1b2441318SGreg Kroah-Hartman# SPDX-License-Identifier: GPL-2.0 21da177e4SLinus Torvalds# 3685784aaSDan Williams# Generic algorithms support 4685784aaSDan Williams# 5685784aaSDan Williamsconfig XOR_BLOCKS 6685784aaSDan Williams tristate 7685784aaSDan Williams 8685784aaSDan Williams# 99bc89cd8SDan Williams# async_tx api: hardware offloaded memory transfer/transform support 109bc89cd8SDan Williams# 119bc89cd8SDan Williamssource "crypto/async_tx/Kconfig" 129bc89cd8SDan Williams 139bc89cd8SDan Williams# 141da177e4SLinus Torvalds# Cryptographic API Configuration 151da177e4SLinus Torvalds# 162e290f43SJan Engelhardtmenuconfig CRYPTO 17c3715cb9SSebastian Siewior tristate "Cryptographic API" 187033b937SEric Biggers select CRYPTO_LIB_UTILS 191da177e4SLinus Torvalds help 201da177e4SLinus Torvalds This option provides the core Cryptographic API. 211da177e4SLinus Torvalds 22cce9e06dSHerbert Xuif CRYPTO 23cce9e06dSHerbert Xu 24f1f142adSRobert Elliottmenu "Crypto core or helper" 25584fffc8SSebastian Siewior 26ccb778e1SNeil Hormanconfig CRYPTO_FIPS 27ccb778e1SNeil Horman bool "FIPS 200 compliance" 2840b99697SEric Biggers depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && CRYPTO_SELFTESTS 291f696097SAlec Ari depends on (MODULE_SIG || !MODULES) 30ccb778e1SNeil Horman help 31d99324c2SGeert Uytterhoeven This option enables the fips boot option which is 32d99324c2SGeert Uytterhoeven required if you want the system to operate in a FIPS 200 33ccb778e1SNeil Horman certification. You should say no unless you know what 34e84c5480SChuck Ebbert this is. 35ccb778e1SNeil Horman 365a44749fSVladis Dronovconfig CRYPTO_FIPS_NAME 375a44749fSVladis Dronov string "FIPS Module Name" 385a44749fSVladis Dronov default "Linux Kernel Cryptographic API" 395a44749fSVladis Dronov depends on CRYPTO_FIPS 405a44749fSVladis Dronov help 415a44749fSVladis Dronov This option sets the FIPS Module name reported by the Crypto API via 425a44749fSVladis Dronov the /proc/sys/crypto/fips_name file. 435a44749fSVladis Dronov 445a44749fSVladis Dronovconfig CRYPTO_FIPS_CUSTOM_VERSION 455a44749fSVladis Dronov bool "Use Custom FIPS Module Version" 465a44749fSVladis Dronov depends on CRYPTO_FIPS 475a44749fSVladis Dronov default n 485a44749fSVladis Dronov 495a44749fSVladis Dronovconfig CRYPTO_FIPS_VERSION 505a44749fSVladis Dronov string "FIPS Module Version" 515a44749fSVladis Dronov default "(none)" 525a44749fSVladis Dronov depends on CRYPTO_FIPS_CUSTOM_VERSION 535a44749fSVladis Dronov help 545a44749fSVladis Dronov This option provides the ability to override the FIPS Module Version. 555a44749fSVladis Dronov By default the KERNELRELEASE value is used. 565a44749fSVladis Dronov 57cce9e06dSHerbert Xuconfig CRYPTO_ALGAPI 58cce9e06dSHerbert Xu tristate 596a0fcbb4SHerbert Xu select CRYPTO_ALGAPI2 60cce9e06dSHerbert Xu help 61cce9e06dSHerbert Xu This option provides the API for cryptographic algorithms. 62cce9e06dSHerbert Xu 636a0fcbb4SHerbert Xuconfig CRYPTO_ALGAPI2 646a0fcbb4SHerbert Xu tristate 656a0fcbb4SHerbert Xu 661ae97820SHerbert Xuconfig CRYPTO_AEAD 671ae97820SHerbert Xu tristate 686a0fcbb4SHerbert Xu select CRYPTO_AEAD2 691ae97820SHerbert Xu select CRYPTO_ALGAPI 701ae97820SHerbert Xu 716a0fcbb4SHerbert Xuconfig CRYPTO_AEAD2 726a0fcbb4SHerbert Xu tristate 736a0fcbb4SHerbert Xu select CRYPTO_ALGAPI2 746a0fcbb4SHerbert Xu 756cb8815fSHerbert Xuconfig CRYPTO_SIG 766cb8815fSHerbert Xu tristate 776cb8815fSHerbert Xu select CRYPTO_SIG2 786cb8815fSHerbert Xu select CRYPTO_ALGAPI 796cb8815fSHerbert Xu 806cb8815fSHerbert Xuconfig CRYPTO_SIG2 816cb8815fSHerbert Xu tristate 826cb8815fSHerbert Xu select CRYPTO_ALGAPI2 836cb8815fSHerbert Xu 84b95bba5dSEric Biggersconfig CRYPTO_SKCIPHER 855cde0af2SHerbert Xu tristate 86b95bba5dSEric Biggers select CRYPTO_SKCIPHER2 875cde0af2SHerbert Xu select CRYPTO_ALGAPI 8884534684SHerbert Xu select CRYPTO_ECB 896a0fcbb4SHerbert Xu 90b95bba5dSEric Biggersconfig CRYPTO_SKCIPHER2 916a0fcbb4SHerbert Xu tristate 926a0fcbb4SHerbert Xu select CRYPTO_ALGAPI2 935cde0af2SHerbert Xu 94055bcee3SHerbert Xuconfig CRYPTO_HASH 95055bcee3SHerbert Xu tristate 966a0fcbb4SHerbert Xu select CRYPTO_HASH2 97055bcee3SHerbert Xu select CRYPTO_ALGAPI 98055bcee3SHerbert Xu 996a0fcbb4SHerbert Xuconfig CRYPTO_HASH2 1006a0fcbb4SHerbert Xu tristate 1016a0fcbb4SHerbert Xu select CRYPTO_ALGAPI2 1026a0fcbb4SHerbert Xu 10317f0f4a4SNeil Hormanconfig CRYPTO_RNG 10417f0f4a4SNeil Horman tristate 1056a0fcbb4SHerbert Xu select CRYPTO_RNG2 10617f0f4a4SNeil Horman select CRYPTO_ALGAPI 10717f0f4a4SNeil Horman 1086a0fcbb4SHerbert Xuconfig CRYPTO_RNG2 1096a0fcbb4SHerbert Xu tristate 1106a0fcbb4SHerbert Xu select CRYPTO_ALGAPI2 1116a0fcbb4SHerbert Xu 112401e4238SHerbert Xuconfig CRYPTO_RNG_DEFAULT 113401e4238SHerbert Xu tristate 114401e4238SHerbert Xu select CRYPTO_DRBG_MENU 115401e4238SHerbert Xu 1163c339ab8STadeusz Strukconfig CRYPTO_AKCIPHER2 1173c339ab8STadeusz Struk tristate 1183c339ab8STadeusz Struk select CRYPTO_ALGAPI2 1193c339ab8STadeusz Struk 1203c339ab8STadeusz Strukconfig CRYPTO_AKCIPHER 1213c339ab8STadeusz Struk tristate 1223c339ab8STadeusz Struk select CRYPTO_AKCIPHER2 1233c339ab8STadeusz Struk select CRYPTO_ALGAPI 1243c339ab8STadeusz Struk 1254e5f2c40SSalvatore Benedettoconfig CRYPTO_KPP2 1264e5f2c40SSalvatore Benedetto tristate 1274e5f2c40SSalvatore Benedetto select CRYPTO_ALGAPI2 1284e5f2c40SSalvatore Benedetto 1294e5f2c40SSalvatore Benedettoconfig CRYPTO_KPP 1304e5f2c40SSalvatore Benedetto tristate 1314e5f2c40SSalvatore Benedetto select CRYPTO_ALGAPI 1324e5f2c40SSalvatore Benedetto select CRYPTO_KPP2 1334e5f2c40SSalvatore Benedetto 1342ebda74fSGiovanni Cabidduconfig CRYPTO_ACOMP2 1352ebda74fSGiovanni Cabiddu tristate 1362ebda74fSGiovanni Cabiddu select CRYPTO_ALGAPI2 1378cd579d2SBart Van Assche select SGL_ALLOC 1382ebda74fSGiovanni Cabiddu 1392ebda74fSGiovanni Cabidduconfig CRYPTO_ACOMP 1402ebda74fSGiovanni Cabiddu tristate 1412ebda74fSGiovanni Cabiddu select CRYPTO_ALGAPI 1422ebda74fSGiovanni Cabiddu select CRYPTO_ACOMP2 1432ebda74fSGiovanni Cabiddu 1443241cd0cSHannes Reineckeconfig CRYPTO_HKDF 1453241cd0cSHannes Reinecke tristate 14640b99697SEric Biggers select CRYPTO_SHA256 if CRYPTO_SELFTESTS 14740b99697SEric Biggers select CRYPTO_SHA512 if CRYPTO_SELFTESTS 1483241cd0cSHannes Reinecke select CRYPTO_HASH2 1493241cd0cSHannes Reinecke 1502b8c19dbSHerbert Xuconfig CRYPTO_MANAGER 1516f9d0f53SEric Biggers tristate 15257999ed1SEric Biggers default CRYPTO_ALGAPI if CRYPTO_SELFTESTS 1536a0fcbb4SHerbert Xu select CRYPTO_MANAGER2 1542b8c19dbSHerbert Xu help 15557999ed1SEric Biggers This provides the support for instantiating templates such as 15657999ed1SEric Biggers cbc(aes), and the support for the crypto self-tests. 1572b8c19dbSHerbert Xu 1586a0fcbb4SHerbert Xuconfig CRYPTO_MANAGER2 1596a0fcbb4SHerbert Xu def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y) 1602ebda74fSGiovanni Cabiddu select CRYPTO_ACOMP2 161fb28fabfSHerbert Xu select CRYPTO_AEAD2 162fb28fabfSHerbert Xu select CRYPTO_AKCIPHER2 1636cb8815fSHerbert Xu select CRYPTO_SIG2 164fb28fabfSHerbert Xu select CRYPTO_HASH2 165fb28fabfSHerbert Xu select CRYPTO_KPP2 166fb28fabfSHerbert Xu select CRYPTO_RNG2 167fb28fabfSHerbert Xu select CRYPTO_SKCIPHER2 1686a0fcbb4SHerbert Xu 169a38f7907SSteffen Klassertconfig CRYPTO_USER 170a38f7907SSteffen Klassert tristate "Userspace cryptographic algorithm configuration" 1715db017aaSHerbert Xu depends on NET 172a38f7907SSteffen Klassert select CRYPTO_MANAGER 173a38f7907SSteffen Klassert help 174d19978f5SValdis.Kletnieks@vt.edu Userspace configuration for cryptographic instantiations such as 175a38f7907SSteffen Klassert cbc(aes). 176a38f7907SSteffen Klassert 17740b99697SEric Biggersconfig CRYPTO_SELFTESTS 17840b99697SEric Biggers bool "Enable cryptographic self-tests" 179*ac90aad0SEric Biggers depends on EXPERT 1800b767f96SAlexander Shishkin help 18140b99697SEric Biggers Enable the cryptographic self-tests. 18240b99697SEric Biggers 18340b99697SEric Biggers The cryptographic self-tests run at boot time, or at algorithm 18440b99697SEric Biggers registration time if algorithms are dynamically loaded later. 18540b99697SEric Biggers 186*ac90aad0SEric Biggers There are two main use cases for these tests: 187*ac90aad0SEric Biggers 188*ac90aad0SEric Biggers - Development and pre-release testing. In this case, also enable 189*ac90aad0SEric Biggers CRYPTO_SELFTESTS_FULL to get the full set of tests. All crypto code 190*ac90aad0SEric Biggers in the kernel is expected to pass the full set of tests. 191*ac90aad0SEric Biggers 192*ac90aad0SEric Biggers - Production kernels, to help prevent buggy drivers from being used 193*ac90aad0SEric Biggers and/or meet FIPS 140-3 pre-operational testing requirements. In 194*ac90aad0SEric Biggers this case, enable CRYPTO_SELFTESTS but not CRYPTO_SELFTESTS_FULL. 195*ac90aad0SEric Biggers 196*ac90aad0SEric Biggersconfig CRYPTO_SELFTESTS_FULL 197*ac90aad0SEric Biggers bool "Enable the full set of cryptographic self-tests" 198*ac90aad0SEric Biggers depends on CRYPTO_SELFTESTS 199*ac90aad0SEric Biggers help 200*ac90aad0SEric Biggers Enable the full set of cryptographic self-tests for each algorithm. 201*ac90aad0SEric Biggers 202*ac90aad0SEric Biggers The full set of tests should be enabled for development and 203*ac90aad0SEric Biggers pre-release testing, but not in production kernels. 204*ac90aad0SEric Biggers 205*ac90aad0SEric Biggers All crypto code in the kernel is expected to pass the full tests. 2060b767f96SAlexander Shishkin 207584fffc8SSebastian Siewiorconfig CRYPTO_NULL 208584fffc8SSebastian Siewior tristate "Null algorithms" 209bde39305SEric Biggers select CRYPTO_ALGAPI 210bde39305SEric Biggers select CRYPTO_SKCIPHER 211bde39305SEric Biggers select CRYPTO_HASH 212584fffc8SSebastian Siewior help 213584fffc8SSebastian Siewior These are 'Null' algorithms, used by IPsec, which do nothing. 214584fffc8SSebastian Siewior 2155068c7a8SSteffen Klassertconfig CRYPTO_PCRYPT 2163b4afaf2SKees Cook tristate "Parallel crypto engine" 2173b4afaf2SKees Cook depends on SMP 2185068c7a8SSteffen Klassert select PADATA 2195068c7a8SSteffen Klassert select CRYPTO_MANAGER 2205068c7a8SSteffen Klassert select CRYPTO_AEAD 2215068c7a8SSteffen Klassert help 2225068c7a8SSteffen Klassert This converts an arbitrary crypto algorithm into a parallel 2235068c7a8SSteffen Klassert algorithm that executes in kernel threads. 2245068c7a8SSteffen Klassert 225584fffc8SSebastian Siewiorconfig CRYPTO_CRYPTD 226584fffc8SSebastian Siewior tristate "Software async crypto daemon" 227b95bba5dSEric Biggers select CRYPTO_SKCIPHER 228b8a28251SLoc Ho select CRYPTO_HASH 229584fffc8SSebastian Siewior select CRYPTO_MANAGER 230584fffc8SSebastian Siewior help 231584fffc8SSebastian Siewior This is a generic software asynchronous crypto daemon that 232584fffc8SSebastian Siewior converts an arbitrary synchronous software crypto algorithm 233584fffc8SSebastian Siewior into an asynchronous algorithm that executes in a kernel thread. 234584fffc8SSebastian Siewior 235584fffc8SSebastian Siewiorconfig CRYPTO_AUTHENC 236584fffc8SSebastian Siewior tristate "Authenc support" 237584fffc8SSebastian Siewior select CRYPTO_AEAD 238b95bba5dSEric Biggers select CRYPTO_SKCIPHER 239584fffc8SSebastian Siewior select CRYPTO_MANAGER 240584fffc8SSebastian Siewior select CRYPTO_HASH 241584fffc8SSebastian Siewior help 242584fffc8SSebastian Siewior Authenc: Combined mode wrapper for IPsec. 243cf514b2aSRobert Elliott 244cf514b2aSRobert Elliott This is required for IPSec ESP (XFRM_ESP). 245584fffc8SSebastian Siewior 246d1775a17SDavid Howellsconfig CRYPTO_KRB5ENC 247d1775a17SDavid Howells tristate "Kerberos 5 combined hash+cipher support" 248d1775a17SDavid Howells select CRYPTO_AEAD 249d1775a17SDavid Howells select CRYPTO_SKCIPHER 250d1775a17SDavid Howells select CRYPTO_MANAGER 251d1775a17SDavid Howells select CRYPTO_HASH 252d1775a17SDavid Howells help 253d1775a17SDavid Howells Combined hash and cipher support for Kerberos 5 RFC3961 simplified 254d1775a17SDavid Howells profile. This is required for Kerberos 5-style encryption, used by 255d1775a17SDavid Howells sunrpc/NFS and rxrpc/AFS. 256d1775a17SDavid Howells 2573357b6c9SEric Biggersconfig CRYPTO_BENCHMARK 2583357b6c9SEric Biggers tristate "Crypto benchmarking module" 25900ea27f1SArd Biesheuvel depends on m || EXPERT 260da7f033dSHerbert Xu select CRYPTO_MANAGER 261584fffc8SSebastian Siewior help 2623357b6c9SEric Biggers Quick & dirty crypto benchmarking module. 2633357b6c9SEric Biggers 2643357b6c9SEric Biggers This is mainly intended for use by people developing cryptographic 2653357b6c9SEric Biggers algorithms in the kernel. It should not be enabled in production 2663357b6c9SEric Biggers kernels. 267584fffc8SSebastian Siewior 268266d0516SHerbert Xuconfig CRYPTO_SIMD 269266d0516SHerbert Xu tristate 270266d0516SHerbert Xu select CRYPTO_CRYPTD 271266d0516SHerbert Xu 272735d37b5SBaolin Wangconfig CRYPTO_ENGINE 273735d37b5SBaolin Wang tristate 274735d37b5SBaolin Wang 275f1f142adSRobert Elliottendmenu 276f1f142adSRobert Elliott 277f1f142adSRobert Elliottmenu "Public-key cryptography" 2783d6228a5SVitaly Chikunov 2793d6228a5SVitaly Chikunovconfig CRYPTO_RSA 28005b37465SRobert Elliott tristate "RSA (Rivest-Shamir-Adleman)" 2813d6228a5SVitaly Chikunov select CRYPTO_AKCIPHER 2823d6228a5SVitaly Chikunov select CRYPTO_MANAGER 2831e562deaSLukas Wunner select CRYPTO_SIG 2843d6228a5SVitaly Chikunov select MPILIB 2853d6228a5SVitaly Chikunov select ASN1 2863d6228a5SVitaly Chikunov help 28705b37465SRobert Elliott RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017) 2883d6228a5SVitaly Chikunov 2893d6228a5SVitaly Chikunovconfig CRYPTO_DH 29005b37465SRobert Elliott tristate "DH (Diffie-Hellman)" 2913d6228a5SVitaly Chikunov select CRYPTO_KPP 2923d6228a5SVitaly Chikunov select MPILIB 2933d6228a5SVitaly Chikunov help 29405b37465SRobert Elliott DH (Diffie-Hellman) key exchange algorithm 2953d6228a5SVitaly Chikunov 2967dce5981SNicolai Stangeconfig CRYPTO_DH_RFC7919_GROUPS 29705b37465SRobert Elliott bool "RFC 7919 FFDHE groups" 2987dce5981SNicolai Stange depends on CRYPTO_DH 2991e207964SNicolai Stange select CRYPTO_RNG_DEFAULT 3007dce5981SNicolai Stange help 30105b37465SRobert Elliott FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups 30205b37465SRobert Elliott defined in RFC7919. 30305b37465SRobert Elliott 30405b37465SRobert Elliott Support these finite-field groups in DH key exchanges: 30505b37465SRobert Elliott - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 30605b37465SRobert Elliott 30705b37465SRobert Elliott If unsure, say N. 3087dce5981SNicolai Stange 3094a2289daSVitaly Chikunovconfig CRYPTO_ECC 3104a2289daSVitaly Chikunov tristate 31138aa192aSArnd Bergmann select CRYPTO_RNG_DEFAULT 3124a2289daSVitaly Chikunov 3133d6228a5SVitaly Chikunovconfig CRYPTO_ECDH 31405b37465SRobert Elliott tristate "ECDH (Elliptic Curve Diffie-Hellman)" 3154a2289daSVitaly Chikunov select CRYPTO_ECC 3163d6228a5SVitaly Chikunov select CRYPTO_KPP 3173d6228a5SVitaly Chikunov help 31805b37465SRobert Elliott ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm 31905b37465SRobert Elliott using curves P-192, P-256, and P-384 (FIPS 186) 3203d6228a5SVitaly Chikunov 3214e660291SStefan Bergerconfig CRYPTO_ECDSA 32205b37465SRobert Elliott tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)" 3234e660291SStefan Berger select CRYPTO_ECC 324ef132350SLukas Wunner select CRYPTO_SIG 3254e660291SStefan Berger select ASN1 3264e660291SStefan Berger help 32705b37465SRobert Elliott ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186, 32805b37465SRobert Elliott ISO/IEC 14888-3) 32991790c7aSLukas Wunner using curves P-192, P-256, P-384 and P-521 33005b37465SRobert Elliott 33105b37465SRobert Elliott Only signature verification is implemented. 3324e660291SStefan Berger 3330d7a7864SVitaly Chikunovconfig CRYPTO_ECRDSA 33405b37465SRobert Elliott tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)" 3350d7a7864SVitaly Chikunov select CRYPTO_ECC 336ae117924SLukas Wunner select CRYPTO_SIG 3370d7a7864SVitaly Chikunov select CRYPTO_STREEBOG 3381036633eSVitaly Chikunov select OID_REGISTRY 3391036633eSVitaly Chikunov select ASN1 3400d7a7864SVitaly Chikunov help 3410d7a7864SVitaly Chikunov Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012, 34205b37465SRobert Elliott RFC 7091, ISO/IEC 14888-3) 34305b37465SRobert Elliott 34405b37465SRobert Elliott One of the Russian cryptographic standard algorithms (called GOST 34505b37465SRobert Elliott algorithms). Only signature verification is implemented. 3460d7a7864SVitaly Chikunov 347ee772cb6SArd Biesheuvelconfig CRYPTO_CURVE25519 34805b37465SRobert Elliott tristate "Curve25519" 349ee772cb6SArd Biesheuvel select CRYPTO_KPP 350ee772cb6SArd Biesheuvel select CRYPTO_LIB_CURVE25519_GENERIC 35117ec3e71SHerbert Xu select CRYPTO_LIB_CURVE25519_INTERNAL 35205b37465SRobert Elliott help 35305b37465SRobert Elliott Curve25519 elliptic curve (RFC7748) 354ee772cb6SArd Biesheuvel 355f1f142adSRobert Elliottendmenu 356584fffc8SSebastian Siewior 357f1f142adSRobert Elliottmenu "Block ciphers" 3581da177e4SLinus Torvalds 3591da177e4SLinus Torvaldsconfig CRYPTO_AES 360cf514b2aSRobert Elliott tristate "AES (Advanced Encryption Standard)" 361cce9e06dSHerbert Xu select CRYPTO_ALGAPI 3625bb12d78SArd Biesheuvel select CRYPTO_LIB_AES 3631da177e4SLinus Torvalds help 364cf514b2aSRobert Elliott AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3) 3651da177e4SLinus Torvalds 3661da177e4SLinus Torvalds Rijndael appears to be consistently a very good performer in 3671da177e4SLinus Torvalds both hardware and software across a wide range of computing 3681da177e4SLinus Torvalds environments regardless of its use in feedback or non-feedback 3691da177e4SLinus Torvalds modes. Its key setup time is excellent, and its key agility is 3701da177e4SLinus Torvalds good. Rijndael's very low memory requirements make it very well 3711da177e4SLinus Torvalds suited for restricted-space environments, in which it also 3721da177e4SLinus Torvalds demonstrates excellent performance. Rijndael's operations are 3731da177e4SLinus Torvalds among the easiest to defend against power and timing attacks. 3741da177e4SLinus Torvalds 3751da177e4SLinus Torvalds The AES specifies three key sizes: 128, 192 and 256 bits 3761da177e4SLinus Torvalds 377b5e0b032SArd Biesheuvelconfig CRYPTO_AES_TI 378cf514b2aSRobert Elliott tristate "AES (Advanced Encryption Standard) (fixed time)" 379b5e0b032SArd Biesheuvel select CRYPTO_ALGAPI 380e59c1c98SArd Biesheuvel select CRYPTO_LIB_AES 381b5e0b032SArd Biesheuvel help 382cf514b2aSRobert Elliott AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3) 383cf514b2aSRobert Elliott 384b5e0b032SArd Biesheuvel This is a generic implementation of AES that attempts to eliminate 385b5e0b032SArd Biesheuvel data dependent latencies as much as possible without affecting 386b5e0b032SArd Biesheuvel performance too much. It is intended for use by the generic CCM 387b5e0b032SArd Biesheuvel and GCM drivers, and other CTR or CMAC/XCBC based modes that rely 388b5e0b032SArd Biesheuvel solely on encryption (although decryption is supported as well, but 389b5e0b032SArd Biesheuvel with a more dramatic performance hit) 390b5e0b032SArd Biesheuvel 391b5e0b032SArd Biesheuvel Instead of using 16 lookup tables of 1 KB each, (8 for encryption and 392b5e0b032SArd Biesheuvel 8 for decryption), this implementation only uses just two S-boxes of 393b5e0b032SArd Biesheuvel 256 bytes each, and attempts to eliminate data dependent latencies by 394b5e0b032SArd Biesheuvel prefetching the entire table into the cache at the start of each 3950a6a40c2SEric Biggers block. Interrupts are also disabled to avoid races where cachelines 3960a6a40c2SEric Biggers are evicted when the CPU is interrupted to do something else. 397b5e0b032SArd Biesheuvel 3981da177e4SLinus Torvaldsconfig CRYPTO_ANUBIS 399cf514b2aSRobert Elliott tristate "Anubis" 4001674aea5SArd Biesheuvel depends on CRYPTO_USER_API_ENABLE_OBSOLETE 401cce9e06dSHerbert Xu select CRYPTO_ALGAPI 4021da177e4SLinus Torvalds help 403cf514b2aSRobert Elliott Anubis cipher algorithm 4041da177e4SLinus Torvalds 4051da177e4SLinus Torvalds Anubis is a variable key length cipher which can use keys from 4061da177e4SLinus Torvalds 128 bits to 320 bits in length. It was evaluated as a entrant 4071da177e4SLinus Torvalds in the NESSIE competition. 4081da177e4SLinus Torvalds 409cf514b2aSRobert Elliott See https://web.archive.org/web/20160606112246/http://www.larc.usp.br/~pbarreto/AnubisPage.html 410cf514b2aSRobert Elliott for further information. 4111da177e4SLinus Torvalds 412f1f142adSRobert Elliottconfig CRYPTO_ARIA 413cf514b2aSRobert Elliott tristate "ARIA" 414f1f142adSRobert Elliott select CRYPTO_ALGAPI 415e2ee95b8SHye-Shik Chang help 416cf514b2aSRobert Elliott ARIA cipher algorithm (RFC5794) 417e2ee95b8SHye-Shik Chang 418f1f142adSRobert Elliott ARIA is a standard encryption algorithm of the Republic of Korea. 419f1f142adSRobert Elliott The ARIA specifies three key sizes and rounds. 420f1f142adSRobert Elliott 128-bit: 12 rounds. 421f1f142adSRobert Elliott 192-bit: 14 rounds. 422f1f142adSRobert Elliott 256-bit: 16 rounds. 423f1f142adSRobert Elliott 424cf514b2aSRobert Elliott See: 425cf514b2aSRobert Elliott https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do 426584fffc8SSebastian Siewior 427584fffc8SSebastian Siewiorconfig CRYPTO_BLOWFISH 428cf514b2aSRobert Elliott tristate "Blowfish" 429584fffc8SSebastian Siewior select CRYPTO_ALGAPI 43052ba867cSJussi Kivilinna select CRYPTO_BLOWFISH_COMMON 431584fffc8SSebastian Siewior help 432cf514b2aSRobert Elliott Blowfish cipher algorithm, by Bruce Schneier 433584fffc8SSebastian Siewior 434584fffc8SSebastian Siewior This is a variable key length cipher which can use keys from 32 435584fffc8SSebastian Siewior bits to 448 bits in length. It's fast, simple and specifically 436584fffc8SSebastian Siewior designed for use on "large microprocessors". 437e2ee95b8SHye-Shik Chang 438cf514b2aSRobert Elliott See https://www.schneier.com/blowfish.html for further information. 439584fffc8SSebastian Siewior 44052ba867cSJussi Kivilinnaconfig CRYPTO_BLOWFISH_COMMON 44152ba867cSJussi Kivilinna tristate 44252ba867cSJussi Kivilinna help 44352ba867cSJussi Kivilinna Common parts of the Blowfish cipher algorithm shared by the 44452ba867cSJussi Kivilinna generic c and the assembler implementations. 44552ba867cSJussi Kivilinna 446584fffc8SSebastian Siewiorconfig CRYPTO_CAMELLIA 447cf514b2aSRobert Elliott tristate "Camellia" 448584fffc8SSebastian Siewior select CRYPTO_ALGAPI 449584fffc8SSebastian Siewior help 450cf514b2aSRobert Elliott Camellia cipher algorithms (ISO/IEC 18033-3) 451584fffc8SSebastian Siewior 452584fffc8SSebastian Siewior Camellia is a symmetric key block cipher developed jointly 453584fffc8SSebastian Siewior at NTT and Mitsubishi Electric Corporation. 454584fffc8SSebastian Siewior 455584fffc8SSebastian Siewior The Camellia specifies three key sizes: 128, 192 and 256 bits. 456584fffc8SSebastian Siewior 457cf514b2aSRobert Elliott See https://info.isl.ntt.co.jp/crypt/eng/camellia/ for further information. 458584fffc8SSebastian Siewior 459044ab525SJussi Kivilinnaconfig CRYPTO_CAST_COMMON 460044ab525SJussi Kivilinna tristate 461044ab525SJussi Kivilinna help 462044ab525SJussi Kivilinna Common parts of the CAST cipher algorithms shared by the 463044ab525SJussi Kivilinna generic c and the assembler implementations. 464044ab525SJussi Kivilinna 465584fffc8SSebastian Siewiorconfig CRYPTO_CAST5 466cf514b2aSRobert Elliott tristate "CAST5 (CAST-128)" 467584fffc8SSebastian Siewior select CRYPTO_ALGAPI 468044ab525SJussi Kivilinna select CRYPTO_CAST_COMMON 469584fffc8SSebastian Siewior help 470cf514b2aSRobert Elliott CAST5 (CAST-128) cipher algorithm (RFC2144, ISO/IEC 18033-3) 471584fffc8SSebastian Siewior 472584fffc8SSebastian Siewiorconfig CRYPTO_CAST6 473cf514b2aSRobert Elliott tristate "CAST6 (CAST-256)" 474584fffc8SSebastian Siewior select CRYPTO_ALGAPI 475044ab525SJussi Kivilinna select CRYPTO_CAST_COMMON 476584fffc8SSebastian Siewior help 477cf514b2aSRobert Elliott CAST6 (CAST-256) encryption algorithm (RFC2612) 478584fffc8SSebastian Siewior 479584fffc8SSebastian Siewiorconfig CRYPTO_DES 480cf514b2aSRobert Elliott tristate "DES and Triple DES EDE" 481584fffc8SSebastian Siewior select CRYPTO_ALGAPI 48204007b0eSArd Biesheuvel select CRYPTO_LIB_DES 483584fffc8SSebastian Siewior help 484cf514b2aSRobert Elliott DES (Data Encryption Standard)(FIPS 46-2, ISO/IEC 18033-3) and 485cf514b2aSRobert Elliott Triple DES EDE (Encrypt/Decrypt/Encrypt) (FIPS 46-3, ISO/IEC 18033-3) 486cf514b2aSRobert Elliott cipher algorithms 487584fffc8SSebastian Siewior 488584fffc8SSebastian Siewiorconfig CRYPTO_FCRYPT 489cf514b2aSRobert Elliott tristate "FCrypt" 490584fffc8SSebastian Siewior select CRYPTO_ALGAPI 491b95bba5dSEric Biggers select CRYPTO_SKCIPHER 492584fffc8SSebastian Siewior help 493cf514b2aSRobert Elliott FCrypt algorithm used by RxRPC 494cf514b2aSRobert Elliott 495cf514b2aSRobert Elliott See https://ota.polyonymo.us/fcrypt-paper.txt 496584fffc8SSebastian Siewior 497584fffc8SSebastian Siewiorconfig CRYPTO_KHAZAD 498cf514b2aSRobert Elliott tristate "Khazad" 4991674aea5SArd Biesheuvel depends on CRYPTO_USER_API_ENABLE_OBSOLETE 500584fffc8SSebastian Siewior select CRYPTO_ALGAPI 501584fffc8SSebastian Siewior help 502cf514b2aSRobert Elliott Khazad cipher algorithm 503584fffc8SSebastian Siewior 504584fffc8SSebastian Siewior Khazad was a finalist in the initial NESSIE competition. It is 505584fffc8SSebastian Siewior an algorithm optimized for 64-bit processors with good performance 506584fffc8SSebastian Siewior on 32-bit processors. Khazad uses an 128 bit key size. 507584fffc8SSebastian Siewior 508cf514b2aSRobert Elliott See https://web.archive.org/web/20171011071731/http://www.larc.usp.br/~pbarreto/KhazadPage.html 509cf514b2aSRobert Elliott for further information. 510e2ee95b8SHye-Shik Chang 511584fffc8SSebastian Siewiorconfig CRYPTO_SEED 512cf514b2aSRobert Elliott tristate "SEED" 5131674aea5SArd Biesheuvel depends on CRYPTO_USER_API_ENABLE_OBSOLETE 514584fffc8SSebastian Siewior select CRYPTO_ALGAPI 515584fffc8SSebastian Siewior help 516cf514b2aSRobert Elliott SEED cipher algorithm (RFC4269, ISO/IEC 18033-3) 517584fffc8SSebastian Siewior 518584fffc8SSebastian Siewior SEED is a 128-bit symmetric key block cipher that has been 519584fffc8SSebastian Siewior developed by KISA (Korea Information Security Agency) as a 520584fffc8SSebastian Siewior national standard encryption algorithm of the Republic of Korea. 521584fffc8SSebastian Siewior It is a 16 round block cipher with the key size of 128 bit. 522584fffc8SSebastian Siewior 523cf514b2aSRobert Elliott See https://seed.kisa.or.kr/kisa/algorithm/EgovSeedInfo.do 524cf514b2aSRobert Elliott for further information. 525584fffc8SSebastian Siewior 526584fffc8SSebastian Siewiorconfig CRYPTO_SERPENT 527cf514b2aSRobert Elliott tristate "Serpent" 528584fffc8SSebastian Siewior select CRYPTO_ALGAPI 529584fffc8SSebastian Siewior help 530cf514b2aSRobert Elliott Serpent cipher algorithm, by Anderson, Biham & Knudsen 531584fffc8SSebastian Siewior 532584fffc8SSebastian Siewior Keys are allowed to be from 0 to 256 bits in length, in steps 533784506a1SArd Biesheuvel of 8 bits. 534584fffc8SSebastian Siewior 535cf514b2aSRobert Elliott See https://www.cl.cam.ac.uk/~rja14/serpent.html for further information. 536584fffc8SSebastian Siewior 537747c8ce4SGilad Ben-Yossefconfig CRYPTO_SM4 538d2825fa9SJason A. Donenfeld tristate 539d2825fa9SJason A. Donenfeld 540d2825fa9SJason A. Donenfeldconfig CRYPTO_SM4_GENERIC 541cf514b2aSRobert Elliott tristate "SM4 (ShangMi 4)" 542747c8ce4SGilad Ben-Yossef select CRYPTO_ALGAPI 543d2825fa9SJason A. Donenfeld select CRYPTO_SM4 544747c8ce4SGilad Ben-Yossef help 545cf514b2aSRobert Elliott SM4 cipher algorithms (OSCCA GB/T 32907-2016, 546cf514b2aSRobert Elliott ISO/IEC 18033-3:2010/Amd 1:2021) 547747c8ce4SGilad Ben-Yossef 548747c8ce4SGilad Ben-Yossef SM4 (GBT.32907-2016) is a cryptographic standard issued by the 549747c8ce4SGilad Ben-Yossef Organization of State Commercial Administration of China (OSCCA) 550747c8ce4SGilad Ben-Yossef as an authorized cryptographic algorithms for the use within China. 551747c8ce4SGilad Ben-Yossef 552747c8ce4SGilad Ben-Yossef SMS4 was originally created for use in protecting wireless 553747c8ce4SGilad Ben-Yossef networks, and is mandated in the Chinese National Standard for 554747c8ce4SGilad Ben-Yossef Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure) 555747c8ce4SGilad Ben-Yossef (GB.15629.11-2003). 556747c8ce4SGilad Ben-Yossef 557747c8ce4SGilad Ben-Yossef The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and 558747c8ce4SGilad Ben-Yossef standardized through TC 260 of the Standardization Administration 559747c8ce4SGilad Ben-Yossef of the People's Republic of China (SAC). 560747c8ce4SGilad Ben-Yossef 561747c8ce4SGilad Ben-Yossef The input, output, and key of SMS4 are each 128 bits. 562747c8ce4SGilad Ben-Yossef 563cf514b2aSRobert Elliott See https://eprint.iacr.org/2008/329.pdf for further information. 564747c8ce4SGilad Ben-Yossef 565747c8ce4SGilad Ben-Yossef If unsure, say N. 566747c8ce4SGilad Ben-Yossef 567584fffc8SSebastian Siewiorconfig CRYPTO_TEA 568cf514b2aSRobert Elliott tristate "TEA, XTEA and XETA" 5691674aea5SArd Biesheuvel depends on CRYPTO_USER_API_ENABLE_OBSOLETE 570584fffc8SSebastian Siewior select CRYPTO_ALGAPI 571584fffc8SSebastian Siewior help 572cf514b2aSRobert Elliott TEA (Tiny Encryption Algorithm) cipher algorithms 573584fffc8SSebastian Siewior 574584fffc8SSebastian Siewior Tiny Encryption Algorithm is a simple cipher that uses 575584fffc8SSebastian Siewior many rounds for security. It is very fast and uses 576584fffc8SSebastian Siewior little memory. 577584fffc8SSebastian Siewior 578584fffc8SSebastian Siewior Xtendend Tiny Encryption Algorithm is a modification to 579584fffc8SSebastian Siewior the TEA algorithm to address a potential key weakness 580584fffc8SSebastian Siewior in the TEA algorithm. 581584fffc8SSebastian Siewior 582584fffc8SSebastian Siewior Xtendend Encryption Tiny Algorithm is a mis-implementation 583584fffc8SSebastian Siewior of the XTEA algorithm for compatibility purposes. 584584fffc8SSebastian Siewior 585584fffc8SSebastian Siewiorconfig CRYPTO_TWOFISH 586cf514b2aSRobert Elliott tristate "Twofish" 587584fffc8SSebastian Siewior select CRYPTO_ALGAPI 588584fffc8SSebastian Siewior select CRYPTO_TWOFISH_COMMON 589584fffc8SSebastian Siewior help 590cf514b2aSRobert Elliott Twofish cipher algorithm 591584fffc8SSebastian Siewior 592584fffc8SSebastian Siewior Twofish was submitted as an AES (Advanced Encryption Standard) 593584fffc8SSebastian Siewior candidate cipher by researchers at CounterPane Systems. It is a 594584fffc8SSebastian Siewior 16 round block cipher supporting key sizes of 128, 192, and 256 595584fffc8SSebastian Siewior bits. 596584fffc8SSebastian Siewior 597cf514b2aSRobert Elliott See https://www.schneier.com/twofish.html for further information. 598584fffc8SSebastian Siewior 599584fffc8SSebastian Siewiorconfig CRYPTO_TWOFISH_COMMON 600584fffc8SSebastian Siewior tristate 601584fffc8SSebastian Siewior help 602584fffc8SSebastian Siewior Common parts of the Twofish cipher algorithm shared by the 603584fffc8SSebastian Siewior generic c and the assembler implementations. 604584fffc8SSebastian Siewior 605f1f142adSRobert Elliottendmenu 606f1f142adSRobert Elliott 607f1f142adSRobert Elliottmenu "Length-preserving ciphers and modes" 608f1f142adSRobert Elliott 609f1f142adSRobert Elliottconfig CRYPTO_ADIANTUM 610cf514b2aSRobert Elliott tristate "Adiantum" 611f1f142adSRobert Elliott select CRYPTO_CHACHA20 612f1f142adSRobert Elliott select CRYPTO_LIB_POLY1305_GENERIC 613f1f142adSRobert Elliott select CRYPTO_NHPOLY1305 614f1f142adSRobert Elliott select CRYPTO_MANAGER 615f1f142adSRobert Elliott help 616cf514b2aSRobert Elliott Adiantum tweakable, length-preserving encryption mode 617cf514b2aSRobert Elliott 618cf514b2aSRobert Elliott Designed for fast and secure disk encryption, especially on 619f1f142adSRobert Elliott CPUs without dedicated crypto instructions. It encrypts 620f1f142adSRobert Elliott each sector using the XChaCha12 stream cipher, two passes of 621f1f142adSRobert Elliott an ε-almost-∆-universal hash function, and an invocation of 622f1f142adSRobert Elliott the AES-256 block cipher on a single 16-byte block. On CPUs 623f1f142adSRobert Elliott without AES instructions, Adiantum is much faster than 624f1f142adSRobert Elliott AES-XTS. 625f1f142adSRobert Elliott 626f1f142adSRobert Elliott Adiantum's security is provably reducible to that of its 627f1f142adSRobert Elliott underlying stream and block ciphers, subject to a security 628f1f142adSRobert Elliott bound. Unlike XTS, Adiantum is a true wide-block encryption 629f1f142adSRobert Elliott mode, so it actually provides an even stronger notion of 630f1f142adSRobert Elliott security than XTS, subject to the security bound. 631f1f142adSRobert Elliott 632f1f142adSRobert Elliott If unsure, say N. 633f1f142adSRobert Elliott 634f1f142adSRobert Elliottconfig CRYPTO_ARC4 635cf514b2aSRobert Elliott tristate "ARC4 (Alleged Rivest Cipher 4)" 636f1f142adSRobert Elliott depends on CRYPTO_USER_API_ENABLE_OBSOLETE 637f1f142adSRobert Elliott select CRYPTO_SKCIPHER 638f1f142adSRobert Elliott select CRYPTO_LIB_ARC4 639f1f142adSRobert Elliott help 640cf514b2aSRobert Elliott ARC4 cipher algorithm 641f1f142adSRobert Elliott 642f1f142adSRobert Elliott ARC4 is a stream cipher using keys ranging from 8 bits to 2048 643f1f142adSRobert Elliott bits in length. This algorithm is required for driver-based 644f1f142adSRobert Elliott WEP, but it should not be for other purposes because of the 645f1f142adSRobert Elliott weakness of the algorithm. 646f1f142adSRobert Elliott 647f1f142adSRobert Elliottconfig CRYPTO_CHACHA20 648cf514b2aSRobert Elliott tristate "ChaCha" 649879f4754SEric Biggers select CRYPTO_LIB_CHACHA 650f1f142adSRobert Elliott select CRYPTO_LIB_CHACHA_GENERIC 651f1f142adSRobert Elliott select CRYPTO_SKCIPHER 652f1f142adSRobert Elliott help 653cf514b2aSRobert Elliott The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms 654f1f142adSRobert Elliott 655f1f142adSRobert Elliott ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J. 656f1f142adSRobert Elliott Bernstein and further specified in RFC7539 for use in IETF protocols. 657cf514b2aSRobert Elliott This is the portable C implementation of ChaCha20. See 658cf514b2aSRobert Elliott https://cr.yp.to/chacha/chacha-20080128.pdf for further information. 659f1f142adSRobert Elliott 660f1f142adSRobert Elliott XChaCha20 is the application of the XSalsa20 construction to ChaCha20 661f1f142adSRobert Elliott rather than to Salsa20. XChaCha20 extends ChaCha20's nonce length 662f1f142adSRobert Elliott from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits, 663cf514b2aSRobert Elliott while provably retaining ChaCha20's security. See 664cf514b2aSRobert Elliott https://cr.yp.to/snuffle/xsalsa-20081128.pdf for further information. 665f1f142adSRobert Elliott 666f1f142adSRobert Elliott XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly 667f1f142adSRobert Elliott reduced security margin but increased performance. It can be needed 668f1f142adSRobert Elliott in some performance-sensitive scenarios. 669f1f142adSRobert Elliott 670f1f142adSRobert Elliottconfig CRYPTO_CBC 671cf514b2aSRobert Elliott tristate "CBC (Cipher Block Chaining)" 672f1f142adSRobert Elliott select CRYPTO_SKCIPHER 673f1f142adSRobert Elliott select CRYPTO_MANAGER 674f1f142adSRobert Elliott help 675cf514b2aSRobert Elliott CBC (Cipher Block Chaining) mode (NIST SP800-38A) 676cf514b2aSRobert Elliott 677cf514b2aSRobert Elliott This block cipher mode is required for IPSec ESP (XFRM_ESP). 678f1f142adSRobert Elliott 679f1f142adSRobert Elliottconfig CRYPTO_CTR 680cf514b2aSRobert Elliott tristate "CTR (Counter)" 681f1f142adSRobert Elliott select CRYPTO_SKCIPHER 682f1f142adSRobert Elliott select CRYPTO_MANAGER 683f1f142adSRobert Elliott help 684cf514b2aSRobert Elliott CTR (Counter) mode (NIST SP800-38A) 685f1f142adSRobert Elliott 686f1f142adSRobert Elliottconfig CRYPTO_CTS 687cf514b2aSRobert Elliott tristate "CTS (Cipher Text Stealing)" 688f1f142adSRobert Elliott select CRYPTO_SKCIPHER 689f1f142adSRobert Elliott select CRYPTO_MANAGER 690f1f142adSRobert Elliott help 691cf514b2aSRobert Elliott CBC-CS3 variant of CTS (Cipher Text Stealing) (NIST 692cf514b2aSRobert Elliott Addendum to SP800-38A (October 2010)) 693cf514b2aSRobert Elliott 694f1f142adSRobert Elliott This mode is required for Kerberos gss mechanism support 695f1f142adSRobert Elliott for AES encryption. 696f1f142adSRobert Elliott 697f1f142adSRobert Elliottconfig CRYPTO_ECB 698cf514b2aSRobert Elliott tristate "ECB (Electronic Codebook)" 69984534684SHerbert Xu select CRYPTO_SKCIPHER2 700f1f142adSRobert Elliott select CRYPTO_MANAGER 701f1f142adSRobert Elliott help 702cf514b2aSRobert Elliott ECB (Electronic Codebook) mode (NIST SP800-38A) 703f1f142adSRobert Elliott 704f1f142adSRobert Elliottconfig CRYPTO_HCTR2 705cf514b2aSRobert Elliott tristate "HCTR2" 706f1f142adSRobert Elliott select CRYPTO_XCTR 707f1f142adSRobert Elliott select CRYPTO_POLYVAL 708f1f142adSRobert Elliott select CRYPTO_MANAGER 709f1f142adSRobert Elliott help 710cf514b2aSRobert Elliott HCTR2 length-preserving encryption mode 711cf514b2aSRobert Elliott 712cf514b2aSRobert Elliott A mode for storage encryption that is efficient on processors with 713cf514b2aSRobert Elliott instructions to accelerate AES and carryless multiplication, e.g. 714cf514b2aSRobert Elliott x86 processors with AES-NI and CLMUL, and ARM processors with the 715cf514b2aSRobert Elliott ARMv8 crypto extensions. 716cf514b2aSRobert Elliott 717cf514b2aSRobert Elliott See https://eprint.iacr.org/2021/1441 718f1f142adSRobert Elliott 719f1f142adSRobert Elliottconfig CRYPTO_LRW 720cf514b2aSRobert Elliott tristate "LRW (Liskov Rivest Wagner)" 72161c581a4SArd Biesheuvel select CRYPTO_LIB_GF128MUL 722f1f142adSRobert Elliott select CRYPTO_SKCIPHER 723f1f142adSRobert Elliott select CRYPTO_MANAGER 724f1f142adSRobert Elliott select CRYPTO_ECB 725f1f142adSRobert Elliott help 726cf514b2aSRobert Elliott LRW (Liskov Rivest Wagner) mode 727cf514b2aSRobert Elliott 728cf514b2aSRobert Elliott A tweakable, non malleable, non movable 729f1f142adSRobert Elliott narrow block cipher mode for dm-crypt. Use it with cipher 730f1f142adSRobert Elliott specification string aes-lrw-benbi, the key must be 256, 320 or 384. 731f1f142adSRobert Elliott The first 128, 192 or 256 bits in the key are used for AES and the 732f1f142adSRobert Elliott rest is used to tie each cipher block to its logical position. 733f1f142adSRobert Elliott 734cf514b2aSRobert Elliott See https://people.csail.mit.edu/rivest/pubs/LRW02.pdf 735cf514b2aSRobert Elliott 736f1f142adSRobert Elliottconfig CRYPTO_PCBC 737cf514b2aSRobert Elliott tristate "PCBC (Propagating Cipher Block Chaining)" 738f1f142adSRobert Elliott select CRYPTO_SKCIPHER 739f1f142adSRobert Elliott select CRYPTO_MANAGER 740f1f142adSRobert Elliott help 741cf514b2aSRobert Elliott PCBC (Propagating Cipher Block Chaining) mode 742cf514b2aSRobert Elliott 743cf514b2aSRobert Elliott This block cipher mode is required for RxRPC. 744f1f142adSRobert Elliott 745f1f142adSRobert Elliottconfig CRYPTO_XCTR 746f1f142adSRobert Elliott tristate 747f1f142adSRobert Elliott select CRYPTO_SKCIPHER 748f1f142adSRobert Elliott select CRYPTO_MANAGER 749f1f142adSRobert Elliott help 750cf514b2aSRobert Elliott XCTR (XOR Counter) mode for HCTR2 751cf514b2aSRobert Elliott 752cf514b2aSRobert Elliott This blockcipher mode is a variant of CTR mode using XORs and little-endian 753cf514b2aSRobert Elliott addition rather than big-endian arithmetic. 754cf514b2aSRobert Elliott 755f1f142adSRobert Elliott XCTR mode is used to implement HCTR2. 756f1f142adSRobert Elliott 757f1f142adSRobert Elliottconfig CRYPTO_XTS 758cf514b2aSRobert Elliott tristate "XTS (XOR Encrypt XOR with ciphertext stealing)" 759f1f142adSRobert Elliott select CRYPTO_SKCIPHER 760f1f142adSRobert Elliott select CRYPTO_MANAGER 761f1f142adSRobert Elliott select CRYPTO_ECB 762f1f142adSRobert Elliott help 763cf514b2aSRobert Elliott XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E 764cf514b2aSRobert Elliott and IEEE 1619) 765cf514b2aSRobert Elliott 766cf514b2aSRobert Elliott Use with aes-xts-plain, key size 256, 384 or 512 bits. This 767cf514b2aSRobert Elliott implementation currently can't handle a sectorsize which is not a 768cf514b2aSRobert Elliott multiple of 16 bytes. 769f1f142adSRobert Elliott 770f1f142adSRobert Elliottconfig CRYPTO_NHPOLY1305 771f1f142adSRobert Elliott tristate 772f1f142adSRobert Elliott select CRYPTO_HASH 773f1f142adSRobert Elliott select CRYPTO_LIB_POLY1305_GENERIC 774f1f142adSRobert Elliott 775f1f142adSRobert Elliottendmenu 776f1f142adSRobert Elliott 777f1f142adSRobert Elliottmenu "AEAD (authenticated encryption with associated data) ciphers" 778f1f142adSRobert Elliott 779f1f142adSRobert Elliottconfig CRYPTO_AEGIS128 780e3d2eaddSRobert Elliott tristate "AEGIS-128" 781f1f142adSRobert Elliott select CRYPTO_AEAD 782f1f142adSRobert Elliott select CRYPTO_AES # for AES S-box tables 783f1f142adSRobert Elliott help 784e3d2eaddSRobert Elliott AEGIS-128 AEAD algorithm 785f1f142adSRobert Elliott 786f1f142adSRobert Elliottconfig CRYPTO_AEGIS128_SIMD 787e3d2eaddSRobert Elliott bool "AEGIS-128 (arm NEON, arm64 NEON)" 788f1f142adSRobert Elliott depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON) 789f1f142adSRobert Elliott default y 790e3d2eaddSRobert Elliott help 791e3d2eaddSRobert Elliott AEGIS-128 AEAD algorithm 792e3d2eaddSRobert Elliott 793e3d2eaddSRobert Elliott Architecture: arm or arm64 using: 794e3d2eaddSRobert Elliott - NEON (Advanced SIMD) extension 795f1f142adSRobert Elliott 796f1f142adSRobert Elliottconfig CRYPTO_CHACHA20POLY1305 797e3d2eaddSRobert Elliott tristate "ChaCha20-Poly1305" 798f1f142adSRobert Elliott select CRYPTO_CHACHA20 799f1f142adSRobert Elliott select CRYPTO_AEAD 800a298765eSHerbert Xu select CRYPTO_LIB_POLY1305 801f1f142adSRobert Elliott select CRYPTO_MANAGER 802f1f142adSRobert Elliott help 803e3d2eaddSRobert Elliott ChaCha20 stream cipher and Poly1305 authenticator combined 804e3d2eaddSRobert Elliott mode (RFC8439) 805f1f142adSRobert Elliott 806f1f142adSRobert Elliottconfig CRYPTO_CCM 807cf514b2aSRobert Elliott tristate "CCM (Counter with Cipher Block Chaining-MAC)" 808f1f142adSRobert Elliott select CRYPTO_CTR 809f1f142adSRobert Elliott select CRYPTO_HASH 810f1f142adSRobert Elliott select CRYPTO_AEAD 811f1f142adSRobert Elliott select CRYPTO_MANAGER 812f1f142adSRobert Elliott help 813e3d2eaddSRobert Elliott CCM (Counter with Cipher Block Chaining-Message Authentication Code) 814e3d2eaddSRobert Elliott authenticated encryption mode (NIST SP800-38C) 815f1f142adSRobert Elliott 816f1f142adSRobert Elliottconfig CRYPTO_GCM 817cf514b2aSRobert Elliott tristate "GCM (Galois/Counter Mode) and GMAC (GCM MAC)" 818f1f142adSRobert Elliott select CRYPTO_CTR 819f1f142adSRobert Elliott select CRYPTO_AEAD 820f1f142adSRobert Elliott select CRYPTO_GHASH 821f1f142adSRobert Elliott select CRYPTO_MANAGER 822f1f142adSRobert Elliott help 823e3d2eaddSRobert Elliott GCM (Galois/Counter Mode) authenticated encryption mode and GMAC 824e3d2eaddSRobert Elliott (GCM Message Authentication Code) (NIST SP800-38D) 825e3d2eaddSRobert Elliott 826e3d2eaddSRobert Elliott This is required for IPSec ESP (XFRM_ESP). 827f1f142adSRobert Elliott 828ba51738fSHerbert Xuconfig CRYPTO_GENIV 829ba51738fSHerbert Xu tristate 830ba51738fSHerbert Xu select CRYPTO_AEAD 831ba51738fSHerbert Xu select CRYPTO_MANAGER 832ba51738fSHerbert Xu select CRYPTO_RNG_DEFAULT 833ba51738fSHerbert Xu 834f1f142adSRobert Elliottconfig CRYPTO_SEQIV 835f1f142adSRobert Elliott tristate "Sequence Number IV Generator" 836ba51738fSHerbert Xu select CRYPTO_GENIV 837f1f142adSRobert Elliott help 838e3d2eaddSRobert Elliott Sequence Number IV generator 839e3d2eaddSRobert Elliott 840f1f142adSRobert Elliott This IV generator generates an IV based on a sequence number by 841e3d2eaddSRobert Elliott xoring it with a salt. This algorithm is mainly useful for CTR. 842e3d2eaddSRobert Elliott 843e3d2eaddSRobert Elliott This is required for IPsec ESP (XFRM_ESP). 844f1f142adSRobert Elliott 845f1f142adSRobert Elliottconfig CRYPTO_ECHAINIV 846f1f142adSRobert Elliott tristate "Encrypted Chain IV Generator" 847ba51738fSHerbert Xu select CRYPTO_GENIV 848f1f142adSRobert Elliott help 849e3d2eaddSRobert Elliott Encrypted Chain IV generator 850e3d2eaddSRobert Elliott 851f1f142adSRobert Elliott This IV generator generates an IV based on the encryption of 852f1f142adSRobert Elliott a sequence number xored with a salt. This is the default 853f1f142adSRobert Elliott algorithm for CBC. 854f1f142adSRobert Elliott 855f1f142adSRobert Elliottconfig CRYPTO_ESSIV 856e3d2eaddSRobert Elliott tristate "Encrypted Salt-Sector IV Generator" 857f1f142adSRobert Elliott select CRYPTO_AUTHENC 858f1f142adSRobert Elliott help 859e3d2eaddSRobert Elliott Encrypted Salt-Sector IV generator 860e3d2eaddSRobert Elliott 861e3d2eaddSRobert Elliott This IV generator is used in some cases by fscrypt and/or 862f1f142adSRobert Elliott dm-crypt. It uses the hash of the block encryption key as the 863f1f142adSRobert Elliott symmetric key for a block encryption pass applied to the input 864f1f142adSRobert Elliott IV, making low entropy IV sources more suitable for block 865f1f142adSRobert Elliott encryption. 866f1f142adSRobert Elliott 867f1f142adSRobert Elliott This driver implements a crypto API template that can be 868f1f142adSRobert Elliott instantiated either as an skcipher or as an AEAD (depending on the 869f1f142adSRobert Elliott type of the first template argument), and which defers encryption 870f1f142adSRobert Elliott and decryption requests to the encapsulated cipher after applying 871f1f142adSRobert Elliott ESSIV to the input IV. Note that in the AEAD case, it is assumed 872f1f142adSRobert Elliott that the keys are presented in the same format used by the authenc 873f1f142adSRobert Elliott template, and that the IV appears at the end of the authenticated 874f1f142adSRobert Elliott associated data (AAD) region (which is how dm-crypt uses it.) 875f1f142adSRobert Elliott 876f1f142adSRobert Elliott Note that the use of ESSIV is not recommended for new deployments, 877f1f142adSRobert Elliott and so this only needs to be enabled when interoperability with 878f1f142adSRobert Elliott existing encrypted volumes of filesystems is required, or when 879f1f142adSRobert Elliott building for a particular system that requires it (e.g., when 880f1f142adSRobert Elliott the SoC in question has accelerated CBC but not XTS, making CBC 881f1f142adSRobert Elliott combined with ESSIV the only feasible mode for h/w accelerated 882f1f142adSRobert Elliott block encryption) 883f1f142adSRobert Elliott 884f1f142adSRobert Elliottendmenu 885f1f142adSRobert Elliott 886f1f142adSRobert Elliottmenu "Hashes, digests, and MACs" 887f1f142adSRobert Elliott 888f1f142adSRobert Elliottconfig CRYPTO_BLAKE2B 8893f342a23SRobert Elliott tristate "BLAKE2b" 890f1f142adSRobert Elliott select CRYPTO_HASH 891f1f142adSRobert Elliott help 8923f342a23SRobert Elliott BLAKE2b cryptographic hash function (RFC 7693) 8933f342a23SRobert Elliott 8943f342a23SRobert Elliott BLAKE2b is optimized for 64-bit platforms and can produce digests 8953f342a23SRobert Elliott of any size between 1 and 64 bytes. The keyed hash is also implemented. 896f1f142adSRobert Elliott 897f1f142adSRobert Elliott This module provides the following algorithms: 898f1f142adSRobert Elliott - blake2b-160 899f1f142adSRobert Elliott - blake2b-256 900f1f142adSRobert Elliott - blake2b-384 901f1f142adSRobert Elliott - blake2b-512 902f1f142adSRobert Elliott 9033f342a23SRobert Elliott Used by the btrfs filesystem. 9043f342a23SRobert Elliott 9053f342a23SRobert Elliott See https://blake2.net for further information. 9063f342a23SRobert Elliott 907f1f142adSRobert Elliottconfig CRYPTO_CMAC 9083f342a23SRobert Elliott tristate "CMAC (Cipher-based MAC)" 909f1f142adSRobert Elliott select CRYPTO_HASH 910f1f142adSRobert Elliott select CRYPTO_MANAGER 911f1f142adSRobert Elliott help 9123f342a23SRobert Elliott CMAC (Cipher-based Message Authentication Code) authentication 9133f342a23SRobert Elliott mode (NIST SP800-38B and IETF RFC4493) 914f1f142adSRobert Elliott 915f1f142adSRobert Elliottconfig CRYPTO_GHASH 9163f342a23SRobert Elliott tristate "GHASH" 917f1f142adSRobert Elliott select CRYPTO_HASH 91861c581a4SArd Biesheuvel select CRYPTO_LIB_GF128MUL 919f1f142adSRobert Elliott help 9203f342a23SRobert Elliott GCM GHASH function (NIST SP800-38D) 921f1f142adSRobert Elliott 922f1f142adSRobert Elliottconfig CRYPTO_HMAC 9233f342a23SRobert Elliott tristate "HMAC (Keyed-Hash MAC)" 924f1f142adSRobert Elliott select CRYPTO_HASH 925f1f142adSRobert Elliott select CRYPTO_MANAGER 926f1f142adSRobert Elliott help 9273f342a23SRobert Elliott HMAC (Keyed-Hash Message Authentication Code) (FIPS 198 and 9283f342a23SRobert Elliott RFC2104) 9293f342a23SRobert Elliott 9303f342a23SRobert Elliott This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP). 931f1f142adSRobert Elliott 932f1f142adSRobert Elliottconfig CRYPTO_MD4 9333f342a23SRobert Elliott tristate "MD4" 934f1f142adSRobert Elliott select CRYPTO_HASH 935f1f142adSRobert Elliott help 9363f342a23SRobert Elliott MD4 message digest algorithm (RFC1320) 937f1f142adSRobert Elliott 938f1f142adSRobert Elliottconfig CRYPTO_MD5 9393f342a23SRobert Elliott tristate "MD5" 940f1f142adSRobert Elliott select CRYPTO_HASH 941f1f142adSRobert Elliott help 9423f342a23SRobert Elliott MD5 message digest algorithm (RFC1321) 943f1f142adSRobert Elliott 944f1f142adSRobert Elliottconfig CRYPTO_MICHAEL_MIC 9453f342a23SRobert Elliott tristate "Michael MIC" 946f1f142adSRobert Elliott select CRYPTO_HASH 947f1f142adSRobert Elliott help 9483f342a23SRobert Elliott Michael MIC (Message Integrity Code) (IEEE 802.11i) 9493f342a23SRobert Elliott 9503f342a23SRobert Elliott Defined by the IEEE 802.11i TKIP (Temporal Key Integrity Protocol), 9513f342a23SRobert Elliott known as WPA (Wif-Fi Protected Access). 9523f342a23SRobert Elliott 9533f342a23SRobert Elliott This algorithm is required for TKIP, but it should not be used for 9543f342a23SRobert Elliott other purposes because of the weakness of the algorithm. 955f1f142adSRobert Elliott 956f1f142adSRobert Elliottconfig CRYPTO_POLYVAL 957f1f142adSRobert Elliott tristate 958f1f142adSRobert Elliott select CRYPTO_HASH 95961c581a4SArd Biesheuvel select CRYPTO_LIB_GF128MUL 960f1f142adSRobert Elliott help 9613f342a23SRobert Elliott POLYVAL hash function for HCTR2 9623f342a23SRobert Elliott 9633f342a23SRobert Elliott This is used in HCTR2. It is not a general-purpose 964f1f142adSRobert Elliott cryptographic hash function. 965f1f142adSRobert Elliott 966f1f142adSRobert Elliottconfig CRYPTO_RMD160 9673f342a23SRobert Elliott tristate "RIPEMD-160" 968f1f142adSRobert Elliott select CRYPTO_HASH 969f1f142adSRobert Elliott help 9703f342a23SRobert Elliott RIPEMD-160 hash function (ISO/IEC 10118-3) 971f1f142adSRobert Elliott 972f1f142adSRobert Elliott RIPEMD-160 is a 160-bit cryptographic hash function. It is intended 973f1f142adSRobert Elliott to be used as a secure replacement for the 128-bit hash functions 974f1f142adSRobert Elliott MD4, MD5 and its predecessor RIPEMD 975f1f142adSRobert Elliott (not to be confused with RIPEMD-128). 976f1f142adSRobert Elliott 9773f342a23SRobert Elliott Its speed is comparable to SHA-1 and there are no known attacks 978f1f142adSRobert Elliott against RIPEMD-160. 979f1f142adSRobert Elliott 980f1f142adSRobert Elliott Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel. 9813f342a23SRobert Elliott See https://homes.esat.kuleuven.be/~bosselae/ripemd160.html 9823f342a23SRobert Elliott for further information. 983f1f142adSRobert Elliott 984f1f142adSRobert Elliottconfig CRYPTO_SHA1 9853f342a23SRobert Elliott tristate "SHA-1" 986f1f142adSRobert Elliott select CRYPTO_HASH 987f1f142adSRobert Elliott select CRYPTO_LIB_SHA1 988f1f142adSRobert Elliott help 9893f342a23SRobert Elliott SHA-1 secure hash algorithm (FIPS 180, ISO/IEC 10118-3) 990f1f142adSRobert Elliott 991f1f142adSRobert Elliottconfig CRYPTO_SHA256 9923f342a23SRobert Elliott tristate "SHA-224 and SHA-256" 993f1f142adSRobert Elliott select CRYPTO_HASH 994f1f142adSRobert Elliott select CRYPTO_LIB_SHA256 995950e5c84SEric Biggers select CRYPTO_LIB_SHA256_GENERIC 996f1f142adSRobert Elliott help 9973f342a23SRobert Elliott SHA-224 and SHA-256 secure hash algorithms (FIPS 180, ISO/IEC 10118-3) 998f1f142adSRobert Elliott 9993f342a23SRobert Elliott This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP). 10003f342a23SRobert Elliott Used by the btrfs filesystem, Ceph, NFS, and SMB. 1001f1f142adSRobert Elliott 1002f1f142adSRobert Elliottconfig CRYPTO_SHA512 10033f342a23SRobert Elliott tristate "SHA-384 and SHA-512" 1004f1f142adSRobert Elliott select CRYPTO_HASH 1005f1f142adSRobert Elliott help 10063f342a23SRobert Elliott SHA-384 and SHA-512 secure hash algorithms (FIPS 180, ISO/IEC 10118-3) 1007f1f142adSRobert Elliott 1008f1f142adSRobert Elliottconfig CRYPTO_SHA3 10093f342a23SRobert Elliott tristate "SHA-3" 1010f1f142adSRobert Elliott select CRYPTO_HASH 1011f1f142adSRobert Elliott help 10123f342a23SRobert Elliott SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3) 1013f1f142adSRobert Elliott 1014f1f142adSRobert Elliottconfig CRYPTO_SM3_GENERIC 10153f342a23SRobert Elliott tristate "SM3 (ShangMi 3)" 1016f1f142adSRobert Elliott select CRYPTO_HASH 1017f4065b2fSHerbert Xu select CRYPTO_LIB_SM3 1018f1f142adSRobert Elliott help 10193f342a23SRobert Elliott SM3 (ShangMi 3) secure hash function (OSCCA GM/T 0004-2012, ISO/IEC 10118-3) 10203f342a23SRobert Elliott 10213f342a23SRobert Elliott This is part of the Chinese Commercial Cryptography suite. 1022f1f142adSRobert Elliott 1023f1f142adSRobert Elliott References: 1024f1f142adSRobert Elliott http://www.oscca.gov.cn/UpFile/20101222141857786.pdf 1025f1f142adSRobert Elliott https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash 1026f1f142adSRobert Elliott 1027f1f142adSRobert Elliottconfig CRYPTO_STREEBOG 10283f342a23SRobert Elliott tristate "Streebog" 1029f1f142adSRobert Elliott select CRYPTO_HASH 1030f1f142adSRobert Elliott help 10313f342a23SRobert Elliott Streebog Hash Function (GOST R 34.11-2012, RFC 6986, ISO/IEC 10118-3) 10323f342a23SRobert Elliott 10333f342a23SRobert Elliott This is one of the Russian cryptographic standard algorithms (called 10343f342a23SRobert Elliott GOST algorithms). This setting enables two hash algorithms with 10353f342a23SRobert Elliott 256 and 512 bits output. 1036f1f142adSRobert Elliott 1037f1f142adSRobert Elliott References: 1038f1f142adSRobert Elliott https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf 1039f1f142adSRobert Elliott https://tools.ietf.org/html/rfc6986 1040f1f142adSRobert Elliott 1041f1f142adSRobert Elliottconfig CRYPTO_WP512 10423f342a23SRobert Elliott tristate "Whirlpool" 1043f1f142adSRobert Elliott select CRYPTO_HASH 1044f1f142adSRobert Elliott help 10453f342a23SRobert Elliott Whirlpool hash function (ISO/IEC 10118-3) 10463f342a23SRobert Elliott 10473f342a23SRobert Elliott 512, 384 and 256-bit hashes. 1048f1f142adSRobert Elliott 1049f1f142adSRobert Elliott Whirlpool-512 is part of the NESSIE cryptographic primitives. 1050f1f142adSRobert Elliott 10513f342a23SRobert Elliott See https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html 10523f342a23SRobert Elliott for further information. 1053f1f142adSRobert Elliott 1054f1f142adSRobert Elliottconfig CRYPTO_XCBC 10553f342a23SRobert Elliott tristate "XCBC-MAC (Extended Cipher Block Chaining MAC)" 1056f1f142adSRobert Elliott select CRYPTO_HASH 1057f1f142adSRobert Elliott select CRYPTO_MANAGER 1058f1f142adSRobert Elliott help 10593f342a23SRobert Elliott XCBC-MAC (Extended Cipher Block Chaining Message Authentication 10603f342a23SRobert Elliott Code) (RFC3566) 1061f1f142adSRobert Elliott 1062f1f142adSRobert Elliottconfig CRYPTO_XXHASH 10633f342a23SRobert Elliott tristate "xxHash" 1064f1f142adSRobert Elliott select CRYPTO_HASH 1065f1f142adSRobert Elliott select XXHASH 1066f1f142adSRobert Elliott help 10673f342a23SRobert Elliott xxHash non-cryptographic hash algorithm 10683f342a23SRobert Elliott 10693f342a23SRobert Elliott Extremely fast, working at speeds close to RAM limits. 10703f342a23SRobert Elliott 10713f342a23SRobert Elliott Used by the btrfs filesystem. 1072f1f142adSRobert Elliott 1073f1f142adSRobert Elliottendmenu 1074f1f142adSRobert Elliott 1075f1f142adSRobert Elliottmenu "CRCs (cyclic redundancy checks)" 1076f1f142adSRobert Elliott 1077f1f142adSRobert Elliottconfig CRYPTO_CRC32C 1078ec84348dSRobert Elliott tristate "CRC32c" 1079f1f142adSRobert Elliott select CRYPTO_HASH 1080f1f142adSRobert Elliott select CRC32 1081f1f142adSRobert Elliott help 1082ec84348dSRobert Elliott CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720) 1083ec84348dSRobert Elliott 1084ec84348dSRobert Elliott A 32-bit CRC (cyclic redundancy check) with a polynomial defined 1085ec84348dSRobert Elliott by G. Castagnoli, S. Braeuer and M. Herrman in "Optimization of Cyclic 1086ec84348dSRobert Elliott Redundancy-Check Codes with 24 and 32 Parity Bits", IEEE Transactions 1087ec84348dSRobert Elliott on Communications, Vol. 41, No. 6, June 1993, selected for use with 1088ec84348dSRobert Elliott iSCSI. 1089ec84348dSRobert Elliott 1090ec84348dSRobert Elliott Used by btrfs, ext4, jbd2, NVMeoF/TCP, and iSCSI. 1091f1f142adSRobert Elliott 1092f1f142adSRobert Elliottconfig CRYPTO_CRC32 1093ec84348dSRobert Elliott tristate "CRC32" 1094f1f142adSRobert Elliott select CRYPTO_HASH 1095f1f142adSRobert Elliott select CRC32 1096f1f142adSRobert Elliott help 1097ec84348dSRobert Elliott CRC32 CRC algorithm (IEEE 802.3) 1098ec84348dSRobert Elliott 1099ec84348dSRobert Elliott Used by RoCEv2 and f2fs. 1100f1f142adSRobert Elliott 1101f1f142adSRobert Elliottendmenu 1102f1f142adSRobert Elliott 1103f1f142adSRobert Elliottmenu "Compression" 1104584fffc8SSebastian Siewior 11051da177e4SLinus Torvaldsconfig CRYPTO_DEFLATE 1106a9a98d49SRobert Elliott tristate "Deflate" 1107cce9e06dSHerbert Xu select CRYPTO_ALGAPI 1108f6ded09dSGiovanni Cabiddu select CRYPTO_ACOMP2 11091da177e4SLinus Torvalds select ZLIB_INFLATE 11101da177e4SLinus Torvalds select ZLIB_DEFLATE 11111da177e4SLinus Torvalds help 1112a9a98d49SRobert Elliott Deflate compression algorithm (RFC1951) 11131da177e4SLinus Torvalds 1114a9a98d49SRobert Elliott Used by IPSec with the IPCOMP protocol (RFC3173, RFC2394) 11151da177e4SLinus Torvalds 11160b77abb3SZoltan Sogorconfig CRYPTO_LZO 1117a9a98d49SRobert Elliott tristate "LZO" 11180b77abb3SZoltan Sogor select CRYPTO_ALGAPI 1119ac9d2c4bSGiovanni Cabiddu select CRYPTO_ACOMP2 11200b77abb3SZoltan Sogor select LZO_COMPRESS 11210b77abb3SZoltan Sogor select LZO_DECOMPRESS 11220b77abb3SZoltan Sogor help 1123a9a98d49SRobert Elliott LZO compression algorithm 1124a9a98d49SRobert Elliott 1125a9a98d49SRobert Elliott See https://www.oberhumer.com/opensource/lzo/ for further information. 11260b77abb3SZoltan Sogor 112735a1fc18SSeth Jenningsconfig CRYPTO_842 1128a9a98d49SRobert Elliott tristate "842" 11292062c5b6SDan Streetman select CRYPTO_ALGAPI 11306a8de3aeSGiovanni Cabiddu select CRYPTO_ACOMP2 11312062c5b6SDan Streetman select 842_COMPRESS 11322062c5b6SDan Streetman select 842_DECOMPRESS 113335a1fc18SSeth Jennings help 1134a9a98d49SRobert Elliott 842 compression algorithm by IBM 1135a9a98d49SRobert Elliott 1136a9a98d49SRobert Elliott See https://github.com/plauth/lib842 for further information. 113735a1fc18SSeth Jennings 11380ea8530dSChanho Minconfig CRYPTO_LZ4 1139a9a98d49SRobert Elliott tristate "LZ4" 11400ea8530dSChanho Min select CRYPTO_ALGAPI 11418cd9330eSGiovanni Cabiddu select CRYPTO_ACOMP2 11420ea8530dSChanho Min select LZ4_COMPRESS 11430ea8530dSChanho Min select LZ4_DECOMPRESS 11440ea8530dSChanho Min help 1145a9a98d49SRobert Elliott LZ4 compression algorithm 1146a9a98d49SRobert Elliott 1147a9a98d49SRobert Elliott See https://github.com/lz4/lz4 for further information. 11480ea8530dSChanho Min 11490ea8530dSChanho Minconfig CRYPTO_LZ4HC 1150a9a98d49SRobert Elliott tristate "LZ4HC" 11510ea8530dSChanho Min select CRYPTO_ALGAPI 115291d53d96SGiovanni Cabiddu select CRYPTO_ACOMP2 11530ea8530dSChanho Min select LZ4HC_COMPRESS 11540ea8530dSChanho Min select LZ4_DECOMPRESS 11550ea8530dSChanho Min help 1156a9a98d49SRobert Elliott LZ4 high compression mode algorithm 1157a9a98d49SRobert Elliott 1158a9a98d49SRobert Elliott See https://github.com/lz4/lz4 for further information. 11590ea8530dSChanho Min 1160d28fc3dbSNick Terrellconfig CRYPTO_ZSTD 1161a9a98d49SRobert Elliott tristate "Zstd" 1162d28fc3dbSNick Terrell select CRYPTO_ALGAPI 1163d28fc3dbSNick Terrell select CRYPTO_ACOMP2 1164d28fc3dbSNick Terrell select ZSTD_COMPRESS 1165d28fc3dbSNick Terrell select ZSTD_DECOMPRESS 1166d28fc3dbSNick Terrell help 1167a9a98d49SRobert Elliott zstd compression algorithm 1168a9a98d49SRobert Elliott 1169a9a98d49SRobert Elliott See https://github.com/facebook/zstd for further information. 1170d28fc3dbSNick Terrell 1171f1f142adSRobert Elliottendmenu 1172f1f142adSRobert Elliott 1173f1f142adSRobert Elliottmenu "Random number generation" 117417f0f4a4SNeil Horman 117517f0f4a4SNeil Hormanconfig CRYPTO_ANSI_CPRNG 1176a9a98d49SRobert Elliott tristate "ANSI PRNG (Pseudo Random Number Generator)" 117717f0f4a4SNeil Horman select CRYPTO_AES 117817f0f4a4SNeil Horman select CRYPTO_RNG 117917f0f4a4SNeil Horman help 1180a9a98d49SRobert Elliott Pseudo RNG (random number generator) (ANSI X9.31 Appendix A.2.4) 1181a9a98d49SRobert Elliott 1182a9a98d49SRobert Elliott This uses the AES cipher algorithm. 1183a9a98d49SRobert Elliott 1184a9a98d49SRobert Elliott Note that this option must be enabled if CRYPTO_FIPS is selected 118517f0f4a4SNeil Horman 1186f2c89a10SHerbert Xumenuconfig CRYPTO_DRBG_MENU 1187a9a98d49SRobert Elliott tristate "NIST SP800-90A DRBG (Deterministic Random Bit Generator)" 1188419090c6SStephan Mueller help 1189a9a98d49SRobert Elliott DRBG (Deterministic Random Bit Generator) (NIST SP800-90A) 1190a9a98d49SRobert Elliott 1191a9a98d49SRobert Elliott In the following submenu, one or more of the DRBG types must be selected. 1192419090c6SStephan Mueller 1193f2c89a10SHerbert Xuif CRYPTO_DRBG_MENU 1194419090c6SStephan Mueller 1195419090c6SStephan Muellerconfig CRYPTO_DRBG_HMAC 1196401e4238SHerbert Xu bool 1197419090c6SStephan Mueller default y 1198419090c6SStephan Mueller select CRYPTO_HMAC 11995261cdf4SStephan Mueller select CRYPTO_SHA512 1200419090c6SStephan Mueller 1201419090c6SStephan Muellerconfig CRYPTO_DRBG_HASH 1202a9a98d49SRobert Elliott bool "Hash_DRBG" 1203826775bbSHerbert Xu select CRYPTO_SHA256 1204419090c6SStephan Mueller help 1205a9a98d49SRobert Elliott Hash_DRBG variant as defined in NIST SP800-90A. 1206a9a98d49SRobert Elliott 1207a9a98d49SRobert Elliott This uses the SHA-1, SHA-256, SHA-384, or SHA-512 hash algorithms. 1208419090c6SStephan Mueller 1209419090c6SStephan Muellerconfig CRYPTO_DRBG_CTR 1210a9a98d49SRobert Elliott bool "CTR_DRBG" 1211419090c6SStephan Mueller select CRYPTO_AES 1212d6fc1a45SCorentin Labbe select CRYPTO_CTR 1213419090c6SStephan Mueller help 1214a9a98d49SRobert Elliott CTR_DRBG variant as defined in NIST SP800-90A. 1215a9a98d49SRobert Elliott 1216a9a98d49SRobert Elliott This uses the AES cipher algorithm with the counter block mode. 1217419090c6SStephan Mueller 1218f2c89a10SHerbert Xuconfig CRYPTO_DRBG 1219f2c89a10SHerbert Xu tristate 1220401e4238SHerbert Xu default CRYPTO_DRBG_MENU 1221f2c89a10SHerbert Xu select CRYPTO_RNG 1222bb5530e4SStephan Mueller select CRYPTO_JITTERENTROPY 1223f2c89a10SHerbert Xu 1224f2c89a10SHerbert Xuendif # if CRYPTO_DRBG_MENU 1225419090c6SStephan Mueller 1226bb5530e4SStephan Muellerconfig CRYPTO_JITTERENTROPY 1227a9a98d49SRobert Elliott tristate "CPU Jitter Non-Deterministic RNG (Random Number Generator)" 12282f313e02SArnd Bergmann select CRYPTO_RNG 1229bb897c55SStephan Müller select CRYPTO_SHA3 1230bb5530e4SStephan Mueller help 1231a9a98d49SRobert Elliott CPU Jitter RNG (Random Number Generator) from the Jitterentropy library 1232a9a98d49SRobert Elliott 1233a9a98d49SRobert Elliott A non-physical non-deterministic ("true") RNG (e.g., an entropy source 1234a9a98d49SRobert Elliott compliant with NIST SP800-90B) intended to provide a seed to a 1235e63df1ecSRandy Dunlap deterministic RNG (e.g., per NIST SP800-90C). 1236a9a98d49SRobert Elliott This RNG does not perform any cryptographic whitening of the generated 1237e63df1ecSRandy Dunlap random numbers. 1238a9a98d49SRobert Elliott 1239e63df1ecSRandy Dunlap See https://www.chronox.de/jent/ 1240bb5530e4SStephan Mueller 1241e7ed6473SHerbert Xuif CRYPTO_JITTERENTROPY 1242e7ed6473SHerbert Xuif CRYPTO_FIPS && EXPERT 1243e7ed6473SHerbert Xu 124459bcfd78SStephan Müllerchoice 124559bcfd78SStephan Müller prompt "CPU Jitter RNG Memory Size" 124659bcfd78SStephan Müller default CRYPTO_JITTERENTROPY_MEMSIZE_2 124759bcfd78SStephan Müller help 124859bcfd78SStephan Müller The Jitter RNG measures the execution time of memory accesses. 124959bcfd78SStephan Müller Multiple consecutive memory accesses are performed. If the memory 125059bcfd78SStephan Müller size fits into a cache (e.g. L1), only the memory access timing 125159bcfd78SStephan Müller to that cache is measured. The closer the cache is to the CPU 125259bcfd78SStephan Müller the less variations are measured and thus the less entropy is 125359bcfd78SStephan Müller obtained. Thus, if the memory size fits into the L1 cache, the 125459bcfd78SStephan Müller obtained entropy is less than if the memory size fits within 125559bcfd78SStephan Müller L1 + L2, which in turn is less if the memory fits into 125659bcfd78SStephan Müller L1 + L2 + L3. Thus, by selecting a different memory size, 125759bcfd78SStephan Müller the entropy rate produced by the Jitter RNG can be modified. 125859bcfd78SStephan Müller 125959bcfd78SStephan Müller config CRYPTO_JITTERENTROPY_MEMSIZE_2 126059bcfd78SStephan Müller bool "2048 Bytes (default)" 126159bcfd78SStephan Müller 126259bcfd78SStephan Müller config CRYPTO_JITTERENTROPY_MEMSIZE_128 126359bcfd78SStephan Müller bool "128 kBytes" 126459bcfd78SStephan Müller 126559bcfd78SStephan Müller config CRYPTO_JITTERENTROPY_MEMSIZE_1024 126659bcfd78SStephan Müller bool "1024 kBytes" 126759bcfd78SStephan Müller 126859bcfd78SStephan Müller config CRYPTO_JITTERENTROPY_MEMSIZE_8192 126959bcfd78SStephan Müller bool "8192 kBytes" 127059bcfd78SStephan Müllerendchoice 127159bcfd78SStephan Müller 127259bcfd78SStephan Müllerconfig CRYPTO_JITTERENTROPY_MEMORY_BLOCKS 127359bcfd78SStephan Müller int 127459bcfd78SStephan Müller default 64 if CRYPTO_JITTERENTROPY_MEMSIZE_2 127559bcfd78SStephan Müller default 512 if CRYPTO_JITTERENTROPY_MEMSIZE_128 127659bcfd78SStephan Müller default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024 127759bcfd78SStephan Müller default 4096 if CRYPTO_JITTERENTROPY_MEMSIZE_8192 127859bcfd78SStephan Müller 127959bcfd78SStephan Müllerconfig CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE 128059bcfd78SStephan Müller int 128159bcfd78SStephan Müller default 32 if CRYPTO_JITTERENTROPY_MEMSIZE_2 128259bcfd78SStephan Müller default 256 if CRYPTO_JITTERENTROPY_MEMSIZE_128 128359bcfd78SStephan Müller default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024 128459bcfd78SStephan Müller default 2048 if CRYPTO_JITTERENTROPY_MEMSIZE_8192 128559bcfd78SStephan Müller 12860baa8fabSStephan Müllerconfig CRYPTO_JITTERENTROPY_OSR 12870baa8fabSStephan Müller int "CPU Jitter RNG Oversampling Rate" 12880baa8fabSStephan Müller range 1 15 128995a798d2SStephan Mueller default 3 12900baa8fabSStephan Müller help 12910baa8fabSStephan Müller The Jitter RNG allows the specification of an oversampling rate (OSR). 12920baa8fabSStephan Müller The Jitter RNG operation requires a fixed amount of timing 12930baa8fabSStephan Müller measurements to produce one output block of random numbers. The 12940baa8fabSStephan Müller OSR value is multiplied with the amount of timing measurements to 12950baa8fabSStephan Müller generate one output block. Thus, the timing measurement is oversampled 12960baa8fabSStephan Müller by the OSR factor. The oversampling allows the Jitter RNG to operate 12970baa8fabSStephan Müller on hardware whose timers deliver limited amount of entropy (e.g. 12980baa8fabSStephan Müller the timer is coarse) by setting the OSR to a higher value. The 12990baa8fabSStephan Müller trade-off, however, is that the Jitter RNG now requires more time 13000baa8fabSStephan Müller to generate random numbers. 13010baa8fabSStephan Müller 130269f1c387SStephan Müllerconfig CRYPTO_JITTERENTROPY_TESTINTERFACE 130369f1c387SStephan Müller bool "CPU Jitter RNG Test Interface" 130469f1c387SStephan Müller help 130569f1c387SStephan Müller The test interface allows a privileged process to capture 130669f1c387SStephan Müller the raw unconditioned high resolution time stamp noise that 130769f1c387SStephan Müller is collected by the Jitter RNG for statistical analysis. As 130869f1c387SStephan Müller this data is used at the same time to generate random bits, 130969f1c387SStephan Müller the Jitter RNG operates in an insecure mode as long as the 131069f1c387SStephan Müller recording is enabled. This interface therefore is only 131169f1c387SStephan Müller intended for testing purposes and is not suitable for 131269f1c387SStephan Müller production systems. 131369f1c387SStephan Müller 131469f1c387SStephan Müller The raw noise data can be obtained using the jent_raw_hires 131569f1c387SStephan Müller debugfs file. Using the option 131669f1c387SStephan Müller jitterentropy_testing.boot_raw_hires_test=1 the raw noise of 131769f1c387SStephan Müller the first 1000 entropy events since boot can be sampled. 131869f1c387SStephan Müller 131969f1c387SStephan Müller If unsure, select N. 132069f1c387SStephan Müller 1321e7ed6473SHerbert Xuendif # if CRYPTO_FIPS && EXPERT 1322e7ed6473SHerbert Xu 1323e7ed6473SHerbert Xuif !(CRYPTO_FIPS && EXPERT) 1324e7ed6473SHerbert Xu 1325e7ed6473SHerbert Xuconfig CRYPTO_JITTERENTROPY_MEMORY_BLOCKS 1326e7ed6473SHerbert Xu int 1327e7ed6473SHerbert Xu default 64 1328e7ed6473SHerbert Xu 1329e7ed6473SHerbert Xuconfig CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE 1330e7ed6473SHerbert Xu int 1331e7ed6473SHerbert Xu default 32 1332e7ed6473SHerbert Xu 1333e7ed6473SHerbert Xuconfig CRYPTO_JITTERENTROPY_OSR 1334e7ed6473SHerbert Xu int 1335e7ed6473SHerbert Xu default 1 1336e7ed6473SHerbert Xu 1337e7ed6473SHerbert Xuconfig CRYPTO_JITTERENTROPY_TESTINTERFACE 1338e7ed6473SHerbert Xu bool 1339e7ed6473SHerbert Xu 1340e7ed6473SHerbert Xuendif # if !(CRYPTO_FIPS && EXPERT) 1341e7ed6473SHerbert Xuendif # if CRYPTO_JITTERENTROPY 1342e7ed6473SHerbert Xu 1343026a733eSStephan Müllerconfig CRYPTO_KDF800108_CTR 1344026a733eSStephan Müller tristate 1345a88592ccSHerbert Xu select CRYPTO_HMAC 1346304b4aceSStephan Müller select CRYPTO_SHA256 1347026a733eSStephan Müller 1348f1f142adSRobert Elliottendmenu 13499bc51715SRobert Elliottmenu "Userspace interface" 1350f1f142adSRobert Elliott 135103c8efc1SHerbert Xuconfig CRYPTO_USER_API 135203c8efc1SHerbert Xu tristate 135303c8efc1SHerbert Xu 1354fe869cdbSHerbert Xuconfig CRYPTO_USER_API_HASH 13559bc51715SRobert Elliott tristate "Hash algorithms" 13567451708fSHerbert Xu depends on NET 1357fe869cdbSHerbert Xu select CRYPTO_HASH 1358fe869cdbSHerbert Xu select CRYPTO_USER_API 1359fe869cdbSHerbert Xu help 13609bc51715SRobert Elliott Enable the userspace interface for hash algorithms. 13619bc51715SRobert Elliott 13629bc51715SRobert Elliott See Documentation/crypto/userspace-if.rst and 13639bc51715SRobert Elliott https://www.chronox.de/libkcapi/html/index.html 1364fe869cdbSHerbert Xu 13658ff59090SHerbert Xuconfig CRYPTO_USER_API_SKCIPHER 13669bc51715SRobert Elliott tristate "Symmetric key cipher algorithms" 13677451708fSHerbert Xu depends on NET 1368b95bba5dSEric Biggers select CRYPTO_SKCIPHER 13698ff59090SHerbert Xu select CRYPTO_USER_API 13708ff59090SHerbert Xu help 13719bc51715SRobert Elliott Enable the userspace interface for symmetric key cipher algorithms. 13729bc51715SRobert Elliott 13739bc51715SRobert Elliott See Documentation/crypto/userspace-if.rst and 13749bc51715SRobert Elliott https://www.chronox.de/libkcapi/html/index.html 13758ff59090SHerbert Xu 13762f375538SStephan Muellerconfig CRYPTO_USER_API_RNG 13779bc51715SRobert Elliott tristate "RNG (random number generator) algorithms" 13782f375538SStephan Mueller depends on NET 13792f375538SStephan Mueller select CRYPTO_RNG 13802f375538SStephan Mueller select CRYPTO_USER_API 13812f375538SStephan Mueller help 13829bc51715SRobert Elliott Enable the userspace interface for RNG (random number generator) 13839bc51715SRobert Elliott algorithms. 13849bc51715SRobert Elliott 13859bc51715SRobert Elliott See Documentation/crypto/userspace-if.rst and 13869bc51715SRobert Elliott https://www.chronox.de/libkcapi/html/index.html 13872f375538SStephan Mueller 138877ebdabeSElena Petrovaconfig CRYPTO_USER_API_RNG_CAVP 138977ebdabeSElena Petrova bool "Enable CAVP testing of DRBG" 139077ebdabeSElena Petrova depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG 139177ebdabeSElena Petrova help 13929bc51715SRobert Elliott Enable extra APIs in the userspace interface for NIST CAVP 13939bc51715SRobert Elliott (Cryptographic Algorithm Validation Program) testing: 13949bc51715SRobert Elliott - resetting DRBG entropy 13959bc51715SRobert Elliott - providing Additional Data 13969bc51715SRobert Elliott 139777ebdabeSElena Petrova This should only be enabled for CAVP testing. You should say 139877ebdabeSElena Petrova no unless you know what this is. 139977ebdabeSElena Petrova 1400b64a2d95SHerbert Xuconfig CRYPTO_USER_API_AEAD 14019bc51715SRobert Elliott tristate "AEAD cipher algorithms" 1402b64a2d95SHerbert Xu depends on NET 1403b64a2d95SHerbert Xu select CRYPTO_AEAD 1404b95bba5dSEric Biggers select CRYPTO_SKCIPHER 1405b64a2d95SHerbert Xu select CRYPTO_USER_API 1406b64a2d95SHerbert Xu help 14079bc51715SRobert Elliott Enable the userspace interface for AEAD cipher algorithms. 14089bc51715SRobert Elliott 14099bc51715SRobert Elliott See Documentation/crypto/userspace-if.rst and 14109bc51715SRobert Elliott https://www.chronox.de/libkcapi/html/index.html 1411b64a2d95SHerbert Xu 14129ace6771SArd Biesheuvelconfig CRYPTO_USER_API_ENABLE_OBSOLETE 14139bc51715SRobert Elliott bool "Obsolete cryptographic algorithms" 14149ace6771SArd Biesheuvel depends on CRYPTO_USER_API 14159ace6771SArd Biesheuvel default y 14169ace6771SArd Biesheuvel help 14179ace6771SArd Biesheuvel Allow obsolete cryptographic algorithms to be selected that have 14189ace6771SArd Biesheuvel already been phased out from internal use by the kernel, and are 14199ace6771SArd Biesheuvel only useful for userspace clients that still rely on them. 14209ace6771SArd Biesheuvel 1421f1f142adSRobert Elliottendmenu 1422f1f142adSRobert Elliott 1423ee08997fSDmitry Kasatkinconfig CRYPTO_HASH_INFO 1424ee08997fSDmitry Kasatkin bool 1425ee08997fSDmitry Kasatkin 142627bc50fcSLinus Torvaldsif !KMSAN # avoid false positives from assembly 14274a329fecSRobert Elliottif ARM 14284a329fecSRobert Elliottsource "arch/arm/crypto/Kconfig" 14294a329fecSRobert Elliottendif 14304a329fecSRobert Elliottif ARM64 14314a329fecSRobert Elliottsource "arch/arm64/crypto/Kconfig" 14324a329fecSRobert Elliottendif 14332f164822SMin Zhouif LOONGARCH 14342f164822SMin Zhousource "arch/loongarch/crypto/Kconfig" 14352f164822SMin Zhouendif 1436e45f710bSRobert Elliottif MIPS 1437e45f710bSRobert Elliottsource "arch/mips/crypto/Kconfig" 1438e45f710bSRobert Elliottendif 14396a490a4eSRobert Elliottif PPC 14406a490a4eSRobert Elliottsource "arch/powerpc/crypto/Kconfig" 14416a490a4eSRobert Elliottendif 1442178f3856SHeiko Stuebnerif RISCV 1443178f3856SHeiko Stuebnersource "arch/riscv/crypto/Kconfig" 1444178f3856SHeiko Stuebnerendif 1445c9d24c97SRobert Elliottif S390 1446c9d24c97SRobert Elliottsource "arch/s390/crypto/Kconfig" 1447c9d24c97SRobert Elliottendif 14480e9f9ea6SRobert Elliottif SPARC 14490e9f9ea6SRobert Elliottsource "arch/sparc/crypto/Kconfig" 14500e9f9ea6SRobert Elliottendif 145128a936efSRobert Elliottif X86 145228a936efSRobert Elliottsource "arch/x86/crypto/Kconfig" 145328a936efSRobert Elliottendif 145427bc50fcSLinus Torvaldsendif 1455e45f710bSRobert Elliott 14561da177e4SLinus Torvaldssource "drivers/crypto/Kconfig" 14578636a1f9SMasahiro Yamadasource "crypto/asymmetric_keys/Kconfig" 14588636a1f9SMasahiro Yamadasource "certs/Kconfig" 14593936f02bSDavid Howellssource "crypto/krb5/Kconfig" 14601da177e4SLinus Torvalds 1461cce9e06dSHerbert Xuendif # if CRYPTO 1462