1b2441318SGreg Kroah-Hartman# SPDX-License-Identifier: GPL-2.0 21da177e4SLinus Torvalds# 3685784aaSDan Williams# Generic algorithms support 4685784aaSDan Williams# 5685784aaSDan Williamsconfig XOR_BLOCKS 6685784aaSDan Williams tristate 7685784aaSDan Williams 8685784aaSDan Williams# 99bc89cd8SDan Williams# async_tx api: hardware offloaded memory transfer/transform support 109bc89cd8SDan Williams# 119bc89cd8SDan Williamssource "crypto/async_tx/Kconfig" 129bc89cd8SDan Williams 139bc89cd8SDan Williams# 141da177e4SLinus Torvalds# Cryptographic API Configuration 151da177e4SLinus Torvalds# 162e290f43SJan Engelhardtmenuconfig CRYPTO 17c3715cb9SSebastian Siewior tristate "Cryptographic API" 187033b937SEric Biggers select CRYPTO_LIB_UTILS 191da177e4SLinus Torvalds help 201da177e4SLinus Torvalds This option provides the core Cryptographic API. 211da177e4SLinus Torvalds 22cce9e06dSHerbert Xuif CRYPTO 23cce9e06dSHerbert Xu 24f1f142adSRobert Elliottmenu "Crypto core or helper" 25584fffc8SSebastian Siewior 26ccb778e1SNeil Hormanconfig CRYPTO_FIPS 27ccb778e1SNeil Horman bool "FIPS 200 compliance" 28f2c89a10SHerbert Xu depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS 291f696097SAlec Ari depends on (MODULE_SIG || !MODULES) 30ccb778e1SNeil Horman help 31d99324c2SGeert Uytterhoeven This option enables the fips boot option which is 32d99324c2SGeert Uytterhoeven required if you want the system to operate in a FIPS 200 33ccb778e1SNeil Horman certification. You should say no unless you know what 34e84c5480SChuck Ebbert this is. 35ccb778e1SNeil Horman 365a44749fSVladis Dronovconfig CRYPTO_FIPS_NAME 375a44749fSVladis Dronov string "FIPS Module Name" 385a44749fSVladis Dronov default "Linux Kernel Cryptographic API" 395a44749fSVladis Dronov depends on CRYPTO_FIPS 405a44749fSVladis Dronov help 415a44749fSVladis Dronov This option sets the FIPS Module name reported by the Crypto API via 425a44749fSVladis Dronov the /proc/sys/crypto/fips_name file. 435a44749fSVladis Dronov 445a44749fSVladis Dronovconfig CRYPTO_FIPS_CUSTOM_VERSION 455a44749fSVladis Dronov bool "Use Custom FIPS Module Version" 465a44749fSVladis Dronov depends on CRYPTO_FIPS 475a44749fSVladis Dronov default n 485a44749fSVladis Dronov 495a44749fSVladis Dronovconfig CRYPTO_FIPS_VERSION 505a44749fSVladis Dronov string "FIPS Module Version" 515a44749fSVladis Dronov default "(none)" 525a44749fSVladis Dronov depends on CRYPTO_FIPS_CUSTOM_VERSION 535a44749fSVladis Dronov help 545a44749fSVladis Dronov This option provides the ability to override the FIPS Module Version. 555a44749fSVladis Dronov By default the KERNELRELEASE value is used. 565a44749fSVladis Dronov 57cce9e06dSHerbert Xuconfig CRYPTO_ALGAPI 58cce9e06dSHerbert Xu tristate 596a0fcbb4SHerbert Xu select CRYPTO_ALGAPI2 60cce9e06dSHerbert Xu help 61cce9e06dSHerbert Xu This option provides the API for cryptographic algorithms. 62cce9e06dSHerbert Xu 636a0fcbb4SHerbert Xuconfig CRYPTO_ALGAPI2 646a0fcbb4SHerbert Xu tristate 656a0fcbb4SHerbert Xu 661ae97820SHerbert Xuconfig CRYPTO_AEAD 671ae97820SHerbert Xu tristate 686a0fcbb4SHerbert Xu select CRYPTO_AEAD2 691ae97820SHerbert Xu select CRYPTO_ALGAPI 701ae97820SHerbert Xu 716a0fcbb4SHerbert Xuconfig CRYPTO_AEAD2 726a0fcbb4SHerbert Xu tristate 736a0fcbb4SHerbert Xu select CRYPTO_ALGAPI2 746a0fcbb4SHerbert Xu 756cb8815fSHerbert Xuconfig CRYPTO_SIG 766cb8815fSHerbert Xu tristate 776cb8815fSHerbert Xu select CRYPTO_SIG2 786cb8815fSHerbert Xu select CRYPTO_ALGAPI 796cb8815fSHerbert Xu 806cb8815fSHerbert Xuconfig CRYPTO_SIG2 816cb8815fSHerbert Xu tristate 826cb8815fSHerbert Xu select CRYPTO_ALGAPI2 836cb8815fSHerbert Xu 84b95bba5dSEric Biggersconfig CRYPTO_SKCIPHER 855cde0af2SHerbert Xu tristate 86b95bba5dSEric Biggers select CRYPTO_SKCIPHER2 875cde0af2SHerbert Xu select CRYPTO_ALGAPI 8884534684SHerbert Xu select CRYPTO_ECB 896a0fcbb4SHerbert Xu 90b95bba5dSEric Biggersconfig CRYPTO_SKCIPHER2 916a0fcbb4SHerbert Xu tristate 926a0fcbb4SHerbert Xu select CRYPTO_ALGAPI2 935cde0af2SHerbert Xu 94055bcee3SHerbert Xuconfig CRYPTO_HASH 95055bcee3SHerbert Xu tristate 966a0fcbb4SHerbert Xu select CRYPTO_HASH2 97055bcee3SHerbert Xu select CRYPTO_ALGAPI 98055bcee3SHerbert Xu 996a0fcbb4SHerbert Xuconfig CRYPTO_HASH2 1006a0fcbb4SHerbert Xu tristate 1016a0fcbb4SHerbert Xu select CRYPTO_ALGAPI2 1026a0fcbb4SHerbert Xu 10317f0f4a4SNeil Hormanconfig CRYPTO_RNG 10417f0f4a4SNeil Horman tristate 1056a0fcbb4SHerbert Xu select CRYPTO_RNG2 10617f0f4a4SNeil Horman select CRYPTO_ALGAPI 10717f0f4a4SNeil Horman 1086a0fcbb4SHerbert Xuconfig CRYPTO_RNG2 1096a0fcbb4SHerbert Xu tristate 1106a0fcbb4SHerbert Xu select CRYPTO_ALGAPI2 1116a0fcbb4SHerbert Xu 112401e4238SHerbert Xuconfig CRYPTO_RNG_DEFAULT 113401e4238SHerbert Xu tristate 114401e4238SHerbert Xu select CRYPTO_DRBG_MENU 115401e4238SHerbert Xu 1163c339ab8STadeusz Strukconfig CRYPTO_AKCIPHER2 1173c339ab8STadeusz Struk tristate 1183c339ab8STadeusz Struk select CRYPTO_ALGAPI2 1193c339ab8STadeusz Struk 1203c339ab8STadeusz Strukconfig CRYPTO_AKCIPHER 1213c339ab8STadeusz Struk tristate 1223c339ab8STadeusz Struk select CRYPTO_AKCIPHER2 1233c339ab8STadeusz Struk select CRYPTO_ALGAPI 1243c339ab8STadeusz Struk 1254e5f2c40SSalvatore Benedettoconfig CRYPTO_KPP2 1264e5f2c40SSalvatore Benedetto tristate 1274e5f2c40SSalvatore Benedetto select CRYPTO_ALGAPI2 1284e5f2c40SSalvatore Benedetto 1294e5f2c40SSalvatore Benedettoconfig CRYPTO_KPP 1304e5f2c40SSalvatore Benedetto tristate 1314e5f2c40SSalvatore Benedetto select CRYPTO_ALGAPI 1324e5f2c40SSalvatore Benedetto select CRYPTO_KPP2 1334e5f2c40SSalvatore Benedetto 1342ebda74fSGiovanni Cabidduconfig CRYPTO_ACOMP2 1352ebda74fSGiovanni Cabiddu tristate 1362ebda74fSGiovanni Cabiddu select CRYPTO_ALGAPI2 1378cd579d2SBart Van Assche select SGL_ALLOC 1382ebda74fSGiovanni Cabiddu 1392ebda74fSGiovanni Cabidduconfig CRYPTO_ACOMP 1402ebda74fSGiovanni Cabiddu tristate 1412ebda74fSGiovanni Cabiddu select CRYPTO_ALGAPI 1422ebda74fSGiovanni Cabiddu select CRYPTO_ACOMP2 1432ebda74fSGiovanni Cabiddu 144*3241cd0cSHannes Reineckeconfig CRYPTO_HKDF 145*3241cd0cSHannes Reinecke tristate 146*3241cd0cSHannes Reinecke select CRYPTO_SHA256 if !CONFIG_CRYPTO_MANAGER_DISABLE_TESTS 147*3241cd0cSHannes Reinecke select CRYPTO_SHA512 if !CONFIG_CRYPTO_MANAGER_DISABLE_TESTS 148*3241cd0cSHannes Reinecke select CRYPTO_HASH2 149*3241cd0cSHannes Reinecke 1502b8c19dbSHerbert Xuconfig CRYPTO_MANAGER 1512b8c19dbSHerbert Xu tristate "Cryptographic algorithm manager" 1526a0fcbb4SHerbert Xu select CRYPTO_MANAGER2 1532b8c19dbSHerbert Xu help 1542b8c19dbSHerbert Xu Create default cryptographic template instantiations such as 1552b8c19dbSHerbert Xu cbc(aes). 1562b8c19dbSHerbert Xu 1576a0fcbb4SHerbert Xuconfig CRYPTO_MANAGER2 1586a0fcbb4SHerbert Xu def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y) 1592ebda74fSGiovanni Cabiddu select CRYPTO_ACOMP2 160fb28fabfSHerbert Xu select CRYPTO_AEAD2 161fb28fabfSHerbert Xu select CRYPTO_AKCIPHER2 1626cb8815fSHerbert Xu select CRYPTO_SIG2 163fb28fabfSHerbert Xu select CRYPTO_HASH2 164fb28fabfSHerbert Xu select CRYPTO_KPP2 165fb28fabfSHerbert Xu select CRYPTO_RNG2 166fb28fabfSHerbert Xu select CRYPTO_SKCIPHER2 1676a0fcbb4SHerbert Xu 168a38f7907SSteffen Klassertconfig CRYPTO_USER 169a38f7907SSteffen Klassert tristate "Userspace cryptographic algorithm configuration" 1705db017aaSHerbert Xu depends on NET 171a38f7907SSteffen Klassert select CRYPTO_MANAGER 172a38f7907SSteffen Klassert help 173d19978f5S[email protected] Userspace configuration for cryptographic instantiations such as 174a38f7907SSteffen Klassert cbc(aes). 175a38f7907SSteffen Klassert 176326a6346SHerbert Xuconfig CRYPTO_MANAGER_DISABLE_TESTS 177326a6346SHerbert Xu bool "Disable run-time self tests" 17800ca28a5SHerbert Xu default y 1790b767f96SAlexander Shishkin help 180326a6346SHerbert Xu Disable run-time self tests that normally take place at 181326a6346SHerbert Xu algorithm registration. 1820b767f96SAlexander Shishkin 1835b2706a4SEric Biggersconfig CRYPTO_MANAGER_EXTRA_TESTS 1845b2706a4SEric Biggers bool "Enable extra run-time crypto self tests" 1856569e309SJason A. Donenfeld depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER 1865b2706a4SEric Biggers help 1875b2706a4SEric Biggers Enable extra run-time self tests of registered crypto algorithms, 1885b2706a4SEric Biggers including randomized fuzz tests. 1895b2706a4SEric Biggers 1905b2706a4SEric Biggers This is intended for developer use only, as these tests take much 1915b2706a4SEric Biggers longer to run than the normal self tests. 1925b2706a4SEric Biggers 193584fffc8SSebastian Siewiorconfig CRYPTO_NULL 194584fffc8SSebastian Siewior tristate "Null algorithms" 195149a3971SHerbert Xu select CRYPTO_NULL2 196584fffc8SSebastian Siewior help 197584fffc8SSebastian Siewior These are 'Null' algorithms, used by IPsec, which do nothing. 198584fffc8SSebastian Siewior 199149a3971SHerbert Xuconfig CRYPTO_NULL2 200dd43c4e9SHerbert Xu tristate 201149a3971SHerbert Xu select CRYPTO_ALGAPI2 202b95bba5dSEric Biggers select CRYPTO_SKCIPHER2 203149a3971SHerbert Xu select CRYPTO_HASH2 204149a3971SHerbert Xu 2055068c7a8SSteffen Klassertconfig CRYPTO_PCRYPT 2063b4afaf2SKees Cook tristate "Parallel crypto engine" 2073b4afaf2SKees Cook depends on SMP 2085068c7a8SSteffen Klassert select PADATA 2095068c7a8SSteffen Klassert select CRYPTO_MANAGER 2105068c7a8SSteffen Klassert select CRYPTO_AEAD 2115068c7a8SSteffen Klassert help 2125068c7a8SSteffen Klassert This converts an arbitrary crypto algorithm into a parallel 2135068c7a8SSteffen Klassert algorithm that executes in kernel threads. 2145068c7a8SSteffen Klassert 215584fffc8SSebastian Siewiorconfig CRYPTO_CRYPTD 216584fffc8SSebastian Siewior tristate "Software async crypto daemon" 217b95bba5dSEric Biggers select CRYPTO_SKCIPHER 218b8a28251SLoc Ho select CRYPTO_HASH 219584fffc8SSebastian Siewior select CRYPTO_MANAGER 220584fffc8SSebastian Siewior help 221584fffc8SSebastian Siewior This is a generic software asynchronous crypto daemon that 222584fffc8SSebastian Siewior converts an arbitrary synchronous software crypto algorithm 223584fffc8SSebastian Siewior into an asynchronous algorithm that executes in a kernel thread. 224584fffc8SSebastian Siewior 225584fffc8SSebastian Siewiorconfig CRYPTO_AUTHENC 226584fffc8SSebastian Siewior tristate "Authenc support" 227584fffc8SSebastian Siewior select CRYPTO_AEAD 228b95bba5dSEric Biggers select CRYPTO_SKCIPHER 229584fffc8SSebastian Siewior select CRYPTO_MANAGER 230584fffc8SSebastian Siewior select CRYPTO_HASH 231e94c6a7aSHerbert Xu select CRYPTO_NULL 232584fffc8SSebastian Siewior help 233584fffc8SSebastian Siewior Authenc: Combined mode wrapper for IPsec. 234cf514b2aSRobert Elliott 235cf514b2aSRobert Elliott This is required for IPSec ESP (XFRM_ESP). 236584fffc8SSebastian Siewior 237584fffc8SSebastian Siewiorconfig CRYPTO_KRB5ENC 238584fffc8SSebastian Siewior tristate "Kerberos 5 combined hash+cipher support" 23900ea27f1SArd Biesheuvel select CRYPTO_AEAD 240da7f033dSHerbert Xu select CRYPTO_SKCIPHER 241584fffc8SSebastian Siewior select CRYPTO_MANAGER 242584fffc8SSebastian Siewior select CRYPTO_HASH 243584fffc8SSebastian Siewior select CRYPTO_NULL 244266d0516SHerbert Xu help 245266d0516SHerbert Xu Combined hash and cipher support for Kerberos 5 RFC3961 simplified 246266d0516SHerbert Xu profile. This is required for Kerberos 5-style encryption, used by 247266d0516SHerbert Xu sunrpc/NFS and rxrpc/AFS. 248735d37b5SBaolin Wang 249735d37b5SBaolin Wangconfig CRYPTO_TEST 250735d37b5SBaolin Wang tristate "Testing module" 251f1f142adSRobert Elliott depends on m || EXPERT 252f1f142adSRobert Elliott select CRYPTO_MANAGER 253f1f142adSRobert Elliott help 2543d6228a5SVitaly Chikunov Quick & dirty crypto test module. 2553d6228a5SVitaly Chikunov 25605b37465SRobert Elliottconfig CRYPTO_SIMD 2573d6228a5SVitaly Chikunov tristate 2583d6228a5SVitaly Chikunov select CRYPTO_CRYPTD 2591e562deaSLukas Wunner 2603d6228a5SVitaly Chikunovconfig CRYPTO_ENGINE 2613d6228a5SVitaly Chikunov tristate 2623d6228a5SVitaly Chikunov 26305b37465SRobert Elliottendmenu 2643d6228a5SVitaly Chikunov 2653d6228a5SVitaly Chikunovmenu "Public-key cryptography" 26605b37465SRobert Elliott 2673d6228a5SVitaly Chikunovconfig CRYPTO_RSA 2683d6228a5SVitaly Chikunov tristate "RSA (Rivest-Shamir-Adleman)" 2693d6228a5SVitaly Chikunov select CRYPTO_AKCIPHER 27005b37465SRobert Elliott select CRYPTO_MANAGER 2713d6228a5SVitaly Chikunov select CRYPTO_SIG 2727dce5981SNicolai Stange select MPILIB 27305b37465SRobert Elliott select ASN1 2747dce5981SNicolai Stange help 2751e207964SNicolai Stange RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017) 2767dce5981SNicolai Stange 27705b37465SRobert Elliottconfig CRYPTO_DH 27805b37465SRobert Elliott tristate "DH (Diffie-Hellman)" 27905b37465SRobert Elliott select CRYPTO_KPP 28005b37465SRobert Elliott select MPILIB 28105b37465SRobert Elliott help 28205b37465SRobert Elliott DH (Diffie-Hellman) key exchange algorithm 28305b37465SRobert Elliott 2847dce5981SNicolai Stangeconfig CRYPTO_DH_RFC7919_GROUPS 2854a2289daSVitaly Chikunov bool "RFC 7919 FFDHE groups" 2864a2289daSVitaly Chikunov depends on CRYPTO_DH 28738aa192aSArnd Bergmann select CRYPTO_RNG_DEFAULT 2884a2289daSVitaly Chikunov help 2893d6228a5SVitaly Chikunov FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups 29005b37465SRobert Elliott defined in RFC7919. 2914a2289daSVitaly Chikunov 2923d6228a5SVitaly Chikunov Support these finite-field groups in DH key exchanges: 2933d6228a5SVitaly Chikunov - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 29405b37465SRobert Elliott 29505b37465SRobert Elliott If unsure, say N. 2963d6228a5SVitaly Chikunov 2974e660291SStefan Bergerconfig CRYPTO_ECC 29805b37465SRobert Elliott tristate 2994e660291SStefan Berger select CRYPTO_RNG_DEFAULT 300ef132350SLukas Wunner 3014e660291SStefan Bergerconfig CRYPTO_ECDH 3024e660291SStefan Berger tristate "ECDH (Elliptic Curve Diffie-Hellman)" 30305b37465SRobert Elliott select CRYPTO_ECC 30405b37465SRobert Elliott select CRYPTO_KPP 30591790c7aSLukas Wunner help 30605b37465SRobert Elliott ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm 30705b37465SRobert Elliott using curves P-192, P-256, and P-384 (FIPS 186) 3084e660291SStefan Berger 3090d7a7864SVitaly Chikunovconfig CRYPTO_ECDSA 31005b37465SRobert Elliott tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)" 3110d7a7864SVitaly Chikunov select CRYPTO_ECC 312ae117924SLukas Wunner select CRYPTO_SIG 3130d7a7864SVitaly Chikunov select ASN1 3141036633eSVitaly Chikunov help 3151036633eSVitaly Chikunov ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186, 3160d7a7864SVitaly Chikunov ISO/IEC 14888-3) 3170d7a7864SVitaly Chikunov using curves P-192, P-256, P-384 and P-521 31805b37465SRobert Elliott 31905b37465SRobert Elliott Only signature verification is implemented. 32005b37465SRobert Elliott 32105b37465SRobert Elliottconfig CRYPTO_ECRDSA 3220d7a7864SVitaly Chikunov tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)" 323ee772cb6SArd Biesheuvel select CRYPTO_ECC 32405b37465SRobert Elliott select CRYPTO_SIG 325ee772cb6SArd Biesheuvel select CRYPTO_STREEBOG 326ee772cb6SArd Biesheuvel select OID_REGISTRY 32705b37465SRobert Elliott select ASN1 32805b37465SRobert Elliott help 329ee772cb6SArd Biesheuvel Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012, 330f1f142adSRobert Elliott RFC 7091, ISO/IEC 14888-3) 331584fffc8SSebastian Siewior 332f1f142adSRobert Elliott One of the Russian cryptographic standard algorithms (called GOST 3331da177e4SLinus Torvalds algorithms). Only signature verification is implemented. 3341da177e4SLinus Torvalds 335cf514b2aSRobert Elliottconfig CRYPTO_CURVE25519 336cce9e06dSHerbert Xu tristate "Curve25519" 3375bb12d78SArd Biesheuvel select CRYPTO_KPP 3381da177e4SLinus Torvalds select CRYPTO_LIB_CURVE25519_GENERIC 339cf514b2aSRobert Elliott select CRYPTO_LIB_CURVE25519_INTERNAL 3401da177e4SLinus Torvalds help 3411da177e4SLinus Torvalds Curve25519 elliptic curve (RFC7748) 3421da177e4SLinus Torvalds 3431da177e4SLinus Torvaldsendmenu 3441da177e4SLinus Torvalds 3451da177e4SLinus Torvaldsmenu "Block ciphers" 3461da177e4SLinus Torvalds 3471da177e4SLinus Torvaldsconfig CRYPTO_AES 3481da177e4SLinus Torvalds tristate "AES (Advanced Encryption Standard)" 3491da177e4SLinus Torvalds select CRYPTO_ALGAPI 3501da177e4SLinus Torvalds select CRYPTO_LIB_AES 3511da177e4SLinus Torvalds help 352b5e0b032SArd Biesheuvel AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3) 353cf514b2aSRobert Elliott 354b5e0b032SArd Biesheuvel Rijndael appears to be consistently a very good performer in 355e59c1c98SArd Biesheuvel both hardware and software across a wide range of computing 356b5e0b032SArd Biesheuvel environments regardless of its use in feedback or non-feedback 357cf514b2aSRobert Elliott modes. Its key setup time is excellent, and its key agility is 358cf514b2aSRobert Elliott good. Rijndael's very low memory requirements make it very well 359b5e0b032SArd Biesheuvel suited for restricted-space environments, in which it also 360b5e0b032SArd Biesheuvel demonstrates excellent performance. Rijndael's operations are 361b5e0b032SArd Biesheuvel among the easiest to defend against power and timing attacks. 362b5e0b032SArd Biesheuvel 363b5e0b032SArd Biesheuvel The AES specifies three key sizes: 128, 192 and 256 bits 364b5e0b032SArd Biesheuvel 365b5e0b032SArd Biesheuvelconfig CRYPTO_AES_TI 366b5e0b032SArd Biesheuvel tristate "AES (Advanced Encryption Standard) (fixed time)" 367b5e0b032SArd Biesheuvel select CRYPTO_ALGAPI 368b5e0b032SArd Biesheuvel select CRYPTO_LIB_AES 369b5e0b032SArd Biesheuvel help 3700a6a40c2SEric Biggers AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3) 3710a6a40c2SEric Biggers 372b5e0b032SArd Biesheuvel This is a generic implementation of AES that attempts to eliminate 3731da177e4SLinus Torvalds data dependent latencies as much as possible without affecting 374cf514b2aSRobert Elliott performance too much. It is intended for use by the generic CCM 3751674aea5SArd Biesheuvel and GCM drivers, and other CTR or CMAC/XCBC based modes that rely 376cce9e06dSHerbert Xu solely on encryption (although decryption is supported as well, but 3771da177e4SLinus Torvalds with a more dramatic performance hit) 378cf514b2aSRobert Elliott 3791da177e4SLinus Torvalds Instead of using 16 lookup tables of 1 KB each, (8 for encryption and 3801da177e4SLinus Torvalds 8 for decryption), this implementation only uses just two S-boxes of 3811da177e4SLinus Torvalds 256 bytes each, and attempts to eliminate data dependent latencies by 3821da177e4SLinus Torvalds prefetching the entire table into the cache at the start of each 3831da177e4SLinus Torvalds block. Interrupts are also disabled to avoid races where cachelines 384cf514b2aSRobert Elliott are evicted when the CPU is interrupted to do something else. 385cf514b2aSRobert Elliott 3861da177e4SLinus Torvaldsconfig CRYPTO_ANUBIS 387f1f142adSRobert Elliott tristate "Anubis" 388cf514b2aSRobert Elliott depends on CRYPTO_USER_API_ENABLE_OBSOLETE 389f1f142adSRobert Elliott select CRYPTO_ALGAPI 390e2ee95b8SHye-Shik Chang help 391cf514b2aSRobert Elliott Anubis cipher algorithm 392e2ee95b8SHye-Shik Chang 393f1f142adSRobert Elliott Anubis is a variable key length cipher which can use keys from 394f1f142adSRobert Elliott 128 bits to 320 bits in length. It was evaluated as a entrant 395f1f142adSRobert Elliott in the NESSIE competition. 396f1f142adSRobert Elliott 397f1f142adSRobert Elliott See https://web.archive.org/web/20160606112246/http://www.larc.usp.br/~pbarreto/AnubisPage.html 398f1f142adSRobert Elliott for further information. 399cf514b2aSRobert Elliott 400cf514b2aSRobert Elliottconfig CRYPTO_ARIA 401584fffc8SSebastian Siewior tristate "ARIA" 402584fffc8SSebastian Siewior select CRYPTO_ALGAPI 403cf514b2aSRobert Elliott help 404584fffc8SSebastian Siewior ARIA cipher algorithm (RFC5794) 40552ba867cSJussi Kivilinna 406584fffc8SSebastian Siewior ARIA is a standard encryption algorithm of the Republic of Korea. 407cf514b2aSRobert Elliott The ARIA specifies three key sizes and rounds. 408584fffc8SSebastian Siewior 128-bit: 12 rounds. 409584fffc8SSebastian Siewior 192-bit: 14 rounds. 410584fffc8SSebastian Siewior 256-bit: 16 rounds. 411584fffc8SSebastian Siewior 412e2ee95b8SHye-Shik Chang See: 413cf514b2aSRobert Elliott https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do 414584fffc8SSebastian Siewior 41552ba867cSJussi Kivilinnaconfig CRYPTO_BLOWFISH 41652ba867cSJussi Kivilinna tristate "Blowfish" 41752ba867cSJussi Kivilinna select CRYPTO_ALGAPI 41852ba867cSJussi Kivilinna select CRYPTO_BLOWFISH_COMMON 41952ba867cSJussi Kivilinna help 42052ba867cSJussi Kivilinna Blowfish cipher algorithm, by Bruce Schneier 421584fffc8SSebastian Siewior 422cf514b2aSRobert Elliott This is a variable key length cipher which can use keys from 32 423584fffc8SSebastian Siewior bits to 448 bits in length. It's fast, simple and specifically 424584fffc8SSebastian Siewior designed for use on "large microprocessors". 425cf514b2aSRobert Elliott 426584fffc8SSebastian Siewior See https://www.schneier.com/blowfish.html for further information. 427584fffc8SSebastian Siewior 428584fffc8SSebastian Siewiorconfig CRYPTO_BLOWFISH_COMMON 429584fffc8SSebastian Siewior tristate 430584fffc8SSebastian Siewior help 431584fffc8SSebastian Siewior Common parts of the Blowfish cipher algorithm shared by the 432cf514b2aSRobert Elliott generic c and the assembler implementations. 433584fffc8SSebastian Siewior 434044ab525SJussi Kivilinnaconfig CRYPTO_CAMELLIA 435044ab525SJussi Kivilinna tristate "Camellia" 436044ab525SJussi Kivilinna select CRYPTO_ALGAPI 437044ab525SJussi Kivilinna help 438044ab525SJussi Kivilinna Camellia cipher algorithms (ISO/IEC 18033-3) 439044ab525SJussi Kivilinna 440584fffc8SSebastian Siewior Camellia is a symmetric key block cipher developed jointly 441cf514b2aSRobert Elliott at NTT and Mitsubishi Electric Corporation. 442584fffc8SSebastian Siewior 443044ab525SJussi Kivilinna The Camellia specifies three key sizes: 128, 192 and 256 bits. 444584fffc8SSebastian Siewior 445cf514b2aSRobert Elliott See https://info.isl.ntt.co.jp/crypt/eng/camellia/ for further information. 446584fffc8SSebastian Siewior 447584fffc8SSebastian Siewiorconfig CRYPTO_CAST_COMMON 448cf514b2aSRobert Elliott tristate 449584fffc8SSebastian Siewior help 450044ab525SJussi Kivilinna Common parts of the CAST cipher algorithms shared by the 451584fffc8SSebastian Siewior generic c and the assembler implementations. 452cf514b2aSRobert Elliott 453584fffc8SSebastian Siewiorconfig CRYPTO_CAST5 454584fffc8SSebastian Siewior tristate "CAST5 (CAST-128)" 455cf514b2aSRobert Elliott select CRYPTO_ALGAPI 456584fffc8SSebastian Siewior select CRYPTO_CAST_COMMON 45704007b0eSArd Biesheuvel help 458584fffc8SSebastian Siewior CAST5 (CAST-128) cipher algorithm (RFC2144, ISO/IEC 18033-3) 459cf514b2aSRobert Elliott 460cf514b2aSRobert Elliottconfig CRYPTO_CAST6 461cf514b2aSRobert Elliott tristate "CAST6 (CAST-256)" 462584fffc8SSebastian Siewior select CRYPTO_ALGAPI 463584fffc8SSebastian Siewior select CRYPTO_CAST_COMMON 464cf514b2aSRobert Elliott help 465584fffc8SSebastian Siewior CAST6 (CAST-256) encryption algorithm (RFC2612) 466b95bba5dSEric Biggers 467584fffc8SSebastian Siewiorconfig CRYPTO_DES 468cf514b2aSRobert Elliott tristate "DES and Triple DES EDE" 469cf514b2aSRobert Elliott select CRYPTO_ALGAPI 470cf514b2aSRobert Elliott select CRYPTO_LIB_DES 471584fffc8SSebastian Siewior help 472584fffc8SSebastian Siewior DES (Data Encryption Standard)(FIPS 46-2, ISO/IEC 18033-3) and 473cf514b2aSRobert Elliott Triple DES EDE (Encrypt/Decrypt/Encrypt) (FIPS 46-3, ISO/IEC 18033-3) 4741674aea5SArd Biesheuvel cipher algorithms 475584fffc8SSebastian Siewior 476584fffc8SSebastian Siewiorconfig CRYPTO_FCRYPT 477cf514b2aSRobert Elliott tristate "FCrypt" 478584fffc8SSebastian Siewior select CRYPTO_ALGAPI 479584fffc8SSebastian Siewior select CRYPTO_SKCIPHER 480584fffc8SSebastian Siewior help 481584fffc8SSebastian Siewior FCrypt algorithm used by RxRPC 482584fffc8SSebastian Siewior 483cf514b2aSRobert Elliott See https://ota.polyonymo.us/fcrypt-paper.txt 484cf514b2aSRobert Elliott 485e2ee95b8SHye-Shik Changconfig CRYPTO_KHAZAD 486584fffc8SSebastian Siewior tristate "Khazad" 487cf514b2aSRobert Elliott depends on CRYPTO_USER_API_ENABLE_OBSOLETE 4881674aea5SArd Biesheuvel select CRYPTO_ALGAPI 489584fffc8SSebastian Siewior help 490584fffc8SSebastian Siewior Khazad cipher algorithm 491cf514b2aSRobert Elliott 492584fffc8SSebastian Siewior Khazad was a finalist in the initial NESSIE competition. It is 493584fffc8SSebastian Siewior an algorithm optimized for 64-bit processors with good performance 494584fffc8SSebastian Siewior on 32-bit processors. Khazad uses an 128 bit key size. 495584fffc8SSebastian Siewior 496584fffc8SSebastian Siewior See https://web.archive.org/web/20171011071731/http://www.larc.usp.br/~pbarreto/KhazadPage.html 497584fffc8SSebastian Siewior for further information. 498cf514b2aSRobert Elliott 499cf514b2aSRobert Elliottconfig CRYPTO_SEED 500584fffc8SSebastian Siewior tristate "SEED" 501584fffc8SSebastian Siewior depends on CRYPTO_USER_API_ENABLE_OBSOLETE 502cf514b2aSRobert Elliott select CRYPTO_ALGAPI 503584fffc8SSebastian Siewior help 504584fffc8SSebastian Siewior SEED cipher algorithm (RFC4269, ISO/IEC 18033-3) 505cf514b2aSRobert Elliott 506584fffc8SSebastian Siewior SEED is a 128-bit symmetric key block cipher that has been 507584fffc8SSebastian Siewior developed by KISA (Korea Information Security Agency) as a 508784506a1SArd Biesheuvel national standard encryption algorithm of the Republic of Korea. 509584fffc8SSebastian Siewior It is a 16 round block cipher with the key size of 128 bit. 510cf514b2aSRobert Elliott 511584fffc8SSebastian Siewior See https://seed.kisa.or.kr/kisa/algorithm/EgovSeedInfo.do 512747c8ce4SGilad Ben-Yossef for further information. 513d2825fa9SJason A. Donenfeld 514d2825fa9SJason A. Donenfeldconfig CRYPTO_SERPENT 515d2825fa9SJason A. Donenfeld tristate "Serpent" 516cf514b2aSRobert Elliott select CRYPTO_ALGAPI 517747c8ce4SGilad Ben-Yossef help 518d2825fa9SJason A. Donenfeld Serpent cipher algorithm, by Anderson, Biham & Knudsen 519747c8ce4SGilad Ben-Yossef 520cf514b2aSRobert Elliott Keys are allowed to be from 0 to 256 bits in length, in steps 521cf514b2aSRobert Elliott of 8 bits. 522747c8ce4SGilad Ben-Yossef 523747c8ce4SGilad Ben-Yossef See https://www.cl.cam.ac.uk/~rja14/serpent.html for further information. 524747c8ce4SGilad Ben-Yossef 525747c8ce4SGilad Ben-Yossefconfig CRYPTO_SM4 526747c8ce4SGilad Ben-Yossef tristate 527747c8ce4SGilad Ben-Yossef 528747c8ce4SGilad Ben-Yossefconfig CRYPTO_SM4_GENERIC 529747c8ce4SGilad Ben-Yossef tristate "SM4 (ShangMi 4)" 530747c8ce4SGilad Ben-Yossef select CRYPTO_ALGAPI 531747c8ce4SGilad Ben-Yossef select CRYPTO_SM4 532747c8ce4SGilad Ben-Yossef help 533747c8ce4SGilad Ben-Yossef SM4 cipher algorithms (OSCCA GB/T 32907-2016, 534747c8ce4SGilad Ben-Yossef ISO/IEC 18033-3:2010/Amd 1:2021) 535747c8ce4SGilad Ben-Yossef 536747c8ce4SGilad Ben-Yossef SM4 (GBT.32907-2016) is a cryptographic standard issued by the 537747c8ce4SGilad Ben-Yossef Organization of State Commercial Administration of China (OSCCA) 538cf514b2aSRobert Elliott as an authorized cryptographic algorithms for the use within China. 539747c8ce4SGilad Ben-Yossef 540747c8ce4SGilad Ben-Yossef SMS4 was originally created for use in protecting wireless 541747c8ce4SGilad Ben-Yossef networks, and is mandated in the Chinese National Standard for 542584fffc8SSebastian Siewior Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure) 543cf514b2aSRobert Elliott (GB.15629.11-2003). 5441674aea5SArd Biesheuvel 545584fffc8SSebastian Siewior The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and 546584fffc8SSebastian Siewior standardized through TC 260 of the Standardization Administration 547cf514b2aSRobert Elliott of the People's Republic of China (SAC). 548584fffc8SSebastian Siewior 549584fffc8SSebastian Siewior The input, output, and key of SMS4 are each 128 bits. 550584fffc8SSebastian Siewior 551584fffc8SSebastian Siewior See https://eprint.iacr.org/2008/329.pdf for further information. 552584fffc8SSebastian Siewior 553584fffc8SSebastian Siewior If unsure, say N. 554584fffc8SSebastian Siewior 555584fffc8SSebastian Siewiorconfig CRYPTO_TEA 556584fffc8SSebastian Siewior tristate "TEA, XTEA and XETA" 557584fffc8SSebastian Siewior depends on CRYPTO_USER_API_ENABLE_OBSOLETE 558584fffc8SSebastian Siewior select CRYPTO_ALGAPI 559584fffc8SSebastian Siewior help 560584fffc8SSebastian Siewior TEA (Tiny Encryption Algorithm) cipher algorithms 561cf514b2aSRobert Elliott 562584fffc8SSebastian Siewior Tiny Encryption Algorithm is a simple cipher that uses 563584fffc8SSebastian Siewior many rounds for security. It is very fast and uses 564584fffc8SSebastian Siewior little memory. 565cf514b2aSRobert Elliott 566584fffc8SSebastian Siewior Xtendend Tiny Encryption Algorithm is a modification to 567584fffc8SSebastian Siewior the TEA algorithm to address a potential key weakness 568584fffc8SSebastian Siewior in the TEA algorithm. 569584fffc8SSebastian Siewior 570584fffc8SSebastian Siewior Xtendend Encryption Tiny Algorithm is a mis-implementation 571584fffc8SSebastian Siewior of the XTEA algorithm for compatibility purposes. 572cf514b2aSRobert Elliott 573584fffc8SSebastian Siewiorconfig CRYPTO_TWOFISH 574584fffc8SSebastian Siewior tristate "Twofish" 575584fffc8SSebastian Siewior select CRYPTO_ALGAPI 576584fffc8SSebastian Siewior select CRYPTO_TWOFISH_COMMON 577584fffc8SSebastian Siewior help 578584fffc8SSebastian Siewior Twofish cipher algorithm 579584fffc8SSebastian Siewior 580f1f142adSRobert Elliott Twofish was submitted as an AES (Advanced Encryption Standard) 581f1f142adSRobert Elliott candidate cipher by researchers at CounterPane Systems. It is a 582f1f142adSRobert Elliott 16 round block cipher supporting key sizes of 128, 192, and 256 583f1f142adSRobert Elliott bits. 584f1f142adSRobert Elliott 585cf514b2aSRobert Elliott See https://www.schneier.com/twofish.html for further information. 586f1f142adSRobert Elliott 587f1f142adSRobert Elliottconfig CRYPTO_TWOFISH_COMMON 588f1f142adSRobert Elliott tristate 589f1f142adSRobert Elliott help 590f1f142adSRobert Elliott Common parts of the Twofish cipher algorithm shared by the 591cf514b2aSRobert Elliott generic c and the assembler implementations. 592cf514b2aSRobert Elliott 593cf514b2aSRobert Elliottendmenu 594f1f142adSRobert Elliott 595f1f142adSRobert Elliottmenu "Length-preserving ciphers and modes" 596f1f142adSRobert Elliott 597f1f142adSRobert Elliottconfig CRYPTO_ADIANTUM 598f1f142adSRobert Elliott tristate "Adiantum" 599f1f142adSRobert Elliott select CRYPTO_CHACHA20 600f1f142adSRobert Elliott select CRYPTO_LIB_POLY1305_GENERIC 601f1f142adSRobert Elliott select CRYPTO_NHPOLY1305 602f1f142adSRobert Elliott select CRYPTO_MANAGER 603f1f142adSRobert Elliott help 604f1f142adSRobert Elliott Adiantum tweakable, length-preserving encryption mode 605f1f142adSRobert Elliott 606f1f142adSRobert Elliott Designed for fast and secure disk encryption, especially on 607f1f142adSRobert Elliott CPUs without dedicated crypto instructions. It encrypts 608f1f142adSRobert Elliott each sector using the XChaCha12 stream cipher, two passes of 609f1f142adSRobert Elliott an ε-almost-∆-universal hash function, and an invocation of 610cf514b2aSRobert Elliott the AES-256 block cipher on a single 16-byte block. On CPUs 611f1f142adSRobert Elliott without AES instructions, Adiantum is much faster than 612f1f142adSRobert Elliott AES-XTS. 613f1f142adSRobert Elliott 614f1f142adSRobert Elliott Adiantum's security is provably reducible to that of its 615cf514b2aSRobert Elliott underlying stream and block ciphers, subject to a security 616f1f142adSRobert Elliott bound. Unlike XTS, Adiantum is a true wide-block encryption 617f1f142adSRobert Elliott mode, so it actually provides an even stronger notion of 618f1f142adSRobert Elliott security than XTS, subject to the security bound. 619f1f142adSRobert Elliott 620f1f142adSRobert Elliott If unsure, say N. 621f1f142adSRobert Elliott 622f1f142adSRobert Elliottconfig CRYPTO_ARC4 623cf514b2aSRobert Elliott tristate "ARC4 (Alleged Rivest Cipher 4)" 624f1f142adSRobert Elliott depends on CRYPTO_USER_API_ENABLE_OBSOLETE 625f1f142adSRobert Elliott select CRYPTO_SKCIPHER 626f1f142adSRobert Elliott select CRYPTO_LIB_ARC4 627cf514b2aSRobert Elliott help 628f1f142adSRobert Elliott ARC4 cipher algorithm 629f1f142adSRobert Elliott 630f1f142adSRobert Elliott ARC4 is a stream cipher using keys ranging from 8 bits to 2048 631cf514b2aSRobert Elliott bits in length. This algorithm is required for driver-based 632cf514b2aSRobert Elliott WEP, but it should not be for other purposes because of the 633f1f142adSRobert Elliott weakness of the algorithm. 634f1f142adSRobert Elliott 635f1f142adSRobert Elliottconfig CRYPTO_CHACHA20 636f1f142adSRobert Elliott tristate "ChaCha" 637cf514b2aSRobert Elliott select CRYPTO_LIB_CHACHA_GENERIC 638cf514b2aSRobert Elliott select CRYPTO_LIB_CHACHA_INTERNAL 639f1f142adSRobert Elliott select CRYPTO_SKCIPHER 640f1f142adSRobert Elliott help 641f1f142adSRobert Elliott The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms 642f1f142adSRobert Elliott 643f1f142adSRobert Elliott ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J. 644f1f142adSRobert Elliott Bernstein and further specified in RFC7539 for use in IETF protocols. 645cf514b2aSRobert Elliott This is the portable C implementation of ChaCha20. See 646f1f142adSRobert Elliott https://cr.yp.to/chacha/chacha-20080128.pdf for further information. 647f1f142adSRobert Elliott 648f1f142adSRobert Elliott XChaCha20 is the application of the XSalsa20 construction to ChaCha20 649cf514b2aSRobert Elliott rather than to Salsa20. XChaCha20 extends ChaCha20's nonce length 650cf514b2aSRobert Elliott from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits, 651cf514b2aSRobert Elliott while provably retaining ChaCha20's security. See 652f1f142adSRobert Elliott https://cr.yp.to/snuffle/xsalsa-20081128.pdf for further information. 653f1f142adSRobert Elliott 654cf514b2aSRobert Elliott XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly 655f1f142adSRobert Elliott reduced security margin but increased performance. It can be needed 656f1f142adSRobert Elliott in some performance-sensitive scenarios. 657f1f142adSRobert Elliott 658cf514b2aSRobert Elliottconfig CRYPTO_CBC 659f1f142adSRobert Elliott tristate "CBC (Cipher Block Chaining)" 660f1f142adSRobert Elliott select CRYPTO_SKCIPHER 661cf514b2aSRobert Elliott select CRYPTO_MANAGER 662f1f142adSRobert Elliott help 663f1f142adSRobert Elliott CBC (Cipher Block Chaining) mode (NIST SP800-38A) 664f1f142adSRobert Elliott 665cf514b2aSRobert Elliott This block cipher mode is required for IPSec ESP (XFRM_ESP). 666cf514b2aSRobert Elliott 667cf514b2aSRobert Elliottconfig CRYPTO_CTR 668f1f142adSRobert Elliott tristate "CTR (Counter)" 669f1f142adSRobert Elliott select CRYPTO_SKCIPHER 670f1f142adSRobert Elliott select CRYPTO_MANAGER 671f1f142adSRobert Elliott help 672cf514b2aSRobert Elliott CTR (Counter) mode (NIST SP800-38A) 67384534684SHerbert Xu 674f1f142adSRobert Elliottconfig CRYPTO_CTS 675f1f142adSRobert Elliott tristate "CTS (Cipher Text Stealing)" 676cf514b2aSRobert Elliott select CRYPTO_SKCIPHER 677f1f142adSRobert Elliott select CRYPTO_MANAGER 678f1f142adSRobert Elliott help 679cf514b2aSRobert Elliott CBC-CS3 variant of CTS (Cipher Text Stealing) (NIST 680f1f142adSRobert Elliott Addendum to SP800-38A (October 2010)) 681f1f142adSRobert Elliott 682f1f142adSRobert Elliott This mode is required for Kerberos gss mechanism support 683f1f142adSRobert Elliott for AES encryption. 684cf514b2aSRobert Elliott 685cf514b2aSRobert Elliottconfig CRYPTO_ECB 686cf514b2aSRobert Elliott tristate "ECB (Electronic Codebook)" 687cf514b2aSRobert Elliott select CRYPTO_SKCIPHER2 688cf514b2aSRobert Elliott select CRYPTO_MANAGER 689cf514b2aSRobert Elliott help 690cf514b2aSRobert Elliott ECB (Electronic Codebook) mode (NIST SP800-38A) 691cf514b2aSRobert Elliott 692f1f142adSRobert Elliottconfig CRYPTO_HCTR2 693f1f142adSRobert Elliott tristate "HCTR2" 694cf514b2aSRobert Elliott select CRYPTO_XCTR 69561c581a4SArd Biesheuvel select CRYPTO_POLYVAL 696f1f142adSRobert Elliott select CRYPTO_MANAGER 697f1f142adSRobert Elliott help 698f1f142adSRobert Elliott HCTR2 length-preserving encryption mode 699f1f142adSRobert Elliott 700cf514b2aSRobert Elliott A mode for storage encryption that is efficient on processors with 701cf514b2aSRobert Elliott instructions to accelerate AES and carryless multiplication, e.g. 702cf514b2aSRobert Elliott x86 processors with AES-NI and CLMUL, and ARM processors with the 703f1f142adSRobert Elliott ARMv8 crypto extensions. 704f1f142adSRobert Elliott 705f1f142adSRobert Elliott See https://eprint.iacr.org/2021/1441 706f1f142adSRobert Elliott 707f1f142adSRobert Elliottconfig CRYPTO_LRW 708cf514b2aSRobert Elliott tristate "LRW (Liskov Rivest Wagner)" 709cf514b2aSRobert Elliott select CRYPTO_LIB_GF128MUL 710f1f142adSRobert Elliott select CRYPTO_SKCIPHER 711cf514b2aSRobert Elliott select CRYPTO_MANAGER 712f1f142adSRobert Elliott select CRYPTO_ECB 713f1f142adSRobert Elliott help 714f1f142adSRobert Elliott LRW (Liskov Rivest Wagner) mode 715cf514b2aSRobert Elliott 716cf514b2aSRobert Elliott A tweakable, non malleable, non movable 717cf514b2aSRobert Elliott narrow block cipher mode for dm-crypt. Use it with cipher 718f1f142adSRobert Elliott specification string aes-lrw-benbi, the key must be 256, 320 or 384. 719f1f142adSRobert Elliott The first 128, 192 or 256 bits in the key are used for AES and the 720f1f142adSRobert Elliott rest is used to tie each cipher block to its logical position. 721f1f142adSRobert Elliott 722f1f142adSRobert Elliott See https://people.csail.mit.edu/rivest/pubs/LRW02.pdf 723f1f142adSRobert Elliott 724cf514b2aSRobert Elliottconfig CRYPTO_PCBC 725cf514b2aSRobert Elliott tristate "PCBC (Propagating Cipher Block Chaining)" 726cf514b2aSRobert Elliott select CRYPTO_SKCIPHER 727cf514b2aSRobert Elliott select CRYPTO_MANAGER 728cf514b2aSRobert Elliott help 729f1f142adSRobert Elliott PCBC (Propagating Cipher Block Chaining) mode 730f1f142adSRobert Elliott 731f1f142adSRobert Elliott This block cipher mode is required for RxRPC. 732cf514b2aSRobert Elliott 733f1f142adSRobert Elliottconfig CRYPTO_XCTR 734f1f142adSRobert Elliott tristate 735f1f142adSRobert Elliott select CRYPTO_SKCIPHER 736f1f142adSRobert Elliott select CRYPTO_MANAGER 737cf514b2aSRobert Elliott help 738cf514b2aSRobert Elliott XCTR (XOR Counter) mode for HCTR2 739cf514b2aSRobert Elliott 740cf514b2aSRobert Elliott This blockcipher mode is a variant of CTR mode using XORs and little-endian 741cf514b2aSRobert Elliott addition rather than big-endian arithmetic. 742cf514b2aSRobert Elliott 743f1f142adSRobert Elliott XCTR mode is used to implement HCTR2. 744f1f142adSRobert Elliott 745f1f142adSRobert Elliottconfig CRYPTO_XTS 746f1f142adSRobert Elliott tristate "XTS (XOR Encrypt XOR with ciphertext stealing)" 747f1f142adSRobert Elliott select CRYPTO_SKCIPHER 748f1f142adSRobert Elliott select CRYPTO_MANAGER 749f1f142adSRobert Elliott select CRYPTO_ECB 750f1f142adSRobert Elliott help 751f1f142adSRobert Elliott XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E 752f1f142adSRobert Elliott and IEEE 1619) 753f1f142adSRobert Elliott 754e3d2eaddSRobert Elliott Use with aes-xts-plain, key size 256, 384 or 512 bits. This 755f1f142adSRobert Elliott implementation currently can't handle a sectorsize which is not a 756f1f142adSRobert Elliott multiple of 16 bytes. 757f1f142adSRobert Elliott 758e3d2eaddSRobert Elliottconfig CRYPTO_NHPOLY1305 759f1f142adSRobert Elliott tristate 760f1f142adSRobert Elliott select CRYPTO_HASH 761e3d2eaddSRobert Elliott select CRYPTO_LIB_POLY1305_GENERIC 762f1f142adSRobert Elliott 763f1f142adSRobert Elliottendmenu 764e3d2eaddSRobert Elliott 765e3d2eaddSRobert Elliottmenu "AEAD (authenticated encryption with associated data) ciphers" 766e3d2eaddSRobert Elliott 767e3d2eaddSRobert Elliottconfig CRYPTO_AEGIS128 768e3d2eaddSRobert Elliott tristate "AEGIS-128" 769f1f142adSRobert Elliott select CRYPTO_AEAD 770f1f142adSRobert Elliott select CRYPTO_AES # for AES S-box tables 771e3d2eaddSRobert Elliott help 772f1f142adSRobert Elliott AEGIS-128 AEAD algorithm 773f1f142adSRobert Elliott 774f1f142adSRobert Elliottconfig CRYPTO_AEGIS128_SIMD 775f1f142adSRobert Elliott bool "AEGIS-128 (arm NEON, arm64 NEON)" 776f1f142adSRobert Elliott depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON) 777e3d2eaddSRobert Elliott default y 778e3d2eaddSRobert Elliott help 779f1f142adSRobert Elliott AEGIS-128 AEAD algorithm 780f1f142adSRobert Elliott 781cf514b2aSRobert Elliott Architecture: arm or arm64 using: 782f1f142adSRobert Elliott - NEON (Advanced SIMD) extension 783f1f142adSRobert Elliott 784f1f142adSRobert Elliottconfig CRYPTO_CHACHA20POLY1305 785f1f142adSRobert Elliott tristate "ChaCha20-Poly1305" 786f1f142adSRobert Elliott select CRYPTO_CHACHA20 787e3d2eaddSRobert Elliott select CRYPTO_POLY1305 788e3d2eaddSRobert Elliott select CRYPTO_AEAD 789f1f142adSRobert Elliott select CRYPTO_MANAGER 790f1f142adSRobert Elliott help 791cf514b2aSRobert Elliott ChaCha20 stream cipher and Poly1305 authenticator combined 792f1f142adSRobert Elliott mode (RFC8439) 793f1f142adSRobert Elliott 794f1f142adSRobert Elliottconfig CRYPTO_CCM 795f1f142adSRobert Elliott tristate "CCM (Counter with Cipher Block Chaining-MAC)" 796f1f142adSRobert Elliott select CRYPTO_CTR 797f1f142adSRobert Elliott select CRYPTO_HASH 798e3d2eaddSRobert Elliott select CRYPTO_AEAD 799e3d2eaddSRobert Elliott select CRYPTO_MANAGER 800e3d2eaddSRobert Elliott help 801e3d2eaddSRobert Elliott CCM (Counter with Cipher Block Chaining-Message Authentication Code) 802f1f142adSRobert Elliott authenticated encryption mode (NIST SP800-38C) 803ba51738fSHerbert Xu 804ba51738fSHerbert Xuconfig CRYPTO_GCM 805ba51738fSHerbert Xu tristate "GCM (Galois/Counter Mode) and GMAC (GCM MAC)" 806ba51738fSHerbert Xu select CRYPTO_CTR 807ba51738fSHerbert Xu select CRYPTO_AEAD 808ba51738fSHerbert Xu select CRYPTO_GHASH 809ba51738fSHerbert Xu select CRYPTO_NULL 810f1f142adSRobert Elliott select CRYPTO_MANAGER 811f1f142adSRobert Elliott help 812ba51738fSHerbert Xu GCM (Galois/Counter Mode) authenticated encryption mode and GMAC 813f1f142adSRobert Elliott (GCM Message Authentication Code) (NIST SP800-38D) 814e3d2eaddSRobert Elliott 815e3d2eaddSRobert Elliott This is required for IPSec ESP (XFRM_ESP). 816f1f142adSRobert Elliott 817e3d2eaddSRobert Elliottconfig CRYPTO_GENIV 818e3d2eaddSRobert Elliott tristate 819e3d2eaddSRobert Elliott select CRYPTO_AEAD 820f1f142adSRobert Elliott select CRYPTO_NULL 821f1f142adSRobert Elliott select CRYPTO_MANAGER 822f1f142adSRobert Elliott select CRYPTO_RNG_DEFAULT 823ba51738fSHerbert Xu 824f1f142adSRobert Elliottconfig CRYPTO_SEQIV 825e3d2eaddSRobert Elliott tristate "Sequence Number IV Generator" 826e3d2eaddSRobert Elliott select CRYPTO_GENIV 827f1f142adSRobert Elliott help 828f1f142adSRobert Elliott Sequence Number IV generator 829f1f142adSRobert Elliott 830f1f142adSRobert Elliott This IV generator generates an IV based on a sequence number by 831f1f142adSRobert Elliott xoring it with a salt. This algorithm is mainly useful for CTR. 832e3d2eaddSRobert Elliott 833f1f142adSRobert Elliott This is required for IPsec ESP (XFRM_ESP). 834f1f142adSRobert Elliott 835e3d2eaddSRobert Elliottconfig CRYPTO_ECHAINIV 836e3d2eaddSRobert Elliott tristate "Encrypted Chain IV Generator" 837e3d2eaddSRobert Elliott select CRYPTO_GENIV 838f1f142adSRobert Elliott help 839f1f142adSRobert Elliott Encrypted Chain IV generator 840f1f142adSRobert Elliott 841f1f142adSRobert Elliott This IV generator generates an IV based on the encryption of 842f1f142adSRobert Elliott a sequence number xored with a salt. This is the default 843f1f142adSRobert Elliott algorithm for CBC. 844f1f142adSRobert Elliott 845f1f142adSRobert Elliottconfig CRYPTO_ESSIV 846f1f142adSRobert Elliott tristate "Encrypted Salt-Sector IV Generator" 847f1f142adSRobert Elliott select CRYPTO_AUTHENC 848f1f142adSRobert Elliott help 849f1f142adSRobert Elliott Encrypted Salt-Sector IV generator 850f1f142adSRobert Elliott 851f1f142adSRobert Elliott This IV generator is used in some cases by fscrypt and/or 852f1f142adSRobert Elliott dm-crypt. It uses the hash of the block encryption key as the 853f1f142adSRobert Elliott symmetric key for a block encryption pass applied to the input 854f1f142adSRobert Elliott IV, making low entropy IV sources more suitable for block 855f1f142adSRobert Elliott encryption. 856f1f142adSRobert Elliott 857f1f142adSRobert Elliott This driver implements a crypto API template that can be 858f1f142adSRobert Elliott instantiated either as an skcipher or as an AEAD (depending on the 859f1f142adSRobert Elliott type of the first template argument), and which defers encryption 860f1f142adSRobert Elliott and decryption requests to the encapsulated cipher after applying 861f1f142adSRobert Elliott ESSIV to the input IV. Note that in the AEAD case, it is assumed 862f1f142adSRobert Elliott that the keys are presented in the same format used by the authenc 863f1f142adSRobert Elliott template, and that the IV appears at the end of the authenticated 864f1f142adSRobert Elliott associated data (AAD) region (which is how dm-crypt uses it.) 8653f342a23SRobert Elliott 866f1f142adSRobert Elliott Note that the use of ESSIV is not recommended for new deployments, 867f1f142adSRobert Elliott and so this only needs to be enabled when interoperability with 8683f342a23SRobert Elliott existing encrypted volumes of filesystems is required, or when 8693f342a23SRobert Elliott building for a particular system that requires it (e.g., when 8703f342a23SRobert Elliott the SoC in question has accelerated CBC but not XTS, making CBC 8713f342a23SRobert Elliott combined with ESSIV the only feasible mode for h/w accelerated 872f1f142adSRobert Elliott block encryption) 873f1f142adSRobert Elliott 874f1f142adSRobert Elliottendmenu 875f1f142adSRobert Elliott 876f1f142adSRobert Elliottmenu "Hashes, digests, and MACs" 877f1f142adSRobert Elliott 878f1f142adSRobert Elliottconfig CRYPTO_BLAKE2B 8793f342a23SRobert Elliott tristate "BLAKE2b" 8803f342a23SRobert Elliott select CRYPTO_HASH 8813f342a23SRobert Elliott help 8823f342a23SRobert Elliott BLAKE2b cryptographic hash function (RFC 7693) 883f1f142adSRobert Elliott 8843f342a23SRobert Elliott BLAKE2b is optimized for 64-bit platforms and can produce digests 885f1f142adSRobert Elliott of any size between 1 and 64 bytes. The keyed hash is also implemented. 886f1f142adSRobert Elliott 887f1f142adSRobert Elliott This module provides the following algorithms: 8883f342a23SRobert Elliott - blake2b-160 8893f342a23SRobert Elliott - blake2b-256 890f1f142adSRobert Elliott - blake2b-384 891f1f142adSRobert Elliott - blake2b-512 8923f342a23SRobert Elliott 893f1f142adSRobert Elliott Used by the btrfs filesystem. 89461c581a4SArd Biesheuvel 895f1f142adSRobert Elliott See https://blake2.net for further information. 8963f342a23SRobert Elliott 897f1f142adSRobert Elliottconfig CRYPTO_CMAC 898f1f142adSRobert Elliott tristate "CMAC (Cipher-based MAC)" 8993f342a23SRobert Elliott select CRYPTO_HASH 900f1f142adSRobert Elliott select CRYPTO_MANAGER 901f1f142adSRobert Elliott help 902f1f142adSRobert Elliott CMAC (Cipher-based Message Authentication Code) authentication 9033f342a23SRobert Elliott mode (NIST SP800-38B and IETF RFC4493) 9043f342a23SRobert Elliott 9053f342a23SRobert Elliottconfig CRYPTO_GHASH 9063f342a23SRobert Elliott tristate "GHASH" 907f1f142adSRobert Elliott select CRYPTO_HASH 908f1f142adSRobert Elliott select CRYPTO_LIB_GF128MUL 9093f342a23SRobert Elliott help 910f1f142adSRobert Elliott GCM GHASH function (NIST SP800-38D) 911f1f142adSRobert Elliott 9123f342a23SRobert Elliottconfig CRYPTO_HMAC 913f1f142adSRobert Elliott tristate "HMAC (Keyed-Hash MAC)" 914f1f142adSRobert Elliott select CRYPTO_HASH 9153f342a23SRobert Elliott select CRYPTO_MANAGER 916f1f142adSRobert Elliott help 917f1f142adSRobert Elliott HMAC (Keyed-Hash Message Authentication Code) (FIPS 198 and 9183f342a23SRobert Elliott RFC2104) 919f1f142adSRobert Elliott 920f1f142adSRobert Elliott This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP). 9213f342a23SRobert Elliott 922f1f142adSRobert Elliottconfig CRYPTO_MD4 923f1f142adSRobert Elliott tristate "MD4" 9243f342a23SRobert Elliott select CRYPTO_HASH 9253f342a23SRobert Elliott help 9263f342a23SRobert Elliott MD4 message digest algorithm (RFC1320) 9273f342a23SRobert Elliott 9283f342a23SRobert Elliottconfig CRYPTO_MD5 9293f342a23SRobert Elliott tristate "MD5" 9303f342a23SRobert Elliott select CRYPTO_HASH 931f1f142adSRobert Elliott help 932f1f142adSRobert Elliott MD5 message digest algorithm (RFC1321) 933f1f142adSRobert Elliott 934f1f142adSRobert Elliottconfig CRYPTO_MICHAEL_MIC 93561c581a4SArd Biesheuvel tristate "Michael MIC" 936f1f142adSRobert Elliott select CRYPTO_HASH 9373f342a23SRobert Elliott help 9383f342a23SRobert Elliott Michael MIC (Message Integrity Code) (IEEE 802.11i) 9393f342a23SRobert Elliott 940f1f142adSRobert Elliott Defined by the IEEE 802.11i TKIP (Temporal Key Integrity Protocol), 941f1f142adSRobert Elliott known as WPA (Wif-Fi Protected Access). 942f1f142adSRobert Elliott 9433f342a23SRobert Elliott This algorithm is required for TKIP, but it should not be used for 944f1f142adSRobert Elliott other purposes because of the weakness of the algorithm. 945f1f142adSRobert Elliott 946f1f142adSRobert Elliottconfig CRYPTO_POLYVAL 9473f342a23SRobert Elliott tristate 948f1f142adSRobert Elliott select CRYPTO_HASH 949f1f142adSRobert Elliott select CRYPTO_LIB_GF128MUL 950f1f142adSRobert Elliott help 951f1f142adSRobert Elliott POLYVAL hash function for HCTR2 952f1f142adSRobert Elliott 953f1f142adSRobert Elliott This is used in HCTR2. It is not a general-purpose 9543f342a23SRobert Elliott cryptographic hash function. 955f1f142adSRobert Elliott 956f1f142adSRobert Elliottconfig CRYPTO_POLY1305 9573f342a23SRobert Elliott tristate "Poly1305" 958f1f142adSRobert Elliott select CRYPTO_HASH 959f1f142adSRobert Elliott select CRYPTO_LIB_POLY1305_GENERIC 960f1f142adSRobert Elliott select CRYPTO_LIB_POLY1305_INTERNAL 961f1f142adSRobert Elliott help 962f1f142adSRobert Elliott Poly1305 authenticator algorithm (RFC7539) 963f1f142adSRobert Elliott 9643f342a23SRobert Elliott Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein. 965f1f142adSRobert Elliott It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use 966f1f142adSRobert Elliott in IETF protocols. This is the portable C implementation of Poly1305. 967f1f142adSRobert Elliott 9683f342a23SRobert Elliottconfig CRYPTO_RMD160 9693f342a23SRobert Elliott tristate "RIPEMD-160" 970f1f142adSRobert Elliott select CRYPTO_HASH 971f1f142adSRobert Elliott help 9723f342a23SRobert Elliott RIPEMD-160 hash function (ISO/IEC 10118-3) 973f1f142adSRobert Elliott 974f1f142adSRobert Elliott RIPEMD-160 is a 160-bit cryptographic hash function. It is intended 975f1f142adSRobert Elliott to be used as a secure replacement for the 128-bit hash functions 9763f342a23SRobert Elliott MD4, MD5 and its predecessor RIPEMD 977f1f142adSRobert Elliott (not to be confused with RIPEMD-128). 978f1f142adSRobert Elliott 9793f342a23SRobert Elliott Its speed is comparable to SHA-1 and there are no known attacks 980f1f142adSRobert Elliott against RIPEMD-160. 981f1f142adSRobert Elliott 982f1f142adSRobert Elliott Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel. 9833f342a23SRobert Elliott See https://homes.esat.kuleuven.be/~bosselae/ripemd160.html 984f1f142adSRobert Elliott for further information. 9853f342a23SRobert Elliott 9863f342a23SRobert Elliottconfig CRYPTO_SHA1 987f1f142adSRobert Elliott tristate "SHA-1" 988f1f142adSRobert Elliott select CRYPTO_HASH 9893f342a23SRobert Elliott select CRYPTO_LIB_SHA1 990f1f142adSRobert Elliott help 991f1f142adSRobert Elliott SHA-1 secure hash algorithm (FIPS 180, ISO/IEC 10118-3) 9923f342a23SRobert Elliott 993f1f142adSRobert Elliottconfig CRYPTO_SHA256 994f1f142adSRobert Elliott tristate "SHA-224 and SHA-256" 9953f342a23SRobert Elliott select CRYPTO_HASH 996f1f142adSRobert Elliott select CRYPTO_LIB_SHA256 997f1f142adSRobert Elliott help 9983f342a23SRobert Elliott SHA-224 and SHA-256 secure hash algorithms (FIPS 180, ISO/IEC 10118-3) 999f1f142adSRobert Elliott 1000f1f142adSRobert Elliott This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP). 1001f1f142adSRobert Elliott Used by the btrfs filesystem, Ceph, NFS, and SMB. 1002f1f142adSRobert Elliott 1003f1f142adSRobert Elliottconfig CRYPTO_SHA512 10043f342a23SRobert Elliott tristate "SHA-384 and SHA-512" 1005f1f142adSRobert Elliott select CRYPTO_HASH 1006f1f142adSRobert Elliott help 1007f1f142adSRobert Elliott SHA-384 and SHA-512 secure hash algorithms (FIPS 180, ISO/IEC 10118-3) 10083f342a23SRobert Elliott 10093f342a23SRobert Elliottconfig CRYPTO_SHA3 10103f342a23SRobert Elliott tristate "SHA-3" 1011f1f142adSRobert Elliott select CRYPTO_HASH 1012f1f142adSRobert Elliott help 1013f1f142adSRobert Elliott SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3) 1014f1f142adSRobert Elliott 1015f1f142adSRobert Elliottconfig CRYPTO_SM3 1016f1f142adSRobert Elliott tristate 10173f342a23SRobert Elliott 1018f1f142adSRobert Elliottconfig CRYPTO_SM3_GENERIC 1019f1f142adSRobert Elliott tristate "SM3 (ShangMi 3)" 10203f342a23SRobert Elliott select CRYPTO_HASH 10213f342a23SRobert Elliott select CRYPTO_SM3 10223f342a23SRobert Elliott help 10233f342a23SRobert Elliott SM3 (ShangMi 3) secure hash function (OSCCA GM/T 0004-2012, ISO/IEC 10118-3) 10243f342a23SRobert Elliott 1025f1f142adSRobert Elliott This is part of the Chinese Commercial Cryptography suite. 1026f1f142adSRobert Elliott 1027f1f142adSRobert Elliott References: 1028f1f142adSRobert Elliott http://www.oscca.gov.cn/UpFile/20101222141857786.pdf 1029f1f142adSRobert Elliott https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash 1030f1f142adSRobert Elliott 10313f342a23SRobert Elliottconfig CRYPTO_STREEBOG 1032f1f142adSRobert Elliott tristate "Streebog" 1033f1f142adSRobert Elliott select CRYPTO_HASH 10343f342a23SRobert Elliott help 10353f342a23SRobert Elliott Streebog Hash Function (GOST R 34.11-2012, RFC 6986, ISO/IEC 10118-3) 10363f342a23SRobert Elliott 1037f1f142adSRobert Elliott This is one of the Russian cryptographic standard algorithms (called 1038f1f142adSRobert Elliott GOST algorithms). This setting enables two hash algorithms with 1039f1f142adSRobert Elliott 256 and 512 bits output. 10403f342a23SRobert Elliott 10413f342a23SRobert Elliott References: 1042f1f142adSRobert Elliott https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf 1043f1f142adSRobert Elliott https://tools.ietf.org/html/rfc6986 10443f342a23SRobert Elliott 1045f1f142adSRobert Elliottconfig CRYPTO_WP512 1046f1f142adSRobert Elliott tristate "Whirlpool" 1047f1f142adSRobert Elliott select CRYPTO_HASH 10483f342a23SRobert Elliott help 10493f342a23SRobert Elliott Whirlpool hash function (ISO/IEC 10118-3) 1050f1f142adSRobert Elliott 1051f1f142adSRobert Elliott 512, 384 and 256-bit hashes. 10523f342a23SRobert Elliott 1053f1f142adSRobert Elliott Whirlpool-512 is part of the NESSIE cryptographic primitives. 1054f1f142adSRobert Elliott 1055f1f142adSRobert Elliott See https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html 10563f342a23SRobert Elliott for further information. 10573f342a23SRobert Elliott 10583f342a23SRobert Elliottconfig CRYPTO_XCBC 10593f342a23SRobert Elliott tristate "XCBC-MAC (Extended Cipher Block Chaining MAC)" 10603f342a23SRobert Elliott select CRYPTO_HASH 1061f1f142adSRobert Elliott select CRYPTO_MANAGER 1062f1f142adSRobert Elliott help 1063f1f142adSRobert Elliott XCBC-MAC (Extended Cipher Block Chaining Message Authentication 1064f1f142adSRobert Elliott Code) (RFC3566) 1065f1f142adSRobert Elliott 1066f1f142adSRobert Elliottconfig CRYPTO_XXHASH 1067ec84348dSRobert Elliott tristate "xxHash" 1068f1f142adSRobert Elliott select CRYPTO_HASH 1069f1f142adSRobert Elliott select XXHASH 1070f1f142adSRobert Elliott help 1071ec84348dSRobert Elliott xxHash non-cryptographic hash algorithm 1072ec84348dSRobert Elliott 1073ec84348dSRobert Elliott Extremely fast, working at speeds close to RAM limits. 1074ec84348dSRobert Elliott 1075ec84348dSRobert Elliott Used by the btrfs filesystem. 1076ec84348dSRobert Elliott 1077ec84348dSRobert Elliottendmenu 1078ec84348dSRobert Elliott 1079ec84348dSRobert Elliottmenu "CRCs (cyclic redundancy checks)" 1080f1f142adSRobert Elliott 1081f1f142adSRobert Elliottconfig CRYPTO_CRC32C 1082ec84348dSRobert Elliott tristate "CRC32c" 1083f1f142adSRobert Elliott select CRYPTO_HASH 1084f1f142adSRobert Elliott select CRC32 1085f1f142adSRobert Elliott help 1086ec84348dSRobert Elliott CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720) 1087ec84348dSRobert Elliott 1088ec84348dSRobert Elliott A 32-bit CRC (cyclic redundancy check) with a polynomial defined 1089f1f142adSRobert Elliott by G. Castagnoli, S. Braeuer and M. Herrman in "Optimization of Cyclic 1090f1f142adSRobert Elliott Redundancy-Check Codes with 24 and 32 Parity Bits", IEEE Transactions 1091ec84348dSRobert Elliott on Communications, Vol. 41, No. 6, June 1993, selected for use with 1092f1f142adSRobert Elliott iSCSI. 1093be3c45b0SEric Biggers 1094f1f142adSRobert Elliott Used by btrfs, ext4, jbd2, NVMeoF/TCP, and iSCSI. 1095ec84348dSRobert Elliott 1096ec84348dSRobert Elliottconfig CRYPTO_CRC32 1097ec84348dSRobert Elliott tristate "CRC32" 1098f1f142adSRobert Elliott select CRYPTO_HASH 1099f1f142adSRobert Elliott select CRC32 1100ec84348dSRobert Elliott help 1101f1f142adSRobert Elliott CRC32 CRC algorithm (IEEE 802.3) 1102f1f142adSRobert Elliott 1103ec84348dSRobert Elliott Used by RoCEv2 and f2fs. 1104ec84348dSRobert Elliott 1105ec84348dSRobert Elliottendmenu 1106ec84348dSRobert Elliott 1107ec84348dSRobert Elliottmenu "Compression" 1108ec84348dSRobert Elliott 1109f1f142adSRobert Elliottconfig CRYPTO_DEFLATE 1110f1f142adSRobert Elliott tristate "Deflate" 1111f1f142adSRobert Elliott select CRYPTO_ALGAPI 1112f1f142adSRobert Elliott select CRYPTO_ACOMP2 1113584fffc8SSebastian Siewior select ZLIB_INFLATE 11141da177e4SLinus Torvalds select ZLIB_DEFLATE 1115a9a98d49SRobert Elliott help 1116cce9e06dSHerbert Xu Deflate compression algorithm (RFC1951) 1117f6ded09dSGiovanni Cabiddu 11181da177e4SLinus Torvalds Used by IPSec with the IPCOMP protocol (RFC3173, RFC2394) 11191da177e4SLinus Torvalds 11201da177e4SLinus Torvaldsconfig CRYPTO_LZO 1121a9a98d49SRobert Elliott tristate "LZO" 11221da177e4SLinus Torvalds select CRYPTO_ALGAPI 1123a9a98d49SRobert Elliott select CRYPTO_ACOMP2 11241da177e4SLinus Torvalds select LZO_COMPRESS 11250b77abb3SZoltan Sogor select LZO_DECOMPRESS 1126a9a98d49SRobert Elliott help 11270b77abb3SZoltan Sogor LZO compression algorithm 1128ac9d2c4bSGiovanni Cabiddu 11290b77abb3SZoltan Sogor See https://www.oberhumer.com/opensource/lzo/ for further information. 11300b77abb3SZoltan Sogor 11310b77abb3SZoltan Sogorconfig CRYPTO_842 1132a9a98d49SRobert Elliott tristate "842" 1133a9a98d49SRobert Elliott select CRYPTO_ALGAPI 1134a9a98d49SRobert Elliott select CRYPTO_ACOMP2 11350b77abb3SZoltan Sogor select 842_COMPRESS 113635a1fc18SSeth Jennings select 842_DECOMPRESS 1137a9a98d49SRobert Elliott help 11382062c5b6SDan Streetman 842 compression algorithm by IBM 11396a8de3aeSGiovanni Cabiddu 11402062c5b6SDan Streetman See https://github.com/plauth/lib842 for further information. 11412062c5b6SDan Streetman 114235a1fc18SSeth Jenningsconfig CRYPTO_LZ4 1143a9a98d49SRobert Elliott tristate "LZ4" 1144a9a98d49SRobert Elliott select CRYPTO_ALGAPI 1145a9a98d49SRobert Elliott select CRYPTO_ACOMP2 114635a1fc18SSeth Jennings select LZ4_COMPRESS 11470ea8530dSChanho Min select LZ4_DECOMPRESS 1148a9a98d49SRobert Elliott help 11490ea8530dSChanho Min LZ4 compression algorithm 11508cd9330eSGiovanni Cabiddu 11510ea8530dSChanho Min See https://github.com/lz4/lz4 for further information. 11520ea8530dSChanho Min 11530ea8530dSChanho Minconfig CRYPTO_LZ4HC 1154a9a98d49SRobert Elliott tristate "LZ4HC" 1155a9a98d49SRobert Elliott select CRYPTO_ALGAPI 1156a9a98d49SRobert Elliott select CRYPTO_ACOMP2 11570ea8530dSChanho Min select LZ4HC_COMPRESS 11580ea8530dSChanho Min select LZ4_DECOMPRESS 1159a9a98d49SRobert Elliott help 11600ea8530dSChanho Min LZ4 high compression mode algorithm 116191d53d96SGiovanni Cabiddu 11620ea8530dSChanho Min See https://github.com/lz4/lz4 for further information. 11630ea8530dSChanho Min 11640ea8530dSChanho Minconfig CRYPTO_ZSTD 1165a9a98d49SRobert Elliott tristate "Zstd" 1166a9a98d49SRobert Elliott select CRYPTO_ALGAPI 1167a9a98d49SRobert Elliott select CRYPTO_ACOMP2 11680ea8530dSChanho Min select ZSTD_COMPRESS 1169d28fc3dbSNick Terrell select ZSTD_DECOMPRESS 1170a9a98d49SRobert Elliott help 1171d28fc3dbSNick Terrell zstd compression algorithm 1172d28fc3dbSNick Terrell 1173d28fc3dbSNick Terrell See https://github.com/facebook/zstd for further information. 1174d28fc3dbSNick Terrell 1175d28fc3dbSNick Terrellendmenu 1176a9a98d49SRobert Elliott 1177a9a98d49SRobert Elliottmenu "Random number generation" 1178a9a98d49SRobert Elliott 1179d28fc3dbSNick Terrellconfig CRYPTO_ANSI_CPRNG 1180f1f142adSRobert Elliott tristate "ANSI PRNG (Pseudo Random Number Generator)" 1181f1f142adSRobert Elliott select CRYPTO_AES 1182f1f142adSRobert Elliott select CRYPTO_RNG 118317f0f4a4SNeil Horman help 118417f0f4a4SNeil Horman Pseudo RNG (random number generator) (ANSI X9.31 Appendix A.2.4) 1185a9a98d49SRobert Elliott 118617f0f4a4SNeil Horman This uses the AES cipher algorithm. 118717f0f4a4SNeil Horman 118817f0f4a4SNeil Horman Note that this option must be enabled if CRYPTO_FIPS is selected 1189a9a98d49SRobert Elliott 1190a9a98d49SRobert Elliottmenuconfig CRYPTO_DRBG_MENU 1191a9a98d49SRobert Elliott tristate "NIST SP800-90A DRBG (Deterministic Random Bit Generator)" 1192a9a98d49SRobert Elliott help 1193a9a98d49SRobert Elliott DRBG (Deterministic Random Bit Generator) (NIST SP800-90A) 119417f0f4a4SNeil Horman 1195f2c89a10SHerbert Xu In the following submenu, one or more of the DRBG types must be selected. 1196a9a98d49SRobert Elliott 1197419090c6SStephan Muellerif CRYPTO_DRBG_MENU 1198a9a98d49SRobert Elliott 1199a9a98d49SRobert Elliottconfig CRYPTO_DRBG_HMAC 1200a9a98d49SRobert Elliott bool 1201419090c6SStephan Mueller default y 1202f2c89a10SHerbert Xu select CRYPTO_HMAC 1203419090c6SStephan Mueller select CRYPTO_SHA512 1204419090c6SStephan Mueller 1205401e4238SHerbert Xuconfig CRYPTO_DRBG_HASH 1206419090c6SStephan Mueller bool "Hash_DRBG" 1207419090c6SStephan Mueller select CRYPTO_SHA256 12085261cdf4SStephan Mueller help 1209419090c6SStephan Mueller Hash_DRBG variant as defined in NIST SP800-90A. 1210419090c6SStephan Mueller 1211a9a98d49SRobert Elliott This uses the SHA-1, SHA-256, SHA-384, or SHA-512 hash algorithms. 1212826775bbSHerbert Xu 1213419090c6SStephan Muellerconfig CRYPTO_DRBG_CTR 1214a9a98d49SRobert Elliott bool "CTR_DRBG" 1215a9a98d49SRobert Elliott select CRYPTO_AES 1216a9a98d49SRobert Elliott select CRYPTO_CTR 1217419090c6SStephan Mueller help 1218419090c6SStephan Mueller CTR_DRBG variant as defined in NIST SP800-90A. 1219a9a98d49SRobert Elliott 1220419090c6SStephan Mueller This uses the AES cipher algorithm with the counter block mode. 1221d6fc1a45SCorentin Labbe 1222419090c6SStephan Muellerconfig CRYPTO_DRBG 1223a9a98d49SRobert Elliott tristate 1224a9a98d49SRobert Elliott default CRYPTO_DRBG_MENU 1225a9a98d49SRobert Elliott select CRYPTO_RNG 1226419090c6SStephan Mueller select CRYPTO_JITTERENTROPY 1227f2c89a10SHerbert Xu 1228f2c89a10SHerbert Xuendif # if CRYPTO_DRBG_MENU 1229401e4238SHerbert Xu 1230f2c89a10SHerbert Xuconfig CRYPTO_JITTERENTROPY 1231bb5530e4SStephan Mueller tristate "CPU Jitter Non-Deterministic RNG (Random Number Generator)" 1232f2c89a10SHerbert Xu select CRYPTO_RNG 1233f2c89a10SHerbert Xu select CRYPTO_SHA3 1234419090c6SStephan Mueller help 1235bb5530e4SStephan Mueller CPU Jitter RNG (Random Number Generator) from the Jitterentropy library 1236a9a98d49SRobert Elliott 12372f313e02SArnd Bergmann A non-physical non-deterministic ("true") RNG (e.g., an entropy source 1238bb897c55SStephan Müller compliant with NIST SP800-90B) intended to provide a seed to a 1239bb5530e4SStephan Mueller deterministic RNG (e.g., per NIST SP800-90C). 1240a9a98d49SRobert Elliott This RNG does not perform any cryptographic whitening of the generated 1241a9a98d49SRobert Elliott random numbers. 1242a9a98d49SRobert Elliott 1243a9a98d49SRobert Elliott See https://www.chronox.de/jent/ 1244e63df1ecSRandy Dunlap 1245a9a98d49SRobert Elliottif CRYPTO_JITTERENTROPY 1246e63df1ecSRandy Dunlapif CRYPTO_FIPS && EXPERT 1247a9a98d49SRobert Elliott 1248e63df1ecSRandy Dunlapchoice 1249bb5530e4SStephan Mueller prompt "CPU Jitter RNG Memory Size" 1250e7ed6473SHerbert Xu default CRYPTO_JITTERENTROPY_MEMSIZE_2 1251e7ed6473SHerbert Xu help 1252e7ed6473SHerbert Xu The Jitter RNG measures the execution time of memory accesses. 125359bcfd78SStephan Müller Multiple consecutive memory accesses are performed. If the memory 125459bcfd78SStephan Müller size fits into a cache (e.g. L1), only the memory access timing 125559bcfd78SStephan Müller to that cache is measured. The closer the cache is to the CPU 125659bcfd78SStephan Müller the less variations are measured and thus the less entropy is 125759bcfd78SStephan Müller obtained. Thus, if the memory size fits into the L1 cache, the 125859bcfd78SStephan Müller obtained entropy is less than if the memory size fits within 125959bcfd78SStephan Müller L1 + L2, which in turn is less if the memory fits into 126059bcfd78SStephan Müller L1 + L2 + L3. Thus, by selecting a different memory size, 126159bcfd78SStephan Müller the entropy rate produced by the Jitter RNG can be modified. 126259bcfd78SStephan Müller 126359bcfd78SStephan Müller config CRYPTO_JITTERENTROPY_MEMSIZE_2 126459bcfd78SStephan Müller bool "2048 Bytes (default)" 126559bcfd78SStephan Müller 126659bcfd78SStephan Müller config CRYPTO_JITTERENTROPY_MEMSIZE_128 126759bcfd78SStephan Müller bool "128 kBytes" 126859bcfd78SStephan Müller 126959bcfd78SStephan Müller config CRYPTO_JITTERENTROPY_MEMSIZE_1024 127059bcfd78SStephan Müller bool "1024 kBytes" 127159bcfd78SStephan Müller 127259bcfd78SStephan Müller config CRYPTO_JITTERENTROPY_MEMSIZE_8192 127359bcfd78SStephan Müller bool "8192 kBytes" 127459bcfd78SStephan Müllerendchoice 127559bcfd78SStephan Müller 127659bcfd78SStephan Müllerconfig CRYPTO_JITTERENTROPY_MEMORY_BLOCKS 127759bcfd78SStephan Müller int 127859bcfd78SStephan Müller default 64 if CRYPTO_JITTERENTROPY_MEMSIZE_2 127959bcfd78SStephan Müller default 512 if CRYPTO_JITTERENTROPY_MEMSIZE_128 128059bcfd78SStephan Müller default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024 128159bcfd78SStephan Müller default 4096 if CRYPTO_JITTERENTROPY_MEMSIZE_8192 128259bcfd78SStephan Müller 128359bcfd78SStephan Müllerconfig CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE 128459bcfd78SStephan Müller int 128559bcfd78SStephan Müller default 32 if CRYPTO_JITTERENTROPY_MEMSIZE_2 128659bcfd78SStephan Müller default 256 if CRYPTO_JITTERENTROPY_MEMSIZE_128 128759bcfd78SStephan Müller default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024 128859bcfd78SStephan Müller default 2048 if CRYPTO_JITTERENTROPY_MEMSIZE_8192 128959bcfd78SStephan Müller 129059bcfd78SStephan Müllerconfig CRYPTO_JITTERENTROPY_OSR 129159bcfd78SStephan Müller int "CPU Jitter RNG Oversampling Rate" 129259bcfd78SStephan Müller range 1 15 129359bcfd78SStephan Müller default 3 129459bcfd78SStephan Müller help 12950baa8fabSStephan Müller The Jitter RNG allows the specification of an oversampling rate (OSR). 12960baa8fabSStephan Müller The Jitter RNG operation requires a fixed amount of timing 12970baa8fabSStephan Müller measurements to produce one output block of random numbers. The 129895a798d2SStephan Mueller OSR value is multiplied with the amount of timing measurements to 12990baa8fabSStephan Müller generate one output block. Thus, the timing measurement is oversampled 13000baa8fabSStephan Müller by the OSR factor. The oversampling allows the Jitter RNG to operate 13010baa8fabSStephan Müller on hardware whose timers deliver limited amount of entropy (e.g. 13020baa8fabSStephan Müller the timer is coarse) by setting the OSR to a higher value. The 13030baa8fabSStephan Müller trade-off, however, is that the Jitter RNG now requires more time 13040baa8fabSStephan Müller to generate random numbers. 13050baa8fabSStephan Müller 13060baa8fabSStephan Müllerconfig CRYPTO_JITTERENTROPY_TESTINTERFACE 13070baa8fabSStephan Müller bool "CPU Jitter RNG Test Interface" 13080baa8fabSStephan Müller help 13090baa8fabSStephan Müller The test interface allows a privileged process to capture 13100baa8fabSStephan Müller the raw unconditioned high resolution time stamp noise that 131169f1c387SStephan Müller is collected by the Jitter RNG for statistical analysis. As 131269f1c387SStephan Müller this data is used at the same time to generate random bits, 131369f1c387SStephan Müller the Jitter RNG operates in an insecure mode as long as the 131469f1c387SStephan Müller recording is enabled. This interface therefore is only 131569f1c387SStephan Müller intended for testing purposes and is not suitable for 131669f1c387SStephan Müller production systems. 131769f1c387SStephan Müller 131869f1c387SStephan Müller The raw noise data can be obtained using the jent_raw_hires 131969f1c387SStephan Müller debugfs file. Using the option 132069f1c387SStephan Müller jitterentropy_testing.boot_raw_hires_test=1 the raw noise of 132169f1c387SStephan Müller the first 1000 entropy events since boot can be sampled. 132269f1c387SStephan Müller 132369f1c387SStephan Müller If unsure, select N. 132469f1c387SStephan Müller 132569f1c387SStephan Müllerendif # if CRYPTO_FIPS && EXPERT 132669f1c387SStephan Müller 132769f1c387SStephan Müllerif !(CRYPTO_FIPS && EXPERT) 132869f1c387SStephan Müller 132969f1c387SStephan Müllerconfig CRYPTO_JITTERENTROPY_MEMORY_BLOCKS 1330e7ed6473SHerbert Xu int 1331e7ed6473SHerbert Xu default 64 1332e7ed6473SHerbert Xu 1333e7ed6473SHerbert Xuconfig CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE 1334e7ed6473SHerbert Xu int 1335e7ed6473SHerbert Xu default 32 1336e7ed6473SHerbert Xu 1337e7ed6473SHerbert Xuconfig CRYPTO_JITTERENTROPY_OSR 1338e7ed6473SHerbert Xu int 1339e7ed6473SHerbert Xu default 1 1340e7ed6473SHerbert Xu 1341e7ed6473SHerbert Xuconfig CRYPTO_JITTERENTROPY_TESTINTERFACE 1342e7ed6473SHerbert Xu bool 1343e7ed6473SHerbert Xu 1344e7ed6473SHerbert Xuendif # if !(CRYPTO_FIPS && EXPERT) 1345e7ed6473SHerbert Xuendif # if CRYPTO_JITTERENTROPY 1346e7ed6473SHerbert Xu 1347e7ed6473SHerbert Xuconfig CRYPTO_KDF800108_CTR 1348e7ed6473SHerbert Xu tristate 1349e7ed6473SHerbert Xu select CRYPTO_HMAC 1350e7ed6473SHerbert Xu select CRYPTO_SHA256 1351e7ed6473SHerbert Xu 1352026a733eSStephan Müllerendmenu 1353026a733eSStephan Müllermenu "Userspace interface" 1354a88592ccSHerbert Xu 1355304b4aceSStephan Müllerconfig CRYPTO_USER_API 1356026a733eSStephan Müller tristate 1357f1f142adSRobert Elliott 13589bc51715SRobert Elliottconfig CRYPTO_USER_API_HASH 1359f1f142adSRobert Elliott tristate "Hash algorithms" 136003c8efc1SHerbert Xu depends on NET 136103c8efc1SHerbert Xu select CRYPTO_HASH 136203c8efc1SHerbert Xu select CRYPTO_USER_API 1363fe869cdbSHerbert Xu help 13649bc51715SRobert Elliott Enable the userspace interface for hash algorithms. 13657451708fSHerbert Xu 1366fe869cdbSHerbert Xu See Documentation/crypto/userspace-if.rst and 1367fe869cdbSHerbert Xu https://www.chronox.de/libkcapi/html/index.html 1368fe869cdbSHerbert Xu 13699bc51715SRobert Elliottconfig CRYPTO_USER_API_SKCIPHER 13709bc51715SRobert Elliott tristate "Symmetric key cipher algorithms" 13719bc51715SRobert Elliott depends on NET 13729bc51715SRobert Elliott select CRYPTO_SKCIPHER 1373fe869cdbSHerbert Xu select CRYPTO_USER_API 13748ff59090SHerbert Xu help 13759bc51715SRobert Elliott Enable the userspace interface for symmetric key cipher algorithms. 13767451708fSHerbert Xu 1377b95bba5dSEric Biggers See Documentation/crypto/userspace-if.rst and 13788ff59090SHerbert Xu https://www.chronox.de/libkcapi/html/index.html 13798ff59090SHerbert Xu 13809bc51715SRobert Elliottconfig CRYPTO_USER_API_RNG 13819bc51715SRobert Elliott tristate "RNG (random number generator) algorithms" 13829bc51715SRobert Elliott depends on NET 13839bc51715SRobert Elliott select CRYPTO_RNG 13848ff59090SHerbert Xu select CRYPTO_USER_API 13852f375538SStephan Mueller help 13869bc51715SRobert Elliott Enable the userspace interface for RNG (random number generator) 13872f375538SStephan Mueller algorithms. 13882f375538SStephan Mueller 13892f375538SStephan Mueller See Documentation/crypto/userspace-if.rst and 13902f375538SStephan Mueller https://www.chronox.de/libkcapi/html/index.html 13919bc51715SRobert Elliott 13929bc51715SRobert Elliottconfig CRYPTO_USER_API_RNG_CAVP 13939bc51715SRobert Elliott bool "Enable CAVP testing of DRBG" 13949bc51715SRobert Elliott depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG 13959bc51715SRobert Elliott help 13962f375538SStephan Mueller Enable extra APIs in the userspace interface for NIST CAVP 139777ebdabeSElena Petrova (Cryptographic Algorithm Validation Program) testing: 139877ebdabeSElena Petrova - resetting DRBG entropy 139977ebdabeSElena Petrova - providing Additional Data 140077ebdabeSElena Petrova 14019bc51715SRobert Elliott This should only be enabled for CAVP testing. You should say 14029bc51715SRobert Elliott no unless you know what this is. 14039bc51715SRobert Elliott 14049bc51715SRobert Elliottconfig CRYPTO_USER_API_AEAD 14059bc51715SRobert Elliott tristate "AEAD cipher algorithms" 140677ebdabeSElena Petrova depends on NET 140777ebdabeSElena Petrova select CRYPTO_AEAD 140877ebdabeSElena Petrova select CRYPTO_SKCIPHER 1409b64a2d95SHerbert Xu select CRYPTO_NULL 14109bc51715SRobert Elliott select CRYPTO_USER_API 1411b64a2d95SHerbert Xu help 1412b64a2d95SHerbert Xu Enable the userspace interface for AEAD cipher algorithms. 1413b95bba5dSEric Biggers 141472548b09SStephan Mueller See Documentation/crypto/userspace-if.rst and 1415b64a2d95SHerbert Xu https://www.chronox.de/libkcapi/html/index.html 1416b64a2d95SHerbert Xu 14179bc51715SRobert Elliottconfig CRYPTO_USER_API_ENABLE_OBSOLETE 14189bc51715SRobert Elliott bool "Obsolete cryptographic algorithms" 14199bc51715SRobert Elliott depends on CRYPTO_USER_API 14209bc51715SRobert Elliott default y 1421b64a2d95SHerbert Xu help 14229ace6771SArd Biesheuvel Allow obsolete cryptographic algorithms to be selected that have 14239bc51715SRobert Elliott already been phased out from internal use by the kernel, and are 14249ace6771SArd Biesheuvel only useful for userspace clients that still rely on them. 14259ace6771SArd Biesheuvel 14269ace6771SArd Biesheuvelendmenu 14279ace6771SArd Biesheuvel 14289ace6771SArd Biesheuvelconfig CRYPTO_HASH_INFO 14299ace6771SArd Biesheuvel bool 14309ace6771SArd Biesheuvel 1431f1f142adSRobert Elliottif !KMSAN # avoid false positives from assembly 1432f1f142adSRobert Elliottif ARM 1433ee08997fSDmitry Kasatkinsource "arch/arm/crypto/Kconfig" 1434ee08997fSDmitry Kasatkinendif 1435ee08997fSDmitry Kasatkinif ARM64 143627bc50fcSLinus Torvaldssource "arch/arm64/crypto/Kconfig" 14374a329fecSRobert Elliottendif 14384a329fecSRobert Elliottif LOONGARCH 14394a329fecSRobert Elliottsource "arch/loongarch/crypto/Kconfig" 14404a329fecSRobert Elliottendif 14414a329fecSRobert Elliottif MIPS 14424a329fecSRobert Elliottsource "arch/mips/crypto/Kconfig" 14432f164822SMin Zhouendif 14442f164822SMin Zhouif PPC 14452f164822SMin Zhousource "arch/powerpc/crypto/Kconfig" 1446e45f710bSRobert Elliottendif 1447e45f710bSRobert Elliottif RISCV 1448e45f710bSRobert Elliottsource "arch/riscv/crypto/Kconfig" 14496a490a4eSRobert Elliottendif 14506a490a4eSRobert Elliottif S390 14516a490a4eSRobert Elliottsource "arch/s390/crypto/Kconfig" 1452178f3856SHeiko Stuebnerendif 1453178f3856SHeiko Stuebnerif SPARC 1454178f3856SHeiko Stuebnersource "arch/sparc/crypto/Kconfig" 1455c9d24c97SRobert Elliottendif 1456c9d24c97SRobert Elliottif X86 1457c9d24c97SRobert Elliottsource "arch/x86/crypto/Kconfig" 14580e9f9ea6SRobert Elliottendif 14590e9f9ea6SRobert Elliottendif 14600e9f9ea6SRobert Elliott 146128a936efSRobert Elliottsource "drivers/crypto/Kconfig" 146228a936efSRobert Elliottsource "crypto/asymmetric_keys/Kconfig" 146328a936efSRobert Elliottsource "certs/Kconfig" 146427bc50fcSLinus Torvaldssource "crypto/krb5/Kconfig" 1465e45f710bSRobert Elliott 14661da177e4SLinus Torvaldsendif # if CRYPTO 14678636a1f9SMasahiro Yamada