1b2441318SGreg Kroah-Hartman# SPDX-License-Identifier: GPL-2.0 21da177e4SLinus Torvalds# 3685784aaSDan Williams# Generic algorithms support 4685784aaSDan Williams# 5685784aaSDan Williamsconfig XOR_BLOCKS 6685784aaSDan Williams tristate 7685784aaSDan Williams 8685784aaSDan Williams# 99bc89cd8SDan Williams# async_tx api: hardware offloaded memory transfer/transform support 109bc89cd8SDan Williams# 119bc89cd8SDan Williamssource "crypto/async_tx/Kconfig" 129bc89cd8SDan Williams 139bc89cd8SDan Williams# 141da177e4SLinus Torvalds# Cryptographic API Configuration 151da177e4SLinus Torvalds# 162e290f43SJan Engelhardtmenuconfig CRYPTO 17c3715cb9SSebastian Siewior tristate "Cryptographic API" 187033b937SEric Biggers select CRYPTO_LIB_UTILS 191da177e4SLinus Torvalds help 201da177e4SLinus Torvalds This option provides the core Cryptographic API. 211da177e4SLinus Torvalds 22cce9e06dSHerbert Xuif CRYPTO 23cce9e06dSHerbert Xu 24f1f142adSRobert Elliottmenu "Crypto core or helper" 25584fffc8SSebastian Siewior 26ccb778e1SNeil Hormanconfig CRYPTO_FIPS 27ccb778e1SNeil Horman bool "FIPS 200 compliance" 28f2c89a10SHerbert Xu depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS 291f696097SAlec Ari depends on (MODULE_SIG || !MODULES) 30ccb778e1SNeil Horman help 31d99324c2SGeert Uytterhoeven This option enables the fips boot option which is 32d99324c2SGeert Uytterhoeven required if you want the system to operate in a FIPS 200 33ccb778e1SNeil Horman certification. You should say no unless you know what 34e84c5480SChuck Ebbert this is. 35ccb778e1SNeil Horman 365a44749fSVladis Dronovconfig CRYPTO_FIPS_NAME 375a44749fSVladis Dronov string "FIPS Module Name" 385a44749fSVladis Dronov default "Linux Kernel Cryptographic API" 395a44749fSVladis Dronov depends on CRYPTO_FIPS 405a44749fSVladis Dronov help 415a44749fSVladis Dronov This option sets the FIPS Module name reported by the Crypto API via 425a44749fSVladis Dronov the /proc/sys/crypto/fips_name file. 435a44749fSVladis Dronov 445a44749fSVladis Dronovconfig CRYPTO_FIPS_CUSTOM_VERSION 455a44749fSVladis Dronov bool "Use Custom FIPS Module Version" 465a44749fSVladis Dronov depends on CRYPTO_FIPS 475a44749fSVladis Dronov default n 485a44749fSVladis Dronov 495a44749fSVladis Dronovconfig CRYPTO_FIPS_VERSION 505a44749fSVladis Dronov string "FIPS Module Version" 515a44749fSVladis Dronov default "(none)" 525a44749fSVladis Dronov depends on CRYPTO_FIPS_CUSTOM_VERSION 535a44749fSVladis Dronov help 545a44749fSVladis Dronov This option provides the ability to override the FIPS Module Version. 555a44749fSVladis Dronov By default the KERNELRELEASE value is used. 565a44749fSVladis Dronov 57cce9e06dSHerbert Xuconfig CRYPTO_ALGAPI 58cce9e06dSHerbert Xu tristate 596a0fcbb4SHerbert Xu select CRYPTO_ALGAPI2 60cce9e06dSHerbert Xu help 61cce9e06dSHerbert Xu This option provides the API for cryptographic algorithms. 62cce9e06dSHerbert Xu 636a0fcbb4SHerbert Xuconfig CRYPTO_ALGAPI2 646a0fcbb4SHerbert Xu tristate 656a0fcbb4SHerbert Xu 661ae97820SHerbert Xuconfig CRYPTO_AEAD 671ae97820SHerbert Xu tristate 686a0fcbb4SHerbert Xu select CRYPTO_AEAD2 691ae97820SHerbert Xu select CRYPTO_ALGAPI 701ae97820SHerbert Xu 716a0fcbb4SHerbert Xuconfig CRYPTO_AEAD2 726a0fcbb4SHerbert Xu tristate 736a0fcbb4SHerbert Xu select CRYPTO_ALGAPI2 74149a3971SHerbert Xu select CRYPTO_NULL2 75149a3971SHerbert Xu select CRYPTO_RNG2 766a0fcbb4SHerbert Xu 77b95bba5dSEric Biggersconfig CRYPTO_SKCIPHER 785cde0af2SHerbert Xu tristate 79b95bba5dSEric Biggers select CRYPTO_SKCIPHER2 805cde0af2SHerbert Xu select CRYPTO_ALGAPI 816a0fcbb4SHerbert Xu 82b95bba5dSEric Biggersconfig CRYPTO_SKCIPHER2 836a0fcbb4SHerbert Xu tristate 846a0fcbb4SHerbert Xu select CRYPTO_ALGAPI2 856a0fcbb4SHerbert Xu select CRYPTO_RNG2 865cde0af2SHerbert Xu 87055bcee3SHerbert Xuconfig CRYPTO_HASH 88055bcee3SHerbert Xu tristate 896a0fcbb4SHerbert Xu select CRYPTO_HASH2 90055bcee3SHerbert Xu select CRYPTO_ALGAPI 91055bcee3SHerbert Xu 926a0fcbb4SHerbert Xuconfig CRYPTO_HASH2 936a0fcbb4SHerbert Xu tristate 946a0fcbb4SHerbert Xu select CRYPTO_ALGAPI2 956a0fcbb4SHerbert Xu 9617f0f4a4SNeil Hormanconfig CRYPTO_RNG 9717f0f4a4SNeil Horman tristate 986a0fcbb4SHerbert Xu select CRYPTO_RNG2 9917f0f4a4SNeil Horman select CRYPTO_ALGAPI 10017f0f4a4SNeil Horman 1016a0fcbb4SHerbert Xuconfig CRYPTO_RNG2 1026a0fcbb4SHerbert Xu tristate 1036a0fcbb4SHerbert Xu select CRYPTO_ALGAPI2 1046a0fcbb4SHerbert Xu 105401e4238SHerbert Xuconfig CRYPTO_RNG_DEFAULT 106401e4238SHerbert Xu tristate 107401e4238SHerbert Xu select CRYPTO_DRBG_MENU 108401e4238SHerbert Xu 1093c339ab8STadeusz Strukconfig CRYPTO_AKCIPHER2 1103c339ab8STadeusz Struk tristate 1113c339ab8STadeusz Struk select CRYPTO_ALGAPI2 1123c339ab8STadeusz Struk 1133c339ab8STadeusz Strukconfig CRYPTO_AKCIPHER 1143c339ab8STadeusz Struk tristate 1153c339ab8STadeusz Struk select CRYPTO_AKCIPHER2 1163c339ab8STadeusz Struk select CRYPTO_ALGAPI 1173c339ab8STadeusz Struk 1184e5f2c40SSalvatore Benedettoconfig CRYPTO_KPP2 1194e5f2c40SSalvatore Benedetto tristate 1204e5f2c40SSalvatore Benedetto select CRYPTO_ALGAPI2 1214e5f2c40SSalvatore Benedetto 1224e5f2c40SSalvatore Benedettoconfig CRYPTO_KPP 1234e5f2c40SSalvatore Benedetto tristate 1244e5f2c40SSalvatore Benedetto select CRYPTO_ALGAPI 1254e5f2c40SSalvatore Benedetto select CRYPTO_KPP2 1264e5f2c40SSalvatore Benedetto 1272ebda74fSGiovanni Cabidduconfig CRYPTO_ACOMP2 1282ebda74fSGiovanni Cabiddu tristate 1292ebda74fSGiovanni Cabiddu select CRYPTO_ALGAPI2 1308cd579d2SBart Van Assche select SGL_ALLOC 1312ebda74fSGiovanni Cabiddu 1322ebda74fSGiovanni Cabidduconfig CRYPTO_ACOMP 1332ebda74fSGiovanni Cabiddu tristate 1342ebda74fSGiovanni Cabiddu select CRYPTO_ALGAPI 1352ebda74fSGiovanni Cabiddu select CRYPTO_ACOMP2 1362ebda74fSGiovanni Cabiddu 1372b8c19dbSHerbert Xuconfig CRYPTO_MANAGER 1382b8c19dbSHerbert Xu tristate "Cryptographic algorithm manager" 1396a0fcbb4SHerbert Xu select CRYPTO_MANAGER2 1402b8c19dbSHerbert Xu help 1412b8c19dbSHerbert Xu Create default cryptographic template instantiations such as 1422b8c19dbSHerbert Xu cbc(aes). 1432b8c19dbSHerbert Xu 1446a0fcbb4SHerbert Xuconfig CRYPTO_MANAGER2 1456a0fcbb4SHerbert Xu def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y) 1466a0fcbb4SHerbert Xu select CRYPTO_AEAD2 1476a0fcbb4SHerbert Xu select CRYPTO_HASH2 148b95bba5dSEric Biggers select CRYPTO_SKCIPHER2 149946cc463STadeusz Struk select CRYPTO_AKCIPHER2 1504e5f2c40SSalvatore Benedetto select CRYPTO_KPP2 1512ebda74fSGiovanni Cabiddu select CRYPTO_ACOMP2 1526a0fcbb4SHerbert Xu 153a38f7907SSteffen Klassertconfig CRYPTO_USER 154a38f7907SSteffen Klassert tristate "Userspace cryptographic algorithm configuration" 1555db017aaSHerbert Xu depends on NET 156a38f7907SSteffen Klassert select CRYPTO_MANAGER 157a38f7907SSteffen Klassert help 158d19978f5SValdis.Kletnieks@vt.edu Userspace configuration for cryptographic instantiations such as 159a38f7907SSteffen Klassert cbc(aes). 160a38f7907SSteffen Klassert 161326a6346SHerbert Xuconfig CRYPTO_MANAGER_DISABLE_TESTS 162326a6346SHerbert Xu bool "Disable run-time self tests" 16300ca28a5SHerbert Xu default y 1640b767f96SAlexander Shishkin help 165326a6346SHerbert Xu Disable run-time self tests that normally take place at 166326a6346SHerbert Xu algorithm registration. 1670b767f96SAlexander Shishkin 1685b2706a4SEric Biggersconfig CRYPTO_MANAGER_EXTRA_TESTS 1695b2706a4SEric Biggers bool "Enable extra run-time crypto self tests" 1706569e309SJason A. Donenfeld depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER 1715b2706a4SEric Biggers help 1725b2706a4SEric Biggers Enable extra run-time self tests of registered crypto algorithms, 1735b2706a4SEric Biggers including randomized fuzz tests. 1745b2706a4SEric Biggers 1755b2706a4SEric Biggers This is intended for developer use only, as these tests take much 1765b2706a4SEric Biggers longer to run than the normal self tests. 1775b2706a4SEric Biggers 178584fffc8SSebastian Siewiorconfig CRYPTO_GF128MUL 179e590e132SEric Biggers tristate 180584fffc8SSebastian Siewior 181584fffc8SSebastian Siewiorconfig CRYPTO_NULL 182584fffc8SSebastian Siewior tristate "Null algorithms" 183149a3971SHerbert Xu select CRYPTO_NULL2 184584fffc8SSebastian Siewior help 185584fffc8SSebastian Siewior These are 'Null' algorithms, used by IPsec, which do nothing. 186584fffc8SSebastian Siewior 187149a3971SHerbert Xuconfig CRYPTO_NULL2 188dd43c4e9SHerbert Xu tristate 189149a3971SHerbert Xu select CRYPTO_ALGAPI2 190b95bba5dSEric Biggers select CRYPTO_SKCIPHER2 191149a3971SHerbert Xu select CRYPTO_HASH2 192149a3971SHerbert Xu 1935068c7a8SSteffen Klassertconfig CRYPTO_PCRYPT 1943b4afaf2SKees Cook tristate "Parallel crypto engine" 1953b4afaf2SKees Cook depends on SMP 1965068c7a8SSteffen Klassert select PADATA 1975068c7a8SSteffen Klassert select CRYPTO_MANAGER 1985068c7a8SSteffen Klassert select CRYPTO_AEAD 1995068c7a8SSteffen Klassert help 2005068c7a8SSteffen Klassert This converts an arbitrary crypto algorithm into a parallel 2015068c7a8SSteffen Klassert algorithm that executes in kernel threads. 2025068c7a8SSteffen Klassert 203584fffc8SSebastian Siewiorconfig CRYPTO_CRYPTD 204584fffc8SSebastian Siewior tristate "Software async crypto daemon" 205b95bba5dSEric Biggers select CRYPTO_SKCIPHER 206b8a28251SLoc Ho select CRYPTO_HASH 207584fffc8SSebastian Siewior select CRYPTO_MANAGER 208584fffc8SSebastian Siewior help 209584fffc8SSebastian Siewior This is a generic software asynchronous crypto daemon that 210584fffc8SSebastian Siewior converts an arbitrary synchronous software crypto algorithm 211584fffc8SSebastian Siewior into an asynchronous algorithm that executes in a kernel thread. 212584fffc8SSebastian Siewior 213584fffc8SSebastian Siewiorconfig CRYPTO_AUTHENC 214584fffc8SSebastian Siewior tristate "Authenc support" 215584fffc8SSebastian Siewior select CRYPTO_AEAD 216b95bba5dSEric Biggers select CRYPTO_SKCIPHER 217584fffc8SSebastian Siewior select CRYPTO_MANAGER 218584fffc8SSebastian Siewior select CRYPTO_HASH 219e94c6a7aSHerbert Xu select CRYPTO_NULL 220584fffc8SSebastian Siewior help 221584fffc8SSebastian Siewior Authenc: Combined mode wrapper for IPsec. 222584fffc8SSebastian Siewior This is required for IPSec. 223584fffc8SSebastian Siewior 224584fffc8SSebastian Siewiorconfig CRYPTO_TEST 225584fffc8SSebastian Siewior tristate "Testing module" 22600ea27f1SArd Biesheuvel depends on m || EXPERT 227da7f033dSHerbert Xu select CRYPTO_MANAGER 228584fffc8SSebastian Siewior help 229584fffc8SSebastian Siewior Quick & dirty crypto test module. 230584fffc8SSebastian Siewior 231266d0516SHerbert Xuconfig CRYPTO_SIMD 232266d0516SHerbert Xu tristate 233266d0516SHerbert Xu select CRYPTO_CRYPTD 234266d0516SHerbert Xu 235735d37b5SBaolin Wangconfig CRYPTO_ENGINE 236735d37b5SBaolin Wang tristate 237735d37b5SBaolin Wang 238f1f142adSRobert Elliottendmenu 239f1f142adSRobert Elliott 240f1f142adSRobert Elliottmenu "Public-key cryptography" 2413d6228a5SVitaly Chikunov 2423d6228a5SVitaly Chikunovconfig CRYPTO_RSA 243*05b37465SRobert Elliott tristate "RSA (Rivest-Shamir-Adleman)" 2443d6228a5SVitaly Chikunov select CRYPTO_AKCIPHER 2453d6228a5SVitaly Chikunov select CRYPTO_MANAGER 2463d6228a5SVitaly Chikunov select MPILIB 2473d6228a5SVitaly Chikunov select ASN1 2483d6228a5SVitaly Chikunov help 249*05b37465SRobert Elliott RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017) 2503d6228a5SVitaly Chikunov 2513d6228a5SVitaly Chikunovconfig CRYPTO_DH 252*05b37465SRobert Elliott tristate "DH (Diffie-Hellman)" 2533d6228a5SVitaly Chikunov select CRYPTO_KPP 2543d6228a5SVitaly Chikunov select MPILIB 2553d6228a5SVitaly Chikunov help 256*05b37465SRobert Elliott DH (Diffie-Hellman) key exchange algorithm 2573d6228a5SVitaly Chikunov 2587dce5981SNicolai Stangeconfig CRYPTO_DH_RFC7919_GROUPS 259*05b37465SRobert Elliott bool "RFC 7919 FFDHE groups" 2607dce5981SNicolai Stange depends on CRYPTO_DH 2611e207964SNicolai Stange select CRYPTO_RNG_DEFAULT 2627dce5981SNicolai Stange help 263*05b37465SRobert Elliott FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups 264*05b37465SRobert Elliott defined in RFC7919. 265*05b37465SRobert Elliott 266*05b37465SRobert Elliott Support these finite-field groups in DH key exchanges: 267*05b37465SRobert Elliott - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 268*05b37465SRobert Elliott 269*05b37465SRobert Elliott If unsure, say N. 2707dce5981SNicolai Stange 2714a2289daSVitaly Chikunovconfig CRYPTO_ECC 2724a2289daSVitaly Chikunov tristate 27338aa192aSArnd Bergmann select CRYPTO_RNG_DEFAULT 2744a2289daSVitaly Chikunov 2753d6228a5SVitaly Chikunovconfig CRYPTO_ECDH 276*05b37465SRobert Elliott tristate "ECDH (Elliptic Curve Diffie-Hellman)" 2774a2289daSVitaly Chikunov select CRYPTO_ECC 2783d6228a5SVitaly Chikunov select CRYPTO_KPP 2793d6228a5SVitaly Chikunov help 280*05b37465SRobert Elliott ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm 281*05b37465SRobert Elliott using curves P-192, P-256, and P-384 (FIPS 186) 2823d6228a5SVitaly Chikunov 2834e660291SStefan Bergerconfig CRYPTO_ECDSA 284*05b37465SRobert Elliott tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)" 2854e660291SStefan Berger select CRYPTO_ECC 2864e660291SStefan Berger select CRYPTO_AKCIPHER 2874e660291SStefan Berger select ASN1 2884e660291SStefan Berger help 289*05b37465SRobert Elliott ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186, 290*05b37465SRobert Elliott ISO/IEC 14888-3) 291*05b37465SRobert Elliott using curves P-192, P-256, and P-384 292*05b37465SRobert Elliott 293*05b37465SRobert Elliott Only signature verification is implemented. 2944e660291SStefan Berger 2950d7a7864SVitaly Chikunovconfig CRYPTO_ECRDSA 296*05b37465SRobert Elliott tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)" 2970d7a7864SVitaly Chikunov select CRYPTO_ECC 2980d7a7864SVitaly Chikunov select CRYPTO_AKCIPHER 2990d7a7864SVitaly Chikunov select CRYPTO_STREEBOG 3001036633eSVitaly Chikunov select OID_REGISTRY 3011036633eSVitaly Chikunov select ASN1 3020d7a7864SVitaly Chikunov help 3030d7a7864SVitaly Chikunov Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012, 304*05b37465SRobert Elliott RFC 7091, ISO/IEC 14888-3) 305*05b37465SRobert Elliott 306*05b37465SRobert Elliott One of the Russian cryptographic standard algorithms (called GOST 307*05b37465SRobert Elliott algorithms). Only signature verification is implemented. 3080d7a7864SVitaly Chikunov 309ea7ecb66STianjia Zhangconfig CRYPTO_SM2 310*05b37465SRobert Elliott tristate "SM2 (ShangMi 2)" 311d2825fa9SJason A. Donenfeld select CRYPTO_SM3 312ea7ecb66STianjia Zhang select CRYPTO_AKCIPHER 313ea7ecb66STianjia Zhang select CRYPTO_MANAGER 314ea7ecb66STianjia Zhang select MPILIB 315ea7ecb66STianjia Zhang select ASN1 316ea7ecb66STianjia Zhang help 317*05b37465SRobert Elliott SM2 (ShangMi 2) public key algorithm 318*05b37465SRobert Elliott 319*05b37465SRobert Elliott Published by State Encryption Management Bureau, China, 320ea7ecb66STianjia Zhang as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012. 321ea7ecb66STianjia Zhang 322ea7ecb66STianjia Zhang References: 323*05b37465SRobert Elliott https://datatracker.ietf.org/doc/draft-shen-sm2-ecdsa/ 324ea7ecb66STianjia Zhang http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml 325ea7ecb66STianjia Zhang http://www.gmbz.org.cn/main/bzlb.html 326ea7ecb66STianjia Zhang 327ee772cb6SArd Biesheuvelconfig CRYPTO_CURVE25519 328*05b37465SRobert Elliott tristate "Curve25519" 329ee772cb6SArd Biesheuvel select CRYPTO_KPP 330ee772cb6SArd Biesheuvel select CRYPTO_LIB_CURVE25519_GENERIC 331*05b37465SRobert Elliott help 332*05b37465SRobert Elliott Curve25519 elliptic curve (RFC7748) 333ee772cb6SArd Biesheuvel 334f1f142adSRobert Elliottendmenu 335584fffc8SSebastian Siewior 336f1f142adSRobert Elliottmenu "Block ciphers" 3371da177e4SLinus Torvalds 3381da177e4SLinus Torvaldsconfig CRYPTO_AES 3391da177e4SLinus Torvalds tristate "AES cipher algorithms" 340cce9e06dSHerbert Xu select CRYPTO_ALGAPI 3415bb12d78SArd Biesheuvel select CRYPTO_LIB_AES 3421da177e4SLinus Torvalds help 3431da177e4SLinus Torvalds AES cipher algorithms (FIPS-197). AES uses the Rijndael 3441da177e4SLinus Torvalds algorithm. 3451da177e4SLinus Torvalds 3461da177e4SLinus Torvalds Rijndael appears to be consistently a very good performer in 3471da177e4SLinus Torvalds both hardware and software across a wide range of computing 3481da177e4SLinus Torvalds environments regardless of its use in feedback or non-feedback 3491da177e4SLinus Torvalds modes. Its key setup time is excellent, and its key agility is 3501da177e4SLinus Torvalds good. Rijndael's very low memory requirements make it very well 3511da177e4SLinus Torvalds suited for restricted-space environments, in which it also 3521da177e4SLinus Torvalds demonstrates excellent performance. Rijndael's operations are 3531da177e4SLinus Torvalds among the easiest to defend against power and timing attacks. 3541da177e4SLinus Torvalds 3551da177e4SLinus Torvalds The AES specifies three key sizes: 128, 192 and 256 bits 3561da177e4SLinus Torvalds 3571da177e4SLinus Torvalds See <http://csrc.nist.gov/CryptoToolkit/aes/> for more information. 3581da177e4SLinus Torvalds 359b5e0b032SArd Biesheuvelconfig CRYPTO_AES_TI 360b5e0b032SArd Biesheuvel tristate "Fixed time AES cipher" 361b5e0b032SArd Biesheuvel select CRYPTO_ALGAPI 362e59c1c98SArd Biesheuvel select CRYPTO_LIB_AES 363b5e0b032SArd Biesheuvel help 364b5e0b032SArd Biesheuvel This is a generic implementation of AES that attempts to eliminate 365b5e0b032SArd Biesheuvel data dependent latencies as much as possible without affecting 366b5e0b032SArd Biesheuvel performance too much. It is intended for use by the generic CCM 367b5e0b032SArd Biesheuvel and GCM drivers, and other CTR or CMAC/XCBC based modes that rely 368b5e0b032SArd Biesheuvel solely on encryption (although decryption is supported as well, but 369b5e0b032SArd Biesheuvel with a more dramatic performance hit) 370b5e0b032SArd Biesheuvel 371b5e0b032SArd Biesheuvel Instead of using 16 lookup tables of 1 KB each, (8 for encryption and 372b5e0b032SArd Biesheuvel 8 for decryption), this implementation only uses just two S-boxes of 373b5e0b032SArd Biesheuvel 256 bytes each, and attempts to eliminate data dependent latencies by 374b5e0b032SArd Biesheuvel prefetching the entire table into the cache at the start of each 3750a6a40c2SEric Biggers block. Interrupts are also disabled to avoid races where cachelines 3760a6a40c2SEric Biggers are evicted when the CPU is interrupted to do something else. 377b5e0b032SArd Biesheuvel 3781da177e4SLinus Torvaldsconfig CRYPTO_ANUBIS 3791da177e4SLinus Torvalds tristate "Anubis cipher algorithm" 3801674aea5SArd Biesheuvel depends on CRYPTO_USER_API_ENABLE_OBSOLETE 381cce9e06dSHerbert Xu select CRYPTO_ALGAPI 3821da177e4SLinus Torvalds help 3831da177e4SLinus Torvalds Anubis cipher algorithm. 3841da177e4SLinus Torvalds 3851da177e4SLinus Torvalds Anubis is a variable key length cipher which can use keys from 3861da177e4SLinus Torvalds 128 bits to 320 bits in length. It was evaluated as a entrant 3871da177e4SLinus Torvalds in the NESSIE competition. 3881da177e4SLinus Torvalds 3891da177e4SLinus Torvalds See also: 3906d8de74cSJustin P. Mattock <https://www.cosic.esat.kuleuven.be/nessie/reports/> 3916d8de74cSJustin P. Mattock <http://www.larc.usp.br/~pbarreto/AnubisPage.html> 3921da177e4SLinus Torvalds 393f1f142adSRobert Elliottconfig CRYPTO_ARIA 394f1f142adSRobert Elliott tristate "ARIA cipher algorithm" 395f1f142adSRobert Elliott select CRYPTO_ALGAPI 396e2ee95b8SHye-Shik Chang help 397f1f142adSRobert Elliott ARIA cipher algorithm (RFC5794). 398e2ee95b8SHye-Shik Chang 399f1f142adSRobert Elliott ARIA is a standard encryption algorithm of the Republic of Korea. 400f1f142adSRobert Elliott The ARIA specifies three key sizes and rounds. 401f1f142adSRobert Elliott 128-bit: 12 rounds. 402f1f142adSRobert Elliott 192-bit: 14 rounds. 403f1f142adSRobert Elliott 256-bit: 16 rounds. 404f1f142adSRobert Elliott 405f1f142adSRobert Elliott See also: 406f1f142adSRobert Elliott <https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do> 407584fffc8SSebastian Siewior 408584fffc8SSebastian Siewiorconfig CRYPTO_BLOWFISH 409584fffc8SSebastian Siewior tristate "Blowfish cipher algorithm" 410584fffc8SSebastian Siewior select CRYPTO_ALGAPI 41152ba867cSJussi Kivilinna select CRYPTO_BLOWFISH_COMMON 412584fffc8SSebastian Siewior help 413584fffc8SSebastian Siewior Blowfish cipher algorithm, by Bruce Schneier. 414584fffc8SSebastian Siewior 415584fffc8SSebastian Siewior This is a variable key length cipher which can use keys from 32 416584fffc8SSebastian Siewior bits to 448 bits in length. It's fast, simple and specifically 417584fffc8SSebastian Siewior designed for use on "large microprocessors". 418e2ee95b8SHye-Shik Chang 419e2ee95b8SHye-Shik Chang See also: 4209332a9e7SAlexander A. Klimov <https://www.schneier.com/blowfish.html> 421584fffc8SSebastian Siewior 42252ba867cSJussi Kivilinnaconfig CRYPTO_BLOWFISH_COMMON 42352ba867cSJussi Kivilinna tristate 42452ba867cSJussi Kivilinna help 42552ba867cSJussi Kivilinna Common parts of the Blowfish cipher algorithm shared by the 42652ba867cSJussi Kivilinna generic c and the assembler implementations. 42752ba867cSJussi Kivilinna 42852ba867cSJussi Kivilinna See also: 4299332a9e7SAlexander A. Klimov <https://www.schneier.com/blowfish.html> 43052ba867cSJussi Kivilinna 431584fffc8SSebastian Siewiorconfig CRYPTO_CAMELLIA 432584fffc8SSebastian Siewior tristate "Camellia cipher algorithms" 433584fffc8SSebastian Siewior select CRYPTO_ALGAPI 434584fffc8SSebastian Siewior help 435584fffc8SSebastian Siewior Camellia cipher algorithms module. 436584fffc8SSebastian Siewior 437584fffc8SSebastian Siewior Camellia is a symmetric key block cipher developed jointly 438584fffc8SSebastian Siewior at NTT and Mitsubishi Electric Corporation. 439584fffc8SSebastian Siewior 440584fffc8SSebastian Siewior The Camellia specifies three key sizes: 128, 192 and 256 bits. 441584fffc8SSebastian Siewior 442584fffc8SSebastian Siewior See also: 443584fffc8SSebastian Siewior <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html> 444584fffc8SSebastian Siewior 445044ab525SJussi Kivilinnaconfig CRYPTO_CAST_COMMON 446044ab525SJussi Kivilinna tristate 447044ab525SJussi Kivilinna help 448044ab525SJussi Kivilinna Common parts of the CAST cipher algorithms shared by the 449044ab525SJussi Kivilinna generic c and the assembler implementations. 450044ab525SJussi Kivilinna 451584fffc8SSebastian Siewiorconfig CRYPTO_CAST5 452584fffc8SSebastian Siewior tristate "CAST5 (CAST-128) cipher algorithm" 453584fffc8SSebastian Siewior select CRYPTO_ALGAPI 454044ab525SJussi Kivilinna select CRYPTO_CAST_COMMON 455584fffc8SSebastian Siewior help 456584fffc8SSebastian Siewior The CAST5 encryption algorithm (synonymous with CAST-128) is 457584fffc8SSebastian Siewior described in RFC2144. 458584fffc8SSebastian Siewior 459584fffc8SSebastian Siewiorconfig CRYPTO_CAST6 460584fffc8SSebastian Siewior tristate "CAST6 (CAST-256) cipher algorithm" 461584fffc8SSebastian Siewior select CRYPTO_ALGAPI 462044ab525SJussi Kivilinna select CRYPTO_CAST_COMMON 463584fffc8SSebastian Siewior help 464584fffc8SSebastian Siewior The CAST6 encryption algorithm (synonymous with CAST-256) is 465584fffc8SSebastian Siewior described in RFC2612. 466584fffc8SSebastian Siewior 467584fffc8SSebastian Siewiorconfig CRYPTO_DES 468584fffc8SSebastian Siewior tristate "DES and Triple DES EDE cipher algorithms" 469584fffc8SSebastian Siewior select CRYPTO_ALGAPI 47004007b0eSArd Biesheuvel select CRYPTO_LIB_DES 471584fffc8SSebastian Siewior help 472584fffc8SSebastian Siewior DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3). 473584fffc8SSebastian Siewior 474584fffc8SSebastian Siewiorconfig CRYPTO_FCRYPT 475584fffc8SSebastian Siewior tristate "FCrypt cipher algorithm" 476584fffc8SSebastian Siewior select CRYPTO_ALGAPI 477b95bba5dSEric Biggers select CRYPTO_SKCIPHER 478584fffc8SSebastian Siewior help 479584fffc8SSebastian Siewior FCrypt algorithm used by RxRPC. 480584fffc8SSebastian Siewior 481584fffc8SSebastian Siewiorconfig CRYPTO_KHAZAD 482584fffc8SSebastian Siewior tristate "Khazad cipher algorithm" 4831674aea5SArd Biesheuvel depends on CRYPTO_USER_API_ENABLE_OBSOLETE 484584fffc8SSebastian Siewior select CRYPTO_ALGAPI 485584fffc8SSebastian Siewior help 486584fffc8SSebastian Siewior Khazad cipher algorithm. 487584fffc8SSebastian Siewior 488584fffc8SSebastian Siewior Khazad was a finalist in the initial NESSIE competition. It is 489584fffc8SSebastian Siewior an algorithm optimized for 64-bit processors with good performance 490584fffc8SSebastian Siewior on 32-bit processors. Khazad uses an 128 bit key size. 491584fffc8SSebastian Siewior 492584fffc8SSebastian Siewior See also: 4936d8de74cSJustin P. Mattock <http://www.larc.usp.br/~pbarreto/KhazadPage.html> 494e2ee95b8SHye-Shik Chang 495584fffc8SSebastian Siewiorconfig CRYPTO_SEED 496584fffc8SSebastian Siewior tristate "SEED cipher algorithm" 4971674aea5SArd Biesheuvel depends on CRYPTO_USER_API_ENABLE_OBSOLETE 498584fffc8SSebastian Siewior select CRYPTO_ALGAPI 499584fffc8SSebastian Siewior help 500584fffc8SSebastian Siewior SEED cipher algorithm (RFC4269). 501584fffc8SSebastian Siewior 502584fffc8SSebastian Siewior SEED is a 128-bit symmetric key block cipher that has been 503584fffc8SSebastian Siewior developed by KISA (Korea Information Security Agency) as a 504584fffc8SSebastian Siewior national standard encryption algorithm of the Republic of Korea. 505584fffc8SSebastian Siewior It is a 16 round block cipher with the key size of 128 bit. 506584fffc8SSebastian Siewior 507584fffc8SSebastian Siewior See also: 508584fffc8SSebastian Siewior <http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp> 509584fffc8SSebastian Siewior 510584fffc8SSebastian Siewiorconfig CRYPTO_SERPENT 511584fffc8SSebastian Siewior tristate "Serpent cipher algorithm" 512584fffc8SSebastian Siewior select CRYPTO_ALGAPI 513584fffc8SSebastian Siewior help 514584fffc8SSebastian Siewior Serpent cipher algorithm, by Anderson, Biham & Knudsen. 515584fffc8SSebastian Siewior 516584fffc8SSebastian Siewior Keys are allowed to be from 0 to 256 bits in length, in steps 517784506a1SArd Biesheuvel of 8 bits. 518584fffc8SSebastian Siewior 519584fffc8SSebastian Siewior See also: 5209332a9e7SAlexander A. Klimov <https://www.cl.cam.ac.uk/~rja14/serpent.html> 521584fffc8SSebastian Siewior 522747c8ce4SGilad Ben-Yossefconfig CRYPTO_SM4 523d2825fa9SJason A. Donenfeld tristate 524d2825fa9SJason A. Donenfeld 525d2825fa9SJason A. Donenfeldconfig CRYPTO_SM4_GENERIC 526747c8ce4SGilad Ben-Yossef tristate "SM4 cipher algorithm" 527747c8ce4SGilad Ben-Yossef select CRYPTO_ALGAPI 528d2825fa9SJason A. Donenfeld select CRYPTO_SM4 529747c8ce4SGilad Ben-Yossef help 530747c8ce4SGilad Ben-Yossef SM4 cipher algorithms (OSCCA GB/T 32907-2016). 531747c8ce4SGilad Ben-Yossef 532747c8ce4SGilad Ben-Yossef SM4 (GBT.32907-2016) is a cryptographic standard issued by the 533747c8ce4SGilad Ben-Yossef Organization of State Commercial Administration of China (OSCCA) 534747c8ce4SGilad Ben-Yossef as an authorized cryptographic algorithms for the use within China. 535747c8ce4SGilad Ben-Yossef 536747c8ce4SGilad Ben-Yossef SMS4 was originally created for use in protecting wireless 537747c8ce4SGilad Ben-Yossef networks, and is mandated in the Chinese National Standard for 538747c8ce4SGilad Ben-Yossef Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure) 539747c8ce4SGilad Ben-Yossef (GB.15629.11-2003). 540747c8ce4SGilad Ben-Yossef 541747c8ce4SGilad Ben-Yossef The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and 542747c8ce4SGilad Ben-Yossef standardized through TC 260 of the Standardization Administration 543747c8ce4SGilad Ben-Yossef of the People's Republic of China (SAC). 544747c8ce4SGilad Ben-Yossef 545747c8ce4SGilad Ben-Yossef The input, output, and key of SMS4 are each 128 bits. 546747c8ce4SGilad Ben-Yossef 547747c8ce4SGilad Ben-Yossef See also: <https://eprint.iacr.org/2008/329.pdf> 548747c8ce4SGilad Ben-Yossef 549747c8ce4SGilad Ben-Yossef If unsure, say N. 550747c8ce4SGilad Ben-Yossef 551584fffc8SSebastian Siewiorconfig CRYPTO_TEA 552584fffc8SSebastian Siewior tristate "TEA, XTEA and XETA cipher algorithms" 5531674aea5SArd Biesheuvel depends on CRYPTO_USER_API_ENABLE_OBSOLETE 554584fffc8SSebastian Siewior select CRYPTO_ALGAPI 555584fffc8SSebastian Siewior help 556584fffc8SSebastian Siewior TEA cipher algorithm. 557584fffc8SSebastian Siewior 558584fffc8SSebastian Siewior Tiny Encryption Algorithm is a simple cipher that uses 559584fffc8SSebastian Siewior many rounds for security. It is very fast and uses 560584fffc8SSebastian Siewior little memory. 561584fffc8SSebastian Siewior 562584fffc8SSebastian Siewior Xtendend Tiny Encryption Algorithm is a modification to 563584fffc8SSebastian Siewior the TEA algorithm to address a potential key weakness 564584fffc8SSebastian Siewior in the TEA algorithm. 565584fffc8SSebastian Siewior 566584fffc8SSebastian Siewior Xtendend Encryption Tiny Algorithm is a mis-implementation 567584fffc8SSebastian Siewior of the XTEA algorithm for compatibility purposes. 568584fffc8SSebastian Siewior 569584fffc8SSebastian Siewiorconfig CRYPTO_TWOFISH 570584fffc8SSebastian Siewior tristate "Twofish cipher algorithm" 571584fffc8SSebastian Siewior select CRYPTO_ALGAPI 572584fffc8SSebastian Siewior select CRYPTO_TWOFISH_COMMON 573584fffc8SSebastian Siewior help 574584fffc8SSebastian Siewior Twofish cipher algorithm. 575584fffc8SSebastian Siewior 576584fffc8SSebastian Siewior Twofish was submitted as an AES (Advanced Encryption Standard) 577584fffc8SSebastian Siewior candidate cipher by researchers at CounterPane Systems. It is a 578584fffc8SSebastian Siewior 16 round block cipher supporting key sizes of 128, 192, and 256 579584fffc8SSebastian Siewior bits. 580584fffc8SSebastian Siewior 581584fffc8SSebastian Siewior See also: 5829332a9e7SAlexander A. Klimov <https://www.schneier.com/twofish.html> 583584fffc8SSebastian Siewior 584584fffc8SSebastian Siewiorconfig CRYPTO_TWOFISH_COMMON 585584fffc8SSebastian Siewior tristate 586584fffc8SSebastian Siewior help 587584fffc8SSebastian Siewior Common parts of the Twofish cipher algorithm shared by the 588584fffc8SSebastian Siewior generic c and the assembler implementations. 589584fffc8SSebastian Siewior 590f1f142adSRobert Elliottendmenu 591f1f142adSRobert Elliott 592f1f142adSRobert Elliottmenu "Length-preserving ciphers and modes" 593f1f142adSRobert Elliott 594f1f142adSRobert Elliottconfig CRYPTO_ADIANTUM 595f1f142adSRobert Elliott tristate "Adiantum support" 596f1f142adSRobert Elliott select CRYPTO_CHACHA20 597f1f142adSRobert Elliott select CRYPTO_LIB_POLY1305_GENERIC 598f1f142adSRobert Elliott select CRYPTO_NHPOLY1305 599f1f142adSRobert Elliott select CRYPTO_MANAGER 600f1f142adSRobert Elliott help 601f1f142adSRobert Elliott Adiantum is a tweakable, length-preserving encryption mode 602f1f142adSRobert Elliott designed for fast and secure disk encryption, especially on 603f1f142adSRobert Elliott CPUs without dedicated crypto instructions. It encrypts 604f1f142adSRobert Elliott each sector using the XChaCha12 stream cipher, two passes of 605f1f142adSRobert Elliott an ε-almost-∆-universal hash function, and an invocation of 606f1f142adSRobert Elliott the AES-256 block cipher on a single 16-byte block. On CPUs 607f1f142adSRobert Elliott without AES instructions, Adiantum is much faster than 608f1f142adSRobert Elliott AES-XTS. 609f1f142adSRobert Elliott 610f1f142adSRobert Elliott Adiantum's security is provably reducible to that of its 611f1f142adSRobert Elliott underlying stream and block ciphers, subject to a security 612f1f142adSRobert Elliott bound. Unlike XTS, Adiantum is a true wide-block encryption 613f1f142adSRobert Elliott mode, so it actually provides an even stronger notion of 614f1f142adSRobert Elliott security than XTS, subject to the security bound. 615f1f142adSRobert Elliott 616f1f142adSRobert Elliott If unsure, say N. 617f1f142adSRobert Elliott 618f1f142adSRobert Elliottconfig CRYPTO_ARC4 619f1f142adSRobert Elliott tristate "ARC4 cipher algorithm" 620f1f142adSRobert Elliott depends on CRYPTO_USER_API_ENABLE_OBSOLETE 621f1f142adSRobert Elliott select CRYPTO_SKCIPHER 622f1f142adSRobert Elliott select CRYPTO_LIB_ARC4 623f1f142adSRobert Elliott help 624f1f142adSRobert Elliott ARC4 cipher algorithm. 625f1f142adSRobert Elliott 626f1f142adSRobert Elliott ARC4 is a stream cipher using keys ranging from 8 bits to 2048 627f1f142adSRobert Elliott bits in length. This algorithm is required for driver-based 628f1f142adSRobert Elliott WEP, but it should not be for other purposes because of the 629f1f142adSRobert Elliott weakness of the algorithm. 630f1f142adSRobert Elliott 631f1f142adSRobert Elliottconfig CRYPTO_CHACHA20 632f1f142adSRobert Elliott tristate "ChaCha stream cipher algorithms" 633f1f142adSRobert Elliott select CRYPTO_LIB_CHACHA_GENERIC 634f1f142adSRobert Elliott select CRYPTO_SKCIPHER 635f1f142adSRobert Elliott help 636f1f142adSRobert Elliott The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms. 637f1f142adSRobert Elliott 638f1f142adSRobert Elliott ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J. 639f1f142adSRobert Elliott Bernstein and further specified in RFC7539 for use in IETF protocols. 640f1f142adSRobert Elliott This is the portable C implementation of ChaCha20. See also: 641f1f142adSRobert Elliott <https://cr.yp.to/chacha/chacha-20080128.pdf> 642f1f142adSRobert Elliott 643f1f142adSRobert Elliott XChaCha20 is the application of the XSalsa20 construction to ChaCha20 644f1f142adSRobert Elliott rather than to Salsa20. XChaCha20 extends ChaCha20's nonce length 645f1f142adSRobert Elliott from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits, 646f1f142adSRobert Elliott while provably retaining ChaCha20's security. See also: 647f1f142adSRobert Elliott <https://cr.yp.to/snuffle/xsalsa-20081128.pdf> 648f1f142adSRobert Elliott 649f1f142adSRobert Elliott XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly 650f1f142adSRobert Elliott reduced security margin but increased performance. It can be needed 651f1f142adSRobert Elliott in some performance-sensitive scenarios. 652f1f142adSRobert Elliott 653f1f142adSRobert Elliottconfig CRYPTO_CBC 654f1f142adSRobert Elliott tristate "CBC support" 655f1f142adSRobert Elliott select CRYPTO_SKCIPHER 656f1f142adSRobert Elliott select CRYPTO_MANAGER 657f1f142adSRobert Elliott help 658f1f142adSRobert Elliott CBC: Cipher Block Chaining mode 659f1f142adSRobert Elliott This block cipher algorithm is required for IPSec. 660f1f142adSRobert Elliott 661f1f142adSRobert Elliottconfig CRYPTO_CFB 662f1f142adSRobert Elliott tristate "CFB support" 663f1f142adSRobert Elliott select CRYPTO_SKCIPHER 664f1f142adSRobert Elliott select CRYPTO_MANAGER 665f1f142adSRobert Elliott help 666f1f142adSRobert Elliott CFB: Cipher FeedBack mode 667f1f142adSRobert Elliott This block cipher algorithm is required for TPM2 Cryptography. 668f1f142adSRobert Elliott 669f1f142adSRobert Elliottconfig CRYPTO_CTR 670f1f142adSRobert Elliott tristate "CTR support" 671f1f142adSRobert Elliott select CRYPTO_SKCIPHER 672f1f142adSRobert Elliott select CRYPTO_MANAGER 673f1f142adSRobert Elliott help 674f1f142adSRobert Elliott CTR: Counter mode 675f1f142adSRobert Elliott This block cipher algorithm is required for IPSec. 676f1f142adSRobert Elliott 677f1f142adSRobert Elliottconfig CRYPTO_CTS 678f1f142adSRobert Elliott tristate "CTS support" 679f1f142adSRobert Elliott select CRYPTO_SKCIPHER 680f1f142adSRobert Elliott select CRYPTO_MANAGER 681f1f142adSRobert Elliott help 682f1f142adSRobert Elliott CTS: Cipher Text Stealing 683f1f142adSRobert Elliott This is the Cipher Text Stealing mode as described by 684f1f142adSRobert Elliott Section 8 of rfc2040 and referenced by rfc3962 685f1f142adSRobert Elliott (rfc3962 includes errata information in its Appendix A) or 686f1f142adSRobert Elliott CBC-CS3 as defined by NIST in Sp800-38A addendum from Oct 2010. 687f1f142adSRobert Elliott This mode is required for Kerberos gss mechanism support 688f1f142adSRobert Elliott for AES encryption. 689f1f142adSRobert Elliott 690f1f142adSRobert Elliott See: https://csrc.nist.gov/publications/detail/sp/800-38a/addendum/final 691f1f142adSRobert Elliott 692f1f142adSRobert Elliottconfig CRYPTO_ECB 693f1f142adSRobert Elliott tristate "ECB support" 694f1f142adSRobert Elliott select CRYPTO_SKCIPHER 695f1f142adSRobert Elliott select CRYPTO_MANAGER 696f1f142adSRobert Elliott help 697f1f142adSRobert Elliott ECB: Electronic CodeBook mode 698f1f142adSRobert Elliott This is the simplest block cipher algorithm. It simply encrypts 699f1f142adSRobert Elliott the input block by block. 700f1f142adSRobert Elliott 701f1f142adSRobert Elliottconfig CRYPTO_HCTR2 702f1f142adSRobert Elliott tristate "HCTR2 support" 703f1f142adSRobert Elliott select CRYPTO_XCTR 704f1f142adSRobert Elliott select CRYPTO_POLYVAL 705f1f142adSRobert Elliott select CRYPTO_MANAGER 706f1f142adSRobert Elliott help 707f1f142adSRobert Elliott HCTR2 is a length-preserving encryption mode for storage encryption that 708f1f142adSRobert Elliott is efficient on processors with instructions to accelerate AES and 709f1f142adSRobert Elliott carryless multiplication, e.g. x86 processors with AES-NI and CLMUL, and 710f1f142adSRobert Elliott ARM processors with the ARMv8 crypto extensions. 711f1f142adSRobert Elliott 712f1f142adSRobert Elliottconfig CRYPTO_KEYWRAP 713f1f142adSRobert Elliott tristate "Key wrapping support" 714f1f142adSRobert Elliott select CRYPTO_SKCIPHER 715f1f142adSRobert Elliott select CRYPTO_MANAGER 716f1f142adSRobert Elliott help 717f1f142adSRobert Elliott Support for key wrapping (NIST SP800-38F / RFC3394) without 718f1f142adSRobert Elliott padding. 719f1f142adSRobert Elliott 720f1f142adSRobert Elliottconfig CRYPTO_LRW 721f1f142adSRobert Elliott tristate "LRW support" 722f1f142adSRobert Elliott select CRYPTO_SKCIPHER 723f1f142adSRobert Elliott select CRYPTO_MANAGER 724f1f142adSRobert Elliott select CRYPTO_GF128MUL 725f1f142adSRobert Elliott select CRYPTO_ECB 726f1f142adSRobert Elliott help 727f1f142adSRobert Elliott LRW: Liskov Rivest Wagner, a tweakable, non malleable, non movable 728f1f142adSRobert Elliott narrow block cipher mode for dm-crypt. Use it with cipher 729f1f142adSRobert Elliott specification string aes-lrw-benbi, the key must be 256, 320 or 384. 730f1f142adSRobert Elliott The first 128, 192 or 256 bits in the key are used for AES and the 731f1f142adSRobert Elliott rest is used to tie each cipher block to its logical position. 732f1f142adSRobert Elliott 733f1f142adSRobert Elliottconfig CRYPTO_OFB 734f1f142adSRobert Elliott tristate "OFB support" 735f1f142adSRobert Elliott select CRYPTO_SKCIPHER 736f1f142adSRobert Elliott select CRYPTO_MANAGER 737f1f142adSRobert Elliott help 738f1f142adSRobert Elliott OFB: the Output Feedback mode makes a block cipher into a synchronous 739f1f142adSRobert Elliott stream cipher. It generates keystream blocks, which are then XORed 740f1f142adSRobert Elliott with the plaintext blocks to get the ciphertext. Flipping a bit in the 741f1f142adSRobert Elliott ciphertext produces a flipped bit in the plaintext at the same 742f1f142adSRobert Elliott location. This property allows many error correcting codes to function 743f1f142adSRobert Elliott normally even when applied before encryption. 744f1f142adSRobert Elliott 745f1f142adSRobert Elliottconfig CRYPTO_PCBC 746f1f142adSRobert Elliott tristate "PCBC support" 747f1f142adSRobert Elliott select CRYPTO_SKCIPHER 748f1f142adSRobert Elliott select CRYPTO_MANAGER 749f1f142adSRobert Elliott help 750f1f142adSRobert Elliott PCBC: Propagating Cipher Block Chaining mode 751f1f142adSRobert Elliott This block cipher algorithm is required for RxRPC. 752f1f142adSRobert Elliott 753f1f142adSRobert Elliottconfig CRYPTO_XCTR 754f1f142adSRobert Elliott tristate 755f1f142adSRobert Elliott select CRYPTO_SKCIPHER 756f1f142adSRobert Elliott select CRYPTO_MANAGER 757f1f142adSRobert Elliott help 758f1f142adSRobert Elliott XCTR: XOR Counter mode. This blockcipher mode is a variant of CTR mode 759f1f142adSRobert Elliott using XORs and little-endian addition rather than big-endian arithmetic. 760f1f142adSRobert Elliott XCTR mode is used to implement HCTR2. 761f1f142adSRobert Elliott 762f1f142adSRobert Elliottconfig CRYPTO_XTS 763f1f142adSRobert Elliott tristate "XTS support" 764f1f142adSRobert Elliott select CRYPTO_SKCIPHER 765f1f142adSRobert Elliott select CRYPTO_MANAGER 766f1f142adSRobert Elliott select CRYPTO_ECB 767f1f142adSRobert Elliott help 768f1f142adSRobert Elliott XTS: IEEE1619/D16 narrow block cipher use with aes-xts-plain, 769f1f142adSRobert Elliott key size 256, 384 or 512 bits. This implementation currently 770f1f142adSRobert Elliott can't handle a sectorsize which is not a multiple of 16 bytes. 771f1f142adSRobert Elliott 772f1f142adSRobert Elliottconfig CRYPTO_NHPOLY1305 773f1f142adSRobert Elliott tristate 774f1f142adSRobert Elliott select CRYPTO_HASH 775f1f142adSRobert Elliott select CRYPTO_LIB_POLY1305_GENERIC 776f1f142adSRobert Elliott 777f1f142adSRobert Elliottendmenu 778f1f142adSRobert Elliott 779f1f142adSRobert Elliottmenu "AEAD (authenticated encryption with associated data) ciphers" 780f1f142adSRobert Elliott 781f1f142adSRobert Elliottconfig CRYPTO_AEGIS128 782f1f142adSRobert Elliott tristate "AEGIS-128 AEAD algorithm" 783f1f142adSRobert Elliott select CRYPTO_AEAD 784f1f142adSRobert Elliott select CRYPTO_AES # for AES S-box tables 785f1f142adSRobert Elliott help 786f1f142adSRobert Elliott Support for the AEGIS-128 dedicated AEAD algorithm. 787f1f142adSRobert Elliott 788f1f142adSRobert Elliottconfig CRYPTO_AEGIS128_SIMD 789f1f142adSRobert Elliott bool "Support SIMD acceleration for AEGIS-128" 790f1f142adSRobert Elliott depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON) 791f1f142adSRobert Elliott default y 792f1f142adSRobert Elliott 793f1f142adSRobert Elliottconfig CRYPTO_CHACHA20POLY1305 794f1f142adSRobert Elliott tristate "ChaCha20-Poly1305 AEAD support" 795f1f142adSRobert Elliott select CRYPTO_CHACHA20 796f1f142adSRobert Elliott select CRYPTO_POLY1305 797f1f142adSRobert Elliott select CRYPTO_AEAD 798f1f142adSRobert Elliott select CRYPTO_MANAGER 799f1f142adSRobert Elliott help 800f1f142adSRobert Elliott ChaCha20-Poly1305 AEAD support, RFC7539. 801f1f142adSRobert Elliott 802f1f142adSRobert Elliott Support for the AEAD wrapper using the ChaCha20 stream cipher combined 803f1f142adSRobert Elliott with the Poly1305 authenticator. It is defined in RFC7539 for use in 804f1f142adSRobert Elliott IETF protocols. 805f1f142adSRobert Elliott 806f1f142adSRobert Elliottconfig CRYPTO_CCM 807f1f142adSRobert Elliott tristate "CCM support" 808f1f142adSRobert Elliott select CRYPTO_CTR 809f1f142adSRobert Elliott select CRYPTO_HASH 810f1f142adSRobert Elliott select CRYPTO_AEAD 811f1f142adSRobert Elliott select CRYPTO_MANAGER 812f1f142adSRobert Elliott help 813f1f142adSRobert Elliott Support for Counter with CBC MAC. Required for IPsec. 814f1f142adSRobert Elliott 815f1f142adSRobert Elliottconfig CRYPTO_GCM 816f1f142adSRobert Elliott tristate "GCM/GMAC support" 817f1f142adSRobert Elliott select CRYPTO_CTR 818f1f142adSRobert Elliott select CRYPTO_AEAD 819f1f142adSRobert Elliott select CRYPTO_GHASH 820f1f142adSRobert Elliott select CRYPTO_NULL 821f1f142adSRobert Elliott select CRYPTO_MANAGER 822f1f142adSRobert Elliott help 823f1f142adSRobert Elliott Support for Galois/Counter Mode (GCM) and Galois Message 824f1f142adSRobert Elliott Authentication Code (GMAC). Required for IPSec. 825f1f142adSRobert Elliott 826f1f142adSRobert Elliottconfig CRYPTO_SEQIV 827f1f142adSRobert Elliott tristate "Sequence Number IV Generator" 828f1f142adSRobert Elliott select CRYPTO_AEAD 829f1f142adSRobert Elliott select CRYPTO_SKCIPHER 830f1f142adSRobert Elliott select CRYPTO_NULL 831f1f142adSRobert Elliott select CRYPTO_RNG_DEFAULT 832f1f142adSRobert Elliott select CRYPTO_MANAGER 833f1f142adSRobert Elliott help 834f1f142adSRobert Elliott This IV generator generates an IV based on a sequence number by 835f1f142adSRobert Elliott xoring it with a salt. This algorithm is mainly useful for CTR 836f1f142adSRobert Elliott 837f1f142adSRobert Elliottconfig CRYPTO_ECHAINIV 838f1f142adSRobert Elliott tristate "Encrypted Chain IV Generator" 839f1f142adSRobert Elliott select CRYPTO_AEAD 840f1f142adSRobert Elliott select CRYPTO_NULL 841f1f142adSRobert Elliott select CRYPTO_RNG_DEFAULT 842f1f142adSRobert Elliott select CRYPTO_MANAGER 843f1f142adSRobert Elliott help 844f1f142adSRobert Elliott This IV generator generates an IV based on the encryption of 845f1f142adSRobert Elliott a sequence number xored with a salt. This is the default 846f1f142adSRobert Elliott algorithm for CBC. 847f1f142adSRobert Elliott 848f1f142adSRobert Elliottconfig CRYPTO_ESSIV 849f1f142adSRobert Elliott tristate "ESSIV support for block encryption" 850f1f142adSRobert Elliott select CRYPTO_AUTHENC 851f1f142adSRobert Elliott help 852f1f142adSRobert Elliott Encrypted salt-sector initialization vector (ESSIV) is an IV 853f1f142adSRobert Elliott generation method that is used in some cases by fscrypt and/or 854f1f142adSRobert Elliott dm-crypt. It uses the hash of the block encryption key as the 855f1f142adSRobert Elliott symmetric key for a block encryption pass applied to the input 856f1f142adSRobert Elliott IV, making low entropy IV sources more suitable for block 857f1f142adSRobert Elliott encryption. 858f1f142adSRobert Elliott 859f1f142adSRobert Elliott This driver implements a crypto API template that can be 860f1f142adSRobert Elliott instantiated either as an skcipher or as an AEAD (depending on the 861f1f142adSRobert Elliott type of the first template argument), and which defers encryption 862f1f142adSRobert Elliott and decryption requests to the encapsulated cipher after applying 863f1f142adSRobert Elliott ESSIV to the input IV. Note that in the AEAD case, it is assumed 864f1f142adSRobert Elliott that the keys are presented in the same format used by the authenc 865f1f142adSRobert Elliott template, and that the IV appears at the end of the authenticated 866f1f142adSRobert Elliott associated data (AAD) region (which is how dm-crypt uses it.) 867f1f142adSRobert Elliott 868f1f142adSRobert Elliott Note that the use of ESSIV is not recommended for new deployments, 869f1f142adSRobert Elliott and so this only needs to be enabled when interoperability with 870f1f142adSRobert Elliott existing encrypted volumes of filesystems is required, or when 871f1f142adSRobert Elliott building for a particular system that requires it (e.g., when 872f1f142adSRobert Elliott the SoC in question has accelerated CBC but not XTS, making CBC 873f1f142adSRobert Elliott combined with ESSIV the only feasible mode for h/w accelerated 874f1f142adSRobert Elliott block encryption) 875f1f142adSRobert Elliott 876f1f142adSRobert Elliottendmenu 877f1f142adSRobert Elliott 878f1f142adSRobert Elliottmenu "Hashes, digests, and MACs" 879f1f142adSRobert Elliott 880f1f142adSRobert Elliottconfig CRYPTO_BLAKE2B 881f1f142adSRobert Elliott tristate "BLAKE2b digest algorithm" 882f1f142adSRobert Elliott select CRYPTO_HASH 883f1f142adSRobert Elliott help 884f1f142adSRobert Elliott Implementation of cryptographic hash function BLAKE2b (or just BLAKE2), 885f1f142adSRobert Elliott optimized for 64bit platforms and can produce digests of any size 886f1f142adSRobert Elliott between 1 to 64. The keyed hash is also implemented. 887f1f142adSRobert Elliott 888f1f142adSRobert Elliott This module provides the following algorithms: 889f1f142adSRobert Elliott 890f1f142adSRobert Elliott - blake2b-160 891f1f142adSRobert Elliott - blake2b-256 892f1f142adSRobert Elliott - blake2b-384 893f1f142adSRobert Elliott - blake2b-512 894f1f142adSRobert Elliott 895f1f142adSRobert Elliott See https://blake2.net for further information. 896f1f142adSRobert Elliott 897f1f142adSRobert Elliottconfig CRYPTO_CMAC 898f1f142adSRobert Elliott tristate "CMAC support" 899f1f142adSRobert Elliott select CRYPTO_HASH 900f1f142adSRobert Elliott select CRYPTO_MANAGER 901f1f142adSRobert Elliott help 902f1f142adSRobert Elliott Cipher-based Message Authentication Code (CMAC) specified by 903f1f142adSRobert Elliott The National Institute of Standards and Technology (NIST). 904f1f142adSRobert Elliott 905f1f142adSRobert Elliott https://tools.ietf.org/html/rfc4493 906f1f142adSRobert Elliott http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf 907f1f142adSRobert Elliott 908f1f142adSRobert Elliottconfig CRYPTO_GHASH 909f1f142adSRobert Elliott tristate "GHASH hash function" 910f1f142adSRobert Elliott select CRYPTO_GF128MUL 911f1f142adSRobert Elliott select CRYPTO_HASH 912f1f142adSRobert Elliott help 913f1f142adSRobert Elliott GHASH is the hash function used in GCM (Galois/Counter Mode). 914f1f142adSRobert Elliott It is not a general-purpose cryptographic hash function. 915f1f142adSRobert Elliott 916f1f142adSRobert Elliottconfig CRYPTO_HMAC 917f1f142adSRobert Elliott tristate "HMAC support" 918f1f142adSRobert Elliott select CRYPTO_HASH 919f1f142adSRobert Elliott select CRYPTO_MANAGER 920f1f142adSRobert Elliott help 921f1f142adSRobert Elliott HMAC: Keyed-Hashing for Message Authentication (RFC2104). 922f1f142adSRobert Elliott This is required for IPSec. 923f1f142adSRobert Elliott 924f1f142adSRobert Elliottconfig CRYPTO_MD4 925f1f142adSRobert Elliott tristate "MD4 digest algorithm" 926f1f142adSRobert Elliott select CRYPTO_HASH 927f1f142adSRobert Elliott help 928f1f142adSRobert Elliott MD4 message digest algorithm (RFC1320). 929f1f142adSRobert Elliott 930f1f142adSRobert Elliottconfig CRYPTO_MD5 931f1f142adSRobert Elliott tristate "MD5 digest algorithm" 932f1f142adSRobert Elliott select CRYPTO_HASH 933f1f142adSRobert Elliott help 934f1f142adSRobert Elliott MD5 message digest algorithm (RFC1321). 935f1f142adSRobert Elliott 936f1f142adSRobert Elliottconfig CRYPTO_MICHAEL_MIC 937f1f142adSRobert Elliott tristate "Michael MIC keyed digest algorithm" 938f1f142adSRobert Elliott select CRYPTO_HASH 939f1f142adSRobert Elliott help 940f1f142adSRobert Elliott Michael MIC is used for message integrity protection in TKIP 941f1f142adSRobert Elliott (IEEE 802.11i). This algorithm is required for TKIP, but it 942f1f142adSRobert Elliott should not be used for other purposes because of the weakness 943f1f142adSRobert Elliott of the algorithm. 944f1f142adSRobert Elliott 945f1f142adSRobert Elliottconfig CRYPTO_POLYVAL 946f1f142adSRobert Elliott tristate 947f1f142adSRobert Elliott select CRYPTO_GF128MUL 948f1f142adSRobert Elliott select CRYPTO_HASH 949f1f142adSRobert Elliott help 950f1f142adSRobert Elliott POLYVAL is the hash function used in HCTR2. It is not a general-purpose 951f1f142adSRobert Elliott cryptographic hash function. 952f1f142adSRobert Elliott 953f1f142adSRobert Elliottconfig CRYPTO_POLY1305 954f1f142adSRobert Elliott tristate "Poly1305 authenticator algorithm" 955f1f142adSRobert Elliott select CRYPTO_HASH 956f1f142adSRobert Elliott select CRYPTO_LIB_POLY1305_GENERIC 957f1f142adSRobert Elliott help 958f1f142adSRobert Elliott Poly1305 authenticator algorithm, RFC7539. 959f1f142adSRobert Elliott 960f1f142adSRobert Elliott Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein. 961f1f142adSRobert Elliott It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use 962f1f142adSRobert Elliott in IETF protocols. This is the portable C implementation of Poly1305. 963f1f142adSRobert Elliott 964f1f142adSRobert Elliottconfig CRYPTO_RMD160 965f1f142adSRobert Elliott tristate "RIPEMD-160 digest algorithm" 966f1f142adSRobert Elliott select CRYPTO_HASH 967f1f142adSRobert Elliott help 968f1f142adSRobert Elliott RIPEMD-160 (ISO/IEC 10118-3:2004). 969f1f142adSRobert Elliott 970f1f142adSRobert Elliott RIPEMD-160 is a 160-bit cryptographic hash function. It is intended 971f1f142adSRobert Elliott to be used as a secure replacement for the 128-bit hash functions 972f1f142adSRobert Elliott MD4, MD5 and its predecessor RIPEMD 973f1f142adSRobert Elliott (not to be confused with RIPEMD-128). 974f1f142adSRobert Elliott 975f1f142adSRobert Elliott It's speed is comparable to SHA1 and there are no known attacks 976f1f142adSRobert Elliott against RIPEMD-160. 977f1f142adSRobert Elliott 978f1f142adSRobert Elliott Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel. 979f1f142adSRobert Elliott See <https://homes.esat.kuleuven.be/~bosselae/ripemd160.html> 980f1f142adSRobert Elliott 981f1f142adSRobert Elliottconfig CRYPTO_SHA1 982f1f142adSRobert Elliott tristate "SHA1 digest algorithm" 983f1f142adSRobert Elliott select CRYPTO_HASH 984f1f142adSRobert Elliott select CRYPTO_LIB_SHA1 985f1f142adSRobert Elliott help 986f1f142adSRobert Elliott SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2). 987f1f142adSRobert Elliott 988f1f142adSRobert Elliottconfig CRYPTO_SHA256 989f1f142adSRobert Elliott tristate "SHA224 and SHA256 digest algorithm" 990f1f142adSRobert Elliott select CRYPTO_HASH 991f1f142adSRobert Elliott select CRYPTO_LIB_SHA256 992f1f142adSRobert Elliott help 993f1f142adSRobert Elliott SHA256 secure hash standard (DFIPS 180-2). 994f1f142adSRobert Elliott 995f1f142adSRobert Elliott This version of SHA implements a 256 bit hash with 128 bits of 996f1f142adSRobert Elliott security against collision attacks. 997f1f142adSRobert Elliott 998f1f142adSRobert Elliott This code also includes SHA-224, a 224 bit hash with 112 bits 999f1f142adSRobert Elliott of security against collision attacks. 1000f1f142adSRobert Elliott 1001f1f142adSRobert Elliottconfig CRYPTO_SHA512 1002f1f142adSRobert Elliott tristate "SHA384 and SHA512 digest algorithms" 1003f1f142adSRobert Elliott select CRYPTO_HASH 1004f1f142adSRobert Elliott help 1005f1f142adSRobert Elliott SHA512 secure hash standard (DFIPS 180-2). 1006f1f142adSRobert Elliott 1007f1f142adSRobert Elliott This version of SHA implements a 512 bit hash with 256 bits of 1008f1f142adSRobert Elliott security against collision attacks. 1009f1f142adSRobert Elliott 1010f1f142adSRobert Elliott This code also includes SHA-384, a 384 bit hash with 192 bits 1011f1f142adSRobert Elliott of security against collision attacks. 1012f1f142adSRobert Elliott 1013f1f142adSRobert Elliottconfig CRYPTO_SHA3 1014f1f142adSRobert Elliott tristate "SHA3 digest algorithm" 1015f1f142adSRobert Elliott select CRYPTO_HASH 1016f1f142adSRobert Elliott help 1017f1f142adSRobert Elliott SHA-3 secure hash standard (DFIPS 202). It's based on 1018f1f142adSRobert Elliott cryptographic sponge function family called Keccak. 1019f1f142adSRobert Elliott 1020f1f142adSRobert Elliott References: 1021f1f142adSRobert Elliott http://keccak.noekeon.org/ 1022f1f142adSRobert Elliott 1023f1f142adSRobert Elliottconfig CRYPTO_SM3 1024f1f142adSRobert Elliott tristate 1025f1f142adSRobert Elliott 1026f1f142adSRobert Elliottconfig CRYPTO_SM3_GENERIC 1027f1f142adSRobert Elliott tristate "SM3 digest algorithm" 1028f1f142adSRobert Elliott select CRYPTO_HASH 1029f1f142adSRobert Elliott select CRYPTO_SM3 1030f1f142adSRobert Elliott help 1031f1f142adSRobert Elliott SM3 secure hash function as defined by OSCCA GM/T 0004-2012 SM3). 1032f1f142adSRobert Elliott It is part of the Chinese Commercial Cryptography suite. 1033f1f142adSRobert Elliott 1034f1f142adSRobert Elliott References: 1035f1f142adSRobert Elliott http://www.oscca.gov.cn/UpFile/20101222141857786.pdf 1036f1f142adSRobert Elliott https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash 1037f1f142adSRobert Elliott 1038f1f142adSRobert Elliottconfig CRYPTO_STREEBOG 1039f1f142adSRobert Elliott tristate "Streebog Hash Function" 1040f1f142adSRobert Elliott select CRYPTO_HASH 1041f1f142adSRobert Elliott help 1042f1f142adSRobert Elliott Streebog Hash Function (GOST R 34.11-2012, RFC 6986) is one of the Russian 1043f1f142adSRobert Elliott cryptographic standard algorithms (called GOST algorithms). 1044f1f142adSRobert Elliott This setting enables two hash algorithms with 256 and 512 bits output. 1045f1f142adSRobert Elliott 1046f1f142adSRobert Elliott References: 1047f1f142adSRobert Elliott https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf 1048f1f142adSRobert Elliott https://tools.ietf.org/html/rfc6986 1049f1f142adSRobert Elliott 1050f1f142adSRobert Elliottconfig CRYPTO_VMAC 1051f1f142adSRobert Elliott tristate "VMAC support" 1052f1f142adSRobert Elliott select CRYPTO_HASH 1053f1f142adSRobert Elliott select CRYPTO_MANAGER 1054f1f142adSRobert Elliott help 1055f1f142adSRobert Elliott VMAC is a message authentication algorithm designed for 1056f1f142adSRobert Elliott very high speed on 64-bit architectures. 1057f1f142adSRobert Elliott 1058f1f142adSRobert Elliott See also: 1059f1f142adSRobert Elliott <https://fastcrypto.org/vmac> 1060f1f142adSRobert Elliott 1061f1f142adSRobert Elliottconfig CRYPTO_WP512 1062f1f142adSRobert Elliott tristate "Whirlpool digest algorithms" 1063f1f142adSRobert Elliott select CRYPTO_HASH 1064f1f142adSRobert Elliott help 1065f1f142adSRobert Elliott Whirlpool hash algorithm 512, 384 and 256-bit hashes 1066f1f142adSRobert Elliott 1067f1f142adSRobert Elliott Whirlpool-512 is part of the NESSIE cryptographic primitives. 1068f1f142adSRobert Elliott Whirlpool will be part of the ISO/IEC 10118-3:2003(E) standard 1069f1f142adSRobert Elliott 1070f1f142adSRobert Elliott See also: 1071f1f142adSRobert Elliott <http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html> 1072f1f142adSRobert Elliott 1073f1f142adSRobert Elliottconfig CRYPTO_XCBC 1074f1f142adSRobert Elliott tristate "XCBC support" 1075f1f142adSRobert Elliott select CRYPTO_HASH 1076f1f142adSRobert Elliott select CRYPTO_MANAGER 1077f1f142adSRobert Elliott help 1078f1f142adSRobert Elliott XCBC: Keyed-Hashing with encryption algorithm 1079f1f142adSRobert Elliott https://www.ietf.org/rfc/rfc3566.txt 1080f1f142adSRobert Elliott http://csrc.nist.gov/encryption/modes/proposedmodes/ 1081f1f142adSRobert Elliott xcbc-mac/xcbc-mac-spec.pdf 1082f1f142adSRobert Elliott 1083f1f142adSRobert Elliottconfig CRYPTO_XXHASH 1084f1f142adSRobert Elliott tristate "xxHash hash algorithm" 1085f1f142adSRobert Elliott select CRYPTO_HASH 1086f1f142adSRobert Elliott select XXHASH 1087f1f142adSRobert Elliott help 1088f1f142adSRobert Elliott xxHash non-cryptographic hash algorithm. Extremely fast, working at 1089f1f142adSRobert Elliott speeds close to RAM limits. 1090f1f142adSRobert Elliott 1091f1f142adSRobert Elliottendmenu 1092f1f142adSRobert Elliott 1093f1f142adSRobert Elliottmenu "CRCs (cyclic redundancy checks)" 1094f1f142adSRobert Elliott 1095f1f142adSRobert Elliottconfig CRYPTO_CRC32C 1096f1f142adSRobert Elliott tristate "CRC32c CRC algorithm" 1097f1f142adSRobert Elliott select CRYPTO_HASH 1098f1f142adSRobert Elliott select CRC32 1099f1f142adSRobert Elliott help 1100f1f142adSRobert Elliott Castagnoli, et al Cyclic Redundancy-Check Algorithm. Used 1101f1f142adSRobert Elliott by iSCSI for header and data digests and by others. 1102f1f142adSRobert Elliott See Castagnoli93. Module will be crc32c. 1103f1f142adSRobert Elliott 1104f1f142adSRobert Elliottconfig CRYPTO_CRC32 1105f1f142adSRobert Elliott tristate "CRC32 CRC algorithm" 1106f1f142adSRobert Elliott select CRYPTO_HASH 1107f1f142adSRobert Elliott select CRC32 1108f1f142adSRobert Elliott help 1109f1f142adSRobert Elliott CRC-32-IEEE 802.3 cyclic redundancy-check algorithm. 1110f1f142adSRobert Elliott Shash crypto api wrappers to crc32_le function. 1111f1f142adSRobert Elliott 1112f1f142adSRobert Elliottconfig CRYPTO_CRCT10DIF 1113f1f142adSRobert Elliott tristate "CRCT10DIF algorithm" 1114f1f142adSRobert Elliott select CRYPTO_HASH 1115f1f142adSRobert Elliott help 1116f1f142adSRobert Elliott CRC T10 Data Integrity Field computation is being cast as 1117f1f142adSRobert Elliott a crypto transform. This allows for faster crc t10 diff 1118f1f142adSRobert Elliott transforms to be used if they are available. 1119f1f142adSRobert Elliott 1120f1f142adSRobert Elliottconfig CRYPTO_CRC64_ROCKSOFT 1121f1f142adSRobert Elliott tristate "Rocksoft Model CRC64 algorithm" 1122f1f142adSRobert Elliott depends on CRC64 1123f1f142adSRobert Elliott select CRYPTO_HASH 1124f1f142adSRobert Elliott 1125f1f142adSRobert Elliottendmenu 1126f1f142adSRobert Elliott 1127f1f142adSRobert Elliottmenu "Compression" 1128584fffc8SSebastian Siewior 11291da177e4SLinus Torvaldsconfig CRYPTO_DEFLATE 11301da177e4SLinus Torvalds tristate "Deflate compression algorithm" 1131cce9e06dSHerbert Xu select CRYPTO_ALGAPI 1132f6ded09dSGiovanni Cabiddu select CRYPTO_ACOMP2 11331da177e4SLinus Torvalds select ZLIB_INFLATE 11341da177e4SLinus Torvalds select ZLIB_DEFLATE 11351da177e4SLinus Torvalds help 11361da177e4SLinus Torvalds This is the Deflate algorithm (RFC1951), specified for use in 11371da177e4SLinus Torvalds IPSec with the IPCOMP protocol (RFC3173, RFC2394). 11381da177e4SLinus Torvalds 11391da177e4SLinus Torvalds You will most probably want this if using IPSec. 11401da177e4SLinus Torvalds 11410b77abb3SZoltan Sogorconfig CRYPTO_LZO 11420b77abb3SZoltan Sogor tristate "LZO compression algorithm" 11430b77abb3SZoltan Sogor select CRYPTO_ALGAPI 1144ac9d2c4bSGiovanni Cabiddu select CRYPTO_ACOMP2 11450b77abb3SZoltan Sogor select LZO_COMPRESS 11460b77abb3SZoltan Sogor select LZO_DECOMPRESS 11470b77abb3SZoltan Sogor help 11480b77abb3SZoltan Sogor This is the LZO algorithm. 11490b77abb3SZoltan Sogor 115035a1fc18SSeth Jenningsconfig CRYPTO_842 115135a1fc18SSeth Jennings tristate "842 compression algorithm" 11522062c5b6SDan Streetman select CRYPTO_ALGAPI 11536a8de3aeSGiovanni Cabiddu select CRYPTO_ACOMP2 11542062c5b6SDan Streetman select 842_COMPRESS 11552062c5b6SDan Streetman select 842_DECOMPRESS 115635a1fc18SSeth Jennings help 115735a1fc18SSeth Jennings This is the 842 algorithm. 115835a1fc18SSeth Jennings 11590ea8530dSChanho Minconfig CRYPTO_LZ4 11600ea8530dSChanho Min tristate "LZ4 compression algorithm" 11610ea8530dSChanho Min select CRYPTO_ALGAPI 11628cd9330eSGiovanni Cabiddu select CRYPTO_ACOMP2 11630ea8530dSChanho Min select LZ4_COMPRESS 11640ea8530dSChanho Min select LZ4_DECOMPRESS 11650ea8530dSChanho Min help 11660ea8530dSChanho Min This is the LZ4 algorithm. 11670ea8530dSChanho Min 11680ea8530dSChanho Minconfig CRYPTO_LZ4HC 11690ea8530dSChanho Min tristate "LZ4HC compression algorithm" 11700ea8530dSChanho Min select CRYPTO_ALGAPI 117191d53d96SGiovanni Cabiddu select CRYPTO_ACOMP2 11720ea8530dSChanho Min select LZ4HC_COMPRESS 11730ea8530dSChanho Min select LZ4_DECOMPRESS 11740ea8530dSChanho Min help 11750ea8530dSChanho Min This is the LZ4 high compression mode algorithm. 11760ea8530dSChanho Min 1177d28fc3dbSNick Terrellconfig CRYPTO_ZSTD 1178d28fc3dbSNick Terrell tristate "Zstd compression algorithm" 1179d28fc3dbSNick Terrell select CRYPTO_ALGAPI 1180d28fc3dbSNick Terrell select CRYPTO_ACOMP2 1181d28fc3dbSNick Terrell select ZSTD_COMPRESS 1182d28fc3dbSNick Terrell select ZSTD_DECOMPRESS 1183d28fc3dbSNick Terrell help 1184d28fc3dbSNick Terrell This is the zstd algorithm. 1185d28fc3dbSNick Terrell 1186f1f142adSRobert Elliottendmenu 1187f1f142adSRobert Elliott 1188f1f142adSRobert Elliottmenu "Random number generation" 118917f0f4a4SNeil Horman 119017f0f4a4SNeil Hormanconfig CRYPTO_ANSI_CPRNG 119117f0f4a4SNeil Horman tristate "Pseudo Random Number Generation for Cryptographic modules" 119217f0f4a4SNeil Horman select CRYPTO_AES 119317f0f4a4SNeil Horman select CRYPTO_RNG 119417f0f4a4SNeil Horman help 119517f0f4a4SNeil Horman This option enables the generic pseudo random number generator 119617f0f4a4SNeil Horman for cryptographic modules. Uses the Algorithm specified in 11977dd607e8SJiri Kosina ANSI X9.31 A.2.4. Note that this option must be enabled if 11987dd607e8SJiri Kosina CRYPTO_FIPS is selected 119917f0f4a4SNeil Horman 1200f2c89a10SHerbert Xumenuconfig CRYPTO_DRBG_MENU 1201419090c6SStephan Mueller tristate "NIST SP800-90A DRBG" 1202419090c6SStephan Mueller help 1203419090c6SStephan Mueller NIST SP800-90A compliant DRBG. In the following submenu, one or 1204419090c6SStephan Mueller more of the DRBG types must be selected. 1205419090c6SStephan Mueller 1206f2c89a10SHerbert Xuif CRYPTO_DRBG_MENU 1207419090c6SStephan Mueller 1208419090c6SStephan Muellerconfig CRYPTO_DRBG_HMAC 1209401e4238SHerbert Xu bool 1210419090c6SStephan Mueller default y 1211419090c6SStephan Mueller select CRYPTO_HMAC 12125261cdf4SStephan Mueller select CRYPTO_SHA512 1213419090c6SStephan Mueller 1214419090c6SStephan Muellerconfig CRYPTO_DRBG_HASH 1215419090c6SStephan Mueller bool "Enable Hash DRBG" 1216826775bbSHerbert Xu select CRYPTO_SHA256 1217419090c6SStephan Mueller help 1218419090c6SStephan Mueller Enable the Hash DRBG variant as defined in NIST SP800-90A. 1219419090c6SStephan Mueller 1220419090c6SStephan Muellerconfig CRYPTO_DRBG_CTR 1221419090c6SStephan Mueller bool "Enable CTR DRBG" 1222419090c6SStephan Mueller select CRYPTO_AES 1223d6fc1a45SCorentin Labbe select CRYPTO_CTR 1224419090c6SStephan Mueller help 1225419090c6SStephan Mueller Enable the CTR DRBG variant as defined in NIST SP800-90A. 1226419090c6SStephan Mueller 1227f2c89a10SHerbert Xuconfig CRYPTO_DRBG 1228f2c89a10SHerbert Xu tristate 1229401e4238SHerbert Xu default CRYPTO_DRBG_MENU 1230f2c89a10SHerbert Xu select CRYPTO_RNG 1231bb5530e4SStephan Mueller select CRYPTO_JITTERENTROPY 1232f2c89a10SHerbert Xu 1233f2c89a10SHerbert Xuendif # if CRYPTO_DRBG_MENU 1234419090c6SStephan Mueller 1235bb5530e4SStephan Muellerconfig CRYPTO_JITTERENTROPY 1236bb5530e4SStephan Mueller tristate "Jitterentropy Non-Deterministic Random Number Generator" 12372f313e02SArnd Bergmann select CRYPTO_RNG 1238bb5530e4SStephan Mueller help 1239bb5530e4SStephan Mueller The Jitterentropy RNG is a noise that is intended 1240bb5530e4SStephan Mueller to provide seed to another RNG. The RNG does not 1241bb5530e4SStephan Mueller perform any cryptographic whitening of the generated 1242bb5530e4SStephan Mueller random numbers. This Jitterentropy RNG registers with 1243bb5530e4SStephan Mueller the kernel crypto API and can be used by any caller. 1244bb5530e4SStephan Mueller 1245026a733eSStephan Müllerconfig CRYPTO_KDF800108_CTR 1246026a733eSStephan Müller tristate 1247a88592ccSHerbert Xu select CRYPTO_HMAC 1248304b4aceSStephan Müller select CRYPTO_SHA256 1249026a733eSStephan Müller 1250f1f142adSRobert Elliottendmenu 1251f1f142adSRobert Elliottmenu "User-space interface" 1252f1f142adSRobert Elliott 125303c8efc1SHerbert Xuconfig CRYPTO_USER_API 125403c8efc1SHerbert Xu tristate 125503c8efc1SHerbert Xu 1256fe869cdbSHerbert Xuconfig CRYPTO_USER_API_HASH 1257fe869cdbSHerbert Xu tristate "User-space interface for hash algorithms" 12587451708fSHerbert Xu depends on NET 1259fe869cdbSHerbert Xu select CRYPTO_HASH 1260fe869cdbSHerbert Xu select CRYPTO_USER_API 1261fe869cdbSHerbert Xu help 1262fe869cdbSHerbert Xu This option enables the user-spaces interface for hash 1263fe869cdbSHerbert Xu algorithms. 1264fe869cdbSHerbert Xu 12658ff59090SHerbert Xuconfig CRYPTO_USER_API_SKCIPHER 12668ff59090SHerbert Xu tristate "User-space interface for symmetric key cipher algorithms" 12677451708fSHerbert Xu depends on NET 1268b95bba5dSEric Biggers select CRYPTO_SKCIPHER 12698ff59090SHerbert Xu select CRYPTO_USER_API 12708ff59090SHerbert Xu help 12718ff59090SHerbert Xu This option enables the user-spaces interface for symmetric 12728ff59090SHerbert Xu key cipher algorithms. 12738ff59090SHerbert Xu 12742f375538SStephan Muellerconfig CRYPTO_USER_API_RNG 12752f375538SStephan Mueller tristate "User-space interface for random number generator algorithms" 12762f375538SStephan Mueller depends on NET 12772f375538SStephan Mueller select CRYPTO_RNG 12782f375538SStephan Mueller select CRYPTO_USER_API 12792f375538SStephan Mueller help 12802f375538SStephan Mueller This option enables the user-spaces interface for random 12812f375538SStephan Mueller number generator algorithms. 12822f375538SStephan Mueller 128377ebdabeSElena Petrovaconfig CRYPTO_USER_API_RNG_CAVP 128477ebdabeSElena Petrova bool "Enable CAVP testing of DRBG" 128577ebdabeSElena Petrova depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG 128677ebdabeSElena Petrova help 128777ebdabeSElena Petrova This option enables extra API for CAVP testing via the user-space 128877ebdabeSElena Petrova interface: resetting of DRBG entropy, and providing Additional Data. 128977ebdabeSElena Petrova This should only be enabled for CAVP testing. You should say 129077ebdabeSElena Petrova no unless you know what this is. 129177ebdabeSElena Petrova 1292b64a2d95SHerbert Xuconfig CRYPTO_USER_API_AEAD 1293b64a2d95SHerbert Xu tristate "User-space interface for AEAD cipher algorithms" 1294b64a2d95SHerbert Xu depends on NET 1295b64a2d95SHerbert Xu select CRYPTO_AEAD 1296b95bba5dSEric Biggers select CRYPTO_SKCIPHER 129772548b09SStephan Mueller select CRYPTO_NULL 1298b64a2d95SHerbert Xu select CRYPTO_USER_API 1299b64a2d95SHerbert Xu help 1300b64a2d95SHerbert Xu This option enables the user-spaces interface for AEAD 1301b64a2d95SHerbert Xu cipher algorithms. 1302b64a2d95SHerbert Xu 13039ace6771SArd Biesheuvelconfig CRYPTO_USER_API_ENABLE_OBSOLETE 13049ace6771SArd Biesheuvel bool "Enable obsolete cryptographic algorithms for userspace" 13059ace6771SArd Biesheuvel depends on CRYPTO_USER_API 13069ace6771SArd Biesheuvel default y 13079ace6771SArd Biesheuvel help 13089ace6771SArd Biesheuvel Allow obsolete cryptographic algorithms to be selected that have 13099ace6771SArd Biesheuvel already been phased out from internal use by the kernel, and are 13109ace6771SArd Biesheuvel only useful for userspace clients that still rely on them. 13119ace6771SArd Biesheuvel 1312cac5818cSCorentin Labbeconfig CRYPTO_STATS 1313cac5818cSCorentin Labbe bool "Crypto usage statistics for User-space" 1314a6a31385SCorentin Labbe depends on CRYPTO_USER 1315cac5818cSCorentin Labbe help 1316cac5818cSCorentin Labbe This option enables the gathering of crypto stats. 1317cac5818cSCorentin Labbe This will collect: 1318cac5818cSCorentin Labbe - encrypt/decrypt size and numbers of symmeric operations 1319cac5818cSCorentin Labbe - compress/decompress size and numbers of compress operations 1320cac5818cSCorentin Labbe - size and numbers of hash operations 1321cac5818cSCorentin Labbe - encrypt/decrypt/sign/verify numbers for asymmetric operations 1322cac5818cSCorentin Labbe - generate/seed numbers for rng operations 1323cac5818cSCorentin Labbe 1324f1f142adSRobert Elliottendmenu 1325f1f142adSRobert Elliott 1326ee08997fSDmitry Kasatkinconfig CRYPTO_HASH_INFO 1327ee08997fSDmitry Kasatkin bool 1328ee08997fSDmitry Kasatkin 13294a329fecSRobert Elliottif ARM 13304a329fecSRobert Elliottsource "arch/arm/crypto/Kconfig" 13314a329fecSRobert Elliottendif 13324a329fecSRobert Elliottif ARM64 13334a329fecSRobert Elliottsource "arch/arm64/crypto/Kconfig" 13344a329fecSRobert Elliottendif 1335e45f710bSRobert Elliottif MIPS 1336e45f710bSRobert Elliottsource "arch/mips/crypto/Kconfig" 1337e45f710bSRobert Elliottendif 13386a490a4eSRobert Elliottif PPC 13396a490a4eSRobert Elliottsource "arch/powerpc/crypto/Kconfig" 13406a490a4eSRobert Elliottendif 1341c9d24c97SRobert Elliottif S390 1342c9d24c97SRobert Elliottsource "arch/s390/crypto/Kconfig" 1343c9d24c97SRobert Elliottendif 13440e9f9ea6SRobert Elliottif SPARC 13450e9f9ea6SRobert Elliottsource "arch/sparc/crypto/Kconfig" 13460e9f9ea6SRobert Elliottendif 134728a936efSRobert Elliottif X86 134828a936efSRobert Elliottsource "arch/x86/crypto/Kconfig" 134928a936efSRobert Elliottendif 1350e45f710bSRobert Elliott 13511da177e4SLinus Torvaldssource "drivers/crypto/Kconfig" 13528636a1f9SMasahiro Yamadasource "crypto/asymmetric_keys/Kconfig" 13538636a1f9SMasahiro Yamadasource "certs/Kconfig" 13541da177e4SLinus Torvalds 1355cce9e06dSHerbert Xuendif # if CRYPTO 1356