xref: /linux/crypto/Kconfig (revision d2825fa9365d0101571ed16534b16b7c8d261ab3)
1b2441318SGreg Kroah-Hartman# SPDX-License-Identifier: GPL-2.0
21da177e4SLinus Torvalds#
3685784aaSDan Williams# Generic algorithms support
4685784aaSDan Williams#
5685784aaSDan Williamsconfig XOR_BLOCKS
6685784aaSDan Williams	tristate
7685784aaSDan Williams
8685784aaSDan Williams#
99bc89cd8SDan Williams# async_tx api: hardware offloaded memory transfer/transform support
109bc89cd8SDan Williams#
119bc89cd8SDan Williamssource "crypto/async_tx/Kconfig"
129bc89cd8SDan Williams
139bc89cd8SDan Williams#
141da177e4SLinus Torvalds# Cryptographic API Configuration
151da177e4SLinus Torvalds#
162e290f43SJan Engelhardtmenuconfig CRYPTO
17c3715cb9SSebastian Siewior	tristate "Cryptographic API"
181da177e4SLinus Torvalds	help
191da177e4SLinus Torvalds	  This option provides the core Cryptographic API.
201da177e4SLinus Torvalds
21cce9e06dSHerbert Xuif CRYPTO
22cce9e06dSHerbert Xu
23584fffc8SSebastian Siewiorcomment "Crypto core or helper"
24584fffc8SSebastian Siewior
25ccb778e1SNeil Hormanconfig CRYPTO_FIPS
26ccb778e1SNeil Horman	bool "FIPS 200 compliance"
27f2c89a10SHerbert Xu	depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
281f696097SAlec Ari	depends on (MODULE_SIG || !MODULES)
29ccb778e1SNeil Horman	help
30d99324c2SGeert Uytterhoeven	  This option enables the fips boot option which is
31d99324c2SGeert Uytterhoeven	  required if you want the system to operate in a FIPS 200
32ccb778e1SNeil Horman	  certification.  You should say no unless you know what
33e84c5480SChuck Ebbert	  this is.
34ccb778e1SNeil Horman
35cce9e06dSHerbert Xuconfig CRYPTO_ALGAPI
36cce9e06dSHerbert Xu	tristate
376a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
38cce9e06dSHerbert Xu	help
39cce9e06dSHerbert Xu	  This option provides the API for cryptographic algorithms.
40cce9e06dSHerbert Xu
416a0fcbb4SHerbert Xuconfig CRYPTO_ALGAPI2
426a0fcbb4SHerbert Xu	tristate
436a0fcbb4SHerbert Xu
441ae97820SHerbert Xuconfig CRYPTO_AEAD
451ae97820SHerbert Xu	tristate
466a0fcbb4SHerbert Xu	select CRYPTO_AEAD2
471ae97820SHerbert Xu	select CRYPTO_ALGAPI
481ae97820SHerbert Xu
496a0fcbb4SHerbert Xuconfig CRYPTO_AEAD2
506a0fcbb4SHerbert Xu	tristate
516a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
52149a3971SHerbert Xu	select CRYPTO_NULL2
53149a3971SHerbert Xu	select CRYPTO_RNG2
546a0fcbb4SHerbert Xu
55b95bba5dSEric Biggersconfig CRYPTO_SKCIPHER
565cde0af2SHerbert Xu	tristate
57b95bba5dSEric Biggers	select CRYPTO_SKCIPHER2
585cde0af2SHerbert Xu	select CRYPTO_ALGAPI
596a0fcbb4SHerbert Xu
60b95bba5dSEric Biggersconfig CRYPTO_SKCIPHER2
616a0fcbb4SHerbert Xu	tristate
626a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
636a0fcbb4SHerbert Xu	select CRYPTO_RNG2
645cde0af2SHerbert Xu
65055bcee3SHerbert Xuconfig CRYPTO_HASH
66055bcee3SHerbert Xu	tristate
676a0fcbb4SHerbert Xu	select CRYPTO_HASH2
68055bcee3SHerbert Xu	select CRYPTO_ALGAPI
69055bcee3SHerbert Xu
706a0fcbb4SHerbert Xuconfig CRYPTO_HASH2
716a0fcbb4SHerbert Xu	tristate
726a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
736a0fcbb4SHerbert Xu
7417f0f4a4SNeil Hormanconfig CRYPTO_RNG
7517f0f4a4SNeil Horman	tristate
766a0fcbb4SHerbert Xu	select CRYPTO_RNG2
7717f0f4a4SNeil Horman	select CRYPTO_ALGAPI
7817f0f4a4SNeil Horman
796a0fcbb4SHerbert Xuconfig CRYPTO_RNG2
806a0fcbb4SHerbert Xu	tristate
816a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
826a0fcbb4SHerbert Xu
83401e4238SHerbert Xuconfig CRYPTO_RNG_DEFAULT
84401e4238SHerbert Xu	tristate
85401e4238SHerbert Xu	select CRYPTO_DRBG_MENU
86401e4238SHerbert Xu
873c339ab8STadeusz Strukconfig CRYPTO_AKCIPHER2
883c339ab8STadeusz Struk	tristate
893c339ab8STadeusz Struk	select CRYPTO_ALGAPI2
903c339ab8STadeusz Struk
913c339ab8STadeusz Strukconfig CRYPTO_AKCIPHER
923c339ab8STadeusz Struk	tristate
933c339ab8STadeusz Struk	select CRYPTO_AKCIPHER2
943c339ab8STadeusz Struk	select CRYPTO_ALGAPI
953c339ab8STadeusz Struk
964e5f2c40SSalvatore Benedettoconfig CRYPTO_KPP2
974e5f2c40SSalvatore Benedetto	tristate
984e5f2c40SSalvatore Benedetto	select CRYPTO_ALGAPI2
994e5f2c40SSalvatore Benedetto
1004e5f2c40SSalvatore Benedettoconfig CRYPTO_KPP
1014e5f2c40SSalvatore Benedetto	tristate
1024e5f2c40SSalvatore Benedetto	select CRYPTO_ALGAPI
1034e5f2c40SSalvatore Benedetto	select CRYPTO_KPP2
1044e5f2c40SSalvatore Benedetto
1052ebda74fSGiovanni Cabidduconfig CRYPTO_ACOMP2
1062ebda74fSGiovanni Cabiddu	tristate
1072ebda74fSGiovanni Cabiddu	select CRYPTO_ALGAPI2
1088cd579d2SBart Van Assche	select SGL_ALLOC
1092ebda74fSGiovanni Cabiddu
1102ebda74fSGiovanni Cabidduconfig CRYPTO_ACOMP
1112ebda74fSGiovanni Cabiddu	tristate
1122ebda74fSGiovanni Cabiddu	select CRYPTO_ALGAPI
1132ebda74fSGiovanni Cabiddu	select CRYPTO_ACOMP2
1142ebda74fSGiovanni Cabiddu
1152b8c19dbSHerbert Xuconfig CRYPTO_MANAGER
1162b8c19dbSHerbert Xu	tristate "Cryptographic algorithm manager"
1176a0fcbb4SHerbert Xu	select CRYPTO_MANAGER2
1182b8c19dbSHerbert Xu	help
1192b8c19dbSHerbert Xu	  Create default cryptographic template instantiations such as
1202b8c19dbSHerbert Xu	  cbc(aes).
1212b8c19dbSHerbert Xu
1226a0fcbb4SHerbert Xuconfig CRYPTO_MANAGER2
1236a0fcbb4SHerbert Xu	def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
1246a0fcbb4SHerbert Xu	select CRYPTO_AEAD2
1256a0fcbb4SHerbert Xu	select CRYPTO_HASH2
126b95bba5dSEric Biggers	select CRYPTO_SKCIPHER2
127946cc463STadeusz Struk	select CRYPTO_AKCIPHER2
1284e5f2c40SSalvatore Benedetto	select CRYPTO_KPP2
1292ebda74fSGiovanni Cabiddu	select CRYPTO_ACOMP2
1306a0fcbb4SHerbert Xu
131a38f7907SSteffen Klassertconfig CRYPTO_USER
132a38f7907SSteffen Klassert	tristate "Userspace cryptographic algorithm configuration"
1335db017aaSHerbert Xu	depends on NET
134a38f7907SSteffen Klassert	select CRYPTO_MANAGER
135a38f7907SSteffen Klassert	help
136d19978f5SValdis.Kletnieks@vt.edu	  Userspace configuration for cryptographic instantiations such as
137a38f7907SSteffen Klassert	  cbc(aes).
138a38f7907SSteffen Klassert
139326a6346SHerbert Xuconfig CRYPTO_MANAGER_DISABLE_TESTS
140326a6346SHerbert Xu	bool "Disable run-time self tests"
14100ca28a5SHerbert Xu	default y
1420b767f96SAlexander Shishkin	help
143326a6346SHerbert Xu	  Disable run-time self tests that normally take place at
144326a6346SHerbert Xu	  algorithm registration.
1450b767f96SAlexander Shishkin
1465b2706a4SEric Biggersconfig CRYPTO_MANAGER_EXTRA_TESTS
1475b2706a4SEric Biggers	bool "Enable extra run-time crypto self tests"
1486569e309SJason A. Donenfeld	depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER
1495b2706a4SEric Biggers	help
1505b2706a4SEric Biggers	  Enable extra run-time self tests of registered crypto algorithms,
1515b2706a4SEric Biggers	  including randomized fuzz tests.
1525b2706a4SEric Biggers
1535b2706a4SEric Biggers	  This is intended for developer use only, as these tests take much
1545b2706a4SEric Biggers	  longer to run than the normal self tests.
1555b2706a4SEric Biggers
156584fffc8SSebastian Siewiorconfig CRYPTO_GF128MUL
157e590e132SEric Biggers	tristate
158584fffc8SSebastian Siewior
159584fffc8SSebastian Siewiorconfig CRYPTO_NULL
160584fffc8SSebastian Siewior	tristate "Null algorithms"
161149a3971SHerbert Xu	select CRYPTO_NULL2
162584fffc8SSebastian Siewior	help
163584fffc8SSebastian Siewior	  These are 'Null' algorithms, used by IPsec, which do nothing.
164584fffc8SSebastian Siewior
165149a3971SHerbert Xuconfig CRYPTO_NULL2
166dd43c4e9SHerbert Xu	tristate
167149a3971SHerbert Xu	select CRYPTO_ALGAPI2
168b95bba5dSEric Biggers	select CRYPTO_SKCIPHER2
169149a3971SHerbert Xu	select CRYPTO_HASH2
170149a3971SHerbert Xu
1715068c7a8SSteffen Klassertconfig CRYPTO_PCRYPT
1723b4afaf2SKees Cook	tristate "Parallel crypto engine"
1733b4afaf2SKees Cook	depends on SMP
1745068c7a8SSteffen Klassert	select PADATA
1755068c7a8SSteffen Klassert	select CRYPTO_MANAGER
1765068c7a8SSteffen Klassert	select CRYPTO_AEAD
1775068c7a8SSteffen Klassert	help
1785068c7a8SSteffen Klassert	  This converts an arbitrary crypto algorithm into a parallel
1795068c7a8SSteffen Klassert	  algorithm that executes in kernel threads.
1805068c7a8SSteffen Klassert
181584fffc8SSebastian Siewiorconfig CRYPTO_CRYPTD
182584fffc8SSebastian Siewior	tristate "Software async crypto daemon"
183b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
184b8a28251SLoc Ho	select CRYPTO_HASH
185584fffc8SSebastian Siewior	select CRYPTO_MANAGER
186584fffc8SSebastian Siewior	help
187584fffc8SSebastian Siewior	  This is a generic software asynchronous crypto daemon that
188584fffc8SSebastian Siewior	  converts an arbitrary synchronous software crypto algorithm
189584fffc8SSebastian Siewior	  into an asynchronous algorithm that executes in a kernel thread.
190584fffc8SSebastian Siewior
191584fffc8SSebastian Siewiorconfig CRYPTO_AUTHENC
192584fffc8SSebastian Siewior	tristate "Authenc support"
193584fffc8SSebastian Siewior	select CRYPTO_AEAD
194b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
195584fffc8SSebastian Siewior	select CRYPTO_MANAGER
196584fffc8SSebastian Siewior	select CRYPTO_HASH
197e94c6a7aSHerbert Xu	select CRYPTO_NULL
198584fffc8SSebastian Siewior	help
199584fffc8SSebastian Siewior	  Authenc: Combined mode wrapper for IPsec.
200584fffc8SSebastian Siewior	  This is required for IPSec.
201584fffc8SSebastian Siewior
202584fffc8SSebastian Siewiorconfig CRYPTO_TEST
203584fffc8SSebastian Siewior	tristate "Testing module"
20400ea27f1SArd Biesheuvel	depends on m || EXPERT
205da7f033dSHerbert Xu	select CRYPTO_MANAGER
206584fffc8SSebastian Siewior	help
207584fffc8SSebastian Siewior	  Quick & dirty crypto test module.
208584fffc8SSebastian Siewior
209266d0516SHerbert Xuconfig CRYPTO_SIMD
210266d0516SHerbert Xu	tristate
211266d0516SHerbert Xu	select CRYPTO_CRYPTD
212266d0516SHerbert Xu
213735d37b5SBaolin Wangconfig CRYPTO_ENGINE
214735d37b5SBaolin Wang	tristate
215735d37b5SBaolin Wang
2163d6228a5SVitaly Chikunovcomment "Public-key cryptography"
2173d6228a5SVitaly Chikunov
2183d6228a5SVitaly Chikunovconfig CRYPTO_RSA
2193d6228a5SVitaly Chikunov	tristate "RSA algorithm"
2203d6228a5SVitaly Chikunov	select CRYPTO_AKCIPHER
2213d6228a5SVitaly Chikunov	select CRYPTO_MANAGER
2223d6228a5SVitaly Chikunov	select MPILIB
2233d6228a5SVitaly Chikunov	select ASN1
2243d6228a5SVitaly Chikunov	help
2253d6228a5SVitaly Chikunov	  Generic implementation of the RSA public key algorithm.
2263d6228a5SVitaly Chikunov
2273d6228a5SVitaly Chikunovconfig CRYPTO_DH
2283d6228a5SVitaly Chikunov	tristate "Diffie-Hellman algorithm"
2293d6228a5SVitaly Chikunov	select CRYPTO_KPP
2303d6228a5SVitaly Chikunov	select MPILIB
2313d6228a5SVitaly Chikunov	help
2323d6228a5SVitaly Chikunov	  Generic implementation of the Diffie-Hellman algorithm.
2333d6228a5SVitaly Chikunov
2347dce5981SNicolai Stangeconfig CRYPTO_DH_RFC7919_GROUPS
2357dce5981SNicolai Stange	bool "Support for RFC 7919 FFDHE group parameters"
2367dce5981SNicolai Stange	depends on CRYPTO_DH
2371e207964SNicolai Stange	select CRYPTO_RNG_DEFAULT
2387dce5981SNicolai Stange	help
2397dce5981SNicolai Stange	  Provide support for RFC 7919 FFDHE group parameters. If unsure, say N.
2407dce5981SNicolai Stange
2414a2289daSVitaly Chikunovconfig CRYPTO_ECC
2424a2289daSVitaly Chikunov	tristate
24338aa192aSArnd Bergmann	select CRYPTO_RNG_DEFAULT
2444a2289daSVitaly Chikunov
2453d6228a5SVitaly Chikunovconfig CRYPTO_ECDH
2463d6228a5SVitaly Chikunov	tristate "ECDH algorithm"
2474a2289daSVitaly Chikunov	select CRYPTO_ECC
2483d6228a5SVitaly Chikunov	select CRYPTO_KPP
2493d6228a5SVitaly Chikunov	help
2503d6228a5SVitaly Chikunov	  Generic implementation of the ECDH algorithm
2513d6228a5SVitaly Chikunov
2524e660291SStefan Bergerconfig CRYPTO_ECDSA
2534e660291SStefan Berger	tristate "ECDSA (NIST P192, P256 etc.) algorithm"
2544e660291SStefan Berger	select CRYPTO_ECC
2554e660291SStefan Berger	select CRYPTO_AKCIPHER
2564e660291SStefan Berger	select ASN1
2574e660291SStefan Berger	help
2584e660291SStefan Berger	  Elliptic Curve Digital Signature Algorithm (NIST P192, P256 etc.)
2594e660291SStefan Berger	  is A NIST cryptographic standard algorithm. Only signature verification
2604e660291SStefan Berger	  is implemented.
2614e660291SStefan Berger
2620d7a7864SVitaly Chikunovconfig CRYPTO_ECRDSA
2630d7a7864SVitaly Chikunov	tristate "EC-RDSA (GOST 34.10) algorithm"
2640d7a7864SVitaly Chikunov	select CRYPTO_ECC
2650d7a7864SVitaly Chikunov	select CRYPTO_AKCIPHER
2660d7a7864SVitaly Chikunov	select CRYPTO_STREEBOG
2671036633eSVitaly Chikunov	select OID_REGISTRY
2681036633eSVitaly Chikunov	select ASN1
2690d7a7864SVitaly Chikunov	help
2700d7a7864SVitaly Chikunov	  Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
2710d7a7864SVitaly Chikunov	  RFC 7091, ISO/IEC 14888-3:2018) is one of the Russian cryptographic
2720d7a7864SVitaly Chikunov	  standard algorithms (called GOST algorithms). Only signature verification
2730d7a7864SVitaly Chikunov	  is implemented.
2740d7a7864SVitaly Chikunov
275ea7ecb66STianjia Zhangconfig CRYPTO_SM2
276ea7ecb66STianjia Zhang	tristate "SM2 algorithm"
277*d2825fa9SJason A. Donenfeld	select CRYPTO_SM3
278ea7ecb66STianjia Zhang	select CRYPTO_AKCIPHER
279ea7ecb66STianjia Zhang	select CRYPTO_MANAGER
280ea7ecb66STianjia Zhang	select MPILIB
281ea7ecb66STianjia Zhang	select ASN1
282ea7ecb66STianjia Zhang	help
283ea7ecb66STianjia Zhang	  Generic implementation of the SM2 public key algorithm. It was
284ea7ecb66STianjia Zhang	  published by State Encryption Management Bureau, China.
285ea7ecb66STianjia Zhang	  as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012.
286ea7ecb66STianjia Zhang
287ea7ecb66STianjia Zhang	  References:
288ea7ecb66STianjia Zhang	  https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02
289ea7ecb66STianjia Zhang	  http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml
290ea7ecb66STianjia Zhang	  http://www.gmbz.org.cn/main/bzlb.html
291ea7ecb66STianjia Zhang
292ee772cb6SArd Biesheuvelconfig CRYPTO_CURVE25519
293ee772cb6SArd Biesheuvel	tristate "Curve25519 algorithm"
294ee772cb6SArd Biesheuvel	select CRYPTO_KPP
295ee772cb6SArd Biesheuvel	select CRYPTO_LIB_CURVE25519_GENERIC
296ee772cb6SArd Biesheuvel
297bb611bdfSJason A. Donenfeldconfig CRYPTO_CURVE25519_X86
298bb611bdfSJason A. Donenfeld	tristate "x86_64 accelerated Curve25519 scalar multiplication library"
299bb611bdfSJason A. Donenfeld	depends on X86 && 64BIT
300bb611bdfSJason A. Donenfeld	select CRYPTO_LIB_CURVE25519_GENERIC
301bb611bdfSJason A. Donenfeld	select CRYPTO_ARCH_HAVE_LIB_CURVE25519
302bb611bdfSJason A. Donenfeld
303584fffc8SSebastian Siewiorcomment "Authenticated Encryption with Associated Data"
304584fffc8SSebastian Siewior
305584fffc8SSebastian Siewiorconfig CRYPTO_CCM
306584fffc8SSebastian Siewior	tristate "CCM support"
307584fffc8SSebastian Siewior	select CRYPTO_CTR
308f15f05b0SArd Biesheuvel	select CRYPTO_HASH
309584fffc8SSebastian Siewior	select CRYPTO_AEAD
310c8a3315aSEric Biggers	select CRYPTO_MANAGER
311584fffc8SSebastian Siewior	help
312584fffc8SSebastian Siewior	  Support for Counter with CBC MAC. Required for IPsec.
313584fffc8SSebastian Siewior
314584fffc8SSebastian Siewiorconfig CRYPTO_GCM
315584fffc8SSebastian Siewior	tristate "GCM/GMAC support"
316584fffc8SSebastian Siewior	select CRYPTO_CTR
317584fffc8SSebastian Siewior	select CRYPTO_AEAD
3189382d97aSHuang Ying	select CRYPTO_GHASH
3199489667dSJussi Kivilinna	select CRYPTO_NULL
320c8a3315aSEric Biggers	select CRYPTO_MANAGER
321584fffc8SSebastian Siewior	help
322584fffc8SSebastian Siewior	  Support for Galois/Counter Mode (GCM) and Galois Message
323584fffc8SSebastian Siewior	  Authentication Code (GMAC). Required for IPSec.
324584fffc8SSebastian Siewior
32571ebc4d1SMartin Williconfig CRYPTO_CHACHA20POLY1305
32671ebc4d1SMartin Willi	tristate "ChaCha20-Poly1305 AEAD support"
32771ebc4d1SMartin Willi	select CRYPTO_CHACHA20
32871ebc4d1SMartin Willi	select CRYPTO_POLY1305
32971ebc4d1SMartin Willi	select CRYPTO_AEAD
330c8a3315aSEric Biggers	select CRYPTO_MANAGER
33171ebc4d1SMartin Willi	help
33271ebc4d1SMartin Willi	  ChaCha20-Poly1305 AEAD support, RFC7539.
33371ebc4d1SMartin Willi
33471ebc4d1SMartin Willi	  Support for the AEAD wrapper using the ChaCha20 stream cipher combined
33571ebc4d1SMartin Willi	  with the Poly1305 authenticator. It is defined in RFC7539 for use in
33671ebc4d1SMartin Willi	  IETF protocols.
33771ebc4d1SMartin Willi
338f606a88eSOndrej Mosnacekconfig CRYPTO_AEGIS128
339f606a88eSOndrej Mosnacek	tristate "AEGIS-128 AEAD algorithm"
340f606a88eSOndrej Mosnacek	select CRYPTO_AEAD
341f606a88eSOndrej Mosnacek	select CRYPTO_AES  # for AES S-box tables
342f606a88eSOndrej Mosnacek	help
343f606a88eSOndrej Mosnacek	 Support for the AEGIS-128 dedicated AEAD algorithm.
344f606a88eSOndrej Mosnacek
345a4397635SArd Biesheuvelconfig CRYPTO_AEGIS128_SIMD
346a4397635SArd Biesheuvel	bool "Support SIMD acceleration for AEGIS-128"
347a4397635SArd Biesheuvel	depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
348a4397635SArd Biesheuvel	default y
349a4397635SArd Biesheuvel
3501d373d4eSOndrej Mosnacekconfig CRYPTO_AEGIS128_AESNI_SSE2
3511d373d4eSOndrej Mosnacek	tristate "AEGIS-128 AEAD algorithm (x86_64 AESNI+SSE2 implementation)"
3521d373d4eSOndrej Mosnacek	depends on X86 && 64BIT
3531d373d4eSOndrej Mosnacek	select CRYPTO_AEAD
354de272ca7SEric Biggers	select CRYPTO_SIMD
3551d373d4eSOndrej Mosnacek	help
3564e5180ebSOndrej Mosnacek	 AESNI+SSE2 implementation of the AEGIS-128 dedicated AEAD algorithm.
3571d373d4eSOndrej Mosnacek
358584fffc8SSebastian Siewiorconfig CRYPTO_SEQIV
359584fffc8SSebastian Siewior	tristate "Sequence Number IV Generator"
360584fffc8SSebastian Siewior	select CRYPTO_AEAD
361b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
362856e3f40SHerbert Xu	select CRYPTO_NULL
363401e4238SHerbert Xu	select CRYPTO_RNG_DEFAULT
364c8a3315aSEric Biggers	select CRYPTO_MANAGER
365584fffc8SSebastian Siewior	help
366584fffc8SSebastian Siewior	  This IV generator generates an IV based on a sequence number by
367584fffc8SSebastian Siewior	  xoring it with a salt.  This algorithm is mainly useful for CTR
368584fffc8SSebastian Siewior
369a10f554fSHerbert Xuconfig CRYPTO_ECHAINIV
370a10f554fSHerbert Xu	tristate "Encrypted Chain IV Generator"
371a10f554fSHerbert Xu	select CRYPTO_AEAD
372a10f554fSHerbert Xu	select CRYPTO_NULL
373401e4238SHerbert Xu	select CRYPTO_RNG_DEFAULT
374c8a3315aSEric Biggers	select CRYPTO_MANAGER
375a10f554fSHerbert Xu	help
376a10f554fSHerbert Xu	  This IV generator generates an IV based on the encryption of
377a10f554fSHerbert Xu	  a sequence number xored with a salt.  This is the default
378a10f554fSHerbert Xu	  algorithm for CBC.
379a10f554fSHerbert Xu
380584fffc8SSebastian Siewiorcomment "Block modes"
381584fffc8SSebastian Siewior
382584fffc8SSebastian Siewiorconfig CRYPTO_CBC
383584fffc8SSebastian Siewior	tristate "CBC support"
384b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
385584fffc8SSebastian Siewior	select CRYPTO_MANAGER
386584fffc8SSebastian Siewior	help
387584fffc8SSebastian Siewior	  CBC: Cipher Block Chaining mode
388584fffc8SSebastian Siewior	  This block cipher algorithm is required for IPSec.
389584fffc8SSebastian Siewior
390a7d85e06SJames Bottomleyconfig CRYPTO_CFB
391a7d85e06SJames Bottomley	tristate "CFB support"
392b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
393a7d85e06SJames Bottomley	select CRYPTO_MANAGER
394a7d85e06SJames Bottomley	help
395a7d85e06SJames Bottomley	  CFB: Cipher FeedBack mode
396a7d85e06SJames Bottomley	  This block cipher algorithm is required for TPM2 Cryptography.
397a7d85e06SJames Bottomley
398584fffc8SSebastian Siewiorconfig CRYPTO_CTR
399584fffc8SSebastian Siewior	tristate "CTR support"
400b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
401584fffc8SSebastian Siewior	select CRYPTO_MANAGER
402584fffc8SSebastian Siewior	help
403584fffc8SSebastian Siewior	  CTR: Counter mode
404584fffc8SSebastian Siewior	  This block cipher algorithm is required for IPSec.
405584fffc8SSebastian Siewior
406584fffc8SSebastian Siewiorconfig CRYPTO_CTS
407584fffc8SSebastian Siewior	tristate "CTS support"
408b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
409c8a3315aSEric Biggers	select CRYPTO_MANAGER
410584fffc8SSebastian Siewior	help
411584fffc8SSebastian Siewior	  CTS: Cipher Text Stealing
412584fffc8SSebastian Siewior	  This is the Cipher Text Stealing mode as described by
413ecd6d5c9SGilad Ben-Yossef	  Section 8 of rfc2040 and referenced by rfc3962
414ecd6d5c9SGilad Ben-Yossef	  (rfc3962 includes errata information in its Appendix A) or
415ecd6d5c9SGilad Ben-Yossef	  CBC-CS3 as defined by NIST in Sp800-38A addendum from Oct 2010.
416584fffc8SSebastian Siewior	  This mode is required for Kerberos gss mechanism support
417584fffc8SSebastian Siewior	  for AES encryption.
418584fffc8SSebastian Siewior
419ecd6d5c9SGilad Ben-Yossef	  See: https://csrc.nist.gov/publications/detail/sp/800-38a/addendum/final
420ecd6d5c9SGilad Ben-Yossef
421584fffc8SSebastian Siewiorconfig CRYPTO_ECB
422584fffc8SSebastian Siewior	tristate "ECB support"
423b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
424584fffc8SSebastian Siewior	select CRYPTO_MANAGER
425584fffc8SSebastian Siewior	help
426584fffc8SSebastian Siewior	  ECB: Electronic CodeBook mode
427584fffc8SSebastian Siewior	  This is the simplest block cipher algorithm.  It simply encrypts
428584fffc8SSebastian Siewior	  the input block by block.
429584fffc8SSebastian Siewior
430584fffc8SSebastian Siewiorconfig CRYPTO_LRW
4312470a2b2SJussi Kivilinna	tristate "LRW support"
432b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
433584fffc8SSebastian Siewior	select CRYPTO_MANAGER
434584fffc8SSebastian Siewior	select CRYPTO_GF128MUL
435f60bbbbeSHerbert Xu	select CRYPTO_ECB
436584fffc8SSebastian Siewior	help
437584fffc8SSebastian Siewior	  LRW: Liskov Rivest Wagner, a tweakable, non malleable, non movable
438584fffc8SSebastian Siewior	  narrow block cipher mode for dm-crypt.  Use it with cipher
439584fffc8SSebastian Siewior	  specification string aes-lrw-benbi, the key must be 256, 320 or 384.
440584fffc8SSebastian Siewior	  The first 128, 192 or 256 bits in the key are used for AES and the
441584fffc8SSebastian Siewior	  rest is used to tie each cipher block to its logical position.
442584fffc8SSebastian Siewior
443e497c518SGilad Ben-Yossefconfig CRYPTO_OFB
444e497c518SGilad Ben-Yossef	tristate "OFB support"
445b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
446e497c518SGilad Ben-Yossef	select CRYPTO_MANAGER
447e497c518SGilad Ben-Yossef	help
448e497c518SGilad Ben-Yossef	  OFB: the Output Feedback mode makes a block cipher into a synchronous
449e497c518SGilad Ben-Yossef	  stream cipher. It generates keystream blocks, which are then XORed
450e497c518SGilad Ben-Yossef	  with the plaintext blocks to get the ciphertext. Flipping a bit in the
451e497c518SGilad Ben-Yossef	  ciphertext produces a flipped bit in the plaintext at the same
452e497c518SGilad Ben-Yossef	  location. This property allows many error correcting codes to function
453e497c518SGilad Ben-Yossef	  normally even when applied before encryption.
454e497c518SGilad Ben-Yossef
455584fffc8SSebastian Siewiorconfig CRYPTO_PCBC
456584fffc8SSebastian Siewior	tristate "PCBC support"
457b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
458584fffc8SSebastian Siewior	select CRYPTO_MANAGER
459584fffc8SSebastian Siewior	help
460584fffc8SSebastian Siewior	  PCBC: Propagating Cipher Block Chaining mode
461584fffc8SSebastian Siewior	  This block cipher algorithm is required for RxRPC.
462584fffc8SSebastian Siewior
463584fffc8SSebastian Siewiorconfig CRYPTO_XTS
4645bcf8e6dSJussi Kivilinna	tristate "XTS support"
465b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
466584fffc8SSebastian Siewior	select CRYPTO_MANAGER
46712cb3a1cSMilan Broz	select CRYPTO_ECB
468584fffc8SSebastian Siewior	help
469584fffc8SSebastian Siewior	  XTS: IEEE1619/D16 narrow block cipher use with aes-xts-plain,
470584fffc8SSebastian Siewior	  key size 256, 384 or 512 bits. This implementation currently
471584fffc8SSebastian Siewior	  can't handle a sectorsize which is not a multiple of 16 bytes.
472584fffc8SSebastian Siewior
4731c49678eSStephan Muellerconfig CRYPTO_KEYWRAP
4741c49678eSStephan Mueller	tristate "Key wrapping support"
475b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
476c8a3315aSEric Biggers	select CRYPTO_MANAGER
4771c49678eSStephan Mueller	help
4781c49678eSStephan Mueller	  Support for key wrapping (NIST SP800-38F / RFC3394) without
4791c49678eSStephan Mueller	  padding.
4801c49678eSStephan Mueller
48126609a21SEric Biggersconfig CRYPTO_NHPOLY1305
48226609a21SEric Biggers	tristate
48326609a21SEric Biggers	select CRYPTO_HASH
48448ea8c6eSArd Biesheuvel	select CRYPTO_LIB_POLY1305_GENERIC
48526609a21SEric Biggers
486012c8238SEric Biggersconfig CRYPTO_NHPOLY1305_SSE2
487012c8238SEric Biggers	tristate "NHPoly1305 hash function (x86_64 SSE2 implementation)"
488012c8238SEric Biggers	depends on X86 && 64BIT
489012c8238SEric Biggers	select CRYPTO_NHPOLY1305
490012c8238SEric Biggers	help
491012c8238SEric Biggers	  SSE2 optimized implementation of the hash function used by the
492012c8238SEric Biggers	  Adiantum encryption mode.
493012c8238SEric Biggers
4940f961f9fSEric Biggersconfig CRYPTO_NHPOLY1305_AVX2
4950f961f9fSEric Biggers	tristate "NHPoly1305 hash function (x86_64 AVX2 implementation)"
4960f961f9fSEric Biggers	depends on X86 && 64BIT
4970f961f9fSEric Biggers	select CRYPTO_NHPOLY1305
4980f961f9fSEric Biggers	help
4990f961f9fSEric Biggers	  AVX2 optimized implementation of the hash function used by the
5000f961f9fSEric Biggers	  Adiantum encryption mode.
5010f961f9fSEric Biggers
502059c2a4dSEric Biggersconfig CRYPTO_ADIANTUM
503059c2a4dSEric Biggers	tristate "Adiantum support"
504059c2a4dSEric Biggers	select CRYPTO_CHACHA20
50548ea8c6eSArd Biesheuvel	select CRYPTO_LIB_POLY1305_GENERIC
506059c2a4dSEric Biggers	select CRYPTO_NHPOLY1305
507c8a3315aSEric Biggers	select CRYPTO_MANAGER
508059c2a4dSEric Biggers	help
509059c2a4dSEric Biggers	  Adiantum is a tweakable, length-preserving encryption mode
510059c2a4dSEric Biggers	  designed for fast and secure disk encryption, especially on
511059c2a4dSEric Biggers	  CPUs without dedicated crypto instructions.  It encrypts
512059c2a4dSEric Biggers	  each sector using the XChaCha12 stream cipher, two passes of
513059c2a4dSEric Biggers	  an ε-almost-∆-universal hash function, and an invocation of
514059c2a4dSEric Biggers	  the AES-256 block cipher on a single 16-byte block.  On CPUs
515059c2a4dSEric Biggers	  without AES instructions, Adiantum is much faster than
516059c2a4dSEric Biggers	  AES-XTS.
517059c2a4dSEric Biggers
518059c2a4dSEric Biggers	  Adiantum's security is provably reducible to that of its
519059c2a4dSEric Biggers	  underlying stream and block ciphers, subject to a security
520059c2a4dSEric Biggers	  bound.  Unlike XTS, Adiantum is a true wide-block encryption
521059c2a4dSEric Biggers	  mode, so it actually provides an even stronger notion of
522059c2a4dSEric Biggers	  security than XTS, subject to the security bound.
523059c2a4dSEric Biggers
524059c2a4dSEric Biggers	  If unsure, say N.
525059c2a4dSEric Biggers
526be1eb7f7SArd Biesheuvelconfig CRYPTO_ESSIV
527be1eb7f7SArd Biesheuvel	tristate "ESSIV support for block encryption"
528be1eb7f7SArd Biesheuvel	select CRYPTO_AUTHENC
529be1eb7f7SArd Biesheuvel	help
530be1eb7f7SArd Biesheuvel	  Encrypted salt-sector initialization vector (ESSIV) is an IV
531be1eb7f7SArd Biesheuvel	  generation method that is used in some cases by fscrypt and/or
532be1eb7f7SArd Biesheuvel	  dm-crypt. It uses the hash of the block encryption key as the
533be1eb7f7SArd Biesheuvel	  symmetric key for a block encryption pass applied to the input
534be1eb7f7SArd Biesheuvel	  IV, making low entropy IV sources more suitable for block
535be1eb7f7SArd Biesheuvel	  encryption.
536be1eb7f7SArd Biesheuvel
537be1eb7f7SArd Biesheuvel	  This driver implements a crypto API template that can be
538ab3d436bSGeert Uytterhoeven	  instantiated either as an skcipher or as an AEAD (depending on the
539be1eb7f7SArd Biesheuvel	  type of the first template argument), and which defers encryption
540be1eb7f7SArd Biesheuvel	  and decryption requests to the encapsulated cipher after applying
541ab3d436bSGeert Uytterhoeven	  ESSIV to the input IV. Note that in the AEAD case, it is assumed
542be1eb7f7SArd Biesheuvel	  that the keys are presented in the same format used by the authenc
543be1eb7f7SArd Biesheuvel	  template, and that the IV appears at the end of the authenticated
544be1eb7f7SArd Biesheuvel	  associated data (AAD) region (which is how dm-crypt uses it.)
545be1eb7f7SArd Biesheuvel
546be1eb7f7SArd Biesheuvel	  Note that the use of ESSIV is not recommended for new deployments,
547be1eb7f7SArd Biesheuvel	  and so this only needs to be enabled when interoperability with
548be1eb7f7SArd Biesheuvel	  existing encrypted volumes of filesystems is required, or when
549be1eb7f7SArd Biesheuvel	  building for a particular system that requires it (e.g., when
550be1eb7f7SArd Biesheuvel	  the SoC in question has accelerated CBC but not XTS, making CBC
551be1eb7f7SArd Biesheuvel	  combined with ESSIV the only feasible mode for h/w accelerated
552be1eb7f7SArd Biesheuvel	  block encryption)
553be1eb7f7SArd Biesheuvel
554584fffc8SSebastian Siewiorcomment "Hash modes"
555584fffc8SSebastian Siewior
55693b5e86aSJussi Kivilinnaconfig CRYPTO_CMAC
55793b5e86aSJussi Kivilinna	tristate "CMAC support"
55893b5e86aSJussi Kivilinna	select CRYPTO_HASH
55993b5e86aSJussi Kivilinna	select CRYPTO_MANAGER
56093b5e86aSJussi Kivilinna	help
56193b5e86aSJussi Kivilinna	  Cipher-based Message Authentication Code (CMAC) specified by
56293b5e86aSJussi Kivilinna	  The National Institute of Standards and Technology (NIST).
56393b5e86aSJussi Kivilinna
56493b5e86aSJussi Kivilinna	  https://tools.ietf.org/html/rfc4493
56593b5e86aSJussi Kivilinna	  http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf
56693b5e86aSJussi Kivilinna
5671da177e4SLinus Torvaldsconfig CRYPTO_HMAC
5688425165dSHerbert Xu	tristate "HMAC support"
5690796ae06SHerbert Xu	select CRYPTO_HASH
57043518407SHerbert Xu	select CRYPTO_MANAGER
5711da177e4SLinus Torvalds	help
5721da177e4SLinus Torvalds	  HMAC: Keyed-Hashing for Message Authentication (RFC2104).
5731da177e4SLinus Torvalds	  This is required for IPSec.
5741da177e4SLinus Torvalds
575333b0d7eSKazunori MIYAZAWAconfig CRYPTO_XCBC
576333b0d7eSKazunori MIYAZAWA	tristate "XCBC support"
577333b0d7eSKazunori MIYAZAWA	select CRYPTO_HASH
578333b0d7eSKazunori MIYAZAWA	select CRYPTO_MANAGER
579333b0d7eSKazunori MIYAZAWA	help
580333b0d7eSKazunori MIYAZAWA	  XCBC: Keyed-Hashing with encryption algorithm
5819332a9e7SAlexander A. Klimov		https://www.ietf.org/rfc/rfc3566.txt
582333b0d7eSKazunori MIYAZAWA		http://csrc.nist.gov/encryption/modes/proposedmodes/
583333b0d7eSKazunori MIYAZAWA		 xcbc-mac/xcbc-mac-spec.pdf
584333b0d7eSKazunori MIYAZAWA
585f1939f7cSShane Wangconfig CRYPTO_VMAC
586f1939f7cSShane Wang	tristate "VMAC support"
587f1939f7cSShane Wang	select CRYPTO_HASH
588f1939f7cSShane Wang	select CRYPTO_MANAGER
589f1939f7cSShane Wang	help
590f1939f7cSShane Wang	  VMAC is a message authentication algorithm designed for
591f1939f7cSShane Wang	  very high speed on 64-bit architectures.
592f1939f7cSShane Wang
593f1939f7cSShane Wang	  See also:
5949332a9e7SAlexander A. Klimov	  <https://fastcrypto.org/vmac>
595f1939f7cSShane Wang
596584fffc8SSebastian Siewiorcomment "Digest"
597584fffc8SSebastian Siewior
598584fffc8SSebastian Siewiorconfig CRYPTO_CRC32C
599584fffc8SSebastian Siewior	tristate "CRC32c CRC algorithm"
6005773a3e6SHerbert Xu	select CRYPTO_HASH
6016a0962b2SDarrick J. Wong	select CRC32
6021da177e4SLinus Torvalds	help
603584fffc8SSebastian Siewior	  Castagnoli, et al Cyclic Redundancy-Check Algorithm.  Used
604584fffc8SSebastian Siewior	  by iSCSI for header and data digests and by others.
60569c35efcSHerbert Xu	  See Castagnoli93.  Module will be crc32c.
6061da177e4SLinus Torvalds
6078cb51ba8SAustin Zhangconfig CRYPTO_CRC32C_INTEL
6088cb51ba8SAustin Zhang	tristate "CRC32c INTEL hardware acceleration"
6098cb51ba8SAustin Zhang	depends on X86
6108cb51ba8SAustin Zhang	select CRYPTO_HASH
6118cb51ba8SAustin Zhang	help
6128cb51ba8SAustin Zhang	  In Intel processor with SSE4.2 supported, the processor will
6138cb51ba8SAustin Zhang	  support CRC32C implementation using hardware accelerated CRC32
6148cb51ba8SAustin Zhang	  instruction. This option will create 'crc32c-intel' module,
6158cb51ba8SAustin Zhang	  which will enable any routine to use the CRC32 instruction to
6168cb51ba8SAustin Zhang	  gain performance compared with software implementation.
6178cb51ba8SAustin Zhang	  Module will be crc32c-intel.
6188cb51ba8SAustin Zhang
6197cf31864SJean Delvareconfig CRYPTO_CRC32C_VPMSUM
6206dd7a82cSAnton Blanchard	tristate "CRC32c CRC algorithm (powerpc64)"
621c12abf34SMichael Ellerman	depends on PPC64 && ALTIVEC
6226dd7a82cSAnton Blanchard	select CRYPTO_HASH
6236dd7a82cSAnton Blanchard	select CRC32
6246dd7a82cSAnton Blanchard	help
6256dd7a82cSAnton Blanchard	  CRC32c algorithm implemented using vector polynomial multiply-sum
6266dd7a82cSAnton Blanchard	  (vpmsum) instructions, introduced in POWER8. Enable on POWER8
6276dd7a82cSAnton Blanchard	  and newer processors for improved performance.
6286dd7a82cSAnton Blanchard
6296dd7a82cSAnton Blanchard
630442a7c40SDavid S. Millerconfig CRYPTO_CRC32C_SPARC64
631442a7c40SDavid S. Miller	tristate "CRC32c CRC algorithm (SPARC64)"
632442a7c40SDavid S. Miller	depends on SPARC64
633442a7c40SDavid S. Miller	select CRYPTO_HASH
634442a7c40SDavid S. Miller	select CRC32
635442a7c40SDavid S. Miller	help
636442a7c40SDavid S. Miller	  CRC32c CRC algorithm implemented using sparc64 crypto instructions,
637442a7c40SDavid S. Miller	  when available.
638442a7c40SDavid S. Miller
63978c37d19SAlexander Boykoconfig CRYPTO_CRC32
64078c37d19SAlexander Boyko	tristate "CRC32 CRC algorithm"
64178c37d19SAlexander Boyko	select CRYPTO_HASH
64278c37d19SAlexander Boyko	select CRC32
64378c37d19SAlexander Boyko	help
64478c37d19SAlexander Boyko	  CRC-32-IEEE 802.3 cyclic redundancy-check algorithm.
64578c37d19SAlexander Boyko	  Shash crypto api wrappers to crc32_le function.
64678c37d19SAlexander Boyko
64778c37d19SAlexander Boykoconfig CRYPTO_CRC32_PCLMUL
64878c37d19SAlexander Boyko	tristate "CRC32 PCLMULQDQ hardware acceleration"
64978c37d19SAlexander Boyko	depends on X86
65078c37d19SAlexander Boyko	select CRYPTO_HASH
65178c37d19SAlexander Boyko	select CRC32
65278c37d19SAlexander Boyko	help
65378c37d19SAlexander Boyko	  From Intel Westmere and AMD Bulldozer processor with SSE4.2
65478c37d19SAlexander Boyko	  and PCLMULQDQ supported, the processor will support
65578c37d19SAlexander Boyko	  CRC32 PCLMULQDQ implementation using hardware accelerated PCLMULQDQ
656af8cb01fShaco	  instruction. This option will create 'crc32-pclmul' module,
65778c37d19SAlexander Boyko	  which will enable any routine to use the CRC-32-IEEE 802.3 checksum
65878c37d19SAlexander Boyko	  and gain better performance as compared with the table implementation.
65978c37d19SAlexander Boyko
6604a5dc51eSMarcin Nowakowskiconfig CRYPTO_CRC32_MIPS
6614a5dc51eSMarcin Nowakowski	tristate "CRC32c and CRC32 CRC algorithm (MIPS)"
6624a5dc51eSMarcin Nowakowski	depends on MIPS_CRC_SUPPORT
6634a5dc51eSMarcin Nowakowski	select CRYPTO_HASH
6644a5dc51eSMarcin Nowakowski	help
6654a5dc51eSMarcin Nowakowski	  CRC32c and CRC32 CRC algorithms implemented using mips crypto
6664a5dc51eSMarcin Nowakowski	  instructions, when available.
6674a5dc51eSMarcin Nowakowski
6684a5dc51eSMarcin Nowakowski
66967882e76SNikolay Borisovconfig CRYPTO_XXHASH
67067882e76SNikolay Borisov	tristate "xxHash hash algorithm"
67167882e76SNikolay Borisov	select CRYPTO_HASH
67267882e76SNikolay Borisov	select XXHASH
67367882e76SNikolay Borisov	help
67467882e76SNikolay Borisov	  xxHash non-cryptographic hash algorithm. Extremely fast, working at
67567882e76SNikolay Borisov	  speeds close to RAM limits.
67667882e76SNikolay Borisov
67791d68933SDavid Sterbaconfig CRYPTO_BLAKE2B
67891d68933SDavid Sterba	tristate "BLAKE2b digest algorithm"
67991d68933SDavid Sterba	select CRYPTO_HASH
68091d68933SDavid Sterba	help
68191d68933SDavid Sterba	  Implementation of cryptographic hash function BLAKE2b (or just BLAKE2),
68291d68933SDavid Sterba	  optimized for 64bit platforms and can produce digests of any size
68391d68933SDavid Sterba	  between 1 to 64.  The keyed hash is also implemented.
68491d68933SDavid Sterba
68591d68933SDavid Sterba	  This module provides the following algorithms:
68691d68933SDavid Sterba
68791d68933SDavid Sterba	  - blake2b-160
68891d68933SDavid Sterba	  - blake2b-256
68991d68933SDavid Sterba	  - blake2b-384
69091d68933SDavid Sterba	  - blake2b-512
69191d68933SDavid Sterba
69291d68933SDavid Sterba	  See https://blake2.net for further information.
69391d68933SDavid Sterba
6947f9b0880SArd Biesheuvelconfig CRYPTO_BLAKE2S
6957f9b0880SArd Biesheuvel	tristate "BLAKE2s digest algorithm"
6967f9b0880SArd Biesheuvel	select CRYPTO_LIB_BLAKE2S_GENERIC
6977f9b0880SArd Biesheuvel	select CRYPTO_HASH
6987f9b0880SArd Biesheuvel	help
6997f9b0880SArd Biesheuvel	  Implementation of cryptographic hash function BLAKE2s
7007f9b0880SArd Biesheuvel	  optimized for 8-32bit platforms and can produce digests of any size
7017f9b0880SArd Biesheuvel	  between 1 to 32.  The keyed hash is also implemented.
7027f9b0880SArd Biesheuvel
7037f9b0880SArd Biesheuvel	  This module provides the following algorithms:
7047f9b0880SArd Biesheuvel
7057f9b0880SArd Biesheuvel	  - blake2s-128
7067f9b0880SArd Biesheuvel	  - blake2s-160
7077f9b0880SArd Biesheuvel	  - blake2s-224
7087f9b0880SArd Biesheuvel	  - blake2s-256
7097f9b0880SArd Biesheuvel
7107f9b0880SArd Biesheuvel	  See https://blake2.net for further information.
7117f9b0880SArd Biesheuvel
712ed0356edSJason A. Donenfeldconfig CRYPTO_BLAKE2S_X86
713ed0356edSJason A. Donenfeld	tristate "BLAKE2s digest algorithm (x86 accelerated version)"
714ed0356edSJason A. Donenfeld	depends on X86 && 64BIT
715ed0356edSJason A. Donenfeld	select CRYPTO_LIB_BLAKE2S_GENERIC
716ed0356edSJason A. Donenfeld	select CRYPTO_ARCH_HAVE_LIB_BLAKE2S
717ed0356edSJason A. Donenfeld
71868411521SHerbert Xuconfig CRYPTO_CRCT10DIF
71968411521SHerbert Xu	tristate "CRCT10DIF algorithm"
72068411521SHerbert Xu	select CRYPTO_HASH
72168411521SHerbert Xu	help
72268411521SHerbert Xu	  CRC T10 Data Integrity Field computation is being cast as
72368411521SHerbert Xu	  a crypto transform.  This allows for faster crc t10 diff
72468411521SHerbert Xu	  transforms to be used if they are available.
72568411521SHerbert Xu
72668411521SHerbert Xuconfig CRYPTO_CRCT10DIF_PCLMUL
72768411521SHerbert Xu	tristate "CRCT10DIF PCLMULQDQ hardware acceleration"
72868411521SHerbert Xu	depends on X86 && 64BIT && CRC_T10DIF
72968411521SHerbert Xu	select CRYPTO_HASH
73068411521SHerbert Xu	help
73168411521SHerbert Xu	  For x86_64 processors with SSE4.2 and PCLMULQDQ supported,
73268411521SHerbert Xu	  CRC T10 DIF PCLMULQDQ computation can be hardware
73368411521SHerbert Xu	  accelerated PCLMULQDQ instruction. This option will create
734af8cb01fShaco	  'crct10dif-pclmul' module, which is faster when computing the
73568411521SHerbert Xu	  crct10dif checksum as compared with the generic table implementation.
73668411521SHerbert Xu
737b01df1c1SDaniel Axtensconfig CRYPTO_CRCT10DIF_VPMSUM
738b01df1c1SDaniel Axtens	tristate "CRC32T10DIF powerpc64 hardware acceleration"
739b01df1c1SDaniel Axtens	depends on PPC64 && ALTIVEC && CRC_T10DIF
740b01df1c1SDaniel Axtens	select CRYPTO_HASH
741b01df1c1SDaniel Axtens	help
742b01df1c1SDaniel Axtens	  CRC10T10DIF algorithm implemented using vector polynomial
743b01df1c1SDaniel Axtens	  multiply-sum (vpmsum) instructions, introduced in POWER8. Enable on
744b01df1c1SDaniel Axtens	  POWER8 and newer processors for improved performance.
745b01df1c1SDaniel Axtens
746f3813f4bSKeith Buschconfig CRYPTO_CRC64_ROCKSOFT
747f3813f4bSKeith Busch	tristate "Rocksoft Model CRC64 algorithm"
748f3813f4bSKeith Busch	depends on CRC64
749f3813f4bSKeith Busch	select CRYPTO_HASH
750f3813f4bSKeith Busch
751146c8688SDaniel Axtensconfig CRYPTO_VPMSUM_TESTER
752146c8688SDaniel Axtens	tristate "Powerpc64 vpmsum hardware acceleration tester"
753146c8688SDaniel Axtens	depends on CRYPTO_CRCT10DIF_VPMSUM && CRYPTO_CRC32C_VPMSUM
754146c8688SDaniel Axtens	help
755146c8688SDaniel Axtens	  Stress test for CRC32c and CRC-T10DIF algorithms implemented with
756146c8688SDaniel Axtens	  POWER8 vpmsum instructions.
757146c8688SDaniel Axtens	  Unless you are testing these algorithms, you don't need this.
758146c8688SDaniel Axtens
7592cdc6899SHuang Yingconfig CRYPTO_GHASH
7608dfa20fcSEric Biggers	tristate "GHASH hash function"
7612cdc6899SHuang Ying	select CRYPTO_GF128MUL
762578c60fbSArnd Bergmann	select CRYPTO_HASH
7632cdc6899SHuang Ying	help
7648dfa20fcSEric Biggers	  GHASH is the hash function used in GCM (Galois/Counter Mode).
7658dfa20fcSEric Biggers	  It is not a general-purpose cryptographic hash function.
7662cdc6899SHuang Ying
767f979e014SMartin Williconfig CRYPTO_POLY1305
768f979e014SMartin Willi	tristate "Poly1305 authenticator algorithm"
769578c60fbSArnd Bergmann	select CRYPTO_HASH
77048ea8c6eSArd Biesheuvel	select CRYPTO_LIB_POLY1305_GENERIC
771f979e014SMartin Willi	help
772f979e014SMartin Willi	  Poly1305 authenticator algorithm, RFC7539.
773f979e014SMartin Willi
774f979e014SMartin Willi	  Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
775f979e014SMartin Willi	  It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
776f979e014SMartin Willi	  in IETF protocols. This is the portable C implementation of Poly1305.
777f979e014SMartin Willi
778c70f4abeSMartin Williconfig CRYPTO_POLY1305_X86_64
779b1ccc8f4SMartin Willi	tristate "Poly1305 authenticator algorithm (x86_64/SSE2/AVX2)"
780c70f4abeSMartin Willi	depends on X86 && 64BIT
7811b2c6a51SArd Biesheuvel	select CRYPTO_LIB_POLY1305_GENERIC
782f0e89bcfSArd Biesheuvel	select CRYPTO_ARCH_HAVE_LIB_POLY1305
783c70f4abeSMartin Willi	help
784c70f4abeSMartin Willi	  Poly1305 authenticator algorithm, RFC7539.
785c70f4abeSMartin Willi
786c70f4abeSMartin Willi	  Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
787c70f4abeSMartin Willi	  It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
788c70f4abeSMartin Willi	  in IETF protocols. This is the x86_64 assembler implementation using SIMD
789c70f4abeSMartin Willi	  instructions.
790c70f4abeSMartin Willi
791a11d055eSArd Biesheuvelconfig CRYPTO_POLY1305_MIPS
792a11d055eSArd Biesheuvel	tristate "Poly1305 authenticator algorithm (MIPS optimized)"
7936c810cf2SMaciej W. Rozycki	depends on MIPS
794a11d055eSArd Biesheuvel	select CRYPTO_ARCH_HAVE_LIB_POLY1305
795a11d055eSArd Biesheuvel
7961da177e4SLinus Torvaldsconfig CRYPTO_MD4
7971da177e4SLinus Torvalds	tristate "MD4 digest algorithm"
798808a1763SAdrian-Ken Rueegsegger	select CRYPTO_HASH
7991da177e4SLinus Torvalds	help
8001da177e4SLinus Torvalds	  MD4 message digest algorithm (RFC1320).
8011da177e4SLinus Torvalds
8021da177e4SLinus Torvaldsconfig CRYPTO_MD5
8031da177e4SLinus Torvalds	tristate "MD5 digest algorithm"
80414b75ba7SAdrian-Ken Rueegsegger	select CRYPTO_HASH
8051da177e4SLinus Torvalds	help
8061da177e4SLinus Torvalds	  MD5 message digest algorithm (RFC1321).
8071da177e4SLinus Torvalds
808d69e75deSAaro Koskinenconfig CRYPTO_MD5_OCTEON
809d69e75deSAaro Koskinen	tristate "MD5 digest algorithm (OCTEON)"
810d69e75deSAaro Koskinen	depends on CPU_CAVIUM_OCTEON
811d69e75deSAaro Koskinen	select CRYPTO_MD5
812d69e75deSAaro Koskinen	select CRYPTO_HASH
813d69e75deSAaro Koskinen	help
814d69e75deSAaro Koskinen	  MD5 message digest algorithm (RFC1321) implemented
815d69e75deSAaro Koskinen	  using OCTEON crypto instructions, when available.
816d69e75deSAaro Koskinen
817e8e59953SMarkus Stockhausenconfig CRYPTO_MD5_PPC
818e8e59953SMarkus Stockhausen	tristate "MD5 digest algorithm (PPC)"
819e8e59953SMarkus Stockhausen	depends on PPC
820e8e59953SMarkus Stockhausen	select CRYPTO_HASH
821e8e59953SMarkus Stockhausen	help
822e8e59953SMarkus Stockhausen	  MD5 message digest algorithm (RFC1321) implemented
823e8e59953SMarkus Stockhausen	  in PPC assembler.
824e8e59953SMarkus Stockhausen
825fa4dfedcSDavid S. Millerconfig CRYPTO_MD5_SPARC64
826fa4dfedcSDavid S. Miller	tristate "MD5 digest algorithm (SPARC64)"
827fa4dfedcSDavid S. Miller	depends on SPARC64
828fa4dfedcSDavid S. Miller	select CRYPTO_MD5
829fa4dfedcSDavid S. Miller	select CRYPTO_HASH
830fa4dfedcSDavid S. Miller	help
831fa4dfedcSDavid S. Miller	  MD5 message digest algorithm (RFC1321) implemented
832fa4dfedcSDavid S. Miller	  using sparc64 crypto instructions, when available.
833fa4dfedcSDavid S. Miller
834584fffc8SSebastian Siewiorconfig CRYPTO_MICHAEL_MIC
835584fffc8SSebastian Siewior	tristate "Michael MIC keyed digest algorithm"
83619e2bf14SAdrian-Ken Rueegsegger	select CRYPTO_HASH
837584fffc8SSebastian Siewior	help
838584fffc8SSebastian Siewior	  Michael MIC is used for message integrity protection in TKIP
839584fffc8SSebastian Siewior	  (IEEE 802.11i). This algorithm is required for TKIP, but it
840584fffc8SSebastian Siewior	  should not be used for other purposes because of the weakness
841584fffc8SSebastian Siewior	  of the algorithm.
842584fffc8SSebastian Siewior
84382798f90SAdrian-Ken Rueegseggerconfig CRYPTO_RMD160
84482798f90SAdrian-Ken Rueegsegger	tristate "RIPEMD-160 digest algorithm"
845e5835fbaSHerbert Xu	select CRYPTO_HASH
84682798f90SAdrian-Ken Rueegsegger	help
84782798f90SAdrian-Ken Rueegsegger	  RIPEMD-160 (ISO/IEC 10118-3:2004).
84882798f90SAdrian-Ken Rueegsegger
84982798f90SAdrian-Ken Rueegsegger	  RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
85082798f90SAdrian-Ken Rueegsegger	  to be used as a secure replacement for the 128-bit hash functions
851b6d44341SAdrian Bunk	  MD4, MD5 and it's predecessor RIPEMD
852b6d44341SAdrian Bunk	  (not to be confused with RIPEMD-128).
85382798f90SAdrian-Ken Rueegsegger
854b6d44341SAdrian Bunk	  It's speed is comparable to SHA1 and there are no known attacks
855b6d44341SAdrian Bunk	  against RIPEMD-160.
856534fe2c1SAdrian-Ken Rueegsegger
857534fe2c1SAdrian-Ken Rueegsegger	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
8589332a9e7SAlexander A. Klimov	  See <https://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
859534fe2c1SAdrian-Ken Rueegsegger
8601da177e4SLinus Torvaldsconfig CRYPTO_SHA1
8611da177e4SLinus Torvalds	tristate "SHA1 digest algorithm"
86254ccb367SAdrian-Ken Rueegsegger	select CRYPTO_HASH
8631da177e4SLinus Torvalds	help
8641da177e4SLinus Torvalds	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2).
8651da177e4SLinus Torvalds
86666be8951SMathias Krauseconfig CRYPTO_SHA1_SSSE3
867e38b6b7fStim	tristate "SHA1 digest algorithm (SSSE3/AVX/AVX2/SHA-NI)"
86866be8951SMathias Krause	depends on X86 && 64BIT
86966be8951SMathias Krause	select CRYPTO_SHA1
87066be8951SMathias Krause	select CRYPTO_HASH
87166be8951SMathias Krause	help
87266be8951SMathias Krause	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
87366be8951SMathias Krause	  using Supplemental SSE3 (SSSE3) instructions or Advanced Vector
874e38b6b7fStim	  Extensions (AVX/AVX2) or SHA-NI(SHA Extensions New Instructions),
875e38b6b7fStim	  when available.
87666be8951SMathias Krause
8778275d1aaSTim Chenconfig CRYPTO_SHA256_SSSE3
878e38b6b7fStim	tristate "SHA256 digest algorithm (SSSE3/AVX/AVX2/SHA-NI)"
8798275d1aaSTim Chen	depends on X86 && 64BIT
8808275d1aaSTim Chen	select CRYPTO_SHA256
8818275d1aaSTim Chen	select CRYPTO_HASH
8828275d1aaSTim Chen	help
8838275d1aaSTim Chen	  SHA-256 secure hash standard (DFIPS 180-2) implemented
8848275d1aaSTim Chen	  using Supplemental SSE3 (SSSE3) instructions, or Advanced Vector
8858275d1aaSTim Chen	  Extensions version 1 (AVX1), or Advanced Vector Extensions
886e38b6b7fStim	  version 2 (AVX2) instructions, or SHA-NI (SHA Extensions New
887e38b6b7fStim	  Instructions) when available.
8888275d1aaSTim Chen
88987de4579STim Chenconfig CRYPTO_SHA512_SSSE3
89087de4579STim Chen	tristate "SHA512 digest algorithm (SSSE3/AVX/AVX2)"
89187de4579STim Chen	depends on X86 && 64BIT
89287de4579STim Chen	select CRYPTO_SHA512
89387de4579STim Chen	select CRYPTO_HASH
89487de4579STim Chen	help
89587de4579STim Chen	  SHA-512 secure hash standard (DFIPS 180-2) implemented
89687de4579STim Chen	  using Supplemental SSE3 (SSSE3) instructions, or Advanced Vector
89787de4579STim Chen	  Extensions version 1 (AVX1), or Advanced Vector Extensions
89887de4579STim Chen	  version 2 (AVX2) instructions, when available.
89987de4579STim Chen
900efdb6f6eSAaro Koskinenconfig CRYPTO_SHA1_OCTEON
901efdb6f6eSAaro Koskinen	tristate "SHA1 digest algorithm (OCTEON)"
902efdb6f6eSAaro Koskinen	depends on CPU_CAVIUM_OCTEON
903efdb6f6eSAaro Koskinen	select CRYPTO_SHA1
904efdb6f6eSAaro Koskinen	select CRYPTO_HASH
905efdb6f6eSAaro Koskinen	help
906efdb6f6eSAaro Koskinen	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
907efdb6f6eSAaro Koskinen	  using OCTEON crypto instructions, when available.
908efdb6f6eSAaro Koskinen
9094ff28d4cSDavid S. Millerconfig CRYPTO_SHA1_SPARC64
9104ff28d4cSDavid S. Miller	tristate "SHA1 digest algorithm (SPARC64)"
9114ff28d4cSDavid S. Miller	depends on SPARC64
9124ff28d4cSDavid S. Miller	select CRYPTO_SHA1
9134ff28d4cSDavid S. Miller	select CRYPTO_HASH
9144ff28d4cSDavid S. Miller	help
9154ff28d4cSDavid S. Miller	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
9164ff28d4cSDavid S. Miller	  using sparc64 crypto instructions, when available.
9174ff28d4cSDavid S. Miller
918323a6bf1SMichael Ellermanconfig CRYPTO_SHA1_PPC
919323a6bf1SMichael Ellerman	tristate "SHA1 digest algorithm (powerpc)"
920323a6bf1SMichael Ellerman	depends on PPC
921323a6bf1SMichael Ellerman	help
922323a6bf1SMichael Ellerman	  This is the powerpc hardware accelerated implementation of the
923323a6bf1SMichael Ellerman	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2).
924323a6bf1SMichael Ellerman
925d9850fc5SMarkus Stockhausenconfig CRYPTO_SHA1_PPC_SPE
926d9850fc5SMarkus Stockhausen	tristate "SHA1 digest algorithm (PPC SPE)"
927d9850fc5SMarkus Stockhausen	depends on PPC && SPE
928d9850fc5SMarkus Stockhausen	help
929d9850fc5SMarkus Stockhausen	  SHA-1 secure hash standard (DFIPS 180-4) implemented
930d9850fc5SMarkus Stockhausen	  using powerpc SPE SIMD instruction set.
931d9850fc5SMarkus Stockhausen
9321da177e4SLinus Torvaldsconfig CRYPTO_SHA256
933cd12fb90SJonathan Lynch	tristate "SHA224 and SHA256 digest algorithm"
93450e109b5SAdrian-Ken Rueegsegger	select CRYPTO_HASH
93508c327f6SHans de Goede	select CRYPTO_LIB_SHA256
9361da177e4SLinus Torvalds	help
9371da177e4SLinus Torvalds	  SHA256 secure hash standard (DFIPS 180-2).
9381da177e4SLinus Torvalds
9391da177e4SLinus Torvalds	  This version of SHA implements a 256 bit hash with 128 bits of
9401da177e4SLinus Torvalds	  security against collision attacks.
9411da177e4SLinus Torvalds
942cd12fb90SJonathan Lynch	  This code also includes SHA-224, a 224 bit hash with 112 bits
943cd12fb90SJonathan Lynch	  of security against collision attacks.
944cd12fb90SJonathan Lynch
9452ecc1e95SMarkus Stockhausenconfig CRYPTO_SHA256_PPC_SPE
9462ecc1e95SMarkus Stockhausen	tristate "SHA224 and SHA256 digest algorithm (PPC SPE)"
9472ecc1e95SMarkus Stockhausen	depends on PPC && SPE
9482ecc1e95SMarkus Stockhausen	select CRYPTO_SHA256
9492ecc1e95SMarkus Stockhausen	select CRYPTO_HASH
9502ecc1e95SMarkus Stockhausen	help
9512ecc1e95SMarkus Stockhausen	  SHA224 and SHA256 secure hash standard (DFIPS 180-2)
9522ecc1e95SMarkus Stockhausen	  implemented using powerpc SPE SIMD instruction set.
9532ecc1e95SMarkus Stockhausen
954efdb6f6eSAaro Koskinenconfig CRYPTO_SHA256_OCTEON
955efdb6f6eSAaro Koskinen	tristate "SHA224 and SHA256 digest algorithm (OCTEON)"
956efdb6f6eSAaro Koskinen	depends on CPU_CAVIUM_OCTEON
957efdb6f6eSAaro Koskinen	select CRYPTO_SHA256
958efdb6f6eSAaro Koskinen	select CRYPTO_HASH
959efdb6f6eSAaro Koskinen	help
960efdb6f6eSAaro Koskinen	  SHA-256 secure hash standard (DFIPS 180-2) implemented
961efdb6f6eSAaro Koskinen	  using OCTEON crypto instructions, when available.
962efdb6f6eSAaro Koskinen
96386c93b24SDavid S. Millerconfig CRYPTO_SHA256_SPARC64
96486c93b24SDavid S. Miller	tristate "SHA224 and SHA256 digest algorithm (SPARC64)"
96586c93b24SDavid S. Miller	depends on SPARC64
96686c93b24SDavid S. Miller	select CRYPTO_SHA256
96786c93b24SDavid S. Miller	select CRYPTO_HASH
96886c93b24SDavid S. Miller	help
96986c93b24SDavid S. Miller	  SHA-256 secure hash standard (DFIPS 180-2) implemented
97086c93b24SDavid S. Miller	  using sparc64 crypto instructions, when available.
97186c93b24SDavid S. Miller
9721da177e4SLinus Torvaldsconfig CRYPTO_SHA512
9731da177e4SLinus Torvalds	tristate "SHA384 and SHA512 digest algorithms"
974bd9d20dbSAdrian-Ken Rueegsegger	select CRYPTO_HASH
9751da177e4SLinus Torvalds	help
9761da177e4SLinus Torvalds	  SHA512 secure hash standard (DFIPS 180-2).
9771da177e4SLinus Torvalds
9781da177e4SLinus Torvalds	  This version of SHA implements a 512 bit hash with 256 bits of
9791da177e4SLinus Torvalds	  security against collision attacks.
9801da177e4SLinus Torvalds
9811da177e4SLinus Torvalds	  This code also includes SHA-384, a 384 bit hash with 192 bits
9821da177e4SLinus Torvalds	  of security against collision attacks.
9831da177e4SLinus Torvalds
984efdb6f6eSAaro Koskinenconfig CRYPTO_SHA512_OCTEON
985efdb6f6eSAaro Koskinen	tristate "SHA384 and SHA512 digest algorithms (OCTEON)"
986efdb6f6eSAaro Koskinen	depends on CPU_CAVIUM_OCTEON
987efdb6f6eSAaro Koskinen	select CRYPTO_SHA512
988efdb6f6eSAaro Koskinen	select CRYPTO_HASH
989efdb6f6eSAaro Koskinen	help
990efdb6f6eSAaro Koskinen	  SHA-512 secure hash standard (DFIPS 180-2) implemented
991efdb6f6eSAaro Koskinen	  using OCTEON crypto instructions, when available.
992efdb6f6eSAaro Koskinen
993775e0c69SDavid S. Millerconfig CRYPTO_SHA512_SPARC64
994775e0c69SDavid S. Miller	tristate "SHA384 and SHA512 digest algorithm (SPARC64)"
995775e0c69SDavid S. Miller	depends on SPARC64
996775e0c69SDavid S. Miller	select CRYPTO_SHA512
997775e0c69SDavid S. Miller	select CRYPTO_HASH
998775e0c69SDavid S. Miller	help
999775e0c69SDavid S. Miller	  SHA-512 secure hash standard (DFIPS 180-2) implemented
1000775e0c69SDavid S. Miller	  using sparc64 crypto instructions, when available.
1001775e0c69SDavid S. Miller
100253964b9eSJeff Garzikconfig CRYPTO_SHA3
100353964b9eSJeff Garzik	tristate "SHA3 digest algorithm"
100453964b9eSJeff Garzik	select CRYPTO_HASH
100553964b9eSJeff Garzik	help
100653964b9eSJeff Garzik	  SHA-3 secure hash standard (DFIPS 202). It's based on
100753964b9eSJeff Garzik	  cryptographic sponge function family called Keccak.
100853964b9eSJeff Garzik
100953964b9eSJeff Garzik	  References:
101053964b9eSJeff Garzik	  http://keccak.noekeon.org/
101153964b9eSJeff Garzik
10124f0fc160SGilad Ben-Yossefconfig CRYPTO_SM3
1013*d2825fa9SJason A. Donenfeld	tristate
1014*d2825fa9SJason A. Donenfeld
1015*d2825fa9SJason A. Donenfeldconfig CRYPTO_SM3_GENERIC
10164f0fc160SGilad Ben-Yossef	tristate "SM3 digest algorithm"
10174f0fc160SGilad Ben-Yossef	select CRYPTO_HASH
1018*d2825fa9SJason A. Donenfeld	select CRYPTO_SM3
10194f0fc160SGilad Ben-Yossef	help
10204f0fc160SGilad Ben-Yossef	  SM3 secure hash function as defined by OSCCA GM/T 0004-2012 SM3).
10214f0fc160SGilad Ben-Yossef	  It is part of the Chinese Commercial Cryptography suite.
10224f0fc160SGilad Ben-Yossef
10234f0fc160SGilad Ben-Yossef	  References:
10244f0fc160SGilad Ben-Yossef	  http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
10254f0fc160SGilad Ben-Yossef	  https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
10264f0fc160SGilad Ben-Yossef
1027930ab34dSTianjia Zhangconfig CRYPTO_SM3_AVX_X86_64
1028930ab34dSTianjia Zhang	tristate "SM3 digest algorithm (x86_64/AVX)"
1029930ab34dSTianjia Zhang	depends on X86 && 64BIT
1030930ab34dSTianjia Zhang	select CRYPTO_HASH
1031*d2825fa9SJason A. Donenfeld	select CRYPTO_SM3
1032930ab34dSTianjia Zhang	help
1033930ab34dSTianjia Zhang	  SM3 secure hash function as defined by OSCCA GM/T 0004-2012 SM3).
1034930ab34dSTianjia Zhang	  It is part of the Chinese Commercial Cryptography suite. This is
1035930ab34dSTianjia Zhang	  SM3 optimized implementation using Advanced Vector Extensions (AVX)
1036930ab34dSTianjia Zhang	  when available.
1037930ab34dSTianjia Zhang
1038930ab34dSTianjia Zhang	  If unsure, say N.
1039930ab34dSTianjia Zhang
1040fe18957eSVitaly Chikunovconfig CRYPTO_STREEBOG
1041fe18957eSVitaly Chikunov	tristate "Streebog Hash Function"
1042fe18957eSVitaly Chikunov	select CRYPTO_HASH
1043fe18957eSVitaly Chikunov	help
1044fe18957eSVitaly Chikunov	  Streebog Hash Function (GOST R 34.11-2012, RFC 6986) is one of the Russian
1045fe18957eSVitaly Chikunov	  cryptographic standard algorithms (called GOST algorithms).
1046fe18957eSVitaly Chikunov	  This setting enables two hash algorithms with 256 and 512 bits output.
1047fe18957eSVitaly Chikunov
1048fe18957eSVitaly Chikunov	  References:
1049fe18957eSVitaly Chikunov	  https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1050fe18957eSVitaly Chikunov	  https://tools.ietf.org/html/rfc6986
1051fe18957eSVitaly Chikunov
1052584fffc8SSebastian Siewiorconfig CRYPTO_WP512
1053584fffc8SSebastian Siewior	tristate "Whirlpool digest algorithms"
10544946510bSAdrian-Ken Rueegsegger	select CRYPTO_HASH
10551da177e4SLinus Torvalds	help
1056584fffc8SSebastian Siewior	  Whirlpool hash algorithm 512, 384 and 256-bit hashes
10571da177e4SLinus Torvalds
1058584fffc8SSebastian Siewior	  Whirlpool-512 is part of the NESSIE cryptographic primitives.
1059584fffc8SSebastian Siewior	  Whirlpool will be part of the ISO/IEC 10118-3:2003(E) standard
10601da177e4SLinus Torvalds
10611da177e4SLinus Torvalds	  See also:
10626d8de74cSJustin P. Mattock	  <http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html>
10631da177e4SLinus Torvalds
10640e1227d3SHuang Yingconfig CRYPTO_GHASH_CLMUL_NI_INTEL
10658dfa20fcSEric Biggers	tristate "GHASH hash function (CLMUL-NI accelerated)"
10668af00860SRichard Weinberger	depends on X86 && 64BIT
10670e1227d3SHuang Ying	select CRYPTO_CRYPTD
10680e1227d3SHuang Ying	help
10698dfa20fcSEric Biggers	  This is the x86_64 CLMUL-NI accelerated implementation of
10708dfa20fcSEric Biggers	  GHASH, the hash function used in GCM (Galois/Counter mode).
10710e1227d3SHuang Ying
1072584fffc8SSebastian Siewiorcomment "Ciphers"
10731da177e4SLinus Torvalds
10741da177e4SLinus Torvaldsconfig CRYPTO_AES
10751da177e4SLinus Torvalds	tristate "AES cipher algorithms"
1076cce9e06dSHerbert Xu	select CRYPTO_ALGAPI
10775bb12d78SArd Biesheuvel	select CRYPTO_LIB_AES
10781da177e4SLinus Torvalds	help
10791da177e4SLinus Torvalds	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
10801da177e4SLinus Torvalds	  algorithm.
10811da177e4SLinus Torvalds
10821da177e4SLinus Torvalds	  Rijndael appears to be consistently a very good performer in
10831da177e4SLinus Torvalds	  both hardware and software across a wide range of computing
10841da177e4SLinus Torvalds	  environments regardless of its use in feedback or non-feedback
10851da177e4SLinus Torvalds	  modes. Its key setup time is excellent, and its key agility is
10861da177e4SLinus Torvalds	  good. Rijndael's very low memory requirements make it very well
10871da177e4SLinus Torvalds	  suited for restricted-space environments, in which it also
10881da177e4SLinus Torvalds	  demonstrates excellent performance. Rijndael's operations are
10891da177e4SLinus Torvalds	  among the easiest to defend against power and timing attacks.
10901da177e4SLinus Torvalds
10911da177e4SLinus Torvalds	  The AES specifies three key sizes: 128, 192 and 256 bits
10921da177e4SLinus Torvalds
10931da177e4SLinus Torvalds	  See <http://csrc.nist.gov/CryptoToolkit/aes/> for more information.
10941da177e4SLinus Torvalds
1095b5e0b032SArd Biesheuvelconfig CRYPTO_AES_TI
1096b5e0b032SArd Biesheuvel	tristate "Fixed time AES cipher"
1097b5e0b032SArd Biesheuvel	select CRYPTO_ALGAPI
1098e59c1c98SArd Biesheuvel	select CRYPTO_LIB_AES
1099b5e0b032SArd Biesheuvel	help
1100b5e0b032SArd Biesheuvel	  This is a generic implementation of AES that attempts to eliminate
1101b5e0b032SArd Biesheuvel	  data dependent latencies as much as possible without affecting
1102b5e0b032SArd Biesheuvel	  performance too much. It is intended for use by the generic CCM
1103b5e0b032SArd Biesheuvel	  and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
1104b5e0b032SArd Biesheuvel	  solely on encryption (although decryption is supported as well, but
1105b5e0b032SArd Biesheuvel	  with a more dramatic performance hit)
1106b5e0b032SArd Biesheuvel
1107b5e0b032SArd Biesheuvel	  Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
1108b5e0b032SArd Biesheuvel	  8 for decryption), this implementation only uses just two S-boxes of
1109b5e0b032SArd Biesheuvel	  256 bytes each, and attempts to eliminate data dependent latencies by
1110b5e0b032SArd Biesheuvel	  prefetching the entire table into the cache at the start of each
11110a6a40c2SEric Biggers	  block. Interrupts are also disabled to avoid races where cachelines
11120a6a40c2SEric Biggers	  are evicted when the CPU is interrupted to do something else.
1113b5e0b032SArd Biesheuvel
111454b6a1bdSHuang Yingconfig CRYPTO_AES_NI_INTEL
111554b6a1bdSHuang Ying	tristate "AES cipher algorithms (AES-NI)"
11168af00860SRichard Weinberger	depends on X86
111785671860SHerbert Xu	select CRYPTO_AEAD
11182c53fd11SArd Biesheuvel	select CRYPTO_LIB_AES
111954b6a1bdSHuang Ying	select CRYPTO_ALGAPI
1120b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
112185671860SHerbert Xu	select CRYPTO_SIMD
112254b6a1bdSHuang Ying	help
112354b6a1bdSHuang Ying	  Use Intel AES-NI instructions for AES algorithm.
112454b6a1bdSHuang Ying
112554b6a1bdSHuang Ying	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
112654b6a1bdSHuang Ying	  algorithm.
112754b6a1bdSHuang Ying
112854b6a1bdSHuang Ying	  Rijndael appears to be consistently a very good performer in
112954b6a1bdSHuang Ying	  both hardware and software across a wide range of computing
113054b6a1bdSHuang Ying	  environments regardless of its use in feedback or non-feedback
113154b6a1bdSHuang Ying	  modes. Its key setup time is excellent, and its key agility is
113254b6a1bdSHuang Ying	  good. Rijndael's very low memory requirements make it very well
113354b6a1bdSHuang Ying	  suited for restricted-space environments, in which it also
113454b6a1bdSHuang Ying	  demonstrates excellent performance. Rijndael's operations are
113554b6a1bdSHuang Ying	  among the easiest to defend against power and timing attacks.
113654b6a1bdSHuang Ying
113754b6a1bdSHuang Ying	  The AES specifies three key sizes: 128, 192 and 256 bits
113854b6a1bdSHuang Ying
113954b6a1bdSHuang Ying	  See <http://csrc.nist.gov/encryption/aes/> for more information.
114054b6a1bdSHuang Ying
11410d258efbSMathias Krause	  In addition to AES cipher algorithm support, the acceleration
11420d258efbSMathias Krause	  for some popular block cipher mode is supported too, including
1143944585a6SArd Biesheuvel	  ECB, CBC, LRW, XTS. The 64 bit version has additional
11440d258efbSMathias Krause	  acceleration for CTR.
11452cf4ac8bSHuang Ying
11469bf4852dSDavid S. Millerconfig CRYPTO_AES_SPARC64
11479bf4852dSDavid S. Miller	tristate "AES cipher algorithms (SPARC64)"
11489bf4852dSDavid S. Miller	depends on SPARC64
1149b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
11509bf4852dSDavid S. Miller	help
11519bf4852dSDavid S. Miller	  Use SPARC64 crypto opcodes for AES algorithm.
11529bf4852dSDavid S. Miller
11539bf4852dSDavid S. Miller	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
11549bf4852dSDavid S. Miller	  algorithm.
11559bf4852dSDavid S. Miller
11569bf4852dSDavid S. Miller	  Rijndael appears to be consistently a very good performer in
11579bf4852dSDavid S. Miller	  both hardware and software across a wide range of computing
11589bf4852dSDavid S. Miller	  environments regardless of its use in feedback or non-feedback
11599bf4852dSDavid S. Miller	  modes. Its key setup time is excellent, and its key agility is
11609bf4852dSDavid S. Miller	  good. Rijndael's very low memory requirements make it very well
11619bf4852dSDavid S. Miller	  suited for restricted-space environments, in which it also
11629bf4852dSDavid S. Miller	  demonstrates excellent performance. Rijndael's operations are
11639bf4852dSDavid S. Miller	  among the easiest to defend against power and timing attacks.
11649bf4852dSDavid S. Miller
11659bf4852dSDavid S. Miller	  The AES specifies three key sizes: 128, 192 and 256 bits
11669bf4852dSDavid S. Miller
11679bf4852dSDavid S. Miller	  See <http://csrc.nist.gov/encryption/aes/> for more information.
11689bf4852dSDavid S. Miller
11699bf4852dSDavid S. Miller	  In addition to AES cipher algorithm support, the acceleration
11709bf4852dSDavid S. Miller	  for some popular block cipher mode is supported too, including
11719bf4852dSDavid S. Miller	  ECB and CBC.
11729bf4852dSDavid S. Miller
1173504c6143SMarkus Stockhausenconfig CRYPTO_AES_PPC_SPE
1174504c6143SMarkus Stockhausen	tristate "AES cipher algorithms (PPC SPE)"
1175504c6143SMarkus Stockhausen	depends on PPC && SPE
1176b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
1177504c6143SMarkus Stockhausen	help
1178504c6143SMarkus Stockhausen	  AES cipher algorithms (FIPS-197). Additionally the acceleration
1179504c6143SMarkus Stockhausen	  for popular block cipher modes ECB, CBC, CTR and XTS is supported.
1180504c6143SMarkus Stockhausen	  This module should only be used for low power (router) devices
1181504c6143SMarkus Stockhausen	  without hardware AES acceleration (e.g. caam crypto). It reduces the
1182504c6143SMarkus Stockhausen	  size of the AES tables from 16KB to 8KB + 256 bytes and mitigates
1183504c6143SMarkus Stockhausen	  timining attacks. Nevertheless it might be not as secure as other
1184504c6143SMarkus Stockhausen	  architecture specific assembler implementations that work on 1KB
1185504c6143SMarkus Stockhausen	  tables or 256 bytes S-boxes.
1186504c6143SMarkus Stockhausen
11871da177e4SLinus Torvaldsconfig CRYPTO_ANUBIS
11881da177e4SLinus Torvalds	tristate "Anubis cipher algorithm"
11891674aea5SArd Biesheuvel	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1190cce9e06dSHerbert Xu	select CRYPTO_ALGAPI
11911da177e4SLinus Torvalds	help
11921da177e4SLinus Torvalds	  Anubis cipher algorithm.
11931da177e4SLinus Torvalds
11941da177e4SLinus Torvalds	  Anubis is a variable key length cipher which can use keys from
11951da177e4SLinus Torvalds	  128 bits to 320 bits in length.  It was evaluated as a entrant
11961da177e4SLinus Torvalds	  in the NESSIE competition.
11971da177e4SLinus Torvalds
11981da177e4SLinus Torvalds	  See also:
11996d8de74cSJustin P. Mattock	  <https://www.cosic.esat.kuleuven.be/nessie/reports/>
12006d8de74cSJustin P. Mattock	  <http://www.larc.usp.br/~pbarreto/AnubisPage.html>
12011da177e4SLinus Torvalds
1202584fffc8SSebastian Siewiorconfig CRYPTO_ARC4
1203584fffc8SSebastian Siewior	tristate "ARC4 cipher algorithm"
12049ace6771SArd Biesheuvel	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1205b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
1206dc51f257SArd Biesheuvel	select CRYPTO_LIB_ARC4
1207e2ee95b8SHye-Shik Chang	help
1208584fffc8SSebastian Siewior	  ARC4 cipher algorithm.
1209e2ee95b8SHye-Shik Chang
1210584fffc8SSebastian Siewior	  ARC4 is a stream cipher using keys ranging from 8 bits to 2048
1211584fffc8SSebastian Siewior	  bits in length.  This algorithm is required for driver-based
1212584fffc8SSebastian Siewior	  WEP, but it should not be for other purposes because of the
1213584fffc8SSebastian Siewior	  weakness of the algorithm.
1214584fffc8SSebastian Siewior
1215584fffc8SSebastian Siewiorconfig CRYPTO_BLOWFISH
1216584fffc8SSebastian Siewior	tristate "Blowfish cipher algorithm"
1217584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
121852ba867cSJussi Kivilinna	select CRYPTO_BLOWFISH_COMMON
1219584fffc8SSebastian Siewior	help
1220584fffc8SSebastian Siewior	  Blowfish cipher algorithm, by Bruce Schneier.
1221584fffc8SSebastian Siewior
1222584fffc8SSebastian Siewior	  This is a variable key length cipher which can use keys from 32
1223584fffc8SSebastian Siewior	  bits to 448 bits in length.  It's fast, simple and specifically
1224584fffc8SSebastian Siewior	  designed for use on "large microprocessors".
1225e2ee95b8SHye-Shik Chang
1226e2ee95b8SHye-Shik Chang	  See also:
12279332a9e7SAlexander A. Klimov	  <https://www.schneier.com/blowfish.html>
1228584fffc8SSebastian Siewior
122952ba867cSJussi Kivilinnaconfig CRYPTO_BLOWFISH_COMMON
123052ba867cSJussi Kivilinna	tristate
123152ba867cSJussi Kivilinna	help
123252ba867cSJussi Kivilinna	  Common parts of the Blowfish cipher algorithm shared by the
123352ba867cSJussi Kivilinna	  generic c and the assembler implementations.
123452ba867cSJussi Kivilinna
123552ba867cSJussi Kivilinna	  See also:
12369332a9e7SAlexander A. Klimov	  <https://www.schneier.com/blowfish.html>
123752ba867cSJussi Kivilinna
123864b94ceaSJussi Kivilinnaconfig CRYPTO_BLOWFISH_X86_64
123964b94ceaSJussi Kivilinna	tristate "Blowfish cipher algorithm (x86_64)"
1240f21a7c19SAl Viro	depends on X86 && 64BIT
1241b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
124264b94ceaSJussi Kivilinna	select CRYPTO_BLOWFISH_COMMON
1243c0a64926SArd Biesheuvel	imply CRYPTO_CTR
124464b94ceaSJussi Kivilinna	help
124564b94ceaSJussi Kivilinna	  Blowfish cipher algorithm (x86_64), by Bruce Schneier.
124664b94ceaSJussi Kivilinna
124764b94ceaSJussi Kivilinna	  This is a variable key length cipher which can use keys from 32
124864b94ceaSJussi Kivilinna	  bits to 448 bits in length.  It's fast, simple and specifically
124964b94ceaSJussi Kivilinna	  designed for use on "large microprocessors".
125064b94ceaSJussi Kivilinna
125164b94ceaSJussi Kivilinna	  See also:
12529332a9e7SAlexander A. Klimov	  <https://www.schneier.com/blowfish.html>
125364b94ceaSJussi Kivilinna
1254584fffc8SSebastian Siewiorconfig CRYPTO_CAMELLIA
1255584fffc8SSebastian Siewior	tristate "Camellia cipher algorithms"
1256584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1257584fffc8SSebastian Siewior	help
1258584fffc8SSebastian Siewior	  Camellia cipher algorithms module.
1259584fffc8SSebastian Siewior
1260584fffc8SSebastian Siewior	  Camellia is a symmetric key block cipher developed jointly
1261584fffc8SSebastian Siewior	  at NTT and Mitsubishi Electric Corporation.
1262584fffc8SSebastian Siewior
1263584fffc8SSebastian Siewior	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1264584fffc8SSebastian Siewior
1265584fffc8SSebastian Siewior	  See also:
1266584fffc8SSebastian Siewior	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1267584fffc8SSebastian Siewior
12680b95ec56SJussi Kivilinnaconfig CRYPTO_CAMELLIA_X86_64
12690b95ec56SJussi Kivilinna	tristate "Camellia cipher algorithm (x86_64)"
1270f21a7c19SAl Viro	depends on X86 && 64BIT
1271b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
1272a1f91ecfSArd Biesheuvel	imply CRYPTO_CTR
12730b95ec56SJussi Kivilinna	help
12740b95ec56SJussi Kivilinna	  Camellia cipher algorithm module (x86_64).
12750b95ec56SJussi Kivilinna
12760b95ec56SJussi Kivilinna	  Camellia is a symmetric key block cipher developed jointly
12770b95ec56SJussi Kivilinna	  at NTT and Mitsubishi Electric Corporation.
12780b95ec56SJussi Kivilinna
12790b95ec56SJussi Kivilinna	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
12800b95ec56SJussi Kivilinna
12810b95ec56SJussi Kivilinna	  See also:
12820b95ec56SJussi Kivilinna	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
12830b95ec56SJussi Kivilinna
1284d9b1d2e7SJussi Kivilinnaconfig CRYPTO_CAMELLIA_AESNI_AVX_X86_64
1285d9b1d2e7SJussi Kivilinna	tristate "Camellia cipher algorithm (x86_64/AES-NI/AVX)"
1286d9b1d2e7SJussi Kivilinna	depends on X86 && 64BIT
1287b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
1288d9b1d2e7SJussi Kivilinna	select CRYPTO_CAMELLIA_X86_64
128944893bc2SEric Biggers	select CRYPTO_SIMD
129055a7e88fSArd Biesheuvel	imply CRYPTO_XTS
1291d9b1d2e7SJussi Kivilinna	help
1292d9b1d2e7SJussi Kivilinna	  Camellia cipher algorithm module (x86_64/AES-NI/AVX).
1293d9b1d2e7SJussi Kivilinna
1294d9b1d2e7SJussi Kivilinna	  Camellia is a symmetric key block cipher developed jointly
1295d9b1d2e7SJussi Kivilinna	  at NTT and Mitsubishi Electric Corporation.
1296d9b1d2e7SJussi Kivilinna
1297d9b1d2e7SJussi Kivilinna	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1298d9b1d2e7SJussi Kivilinna
1299d9b1d2e7SJussi Kivilinna	  See also:
1300d9b1d2e7SJussi Kivilinna	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1301d9b1d2e7SJussi Kivilinna
1302f3f935a7SJussi Kivilinnaconfig CRYPTO_CAMELLIA_AESNI_AVX2_X86_64
1303f3f935a7SJussi Kivilinna	tristate "Camellia cipher algorithm (x86_64/AES-NI/AVX2)"
1304f3f935a7SJussi Kivilinna	depends on X86 && 64BIT
1305f3f935a7SJussi Kivilinna	select CRYPTO_CAMELLIA_AESNI_AVX_X86_64
1306f3f935a7SJussi Kivilinna	help
1307f3f935a7SJussi Kivilinna	  Camellia cipher algorithm module (x86_64/AES-NI/AVX2).
1308f3f935a7SJussi Kivilinna
1309f3f935a7SJussi Kivilinna	  Camellia is a symmetric key block cipher developed jointly
1310f3f935a7SJussi Kivilinna	  at NTT and Mitsubishi Electric Corporation.
1311f3f935a7SJussi Kivilinna
1312f3f935a7SJussi Kivilinna	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1313f3f935a7SJussi Kivilinna
1314f3f935a7SJussi Kivilinna	  See also:
1315f3f935a7SJussi Kivilinna	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1316f3f935a7SJussi Kivilinna
131781658ad0SDavid S. Millerconfig CRYPTO_CAMELLIA_SPARC64
131881658ad0SDavid S. Miller	tristate "Camellia cipher algorithm (SPARC64)"
131981658ad0SDavid S. Miller	depends on SPARC64
132081658ad0SDavid S. Miller	select CRYPTO_ALGAPI
1321b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
132281658ad0SDavid S. Miller	help
132381658ad0SDavid S. Miller	  Camellia cipher algorithm module (SPARC64).
132481658ad0SDavid S. Miller
132581658ad0SDavid S. Miller	  Camellia is a symmetric key block cipher developed jointly
132681658ad0SDavid S. Miller	  at NTT and Mitsubishi Electric Corporation.
132781658ad0SDavid S. Miller
132881658ad0SDavid S. Miller	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
132981658ad0SDavid S. Miller
133081658ad0SDavid S. Miller	  See also:
133181658ad0SDavid S. Miller	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
133281658ad0SDavid S. Miller
1333044ab525SJussi Kivilinnaconfig CRYPTO_CAST_COMMON
1334044ab525SJussi Kivilinna	tristate
1335044ab525SJussi Kivilinna	help
1336044ab525SJussi Kivilinna	  Common parts of the CAST cipher algorithms shared by the
1337044ab525SJussi Kivilinna	  generic c and the assembler implementations.
1338044ab525SJussi Kivilinna
1339584fffc8SSebastian Siewiorconfig CRYPTO_CAST5
1340584fffc8SSebastian Siewior	tristate "CAST5 (CAST-128) cipher algorithm"
1341584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1342044ab525SJussi Kivilinna	select CRYPTO_CAST_COMMON
1343584fffc8SSebastian Siewior	help
1344584fffc8SSebastian Siewior	  The CAST5 encryption algorithm (synonymous with CAST-128) is
1345584fffc8SSebastian Siewior	  described in RFC2144.
1346584fffc8SSebastian Siewior
13474d6d6a2cSJohannes Goetzfriedconfig CRYPTO_CAST5_AVX_X86_64
13484d6d6a2cSJohannes Goetzfried	tristate "CAST5 (CAST-128) cipher algorithm (x86_64/AVX)"
13494d6d6a2cSJohannes Goetzfried	depends on X86 && 64BIT
1350b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
13514d6d6a2cSJohannes Goetzfried	select CRYPTO_CAST5
13521e63183aSEric Biggers	select CRYPTO_CAST_COMMON
13531e63183aSEric Biggers	select CRYPTO_SIMD
1354e2d60e2fSArd Biesheuvel	imply CRYPTO_CTR
13554d6d6a2cSJohannes Goetzfried	help
13564d6d6a2cSJohannes Goetzfried	  The CAST5 encryption algorithm (synonymous with CAST-128) is
13574d6d6a2cSJohannes Goetzfried	  described in RFC2144.
13584d6d6a2cSJohannes Goetzfried
13594d6d6a2cSJohannes Goetzfried	  This module provides the Cast5 cipher algorithm that processes
13604d6d6a2cSJohannes Goetzfried	  sixteen blocks parallel using the AVX instruction set.
13614d6d6a2cSJohannes Goetzfried
1362584fffc8SSebastian Siewiorconfig CRYPTO_CAST6
1363584fffc8SSebastian Siewior	tristate "CAST6 (CAST-256) cipher algorithm"
1364584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1365044ab525SJussi Kivilinna	select CRYPTO_CAST_COMMON
1366584fffc8SSebastian Siewior	help
1367584fffc8SSebastian Siewior	  The CAST6 encryption algorithm (synonymous with CAST-256) is
1368584fffc8SSebastian Siewior	  described in RFC2612.
1369584fffc8SSebastian Siewior
13704ea1277dSJohannes Goetzfriedconfig CRYPTO_CAST6_AVX_X86_64
13714ea1277dSJohannes Goetzfried	tristate "CAST6 (CAST-256) cipher algorithm (x86_64/AVX)"
13724ea1277dSJohannes Goetzfried	depends on X86 && 64BIT
1373b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
13744ea1277dSJohannes Goetzfried	select CRYPTO_CAST6
13754bd96924SEric Biggers	select CRYPTO_CAST_COMMON
13764bd96924SEric Biggers	select CRYPTO_SIMD
13772cc0fedbSArd Biesheuvel	imply CRYPTO_XTS
13787a6623ccSArd Biesheuvel	imply CRYPTO_CTR
13794ea1277dSJohannes Goetzfried	help
13804ea1277dSJohannes Goetzfried	  The CAST6 encryption algorithm (synonymous with CAST-256) is
13814ea1277dSJohannes Goetzfried	  described in RFC2612.
13824ea1277dSJohannes Goetzfried
13834ea1277dSJohannes Goetzfried	  This module provides the Cast6 cipher algorithm that processes
13844ea1277dSJohannes Goetzfried	  eight blocks parallel using the AVX instruction set.
13854ea1277dSJohannes Goetzfried
1386584fffc8SSebastian Siewiorconfig CRYPTO_DES
1387584fffc8SSebastian Siewior	tristate "DES and Triple DES EDE cipher algorithms"
1388584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
138904007b0eSArd Biesheuvel	select CRYPTO_LIB_DES
1390584fffc8SSebastian Siewior	help
1391584fffc8SSebastian Siewior	  DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3).
1392584fffc8SSebastian Siewior
1393c5aac2dfSDavid S. Millerconfig CRYPTO_DES_SPARC64
1394c5aac2dfSDavid S. Miller	tristate "DES and Triple DES EDE cipher algorithms (SPARC64)"
139597da37b3SDave Jones	depends on SPARC64
1396c5aac2dfSDavid S. Miller	select CRYPTO_ALGAPI
139704007b0eSArd Biesheuvel	select CRYPTO_LIB_DES
1398b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
1399c5aac2dfSDavid S. Miller	help
1400c5aac2dfSDavid S. Miller	  DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3),
1401c5aac2dfSDavid S. Miller	  optimized using SPARC64 crypto opcodes.
1402c5aac2dfSDavid S. Miller
14036574e6c6SJussi Kivilinnaconfig CRYPTO_DES3_EDE_X86_64
14046574e6c6SJussi Kivilinna	tristate "Triple DES EDE cipher algorithm (x86-64)"
14056574e6c6SJussi Kivilinna	depends on X86 && 64BIT
1406b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
140704007b0eSArd Biesheuvel	select CRYPTO_LIB_DES
1408768db5feSArd Biesheuvel	imply CRYPTO_CTR
14096574e6c6SJussi Kivilinna	help
14106574e6c6SJussi Kivilinna	  Triple DES EDE (FIPS 46-3) algorithm.
14116574e6c6SJussi Kivilinna
14126574e6c6SJussi Kivilinna	  This module provides implementation of the Triple DES EDE cipher
14136574e6c6SJussi Kivilinna	  algorithm that is optimized for x86-64 processors. Two versions of
14146574e6c6SJussi Kivilinna	  algorithm are provided; regular processing one input block and
14156574e6c6SJussi Kivilinna	  one that processes three blocks parallel.
14166574e6c6SJussi Kivilinna
1417584fffc8SSebastian Siewiorconfig CRYPTO_FCRYPT
1418584fffc8SSebastian Siewior	tristate "FCrypt cipher algorithm"
1419584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1420b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
1421584fffc8SSebastian Siewior	help
1422584fffc8SSebastian Siewior	  FCrypt algorithm used by RxRPC.
1423584fffc8SSebastian Siewior
1424584fffc8SSebastian Siewiorconfig CRYPTO_KHAZAD
1425584fffc8SSebastian Siewior	tristate "Khazad cipher algorithm"
14261674aea5SArd Biesheuvel	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1427584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1428584fffc8SSebastian Siewior	help
1429584fffc8SSebastian Siewior	  Khazad cipher algorithm.
1430584fffc8SSebastian Siewior
1431584fffc8SSebastian Siewior	  Khazad was a finalist in the initial NESSIE competition.  It is
1432584fffc8SSebastian Siewior	  an algorithm optimized for 64-bit processors with good performance
1433584fffc8SSebastian Siewior	  on 32-bit processors.  Khazad uses an 128 bit key size.
1434584fffc8SSebastian Siewior
1435584fffc8SSebastian Siewior	  See also:
14366d8de74cSJustin P. Mattock	  <http://www.larc.usp.br/~pbarreto/KhazadPage.html>
1437e2ee95b8SHye-Shik Chang
1438c08d0e64SMartin Williconfig CRYPTO_CHACHA20
1439aa762409SEric Biggers	tristate "ChaCha stream cipher algorithms"
14405fb8ef25SArd Biesheuvel	select CRYPTO_LIB_CHACHA_GENERIC
1441b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
1442c08d0e64SMartin Willi	help
1443aa762409SEric Biggers	  The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms.
1444c08d0e64SMartin Willi
1445c08d0e64SMartin Willi	  ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
1446c08d0e64SMartin Willi	  Bernstein and further specified in RFC7539 for use in IETF protocols.
1447de61d7aeSEric Biggers	  This is the portable C implementation of ChaCha20.  See also:
14489332a9e7SAlexander A. Klimov	  <https://cr.yp.to/chacha/chacha-20080128.pdf>
1449c08d0e64SMartin Willi
1450de61d7aeSEric Biggers	  XChaCha20 is the application of the XSalsa20 construction to ChaCha20
1451de61d7aeSEric Biggers	  rather than to Salsa20.  XChaCha20 extends ChaCha20's nonce length
1452de61d7aeSEric Biggers	  from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
1453de61d7aeSEric Biggers	  while provably retaining ChaCha20's security.  See also:
1454de61d7aeSEric Biggers	  <https://cr.yp.to/snuffle/xsalsa-20081128.pdf>
1455de61d7aeSEric Biggers
1456aa762409SEric Biggers	  XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
1457aa762409SEric Biggers	  reduced security margin but increased performance.  It can be needed
1458aa762409SEric Biggers	  in some performance-sensitive scenarios.
1459aa762409SEric Biggers
1460c9320b6dSMartin Williconfig CRYPTO_CHACHA20_X86_64
14614af78261SEric Biggers	tristate "ChaCha stream cipher algorithms (x86_64/SSSE3/AVX2/AVX-512VL)"
1462c9320b6dSMartin Willi	depends on X86 && 64BIT
1463b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
146428e8d89bSArd Biesheuvel	select CRYPTO_LIB_CHACHA_GENERIC
146584e03fa3SArd Biesheuvel	select CRYPTO_ARCH_HAVE_LIB_CHACHA
1466c9320b6dSMartin Willi	help
14677a507d62SEric Biggers	  SSSE3, AVX2, and AVX-512VL optimized implementations of the ChaCha20,
14687a507d62SEric Biggers	  XChaCha20, and XChaCha12 stream ciphers.
1469c9320b6dSMartin Willi
14703a2f58f3SArd Biesheuvelconfig CRYPTO_CHACHA_MIPS
14713a2f58f3SArd Biesheuvel	tristate "ChaCha stream cipher algorithms (MIPS 32r2 optimized)"
14723a2f58f3SArd Biesheuvel	depends on CPU_MIPS32_R2
1473660eda8dSEric Biggers	select CRYPTO_SKCIPHER
14743a2f58f3SArd Biesheuvel	select CRYPTO_ARCH_HAVE_LIB_CHACHA
14753a2f58f3SArd Biesheuvel
1476584fffc8SSebastian Siewiorconfig CRYPTO_SEED
1477584fffc8SSebastian Siewior	tristate "SEED cipher algorithm"
14781674aea5SArd Biesheuvel	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1479584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1480584fffc8SSebastian Siewior	help
1481584fffc8SSebastian Siewior	  SEED cipher algorithm (RFC4269).
1482584fffc8SSebastian Siewior
1483584fffc8SSebastian Siewior	  SEED is a 128-bit symmetric key block cipher that has been
1484584fffc8SSebastian Siewior	  developed by KISA (Korea Information Security Agency) as a
1485584fffc8SSebastian Siewior	  national standard encryption algorithm of the Republic of Korea.
1486584fffc8SSebastian Siewior	  It is a 16 round block cipher with the key size of 128 bit.
1487584fffc8SSebastian Siewior
1488584fffc8SSebastian Siewior	  See also:
1489584fffc8SSebastian Siewior	  <http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp>
1490584fffc8SSebastian Siewior
1491584fffc8SSebastian Siewiorconfig CRYPTO_SERPENT
1492584fffc8SSebastian Siewior	tristate "Serpent cipher algorithm"
1493584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1494584fffc8SSebastian Siewior	help
1495584fffc8SSebastian Siewior	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1496584fffc8SSebastian Siewior
1497584fffc8SSebastian Siewior	  Keys are allowed to be from 0 to 256 bits in length, in steps
1498784506a1SArd Biesheuvel	  of 8 bits.
1499584fffc8SSebastian Siewior
1500584fffc8SSebastian Siewior	  See also:
15019332a9e7SAlexander A. Klimov	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1502584fffc8SSebastian Siewior
1503937c30d7SJussi Kivilinnaconfig CRYPTO_SERPENT_SSE2_X86_64
1504937c30d7SJussi Kivilinna	tristate "Serpent cipher algorithm (x86_64/SSE2)"
1505937c30d7SJussi Kivilinna	depends on X86 && 64BIT
1506b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
1507937c30d7SJussi Kivilinna	select CRYPTO_SERPENT
1508e0f409dcSEric Biggers	select CRYPTO_SIMD
15092e9440aeSArd Biesheuvel	imply CRYPTO_CTR
1510937c30d7SJussi Kivilinna	help
1511937c30d7SJussi Kivilinna	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1512937c30d7SJussi Kivilinna
1513937c30d7SJussi Kivilinna	  Keys are allowed to be from 0 to 256 bits in length, in steps
1514937c30d7SJussi Kivilinna	  of 8 bits.
1515937c30d7SJussi Kivilinna
15161e6232f8SMasanari Iida	  This module provides Serpent cipher algorithm that processes eight
1517937c30d7SJussi Kivilinna	  blocks parallel using SSE2 instruction set.
1518937c30d7SJussi Kivilinna
1519937c30d7SJussi Kivilinna	  See also:
15209332a9e7SAlexander A. Klimov	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1521937c30d7SJussi Kivilinna
1522251496dbSJussi Kivilinnaconfig CRYPTO_SERPENT_SSE2_586
1523251496dbSJussi Kivilinna	tristate "Serpent cipher algorithm (i586/SSE2)"
1524251496dbSJussi Kivilinna	depends on X86 && !64BIT
1525b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
1526251496dbSJussi Kivilinna	select CRYPTO_SERPENT
1527e0f409dcSEric Biggers	select CRYPTO_SIMD
15282e9440aeSArd Biesheuvel	imply CRYPTO_CTR
1529251496dbSJussi Kivilinna	help
1530251496dbSJussi Kivilinna	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1531251496dbSJussi Kivilinna
1532251496dbSJussi Kivilinna	  Keys are allowed to be from 0 to 256 bits in length, in steps
1533251496dbSJussi Kivilinna	  of 8 bits.
1534251496dbSJussi Kivilinna
1535251496dbSJussi Kivilinna	  This module provides Serpent cipher algorithm that processes four
1536251496dbSJussi Kivilinna	  blocks parallel using SSE2 instruction set.
1537251496dbSJussi Kivilinna
1538251496dbSJussi Kivilinna	  See also:
15399332a9e7SAlexander A. Klimov	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1540251496dbSJussi Kivilinna
15417efe4076SJohannes Goetzfriedconfig CRYPTO_SERPENT_AVX_X86_64
15427efe4076SJohannes Goetzfried	tristate "Serpent cipher algorithm (x86_64/AVX)"
15437efe4076SJohannes Goetzfried	depends on X86 && 64BIT
1544b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
15457efe4076SJohannes Goetzfried	select CRYPTO_SERPENT
1546e16bf974SEric Biggers	select CRYPTO_SIMD
15479ec0af8aSArd Biesheuvel	imply CRYPTO_XTS
15482e9440aeSArd Biesheuvel	imply CRYPTO_CTR
15497efe4076SJohannes Goetzfried	help
15507efe4076SJohannes Goetzfried	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
15517efe4076SJohannes Goetzfried
15527efe4076SJohannes Goetzfried	  Keys are allowed to be from 0 to 256 bits in length, in steps
15537efe4076SJohannes Goetzfried	  of 8 bits.
15547efe4076SJohannes Goetzfried
15557efe4076SJohannes Goetzfried	  This module provides the Serpent cipher algorithm that processes
15567efe4076SJohannes Goetzfried	  eight blocks parallel using the AVX instruction set.
15577efe4076SJohannes Goetzfried
15587efe4076SJohannes Goetzfried	  See also:
15599332a9e7SAlexander A. Klimov	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
15607efe4076SJohannes Goetzfried
156156d76c96SJussi Kivilinnaconfig CRYPTO_SERPENT_AVX2_X86_64
156256d76c96SJussi Kivilinna	tristate "Serpent cipher algorithm (x86_64/AVX2)"
156356d76c96SJussi Kivilinna	depends on X86 && 64BIT
156456d76c96SJussi Kivilinna	select CRYPTO_SERPENT_AVX_X86_64
156556d76c96SJussi Kivilinna	help
156656d76c96SJussi Kivilinna	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
156756d76c96SJussi Kivilinna
156856d76c96SJussi Kivilinna	  Keys are allowed to be from 0 to 256 bits in length, in steps
156956d76c96SJussi Kivilinna	  of 8 bits.
157056d76c96SJussi Kivilinna
157156d76c96SJussi Kivilinna	  This module provides Serpent cipher algorithm that processes 16
157256d76c96SJussi Kivilinna	  blocks parallel using AVX2 instruction set.
157356d76c96SJussi Kivilinna
157456d76c96SJussi Kivilinna	  See also:
15759332a9e7SAlexander A. Klimov	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
157656d76c96SJussi Kivilinna
1577747c8ce4SGilad Ben-Yossefconfig CRYPTO_SM4
1578*d2825fa9SJason A. Donenfeld	tristate
1579*d2825fa9SJason A. Donenfeld
1580*d2825fa9SJason A. Donenfeldconfig CRYPTO_SM4_GENERIC
1581747c8ce4SGilad Ben-Yossef	tristate "SM4 cipher algorithm"
1582747c8ce4SGilad Ben-Yossef	select CRYPTO_ALGAPI
1583*d2825fa9SJason A. Donenfeld	select CRYPTO_SM4
1584747c8ce4SGilad Ben-Yossef	help
1585747c8ce4SGilad Ben-Yossef	  SM4 cipher algorithms (OSCCA GB/T 32907-2016).
1586747c8ce4SGilad Ben-Yossef
1587747c8ce4SGilad Ben-Yossef	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
1588747c8ce4SGilad Ben-Yossef	  Organization of State Commercial Administration of China (OSCCA)
1589747c8ce4SGilad Ben-Yossef	  as an authorized cryptographic algorithms for the use within China.
1590747c8ce4SGilad Ben-Yossef
1591747c8ce4SGilad Ben-Yossef	  SMS4 was originally created for use in protecting wireless
1592747c8ce4SGilad Ben-Yossef	  networks, and is mandated in the Chinese National Standard for
1593747c8ce4SGilad Ben-Yossef	  Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
1594747c8ce4SGilad Ben-Yossef	  (GB.15629.11-2003).
1595747c8ce4SGilad Ben-Yossef
1596747c8ce4SGilad Ben-Yossef	  The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
1597747c8ce4SGilad Ben-Yossef	  standardized through TC 260 of the Standardization Administration
1598747c8ce4SGilad Ben-Yossef	  of the People's Republic of China (SAC).
1599747c8ce4SGilad Ben-Yossef
1600747c8ce4SGilad Ben-Yossef	  The input, output, and key of SMS4 are each 128 bits.
1601747c8ce4SGilad Ben-Yossef
1602747c8ce4SGilad Ben-Yossef	  See also: <https://eprint.iacr.org/2008/329.pdf>
1603747c8ce4SGilad Ben-Yossef
1604747c8ce4SGilad Ben-Yossef	  If unsure, say N.
1605747c8ce4SGilad Ben-Yossef
1606a7ee22eeSTianjia Zhangconfig CRYPTO_SM4_AESNI_AVX_X86_64
1607a7ee22eeSTianjia Zhang	tristate "SM4 cipher algorithm (x86_64/AES-NI/AVX)"
1608a7ee22eeSTianjia Zhang	depends on X86 && 64BIT
1609a7ee22eeSTianjia Zhang	select CRYPTO_SKCIPHER
1610a7ee22eeSTianjia Zhang	select CRYPTO_SIMD
1611a7ee22eeSTianjia Zhang	select CRYPTO_ALGAPI
1612*d2825fa9SJason A. Donenfeld	select CRYPTO_SM4
1613a7ee22eeSTianjia Zhang	help
1614a7ee22eeSTianjia Zhang	  SM4 cipher algorithms (OSCCA GB/T 32907-2016) (x86_64/AES-NI/AVX).
1615a7ee22eeSTianjia Zhang
1616a7ee22eeSTianjia Zhang	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
1617a7ee22eeSTianjia Zhang	  Organization of State Commercial Administration of China (OSCCA)
1618a7ee22eeSTianjia Zhang	  as an authorized cryptographic algorithms for the use within China.
1619a7ee22eeSTianjia Zhang
1620a7ee22eeSTianjia Zhang	  This is SM4 optimized implementation using AES-NI/AVX/x86_64
1621a7ee22eeSTianjia Zhang	  instruction set for block cipher. Through two affine transforms,
1622a7ee22eeSTianjia Zhang	  we can use the AES S-Box to simulate the SM4 S-Box to achieve the
1623a7ee22eeSTianjia Zhang	  effect of instruction acceleration.
1624a7ee22eeSTianjia Zhang
1625a7ee22eeSTianjia Zhang	  If unsure, say N.
1626a7ee22eeSTianjia Zhang
16275b2efa2bSTianjia Zhangconfig CRYPTO_SM4_AESNI_AVX2_X86_64
16285b2efa2bSTianjia Zhang	tristate "SM4 cipher algorithm (x86_64/AES-NI/AVX2)"
16295b2efa2bSTianjia Zhang	depends on X86 && 64BIT
16305b2efa2bSTianjia Zhang	select CRYPTO_SKCIPHER
16315b2efa2bSTianjia Zhang	select CRYPTO_SIMD
16325b2efa2bSTianjia Zhang	select CRYPTO_ALGAPI
1633*d2825fa9SJason A. Donenfeld	select CRYPTO_SM4
16345b2efa2bSTianjia Zhang	select CRYPTO_SM4_AESNI_AVX_X86_64
16355b2efa2bSTianjia Zhang	help
16365b2efa2bSTianjia Zhang	  SM4 cipher algorithms (OSCCA GB/T 32907-2016) (x86_64/AES-NI/AVX2).
16375b2efa2bSTianjia Zhang
16385b2efa2bSTianjia Zhang	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
16395b2efa2bSTianjia Zhang	  Organization of State Commercial Administration of China (OSCCA)
16405b2efa2bSTianjia Zhang	  as an authorized cryptographic algorithms for the use within China.
16415b2efa2bSTianjia Zhang
16425b2efa2bSTianjia Zhang	  This is SM4 optimized implementation using AES-NI/AVX2/x86_64
16435b2efa2bSTianjia Zhang	  instruction set for block cipher. Through two affine transforms,
16445b2efa2bSTianjia Zhang	  we can use the AES S-Box to simulate the SM4 S-Box to achieve the
16455b2efa2bSTianjia Zhang	  effect of instruction acceleration.
16465b2efa2bSTianjia Zhang
16475b2efa2bSTianjia Zhang	  If unsure, say N.
16485b2efa2bSTianjia Zhang
1649584fffc8SSebastian Siewiorconfig CRYPTO_TEA
1650584fffc8SSebastian Siewior	tristate "TEA, XTEA and XETA cipher algorithms"
16511674aea5SArd Biesheuvel	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1652584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1653584fffc8SSebastian Siewior	help
1654584fffc8SSebastian Siewior	  TEA cipher algorithm.
1655584fffc8SSebastian Siewior
1656584fffc8SSebastian Siewior	  Tiny Encryption Algorithm is a simple cipher that uses
1657584fffc8SSebastian Siewior	  many rounds for security.  It is very fast and uses
1658584fffc8SSebastian Siewior	  little memory.
1659584fffc8SSebastian Siewior
1660584fffc8SSebastian Siewior	  Xtendend Tiny Encryption Algorithm is a modification to
1661584fffc8SSebastian Siewior	  the TEA algorithm to address a potential key weakness
1662584fffc8SSebastian Siewior	  in the TEA algorithm.
1663584fffc8SSebastian Siewior
1664584fffc8SSebastian Siewior	  Xtendend Encryption Tiny Algorithm is a mis-implementation
1665584fffc8SSebastian Siewior	  of the XTEA algorithm for compatibility purposes.
1666584fffc8SSebastian Siewior
1667584fffc8SSebastian Siewiorconfig CRYPTO_TWOFISH
1668584fffc8SSebastian Siewior	tristate "Twofish cipher algorithm"
1669584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1670584fffc8SSebastian Siewior	select CRYPTO_TWOFISH_COMMON
1671584fffc8SSebastian Siewior	help
1672584fffc8SSebastian Siewior	  Twofish cipher algorithm.
1673584fffc8SSebastian Siewior
1674584fffc8SSebastian Siewior	  Twofish was submitted as an AES (Advanced Encryption Standard)
1675584fffc8SSebastian Siewior	  candidate cipher by researchers at CounterPane Systems.  It is a
1676584fffc8SSebastian Siewior	  16 round block cipher supporting key sizes of 128, 192, and 256
1677584fffc8SSebastian Siewior	  bits.
1678584fffc8SSebastian Siewior
1679584fffc8SSebastian Siewior	  See also:
16809332a9e7SAlexander A. Klimov	  <https://www.schneier.com/twofish.html>
1681584fffc8SSebastian Siewior
1682584fffc8SSebastian Siewiorconfig CRYPTO_TWOFISH_COMMON
1683584fffc8SSebastian Siewior	tristate
1684584fffc8SSebastian Siewior	help
1685584fffc8SSebastian Siewior	  Common parts of the Twofish cipher algorithm shared by the
1686584fffc8SSebastian Siewior	  generic c and the assembler implementations.
1687584fffc8SSebastian Siewior
1688584fffc8SSebastian Siewiorconfig CRYPTO_TWOFISH_586
1689584fffc8SSebastian Siewior	tristate "Twofish cipher algorithms (i586)"
1690584fffc8SSebastian Siewior	depends on (X86 || UML_X86) && !64BIT
1691584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1692584fffc8SSebastian Siewior	select CRYPTO_TWOFISH_COMMON
1693f43dcaf2SArd Biesheuvel	imply CRYPTO_CTR
1694584fffc8SSebastian Siewior	help
1695584fffc8SSebastian Siewior	  Twofish cipher algorithm.
1696584fffc8SSebastian Siewior
1697584fffc8SSebastian Siewior	  Twofish was submitted as an AES (Advanced Encryption Standard)
1698584fffc8SSebastian Siewior	  candidate cipher by researchers at CounterPane Systems.  It is a
1699584fffc8SSebastian Siewior	  16 round block cipher supporting key sizes of 128, 192, and 256
1700584fffc8SSebastian Siewior	  bits.
1701584fffc8SSebastian Siewior
1702584fffc8SSebastian Siewior	  See also:
17039332a9e7SAlexander A. Klimov	  <https://www.schneier.com/twofish.html>
1704584fffc8SSebastian Siewior
1705584fffc8SSebastian Siewiorconfig CRYPTO_TWOFISH_X86_64
1706584fffc8SSebastian Siewior	tristate "Twofish cipher algorithm (x86_64)"
1707584fffc8SSebastian Siewior	depends on (X86 || UML_X86) && 64BIT
1708584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1709584fffc8SSebastian Siewior	select CRYPTO_TWOFISH_COMMON
1710f43dcaf2SArd Biesheuvel	imply CRYPTO_CTR
1711584fffc8SSebastian Siewior	help
1712584fffc8SSebastian Siewior	  Twofish cipher algorithm (x86_64).
1713584fffc8SSebastian Siewior
1714584fffc8SSebastian Siewior	  Twofish was submitted as an AES (Advanced Encryption Standard)
1715584fffc8SSebastian Siewior	  candidate cipher by researchers at CounterPane Systems.  It is a
1716584fffc8SSebastian Siewior	  16 round block cipher supporting key sizes of 128, 192, and 256
1717584fffc8SSebastian Siewior	  bits.
1718584fffc8SSebastian Siewior
1719584fffc8SSebastian Siewior	  See also:
17209332a9e7SAlexander A. Klimov	  <https://www.schneier.com/twofish.html>
1721584fffc8SSebastian Siewior
17228280daadSJussi Kivilinnaconfig CRYPTO_TWOFISH_X86_64_3WAY
17238280daadSJussi Kivilinna	tristate "Twofish cipher algorithm (x86_64, 3-way parallel)"
1724f21a7c19SAl Viro	depends on X86 && 64BIT
1725b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
17268280daadSJussi Kivilinna	select CRYPTO_TWOFISH_COMMON
17278280daadSJussi Kivilinna	select CRYPTO_TWOFISH_X86_64
17288280daadSJussi Kivilinna	help
17298280daadSJussi Kivilinna	  Twofish cipher algorithm (x86_64, 3-way parallel).
17308280daadSJussi Kivilinna
17318280daadSJussi Kivilinna	  Twofish was submitted as an AES (Advanced Encryption Standard)
17328280daadSJussi Kivilinna	  candidate cipher by researchers at CounterPane Systems.  It is a
17338280daadSJussi Kivilinna	  16 round block cipher supporting key sizes of 128, 192, and 256
17348280daadSJussi Kivilinna	  bits.
17358280daadSJussi Kivilinna
17368280daadSJussi Kivilinna	  This module provides Twofish cipher algorithm that processes three
17378280daadSJussi Kivilinna	  blocks parallel, utilizing resources of out-of-order CPUs better.
17388280daadSJussi Kivilinna
17398280daadSJussi Kivilinna	  See also:
17409332a9e7SAlexander A. Klimov	  <https://www.schneier.com/twofish.html>
17418280daadSJussi Kivilinna
1742107778b5SJohannes Goetzfriedconfig CRYPTO_TWOFISH_AVX_X86_64
1743107778b5SJohannes Goetzfried	tristate "Twofish cipher algorithm (x86_64/AVX)"
1744107778b5SJohannes Goetzfried	depends on X86 && 64BIT
1745b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
17460e6ab46dSEric Biggers	select CRYPTO_SIMD
1747107778b5SJohannes Goetzfried	select CRYPTO_TWOFISH_COMMON
1748107778b5SJohannes Goetzfried	select CRYPTO_TWOFISH_X86_64
1749107778b5SJohannes Goetzfried	select CRYPTO_TWOFISH_X86_64_3WAY
1750da4df93aSArd Biesheuvel	imply CRYPTO_XTS
1751107778b5SJohannes Goetzfried	help
1752107778b5SJohannes Goetzfried	  Twofish cipher algorithm (x86_64/AVX).
1753107778b5SJohannes Goetzfried
1754107778b5SJohannes Goetzfried	  Twofish was submitted as an AES (Advanced Encryption Standard)
1755107778b5SJohannes Goetzfried	  candidate cipher by researchers at CounterPane Systems.  It is a
1756107778b5SJohannes Goetzfried	  16 round block cipher supporting key sizes of 128, 192, and 256
1757107778b5SJohannes Goetzfried	  bits.
1758107778b5SJohannes Goetzfried
1759107778b5SJohannes Goetzfried	  This module provides the Twofish cipher algorithm that processes
1760107778b5SJohannes Goetzfried	  eight blocks parallel using the AVX Instruction Set.
1761107778b5SJohannes Goetzfried
1762107778b5SJohannes Goetzfried	  See also:
17639332a9e7SAlexander A. Klimov	  <https://www.schneier.com/twofish.html>
1764107778b5SJohannes Goetzfried
1765584fffc8SSebastian Siewiorcomment "Compression"
1766584fffc8SSebastian Siewior
17671da177e4SLinus Torvaldsconfig CRYPTO_DEFLATE
17681da177e4SLinus Torvalds	tristate "Deflate compression algorithm"
1769cce9e06dSHerbert Xu	select CRYPTO_ALGAPI
1770f6ded09dSGiovanni Cabiddu	select CRYPTO_ACOMP2
17711da177e4SLinus Torvalds	select ZLIB_INFLATE
17721da177e4SLinus Torvalds	select ZLIB_DEFLATE
17731da177e4SLinus Torvalds	help
17741da177e4SLinus Torvalds	  This is the Deflate algorithm (RFC1951), specified for use in
17751da177e4SLinus Torvalds	  IPSec with the IPCOMP protocol (RFC3173, RFC2394).
17761da177e4SLinus Torvalds
17771da177e4SLinus Torvalds	  You will most probably want this if using IPSec.
17781da177e4SLinus Torvalds
17790b77abb3SZoltan Sogorconfig CRYPTO_LZO
17800b77abb3SZoltan Sogor	tristate "LZO compression algorithm"
17810b77abb3SZoltan Sogor	select CRYPTO_ALGAPI
1782ac9d2c4bSGiovanni Cabiddu	select CRYPTO_ACOMP2
17830b77abb3SZoltan Sogor	select LZO_COMPRESS
17840b77abb3SZoltan Sogor	select LZO_DECOMPRESS
17850b77abb3SZoltan Sogor	help
17860b77abb3SZoltan Sogor	  This is the LZO algorithm.
17870b77abb3SZoltan Sogor
178835a1fc18SSeth Jenningsconfig CRYPTO_842
178935a1fc18SSeth Jennings	tristate "842 compression algorithm"
17902062c5b6SDan Streetman	select CRYPTO_ALGAPI
17916a8de3aeSGiovanni Cabiddu	select CRYPTO_ACOMP2
17922062c5b6SDan Streetman	select 842_COMPRESS
17932062c5b6SDan Streetman	select 842_DECOMPRESS
179435a1fc18SSeth Jennings	help
179535a1fc18SSeth Jennings	  This is the 842 algorithm.
179635a1fc18SSeth Jennings
17970ea8530dSChanho Minconfig CRYPTO_LZ4
17980ea8530dSChanho Min	tristate "LZ4 compression algorithm"
17990ea8530dSChanho Min	select CRYPTO_ALGAPI
18008cd9330eSGiovanni Cabiddu	select CRYPTO_ACOMP2
18010ea8530dSChanho Min	select LZ4_COMPRESS
18020ea8530dSChanho Min	select LZ4_DECOMPRESS
18030ea8530dSChanho Min	help
18040ea8530dSChanho Min	  This is the LZ4 algorithm.
18050ea8530dSChanho Min
18060ea8530dSChanho Minconfig CRYPTO_LZ4HC
18070ea8530dSChanho Min	tristate "LZ4HC compression algorithm"
18080ea8530dSChanho Min	select CRYPTO_ALGAPI
180991d53d96SGiovanni Cabiddu	select CRYPTO_ACOMP2
18100ea8530dSChanho Min	select LZ4HC_COMPRESS
18110ea8530dSChanho Min	select LZ4_DECOMPRESS
18120ea8530dSChanho Min	help
18130ea8530dSChanho Min	  This is the LZ4 high compression mode algorithm.
18140ea8530dSChanho Min
1815d28fc3dbSNick Terrellconfig CRYPTO_ZSTD
1816d28fc3dbSNick Terrell	tristate "Zstd compression algorithm"
1817d28fc3dbSNick Terrell	select CRYPTO_ALGAPI
1818d28fc3dbSNick Terrell	select CRYPTO_ACOMP2
1819d28fc3dbSNick Terrell	select ZSTD_COMPRESS
1820d28fc3dbSNick Terrell	select ZSTD_DECOMPRESS
1821d28fc3dbSNick Terrell	help
1822d28fc3dbSNick Terrell	  This is the zstd algorithm.
1823d28fc3dbSNick Terrell
182417f0f4a4SNeil Hormancomment "Random Number Generation"
182517f0f4a4SNeil Horman
182617f0f4a4SNeil Hormanconfig CRYPTO_ANSI_CPRNG
182717f0f4a4SNeil Horman	tristate "Pseudo Random Number Generation for Cryptographic modules"
182817f0f4a4SNeil Horman	select CRYPTO_AES
182917f0f4a4SNeil Horman	select CRYPTO_RNG
183017f0f4a4SNeil Horman	help
183117f0f4a4SNeil Horman	  This option enables the generic pseudo random number generator
183217f0f4a4SNeil Horman	  for cryptographic modules.  Uses the Algorithm specified in
18337dd607e8SJiri Kosina	  ANSI X9.31 A.2.4. Note that this option must be enabled if
18347dd607e8SJiri Kosina	  CRYPTO_FIPS is selected
183517f0f4a4SNeil Horman
1836f2c89a10SHerbert Xumenuconfig CRYPTO_DRBG_MENU
1837419090c6SStephan Mueller	tristate "NIST SP800-90A DRBG"
1838419090c6SStephan Mueller	help
1839419090c6SStephan Mueller	  NIST SP800-90A compliant DRBG. In the following submenu, one or
1840419090c6SStephan Mueller	  more of the DRBG types must be selected.
1841419090c6SStephan Mueller
1842f2c89a10SHerbert Xuif CRYPTO_DRBG_MENU
1843419090c6SStephan Mueller
1844419090c6SStephan Muellerconfig CRYPTO_DRBG_HMAC
1845401e4238SHerbert Xu	bool
1846419090c6SStephan Mueller	default y
1847419090c6SStephan Mueller	select CRYPTO_HMAC
18485261cdf4SStephan Mueller	select CRYPTO_SHA512
1849419090c6SStephan Mueller
1850419090c6SStephan Muellerconfig CRYPTO_DRBG_HASH
1851419090c6SStephan Mueller	bool "Enable Hash DRBG"
1852826775bbSHerbert Xu	select CRYPTO_SHA256
1853419090c6SStephan Mueller	help
1854419090c6SStephan Mueller	  Enable the Hash DRBG variant as defined in NIST SP800-90A.
1855419090c6SStephan Mueller
1856419090c6SStephan Muellerconfig CRYPTO_DRBG_CTR
1857419090c6SStephan Mueller	bool "Enable CTR DRBG"
1858419090c6SStephan Mueller	select CRYPTO_AES
1859d6fc1a45SCorentin Labbe	select CRYPTO_CTR
1860419090c6SStephan Mueller	help
1861419090c6SStephan Mueller	  Enable the CTR DRBG variant as defined in NIST SP800-90A.
1862419090c6SStephan Mueller
1863f2c89a10SHerbert Xuconfig CRYPTO_DRBG
1864f2c89a10SHerbert Xu	tristate
1865401e4238SHerbert Xu	default CRYPTO_DRBG_MENU
1866f2c89a10SHerbert Xu	select CRYPTO_RNG
1867bb5530e4SStephan Mueller	select CRYPTO_JITTERENTROPY
1868f2c89a10SHerbert Xu
1869f2c89a10SHerbert Xuendif	# if CRYPTO_DRBG_MENU
1870419090c6SStephan Mueller
1871bb5530e4SStephan Muellerconfig CRYPTO_JITTERENTROPY
1872bb5530e4SStephan Mueller	tristate "Jitterentropy Non-Deterministic Random Number Generator"
18732f313e02SArnd Bergmann	select CRYPTO_RNG
1874bb5530e4SStephan Mueller	help
1875bb5530e4SStephan Mueller	  The Jitterentropy RNG is a noise that is intended
1876bb5530e4SStephan Mueller	  to provide seed to another RNG. The RNG does not
1877bb5530e4SStephan Mueller	  perform any cryptographic whitening of the generated
1878bb5530e4SStephan Mueller	  random numbers. This Jitterentropy RNG registers with
1879bb5530e4SStephan Mueller	  the kernel crypto API and can be used by any caller.
1880bb5530e4SStephan Mueller
1881026a733eSStephan Müllerconfig CRYPTO_KDF800108_CTR
1882026a733eSStephan Müller	tristate
1883a88592ccSHerbert Xu	select CRYPTO_HMAC
1884304b4aceSStephan Müller	select CRYPTO_SHA256
1885026a733eSStephan Müller
188603c8efc1SHerbert Xuconfig CRYPTO_USER_API
188703c8efc1SHerbert Xu	tristate
188803c8efc1SHerbert Xu
1889fe869cdbSHerbert Xuconfig CRYPTO_USER_API_HASH
1890fe869cdbSHerbert Xu	tristate "User-space interface for hash algorithms"
18917451708fSHerbert Xu	depends on NET
1892fe869cdbSHerbert Xu	select CRYPTO_HASH
1893fe869cdbSHerbert Xu	select CRYPTO_USER_API
1894fe869cdbSHerbert Xu	help
1895fe869cdbSHerbert Xu	  This option enables the user-spaces interface for hash
1896fe869cdbSHerbert Xu	  algorithms.
1897fe869cdbSHerbert Xu
18988ff59090SHerbert Xuconfig CRYPTO_USER_API_SKCIPHER
18998ff59090SHerbert Xu	tristate "User-space interface for symmetric key cipher algorithms"
19007451708fSHerbert Xu	depends on NET
1901b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
19028ff59090SHerbert Xu	select CRYPTO_USER_API
19038ff59090SHerbert Xu	help
19048ff59090SHerbert Xu	  This option enables the user-spaces interface for symmetric
19058ff59090SHerbert Xu	  key cipher algorithms.
19068ff59090SHerbert Xu
19072f375538SStephan Muellerconfig CRYPTO_USER_API_RNG
19082f375538SStephan Mueller	tristate "User-space interface for random number generator algorithms"
19092f375538SStephan Mueller	depends on NET
19102f375538SStephan Mueller	select CRYPTO_RNG
19112f375538SStephan Mueller	select CRYPTO_USER_API
19122f375538SStephan Mueller	help
19132f375538SStephan Mueller	  This option enables the user-spaces interface for random
19142f375538SStephan Mueller	  number generator algorithms.
19152f375538SStephan Mueller
191677ebdabeSElena Petrovaconfig CRYPTO_USER_API_RNG_CAVP
191777ebdabeSElena Petrova	bool "Enable CAVP testing of DRBG"
191877ebdabeSElena Petrova	depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
191977ebdabeSElena Petrova	help
192077ebdabeSElena Petrova	  This option enables extra API for CAVP testing via the user-space
192177ebdabeSElena Petrova	  interface: resetting of DRBG entropy, and providing Additional Data.
192277ebdabeSElena Petrova	  This should only be enabled for CAVP testing. You should say
192377ebdabeSElena Petrova	  no unless you know what this is.
192477ebdabeSElena Petrova
1925b64a2d95SHerbert Xuconfig CRYPTO_USER_API_AEAD
1926b64a2d95SHerbert Xu	tristate "User-space interface for AEAD cipher algorithms"
1927b64a2d95SHerbert Xu	depends on NET
1928b64a2d95SHerbert Xu	select CRYPTO_AEAD
1929b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
193072548b09SStephan Mueller	select CRYPTO_NULL
1931b64a2d95SHerbert Xu	select CRYPTO_USER_API
1932b64a2d95SHerbert Xu	help
1933b64a2d95SHerbert Xu	  This option enables the user-spaces interface for AEAD
1934b64a2d95SHerbert Xu	  cipher algorithms.
1935b64a2d95SHerbert Xu
19369ace6771SArd Biesheuvelconfig CRYPTO_USER_API_ENABLE_OBSOLETE
19379ace6771SArd Biesheuvel	bool "Enable obsolete cryptographic algorithms for userspace"
19389ace6771SArd Biesheuvel	depends on CRYPTO_USER_API
19399ace6771SArd Biesheuvel	default y
19409ace6771SArd Biesheuvel	help
19419ace6771SArd Biesheuvel	  Allow obsolete cryptographic algorithms to be selected that have
19429ace6771SArd Biesheuvel	  already been phased out from internal use by the kernel, and are
19439ace6771SArd Biesheuvel	  only useful for userspace clients that still rely on them.
19449ace6771SArd Biesheuvel
1945cac5818cSCorentin Labbeconfig CRYPTO_STATS
1946cac5818cSCorentin Labbe	bool "Crypto usage statistics for User-space"
1947a6a31385SCorentin Labbe	depends on CRYPTO_USER
1948cac5818cSCorentin Labbe	help
1949cac5818cSCorentin Labbe	  This option enables the gathering of crypto stats.
1950cac5818cSCorentin Labbe	  This will collect:
1951cac5818cSCorentin Labbe	  - encrypt/decrypt size and numbers of symmeric operations
1952cac5818cSCorentin Labbe	  - compress/decompress size and numbers of compress operations
1953cac5818cSCorentin Labbe	  - size and numbers of hash operations
1954cac5818cSCorentin Labbe	  - encrypt/decrypt/sign/verify numbers for asymmetric operations
1955cac5818cSCorentin Labbe	  - generate/seed numbers for rng operations
1956cac5818cSCorentin Labbe
1957ee08997fSDmitry Kasatkinconfig CRYPTO_HASH_INFO
1958ee08997fSDmitry Kasatkin	bool
1959ee08997fSDmitry Kasatkin
19601da177e4SLinus Torvaldssource "drivers/crypto/Kconfig"
19618636a1f9SMasahiro Yamadasource "crypto/asymmetric_keys/Kconfig"
19628636a1f9SMasahiro Yamadasource "certs/Kconfig"
19631da177e4SLinus Torvalds
1964cce9e06dSHerbert Xuendif	# if CRYPTO
1965