1# SPDX-License-Identifier: GPL-2.0-only 2# 3# XFRM configuration 4# 5config XFRM 6 bool 7 depends on INET 8 select GRO_CELLS 9 select SKB_EXTENSIONS 10 11config XFRM_OFFLOAD 12 bool 13 14config XFRM_ALGO 15 tristate 16 select XFRM 17 select CRYPTO 18 select CRYPTO_HASH 19 select CRYPTO_SKCIPHER 20 21if INET 22config XFRM_USER 23 tristate "Transformation user configuration interface" 24 select XFRM_ALGO 25 help 26 Support for Transformation(XFRM) user configuration interface 27 like IPsec used by native Linux tools. 28 29 If unsure, say Y. 30 31config XFRM_USER_COMPAT 32 tristate "Compatible ABI support" 33 depends on XFRM_USER && COMPAT_FOR_U64_ALIGNMENT && \ 34 HAVE_EFFICIENT_UNALIGNED_ACCESS 35 select WANT_COMPAT_NETLINK_MESSAGES 36 help 37 Transformation(XFRM) user configuration interface like IPsec 38 used by compatible Linux applications. 39 40 If unsure, say N. 41 42config XFRM_INTERFACE 43 tristate "Transformation virtual interface" 44 depends on XFRM && IPV6 45 help 46 This provides a virtual interface to route IPsec traffic. 47 48 If unsure, say N. 49 50config XFRM_SUB_POLICY 51 bool "Transformation sub policy support" 52 depends on XFRM 53 help 54 Support sub policy for developers. By using sub policy with main 55 one, two policies can be applied to the same packet at once. 56 Policy which lives shorter time in kernel should be a sub. 57 58 If unsure, say N. 59 60config XFRM_MIGRATE 61 bool "Transformation migrate database" 62 depends on XFRM 63 help 64 A feature to update locator(s) of a given IPsec security 65 association dynamically. This feature is required, for 66 instance, in a Mobile IPv6 environment with IPsec configuration 67 where mobile nodes change their attachment point to the Internet. 68 69 If unsure, say N. 70 71config XFRM_STATISTICS 72 bool "Transformation statistics" 73 depends on XFRM && PROC_FS 74 help 75 This statistics is not a SNMP/MIB specification but shows 76 statistics about transformation error (or almost error) factor 77 at packet processing for developer. 78 79 If unsure, say N. 80 81# This option selects XFRM_ALGO along with the AH authentication algorithms that 82# RFC 8221 lists as MUST be implemented. 83config XFRM_AH 84 tristate 85 select XFRM_ALGO 86 select CRYPTO 87 select CRYPTO_HMAC 88 select CRYPTO_SHA256 89 90# This option selects XFRM_ALGO along with the ESP encryption and authentication 91# algorithms that RFC 8221 lists as MUST be implemented. 92config XFRM_ESP 93 tristate 94 select XFRM_ALGO 95 select CRYPTO 96 select CRYPTO_AES 97 select CRYPTO_AUTHENC 98 select CRYPTO_CBC 99 select CRYPTO_ECHAINIV 100 select CRYPTO_GCM 101 select CRYPTO_HMAC 102 select CRYPTO_SEQIV 103 select CRYPTO_SHA256 104 105config XFRM_IPCOMP 106 tristate 107 select XFRM_ALGO 108 select CRYPTO 109 select CRYPTO_DEFLATE 110 111config NET_KEY 112 tristate "PF_KEY sockets" 113 select XFRM_ALGO 114 help 115 PF_KEYv2 socket family, compatible to KAME ones. 116 They are required if you are going to use IPsec tools ported 117 from KAME. 118 119 Say Y unless you know what you are doing. 120 121config NET_KEY_MIGRATE 122 bool "PF_KEY MIGRATE" 123 depends on NET_KEY 124 select XFRM_MIGRATE 125 help 126 Add a PF_KEY MIGRATE message to PF_KEYv2 socket family. 127 The PF_KEY MIGRATE message is used to dynamically update 128 locator(s) of a given IPsec security association. 129 This feature is required, for instance, in a Mobile IPv6 130 environment with IPsec configuration where mobile nodes 131 change their attachment point to the Internet. Detail 132 information can be found in the internet-draft 133 <draft-sugimoto-mip6-pfkey-migrate>. 134 135 If unsure, say N. 136 137config XFRM_ESPINTCP 138 bool 139 140endif # INET 141