# SPDX-License-Identifier: GPL-2.0

menu "Accelerated Cryptographic Algorithms for CPU (arm)"

config CRYPTO_CURVE25519_NEON
	tristate "Public key crypto: Curve25519 (NEON)"
	depends on KERNEL_MODE_NEON
	select CRYPTO_LIB_CURVE25519_GENERIC
	select CRYPTO_ARCH_HAVE_LIB_CURVE25519
	help
	  Curve25519 algorithm

	  Architecture: arm with
	  - NEON (Advanced SIMD) extensions

config CRYPTO_GHASH_ARM_CE
	tristate "Hash functions: GHASH (PMULL/NEON/ARMv8 Crypto Extensions)"
	depends on KERNEL_MODE_NEON
	select CRYPTO_AEAD
	select CRYPTO_HASH
	select CRYPTO_CRYPTD
	select CRYPTO_LIB_AES
	select CRYPTO_LIB_GF128MUL
	help
	  GCM GHASH function (NIST SP800-38D)

	  Architecture: arm using
	  - PMULL (Polynomial Multiply Long) instructions
	  - NEON (Advanced SIMD) extensions
	  - ARMv8 Crypto Extensions

	  Use an implementation of GHASH (used by the GCM AEAD chaining mode)
	  that uses the 64x64 to 128 bit polynomial multiplication (vmull.p64)
	  that is part of the ARMv8 Crypto Extensions, or a slower variant that
	  uses the vmull.p8 instruction that is part of the basic NEON ISA.

config CRYPTO_NHPOLY1305_NEON
	tristate "Hash functions: NHPoly1305 (NEON)"
	depends on KERNEL_MODE_NEON
	select CRYPTO_NHPOLY1305
	help
	  NHPoly1305 hash function (Adiantum)

	  Architecture: arm using:
	  - NEON (Advanced SIMD) extensions

config CRYPTO_POLY1305_ARM
	tristate "Hash functions: Poly1305 (NEON)"
	select CRYPTO_HASH
	select CRYPTO_ARCH_HAVE_LIB_POLY1305
	help
	  Poly1305 authenticator algorithm (RFC7539)

	  Architecture: arm optionally using
	  - NEON (Advanced SIMD) extensions

config CRYPTO_BLAKE2S_ARM
	bool "Hash functions: BLAKE2s"
	select CRYPTO_ARCH_HAVE_LIB_BLAKE2S
	help
	  BLAKE2s cryptographic hash function (RFC 7693)

	  Architecture: arm

	  This is faster than the generic implementations of BLAKE2s and
	  BLAKE2b, but slower than the NEON implementation of BLAKE2b.
	  There is no NEON implementation of BLAKE2s, since NEON doesn't
	  really help with it.

config CRYPTO_BLAKE2B_NEON
	tristate "Hash functions: BLAKE2b (NEON)"
	depends on KERNEL_MODE_NEON
	select CRYPTO_BLAKE2B
	help
	  BLAKE2b cryptographic hash function (RFC 7693)

	  Architecture: arm using
	  - NEON (Advanced SIMD) extensions

	  BLAKE2b digest algorithm optimized with ARM NEON instructions.
	  On ARM processors that have NEON support but not the ARMv8
	  Crypto Extensions, typically this BLAKE2b implementation is
	  much faster than the SHA-2 family and slightly faster than
	  SHA-1.

config CRYPTO_SHA1_ARM
	tristate "Hash functions: SHA-1"
	select CRYPTO_SHA1
	select CRYPTO_HASH
	help
	  SHA-1 secure hash algorithm (FIPS 180)

	  Architecture: arm

config CRYPTO_SHA1_ARM_NEON
	tristate "Hash functions: SHA-1 (NEON)"
	depends on KERNEL_MODE_NEON
	select CRYPTO_SHA1_ARM
	select CRYPTO_SHA1
	select CRYPTO_HASH
	help
	  SHA-1 secure hash algorithm (FIPS 180)

	  Architecture: arm using
	  - NEON (Advanced SIMD) extensions

config CRYPTO_SHA1_ARM_CE
	tristate "Hash functions: SHA-1 (ARMv8 Crypto Extensions)"
	depends on KERNEL_MODE_NEON
	select CRYPTO_SHA1_ARM
	select CRYPTO_HASH
	help
	  SHA-1 secure hash algorithm (FIPS 180)

	  Architecture: arm using ARMv8 Crypto Extensions

config CRYPTO_SHA2_ARM_CE
	tristate "Hash functions: SHA-224 and SHA-256 (ARMv8 Crypto Extensions)"
	depends on KERNEL_MODE_NEON
	select CRYPTO_SHA256_ARM
	select CRYPTO_HASH
	help
	  SHA-224 and SHA-256 secure hash algorithms (FIPS 180)

	  Architecture: arm using
	  - ARMv8 Crypto Extensions

config CRYPTO_SHA256_ARM
	tristate "Hash functions: SHA-224 and SHA-256 (NEON)"
	select CRYPTO_HASH
	depends on !CPU_V7M
	help
	  SHA-224 and SHA-256 secure hash algorithms (FIPS 180)

	  Architecture: arm using
	  - NEON (Advanced SIMD) extensions

config CRYPTO_SHA512_ARM
	tristate "Hash functions: SHA-384 and SHA-512 (NEON)"
	select CRYPTO_HASH
	depends on !CPU_V7M
	help
	  SHA-384 and SHA-512 secure hash algorithms (FIPS 180)

	  Architecture: arm using
	  - NEON (Advanced SIMD) extensions

config CRYPTO_AES_ARM
	tristate "Ciphers: AES"
	select CRYPTO_ALGAPI
	select CRYPTO_AES
	help
	  Block ciphers: AES cipher algorithms (FIPS-197)

	  Architecture: arm

	  On ARM processors without the Crypto Extensions, this is the
	  fastest AES implementation for single blocks.  For multiple
	  blocks, the NEON bit-sliced implementation is usually faster.

	  This implementation may be vulnerable to cache timing attacks,
	  since it uses lookup tables.  However, as countermeasures it
	  disables IRQs and preloads the tables; it is hoped this makes
	  such attacks very difficult.

config CRYPTO_AES_ARM_BS
	tristate "Ciphers: AES, modes: ECB/CBC/CTR/XTS (bit-sliced NEON)"
	depends on KERNEL_MODE_NEON
	select CRYPTO_AES_ARM
	select CRYPTO_SKCIPHER
	select CRYPTO_LIB_AES
	select CRYPTO_SIMD
	help
	  Length-preserving ciphers: AES cipher algorithms (FIPS-197)
	  with block cipher modes:
	  - ECB (Electronic Codebook) mode (NIST SP800-38A)
	  - CBC (Cipher Block Chaining) mode (NIST SP800-38A)
	  - CTR (Counter) mode (NIST SP800-38A)
	  - XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
	    and IEEE 1619)

	  Bit sliced AES gives around 45% speedup on Cortex-A15 for CTR mode
	  and for XTS mode encryption, CBC and XTS mode decryption speedup is
	  around 25%. (CBC encryption speed is not affected by this driver.)

	  The bit sliced AES code does not use lookup tables, so it is believed
	  to be invulnerable to cache timing attacks. However, since the bit
	  sliced AES code cannot process single blocks efficiently, in certain
	  cases table-based code with some countermeasures against cache timing
	  attacks will still be used as a fallback method; specifically CBC
	  encryption (not CBC decryption), the encryption of XTS tweaks, XTS
	  ciphertext stealing when the message isn't a multiple of 16 bytes, and
	  CTR when invoked in a context in which NEON instructions are unusable.

config CRYPTO_AES_ARM_CE
	tristate "Ciphers: AES, modes: ECB/CBC/CTS/CTR/XTS (ARMv8 Crypto Extensions)"
	depends on KERNEL_MODE_NEON
	select CRYPTO_SKCIPHER
	select CRYPTO_LIB_AES
	select CRYPTO_SIMD
	help
	  Length-preserving ciphers: AES cipher algorithms (FIPS-197)
	  with block cipher modes:
	  - ECB (Electronic Codebook) mode (NIST SP800-38A)
	  - CBC (Cipher Block Chaining) mode (NIST SP800-38A)
	  - CTR (Counter) mode (NIST SP800-38A)
	  - CTS (Cipher Text Stealing) mode (NIST SP800-38A)
	  - XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
	    and IEEE 1619)

	  Architecture: arm using:
	  - ARMv8 Crypto Extensions

config CRYPTO_CHACHA20_NEON
	tristate "Ciphers: ChaCha20, XChaCha20, XChaCha12 (NEON)"
	select CRYPTO_SKCIPHER
	select CRYPTO_ARCH_HAVE_LIB_CHACHA
	help
	  Length-preserving ciphers: ChaCha20, XChaCha20, and XChaCha12
	  stream cipher algorithms

	  Architecture: arm using:
	  - NEON (Advanced SIMD) extensions

config CRYPTO_CRC32_ARM_CE
	tristate "CRC32C and CRC32"
	depends on KERNEL_MODE_NEON
	depends on CRC32
	select CRYPTO_HASH
	help
	  CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720)
	  and CRC32 CRC algorithm (IEEE 802.3)

	  Architecture: arm using:
	  - CRC and/or PMULL instructions

	  Drivers: crc32-arm-ce and crc32c-arm-ce

config CRYPTO_CRCT10DIF_ARM_CE
	tristate "CRCT10DIF"
	depends on KERNEL_MODE_NEON
	depends on CRC_T10DIF
	select CRYPTO_HASH
	help
	  CRC16 CRC algorithm used for the T10 (SCSI) Data Integrity Field (DIF)

	  Architecture: arm using:
	  - PMULL (Polynomial Multiply Long) instructions

endmenu