xref: /linux/crypto/Kconfig (revision 0fa5248255a1f4cc87f35610f2762d9cdd919246)
1b2441318SGreg Kroah-Hartman# SPDX-License-Identifier: GPL-2.0
21da177e4SLinus Torvalds#
3685784aaSDan Williams# Generic algorithms support
4685784aaSDan Williams#
5685784aaSDan Williamsconfig XOR_BLOCKS
6685784aaSDan Williams	tristate
7685784aaSDan Williams
8685784aaSDan Williams#
99bc89cd8SDan Williams# async_tx api: hardware offloaded memory transfer/transform support
109bc89cd8SDan Williams#
119bc89cd8SDan Williamssource "crypto/async_tx/Kconfig"
129bc89cd8SDan Williams
139bc89cd8SDan Williams#
141da177e4SLinus Torvalds# Cryptographic API Configuration
151da177e4SLinus Torvalds#
162e290f43SJan Engelhardtmenuconfig CRYPTO
17c3715cb9SSebastian Siewior	tristate "Cryptographic API"
187033b937SEric Biggers	select CRYPTO_LIB_UTILS
191da177e4SLinus Torvalds	help
201da177e4SLinus Torvalds	  This option provides the core Cryptographic API.
211da177e4SLinus Torvalds
22cce9e06dSHerbert Xuif CRYPTO
23cce9e06dSHerbert Xu
24f1f142adSRobert Elliottmenu "Crypto core or helper"
25584fffc8SSebastian Siewior
26ccb778e1SNeil Hormanconfig CRYPTO_FIPS
27ccb778e1SNeil Horman	bool "FIPS 200 compliance"
2840b99697SEric Biggers	depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && CRYPTO_SELFTESTS
291f696097SAlec Ari	depends on (MODULE_SIG || !MODULES)
30ccb778e1SNeil Horman	help
31d99324c2SGeert Uytterhoeven	  This option enables the fips boot option which is
32d99324c2SGeert Uytterhoeven	  required if you want the system to operate in a FIPS 200
33ccb778e1SNeil Horman	  certification.  You should say no unless you know what
34e84c5480SChuck Ebbert	  this is.
35ccb778e1SNeil Horman
365a44749fSVladis Dronovconfig CRYPTO_FIPS_NAME
375a44749fSVladis Dronov	string "FIPS Module Name"
385a44749fSVladis Dronov	default "Linux Kernel Cryptographic API"
395a44749fSVladis Dronov	depends on CRYPTO_FIPS
405a44749fSVladis Dronov	help
415a44749fSVladis Dronov	  This option sets the FIPS Module name reported by the Crypto API via
425a44749fSVladis Dronov	  the /proc/sys/crypto/fips_name file.
435a44749fSVladis Dronov
445a44749fSVladis Dronovconfig CRYPTO_FIPS_CUSTOM_VERSION
455a44749fSVladis Dronov	bool "Use Custom FIPS Module Version"
465a44749fSVladis Dronov	depends on CRYPTO_FIPS
475a44749fSVladis Dronov	default n
485a44749fSVladis Dronov
495a44749fSVladis Dronovconfig CRYPTO_FIPS_VERSION
505a44749fSVladis Dronov	string "FIPS Module Version"
515a44749fSVladis Dronov	default "(none)"
525a44749fSVladis Dronov	depends on CRYPTO_FIPS_CUSTOM_VERSION
535a44749fSVladis Dronov	help
545a44749fSVladis Dronov	  This option provides the ability to override the FIPS Module Version.
555a44749fSVladis Dronov	  By default the KERNELRELEASE value is used.
565a44749fSVladis Dronov
57cce9e06dSHerbert Xuconfig CRYPTO_ALGAPI
58cce9e06dSHerbert Xu	tristate
596a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
60cce9e06dSHerbert Xu	help
61cce9e06dSHerbert Xu	  This option provides the API for cryptographic algorithms.
62cce9e06dSHerbert Xu
636a0fcbb4SHerbert Xuconfig CRYPTO_ALGAPI2
646a0fcbb4SHerbert Xu	tristate
656a0fcbb4SHerbert Xu
661ae97820SHerbert Xuconfig CRYPTO_AEAD
671ae97820SHerbert Xu	tristate
686a0fcbb4SHerbert Xu	select CRYPTO_AEAD2
691ae97820SHerbert Xu	select CRYPTO_ALGAPI
701ae97820SHerbert Xu
716a0fcbb4SHerbert Xuconfig CRYPTO_AEAD2
726a0fcbb4SHerbert Xu	tristate
736a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
746a0fcbb4SHerbert Xu
756cb8815fSHerbert Xuconfig CRYPTO_SIG
766cb8815fSHerbert Xu	tristate
776cb8815fSHerbert Xu	select CRYPTO_SIG2
786cb8815fSHerbert Xu	select CRYPTO_ALGAPI
796cb8815fSHerbert Xu
806cb8815fSHerbert Xuconfig CRYPTO_SIG2
816cb8815fSHerbert Xu	tristate
826cb8815fSHerbert Xu	select CRYPTO_ALGAPI2
836cb8815fSHerbert Xu
84b95bba5dSEric Biggersconfig CRYPTO_SKCIPHER
855cde0af2SHerbert Xu	tristate
86b95bba5dSEric Biggers	select CRYPTO_SKCIPHER2
875cde0af2SHerbert Xu	select CRYPTO_ALGAPI
8884534684SHerbert Xu	select CRYPTO_ECB
896a0fcbb4SHerbert Xu
90b95bba5dSEric Biggersconfig CRYPTO_SKCIPHER2
916a0fcbb4SHerbert Xu	tristate
926a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
935cde0af2SHerbert Xu
94055bcee3SHerbert Xuconfig CRYPTO_HASH
95055bcee3SHerbert Xu	tristate
966a0fcbb4SHerbert Xu	select CRYPTO_HASH2
97055bcee3SHerbert Xu	select CRYPTO_ALGAPI
98055bcee3SHerbert Xu
996a0fcbb4SHerbert Xuconfig CRYPTO_HASH2
1006a0fcbb4SHerbert Xu	tristate
1016a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
1026a0fcbb4SHerbert Xu
10317f0f4a4SNeil Hormanconfig CRYPTO_RNG
10417f0f4a4SNeil Horman	tristate
1056a0fcbb4SHerbert Xu	select CRYPTO_RNG2
10617f0f4a4SNeil Horman	select CRYPTO_ALGAPI
10717f0f4a4SNeil Horman
1086a0fcbb4SHerbert Xuconfig CRYPTO_RNG2
1096a0fcbb4SHerbert Xu	tristate
1106a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
1116a0fcbb4SHerbert Xu
112401e4238SHerbert Xuconfig CRYPTO_RNG_DEFAULT
113401e4238SHerbert Xu	tristate
114401e4238SHerbert Xu	select CRYPTO_DRBG_MENU
115401e4238SHerbert Xu
1163c339ab8STadeusz Strukconfig CRYPTO_AKCIPHER2
1173c339ab8STadeusz Struk	tristate
1183c339ab8STadeusz Struk	select CRYPTO_ALGAPI2
1193c339ab8STadeusz Struk
1203c339ab8STadeusz Strukconfig CRYPTO_AKCIPHER
1213c339ab8STadeusz Struk	tristate
1223c339ab8STadeusz Struk	select CRYPTO_AKCIPHER2
1233c339ab8STadeusz Struk	select CRYPTO_ALGAPI
1243c339ab8STadeusz Struk
1254e5f2c40SSalvatore Benedettoconfig CRYPTO_KPP2
1264e5f2c40SSalvatore Benedetto	tristate
1274e5f2c40SSalvatore Benedetto	select CRYPTO_ALGAPI2
1284e5f2c40SSalvatore Benedetto
1294e5f2c40SSalvatore Benedettoconfig CRYPTO_KPP
1304e5f2c40SSalvatore Benedetto	tristate
1314e5f2c40SSalvatore Benedetto	select CRYPTO_ALGAPI
1324e5f2c40SSalvatore Benedetto	select CRYPTO_KPP2
1334e5f2c40SSalvatore Benedetto
1342ebda74fSGiovanni Cabidduconfig CRYPTO_ACOMP2
1352ebda74fSGiovanni Cabiddu	tristate
1362ebda74fSGiovanni Cabiddu	select CRYPTO_ALGAPI2
1378cd579d2SBart Van Assche	select SGL_ALLOC
1382ebda74fSGiovanni Cabiddu
1392ebda74fSGiovanni Cabidduconfig CRYPTO_ACOMP
1402ebda74fSGiovanni Cabiddu	tristate
1412ebda74fSGiovanni Cabiddu	select CRYPTO_ALGAPI
1422ebda74fSGiovanni Cabiddu	select CRYPTO_ACOMP2
1432ebda74fSGiovanni Cabiddu
1443241cd0cSHannes Reineckeconfig CRYPTO_HKDF
1453241cd0cSHannes Reinecke	tristate
14640b99697SEric Biggers	select CRYPTO_SHA256 if CRYPTO_SELFTESTS
14740b99697SEric Biggers	select CRYPTO_SHA512 if CRYPTO_SELFTESTS
1483241cd0cSHannes Reinecke	select CRYPTO_HASH2
1493241cd0cSHannes Reinecke
1502b8c19dbSHerbert Xuconfig CRYPTO_MANAGER
1516f9d0f53SEric Biggers	tristate
15257999ed1SEric Biggers	default CRYPTO_ALGAPI if CRYPTO_SELFTESTS
1536a0fcbb4SHerbert Xu	select CRYPTO_MANAGER2
1542b8c19dbSHerbert Xu	help
15557999ed1SEric Biggers	  This provides the support for instantiating templates such as
15657999ed1SEric Biggers	  cbc(aes), and the support for the crypto self-tests.
1572b8c19dbSHerbert Xu
1586a0fcbb4SHerbert Xuconfig CRYPTO_MANAGER2
1596a0fcbb4SHerbert Xu	def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
1602ebda74fSGiovanni Cabiddu	select CRYPTO_ACOMP2
161fb28fabfSHerbert Xu	select CRYPTO_AEAD2
162fb28fabfSHerbert Xu	select CRYPTO_AKCIPHER2
1636cb8815fSHerbert Xu	select CRYPTO_SIG2
164fb28fabfSHerbert Xu	select CRYPTO_HASH2
165fb28fabfSHerbert Xu	select CRYPTO_KPP2
166fb28fabfSHerbert Xu	select CRYPTO_RNG2
167fb28fabfSHerbert Xu	select CRYPTO_SKCIPHER2
1686a0fcbb4SHerbert Xu
169a38f7907SSteffen Klassertconfig CRYPTO_USER
170a38f7907SSteffen Klassert	tristate "Userspace cryptographic algorithm configuration"
1715db017aaSHerbert Xu	depends on NET
172a38f7907SSteffen Klassert	select CRYPTO_MANAGER
173a38f7907SSteffen Klassert	help
174d19978f5SValdis.Kletnieks@vt.edu	  Userspace configuration for cryptographic instantiations such as
175a38f7907SSteffen Klassert	  cbc(aes).
176a38f7907SSteffen Klassert
17740b99697SEric Biggersconfig CRYPTO_SELFTESTS
17840b99697SEric Biggers	bool "Enable cryptographic self-tests"
179*ac90aad0SEric Biggers	depends on EXPERT
1800b767f96SAlexander Shishkin	help
18140b99697SEric Biggers	  Enable the cryptographic self-tests.
18240b99697SEric Biggers
18340b99697SEric Biggers	  The cryptographic self-tests run at boot time, or at algorithm
18440b99697SEric Biggers	  registration time if algorithms are dynamically loaded later.
18540b99697SEric Biggers
186*ac90aad0SEric Biggers	  There are two main use cases for these tests:
187*ac90aad0SEric Biggers
188*ac90aad0SEric Biggers	  - Development and pre-release testing.  In this case, also enable
189*ac90aad0SEric Biggers	    CRYPTO_SELFTESTS_FULL to get the full set of tests.  All crypto code
190*ac90aad0SEric Biggers	    in the kernel is expected to pass the full set of tests.
191*ac90aad0SEric Biggers
192*ac90aad0SEric Biggers	  - Production kernels, to help prevent buggy drivers from being used
193*ac90aad0SEric Biggers	    and/or meet FIPS 140-3 pre-operational testing requirements.  In
194*ac90aad0SEric Biggers	    this case, enable CRYPTO_SELFTESTS but not CRYPTO_SELFTESTS_FULL.
195*ac90aad0SEric Biggers
196*ac90aad0SEric Biggersconfig CRYPTO_SELFTESTS_FULL
197*ac90aad0SEric Biggers	bool "Enable the full set of cryptographic self-tests"
198*ac90aad0SEric Biggers	depends on CRYPTO_SELFTESTS
199*ac90aad0SEric Biggers	help
200*ac90aad0SEric Biggers	  Enable the full set of cryptographic self-tests for each algorithm.
201*ac90aad0SEric Biggers
202*ac90aad0SEric Biggers	  The full set of tests should be enabled for development and
203*ac90aad0SEric Biggers	  pre-release testing, but not in production kernels.
204*ac90aad0SEric Biggers
205*ac90aad0SEric Biggers	  All crypto code in the kernel is expected to pass the full tests.
2060b767f96SAlexander Shishkin
207584fffc8SSebastian Siewiorconfig CRYPTO_NULL
208584fffc8SSebastian Siewior	tristate "Null algorithms"
209bde39305SEric Biggers	select CRYPTO_ALGAPI
210bde39305SEric Biggers	select CRYPTO_SKCIPHER
211bde39305SEric Biggers	select CRYPTO_HASH
212584fffc8SSebastian Siewior	help
213584fffc8SSebastian Siewior	  These are 'Null' algorithms, used by IPsec, which do nothing.
214584fffc8SSebastian Siewior
2155068c7a8SSteffen Klassertconfig CRYPTO_PCRYPT
2163b4afaf2SKees Cook	tristate "Parallel crypto engine"
2173b4afaf2SKees Cook	depends on SMP
2185068c7a8SSteffen Klassert	select PADATA
2195068c7a8SSteffen Klassert	select CRYPTO_MANAGER
2205068c7a8SSteffen Klassert	select CRYPTO_AEAD
2215068c7a8SSteffen Klassert	help
2225068c7a8SSteffen Klassert	  This converts an arbitrary crypto algorithm into a parallel
2235068c7a8SSteffen Klassert	  algorithm that executes in kernel threads.
2245068c7a8SSteffen Klassert
225584fffc8SSebastian Siewiorconfig CRYPTO_CRYPTD
226584fffc8SSebastian Siewior	tristate "Software async crypto daemon"
227b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
228b8a28251SLoc Ho	select CRYPTO_HASH
229584fffc8SSebastian Siewior	select CRYPTO_MANAGER
230584fffc8SSebastian Siewior	help
231584fffc8SSebastian Siewior	  This is a generic software asynchronous crypto daemon that
232584fffc8SSebastian Siewior	  converts an arbitrary synchronous software crypto algorithm
233584fffc8SSebastian Siewior	  into an asynchronous algorithm that executes in a kernel thread.
234584fffc8SSebastian Siewior
235584fffc8SSebastian Siewiorconfig CRYPTO_AUTHENC
236584fffc8SSebastian Siewior	tristate "Authenc support"
237584fffc8SSebastian Siewior	select CRYPTO_AEAD
238b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
239584fffc8SSebastian Siewior	select CRYPTO_MANAGER
240584fffc8SSebastian Siewior	select CRYPTO_HASH
241584fffc8SSebastian Siewior	help
242584fffc8SSebastian Siewior	  Authenc: Combined mode wrapper for IPsec.
243cf514b2aSRobert Elliott
244cf514b2aSRobert Elliott	  This is required for IPSec ESP (XFRM_ESP).
245584fffc8SSebastian Siewior
246d1775a17SDavid Howellsconfig CRYPTO_KRB5ENC
247d1775a17SDavid Howells	tristate "Kerberos 5 combined hash+cipher support"
248d1775a17SDavid Howells	select CRYPTO_AEAD
249d1775a17SDavid Howells	select CRYPTO_SKCIPHER
250d1775a17SDavid Howells	select CRYPTO_MANAGER
251d1775a17SDavid Howells	select CRYPTO_HASH
252d1775a17SDavid Howells	help
253d1775a17SDavid Howells	  Combined hash and cipher support for Kerberos 5 RFC3961 simplified
254d1775a17SDavid Howells	  profile.  This is required for Kerberos 5-style encryption, used by
255d1775a17SDavid Howells	  sunrpc/NFS and rxrpc/AFS.
256d1775a17SDavid Howells
2573357b6c9SEric Biggersconfig CRYPTO_BENCHMARK
2583357b6c9SEric Biggers	tristate "Crypto benchmarking module"
25900ea27f1SArd Biesheuvel	depends on m || EXPERT
260da7f033dSHerbert Xu	select CRYPTO_MANAGER
261584fffc8SSebastian Siewior	help
2623357b6c9SEric Biggers	  Quick & dirty crypto benchmarking module.
2633357b6c9SEric Biggers
2643357b6c9SEric Biggers	  This is mainly intended for use by people developing cryptographic
2653357b6c9SEric Biggers	  algorithms in the kernel.  It should not be enabled in production
2663357b6c9SEric Biggers	  kernels.
267584fffc8SSebastian Siewior
268266d0516SHerbert Xuconfig CRYPTO_SIMD
269266d0516SHerbert Xu	tristate
270266d0516SHerbert Xu	select CRYPTO_CRYPTD
271266d0516SHerbert Xu
272735d37b5SBaolin Wangconfig CRYPTO_ENGINE
273735d37b5SBaolin Wang	tristate
274735d37b5SBaolin Wang
275f1f142adSRobert Elliottendmenu
276f1f142adSRobert Elliott
277f1f142adSRobert Elliottmenu "Public-key cryptography"
2783d6228a5SVitaly Chikunov
2793d6228a5SVitaly Chikunovconfig CRYPTO_RSA
28005b37465SRobert Elliott	tristate "RSA (Rivest-Shamir-Adleman)"
2813d6228a5SVitaly Chikunov	select CRYPTO_AKCIPHER
2823d6228a5SVitaly Chikunov	select CRYPTO_MANAGER
2831e562deaSLukas Wunner	select CRYPTO_SIG
2843d6228a5SVitaly Chikunov	select MPILIB
2853d6228a5SVitaly Chikunov	select ASN1
2863d6228a5SVitaly Chikunov	help
28705b37465SRobert Elliott	  RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017)
2883d6228a5SVitaly Chikunov
2893d6228a5SVitaly Chikunovconfig CRYPTO_DH
29005b37465SRobert Elliott	tristate "DH (Diffie-Hellman)"
2913d6228a5SVitaly Chikunov	select CRYPTO_KPP
2923d6228a5SVitaly Chikunov	select MPILIB
2933d6228a5SVitaly Chikunov	help
29405b37465SRobert Elliott	  DH (Diffie-Hellman) key exchange algorithm
2953d6228a5SVitaly Chikunov
2967dce5981SNicolai Stangeconfig CRYPTO_DH_RFC7919_GROUPS
29705b37465SRobert Elliott	bool "RFC 7919 FFDHE groups"
2987dce5981SNicolai Stange	depends on CRYPTO_DH
2991e207964SNicolai Stange	select CRYPTO_RNG_DEFAULT
3007dce5981SNicolai Stange	help
30105b37465SRobert Elliott	  FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups
30205b37465SRobert Elliott	  defined in RFC7919.
30305b37465SRobert Elliott
30405b37465SRobert Elliott	  Support these finite-field groups in DH key exchanges:
30505b37465SRobert Elliott	  - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
30605b37465SRobert Elliott
30705b37465SRobert Elliott	  If unsure, say N.
3087dce5981SNicolai Stange
3094a2289daSVitaly Chikunovconfig CRYPTO_ECC
3104a2289daSVitaly Chikunov	tristate
31138aa192aSArnd Bergmann	select CRYPTO_RNG_DEFAULT
3124a2289daSVitaly Chikunov
3133d6228a5SVitaly Chikunovconfig CRYPTO_ECDH
31405b37465SRobert Elliott	tristate "ECDH (Elliptic Curve Diffie-Hellman)"
3154a2289daSVitaly Chikunov	select CRYPTO_ECC
3163d6228a5SVitaly Chikunov	select CRYPTO_KPP
3173d6228a5SVitaly Chikunov	help
31805b37465SRobert Elliott	  ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm
31905b37465SRobert Elliott	  using curves P-192, P-256, and P-384 (FIPS 186)
3203d6228a5SVitaly Chikunov
3214e660291SStefan Bergerconfig CRYPTO_ECDSA
32205b37465SRobert Elliott	tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)"
3234e660291SStefan Berger	select CRYPTO_ECC
324ef132350SLukas Wunner	select CRYPTO_SIG
3254e660291SStefan Berger	select ASN1
3264e660291SStefan Berger	help
32705b37465SRobert Elliott	  ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186,
32805b37465SRobert Elliott	  ISO/IEC 14888-3)
32991790c7aSLukas Wunner	  using curves P-192, P-256, P-384 and P-521
33005b37465SRobert Elliott
33105b37465SRobert Elliott	  Only signature verification is implemented.
3324e660291SStefan Berger
3330d7a7864SVitaly Chikunovconfig CRYPTO_ECRDSA
33405b37465SRobert Elliott	tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)"
3350d7a7864SVitaly Chikunov	select CRYPTO_ECC
336ae117924SLukas Wunner	select CRYPTO_SIG
3370d7a7864SVitaly Chikunov	select CRYPTO_STREEBOG
3381036633eSVitaly Chikunov	select OID_REGISTRY
3391036633eSVitaly Chikunov	select ASN1
3400d7a7864SVitaly Chikunov	help
3410d7a7864SVitaly Chikunov	  Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
34205b37465SRobert Elliott	  RFC 7091, ISO/IEC 14888-3)
34305b37465SRobert Elliott
34405b37465SRobert Elliott	  One of the Russian cryptographic standard algorithms (called GOST
34505b37465SRobert Elliott	  algorithms). Only signature verification is implemented.
3460d7a7864SVitaly Chikunov
347ee772cb6SArd Biesheuvelconfig CRYPTO_CURVE25519
34805b37465SRobert Elliott	tristate "Curve25519"
349ee772cb6SArd Biesheuvel	select CRYPTO_KPP
350ee772cb6SArd Biesheuvel	select CRYPTO_LIB_CURVE25519_GENERIC
35117ec3e71SHerbert Xu	select CRYPTO_LIB_CURVE25519_INTERNAL
35205b37465SRobert Elliott	help
35305b37465SRobert Elliott	  Curve25519 elliptic curve (RFC7748)
354ee772cb6SArd Biesheuvel
355f1f142adSRobert Elliottendmenu
356584fffc8SSebastian Siewior
357f1f142adSRobert Elliottmenu "Block ciphers"
3581da177e4SLinus Torvalds
3591da177e4SLinus Torvaldsconfig CRYPTO_AES
360cf514b2aSRobert Elliott	tristate "AES (Advanced Encryption Standard)"
361cce9e06dSHerbert Xu	select CRYPTO_ALGAPI
3625bb12d78SArd Biesheuvel	select CRYPTO_LIB_AES
3631da177e4SLinus Torvalds	help
364cf514b2aSRobert Elliott	  AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
3651da177e4SLinus Torvalds
3661da177e4SLinus Torvalds	  Rijndael appears to be consistently a very good performer in
3671da177e4SLinus Torvalds	  both hardware and software across a wide range of computing
3681da177e4SLinus Torvalds	  environments regardless of its use in feedback or non-feedback
3691da177e4SLinus Torvalds	  modes. Its key setup time is excellent, and its key agility is
3701da177e4SLinus Torvalds	  good. Rijndael's very low memory requirements make it very well
3711da177e4SLinus Torvalds	  suited for restricted-space environments, in which it also
3721da177e4SLinus Torvalds	  demonstrates excellent performance. Rijndael's operations are
3731da177e4SLinus Torvalds	  among the easiest to defend against power and timing attacks.
3741da177e4SLinus Torvalds
3751da177e4SLinus Torvalds	  The AES specifies three key sizes: 128, 192 and 256 bits
3761da177e4SLinus Torvalds
377b5e0b032SArd Biesheuvelconfig CRYPTO_AES_TI
378cf514b2aSRobert Elliott	tristate "AES (Advanced Encryption Standard) (fixed time)"
379b5e0b032SArd Biesheuvel	select CRYPTO_ALGAPI
380e59c1c98SArd Biesheuvel	select CRYPTO_LIB_AES
381b5e0b032SArd Biesheuvel	help
382cf514b2aSRobert Elliott	  AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
383cf514b2aSRobert Elliott
384b5e0b032SArd Biesheuvel	  This is a generic implementation of AES that attempts to eliminate
385b5e0b032SArd Biesheuvel	  data dependent latencies as much as possible without affecting
386b5e0b032SArd Biesheuvel	  performance too much. It is intended for use by the generic CCM
387b5e0b032SArd Biesheuvel	  and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
388b5e0b032SArd Biesheuvel	  solely on encryption (although decryption is supported as well, but
389b5e0b032SArd Biesheuvel	  with a more dramatic performance hit)
390b5e0b032SArd Biesheuvel
391b5e0b032SArd Biesheuvel	  Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
392b5e0b032SArd Biesheuvel	  8 for decryption), this implementation only uses just two S-boxes of
393b5e0b032SArd Biesheuvel	  256 bytes each, and attempts to eliminate data dependent latencies by
394b5e0b032SArd Biesheuvel	  prefetching the entire table into the cache at the start of each
3950a6a40c2SEric Biggers	  block. Interrupts are also disabled to avoid races where cachelines
3960a6a40c2SEric Biggers	  are evicted when the CPU is interrupted to do something else.
397b5e0b032SArd Biesheuvel
3981da177e4SLinus Torvaldsconfig CRYPTO_ANUBIS
399cf514b2aSRobert Elliott	tristate "Anubis"
4001674aea5SArd Biesheuvel	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
401cce9e06dSHerbert Xu	select CRYPTO_ALGAPI
4021da177e4SLinus Torvalds	help
403cf514b2aSRobert Elliott	  Anubis cipher algorithm
4041da177e4SLinus Torvalds
4051da177e4SLinus Torvalds	  Anubis is a variable key length cipher which can use keys from
4061da177e4SLinus Torvalds	  128 bits to 320 bits in length.  It was evaluated as a entrant
4071da177e4SLinus Torvalds	  in the NESSIE competition.
4081da177e4SLinus Torvalds
409cf514b2aSRobert Elliott	  See https://web.archive.org/web/20160606112246/http://www.larc.usp.br/~pbarreto/AnubisPage.html
410cf514b2aSRobert Elliott	  for further information.
4111da177e4SLinus Torvalds
412f1f142adSRobert Elliottconfig CRYPTO_ARIA
413cf514b2aSRobert Elliott	tristate "ARIA"
414f1f142adSRobert Elliott	select CRYPTO_ALGAPI
415e2ee95b8SHye-Shik Chang	help
416cf514b2aSRobert Elliott	  ARIA cipher algorithm (RFC5794)
417e2ee95b8SHye-Shik Chang
418f1f142adSRobert Elliott	  ARIA is a standard encryption algorithm of the Republic of Korea.
419f1f142adSRobert Elliott	  The ARIA specifies three key sizes and rounds.
420f1f142adSRobert Elliott	  128-bit: 12 rounds.
421f1f142adSRobert Elliott	  192-bit: 14 rounds.
422f1f142adSRobert Elliott	  256-bit: 16 rounds.
423f1f142adSRobert Elliott
424cf514b2aSRobert Elliott	  See:
425cf514b2aSRobert Elliott	  https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do
426584fffc8SSebastian Siewior
427584fffc8SSebastian Siewiorconfig CRYPTO_BLOWFISH
428cf514b2aSRobert Elliott	tristate "Blowfish"
429584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
43052ba867cSJussi Kivilinna	select CRYPTO_BLOWFISH_COMMON
431584fffc8SSebastian Siewior	help
432cf514b2aSRobert Elliott	  Blowfish cipher algorithm, by Bruce Schneier
433584fffc8SSebastian Siewior
434584fffc8SSebastian Siewior	  This is a variable key length cipher which can use keys from 32
435584fffc8SSebastian Siewior	  bits to 448 bits in length.  It's fast, simple and specifically
436584fffc8SSebastian Siewior	  designed for use on "large microprocessors".
437e2ee95b8SHye-Shik Chang
438cf514b2aSRobert Elliott	  See https://www.schneier.com/blowfish.html for further information.
439584fffc8SSebastian Siewior
44052ba867cSJussi Kivilinnaconfig CRYPTO_BLOWFISH_COMMON
44152ba867cSJussi Kivilinna	tristate
44252ba867cSJussi Kivilinna	help
44352ba867cSJussi Kivilinna	  Common parts of the Blowfish cipher algorithm shared by the
44452ba867cSJussi Kivilinna	  generic c and the assembler implementations.
44552ba867cSJussi Kivilinna
446584fffc8SSebastian Siewiorconfig CRYPTO_CAMELLIA
447cf514b2aSRobert Elliott	tristate "Camellia"
448584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
449584fffc8SSebastian Siewior	help
450cf514b2aSRobert Elliott	  Camellia cipher algorithms (ISO/IEC 18033-3)
451584fffc8SSebastian Siewior
452584fffc8SSebastian Siewior	  Camellia is a symmetric key block cipher developed jointly
453584fffc8SSebastian Siewior	  at NTT and Mitsubishi Electric Corporation.
454584fffc8SSebastian Siewior
455584fffc8SSebastian Siewior	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
456584fffc8SSebastian Siewior
457cf514b2aSRobert Elliott	  See https://info.isl.ntt.co.jp/crypt/eng/camellia/ for further information.
458584fffc8SSebastian Siewior
459044ab525SJussi Kivilinnaconfig CRYPTO_CAST_COMMON
460044ab525SJussi Kivilinna	tristate
461044ab525SJussi Kivilinna	help
462044ab525SJussi Kivilinna	  Common parts of the CAST cipher algorithms shared by the
463044ab525SJussi Kivilinna	  generic c and the assembler implementations.
464044ab525SJussi Kivilinna
465584fffc8SSebastian Siewiorconfig CRYPTO_CAST5
466cf514b2aSRobert Elliott	tristate "CAST5 (CAST-128)"
467584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
468044ab525SJussi Kivilinna	select CRYPTO_CAST_COMMON
469584fffc8SSebastian Siewior	help
470cf514b2aSRobert Elliott	  CAST5 (CAST-128) cipher algorithm (RFC2144, ISO/IEC 18033-3)
471584fffc8SSebastian Siewior
472584fffc8SSebastian Siewiorconfig CRYPTO_CAST6
473cf514b2aSRobert Elliott	tristate "CAST6 (CAST-256)"
474584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
475044ab525SJussi Kivilinna	select CRYPTO_CAST_COMMON
476584fffc8SSebastian Siewior	help
477cf514b2aSRobert Elliott	  CAST6 (CAST-256) encryption algorithm (RFC2612)
478584fffc8SSebastian Siewior
479584fffc8SSebastian Siewiorconfig CRYPTO_DES
480cf514b2aSRobert Elliott	tristate "DES and Triple DES EDE"
481584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
48204007b0eSArd Biesheuvel	select CRYPTO_LIB_DES
483584fffc8SSebastian Siewior	help
484cf514b2aSRobert Elliott	  DES (Data Encryption Standard)(FIPS 46-2, ISO/IEC 18033-3) and
485cf514b2aSRobert Elliott	  Triple DES EDE (Encrypt/Decrypt/Encrypt) (FIPS 46-3, ISO/IEC 18033-3)
486cf514b2aSRobert Elliott	  cipher algorithms
487584fffc8SSebastian Siewior
488584fffc8SSebastian Siewiorconfig CRYPTO_FCRYPT
489cf514b2aSRobert Elliott	tristate "FCrypt"
490584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
491b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
492584fffc8SSebastian Siewior	help
493cf514b2aSRobert Elliott	  FCrypt algorithm used by RxRPC
494cf514b2aSRobert Elliott
495cf514b2aSRobert Elliott	  See https://ota.polyonymo.us/fcrypt-paper.txt
496584fffc8SSebastian Siewior
497584fffc8SSebastian Siewiorconfig CRYPTO_KHAZAD
498cf514b2aSRobert Elliott	tristate "Khazad"
4991674aea5SArd Biesheuvel	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
500584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
501584fffc8SSebastian Siewior	help
502cf514b2aSRobert Elliott	  Khazad cipher algorithm
503584fffc8SSebastian Siewior
504584fffc8SSebastian Siewior	  Khazad was a finalist in the initial NESSIE competition.  It is
505584fffc8SSebastian Siewior	  an algorithm optimized for 64-bit processors with good performance
506584fffc8SSebastian Siewior	  on 32-bit processors.  Khazad uses an 128 bit key size.
507584fffc8SSebastian Siewior
508cf514b2aSRobert Elliott	  See https://web.archive.org/web/20171011071731/http://www.larc.usp.br/~pbarreto/KhazadPage.html
509cf514b2aSRobert Elliott	  for further information.
510e2ee95b8SHye-Shik Chang
511584fffc8SSebastian Siewiorconfig CRYPTO_SEED
512cf514b2aSRobert Elliott	tristate "SEED"
5131674aea5SArd Biesheuvel	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
514584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
515584fffc8SSebastian Siewior	help
516cf514b2aSRobert Elliott	  SEED cipher algorithm (RFC4269, ISO/IEC 18033-3)
517584fffc8SSebastian Siewior
518584fffc8SSebastian Siewior	  SEED is a 128-bit symmetric key block cipher that has been
519584fffc8SSebastian Siewior	  developed by KISA (Korea Information Security Agency) as a
520584fffc8SSebastian Siewior	  national standard encryption algorithm of the Republic of Korea.
521584fffc8SSebastian Siewior	  It is a 16 round block cipher with the key size of 128 bit.
522584fffc8SSebastian Siewior
523cf514b2aSRobert Elliott	  See https://seed.kisa.or.kr/kisa/algorithm/EgovSeedInfo.do
524cf514b2aSRobert Elliott	  for further information.
525584fffc8SSebastian Siewior
526584fffc8SSebastian Siewiorconfig CRYPTO_SERPENT
527cf514b2aSRobert Elliott	tristate "Serpent"
528584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
529584fffc8SSebastian Siewior	help
530cf514b2aSRobert Elliott	  Serpent cipher algorithm, by Anderson, Biham & Knudsen
531584fffc8SSebastian Siewior
532584fffc8SSebastian Siewior	  Keys are allowed to be from 0 to 256 bits in length, in steps
533784506a1SArd Biesheuvel	  of 8 bits.
534584fffc8SSebastian Siewior
535cf514b2aSRobert Elliott	  See https://www.cl.cam.ac.uk/~rja14/serpent.html for further information.
536584fffc8SSebastian Siewior
537747c8ce4SGilad Ben-Yossefconfig CRYPTO_SM4
538d2825fa9SJason A. Donenfeld	tristate
539d2825fa9SJason A. Donenfeld
540d2825fa9SJason A. Donenfeldconfig CRYPTO_SM4_GENERIC
541cf514b2aSRobert Elliott	tristate "SM4 (ShangMi 4)"
542747c8ce4SGilad Ben-Yossef	select CRYPTO_ALGAPI
543d2825fa9SJason A. Donenfeld	select CRYPTO_SM4
544747c8ce4SGilad Ben-Yossef	help
545cf514b2aSRobert Elliott	  SM4 cipher algorithms (OSCCA GB/T 32907-2016,
546cf514b2aSRobert Elliott	  ISO/IEC 18033-3:2010/Amd 1:2021)
547747c8ce4SGilad Ben-Yossef
548747c8ce4SGilad Ben-Yossef	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
549747c8ce4SGilad Ben-Yossef	  Organization of State Commercial Administration of China (OSCCA)
550747c8ce4SGilad Ben-Yossef	  as an authorized cryptographic algorithms for the use within China.
551747c8ce4SGilad Ben-Yossef
552747c8ce4SGilad Ben-Yossef	  SMS4 was originally created for use in protecting wireless
553747c8ce4SGilad Ben-Yossef	  networks, and is mandated in the Chinese National Standard for
554747c8ce4SGilad Ben-Yossef	  Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
555747c8ce4SGilad Ben-Yossef	  (GB.15629.11-2003).
556747c8ce4SGilad Ben-Yossef
557747c8ce4SGilad Ben-Yossef	  The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
558747c8ce4SGilad Ben-Yossef	  standardized through TC 260 of the Standardization Administration
559747c8ce4SGilad Ben-Yossef	  of the People's Republic of China (SAC).
560747c8ce4SGilad Ben-Yossef
561747c8ce4SGilad Ben-Yossef	  The input, output, and key of SMS4 are each 128 bits.
562747c8ce4SGilad Ben-Yossef
563cf514b2aSRobert Elliott	  See https://eprint.iacr.org/2008/329.pdf for further information.
564747c8ce4SGilad Ben-Yossef
565747c8ce4SGilad Ben-Yossef	  If unsure, say N.
566747c8ce4SGilad Ben-Yossef
567584fffc8SSebastian Siewiorconfig CRYPTO_TEA
568cf514b2aSRobert Elliott	tristate "TEA, XTEA and XETA"
5691674aea5SArd Biesheuvel	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
570584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
571584fffc8SSebastian Siewior	help
572cf514b2aSRobert Elliott	  TEA (Tiny Encryption Algorithm) cipher algorithms
573584fffc8SSebastian Siewior
574584fffc8SSebastian Siewior	  Tiny Encryption Algorithm is a simple cipher that uses
575584fffc8SSebastian Siewior	  many rounds for security.  It is very fast and uses
576584fffc8SSebastian Siewior	  little memory.
577584fffc8SSebastian Siewior
578584fffc8SSebastian Siewior	  Xtendend Tiny Encryption Algorithm is a modification to
579584fffc8SSebastian Siewior	  the TEA algorithm to address a potential key weakness
580584fffc8SSebastian Siewior	  in the TEA algorithm.
581584fffc8SSebastian Siewior
582584fffc8SSebastian Siewior	  Xtendend Encryption Tiny Algorithm is a mis-implementation
583584fffc8SSebastian Siewior	  of the XTEA algorithm for compatibility purposes.
584584fffc8SSebastian Siewior
585584fffc8SSebastian Siewiorconfig CRYPTO_TWOFISH
586cf514b2aSRobert Elliott	tristate "Twofish"
587584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
588584fffc8SSebastian Siewior	select CRYPTO_TWOFISH_COMMON
589584fffc8SSebastian Siewior	help
590cf514b2aSRobert Elliott	  Twofish cipher algorithm
591584fffc8SSebastian Siewior
592584fffc8SSebastian Siewior	  Twofish was submitted as an AES (Advanced Encryption Standard)
593584fffc8SSebastian Siewior	  candidate cipher by researchers at CounterPane Systems.  It is a
594584fffc8SSebastian Siewior	  16 round block cipher supporting key sizes of 128, 192, and 256
595584fffc8SSebastian Siewior	  bits.
596584fffc8SSebastian Siewior
597cf514b2aSRobert Elliott	  See https://www.schneier.com/twofish.html for further information.
598584fffc8SSebastian Siewior
599584fffc8SSebastian Siewiorconfig CRYPTO_TWOFISH_COMMON
600584fffc8SSebastian Siewior	tristate
601584fffc8SSebastian Siewior	help
602584fffc8SSebastian Siewior	  Common parts of the Twofish cipher algorithm shared by the
603584fffc8SSebastian Siewior	  generic c and the assembler implementations.
604584fffc8SSebastian Siewior
605f1f142adSRobert Elliottendmenu
606f1f142adSRobert Elliott
607f1f142adSRobert Elliottmenu "Length-preserving ciphers and modes"
608f1f142adSRobert Elliott
609f1f142adSRobert Elliottconfig CRYPTO_ADIANTUM
610cf514b2aSRobert Elliott	tristate "Adiantum"
611f1f142adSRobert Elliott	select CRYPTO_CHACHA20
612f1f142adSRobert Elliott	select CRYPTO_LIB_POLY1305_GENERIC
613f1f142adSRobert Elliott	select CRYPTO_NHPOLY1305
614f1f142adSRobert Elliott	select CRYPTO_MANAGER
615f1f142adSRobert Elliott	help
616cf514b2aSRobert Elliott	  Adiantum tweakable, length-preserving encryption mode
617cf514b2aSRobert Elliott
618cf514b2aSRobert Elliott	  Designed for fast and secure disk encryption, especially on
619f1f142adSRobert Elliott	  CPUs without dedicated crypto instructions.  It encrypts
620f1f142adSRobert Elliott	  each sector using the XChaCha12 stream cipher, two passes of
621f1f142adSRobert Elliott	  an ε-almost-∆-universal hash function, and an invocation of
622f1f142adSRobert Elliott	  the AES-256 block cipher on a single 16-byte block.  On CPUs
623f1f142adSRobert Elliott	  without AES instructions, Adiantum is much faster than
624f1f142adSRobert Elliott	  AES-XTS.
625f1f142adSRobert Elliott
626f1f142adSRobert Elliott	  Adiantum's security is provably reducible to that of its
627f1f142adSRobert Elliott	  underlying stream and block ciphers, subject to a security
628f1f142adSRobert Elliott	  bound.  Unlike XTS, Adiantum is a true wide-block encryption
629f1f142adSRobert Elliott	  mode, so it actually provides an even stronger notion of
630f1f142adSRobert Elliott	  security than XTS, subject to the security bound.
631f1f142adSRobert Elliott
632f1f142adSRobert Elliott	  If unsure, say N.
633f1f142adSRobert Elliott
634f1f142adSRobert Elliottconfig CRYPTO_ARC4
635cf514b2aSRobert Elliott	tristate "ARC4 (Alleged Rivest Cipher 4)"
636f1f142adSRobert Elliott	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
637f1f142adSRobert Elliott	select CRYPTO_SKCIPHER
638f1f142adSRobert Elliott	select CRYPTO_LIB_ARC4
639f1f142adSRobert Elliott	help
640cf514b2aSRobert Elliott	  ARC4 cipher algorithm
641f1f142adSRobert Elliott
642f1f142adSRobert Elliott	  ARC4 is a stream cipher using keys ranging from 8 bits to 2048
643f1f142adSRobert Elliott	  bits in length.  This algorithm is required for driver-based
644f1f142adSRobert Elliott	  WEP, but it should not be for other purposes because of the
645f1f142adSRobert Elliott	  weakness of the algorithm.
646f1f142adSRobert Elliott
647f1f142adSRobert Elliottconfig CRYPTO_CHACHA20
648cf514b2aSRobert Elliott	tristate "ChaCha"
649879f4754SEric Biggers	select CRYPTO_LIB_CHACHA
650f1f142adSRobert Elliott	select CRYPTO_LIB_CHACHA_GENERIC
651f1f142adSRobert Elliott	select CRYPTO_SKCIPHER
652f1f142adSRobert Elliott	help
653cf514b2aSRobert Elliott	  The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms
654f1f142adSRobert Elliott
655f1f142adSRobert Elliott	  ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
656f1f142adSRobert Elliott	  Bernstein and further specified in RFC7539 for use in IETF protocols.
657cf514b2aSRobert Elliott	  This is the portable C implementation of ChaCha20.  See
658cf514b2aSRobert Elliott	  https://cr.yp.to/chacha/chacha-20080128.pdf for further information.
659f1f142adSRobert Elliott
660f1f142adSRobert Elliott	  XChaCha20 is the application of the XSalsa20 construction to ChaCha20
661f1f142adSRobert Elliott	  rather than to Salsa20.  XChaCha20 extends ChaCha20's nonce length
662f1f142adSRobert Elliott	  from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
663cf514b2aSRobert Elliott	  while provably retaining ChaCha20's security.  See
664cf514b2aSRobert Elliott	  https://cr.yp.to/snuffle/xsalsa-20081128.pdf for further information.
665f1f142adSRobert Elliott
666f1f142adSRobert Elliott	  XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
667f1f142adSRobert Elliott	  reduced security margin but increased performance.  It can be needed
668f1f142adSRobert Elliott	  in some performance-sensitive scenarios.
669f1f142adSRobert Elliott
670f1f142adSRobert Elliottconfig CRYPTO_CBC
671cf514b2aSRobert Elliott	tristate "CBC (Cipher Block Chaining)"
672f1f142adSRobert Elliott	select CRYPTO_SKCIPHER
673f1f142adSRobert Elliott	select CRYPTO_MANAGER
674f1f142adSRobert Elliott	help
675cf514b2aSRobert Elliott	  CBC (Cipher Block Chaining) mode (NIST SP800-38A)
676cf514b2aSRobert Elliott
677cf514b2aSRobert Elliott	  This block cipher mode is required for IPSec ESP (XFRM_ESP).
678f1f142adSRobert Elliott
679f1f142adSRobert Elliottconfig CRYPTO_CTR
680cf514b2aSRobert Elliott	tristate "CTR (Counter)"
681f1f142adSRobert Elliott	select CRYPTO_SKCIPHER
682f1f142adSRobert Elliott	select CRYPTO_MANAGER
683f1f142adSRobert Elliott	help
684cf514b2aSRobert Elliott	  CTR (Counter) mode (NIST SP800-38A)
685f1f142adSRobert Elliott
686f1f142adSRobert Elliottconfig CRYPTO_CTS
687cf514b2aSRobert Elliott	tristate "CTS (Cipher Text Stealing)"
688f1f142adSRobert Elliott	select CRYPTO_SKCIPHER
689f1f142adSRobert Elliott	select CRYPTO_MANAGER
690f1f142adSRobert Elliott	help
691cf514b2aSRobert Elliott	  CBC-CS3 variant of CTS (Cipher Text Stealing) (NIST
692cf514b2aSRobert Elliott	  Addendum to SP800-38A (October 2010))
693cf514b2aSRobert Elliott
694f1f142adSRobert Elliott	  This mode is required for Kerberos gss mechanism support
695f1f142adSRobert Elliott	  for AES encryption.
696f1f142adSRobert Elliott
697f1f142adSRobert Elliottconfig CRYPTO_ECB
698cf514b2aSRobert Elliott	tristate "ECB (Electronic Codebook)"
69984534684SHerbert Xu	select CRYPTO_SKCIPHER2
700f1f142adSRobert Elliott	select CRYPTO_MANAGER
701f1f142adSRobert Elliott	help
702cf514b2aSRobert Elliott	  ECB (Electronic Codebook) mode (NIST SP800-38A)
703f1f142adSRobert Elliott
704f1f142adSRobert Elliottconfig CRYPTO_HCTR2
705cf514b2aSRobert Elliott	tristate "HCTR2"
706f1f142adSRobert Elliott	select CRYPTO_XCTR
707f1f142adSRobert Elliott	select CRYPTO_POLYVAL
708f1f142adSRobert Elliott	select CRYPTO_MANAGER
709f1f142adSRobert Elliott	help
710cf514b2aSRobert Elliott	  HCTR2 length-preserving encryption mode
711cf514b2aSRobert Elliott
712cf514b2aSRobert Elliott	  A mode for storage encryption that is efficient on processors with
713cf514b2aSRobert Elliott	  instructions to accelerate AES and carryless multiplication, e.g.
714cf514b2aSRobert Elliott	  x86 processors with AES-NI and CLMUL, and ARM processors with the
715cf514b2aSRobert Elliott	  ARMv8 crypto extensions.
716cf514b2aSRobert Elliott
717cf514b2aSRobert Elliott	  See https://eprint.iacr.org/2021/1441
718f1f142adSRobert Elliott
719f1f142adSRobert Elliottconfig CRYPTO_LRW
720cf514b2aSRobert Elliott	tristate "LRW (Liskov Rivest Wagner)"
72161c581a4SArd Biesheuvel	select CRYPTO_LIB_GF128MUL
722f1f142adSRobert Elliott	select CRYPTO_SKCIPHER
723f1f142adSRobert Elliott	select CRYPTO_MANAGER
724f1f142adSRobert Elliott	select CRYPTO_ECB
725f1f142adSRobert Elliott	help
726cf514b2aSRobert Elliott	  LRW (Liskov Rivest Wagner) mode
727cf514b2aSRobert Elliott
728cf514b2aSRobert Elliott	  A tweakable, non malleable, non movable
729f1f142adSRobert Elliott	  narrow block cipher mode for dm-crypt.  Use it with cipher
730f1f142adSRobert Elliott	  specification string aes-lrw-benbi, the key must be 256, 320 or 384.
731f1f142adSRobert Elliott	  The first 128, 192 or 256 bits in the key are used for AES and the
732f1f142adSRobert Elliott	  rest is used to tie each cipher block to its logical position.
733f1f142adSRobert Elliott
734cf514b2aSRobert Elliott	  See https://people.csail.mit.edu/rivest/pubs/LRW02.pdf
735cf514b2aSRobert Elliott
736f1f142adSRobert Elliottconfig CRYPTO_PCBC
737cf514b2aSRobert Elliott	tristate "PCBC (Propagating Cipher Block Chaining)"
738f1f142adSRobert Elliott	select CRYPTO_SKCIPHER
739f1f142adSRobert Elliott	select CRYPTO_MANAGER
740f1f142adSRobert Elliott	help
741cf514b2aSRobert Elliott	  PCBC (Propagating Cipher Block Chaining) mode
742cf514b2aSRobert Elliott
743cf514b2aSRobert Elliott	  This block cipher mode is required for RxRPC.
744f1f142adSRobert Elliott
745f1f142adSRobert Elliottconfig CRYPTO_XCTR
746f1f142adSRobert Elliott	tristate
747f1f142adSRobert Elliott	select CRYPTO_SKCIPHER
748f1f142adSRobert Elliott	select CRYPTO_MANAGER
749f1f142adSRobert Elliott	help
750cf514b2aSRobert Elliott	  XCTR (XOR Counter) mode for HCTR2
751cf514b2aSRobert Elliott
752cf514b2aSRobert Elliott	  This blockcipher mode is a variant of CTR mode using XORs and little-endian
753cf514b2aSRobert Elliott	  addition rather than big-endian arithmetic.
754cf514b2aSRobert Elliott
755f1f142adSRobert Elliott	  XCTR mode is used to implement HCTR2.
756f1f142adSRobert Elliott
757f1f142adSRobert Elliottconfig CRYPTO_XTS
758cf514b2aSRobert Elliott	tristate "XTS (XOR Encrypt XOR with ciphertext stealing)"
759f1f142adSRobert Elliott	select CRYPTO_SKCIPHER
760f1f142adSRobert Elliott	select CRYPTO_MANAGER
761f1f142adSRobert Elliott	select CRYPTO_ECB
762f1f142adSRobert Elliott	help
763cf514b2aSRobert Elliott	  XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
764cf514b2aSRobert Elliott	  and IEEE 1619)
765cf514b2aSRobert Elliott
766cf514b2aSRobert Elliott	  Use with aes-xts-plain, key size 256, 384 or 512 bits. This
767cf514b2aSRobert Elliott	  implementation currently can't handle a sectorsize which is not a
768cf514b2aSRobert Elliott	  multiple of 16 bytes.
769f1f142adSRobert Elliott
770f1f142adSRobert Elliottconfig CRYPTO_NHPOLY1305
771f1f142adSRobert Elliott	tristate
772f1f142adSRobert Elliott	select CRYPTO_HASH
773f1f142adSRobert Elliott	select CRYPTO_LIB_POLY1305_GENERIC
774f1f142adSRobert Elliott
775f1f142adSRobert Elliottendmenu
776f1f142adSRobert Elliott
777f1f142adSRobert Elliottmenu "AEAD (authenticated encryption with associated data) ciphers"
778f1f142adSRobert Elliott
779f1f142adSRobert Elliottconfig CRYPTO_AEGIS128
780e3d2eaddSRobert Elliott	tristate "AEGIS-128"
781f1f142adSRobert Elliott	select CRYPTO_AEAD
782f1f142adSRobert Elliott	select CRYPTO_AES  # for AES S-box tables
783f1f142adSRobert Elliott	help
784e3d2eaddSRobert Elliott	  AEGIS-128 AEAD algorithm
785f1f142adSRobert Elliott
786f1f142adSRobert Elliottconfig CRYPTO_AEGIS128_SIMD
787e3d2eaddSRobert Elliott	bool "AEGIS-128 (arm NEON, arm64 NEON)"
788f1f142adSRobert Elliott	depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
789f1f142adSRobert Elliott	default y
790e3d2eaddSRobert Elliott	help
791e3d2eaddSRobert Elliott	  AEGIS-128 AEAD algorithm
792e3d2eaddSRobert Elliott
793e3d2eaddSRobert Elliott	  Architecture: arm or arm64 using:
794e3d2eaddSRobert Elliott	  - NEON (Advanced SIMD) extension
795f1f142adSRobert Elliott
796f1f142adSRobert Elliottconfig CRYPTO_CHACHA20POLY1305
797e3d2eaddSRobert Elliott	tristate "ChaCha20-Poly1305"
798f1f142adSRobert Elliott	select CRYPTO_CHACHA20
799f1f142adSRobert Elliott	select CRYPTO_AEAD
800a298765eSHerbert Xu	select CRYPTO_LIB_POLY1305
801f1f142adSRobert Elliott	select CRYPTO_MANAGER
802f1f142adSRobert Elliott	help
803e3d2eaddSRobert Elliott	  ChaCha20 stream cipher and Poly1305 authenticator combined
804e3d2eaddSRobert Elliott	  mode (RFC8439)
805f1f142adSRobert Elliott
806f1f142adSRobert Elliottconfig CRYPTO_CCM
807cf514b2aSRobert Elliott	tristate "CCM (Counter with Cipher Block Chaining-MAC)"
808f1f142adSRobert Elliott	select CRYPTO_CTR
809f1f142adSRobert Elliott	select CRYPTO_HASH
810f1f142adSRobert Elliott	select CRYPTO_AEAD
811f1f142adSRobert Elliott	select CRYPTO_MANAGER
812f1f142adSRobert Elliott	help
813e3d2eaddSRobert Elliott	  CCM (Counter with Cipher Block Chaining-Message Authentication Code)
814e3d2eaddSRobert Elliott	  authenticated encryption mode (NIST SP800-38C)
815f1f142adSRobert Elliott
816f1f142adSRobert Elliottconfig CRYPTO_GCM
817cf514b2aSRobert Elliott	tristate "GCM (Galois/Counter Mode) and GMAC (GCM MAC)"
818f1f142adSRobert Elliott	select CRYPTO_CTR
819f1f142adSRobert Elliott	select CRYPTO_AEAD
820f1f142adSRobert Elliott	select CRYPTO_GHASH
821f1f142adSRobert Elliott	select CRYPTO_MANAGER
822f1f142adSRobert Elliott	help
823e3d2eaddSRobert Elliott	  GCM (Galois/Counter Mode) authenticated encryption mode and GMAC
824e3d2eaddSRobert Elliott	  (GCM Message Authentication Code) (NIST SP800-38D)
825e3d2eaddSRobert Elliott
826e3d2eaddSRobert Elliott	  This is required for IPSec ESP (XFRM_ESP).
827f1f142adSRobert Elliott
828ba51738fSHerbert Xuconfig CRYPTO_GENIV
829ba51738fSHerbert Xu	tristate
830ba51738fSHerbert Xu	select CRYPTO_AEAD
831ba51738fSHerbert Xu	select CRYPTO_MANAGER
832ba51738fSHerbert Xu	select CRYPTO_RNG_DEFAULT
833ba51738fSHerbert Xu
834f1f142adSRobert Elliottconfig CRYPTO_SEQIV
835f1f142adSRobert Elliott	tristate "Sequence Number IV Generator"
836ba51738fSHerbert Xu	select CRYPTO_GENIV
837f1f142adSRobert Elliott	help
838e3d2eaddSRobert Elliott	  Sequence Number IV generator
839e3d2eaddSRobert Elliott
840f1f142adSRobert Elliott	  This IV generator generates an IV based on a sequence number by
841e3d2eaddSRobert Elliott	  xoring it with a salt.  This algorithm is mainly useful for CTR.
842e3d2eaddSRobert Elliott
843e3d2eaddSRobert Elliott	  This is required for IPsec ESP (XFRM_ESP).
844f1f142adSRobert Elliott
845f1f142adSRobert Elliottconfig CRYPTO_ECHAINIV
846f1f142adSRobert Elliott	tristate "Encrypted Chain IV Generator"
847ba51738fSHerbert Xu	select CRYPTO_GENIV
848f1f142adSRobert Elliott	help
849e3d2eaddSRobert Elliott	  Encrypted Chain IV generator
850e3d2eaddSRobert Elliott
851f1f142adSRobert Elliott	  This IV generator generates an IV based on the encryption of
852f1f142adSRobert Elliott	  a sequence number xored with a salt.  This is the default
853f1f142adSRobert Elliott	  algorithm for CBC.
854f1f142adSRobert Elliott
855f1f142adSRobert Elliottconfig CRYPTO_ESSIV
856e3d2eaddSRobert Elliott	tristate "Encrypted Salt-Sector IV Generator"
857f1f142adSRobert Elliott	select CRYPTO_AUTHENC
858f1f142adSRobert Elliott	help
859e3d2eaddSRobert Elliott	  Encrypted Salt-Sector IV generator
860e3d2eaddSRobert Elliott
861e3d2eaddSRobert Elliott	  This IV generator is used in some cases by fscrypt and/or
862f1f142adSRobert Elliott	  dm-crypt. It uses the hash of the block encryption key as the
863f1f142adSRobert Elliott	  symmetric key for a block encryption pass applied to the input
864f1f142adSRobert Elliott	  IV, making low entropy IV sources more suitable for block
865f1f142adSRobert Elliott	  encryption.
866f1f142adSRobert Elliott
867f1f142adSRobert Elliott	  This driver implements a crypto API template that can be
868f1f142adSRobert Elliott	  instantiated either as an skcipher or as an AEAD (depending on the
869f1f142adSRobert Elliott	  type of the first template argument), and which defers encryption
870f1f142adSRobert Elliott	  and decryption requests to the encapsulated cipher after applying
871f1f142adSRobert Elliott	  ESSIV to the input IV. Note that in the AEAD case, it is assumed
872f1f142adSRobert Elliott	  that the keys are presented in the same format used by the authenc
873f1f142adSRobert Elliott	  template, and that the IV appears at the end of the authenticated
874f1f142adSRobert Elliott	  associated data (AAD) region (which is how dm-crypt uses it.)
875f1f142adSRobert Elliott
876f1f142adSRobert Elliott	  Note that the use of ESSIV is not recommended for new deployments,
877f1f142adSRobert Elliott	  and so this only needs to be enabled when interoperability with
878f1f142adSRobert Elliott	  existing encrypted volumes of filesystems is required, or when
879f1f142adSRobert Elliott	  building for a particular system that requires it (e.g., when
880f1f142adSRobert Elliott	  the SoC in question has accelerated CBC but not XTS, making CBC
881f1f142adSRobert Elliott	  combined with ESSIV the only feasible mode for h/w accelerated
882f1f142adSRobert Elliott	  block encryption)
883f1f142adSRobert Elliott
884f1f142adSRobert Elliottendmenu
885f1f142adSRobert Elliott
886f1f142adSRobert Elliottmenu "Hashes, digests, and MACs"
887f1f142adSRobert Elliott
888f1f142adSRobert Elliottconfig CRYPTO_BLAKE2B
8893f342a23SRobert Elliott	tristate "BLAKE2b"
890f1f142adSRobert Elliott	select CRYPTO_HASH
891f1f142adSRobert Elliott	help
8923f342a23SRobert Elliott	  BLAKE2b cryptographic hash function (RFC 7693)
8933f342a23SRobert Elliott
8943f342a23SRobert Elliott	  BLAKE2b is optimized for 64-bit platforms and can produce digests
8953f342a23SRobert Elliott	  of any size between 1 and 64 bytes. The keyed hash is also implemented.
896f1f142adSRobert Elliott
897f1f142adSRobert Elliott	  This module provides the following algorithms:
898f1f142adSRobert Elliott	  - blake2b-160
899f1f142adSRobert Elliott	  - blake2b-256
900f1f142adSRobert Elliott	  - blake2b-384
901f1f142adSRobert Elliott	  - blake2b-512
902f1f142adSRobert Elliott
9033f342a23SRobert Elliott	  Used by the btrfs filesystem.
9043f342a23SRobert Elliott
9053f342a23SRobert Elliott	  See https://blake2.net for further information.
9063f342a23SRobert Elliott
907f1f142adSRobert Elliottconfig CRYPTO_CMAC
9083f342a23SRobert Elliott	tristate "CMAC (Cipher-based MAC)"
909f1f142adSRobert Elliott	select CRYPTO_HASH
910f1f142adSRobert Elliott	select CRYPTO_MANAGER
911f1f142adSRobert Elliott	help
9123f342a23SRobert Elliott	  CMAC (Cipher-based Message Authentication Code) authentication
9133f342a23SRobert Elliott	  mode (NIST SP800-38B and IETF RFC4493)
914f1f142adSRobert Elliott
915f1f142adSRobert Elliottconfig CRYPTO_GHASH
9163f342a23SRobert Elliott	tristate "GHASH"
917f1f142adSRobert Elliott	select CRYPTO_HASH
91861c581a4SArd Biesheuvel	select CRYPTO_LIB_GF128MUL
919f1f142adSRobert Elliott	help
9203f342a23SRobert Elliott	  GCM GHASH function (NIST SP800-38D)
921f1f142adSRobert Elliott
922f1f142adSRobert Elliottconfig CRYPTO_HMAC
9233f342a23SRobert Elliott	tristate "HMAC (Keyed-Hash MAC)"
924f1f142adSRobert Elliott	select CRYPTO_HASH
925f1f142adSRobert Elliott	select CRYPTO_MANAGER
926f1f142adSRobert Elliott	help
9273f342a23SRobert Elliott	  HMAC (Keyed-Hash Message Authentication Code) (FIPS 198 and
9283f342a23SRobert Elliott	  RFC2104)
9293f342a23SRobert Elliott
9303f342a23SRobert Elliott	  This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
931f1f142adSRobert Elliott
932f1f142adSRobert Elliottconfig CRYPTO_MD4
9333f342a23SRobert Elliott	tristate "MD4"
934f1f142adSRobert Elliott	select CRYPTO_HASH
935f1f142adSRobert Elliott	help
9363f342a23SRobert Elliott	  MD4 message digest algorithm (RFC1320)
937f1f142adSRobert Elliott
938f1f142adSRobert Elliottconfig CRYPTO_MD5
9393f342a23SRobert Elliott	tristate "MD5"
940f1f142adSRobert Elliott	select CRYPTO_HASH
941f1f142adSRobert Elliott	help
9423f342a23SRobert Elliott	  MD5 message digest algorithm (RFC1321)
943f1f142adSRobert Elliott
944f1f142adSRobert Elliottconfig CRYPTO_MICHAEL_MIC
9453f342a23SRobert Elliott	tristate "Michael MIC"
946f1f142adSRobert Elliott	select CRYPTO_HASH
947f1f142adSRobert Elliott	help
9483f342a23SRobert Elliott	  Michael MIC (Message Integrity Code) (IEEE 802.11i)
9493f342a23SRobert Elliott
9503f342a23SRobert Elliott	  Defined by the IEEE 802.11i TKIP (Temporal Key Integrity Protocol),
9513f342a23SRobert Elliott	  known as WPA (Wif-Fi Protected Access).
9523f342a23SRobert Elliott
9533f342a23SRobert Elliott	  This algorithm is required for TKIP, but it should not be used for
9543f342a23SRobert Elliott	  other purposes because of the weakness of the algorithm.
955f1f142adSRobert Elliott
956f1f142adSRobert Elliottconfig CRYPTO_POLYVAL
957f1f142adSRobert Elliott	tristate
958f1f142adSRobert Elliott	select CRYPTO_HASH
95961c581a4SArd Biesheuvel	select CRYPTO_LIB_GF128MUL
960f1f142adSRobert Elliott	help
9613f342a23SRobert Elliott	  POLYVAL hash function for HCTR2
9623f342a23SRobert Elliott
9633f342a23SRobert Elliott	  This is used in HCTR2.  It is not a general-purpose
964f1f142adSRobert Elliott	  cryptographic hash function.
965f1f142adSRobert Elliott
966f1f142adSRobert Elliottconfig CRYPTO_RMD160
9673f342a23SRobert Elliott	tristate "RIPEMD-160"
968f1f142adSRobert Elliott	select CRYPTO_HASH
969f1f142adSRobert Elliott	help
9703f342a23SRobert Elliott	  RIPEMD-160 hash function (ISO/IEC 10118-3)
971f1f142adSRobert Elliott
972f1f142adSRobert Elliott	  RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
973f1f142adSRobert Elliott	  to be used as a secure replacement for the 128-bit hash functions
974f1f142adSRobert Elliott	  MD4, MD5 and its predecessor RIPEMD
975f1f142adSRobert Elliott	  (not to be confused with RIPEMD-128).
976f1f142adSRobert Elliott
9773f342a23SRobert Elliott	  Its speed is comparable to SHA-1 and there are no known attacks
978f1f142adSRobert Elliott	  against RIPEMD-160.
979f1f142adSRobert Elliott
980f1f142adSRobert Elliott	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
9813f342a23SRobert Elliott	  See https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
9823f342a23SRobert Elliott	  for further information.
983f1f142adSRobert Elliott
984f1f142adSRobert Elliottconfig CRYPTO_SHA1
9853f342a23SRobert Elliott	tristate "SHA-1"
986f1f142adSRobert Elliott	select CRYPTO_HASH
987f1f142adSRobert Elliott	select CRYPTO_LIB_SHA1
988f1f142adSRobert Elliott	help
9893f342a23SRobert Elliott	  SHA-1 secure hash algorithm (FIPS 180, ISO/IEC 10118-3)
990f1f142adSRobert Elliott
991f1f142adSRobert Elliottconfig CRYPTO_SHA256
9923f342a23SRobert Elliott	tristate "SHA-224 and SHA-256"
993f1f142adSRobert Elliott	select CRYPTO_HASH
994f1f142adSRobert Elliott	select CRYPTO_LIB_SHA256
995950e5c84SEric Biggers	select CRYPTO_LIB_SHA256_GENERIC
996f1f142adSRobert Elliott	help
9973f342a23SRobert Elliott	  SHA-224 and SHA-256 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
998f1f142adSRobert Elliott
9993f342a23SRobert Elliott	  This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
10003f342a23SRobert Elliott	  Used by the btrfs filesystem, Ceph, NFS, and SMB.
1001f1f142adSRobert Elliott
1002f1f142adSRobert Elliottconfig CRYPTO_SHA512
10033f342a23SRobert Elliott	tristate "SHA-384 and SHA-512"
1004f1f142adSRobert Elliott	select CRYPTO_HASH
1005f1f142adSRobert Elliott	help
10063f342a23SRobert Elliott	  SHA-384 and SHA-512 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
1007f1f142adSRobert Elliott
1008f1f142adSRobert Elliottconfig CRYPTO_SHA3
10093f342a23SRobert Elliott	tristate "SHA-3"
1010f1f142adSRobert Elliott	select CRYPTO_HASH
1011f1f142adSRobert Elliott	help
10123f342a23SRobert Elliott	  SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3)
1013f1f142adSRobert Elliott
1014f1f142adSRobert Elliottconfig CRYPTO_SM3_GENERIC
10153f342a23SRobert Elliott	tristate "SM3 (ShangMi 3)"
1016f1f142adSRobert Elliott	select CRYPTO_HASH
1017f4065b2fSHerbert Xu	select CRYPTO_LIB_SM3
1018f1f142adSRobert Elliott	help
10193f342a23SRobert Elliott	  SM3 (ShangMi 3) secure hash function (OSCCA GM/T 0004-2012, ISO/IEC 10118-3)
10203f342a23SRobert Elliott
10213f342a23SRobert Elliott	  This is part of the Chinese Commercial Cryptography suite.
1022f1f142adSRobert Elliott
1023f1f142adSRobert Elliott	  References:
1024f1f142adSRobert Elliott	  http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
1025f1f142adSRobert Elliott	  https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
1026f1f142adSRobert Elliott
1027f1f142adSRobert Elliottconfig CRYPTO_STREEBOG
10283f342a23SRobert Elliott	tristate "Streebog"
1029f1f142adSRobert Elliott	select CRYPTO_HASH
1030f1f142adSRobert Elliott	help
10313f342a23SRobert Elliott	  Streebog Hash Function (GOST R 34.11-2012, RFC 6986, ISO/IEC 10118-3)
10323f342a23SRobert Elliott
10333f342a23SRobert Elliott	  This is one of the Russian cryptographic standard algorithms (called
10343f342a23SRobert Elliott	  GOST algorithms). This setting enables two hash algorithms with
10353f342a23SRobert Elliott	  256 and 512 bits output.
1036f1f142adSRobert Elliott
1037f1f142adSRobert Elliott	  References:
1038f1f142adSRobert Elliott	  https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1039f1f142adSRobert Elliott	  https://tools.ietf.org/html/rfc6986
1040f1f142adSRobert Elliott
1041f1f142adSRobert Elliottconfig CRYPTO_WP512
10423f342a23SRobert Elliott	tristate "Whirlpool"
1043f1f142adSRobert Elliott	select CRYPTO_HASH
1044f1f142adSRobert Elliott	help
10453f342a23SRobert Elliott	  Whirlpool hash function (ISO/IEC 10118-3)
10463f342a23SRobert Elliott
10473f342a23SRobert Elliott	  512, 384 and 256-bit hashes.
1048f1f142adSRobert Elliott
1049f1f142adSRobert Elliott	  Whirlpool-512 is part of the NESSIE cryptographic primitives.
1050f1f142adSRobert Elliott
10513f342a23SRobert Elliott	  See https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
10523f342a23SRobert Elliott	  for further information.
1053f1f142adSRobert Elliott
1054f1f142adSRobert Elliottconfig CRYPTO_XCBC
10553f342a23SRobert Elliott	tristate "XCBC-MAC (Extended Cipher Block Chaining MAC)"
1056f1f142adSRobert Elliott	select CRYPTO_HASH
1057f1f142adSRobert Elliott	select CRYPTO_MANAGER
1058f1f142adSRobert Elliott	help
10593f342a23SRobert Elliott	  XCBC-MAC (Extended Cipher Block Chaining Message Authentication
10603f342a23SRobert Elliott	  Code) (RFC3566)
1061f1f142adSRobert Elliott
1062f1f142adSRobert Elliottconfig CRYPTO_XXHASH
10633f342a23SRobert Elliott	tristate "xxHash"
1064f1f142adSRobert Elliott	select CRYPTO_HASH
1065f1f142adSRobert Elliott	select XXHASH
1066f1f142adSRobert Elliott	help
10673f342a23SRobert Elliott	  xxHash non-cryptographic hash algorithm
10683f342a23SRobert Elliott
10693f342a23SRobert Elliott	  Extremely fast, working at speeds close to RAM limits.
10703f342a23SRobert Elliott
10713f342a23SRobert Elliott	  Used by the btrfs filesystem.
1072f1f142adSRobert Elliott
1073f1f142adSRobert Elliottendmenu
1074f1f142adSRobert Elliott
1075f1f142adSRobert Elliottmenu "CRCs (cyclic redundancy checks)"
1076f1f142adSRobert Elliott
1077f1f142adSRobert Elliottconfig CRYPTO_CRC32C
1078ec84348dSRobert Elliott	tristate "CRC32c"
1079f1f142adSRobert Elliott	select CRYPTO_HASH
1080f1f142adSRobert Elliott	select CRC32
1081f1f142adSRobert Elliott	help
1082ec84348dSRobert Elliott	  CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720)
1083ec84348dSRobert Elliott
1084ec84348dSRobert Elliott	  A 32-bit CRC (cyclic redundancy check) with a polynomial defined
1085ec84348dSRobert Elliott	  by G. Castagnoli, S. Braeuer and M. Herrman in "Optimization of Cyclic
1086ec84348dSRobert Elliott	  Redundancy-Check Codes with 24 and 32 Parity Bits", IEEE Transactions
1087ec84348dSRobert Elliott	  on Communications, Vol. 41, No. 6, June 1993, selected for use with
1088ec84348dSRobert Elliott	  iSCSI.
1089ec84348dSRobert Elliott
1090ec84348dSRobert Elliott	  Used by btrfs, ext4, jbd2, NVMeoF/TCP, and iSCSI.
1091f1f142adSRobert Elliott
1092f1f142adSRobert Elliottconfig CRYPTO_CRC32
1093ec84348dSRobert Elliott	tristate "CRC32"
1094f1f142adSRobert Elliott	select CRYPTO_HASH
1095f1f142adSRobert Elliott	select CRC32
1096f1f142adSRobert Elliott	help
1097ec84348dSRobert Elliott	  CRC32 CRC algorithm (IEEE 802.3)
1098ec84348dSRobert Elliott
1099ec84348dSRobert Elliott	  Used by RoCEv2 and f2fs.
1100f1f142adSRobert Elliott
1101f1f142adSRobert Elliottendmenu
1102f1f142adSRobert Elliott
1103f1f142adSRobert Elliottmenu "Compression"
1104584fffc8SSebastian Siewior
11051da177e4SLinus Torvaldsconfig CRYPTO_DEFLATE
1106a9a98d49SRobert Elliott	tristate "Deflate"
1107cce9e06dSHerbert Xu	select CRYPTO_ALGAPI
1108f6ded09dSGiovanni Cabiddu	select CRYPTO_ACOMP2
11091da177e4SLinus Torvalds	select ZLIB_INFLATE
11101da177e4SLinus Torvalds	select ZLIB_DEFLATE
11111da177e4SLinus Torvalds	help
1112a9a98d49SRobert Elliott	  Deflate compression algorithm (RFC1951)
11131da177e4SLinus Torvalds
1114a9a98d49SRobert Elliott	  Used by IPSec with the IPCOMP protocol (RFC3173, RFC2394)
11151da177e4SLinus Torvalds
11160b77abb3SZoltan Sogorconfig CRYPTO_LZO
1117a9a98d49SRobert Elliott	tristate "LZO"
11180b77abb3SZoltan Sogor	select CRYPTO_ALGAPI
1119ac9d2c4bSGiovanni Cabiddu	select CRYPTO_ACOMP2
11200b77abb3SZoltan Sogor	select LZO_COMPRESS
11210b77abb3SZoltan Sogor	select LZO_DECOMPRESS
11220b77abb3SZoltan Sogor	help
1123a9a98d49SRobert Elliott	  LZO compression algorithm
1124a9a98d49SRobert Elliott
1125a9a98d49SRobert Elliott	  See https://www.oberhumer.com/opensource/lzo/ for further information.
11260b77abb3SZoltan Sogor
112735a1fc18SSeth Jenningsconfig CRYPTO_842
1128a9a98d49SRobert Elliott	tristate "842"
11292062c5b6SDan Streetman	select CRYPTO_ALGAPI
11306a8de3aeSGiovanni Cabiddu	select CRYPTO_ACOMP2
11312062c5b6SDan Streetman	select 842_COMPRESS
11322062c5b6SDan Streetman	select 842_DECOMPRESS
113335a1fc18SSeth Jennings	help
1134a9a98d49SRobert Elliott	  842 compression algorithm by IBM
1135a9a98d49SRobert Elliott
1136a9a98d49SRobert Elliott	  See https://github.com/plauth/lib842 for further information.
113735a1fc18SSeth Jennings
11380ea8530dSChanho Minconfig CRYPTO_LZ4
1139a9a98d49SRobert Elliott	tristate "LZ4"
11400ea8530dSChanho Min	select CRYPTO_ALGAPI
11418cd9330eSGiovanni Cabiddu	select CRYPTO_ACOMP2
11420ea8530dSChanho Min	select LZ4_COMPRESS
11430ea8530dSChanho Min	select LZ4_DECOMPRESS
11440ea8530dSChanho Min	help
1145a9a98d49SRobert Elliott	  LZ4 compression algorithm
1146a9a98d49SRobert Elliott
1147a9a98d49SRobert Elliott	  See https://github.com/lz4/lz4 for further information.
11480ea8530dSChanho Min
11490ea8530dSChanho Minconfig CRYPTO_LZ4HC
1150a9a98d49SRobert Elliott	tristate "LZ4HC"
11510ea8530dSChanho Min	select CRYPTO_ALGAPI
115291d53d96SGiovanni Cabiddu	select CRYPTO_ACOMP2
11530ea8530dSChanho Min	select LZ4HC_COMPRESS
11540ea8530dSChanho Min	select LZ4_DECOMPRESS
11550ea8530dSChanho Min	help
1156a9a98d49SRobert Elliott	  LZ4 high compression mode algorithm
1157a9a98d49SRobert Elliott
1158a9a98d49SRobert Elliott	  See https://github.com/lz4/lz4 for further information.
11590ea8530dSChanho Min
1160d28fc3dbSNick Terrellconfig CRYPTO_ZSTD
1161a9a98d49SRobert Elliott	tristate "Zstd"
1162d28fc3dbSNick Terrell	select CRYPTO_ALGAPI
1163d28fc3dbSNick Terrell	select CRYPTO_ACOMP2
1164d28fc3dbSNick Terrell	select ZSTD_COMPRESS
1165d28fc3dbSNick Terrell	select ZSTD_DECOMPRESS
1166d28fc3dbSNick Terrell	help
1167a9a98d49SRobert Elliott	  zstd compression algorithm
1168a9a98d49SRobert Elliott
1169a9a98d49SRobert Elliott	  See https://github.com/facebook/zstd for further information.
1170d28fc3dbSNick Terrell
1171f1f142adSRobert Elliottendmenu
1172f1f142adSRobert Elliott
1173f1f142adSRobert Elliottmenu "Random number generation"
117417f0f4a4SNeil Horman
117517f0f4a4SNeil Hormanconfig CRYPTO_ANSI_CPRNG
1176a9a98d49SRobert Elliott	tristate "ANSI PRNG (Pseudo Random Number Generator)"
117717f0f4a4SNeil Horman	select CRYPTO_AES
117817f0f4a4SNeil Horman	select CRYPTO_RNG
117917f0f4a4SNeil Horman	help
1180a9a98d49SRobert Elliott	  Pseudo RNG (random number generator) (ANSI X9.31 Appendix A.2.4)
1181a9a98d49SRobert Elliott
1182a9a98d49SRobert Elliott	  This uses the AES cipher algorithm.
1183a9a98d49SRobert Elliott
1184a9a98d49SRobert Elliott	  Note that this option must be enabled if CRYPTO_FIPS is selected
118517f0f4a4SNeil Horman
1186f2c89a10SHerbert Xumenuconfig CRYPTO_DRBG_MENU
1187a9a98d49SRobert Elliott	tristate "NIST SP800-90A DRBG (Deterministic Random Bit Generator)"
1188419090c6SStephan Mueller	help
1189a9a98d49SRobert Elliott	  DRBG (Deterministic Random Bit Generator) (NIST SP800-90A)
1190a9a98d49SRobert Elliott
1191a9a98d49SRobert Elliott	  In the following submenu, one or more of the DRBG types must be selected.
1192419090c6SStephan Mueller
1193f2c89a10SHerbert Xuif CRYPTO_DRBG_MENU
1194419090c6SStephan Mueller
1195419090c6SStephan Muellerconfig CRYPTO_DRBG_HMAC
1196401e4238SHerbert Xu	bool
1197419090c6SStephan Mueller	default y
1198419090c6SStephan Mueller	select CRYPTO_HMAC
11995261cdf4SStephan Mueller	select CRYPTO_SHA512
1200419090c6SStephan Mueller
1201419090c6SStephan Muellerconfig CRYPTO_DRBG_HASH
1202a9a98d49SRobert Elliott	bool "Hash_DRBG"
1203826775bbSHerbert Xu	select CRYPTO_SHA256
1204419090c6SStephan Mueller	help
1205a9a98d49SRobert Elliott	  Hash_DRBG variant as defined in NIST SP800-90A.
1206a9a98d49SRobert Elliott
1207a9a98d49SRobert Elliott	  This uses the SHA-1, SHA-256, SHA-384, or SHA-512 hash algorithms.
1208419090c6SStephan Mueller
1209419090c6SStephan Muellerconfig CRYPTO_DRBG_CTR
1210a9a98d49SRobert Elliott	bool "CTR_DRBG"
1211419090c6SStephan Mueller	select CRYPTO_AES
1212d6fc1a45SCorentin Labbe	select CRYPTO_CTR
1213419090c6SStephan Mueller	help
1214a9a98d49SRobert Elliott	  CTR_DRBG variant as defined in NIST SP800-90A.
1215a9a98d49SRobert Elliott
1216a9a98d49SRobert Elliott	  This uses the AES cipher algorithm with the counter block mode.
1217419090c6SStephan Mueller
1218f2c89a10SHerbert Xuconfig CRYPTO_DRBG
1219f2c89a10SHerbert Xu	tristate
1220401e4238SHerbert Xu	default CRYPTO_DRBG_MENU
1221f2c89a10SHerbert Xu	select CRYPTO_RNG
1222bb5530e4SStephan Mueller	select CRYPTO_JITTERENTROPY
1223f2c89a10SHerbert Xu
1224f2c89a10SHerbert Xuendif	# if CRYPTO_DRBG_MENU
1225419090c6SStephan Mueller
1226bb5530e4SStephan Muellerconfig CRYPTO_JITTERENTROPY
1227a9a98d49SRobert Elliott	tristate "CPU Jitter Non-Deterministic RNG (Random Number Generator)"
12282f313e02SArnd Bergmann	select CRYPTO_RNG
1229bb897c55SStephan Müller	select CRYPTO_SHA3
1230bb5530e4SStephan Mueller	help
1231a9a98d49SRobert Elliott	  CPU Jitter RNG (Random Number Generator) from the Jitterentropy library
1232a9a98d49SRobert Elliott
1233a9a98d49SRobert Elliott	  A non-physical non-deterministic ("true") RNG (e.g., an entropy source
1234a9a98d49SRobert Elliott	  compliant with NIST SP800-90B) intended to provide a seed to a
1235e63df1ecSRandy Dunlap	  deterministic RNG (e.g., per NIST SP800-90C).
1236a9a98d49SRobert Elliott	  This RNG does not perform any cryptographic whitening of the generated
1237e63df1ecSRandy Dunlap	  random numbers.
1238a9a98d49SRobert Elliott
1239e63df1ecSRandy Dunlap	  See https://www.chronox.de/jent/
1240bb5530e4SStephan Mueller
1241e7ed6473SHerbert Xuif CRYPTO_JITTERENTROPY
1242e7ed6473SHerbert Xuif CRYPTO_FIPS && EXPERT
1243e7ed6473SHerbert Xu
124459bcfd78SStephan Müllerchoice
124559bcfd78SStephan Müller	prompt "CPU Jitter RNG Memory Size"
124659bcfd78SStephan Müller	default CRYPTO_JITTERENTROPY_MEMSIZE_2
124759bcfd78SStephan Müller	help
124859bcfd78SStephan Müller	  The Jitter RNG measures the execution time of memory accesses.
124959bcfd78SStephan Müller	  Multiple consecutive memory accesses are performed. If the memory
125059bcfd78SStephan Müller	  size fits into a cache (e.g. L1), only the memory access timing
125159bcfd78SStephan Müller	  to that cache is measured. The closer the cache is to the CPU
125259bcfd78SStephan Müller	  the less variations are measured and thus the less entropy is
125359bcfd78SStephan Müller	  obtained. Thus, if the memory size fits into the L1 cache, the
125459bcfd78SStephan Müller	  obtained entropy is less than if the memory size fits within
125559bcfd78SStephan Müller	  L1 + L2, which in turn is less if the memory fits into
125659bcfd78SStephan Müller	  L1 + L2 + L3. Thus, by selecting a different memory size,
125759bcfd78SStephan Müller	  the entropy rate produced by the Jitter RNG can be modified.
125859bcfd78SStephan Müller
125959bcfd78SStephan Müller	config CRYPTO_JITTERENTROPY_MEMSIZE_2
126059bcfd78SStephan Müller		bool "2048 Bytes (default)"
126159bcfd78SStephan Müller
126259bcfd78SStephan Müller	config CRYPTO_JITTERENTROPY_MEMSIZE_128
126359bcfd78SStephan Müller		bool "128 kBytes"
126459bcfd78SStephan Müller
126559bcfd78SStephan Müller	config CRYPTO_JITTERENTROPY_MEMSIZE_1024
126659bcfd78SStephan Müller		bool "1024 kBytes"
126759bcfd78SStephan Müller
126859bcfd78SStephan Müller	config CRYPTO_JITTERENTROPY_MEMSIZE_8192
126959bcfd78SStephan Müller		bool "8192 kBytes"
127059bcfd78SStephan Müllerendchoice
127159bcfd78SStephan Müller
127259bcfd78SStephan Müllerconfig CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
127359bcfd78SStephan Müller	int
127459bcfd78SStephan Müller	default 64 if CRYPTO_JITTERENTROPY_MEMSIZE_2
127559bcfd78SStephan Müller	default 512 if CRYPTO_JITTERENTROPY_MEMSIZE_128
127659bcfd78SStephan Müller	default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
127759bcfd78SStephan Müller	default 4096 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
127859bcfd78SStephan Müller
127959bcfd78SStephan Müllerconfig CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
128059bcfd78SStephan Müller	int
128159bcfd78SStephan Müller	default 32 if CRYPTO_JITTERENTROPY_MEMSIZE_2
128259bcfd78SStephan Müller	default 256 if CRYPTO_JITTERENTROPY_MEMSIZE_128
128359bcfd78SStephan Müller	default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
128459bcfd78SStephan Müller	default 2048 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
128559bcfd78SStephan Müller
12860baa8fabSStephan Müllerconfig CRYPTO_JITTERENTROPY_OSR
12870baa8fabSStephan Müller	int "CPU Jitter RNG Oversampling Rate"
12880baa8fabSStephan Müller	range 1 15
128995a798d2SStephan Mueller	default 3
12900baa8fabSStephan Müller	help
12910baa8fabSStephan Müller	  The Jitter RNG allows the specification of an oversampling rate (OSR).
12920baa8fabSStephan Müller	  The Jitter RNG operation requires a fixed amount of timing
12930baa8fabSStephan Müller	  measurements to produce one output block of random numbers. The
12940baa8fabSStephan Müller	  OSR value is multiplied with the amount of timing measurements to
12950baa8fabSStephan Müller	  generate one output block. Thus, the timing measurement is oversampled
12960baa8fabSStephan Müller	  by the OSR factor. The oversampling allows the Jitter RNG to operate
12970baa8fabSStephan Müller	  on hardware whose timers deliver limited amount of entropy (e.g.
12980baa8fabSStephan Müller	  the timer is coarse) by setting the OSR to a higher value. The
12990baa8fabSStephan Müller	  trade-off, however, is that the Jitter RNG now requires more time
13000baa8fabSStephan Müller	  to generate random numbers.
13010baa8fabSStephan Müller
130269f1c387SStephan Müllerconfig CRYPTO_JITTERENTROPY_TESTINTERFACE
130369f1c387SStephan Müller	bool "CPU Jitter RNG Test Interface"
130469f1c387SStephan Müller	help
130569f1c387SStephan Müller	  The test interface allows a privileged process to capture
130669f1c387SStephan Müller	  the raw unconditioned high resolution time stamp noise that
130769f1c387SStephan Müller	  is collected by the Jitter RNG for statistical analysis. As
130869f1c387SStephan Müller	  this data is used at the same time to generate random bits,
130969f1c387SStephan Müller	  the Jitter RNG operates in an insecure mode as long as the
131069f1c387SStephan Müller	  recording is enabled. This interface therefore is only
131169f1c387SStephan Müller	  intended for testing purposes and is not suitable for
131269f1c387SStephan Müller	  production systems.
131369f1c387SStephan Müller
131469f1c387SStephan Müller	  The raw noise data can be obtained using the jent_raw_hires
131569f1c387SStephan Müller	  debugfs file. Using the option
131669f1c387SStephan Müller	  jitterentropy_testing.boot_raw_hires_test=1 the raw noise of
131769f1c387SStephan Müller	  the first 1000 entropy events since boot can be sampled.
131869f1c387SStephan Müller
131969f1c387SStephan Müller	  If unsure, select N.
132069f1c387SStephan Müller
1321e7ed6473SHerbert Xuendif	# if CRYPTO_FIPS && EXPERT
1322e7ed6473SHerbert Xu
1323e7ed6473SHerbert Xuif !(CRYPTO_FIPS && EXPERT)
1324e7ed6473SHerbert Xu
1325e7ed6473SHerbert Xuconfig CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
1326e7ed6473SHerbert Xu	int
1327e7ed6473SHerbert Xu	default 64
1328e7ed6473SHerbert Xu
1329e7ed6473SHerbert Xuconfig CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
1330e7ed6473SHerbert Xu	int
1331e7ed6473SHerbert Xu	default 32
1332e7ed6473SHerbert Xu
1333e7ed6473SHerbert Xuconfig CRYPTO_JITTERENTROPY_OSR
1334e7ed6473SHerbert Xu	int
1335e7ed6473SHerbert Xu	default 1
1336e7ed6473SHerbert Xu
1337e7ed6473SHerbert Xuconfig CRYPTO_JITTERENTROPY_TESTINTERFACE
1338e7ed6473SHerbert Xu	bool
1339e7ed6473SHerbert Xu
1340e7ed6473SHerbert Xuendif	# if !(CRYPTO_FIPS && EXPERT)
1341e7ed6473SHerbert Xuendif	# if CRYPTO_JITTERENTROPY
1342e7ed6473SHerbert Xu
1343026a733eSStephan Müllerconfig CRYPTO_KDF800108_CTR
1344026a733eSStephan Müller	tristate
1345a88592ccSHerbert Xu	select CRYPTO_HMAC
1346304b4aceSStephan Müller	select CRYPTO_SHA256
1347026a733eSStephan Müller
1348f1f142adSRobert Elliottendmenu
13499bc51715SRobert Elliottmenu "Userspace interface"
1350f1f142adSRobert Elliott
135103c8efc1SHerbert Xuconfig CRYPTO_USER_API
135203c8efc1SHerbert Xu	tristate
135303c8efc1SHerbert Xu
1354fe869cdbSHerbert Xuconfig CRYPTO_USER_API_HASH
13559bc51715SRobert Elliott	tristate "Hash algorithms"
13567451708fSHerbert Xu	depends on NET
1357fe869cdbSHerbert Xu	select CRYPTO_HASH
1358fe869cdbSHerbert Xu	select CRYPTO_USER_API
1359fe869cdbSHerbert Xu	help
13609bc51715SRobert Elliott	  Enable the userspace interface for hash algorithms.
13619bc51715SRobert Elliott
13629bc51715SRobert Elliott	  See Documentation/crypto/userspace-if.rst and
13639bc51715SRobert Elliott	  https://www.chronox.de/libkcapi/html/index.html
1364fe869cdbSHerbert Xu
13658ff59090SHerbert Xuconfig CRYPTO_USER_API_SKCIPHER
13669bc51715SRobert Elliott	tristate "Symmetric key cipher algorithms"
13677451708fSHerbert Xu	depends on NET
1368b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
13698ff59090SHerbert Xu	select CRYPTO_USER_API
13708ff59090SHerbert Xu	help
13719bc51715SRobert Elliott	  Enable the userspace interface for symmetric key cipher algorithms.
13729bc51715SRobert Elliott
13739bc51715SRobert Elliott	  See Documentation/crypto/userspace-if.rst and
13749bc51715SRobert Elliott	  https://www.chronox.de/libkcapi/html/index.html
13758ff59090SHerbert Xu
13762f375538SStephan Muellerconfig CRYPTO_USER_API_RNG
13779bc51715SRobert Elliott	tristate "RNG (random number generator) algorithms"
13782f375538SStephan Mueller	depends on NET
13792f375538SStephan Mueller	select CRYPTO_RNG
13802f375538SStephan Mueller	select CRYPTO_USER_API
13812f375538SStephan Mueller	help
13829bc51715SRobert Elliott	  Enable the userspace interface for RNG (random number generator)
13839bc51715SRobert Elliott	  algorithms.
13849bc51715SRobert Elliott
13859bc51715SRobert Elliott	  See Documentation/crypto/userspace-if.rst and
13869bc51715SRobert Elliott	  https://www.chronox.de/libkcapi/html/index.html
13872f375538SStephan Mueller
138877ebdabeSElena Petrovaconfig CRYPTO_USER_API_RNG_CAVP
138977ebdabeSElena Petrova	bool "Enable CAVP testing of DRBG"
139077ebdabeSElena Petrova	depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
139177ebdabeSElena Petrova	help
13929bc51715SRobert Elliott	  Enable extra APIs in the userspace interface for NIST CAVP
13939bc51715SRobert Elliott	  (Cryptographic Algorithm Validation Program) testing:
13949bc51715SRobert Elliott	  - resetting DRBG entropy
13959bc51715SRobert Elliott	  - providing Additional Data
13969bc51715SRobert Elliott
139777ebdabeSElena Petrova	  This should only be enabled for CAVP testing. You should say
139877ebdabeSElena Petrova	  no unless you know what this is.
139977ebdabeSElena Petrova
1400b64a2d95SHerbert Xuconfig CRYPTO_USER_API_AEAD
14019bc51715SRobert Elliott	tristate "AEAD cipher algorithms"
1402b64a2d95SHerbert Xu	depends on NET
1403b64a2d95SHerbert Xu	select CRYPTO_AEAD
1404b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
1405b64a2d95SHerbert Xu	select CRYPTO_USER_API
1406b64a2d95SHerbert Xu	help
14079bc51715SRobert Elliott	  Enable the userspace interface for AEAD cipher algorithms.
14089bc51715SRobert Elliott
14099bc51715SRobert Elliott	  See Documentation/crypto/userspace-if.rst and
14109bc51715SRobert Elliott	  https://www.chronox.de/libkcapi/html/index.html
1411b64a2d95SHerbert Xu
14129ace6771SArd Biesheuvelconfig CRYPTO_USER_API_ENABLE_OBSOLETE
14139bc51715SRobert Elliott	bool "Obsolete cryptographic algorithms"
14149ace6771SArd Biesheuvel	depends on CRYPTO_USER_API
14159ace6771SArd Biesheuvel	default y
14169ace6771SArd Biesheuvel	help
14179ace6771SArd Biesheuvel	  Allow obsolete cryptographic algorithms to be selected that have
14189ace6771SArd Biesheuvel	  already been phased out from internal use by the kernel, and are
14199ace6771SArd Biesheuvel	  only useful for userspace clients that still rely on them.
14209ace6771SArd Biesheuvel
1421f1f142adSRobert Elliottendmenu
1422f1f142adSRobert Elliott
1423ee08997fSDmitry Kasatkinconfig CRYPTO_HASH_INFO
1424ee08997fSDmitry Kasatkin	bool
1425ee08997fSDmitry Kasatkin
142627bc50fcSLinus Torvaldsif !KMSAN # avoid false positives from assembly
14274a329fecSRobert Elliottif ARM
14284a329fecSRobert Elliottsource "arch/arm/crypto/Kconfig"
14294a329fecSRobert Elliottendif
14304a329fecSRobert Elliottif ARM64
14314a329fecSRobert Elliottsource "arch/arm64/crypto/Kconfig"
14324a329fecSRobert Elliottendif
14332f164822SMin Zhouif LOONGARCH
14342f164822SMin Zhousource "arch/loongarch/crypto/Kconfig"
14352f164822SMin Zhouendif
1436e45f710bSRobert Elliottif MIPS
1437e45f710bSRobert Elliottsource "arch/mips/crypto/Kconfig"
1438e45f710bSRobert Elliottendif
14396a490a4eSRobert Elliottif PPC
14406a490a4eSRobert Elliottsource "arch/powerpc/crypto/Kconfig"
14416a490a4eSRobert Elliottendif
1442178f3856SHeiko Stuebnerif RISCV
1443178f3856SHeiko Stuebnersource "arch/riscv/crypto/Kconfig"
1444178f3856SHeiko Stuebnerendif
1445c9d24c97SRobert Elliottif S390
1446c9d24c97SRobert Elliottsource "arch/s390/crypto/Kconfig"
1447c9d24c97SRobert Elliottendif
14480e9f9ea6SRobert Elliottif SPARC
14490e9f9ea6SRobert Elliottsource "arch/sparc/crypto/Kconfig"
14500e9f9ea6SRobert Elliottendif
145128a936efSRobert Elliottif X86
145228a936efSRobert Elliottsource "arch/x86/crypto/Kconfig"
145328a936efSRobert Elliottendif
145427bc50fcSLinus Torvaldsendif
1455e45f710bSRobert Elliott
14561da177e4SLinus Torvaldssource "drivers/crypto/Kconfig"
14578636a1f9SMasahiro Yamadasource "crypto/asymmetric_keys/Kconfig"
14588636a1f9SMasahiro Yamadasource "certs/Kconfig"
14593936f02bSDavid Howellssource "crypto/krb5/Kconfig"
14601da177e4SLinus Torvalds
1461cce9e06dSHerbert Xuendif	# if CRYPTO
1462