# SPDX-License-Identifier: GPL-2.0

menu "Accelerated Cryptographic Algorithms for CPU (arm)"

config CRYPTO_CURVE25519_NEON
	tristate "Public key crypto: Curve25519 (NEON)"
	depends on KERNEL_MODE_NEON
	select CRYPTO_LIB_CURVE25519_GENERIC
	select CRYPTO_ARCH_HAVE_LIB_CURVE25519
	help
	  Curve25519 algorithm

	  Architecture: arm with
	  - NEON (Advanced SIMD) extensions

config CRYPTO_GHASH_ARM_CE
	tristate "Hash functions: GHASH (PMULL/NEON/ARMv8 Crypto Extensions)"
	depends on KERNEL_MODE_NEON
	select CRYPTO_HASH
	select CRYPTO_CRYPTD
	select CRYPTO_GF128MUL
	help
	  GCM GHASH function (NIST SP800-38D)

	  Architecture: arm using
	  - PMULL (Polynomial Multiply Long) instructions
	  - NEON (Advanced SIMD) extensions
	  - ARMv8 Crypto Extensions

	  Use an implementation of GHASH (used by the GCM AEAD chaining mode)
	  that uses the 64x64 to 128 bit polynomial multiplication (vmull.p64)
	  that is part of the ARMv8 Crypto Extensions, or a slower variant that
	  uses the vmull.p8 instruction that is part of the basic NEON ISA.

config CRYPTO_NHPOLY1305_NEON
	tristate "Hash functions: NHPoly1305 (NEON)"
	depends on KERNEL_MODE_NEON
	select CRYPTO_NHPOLY1305
	help
	  NHPoly1305 hash function (Adiantum)

	  Architecture: arm using:
	  - NEON (Advanced SIMD) extensions

config CRYPTO_POLY1305_ARM
	tristate "Hash functions: Poly1305 (NEON)"
	select CRYPTO_HASH
	select CRYPTO_ARCH_HAVE_LIB_POLY1305
	help
	  Poly1305 authenticator algorithm (RFC7539)

	  Architecture: arm optionally using
	  - NEON (Advanced SIMD) extensions

config CRYPTO_BLAKE2S_ARM
	bool "Hash functions: BLAKE2s"
	select CRYPTO_ARCH_HAVE_LIB_BLAKE2S
	help
	  BLAKE2s cryptographic hash function (RFC 7693)

	  Architecture: arm

	  This is faster than the generic implementations of BLAKE2s and
	  BLAKE2b, but slower than the NEON implementation of BLAKE2b.
	  There is no NEON implementation of BLAKE2s, since NEON doesn't
	  really help with it.

config CRYPTO_BLAKE2B_NEON
	tristate "Hash functions: BLAKE2b (NEON)"
	depends on KERNEL_MODE_NEON
	select CRYPTO_BLAKE2B
	help
	  BLAKE2b cryptographic hash function (RFC 7693)

	  Architecture: arm using
	  - NEON (Advanced SIMD) extensions

	  BLAKE2b digest algorithm optimized with ARM NEON instructions.
	  On ARM processors that have NEON support but not the ARMv8
	  Crypto Extensions, typically this BLAKE2b implementation is
	  much faster than the SHA-2 family and slightly faster than
	  SHA-1.

config CRYPTO_SHA1_ARM
	tristate "Hash functions: SHA-1"
	select CRYPTO_SHA1
	select CRYPTO_HASH
	help
	  SHA-1 secure hash algorithm (FIPS 180)

	  Architecture: arm

config CRYPTO_SHA1_ARM_NEON
	tristate "Hash functions: SHA-1 (NEON)"
	depends on KERNEL_MODE_NEON
	select CRYPTO_SHA1_ARM
	select CRYPTO_SHA1
	select CRYPTO_HASH
	help
	  SHA-1 secure hash algorithm (FIPS 180)

	  Architecture: arm using
	  - NEON (Advanced SIMD) extensions

config CRYPTO_SHA1_ARM_CE
	tristate "Hash functions: SHA-1 (ARMv8 Crypto Extensions)"
	depends on KERNEL_MODE_NEON
	select CRYPTO_SHA1_ARM
	select CRYPTO_HASH
	help
	  SHA-1 secure hash algorithm (FIPS 180)

	  Architecture: arm using ARMv8 Crypto Extensions

config CRYPTO_SHA2_ARM_CE
	tristate "Hash functions: SHA-224 and SHA-256 (ARMv8 Crypto Extensions)"
	depends on KERNEL_MODE_NEON
	select CRYPTO_SHA256_ARM
	select CRYPTO_HASH
	help
	  SHA-224 and SHA-256 secure hash algorithms (FIPS 180)

	  Architecture: arm using
	  - ARMv8 Crypto Extensions

config CRYPTO_SHA256_ARM
	tristate "Hash functions: SHA-224 and SHA-256 (NEON)"
	select CRYPTO_HASH
	depends on !CPU_V7M
	help
	  SHA-224 and SHA-256 secure hash algorithms (FIPS 180)

	  Architecture: arm using
	  - NEON (Advanced SIMD) extensions

config CRYPTO_SHA512_ARM
	tristate "Hash functions: SHA-384 and SHA-512 (NEON)"
	select CRYPTO_HASH
	depends on !CPU_V7M
	help
	  SHA-384 and SHA-512 secure hash algorithms (FIPS 180)

	  Architecture: arm using
	  - NEON (Advanced SIMD) extensions

config CRYPTO_AES_ARM
	tristate "Ciphers: AES"
	select CRYPTO_ALGAPI
	select CRYPTO_AES
	help
	  Block ciphers: AES cipher algorithms (FIPS-197)

	  Architecture: arm

	  On ARM processors without the Crypto Extensions, this is the
	  fastest AES implementation for single blocks.  For multiple
	  blocks, the NEON bit-sliced implementation is usually faster.

	  This implementation may be vulnerable to cache timing attacks,
	  since it uses lookup tables.  However, as countermeasures it
	  disables IRQs and preloads the tables; it is hoped this makes
	  such attacks very difficult.

config CRYPTO_AES_ARM_BS
	tristate "Ciphers: AES, modes: ECB/CBC/CTR/XTS (bit-sliced NEON)"
	depends on KERNEL_MODE_NEON
	select CRYPTO_SKCIPHER
	select CRYPTO_LIB_AES
	select CRYPTO_AES
	select CRYPTO_CBC
	select CRYPTO_SIMD
	help
	  Length-preserving ciphers: AES cipher algorithms (FIPS-197)
	  with block cipher modes:
	   - ECB (Electronic Codebook) mode (NIST SP800-38A)
	   - CBC (Cipher Block Chaining) mode (NIST SP800-38A)
	   - CTR (Counter) mode (NIST SP800-38A)
	   - XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
	     and IEEE 1619)

	  Bit sliced AES gives around 45% speedup on Cortex-A15 for CTR mode
	  and for XTS mode encryption, CBC and XTS mode decryption speedup is
	  around 25%. (CBC encryption speed is not affected by this driver.)
	  This implementation does not rely on any lookup tables so it is
	  believed to be invulnerable to cache timing attacks.

config CRYPTO_AES_ARM_CE
	tristate "Ciphers: AES, modes: ECB/CBC/CTS/CTR/XTS (ARMv8 Crypto Extensions)"
	depends on KERNEL_MODE_NEON
	select CRYPTO_SKCIPHER
	select CRYPTO_LIB_AES
	select CRYPTO_SIMD
	help
	  Length-preserving ciphers: AES cipher algorithms (FIPS-197)
	  with block cipher modes:
	   - ECB (Electronic Codebook) mode (NIST SP800-38A)
	   - CBC (Cipher Block Chaining) mode (NIST SP800-38A)
	   - CTR (Counter) mode (NIST SP800-38A)
	   - CTS (Cipher Text Stealing) mode (NIST SP800-38A)
	   - XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
	     and IEEE 1619)

	  Architecture: arm using:
	  - ARMv8 Crypto Extensions

config CRYPTO_CHACHA20_NEON
	tristate "Ciphers: ChaCha20, XChaCha20, XChaCha12 (NEON)"
	select CRYPTO_SKCIPHER
	select CRYPTO_ARCH_HAVE_LIB_CHACHA
	help
	  Length-preserving ciphers: ChaCha20, XChaCha20, and XChaCha12
	  stream cipher algorithms

	  Architecture: arm using:
	  - NEON (Advanced SIMD) extensions

config CRYPTO_CRC32_ARM_CE
	tristate "CRC32C and CRC32"
	depends on KERNEL_MODE_NEON
	depends on CRC32
	select CRYPTO_HASH
	help
	  CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720)
	  and CRC32 CRC algorithm (IEEE 802.3)

	  Architecture: arm using:
	  - CRC and/or PMULL instructions

	  Drivers: crc32-arm-ce and crc32c-arm-ce

config CRYPTO_CRCT10DIF_ARM_CE
	tristate "CRCT10DIF"
	depends on KERNEL_MODE_NEON
	depends on CRC_T10DIF
	select CRYPTO_HASH
	help
	  CRC16 CRC algorithm used for the T10 (SCSI) Data Integrity Field (DIF)

	  Architecture: arm using:
	  - PMULL (Polynomial Multiply Long) instructions

endmenu