xref: /linux/arch/arm/crypto/Kconfig (revision d8768fb12a14c30436bd0466b4fc28edeef45078)
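# SPDX-License-Identifier: GPL-2.0

# Every option inside this menu is an arm-specific implementation of a
# primitive from the kernel crypto API. The help texts carry the side-channel
# caveats for each implementation.
menu "Accelerated Cryptographic Algorithms for CPU (arm)"
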
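# GHASH is the keyed universal hash used inside GCM. It is not a
# general-purpose cryptographic hash and is only meaningful as part of that
# AEAD construction.
# Both variants named in the help text (vmull.p64 and vmull.p8) are SIMD
# polynomial-multiply instructions, hence the KERNEL_MODE_NEON dependency.
# NOTE(review): how the driver chooses between the two variants, and what it
# does when NEON cannot be used, is not visible from this file -- confirm in
# the driver source before relying on constant-time behaviour.
config CRYPTO_GHASH_ARM_CE
	tristate "Hash functions: GHASH (PMULL/NEON/ARMv8 Crypto Extensions)"
	depends on KERNEL_MODE_NEON
	# The selects below are unconditional: enabling this option always
	# pulls in the AEAD, hash and cryptd infrastructure and the AES and
	# GF128MUL library code.
	select CRYPTO_AEAD
	select CRYPTO_HASH
	select CRYPTO_CRYPTD
	select CRYPTO_LIB_AES
	select CRYPTO_LIB_GF128MUL
	help
	  GCM GHASH function (NIST SP800-38D)

	  Architecture: arm using
	  - PMULL (Polynomial Multiply Long) instructions
	  - NEON (Advanced SIMD) extensions
	  - ARMv8 Crypto Extensions

	  Use an implementation of GHASH (used by the GCM AEAD chaining mode)
	  that uses the 64x64 to 128 bit polynomial multiplication (vmull.p64)
	  that is part of the ARMv8 Crypto Extensions, or a slower variant that
	  uses the vmull.p8 instruction that is part of the basic NEON ISA.
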
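# NHPoly1305 is the keyed hash component of Adiantum (per the help text). It
# is not a general-purpose digest and should not be used as one.
# NOTE(review): CRYPTO_NHPOLY1305 is selected alongside the NEON code; whether
# it serves as the fallback when NEON is unusable is not visible from this
# file -- confirm in the driver source.
config CRYPTO_NHPOLY1305_NEON
	tristate "Hash functions: NHPoly1305 (NEON)"
	depends on KERNEL_MODE_NEON
	select CRYPTO_NHPOLY1305
	help
	  NHPoly1305 hash function (Adiantum)

	  Architecture: arm using:
	  - NEON (Advanced SIMD) extensions
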
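# NEON-accelerated BLAKE2b. The comparison with SHA-1 and SHA-2 in the help
# text is about throughput only. SHA-1 has known practical collisions, so
# "slightly faster than SHA-1" is a performance statement, not a statement
# that the two are interchangeable from a security point of view.
config CRYPTO_BLAKE2B_NEON
	tristate "Hash functions: BLAKE2b (NEON)"
	depends on KERNEL_MODE_NEON
	select CRYPTO_BLAKE2B
	help
	  BLAKE2b cryptographic hash function (RFC 7693)

	  Architecture: arm using
	  - NEON (Advanced SIMD) extensions

	  BLAKE2b digest algorithm optimized with ARM NEON instructions.
	  On ARM processors that have NEON support but not the ARMv8
	  Crypto Extensions, typically this BLAKE2b implementation is
	  much faster than the SHA-2 family and slightly faster than
	  SHA-1.
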
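# Scalar, table-based AES. There is no KERNEL_MODE_NEON dependency, so this
# option can be enabled on any arm configuration.
# Security note: per the help text, the lookup tables are a potential
# cache-timing side channel. The countermeasures (IRQs disabled, tables
# preloaded) are described there as best-effort, not as a guarantee. Where
# cache-timing is in the threat model, prefer an implementation that avoids
# lookup tables for bulk data, such as the bit-sliced NEON driver
# (CRYPTO_AES_ARM_BS), and read that option's fallback list.
config CRYPTO_AES_ARM
	tristate "Ciphers: AES"
	select CRYPTO_ALGAPI
	select CRYPTO_AES
	help
	  Block ciphers: AES cipher algorithms (FIPS-197)

	  Architecture: arm

	  On ARM processors without the Crypto Extensions, this is the
	  fastest AES implementation for single blocks.  For multiple
	  blocks, the NEON bit-sliced implementation is usually faster.

	  This implementation may be vulnerable to cache timing attacks,
	  since it uses lookup tables.  However, as countermeasures it
	  disables IRQs and preloads the tables; it is hoped this makes
	  such attacks very difficult.
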
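# Bit-sliced NEON AES. Per the help text, the bulk path uses no lookup tables.
# Security note: enabling this option does NOT remove table-based AES from
# the data path. The help text lists the cases that still fall back to
# table-based code: CBC encryption, XTS tweak encryption, XTS ciphertext
# stealing, and CTR when NEON is unusable. Take these into account when
# assessing cache-timing exposure.
config CRYPTO_AES_ARM_BS
	tristate "Ciphers: AES, modes: ECB/CBC/CTR/XTS (bit-sliced NEON)"
	depends on KERNEL_MODE_NEON
	# Presumably this provides the table-based fallback (with its
	# countermeasures) that the help text describes -- confirm against
	# the driver source.
	select CRYPTO_AES_ARM
	select CRYPTO_SKCIPHER
	select CRYPTO_LIB_AES
	help
	  Length-preserving ciphers: AES cipher algorithms (FIPS-197)
	  with block cipher modes:
	   - ECB (Electronic Codebook) mode (NIST SP800-38A)
	   - CBC (Cipher Block Chaining) mode (NIST SP800-38A)
	   - CTR (Counter) mode (NIST SP800-38A)
	   - XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
	     and IEEE 1619)

	  Bit sliced AES gives around 45% speedup on Cortex-A15 for CTR mode
	  and for XTS mode encryption, CBC and XTS mode decryption speedup is
	  around 25%. (CBC encryption speed is not affected by this driver.)

	  The bit sliced AES code does not use lookup tables, so it is believed
	  to be invulnerable to cache timing attacks. However, since the bit
	  sliced AES code cannot process single blocks efficiently, in certain
	  cases table-based code with some countermeasures against cache timing
	  attacks will still be used as a fallback method; specifically CBC
	  encryption (not CBC decryption), the encryption of XTS tweaks, XTS
	  ciphertext stealing when the message isn't a multiple of 16 bytes, and
	  CTR when invoked in a context in which NEON instructions are unusable.
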
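# AES using the ARMv8 Crypto Extensions, as stated in the help text.
# NOTE(review): CRYPTO_LIB_AES is selected as well. Whether the library code
# is used as a fallback when NEON is unusable is not visible from this file,
# so confirm in the driver source before assuming every path uses the
# hardware instructions.
config CRYPTO_AES_ARM_CE
	tristate "Ciphers: AES, modes: ECB/CBC/CTS/CTR/XTS (ARMv8 Crypto Extensions)"
	depends on KERNEL_MODE_NEON
	select CRYPTO_SKCIPHER
	select CRYPTO_LIB_AES
	help
	  Length-preserving ciphers: AES cipher algorithms (FIPS-197)
	  with block cipher modes:
	   - ECB (Electronic Codebook) mode (NIST SP800-38A)
	   - CBC (Cipher Block Chaining) mode (NIST SP800-38A)
	   - CTR (Counter) mode (NIST SP800-38A)
	   - CTS (Cipher Text Stealing) mode (NIST SP800-38A)
	   - XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
	     and IEEE 1619)

	  Architecture: arm using:
	  - ARMv8 Crypto Extensions
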
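# Closes the "Accelerated Cryptographic Algorithms for CPU (arm)" menu.
endmenu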