xref: /openbmc/linux/crypto/Kconfig (revision dd1fc3c5)
1# SPDX-License-Identifier: GPL-2.0
2#
3# Generic algorithms support
4#
5config XOR_BLOCKS
6	tristate
7
8#
9# async_tx api: hardware offloaded memory transfer/transform support
10#
11source "crypto/async_tx/Kconfig"
12
13#
14# Cryptographic API Configuration
15#
16menuconfig CRYPTO
17	tristate "Cryptographic API"
18	help
19	  This option provides the core Cryptographic API.
20
21if CRYPTO
22
23comment "Crypto core or helper"
24
25config CRYPTO_FIPS
26	bool "FIPS 200 compliance"
27	depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
28	depends on (MODULE_SIG || !MODULES)
29	help
30	  This option enables the fips boot option which is
31	  required if you want the system to operate in a FIPS 200
32	  certification.  You should say no unless you know what
33	  this is.
34
35config CRYPTO_ALGAPI
36	tristate
37	select CRYPTO_ALGAPI2
38	help
39	  This option provides the API for cryptographic algorithms.
40
41config CRYPTO_ALGAPI2
42	tristate
43
44config CRYPTO_AEAD
45	tristate
46	select CRYPTO_AEAD2
47	select CRYPTO_ALGAPI
48
49config CRYPTO_AEAD2
50	tristate
51	select CRYPTO_ALGAPI2
52	select CRYPTO_NULL2
53	select CRYPTO_RNG2
54
55config CRYPTO_SKCIPHER
56	tristate
57	select CRYPTO_SKCIPHER2
58	select CRYPTO_ALGAPI
59
60config CRYPTO_SKCIPHER2
61	tristate
62	select CRYPTO_ALGAPI2
63	select CRYPTO_RNG2
64
65config CRYPTO_HASH
66	tristate
67	select CRYPTO_HASH2
68	select CRYPTO_ALGAPI
69
70config CRYPTO_HASH2
71	tristate
72	select CRYPTO_ALGAPI2
73
74config CRYPTO_RNG
75	tristate
76	select CRYPTO_RNG2
77	select CRYPTO_ALGAPI
78
79config CRYPTO_RNG2
80	tristate
81	select CRYPTO_ALGAPI2
82
83config CRYPTO_RNG_DEFAULT
84	tristate
85	select CRYPTO_DRBG_MENU
86
87config CRYPTO_AKCIPHER2
88	tristate
89	select CRYPTO_ALGAPI2
90
91config CRYPTO_AKCIPHER
92	tristate
93	select CRYPTO_AKCIPHER2
94	select CRYPTO_ALGAPI
95
96config CRYPTO_KPP2
97	tristate
98	select CRYPTO_ALGAPI2
99
100config CRYPTO_KPP
101	tristate
102	select CRYPTO_ALGAPI
103	select CRYPTO_KPP2
104
105config CRYPTO_ACOMP2
106	tristate
107	select CRYPTO_ALGAPI2
108	select SGL_ALLOC
109
110config CRYPTO_ACOMP
111	tristate
112	select CRYPTO_ALGAPI
113	select CRYPTO_ACOMP2
114
115config CRYPTO_MANAGER
116	tristate "Cryptographic algorithm manager"
117	select CRYPTO_MANAGER2
118	help
119	  Create default cryptographic template instantiations such as
120	  cbc(aes).
121
122config CRYPTO_MANAGER2
123	def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
124	select CRYPTO_AEAD2
125	select CRYPTO_HASH2
126	select CRYPTO_SKCIPHER2
127	select CRYPTO_AKCIPHER2
128	select CRYPTO_KPP2
129	select CRYPTO_ACOMP2
130
131config CRYPTO_USER
132	tristate "Userspace cryptographic algorithm configuration"
133	depends on NET
134	select CRYPTO_MANAGER
135	help
136	  Userspace configuration for cryptographic instantiations such as
137	  cbc(aes).
138
139config CRYPTO_MANAGER_DISABLE_TESTS
140	bool "Disable run-time self tests"
141	default y
142	help
143	  Disable run-time self tests that normally take place at
144	  algorithm registration.
145
146config CRYPTO_MANAGER_EXTRA_TESTS
147	bool "Enable extra run-time crypto self tests"
148	depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER
149	help
150	  Enable extra run-time self tests of registered crypto algorithms,
151	  including randomized fuzz tests.
152
153	  This is intended for developer use only, as these tests take much
154	  longer to run than the normal self tests.
155
156config CRYPTO_GF128MUL
157	tristate
158
159config CRYPTO_NULL
160	tristate "Null algorithms"
161	select CRYPTO_NULL2
162	help
163	  These are 'Null' algorithms, used by IPsec, which do nothing.
164
165config CRYPTO_NULL2
166	tristate
167	select CRYPTO_ALGAPI2
168	select CRYPTO_SKCIPHER2
169	select CRYPTO_HASH2
170
171config CRYPTO_PCRYPT
172	tristate "Parallel crypto engine"
173	depends on SMP
174	select PADATA
175	select CRYPTO_MANAGER
176	select CRYPTO_AEAD
177	help
178	  This converts an arbitrary crypto algorithm into a parallel
179	  algorithm that executes in kernel threads.
180
181config CRYPTO_CRYPTD
182	tristate "Software async crypto daemon"
183	select CRYPTO_SKCIPHER
184	select CRYPTO_HASH
185	select CRYPTO_MANAGER
186	help
187	  This is a generic software asynchronous crypto daemon that
188	  converts an arbitrary synchronous software crypto algorithm
189	  into an asynchronous algorithm that executes in a kernel thread.
190
191config CRYPTO_AUTHENC
192	tristate "Authenc support"
193	select CRYPTO_AEAD
194	select CRYPTO_SKCIPHER
195	select CRYPTO_MANAGER
196	select CRYPTO_HASH
197	select CRYPTO_NULL
198	help
199	  Authenc: Combined mode wrapper for IPsec.
200	  This is required for IPSec.
201
202config CRYPTO_TEST
203	tristate "Testing module"
204	depends on m || EXPERT
205	select CRYPTO_MANAGER
206	help
207	  Quick & dirty crypto test module.
208
209config CRYPTO_SIMD
210	tristate
211	select CRYPTO_CRYPTD
212
213config CRYPTO_ENGINE
214	tristate
215
216comment "Public-key cryptography"
217
218config CRYPTO_RSA
219	tristate "RSA algorithm"
220	select CRYPTO_AKCIPHER
221	select CRYPTO_MANAGER
222	select MPILIB
223	select ASN1
224	help
225	  Generic implementation of the RSA public key algorithm.
226
227config CRYPTO_DH
228	tristate "Diffie-Hellman algorithm"
229	select CRYPTO_KPP
230	select MPILIB
231	help
232	  Generic implementation of the Diffie-Hellman algorithm.
233
234config CRYPTO_ECC
235	tristate
236
237config CRYPTO_ECDH
238	tristate "ECDH algorithm"
239	select CRYPTO_ECC
240	select CRYPTO_KPP
241	select CRYPTO_RNG_DEFAULT
242	help
243	  Generic implementation of the ECDH algorithm
244
245config CRYPTO_ECDSA
246	tristate "ECDSA (NIST P192, P256 etc.) algorithm"
247	select CRYPTO_ECC
248	select CRYPTO_AKCIPHER
249	select ASN1
250	help
251	  Elliptic Curve Digital Signature Algorithm (NIST P192, P256 etc.)
252	  is A NIST cryptographic standard algorithm. Only signature verification
253	  is implemented.
254
255config CRYPTO_ECRDSA
256	tristate "EC-RDSA (GOST 34.10) algorithm"
257	select CRYPTO_ECC
258	select CRYPTO_AKCIPHER
259	select CRYPTO_STREEBOG
260	select OID_REGISTRY
261	select ASN1
262	help
263	  Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
264	  RFC 7091, ISO/IEC 14888-3:2018) is one of the Russian cryptographic
265	  standard algorithms (called GOST algorithms). Only signature verification
266	  is implemented.
267
268config CRYPTO_SM2
269	tristate "SM2 algorithm"
270	select CRYPTO_SM3
271	select CRYPTO_AKCIPHER
272	select CRYPTO_MANAGER
273	select MPILIB
274	select ASN1
275	help
276	  Generic implementation of the SM2 public key algorithm. It was
277	  published by State Encryption Management Bureau, China.
278	  as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012.
279
280	  References:
281	  https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02
282	  http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml
283	  http://www.gmbz.org.cn/main/bzlb.html
284
285config CRYPTO_CURVE25519
286	tristate "Curve25519 algorithm"
287	select CRYPTO_KPP
288	select CRYPTO_LIB_CURVE25519_GENERIC
289
290config CRYPTO_CURVE25519_X86
291	tristate "x86_64 accelerated Curve25519 scalar multiplication library"
292	depends on X86 && 64BIT
293	select CRYPTO_LIB_CURVE25519_GENERIC
294	select CRYPTO_ARCH_HAVE_LIB_CURVE25519
295
296comment "Authenticated Encryption with Associated Data"
297
298config CRYPTO_CCM
299	tristate "CCM support"
300	select CRYPTO_CTR
301	select CRYPTO_HASH
302	select CRYPTO_AEAD
303	select CRYPTO_MANAGER
304	help
305	  Support for Counter with CBC MAC. Required for IPsec.
306
307config CRYPTO_GCM
308	tristate "GCM/GMAC support"
309	select CRYPTO_CTR
310	select CRYPTO_AEAD
311	select CRYPTO_GHASH
312	select CRYPTO_NULL
313	select CRYPTO_MANAGER
314	help
315	  Support for Galois/Counter Mode (GCM) and Galois Message
316	  Authentication Code (GMAC). Required for IPSec.
317
318config CRYPTO_CHACHA20POLY1305
319	tristate "ChaCha20-Poly1305 AEAD support"
320	select CRYPTO_CHACHA20
321	select CRYPTO_POLY1305
322	select CRYPTO_AEAD
323	select CRYPTO_MANAGER
324	help
325	  ChaCha20-Poly1305 AEAD support, RFC7539.
326
327	  Support for the AEAD wrapper using the ChaCha20 stream cipher combined
328	  with the Poly1305 authenticator. It is defined in RFC7539 for use in
329	  IETF protocols.
330
331config CRYPTO_AEGIS128
332	tristate "AEGIS-128 AEAD algorithm"
333	select CRYPTO_AEAD
334	select CRYPTO_AES  # for AES S-box tables
335	help
336	 Support for the AEGIS-128 dedicated AEAD algorithm.
337
338config CRYPTO_AEGIS128_SIMD
339	bool "Support SIMD acceleration for AEGIS-128"
340	depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
341	default y
342
343config CRYPTO_AEGIS128_AESNI_SSE2
344	tristate "AEGIS-128 AEAD algorithm (x86_64 AESNI+SSE2 implementation)"
345	depends on X86 && 64BIT
346	select CRYPTO_AEAD
347	select CRYPTO_SIMD
348	help
349	 AESNI+SSE2 implementation of the AEGIS-128 dedicated AEAD algorithm.
350
351config CRYPTO_SEQIV
352	tristate "Sequence Number IV Generator"
353	select CRYPTO_AEAD
354	select CRYPTO_SKCIPHER
355	select CRYPTO_NULL
356	select CRYPTO_RNG_DEFAULT
357	select CRYPTO_MANAGER
358	help
359	  This IV generator generates an IV based on a sequence number by
360	  xoring it with a salt.  This algorithm is mainly useful for CTR
361
362config CRYPTO_ECHAINIV
363	tristate "Encrypted Chain IV Generator"
364	select CRYPTO_AEAD
365	select CRYPTO_NULL
366	select CRYPTO_RNG_DEFAULT
367	select CRYPTO_MANAGER
368	help
369	  This IV generator generates an IV based on the encryption of
370	  a sequence number xored with a salt.  This is the default
371	  algorithm for CBC.
372
373comment "Block modes"
374
375config CRYPTO_CBC
376	tristate "CBC support"
377	select CRYPTO_SKCIPHER
378	select CRYPTO_MANAGER
379	help
380	  CBC: Cipher Block Chaining mode
381	  This block cipher algorithm is required for IPSec.
382
383config CRYPTO_CFB
384	tristate "CFB support"
385	select CRYPTO_SKCIPHER
386	select CRYPTO_MANAGER
387	help
388	  CFB: Cipher FeedBack mode
389	  This block cipher algorithm is required for TPM2 Cryptography.
390
391config CRYPTO_CTR
392	tristate "CTR support"
393	select CRYPTO_SKCIPHER
394	select CRYPTO_MANAGER
395	help
396	  CTR: Counter mode
397	  This block cipher algorithm is required for IPSec.
398
399config CRYPTO_CTS
400	tristate "CTS support"
401	select CRYPTO_SKCIPHER
402	select CRYPTO_MANAGER
403	help
404	  CTS: Cipher Text Stealing
405	  This is the Cipher Text Stealing mode as described by
406	  Section 8 of rfc2040 and referenced by rfc3962
407	  (rfc3962 includes errata information in its Appendix A) or
408	  CBC-CS3 as defined by NIST in Sp800-38A addendum from Oct 2010.
409	  This mode is required for Kerberos gss mechanism support
410	  for AES encryption.
411
412	  See: https://csrc.nist.gov/publications/detail/sp/800-38a/addendum/final
413
414config CRYPTO_ECB
415	tristate "ECB support"
416	select CRYPTO_SKCIPHER
417	select CRYPTO_MANAGER
418	help
419	  ECB: Electronic CodeBook mode
420	  This is the simplest block cipher algorithm.  It simply encrypts
421	  the input block by block.
422
423config CRYPTO_LRW
424	tristate "LRW support"
425	select CRYPTO_SKCIPHER
426	select CRYPTO_MANAGER
427	select CRYPTO_GF128MUL
428	help
429	  LRW: Liskov Rivest Wagner, a tweakable, non malleable, non movable
430	  narrow block cipher mode for dm-crypt.  Use it with cipher
431	  specification string aes-lrw-benbi, the key must be 256, 320 or 384.
432	  The first 128, 192 or 256 bits in the key are used for AES and the
433	  rest is used to tie each cipher block to its logical position.
434
435config CRYPTO_OFB
436	tristate "OFB support"
437	select CRYPTO_SKCIPHER
438	select CRYPTO_MANAGER
439	help
440	  OFB: the Output Feedback mode makes a block cipher into a synchronous
441	  stream cipher. It generates keystream blocks, which are then XORed
442	  with the plaintext blocks to get the ciphertext. Flipping a bit in the
443	  ciphertext produces a flipped bit in the plaintext at the same
444	  location. This property allows many error correcting codes to function
445	  normally even when applied before encryption.
446
447config CRYPTO_PCBC
448	tristate "PCBC support"
449	select CRYPTO_SKCIPHER
450	select CRYPTO_MANAGER
451	help
452	  PCBC: Propagating Cipher Block Chaining mode
453	  This block cipher algorithm is required for RxRPC.
454
455config CRYPTO_XTS
456	tristate "XTS support"
457	select CRYPTO_SKCIPHER
458	select CRYPTO_MANAGER
459	select CRYPTO_ECB
460	help
461	  XTS: IEEE1619/D16 narrow block cipher use with aes-xts-plain,
462	  key size 256, 384 or 512 bits. This implementation currently
463	  can't handle a sectorsize which is not a multiple of 16 bytes.
464
465config CRYPTO_KEYWRAP
466	tristate "Key wrapping support"
467	select CRYPTO_SKCIPHER
468	select CRYPTO_MANAGER
469	help
470	  Support for key wrapping (NIST SP800-38F / RFC3394) without
471	  padding.
472
473config CRYPTO_NHPOLY1305
474	tristate
475	select CRYPTO_HASH
476	select CRYPTO_LIB_POLY1305_GENERIC
477
478config CRYPTO_NHPOLY1305_SSE2
479	tristate "NHPoly1305 hash function (x86_64 SSE2 implementation)"
480	depends on X86 && 64BIT
481	select CRYPTO_NHPOLY1305
482	help
483	  SSE2 optimized implementation of the hash function used by the
484	  Adiantum encryption mode.
485
486config CRYPTO_NHPOLY1305_AVX2
487	tristate "NHPoly1305 hash function (x86_64 AVX2 implementation)"
488	depends on X86 && 64BIT
489	select CRYPTO_NHPOLY1305
490	help
491	  AVX2 optimized implementation of the hash function used by the
492	  Adiantum encryption mode.
493
494config CRYPTO_ADIANTUM
495	tristate "Adiantum support"
496	select CRYPTO_CHACHA20
497	select CRYPTO_LIB_POLY1305_GENERIC
498	select CRYPTO_NHPOLY1305
499	select CRYPTO_MANAGER
500	help
501	  Adiantum is a tweakable, length-preserving encryption mode
502	  designed for fast and secure disk encryption, especially on
503	  CPUs without dedicated crypto instructions.  It encrypts
504	  each sector using the XChaCha12 stream cipher, two passes of
505	  an ε-almost-∆-universal hash function, and an invocation of
506	  the AES-256 block cipher on a single 16-byte block.  On CPUs
507	  without AES instructions, Adiantum is much faster than
508	  AES-XTS.
509
510	  Adiantum's security is provably reducible to that of its
511	  underlying stream and block ciphers, subject to a security
512	  bound.  Unlike XTS, Adiantum is a true wide-block encryption
513	  mode, so it actually provides an even stronger notion of
514	  security than XTS, subject to the security bound.
515
516	  If unsure, say N.
517
518config CRYPTO_ESSIV
519	tristate "ESSIV support for block encryption"
520	select CRYPTO_AUTHENC
521	help
522	  Encrypted salt-sector initialization vector (ESSIV) is an IV
523	  generation method that is used in some cases by fscrypt and/or
524	  dm-crypt. It uses the hash of the block encryption key as the
525	  symmetric key for a block encryption pass applied to the input
526	  IV, making low entropy IV sources more suitable for block
527	  encryption.
528
529	  This driver implements a crypto API template that can be
530	  instantiated either as an skcipher or as an AEAD (depending on the
531	  type of the first template argument), and which defers encryption
532	  and decryption requests to the encapsulated cipher after applying
533	  ESSIV to the input IV. Note that in the AEAD case, it is assumed
534	  that the keys are presented in the same format used by the authenc
535	  template, and that the IV appears at the end of the authenticated
536	  associated data (AAD) region (which is how dm-crypt uses it.)
537
538	  Note that the use of ESSIV is not recommended for new deployments,
539	  and so this only needs to be enabled when interoperability with
540	  existing encrypted volumes of filesystems is required, or when
541	  building for a particular system that requires it (e.g., when
542	  the SoC in question has accelerated CBC but not XTS, making CBC
543	  combined with ESSIV the only feasible mode for h/w accelerated
544	  block encryption)
545
546comment "Hash modes"
547
548config CRYPTO_CMAC
549	tristate "CMAC support"
550	select CRYPTO_HASH
551	select CRYPTO_MANAGER
552	help
553	  Cipher-based Message Authentication Code (CMAC) specified by
554	  The National Institute of Standards and Technology (NIST).
555
556	  https://tools.ietf.org/html/rfc4493
557	  http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf
558
559config CRYPTO_HMAC
560	tristate "HMAC support"
561	select CRYPTO_HASH
562	select CRYPTO_MANAGER
563	help
564	  HMAC: Keyed-Hashing for Message Authentication (RFC2104).
565	  This is required for IPSec.
566
567config CRYPTO_XCBC
568	tristate "XCBC support"
569	select CRYPTO_HASH
570	select CRYPTO_MANAGER
571	help
572	  XCBC: Keyed-Hashing with encryption algorithm
573		https://www.ietf.org/rfc/rfc3566.txt
574		http://csrc.nist.gov/encryption/modes/proposedmodes/
575		 xcbc-mac/xcbc-mac-spec.pdf
576
577config CRYPTO_VMAC
578	tristate "VMAC support"
579	select CRYPTO_HASH
580	select CRYPTO_MANAGER
581	help
582	  VMAC is a message authentication algorithm designed for
583	  very high speed on 64-bit architectures.
584
585	  See also:
586	  <https://fastcrypto.org/vmac>
587
588comment "Digest"
589
590config CRYPTO_CRC32C
591	tristate "CRC32c CRC algorithm"
592	select CRYPTO_HASH
593	select CRC32
594	help
595	  Castagnoli, et al Cyclic Redundancy-Check Algorithm.  Used
596	  by iSCSI for header and data digests and by others.
597	  See Castagnoli93.  Module will be crc32c.
598
599config CRYPTO_CRC32C_INTEL
600	tristate "CRC32c INTEL hardware acceleration"
601	depends on X86
602	select CRYPTO_HASH
603	help
604	  In Intel processor with SSE4.2 supported, the processor will
605	  support CRC32C implementation using hardware accelerated CRC32
606	  instruction. This option will create 'crc32c-intel' module,
607	  which will enable any routine to use the CRC32 instruction to
608	  gain performance compared with software implementation.
609	  Module will be crc32c-intel.
610
611config CRYPTO_CRC32C_VPMSUM
612	tristate "CRC32c CRC algorithm (powerpc64)"
613	depends on PPC64 && ALTIVEC
614	select CRYPTO_HASH
615	select CRC32
616	help
617	  CRC32c algorithm implemented using vector polynomial multiply-sum
618	  (vpmsum) instructions, introduced in POWER8. Enable on POWER8
619	  and newer processors for improved performance.
620
621
622config CRYPTO_CRC32C_SPARC64
623	tristate "CRC32c CRC algorithm (SPARC64)"
624	depends on SPARC64
625	select CRYPTO_HASH
626	select CRC32
627	help
628	  CRC32c CRC algorithm implemented using sparc64 crypto instructions,
629	  when available.
630
631config CRYPTO_CRC32
632	tristate "CRC32 CRC algorithm"
633	select CRYPTO_HASH
634	select CRC32
635	help
636	  CRC-32-IEEE 802.3 cyclic redundancy-check algorithm.
637	  Shash crypto api wrappers to crc32_le function.
638
639config CRYPTO_CRC32_PCLMUL
640	tristate "CRC32 PCLMULQDQ hardware acceleration"
641	depends on X86
642	select CRYPTO_HASH
643	select CRC32
644	help
645	  From Intel Westmere and AMD Bulldozer processor with SSE4.2
646	  and PCLMULQDQ supported, the processor will support
647	  CRC32 PCLMULQDQ implementation using hardware accelerated PCLMULQDQ
648	  instruction. This option will create 'crc32-pclmul' module,
649	  which will enable any routine to use the CRC-32-IEEE 802.3 checksum
650	  and gain better performance as compared with the table implementation.
651
652config CRYPTO_CRC32_MIPS
653	tristate "CRC32c and CRC32 CRC algorithm (MIPS)"
654	depends on MIPS_CRC_SUPPORT
655	select CRYPTO_HASH
656	help
657	  CRC32c and CRC32 CRC algorithms implemented using mips crypto
658	  instructions, when available.
659
660
661config CRYPTO_XXHASH
662	tristate "xxHash hash algorithm"
663	select CRYPTO_HASH
664	select XXHASH
665	help
666	  xxHash non-cryptographic hash algorithm. Extremely fast, working at
667	  speeds close to RAM limits.
668
669config CRYPTO_BLAKE2B
670	tristate "BLAKE2b digest algorithm"
671	select CRYPTO_HASH
672	help
673	  Implementation of cryptographic hash function BLAKE2b (or just BLAKE2),
674	  optimized for 64bit platforms and can produce digests of any size
675	  between 1 to 64.  The keyed hash is also implemented.
676
677	  This module provides the following algorithms:
678
679	  - blake2b-160
680	  - blake2b-256
681	  - blake2b-384
682	  - blake2b-512
683
684	  See https://blake2.net for further information.
685
686config CRYPTO_BLAKE2S
687	tristate "BLAKE2s digest algorithm"
688	select CRYPTO_LIB_BLAKE2S_GENERIC
689	select CRYPTO_HASH
690	help
691	  Implementation of cryptographic hash function BLAKE2s
692	  optimized for 8-32bit platforms and can produce digests of any size
693	  between 1 to 32.  The keyed hash is also implemented.
694
695	  This module provides the following algorithms:
696
697	  - blake2s-128
698	  - blake2s-160
699	  - blake2s-224
700	  - blake2s-256
701
702	  See https://blake2.net for further information.
703
704config CRYPTO_BLAKE2S_X86
705	tristate "BLAKE2s digest algorithm (x86 accelerated version)"
706	depends on X86 && 64BIT
707	select CRYPTO_LIB_BLAKE2S_GENERIC
708	select CRYPTO_ARCH_HAVE_LIB_BLAKE2S
709
710config CRYPTO_CRCT10DIF
711	tristate "CRCT10DIF algorithm"
712	select CRYPTO_HASH
713	help
714	  CRC T10 Data Integrity Field computation is being cast as
715	  a crypto transform.  This allows for faster crc t10 diff
716	  transforms to be used if they are available.
717
718config CRYPTO_CRCT10DIF_PCLMUL
719	tristate "CRCT10DIF PCLMULQDQ hardware acceleration"
720	depends on X86 && 64BIT && CRC_T10DIF
721	select CRYPTO_HASH
722	help
723	  For x86_64 processors with SSE4.2 and PCLMULQDQ supported,
724	  CRC T10 DIF PCLMULQDQ computation can be hardware
725	  accelerated PCLMULQDQ instruction. This option will create
726	  'crct10dif-pclmul' module, which is faster when computing the
727	  crct10dif checksum as compared with the generic table implementation.
728
729config CRYPTO_CRCT10DIF_VPMSUM
730	tristate "CRC32T10DIF powerpc64 hardware acceleration"
731	depends on PPC64 && ALTIVEC && CRC_T10DIF
732	select CRYPTO_HASH
733	help
734	  CRC10T10DIF algorithm implemented using vector polynomial
735	  multiply-sum (vpmsum) instructions, introduced in POWER8. Enable on
736	  POWER8 and newer processors for improved performance.
737
738config CRYPTO_VPMSUM_TESTER
739	tristate "Powerpc64 vpmsum hardware acceleration tester"
740	depends on CRYPTO_CRCT10DIF_VPMSUM && CRYPTO_CRC32C_VPMSUM
741	help
742	  Stress test for CRC32c and CRC-T10DIF algorithms implemented with
743	  POWER8 vpmsum instructions.
744	  Unless you are testing these algorithms, you don't need this.
745
746config CRYPTO_GHASH
747	tristate "GHASH hash function"
748	select CRYPTO_GF128MUL
749	select CRYPTO_HASH
750	help
751	  GHASH is the hash function used in GCM (Galois/Counter Mode).
752	  It is not a general-purpose cryptographic hash function.
753
754config CRYPTO_POLY1305
755	tristate "Poly1305 authenticator algorithm"
756	select CRYPTO_HASH
757	select CRYPTO_LIB_POLY1305_GENERIC
758	help
759	  Poly1305 authenticator algorithm, RFC7539.
760
761	  Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
762	  It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
763	  in IETF protocols. This is the portable C implementation of Poly1305.
764
765config CRYPTO_POLY1305_X86_64
766	tristate "Poly1305 authenticator algorithm (x86_64/SSE2/AVX2)"
767	depends on X86 && 64BIT
768	select CRYPTO_LIB_POLY1305_GENERIC
769	select CRYPTO_ARCH_HAVE_LIB_POLY1305
770	help
771	  Poly1305 authenticator algorithm, RFC7539.
772
773	  Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
774	  It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
775	  in IETF protocols. This is the x86_64 assembler implementation using SIMD
776	  instructions.
777
778config CRYPTO_POLY1305_MIPS
779	tristate "Poly1305 authenticator algorithm (MIPS optimized)"
780	depends on MIPS
781	select CRYPTO_ARCH_HAVE_LIB_POLY1305
782
783config CRYPTO_MD4
784	tristate "MD4 digest algorithm"
785	select CRYPTO_HASH
786	help
787	  MD4 message digest algorithm (RFC1320).
788
789config CRYPTO_MD5
790	tristate "MD5 digest algorithm"
791	select CRYPTO_HASH
792	help
793	  MD5 message digest algorithm (RFC1321).
794
795config CRYPTO_MD5_OCTEON
796	tristate "MD5 digest algorithm (OCTEON)"
797	depends on CPU_CAVIUM_OCTEON
798	select CRYPTO_MD5
799	select CRYPTO_HASH
800	help
801	  MD5 message digest algorithm (RFC1321) implemented
802	  using OCTEON crypto instructions, when available.
803
804config CRYPTO_MD5_PPC
805	tristate "MD5 digest algorithm (PPC)"
806	depends on PPC
807	select CRYPTO_HASH
808	help
809	  MD5 message digest algorithm (RFC1321) implemented
810	  in PPC assembler.
811
812config CRYPTO_MD5_SPARC64
813	tristate "MD5 digest algorithm (SPARC64)"
814	depends on SPARC64
815	select CRYPTO_MD5
816	select CRYPTO_HASH
817	help
818	  MD5 message digest algorithm (RFC1321) implemented
819	  using sparc64 crypto instructions, when available.
820
821config CRYPTO_MICHAEL_MIC
822	tristate "Michael MIC keyed digest algorithm"
823	select CRYPTO_HASH
824	help
825	  Michael MIC is used for message integrity protection in TKIP
826	  (IEEE 802.11i). This algorithm is required for TKIP, but it
827	  should not be used for other purposes because of the weakness
828	  of the algorithm.
829
830config CRYPTO_RMD160
831	tristate "RIPEMD-160 digest algorithm"
832	select CRYPTO_HASH
833	help
834	  RIPEMD-160 (ISO/IEC 10118-3:2004).
835
836	  RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
837	  to be used as a secure replacement for the 128-bit hash functions
838	  MD4, MD5 and it's predecessor RIPEMD
839	  (not to be confused with RIPEMD-128).
840
841	  It's speed is comparable to SHA1 and there are no known attacks
842	  against RIPEMD-160.
843
844	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
845	  See <https://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
846
847config CRYPTO_SHA1
848	tristate "SHA1 digest algorithm"
849	select CRYPTO_HASH
850	help
851	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2).
852
853config CRYPTO_SHA1_SSSE3
854	tristate "SHA1 digest algorithm (SSSE3/AVX/AVX2/SHA-NI)"
855	depends on X86 && 64BIT
856	select CRYPTO_SHA1
857	select CRYPTO_HASH
858	help
859	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
860	  using Supplemental SSE3 (SSSE3) instructions or Advanced Vector
861	  Extensions (AVX/AVX2) or SHA-NI(SHA Extensions New Instructions),
862	  when available.
863
864config CRYPTO_SHA256_SSSE3
865	tristate "SHA256 digest algorithm (SSSE3/AVX/AVX2/SHA-NI)"
866	depends on X86 && 64BIT
867	select CRYPTO_SHA256
868	select CRYPTO_HASH
869	help
870	  SHA-256 secure hash standard (DFIPS 180-2) implemented
871	  using Supplemental SSE3 (SSSE3) instructions, or Advanced Vector
872	  Extensions version 1 (AVX1), or Advanced Vector Extensions
873	  version 2 (AVX2) instructions, or SHA-NI (SHA Extensions New
874	  Instructions) when available.
875
876config CRYPTO_SHA512_SSSE3
877	tristate "SHA512 digest algorithm (SSSE3/AVX/AVX2)"
878	depends on X86 && 64BIT
879	select CRYPTO_SHA512
880	select CRYPTO_HASH
881	help
882	  SHA-512 secure hash standard (DFIPS 180-2) implemented
883	  using Supplemental SSE3 (SSSE3) instructions, or Advanced Vector
884	  Extensions version 1 (AVX1), or Advanced Vector Extensions
885	  version 2 (AVX2) instructions, when available.
886
887config CRYPTO_SHA1_OCTEON
888	tristate "SHA1 digest algorithm (OCTEON)"
889	depends on CPU_CAVIUM_OCTEON
890	select CRYPTO_SHA1
891	select CRYPTO_HASH
892	help
893	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
894	  using OCTEON crypto instructions, when available.
895
896config CRYPTO_SHA1_SPARC64
897	tristate "SHA1 digest algorithm (SPARC64)"
898	depends on SPARC64
899	select CRYPTO_SHA1
900	select CRYPTO_HASH
901	help
902	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
903	  using sparc64 crypto instructions, when available.
904
905config CRYPTO_SHA1_PPC
906	tristate "SHA1 digest algorithm (powerpc)"
907	depends on PPC
908	help
909	  This is the powerpc hardware accelerated implementation of the
910	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2).
911
912config CRYPTO_SHA1_PPC_SPE
913	tristate "SHA1 digest algorithm (PPC SPE)"
914	depends on PPC && SPE
915	help
916	  SHA-1 secure hash standard (DFIPS 180-4) implemented
917	  using powerpc SPE SIMD instruction set.
918
919config CRYPTO_SHA256
920	tristate "SHA224 and SHA256 digest algorithm"
921	select CRYPTO_HASH
922	select CRYPTO_LIB_SHA256
923	help
924	  SHA256 secure hash standard (DFIPS 180-2).
925
926	  This version of SHA implements a 256 bit hash with 128 bits of
927	  security against collision attacks.
928
929	  This code also includes SHA-224, a 224 bit hash with 112 bits
930	  of security against collision attacks.
931
932config CRYPTO_SHA256_PPC_SPE
933	tristate "SHA224 and SHA256 digest algorithm (PPC SPE)"
934	depends on PPC && SPE
935	select CRYPTO_SHA256
936	select CRYPTO_HASH
937	help
938	  SHA224 and SHA256 secure hash standard (DFIPS 180-2)
939	  implemented using powerpc SPE SIMD instruction set.
940
941config CRYPTO_SHA256_OCTEON
942	tristate "SHA224 and SHA256 digest algorithm (OCTEON)"
943	depends on CPU_CAVIUM_OCTEON
944	select CRYPTO_SHA256
945	select CRYPTO_HASH
946	help
947	  SHA-256 secure hash standard (DFIPS 180-2) implemented
948	  using OCTEON crypto instructions, when available.
949
950config CRYPTO_SHA256_SPARC64
951	tristate "SHA224 and SHA256 digest algorithm (SPARC64)"
952	depends on SPARC64
953	select CRYPTO_SHA256
954	select CRYPTO_HASH
955	help
956	  SHA-256 secure hash standard (DFIPS 180-2) implemented
957	  using sparc64 crypto instructions, when available.
958
959config CRYPTO_SHA512
960	tristate "SHA384 and SHA512 digest algorithms"
961	select CRYPTO_HASH
962	help
963	  SHA512 secure hash standard (DFIPS 180-2).
964
965	  This version of SHA implements a 512 bit hash with 256 bits of
966	  security against collision attacks.
967
968	  This code also includes SHA-384, a 384 bit hash with 192 bits
969	  of security against collision attacks.
970
971config CRYPTO_SHA512_OCTEON
972	tristate "SHA384 and SHA512 digest algorithms (OCTEON)"
973	depends on CPU_CAVIUM_OCTEON
974	select CRYPTO_SHA512
975	select CRYPTO_HASH
976	help
977	  SHA-512 secure hash standard (DFIPS 180-2) implemented
978	  using OCTEON crypto instructions, when available.
979
980config CRYPTO_SHA512_SPARC64
981	tristate "SHA384 and SHA512 digest algorithm (SPARC64)"
982	depends on SPARC64
983	select CRYPTO_SHA512
984	select CRYPTO_HASH
985	help
986	  SHA-512 secure hash standard (DFIPS 180-2) implemented
987	  using sparc64 crypto instructions, when available.
988
989config CRYPTO_SHA3
990	tristate "SHA3 digest algorithm"
991	select CRYPTO_HASH
992	help
993	  SHA-3 secure hash standard (DFIPS 202). It's based on
994	  cryptographic sponge function family called Keccak.
995
996	  References:
997	  http://keccak.noekeon.org/
998
999config CRYPTO_SM3
1000	tristate "SM3 digest algorithm"
1001	select CRYPTO_HASH
1002	help
1003	  SM3 secure hash function as defined by OSCCA GM/T 0004-2012 SM3).
1004	  It is part of the Chinese Commercial Cryptography suite.
1005
1006	  References:
1007	  http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
1008	  https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
1009
1010config CRYPTO_STREEBOG
1011	tristate "Streebog Hash Function"
1012	select CRYPTO_HASH
1013	help
1014	  Streebog Hash Function (GOST R 34.11-2012, RFC 6986) is one of the Russian
1015	  cryptographic standard algorithms (called GOST algorithms).
1016	  This setting enables two hash algorithms with 256 and 512 bits output.
1017
1018	  References:
1019	  https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1020	  https://tools.ietf.org/html/rfc6986
1021
1022config CRYPTO_WP512
1023	tristate "Whirlpool digest algorithms"
1024	select CRYPTO_HASH
1025	help
1026	  Whirlpool hash algorithm 512, 384 and 256-bit hashes
1027
1028	  Whirlpool-512 is part of the NESSIE cryptographic primitives.
1029	  Whirlpool will be part of the ISO/IEC 10118-3:2003(E) standard
1030
1031	  See also:
1032	  <http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html>
1033
1034config CRYPTO_GHASH_CLMUL_NI_INTEL
1035	tristate "GHASH hash function (CLMUL-NI accelerated)"
1036	depends on X86 && 64BIT
1037	select CRYPTO_CRYPTD
1038	help
1039	  This is the x86_64 CLMUL-NI accelerated implementation of
1040	  GHASH, the hash function used in GCM (Galois/Counter mode).
1041
1042comment "Ciphers"
1043
1044config CRYPTO_AES
1045	tristate "AES cipher algorithms"
1046	select CRYPTO_ALGAPI
1047	select CRYPTO_LIB_AES
1048	help
1049	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
1050	  algorithm.
1051
1052	  Rijndael appears to be consistently a very good performer in
1053	  both hardware and software across a wide range of computing
1054	  environments regardless of its use in feedback or non-feedback
1055	  modes. Its key setup time is excellent, and its key agility is
1056	  good. Rijndael's very low memory requirements make it very well
1057	  suited for restricted-space environments, in which it also
1058	  demonstrates excellent performance. Rijndael's operations are
1059	  among the easiest to defend against power and timing attacks.
1060
1061	  The AES specifies three key sizes: 128, 192 and 256 bits
1062
1063	  See <http://csrc.nist.gov/CryptoToolkit/aes/> for more information.
1064
1065config CRYPTO_AES_TI
1066	tristate "Fixed time AES cipher"
1067	select CRYPTO_ALGAPI
1068	select CRYPTO_LIB_AES
1069	help
1070	  This is a generic implementation of AES that attempts to eliminate
1071	  data dependent latencies as much as possible without affecting
1072	  performance too much. It is intended for use by the generic CCM
1073	  and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
1074	  solely on encryption (although decryption is supported as well, but
1075	  with a more dramatic performance hit)
1076
1077	  Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
1078	  8 for decryption), this implementation only uses just two S-boxes of
1079	  256 bytes each, and attempts to eliminate data dependent latencies by
1080	  prefetching the entire table into the cache at the start of each
1081	  block. Interrupts are also disabled to avoid races where cachelines
1082	  are evicted when the CPU is interrupted to do something else.
1083
1084config CRYPTO_AES_NI_INTEL
1085	tristate "AES cipher algorithms (AES-NI)"
1086	depends on X86
1087	select CRYPTO_AEAD
1088	select CRYPTO_LIB_AES
1089	select CRYPTO_ALGAPI
1090	select CRYPTO_SKCIPHER
1091	select CRYPTO_SIMD
1092	help
1093	  Use Intel AES-NI instructions for AES algorithm.
1094
1095	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
1096	  algorithm.
1097
1098	  Rijndael appears to be consistently a very good performer in
1099	  both hardware and software across a wide range of computing
1100	  environments regardless of its use in feedback or non-feedback
1101	  modes. Its key setup time is excellent, and its key agility is
1102	  good. Rijndael's very low memory requirements make it very well
1103	  suited for restricted-space environments, in which it also
1104	  demonstrates excellent performance. Rijndael's operations are
1105	  among the easiest to defend against power and timing attacks.
1106
1107	  The AES specifies three key sizes: 128, 192 and 256 bits
1108
1109	  See <http://csrc.nist.gov/encryption/aes/> for more information.
1110
1111	  In addition to AES cipher algorithm support, the acceleration
1112	  for some popular block cipher mode is supported too, including
1113	  ECB, CBC, LRW, XTS. The 64 bit version has additional
1114	  acceleration for CTR.
1115
1116config CRYPTO_AES_SPARC64
1117	tristate "AES cipher algorithms (SPARC64)"
1118	depends on SPARC64
1119	select CRYPTO_SKCIPHER
1120	help
1121	  Use SPARC64 crypto opcodes for AES algorithm.
1122
1123	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
1124	  algorithm.
1125
1126	  Rijndael appears to be consistently a very good performer in
1127	  both hardware and software across a wide range of computing
1128	  environments regardless of its use in feedback or non-feedback
1129	  modes. Its key setup time is excellent, and its key agility is
1130	  good. Rijndael's very low memory requirements make it very well
1131	  suited for restricted-space environments, in which it also
1132	  demonstrates excellent performance. Rijndael's operations are
1133	  among the easiest to defend against power and timing attacks.
1134
1135	  The AES specifies three key sizes: 128, 192 and 256 bits
1136
1137	  See <http://csrc.nist.gov/encryption/aes/> for more information.
1138
1139	  In addition to AES cipher algorithm support, the acceleration
1140	  for some popular block cipher mode is supported too, including
1141	  ECB and CBC.
1142
1143config CRYPTO_AES_PPC_SPE
1144	tristate "AES cipher algorithms (PPC SPE)"
1145	depends on PPC && SPE
1146	select CRYPTO_SKCIPHER
1147	help
1148	  AES cipher algorithms (FIPS-197). Additionally the acceleration
1149	  for popular block cipher modes ECB, CBC, CTR and XTS is supported.
1150	  This module should only be used for low power (router) devices
1151	  without hardware AES acceleration (e.g. caam crypto). It reduces the
1152	  size of the AES tables from 16KB to 8KB + 256 bytes and mitigates
1153	  timining attacks. Nevertheless it might be not as secure as other
1154	  architecture specific assembler implementations that work on 1KB
1155	  tables or 256 bytes S-boxes.
1156
1157config CRYPTO_ANUBIS
1158	tristate "Anubis cipher algorithm"
1159	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1160	select CRYPTO_ALGAPI
1161	help
1162	  Anubis cipher algorithm.
1163
1164	  Anubis is a variable key length cipher which can use keys from
1165	  128 bits to 320 bits in length.  It was evaluated as a entrant
1166	  in the NESSIE competition.
1167
1168	  See also:
1169	  <https://www.cosic.esat.kuleuven.be/nessie/reports/>
1170	  <http://www.larc.usp.br/~pbarreto/AnubisPage.html>
1171
1172config CRYPTO_ARC4
1173	tristate "ARC4 cipher algorithm"
1174	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1175	select CRYPTO_SKCIPHER
1176	select CRYPTO_LIB_ARC4
1177	help
1178	  ARC4 cipher algorithm.
1179
1180	  ARC4 is a stream cipher using keys ranging from 8 bits to 2048
1181	  bits in length.  This algorithm is required for driver-based
1182	  WEP, but it should not be for other purposes because of the
1183	  weakness of the algorithm.
1184
1185config CRYPTO_BLOWFISH
1186	tristate "Blowfish cipher algorithm"
1187	select CRYPTO_ALGAPI
1188	select CRYPTO_BLOWFISH_COMMON
1189	help
1190	  Blowfish cipher algorithm, by Bruce Schneier.
1191
1192	  This is a variable key length cipher which can use keys from 32
1193	  bits to 448 bits in length.  It's fast, simple and specifically
1194	  designed for use on "large microprocessors".
1195
1196	  See also:
1197	  <https://www.schneier.com/blowfish.html>
1198
1199config CRYPTO_BLOWFISH_COMMON
1200	tristate
1201	help
1202	  Common parts of the Blowfish cipher algorithm shared by the
1203	  generic c and the assembler implementations.
1204
1205	  See also:
1206	  <https://www.schneier.com/blowfish.html>
1207
1208config CRYPTO_BLOWFISH_X86_64
1209	tristate "Blowfish cipher algorithm (x86_64)"
1210	depends on X86 && 64BIT
1211	select CRYPTO_SKCIPHER
1212	select CRYPTO_BLOWFISH_COMMON
1213	imply CRYPTO_CTR
1214	help
1215	  Blowfish cipher algorithm (x86_64), by Bruce Schneier.
1216
1217	  This is a variable key length cipher which can use keys from 32
1218	  bits to 448 bits in length.  It's fast, simple and specifically
1219	  designed for use on "large microprocessors".
1220
1221	  See also:
1222	  <https://www.schneier.com/blowfish.html>
1223
1224config CRYPTO_CAMELLIA
1225	tristate "Camellia cipher algorithms"
1226	select CRYPTO_ALGAPI
1227	help
1228	  Camellia cipher algorithms module.
1229
1230	  Camellia is a symmetric key block cipher developed jointly
1231	  at NTT and Mitsubishi Electric Corporation.
1232
1233	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1234
1235	  See also:
1236	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1237
1238config CRYPTO_CAMELLIA_X86_64
1239	tristate "Camellia cipher algorithm (x86_64)"
1240	depends on X86 && 64BIT
1241	select CRYPTO_SKCIPHER
1242	imply CRYPTO_CTR
1243	help
1244	  Camellia cipher algorithm module (x86_64).
1245
1246	  Camellia is a symmetric key block cipher developed jointly
1247	  at NTT and Mitsubishi Electric Corporation.
1248
1249	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1250
1251	  See also:
1252	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1253
1254config CRYPTO_CAMELLIA_AESNI_AVX_X86_64
1255	tristate "Camellia cipher algorithm (x86_64/AES-NI/AVX)"
1256	depends on X86 && 64BIT
1257	select CRYPTO_SKCIPHER
1258	select CRYPTO_CAMELLIA_X86_64
1259	select CRYPTO_SIMD
1260	imply CRYPTO_XTS
1261	help
1262	  Camellia cipher algorithm module (x86_64/AES-NI/AVX).
1263
1264	  Camellia is a symmetric key block cipher developed jointly
1265	  at NTT and Mitsubishi Electric Corporation.
1266
1267	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1268
1269	  See also:
1270	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1271
1272config CRYPTO_CAMELLIA_AESNI_AVX2_X86_64
1273	tristate "Camellia cipher algorithm (x86_64/AES-NI/AVX2)"
1274	depends on X86 && 64BIT
1275	select CRYPTO_CAMELLIA_AESNI_AVX_X86_64
1276	help
1277	  Camellia cipher algorithm module (x86_64/AES-NI/AVX2).
1278
1279	  Camellia is a symmetric key block cipher developed jointly
1280	  at NTT and Mitsubishi Electric Corporation.
1281
1282	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1283
1284	  See also:
1285	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1286
1287config CRYPTO_CAMELLIA_SPARC64
1288	tristate "Camellia cipher algorithm (SPARC64)"
1289	depends on SPARC64
1290	select CRYPTO_ALGAPI
1291	select CRYPTO_SKCIPHER
1292	help
1293	  Camellia cipher algorithm module (SPARC64).
1294
1295	  Camellia is a symmetric key block cipher developed jointly
1296	  at NTT and Mitsubishi Electric Corporation.
1297
1298	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1299
1300	  See also:
1301	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1302
1303config CRYPTO_CAST_COMMON
1304	tristate
1305	help
1306	  Common parts of the CAST cipher algorithms shared by the
1307	  generic c and the assembler implementations.
1308
1309config CRYPTO_CAST5
1310	tristate "CAST5 (CAST-128) cipher algorithm"
1311	select CRYPTO_ALGAPI
1312	select CRYPTO_CAST_COMMON
1313	help
1314	  The CAST5 encryption algorithm (synonymous with CAST-128) is
1315	  described in RFC2144.
1316
1317config CRYPTO_CAST5_AVX_X86_64
1318	tristate "CAST5 (CAST-128) cipher algorithm (x86_64/AVX)"
1319	depends on X86 && 64BIT
1320	select CRYPTO_SKCIPHER
1321	select CRYPTO_CAST5
1322	select CRYPTO_CAST_COMMON
1323	select CRYPTO_SIMD
1324	imply CRYPTO_CTR
1325	help
1326	  The CAST5 encryption algorithm (synonymous with CAST-128) is
1327	  described in RFC2144.
1328
1329	  This module provides the Cast5 cipher algorithm that processes
1330	  sixteen blocks parallel using the AVX instruction set.
1331
1332config CRYPTO_CAST6
1333	tristate "CAST6 (CAST-256) cipher algorithm"
1334	select CRYPTO_ALGAPI
1335	select CRYPTO_CAST_COMMON
1336	help
1337	  The CAST6 encryption algorithm (synonymous with CAST-256) is
1338	  described in RFC2612.
1339
1340config CRYPTO_CAST6_AVX_X86_64
1341	tristate "CAST6 (CAST-256) cipher algorithm (x86_64/AVX)"
1342	depends on X86 && 64BIT
1343	select CRYPTO_SKCIPHER
1344	select CRYPTO_CAST6
1345	select CRYPTO_CAST_COMMON
1346	select CRYPTO_SIMD
1347	imply CRYPTO_XTS
1348	imply CRYPTO_CTR
1349	help
1350	  The CAST6 encryption algorithm (synonymous with CAST-256) is
1351	  described in RFC2612.
1352
1353	  This module provides the Cast6 cipher algorithm that processes
1354	  eight blocks parallel using the AVX instruction set.
1355
1356config CRYPTO_DES
1357	tristate "DES and Triple DES EDE cipher algorithms"
1358	select CRYPTO_ALGAPI
1359	select CRYPTO_LIB_DES
1360	help
1361	  DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3).
1362
1363config CRYPTO_DES_SPARC64
1364	tristate "DES and Triple DES EDE cipher algorithms (SPARC64)"
1365	depends on SPARC64
1366	select CRYPTO_ALGAPI
1367	select CRYPTO_LIB_DES
1368	select CRYPTO_SKCIPHER
1369	help
1370	  DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3),
1371	  optimized using SPARC64 crypto opcodes.
1372
1373config CRYPTO_DES3_EDE_X86_64
1374	tristate "Triple DES EDE cipher algorithm (x86-64)"
1375	depends on X86 && 64BIT
1376	select CRYPTO_SKCIPHER
1377	select CRYPTO_LIB_DES
1378	imply CRYPTO_CTR
1379	help
1380	  Triple DES EDE (FIPS 46-3) algorithm.
1381
1382	  This module provides implementation of the Triple DES EDE cipher
1383	  algorithm that is optimized for x86-64 processors. Two versions of
1384	  algorithm are provided; regular processing one input block and
1385	  one that processes three blocks parallel.
1386
1387config CRYPTO_FCRYPT
1388	tristate "FCrypt cipher algorithm"
1389	select CRYPTO_ALGAPI
1390	select CRYPTO_SKCIPHER
1391	help
1392	  FCrypt algorithm used by RxRPC.
1393
1394config CRYPTO_KHAZAD
1395	tristate "Khazad cipher algorithm"
1396	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1397	select CRYPTO_ALGAPI
1398	help
1399	  Khazad cipher algorithm.
1400
1401	  Khazad was a finalist in the initial NESSIE competition.  It is
1402	  an algorithm optimized for 64-bit processors with good performance
1403	  on 32-bit processors.  Khazad uses an 128 bit key size.
1404
1405	  See also:
1406	  <http://www.larc.usp.br/~pbarreto/KhazadPage.html>
1407
1408config CRYPTO_CHACHA20
1409	tristate "ChaCha stream cipher algorithms"
1410	select CRYPTO_LIB_CHACHA_GENERIC
1411	select CRYPTO_SKCIPHER
1412	help
1413	  The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms.
1414
1415	  ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
1416	  Bernstein and further specified in RFC7539 for use in IETF protocols.
1417	  This is the portable C implementation of ChaCha20.  See also:
1418	  <https://cr.yp.to/chacha/chacha-20080128.pdf>
1419
1420	  XChaCha20 is the application of the XSalsa20 construction to ChaCha20
1421	  rather than to Salsa20.  XChaCha20 extends ChaCha20's nonce length
1422	  from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
1423	  while provably retaining ChaCha20's security.  See also:
1424	  <https://cr.yp.to/snuffle/xsalsa-20081128.pdf>
1425
1426	  XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
1427	  reduced security margin but increased performance.  It can be needed
1428	  in some performance-sensitive scenarios.
1429
1430config CRYPTO_CHACHA20_X86_64
1431	tristate "ChaCha stream cipher algorithms (x86_64/SSSE3/AVX2/AVX-512VL)"
1432	depends on X86 && 64BIT
1433	select CRYPTO_SKCIPHER
1434	select CRYPTO_LIB_CHACHA_GENERIC
1435	select CRYPTO_ARCH_HAVE_LIB_CHACHA
1436	help
1437	  SSSE3, AVX2, and AVX-512VL optimized implementations of the ChaCha20,
1438	  XChaCha20, and XChaCha12 stream ciphers.
1439
1440config CRYPTO_CHACHA_MIPS
1441	tristate "ChaCha stream cipher algorithms (MIPS 32r2 optimized)"
1442	depends on CPU_MIPS32_R2
1443	select CRYPTO_SKCIPHER
1444	select CRYPTO_ARCH_HAVE_LIB_CHACHA
1445
1446config CRYPTO_SEED
1447	tristate "SEED cipher algorithm"
1448	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1449	select CRYPTO_ALGAPI
1450	help
1451	  SEED cipher algorithm (RFC4269).
1452
1453	  SEED is a 128-bit symmetric key block cipher that has been
1454	  developed by KISA (Korea Information Security Agency) as a
1455	  national standard encryption algorithm of the Republic of Korea.
1456	  It is a 16 round block cipher with the key size of 128 bit.
1457
1458	  See also:
1459	  <http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp>
1460
1461config CRYPTO_SERPENT
1462	tristate "Serpent cipher algorithm"
1463	select CRYPTO_ALGAPI
1464	help
1465	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1466
1467	  Keys are allowed to be from 0 to 256 bits in length, in steps
1468	  of 8 bits.
1469
1470	  See also:
1471	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1472
1473config CRYPTO_SERPENT_SSE2_X86_64
1474	tristate "Serpent cipher algorithm (x86_64/SSE2)"
1475	depends on X86 && 64BIT
1476	select CRYPTO_SKCIPHER
1477	select CRYPTO_SERPENT
1478	select CRYPTO_SIMD
1479	imply CRYPTO_CTR
1480	help
1481	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1482
1483	  Keys are allowed to be from 0 to 256 bits in length, in steps
1484	  of 8 bits.
1485
1486	  This module provides Serpent cipher algorithm that processes eight
1487	  blocks parallel using SSE2 instruction set.
1488
1489	  See also:
1490	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1491
1492config CRYPTO_SERPENT_SSE2_586
1493	tristate "Serpent cipher algorithm (i586/SSE2)"
1494	depends on X86 && !64BIT
1495	select CRYPTO_SKCIPHER
1496	select CRYPTO_SERPENT
1497	select CRYPTO_SIMD
1498	imply CRYPTO_CTR
1499	help
1500	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1501
1502	  Keys are allowed to be from 0 to 256 bits in length, in steps
1503	  of 8 bits.
1504
1505	  This module provides Serpent cipher algorithm that processes four
1506	  blocks parallel using SSE2 instruction set.
1507
1508	  See also:
1509	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1510
1511config CRYPTO_SERPENT_AVX_X86_64
1512	tristate "Serpent cipher algorithm (x86_64/AVX)"
1513	depends on X86 && 64BIT
1514	select CRYPTO_SKCIPHER
1515	select CRYPTO_SERPENT
1516	select CRYPTO_SIMD
1517	imply CRYPTO_XTS
1518	imply CRYPTO_CTR
1519	help
1520	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1521
1522	  Keys are allowed to be from 0 to 256 bits in length, in steps
1523	  of 8 bits.
1524
1525	  This module provides the Serpent cipher algorithm that processes
1526	  eight blocks parallel using the AVX instruction set.
1527
1528	  See also:
1529	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1530
1531config CRYPTO_SERPENT_AVX2_X86_64
1532	tristate "Serpent cipher algorithm (x86_64/AVX2)"
1533	depends on X86 && 64BIT
1534	select CRYPTO_SERPENT_AVX_X86_64
1535	help
1536	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1537
1538	  Keys are allowed to be from 0 to 256 bits in length, in steps
1539	  of 8 bits.
1540
1541	  This module provides Serpent cipher algorithm that processes 16
1542	  blocks parallel using AVX2 instruction set.
1543
1544	  See also:
1545	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1546
1547config CRYPTO_SM4
1548	tristate "SM4 cipher algorithm"
1549	select CRYPTO_ALGAPI
1550	help
1551	  SM4 cipher algorithms (OSCCA GB/T 32907-2016).
1552
1553	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
1554	  Organization of State Commercial Administration of China (OSCCA)
1555	  as an authorized cryptographic algorithms for the use within China.
1556
1557	  SMS4 was originally created for use in protecting wireless
1558	  networks, and is mandated in the Chinese National Standard for
1559	  Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
1560	  (GB.15629.11-2003).
1561
1562	  The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
1563	  standardized through TC 260 of the Standardization Administration
1564	  of the People's Republic of China (SAC).
1565
1566	  The input, output, and key of SMS4 are each 128 bits.
1567
1568	  See also: <https://eprint.iacr.org/2008/329.pdf>
1569
1570	  If unsure, say N.
1571
1572config CRYPTO_TEA
1573	tristate "TEA, XTEA and XETA cipher algorithms"
1574	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1575	select CRYPTO_ALGAPI
1576	help
1577	  TEA cipher algorithm.
1578
1579	  Tiny Encryption Algorithm is a simple cipher that uses
1580	  many rounds for security.  It is very fast and uses
1581	  little memory.
1582
1583	  Xtendend Tiny Encryption Algorithm is a modification to
1584	  the TEA algorithm to address a potential key weakness
1585	  in the TEA algorithm.
1586
1587	  Xtendend Encryption Tiny Algorithm is a mis-implementation
1588	  of the XTEA algorithm for compatibility purposes.
1589
1590config CRYPTO_TWOFISH
1591	tristate "Twofish cipher algorithm"
1592	select CRYPTO_ALGAPI
1593	select CRYPTO_TWOFISH_COMMON
1594	help
1595	  Twofish cipher algorithm.
1596
1597	  Twofish was submitted as an AES (Advanced Encryption Standard)
1598	  candidate cipher by researchers at CounterPane Systems.  It is a
1599	  16 round block cipher supporting key sizes of 128, 192, and 256
1600	  bits.
1601
1602	  See also:
1603	  <https://www.schneier.com/twofish.html>
1604
1605config CRYPTO_TWOFISH_COMMON
1606	tristate
1607	help
1608	  Common parts of the Twofish cipher algorithm shared by the
1609	  generic c and the assembler implementations.
1610
1611config CRYPTO_TWOFISH_586
1612	tristate "Twofish cipher algorithms (i586)"
1613	depends on (X86 || UML_X86) && !64BIT
1614	select CRYPTO_ALGAPI
1615	select CRYPTO_TWOFISH_COMMON
1616	imply CRYPTO_CTR
1617	help
1618	  Twofish cipher algorithm.
1619
1620	  Twofish was submitted as an AES (Advanced Encryption Standard)
1621	  candidate cipher by researchers at CounterPane Systems.  It is a
1622	  16 round block cipher supporting key sizes of 128, 192, and 256
1623	  bits.
1624
1625	  See also:
1626	  <https://www.schneier.com/twofish.html>
1627
1628config CRYPTO_TWOFISH_X86_64
1629	tristate "Twofish cipher algorithm (x86_64)"
1630	depends on (X86 || UML_X86) && 64BIT
1631	select CRYPTO_ALGAPI
1632	select CRYPTO_TWOFISH_COMMON
1633	imply CRYPTO_CTR
1634	help
1635	  Twofish cipher algorithm (x86_64).
1636
1637	  Twofish was submitted as an AES (Advanced Encryption Standard)
1638	  candidate cipher by researchers at CounterPane Systems.  It is a
1639	  16 round block cipher supporting key sizes of 128, 192, and 256
1640	  bits.
1641
1642	  See also:
1643	  <https://www.schneier.com/twofish.html>
1644
1645config CRYPTO_TWOFISH_X86_64_3WAY
1646	tristate "Twofish cipher algorithm (x86_64, 3-way parallel)"
1647	depends on X86 && 64BIT
1648	select CRYPTO_SKCIPHER
1649	select CRYPTO_TWOFISH_COMMON
1650	select CRYPTO_TWOFISH_X86_64
1651	help
1652	  Twofish cipher algorithm (x86_64, 3-way parallel).
1653
1654	  Twofish was submitted as an AES (Advanced Encryption Standard)
1655	  candidate cipher by researchers at CounterPane Systems.  It is a
1656	  16 round block cipher supporting key sizes of 128, 192, and 256
1657	  bits.
1658
1659	  This module provides Twofish cipher algorithm that processes three
1660	  blocks parallel, utilizing resources of out-of-order CPUs better.
1661
1662	  See also:
1663	  <https://www.schneier.com/twofish.html>
1664
1665config CRYPTO_TWOFISH_AVX_X86_64
1666	tristate "Twofish cipher algorithm (x86_64/AVX)"
1667	depends on X86 && 64BIT
1668	select CRYPTO_SKCIPHER
1669	select CRYPTO_SIMD
1670	select CRYPTO_TWOFISH_COMMON
1671	select CRYPTO_TWOFISH_X86_64
1672	select CRYPTO_TWOFISH_X86_64_3WAY
1673	imply CRYPTO_XTS
1674	help
1675	  Twofish cipher algorithm (x86_64/AVX).
1676
1677	  Twofish was submitted as an AES (Advanced Encryption Standard)
1678	  candidate cipher by researchers at CounterPane Systems.  It is a
1679	  16 round block cipher supporting key sizes of 128, 192, and 256
1680	  bits.
1681
1682	  This module provides the Twofish cipher algorithm that processes
1683	  eight blocks parallel using the AVX Instruction Set.
1684
1685	  See also:
1686	  <https://www.schneier.com/twofish.html>
1687
1688comment "Compression"
1689
1690config CRYPTO_DEFLATE
1691	tristate "Deflate compression algorithm"
1692	select CRYPTO_ALGAPI
1693	select CRYPTO_ACOMP2
1694	select ZLIB_INFLATE
1695	select ZLIB_DEFLATE
1696	help
1697	  This is the Deflate algorithm (RFC1951), specified for use in
1698	  IPSec with the IPCOMP protocol (RFC3173, RFC2394).
1699
1700	  You will most probably want this if using IPSec.
1701
1702config CRYPTO_LZO
1703	tristate "LZO compression algorithm"
1704	select CRYPTO_ALGAPI
1705	select CRYPTO_ACOMP2
1706	select LZO_COMPRESS
1707	select LZO_DECOMPRESS
1708	help
1709	  This is the LZO algorithm.
1710
1711config CRYPTO_842
1712	tristate "842 compression algorithm"
1713	select CRYPTO_ALGAPI
1714	select CRYPTO_ACOMP2
1715	select 842_COMPRESS
1716	select 842_DECOMPRESS
1717	help
1718	  This is the 842 algorithm.
1719
1720config CRYPTO_LZ4
1721	tristate "LZ4 compression algorithm"
1722	select CRYPTO_ALGAPI
1723	select CRYPTO_ACOMP2
1724	select LZ4_COMPRESS
1725	select LZ4_DECOMPRESS
1726	help
1727	  This is the LZ4 algorithm.
1728
1729config CRYPTO_LZ4HC
1730	tristate "LZ4HC compression algorithm"
1731	select CRYPTO_ALGAPI
1732	select CRYPTO_ACOMP2
1733	select LZ4HC_COMPRESS
1734	select LZ4_DECOMPRESS
1735	help
1736	  This is the LZ4 high compression mode algorithm.
1737
1738config CRYPTO_ZSTD
1739	tristate "Zstd compression algorithm"
1740	select CRYPTO_ALGAPI
1741	select CRYPTO_ACOMP2
1742	select ZSTD_COMPRESS
1743	select ZSTD_DECOMPRESS
1744	help
1745	  This is the zstd algorithm.
1746
1747comment "Random Number Generation"
1748
1749config CRYPTO_ANSI_CPRNG
1750	tristate "Pseudo Random Number Generation for Cryptographic modules"
1751	select CRYPTO_AES
1752	select CRYPTO_RNG
1753	help
1754	  This option enables the generic pseudo random number generator
1755	  for cryptographic modules.  Uses the Algorithm specified in
1756	  ANSI X9.31 A.2.4. Note that this option must be enabled if
1757	  CRYPTO_FIPS is selected
1758
1759menuconfig CRYPTO_DRBG_MENU
1760	tristate "NIST SP800-90A DRBG"
1761	help
1762	  NIST SP800-90A compliant DRBG. In the following submenu, one or
1763	  more of the DRBG types must be selected.
1764
1765if CRYPTO_DRBG_MENU
1766
1767config CRYPTO_DRBG_HMAC
1768	bool
1769	default y
1770	select CRYPTO_HMAC
1771	select CRYPTO_SHA256
1772
1773config CRYPTO_DRBG_HASH
1774	bool "Enable Hash DRBG"
1775	select CRYPTO_SHA256
1776	help
1777	  Enable the Hash DRBG variant as defined in NIST SP800-90A.
1778
1779config CRYPTO_DRBG_CTR
1780	bool "Enable CTR DRBG"
1781	select CRYPTO_AES
1782	select CRYPTO_CTR
1783	help
1784	  Enable the CTR DRBG variant as defined in NIST SP800-90A.
1785
1786config CRYPTO_DRBG
1787	tristate
1788	default CRYPTO_DRBG_MENU
1789	select CRYPTO_RNG
1790	select CRYPTO_JITTERENTROPY
1791
1792endif	# if CRYPTO_DRBG_MENU
1793
1794config CRYPTO_JITTERENTROPY
1795	tristate "Jitterentropy Non-Deterministic Random Number Generator"
1796	select CRYPTO_RNG
1797	help
1798	  The Jitterentropy RNG is a noise that is intended
1799	  to provide seed to another RNG. The RNG does not
1800	  perform any cryptographic whitening of the generated
1801	  random numbers. This Jitterentropy RNG registers with
1802	  the kernel crypto API and can be used by any caller.
1803
1804config CRYPTO_USER_API
1805	tristate
1806
1807config CRYPTO_USER_API_HASH
1808	tristate "User-space interface for hash algorithms"
1809	depends on NET
1810	select CRYPTO_HASH
1811	select CRYPTO_USER_API
1812	help
1813	  This option enables the user-spaces interface for hash
1814	  algorithms.
1815
1816config CRYPTO_USER_API_SKCIPHER
1817	tristate "User-space interface for symmetric key cipher algorithms"
1818	depends on NET
1819	select CRYPTO_SKCIPHER
1820	select CRYPTO_USER_API
1821	help
1822	  This option enables the user-spaces interface for symmetric
1823	  key cipher algorithms.
1824
1825config CRYPTO_USER_API_RNG
1826	tristate "User-space interface for random number generator algorithms"
1827	depends on NET
1828	select CRYPTO_RNG
1829	select CRYPTO_USER_API
1830	help
1831	  This option enables the user-spaces interface for random
1832	  number generator algorithms.
1833
1834config CRYPTO_USER_API_RNG_CAVP
1835	bool "Enable CAVP testing of DRBG"
1836	depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
1837	help
1838	  This option enables extra API for CAVP testing via the user-space
1839	  interface: resetting of DRBG entropy, and providing Additional Data.
1840	  This should only be enabled for CAVP testing. You should say
1841	  no unless you know what this is.
1842
1843config CRYPTO_USER_API_AEAD
1844	tristate "User-space interface for AEAD cipher algorithms"
1845	depends on NET
1846	select CRYPTO_AEAD
1847	select CRYPTO_SKCIPHER
1848	select CRYPTO_NULL
1849	select CRYPTO_USER_API
1850	help
1851	  This option enables the user-spaces interface for AEAD
1852	  cipher algorithms.
1853
1854config CRYPTO_USER_API_ENABLE_OBSOLETE
1855	bool "Enable obsolete cryptographic algorithms for userspace"
1856	depends on CRYPTO_USER_API
1857	default y
1858	help
1859	  Allow obsolete cryptographic algorithms to be selected that have
1860	  already been phased out from internal use by the kernel, and are
1861	  only useful for userspace clients that still rely on them.
1862
1863config CRYPTO_STATS
1864	bool "Crypto usage statistics for User-space"
1865	depends on CRYPTO_USER
1866	help
1867	  This option enables the gathering of crypto stats.
1868	  This will collect:
1869	  - encrypt/decrypt size and numbers of symmeric operations
1870	  - compress/decompress size and numbers of compress operations
1871	  - size and numbers of hash operations
1872	  - encrypt/decrypt/sign/verify numbers for asymmetric operations
1873	  - generate/seed numbers for rng operations
1874
1875config CRYPTO_HASH_INFO
1876	bool
1877
1878source "lib/crypto/Kconfig"
1879source "drivers/crypto/Kconfig"
1880source "crypto/asymmetric_keys/Kconfig"
1881source "certs/Kconfig"
1882
1883endif	# if CRYPTO
1884