xref: /openbmc/linux/crypto/Kconfig (revision 79f382b9)
1# SPDX-License-Identifier: GPL-2.0
2#
3# Generic algorithms support
4#
5config XOR_BLOCKS
6	tristate
7
8#
9# async_tx api: hardware offloaded memory transfer/transform support
10#
11source "crypto/async_tx/Kconfig"
12
13#
14# Cryptographic API Configuration
15#
16menuconfig CRYPTO
17	tristate "Cryptographic API"
18	help
19	  This option provides the core Cryptographic API.
20
21if CRYPTO
22
23comment "Crypto core or helper"
24
25config CRYPTO_FIPS
26	bool "FIPS 200 compliance"
27	depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
28	depends on (MODULE_SIG || !MODULES)
29	help
30	  This option enables the fips boot option which is
31	  required if you want the system to operate in a FIPS 200
32	  certification.  You should say no unless you know what
33	  this is.
34
35config CRYPTO_ALGAPI
36	tristate
37	select CRYPTO_ALGAPI2
38	help
39	  This option provides the API for cryptographic algorithms.
40
41config CRYPTO_ALGAPI2
42	tristate
43
44config CRYPTO_AEAD
45	tristate
46	select CRYPTO_AEAD2
47	select CRYPTO_ALGAPI
48
49config CRYPTO_AEAD2
50	tristate
51	select CRYPTO_ALGAPI2
52	select CRYPTO_NULL2
53	select CRYPTO_RNG2
54
55config CRYPTO_SKCIPHER
56	tristate
57	select CRYPTO_SKCIPHER2
58	select CRYPTO_ALGAPI
59
60config CRYPTO_SKCIPHER2
61	tristate
62	select CRYPTO_ALGAPI2
63	select CRYPTO_RNG2
64
65config CRYPTO_HASH
66	tristate
67	select CRYPTO_HASH2
68	select CRYPTO_ALGAPI
69
70config CRYPTO_HASH2
71	tristate
72	select CRYPTO_ALGAPI2
73
74config CRYPTO_RNG
75	tristate
76	select CRYPTO_RNG2
77	select CRYPTO_ALGAPI
78
79config CRYPTO_RNG2
80	tristate
81	select CRYPTO_ALGAPI2
82
83config CRYPTO_RNG_DEFAULT
84	tristate
85	select CRYPTO_DRBG_MENU
86
87config CRYPTO_AKCIPHER2
88	tristate
89	select CRYPTO_ALGAPI2
90
91config CRYPTO_AKCIPHER
92	tristate
93	select CRYPTO_AKCIPHER2
94	select CRYPTO_ALGAPI
95
96config CRYPTO_KPP2
97	tristate
98	select CRYPTO_ALGAPI2
99
100config CRYPTO_KPP
101	tristate
102	select CRYPTO_ALGAPI
103	select CRYPTO_KPP2
104
105config CRYPTO_ACOMP2
106	tristate
107	select CRYPTO_ALGAPI2
108	select SGL_ALLOC
109
110config CRYPTO_ACOMP
111	tristate
112	select CRYPTO_ALGAPI
113	select CRYPTO_ACOMP2
114
115config CRYPTO_MANAGER
116	tristate "Cryptographic algorithm manager"
117	select CRYPTO_MANAGER2
118	help
119	  Create default cryptographic template instantiations such as
120	  cbc(aes).
121
122config CRYPTO_MANAGER2
123	def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
124	select CRYPTO_AEAD2
125	select CRYPTO_HASH2
126	select CRYPTO_SKCIPHER2
127	select CRYPTO_AKCIPHER2
128	select CRYPTO_KPP2
129	select CRYPTO_ACOMP2
130
131config CRYPTO_USER
132	tristate "Userspace cryptographic algorithm configuration"
133	depends on NET
134	select CRYPTO_MANAGER
135	help
136	  Userspace configuration for cryptographic instantiations such as
137	  cbc(aes).
138
139config CRYPTO_MANAGER_DISABLE_TESTS
140	bool "Disable run-time self tests"
141	default y
142	help
143	  Disable run-time self tests that normally take place at
144	  algorithm registration.
145
146config CRYPTO_MANAGER_EXTRA_TESTS
147	bool "Enable extra run-time crypto self tests"
148	depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER
149	help
150	  Enable extra run-time self tests of registered crypto algorithms,
151	  including randomized fuzz tests.
152
153	  This is intended for developer use only, as these tests take much
154	  longer to run than the normal self tests.
155
156config CRYPTO_GF128MUL
157	tristate
158
159config CRYPTO_NULL
160	tristate "Null algorithms"
161	select CRYPTO_NULL2
162	help
163	  These are 'Null' algorithms, used by IPsec, which do nothing.
164
165config CRYPTO_NULL2
166	tristate
167	select CRYPTO_ALGAPI2
168	select CRYPTO_SKCIPHER2
169	select CRYPTO_HASH2
170
171config CRYPTO_PCRYPT
172	tristate "Parallel crypto engine"
173	depends on SMP
174	select PADATA
175	select CRYPTO_MANAGER
176	select CRYPTO_AEAD
177	help
178	  This converts an arbitrary crypto algorithm into a parallel
179	  algorithm that executes in kernel threads.
180
181config CRYPTO_CRYPTD
182	tristate "Software async crypto daemon"
183	select CRYPTO_SKCIPHER
184	select CRYPTO_HASH
185	select CRYPTO_MANAGER
186	help
187	  This is a generic software asynchronous crypto daemon that
188	  converts an arbitrary synchronous software crypto algorithm
189	  into an asynchronous algorithm that executes in a kernel thread.
190
191config CRYPTO_AUTHENC
192	tristate "Authenc support"
193	select CRYPTO_AEAD
194	select CRYPTO_SKCIPHER
195	select CRYPTO_MANAGER
196	select CRYPTO_HASH
197	select CRYPTO_NULL
198	help
199	  Authenc: Combined mode wrapper for IPsec.
200	  This is required for IPSec.
201
202config CRYPTO_TEST
203	tristate "Testing module"
204	depends on m || EXPERT
205	select CRYPTO_MANAGER
206	help
207	  Quick & dirty crypto test module.
208
209config CRYPTO_SIMD
210	tristate
211	select CRYPTO_CRYPTD
212
213config CRYPTO_ENGINE
214	tristate
215
216comment "Public-key cryptography"
217
218config CRYPTO_RSA
219	tristate "RSA algorithm"
220	select CRYPTO_AKCIPHER
221	select CRYPTO_MANAGER
222	select MPILIB
223	select ASN1
224	help
225	  Generic implementation of the RSA public key algorithm.
226
227config CRYPTO_DH
228	tristate "Diffie-Hellman algorithm"
229	select CRYPTO_KPP
230	select MPILIB
231	help
232	  Generic implementation of the Diffie-Hellman algorithm.
233
234config CRYPTO_ECC
235	tristate
236
237config CRYPTO_ECDH
238	tristate "ECDH algorithm"
239	select CRYPTO_ECC
240	select CRYPTO_KPP
241	select CRYPTO_RNG_DEFAULT
242	help
243	  Generic implementation of the ECDH algorithm
244
245config CRYPTO_ECRDSA
246	tristate "EC-RDSA (GOST 34.10) algorithm"
247	select CRYPTO_ECC
248	select CRYPTO_AKCIPHER
249	select CRYPTO_STREEBOG
250	select OID_REGISTRY
251	select ASN1
252	help
253	  Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
254	  RFC 7091, ISO/IEC 14888-3:2018) is one of the Russian cryptographic
255	  standard algorithms (called GOST algorithms). Only signature verification
256	  is implemented.
257
258config CRYPTO_SM2
259	tristate "SM2 algorithm"
260	select CRYPTO_SM3
261	select CRYPTO_AKCIPHER
262	select CRYPTO_MANAGER
263	select MPILIB
264	select ASN1
265	help
266	  Generic implementation of the SM2 public key algorithm. It was
267	  published by State Encryption Management Bureau, China.
268	  as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012.
269
270	  References:
271	  https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02
272	  http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml
273	  http://www.gmbz.org.cn/main/bzlb.html
274
275config CRYPTO_CURVE25519
276	tristate "Curve25519 algorithm"
277	select CRYPTO_KPP
278	select CRYPTO_LIB_CURVE25519_GENERIC
279
280config CRYPTO_CURVE25519_X86
281	tristate "x86_64 accelerated Curve25519 scalar multiplication library"
282	depends on X86 && 64BIT
283	select CRYPTO_LIB_CURVE25519_GENERIC
284	select CRYPTO_ARCH_HAVE_LIB_CURVE25519
285
286comment "Authenticated Encryption with Associated Data"
287
288config CRYPTO_CCM
289	tristate "CCM support"
290	select CRYPTO_CTR
291	select CRYPTO_HASH
292	select CRYPTO_AEAD
293	select CRYPTO_MANAGER
294	help
295	  Support for Counter with CBC MAC. Required for IPsec.
296
297config CRYPTO_GCM
298	tristate "GCM/GMAC support"
299	select CRYPTO_CTR
300	select CRYPTO_AEAD
301	select CRYPTO_GHASH
302	select CRYPTO_NULL
303	select CRYPTO_MANAGER
304	help
305	  Support for Galois/Counter Mode (GCM) and Galois Message
306	  Authentication Code (GMAC). Required for IPSec.
307
308config CRYPTO_CHACHA20POLY1305
309	tristate "ChaCha20-Poly1305 AEAD support"
310	select CRYPTO_CHACHA20
311	select CRYPTO_POLY1305
312	select CRYPTO_AEAD
313	select CRYPTO_MANAGER
314	help
315	  ChaCha20-Poly1305 AEAD support, RFC7539.
316
317	  Support for the AEAD wrapper using the ChaCha20 stream cipher combined
318	  with the Poly1305 authenticator. It is defined in RFC7539 for use in
319	  IETF protocols.
320
321config CRYPTO_AEGIS128
322	tristate "AEGIS-128 AEAD algorithm"
323	select CRYPTO_AEAD
324	select CRYPTO_AES  # for AES S-box tables
325	help
326	 Support for the AEGIS-128 dedicated AEAD algorithm.
327
328config CRYPTO_AEGIS128_SIMD
329	bool "Support SIMD acceleration for AEGIS-128"
330	depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
331	default y
332
333config CRYPTO_AEGIS128_AESNI_SSE2
334	tristate "AEGIS-128 AEAD algorithm (x86_64 AESNI+SSE2 implementation)"
335	depends on X86 && 64BIT
336	select CRYPTO_AEAD
337	select CRYPTO_SIMD
338	help
339	 AESNI+SSE2 implementation of the AEGIS-128 dedicated AEAD algorithm.
340
341config CRYPTO_SEQIV
342	tristate "Sequence Number IV Generator"
343	select CRYPTO_AEAD
344	select CRYPTO_SKCIPHER
345	select CRYPTO_NULL
346	select CRYPTO_RNG_DEFAULT
347	select CRYPTO_MANAGER
348	help
349	  This IV generator generates an IV based on a sequence number by
350	  xoring it with a salt.  This algorithm is mainly useful for CTR
351
352config CRYPTO_ECHAINIV
353	tristate "Encrypted Chain IV Generator"
354	select CRYPTO_AEAD
355	select CRYPTO_NULL
356	select CRYPTO_RNG_DEFAULT
357	select CRYPTO_MANAGER
358	help
359	  This IV generator generates an IV based on the encryption of
360	  a sequence number xored with a salt.  This is the default
361	  algorithm for CBC.
362
363comment "Block modes"
364
365config CRYPTO_CBC
366	tristate "CBC support"
367	select CRYPTO_SKCIPHER
368	select CRYPTO_MANAGER
369	help
370	  CBC: Cipher Block Chaining mode
371	  This block cipher algorithm is required for IPSec.
372
373config CRYPTO_CFB
374	tristate "CFB support"
375	select CRYPTO_SKCIPHER
376	select CRYPTO_MANAGER
377	help
378	  CFB: Cipher FeedBack mode
379	  This block cipher algorithm is required for TPM2 Cryptography.
380
381config CRYPTO_CTR
382	tristate "CTR support"
383	select CRYPTO_SKCIPHER
384	select CRYPTO_MANAGER
385	help
386	  CTR: Counter mode
387	  This block cipher algorithm is required for IPSec.
388
389config CRYPTO_CTS
390	tristate "CTS support"
391	select CRYPTO_SKCIPHER
392	select CRYPTO_MANAGER
393	help
394	  CTS: Cipher Text Stealing
395	  This is the Cipher Text Stealing mode as described by
396	  Section 8 of rfc2040 and referenced by rfc3962
397	  (rfc3962 includes errata information in its Appendix A) or
398	  CBC-CS3 as defined by NIST in Sp800-38A addendum from Oct 2010.
399	  This mode is required for Kerberos gss mechanism support
400	  for AES encryption.
401
402	  See: https://csrc.nist.gov/publications/detail/sp/800-38a/addendum/final
403
404config CRYPTO_ECB
405	tristate "ECB support"
406	select CRYPTO_SKCIPHER
407	select CRYPTO_MANAGER
408	help
409	  ECB: Electronic CodeBook mode
410	  This is the simplest block cipher algorithm.  It simply encrypts
411	  the input block by block.
412
413config CRYPTO_LRW
414	tristate "LRW support"
415	select CRYPTO_SKCIPHER
416	select CRYPTO_MANAGER
417	select CRYPTO_GF128MUL
418	help
419	  LRW: Liskov Rivest Wagner, a tweakable, non malleable, non movable
420	  narrow block cipher mode for dm-crypt.  Use it with cipher
421	  specification string aes-lrw-benbi, the key must be 256, 320 or 384.
422	  The first 128, 192 or 256 bits in the key are used for AES and the
423	  rest is used to tie each cipher block to its logical position.
424
425config CRYPTO_OFB
426	tristate "OFB support"
427	select CRYPTO_SKCIPHER
428	select CRYPTO_MANAGER
429	help
430	  OFB: the Output Feedback mode makes a block cipher into a synchronous
431	  stream cipher. It generates keystream blocks, which are then XORed
432	  with the plaintext blocks to get the ciphertext. Flipping a bit in the
433	  ciphertext produces a flipped bit in the plaintext at the same
434	  location. This property allows many error correcting codes to function
435	  normally even when applied before encryption.
436
437config CRYPTO_PCBC
438	tristate "PCBC support"
439	select CRYPTO_SKCIPHER
440	select CRYPTO_MANAGER
441	help
442	  PCBC: Propagating Cipher Block Chaining mode
443	  This block cipher algorithm is required for RxRPC.
444
445config CRYPTO_XTS
446	tristate "XTS support"
447	select CRYPTO_SKCIPHER
448	select CRYPTO_MANAGER
449	select CRYPTO_ECB
450	help
451	  XTS: IEEE1619/D16 narrow block cipher use with aes-xts-plain,
452	  key size 256, 384 or 512 bits. This implementation currently
453	  can't handle a sectorsize which is not a multiple of 16 bytes.
454
455config CRYPTO_KEYWRAP
456	tristate "Key wrapping support"
457	select CRYPTO_SKCIPHER
458	select CRYPTO_MANAGER
459	help
460	  Support for key wrapping (NIST SP800-38F / RFC3394) without
461	  padding.
462
463config CRYPTO_NHPOLY1305
464	tristate
465	select CRYPTO_HASH
466	select CRYPTO_LIB_POLY1305_GENERIC
467
468config CRYPTO_NHPOLY1305_SSE2
469	tristate "NHPoly1305 hash function (x86_64 SSE2 implementation)"
470	depends on X86 && 64BIT
471	select CRYPTO_NHPOLY1305
472	help
473	  SSE2 optimized implementation of the hash function used by the
474	  Adiantum encryption mode.
475
476config CRYPTO_NHPOLY1305_AVX2
477	tristate "NHPoly1305 hash function (x86_64 AVX2 implementation)"
478	depends on X86 && 64BIT
479	select CRYPTO_NHPOLY1305
480	help
481	  AVX2 optimized implementation of the hash function used by the
482	  Adiantum encryption mode.
483
484config CRYPTO_ADIANTUM
485	tristate "Adiantum support"
486	select CRYPTO_CHACHA20
487	select CRYPTO_LIB_POLY1305_GENERIC
488	select CRYPTO_NHPOLY1305
489	select CRYPTO_MANAGER
490	help
491	  Adiantum is a tweakable, length-preserving encryption mode
492	  designed for fast and secure disk encryption, especially on
493	  CPUs without dedicated crypto instructions.  It encrypts
494	  each sector using the XChaCha12 stream cipher, two passes of
495	  an ε-almost-∆-universal hash function, and an invocation of
496	  the AES-256 block cipher on a single 16-byte block.  On CPUs
497	  without AES instructions, Adiantum is much faster than
498	  AES-XTS.
499
500	  Adiantum's security is provably reducible to that of its
501	  underlying stream and block ciphers, subject to a security
502	  bound.  Unlike XTS, Adiantum is a true wide-block encryption
503	  mode, so it actually provides an even stronger notion of
504	  security than XTS, subject to the security bound.
505
506	  If unsure, say N.
507
508config CRYPTO_ESSIV
509	tristate "ESSIV support for block encryption"
510	select CRYPTO_AUTHENC
511	help
512	  Encrypted salt-sector initialization vector (ESSIV) is an IV
513	  generation method that is used in some cases by fscrypt and/or
514	  dm-crypt. It uses the hash of the block encryption key as the
515	  symmetric key for a block encryption pass applied to the input
516	  IV, making low entropy IV sources more suitable for block
517	  encryption.
518
519	  This driver implements a crypto API template that can be
520	  instantiated either as an skcipher or as an AEAD (depending on the
521	  type of the first template argument), and which defers encryption
522	  and decryption requests to the encapsulated cipher after applying
523	  ESSIV to the input IV. Note that in the AEAD case, it is assumed
524	  that the keys are presented in the same format used by the authenc
525	  template, and that the IV appears at the end of the authenticated
526	  associated data (AAD) region (which is how dm-crypt uses it.)
527
528	  Note that the use of ESSIV is not recommended for new deployments,
529	  and so this only needs to be enabled when interoperability with
530	  existing encrypted volumes of filesystems is required, or when
531	  building for a particular system that requires it (e.g., when
532	  the SoC in question has accelerated CBC but not XTS, making CBC
533	  combined with ESSIV the only feasible mode for h/w accelerated
534	  block encryption)
535
536comment "Hash modes"
537
538config CRYPTO_CMAC
539	tristate "CMAC support"
540	select CRYPTO_HASH
541	select CRYPTO_MANAGER
542	help
543	  Cipher-based Message Authentication Code (CMAC) specified by
544	  The National Institute of Standards and Technology (NIST).
545
546	  https://tools.ietf.org/html/rfc4493
547	  http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf
548
549config CRYPTO_HMAC
550	tristate "HMAC support"
551	select CRYPTO_HASH
552	select CRYPTO_MANAGER
553	help
554	  HMAC: Keyed-Hashing for Message Authentication (RFC2104).
555	  This is required for IPSec.
556
557config CRYPTO_XCBC
558	tristate "XCBC support"
559	select CRYPTO_HASH
560	select CRYPTO_MANAGER
561	help
562	  XCBC: Keyed-Hashing with encryption algorithm
563		https://www.ietf.org/rfc/rfc3566.txt
564		http://csrc.nist.gov/encryption/modes/proposedmodes/
565		 xcbc-mac/xcbc-mac-spec.pdf
566
567config CRYPTO_VMAC
568	tristate "VMAC support"
569	select CRYPTO_HASH
570	select CRYPTO_MANAGER
571	help
572	  VMAC is a message authentication algorithm designed for
573	  very high speed on 64-bit architectures.
574
575	  See also:
576	  <https://fastcrypto.org/vmac>
577
578comment "Digest"
579
580config CRYPTO_CRC32C
581	tristate "CRC32c CRC algorithm"
582	select CRYPTO_HASH
583	select CRC32
584	help
585	  Castagnoli, et al Cyclic Redundancy-Check Algorithm.  Used
586	  by iSCSI for header and data digests and by others.
587	  See Castagnoli93.  Module will be crc32c.
588
589config CRYPTO_CRC32C_INTEL
590	tristate "CRC32c INTEL hardware acceleration"
591	depends on X86
592	select CRYPTO_HASH
593	help
594	  In Intel processor with SSE4.2 supported, the processor will
595	  support CRC32C implementation using hardware accelerated CRC32
596	  instruction. This option will create 'crc32c-intel' module,
597	  which will enable any routine to use the CRC32 instruction to
598	  gain performance compared with software implementation.
599	  Module will be crc32c-intel.
600
601config CRYPTO_CRC32C_VPMSUM
602	tristate "CRC32c CRC algorithm (powerpc64)"
603	depends on PPC64 && ALTIVEC
604	select CRYPTO_HASH
605	select CRC32
606	help
607	  CRC32c algorithm implemented using vector polynomial multiply-sum
608	  (vpmsum) instructions, introduced in POWER8. Enable on POWER8
609	  and newer processors for improved performance.
610
611
612config CRYPTO_CRC32C_SPARC64
613	tristate "CRC32c CRC algorithm (SPARC64)"
614	depends on SPARC64
615	select CRYPTO_HASH
616	select CRC32
617	help
618	  CRC32c CRC algorithm implemented using sparc64 crypto instructions,
619	  when available.
620
621config CRYPTO_CRC32
622	tristate "CRC32 CRC algorithm"
623	select CRYPTO_HASH
624	select CRC32
625	help
626	  CRC-32-IEEE 802.3 cyclic redundancy-check algorithm.
627	  Shash crypto api wrappers to crc32_le function.
628
629config CRYPTO_CRC32_PCLMUL
630	tristate "CRC32 PCLMULQDQ hardware acceleration"
631	depends on X86
632	select CRYPTO_HASH
633	select CRC32
634	help
635	  From Intel Westmere and AMD Bulldozer processor with SSE4.2
636	  and PCLMULQDQ supported, the processor will support
637	  CRC32 PCLMULQDQ implementation using hardware accelerated PCLMULQDQ
638	  instruction. This option will create 'crc32-pclmul' module,
639	  which will enable any routine to use the CRC-32-IEEE 802.3 checksum
640	  and gain better performance as compared with the table implementation.
641
642config CRYPTO_CRC32_MIPS
643	tristate "CRC32c and CRC32 CRC algorithm (MIPS)"
644	depends on MIPS_CRC_SUPPORT
645	select CRYPTO_HASH
646	help
647	  CRC32c and CRC32 CRC algorithms implemented using mips crypto
648	  instructions, when available.
649
650
651config CRYPTO_XXHASH
652	tristate "xxHash hash algorithm"
653	select CRYPTO_HASH
654	select XXHASH
655	help
656	  xxHash non-cryptographic hash algorithm. Extremely fast, working at
657	  speeds close to RAM limits.
658
659config CRYPTO_BLAKE2B
660	tristate "BLAKE2b digest algorithm"
661	select CRYPTO_HASH
662	help
663	  Implementation of cryptographic hash function BLAKE2b (or just BLAKE2),
664	  optimized for 64bit platforms and can produce digests of any size
665	  between 1 to 64.  The keyed hash is also implemented.
666
667	  This module provides the following algorithms:
668
669	  - blake2b-160
670	  - blake2b-256
671	  - blake2b-384
672	  - blake2b-512
673
674	  See https://blake2.net for further information.
675
676config CRYPTO_BLAKE2S
677	tristate "BLAKE2s digest algorithm"
678	select CRYPTO_LIB_BLAKE2S_GENERIC
679	select CRYPTO_HASH
680	help
681	  Implementation of cryptographic hash function BLAKE2s
682	  optimized for 8-32bit platforms and can produce digests of any size
683	  between 1 to 32.  The keyed hash is also implemented.
684
685	  This module provides the following algorithms:
686
687	  - blake2s-128
688	  - blake2s-160
689	  - blake2s-224
690	  - blake2s-256
691
692	  See https://blake2.net for further information.
693
694config CRYPTO_BLAKE2S_X86
695	tristate "BLAKE2s digest algorithm (x86 accelerated version)"
696	depends on X86 && 64BIT
697	select CRYPTO_LIB_BLAKE2S_GENERIC
698	select CRYPTO_ARCH_HAVE_LIB_BLAKE2S
699
700config CRYPTO_CRCT10DIF
701	tristate "CRCT10DIF algorithm"
702	select CRYPTO_HASH
703	help
704	  CRC T10 Data Integrity Field computation is being cast as
705	  a crypto transform.  This allows for faster crc t10 diff
706	  transforms to be used if they are available.
707
708config CRYPTO_CRCT10DIF_PCLMUL
709	tristate "CRCT10DIF PCLMULQDQ hardware acceleration"
710	depends on X86 && 64BIT && CRC_T10DIF
711	select CRYPTO_HASH
712	help
713	  For x86_64 processors with SSE4.2 and PCLMULQDQ supported,
714	  CRC T10 DIF PCLMULQDQ computation can be hardware
715	  accelerated PCLMULQDQ instruction. This option will create
716	  'crct10dif-pclmul' module, which is faster when computing the
717	  crct10dif checksum as compared with the generic table implementation.
718
719config CRYPTO_CRCT10DIF_VPMSUM
720	tristate "CRC32T10DIF powerpc64 hardware acceleration"
721	depends on PPC64 && ALTIVEC && CRC_T10DIF
722	select CRYPTO_HASH
723	help
724	  CRC10T10DIF algorithm implemented using vector polynomial
725	  multiply-sum (vpmsum) instructions, introduced in POWER8. Enable on
726	  POWER8 and newer processors for improved performance.
727
728config CRYPTO_VPMSUM_TESTER
729	tristate "Powerpc64 vpmsum hardware acceleration tester"
730	depends on CRYPTO_CRCT10DIF_VPMSUM && CRYPTO_CRC32C_VPMSUM
731	help
732	  Stress test for CRC32c and CRC-T10DIF algorithms implemented with
733	  POWER8 vpmsum instructions.
734	  Unless you are testing these algorithms, you don't need this.
735
736config CRYPTO_GHASH
737	tristate "GHASH hash function"
738	select CRYPTO_GF128MUL
739	select CRYPTO_HASH
740	help
741	  GHASH is the hash function used in GCM (Galois/Counter Mode).
742	  It is not a general-purpose cryptographic hash function.
743
744config CRYPTO_POLY1305
745	tristate "Poly1305 authenticator algorithm"
746	select CRYPTO_HASH
747	select CRYPTO_LIB_POLY1305_GENERIC
748	help
749	  Poly1305 authenticator algorithm, RFC7539.
750
751	  Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
752	  It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
753	  in IETF protocols. This is the portable C implementation of Poly1305.
754
755config CRYPTO_POLY1305_X86_64
756	tristate "Poly1305 authenticator algorithm (x86_64/SSE2/AVX2)"
757	depends on X86 && 64BIT
758	select CRYPTO_LIB_POLY1305_GENERIC
759	select CRYPTO_ARCH_HAVE_LIB_POLY1305
760	help
761	  Poly1305 authenticator algorithm, RFC7539.
762
763	  Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
764	  It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
765	  in IETF protocols. This is the x86_64 assembler implementation using SIMD
766	  instructions.
767
768config CRYPTO_POLY1305_MIPS
769	tristate "Poly1305 authenticator algorithm (MIPS optimized)"
770	depends on CPU_MIPS32 || (CPU_MIPS64 && 64BIT)
771	select CRYPTO_ARCH_HAVE_LIB_POLY1305
772
773config CRYPTO_MD4
774	tristate "MD4 digest algorithm"
775	select CRYPTO_HASH
776	help
777	  MD4 message digest algorithm (RFC1320).
778
779config CRYPTO_MD5
780	tristate "MD5 digest algorithm"
781	select CRYPTO_HASH
782	help
783	  MD5 message digest algorithm (RFC1321).
784
785config CRYPTO_MD5_OCTEON
786	tristate "MD5 digest algorithm (OCTEON)"
787	depends on CPU_CAVIUM_OCTEON
788	select CRYPTO_MD5
789	select CRYPTO_HASH
790	help
791	  MD5 message digest algorithm (RFC1321) implemented
792	  using OCTEON crypto instructions, when available.
793
794config CRYPTO_MD5_PPC
795	tristate "MD5 digest algorithm (PPC)"
796	depends on PPC
797	select CRYPTO_HASH
798	help
799	  MD5 message digest algorithm (RFC1321) implemented
800	  in PPC assembler.
801
802config CRYPTO_MD5_SPARC64
803	tristate "MD5 digest algorithm (SPARC64)"
804	depends on SPARC64
805	select CRYPTO_MD5
806	select CRYPTO_HASH
807	help
808	  MD5 message digest algorithm (RFC1321) implemented
809	  using sparc64 crypto instructions, when available.
810
811config CRYPTO_MICHAEL_MIC
812	tristate "Michael MIC keyed digest algorithm"
813	select CRYPTO_HASH
814	help
815	  Michael MIC is used for message integrity protection in TKIP
816	  (IEEE 802.11i). This algorithm is required for TKIP, but it
817	  should not be used for other purposes because of the weakness
818	  of the algorithm.
819
820config CRYPTO_RMD160
821	tristate "RIPEMD-160 digest algorithm"
822	select CRYPTO_HASH
823	help
824	  RIPEMD-160 (ISO/IEC 10118-3:2004).
825
826	  RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
827	  to be used as a secure replacement for the 128-bit hash functions
828	  MD4, MD5 and it's predecessor RIPEMD
829	  (not to be confused with RIPEMD-128).
830
831	  It's speed is comparable to SHA1 and there are no known attacks
832	  against RIPEMD-160.
833
834	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
835	  See <https://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
836
837config CRYPTO_SHA1
838	tristate "SHA1 digest algorithm"
839	select CRYPTO_HASH
840	help
841	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2).
842
843config CRYPTO_SHA1_SSSE3
844	tristate "SHA1 digest algorithm (SSSE3/AVX/AVX2/SHA-NI)"
845	depends on X86 && 64BIT
846	select CRYPTO_SHA1
847	select CRYPTO_HASH
848	help
849	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
850	  using Supplemental SSE3 (SSSE3) instructions or Advanced Vector
851	  Extensions (AVX/AVX2) or SHA-NI(SHA Extensions New Instructions),
852	  when available.
853
854config CRYPTO_SHA256_SSSE3
855	tristate "SHA256 digest algorithm (SSSE3/AVX/AVX2/SHA-NI)"
856	depends on X86 && 64BIT
857	select CRYPTO_SHA256
858	select CRYPTO_HASH
859	help
860	  SHA-256 secure hash standard (DFIPS 180-2) implemented
861	  using Supplemental SSE3 (SSSE3) instructions, or Advanced Vector
862	  Extensions version 1 (AVX1), or Advanced Vector Extensions
863	  version 2 (AVX2) instructions, or SHA-NI (SHA Extensions New
864	  Instructions) when available.
865
866config CRYPTO_SHA512_SSSE3
867	tristate "SHA512 digest algorithm (SSSE3/AVX/AVX2)"
868	depends on X86 && 64BIT
869	select CRYPTO_SHA512
870	select CRYPTO_HASH
871	help
872	  SHA-512 secure hash standard (DFIPS 180-2) implemented
873	  using Supplemental SSE3 (SSSE3) instructions, or Advanced Vector
874	  Extensions version 1 (AVX1), or Advanced Vector Extensions
875	  version 2 (AVX2) instructions, when available.
876
877config CRYPTO_SHA1_OCTEON
878	tristate "SHA1 digest algorithm (OCTEON)"
879	depends on CPU_CAVIUM_OCTEON
880	select CRYPTO_SHA1
881	select CRYPTO_HASH
882	help
883	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
884	  using OCTEON crypto instructions, when available.
885
886config CRYPTO_SHA1_SPARC64
887	tristate "SHA1 digest algorithm (SPARC64)"
888	depends on SPARC64
889	select CRYPTO_SHA1
890	select CRYPTO_HASH
891	help
892	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
893	  using sparc64 crypto instructions, when available.
894
895config CRYPTO_SHA1_PPC
896	tristate "SHA1 digest algorithm (powerpc)"
897	depends on PPC
898	help
899	  This is the powerpc hardware accelerated implementation of the
900	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2).
901
902config CRYPTO_SHA1_PPC_SPE
903	tristate "SHA1 digest algorithm (PPC SPE)"
904	depends on PPC && SPE
905	help
906	  SHA-1 secure hash standard (DFIPS 180-4) implemented
907	  using powerpc SPE SIMD instruction set.
908
909config CRYPTO_SHA256
910	tristate "SHA224 and SHA256 digest algorithm"
911	select CRYPTO_HASH
912	select CRYPTO_LIB_SHA256
913	help
914	  SHA256 secure hash standard (DFIPS 180-2).
915
916	  This version of SHA implements a 256 bit hash with 128 bits of
917	  security against collision attacks.
918
919	  This code also includes SHA-224, a 224 bit hash with 112 bits
920	  of security against collision attacks.
921
922config CRYPTO_SHA256_PPC_SPE
923	tristate "SHA224 and SHA256 digest algorithm (PPC SPE)"
924	depends on PPC && SPE
925	select CRYPTO_SHA256
926	select CRYPTO_HASH
927	help
928	  SHA224 and SHA256 secure hash standard (DFIPS 180-2)
929	  implemented using powerpc SPE SIMD instruction set.
930
931config CRYPTO_SHA256_OCTEON
932	tristate "SHA224 and SHA256 digest algorithm (OCTEON)"
933	depends on CPU_CAVIUM_OCTEON
934	select CRYPTO_SHA256
935	select CRYPTO_HASH
936	help
937	  SHA-256 secure hash standard (DFIPS 180-2) implemented
938	  using OCTEON crypto instructions, when available.
939
940config CRYPTO_SHA256_SPARC64
941	tristate "SHA224 and SHA256 digest algorithm (SPARC64)"
942	depends on SPARC64
943	select CRYPTO_SHA256
944	select CRYPTO_HASH
945	help
946	  SHA-256 secure hash standard (DFIPS 180-2) implemented
947	  using sparc64 crypto instructions, when available.
948
949config CRYPTO_SHA512
950	tristate "SHA384 and SHA512 digest algorithms"
951	select CRYPTO_HASH
952	help
953	  SHA512 secure hash standard (DFIPS 180-2).
954
955	  This version of SHA implements a 512 bit hash with 256 bits of
956	  security against collision attacks.
957
958	  This code also includes SHA-384, a 384 bit hash with 192 bits
959	  of security against collision attacks.
960
961config CRYPTO_SHA512_OCTEON
962	tristate "SHA384 and SHA512 digest algorithms (OCTEON)"
963	depends on CPU_CAVIUM_OCTEON
964	select CRYPTO_SHA512
965	select CRYPTO_HASH
966	help
967	  SHA-512 secure hash standard (DFIPS 180-2) implemented
968	  using OCTEON crypto instructions, when available.
969
970config CRYPTO_SHA512_SPARC64
971	tristate "SHA384 and SHA512 digest algorithm (SPARC64)"
972	depends on SPARC64
973	select CRYPTO_SHA512
974	select CRYPTO_HASH
975	help
976	  SHA-512 secure hash standard (DFIPS 180-2) implemented
977	  using sparc64 crypto instructions, when available.
978
979config CRYPTO_SHA3
980	tristate "SHA3 digest algorithm"
981	select CRYPTO_HASH
982	help
983	  SHA-3 secure hash standard (DFIPS 202). It's based on
984	  cryptographic sponge function family called Keccak.
985
986	  References:
987	  http://keccak.noekeon.org/
988
989config CRYPTO_SM3
990	tristate "SM3 digest algorithm"
991	select CRYPTO_HASH
992	help
993	  SM3 secure hash function as defined by OSCCA GM/T 0004-2012 SM3).
994	  It is part of the Chinese Commercial Cryptography suite.
995
996	  References:
997	  http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
998	  https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
999
1000config CRYPTO_STREEBOG
1001	tristate "Streebog Hash Function"
1002	select CRYPTO_HASH
1003	help
1004	  Streebog Hash Function (GOST R 34.11-2012, RFC 6986) is one of the Russian
1005	  cryptographic standard algorithms (called GOST algorithms).
1006	  This setting enables two hash algorithms with 256 and 512 bits output.
1007
1008	  References:
1009	  https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1010	  https://tools.ietf.org/html/rfc6986
1011
1012config CRYPTO_WP512
1013	tristate "Whirlpool digest algorithms"
1014	select CRYPTO_HASH
1015	help
1016	  Whirlpool hash algorithm 512, 384 and 256-bit hashes
1017
1018	  Whirlpool-512 is part of the NESSIE cryptographic primitives.
1019	  Whirlpool will be part of the ISO/IEC 10118-3:2003(E) standard
1020
1021	  See also:
1022	  <http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html>
1023
1024config CRYPTO_GHASH_CLMUL_NI_INTEL
1025	tristate "GHASH hash function (CLMUL-NI accelerated)"
1026	depends on X86 && 64BIT
1027	select CRYPTO_CRYPTD
1028	help
1029	  This is the x86_64 CLMUL-NI accelerated implementation of
1030	  GHASH, the hash function used in GCM (Galois/Counter mode).
1031
1032comment "Ciphers"
1033
1034config CRYPTO_AES
1035	tristate "AES cipher algorithms"
1036	select CRYPTO_ALGAPI
1037	select CRYPTO_LIB_AES
1038	help
1039	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
1040	  algorithm.
1041
1042	  Rijndael appears to be consistently a very good performer in
1043	  both hardware and software across a wide range of computing
1044	  environments regardless of its use in feedback or non-feedback
1045	  modes. Its key setup time is excellent, and its key agility is
1046	  good. Rijndael's very low memory requirements make it very well
1047	  suited for restricted-space environments, in which it also
1048	  demonstrates excellent performance. Rijndael's operations are
1049	  among the easiest to defend against power and timing attacks.
1050
1051	  The AES specifies three key sizes: 128, 192 and 256 bits
1052
1053	  See <http://csrc.nist.gov/CryptoToolkit/aes/> for more information.
1054
1055config CRYPTO_AES_TI
1056	tristate "Fixed time AES cipher"
1057	select CRYPTO_ALGAPI
1058	select CRYPTO_LIB_AES
1059	help
1060	  This is a generic implementation of AES that attempts to eliminate
1061	  data dependent latencies as much as possible without affecting
1062	  performance too much. It is intended for use by the generic CCM
1063	  and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
1064	  solely on encryption (although decryption is supported as well, but
1065	  with a more dramatic performance hit)
1066
1067	  Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
1068	  8 for decryption), this implementation only uses just two S-boxes of
1069	  256 bytes each, and attempts to eliminate data dependent latencies by
1070	  prefetching the entire table into the cache at the start of each
1071	  block. Interrupts are also disabled to avoid races where cachelines
1072	  are evicted when the CPU is interrupted to do something else.
1073
1074config CRYPTO_AES_NI_INTEL
1075	tristate "AES cipher algorithms (AES-NI)"
1076	depends on X86
1077	select CRYPTO_AEAD
1078	select CRYPTO_LIB_AES
1079	select CRYPTO_ALGAPI
1080	select CRYPTO_SKCIPHER
1081	select CRYPTO_SIMD
1082	help
1083	  Use Intel AES-NI instructions for AES algorithm.
1084
1085	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
1086	  algorithm.
1087
1088	  Rijndael appears to be consistently a very good performer in
1089	  both hardware and software across a wide range of computing
1090	  environments regardless of its use in feedback or non-feedback
1091	  modes. Its key setup time is excellent, and its key agility is
1092	  good. Rijndael's very low memory requirements make it very well
1093	  suited for restricted-space environments, in which it also
1094	  demonstrates excellent performance. Rijndael's operations are
1095	  among the easiest to defend against power and timing attacks.
1096
1097	  The AES specifies three key sizes: 128, 192 and 256 bits
1098
1099	  See <http://csrc.nist.gov/encryption/aes/> for more information.
1100
1101	  In addition to AES cipher algorithm support, the acceleration
1102	  for some popular block cipher mode is supported too, including
1103	  ECB, CBC, LRW, XTS. The 64 bit version has additional
1104	  acceleration for CTR.
1105
1106config CRYPTO_AES_SPARC64
1107	tristate "AES cipher algorithms (SPARC64)"
1108	depends on SPARC64
1109	select CRYPTO_SKCIPHER
1110	help
1111	  Use SPARC64 crypto opcodes for AES algorithm.
1112
1113	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
1114	  algorithm.
1115
1116	  Rijndael appears to be consistently a very good performer in
1117	  both hardware and software across a wide range of computing
1118	  environments regardless of its use in feedback or non-feedback
1119	  modes. Its key setup time is excellent, and its key agility is
1120	  good. Rijndael's very low memory requirements make it very well
1121	  suited for restricted-space environments, in which it also
1122	  demonstrates excellent performance. Rijndael's operations are
1123	  among the easiest to defend against power and timing attacks.
1124
1125	  The AES specifies three key sizes: 128, 192 and 256 bits
1126
1127	  See <http://csrc.nist.gov/encryption/aes/> for more information.
1128
1129	  In addition to AES cipher algorithm support, the acceleration
1130	  for some popular block cipher mode is supported too, including
1131	  ECB and CBC.
1132
1133config CRYPTO_AES_PPC_SPE
1134	tristate "AES cipher algorithms (PPC SPE)"
1135	depends on PPC && SPE
1136	select CRYPTO_SKCIPHER
1137	help
1138	  AES cipher algorithms (FIPS-197). Additionally the acceleration
1139	  for popular block cipher modes ECB, CBC, CTR and XTS is supported.
1140	  This module should only be used for low power (router) devices
1141	  without hardware AES acceleration (e.g. caam crypto). It reduces the
1142	  size of the AES tables from 16KB to 8KB + 256 bytes and mitigates
1143	  timining attacks. Nevertheless it might be not as secure as other
1144	  architecture specific assembler implementations that work on 1KB
1145	  tables or 256 bytes S-boxes.
1146
1147config CRYPTO_ANUBIS
1148	tristate "Anubis cipher algorithm"
1149	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1150	select CRYPTO_ALGAPI
1151	help
1152	  Anubis cipher algorithm.
1153
1154	  Anubis is a variable key length cipher which can use keys from
1155	  128 bits to 320 bits in length.  It was evaluated as a entrant
1156	  in the NESSIE competition.
1157
1158	  See also:
1159	  <https://www.cosic.esat.kuleuven.be/nessie/reports/>
1160	  <http://www.larc.usp.br/~pbarreto/AnubisPage.html>
1161
1162config CRYPTO_ARC4
1163	tristate "ARC4 cipher algorithm"
1164	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1165	select CRYPTO_SKCIPHER
1166	select CRYPTO_LIB_ARC4
1167	help
1168	  ARC4 cipher algorithm.
1169
1170	  ARC4 is a stream cipher using keys ranging from 8 bits to 2048
1171	  bits in length.  This algorithm is required for driver-based
1172	  WEP, but it should not be for other purposes because of the
1173	  weakness of the algorithm.
1174
1175config CRYPTO_BLOWFISH
1176	tristate "Blowfish cipher algorithm"
1177	select CRYPTO_ALGAPI
1178	select CRYPTO_BLOWFISH_COMMON
1179	help
1180	  Blowfish cipher algorithm, by Bruce Schneier.
1181
1182	  This is a variable key length cipher which can use keys from 32
1183	  bits to 448 bits in length.  It's fast, simple and specifically
1184	  designed for use on "large microprocessors".
1185
1186	  See also:
1187	  <https://www.schneier.com/blowfish.html>
1188
1189config CRYPTO_BLOWFISH_COMMON
1190	tristate
1191	help
1192	  Common parts of the Blowfish cipher algorithm shared by the
1193	  generic c and the assembler implementations.
1194
1195	  See also:
1196	  <https://www.schneier.com/blowfish.html>
1197
1198config CRYPTO_BLOWFISH_X86_64
1199	tristate "Blowfish cipher algorithm (x86_64)"
1200	depends on X86 && 64BIT
1201	select CRYPTO_SKCIPHER
1202	select CRYPTO_BLOWFISH_COMMON
1203	imply CRYPTO_CTR
1204	help
1205	  Blowfish cipher algorithm (x86_64), by Bruce Schneier.
1206
1207	  This is a variable key length cipher which can use keys from 32
1208	  bits to 448 bits in length.  It's fast, simple and specifically
1209	  designed for use on "large microprocessors".
1210
1211	  See also:
1212	  <https://www.schneier.com/blowfish.html>
1213
1214config CRYPTO_CAMELLIA
1215	tristate "Camellia cipher algorithms"
1216	depends on CRYPTO
1217	select CRYPTO_ALGAPI
1218	help
1219	  Camellia cipher algorithms module.
1220
1221	  Camellia is a symmetric key block cipher developed jointly
1222	  at NTT and Mitsubishi Electric Corporation.
1223
1224	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1225
1226	  See also:
1227	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1228
1229config CRYPTO_CAMELLIA_X86_64
1230	tristate "Camellia cipher algorithm (x86_64)"
1231	depends on X86 && 64BIT
1232	depends on CRYPTO
1233	select CRYPTO_SKCIPHER
1234	imply CRYPTO_CTR
1235	help
1236	  Camellia cipher algorithm module (x86_64).
1237
1238	  Camellia is a symmetric key block cipher developed jointly
1239	  at NTT and Mitsubishi Electric Corporation.
1240
1241	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1242
1243	  See also:
1244	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1245
1246config CRYPTO_CAMELLIA_AESNI_AVX_X86_64
1247	tristate "Camellia cipher algorithm (x86_64/AES-NI/AVX)"
1248	depends on X86 && 64BIT
1249	depends on CRYPTO
1250	select CRYPTO_SKCIPHER
1251	select CRYPTO_CAMELLIA_X86_64
1252	select CRYPTO_SIMD
1253	imply CRYPTO_XTS
1254	help
1255	  Camellia cipher algorithm module (x86_64/AES-NI/AVX).
1256
1257	  Camellia is a symmetric key block cipher developed jointly
1258	  at NTT and Mitsubishi Electric Corporation.
1259
1260	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1261
1262	  See also:
1263	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1264
1265config CRYPTO_CAMELLIA_AESNI_AVX2_X86_64
1266	tristate "Camellia cipher algorithm (x86_64/AES-NI/AVX2)"
1267	depends on X86 && 64BIT
1268	depends on CRYPTO
1269	select CRYPTO_CAMELLIA_AESNI_AVX_X86_64
1270	help
1271	  Camellia cipher algorithm module (x86_64/AES-NI/AVX2).
1272
1273	  Camellia is a symmetric key block cipher developed jointly
1274	  at NTT and Mitsubishi Electric Corporation.
1275
1276	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1277
1278	  See also:
1279	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1280
1281config CRYPTO_CAMELLIA_SPARC64
1282	tristate "Camellia cipher algorithm (SPARC64)"
1283	depends on SPARC64
1284	depends on CRYPTO
1285	select CRYPTO_ALGAPI
1286	select CRYPTO_SKCIPHER
1287	help
1288	  Camellia cipher algorithm module (SPARC64).
1289
1290	  Camellia is a symmetric key block cipher developed jointly
1291	  at NTT and Mitsubishi Electric Corporation.
1292
1293	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1294
1295	  See also:
1296	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1297
1298config CRYPTO_CAST_COMMON
1299	tristate
1300	help
1301	  Common parts of the CAST cipher algorithms shared by the
1302	  generic c and the assembler implementations.
1303
1304config CRYPTO_CAST5
1305	tristate "CAST5 (CAST-128) cipher algorithm"
1306	select CRYPTO_ALGAPI
1307	select CRYPTO_CAST_COMMON
1308	help
1309	  The CAST5 encryption algorithm (synonymous with CAST-128) is
1310	  described in RFC2144.
1311
1312config CRYPTO_CAST5_AVX_X86_64
1313	tristate "CAST5 (CAST-128) cipher algorithm (x86_64/AVX)"
1314	depends on X86 && 64BIT
1315	select CRYPTO_SKCIPHER
1316	select CRYPTO_CAST5
1317	select CRYPTO_CAST_COMMON
1318	select CRYPTO_SIMD
1319	imply CRYPTO_CTR
1320	help
1321	  The CAST5 encryption algorithm (synonymous with CAST-128) is
1322	  described in RFC2144.
1323
1324	  This module provides the Cast5 cipher algorithm that processes
1325	  sixteen blocks parallel using the AVX instruction set.
1326
1327config CRYPTO_CAST6
1328	tristate "CAST6 (CAST-256) cipher algorithm"
1329	select CRYPTO_ALGAPI
1330	select CRYPTO_CAST_COMMON
1331	help
1332	  The CAST6 encryption algorithm (synonymous with CAST-256) is
1333	  described in RFC2612.
1334
1335config CRYPTO_CAST6_AVX_X86_64
1336	tristate "CAST6 (CAST-256) cipher algorithm (x86_64/AVX)"
1337	depends on X86 && 64BIT
1338	select CRYPTO_SKCIPHER
1339	select CRYPTO_CAST6
1340	select CRYPTO_CAST_COMMON
1341	select CRYPTO_SIMD
1342	imply CRYPTO_XTS
1343	imply CRYPTO_CTR
1344	help
1345	  The CAST6 encryption algorithm (synonymous with CAST-256) is
1346	  described in RFC2612.
1347
1348	  This module provides the Cast6 cipher algorithm that processes
1349	  eight blocks parallel using the AVX instruction set.
1350
1351config CRYPTO_DES
1352	tristate "DES and Triple DES EDE cipher algorithms"
1353	select CRYPTO_ALGAPI
1354	select CRYPTO_LIB_DES
1355	help
1356	  DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3).
1357
1358config CRYPTO_DES_SPARC64
1359	tristate "DES and Triple DES EDE cipher algorithms (SPARC64)"
1360	depends on SPARC64
1361	select CRYPTO_ALGAPI
1362	select CRYPTO_LIB_DES
1363	select CRYPTO_SKCIPHER
1364	help
1365	  DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3),
1366	  optimized using SPARC64 crypto opcodes.
1367
1368config CRYPTO_DES3_EDE_X86_64
1369	tristate "Triple DES EDE cipher algorithm (x86-64)"
1370	depends on X86 && 64BIT
1371	select CRYPTO_SKCIPHER
1372	select CRYPTO_LIB_DES
1373	imply CRYPTO_CTR
1374	help
1375	  Triple DES EDE (FIPS 46-3) algorithm.
1376
1377	  This module provides implementation of the Triple DES EDE cipher
1378	  algorithm that is optimized for x86-64 processors. Two versions of
1379	  algorithm are provided; regular processing one input block and
1380	  one that processes three blocks parallel.
1381
1382config CRYPTO_FCRYPT
1383	tristate "FCrypt cipher algorithm"
1384	select CRYPTO_ALGAPI
1385	select CRYPTO_SKCIPHER
1386	help
1387	  FCrypt algorithm used by RxRPC.
1388
1389config CRYPTO_KHAZAD
1390	tristate "Khazad cipher algorithm"
1391	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1392	select CRYPTO_ALGAPI
1393	help
1394	  Khazad cipher algorithm.
1395
1396	  Khazad was a finalist in the initial NESSIE competition.  It is
1397	  an algorithm optimized for 64-bit processors with good performance
1398	  on 32-bit processors.  Khazad uses an 128 bit key size.
1399
1400	  See also:
1401	  <http://www.larc.usp.br/~pbarreto/KhazadPage.html>
1402
1403config CRYPTO_CHACHA20
1404	tristate "ChaCha stream cipher algorithms"
1405	select CRYPTO_LIB_CHACHA_GENERIC
1406	select CRYPTO_SKCIPHER
1407	help
1408	  The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms.
1409
1410	  ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
1411	  Bernstein and further specified in RFC7539 for use in IETF protocols.
1412	  This is the portable C implementation of ChaCha20.  See also:
1413	  <https://cr.yp.to/chacha/chacha-20080128.pdf>
1414
1415	  XChaCha20 is the application of the XSalsa20 construction to ChaCha20
1416	  rather than to Salsa20.  XChaCha20 extends ChaCha20's nonce length
1417	  from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
1418	  while provably retaining ChaCha20's security.  See also:
1419	  <https://cr.yp.to/snuffle/xsalsa-20081128.pdf>
1420
1421	  XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
1422	  reduced security margin but increased performance.  It can be needed
1423	  in some performance-sensitive scenarios.
1424
1425config CRYPTO_CHACHA20_X86_64
1426	tristate "ChaCha stream cipher algorithms (x86_64/SSSE3/AVX2/AVX-512VL)"
1427	depends on X86 && 64BIT
1428	select CRYPTO_SKCIPHER
1429	select CRYPTO_LIB_CHACHA_GENERIC
1430	select CRYPTO_ARCH_HAVE_LIB_CHACHA
1431	help
1432	  SSSE3, AVX2, and AVX-512VL optimized implementations of the ChaCha20,
1433	  XChaCha20, and XChaCha12 stream ciphers.
1434
1435config CRYPTO_CHACHA_MIPS
1436	tristate "ChaCha stream cipher algorithms (MIPS 32r2 optimized)"
1437	depends on CPU_MIPS32_R2
1438	select CRYPTO_SKCIPHER
1439	select CRYPTO_ARCH_HAVE_LIB_CHACHA
1440
1441config CRYPTO_SEED
1442	tristate "SEED cipher algorithm"
1443	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1444	select CRYPTO_ALGAPI
1445	help
1446	  SEED cipher algorithm (RFC4269).
1447
1448	  SEED is a 128-bit symmetric key block cipher that has been
1449	  developed by KISA (Korea Information Security Agency) as a
1450	  national standard encryption algorithm of the Republic of Korea.
1451	  It is a 16 round block cipher with the key size of 128 bit.
1452
1453	  See also:
1454	  <http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp>
1455
1456config CRYPTO_SERPENT
1457	tristate "Serpent cipher algorithm"
1458	select CRYPTO_ALGAPI
1459	help
1460	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1461
1462	  Keys are allowed to be from 0 to 256 bits in length, in steps
1463	  of 8 bits.
1464
1465	  See also:
1466	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1467
1468config CRYPTO_SERPENT_SSE2_X86_64
1469	tristate "Serpent cipher algorithm (x86_64/SSE2)"
1470	depends on X86 && 64BIT
1471	select CRYPTO_SKCIPHER
1472	select CRYPTO_SERPENT
1473	select CRYPTO_SIMD
1474	imply CRYPTO_CTR
1475	help
1476	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1477
1478	  Keys are allowed to be from 0 to 256 bits in length, in steps
1479	  of 8 bits.
1480
1481	  This module provides Serpent cipher algorithm that processes eight
1482	  blocks parallel using SSE2 instruction set.
1483
1484	  See also:
1485	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1486
1487config CRYPTO_SERPENT_SSE2_586
1488	tristate "Serpent cipher algorithm (i586/SSE2)"
1489	depends on X86 && !64BIT
1490	select CRYPTO_SKCIPHER
1491	select CRYPTO_SERPENT
1492	select CRYPTO_SIMD
1493	imply CRYPTO_CTR
1494	help
1495	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1496
1497	  Keys are allowed to be from 0 to 256 bits in length, in steps
1498	  of 8 bits.
1499
1500	  This module provides Serpent cipher algorithm that processes four
1501	  blocks parallel using SSE2 instruction set.
1502
1503	  See also:
1504	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1505
1506config CRYPTO_SERPENT_AVX_X86_64
1507	tristate "Serpent cipher algorithm (x86_64/AVX)"
1508	depends on X86 && 64BIT
1509	select CRYPTO_SKCIPHER
1510	select CRYPTO_SERPENT
1511	select CRYPTO_SIMD
1512	imply CRYPTO_XTS
1513	imply CRYPTO_CTR
1514	help
1515	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1516
1517	  Keys are allowed to be from 0 to 256 bits in length, in steps
1518	  of 8 bits.
1519
1520	  This module provides the Serpent cipher algorithm that processes
1521	  eight blocks parallel using the AVX instruction set.
1522
1523	  See also:
1524	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1525
1526config CRYPTO_SERPENT_AVX2_X86_64
1527	tristate "Serpent cipher algorithm (x86_64/AVX2)"
1528	depends on X86 && 64BIT
1529	select CRYPTO_SERPENT_AVX_X86_64
1530	help
1531	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1532
1533	  Keys are allowed to be from 0 to 256 bits in length, in steps
1534	  of 8 bits.
1535
1536	  This module provides Serpent cipher algorithm that processes 16
1537	  blocks parallel using AVX2 instruction set.
1538
1539	  See also:
1540	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1541
1542config CRYPTO_SM4
1543	tristate "SM4 cipher algorithm"
1544	select CRYPTO_ALGAPI
1545	help
1546	  SM4 cipher algorithms (OSCCA GB/T 32907-2016).
1547
1548	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
1549	  Organization of State Commercial Administration of China (OSCCA)
1550	  as an authorized cryptographic algorithms for the use within China.
1551
1552	  SMS4 was originally created for use in protecting wireless
1553	  networks, and is mandated in the Chinese National Standard for
1554	  Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
1555	  (GB.15629.11-2003).
1556
1557	  The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
1558	  standardized through TC 260 of the Standardization Administration
1559	  of the People's Republic of China (SAC).
1560
1561	  The input, output, and key of SMS4 are each 128 bits.
1562
1563	  See also: <https://eprint.iacr.org/2008/329.pdf>
1564
1565	  If unsure, say N.
1566
1567config CRYPTO_TEA
1568	tristate "TEA, XTEA and XETA cipher algorithms"
1569	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1570	select CRYPTO_ALGAPI
1571	help
1572	  TEA cipher algorithm.
1573
1574	  Tiny Encryption Algorithm is a simple cipher that uses
1575	  many rounds for security.  It is very fast and uses
1576	  little memory.
1577
1578	  Xtendend Tiny Encryption Algorithm is a modification to
1579	  the TEA algorithm to address a potential key weakness
1580	  in the TEA algorithm.
1581
1582	  Xtendend Encryption Tiny Algorithm is a mis-implementation
1583	  of the XTEA algorithm for compatibility purposes.
1584
1585config CRYPTO_TWOFISH
1586	tristate "Twofish cipher algorithm"
1587	select CRYPTO_ALGAPI
1588	select CRYPTO_TWOFISH_COMMON
1589	help
1590	  Twofish cipher algorithm.
1591
1592	  Twofish was submitted as an AES (Advanced Encryption Standard)
1593	  candidate cipher by researchers at CounterPane Systems.  It is a
1594	  16 round block cipher supporting key sizes of 128, 192, and 256
1595	  bits.
1596
1597	  See also:
1598	  <https://www.schneier.com/twofish.html>
1599
1600config CRYPTO_TWOFISH_COMMON
1601	tristate
1602	help
1603	  Common parts of the Twofish cipher algorithm shared by the
1604	  generic c and the assembler implementations.
1605
1606config CRYPTO_TWOFISH_586
1607	tristate "Twofish cipher algorithms (i586)"
1608	depends on (X86 || UML_X86) && !64BIT
1609	select CRYPTO_ALGAPI
1610	select CRYPTO_TWOFISH_COMMON
1611	imply CRYPTO_CTR
1612	help
1613	  Twofish cipher algorithm.
1614
1615	  Twofish was submitted as an AES (Advanced Encryption Standard)
1616	  candidate cipher by researchers at CounterPane Systems.  It is a
1617	  16 round block cipher supporting key sizes of 128, 192, and 256
1618	  bits.
1619
1620	  See also:
1621	  <https://www.schneier.com/twofish.html>
1622
1623config CRYPTO_TWOFISH_X86_64
1624	tristate "Twofish cipher algorithm (x86_64)"
1625	depends on (X86 || UML_X86) && 64BIT
1626	select CRYPTO_ALGAPI
1627	select CRYPTO_TWOFISH_COMMON
1628	imply CRYPTO_CTR
1629	help
1630	  Twofish cipher algorithm (x86_64).
1631
1632	  Twofish was submitted as an AES (Advanced Encryption Standard)
1633	  candidate cipher by researchers at CounterPane Systems.  It is a
1634	  16 round block cipher supporting key sizes of 128, 192, and 256
1635	  bits.
1636
1637	  See also:
1638	  <https://www.schneier.com/twofish.html>
1639
1640config CRYPTO_TWOFISH_X86_64_3WAY
1641	tristate "Twofish cipher algorithm (x86_64, 3-way parallel)"
1642	depends on X86 && 64BIT
1643	select CRYPTO_SKCIPHER
1644	select CRYPTO_TWOFISH_COMMON
1645	select CRYPTO_TWOFISH_X86_64
1646	help
1647	  Twofish cipher algorithm (x86_64, 3-way parallel).
1648
1649	  Twofish was submitted as an AES (Advanced Encryption Standard)
1650	  candidate cipher by researchers at CounterPane Systems.  It is a
1651	  16 round block cipher supporting key sizes of 128, 192, and 256
1652	  bits.
1653
1654	  This module provides Twofish cipher algorithm that processes three
1655	  blocks parallel, utilizing resources of out-of-order CPUs better.
1656
1657	  See also:
1658	  <https://www.schneier.com/twofish.html>
1659
1660config CRYPTO_TWOFISH_AVX_X86_64
1661	tristate "Twofish cipher algorithm (x86_64/AVX)"
1662	depends on X86 && 64BIT
1663	select CRYPTO_SKCIPHER
1664	select CRYPTO_SIMD
1665	select CRYPTO_TWOFISH_COMMON
1666	select CRYPTO_TWOFISH_X86_64
1667	select CRYPTO_TWOFISH_X86_64_3WAY
1668	imply CRYPTO_XTS
1669	help
1670	  Twofish cipher algorithm (x86_64/AVX).
1671
1672	  Twofish was submitted as an AES (Advanced Encryption Standard)
1673	  candidate cipher by researchers at CounterPane Systems.  It is a
1674	  16 round block cipher supporting key sizes of 128, 192, and 256
1675	  bits.
1676
1677	  This module provides the Twofish cipher algorithm that processes
1678	  eight blocks parallel using the AVX Instruction Set.
1679
1680	  See also:
1681	  <https://www.schneier.com/twofish.html>
1682
1683comment "Compression"
1684
1685config CRYPTO_DEFLATE
1686	tristate "Deflate compression algorithm"
1687	select CRYPTO_ALGAPI
1688	select CRYPTO_ACOMP2
1689	select ZLIB_INFLATE
1690	select ZLIB_DEFLATE
1691	help
1692	  This is the Deflate algorithm (RFC1951), specified for use in
1693	  IPSec with the IPCOMP protocol (RFC3173, RFC2394).
1694
1695	  You will most probably want this if using IPSec.
1696
1697config CRYPTO_LZO
1698	tristate "LZO compression algorithm"
1699	select CRYPTO_ALGAPI
1700	select CRYPTO_ACOMP2
1701	select LZO_COMPRESS
1702	select LZO_DECOMPRESS
1703	help
1704	  This is the LZO algorithm.
1705
1706config CRYPTO_842
1707	tristate "842 compression algorithm"
1708	select CRYPTO_ALGAPI
1709	select CRYPTO_ACOMP2
1710	select 842_COMPRESS
1711	select 842_DECOMPRESS
1712	help
1713	  This is the 842 algorithm.
1714
1715config CRYPTO_LZ4
1716	tristate "LZ4 compression algorithm"
1717	select CRYPTO_ALGAPI
1718	select CRYPTO_ACOMP2
1719	select LZ4_COMPRESS
1720	select LZ4_DECOMPRESS
1721	help
1722	  This is the LZ4 algorithm.
1723
1724config CRYPTO_LZ4HC
1725	tristate "LZ4HC compression algorithm"
1726	select CRYPTO_ALGAPI
1727	select CRYPTO_ACOMP2
1728	select LZ4HC_COMPRESS
1729	select LZ4_DECOMPRESS
1730	help
1731	  This is the LZ4 high compression mode algorithm.
1732
1733config CRYPTO_ZSTD
1734	tristate "Zstd compression algorithm"
1735	select CRYPTO_ALGAPI
1736	select CRYPTO_ACOMP2
1737	select ZSTD_COMPRESS
1738	select ZSTD_DECOMPRESS
1739	help
1740	  This is the zstd algorithm.
1741
1742comment "Random Number Generation"
1743
1744config CRYPTO_ANSI_CPRNG
1745	tristate "Pseudo Random Number Generation for Cryptographic modules"
1746	select CRYPTO_AES
1747	select CRYPTO_RNG
1748	help
1749	  This option enables the generic pseudo random number generator
1750	  for cryptographic modules.  Uses the Algorithm specified in
1751	  ANSI X9.31 A.2.4. Note that this option must be enabled if
1752	  CRYPTO_FIPS is selected
1753
1754menuconfig CRYPTO_DRBG_MENU
1755	tristate "NIST SP800-90A DRBG"
1756	help
1757	  NIST SP800-90A compliant DRBG. In the following submenu, one or
1758	  more of the DRBG types must be selected.
1759
1760if CRYPTO_DRBG_MENU
1761
1762config CRYPTO_DRBG_HMAC
1763	bool
1764	default y
1765	select CRYPTO_HMAC
1766	select CRYPTO_SHA256
1767
1768config CRYPTO_DRBG_HASH
1769	bool "Enable Hash DRBG"
1770	select CRYPTO_SHA256
1771	help
1772	  Enable the Hash DRBG variant as defined in NIST SP800-90A.
1773
1774config CRYPTO_DRBG_CTR
1775	bool "Enable CTR DRBG"
1776	select CRYPTO_AES
1777	select CRYPTO_CTR
1778	help
1779	  Enable the CTR DRBG variant as defined in NIST SP800-90A.
1780
1781config CRYPTO_DRBG
1782	tristate
1783	default CRYPTO_DRBG_MENU
1784	select CRYPTO_RNG
1785	select CRYPTO_JITTERENTROPY
1786
1787endif	# if CRYPTO_DRBG_MENU
1788
1789config CRYPTO_JITTERENTROPY
1790	tristate "Jitterentropy Non-Deterministic Random Number Generator"
1791	select CRYPTO_RNG
1792	help
1793	  The Jitterentropy RNG is a noise that is intended
1794	  to provide seed to another RNG. The RNG does not
1795	  perform any cryptographic whitening of the generated
1796	  random numbers. This Jitterentropy RNG registers with
1797	  the kernel crypto API and can be used by any caller.
1798
1799config CRYPTO_USER_API
1800	tristate
1801
1802config CRYPTO_USER_API_HASH
1803	tristate "User-space interface for hash algorithms"
1804	depends on NET
1805	select CRYPTO_HASH
1806	select CRYPTO_USER_API
1807	help
1808	  This option enables the user-spaces interface for hash
1809	  algorithms.
1810
1811config CRYPTO_USER_API_SKCIPHER
1812	tristate "User-space interface for symmetric key cipher algorithms"
1813	depends on NET
1814	select CRYPTO_SKCIPHER
1815	select CRYPTO_USER_API
1816	help
1817	  This option enables the user-spaces interface for symmetric
1818	  key cipher algorithms.
1819
1820config CRYPTO_USER_API_RNG
1821	tristate "User-space interface for random number generator algorithms"
1822	depends on NET
1823	select CRYPTO_RNG
1824	select CRYPTO_USER_API
1825	help
1826	  This option enables the user-spaces interface for random
1827	  number generator algorithms.
1828
1829config CRYPTO_USER_API_RNG_CAVP
1830	bool "Enable CAVP testing of DRBG"
1831	depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
1832	help
1833	  This option enables extra API for CAVP testing via the user-space
1834	  interface: resetting of DRBG entropy, and providing Additional Data.
1835	  This should only be enabled for CAVP testing. You should say
1836	  no unless you know what this is.
1837
1838config CRYPTO_USER_API_AEAD
1839	tristate "User-space interface for AEAD cipher algorithms"
1840	depends on NET
1841	select CRYPTO_AEAD
1842	select CRYPTO_SKCIPHER
1843	select CRYPTO_NULL
1844	select CRYPTO_USER_API
1845	help
1846	  This option enables the user-spaces interface for AEAD
1847	  cipher algorithms.
1848
1849config CRYPTO_USER_API_ENABLE_OBSOLETE
1850	bool "Enable obsolete cryptographic algorithms for userspace"
1851	depends on CRYPTO_USER_API
1852	default y
1853	help
1854	  Allow obsolete cryptographic algorithms to be selected that have
1855	  already been phased out from internal use by the kernel, and are
1856	  only useful for userspace clients that still rely on them.
1857
1858config CRYPTO_STATS
1859	bool "Crypto usage statistics for User-space"
1860	depends on CRYPTO_USER
1861	help
1862	  This option enables the gathering of crypto stats.
1863	  This will collect:
1864	  - encrypt/decrypt size and numbers of symmeric operations
1865	  - compress/decompress size and numbers of compress operations
1866	  - size and numbers of hash operations
1867	  - encrypt/decrypt/sign/verify numbers for asymmetric operations
1868	  - generate/seed numbers for rng operations
1869
1870config CRYPTO_HASH_INFO
1871	bool
1872
1873source "lib/crypto/Kconfig"
1874source "drivers/crypto/Kconfig"
1875source "crypto/asymmetric_keys/Kconfig"
1876source "certs/Kconfig"
1877
1878endif	# if CRYPTO
1879