xref: /linux/crypto/Kconfig (revision be1eb7f78aa8fbe34779c56c266ccd0364604e71)
1b2441318SGreg Kroah-Hartman# SPDX-License-Identifier: GPL-2.0
21da177e4SLinus Torvalds#
3685784aaSDan Williams# Generic algorithms support
4685784aaSDan Williams#
5685784aaSDan Williamsconfig XOR_BLOCKS
6685784aaSDan Williams	tristate
7685784aaSDan Williams
8685784aaSDan Williams#
99bc89cd8SDan Williams# async_tx api: hardware offloaded memory transfer/transform support
109bc89cd8SDan Williams#
119bc89cd8SDan Williamssource "crypto/async_tx/Kconfig"
129bc89cd8SDan Williams
139bc89cd8SDan Williams#
141da177e4SLinus Torvalds# Cryptographic API Configuration
151da177e4SLinus Torvalds#
162e290f43SJan Engelhardtmenuconfig CRYPTO
17c3715cb9SSebastian Siewior	tristate "Cryptographic API"
181da177e4SLinus Torvalds	help
191da177e4SLinus Torvalds	  This option provides the core Cryptographic API.
201da177e4SLinus Torvalds
21cce9e06dSHerbert Xuif CRYPTO
22cce9e06dSHerbert Xu
23584fffc8SSebastian Siewiorcomment "Crypto core or helper"
24584fffc8SSebastian Siewior
25ccb778e1SNeil Hormanconfig CRYPTO_FIPS
26ccb778e1SNeil Horman	bool "FIPS 200 compliance"
27f2c89a10SHerbert Xu	depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
281f696097SAlec Ari	depends on (MODULE_SIG || !MODULES)
29ccb778e1SNeil Horman	help
30d99324c2SGeert Uytterhoeven	  This option enables the fips boot option which is
31d99324c2SGeert Uytterhoeven	  required if you want the system to operate in a FIPS 200
32ccb778e1SNeil Horman	  certification.  You should say no unless you know what
33e84c5480SChuck Ebbert	  this is.
34ccb778e1SNeil Horman
35cce9e06dSHerbert Xuconfig CRYPTO_ALGAPI
36cce9e06dSHerbert Xu	tristate
376a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
38cce9e06dSHerbert Xu	help
39cce9e06dSHerbert Xu	  This option provides the API for cryptographic algorithms.
40cce9e06dSHerbert Xu
416a0fcbb4SHerbert Xuconfig CRYPTO_ALGAPI2
426a0fcbb4SHerbert Xu	tristate
436a0fcbb4SHerbert Xu
441ae97820SHerbert Xuconfig CRYPTO_AEAD
451ae97820SHerbert Xu	tristate
466a0fcbb4SHerbert Xu	select CRYPTO_AEAD2
471ae97820SHerbert Xu	select CRYPTO_ALGAPI
481ae97820SHerbert Xu
496a0fcbb4SHerbert Xuconfig CRYPTO_AEAD2
506a0fcbb4SHerbert Xu	tristate
516a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
52149a3971SHerbert Xu	select CRYPTO_NULL2
53149a3971SHerbert Xu	select CRYPTO_RNG2
546a0fcbb4SHerbert Xu
555cde0af2SHerbert Xuconfig CRYPTO_BLKCIPHER
565cde0af2SHerbert Xu	tristate
576a0fcbb4SHerbert Xu	select CRYPTO_BLKCIPHER2
585cde0af2SHerbert Xu	select CRYPTO_ALGAPI
596a0fcbb4SHerbert Xu
606a0fcbb4SHerbert Xuconfig CRYPTO_BLKCIPHER2
616a0fcbb4SHerbert Xu	tristate
626a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
636a0fcbb4SHerbert Xu	select CRYPTO_RNG2
645cde0af2SHerbert Xu
65055bcee3SHerbert Xuconfig CRYPTO_HASH
66055bcee3SHerbert Xu	tristate
676a0fcbb4SHerbert Xu	select CRYPTO_HASH2
68055bcee3SHerbert Xu	select CRYPTO_ALGAPI
69055bcee3SHerbert Xu
706a0fcbb4SHerbert Xuconfig CRYPTO_HASH2
716a0fcbb4SHerbert Xu	tristate
726a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
736a0fcbb4SHerbert Xu
7417f0f4a4SNeil Hormanconfig CRYPTO_RNG
7517f0f4a4SNeil Horman	tristate
766a0fcbb4SHerbert Xu	select CRYPTO_RNG2
7717f0f4a4SNeil Horman	select CRYPTO_ALGAPI
7817f0f4a4SNeil Horman
796a0fcbb4SHerbert Xuconfig CRYPTO_RNG2
806a0fcbb4SHerbert Xu	tristate
816a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
826a0fcbb4SHerbert Xu
83401e4238SHerbert Xuconfig CRYPTO_RNG_DEFAULT
84401e4238SHerbert Xu	tristate
85401e4238SHerbert Xu	select CRYPTO_DRBG_MENU
86401e4238SHerbert Xu
873c339ab8STadeusz Strukconfig CRYPTO_AKCIPHER2
883c339ab8STadeusz Struk	tristate
893c339ab8STadeusz Struk	select CRYPTO_ALGAPI2
903c339ab8STadeusz Struk
913c339ab8STadeusz Strukconfig CRYPTO_AKCIPHER
923c339ab8STadeusz Struk	tristate
933c339ab8STadeusz Struk	select CRYPTO_AKCIPHER2
943c339ab8STadeusz Struk	select CRYPTO_ALGAPI
953c339ab8STadeusz Struk
964e5f2c40SSalvatore Benedettoconfig CRYPTO_KPP2
974e5f2c40SSalvatore Benedetto	tristate
984e5f2c40SSalvatore Benedetto	select CRYPTO_ALGAPI2
994e5f2c40SSalvatore Benedetto
1004e5f2c40SSalvatore Benedettoconfig CRYPTO_KPP
1014e5f2c40SSalvatore Benedetto	tristate
1024e5f2c40SSalvatore Benedetto	select CRYPTO_ALGAPI
1034e5f2c40SSalvatore Benedetto	select CRYPTO_KPP2
1044e5f2c40SSalvatore Benedetto
1052ebda74fSGiovanni Cabidduconfig CRYPTO_ACOMP2
1062ebda74fSGiovanni Cabiddu	tristate
1072ebda74fSGiovanni Cabiddu	select CRYPTO_ALGAPI2
1088cd579d2SBart Van Assche	select SGL_ALLOC
1092ebda74fSGiovanni Cabiddu
1102ebda74fSGiovanni Cabidduconfig CRYPTO_ACOMP
1112ebda74fSGiovanni Cabiddu	tristate
1122ebda74fSGiovanni Cabiddu	select CRYPTO_ALGAPI
1132ebda74fSGiovanni Cabiddu	select CRYPTO_ACOMP2
1142ebda74fSGiovanni Cabiddu
1152b8c19dbSHerbert Xuconfig CRYPTO_MANAGER
1162b8c19dbSHerbert Xu	tristate "Cryptographic algorithm manager"
1176a0fcbb4SHerbert Xu	select CRYPTO_MANAGER2
1182b8c19dbSHerbert Xu	help
1192b8c19dbSHerbert Xu	  Create default cryptographic template instantiations such as
1202b8c19dbSHerbert Xu	  cbc(aes).
1212b8c19dbSHerbert Xu
1226a0fcbb4SHerbert Xuconfig CRYPTO_MANAGER2
1236a0fcbb4SHerbert Xu	def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
1246a0fcbb4SHerbert Xu	select CRYPTO_AEAD2
1256a0fcbb4SHerbert Xu	select CRYPTO_HASH2
1266a0fcbb4SHerbert Xu	select CRYPTO_BLKCIPHER2
127946cc463STadeusz Struk	select CRYPTO_AKCIPHER2
1284e5f2c40SSalvatore Benedetto	select CRYPTO_KPP2
1292ebda74fSGiovanni Cabiddu	select CRYPTO_ACOMP2
1306a0fcbb4SHerbert Xu
131a38f7907SSteffen Klassertconfig CRYPTO_USER
132a38f7907SSteffen Klassert	tristate "Userspace cryptographic algorithm configuration"
1335db017aaSHerbert Xu	depends on NET
134a38f7907SSteffen Klassert	select CRYPTO_MANAGER
135a38f7907SSteffen Klassert	help
136d19978f5SValdis.Kletnieks@vt.edu	  Userspace configuration for cryptographic instantiations such as
137a38f7907SSteffen Klassert	  cbc(aes).
138a38f7907SSteffen Klassert
139929d34caSEric Biggersif CRYPTO_MANAGER2
140929d34caSEric Biggers
141326a6346SHerbert Xuconfig CRYPTO_MANAGER_DISABLE_TESTS
142326a6346SHerbert Xu	bool "Disable run-time self tests"
14300ca28a5SHerbert Xu	default y
1440b767f96SAlexander Shishkin	help
145326a6346SHerbert Xu	  Disable run-time self tests that normally take place at
146326a6346SHerbert Xu	  algorithm registration.
1470b767f96SAlexander Shishkin
1485b2706a4SEric Biggersconfig CRYPTO_MANAGER_EXTRA_TESTS
1495b2706a4SEric Biggers	bool "Enable extra run-time crypto self tests"
1505b2706a4SEric Biggers	depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS
1515b2706a4SEric Biggers	help
1525b2706a4SEric Biggers	  Enable extra run-time self tests of registered crypto algorithms,
1535b2706a4SEric Biggers	  including randomized fuzz tests.
1545b2706a4SEric Biggers
1555b2706a4SEric Biggers	  This is intended for developer use only, as these tests take much
1565b2706a4SEric Biggers	  longer to run than the normal self tests.
1575b2706a4SEric Biggers
158929d34caSEric Biggersendif	# if CRYPTO_MANAGER2
159929d34caSEric Biggers
160584fffc8SSebastian Siewiorconfig CRYPTO_GF128MUL
161e590e132SEric Biggers	tristate
162584fffc8SSebastian Siewior
163584fffc8SSebastian Siewiorconfig CRYPTO_NULL
164584fffc8SSebastian Siewior	tristate "Null algorithms"
165149a3971SHerbert Xu	select CRYPTO_NULL2
166584fffc8SSebastian Siewior	help
167584fffc8SSebastian Siewior	  These are 'Null' algorithms, used by IPsec, which do nothing.
168584fffc8SSebastian Siewior
169149a3971SHerbert Xuconfig CRYPTO_NULL2
170dd43c4e9SHerbert Xu	tristate
171149a3971SHerbert Xu	select CRYPTO_ALGAPI2
172149a3971SHerbert Xu	select CRYPTO_BLKCIPHER2
173149a3971SHerbert Xu	select CRYPTO_HASH2
174149a3971SHerbert Xu
1755068c7a8SSteffen Klassertconfig CRYPTO_PCRYPT
1763b4afaf2SKees Cook	tristate "Parallel crypto engine"
1773b4afaf2SKees Cook	depends on SMP
1785068c7a8SSteffen Klassert	select PADATA
1795068c7a8SSteffen Klassert	select CRYPTO_MANAGER
1805068c7a8SSteffen Klassert	select CRYPTO_AEAD
1815068c7a8SSteffen Klassert	help
1825068c7a8SSteffen Klassert	  This converts an arbitrary crypto algorithm into a parallel
1835068c7a8SSteffen Klassert	  algorithm that executes in kernel threads.
1845068c7a8SSteffen Klassert
185584fffc8SSebastian Siewiorconfig CRYPTO_CRYPTD
186584fffc8SSebastian Siewior	tristate "Software async crypto daemon"
187584fffc8SSebastian Siewior	select CRYPTO_BLKCIPHER
188b8a28251SLoc Ho	select CRYPTO_HASH
189584fffc8SSebastian Siewior	select CRYPTO_MANAGER
190584fffc8SSebastian Siewior	help
191584fffc8SSebastian Siewior	  This is a generic software asynchronous crypto daemon that
192584fffc8SSebastian Siewior	  converts an arbitrary synchronous software crypto algorithm
193584fffc8SSebastian Siewior	  into an asynchronous algorithm that executes in a kernel thread.
194584fffc8SSebastian Siewior
195584fffc8SSebastian Siewiorconfig CRYPTO_AUTHENC
196584fffc8SSebastian Siewior	tristate "Authenc support"
197584fffc8SSebastian Siewior	select CRYPTO_AEAD
198584fffc8SSebastian Siewior	select CRYPTO_BLKCIPHER
199584fffc8SSebastian Siewior	select CRYPTO_MANAGER
200584fffc8SSebastian Siewior	select CRYPTO_HASH
201e94c6a7aSHerbert Xu	select CRYPTO_NULL
202584fffc8SSebastian Siewior	help
203584fffc8SSebastian Siewior	  Authenc: Combined mode wrapper for IPsec.
204584fffc8SSebastian Siewior	  This is required for IPSec.
205584fffc8SSebastian Siewior
206584fffc8SSebastian Siewiorconfig CRYPTO_TEST
207584fffc8SSebastian Siewior	tristate "Testing module"
208584fffc8SSebastian Siewior	depends on m
209da7f033dSHerbert Xu	select CRYPTO_MANAGER
210584fffc8SSebastian Siewior	help
211584fffc8SSebastian Siewior	  Quick & dirty crypto test module.
212584fffc8SSebastian Siewior
213266d0516SHerbert Xuconfig CRYPTO_SIMD
214266d0516SHerbert Xu	tristate
215266d0516SHerbert Xu	select CRYPTO_CRYPTD
216266d0516SHerbert Xu
217596d8750SJussi Kivilinnaconfig CRYPTO_GLUE_HELPER_X86
218596d8750SJussi Kivilinna	tristate
219596d8750SJussi Kivilinna	depends on X86
220065ce327SHerbert Xu	select CRYPTO_BLKCIPHER
221596d8750SJussi Kivilinna
222735d37b5SBaolin Wangconfig CRYPTO_ENGINE
223735d37b5SBaolin Wang	tristate
224735d37b5SBaolin Wang
2253d6228a5SVitaly Chikunovcomment "Public-key cryptography"
2263d6228a5SVitaly Chikunov
2273d6228a5SVitaly Chikunovconfig CRYPTO_RSA
2283d6228a5SVitaly Chikunov	tristate "RSA algorithm"
2293d6228a5SVitaly Chikunov	select CRYPTO_AKCIPHER
2303d6228a5SVitaly Chikunov	select CRYPTO_MANAGER
2313d6228a5SVitaly Chikunov	select MPILIB
2323d6228a5SVitaly Chikunov	select ASN1
2333d6228a5SVitaly Chikunov	help
2343d6228a5SVitaly Chikunov	  Generic implementation of the RSA public key algorithm.
2353d6228a5SVitaly Chikunov
2363d6228a5SVitaly Chikunovconfig CRYPTO_DH
2373d6228a5SVitaly Chikunov	tristate "Diffie-Hellman algorithm"
2383d6228a5SVitaly Chikunov	select CRYPTO_KPP
2393d6228a5SVitaly Chikunov	select MPILIB
2403d6228a5SVitaly Chikunov	help
2413d6228a5SVitaly Chikunov	  Generic implementation of the Diffie-Hellman algorithm.
2423d6228a5SVitaly Chikunov
2434a2289daSVitaly Chikunovconfig CRYPTO_ECC
2444a2289daSVitaly Chikunov	tristate
2454a2289daSVitaly Chikunov
2463d6228a5SVitaly Chikunovconfig CRYPTO_ECDH
2473d6228a5SVitaly Chikunov	tristate "ECDH algorithm"
2484a2289daSVitaly Chikunov	select CRYPTO_ECC
2493d6228a5SVitaly Chikunov	select CRYPTO_KPP
2503d6228a5SVitaly Chikunov	select CRYPTO_RNG_DEFAULT
2513d6228a5SVitaly Chikunov	help
2523d6228a5SVitaly Chikunov	  Generic implementation of the ECDH algorithm
2533d6228a5SVitaly Chikunov
2540d7a7864SVitaly Chikunovconfig CRYPTO_ECRDSA
2550d7a7864SVitaly Chikunov	tristate "EC-RDSA (GOST 34.10) algorithm"
2560d7a7864SVitaly Chikunov	select CRYPTO_ECC
2570d7a7864SVitaly Chikunov	select CRYPTO_AKCIPHER
2580d7a7864SVitaly Chikunov	select CRYPTO_STREEBOG
2591036633eSVitaly Chikunov	select OID_REGISTRY
2601036633eSVitaly Chikunov	select ASN1
2610d7a7864SVitaly Chikunov	help
2620d7a7864SVitaly Chikunov	  Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
2630d7a7864SVitaly Chikunov	  RFC 7091, ISO/IEC 14888-3:2018) is one of the Russian cryptographic
2640d7a7864SVitaly Chikunov	  standard algorithms (called GOST algorithms). Only signature verification
2650d7a7864SVitaly Chikunov	  is implemented.
2660d7a7864SVitaly Chikunov
267584fffc8SSebastian Siewiorcomment "Authenticated Encryption with Associated Data"
268584fffc8SSebastian Siewior
269584fffc8SSebastian Siewiorconfig CRYPTO_CCM
270584fffc8SSebastian Siewior	tristate "CCM support"
271584fffc8SSebastian Siewior	select CRYPTO_CTR
272f15f05b0SArd Biesheuvel	select CRYPTO_HASH
273584fffc8SSebastian Siewior	select CRYPTO_AEAD
274c8a3315aSEric Biggers	select CRYPTO_MANAGER
275584fffc8SSebastian Siewior	help
276584fffc8SSebastian Siewior	  Support for Counter with CBC MAC. Required for IPsec.
277584fffc8SSebastian Siewior
278584fffc8SSebastian Siewiorconfig CRYPTO_GCM
279584fffc8SSebastian Siewior	tristate "GCM/GMAC support"
280584fffc8SSebastian Siewior	select CRYPTO_CTR
281584fffc8SSebastian Siewior	select CRYPTO_AEAD
2829382d97aSHuang Ying	select CRYPTO_GHASH
2839489667dSJussi Kivilinna	select CRYPTO_NULL
284c8a3315aSEric Biggers	select CRYPTO_MANAGER
285584fffc8SSebastian Siewior	help
286584fffc8SSebastian Siewior	  Support for Galois/Counter Mode (GCM) and Galois Message
287584fffc8SSebastian Siewior	  Authentication Code (GMAC). Required for IPSec.
288584fffc8SSebastian Siewior
28971ebc4d1SMartin Williconfig CRYPTO_CHACHA20POLY1305
29071ebc4d1SMartin Willi	tristate "ChaCha20-Poly1305 AEAD support"
29171ebc4d1SMartin Willi	select CRYPTO_CHACHA20
29271ebc4d1SMartin Willi	select CRYPTO_POLY1305
29371ebc4d1SMartin Willi	select CRYPTO_AEAD
294c8a3315aSEric Biggers	select CRYPTO_MANAGER
29571ebc4d1SMartin Willi	help
29671ebc4d1SMartin Willi	  ChaCha20-Poly1305 AEAD support, RFC7539.
29771ebc4d1SMartin Willi
29871ebc4d1SMartin Willi	  Support for the AEAD wrapper using the ChaCha20 stream cipher combined
29971ebc4d1SMartin Willi	  with the Poly1305 authenticator. It is defined in RFC7539 for use in
30071ebc4d1SMartin Willi	  IETF protocols.
30171ebc4d1SMartin Willi
302f606a88eSOndrej Mosnacekconfig CRYPTO_AEGIS128
303f606a88eSOndrej Mosnacek	tristate "AEGIS-128 AEAD algorithm"
304f606a88eSOndrej Mosnacek	select CRYPTO_AEAD
305f606a88eSOndrej Mosnacek	select CRYPTO_AES  # for AES S-box tables
306f606a88eSOndrej Mosnacek	help
307f606a88eSOndrej Mosnacek	 Support for the AEGIS-128 dedicated AEAD algorithm.
308f606a88eSOndrej Mosnacek
309f606a88eSOndrej Mosnacekconfig CRYPTO_AEGIS128L
310f606a88eSOndrej Mosnacek	tristate "AEGIS-128L AEAD algorithm"
311f606a88eSOndrej Mosnacek	select CRYPTO_AEAD
312f606a88eSOndrej Mosnacek	select CRYPTO_AES  # for AES S-box tables
313f606a88eSOndrej Mosnacek	help
314f606a88eSOndrej Mosnacek	 Support for the AEGIS-128L dedicated AEAD algorithm.
315f606a88eSOndrej Mosnacek
316f606a88eSOndrej Mosnacekconfig CRYPTO_AEGIS256
317f606a88eSOndrej Mosnacek	tristate "AEGIS-256 AEAD algorithm"
318f606a88eSOndrej Mosnacek	select CRYPTO_AEAD
319f606a88eSOndrej Mosnacek	select CRYPTO_AES  # for AES S-box tables
320f606a88eSOndrej Mosnacek	help
321f606a88eSOndrej Mosnacek	 Support for the AEGIS-256 dedicated AEAD algorithm.
322f606a88eSOndrej Mosnacek
3231d373d4eSOndrej Mosnacekconfig CRYPTO_AEGIS128_AESNI_SSE2
3241d373d4eSOndrej Mosnacek	tristate "AEGIS-128 AEAD algorithm (x86_64 AESNI+SSE2 implementation)"
3251d373d4eSOndrej Mosnacek	depends on X86 && 64BIT
3261d373d4eSOndrej Mosnacek	select CRYPTO_AEAD
327de272ca7SEric Biggers	select CRYPTO_SIMD
3281d373d4eSOndrej Mosnacek	help
3294e5180ebSOndrej Mosnacek	 AESNI+SSE2 implementation of the AEGIS-128 dedicated AEAD algorithm.
3301d373d4eSOndrej Mosnacek
3311d373d4eSOndrej Mosnacekconfig CRYPTO_AEGIS128L_AESNI_SSE2
3321d373d4eSOndrej Mosnacek	tristate "AEGIS-128L AEAD algorithm (x86_64 AESNI+SSE2 implementation)"
3331d373d4eSOndrej Mosnacek	depends on X86 && 64BIT
3341d373d4eSOndrej Mosnacek	select CRYPTO_AEAD
335d628132aSEric Biggers	select CRYPTO_SIMD
3361d373d4eSOndrej Mosnacek	help
3374e5180ebSOndrej Mosnacek	 AESNI+SSE2 implementation of the AEGIS-128L dedicated AEAD algorithm.
3381d373d4eSOndrej Mosnacek
3391d373d4eSOndrej Mosnacekconfig CRYPTO_AEGIS256_AESNI_SSE2
3401d373d4eSOndrej Mosnacek	tristate "AEGIS-256 AEAD algorithm (x86_64 AESNI+SSE2 implementation)"
3411d373d4eSOndrej Mosnacek	depends on X86 && 64BIT
3421d373d4eSOndrej Mosnacek	select CRYPTO_AEAD
343b6708c2dSEric Biggers	select CRYPTO_SIMD
3441d373d4eSOndrej Mosnacek	help
3454e5180ebSOndrej Mosnacek	 AESNI+SSE2 implementation of the AEGIS-256 dedicated AEAD algorithm.
3461d373d4eSOndrej Mosnacek
347396be41fSOndrej Mosnacekconfig CRYPTO_MORUS640
348396be41fSOndrej Mosnacek	tristate "MORUS-640 AEAD algorithm"
349396be41fSOndrej Mosnacek	select CRYPTO_AEAD
350396be41fSOndrej Mosnacek	help
351396be41fSOndrej Mosnacek	  Support for the MORUS-640 dedicated AEAD algorithm.
352396be41fSOndrej Mosnacek
35356e8e57fSOndrej Mosnacekconfig CRYPTO_MORUS640_GLUE
3542808f173SOndrej Mosnacek	tristate
3552808f173SOndrej Mosnacek	depends on X86
35656e8e57fSOndrej Mosnacek	select CRYPTO_AEAD
35747730958SEric Biggers	select CRYPTO_SIMD
35856e8e57fSOndrej Mosnacek	help
35956e8e57fSOndrej Mosnacek	  Common glue for SIMD optimizations of the MORUS-640 dedicated AEAD
36056e8e57fSOndrej Mosnacek	  algorithm.
36156e8e57fSOndrej Mosnacek
3626ecc9d9fSOndrej Mosnacekconfig CRYPTO_MORUS640_SSE2
3636ecc9d9fSOndrej Mosnacek	tristate "MORUS-640 AEAD algorithm (x86_64 SSE2 implementation)"
3646ecc9d9fSOndrej Mosnacek	depends on X86 && 64BIT
3656ecc9d9fSOndrej Mosnacek	select CRYPTO_AEAD
3666ecc9d9fSOndrej Mosnacek	select CRYPTO_MORUS640_GLUE
3676ecc9d9fSOndrej Mosnacek	help
3686ecc9d9fSOndrej Mosnacek	  SSE2 implementation of the MORUS-640 dedicated AEAD algorithm.
3696ecc9d9fSOndrej Mosnacek
370396be41fSOndrej Mosnacekconfig CRYPTO_MORUS1280
371396be41fSOndrej Mosnacek	tristate "MORUS-1280 AEAD algorithm"
372396be41fSOndrej Mosnacek	select CRYPTO_AEAD
373396be41fSOndrej Mosnacek	help
374396be41fSOndrej Mosnacek	  Support for the MORUS-1280 dedicated AEAD algorithm.
375396be41fSOndrej Mosnacek
37656e8e57fSOndrej Mosnacekconfig CRYPTO_MORUS1280_GLUE
3772808f173SOndrej Mosnacek	tristate
3782808f173SOndrej Mosnacek	depends on X86
37956e8e57fSOndrej Mosnacek	select CRYPTO_AEAD
380e151a8d2SEric Biggers	select CRYPTO_SIMD
38156e8e57fSOndrej Mosnacek	help
38256e8e57fSOndrej Mosnacek	  Common glue for SIMD optimizations of the MORUS-1280 dedicated AEAD
38356e8e57fSOndrej Mosnacek	  algorithm.
38456e8e57fSOndrej Mosnacek
3856ecc9d9fSOndrej Mosnacekconfig CRYPTO_MORUS1280_SSE2
3866ecc9d9fSOndrej Mosnacek	tristate "MORUS-1280 AEAD algorithm (x86_64 SSE2 implementation)"
3876ecc9d9fSOndrej Mosnacek	depends on X86 && 64BIT
3886ecc9d9fSOndrej Mosnacek	select CRYPTO_AEAD
3896ecc9d9fSOndrej Mosnacek	select CRYPTO_MORUS1280_GLUE
3906ecc9d9fSOndrej Mosnacek	help
3916ecc9d9fSOndrej Mosnacek	  SSE2 optimizedimplementation of the MORUS-1280 dedicated AEAD
3926ecc9d9fSOndrej Mosnacek	  algorithm.
3936ecc9d9fSOndrej Mosnacek
3946ecc9d9fSOndrej Mosnacekconfig CRYPTO_MORUS1280_AVX2
3956ecc9d9fSOndrej Mosnacek	tristate "MORUS-1280 AEAD algorithm (x86_64 AVX2 implementation)"
3966ecc9d9fSOndrej Mosnacek	depends on X86 && 64BIT
3976ecc9d9fSOndrej Mosnacek	select CRYPTO_AEAD
3986ecc9d9fSOndrej Mosnacek	select CRYPTO_MORUS1280_GLUE
3996ecc9d9fSOndrej Mosnacek	help
4006ecc9d9fSOndrej Mosnacek	  AVX2 optimized implementation of the MORUS-1280 dedicated AEAD
4016ecc9d9fSOndrej Mosnacek	  algorithm.
4026ecc9d9fSOndrej Mosnacek
403584fffc8SSebastian Siewiorconfig CRYPTO_SEQIV
404584fffc8SSebastian Siewior	tristate "Sequence Number IV Generator"
405584fffc8SSebastian Siewior	select CRYPTO_AEAD
406584fffc8SSebastian Siewior	select CRYPTO_BLKCIPHER
407856e3f40SHerbert Xu	select CRYPTO_NULL
408401e4238SHerbert Xu	select CRYPTO_RNG_DEFAULT
409c8a3315aSEric Biggers	select CRYPTO_MANAGER
410584fffc8SSebastian Siewior	help
411584fffc8SSebastian Siewior	  This IV generator generates an IV based on a sequence number by
412584fffc8SSebastian Siewior	  xoring it with a salt.  This algorithm is mainly useful for CTR
413584fffc8SSebastian Siewior
414a10f554fSHerbert Xuconfig CRYPTO_ECHAINIV
415a10f554fSHerbert Xu	tristate "Encrypted Chain IV Generator"
416a10f554fSHerbert Xu	select CRYPTO_AEAD
417a10f554fSHerbert Xu	select CRYPTO_NULL
418401e4238SHerbert Xu	select CRYPTO_RNG_DEFAULT
419c8a3315aSEric Biggers	select CRYPTO_MANAGER
420a10f554fSHerbert Xu	help
421a10f554fSHerbert Xu	  This IV generator generates an IV based on the encryption of
422a10f554fSHerbert Xu	  a sequence number xored with a salt.  This is the default
423a10f554fSHerbert Xu	  algorithm for CBC.
424a10f554fSHerbert Xu
425584fffc8SSebastian Siewiorcomment "Block modes"
426584fffc8SSebastian Siewior
427584fffc8SSebastian Siewiorconfig CRYPTO_CBC
428584fffc8SSebastian Siewior	tristate "CBC support"
429584fffc8SSebastian Siewior	select CRYPTO_BLKCIPHER
430584fffc8SSebastian Siewior	select CRYPTO_MANAGER
431584fffc8SSebastian Siewior	help
432584fffc8SSebastian Siewior	  CBC: Cipher Block Chaining mode
433584fffc8SSebastian Siewior	  This block cipher algorithm is required for IPSec.
434584fffc8SSebastian Siewior
435a7d85e06SJames Bottomleyconfig CRYPTO_CFB
436a7d85e06SJames Bottomley	tristate "CFB support"
437a7d85e06SJames Bottomley	select CRYPTO_BLKCIPHER
438a7d85e06SJames Bottomley	select CRYPTO_MANAGER
439a7d85e06SJames Bottomley	help
440a7d85e06SJames Bottomley	  CFB: Cipher FeedBack mode
441a7d85e06SJames Bottomley	  This block cipher algorithm is required for TPM2 Cryptography.
442a7d85e06SJames Bottomley
443584fffc8SSebastian Siewiorconfig CRYPTO_CTR
444584fffc8SSebastian Siewior	tristate "CTR support"
445584fffc8SSebastian Siewior	select CRYPTO_BLKCIPHER
446584fffc8SSebastian Siewior	select CRYPTO_SEQIV
447584fffc8SSebastian Siewior	select CRYPTO_MANAGER
448584fffc8SSebastian Siewior	help
449584fffc8SSebastian Siewior	  CTR: Counter mode
450584fffc8SSebastian Siewior	  This block cipher algorithm is required for IPSec.
451584fffc8SSebastian Siewior
452584fffc8SSebastian Siewiorconfig CRYPTO_CTS
453584fffc8SSebastian Siewior	tristate "CTS support"
454584fffc8SSebastian Siewior	select CRYPTO_BLKCIPHER
455c8a3315aSEric Biggers	select CRYPTO_MANAGER
456584fffc8SSebastian Siewior	help
457584fffc8SSebastian Siewior	  CTS: Cipher Text Stealing
458584fffc8SSebastian Siewior	  This is the Cipher Text Stealing mode as described by
459ecd6d5c9SGilad Ben-Yossef	  Section 8 of rfc2040 and referenced by rfc3962
460ecd6d5c9SGilad Ben-Yossef	  (rfc3962 includes errata information in its Appendix A) or
461ecd6d5c9SGilad Ben-Yossef	  CBC-CS3 as defined by NIST in Sp800-38A addendum from Oct 2010.
462584fffc8SSebastian Siewior	  This mode is required for Kerberos gss mechanism support
463584fffc8SSebastian Siewior	  for AES encryption.
464584fffc8SSebastian Siewior
465ecd6d5c9SGilad Ben-Yossef	  See: https://csrc.nist.gov/publications/detail/sp/800-38a/addendum/final
466ecd6d5c9SGilad Ben-Yossef
467584fffc8SSebastian Siewiorconfig CRYPTO_ECB
468584fffc8SSebastian Siewior	tristate "ECB support"
469584fffc8SSebastian Siewior	select CRYPTO_BLKCIPHER
470584fffc8SSebastian Siewior	select CRYPTO_MANAGER
471584fffc8SSebastian Siewior	help
472584fffc8SSebastian Siewior	  ECB: Electronic CodeBook mode
473584fffc8SSebastian Siewior	  This is the simplest block cipher algorithm.  It simply encrypts
474584fffc8SSebastian Siewior	  the input block by block.
475584fffc8SSebastian Siewior
476584fffc8SSebastian Siewiorconfig CRYPTO_LRW
4772470a2b2SJussi Kivilinna	tristate "LRW support"
478584fffc8SSebastian Siewior	select CRYPTO_BLKCIPHER
479584fffc8SSebastian Siewior	select CRYPTO_MANAGER
480584fffc8SSebastian Siewior	select CRYPTO_GF128MUL
481584fffc8SSebastian Siewior	help
482584fffc8SSebastian Siewior	  LRW: Liskov Rivest Wagner, a tweakable, non malleable, non movable
483584fffc8SSebastian Siewior	  narrow block cipher mode for dm-crypt.  Use it with cipher
484584fffc8SSebastian Siewior	  specification string aes-lrw-benbi, the key must be 256, 320 or 384.
485584fffc8SSebastian Siewior	  The first 128, 192 or 256 bits in the key are used for AES and the
486584fffc8SSebastian Siewior	  rest is used to tie each cipher block to its logical position.
487584fffc8SSebastian Siewior
488e497c518SGilad Ben-Yossefconfig CRYPTO_OFB
489e497c518SGilad Ben-Yossef	tristate "OFB support"
490e497c518SGilad Ben-Yossef	select CRYPTO_BLKCIPHER
491e497c518SGilad Ben-Yossef	select CRYPTO_MANAGER
492e497c518SGilad Ben-Yossef	help
493e497c518SGilad Ben-Yossef	  OFB: the Output Feedback mode makes a block cipher into a synchronous
494e497c518SGilad Ben-Yossef	  stream cipher. It generates keystream blocks, which are then XORed
495e497c518SGilad Ben-Yossef	  with the plaintext blocks to get the ciphertext. Flipping a bit in the
496e497c518SGilad Ben-Yossef	  ciphertext produces a flipped bit in the plaintext at the same
497e497c518SGilad Ben-Yossef	  location. This property allows many error correcting codes to function
498e497c518SGilad Ben-Yossef	  normally even when applied before encryption.
499e497c518SGilad Ben-Yossef
500584fffc8SSebastian Siewiorconfig CRYPTO_PCBC
501584fffc8SSebastian Siewior	tristate "PCBC support"
502584fffc8SSebastian Siewior	select CRYPTO_BLKCIPHER
503584fffc8SSebastian Siewior	select CRYPTO_MANAGER
504584fffc8SSebastian Siewior	help
505584fffc8SSebastian Siewior	  PCBC: Propagating Cipher Block Chaining mode
506584fffc8SSebastian Siewior	  This block cipher algorithm is required for RxRPC.
507584fffc8SSebastian Siewior
508584fffc8SSebastian Siewiorconfig CRYPTO_XTS
5095bcf8e6dSJussi Kivilinna	tristate "XTS support"
510584fffc8SSebastian Siewior	select CRYPTO_BLKCIPHER
511584fffc8SSebastian Siewior	select CRYPTO_MANAGER
51212cb3a1cSMilan Broz	select CRYPTO_ECB
513584fffc8SSebastian Siewior	help
514584fffc8SSebastian Siewior	  XTS: IEEE1619/D16 narrow block cipher use with aes-xts-plain,
515584fffc8SSebastian Siewior	  key size 256, 384 or 512 bits. This implementation currently
516584fffc8SSebastian Siewior	  can't handle a sectorsize which is not a multiple of 16 bytes.
517584fffc8SSebastian Siewior
5181c49678eSStephan Muellerconfig CRYPTO_KEYWRAP
5191c49678eSStephan Mueller	tristate "Key wrapping support"
5201c49678eSStephan Mueller	select CRYPTO_BLKCIPHER
521c8a3315aSEric Biggers	select CRYPTO_MANAGER
5221c49678eSStephan Mueller	help
5231c49678eSStephan Mueller	  Support for key wrapping (NIST SP800-38F / RFC3394) without
5241c49678eSStephan Mueller	  padding.
5251c49678eSStephan Mueller
52626609a21SEric Biggersconfig CRYPTO_NHPOLY1305
52726609a21SEric Biggers	tristate
52826609a21SEric Biggers	select CRYPTO_HASH
52926609a21SEric Biggers	select CRYPTO_POLY1305
53026609a21SEric Biggers
531012c8238SEric Biggersconfig CRYPTO_NHPOLY1305_SSE2
532012c8238SEric Biggers	tristate "NHPoly1305 hash function (x86_64 SSE2 implementation)"
533012c8238SEric Biggers	depends on X86 && 64BIT
534012c8238SEric Biggers	select CRYPTO_NHPOLY1305
535012c8238SEric Biggers	help
536012c8238SEric Biggers	  SSE2 optimized implementation of the hash function used by the
537012c8238SEric Biggers	  Adiantum encryption mode.
538012c8238SEric Biggers
5390f961f9fSEric Biggersconfig CRYPTO_NHPOLY1305_AVX2
5400f961f9fSEric Biggers	tristate "NHPoly1305 hash function (x86_64 AVX2 implementation)"
5410f961f9fSEric Biggers	depends on X86 && 64BIT
5420f961f9fSEric Biggers	select CRYPTO_NHPOLY1305
5430f961f9fSEric Biggers	help
5440f961f9fSEric Biggers	  AVX2 optimized implementation of the hash function used by the
5450f961f9fSEric Biggers	  Adiantum encryption mode.
5460f961f9fSEric Biggers
547059c2a4dSEric Biggersconfig CRYPTO_ADIANTUM
548059c2a4dSEric Biggers	tristate "Adiantum support"
549059c2a4dSEric Biggers	select CRYPTO_CHACHA20
550059c2a4dSEric Biggers	select CRYPTO_POLY1305
551059c2a4dSEric Biggers	select CRYPTO_NHPOLY1305
552c8a3315aSEric Biggers	select CRYPTO_MANAGER
553059c2a4dSEric Biggers	help
554059c2a4dSEric Biggers	  Adiantum is a tweakable, length-preserving encryption mode
555059c2a4dSEric Biggers	  designed for fast and secure disk encryption, especially on
556059c2a4dSEric Biggers	  CPUs without dedicated crypto instructions.  It encrypts
557059c2a4dSEric Biggers	  each sector using the XChaCha12 stream cipher, two passes of
558059c2a4dSEric Biggers	  an ε-almost-∆-universal hash function, and an invocation of
559059c2a4dSEric Biggers	  the AES-256 block cipher on a single 16-byte block.  On CPUs
560059c2a4dSEric Biggers	  without AES instructions, Adiantum is much faster than
561059c2a4dSEric Biggers	  AES-XTS.
562059c2a4dSEric Biggers
563059c2a4dSEric Biggers	  Adiantum's security is provably reducible to that of its
564059c2a4dSEric Biggers	  underlying stream and block ciphers, subject to a security
565059c2a4dSEric Biggers	  bound.  Unlike XTS, Adiantum is a true wide-block encryption
566059c2a4dSEric Biggers	  mode, so it actually provides an even stronger notion of
567059c2a4dSEric Biggers	  security than XTS, subject to the security bound.
568059c2a4dSEric Biggers
569059c2a4dSEric Biggers	  If unsure, say N.
570059c2a4dSEric Biggers
571*be1eb7f7SArd Biesheuvelconfig CRYPTO_ESSIV
572*be1eb7f7SArd Biesheuvel	tristate "ESSIV support for block encryption"
573*be1eb7f7SArd Biesheuvel	select CRYPTO_AUTHENC
574*be1eb7f7SArd Biesheuvel	help
575*be1eb7f7SArd Biesheuvel	  Encrypted salt-sector initialization vector (ESSIV) is an IV
576*be1eb7f7SArd Biesheuvel	  generation method that is used in some cases by fscrypt and/or
577*be1eb7f7SArd Biesheuvel	  dm-crypt. It uses the hash of the block encryption key as the
578*be1eb7f7SArd Biesheuvel	  symmetric key for a block encryption pass applied to the input
579*be1eb7f7SArd Biesheuvel	  IV, making low entropy IV sources more suitable for block
580*be1eb7f7SArd Biesheuvel	  encryption.
581*be1eb7f7SArd Biesheuvel
582*be1eb7f7SArd Biesheuvel	  This driver implements a crypto API template that can be
583*be1eb7f7SArd Biesheuvel	  instantiated either as a skcipher or as a aead (depending on the
584*be1eb7f7SArd Biesheuvel	  type of the first template argument), and which defers encryption
585*be1eb7f7SArd Biesheuvel	  and decryption requests to the encapsulated cipher after applying
586*be1eb7f7SArd Biesheuvel	  ESSIV to the input IV. Note that in the aead case, it is assumed
587*be1eb7f7SArd Biesheuvel	  that the keys are presented in the same format used by the authenc
588*be1eb7f7SArd Biesheuvel	  template, and that the IV appears at the end of the authenticated
589*be1eb7f7SArd Biesheuvel	  associated data (AAD) region (which is how dm-crypt uses it.)
590*be1eb7f7SArd Biesheuvel
591*be1eb7f7SArd Biesheuvel	  Note that the use of ESSIV is not recommended for new deployments,
592*be1eb7f7SArd Biesheuvel	  and so this only needs to be enabled when interoperability with
593*be1eb7f7SArd Biesheuvel	  existing encrypted volumes of filesystems is required, or when
594*be1eb7f7SArd Biesheuvel	  building for a particular system that requires it (e.g., when
595*be1eb7f7SArd Biesheuvel	  the SoC in question has accelerated CBC but not XTS, making CBC
596*be1eb7f7SArd Biesheuvel	  combined with ESSIV the only feasible mode for h/w accelerated
597*be1eb7f7SArd Biesheuvel	  block encryption)
598*be1eb7f7SArd Biesheuvel
599584fffc8SSebastian Siewiorcomment "Hash modes"
600584fffc8SSebastian Siewior
60193b5e86aSJussi Kivilinnaconfig CRYPTO_CMAC
60293b5e86aSJussi Kivilinna	tristate "CMAC support"
60393b5e86aSJussi Kivilinna	select CRYPTO_HASH
60493b5e86aSJussi Kivilinna	select CRYPTO_MANAGER
60593b5e86aSJussi Kivilinna	help
60693b5e86aSJussi Kivilinna	  Cipher-based Message Authentication Code (CMAC) specified by
60793b5e86aSJussi Kivilinna	  The National Institute of Standards and Technology (NIST).
60893b5e86aSJussi Kivilinna
60993b5e86aSJussi Kivilinna	  https://tools.ietf.org/html/rfc4493
61093b5e86aSJussi Kivilinna	  http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf
61193b5e86aSJussi Kivilinna
6121da177e4SLinus Torvaldsconfig CRYPTO_HMAC
6138425165dSHerbert Xu	tristate "HMAC support"
6140796ae06SHerbert Xu	select CRYPTO_HASH
61543518407SHerbert Xu	select CRYPTO_MANAGER
6161da177e4SLinus Torvalds	help
6171da177e4SLinus Torvalds	  HMAC: Keyed-Hashing for Message Authentication (RFC2104).
6181da177e4SLinus Torvalds	  This is required for IPSec.
6191da177e4SLinus Torvalds
620333b0d7eSKazunori MIYAZAWAconfig CRYPTO_XCBC
621333b0d7eSKazunori MIYAZAWA	tristate "XCBC support"
622333b0d7eSKazunori MIYAZAWA	select CRYPTO_HASH
623333b0d7eSKazunori MIYAZAWA	select CRYPTO_MANAGER
624333b0d7eSKazunori MIYAZAWA	help
625333b0d7eSKazunori MIYAZAWA	  XCBC: Keyed-Hashing with encryption algorithm
626333b0d7eSKazunori MIYAZAWA		http://www.ietf.org/rfc/rfc3566.txt
627333b0d7eSKazunori MIYAZAWA		http://csrc.nist.gov/encryption/modes/proposedmodes/
628333b0d7eSKazunori MIYAZAWA		 xcbc-mac/xcbc-mac-spec.pdf
629333b0d7eSKazunori MIYAZAWA
630f1939f7cSShane Wangconfig CRYPTO_VMAC
631f1939f7cSShane Wang	tristate "VMAC support"
632f1939f7cSShane Wang	select CRYPTO_HASH
633f1939f7cSShane Wang	select CRYPTO_MANAGER
634f1939f7cSShane Wang	help
635f1939f7cSShane Wang	  VMAC is a message authentication algorithm designed for
636f1939f7cSShane Wang	  very high speed on 64-bit architectures.
637f1939f7cSShane Wang
638f1939f7cSShane Wang	  See also:
639f1939f7cSShane Wang	  <http://fastcrypto.org/vmac>
640f1939f7cSShane Wang
641584fffc8SSebastian Siewiorcomment "Digest"
642584fffc8SSebastian Siewior
643584fffc8SSebastian Siewiorconfig CRYPTO_CRC32C
644584fffc8SSebastian Siewior	tristate "CRC32c CRC algorithm"
6455773a3e6SHerbert Xu	select CRYPTO_HASH
6466a0962b2SDarrick J. Wong	select CRC32
6471da177e4SLinus Torvalds	help
648584fffc8SSebastian Siewior	  Castagnoli, et al Cyclic Redundancy-Check Algorithm.  Used
649584fffc8SSebastian Siewior	  by iSCSI for header and data digests and by others.
65069c35efcSHerbert Xu	  See Castagnoli93.  Module will be crc32c.
6511da177e4SLinus Torvalds
6528cb51ba8SAustin Zhangconfig CRYPTO_CRC32C_INTEL
6538cb51ba8SAustin Zhang	tristate "CRC32c INTEL hardware acceleration"
6548cb51ba8SAustin Zhang	depends on X86
6558cb51ba8SAustin Zhang	select CRYPTO_HASH
6568cb51ba8SAustin Zhang	help
6578cb51ba8SAustin Zhang	  In Intel processor with SSE4.2 supported, the processor will
6588cb51ba8SAustin Zhang	  support CRC32C implementation using hardware accelerated CRC32
6598cb51ba8SAustin Zhang	  instruction. This option will create 'crc32c-intel' module,
6608cb51ba8SAustin Zhang	  which will enable any routine to use the CRC32 instruction to
6618cb51ba8SAustin Zhang	  gain performance compared with software implementation.
6628cb51ba8SAustin Zhang	  Module will be crc32c-intel.
6638cb51ba8SAustin Zhang
6647cf31864SJean Delvareconfig CRYPTO_CRC32C_VPMSUM
6656dd7a82cSAnton Blanchard	tristate "CRC32c CRC algorithm (powerpc64)"
666c12abf34SMichael Ellerman	depends on PPC64 && ALTIVEC
6676dd7a82cSAnton Blanchard	select CRYPTO_HASH
6686dd7a82cSAnton Blanchard	select CRC32
6696dd7a82cSAnton Blanchard	help
6706dd7a82cSAnton Blanchard	  CRC32c algorithm implemented using vector polynomial multiply-sum
6716dd7a82cSAnton Blanchard	  (vpmsum) instructions, introduced in POWER8. Enable on POWER8
6726dd7a82cSAnton Blanchard	  and newer processors for improved performance.
6736dd7a82cSAnton Blanchard
6746dd7a82cSAnton Blanchard
675442a7c40SDavid S. Millerconfig CRYPTO_CRC32C_SPARC64
676442a7c40SDavid S. Miller	tristate "CRC32c CRC algorithm (SPARC64)"
677442a7c40SDavid S. Miller	depends on SPARC64
678442a7c40SDavid S. Miller	select CRYPTO_HASH
679442a7c40SDavid S. Miller	select CRC32
680442a7c40SDavid S. Miller	help
681442a7c40SDavid S. Miller	  CRC32c CRC algorithm implemented using sparc64 crypto instructions,
682442a7c40SDavid S. Miller	  when available.
683442a7c40SDavid S. Miller
68478c37d19SAlexander Boykoconfig CRYPTO_CRC32
68578c37d19SAlexander Boyko	tristate "CRC32 CRC algorithm"
68678c37d19SAlexander Boyko	select CRYPTO_HASH
68778c37d19SAlexander Boyko	select CRC32
68878c37d19SAlexander Boyko	help
68978c37d19SAlexander Boyko	  CRC-32-IEEE 802.3 cyclic redundancy-check algorithm.
69078c37d19SAlexander Boyko	  Shash crypto api wrappers to crc32_le function.
69178c37d19SAlexander Boyko
69278c37d19SAlexander Boykoconfig CRYPTO_CRC32_PCLMUL
69378c37d19SAlexander Boyko	tristate "CRC32 PCLMULQDQ hardware acceleration"
69478c37d19SAlexander Boyko	depends on X86
69578c37d19SAlexander Boyko	select CRYPTO_HASH
69678c37d19SAlexander Boyko	select CRC32
69778c37d19SAlexander Boyko	help
69878c37d19SAlexander Boyko	  From Intel Westmere and AMD Bulldozer processor with SSE4.2
69978c37d19SAlexander Boyko	  and PCLMULQDQ supported, the processor will support
70078c37d19SAlexander Boyko	  CRC32 PCLMULQDQ implementation using hardware accelerated PCLMULQDQ
701af8cb01fShaco	  instruction. This option will create 'crc32-pclmul' module,
70278c37d19SAlexander Boyko	  which will enable any routine to use the CRC-32-IEEE 802.3 checksum
70378c37d19SAlexander Boyko	  and gain better performance as compared with the table implementation.
70478c37d19SAlexander Boyko
7054a5dc51eSMarcin Nowakowskiconfig CRYPTO_CRC32_MIPS
7064a5dc51eSMarcin Nowakowski	tristate "CRC32c and CRC32 CRC algorithm (MIPS)"
7074a5dc51eSMarcin Nowakowski	depends on MIPS_CRC_SUPPORT
7084a5dc51eSMarcin Nowakowski	select CRYPTO_HASH
7094a5dc51eSMarcin Nowakowski	help
7104a5dc51eSMarcin Nowakowski	  CRC32c and CRC32 CRC algorithms implemented using mips crypto
7114a5dc51eSMarcin Nowakowski	  instructions, when available.
7124a5dc51eSMarcin Nowakowski
7134a5dc51eSMarcin Nowakowski
71467882e76SNikolay Borisovconfig CRYPTO_XXHASH
71567882e76SNikolay Borisov	tristate "xxHash hash algorithm"
71667882e76SNikolay Borisov	select CRYPTO_HASH
71767882e76SNikolay Borisov	select XXHASH
71867882e76SNikolay Borisov	help
71967882e76SNikolay Borisov	  xxHash non-cryptographic hash algorithm. Extremely fast, working at
72067882e76SNikolay Borisov	  speeds close to RAM limits.
72167882e76SNikolay Borisov
72268411521SHerbert Xuconfig CRYPTO_CRCT10DIF
72368411521SHerbert Xu	tristate "CRCT10DIF algorithm"
72468411521SHerbert Xu	select CRYPTO_HASH
72568411521SHerbert Xu	help
72668411521SHerbert Xu	  CRC T10 Data Integrity Field computation is being cast as
72768411521SHerbert Xu	  a crypto transform.  This allows for faster crc t10 diff
72868411521SHerbert Xu	  transforms to be used if they are available.
72968411521SHerbert Xu
73068411521SHerbert Xuconfig CRYPTO_CRCT10DIF_PCLMUL
73168411521SHerbert Xu	tristate "CRCT10DIF PCLMULQDQ hardware acceleration"
73268411521SHerbert Xu	depends on X86 && 64BIT && CRC_T10DIF
73368411521SHerbert Xu	select CRYPTO_HASH
73468411521SHerbert Xu	help
73568411521SHerbert Xu	  For x86_64 processors with SSE4.2 and PCLMULQDQ supported,
73668411521SHerbert Xu	  CRC T10 DIF PCLMULQDQ computation can be hardware
73768411521SHerbert Xu	  accelerated PCLMULQDQ instruction. This option will create
738af8cb01fShaco	  'crct10dif-pclmul' module, which is faster when computing the
73968411521SHerbert Xu	  crct10dif checksum as compared with the generic table implementation.
74068411521SHerbert Xu
741b01df1c1SDaniel Axtensconfig CRYPTO_CRCT10DIF_VPMSUM
742b01df1c1SDaniel Axtens	tristate "CRC32T10DIF powerpc64 hardware acceleration"
743b01df1c1SDaniel Axtens	depends on PPC64 && ALTIVEC && CRC_T10DIF
744b01df1c1SDaniel Axtens	select CRYPTO_HASH
745b01df1c1SDaniel Axtens	help
746b01df1c1SDaniel Axtens	  CRC10T10DIF algorithm implemented using vector polynomial
747b01df1c1SDaniel Axtens	  multiply-sum (vpmsum) instructions, introduced in POWER8. Enable on
748b01df1c1SDaniel Axtens	  POWER8 and newer processors for improved performance.
749b01df1c1SDaniel Axtens
750146c8688SDaniel Axtensconfig CRYPTO_VPMSUM_TESTER
751146c8688SDaniel Axtens	tristate "Powerpc64 vpmsum hardware acceleration tester"
752146c8688SDaniel Axtens	depends on CRYPTO_CRCT10DIF_VPMSUM && CRYPTO_CRC32C_VPMSUM
753146c8688SDaniel Axtens	help
754146c8688SDaniel Axtens	  Stress test for CRC32c and CRC-T10DIF algorithms implemented with
755146c8688SDaniel Axtens	  POWER8 vpmsum instructions.
756146c8688SDaniel Axtens	  Unless you are testing these algorithms, you don't need this.
757146c8688SDaniel Axtens
7582cdc6899SHuang Yingconfig CRYPTO_GHASH
7592cdc6899SHuang Ying	tristate "GHASH digest algorithm"
7602cdc6899SHuang Ying	select CRYPTO_GF128MUL
761578c60fbSArnd Bergmann	select CRYPTO_HASH
7622cdc6899SHuang Ying	help
7632cdc6899SHuang Ying	  GHASH is message digest algorithm for GCM (Galois/Counter Mode).
7642cdc6899SHuang Ying
765f979e014SMartin Williconfig CRYPTO_POLY1305
766f979e014SMartin Willi	tristate "Poly1305 authenticator algorithm"
767578c60fbSArnd Bergmann	select CRYPTO_HASH
768f979e014SMartin Willi	help
769f979e014SMartin Willi	  Poly1305 authenticator algorithm, RFC7539.
770f979e014SMartin Willi
771f979e014SMartin Willi	  Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
772f979e014SMartin Willi	  It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
773f979e014SMartin Willi	  in IETF protocols. This is the portable C implementation of Poly1305.
774f979e014SMartin Willi
775c70f4abeSMartin Williconfig CRYPTO_POLY1305_X86_64
776b1ccc8f4SMartin Willi	tristate "Poly1305 authenticator algorithm (x86_64/SSE2/AVX2)"
777c70f4abeSMartin Willi	depends on X86 && 64BIT
778c70f4abeSMartin Willi	select CRYPTO_POLY1305
779c70f4abeSMartin Willi	help
780c70f4abeSMartin Willi	  Poly1305 authenticator algorithm, RFC7539.
781c70f4abeSMartin Willi
782c70f4abeSMartin Willi	  Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
783c70f4abeSMartin Willi	  It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
784c70f4abeSMartin Willi	  in IETF protocols. This is the x86_64 assembler implementation using SIMD
785c70f4abeSMartin Willi	  instructions.
786c70f4abeSMartin Willi
7871da177e4SLinus Torvaldsconfig CRYPTO_MD4
7881da177e4SLinus Torvalds	tristate "MD4 digest algorithm"
789808a1763SAdrian-Ken Rueegsegger	select CRYPTO_HASH
7901da177e4SLinus Torvalds	help
7911da177e4SLinus Torvalds	  MD4 message digest algorithm (RFC1320).
7921da177e4SLinus Torvalds
7931da177e4SLinus Torvaldsconfig CRYPTO_MD5
7941da177e4SLinus Torvalds	tristate "MD5 digest algorithm"
79514b75ba7SAdrian-Ken Rueegsegger	select CRYPTO_HASH
7961da177e4SLinus Torvalds	help
7971da177e4SLinus Torvalds	  MD5 message digest algorithm (RFC1321).
7981da177e4SLinus Torvalds
799d69e75deSAaro Koskinenconfig CRYPTO_MD5_OCTEON
800d69e75deSAaro Koskinen	tristate "MD5 digest algorithm (OCTEON)"
801d69e75deSAaro Koskinen	depends on CPU_CAVIUM_OCTEON
802d69e75deSAaro Koskinen	select CRYPTO_MD5
803d69e75deSAaro Koskinen	select CRYPTO_HASH
804d69e75deSAaro Koskinen	help
805d69e75deSAaro Koskinen	  MD5 message digest algorithm (RFC1321) implemented
806d69e75deSAaro Koskinen	  using OCTEON crypto instructions, when available.
807d69e75deSAaro Koskinen
808e8e59953SMarkus Stockhausenconfig CRYPTO_MD5_PPC
809e8e59953SMarkus Stockhausen	tristate "MD5 digest algorithm (PPC)"
810e8e59953SMarkus Stockhausen	depends on PPC
811e8e59953SMarkus Stockhausen	select CRYPTO_HASH
812e8e59953SMarkus Stockhausen	help
813e8e59953SMarkus Stockhausen	  MD5 message digest algorithm (RFC1321) implemented
814e8e59953SMarkus Stockhausen	  in PPC assembler.
815e8e59953SMarkus Stockhausen
816fa4dfedcSDavid S. Millerconfig CRYPTO_MD5_SPARC64
817fa4dfedcSDavid S. Miller	tristate "MD5 digest algorithm (SPARC64)"
818fa4dfedcSDavid S. Miller	depends on SPARC64
819fa4dfedcSDavid S. Miller	select CRYPTO_MD5
820fa4dfedcSDavid S. Miller	select CRYPTO_HASH
821fa4dfedcSDavid S. Miller	help
822fa4dfedcSDavid S. Miller	  MD5 message digest algorithm (RFC1321) implemented
823fa4dfedcSDavid S. Miller	  using sparc64 crypto instructions, when available.
824fa4dfedcSDavid S. Miller
825584fffc8SSebastian Siewiorconfig CRYPTO_MICHAEL_MIC
826584fffc8SSebastian Siewior	tristate "Michael MIC keyed digest algorithm"
82719e2bf14SAdrian-Ken Rueegsegger	select CRYPTO_HASH
828584fffc8SSebastian Siewior	help
829584fffc8SSebastian Siewior	  Michael MIC is used for message integrity protection in TKIP
830584fffc8SSebastian Siewior	  (IEEE 802.11i). This algorithm is required for TKIP, but it
831584fffc8SSebastian Siewior	  should not be used for other purposes because of the weakness
832584fffc8SSebastian Siewior	  of the algorithm.
833584fffc8SSebastian Siewior
83482798f90SAdrian-Ken Rueegseggerconfig CRYPTO_RMD128
83582798f90SAdrian-Ken Rueegsegger	tristate "RIPEMD-128 digest algorithm"
8367c4468bcSHerbert Xu	select CRYPTO_HASH
83782798f90SAdrian-Ken Rueegsegger	help
83882798f90SAdrian-Ken Rueegsegger	  RIPEMD-128 (ISO/IEC 10118-3:2004).
83982798f90SAdrian-Ken Rueegsegger
84082798f90SAdrian-Ken Rueegsegger	  RIPEMD-128 is a 128-bit cryptographic hash function. It should only
84135ed4b35SMichael Witten	  be used as a secure replacement for RIPEMD. For other use cases,
84282798f90SAdrian-Ken Rueegsegger	  RIPEMD-160 should be used.
84382798f90SAdrian-Ken Rueegsegger
84482798f90SAdrian-Ken Rueegsegger	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
8456d8de74cSJustin P. Mattock	  See <http://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
84682798f90SAdrian-Ken Rueegsegger
84782798f90SAdrian-Ken Rueegseggerconfig CRYPTO_RMD160
84882798f90SAdrian-Ken Rueegsegger	tristate "RIPEMD-160 digest algorithm"
849e5835fbaSHerbert Xu	select CRYPTO_HASH
85082798f90SAdrian-Ken Rueegsegger	help
85182798f90SAdrian-Ken Rueegsegger	  RIPEMD-160 (ISO/IEC 10118-3:2004).
85282798f90SAdrian-Ken Rueegsegger
85382798f90SAdrian-Ken Rueegsegger	  RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
85482798f90SAdrian-Ken Rueegsegger	  to be used as a secure replacement for the 128-bit hash functions
855b6d44341SAdrian Bunk	  MD4, MD5 and it's predecessor RIPEMD
856b6d44341SAdrian Bunk	  (not to be confused with RIPEMD-128).
85782798f90SAdrian-Ken Rueegsegger
858b6d44341SAdrian Bunk	  It's speed is comparable to SHA1 and there are no known attacks
859b6d44341SAdrian Bunk	  against RIPEMD-160.
860534fe2c1SAdrian-Ken Rueegsegger
861534fe2c1SAdrian-Ken Rueegsegger	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
8626d8de74cSJustin P. Mattock	  See <http://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
863534fe2c1SAdrian-Ken Rueegsegger
864534fe2c1SAdrian-Ken Rueegseggerconfig CRYPTO_RMD256
865534fe2c1SAdrian-Ken Rueegsegger	tristate "RIPEMD-256 digest algorithm"
866d8a5e2e9SHerbert Xu	select CRYPTO_HASH
867534fe2c1SAdrian-Ken Rueegsegger	help
868b6d44341SAdrian Bunk	  RIPEMD-256 is an optional extension of RIPEMD-128 with a
869b6d44341SAdrian Bunk	  256 bit hash. It is intended for applications that require
870b6d44341SAdrian Bunk	  longer hash-results, without needing a larger security level
871b6d44341SAdrian Bunk	  (than RIPEMD-128).
872534fe2c1SAdrian-Ken Rueegsegger
873534fe2c1SAdrian-Ken Rueegsegger	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
8746d8de74cSJustin P. Mattock	  See <http://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
875534fe2c1SAdrian-Ken Rueegsegger
876534fe2c1SAdrian-Ken Rueegseggerconfig CRYPTO_RMD320
877534fe2c1SAdrian-Ken Rueegsegger	tristate "RIPEMD-320 digest algorithm"
8783b8efb4cSHerbert Xu	select CRYPTO_HASH
879534fe2c1SAdrian-Ken Rueegsegger	help
880b6d44341SAdrian Bunk	  RIPEMD-320 is an optional extension of RIPEMD-160 with a
881b6d44341SAdrian Bunk	  320 bit hash. It is intended for applications that require
882b6d44341SAdrian Bunk	  longer hash-results, without needing a larger security level
883b6d44341SAdrian Bunk	  (than RIPEMD-160).
884534fe2c1SAdrian-Ken Rueegsegger
88582798f90SAdrian-Ken Rueegsegger	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
8866d8de74cSJustin P. Mattock	  See <http://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
88782798f90SAdrian-Ken Rueegsegger
8881da177e4SLinus Torvaldsconfig CRYPTO_SHA1
8891da177e4SLinus Torvalds	tristate "SHA1 digest algorithm"
89054ccb367SAdrian-Ken Rueegsegger	select CRYPTO_HASH
8911da177e4SLinus Torvalds	help
8921da177e4SLinus Torvalds	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2).
8931da177e4SLinus Torvalds
89466be8951SMathias Krauseconfig CRYPTO_SHA1_SSSE3
895e38b6b7fStim	tristate "SHA1 digest algorithm (SSSE3/AVX/AVX2/SHA-NI)"
89666be8951SMathias Krause	depends on X86 && 64BIT
89766be8951SMathias Krause	select CRYPTO_SHA1
89866be8951SMathias Krause	select CRYPTO_HASH
89966be8951SMathias Krause	help
90066be8951SMathias Krause	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
90166be8951SMathias Krause	  using Supplemental SSE3 (SSSE3) instructions or Advanced Vector
902e38b6b7fStim	  Extensions (AVX/AVX2) or SHA-NI(SHA Extensions New Instructions),
903e38b6b7fStim	  when available.
90466be8951SMathias Krause
9058275d1aaSTim Chenconfig CRYPTO_SHA256_SSSE3
906e38b6b7fStim	tristate "SHA256 digest algorithm (SSSE3/AVX/AVX2/SHA-NI)"
9078275d1aaSTim Chen	depends on X86 && 64BIT
9088275d1aaSTim Chen	select CRYPTO_SHA256
9098275d1aaSTim Chen	select CRYPTO_HASH
9108275d1aaSTim Chen	help
9118275d1aaSTim Chen	  SHA-256 secure hash standard (DFIPS 180-2) implemented
9128275d1aaSTim Chen	  using Supplemental SSE3 (SSSE3) instructions, or Advanced Vector
9138275d1aaSTim Chen	  Extensions version 1 (AVX1), or Advanced Vector Extensions
914e38b6b7fStim	  version 2 (AVX2) instructions, or SHA-NI (SHA Extensions New
915e38b6b7fStim	  Instructions) when available.
9168275d1aaSTim Chen
91787de4579STim Chenconfig CRYPTO_SHA512_SSSE3
91887de4579STim Chen	tristate "SHA512 digest algorithm (SSSE3/AVX/AVX2)"
91987de4579STim Chen	depends on X86 && 64BIT
92087de4579STim Chen	select CRYPTO_SHA512
92187de4579STim Chen	select CRYPTO_HASH
92287de4579STim Chen	help
92387de4579STim Chen	  SHA-512 secure hash standard (DFIPS 180-2) implemented
92487de4579STim Chen	  using Supplemental SSE3 (SSSE3) instructions, or Advanced Vector
92587de4579STim Chen	  Extensions version 1 (AVX1), or Advanced Vector Extensions
92687de4579STim Chen	  version 2 (AVX2) instructions, when available.
92787de4579STim Chen
928efdb6f6eSAaro Koskinenconfig CRYPTO_SHA1_OCTEON
929efdb6f6eSAaro Koskinen	tristate "SHA1 digest algorithm (OCTEON)"
930efdb6f6eSAaro Koskinen	depends on CPU_CAVIUM_OCTEON
931efdb6f6eSAaro Koskinen	select CRYPTO_SHA1
932efdb6f6eSAaro Koskinen	select CRYPTO_HASH
933efdb6f6eSAaro Koskinen	help
934efdb6f6eSAaro Koskinen	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
935efdb6f6eSAaro Koskinen	  using OCTEON crypto instructions, when available.
936efdb6f6eSAaro Koskinen
9374ff28d4cSDavid S. Millerconfig CRYPTO_SHA1_SPARC64
9384ff28d4cSDavid S. Miller	tristate "SHA1 digest algorithm (SPARC64)"
9394ff28d4cSDavid S. Miller	depends on SPARC64
9404ff28d4cSDavid S. Miller	select CRYPTO_SHA1
9414ff28d4cSDavid S. Miller	select CRYPTO_HASH
9424ff28d4cSDavid S. Miller	help
9434ff28d4cSDavid S. Miller	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
9444ff28d4cSDavid S. Miller	  using sparc64 crypto instructions, when available.
9454ff28d4cSDavid S. Miller
946323a6bf1SMichael Ellermanconfig CRYPTO_SHA1_PPC
947323a6bf1SMichael Ellerman	tristate "SHA1 digest algorithm (powerpc)"
948323a6bf1SMichael Ellerman	depends on PPC
949323a6bf1SMichael Ellerman	help
950323a6bf1SMichael Ellerman	  This is the powerpc hardware accelerated implementation of the
951323a6bf1SMichael Ellerman	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2).
952323a6bf1SMichael Ellerman
953d9850fc5SMarkus Stockhausenconfig CRYPTO_SHA1_PPC_SPE
954d9850fc5SMarkus Stockhausen	tristate "SHA1 digest algorithm (PPC SPE)"
955d9850fc5SMarkus Stockhausen	depends on PPC && SPE
956d9850fc5SMarkus Stockhausen	help
957d9850fc5SMarkus Stockhausen	  SHA-1 secure hash standard (DFIPS 180-4) implemented
958d9850fc5SMarkus Stockhausen	  using powerpc SPE SIMD instruction set.
959d9850fc5SMarkus Stockhausen
9601da177e4SLinus Torvaldsconfig CRYPTO_SHA256
961cd12fb90SJonathan Lynch	tristate "SHA224 and SHA256 digest algorithm"
96250e109b5SAdrian-Ken Rueegsegger	select CRYPTO_HASH
9631da177e4SLinus Torvalds	help
9641da177e4SLinus Torvalds	  SHA256 secure hash standard (DFIPS 180-2).
9651da177e4SLinus Torvalds
9661da177e4SLinus Torvalds	  This version of SHA implements a 256 bit hash with 128 bits of
9671da177e4SLinus Torvalds	  security against collision attacks.
9681da177e4SLinus Torvalds
969cd12fb90SJonathan Lynch	  This code also includes SHA-224, a 224 bit hash with 112 bits
970cd12fb90SJonathan Lynch	  of security against collision attacks.
971cd12fb90SJonathan Lynch
9722ecc1e95SMarkus Stockhausenconfig CRYPTO_SHA256_PPC_SPE
9732ecc1e95SMarkus Stockhausen	tristate "SHA224 and SHA256 digest algorithm (PPC SPE)"
9742ecc1e95SMarkus Stockhausen	depends on PPC && SPE
9752ecc1e95SMarkus Stockhausen	select CRYPTO_SHA256
9762ecc1e95SMarkus Stockhausen	select CRYPTO_HASH
9772ecc1e95SMarkus Stockhausen	help
9782ecc1e95SMarkus Stockhausen	  SHA224 and SHA256 secure hash standard (DFIPS 180-2)
9792ecc1e95SMarkus Stockhausen	  implemented using powerpc SPE SIMD instruction set.
9802ecc1e95SMarkus Stockhausen
981efdb6f6eSAaro Koskinenconfig CRYPTO_SHA256_OCTEON
982efdb6f6eSAaro Koskinen	tristate "SHA224 and SHA256 digest algorithm (OCTEON)"
983efdb6f6eSAaro Koskinen	depends on CPU_CAVIUM_OCTEON
984efdb6f6eSAaro Koskinen	select CRYPTO_SHA256
985efdb6f6eSAaro Koskinen	select CRYPTO_HASH
986efdb6f6eSAaro Koskinen	help
987efdb6f6eSAaro Koskinen	  SHA-256 secure hash standard (DFIPS 180-2) implemented
988efdb6f6eSAaro Koskinen	  using OCTEON crypto instructions, when available.
989efdb6f6eSAaro Koskinen
99086c93b24SDavid S. Millerconfig CRYPTO_SHA256_SPARC64
99186c93b24SDavid S. Miller	tristate "SHA224 and SHA256 digest algorithm (SPARC64)"
99286c93b24SDavid S. Miller	depends on SPARC64
99386c93b24SDavid S. Miller	select CRYPTO_SHA256
99486c93b24SDavid S. Miller	select CRYPTO_HASH
99586c93b24SDavid S. Miller	help
99686c93b24SDavid S. Miller	  SHA-256 secure hash standard (DFIPS 180-2) implemented
99786c93b24SDavid S. Miller	  using sparc64 crypto instructions, when available.
99886c93b24SDavid S. Miller
9991da177e4SLinus Torvaldsconfig CRYPTO_SHA512
10001da177e4SLinus Torvalds	tristate "SHA384 and SHA512 digest algorithms"
1001bd9d20dbSAdrian-Ken Rueegsegger	select CRYPTO_HASH
10021da177e4SLinus Torvalds	help
10031da177e4SLinus Torvalds	  SHA512 secure hash standard (DFIPS 180-2).
10041da177e4SLinus Torvalds
10051da177e4SLinus Torvalds	  This version of SHA implements a 512 bit hash with 256 bits of
10061da177e4SLinus Torvalds	  security against collision attacks.
10071da177e4SLinus Torvalds
10081da177e4SLinus Torvalds	  This code also includes SHA-384, a 384 bit hash with 192 bits
10091da177e4SLinus Torvalds	  of security against collision attacks.
10101da177e4SLinus Torvalds
1011efdb6f6eSAaro Koskinenconfig CRYPTO_SHA512_OCTEON
1012efdb6f6eSAaro Koskinen	tristate "SHA384 and SHA512 digest algorithms (OCTEON)"
1013efdb6f6eSAaro Koskinen	depends on CPU_CAVIUM_OCTEON
1014efdb6f6eSAaro Koskinen	select CRYPTO_SHA512
1015efdb6f6eSAaro Koskinen	select CRYPTO_HASH
1016efdb6f6eSAaro Koskinen	help
1017efdb6f6eSAaro Koskinen	  SHA-512 secure hash standard (DFIPS 180-2) implemented
1018efdb6f6eSAaro Koskinen	  using OCTEON crypto instructions, when available.
1019efdb6f6eSAaro Koskinen
1020775e0c69SDavid S. Millerconfig CRYPTO_SHA512_SPARC64
1021775e0c69SDavid S. Miller	tristate "SHA384 and SHA512 digest algorithm (SPARC64)"
1022775e0c69SDavid S. Miller	depends on SPARC64
1023775e0c69SDavid S. Miller	select CRYPTO_SHA512
1024775e0c69SDavid S. Miller	select CRYPTO_HASH
1025775e0c69SDavid S. Miller	help
1026775e0c69SDavid S. Miller	  SHA-512 secure hash standard (DFIPS 180-2) implemented
1027775e0c69SDavid S. Miller	  using sparc64 crypto instructions, when available.
1028775e0c69SDavid S. Miller
102953964b9eSJeff Garzikconfig CRYPTO_SHA3
103053964b9eSJeff Garzik	tristate "SHA3 digest algorithm"
103153964b9eSJeff Garzik	select CRYPTO_HASH
103253964b9eSJeff Garzik	help
103353964b9eSJeff Garzik	  SHA-3 secure hash standard (DFIPS 202). It's based on
103453964b9eSJeff Garzik	  cryptographic sponge function family called Keccak.
103553964b9eSJeff Garzik
103653964b9eSJeff Garzik	  References:
103753964b9eSJeff Garzik	  http://keccak.noekeon.org/
103853964b9eSJeff Garzik
10394f0fc160SGilad Ben-Yossefconfig CRYPTO_SM3
10404f0fc160SGilad Ben-Yossef	tristate "SM3 digest algorithm"
10414f0fc160SGilad Ben-Yossef	select CRYPTO_HASH
10424f0fc160SGilad Ben-Yossef	help
10434f0fc160SGilad Ben-Yossef	  SM3 secure hash function as defined by OSCCA GM/T 0004-2012 SM3).
10444f0fc160SGilad Ben-Yossef	  It is part of the Chinese Commercial Cryptography suite.
10454f0fc160SGilad Ben-Yossef
10464f0fc160SGilad Ben-Yossef	  References:
10474f0fc160SGilad Ben-Yossef	  http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
10484f0fc160SGilad Ben-Yossef	  https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
10494f0fc160SGilad Ben-Yossef
1050fe18957eSVitaly Chikunovconfig CRYPTO_STREEBOG
1051fe18957eSVitaly Chikunov	tristate "Streebog Hash Function"
1052fe18957eSVitaly Chikunov	select CRYPTO_HASH
1053fe18957eSVitaly Chikunov	help
1054fe18957eSVitaly Chikunov	  Streebog Hash Function (GOST R 34.11-2012, RFC 6986) is one of the Russian
1055fe18957eSVitaly Chikunov	  cryptographic standard algorithms (called GOST algorithms).
1056fe18957eSVitaly Chikunov	  This setting enables two hash algorithms with 256 and 512 bits output.
1057fe18957eSVitaly Chikunov
1058fe18957eSVitaly Chikunov	  References:
1059fe18957eSVitaly Chikunov	  https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1060fe18957eSVitaly Chikunov	  https://tools.ietf.org/html/rfc6986
1061fe18957eSVitaly Chikunov
10621da177e4SLinus Torvaldsconfig CRYPTO_TGR192
10631da177e4SLinus Torvalds	tristate "Tiger digest algorithms"
1064f63fbd3dSAdrian-Ken Rueegsegger	select CRYPTO_HASH
10651da177e4SLinus Torvalds	help
10661da177e4SLinus Torvalds	  Tiger hash algorithm 192, 160 and 128-bit hashes
10671da177e4SLinus Torvalds
10681da177e4SLinus Torvalds	  Tiger is a hash function optimized for 64-bit processors while
10691da177e4SLinus Torvalds	  still having decent performance on 32-bit processors.
10701da177e4SLinus Torvalds	  Tiger was developed by Ross Anderson and Eli Biham.
10711da177e4SLinus Torvalds
10721da177e4SLinus Torvalds	  See also:
10731da177e4SLinus Torvalds	  <http://www.cs.technion.ac.il/~biham/Reports/Tiger/>.
10741da177e4SLinus Torvalds
1075584fffc8SSebastian Siewiorconfig CRYPTO_WP512
1076584fffc8SSebastian Siewior	tristate "Whirlpool digest algorithms"
10774946510bSAdrian-Ken Rueegsegger	select CRYPTO_HASH
10781da177e4SLinus Torvalds	help
1079584fffc8SSebastian Siewior	  Whirlpool hash algorithm 512, 384 and 256-bit hashes
10801da177e4SLinus Torvalds
1081584fffc8SSebastian Siewior	  Whirlpool-512 is part of the NESSIE cryptographic primitives.
1082584fffc8SSebastian Siewior	  Whirlpool will be part of the ISO/IEC 10118-3:2003(E) standard
10831da177e4SLinus Torvalds
10841da177e4SLinus Torvalds	  See also:
10856d8de74cSJustin P. Mattock	  <http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html>
10861da177e4SLinus Torvalds
10870e1227d3SHuang Yingconfig CRYPTO_GHASH_CLMUL_NI_INTEL
10880e1227d3SHuang Ying	tristate "GHASH digest algorithm (CLMUL-NI accelerated)"
10898af00860SRichard Weinberger	depends on X86 && 64BIT
10900e1227d3SHuang Ying	select CRYPTO_CRYPTD
10910e1227d3SHuang Ying	help
10920e1227d3SHuang Ying	  GHASH is message digest algorithm for GCM (Galois/Counter Mode).
10930e1227d3SHuang Ying	  The implementation is accelerated by CLMUL-NI of Intel.
10940e1227d3SHuang Ying
1095584fffc8SSebastian Siewiorcomment "Ciphers"
10961da177e4SLinus Torvalds
10971da177e4SLinus Torvaldsconfig CRYPTO_AES
10981da177e4SLinus Torvalds	tristate "AES cipher algorithms"
1099cce9e06dSHerbert Xu	select CRYPTO_ALGAPI
11001da177e4SLinus Torvalds	help
11011da177e4SLinus Torvalds	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
11021da177e4SLinus Torvalds	  algorithm.
11031da177e4SLinus Torvalds
11041da177e4SLinus Torvalds	  Rijndael appears to be consistently a very good performer in
11051da177e4SLinus Torvalds	  both hardware and software across a wide range of computing
11061da177e4SLinus Torvalds	  environments regardless of its use in feedback or non-feedback
11071da177e4SLinus Torvalds	  modes. Its key setup time is excellent, and its key agility is
11081da177e4SLinus Torvalds	  good. Rijndael's very low memory requirements make it very well
11091da177e4SLinus Torvalds	  suited for restricted-space environments, in which it also
11101da177e4SLinus Torvalds	  demonstrates excellent performance. Rijndael's operations are
11111da177e4SLinus Torvalds	  among the easiest to defend against power and timing attacks.
11121da177e4SLinus Torvalds
11131da177e4SLinus Torvalds	  The AES specifies three key sizes: 128, 192 and 256 bits
11141da177e4SLinus Torvalds
11151da177e4SLinus Torvalds	  See <http://csrc.nist.gov/CryptoToolkit/aes/> for more information.
11161da177e4SLinus Torvalds
1117b5e0b032SArd Biesheuvelconfig CRYPTO_AES_TI
1118b5e0b032SArd Biesheuvel	tristate "Fixed time AES cipher"
1119b5e0b032SArd Biesheuvel	select CRYPTO_ALGAPI
1120b5e0b032SArd Biesheuvel	help
1121b5e0b032SArd Biesheuvel	  This is a generic implementation of AES that attempts to eliminate
1122b5e0b032SArd Biesheuvel	  data dependent latencies as much as possible without affecting
1123b5e0b032SArd Biesheuvel	  performance too much. It is intended for use by the generic CCM
1124b5e0b032SArd Biesheuvel	  and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
1125b5e0b032SArd Biesheuvel	  solely on encryption (although decryption is supported as well, but
1126b5e0b032SArd Biesheuvel	  with a more dramatic performance hit)
1127b5e0b032SArd Biesheuvel
1128b5e0b032SArd Biesheuvel	  Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
1129b5e0b032SArd Biesheuvel	  8 for decryption), this implementation only uses just two S-boxes of
1130b5e0b032SArd Biesheuvel	  256 bytes each, and attempts to eliminate data dependent latencies by
1131b5e0b032SArd Biesheuvel	  prefetching the entire table into the cache at the start of each
11320a6a40c2SEric Biggers	  block. Interrupts are also disabled to avoid races where cachelines
11330a6a40c2SEric Biggers	  are evicted when the CPU is interrupted to do something else.
1134b5e0b032SArd Biesheuvel
11351da177e4SLinus Torvaldsconfig CRYPTO_AES_586
11361da177e4SLinus Torvalds	tristate "AES cipher algorithms (i586)"
1137cce9e06dSHerbert Xu	depends on (X86 || UML_X86) && !64BIT
1138cce9e06dSHerbert Xu	select CRYPTO_ALGAPI
11395157dea8SSebastian Siewior	select CRYPTO_AES
11401da177e4SLinus Torvalds	help
11411da177e4SLinus Torvalds	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
11421da177e4SLinus Torvalds	  algorithm.
11431da177e4SLinus Torvalds
11441da177e4SLinus Torvalds	  Rijndael appears to be consistently a very good performer in
11451da177e4SLinus Torvalds	  both hardware and software across a wide range of computing
11461da177e4SLinus Torvalds	  environments regardless of its use in feedback or non-feedback
11471da177e4SLinus Torvalds	  modes. Its key setup time is excellent, and its key agility is
11481da177e4SLinus Torvalds	  good. Rijndael's very low memory requirements make it very well
11491da177e4SLinus Torvalds	  suited for restricted-space environments, in which it also
11501da177e4SLinus Torvalds	  demonstrates excellent performance. Rijndael's operations are
11511da177e4SLinus Torvalds	  among the easiest to defend against power and timing attacks.
11521da177e4SLinus Torvalds
11531da177e4SLinus Torvalds	  The AES specifies three key sizes: 128, 192 and 256 bits
11541da177e4SLinus Torvalds
11551da177e4SLinus Torvalds	  See <http://csrc.nist.gov/encryption/aes/> for more information.
11561da177e4SLinus Torvalds
1157a2a892a2SAndreas Steinmetzconfig CRYPTO_AES_X86_64
1158a2a892a2SAndreas Steinmetz	tristate "AES cipher algorithms (x86_64)"
1159cce9e06dSHerbert Xu	depends on (X86 || UML_X86) && 64BIT
1160cce9e06dSHerbert Xu	select CRYPTO_ALGAPI
116181190b32SSebastian Siewior	select CRYPTO_AES
1162a2a892a2SAndreas Steinmetz	help
1163a2a892a2SAndreas Steinmetz	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
1164a2a892a2SAndreas Steinmetz	  algorithm.
1165a2a892a2SAndreas Steinmetz
1166a2a892a2SAndreas Steinmetz	  Rijndael appears to be consistently a very good performer in
1167a2a892a2SAndreas Steinmetz	  both hardware and software across a wide range of computing
1168a2a892a2SAndreas Steinmetz	  environments regardless of its use in feedback or non-feedback
1169a2a892a2SAndreas Steinmetz	  modes. Its key setup time is excellent, and its key agility is
1170a2a892a2SAndreas Steinmetz	  good. Rijndael's very low memory requirements make it very well
1171a2a892a2SAndreas Steinmetz	  suited for restricted-space environments, in which it also
1172a2a892a2SAndreas Steinmetz	  demonstrates excellent performance. Rijndael's operations are
1173a2a892a2SAndreas Steinmetz	  among the easiest to defend against power and timing attacks.
1174a2a892a2SAndreas Steinmetz
1175a2a892a2SAndreas Steinmetz	  The AES specifies three key sizes: 128, 192 and 256 bits
1176a2a892a2SAndreas Steinmetz
1177a2a892a2SAndreas Steinmetz	  See <http://csrc.nist.gov/encryption/aes/> for more information.
1178a2a892a2SAndreas Steinmetz
117954b6a1bdSHuang Yingconfig CRYPTO_AES_NI_INTEL
118054b6a1bdSHuang Ying	tristate "AES cipher algorithms (AES-NI)"
11818af00860SRichard Weinberger	depends on X86
118285671860SHerbert Xu	select CRYPTO_AEAD
11830d258efbSMathias Krause	select CRYPTO_AES_X86_64 if 64BIT
11840d258efbSMathias Krause	select CRYPTO_AES_586 if !64BIT
118554b6a1bdSHuang Ying	select CRYPTO_ALGAPI
118685671860SHerbert Xu	select CRYPTO_BLKCIPHER
11877643a11aSJussi Kivilinna	select CRYPTO_GLUE_HELPER_X86 if 64BIT
118885671860SHerbert Xu	select CRYPTO_SIMD
118954b6a1bdSHuang Ying	help
119054b6a1bdSHuang Ying	  Use Intel AES-NI instructions for AES algorithm.
119154b6a1bdSHuang Ying
119254b6a1bdSHuang Ying	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
119354b6a1bdSHuang Ying	  algorithm.
119454b6a1bdSHuang Ying
119554b6a1bdSHuang Ying	  Rijndael appears to be consistently a very good performer in
119654b6a1bdSHuang Ying	  both hardware and software across a wide range of computing
119754b6a1bdSHuang Ying	  environments regardless of its use in feedback or non-feedback
119854b6a1bdSHuang Ying	  modes. Its key setup time is excellent, and its key agility is
119954b6a1bdSHuang Ying	  good. Rijndael's very low memory requirements make it very well
120054b6a1bdSHuang Ying	  suited for restricted-space environments, in which it also
120154b6a1bdSHuang Ying	  demonstrates excellent performance. Rijndael's operations are
120254b6a1bdSHuang Ying	  among the easiest to defend against power and timing attacks.
120354b6a1bdSHuang Ying
120454b6a1bdSHuang Ying	  The AES specifies three key sizes: 128, 192 and 256 bits
120554b6a1bdSHuang Ying
120654b6a1bdSHuang Ying	  See <http://csrc.nist.gov/encryption/aes/> for more information.
120754b6a1bdSHuang Ying
12080d258efbSMathias Krause	  In addition to AES cipher algorithm support, the acceleration
12090d258efbSMathias Krause	  for some popular block cipher mode is supported too, including
1210944585a6SArd Biesheuvel	  ECB, CBC, LRW, XTS. The 64 bit version has additional
12110d258efbSMathias Krause	  acceleration for CTR.
12122cf4ac8bSHuang Ying
12139bf4852dSDavid S. Millerconfig CRYPTO_AES_SPARC64
12149bf4852dSDavid S. Miller	tristate "AES cipher algorithms (SPARC64)"
12159bf4852dSDavid S. Miller	depends on SPARC64
12169bf4852dSDavid S. Miller	select CRYPTO_CRYPTD
12179bf4852dSDavid S. Miller	select CRYPTO_ALGAPI
12189bf4852dSDavid S. Miller	help
12199bf4852dSDavid S. Miller	  Use SPARC64 crypto opcodes for AES algorithm.
12209bf4852dSDavid S. Miller
12219bf4852dSDavid S. Miller	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
12229bf4852dSDavid S. Miller	  algorithm.
12239bf4852dSDavid S. Miller
12249bf4852dSDavid S. Miller	  Rijndael appears to be consistently a very good performer in
12259bf4852dSDavid S. Miller	  both hardware and software across a wide range of computing
12269bf4852dSDavid S. Miller	  environments regardless of its use in feedback or non-feedback
12279bf4852dSDavid S. Miller	  modes. Its key setup time is excellent, and its key agility is
12289bf4852dSDavid S. Miller	  good. Rijndael's very low memory requirements make it very well
12299bf4852dSDavid S. Miller	  suited for restricted-space environments, in which it also
12309bf4852dSDavid S. Miller	  demonstrates excellent performance. Rijndael's operations are
12319bf4852dSDavid S. Miller	  among the easiest to defend against power and timing attacks.
12329bf4852dSDavid S. Miller
12339bf4852dSDavid S. Miller	  The AES specifies three key sizes: 128, 192 and 256 bits
12349bf4852dSDavid S. Miller
12359bf4852dSDavid S. Miller	  See <http://csrc.nist.gov/encryption/aes/> for more information.
12369bf4852dSDavid S. Miller
12379bf4852dSDavid S. Miller	  In addition to AES cipher algorithm support, the acceleration
12389bf4852dSDavid S. Miller	  for some popular block cipher mode is supported too, including
12399bf4852dSDavid S. Miller	  ECB and CBC.
12409bf4852dSDavid S. Miller
1241504c6143SMarkus Stockhausenconfig CRYPTO_AES_PPC_SPE
1242504c6143SMarkus Stockhausen	tristate "AES cipher algorithms (PPC SPE)"
1243504c6143SMarkus Stockhausen	depends on PPC && SPE
1244504c6143SMarkus Stockhausen	help
1245504c6143SMarkus Stockhausen	  AES cipher algorithms (FIPS-197). Additionally the acceleration
1246504c6143SMarkus Stockhausen	  for popular block cipher modes ECB, CBC, CTR and XTS is supported.
1247504c6143SMarkus Stockhausen	  This module should only be used for low power (router) devices
1248504c6143SMarkus Stockhausen	  without hardware AES acceleration (e.g. caam crypto). It reduces the
1249504c6143SMarkus Stockhausen	  size of the AES tables from 16KB to 8KB + 256 bytes and mitigates
1250504c6143SMarkus Stockhausen	  timining attacks. Nevertheless it might be not as secure as other
1251504c6143SMarkus Stockhausen	  architecture specific assembler implementations that work on 1KB
1252504c6143SMarkus Stockhausen	  tables or 256 bytes S-boxes.
1253504c6143SMarkus Stockhausen
12541da177e4SLinus Torvaldsconfig CRYPTO_ANUBIS
12551da177e4SLinus Torvalds	tristate "Anubis cipher algorithm"
1256cce9e06dSHerbert Xu	select CRYPTO_ALGAPI
12571da177e4SLinus Torvalds	help
12581da177e4SLinus Torvalds	  Anubis cipher algorithm.
12591da177e4SLinus Torvalds
12601da177e4SLinus Torvalds	  Anubis is a variable key length cipher which can use keys from
12611da177e4SLinus Torvalds	  128 bits to 320 bits in length.  It was evaluated as a entrant
12621da177e4SLinus Torvalds	  in the NESSIE competition.
12631da177e4SLinus Torvalds
12641da177e4SLinus Torvalds	  See also:
12656d8de74cSJustin P. Mattock	  <https://www.cosic.esat.kuleuven.be/nessie/reports/>
12666d8de74cSJustin P. Mattock	  <http://www.larc.usp.br/~pbarreto/AnubisPage.html>
12671da177e4SLinus Torvalds
1268dc51f257SArd Biesheuvelconfig CRYPTO_LIB_ARC4
1269dc51f257SArd Biesheuvel	tristate
1270dc51f257SArd Biesheuvel
1271584fffc8SSebastian Siewiorconfig CRYPTO_ARC4
1272584fffc8SSebastian Siewior	tristate "ARC4 cipher algorithm"
1273b9b0f080SSebastian Andrzej Siewior	select CRYPTO_BLKCIPHER
1274dc51f257SArd Biesheuvel	select CRYPTO_LIB_ARC4
1275e2ee95b8SHye-Shik Chang	help
1276584fffc8SSebastian Siewior	  ARC4 cipher algorithm.
1277e2ee95b8SHye-Shik Chang
1278584fffc8SSebastian Siewior	  ARC4 is a stream cipher using keys ranging from 8 bits to 2048
1279584fffc8SSebastian Siewior	  bits in length.  This algorithm is required for driver-based
1280584fffc8SSebastian Siewior	  WEP, but it should not be for other purposes because of the
1281584fffc8SSebastian Siewior	  weakness of the algorithm.
1282584fffc8SSebastian Siewior
1283584fffc8SSebastian Siewiorconfig CRYPTO_BLOWFISH
1284584fffc8SSebastian Siewior	tristate "Blowfish cipher algorithm"
1285584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
128652ba867cSJussi Kivilinna	select CRYPTO_BLOWFISH_COMMON
1287584fffc8SSebastian Siewior	help
1288584fffc8SSebastian Siewior	  Blowfish cipher algorithm, by Bruce Schneier.
1289584fffc8SSebastian Siewior
1290584fffc8SSebastian Siewior	  This is a variable key length cipher which can use keys from 32
1291584fffc8SSebastian Siewior	  bits to 448 bits in length.  It's fast, simple and specifically
1292584fffc8SSebastian Siewior	  designed for use on "large microprocessors".
1293e2ee95b8SHye-Shik Chang
1294e2ee95b8SHye-Shik Chang	  See also:
1295584fffc8SSebastian Siewior	  <http://www.schneier.com/blowfish.html>
1296584fffc8SSebastian Siewior
129752ba867cSJussi Kivilinnaconfig CRYPTO_BLOWFISH_COMMON
129852ba867cSJussi Kivilinna	tristate
129952ba867cSJussi Kivilinna	help
130052ba867cSJussi Kivilinna	  Common parts of the Blowfish cipher algorithm shared by the
130152ba867cSJussi Kivilinna	  generic c and the assembler implementations.
130252ba867cSJussi Kivilinna
130352ba867cSJussi Kivilinna	  See also:
130452ba867cSJussi Kivilinna	  <http://www.schneier.com/blowfish.html>
130552ba867cSJussi Kivilinna
130664b94ceaSJussi Kivilinnaconfig CRYPTO_BLOWFISH_X86_64
130764b94ceaSJussi Kivilinna	tristate "Blowfish cipher algorithm (x86_64)"
1308f21a7c19SAl Viro	depends on X86 && 64BIT
1309c1679171SEric Biggers	select CRYPTO_BLKCIPHER
131064b94ceaSJussi Kivilinna	select CRYPTO_BLOWFISH_COMMON
131164b94ceaSJussi Kivilinna	help
131264b94ceaSJussi Kivilinna	  Blowfish cipher algorithm (x86_64), by Bruce Schneier.
131364b94ceaSJussi Kivilinna
131464b94ceaSJussi Kivilinna	  This is a variable key length cipher which can use keys from 32
131564b94ceaSJussi Kivilinna	  bits to 448 bits in length.  It's fast, simple and specifically
131664b94ceaSJussi Kivilinna	  designed for use on "large microprocessors".
131764b94ceaSJussi Kivilinna
131864b94ceaSJussi Kivilinna	  See also:
131964b94ceaSJussi Kivilinna	  <http://www.schneier.com/blowfish.html>
132064b94ceaSJussi Kivilinna
1321584fffc8SSebastian Siewiorconfig CRYPTO_CAMELLIA
1322584fffc8SSebastian Siewior	tristate "Camellia cipher algorithms"
1323584fffc8SSebastian Siewior	depends on CRYPTO
1324584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1325584fffc8SSebastian Siewior	help
1326584fffc8SSebastian Siewior	  Camellia cipher algorithms module.
1327584fffc8SSebastian Siewior
1328584fffc8SSebastian Siewior	  Camellia is a symmetric key block cipher developed jointly
1329584fffc8SSebastian Siewior	  at NTT and Mitsubishi Electric Corporation.
1330584fffc8SSebastian Siewior
1331584fffc8SSebastian Siewior	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1332584fffc8SSebastian Siewior
1333584fffc8SSebastian Siewior	  See also:
1334584fffc8SSebastian Siewior	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1335584fffc8SSebastian Siewior
13360b95ec56SJussi Kivilinnaconfig CRYPTO_CAMELLIA_X86_64
13370b95ec56SJussi Kivilinna	tristate "Camellia cipher algorithm (x86_64)"
1338f21a7c19SAl Viro	depends on X86 && 64BIT
13390b95ec56SJussi Kivilinna	depends on CRYPTO
13401af6d037SEric Biggers	select CRYPTO_BLKCIPHER
1341964263afSJussi Kivilinna	select CRYPTO_GLUE_HELPER_X86
13420b95ec56SJussi Kivilinna	help
13430b95ec56SJussi Kivilinna	  Camellia cipher algorithm module (x86_64).
13440b95ec56SJussi Kivilinna
13450b95ec56SJussi Kivilinna	  Camellia is a symmetric key block cipher developed jointly
13460b95ec56SJussi Kivilinna	  at NTT and Mitsubishi Electric Corporation.
13470b95ec56SJussi Kivilinna
13480b95ec56SJussi Kivilinna	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
13490b95ec56SJussi Kivilinna
13500b95ec56SJussi Kivilinna	  See also:
13510b95ec56SJussi Kivilinna	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
13520b95ec56SJussi Kivilinna
1353d9b1d2e7SJussi Kivilinnaconfig CRYPTO_CAMELLIA_AESNI_AVX_X86_64
1354d9b1d2e7SJussi Kivilinna	tristate "Camellia cipher algorithm (x86_64/AES-NI/AVX)"
1355d9b1d2e7SJussi Kivilinna	depends on X86 && 64BIT
1356d9b1d2e7SJussi Kivilinna	depends on CRYPTO
135744893bc2SEric Biggers	select CRYPTO_BLKCIPHER
1358d9b1d2e7SJussi Kivilinna	select CRYPTO_CAMELLIA_X86_64
135944893bc2SEric Biggers	select CRYPTO_GLUE_HELPER_X86
136044893bc2SEric Biggers	select CRYPTO_SIMD
1361d9b1d2e7SJussi Kivilinna	select CRYPTO_XTS
1362d9b1d2e7SJussi Kivilinna	help
1363d9b1d2e7SJussi Kivilinna	  Camellia cipher algorithm module (x86_64/AES-NI/AVX).
1364d9b1d2e7SJussi Kivilinna
1365d9b1d2e7SJussi Kivilinna	  Camellia is a symmetric key block cipher developed jointly
1366d9b1d2e7SJussi Kivilinna	  at NTT and Mitsubishi Electric Corporation.
1367d9b1d2e7SJussi Kivilinna
1368d9b1d2e7SJussi Kivilinna	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1369d9b1d2e7SJussi Kivilinna
1370d9b1d2e7SJussi Kivilinna	  See also:
1371d9b1d2e7SJussi Kivilinna	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1372d9b1d2e7SJussi Kivilinna
1373f3f935a7SJussi Kivilinnaconfig CRYPTO_CAMELLIA_AESNI_AVX2_X86_64
1374f3f935a7SJussi Kivilinna	tristate "Camellia cipher algorithm (x86_64/AES-NI/AVX2)"
1375f3f935a7SJussi Kivilinna	depends on X86 && 64BIT
1376f3f935a7SJussi Kivilinna	depends on CRYPTO
1377f3f935a7SJussi Kivilinna	select CRYPTO_CAMELLIA_AESNI_AVX_X86_64
1378f3f935a7SJussi Kivilinna	help
1379f3f935a7SJussi Kivilinna	  Camellia cipher algorithm module (x86_64/AES-NI/AVX2).
1380f3f935a7SJussi Kivilinna
1381f3f935a7SJussi Kivilinna	  Camellia is a symmetric key block cipher developed jointly
1382f3f935a7SJussi Kivilinna	  at NTT and Mitsubishi Electric Corporation.
1383f3f935a7SJussi Kivilinna
1384f3f935a7SJussi Kivilinna	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1385f3f935a7SJussi Kivilinna
1386f3f935a7SJussi Kivilinna	  See also:
1387f3f935a7SJussi Kivilinna	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1388f3f935a7SJussi Kivilinna
138981658ad0SDavid S. Millerconfig CRYPTO_CAMELLIA_SPARC64
139081658ad0SDavid S. Miller	tristate "Camellia cipher algorithm (SPARC64)"
139181658ad0SDavid S. Miller	depends on SPARC64
139281658ad0SDavid S. Miller	depends on CRYPTO
139381658ad0SDavid S. Miller	select CRYPTO_ALGAPI
139481658ad0SDavid S. Miller	help
139581658ad0SDavid S. Miller	  Camellia cipher algorithm module (SPARC64).
139681658ad0SDavid S. Miller
139781658ad0SDavid S. Miller	  Camellia is a symmetric key block cipher developed jointly
139881658ad0SDavid S. Miller	  at NTT and Mitsubishi Electric Corporation.
139981658ad0SDavid S. Miller
140081658ad0SDavid S. Miller	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
140181658ad0SDavid S. Miller
140281658ad0SDavid S. Miller	  See also:
140381658ad0SDavid S. Miller	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
140481658ad0SDavid S. Miller
1405044ab525SJussi Kivilinnaconfig CRYPTO_CAST_COMMON
1406044ab525SJussi Kivilinna	tristate
1407044ab525SJussi Kivilinna	help
1408044ab525SJussi Kivilinna	  Common parts of the CAST cipher algorithms shared by the
1409044ab525SJussi Kivilinna	  generic c and the assembler implementations.
1410044ab525SJussi Kivilinna
1411584fffc8SSebastian Siewiorconfig CRYPTO_CAST5
1412584fffc8SSebastian Siewior	tristate "CAST5 (CAST-128) cipher algorithm"
1413584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1414044ab525SJussi Kivilinna	select CRYPTO_CAST_COMMON
1415584fffc8SSebastian Siewior	help
1416584fffc8SSebastian Siewior	  The CAST5 encryption algorithm (synonymous with CAST-128) is
1417584fffc8SSebastian Siewior	  described in RFC2144.
1418584fffc8SSebastian Siewior
14194d6d6a2cSJohannes Goetzfriedconfig CRYPTO_CAST5_AVX_X86_64
14204d6d6a2cSJohannes Goetzfried	tristate "CAST5 (CAST-128) cipher algorithm (x86_64/AVX)"
14214d6d6a2cSJohannes Goetzfried	depends on X86 && 64BIT
14221e63183aSEric Biggers	select CRYPTO_BLKCIPHER
14234d6d6a2cSJohannes Goetzfried	select CRYPTO_CAST5
14241e63183aSEric Biggers	select CRYPTO_CAST_COMMON
14251e63183aSEric Biggers	select CRYPTO_SIMD
14264d6d6a2cSJohannes Goetzfried	help
14274d6d6a2cSJohannes Goetzfried	  The CAST5 encryption algorithm (synonymous with CAST-128) is
14284d6d6a2cSJohannes Goetzfried	  described in RFC2144.
14294d6d6a2cSJohannes Goetzfried
14304d6d6a2cSJohannes Goetzfried	  This module provides the Cast5 cipher algorithm that processes
14314d6d6a2cSJohannes Goetzfried	  sixteen blocks parallel using the AVX instruction set.
14324d6d6a2cSJohannes Goetzfried
1433584fffc8SSebastian Siewiorconfig CRYPTO_CAST6
1434584fffc8SSebastian Siewior	tristate "CAST6 (CAST-256) cipher algorithm"
1435584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1436044ab525SJussi Kivilinna	select CRYPTO_CAST_COMMON
1437584fffc8SSebastian Siewior	help
1438584fffc8SSebastian Siewior	  The CAST6 encryption algorithm (synonymous with CAST-256) is
1439584fffc8SSebastian Siewior	  described in RFC2612.
1440584fffc8SSebastian Siewior
14414ea1277dSJohannes Goetzfriedconfig CRYPTO_CAST6_AVX_X86_64
14424ea1277dSJohannes Goetzfried	tristate "CAST6 (CAST-256) cipher algorithm (x86_64/AVX)"
14434ea1277dSJohannes Goetzfried	depends on X86 && 64BIT
14444bd96924SEric Biggers	select CRYPTO_BLKCIPHER
14454ea1277dSJohannes Goetzfried	select CRYPTO_CAST6
14464bd96924SEric Biggers	select CRYPTO_CAST_COMMON
14474bd96924SEric Biggers	select CRYPTO_GLUE_HELPER_X86
14484bd96924SEric Biggers	select CRYPTO_SIMD
14494ea1277dSJohannes Goetzfried	select CRYPTO_XTS
14504ea1277dSJohannes Goetzfried	help
14514ea1277dSJohannes Goetzfried	  The CAST6 encryption algorithm (synonymous with CAST-256) is
14524ea1277dSJohannes Goetzfried	  described in RFC2612.
14534ea1277dSJohannes Goetzfried
14544ea1277dSJohannes Goetzfried	  This module provides the Cast6 cipher algorithm that processes
14554ea1277dSJohannes Goetzfried	  eight blocks parallel using the AVX instruction set.
14564ea1277dSJohannes Goetzfried
1457584fffc8SSebastian Siewiorconfig CRYPTO_DES
1458584fffc8SSebastian Siewior	tristate "DES and Triple DES EDE cipher algorithms"
1459584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1460584fffc8SSebastian Siewior	help
1461584fffc8SSebastian Siewior	  DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3).
1462584fffc8SSebastian Siewior
1463c5aac2dfSDavid S. Millerconfig CRYPTO_DES_SPARC64
1464c5aac2dfSDavid S. Miller	tristate "DES and Triple DES EDE cipher algorithms (SPARC64)"
146597da37b3SDave Jones	depends on SPARC64
1466c5aac2dfSDavid S. Miller	select CRYPTO_ALGAPI
1467c5aac2dfSDavid S. Miller	select CRYPTO_DES
1468c5aac2dfSDavid S. Miller	help
1469c5aac2dfSDavid S. Miller	  DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3),
1470c5aac2dfSDavid S. Miller	  optimized using SPARC64 crypto opcodes.
1471c5aac2dfSDavid S. Miller
14726574e6c6SJussi Kivilinnaconfig CRYPTO_DES3_EDE_X86_64
14736574e6c6SJussi Kivilinna	tristate "Triple DES EDE cipher algorithm (x86-64)"
14746574e6c6SJussi Kivilinna	depends on X86 && 64BIT
147509c0f03bSEric Biggers	select CRYPTO_BLKCIPHER
14766574e6c6SJussi Kivilinna	select CRYPTO_DES
14776574e6c6SJussi Kivilinna	help
14786574e6c6SJussi Kivilinna	  Triple DES EDE (FIPS 46-3) algorithm.
14796574e6c6SJussi Kivilinna
14806574e6c6SJussi Kivilinna	  This module provides implementation of the Triple DES EDE cipher
14816574e6c6SJussi Kivilinna	  algorithm that is optimized for x86-64 processors. Two versions of
14826574e6c6SJussi Kivilinna	  algorithm are provided; regular processing one input block and
14836574e6c6SJussi Kivilinna	  one that processes three blocks parallel.
14846574e6c6SJussi Kivilinna
1485584fffc8SSebastian Siewiorconfig CRYPTO_FCRYPT
1486584fffc8SSebastian Siewior	tristate "FCrypt cipher algorithm"
1487584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1488584fffc8SSebastian Siewior	select CRYPTO_BLKCIPHER
1489584fffc8SSebastian Siewior	help
1490584fffc8SSebastian Siewior	  FCrypt algorithm used by RxRPC.
1491584fffc8SSebastian Siewior
1492584fffc8SSebastian Siewiorconfig CRYPTO_KHAZAD
1493584fffc8SSebastian Siewior	tristate "Khazad cipher algorithm"
1494584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1495584fffc8SSebastian Siewior	help
1496584fffc8SSebastian Siewior	  Khazad cipher algorithm.
1497584fffc8SSebastian Siewior
1498584fffc8SSebastian Siewior	  Khazad was a finalist in the initial NESSIE competition.  It is
1499584fffc8SSebastian Siewior	  an algorithm optimized for 64-bit processors with good performance
1500584fffc8SSebastian Siewior	  on 32-bit processors.  Khazad uses an 128 bit key size.
1501584fffc8SSebastian Siewior
1502584fffc8SSebastian Siewior	  See also:
15036d8de74cSJustin P. Mattock	  <http://www.larc.usp.br/~pbarreto/KhazadPage.html>
1504e2ee95b8SHye-Shik Chang
15052407d608STan Swee Hengconfig CRYPTO_SALSA20
15063b4afaf2SKees Cook	tristate "Salsa20 stream cipher algorithm"
15072407d608STan Swee Heng	select CRYPTO_BLKCIPHER
15082407d608STan Swee Heng	help
15092407d608STan Swee Heng	  Salsa20 stream cipher algorithm.
15102407d608STan Swee Heng
15112407d608STan Swee Heng	  Salsa20 is a stream cipher submitted to eSTREAM, the ECRYPT
15122407d608STan Swee Heng	  Stream Cipher Project. See <http://www.ecrypt.eu.org/stream/>
15132407d608STan Swee Heng
15142407d608STan Swee Heng	  The Salsa20 stream cipher algorithm is designed by Daniel J.
15152407d608STan Swee Heng	  Bernstein <djb@cr.yp.to>. See <http://cr.yp.to/snuffle.html>
15161da177e4SLinus Torvalds
1517c08d0e64SMartin Williconfig CRYPTO_CHACHA20
1518aa762409SEric Biggers	tristate "ChaCha stream cipher algorithms"
1519c08d0e64SMartin Willi	select CRYPTO_BLKCIPHER
1520c08d0e64SMartin Willi	help
1521aa762409SEric Biggers	  The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms.
1522c08d0e64SMartin Willi
1523c08d0e64SMartin Willi	  ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
1524c08d0e64SMartin Willi	  Bernstein and further specified in RFC7539 for use in IETF protocols.
1525de61d7aeSEric Biggers	  This is the portable C implementation of ChaCha20.  See also:
1526c08d0e64SMartin Willi	  <http://cr.yp.to/chacha/chacha-20080128.pdf>
1527c08d0e64SMartin Willi
1528de61d7aeSEric Biggers	  XChaCha20 is the application of the XSalsa20 construction to ChaCha20
1529de61d7aeSEric Biggers	  rather than to Salsa20.  XChaCha20 extends ChaCha20's nonce length
1530de61d7aeSEric Biggers	  from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
1531de61d7aeSEric Biggers	  while provably retaining ChaCha20's security.  See also:
1532de61d7aeSEric Biggers	  <https://cr.yp.to/snuffle/xsalsa-20081128.pdf>
1533de61d7aeSEric Biggers
1534aa762409SEric Biggers	  XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
1535aa762409SEric Biggers	  reduced security margin but increased performance.  It can be needed
1536aa762409SEric Biggers	  in some performance-sensitive scenarios.
1537aa762409SEric Biggers
1538c9320b6dSMartin Williconfig CRYPTO_CHACHA20_X86_64
15394af78261SEric Biggers	tristate "ChaCha stream cipher algorithms (x86_64/SSSE3/AVX2/AVX-512VL)"
1540c9320b6dSMartin Willi	depends on X86 && 64BIT
1541c9320b6dSMartin Willi	select CRYPTO_BLKCIPHER
1542c9320b6dSMartin Willi	select CRYPTO_CHACHA20
1543c9320b6dSMartin Willi	help
15447a507d62SEric Biggers	  SSSE3, AVX2, and AVX-512VL optimized implementations of the ChaCha20,
15457a507d62SEric Biggers	  XChaCha20, and XChaCha12 stream ciphers.
1546c9320b6dSMartin Willi
1547584fffc8SSebastian Siewiorconfig CRYPTO_SEED
1548584fffc8SSebastian Siewior	tristate "SEED cipher algorithm"
1549584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1550584fffc8SSebastian Siewior	help
1551584fffc8SSebastian Siewior	  SEED cipher algorithm (RFC4269).
1552584fffc8SSebastian Siewior
1553584fffc8SSebastian Siewior	  SEED is a 128-bit symmetric key block cipher that has been
1554584fffc8SSebastian Siewior	  developed by KISA (Korea Information Security Agency) as a
1555584fffc8SSebastian Siewior	  national standard encryption algorithm of the Republic of Korea.
1556584fffc8SSebastian Siewior	  It is a 16 round block cipher with the key size of 128 bit.
1557584fffc8SSebastian Siewior
1558584fffc8SSebastian Siewior	  See also:
1559584fffc8SSebastian Siewior	  <http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp>
1560584fffc8SSebastian Siewior
1561584fffc8SSebastian Siewiorconfig CRYPTO_SERPENT
1562584fffc8SSebastian Siewior	tristate "Serpent cipher algorithm"
1563584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1564584fffc8SSebastian Siewior	help
1565584fffc8SSebastian Siewior	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1566584fffc8SSebastian Siewior
1567584fffc8SSebastian Siewior	  Keys are allowed to be from 0 to 256 bits in length, in steps
1568584fffc8SSebastian Siewior	  of 8 bits.  Also includes the 'Tnepres' algorithm, a reversed
1569584fffc8SSebastian Siewior	  variant of Serpent for compatibility with old kerneli.org code.
1570584fffc8SSebastian Siewior
1571584fffc8SSebastian Siewior	  See also:
1572584fffc8SSebastian Siewior	  <http://www.cl.cam.ac.uk/~rja14/serpent.html>
1573584fffc8SSebastian Siewior
1574937c30d7SJussi Kivilinnaconfig CRYPTO_SERPENT_SSE2_X86_64
1575937c30d7SJussi Kivilinna	tristate "Serpent cipher algorithm (x86_64/SSE2)"
1576937c30d7SJussi Kivilinna	depends on X86 && 64BIT
1577e0f409dcSEric Biggers	select CRYPTO_BLKCIPHER
1578596d8750SJussi Kivilinna	select CRYPTO_GLUE_HELPER_X86
1579937c30d7SJussi Kivilinna	select CRYPTO_SERPENT
1580e0f409dcSEric Biggers	select CRYPTO_SIMD
1581937c30d7SJussi Kivilinna	help
1582937c30d7SJussi Kivilinna	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1583937c30d7SJussi Kivilinna
1584937c30d7SJussi Kivilinna	  Keys are allowed to be from 0 to 256 bits in length, in steps
1585937c30d7SJussi Kivilinna	  of 8 bits.
1586937c30d7SJussi Kivilinna
15871e6232f8SMasanari Iida	  This module provides Serpent cipher algorithm that processes eight
1588937c30d7SJussi Kivilinna	  blocks parallel using SSE2 instruction set.
1589937c30d7SJussi Kivilinna
1590937c30d7SJussi Kivilinna	  See also:
1591937c30d7SJussi Kivilinna	  <http://www.cl.cam.ac.uk/~rja14/serpent.html>
1592937c30d7SJussi Kivilinna
1593251496dbSJussi Kivilinnaconfig CRYPTO_SERPENT_SSE2_586
1594251496dbSJussi Kivilinna	tristate "Serpent cipher algorithm (i586/SSE2)"
1595251496dbSJussi Kivilinna	depends on X86 && !64BIT
1596e0f409dcSEric Biggers	select CRYPTO_BLKCIPHER
1597596d8750SJussi Kivilinna	select CRYPTO_GLUE_HELPER_X86
1598251496dbSJussi Kivilinna	select CRYPTO_SERPENT
1599e0f409dcSEric Biggers	select CRYPTO_SIMD
1600251496dbSJussi Kivilinna	help
1601251496dbSJussi Kivilinna	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1602251496dbSJussi Kivilinna
1603251496dbSJussi Kivilinna	  Keys are allowed to be from 0 to 256 bits in length, in steps
1604251496dbSJussi Kivilinna	  of 8 bits.
1605251496dbSJussi Kivilinna
1606251496dbSJussi Kivilinna	  This module provides Serpent cipher algorithm that processes four
1607251496dbSJussi Kivilinna	  blocks parallel using SSE2 instruction set.
1608251496dbSJussi Kivilinna
1609251496dbSJussi Kivilinna	  See also:
1610251496dbSJussi Kivilinna	  <http://www.cl.cam.ac.uk/~rja14/serpent.html>
1611251496dbSJussi Kivilinna
16127efe4076SJohannes Goetzfriedconfig CRYPTO_SERPENT_AVX_X86_64
16137efe4076SJohannes Goetzfried	tristate "Serpent cipher algorithm (x86_64/AVX)"
16147efe4076SJohannes Goetzfried	depends on X86 && 64BIT
1615e16bf974SEric Biggers	select CRYPTO_BLKCIPHER
16161d0debbdSJussi Kivilinna	select CRYPTO_GLUE_HELPER_X86
16177efe4076SJohannes Goetzfried	select CRYPTO_SERPENT
1618e16bf974SEric Biggers	select CRYPTO_SIMD
16197efe4076SJohannes Goetzfried	select CRYPTO_XTS
16207efe4076SJohannes Goetzfried	help
16217efe4076SJohannes Goetzfried	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
16227efe4076SJohannes Goetzfried
16237efe4076SJohannes Goetzfried	  Keys are allowed to be from 0 to 256 bits in length, in steps
16247efe4076SJohannes Goetzfried	  of 8 bits.
16257efe4076SJohannes Goetzfried
16267efe4076SJohannes Goetzfried	  This module provides the Serpent cipher algorithm that processes
16277efe4076SJohannes Goetzfried	  eight blocks parallel using the AVX instruction set.
16287efe4076SJohannes Goetzfried
16297efe4076SJohannes Goetzfried	  See also:
16307efe4076SJohannes Goetzfried	  <http://www.cl.cam.ac.uk/~rja14/serpent.html>
16317efe4076SJohannes Goetzfried
163256d76c96SJussi Kivilinnaconfig CRYPTO_SERPENT_AVX2_X86_64
163356d76c96SJussi Kivilinna	tristate "Serpent cipher algorithm (x86_64/AVX2)"
163456d76c96SJussi Kivilinna	depends on X86 && 64BIT
163556d76c96SJussi Kivilinna	select CRYPTO_SERPENT_AVX_X86_64
163656d76c96SJussi Kivilinna	help
163756d76c96SJussi Kivilinna	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
163856d76c96SJussi Kivilinna
163956d76c96SJussi Kivilinna	  Keys are allowed to be from 0 to 256 bits in length, in steps
164056d76c96SJussi Kivilinna	  of 8 bits.
164156d76c96SJussi Kivilinna
164256d76c96SJussi Kivilinna	  This module provides Serpent cipher algorithm that processes 16
164356d76c96SJussi Kivilinna	  blocks parallel using AVX2 instruction set.
164456d76c96SJussi Kivilinna
164556d76c96SJussi Kivilinna	  See also:
164656d76c96SJussi Kivilinna	  <http://www.cl.cam.ac.uk/~rja14/serpent.html>
164756d76c96SJussi Kivilinna
1648747c8ce4SGilad Ben-Yossefconfig CRYPTO_SM4
1649747c8ce4SGilad Ben-Yossef	tristate "SM4 cipher algorithm"
1650747c8ce4SGilad Ben-Yossef	select CRYPTO_ALGAPI
1651747c8ce4SGilad Ben-Yossef	help
1652747c8ce4SGilad Ben-Yossef	  SM4 cipher algorithms (OSCCA GB/T 32907-2016).
1653747c8ce4SGilad Ben-Yossef
1654747c8ce4SGilad Ben-Yossef	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
1655747c8ce4SGilad Ben-Yossef	  Organization of State Commercial Administration of China (OSCCA)
1656747c8ce4SGilad Ben-Yossef	  as an authorized cryptographic algorithms for the use within China.
1657747c8ce4SGilad Ben-Yossef
1658747c8ce4SGilad Ben-Yossef	  SMS4 was originally created for use in protecting wireless
1659747c8ce4SGilad Ben-Yossef	  networks, and is mandated in the Chinese National Standard for
1660747c8ce4SGilad Ben-Yossef	  Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
1661747c8ce4SGilad Ben-Yossef	  (GB.15629.11-2003).
1662747c8ce4SGilad Ben-Yossef
1663747c8ce4SGilad Ben-Yossef	  The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
1664747c8ce4SGilad Ben-Yossef	  standardized through TC 260 of the Standardization Administration
1665747c8ce4SGilad Ben-Yossef	  of the People's Republic of China (SAC).
1666747c8ce4SGilad Ben-Yossef
1667747c8ce4SGilad Ben-Yossef	  The input, output, and key of SMS4 are each 128 bits.
1668747c8ce4SGilad Ben-Yossef
1669747c8ce4SGilad Ben-Yossef	  See also: <https://eprint.iacr.org/2008/329.pdf>
1670747c8ce4SGilad Ben-Yossef
1671747c8ce4SGilad Ben-Yossef	  If unsure, say N.
1672747c8ce4SGilad Ben-Yossef
1673584fffc8SSebastian Siewiorconfig CRYPTO_TEA
1674584fffc8SSebastian Siewior	tristate "TEA, XTEA and XETA cipher algorithms"
1675584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1676584fffc8SSebastian Siewior	help
1677584fffc8SSebastian Siewior	  TEA cipher algorithm.
1678584fffc8SSebastian Siewior
1679584fffc8SSebastian Siewior	  Tiny Encryption Algorithm is a simple cipher that uses
1680584fffc8SSebastian Siewior	  many rounds for security.  It is very fast and uses
1681584fffc8SSebastian Siewior	  little memory.
1682584fffc8SSebastian Siewior
1683584fffc8SSebastian Siewior	  Xtendend Tiny Encryption Algorithm is a modification to
1684584fffc8SSebastian Siewior	  the TEA algorithm to address a potential key weakness
1685584fffc8SSebastian Siewior	  in the TEA algorithm.
1686584fffc8SSebastian Siewior
1687584fffc8SSebastian Siewior	  Xtendend Encryption Tiny Algorithm is a mis-implementation
1688584fffc8SSebastian Siewior	  of the XTEA algorithm for compatibility purposes.
1689584fffc8SSebastian Siewior
1690584fffc8SSebastian Siewiorconfig CRYPTO_TWOFISH
1691584fffc8SSebastian Siewior	tristate "Twofish cipher algorithm"
1692584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1693584fffc8SSebastian Siewior	select CRYPTO_TWOFISH_COMMON
1694584fffc8SSebastian Siewior	help
1695584fffc8SSebastian Siewior	  Twofish cipher algorithm.
1696584fffc8SSebastian Siewior
1697584fffc8SSebastian Siewior	  Twofish was submitted as an AES (Advanced Encryption Standard)
1698584fffc8SSebastian Siewior	  candidate cipher by researchers at CounterPane Systems.  It is a
1699584fffc8SSebastian Siewior	  16 round block cipher supporting key sizes of 128, 192, and 256
1700584fffc8SSebastian Siewior	  bits.
1701584fffc8SSebastian Siewior
1702584fffc8SSebastian Siewior	  See also:
1703584fffc8SSebastian Siewior	  <http://www.schneier.com/twofish.html>
1704584fffc8SSebastian Siewior
1705584fffc8SSebastian Siewiorconfig CRYPTO_TWOFISH_COMMON
1706584fffc8SSebastian Siewior	tristate
1707584fffc8SSebastian Siewior	help
1708584fffc8SSebastian Siewior	  Common parts of the Twofish cipher algorithm shared by the
1709584fffc8SSebastian Siewior	  generic c and the assembler implementations.
1710584fffc8SSebastian Siewior
1711584fffc8SSebastian Siewiorconfig CRYPTO_TWOFISH_586
1712584fffc8SSebastian Siewior	tristate "Twofish cipher algorithms (i586)"
1713584fffc8SSebastian Siewior	depends on (X86 || UML_X86) && !64BIT
1714584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1715584fffc8SSebastian Siewior	select CRYPTO_TWOFISH_COMMON
1716584fffc8SSebastian Siewior	help
1717584fffc8SSebastian Siewior	  Twofish cipher algorithm.
1718584fffc8SSebastian Siewior
1719584fffc8SSebastian Siewior	  Twofish was submitted as an AES (Advanced Encryption Standard)
1720584fffc8SSebastian Siewior	  candidate cipher by researchers at CounterPane Systems.  It is a
1721584fffc8SSebastian Siewior	  16 round block cipher supporting key sizes of 128, 192, and 256
1722584fffc8SSebastian Siewior	  bits.
1723584fffc8SSebastian Siewior
1724584fffc8SSebastian Siewior	  See also:
1725584fffc8SSebastian Siewior	  <http://www.schneier.com/twofish.html>
1726584fffc8SSebastian Siewior
1727584fffc8SSebastian Siewiorconfig CRYPTO_TWOFISH_X86_64
1728584fffc8SSebastian Siewior	tristate "Twofish cipher algorithm (x86_64)"
1729584fffc8SSebastian Siewior	depends on (X86 || UML_X86) && 64BIT
1730584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1731584fffc8SSebastian Siewior	select CRYPTO_TWOFISH_COMMON
1732584fffc8SSebastian Siewior	help
1733584fffc8SSebastian Siewior	  Twofish cipher algorithm (x86_64).
1734584fffc8SSebastian Siewior
1735584fffc8SSebastian Siewior	  Twofish was submitted as an AES (Advanced Encryption Standard)
1736584fffc8SSebastian Siewior	  candidate cipher by researchers at CounterPane Systems.  It is a
1737584fffc8SSebastian Siewior	  16 round block cipher supporting key sizes of 128, 192, and 256
1738584fffc8SSebastian Siewior	  bits.
1739584fffc8SSebastian Siewior
1740584fffc8SSebastian Siewior	  See also:
1741584fffc8SSebastian Siewior	  <http://www.schneier.com/twofish.html>
1742584fffc8SSebastian Siewior
17438280daadSJussi Kivilinnaconfig CRYPTO_TWOFISH_X86_64_3WAY
17448280daadSJussi Kivilinna	tristate "Twofish cipher algorithm (x86_64, 3-way parallel)"
1745f21a7c19SAl Viro	depends on X86 && 64BIT
174637992fa4SEric Biggers	select CRYPTO_BLKCIPHER
17478280daadSJussi Kivilinna	select CRYPTO_TWOFISH_COMMON
17488280daadSJussi Kivilinna	select CRYPTO_TWOFISH_X86_64
1749414cb5e7SJussi Kivilinna	select CRYPTO_GLUE_HELPER_X86
17508280daadSJussi Kivilinna	help
17518280daadSJussi Kivilinna	  Twofish cipher algorithm (x86_64, 3-way parallel).
17528280daadSJussi Kivilinna
17538280daadSJussi Kivilinna	  Twofish was submitted as an AES (Advanced Encryption Standard)
17548280daadSJussi Kivilinna	  candidate cipher by researchers at CounterPane Systems.  It is a
17558280daadSJussi Kivilinna	  16 round block cipher supporting key sizes of 128, 192, and 256
17568280daadSJussi Kivilinna	  bits.
17578280daadSJussi Kivilinna
17588280daadSJussi Kivilinna	  This module provides Twofish cipher algorithm that processes three
17598280daadSJussi Kivilinna	  blocks parallel, utilizing resources of out-of-order CPUs better.
17608280daadSJussi Kivilinna
17618280daadSJussi Kivilinna	  See also:
17628280daadSJussi Kivilinna	  <http://www.schneier.com/twofish.html>
17638280daadSJussi Kivilinna
1764107778b5SJohannes Goetzfriedconfig CRYPTO_TWOFISH_AVX_X86_64
1765107778b5SJohannes Goetzfried	tristate "Twofish cipher algorithm (x86_64/AVX)"
1766107778b5SJohannes Goetzfried	depends on X86 && 64BIT
17670e6ab46dSEric Biggers	select CRYPTO_BLKCIPHER
1768a7378d4eSJussi Kivilinna	select CRYPTO_GLUE_HELPER_X86
17690e6ab46dSEric Biggers	select CRYPTO_SIMD
1770107778b5SJohannes Goetzfried	select CRYPTO_TWOFISH_COMMON
1771107778b5SJohannes Goetzfried	select CRYPTO_TWOFISH_X86_64
1772107778b5SJohannes Goetzfried	select CRYPTO_TWOFISH_X86_64_3WAY
1773107778b5SJohannes Goetzfried	help
1774107778b5SJohannes Goetzfried	  Twofish cipher algorithm (x86_64/AVX).
1775107778b5SJohannes Goetzfried
1776107778b5SJohannes Goetzfried	  Twofish was submitted as an AES (Advanced Encryption Standard)
1777107778b5SJohannes Goetzfried	  candidate cipher by researchers at CounterPane Systems.  It is a
1778107778b5SJohannes Goetzfried	  16 round block cipher supporting key sizes of 128, 192, and 256
1779107778b5SJohannes Goetzfried	  bits.
1780107778b5SJohannes Goetzfried
1781107778b5SJohannes Goetzfried	  This module provides the Twofish cipher algorithm that processes
1782107778b5SJohannes Goetzfried	  eight blocks parallel using the AVX Instruction Set.
1783107778b5SJohannes Goetzfried
1784107778b5SJohannes Goetzfried	  See also:
1785107778b5SJohannes Goetzfried	  <http://www.schneier.com/twofish.html>
1786107778b5SJohannes Goetzfried
1787584fffc8SSebastian Siewiorcomment "Compression"
1788584fffc8SSebastian Siewior
17891da177e4SLinus Torvaldsconfig CRYPTO_DEFLATE
17901da177e4SLinus Torvalds	tristate "Deflate compression algorithm"
1791cce9e06dSHerbert Xu	select CRYPTO_ALGAPI
1792f6ded09dSGiovanni Cabiddu	select CRYPTO_ACOMP2
17931da177e4SLinus Torvalds	select ZLIB_INFLATE
17941da177e4SLinus Torvalds	select ZLIB_DEFLATE
17951da177e4SLinus Torvalds	help
17961da177e4SLinus Torvalds	  This is the Deflate algorithm (RFC1951), specified for use in
17971da177e4SLinus Torvalds	  IPSec with the IPCOMP protocol (RFC3173, RFC2394).
17981da177e4SLinus Torvalds
17991da177e4SLinus Torvalds	  You will most probably want this if using IPSec.
18001da177e4SLinus Torvalds
18010b77abb3SZoltan Sogorconfig CRYPTO_LZO
18020b77abb3SZoltan Sogor	tristate "LZO compression algorithm"
18030b77abb3SZoltan Sogor	select CRYPTO_ALGAPI
1804ac9d2c4bSGiovanni Cabiddu	select CRYPTO_ACOMP2
18050b77abb3SZoltan Sogor	select LZO_COMPRESS
18060b77abb3SZoltan Sogor	select LZO_DECOMPRESS
18070b77abb3SZoltan Sogor	help
18080b77abb3SZoltan Sogor	  This is the LZO algorithm.
18090b77abb3SZoltan Sogor
181035a1fc18SSeth Jenningsconfig CRYPTO_842
181135a1fc18SSeth Jennings	tristate "842 compression algorithm"
18122062c5b6SDan Streetman	select CRYPTO_ALGAPI
18136a8de3aeSGiovanni Cabiddu	select CRYPTO_ACOMP2
18142062c5b6SDan Streetman	select 842_COMPRESS
18152062c5b6SDan Streetman	select 842_DECOMPRESS
181635a1fc18SSeth Jennings	help
181735a1fc18SSeth Jennings	  This is the 842 algorithm.
181835a1fc18SSeth Jennings
18190ea8530dSChanho Minconfig CRYPTO_LZ4
18200ea8530dSChanho Min	tristate "LZ4 compression algorithm"
18210ea8530dSChanho Min	select CRYPTO_ALGAPI
18228cd9330eSGiovanni Cabiddu	select CRYPTO_ACOMP2
18230ea8530dSChanho Min	select LZ4_COMPRESS
18240ea8530dSChanho Min	select LZ4_DECOMPRESS
18250ea8530dSChanho Min	help
18260ea8530dSChanho Min	  This is the LZ4 algorithm.
18270ea8530dSChanho Min
18280ea8530dSChanho Minconfig CRYPTO_LZ4HC
18290ea8530dSChanho Min	tristate "LZ4HC compression algorithm"
18300ea8530dSChanho Min	select CRYPTO_ALGAPI
183191d53d96SGiovanni Cabiddu	select CRYPTO_ACOMP2
18320ea8530dSChanho Min	select LZ4HC_COMPRESS
18330ea8530dSChanho Min	select LZ4_DECOMPRESS
18340ea8530dSChanho Min	help
18350ea8530dSChanho Min	  This is the LZ4 high compression mode algorithm.
18360ea8530dSChanho Min
1837d28fc3dbSNick Terrellconfig CRYPTO_ZSTD
1838d28fc3dbSNick Terrell	tristate "Zstd compression algorithm"
1839d28fc3dbSNick Terrell	select CRYPTO_ALGAPI
1840d28fc3dbSNick Terrell	select CRYPTO_ACOMP2
1841d28fc3dbSNick Terrell	select ZSTD_COMPRESS
1842d28fc3dbSNick Terrell	select ZSTD_DECOMPRESS
1843d28fc3dbSNick Terrell	help
1844d28fc3dbSNick Terrell	  This is the zstd algorithm.
1845d28fc3dbSNick Terrell
184617f0f4a4SNeil Hormancomment "Random Number Generation"
184717f0f4a4SNeil Horman
184817f0f4a4SNeil Hormanconfig CRYPTO_ANSI_CPRNG
184917f0f4a4SNeil Horman	tristate "Pseudo Random Number Generation for Cryptographic modules"
185017f0f4a4SNeil Horman	select CRYPTO_AES
185117f0f4a4SNeil Horman	select CRYPTO_RNG
185217f0f4a4SNeil Horman	help
185317f0f4a4SNeil Horman	  This option enables the generic pseudo random number generator
185417f0f4a4SNeil Horman	  for cryptographic modules.  Uses the Algorithm specified in
18557dd607e8SJiri Kosina	  ANSI X9.31 A.2.4. Note that this option must be enabled if
18567dd607e8SJiri Kosina	  CRYPTO_FIPS is selected
185717f0f4a4SNeil Horman
1858f2c89a10SHerbert Xumenuconfig CRYPTO_DRBG_MENU
1859419090c6SStephan Mueller	tristate "NIST SP800-90A DRBG"
1860419090c6SStephan Mueller	help
1861419090c6SStephan Mueller	  NIST SP800-90A compliant DRBG. In the following submenu, one or
1862419090c6SStephan Mueller	  more of the DRBG types must be selected.
1863419090c6SStephan Mueller
1864f2c89a10SHerbert Xuif CRYPTO_DRBG_MENU
1865419090c6SStephan Mueller
1866419090c6SStephan Muellerconfig CRYPTO_DRBG_HMAC
1867401e4238SHerbert Xu	bool
1868419090c6SStephan Mueller	default y
1869419090c6SStephan Mueller	select CRYPTO_HMAC
1870826775bbSHerbert Xu	select CRYPTO_SHA256
1871419090c6SStephan Mueller
1872419090c6SStephan Muellerconfig CRYPTO_DRBG_HASH
1873419090c6SStephan Mueller	bool "Enable Hash DRBG"
1874826775bbSHerbert Xu	select CRYPTO_SHA256
1875419090c6SStephan Mueller	help
1876419090c6SStephan Mueller	  Enable the Hash DRBG variant as defined in NIST SP800-90A.
1877419090c6SStephan Mueller
1878419090c6SStephan Muellerconfig CRYPTO_DRBG_CTR
1879419090c6SStephan Mueller	bool "Enable CTR DRBG"
1880419090c6SStephan Mueller	select CRYPTO_AES
188135591285SStephan Mueller	depends on CRYPTO_CTR
1882419090c6SStephan Mueller	help
1883419090c6SStephan Mueller	  Enable the CTR DRBG variant as defined in NIST SP800-90A.
1884419090c6SStephan Mueller
1885f2c89a10SHerbert Xuconfig CRYPTO_DRBG
1886f2c89a10SHerbert Xu	tristate
1887401e4238SHerbert Xu	default CRYPTO_DRBG_MENU
1888f2c89a10SHerbert Xu	select CRYPTO_RNG
1889bb5530e4SStephan Mueller	select CRYPTO_JITTERENTROPY
1890f2c89a10SHerbert Xu
1891f2c89a10SHerbert Xuendif	# if CRYPTO_DRBG_MENU
1892419090c6SStephan Mueller
1893bb5530e4SStephan Muellerconfig CRYPTO_JITTERENTROPY
1894bb5530e4SStephan Mueller	tristate "Jitterentropy Non-Deterministic Random Number Generator"
18952f313e02SArnd Bergmann	select CRYPTO_RNG
1896bb5530e4SStephan Mueller	help
1897bb5530e4SStephan Mueller	  The Jitterentropy RNG is a noise that is intended
1898bb5530e4SStephan Mueller	  to provide seed to another RNG. The RNG does not
1899bb5530e4SStephan Mueller	  perform any cryptographic whitening of the generated
1900bb5530e4SStephan Mueller	  random numbers. This Jitterentropy RNG registers with
1901bb5530e4SStephan Mueller	  the kernel crypto API and can be used by any caller.
1902bb5530e4SStephan Mueller
190303c8efc1SHerbert Xuconfig CRYPTO_USER_API
190403c8efc1SHerbert Xu	tristate
190503c8efc1SHerbert Xu
1906fe869cdbSHerbert Xuconfig CRYPTO_USER_API_HASH
1907fe869cdbSHerbert Xu	tristate "User-space interface for hash algorithms"
19087451708fSHerbert Xu	depends on NET
1909fe869cdbSHerbert Xu	select CRYPTO_HASH
1910fe869cdbSHerbert Xu	select CRYPTO_USER_API
1911fe869cdbSHerbert Xu	help
1912fe869cdbSHerbert Xu	  This option enables the user-spaces interface for hash
1913fe869cdbSHerbert Xu	  algorithms.
1914fe869cdbSHerbert Xu
19158ff59090SHerbert Xuconfig CRYPTO_USER_API_SKCIPHER
19168ff59090SHerbert Xu	tristate "User-space interface for symmetric key cipher algorithms"
19177451708fSHerbert Xu	depends on NET
19188ff59090SHerbert Xu	select CRYPTO_BLKCIPHER
19198ff59090SHerbert Xu	select CRYPTO_USER_API
19208ff59090SHerbert Xu	help
19218ff59090SHerbert Xu	  This option enables the user-spaces interface for symmetric
19228ff59090SHerbert Xu	  key cipher algorithms.
19238ff59090SHerbert Xu
19242f375538SStephan Muellerconfig CRYPTO_USER_API_RNG
19252f375538SStephan Mueller	tristate "User-space interface for random number generator algorithms"
19262f375538SStephan Mueller	depends on NET
19272f375538SStephan Mueller	select CRYPTO_RNG
19282f375538SStephan Mueller	select CRYPTO_USER_API
19292f375538SStephan Mueller	help
19302f375538SStephan Mueller	  This option enables the user-spaces interface for random
19312f375538SStephan Mueller	  number generator algorithms.
19322f375538SStephan Mueller
1933b64a2d95SHerbert Xuconfig CRYPTO_USER_API_AEAD
1934b64a2d95SHerbert Xu	tristate "User-space interface for AEAD cipher algorithms"
1935b64a2d95SHerbert Xu	depends on NET
1936b64a2d95SHerbert Xu	select CRYPTO_AEAD
193772548b09SStephan Mueller	select CRYPTO_BLKCIPHER
193872548b09SStephan Mueller	select CRYPTO_NULL
1939b64a2d95SHerbert Xu	select CRYPTO_USER_API
1940b64a2d95SHerbert Xu	help
1941b64a2d95SHerbert Xu	  This option enables the user-spaces interface for AEAD
1942b64a2d95SHerbert Xu	  cipher algorithms.
1943b64a2d95SHerbert Xu
1944cac5818cSCorentin Labbeconfig CRYPTO_STATS
1945cac5818cSCorentin Labbe	bool "Crypto usage statistics for User-space"
1946a6a31385SCorentin Labbe	depends on CRYPTO_USER
1947cac5818cSCorentin Labbe	help
1948cac5818cSCorentin Labbe	  This option enables the gathering of crypto stats.
1949cac5818cSCorentin Labbe	  This will collect:
1950cac5818cSCorentin Labbe	  - encrypt/decrypt size and numbers of symmeric operations
1951cac5818cSCorentin Labbe	  - compress/decompress size and numbers of compress operations
1952cac5818cSCorentin Labbe	  - size and numbers of hash operations
1953cac5818cSCorentin Labbe	  - encrypt/decrypt/sign/verify numbers for asymmetric operations
1954cac5818cSCorentin Labbe	  - generate/seed numbers for rng operations
1955cac5818cSCorentin Labbe
1956ee08997fSDmitry Kasatkinconfig CRYPTO_HASH_INFO
1957ee08997fSDmitry Kasatkin	bool
1958ee08997fSDmitry Kasatkin
19591da177e4SLinus Torvaldssource "drivers/crypto/Kconfig"
19608636a1f9SMasahiro Yamadasource "crypto/asymmetric_keys/Kconfig"
19618636a1f9SMasahiro Yamadasource "certs/Kconfig"
19621da177e4SLinus Torvalds
1963cce9e06dSHerbert Xuendif	# if CRYPTO
1964