xref: /linux-6.15/crypto/Kconfig (revision 3241cd0c)
1b2441318SGreg Kroah-Hartman# SPDX-License-Identifier: GPL-2.0
21da177e4SLinus Torvalds#
3685784aaSDan Williams# Generic algorithms support
4685784aaSDan Williams#
5685784aaSDan Williamsconfig XOR_BLOCKS
6685784aaSDan Williams	tristate
7685784aaSDan Williams
8685784aaSDan Williams#
99bc89cd8SDan Williams# async_tx api: hardware offloaded memory transfer/transform support
109bc89cd8SDan Williams#
119bc89cd8SDan Williamssource "crypto/async_tx/Kconfig"
129bc89cd8SDan Williams
139bc89cd8SDan Williams#
141da177e4SLinus Torvalds# Cryptographic API Configuration
151da177e4SLinus Torvalds#
162e290f43SJan Engelhardtmenuconfig CRYPTO
17c3715cb9SSebastian Siewior	tristate "Cryptographic API"
187033b937SEric Biggers	select CRYPTO_LIB_UTILS
191da177e4SLinus Torvalds	help
201da177e4SLinus Torvalds	  This option provides the core Cryptographic API.
211da177e4SLinus Torvalds
22cce9e06dSHerbert Xuif CRYPTO
23cce9e06dSHerbert Xu
24f1f142adSRobert Elliottmenu "Crypto core or helper"
25584fffc8SSebastian Siewior
26ccb778e1SNeil Hormanconfig CRYPTO_FIPS
27ccb778e1SNeil Horman	bool "FIPS 200 compliance"
28f2c89a10SHerbert Xu	depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
291f696097SAlec Ari	depends on (MODULE_SIG || !MODULES)
30ccb778e1SNeil Horman	help
31d99324c2SGeert Uytterhoeven	  This option enables the fips boot option which is
32d99324c2SGeert Uytterhoeven	  required if you want the system to operate in a FIPS 200
33ccb778e1SNeil Horman	  certification.  You should say no unless you know what
34e84c5480SChuck Ebbert	  this is.
35ccb778e1SNeil Horman
365a44749fSVladis Dronovconfig CRYPTO_FIPS_NAME
375a44749fSVladis Dronov	string "FIPS Module Name"
385a44749fSVladis Dronov	default "Linux Kernel Cryptographic API"
395a44749fSVladis Dronov	depends on CRYPTO_FIPS
405a44749fSVladis Dronov	help
415a44749fSVladis Dronov	  This option sets the FIPS Module name reported by the Crypto API via
425a44749fSVladis Dronov	  the /proc/sys/crypto/fips_name file.
435a44749fSVladis Dronov
445a44749fSVladis Dronovconfig CRYPTO_FIPS_CUSTOM_VERSION
455a44749fSVladis Dronov	bool "Use Custom FIPS Module Version"
465a44749fSVladis Dronov	depends on CRYPTO_FIPS
475a44749fSVladis Dronov	default n
485a44749fSVladis Dronov
495a44749fSVladis Dronovconfig CRYPTO_FIPS_VERSION
505a44749fSVladis Dronov	string "FIPS Module Version"
515a44749fSVladis Dronov	default "(none)"
525a44749fSVladis Dronov	depends on CRYPTO_FIPS_CUSTOM_VERSION
535a44749fSVladis Dronov	help
545a44749fSVladis Dronov	  This option provides the ability to override the FIPS Module Version.
555a44749fSVladis Dronov	  By default the KERNELRELEASE value is used.
565a44749fSVladis Dronov
57cce9e06dSHerbert Xuconfig CRYPTO_ALGAPI
58cce9e06dSHerbert Xu	tristate
596a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
60cce9e06dSHerbert Xu	help
61cce9e06dSHerbert Xu	  This option provides the API for cryptographic algorithms.
62cce9e06dSHerbert Xu
636a0fcbb4SHerbert Xuconfig CRYPTO_ALGAPI2
646a0fcbb4SHerbert Xu	tristate
656a0fcbb4SHerbert Xu
661ae97820SHerbert Xuconfig CRYPTO_AEAD
671ae97820SHerbert Xu	tristate
686a0fcbb4SHerbert Xu	select CRYPTO_AEAD2
691ae97820SHerbert Xu	select CRYPTO_ALGAPI
701ae97820SHerbert Xu
716a0fcbb4SHerbert Xuconfig CRYPTO_AEAD2
726a0fcbb4SHerbert Xu	tristate
736a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
746a0fcbb4SHerbert Xu
756cb8815fSHerbert Xuconfig CRYPTO_SIG
766cb8815fSHerbert Xu	tristate
776cb8815fSHerbert Xu	select CRYPTO_SIG2
786cb8815fSHerbert Xu	select CRYPTO_ALGAPI
796cb8815fSHerbert Xu
806cb8815fSHerbert Xuconfig CRYPTO_SIG2
816cb8815fSHerbert Xu	tristate
826cb8815fSHerbert Xu	select CRYPTO_ALGAPI2
836cb8815fSHerbert Xu
84b95bba5dSEric Biggersconfig CRYPTO_SKCIPHER
855cde0af2SHerbert Xu	tristate
86b95bba5dSEric Biggers	select CRYPTO_SKCIPHER2
875cde0af2SHerbert Xu	select CRYPTO_ALGAPI
8884534684SHerbert Xu	select CRYPTO_ECB
896a0fcbb4SHerbert Xu
90b95bba5dSEric Biggersconfig CRYPTO_SKCIPHER2
916a0fcbb4SHerbert Xu	tristate
926a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
935cde0af2SHerbert Xu
94055bcee3SHerbert Xuconfig CRYPTO_HASH
95055bcee3SHerbert Xu	tristate
966a0fcbb4SHerbert Xu	select CRYPTO_HASH2
97055bcee3SHerbert Xu	select CRYPTO_ALGAPI
98055bcee3SHerbert Xu
996a0fcbb4SHerbert Xuconfig CRYPTO_HASH2
1006a0fcbb4SHerbert Xu	tristate
1016a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
1026a0fcbb4SHerbert Xu
10317f0f4a4SNeil Hormanconfig CRYPTO_RNG
10417f0f4a4SNeil Horman	tristate
1056a0fcbb4SHerbert Xu	select CRYPTO_RNG2
10617f0f4a4SNeil Horman	select CRYPTO_ALGAPI
10717f0f4a4SNeil Horman
1086a0fcbb4SHerbert Xuconfig CRYPTO_RNG2
1096a0fcbb4SHerbert Xu	tristate
1106a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
1116a0fcbb4SHerbert Xu
112401e4238SHerbert Xuconfig CRYPTO_RNG_DEFAULT
113401e4238SHerbert Xu	tristate
114401e4238SHerbert Xu	select CRYPTO_DRBG_MENU
115401e4238SHerbert Xu
1163c339ab8STadeusz Strukconfig CRYPTO_AKCIPHER2
1173c339ab8STadeusz Struk	tristate
1183c339ab8STadeusz Struk	select CRYPTO_ALGAPI2
1193c339ab8STadeusz Struk
1203c339ab8STadeusz Strukconfig CRYPTO_AKCIPHER
1213c339ab8STadeusz Struk	tristate
1223c339ab8STadeusz Struk	select CRYPTO_AKCIPHER2
1233c339ab8STadeusz Struk	select CRYPTO_ALGAPI
1243c339ab8STadeusz Struk
1254e5f2c40SSalvatore Benedettoconfig CRYPTO_KPP2
1264e5f2c40SSalvatore Benedetto	tristate
1274e5f2c40SSalvatore Benedetto	select CRYPTO_ALGAPI2
1284e5f2c40SSalvatore Benedetto
1294e5f2c40SSalvatore Benedettoconfig CRYPTO_KPP
1304e5f2c40SSalvatore Benedetto	tristate
1314e5f2c40SSalvatore Benedetto	select CRYPTO_ALGAPI
1324e5f2c40SSalvatore Benedetto	select CRYPTO_KPP2
1334e5f2c40SSalvatore Benedetto
1342ebda74fSGiovanni Cabidduconfig CRYPTO_ACOMP2
1352ebda74fSGiovanni Cabiddu	tristate
1362ebda74fSGiovanni Cabiddu	select CRYPTO_ALGAPI2
1378cd579d2SBart Van Assche	select SGL_ALLOC
1382ebda74fSGiovanni Cabiddu
1392ebda74fSGiovanni Cabidduconfig CRYPTO_ACOMP
1402ebda74fSGiovanni Cabiddu	tristate
1412ebda74fSGiovanni Cabiddu	select CRYPTO_ALGAPI
1422ebda74fSGiovanni Cabiddu	select CRYPTO_ACOMP2
1432ebda74fSGiovanni Cabiddu
144*3241cd0cSHannes Reineckeconfig CRYPTO_HKDF
145*3241cd0cSHannes Reinecke	tristate
146*3241cd0cSHannes Reinecke	select CRYPTO_SHA256 if !CONFIG_CRYPTO_MANAGER_DISABLE_TESTS
147*3241cd0cSHannes Reinecke	select CRYPTO_SHA512 if !CONFIG_CRYPTO_MANAGER_DISABLE_TESTS
148*3241cd0cSHannes Reinecke	select CRYPTO_HASH2
149*3241cd0cSHannes Reinecke
1502b8c19dbSHerbert Xuconfig CRYPTO_MANAGER
1512b8c19dbSHerbert Xu	tristate "Cryptographic algorithm manager"
1526a0fcbb4SHerbert Xu	select CRYPTO_MANAGER2
1532b8c19dbSHerbert Xu	help
1542b8c19dbSHerbert Xu	  Create default cryptographic template instantiations such as
1552b8c19dbSHerbert Xu	  cbc(aes).
1562b8c19dbSHerbert Xu
1576a0fcbb4SHerbert Xuconfig CRYPTO_MANAGER2
1586a0fcbb4SHerbert Xu	def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
1592ebda74fSGiovanni Cabiddu	select CRYPTO_ACOMP2
160fb28fabfSHerbert Xu	select CRYPTO_AEAD2
161fb28fabfSHerbert Xu	select CRYPTO_AKCIPHER2
1626cb8815fSHerbert Xu	select CRYPTO_SIG2
163fb28fabfSHerbert Xu	select CRYPTO_HASH2
164fb28fabfSHerbert Xu	select CRYPTO_KPP2
165fb28fabfSHerbert Xu	select CRYPTO_RNG2
166fb28fabfSHerbert Xu	select CRYPTO_SKCIPHER2
1676a0fcbb4SHerbert Xu
168a38f7907SSteffen Klassertconfig CRYPTO_USER
169a38f7907SSteffen Klassert	tristate "Userspace cryptographic algorithm configuration"
1705db017aaSHerbert Xu	depends on NET
171a38f7907SSteffen Klassert	select CRYPTO_MANAGER
172a38f7907SSteffen Klassert	help
173d19978f5S[email protected]	  Userspace configuration for cryptographic instantiations such as
174a38f7907SSteffen Klassert	  cbc(aes).
175a38f7907SSteffen Klassert
176326a6346SHerbert Xuconfig CRYPTO_MANAGER_DISABLE_TESTS
177326a6346SHerbert Xu	bool "Disable run-time self tests"
17800ca28a5SHerbert Xu	default y
1790b767f96SAlexander Shishkin	help
180326a6346SHerbert Xu	  Disable run-time self tests that normally take place at
181326a6346SHerbert Xu	  algorithm registration.
1820b767f96SAlexander Shishkin
1835b2706a4SEric Biggersconfig CRYPTO_MANAGER_EXTRA_TESTS
1845b2706a4SEric Biggers	bool "Enable extra run-time crypto self tests"
1856569e309SJason A. Donenfeld	depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER
1865b2706a4SEric Biggers	help
1875b2706a4SEric Biggers	  Enable extra run-time self tests of registered crypto algorithms,
1885b2706a4SEric Biggers	  including randomized fuzz tests.
1895b2706a4SEric Biggers
1905b2706a4SEric Biggers	  This is intended for developer use only, as these tests take much
1915b2706a4SEric Biggers	  longer to run than the normal self tests.
1925b2706a4SEric Biggers
193584fffc8SSebastian Siewiorconfig CRYPTO_NULL
194584fffc8SSebastian Siewior	tristate "Null algorithms"
195149a3971SHerbert Xu	select CRYPTO_NULL2
196584fffc8SSebastian Siewior	help
197584fffc8SSebastian Siewior	  These are 'Null' algorithms, used by IPsec, which do nothing.
198584fffc8SSebastian Siewior
199149a3971SHerbert Xuconfig CRYPTO_NULL2
200dd43c4e9SHerbert Xu	tristate
201149a3971SHerbert Xu	select CRYPTO_ALGAPI2
202b95bba5dSEric Biggers	select CRYPTO_SKCIPHER2
203149a3971SHerbert Xu	select CRYPTO_HASH2
204149a3971SHerbert Xu
2055068c7a8SSteffen Klassertconfig CRYPTO_PCRYPT
2063b4afaf2SKees Cook	tristate "Parallel crypto engine"
2073b4afaf2SKees Cook	depends on SMP
2085068c7a8SSteffen Klassert	select PADATA
2095068c7a8SSteffen Klassert	select CRYPTO_MANAGER
2105068c7a8SSteffen Klassert	select CRYPTO_AEAD
2115068c7a8SSteffen Klassert	help
2125068c7a8SSteffen Klassert	  This converts an arbitrary crypto algorithm into a parallel
2135068c7a8SSteffen Klassert	  algorithm that executes in kernel threads.
2145068c7a8SSteffen Klassert
215584fffc8SSebastian Siewiorconfig CRYPTO_CRYPTD
216584fffc8SSebastian Siewior	tristate "Software async crypto daemon"
217b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
218b8a28251SLoc Ho	select CRYPTO_HASH
219584fffc8SSebastian Siewior	select CRYPTO_MANAGER
220584fffc8SSebastian Siewior	help
221584fffc8SSebastian Siewior	  This is a generic software asynchronous crypto daemon that
222584fffc8SSebastian Siewior	  converts an arbitrary synchronous software crypto algorithm
223584fffc8SSebastian Siewior	  into an asynchronous algorithm that executes in a kernel thread.
224584fffc8SSebastian Siewior
225584fffc8SSebastian Siewiorconfig CRYPTO_AUTHENC
226584fffc8SSebastian Siewior	tristate "Authenc support"
227584fffc8SSebastian Siewior	select CRYPTO_AEAD
228b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
229584fffc8SSebastian Siewior	select CRYPTO_MANAGER
230584fffc8SSebastian Siewior	select CRYPTO_HASH
231e94c6a7aSHerbert Xu	select CRYPTO_NULL
232584fffc8SSebastian Siewior	help
233584fffc8SSebastian Siewior	  Authenc: Combined mode wrapper for IPsec.
234cf514b2aSRobert Elliott
235cf514b2aSRobert Elliott	  This is required for IPSec ESP (XFRM_ESP).
236584fffc8SSebastian Siewior
237584fffc8SSebastian Siewiorconfig CRYPTO_KRB5ENC
238584fffc8SSebastian Siewior	tristate "Kerberos 5 combined hash+cipher support"
23900ea27f1SArd Biesheuvel	select CRYPTO_AEAD
240da7f033dSHerbert Xu	select CRYPTO_SKCIPHER
241584fffc8SSebastian Siewior	select CRYPTO_MANAGER
242584fffc8SSebastian Siewior	select CRYPTO_HASH
243584fffc8SSebastian Siewior	select CRYPTO_NULL
244266d0516SHerbert Xu	help
245266d0516SHerbert Xu	  Combined hash and cipher support for Kerberos 5 RFC3961 simplified
246266d0516SHerbert Xu	  profile.  This is required for Kerberos 5-style encryption, used by
247266d0516SHerbert Xu	  sunrpc/NFS and rxrpc/AFS.
248735d37b5SBaolin Wang
249735d37b5SBaolin Wangconfig CRYPTO_TEST
250735d37b5SBaolin Wang	tristate "Testing module"
251f1f142adSRobert Elliott	depends on m || EXPERT
252f1f142adSRobert Elliott	select CRYPTO_MANAGER
253f1f142adSRobert Elliott	help
2543d6228a5SVitaly Chikunov	  Quick & dirty crypto test module.
2553d6228a5SVitaly Chikunov
25605b37465SRobert Elliottconfig CRYPTO_SIMD
2573d6228a5SVitaly Chikunov	tristate
2583d6228a5SVitaly Chikunov	select CRYPTO_CRYPTD
2591e562deaSLukas Wunner
2603d6228a5SVitaly Chikunovconfig CRYPTO_ENGINE
2613d6228a5SVitaly Chikunov	tristate
2623d6228a5SVitaly Chikunov
26305b37465SRobert Elliottendmenu
2643d6228a5SVitaly Chikunov
2653d6228a5SVitaly Chikunovmenu "Public-key cryptography"
26605b37465SRobert Elliott
2673d6228a5SVitaly Chikunovconfig CRYPTO_RSA
2683d6228a5SVitaly Chikunov	tristate "RSA (Rivest-Shamir-Adleman)"
2693d6228a5SVitaly Chikunov	select CRYPTO_AKCIPHER
27005b37465SRobert Elliott	select CRYPTO_MANAGER
2713d6228a5SVitaly Chikunov	select CRYPTO_SIG
2727dce5981SNicolai Stange	select MPILIB
27305b37465SRobert Elliott	select ASN1
2747dce5981SNicolai Stange	help
2751e207964SNicolai Stange	  RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017)
2767dce5981SNicolai Stange
27705b37465SRobert Elliottconfig CRYPTO_DH
27805b37465SRobert Elliott	tristate "DH (Diffie-Hellman)"
27905b37465SRobert Elliott	select CRYPTO_KPP
28005b37465SRobert Elliott	select MPILIB
28105b37465SRobert Elliott	help
28205b37465SRobert Elliott	  DH (Diffie-Hellman) key exchange algorithm
28305b37465SRobert Elliott
2847dce5981SNicolai Stangeconfig CRYPTO_DH_RFC7919_GROUPS
2854a2289daSVitaly Chikunov	bool "RFC 7919 FFDHE groups"
2864a2289daSVitaly Chikunov	depends on CRYPTO_DH
28738aa192aSArnd Bergmann	select CRYPTO_RNG_DEFAULT
2884a2289daSVitaly Chikunov	help
2893d6228a5SVitaly Chikunov	  FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups
29005b37465SRobert Elliott	  defined in RFC7919.
2914a2289daSVitaly Chikunov
2923d6228a5SVitaly Chikunov	  Support these finite-field groups in DH key exchanges:
2933d6228a5SVitaly Chikunov	  - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
29405b37465SRobert Elliott
29505b37465SRobert Elliott	  If unsure, say N.
2963d6228a5SVitaly Chikunov
2974e660291SStefan Bergerconfig CRYPTO_ECC
29805b37465SRobert Elliott	tristate
2994e660291SStefan Berger	select CRYPTO_RNG_DEFAULT
300ef132350SLukas Wunner
3014e660291SStefan Bergerconfig CRYPTO_ECDH
3024e660291SStefan Berger	tristate "ECDH (Elliptic Curve Diffie-Hellman)"
30305b37465SRobert Elliott	select CRYPTO_ECC
30405b37465SRobert Elliott	select CRYPTO_KPP
30591790c7aSLukas Wunner	help
30605b37465SRobert Elliott	  ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm
30705b37465SRobert Elliott	  using curves P-192, P-256, and P-384 (FIPS 186)
3084e660291SStefan Berger
3090d7a7864SVitaly Chikunovconfig CRYPTO_ECDSA
31005b37465SRobert Elliott	tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)"
3110d7a7864SVitaly Chikunov	select CRYPTO_ECC
312ae117924SLukas Wunner	select CRYPTO_SIG
3130d7a7864SVitaly Chikunov	select ASN1
3141036633eSVitaly Chikunov	help
3151036633eSVitaly Chikunov	  ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186,
3160d7a7864SVitaly Chikunov	  ISO/IEC 14888-3)
3170d7a7864SVitaly Chikunov	  using curves P-192, P-256, P-384 and P-521
31805b37465SRobert Elliott
31905b37465SRobert Elliott	  Only signature verification is implemented.
32005b37465SRobert Elliott
32105b37465SRobert Elliottconfig CRYPTO_ECRDSA
3220d7a7864SVitaly Chikunov	tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)"
323ee772cb6SArd Biesheuvel	select CRYPTO_ECC
32405b37465SRobert Elliott	select CRYPTO_SIG
325ee772cb6SArd Biesheuvel	select CRYPTO_STREEBOG
326ee772cb6SArd Biesheuvel	select OID_REGISTRY
32705b37465SRobert Elliott	select ASN1
32805b37465SRobert Elliott	help
329ee772cb6SArd Biesheuvel	  Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
330f1f142adSRobert Elliott	  RFC 7091, ISO/IEC 14888-3)
331584fffc8SSebastian Siewior
332f1f142adSRobert Elliott	  One of the Russian cryptographic standard algorithms (called GOST
3331da177e4SLinus Torvalds	  algorithms). Only signature verification is implemented.
3341da177e4SLinus Torvalds
335cf514b2aSRobert Elliottconfig CRYPTO_CURVE25519
336cce9e06dSHerbert Xu	tristate "Curve25519"
3375bb12d78SArd Biesheuvel	select CRYPTO_KPP
3381da177e4SLinus Torvalds	select CRYPTO_LIB_CURVE25519_GENERIC
339cf514b2aSRobert Elliott	select CRYPTO_LIB_CURVE25519_INTERNAL
3401da177e4SLinus Torvalds	help
3411da177e4SLinus Torvalds	  Curve25519 elliptic curve (RFC7748)
3421da177e4SLinus Torvalds
3431da177e4SLinus Torvaldsendmenu
3441da177e4SLinus Torvalds
3451da177e4SLinus Torvaldsmenu "Block ciphers"
3461da177e4SLinus Torvalds
3471da177e4SLinus Torvaldsconfig CRYPTO_AES
3481da177e4SLinus Torvalds	tristate "AES (Advanced Encryption Standard)"
3491da177e4SLinus Torvalds	select CRYPTO_ALGAPI
3501da177e4SLinus Torvalds	select CRYPTO_LIB_AES
3511da177e4SLinus Torvalds	help
352b5e0b032SArd Biesheuvel	  AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
353cf514b2aSRobert Elliott
354b5e0b032SArd Biesheuvel	  Rijndael appears to be consistently a very good performer in
355e59c1c98SArd Biesheuvel	  both hardware and software across a wide range of computing
356b5e0b032SArd Biesheuvel	  environments regardless of its use in feedback or non-feedback
357cf514b2aSRobert Elliott	  modes. Its key setup time is excellent, and its key agility is
358cf514b2aSRobert Elliott	  good. Rijndael's very low memory requirements make it very well
359b5e0b032SArd Biesheuvel	  suited for restricted-space environments, in which it also
360b5e0b032SArd Biesheuvel	  demonstrates excellent performance. Rijndael's operations are
361b5e0b032SArd Biesheuvel	  among the easiest to defend against power and timing attacks.
362b5e0b032SArd Biesheuvel
363b5e0b032SArd Biesheuvel	  The AES specifies three key sizes: 128, 192 and 256 bits
364b5e0b032SArd Biesheuvel
365b5e0b032SArd Biesheuvelconfig CRYPTO_AES_TI
366b5e0b032SArd Biesheuvel	tristate "AES (Advanced Encryption Standard) (fixed time)"
367b5e0b032SArd Biesheuvel	select CRYPTO_ALGAPI
368b5e0b032SArd Biesheuvel	select CRYPTO_LIB_AES
369b5e0b032SArd Biesheuvel	help
3700a6a40c2SEric Biggers	  AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
3710a6a40c2SEric Biggers
372b5e0b032SArd Biesheuvel	  This is a generic implementation of AES that attempts to eliminate
3731da177e4SLinus Torvalds	  data dependent latencies as much as possible without affecting
374cf514b2aSRobert Elliott	  performance too much. It is intended for use by the generic CCM
3751674aea5SArd Biesheuvel	  and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
376cce9e06dSHerbert Xu	  solely on encryption (although decryption is supported as well, but
3771da177e4SLinus Torvalds	  with a more dramatic performance hit)
378cf514b2aSRobert Elliott
3791da177e4SLinus Torvalds	  Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
3801da177e4SLinus Torvalds	  8 for decryption), this implementation only uses just two S-boxes of
3811da177e4SLinus Torvalds	  256 bytes each, and attempts to eliminate data dependent latencies by
3821da177e4SLinus Torvalds	  prefetching the entire table into the cache at the start of each
3831da177e4SLinus Torvalds	  block. Interrupts are also disabled to avoid races where cachelines
384cf514b2aSRobert Elliott	  are evicted when the CPU is interrupted to do something else.
385cf514b2aSRobert Elliott
3861da177e4SLinus Torvaldsconfig CRYPTO_ANUBIS
387f1f142adSRobert Elliott	tristate "Anubis"
388cf514b2aSRobert Elliott	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
389f1f142adSRobert Elliott	select CRYPTO_ALGAPI
390e2ee95b8SHye-Shik Chang	help
391cf514b2aSRobert Elliott	  Anubis cipher algorithm
392e2ee95b8SHye-Shik Chang
393f1f142adSRobert Elliott	  Anubis is a variable key length cipher which can use keys from
394f1f142adSRobert Elliott	  128 bits to 320 bits in length.  It was evaluated as a entrant
395f1f142adSRobert Elliott	  in the NESSIE competition.
396f1f142adSRobert Elliott
397f1f142adSRobert Elliott	  See https://web.archive.org/web/20160606112246/http://www.larc.usp.br/~pbarreto/AnubisPage.html
398f1f142adSRobert Elliott	  for further information.
399cf514b2aSRobert Elliott
400cf514b2aSRobert Elliottconfig CRYPTO_ARIA
401584fffc8SSebastian Siewior	tristate "ARIA"
402584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
403cf514b2aSRobert Elliott	help
404584fffc8SSebastian Siewior	  ARIA cipher algorithm (RFC5794)
40552ba867cSJussi Kivilinna
406584fffc8SSebastian Siewior	  ARIA is a standard encryption algorithm of the Republic of Korea.
407cf514b2aSRobert Elliott	  The ARIA specifies three key sizes and rounds.
408584fffc8SSebastian Siewior	  128-bit: 12 rounds.
409584fffc8SSebastian Siewior	  192-bit: 14 rounds.
410584fffc8SSebastian Siewior	  256-bit: 16 rounds.
411584fffc8SSebastian Siewior
412e2ee95b8SHye-Shik Chang	  See:
413cf514b2aSRobert Elliott	  https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do
414584fffc8SSebastian Siewior
41552ba867cSJussi Kivilinnaconfig CRYPTO_BLOWFISH
41652ba867cSJussi Kivilinna	tristate "Blowfish"
41752ba867cSJussi Kivilinna	select CRYPTO_ALGAPI
41852ba867cSJussi Kivilinna	select CRYPTO_BLOWFISH_COMMON
41952ba867cSJussi Kivilinna	help
42052ba867cSJussi Kivilinna	  Blowfish cipher algorithm, by Bruce Schneier
421584fffc8SSebastian Siewior
422cf514b2aSRobert Elliott	  This is a variable key length cipher which can use keys from 32
423584fffc8SSebastian Siewior	  bits to 448 bits in length.  It's fast, simple and specifically
424584fffc8SSebastian Siewior	  designed for use on "large microprocessors".
425cf514b2aSRobert Elliott
426584fffc8SSebastian Siewior	  See https://www.schneier.com/blowfish.html for further information.
427584fffc8SSebastian Siewior
428584fffc8SSebastian Siewiorconfig CRYPTO_BLOWFISH_COMMON
429584fffc8SSebastian Siewior	tristate
430584fffc8SSebastian Siewior	help
431584fffc8SSebastian Siewior	  Common parts of the Blowfish cipher algorithm shared by the
432cf514b2aSRobert Elliott	  generic c and the assembler implementations.
433584fffc8SSebastian Siewior
434044ab525SJussi Kivilinnaconfig CRYPTO_CAMELLIA
435044ab525SJussi Kivilinna	tristate "Camellia"
436044ab525SJussi Kivilinna	select CRYPTO_ALGAPI
437044ab525SJussi Kivilinna	help
438044ab525SJussi Kivilinna	  Camellia cipher algorithms (ISO/IEC 18033-3)
439044ab525SJussi Kivilinna
440584fffc8SSebastian Siewior	  Camellia is a symmetric key block cipher developed jointly
441cf514b2aSRobert Elliott	  at NTT and Mitsubishi Electric Corporation.
442584fffc8SSebastian Siewior
443044ab525SJussi Kivilinna	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
444584fffc8SSebastian Siewior
445cf514b2aSRobert Elliott	  See https://info.isl.ntt.co.jp/crypt/eng/camellia/ for further information.
446584fffc8SSebastian Siewior
447584fffc8SSebastian Siewiorconfig CRYPTO_CAST_COMMON
448cf514b2aSRobert Elliott	tristate
449584fffc8SSebastian Siewior	help
450044ab525SJussi Kivilinna	  Common parts of the CAST cipher algorithms shared by the
451584fffc8SSebastian Siewior	  generic c and the assembler implementations.
452cf514b2aSRobert Elliott
453584fffc8SSebastian Siewiorconfig CRYPTO_CAST5
454584fffc8SSebastian Siewior	tristate "CAST5 (CAST-128)"
455cf514b2aSRobert Elliott	select CRYPTO_ALGAPI
456584fffc8SSebastian Siewior	select CRYPTO_CAST_COMMON
45704007b0eSArd Biesheuvel	help
458584fffc8SSebastian Siewior	  CAST5 (CAST-128) cipher algorithm (RFC2144, ISO/IEC 18033-3)
459cf514b2aSRobert Elliott
460cf514b2aSRobert Elliottconfig CRYPTO_CAST6
461cf514b2aSRobert Elliott	tristate "CAST6 (CAST-256)"
462584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
463584fffc8SSebastian Siewior	select CRYPTO_CAST_COMMON
464cf514b2aSRobert Elliott	help
465584fffc8SSebastian Siewior	  CAST6 (CAST-256) encryption algorithm (RFC2612)
466b95bba5dSEric Biggers
467584fffc8SSebastian Siewiorconfig CRYPTO_DES
468cf514b2aSRobert Elliott	tristate "DES and Triple DES EDE"
469cf514b2aSRobert Elliott	select CRYPTO_ALGAPI
470cf514b2aSRobert Elliott	select CRYPTO_LIB_DES
471584fffc8SSebastian Siewior	help
472584fffc8SSebastian Siewior	  DES (Data Encryption Standard)(FIPS 46-2, ISO/IEC 18033-3) and
473cf514b2aSRobert Elliott	  Triple DES EDE (Encrypt/Decrypt/Encrypt) (FIPS 46-3, ISO/IEC 18033-3)
4741674aea5SArd Biesheuvel	  cipher algorithms
475584fffc8SSebastian Siewior
476584fffc8SSebastian Siewiorconfig CRYPTO_FCRYPT
477cf514b2aSRobert Elliott	tristate "FCrypt"
478584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
479584fffc8SSebastian Siewior	select CRYPTO_SKCIPHER
480584fffc8SSebastian Siewior	help
481584fffc8SSebastian Siewior	  FCrypt algorithm used by RxRPC
482584fffc8SSebastian Siewior
483cf514b2aSRobert Elliott	  See https://ota.polyonymo.us/fcrypt-paper.txt
484cf514b2aSRobert Elliott
485e2ee95b8SHye-Shik Changconfig CRYPTO_KHAZAD
486584fffc8SSebastian Siewior	tristate "Khazad"
487cf514b2aSRobert Elliott	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
4881674aea5SArd Biesheuvel	select CRYPTO_ALGAPI
489584fffc8SSebastian Siewior	help
490584fffc8SSebastian Siewior	  Khazad cipher algorithm
491cf514b2aSRobert Elliott
492584fffc8SSebastian Siewior	  Khazad was a finalist in the initial NESSIE competition.  It is
493584fffc8SSebastian Siewior	  an algorithm optimized for 64-bit processors with good performance
494584fffc8SSebastian Siewior	  on 32-bit processors.  Khazad uses an 128 bit key size.
495584fffc8SSebastian Siewior
496584fffc8SSebastian Siewior	  See https://web.archive.org/web/20171011071731/http://www.larc.usp.br/~pbarreto/KhazadPage.html
497584fffc8SSebastian Siewior	  for further information.
498cf514b2aSRobert Elliott
499cf514b2aSRobert Elliottconfig CRYPTO_SEED
500584fffc8SSebastian Siewior	tristate "SEED"
501584fffc8SSebastian Siewior	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
502cf514b2aSRobert Elliott	select CRYPTO_ALGAPI
503584fffc8SSebastian Siewior	help
504584fffc8SSebastian Siewior	  SEED cipher algorithm (RFC4269, ISO/IEC 18033-3)
505cf514b2aSRobert Elliott
506584fffc8SSebastian Siewior	  SEED is a 128-bit symmetric key block cipher that has been
507584fffc8SSebastian Siewior	  developed by KISA (Korea Information Security Agency) as a
508784506a1SArd Biesheuvel	  national standard encryption algorithm of the Republic of Korea.
509584fffc8SSebastian Siewior	  It is a 16 round block cipher with the key size of 128 bit.
510cf514b2aSRobert Elliott
511584fffc8SSebastian Siewior	  See https://seed.kisa.or.kr/kisa/algorithm/EgovSeedInfo.do
512747c8ce4SGilad Ben-Yossef	  for further information.
513d2825fa9SJason A. Donenfeld
514d2825fa9SJason A. Donenfeldconfig CRYPTO_SERPENT
515d2825fa9SJason A. Donenfeld	tristate "Serpent"
516cf514b2aSRobert Elliott	select CRYPTO_ALGAPI
517747c8ce4SGilad Ben-Yossef	help
518d2825fa9SJason A. Donenfeld	  Serpent cipher algorithm, by Anderson, Biham & Knudsen
519747c8ce4SGilad Ben-Yossef
520cf514b2aSRobert Elliott	  Keys are allowed to be from 0 to 256 bits in length, in steps
521cf514b2aSRobert Elliott	  of 8 bits.
522747c8ce4SGilad Ben-Yossef
523747c8ce4SGilad Ben-Yossef	  See https://www.cl.cam.ac.uk/~rja14/serpent.html for further information.
524747c8ce4SGilad Ben-Yossef
525747c8ce4SGilad Ben-Yossefconfig CRYPTO_SM4
526747c8ce4SGilad Ben-Yossef	tristate
527747c8ce4SGilad Ben-Yossef
528747c8ce4SGilad Ben-Yossefconfig CRYPTO_SM4_GENERIC
529747c8ce4SGilad Ben-Yossef	tristate "SM4 (ShangMi 4)"
530747c8ce4SGilad Ben-Yossef	select CRYPTO_ALGAPI
531747c8ce4SGilad Ben-Yossef	select CRYPTO_SM4
532747c8ce4SGilad Ben-Yossef	help
533747c8ce4SGilad Ben-Yossef	  SM4 cipher algorithms (OSCCA GB/T 32907-2016,
534747c8ce4SGilad Ben-Yossef	  ISO/IEC 18033-3:2010/Amd 1:2021)
535747c8ce4SGilad Ben-Yossef
536747c8ce4SGilad Ben-Yossef	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
537747c8ce4SGilad Ben-Yossef	  Organization of State Commercial Administration of China (OSCCA)
538cf514b2aSRobert Elliott	  as an authorized cryptographic algorithms for the use within China.
539747c8ce4SGilad Ben-Yossef
540747c8ce4SGilad Ben-Yossef	  SMS4 was originally created for use in protecting wireless
541747c8ce4SGilad Ben-Yossef	  networks, and is mandated in the Chinese National Standard for
542584fffc8SSebastian Siewior	  Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
543cf514b2aSRobert Elliott	  (GB.15629.11-2003).
5441674aea5SArd Biesheuvel
545584fffc8SSebastian Siewior	  The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
546584fffc8SSebastian Siewior	  standardized through TC 260 of the Standardization Administration
547cf514b2aSRobert Elliott	  of the People's Republic of China (SAC).
548584fffc8SSebastian Siewior
549584fffc8SSebastian Siewior	  The input, output, and key of SMS4 are each 128 bits.
550584fffc8SSebastian Siewior
551584fffc8SSebastian Siewior	  See https://eprint.iacr.org/2008/329.pdf for further information.
552584fffc8SSebastian Siewior
553584fffc8SSebastian Siewior	  If unsure, say N.
554584fffc8SSebastian Siewior
555584fffc8SSebastian Siewiorconfig CRYPTO_TEA
556584fffc8SSebastian Siewior	tristate "TEA, XTEA and XETA"
557584fffc8SSebastian Siewior	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
558584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
559584fffc8SSebastian Siewior	help
560584fffc8SSebastian Siewior	  TEA (Tiny Encryption Algorithm) cipher algorithms
561cf514b2aSRobert Elliott
562584fffc8SSebastian Siewior	  Tiny Encryption Algorithm is a simple cipher that uses
563584fffc8SSebastian Siewior	  many rounds for security.  It is very fast and uses
564584fffc8SSebastian Siewior	  little memory.
565cf514b2aSRobert Elliott
566584fffc8SSebastian Siewior	  Xtendend Tiny Encryption Algorithm is a modification to
567584fffc8SSebastian Siewior	  the TEA algorithm to address a potential key weakness
568584fffc8SSebastian Siewior	  in the TEA algorithm.
569584fffc8SSebastian Siewior
570584fffc8SSebastian Siewior	  Xtendend Encryption Tiny Algorithm is a mis-implementation
571584fffc8SSebastian Siewior	  of the XTEA algorithm for compatibility purposes.
572cf514b2aSRobert Elliott
573584fffc8SSebastian Siewiorconfig CRYPTO_TWOFISH
574584fffc8SSebastian Siewior	tristate "Twofish"
575584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
576584fffc8SSebastian Siewior	select CRYPTO_TWOFISH_COMMON
577584fffc8SSebastian Siewior	help
578584fffc8SSebastian Siewior	  Twofish cipher algorithm
579584fffc8SSebastian Siewior
580f1f142adSRobert Elliott	  Twofish was submitted as an AES (Advanced Encryption Standard)
581f1f142adSRobert Elliott	  candidate cipher by researchers at CounterPane Systems.  It is a
582f1f142adSRobert Elliott	  16 round block cipher supporting key sizes of 128, 192, and 256
583f1f142adSRobert Elliott	  bits.
584f1f142adSRobert Elliott
585cf514b2aSRobert Elliott	  See https://www.schneier.com/twofish.html for further information.
586f1f142adSRobert Elliott
587f1f142adSRobert Elliottconfig CRYPTO_TWOFISH_COMMON
588f1f142adSRobert Elliott	tristate
589f1f142adSRobert Elliott	help
590f1f142adSRobert Elliott	  Common parts of the Twofish cipher algorithm shared by the
591cf514b2aSRobert Elliott	  generic c and the assembler implementations.
592cf514b2aSRobert Elliott
593cf514b2aSRobert Elliottendmenu
594f1f142adSRobert Elliott
595f1f142adSRobert Elliottmenu "Length-preserving ciphers and modes"
596f1f142adSRobert Elliott
597f1f142adSRobert Elliottconfig CRYPTO_ADIANTUM
598f1f142adSRobert Elliott	tristate "Adiantum"
599f1f142adSRobert Elliott	select CRYPTO_CHACHA20
600f1f142adSRobert Elliott	select CRYPTO_LIB_POLY1305_GENERIC
601f1f142adSRobert Elliott	select CRYPTO_NHPOLY1305
602f1f142adSRobert Elliott	select CRYPTO_MANAGER
603f1f142adSRobert Elliott	help
604f1f142adSRobert Elliott	  Adiantum tweakable, length-preserving encryption mode
605f1f142adSRobert Elliott
606f1f142adSRobert Elliott	  Designed for fast and secure disk encryption, especially on
607f1f142adSRobert Elliott	  CPUs without dedicated crypto instructions.  It encrypts
608f1f142adSRobert Elliott	  each sector using the XChaCha12 stream cipher, two passes of
609f1f142adSRobert Elliott	  an ε-almost-∆-universal hash function, and an invocation of
610cf514b2aSRobert Elliott	  the AES-256 block cipher on a single 16-byte block.  On CPUs
611f1f142adSRobert Elliott	  without AES instructions, Adiantum is much faster than
612f1f142adSRobert Elliott	  AES-XTS.
613f1f142adSRobert Elliott
614f1f142adSRobert Elliott	  Adiantum's security is provably reducible to that of its
615cf514b2aSRobert Elliott	  underlying stream and block ciphers, subject to a security
616f1f142adSRobert Elliott	  bound.  Unlike XTS, Adiantum is a true wide-block encryption
617f1f142adSRobert Elliott	  mode, so it actually provides an even stronger notion of
618f1f142adSRobert Elliott	  security than XTS, subject to the security bound.
619f1f142adSRobert Elliott
620f1f142adSRobert Elliott	  If unsure, say N.
621f1f142adSRobert Elliott
622f1f142adSRobert Elliottconfig CRYPTO_ARC4
623cf514b2aSRobert Elliott	tristate "ARC4 (Alleged Rivest Cipher 4)"
624f1f142adSRobert Elliott	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
625f1f142adSRobert Elliott	select CRYPTO_SKCIPHER
626f1f142adSRobert Elliott	select CRYPTO_LIB_ARC4
627cf514b2aSRobert Elliott	help
628f1f142adSRobert Elliott	  ARC4 cipher algorithm
629f1f142adSRobert Elliott
630f1f142adSRobert Elliott	  ARC4 is a stream cipher using keys ranging from 8 bits to 2048
631cf514b2aSRobert Elliott	  bits in length.  This algorithm is required for driver-based
632cf514b2aSRobert Elliott	  WEP, but it should not be for other purposes because of the
633f1f142adSRobert Elliott	  weakness of the algorithm.
634f1f142adSRobert Elliott
635f1f142adSRobert Elliottconfig CRYPTO_CHACHA20
636f1f142adSRobert Elliott	tristate "ChaCha"
637cf514b2aSRobert Elliott	select CRYPTO_LIB_CHACHA_GENERIC
638cf514b2aSRobert Elliott	select CRYPTO_LIB_CHACHA_INTERNAL
639f1f142adSRobert Elliott	select CRYPTO_SKCIPHER
640f1f142adSRobert Elliott	help
641f1f142adSRobert Elliott	  The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms
642f1f142adSRobert Elliott
643f1f142adSRobert Elliott	  ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
644f1f142adSRobert Elliott	  Bernstein and further specified in RFC7539 for use in IETF protocols.
645cf514b2aSRobert Elliott	  This is the portable C implementation of ChaCha20.  See
646f1f142adSRobert Elliott	  https://cr.yp.to/chacha/chacha-20080128.pdf for further information.
647f1f142adSRobert Elliott
648f1f142adSRobert Elliott	  XChaCha20 is the application of the XSalsa20 construction to ChaCha20
649cf514b2aSRobert Elliott	  rather than to Salsa20.  XChaCha20 extends ChaCha20's nonce length
650cf514b2aSRobert Elliott	  from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
651cf514b2aSRobert Elliott	  while provably retaining ChaCha20's security.  See
652f1f142adSRobert Elliott	  https://cr.yp.to/snuffle/xsalsa-20081128.pdf for further information.
653f1f142adSRobert Elliott
654cf514b2aSRobert Elliott	  XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
655f1f142adSRobert Elliott	  reduced security margin but increased performance.  It can be needed
656f1f142adSRobert Elliott	  in some performance-sensitive scenarios.
657f1f142adSRobert Elliott
658cf514b2aSRobert Elliottconfig CRYPTO_CBC
659f1f142adSRobert Elliott	tristate "CBC (Cipher Block Chaining)"
660f1f142adSRobert Elliott	select CRYPTO_SKCIPHER
661cf514b2aSRobert Elliott	select CRYPTO_MANAGER
662f1f142adSRobert Elliott	help
663f1f142adSRobert Elliott	  CBC (Cipher Block Chaining) mode (NIST SP800-38A)
664f1f142adSRobert Elliott
665cf514b2aSRobert Elliott	  This block cipher mode is required for IPSec ESP (XFRM_ESP).
666cf514b2aSRobert Elliott
667cf514b2aSRobert Elliottconfig CRYPTO_CTR
668f1f142adSRobert Elliott	tristate "CTR (Counter)"
669f1f142adSRobert Elliott	select CRYPTO_SKCIPHER
670f1f142adSRobert Elliott	select CRYPTO_MANAGER
671f1f142adSRobert Elliott	help
672cf514b2aSRobert Elliott	  CTR (Counter) mode (NIST SP800-38A)
67384534684SHerbert Xu
674f1f142adSRobert Elliottconfig CRYPTO_CTS
675f1f142adSRobert Elliott	tristate "CTS (Cipher Text Stealing)"
676cf514b2aSRobert Elliott	select CRYPTO_SKCIPHER
677f1f142adSRobert Elliott	select CRYPTO_MANAGER
678f1f142adSRobert Elliott	help
679cf514b2aSRobert Elliott	  CBC-CS3 variant of CTS (Cipher Text Stealing) (NIST
680f1f142adSRobert Elliott	  Addendum to SP800-38A (October 2010))
681f1f142adSRobert Elliott
682f1f142adSRobert Elliott	  This mode is required for Kerberos gss mechanism support
683f1f142adSRobert Elliott	  for AES encryption.
684cf514b2aSRobert Elliott
685cf514b2aSRobert Elliottconfig CRYPTO_ECB
686cf514b2aSRobert Elliott	tristate "ECB (Electronic Codebook)"
687cf514b2aSRobert Elliott	select CRYPTO_SKCIPHER2
688cf514b2aSRobert Elliott	select CRYPTO_MANAGER
689cf514b2aSRobert Elliott	help
690cf514b2aSRobert Elliott	  ECB (Electronic Codebook) mode (NIST SP800-38A)
691cf514b2aSRobert Elliott
692f1f142adSRobert Elliottconfig CRYPTO_HCTR2
693f1f142adSRobert Elliott	tristate "HCTR2"
694cf514b2aSRobert Elliott	select CRYPTO_XCTR
69561c581a4SArd Biesheuvel	select CRYPTO_POLYVAL
696f1f142adSRobert Elliott	select CRYPTO_MANAGER
697f1f142adSRobert Elliott	help
698f1f142adSRobert Elliott	  HCTR2 length-preserving encryption mode
699f1f142adSRobert Elliott
700cf514b2aSRobert Elliott	  A mode for storage encryption that is efficient on processors with
701cf514b2aSRobert Elliott	  instructions to accelerate AES and carryless multiplication, e.g.
702cf514b2aSRobert Elliott	  x86 processors with AES-NI and CLMUL, and ARM processors with the
703f1f142adSRobert Elliott	  ARMv8 crypto extensions.
704f1f142adSRobert Elliott
705f1f142adSRobert Elliott	  See https://eprint.iacr.org/2021/1441
706f1f142adSRobert Elliott
707f1f142adSRobert Elliottconfig CRYPTO_LRW
708cf514b2aSRobert Elliott	tristate "LRW (Liskov Rivest Wagner)"
709cf514b2aSRobert Elliott	select CRYPTO_LIB_GF128MUL
710f1f142adSRobert Elliott	select CRYPTO_SKCIPHER
711cf514b2aSRobert Elliott	select CRYPTO_MANAGER
712f1f142adSRobert Elliott	select CRYPTO_ECB
713f1f142adSRobert Elliott	help
714f1f142adSRobert Elliott	  LRW (Liskov Rivest Wagner) mode
715cf514b2aSRobert Elliott
716cf514b2aSRobert Elliott	  A tweakable, non malleable, non movable
717cf514b2aSRobert Elliott	  narrow block cipher mode for dm-crypt.  Use it with cipher
718f1f142adSRobert Elliott	  specification string aes-lrw-benbi, the key must be 256, 320 or 384.
719f1f142adSRobert Elliott	  The first 128, 192 or 256 bits in the key are used for AES and the
720f1f142adSRobert Elliott	  rest is used to tie each cipher block to its logical position.
721f1f142adSRobert Elliott
722f1f142adSRobert Elliott	  See https://people.csail.mit.edu/rivest/pubs/LRW02.pdf
723f1f142adSRobert Elliott
724cf514b2aSRobert Elliottconfig CRYPTO_PCBC
725cf514b2aSRobert Elliott	tristate "PCBC (Propagating Cipher Block Chaining)"
726cf514b2aSRobert Elliott	select CRYPTO_SKCIPHER
727cf514b2aSRobert Elliott	select CRYPTO_MANAGER
728cf514b2aSRobert Elliott	help
729f1f142adSRobert Elliott	  PCBC (Propagating Cipher Block Chaining) mode
730f1f142adSRobert Elliott
731f1f142adSRobert Elliott	  This block cipher mode is required for RxRPC.
732cf514b2aSRobert Elliott
733f1f142adSRobert Elliottconfig CRYPTO_XCTR
734f1f142adSRobert Elliott	tristate
735f1f142adSRobert Elliott	select CRYPTO_SKCIPHER
736f1f142adSRobert Elliott	select CRYPTO_MANAGER
737cf514b2aSRobert Elliott	help
738cf514b2aSRobert Elliott	  XCTR (XOR Counter) mode for HCTR2
739cf514b2aSRobert Elliott
740cf514b2aSRobert Elliott	  This blockcipher mode is a variant of CTR mode using XORs and little-endian
741cf514b2aSRobert Elliott	  addition rather than big-endian arithmetic.
742cf514b2aSRobert Elliott
743f1f142adSRobert Elliott	  XCTR mode is used to implement HCTR2.
744f1f142adSRobert Elliott
745f1f142adSRobert Elliottconfig CRYPTO_XTS
746f1f142adSRobert Elliott	tristate "XTS (XOR Encrypt XOR with ciphertext stealing)"
747f1f142adSRobert Elliott	select CRYPTO_SKCIPHER
748f1f142adSRobert Elliott	select CRYPTO_MANAGER
749f1f142adSRobert Elliott	select CRYPTO_ECB
750f1f142adSRobert Elliott	help
751f1f142adSRobert Elliott	  XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
752f1f142adSRobert Elliott	  and IEEE 1619)
753f1f142adSRobert Elliott
754e3d2eaddSRobert Elliott	  Use with aes-xts-plain, key size 256, 384 or 512 bits. This
755f1f142adSRobert Elliott	  implementation currently can't handle a sectorsize which is not a
756f1f142adSRobert Elliott	  multiple of 16 bytes.
757f1f142adSRobert Elliott
758e3d2eaddSRobert Elliottconfig CRYPTO_NHPOLY1305
759f1f142adSRobert Elliott	tristate
760f1f142adSRobert Elliott	select CRYPTO_HASH
761e3d2eaddSRobert Elliott	select CRYPTO_LIB_POLY1305_GENERIC
762f1f142adSRobert Elliott
763f1f142adSRobert Elliottendmenu
764e3d2eaddSRobert Elliott
765e3d2eaddSRobert Elliottmenu "AEAD (authenticated encryption with associated data) ciphers"
766e3d2eaddSRobert Elliott
767e3d2eaddSRobert Elliottconfig CRYPTO_AEGIS128
768e3d2eaddSRobert Elliott	tristate "AEGIS-128"
769f1f142adSRobert Elliott	select CRYPTO_AEAD
770f1f142adSRobert Elliott	select CRYPTO_AES  # for AES S-box tables
771e3d2eaddSRobert Elliott	help
772f1f142adSRobert Elliott	  AEGIS-128 AEAD algorithm
773f1f142adSRobert Elliott
774f1f142adSRobert Elliottconfig CRYPTO_AEGIS128_SIMD
775f1f142adSRobert Elliott	bool "AEGIS-128 (arm NEON, arm64 NEON)"
776f1f142adSRobert Elliott	depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
777e3d2eaddSRobert Elliott	default y
778e3d2eaddSRobert Elliott	help
779f1f142adSRobert Elliott	  AEGIS-128 AEAD algorithm
780f1f142adSRobert Elliott
781cf514b2aSRobert Elliott	  Architecture: arm or arm64 using:
782f1f142adSRobert Elliott	  - NEON (Advanced SIMD) extension
783f1f142adSRobert Elliott
784f1f142adSRobert Elliottconfig CRYPTO_CHACHA20POLY1305
785f1f142adSRobert Elliott	tristate "ChaCha20-Poly1305"
786f1f142adSRobert Elliott	select CRYPTO_CHACHA20
787e3d2eaddSRobert Elliott	select CRYPTO_POLY1305
788e3d2eaddSRobert Elliott	select CRYPTO_AEAD
789f1f142adSRobert Elliott	select CRYPTO_MANAGER
790f1f142adSRobert Elliott	help
791cf514b2aSRobert Elliott	  ChaCha20 stream cipher and Poly1305 authenticator combined
792f1f142adSRobert Elliott	  mode (RFC8439)
793f1f142adSRobert Elliott
794f1f142adSRobert Elliottconfig CRYPTO_CCM
795f1f142adSRobert Elliott	tristate "CCM (Counter with Cipher Block Chaining-MAC)"
796f1f142adSRobert Elliott	select CRYPTO_CTR
797f1f142adSRobert Elliott	select CRYPTO_HASH
798e3d2eaddSRobert Elliott	select CRYPTO_AEAD
799e3d2eaddSRobert Elliott	select CRYPTO_MANAGER
800e3d2eaddSRobert Elliott	help
801e3d2eaddSRobert Elliott	  CCM (Counter with Cipher Block Chaining-Message Authentication Code)
802f1f142adSRobert Elliott	  authenticated encryption mode (NIST SP800-38C)
803ba51738fSHerbert Xu
804ba51738fSHerbert Xuconfig CRYPTO_GCM
805ba51738fSHerbert Xu	tristate "GCM (Galois/Counter Mode) and GMAC (GCM MAC)"
806ba51738fSHerbert Xu	select CRYPTO_CTR
807ba51738fSHerbert Xu	select CRYPTO_AEAD
808ba51738fSHerbert Xu	select CRYPTO_GHASH
809ba51738fSHerbert Xu	select CRYPTO_NULL
810f1f142adSRobert Elliott	select CRYPTO_MANAGER
811f1f142adSRobert Elliott	help
812ba51738fSHerbert Xu	  GCM (Galois/Counter Mode) authenticated encryption mode and GMAC
813f1f142adSRobert Elliott	  (GCM Message Authentication Code) (NIST SP800-38D)
814e3d2eaddSRobert Elliott
815e3d2eaddSRobert Elliott	  This is required for IPSec ESP (XFRM_ESP).
816f1f142adSRobert Elliott
817e3d2eaddSRobert Elliottconfig CRYPTO_GENIV
818e3d2eaddSRobert Elliott	tristate
819e3d2eaddSRobert Elliott	select CRYPTO_AEAD
820f1f142adSRobert Elliott	select CRYPTO_NULL
821f1f142adSRobert Elliott	select CRYPTO_MANAGER
822f1f142adSRobert Elliott	select CRYPTO_RNG_DEFAULT
823ba51738fSHerbert Xu
824f1f142adSRobert Elliottconfig CRYPTO_SEQIV
825e3d2eaddSRobert Elliott	tristate "Sequence Number IV Generator"
826e3d2eaddSRobert Elliott	select CRYPTO_GENIV
827f1f142adSRobert Elliott	help
828f1f142adSRobert Elliott	  Sequence Number IV generator
829f1f142adSRobert Elliott
830f1f142adSRobert Elliott	  This IV generator generates an IV based on a sequence number by
831f1f142adSRobert Elliott	  xoring it with a salt.  This algorithm is mainly useful for CTR.
832e3d2eaddSRobert Elliott
833f1f142adSRobert Elliott	  This is required for IPsec ESP (XFRM_ESP).
834f1f142adSRobert Elliott
835e3d2eaddSRobert Elliottconfig CRYPTO_ECHAINIV
836e3d2eaddSRobert Elliott	tristate "Encrypted Chain IV Generator"
837e3d2eaddSRobert Elliott	select CRYPTO_GENIV
838f1f142adSRobert Elliott	help
839f1f142adSRobert Elliott	  Encrypted Chain IV generator
840f1f142adSRobert Elliott
841f1f142adSRobert Elliott	  This IV generator generates an IV based on the encryption of
842f1f142adSRobert Elliott	  a sequence number xored with a salt.  This is the default
843f1f142adSRobert Elliott	  algorithm for CBC.
844f1f142adSRobert Elliott
845f1f142adSRobert Elliottconfig CRYPTO_ESSIV
846f1f142adSRobert Elliott	tristate "Encrypted Salt-Sector IV Generator"
847f1f142adSRobert Elliott	select CRYPTO_AUTHENC
848f1f142adSRobert Elliott	help
849f1f142adSRobert Elliott	  Encrypted Salt-Sector IV generator
850f1f142adSRobert Elliott
851f1f142adSRobert Elliott	  This IV generator is used in some cases by fscrypt and/or
852f1f142adSRobert Elliott	  dm-crypt. It uses the hash of the block encryption key as the
853f1f142adSRobert Elliott	  symmetric key for a block encryption pass applied to the input
854f1f142adSRobert Elliott	  IV, making low entropy IV sources more suitable for block
855f1f142adSRobert Elliott	  encryption.
856f1f142adSRobert Elliott
857f1f142adSRobert Elliott	  This driver implements a crypto API template that can be
858f1f142adSRobert Elliott	  instantiated either as an skcipher or as an AEAD (depending on the
859f1f142adSRobert Elliott	  type of the first template argument), and which defers encryption
860f1f142adSRobert Elliott	  and decryption requests to the encapsulated cipher after applying
861f1f142adSRobert Elliott	  ESSIV to the input IV. Note that in the AEAD case, it is assumed
862f1f142adSRobert Elliott	  that the keys are presented in the same format used by the authenc
863f1f142adSRobert Elliott	  template, and that the IV appears at the end of the authenticated
864f1f142adSRobert Elliott	  associated data (AAD) region (which is how dm-crypt uses it.)
8653f342a23SRobert Elliott
866f1f142adSRobert Elliott	  Note that the use of ESSIV is not recommended for new deployments,
867f1f142adSRobert Elliott	  and so this only needs to be enabled when interoperability with
8683f342a23SRobert Elliott	  existing encrypted volumes of filesystems is required, or when
8693f342a23SRobert Elliott	  building for a particular system that requires it (e.g., when
8703f342a23SRobert Elliott	  the SoC in question has accelerated CBC but not XTS, making CBC
8713f342a23SRobert Elliott	  combined with ESSIV the only feasible mode for h/w accelerated
872f1f142adSRobert Elliott	  block encryption)
873f1f142adSRobert Elliott
874f1f142adSRobert Elliottendmenu
875f1f142adSRobert Elliott
876f1f142adSRobert Elliottmenu "Hashes, digests, and MACs"
877f1f142adSRobert Elliott
878f1f142adSRobert Elliottconfig CRYPTO_BLAKE2B
8793f342a23SRobert Elliott	tristate "BLAKE2b"
8803f342a23SRobert Elliott	select CRYPTO_HASH
8813f342a23SRobert Elliott	help
8823f342a23SRobert Elliott	  BLAKE2b cryptographic hash function (RFC 7693)
883f1f142adSRobert Elliott
8843f342a23SRobert Elliott	  BLAKE2b is optimized for 64-bit platforms and can produce digests
885f1f142adSRobert Elliott	  of any size between 1 and 64 bytes. The keyed hash is also implemented.
886f1f142adSRobert Elliott
887f1f142adSRobert Elliott	  This module provides the following algorithms:
8883f342a23SRobert Elliott	  - blake2b-160
8893f342a23SRobert Elliott	  - blake2b-256
890f1f142adSRobert Elliott	  - blake2b-384
891f1f142adSRobert Elliott	  - blake2b-512
8923f342a23SRobert Elliott
893f1f142adSRobert Elliott	  Used by the btrfs filesystem.
89461c581a4SArd Biesheuvel
895f1f142adSRobert Elliott	  See https://blake2.net for further information.
8963f342a23SRobert Elliott
897f1f142adSRobert Elliottconfig CRYPTO_CMAC
898f1f142adSRobert Elliott	tristate "CMAC (Cipher-based MAC)"
8993f342a23SRobert Elliott	select CRYPTO_HASH
900f1f142adSRobert Elliott	select CRYPTO_MANAGER
901f1f142adSRobert Elliott	help
902f1f142adSRobert Elliott	  CMAC (Cipher-based Message Authentication Code) authentication
9033f342a23SRobert Elliott	  mode (NIST SP800-38B and IETF RFC4493)
9043f342a23SRobert Elliott
9053f342a23SRobert Elliottconfig CRYPTO_GHASH
9063f342a23SRobert Elliott	tristate "GHASH"
907f1f142adSRobert Elliott	select CRYPTO_HASH
908f1f142adSRobert Elliott	select CRYPTO_LIB_GF128MUL
9093f342a23SRobert Elliott	help
910f1f142adSRobert Elliott	  GCM GHASH function (NIST SP800-38D)
911f1f142adSRobert Elliott
9123f342a23SRobert Elliottconfig CRYPTO_HMAC
913f1f142adSRobert Elliott	tristate "HMAC (Keyed-Hash MAC)"
914f1f142adSRobert Elliott	select CRYPTO_HASH
9153f342a23SRobert Elliott	select CRYPTO_MANAGER
916f1f142adSRobert Elliott	help
917f1f142adSRobert Elliott	  HMAC (Keyed-Hash Message Authentication Code) (FIPS 198 and
9183f342a23SRobert Elliott	  RFC2104)
919f1f142adSRobert Elliott
920f1f142adSRobert Elliott	  This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
9213f342a23SRobert Elliott
922f1f142adSRobert Elliottconfig CRYPTO_MD4
923f1f142adSRobert Elliott	tristate "MD4"
9243f342a23SRobert Elliott	select CRYPTO_HASH
9253f342a23SRobert Elliott	help
9263f342a23SRobert Elliott	  MD4 message digest algorithm (RFC1320)
9273f342a23SRobert Elliott
9283f342a23SRobert Elliottconfig CRYPTO_MD5
9293f342a23SRobert Elliott	tristate "MD5"
9303f342a23SRobert Elliott	select CRYPTO_HASH
931f1f142adSRobert Elliott	help
932f1f142adSRobert Elliott	  MD5 message digest algorithm (RFC1321)
933f1f142adSRobert Elliott
934f1f142adSRobert Elliottconfig CRYPTO_MICHAEL_MIC
93561c581a4SArd Biesheuvel	tristate "Michael MIC"
936f1f142adSRobert Elliott	select CRYPTO_HASH
9373f342a23SRobert Elliott	help
9383f342a23SRobert Elliott	  Michael MIC (Message Integrity Code) (IEEE 802.11i)
9393f342a23SRobert Elliott
940f1f142adSRobert Elliott	  Defined by the IEEE 802.11i TKIP (Temporal Key Integrity Protocol),
941f1f142adSRobert Elliott	  known as WPA (Wif-Fi Protected Access).
942f1f142adSRobert Elliott
9433f342a23SRobert Elliott	  This algorithm is required for TKIP, but it should not be used for
944f1f142adSRobert Elliott	  other purposes because of the weakness of the algorithm.
945f1f142adSRobert Elliott
946f1f142adSRobert Elliottconfig CRYPTO_POLYVAL
9473f342a23SRobert Elliott	tristate
948f1f142adSRobert Elliott	select CRYPTO_HASH
949f1f142adSRobert Elliott	select CRYPTO_LIB_GF128MUL
950f1f142adSRobert Elliott	help
951f1f142adSRobert Elliott	  POLYVAL hash function for HCTR2
952f1f142adSRobert Elliott
953f1f142adSRobert Elliott	  This is used in HCTR2.  It is not a general-purpose
9543f342a23SRobert Elliott	  cryptographic hash function.
955f1f142adSRobert Elliott
956f1f142adSRobert Elliottconfig CRYPTO_POLY1305
9573f342a23SRobert Elliott	tristate "Poly1305"
958f1f142adSRobert Elliott	select CRYPTO_HASH
959f1f142adSRobert Elliott	select CRYPTO_LIB_POLY1305_GENERIC
960f1f142adSRobert Elliott	select CRYPTO_LIB_POLY1305_INTERNAL
961f1f142adSRobert Elliott	help
962f1f142adSRobert Elliott	  Poly1305 authenticator algorithm (RFC7539)
963f1f142adSRobert Elliott
9643f342a23SRobert Elliott	  Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
965f1f142adSRobert Elliott	  It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
966f1f142adSRobert Elliott	  in IETF protocols. This is the portable C implementation of Poly1305.
967f1f142adSRobert Elliott
9683f342a23SRobert Elliottconfig CRYPTO_RMD160
9693f342a23SRobert Elliott	tristate "RIPEMD-160"
970f1f142adSRobert Elliott	select CRYPTO_HASH
971f1f142adSRobert Elliott	help
9723f342a23SRobert Elliott	  RIPEMD-160 hash function (ISO/IEC 10118-3)
973f1f142adSRobert Elliott
974f1f142adSRobert Elliott	  RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
975f1f142adSRobert Elliott	  to be used as a secure replacement for the 128-bit hash functions
9763f342a23SRobert Elliott	  MD4, MD5 and its predecessor RIPEMD
977f1f142adSRobert Elliott	  (not to be confused with RIPEMD-128).
978f1f142adSRobert Elliott
9793f342a23SRobert Elliott	  Its speed is comparable to SHA-1 and there are no known attacks
980f1f142adSRobert Elliott	  against RIPEMD-160.
981f1f142adSRobert Elliott
982f1f142adSRobert Elliott	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
9833f342a23SRobert Elliott	  See https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
984f1f142adSRobert Elliott	  for further information.
9853f342a23SRobert Elliott
9863f342a23SRobert Elliottconfig CRYPTO_SHA1
987f1f142adSRobert Elliott	tristate "SHA-1"
988f1f142adSRobert Elliott	select CRYPTO_HASH
9893f342a23SRobert Elliott	select CRYPTO_LIB_SHA1
990f1f142adSRobert Elliott	help
991f1f142adSRobert Elliott	  SHA-1 secure hash algorithm (FIPS 180, ISO/IEC 10118-3)
9923f342a23SRobert Elliott
993f1f142adSRobert Elliottconfig CRYPTO_SHA256
994f1f142adSRobert Elliott	tristate "SHA-224 and SHA-256"
9953f342a23SRobert Elliott	select CRYPTO_HASH
996f1f142adSRobert Elliott	select CRYPTO_LIB_SHA256
997f1f142adSRobert Elliott	help
9983f342a23SRobert Elliott	  SHA-224 and SHA-256 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
999f1f142adSRobert Elliott
1000f1f142adSRobert Elliott	  This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
1001f1f142adSRobert Elliott	  Used by the btrfs filesystem, Ceph, NFS, and SMB.
1002f1f142adSRobert Elliott
1003f1f142adSRobert Elliottconfig CRYPTO_SHA512
10043f342a23SRobert Elliott	tristate "SHA-384 and SHA-512"
1005f1f142adSRobert Elliott	select CRYPTO_HASH
1006f1f142adSRobert Elliott	help
1007f1f142adSRobert Elliott	  SHA-384 and SHA-512 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
10083f342a23SRobert Elliott
10093f342a23SRobert Elliottconfig CRYPTO_SHA3
10103f342a23SRobert Elliott	tristate "SHA-3"
1011f1f142adSRobert Elliott	select CRYPTO_HASH
1012f1f142adSRobert Elliott	help
1013f1f142adSRobert Elliott	  SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3)
1014f1f142adSRobert Elliott
1015f1f142adSRobert Elliottconfig CRYPTO_SM3
1016f1f142adSRobert Elliott	tristate
10173f342a23SRobert Elliott
1018f1f142adSRobert Elliottconfig CRYPTO_SM3_GENERIC
1019f1f142adSRobert Elliott	tristate "SM3 (ShangMi 3)"
10203f342a23SRobert Elliott	select CRYPTO_HASH
10213f342a23SRobert Elliott	select CRYPTO_SM3
10223f342a23SRobert Elliott	help
10233f342a23SRobert Elliott	  SM3 (ShangMi 3) secure hash function (OSCCA GM/T 0004-2012, ISO/IEC 10118-3)
10243f342a23SRobert Elliott
1025f1f142adSRobert Elliott	  This is part of the Chinese Commercial Cryptography suite.
1026f1f142adSRobert Elliott
1027f1f142adSRobert Elliott	  References:
1028f1f142adSRobert Elliott	  http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
1029f1f142adSRobert Elliott	  https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
1030f1f142adSRobert Elliott
10313f342a23SRobert Elliottconfig CRYPTO_STREEBOG
1032f1f142adSRobert Elliott	tristate "Streebog"
1033f1f142adSRobert Elliott	select CRYPTO_HASH
10343f342a23SRobert Elliott	help
10353f342a23SRobert Elliott	  Streebog Hash Function (GOST R 34.11-2012, RFC 6986, ISO/IEC 10118-3)
10363f342a23SRobert Elliott
1037f1f142adSRobert Elliott	  This is one of the Russian cryptographic standard algorithms (called
1038f1f142adSRobert Elliott	  GOST algorithms). This setting enables two hash algorithms with
1039f1f142adSRobert Elliott	  256 and 512 bits output.
10403f342a23SRobert Elliott
10413f342a23SRobert Elliott	  References:
1042f1f142adSRobert Elliott	  https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1043f1f142adSRobert Elliott	  https://tools.ietf.org/html/rfc6986
10443f342a23SRobert Elliott
1045f1f142adSRobert Elliottconfig CRYPTO_WP512
1046f1f142adSRobert Elliott	tristate "Whirlpool"
1047f1f142adSRobert Elliott	select CRYPTO_HASH
10483f342a23SRobert Elliott	help
10493f342a23SRobert Elliott	  Whirlpool hash function (ISO/IEC 10118-3)
1050f1f142adSRobert Elliott
1051f1f142adSRobert Elliott	  512, 384 and 256-bit hashes.
10523f342a23SRobert Elliott
1053f1f142adSRobert Elliott	  Whirlpool-512 is part of the NESSIE cryptographic primitives.
1054f1f142adSRobert Elliott
1055f1f142adSRobert Elliott	  See https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
10563f342a23SRobert Elliott	  for further information.
10573f342a23SRobert Elliott
10583f342a23SRobert Elliottconfig CRYPTO_XCBC
10593f342a23SRobert Elliott	tristate "XCBC-MAC (Extended Cipher Block Chaining MAC)"
10603f342a23SRobert Elliott	select CRYPTO_HASH
1061f1f142adSRobert Elliott	select CRYPTO_MANAGER
1062f1f142adSRobert Elliott	help
1063f1f142adSRobert Elliott	  XCBC-MAC (Extended Cipher Block Chaining Message Authentication
1064f1f142adSRobert Elliott	  Code) (RFC3566)
1065f1f142adSRobert Elliott
1066f1f142adSRobert Elliottconfig CRYPTO_XXHASH
1067ec84348dSRobert Elliott	tristate "xxHash"
1068f1f142adSRobert Elliott	select CRYPTO_HASH
1069f1f142adSRobert Elliott	select XXHASH
1070f1f142adSRobert Elliott	help
1071ec84348dSRobert Elliott	  xxHash non-cryptographic hash algorithm
1072ec84348dSRobert Elliott
1073ec84348dSRobert Elliott	  Extremely fast, working at speeds close to RAM limits.
1074ec84348dSRobert Elliott
1075ec84348dSRobert Elliott	  Used by the btrfs filesystem.
1076ec84348dSRobert Elliott
1077ec84348dSRobert Elliottendmenu
1078ec84348dSRobert Elliott
1079ec84348dSRobert Elliottmenu "CRCs (cyclic redundancy checks)"
1080f1f142adSRobert Elliott
1081f1f142adSRobert Elliottconfig CRYPTO_CRC32C
1082ec84348dSRobert Elliott	tristate "CRC32c"
1083f1f142adSRobert Elliott	select CRYPTO_HASH
1084f1f142adSRobert Elliott	select CRC32
1085f1f142adSRobert Elliott	help
1086ec84348dSRobert Elliott	  CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720)
1087ec84348dSRobert Elliott
1088ec84348dSRobert Elliott	  A 32-bit CRC (cyclic redundancy check) with a polynomial defined
1089f1f142adSRobert Elliott	  by G. Castagnoli, S. Braeuer and M. Herrman in "Optimization of Cyclic
1090f1f142adSRobert Elliott	  Redundancy-Check Codes with 24 and 32 Parity Bits", IEEE Transactions
1091ec84348dSRobert Elliott	  on Communications, Vol. 41, No. 6, June 1993, selected for use with
1092f1f142adSRobert Elliott	  iSCSI.
1093be3c45b0SEric Biggers
1094f1f142adSRobert Elliott	  Used by btrfs, ext4, jbd2, NVMeoF/TCP, and iSCSI.
1095ec84348dSRobert Elliott
1096ec84348dSRobert Elliottconfig CRYPTO_CRC32
1097ec84348dSRobert Elliott	tristate "CRC32"
1098f1f142adSRobert Elliott	select CRYPTO_HASH
1099f1f142adSRobert Elliott	select CRC32
1100ec84348dSRobert Elliott	help
1101f1f142adSRobert Elliott	  CRC32 CRC algorithm (IEEE 802.3)
1102f1f142adSRobert Elliott
1103ec84348dSRobert Elliott	  Used by RoCEv2 and f2fs.
1104ec84348dSRobert Elliott
1105ec84348dSRobert Elliottendmenu
1106ec84348dSRobert Elliott
1107ec84348dSRobert Elliottmenu "Compression"
1108ec84348dSRobert Elliott
1109f1f142adSRobert Elliottconfig CRYPTO_DEFLATE
1110f1f142adSRobert Elliott	tristate "Deflate"
1111f1f142adSRobert Elliott	select CRYPTO_ALGAPI
1112f1f142adSRobert Elliott	select CRYPTO_ACOMP2
1113584fffc8SSebastian Siewior	select ZLIB_INFLATE
11141da177e4SLinus Torvalds	select ZLIB_DEFLATE
1115a9a98d49SRobert Elliott	help
1116cce9e06dSHerbert Xu	  Deflate compression algorithm (RFC1951)
1117f6ded09dSGiovanni Cabiddu
11181da177e4SLinus Torvalds	  Used by IPSec with the IPCOMP protocol (RFC3173, RFC2394)
11191da177e4SLinus Torvalds
11201da177e4SLinus Torvaldsconfig CRYPTO_LZO
1121a9a98d49SRobert Elliott	tristate "LZO"
11221da177e4SLinus Torvalds	select CRYPTO_ALGAPI
1123a9a98d49SRobert Elliott	select CRYPTO_ACOMP2
11241da177e4SLinus Torvalds	select LZO_COMPRESS
11250b77abb3SZoltan Sogor	select LZO_DECOMPRESS
1126a9a98d49SRobert Elliott	help
11270b77abb3SZoltan Sogor	  LZO compression algorithm
1128ac9d2c4bSGiovanni Cabiddu
11290b77abb3SZoltan Sogor	  See https://www.oberhumer.com/opensource/lzo/ for further information.
11300b77abb3SZoltan Sogor
11310b77abb3SZoltan Sogorconfig CRYPTO_842
1132a9a98d49SRobert Elliott	tristate "842"
1133a9a98d49SRobert Elliott	select CRYPTO_ALGAPI
1134a9a98d49SRobert Elliott	select CRYPTO_ACOMP2
11350b77abb3SZoltan Sogor	select 842_COMPRESS
113635a1fc18SSeth Jennings	select 842_DECOMPRESS
1137a9a98d49SRobert Elliott	help
11382062c5b6SDan Streetman	  842 compression algorithm by IBM
11396a8de3aeSGiovanni Cabiddu
11402062c5b6SDan Streetman	  See https://github.com/plauth/lib842 for further information.
11412062c5b6SDan Streetman
114235a1fc18SSeth Jenningsconfig CRYPTO_LZ4
1143a9a98d49SRobert Elliott	tristate "LZ4"
1144a9a98d49SRobert Elliott	select CRYPTO_ALGAPI
1145a9a98d49SRobert Elliott	select CRYPTO_ACOMP2
114635a1fc18SSeth Jennings	select LZ4_COMPRESS
11470ea8530dSChanho Min	select LZ4_DECOMPRESS
1148a9a98d49SRobert Elliott	help
11490ea8530dSChanho Min	  LZ4 compression algorithm
11508cd9330eSGiovanni Cabiddu
11510ea8530dSChanho Min	  See https://github.com/lz4/lz4 for further information.
11520ea8530dSChanho Min
11530ea8530dSChanho Minconfig CRYPTO_LZ4HC
1154a9a98d49SRobert Elliott	tristate "LZ4HC"
1155a9a98d49SRobert Elliott	select CRYPTO_ALGAPI
1156a9a98d49SRobert Elliott	select CRYPTO_ACOMP2
11570ea8530dSChanho Min	select LZ4HC_COMPRESS
11580ea8530dSChanho Min	select LZ4_DECOMPRESS
1159a9a98d49SRobert Elliott	help
11600ea8530dSChanho Min	  LZ4 high compression mode algorithm
116191d53d96SGiovanni Cabiddu
11620ea8530dSChanho Min	  See https://github.com/lz4/lz4 for further information.
11630ea8530dSChanho Min
11640ea8530dSChanho Minconfig CRYPTO_ZSTD
1165a9a98d49SRobert Elliott	tristate "Zstd"
1166a9a98d49SRobert Elliott	select CRYPTO_ALGAPI
1167a9a98d49SRobert Elliott	select CRYPTO_ACOMP2
11680ea8530dSChanho Min	select ZSTD_COMPRESS
1169d28fc3dbSNick Terrell	select ZSTD_DECOMPRESS
1170a9a98d49SRobert Elliott	help
1171d28fc3dbSNick Terrell	  zstd compression algorithm
1172d28fc3dbSNick Terrell
1173d28fc3dbSNick Terrell	  See https://github.com/facebook/zstd for further information.
1174d28fc3dbSNick Terrell
1175d28fc3dbSNick Terrellendmenu
1176a9a98d49SRobert Elliott
1177a9a98d49SRobert Elliottmenu "Random number generation"
1178a9a98d49SRobert Elliott
1179d28fc3dbSNick Terrellconfig CRYPTO_ANSI_CPRNG
1180f1f142adSRobert Elliott	tristate "ANSI PRNG (Pseudo Random Number Generator)"
1181f1f142adSRobert Elliott	select CRYPTO_AES
1182f1f142adSRobert Elliott	select CRYPTO_RNG
118317f0f4a4SNeil Horman	help
118417f0f4a4SNeil Horman	  Pseudo RNG (random number generator) (ANSI X9.31 Appendix A.2.4)
1185a9a98d49SRobert Elliott
118617f0f4a4SNeil Horman	  This uses the AES cipher algorithm.
118717f0f4a4SNeil Horman
118817f0f4a4SNeil Horman	  Note that this option must be enabled if CRYPTO_FIPS is selected
1189a9a98d49SRobert Elliott
1190a9a98d49SRobert Elliottmenuconfig CRYPTO_DRBG_MENU
1191a9a98d49SRobert Elliott	tristate "NIST SP800-90A DRBG (Deterministic Random Bit Generator)"
1192a9a98d49SRobert Elliott	help
1193a9a98d49SRobert Elliott	  DRBG (Deterministic Random Bit Generator) (NIST SP800-90A)
119417f0f4a4SNeil Horman
1195f2c89a10SHerbert Xu	  In the following submenu, one or more of the DRBG types must be selected.
1196a9a98d49SRobert Elliott
1197419090c6SStephan Muellerif CRYPTO_DRBG_MENU
1198a9a98d49SRobert Elliott
1199a9a98d49SRobert Elliottconfig CRYPTO_DRBG_HMAC
1200a9a98d49SRobert Elliott	bool
1201419090c6SStephan Mueller	default y
1202f2c89a10SHerbert Xu	select CRYPTO_HMAC
1203419090c6SStephan Mueller	select CRYPTO_SHA512
1204419090c6SStephan Mueller
1205401e4238SHerbert Xuconfig CRYPTO_DRBG_HASH
1206419090c6SStephan Mueller	bool "Hash_DRBG"
1207419090c6SStephan Mueller	select CRYPTO_SHA256
12085261cdf4SStephan Mueller	help
1209419090c6SStephan Mueller	  Hash_DRBG variant as defined in NIST SP800-90A.
1210419090c6SStephan Mueller
1211a9a98d49SRobert Elliott	  This uses the SHA-1, SHA-256, SHA-384, or SHA-512 hash algorithms.
1212826775bbSHerbert Xu
1213419090c6SStephan Muellerconfig CRYPTO_DRBG_CTR
1214a9a98d49SRobert Elliott	bool "CTR_DRBG"
1215a9a98d49SRobert Elliott	select CRYPTO_AES
1216a9a98d49SRobert Elliott	select CRYPTO_CTR
1217419090c6SStephan Mueller	help
1218419090c6SStephan Mueller	  CTR_DRBG variant as defined in NIST SP800-90A.
1219a9a98d49SRobert Elliott
1220419090c6SStephan Mueller	  This uses the AES cipher algorithm with the counter block mode.
1221d6fc1a45SCorentin Labbe
1222419090c6SStephan Muellerconfig CRYPTO_DRBG
1223a9a98d49SRobert Elliott	tristate
1224a9a98d49SRobert Elliott	default CRYPTO_DRBG_MENU
1225a9a98d49SRobert Elliott	select CRYPTO_RNG
1226419090c6SStephan Mueller	select CRYPTO_JITTERENTROPY
1227f2c89a10SHerbert Xu
1228f2c89a10SHerbert Xuendif	# if CRYPTO_DRBG_MENU
1229401e4238SHerbert Xu
1230f2c89a10SHerbert Xuconfig CRYPTO_JITTERENTROPY
1231bb5530e4SStephan Mueller	tristate "CPU Jitter Non-Deterministic RNG (Random Number Generator)"
1232f2c89a10SHerbert Xu	select CRYPTO_RNG
1233f2c89a10SHerbert Xu	select CRYPTO_SHA3
1234419090c6SStephan Mueller	help
1235bb5530e4SStephan Mueller	  CPU Jitter RNG (Random Number Generator) from the Jitterentropy library
1236a9a98d49SRobert Elliott
12372f313e02SArnd Bergmann	  A non-physical non-deterministic ("true") RNG (e.g., an entropy source
1238bb897c55SStephan Müller	  compliant with NIST SP800-90B) intended to provide a seed to a
1239bb5530e4SStephan Mueller	  deterministic RNG (e.g., per NIST SP800-90C).
1240a9a98d49SRobert Elliott	  This RNG does not perform any cryptographic whitening of the generated
1241a9a98d49SRobert Elliott	  random numbers.
1242a9a98d49SRobert Elliott
1243a9a98d49SRobert Elliott	  See https://www.chronox.de/jent/
1244e63df1ecSRandy Dunlap
1245a9a98d49SRobert Elliottif CRYPTO_JITTERENTROPY
1246e63df1ecSRandy Dunlapif CRYPTO_FIPS && EXPERT
1247a9a98d49SRobert Elliott
1248e63df1ecSRandy Dunlapchoice
1249bb5530e4SStephan Mueller	prompt "CPU Jitter RNG Memory Size"
1250e7ed6473SHerbert Xu	default CRYPTO_JITTERENTROPY_MEMSIZE_2
1251e7ed6473SHerbert Xu	help
1252e7ed6473SHerbert Xu	  The Jitter RNG measures the execution time of memory accesses.
125359bcfd78SStephan Müller	  Multiple consecutive memory accesses are performed. If the memory
125459bcfd78SStephan Müller	  size fits into a cache (e.g. L1), only the memory access timing
125559bcfd78SStephan Müller	  to that cache is measured. The closer the cache is to the CPU
125659bcfd78SStephan Müller	  the less variations are measured and thus the less entropy is
125759bcfd78SStephan Müller	  obtained. Thus, if the memory size fits into the L1 cache, the
125859bcfd78SStephan Müller	  obtained entropy is less than if the memory size fits within
125959bcfd78SStephan Müller	  L1 + L2, which in turn is less if the memory fits into
126059bcfd78SStephan Müller	  L1 + L2 + L3. Thus, by selecting a different memory size,
126159bcfd78SStephan Müller	  the entropy rate produced by the Jitter RNG can be modified.
126259bcfd78SStephan Müller
126359bcfd78SStephan Müller	config CRYPTO_JITTERENTROPY_MEMSIZE_2
126459bcfd78SStephan Müller		bool "2048 Bytes (default)"
126559bcfd78SStephan Müller
126659bcfd78SStephan Müller	config CRYPTO_JITTERENTROPY_MEMSIZE_128
126759bcfd78SStephan Müller		bool "128 kBytes"
126859bcfd78SStephan Müller
126959bcfd78SStephan Müller	config CRYPTO_JITTERENTROPY_MEMSIZE_1024
127059bcfd78SStephan Müller		bool "1024 kBytes"
127159bcfd78SStephan Müller
127259bcfd78SStephan Müller	config CRYPTO_JITTERENTROPY_MEMSIZE_8192
127359bcfd78SStephan Müller		bool "8192 kBytes"
127459bcfd78SStephan Müllerendchoice
127559bcfd78SStephan Müller
127659bcfd78SStephan Müllerconfig CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
127759bcfd78SStephan Müller	int
127859bcfd78SStephan Müller	default 64 if CRYPTO_JITTERENTROPY_MEMSIZE_2
127959bcfd78SStephan Müller	default 512 if CRYPTO_JITTERENTROPY_MEMSIZE_128
128059bcfd78SStephan Müller	default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
128159bcfd78SStephan Müller	default 4096 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
128259bcfd78SStephan Müller
128359bcfd78SStephan Müllerconfig CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
128459bcfd78SStephan Müller	int
128559bcfd78SStephan Müller	default 32 if CRYPTO_JITTERENTROPY_MEMSIZE_2
128659bcfd78SStephan Müller	default 256 if CRYPTO_JITTERENTROPY_MEMSIZE_128
128759bcfd78SStephan Müller	default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
128859bcfd78SStephan Müller	default 2048 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
128959bcfd78SStephan Müller
129059bcfd78SStephan Müllerconfig CRYPTO_JITTERENTROPY_OSR
129159bcfd78SStephan Müller	int "CPU Jitter RNG Oversampling Rate"
129259bcfd78SStephan Müller	range 1 15
129359bcfd78SStephan Müller	default 3
129459bcfd78SStephan Müller	help
12950baa8fabSStephan Müller	  The Jitter RNG allows the specification of an oversampling rate (OSR).
12960baa8fabSStephan Müller	  The Jitter RNG operation requires a fixed amount of timing
12970baa8fabSStephan Müller	  measurements to produce one output block of random numbers. The
129895a798d2SStephan Mueller	  OSR value is multiplied with the amount of timing measurements to
12990baa8fabSStephan Müller	  generate one output block. Thus, the timing measurement is oversampled
13000baa8fabSStephan Müller	  by the OSR factor. The oversampling allows the Jitter RNG to operate
13010baa8fabSStephan Müller	  on hardware whose timers deliver limited amount of entropy (e.g.
13020baa8fabSStephan Müller	  the timer is coarse) by setting the OSR to a higher value. The
13030baa8fabSStephan Müller	  trade-off, however, is that the Jitter RNG now requires more time
13040baa8fabSStephan Müller	  to generate random numbers.
13050baa8fabSStephan Müller
13060baa8fabSStephan Müllerconfig CRYPTO_JITTERENTROPY_TESTINTERFACE
13070baa8fabSStephan Müller	bool "CPU Jitter RNG Test Interface"
13080baa8fabSStephan Müller	help
13090baa8fabSStephan Müller	  The test interface allows a privileged process to capture
13100baa8fabSStephan Müller	  the raw unconditioned high resolution time stamp noise that
131169f1c387SStephan Müller	  is collected by the Jitter RNG for statistical analysis. As
131269f1c387SStephan Müller	  this data is used at the same time to generate random bits,
131369f1c387SStephan Müller	  the Jitter RNG operates in an insecure mode as long as the
131469f1c387SStephan Müller	  recording is enabled. This interface therefore is only
131569f1c387SStephan Müller	  intended for testing purposes and is not suitable for
131669f1c387SStephan Müller	  production systems.
131769f1c387SStephan Müller
131869f1c387SStephan Müller	  The raw noise data can be obtained using the jent_raw_hires
131969f1c387SStephan Müller	  debugfs file. Using the option
132069f1c387SStephan Müller	  jitterentropy_testing.boot_raw_hires_test=1 the raw noise of
132169f1c387SStephan Müller	  the first 1000 entropy events since boot can be sampled.
132269f1c387SStephan Müller
132369f1c387SStephan Müller	  If unsure, select N.
132469f1c387SStephan Müller
132569f1c387SStephan Müllerendif	# if CRYPTO_FIPS && EXPERT
132669f1c387SStephan Müller
132769f1c387SStephan Müllerif !(CRYPTO_FIPS && EXPERT)
132869f1c387SStephan Müller
132969f1c387SStephan Müllerconfig CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
1330e7ed6473SHerbert Xu	int
1331e7ed6473SHerbert Xu	default 64
1332e7ed6473SHerbert Xu
1333e7ed6473SHerbert Xuconfig CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
1334e7ed6473SHerbert Xu	int
1335e7ed6473SHerbert Xu	default 32
1336e7ed6473SHerbert Xu
1337e7ed6473SHerbert Xuconfig CRYPTO_JITTERENTROPY_OSR
1338e7ed6473SHerbert Xu	int
1339e7ed6473SHerbert Xu	default 1
1340e7ed6473SHerbert Xu
1341e7ed6473SHerbert Xuconfig CRYPTO_JITTERENTROPY_TESTINTERFACE
1342e7ed6473SHerbert Xu	bool
1343e7ed6473SHerbert Xu
1344e7ed6473SHerbert Xuendif	# if !(CRYPTO_FIPS && EXPERT)
1345e7ed6473SHerbert Xuendif	# if CRYPTO_JITTERENTROPY
1346e7ed6473SHerbert Xu
1347e7ed6473SHerbert Xuconfig CRYPTO_KDF800108_CTR
1348e7ed6473SHerbert Xu	tristate
1349e7ed6473SHerbert Xu	select CRYPTO_HMAC
1350e7ed6473SHerbert Xu	select CRYPTO_SHA256
1351e7ed6473SHerbert Xu
1352026a733eSStephan Müllerendmenu
1353026a733eSStephan Müllermenu "Userspace interface"
1354a88592ccSHerbert Xu
1355304b4aceSStephan Müllerconfig CRYPTO_USER_API
1356026a733eSStephan Müller	tristate
1357f1f142adSRobert Elliott
13589bc51715SRobert Elliottconfig CRYPTO_USER_API_HASH
1359f1f142adSRobert Elliott	tristate "Hash algorithms"
136003c8efc1SHerbert Xu	depends on NET
136103c8efc1SHerbert Xu	select CRYPTO_HASH
136203c8efc1SHerbert Xu	select CRYPTO_USER_API
1363fe869cdbSHerbert Xu	help
13649bc51715SRobert Elliott	  Enable the userspace interface for hash algorithms.
13657451708fSHerbert Xu
1366fe869cdbSHerbert Xu	  See Documentation/crypto/userspace-if.rst and
1367fe869cdbSHerbert Xu	  https://www.chronox.de/libkcapi/html/index.html
1368fe869cdbSHerbert Xu
13699bc51715SRobert Elliottconfig CRYPTO_USER_API_SKCIPHER
13709bc51715SRobert Elliott	tristate "Symmetric key cipher algorithms"
13719bc51715SRobert Elliott	depends on NET
13729bc51715SRobert Elliott	select CRYPTO_SKCIPHER
1373fe869cdbSHerbert Xu	select CRYPTO_USER_API
13748ff59090SHerbert Xu	help
13759bc51715SRobert Elliott	  Enable the userspace interface for symmetric key cipher algorithms.
13767451708fSHerbert Xu
1377b95bba5dSEric Biggers	  See Documentation/crypto/userspace-if.rst and
13788ff59090SHerbert Xu	  https://www.chronox.de/libkcapi/html/index.html
13798ff59090SHerbert Xu
13809bc51715SRobert Elliottconfig CRYPTO_USER_API_RNG
13819bc51715SRobert Elliott	tristate "RNG (random number generator) algorithms"
13829bc51715SRobert Elliott	depends on NET
13839bc51715SRobert Elliott	select CRYPTO_RNG
13848ff59090SHerbert Xu	select CRYPTO_USER_API
13852f375538SStephan Mueller	help
13869bc51715SRobert Elliott	  Enable the userspace interface for RNG (random number generator)
13872f375538SStephan Mueller	  algorithms.
13882f375538SStephan Mueller
13892f375538SStephan Mueller	  See Documentation/crypto/userspace-if.rst and
13902f375538SStephan Mueller	  https://www.chronox.de/libkcapi/html/index.html
13919bc51715SRobert Elliott
13929bc51715SRobert Elliottconfig CRYPTO_USER_API_RNG_CAVP
13939bc51715SRobert Elliott	bool "Enable CAVP testing of DRBG"
13949bc51715SRobert Elliott	depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
13959bc51715SRobert Elliott	help
13962f375538SStephan Mueller	  Enable extra APIs in the userspace interface for NIST CAVP
139777ebdabeSElena Petrova	  (Cryptographic Algorithm Validation Program) testing:
139877ebdabeSElena Petrova	  - resetting DRBG entropy
139977ebdabeSElena Petrova	  - providing Additional Data
140077ebdabeSElena Petrova
14019bc51715SRobert Elliott	  This should only be enabled for CAVP testing. You should say
14029bc51715SRobert Elliott	  no unless you know what this is.
14039bc51715SRobert Elliott
14049bc51715SRobert Elliottconfig CRYPTO_USER_API_AEAD
14059bc51715SRobert Elliott	tristate "AEAD cipher algorithms"
140677ebdabeSElena Petrova	depends on NET
140777ebdabeSElena Petrova	select CRYPTO_AEAD
140877ebdabeSElena Petrova	select CRYPTO_SKCIPHER
1409b64a2d95SHerbert Xu	select CRYPTO_NULL
14109bc51715SRobert Elliott	select CRYPTO_USER_API
1411b64a2d95SHerbert Xu	help
1412b64a2d95SHerbert Xu	  Enable the userspace interface for AEAD cipher algorithms.
1413b95bba5dSEric Biggers
141472548b09SStephan Mueller	  See Documentation/crypto/userspace-if.rst and
1415b64a2d95SHerbert Xu	  https://www.chronox.de/libkcapi/html/index.html
1416b64a2d95SHerbert Xu
14179bc51715SRobert Elliottconfig CRYPTO_USER_API_ENABLE_OBSOLETE
14189bc51715SRobert Elliott	bool "Obsolete cryptographic algorithms"
14199bc51715SRobert Elliott	depends on CRYPTO_USER_API
14209bc51715SRobert Elliott	default y
1421b64a2d95SHerbert Xu	help
14229ace6771SArd Biesheuvel	  Allow obsolete cryptographic algorithms to be selected that have
14239bc51715SRobert Elliott	  already been phased out from internal use by the kernel, and are
14249ace6771SArd Biesheuvel	  only useful for userspace clients that still rely on them.
14259ace6771SArd Biesheuvel
14269ace6771SArd Biesheuvelendmenu
14279ace6771SArd Biesheuvel
14289ace6771SArd Biesheuvelconfig CRYPTO_HASH_INFO
14299ace6771SArd Biesheuvel	bool
14309ace6771SArd Biesheuvel
1431f1f142adSRobert Elliottif !KMSAN # avoid false positives from assembly
1432f1f142adSRobert Elliottif ARM
1433ee08997fSDmitry Kasatkinsource "arch/arm/crypto/Kconfig"
1434ee08997fSDmitry Kasatkinendif
1435ee08997fSDmitry Kasatkinif ARM64
143627bc50fcSLinus Torvaldssource "arch/arm64/crypto/Kconfig"
14374a329fecSRobert Elliottendif
14384a329fecSRobert Elliottif LOONGARCH
14394a329fecSRobert Elliottsource "arch/loongarch/crypto/Kconfig"
14404a329fecSRobert Elliottendif
14414a329fecSRobert Elliottif MIPS
14424a329fecSRobert Elliottsource "arch/mips/crypto/Kconfig"
14432f164822SMin Zhouendif
14442f164822SMin Zhouif PPC
14452f164822SMin Zhousource "arch/powerpc/crypto/Kconfig"
1446e45f710bSRobert Elliottendif
1447e45f710bSRobert Elliottif RISCV
1448e45f710bSRobert Elliottsource "arch/riscv/crypto/Kconfig"
14496a490a4eSRobert Elliottendif
14506a490a4eSRobert Elliottif S390
14516a490a4eSRobert Elliottsource "arch/s390/crypto/Kconfig"
1452178f3856SHeiko Stuebnerendif
1453178f3856SHeiko Stuebnerif SPARC
1454178f3856SHeiko Stuebnersource "arch/sparc/crypto/Kconfig"
1455c9d24c97SRobert Elliottendif
1456c9d24c97SRobert Elliottif X86
1457c9d24c97SRobert Elliottsource "arch/x86/crypto/Kconfig"
14580e9f9ea6SRobert Elliottendif
14590e9f9ea6SRobert Elliottendif
14600e9f9ea6SRobert Elliott
146128a936efSRobert Elliottsource "drivers/crypto/Kconfig"
146228a936efSRobert Elliottsource "crypto/asymmetric_keys/Kconfig"
146328a936efSRobert Elliottsource "certs/Kconfig"
146427bc50fcSLinus Torvaldssource "crypto/krb5/Kconfig"
1465e45f710bSRobert Elliott
14661da177e4SLinus Torvaldsendif	# if CRYPTO
14678636a1f9SMasahiro Yamada