xref: /linux/crypto/Kconfig (revision e59c1c98745637796df824c0177f279b6e9cad94)
1b2441318SGreg Kroah-Hartman# SPDX-License-Identifier: GPL-2.0
21da177e4SLinus Torvalds#
3685784aaSDan Williams# Generic algorithms support
4685784aaSDan Williams#
5685784aaSDan Williamsconfig XOR_BLOCKS
6685784aaSDan Williams	tristate
7685784aaSDan Williams
8685784aaSDan Williams#
99bc89cd8SDan Williams# async_tx api: hardware offloaded memory transfer/transform support
109bc89cd8SDan Williams#
119bc89cd8SDan Williamssource "crypto/async_tx/Kconfig"
129bc89cd8SDan Williams
139bc89cd8SDan Williams#
141da177e4SLinus Torvalds# Cryptographic API Configuration
151da177e4SLinus Torvalds#
162e290f43SJan Engelhardtmenuconfig CRYPTO
17c3715cb9SSebastian Siewior	tristate "Cryptographic API"
181da177e4SLinus Torvalds	help
191da177e4SLinus Torvalds	  This option provides the core Cryptographic API.
201da177e4SLinus Torvalds
21cce9e06dSHerbert Xuif CRYPTO
22cce9e06dSHerbert Xu
23584fffc8SSebastian Siewiorcomment "Crypto core or helper"
24584fffc8SSebastian Siewior
25ccb778e1SNeil Hormanconfig CRYPTO_FIPS
26ccb778e1SNeil Horman	bool "FIPS 200 compliance"
27f2c89a10SHerbert Xu	depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
281f696097SAlec Ari	depends on (MODULE_SIG || !MODULES)
29ccb778e1SNeil Horman	help
30d99324c2SGeert Uytterhoeven	  This option enables the fips boot option which is
31d99324c2SGeert Uytterhoeven	  required if you want the system to operate in a FIPS 200
32ccb778e1SNeil Horman	  certification.  You should say no unless you know what
33e84c5480SChuck Ebbert	  this is.
34ccb778e1SNeil Horman
35cce9e06dSHerbert Xuconfig CRYPTO_ALGAPI
36cce9e06dSHerbert Xu	tristate
376a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
38cce9e06dSHerbert Xu	help
39cce9e06dSHerbert Xu	  This option provides the API for cryptographic algorithms.
40cce9e06dSHerbert Xu
416a0fcbb4SHerbert Xuconfig CRYPTO_ALGAPI2
426a0fcbb4SHerbert Xu	tristate
436a0fcbb4SHerbert Xu
441ae97820SHerbert Xuconfig CRYPTO_AEAD
451ae97820SHerbert Xu	tristate
466a0fcbb4SHerbert Xu	select CRYPTO_AEAD2
471ae97820SHerbert Xu	select CRYPTO_ALGAPI
481ae97820SHerbert Xu
496a0fcbb4SHerbert Xuconfig CRYPTO_AEAD2
506a0fcbb4SHerbert Xu	tristate
516a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
52149a3971SHerbert Xu	select CRYPTO_NULL2
53149a3971SHerbert Xu	select CRYPTO_RNG2
546a0fcbb4SHerbert Xu
555cde0af2SHerbert Xuconfig CRYPTO_BLKCIPHER
565cde0af2SHerbert Xu	tristate
576a0fcbb4SHerbert Xu	select CRYPTO_BLKCIPHER2
585cde0af2SHerbert Xu	select CRYPTO_ALGAPI
596a0fcbb4SHerbert Xu
606a0fcbb4SHerbert Xuconfig CRYPTO_BLKCIPHER2
616a0fcbb4SHerbert Xu	tristate
626a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
636a0fcbb4SHerbert Xu	select CRYPTO_RNG2
645cde0af2SHerbert Xu
65055bcee3SHerbert Xuconfig CRYPTO_HASH
66055bcee3SHerbert Xu	tristate
676a0fcbb4SHerbert Xu	select CRYPTO_HASH2
68055bcee3SHerbert Xu	select CRYPTO_ALGAPI
69055bcee3SHerbert Xu
706a0fcbb4SHerbert Xuconfig CRYPTO_HASH2
716a0fcbb4SHerbert Xu	tristate
726a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
736a0fcbb4SHerbert Xu
7417f0f4a4SNeil Hormanconfig CRYPTO_RNG
7517f0f4a4SNeil Horman	tristate
766a0fcbb4SHerbert Xu	select CRYPTO_RNG2
7717f0f4a4SNeil Horman	select CRYPTO_ALGAPI
7817f0f4a4SNeil Horman
796a0fcbb4SHerbert Xuconfig CRYPTO_RNG2
806a0fcbb4SHerbert Xu	tristate
816a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
826a0fcbb4SHerbert Xu
83401e4238SHerbert Xuconfig CRYPTO_RNG_DEFAULT
84401e4238SHerbert Xu	tristate
85401e4238SHerbert Xu	select CRYPTO_DRBG_MENU
86401e4238SHerbert Xu
873c339ab8STadeusz Strukconfig CRYPTO_AKCIPHER2
883c339ab8STadeusz Struk	tristate
893c339ab8STadeusz Struk	select CRYPTO_ALGAPI2
903c339ab8STadeusz Struk
913c339ab8STadeusz Strukconfig CRYPTO_AKCIPHER
923c339ab8STadeusz Struk	tristate
933c339ab8STadeusz Struk	select CRYPTO_AKCIPHER2
943c339ab8STadeusz Struk	select CRYPTO_ALGAPI
953c339ab8STadeusz Struk
964e5f2c40SSalvatore Benedettoconfig CRYPTO_KPP2
974e5f2c40SSalvatore Benedetto	tristate
984e5f2c40SSalvatore Benedetto	select CRYPTO_ALGAPI2
994e5f2c40SSalvatore Benedetto
1004e5f2c40SSalvatore Benedettoconfig CRYPTO_KPP
1014e5f2c40SSalvatore Benedetto	tristate
1024e5f2c40SSalvatore Benedetto	select CRYPTO_ALGAPI
1034e5f2c40SSalvatore Benedetto	select CRYPTO_KPP2
1044e5f2c40SSalvatore Benedetto
1052ebda74fSGiovanni Cabidduconfig CRYPTO_ACOMP2
1062ebda74fSGiovanni Cabiddu	tristate
1072ebda74fSGiovanni Cabiddu	select CRYPTO_ALGAPI2
1088cd579d2SBart Van Assche	select SGL_ALLOC
1092ebda74fSGiovanni Cabiddu
1102ebda74fSGiovanni Cabidduconfig CRYPTO_ACOMP
1112ebda74fSGiovanni Cabiddu	tristate
1122ebda74fSGiovanni Cabiddu	select CRYPTO_ALGAPI
1132ebda74fSGiovanni Cabiddu	select CRYPTO_ACOMP2
1142ebda74fSGiovanni Cabiddu
1152b8c19dbSHerbert Xuconfig CRYPTO_MANAGER
1162b8c19dbSHerbert Xu	tristate "Cryptographic algorithm manager"
1176a0fcbb4SHerbert Xu	select CRYPTO_MANAGER2
1182b8c19dbSHerbert Xu	help
1192b8c19dbSHerbert Xu	  Create default cryptographic template instantiations such as
1202b8c19dbSHerbert Xu	  cbc(aes).
1212b8c19dbSHerbert Xu
1226a0fcbb4SHerbert Xuconfig CRYPTO_MANAGER2
1236a0fcbb4SHerbert Xu	def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
1246a0fcbb4SHerbert Xu	select CRYPTO_AEAD2
1256a0fcbb4SHerbert Xu	select CRYPTO_HASH2
1266a0fcbb4SHerbert Xu	select CRYPTO_BLKCIPHER2
127946cc463STadeusz Struk	select CRYPTO_AKCIPHER2
1284e5f2c40SSalvatore Benedetto	select CRYPTO_KPP2
1292ebda74fSGiovanni Cabiddu	select CRYPTO_ACOMP2
1306a0fcbb4SHerbert Xu
131a38f7907SSteffen Klassertconfig CRYPTO_USER
132a38f7907SSteffen Klassert	tristate "Userspace cryptographic algorithm configuration"
1335db017aaSHerbert Xu	depends on NET
134a38f7907SSteffen Klassert	select CRYPTO_MANAGER
135a38f7907SSteffen Klassert	help
136d19978f5SValdis.Kletnieks@vt.edu	  Userspace configuration for cryptographic instantiations such as
137a38f7907SSteffen Klassert	  cbc(aes).
138a38f7907SSteffen Klassert
139929d34caSEric Biggersif CRYPTO_MANAGER2
140929d34caSEric Biggers
141326a6346SHerbert Xuconfig CRYPTO_MANAGER_DISABLE_TESTS
142326a6346SHerbert Xu	bool "Disable run-time self tests"
14300ca28a5SHerbert Xu	default y
1440b767f96SAlexander Shishkin	help
145326a6346SHerbert Xu	  Disable run-time self tests that normally take place at
146326a6346SHerbert Xu	  algorithm registration.
1470b767f96SAlexander Shishkin
1485b2706a4SEric Biggersconfig CRYPTO_MANAGER_EXTRA_TESTS
1495b2706a4SEric Biggers	bool "Enable extra run-time crypto self tests"
1505b2706a4SEric Biggers	depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS
1515b2706a4SEric Biggers	help
1525b2706a4SEric Biggers	  Enable extra run-time self tests of registered crypto algorithms,
1535b2706a4SEric Biggers	  including randomized fuzz tests.
1545b2706a4SEric Biggers
1555b2706a4SEric Biggers	  This is intended for developer use only, as these tests take much
1565b2706a4SEric Biggers	  longer to run than the normal self tests.
1575b2706a4SEric Biggers
158929d34caSEric Biggersendif	# if CRYPTO_MANAGER2
159929d34caSEric Biggers
160584fffc8SSebastian Siewiorconfig CRYPTO_GF128MUL
161e590e132SEric Biggers	tristate
162584fffc8SSebastian Siewior
163584fffc8SSebastian Siewiorconfig CRYPTO_NULL
164584fffc8SSebastian Siewior	tristate "Null algorithms"
165149a3971SHerbert Xu	select CRYPTO_NULL2
166584fffc8SSebastian Siewior	help
167584fffc8SSebastian Siewior	  These are 'Null' algorithms, used by IPsec, which do nothing.
168584fffc8SSebastian Siewior
169149a3971SHerbert Xuconfig CRYPTO_NULL2
170dd43c4e9SHerbert Xu	tristate
171149a3971SHerbert Xu	select CRYPTO_ALGAPI2
172149a3971SHerbert Xu	select CRYPTO_BLKCIPHER2
173149a3971SHerbert Xu	select CRYPTO_HASH2
174149a3971SHerbert Xu
1755068c7a8SSteffen Klassertconfig CRYPTO_PCRYPT
1763b4afaf2SKees Cook	tristate "Parallel crypto engine"
1773b4afaf2SKees Cook	depends on SMP
1785068c7a8SSteffen Klassert	select PADATA
1795068c7a8SSteffen Klassert	select CRYPTO_MANAGER
1805068c7a8SSteffen Klassert	select CRYPTO_AEAD
1815068c7a8SSteffen Klassert	help
1825068c7a8SSteffen Klassert	  This converts an arbitrary crypto algorithm into a parallel
1835068c7a8SSteffen Klassert	  algorithm that executes in kernel threads.
1845068c7a8SSteffen Klassert
185584fffc8SSebastian Siewiorconfig CRYPTO_CRYPTD
186584fffc8SSebastian Siewior	tristate "Software async crypto daemon"
187584fffc8SSebastian Siewior	select CRYPTO_BLKCIPHER
188b8a28251SLoc Ho	select CRYPTO_HASH
189584fffc8SSebastian Siewior	select CRYPTO_MANAGER
190584fffc8SSebastian Siewior	help
191584fffc8SSebastian Siewior	  This is a generic software asynchronous crypto daemon that
192584fffc8SSebastian Siewior	  converts an arbitrary synchronous software crypto algorithm
193584fffc8SSebastian Siewior	  into an asynchronous algorithm that executes in a kernel thread.
194584fffc8SSebastian Siewior
195584fffc8SSebastian Siewiorconfig CRYPTO_AUTHENC
196584fffc8SSebastian Siewior	tristate "Authenc support"
197584fffc8SSebastian Siewior	select CRYPTO_AEAD
198584fffc8SSebastian Siewior	select CRYPTO_BLKCIPHER
199584fffc8SSebastian Siewior	select CRYPTO_MANAGER
200584fffc8SSebastian Siewior	select CRYPTO_HASH
201e94c6a7aSHerbert Xu	select CRYPTO_NULL
202584fffc8SSebastian Siewior	help
203584fffc8SSebastian Siewior	  Authenc: Combined mode wrapper for IPsec.
204584fffc8SSebastian Siewior	  This is required for IPSec.
205584fffc8SSebastian Siewior
206584fffc8SSebastian Siewiorconfig CRYPTO_TEST
207584fffc8SSebastian Siewior	tristate "Testing module"
208584fffc8SSebastian Siewior	depends on m
209da7f033dSHerbert Xu	select CRYPTO_MANAGER
210584fffc8SSebastian Siewior	help
211584fffc8SSebastian Siewior	  Quick & dirty crypto test module.
212584fffc8SSebastian Siewior
213266d0516SHerbert Xuconfig CRYPTO_SIMD
214266d0516SHerbert Xu	tristate
215266d0516SHerbert Xu	select CRYPTO_CRYPTD
216266d0516SHerbert Xu
217596d8750SJussi Kivilinnaconfig CRYPTO_GLUE_HELPER_X86
218596d8750SJussi Kivilinna	tristate
219596d8750SJussi Kivilinna	depends on X86
220065ce327SHerbert Xu	select CRYPTO_BLKCIPHER
221596d8750SJussi Kivilinna
222735d37b5SBaolin Wangconfig CRYPTO_ENGINE
223735d37b5SBaolin Wang	tristate
224735d37b5SBaolin Wang
2253d6228a5SVitaly Chikunovcomment "Public-key cryptography"
2263d6228a5SVitaly Chikunov
2273d6228a5SVitaly Chikunovconfig CRYPTO_RSA
2283d6228a5SVitaly Chikunov	tristate "RSA algorithm"
2293d6228a5SVitaly Chikunov	select CRYPTO_AKCIPHER
2303d6228a5SVitaly Chikunov	select CRYPTO_MANAGER
2313d6228a5SVitaly Chikunov	select MPILIB
2323d6228a5SVitaly Chikunov	select ASN1
2333d6228a5SVitaly Chikunov	help
2343d6228a5SVitaly Chikunov	  Generic implementation of the RSA public key algorithm.
2353d6228a5SVitaly Chikunov
2363d6228a5SVitaly Chikunovconfig CRYPTO_DH
2373d6228a5SVitaly Chikunov	tristate "Diffie-Hellman algorithm"
2383d6228a5SVitaly Chikunov	select CRYPTO_KPP
2393d6228a5SVitaly Chikunov	select MPILIB
2403d6228a5SVitaly Chikunov	help
2413d6228a5SVitaly Chikunov	  Generic implementation of the Diffie-Hellman algorithm.
2423d6228a5SVitaly Chikunov
2434a2289daSVitaly Chikunovconfig CRYPTO_ECC
2444a2289daSVitaly Chikunov	tristate
2454a2289daSVitaly Chikunov
2463d6228a5SVitaly Chikunovconfig CRYPTO_ECDH
2473d6228a5SVitaly Chikunov	tristate "ECDH algorithm"
2484a2289daSVitaly Chikunov	select CRYPTO_ECC
2493d6228a5SVitaly Chikunov	select CRYPTO_KPP
2503d6228a5SVitaly Chikunov	select CRYPTO_RNG_DEFAULT
2513d6228a5SVitaly Chikunov	help
2523d6228a5SVitaly Chikunov	  Generic implementation of the ECDH algorithm
2533d6228a5SVitaly Chikunov
2540d7a7864SVitaly Chikunovconfig CRYPTO_ECRDSA
2550d7a7864SVitaly Chikunov	tristate "EC-RDSA (GOST 34.10) algorithm"
2560d7a7864SVitaly Chikunov	select CRYPTO_ECC
2570d7a7864SVitaly Chikunov	select CRYPTO_AKCIPHER
2580d7a7864SVitaly Chikunov	select CRYPTO_STREEBOG
2591036633eSVitaly Chikunov	select OID_REGISTRY
2601036633eSVitaly Chikunov	select ASN1
2610d7a7864SVitaly Chikunov	help
2620d7a7864SVitaly Chikunov	  Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
2630d7a7864SVitaly Chikunov	  RFC 7091, ISO/IEC 14888-3:2018) is one of the Russian cryptographic
2640d7a7864SVitaly Chikunov	  standard algorithms (called GOST algorithms). Only signature verification
2650d7a7864SVitaly Chikunov	  is implemented.
2660d7a7864SVitaly Chikunov
267584fffc8SSebastian Siewiorcomment "Authenticated Encryption with Associated Data"
268584fffc8SSebastian Siewior
269584fffc8SSebastian Siewiorconfig CRYPTO_CCM
270584fffc8SSebastian Siewior	tristate "CCM support"
271584fffc8SSebastian Siewior	select CRYPTO_CTR
272f15f05b0SArd Biesheuvel	select CRYPTO_HASH
273584fffc8SSebastian Siewior	select CRYPTO_AEAD
274c8a3315aSEric Biggers	select CRYPTO_MANAGER
275584fffc8SSebastian Siewior	help
276584fffc8SSebastian Siewior	  Support for Counter with CBC MAC. Required for IPsec.
277584fffc8SSebastian Siewior
278584fffc8SSebastian Siewiorconfig CRYPTO_GCM
279584fffc8SSebastian Siewior	tristate "GCM/GMAC support"
280584fffc8SSebastian Siewior	select CRYPTO_CTR
281584fffc8SSebastian Siewior	select CRYPTO_AEAD
2829382d97aSHuang Ying	select CRYPTO_GHASH
2839489667dSJussi Kivilinna	select CRYPTO_NULL
284c8a3315aSEric Biggers	select CRYPTO_MANAGER
285584fffc8SSebastian Siewior	help
286584fffc8SSebastian Siewior	  Support for Galois/Counter Mode (GCM) and Galois Message
287584fffc8SSebastian Siewior	  Authentication Code (GMAC). Required for IPSec.
288584fffc8SSebastian Siewior
28971ebc4d1SMartin Williconfig CRYPTO_CHACHA20POLY1305
29071ebc4d1SMartin Willi	tristate "ChaCha20-Poly1305 AEAD support"
29171ebc4d1SMartin Willi	select CRYPTO_CHACHA20
29271ebc4d1SMartin Willi	select CRYPTO_POLY1305
29371ebc4d1SMartin Willi	select CRYPTO_AEAD
294c8a3315aSEric Biggers	select CRYPTO_MANAGER
29571ebc4d1SMartin Willi	help
29671ebc4d1SMartin Willi	  ChaCha20-Poly1305 AEAD support, RFC7539.
29771ebc4d1SMartin Willi
29871ebc4d1SMartin Willi	  Support for the AEAD wrapper using the ChaCha20 stream cipher combined
29971ebc4d1SMartin Willi	  with the Poly1305 authenticator. It is defined in RFC7539 for use in
30071ebc4d1SMartin Willi	  IETF protocols.
30171ebc4d1SMartin Willi
302f606a88eSOndrej Mosnacekconfig CRYPTO_AEGIS128
303f606a88eSOndrej Mosnacek	tristate "AEGIS-128 AEAD algorithm"
304f606a88eSOndrej Mosnacek	select CRYPTO_AEAD
305f606a88eSOndrej Mosnacek	select CRYPTO_AES  # for AES S-box tables
306f606a88eSOndrej Mosnacek	help
307f606a88eSOndrej Mosnacek	 Support for the AEGIS-128 dedicated AEAD algorithm.
308f606a88eSOndrej Mosnacek
309f606a88eSOndrej Mosnacekconfig CRYPTO_AEGIS128L
310f606a88eSOndrej Mosnacek	tristate "AEGIS-128L AEAD algorithm"
311f606a88eSOndrej Mosnacek	select CRYPTO_AEAD
312f606a88eSOndrej Mosnacek	select CRYPTO_AES  # for AES S-box tables
313f606a88eSOndrej Mosnacek	help
314f606a88eSOndrej Mosnacek	 Support for the AEGIS-128L dedicated AEAD algorithm.
315f606a88eSOndrej Mosnacek
316f606a88eSOndrej Mosnacekconfig CRYPTO_AEGIS256
317f606a88eSOndrej Mosnacek	tristate "AEGIS-256 AEAD algorithm"
318f606a88eSOndrej Mosnacek	select CRYPTO_AEAD
319f606a88eSOndrej Mosnacek	select CRYPTO_AES  # for AES S-box tables
320f606a88eSOndrej Mosnacek	help
321f606a88eSOndrej Mosnacek	 Support for the AEGIS-256 dedicated AEAD algorithm.
322f606a88eSOndrej Mosnacek
3231d373d4eSOndrej Mosnacekconfig CRYPTO_AEGIS128_AESNI_SSE2
3241d373d4eSOndrej Mosnacek	tristate "AEGIS-128 AEAD algorithm (x86_64 AESNI+SSE2 implementation)"
3251d373d4eSOndrej Mosnacek	depends on X86 && 64BIT
3261d373d4eSOndrej Mosnacek	select CRYPTO_AEAD
327de272ca7SEric Biggers	select CRYPTO_SIMD
3281d373d4eSOndrej Mosnacek	help
3294e5180ebSOndrej Mosnacek	 AESNI+SSE2 implementation of the AEGIS-128 dedicated AEAD algorithm.
3301d373d4eSOndrej Mosnacek
3311d373d4eSOndrej Mosnacekconfig CRYPTO_AEGIS128L_AESNI_SSE2
3321d373d4eSOndrej Mosnacek	tristate "AEGIS-128L AEAD algorithm (x86_64 AESNI+SSE2 implementation)"
3331d373d4eSOndrej Mosnacek	depends on X86 && 64BIT
3341d373d4eSOndrej Mosnacek	select CRYPTO_AEAD
335d628132aSEric Biggers	select CRYPTO_SIMD
3361d373d4eSOndrej Mosnacek	help
3374e5180ebSOndrej Mosnacek	 AESNI+SSE2 implementation of the AEGIS-128L dedicated AEAD algorithm.
3381d373d4eSOndrej Mosnacek
3391d373d4eSOndrej Mosnacekconfig CRYPTO_AEGIS256_AESNI_SSE2
3401d373d4eSOndrej Mosnacek	tristate "AEGIS-256 AEAD algorithm (x86_64 AESNI+SSE2 implementation)"
3411d373d4eSOndrej Mosnacek	depends on X86 && 64BIT
3421d373d4eSOndrej Mosnacek	select CRYPTO_AEAD
343b6708c2dSEric Biggers	select CRYPTO_SIMD
3441d373d4eSOndrej Mosnacek	help
3454e5180ebSOndrej Mosnacek	 AESNI+SSE2 implementation of the AEGIS-256 dedicated AEAD algorithm.
3461d373d4eSOndrej Mosnacek
347396be41fSOndrej Mosnacekconfig CRYPTO_MORUS640
348396be41fSOndrej Mosnacek	tristate "MORUS-640 AEAD algorithm"
349396be41fSOndrej Mosnacek	select CRYPTO_AEAD
350396be41fSOndrej Mosnacek	help
351396be41fSOndrej Mosnacek	  Support for the MORUS-640 dedicated AEAD algorithm.
352396be41fSOndrej Mosnacek
35356e8e57fSOndrej Mosnacekconfig CRYPTO_MORUS640_GLUE
3542808f173SOndrej Mosnacek	tristate
3552808f173SOndrej Mosnacek	depends on X86
35656e8e57fSOndrej Mosnacek	select CRYPTO_AEAD
35747730958SEric Biggers	select CRYPTO_SIMD
35856e8e57fSOndrej Mosnacek	help
35956e8e57fSOndrej Mosnacek	  Common glue for SIMD optimizations of the MORUS-640 dedicated AEAD
36056e8e57fSOndrej Mosnacek	  algorithm.
36156e8e57fSOndrej Mosnacek
3626ecc9d9fSOndrej Mosnacekconfig CRYPTO_MORUS640_SSE2
3636ecc9d9fSOndrej Mosnacek	tristate "MORUS-640 AEAD algorithm (x86_64 SSE2 implementation)"
3646ecc9d9fSOndrej Mosnacek	depends on X86 && 64BIT
3656ecc9d9fSOndrej Mosnacek	select CRYPTO_AEAD
3666ecc9d9fSOndrej Mosnacek	select CRYPTO_MORUS640_GLUE
3676ecc9d9fSOndrej Mosnacek	help
3686ecc9d9fSOndrej Mosnacek	  SSE2 implementation of the MORUS-640 dedicated AEAD algorithm.
3696ecc9d9fSOndrej Mosnacek
370396be41fSOndrej Mosnacekconfig CRYPTO_MORUS1280
371396be41fSOndrej Mosnacek	tristate "MORUS-1280 AEAD algorithm"
372396be41fSOndrej Mosnacek	select CRYPTO_AEAD
373396be41fSOndrej Mosnacek	help
374396be41fSOndrej Mosnacek	  Support for the MORUS-1280 dedicated AEAD algorithm.
375396be41fSOndrej Mosnacek
37656e8e57fSOndrej Mosnacekconfig CRYPTO_MORUS1280_GLUE
3772808f173SOndrej Mosnacek	tristate
3782808f173SOndrej Mosnacek	depends on X86
37956e8e57fSOndrej Mosnacek	select CRYPTO_AEAD
380e151a8d2SEric Biggers	select CRYPTO_SIMD
38156e8e57fSOndrej Mosnacek	help
38256e8e57fSOndrej Mosnacek	  Common glue for SIMD optimizations of the MORUS-1280 dedicated AEAD
38356e8e57fSOndrej Mosnacek	  algorithm.
38456e8e57fSOndrej Mosnacek
3856ecc9d9fSOndrej Mosnacekconfig CRYPTO_MORUS1280_SSE2
3866ecc9d9fSOndrej Mosnacek	tristate "MORUS-1280 AEAD algorithm (x86_64 SSE2 implementation)"
3876ecc9d9fSOndrej Mosnacek	depends on X86 && 64BIT
3886ecc9d9fSOndrej Mosnacek	select CRYPTO_AEAD
3896ecc9d9fSOndrej Mosnacek	select CRYPTO_MORUS1280_GLUE
3906ecc9d9fSOndrej Mosnacek	help
3916ecc9d9fSOndrej Mosnacek	  SSE2 optimizedimplementation of the MORUS-1280 dedicated AEAD
3926ecc9d9fSOndrej Mosnacek	  algorithm.
3936ecc9d9fSOndrej Mosnacek
3946ecc9d9fSOndrej Mosnacekconfig CRYPTO_MORUS1280_AVX2
3956ecc9d9fSOndrej Mosnacek	tristate "MORUS-1280 AEAD algorithm (x86_64 AVX2 implementation)"
3966ecc9d9fSOndrej Mosnacek	depends on X86 && 64BIT
3976ecc9d9fSOndrej Mosnacek	select CRYPTO_AEAD
3986ecc9d9fSOndrej Mosnacek	select CRYPTO_MORUS1280_GLUE
3996ecc9d9fSOndrej Mosnacek	help
4006ecc9d9fSOndrej Mosnacek	  AVX2 optimized implementation of the MORUS-1280 dedicated AEAD
4016ecc9d9fSOndrej Mosnacek	  algorithm.
4026ecc9d9fSOndrej Mosnacek
403584fffc8SSebastian Siewiorconfig CRYPTO_SEQIV
404584fffc8SSebastian Siewior	tristate "Sequence Number IV Generator"
405584fffc8SSebastian Siewior	select CRYPTO_AEAD
406584fffc8SSebastian Siewior	select CRYPTO_BLKCIPHER
407856e3f40SHerbert Xu	select CRYPTO_NULL
408401e4238SHerbert Xu	select CRYPTO_RNG_DEFAULT
409c8a3315aSEric Biggers	select CRYPTO_MANAGER
410584fffc8SSebastian Siewior	help
411584fffc8SSebastian Siewior	  This IV generator generates an IV based on a sequence number by
412584fffc8SSebastian Siewior	  xoring it with a salt.  This algorithm is mainly useful for CTR
413584fffc8SSebastian Siewior
414a10f554fSHerbert Xuconfig CRYPTO_ECHAINIV
415a10f554fSHerbert Xu	tristate "Encrypted Chain IV Generator"
416a10f554fSHerbert Xu	select CRYPTO_AEAD
417a10f554fSHerbert Xu	select CRYPTO_NULL
418401e4238SHerbert Xu	select CRYPTO_RNG_DEFAULT
419c8a3315aSEric Biggers	select CRYPTO_MANAGER
420a10f554fSHerbert Xu	help
421a10f554fSHerbert Xu	  This IV generator generates an IV based on the encryption of
422a10f554fSHerbert Xu	  a sequence number xored with a salt.  This is the default
423a10f554fSHerbert Xu	  algorithm for CBC.
424a10f554fSHerbert Xu
425584fffc8SSebastian Siewiorcomment "Block modes"
426584fffc8SSebastian Siewior
427584fffc8SSebastian Siewiorconfig CRYPTO_CBC
428584fffc8SSebastian Siewior	tristate "CBC support"
429584fffc8SSebastian Siewior	select CRYPTO_BLKCIPHER
430584fffc8SSebastian Siewior	select CRYPTO_MANAGER
431584fffc8SSebastian Siewior	help
432584fffc8SSebastian Siewior	  CBC: Cipher Block Chaining mode
433584fffc8SSebastian Siewior	  This block cipher algorithm is required for IPSec.
434584fffc8SSebastian Siewior
435a7d85e06SJames Bottomleyconfig CRYPTO_CFB
436a7d85e06SJames Bottomley	tristate "CFB support"
437a7d85e06SJames Bottomley	select CRYPTO_BLKCIPHER
438a7d85e06SJames Bottomley	select CRYPTO_MANAGER
439a7d85e06SJames Bottomley	help
440a7d85e06SJames Bottomley	  CFB: Cipher FeedBack mode
441a7d85e06SJames Bottomley	  This block cipher algorithm is required for TPM2 Cryptography.
442a7d85e06SJames Bottomley
443584fffc8SSebastian Siewiorconfig CRYPTO_CTR
444584fffc8SSebastian Siewior	tristate "CTR support"
445584fffc8SSebastian Siewior	select CRYPTO_BLKCIPHER
446584fffc8SSebastian Siewior	select CRYPTO_SEQIV
447584fffc8SSebastian Siewior	select CRYPTO_MANAGER
448584fffc8SSebastian Siewior	help
449584fffc8SSebastian Siewior	  CTR: Counter mode
450584fffc8SSebastian Siewior	  This block cipher algorithm is required for IPSec.
451584fffc8SSebastian Siewior
452584fffc8SSebastian Siewiorconfig CRYPTO_CTS
453584fffc8SSebastian Siewior	tristate "CTS support"
454584fffc8SSebastian Siewior	select CRYPTO_BLKCIPHER
455c8a3315aSEric Biggers	select CRYPTO_MANAGER
456584fffc8SSebastian Siewior	help
457584fffc8SSebastian Siewior	  CTS: Cipher Text Stealing
458584fffc8SSebastian Siewior	  This is the Cipher Text Stealing mode as described by
459ecd6d5c9SGilad Ben-Yossef	  Section 8 of rfc2040 and referenced by rfc3962
460ecd6d5c9SGilad Ben-Yossef	  (rfc3962 includes errata information in its Appendix A) or
461ecd6d5c9SGilad Ben-Yossef	  CBC-CS3 as defined by NIST in Sp800-38A addendum from Oct 2010.
462584fffc8SSebastian Siewior	  This mode is required for Kerberos gss mechanism support
463584fffc8SSebastian Siewior	  for AES encryption.
464584fffc8SSebastian Siewior
465ecd6d5c9SGilad Ben-Yossef	  See: https://csrc.nist.gov/publications/detail/sp/800-38a/addendum/final
466ecd6d5c9SGilad Ben-Yossef
467584fffc8SSebastian Siewiorconfig CRYPTO_ECB
468584fffc8SSebastian Siewior	tristate "ECB support"
469584fffc8SSebastian Siewior	select CRYPTO_BLKCIPHER
470584fffc8SSebastian Siewior	select CRYPTO_MANAGER
471584fffc8SSebastian Siewior	help
472584fffc8SSebastian Siewior	  ECB: Electronic CodeBook mode
473584fffc8SSebastian Siewior	  This is the simplest block cipher algorithm.  It simply encrypts
474584fffc8SSebastian Siewior	  the input block by block.
475584fffc8SSebastian Siewior
476584fffc8SSebastian Siewiorconfig CRYPTO_LRW
4772470a2b2SJussi Kivilinna	tristate "LRW support"
478584fffc8SSebastian Siewior	select CRYPTO_BLKCIPHER
479584fffc8SSebastian Siewior	select CRYPTO_MANAGER
480584fffc8SSebastian Siewior	select CRYPTO_GF128MUL
481584fffc8SSebastian Siewior	help
482584fffc8SSebastian Siewior	  LRW: Liskov Rivest Wagner, a tweakable, non malleable, non movable
483584fffc8SSebastian Siewior	  narrow block cipher mode for dm-crypt.  Use it with cipher
484584fffc8SSebastian Siewior	  specification string aes-lrw-benbi, the key must be 256, 320 or 384.
485584fffc8SSebastian Siewior	  The first 128, 192 or 256 bits in the key are used for AES and the
486584fffc8SSebastian Siewior	  rest is used to tie each cipher block to its logical position.
487584fffc8SSebastian Siewior
488e497c518SGilad Ben-Yossefconfig CRYPTO_OFB
489e497c518SGilad Ben-Yossef	tristate "OFB support"
490e497c518SGilad Ben-Yossef	select CRYPTO_BLKCIPHER
491e497c518SGilad Ben-Yossef	select CRYPTO_MANAGER
492e497c518SGilad Ben-Yossef	help
493e497c518SGilad Ben-Yossef	  OFB: the Output Feedback mode makes a block cipher into a synchronous
494e497c518SGilad Ben-Yossef	  stream cipher. It generates keystream blocks, which are then XORed
495e497c518SGilad Ben-Yossef	  with the plaintext blocks to get the ciphertext. Flipping a bit in the
496e497c518SGilad Ben-Yossef	  ciphertext produces a flipped bit in the plaintext at the same
497e497c518SGilad Ben-Yossef	  location. This property allows many error correcting codes to function
498e497c518SGilad Ben-Yossef	  normally even when applied before encryption.
499e497c518SGilad Ben-Yossef
500584fffc8SSebastian Siewiorconfig CRYPTO_PCBC
501584fffc8SSebastian Siewior	tristate "PCBC support"
502584fffc8SSebastian Siewior	select CRYPTO_BLKCIPHER
503584fffc8SSebastian Siewior	select CRYPTO_MANAGER
504584fffc8SSebastian Siewior	help
505584fffc8SSebastian Siewior	  PCBC: Propagating Cipher Block Chaining mode
506584fffc8SSebastian Siewior	  This block cipher algorithm is required for RxRPC.
507584fffc8SSebastian Siewior
508584fffc8SSebastian Siewiorconfig CRYPTO_XTS
5095bcf8e6dSJussi Kivilinna	tristate "XTS support"
510584fffc8SSebastian Siewior	select CRYPTO_BLKCIPHER
511584fffc8SSebastian Siewior	select CRYPTO_MANAGER
51212cb3a1cSMilan Broz	select CRYPTO_ECB
513584fffc8SSebastian Siewior	help
514584fffc8SSebastian Siewior	  XTS: IEEE1619/D16 narrow block cipher use with aes-xts-plain,
515584fffc8SSebastian Siewior	  key size 256, 384 or 512 bits. This implementation currently
516584fffc8SSebastian Siewior	  can't handle a sectorsize which is not a multiple of 16 bytes.
517584fffc8SSebastian Siewior
5181c49678eSStephan Muellerconfig CRYPTO_KEYWRAP
5191c49678eSStephan Mueller	tristate "Key wrapping support"
5201c49678eSStephan Mueller	select CRYPTO_BLKCIPHER
521c8a3315aSEric Biggers	select CRYPTO_MANAGER
5221c49678eSStephan Mueller	help
5231c49678eSStephan Mueller	  Support for key wrapping (NIST SP800-38F / RFC3394) without
5241c49678eSStephan Mueller	  padding.
5251c49678eSStephan Mueller
52626609a21SEric Biggersconfig CRYPTO_NHPOLY1305
52726609a21SEric Biggers	tristate
52826609a21SEric Biggers	select CRYPTO_HASH
52926609a21SEric Biggers	select CRYPTO_POLY1305
53026609a21SEric Biggers
531012c8238SEric Biggersconfig CRYPTO_NHPOLY1305_SSE2
532012c8238SEric Biggers	tristate "NHPoly1305 hash function (x86_64 SSE2 implementation)"
533012c8238SEric Biggers	depends on X86 && 64BIT
534012c8238SEric Biggers	select CRYPTO_NHPOLY1305
535012c8238SEric Biggers	help
536012c8238SEric Biggers	  SSE2 optimized implementation of the hash function used by the
537012c8238SEric Biggers	  Adiantum encryption mode.
538012c8238SEric Biggers
5390f961f9fSEric Biggersconfig CRYPTO_NHPOLY1305_AVX2
5400f961f9fSEric Biggers	tristate "NHPoly1305 hash function (x86_64 AVX2 implementation)"
5410f961f9fSEric Biggers	depends on X86 && 64BIT
5420f961f9fSEric Biggers	select CRYPTO_NHPOLY1305
5430f961f9fSEric Biggers	help
5440f961f9fSEric Biggers	  AVX2 optimized implementation of the hash function used by the
5450f961f9fSEric Biggers	  Adiantum encryption mode.
5460f961f9fSEric Biggers
547059c2a4dSEric Biggersconfig CRYPTO_ADIANTUM
548059c2a4dSEric Biggers	tristate "Adiantum support"
549059c2a4dSEric Biggers	select CRYPTO_CHACHA20
550059c2a4dSEric Biggers	select CRYPTO_POLY1305
551059c2a4dSEric Biggers	select CRYPTO_NHPOLY1305
552c8a3315aSEric Biggers	select CRYPTO_MANAGER
553059c2a4dSEric Biggers	help
554059c2a4dSEric Biggers	  Adiantum is a tweakable, length-preserving encryption mode
555059c2a4dSEric Biggers	  designed for fast and secure disk encryption, especially on
556059c2a4dSEric Biggers	  CPUs without dedicated crypto instructions.  It encrypts
557059c2a4dSEric Biggers	  each sector using the XChaCha12 stream cipher, two passes of
558059c2a4dSEric Biggers	  an ε-almost-∆-universal hash function, and an invocation of
559059c2a4dSEric Biggers	  the AES-256 block cipher on a single 16-byte block.  On CPUs
560059c2a4dSEric Biggers	  without AES instructions, Adiantum is much faster than
561059c2a4dSEric Biggers	  AES-XTS.
562059c2a4dSEric Biggers
563059c2a4dSEric Biggers	  Adiantum's security is provably reducible to that of its
564059c2a4dSEric Biggers	  underlying stream and block ciphers, subject to a security
565059c2a4dSEric Biggers	  bound.  Unlike XTS, Adiantum is a true wide-block encryption
566059c2a4dSEric Biggers	  mode, so it actually provides an even stronger notion of
567059c2a4dSEric Biggers	  security than XTS, subject to the security bound.
568059c2a4dSEric Biggers
569059c2a4dSEric Biggers	  If unsure, say N.
570059c2a4dSEric Biggers
571584fffc8SSebastian Siewiorcomment "Hash modes"
572584fffc8SSebastian Siewior
57393b5e86aSJussi Kivilinnaconfig CRYPTO_CMAC
57493b5e86aSJussi Kivilinna	tristate "CMAC support"
57593b5e86aSJussi Kivilinna	select CRYPTO_HASH
57693b5e86aSJussi Kivilinna	select CRYPTO_MANAGER
57793b5e86aSJussi Kivilinna	help
57893b5e86aSJussi Kivilinna	  Cipher-based Message Authentication Code (CMAC) specified by
57993b5e86aSJussi Kivilinna	  The National Institute of Standards and Technology (NIST).
58093b5e86aSJussi Kivilinna
58193b5e86aSJussi Kivilinna	  https://tools.ietf.org/html/rfc4493
58293b5e86aSJussi Kivilinna	  http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf
58393b5e86aSJussi Kivilinna
5841da177e4SLinus Torvaldsconfig CRYPTO_HMAC
5858425165dSHerbert Xu	tristate "HMAC support"
5860796ae06SHerbert Xu	select CRYPTO_HASH
58743518407SHerbert Xu	select CRYPTO_MANAGER
5881da177e4SLinus Torvalds	help
5891da177e4SLinus Torvalds	  HMAC: Keyed-Hashing for Message Authentication (RFC2104).
5901da177e4SLinus Torvalds	  This is required for IPSec.
5911da177e4SLinus Torvalds
592333b0d7eSKazunori MIYAZAWAconfig CRYPTO_XCBC
593333b0d7eSKazunori MIYAZAWA	tristate "XCBC support"
594333b0d7eSKazunori MIYAZAWA	select CRYPTO_HASH
595333b0d7eSKazunori MIYAZAWA	select CRYPTO_MANAGER
596333b0d7eSKazunori MIYAZAWA	help
597333b0d7eSKazunori MIYAZAWA	  XCBC: Keyed-Hashing with encryption algorithm
598333b0d7eSKazunori MIYAZAWA		http://www.ietf.org/rfc/rfc3566.txt
599333b0d7eSKazunori MIYAZAWA		http://csrc.nist.gov/encryption/modes/proposedmodes/
600333b0d7eSKazunori MIYAZAWA		 xcbc-mac/xcbc-mac-spec.pdf
601333b0d7eSKazunori MIYAZAWA
602f1939f7cSShane Wangconfig CRYPTO_VMAC
603f1939f7cSShane Wang	tristate "VMAC support"
604f1939f7cSShane Wang	select CRYPTO_HASH
605f1939f7cSShane Wang	select CRYPTO_MANAGER
606f1939f7cSShane Wang	help
607f1939f7cSShane Wang	  VMAC is a message authentication algorithm designed for
608f1939f7cSShane Wang	  very high speed on 64-bit architectures.
609f1939f7cSShane Wang
610f1939f7cSShane Wang	  See also:
611f1939f7cSShane Wang	  <http://fastcrypto.org/vmac>
612f1939f7cSShane Wang
613584fffc8SSebastian Siewiorcomment "Digest"
614584fffc8SSebastian Siewior
615584fffc8SSebastian Siewiorconfig CRYPTO_CRC32C
616584fffc8SSebastian Siewior	tristate "CRC32c CRC algorithm"
6175773a3e6SHerbert Xu	select CRYPTO_HASH
6186a0962b2SDarrick J. Wong	select CRC32
6191da177e4SLinus Torvalds	help
620584fffc8SSebastian Siewior	  Castagnoli, et al Cyclic Redundancy-Check Algorithm.  Used
621584fffc8SSebastian Siewior	  by iSCSI for header and data digests and by others.
62269c35efcSHerbert Xu	  See Castagnoli93.  Module will be crc32c.
6231da177e4SLinus Torvalds
6248cb51ba8SAustin Zhangconfig CRYPTO_CRC32C_INTEL
6258cb51ba8SAustin Zhang	tristate "CRC32c INTEL hardware acceleration"
6268cb51ba8SAustin Zhang	depends on X86
6278cb51ba8SAustin Zhang	select CRYPTO_HASH
6288cb51ba8SAustin Zhang	help
6298cb51ba8SAustin Zhang	  In Intel processor with SSE4.2 supported, the processor will
6308cb51ba8SAustin Zhang	  support CRC32C implementation using hardware accelerated CRC32
6318cb51ba8SAustin Zhang	  instruction. This option will create 'crc32c-intel' module,
6328cb51ba8SAustin Zhang	  which will enable any routine to use the CRC32 instruction to
6338cb51ba8SAustin Zhang	  gain performance compared with software implementation.
6348cb51ba8SAustin Zhang	  Module will be crc32c-intel.
6358cb51ba8SAustin Zhang
6367cf31864SJean Delvareconfig CRYPTO_CRC32C_VPMSUM
6376dd7a82cSAnton Blanchard	tristate "CRC32c CRC algorithm (powerpc64)"
638c12abf34SMichael Ellerman	depends on PPC64 && ALTIVEC
6396dd7a82cSAnton Blanchard	select CRYPTO_HASH
6406dd7a82cSAnton Blanchard	select CRC32
6416dd7a82cSAnton Blanchard	help
6426dd7a82cSAnton Blanchard	  CRC32c algorithm implemented using vector polynomial multiply-sum
6436dd7a82cSAnton Blanchard	  (vpmsum) instructions, introduced in POWER8. Enable on POWER8
6446dd7a82cSAnton Blanchard	  and newer processors for improved performance.
6456dd7a82cSAnton Blanchard
6466dd7a82cSAnton Blanchard
647442a7c40SDavid S. Millerconfig CRYPTO_CRC32C_SPARC64
648442a7c40SDavid S. Miller	tristate "CRC32c CRC algorithm (SPARC64)"
649442a7c40SDavid S. Miller	depends on SPARC64
650442a7c40SDavid S. Miller	select CRYPTO_HASH
651442a7c40SDavid S. Miller	select CRC32
652442a7c40SDavid S. Miller	help
653442a7c40SDavid S. Miller	  CRC32c CRC algorithm implemented using sparc64 crypto instructions,
654442a7c40SDavid S. Miller	  when available.
655442a7c40SDavid S. Miller
65678c37d19SAlexander Boykoconfig CRYPTO_CRC32
65778c37d19SAlexander Boyko	tristate "CRC32 CRC algorithm"
65878c37d19SAlexander Boyko	select CRYPTO_HASH
65978c37d19SAlexander Boyko	select CRC32
66078c37d19SAlexander Boyko	help
66178c37d19SAlexander Boyko	  CRC-32-IEEE 802.3 cyclic redundancy-check algorithm.
66278c37d19SAlexander Boyko	  Shash crypto api wrappers to crc32_le function.
66378c37d19SAlexander Boyko
66478c37d19SAlexander Boykoconfig CRYPTO_CRC32_PCLMUL
66578c37d19SAlexander Boyko	tristate "CRC32 PCLMULQDQ hardware acceleration"
66678c37d19SAlexander Boyko	depends on X86
66778c37d19SAlexander Boyko	select CRYPTO_HASH
66878c37d19SAlexander Boyko	select CRC32
66978c37d19SAlexander Boyko	help
67078c37d19SAlexander Boyko	  From Intel Westmere and AMD Bulldozer processor with SSE4.2
67178c37d19SAlexander Boyko	  and PCLMULQDQ supported, the processor will support
67278c37d19SAlexander Boyko	  CRC32 PCLMULQDQ implementation using hardware accelerated PCLMULQDQ
673af8cb01fShaco	  instruction. This option will create 'crc32-pclmul' module,
67478c37d19SAlexander Boyko	  which will enable any routine to use the CRC-32-IEEE 802.3 checksum
67578c37d19SAlexander Boyko	  and gain better performance as compared with the table implementation.
67678c37d19SAlexander Boyko
6774a5dc51eSMarcin Nowakowskiconfig CRYPTO_CRC32_MIPS
6784a5dc51eSMarcin Nowakowski	tristate "CRC32c and CRC32 CRC algorithm (MIPS)"
6794a5dc51eSMarcin Nowakowski	depends on MIPS_CRC_SUPPORT
6804a5dc51eSMarcin Nowakowski	select CRYPTO_HASH
6814a5dc51eSMarcin Nowakowski	help
6824a5dc51eSMarcin Nowakowski	  CRC32c and CRC32 CRC algorithms implemented using mips crypto
6834a5dc51eSMarcin Nowakowski	  instructions, when available.
6844a5dc51eSMarcin Nowakowski
6854a5dc51eSMarcin Nowakowski
68667882e76SNikolay Borisovconfig CRYPTO_XXHASH
68767882e76SNikolay Borisov	tristate "xxHash hash algorithm"
68867882e76SNikolay Borisov	select CRYPTO_HASH
68967882e76SNikolay Borisov	select XXHASH
69067882e76SNikolay Borisov	help
69167882e76SNikolay Borisov	  xxHash non-cryptographic hash algorithm. Extremely fast, working at
69267882e76SNikolay Borisov	  speeds close to RAM limits.
69367882e76SNikolay Borisov
69468411521SHerbert Xuconfig CRYPTO_CRCT10DIF
69568411521SHerbert Xu	tristate "CRCT10DIF algorithm"
69668411521SHerbert Xu	select CRYPTO_HASH
69768411521SHerbert Xu	help
69868411521SHerbert Xu	  CRC T10 Data Integrity Field computation is being cast as
69968411521SHerbert Xu	  a crypto transform.  This allows for faster crc t10 diff
70068411521SHerbert Xu	  transforms to be used if they are available.
70168411521SHerbert Xu
70268411521SHerbert Xuconfig CRYPTO_CRCT10DIF_PCLMUL
70368411521SHerbert Xu	tristate "CRCT10DIF PCLMULQDQ hardware acceleration"
70468411521SHerbert Xu	depends on X86 && 64BIT && CRC_T10DIF
70568411521SHerbert Xu	select CRYPTO_HASH
70668411521SHerbert Xu	help
70768411521SHerbert Xu	  For x86_64 processors with SSE4.2 and PCLMULQDQ supported,
70868411521SHerbert Xu	  CRC T10 DIF PCLMULQDQ computation can be hardware
70968411521SHerbert Xu	  accelerated PCLMULQDQ instruction. This option will create
710af8cb01fShaco	  'crct10dif-pclmul' module, which is faster when computing the
71168411521SHerbert Xu	  crct10dif checksum as compared with the generic table implementation.
71268411521SHerbert Xu
713b01df1c1SDaniel Axtensconfig CRYPTO_CRCT10DIF_VPMSUM
714b01df1c1SDaniel Axtens	tristate "CRC32T10DIF powerpc64 hardware acceleration"
715b01df1c1SDaniel Axtens	depends on PPC64 && ALTIVEC && CRC_T10DIF
716b01df1c1SDaniel Axtens	select CRYPTO_HASH
717b01df1c1SDaniel Axtens	help
718b01df1c1SDaniel Axtens	  CRC10T10DIF algorithm implemented using vector polynomial
719b01df1c1SDaniel Axtens	  multiply-sum (vpmsum) instructions, introduced in POWER8. Enable on
720b01df1c1SDaniel Axtens	  POWER8 and newer processors for improved performance.
721b01df1c1SDaniel Axtens
722146c8688SDaniel Axtensconfig CRYPTO_VPMSUM_TESTER
723146c8688SDaniel Axtens	tristate "Powerpc64 vpmsum hardware acceleration tester"
724146c8688SDaniel Axtens	depends on CRYPTO_CRCT10DIF_VPMSUM && CRYPTO_CRC32C_VPMSUM
725146c8688SDaniel Axtens	help
726146c8688SDaniel Axtens	  Stress test for CRC32c and CRC-T10DIF algorithms implemented with
727146c8688SDaniel Axtens	  POWER8 vpmsum instructions.
728146c8688SDaniel Axtens	  Unless you are testing these algorithms, you don't need this.
729146c8688SDaniel Axtens
7302cdc6899SHuang Yingconfig CRYPTO_GHASH
7312cdc6899SHuang Ying	tristate "GHASH digest algorithm"
7322cdc6899SHuang Ying	select CRYPTO_GF128MUL
733578c60fbSArnd Bergmann	select CRYPTO_HASH
7342cdc6899SHuang Ying	help
7352cdc6899SHuang Ying	  GHASH is message digest algorithm for GCM (Galois/Counter Mode).
7362cdc6899SHuang Ying
737f979e014SMartin Williconfig CRYPTO_POLY1305
738f979e014SMartin Willi	tristate "Poly1305 authenticator algorithm"
739578c60fbSArnd Bergmann	select CRYPTO_HASH
740f979e014SMartin Willi	help
741f979e014SMartin Willi	  Poly1305 authenticator algorithm, RFC7539.
742f979e014SMartin Willi
743f979e014SMartin Willi	  Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
744f979e014SMartin Willi	  It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
745f979e014SMartin Willi	  in IETF protocols. This is the portable C implementation of Poly1305.
746f979e014SMartin Willi
747c70f4abeSMartin Williconfig CRYPTO_POLY1305_X86_64
748b1ccc8f4SMartin Willi	tristate "Poly1305 authenticator algorithm (x86_64/SSE2/AVX2)"
749c70f4abeSMartin Willi	depends on X86 && 64BIT
750c70f4abeSMartin Willi	select CRYPTO_POLY1305
751c70f4abeSMartin Willi	help
752c70f4abeSMartin Willi	  Poly1305 authenticator algorithm, RFC7539.
753c70f4abeSMartin Willi
754c70f4abeSMartin Willi	  Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
755c70f4abeSMartin Willi	  It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
756c70f4abeSMartin Willi	  in IETF protocols. This is the x86_64 assembler implementation using SIMD
757c70f4abeSMartin Willi	  instructions.
758c70f4abeSMartin Willi
7591da177e4SLinus Torvaldsconfig CRYPTO_MD4
7601da177e4SLinus Torvalds	tristate "MD4 digest algorithm"
761808a1763SAdrian-Ken Rueegsegger	select CRYPTO_HASH
7621da177e4SLinus Torvalds	help
7631da177e4SLinus Torvalds	  MD4 message digest algorithm (RFC1320).
7641da177e4SLinus Torvalds
7651da177e4SLinus Torvaldsconfig CRYPTO_MD5
7661da177e4SLinus Torvalds	tristate "MD5 digest algorithm"
76714b75ba7SAdrian-Ken Rueegsegger	select CRYPTO_HASH
7681da177e4SLinus Torvalds	help
7691da177e4SLinus Torvalds	  MD5 message digest algorithm (RFC1321).
7701da177e4SLinus Torvalds
771d69e75deSAaro Koskinenconfig CRYPTO_MD5_OCTEON
772d69e75deSAaro Koskinen	tristate "MD5 digest algorithm (OCTEON)"
773d69e75deSAaro Koskinen	depends on CPU_CAVIUM_OCTEON
774d69e75deSAaro Koskinen	select CRYPTO_MD5
775d69e75deSAaro Koskinen	select CRYPTO_HASH
776d69e75deSAaro Koskinen	help
777d69e75deSAaro Koskinen	  MD5 message digest algorithm (RFC1321) implemented
778d69e75deSAaro Koskinen	  using OCTEON crypto instructions, when available.
779d69e75deSAaro Koskinen
780e8e59953SMarkus Stockhausenconfig CRYPTO_MD5_PPC
781e8e59953SMarkus Stockhausen	tristate "MD5 digest algorithm (PPC)"
782e8e59953SMarkus Stockhausen	depends on PPC
783e8e59953SMarkus Stockhausen	select CRYPTO_HASH
784e8e59953SMarkus Stockhausen	help
785e8e59953SMarkus Stockhausen	  MD5 message digest algorithm (RFC1321) implemented
786e8e59953SMarkus Stockhausen	  in PPC assembler.
787e8e59953SMarkus Stockhausen
788fa4dfedcSDavid S. Millerconfig CRYPTO_MD5_SPARC64
789fa4dfedcSDavid S. Miller	tristate "MD5 digest algorithm (SPARC64)"
790fa4dfedcSDavid S. Miller	depends on SPARC64
791fa4dfedcSDavid S. Miller	select CRYPTO_MD5
792fa4dfedcSDavid S. Miller	select CRYPTO_HASH
793fa4dfedcSDavid S. Miller	help
794fa4dfedcSDavid S. Miller	  MD5 message digest algorithm (RFC1321) implemented
795fa4dfedcSDavid S. Miller	  using sparc64 crypto instructions, when available.
796fa4dfedcSDavid S. Miller
797584fffc8SSebastian Siewiorconfig CRYPTO_MICHAEL_MIC
798584fffc8SSebastian Siewior	tristate "Michael MIC keyed digest algorithm"
79919e2bf14SAdrian-Ken Rueegsegger	select CRYPTO_HASH
800584fffc8SSebastian Siewior	help
801584fffc8SSebastian Siewior	  Michael MIC is used for message integrity protection in TKIP
802584fffc8SSebastian Siewior	  (IEEE 802.11i). This algorithm is required for TKIP, but it
803584fffc8SSebastian Siewior	  should not be used for other purposes because of the weakness
804584fffc8SSebastian Siewior	  of the algorithm.
805584fffc8SSebastian Siewior
80682798f90SAdrian-Ken Rueegseggerconfig CRYPTO_RMD128
80782798f90SAdrian-Ken Rueegsegger	tristate "RIPEMD-128 digest algorithm"
8087c4468bcSHerbert Xu	select CRYPTO_HASH
80982798f90SAdrian-Ken Rueegsegger	help
81082798f90SAdrian-Ken Rueegsegger	  RIPEMD-128 (ISO/IEC 10118-3:2004).
81182798f90SAdrian-Ken Rueegsegger
81282798f90SAdrian-Ken Rueegsegger	  RIPEMD-128 is a 128-bit cryptographic hash function. It should only
81335ed4b35SMichael Witten	  be used as a secure replacement for RIPEMD. For other use cases,
81482798f90SAdrian-Ken Rueegsegger	  RIPEMD-160 should be used.
81582798f90SAdrian-Ken Rueegsegger
81682798f90SAdrian-Ken Rueegsegger	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
8176d8de74cSJustin P. Mattock	  See <http://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
81882798f90SAdrian-Ken Rueegsegger
81982798f90SAdrian-Ken Rueegseggerconfig CRYPTO_RMD160
82082798f90SAdrian-Ken Rueegsegger	tristate "RIPEMD-160 digest algorithm"
821e5835fbaSHerbert Xu	select CRYPTO_HASH
82282798f90SAdrian-Ken Rueegsegger	help
82382798f90SAdrian-Ken Rueegsegger	  RIPEMD-160 (ISO/IEC 10118-3:2004).
82482798f90SAdrian-Ken Rueegsegger
82582798f90SAdrian-Ken Rueegsegger	  RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
82682798f90SAdrian-Ken Rueegsegger	  to be used as a secure replacement for the 128-bit hash functions
827b6d44341SAdrian Bunk	  MD4, MD5 and it's predecessor RIPEMD
828b6d44341SAdrian Bunk	  (not to be confused with RIPEMD-128).
82982798f90SAdrian-Ken Rueegsegger
830b6d44341SAdrian Bunk	  It's speed is comparable to SHA1 and there are no known attacks
831b6d44341SAdrian Bunk	  against RIPEMD-160.
832534fe2c1SAdrian-Ken Rueegsegger
833534fe2c1SAdrian-Ken Rueegsegger	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
8346d8de74cSJustin P. Mattock	  See <http://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
835534fe2c1SAdrian-Ken Rueegsegger
836534fe2c1SAdrian-Ken Rueegseggerconfig CRYPTO_RMD256
837534fe2c1SAdrian-Ken Rueegsegger	tristate "RIPEMD-256 digest algorithm"
838d8a5e2e9SHerbert Xu	select CRYPTO_HASH
839534fe2c1SAdrian-Ken Rueegsegger	help
840b6d44341SAdrian Bunk	  RIPEMD-256 is an optional extension of RIPEMD-128 with a
841b6d44341SAdrian Bunk	  256 bit hash. It is intended for applications that require
842b6d44341SAdrian Bunk	  longer hash-results, without needing a larger security level
843b6d44341SAdrian Bunk	  (than RIPEMD-128).
844534fe2c1SAdrian-Ken Rueegsegger
845534fe2c1SAdrian-Ken Rueegsegger	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
8466d8de74cSJustin P. Mattock	  See <http://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
847534fe2c1SAdrian-Ken Rueegsegger
848534fe2c1SAdrian-Ken Rueegseggerconfig CRYPTO_RMD320
849534fe2c1SAdrian-Ken Rueegsegger	tristate "RIPEMD-320 digest algorithm"
8503b8efb4cSHerbert Xu	select CRYPTO_HASH
851534fe2c1SAdrian-Ken Rueegsegger	help
852b6d44341SAdrian Bunk	  RIPEMD-320 is an optional extension of RIPEMD-160 with a
853b6d44341SAdrian Bunk	  320 bit hash. It is intended for applications that require
854b6d44341SAdrian Bunk	  longer hash-results, without needing a larger security level
855b6d44341SAdrian Bunk	  (than RIPEMD-160).
856534fe2c1SAdrian-Ken Rueegsegger
85782798f90SAdrian-Ken Rueegsegger	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
8586d8de74cSJustin P. Mattock	  See <http://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
85982798f90SAdrian-Ken Rueegsegger
8601da177e4SLinus Torvaldsconfig CRYPTO_SHA1
8611da177e4SLinus Torvalds	tristate "SHA1 digest algorithm"
86254ccb367SAdrian-Ken Rueegsegger	select CRYPTO_HASH
8631da177e4SLinus Torvalds	help
8641da177e4SLinus Torvalds	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2).
8651da177e4SLinus Torvalds
86666be8951SMathias Krauseconfig CRYPTO_SHA1_SSSE3
867e38b6b7fStim	tristate "SHA1 digest algorithm (SSSE3/AVX/AVX2/SHA-NI)"
86866be8951SMathias Krause	depends on X86 && 64BIT
86966be8951SMathias Krause	select CRYPTO_SHA1
87066be8951SMathias Krause	select CRYPTO_HASH
87166be8951SMathias Krause	help
87266be8951SMathias Krause	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
87366be8951SMathias Krause	  using Supplemental SSE3 (SSSE3) instructions or Advanced Vector
874e38b6b7fStim	  Extensions (AVX/AVX2) or SHA-NI(SHA Extensions New Instructions),
875e38b6b7fStim	  when available.
87666be8951SMathias Krause
8778275d1aaSTim Chenconfig CRYPTO_SHA256_SSSE3
878e38b6b7fStim	tristate "SHA256 digest algorithm (SSSE3/AVX/AVX2/SHA-NI)"
8798275d1aaSTim Chen	depends on X86 && 64BIT
8808275d1aaSTim Chen	select CRYPTO_SHA256
8818275d1aaSTim Chen	select CRYPTO_HASH
8828275d1aaSTim Chen	help
8838275d1aaSTim Chen	  SHA-256 secure hash standard (DFIPS 180-2) implemented
8848275d1aaSTim Chen	  using Supplemental SSE3 (SSSE3) instructions, or Advanced Vector
8858275d1aaSTim Chen	  Extensions version 1 (AVX1), or Advanced Vector Extensions
886e38b6b7fStim	  version 2 (AVX2) instructions, or SHA-NI (SHA Extensions New
887e38b6b7fStim	  Instructions) when available.
8888275d1aaSTim Chen
88987de4579STim Chenconfig CRYPTO_SHA512_SSSE3
89087de4579STim Chen	tristate "SHA512 digest algorithm (SSSE3/AVX/AVX2)"
89187de4579STim Chen	depends on X86 && 64BIT
89287de4579STim Chen	select CRYPTO_SHA512
89387de4579STim Chen	select CRYPTO_HASH
89487de4579STim Chen	help
89587de4579STim Chen	  SHA-512 secure hash standard (DFIPS 180-2) implemented
89687de4579STim Chen	  using Supplemental SSE3 (SSSE3) instructions, or Advanced Vector
89787de4579STim Chen	  Extensions version 1 (AVX1), or Advanced Vector Extensions
89887de4579STim Chen	  version 2 (AVX2) instructions, when available.
89987de4579STim Chen
900efdb6f6eSAaro Koskinenconfig CRYPTO_SHA1_OCTEON
901efdb6f6eSAaro Koskinen	tristate "SHA1 digest algorithm (OCTEON)"
902efdb6f6eSAaro Koskinen	depends on CPU_CAVIUM_OCTEON
903efdb6f6eSAaro Koskinen	select CRYPTO_SHA1
904efdb6f6eSAaro Koskinen	select CRYPTO_HASH
905efdb6f6eSAaro Koskinen	help
906efdb6f6eSAaro Koskinen	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
907efdb6f6eSAaro Koskinen	  using OCTEON crypto instructions, when available.
908efdb6f6eSAaro Koskinen
9094ff28d4cSDavid S. Millerconfig CRYPTO_SHA1_SPARC64
9104ff28d4cSDavid S. Miller	tristate "SHA1 digest algorithm (SPARC64)"
9114ff28d4cSDavid S. Miller	depends on SPARC64
9124ff28d4cSDavid S. Miller	select CRYPTO_SHA1
9134ff28d4cSDavid S. Miller	select CRYPTO_HASH
9144ff28d4cSDavid S. Miller	help
9154ff28d4cSDavid S. Miller	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
9164ff28d4cSDavid S. Miller	  using sparc64 crypto instructions, when available.
9174ff28d4cSDavid S. Miller
918323a6bf1SMichael Ellermanconfig CRYPTO_SHA1_PPC
919323a6bf1SMichael Ellerman	tristate "SHA1 digest algorithm (powerpc)"
920323a6bf1SMichael Ellerman	depends on PPC
921323a6bf1SMichael Ellerman	help
922323a6bf1SMichael Ellerman	  This is the powerpc hardware accelerated implementation of the
923323a6bf1SMichael Ellerman	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2).
924323a6bf1SMichael Ellerman
925d9850fc5SMarkus Stockhausenconfig CRYPTO_SHA1_PPC_SPE
926d9850fc5SMarkus Stockhausen	tristate "SHA1 digest algorithm (PPC SPE)"
927d9850fc5SMarkus Stockhausen	depends on PPC && SPE
928d9850fc5SMarkus Stockhausen	help
929d9850fc5SMarkus Stockhausen	  SHA-1 secure hash standard (DFIPS 180-4) implemented
930d9850fc5SMarkus Stockhausen	  using powerpc SPE SIMD instruction set.
931d9850fc5SMarkus Stockhausen
9321da177e4SLinus Torvaldsconfig CRYPTO_SHA256
933cd12fb90SJonathan Lynch	tristate "SHA224 and SHA256 digest algorithm"
93450e109b5SAdrian-Ken Rueegsegger	select CRYPTO_HASH
9351da177e4SLinus Torvalds	help
9361da177e4SLinus Torvalds	  SHA256 secure hash standard (DFIPS 180-2).
9371da177e4SLinus Torvalds
9381da177e4SLinus Torvalds	  This version of SHA implements a 256 bit hash with 128 bits of
9391da177e4SLinus Torvalds	  security against collision attacks.
9401da177e4SLinus Torvalds
941cd12fb90SJonathan Lynch	  This code also includes SHA-224, a 224 bit hash with 112 bits
942cd12fb90SJonathan Lynch	  of security against collision attacks.
943cd12fb90SJonathan Lynch
9442ecc1e95SMarkus Stockhausenconfig CRYPTO_SHA256_PPC_SPE
9452ecc1e95SMarkus Stockhausen	tristate "SHA224 and SHA256 digest algorithm (PPC SPE)"
9462ecc1e95SMarkus Stockhausen	depends on PPC && SPE
9472ecc1e95SMarkus Stockhausen	select CRYPTO_SHA256
9482ecc1e95SMarkus Stockhausen	select CRYPTO_HASH
9492ecc1e95SMarkus Stockhausen	help
9502ecc1e95SMarkus Stockhausen	  SHA224 and SHA256 secure hash standard (DFIPS 180-2)
9512ecc1e95SMarkus Stockhausen	  implemented using powerpc SPE SIMD instruction set.
9522ecc1e95SMarkus Stockhausen
953efdb6f6eSAaro Koskinenconfig CRYPTO_SHA256_OCTEON
954efdb6f6eSAaro Koskinen	tristate "SHA224 and SHA256 digest algorithm (OCTEON)"
955efdb6f6eSAaro Koskinen	depends on CPU_CAVIUM_OCTEON
956efdb6f6eSAaro Koskinen	select CRYPTO_SHA256
957efdb6f6eSAaro Koskinen	select CRYPTO_HASH
958efdb6f6eSAaro Koskinen	help
959efdb6f6eSAaro Koskinen	  SHA-256 secure hash standard (DFIPS 180-2) implemented
960efdb6f6eSAaro Koskinen	  using OCTEON crypto instructions, when available.
961efdb6f6eSAaro Koskinen
96286c93b24SDavid S. Millerconfig CRYPTO_SHA256_SPARC64
96386c93b24SDavid S. Miller	tristate "SHA224 and SHA256 digest algorithm (SPARC64)"
96486c93b24SDavid S. Miller	depends on SPARC64
96586c93b24SDavid S. Miller	select CRYPTO_SHA256
96686c93b24SDavid S. Miller	select CRYPTO_HASH
96786c93b24SDavid S. Miller	help
96886c93b24SDavid S. Miller	  SHA-256 secure hash standard (DFIPS 180-2) implemented
96986c93b24SDavid S. Miller	  using sparc64 crypto instructions, when available.
97086c93b24SDavid S. Miller
9711da177e4SLinus Torvaldsconfig CRYPTO_SHA512
9721da177e4SLinus Torvalds	tristate "SHA384 and SHA512 digest algorithms"
973bd9d20dbSAdrian-Ken Rueegsegger	select CRYPTO_HASH
9741da177e4SLinus Torvalds	help
9751da177e4SLinus Torvalds	  SHA512 secure hash standard (DFIPS 180-2).
9761da177e4SLinus Torvalds
9771da177e4SLinus Torvalds	  This version of SHA implements a 512 bit hash with 256 bits of
9781da177e4SLinus Torvalds	  security against collision attacks.
9791da177e4SLinus Torvalds
9801da177e4SLinus Torvalds	  This code also includes SHA-384, a 384 bit hash with 192 bits
9811da177e4SLinus Torvalds	  of security against collision attacks.
9821da177e4SLinus Torvalds
983efdb6f6eSAaro Koskinenconfig CRYPTO_SHA512_OCTEON
984efdb6f6eSAaro Koskinen	tristate "SHA384 and SHA512 digest algorithms (OCTEON)"
985efdb6f6eSAaro Koskinen	depends on CPU_CAVIUM_OCTEON
986efdb6f6eSAaro Koskinen	select CRYPTO_SHA512
987efdb6f6eSAaro Koskinen	select CRYPTO_HASH
988efdb6f6eSAaro Koskinen	help
989efdb6f6eSAaro Koskinen	  SHA-512 secure hash standard (DFIPS 180-2) implemented
990efdb6f6eSAaro Koskinen	  using OCTEON crypto instructions, when available.
991efdb6f6eSAaro Koskinen
992775e0c69SDavid S. Millerconfig CRYPTO_SHA512_SPARC64
993775e0c69SDavid S. Miller	tristate "SHA384 and SHA512 digest algorithm (SPARC64)"
994775e0c69SDavid S. Miller	depends on SPARC64
995775e0c69SDavid S. Miller	select CRYPTO_SHA512
996775e0c69SDavid S. Miller	select CRYPTO_HASH
997775e0c69SDavid S. Miller	help
998775e0c69SDavid S. Miller	  SHA-512 secure hash standard (DFIPS 180-2) implemented
999775e0c69SDavid S. Miller	  using sparc64 crypto instructions, when available.
1000775e0c69SDavid S. Miller
100153964b9eSJeff Garzikconfig CRYPTO_SHA3
100253964b9eSJeff Garzik	tristate "SHA3 digest algorithm"
100353964b9eSJeff Garzik	select CRYPTO_HASH
100453964b9eSJeff Garzik	help
100553964b9eSJeff Garzik	  SHA-3 secure hash standard (DFIPS 202). It's based on
100653964b9eSJeff Garzik	  cryptographic sponge function family called Keccak.
100753964b9eSJeff Garzik
100853964b9eSJeff Garzik	  References:
100953964b9eSJeff Garzik	  http://keccak.noekeon.org/
101053964b9eSJeff Garzik
10114f0fc160SGilad Ben-Yossefconfig CRYPTO_SM3
10124f0fc160SGilad Ben-Yossef	tristate "SM3 digest algorithm"
10134f0fc160SGilad Ben-Yossef	select CRYPTO_HASH
10144f0fc160SGilad Ben-Yossef	help
10154f0fc160SGilad Ben-Yossef	  SM3 secure hash function as defined by OSCCA GM/T 0004-2012 SM3).
10164f0fc160SGilad Ben-Yossef	  It is part of the Chinese Commercial Cryptography suite.
10174f0fc160SGilad Ben-Yossef
10184f0fc160SGilad Ben-Yossef	  References:
10194f0fc160SGilad Ben-Yossef	  http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
10204f0fc160SGilad Ben-Yossef	  https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
10214f0fc160SGilad Ben-Yossef
1022fe18957eSVitaly Chikunovconfig CRYPTO_STREEBOG
1023fe18957eSVitaly Chikunov	tristate "Streebog Hash Function"
1024fe18957eSVitaly Chikunov	select CRYPTO_HASH
1025fe18957eSVitaly Chikunov	help
1026fe18957eSVitaly Chikunov	  Streebog Hash Function (GOST R 34.11-2012, RFC 6986) is one of the Russian
1027fe18957eSVitaly Chikunov	  cryptographic standard algorithms (called GOST algorithms).
1028fe18957eSVitaly Chikunov	  This setting enables two hash algorithms with 256 and 512 bits output.
1029fe18957eSVitaly Chikunov
1030fe18957eSVitaly Chikunov	  References:
1031fe18957eSVitaly Chikunov	  https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1032fe18957eSVitaly Chikunov	  https://tools.ietf.org/html/rfc6986
1033fe18957eSVitaly Chikunov
10341da177e4SLinus Torvaldsconfig CRYPTO_TGR192
10351da177e4SLinus Torvalds	tristate "Tiger digest algorithms"
1036f63fbd3dSAdrian-Ken Rueegsegger	select CRYPTO_HASH
10371da177e4SLinus Torvalds	help
10381da177e4SLinus Torvalds	  Tiger hash algorithm 192, 160 and 128-bit hashes
10391da177e4SLinus Torvalds
10401da177e4SLinus Torvalds	  Tiger is a hash function optimized for 64-bit processors while
10411da177e4SLinus Torvalds	  still having decent performance on 32-bit processors.
10421da177e4SLinus Torvalds	  Tiger was developed by Ross Anderson and Eli Biham.
10431da177e4SLinus Torvalds
10441da177e4SLinus Torvalds	  See also:
10451da177e4SLinus Torvalds	  <http://www.cs.technion.ac.il/~biham/Reports/Tiger/>.
10461da177e4SLinus Torvalds
1047584fffc8SSebastian Siewiorconfig CRYPTO_WP512
1048584fffc8SSebastian Siewior	tristate "Whirlpool digest algorithms"
10494946510bSAdrian-Ken Rueegsegger	select CRYPTO_HASH
10501da177e4SLinus Torvalds	help
1051584fffc8SSebastian Siewior	  Whirlpool hash algorithm 512, 384 and 256-bit hashes
10521da177e4SLinus Torvalds
1053584fffc8SSebastian Siewior	  Whirlpool-512 is part of the NESSIE cryptographic primitives.
1054584fffc8SSebastian Siewior	  Whirlpool will be part of the ISO/IEC 10118-3:2003(E) standard
10551da177e4SLinus Torvalds
10561da177e4SLinus Torvalds	  See also:
10576d8de74cSJustin P. Mattock	  <http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html>
10581da177e4SLinus Torvalds
10590e1227d3SHuang Yingconfig CRYPTO_GHASH_CLMUL_NI_INTEL
10600e1227d3SHuang Ying	tristate "GHASH digest algorithm (CLMUL-NI accelerated)"
10618af00860SRichard Weinberger	depends on X86 && 64BIT
10620e1227d3SHuang Ying	select CRYPTO_CRYPTD
10630e1227d3SHuang Ying	help
10640e1227d3SHuang Ying	  GHASH is message digest algorithm for GCM (Galois/Counter Mode).
10650e1227d3SHuang Ying	  The implementation is accelerated by CLMUL-NI of Intel.
10660e1227d3SHuang Ying
1067584fffc8SSebastian Siewiorcomment "Ciphers"
10681da177e4SLinus Torvalds
1069*e59c1c98SArd Biesheuvelconfig CRYPTO_LIB_AES
1070*e59c1c98SArd Biesheuvel	tristate
1071*e59c1c98SArd Biesheuvel
10721da177e4SLinus Torvaldsconfig CRYPTO_AES
10731da177e4SLinus Torvalds	tristate "AES cipher algorithms"
1074cce9e06dSHerbert Xu	select CRYPTO_ALGAPI
10751da177e4SLinus Torvalds	help
10761da177e4SLinus Torvalds	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
10771da177e4SLinus Torvalds	  algorithm.
10781da177e4SLinus Torvalds
10791da177e4SLinus Torvalds	  Rijndael appears to be consistently a very good performer in
10801da177e4SLinus Torvalds	  both hardware and software across a wide range of computing
10811da177e4SLinus Torvalds	  environments regardless of its use in feedback or non-feedback
10821da177e4SLinus Torvalds	  modes. Its key setup time is excellent, and its key agility is
10831da177e4SLinus Torvalds	  good. Rijndael's very low memory requirements make it very well
10841da177e4SLinus Torvalds	  suited for restricted-space environments, in which it also
10851da177e4SLinus Torvalds	  demonstrates excellent performance. Rijndael's operations are
10861da177e4SLinus Torvalds	  among the easiest to defend against power and timing attacks.
10871da177e4SLinus Torvalds
10881da177e4SLinus Torvalds	  The AES specifies three key sizes: 128, 192 and 256 bits
10891da177e4SLinus Torvalds
10901da177e4SLinus Torvalds	  See <http://csrc.nist.gov/CryptoToolkit/aes/> for more information.
10911da177e4SLinus Torvalds
1092b5e0b032SArd Biesheuvelconfig CRYPTO_AES_TI
1093b5e0b032SArd Biesheuvel	tristate "Fixed time AES cipher"
1094b5e0b032SArd Biesheuvel	select CRYPTO_ALGAPI
1095*e59c1c98SArd Biesheuvel	select CRYPTO_LIB_AES
1096b5e0b032SArd Biesheuvel	help
1097b5e0b032SArd Biesheuvel	  This is a generic implementation of AES that attempts to eliminate
1098b5e0b032SArd Biesheuvel	  data dependent latencies as much as possible without affecting
1099b5e0b032SArd Biesheuvel	  performance too much. It is intended for use by the generic CCM
1100b5e0b032SArd Biesheuvel	  and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
1101b5e0b032SArd Biesheuvel	  solely on encryption (although decryption is supported as well, but
1102b5e0b032SArd Biesheuvel	  with a more dramatic performance hit)
1103b5e0b032SArd Biesheuvel
1104b5e0b032SArd Biesheuvel	  Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
1105b5e0b032SArd Biesheuvel	  8 for decryption), this implementation only uses just two S-boxes of
1106b5e0b032SArd Biesheuvel	  256 bytes each, and attempts to eliminate data dependent latencies by
1107b5e0b032SArd Biesheuvel	  prefetching the entire table into the cache at the start of each
11080a6a40c2SEric Biggers	  block. Interrupts are also disabled to avoid races where cachelines
11090a6a40c2SEric Biggers	  are evicted when the CPU is interrupted to do something else.
1110b5e0b032SArd Biesheuvel
11111da177e4SLinus Torvaldsconfig CRYPTO_AES_586
11121da177e4SLinus Torvalds	tristate "AES cipher algorithms (i586)"
1113cce9e06dSHerbert Xu	depends on (X86 || UML_X86) && !64BIT
1114cce9e06dSHerbert Xu	select CRYPTO_ALGAPI
11155157dea8SSebastian Siewior	select CRYPTO_AES
11161da177e4SLinus Torvalds	help
11171da177e4SLinus Torvalds	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
11181da177e4SLinus Torvalds	  algorithm.
11191da177e4SLinus Torvalds
11201da177e4SLinus Torvalds	  Rijndael appears to be consistently a very good performer in
11211da177e4SLinus Torvalds	  both hardware and software across a wide range of computing
11221da177e4SLinus Torvalds	  environments regardless of its use in feedback or non-feedback
11231da177e4SLinus Torvalds	  modes. Its key setup time is excellent, and its key agility is
11241da177e4SLinus Torvalds	  good. Rijndael's very low memory requirements make it very well
11251da177e4SLinus Torvalds	  suited for restricted-space environments, in which it also
11261da177e4SLinus Torvalds	  demonstrates excellent performance. Rijndael's operations are
11271da177e4SLinus Torvalds	  among the easiest to defend against power and timing attacks.
11281da177e4SLinus Torvalds
11291da177e4SLinus Torvalds	  The AES specifies three key sizes: 128, 192 and 256 bits
11301da177e4SLinus Torvalds
11311da177e4SLinus Torvalds	  See <http://csrc.nist.gov/encryption/aes/> for more information.
11321da177e4SLinus Torvalds
1133a2a892a2SAndreas Steinmetzconfig CRYPTO_AES_X86_64
1134a2a892a2SAndreas Steinmetz	tristate "AES cipher algorithms (x86_64)"
1135cce9e06dSHerbert Xu	depends on (X86 || UML_X86) && 64BIT
1136cce9e06dSHerbert Xu	select CRYPTO_ALGAPI
113781190b32SSebastian Siewior	select CRYPTO_AES
1138a2a892a2SAndreas Steinmetz	help
1139a2a892a2SAndreas Steinmetz	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
1140a2a892a2SAndreas Steinmetz	  algorithm.
1141a2a892a2SAndreas Steinmetz
1142a2a892a2SAndreas Steinmetz	  Rijndael appears to be consistently a very good performer in
1143a2a892a2SAndreas Steinmetz	  both hardware and software across a wide range of computing
1144a2a892a2SAndreas Steinmetz	  environments regardless of its use in feedback or non-feedback
1145a2a892a2SAndreas Steinmetz	  modes. Its key setup time is excellent, and its key agility is
1146a2a892a2SAndreas Steinmetz	  good. Rijndael's very low memory requirements make it very well
1147a2a892a2SAndreas Steinmetz	  suited for restricted-space environments, in which it also
1148a2a892a2SAndreas Steinmetz	  demonstrates excellent performance. Rijndael's operations are
1149a2a892a2SAndreas Steinmetz	  among the easiest to defend against power and timing attacks.
1150a2a892a2SAndreas Steinmetz
1151a2a892a2SAndreas Steinmetz	  The AES specifies three key sizes: 128, 192 and 256 bits
1152a2a892a2SAndreas Steinmetz
1153a2a892a2SAndreas Steinmetz	  See <http://csrc.nist.gov/encryption/aes/> for more information.
1154a2a892a2SAndreas Steinmetz
115554b6a1bdSHuang Yingconfig CRYPTO_AES_NI_INTEL
115654b6a1bdSHuang Ying	tristate "AES cipher algorithms (AES-NI)"
11578af00860SRichard Weinberger	depends on X86
115885671860SHerbert Xu	select CRYPTO_AEAD
11590d258efbSMathias Krause	select CRYPTO_AES_X86_64 if 64BIT
11600d258efbSMathias Krause	select CRYPTO_AES_586 if !64BIT
116154b6a1bdSHuang Ying	select CRYPTO_ALGAPI
116285671860SHerbert Xu	select CRYPTO_BLKCIPHER
11637643a11aSJussi Kivilinna	select CRYPTO_GLUE_HELPER_X86 if 64BIT
116485671860SHerbert Xu	select CRYPTO_SIMD
116554b6a1bdSHuang Ying	help
116654b6a1bdSHuang Ying	  Use Intel AES-NI instructions for AES algorithm.
116754b6a1bdSHuang Ying
116854b6a1bdSHuang Ying	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
116954b6a1bdSHuang Ying	  algorithm.
117054b6a1bdSHuang Ying
117154b6a1bdSHuang Ying	  Rijndael appears to be consistently a very good performer in
117254b6a1bdSHuang Ying	  both hardware and software across a wide range of computing
117354b6a1bdSHuang Ying	  environments regardless of its use in feedback or non-feedback
117454b6a1bdSHuang Ying	  modes. Its key setup time is excellent, and its key agility is
117554b6a1bdSHuang Ying	  good. Rijndael's very low memory requirements make it very well
117654b6a1bdSHuang Ying	  suited for restricted-space environments, in which it also
117754b6a1bdSHuang Ying	  demonstrates excellent performance. Rijndael's operations are
117854b6a1bdSHuang Ying	  among the easiest to defend against power and timing attacks.
117954b6a1bdSHuang Ying
118054b6a1bdSHuang Ying	  The AES specifies three key sizes: 128, 192 and 256 bits
118154b6a1bdSHuang Ying
118254b6a1bdSHuang Ying	  See <http://csrc.nist.gov/encryption/aes/> for more information.
118354b6a1bdSHuang Ying
11840d258efbSMathias Krause	  In addition to AES cipher algorithm support, the acceleration
11850d258efbSMathias Krause	  for some popular block cipher mode is supported too, including
1186944585a6SArd Biesheuvel	  ECB, CBC, LRW, XTS. The 64 bit version has additional
11870d258efbSMathias Krause	  acceleration for CTR.
11882cf4ac8bSHuang Ying
11899bf4852dSDavid S. Millerconfig CRYPTO_AES_SPARC64
11909bf4852dSDavid S. Miller	tristate "AES cipher algorithms (SPARC64)"
11919bf4852dSDavid S. Miller	depends on SPARC64
11929bf4852dSDavid S. Miller	select CRYPTO_CRYPTD
11939bf4852dSDavid S. Miller	select CRYPTO_ALGAPI
11949bf4852dSDavid S. Miller	help
11959bf4852dSDavid S. Miller	  Use SPARC64 crypto opcodes for AES algorithm.
11969bf4852dSDavid S. Miller
11979bf4852dSDavid S. Miller	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
11989bf4852dSDavid S. Miller	  algorithm.
11999bf4852dSDavid S. Miller
12009bf4852dSDavid S. Miller	  Rijndael appears to be consistently a very good performer in
12019bf4852dSDavid S. Miller	  both hardware and software across a wide range of computing
12029bf4852dSDavid S. Miller	  environments regardless of its use in feedback or non-feedback
12039bf4852dSDavid S. Miller	  modes. Its key setup time is excellent, and its key agility is
12049bf4852dSDavid S. Miller	  good. Rijndael's very low memory requirements make it very well
12059bf4852dSDavid S. Miller	  suited for restricted-space environments, in which it also
12069bf4852dSDavid S. Miller	  demonstrates excellent performance. Rijndael's operations are
12079bf4852dSDavid S. Miller	  among the easiest to defend against power and timing attacks.
12089bf4852dSDavid S. Miller
12099bf4852dSDavid S. Miller	  The AES specifies three key sizes: 128, 192 and 256 bits
12109bf4852dSDavid S. Miller
12119bf4852dSDavid S. Miller	  See <http://csrc.nist.gov/encryption/aes/> for more information.
12129bf4852dSDavid S. Miller
12139bf4852dSDavid S. Miller	  In addition to AES cipher algorithm support, the acceleration
12149bf4852dSDavid S. Miller	  for some popular block cipher mode is supported too, including
12159bf4852dSDavid S. Miller	  ECB and CBC.
12169bf4852dSDavid S. Miller
1217504c6143SMarkus Stockhausenconfig CRYPTO_AES_PPC_SPE
1218504c6143SMarkus Stockhausen	tristate "AES cipher algorithms (PPC SPE)"
1219504c6143SMarkus Stockhausen	depends on PPC && SPE
1220504c6143SMarkus Stockhausen	help
1221504c6143SMarkus Stockhausen	  AES cipher algorithms (FIPS-197). Additionally the acceleration
1222504c6143SMarkus Stockhausen	  for popular block cipher modes ECB, CBC, CTR and XTS is supported.
1223504c6143SMarkus Stockhausen	  This module should only be used for low power (router) devices
1224504c6143SMarkus Stockhausen	  without hardware AES acceleration (e.g. caam crypto). It reduces the
1225504c6143SMarkus Stockhausen	  size of the AES tables from 16KB to 8KB + 256 bytes and mitigates
1226504c6143SMarkus Stockhausen	  timining attacks. Nevertheless it might be not as secure as other
1227504c6143SMarkus Stockhausen	  architecture specific assembler implementations that work on 1KB
1228504c6143SMarkus Stockhausen	  tables or 256 bytes S-boxes.
1229504c6143SMarkus Stockhausen
12301da177e4SLinus Torvaldsconfig CRYPTO_ANUBIS
12311da177e4SLinus Torvalds	tristate "Anubis cipher algorithm"
1232cce9e06dSHerbert Xu	select CRYPTO_ALGAPI
12331da177e4SLinus Torvalds	help
12341da177e4SLinus Torvalds	  Anubis cipher algorithm.
12351da177e4SLinus Torvalds
12361da177e4SLinus Torvalds	  Anubis is a variable key length cipher which can use keys from
12371da177e4SLinus Torvalds	  128 bits to 320 bits in length.  It was evaluated as a entrant
12381da177e4SLinus Torvalds	  in the NESSIE competition.
12391da177e4SLinus Torvalds
12401da177e4SLinus Torvalds	  See also:
12416d8de74cSJustin P. Mattock	  <https://www.cosic.esat.kuleuven.be/nessie/reports/>
12426d8de74cSJustin P. Mattock	  <http://www.larc.usp.br/~pbarreto/AnubisPage.html>
12431da177e4SLinus Torvalds
1244dc51f257SArd Biesheuvelconfig CRYPTO_LIB_ARC4
1245dc51f257SArd Biesheuvel	tristate
1246dc51f257SArd Biesheuvel
1247584fffc8SSebastian Siewiorconfig CRYPTO_ARC4
1248584fffc8SSebastian Siewior	tristate "ARC4 cipher algorithm"
1249b9b0f080SSebastian Andrzej Siewior	select CRYPTO_BLKCIPHER
1250dc51f257SArd Biesheuvel	select CRYPTO_LIB_ARC4
1251e2ee95b8SHye-Shik Chang	help
1252584fffc8SSebastian Siewior	  ARC4 cipher algorithm.
1253e2ee95b8SHye-Shik Chang
1254584fffc8SSebastian Siewior	  ARC4 is a stream cipher using keys ranging from 8 bits to 2048
1255584fffc8SSebastian Siewior	  bits in length.  This algorithm is required for driver-based
1256584fffc8SSebastian Siewior	  WEP, but it should not be for other purposes because of the
1257584fffc8SSebastian Siewior	  weakness of the algorithm.
1258584fffc8SSebastian Siewior
1259584fffc8SSebastian Siewiorconfig CRYPTO_BLOWFISH
1260584fffc8SSebastian Siewior	tristate "Blowfish cipher algorithm"
1261584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
126252ba867cSJussi Kivilinna	select CRYPTO_BLOWFISH_COMMON
1263584fffc8SSebastian Siewior	help
1264584fffc8SSebastian Siewior	  Blowfish cipher algorithm, by Bruce Schneier.
1265584fffc8SSebastian Siewior
1266584fffc8SSebastian Siewior	  This is a variable key length cipher which can use keys from 32
1267584fffc8SSebastian Siewior	  bits to 448 bits in length.  It's fast, simple and specifically
1268584fffc8SSebastian Siewior	  designed for use on "large microprocessors".
1269e2ee95b8SHye-Shik Chang
1270e2ee95b8SHye-Shik Chang	  See also:
1271584fffc8SSebastian Siewior	  <http://www.schneier.com/blowfish.html>
1272584fffc8SSebastian Siewior
127352ba867cSJussi Kivilinnaconfig CRYPTO_BLOWFISH_COMMON
127452ba867cSJussi Kivilinna	tristate
127552ba867cSJussi Kivilinna	help
127652ba867cSJussi Kivilinna	  Common parts of the Blowfish cipher algorithm shared by the
127752ba867cSJussi Kivilinna	  generic c and the assembler implementations.
127852ba867cSJussi Kivilinna
127952ba867cSJussi Kivilinna	  See also:
128052ba867cSJussi Kivilinna	  <http://www.schneier.com/blowfish.html>
128152ba867cSJussi Kivilinna
128264b94ceaSJussi Kivilinnaconfig CRYPTO_BLOWFISH_X86_64
128364b94ceaSJussi Kivilinna	tristate "Blowfish cipher algorithm (x86_64)"
1284f21a7c19SAl Viro	depends on X86 && 64BIT
1285c1679171SEric Biggers	select CRYPTO_BLKCIPHER
128664b94ceaSJussi Kivilinna	select CRYPTO_BLOWFISH_COMMON
128764b94ceaSJussi Kivilinna	help
128864b94ceaSJussi Kivilinna	  Blowfish cipher algorithm (x86_64), by Bruce Schneier.
128964b94ceaSJussi Kivilinna
129064b94ceaSJussi Kivilinna	  This is a variable key length cipher which can use keys from 32
129164b94ceaSJussi Kivilinna	  bits to 448 bits in length.  It's fast, simple and specifically
129264b94ceaSJussi Kivilinna	  designed for use on "large microprocessors".
129364b94ceaSJussi Kivilinna
129464b94ceaSJussi Kivilinna	  See also:
129564b94ceaSJussi Kivilinna	  <http://www.schneier.com/blowfish.html>
129664b94ceaSJussi Kivilinna
1297584fffc8SSebastian Siewiorconfig CRYPTO_CAMELLIA
1298584fffc8SSebastian Siewior	tristate "Camellia cipher algorithms"
1299584fffc8SSebastian Siewior	depends on CRYPTO
1300584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1301584fffc8SSebastian Siewior	help
1302584fffc8SSebastian Siewior	  Camellia cipher algorithms module.
1303584fffc8SSebastian Siewior
1304584fffc8SSebastian Siewior	  Camellia is a symmetric key block cipher developed jointly
1305584fffc8SSebastian Siewior	  at NTT and Mitsubishi Electric Corporation.
1306584fffc8SSebastian Siewior
1307584fffc8SSebastian Siewior	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1308584fffc8SSebastian Siewior
1309584fffc8SSebastian Siewior	  See also:
1310584fffc8SSebastian Siewior	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1311584fffc8SSebastian Siewior
13120b95ec56SJussi Kivilinnaconfig CRYPTO_CAMELLIA_X86_64
13130b95ec56SJussi Kivilinna	tristate "Camellia cipher algorithm (x86_64)"
1314f21a7c19SAl Viro	depends on X86 && 64BIT
13150b95ec56SJussi Kivilinna	depends on CRYPTO
13161af6d037SEric Biggers	select CRYPTO_BLKCIPHER
1317964263afSJussi Kivilinna	select CRYPTO_GLUE_HELPER_X86
13180b95ec56SJussi Kivilinna	help
13190b95ec56SJussi Kivilinna	  Camellia cipher algorithm module (x86_64).
13200b95ec56SJussi Kivilinna
13210b95ec56SJussi Kivilinna	  Camellia is a symmetric key block cipher developed jointly
13220b95ec56SJussi Kivilinna	  at NTT and Mitsubishi Electric Corporation.
13230b95ec56SJussi Kivilinna
13240b95ec56SJussi Kivilinna	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
13250b95ec56SJussi Kivilinna
13260b95ec56SJussi Kivilinna	  See also:
13270b95ec56SJussi Kivilinna	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
13280b95ec56SJussi Kivilinna
1329d9b1d2e7SJussi Kivilinnaconfig CRYPTO_CAMELLIA_AESNI_AVX_X86_64
1330d9b1d2e7SJussi Kivilinna	tristate "Camellia cipher algorithm (x86_64/AES-NI/AVX)"
1331d9b1d2e7SJussi Kivilinna	depends on X86 && 64BIT
1332d9b1d2e7SJussi Kivilinna	depends on CRYPTO
133344893bc2SEric Biggers	select CRYPTO_BLKCIPHER
1334d9b1d2e7SJussi Kivilinna	select CRYPTO_CAMELLIA_X86_64
133544893bc2SEric Biggers	select CRYPTO_GLUE_HELPER_X86
133644893bc2SEric Biggers	select CRYPTO_SIMD
1337d9b1d2e7SJussi Kivilinna	select CRYPTO_XTS
1338d9b1d2e7SJussi Kivilinna	help
1339d9b1d2e7SJussi Kivilinna	  Camellia cipher algorithm module (x86_64/AES-NI/AVX).
1340d9b1d2e7SJussi Kivilinna
1341d9b1d2e7SJussi Kivilinna	  Camellia is a symmetric key block cipher developed jointly
1342d9b1d2e7SJussi Kivilinna	  at NTT and Mitsubishi Electric Corporation.
1343d9b1d2e7SJussi Kivilinna
1344d9b1d2e7SJussi Kivilinna	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1345d9b1d2e7SJussi Kivilinna
1346d9b1d2e7SJussi Kivilinna	  See also:
1347d9b1d2e7SJussi Kivilinna	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1348d9b1d2e7SJussi Kivilinna
1349f3f935a7SJussi Kivilinnaconfig CRYPTO_CAMELLIA_AESNI_AVX2_X86_64
1350f3f935a7SJussi Kivilinna	tristate "Camellia cipher algorithm (x86_64/AES-NI/AVX2)"
1351f3f935a7SJussi Kivilinna	depends on X86 && 64BIT
1352f3f935a7SJussi Kivilinna	depends on CRYPTO
1353f3f935a7SJussi Kivilinna	select CRYPTO_CAMELLIA_AESNI_AVX_X86_64
1354f3f935a7SJussi Kivilinna	help
1355f3f935a7SJussi Kivilinna	  Camellia cipher algorithm module (x86_64/AES-NI/AVX2).
1356f3f935a7SJussi Kivilinna
1357f3f935a7SJussi Kivilinna	  Camellia is a symmetric key block cipher developed jointly
1358f3f935a7SJussi Kivilinna	  at NTT and Mitsubishi Electric Corporation.
1359f3f935a7SJussi Kivilinna
1360f3f935a7SJussi Kivilinna	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1361f3f935a7SJussi Kivilinna
1362f3f935a7SJussi Kivilinna	  See also:
1363f3f935a7SJussi Kivilinna	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1364f3f935a7SJussi Kivilinna
136581658ad0SDavid S. Millerconfig CRYPTO_CAMELLIA_SPARC64
136681658ad0SDavid S. Miller	tristate "Camellia cipher algorithm (SPARC64)"
136781658ad0SDavid S. Miller	depends on SPARC64
136881658ad0SDavid S. Miller	depends on CRYPTO
136981658ad0SDavid S. Miller	select CRYPTO_ALGAPI
137081658ad0SDavid S. Miller	help
137181658ad0SDavid S. Miller	  Camellia cipher algorithm module (SPARC64).
137281658ad0SDavid S. Miller
137381658ad0SDavid S. Miller	  Camellia is a symmetric key block cipher developed jointly
137481658ad0SDavid S. Miller	  at NTT and Mitsubishi Electric Corporation.
137581658ad0SDavid S. Miller
137681658ad0SDavid S. Miller	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
137781658ad0SDavid S. Miller
137881658ad0SDavid S. Miller	  See also:
137981658ad0SDavid S. Miller	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
138081658ad0SDavid S. Miller
1381044ab525SJussi Kivilinnaconfig CRYPTO_CAST_COMMON
1382044ab525SJussi Kivilinna	tristate
1383044ab525SJussi Kivilinna	help
1384044ab525SJussi Kivilinna	  Common parts of the CAST cipher algorithms shared by the
1385044ab525SJussi Kivilinna	  generic c and the assembler implementations.
1386044ab525SJussi Kivilinna
1387584fffc8SSebastian Siewiorconfig CRYPTO_CAST5
1388584fffc8SSebastian Siewior	tristate "CAST5 (CAST-128) cipher algorithm"
1389584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1390044ab525SJussi Kivilinna	select CRYPTO_CAST_COMMON
1391584fffc8SSebastian Siewior	help
1392584fffc8SSebastian Siewior	  The CAST5 encryption algorithm (synonymous with CAST-128) is
1393584fffc8SSebastian Siewior	  described in RFC2144.
1394584fffc8SSebastian Siewior
13954d6d6a2cSJohannes Goetzfriedconfig CRYPTO_CAST5_AVX_X86_64
13964d6d6a2cSJohannes Goetzfried	tristate "CAST5 (CAST-128) cipher algorithm (x86_64/AVX)"
13974d6d6a2cSJohannes Goetzfried	depends on X86 && 64BIT
13981e63183aSEric Biggers	select CRYPTO_BLKCIPHER
13994d6d6a2cSJohannes Goetzfried	select CRYPTO_CAST5
14001e63183aSEric Biggers	select CRYPTO_CAST_COMMON
14011e63183aSEric Biggers	select CRYPTO_SIMD
14024d6d6a2cSJohannes Goetzfried	help
14034d6d6a2cSJohannes Goetzfried	  The CAST5 encryption algorithm (synonymous with CAST-128) is
14044d6d6a2cSJohannes Goetzfried	  described in RFC2144.
14054d6d6a2cSJohannes Goetzfried
14064d6d6a2cSJohannes Goetzfried	  This module provides the Cast5 cipher algorithm that processes
14074d6d6a2cSJohannes Goetzfried	  sixteen blocks parallel using the AVX instruction set.
14084d6d6a2cSJohannes Goetzfried
1409584fffc8SSebastian Siewiorconfig CRYPTO_CAST6
1410584fffc8SSebastian Siewior	tristate "CAST6 (CAST-256) cipher algorithm"
1411584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1412044ab525SJussi Kivilinna	select CRYPTO_CAST_COMMON
1413584fffc8SSebastian Siewior	help
1414584fffc8SSebastian Siewior	  The CAST6 encryption algorithm (synonymous with CAST-256) is
1415584fffc8SSebastian Siewior	  described in RFC2612.
1416584fffc8SSebastian Siewior
14174ea1277dSJohannes Goetzfriedconfig CRYPTO_CAST6_AVX_X86_64
14184ea1277dSJohannes Goetzfried	tristate "CAST6 (CAST-256) cipher algorithm (x86_64/AVX)"
14194ea1277dSJohannes Goetzfried	depends on X86 && 64BIT
14204bd96924SEric Biggers	select CRYPTO_BLKCIPHER
14214ea1277dSJohannes Goetzfried	select CRYPTO_CAST6
14224bd96924SEric Biggers	select CRYPTO_CAST_COMMON
14234bd96924SEric Biggers	select CRYPTO_GLUE_HELPER_X86
14244bd96924SEric Biggers	select CRYPTO_SIMD
14254ea1277dSJohannes Goetzfried	select CRYPTO_XTS
14264ea1277dSJohannes Goetzfried	help
14274ea1277dSJohannes Goetzfried	  The CAST6 encryption algorithm (synonymous with CAST-256) is
14284ea1277dSJohannes Goetzfried	  described in RFC2612.
14294ea1277dSJohannes Goetzfried
14304ea1277dSJohannes Goetzfried	  This module provides the Cast6 cipher algorithm that processes
14314ea1277dSJohannes Goetzfried	  eight blocks parallel using the AVX instruction set.
14324ea1277dSJohannes Goetzfried
1433584fffc8SSebastian Siewiorconfig CRYPTO_DES
1434584fffc8SSebastian Siewior	tristate "DES and Triple DES EDE cipher algorithms"
1435584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1436584fffc8SSebastian Siewior	help
1437584fffc8SSebastian Siewior	  DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3).
1438584fffc8SSebastian Siewior
1439c5aac2dfSDavid S. Millerconfig CRYPTO_DES_SPARC64
1440c5aac2dfSDavid S. Miller	tristate "DES and Triple DES EDE cipher algorithms (SPARC64)"
144197da37b3SDave Jones	depends on SPARC64
1442c5aac2dfSDavid S. Miller	select CRYPTO_ALGAPI
1443c5aac2dfSDavid S. Miller	select CRYPTO_DES
1444c5aac2dfSDavid S. Miller	help
1445c5aac2dfSDavid S. Miller	  DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3),
1446c5aac2dfSDavid S. Miller	  optimized using SPARC64 crypto opcodes.
1447c5aac2dfSDavid S. Miller
14486574e6c6SJussi Kivilinnaconfig CRYPTO_DES3_EDE_X86_64
14496574e6c6SJussi Kivilinna	tristate "Triple DES EDE cipher algorithm (x86-64)"
14506574e6c6SJussi Kivilinna	depends on X86 && 64BIT
145109c0f03bSEric Biggers	select CRYPTO_BLKCIPHER
14526574e6c6SJussi Kivilinna	select CRYPTO_DES
14536574e6c6SJussi Kivilinna	help
14546574e6c6SJussi Kivilinna	  Triple DES EDE (FIPS 46-3) algorithm.
14556574e6c6SJussi Kivilinna
14566574e6c6SJussi Kivilinna	  This module provides implementation of the Triple DES EDE cipher
14576574e6c6SJussi Kivilinna	  algorithm that is optimized for x86-64 processors. Two versions of
14586574e6c6SJussi Kivilinna	  algorithm are provided; regular processing one input block and
14596574e6c6SJussi Kivilinna	  one that processes three blocks parallel.
14606574e6c6SJussi Kivilinna
1461584fffc8SSebastian Siewiorconfig CRYPTO_FCRYPT
1462584fffc8SSebastian Siewior	tristate "FCrypt cipher algorithm"
1463584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1464584fffc8SSebastian Siewior	select CRYPTO_BLKCIPHER
1465584fffc8SSebastian Siewior	help
1466584fffc8SSebastian Siewior	  FCrypt algorithm used by RxRPC.
1467584fffc8SSebastian Siewior
1468584fffc8SSebastian Siewiorconfig CRYPTO_KHAZAD
1469584fffc8SSebastian Siewior	tristate "Khazad cipher algorithm"
1470584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1471584fffc8SSebastian Siewior	help
1472584fffc8SSebastian Siewior	  Khazad cipher algorithm.
1473584fffc8SSebastian Siewior
1474584fffc8SSebastian Siewior	  Khazad was a finalist in the initial NESSIE competition.  It is
1475584fffc8SSebastian Siewior	  an algorithm optimized for 64-bit processors with good performance
1476584fffc8SSebastian Siewior	  on 32-bit processors.  Khazad uses an 128 bit key size.
1477584fffc8SSebastian Siewior
1478584fffc8SSebastian Siewior	  See also:
14796d8de74cSJustin P. Mattock	  <http://www.larc.usp.br/~pbarreto/KhazadPage.html>
1480e2ee95b8SHye-Shik Chang
14812407d608STan Swee Hengconfig CRYPTO_SALSA20
14823b4afaf2SKees Cook	tristate "Salsa20 stream cipher algorithm"
14832407d608STan Swee Heng	select CRYPTO_BLKCIPHER
14842407d608STan Swee Heng	help
14852407d608STan Swee Heng	  Salsa20 stream cipher algorithm.
14862407d608STan Swee Heng
14872407d608STan Swee Heng	  Salsa20 is a stream cipher submitted to eSTREAM, the ECRYPT
14882407d608STan Swee Heng	  Stream Cipher Project. See <http://www.ecrypt.eu.org/stream/>
14892407d608STan Swee Heng
14902407d608STan Swee Heng	  The Salsa20 stream cipher algorithm is designed by Daniel J.
14912407d608STan Swee Heng	  Bernstein <djb@cr.yp.to>. See <http://cr.yp.to/snuffle.html>
14921da177e4SLinus Torvalds
1493c08d0e64SMartin Williconfig CRYPTO_CHACHA20
1494aa762409SEric Biggers	tristate "ChaCha stream cipher algorithms"
1495c08d0e64SMartin Willi	select CRYPTO_BLKCIPHER
1496c08d0e64SMartin Willi	help
1497aa762409SEric Biggers	  The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms.
1498c08d0e64SMartin Willi
1499c08d0e64SMartin Willi	  ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
1500c08d0e64SMartin Willi	  Bernstein and further specified in RFC7539 for use in IETF protocols.
1501de61d7aeSEric Biggers	  This is the portable C implementation of ChaCha20.  See also:
1502c08d0e64SMartin Willi	  <http://cr.yp.to/chacha/chacha-20080128.pdf>
1503c08d0e64SMartin Willi
1504de61d7aeSEric Biggers	  XChaCha20 is the application of the XSalsa20 construction to ChaCha20
1505de61d7aeSEric Biggers	  rather than to Salsa20.  XChaCha20 extends ChaCha20's nonce length
1506de61d7aeSEric Biggers	  from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
1507de61d7aeSEric Biggers	  while provably retaining ChaCha20's security.  See also:
1508de61d7aeSEric Biggers	  <https://cr.yp.to/snuffle/xsalsa-20081128.pdf>
1509de61d7aeSEric Biggers
1510aa762409SEric Biggers	  XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
1511aa762409SEric Biggers	  reduced security margin but increased performance.  It can be needed
1512aa762409SEric Biggers	  in some performance-sensitive scenarios.
1513aa762409SEric Biggers
1514c9320b6dSMartin Williconfig CRYPTO_CHACHA20_X86_64
15154af78261SEric Biggers	tristate "ChaCha stream cipher algorithms (x86_64/SSSE3/AVX2/AVX-512VL)"
1516c9320b6dSMartin Willi	depends on X86 && 64BIT
1517c9320b6dSMartin Willi	select CRYPTO_BLKCIPHER
1518c9320b6dSMartin Willi	select CRYPTO_CHACHA20
1519c9320b6dSMartin Willi	help
15207a507d62SEric Biggers	  SSSE3, AVX2, and AVX-512VL optimized implementations of the ChaCha20,
15217a507d62SEric Biggers	  XChaCha20, and XChaCha12 stream ciphers.
1522c9320b6dSMartin Willi
1523584fffc8SSebastian Siewiorconfig CRYPTO_SEED
1524584fffc8SSebastian Siewior	tristate "SEED cipher algorithm"
1525584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1526584fffc8SSebastian Siewior	help
1527584fffc8SSebastian Siewior	  SEED cipher algorithm (RFC4269).
1528584fffc8SSebastian Siewior
1529584fffc8SSebastian Siewior	  SEED is a 128-bit symmetric key block cipher that has been
1530584fffc8SSebastian Siewior	  developed by KISA (Korea Information Security Agency) as a
1531584fffc8SSebastian Siewior	  national standard encryption algorithm of the Republic of Korea.
1532584fffc8SSebastian Siewior	  It is a 16 round block cipher with the key size of 128 bit.
1533584fffc8SSebastian Siewior
1534584fffc8SSebastian Siewior	  See also:
1535584fffc8SSebastian Siewior	  <http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp>
1536584fffc8SSebastian Siewior
1537584fffc8SSebastian Siewiorconfig CRYPTO_SERPENT
1538584fffc8SSebastian Siewior	tristate "Serpent cipher algorithm"
1539584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1540584fffc8SSebastian Siewior	help
1541584fffc8SSebastian Siewior	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1542584fffc8SSebastian Siewior
1543584fffc8SSebastian Siewior	  Keys are allowed to be from 0 to 256 bits in length, in steps
1544584fffc8SSebastian Siewior	  of 8 bits.  Also includes the 'Tnepres' algorithm, a reversed
1545584fffc8SSebastian Siewior	  variant of Serpent for compatibility with old kerneli.org code.
1546584fffc8SSebastian Siewior
1547584fffc8SSebastian Siewior	  See also:
1548584fffc8SSebastian Siewior	  <http://www.cl.cam.ac.uk/~rja14/serpent.html>
1549584fffc8SSebastian Siewior
1550937c30d7SJussi Kivilinnaconfig CRYPTO_SERPENT_SSE2_X86_64
1551937c30d7SJussi Kivilinna	tristate "Serpent cipher algorithm (x86_64/SSE2)"
1552937c30d7SJussi Kivilinna	depends on X86 && 64BIT
1553e0f409dcSEric Biggers	select CRYPTO_BLKCIPHER
1554596d8750SJussi Kivilinna	select CRYPTO_GLUE_HELPER_X86
1555937c30d7SJussi Kivilinna	select CRYPTO_SERPENT
1556e0f409dcSEric Biggers	select CRYPTO_SIMD
1557937c30d7SJussi Kivilinna	help
1558937c30d7SJussi Kivilinna	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1559937c30d7SJussi Kivilinna
1560937c30d7SJussi Kivilinna	  Keys are allowed to be from 0 to 256 bits in length, in steps
1561937c30d7SJussi Kivilinna	  of 8 bits.
1562937c30d7SJussi Kivilinna
15631e6232f8SMasanari Iida	  This module provides Serpent cipher algorithm that processes eight
1564937c30d7SJussi Kivilinna	  blocks parallel using SSE2 instruction set.
1565937c30d7SJussi Kivilinna
1566937c30d7SJussi Kivilinna	  See also:
1567937c30d7SJussi Kivilinna	  <http://www.cl.cam.ac.uk/~rja14/serpent.html>
1568937c30d7SJussi Kivilinna
1569251496dbSJussi Kivilinnaconfig CRYPTO_SERPENT_SSE2_586
1570251496dbSJussi Kivilinna	tristate "Serpent cipher algorithm (i586/SSE2)"
1571251496dbSJussi Kivilinna	depends on X86 && !64BIT
1572e0f409dcSEric Biggers	select CRYPTO_BLKCIPHER
1573596d8750SJussi Kivilinna	select CRYPTO_GLUE_HELPER_X86
1574251496dbSJussi Kivilinna	select CRYPTO_SERPENT
1575e0f409dcSEric Biggers	select CRYPTO_SIMD
1576251496dbSJussi Kivilinna	help
1577251496dbSJussi Kivilinna	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1578251496dbSJussi Kivilinna
1579251496dbSJussi Kivilinna	  Keys are allowed to be from 0 to 256 bits in length, in steps
1580251496dbSJussi Kivilinna	  of 8 bits.
1581251496dbSJussi Kivilinna
1582251496dbSJussi Kivilinna	  This module provides Serpent cipher algorithm that processes four
1583251496dbSJussi Kivilinna	  blocks parallel using SSE2 instruction set.
1584251496dbSJussi Kivilinna
1585251496dbSJussi Kivilinna	  See also:
1586251496dbSJussi Kivilinna	  <http://www.cl.cam.ac.uk/~rja14/serpent.html>
1587251496dbSJussi Kivilinna
15887efe4076SJohannes Goetzfriedconfig CRYPTO_SERPENT_AVX_X86_64
15897efe4076SJohannes Goetzfried	tristate "Serpent cipher algorithm (x86_64/AVX)"
15907efe4076SJohannes Goetzfried	depends on X86 && 64BIT
1591e16bf974SEric Biggers	select CRYPTO_BLKCIPHER
15921d0debbdSJussi Kivilinna	select CRYPTO_GLUE_HELPER_X86
15937efe4076SJohannes Goetzfried	select CRYPTO_SERPENT
1594e16bf974SEric Biggers	select CRYPTO_SIMD
15957efe4076SJohannes Goetzfried	select CRYPTO_XTS
15967efe4076SJohannes Goetzfried	help
15977efe4076SJohannes Goetzfried	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
15987efe4076SJohannes Goetzfried
15997efe4076SJohannes Goetzfried	  Keys are allowed to be from 0 to 256 bits in length, in steps
16007efe4076SJohannes Goetzfried	  of 8 bits.
16017efe4076SJohannes Goetzfried
16027efe4076SJohannes Goetzfried	  This module provides the Serpent cipher algorithm that processes
16037efe4076SJohannes Goetzfried	  eight blocks parallel using the AVX instruction set.
16047efe4076SJohannes Goetzfried
16057efe4076SJohannes Goetzfried	  See also:
16067efe4076SJohannes Goetzfried	  <http://www.cl.cam.ac.uk/~rja14/serpent.html>
16077efe4076SJohannes Goetzfried
160856d76c96SJussi Kivilinnaconfig CRYPTO_SERPENT_AVX2_X86_64
160956d76c96SJussi Kivilinna	tristate "Serpent cipher algorithm (x86_64/AVX2)"
161056d76c96SJussi Kivilinna	depends on X86 && 64BIT
161156d76c96SJussi Kivilinna	select CRYPTO_SERPENT_AVX_X86_64
161256d76c96SJussi Kivilinna	help
161356d76c96SJussi Kivilinna	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
161456d76c96SJussi Kivilinna
161556d76c96SJussi Kivilinna	  Keys are allowed to be from 0 to 256 bits in length, in steps
161656d76c96SJussi Kivilinna	  of 8 bits.
161756d76c96SJussi Kivilinna
161856d76c96SJussi Kivilinna	  This module provides Serpent cipher algorithm that processes 16
161956d76c96SJussi Kivilinna	  blocks parallel using AVX2 instruction set.
162056d76c96SJussi Kivilinna
162156d76c96SJussi Kivilinna	  See also:
162256d76c96SJussi Kivilinna	  <http://www.cl.cam.ac.uk/~rja14/serpent.html>
162356d76c96SJussi Kivilinna
1624747c8ce4SGilad Ben-Yossefconfig CRYPTO_SM4
1625747c8ce4SGilad Ben-Yossef	tristate "SM4 cipher algorithm"
1626747c8ce4SGilad Ben-Yossef	select CRYPTO_ALGAPI
1627747c8ce4SGilad Ben-Yossef	help
1628747c8ce4SGilad Ben-Yossef	  SM4 cipher algorithms (OSCCA GB/T 32907-2016).
1629747c8ce4SGilad Ben-Yossef
1630747c8ce4SGilad Ben-Yossef	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
1631747c8ce4SGilad Ben-Yossef	  Organization of State Commercial Administration of China (OSCCA)
1632747c8ce4SGilad Ben-Yossef	  as an authorized cryptographic algorithms for the use within China.
1633747c8ce4SGilad Ben-Yossef
1634747c8ce4SGilad Ben-Yossef	  SMS4 was originally created for use in protecting wireless
1635747c8ce4SGilad Ben-Yossef	  networks, and is mandated in the Chinese National Standard for
1636747c8ce4SGilad Ben-Yossef	  Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
1637747c8ce4SGilad Ben-Yossef	  (GB.15629.11-2003).
1638747c8ce4SGilad Ben-Yossef
1639747c8ce4SGilad Ben-Yossef	  The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
1640747c8ce4SGilad Ben-Yossef	  standardized through TC 260 of the Standardization Administration
1641747c8ce4SGilad Ben-Yossef	  of the People's Republic of China (SAC).
1642747c8ce4SGilad Ben-Yossef
1643747c8ce4SGilad Ben-Yossef	  The input, output, and key of SMS4 are each 128 bits.
1644747c8ce4SGilad Ben-Yossef
1645747c8ce4SGilad Ben-Yossef	  See also: <https://eprint.iacr.org/2008/329.pdf>
1646747c8ce4SGilad Ben-Yossef
1647747c8ce4SGilad Ben-Yossef	  If unsure, say N.
1648747c8ce4SGilad Ben-Yossef
1649584fffc8SSebastian Siewiorconfig CRYPTO_TEA
1650584fffc8SSebastian Siewior	tristate "TEA, XTEA and XETA cipher algorithms"
1651584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1652584fffc8SSebastian Siewior	help
1653584fffc8SSebastian Siewior	  TEA cipher algorithm.
1654584fffc8SSebastian Siewior
1655584fffc8SSebastian Siewior	  Tiny Encryption Algorithm is a simple cipher that uses
1656584fffc8SSebastian Siewior	  many rounds for security.  It is very fast and uses
1657584fffc8SSebastian Siewior	  little memory.
1658584fffc8SSebastian Siewior
1659584fffc8SSebastian Siewior	  Xtendend Tiny Encryption Algorithm is a modification to
1660584fffc8SSebastian Siewior	  the TEA algorithm to address a potential key weakness
1661584fffc8SSebastian Siewior	  in the TEA algorithm.
1662584fffc8SSebastian Siewior
1663584fffc8SSebastian Siewior	  Xtendend Encryption Tiny Algorithm is a mis-implementation
1664584fffc8SSebastian Siewior	  of the XTEA algorithm for compatibility purposes.
1665584fffc8SSebastian Siewior
1666584fffc8SSebastian Siewiorconfig CRYPTO_TWOFISH
1667584fffc8SSebastian Siewior	tristate "Twofish cipher algorithm"
1668584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1669584fffc8SSebastian Siewior	select CRYPTO_TWOFISH_COMMON
1670584fffc8SSebastian Siewior	help
1671584fffc8SSebastian Siewior	  Twofish cipher algorithm.
1672584fffc8SSebastian Siewior
1673584fffc8SSebastian Siewior	  Twofish was submitted as an AES (Advanced Encryption Standard)
1674584fffc8SSebastian Siewior	  candidate cipher by researchers at CounterPane Systems.  It is a
1675584fffc8SSebastian Siewior	  16 round block cipher supporting key sizes of 128, 192, and 256
1676584fffc8SSebastian Siewior	  bits.
1677584fffc8SSebastian Siewior
1678584fffc8SSebastian Siewior	  See also:
1679584fffc8SSebastian Siewior	  <http://www.schneier.com/twofish.html>
1680584fffc8SSebastian Siewior
1681584fffc8SSebastian Siewiorconfig CRYPTO_TWOFISH_COMMON
1682584fffc8SSebastian Siewior	tristate
1683584fffc8SSebastian Siewior	help
1684584fffc8SSebastian Siewior	  Common parts of the Twofish cipher algorithm shared by the
1685584fffc8SSebastian Siewior	  generic c and the assembler implementations.
1686584fffc8SSebastian Siewior
1687584fffc8SSebastian Siewiorconfig CRYPTO_TWOFISH_586
1688584fffc8SSebastian Siewior	tristate "Twofish cipher algorithms (i586)"
1689584fffc8SSebastian Siewior	depends on (X86 || UML_X86) && !64BIT
1690584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1691584fffc8SSebastian Siewior	select CRYPTO_TWOFISH_COMMON
1692584fffc8SSebastian Siewior	help
1693584fffc8SSebastian Siewior	  Twofish cipher algorithm.
1694584fffc8SSebastian Siewior
1695584fffc8SSebastian Siewior	  Twofish was submitted as an AES (Advanced Encryption Standard)
1696584fffc8SSebastian Siewior	  candidate cipher by researchers at CounterPane Systems.  It is a
1697584fffc8SSebastian Siewior	  16 round block cipher supporting key sizes of 128, 192, and 256
1698584fffc8SSebastian Siewior	  bits.
1699584fffc8SSebastian Siewior
1700584fffc8SSebastian Siewior	  See also:
1701584fffc8SSebastian Siewior	  <http://www.schneier.com/twofish.html>
1702584fffc8SSebastian Siewior
1703584fffc8SSebastian Siewiorconfig CRYPTO_TWOFISH_X86_64
1704584fffc8SSebastian Siewior	tristate "Twofish cipher algorithm (x86_64)"
1705584fffc8SSebastian Siewior	depends on (X86 || UML_X86) && 64BIT
1706584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1707584fffc8SSebastian Siewior	select CRYPTO_TWOFISH_COMMON
1708584fffc8SSebastian Siewior	help
1709584fffc8SSebastian Siewior	  Twofish cipher algorithm (x86_64).
1710584fffc8SSebastian Siewior
1711584fffc8SSebastian Siewior	  Twofish was submitted as an AES (Advanced Encryption Standard)
1712584fffc8SSebastian Siewior	  candidate cipher by researchers at CounterPane Systems.  It is a
1713584fffc8SSebastian Siewior	  16 round block cipher supporting key sizes of 128, 192, and 256
1714584fffc8SSebastian Siewior	  bits.
1715584fffc8SSebastian Siewior
1716584fffc8SSebastian Siewior	  See also:
1717584fffc8SSebastian Siewior	  <http://www.schneier.com/twofish.html>
1718584fffc8SSebastian Siewior
17198280daadSJussi Kivilinnaconfig CRYPTO_TWOFISH_X86_64_3WAY
17208280daadSJussi Kivilinna	tristate "Twofish cipher algorithm (x86_64, 3-way parallel)"
1721f21a7c19SAl Viro	depends on X86 && 64BIT
172237992fa4SEric Biggers	select CRYPTO_BLKCIPHER
17238280daadSJussi Kivilinna	select CRYPTO_TWOFISH_COMMON
17248280daadSJussi Kivilinna	select CRYPTO_TWOFISH_X86_64
1725414cb5e7SJussi Kivilinna	select CRYPTO_GLUE_HELPER_X86
17268280daadSJussi Kivilinna	help
17278280daadSJussi Kivilinna	  Twofish cipher algorithm (x86_64, 3-way parallel).
17288280daadSJussi Kivilinna
17298280daadSJussi Kivilinna	  Twofish was submitted as an AES (Advanced Encryption Standard)
17308280daadSJussi Kivilinna	  candidate cipher by researchers at CounterPane Systems.  It is a
17318280daadSJussi Kivilinna	  16 round block cipher supporting key sizes of 128, 192, and 256
17328280daadSJussi Kivilinna	  bits.
17338280daadSJussi Kivilinna
17348280daadSJussi Kivilinna	  This module provides Twofish cipher algorithm that processes three
17358280daadSJussi Kivilinna	  blocks parallel, utilizing resources of out-of-order CPUs better.
17368280daadSJussi Kivilinna
17378280daadSJussi Kivilinna	  See also:
17388280daadSJussi Kivilinna	  <http://www.schneier.com/twofish.html>
17398280daadSJussi Kivilinna
1740107778b5SJohannes Goetzfriedconfig CRYPTO_TWOFISH_AVX_X86_64
1741107778b5SJohannes Goetzfried	tristate "Twofish cipher algorithm (x86_64/AVX)"
1742107778b5SJohannes Goetzfried	depends on X86 && 64BIT
17430e6ab46dSEric Biggers	select CRYPTO_BLKCIPHER
1744a7378d4eSJussi Kivilinna	select CRYPTO_GLUE_HELPER_X86
17450e6ab46dSEric Biggers	select CRYPTO_SIMD
1746107778b5SJohannes Goetzfried	select CRYPTO_TWOFISH_COMMON
1747107778b5SJohannes Goetzfried	select CRYPTO_TWOFISH_X86_64
1748107778b5SJohannes Goetzfried	select CRYPTO_TWOFISH_X86_64_3WAY
1749107778b5SJohannes Goetzfried	help
1750107778b5SJohannes Goetzfried	  Twofish cipher algorithm (x86_64/AVX).
1751107778b5SJohannes Goetzfried
1752107778b5SJohannes Goetzfried	  Twofish was submitted as an AES (Advanced Encryption Standard)
1753107778b5SJohannes Goetzfried	  candidate cipher by researchers at CounterPane Systems.  It is a
1754107778b5SJohannes Goetzfried	  16 round block cipher supporting key sizes of 128, 192, and 256
1755107778b5SJohannes Goetzfried	  bits.
1756107778b5SJohannes Goetzfried
1757107778b5SJohannes Goetzfried	  This module provides the Twofish cipher algorithm that processes
1758107778b5SJohannes Goetzfried	  eight blocks parallel using the AVX Instruction Set.
1759107778b5SJohannes Goetzfried
1760107778b5SJohannes Goetzfried	  See also:
1761107778b5SJohannes Goetzfried	  <http://www.schneier.com/twofish.html>
1762107778b5SJohannes Goetzfried
1763584fffc8SSebastian Siewiorcomment "Compression"
1764584fffc8SSebastian Siewior
17651da177e4SLinus Torvaldsconfig CRYPTO_DEFLATE
17661da177e4SLinus Torvalds	tristate "Deflate compression algorithm"
1767cce9e06dSHerbert Xu	select CRYPTO_ALGAPI
1768f6ded09dSGiovanni Cabiddu	select CRYPTO_ACOMP2
17691da177e4SLinus Torvalds	select ZLIB_INFLATE
17701da177e4SLinus Torvalds	select ZLIB_DEFLATE
17711da177e4SLinus Torvalds	help
17721da177e4SLinus Torvalds	  This is the Deflate algorithm (RFC1951), specified for use in
17731da177e4SLinus Torvalds	  IPSec with the IPCOMP protocol (RFC3173, RFC2394).
17741da177e4SLinus Torvalds
17751da177e4SLinus Torvalds	  You will most probably want this if using IPSec.
17761da177e4SLinus Torvalds
17770b77abb3SZoltan Sogorconfig CRYPTO_LZO
17780b77abb3SZoltan Sogor	tristate "LZO compression algorithm"
17790b77abb3SZoltan Sogor	select CRYPTO_ALGAPI
1780ac9d2c4bSGiovanni Cabiddu	select CRYPTO_ACOMP2
17810b77abb3SZoltan Sogor	select LZO_COMPRESS
17820b77abb3SZoltan Sogor	select LZO_DECOMPRESS
17830b77abb3SZoltan Sogor	help
17840b77abb3SZoltan Sogor	  This is the LZO algorithm.
17850b77abb3SZoltan Sogor
178635a1fc18SSeth Jenningsconfig CRYPTO_842
178735a1fc18SSeth Jennings	tristate "842 compression algorithm"
17882062c5b6SDan Streetman	select CRYPTO_ALGAPI
17896a8de3aeSGiovanni Cabiddu	select CRYPTO_ACOMP2
17902062c5b6SDan Streetman	select 842_COMPRESS
17912062c5b6SDan Streetman	select 842_DECOMPRESS
179235a1fc18SSeth Jennings	help
179335a1fc18SSeth Jennings	  This is the 842 algorithm.
179435a1fc18SSeth Jennings
17950ea8530dSChanho Minconfig CRYPTO_LZ4
17960ea8530dSChanho Min	tristate "LZ4 compression algorithm"
17970ea8530dSChanho Min	select CRYPTO_ALGAPI
17988cd9330eSGiovanni Cabiddu	select CRYPTO_ACOMP2
17990ea8530dSChanho Min	select LZ4_COMPRESS
18000ea8530dSChanho Min	select LZ4_DECOMPRESS
18010ea8530dSChanho Min	help
18020ea8530dSChanho Min	  This is the LZ4 algorithm.
18030ea8530dSChanho Min
18040ea8530dSChanho Minconfig CRYPTO_LZ4HC
18050ea8530dSChanho Min	tristate "LZ4HC compression algorithm"
18060ea8530dSChanho Min	select CRYPTO_ALGAPI
180791d53d96SGiovanni Cabiddu	select CRYPTO_ACOMP2
18080ea8530dSChanho Min	select LZ4HC_COMPRESS
18090ea8530dSChanho Min	select LZ4_DECOMPRESS
18100ea8530dSChanho Min	help
18110ea8530dSChanho Min	  This is the LZ4 high compression mode algorithm.
18120ea8530dSChanho Min
1813d28fc3dbSNick Terrellconfig CRYPTO_ZSTD
1814d28fc3dbSNick Terrell	tristate "Zstd compression algorithm"
1815d28fc3dbSNick Terrell	select CRYPTO_ALGAPI
1816d28fc3dbSNick Terrell	select CRYPTO_ACOMP2
1817d28fc3dbSNick Terrell	select ZSTD_COMPRESS
1818d28fc3dbSNick Terrell	select ZSTD_DECOMPRESS
1819d28fc3dbSNick Terrell	help
1820d28fc3dbSNick Terrell	  This is the zstd algorithm.
1821d28fc3dbSNick Terrell
182217f0f4a4SNeil Hormancomment "Random Number Generation"
182317f0f4a4SNeil Horman
182417f0f4a4SNeil Hormanconfig CRYPTO_ANSI_CPRNG
182517f0f4a4SNeil Horman	tristate "Pseudo Random Number Generation for Cryptographic modules"
182617f0f4a4SNeil Horman	select CRYPTO_AES
182717f0f4a4SNeil Horman	select CRYPTO_RNG
182817f0f4a4SNeil Horman	help
182917f0f4a4SNeil Horman	  This option enables the generic pseudo random number generator
183017f0f4a4SNeil Horman	  for cryptographic modules.  Uses the Algorithm specified in
18317dd607e8SJiri Kosina	  ANSI X9.31 A.2.4. Note that this option must be enabled if
18327dd607e8SJiri Kosina	  CRYPTO_FIPS is selected
183317f0f4a4SNeil Horman
1834f2c89a10SHerbert Xumenuconfig CRYPTO_DRBG_MENU
1835419090c6SStephan Mueller	tristate "NIST SP800-90A DRBG"
1836419090c6SStephan Mueller	help
1837419090c6SStephan Mueller	  NIST SP800-90A compliant DRBG. In the following submenu, one or
1838419090c6SStephan Mueller	  more of the DRBG types must be selected.
1839419090c6SStephan Mueller
1840f2c89a10SHerbert Xuif CRYPTO_DRBG_MENU
1841419090c6SStephan Mueller
1842419090c6SStephan Muellerconfig CRYPTO_DRBG_HMAC
1843401e4238SHerbert Xu	bool
1844419090c6SStephan Mueller	default y
1845419090c6SStephan Mueller	select CRYPTO_HMAC
1846826775bbSHerbert Xu	select CRYPTO_SHA256
1847419090c6SStephan Mueller
1848419090c6SStephan Muellerconfig CRYPTO_DRBG_HASH
1849419090c6SStephan Mueller	bool "Enable Hash DRBG"
1850826775bbSHerbert Xu	select CRYPTO_SHA256
1851419090c6SStephan Mueller	help
1852419090c6SStephan Mueller	  Enable the Hash DRBG variant as defined in NIST SP800-90A.
1853419090c6SStephan Mueller
1854419090c6SStephan Muellerconfig CRYPTO_DRBG_CTR
1855419090c6SStephan Mueller	bool "Enable CTR DRBG"
1856419090c6SStephan Mueller	select CRYPTO_AES
185735591285SStephan Mueller	depends on CRYPTO_CTR
1858419090c6SStephan Mueller	help
1859419090c6SStephan Mueller	  Enable the CTR DRBG variant as defined in NIST SP800-90A.
1860419090c6SStephan Mueller
1861f2c89a10SHerbert Xuconfig CRYPTO_DRBG
1862f2c89a10SHerbert Xu	tristate
1863401e4238SHerbert Xu	default CRYPTO_DRBG_MENU
1864f2c89a10SHerbert Xu	select CRYPTO_RNG
1865bb5530e4SStephan Mueller	select CRYPTO_JITTERENTROPY
1866f2c89a10SHerbert Xu
1867f2c89a10SHerbert Xuendif	# if CRYPTO_DRBG_MENU
1868419090c6SStephan Mueller
1869bb5530e4SStephan Muellerconfig CRYPTO_JITTERENTROPY
1870bb5530e4SStephan Mueller	tristate "Jitterentropy Non-Deterministic Random Number Generator"
18712f313e02SArnd Bergmann	select CRYPTO_RNG
1872bb5530e4SStephan Mueller	help
1873bb5530e4SStephan Mueller	  The Jitterentropy RNG is a noise that is intended
1874bb5530e4SStephan Mueller	  to provide seed to another RNG. The RNG does not
1875bb5530e4SStephan Mueller	  perform any cryptographic whitening of the generated
1876bb5530e4SStephan Mueller	  random numbers. This Jitterentropy RNG registers with
1877bb5530e4SStephan Mueller	  the kernel crypto API and can be used by any caller.
1878bb5530e4SStephan Mueller
187903c8efc1SHerbert Xuconfig CRYPTO_USER_API
188003c8efc1SHerbert Xu	tristate
188103c8efc1SHerbert Xu
1882fe869cdbSHerbert Xuconfig CRYPTO_USER_API_HASH
1883fe869cdbSHerbert Xu	tristate "User-space interface for hash algorithms"
18847451708fSHerbert Xu	depends on NET
1885fe869cdbSHerbert Xu	select CRYPTO_HASH
1886fe869cdbSHerbert Xu	select CRYPTO_USER_API
1887fe869cdbSHerbert Xu	help
1888fe869cdbSHerbert Xu	  This option enables the user-spaces interface for hash
1889fe869cdbSHerbert Xu	  algorithms.
1890fe869cdbSHerbert Xu
18918ff59090SHerbert Xuconfig CRYPTO_USER_API_SKCIPHER
18928ff59090SHerbert Xu	tristate "User-space interface for symmetric key cipher algorithms"
18937451708fSHerbert Xu	depends on NET
18948ff59090SHerbert Xu	select CRYPTO_BLKCIPHER
18958ff59090SHerbert Xu	select CRYPTO_USER_API
18968ff59090SHerbert Xu	help
18978ff59090SHerbert Xu	  This option enables the user-spaces interface for symmetric
18988ff59090SHerbert Xu	  key cipher algorithms.
18998ff59090SHerbert Xu
19002f375538SStephan Muellerconfig CRYPTO_USER_API_RNG
19012f375538SStephan Mueller	tristate "User-space interface for random number generator algorithms"
19022f375538SStephan Mueller	depends on NET
19032f375538SStephan Mueller	select CRYPTO_RNG
19042f375538SStephan Mueller	select CRYPTO_USER_API
19052f375538SStephan Mueller	help
19062f375538SStephan Mueller	  This option enables the user-spaces interface for random
19072f375538SStephan Mueller	  number generator algorithms.
19082f375538SStephan Mueller
1909b64a2d95SHerbert Xuconfig CRYPTO_USER_API_AEAD
1910b64a2d95SHerbert Xu	tristate "User-space interface for AEAD cipher algorithms"
1911b64a2d95SHerbert Xu	depends on NET
1912b64a2d95SHerbert Xu	select CRYPTO_AEAD
191372548b09SStephan Mueller	select CRYPTO_BLKCIPHER
191472548b09SStephan Mueller	select CRYPTO_NULL
1915b64a2d95SHerbert Xu	select CRYPTO_USER_API
1916b64a2d95SHerbert Xu	help
1917b64a2d95SHerbert Xu	  This option enables the user-spaces interface for AEAD
1918b64a2d95SHerbert Xu	  cipher algorithms.
1919b64a2d95SHerbert Xu
1920cac5818cSCorentin Labbeconfig CRYPTO_STATS
1921cac5818cSCorentin Labbe	bool "Crypto usage statistics for User-space"
1922a6a31385SCorentin Labbe	depends on CRYPTO_USER
1923cac5818cSCorentin Labbe	help
1924cac5818cSCorentin Labbe	  This option enables the gathering of crypto stats.
1925cac5818cSCorentin Labbe	  This will collect:
1926cac5818cSCorentin Labbe	  - encrypt/decrypt size and numbers of symmeric operations
1927cac5818cSCorentin Labbe	  - compress/decompress size and numbers of compress operations
1928cac5818cSCorentin Labbe	  - size and numbers of hash operations
1929cac5818cSCorentin Labbe	  - encrypt/decrypt/sign/verify numbers for asymmetric operations
1930cac5818cSCorentin Labbe	  - generate/seed numbers for rng operations
1931cac5818cSCorentin Labbe
1932ee08997fSDmitry Kasatkinconfig CRYPTO_HASH_INFO
1933ee08997fSDmitry Kasatkin	bool
1934ee08997fSDmitry Kasatkin
19351da177e4SLinus Torvaldssource "drivers/crypto/Kconfig"
19368636a1f9SMasahiro Yamadasource "crypto/asymmetric_keys/Kconfig"
19378636a1f9SMasahiro Yamadasource "certs/Kconfig"
19381da177e4SLinus Torvalds
1939cce9e06dSHerbert Xuendif	# if CRYPTO
1940