xref: /openbmc/linux/net/xfrm/Kconfig (revision 4bb1eb3c)
1# SPDX-License-Identifier: GPL-2.0-only
2#
3# XFRM configuration
4#
5config XFRM
6	bool
7	depends on INET
8	select GRO_CELLS
9	select SKB_EXTENSIONS
10
11config XFRM_OFFLOAD
12	bool
13
14config XFRM_ALGO
15	tristate
16	select XFRM
17	select CRYPTO
18	select CRYPTO_HASH
19	select CRYPTO_SKCIPHER
20
21if INET
22config XFRM_USER
23	tristate "Transformation user configuration interface"
24	select XFRM_ALGO
25	help
26	  Support for Transformation(XFRM) user configuration interface
27	  like IPsec used by native Linux tools.
28
29	  If unsure, say Y.
30
31config XFRM_INTERFACE
32	tristate "Transformation virtual interface"
33	depends on XFRM && IPV6
34	help
35	  This provides a virtual interface to route IPsec traffic.
36
37	  If unsure, say N.
38
39config XFRM_SUB_POLICY
40	bool "Transformation sub policy support"
41	depends on XFRM
42	help
43	  Support sub policy for developers. By using sub policy with main
44	  one, two policies can be applied to the same packet at once.
45	  Policy which lives shorter time in kernel should be a sub.
46
47	  If unsure, say N.
48
49config XFRM_MIGRATE
50	bool "Transformation migrate database"
51	depends on XFRM
52	help
53	  A feature to update locator(s) of a given IPsec security
54	  association dynamically.  This feature is required, for
55	  instance, in a Mobile IPv6 environment with IPsec configuration
56	  where mobile nodes change their attachment point to the Internet.
57
58	  If unsure, say N.
59
60config XFRM_STATISTICS
61	bool "Transformation statistics"
62	depends on XFRM && PROC_FS
63	help
64	  This statistics is not a SNMP/MIB specification but shows
65	  statistics about transformation error (or almost error) factor
66	  at packet processing for developer.
67
68	  If unsure, say N.
69
70# This option selects XFRM_ALGO along with the AH authentication algorithms that
71# RFC 8221 lists as MUST be implemented.
72config XFRM_AH
73	tristate
74	select XFRM_ALGO
75	select CRYPTO
76	select CRYPTO_HMAC
77	select CRYPTO_SHA256
78
79# This option selects XFRM_ALGO along with the ESP encryption and authentication
80# algorithms that RFC 8221 lists as MUST be implemented.
81config XFRM_ESP
82	tristate
83	select XFRM_ALGO
84	select CRYPTO
85	select CRYPTO_AES
86	select CRYPTO_AUTHENC
87	select CRYPTO_CBC
88	select CRYPTO_ECHAINIV
89	select CRYPTO_GCM
90	select CRYPTO_HMAC
91	select CRYPTO_SEQIV
92	select CRYPTO_SHA256
93
94config XFRM_IPCOMP
95	tristate
96	select XFRM_ALGO
97	select CRYPTO
98	select CRYPTO_DEFLATE
99
100config NET_KEY
101	tristate "PF_KEY sockets"
102	select XFRM_ALGO
103	help
104	  PF_KEYv2 socket family, compatible to KAME ones.
105	  They are required if you are going to use IPsec tools ported
106	  from KAME.
107
108	  Say Y unless you know what you are doing.
109
110config NET_KEY_MIGRATE
111	bool "PF_KEY MIGRATE"
112	depends on NET_KEY
113	select XFRM_MIGRATE
114	help
115	  Add a PF_KEY MIGRATE message to PF_KEYv2 socket family.
116	  The PF_KEY MIGRATE message is used to dynamically update
117	  locator(s) of a given IPsec security association.
118	  This feature is required, for instance, in a Mobile IPv6
119	  environment with IPsec configuration where mobile nodes
120	  change their attachment point to the Internet.  Detail
121	  information can be found in the internet-draft
122	  <draft-sugimoto-mip6-pfkey-migrate>.
123
124	  If unsure, say N.
125
126config XFRM_ESPINTCP
127	bool
128
129endif # INET
130