xref: /linux/arch/arm/crypto/Kconfig (revision 5abe8d8efc022cc78b6273d01e4a453242b9f4d8) 
1# SPDX-License-Identifier: GPL-2.0
2
3menu "Accelerated Cryptographic Algorithms for CPU (arm)"
4
5config CRYPTO_GHASH_ARM_CE
6	tristate "Hash functions: GHASH (PMULL/NEON/ARMv8 Crypto Extensions)"
7	depends on KERNEL_MODE_NEON
8	select CRYPTO_AEAD
9	select CRYPTO_HASH
10	select CRYPTO_CRYPTD
11	select CRYPTO_LIB_AES
12	select CRYPTO_LIB_GF128MUL
13	help
14	  GCM GHASH function (NIST SP800-38D)
15
16	  Architecture: arm using
17	  - PMULL (Polynomial Multiply Long) instructions
18	  - NEON (Advanced SIMD) extensions
19	  - ARMv8 Crypto Extensions
20
21	  Use an implementation of GHASH (used by the GCM AEAD chaining mode)
22	  that uses the 64x64 to 128 bit polynomial multiplication (vmull.p64)
23	  that is part of the ARMv8 Crypto Extensions, or a slower variant that
24	  uses the vmull.p8 instruction that is part of the basic NEON ISA.
25
26config CRYPTO_NHPOLY1305_NEON
27	tristate "Hash functions: NHPoly1305 (NEON)"
28	depends on KERNEL_MODE_NEON
29	select CRYPTO_NHPOLY1305
30	help
31	  NHPoly1305 hash function (Adiantum)
32
33	  Architecture: arm using:
34	  - NEON (Advanced SIMD) extensions
35
36config CRYPTO_AES_ARM
37	tristate "Ciphers: AES"
38	select CRYPTO_ALGAPI
39	select CRYPTO_AES
40	help
41	  Block ciphers: AES cipher algorithms (FIPS-197)
42
43	  Architecture: arm
44
45	  On ARM processors without the Crypto Extensions, this is the
46	  fastest AES implementation for single blocks.  For multiple
47	  blocks, the NEON bit-sliced implementation is usually faster.
48
49	  This implementation may be vulnerable to cache timing attacks,
50	  since it uses lookup tables.  However, as countermeasures it
51	  disables IRQs and preloads the tables; it is hoped this makes
52	  such attacks very difficult.
53
54config CRYPTO_AES_ARM_BS
55	tristate "Ciphers: AES, modes: ECB/CBC/CTR/XTS (bit-sliced NEON)"
56	depends on KERNEL_MODE_NEON
57	select CRYPTO_AES_ARM
58	select CRYPTO_SKCIPHER
59	select CRYPTO_LIB_AES
60	help
61	  Length-preserving ciphers: AES cipher algorithms (FIPS-197)
62	  with block cipher modes:
63	   - ECB (Electronic Codebook) mode (NIST SP800-38A)
64	   - CBC (Cipher Block Chaining) mode (NIST SP800-38A)
65	   - CTR (Counter) mode (NIST SP800-38A)
66	   - XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
67	     and IEEE 1619)
68
69	  Bit sliced AES gives around 45% speedup on Cortex-A15 for CTR mode
70	  and for XTS mode encryption, CBC and XTS mode decryption speedup is
71	  around 25%. (CBC encryption speed is not affected by this driver.)
72
73	  The bit sliced AES code does not use lookup tables, so it is believed
74	  to be invulnerable to cache timing attacks. However, since the bit
75	  sliced AES code cannot process single blocks efficiently, in certain
76	  cases table-based code with some countermeasures against cache timing
77	  attacks will still be used as a fallback method; specifically CBC
78	  encryption (not CBC decryption), the encryption of XTS tweaks, XTS
79	  ciphertext stealing when the message isn't a multiple of 16 bytes, and
80	  CTR when invoked in a context in which NEON instructions are unusable.
81
82config CRYPTO_AES_ARM_CE
83	tristate "Ciphers: AES, modes: ECB/CBC/CTS/CTR/XTS (ARMv8 Crypto Extensions)"
84	depends on KERNEL_MODE_NEON
85	select CRYPTO_SKCIPHER
86	select CRYPTO_LIB_AES
87	help
88	  Length-preserving ciphers: AES cipher algorithms (FIPS-197)
89	   with block cipher modes:
90	   - ECB (Electronic Codebook) mode (NIST SP800-38A)
91	   - CBC (Cipher Block Chaining) mode (NIST SP800-38A)
92	   - CTR (Counter) mode (NIST SP800-38A)
93	   - CTS (Cipher Text Stealing) mode (NIST SP800-38A)
94	   - XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
95	     and IEEE 1619)
96
97	  Architecture: arm using:
98	  - ARMv8 Crypto Extensions
99
100endmenu
101
102