instruction set.
1516
1517	  See also:
1518	  <http://www.cl.cam.ac.uk/~rja14/serpent.html>
1519
1520config CRYPTO_SERPENT_AVX2_X86_64
1521	tristate "Serpent cipher algorithm (x86_64/AVX2)"
1522	depends on X86 && 64BIT
1523	select CRYPTO_SERPENT_AVX_X86_64
1524	help
1525	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1526
1527	  Keys are allowed to be from 0 to 256 bits in length, in steps
1528	  of 8 bits.
1529
1530	  This module provides Serpent cipher algorithm that processes 16
1531	  blocks parallel using AVX2 instruction set.
1532
1533	  See also:
1534	  <http://www.cl.cam.ac.uk/~rja14/serpent.html>
1535
1536config CRYPTO_SM4
1537	tristate "SM4 cipher algorithm"
1538	select CRYPTO_ALGAPI
1539	help
1540	  SM4 cipher algorithms (OSCCA GB/T 32907-2016).
1541
1542	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
1543	  Organization of State Commercial Administration of China (OSCCA)
1544	  as an authorized cryptographic algorithms for the use within China.
1545
1546	  SMS4 was originally created for use in protecting wireless
1547	  networks, and is mandated in the Chinese National Standard for
1548	  Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
1549	  (GB.15629.11-2003).
1550
1551	  The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
1552	  standardized through TC 260 of the Standardization Administration
1553	  of the People's Republic of China (SAC).
1554
1555	  The input, output, and key of SMS4 are each 128 bits.
1556
1557	  See also: <https://eprint.iacr.org/2008/329.pdf>
1558
1559	  If unsure, say N.
1560
1561config CRYPTO_TEA
1562	tristate "TEA, XTEA and XETA cipher algorithms"
1563	select CRYPTO_ALGAPI
1564	help
1565	  TEA cipher algorithm.
1566
1567	  Tiny Encryption Algorithm is a simple cipher that uses
1568	  many rounds for security.  It is very fast and uses
1569	  little memory.
1570
1571	  Xtendend Tiny Encryption Algorithm is a modification to
1572	  the TEA algorithm to address a potential key weakness
1573	  in the TEA algorithm.
1574
1575	  Xtendend Encryption Tiny Algorithm is a mis-implementation
1576	  of the XTEA algorithm for compatibility purposes.
1577
1578config CRYPTO_TWOFISH
1579	tristate "Twofish cipher algorithm"
1580	select CRYPTO_ALGAPI
1581	select CRYPTO_TWOFISH_COMMON
1582	help
1583	  Twofish cipher algorithm.
1584
1585	  Twofish was submitted as an AES (Advanced Encryption Standard)
1586	  candidate cipher by researchers at CounterPane Systems.  It is a
1587	  16 round block cipher supporting key sizes of 128, 192, and 256
1588	  bits.
1589
1590	  See also:
1591	  <http://www.schneier.com/twofish.html>
1592
1593config CRYPTO_TWOFISH_COMMON
1594	tristate
1595	help
1596	  Common parts of the Twofish cipher algorithm shared by the
1597	  generic c and the assembler implementations.
1598
1599config CRYPTO_TWOFISH_586
1600	tristate "Twofish cipher algorithms (i586)"
1601	depends on (X86 || UML_X86) && !64BIT
1602	select CRYPTO_ALGAPI
1603	select CRYPTO_TWOFISH_COMMON
1604	help
1605	  Twofish cipher algorithm.
1606
1607	  Twofish was submitted as an AES (Advanced Encryption Standard)
1608	  candidate cipher by researchers at CounterPane Systems.  It is a
1609	  16 round block cipher supporting key sizes of 128, 192, and 256
1610	  bits.
1611
1612	  See also:
1613	  <http://www.schneier.com/twofish.html>
1614
1615config CRYPTO_TWOFISH_X86_64
1616	tristate "Twofish cipher algorithm (x86_64)"
1617	depends on (X86 || UML_X86) && 64BIT
1618	select CRYPTO_ALGAPI
1619	select CRYPTO_TWOFISH_COMMON
1620	help
1621	  Twofish cipher algorithm (x86_64).
1622
1623	  Twofish was submitted as an AES (Advanced Encryption Standard)
1624	  candidate cipher by researchers at CounterPane Systems.  It is a
1625	  16 round block cipher supporting key sizes of 128, 192, and 256
1626	  bits.
1627
1628	  See also:
1629	  <http://www.schneier.com/twofish.html>
1630
1631config CRYPTO_TWOFISH_X86_64_3WAY
1632	tristate "Twofish cipher algorithm (x86_64, 3-way parallel)"
1633	depends on X86 && 64BIT
1634	select CRYPTO_BLKCIPHER
1635	select CRYPTO_TWOFISH_COMMON
1636	select CRYPTO_TWOFISH_X86_64
1637	select CRYPTO_GLUE_HELPER_X86
1638	help
1639	  Twofish cipher algorithm (x86_64, 3-way parallel).
1640
1641	  Twofish was submitted as an AES (Advanced Encryption Standard)
1642	  candidate cipher by researchers at CounterPane Systems.  It is a
1643	  16 round block cipher supporting key sizes of 128, 192, and 256
1644	  bits.
1645
1646	  This module provides Twofish cipher algorithm that processes three
1647	  blocks parallel, utilizing resources of out-of-order CPUs better.
1648
1649	  See also:
1650	  <http://www.schneier.com/twofish.html>
1651
1652config CRYPTO_TWOFISH_AVX_X86_64
1653	tristate "Twofish cipher algorithm (x86_64/AVX)"
1654	depends on X86 && 64BIT
1655	select CRYPTO_BLKCIPHER
1656	select CRYPTO_GLUE_HELPER_X86
1657	select CRYPTO_SIMD
1658	select CRYPTO_TWOFISH_COMMON
1659	select CRYPTO_TWOFISH_X86_64
1660	select CRYPTO_TWOFISH_X86_64_3WAY
1661	help
1662	  Twofish cipher algorithm (x86_64/AVX).
1663
1664	  Twofish was submitted as an AES (Advanced Encryption Standard)
1665	  candidate cipher by researchers at CounterPane Systems.  It is a
1666	  16 round block cipher supporting key sizes of 128, 192, and 256
1667	  bits.
1668
1669	  This module provides the Twofish cipher algorithm that processes
1670	  eight blocks parallel using the AVX Instruction Set.
1671
1672	  See also:
1673	  <http://www.schneier.com/twofish.html>
1674
1675comment "Compression"
1676
1677config CRYPTO_DEFLATE
1678	tristate "Deflate compression algorithm"
1679	select CRYPTO_ALGAPI
1680	select CRYPTO_ACOMP2
1681	select ZLIB_INFLATE
1682	select ZLIB_DEFLATE
1683	help
1684	  This is the Deflate algorithm (RFC1951), specified for use in
1685	  IPSec with the IPCOMP protocol (RFC3173, RFC2394).
1686
1687	  You will most probably want this if using IPSec.
1688
1689config CRYPTO_LZO
1690	tristate "LZO compression algorithm"
1691	select CRYPTO_ALGAPI
1692	select CRYPTO_ACOMP2
1693	select LZO_COMPRESS
1694	select LZO_DECOMPRESS
1695	help
1696	  This is the LZO algorithm.
1697
1698config CRYPTO_842
1699	tristate "842 compression algorithm"
1700	select CRYPTO_ALGAPI
1701	select CRYPTO_ACOMP2
1702	select 842_COMPRESS
1703	select 842_DECOMPRESS
1704	help
1705	  This is the 842 algorithm.
1706
1707config CRYPTO_LZ4
1708	tristate "LZ4 compression algorithm"
1709	select CRYPTO_ALGAPI
1710	select CRYPTO_ACOMP2
1711	select LZ4_COMPRESS
1712	select LZ4_DECOMPRESS
1713	help
1714	  This is the LZ4 algorithm.
1715
1716config CRYPTO_LZ4HC
1717	tristate "LZ4HC compression algorithm"
1718	select CRYPTO_ALGAPI
1719	select CRYPTO_ACOMP2
1720	select LZ4HC_COMPRESS
1721	select LZ4_DECOMPRESS
1722	help
1723	  This is the LZ4 high compression mode algorithm.
1724
1725config CRYPTO_ZSTD
1726	tristate "Zstd compression algorithm"
1727	select CRYPTO_ALGAPI
1728	select CRYPTO_ACOMP2
1729	select ZSTD_COMPRESS
1730	select ZSTD_DECOMPRESS
1731	help
1732	  This is the zstd algorithm.
1733
1734comment "Random Number Generation"
1735
1736config CRYPTO_ANSI_CPRNG
1737	tristate "Pseudo Random Number Generation for Cryptographic modules"
1738	select CRYPTO_AES
1739	select CRYPTO_RNG
1740	help
1741	  This option enables the generic pseudo random number generator
1742	  for cryptographic modules.  Uses the Algorithm specified in
1743	  ANSI X9.31 A.2.4. Note that this option must be enabled if
1744	  CRYPTO_FIPS is selected
1745
1746menuconfig CRYPTO_DRBG_MENU
1747	tristate "NIST SP800-90A DRBG"
1748	help
1749	  NIST SP800-90A compliant DRBG. In the following submenu, one or
1750	  more of the DRBG types must be selected.
1751
1752if CRYPTO_DRBG_MENU
1753
1754config CRYPTO_DRBG_HMAC
1755	bool
1756	default y
1757	select CRYPTO_HMAC
1758	select CRYPTO_SHA256
1759
1760config CRYPTO_DRBG_HASH
1761	bool "Enable Hash DRBG"
1762	select CRYPTO_SHA256
1763	help
1764	  Enable the Hash DRBG variant as defined in NIST SP800-90A.
1765
1766config CRYPTO_DRBG_CTR
1767	bool "Enable CTR DRBG"
1768	select CRYPTO_AES
1769	depends on CRYPTO_CTR
1770	help
1771	  Enable the CTR DRBG variant as defined in NIST SP800-90A.
1772
1773config CRYPTO_DRBG
1774	tristate
1775	default CRYPTO_DRBG_MENU
1776	select CRYPTO_RNG
1777	select CRYPTO_JITTERENTROPY
1778
1779endif	# if CRYPTO_DRBG_MENU
1780
1781config CRYPTO_JITTERENTROPY
1782	tristate "Jitterentropy Non-Deterministic Random Number Generator"
1783	select CRYPTO_RNG
1784	help
1785	  The Jitterentropy RNG is a noise that is intended
1786	  to provide seed to another RNG. The RNG does not
1787	  perform any cryptographic whitening of the generated
1788	  random numbers. This Jitterentropy RNG registers with
1789	  the kernel crypto API and can be used by any caller.
1790
1791config CRYPTO_USER_API
1792	tristate
1793
1794config CRYPTO_USER_API_HASH
1795	tristate "User-space interface for hash algorithms"
1796	depends on NET
1797	select CRYPTO_HASH
1798	select CRYPTO_USER_API
1799	help
1800	  This option enables the user-spaces interface for hash
1801	  algorithms.
1802
1803config CRYPTO_USER_API_SKCIPHER
1804	tristate "User-space interface for symmetric key cipher algorithms"
1805	depends on NET
1806	select CRYPTO_BLKCIPHER
1807	select CRYPTO_USER_API
1808	help
1809	  This option enables the user-spaces interface for symmetric
1810	  key cipher algorithms.
1811
1812config CRYPTO_USER_API_RNG
1813	tristate "User-space interface for random number generator algorithms"
1814	depends on NET
1815	select CRYPTO_RNG
1816	select CRYPTO_USER_API
1817	help
1818	  This option enables the user-spaces interface for random
1819	  number generator algorithms.
1820
1821config CRYPTO_USER_API_AEAD
1822	tristate "User-space interface for AEAD cipher algorithms"
1823	depends on NET
1824	select CRYPTO_AEAD
1825	select CRYPTO_BLKCIPHER
1826	select CRYPTO_NULL
1827	select CRYPTO_USER_API
1828	help
1829	  This option enables the user-spaces interface for AEAD
1830	  cipher algorithms.
1831
1832config CRYPTO_STATS
1833	bool "Crypto usage statistics for User-space"
1834	depends on CRYPTO_USER
1835	help
1836	  This option enables the gathering of crypto stats.
1837	  This will collect:
1838	  - encrypt/decrypt size and numbers of symmeric operations
1839	  - compress/decompress size and numbers of compress operations
1840	  - size and numbers of hash operations
1841	  - encrypt/decrypt/sign/verify numbers for asymmetric operations
1842	  - generate/seed numbers for rng operations
1843
1844config CRYPTO_HASH_INFO
1845	bool
1846
1847source "drivers/crypto/Kconfig"
1848source "crypto/asymmetric_keys/Kconfig"
1849source "certs/Kconfig"
1850
1851endif	# if CRYPTO
1852