xref: /linux/crypto/Kconfig (revision 3fd6c59042dbba50391e30862beac979491145fe)
1b2441318SGreg Kroah-Hartman# SPDX-License-Identifier: GPL-2.0
21da177e4SLinus Torvalds#
3685784aaSDan Williams# Generic algorithms support
4685784aaSDan Williams#
5685784aaSDan Williamsconfig XOR_BLOCKS
6685784aaSDan Williams	tristate
7685784aaSDan Williams
8685784aaSDan Williams#
99bc89cd8SDan Williams# async_tx api: hardware offloaded memory transfer/transform support
109bc89cd8SDan Williams#
119bc89cd8SDan Williamssource "crypto/async_tx/Kconfig"
129bc89cd8SDan Williams
139bc89cd8SDan Williams#
141da177e4SLinus Torvalds# Cryptographic API Configuration
151da177e4SLinus Torvalds#
162e290f43SJan Engelhardtmenuconfig CRYPTO
17c3715cb9SSebastian Siewior	tristate "Cryptographic API"
187033b937SEric Biggers	select CRYPTO_LIB_UTILS
191da177e4SLinus Torvalds	help
201da177e4SLinus Torvalds	  This option provides the core Cryptographic API.
211da177e4SLinus Torvalds
22cce9e06dSHerbert Xuif CRYPTO
23cce9e06dSHerbert Xu
24f1f142adSRobert Elliottmenu "Crypto core or helper"
25584fffc8SSebastian Siewior
26ccb778e1SNeil Hormanconfig CRYPTO_FIPS
27ccb778e1SNeil Horman	bool "FIPS 200 compliance"
28f2c89a10SHerbert Xu	depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
291f696097SAlec Ari	depends on (MODULE_SIG || !MODULES)
30ccb778e1SNeil Horman	help
31d99324c2SGeert Uytterhoeven	  This option enables the fips boot option which is
32d99324c2SGeert Uytterhoeven	  required if you want the system to operate in a FIPS 200
33ccb778e1SNeil Horman	  certification.  You should say no unless you know what
34e84c5480SChuck Ebbert	  this is.
35ccb778e1SNeil Horman
365a44749fSVladis Dronovconfig CRYPTO_FIPS_NAME
375a44749fSVladis Dronov	string "FIPS Module Name"
385a44749fSVladis Dronov	default "Linux Kernel Cryptographic API"
395a44749fSVladis Dronov	depends on CRYPTO_FIPS
405a44749fSVladis Dronov	help
415a44749fSVladis Dronov	  This option sets the FIPS Module name reported by the Crypto API via
425a44749fSVladis Dronov	  the /proc/sys/crypto/fips_name file.
435a44749fSVladis Dronov
445a44749fSVladis Dronovconfig CRYPTO_FIPS_CUSTOM_VERSION
455a44749fSVladis Dronov	bool "Use Custom FIPS Module Version"
465a44749fSVladis Dronov	depends on CRYPTO_FIPS
475a44749fSVladis Dronov	default n
485a44749fSVladis Dronov
495a44749fSVladis Dronovconfig CRYPTO_FIPS_VERSION
505a44749fSVladis Dronov	string "FIPS Module Version"
515a44749fSVladis Dronov	default "(none)"
525a44749fSVladis Dronov	depends on CRYPTO_FIPS_CUSTOM_VERSION
535a44749fSVladis Dronov	help
545a44749fSVladis Dronov	  This option provides the ability to override the FIPS Module Version.
555a44749fSVladis Dronov	  By default the KERNELRELEASE value is used.
565a44749fSVladis Dronov
57cce9e06dSHerbert Xuconfig CRYPTO_ALGAPI
58cce9e06dSHerbert Xu	tristate
596a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
60cce9e06dSHerbert Xu	help
61cce9e06dSHerbert Xu	  This option provides the API for cryptographic algorithms.
62cce9e06dSHerbert Xu
636a0fcbb4SHerbert Xuconfig CRYPTO_ALGAPI2
646a0fcbb4SHerbert Xu	tristate
656a0fcbb4SHerbert Xu
661ae97820SHerbert Xuconfig CRYPTO_AEAD
671ae97820SHerbert Xu	tristate
686a0fcbb4SHerbert Xu	select CRYPTO_AEAD2
691ae97820SHerbert Xu	select CRYPTO_ALGAPI
701ae97820SHerbert Xu
716a0fcbb4SHerbert Xuconfig CRYPTO_AEAD2
726a0fcbb4SHerbert Xu	tristate
736a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
746a0fcbb4SHerbert Xu
756cb8815fSHerbert Xuconfig CRYPTO_SIG
766cb8815fSHerbert Xu	tristate
776cb8815fSHerbert Xu	select CRYPTO_SIG2
786cb8815fSHerbert Xu	select CRYPTO_ALGAPI
796cb8815fSHerbert Xu
806cb8815fSHerbert Xuconfig CRYPTO_SIG2
816cb8815fSHerbert Xu	tristate
826cb8815fSHerbert Xu	select CRYPTO_ALGAPI2
836cb8815fSHerbert Xu
84b95bba5dSEric Biggersconfig CRYPTO_SKCIPHER
855cde0af2SHerbert Xu	tristate
86b95bba5dSEric Biggers	select CRYPTO_SKCIPHER2
875cde0af2SHerbert Xu	select CRYPTO_ALGAPI
8884534684SHerbert Xu	select CRYPTO_ECB
896a0fcbb4SHerbert Xu
90b95bba5dSEric Biggersconfig CRYPTO_SKCIPHER2
916a0fcbb4SHerbert Xu	tristate
926a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
935cde0af2SHerbert Xu
94055bcee3SHerbert Xuconfig CRYPTO_HASH
95055bcee3SHerbert Xu	tristate
966a0fcbb4SHerbert Xu	select CRYPTO_HASH2
97055bcee3SHerbert Xu	select CRYPTO_ALGAPI
98055bcee3SHerbert Xu
996a0fcbb4SHerbert Xuconfig CRYPTO_HASH2
1006a0fcbb4SHerbert Xu	tristate
1016a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
1026a0fcbb4SHerbert Xu
10317f0f4a4SNeil Hormanconfig CRYPTO_RNG
10417f0f4a4SNeil Horman	tristate
1056a0fcbb4SHerbert Xu	select CRYPTO_RNG2
10617f0f4a4SNeil Horman	select CRYPTO_ALGAPI
10717f0f4a4SNeil Horman
1086a0fcbb4SHerbert Xuconfig CRYPTO_RNG2
1096a0fcbb4SHerbert Xu	tristate
1106a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
1116a0fcbb4SHerbert Xu
112401e4238SHerbert Xuconfig CRYPTO_RNG_DEFAULT
113401e4238SHerbert Xu	tristate
114401e4238SHerbert Xu	select CRYPTO_DRBG_MENU
115401e4238SHerbert Xu
1163c339ab8STadeusz Strukconfig CRYPTO_AKCIPHER2
1173c339ab8STadeusz Struk	tristate
1183c339ab8STadeusz Struk	select CRYPTO_ALGAPI2
1193c339ab8STadeusz Struk
1203c339ab8STadeusz Strukconfig CRYPTO_AKCIPHER
1213c339ab8STadeusz Struk	tristate
1223c339ab8STadeusz Struk	select CRYPTO_AKCIPHER2
1233c339ab8STadeusz Struk	select CRYPTO_ALGAPI
1243c339ab8STadeusz Struk
1254e5f2c40SSalvatore Benedettoconfig CRYPTO_KPP2
1264e5f2c40SSalvatore Benedetto	tristate
1274e5f2c40SSalvatore Benedetto	select CRYPTO_ALGAPI2
1284e5f2c40SSalvatore Benedetto
1294e5f2c40SSalvatore Benedettoconfig CRYPTO_KPP
1304e5f2c40SSalvatore Benedetto	tristate
1314e5f2c40SSalvatore Benedetto	select CRYPTO_ALGAPI
1324e5f2c40SSalvatore Benedetto	select CRYPTO_KPP2
1334e5f2c40SSalvatore Benedetto
1342ebda74fSGiovanni Cabidduconfig CRYPTO_ACOMP2
1352ebda74fSGiovanni Cabiddu	tristate
1362ebda74fSGiovanni Cabiddu	select CRYPTO_ALGAPI2
1378cd579d2SBart Van Assche	select SGL_ALLOC
1382ebda74fSGiovanni Cabiddu
1392ebda74fSGiovanni Cabidduconfig CRYPTO_ACOMP
1402ebda74fSGiovanni Cabiddu	tristate
1412ebda74fSGiovanni Cabiddu	select CRYPTO_ALGAPI
1422ebda74fSGiovanni Cabiddu	select CRYPTO_ACOMP2
1432ebda74fSGiovanni Cabiddu
1442b8c19dbSHerbert Xuconfig CRYPTO_MANAGER
1452b8c19dbSHerbert Xu	tristate "Cryptographic algorithm manager"
1466a0fcbb4SHerbert Xu	select CRYPTO_MANAGER2
1472b8c19dbSHerbert Xu	help
1482b8c19dbSHerbert Xu	  Create default cryptographic template instantiations such as
1492b8c19dbSHerbert Xu	  cbc(aes).
1502b8c19dbSHerbert Xu
1516a0fcbb4SHerbert Xuconfig CRYPTO_MANAGER2
1526a0fcbb4SHerbert Xu	def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
1532ebda74fSGiovanni Cabiddu	select CRYPTO_ACOMP2
154fb28fabfSHerbert Xu	select CRYPTO_AEAD2
155fb28fabfSHerbert Xu	select CRYPTO_AKCIPHER2
1566cb8815fSHerbert Xu	select CRYPTO_SIG2
157fb28fabfSHerbert Xu	select CRYPTO_HASH2
158fb28fabfSHerbert Xu	select CRYPTO_KPP2
159fb28fabfSHerbert Xu	select CRYPTO_RNG2
160fb28fabfSHerbert Xu	select CRYPTO_SKCIPHER2
1616a0fcbb4SHerbert Xu
162a38f7907SSteffen Klassertconfig CRYPTO_USER
163a38f7907SSteffen Klassert	tristate "Userspace cryptographic algorithm configuration"
1645db017aaSHerbert Xu	depends on NET
165a38f7907SSteffen Klassert	select CRYPTO_MANAGER
166a38f7907SSteffen Klassert	help
167d19978f5SValdis.Kletnieks@vt.edu	  Userspace configuration for cryptographic instantiations such as
168a38f7907SSteffen Klassert	  cbc(aes).
169a38f7907SSteffen Klassert
170326a6346SHerbert Xuconfig CRYPTO_MANAGER_DISABLE_TESTS
171326a6346SHerbert Xu	bool "Disable run-time self tests"
17200ca28a5SHerbert Xu	default y
1730b767f96SAlexander Shishkin	help
174326a6346SHerbert Xu	  Disable run-time self tests that normally take place at
175326a6346SHerbert Xu	  algorithm registration.
1760b767f96SAlexander Shishkin
1775b2706a4SEric Biggersconfig CRYPTO_MANAGER_EXTRA_TESTS
1785b2706a4SEric Biggers	bool "Enable extra run-time crypto self tests"
1796569e309SJason A. Donenfeld	depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER
1805b2706a4SEric Biggers	help
1815b2706a4SEric Biggers	  Enable extra run-time self tests of registered crypto algorithms,
1825b2706a4SEric Biggers	  including randomized fuzz tests.
1835b2706a4SEric Biggers
1845b2706a4SEric Biggers	  This is intended for developer use only, as these tests take much
1855b2706a4SEric Biggers	  longer to run than the normal self tests.
1865b2706a4SEric Biggers
187584fffc8SSebastian Siewiorconfig CRYPTO_NULL
188584fffc8SSebastian Siewior	tristate "Null algorithms"
189149a3971SHerbert Xu	select CRYPTO_NULL2
190584fffc8SSebastian Siewior	help
191584fffc8SSebastian Siewior	  These are 'Null' algorithms, used by IPsec, which do nothing.
192584fffc8SSebastian Siewior
193149a3971SHerbert Xuconfig CRYPTO_NULL2
194dd43c4e9SHerbert Xu	tristate
195149a3971SHerbert Xu	select CRYPTO_ALGAPI2
196b95bba5dSEric Biggers	select CRYPTO_SKCIPHER2
197149a3971SHerbert Xu	select CRYPTO_HASH2
198149a3971SHerbert Xu
1995068c7a8SSteffen Klassertconfig CRYPTO_PCRYPT
2003b4afaf2SKees Cook	tristate "Parallel crypto engine"
2013b4afaf2SKees Cook	depends on SMP
2025068c7a8SSteffen Klassert	select PADATA
2035068c7a8SSteffen Klassert	select CRYPTO_MANAGER
2045068c7a8SSteffen Klassert	select CRYPTO_AEAD
2055068c7a8SSteffen Klassert	help
2065068c7a8SSteffen Klassert	  This converts an arbitrary crypto algorithm into a parallel
2075068c7a8SSteffen Klassert	  algorithm that executes in kernel threads.
2085068c7a8SSteffen Klassert
209584fffc8SSebastian Siewiorconfig CRYPTO_CRYPTD
210584fffc8SSebastian Siewior	tristate "Software async crypto daemon"
211b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
212b8a28251SLoc Ho	select CRYPTO_HASH
213584fffc8SSebastian Siewior	select CRYPTO_MANAGER
214584fffc8SSebastian Siewior	help
215584fffc8SSebastian Siewior	  This is a generic software asynchronous crypto daemon that
216584fffc8SSebastian Siewior	  converts an arbitrary synchronous software crypto algorithm
217584fffc8SSebastian Siewior	  into an asynchronous algorithm that executes in a kernel thread.
218584fffc8SSebastian Siewior
219584fffc8SSebastian Siewiorconfig CRYPTO_AUTHENC
220584fffc8SSebastian Siewior	tristate "Authenc support"
221584fffc8SSebastian Siewior	select CRYPTO_AEAD
222b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
223584fffc8SSebastian Siewior	select CRYPTO_MANAGER
224584fffc8SSebastian Siewior	select CRYPTO_HASH
225e94c6a7aSHerbert Xu	select CRYPTO_NULL
226584fffc8SSebastian Siewior	help
227584fffc8SSebastian Siewior	  Authenc: Combined mode wrapper for IPsec.
228cf514b2aSRobert Elliott
229cf514b2aSRobert Elliott	  This is required for IPSec ESP (XFRM_ESP).
230584fffc8SSebastian Siewior
231584fffc8SSebastian Siewiorconfig CRYPTO_TEST
232584fffc8SSebastian Siewior	tristate "Testing module"
23300ea27f1SArd Biesheuvel	depends on m || EXPERT
234da7f033dSHerbert Xu	select CRYPTO_MANAGER
235584fffc8SSebastian Siewior	help
236584fffc8SSebastian Siewior	  Quick & dirty crypto test module.
237584fffc8SSebastian Siewior
238266d0516SHerbert Xuconfig CRYPTO_SIMD
239266d0516SHerbert Xu	tristate
240266d0516SHerbert Xu	select CRYPTO_CRYPTD
241266d0516SHerbert Xu
242735d37b5SBaolin Wangconfig CRYPTO_ENGINE
243735d37b5SBaolin Wang	tristate
244735d37b5SBaolin Wang
245f1f142adSRobert Elliottendmenu
246f1f142adSRobert Elliott
247f1f142adSRobert Elliottmenu "Public-key cryptography"
2483d6228a5SVitaly Chikunov
2493d6228a5SVitaly Chikunovconfig CRYPTO_RSA
25005b37465SRobert Elliott	tristate "RSA (Rivest-Shamir-Adleman)"
2513d6228a5SVitaly Chikunov	select CRYPTO_AKCIPHER
2523d6228a5SVitaly Chikunov	select CRYPTO_MANAGER
2533d6228a5SVitaly Chikunov	select CRYPTO_SIG
2543d6228a5SVitaly Chikunov	select MPILIB
2553d6228a5SVitaly Chikunov	select ASN1
25605b37465SRobert Elliott	help
2573d6228a5SVitaly Chikunov	  RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017)
2583d6228a5SVitaly Chikunov
25905b37465SRobert Elliottconfig CRYPTO_DH
2603d6228a5SVitaly Chikunov	tristate "DH (Diffie-Hellman)"
2613d6228a5SVitaly Chikunov	select CRYPTO_KPP
2623d6228a5SVitaly Chikunov	select MPILIB
26305b37465SRobert Elliott	help
2643d6228a5SVitaly Chikunov	  DH (Diffie-Hellman) key exchange algorithm
2657dce5981SNicolai Stange
26605b37465SRobert Elliottconfig CRYPTO_DH_RFC7919_GROUPS
2677dce5981SNicolai Stange	bool "RFC 7919 FFDHE groups"
2681e207964SNicolai Stange	depends on CRYPTO_DH
2697dce5981SNicolai Stange	select CRYPTO_RNG_DEFAULT
27005b37465SRobert Elliott	help
27105b37465SRobert Elliott	  FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups
27205b37465SRobert Elliott	  defined in RFC7919.
27305b37465SRobert Elliott
27405b37465SRobert Elliott	  Support these finite-field groups in DH key exchanges:
27505b37465SRobert Elliott	  - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
27605b37465SRobert Elliott
2777dce5981SNicolai Stange	  If unsure, say N.
2784a2289daSVitaly Chikunov
2794a2289daSVitaly Chikunovconfig CRYPTO_ECC
28038aa192aSArnd Bergmann	tristate
2814a2289daSVitaly Chikunov	select CRYPTO_RNG_DEFAULT
2823d6228a5SVitaly Chikunov
28305b37465SRobert Elliottconfig CRYPTO_ECDH
2844a2289daSVitaly Chikunov	tristate "ECDH (Elliptic Curve Diffie-Hellman)"
2853d6228a5SVitaly Chikunov	select CRYPTO_ECC
2863d6228a5SVitaly Chikunov	select CRYPTO_KPP
28705b37465SRobert Elliott	help
28805b37465SRobert Elliott	  ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm
2893d6228a5SVitaly Chikunov	  using curves P-192, P-256, and P-384 (FIPS 186)
2904e660291SStefan Berger
29105b37465SRobert Elliottconfig CRYPTO_ECDSA
2924e660291SStefan Berger	tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)"
2934e660291SStefan Berger	select CRYPTO_ECC
2944e660291SStefan Berger	select CRYPTO_SIG
2954e660291SStefan Berger	select ASN1
29605b37465SRobert Elliott	help
29705b37465SRobert Elliott	  ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186,
29805b37465SRobert Elliott	  ISO/IEC 14888-3)
29905b37465SRobert Elliott	  using curves P-192, P-256, P-384 and P-521
30005b37465SRobert Elliott
3014e660291SStefan Berger	  Only signature verification is implemented.
3020d7a7864SVitaly Chikunov
30305b37465SRobert Elliottconfig CRYPTO_ECRDSA
3040d7a7864SVitaly Chikunov	tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)"
3050d7a7864SVitaly Chikunov	select CRYPTO_ECC
3060d7a7864SVitaly Chikunov	select CRYPTO_SIG
3071036633eSVitaly Chikunov	select CRYPTO_STREEBOG
3081036633eSVitaly Chikunov	select OID_REGISTRY
3090d7a7864SVitaly Chikunov	select ASN1
3100d7a7864SVitaly Chikunov	help
31105b37465SRobert Elliott	  Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
31205b37465SRobert Elliott	  RFC 7091, ISO/IEC 14888-3)
31305b37465SRobert Elliott
31405b37465SRobert Elliott	  One of the Russian cryptographic standard algorithms (called GOST
3150d7a7864SVitaly Chikunov	  algorithms). Only signature verification is implemented.
316ee772cb6SArd Biesheuvel
31705b37465SRobert Elliottconfig CRYPTO_CURVE25519
318ee772cb6SArd Biesheuvel	tristate "Curve25519"
319ee772cb6SArd Biesheuvel	select CRYPTO_KPP
32005b37465SRobert Elliott	select CRYPTO_LIB_CURVE25519_GENERIC
32105b37465SRobert Elliott	help
322ee772cb6SArd Biesheuvel	  Curve25519 elliptic curve (RFC7748)
323f1f142adSRobert Elliott
324584fffc8SSebastian Siewiorendmenu
325f1f142adSRobert Elliott
3261da177e4SLinus Torvaldsmenu "Block ciphers"
3271da177e4SLinus Torvalds
328cf514b2aSRobert Elliottconfig CRYPTO_AES
329cce9e06dSHerbert Xu	tristate "AES (Advanced Encryption Standard)"
3305bb12d78SArd Biesheuvel	select CRYPTO_ALGAPI
3311da177e4SLinus Torvalds	select CRYPTO_LIB_AES
332cf514b2aSRobert Elliott	help
3331da177e4SLinus Torvalds	  AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
3341da177e4SLinus Torvalds
3351da177e4SLinus Torvalds	  Rijndael appears to be consistently a very good performer in
3361da177e4SLinus Torvalds	  both hardware and software across a wide range of computing
3371da177e4SLinus Torvalds	  environments regardless of its use in feedback or non-feedback
3381da177e4SLinus Torvalds	  modes. Its key setup time is excellent, and its key agility is
3391da177e4SLinus Torvalds	  good. Rijndael's very low memory requirements make it very well
3401da177e4SLinus Torvalds	  suited for restricted-space environments, in which it also
3411da177e4SLinus Torvalds	  demonstrates excellent performance. Rijndael's operations are
3421da177e4SLinus Torvalds	  among the easiest to defend against power and timing attacks.
3431da177e4SLinus Torvalds
3441da177e4SLinus Torvalds	  The AES specifies three key sizes: 128, 192 and 256 bits
345b5e0b032SArd Biesheuvel
346cf514b2aSRobert Elliottconfig CRYPTO_AES_TI
347b5e0b032SArd Biesheuvel	tristate "AES (Advanced Encryption Standard) (fixed time)"
348e59c1c98SArd Biesheuvel	select CRYPTO_ALGAPI
349b5e0b032SArd Biesheuvel	select CRYPTO_LIB_AES
350cf514b2aSRobert Elliott	help
351cf514b2aSRobert Elliott	  AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
352b5e0b032SArd Biesheuvel
353b5e0b032SArd Biesheuvel	  This is a generic implementation of AES that attempts to eliminate
354b5e0b032SArd Biesheuvel	  data dependent latencies as much as possible without affecting
355b5e0b032SArd Biesheuvel	  performance too much. It is intended for use by the generic CCM
356b5e0b032SArd Biesheuvel	  and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
357b5e0b032SArd Biesheuvel	  solely on encryption (although decryption is supported as well, but
358b5e0b032SArd Biesheuvel	  with a more dramatic performance hit)
359b5e0b032SArd Biesheuvel
360b5e0b032SArd Biesheuvel	  Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
361b5e0b032SArd Biesheuvel	  8 for decryption), this implementation only uses just two S-boxes of
362b5e0b032SArd Biesheuvel	  256 bytes each, and attempts to eliminate data dependent latencies by
3630a6a40c2SEric Biggers	  prefetching the entire table into the cache at the start of each
3640a6a40c2SEric Biggers	  block. Interrupts are also disabled to avoid races where cachelines
365b5e0b032SArd Biesheuvel	  are evicted when the CPU is interrupted to do something else.
3661da177e4SLinus Torvalds
367cf514b2aSRobert Elliottconfig CRYPTO_ANUBIS
3681674aea5SArd Biesheuvel	tristate "Anubis"
369cce9e06dSHerbert Xu	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
3701da177e4SLinus Torvalds	select CRYPTO_ALGAPI
371cf514b2aSRobert Elliott	help
3721da177e4SLinus Torvalds	  Anubis cipher algorithm
3731da177e4SLinus Torvalds
3741da177e4SLinus Torvalds	  Anubis is a variable key length cipher which can use keys from
3751da177e4SLinus Torvalds	  128 bits to 320 bits in length.  It was evaluated as a entrant
3761da177e4SLinus Torvalds	  in the NESSIE competition.
377cf514b2aSRobert Elliott
378cf514b2aSRobert Elliott	  See https://web.archive.org/web/20160606112246/http://www.larc.usp.br/~pbarreto/AnubisPage.html
3791da177e4SLinus Torvalds	  for further information.
380f1f142adSRobert Elliott
381cf514b2aSRobert Elliottconfig CRYPTO_ARIA
382f1f142adSRobert Elliott	tristate "ARIA"
383e2ee95b8SHye-Shik Chang	select CRYPTO_ALGAPI
384cf514b2aSRobert Elliott	help
385e2ee95b8SHye-Shik Chang	  ARIA cipher algorithm (RFC5794)
386f1f142adSRobert Elliott
387f1f142adSRobert Elliott	  ARIA is a standard encryption algorithm of the Republic of Korea.
388f1f142adSRobert Elliott	  The ARIA specifies three key sizes and rounds.
389f1f142adSRobert Elliott	  128-bit: 12 rounds.
390f1f142adSRobert Elliott	  192-bit: 14 rounds.
391f1f142adSRobert Elliott	  256-bit: 16 rounds.
392cf514b2aSRobert Elliott
393cf514b2aSRobert Elliott	  See:
394584fffc8SSebastian Siewior	  https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do
395584fffc8SSebastian Siewior
396cf514b2aSRobert Elliottconfig CRYPTO_BLOWFISH
397584fffc8SSebastian Siewior	tristate "Blowfish"
39852ba867cSJussi Kivilinna	select CRYPTO_ALGAPI
399584fffc8SSebastian Siewior	select CRYPTO_BLOWFISH_COMMON
400cf514b2aSRobert Elliott	help
401584fffc8SSebastian Siewior	  Blowfish cipher algorithm, by Bruce Schneier
402584fffc8SSebastian Siewior
403584fffc8SSebastian Siewior	  This is a variable key length cipher which can use keys from 32
404584fffc8SSebastian Siewior	  bits to 448 bits in length.  It's fast, simple and specifically
405e2ee95b8SHye-Shik Chang	  designed for use on "large microprocessors".
406cf514b2aSRobert Elliott
407584fffc8SSebastian Siewior	  See https://www.schneier.com/blowfish.html for further information.
40852ba867cSJussi Kivilinna
40952ba867cSJussi Kivilinnaconfig CRYPTO_BLOWFISH_COMMON
41052ba867cSJussi Kivilinna	tristate
41152ba867cSJussi Kivilinna	help
41252ba867cSJussi Kivilinna	  Common parts of the Blowfish cipher algorithm shared by the
41352ba867cSJussi Kivilinna	  generic c and the assembler implementations.
414584fffc8SSebastian Siewior
415cf514b2aSRobert Elliottconfig CRYPTO_CAMELLIA
416584fffc8SSebastian Siewior	tristate "Camellia"
417584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
418cf514b2aSRobert Elliott	help
419584fffc8SSebastian Siewior	  Camellia cipher algorithms (ISO/IEC 18033-3)
420584fffc8SSebastian Siewior
421584fffc8SSebastian Siewior	  Camellia is a symmetric key block cipher developed jointly
422584fffc8SSebastian Siewior	  at NTT and Mitsubishi Electric Corporation.
423584fffc8SSebastian Siewior
424584fffc8SSebastian Siewior	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
425cf514b2aSRobert Elliott
426584fffc8SSebastian Siewior	  See https://info.isl.ntt.co.jp/crypt/eng/camellia/ for further information.
427044ab525SJussi Kivilinna
428044ab525SJussi Kivilinnaconfig CRYPTO_CAST_COMMON
429044ab525SJussi Kivilinna	tristate
430044ab525SJussi Kivilinna	help
431044ab525SJussi Kivilinna	  Common parts of the CAST cipher algorithms shared by the
432044ab525SJussi Kivilinna	  generic c and the assembler implementations.
433584fffc8SSebastian Siewior
434cf514b2aSRobert Elliottconfig CRYPTO_CAST5
435584fffc8SSebastian Siewior	tristate "CAST5 (CAST-128)"
436044ab525SJussi Kivilinna	select CRYPTO_ALGAPI
437584fffc8SSebastian Siewior	select CRYPTO_CAST_COMMON
438cf514b2aSRobert Elliott	help
439584fffc8SSebastian Siewior	  CAST5 (CAST-128) cipher algorithm (RFC2144, ISO/IEC 18033-3)
440584fffc8SSebastian Siewior
441cf514b2aSRobert Elliottconfig CRYPTO_CAST6
442584fffc8SSebastian Siewior	tristate "CAST6 (CAST-256)"
443044ab525SJussi Kivilinna	select CRYPTO_ALGAPI
444584fffc8SSebastian Siewior	select CRYPTO_CAST_COMMON
445cf514b2aSRobert Elliott	help
446584fffc8SSebastian Siewior	  CAST6 (CAST-256) encryption algorithm (RFC2612)
447584fffc8SSebastian Siewior
448cf514b2aSRobert Elliottconfig CRYPTO_DES
449584fffc8SSebastian Siewior	tristate "DES and Triple DES EDE"
45004007b0eSArd Biesheuvel	select CRYPTO_ALGAPI
451584fffc8SSebastian Siewior	select CRYPTO_LIB_DES
452cf514b2aSRobert Elliott	help
453cf514b2aSRobert Elliott	  DES (Data Encryption Standard)(FIPS 46-2, ISO/IEC 18033-3) and
454cf514b2aSRobert Elliott	  Triple DES EDE (Encrypt/Decrypt/Encrypt) (FIPS 46-3, ISO/IEC 18033-3)
455584fffc8SSebastian Siewior	  cipher algorithms
456584fffc8SSebastian Siewior
457cf514b2aSRobert Elliottconfig CRYPTO_FCRYPT
458584fffc8SSebastian Siewior	tristate "FCrypt"
459b95bba5dSEric Biggers	select CRYPTO_ALGAPI
460584fffc8SSebastian Siewior	select CRYPTO_SKCIPHER
461cf514b2aSRobert Elliott	help
462cf514b2aSRobert Elliott	  FCrypt algorithm used by RxRPC
463cf514b2aSRobert Elliott
464584fffc8SSebastian Siewior	  See https://ota.polyonymo.us/fcrypt-paper.txt
465584fffc8SSebastian Siewior
466cf514b2aSRobert Elliottconfig CRYPTO_KHAZAD
4671674aea5SArd Biesheuvel	tristate "Khazad"
468584fffc8SSebastian Siewior	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
469584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
470cf514b2aSRobert Elliott	help
471584fffc8SSebastian Siewior	  Khazad cipher algorithm
472584fffc8SSebastian Siewior
473584fffc8SSebastian Siewior	  Khazad was a finalist in the initial NESSIE competition.  It is
474584fffc8SSebastian Siewior	  an algorithm optimized for 64-bit processors with good performance
475584fffc8SSebastian Siewior	  on 32-bit processors.  Khazad uses an 128 bit key size.
476cf514b2aSRobert Elliott
477cf514b2aSRobert Elliott	  See https://web.archive.org/web/20171011071731/http://www.larc.usp.br/~pbarreto/KhazadPage.html
478e2ee95b8SHye-Shik Chang	  for further information.
479584fffc8SSebastian Siewior
480cf514b2aSRobert Elliottconfig CRYPTO_SEED
4811674aea5SArd Biesheuvel	tristate "SEED"
482584fffc8SSebastian Siewior	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
483584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
484cf514b2aSRobert Elliott	help
485584fffc8SSebastian Siewior	  SEED cipher algorithm (RFC4269, ISO/IEC 18033-3)
486584fffc8SSebastian Siewior
487584fffc8SSebastian Siewior	  SEED is a 128-bit symmetric key block cipher that has been
488584fffc8SSebastian Siewior	  developed by KISA (Korea Information Security Agency) as a
489584fffc8SSebastian Siewior	  national standard encryption algorithm of the Republic of Korea.
490584fffc8SSebastian Siewior	  It is a 16 round block cipher with the key size of 128 bit.
491cf514b2aSRobert Elliott
492cf514b2aSRobert Elliott	  See https://seed.kisa.or.kr/kisa/algorithm/EgovSeedInfo.do
493584fffc8SSebastian Siewior	  for further information.
494584fffc8SSebastian Siewior
495cf514b2aSRobert Elliottconfig CRYPTO_SERPENT
496584fffc8SSebastian Siewior	tristate "Serpent"
497584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
498cf514b2aSRobert Elliott	help
499584fffc8SSebastian Siewior	  Serpent cipher algorithm, by Anderson, Biham & Knudsen
500584fffc8SSebastian Siewior
501784506a1SArd Biesheuvel	  Keys are allowed to be from 0 to 256 bits in length, in steps
502584fffc8SSebastian Siewior	  of 8 bits.
503cf514b2aSRobert Elliott
504584fffc8SSebastian Siewior	  See https://www.cl.cam.ac.uk/~rja14/serpent.html for further information.
505747c8ce4SGilad Ben-Yossef
506d2825fa9SJason A. Donenfeldconfig CRYPTO_SM4
507d2825fa9SJason A. Donenfeld	tristate
508d2825fa9SJason A. Donenfeld
509cf514b2aSRobert Elliottconfig CRYPTO_SM4_GENERIC
510747c8ce4SGilad Ben-Yossef	tristate "SM4 (ShangMi 4)"
511d2825fa9SJason A. Donenfeld	select CRYPTO_ALGAPI
512747c8ce4SGilad Ben-Yossef	select CRYPTO_SM4
513cf514b2aSRobert Elliott	help
514cf514b2aSRobert Elliott	  SM4 cipher algorithms (OSCCA GB/T 32907-2016,
515747c8ce4SGilad Ben-Yossef	  ISO/IEC 18033-3:2010/Amd 1:2021)
516747c8ce4SGilad Ben-Yossef
517747c8ce4SGilad Ben-Yossef	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
518747c8ce4SGilad Ben-Yossef	  Organization of State Commercial Administration of China (OSCCA)
519747c8ce4SGilad Ben-Yossef	  as an authorized cryptographic algorithms for the use within China.
520747c8ce4SGilad Ben-Yossef
521747c8ce4SGilad Ben-Yossef	  SMS4 was originally created for use in protecting wireless
522747c8ce4SGilad Ben-Yossef	  networks, and is mandated in the Chinese National Standard for
523747c8ce4SGilad Ben-Yossef	  Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
524747c8ce4SGilad Ben-Yossef	  (GB.15629.11-2003).
525747c8ce4SGilad Ben-Yossef
526747c8ce4SGilad Ben-Yossef	  The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
527747c8ce4SGilad Ben-Yossef	  standardized through TC 260 of the Standardization Administration
528747c8ce4SGilad Ben-Yossef	  of the People's Republic of China (SAC).
529747c8ce4SGilad Ben-Yossef
530747c8ce4SGilad Ben-Yossef	  The input, output, and key of SMS4 are each 128 bits.
531cf514b2aSRobert Elliott
532747c8ce4SGilad Ben-Yossef	  See https://eprint.iacr.org/2008/329.pdf for further information.
533747c8ce4SGilad Ben-Yossef
534747c8ce4SGilad Ben-Yossef	  If unsure, say N.
535584fffc8SSebastian Siewior
536cf514b2aSRobert Elliottconfig CRYPTO_TEA
5371674aea5SArd Biesheuvel	tristate "TEA, XTEA and XETA"
538584fffc8SSebastian Siewior	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
539584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
540cf514b2aSRobert Elliott	help
541584fffc8SSebastian Siewior	  TEA (Tiny Encryption Algorithm) cipher algorithms
542584fffc8SSebastian Siewior
543584fffc8SSebastian Siewior	  Tiny Encryption Algorithm is a simple cipher that uses
544584fffc8SSebastian Siewior	  many rounds for security.  It is very fast and uses
545584fffc8SSebastian Siewior	  little memory.
546584fffc8SSebastian Siewior
547584fffc8SSebastian Siewior	  Xtendend Tiny Encryption Algorithm is a modification to
548584fffc8SSebastian Siewior	  the TEA algorithm to address a potential key weakness
549584fffc8SSebastian Siewior	  in the TEA algorithm.
550584fffc8SSebastian Siewior
551584fffc8SSebastian Siewior	  Xtendend Encryption Tiny Algorithm is a mis-implementation
552584fffc8SSebastian Siewior	  of the XTEA algorithm for compatibility purposes.
553584fffc8SSebastian Siewior
554cf514b2aSRobert Elliottconfig CRYPTO_TWOFISH
555584fffc8SSebastian Siewior	tristate "Twofish"
556584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
557584fffc8SSebastian Siewior	select CRYPTO_TWOFISH_COMMON
558cf514b2aSRobert Elliott	help
559584fffc8SSebastian Siewior	  Twofish cipher algorithm
560584fffc8SSebastian Siewior
561584fffc8SSebastian Siewior	  Twofish was submitted as an AES (Advanced Encryption Standard)
562584fffc8SSebastian Siewior	  candidate cipher by researchers at CounterPane Systems.  It is a
563584fffc8SSebastian Siewior	  16 round block cipher supporting key sizes of 128, 192, and 256
564584fffc8SSebastian Siewior	  bits.
565cf514b2aSRobert Elliott
566584fffc8SSebastian Siewior	  See https://www.schneier.com/twofish.html for further information.
567584fffc8SSebastian Siewior
568584fffc8SSebastian Siewiorconfig CRYPTO_TWOFISH_COMMON
569584fffc8SSebastian Siewior	tristate
570584fffc8SSebastian Siewior	help
571584fffc8SSebastian Siewior	  Common parts of the Twofish cipher algorithm shared by the
572584fffc8SSebastian Siewior	  generic c and the assembler implementations.
573f1f142adSRobert Elliott
574f1f142adSRobert Elliottendmenu
575f1f142adSRobert Elliott
576f1f142adSRobert Elliottmenu "Length-preserving ciphers and modes"
577f1f142adSRobert Elliott
578cf514b2aSRobert Elliottconfig CRYPTO_ADIANTUM
579f1f142adSRobert Elliott	tristate "Adiantum"
580f1f142adSRobert Elliott	select CRYPTO_CHACHA20
581f1f142adSRobert Elliott	select CRYPTO_LIB_POLY1305_GENERIC
582f1f142adSRobert Elliott	select CRYPTO_NHPOLY1305
583f1f142adSRobert Elliott	select CRYPTO_MANAGER
584cf514b2aSRobert Elliott	help
585cf514b2aSRobert Elliott	  Adiantum tweakable, length-preserving encryption mode
586cf514b2aSRobert Elliott
587f1f142adSRobert Elliott	  Designed for fast and secure disk encryption, especially on
588f1f142adSRobert Elliott	  CPUs without dedicated crypto instructions.  It encrypts
589f1f142adSRobert Elliott	  each sector using the XChaCha12 stream cipher, two passes of
590f1f142adSRobert Elliott	  an ε-almost-∆-universal hash function, and an invocation of
591f1f142adSRobert Elliott	  the AES-256 block cipher on a single 16-byte block.  On CPUs
592f1f142adSRobert Elliott	  without AES instructions, Adiantum is much faster than
593f1f142adSRobert Elliott	  AES-XTS.
594f1f142adSRobert Elliott
595f1f142adSRobert Elliott	  Adiantum's security is provably reducible to that of its
596f1f142adSRobert Elliott	  underlying stream and block ciphers, subject to a security
597f1f142adSRobert Elliott	  bound.  Unlike XTS, Adiantum is a true wide-block encryption
598f1f142adSRobert Elliott	  mode, so it actually provides an even stronger notion of
599f1f142adSRobert Elliott	  security than XTS, subject to the security bound.
600f1f142adSRobert Elliott
601f1f142adSRobert Elliott	  If unsure, say N.
602f1f142adSRobert Elliott
603cf514b2aSRobert Elliottconfig CRYPTO_ARC4
604f1f142adSRobert Elliott	tristate "ARC4 (Alleged Rivest Cipher 4)"
605f1f142adSRobert Elliott	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
606f1f142adSRobert Elliott	select CRYPTO_SKCIPHER
607f1f142adSRobert Elliott	select CRYPTO_LIB_ARC4
608cf514b2aSRobert Elliott	help
609f1f142adSRobert Elliott	  ARC4 cipher algorithm
610f1f142adSRobert Elliott
611f1f142adSRobert Elliott	  ARC4 is a stream cipher using keys ranging from 8 bits to 2048
612f1f142adSRobert Elliott	  bits in length.  This algorithm is required for driver-based
613f1f142adSRobert Elliott	  WEP, but it should not be for other purposes because of the
614f1f142adSRobert Elliott	  weakness of the algorithm.
615f1f142adSRobert Elliott
616cf514b2aSRobert Elliottconfig CRYPTO_CHACHA20
617f1f142adSRobert Elliott	tristate "ChaCha"
618f1f142adSRobert Elliott	select CRYPTO_LIB_CHACHA_GENERIC
619f1f142adSRobert Elliott	select CRYPTO_SKCIPHER
620cf514b2aSRobert Elliott	help
621f1f142adSRobert Elliott	  The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms
622f1f142adSRobert Elliott
623f1f142adSRobert Elliott	  ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
624cf514b2aSRobert Elliott	  Bernstein and further specified in RFC7539 for use in IETF protocols.
625cf514b2aSRobert Elliott	  This is the portable C implementation of ChaCha20.  See
626f1f142adSRobert Elliott	  https://cr.yp.to/chacha/chacha-20080128.pdf for further information.
627f1f142adSRobert Elliott
628f1f142adSRobert Elliott	  XChaCha20 is the application of the XSalsa20 construction to ChaCha20
629f1f142adSRobert Elliott	  rather than to Salsa20.  XChaCha20 extends ChaCha20's nonce length
630cf514b2aSRobert Elliott	  from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
631cf514b2aSRobert Elliott	  while provably retaining ChaCha20's security.  See
632f1f142adSRobert Elliott	  https://cr.yp.to/snuffle/xsalsa-20081128.pdf for further information.
633f1f142adSRobert Elliott
634f1f142adSRobert Elliott	  XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
635f1f142adSRobert Elliott	  reduced security margin but increased performance.  It can be needed
636f1f142adSRobert Elliott	  in some performance-sensitive scenarios.
637f1f142adSRobert Elliott
638cf514b2aSRobert Elliottconfig CRYPTO_CBC
639f1f142adSRobert Elliott	tristate "CBC (Cipher Block Chaining)"
640f1f142adSRobert Elliott	select CRYPTO_SKCIPHER
641f1f142adSRobert Elliott	select CRYPTO_MANAGER
642cf514b2aSRobert Elliott	help
643cf514b2aSRobert Elliott	  CBC (Cipher Block Chaining) mode (NIST SP800-38A)
644cf514b2aSRobert Elliott
645f1f142adSRobert Elliott	  This block cipher mode is required for IPSec ESP (XFRM_ESP).
646f1f142adSRobert Elliott
647cf514b2aSRobert Elliottconfig CRYPTO_CTR
648f1f142adSRobert Elliott	tristate "CTR (Counter)"
649f1f142adSRobert Elliott	select CRYPTO_SKCIPHER
650f1f142adSRobert Elliott	select CRYPTO_MANAGER
651cf514b2aSRobert Elliott	help
652f1f142adSRobert Elliott	  CTR (Counter) mode (NIST SP800-38A)
653f1f142adSRobert Elliott
654cf514b2aSRobert Elliottconfig CRYPTO_CTS
655f1f142adSRobert Elliott	tristate "CTS (Cipher Text Stealing)"
656f1f142adSRobert Elliott	select CRYPTO_SKCIPHER
657f1f142adSRobert Elliott	select CRYPTO_MANAGER
658cf514b2aSRobert Elliott	help
659cf514b2aSRobert Elliott	  CBC-CS3 variant of CTS (Cipher Text Stealing) (NIST
660cf514b2aSRobert Elliott	  Addendum to SP800-38A (October 2010))
661f1f142adSRobert Elliott
662f1f142adSRobert Elliott	  This mode is required for Kerberos gss mechanism support
663f1f142adSRobert Elliott	  for AES encryption.
664f1f142adSRobert Elliott
665cf514b2aSRobert Elliottconfig CRYPTO_ECB
66684534684SHerbert Xu	tristate "ECB (Electronic Codebook)"
667f1f142adSRobert Elliott	select CRYPTO_SKCIPHER2
668f1f142adSRobert Elliott	select CRYPTO_MANAGER
669cf514b2aSRobert Elliott	help
670f1f142adSRobert Elliott	  ECB (Electronic Codebook) mode (NIST SP800-38A)
671f1f142adSRobert Elliott
672cf514b2aSRobert Elliottconfig CRYPTO_HCTR2
673f1f142adSRobert Elliott	tristate "HCTR2"
674f1f142adSRobert Elliott	select CRYPTO_XCTR
675f1f142adSRobert Elliott	select CRYPTO_POLYVAL
676f1f142adSRobert Elliott	select CRYPTO_MANAGER
677cf514b2aSRobert Elliott	help
678cf514b2aSRobert Elliott	  HCTR2 length-preserving encryption mode
679cf514b2aSRobert Elliott
680cf514b2aSRobert Elliott	  A mode for storage encryption that is efficient on processors with
681cf514b2aSRobert Elliott	  instructions to accelerate AES and carryless multiplication, e.g.
682cf514b2aSRobert Elliott	  x86 processors with AES-NI and CLMUL, and ARM processors with the
683cf514b2aSRobert Elliott	  ARMv8 crypto extensions.
684cf514b2aSRobert Elliott
685f1f142adSRobert Elliott	  See https://eprint.iacr.org/2021/1441
686f1f142adSRobert Elliott
687cf514b2aSRobert Elliottconfig CRYPTO_KEYWRAP
688f1f142adSRobert Elliott	tristate "KW (AES Key Wrap)"
689f1f142adSRobert Elliott	select CRYPTO_SKCIPHER
690f1f142adSRobert Elliott	select CRYPTO_MANAGER
691cf514b2aSRobert Elliott	help
692cf514b2aSRobert Elliott	  KW (AES Key Wrap) authenticated encryption mode (NIST SP800-38F
693f1f142adSRobert Elliott	  and RFC3394) without padding.
694f1f142adSRobert Elliott
695cf514b2aSRobert Elliottconfig CRYPTO_LRW
69661c581a4SArd Biesheuvel	tristate "LRW (Liskov Rivest Wagner)"
697f1f142adSRobert Elliott	select CRYPTO_LIB_GF128MUL
698f1f142adSRobert Elliott	select CRYPTO_SKCIPHER
699f1f142adSRobert Elliott	select CRYPTO_MANAGER
700f1f142adSRobert Elliott	select CRYPTO_ECB
701cf514b2aSRobert Elliott	help
702cf514b2aSRobert Elliott	  LRW (Liskov Rivest Wagner) mode
703cf514b2aSRobert Elliott
704f1f142adSRobert Elliott	  A tweakable, non malleable, non movable
705f1f142adSRobert Elliott	  narrow block cipher mode for dm-crypt.  Use it with cipher
706f1f142adSRobert Elliott	  specification string aes-lrw-benbi, the key must be 256, 320 or 384.
707f1f142adSRobert Elliott	  The first 128, 192 or 256 bits in the key are used for AES and the
708f1f142adSRobert Elliott	  rest is used to tie each cipher block to its logical position.
709cf514b2aSRobert Elliott
710cf514b2aSRobert Elliott	  See https://people.csail.mit.edu/rivest/pubs/LRW02.pdf
711f1f142adSRobert Elliott
712cf514b2aSRobert Elliottconfig CRYPTO_PCBC
713f1f142adSRobert Elliott	tristate "PCBC (Propagating Cipher Block Chaining)"
714f1f142adSRobert Elliott	select CRYPTO_SKCIPHER
715f1f142adSRobert Elliott	select CRYPTO_MANAGER
716cf514b2aSRobert Elliott	help
717cf514b2aSRobert Elliott	  PCBC (Propagating Cipher Block Chaining) mode
718cf514b2aSRobert Elliott
719f1f142adSRobert Elliott	  This block cipher mode is required for RxRPC.
720f1f142adSRobert Elliott
721f1f142adSRobert Elliottconfig CRYPTO_XCTR
722f1f142adSRobert Elliott	tristate
723f1f142adSRobert Elliott	select CRYPTO_SKCIPHER
724f1f142adSRobert Elliott	select CRYPTO_MANAGER
725cf514b2aSRobert Elliott	help
726cf514b2aSRobert Elliott	  XCTR (XOR Counter) mode for HCTR2
727cf514b2aSRobert Elliott
728cf514b2aSRobert Elliott	  This blockcipher mode is a variant of CTR mode using XORs and little-endian
729cf514b2aSRobert Elliott	  addition rather than big-endian arithmetic.
730f1f142adSRobert Elliott
731f1f142adSRobert Elliott	  XCTR mode is used to implement HCTR2.
732f1f142adSRobert Elliott
733cf514b2aSRobert Elliottconfig CRYPTO_XTS
734f1f142adSRobert Elliott	tristate "XTS (XOR Encrypt XOR with ciphertext stealing)"
735f1f142adSRobert Elliott	select CRYPTO_SKCIPHER
736f1f142adSRobert Elliott	select CRYPTO_MANAGER
737f1f142adSRobert Elliott	select CRYPTO_ECB
738cf514b2aSRobert Elliott	help
739cf514b2aSRobert Elliott	  XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
740cf514b2aSRobert Elliott	  and IEEE 1619)
741cf514b2aSRobert Elliott
742cf514b2aSRobert Elliott	  Use with aes-xts-plain, key size 256, 384 or 512 bits. This
743cf514b2aSRobert Elliott	  implementation currently can't handle a sectorsize which is not a
744f1f142adSRobert Elliott	  multiple of 16 bytes.
745f1f142adSRobert Elliott
746f1f142adSRobert Elliottconfig CRYPTO_NHPOLY1305
747f1f142adSRobert Elliott	tristate
748f1f142adSRobert Elliott	select CRYPTO_HASH
749f1f142adSRobert Elliott	select CRYPTO_LIB_POLY1305_GENERIC
750f1f142adSRobert Elliott
751f1f142adSRobert Elliottendmenu
752f1f142adSRobert Elliott
753f1f142adSRobert Elliottmenu "AEAD (authenticated encryption with associated data) ciphers"
754f1f142adSRobert Elliott
755e3d2eaddSRobert Elliottconfig CRYPTO_AEGIS128
756f1f142adSRobert Elliott	tristate "AEGIS-128"
757f1f142adSRobert Elliott	select CRYPTO_AEAD
758f1f142adSRobert Elliott	select CRYPTO_AES  # for AES S-box tables
759e3d2eaddSRobert Elliott	help
760f1f142adSRobert Elliott	  AEGIS-128 AEAD algorithm
761f1f142adSRobert Elliott
762e3d2eaddSRobert Elliottconfig CRYPTO_AEGIS128_SIMD
763f1f142adSRobert Elliott	bool "AEGIS-128 (arm NEON, arm64 NEON)"
764f1f142adSRobert Elliott	depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
765e3d2eaddSRobert Elliott	default y
766e3d2eaddSRobert Elliott	help
767e3d2eaddSRobert Elliott	  AEGIS-128 AEAD algorithm
768e3d2eaddSRobert Elliott
769e3d2eaddSRobert Elliott	  Architecture: arm or arm64 using:
770f1f142adSRobert Elliott	  - NEON (Advanced SIMD) extension
771f1f142adSRobert Elliott
772e3d2eaddSRobert Elliottconfig CRYPTO_CHACHA20POLY1305
773f1f142adSRobert Elliott	tristate "ChaCha20-Poly1305"
774f1f142adSRobert Elliott	select CRYPTO_CHACHA20
775f1f142adSRobert Elliott	select CRYPTO_POLY1305
776f1f142adSRobert Elliott	select CRYPTO_AEAD
777f1f142adSRobert Elliott	select CRYPTO_MANAGER
778e3d2eaddSRobert Elliott	help
779e3d2eaddSRobert Elliott	  ChaCha20 stream cipher and Poly1305 authenticator combined
780f1f142adSRobert Elliott	  mode (RFC8439)
781f1f142adSRobert Elliott
782cf514b2aSRobert Elliottconfig CRYPTO_CCM
783f1f142adSRobert Elliott	tristate "CCM (Counter with Cipher Block Chaining-MAC)"
784f1f142adSRobert Elliott	select CRYPTO_CTR
785f1f142adSRobert Elliott	select CRYPTO_HASH
786f1f142adSRobert Elliott	select CRYPTO_AEAD
787f1f142adSRobert Elliott	select CRYPTO_MANAGER
788e3d2eaddSRobert Elliott	help
789e3d2eaddSRobert Elliott	  CCM (Counter with Cipher Block Chaining-Message Authentication Code)
790f1f142adSRobert Elliott	  authenticated encryption mode (NIST SP800-38C)
791f1f142adSRobert Elliott
792cf514b2aSRobert Elliottconfig CRYPTO_GCM
793f1f142adSRobert Elliott	tristate "GCM (Galois/Counter Mode) and GMAC (GCM MAC)"
794f1f142adSRobert Elliott	select CRYPTO_CTR
795f1f142adSRobert Elliott	select CRYPTO_AEAD
796f1f142adSRobert Elliott	select CRYPTO_GHASH
797f1f142adSRobert Elliott	select CRYPTO_NULL
798f1f142adSRobert Elliott	select CRYPTO_MANAGER
799e3d2eaddSRobert Elliott	help
800e3d2eaddSRobert Elliott	  GCM (Galois/Counter Mode) authenticated encryption mode and GMAC
801e3d2eaddSRobert Elliott	  (GCM Message Authentication Code) (NIST SP800-38D)
802e3d2eaddSRobert Elliott
803f1f142adSRobert Elliott	  This is required for IPSec ESP (XFRM_ESP).
804ba51738fSHerbert Xu
805ba51738fSHerbert Xuconfig CRYPTO_GENIV
806ba51738fSHerbert Xu	tristate
807ba51738fSHerbert Xu	select CRYPTO_AEAD
808ba51738fSHerbert Xu	select CRYPTO_NULL
809ba51738fSHerbert Xu	select CRYPTO_MANAGER
810ba51738fSHerbert Xu	select CRYPTO_RNG_DEFAULT
811f1f142adSRobert Elliott
812f1f142adSRobert Elliottconfig CRYPTO_SEQIV
813ba51738fSHerbert Xu	tristate "Sequence Number IV Generator"
814f1f142adSRobert Elliott	select CRYPTO_GENIV
815e3d2eaddSRobert Elliott	help
816e3d2eaddSRobert Elliott	  Sequence Number IV generator
817f1f142adSRobert Elliott
818e3d2eaddSRobert Elliott	  This IV generator generates an IV based on a sequence number by
819e3d2eaddSRobert Elliott	  xoring it with a salt.  This algorithm is mainly useful for CTR.
820e3d2eaddSRobert Elliott
821f1f142adSRobert Elliott	  This is required for IPsec ESP (XFRM_ESP).
822f1f142adSRobert Elliott
823f1f142adSRobert Elliottconfig CRYPTO_ECHAINIV
824ba51738fSHerbert Xu	tristate "Encrypted Chain IV Generator"
825f1f142adSRobert Elliott	select CRYPTO_GENIV
826e3d2eaddSRobert Elliott	help
827e3d2eaddSRobert Elliott	  Encrypted Chain IV generator
828f1f142adSRobert Elliott
829f1f142adSRobert Elliott	  This IV generator generates an IV based on the encryption of
830f1f142adSRobert Elliott	  a sequence number xored with a salt.  This is the default
831f1f142adSRobert Elliott	  algorithm for CBC.
832f1f142adSRobert Elliott
833e3d2eaddSRobert Elliottconfig CRYPTO_ESSIV
834f1f142adSRobert Elliott	tristate "Encrypted Salt-Sector IV Generator"
835f1f142adSRobert Elliott	select CRYPTO_AUTHENC
836e3d2eaddSRobert Elliott	help
837e3d2eaddSRobert Elliott	  Encrypted Salt-Sector IV generator
838e3d2eaddSRobert Elliott
839f1f142adSRobert Elliott	  This IV generator is used in some cases by fscrypt and/or
840f1f142adSRobert Elliott	  dm-crypt. It uses the hash of the block encryption key as the
841f1f142adSRobert Elliott	  symmetric key for a block encryption pass applied to the input
842f1f142adSRobert Elliott	  IV, making low entropy IV sources more suitable for block
843f1f142adSRobert Elliott	  encryption.
844f1f142adSRobert Elliott
845f1f142adSRobert Elliott	  This driver implements a crypto API template that can be
846f1f142adSRobert Elliott	  instantiated either as an skcipher or as an AEAD (depending on the
847f1f142adSRobert Elliott	  type of the first template argument), and which defers encryption
848f1f142adSRobert Elliott	  and decryption requests to the encapsulated cipher after applying
849f1f142adSRobert Elliott	  ESSIV to the input IV. Note that in the AEAD case, it is assumed
850f1f142adSRobert Elliott	  that the keys are presented in the same format used by the authenc
851f1f142adSRobert Elliott	  template, and that the IV appears at the end of the authenticated
852f1f142adSRobert Elliott	  associated data (AAD) region (which is how dm-crypt uses it.)
853f1f142adSRobert Elliott
854f1f142adSRobert Elliott	  Note that the use of ESSIV is not recommended for new deployments,
855f1f142adSRobert Elliott	  and so this only needs to be enabled when interoperability with
856f1f142adSRobert Elliott	  existing encrypted volumes of filesystems is required, or when
857f1f142adSRobert Elliott	  building for a particular system that requires it (e.g., when
858f1f142adSRobert Elliott	  the SoC in question has accelerated CBC but not XTS, making CBC
859f1f142adSRobert Elliott	  combined with ESSIV the only feasible mode for h/w accelerated
860f1f142adSRobert Elliott	  block encryption)
861f1f142adSRobert Elliott
862f1f142adSRobert Elliottendmenu
863f1f142adSRobert Elliott
864f1f142adSRobert Elliottmenu "Hashes, digests, and MACs"
865f1f142adSRobert Elliott
8663f342a23SRobert Elliottconfig CRYPTO_BLAKE2B
867f1f142adSRobert Elliott	tristate "BLAKE2b"
868f1f142adSRobert Elliott	select CRYPTO_HASH
8693f342a23SRobert Elliott	help
8703f342a23SRobert Elliott	  BLAKE2b cryptographic hash function (RFC 7693)
8713f342a23SRobert Elliott
8723f342a23SRobert Elliott	  BLAKE2b is optimized for 64-bit platforms and can produce digests
873f1f142adSRobert Elliott	  of any size between 1 and 64 bytes. The keyed hash is also implemented.
874f1f142adSRobert Elliott
875f1f142adSRobert Elliott	  This module provides the following algorithms:
876f1f142adSRobert Elliott	  - blake2b-160
877f1f142adSRobert Elliott	  - blake2b-256
878f1f142adSRobert Elliott	  - blake2b-384
879f1f142adSRobert Elliott	  - blake2b-512
8803f342a23SRobert Elliott
8813f342a23SRobert Elliott	  Used by the btrfs filesystem.
8823f342a23SRobert Elliott
8833f342a23SRobert Elliott	  See https://blake2.net for further information.
884f1f142adSRobert Elliott
8853f342a23SRobert Elliottconfig CRYPTO_CMAC
886f1f142adSRobert Elliott	tristate "CMAC (Cipher-based MAC)"
887f1f142adSRobert Elliott	select CRYPTO_HASH
888f1f142adSRobert Elliott	select CRYPTO_MANAGER
8893f342a23SRobert Elliott	help
8903f342a23SRobert Elliott	  CMAC (Cipher-based Message Authentication Code) authentication
891f1f142adSRobert Elliott	  mode (NIST SP800-38B and IETF RFC4493)
892f1f142adSRobert Elliott
8933f342a23SRobert Elliottconfig CRYPTO_GHASH
894f1f142adSRobert Elliott	tristate "GHASH"
89561c581a4SArd Biesheuvel	select CRYPTO_HASH
896f1f142adSRobert Elliott	select CRYPTO_LIB_GF128MUL
8973f342a23SRobert Elliott	help
898f1f142adSRobert Elliott	  GCM GHASH function (NIST SP800-38D)
899f1f142adSRobert Elliott
9003f342a23SRobert Elliottconfig CRYPTO_HMAC
901f1f142adSRobert Elliott	tristate "HMAC (Keyed-Hash MAC)"
902f1f142adSRobert Elliott	select CRYPTO_HASH
903f1f142adSRobert Elliott	select CRYPTO_MANAGER
9043f342a23SRobert Elliott	help
9053f342a23SRobert Elliott	  HMAC (Keyed-Hash Message Authentication Code) (FIPS 198 and
9063f342a23SRobert Elliott	  RFC2104)
9073f342a23SRobert Elliott
908f1f142adSRobert Elliott	  This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
909f1f142adSRobert Elliott
9103f342a23SRobert Elliottconfig CRYPTO_MD4
911f1f142adSRobert Elliott	tristate "MD4"
912f1f142adSRobert Elliott	select CRYPTO_HASH
9133f342a23SRobert Elliott	help
914f1f142adSRobert Elliott	  MD4 message digest algorithm (RFC1320)
915f1f142adSRobert Elliott
9163f342a23SRobert Elliottconfig CRYPTO_MD5
917f1f142adSRobert Elliott	tristate "MD5"
918f1f142adSRobert Elliott	select CRYPTO_HASH
9193f342a23SRobert Elliott	help
920f1f142adSRobert Elliott	  MD5 message digest algorithm (RFC1321)
921f1f142adSRobert Elliott
9223f342a23SRobert Elliottconfig CRYPTO_MICHAEL_MIC
923f1f142adSRobert Elliott	tristate "Michael MIC"
924f1f142adSRobert Elliott	select CRYPTO_HASH
9253f342a23SRobert Elliott	help
9263f342a23SRobert Elliott	  Michael MIC (Message Integrity Code) (IEEE 802.11i)
9273f342a23SRobert Elliott
9283f342a23SRobert Elliott	  Defined by the IEEE 802.11i TKIP (Temporal Key Integrity Protocol),
9293f342a23SRobert Elliott	  known as WPA (Wif-Fi Protected Access).
9303f342a23SRobert Elliott
9313f342a23SRobert Elliott	  This algorithm is required for TKIP, but it should not be used for
932f1f142adSRobert Elliott	  other purposes because of the weakness of the algorithm.
933f1f142adSRobert Elliott
934f1f142adSRobert Elliottconfig CRYPTO_POLYVAL
935f1f142adSRobert Elliott	tristate
93661c581a4SArd Biesheuvel	select CRYPTO_HASH
937f1f142adSRobert Elliott	select CRYPTO_LIB_GF128MUL
9383f342a23SRobert Elliott	help
9393f342a23SRobert Elliott	  POLYVAL hash function for HCTR2
9403f342a23SRobert Elliott
941f1f142adSRobert Elliott	  This is used in HCTR2.  It is not a general-purpose
942f1f142adSRobert Elliott	  cryptographic hash function.
943f1f142adSRobert Elliott
9443f342a23SRobert Elliottconfig CRYPTO_POLY1305
945f1f142adSRobert Elliott	tristate "Poly1305"
946f1f142adSRobert Elliott	select CRYPTO_HASH
947f1f142adSRobert Elliott	select CRYPTO_LIB_POLY1305_GENERIC
9483f342a23SRobert Elliott	help
949f1f142adSRobert Elliott	  Poly1305 authenticator algorithm (RFC7539)
950f1f142adSRobert Elliott
951f1f142adSRobert Elliott	  Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
952f1f142adSRobert Elliott	  It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
953f1f142adSRobert Elliott	  in IETF protocols. This is the portable C implementation of Poly1305.
954f1f142adSRobert Elliott
9553f342a23SRobert Elliottconfig CRYPTO_RMD160
956f1f142adSRobert Elliott	tristate "RIPEMD-160"
957f1f142adSRobert Elliott	select CRYPTO_HASH
9583f342a23SRobert Elliott	help
959f1f142adSRobert Elliott	  RIPEMD-160 hash function (ISO/IEC 10118-3)
960f1f142adSRobert Elliott
961f1f142adSRobert Elliott	  RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
962f1f142adSRobert Elliott	  to be used as a secure replacement for the 128-bit hash functions
963f1f142adSRobert Elliott	  MD4, MD5 and its predecessor RIPEMD
964f1f142adSRobert Elliott	  (not to be confused with RIPEMD-128).
9653f342a23SRobert Elliott
966f1f142adSRobert Elliott	  Its speed is comparable to SHA-1 and there are no known attacks
967f1f142adSRobert Elliott	  against RIPEMD-160.
968f1f142adSRobert Elliott
9693f342a23SRobert Elliott	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
9703f342a23SRobert Elliott	  See https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
971f1f142adSRobert Elliott	  for further information.
972f1f142adSRobert Elliott
9733f342a23SRobert Elliottconfig CRYPTO_SHA1
974f1f142adSRobert Elliott	tristate "SHA-1"
975f1f142adSRobert Elliott	select CRYPTO_HASH
976f1f142adSRobert Elliott	select CRYPTO_LIB_SHA1
9773f342a23SRobert Elliott	help
978f1f142adSRobert Elliott	  SHA-1 secure hash algorithm (FIPS 180, ISO/IEC 10118-3)
979f1f142adSRobert Elliott
9803f342a23SRobert Elliottconfig CRYPTO_SHA256
981f1f142adSRobert Elliott	tristate "SHA-224 and SHA-256"
982f1f142adSRobert Elliott	select CRYPTO_HASH
983f1f142adSRobert Elliott	select CRYPTO_LIB_SHA256
9843f342a23SRobert Elliott	help
985f1f142adSRobert Elliott	  SHA-224 and SHA-256 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
9863f342a23SRobert Elliott
9873f342a23SRobert Elliott	  This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
988f1f142adSRobert Elliott	  Used by the btrfs filesystem, Ceph, NFS, and SMB.
989f1f142adSRobert Elliott
9903f342a23SRobert Elliottconfig CRYPTO_SHA512
991f1f142adSRobert Elliott	tristate "SHA-384 and SHA-512"
992f1f142adSRobert Elliott	select CRYPTO_HASH
9933f342a23SRobert Elliott	help
994f1f142adSRobert Elliott	  SHA-384 and SHA-512 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
995f1f142adSRobert Elliott
9963f342a23SRobert Elliottconfig CRYPTO_SHA3
997f1f142adSRobert Elliott	tristate "SHA-3"
998f1f142adSRobert Elliott	select CRYPTO_HASH
9993f342a23SRobert Elliott	help
1000f1f142adSRobert Elliott	  SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3)
1001f1f142adSRobert Elliott
1002f1f142adSRobert Elliottconfig CRYPTO_SM3
1003f1f142adSRobert Elliott	tristate
1004f1f142adSRobert Elliott
10053f342a23SRobert Elliottconfig CRYPTO_SM3_GENERIC
1006f1f142adSRobert Elliott	tristate "SM3 (ShangMi 3)"
1007f1f142adSRobert Elliott	select CRYPTO_HASH
1008f1f142adSRobert Elliott	select CRYPTO_SM3
10093f342a23SRobert Elliott	help
10103f342a23SRobert Elliott	  SM3 (ShangMi 3) secure hash function (OSCCA GM/T 0004-2012, ISO/IEC 10118-3)
10113f342a23SRobert Elliott
1012f1f142adSRobert Elliott	  This is part of the Chinese Commercial Cryptography suite.
1013f1f142adSRobert Elliott
1014f1f142adSRobert Elliott	  References:
1015f1f142adSRobert Elliott	  http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
1016f1f142adSRobert Elliott	  https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
1017f1f142adSRobert Elliott
10183f342a23SRobert Elliottconfig CRYPTO_STREEBOG
1019f1f142adSRobert Elliott	tristate "Streebog"
1020f1f142adSRobert Elliott	select CRYPTO_HASH
10213f342a23SRobert Elliott	help
10223f342a23SRobert Elliott	  Streebog Hash Function (GOST R 34.11-2012, RFC 6986, ISO/IEC 10118-3)
10233f342a23SRobert Elliott
10243f342a23SRobert Elliott	  This is one of the Russian cryptographic standard algorithms (called
10253f342a23SRobert Elliott	  GOST algorithms). This setting enables two hash algorithms with
1026f1f142adSRobert Elliott	  256 and 512 bits output.
1027f1f142adSRobert Elliott
1028f1f142adSRobert Elliott	  References:
1029f1f142adSRobert Elliott	  https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1030f1f142adSRobert Elliott	  https://tools.ietf.org/html/rfc6986
1031f1f142adSRobert Elliott
10323f342a23SRobert Elliottconfig CRYPTO_VMAC
1033f1f142adSRobert Elliott	tristate "VMAC"
1034f1f142adSRobert Elliott	select CRYPTO_HASH
1035f1f142adSRobert Elliott	select CRYPTO_MANAGER
1036f1f142adSRobert Elliott	help
1037f1f142adSRobert Elliott	  VMAC is a message authentication algorithm designed for
1038f1f142adSRobert Elliott	  very high speed on 64-bit architectures.
10393f342a23SRobert Elliott
1040f1f142adSRobert Elliott	  See https://fastcrypto.org/vmac for further information.
1041f1f142adSRobert Elliott
10423f342a23SRobert Elliottconfig CRYPTO_WP512
1043f1f142adSRobert Elliott	tristate "Whirlpool"
1044f1f142adSRobert Elliott	select CRYPTO_HASH
10453f342a23SRobert Elliott	help
10463f342a23SRobert Elliott	  Whirlpool hash function (ISO/IEC 10118-3)
10473f342a23SRobert Elliott
1048f1f142adSRobert Elliott	  512, 384 and 256-bit hashes.
1049f1f142adSRobert Elliott
1050f1f142adSRobert Elliott	  Whirlpool-512 is part of the NESSIE cryptographic primitives.
10513f342a23SRobert Elliott
10523f342a23SRobert Elliott	  See https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
1053f1f142adSRobert Elliott	  for further information.
1054f1f142adSRobert Elliott
10553f342a23SRobert Elliottconfig CRYPTO_XCBC
1056f1f142adSRobert Elliott	tristate "XCBC-MAC (Extended Cipher Block Chaining MAC)"
1057f1f142adSRobert Elliott	select CRYPTO_HASH
1058f1f142adSRobert Elliott	select CRYPTO_MANAGER
10593f342a23SRobert Elliott	help
10603f342a23SRobert Elliott	  XCBC-MAC (Extended Cipher Block Chaining Message Authentication
1061f1f142adSRobert Elliott	  Code) (RFC3566)
1062f1f142adSRobert Elliott
10633f342a23SRobert Elliottconfig CRYPTO_XXHASH
1064f1f142adSRobert Elliott	tristate "xxHash"
1065f1f142adSRobert Elliott	select CRYPTO_HASH
1066f1f142adSRobert Elliott	select XXHASH
10673f342a23SRobert Elliott	help
10683f342a23SRobert Elliott	  xxHash non-cryptographic hash algorithm
10693f342a23SRobert Elliott
10703f342a23SRobert Elliott	  Extremely fast, working at speeds close to RAM limits.
10713f342a23SRobert Elliott
1072f1f142adSRobert Elliott	  Used by the btrfs filesystem.
1073f1f142adSRobert Elliott
1074f1f142adSRobert Elliottendmenu
1075f1f142adSRobert Elliott
1076f1f142adSRobert Elliottmenu "CRCs (cyclic redundancy checks)"
1077f1f142adSRobert Elliott
1078ec84348dSRobert Elliottconfig CRYPTO_CRC32C
1079f1f142adSRobert Elliott	tristate "CRC32c"
1080f1f142adSRobert Elliott	select CRYPTO_HASH
1081f1f142adSRobert Elliott	select CRC32
1082ec84348dSRobert Elliott	help
1083ec84348dSRobert Elliott	  CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720)
1084ec84348dSRobert Elliott
1085ec84348dSRobert Elliott	  A 32-bit CRC (cyclic redundancy check) with a polynomial defined
1086ec84348dSRobert Elliott	  by G. Castagnoli, S. Braeuer and M. Herrman in "Optimization of Cyclic
1087ec84348dSRobert Elliott	  Redundancy-Check Codes with 24 and 32 Parity Bits", IEEE Transactions
1088ec84348dSRobert Elliott	  on Communications, Vol. 41, No. 6, June 1993, selected for use with
1089ec84348dSRobert Elliott	  iSCSI.
1090ec84348dSRobert Elliott
1091f1f142adSRobert Elliott	  Used by btrfs, ext4, jbd2, NVMeoF/TCP, and iSCSI.
1092f1f142adSRobert Elliott
1093ec84348dSRobert Elliottconfig CRYPTO_CRC32
1094f1f142adSRobert Elliott	tristate "CRC32"
1095f1f142adSRobert Elliott	select CRYPTO_HASH
1096f1f142adSRobert Elliott	select CRC32
1097ec84348dSRobert Elliott	help
1098ec84348dSRobert Elliott	  CRC32 CRC algorithm (IEEE 802.3)
1099ec84348dSRobert Elliott
1100f1f142adSRobert Elliott	  Used by RoCEv2 and f2fs.
1101f1f142adSRobert Elliott
1102ec84348dSRobert Elliottconfig CRYPTO_CRCT10DIF
1103f1f142adSRobert Elliott	tristate "CRCT10DIF"
1104f1f142adSRobert Elliott	select CRYPTO_HASH
1105ec84348dSRobert Elliott	help
1106ec84348dSRobert Elliott	  CRC16 CRC algorithm used for the T10 (SCSI) Data Integrity Field (DIF)
1107ec84348dSRobert Elliott
1108f1f142adSRobert Elliott	  CRC algorithm used by the SCSI Block Commands standard.
1109f1f142adSRobert Elliott
1110ec84348dSRobert Elliottconfig CRYPTO_CRC64_ROCKSOFT
1111f1f142adSRobert Elliott	tristate "CRC64 based on Rocksoft Model algorithm"
1112f1f142adSRobert Elliott	depends on CRC64
1113ec84348dSRobert Elliott	select CRYPTO_HASH
1114ec84348dSRobert Elliott	help
1115ec84348dSRobert Elliott	  CRC64 CRC algorithm based on the Rocksoft Model CRC Algorithm
1116ec84348dSRobert Elliott
1117ec84348dSRobert Elliott	  Used by the NVMe implementation of T10 DIF (BLK_DEV_INTEGRITY)
1118ec84348dSRobert Elliott
1119f1f142adSRobert Elliott	  See https://zlib.net/crc_v3.txt
1120f1f142adSRobert Elliott
1121f1f142adSRobert Elliottendmenu
1122f1f142adSRobert Elliott
1123584fffc8SSebastian Siewiormenu "Compression"
11241da177e4SLinus Torvalds
1125a9a98d49SRobert Elliottconfig CRYPTO_DEFLATE
1126cce9e06dSHerbert Xu	tristate "Deflate"
1127f6ded09dSGiovanni Cabiddu	select CRYPTO_ALGAPI
11281da177e4SLinus Torvalds	select CRYPTO_ACOMP2
11291da177e4SLinus Torvalds	select ZLIB_INFLATE
11301da177e4SLinus Torvalds	select ZLIB_DEFLATE
1131a9a98d49SRobert Elliott	help
11321da177e4SLinus Torvalds	  Deflate compression algorithm (RFC1951)
1133a9a98d49SRobert Elliott
11341da177e4SLinus Torvalds	  Used by IPSec with the IPCOMP protocol (RFC3173, RFC2394)
11350b77abb3SZoltan Sogor
1136a9a98d49SRobert Elliottconfig CRYPTO_LZO
11370b77abb3SZoltan Sogor	tristate "LZO"
1138ac9d2c4bSGiovanni Cabiddu	select CRYPTO_ALGAPI
11390b77abb3SZoltan Sogor	select CRYPTO_ACOMP2
11400b77abb3SZoltan Sogor	select LZO_COMPRESS
11410b77abb3SZoltan Sogor	select LZO_DECOMPRESS
1142a9a98d49SRobert Elliott	help
1143a9a98d49SRobert Elliott	  LZO compression algorithm
1144a9a98d49SRobert Elliott
11450b77abb3SZoltan Sogor	  See https://www.oberhumer.com/opensource/lzo/ for further information.
114635a1fc18SSeth Jennings
1147a9a98d49SRobert Elliottconfig CRYPTO_842
11482062c5b6SDan Streetman	tristate "842"
11496a8de3aeSGiovanni Cabiddu	select CRYPTO_ALGAPI
11502062c5b6SDan Streetman	select CRYPTO_ACOMP2
11512062c5b6SDan Streetman	select 842_COMPRESS
115235a1fc18SSeth Jennings	select 842_DECOMPRESS
1153a9a98d49SRobert Elliott	help
1154a9a98d49SRobert Elliott	  842 compression algorithm by IBM
1155a9a98d49SRobert Elliott
115635a1fc18SSeth Jennings	  See https://github.com/plauth/lib842 for further information.
11570ea8530dSChanho Min
1158a9a98d49SRobert Elliottconfig CRYPTO_LZ4
11590ea8530dSChanho Min	tristate "LZ4"
11608cd9330eSGiovanni Cabiddu	select CRYPTO_ALGAPI
11610ea8530dSChanho Min	select CRYPTO_ACOMP2
11620ea8530dSChanho Min	select LZ4_COMPRESS
11630ea8530dSChanho Min	select LZ4_DECOMPRESS
1164a9a98d49SRobert Elliott	help
1165a9a98d49SRobert Elliott	  LZ4 compression algorithm
1166a9a98d49SRobert Elliott
11670ea8530dSChanho Min	  See https://github.com/lz4/lz4 for further information.
11680ea8530dSChanho Min
1169a9a98d49SRobert Elliottconfig CRYPTO_LZ4HC
11700ea8530dSChanho Min	tristate "LZ4HC"
117191d53d96SGiovanni Cabiddu	select CRYPTO_ALGAPI
11720ea8530dSChanho Min	select CRYPTO_ACOMP2
11730ea8530dSChanho Min	select LZ4HC_COMPRESS
11740ea8530dSChanho Min	select LZ4_DECOMPRESS
1175a9a98d49SRobert Elliott	help
1176a9a98d49SRobert Elliott	  LZ4 high compression mode algorithm
1177a9a98d49SRobert Elliott
11780ea8530dSChanho Min	  See https://github.com/lz4/lz4 for further information.
1179d28fc3dbSNick Terrell
1180a9a98d49SRobert Elliottconfig CRYPTO_ZSTD
1181d28fc3dbSNick Terrell	tristate "Zstd"
1182d28fc3dbSNick Terrell	select CRYPTO_ALGAPI
1183d28fc3dbSNick Terrell	select CRYPTO_ACOMP2
1184d28fc3dbSNick Terrell	select ZSTD_COMPRESS
1185d28fc3dbSNick Terrell	select ZSTD_DECOMPRESS
1186a9a98d49SRobert Elliott	help
1187a9a98d49SRobert Elliott	  zstd compression algorithm
1188a9a98d49SRobert Elliott
1189d28fc3dbSNick Terrell	  See https://github.com/facebook/zstd for further information.
1190f1f142adSRobert Elliott
1191f1f142adSRobert Elliottendmenu
1192f1f142adSRobert Elliott
119317f0f4a4SNeil Hormanmenu "Random number generation"
119417f0f4a4SNeil Horman
1195a9a98d49SRobert Elliottconfig CRYPTO_ANSI_CPRNG
119617f0f4a4SNeil Horman	tristate "ANSI PRNG (Pseudo Random Number Generator)"
119717f0f4a4SNeil Horman	select CRYPTO_AES
119817f0f4a4SNeil Horman	select CRYPTO_RNG
1199a9a98d49SRobert Elliott	help
1200a9a98d49SRobert Elliott	  Pseudo RNG (random number generator) (ANSI X9.31 Appendix A.2.4)
1201a9a98d49SRobert Elliott
1202a9a98d49SRobert Elliott	  This uses the AES cipher algorithm.
1203a9a98d49SRobert Elliott
120417f0f4a4SNeil Horman	  Note that this option must be enabled if CRYPTO_FIPS is selected
1205f2c89a10SHerbert Xu
1206a9a98d49SRobert Elliottmenuconfig CRYPTO_DRBG_MENU
1207419090c6SStephan Mueller	tristate "NIST SP800-90A DRBG (Deterministic Random Bit Generator)"
1208a9a98d49SRobert Elliott	help
1209a9a98d49SRobert Elliott	  DRBG (Deterministic Random Bit Generator) (NIST SP800-90A)
1210a9a98d49SRobert Elliott
1211419090c6SStephan Mueller	  In the following submenu, one or more of the DRBG types must be selected.
1212f2c89a10SHerbert Xu
1213419090c6SStephan Muellerif CRYPTO_DRBG_MENU
1214419090c6SStephan Mueller
1215401e4238SHerbert Xuconfig CRYPTO_DRBG_HMAC
1216419090c6SStephan Mueller	bool
1217419090c6SStephan Mueller	default y
12185261cdf4SStephan Mueller	select CRYPTO_HMAC
1219419090c6SStephan Mueller	select CRYPTO_SHA512
1220419090c6SStephan Mueller
1221a9a98d49SRobert Elliottconfig CRYPTO_DRBG_HASH
1222826775bbSHerbert Xu	bool "Hash_DRBG"
1223419090c6SStephan Mueller	select CRYPTO_SHA256
1224a9a98d49SRobert Elliott	help
1225a9a98d49SRobert Elliott	  Hash_DRBG variant as defined in NIST SP800-90A.
1226a9a98d49SRobert Elliott
1227419090c6SStephan Mueller	  This uses the SHA-1, SHA-256, SHA-384, or SHA-512 hash algorithms.
1228419090c6SStephan Mueller
1229a9a98d49SRobert Elliottconfig CRYPTO_DRBG_CTR
1230419090c6SStephan Mueller	bool "CTR_DRBG"
1231d6fc1a45SCorentin Labbe	select CRYPTO_AES
1232419090c6SStephan Mueller	select CRYPTO_CTR
1233a9a98d49SRobert Elliott	help
1234a9a98d49SRobert Elliott	  CTR_DRBG variant as defined in NIST SP800-90A.
1235a9a98d49SRobert Elliott
1236419090c6SStephan Mueller	  This uses the AES cipher algorithm with the counter block mode.
1237f2c89a10SHerbert Xu
1238f2c89a10SHerbert Xuconfig CRYPTO_DRBG
1239401e4238SHerbert Xu	tristate
1240f2c89a10SHerbert Xu	default CRYPTO_DRBG_MENU
1241bb5530e4SStephan Mueller	select CRYPTO_RNG
1242f2c89a10SHerbert Xu	select CRYPTO_JITTERENTROPY
1243f2c89a10SHerbert Xu
1244419090c6SStephan Muellerendif	# if CRYPTO_DRBG_MENU
1245bb5530e4SStephan Mueller
1246a9a98d49SRobert Elliottconfig CRYPTO_JITTERENTROPY
12472f313e02SArnd Bergmann	tristate "CPU Jitter Non-Deterministic RNG (Random Number Generator)"
1248bb897c55SStephan Müller	select CRYPTO_RNG
1249bb5530e4SStephan Mueller	select CRYPTO_SHA3
1250a9a98d49SRobert Elliott	help
1251a9a98d49SRobert Elliott	  CPU Jitter RNG (Random Number Generator) from the Jitterentropy library
1252a9a98d49SRobert Elliott
1253a9a98d49SRobert Elliott	  A non-physical non-deterministic ("true") RNG (e.g., an entropy source
1254e63df1ecSRandy Dunlap	  compliant with NIST SP800-90B) intended to provide a seed to a
1255a9a98d49SRobert Elliott	  deterministic RNG (e.g., per NIST SP800-90C).
1256e63df1ecSRandy Dunlap	  This RNG does not perform any cryptographic whitening of the generated
1257a9a98d49SRobert Elliott	  random numbers.
1258e63df1ecSRandy Dunlap
1259bb5530e4SStephan Mueller	  See https://www.chronox.de/jent/
1260e7ed6473SHerbert Xu
1261e7ed6473SHerbert Xuif CRYPTO_JITTERENTROPY
1262e7ed6473SHerbert Xuif CRYPTO_FIPS && EXPERT
126359bcfd78SStephan Müller
126459bcfd78SStephan Müllerchoice
126559bcfd78SStephan Müller	prompt "CPU Jitter RNG Memory Size"
126659bcfd78SStephan Müller	default CRYPTO_JITTERENTROPY_MEMSIZE_2
126759bcfd78SStephan Müller	help
126859bcfd78SStephan Müller	  The Jitter RNG measures the execution time of memory accesses.
126959bcfd78SStephan Müller	  Multiple consecutive memory accesses are performed. If the memory
127059bcfd78SStephan Müller	  size fits into a cache (e.g. L1), only the memory access timing
127159bcfd78SStephan Müller	  to that cache is measured. The closer the cache is to the CPU
127259bcfd78SStephan Müller	  the less variations are measured and thus the less entropy is
127359bcfd78SStephan Müller	  obtained. Thus, if the memory size fits into the L1 cache, the
127459bcfd78SStephan Müller	  obtained entropy is less than if the memory size fits within
127559bcfd78SStephan Müller	  L1 + L2, which in turn is less if the memory fits into
127659bcfd78SStephan Müller	  L1 + L2 + L3. Thus, by selecting a different memory size,
127759bcfd78SStephan Müller	  the entropy rate produced by the Jitter RNG can be modified.
127859bcfd78SStephan Müller
127959bcfd78SStephan Müller	config CRYPTO_JITTERENTROPY_MEMSIZE_2
128059bcfd78SStephan Müller		bool "2048 Bytes (default)"
128159bcfd78SStephan Müller
128259bcfd78SStephan Müller	config CRYPTO_JITTERENTROPY_MEMSIZE_128
128359bcfd78SStephan Müller		bool "128 kBytes"
128459bcfd78SStephan Müller
128559bcfd78SStephan Müller	config CRYPTO_JITTERENTROPY_MEMSIZE_1024
128659bcfd78SStephan Müller		bool "1024 kBytes"
128759bcfd78SStephan Müller
128859bcfd78SStephan Müller	config CRYPTO_JITTERENTROPY_MEMSIZE_8192
128959bcfd78SStephan Müller		bool "8192 kBytes"
129059bcfd78SStephan Müllerendchoice
129159bcfd78SStephan Müller
129259bcfd78SStephan Müllerconfig CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
129359bcfd78SStephan Müller	int
129459bcfd78SStephan Müller	default 64 if CRYPTO_JITTERENTROPY_MEMSIZE_2
129559bcfd78SStephan Müller	default 512 if CRYPTO_JITTERENTROPY_MEMSIZE_128
129659bcfd78SStephan Müller	default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
129759bcfd78SStephan Müller	default 4096 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
129859bcfd78SStephan Müller
129959bcfd78SStephan Müllerconfig CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
130059bcfd78SStephan Müller	int
130159bcfd78SStephan Müller	default 32 if CRYPTO_JITTERENTROPY_MEMSIZE_2
130259bcfd78SStephan Müller	default 256 if CRYPTO_JITTERENTROPY_MEMSIZE_128
130359bcfd78SStephan Müller	default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
130459bcfd78SStephan Müller	default 2048 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
13050baa8fabSStephan Müller
13060baa8fabSStephan Müllerconfig CRYPTO_JITTERENTROPY_OSR
13070baa8fabSStephan Müller	int "CPU Jitter RNG Oversampling Rate"
1308*95a798d2SStephan Mueller	range 1 15
13090baa8fabSStephan Müller	default 3
13100baa8fabSStephan Müller	help
13110baa8fabSStephan Müller	  The Jitter RNG allows the specification of an oversampling rate (OSR).
13120baa8fabSStephan Müller	  The Jitter RNG operation requires a fixed amount of timing
13130baa8fabSStephan Müller	  measurements to produce one output block of random numbers. The
13140baa8fabSStephan Müller	  OSR value is multiplied with the amount of timing measurements to
13150baa8fabSStephan Müller	  generate one output block. Thus, the timing measurement is oversampled
13160baa8fabSStephan Müller	  by the OSR factor. The oversampling allows the Jitter RNG to operate
13170baa8fabSStephan Müller	  on hardware whose timers deliver limited amount of entropy (e.g.
13180baa8fabSStephan Müller	  the timer is coarse) by setting the OSR to a higher value. The
13190baa8fabSStephan Müller	  trade-off, however, is that the Jitter RNG now requires more time
13200baa8fabSStephan Müller	  to generate random numbers.
132169f1c387SStephan Müller
132269f1c387SStephan Müllerconfig CRYPTO_JITTERENTROPY_TESTINTERFACE
132369f1c387SStephan Müller	bool "CPU Jitter RNG Test Interface"
132469f1c387SStephan Müller	help
132569f1c387SStephan Müller	  The test interface allows a privileged process to capture
132669f1c387SStephan Müller	  the raw unconditioned high resolution time stamp noise that
132769f1c387SStephan Müller	  is collected by the Jitter RNG for statistical analysis. As
132869f1c387SStephan Müller	  this data is used at the same time to generate random bits,
132969f1c387SStephan Müller	  the Jitter RNG operates in an insecure mode as long as the
133069f1c387SStephan Müller	  recording is enabled. This interface therefore is only
133169f1c387SStephan Müller	  intended for testing purposes and is not suitable for
133269f1c387SStephan Müller	  production systems.
133369f1c387SStephan Müller
133469f1c387SStephan Müller	  The raw noise data can be obtained using the jent_raw_hires
133569f1c387SStephan Müller	  debugfs file. Using the option
133669f1c387SStephan Müller	  jitterentropy_testing.boot_raw_hires_test=1 the raw noise of
133769f1c387SStephan Müller	  the first 1000 entropy events since boot can be sampled.
133869f1c387SStephan Müller
133969f1c387SStephan Müller	  If unsure, select N.
1340e7ed6473SHerbert Xu
1341e7ed6473SHerbert Xuendif	# if CRYPTO_FIPS && EXPERT
1342e7ed6473SHerbert Xu
1343e7ed6473SHerbert Xuif !(CRYPTO_FIPS && EXPERT)
1344e7ed6473SHerbert Xu
1345e7ed6473SHerbert Xuconfig CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
1346e7ed6473SHerbert Xu	int
1347e7ed6473SHerbert Xu	default 64
1348e7ed6473SHerbert Xu
1349e7ed6473SHerbert Xuconfig CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
1350e7ed6473SHerbert Xu	int
1351e7ed6473SHerbert Xu	default 32
1352e7ed6473SHerbert Xu
1353e7ed6473SHerbert Xuconfig CRYPTO_JITTERENTROPY_OSR
1354e7ed6473SHerbert Xu	int
1355e7ed6473SHerbert Xu	default 1
1356e7ed6473SHerbert Xu
1357e7ed6473SHerbert Xuconfig CRYPTO_JITTERENTROPY_TESTINTERFACE
1358e7ed6473SHerbert Xu	bool
1359e7ed6473SHerbert Xu
1360e7ed6473SHerbert Xuendif	# if !(CRYPTO_FIPS && EXPERT)
1361e7ed6473SHerbert Xuendif	# if CRYPTO_JITTERENTROPY
1362026a733eSStephan Müller
1363026a733eSStephan Müllerconfig CRYPTO_KDF800108_CTR
1364a88592ccSHerbert Xu	tristate
1365304b4aceSStephan Müller	select CRYPTO_HMAC
1366026a733eSStephan Müller	select CRYPTO_SHA256
1367f1f142adSRobert Elliott
13689bc51715SRobert Elliottendmenu
1369f1f142adSRobert Elliottmenu "Userspace interface"
137003c8efc1SHerbert Xu
137103c8efc1SHerbert Xuconfig CRYPTO_USER_API
137203c8efc1SHerbert Xu	tristate
1373fe869cdbSHerbert Xu
13749bc51715SRobert Elliottconfig CRYPTO_USER_API_HASH
13757451708fSHerbert Xu	tristate "Hash algorithms"
1376fe869cdbSHerbert Xu	depends on NET
1377fe869cdbSHerbert Xu	select CRYPTO_HASH
1378fe869cdbSHerbert Xu	select CRYPTO_USER_API
13799bc51715SRobert Elliott	help
13809bc51715SRobert Elliott	  Enable the userspace interface for hash algorithms.
13819bc51715SRobert Elliott
13829bc51715SRobert Elliott	  See Documentation/crypto/userspace-if.rst and
1383fe869cdbSHerbert Xu	  https://www.chronox.de/libkcapi/html/index.html
13848ff59090SHerbert Xu
13859bc51715SRobert Elliottconfig CRYPTO_USER_API_SKCIPHER
13867451708fSHerbert Xu	tristate "Symmetric key cipher algorithms"
1387b95bba5dSEric Biggers	depends on NET
13888ff59090SHerbert Xu	select CRYPTO_SKCIPHER
13898ff59090SHerbert Xu	select CRYPTO_USER_API
13909bc51715SRobert Elliott	help
13919bc51715SRobert Elliott	  Enable the userspace interface for symmetric key cipher algorithms.
13929bc51715SRobert Elliott
13939bc51715SRobert Elliott	  See Documentation/crypto/userspace-if.rst and
13948ff59090SHerbert Xu	  https://www.chronox.de/libkcapi/html/index.html
13952f375538SStephan Mueller
13969bc51715SRobert Elliottconfig CRYPTO_USER_API_RNG
13972f375538SStephan Mueller	tristate "RNG (random number generator) algorithms"
13982f375538SStephan Mueller	depends on NET
13992f375538SStephan Mueller	select CRYPTO_RNG
14002f375538SStephan Mueller	select CRYPTO_USER_API
14019bc51715SRobert Elliott	help
14029bc51715SRobert Elliott	  Enable the userspace interface for RNG (random number generator)
14039bc51715SRobert Elliott	  algorithms.
14049bc51715SRobert Elliott
14059bc51715SRobert Elliott	  See Documentation/crypto/userspace-if.rst and
14062f375538SStephan Mueller	  https://www.chronox.de/libkcapi/html/index.html
140777ebdabeSElena Petrova
140877ebdabeSElena Petrovaconfig CRYPTO_USER_API_RNG_CAVP
140977ebdabeSElena Petrova	bool "Enable CAVP testing of DRBG"
141077ebdabeSElena Petrova	depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
14119bc51715SRobert Elliott	help
14129bc51715SRobert Elliott	  Enable extra APIs in the userspace interface for NIST CAVP
14139bc51715SRobert Elliott	  (Cryptographic Algorithm Validation Program) testing:
14149bc51715SRobert Elliott	  - resetting DRBG entropy
14159bc51715SRobert Elliott	  - providing Additional Data
141677ebdabeSElena Petrova
141777ebdabeSElena Petrova	  This should only be enabled for CAVP testing. You should say
141877ebdabeSElena Petrova	  no unless you know what this is.
1419b64a2d95SHerbert Xu
14209bc51715SRobert Elliottconfig CRYPTO_USER_API_AEAD
1421b64a2d95SHerbert Xu	tristate "AEAD cipher algorithms"
1422b64a2d95SHerbert Xu	depends on NET
1423b95bba5dSEric Biggers	select CRYPTO_AEAD
142472548b09SStephan Mueller	select CRYPTO_SKCIPHER
1425b64a2d95SHerbert Xu	select CRYPTO_NULL
1426b64a2d95SHerbert Xu	select CRYPTO_USER_API
14279bc51715SRobert Elliott	help
14289bc51715SRobert Elliott	  Enable the userspace interface for AEAD cipher algorithms.
14299bc51715SRobert Elliott
14309bc51715SRobert Elliott	  See Documentation/crypto/userspace-if.rst and
1431b64a2d95SHerbert Xu	  https://www.chronox.de/libkcapi/html/index.html
14329ace6771SArd Biesheuvel
14339bc51715SRobert Elliottconfig CRYPTO_USER_API_ENABLE_OBSOLETE
14349ace6771SArd Biesheuvel	bool "Obsolete cryptographic algorithms"
14359ace6771SArd Biesheuvel	depends on CRYPTO_USER_API
14369ace6771SArd Biesheuvel	default y
14379ace6771SArd Biesheuvel	help
14389ace6771SArd Biesheuvel	  Allow obsolete cryptographic algorithms to be selected that have
14399ace6771SArd Biesheuvel	  already been phased out from internal use by the kernel, and are
14409ace6771SArd Biesheuvel	  only useful for userspace clients that still rely on them.
1441f1f142adSRobert Elliott
1442f1f142adSRobert Elliottendmenu
1443ee08997fSDmitry Kasatkin
1444ee08997fSDmitry Kasatkinconfig CRYPTO_HASH_INFO
1445ee08997fSDmitry Kasatkin	bool
144627bc50fcSLinus Torvalds
14474a329fecSRobert Elliottif !KMSAN # avoid false positives from assembly
14484a329fecSRobert Elliottif ARM
14494a329fecSRobert Elliottsource "arch/arm/crypto/Kconfig"
14504a329fecSRobert Elliottendif
14514a329fecSRobert Elliottif ARM64
14524a329fecSRobert Elliottsource "arch/arm64/crypto/Kconfig"
14532f164822SMin Zhouendif
14542f164822SMin Zhouif LOONGARCH
14552f164822SMin Zhousource "arch/loongarch/crypto/Kconfig"
1456e45f710bSRobert Elliottendif
1457e45f710bSRobert Elliottif MIPS
1458e45f710bSRobert Elliottsource "arch/mips/crypto/Kconfig"
14596a490a4eSRobert Elliottendif
14606a490a4eSRobert Elliottif PPC
14616a490a4eSRobert Elliottsource "arch/powerpc/crypto/Kconfig"
1462178f3856SHeiko Stuebnerendif
1463178f3856SHeiko Stuebnerif RISCV
1464178f3856SHeiko Stuebnersource "arch/riscv/crypto/Kconfig"
1465c9d24c97SRobert Elliottendif
1466c9d24c97SRobert Elliottif S390
1467c9d24c97SRobert Elliottsource "arch/s390/crypto/Kconfig"
14680e9f9ea6SRobert Elliottendif
14690e9f9ea6SRobert Elliottif SPARC
14700e9f9ea6SRobert Elliottsource "arch/sparc/crypto/Kconfig"
147128a936efSRobert Elliottendif
147228a936efSRobert Elliottif X86
147328a936efSRobert Elliottsource "arch/x86/crypto/Kconfig"
147427bc50fcSLinus Torvaldsendif
1475e45f710bSRobert Elliottendif
14761da177e4SLinus Torvalds
14778636a1f9SMasahiro Yamadasource "drivers/crypto/Kconfig"
14788636a1f9SMasahiro Yamadasource "crypto/asymmetric_keys/Kconfig"
14791da177e4SLinus Torvaldssource "certs/Kconfig"
1480cce9e06dSHerbert Xu
1481endif	# if CRYPTO
1482