xref: /openbmc/linux/crypto/Kconfig (revision 9221b289)
1# SPDX-License-Identifier: GPL-2.0
2#
3# Generic algorithms support
4#
5config XOR_BLOCKS
6	tristate
7
8#
9# async_tx api: hardware offloaded memory transfer/transform support
10#
11source "crypto/async_tx/Kconfig"
12
13#
14# Cryptographic API Configuration
15#
16menuconfig CRYPTO
17	tristate "Cryptographic API"
18	select LIB_MEMNEQ
19	help
20	  This option provides the core Cryptographic API.
21
22if CRYPTO
23
24comment "Crypto core or helper"
25
26config CRYPTO_FIPS
27	bool "FIPS 200 compliance"
28	depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
29	depends on (MODULE_SIG || !MODULES)
30	help
31	  This option enables the fips boot option which is
32	  required if you want the system to operate in a FIPS 200
33	  certification.  You should say no unless you know what
34	  this is.
35
36config CRYPTO_FIPS_NAME
37	string "FIPS Module Name"
38	default "Linux Kernel Cryptographic API"
39	depends on CRYPTO_FIPS
40	help
41	  This option sets the FIPS Module name reported by the Crypto API via
42	  the /proc/sys/crypto/fips_name file.
43
44config CRYPTO_FIPS_CUSTOM_VERSION
45	bool "Use Custom FIPS Module Version"
46	depends on CRYPTO_FIPS
47	default n
48
49config CRYPTO_FIPS_VERSION
50	string "FIPS Module Version"
51	default "(none)"
52	depends on CRYPTO_FIPS_CUSTOM_VERSION
53	help
54	  This option provides the ability to override the FIPS Module Version.
55	  By default the KERNELRELEASE value is used.
56
57config CRYPTO_ALGAPI
58	tristate
59	select CRYPTO_ALGAPI2
60	help
61	  This option provides the API for cryptographic algorithms.
62
63config CRYPTO_ALGAPI2
64	tristate
65
66config CRYPTO_AEAD
67	tristate
68	select CRYPTO_AEAD2
69	select CRYPTO_ALGAPI
70
71config CRYPTO_AEAD2
72	tristate
73	select CRYPTO_ALGAPI2
74	select CRYPTO_NULL2
75	select CRYPTO_RNG2
76
77config CRYPTO_SKCIPHER
78	tristate
79	select CRYPTO_SKCIPHER2
80	select CRYPTO_ALGAPI
81
82config CRYPTO_SKCIPHER2
83	tristate
84	select CRYPTO_ALGAPI2
85	select CRYPTO_RNG2
86
87config CRYPTO_HASH
88	tristate
89	select CRYPTO_HASH2
90	select CRYPTO_ALGAPI
91
92config CRYPTO_HASH2
93	tristate
94	select CRYPTO_ALGAPI2
95
96config CRYPTO_RNG
97	tristate
98	select CRYPTO_RNG2
99	select CRYPTO_ALGAPI
100
101config CRYPTO_RNG2
102	tristate
103	select CRYPTO_ALGAPI2
104
105config CRYPTO_RNG_DEFAULT
106	tristate
107	select CRYPTO_DRBG_MENU
108
109config CRYPTO_AKCIPHER2
110	tristate
111	select CRYPTO_ALGAPI2
112
113config CRYPTO_AKCIPHER
114	tristate
115	select CRYPTO_AKCIPHER2
116	select CRYPTO_ALGAPI
117
118config CRYPTO_KPP2
119	tristate
120	select CRYPTO_ALGAPI2
121
122config CRYPTO_KPP
123	tristate
124	select CRYPTO_ALGAPI
125	select CRYPTO_KPP2
126
127config CRYPTO_ACOMP2
128	tristate
129	select CRYPTO_ALGAPI2
130	select SGL_ALLOC
131
132config CRYPTO_ACOMP
133	tristate
134	select CRYPTO_ALGAPI
135	select CRYPTO_ACOMP2
136
137config CRYPTO_MANAGER
138	tristate "Cryptographic algorithm manager"
139	select CRYPTO_MANAGER2
140	help
141	  Create default cryptographic template instantiations such as
142	  cbc(aes).
143
144config CRYPTO_MANAGER2
145	def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
146	select CRYPTO_AEAD2
147	select CRYPTO_HASH2
148	select CRYPTO_SKCIPHER2
149	select CRYPTO_AKCIPHER2
150	select CRYPTO_KPP2
151	select CRYPTO_ACOMP2
152
153config CRYPTO_USER
154	tristate "Userspace cryptographic algorithm configuration"
155	depends on NET
156	select CRYPTO_MANAGER
157	help
158	  Userspace configuration for cryptographic instantiations such as
159	  cbc(aes).
160
161config CRYPTO_MANAGER_DISABLE_TESTS
162	bool "Disable run-time self tests"
163	default y
164	help
165	  Disable run-time self tests that normally take place at
166	  algorithm registration.
167
168config CRYPTO_MANAGER_EXTRA_TESTS
169	bool "Enable extra run-time crypto self tests"
170	depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER
171	help
172	  Enable extra run-time self tests of registered crypto algorithms,
173	  including randomized fuzz tests.
174
175	  This is intended for developer use only, as these tests take much
176	  longer to run than the normal self tests.
177
178config CRYPTO_GF128MUL
179	tristate
180
181config CRYPTO_NULL
182	tristate "Null algorithms"
183	select CRYPTO_NULL2
184	help
185	  These are 'Null' algorithms, used by IPsec, which do nothing.
186
187config CRYPTO_NULL2
188	tristate
189	select CRYPTO_ALGAPI2
190	select CRYPTO_SKCIPHER2
191	select CRYPTO_HASH2
192
193config CRYPTO_PCRYPT
194	tristate "Parallel crypto engine"
195	depends on SMP
196	select PADATA
197	select CRYPTO_MANAGER
198	select CRYPTO_AEAD
199	help
200	  This converts an arbitrary crypto algorithm into a parallel
201	  algorithm that executes in kernel threads.
202
203config CRYPTO_CRYPTD
204	tristate "Software async crypto daemon"
205	select CRYPTO_SKCIPHER
206	select CRYPTO_HASH
207	select CRYPTO_MANAGER
208	help
209	  This is a generic software asynchronous crypto daemon that
210	  converts an arbitrary synchronous software crypto algorithm
211	  into an asynchronous algorithm that executes in a kernel thread.
212
213config CRYPTO_AUTHENC
214	tristate "Authenc support"
215	select CRYPTO_AEAD
216	select CRYPTO_SKCIPHER
217	select CRYPTO_MANAGER
218	select CRYPTO_HASH
219	select CRYPTO_NULL
220	help
221	  Authenc: Combined mode wrapper for IPsec.
222	  This is required for IPSec.
223
224config CRYPTO_TEST
225	tristate "Testing module"
226	depends on m || EXPERT
227	select CRYPTO_MANAGER
228	help
229	  Quick & dirty crypto test module.
230
231config CRYPTO_SIMD
232	tristate
233	select CRYPTO_CRYPTD
234
235config CRYPTO_ENGINE
236	tristate
237
238comment "Public-key cryptography"
239
240config CRYPTO_RSA
241	tristate "RSA algorithm"
242	select CRYPTO_AKCIPHER
243	select CRYPTO_MANAGER
244	select MPILIB
245	select ASN1
246	help
247	  Generic implementation of the RSA public key algorithm.
248
249config CRYPTO_DH
250	tristate "Diffie-Hellman algorithm"
251	select CRYPTO_KPP
252	select MPILIB
253	help
254	  Generic implementation of the Diffie-Hellman algorithm.
255
256config CRYPTO_DH_RFC7919_GROUPS
257	bool "Support for RFC 7919 FFDHE group parameters"
258	depends on CRYPTO_DH
259	select CRYPTO_RNG_DEFAULT
260	help
261	  Provide support for RFC 7919 FFDHE group parameters. If unsure, say N.
262
263config CRYPTO_ECC
264	tristate
265	select CRYPTO_RNG_DEFAULT
266
267config CRYPTO_ECDH
268	tristate "ECDH algorithm"
269	select CRYPTO_ECC
270	select CRYPTO_KPP
271	help
272	  Generic implementation of the ECDH algorithm
273
274config CRYPTO_ECDSA
275	tristate "ECDSA (NIST P192, P256 etc.) algorithm"
276	select CRYPTO_ECC
277	select CRYPTO_AKCIPHER
278	select ASN1
279	help
280	  Elliptic Curve Digital Signature Algorithm (NIST P192, P256 etc.)
281	  is A NIST cryptographic standard algorithm. Only signature verification
282	  is implemented.
283
284config CRYPTO_ECRDSA
285	tristate "EC-RDSA (GOST 34.10) algorithm"
286	select CRYPTO_ECC
287	select CRYPTO_AKCIPHER
288	select CRYPTO_STREEBOG
289	select OID_REGISTRY
290	select ASN1
291	help
292	  Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
293	  RFC 7091, ISO/IEC 14888-3:2018) is one of the Russian cryptographic
294	  standard algorithms (called GOST algorithms). Only signature verification
295	  is implemented.
296
297config CRYPTO_SM2
298	tristate "SM2 algorithm"
299	select CRYPTO_SM3
300	select CRYPTO_AKCIPHER
301	select CRYPTO_MANAGER
302	select MPILIB
303	select ASN1
304	help
305	  Generic implementation of the SM2 public key algorithm. It was
306	  published by State Encryption Management Bureau, China.
307	  as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012.
308
309	  References:
310	  https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02
311	  http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml
312	  http://www.gmbz.org.cn/main/bzlb.html
313
314config CRYPTO_CURVE25519
315	tristate "Curve25519 algorithm"
316	select CRYPTO_KPP
317	select CRYPTO_LIB_CURVE25519_GENERIC
318
319config CRYPTO_CURVE25519_X86
320	tristate "x86_64 accelerated Curve25519 scalar multiplication library"
321	depends on X86 && 64BIT
322	select CRYPTO_LIB_CURVE25519_GENERIC
323	select CRYPTO_ARCH_HAVE_LIB_CURVE25519
324
325comment "Authenticated Encryption with Associated Data"
326
327config CRYPTO_CCM
328	tristate "CCM support"
329	select CRYPTO_CTR
330	select CRYPTO_HASH
331	select CRYPTO_AEAD
332	select CRYPTO_MANAGER
333	help
334	  Support for Counter with CBC MAC. Required for IPsec.
335
336config CRYPTO_GCM
337	tristate "GCM/GMAC support"
338	select CRYPTO_CTR
339	select CRYPTO_AEAD
340	select CRYPTO_GHASH
341	select CRYPTO_NULL
342	select CRYPTO_MANAGER
343	help
344	  Support for Galois/Counter Mode (GCM) and Galois Message
345	  Authentication Code (GMAC). Required for IPSec.
346
347config CRYPTO_CHACHA20POLY1305
348	tristate "ChaCha20-Poly1305 AEAD support"
349	select CRYPTO_CHACHA20
350	select CRYPTO_POLY1305
351	select CRYPTO_AEAD
352	select CRYPTO_MANAGER
353	help
354	  ChaCha20-Poly1305 AEAD support, RFC7539.
355
356	  Support for the AEAD wrapper using the ChaCha20 stream cipher combined
357	  with the Poly1305 authenticator. It is defined in RFC7539 for use in
358	  IETF protocols.
359
360config CRYPTO_AEGIS128
361	tristate "AEGIS-128 AEAD algorithm"
362	select CRYPTO_AEAD
363	select CRYPTO_AES  # for AES S-box tables
364	help
365	 Support for the AEGIS-128 dedicated AEAD algorithm.
366
367config CRYPTO_AEGIS128_SIMD
368	bool "Support SIMD acceleration for AEGIS-128"
369	depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
370	default y
371
372config CRYPTO_AEGIS128_AESNI_SSE2
373	tristate "AEGIS-128 AEAD algorithm (x86_64 AESNI+SSE2 implementation)"
374	depends on X86 && 64BIT
375	select CRYPTO_AEAD
376	select CRYPTO_SIMD
377	help
378	 AESNI+SSE2 implementation of the AEGIS-128 dedicated AEAD algorithm.
379
380config CRYPTO_SEQIV
381	tristate "Sequence Number IV Generator"
382	select CRYPTO_AEAD
383	select CRYPTO_SKCIPHER
384	select CRYPTO_NULL
385	select CRYPTO_RNG_DEFAULT
386	select CRYPTO_MANAGER
387	help
388	  This IV generator generates an IV based on a sequence number by
389	  xoring it with a salt.  This algorithm is mainly useful for CTR
390
391config CRYPTO_ECHAINIV
392	tristate "Encrypted Chain IV Generator"
393	select CRYPTO_AEAD
394	select CRYPTO_NULL
395	select CRYPTO_RNG_DEFAULT
396	select CRYPTO_MANAGER
397	help
398	  This IV generator generates an IV based on the encryption of
399	  a sequence number xored with a salt.  This is the default
400	  algorithm for CBC.
401
402comment "Block modes"
403
404config CRYPTO_CBC
405	tristate "CBC support"
406	select CRYPTO_SKCIPHER
407	select CRYPTO_MANAGER
408	help
409	  CBC: Cipher Block Chaining mode
410	  This block cipher algorithm is required for IPSec.
411
412config CRYPTO_CFB
413	tristate "CFB support"
414	select CRYPTO_SKCIPHER
415	select CRYPTO_MANAGER
416	help
417	  CFB: Cipher FeedBack mode
418	  This block cipher algorithm is required for TPM2 Cryptography.
419
420config CRYPTO_CTR
421	tristate "CTR support"
422	select CRYPTO_SKCIPHER
423	select CRYPTO_MANAGER
424	help
425	  CTR: Counter mode
426	  This block cipher algorithm is required for IPSec.
427
428config CRYPTO_CTS
429	tristate "CTS support"
430	select CRYPTO_SKCIPHER
431	select CRYPTO_MANAGER
432	help
433	  CTS: Cipher Text Stealing
434	  This is the Cipher Text Stealing mode as described by
435	  Section 8 of rfc2040 and referenced by rfc3962
436	  (rfc3962 includes errata information in its Appendix A) or
437	  CBC-CS3 as defined by NIST in Sp800-38A addendum from Oct 2010.
438	  This mode is required for Kerberos gss mechanism support
439	  for AES encryption.
440
441	  See: https://csrc.nist.gov/publications/detail/sp/800-38a/addendum/final
442
443config CRYPTO_ECB
444	tristate "ECB support"
445	select CRYPTO_SKCIPHER
446	select CRYPTO_MANAGER
447	help
448	  ECB: Electronic CodeBook mode
449	  This is the simplest block cipher algorithm.  It simply encrypts
450	  the input block by block.
451
452config CRYPTO_LRW
453	tristate "LRW support"
454	select CRYPTO_SKCIPHER
455	select CRYPTO_MANAGER
456	select CRYPTO_GF128MUL
457	select CRYPTO_ECB
458	help
459	  LRW: Liskov Rivest Wagner, a tweakable, non malleable, non movable
460	  narrow block cipher mode for dm-crypt.  Use it with cipher
461	  specification string aes-lrw-benbi, the key must be 256, 320 or 384.
462	  The first 128, 192 or 256 bits in the key are used for AES and the
463	  rest is used to tie each cipher block to its logical position.
464
465config CRYPTO_OFB
466	tristate "OFB support"
467	select CRYPTO_SKCIPHER
468	select CRYPTO_MANAGER
469	help
470	  OFB: the Output Feedback mode makes a block cipher into a synchronous
471	  stream cipher. It generates keystream blocks, which are then XORed
472	  with the plaintext blocks to get the ciphertext. Flipping a bit in the
473	  ciphertext produces a flipped bit in the plaintext at the same
474	  location. This property allows many error correcting codes to function
475	  normally even when applied before encryption.
476
477config CRYPTO_PCBC
478	tristate "PCBC support"
479	select CRYPTO_SKCIPHER
480	select CRYPTO_MANAGER
481	help
482	  PCBC: Propagating Cipher Block Chaining mode
483	  This block cipher algorithm is required for RxRPC.
484
485config CRYPTO_XCTR
486	tristate
487	select CRYPTO_SKCIPHER
488	select CRYPTO_MANAGER
489	help
490	  XCTR: XOR Counter mode. This blockcipher mode is a variant of CTR mode
491	  using XORs and little-endian addition rather than big-endian arithmetic.
492	  XCTR mode is used to implement HCTR2.
493
494config CRYPTO_XTS
495	tristate "XTS support"
496	select CRYPTO_SKCIPHER
497	select CRYPTO_MANAGER
498	select CRYPTO_ECB
499	help
500	  XTS: IEEE1619/D16 narrow block cipher use with aes-xts-plain,
501	  key size 256, 384 or 512 bits. This implementation currently
502	  can't handle a sectorsize which is not a multiple of 16 bytes.
503
504config CRYPTO_KEYWRAP
505	tristate "Key wrapping support"
506	select CRYPTO_SKCIPHER
507	select CRYPTO_MANAGER
508	help
509	  Support for key wrapping (NIST SP800-38F / RFC3394) without
510	  padding.
511
512config CRYPTO_NHPOLY1305
513	tristate
514	select CRYPTO_HASH
515	select CRYPTO_LIB_POLY1305_GENERIC
516
517config CRYPTO_NHPOLY1305_SSE2
518	tristate "NHPoly1305 hash function (x86_64 SSE2 implementation)"
519	depends on X86 && 64BIT
520	select CRYPTO_NHPOLY1305
521	help
522	  SSE2 optimized implementation of the hash function used by the
523	  Adiantum encryption mode.
524
525config CRYPTO_NHPOLY1305_AVX2
526	tristate "NHPoly1305 hash function (x86_64 AVX2 implementation)"
527	depends on X86 && 64BIT
528	select CRYPTO_NHPOLY1305
529	help
530	  AVX2 optimized implementation of the hash function used by the
531	  Adiantum encryption mode.
532
533config CRYPTO_ADIANTUM
534	tristate "Adiantum support"
535	select CRYPTO_CHACHA20
536	select CRYPTO_LIB_POLY1305_GENERIC
537	select CRYPTO_NHPOLY1305
538	select CRYPTO_MANAGER
539	help
540	  Adiantum is a tweakable, length-preserving encryption mode
541	  designed for fast and secure disk encryption, especially on
542	  CPUs without dedicated crypto instructions.  It encrypts
543	  each sector using the XChaCha12 stream cipher, two passes of
544	  an ε-almost-∆-universal hash function, and an invocation of
545	  the AES-256 block cipher on a single 16-byte block.  On CPUs
546	  without AES instructions, Adiantum is much faster than
547	  AES-XTS.
548
549	  Adiantum's security is provably reducible to that of its
550	  underlying stream and block ciphers, subject to a security
551	  bound.  Unlike XTS, Adiantum is a true wide-block encryption
552	  mode, so it actually provides an even stronger notion of
553	  security than XTS, subject to the security bound.
554
555	  If unsure, say N.
556
557config CRYPTO_HCTR2
558	tristate "HCTR2 support"
559	select CRYPTO_XCTR
560	select CRYPTO_POLYVAL
561	select CRYPTO_MANAGER
562	help
563	  HCTR2 is a length-preserving encryption mode for storage encryption that
564	  is efficient on processors with instructions to accelerate AES and
565	  carryless multiplication, e.g. x86 processors with AES-NI and CLMUL, and
566	  ARM processors with the ARMv8 crypto extensions.
567
568config CRYPTO_ESSIV
569	tristate "ESSIV support for block encryption"
570	select CRYPTO_AUTHENC
571	help
572	  Encrypted salt-sector initialization vector (ESSIV) is an IV
573	  generation method that is used in some cases by fscrypt and/or
574	  dm-crypt. It uses the hash of the block encryption key as the
575	  symmetric key for a block encryption pass applied to the input
576	  IV, making low entropy IV sources more suitable for block
577	  encryption.
578
579	  This driver implements a crypto API template that can be
580	  instantiated either as an skcipher or as an AEAD (depending on the
581	  type of the first template argument), and which defers encryption
582	  and decryption requests to the encapsulated cipher after applying
583	  ESSIV to the input IV. Note that in the AEAD case, it is assumed
584	  that the keys are presented in the same format used by the authenc
585	  template, and that the IV appears at the end of the authenticated
586	  associated data (AAD) region (which is how dm-crypt uses it.)
587
588	  Note that the use of ESSIV is not recommended for new deployments,
589	  and so this only needs to be enabled when interoperability with
590	  existing encrypted volumes of filesystems is required, or when
591	  building for a particular system that requires it (e.g., when
592	  the SoC in question has accelerated CBC but not XTS, making CBC
593	  combined with ESSIV the only feasible mode for h/w accelerated
594	  block encryption)
595
596comment "Hash modes"
597
598config CRYPTO_CMAC
599	tristate "CMAC support"
600	select CRYPTO_HASH
601	select CRYPTO_MANAGER
602	help
603	  Cipher-based Message Authentication Code (CMAC) specified by
604	  The National Institute of Standards and Technology (NIST).
605
606	  https://tools.ietf.org/html/rfc4493
607	  http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf
608
609config CRYPTO_HMAC
610	tristate "HMAC support"
611	select CRYPTO_HASH
612	select CRYPTO_MANAGER
613	help
614	  HMAC: Keyed-Hashing for Message Authentication (RFC2104).
615	  This is required for IPSec.
616
617config CRYPTO_XCBC
618	tristate "XCBC support"
619	select CRYPTO_HASH
620	select CRYPTO_MANAGER
621	help
622	  XCBC: Keyed-Hashing with encryption algorithm
623		https://www.ietf.org/rfc/rfc3566.txt
624		http://csrc.nist.gov/encryption/modes/proposedmodes/
625		 xcbc-mac/xcbc-mac-spec.pdf
626
627config CRYPTO_VMAC
628	tristate "VMAC support"
629	select CRYPTO_HASH
630	select CRYPTO_MANAGER
631	help
632	  VMAC is a message authentication algorithm designed for
633	  very high speed on 64-bit architectures.
634
635	  See also:
636	  <https://fastcrypto.org/vmac>
637
638comment "Digest"
639
640config CRYPTO_CRC32C
641	tristate "CRC32c CRC algorithm"
642	select CRYPTO_HASH
643	select CRC32
644	help
645	  Castagnoli, et al Cyclic Redundancy-Check Algorithm.  Used
646	  by iSCSI for header and data digests and by others.
647	  See Castagnoli93.  Module will be crc32c.
648
649config CRYPTO_CRC32C_INTEL
650	tristate "CRC32c INTEL hardware acceleration"
651	depends on X86
652	select CRYPTO_HASH
653	help
654	  In Intel processor with SSE4.2 supported, the processor will
655	  support CRC32C implementation using hardware accelerated CRC32
656	  instruction. This option will create 'crc32c-intel' module,
657	  which will enable any routine to use the CRC32 instruction to
658	  gain performance compared with software implementation.
659	  Module will be crc32c-intel.
660
661config CRYPTO_CRC32C_VPMSUM
662	tristate "CRC32c CRC algorithm (powerpc64)"
663	depends on PPC64 && ALTIVEC
664	select CRYPTO_HASH
665	select CRC32
666	help
667	  CRC32c algorithm implemented using vector polynomial multiply-sum
668	  (vpmsum) instructions, introduced in POWER8. Enable on POWER8
669	  and newer processors for improved performance.
670
671
672config CRYPTO_CRC32C_SPARC64
673	tristate "CRC32c CRC algorithm (SPARC64)"
674	depends on SPARC64
675	select CRYPTO_HASH
676	select CRC32
677	help
678	  CRC32c CRC algorithm implemented using sparc64 crypto instructions,
679	  when available.
680
681config CRYPTO_CRC32
682	tristate "CRC32 CRC algorithm"
683	select CRYPTO_HASH
684	select CRC32
685	help
686	  CRC-32-IEEE 802.3 cyclic redundancy-check algorithm.
687	  Shash crypto api wrappers to crc32_le function.
688
689config CRYPTO_CRC32_PCLMUL
690	tristate "CRC32 PCLMULQDQ hardware acceleration"
691	depends on X86
692	select CRYPTO_HASH
693	select CRC32
694	help
695	  From Intel Westmere and AMD Bulldozer processor with SSE4.2
696	  and PCLMULQDQ supported, the processor will support
697	  CRC32 PCLMULQDQ implementation using hardware accelerated PCLMULQDQ
698	  instruction. This option will create 'crc32-pclmul' module,
699	  which will enable any routine to use the CRC-32-IEEE 802.3 checksum
700	  and gain better performance as compared with the table implementation.
701
702config CRYPTO_CRC32_MIPS
703	tristate "CRC32c and CRC32 CRC algorithm (MIPS)"
704	depends on MIPS_CRC_SUPPORT
705	select CRYPTO_HASH
706	help
707	  CRC32c and CRC32 CRC algorithms implemented using mips crypto
708	  instructions, when available.
709
710config CRYPTO_CRC32_S390
711	tristate "CRC-32 algorithms"
712	depends on S390
713	select CRYPTO_HASH
714	select CRC32
715	help
716	  Select this option if you want to use hardware accelerated
717	  implementations of CRC algorithms.  With this option, you
718	  can optimize the computation of CRC-32 (IEEE 802.3 Ethernet)
719	  and CRC-32C (Castagnoli).
720
721	  It is available with IBM z13 or later.
722
723config CRYPTO_XXHASH
724	tristate "xxHash hash algorithm"
725	select CRYPTO_HASH
726	select XXHASH
727	help
728	  xxHash non-cryptographic hash algorithm. Extremely fast, working at
729	  speeds close to RAM limits.
730
731config CRYPTO_BLAKE2B
732	tristate "BLAKE2b digest algorithm"
733	select CRYPTO_HASH
734	help
735	  Implementation of cryptographic hash function BLAKE2b (or just BLAKE2),
736	  optimized for 64bit platforms and can produce digests of any size
737	  between 1 to 64.  The keyed hash is also implemented.
738
739	  This module provides the following algorithms:
740
741	  - blake2b-160
742	  - blake2b-256
743	  - blake2b-384
744	  - blake2b-512
745
746	  See https://blake2.net for further information.
747
748config CRYPTO_BLAKE2S_X86
749	bool "BLAKE2s digest algorithm (x86 accelerated version)"
750	depends on X86 && 64BIT
751	select CRYPTO_LIB_BLAKE2S_GENERIC
752	select CRYPTO_ARCH_HAVE_LIB_BLAKE2S
753
754config CRYPTO_CRCT10DIF
755	tristate "CRCT10DIF algorithm"
756	select CRYPTO_HASH
757	help
758	  CRC T10 Data Integrity Field computation is being cast as
759	  a crypto transform.  This allows for faster crc t10 diff
760	  transforms to be used if they are available.
761
762config CRYPTO_CRCT10DIF_PCLMUL
763	tristate "CRCT10DIF PCLMULQDQ hardware acceleration"
764	depends on X86 && 64BIT && CRC_T10DIF
765	select CRYPTO_HASH
766	help
767	  For x86_64 processors with SSE4.2 and PCLMULQDQ supported,
768	  CRC T10 DIF PCLMULQDQ computation can be hardware
769	  accelerated PCLMULQDQ instruction. This option will create
770	  'crct10dif-pclmul' module, which is faster when computing the
771	  crct10dif checksum as compared with the generic table implementation.
772
773config CRYPTO_CRCT10DIF_VPMSUM
774	tristate "CRC32T10DIF powerpc64 hardware acceleration"
775	depends on PPC64 && ALTIVEC && CRC_T10DIF
776	select CRYPTO_HASH
777	help
778	  CRC10T10DIF algorithm implemented using vector polynomial
779	  multiply-sum (vpmsum) instructions, introduced in POWER8. Enable on
780	  POWER8 and newer processors for improved performance.
781
782config CRYPTO_CRC64_ROCKSOFT
783	tristate "Rocksoft Model CRC64 algorithm"
784	depends on CRC64
785	select CRYPTO_HASH
786
787config CRYPTO_VPMSUM_TESTER
788	tristate "Powerpc64 vpmsum hardware acceleration tester"
789	depends on CRYPTO_CRCT10DIF_VPMSUM && CRYPTO_CRC32C_VPMSUM
790	help
791	  Stress test for CRC32c and CRC-T10DIF algorithms implemented with
792	  POWER8 vpmsum instructions.
793	  Unless you are testing these algorithms, you don't need this.
794
795config CRYPTO_GHASH
796	tristate "GHASH hash function"
797	select CRYPTO_GF128MUL
798	select CRYPTO_HASH
799	help
800	  GHASH is the hash function used in GCM (Galois/Counter Mode).
801	  It is not a general-purpose cryptographic hash function.
802
803config CRYPTO_POLYVAL
804	tristate
805	select CRYPTO_GF128MUL
806	select CRYPTO_HASH
807	help
808	  POLYVAL is the hash function used in HCTR2.  It is not a general-purpose
809	  cryptographic hash function.
810
811config CRYPTO_POLYVAL_CLMUL_NI
812	tristate "POLYVAL hash function (CLMUL-NI accelerated)"
813	depends on X86 && 64BIT
814	select CRYPTO_POLYVAL
815	help
816	  This is the x86_64 CLMUL-NI accelerated implementation of POLYVAL. It is
817	  used to efficiently implement HCTR2 on x86-64 processors that support
818	  carry-less multiplication instructions.
819
820config CRYPTO_POLY1305
821	tristate "Poly1305 authenticator algorithm"
822	select CRYPTO_HASH
823	select CRYPTO_LIB_POLY1305_GENERIC
824	help
825	  Poly1305 authenticator algorithm, RFC7539.
826
827	  Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
828	  It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
829	  in IETF protocols. This is the portable C implementation of Poly1305.
830
831config CRYPTO_POLY1305_X86_64
832	tristate "Poly1305 authenticator algorithm (x86_64/SSE2/AVX2)"
833	depends on X86 && 64BIT
834	select CRYPTO_LIB_POLY1305_GENERIC
835	select CRYPTO_ARCH_HAVE_LIB_POLY1305
836	help
837	  Poly1305 authenticator algorithm, RFC7539.
838
839	  Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
840	  It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
841	  in IETF protocols. This is the x86_64 assembler implementation using SIMD
842	  instructions.
843
844config CRYPTO_POLY1305_MIPS
845	tristate "Poly1305 authenticator algorithm (MIPS optimized)"
846	depends on MIPS
847	select CRYPTO_ARCH_HAVE_LIB_POLY1305
848
849config CRYPTO_MD4
850	tristate "MD4 digest algorithm"
851	select CRYPTO_HASH
852	help
853	  MD4 message digest algorithm (RFC1320).
854
855config CRYPTO_MD5
856	tristate "MD5 digest algorithm"
857	select CRYPTO_HASH
858	help
859	  MD5 message digest algorithm (RFC1321).
860
861config CRYPTO_MD5_OCTEON
862	tristate "MD5 digest algorithm (OCTEON)"
863	depends on CPU_CAVIUM_OCTEON
864	select CRYPTO_MD5
865	select CRYPTO_HASH
866	help
867	  MD5 message digest algorithm (RFC1321) implemented
868	  using OCTEON crypto instructions, when available.
869
870config CRYPTO_MD5_PPC
871	tristate "MD5 digest algorithm (PPC)"
872	depends on PPC
873	select CRYPTO_HASH
874	help
875	  MD5 message digest algorithm (RFC1321) implemented
876	  in PPC assembler.
877
878config CRYPTO_MD5_SPARC64
879	tristate "MD5 digest algorithm (SPARC64)"
880	depends on SPARC64
881	select CRYPTO_MD5
882	select CRYPTO_HASH
883	help
884	  MD5 message digest algorithm (RFC1321) implemented
885	  using sparc64 crypto instructions, when available.
886
887config CRYPTO_MICHAEL_MIC
888	tristate "Michael MIC keyed digest algorithm"
889	select CRYPTO_HASH
890	help
891	  Michael MIC is used for message integrity protection in TKIP
892	  (IEEE 802.11i). This algorithm is required for TKIP, but it
893	  should not be used for other purposes because of the weakness
894	  of the algorithm.
895
896config CRYPTO_RMD160
897	tristate "RIPEMD-160 digest algorithm"
898	select CRYPTO_HASH
899	help
900	  RIPEMD-160 (ISO/IEC 10118-3:2004).
901
902	  RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
903	  to be used as a secure replacement for the 128-bit hash functions
904	  MD4, MD5 and its predecessor RIPEMD
905	  (not to be confused with RIPEMD-128).
906
907	  It's speed is comparable to SHA1 and there are no known attacks
908	  against RIPEMD-160.
909
910	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
911	  See <https://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
912
913config CRYPTO_SHA1
914	tristate "SHA1 digest algorithm"
915	select CRYPTO_HASH
916	select CRYPTO_LIB_SHA1
917	help
918	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2).
919
920config CRYPTO_SHA1_SSSE3
921	tristate "SHA1 digest algorithm (SSSE3/AVX/AVX2/SHA-NI)"
922	depends on X86 && 64BIT
923	select CRYPTO_SHA1
924	select CRYPTO_HASH
925	help
926	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
927	  using Supplemental SSE3 (SSSE3) instructions or Advanced Vector
928	  Extensions (AVX/AVX2) or SHA-NI(SHA Extensions New Instructions),
929	  when available.
930
931config CRYPTO_SHA256_SSSE3
932	tristate "SHA256 digest algorithm (SSSE3/AVX/AVX2/SHA-NI)"
933	depends on X86 && 64BIT
934	select CRYPTO_SHA256
935	select CRYPTO_HASH
936	help
937	  SHA-256 secure hash standard (DFIPS 180-2) implemented
938	  using Supplemental SSE3 (SSSE3) instructions, or Advanced Vector
939	  Extensions version 1 (AVX1), or Advanced Vector Extensions
940	  version 2 (AVX2) instructions, or SHA-NI (SHA Extensions New
941	  Instructions) when available.
942
943config CRYPTO_SHA512_SSSE3
944	tristate "SHA512 digest algorithm (SSSE3/AVX/AVX2)"
945	depends on X86 && 64BIT
946	select CRYPTO_SHA512
947	select CRYPTO_HASH
948	help
949	  SHA-512 secure hash standard (DFIPS 180-2) implemented
950	  using Supplemental SSE3 (SSSE3) instructions, or Advanced Vector
951	  Extensions version 1 (AVX1), or Advanced Vector Extensions
952	  version 2 (AVX2) instructions, when available.
953
954config CRYPTO_SHA512_S390
955	tristate "SHA384 and SHA512 digest algorithm"
956	depends on S390
957	select CRYPTO_HASH
958	help
959	  This is the s390 hardware accelerated implementation of the
960	  SHA512 secure hash standard.
961
962	  It is available as of z10.
963
964config CRYPTO_SHA1_OCTEON
965	tristate "SHA1 digest algorithm (OCTEON)"
966	depends on CPU_CAVIUM_OCTEON
967	select CRYPTO_SHA1
968	select CRYPTO_HASH
969	help
970	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
971	  using OCTEON crypto instructions, when available.
972
973config CRYPTO_SHA1_SPARC64
974	tristate "SHA1 digest algorithm (SPARC64)"
975	depends on SPARC64
976	select CRYPTO_SHA1
977	select CRYPTO_HASH
978	help
979	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
980	  using sparc64 crypto instructions, when available.
981
982config CRYPTO_SHA1_PPC
983	tristate "SHA1 digest algorithm (powerpc)"
984	depends on PPC
985	help
986	  This is the powerpc hardware accelerated implementation of the
987	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2).
988
989config CRYPTO_SHA1_PPC_SPE
990	tristate "SHA1 digest algorithm (PPC SPE)"
991	depends on PPC && SPE
992	help
993	  SHA-1 secure hash standard (DFIPS 180-4) implemented
994	  using powerpc SPE SIMD instruction set.
995
996config CRYPTO_SHA1_S390
997	tristate "SHA1 digest algorithm"
998	depends on S390
999	select CRYPTO_HASH
1000	help
1001	  This is the s390 hardware accelerated implementation of the
1002	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2).
1003
1004	  It is available as of z990.
1005
1006config CRYPTO_SHA256
1007	tristate "SHA224 and SHA256 digest algorithm"
1008	select CRYPTO_HASH
1009	select CRYPTO_LIB_SHA256
1010	help
1011	  SHA256 secure hash standard (DFIPS 180-2).
1012
1013	  This version of SHA implements a 256 bit hash with 128 bits of
1014	  security against collision attacks.
1015
1016	  This code also includes SHA-224, a 224 bit hash with 112 bits
1017	  of security against collision attacks.
1018
1019config CRYPTO_SHA256_PPC_SPE
1020	tristate "SHA224 and SHA256 digest algorithm (PPC SPE)"
1021	depends on PPC && SPE
1022	select CRYPTO_SHA256
1023	select CRYPTO_HASH
1024	help
1025	  SHA224 and SHA256 secure hash standard (DFIPS 180-2)
1026	  implemented using powerpc SPE SIMD instruction set.
1027
1028config CRYPTO_SHA256_OCTEON
1029	tristate "SHA224 and SHA256 digest algorithm (OCTEON)"
1030	depends on CPU_CAVIUM_OCTEON
1031	select CRYPTO_SHA256
1032	select CRYPTO_HASH
1033	help
1034	  SHA-256 secure hash standard (DFIPS 180-2) implemented
1035	  using OCTEON crypto instructions, when available.
1036
1037config CRYPTO_SHA256_SPARC64
1038	tristate "SHA224 and SHA256 digest algorithm (SPARC64)"
1039	depends on SPARC64
1040	select CRYPTO_SHA256
1041	select CRYPTO_HASH
1042	help
1043	  SHA-256 secure hash standard (DFIPS 180-2) implemented
1044	  using sparc64 crypto instructions, when available.
1045
1046config CRYPTO_SHA256_S390
1047	tristate "SHA256 digest algorithm"
1048	depends on S390
1049	select CRYPTO_HASH
1050	help
1051	  This is the s390 hardware accelerated implementation of the
1052	  SHA256 secure hash standard (DFIPS 180-2).
1053
1054	  It is available as of z9.
1055
1056config CRYPTO_SHA512
1057	tristate "SHA384 and SHA512 digest algorithms"
1058	select CRYPTO_HASH
1059	help
1060	  SHA512 secure hash standard (DFIPS 180-2).
1061
1062	  This version of SHA implements a 512 bit hash with 256 bits of
1063	  security against collision attacks.
1064
1065	  This code also includes SHA-384, a 384 bit hash with 192 bits
1066	  of security against collision attacks.
1067
1068config CRYPTO_SHA512_OCTEON
1069	tristate "SHA384 and SHA512 digest algorithms (OCTEON)"
1070	depends on CPU_CAVIUM_OCTEON
1071	select CRYPTO_SHA512
1072	select CRYPTO_HASH
1073	help
1074	  SHA-512 secure hash standard (DFIPS 180-2) implemented
1075	  using OCTEON crypto instructions, when available.
1076
1077config CRYPTO_SHA512_SPARC64
1078	tristate "SHA384 and SHA512 digest algorithm (SPARC64)"
1079	depends on SPARC64
1080	select CRYPTO_SHA512
1081	select CRYPTO_HASH
1082	help
1083	  SHA-512 secure hash standard (DFIPS 180-2) implemented
1084	  using sparc64 crypto instructions, when available.
1085
1086config CRYPTO_SHA3
1087	tristate "SHA3 digest algorithm"
1088	select CRYPTO_HASH
1089	help
1090	  SHA-3 secure hash standard (DFIPS 202). It's based on
1091	  cryptographic sponge function family called Keccak.
1092
1093	  References:
1094	  http://keccak.noekeon.org/
1095
1096config CRYPTO_SHA3_256_S390
1097	tristate "SHA3_224 and SHA3_256 digest algorithm"
1098	depends on S390
1099	select CRYPTO_HASH
1100	help
1101	  This is the s390 hardware accelerated implementation of the
1102	  SHA3_256 secure hash standard.
1103
1104	  It is available as of z14.
1105
1106config CRYPTO_SHA3_512_S390
1107	tristate "SHA3_384 and SHA3_512 digest algorithm"
1108	depends on S390
1109	select CRYPTO_HASH
1110	help
1111	  This is the s390 hardware accelerated implementation of the
1112	  SHA3_512 secure hash standard.
1113
1114	  It is available as of z14.
1115
1116config CRYPTO_SM3
1117	tristate
1118
1119config CRYPTO_SM3_GENERIC
1120	tristate "SM3 digest algorithm"
1121	select CRYPTO_HASH
1122	select CRYPTO_SM3
1123	help
1124	  SM3 secure hash function as defined by OSCCA GM/T 0004-2012 SM3).
1125	  It is part of the Chinese Commercial Cryptography suite.
1126
1127	  References:
1128	  http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
1129	  https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
1130
1131config CRYPTO_SM3_AVX_X86_64
1132	tristate "SM3 digest algorithm (x86_64/AVX)"
1133	depends on X86 && 64BIT
1134	select CRYPTO_HASH
1135	select CRYPTO_SM3
1136	help
1137	  SM3 secure hash function as defined by OSCCA GM/T 0004-2012 SM3).
1138	  It is part of the Chinese Commercial Cryptography suite. This is
1139	  SM3 optimized implementation using Advanced Vector Extensions (AVX)
1140	  when available.
1141
1142	  If unsure, say N.
1143
1144config CRYPTO_STREEBOG
1145	tristate "Streebog Hash Function"
1146	select CRYPTO_HASH
1147	help
1148	  Streebog Hash Function (GOST R 34.11-2012, RFC 6986) is one of the Russian
1149	  cryptographic standard algorithms (called GOST algorithms).
1150	  This setting enables two hash algorithms with 256 and 512 bits output.
1151
1152	  References:
1153	  https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1154	  https://tools.ietf.org/html/rfc6986
1155
1156config CRYPTO_WP512
1157	tristate "Whirlpool digest algorithms"
1158	select CRYPTO_HASH
1159	help
1160	  Whirlpool hash algorithm 512, 384 and 256-bit hashes
1161
1162	  Whirlpool-512 is part of the NESSIE cryptographic primitives.
1163	  Whirlpool will be part of the ISO/IEC 10118-3:2003(E) standard
1164
1165	  See also:
1166	  <http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html>
1167
1168config CRYPTO_GHASH_CLMUL_NI_INTEL
1169	tristate "GHASH hash function (CLMUL-NI accelerated)"
1170	depends on X86 && 64BIT
1171	select CRYPTO_CRYPTD
1172	help
1173	  This is the x86_64 CLMUL-NI accelerated implementation of
1174	  GHASH, the hash function used in GCM (Galois/Counter mode).
1175
1176config CRYPTO_GHASH_S390
1177	tristate "GHASH hash function"
1178	depends on S390
1179	select CRYPTO_HASH
1180	help
1181	  This is the s390 hardware accelerated implementation of GHASH,
1182	  the hash function used in GCM (Galois/Counter mode).
1183
1184	  It is available as of z196.
1185
1186comment "Ciphers"
1187
1188config CRYPTO_AES
1189	tristate "AES cipher algorithms"
1190	select CRYPTO_ALGAPI
1191	select CRYPTO_LIB_AES
1192	help
1193	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
1194	  algorithm.
1195
1196	  Rijndael appears to be consistently a very good performer in
1197	  both hardware and software across a wide range of computing
1198	  environments regardless of its use in feedback or non-feedback
1199	  modes. Its key setup time is excellent, and its key agility is
1200	  good. Rijndael's very low memory requirements make it very well
1201	  suited for restricted-space environments, in which it also
1202	  demonstrates excellent performance. Rijndael's operations are
1203	  among the easiest to defend against power and timing attacks.
1204
1205	  The AES specifies three key sizes: 128, 192 and 256 bits
1206
1207	  See <http://csrc.nist.gov/CryptoToolkit/aes/> for more information.
1208
1209config CRYPTO_AES_TI
1210	tristate "Fixed time AES cipher"
1211	select CRYPTO_ALGAPI
1212	select CRYPTO_LIB_AES
1213	help
1214	  This is a generic implementation of AES that attempts to eliminate
1215	  data dependent latencies as much as possible without affecting
1216	  performance too much. It is intended for use by the generic CCM
1217	  and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
1218	  solely on encryption (although decryption is supported as well, but
1219	  with a more dramatic performance hit)
1220
1221	  Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
1222	  8 for decryption), this implementation only uses just two S-boxes of
1223	  256 bytes each, and attempts to eliminate data dependent latencies by
1224	  prefetching the entire table into the cache at the start of each
1225	  block. Interrupts are also disabled to avoid races where cachelines
1226	  are evicted when the CPU is interrupted to do something else.
1227
1228config CRYPTO_AES_NI_INTEL
1229	tristate "AES cipher algorithms (AES-NI)"
1230	depends on X86
1231	select CRYPTO_AEAD
1232	select CRYPTO_LIB_AES
1233	select CRYPTO_ALGAPI
1234	select CRYPTO_SKCIPHER
1235	select CRYPTO_SIMD
1236	help
1237	  Use Intel AES-NI instructions for AES algorithm.
1238
1239	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
1240	  algorithm.
1241
1242	  Rijndael appears to be consistently a very good performer in
1243	  both hardware and software across a wide range of computing
1244	  environments regardless of its use in feedback or non-feedback
1245	  modes. Its key setup time is excellent, and its key agility is
1246	  good. Rijndael's very low memory requirements make it very well
1247	  suited for restricted-space environments, in which it also
1248	  demonstrates excellent performance. Rijndael's operations are
1249	  among the easiest to defend against power and timing attacks.
1250
1251	  The AES specifies three key sizes: 128, 192 and 256 bits
1252
1253	  See <http://csrc.nist.gov/encryption/aes/> for more information.
1254
1255	  In addition to AES cipher algorithm support, the acceleration
1256	  for some popular block cipher mode is supported too, including
1257	  ECB, CBC, LRW, XTS. The 64 bit version has additional
1258	  acceleration for CTR and XCTR.
1259
1260config CRYPTO_AES_SPARC64
1261	tristate "AES cipher algorithms (SPARC64)"
1262	depends on SPARC64
1263	select CRYPTO_SKCIPHER
1264	help
1265	  Use SPARC64 crypto opcodes for AES algorithm.
1266
1267	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
1268	  algorithm.
1269
1270	  Rijndael appears to be consistently a very good performer in
1271	  both hardware and software across a wide range of computing
1272	  environments regardless of its use in feedback or non-feedback
1273	  modes. Its key setup time is excellent, and its key agility is
1274	  good. Rijndael's very low memory requirements make it very well
1275	  suited for restricted-space environments, in which it also
1276	  demonstrates excellent performance. Rijndael's operations are
1277	  among the easiest to defend against power and timing attacks.
1278
1279	  The AES specifies three key sizes: 128, 192 and 256 bits
1280
1281	  See <http://csrc.nist.gov/encryption/aes/> for more information.
1282
1283	  In addition to AES cipher algorithm support, the acceleration
1284	  for some popular block cipher mode is supported too, including
1285	  ECB and CBC.
1286
1287config CRYPTO_AES_PPC_SPE
1288	tristate "AES cipher algorithms (PPC SPE)"
1289	depends on PPC && SPE
1290	select CRYPTO_SKCIPHER
1291	help
1292	  AES cipher algorithms (FIPS-197). Additionally the acceleration
1293	  for popular block cipher modes ECB, CBC, CTR and XTS is supported.
1294	  This module should only be used for low power (router) devices
1295	  without hardware AES acceleration (e.g. caam crypto). It reduces the
1296	  size of the AES tables from 16KB to 8KB + 256 bytes and mitigates
1297	  timining attacks. Nevertheless it might be not as secure as other
1298	  architecture specific assembler implementations that work on 1KB
1299	  tables or 256 bytes S-boxes.
1300
1301config CRYPTO_AES_S390
1302	tristate "AES cipher algorithms"
1303	depends on S390
1304	select CRYPTO_ALGAPI
1305	select CRYPTO_SKCIPHER
1306	help
1307	  This is the s390 hardware accelerated implementation of the
1308	  AES cipher algorithms (FIPS-197).
1309
1310	  As of z9 the ECB and CBC modes are hardware accelerated
1311	  for 128 bit keys.
1312	  As of z10 the ECB and CBC modes are hardware accelerated
1313	  for all AES key sizes.
1314	  As of z196 the CTR mode is hardware accelerated for all AES
1315	  key sizes and XTS mode is hardware accelerated for 256 and
1316	  512 bit keys.
1317
1318config CRYPTO_ANUBIS
1319	tristate "Anubis cipher algorithm"
1320	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1321	select CRYPTO_ALGAPI
1322	help
1323	  Anubis cipher algorithm.
1324
1325	  Anubis is a variable key length cipher which can use keys from
1326	  128 bits to 320 bits in length.  It was evaluated as a entrant
1327	  in the NESSIE competition.
1328
1329	  See also:
1330	  <https://www.cosic.esat.kuleuven.be/nessie/reports/>
1331	  <http://www.larc.usp.br/~pbarreto/AnubisPage.html>
1332
1333config CRYPTO_ARC4
1334	tristate "ARC4 cipher algorithm"
1335	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1336	select CRYPTO_SKCIPHER
1337	select CRYPTO_LIB_ARC4
1338	help
1339	  ARC4 cipher algorithm.
1340
1341	  ARC4 is a stream cipher using keys ranging from 8 bits to 2048
1342	  bits in length.  This algorithm is required for driver-based
1343	  WEP, but it should not be for other purposes because of the
1344	  weakness of the algorithm.
1345
1346config CRYPTO_BLOWFISH
1347	tristate "Blowfish cipher algorithm"
1348	select CRYPTO_ALGAPI
1349	select CRYPTO_BLOWFISH_COMMON
1350	help
1351	  Blowfish cipher algorithm, by Bruce Schneier.
1352
1353	  This is a variable key length cipher which can use keys from 32
1354	  bits to 448 bits in length.  It's fast, simple and specifically
1355	  designed for use on "large microprocessors".
1356
1357	  See also:
1358	  <https://www.schneier.com/blowfish.html>
1359
1360config CRYPTO_BLOWFISH_COMMON
1361	tristate
1362	help
1363	  Common parts of the Blowfish cipher algorithm shared by the
1364	  generic c and the assembler implementations.
1365
1366	  See also:
1367	  <https://www.schneier.com/blowfish.html>
1368
1369config CRYPTO_BLOWFISH_X86_64
1370	tristate "Blowfish cipher algorithm (x86_64)"
1371	depends on X86 && 64BIT
1372	select CRYPTO_SKCIPHER
1373	select CRYPTO_BLOWFISH_COMMON
1374	imply CRYPTO_CTR
1375	help
1376	  Blowfish cipher algorithm (x86_64), by Bruce Schneier.
1377
1378	  This is a variable key length cipher which can use keys from 32
1379	  bits to 448 bits in length.  It's fast, simple and specifically
1380	  designed for use on "large microprocessors".
1381
1382	  See also:
1383	  <https://www.schneier.com/blowfish.html>
1384
1385config CRYPTO_CAMELLIA
1386	tristate "Camellia cipher algorithms"
1387	select CRYPTO_ALGAPI
1388	help
1389	  Camellia cipher algorithms module.
1390
1391	  Camellia is a symmetric key block cipher developed jointly
1392	  at NTT and Mitsubishi Electric Corporation.
1393
1394	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1395
1396	  See also:
1397	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1398
1399config CRYPTO_CAMELLIA_X86_64
1400	tristate "Camellia cipher algorithm (x86_64)"
1401	depends on X86 && 64BIT
1402	select CRYPTO_SKCIPHER
1403	imply CRYPTO_CTR
1404	help
1405	  Camellia cipher algorithm module (x86_64).
1406
1407	  Camellia is a symmetric key block cipher developed jointly
1408	  at NTT and Mitsubishi Electric Corporation.
1409
1410	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1411
1412	  See also:
1413	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1414
1415config CRYPTO_CAMELLIA_AESNI_AVX_X86_64
1416	tristate "Camellia cipher algorithm (x86_64/AES-NI/AVX)"
1417	depends on X86 && 64BIT
1418	select CRYPTO_SKCIPHER
1419	select CRYPTO_CAMELLIA_X86_64
1420	select CRYPTO_SIMD
1421	imply CRYPTO_XTS
1422	help
1423	  Camellia cipher algorithm module (x86_64/AES-NI/AVX).
1424
1425	  Camellia is a symmetric key block cipher developed jointly
1426	  at NTT and Mitsubishi Electric Corporation.
1427
1428	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1429
1430	  See also:
1431	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1432
1433config CRYPTO_CAMELLIA_AESNI_AVX2_X86_64
1434	tristate "Camellia cipher algorithm (x86_64/AES-NI/AVX2)"
1435	depends on X86 && 64BIT
1436	select CRYPTO_CAMELLIA_AESNI_AVX_X86_64
1437	help
1438	  Camellia cipher algorithm module (x86_64/AES-NI/AVX2).
1439
1440	  Camellia is a symmetric key block cipher developed jointly
1441	  at NTT and Mitsubishi Electric Corporation.
1442
1443	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1444
1445	  See also:
1446	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1447
1448config CRYPTO_CAMELLIA_SPARC64
1449	tristate "Camellia cipher algorithm (SPARC64)"
1450	depends on SPARC64
1451	select CRYPTO_ALGAPI
1452	select CRYPTO_SKCIPHER
1453	help
1454	  Camellia cipher algorithm module (SPARC64).
1455
1456	  Camellia is a symmetric key block cipher developed jointly
1457	  at NTT and Mitsubishi Electric Corporation.
1458
1459	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1460
1461	  See also:
1462	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1463
1464config CRYPTO_CAST_COMMON
1465	tristate
1466	help
1467	  Common parts of the CAST cipher algorithms shared by the
1468	  generic c and the assembler implementations.
1469
1470config CRYPTO_CAST5
1471	tristate "CAST5 (CAST-128) cipher algorithm"
1472	select CRYPTO_ALGAPI
1473	select CRYPTO_CAST_COMMON
1474	help
1475	  The CAST5 encryption algorithm (synonymous with CAST-128) is
1476	  described in RFC2144.
1477
1478config CRYPTO_CAST5_AVX_X86_64
1479	tristate "CAST5 (CAST-128) cipher algorithm (x86_64/AVX)"
1480	depends on X86 && 64BIT
1481	select CRYPTO_SKCIPHER
1482	select CRYPTO_CAST5
1483	select CRYPTO_CAST_COMMON
1484	select CRYPTO_SIMD
1485	imply CRYPTO_CTR
1486	help
1487	  The CAST5 encryption algorithm (synonymous with CAST-128) is
1488	  described in RFC2144.
1489
1490	  This module provides the Cast5 cipher algorithm that processes
1491	  sixteen blocks parallel using the AVX instruction set.
1492
1493config CRYPTO_CAST6
1494	tristate "CAST6 (CAST-256) cipher algorithm"
1495	select CRYPTO_ALGAPI
1496	select CRYPTO_CAST_COMMON
1497	help
1498	  The CAST6 encryption algorithm (synonymous with CAST-256) is
1499	  described in RFC2612.
1500
1501config CRYPTO_CAST6_AVX_X86_64
1502	tristate "CAST6 (CAST-256) cipher algorithm (x86_64/AVX)"
1503	depends on X86 && 64BIT
1504	select CRYPTO_SKCIPHER
1505	select CRYPTO_CAST6
1506	select CRYPTO_CAST_COMMON
1507	select CRYPTO_SIMD
1508	imply CRYPTO_XTS
1509	imply CRYPTO_CTR
1510	help
1511	  The CAST6 encryption algorithm (synonymous with CAST-256) is
1512	  described in RFC2612.
1513
1514	  This module provides the Cast6 cipher algorithm that processes
1515	  eight blocks parallel using the AVX instruction set.
1516
1517config CRYPTO_DES
1518	tristate "DES and Triple DES EDE cipher algorithms"
1519	select CRYPTO_ALGAPI
1520	select CRYPTO_LIB_DES
1521	help
1522	  DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3).
1523
1524config CRYPTO_DES_SPARC64
1525	tristate "DES and Triple DES EDE cipher algorithms (SPARC64)"
1526	depends on SPARC64
1527	select CRYPTO_ALGAPI
1528	select CRYPTO_LIB_DES
1529	select CRYPTO_SKCIPHER
1530	help
1531	  DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3),
1532	  optimized using SPARC64 crypto opcodes.
1533
1534config CRYPTO_DES3_EDE_X86_64
1535	tristate "Triple DES EDE cipher algorithm (x86-64)"
1536	depends on X86 && 64BIT
1537	select CRYPTO_SKCIPHER
1538	select CRYPTO_LIB_DES
1539	imply CRYPTO_CTR
1540	help
1541	  Triple DES EDE (FIPS 46-3) algorithm.
1542
1543	  This module provides implementation of the Triple DES EDE cipher
1544	  algorithm that is optimized for x86-64 processors. Two versions of
1545	  algorithm are provided; regular processing one input block and
1546	  one that processes three blocks parallel.
1547
1548config CRYPTO_DES_S390
1549	tristate "DES and Triple DES cipher algorithms"
1550	depends on S390
1551	select CRYPTO_ALGAPI
1552	select CRYPTO_SKCIPHER
1553	select CRYPTO_LIB_DES
1554	help
1555	  This is the s390 hardware accelerated implementation of the
1556	  DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3).
1557
1558	  As of z990 the ECB and CBC mode are hardware accelerated.
1559	  As of z196 the CTR mode is hardware accelerated.
1560
1561config CRYPTO_FCRYPT
1562	tristate "FCrypt cipher algorithm"
1563	select CRYPTO_ALGAPI
1564	select CRYPTO_SKCIPHER
1565	help
1566	  FCrypt algorithm used by RxRPC.
1567
1568config CRYPTO_KHAZAD
1569	tristate "Khazad cipher algorithm"
1570	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1571	select CRYPTO_ALGAPI
1572	help
1573	  Khazad cipher algorithm.
1574
1575	  Khazad was a finalist in the initial NESSIE competition.  It is
1576	  an algorithm optimized for 64-bit processors with good performance
1577	  on 32-bit processors.  Khazad uses an 128 bit key size.
1578
1579	  See also:
1580	  <http://www.larc.usp.br/~pbarreto/KhazadPage.html>
1581
1582config CRYPTO_CHACHA20
1583	tristate "ChaCha stream cipher algorithms"
1584	select CRYPTO_LIB_CHACHA_GENERIC
1585	select CRYPTO_SKCIPHER
1586	help
1587	  The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms.
1588
1589	  ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
1590	  Bernstein and further specified in RFC7539 for use in IETF protocols.
1591	  This is the portable C implementation of ChaCha20.  See also:
1592	  <https://cr.yp.to/chacha/chacha-20080128.pdf>
1593
1594	  XChaCha20 is the application of the XSalsa20 construction to ChaCha20
1595	  rather than to Salsa20.  XChaCha20 extends ChaCha20's nonce length
1596	  from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
1597	  while provably retaining ChaCha20's security.  See also:
1598	  <https://cr.yp.to/snuffle/xsalsa-20081128.pdf>
1599
1600	  XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
1601	  reduced security margin but increased performance.  It can be needed
1602	  in some performance-sensitive scenarios.
1603
1604config CRYPTO_CHACHA20_X86_64
1605	tristate "ChaCha stream cipher algorithms (x86_64/SSSE3/AVX2/AVX-512VL)"
1606	depends on X86 && 64BIT
1607	select CRYPTO_SKCIPHER
1608	select CRYPTO_LIB_CHACHA_GENERIC
1609	select CRYPTO_ARCH_HAVE_LIB_CHACHA
1610	help
1611	  SSSE3, AVX2, and AVX-512VL optimized implementations of the ChaCha20,
1612	  XChaCha20, and XChaCha12 stream ciphers.
1613
1614config CRYPTO_CHACHA_MIPS
1615	tristate "ChaCha stream cipher algorithms (MIPS 32r2 optimized)"
1616	depends on CPU_MIPS32_R2
1617	select CRYPTO_SKCIPHER
1618	select CRYPTO_ARCH_HAVE_LIB_CHACHA
1619
1620config CRYPTO_CHACHA_S390
1621	tristate "ChaCha20 stream cipher"
1622	depends on S390
1623	select CRYPTO_SKCIPHER
1624	select CRYPTO_LIB_CHACHA_GENERIC
1625	select CRYPTO_ARCH_HAVE_LIB_CHACHA
1626	help
1627	  This is the s390 SIMD implementation of the ChaCha20 stream
1628	  cipher (RFC 7539).
1629
1630	  It is available as of z13.
1631
1632config CRYPTO_SEED
1633	tristate "SEED cipher algorithm"
1634	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1635	select CRYPTO_ALGAPI
1636	help
1637	  SEED cipher algorithm (RFC4269).
1638
1639	  SEED is a 128-bit symmetric key block cipher that has been
1640	  developed by KISA (Korea Information Security Agency) as a
1641	  national standard encryption algorithm of the Republic of Korea.
1642	  It is a 16 round block cipher with the key size of 128 bit.
1643
1644	  See also:
1645	  <http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp>
1646
1647config CRYPTO_ARIA
1648	tristate "ARIA cipher algorithm"
1649	select CRYPTO_ALGAPI
1650	help
1651	  ARIA cipher algorithm (RFC5794).
1652
1653	  ARIA is a standard encryption algorithm of the Republic of Korea.
1654	  The ARIA specifies three key sizes and rounds.
1655	  128-bit: 12 rounds.
1656	  192-bit: 14 rounds.
1657	  256-bit: 16 rounds.
1658
1659	  See also:
1660	  <https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do>
1661
1662config CRYPTO_SERPENT
1663	tristate "Serpent cipher algorithm"
1664	select CRYPTO_ALGAPI
1665	help
1666	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1667
1668	  Keys are allowed to be from 0 to 256 bits in length, in steps
1669	  of 8 bits.
1670
1671	  See also:
1672	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1673
1674config CRYPTO_SERPENT_SSE2_X86_64
1675	tristate "Serpent cipher algorithm (x86_64/SSE2)"
1676	depends on X86 && 64BIT
1677	select CRYPTO_SKCIPHER
1678	select CRYPTO_SERPENT
1679	select CRYPTO_SIMD
1680	imply CRYPTO_CTR
1681	help
1682	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1683
1684	  Keys are allowed to be from 0 to 256 bits in length, in steps
1685	  of 8 bits.
1686
1687	  This module provides Serpent cipher algorithm that processes eight
1688	  blocks parallel using SSE2 instruction set.
1689
1690	  See also:
1691	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1692
1693config CRYPTO_SERPENT_SSE2_586
1694	tristate "Serpent cipher algorithm (i586/SSE2)"
1695	depends on X86 && !64BIT
1696	select CRYPTO_SKCIPHER
1697	select CRYPTO_SERPENT
1698	select CRYPTO_SIMD
1699	imply CRYPTO_CTR
1700	help
1701	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1702
1703	  Keys are allowed to be from 0 to 256 bits in length, in steps
1704	  of 8 bits.
1705
1706	  This module provides Serpent cipher algorithm that processes four
1707	  blocks parallel using SSE2 instruction set.
1708
1709	  See also:
1710	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1711
1712config CRYPTO_SERPENT_AVX_X86_64
1713	tristate "Serpent cipher algorithm (x86_64/AVX)"
1714	depends on X86 && 64BIT
1715	select CRYPTO_SKCIPHER
1716	select CRYPTO_SERPENT
1717	select CRYPTO_SIMD
1718	imply CRYPTO_XTS
1719	imply CRYPTO_CTR
1720	help
1721	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1722
1723	  Keys are allowed to be from 0 to 256 bits in length, in steps
1724	  of 8 bits.
1725
1726	  This module provides the Serpent cipher algorithm that processes
1727	  eight blocks parallel using the AVX instruction set.
1728
1729	  See also:
1730	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1731
1732config CRYPTO_SERPENT_AVX2_X86_64
1733	tristate "Serpent cipher algorithm (x86_64/AVX2)"
1734	depends on X86 && 64BIT
1735	select CRYPTO_SERPENT_AVX_X86_64
1736	help
1737	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1738
1739	  Keys are allowed to be from 0 to 256 bits in length, in steps
1740	  of 8 bits.
1741
1742	  This module provides Serpent cipher algorithm that processes 16
1743	  blocks parallel using AVX2 instruction set.
1744
1745	  See also:
1746	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1747
1748config CRYPTO_SM4
1749	tristate
1750
1751config CRYPTO_SM4_GENERIC
1752	tristate "SM4 cipher algorithm"
1753	select CRYPTO_ALGAPI
1754	select CRYPTO_SM4
1755	help
1756	  SM4 cipher algorithms (OSCCA GB/T 32907-2016).
1757
1758	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
1759	  Organization of State Commercial Administration of China (OSCCA)
1760	  as an authorized cryptographic algorithms for the use within China.
1761
1762	  SMS4 was originally created for use in protecting wireless
1763	  networks, and is mandated in the Chinese National Standard for
1764	  Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
1765	  (GB.15629.11-2003).
1766
1767	  The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
1768	  standardized through TC 260 of the Standardization Administration
1769	  of the People's Republic of China (SAC).
1770
1771	  The input, output, and key of SMS4 are each 128 bits.
1772
1773	  See also: <https://eprint.iacr.org/2008/329.pdf>
1774
1775	  If unsure, say N.
1776
1777config CRYPTO_SM4_AESNI_AVX_X86_64
1778	tristate "SM4 cipher algorithm (x86_64/AES-NI/AVX)"
1779	depends on X86 && 64BIT
1780	select CRYPTO_SKCIPHER
1781	select CRYPTO_SIMD
1782	select CRYPTO_ALGAPI
1783	select CRYPTO_SM4
1784	help
1785	  SM4 cipher algorithms (OSCCA GB/T 32907-2016) (x86_64/AES-NI/AVX).
1786
1787	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
1788	  Organization of State Commercial Administration of China (OSCCA)
1789	  as an authorized cryptographic algorithms for the use within China.
1790
1791	  This is SM4 optimized implementation using AES-NI/AVX/x86_64
1792	  instruction set for block cipher. Through two affine transforms,
1793	  we can use the AES S-Box to simulate the SM4 S-Box to achieve the
1794	  effect of instruction acceleration.
1795
1796	  If unsure, say N.
1797
1798config CRYPTO_SM4_AESNI_AVX2_X86_64
1799	tristate "SM4 cipher algorithm (x86_64/AES-NI/AVX2)"
1800	depends on X86 && 64BIT
1801	select CRYPTO_SKCIPHER
1802	select CRYPTO_SIMD
1803	select CRYPTO_ALGAPI
1804	select CRYPTO_SM4
1805	select CRYPTO_SM4_AESNI_AVX_X86_64
1806	help
1807	  SM4 cipher algorithms (OSCCA GB/T 32907-2016) (x86_64/AES-NI/AVX2).
1808
1809	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
1810	  Organization of State Commercial Administration of China (OSCCA)
1811	  as an authorized cryptographic algorithms for the use within China.
1812
1813	  This is SM4 optimized implementation using AES-NI/AVX2/x86_64
1814	  instruction set for block cipher. Through two affine transforms,
1815	  we can use the AES S-Box to simulate the SM4 S-Box to achieve the
1816	  effect of instruction acceleration.
1817
1818	  If unsure, say N.
1819
1820config CRYPTO_TEA
1821	tristate "TEA, XTEA and XETA cipher algorithms"
1822	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1823	select CRYPTO_ALGAPI
1824	help
1825	  TEA cipher algorithm.
1826
1827	  Tiny Encryption Algorithm is a simple cipher that uses
1828	  many rounds for security.  It is very fast and uses
1829	  little memory.
1830
1831	  Xtendend Tiny Encryption Algorithm is a modification to
1832	  the TEA algorithm to address a potential key weakness
1833	  in the TEA algorithm.
1834
1835	  Xtendend Encryption Tiny Algorithm is a mis-implementation
1836	  of the XTEA algorithm for compatibility purposes.
1837
1838config CRYPTO_TWOFISH
1839	tristate "Twofish cipher algorithm"
1840	select CRYPTO_ALGAPI
1841	select CRYPTO_TWOFISH_COMMON
1842	help
1843	  Twofish cipher algorithm.
1844
1845	  Twofish was submitted as an AES (Advanced Encryption Standard)
1846	  candidate cipher by researchers at CounterPane Systems.  It is a
1847	  16 round block cipher supporting key sizes of 128, 192, and 256
1848	  bits.
1849
1850	  See also:
1851	  <https://www.schneier.com/twofish.html>
1852
1853config CRYPTO_TWOFISH_COMMON
1854	tristate
1855	help
1856	  Common parts of the Twofish cipher algorithm shared by the
1857	  generic c and the assembler implementations.
1858
1859config CRYPTO_TWOFISH_586
1860	tristate "Twofish cipher algorithms (i586)"
1861	depends on (X86 || UML_X86) && !64BIT
1862	select CRYPTO_ALGAPI
1863	select CRYPTO_TWOFISH_COMMON
1864	imply CRYPTO_CTR
1865	help
1866	  Twofish cipher algorithm.
1867
1868	  Twofish was submitted as an AES (Advanced Encryption Standard)
1869	  candidate cipher by researchers at CounterPane Systems.  It is a
1870	  16 round block cipher supporting key sizes of 128, 192, and 256
1871	  bits.
1872
1873	  See also:
1874	  <https://www.schneier.com/twofish.html>
1875
1876config CRYPTO_TWOFISH_X86_64
1877	tristate "Twofish cipher algorithm (x86_64)"
1878	depends on (X86 || UML_X86) && 64BIT
1879	select CRYPTO_ALGAPI
1880	select CRYPTO_TWOFISH_COMMON
1881	imply CRYPTO_CTR
1882	help
1883	  Twofish cipher algorithm (x86_64).
1884
1885	  Twofish was submitted as an AES (Advanced Encryption Standard)
1886	  candidate cipher by researchers at CounterPane Systems.  It is a
1887	  16 round block cipher supporting key sizes of 128, 192, and 256
1888	  bits.
1889
1890	  See also:
1891	  <https://www.schneier.com/twofish.html>
1892
1893config CRYPTO_TWOFISH_X86_64_3WAY
1894	tristate "Twofish cipher algorithm (x86_64, 3-way parallel)"
1895	depends on X86 && 64BIT
1896	select CRYPTO_SKCIPHER
1897	select CRYPTO_TWOFISH_COMMON
1898	select CRYPTO_TWOFISH_X86_64
1899	help
1900	  Twofish cipher algorithm (x86_64, 3-way parallel).
1901
1902	  Twofish was submitted as an AES (Advanced Encryption Standard)
1903	  candidate cipher by researchers at CounterPane Systems.  It is a
1904	  16 round block cipher supporting key sizes of 128, 192, and 256
1905	  bits.
1906
1907	  This module provides Twofish cipher algorithm that processes three
1908	  blocks parallel, utilizing resources of out-of-order CPUs better.
1909
1910	  See also:
1911	  <https://www.schneier.com/twofish.html>
1912
1913config CRYPTO_TWOFISH_AVX_X86_64
1914	tristate "Twofish cipher algorithm (x86_64/AVX)"
1915	depends on X86 && 64BIT
1916	select CRYPTO_SKCIPHER
1917	select CRYPTO_SIMD
1918	select CRYPTO_TWOFISH_COMMON
1919	select CRYPTO_TWOFISH_X86_64
1920	select CRYPTO_TWOFISH_X86_64_3WAY
1921	imply CRYPTO_XTS
1922	help
1923	  Twofish cipher algorithm (x86_64/AVX).
1924
1925	  Twofish was submitted as an AES (Advanced Encryption Standard)
1926	  candidate cipher by researchers at CounterPane Systems.  It is a
1927	  16 round block cipher supporting key sizes of 128, 192, and 256
1928	  bits.
1929
1930	  This module provides the Twofish cipher algorithm that processes
1931	  eight blocks parallel using the AVX Instruction Set.
1932
1933	  See also:
1934	  <https://www.schneier.com/twofish.html>
1935
1936comment "Compression"
1937
1938config CRYPTO_DEFLATE
1939	tristate "Deflate compression algorithm"
1940	select CRYPTO_ALGAPI
1941	select CRYPTO_ACOMP2
1942	select ZLIB_INFLATE
1943	select ZLIB_DEFLATE
1944	help
1945	  This is the Deflate algorithm (RFC1951), specified for use in
1946	  IPSec with the IPCOMP protocol (RFC3173, RFC2394).
1947
1948	  You will most probably want this if using IPSec.
1949
1950config CRYPTO_LZO
1951	tristate "LZO compression algorithm"
1952	select CRYPTO_ALGAPI
1953	select CRYPTO_ACOMP2
1954	select LZO_COMPRESS
1955	select LZO_DECOMPRESS
1956	help
1957	  This is the LZO algorithm.
1958
1959config CRYPTO_842
1960	tristate "842 compression algorithm"
1961	select CRYPTO_ALGAPI
1962	select CRYPTO_ACOMP2
1963	select 842_COMPRESS
1964	select 842_DECOMPRESS
1965	help
1966	  This is the 842 algorithm.
1967
1968config CRYPTO_LZ4
1969	tristate "LZ4 compression algorithm"
1970	select CRYPTO_ALGAPI
1971	select CRYPTO_ACOMP2
1972	select LZ4_COMPRESS
1973	select LZ4_DECOMPRESS
1974	help
1975	  This is the LZ4 algorithm.
1976
1977config CRYPTO_LZ4HC
1978	tristate "LZ4HC compression algorithm"
1979	select CRYPTO_ALGAPI
1980	select CRYPTO_ACOMP2
1981	select LZ4HC_COMPRESS
1982	select LZ4_DECOMPRESS
1983	help
1984	  This is the LZ4 high compression mode algorithm.
1985
1986config CRYPTO_ZSTD
1987	tristate "Zstd compression algorithm"
1988	select CRYPTO_ALGAPI
1989	select CRYPTO_ACOMP2
1990	select ZSTD_COMPRESS
1991	select ZSTD_DECOMPRESS
1992	help
1993	  This is the zstd algorithm.
1994
1995comment "Random Number Generation"
1996
1997config CRYPTO_ANSI_CPRNG
1998	tristate "Pseudo Random Number Generation for Cryptographic modules"
1999	select CRYPTO_AES
2000	select CRYPTO_RNG
2001	help
2002	  This option enables the generic pseudo random number generator
2003	  for cryptographic modules.  Uses the Algorithm specified in
2004	  ANSI X9.31 A.2.4. Note that this option must be enabled if
2005	  CRYPTO_FIPS is selected
2006
2007menuconfig CRYPTO_DRBG_MENU
2008	tristate "NIST SP800-90A DRBG"
2009	help
2010	  NIST SP800-90A compliant DRBG. In the following submenu, one or
2011	  more of the DRBG types must be selected.
2012
2013if CRYPTO_DRBG_MENU
2014
2015config CRYPTO_DRBG_HMAC
2016	bool
2017	default y
2018	select CRYPTO_HMAC
2019	select CRYPTO_SHA512
2020
2021config CRYPTO_DRBG_HASH
2022	bool "Enable Hash DRBG"
2023	select CRYPTO_SHA256
2024	help
2025	  Enable the Hash DRBG variant as defined in NIST SP800-90A.
2026
2027config CRYPTO_DRBG_CTR
2028	bool "Enable CTR DRBG"
2029	select CRYPTO_AES
2030	select CRYPTO_CTR
2031	help
2032	  Enable the CTR DRBG variant as defined in NIST SP800-90A.
2033
2034config CRYPTO_DRBG
2035	tristate
2036	default CRYPTO_DRBG_MENU
2037	select CRYPTO_RNG
2038	select CRYPTO_JITTERENTROPY
2039
2040endif	# if CRYPTO_DRBG_MENU
2041
2042config CRYPTO_JITTERENTROPY
2043	tristate "Jitterentropy Non-Deterministic Random Number Generator"
2044	select CRYPTO_RNG
2045	help
2046	  The Jitterentropy RNG is a noise that is intended
2047	  to provide seed to another RNG. The RNG does not
2048	  perform any cryptographic whitening of the generated
2049	  random numbers. This Jitterentropy RNG registers with
2050	  the kernel crypto API and can be used by any caller.
2051
2052config CRYPTO_KDF800108_CTR
2053	tristate
2054	select CRYPTO_HMAC
2055	select CRYPTO_SHA256
2056
2057config CRYPTO_USER_API
2058	tristate
2059
2060config CRYPTO_USER_API_HASH
2061	tristate "User-space interface for hash algorithms"
2062	depends on NET
2063	select CRYPTO_HASH
2064	select CRYPTO_USER_API
2065	help
2066	  This option enables the user-spaces interface for hash
2067	  algorithms.
2068
2069config CRYPTO_USER_API_SKCIPHER
2070	tristate "User-space interface for symmetric key cipher algorithms"
2071	depends on NET
2072	select CRYPTO_SKCIPHER
2073	select CRYPTO_USER_API
2074	help
2075	  This option enables the user-spaces interface for symmetric
2076	  key cipher algorithms.
2077
2078config CRYPTO_USER_API_RNG
2079	tristate "User-space interface for random number generator algorithms"
2080	depends on NET
2081	select CRYPTO_RNG
2082	select CRYPTO_USER_API
2083	help
2084	  This option enables the user-spaces interface for random
2085	  number generator algorithms.
2086
2087config CRYPTO_USER_API_RNG_CAVP
2088	bool "Enable CAVP testing of DRBG"
2089	depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
2090	help
2091	  This option enables extra API for CAVP testing via the user-space
2092	  interface: resetting of DRBG entropy, and providing Additional Data.
2093	  This should only be enabled for CAVP testing. You should say
2094	  no unless you know what this is.
2095
2096config CRYPTO_USER_API_AEAD
2097	tristate "User-space interface for AEAD cipher algorithms"
2098	depends on NET
2099	select CRYPTO_AEAD
2100	select CRYPTO_SKCIPHER
2101	select CRYPTO_NULL
2102	select CRYPTO_USER_API
2103	help
2104	  This option enables the user-spaces interface for AEAD
2105	  cipher algorithms.
2106
2107config CRYPTO_USER_API_ENABLE_OBSOLETE
2108	bool "Enable obsolete cryptographic algorithms for userspace"
2109	depends on CRYPTO_USER_API
2110	default y
2111	help
2112	  Allow obsolete cryptographic algorithms to be selected that have
2113	  already been phased out from internal use by the kernel, and are
2114	  only useful for userspace clients that still rely on them.
2115
2116config CRYPTO_STATS
2117	bool "Crypto usage statistics for User-space"
2118	depends on CRYPTO_USER
2119	help
2120	  This option enables the gathering of crypto stats.
2121	  This will collect:
2122	  - encrypt/decrypt size and numbers of symmeric operations
2123	  - compress/decompress size and numbers of compress operations
2124	  - size and numbers of hash operations
2125	  - encrypt/decrypt/sign/verify numbers for asymmetric operations
2126	  - generate/seed numbers for rng operations
2127
2128config CRYPTO_HASH_INFO
2129	bool
2130
2131source "drivers/crypto/Kconfig"
2132source "crypto/asymmetric_keys/Kconfig"
2133source "certs/Kconfig"
2134
2135endif	# if CRYPTO
2136