1b2441318SGreg Kroah-Hartman# SPDX-License-Identifier: GPL-2.0 21da177e4SLinus Torvalds# 3685784aaSDan Williams# Generic algorithms support 4685784aaSDan Williams# 5685784aaSDan Williamsconfig XOR_BLOCKS 6685784aaSDan Williams tristate 7685784aaSDan Williams 8685784aaSDan Williams# 99bc89cd8SDan Williams# async_tx api: hardware offloaded memory transfer/transform support 109bc89cd8SDan Williams# 119bc89cd8SDan Williamssource "crypto/async_tx/Kconfig" 129bc89cd8SDan Williams 139bc89cd8SDan Williams# 141da177e4SLinus Torvalds# Cryptographic API Configuration 151da177e4SLinus Torvalds# 162e290f43SJan Engelhardtmenuconfig CRYPTO 17c3715cb9SSebastian Siewior tristate "Cryptographic API" 187033b937SEric Biggers select CRYPTO_LIB_UTILS 191da177e4SLinus Torvalds help 201da177e4SLinus Torvalds This option provides the core Cryptographic API. 211da177e4SLinus Torvalds 22cce9e06dSHerbert Xuif CRYPTO 23cce9e06dSHerbert Xu 24f1f142adSRobert Elliottmenu "Crypto core or helper" 25584fffc8SSebastian Siewior 26ccb778e1SNeil Hormanconfig CRYPTO_FIPS 27ccb778e1SNeil Horman bool "FIPS 200 compliance" 28f2c89a10SHerbert Xu depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS 291f696097SAlec Ari depends on (MODULE_SIG || !MODULES) 30ccb778e1SNeil Horman help 31d99324c2SGeert Uytterhoeven This option enables the fips boot option which is 32d99324c2SGeert Uytterhoeven required if you want the system to operate in a FIPS 200 33ccb778e1SNeil Horman certification. You should say no unless you know what 34e84c5480SChuck Ebbert this is. 35ccb778e1SNeil Horman 365a44749fSVladis Dronovconfig CRYPTO_FIPS_NAME 375a44749fSVladis Dronov string "FIPS Module Name" 385a44749fSVladis Dronov default "Linux Kernel Cryptographic API" 395a44749fSVladis Dronov depends on CRYPTO_FIPS 405a44749fSVladis Dronov help 415a44749fSVladis Dronov This option sets the FIPS Module name reported by the Crypto API via 425a44749fSVladis Dronov the /proc/sys/crypto/fips_name file. 435a44749fSVladis Dronov 445a44749fSVladis Dronovconfig CRYPTO_FIPS_CUSTOM_VERSION 455a44749fSVladis Dronov bool "Use Custom FIPS Module Version" 465a44749fSVladis Dronov depends on CRYPTO_FIPS 475a44749fSVladis Dronov default n 485a44749fSVladis Dronov 495a44749fSVladis Dronovconfig CRYPTO_FIPS_VERSION 505a44749fSVladis Dronov string "FIPS Module Version" 515a44749fSVladis Dronov default "(none)" 525a44749fSVladis Dronov depends on CRYPTO_FIPS_CUSTOM_VERSION 535a44749fSVladis Dronov help 545a44749fSVladis Dronov This option provides the ability to override the FIPS Module Version. 555a44749fSVladis Dronov By default the KERNELRELEASE value is used. 565a44749fSVladis Dronov 57cce9e06dSHerbert Xuconfig CRYPTO_ALGAPI 58cce9e06dSHerbert Xu tristate 596a0fcbb4SHerbert Xu select CRYPTO_ALGAPI2 60cce9e06dSHerbert Xu help 61cce9e06dSHerbert Xu This option provides the API for cryptographic algorithms. 62cce9e06dSHerbert Xu 636a0fcbb4SHerbert Xuconfig CRYPTO_ALGAPI2 646a0fcbb4SHerbert Xu tristate 656a0fcbb4SHerbert Xu 661ae97820SHerbert Xuconfig CRYPTO_AEAD 671ae97820SHerbert Xu tristate 686a0fcbb4SHerbert Xu select CRYPTO_AEAD2 691ae97820SHerbert Xu select CRYPTO_ALGAPI 701ae97820SHerbert Xu 716a0fcbb4SHerbert Xuconfig CRYPTO_AEAD2 726a0fcbb4SHerbert Xu tristate 736a0fcbb4SHerbert Xu select CRYPTO_ALGAPI2 746a0fcbb4SHerbert Xu 756cb8815fSHerbert Xuconfig CRYPTO_SIG 766cb8815fSHerbert Xu tristate 776cb8815fSHerbert Xu select CRYPTO_SIG2 786cb8815fSHerbert Xu select CRYPTO_ALGAPI 796cb8815fSHerbert Xu 806cb8815fSHerbert Xuconfig CRYPTO_SIG2 816cb8815fSHerbert Xu tristate 826cb8815fSHerbert Xu select CRYPTO_ALGAPI2 836cb8815fSHerbert Xu 84b95bba5dSEric Biggersconfig CRYPTO_SKCIPHER 855cde0af2SHerbert Xu tristate 86b95bba5dSEric Biggers select CRYPTO_SKCIPHER2 875cde0af2SHerbert Xu select CRYPTO_ALGAPI 8884534684SHerbert Xu select CRYPTO_ECB 896a0fcbb4SHerbert Xu 90b95bba5dSEric Biggersconfig CRYPTO_SKCIPHER2 916a0fcbb4SHerbert Xu tristate 926a0fcbb4SHerbert Xu select CRYPTO_ALGAPI2 935cde0af2SHerbert Xu 94055bcee3SHerbert Xuconfig CRYPTO_HASH 95055bcee3SHerbert Xu tristate 966a0fcbb4SHerbert Xu select CRYPTO_HASH2 97055bcee3SHerbert Xu select CRYPTO_ALGAPI 98055bcee3SHerbert Xu 996a0fcbb4SHerbert Xuconfig CRYPTO_HASH2 1006a0fcbb4SHerbert Xu tristate 1016a0fcbb4SHerbert Xu select CRYPTO_ALGAPI2 1026a0fcbb4SHerbert Xu 10317f0f4a4SNeil Hormanconfig CRYPTO_RNG 10417f0f4a4SNeil Horman tristate 1056a0fcbb4SHerbert Xu select CRYPTO_RNG2 10617f0f4a4SNeil Horman select CRYPTO_ALGAPI 10717f0f4a4SNeil Horman 1086a0fcbb4SHerbert Xuconfig CRYPTO_RNG2 1096a0fcbb4SHerbert Xu tristate 1106a0fcbb4SHerbert Xu select CRYPTO_ALGAPI2 1116a0fcbb4SHerbert Xu 112401e4238SHerbert Xuconfig CRYPTO_RNG_DEFAULT 113401e4238SHerbert Xu tristate 114401e4238SHerbert Xu select CRYPTO_DRBG_MENU 115401e4238SHerbert Xu 1163c339ab8STadeusz Strukconfig CRYPTO_AKCIPHER2 1173c339ab8STadeusz Struk tristate 1183c339ab8STadeusz Struk select CRYPTO_ALGAPI2 1193c339ab8STadeusz Struk 1203c339ab8STadeusz Strukconfig CRYPTO_AKCIPHER 1213c339ab8STadeusz Struk tristate 1223c339ab8STadeusz Struk select CRYPTO_AKCIPHER2 1233c339ab8STadeusz Struk select CRYPTO_ALGAPI 1243c339ab8STadeusz Struk 1254e5f2c40SSalvatore Benedettoconfig CRYPTO_KPP2 1264e5f2c40SSalvatore Benedetto tristate 1274e5f2c40SSalvatore Benedetto select CRYPTO_ALGAPI2 1284e5f2c40SSalvatore Benedetto 1294e5f2c40SSalvatore Benedettoconfig CRYPTO_KPP 1304e5f2c40SSalvatore Benedetto tristate 1314e5f2c40SSalvatore Benedetto select CRYPTO_ALGAPI 1324e5f2c40SSalvatore Benedetto select CRYPTO_KPP2 1334e5f2c40SSalvatore Benedetto 1342ebda74fSGiovanni Cabidduconfig CRYPTO_ACOMP2 1352ebda74fSGiovanni Cabiddu tristate 1362ebda74fSGiovanni Cabiddu select CRYPTO_ALGAPI2 1378cd579d2SBart Van Assche select SGL_ALLOC 1382ebda74fSGiovanni Cabiddu 1392ebda74fSGiovanni Cabidduconfig CRYPTO_ACOMP 1402ebda74fSGiovanni Cabiddu tristate 1412ebda74fSGiovanni Cabiddu select CRYPTO_ALGAPI 1422ebda74fSGiovanni Cabiddu select CRYPTO_ACOMP2 1432ebda74fSGiovanni Cabiddu 1442b8c19dbSHerbert Xuconfig CRYPTO_MANAGER 1452b8c19dbSHerbert Xu tristate "Cryptographic algorithm manager" 1466a0fcbb4SHerbert Xu select CRYPTO_MANAGER2 1472b8c19dbSHerbert Xu help 1482b8c19dbSHerbert Xu Create default cryptographic template instantiations such as 1492b8c19dbSHerbert Xu cbc(aes). 1502b8c19dbSHerbert Xu 1516a0fcbb4SHerbert Xuconfig CRYPTO_MANAGER2 1526a0fcbb4SHerbert Xu def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y) 1532ebda74fSGiovanni Cabiddu select CRYPTO_ACOMP2 154fb28fabfSHerbert Xu select CRYPTO_AEAD2 155fb28fabfSHerbert Xu select CRYPTO_AKCIPHER2 1566cb8815fSHerbert Xu select CRYPTO_SIG2 157fb28fabfSHerbert Xu select CRYPTO_HASH2 158fb28fabfSHerbert Xu select CRYPTO_KPP2 159fb28fabfSHerbert Xu select CRYPTO_RNG2 160fb28fabfSHerbert Xu select CRYPTO_SKCIPHER2 1616a0fcbb4SHerbert Xu 162a38f7907SSteffen Klassertconfig CRYPTO_USER 163a38f7907SSteffen Klassert tristate "Userspace cryptographic algorithm configuration" 1645db017aaSHerbert Xu depends on NET 165a38f7907SSteffen Klassert select CRYPTO_MANAGER 166a38f7907SSteffen Klassert help 167d19978f5SValdis.Kletnieks@vt.edu Userspace configuration for cryptographic instantiations such as 168a38f7907SSteffen Klassert cbc(aes). 169a38f7907SSteffen Klassert 170326a6346SHerbert Xuconfig CRYPTO_MANAGER_DISABLE_TESTS 171326a6346SHerbert Xu bool "Disable run-time self tests" 17200ca28a5SHerbert Xu default y 1730b767f96SAlexander Shishkin help 174326a6346SHerbert Xu Disable run-time self tests that normally take place at 175326a6346SHerbert Xu algorithm registration. 1760b767f96SAlexander Shishkin 1775b2706a4SEric Biggersconfig CRYPTO_MANAGER_EXTRA_TESTS 1785b2706a4SEric Biggers bool "Enable extra run-time crypto self tests" 1796569e309SJason A. Donenfeld depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER 1805b2706a4SEric Biggers help 1815b2706a4SEric Biggers Enable extra run-time self tests of registered crypto algorithms, 1825b2706a4SEric Biggers including randomized fuzz tests. 1835b2706a4SEric Biggers 1845b2706a4SEric Biggers This is intended for developer use only, as these tests take much 1855b2706a4SEric Biggers longer to run than the normal self tests. 1865b2706a4SEric Biggers 187584fffc8SSebastian Siewiorconfig CRYPTO_NULL 188584fffc8SSebastian Siewior tristate "Null algorithms" 189149a3971SHerbert Xu select CRYPTO_NULL2 190584fffc8SSebastian Siewior help 191584fffc8SSebastian Siewior These are 'Null' algorithms, used by IPsec, which do nothing. 192584fffc8SSebastian Siewior 193149a3971SHerbert Xuconfig CRYPTO_NULL2 194dd43c4e9SHerbert Xu tristate 195149a3971SHerbert Xu select CRYPTO_ALGAPI2 196b95bba5dSEric Biggers select CRYPTO_SKCIPHER2 197149a3971SHerbert Xu select CRYPTO_HASH2 198149a3971SHerbert Xu 1995068c7a8SSteffen Klassertconfig CRYPTO_PCRYPT 2003b4afaf2SKees Cook tristate "Parallel crypto engine" 2013b4afaf2SKees Cook depends on SMP 2025068c7a8SSteffen Klassert select PADATA 2035068c7a8SSteffen Klassert select CRYPTO_MANAGER 2045068c7a8SSteffen Klassert select CRYPTO_AEAD 2055068c7a8SSteffen Klassert help 2065068c7a8SSteffen Klassert This converts an arbitrary crypto algorithm into a parallel 2075068c7a8SSteffen Klassert algorithm that executes in kernel threads. 2085068c7a8SSteffen Klassert 209584fffc8SSebastian Siewiorconfig CRYPTO_CRYPTD 210584fffc8SSebastian Siewior tristate "Software async crypto daemon" 211b95bba5dSEric Biggers select CRYPTO_SKCIPHER 212b8a28251SLoc Ho select CRYPTO_HASH 213584fffc8SSebastian Siewior select CRYPTO_MANAGER 214584fffc8SSebastian Siewior help 215584fffc8SSebastian Siewior This is a generic software asynchronous crypto daemon that 216584fffc8SSebastian Siewior converts an arbitrary synchronous software crypto algorithm 217584fffc8SSebastian Siewior into an asynchronous algorithm that executes in a kernel thread. 218584fffc8SSebastian Siewior 219584fffc8SSebastian Siewiorconfig CRYPTO_AUTHENC 220584fffc8SSebastian Siewior tristate "Authenc support" 221584fffc8SSebastian Siewior select CRYPTO_AEAD 222b95bba5dSEric Biggers select CRYPTO_SKCIPHER 223584fffc8SSebastian Siewior select CRYPTO_MANAGER 224584fffc8SSebastian Siewior select CRYPTO_HASH 225e94c6a7aSHerbert Xu select CRYPTO_NULL 226584fffc8SSebastian Siewior help 227584fffc8SSebastian Siewior Authenc: Combined mode wrapper for IPsec. 228cf514b2aSRobert Elliott 229cf514b2aSRobert Elliott This is required for IPSec ESP (XFRM_ESP). 230584fffc8SSebastian Siewior 231584fffc8SSebastian Siewiorconfig CRYPTO_TEST 232584fffc8SSebastian Siewior tristate "Testing module" 23300ea27f1SArd Biesheuvel depends on m || EXPERT 234da7f033dSHerbert Xu select CRYPTO_MANAGER 235584fffc8SSebastian Siewior help 236584fffc8SSebastian Siewior Quick & dirty crypto test module. 237584fffc8SSebastian Siewior 238266d0516SHerbert Xuconfig CRYPTO_SIMD 239266d0516SHerbert Xu tristate 240266d0516SHerbert Xu select CRYPTO_CRYPTD 241266d0516SHerbert Xu 242735d37b5SBaolin Wangconfig CRYPTO_ENGINE 243735d37b5SBaolin Wang tristate 244735d37b5SBaolin Wang 245f1f142adSRobert Elliottendmenu 246f1f142adSRobert Elliott 247f1f142adSRobert Elliottmenu "Public-key cryptography" 2483d6228a5SVitaly Chikunov 2493d6228a5SVitaly Chikunovconfig CRYPTO_RSA 25005b37465SRobert Elliott tristate "RSA (Rivest-Shamir-Adleman)" 2513d6228a5SVitaly Chikunov select CRYPTO_AKCIPHER 2523d6228a5SVitaly Chikunov select CRYPTO_MANAGER 2533d6228a5SVitaly Chikunov select CRYPTO_SIG 2543d6228a5SVitaly Chikunov select MPILIB 2553d6228a5SVitaly Chikunov select ASN1 25605b37465SRobert Elliott help 2573d6228a5SVitaly Chikunov RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017) 2583d6228a5SVitaly Chikunov 25905b37465SRobert Elliottconfig CRYPTO_DH 2603d6228a5SVitaly Chikunov tristate "DH (Diffie-Hellman)" 2613d6228a5SVitaly Chikunov select CRYPTO_KPP 2623d6228a5SVitaly Chikunov select MPILIB 26305b37465SRobert Elliott help 2643d6228a5SVitaly Chikunov DH (Diffie-Hellman) key exchange algorithm 2657dce5981SNicolai Stange 26605b37465SRobert Elliottconfig CRYPTO_DH_RFC7919_GROUPS 2677dce5981SNicolai Stange bool "RFC 7919 FFDHE groups" 2681e207964SNicolai Stange depends on CRYPTO_DH 2697dce5981SNicolai Stange select CRYPTO_RNG_DEFAULT 27005b37465SRobert Elliott help 27105b37465SRobert Elliott FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups 27205b37465SRobert Elliott defined in RFC7919. 27305b37465SRobert Elliott 27405b37465SRobert Elliott Support these finite-field groups in DH key exchanges: 27505b37465SRobert Elliott - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 27605b37465SRobert Elliott 2777dce5981SNicolai Stange If unsure, say N. 2784a2289daSVitaly Chikunov 2794a2289daSVitaly Chikunovconfig CRYPTO_ECC 28038aa192aSArnd Bergmann tristate 2814a2289daSVitaly Chikunov select CRYPTO_RNG_DEFAULT 2823d6228a5SVitaly Chikunov 28305b37465SRobert Elliottconfig CRYPTO_ECDH 2844a2289daSVitaly Chikunov tristate "ECDH (Elliptic Curve Diffie-Hellman)" 2853d6228a5SVitaly Chikunov select CRYPTO_ECC 2863d6228a5SVitaly Chikunov select CRYPTO_KPP 28705b37465SRobert Elliott help 28805b37465SRobert Elliott ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm 2893d6228a5SVitaly Chikunov using curves P-192, P-256, and P-384 (FIPS 186) 2904e660291SStefan Berger 29105b37465SRobert Elliottconfig CRYPTO_ECDSA 2924e660291SStefan Berger tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)" 2934e660291SStefan Berger select CRYPTO_ECC 2944e660291SStefan Berger select CRYPTO_SIG 2954e660291SStefan Berger select ASN1 29605b37465SRobert Elliott help 29705b37465SRobert Elliott ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186, 29805b37465SRobert Elliott ISO/IEC 14888-3) 29905b37465SRobert Elliott using curves P-192, P-256, P-384 and P-521 30005b37465SRobert Elliott 3014e660291SStefan Berger Only signature verification is implemented. 3020d7a7864SVitaly Chikunov 30305b37465SRobert Elliottconfig CRYPTO_ECRDSA 3040d7a7864SVitaly Chikunov tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)" 3050d7a7864SVitaly Chikunov select CRYPTO_ECC 3060d7a7864SVitaly Chikunov select CRYPTO_SIG 3071036633eSVitaly Chikunov select CRYPTO_STREEBOG 3081036633eSVitaly Chikunov select OID_REGISTRY 3090d7a7864SVitaly Chikunov select ASN1 3100d7a7864SVitaly Chikunov help 31105b37465SRobert Elliott Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012, 31205b37465SRobert Elliott RFC 7091, ISO/IEC 14888-3) 31305b37465SRobert Elliott 31405b37465SRobert Elliott One of the Russian cryptographic standard algorithms (called GOST 3150d7a7864SVitaly Chikunov algorithms). Only signature verification is implemented. 316ee772cb6SArd Biesheuvel 31705b37465SRobert Elliottconfig CRYPTO_CURVE25519 318ee772cb6SArd Biesheuvel tristate "Curve25519" 319ee772cb6SArd Biesheuvel select CRYPTO_KPP 32005b37465SRobert Elliott select CRYPTO_LIB_CURVE25519_GENERIC 32105b37465SRobert Elliott help 322ee772cb6SArd Biesheuvel Curve25519 elliptic curve (RFC7748) 323f1f142adSRobert Elliott 324584fffc8SSebastian Siewiorendmenu 325f1f142adSRobert Elliott 3261da177e4SLinus Torvaldsmenu "Block ciphers" 3271da177e4SLinus Torvalds 328cf514b2aSRobert Elliottconfig CRYPTO_AES 329cce9e06dSHerbert Xu tristate "AES (Advanced Encryption Standard)" 3305bb12d78SArd Biesheuvel select CRYPTO_ALGAPI 3311da177e4SLinus Torvalds select CRYPTO_LIB_AES 332cf514b2aSRobert Elliott help 3331da177e4SLinus Torvalds AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3) 3341da177e4SLinus Torvalds 3351da177e4SLinus Torvalds Rijndael appears to be consistently a very good performer in 3361da177e4SLinus Torvalds both hardware and software across a wide range of computing 3371da177e4SLinus Torvalds environments regardless of its use in feedback or non-feedback 3381da177e4SLinus Torvalds modes. Its key setup time is excellent, and its key agility is 3391da177e4SLinus Torvalds good. Rijndael's very low memory requirements make it very well 3401da177e4SLinus Torvalds suited for restricted-space environments, in which it also 3411da177e4SLinus Torvalds demonstrates excellent performance. Rijndael's operations are 3421da177e4SLinus Torvalds among the easiest to defend against power and timing attacks. 3431da177e4SLinus Torvalds 3441da177e4SLinus Torvalds The AES specifies three key sizes: 128, 192 and 256 bits 345b5e0b032SArd Biesheuvel 346cf514b2aSRobert Elliottconfig CRYPTO_AES_TI 347b5e0b032SArd Biesheuvel tristate "AES (Advanced Encryption Standard) (fixed time)" 348e59c1c98SArd Biesheuvel select CRYPTO_ALGAPI 349b5e0b032SArd Biesheuvel select CRYPTO_LIB_AES 350cf514b2aSRobert Elliott help 351cf514b2aSRobert Elliott AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3) 352b5e0b032SArd Biesheuvel 353b5e0b032SArd Biesheuvel This is a generic implementation of AES that attempts to eliminate 354b5e0b032SArd Biesheuvel data dependent latencies as much as possible without affecting 355b5e0b032SArd Biesheuvel performance too much. It is intended for use by the generic CCM 356b5e0b032SArd Biesheuvel and GCM drivers, and other CTR or CMAC/XCBC based modes that rely 357b5e0b032SArd Biesheuvel solely on encryption (although decryption is supported as well, but 358b5e0b032SArd Biesheuvel with a more dramatic performance hit) 359b5e0b032SArd Biesheuvel 360b5e0b032SArd Biesheuvel Instead of using 16 lookup tables of 1 KB each, (8 for encryption and 361b5e0b032SArd Biesheuvel 8 for decryption), this implementation only uses just two S-boxes of 362b5e0b032SArd Biesheuvel 256 bytes each, and attempts to eliminate data dependent latencies by 3630a6a40c2SEric Biggers prefetching the entire table into the cache at the start of each 3640a6a40c2SEric Biggers block. Interrupts are also disabled to avoid races where cachelines 365b5e0b032SArd Biesheuvel are evicted when the CPU is interrupted to do something else. 3661da177e4SLinus Torvalds 367cf514b2aSRobert Elliottconfig CRYPTO_ANUBIS 3681674aea5SArd Biesheuvel tristate "Anubis" 369cce9e06dSHerbert Xu depends on CRYPTO_USER_API_ENABLE_OBSOLETE 3701da177e4SLinus Torvalds select CRYPTO_ALGAPI 371cf514b2aSRobert Elliott help 3721da177e4SLinus Torvalds Anubis cipher algorithm 3731da177e4SLinus Torvalds 3741da177e4SLinus Torvalds Anubis is a variable key length cipher which can use keys from 3751da177e4SLinus Torvalds 128 bits to 320 bits in length. It was evaluated as a entrant 3761da177e4SLinus Torvalds in the NESSIE competition. 377cf514b2aSRobert Elliott 378cf514b2aSRobert Elliott See https://web.archive.org/web/20160606112246/http://www.larc.usp.br/~pbarreto/AnubisPage.html 3791da177e4SLinus Torvalds for further information. 380f1f142adSRobert Elliott 381cf514b2aSRobert Elliottconfig CRYPTO_ARIA 382f1f142adSRobert Elliott tristate "ARIA" 383e2ee95b8SHye-Shik Chang select CRYPTO_ALGAPI 384cf514b2aSRobert Elliott help 385e2ee95b8SHye-Shik Chang ARIA cipher algorithm (RFC5794) 386f1f142adSRobert Elliott 387f1f142adSRobert Elliott ARIA is a standard encryption algorithm of the Republic of Korea. 388f1f142adSRobert Elliott The ARIA specifies three key sizes and rounds. 389f1f142adSRobert Elliott 128-bit: 12 rounds. 390f1f142adSRobert Elliott 192-bit: 14 rounds. 391f1f142adSRobert Elliott 256-bit: 16 rounds. 392cf514b2aSRobert Elliott 393cf514b2aSRobert Elliott See: 394584fffc8SSebastian Siewior https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do 395584fffc8SSebastian Siewior 396cf514b2aSRobert Elliottconfig CRYPTO_BLOWFISH 397584fffc8SSebastian Siewior tristate "Blowfish" 39852ba867cSJussi Kivilinna select CRYPTO_ALGAPI 399584fffc8SSebastian Siewior select CRYPTO_BLOWFISH_COMMON 400cf514b2aSRobert Elliott help 401584fffc8SSebastian Siewior Blowfish cipher algorithm, by Bruce Schneier 402584fffc8SSebastian Siewior 403584fffc8SSebastian Siewior This is a variable key length cipher which can use keys from 32 404584fffc8SSebastian Siewior bits to 448 bits in length. It's fast, simple and specifically 405e2ee95b8SHye-Shik Chang designed for use on "large microprocessors". 406cf514b2aSRobert Elliott 407584fffc8SSebastian Siewior See https://www.schneier.com/blowfish.html for further information. 40852ba867cSJussi Kivilinna 40952ba867cSJussi Kivilinnaconfig CRYPTO_BLOWFISH_COMMON 41052ba867cSJussi Kivilinna tristate 41152ba867cSJussi Kivilinna help 41252ba867cSJussi Kivilinna Common parts of the Blowfish cipher algorithm shared by the 41352ba867cSJussi Kivilinna generic c and the assembler implementations. 414584fffc8SSebastian Siewior 415cf514b2aSRobert Elliottconfig CRYPTO_CAMELLIA 416584fffc8SSebastian Siewior tristate "Camellia" 417584fffc8SSebastian Siewior select CRYPTO_ALGAPI 418cf514b2aSRobert Elliott help 419584fffc8SSebastian Siewior Camellia cipher algorithms (ISO/IEC 18033-3) 420584fffc8SSebastian Siewior 421584fffc8SSebastian Siewior Camellia is a symmetric key block cipher developed jointly 422584fffc8SSebastian Siewior at NTT and Mitsubishi Electric Corporation. 423584fffc8SSebastian Siewior 424584fffc8SSebastian Siewior The Camellia specifies three key sizes: 128, 192 and 256 bits. 425cf514b2aSRobert Elliott 426584fffc8SSebastian Siewior See https://info.isl.ntt.co.jp/crypt/eng/camellia/ for further information. 427044ab525SJussi Kivilinna 428044ab525SJussi Kivilinnaconfig CRYPTO_CAST_COMMON 429044ab525SJussi Kivilinna tristate 430044ab525SJussi Kivilinna help 431044ab525SJussi Kivilinna Common parts of the CAST cipher algorithms shared by the 432044ab525SJussi Kivilinna generic c and the assembler implementations. 433584fffc8SSebastian Siewior 434cf514b2aSRobert Elliottconfig CRYPTO_CAST5 435584fffc8SSebastian Siewior tristate "CAST5 (CAST-128)" 436044ab525SJussi Kivilinna select CRYPTO_ALGAPI 437584fffc8SSebastian Siewior select CRYPTO_CAST_COMMON 438cf514b2aSRobert Elliott help 439584fffc8SSebastian Siewior CAST5 (CAST-128) cipher algorithm (RFC2144, ISO/IEC 18033-3) 440584fffc8SSebastian Siewior 441cf514b2aSRobert Elliottconfig CRYPTO_CAST6 442584fffc8SSebastian Siewior tristate "CAST6 (CAST-256)" 443044ab525SJussi Kivilinna select CRYPTO_ALGAPI 444584fffc8SSebastian Siewior select CRYPTO_CAST_COMMON 445cf514b2aSRobert Elliott help 446584fffc8SSebastian Siewior CAST6 (CAST-256) encryption algorithm (RFC2612) 447584fffc8SSebastian Siewior 448cf514b2aSRobert Elliottconfig CRYPTO_DES 449584fffc8SSebastian Siewior tristate "DES and Triple DES EDE" 45004007b0eSArd Biesheuvel select CRYPTO_ALGAPI 451584fffc8SSebastian Siewior select CRYPTO_LIB_DES 452cf514b2aSRobert Elliott help 453cf514b2aSRobert Elliott DES (Data Encryption Standard)(FIPS 46-2, ISO/IEC 18033-3) and 454cf514b2aSRobert Elliott Triple DES EDE (Encrypt/Decrypt/Encrypt) (FIPS 46-3, ISO/IEC 18033-3) 455584fffc8SSebastian Siewior cipher algorithms 456584fffc8SSebastian Siewior 457cf514b2aSRobert Elliottconfig CRYPTO_FCRYPT 458584fffc8SSebastian Siewior tristate "FCrypt" 459b95bba5dSEric Biggers select CRYPTO_ALGAPI 460584fffc8SSebastian Siewior select CRYPTO_SKCIPHER 461cf514b2aSRobert Elliott help 462cf514b2aSRobert Elliott FCrypt algorithm used by RxRPC 463cf514b2aSRobert Elliott 464584fffc8SSebastian Siewior See https://ota.polyonymo.us/fcrypt-paper.txt 465584fffc8SSebastian Siewior 466cf514b2aSRobert Elliottconfig CRYPTO_KHAZAD 4671674aea5SArd Biesheuvel tristate "Khazad" 468584fffc8SSebastian Siewior depends on CRYPTO_USER_API_ENABLE_OBSOLETE 469584fffc8SSebastian Siewior select CRYPTO_ALGAPI 470cf514b2aSRobert Elliott help 471584fffc8SSebastian Siewior Khazad cipher algorithm 472584fffc8SSebastian Siewior 473584fffc8SSebastian Siewior Khazad was a finalist in the initial NESSIE competition. It is 474584fffc8SSebastian Siewior an algorithm optimized for 64-bit processors with good performance 475584fffc8SSebastian Siewior on 32-bit processors. Khazad uses an 128 bit key size. 476cf514b2aSRobert Elliott 477cf514b2aSRobert Elliott See https://web.archive.org/web/20171011071731/http://www.larc.usp.br/~pbarreto/KhazadPage.html 478e2ee95b8SHye-Shik Chang for further information. 479584fffc8SSebastian Siewior 480cf514b2aSRobert Elliottconfig CRYPTO_SEED 4811674aea5SArd Biesheuvel tristate "SEED" 482584fffc8SSebastian Siewior depends on CRYPTO_USER_API_ENABLE_OBSOLETE 483584fffc8SSebastian Siewior select CRYPTO_ALGAPI 484cf514b2aSRobert Elliott help 485584fffc8SSebastian Siewior SEED cipher algorithm (RFC4269, ISO/IEC 18033-3) 486584fffc8SSebastian Siewior 487584fffc8SSebastian Siewior SEED is a 128-bit symmetric key block cipher that has been 488584fffc8SSebastian Siewior developed by KISA (Korea Information Security Agency) as a 489584fffc8SSebastian Siewior national standard encryption algorithm of the Republic of Korea. 490584fffc8SSebastian Siewior It is a 16 round block cipher with the key size of 128 bit. 491cf514b2aSRobert Elliott 492cf514b2aSRobert Elliott See https://seed.kisa.or.kr/kisa/algorithm/EgovSeedInfo.do 493584fffc8SSebastian Siewior for further information. 494584fffc8SSebastian Siewior 495cf514b2aSRobert Elliottconfig CRYPTO_SERPENT 496584fffc8SSebastian Siewior tristate "Serpent" 497584fffc8SSebastian Siewior select CRYPTO_ALGAPI 498cf514b2aSRobert Elliott help 499584fffc8SSebastian Siewior Serpent cipher algorithm, by Anderson, Biham & Knudsen 500584fffc8SSebastian Siewior 501784506a1SArd Biesheuvel Keys are allowed to be from 0 to 256 bits in length, in steps 502584fffc8SSebastian Siewior of 8 bits. 503cf514b2aSRobert Elliott 504584fffc8SSebastian Siewior See https://www.cl.cam.ac.uk/~rja14/serpent.html for further information. 505747c8ce4SGilad Ben-Yossef 506d2825fa9SJason A. Donenfeldconfig CRYPTO_SM4 507d2825fa9SJason A. Donenfeld tristate 508d2825fa9SJason A. Donenfeld 509cf514b2aSRobert Elliottconfig CRYPTO_SM4_GENERIC 510747c8ce4SGilad Ben-Yossef tristate "SM4 (ShangMi 4)" 511d2825fa9SJason A. Donenfeld select CRYPTO_ALGAPI 512747c8ce4SGilad Ben-Yossef select CRYPTO_SM4 513cf514b2aSRobert Elliott help 514cf514b2aSRobert Elliott SM4 cipher algorithms (OSCCA GB/T 32907-2016, 515747c8ce4SGilad Ben-Yossef ISO/IEC 18033-3:2010/Amd 1:2021) 516747c8ce4SGilad Ben-Yossef 517747c8ce4SGilad Ben-Yossef SM4 (GBT.32907-2016) is a cryptographic standard issued by the 518747c8ce4SGilad Ben-Yossef Organization of State Commercial Administration of China (OSCCA) 519747c8ce4SGilad Ben-Yossef as an authorized cryptographic algorithms for the use within China. 520747c8ce4SGilad Ben-Yossef 521747c8ce4SGilad Ben-Yossef SMS4 was originally created for use in protecting wireless 522747c8ce4SGilad Ben-Yossef networks, and is mandated in the Chinese National Standard for 523747c8ce4SGilad Ben-Yossef Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure) 524747c8ce4SGilad Ben-Yossef (GB.15629.11-2003). 525747c8ce4SGilad Ben-Yossef 526747c8ce4SGilad Ben-Yossef The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and 527747c8ce4SGilad Ben-Yossef standardized through TC 260 of the Standardization Administration 528747c8ce4SGilad Ben-Yossef of the People's Republic of China (SAC). 529747c8ce4SGilad Ben-Yossef 530747c8ce4SGilad Ben-Yossef The input, output, and key of SMS4 are each 128 bits. 531cf514b2aSRobert Elliott 532747c8ce4SGilad Ben-Yossef See https://eprint.iacr.org/2008/329.pdf for further information. 533747c8ce4SGilad Ben-Yossef 534747c8ce4SGilad Ben-Yossef If unsure, say N. 535584fffc8SSebastian Siewior 536cf514b2aSRobert Elliottconfig CRYPTO_TEA 5371674aea5SArd Biesheuvel tristate "TEA, XTEA and XETA" 538584fffc8SSebastian Siewior depends on CRYPTO_USER_API_ENABLE_OBSOLETE 539584fffc8SSebastian Siewior select CRYPTO_ALGAPI 540cf514b2aSRobert Elliott help 541584fffc8SSebastian Siewior TEA (Tiny Encryption Algorithm) cipher algorithms 542584fffc8SSebastian Siewior 543584fffc8SSebastian Siewior Tiny Encryption Algorithm is a simple cipher that uses 544584fffc8SSebastian Siewior many rounds for security. It is very fast and uses 545584fffc8SSebastian Siewior little memory. 546584fffc8SSebastian Siewior 547584fffc8SSebastian Siewior Xtendend Tiny Encryption Algorithm is a modification to 548584fffc8SSebastian Siewior the TEA algorithm to address a potential key weakness 549584fffc8SSebastian Siewior in the TEA algorithm. 550584fffc8SSebastian Siewior 551584fffc8SSebastian Siewior Xtendend Encryption Tiny Algorithm is a mis-implementation 552584fffc8SSebastian Siewior of the XTEA algorithm for compatibility purposes. 553584fffc8SSebastian Siewior 554cf514b2aSRobert Elliottconfig CRYPTO_TWOFISH 555584fffc8SSebastian Siewior tristate "Twofish" 556584fffc8SSebastian Siewior select CRYPTO_ALGAPI 557584fffc8SSebastian Siewior select CRYPTO_TWOFISH_COMMON 558cf514b2aSRobert Elliott help 559584fffc8SSebastian Siewior Twofish cipher algorithm 560584fffc8SSebastian Siewior 561584fffc8SSebastian Siewior Twofish was submitted as an AES (Advanced Encryption Standard) 562584fffc8SSebastian Siewior candidate cipher by researchers at CounterPane Systems. It is a 563584fffc8SSebastian Siewior 16 round block cipher supporting key sizes of 128, 192, and 256 564584fffc8SSebastian Siewior bits. 565cf514b2aSRobert Elliott 566584fffc8SSebastian Siewior See https://www.schneier.com/twofish.html for further information. 567584fffc8SSebastian Siewior 568584fffc8SSebastian Siewiorconfig CRYPTO_TWOFISH_COMMON 569584fffc8SSebastian Siewior tristate 570584fffc8SSebastian Siewior help 571584fffc8SSebastian Siewior Common parts of the Twofish cipher algorithm shared by the 572584fffc8SSebastian Siewior generic c and the assembler implementations. 573f1f142adSRobert Elliott 574f1f142adSRobert Elliottendmenu 575f1f142adSRobert Elliott 576f1f142adSRobert Elliottmenu "Length-preserving ciphers and modes" 577f1f142adSRobert Elliott 578cf514b2aSRobert Elliottconfig CRYPTO_ADIANTUM 579f1f142adSRobert Elliott tristate "Adiantum" 580f1f142adSRobert Elliott select CRYPTO_CHACHA20 581f1f142adSRobert Elliott select CRYPTO_LIB_POLY1305_GENERIC 582f1f142adSRobert Elliott select CRYPTO_NHPOLY1305 583f1f142adSRobert Elliott select CRYPTO_MANAGER 584cf514b2aSRobert Elliott help 585cf514b2aSRobert Elliott Adiantum tweakable, length-preserving encryption mode 586cf514b2aSRobert Elliott 587f1f142adSRobert Elliott Designed for fast and secure disk encryption, especially on 588f1f142adSRobert Elliott CPUs without dedicated crypto instructions. It encrypts 589f1f142adSRobert Elliott each sector using the XChaCha12 stream cipher, two passes of 590f1f142adSRobert Elliott an ε-almost-∆-universal hash function, and an invocation of 591f1f142adSRobert Elliott the AES-256 block cipher on a single 16-byte block. On CPUs 592f1f142adSRobert Elliott without AES instructions, Adiantum is much faster than 593f1f142adSRobert Elliott AES-XTS. 594f1f142adSRobert Elliott 595f1f142adSRobert Elliott Adiantum's security is provably reducible to that of its 596f1f142adSRobert Elliott underlying stream and block ciphers, subject to a security 597f1f142adSRobert Elliott bound. Unlike XTS, Adiantum is a true wide-block encryption 598f1f142adSRobert Elliott mode, so it actually provides an even stronger notion of 599f1f142adSRobert Elliott security than XTS, subject to the security bound. 600f1f142adSRobert Elliott 601f1f142adSRobert Elliott If unsure, say N. 602f1f142adSRobert Elliott 603cf514b2aSRobert Elliottconfig CRYPTO_ARC4 604f1f142adSRobert Elliott tristate "ARC4 (Alleged Rivest Cipher 4)" 605f1f142adSRobert Elliott depends on CRYPTO_USER_API_ENABLE_OBSOLETE 606f1f142adSRobert Elliott select CRYPTO_SKCIPHER 607f1f142adSRobert Elliott select CRYPTO_LIB_ARC4 608cf514b2aSRobert Elliott help 609f1f142adSRobert Elliott ARC4 cipher algorithm 610f1f142adSRobert Elliott 611f1f142adSRobert Elliott ARC4 is a stream cipher using keys ranging from 8 bits to 2048 612f1f142adSRobert Elliott bits in length. This algorithm is required for driver-based 613f1f142adSRobert Elliott WEP, but it should not be for other purposes because of the 614f1f142adSRobert Elliott weakness of the algorithm. 615f1f142adSRobert Elliott 616cf514b2aSRobert Elliottconfig CRYPTO_CHACHA20 617f1f142adSRobert Elliott tristate "ChaCha" 618f1f142adSRobert Elliott select CRYPTO_LIB_CHACHA_GENERIC 619f1f142adSRobert Elliott select CRYPTO_SKCIPHER 620cf514b2aSRobert Elliott help 621f1f142adSRobert Elliott The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms 622f1f142adSRobert Elliott 623f1f142adSRobert Elliott ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J. 624cf514b2aSRobert Elliott Bernstein and further specified in RFC7539 for use in IETF protocols. 625cf514b2aSRobert Elliott This is the portable C implementation of ChaCha20. See 626f1f142adSRobert Elliott https://cr.yp.to/chacha/chacha-20080128.pdf for further information. 627f1f142adSRobert Elliott 628f1f142adSRobert Elliott XChaCha20 is the application of the XSalsa20 construction to ChaCha20 629f1f142adSRobert Elliott rather than to Salsa20. XChaCha20 extends ChaCha20's nonce length 630cf514b2aSRobert Elliott from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits, 631cf514b2aSRobert Elliott while provably retaining ChaCha20's security. See 632f1f142adSRobert Elliott https://cr.yp.to/snuffle/xsalsa-20081128.pdf for further information. 633f1f142adSRobert Elliott 634f1f142adSRobert Elliott XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly 635f1f142adSRobert Elliott reduced security margin but increased performance. It can be needed 636f1f142adSRobert Elliott in some performance-sensitive scenarios. 637f1f142adSRobert Elliott 638cf514b2aSRobert Elliottconfig CRYPTO_CBC 639f1f142adSRobert Elliott tristate "CBC (Cipher Block Chaining)" 640f1f142adSRobert Elliott select CRYPTO_SKCIPHER 641f1f142adSRobert Elliott select CRYPTO_MANAGER 642cf514b2aSRobert Elliott help 643cf514b2aSRobert Elliott CBC (Cipher Block Chaining) mode (NIST SP800-38A) 644cf514b2aSRobert Elliott 645f1f142adSRobert Elliott This block cipher mode is required for IPSec ESP (XFRM_ESP). 646f1f142adSRobert Elliott 647cf514b2aSRobert Elliottconfig CRYPTO_CTR 648f1f142adSRobert Elliott tristate "CTR (Counter)" 649f1f142adSRobert Elliott select CRYPTO_SKCIPHER 650f1f142adSRobert Elliott select CRYPTO_MANAGER 651cf514b2aSRobert Elliott help 652f1f142adSRobert Elliott CTR (Counter) mode (NIST SP800-38A) 653f1f142adSRobert Elliott 654cf514b2aSRobert Elliottconfig CRYPTO_CTS 655f1f142adSRobert Elliott tristate "CTS (Cipher Text Stealing)" 656f1f142adSRobert Elliott select CRYPTO_SKCIPHER 657f1f142adSRobert Elliott select CRYPTO_MANAGER 658cf514b2aSRobert Elliott help 659cf514b2aSRobert Elliott CBC-CS3 variant of CTS (Cipher Text Stealing) (NIST 660cf514b2aSRobert Elliott Addendum to SP800-38A (October 2010)) 661f1f142adSRobert Elliott 662f1f142adSRobert Elliott This mode is required for Kerberos gss mechanism support 663f1f142adSRobert Elliott for AES encryption. 664f1f142adSRobert Elliott 665cf514b2aSRobert Elliottconfig CRYPTO_ECB 66684534684SHerbert Xu tristate "ECB (Electronic Codebook)" 667f1f142adSRobert Elliott select CRYPTO_SKCIPHER2 668f1f142adSRobert Elliott select CRYPTO_MANAGER 669cf514b2aSRobert Elliott help 670f1f142adSRobert Elliott ECB (Electronic Codebook) mode (NIST SP800-38A) 671f1f142adSRobert Elliott 672cf514b2aSRobert Elliottconfig CRYPTO_HCTR2 673f1f142adSRobert Elliott tristate "HCTR2" 674f1f142adSRobert Elliott select CRYPTO_XCTR 675f1f142adSRobert Elliott select CRYPTO_POLYVAL 676f1f142adSRobert Elliott select CRYPTO_MANAGER 677cf514b2aSRobert Elliott help 678cf514b2aSRobert Elliott HCTR2 length-preserving encryption mode 679cf514b2aSRobert Elliott 680cf514b2aSRobert Elliott A mode for storage encryption that is efficient on processors with 681cf514b2aSRobert Elliott instructions to accelerate AES and carryless multiplication, e.g. 682cf514b2aSRobert Elliott x86 processors with AES-NI and CLMUL, and ARM processors with the 683cf514b2aSRobert Elliott ARMv8 crypto extensions. 684cf514b2aSRobert Elliott 685f1f142adSRobert Elliott See https://eprint.iacr.org/2021/1441 686f1f142adSRobert Elliott 687cf514b2aSRobert Elliottconfig CRYPTO_KEYWRAP 688f1f142adSRobert Elliott tristate "KW (AES Key Wrap)" 689f1f142adSRobert Elliott select CRYPTO_SKCIPHER 690f1f142adSRobert Elliott select CRYPTO_MANAGER 691cf514b2aSRobert Elliott help 692cf514b2aSRobert Elliott KW (AES Key Wrap) authenticated encryption mode (NIST SP800-38F 693f1f142adSRobert Elliott and RFC3394) without padding. 694f1f142adSRobert Elliott 695cf514b2aSRobert Elliottconfig CRYPTO_LRW 69661c581a4SArd Biesheuvel tristate "LRW (Liskov Rivest Wagner)" 697f1f142adSRobert Elliott select CRYPTO_LIB_GF128MUL 698f1f142adSRobert Elliott select CRYPTO_SKCIPHER 699f1f142adSRobert Elliott select CRYPTO_MANAGER 700f1f142adSRobert Elliott select CRYPTO_ECB 701cf514b2aSRobert Elliott help 702cf514b2aSRobert Elliott LRW (Liskov Rivest Wagner) mode 703cf514b2aSRobert Elliott 704f1f142adSRobert Elliott A tweakable, non malleable, non movable 705f1f142adSRobert Elliott narrow block cipher mode for dm-crypt. Use it with cipher 706f1f142adSRobert Elliott specification string aes-lrw-benbi, the key must be 256, 320 or 384. 707f1f142adSRobert Elliott The first 128, 192 or 256 bits in the key are used for AES and the 708f1f142adSRobert Elliott rest is used to tie each cipher block to its logical position. 709cf514b2aSRobert Elliott 710cf514b2aSRobert Elliott See https://people.csail.mit.edu/rivest/pubs/LRW02.pdf 711f1f142adSRobert Elliott 712cf514b2aSRobert Elliottconfig CRYPTO_PCBC 713f1f142adSRobert Elliott tristate "PCBC (Propagating Cipher Block Chaining)" 714f1f142adSRobert Elliott select CRYPTO_SKCIPHER 715f1f142adSRobert Elliott select CRYPTO_MANAGER 716cf514b2aSRobert Elliott help 717cf514b2aSRobert Elliott PCBC (Propagating Cipher Block Chaining) mode 718cf514b2aSRobert Elliott 719f1f142adSRobert Elliott This block cipher mode is required for RxRPC. 720f1f142adSRobert Elliott 721f1f142adSRobert Elliottconfig CRYPTO_XCTR 722f1f142adSRobert Elliott tristate 723f1f142adSRobert Elliott select CRYPTO_SKCIPHER 724f1f142adSRobert Elliott select CRYPTO_MANAGER 725cf514b2aSRobert Elliott help 726cf514b2aSRobert Elliott XCTR (XOR Counter) mode for HCTR2 727cf514b2aSRobert Elliott 728cf514b2aSRobert Elliott This blockcipher mode is a variant of CTR mode using XORs and little-endian 729cf514b2aSRobert Elliott addition rather than big-endian arithmetic. 730f1f142adSRobert Elliott 731f1f142adSRobert Elliott XCTR mode is used to implement HCTR2. 732f1f142adSRobert Elliott 733cf514b2aSRobert Elliottconfig CRYPTO_XTS 734f1f142adSRobert Elliott tristate "XTS (XOR Encrypt XOR with ciphertext stealing)" 735f1f142adSRobert Elliott select CRYPTO_SKCIPHER 736f1f142adSRobert Elliott select CRYPTO_MANAGER 737f1f142adSRobert Elliott select CRYPTO_ECB 738cf514b2aSRobert Elliott help 739cf514b2aSRobert Elliott XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E 740cf514b2aSRobert Elliott and IEEE 1619) 741cf514b2aSRobert Elliott 742cf514b2aSRobert Elliott Use with aes-xts-plain, key size 256, 384 or 512 bits. This 743cf514b2aSRobert Elliott implementation currently can't handle a sectorsize which is not a 744f1f142adSRobert Elliott multiple of 16 bytes. 745f1f142adSRobert Elliott 746f1f142adSRobert Elliottconfig CRYPTO_NHPOLY1305 747f1f142adSRobert Elliott tristate 748f1f142adSRobert Elliott select CRYPTO_HASH 749f1f142adSRobert Elliott select CRYPTO_LIB_POLY1305_GENERIC 750f1f142adSRobert Elliott 751f1f142adSRobert Elliottendmenu 752f1f142adSRobert Elliott 753f1f142adSRobert Elliottmenu "AEAD (authenticated encryption with associated data) ciphers" 754f1f142adSRobert Elliott 755e3d2eaddSRobert Elliottconfig CRYPTO_AEGIS128 756f1f142adSRobert Elliott tristate "AEGIS-128" 757f1f142adSRobert Elliott select CRYPTO_AEAD 758f1f142adSRobert Elliott select CRYPTO_AES # for AES S-box tables 759e3d2eaddSRobert Elliott help 760f1f142adSRobert Elliott AEGIS-128 AEAD algorithm 761f1f142adSRobert Elliott 762e3d2eaddSRobert Elliottconfig CRYPTO_AEGIS128_SIMD 763f1f142adSRobert Elliott bool "AEGIS-128 (arm NEON, arm64 NEON)" 764f1f142adSRobert Elliott depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON) 765e3d2eaddSRobert Elliott default y 766e3d2eaddSRobert Elliott help 767e3d2eaddSRobert Elliott AEGIS-128 AEAD algorithm 768e3d2eaddSRobert Elliott 769e3d2eaddSRobert Elliott Architecture: arm or arm64 using: 770f1f142adSRobert Elliott - NEON (Advanced SIMD) extension 771f1f142adSRobert Elliott 772e3d2eaddSRobert Elliottconfig CRYPTO_CHACHA20POLY1305 773f1f142adSRobert Elliott tristate "ChaCha20-Poly1305" 774f1f142adSRobert Elliott select CRYPTO_CHACHA20 775f1f142adSRobert Elliott select CRYPTO_POLY1305 776f1f142adSRobert Elliott select CRYPTO_AEAD 777f1f142adSRobert Elliott select CRYPTO_MANAGER 778e3d2eaddSRobert Elliott help 779e3d2eaddSRobert Elliott ChaCha20 stream cipher and Poly1305 authenticator combined 780f1f142adSRobert Elliott mode (RFC8439) 781f1f142adSRobert Elliott 782cf514b2aSRobert Elliottconfig CRYPTO_CCM 783f1f142adSRobert Elliott tristate "CCM (Counter with Cipher Block Chaining-MAC)" 784f1f142adSRobert Elliott select CRYPTO_CTR 785f1f142adSRobert Elliott select CRYPTO_HASH 786f1f142adSRobert Elliott select CRYPTO_AEAD 787f1f142adSRobert Elliott select CRYPTO_MANAGER 788e3d2eaddSRobert Elliott help 789e3d2eaddSRobert Elliott CCM (Counter with Cipher Block Chaining-Message Authentication Code) 790f1f142adSRobert Elliott authenticated encryption mode (NIST SP800-38C) 791f1f142adSRobert Elliott 792cf514b2aSRobert Elliottconfig CRYPTO_GCM 793f1f142adSRobert Elliott tristate "GCM (Galois/Counter Mode) and GMAC (GCM MAC)" 794f1f142adSRobert Elliott select CRYPTO_CTR 795f1f142adSRobert Elliott select CRYPTO_AEAD 796f1f142adSRobert Elliott select CRYPTO_GHASH 797f1f142adSRobert Elliott select CRYPTO_NULL 798f1f142adSRobert Elliott select CRYPTO_MANAGER 799e3d2eaddSRobert Elliott help 800e3d2eaddSRobert Elliott GCM (Galois/Counter Mode) authenticated encryption mode and GMAC 801e3d2eaddSRobert Elliott (GCM Message Authentication Code) (NIST SP800-38D) 802e3d2eaddSRobert Elliott 803f1f142adSRobert Elliott This is required for IPSec ESP (XFRM_ESP). 804ba51738fSHerbert Xu 805ba51738fSHerbert Xuconfig CRYPTO_GENIV 806ba51738fSHerbert Xu tristate 807ba51738fSHerbert Xu select CRYPTO_AEAD 808ba51738fSHerbert Xu select CRYPTO_NULL 809ba51738fSHerbert Xu select CRYPTO_MANAGER 810ba51738fSHerbert Xu select CRYPTO_RNG_DEFAULT 811f1f142adSRobert Elliott 812f1f142adSRobert Elliottconfig CRYPTO_SEQIV 813ba51738fSHerbert Xu tristate "Sequence Number IV Generator" 814f1f142adSRobert Elliott select CRYPTO_GENIV 815e3d2eaddSRobert Elliott help 816e3d2eaddSRobert Elliott Sequence Number IV generator 817f1f142adSRobert Elliott 818e3d2eaddSRobert Elliott This IV generator generates an IV based on a sequence number by 819e3d2eaddSRobert Elliott xoring it with a salt. This algorithm is mainly useful for CTR. 820e3d2eaddSRobert Elliott 821f1f142adSRobert Elliott This is required for IPsec ESP (XFRM_ESP). 822f1f142adSRobert Elliott 823f1f142adSRobert Elliottconfig CRYPTO_ECHAINIV 824ba51738fSHerbert Xu tristate "Encrypted Chain IV Generator" 825f1f142adSRobert Elliott select CRYPTO_GENIV 826e3d2eaddSRobert Elliott help 827e3d2eaddSRobert Elliott Encrypted Chain IV generator 828f1f142adSRobert Elliott 829f1f142adSRobert Elliott This IV generator generates an IV based on the encryption of 830f1f142adSRobert Elliott a sequence number xored with a salt. This is the default 831f1f142adSRobert Elliott algorithm for CBC. 832f1f142adSRobert Elliott 833e3d2eaddSRobert Elliottconfig CRYPTO_ESSIV 834f1f142adSRobert Elliott tristate "Encrypted Salt-Sector IV Generator" 835f1f142adSRobert Elliott select CRYPTO_AUTHENC 836e3d2eaddSRobert Elliott help 837e3d2eaddSRobert Elliott Encrypted Salt-Sector IV generator 838e3d2eaddSRobert Elliott 839f1f142adSRobert Elliott This IV generator is used in some cases by fscrypt and/or 840f1f142adSRobert Elliott dm-crypt. It uses the hash of the block encryption key as the 841f1f142adSRobert Elliott symmetric key for a block encryption pass applied to the input 842f1f142adSRobert Elliott IV, making low entropy IV sources more suitable for block 843f1f142adSRobert Elliott encryption. 844f1f142adSRobert Elliott 845f1f142adSRobert Elliott This driver implements a crypto API template that can be 846f1f142adSRobert Elliott instantiated either as an skcipher or as an AEAD (depending on the 847f1f142adSRobert Elliott type of the first template argument), and which defers encryption 848f1f142adSRobert Elliott and decryption requests to the encapsulated cipher after applying 849f1f142adSRobert Elliott ESSIV to the input IV. Note that in the AEAD case, it is assumed 850f1f142adSRobert Elliott that the keys are presented in the same format used by the authenc 851f1f142adSRobert Elliott template, and that the IV appears at the end of the authenticated 852f1f142adSRobert Elliott associated data (AAD) region (which is how dm-crypt uses it.) 853f1f142adSRobert Elliott 854f1f142adSRobert Elliott Note that the use of ESSIV is not recommended for new deployments, 855f1f142adSRobert Elliott and so this only needs to be enabled when interoperability with 856f1f142adSRobert Elliott existing encrypted volumes of filesystems is required, or when 857f1f142adSRobert Elliott building for a particular system that requires it (e.g., when 858f1f142adSRobert Elliott the SoC in question has accelerated CBC but not XTS, making CBC 859f1f142adSRobert Elliott combined with ESSIV the only feasible mode for h/w accelerated 860f1f142adSRobert Elliott block encryption) 861f1f142adSRobert Elliott 862f1f142adSRobert Elliottendmenu 863f1f142adSRobert Elliott 864f1f142adSRobert Elliottmenu "Hashes, digests, and MACs" 865f1f142adSRobert Elliott 8663f342a23SRobert Elliottconfig CRYPTO_BLAKE2B 867f1f142adSRobert Elliott tristate "BLAKE2b" 868f1f142adSRobert Elliott select CRYPTO_HASH 8693f342a23SRobert Elliott help 8703f342a23SRobert Elliott BLAKE2b cryptographic hash function (RFC 7693) 8713f342a23SRobert Elliott 8723f342a23SRobert Elliott BLAKE2b is optimized for 64-bit platforms and can produce digests 873f1f142adSRobert Elliott of any size between 1 and 64 bytes. The keyed hash is also implemented. 874f1f142adSRobert Elliott 875f1f142adSRobert Elliott This module provides the following algorithms: 876f1f142adSRobert Elliott - blake2b-160 877f1f142adSRobert Elliott - blake2b-256 878f1f142adSRobert Elliott - blake2b-384 879f1f142adSRobert Elliott - blake2b-512 8803f342a23SRobert Elliott 8813f342a23SRobert Elliott Used by the btrfs filesystem. 8823f342a23SRobert Elliott 8833f342a23SRobert Elliott See https://blake2.net for further information. 884f1f142adSRobert Elliott 8853f342a23SRobert Elliottconfig CRYPTO_CMAC 886f1f142adSRobert Elliott tristate "CMAC (Cipher-based MAC)" 887f1f142adSRobert Elliott select CRYPTO_HASH 888f1f142adSRobert Elliott select CRYPTO_MANAGER 8893f342a23SRobert Elliott help 8903f342a23SRobert Elliott CMAC (Cipher-based Message Authentication Code) authentication 891f1f142adSRobert Elliott mode (NIST SP800-38B and IETF RFC4493) 892f1f142adSRobert Elliott 8933f342a23SRobert Elliottconfig CRYPTO_GHASH 894f1f142adSRobert Elliott tristate "GHASH" 89561c581a4SArd Biesheuvel select CRYPTO_HASH 896f1f142adSRobert Elliott select CRYPTO_LIB_GF128MUL 8973f342a23SRobert Elliott help 898f1f142adSRobert Elliott GCM GHASH function (NIST SP800-38D) 899f1f142adSRobert Elliott 9003f342a23SRobert Elliottconfig CRYPTO_HMAC 901f1f142adSRobert Elliott tristate "HMAC (Keyed-Hash MAC)" 902f1f142adSRobert Elliott select CRYPTO_HASH 903f1f142adSRobert Elliott select CRYPTO_MANAGER 9043f342a23SRobert Elliott help 9053f342a23SRobert Elliott HMAC (Keyed-Hash Message Authentication Code) (FIPS 198 and 9063f342a23SRobert Elliott RFC2104) 9073f342a23SRobert Elliott 908f1f142adSRobert Elliott This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP). 909f1f142adSRobert Elliott 9103f342a23SRobert Elliottconfig CRYPTO_MD4 911f1f142adSRobert Elliott tristate "MD4" 912f1f142adSRobert Elliott select CRYPTO_HASH 9133f342a23SRobert Elliott help 914f1f142adSRobert Elliott MD4 message digest algorithm (RFC1320) 915f1f142adSRobert Elliott 9163f342a23SRobert Elliottconfig CRYPTO_MD5 917f1f142adSRobert Elliott tristate "MD5" 918f1f142adSRobert Elliott select CRYPTO_HASH 9193f342a23SRobert Elliott help 920f1f142adSRobert Elliott MD5 message digest algorithm (RFC1321) 921f1f142adSRobert Elliott 9223f342a23SRobert Elliottconfig CRYPTO_MICHAEL_MIC 923f1f142adSRobert Elliott tristate "Michael MIC" 924f1f142adSRobert Elliott select CRYPTO_HASH 9253f342a23SRobert Elliott help 9263f342a23SRobert Elliott Michael MIC (Message Integrity Code) (IEEE 802.11i) 9273f342a23SRobert Elliott 9283f342a23SRobert Elliott Defined by the IEEE 802.11i TKIP (Temporal Key Integrity Protocol), 9293f342a23SRobert Elliott known as WPA (Wif-Fi Protected Access). 9303f342a23SRobert Elliott 9313f342a23SRobert Elliott This algorithm is required for TKIP, but it should not be used for 932f1f142adSRobert Elliott other purposes because of the weakness of the algorithm. 933f1f142adSRobert Elliott 934f1f142adSRobert Elliottconfig CRYPTO_POLYVAL 935f1f142adSRobert Elliott tristate 93661c581a4SArd Biesheuvel select CRYPTO_HASH 937f1f142adSRobert Elliott select CRYPTO_LIB_GF128MUL 9383f342a23SRobert Elliott help 9393f342a23SRobert Elliott POLYVAL hash function for HCTR2 9403f342a23SRobert Elliott 941f1f142adSRobert Elliott This is used in HCTR2. It is not a general-purpose 942f1f142adSRobert Elliott cryptographic hash function. 943f1f142adSRobert Elliott 9443f342a23SRobert Elliottconfig CRYPTO_POLY1305 945f1f142adSRobert Elliott tristate "Poly1305" 946f1f142adSRobert Elliott select CRYPTO_HASH 947f1f142adSRobert Elliott select CRYPTO_LIB_POLY1305_GENERIC 9483f342a23SRobert Elliott help 949f1f142adSRobert Elliott Poly1305 authenticator algorithm (RFC7539) 950f1f142adSRobert Elliott 951f1f142adSRobert Elliott Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein. 952f1f142adSRobert Elliott It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use 953f1f142adSRobert Elliott in IETF protocols. This is the portable C implementation of Poly1305. 954f1f142adSRobert Elliott 9553f342a23SRobert Elliottconfig CRYPTO_RMD160 956f1f142adSRobert Elliott tristate "RIPEMD-160" 957f1f142adSRobert Elliott select CRYPTO_HASH 9583f342a23SRobert Elliott help 959f1f142adSRobert Elliott RIPEMD-160 hash function (ISO/IEC 10118-3) 960f1f142adSRobert Elliott 961f1f142adSRobert Elliott RIPEMD-160 is a 160-bit cryptographic hash function. It is intended 962f1f142adSRobert Elliott to be used as a secure replacement for the 128-bit hash functions 963f1f142adSRobert Elliott MD4, MD5 and its predecessor RIPEMD 964f1f142adSRobert Elliott (not to be confused with RIPEMD-128). 9653f342a23SRobert Elliott 966f1f142adSRobert Elliott Its speed is comparable to SHA-1 and there are no known attacks 967f1f142adSRobert Elliott against RIPEMD-160. 968f1f142adSRobert Elliott 9693f342a23SRobert Elliott Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel. 9703f342a23SRobert Elliott See https://homes.esat.kuleuven.be/~bosselae/ripemd160.html 971f1f142adSRobert Elliott for further information. 972f1f142adSRobert Elliott 9733f342a23SRobert Elliottconfig CRYPTO_SHA1 974f1f142adSRobert Elliott tristate "SHA-1" 975f1f142adSRobert Elliott select CRYPTO_HASH 976f1f142adSRobert Elliott select CRYPTO_LIB_SHA1 9773f342a23SRobert Elliott help 978f1f142adSRobert Elliott SHA-1 secure hash algorithm (FIPS 180, ISO/IEC 10118-3) 979f1f142adSRobert Elliott 9803f342a23SRobert Elliottconfig CRYPTO_SHA256 981f1f142adSRobert Elliott tristate "SHA-224 and SHA-256" 982f1f142adSRobert Elliott select CRYPTO_HASH 983f1f142adSRobert Elliott select CRYPTO_LIB_SHA256 9843f342a23SRobert Elliott help 985f1f142adSRobert Elliott SHA-224 and SHA-256 secure hash algorithms (FIPS 180, ISO/IEC 10118-3) 9863f342a23SRobert Elliott 9873f342a23SRobert Elliott This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP). 988f1f142adSRobert Elliott Used by the btrfs filesystem, Ceph, NFS, and SMB. 989f1f142adSRobert Elliott 9903f342a23SRobert Elliottconfig CRYPTO_SHA512 991f1f142adSRobert Elliott tristate "SHA-384 and SHA-512" 992f1f142adSRobert Elliott select CRYPTO_HASH 9933f342a23SRobert Elliott help 994f1f142adSRobert Elliott SHA-384 and SHA-512 secure hash algorithms (FIPS 180, ISO/IEC 10118-3) 995f1f142adSRobert Elliott 9963f342a23SRobert Elliottconfig CRYPTO_SHA3 997f1f142adSRobert Elliott tristate "SHA-3" 998f1f142adSRobert Elliott select CRYPTO_HASH 9993f342a23SRobert Elliott help 1000f1f142adSRobert Elliott SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3) 1001f1f142adSRobert Elliott 1002f1f142adSRobert Elliottconfig CRYPTO_SM3 1003f1f142adSRobert Elliott tristate 1004f1f142adSRobert Elliott 10053f342a23SRobert Elliottconfig CRYPTO_SM3_GENERIC 1006f1f142adSRobert Elliott tristate "SM3 (ShangMi 3)" 1007f1f142adSRobert Elliott select CRYPTO_HASH 1008f1f142adSRobert Elliott select CRYPTO_SM3 10093f342a23SRobert Elliott help 10103f342a23SRobert Elliott SM3 (ShangMi 3) secure hash function (OSCCA GM/T 0004-2012, ISO/IEC 10118-3) 10113f342a23SRobert Elliott 1012f1f142adSRobert Elliott This is part of the Chinese Commercial Cryptography suite. 1013f1f142adSRobert Elliott 1014f1f142adSRobert Elliott References: 1015f1f142adSRobert Elliott http://www.oscca.gov.cn/UpFile/20101222141857786.pdf 1016f1f142adSRobert Elliott https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash 1017f1f142adSRobert Elliott 10183f342a23SRobert Elliottconfig CRYPTO_STREEBOG 1019f1f142adSRobert Elliott tristate "Streebog" 1020f1f142adSRobert Elliott select CRYPTO_HASH 10213f342a23SRobert Elliott help 10223f342a23SRobert Elliott Streebog Hash Function (GOST R 34.11-2012, RFC 6986, ISO/IEC 10118-3) 10233f342a23SRobert Elliott 10243f342a23SRobert Elliott This is one of the Russian cryptographic standard algorithms (called 10253f342a23SRobert Elliott GOST algorithms). This setting enables two hash algorithms with 1026f1f142adSRobert Elliott 256 and 512 bits output. 1027f1f142adSRobert Elliott 1028f1f142adSRobert Elliott References: 1029f1f142adSRobert Elliott https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf 1030f1f142adSRobert Elliott https://tools.ietf.org/html/rfc6986 1031f1f142adSRobert Elliott 10323f342a23SRobert Elliottconfig CRYPTO_VMAC 1033f1f142adSRobert Elliott tristate "VMAC" 1034f1f142adSRobert Elliott select CRYPTO_HASH 1035f1f142adSRobert Elliott select CRYPTO_MANAGER 1036f1f142adSRobert Elliott help 1037f1f142adSRobert Elliott VMAC is a message authentication algorithm designed for 1038f1f142adSRobert Elliott very high speed on 64-bit architectures. 10393f342a23SRobert Elliott 1040f1f142adSRobert Elliott See https://fastcrypto.org/vmac for further information. 1041f1f142adSRobert Elliott 10423f342a23SRobert Elliottconfig CRYPTO_WP512 1043f1f142adSRobert Elliott tristate "Whirlpool" 1044f1f142adSRobert Elliott select CRYPTO_HASH 10453f342a23SRobert Elliott help 10463f342a23SRobert Elliott Whirlpool hash function (ISO/IEC 10118-3) 10473f342a23SRobert Elliott 1048f1f142adSRobert Elliott 512, 384 and 256-bit hashes. 1049f1f142adSRobert Elliott 1050f1f142adSRobert Elliott Whirlpool-512 is part of the NESSIE cryptographic primitives. 10513f342a23SRobert Elliott 10523f342a23SRobert Elliott See https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html 1053f1f142adSRobert Elliott for further information. 1054f1f142adSRobert Elliott 10553f342a23SRobert Elliottconfig CRYPTO_XCBC 1056f1f142adSRobert Elliott tristate "XCBC-MAC (Extended Cipher Block Chaining MAC)" 1057f1f142adSRobert Elliott select CRYPTO_HASH 1058f1f142adSRobert Elliott select CRYPTO_MANAGER 10593f342a23SRobert Elliott help 10603f342a23SRobert Elliott XCBC-MAC (Extended Cipher Block Chaining Message Authentication 1061f1f142adSRobert Elliott Code) (RFC3566) 1062f1f142adSRobert Elliott 10633f342a23SRobert Elliottconfig CRYPTO_XXHASH 1064f1f142adSRobert Elliott tristate "xxHash" 1065f1f142adSRobert Elliott select CRYPTO_HASH 1066f1f142adSRobert Elliott select XXHASH 10673f342a23SRobert Elliott help 10683f342a23SRobert Elliott xxHash non-cryptographic hash algorithm 10693f342a23SRobert Elliott 10703f342a23SRobert Elliott Extremely fast, working at speeds close to RAM limits. 10713f342a23SRobert Elliott 1072f1f142adSRobert Elliott Used by the btrfs filesystem. 1073f1f142adSRobert Elliott 1074f1f142adSRobert Elliottendmenu 1075f1f142adSRobert Elliott 1076f1f142adSRobert Elliottmenu "CRCs (cyclic redundancy checks)" 1077f1f142adSRobert Elliott 1078ec84348dSRobert Elliottconfig CRYPTO_CRC32C 1079f1f142adSRobert Elliott tristate "CRC32c" 1080f1f142adSRobert Elliott select CRYPTO_HASH 1081f1f142adSRobert Elliott select CRC32 1082ec84348dSRobert Elliott help 1083ec84348dSRobert Elliott CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720) 1084ec84348dSRobert Elliott 1085ec84348dSRobert Elliott A 32-bit CRC (cyclic redundancy check) with a polynomial defined 1086ec84348dSRobert Elliott by G. Castagnoli, S. Braeuer and M. Herrman in "Optimization of Cyclic 1087ec84348dSRobert Elliott Redundancy-Check Codes with 24 and 32 Parity Bits", IEEE Transactions 1088ec84348dSRobert Elliott on Communications, Vol. 41, No. 6, June 1993, selected for use with 1089ec84348dSRobert Elliott iSCSI. 1090ec84348dSRobert Elliott 1091f1f142adSRobert Elliott Used by btrfs, ext4, jbd2, NVMeoF/TCP, and iSCSI. 1092f1f142adSRobert Elliott 1093ec84348dSRobert Elliottconfig CRYPTO_CRC32 1094f1f142adSRobert Elliott tristate "CRC32" 1095f1f142adSRobert Elliott select CRYPTO_HASH 1096f1f142adSRobert Elliott select CRC32 1097ec84348dSRobert Elliott help 1098ec84348dSRobert Elliott CRC32 CRC algorithm (IEEE 802.3) 1099ec84348dSRobert Elliott 1100f1f142adSRobert Elliott Used by RoCEv2 and f2fs. 1101f1f142adSRobert Elliott 1102ec84348dSRobert Elliottconfig CRYPTO_CRCT10DIF 1103f1f142adSRobert Elliott tristate "CRCT10DIF" 1104f1f142adSRobert Elliott select CRYPTO_HASH 1105ec84348dSRobert Elliott help 1106ec84348dSRobert Elliott CRC16 CRC algorithm used for the T10 (SCSI) Data Integrity Field (DIF) 1107ec84348dSRobert Elliott 1108f1f142adSRobert Elliott CRC algorithm used by the SCSI Block Commands standard. 1109f1f142adSRobert Elliott 1110ec84348dSRobert Elliottconfig CRYPTO_CRC64_ROCKSOFT 1111f1f142adSRobert Elliott tristate "CRC64 based on Rocksoft Model algorithm" 1112f1f142adSRobert Elliott depends on CRC64 1113ec84348dSRobert Elliott select CRYPTO_HASH 1114ec84348dSRobert Elliott help 1115ec84348dSRobert Elliott CRC64 CRC algorithm based on the Rocksoft Model CRC Algorithm 1116ec84348dSRobert Elliott 1117ec84348dSRobert Elliott Used by the NVMe implementation of T10 DIF (BLK_DEV_INTEGRITY) 1118ec84348dSRobert Elliott 1119f1f142adSRobert Elliott See https://zlib.net/crc_v3.txt 1120f1f142adSRobert Elliott 1121f1f142adSRobert Elliottendmenu 1122f1f142adSRobert Elliott 1123584fffc8SSebastian Siewiormenu "Compression" 11241da177e4SLinus Torvalds 1125a9a98d49SRobert Elliottconfig CRYPTO_DEFLATE 1126cce9e06dSHerbert Xu tristate "Deflate" 1127f6ded09dSGiovanni Cabiddu select CRYPTO_ALGAPI 11281da177e4SLinus Torvalds select CRYPTO_ACOMP2 11291da177e4SLinus Torvalds select ZLIB_INFLATE 11301da177e4SLinus Torvalds select ZLIB_DEFLATE 1131a9a98d49SRobert Elliott help 11321da177e4SLinus Torvalds Deflate compression algorithm (RFC1951) 1133a9a98d49SRobert Elliott 11341da177e4SLinus Torvalds Used by IPSec with the IPCOMP protocol (RFC3173, RFC2394) 11350b77abb3SZoltan Sogor 1136a9a98d49SRobert Elliottconfig CRYPTO_LZO 11370b77abb3SZoltan Sogor tristate "LZO" 1138ac9d2c4bSGiovanni Cabiddu select CRYPTO_ALGAPI 11390b77abb3SZoltan Sogor select CRYPTO_ACOMP2 11400b77abb3SZoltan Sogor select LZO_COMPRESS 11410b77abb3SZoltan Sogor select LZO_DECOMPRESS 1142a9a98d49SRobert Elliott help 1143a9a98d49SRobert Elliott LZO compression algorithm 1144a9a98d49SRobert Elliott 11450b77abb3SZoltan Sogor See https://www.oberhumer.com/opensource/lzo/ for further information. 114635a1fc18SSeth Jennings 1147a9a98d49SRobert Elliottconfig CRYPTO_842 11482062c5b6SDan Streetman tristate "842" 11496a8de3aeSGiovanni Cabiddu select CRYPTO_ALGAPI 11502062c5b6SDan Streetman select CRYPTO_ACOMP2 11512062c5b6SDan Streetman select 842_COMPRESS 115235a1fc18SSeth Jennings select 842_DECOMPRESS 1153a9a98d49SRobert Elliott help 1154a9a98d49SRobert Elliott 842 compression algorithm by IBM 1155a9a98d49SRobert Elliott 115635a1fc18SSeth Jennings See https://github.com/plauth/lib842 for further information. 11570ea8530dSChanho Min 1158a9a98d49SRobert Elliottconfig CRYPTO_LZ4 11590ea8530dSChanho Min tristate "LZ4" 11608cd9330eSGiovanni Cabiddu select CRYPTO_ALGAPI 11610ea8530dSChanho Min select CRYPTO_ACOMP2 11620ea8530dSChanho Min select LZ4_COMPRESS 11630ea8530dSChanho Min select LZ4_DECOMPRESS 1164a9a98d49SRobert Elliott help 1165a9a98d49SRobert Elliott LZ4 compression algorithm 1166a9a98d49SRobert Elliott 11670ea8530dSChanho Min See https://github.com/lz4/lz4 for further information. 11680ea8530dSChanho Min 1169a9a98d49SRobert Elliottconfig CRYPTO_LZ4HC 11700ea8530dSChanho Min tristate "LZ4HC" 117191d53d96SGiovanni Cabiddu select CRYPTO_ALGAPI 11720ea8530dSChanho Min select CRYPTO_ACOMP2 11730ea8530dSChanho Min select LZ4HC_COMPRESS 11740ea8530dSChanho Min select LZ4_DECOMPRESS 1175a9a98d49SRobert Elliott help 1176a9a98d49SRobert Elliott LZ4 high compression mode algorithm 1177a9a98d49SRobert Elliott 11780ea8530dSChanho Min See https://github.com/lz4/lz4 for further information. 1179d28fc3dbSNick Terrell 1180a9a98d49SRobert Elliottconfig CRYPTO_ZSTD 1181d28fc3dbSNick Terrell tristate "Zstd" 1182d28fc3dbSNick Terrell select CRYPTO_ALGAPI 1183d28fc3dbSNick Terrell select CRYPTO_ACOMP2 1184d28fc3dbSNick Terrell select ZSTD_COMPRESS 1185d28fc3dbSNick Terrell select ZSTD_DECOMPRESS 1186a9a98d49SRobert Elliott help 1187a9a98d49SRobert Elliott zstd compression algorithm 1188a9a98d49SRobert Elliott 1189d28fc3dbSNick Terrell See https://github.com/facebook/zstd for further information. 1190f1f142adSRobert Elliott 1191f1f142adSRobert Elliottendmenu 1192f1f142adSRobert Elliott 119317f0f4a4SNeil Hormanmenu "Random number generation" 119417f0f4a4SNeil Horman 1195a9a98d49SRobert Elliottconfig CRYPTO_ANSI_CPRNG 119617f0f4a4SNeil Horman tristate "ANSI PRNG (Pseudo Random Number Generator)" 119717f0f4a4SNeil Horman select CRYPTO_AES 119817f0f4a4SNeil Horman select CRYPTO_RNG 1199a9a98d49SRobert Elliott help 1200a9a98d49SRobert Elliott Pseudo RNG (random number generator) (ANSI X9.31 Appendix A.2.4) 1201a9a98d49SRobert Elliott 1202a9a98d49SRobert Elliott This uses the AES cipher algorithm. 1203a9a98d49SRobert Elliott 120417f0f4a4SNeil Horman Note that this option must be enabled if CRYPTO_FIPS is selected 1205f2c89a10SHerbert Xu 1206a9a98d49SRobert Elliottmenuconfig CRYPTO_DRBG_MENU 1207419090c6SStephan Mueller tristate "NIST SP800-90A DRBG (Deterministic Random Bit Generator)" 1208a9a98d49SRobert Elliott help 1209a9a98d49SRobert Elliott DRBG (Deterministic Random Bit Generator) (NIST SP800-90A) 1210a9a98d49SRobert Elliott 1211419090c6SStephan Mueller In the following submenu, one or more of the DRBG types must be selected. 1212f2c89a10SHerbert Xu 1213419090c6SStephan Muellerif CRYPTO_DRBG_MENU 1214419090c6SStephan Mueller 1215401e4238SHerbert Xuconfig CRYPTO_DRBG_HMAC 1216419090c6SStephan Mueller bool 1217419090c6SStephan Mueller default y 12185261cdf4SStephan Mueller select CRYPTO_HMAC 1219419090c6SStephan Mueller select CRYPTO_SHA512 1220419090c6SStephan Mueller 1221a9a98d49SRobert Elliottconfig CRYPTO_DRBG_HASH 1222826775bbSHerbert Xu bool "Hash_DRBG" 1223419090c6SStephan Mueller select CRYPTO_SHA256 1224a9a98d49SRobert Elliott help 1225a9a98d49SRobert Elliott Hash_DRBG variant as defined in NIST SP800-90A. 1226a9a98d49SRobert Elliott 1227419090c6SStephan Mueller This uses the SHA-1, SHA-256, SHA-384, or SHA-512 hash algorithms. 1228419090c6SStephan Mueller 1229a9a98d49SRobert Elliottconfig CRYPTO_DRBG_CTR 1230419090c6SStephan Mueller bool "CTR_DRBG" 1231d6fc1a45SCorentin Labbe select CRYPTO_AES 1232419090c6SStephan Mueller select CRYPTO_CTR 1233a9a98d49SRobert Elliott help 1234a9a98d49SRobert Elliott CTR_DRBG variant as defined in NIST SP800-90A. 1235a9a98d49SRobert Elliott 1236419090c6SStephan Mueller This uses the AES cipher algorithm with the counter block mode. 1237f2c89a10SHerbert Xu 1238f2c89a10SHerbert Xuconfig CRYPTO_DRBG 1239401e4238SHerbert Xu tristate 1240f2c89a10SHerbert Xu default CRYPTO_DRBG_MENU 1241bb5530e4SStephan Mueller select CRYPTO_RNG 1242f2c89a10SHerbert Xu select CRYPTO_JITTERENTROPY 1243f2c89a10SHerbert Xu 1244419090c6SStephan Muellerendif # if CRYPTO_DRBG_MENU 1245bb5530e4SStephan Mueller 1246a9a98d49SRobert Elliottconfig CRYPTO_JITTERENTROPY 12472f313e02SArnd Bergmann tristate "CPU Jitter Non-Deterministic RNG (Random Number Generator)" 1248bb897c55SStephan Müller select CRYPTO_RNG 1249bb5530e4SStephan Mueller select CRYPTO_SHA3 1250a9a98d49SRobert Elliott help 1251a9a98d49SRobert Elliott CPU Jitter RNG (Random Number Generator) from the Jitterentropy library 1252a9a98d49SRobert Elliott 1253a9a98d49SRobert Elliott A non-physical non-deterministic ("true") RNG (e.g., an entropy source 1254e63df1ecSRandy Dunlap compliant with NIST SP800-90B) intended to provide a seed to a 1255a9a98d49SRobert Elliott deterministic RNG (e.g., per NIST SP800-90C). 1256e63df1ecSRandy Dunlap This RNG does not perform any cryptographic whitening of the generated 1257a9a98d49SRobert Elliott random numbers. 1258e63df1ecSRandy Dunlap 1259bb5530e4SStephan Mueller See https://www.chronox.de/jent/ 1260e7ed6473SHerbert Xu 1261e7ed6473SHerbert Xuif CRYPTO_JITTERENTROPY 1262e7ed6473SHerbert Xuif CRYPTO_FIPS && EXPERT 126359bcfd78SStephan Müller 126459bcfd78SStephan Müllerchoice 126559bcfd78SStephan Müller prompt "CPU Jitter RNG Memory Size" 126659bcfd78SStephan Müller default CRYPTO_JITTERENTROPY_MEMSIZE_2 126759bcfd78SStephan Müller help 126859bcfd78SStephan Müller The Jitter RNG measures the execution time of memory accesses. 126959bcfd78SStephan Müller Multiple consecutive memory accesses are performed. If the memory 127059bcfd78SStephan Müller size fits into a cache (e.g. L1), only the memory access timing 127159bcfd78SStephan Müller to that cache is measured. The closer the cache is to the CPU 127259bcfd78SStephan Müller the less variations are measured and thus the less entropy is 127359bcfd78SStephan Müller obtained. Thus, if the memory size fits into the L1 cache, the 127459bcfd78SStephan Müller obtained entropy is less than if the memory size fits within 127559bcfd78SStephan Müller L1 + L2, which in turn is less if the memory fits into 127659bcfd78SStephan Müller L1 + L2 + L3. Thus, by selecting a different memory size, 127759bcfd78SStephan Müller the entropy rate produced by the Jitter RNG can be modified. 127859bcfd78SStephan Müller 127959bcfd78SStephan Müller config CRYPTO_JITTERENTROPY_MEMSIZE_2 128059bcfd78SStephan Müller bool "2048 Bytes (default)" 128159bcfd78SStephan Müller 128259bcfd78SStephan Müller config CRYPTO_JITTERENTROPY_MEMSIZE_128 128359bcfd78SStephan Müller bool "128 kBytes" 128459bcfd78SStephan Müller 128559bcfd78SStephan Müller config CRYPTO_JITTERENTROPY_MEMSIZE_1024 128659bcfd78SStephan Müller bool "1024 kBytes" 128759bcfd78SStephan Müller 128859bcfd78SStephan Müller config CRYPTO_JITTERENTROPY_MEMSIZE_8192 128959bcfd78SStephan Müller bool "8192 kBytes" 129059bcfd78SStephan Müllerendchoice 129159bcfd78SStephan Müller 129259bcfd78SStephan Müllerconfig CRYPTO_JITTERENTROPY_MEMORY_BLOCKS 129359bcfd78SStephan Müller int 129459bcfd78SStephan Müller default 64 if CRYPTO_JITTERENTROPY_MEMSIZE_2 129559bcfd78SStephan Müller default 512 if CRYPTO_JITTERENTROPY_MEMSIZE_128 129659bcfd78SStephan Müller default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024 129759bcfd78SStephan Müller default 4096 if CRYPTO_JITTERENTROPY_MEMSIZE_8192 129859bcfd78SStephan Müller 129959bcfd78SStephan Müllerconfig CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE 130059bcfd78SStephan Müller int 130159bcfd78SStephan Müller default 32 if CRYPTO_JITTERENTROPY_MEMSIZE_2 130259bcfd78SStephan Müller default 256 if CRYPTO_JITTERENTROPY_MEMSIZE_128 130359bcfd78SStephan Müller default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024 130459bcfd78SStephan Müller default 2048 if CRYPTO_JITTERENTROPY_MEMSIZE_8192 13050baa8fabSStephan Müller 13060baa8fabSStephan Müllerconfig CRYPTO_JITTERENTROPY_OSR 13070baa8fabSStephan Müller int "CPU Jitter RNG Oversampling Rate" 1308*95a798d2SStephan Mueller range 1 15 13090baa8fabSStephan Müller default 3 13100baa8fabSStephan Müller help 13110baa8fabSStephan Müller The Jitter RNG allows the specification of an oversampling rate (OSR). 13120baa8fabSStephan Müller The Jitter RNG operation requires a fixed amount of timing 13130baa8fabSStephan Müller measurements to produce one output block of random numbers. The 13140baa8fabSStephan Müller OSR value is multiplied with the amount of timing measurements to 13150baa8fabSStephan Müller generate one output block. Thus, the timing measurement is oversampled 13160baa8fabSStephan Müller by the OSR factor. The oversampling allows the Jitter RNG to operate 13170baa8fabSStephan Müller on hardware whose timers deliver limited amount of entropy (e.g. 13180baa8fabSStephan Müller the timer is coarse) by setting the OSR to a higher value. The 13190baa8fabSStephan Müller trade-off, however, is that the Jitter RNG now requires more time 13200baa8fabSStephan Müller to generate random numbers. 132169f1c387SStephan Müller 132269f1c387SStephan Müllerconfig CRYPTO_JITTERENTROPY_TESTINTERFACE 132369f1c387SStephan Müller bool "CPU Jitter RNG Test Interface" 132469f1c387SStephan Müller help 132569f1c387SStephan Müller The test interface allows a privileged process to capture 132669f1c387SStephan Müller the raw unconditioned high resolution time stamp noise that 132769f1c387SStephan Müller is collected by the Jitter RNG for statistical analysis. As 132869f1c387SStephan Müller this data is used at the same time to generate random bits, 132969f1c387SStephan Müller the Jitter RNG operates in an insecure mode as long as the 133069f1c387SStephan Müller recording is enabled. This interface therefore is only 133169f1c387SStephan Müller intended for testing purposes and is not suitable for 133269f1c387SStephan Müller production systems. 133369f1c387SStephan Müller 133469f1c387SStephan Müller The raw noise data can be obtained using the jent_raw_hires 133569f1c387SStephan Müller debugfs file. Using the option 133669f1c387SStephan Müller jitterentropy_testing.boot_raw_hires_test=1 the raw noise of 133769f1c387SStephan Müller the first 1000 entropy events since boot can be sampled. 133869f1c387SStephan Müller 133969f1c387SStephan Müller If unsure, select N. 1340e7ed6473SHerbert Xu 1341e7ed6473SHerbert Xuendif # if CRYPTO_FIPS && EXPERT 1342e7ed6473SHerbert Xu 1343e7ed6473SHerbert Xuif !(CRYPTO_FIPS && EXPERT) 1344e7ed6473SHerbert Xu 1345e7ed6473SHerbert Xuconfig CRYPTO_JITTERENTROPY_MEMORY_BLOCKS 1346e7ed6473SHerbert Xu int 1347e7ed6473SHerbert Xu default 64 1348e7ed6473SHerbert Xu 1349e7ed6473SHerbert Xuconfig CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE 1350e7ed6473SHerbert Xu int 1351e7ed6473SHerbert Xu default 32 1352e7ed6473SHerbert Xu 1353e7ed6473SHerbert Xuconfig CRYPTO_JITTERENTROPY_OSR 1354e7ed6473SHerbert Xu int 1355e7ed6473SHerbert Xu default 1 1356e7ed6473SHerbert Xu 1357e7ed6473SHerbert Xuconfig CRYPTO_JITTERENTROPY_TESTINTERFACE 1358e7ed6473SHerbert Xu bool 1359e7ed6473SHerbert Xu 1360e7ed6473SHerbert Xuendif # if !(CRYPTO_FIPS && EXPERT) 1361e7ed6473SHerbert Xuendif # if CRYPTO_JITTERENTROPY 1362026a733eSStephan Müller 1363026a733eSStephan Müllerconfig CRYPTO_KDF800108_CTR 1364a88592ccSHerbert Xu tristate 1365304b4aceSStephan Müller select CRYPTO_HMAC 1366026a733eSStephan Müller select CRYPTO_SHA256 1367f1f142adSRobert Elliott 13689bc51715SRobert Elliottendmenu 1369f1f142adSRobert Elliottmenu "Userspace interface" 137003c8efc1SHerbert Xu 137103c8efc1SHerbert Xuconfig CRYPTO_USER_API 137203c8efc1SHerbert Xu tristate 1373fe869cdbSHerbert Xu 13749bc51715SRobert Elliottconfig CRYPTO_USER_API_HASH 13757451708fSHerbert Xu tristate "Hash algorithms" 1376fe869cdbSHerbert Xu depends on NET 1377fe869cdbSHerbert Xu select CRYPTO_HASH 1378fe869cdbSHerbert Xu select CRYPTO_USER_API 13799bc51715SRobert Elliott help 13809bc51715SRobert Elliott Enable the userspace interface for hash algorithms. 13819bc51715SRobert Elliott 13829bc51715SRobert Elliott See Documentation/crypto/userspace-if.rst and 1383fe869cdbSHerbert Xu https://www.chronox.de/libkcapi/html/index.html 13848ff59090SHerbert Xu 13859bc51715SRobert Elliottconfig CRYPTO_USER_API_SKCIPHER 13867451708fSHerbert Xu tristate "Symmetric key cipher algorithms" 1387b95bba5dSEric Biggers depends on NET 13888ff59090SHerbert Xu select CRYPTO_SKCIPHER 13898ff59090SHerbert Xu select CRYPTO_USER_API 13909bc51715SRobert Elliott help 13919bc51715SRobert Elliott Enable the userspace interface for symmetric key cipher algorithms. 13929bc51715SRobert Elliott 13939bc51715SRobert Elliott See Documentation/crypto/userspace-if.rst and 13948ff59090SHerbert Xu https://www.chronox.de/libkcapi/html/index.html 13952f375538SStephan Mueller 13969bc51715SRobert Elliottconfig CRYPTO_USER_API_RNG 13972f375538SStephan Mueller tristate "RNG (random number generator) algorithms" 13982f375538SStephan Mueller depends on NET 13992f375538SStephan Mueller select CRYPTO_RNG 14002f375538SStephan Mueller select CRYPTO_USER_API 14019bc51715SRobert Elliott help 14029bc51715SRobert Elliott Enable the userspace interface for RNG (random number generator) 14039bc51715SRobert Elliott algorithms. 14049bc51715SRobert Elliott 14059bc51715SRobert Elliott See Documentation/crypto/userspace-if.rst and 14062f375538SStephan Mueller https://www.chronox.de/libkcapi/html/index.html 140777ebdabeSElena Petrova 140877ebdabeSElena Petrovaconfig CRYPTO_USER_API_RNG_CAVP 140977ebdabeSElena Petrova bool "Enable CAVP testing of DRBG" 141077ebdabeSElena Petrova depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG 14119bc51715SRobert Elliott help 14129bc51715SRobert Elliott Enable extra APIs in the userspace interface for NIST CAVP 14139bc51715SRobert Elliott (Cryptographic Algorithm Validation Program) testing: 14149bc51715SRobert Elliott - resetting DRBG entropy 14159bc51715SRobert Elliott - providing Additional Data 141677ebdabeSElena Petrova 141777ebdabeSElena Petrova This should only be enabled for CAVP testing. You should say 141877ebdabeSElena Petrova no unless you know what this is. 1419b64a2d95SHerbert Xu 14209bc51715SRobert Elliottconfig CRYPTO_USER_API_AEAD 1421b64a2d95SHerbert Xu tristate "AEAD cipher algorithms" 1422b64a2d95SHerbert Xu depends on NET 1423b95bba5dSEric Biggers select CRYPTO_AEAD 142472548b09SStephan Mueller select CRYPTO_SKCIPHER 1425b64a2d95SHerbert Xu select CRYPTO_NULL 1426b64a2d95SHerbert Xu select CRYPTO_USER_API 14279bc51715SRobert Elliott help 14289bc51715SRobert Elliott Enable the userspace interface for AEAD cipher algorithms. 14299bc51715SRobert Elliott 14309bc51715SRobert Elliott See Documentation/crypto/userspace-if.rst and 1431b64a2d95SHerbert Xu https://www.chronox.de/libkcapi/html/index.html 14329ace6771SArd Biesheuvel 14339bc51715SRobert Elliottconfig CRYPTO_USER_API_ENABLE_OBSOLETE 14349ace6771SArd Biesheuvel bool "Obsolete cryptographic algorithms" 14359ace6771SArd Biesheuvel depends on CRYPTO_USER_API 14369ace6771SArd Biesheuvel default y 14379ace6771SArd Biesheuvel help 14389ace6771SArd Biesheuvel Allow obsolete cryptographic algorithms to be selected that have 14399ace6771SArd Biesheuvel already been phased out from internal use by the kernel, and are 14409ace6771SArd Biesheuvel only useful for userspace clients that still rely on them. 1441f1f142adSRobert Elliott 1442f1f142adSRobert Elliottendmenu 1443ee08997fSDmitry Kasatkin 1444ee08997fSDmitry Kasatkinconfig CRYPTO_HASH_INFO 1445ee08997fSDmitry Kasatkin bool 144627bc50fcSLinus Torvalds 14474a329fecSRobert Elliottif !KMSAN # avoid false positives from assembly 14484a329fecSRobert Elliottif ARM 14494a329fecSRobert Elliottsource "arch/arm/crypto/Kconfig" 14504a329fecSRobert Elliottendif 14514a329fecSRobert Elliottif ARM64 14524a329fecSRobert Elliottsource "arch/arm64/crypto/Kconfig" 14532f164822SMin Zhouendif 14542f164822SMin Zhouif LOONGARCH 14552f164822SMin Zhousource "arch/loongarch/crypto/Kconfig" 1456e45f710bSRobert Elliottendif 1457e45f710bSRobert Elliottif MIPS 1458e45f710bSRobert Elliottsource "arch/mips/crypto/Kconfig" 14596a490a4eSRobert Elliottendif 14606a490a4eSRobert Elliottif PPC 14616a490a4eSRobert Elliottsource "arch/powerpc/crypto/Kconfig" 1462178f3856SHeiko Stuebnerendif 1463178f3856SHeiko Stuebnerif RISCV 1464178f3856SHeiko Stuebnersource "arch/riscv/crypto/Kconfig" 1465c9d24c97SRobert Elliottendif 1466c9d24c97SRobert Elliottif S390 1467c9d24c97SRobert Elliottsource "arch/s390/crypto/Kconfig" 14680e9f9ea6SRobert Elliottendif 14690e9f9ea6SRobert Elliottif SPARC 14700e9f9ea6SRobert Elliottsource "arch/sparc/crypto/Kconfig" 147128a936efSRobert Elliottendif 147228a936efSRobert Elliottif X86 147328a936efSRobert Elliottsource "arch/x86/crypto/Kconfig" 147427bc50fcSLinus Torvaldsendif 1475e45f710bSRobert Elliottendif 14761da177e4SLinus Torvalds 14778636a1f9SMasahiro Yamadasource "drivers/crypto/Kconfig" 14788636a1f9SMasahiro Yamadasource "crypto/asymmetric_keys/Kconfig" 14791da177e4SLinus Torvaldssource "certs/Kconfig" 1480cce9e06dSHerbert Xu 1481endif # if CRYPTO 1482