1b2441318SGreg Kroah-Hartman# SPDX-License-Identifier: GPL-2.0 2652ccae5SArd Biesheuvel 34a329fecSRobert Elliottmenu "Accelerated Cryptographic Algorithms for CPU (arm)" 4652ccae5SArd Biesheuvel 54a95d4aeSRobert Elliottconfig CRYPTO_CURVE25519_NEON 605b37465SRobert Elliott tristate "Public key crypto: Curve25519 (NEON)" 74a95d4aeSRobert Elliott depends on KERNEL_MODE_NEON 84a95d4aeSRobert Elliott select CRYPTO_LIB_CURVE25519_GENERIC 94a95d4aeSRobert Elliott select CRYPTO_ARCH_HAVE_LIB_CURVE25519 1005b37465SRobert Elliott help 1105b37465SRobert Elliott Curve25519 algorithm 1205b37465SRobert Elliott 1305b37465SRobert Elliott Architecture: arm with 1405b37465SRobert Elliott - NEON (Advanced SIMD) extensions 154a95d4aeSRobert Elliott 164a95d4aeSRobert Elliottconfig CRYPTO_GHASH_ARM_CE 17*3f342a23SRobert Elliott tristate "Hash functions: GHASH (PMULL/NEON/ARMv8 Crypto Extensions)" 184a95d4aeSRobert Elliott depends on KERNEL_MODE_NEON 194a95d4aeSRobert Elliott select CRYPTO_HASH 204a95d4aeSRobert Elliott select CRYPTO_CRYPTD 214a95d4aeSRobert Elliott select CRYPTO_GF128MUL 224a95d4aeSRobert Elliott help 23*3f342a23SRobert Elliott GCM GHASH function (NIST SP800-38D) 24*3f342a23SRobert Elliott 25*3f342a23SRobert Elliott Architecture: arm using 26*3f342a23SRobert Elliott - PMULL (Polynomial Multiply Long) instructions 27*3f342a23SRobert Elliott - NEON (Advanced SIMD) extensions 28*3f342a23SRobert Elliott - ARMv8 Crypto Extensions 29*3f342a23SRobert Elliott 304a95d4aeSRobert Elliott Use an implementation of GHASH (used by the GCM AEAD chaining mode) 314a95d4aeSRobert Elliott that uses the 64x64 to 128 bit polynomial multiplication (vmull.p64) 324a95d4aeSRobert Elliott that is part of the ARMv8 Crypto Extensions, or a slower variant that 334a95d4aeSRobert Elliott uses the vmull.p8 instruction that is part of the basic NEON ISA. 344a95d4aeSRobert Elliott 354a95d4aeSRobert Elliottconfig CRYPTO_NHPOLY1305_NEON 36*3f342a23SRobert Elliott tristate "Hash functions: NHPoly1305 (NEON)" 374a95d4aeSRobert Elliott depends on KERNEL_MODE_NEON 384a95d4aeSRobert Elliott select CRYPTO_NHPOLY1305 39*3f342a23SRobert Elliott help 40*3f342a23SRobert Elliott NHPoly1305 hash function (Adiantum) 41*3f342a23SRobert Elliott 42*3f342a23SRobert Elliott Architecture: arm using: 43*3f342a23SRobert Elliott - NEON (Advanced SIMD) extensions 444a95d4aeSRobert Elliott 454a95d4aeSRobert Elliottconfig CRYPTO_POLY1305_ARM 46*3f342a23SRobert Elliott tristate "Hash functions: Poly1305 (NEON)" 474a95d4aeSRobert Elliott select CRYPTO_HASH 484a95d4aeSRobert Elliott select CRYPTO_ARCH_HAVE_LIB_POLY1305 49*3f342a23SRobert Elliott help 50*3f342a23SRobert Elliott Poly1305 authenticator algorithm (RFC7539) 51*3f342a23SRobert Elliott 52*3f342a23SRobert Elliott Architecture: arm optionally using 53*3f342a23SRobert Elliott - NEON (Advanced SIMD) extensions 544a95d4aeSRobert Elliott 554a95d4aeSRobert Elliottconfig CRYPTO_BLAKE2S_ARM 56*3f342a23SRobert Elliott bool "Hash functions: BLAKE2s" 574a95d4aeSRobert Elliott select CRYPTO_ARCH_HAVE_LIB_BLAKE2S 584a95d4aeSRobert Elliott help 59*3f342a23SRobert Elliott BLAKE2s cryptographic hash function (RFC 7693) 60*3f342a23SRobert Elliott 61*3f342a23SRobert Elliott Architecture: arm 62*3f342a23SRobert Elliott 63*3f342a23SRobert Elliott This is faster than the generic implementations of BLAKE2s and 64*3f342a23SRobert Elliott BLAKE2b, but slower than the NEON implementation of BLAKE2b. 65*3f342a23SRobert Elliott There is no NEON implementation of BLAKE2s, since NEON doesn't 66*3f342a23SRobert Elliott really help with it. 674a95d4aeSRobert Elliott 684a95d4aeSRobert Elliottconfig CRYPTO_BLAKE2B_NEON 69*3f342a23SRobert Elliott tristate "Hash functions: BLAKE2b (NEON)" 704a95d4aeSRobert Elliott depends on KERNEL_MODE_NEON 714a95d4aeSRobert Elliott select CRYPTO_BLAKE2B 724a95d4aeSRobert Elliott help 73*3f342a23SRobert Elliott BLAKE2b cryptographic hash function (RFC 7693) 74*3f342a23SRobert Elliott 75*3f342a23SRobert Elliott Architecture: arm using 76*3f342a23SRobert Elliott - NEON (Advanced SIMD) extensions 77*3f342a23SRobert Elliott 784a95d4aeSRobert Elliott BLAKE2b digest algorithm optimized with ARM NEON instructions. 794a95d4aeSRobert Elliott On ARM processors that have NEON support but not the ARMv8 804a95d4aeSRobert Elliott Crypto Extensions, typically this BLAKE2b implementation is 81*3f342a23SRobert Elliott much faster than the SHA-2 family and slightly faster than 82*3f342a23SRobert Elliott SHA-1. 834a95d4aeSRobert Elliott 84652ccae5SArd Biesheuvelconfig CRYPTO_SHA1_ARM 85*3f342a23SRobert Elliott tristate "Hash functions: SHA-1" 86652ccae5SArd Biesheuvel select CRYPTO_SHA1 87652ccae5SArd Biesheuvel select CRYPTO_HASH 88652ccae5SArd Biesheuvel help 89*3f342a23SRobert Elliott SHA-1 secure hash algorithm (FIPS 180) 90*3f342a23SRobert Elliott 91*3f342a23SRobert Elliott Architecture: arm 92652ccae5SArd Biesheuvel 93652ccae5SArd Biesheuvelconfig CRYPTO_SHA1_ARM_NEON 94*3f342a23SRobert Elliott tristate "Hash functions: SHA-1 (NEON)" 95652ccae5SArd Biesheuvel depends on KERNEL_MODE_NEON 96652ccae5SArd Biesheuvel select CRYPTO_SHA1_ARM 97652ccae5SArd Biesheuvel select CRYPTO_SHA1 98652ccae5SArd Biesheuvel select CRYPTO_HASH 99652ccae5SArd Biesheuvel help 100*3f342a23SRobert Elliott SHA-1 secure hash algorithm (FIPS 180) 101*3f342a23SRobert Elliott 102*3f342a23SRobert Elliott Architecture: arm using 103*3f342a23SRobert Elliott - NEON (Advanced SIMD) extensions 104652ccae5SArd Biesheuvel 105864cbeedSArd Biesheuvelconfig CRYPTO_SHA1_ARM_CE 106*3f342a23SRobert Elliott tristate "Hash functions: SHA-1 (ARMv8 Crypto Extensions)" 1075429ef62SWill Deacon depends on KERNEL_MODE_NEON 108864cbeedSArd Biesheuvel select CRYPTO_SHA1_ARM 109864cbeedSArd Biesheuvel select CRYPTO_HASH 110864cbeedSArd Biesheuvel help 111*3f342a23SRobert Elliott SHA-1 secure hash algorithm (FIPS 180) 112*3f342a23SRobert Elliott 113*3f342a23SRobert Elliott Architecture: arm using ARMv8 Crypto Extensions 114864cbeedSArd Biesheuvel 115006d0624SArd Biesheuvelconfig CRYPTO_SHA2_ARM_CE 116*3f342a23SRobert Elliott tristate "Hash functions: SHA-224 and SHA-256 (ARMv8 Crypto Extensions)" 1175429ef62SWill Deacon depends on KERNEL_MODE_NEON 1189205b949SArd Biesheuvel select CRYPTO_SHA256_ARM 119006d0624SArd Biesheuvel select CRYPTO_HASH 120006d0624SArd Biesheuvel help 121*3f342a23SRobert Elliott SHA-224 and SHA-256 secure hash algorithms (FIPS 180) 122*3f342a23SRobert Elliott 123*3f342a23SRobert Elliott Architecture: arm using 124*3f342a23SRobert Elliott - ARMv8 Crypto Extensions 125006d0624SArd Biesheuvel 126f2f770d7SSami Tolvanenconfig CRYPTO_SHA256_ARM 127*3f342a23SRobert Elliott tristate "Hash functions: SHA-224 and SHA-256 (NEON)" 128f2f770d7SSami Tolvanen select CRYPTO_HASH 129b48321deSArnd Bergmann depends on !CPU_V7M 130f2f770d7SSami Tolvanen help 131*3f342a23SRobert Elliott SHA-224 and SHA-256 secure hash algorithms (FIPS 180) 132*3f342a23SRobert Elliott 133*3f342a23SRobert Elliott Architecture: arm using 134*3f342a23SRobert Elliott - NEON (Advanced SIMD) extensions 135f2f770d7SSami Tolvanen 136c80ae7caSArd Biesheuvelconfig CRYPTO_SHA512_ARM 137*3f342a23SRobert Elliott tristate "Hash functions: SHA-384 and SHA-512 (NEON)" 138652ccae5SArd Biesheuvel select CRYPTO_HASH 139c80ae7caSArd Biesheuvel depends on !CPU_V7M 140652ccae5SArd Biesheuvel help 141*3f342a23SRobert Elliott SHA-384 and SHA-512 secure hash algorithms (FIPS 180) 142*3f342a23SRobert Elliott 143*3f342a23SRobert Elliott Architecture: arm using 144*3f342a23SRobert Elliott - NEON (Advanced SIMD) extensions 145652ccae5SArd Biesheuvel 146652ccae5SArd Biesheuvelconfig CRYPTO_AES_ARM 14781edb426SArd Biesheuvel tristate "Scalar AES cipher for ARM" 148652ccae5SArd Biesheuvel select CRYPTO_ALGAPI 149652ccae5SArd Biesheuvel select CRYPTO_AES 150652ccae5SArd Biesheuvel help 151652ccae5SArd Biesheuvel Use optimized AES assembler routines for ARM platforms. 152652ccae5SArd Biesheuvel 153913a3aa0SEric Biggers On ARM processors without the Crypto Extensions, this is the 154913a3aa0SEric Biggers fastest AES implementation for single blocks. For multiple 155913a3aa0SEric Biggers blocks, the NEON bit-sliced implementation is usually faster. 156913a3aa0SEric Biggers 157913a3aa0SEric Biggers This implementation may be vulnerable to cache timing attacks, 158913a3aa0SEric Biggers since it uses lookup tables. However, as countermeasures it 159913a3aa0SEric Biggers disables IRQs and preloads the tables; it is hoped this makes 160913a3aa0SEric Biggers such attacks very difficult. 161913a3aa0SEric Biggers 162652ccae5SArd Biesheuvelconfig CRYPTO_AES_ARM_BS 163652ccae5SArd Biesheuvel tristate "Bit sliced AES using NEON instructions" 164652ccae5SArd Biesheuvel depends on KERNEL_MODE_NEON 165b95bba5dSEric Biggers select CRYPTO_SKCIPHER 166aa6e2d2bSArd Biesheuvel select CRYPTO_LIB_AES 167c8bd296cSHerbert Xu select CRYPTO_AES 168c8bd296cSHerbert Xu select CRYPTO_CBC 1696fdf436fSHerbert Xu select CRYPTO_SIMD 170652ccae5SArd Biesheuvel help 171652ccae5SArd Biesheuvel Use a faster and more secure NEON based implementation of AES in CBC, 172652ccae5SArd Biesheuvel CTR and XTS modes 173652ccae5SArd Biesheuvel 174652ccae5SArd Biesheuvel Bit sliced AES gives around 45% speedup on Cortex-A15 for CTR mode 175652ccae5SArd Biesheuvel and for XTS mode encryption, CBC and XTS mode decryption speedup is 176652ccae5SArd Biesheuvel around 25%. (CBC encryption speed is not affected by this driver.) 177652ccae5SArd Biesheuvel This implementation does not rely on any lookup tables so it is 178652ccae5SArd Biesheuvel believed to be invulnerable to cache timing attacks. 179652ccae5SArd Biesheuvel 18086464859SArd Biesheuvelconfig CRYPTO_AES_ARM_CE 18186464859SArd Biesheuvel tristate "Accelerated AES using ARMv8 Crypto Extensions" 1825429ef62SWill Deacon depends on KERNEL_MODE_NEON 183b95bba5dSEric Biggers select CRYPTO_SKCIPHER 184f703964fSArd Biesheuvel select CRYPTO_LIB_AES 185585b5fa6SHerbert Xu select CRYPTO_SIMD 18686464859SArd Biesheuvel help 18786464859SArd Biesheuvel Use an implementation of AES in CBC, CTR and XTS modes that uses 18886464859SArd Biesheuvel ARMv8 Crypto Extensions 18986464859SArd Biesheuvel 1904a95d4aeSRobert Elliottconfig CRYPTO_CHACHA20_NEON 1914a95d4aeSRobert Elliott tristate "NEON and scalar accelerated ChaCha stream cipher algorithms" 1924a95d4aeSRobert Elliott select CRYPTO_SKCIPHER 1934a95d4aeSRobert Elliott select CRYPTO_ARCH_HAVE_LIB_CHACHA 1941d481f1cSArd Biesheuvel 195d0a3431aSArd Biesheuvelconfig CRYPTO_CRC32_ARM_CE 196ec84348dSRobert Elliott tristate "CRC32C and CRC32" 1975429ef62SWill Deacon depends on KERNEL_MODE_NEON 198b4d0c0aaSArd Biesheuvel depends on CRC32 199d0a3431aSArd Biesheuvel select CRYPTO_HASH 200ec84348dSRobert Elliott help 201ec84348dSRobert Elliott CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720) 202ec84348dSRobert Elliott and CRC32 CRC algorithm (IEEE 802.3) 203ec84348dSRobert Elliott 204ec84348dSRobert Elliott Architecture: arm using: 205ec84348dSRobert Elliott - CRC and/or PMULL instructions 206ec84348dSRobert Elliott 207ec84348dSRobert Elliott Drivers: crc32-arm-ce and crc32c-arm-ce 208d0a3431aSArd Biesheuvel 2094a95d4aeSRobert Elliottconfig CRYPTO_CRCT10DIF_ARM_CE 210ec84348dSRobert Elliott tristate "CRCT10DIF" 2114a95d4aeSRobert Elliott depends on KERNEL_MODE_NEON 2124a95d4aeSRobert Elliott depends on CRC_T10DIF 213a6b803b3SArd Biesheuvel select CRYPTO_HASH 214ec84348dSRobert Elliott help 215ec84348dSRobert Elliott CRC16 CRC algorithm used for the T10 (SCSI) Data Integrity Field (DIF) 216ec84348dSRobert Elliott 217ec84348dSRobert Elliott Architecture: arm using: 218ec84348dSRobert Elliott - PMULL (Polynomial Multiply Long) instructions 219d8f1308aSJason A. Donenfeld 2204a329fecSRobert Elliottendmenu 2214a95d4aeSRobert Elliott 222