1# SPDX-License-Identifier: GPL-2.0 2 3menu "Accelerated Cryptographic Algorithms for CPU (arm)" 4 5config CRYPTO_GHASH_ARM_CE 6 tristate "Hash functions: GHASH (PMULL/NEON/ARMv8 Crypto Extensions)" 7 depends on KERNEL_MODE_NEON 8 select CRYPTO_AEAD 9 select CRYPTO_HASH 10 select CRYPTO_CRYPTD 11 select CRYPTO_LIB_AES 12 select CRYPTO_LIB_GF128MUL 13 help 14 GCM GHASH function (NIST SP800-38D) 15 16 Architecture: arm using 17 - PMULL (Polynomial Multiply Long) instructions 18 - NEON (Advanced SIMD) extensions 19 - ARMv8 Crypto Extensions 20 21 Use an implementation of GHASH (used by the GCM AEAD chaining mode) 22 that uses the 64x64 to 128 bit polynomial multiplication (vmull.p64) 23 that is part of the ARMv8 Crypto Extensions, or a slower variant that 24 uses the vmull.p8 instruction that is part of the basic NEON ISA. 25 26config CRYPTO_NHPOLY1305_NEON 27 tristate "Hash functions: NHPoly1305 (NEON)" 28 depends on KERNEL_MODE_NEON 29 select CRYPTO_NHPOLY1305 30 help 31 NHPoly1305 hash function (Adiantum) 32 33 Architecture: arm using: 34 - NEON (Advanced SIMD) extensions 35 36config CRYPTO_BLAKE2B_NEON 37 tristate "Hash functions: BLAKE2b (NEON)" 38 depends on KERNEL_MODE_NEON 39 select CRYPTO_BLAKE2B 40 help 41 BLAKE2b cryptographic hash function (RFC 7693) 42 43 Architecture: arm using 44 - NEON (Advanced SIMD) extensions 45 46 BLAKE2b digest algorithm optimized with ARM NEON instructions. 47 On ARM processors that have NEON support but not the ARMv8 48 Crypto Extensions, typically this BLAKE2b implementation is 49 much faster than the SHA-2 family and slightly faster than 50 SHA-1. 51 52config CRYPTO_AES_ARM 53 tristate "Ciphers: AES" 54 select CRYPTO_ALGAPI 55 select CRYPTO_AES 56 help 57 Block ciphers: AES cipher algorithms (FIPS-197) 58 59 Architecture: arm 60 61 On ARM processors without the Crypto Extensions, this is the 62 fastest AES implementation for single blocks. For multiple 63 blocks, the NEON bit-sliced implementation is usually faster. 64 65 This implementation may be vulnerable to cache timing attacks, 66 since it uses lookup tables. However, as countermeasures it 67 disables IRQs and preloads the tables; it is hoped this makes 68 such attacks very difficult. 69 70config CRYPTO_AES_ARM_BS 71 tristate "Ciphers: AES, modes: ECB/CBC/CTR/XTS (bit-sliced NEON)" 72 depends on KERNEL_MODE_NEON 73 select CRYPTO_AES_ARM 74 select CRYPTO_SKCIPHER 75 select CRYPTO_LIB_AES 76 help 77 Length-preserving ciphers: AES cipher algorithms (FIPS-197) 78 with block cipher modes: 79 - ECB (Electronic Codebook) mode (NIST SP800-38A) 80 - CBC (Cipher Block Chaining) mode (NIST SP800-38A) 81 - CTR (Counter) mode (NIST SP800-38A) 82 - XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E 83 and IEEE 1619) 84 85 Bit sliced AES gives around 45% speedup on Cortex-A15 for CTR mode 86 and for XTS mode encryption, CBC and XTS mode decryption speedup is 87 around 25%. (CBC encryption speed is not affected by this driver.) 88 89 The bit sliced AES code does not use lookup tables, so it is believed 90 to be invulnerable to cache timing attacks. However, since the bit 91 sliced AES code cannot process single blocks efficiently, in certain 92 cases table-based code with some countermeasures against cache timing 93 attacks will still be used as a fallback method; specifically CBC 94 encryption (not CBC decryption), the encryption of XTS tweaks, XTS 95 ciphertext stealing when the message isn't a multiple of 16 bytes, and 96 CTR when invoked in a context in which NEON instructions are unusable. 97 98config CRYPTO_AES_ARM_CE 99 tristate "Ciphers: AES, modes: ECB/CBC/CTS/CTR/XTS (ARMv8 Crypto Extensions)" 100 depends on KERNEL_MODE_NEON 101 select CRYPTO_SKCIPHER 102 select CRYPTO_LIB_AES 103 help 104 Length-preserving ciphers: AES cipher algorithms (FIPS-197) 105 with block cipher modes: 106 - ECB (Electronic Codebook) mode (NIST SP800-38A) 107 - CBC (Cipher Block Chaining) mode (NIST SP800-38A) 108 - CTR (Counter) mode (NIST SP800-38A) 109 - CTS (Cipher Text Stealing) mode (NIST SP800-38A) 110 - XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E 111 and IEEE 1619) 112 113 Architecture: arm using: 114 - ARMv8 Crypto Extensions 115 116endmenu 117 118