xref: /linux/arch/arm/crypto/Kconfig (revision 13150742b09e720fdf021de14cd2b98b37415a89)
# SPDX-License-Identifier: GPL-2.0

# Accelerated crypto options for 32-bit arm. Every entry in this menu except
# CRYPTO_AES_ARM depends on KERNEL_MODE_NEON.
menu "Accelerated Cryptographic Algorithms for CPU (arm)"

# NEON implementation of Curve25519. The tristate below has no prompt
# string, so this symbol is not offered in the menu: its value comes from
# the "default" line (it follows CRYPTO_LIB_CURVE25519_INTERNAL) or from
# another symbol selecting it.
# NOTE(review): CRYPTO_ARCH_HAVE_LIB_CURVE25519 presumably tells the crypto
# library that an arch-specific Curve25519 exists; the generic library code
# is selected as well -- confirm how callers choose between the two.
config CRYPTO_CURVE25519_NEON
	tristate
	depends on KERNEL_MODE_NEON
	select CRYPTO_KPP
	select CRYPTO_LIB_CURVE25519_GENERIC
	select CRYPTO_ARCH_HAVE_LIB_CURVE25519
	default CRYPTO_LIB_CURVE25519_INTERNAL
	help
	  Curve25519 algorithm

	  Architecture: arm with
	  - NEON (Advanced SIMD) extensions

# GHASH for GCM. Kconfig only requires KERNEL_MODE_NEON; per the help text
# the code has a vmull.p64 (Crypto Extensions) path and a slower vmull.p8
# (plain NEON) path.
# NOTE(review): how the path is chosen is not visible here -- presumably at
# run time from CPU features; confirm in the driver.
# NOTE(review): CRYPTO_AEAD and CRYPTO_LIB_AES are selected next to
# CRYPTO_HASH, which suggests the driver also provides a GCM AEAD and not
# only the bare hash -- confirm.
config CRYPTO_GHASH_ARM_CE
	tristate "Hash functions: GHASH (PMULL/NEON/ARMv8 Crypto Extensions)"
	depends on KERNEL_MODE_NEON
	select CRYPTO_AEAD
	select CRYPTO_HASH
	select CRYPTO_CRYPTD
	select CRYPTO_LIB_AES
	select CRYPTO_LIB_GF128MUL
	help
	  GCM GHASH function (NIST SP800-38D)

	  Architecture: arm using
	  - PMULL (Polynomial Multiply Long) instructions
	  - NEON (Advanced SIMD) extensions
	  - ARMv8 Crypto Extensions

	  Use an implementation of GHASH (used by the GCM AEAD chaining mode)
	  that uses the 64x64 to 128 bit polynomial multiplication (vmull.p64)
	  that is part of the ARMv8 Crypto Extensions, or a slower variant that
	  uses the vmull.p8 instruction that is part of the basic NEON ISA.

# NHPoly1305, the hash function named for Adiantum in the help text.
# This entry requires KERNEL_MODE_NEON and selects CRYPTO_NHPOLY1305.
config CRYPTO_NHPOLY1305_NEON
	tristate "Hash functions: NHPoly1305 (NEON)"
	depends on KERNEL_MODE_NEON
	select CRYPTO_NHPOLY1305
	help
	  NHPoly1305 hash function (Adiantum)

	  Architecture: arm using:
	  - NEON (Advanced SIMD) extensions

# BLAKE2b accelerated with NEON; selects CRYPTO_BLAKE2B.
# The SHA-1 / SHA-2 comparison in the help text is a throughput statement
# for CPUs without the ARMv8 Crypto Extensions; it makes no claim about the
# relative security of those hash functions.
config CRYPTO_BLAKE2B_NEON
	tristate "Hash functions: BLAKE2b (NEON)"
	depends on KERNEL_MODE_NEON
	select CRYPTO_BLAKE2B
	help
	  BLAKE2b cryptographic hash function (RFC 7693)

	  Architecture: arm using
	  - NEON (Advanced SIMD) extensions

	  BLAKE2b digest algorithm optimized with ARM NEON instructions.
	  On ARM processors that have NEON support but not the ARMv8
	  Crypto Extensions, typically this BLAKE2b implementation is
	  much faster than the SHA-2 family and slightly faster than
	  SHA-1.

# Table-based AES for arm; the only entry in this menu without a
# KERNEL_MODE_NEON dependency.
# Security-relevant: the help text states that the lookup tables may leak
# through cache timing, and that disabling IRQs and preloading the tables is
# a countermeasure that is "hoped" to make such attacks very difficult. It
# is not described as a constant-time implementation.
# CRYPTO_AES_ARM_BS selects this symbol, so enabling the bit-sliced driver
# also builds this code.
config CRYPTO_AES_ARM
	tristate "Ciphers: AES"
	select CRYPTO_ALGAPI
	select CRYPTO_AES
	help
	  Block ciphers: AES cipher algorithms (FIPS-197)

	  Architecture: arm

	  On ARM processors without the Crypto Extensions, this is the
	  fastest AES implementation for single blocks.  For multiple
	  blocks, the NEON bit-sliced implementation is usually faster.

	  This implementation may be vulnerable to cache timing attacks,
	  since it uses lookup tables.  However, as countermeasures it
	  disables IRQs and preloads the tables; it is hoped this makes
	  such attacks very difficult.

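# Bit-sliced NEON AES. The bit-sliced code uses no lookup tables, but this
# entry selects CRYPTO_AES_ARM, and the help text lists the cases that still
# run table-based code with countermeasures: CBC encryption, XTS tweak
# encryption, XTS ciphertext stealing, and CTR when NEON is unusable.
# Treat those paths as carrying the cache-timing caveat documented for
# CRYPTO_AES_ARM.
# NOTE(review): CRYPTO_LIB_AES is selected as well; which fallback uses the
# library code and which uses CRYPTO_AES_ARM is not visible here -- confirm.
config CRYPTO_AES_ARM_BS
	tristate "Ciphers: AES, modes: ECB/CBC/CTR/XTS (bit-sliced NEON)"
	depends on KERNEL_MODE_NEON
	select CRYPTO_AES_ARM
	select CRYPTO_SKCIPHER
	select CRYPTO_LIB_AES
	help
	  Length-preserving ciphers: AES cipher algorithms (FIPS-197)
	  with block cipher modes:
	   - ECB (Electronic Codebook) mode (NIST SP800-38A)
	   - CBC (Cipher Block Chaining) mode (NIST SP800-38A)
	   - CTR (Counter) mode (NIST SP800-38A)
	   - XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
	     and IEEE 1619)

	  Architecture: arm using:
	  - NEON (Advanced SIMD) extensions

	  Bit sliced AES gives around 45% speedup on Cortex-A15 for CTR mode
	  and for XTS mode encryption; for CBC and XTS mode decryption the
	  speedup is around 25%. (CBC encryption speed is not affected by this
	  driver.)

	  The bit sliced AES code does not use lookup tables, so it is believed
	  to be invulnerable to cache timing attacks. However, since the bit
	  sliced AES code cannot process single blocks efficiently, in certain
	  cases table-based code with some countermeasures against cache timing
	  attacks will still be used as a fallback method; specifically CBC
	  encryption (not CBC decryption), the encryption of XTS tweaks, XTS
	  ciphertext stealing when the message isn't a multiple of 16 bytes, and
	  CTR when invoked in a context in which NEON instructions are unusable.
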
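# AES using the ARMv8 Crypto Extensions. Unlike CRYPTO_AES_ARM_BS, this
# entry does not select the table-based CRYPTO_AES_ARM driver.
# NOTE(review): CRYPTO_LIB_AES is selected, and the help text says nothing
# about cache-timing behaviour or about what runs when NEON is unusable --
# confirm in the driver where the library AES code is used.
config CRYPTO_AES_ARM_CE
	tristate "Ciphers: AES, modes: ECB/CBC/CTS/CTR/XTS (ARMv8 Crypto Extensions)"
	depends on KERNEL_MODE_NEON
	select CRYPTO_SKCIPHER
	select CRYPTO_LIB_AES
	help
	  Length-preserving ciphers: AES cipher algorithms (FIPS-197)
	  with block cipher modes:
	   - ECB (Electronic Codebook) mode (NIST SP800-38A)
	   - CBC (Cipher Block Chaining) mode (NIST SP800-38A)
	   - CTR (Counter) mode (NIST SP800-38A)
	   - CTS (Cipher Text Stealing) mode (NIST SP800-38A)
	   - XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
	     and IEEE 1619)

	  Architecture: arm using:
	  - ARMv8 Crypto Extensions
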
# Closes the "Accelerated Cryptographic Algorithms for CPU (arm)" menu.
endmenu