xref: /linux/crypto/Kconfig (revision e45f710b42afd7e67276234853d2de19faf46362)
1b2441318SGreg Kroah-Hartman# SPDX-License-Identifier: GPL-2.0
21da177e4SLinus Torvalds#
3685784aaSDan Williams# Generic algorithms support
4685784aaSDan Williams#
5685784aaSDan Williamsconfig XOR_BLOCKS
6685784aaSDan Williams	tristate
7685784aaSDan Williams
8685784aaSDan Williams#
99bc89cd8SDan Williams# async_tx api: hardware offloaded memory transfer/transform support
109bc89cd8SDan Williams#
119bc89cd8SDan Williamssource "crypto/async_tx/Kconfig"
129bc89cd8SDan Williams
139bc89cd8SDan Williams#
141da177e4SLinus Torvalds# Cryptographic API Configuration
151da177e4SLinus Torvalds#
162e290f43SJan Engelhardtmenuconfig CRYPTO
17c3715cb9SSebastian Siewior	tristate "Cryptographic API"
187033b937SEric Biggers	select CRYPTO_LIB_UTILS
191da177e4SLinus Torvalds	help
201da177e4SLinus Torvalds	  This option provides the core Cryptographic API.
211da177e4SLinus Torvalds
22cce9e06dSHerbert Xuif CRYPTO
23cce9e06dSHerbert Xu
24584fffc8SSebastian Siewiorcomment "Crypto core or helper"
25584fffc8SSebastian Siewior
26ccb778e1SNeil Hormanconfig CRYPTO_FIPS
27ccb778e1SNeil Horman	bool "FIPS 200 compliance"
28f2c89a10SHerbert Xu	depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
291f696097SAlec Ari	depends on (MODULE_SIG || !MODULES)
30ccb778e1SNeil Horman	help
31d99324c2SGeert Uytterhoeven	  This option enables the fips boot option which is
32d99324c2SGeert Uytterhoeven	  required if you want the system to operate in a FIPS 200
33ccb778e1SNeil Horman	  certification.  You should say no unless you know what
34e84c5480SChuck Ebbert	  this is.
35ccb778e1SNeil Horman
365a44749fSVladis Dronovconfig CRYPTO_FIPS_NAME
375a44749fSVladis Dronov	string "FIPS Module Name"
385a44749fSVladis Dronov	default "Linux Kernel Cryptographic API"
395a44749fSVladis Dronov	depends on CRYPTO_FIPS
405a44749fSVladis Dronov	help
415a44749fSVladis Dronov	  This option sets the FIPS Module name reported by the Crypto API via
425a44749fSVladis Dronov	  the /proc/sys/crypto/fips_name file.
435a44749fSVladis Dronov
445a44749fSVladis Dronovconfig CRYPTO_FIPS_CUSTOM_VERSION
455a44749fSVladis Dronov	bool "Use Custom FIPS Module Version"
465a44749fSVladis Dronov	depends on CRYPTO_FIPS
475a44749fSVladis Dronov	default n
485a44749fSVladis Dronov
495a44749fSVladis Dronovconfig CRYPTO_FIPS_VERSION
505a44749fSVladis Dronov	string "FIPS Module Version"
515a44749fSVladis Dronov	default "(none)"
525a44749fSVladis Dronov	depends on CRYPTO_FIPS_CUSTOM_VERSION
535a44749fSVladis Dronov	help
545a44749fSVladis Dronov	  This option provides the ability to override the FIPS Module Version.
555a44749fSVladis Dronov	  By default the KERNELRELEASE value is used.
565a44749fSVladis Dronov
57cce9e06dSHerbert Xuconfig CRYPTO_ALGAPI
58cce9e06dSHerbert Xu	tristate
596a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
60cce9e06dSHerbert Xu	help
61cce9e06dSHerbert Xu	  This option provides the API for cryptographic algorithms.
62cce9e06dSHerbert Xu
636a0fcbb4SHerbert Xuconfig CRYPTO_ALGAPI2
646a0fcbb4SHerbert Xu	tristate
656a0fcbb4SHerbert Xu
661ae97820SHerbert Xuconfig CRYPTO_AEAD
671ae97820SHerbert Xu	tristate
686a0fcbb4SHerbert Xu	select CRYPTO_AEAD2
691ae97820SHerbert Xu	select CRYPTO_ALGAPI
701ae97820SHerbert Xu
716a0fcbb4SHerbert Xuconfig CRYPTO_AEAD2
726a0fcbb4SHerbert Xu	tristate
736a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
74149a3971SHerbert Xu	select CRYPTO_NULL2
75149a3971SHerbert Xu	select CRYPTO_RNG2
766a0fcbb4SHerbert Xu
77b95bba5dSEric Biggersconfig CRYPTO_SKCIPHER
785cde0af2SHerbert Xu	tristate
79b95bba5dSEric Biggers	select CRYPTO_SKCIPHER2
805cde0af2SHerbert Xu	select CRYPTO_ALGAPI
816a0fcbb4SHerbert Xu
82b95bba5dSEric Biggersconfig CRYPTO_SKCIPHER2
836a0fcbb4SHerbert Xu	tristate
846a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
856a0fcbb4SHerbert Xu	select CRYPTO_RNG2
865cde0af2SHerbert Xu
87055bcee3SHerbert Xuconfig CRYPTO_HASH
88055bcee3SHerbert Xu	tristate
896a0fcbb4SHerbert Xu	select CRYPTO_HASH2
90055bcee3SHerbert Xu	select CRYPTO_ALGAPI
91055bcee3SHerbert Xu
926a0fcbb4SHerbert Xuconfig CRYPTO_HASH2
936a0fcbb4SHerbert Xu	tristate
946a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
956a0fcbb4SHerbert Xu
9617f0f4a4SNeil Hormanconfig CRYPTO_RNG
9717f0f4a4SNeil Horman	tristate
986a0fcbb4SHerbert Xu	select CRYPTO_RNG2
9917f0f4a4SNeil Horman	select CRYPTO_ALGAPI
10017f0f4a4SNeil Horman
1016a0fcbb4SHerbert Xuconfig CRYPTO_RNG2
1026a0fcbb4SHerbert Xu	tristate
1036a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
1046a0fcbb4SHerbert Xu
105401e4238SHerbert Xuconfig CRYPTO_RNG_DEFAULT
106401e4238SHerbert Xu	tristate
107401e4238SHerbert Xu	select CRYPTO_DRBG_MENU
108401e4238SHerbert Xu
1093c339ab8STadeusz Strukconfig CRYPTO_AKCIPHER2
1103c339ab8STadeusz Struk	tristate
1113c339ab8STadeusz Struk	select CRYPTO_ALGAPI2
1123c339ab8STadeusz Struk
1133c339ab8STadeusz Strukconfig CRYPTO_AKCIPHER
1143c339ab8STadeusz Struk	tristate
1153c339ab8STadeusz Struk	select CRYPTO_AKCIPHER2
1163c339ab8STadeusz Struk	select CRYPTO_ALGAPI
1173c339ab8STadeusz Struk
1184e5f2c40SSalvatore Benedettoconfig CRYPTO_KPP2
1194e5f2c40SSalvatore Benedetto	tristate
1204e5f2c40SSalvatore Benedetto	select CRYPTO_ALGAPI2
1214e5f2c40SSalvatore Benedetto
1224e5f2c40SSalvatore Benedettoconfig CRYPTO_KPP
1234e5f2c40SSalvatore Benedetto	tristate
1244e5f2c40SSalvatore Benedetto	select CRYPTO_ALGAPI
1254e5f2c40SSalvatore Benedetto	select CRYPTO_KPP2
1264e5f2c40SSalvatore Benedetto
1272ebda74fSGiovanni Cabidduconfig CRYPTO_ACOMP2
1282ebda74fSGiovanni Cabiddu	tristate
1292ebda74fSGiovanni Cabiddu	select CRYPTO_ALGAPI2
1308cd579d2SBart Van Assche	select SGL_ALLOC
1312ebda74fSGiovanni Cabiddu
1322ebda74fSGiovanni Cabidduconfig CRYPTO_ACOMP
1332ebda74fSGiovanni Cabiddu	tristate
1342ebda74fSGiovanni Cabiddu	select CRYPTO_ALGAPI
1352ebda74fSGiovanni Cabiddu	select CRYPTO_ACOMP2
1362ebda74fSGiovanni Cabiddu
1372b8c19dbSHerbert Xuconfig CRYPTO_MANAGER
1382b8c19dbSHerbert Xu	tristate "Cryptographic algorithm manager"
1396a0fcbb4SHerbert Xu	select CRYPTO_MANAGER2
1402b8c19dbSHerbert Xu	help
1412b8c19dbSHerbert Xu	  Create default cryptographic template instantiations such as
1422b8c19dbSHerbert Xu	  cbc(aes).
1432b8c19dbSHerbert Xu
1446a0fcbb4SHerbert Xuconfig CRYPTO_MANAGER2
1456a0fcbb4SHerbert Xu	def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
1466a0fcbb4SHerbert Xu	select CRYPTO_AEAD2
1476a0fcbb4SHerbert Xu	select CRYPTO_HASH2
148b95bba5dSEric Biggers	select CRYPTO_SKCIPHER2
149946cc463STadeusz Struk	select CRYPTO_AKCIPHER2
1504e5f2c40SSalvatore Benedetto	select CRYPTO_KPP2
1512ebda74fSGiovanni Cabiddu	select CRYPTO_ACOMP2
1526a0fcbb4SHerbert Xu
153a38f7907SSteffen Klassertconfig CRYPTO_USER
154a38f7907SSteffen Klassert	tristate "Userspace cryptographic algorithm configuration"
1555db017aaSHerbert Xu	depends on NET
156a38f7907SSteffen Klassert	select CRYPTO_MANAGER
157a38f7907SSteffen Klassert	help
158d19978f5SValdis.Kletnieks@vt.edu	  Userspace configuration for cryptographic instantiations such as
159a38f7907SSteffen Klassert	  cbc(aes).
160a38f7907SSteffen Klassert
161326a6346SHerbert Xuconfig CRYPTO_MANAGER_DISABLE_TESTS
162326a6346SHerbert Xu	bool "Disable run-time self tests"
16300ca28a5SHerbert Xu	default y
1640b767f96SAlexander Shishkin	help
165326a6346SHerbert Xu	  Disable run-time self tests that normally take place at
166326a6346SHerbert Xu	  algorithm registration.
1670b767f96SAlexander Shishkin
1685b2706a4SEric Biggersconfig CRYPTO_MANAGER_EXTRA_TESTS
1695b2706a4SEric Biggers	bool "Enable extra run-time crypto self tests"
1706569e309SJason A. Donenfeld	depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER
1715b2706a4SEric Biggers	help
1725b2706a4SEric Biggers	  Enable extra run-time self tests of registered crypto algorithms,
1735b2706a4SEric Biggers	  including randomized fuzz tests.
1745b2706a4SEric Biggers
1755b2706a4SEric Biggers	  This is intended for developer use only, as these tests take much
1765b2706a4SEric Biggers	  longer to run than the normal self tests.
1775b2706a4SEric Biggers
178584fffc8SSebastian Siewiorconfig CRYPTO_GF128MUL
179e590e132SEric Biggers	tristate
180584fffc8SSebastian Siewior
181584fffc8SSebastian Siewiorconfig CRYPTO_NULL
182584fffc8SSebastian Siewior	tristate "Null algorithms"
183149a3971SHerbert Xu	select CRYPTO_NULL2
184584fffc8SSebastian Siewior	help
185584fffc8SSebastian Siewior	  These are 'Null' algorithms, used by IPsec, which do nothing.
186584fffc8SSebastian Siewior
187149a3971SHerbert Xuconfig CRYPTO_NULL2
188dd43c4e9SHerbert Xu	tristate
189149a3971SHerbert Xu	select CRYPTO_ALGAPI2
190b95bba5dSEric Biggers	select CRYPTO_SKCIPHER2
191149a3971SHerbert Xu	select CRYPTO_HASH2
192149a3971SHerbert Xu
1935068c7a8SSteffen Klassertconfig CRYPTO_PCRYPT
1943b4afaf2SKees Cook	tristate "Parallel crypto engine"
1953b4afaf2SKees Cook	depends on SMP
1965068c7a8SSteffen Klassert	select PADATA
1975068c7a8SSteffen Klassert	select CRYPTO_MANAGER
1985068c7a8SSteffen Klassert	select CRYPTO_AEAD
1995068c7a8SSteffen Klassert	help
2005068c7a8SSteffen Klassert	  This converts an arbitrary crypto algorithm into a parallel
2015068c7a8SSteffen Klassert	  algorithm that executes in kernel threads.
2025068c7a8SSteffen Klassert
203584fffc8SSebastian Siewiorconfig CRYPTO_CRYPTD
204584fffc8SSebastian Siewior	tristate "Software async crypto daemon"
205b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
206b8a28251SLoc Ho	select CRYPTO_HASH
207584fffc8SSebastian Siewior	select CRYPTO_MANAGER
208584fffc8SSebastian Siewior	help
209584fffc8SSebastian Siewior	  This is a generic software asynchronous crypto daemon that
210584fffc8SSebastian Siewior	  converts an arbitrary synchronous software crypto algorithm
211584fffc8SSebastian Siewior	  into an asynchronous algorithm that executes in a kernel thread.
212584fffc8SSebastian Siewior
213584fffc8SSebastian Siewiorconfig CRYPTO_AUTHENC
214584fffc8SSebastian Siewior	tristate "Authenc support"
215584fffc8SSebastian Siewior	select CRYPTO_AEAD
216b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
217584fffc8SSebastian Siewior	select CRYPTO_MANAGER
218584fffc8SSebastian Siewior	select CRYPTO_HASH
219e94c6a7aSHerbert Xu	select CRYPTO_NULL
220584fffc8SSebastian Siewior	help
221584fffc8SSebastian Siewior	  Authenc: Combined mode wrapper for IPsec.
222584fffc8SSebastian Siewior	  This is required for IPSec.
223584fffc8SSebastian Siewior
224584fffc8SSebastian Siewiorconfig CRYPTO_TEST
225584fffc8SSebastian Siewior	tristate "Testing module"
22600ea27f1SArd Biesheuvel	depends on m || EXPERT
227da7f033dSHerbert Xu	select CRYPTO_MANAGER
228584fffc8SSebastian Siewior	help
229584fffc8SSebastian Siewior	  Quick & dirty crypto test module.
230584fffc8SSebastian Siewior
231266d0516SHerbert Xuconfig CRYPTO_SIMD
232266d0516SHerbert Xu	tristate
233266d0516SHerbert Xu	select CRYPTO_CRYPTD
234266d0516SHerbert Xu
235735d37b5SBaolin Wangconfig CRYPTO_ENGINE
236735d37b5SBaolin Wang	tristate
237735d37b5SBaolin Wang
2383d6228a5SVitaly Chikunovcomment "Public-key cryptography"
2393d6228a5SVitaly Chikunov
2403d6228a5SVitaly Chikunovconfig CRYPTO_RSA
2413d6228a5SVitaly Chikunov	tristate "RSA algorithm"
2423d6228a5SVitaly Chikunov	select CRYPTO_AKCIPHER
2433d6228a5SVitaly Chikunov	select CRYPTO_MANAGER
2443d6228a5SVitaly Chikunov	select MPILIB
2453d6228a5SVitaly Chikunov	select ASN1
2463d6228a5SVitaly Chikunov	help
2473d6228a5SVitaly Chikunov	  Generic implementation of the RSA public key algorithm.
2483d6228a5SVitaly Chikunov
2493d6228a5SVitaly Chikunovconfig CRYPTO_DH
2503d6228a5SVitaly Chikunov	tristate "Diffie-Hellman algorithm"
2513d6228a5SVitaly Chikunov	select CRYPTO_KPP
2523d6228a5SVitaly Chikunov	select MPILIB
2533d6228a5SVitaly Chikunov	help
2543d6228a5SVitaly Chikunov	  Generic implementation of the Diffie-Hellman algorithm.
2553d6228a5SVitaly Chikunov
2567dce5981SNicolai Stangeconfig CRYPTO_DH_RFC7919_GROUPS
2577dce5981SNicolai Stange	bool "Support for RFC 7919 FFDHE group parameters"
2587dce5981SNicolai Stange	depends on CRYPTO_DH
2591e207964SNicolai Stange	select CRYPTO_RNG_DEFAULT
2607dce5981SNicolai Stange	help
2617dce5981SNicolai Stange	  Provide support for RFC 7919 FFDHE group parameters. If unsure, say N.
2627dce5981SNicolai Stange
2634a2289daSVitaly Chikunovconfig CRYPTO_ECC
2644a2289daSVitaly Chikunov	tristate
26538aa192aSArnd Bergmann	select CRYPTO_RNG_DEFAULT
2664a2289daSVitaly Chikunov
2673d6228a5SVitaly Chikunovconfig CRYPTO_ECDH
2683d6228a5SVitaly Chikunov	tristate "ECDH algorithm"
2694a2289daSVitaly Chikunov	select CRYPTO_ECC
2703d6228a5SVitaly Chikunov	select CRYPTO_KPP
2713d6228a5SVitaly Chikunov	help
2723d6228a5SVitaly Chikunov	  Generic implementation of the ECDH algorithm
2733d6228a5SVitaly Chikunov
2744e660291SStefan Bergerconfig CRYPTO_ECDSA
2754e660291SStefan Berger	tristate "ECDSA (NIST P192, P256 etc.) algorithm"
2764e660291SStefan Berger	select CRYPTO_ECC
2774e660291SStefan Berger	select CRYPTO_AKCIPHER
2784e660291SStefan Berger	select ASN1
2794e660291SStefan Berger	help
2804e660291SStefan Berger	  Elliptic Curve Digital Signature Algorithm (NIST P192, P256 etc.)
2814e660291SStefan Berger	  is A NIST cryptographic standard algorithm. Only signature verification
2824e660291SStefan Berger	  is implemented.
2834e660291SStefan Berger
2840d7a7864SVitaly Chikunovconfig CRYPTO_ECRDSA
2850d7a7864SVitaly Chikunov	tristate "EC-RDSA (GOST 34.10) algorithm"
2860d7a7864SVitaly Chikunov	select CRYPTO_ECC
2870d7a7864SVitaly Chikunov	select CRYPTO_AKCIPHER
2880d7a7864SVitaly Chikunov	select CRYPTO_STREEBOG
2891036633eSVitaly Chikunov	select OID_REGISTRY
2901036633eSVitaly Chikunov	select ASN1
2910d7a7864SVitaly Chikunov	help
2920d7a7864SVitaly Chikunov	  Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
2930d7a7864SVitaly Chikunov	  RFC 7091, ISO/IEC 14888-3:2018) is one of the Russian cryptographic
2940d7a7864SVitaly Chikunov	  standard algorithms (called GOST algorithms). Only signature verification
2950d7a7864SVitaly Chikunov	  is implemented.
2960d7a7864SVitaly Chikunov
297ea7ecb66STianjia Zhangconfig CRYPTO_SM2
298ea7ecb66STianjia Zhang	tristate "SM2 algorithm"
299d2825fa9SJason A. Donenfeld	select CRYPTO_SM3
300ea7ecb66STianjia Zhang	select CRYPTO_AKCIPHER
301ea7ecb66STianjia Zhang	select CRYPTO_MANAGER
302ea7ecb66STianjia Zhang	select MPILIB
303ea7ecb66STianjia Zhang	select ASN1
304ea7ecb66STianjia Zhang	help
305ea7ecb66STianjia Zhang	  Generic implementation of the SM2 public key algorithm. It was
306ea7ecb66STianjia Zhang	  published by State Encryption Management Bureau, China.
307ea7ecb66STianjia Zhang	  as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012.
308ea7ecb66STianjia Zhang
309ea7ecb66STianjia Zhang	  References:
310ea7ecb66STianjia Zhang	  https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02
311ea7ecb66STianjia Zhang	  http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml
312ea7ecb66STianjia Zhang	  http://www.gmbz.org.cn/main/bzlb.html
313ea7ecb66STianjia Zhang
314ee772cb6SArd Biesheuvelconfig CRYPTO_CURVE25519
315ee772cb6SArd Biesheuvel	tristate "Curve25519 algorithm"
316ee772cb6SArd Biesheuvel	select CRYPTO_KPP
317ee772cb6SArd Biesheuvel	select CRYPTO_LIB_CURVE25519_GENERIC
318ee772cb6SArd Biesheuvel
319bb611bdfSJason A. Donenfeldconfig CRYPTO_CURVE25519_X86
320bb611bdfSJason A. Donenfeld	tristate "x86_64 accelerated Curve25519 scalar multiplication library"
321bb611bdfSJason A. Donenfeld	depends on X86 && 64BIT
322bb611bdfSJason A. Donenfeld	select CRYPTO_LIB_CURVE25519_GENERIC
323bb611bdfSJason A. Donenfeld	select CRYPTO_ARCH_HAVE_LIB_CURVE25519
324bb611bdfSJason A. Donenfeld
325584fffc8SSebastian Siewiorcomment "Authenticated Encryption with Associated Data"
326584fffc8SSebastian Siewior
327584fffc8SSebastian Siewiorconfig CRYPTO_CCM
328584fffc8SSebastian Siewior	tristate "CCM support"
329584fffc8SSebastian Siewior	select CRYPTO_CTR
330f15f05b0SArd Biesheuvel	select CRYPTO_HASH
331584fffc8SSebastian Siewior	select CRYPTO_AEAD
332c8a3315aSEric Biggers	select CRYPTO_MANAGER
333584fffc8SSebastian Siewior	help
334584fffc8SSebastian Siewior	  Support for Counter with CBC MAC. Required for IPsec.
335584fffc8SSebastian Siewior
336584fffc8SSebastian Siewiorconfig CRYPTO_GCM
337584fffc8SSebastian Siewior	tristate "GCM/GMAC support"
338584fffc8SSebastian Siewior	select CRYPTO_CTR
339584fffc8SSebastian Siewior	select CRYPTO_AEAD
3409382d97aSHuang Ying	select CRYPTO_GHASH
3419489667dSJussi Kivilinna	select CRYPTO_NULL
342c8a3315aSEric Biggers	select CRYPTO_MANAGER
343584fffc8SSebastian Siewior	help
344584fffc8SSebastian Siewior	  Support for Galois/Counter Mode (GCM) and Galois Message
345584fffc8SSebastian Siewior	  Authentication Code (GMAC). Required for IPSec.
346584fffc8SSebastian Siewior
34771ebc4d1SMartin Williconfig CRYPTO_CHACHA20POLY1305
34871ebc4d1SMartin Willi	tristate "ChaCha20-Poly1305 AEAD support"
34971ebc4d1SMartin Willi	select CRYPTO_CHACHA20
35071ebc4d1SMartin Willi	select CRYPTO_POLY1305
35171ebc4d1SMartin Willi	select CRYPTO_AEAD
352c8a3315aSEric Biggers	select CRYPTO_MANAGER
35371ebc4d1SMartin Willi	help
35471ebc4d1SMartin Willi	  ChaCha20-Poly1305 AEAD support, RFC7539.
35571ebc4d1SMartin Willi
35671ebc4d1SMartin Willi	  Support for the AEAD wrapper using the ChaCha20 stream cipher combined
35771ebc4d1SMartin Willi	  with the Poly1305 authenticator. It is defined in RFC7539 for use in
35871ebc4d1SMartin Willi	  IETF protocols.
35971ebc4d1SMartin Willi
360f606a88eSOndrej Mosnacekconfig CRYPTO_AEGIS128
361f606a88eSOndrej Mosnacek	tristate "AEGIS-128 AEAD algorithm"
362f606a88eSOndrej Mosnacek	select CRYPTO_AEAD
363f606a88eSOndrej Mosnacek	select CRYPTO_AES  # for AES S-box tables
364f606a88eSOndrej Mosnacek	help
365f606a88eSOndrej Mosnacek	 Support for the AEGIS-128 dedicated AEAD algorithm.
366f606a88eSOndrej Mosnacek
367a4397635SArd Biesheuvelconfig CRYPTO_AEGIS128_SIMD
368a4397635SArd Biesheuvel	bool "Support SIMD acceleration for AEGIS-128"
369a4397635SArd Biesheuvel	depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
370a4397635SArd Biesheuvel	default y
371a4397635SArd Biesheuvel
3721d373d4eSOndrej Mosnacekconfig CRYPTO_AEGIS128_AESNI_SSE2
3731d373d4eSOndrej Mosnacek	tristate "AEGIS-128 AEAD algorithm (x86_64 AESNI+SSE2 implementation)"
3741d373d4eSOndrej Mosnacek	depends on X86 && 64BIT
3751d373d4eSOndrej Mosnacek	select CRYPTO_AEAD
376de272ca7SEric Biggers	select CRYPTO_SIMD
3771d373d4eSOndrej Mosnacek	help
3784e5180ebSOndrej Mosnacek	 AESNI+SSE2 implementation of the AEGIS-128 dedicated AEAD algorithm.
3791d373d4eSOndrej Mosnacek
380584fffc8SSebastian Siewiorconfig CRYPTO_SEQIV
381584fffc8SSebastian Siewior	tristate "Sequence Number IV Generator"
382584fffc8SSebastian Siewior	select CRYPTO_AEAD
383b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
384856e3f40SHerbert Xu	select CRYPTO_NULL
385401e4238SHerbert Xu	select CRYPTO_RNG_DEFAULT
386c8a3315aSEric Biggers	select CRYPTO_MANAGER
387584fffc8SSebastian Siewior	help
388584fffc8SSebastian Siewior	  This IV generator generates an IV based on a sequence number by
389584fffc8SSebastian Siewior	  xoring it with a salt.  This algorithm is mainly useful for CTR
390584fffc8SSebastian Siewior
391a10f554fSHerbert Xuconfig CRYPTO_ECHAINIV
392a10f554fSHerbert Xu	tristate "Encrypted Chain IV Generator"
393a10f554fSHerbert Xu	select CRYPTO_AEAD
394a10f554fSHerbert Xu	select CRYPTO_NULL
395401e4238SHerbert Xu	select CRYPTO_RNG_DEFAULT
396c8a3315aSEric Biggers	select CRYPTO_MANAGER
397a10f554fSHerbert Xu	help
398a10f554fSHerbert Xu	  This IV generator generates an IV based on the encryption of
399a10f554fSHerbert Xu	  a sequence number xored with a salt.  This is the default
400a10f554fSHerbert Xu	  algorithm for CBC.
401a10f554fSHerbert Xu
402584fffc8SSebastian Siewiorcomment "Block modes"
403584fffc8SSebastian Siewior
404584fffc8SSebastian Siewiorconfig CRYPTO_CBC
405584fffc8SSebastian Siewior	tristate "CBC support"
406b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
407584fffc8SSebastian Siewior	select CRYPTO_MANAGER
408584fffc8SSebastian Siewior	help
409584fffc8SSebastian Siewior	  CBC: Cipher Block Chaining mode
410584fffc8SSebastian Siewior	  This block cipher algorithm is required for IPSec.
411584fffc8SSebastian Siewior
412a7d85e06SJames Bottomleyconfig CRYPTO_CFB
413a7d85e06SJames Bottomley	tristate "CFB support"
414b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
415a7d85e06SJames Bottomley	select CRYPTO_MANAGER
416a7d85e06SJames Bottomley	help
417a7d85e06SJames Bottomley	  CFB: Cipher FeedBack mode
418a7d85e06SJames Bottomley	  This block cipher algorithm is required for TPM2 Cryptography.
419a7d85e06SJames Bottomley
420584fffc8SSebastian Siewiorconfig CRYPTO_CTR
421584fffc8SSebastian Siewior	tristate "CTR support"
422b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
423584fffc8SSebastian Siewior	select CRYPTO_MANAGER
424584fffc8SSebastian Siewior	help
425584fffc8SSebastian Siewior	  CTR: Counter mode
426584fffc8SSebastian Siewior	  This block cipher algorithm is required for IPSec.
427584fffc8SSebastian Siewior
428584fffc8SSebastian Siewiorconfig CRYPTO_CTS
429584fffc8SSebastian Siewior	tristate "CTS support"
430b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
431c8a3315aSEric Biggers	select CRYPTO_MANAGER
432584fffc8SSebastian Siewior	help
433584fffc8SSebastian Siewior	  CTS: Cipher Text Stealing
434584fffc8SSebastian Siewior	  This is the Cipher Text Stealing mode as described by
435ecd6d5c9SGilad Ben-Yossef	  Section 8 of rfc2040 and referenced by rfc3962
436ecd6d5c9SGilad Ben-Yossef	  (rfc3962 includes errata information in its Appendix A) or
437ecd6d5c9SGilad Ben-Yossef	  CBC-CS3 as defined by NIST in Sp800-38A addendum from Oct 2010.
438584fffc8SSebastian Siewior	  This mode is required for Kerberos gss mechanism support
439584fffc8SSebastian Siewior	  for AES encryption.
440584fffc8SSebastian Siewior
441ecd6d5c9SGilad Ben-Yossef	  See: https://csrc.nist.gov/publications/detail/sp/800-38a/addendum/final
442ecd6d5c9SGilad Ben-Yossef
443584fffc8SSebastian Siewiorconfig CRYPTO_ECB
444584fffc8SSebastian Siewior	tristate "ECB support"
445b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
446584fffc8SSebastian Siewior	select CRYPTO_MANAGER
447584fffc8SSebastian Siewior	help
448584fffc8SSebastian Siewior	  ECB: Electronic CodeBook mode
449584fffc8SSebastian Siewior	  This is the simplest block cipher algorithm.  It simply encrypts
450584fffc8SSebastian Siewior	  the input block by block.
451584fffc8SSebastian Siewior
452584fffc8SSebastian Siewiorconfig CRYPTO_LRW
4532470a2b2SJussi Kivilinna	tristate "LRW support"
454b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
455584fffc8SSebastian Siewior	select CRYPTO_MANAGER
456584fffc8SSebastian Siewior	select CRYPTO_GF128MUL
457f60bbbbeSHerbert Xu	select CRYPTO_ECB
458584fffc8SSebastian Siewior	help
459584fffc8SSebastian Siewior	  LRW: Liskov Rivest Wagner, a tweakable, non malleable, non movable
460584fffc8SSebastian Siewior	  narrow block cipher mode for dm-crypt.  Use it with cipher
461584fffc8SSebastian Siewior	  specification string aes-lrw-benbi, the key must be 256, 320 or 384.
462584fffc8SSebastian Siewior	  The first 128, 192 or 256 bits in the key are used for AES and the
463584fffc8SSebastian Siewior	  rest is used to tie each cipher block to its logical position.
464584fffc8SSebastian Siewior
465e497c518SGilad Ben-Yossefconfig CRYPTO_OFB
466e497c518SGilad Ben-Yossef	tristate "OFB support"
467b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
468e497c518SGilad Ben-Yossef	select CRYPTO_MANAGER
469e497c518SGilad Ben-Yossef	help
470e497c518SGilad Ben-Yossef	  OFB: the Output Feedback mode makes a block cipher into a synchronous
471e497c518SGilad Ben-Yossef	  stream cipher. It generates keystream blocks, which are then XORed
472e497c518SGilad Ben-Yossef	  with the plaintext blocks to get the ciphertext. Flipping a bit in the
473e497c518SGilad Ben-Yossef	  ciphertext produces a flipped bit in the plaintext at the same
474e497c518SGilad Ben-Yossef	  location. This property allows many error correcting codes to function
475e497c518SGilad Ben-Yossef	  normally even when applied before encryption.
476e497c518SGilad Ben-Yossef
477584fffc8SSebastian Siewiorconfig CRYPTO_PCBC
478584fffc8SSebastian Siewior	tristate "PCBC support"
479b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
480584fffc8SSebastian Siewior	select CRYPTO_MANAGER
481584fffc8SSebastian Siewior	help
482584fffc8SSebastian Siewior	  PCBC: Propagating Cipher Block Chaining mode
483584fffc8SSebastian Siewior	  This block cipher algorithm is required for RxRPC.
484584fffc8SSebastian Siewior
48517fee07aSNathan Huckleberryconfig CRYPTO_XCTR
48617fee07aSNathan Huckleberry	tristate
48717fee07aSNathan Huckleberry	select CRYPTO_SKCIPHER
48817fee07aSNathan Huckleberry	select CRYPTO_MANAGER
48917fee07aSNathan Huckleberry	help
49017fee07aSNathan Huckleberry	  XCTR: XOR Counter mode. This blockcipher mode is a variant of CTR mode
49117fee07aSNathan Huckleberry	  using XORs and little-endian addition rather than big-endian arithmetic.
49217fee07aSNathan Huckleberry	  XCTR mode is used to implement HCTR2.
49317fee07aSNathan Huckleberry
494584fffc8SSebastian Siewiorconfig CRYPTO_XTS
4955bcf8e6dSJussi Kivilinna	tristate "XTS support"
496b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
497584fffc8SSebastian Siewior	select CRYPTO_MANAGER
49812cb3a1cSMilan Broz	select CRYPTO_ECB
499584fffc8SSebastian Siewior	help
500584fffc8SSebastian Siewior	  XTS: IEEE1619/D16 narrow block cipher use with aes-xts-plain,
501584fffc8SSebastian Siewior	  key size 256, 384 or 512 bits. This implementation currently
502584fffc8SSebastian Siewior	  can't handle a sectorsize which is not a multiple of 16 bytes.
503584fffc8SSebastian Siewior
5041c49678eSStephan Muellerconfig CRYPTO_KEYWRAP
5051c49678eSStephan Mueller	tristate "Key wrapping support"
506b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
507c8a3315aSEric Biggers	select CRYPTO_MANAGER
5081c49678eSStephan Mueller	help
5091c49678eSStephan Mueller	  Support for key wrapping (NIST SP800-38F / RFC3394) without
5101c49678eSStephan Mueller	  padding.
5111c49678eSStephan Mueller
51226609a21SEric Biggersconfig CRYPTO_NHPOLY1305
51326609a21SEric Biggers	tristate
51426609a21SEric Biggers	select CRYPTO_HASH
51548ea8c6eSArd Biesheuvel	select CRYPTO_LIB_POLY1305_GENERIC
51626609a21SEric Biggers
517012c8238SEric Biggersconfig CRYPTO_NHPOLY1305_SSE2
518012c8238SEric Biggers	tristate "NHPoly1305 hash function (x86_64 SSE2 implementation)"
519012c8238SEric Biggers	depends on X86 && 64BIT
520012c8238SEric Biggers	select CRYPTO_NHPOLY1305
521012c8238SEric Biggers	help
522012c8238SEric Biggers	  SSE2 optimized implementation of the hash function used by the
523012c8238SEric Biggers	  Adiantum encryption mode.
524012c8238SEric Biggers
5250f961f9fSEric Biggersconfig CRYPTO_NHPOLY1305_AVX2
5260f961f9fSEric Biggers	tristate "NHPoly1305 hash function (x86_64 AVX2 implementation)"
5270f961f9fSEric Biggers	depends on X86 && 64BIT
5280f961f9fSEric Biggers	select CRYPTO_NHPOLY1305
5290f961f9fSEric Biggers	help
5300f961f9fSEric Biggers	  AVX2 optimized implementation of the hash function used by the
5310f961f9fSEric Biggers	  Adiantum encryption mode.
5320f961f9fSEric Biggers
533059c2a4dSEric Biggersconfig CRYPTO_ADIANTUM
534059c2a4dSEric Biggers	tristate "Adiantum support"
535059c2a4dSEric Biggers	select CRYPTO_CHACHA20
53648ea8c6eSArd Biesheuvel	select CRYPTO_LIB_POLY1305_GENERIC
537059c2a4dSEric Biggers	select CRYPTO_NHPOLY1305
538c8a3315aSEric Biggers	select CRYPTO_MANAGER
539059c2a4dSEric Biggers	help
540059c2a4dSEric Biggers	  Adiantum is a tweakable, length-preserving encryption mode
541059c2a4dSEric Biggers	  designed for fast and secure disk encryption, especially on
542059c2a4dSEric Biggers	  CPUs without dedicated crypto instructions.  It encrypts
543059c2a4dSEric Biggers	  each sector using the XChaCha12 stream cipher, two passes of
544059c2a4dSEric Biggers	  an ε-almost-∆-universal hash function, and an invocation of
545059c2a4dSEric Biggers	  the AES-256 block cipher on a single 16-byte block.  On CPUs
546059c2a4dSEric Biggers	  without AES instructions, Adiantum is much faster than
547059c2a4dSEric Biggers	  AES-XTS.
548059c2a4dSEric Biggers
549059c2a4dSEric Biggers	  Adiantum's security is provably reducible to that of its
550059c2a4dSEric Biggers	  underlying stream and block ciphers, subject to a security
551059c2a4dSEric Biggers	  bound.  Unlike XTS, Adiantum is a true wide-block encryption
552059c2a4dSEric Biggers	  mode, so it actually provides an even stronger notion of
553059c2a4dSEric Biggers	  security than XTS, subject to the security bound.
554059c2a4dSEric Biggers
555059c2a4dSEric Biggers	  If unsure, say N.
556059c2a4dSEric Biggers
5577ff554ceSNathan Huckleberryconfig CRYPTO_HCTR2
5587ff554ceSNathan Huckleberry	tristate "HCTR2 support"
5597ff554ceSNathan Huckleberry	select CRYPTO_XCTR
5607ff554ceSNathan Huckleberry	select CRYPTO_POLYVAL
5617ff554ceSNathan Huckleberry	select CRYPTO_MANAGER
5627ff554ceSNathan Huckleberry	help
5637ff554ceSNathan Huckleberry	  HCTR2 is a length-preserving encryption mode for storage encryption that
5647ff554ceSNathan Huckleberry	  is efficient on processors with instructions to accelerate AES and
5657ff554ceSNathan Huckleberry	  carryless multiplication, e.g. x86 processors with AES-NI and CLMUL, and
5667ff554ceSNathan Huckleberry	  ARM processors with the ARMv8 crypto extensions.
5677ff554ceSNathan Huckleberry
568be1eb7f7SArd Biesheuvelconfig CRYPTO_ESSIV
569be1eb7f7SArd Biesheuvel	tristate "ESSIV support for block encryption"
570be1eb7f7SArd Biesheuvel	select CRYPTO_AUTHENC
571be1eb7f7SArd Biesheuvel	help
572be1eb7f7SArd Biesheuvel	  Encrypted salt-sector initialization vector (ESSIV) is an IV
573be1eb7f7SArd Biesheuvel	  generation method that is used in some cases by fscrypt and/or
574be1eb7f7SArd Biesheuvel	  dm-crypt. It uses the hash of the block encryption key as the
575be1eb7f7SArd Biesheuvel	  symmetric key for a block encryption pass applied to the input
576be1eb7f7SArd Biesheuvel	  IV, making low entropy IV sources more suitable for block
577be1eb7f7SArd Biesheuvel	  encryption.
578be1eb7f7SArd Biesheuvel
579be1eb7f7SArd Biesheuvel	  This driver implements a crypto API template that can be
580ab3d436bSGeert Uytterhoeven	  instantiated either as an skcipher or as an AEAD (depending on the
581be1eb7f7SArd Biesheuvel	  type of the first template argument), and which defers encryption
582be1eb7f7SArd Biesheuvel	  and decryption requests to the encapsulated cipher after applying
583ab3d436bSGeert Uytterhoeven	  ESSIV to the input IV. Note that in the AEAD case, it is assumed
584be1eb7f7SArd Biesheuvel	  that the keys are presented in the same format used by the authenc
585be1eb7f7SArd Biesheuvel	  template, and that the IV appears at the end of the authenticated
586be1eb7f7SArd Biesheuvel	  associated data (AAD) region (which is how dm-crypt uses it.)
587be1eb7f7SArd Biesheuvel
588be1eb7f7SArd Biesheuvel	  Note that the use of ESSIV is not recommended for new deployments,
589be1eb7f7SArd Biesheuvel	  and so this only needs to be enabled when interoperability with
590be1eb7f7SArd Biesheuvel	  existing encrypted volumes of filesystems is required, or when
591be1eb7f7SArd Biesheuvel	  building for a particular system that requires it (e.g., when
592be1eb7f7SArd Biesheuvel	  the SoC in question has accelerated CBC but not XTS, making CBC
593be1eb7f7SArd Biesheuvel	  combined with ESSIV the only feasible mode for h/w accelerated
594be1eb7f7SArd Biesheuvel	  block encryption)
595be1eb7f7SArd Biesheuvel
596584fffc8SSebastian Siewiorcomment "Hash modes"
597584fffc8SSebastian Siewior
59893b5e86aSJussi Kivilinnaconfig CRYPTO_CMAC
59993b5e86aSJussi Kivilinna	tristate "CMAC support"
60093b5e86aSJussi Kivilinna	select CRYPTO_HASH
60193b5e86aSJussi Kivilinna	select CRYPTO_MANAGER
60293b5e86aSJussi Kivilinna	help
60393b5e86aSJussi Kivilinna	  Cipher-based Message Authentication Code (CMAC) specified by
60493b5e86aSJussi Kivilinna	  The National Institute of Standards and Technology (NIST).
60593b5e86aSJussi Kivilinna
60693b5e86aSJussi Kivilinna	  https://tools.ietf.org/html/rfc4493
60793b5e86aSJussi Kivilinna	  http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf
60893b5e86aSJussi Kivilinna
6091da177e4SLinus Torvaldsconfig CRYPTO_HMAC
6108425165dSHerbert Xu	tristate "HMAC support"
6110796ae06SHerbert Xu	select CRYPTO_HASH
61243518407SHerbert Xu	select CRYPTO_MANAGER
6131da177e4SLinus Torvalds	help
6141da177e4SLinus Torvalds	  HMAC: Keyed-Hashing for Message Authentication (RFC2104).
6151da177e4SLinus Torvalds	  This is required for IPSec.
6161da177e4SLinus Torvalds
617333b0d7eSKazunori MIYAZAWAconfig CRYPTO_XCBC
618333b0d7eSKazunori MIYAZAWA	tristate "XCBC support"
619333b0d7eSKazunori MIYAZAWA	select CRYPTO_HASH
620333b0d7eSKazunori MIYAZAWA	select CRYPTO_MANAGER
621333b0d7eSKazunori MIYAZAWA	help
622333b0d7eSKazunori MIYAZAWA	  XCBC: Keyed-Hashing with encryption algorithm
6239332a9e7SAlexander A. Klimov		https://www.ietf.org/rfc/rfc3566.txt
624333b0d7eSKazunori MIYAZAWA		http://csrc.nist.gov/encryption/modes/proposedmodes/
625333b0d7eSKazunori MIYAZAWA		 xcbc-mac/xcbc-mac-spec.pdf
626333b0d7eSKazunori MIYAZAWA
627f1939f7cSShane Wangconfig CRYPTO_VMAC
628f1939f7cSShane Wang	tristate "VMAC support"
629f1939f7cSShane Wang	select CRYPTO_HASH
630f1939f7cSShane Wang	select CRYPTO_MANAGER
631f1939f7cSShane Wang	help
632f1939f7cSShane Wang	  VMAC is a message authentication algorithm designed for
633f1939f7cSShane Wang	  very high speed on 64-bit architectures.
634f1939f7cSShane Wang
635f1939f7cSShane Wang	  See also:
6369332a9e7SAlexander A. Klimov	  <https://fastcrypto.org/vmac>
637f1939f7cSShane Wang
638584fffc8SSebastian Siewiorcomment "Digest"
639584fffc8SSebastian Siewior
640584fffc8SSebastian Siewiorconfig CRYPTO_CRC32C
641584fffc8SSebastian Siewior	tristate "CRC32c CRC algorithm"
6425773a3e6SHerbert Xu	select CRYPTO_HASH
6436a0962b2SDarrick J. Wong	select CRC32
6441da177e4SLinus Torvalds	help
645584fffc8SSebastian Siewior	  Castagnoli, et al Cyclic Redundancy-Check Algorithm.  Used
646584fffc8SSebastian Siewior	  by iSCSI for header and data digests and by others.
64769c35efcSHerbert Xu	  See Castagnoli93.  Module will be crc32c.
6481da177e4SLinus Torvalds
6498cb51ba8SAustin Zhangconfig CRYPTO_CRC32C_INTEL
6508cb51ba8SAustin Zhang	tristate "CRC32c INTEL hardware acceleration"
6518cb51ba8SAustin Zhang	depends on X86
6528cb51ba8SAustin Zhang	select CRYPTO_HASH
6538cb51ba8SAustin Zhang	help
6548cb51ba8SAustin Zhang	  In Intel processor with SSE4.2 supported, the processor will
6558cb51ba8SAustin Zhang	  support CRC32C implementation using hardware accelerated CRC32
6568cb51ba8SAustin Zhang	  instruction. This option will create 'crc32c-intel' module,
6578cb51ba8SAustin Zhang	  which will enable any routine to use the CRC32 instruction to
6588cb51ba8SAustin Zhang	  gain performance compared with software implementation.
6598cb51ba8SAustin Zhang	  Module will be crc32c-intel.
6608cb51ba8SAustin Zhang
6617cf31864SJean Delvareconfig CRYPTO_CRC32C_VPMSUM
6626dd7a82cSAnton Blanchard	tristate "CRC32c CRC algorithm (powerpc64)"
663c12abf34SMichael Ellerman	depends on PPC64 && ALTIVEC
6646dd7a82cSAnton Blanchard	select CRYPTO_HASH
6656dd7a82cSAnton Blanchard	select CRC32
6666dd7a82cSAnton Blanchard	help
6676dd7a82cSAnton Blanchard	  CRC32c algorithm implemented using vector polynomial multiply-sum
6686dd7a82cSAnton Blanchard	  (vpmsum) instructions, introduced in POWER8. Enable on POWER8
6696dd7a82cSAnton Blanchard	  and newer processors for improved performance.
6706dd7a82cSAnton Blanchard
6716dd7a82cSAnton Blanchard
672442a7c40SDavid S. Millerconfig CRYPTO_CRC32C_SPARC64
673442a7c40SDavid S. Miller	tristate "CRC32c CRC algorithm (SPARC64)"
674442a7c40SDavid S. Miller	depends on SPARC64
675442a7c40SDavid S. Miller	select CRYPTO_HASH
676442a7c40SDavid S. Miller	select CRC32
677442a7c40SDavid S. Miller	help
678442a7c40SDavid S. Miller	  CRC32c CRC algorithm implemented using sparc64 crypto instructions,
679442a7c40SDavid S. Miller	  when available.
680442a7c40SDavid S. Miller
68178c37d19SAlexander Boykoconfig CRYPTO_CRC32
68278c37d19SAlexander Boyko	tristate "CRC32 CRC algorithm"
68378c37d19SAlexander Boyko	select CRYPTO_HASH
68478c37d19SAlexander Boyko	select CRC32
68578c37d19SAlexander Boyko	help
68678c37d19SAlexander Boyko	  CRC-32-IEEE 802.3 cyclic redundancy-check algorithm.
68778c37d19SAlexander Boyko	  Shash crypto api wrappers to crc32_le function.
68878c37d19SAlexander Boyko
68978c37d19SAlexander Boykoconfig CRYPTO_CRC32_PCLMUL
69078c37d19SAlexander Boyko	tristate "CRC32 PCLMULQDQ hardware acceleration"
69178c37d19SAlexander Boyko	depends on X86
69278c37d19SAlexander Boyko	select CRYPTO_HASH
69378c37d19SAlexander Boyko	select CRC32
69478c37d19SAlexander Boyko	help
69578c37d19SAlexander Boyko	  From Intel Westmere and AMD Bulldozer processor with SSE4.2
69678c37d19SAlexander Boyko	  and PCLMULQDQ supported, the processor will support
69778c37d19SAlexander Boyko	  CRC32 PCLMULQDQ implementation using hardware accelerated PCLMULQDQ
698af8cb01fShaco	  instruction. This option will create 'crc32-pclmul' module,
69978c37d19SAlexander Boyko	  which will enable any routine to use the CRC-32-IEEE 802.3 checksum
70078c37d19SAlexander Boyko	  and gain better performance as compared with the table implementation.
70178c37d19SAlexander Boyko
702b7133757SJason A. Donenfeldconfig CRYPTO_CRC32_S390
703b7133757SJason A. Donenfeld	tristate "CRC-32 algorithms"
704b7133757SJason A. Donenfeld	depends on S390
705b7133757SJason A. Donenfeld	select CRYPTO_HASH
706b7133757SJason A. Donenfeld	select CRC32
707b7133757SJason A. Donenfeld	help
708b7133757SJason A. Donenfeld	  Select this option if you want to use hardware accelerated
709b7133757SJason A. Donenfeld	  implementations of CRC algorithms.  With this option, you
710b7133757SJason A. Donenfeld	  can optimize the computation of CRC-32 (IEEE 802.3 Ethernet)
711b7133757SJason A. Donenfeld	  and CRC-32C (Castagnoli).
712b7133757SJason A. Donenfeld
713b7133757SJason A. Donenfeld	  It is available with IBM z13 or later.
7144a5dc51eSMarcin Nowakowski
71567882e76SNikolay Borisovconfig CRYPTO_XXHASH
71667882e76SNikolay Borisov	tristate "xxHash hash algorithm"
71767882e76SNikolay Borisov	select CRYPTO_HASH
71867882e76SNikolay Borisov	select XXHASH
71967882e76SNikolay Borisov	help
72067882e76SNikolay Borisov	  xxHash non-cryptographic hash algorithm. Extremely fast, working at
72167882e76SNikolay Borisov	  speeds close to RAM limits.
72267882e76SNikolay Borisov
72391d68933SDavid Sterbaconfig CRYPTO_BLAKE2B
72491d68933SDavid Sterba	tristate "BLAKE2b digest algorithm"
72591d68933SDavid Sterba	select CRYPTO_HASH
72691d68933SDavid Sterba	help
72791d68933SDavid Sterba	  Implementation of cryptographic hash function BLAKE2b (or just BLAKE2),
72891d68933SDavid Sterba	  optimized for 64bit platforms and can produce digests of any size
72991d68933SDavid Sterba	  between 1 to 64.  The keyed hash is also implemented.
73091d68933SDavid Sterba
73191d68933SDavid Sterba	  This module provides the following algorithms:
73291d68933SDavid Sterba
73391d68933SDavid Sterba	  - blake2b-160
73491d68933SDavid Sterba	  - blake2b-256
73591d68933SDavid Sterba	  - blake2b-384
73691d68933SDavid Sterba	  - blake2b-512
73791d68933SDavid Sterba
73891d68933SDavid Sterba	  See https://blake2.net for further information.
73991d68933SDavid Sterba
740ed0356edSJason A. Donenfeldconfig CRYPTO_BLAKE2S_X86
7412d16803cSJason A. Donenfeld	bool "BLAKE2s digest algorithm (x86 accelerated version)"
742ed0356edSJason A. Donenfeld	depends on X86 && 64BIT
743ed0356edSJason A. Donenfeld	select CRYPTO_LIB_BLAKE2S_GENERIC
744ed0356edSJason A. Donenfeld	select CRYPTO_ARCH_HAVE_LIB_BLAKE2S
745ed0356edSJason A. Donenfeld
74668411521SHerbert Xuconfig CRYPTO_CRCT10DIF
74768411521SHerbert Xu	tristate "CRCT10DIF algorithm"
74868411521SHerbert Xu	select CRYPTO_HASH
74968411521SHerbert Xu	help
75068411521SHerbert Xu	  CRC T10 Data Integrity Field computation is being cast as
75168411521SHerbert Xu	  a crypto transform.  This allows for faster crc t10 diff
75268411521SHerbert Xu	  transforms to be used if they are available.
75368411521SHerbert Xu
75468411521SHerbert Xuconfig CRYPTO_CRCT10DIF_PCLMUL
75568411521SHerbert Xu	tristate "CRCT10DIF PCLMULQDQ hardware acceleration"
75668411521SHerbert Xu	depends on X86 && 64BIT && CRC_T10DIF
75768411521SHerbert Xu	select CRYPTO_HASH
75868411521SHerbert Xu	help
75968411521SHerbert Xu	  For x86_64 processors with SSE4.2 and PCLMULQDQ supported,
76068411521SHerbert Xu	  CRC T10 DIF PCLMULQDQ computation can be hardware
76168411521SHerbert Xu	  accelerated PCLMULQDQ instruction. This option will create
762af8cb01fShaco	  'crct10dif-pclmul' module, which is faster when computing the
76368411521SHerbert Xu	  crct10dif checksum as compared with the generic table implementation.
76468411521SHerbert Xu
765b01df1c1SDaniel Axtensconfig CRYPTO_CRCT10DIF_VPMSUM
766b01df1c1SDaniel Axtens	tristate "CRC32T10DIF powerpc64 hardware acceleration"
767b01df1c1SDaniel Axtens	depends on PPC64 && ALTIVEC && CRC_T10DIF
768b01df1c1SDaniel Axtens	select CRYPTO_HASH
769b01df1c1SDaniel Axtens	help
770b01df1c1SDaniel Axtens	  CRC10T10DIF algorithm implemented using vector polynomial
771b01df1c1SDaniel Axtens	  multiply-sum (vpmsum) instructions, introduced in POWER8. Enable on
772b01df1c1SDaniel Axtens	  POWER8 and newer processors for improved performance.
773b01df1c1SDaniel Axtens
774f3813f4bSKeith Buschconfig CRYPTO_CRC64_ROCKSOFT
775f3813f4bSKeith Busch	tristate "Rocksoft Model CRC64 algorithm"
776f3813f4bSKeith Busch	depends on CRC64
777f3813f4bSKeith Busch	select CRYPTO_HASH
778f3813f4bSKeith Busch
779146c8688SDaniel Axtensconfig CRYPTO_VPMSUM_TESTER
780146c8688SDaniel Axtens	tristate "Powerpc64 vpmsum hardware acceleration tester"
781146c8688SDaniel Axtens	depends on CRYPTO_CRCT10DIF_VPMSUM && CRYPTO_CRC32C_VPMSUM
782146c8688SDaniel Axtens	help
783146c8688SDaniel Axtens	  Stress test for CRC32c and CRC-T10DIF algorithms implemented with
784146c8688SDaniel Axtens	  POWER8 vpmsum instructions.
785146c8688SDaniel Axtens	  Unless you are testing these algorithms, you don't need this.
786146c8688SDaniel Axtens
7872cdc6899SHuang Yingconfig CRYPTO_GHASH
7888dfa20fcSEric Biggers	tristate "GHASH hash function"
7892cdc6899SHuang Ying	select CRYPTO_GF128MUL
790578c60fbSArnd Bergmann	select CRYPTO_HASH
7912cdc6899SHuang Ying	help
7928dfa20fcSEric Biggers	  GHASH is the hash function used in GCM (Galois/Counter Mode).
7938dfa20fcSEric Biggers	  It is not a general-purpose cryptographic hash function.
7942cdc6899SHuang Ying
795f3c923a0SNathan Huckleberryconfig CRYPTO_POLYVAL
796f3c923a0SNathan Huckleberry	tristate
797f3c923a0SNathan Huckleberry	select CRYPTO_GF128MUL
798f3c923a0SNathan Huckleberry	select CRYPTO_HASH
799f3c923a0SNathan Huckleberry	help
800f3c923a0SNathan Huckleberry	  POLYVAL is the hash function used in HCTR2.  It is not a general-purpose
801f3c923a0SNathan Huckleberry	  cryptographic hash function.
802f3c923a0SNathan Huckleberry
80334f7f6c3SNathan Huckleberryconfig CRYPTO_POLYVAL_CLMUL_NI
80434f7f6c3SNathan Huckleberry	tristate "POLYVAL hash function (CLMUL-NI accelerated)"
80534f7f6c3SNathan Huckleberry	depends on X86 && 64BIT
80634f7f6c3SNathan Huckleberry	select CRYPTO_POLYVAL
80734f7f6c3SNathan Huckleberry	help
80834f7f6c3SNathan Huckleberry	  This is the x86_64 CLMUL-NI accelerated implementation of POLYVAL. It is
80934f7f6c3SNathan Huckleberry	  used to efficiently implement HCTR2 on x86-64 processors that support
81034f7f6c3SNathan Huckleberry	  carry-less multiplication instructions.
81134f7f6c3SNathan Huckleberry
812f979e014SMartin Williconfig CRYPTO_POLY1305
813f979e014SMartin Willi	tristate "Poly1305 authenticator algorithm"
814578c60fbSArnd Bergmann	select CRYPTO_HASH
81548ea8c6eSArd Biesheuvel	select CRYPTO_LIB_POLY1305_GENERIC
816f979e014SMartin Willi	help
817f979e014SMartin Willi	  Poly1305 authenticator algorithm, RFC7539.
818f979e014SMartin Willi
819f979e014SMartin Willi	  Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
820f979e014SMartin Willi	  It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
821f979e014SMartin Willi	  in IETF protocols. This is the portable C implementation of Poly1305.
822f979e014SMartin Willi
823c70f4abeSMartin Williconfig CRYPTO_POLY1305_X86_64
824b1ccc8f4SMartin Willi	tristate "Poly1305 authenticator algorithm (x86_64/SSE2/AVX2)"
825c70f4abeSMartin Willi	depends on X86 && 64BIT
8261b2c6a51SArd Biesheuvel	select CRYPTO_LIB_POLY1305_GENERIC
827f0e89bcfSArd Biesheuvel	select CRYPTO_ARCH_HAVE_LIB_POLY1305
828c70f4abeSMartin Willi	help
829c70f4abeSMartin Willi	  Poly1305 authenticator algorithm, RFC7539.
830c70f4abeSMartin Willi
831c70f4abeSMartin Willi	  Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
832c70f4abeSMartin Willi	  It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
833c70f4abeSMartin Willi	  in IETF protocols. This is the x86_64 assembler implementation using SIMD
834c70f4abeSMartin Willi	  instructions.
835c70f4abeSMartin Willi
8361da177e4SLinus Torvaldsconfig CRYPTO_MD4
8371da177e4SLinus Torvalds	tristate "MD4 digest algorithm"
838808a1763SAdrian-Ken Rueegsegger	select CRYPTO_HASH
8391da177e4SLinus Torvalds	help
8401da177e4SLinus Torvalds	  MD4 message digest algorithm (RFC1320).
8411da177e4SLinus Torvalds
8421da177e4SLinus Torvaldsconfig CRYPTO_MD5
8431da177e4SLinus Torvalds	tristate "MD5 digest algorithm"
84414b75ba7SAdrian-Ken Rueegsegger	select CRYPTO_HASH
8451da177e4SLinus Torvalds	help
8461da177e4SLinus Torvalds	  MD5 message digest algorithm (RFC1321).
8471da177e4SLinus Torvalds
848e8e59953SMarkus Stockhausenconfig CRYPTO_MD5_PPC
849e8e59953SMarkus Stockhausen	tristate "MD5 digest algorithm (PPC)"
850e8e59953SMarkus Stockhausen	depends on PPC
851e8e59953SMarkus Stockhausen	select CRYPTO_HASH
852e8e59953SMarkus Stockhausen	help
853e8e59953SMarkus Stockhausen	  MD5 message digest algorithm (RFC1321) implemented
854e8e59953SMarkus Stockhausen	  in PPC assembler.
855e8e59953SMarkus Stockhausen
856fa4dfedcSDavid S. Millerconfig CRYPTO_MD5_SPARC64
857fa4dfedcSDavid S. Miller	tristate "MD5 digest algorithm (SPARC64)"
858fa4dfedcSDavid S. Miller	depends on SPARC64
859fa4dfedcSDavid S. Miller	select CRYPTO_MD5
860fa4dfedcSDavid S. Miller	select CRYPTO_HASH
861fa4dfedcSDavid S. Miller	help
862fa4dfedcSDavid S. Miller	  MD5 message digest algorithm (RFC1321) implemented
863fa4dfedcSDavid S. Miller	  using sparc64 crypto instructions, when available.
864fa4dfedcSDavid S. Miller
865584fffc8SSebastian Siewiorconfig CRYPTO_MICHAEL_MIC
866584fffc8SSebastian Siewior	tristate "Michael MIC keyed digest algorithm"
86719e2bf14SAdrian-Ken Rueegsegger	select CRYPTO_HASH
868584fffc8SSebastian Siewior	help
869584fffc8SSebastian Siewior	  Michael MIC is used for message integrity protection in TKIP
870584fffc8SSebastian Siewior	  (IEEE 802.11i). This algorithm is required for TKIP, but it
871584fffc8SSebastian Siewior	  should not be used for other purposes because of the weakness
872584fffc8SSebastian Siewior	  of the algorithm.
873584fffc8SSebastian Siewior
87482798f90SAdrian-Ken Rueegseggerconfig CRYPTO_RMD160
87582798f90SAdrian-Ken Rueegsegger	tristate "RIPEMD-160 digest algorithm"
876e5835fbaSHerbert Xu	select CRYPTO_HASH
87782798f90SAdrian-Ken Rueegsegger	help
87882798f90SAdrian-Ken Rueegsegger	  RIPEMD-160 (ISO/IEC 10118-3:2004).
87982798f90SAdrian-Ken Rueegsegger
88082798f90SAdrian-Ken Rueegsegger	  RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
88182798f90SAdrian-Ken Rueegsegger	  to be used as a secure replacement for the 128-bit hash functions
8824cbdecd0SRandy Dunlap	  MD4, MD5 and its predecessor RIPEMD
883b6d44341SAdrian Bunk	  (not to be confused with RIPEMD-128).
88482798f90SAdrian-Ken Rueegsegger
885b6d44341SAdrian Bunk	  It's speed is comparable to SHA1 and there are no known attacks
886b6d44341SAdrian Bunk	  against RIPEMD-160.
887534fe2c1SAdrian-Ken Rueegsegger
888534fe2c1SAdrian-Ken Rueegsegger	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
8899332a9e7SAlexander A. Klimov	  See <https://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
890534fe2c1SAdrian-Ken Rueegsegger
8911da177e4SLinus Torvaldsconfig CRYPTO_SHA1
8921da177e4SLinus Torvalds	tristate "SHA1 digest algorithm"
89354ccb367SAdrian-Ken Rueegsegger	select CRYPTO_HASH
894ec8f7f48SEric Biggers	select CRYPTO_LIB_SHA1
8951da177e4SLinus Torvalds	help
8961da177e4SLinus Torvalds	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2).
8971da177e4SLinus Torvalds
89866be8951SMathias Krauseconfig CRYPTO_SHA1_SSSE3
899e38b6b7fStim	tristate "SHA1 digest algorithm (SSSE3/AVX/AVX2/SHA-NI)"
90066be8951SMathias Krause	depends on X86 && 64BIT
90166be8951SMathias Krause	select CRYPTO_SHA1
90266be8951SMathias Krause	select CRYPTO_HASH
90366be8951SMathias Krause	help
90466be8951SMathias Krause	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
90566be8951SMathias Krause	  using Supplemental SSE3 (SSSE3) instructions or Advanced Vector
906e38b6b7fStim	  Extensions (AVX/AVX2) or SHA-NI(SHA Extensions New Instructions),
907e38b6b7fStim	  when available.
90866be8951SMathias Krause
9098275d1aaSTim Chenconfig CRYPTO_SHA256_SSSE3
910e38b6b7fStim	tristate "SHA256 digest algorithm (SSSE3/AVX/AVX2/SHA-NI)"
9118275d1aaSTim Chen	depends on X86 && 64BIT
9128275d1aaSTim Chen	select CRYPTO_SHA256
9138275d1aaSTim Chen	select CRYPTO_HASH
9148275d1aaSTim Chen	help
9158275d1aaSTim Chen	  SHA-256 secure hash standard (DFIPS 180-2) implemented
9168275d1aaSTim Chen	  using Supplemental SSE3 (SSSE3) instructions, or Advanced Vector
9178275d1aaSTim Chen	  Extensions version 1 (AVX1), or Advanced Vector Extensions
918e38b6b7fStim	  version 2 (AVX2) instructions, or SHA-NI (SHA Extensions New
919e38b6b7fStim	  Instructions) when available.
9208275d1aaSTim Chen
92187de4579STim Chenconfig CRYPTO_SHA512_SSSE3
92287de4579STim Chen	tristate "SHA512 digest algorithm (SSSE3/AVX/AVX2)"
92387de4579STim Chen	depends on X86 && 64BIT
92487de4579STim Chen	select CRYPTO_SHA512
92587de4579STim Chen	select CRYPTO_HASH
92687de4579STim Chen	help
92787de4579STim Chen	  SHA-512 secure hash standard (DFIPS 180-2) implemented
92887de4579STim Chen	  using Supplemental SSE3 (SSSE3) instructions, or Advanced Vector
92987de4579STim Chen	  Extensions version 1 (AVX1), or Advanced Vector Extensions
93087de4579STim Chen	  version 2 (AVX2) instructions, when available.
93187de4579STim Chen
932b7133757SJason A. Donenfeldconfig CRYPTO_SHA512_S390
933b7133757SJason A. Donenfeld	tristate "SHA384 and SHA512 digest algorithm"
934b7133757SJason A. Donenfeld	depends on S390
935b7133757SJason A. Donenfeld	select CRYPTO_HASH
936b7133757SJason A. Donenfeld	help
937b7133757SJason A. Donenfeld	  This is the s390 hardware accelerated implementation of the
938b7133757SJason A. Donenfeld	  SHA512 secure hash standard.
939b7133757SJason A. Donenfeld
940b7133757SJason A. Donenfeld	  It is available as of z10.
941b7133757SJason A. Donenfeld
9424ff28d4cSDavid S. Millerconfig CRYPTO_SHA1_SPARC64
9434ff28d4cSDavid S. Miller	tristate "SHA1 digest algorithm (SPARC64)"
9444ff28d4cSDavid S. Miller	depends on SPARC64
9454ff28d4cSDavid S. Miller	select CRYPTO_SHA1
9464ff28d4cSDavid S. Miller	select CRYPTO_HASH
9474ff28d4cSDavid S. Miller	help
9484ff28d4cSDavid S. Miller	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
9494ff28d4cSDavid S. Miller	  using sparc64 crypto instructions, when available.
9504ff28d4cSDavid S. Miller
951323a6bf1SMichael Ellermanconfig CRYPTO_SHA1_PPC
952323a6bf1SMichael Ellerman	tristate "SHA1 digest algorithm (powerpc)"
953323a6bf1SMichael Ellerman	depends on PPC
954323a6bf1SMichael Ellerman	help
955323a6bf1SMichael Ellerman	  This is the powerpc hardware accelerated implementation of the
956323a6bf1SMichael Ellerman	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2).
957323a6bf1SMichael Ellerman
958d9850fc5SMarkus Stockhausenconfig CRYPTO_SHA1_PPC_SPE
959d9850fc5SMarkus Stockhausen	tristate "SHA1 digest algorithm (PPC SPE)"
960d9850fc5SMarkus Stockhausen	depends on PPC && SPE
961d9850fc5SMarkus Stockhausen	help
962d9850fc5SMarkus Stockhausen	  SHA-1 secure hash standard (DFIPS 180-4) implemented
963d9850fc5SMarkus Stockhausen	  using powerpc SPE SIMD instruction set.
964d9850fc5SMarkus Stockhausen
965b7133757SJason A. Donenfeldconfig CRYPTO_SHA1_S390
966b7133757SJason A. Donenfeld	tristate "SHA1 digest algorithm"
967b7133757SJason A. Donenfeld	depends on S390
968b7133757SJason A. Donenfeld	select CRYPTO_HASH
969b7133757SJason A. Donenfeld	help
970b7133757SJason A. Donenfeld	  This is the s390 hardware accelerated implementation of the
971b7133757SJason A. Donenfeld	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2).
972b7133757SJason A. Donenfeld
973b7133757SJason A. Donenfeld	  It is available as of z990.
974b7133757SJason A. Donenfeld
9751da177e4SLinus Torvaldsconfig CRYPTO_SHA256
976cd12fb90SJonathan Lynch	tristate "SHA224 and SHA256 digest algorithm"
97750e109b5SAdrian-Ken Rueegsegger	select CRYPTO_HASH
97808c327f6SHans de Goede	select CRYPTO_LIB_SHA256
9791da177e4SLinus Torvalds	help
9801da177e4SLinus Torvalds	  SHA256 secure hash standard (DFIPS 180-2).
9811da177e4SLinus Torvalds
9821da177e4SLinus Torvalds	  This version of SHA implements a 256 bit hash with 128 bits of
9831da177e4SLinus Torvalds	  security against collision attacks.
9841da177e4SLinus Torvalds
985cd12fb90SJonathan Lynch	  This code also includes SHA-224, a 224 bit hash with 112 bits
986cd12fb90SJonathan Lynch	  of security against collision attacks.
987cd12fb90SJonathan Lynch
9882ecc1e95SMarkus Stockhausenconfig CRYPTO_SHA256_PPC_SPE
9892ecc1e95SMarkus Stockhausen	tristate "SHA224 and SHA256 digest algorithm (PPC SPE)"
9902ecc1e95SMarkus Stockhausen	depends on PPC && SPE
9912ecc1e95SMarkus Stockhausen	select CRYPTO_SHA256
9922ecc1e95SMarkus Stockhausen	select CRYPTO_HASH
9932ecc1e95SMarkus Stockhausen	help
9942ecc1e95SMarkus Stockhausen	  SHA224 and SHA256 secure hash standard (DFIPS 180-2)
9952ecc1e95SMarkus Stockhausen	  implemented using powerpc SPE SIMD instruction set.
9962ecc1e95SMarkus Stockhausen
99786c93b24SDavid S. Millerconfig CRYPTO_SHA256_SPARC64
99886c93b24SDavid S. Miller	tristate "SHA224 and SHA256 digest algorithm (SPARC64)"
99986c93b24SDavid S. Miller	depends on SPARC64
100086c93b24SDavid S. Miller	select CRYPTO_SHA256
100186c93b24SDavid S. Miller	select CRYPTO_HASH
100286c93b24SDavid S. Miller	help
100386c93b24SDavid S. Miller	  SHA-256 secure hash standard (DFIPS 180-2) implemented
100486c93b24SDavid S. Miller	  using sparc64 crypto instructions, when available.
100586c93b24SDavid S. Miller
1006b7133757SJason A. Donenfeldconfig CRYPTO_SHA256_S390
1007b7133757SJason A. Donenfeld	tristate "SHA256 digest algorithm"
1008b7133757SJason A. Donenfeld	depends on S390
1009b7133757SJason A. Donenfeld	select CRYPTO_HASH
1010b7133757SJason A. Donenfeld	help
1011b7133757SJason A. Donenfeld	  This is the s390 hardware accelerated implementation of the
1012b7133757SJason A. Donenfeld	  SHA256 secure hash standard (DFIPS 180-2).
1013b7133757SJason A. Donenfeld
1014b7133757SJason A. Donenfeld	  It is available as of z9.
1015b7133757SJason A. Donenfeld
10161da177e4SLinus Torvaldsconfig CRYPTO_SHA512
10171da177e4SLinus Torvalds	tristate "SHA384 and SHA512 digest algorithms"
1018bd9d20dbSAdrian-Ken Rueegsegger	select CRYPTO_HASH
10191da177e4SLinus Torvalds	help
10201da177e4SLinus Torvalds	  SHA512 secure hash standard (DFIPS 180-2).
10211da177e4SLinus Torvalds
10221da177e4SLinus Torvalds	  This version of SHA implements a 512 bit hash with 256 bits of
10231da177e4SLinus Torvalds	  security against collision attacks.
10241da177e4SLinus Torvalds
10251da177e4SLinus Torvalds	  This code also includes SHA-384, a 384 bit hash with 192 bits
10261da177e4SLinus Torvalds	  of security against collision attacks.
10271da177e4SLinus Torvalds
1028775e0c69SDavid S. Millerconfig CRYPTO_SHA512_SPARC64
1029775e0c69SDavid S. Miller	tristate "SHA384 and SHA512 digest algorithm (SPARC64)"
1030775e0c69SDavid S. Miller	depends on SPARC64
1031775e0c69SDavid S. Miller	select CRYPTO_SHA512
1032775e0c69SDavid S. Miller	select CRYPTO_HASH
1033775e0c69SDavid S. Miller	help
1034775e0c69SDavid S. Miller	  SHA-512 secure hash standard (DFIPS 180-2) implemented
1035775e0c69SDavid S. Miller	  using sparc64 crypto instructions, when available.
1036775e0c69SDavid S. Miller
103753964b9eSJeff Garzikconfig CRYPTO_SHA3
103853964b9eSJeff Garzik	tristate "SHA3 digest algorithm"
103953964b9eSJeff Garzik	select CRYPTO_HASH
104053964b9eSJeff Garzik	help
104153964b9eSJeff Garzik	  SHA-3 secure hash standard (DFIPS 202). It's based on
104253964b9eSJeff Garzik	  cryptographic sponge function family called Keccak.
104353964b9eSJeff Garzik
104453964b9eSJeff Garzik	  References:
104553964b9eSJeff Garzik	  http://keccak.noekeon.org/
104653964b9eSJeff Garzik
1047b7133757SJason A. Donenfeldconfig CRYPTO_SHA3_256_S390
1048b7133757SJason A. Donenfeld	tristate "SHA3_224 and SHA3_256 digest algorithm"
1049b7133757SJason A. Donenfeld	depends on S390
1050b7133757SJason A. Donenfeld	select CRYPTO_HASH
1051b7133757SJason A. Donenfeld	help
1052b7133757SJason A. Donenfeld	  This is the s390 hardware accelerated implementation of the
1053b7133757SJason A. Donenfeld	  SHA3_256 secure hash standard.
1054b7133757SJason A. Donenfeld
1055b7133757SJason A. Donenfeld	  It is available as of z14.
1056b7133757SJason A. Donenfeld
1057b7133757SJason A. Donenfeldconfig CRYPTO_SHA3_512_S390
1058b7133757SJason A. Donenfeld	tristate "SHA3_384 and SHA3_512 digest algorithm"
1059b7133757SJason A. Donenfeld	depends on S390
1060b7133757SJason A. Donenfeld	select CRYPTO_HASH
1061b7133757SJason A. Donenfeld	help
1062b7133757SJason A. Donenfeld	  This is the s390 hardware accelerated implementation of the
1063b7133757SJason A. Donenfeld	  SHA3_512 secure hash standard.
1064b7133757SJason A. Donenfeld
1065b7133757SJason A. Donenfeld	  It is available as of z14.
1066b7133757SJason A. Donenfeld
10674f0fc160SGilad Ben-Yossefconfig CRYPTO_SM3
1068d2825fa9SJason A. Donenfeld	tristate
1069d2825fa9SJason A. Donenfeld
1070d2825fa9SJason A. Donenfeldconfig CRYPTO_SM3_GENERIC
10714f0fc160SGilad Ben-Yossef	tristate "SM3 digest algorithm"
10724f0fc160SGilad Ben-Yossef	select CRYPTO_HASH
1073d2825fa9SJason A. Donenfeld	select CRYPTO_SM3
10744f0fc160SGilad Ben-Yossef	help
10754f0fc160SGilad Ben-Yossef	  SM3 secure hash function as defined by OSCCA GM/T 0004-2012 SM3).
10764f0fc160SGilad Ben-Yossef	  It is part of the Chinese Commercial Cryptography suite.
10774f0fc160SGilad Ben-Yossef
10784f0fc160SGilad Ben-Yossef	  References:
10794f0fc160SGilad Ben-Yossef	  http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
10804f0fc160SGilad Ben-Yossef	  https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
10814f0fc160SGilad Ben-Yossef
1082930ab34dSTianjia Zhangconfig CRYPTO_SM3_AVX_X86_64
1083930ab34dSTianjia Zhang	tristate "SM3 digest algorithm (x86_64/AVX)"
1084930ab34dSTianjia Zhang	depends on X86 && 64BIT
1085930ab34dSTianjia Zhang	select CRYPTO_HASH
1086d2825fa9SJason A. Donenfeld	select CRYPTO_SM3
1087930ab34dSTianjia Zhang	help
1088930ab34dSTianjia Zhang	  SM3 secure hash function as defined by OSCCA GM/T 0004-2012 SM3).
1089930ab34dSTianjia Zhang	  It is part of the Chinese Commercial Cryptography suite. This is
1090930ab34dSTianjia Zhang	  SM3 optimized implementation using Advanced Vector Extensions (AVX)
1091930ab34dSTianjia Zhang	  when available.
1092930ab34dSTianjia Zhang
1093930ab34dSTianjia Zhang	  If unsure, say N.
1094930ab34dSTianjia Zhang
1095fe18957eSVitaly Chikunovconfig CRYPTO_STREEBOG
1096fe18957eSVitaly Chikunov	tristate "Streebog Hash Function"
1097fe18957eSVitaly Chikunov	select CRYPTO_HASH
1098fe18957eSVitaly Chikunov	help
1099fe18957eSVitaly Chikunov	  Streebog Hash Function (GOST R 34.11-2012, RFC 6986) is one of the Russian
1100fe18957eSVitaly Chikunov	  cryptographic standard algorithms (called GOST algorithms).
1101fe18957eSVitaly Chikunov	  This setting enables two hash algorithms with 256 and 512 bits output.
1102fe18957eSVitaly Chikunov
1103fe18957eSVitaly Chikunov	  References:
1104fe18957eSVitaly Chikunov	  https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1105fe18957eSVitaly Chikunov	  https://tools.ietf.org/html/rfc6986
1106fe18957eSVitaly Chikunov
1107584fffc8SSebastian Siewiorconfig CRYPTO_WP512
1108584fffc8SSebastian Siewior	tristate "Whirlpool digest algorithms"
11094946510bSAdrian-Ken Rueegsegger	select CRYPTO_HASH
11101da177e4SLinus Torvalds	help
1111584fffc8SSebastian Siewior	  Whirlpool hash algorithm 512, 384 and 256-bit hashes
11121da177e4SLinus Torvalds
1113584fffc8SSebastian Siewior	  Whirlpool-512 is part of the NESSIE cryptographic primitives.
1114584fffc8SSebastian Siewior	  Whirlpool will be part of the ISO/IEC 10118-3:2003(E) standard
11151da177e4SLinus Torvalds
11161da177e4SLinus Torvalds	  See also:
11176d8de74cSJustin P. Mattock	  <http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html>
11181da177e4SLinus Torvalds
11190e1227d3SHuang Yingconfig CRYPTO_GHASH_CLMUL_NI_INTEL
11208dfa20fcSEric Biggers	tristate "GHASH hash function (CLMUL-NI accelerated)"
11218af00860SRichard Weinberger	depends on X86 && 64BIT
11220e1227d3SHuang Ying	select CRYPTO_CRYPTD
11230e1227d3SHuang Ying	help
11248dfa20fcSEric Biggers	  This is the x86_64 CLMUL-NI accelerated implementation of
11258dfa20fcSEric Biggers	  GHASH, the hash function used in GCM (Galois/Counter mode).
11260e1227d3SHuang Ying
1127b7133757SJason A. Donenfeldconfig CRYPTO_GHASH_S390
1128b7133757SJason A. Donenfeld	tristate "GHASH hash function"
1129b7133757SJason A. Donenfeld	depends on S390
1130b7133757SJason A. Donenfeld	select CRYPTO_HASH
1131b7133757SJason A. Donenfeld	help
1132b7133757SJason A. Donenfeld	  This is the s390 hardware accelerated implementation of GHASH,
1133b7133757SJason A. Donenfeld	  the hash function used in GCM (Galois/Counter mode).
1134b7133757SJason A. Donenfeld
1135b7133757SJason A. Donenfeld	  It is available as of z196.
1136b7133757SJason A. Donenfeld
1137584fffc8SSebastian Siewiorcomment "Ciphers"
11381da177e4SLinus Torvalds
11391da177e4SLinus Torvaldsconfig CRYPTO_AES
11401da177e4SLinus Torvalds	tristate "AES cipher algorithms"
1141cce9e06dSHerbert Xu	select CRYPTO_ALGAPI
11425bb12d78SArd Biesheuvel	select CRYPTO_LIB_AES
11431da177e4SLinus Torvalds	help
11441da177e4SLinus Torvalds	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
11451da177e4SLinus Torvalds	  algorithm.
11461da177e4SLinus Torvalds
11471da177e4SLinus Torvalds	  Rijndael appears to be consistently a very good performer in
11481da177e4SLinus Torvalds	  both hardware and software across a wide range of computing
11491da177e4SLinus Torvalds	  environments regardless of its use in feedback or non-feedback
11501da177e4SLinus Torvalds	  modes. Its key setup time is excellent, and its key agility is
11511da177e4SLinus Torvalds	  good. Rijndael's very low memory requirements make it very well
11521da177e4SLinus Torvalds	  suited for restricted-space environments, in which it also
11531da177e4SLinus Torvalds	  demonstrates excellent performance. Rijndael's operations are
11541da177e4SLinus Torvalds	  among the easiest to defend against power and timing attacks.
11551da177e4SLinus Torvalds
11561da177e4SLinus Torvalds	  The AES specifies three key sizes: 128, 192 and 256 bits
11571da177e4SLinus Torvalds
11581da177e4SLinus Torvalds	  See <http://csrc.nist.gov/CryptoToolkit/aes/> for more information.
11591da177e4SLinus Torvalds
1160b5e0b032SArd Biesheuvelconfig CRYPTO_AES_TI
1161b5e0b032SArd Biesheuvel	tristate "Fixed time AES cipher"
1162b5e0b032SArd Biesheuvel	select CRYPTO_ALGAPI
1163e59c1c98SArd Biesheuvel	select CRYPTO_LIB_AES
1164b5e0b032SArd Biesheuvel	help
1165b5e0b032SArd Biesheuvel	  This is a generic implementation of AES that attempts to eliminate
1166b5e0b032SArd Biesheuvel	  data dependent latencies as much as possible without affecting
1167b5e0b032SArd Biesheuvel	  performance too much. It is intended for use by the generic CCM
1168b5e0b032SArd Biesheuvel	  and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
1169b5e0b032SArd Biesheuvel	  solely on encryption (although decryption is supported as well, but
1170b5e0b032SArd Biesheuvel	  with a more dramatic performance hit)
1171b5e0b032SArd Biesheuvel
1172b5e0b032SArd Biesheuvel	  Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
1173b5e0b032SArd Biesheuvel	  8 for decryption), this implementation only uses just two S-boxes of
1174b5e0b032SArd Biesheuvel	  256 bytes each, and attempts to eliminate data dependent latencies by
1175b5e0b032SArd Biesheuvel	  prefetching the entire table into the cache at the start of each
11760a6a40c2SEric Biggers	  block. Interrupts are also disabled to avoid races where cachelines
11770a6a40c2SEric Biggers	  are evicted when the CPU is interrupted to do something else.
1178b5e0b032SArd Biesheuvel
117954b6a1bdSHuang Yingconfig CRYPTO_AES_NI_INTEL
118054b6a1bdSHuang Ying	tristate "AES cipher algorithms (AES-NI)"
11818af00860SRichard Weinberger	depends on X86
118285671860SHerbert Xu	select CRYPTO_AEAD
11832c53fd11SArd Biesheuvel	select CRYPTO_LIB_AES
118454b6a1bdSHuang Ying	select CRYPTO_ALGAPI
1185b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
118685671860SHerbert Xu	select CRYPTO_SIMD
118754b6a1bdSHuang Ying	help
118854b6a1bdSHuang Ying	  Use Intel AES-NI instructions for AES algorithm.
118954b6a1bdSHuang Ying
119054b6a1bdSHuang Ying	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
119154b6a1bdSHuang Ying	  algorithm.
119254b6a1bdSHuang Ying
119354b6a1bdSHuang Ying	  Rijndael appears to be consistently a very good performer in
119454b6a1bdSHuang Ying	  both hardware and software across a wide range of computing
119554b6a1bdSHuang Ying	  environments regardless of its use in feedback or non-feedback
119654b6a1bdSHuang Ying	  modes. Its key setup time is excellent, and its key agility is
119754b6a1bdSHuang Ying	  good. Rijndael's very low memory requirements make it very well
119854b6a1bdSHuang Ying	  suited for restricted-space environments, in which it also
119954b6a1bdSHuang Ying	  demonstrates excellent performance. Rijndael's operations are
120054b6a1bdSHuang Ying	  among the easiest to defend against power and timing attacks.
120154b6a1bdSHuang Ying
120254b6a1bdSHuang Ying	  The AES specifies three key sizes: 128, 192 and 256 bits
120354b6a1bdSHuang Ying
120454b6a1bdSHuang Ying	  See <http://csrc.nist.gov/encryption/aes/> for more information.
120554b6a1bdSHuang Ying
12060d258efbSMathias Krause	  In addition to AES cipher algorithm support, the acceleration
12070d258efbSMathias Krause	  for some popular block cipher mode is supported too, including
1208944585a6SArd Biesheuvel	  ECB, CBC, LRW, XTS. The 64 bit version has additional
1209fd94fcf0SNathan Huckleberry	  acceleration for CTR and XCTR.
12102cf4ac8bSHuang Ying
12119bf4852dSDavid S. Millerconfig CRYPTO_AES_SPARC64
12129bf4852dSDavid S. Miller	tristate "AES cipher algorithms (SPARC64)"
12139bf4852dSDavid S. Miller	depends on SPARC64
1214b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
12159bf4852dSDavid S. Miller	help
12169bf4852dSDavid S. Miller	  Use SPARC64 crypto opcodes for AES algorithm.
12179bf4852dSDavid S. Miller
12189bf4852dSDavid S. Miller	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
12199bf4852dSDavid S. Miller	  algorithm.
12209bf4852dSDavid S. Miller
12219bf4852dSDavid S. Miller	  Rijndael appears to be consistently a very good performer in
12229bf4852dSDavid S. Miller	  both hardware and software across a wide range of computing
12239bf4852dSDavid S. Miller	  environments regardless of its use in feedback or non-feedback
12249bf4852dSDavid S. Miller	  modes. Its key setup time is excellent, and its key agility is
12259bf4852dSDavid S. Miller	  good. Rijndael's very low memory requirements make it very well
12269bf4852dSDavid S. Miller	  suited for restricted-space environments, in which it also
12279bf4852dSDavid S. Miller	  demonstrates excellent performance. Rijndael's operations are
12289bf4852dSDavid S. Miller	  among the easiest to defend against power and timing attacks.
12299bf4852dSDavid S. Miller
12309bf4852dSDavid S. Miller	  The AES specifies three key sizes: 128, 192 and 256 bits
12319bf4852dSDavid S. Miller
12329bf4852dSDavid S. Miller	  See <http://csrc.nist.gov/encryption/aes/> for more information.
12339bf4852dSDavid S. Miller
12349bf4852dSDavid S. Miller	  In addition to AES cipher algorithm support, the acceleration
12359bf4852dSDavid S. Miller	  for some popular block cipher mode is supported too, including
12369bf4852dSDavid S. Miller	  ECB and CBC.
12379bf4852dSDavid S. Miller
1238504c6143SMarkus Stockhausenconfig CRYPTO_AES_PPC_SPE
1239504c6143SMarkus Stockhausen	tristate "AES cipher algorithms (PPC SPE)"
1240504c6143SMarkus Stockhausen	depends on PPC && SPE
1241b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
1242504c6143SMarkus Stockhausen	help
1243504c6143SMarkus Stockhausen	  AES cipher algorithms (FIPS-197). Additionally the acceleration
1244504c6143SMarkus Stockhausen	  for popular block cipher modes ECB, CBC, CTR and XTS is supported.
1245504c6143SMarkus Stockhausen	  This module should only be used for low power (router) devices
1246504c6143SMarkus Stockhausen	  without hardware AES acceleration (e.g. caam crypto). It reduces the
1247504c6143SMarkus Stockhausen	  size of the AES tables from 16KB to 8KB + 256 bytes and mitigates
1248504c6143SMarkus Stockhausen	  timining attacks. Nevertheless it might be not as secure as other
1249504c6143SMarkus Stockhausen	  architecture specific assembler implementations that work on 1KB
1250504c6143SMarkus Stockhausen	  tables or 256 bytes S-boxes.
1251504c6143SMarkus Stockhausen
1252b7133757SJason A. Donenfeldconfig CRYPTO_AES_S390
1253b7133757SJason A. Donenfeld	tristate "AES cipher algorithms"
1254b7133757SJason A. Donenfeld	depends on S390
1255b7133757SJason A. Donenfeld	select CRYPTO_ALGAPI
1256b7133757SJason A. Donenfeld	select CRYPTO_SKCIPHER
1257b7133757SJason A. Donenfeld	help
1258b7133757SJason A. Donenfeld	  This is the s390 hardware accelerated implementation of the
1259b7133757SJason A. Donenfeld	  AES cipher algorithms (FIPS-197).
1260b7133757SJason A. Donenfeld
1261b7133757SJason A. Donenfeld	  As of z9 the ECB and CBC modes are hardware accelerated
1262b7133757SJason A. Donenfeld	  for 128 bit keys.
1263b7133757SJason A. Donenfeld	  As of z10 the ECB and CBC modes are hardware accelerated
1264b7133757SJason A. Donenfeld	  for all AES key sizes.
1265b7133757SJason A. Donenfeld	  As of z196 the CTR mode is hardware accelerated for all AES
1266b7133757SJason A. Donenfeld	  key sizes and XTS mode is hardware accelerated for 256 and
1267b7133757SJason A. Donenfeld	  512 bit keys.
1268b7133757SJason A. Donenfeld
12691da177e4SLinus Torvaldsconfig CRYPTO_ANUBIS
12701da177e4SLinus Torvalds	tristate "Anubis cipher algorithm"
12711674aea5SArd Biesheuvel	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1272cce9e06dSHerbert Xu	select CRYPTO_ALGAPI
12731da177e4SLinus Torvalds	help
12741da177e4SLinus Torvalds	  Anubis cipher algorithm.
12751da177e4SLinus Torvalds
12761da177e4SLinus Torvalds	  Anubis is a variable key length cipher which can use keys from
12771da177e4SLinus Torvalds	  128 bits to 320 bits in length.  It was evaluated as a entrant
12781da177e4SLinus Torvalds	  in the NESSIE competition.
12791da177e4SLinus Torvalds
12801da177e4SLinus Torvalds	  See also:
12816d8de74cSJustin P. Mattock	  <https://www.cosic.esat.kuleuven.be/nessie/reports/>
12826d8de74cSJustin P. Mattock	  <http://www.larc.usp.br/~pbarreto/AnubisPage.html>
12831da177e4SLinus Torvalds
1284584fffc8SSebastian Siewiorconfig CRYPTO_ARC4
1285584fffc8SSebastian Siewior	tristate "ARC4 cipher algorithm"
12869ace6771SArd Biesheuvel	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1287b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
1288dc51f257SArd Biesheuvel	select CRYPTO_LIB_ARC4
1289e2ee95b8SHye-Shik Chang	help
1290584fffc8SSebastian Siewior	  ARC4 cipher algorithm.
1291e2ee95b8SHye-Shik Chang
1292584fffc8SSebastian Siewior	  ARC4 is a stream cipher using keys ranging from 8 bits to 2048
1293584fffc8SSebastian Siewior	  bits in length.  This algorithm is required for driver-based
1294584fffc8SSebastian Siewior	  WEP, but it should not be for other purposes because of the
1295584fffc8SSebastian Siewior	  weakness of the algorithm.
1296584fffc8SSebastian Siewior
1297584fffc8SSebastian Siewiorconfig CRYPTO_BLOWFISH
1298584fffc8SSebastian Siewior	tristate "Blowfish cipher algorithm"
1299584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
130052ba867cSJussi Kivilinna	select CRYPTO_BLOWFISH_COMMON
1301584fffc8SSebastian Siewior	help
1302584fffc8SSebastian Siewior	  Blowfish cipher algorithm, by Bruce Schneier.
1303584fffc8SSebastian Siewior
1304584fffc8SSebastian Siewior	  This is a variable key length cipher which can use keys from 32
1305584fffc8SSebastian Siewior	  bits to 448 bits in length.  It's fast, simple and specifically
1306584fffc8SSebastian Siewior	  designed for use on "large microprocessors".
1307e2ee95b8SHye-Shik Chang
1308e2ee95b8SHye-Shik Chang	  See also:
13099332a9e7SAlexander A. Klimov	  <https://www.schneier.com/blowfish.html>
1310584fffc8SSebastian Siewior
131152ba867cSJussi Kivilinnaconfig CRYPTO_BLOWFISH_COMMON
131252ba867cSJussi Kivilinna	tristate
131352ba867cSJussi Kivilinna	help
131452ba867cSJussi Kivilinna	  Common parts of the Blowfish cipher algorithm shared by the
131552ba867cSJussi Kivilinna	  generic c and the assembler implementations.
131652ba867cSJussi Kivilinna
131752ba867cSJussi Kivilinna	  See also:
13189332a9e7SAlexander A. Klimov	  <https://www.schneier.com/blowfish.html>
131952ba867cSJussi Kivilinna
132064b94ceaSJussi Kivilinnaconfig CRYPTO_BLOWFISH_X86_64
132164b94ceaSJussi Kivilinna	tristate "Blowfish cipher algorithm (x86_64)"
1322f21a7c19SAl Viro	depends on X86 && 64BIT
1323b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
132464b94ceaSJussi Kivilinna	select CRYPTO_BLOWFISH_COMMON
1325c0a64926SArd Biesheuvel	imply CRYPTO_CTR
132664b94ceaSJussi Kivilinna	help
132764b94ceaSJussi Kivilinna	  Blowfish cipher algorithm (x86_64), by Bruce Schneier.
132864b94ceaSJussi Kivilinna
132964b94ceaSJussi Kivilinna	  This is a variable key length cipher which can use keys from 32
133064b94ceaSJussi Kivilinna	  bits to 448 bits in length.  It's fast, simple and specifically
133164b94ceaSJussi Kivilinna	  designed for use on "large microprocessors".
133264b94ceaSJussi Kivilinna
133364b94ceaSJussi Kivilinna	  See also:
13349332a9e7SAlexander A. Klimov	  <https://www.schneier.com/blowfish.html>
133564b94ceaSJussi Kivilinna
1336584fffc8SSebastian Siewiorconfig CRYPTO_CAMELLIA
1337584fffc8SSebastian Siewior	tristate "Camellia cipher algorithms"
1338584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1339584fffc8SSebastian Siewior	help
1340584fffc8SSebastian Siewior	  Camellia cipher algorithms module.
1341584fffc8SSebastian Siewior
1342584fffc8SSebastian Siewior	  Camellia is a symmetric key block cipher developed jointly
1343584fffc8SSebastian Siewior	  at NTT and Mitsubishi Electric Corporation.
1344584fffc8SSebastian Siewior
1345584fffc8SSebastian Siewior	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1346584fffc8SSebastian Siewior
1347584fffc8SSebastian Siewior	  See also:
1348584fffc8SSebastian Siewior	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1349584fffc8SSebastian Siewior
13500b95ec56SJussi Kivilinnaconfig CRYPTO_CAMELLIA_X86_64
13510b95ec56SJussi Kivilinna	tristate "Camellia cipher algorithm (x86_64)"
1352f21a7c19SAl Viro	depends on X86 && 64BIT
1353b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
1354a1f91ecfSArd Biesheuvel	imply CRYPTO_CTR
13550b95ec56SJussi Kivilinna	help
13560b95ec56SJussi Kivilinna	  Camellia cipher algorithm module (x86_64).
13570b95ec56SJussi Kivilinna
13580b95ec56SJussi Kivilinna	  Camellia is a symmetric key block cipher developed jointly
13590b95ec56SJussi Kivilinna	  at NTT and Mitsubishi Electric Corporation.
13600b95ec56SJussi Kivilinna
13610b95ec56SJussi Kivilinna	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
13620b95ec56SJussi Kivilinna
13630b95ec56SJussi Kivilinna	  See also:
13640b95ec56SJussi Kivilinna	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
13650b95ec56SJussi Kivilinna
1366d9b1d2e7SJussi Kivilinnaconfig CRYPTO_CAMELLIA_AESNI_AVX_X86_64
1367d9b1d2e7SJussi Kivilinna	tristate "Camellia cipher algorithm (x86_64/AES-NI/AVX)"
1368d9b1d2e7SJussi Kivilinna	depends on X86 && 64BIT
1369b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
1370d9b1d2e7SJussi Kivilinna	select CRYPTO_CAMELLIA_X86_64
137144893bc2SEric Biggers	select CRYPTO_SIMD
137255a7e88fSArd Biesheuvel	imply CRYPTO_XTS
1373d9b1d2e7SJussi Kivilinna	help
1374d9b1d2e7SJussi Kivilinna	  Camellia cipher algorithm module (x86_64/AES-NI/AVX).
1375d9b1d2e7SJussi Kivilinna
1376d9b1d2e7SJussi Kivilinna	  Camellia is a symmetric key block cipher developed jointly
1377d9b1d2e7SJussi Kivilinna	  at NTT and Mitsubishi Electric Corporation.
1378d9b1d2e7SJussi Kivilinna
1379d9b1d2e7SJussi Kivilinna	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1380d9b1d2e7SJussi Kivilinna
1381d9b1d2e7SJussi Kivilinna	  See also:
1382d9b1d2e7SJussi Kivilinna	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1383d9b1d2e7SJussi Kivilinna
1384f3f935a7SJussi Kivilinnaconfig CRYPTO_CAMELLIA_AESNI_AVX2_X86_64
1385f3f935a7SJussi Kivilinna	tristate "Camellia cipher algorithm (x86_64/AES-NI/AVX2)"
1386f3f935a7SJussi Kivilinna	depends on X86 && 64BIT
1387f3f935a7SJussi Kivilinna	select CRYPTO_CAMELLIA_AESNI_AVX_X86_64
1388f3f935a7SJussi Kivilinna	help
1389f3f935a7SJussi Kivilinna	  Camellia cipher algorithm module (x86_64/AES-NI/AVX2).
1390f3f935a7SJussi Kivilinna
1391f3f935a7SJussi Kivilinna	  Camellia is a symmetric key block cipher developed jointly
1392f3f935a7SJussi Kivilinna	  at NTT and Mitsubishi Electric Corporation.
1393f3f935a7SJussi Kivilinna
1394f3f935a7SJussi Kivilinna	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1395f3f935a7SJussi Kivilinna
1396f3f935a7SJussi Kivilinna	  See also:
1397f3f935a7SJussi Kivilinna	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1398f3f935a7SJussi Kivilinna
139981658ad0SDavid S. Millerconfig CRYPTO_CAMELLIA_SPARC64
140081658ad0SDavid S. Miller	tristate "Camellia cipher algorithm (SPARC64)"
140181658ad0SDavid S. Miller	depends on SPARC64
140281658ad0SDavid S. Miller	select CRYPTO_ALGAPI
1403b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
140481658ad0SDavid S. Miller	help
140581658ad0SDavid S. Miller	  Camellia cipher algorithm module (SPARC64).
140681658ad0SDavid S. Miller
140781658ad0SDavid S. Miller	  Camellia is a symmetric key block cipher developed jointly
140881658ad0SDavid S. Miller	  at NTT and Mitsubishi Electric Corporation.
140981658ad0SDavid S. Miller
141081658ad0SDavid S. Miller	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
141181658ad0SDavid S. Miller
141281658ad0SDavid S. Miller	  See also:
141381658ad0SDavid S. Miller	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
141481658ad0SDavid S. Miller
1415044ab525SJussi Kivilinnaconfig CRYPTO_CAST_COMMON
1416044ab525SJussi Kivilinna	tristate
1417044ab525SJussi Kivilinna	help
1418044ab525SJussi Kivilinna	  Common parts of the CAST cipher algorithms shared by the
1419044ab525SJussi Kivilinna	  generic c and the assembler implementations.
1420044ab525SJussi Kivilinna
1421584fffc8SSebastian Siewiorconfig CRYPTO_CAST5
1422584fffc8SSebastian Siewior	tristate "CAST5 (CAST-128) cipher algorithm"
1423584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1424044ab525SJussi Kivilinna	select CRYPTO_CAST_COMMON
1425584fffc8SSebastian Siewior	help
1426584fffc8SSebastian Siewior	  The CAST5 encryption algorithm (synonymous with CAST-128) is
1427584fffc8SSebastian Siewior	  described in RFC2144.
1428584fffc8SSebastian Siewior
14294d6d6a2cSJohannes Goetzfriedconfig CRYPTO_CAST5_AVX_X86_64
14304d6d6a2cSJohannes Goetzfried	tristate "CAST5 (CAST-128) cipher algorithm (x86_64/AVX)"
14314d6d6a2cSJohannes Goetzfried	depends on X86 && 64BIT
1432b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
14334d6d6a2cSJohannes Goetzfried	select CRYPTO_CAST5
14341e63183aSEric Biggers	select CRYPTO_CAST_COMMON
14351e63183aSEric Biggers	select CRYPTO_SIMD
1436e2d60e2fSArd Biesheuvel	imply CRYPTO_CTR
14374d6d6a2cSJohannes Goetzfried	help
14384d6d6a2cSJohannes Goetzfried	  The CAST5 encryption algorithm (synonymous with CAST-128) is
14394d6d6a2cSJohannes Goetzfried	  described in RFC2144.
14404d6d6a2cSJohannes Goetzfried
14414d6d6a2cSJohannes Goetzfried	  This module provides the Cast5 cipher algorithm that processes
14424d6d6a2cSJohannes Goetzfried	  sixteen blocks parallel using the AVX instruction set.
14434d6d6a2cSJohannes Goetzfried
1444584fffc8SSebastian Siewiorconfig CRYPTO_CAST6
1445584fffc8SSebastian Siewior	tristate "CAST6 (CAST-256) cipher algorithm"
1446584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1447044ab525SJussi Kivilinna	select CRYPTO_CAST_COMMON
1448584fffc8SSebastian Siewior	help
1449584fffc8SSebastian Siewior	  The CAST6 encryption algorithm (synonymous with CAST-256) is
1450584fffc8SSebastian Siewior	  described in RFC2612.
1451584fffc8SSebastian Siewior
14524ea1277dSJohannes Goetzfriedconfig CRYPTO_CAST6_AVX_X86_64
14534ea1277dSJohannes Goetzfried	tristate "CAST6 (CAST-256) cipher algorithm (x86_64/AVX)"
14544ea1277dSJohannes Goetzfried	depends on X86 && 64BIT
1455b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
14564ea1277dSJohannes Goetzfried	select CRYPTO_CAST6
14574bd96924SEric Biggers	select CRYPTO_CAST_COMMON
14584bd96924SEric Biggers	select CRYPTO_SIMD
14592cc0fedbSArd Biesheuvel	imply CRYPTO_XTS
14607a6623ccSArd Biesheuvel	imply CRYPTO_CTR
14614ea1277dSJohannes Goetzfried	help
14624ea1277dSJohannes Goetzfried	  The CAST6 encryption algorithm (synonymous with CAST-256) is
14634ea1277dSJohannes Goetzfried	  described in RFC2612.
14644ea1277dSJohannes Goetzfried
14654ea1277dSJohannes Goetzfried	  This module provides the Cast6 cipher algorithm that processes
14664ea1277dSJohannes Goetzfried	  eight blocks parallel using the AVX instruction set.
14674ea1277dSJohannes Goetzfried
1468584fffc8SSebastian Siewiorconfig CRYPTO_DES
1469584fffc8SSebastian Siewior	tristate "DES and Triple DES EDE cipher algorithms"
1470584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
147104007b0eSArd Biesheuvel	select CRYPTO_LIB_DES
1472584fffc8SSebastian Siewior	help
1473584fffc8SSebastian Siewior	  DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3).
1474584fffc8SSebastian Siewior
1475c5aac2dfSDavid S. Millerconfig CRYPTO_DES_SPARC64
1476c5aac2dfSDavid S. Miller	tristate "DES and Triple DES EDE cipher algorithms (SPARC64)"
147797da37b3SDave Jones	depends on SPARC64
1478c5aac2dfSDavid S. Miller	select CRYPTO_ALGAPI
147904007b0eSArd Biesheuvel	select CRYPTO_LIB_DES
1480b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
1481c5aac2dfSDavid S. Miller	help
1482c5aac2dfSDavid S. Miller	  DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3),
1483c5aac2dfSDavid S. Miller	  optimized using SPARC64 crypto opcodes.
1484c5aac2dfSDavid S. Miller
14856574e6c6SJussi Kivilinnaconfig CRYPTO_DES3_EDE_X86_64
14866574e6c6SJussi Kivilinna	tristate "Triple DES EDE cipher algorithm (x86-64)"
14876574e6c6SJussi Kivilinna	depends on X86 && 64BIT
1488b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
148904007b0eSArd Biesheuvel	select CRYPTO_LIB_DES
1490768db5feSArd Biesheuvel	imply CRYPTO_CTR
14916574e6c6SJussi Kivilinna	help
14926574e6c6SJussi Kivilinna	  Triple DES EDE (FIPS 46-3) algorithm.
14936574e6c6SJussi Kivilinna
14946574e6c6SJussi Kivilinna	  This module provides implementation of the Triple DES EDE cipher
14956574e6c6SJussi Kivilinna	  algorithm that is optimized for x86-64 processors. Two versions of
14966574e6c6SJussi Kivilinna	  algorithm are provided; regular processing one input block and
14976574e6c6SJussi Kivilinna	  one that processes three blocks parallel.
14986574e6c6SJussi Kivilinna
1499b7133757SJason A. Donenfeldconfig CRYPTO_DES_S390
1500b7133757SJason A. Donenfeld	tristate "DES and Triple DES cipher algorithms"
1501b7133757SJason A. Donenfeld	depends on S390
1502b7133757SJason A. Donenfeld	select CRYPTO_ALGAPI
1503b7133757SJason A. Donenfeld	select CRYPTO_SKCIPHER
1504b7133757SJason A. Donenfeld	select CRYPTO_LIB_DES
1505b7133757SJason A. Donenfeld	help
1506b7133757SJason A. Donenfeld	  This is the s390 hardware accelerated implementation of the
1507b7133757SJason A. Donenfeld	  DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3).
1508b7133757SJason A. Donenfeld
1509b7133757SJason A. Donenfeld	  As of z990 the ECB and CBC mode are hardware accelerated.
1510b7133757SJason A. Donenfeld	  As of z196 the CTR mode is hardware accelerated.
1511b7133757SJason A. Donenfeld
1512584fffc8SSebastian Siewiorconfig CRYPTO_FCRYPT
1513584fffc8SSebastian Siewior	tristate "FCrypt cipher algorithm"
1514584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1515b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
1516584fffc8SSebastian Siewior	help
1517584fffc8SSebastian Siewior	  FCrypt algorithm used by RxRPC.
1518584fffc8SSebastian Siewior
1519584fffc8SSebastian Siewiorconfig CRYPTO_KHAZAD
1520584fffc8SSebastian Siewior	tristate "Khazad cipher algorithm"
15211674aea5SArd Biesheuvel	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1522584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1523584fffc8SSebastian Siewior	help
1524584fffc8SSebastian Siewior	  Khazad cipher algorithm.
1525584fffc8SSebastian Siewior
1526584fffc8SSebastian Siewior	  Khazad was a finalist in the initial NESSIE competition.  It is
1527584fffc8SSebastian Siewior	  an algorithm optimized for 64-bit processors with good performance
1528584fffc8SSebastian Siewior	  on 32-bit processors.  Khazad uses an 128 bit key size.
1529584fffc8SSebastian Siewior
1530584fffc8SSebastian Siewior	  See also:
15316d8de74cSJustin P. Mattock	  <http://www.larc.usp.br/~pbarreto/KhazadPage.html>
1532e2ee95b8SHye-Shik Chang
1533c08d0e64SMartin Williconfig CRYPTO_CHACHA20
1534aa762409SEric Biggers	tristate "ChaCha stream cipher algorithms"
15355fb8ef25SArd Biesheuvel	select CRYPTO_LIB_CHACHA_GENERIC
1536b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
1537c08d0e64SMartin Willi	help
1538aa762409SEric Biggers	  The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms.
1539c08d0e64SMartin Willi
1540c08d0e64SMartin Willi	  ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
1541c08d0e64SMartin Willi	  Bernstein and further specified in RFC7539 for use in IETF protocols.
1542de61d7aeSEric Biggers	  This is the portable C implementation of ChaCha20.  See also:
15439332a9e7SAlexander A. Klimov	  <https://cr.yp.to/chacha/chacha-20080128.pdf>
1544c08d0e64SMartin Willi
1545de61d7aeSEric Biggers	  XChaCha20 is the application of the XSalsa20 construction to ChaCha20
1546de61d7aeSEric Biggers	  rather than to Salsa20.  XChaCha20 extends ChaCha20's nonce length
1547de61d7aeSEric Biggers	  from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
1548de61d7aeSEric Biggers	  while provably retaining ChaCha20's security.  See also:
1549de61d7aeSEric Biggers	  <https://cr.yp.to/snuffle/xsalsa-20081128.pdf>
1550de61d7aeSEric Biggers
1551aa762409SEric Biggers	  XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
1552aa762409SEric Biggers	  reduced security margin but increased performance.  It can be needed
1553aa762409SEric Biggers	  in some performance-sensitive scenarios.
1554aa762409SEric Biggers
1555c9320b6dSMartin Williconfig CRYPTO_CHACHA20_X86_64
15564af78261SEric Biggers	tristate "ChaCha stream cipher algorithms (x86_64/SSSE3/AVX2/AVX-512VL)"
1557c9320b6dSMartin Willi	depends on X86 && 64BIT
1558b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
155928e8d89bSArd Biesheuvel	select CRYPTO_LIB_CHACHA_GENERIC
156084e03fa3SArd Biesheuvel	select CRYPTO_ARCH_HAVE_LIB_CHACHA
1561c9320b6dSMartin Willi	help
15627a507d62SEric Biggers	  SSSE3, AVX2, and AVX-512VL optimized implementations of the ChaCha20,
15637a507d62SEric Biggers	  XChaCha20, and XChaCha12 stream ciphers.
1564c9320b6dSMartin Willi
1565b7133757SJason A. Donenfeldconfig CRYPTO_CHACHA_S390
1566b7133757SJason A. Donenfeld	tristate "ChaCha20 stream cipher"
1567b7133757SJason A. Donenfeld	depends on S390
1568b7133757SJason A. Donenfeld	select CRYPTO_SKCIPHER
1569b7133757SJason A. Donenfeld	select CRYPTO_LIB_CHACHA_GENERIC
1570b7133757SJason A. Donenfeld	select CRYPTO_ARCH_HAVE_LIB_CHACHA
1571b7133757SJason A. Donenfeld	help
1572b7133757SJason A. Donenfeld	  This is the s390 SIMD implementation of the ChaCha20 stream
1573b7133757SJason A. Donenfeld	  cipher (RFC 7539).
1574b7133757SJason A. Donenfeld
1575b7133757SJason A. Donenfeld	  It is available as of z13.
1576b7133757SJason A. Donenfeld
1577584fffc8SSebastian Siewiorconfig CRYPTO_SEED
1578584fffc8SSebastian Siewior	tristate "SEED cipher algorithm"
15791674aea5SArd Biesheuvel	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1580584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1581584fffc8SSebastian Siewior	help
1582584fffc8SSebastian Siewior	  SEED cipher algorithm (RFC4269).
1583584fffc8SSebastian Siewior
1584584fffc8SSebastian Siewior	  SEED is a 128-bit symmetric key block cipher that has been
1585584fffc8SSebastian Siewior	  developed by KISA (Korea Information Security Agency) as a
1586584fffc8SSebastian Siewior	  national standard encryption algorithm of the Republic of Korea.
1587584fffc8SSebastian Siewior	  It is a 16 round block cipher with the key size of 128 bit.
1588584fffc8SSebastian Siewior
1589584fffc8SSebastian Siewior	  See also:
1590584fffc8SSebastian Siewior	  <http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp>
1591584fffc8SSebastian Siewior
1592e4e712bbSTaehee Yooconfig CRYPTO_ARIA
1593e4e712bbSTaehee Yoo	tristate "ARIA cipher algorithm"
1594e4e712bbSTaehee Yoo	select CRYPTO_ALGAPI
1595e4e712bbSTaehee Yoo	help
1596e4e712bbSTaehee Yoo	  ARIA cipher algorithm (RFC5794).
1597e4e712bbSTaehee Yoo
1598e4e712bbSTaehee Yoo	  ARIA is a standard encryption algorithm of the Republic of Korea.
1599e4e712bbSTaehee Yoo	  The ARIA specifies three key sizes and rounds.
1600e4e712bbSTaehee Yoo	  128-bit: 12 rounds.
1601e4e712bbSTaehee Yoo	  192-bit: 14 rounds.
1602e4e712bbSTaehee Yoo	  256-bit: 16 rounds.
1603e4e712bbSTaehee Yoo
1604e4e712bbSTaehee Yoo	  See also:
1605e4e712bbSTaehee Yoo	  <https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do>
1606e4e712bbSTaehee Yoo
1607584fffc8SSebastian Siewiorconfig CRYPTO_SERPENT
1608584fffc8SSebastian Siewior	tristate "Serpent cipher algorithm"
1609584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1610584fffc8SSebastian Siewior	help
1611584fffc8SSebastian Siewior	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1612584fffc8SSebastian Siewior
1613584fffc8SSebastian Siewior	  Keys are allowed to be from 0 to 256 bits in length, in steps
1614784506a1SArd Biesheuvel	  of 8 bits.
1615584fffc8SSebastian Siewior
1616584fffc8SSebastian Siewior	  See also:
16179332a9e7SAlexander A. Klimov	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1618584fffc8SSebastian Siewior
1619937c30d7SJussi Kivilinnaconfig CRYPTO_SERPENT_SSE2_X86_64
1620937c30d7SJussi Kivilinna	tristate "Serpent cipher algorithm (x86_64/SSE2)"
1621937c30d7SJussi Kivilinna	depends on X86 && 64BIT
1622b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
1623937c30d7SJussi Kivilinna	select CRYPTO_SERPENT
1624e0f409dcSEric Biggers	select CRYPTO_SIMD
16252e9440aeSArd Biesheuvel	imply CRYPTO_CTR
1626937c30d7SJussi Kivilinna	help
1627937c30d7SJussi Kivilinna	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1628937c30d7SJussi Kivilinna
1629937c30d7SJussi Kivilinna	  Keys are allowed to be from 0 to 256 bits in length, in steps
1630937c30d7SJussi Kivilinna	  of 8 bits.
1631937c30d7SJussi Kivilinna
16321e6232f8SMasanari Iida	  This module provides Serpent cipher algorithm that processes eight
1633937c30d7SJussi Kivilinna	  blocks parallel using SSE2 instruction set.
1634937c30d7SJussi Kivilinna
1635937c30d7SJussi Kivilinna	  See also:
16369332a9e7SAlexander A. Klimov	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1637937c30d7SJussi Kivilinna
1638251496dbSJussi Kivilinnaconfig CRYPTO_SERPENT_SSE2_586
1639251496dbSJussi Kivilinna	tristate "Serpent cipher algorithm (i586/SSE2)"
1640251496dbSJussi Kivilinna	depends on X86 && !64BIT
1641b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
1642251496dbSJussi Kivilinna	select CRYPTO_SERPENT
1643e0f409dcSEric Biggers	select CRYPTO_SIMD
16442e9440aeSArd Biesheuvel	imply CRYPTO_CTR
1645251496dbSJussi Kivilinna	help
1646251496dbSJussi Kivilinna	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1647251496dbSJussi Kivilinna
1648251496dbSJussi Kivilinna	  Keys are allowed to be from 0 to 256 bits in length, in steps
1649251496dbSJussi Kivilinna	  of 8 bits.
1650251496dbSJussi Kivilinna
1651251496dbSJussi Kivilinna	  This module provides Serpent cipher algorithm that processes four
1652251496dbSJussi Kivilinna	  blocks parallel using SSE2 instruction set.
1653251496dbSJussi Kivilinna
1654251496dbSJussi Kivilinna	  See also:
16559332a9e7SAlexander A. Klimov	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1656251496dbSJussi Kivilinna
16577efe4076SJohannes Goetzfriedconfig CRYPTO_SERPENT_AVX_X86_64
16587efe4076SJohannes Goetzfried	tristate "Serpent cipher algorithm (x86_64/AVX)"
16597efe4076SJohannes Goetzfried	depends on X86 && 64BIT
1660b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
16617efe4076SJohannes Goetzfried	select CRYPTO_SERPENT
1662e16bf974SEric Biggers	select CRYPTO_SIMD
16639ec0af8aSArd Biesheuvel	imply CRYPTO_XTS
16642e9440aeSArd Biesheuvel	imply CRYPTO_CTR
16657efe4076SJohannes Goetzfried	help
16667efe4076SJohannes Goetzfried	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
16677efe4076SJohannes Goetzfried
16687efe4076SJohannes Goetzfried	  Keys are allowed to be from 0 to 256 bits in length, in steps
16697efe4076SJohannes Goetzfried	  of 8 bits.
16707efe4076SJohannes Goetzfried
16717efe4076SJohannes Goetzfried	  This module provides the Serpent cipher algorithm that processes
16727efe4076SJohannes Goetzfried	  eight blocks parallel using the AVX instruction set.
16737efe4076SJohannes Goetzfried
16747efe4076SJohannes Goetzfried	  See also:
16759332a9e7SAlexander A. Klimov	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
16767efe4076SJohannes Goetzfried
167756d76c96SJussi Kivilinnaconfig CRYPTO_SERPENT_AVX2_X86_64
167856d76c96SJussi Kivilinna	tristate "Serpent cipher algorithm (x86_64/AVX2)"
167956d76c96SJussi Kivilinna	depends on X86 && 64BIT
168056d76c96SJussi Kivilinna	select CRYPTO_SERPENT_AVX_X86_64
168156d76c96SJussi Kivilinna	help
168256d76c96SJussi Kivilinna	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
168356d76c96SJussi Kivilinna
168456d76c96SJussi Kivilinna	  Keys are allowed to be from 0 to 256 bits in length, in steps
168556d76c96SJussi Kivilinna	  of 8 bits.
168656d76c96SJussi Kivilinna
168756d76c96SJussi Kivilinna	  This module provides Serpent cipher algorithm that processes 16
168856d76c96SJussi Kivilinna	  blocks parallel using AVX2 instruction set.
168956d76c96SJussi Kivilinna
169056d76c96SJussi Kivilinna	  See also:
16919332a9e7SAlexander A. Klimov	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
169256d76c96SJussi Kivilinna
1693747c8ce4SGilad Ben-Yossefconfig CRYPTO_SM4
1694d2825fa9SJason A. Donenfeld	tristate
1695d2825fa9SJason A. Donenfeld
1696d2825fa9SJason A. Donenfeldconfig CRYPTO_SM4_GENERIC
1697747c8ce4SGilad Ben-Yossef	tristate "SM4 cipher algorithm"
1698747c8ce4SGilad Ben-Yossef	select CRYPTO_ALGAPI
1699d2825fa9SJason A. Donenfeld	select CRYPTO_SM4
1700747c8ce4SGilad Ben-Yossef	help
1701747c8ce4SGilad Ben-Yossef	  SM4 cipher algorithms (OSCCA GB/T 32907-2016).
1702747c8ce4SGilad Ben-Yossef
1703747c8ce4SGilad Ben-Yossef	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
1704747c8ce4SGilad Ben-Yossef	  Organization of State Commercial Administration of China (OSCCA)
1705747c8ce4SGilad Ben-Yossef	  as an authorized cryptographic algorithms for the use within China.
1706747c8ce4SGilad Ben-Yossef
1707747c8ce4SGilad Ben-Yossef	  SMS4 was originally created for use in protecting wireless
1708747c8ce4SGilad Ben-Yossef	  networks, and is mandated in the Chinese National Standard for
1709747c8ce4SGilad Ben-Yossef	  Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
1710747c8ce4SGilad Ben-Yossef	  (GB.15629.11-2003).
1711747c8ce4SGilad Ben-Yossef
1712747c8ce4SGilad Ben-Yossef	  The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
1713747c8ce4SGilad Ben-Yossef	  standardized through TC 260 of the Standardization Administration
1714747c8ce4SGilad Ben-Yossef	  of the People's Republic of China (SAC).
1715747c8ce4SGilad Ben-Yossef
1716747c8ce4SGilad Ben-Yossef	  The input, output, and key of SMS4 are each 128 bits.
1717747c8ce4SGilad Ben-Yossef
1718747c8ce4SGilad Ben-Yossef	  See also: <https://eprint.iacr.org/2008/329.pdf>
1719747c8ce4SGilad Ben-Yossef
1720747c8ce4SGilad Ben-Yossef	  If unsure, say N.
1721747c8ce4SGilad Ben-Yossef
1722a7ee22eeSTianjia Zhangconfig CRYPTO_SM4_AESNI_AVX_X86_64
1723a7ee22eeSTianjia Zhang	tristate "SM4 cipher algorithm (x86_64/AES-NI/AVX)"
1724a7ee22eeSTianjia Zhang	depends on X86 && 64BIT
1725a7ee22eeSTianjia Zhang	select CRYPTO_SKCIPHER
1726a7ee22eeSTianjia Zhang	select CRYPTO_SIMD
1727a7ee22eeSTianjia Zhang	select CRYPTO_ALGAPI
1728d2825fa9SJason A. Donenfeld	select CRYPTO_SM4
1729a7ee22eeSTianjia Zhang	help
1730a7ee22eeSTianjia Zhang	  SM4 cipher algorithms (OSCCA GB/T 32907-2016) (x86_64/AES-NI/AVX).
1731a7ee22eeSTianjia Zhang
1732a7ee22eeSTianjia Zhang	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
1733a7ee22eeSTianjia Zhang	  Organization of State Commercial Administration of China (OSCCA)
1734a7ee22eeSTianjia Zhang	  as an authorized cryptographic algorithms for the use within China.
1735a7ee22eeSTianjia Zhang
1736a7ee22eeSTianjia Zhang	  This is SM4 optimized implementation using AES-NI/AVX/x86_64
1737a7ee22eeSTianjia Zhang	  instruction set for block cipher. Through two affine transforms,
1738a7ee22eeSTianjia Zhang	  we can use the AES S-Box to simulate the SM4 S-Box to achieve the
1739a7ee22eeSTianjia Zhang	  effect of instruction acceleration.
1740a7ee22eeSTianjia Zhang
1741a7ee22eeSTianjia Zhang	  If unsure, say N.
1742a7ee22eeSTianjia Zhang
17435b2efa2bSTianjia Zhangconfig CRYPTO_SM4_AESNI_AVX2_X86_64
17445b2efa2bSTianjia Zhang	tristate "SM4 cipher algorithm (x86_64/AES-NI/AVX2)"
17455b2efa2bSTianjia Zhang	depends on X86 && 64BIT
17465b2efa2bSTianjia Zhang	select CRYPTO_SKCIPHER
17475b2efa2bSTianjia Zhang	select CRYPTO_SIMD
17485b2efa2bSTianjia Zhang	select CRYPTO_ALGAPI
1749d2825fa9SJason A. Donenfeld	select CRYPTO_SM4
17505b2efa2bSTianjia Zhang	select CRYPTO_SM4_AESNI_AVX_X86_64
17515b2efa2bSTianjia Zhang	help
17525b2efa2bSTianjia Zhang	  SM4 cipher algorithms (OSCCA GB/T 32907-2016) (x86_64/AES-NI/AVX2).
17535b2efa2bSTianjia Zhang
17545b2efa2bSTianjia Zhang	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
17555b2efa2bSTianjia Zhang	  Organization of State Commercial Administration of China (OSCCA)
17565b2efa2bSTianjia Zhang	  as an authorized cryptographic algorithms for the use within China.
17575b2efa2bSTianjia Zhang
17585b2efa2bSTianjia Zhang	  This is SM4 optimized implementation using AES-NI/AVX2/x86_64
17595b2efa2bSTianjia Zhang	  instruction set for block cipher. Through two affine transforms,
17605b2efa2bSTianjia Zhang	  we can use the AES S-Box to simulate the SM4 S-Box to achieve the
17615b2efa2bSTianjia Zhang	  effect of instruction acceleration.
17625b2efa2bSTianjia Zhang
17635b2efa2bSTianjia Zhang	  If unsure, say N.
17645b2efa2bSTianjia Zhang
1765584fffc8SSebastian Siewiorconfig CRYPTO_TEA
1766584fffc8SSebastian Siewior	tristate "TEA, XTEA and XETA cipher algorithms"
17671674aea5SArd Biesheuvel	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1768584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1769584fffc8SSebastian Siewior	help
1770584fffc8SSebastian Siewior	  TEA cipher algorithm.
1771584fffc8SSebastian Siewior
1772584fffc8SSebastian Siewior	  Tiny Encryption Algorithm is a simple cipher that uses
1773584fffc8SSebastian Siewior	  many rounds for security.  It is very fast and uses
1774584fffc8SSebastian Siewior	  little memory.
1775584fffc8SSebastian Siewior
1776584fffc8SSebastian Siewior	  Xtendend Tiny Encryption Algorithm is a modification to
1777584fffc8SSebastian Siewior	  the TEA algorithm to address a potential key weakness
1778584fffc8SSebastian Siewior	  in the TEA algorithm.
1779584fffc8SSebastian Siewior
1780584fffc8SSebastian Siewior	  Xtendend Encryption Tiny Algorithm is a mis-implementation
1781584fffc8SSebastian Siewior	  of the XTEA algorithm for compatibility purposes.
1782584fffc8SSebastian Siewior
1783584fffc8SSebastian Siewiorconfig CRYPTO_TWOFISH
1784584fffc8SSebastian Siewior	tristate "Twofish cipher algorithm"
1785584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1786584fffc8SSebastian Siewior	select CRYPTO_TWOFISH_COMMON
1787584fffc8SSebastian Siewior	help
1788584fffc8SSebastian Siewior	  Twofish cipher algorithm.
1789584fffc8SSebastian Siewior
1790584fffc8SSebastian Siewior	  Twofish was submitted as an AES (Advanced Encryption Standard)
1791584fffc8SSebastian Siewior	  candidate cipher by researchers at CounterPane Systems.  It is a
1792584fffc8SSebastian Siewior	  16 round block cipher supporting key sizes of 128, 192, and 256
1793584fffc8SSebastian Siewior	  bits.
1794584fffc8SSebastian Siewior
1795584fffc8SSebastian Siewior	  See also:
17969332a9e7SAlexander A. Klimov	  <https://www.schneier.com/twofish.html>
1797584fffc8SSebastian Siewior
1798584fffc8SSebastian Siewiorconfig CRYPTO_TWOFISH_COMMON
1799584fffc8SSebastian Siewior	tristate
1800584fffc8SSebastian Siewior	help
1801584fffc8SSebastian Siewior	  Common parts of the Twofish cipher algorithm shared by the
1802584fffc8SSebastian Siewior	  generic c and the assembler implementations.
1803584fffc8SSebastian Siewior
1804584fffc8SSebastian Siewiorconfig CRYPTO_TWOFISH_586
1805584fffc8SSebastian Siewior	tristate "Twofish cipher algorithms (i586)"
1806584fffc8SSebastian Siewior	depends on (X86 || UML_X86) && !64BIT
1807584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1808584fffc8SSebastian Siewior	select CRYPTO_TWOFISH_COMMON
1809f43dcaf2SArd Biesheuvel	imply CRYPTO_CTR
1810584fffc8SSebastian Siewior	help
1811584fffc8SSebastian Siewior	  Twofish cipher algorithm.
1812584fffc8SSebastian Siewior
1813584fffc8SSebastian Siewior	  Twofish was submitted as an AES (Advanced Encryption Standard)
1814584fffc8SSebastian Siewior	  candidate cipher by researchers at CounterPane Systems.  It is a
1815584fffc8SSebastian Siewior	  16 round block cipher supporting key sizes of 128, 192, and 256
1816584fffc8SSebastian Siewior	  bits.
1817584fffc8SSebastian Siewior
1818584fffc8SSebastian Siewior	  See also:
18199332a9e7SAlexander A. Klimov	  <https://www.schneier.com/twofish.html>
1820584fffc8SSebastian Siewior
1821584fffc8SSebastian Siewiorconfig CRYPTO_TWOFISH_X86_64
1822584fffc8SSebastian Siewior	tristate "Twofish cipher algorithm (x86_64)"
1823584fffc8SSebastian Siewior	depends on (X86 || UML_X86) && 64BIT
1824584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1825584fffc8SSebastian Siewior	select CRYPTO_TWOFISH_COMMON
1826f43dcaf2SArd Biesheuvel	imply CRYPTO_CTR
1827584fffc8SSebastian Siewior	help
1828584fffc8SSebastian Siewior	  Twofish cipher algorithm (x86_64).
1829584fffc8SSebastian Siewior
1830584fffc8SSebastian Siewior	  Twofish was submitted as an AES (Advanced Encryption Standard)
1831584fffc8SSebastian Siewior	  candidate cipher by researchers at CounterPane Systems.  It is a
1832584fffc8SSebastian Siewior	  16 round block cipher supporting key sizes of 128, 192, and 256
1833584fffc8SSebastian Siewior	  bits.
1834584fffc8SSebastian Siewior
1835584fffc8SSebastian Siewior	  See also:
18369332a9e7SAlexander A. Klimov	  <https://www.schneier.com/twofish.html>
1837584fffc8SSebastian Siewior
18388280daadSJussi Kivilinnaconfig CRYPTO_TWOFISH_X86_64_3WAY
18398280daadSJussi Kivilinna	tristate "Twofish cipher algorithm (x86_64, 3-way parallel)"
1840f21a7c19SAl Viro	depends on X86 && 64BIT
1841b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
18428280daadSJussi Kivilinna	select CRYPTO_TWOFISH_COMMON
18438280daadSJussi Kivilinna	select CRYPTO_TWOFISH_X86_64
18448280daadSJussi Kivilinna	help
18458280daadSJussi Kivilinna	  Twofish cipher algorithm (x86_64, 3-way parallel).
18468280daadSJussi Kivilinna
18478280daadSJussi Kivilinna	  Twofish was submitted as an AES (Advanced Encryption Standard)
18488280daadSJussi Kivilinna	  candidate cipher by researchers at CounterPane Systems.  It is a
18498280daadSJussi Kivilinna	  16 round block cipher supporting key sizes of 128, 192, and 256
18508280daadSJussi Kivilinna	  bits.
18518280daadSJussi Kivilinna
18528280daadSJussi Kivilinna	  This module provides Twofish cipher algorithm that processes three
18538280daadSJussi Kivilinna	  blocks parallel, utilizing resources of out-of-order CPUs better.
18548280daadSJussi Kivilinna
18558280daadSJussi Kivilinna	  See also:
18569332a9e7SAlexander A. Klimov	  <https://www.schneier.com/twofish.html>
18578280daadSJussi Kivilinna
1858107778b5SJohannes Goetzfriedconfig CRYPTO_TWOFISH_AVX_X86_64
1859107778b5SJohannes Goetzfried	tristate "Twofish cipher algorithm (x86_64/AVX)"
1860107778b5SJohannes Goetzfried	depends on X86 && 64BIT
1861b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
18620e6ab46dSEric Biggers	select CRYPTO_SIMD
1863107778b5SJohannes Goetzfried	select CRYPTO_TWOFISH_COMMON
1864107778b5SJohannes Goetzfried	select CRYPTO_TWOFISH_X86_64
1865107778b5SJohannes Goetzfried	select CRYPTO_TWOFISH_X86_64_3WAY
1866da4df93aSArd Biesheuvel	imply CRYPTO_XTS
1867107778b5SJohannes Goetzfried	help
1868107778b5SJohannes Goetzfried	  Twofish cipher algorithm (x86_64/AVX).
1869107778b5SJohannes Goetzfried
1870107778b5SJohannes Goetzfried	  Twofish was submitted as an AES (Advanced Encryption Standard)
1871107778b5SJohannes Goetzfried	  candidate cipher by researchers at CounterPane Systems.  It is a
1872107778b5SJohannes Goetzfried	  16 round block cipher supporting key sizes of 128, 192, and 256
1873107778b5SJohannes Goetzfried	  bits.
1874107778b5SJohannes Goetzfried
1875107778b5SJohannes Goetzfried	  This module provides the Twofish cipher algorithm that processes
1876107778b5SJohannes Goetzfried	  eight blocks parallel using the AVX Instruction Set.
1877107778b5SJohannes Goetzfried
1878107778b5SJohannes Goetzfried	  See also:
18799332a9e7SAlexander A. Klimov	  <https://www.schneier.com/twofish.html>
1880107778b5SJohannes Goetzfried
1881584fffc8SSebastian Siewiorcomment "Compression"
1882584fffc8SSebastian Siewior
18831da177e4SLinus Torvaldsconfig CRYPTO_DEFLATE
18841da177e4SLinus Torvalds	tristate "Deflate compression algorithm"
1885cce9e06dSHerbert Xu	select CRYPTO_ALGAPI
1886f6ded09dSGiovanni Cabiddu	select CRYPTO_ACOMP2
18871da177e4SLinus Torvalds	select ZLIB_INFLATE
18881da177e4SLinus Torvalds	select ZLIB_DEFLATE
18891da177e4SLinus Torvalds	help
18901da177e4SLinus Torvalds	  This is the Deflate algorithm (RFC1951), specified for use in
18911da177e4SLinus Torvalds	  IPSec with the IPCOMP protocol (RFC3173, RFC2394).
18921da177e4SLinus Torvalds
18931da177e4SLinus Torvalds	  You will most probably want this if using IPSec.
18941da177e4SLinus Torvalds
18950b77abb3SZoltan Sogorconfig CRYPTO_LZO
18960b77abb3SZoltan Sogor	tristate "LZO compression algorithm"
18970b77abb3SZoltan Sogor	select CRYPTO_ALGAPI
1898ac9d2c4bSGiovanni Cabiddu	select CRYPTO_ACOMP2
18990b77abb3SZoltan Sogor	select LZO_COMPRESS
19000b77abb3SZoltan Sogor	select LZO_DECOMPRESS
19010b77abb3SZoltan Sogor	help
19020b77abb3SZoltan Sogor	  This is the LZO algorithm.
19030b77abb3SZoltan Sogor
190435a1fc18SSeth Jenningsconfig CRYPTO_842
190535a1fc18SSeth Jennings	tristate "842 compression algorithm"
19062062c5b6SDan Streetman	select CRYPTO_ALGAPI
19076a8de3aeSGiovanni Cabiddu	select CRYPTO_ACOMP2
19082062c5b6SDan Streetman	select 842_COMPRESS
19092062c5b6SDan Streetman	select 842_DECOMPRESS
191035a1fc18SSeth Jennings	help
191135a1fc18SSeth Jennings	  This is the 842 algorithm.
191235a1fc18SSeth Jennings
19130ea8530dSChanho Minconfig CRYPTO_LZ4
19140ea8530dSChanho Min	tristate "LZ4 compression algorithm"
19150ea8530dSChanho Min	select CRYPTO_ALGAPI
19168cd9330eSGiovanni Cabiddu	select CRYPTO_ACOMP2
19170ea8530dSChanho Min	select LZ4_COMPRESS
19180ea8530dSChanho Min	select LZ4_DECOMPRESS
19190ea8530dSChanho Min	help
19200ea8530dSChanho Min	  This is the LZ4 algorithm.
19210ea8530dSChanho Min
19220ea8530dSChanho Minconfig CRYPTO_LZ4HC
19230ea8530dSChanho Min	tristate "LZ4HC compression algorithm"
19240ea8530dSChanho Min	select CRYPTO_ALGAPI
192591d53d96SGiovanni Cabiddu	select CRYPTO_ACOMP2
19260ea8530dSChanho Min	select LZ4HC_COMPRESS
19270ea8530dSChanho Min	select LZ4_DECOMPRESS
19280ea8530dSChanho Min	help
19290ea8530dSChanho Min	  This is the LZ4 high compression mode algorithm.
19300ea8530dSChanho Min
1931d28fc3dbSNick Terrellconfig CRYPTO_ZSTD
1932d28fc3dbSNick Terrell	tristate "Zstd compression algorithm"
1933d28fc3dbSNick Terrell	select CRYPTO_ALGAPI
1934d28fc3dbSNick Terrell	select CRYPTO_ACOMP2
1935d28fc3dbSNick Terrell	select ZSTD_COMPRESS
1936d28fc3dbSNick Terrell	select ZSTD_DECOMPRESS
1937d28fc3dbSNick Terrell	help
1938d28fc3dbSNick Terrell	  This is the zstd algorithm.
1939d28fc3dbSNick Terrell
194017f0f4a4SNeil Hormancomment "Random Number Generation"
194117f0f4a4SNeil Horman
194217f0f4a4SNeil Hormanconfig CRYPTO_ANSI_CPRNG
194317f0f4a4SNeil Horman	tristate "Pseudo Random Number Generation for Cryptographic modules"
194417f0f4a4SNeil Horman	select CRYPTO_AES
194517f0f4a4SNeil Horman	select CRYPTO_RNG
194617f0f4a4SNeil Horman	help
194717f0f4a4SNeil Horman	  This option enables the generic pseudo random number generator
194817f0f4a4SNeil Horman	  for cryptographic modules.  Uses the Algorithm specified in
19497dd607e8SJiri Kosina	  ANSI X9.31 A.2.4. Note that this option must be enabled if
19507dd607e8SJiri Kosina	  CRYPTO_FIPS is selected
195117f0f4a4SNeil Horman
1952f2c89a10SHerbert Xumenuconfig CRYPTO_DRBG_MENU
1953419090c6SStephan Mueller	tristate "NIST SP800-90A DRBG"
1954419090c6SStephan Mueller	help
1955419090c6SStephan Mueller	  NIST SP800-90A compliant DRBG. In the following submenu, one or
1956419090c6SStephan Mueller	  more of the DRBG types must be selected.
1957419090c6SStephan Mueller
1958f2c89a10SHerbert Xuif CRYPTO_DRBG_MENU
1959419090c6SStephan Mueller
1960419090c6SStephan Muellerconfig CRYPTO_DRBG_HMAC
1961401e4238SHerbert Xu	bool
1962419090c6SStephan Mueller	default y
1963419090c6SStephan Mueller	select CRYPTO_HMAC
19645261cdf4SStephan Mueller	select CRYPTO_SHA512
1965419090c6SStephan Mueller
1966419090c6SStephan Muellerconfig CRYPTO_DRBG_HASH
1967419090c6SStephan Mueller	bool "Enable Hash DRBG"
1968826775bbSHerbert Xu	select CRYPTO_SHA256
1969419090c6SStephan Mueller	help
1970419090c6SStephan Mueller	  Enable the Hash DRBG variant as defined in NIST SP800-90A.
1971419090c6SStephan Mueller
1972419090c6SStephan Muellerconfig CRYPTO_DRBG_CTR
1973419090c6SStephan Mueller	bool "Enable CTR DRBG"
1974419090c6SStephan Mueller	select CRYPTO_AES
1975d6fc1a45SCorentin Labbe	select CRYPTO_CTR
1976419090c6SStephan Mueller	help
1977419090c6SStephan Mueller	  Enable the CTR DRBG variant as defined in NIST SP800-90A.
1978419090c6SStephan Mueller
1979f2c89a10SHerbert Xuconfig CRYPTO_DRBG
1980f2c89a10SHerbert Xu	tristate
1981401e4238SHerbert Xu	default CRYPTO_DRBG_MENU
1982f2c89a10SHerbert Xu	select CRYPTO_RNG
1983bb5530e4SStephan Mueller	select CRYPTO_JITTERENTROPY
1984f2c89a10SHerbert Xu
1985f2c89a10SHerbert Xuendif	# if CRYPTO_DRBG_MENU
1986419090c6SStephan Mueller
1987bb5530e4SStephan Muellerconfig CRYPTO_JITTERENTROPY
1988bb5530e4SStephan Mueller	tristate "Jitterentropy Non-Deterministic Random Number Generator"
19892f313e02SArnd Bergmann	select CRYPTO_RNG
1990bb5530e4SStephan Mueller	help
1991bb5530e4SStephan Mueller	  The Jitterentropy RNG is a noise that is intended
1992bb5530e4SStephan Mueller	  to provide seed to another RNG. The RNG does not
1993bb5530e4SStephan Mueller	  perform any cryptographic whitening of the generated
1994bb5530e4SStephan Mueller	  random numbers. This Jitterentropy RNG registers with
1995bb5530e4SStephan Mueller	  the kernel crypto API and can be used by any caller.
1996bb5530e4SStephan Mueller
1997026a733eSStephan Müllerconfig CRYPTO_KDF800108_CTR
1998026a733eSStephan Müller	tristate
1999a88592ccSHerbert Xu	select CRYPTO_HMAC
2000304b4aceSStephan Müller	select CRYPTO_SHA256
2001026a733eSStephan Müller
200203c8efc1SHerbert Xuconfig CRYPTO_USER_API
200303c8efc1SHerbert Xu	tristate
200403c8efc1SHerbert Xu
2005fe869cdbSHerbert Xuconfig CRYPTO_USER_API_HASH
2006fe869cdbSHerbert Xu	tristate "User-space interface for hash algorithms"
20077451708fSHerbert Xu	depends on NET
2008fe869cdbSHerbert Xu	select CRYPTO_HASH
2009fe869cdbSHerbert Xu	select CRYPTO_USER_API
2010fe869cdbSHerbert Xu	help
2011fe869cdbSHerbert Xu	  This option enables the user-spaces interface for hash
2012fe869cdbSHerbert Xu	  algorithms.
2013fe869cdbSHerbert Xu
20148ff59090SHerbert Xuconfig CRYPTO_USER_API_SKCIPHER
20158ff59090SHerbert Xu	tristate "User-space interface for symmetric key cipher algorithms"
20167451708fSHerbert Xu	depends on NET
2017b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
20188ff59090SHerbert Xu	select CRYPTO_USER_API
20198ff59090SHerbert Xu	help
20208ff59090SHerbert Xu	  This option enables the user-spaces interface for symmetric
20218ff59090SHerbert Xu	  key cipher algorithms.
20228ff59090SHerbert Xu
20232f375538SStephan Muellerconfig CRYPTO_USER_API_RNG
20242f375538SStephan Mueller	tristate "User-space interface for random number generator algorithms"
20252f375538SStephan Mueller	depends on NET
20262f375538SStephan Mueller	select CRYPTO_RNG
20272f375538SStephan Mueller	select CRYPTO_USER_API
20282f375538SStephan Mueller	help
20292f375538SStephan Mueller	  This option enables the user-spaces interface for random
20302f375538SStephan Mueller	  number generator algorithms.
20312f375538SStephan Mueller
203277ebdabeSElena Petrovaconfig CRYPTO_USER_API_RNG_CAVP
203377ebdabeSElena Petrova	bool "Enable CAVP testing of DRBG"
203477ebdabeSElena Petrova	depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
203577ebdabeSElena Petrova	help
203677ebdabeSElena Petrova	  This option enables extra API for CAVP testing via the user-space
203777ebdabeSElena Petrova	  interface: resetting of DRBG entropy, and providing Additional Data.
203877ebdabeSElena Petrova	  This should only be enabled for CAVP testing. You should say
203977ebdabeSElena Petrova	  no unless you know what this is.
204077ebdabeSElena Petrova
2041b64a2d95SHerbert Xuconfig CRYPTO_USER_API_AEAD
2042b64a2d95SHerbert Xu	tristate "User-space interface for AEAD cipher algorithms"
2043b64a2d95SHerbert Xu	depends on NET
2044b64a2d95SHerbert Xu	select CRYPTO_AEAD
2045b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
204672548b09SStephan Mueller	select CRYPTO_NULL
2047b64a2d95SHerbert Xu	select CRYPTO_USER_API
2048b64a2d95SHerbert Xu	help
2049b64a2d95SHerbert Xu	  This option enables the user-spaces interface for AEAD
2050b64a2d95SHerbert Xu	  cipher algorithms.
2051b64a2d95SHerbert Xu
20529ace6771SArd Biesheuvelconfig CRYPTO_USER_API_ENABLE_OBSOLETE
20539ace6771SArd Biesheuvel	bool "Enable obsolete cryptographic algorithms for userspace"
20549ace6771SArd Biesheuvel	depends on CRYPTO_USER_API
20559ace6771SArd Biesheuvel	default y
20569ace6771SArd Biesheuvel	help
20579ace6771SArd Biesheuvel	  Allow obsolete cryptographic algorithms to be selected that have
20589ace6771SArd Biesheuvel	  already been phased out from internal use by the kernel, and are
20599ace6771SArd Biesheuvel	  only useful for userspace clients that still rely on them.
20609ace6771SArd Biesheuvel
2061cac5818cSCorentin Labbeconfig CRYPTO_STATS
2062cac5818cSCorentin Labbe	bool "Crypto usage statistics for User-space"
2063a6a31385SCorentin Labbe	depends on CRYPTO_USER
2064cac5818cSCorentin Labbe	help
2065cac5818cSCorentin Labbe	  This option enables the gathering of crypto stats.
2066cac5818cSCorentin Labbe	  This will collect:
2067cac5818cSCorentin Labbe	  - encrypt/decrypt size and numbers of symmeric operations
2068cac5818cSCorentin Labbe	  - compress/decompress size and numbers of compress operations
2069cac5818cSCorentin Labbe	  - size and numbers of hash operations
2070cac5818cSCorentin Labbe	  - encrypt/decrypt/sign/verify numbers for asymmetric operations
2071cac5818cSCorentin Labbe	  - generate/seed numbers for rng operations
2072cac5818cSCorentin Labbe
2073ee08997fSDmitry Kasatkinconfig CRYPTO_HASH_INFO
2074ee08997fSDmitry Kasatkin	bool
2075ee08997fSDmitry Kasatkin
2076*e45f710bSRobert Elliottif MIPS
2077*e45f710bSRobert Elliottsource "arch/mips/crypto/Kconfig"
2078*e45f710bSRobert Elliottendif
2079*e45f710bSRobert Elliott
20801da177e4SLinus Torvaldssource "drivers/crypto/Kconfig"
20818636a1f9SMasahiro Yamadasource "crypto/asymmetric_keys/Kconfig"
20828636a1f9SMasahiro Yamadasource "certs/Kconfig"
20831da177e4SLinus Torvalds
2084cce9e06dSHerbert Xuendif	# if CRYPTO
2085