1b2441318SGreg Kroah-Hartman# SPDX-License-Identifier: GPL-2.0 2652ccae5SArd Biesheuvel 34a329fecSRobert Elliottmenu "Accelerated Cryptographic Algorithms for CPU (arm)" 4652ccae5SArd Biesheuvel 5*4a95d4aeSRobert Elliottconfig CRYPTO_CURVE25519_NEON 6*4a95d4aeSRobert Elliott tristate "NEON accelerated Curve25519 scalar multiplication library" 7*4a95d4aeSRobert Elliott depends on KERNEL_MODE_NEON 8*4a95d4aeSRobert Elliott select CRYPTO_LIB_CURVE25519_GENERIC 9*4a95d4aeSRobert Elliott select CRYPTO_ARCH_HAVE_LIB_CURVE25519 10*4a95d4aeSRobert Elliott 11*4a95d4aeSRobert Elliottconfig CRYPTO_GHASH_ARM_CE 12*4a95d4aeSRobert Elliott tristate "PMULL-accelerated GHASH using NEON/ARMv8 Crypto Extensions" 13*4a95d4aeSRobert Elliott depends on KERNEL_MODE_NEON 14*4a95d4aeSRobert Elliott select CRYPTO_HASH 15*4a95d4aeSRobert Elliott select CRYPTO_CRYPTD 16*4a95d4aeSRobert Elliott select CRYPTO_GF128MUL 17*4a95d4aeSRobert Elliott help 18*4a95d4aeSRobert Elliott Use an implementation of GHASH (used by the GCM AEAD chaining mode) 19*4a95d4aeSRobert Elliott that uses the 64x64 to 128 bit polynomial multiplication (vmull.p64) 20*4a95d4aeSRobert Elliott that is part of the ARMv8 Crypto Extensions, or a slower variant that 21*4a95d4aeSRobert Elliott uses the vmull.p8 instruction that is part of the basic NEON ISA. 22*4a95d4aeSRobert Elliott 23*4a95d4aeSRobert Elliottconfig CRYPTO_NHPOLY1305_NEON 24*4a95d4aeSRobert Elliott tristate "NEON accelerated NHPoly1305 hash function (for Adiantum)" 25*4a95d4aeSRobert Elliott depends on KERNEL_MODE_NEON 26*4a95d4aeSRobert Elliott select CRYPTO_NHPOLY1305 27*4a95d4aeSRobert Elliott 28*4a95d4aeSRobert Elliottconfig CRYPTO_POLY1305_ARM 29*4a95d4aeSRobert Elliott tristate "Accelerated scalar and SIMD Poly1305 hash implementations" 30*4a95d4aeSRobert Elliott select CRYPTO_HASH 31*4a95d4aeSRobert Elliott select CRYPTO_ARCH_HAVE_LIB_POLY1305 32*4a95d4aeSRobert Elliott 33*4a95d4aeSRobert Elliottconfig CRYPTO_BLAKE2S_ARM 34*4a95d4aeSRobert Elliott bool "BLAKE2s digest algorithm (ARM)" 35*4a95d4aeSRobert Elliott select CRYPTO_ARCH_HAVE_LIB_BLAKE2S 36*4a95d4aeSRobert Elliott help 37*4a95d4aeSRobert Elliott BLAKE2s digest algorithm optimized with ARM scalar instructions. This 38*4a95d4aeSRobert Elliott is faster than the generic implementations of BLAKE2s and BLAKE2b, but 39*4a95d4aeSRobert Elliott slower than the NEON implementation of BLAKE2b. (There is no NEON 40*4a95d4aeSRobert Elliott implementation of BLAKE2s, since NEON doesn't really help with it.) 41*4a95d4aeSRobert Elliott 42*4a95d4aeSRobert Elliottconfig CRYPTO_BLAKE2B_NEON 43*4a95d4aeSRobert Elliott tristate "BLAKE2b digest algorithm (ARM NEON)" 44*4a95d4aeSRobert Elliott depends on KERNEL_MODE_NEON 45*4a95d4aeSRobert Elliott select CRYPTO_BLAKE2B 46*4a95d4aeSRobert Elliott help 47*4a95d4aeSRobert Elliott BLAKE2b digest algorithm optimized with ARM NEON instructions. 48*4a95d4aeSRobert Elliott On ARM processors that have NEON support but not the ARMv8 49*4a95d4aeSRobert Elliott Crypto Extensions, typically this BLAKE2b implementation is 50*4a95d4aeSRobert Elliott much faster than SHA-2 and slightly faster than SHA-1. 51*4a95d4aeSRobert Elliott 52652ccae5SArd Biesheuvelconfig CRYPTO_SHA1_ARM 53652ccae5SArd Biesheuvel tristate "SHA1 digest algorithm (ARM-asm)" 54652ccae5SArd Biesheuvel select CRYPTO_SHA1 55652ccae5SArd Biesheuvel select CRYPTO_HASH 56652ccae5SArd Biesheuvel help 57652ccae5SArd Biesheuvel SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented 58652ccae5SArd Biesheuvel using optimized ARM assembler. 59652ccae5SArd Biesheuvel 60652ccae5SArd Biesheuvelconfig CRYPTO_SHA1_ARM_NEON 61652ccae5SArd Biesheuvel tristate "SHA1 digest algorithm (ARM NEON)" 62652ccae5SArd Biesheuvel depends on KERNEL_MODE_NEON 63652ccae5SArd Biesheuvel select CRYPTO_SHA1_ARM 64652ccae5SArd Biesheuvel select CRYPTO_SHA1 65652ccae5SArd Biesheuvel select CRYPTO_HASH 66652ccae5SArd Biesheuvel help 67652ccae5SArd Biesheuvel SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented 68652ccae5SArd Biesheuvel using optimized ARM NEON assembly, when NEON instructions are 69652ccae5SArd Biesheuvel available. 70652ccae5SArd Biesheuvel 71864cbeedSArd Biesheuvelconfig CRYPTO_SHA1_ARM_CE 72864cbeedSArd Biesheuvel tristate "SHA1 digest algorithm (ARM v8 Crypto Extensions)" 735429ef62SWill Deacon depends on KERNEL_MODE_NEON 74864cbeedSArd Biesheuvel select CRYPTO_SHA1_ARM 75864cbeedSArd Biesheuvel select CRYPTO_HASH 76864cbeedSArd Biesheuvel help 77864cbeedSArd Biesheuvel SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented 78864cbeedSArd Biesheuvel using special ARMv8 Crypto Extensions. 79864cbeedSArd Biesheuvel 80006d0624SArd Biesheuvelconfig CRYPTO_SHA2_ARM_CE 81006d0624SArd Biesheuvel tristate "SHA-224/256 digest algorithm (ARM v8 Crypto Extensions)" 825429ef62SWill Deacon depends on KERNEL_MODE_NEON 839205b949SArd Biesheuvel select CRYPTO_SHA256_ARM 84006d0624SArd Biesheuvel select CRYPTO_HASH 85006d0624SArd Biesheuvel help 86006d0624SArd Biesheuvel SHA-256 secure hash standard (DFIPS 180-2) implemented 87006d0624SArd Biesheuvel using special ARMv8 Crypto Extensions. 88006d0624SArd Biesheuvel 89f2f770d7SSami Tolvanenconfig CRYPTO_SHA256_ARM 90f2f770d7SSami Tolvanen tristate "SHA-224/256 digest algorithm (ARM-asm and NEON)" 91f2f770d7SSami Tolvanen select CRYPTO_HASH 92b48321deSArnd Bergmann depends on !CPU_V7M 93f2f770d7SSami Tolvanen help 94f2f770d7SSami Tolvanen SHA-256 secure hash standard (DFIPS 180-2) implemented 95f2f770d7SSami Tolvanen using optimized ARM assembler and NEON, when available. 96f2f770d7SSami Tolvanen 97c80ae7caSArd Biesheuvelconfig CRYPTO_SHA512_ARM 98c80ae7caSArd Biesheuvel tristate "SHA-384/512 digest algorithm (ARM-asm and NEON)" 99652ccae5SArd Biesheuvel select CRYPTO_HASH 100c80ae7caSArd Biesheuvel depends on !CPU_V7M 101652ccae5SArd Biesheuvel help 102652ccae5SArd Biesheuvel SHA-512 secure hash standard (DFIPS 180-2) implemented 103c80ae7caSArd Biesheuvel using optimized ARM assembler and NEON, when available. 104652ccae5SArd Biesheuvel 105652ccae5SArd Biesheuvelconfig CRYPTO_AES_ARM 10681edb426SArd Biesheuvel tristate "Scalar AES cipher for ARM" 107652ccae5SArd Biesheuvel select CRYPTO_ALGAPI 108652ccae5SArd Biesheuvel select CRYPTO_AES 109652ccae5SArd Biesheuvel help 110652ccae5SArd Biesheuvel Use optimized AES assembler routines for ARM platforms. 111652ccae5SArd Biesheuvel 112913a3aa0SEric Biggers On ARM processors without the Crypto Extensions, this is the 113913a3aa0SEric Biggers fastest AES implementation for single blocks. For multiple 114913a3aa0SEric Biggers blocks, the NEON bit-sliced implementation is usually faster. 115913a3aa0SEric Biggers 116913a3aa0SEric Biggers This implementation may be vulnerable to cache timing attacks, 117913a3aa0SEric Biggers since it uses lookup tables. However, as countermeasures it 118913a3aa0SEric Biggers disables IRQs and preloads the tables; it is hoped this makes 119913a3aa0SEric Biggers such attacks very difficult. 120913a3aa0SEric Biggers 121652ccae5SArd Biesheuvelconfig CRYPTO_AES_ARM_BS 122652ccae5SArd Biesheuvel tristate "Bit sliced AES using NEON instructions" 123652ccae5SArd Biesheuvel depends on KERNEL_MODE_NEON 124b95bba5dSEric Biggers select CRYPTO_SKCIPHER 125aa6e2d2bSArd Biesheuvel select CRYPTO_LIB_AES 126c8bd296cSHerbert Xu select CRYPTO_AES 127c8bd296cSHerbert Xu select CRYPTO_CBC 1286fdf436fSHerbert Xu select CRYPTO_SIMD 129652ccae5SArd Biesheuvel help 130652ccae5SArd Biesheuvel Use a faster and more secure NEON based implementation of AES in CBC, 131652ccae5SArd Biesheuvel CTR and XTS modes 132652ccae5SArd Biesheuvel 133652ccae5SArd Biesheuvel Bit sliced AES gives around 45% speedup on Cortex-A15 for CTR mode 134652ccae5SArd Biesheuvel and for XTS mode encryption, CBC and XTS mode decryption speedup is 135652ccae5SArd Biesheuvel around 25%. (CBC encryption speed is not affected by this driver.) 136652ccae5SArd Biesheuvel This implementation does not rely on any lookup tables so it is 137652ccae5SArd Biesheuvel believed to be invulnerable to cache timing attacks. 138652ccae5SArd Biesheuvel 13986464859SArd Biesheuvelconfig CRYPTO_AES_ARM_CE 14086464859SArd Biesheuvel tristate "Accelerated AES using ARMv8 Crypto Extensions" 1415429ef62SWill Deacon depends on KERNEL_MODE_NEON 142b95bba5dSEric Biggers select CRYPTO_SKCIPHER 143f703964fSArd Biesheuvel select CRYPTO_LIB_AES 144585b5fa6SHerbert Xu select CRYPTO_SIMD 14586464859SArd Biesheuvel help 14686464859SArd Biesheuvel Use an implementation of AES in CBC, CTR and XTS modes that uses 14786464859SArd Biesheuvel ARMv8 Crypto Extensions 14886464859SArd Biesheuvel 149*4a95d4aeSRobert Elliottconfig CRYPTO_CHACHA20_NEON 150*4a95d4aeSRobert Elliott tristate "NEON and scalar accelerated ChaCha stream cipher algorithms" 151*4a95d4aeSRobert Elliott select CRYPTO_SKCIPHER 152*4a95d4aeSRobert Elliott select CRYPTO_ARCH_HAVE_LIB_CHACHA 1531d481f1cSArd Biesheuvel 154d0a3431aSArd Biesheuvelconfig CRYPTO_CRC32_ARM_CE 155d0a3431aSArd Biesheuvel tristate "CRC32(C) digest algorithm using CRC and/or PMULL instructions" 1565429ef62SWill Deacon depends on KERNEL_MODE_NEON 157b4d0c0aaSArd Biesheuvel depends on CRC32 158d0a3431aSArd Biesheuvel select CRYPTO_HASH 159d0a3431aSArd Biesheuvel 160*4a95d4aeSRobert Elliottconfig CRYPTO_CRCT10DIF_ARM_CE 161*4a95d4aeSRobert Elliott tristate "CRCT10DIF digest algorithm using PMULL instructions" 162*4a95d4aeSRobert Elliott depends on KERNEL_MODE_NEON 163*4a95d4aeSRobert Elliott depends on CRC_T10DIF 164a6b803b3SArd Biesheuvel select CRYPTO_HASH 165d8f1308aSJason A. Donenfeld 1664a329fecSRobert Elliottendmenu 167*4a95d4aeSRobert Elliott 168