1b2441318SGreg Kroah-Hartman# SPDX-License-Identifier: GPL-2.0 21da177e4SLinus Torvalds# 3685784aaSDan Williams# Generic algorithms support 4685784aaSDan Williams# 5685784aaSDan Williamsconfig XOR_BLOCKS 6685784aaSDan Williams tristate 7685784aaSDan Williams 8685784aaSDan Williams# 99bc89cd8SDan Williams# async_tx api: hardware offloaded memory transfer/transform support 109bc89cd8SDan Williams# 119bc89cd8SDan Williamssource "crypto/async_tx/Kconfig" 129bc89cd8SDan Williams 139bc89cd8SDan Williams# 141da177e4SLinus Torvalds# Cryptographic API Configuration 151da177e4SLinus Torvalds# 162e290f43SJan Engelhardtmenuconfig CRYPTO 17c3715cb9SSebastian Siewior tristate "Cryptographic API" 187033b937SEric Biggers select CRYPTO_LIB_UTILS 191da177e4SLinus Torvalds help 201da177e4SLinus Torvalds This option provides the core Cryptographic API. 211da177e4SLinus Torvalds 22cce9e06dSHerbert Xuif CRYPTO 23cce9e06dSHerbert Xu 24*f1f142adSRobert Elliottmenu "Crypto core or helper" 25584fffc8SSebastian Siewior 26ccb778e1SNeil Hormanconfig CRYPTO_FIPS 27ccb778e1SNeil Horman bool "FIPS 200 compliance" 28f2c89a10SHerbert Xu depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS 291f696097SAlec Ari depends on (MODULE_SIG || !MODULES) 30ccb778e1SNeil Horman help 31d99324c2SGeert Uytterhoeven This option enables the fips boot option which is 32d99324c2SGeert Uytterhoeven required if you want the system to operate in a FIPS 200 33ccb778e1SNeil Horman certification. You should say no unless you know what 34e84c5480SChuck Ebbert this is. 35ccb778e1SNeil Horman 365a44749fSVladis Dronovconfig CRYPTO_FIPS_NAME 375a44749fSVladis Dronov string "FIPS Module Name" 385a44749fSVladis Dronov default "Linux Kernel Cryptographic API" 395a44749fSVladis Dronov depends on CRYPTO_FIPS 405a44749fSVladis Dronov help 415a44749fSVladis Dronov This option sets the FIPS Module name reported by the Crypto API via 425a44749fSVladis Dronov the /proc/sys/crypto/fips_name file. 435a44749fSVladis Dronov 445a44749fSVladis Dronovconfig CRYPTO_FIPS_CUSTOM_VERSION 455a44749fSVladis Dronov bool "Use Custom FIPS Module Version" 465a44749fSVladis Dronov depends on CRYPTO_FIPS 475a44749fSVladis Dronov default n 485a44749fSVladis Dronov 495a44749fSVladis Dronovconfig CRYPTO_FIPS_VERSION 505a44749fSVladis Dronov string "FIPS Module Version" 515a44749fSVladis Dronov default "(none)" 525a44749fSVladis Dronov depends on CRYPTO_FIPS_CUSTOM_VERSION 535a44749fSVladis Dronov help 545a44749fSVladis Dronov This option provides the ability to override the FIPS Module Version. 555a44749fSVladis Dronov By default the KERNELRELEASE value is used. 565a44749fSVladis Dronov 57cce9e06dSHerbert Xuconfig CRYPTO_ALGAPI 58cce9e06dSHerbert Xu tristate 596a0fcbb4SHerbert Xu select CRYPTO_ALGAPI2 60cce9e06dSHerbert Xu help 61cce9e06dSHerbert Xu This option provides the API for cryptographic algorithms. 62cce9e06dSHerbert Xu 636a0fcbb4SHerbert Xuconfig CRYPTO_ALGAPI2 646a0fcbb4SHerbert Xu tristate 656a0fcbb4SHerbert Xu 661ae97820SHerbert Xuconfig CRYPTO_AEAD 671ae97820SHerbert Xu tristate 686a0fcbb4SHerbert Xu select CRYPTO_AEAD2 691ae97820SHerbert Xu select CRYPTO_ALGAPI 701ae97820SHerbert Xu 716a0fcbb4SHerbert Xuconfig CRYPTO_AEAD2 726a0fcbb4SHerbert Xu tristate 736a0fcbb4SHerbert Xu select CRYPTO_ALGAPI2 74149a3971SHerbert Xu select CRYPTO_NULL2 75149a3971SHerbert Xu select CRYPTO_RNG2 766a0fcbb4SHerbert Xu 77b95bba5dSEric Biggersconfig CRYPTO_SKCIPHER 785cde0af2SHerbert Xu tristate 79b95bba5dSEric Biggers select CRYPTO_SKCIPHER2 805cde0af2SHerbert Xu select CRYPTO_ALGAPI 816a0fcbb4SHerbert Xu 82b95bba5dSEric Biggersconfig CRYPTO_SKCIPHER2 836a0fcbb4SHerbert Xu tristate 846a0fcbb4SHerbert Xu select CRYPTO_ALGAPI2 856a0fcbb4SHerbert Xu select CRYPTO_RNG2 865cde0af2SHerbert Xu 87055bcee3SHerbert Xuconfig CRYPTO_HASH 88055bcee3SHerbert Xu tristate 896a0fcbb4SHerbert Xu select CRYPTO_HASH2 90055bcee3SHerbert Xu select CRYPTO_ALGAPI 91055bcee3SHerbert Xu 926a0fcbb4SHerbert Xuconfig CRYPTO_HASH2 936a0fcbb4SHerbert Xu tristate 946a0fcbb4SHerbert Xu select CRYPTO_ALGAPI2 956a0fcbb4SHerbert Xu 9617f0f4a4SNeil Hormanconfig CRYPTO_RNG 9717f0f4a4SNeil Horman tristate 986a0fcbb4SHerbert Xu select CRYPTO_RNG2 9917f0f4a4SNeil Horman select CRYPTO_ALGAPI 10017f0f4a4SNeil Horman 1016a0fcbb4SHerbert Xuconfig CRYPTO_RNG2 1026a0fcbb4SHerbert Xu tristate 1036a0fcbb4SHerbert Xu select CRYPTO_ALGAPI2 1046a0fcbb4SHerbert Xu 105401e4238SHerbert Xuconfig CRYPTO_RNG_DEFAULT 106401e4238SHerbert Xu tristate 107401e4238SHerbert Xu select CRYPTO_DRBG_MENU 108401e4238SHerbert Xu 1093c339ab8STadeusz Strukconfig CRYPTO_AKCIPHER2 1103c339ab8STadeusz Struk tristate 1113c339ab8STadeusz Struk select CRYPTO_ALGAPI2 1123c339ab8STadeusz Struk 1133c339ab8STadeusz Strukconfig CRYPTO_AKCIPHER 1143c339ab8STadeusz Struk tristate 1153c339ab8STadeusz Struk select CRYPTO_AKCIPHER2 1163c339ab8STadeusz Struk select CRYPTO_ALGAPI 1173c339ab8STadeusz Struk 1184e5f2c40SSalvatore Benedettoconfig CRYPTO_KPP2 1194e5f2c40SSalvatore Benedetto tristate 1204e5f2c40SSalvatore Benedetto select CRYPTO_ALGAPI2 1214e5f2c40SSalvatore Benedetto 1224e5f2c40SSalvatore Benedettoconfig CRYPTO_KPP 1234e5f2c40SSalvatore Benedetto tristate 1244e5f2c40SSalvatore Benedetto select CRYPTO_ALGAPI 1254e5f2c40SSalvatore Benedetto select CRYPTO_KPP2 1264e5f2c40SSalvatore Benedetto 1272ebda74fSGiovanni Cabidduconfig CRYPTO_ACOMP2 1282ebda74fSGiovanni Cabiddu tristate 1292ebda74fSGiovanni Cabiddu select CRYPTO_ALGAPI2 1308cd579d2SBart Van Assche select SGL_ALLOC 1312ebda74fSGiovanni Cabiddu 1322ebda74fSGiovanni Cabidduconfig CRYPTO_ACOMP 1332ebda74fSGiovanni Cabiddu tristate 1342ebda74fSGiovanni Cabiddu select CRYPTO_ALGAPI 1352ebda74fSGiovanni Cabiddu select CRYPTO_ACOMP2 1362ebda74fSGiovanni Cabiddu 1372b8c19dbSHerbert Xuconfig CRYPTO_MANAGER 1382b8c19dbSHerbert Xu tristate "Cryptographic algorithm manager" 1396a0fcbb4SHerbert Xu select CRYPTO_MANAGER2 1402b8c19dbSHerbert Xu help 1412b8c19dbSHerbert Xu Create default cryptographic template instantiations such as 1422b8c19dbSHerbert Xu cbc(aes). 1432b8c19dbSHerbert Xu 1446a0fcbb4SHerbert Xuconfig CRYPTO_MANAGER2 1456a0fcbb4SHerbert Xu def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y) 1466a0fcbb4SHerbert Xu select CRYPTO_AEAD2 1476a0fcbb4SHerbert Xu select CRYPTO_HASH2 148b95bba5dSEric Biggers select CRYPTO_SKCIPHER2 149946cc463STadeusz Struk select CRYPTO_AKCIPHER2 1504e5f2c40SSalvatore Benedetto select CRYPTO_KPP2 1512ebda74fSGiovanni Cabiddu select CRYPTO_ACOMP2 1526a0fcbb4SHerbert Xu 153a38f7907SSteffen Klassertconfig CRYPTO_USER 154a38f7907SSteffen Klassert tristate "Userspace cryptographic algorithm configuration" 1555db017aaSHerbert Xu depends on NET 156a38f7907SSteffen Klassert select CRYPTO_MANAGER 157a38f7907SSteffen Klassert help 158d19978f5SValdis.Kletnieks@vt.edu Userspace configuration for cryptographic instantiations such as 159a38f7907SSteffen Klassert cbc(aes). 160a38f7907SSteffen Klassert 161326a6346SHerbert Xuconfig CRYPTO_MANAGER_DISABLE_TESTS 162326a6346SHerbert Xu bool "Disable run-time self tests" 16300ca28a5SHerbert Xu default y 1640b767f96SAlexander Shishkin help 165326a6346SHerbert Xu Disable run-time self tests that normally take place at 166326a6346SHerbert Xu algorithm registration. 1670b767f96SAlexander Shishkin 1685b2706a4SEric Biggersconfig CRYPTO_MANAGER_EXTRA_TESTS 1695b2706a4SEric Biggers bool "Enable extra run-time crypto self tests" 1706569e309SJason A. Donenfeld depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER 1715b2706a4SEric Biggers help 1725b2706a4SEric Biggers Enable extra run-time self tests of registered crypto algorithms, 1735b2706a4SEric Biggers including randomized fuzz tests. 1745b2706a4SEric Biggers 1755b2706a4SEric Biggers This is intended for developer use only, as these tests take much 1765b2706a4SEric Biggers longer to run than the normal self tests. 1775b2706a4SEric Biggers 178584fffc8SSebastian Siewiorconfig CRYPTO_GF128MUL 179e590e132SEric Biggers tristate 180584fffc8SSebastian Siewior 181584fffc8SSebastian Siewiorconfig CRYPTO_NULL 182584fffc8SSebastian Siewior tristate "Null algorithms" 183149a3971SHerbert Xu select CRYPTO_NULL2 184584fffc8SSebastian Siewior help 185584fffc8SSebastian Siewior These are 'Null' algorithms, used by IPsec, which do nothing. 186584fffc8SSebastian Siewior 187149a3971SHerbert Xuconfig CRYPTO_NULL2 188dd43c4e9SHerbert Xu tristate 189149a3971SHerbert Xu select CRYPTO_ALGAPI2 190b95bba5dSEric Biggers select CRYPTO_SKCIPHER2 191149a3971SHerbert Xu select CRYPTO_HASH2 192149a3971SHerbert Xu 1935068c7a8SSteffen Klassertconfig CRYPTO_PCRYPT 1943b4afaf2SKees Cook tristate "Parallel crypto engine" 1953b4afaf2SKees Cook depends on SMP 1965068c7a8SSteffen Klassert select PADATA 1975068c7a8SSteffen Klassert select CRYPTO_MANAGER 1985068c7a8SSteffen Klassert select CRYPTO_AEAD 1995068c7a8SSteffen Klassert help 2005068c7a8SSteffen Klassert This converts an arbitrary crypto algorithm into a parallel 2015068c7a8SSteffen Klassert algorithm that executes in kernel threads. 2025068c7a8SSteffen Klassert 203584fffc8SSebastian Siewiorconfig CRYPTO_CRYPTD 204584fffc8SSebastian Siewior tristate "Software async crypto daemon" 205b95bba5dSEric Biggers select CRYPTO_SKCIPHER 206b8a28251SLoc Ho select CRYPTO_HASH 207584fffc8SSebastian Siewior select CRYPTO_MANAGER 208584fffc8SSebastian Siewior help 209584fffc8SSebastian Siewior This is a generic software asynchronous crypto daemon that 210584fffc8SSebastian Siewior converts an arbitrary synchronous software crypto algorithm 211584fffc8SSebastian Siewior into an asynchronous algorithm that executes in a kernel thread. 212584fffc8SSebastian Siewior 213584fffc8SSebastian Siewiorconfig CRYPTO_AUTHENC 214584fffc8SSebastian Siewior tristate "Authenc support" 215584fffc8SSebastian Siewior select CRYPTO_AEAD 216b95bba5dSEric Biggers select CRYPTO_SKCIPHER 217584fffc8SSebastian Siewior select CRYPTO_MANAGER 218584fffc8SSebastian Siewior select CRYPTO_HASH 219e94c6a7aSHerbert Xu select CRYPTO_NULL 220584fffc8SSebastian Siewior help 221584fffc8SSebastian Siewior Authenc: Combined mode wrapper for IPsec. 222584fffc8SSebastian Siewior This is required for IPSec. 223584fffc8SSebastian Siewior 224584fffc8SSebastian Siewiorconfig CRYPTO_TEST 225584fffc8SSebastian Siewior tristate "Testing module" 22600ea27f1SArd Biesheuvel depends on m || EXPERT 227da7f033dSHerbert Xu select CRYPTO_MANAGER 228584fffc8SSebastian Siewior help 229584fffc8SSebastian Siewior Quick & dirty crypto test module. 230584fffc8SSebastian Siewior 231266d0516SHerbert Xuconfig CRYPTO_SIMD 232266d0516SHerbert Xu tristate 233266d0516SHerbert Xu select CRYPTO_CRYPTD 234266d0516SHerbert Xu 235735d37b5SBaolin Wangconfig CRYPTO_ENGINE 236735d37b5SBaolin Wang tristate 237735d37b5SBaolin Wang 238*f1f142adSRobert Elliottendmenu 239*f1f142adSRobert Elliott 240*f1f142adSRobert Elliottmenu "Public-key cryptography" 2413d6228a5SVitaly Chikunov 2423d6228a5SVitaly Chikunovconfig CRYPTO_RSA 2433d6228a5SVitaly Chikunov tristate "RSA algorithm" 2443d6228a5SVitaly Chikunov select CRYPTO_AKCIPHER 2453d6228a5SVitaly Chikunov select CRYPTO_MANAGER 2463d6228a5SVitaly Chikunov select MPILIB 2473d6228a5SVitaly Chikunov select ASN1 2483d6228a5SVitaly Chikunov help 2493d6228a5SVitaly Chikunov Generic implementation of the RSA public key algorithm. 2503d6228a5SVitaly Chikunov 2513d6228a5SVitaly Chikunovconfig CRYPTO_DH 2523d6228a5SVitaly Chikunov tristate "Diffie-Hellman algorithm" 2533d6228a5SVitaly Chikunov select CRYPTO_KPP 2543d6228a5SVitaly Chikunov select MPILIB 2553d6228a5SVitaly Chikunov help 2563d6228a5SVitaly Chikunov Generic implementation of the Diffie-Hellman algorithm. 2573d6228a5SVitaly Chikunov 2587dce5981SNicolai Stangeconfig CRYPTO_DH_RFC7919_GROUPS 2597dce5981SNicolai Stange bool "Support for RFC 7919 FFDHE group parameters" 2607dce5981SNicolai Stange depends on CRYPTO_DH 2611e207964SNicolai Stange select CRYPTO_RNG_DEFAULT 2627dce5981SNicolai Stange help 2637dce5981SNicolai Stange Provide support for RFC 7919 FFDHE group parameters. If unsure, say N. 2647dce5981SNicolai Stange 2654a2289daSVitaly Chikunovconfig CRYPTO_ECC 2664a2289daSVitaly Chikunov tristate 26738aa192aSArnd Bergmann select CRYPTO_RNG_DEFAULT 2684a2289daSVitaly Chikunov 2693d6228a5SVitaly Chikunovconfig CRYPTO_ECDH 2703d6228a5SVitaly Chikunov tristate "ECDH algorithm" 2714a2289daSVitaly Chikunov select CRYPTO_ECC 2723d6228a5SVitaly Chikunov select CRYPTO_KPP 2733d6228a5SVitaly Chikunov help 2743d6228a5SVitaly Chikunov Generic implementation of the ECDH algorithm 2753d6228a5SVitaly Chikunov 2764e660291SStefan Bergerconfig CRYPTO_ECDSA 2774e660291SStefan Berger tristate "ECDSA (NIST P192, P256 etc.) algorithm" 2784e660291SStefan Berger select CRYPTO_ECC 2794e660291SStefan Berger select CRYPTO_AKCIPHER 2804e660291SStefan Berger select ASN1 2814e660291SStefan Berger help 2824e660291SStefan Berger Elliptic Curve Digital Signature Algorithm (NIST P192, P256 etc.) 2834e660291SStefan Berger is A NIST cryptographic standard algorithm. Only signature verification 2844e660291SStefan Berger is implemented. 2854e660291SStefan Berger 2860d7a7864SVitaly Chikunovconfig CRYPTO_ECRDSA 2870d7a7864SVitaly Chikunov tristate "EC-RDSA (GOST 34.10) algorithm" 2880d7a7864SVitaly Chikunov select CRYPTO_ECC 2890d7a7864SVitaly Chikunov select CRYPTO_AKCIPHER 2900d7a7864SVitaly Chikunov select CRYPTO_STREEBOG 2911036633eSVitaly Chikunov select OID_REGISTRY 2921036633eSVitaly Chikunov select ASN1 2930d7a7864SVitaly Chikunov help 2940d7a7864SVitaly Chikunov Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012, 2950d7a7864SVitaly Chikunov RFC 7091, ISO/IEC 14888-3:2018) is one of the Russian cryptographic 2960d7a7864SVitaly Chikunov standard algorithms (called GOST algorithms). Only signature verification 2970d7a7864SVitaly Chikunov is implemented. 2980d7a7864SVitaly Chikunov 299ea7ecb66STianjia Zhangconfig CRYPTO_SM2 300ea7ecb66STianjia Zhang tristate "SM2 algorithm" 301d2825fa9SJason A. Donenfeld select CRYPTO_SM3 302ea7ecb66STianjia Zhang select CRYPTO_AKCIPHER 303ea7ecb66STianjia Zhang select CRYPTO_MANAGER 304ea7ecb66STianjia Zhang select MPILIB 305ea7ecb66STianjia Zhang select ASN1 306ea7ecb66STianjia Zhang help 307ea7ecb66STianjia Zhang Generic implementation of the SM2 public key algorithm. It was 308ea7ecb66STianjia Zhang published by State Encryption Management Bureau, China. 309ea7ecb66STianjia Zhang as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012. 310ea7ecb66STianjia Zhang 311ea7ecb66STianjia Zhang References: 312ea7ecb66STianjia Zhang https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02 313ea7ecb66STianjia Zhang http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml 314ea7ecb66STianjia Zhang http://www.gmbz.org.cn/main/bzlb.html 315ea7ecb66STianjia Zhang 316ee772cb6SArd Biesheuvelconfig CRYPTO_CURVE25519 317ee772cb6SArd Biesheuvel tristate "Curve25519 algorithm" 318ee772cb6SArd Biesheuvel select CRYPTO_KPP 319ee772cb6SArd Biesheuvel select CRYPTO_LIB_CURVE25519_GENERIC 320ee772cb6SArd Biesheuvel 321*f1f142adSRobert Elliottendmenu 322584fffc8SSebastian Siewior 323*f1f142adSRobert Elliottmenu "Block ciphers" 3241da177e4SLinus Torvalds 3251da177e4SLinus Torvaldsconfig CRYPTO_AES 3261da177e4SLinus Torvalds tristate "AES cipher algorithms" 327cce9e06dSHerbert Xu select CRYPTO_ALGAPI 3285bb12d78SArd Biesheuvel select CRYPTO_LIB_AES 3291da177e4SLinus Torvalds help 3301da177e4SLinus Torvalds AES cipher algorithms (FIPS-197). AES uses the Rijndael 3311da177e4SLinus Torvalds algorithm. 3321da177e4SLinus Torvalds 3331da177e4SLinus Torvalds Rijndael appears to be consistently a very good performer in 3341da177e4SLinus Torvalds both hardware and software across a wide range of computing 3351da177e4SLinus Torvalds environments regardless of its use in feedback or non-feedback 3361da177e4SLinus Torvalds modes. Its key setup time is excellent, and its key agility is 3371da177e4SLinus Torvalds good. Rijndael's very low memory requirements make it very well 3381da177e4SLinus Torvalds suited for restricted-space environments, in which it also 3391da177e4SLinus Torvalds demonstrates excellent performance. Rijndael's operations are 3401da177e4SLinus Torvalds among the easiest to defend against power and timing attacks. 3411da177e4SLinus Torvalds 3421da177e4SLinus Torvalds The AES specifies three key sizes: 128, 192 and 256 bits 3431da177e4SLinus Torvalds 3441da177e4SLinus Torvalds See <http://csrc.nist.gov/CryptoToolkit/aes/> for more information. 3451da177e4SLinus Torvalds 346b5e0b032SArd Biesheuvelconfig CRYPTO_AES_TI 347b5e0b032SArd Biesheuvel tristate "Fixed time AES cipher" 348b5e0b032SArd Biesheuvel select CRYPTO_ALGAPI 349e59c1c98SArd Biesheuvel select CRYPTO_LIB_AES 350b5e0b032SArd Biesheuvel help 351b5e0b032SArd Biesheuvel This is a generic implementation of AES that attempts to eliminate 352b5e0b032SArd Biesheuvel data dependent latencies as much as possible without affecting 353b5e0b032SArd Biesheuvel performance too much. It is intended for use by the generic CCM 354b5e0b032SArd Biesheuvel and GCM drivers, and other CTR or CMAC/XCBC based modes that rely 355b5e0b032SArd Biesheuvel solely on encryption (although decryption is supported as well, but 356b5e0b032SArd Biesheuvel with a more dramatic performance hit) 357b5e0b032SArd Biesheuvel 358b5e0b032SArd Biesheuvel Instead of using 16 lookup tables of 1 KB each, (8 for encryption and 359b5e0b032SArd Biesheuvel 8 for decryption), this implementation only uses just two S-boxes of 360b5e0b032SArd Biesheuvel 256 bytes each, and attempts to eliminate data dependent latencies by 361b5e0b032SArd Biesheuvel prefetching the entire table into the cache at the start of each 3620a6a40c2SEric Biggers block. Interrupts are also disabled to avoid races where cachelines 3630a6a40c2SEric Biggers are evicted when the CPU is interrupted to do something else. 364b5e0b032SArd Biesheuvel 3651da177e4SLinus Torvaldsconfig CRYPTO_ANUBIS 3661da177e4SLinus Torvalds tristate "Anubis cipher algorithm" 3671674aea5SArd Biesheuvel depends on CRYPTO_USER_API_ENABLE_OBSOLETE 368cce9e06dSHerbert Xu select CRYPTO_ALGAPI 3691da177e4SLinus Torvalds help 3701da177e4SLinus Torvalds Anubis cipher algorithm. 3711da177e4SLinus Torvalds 3721da177e4SLinus Torvalds Anubis is a variable key length cipher which can use keys from 3731da177e4SLinus Torvalds 128 bits to 320 bits in length. It was evaluated as a entrant 3741da177e4SLinus Torvalds in the NESSIE competition. 3751da177e4SLinus Torvalds 3761da177e4SLinus Torvalds See also: 3776d8de74cSJustin P. Mattock <https://www.cosic.esat.kuleuven.be/nessie/reports/> 3786d8de74cSJustin P. Mattock <http://www.larc.usp.br/~pbarreto/AnubisPage.html> 3791da177e4SLinus Torvalds 380*f1f142adSRobert Elliottconfig CRYPTO_ARIA 381*f1f142adSRobert Elliott tristate "ARIA cipher algorithm" 382*f1f142adSRobert Elliott select CRYPTO_ALGAPI 383e2ee95b8SHye-Shik Chang help 384*f1f142adSRobert Elliott ARIA cipher algorithm (RFC5794). 385e2ee95b8SHye-Shik Chang 386*f1f142adSRobert Elliott ARIA is a standard encryption algorithm of the Republic of Korea. 387*f1f142adSRobert Elliott The ARIA specifies three key sizes and rounds. 388*f1f142adSRobert Elliott 128-bit: 12 rounds. 389*f1f142adSRobert Elliott 192-bit: 14 rounds. 390*f1f142adSRobert Elliott 256-bit: 16 rounds. 391*f1f142adSRobert Elliott 392*f1f142adSRobert Elliott See also: 393*f1f142adSRobert Elliott <https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do> 394584fffc8SSebastian Siewior 395584fffc8SSebastian Siewiorconfig CRYPTO_BLOWFISH 396584fffc8SSebastian Siewior tristate "Blowfish cipher algorithm" 397584fffc8SSebastian Siewior select CRYPTO_ALGAPI 39852ba867cSJussi Kivilinna select CRYPTO_BLOWFISH_COMMON 399584fffc8SSebastian Siewior help 400584fffc8SSebastian Siewior Blowfish cipher algorithm, by Bruce Schneier. 401584fffc8SSebastian Siewior 402584fffc8SSebastian Siewior This is a variable key length cipher which can use keys from 32 403584fffc8SSebastian Siewior bits to 448 bits in length. It's fast, simple and specifically 404584fffc8SSebastian Siewior designed for use on "large microprocessors". 405e2ee95b8SHye-Shik Chang 406e2ee95b8SHye-Shik Chang See also: 4079332a9e7SAlexander A. Klimov <https://www.schneier.com/blowfish.html> 408584fffc8SSebastian Siewior 40952ba867cSJussi Kivilinnaconfig CRYPTO_BLOWFISH_COMMON 41052ba867cSJussi Kivilinna tristate 41152ba867cSJussi Kivilinna help 41252ba867cSJussi Kivilinna Common parts of the Blowfish cipher algorithm shared by the 41352ba867cSJussi Kivilinna generic c and the assembler implementations. 41452ba867cSJussi Kivilinna 41552ba867cSJussi Kivilinna See also: 4169332a9e7SAlexander A. Klimov <https://www.schneier.com/blowfish.html> 41752ba867cSJussi Kivilinna 418584fffc8SSebastian Siewiorconfig CRYPTO_CAMELLIA 419584fffc8SSebastian Siewior tristate "Camellia cipher algorithms" 420584fffc8SSebastian Siewior select CRYPTO_ALGAPI 421584fffc8SSebastian Siewior help 422584fffc8SSebastian Siewior Camellia cipher algorithms module. 423584fffc8SSebastian Siewior 424584fffc8SSebastian Siewior Camellia is a symmetric key block cipher developed jointly 425584fffc8SSebastian Siewior at NTT and Mitsubishi Electric Corporation. 426584fffc8SSebastian Siewior 427584fffc8SSebastian Siewior The Camellia specifies three key sizes: 128, 192 and 256 bits. 428584fffc8SSebastian Siewior 429584fffc8SSebastian Siewior See also: 430584fffc8SSebastian Siewior <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html> 431584fffc8SSebastian Siewior 432044ab525SJussi Kivilinnaconfig CRYPTO_CAST_COMMON 433044ab525SJussi Kivilinna tristate 434044ab525SJussi Kivilinna help 435044ab525SJussi Kivilinna Common parts of the CAST cipher algorithms shared by the 436044ab525SJussi Kivilinna generic c and the assembler implementations. 437044ab525SJussi Kivilinna 438584fffc8SSebastian Siewiorconfig CRYPTO_CAST5 439584fffc8SSebastian Siewior tristate "CAST5 (CAST-128) cipher algorithm" 440584fffc8SSebastian Siewior select CRYPTO_ALGAPI 441044ab525SJussi Kivilinna select CRYPTO_CAST_COMMON 442584fffc8SSebastian Siewior help 443584fffc8SSebastian Siewior The CAST5 encryption algorithm (synonymous with CAST-128) is 444584fffc8SSebastian Siewior described in RFC2144. 445584fffc8SSebastian Siewior 446584fffc8SSebastian Siewiorconfig CRYPTO_CAST6 447584fffc8SSebastian Siewior tristate "CAST6 (CAST-256) cipher algorithm" 448584fffc8SSebastian Siewior select CRYPTO_ALGAPI 449044ab525SJussi Kivilinna select CRYPTO_CAST_COMMON 450584fffc8SSebastian Siewior help 451584fffc8SSebastian Siewior The CAST6 encryption algorithm (synonymous with CAST-256) is 452584fffc8SSebastian Siewior described in RFC2612. 453584fffc8SSebastian Siewior 454584fffc8SSebastian Siewiorconfig CRYPTO_DES 455584fffc8SSebastian Siewior tristate "DES and Triple DES EDE cipher algorithms" 456584fffc8SSebastian Siewior select CRYPTO_ALGAPI 45704007b0eSArd Biesheuvel select CRYPTO_LIB_DES 458584fffc8SSebastian Siewior help 459584fffc8SSebastian Siewior DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3). 460584fffc8SSebastian Siewior 461584fffc8SSebastian Siewiorconfig CRYPTO_FCRYPT 462584fffc8SSebastian Siewior tristate "FCrypt cipher algorithm" 463584fffc8SSebastian Siewior select CRYPTO_ALGAPI 464b95bba5dSEric Biggers select CRYPTO_SKCIPHER 465584fffc8SSebastian Siewior help 466584fffc8SSebastian Siewior FCrypt algorithm used by RxRPC. 467584fffc8SSebastian Siewior 468584fffc8SSebastian Siewiorconfig CRYPTO_KHAZAD 469584fffc8SSebastian Siewior tristate "Khazad cipher algorithm" 4701674aea5SArd Biesheuvel depends on CRYPTO_USER_API_ENABLE_OBSOLETE 471584fffc8SSebastian Siewior select CRYPTO_ALGAPI 472584fffc8SSebastian Siewior help 473584fffc8SSebastian Siewior Khazad cipher algorithm. 474584fffc8SSebastian Siewior 475584fffc8SSebastian Siewior Khazad was a finalist in the initial NESSIE competition. It is 476584fffc8SSebastian Siewior an algorithm optimized for 64-bit processors with good performance 477584fffc8SSebastian Siewior on 32-bit processors. Khazad uses an 128 bit key size. 478584fffc8SSebastian Siewior 479584fffc8SSebastian Siewior See also: 4806d8de74cSJustin P. Mattock <http://www.larc.usp.br/~pbarreto/KhazadPage.html> 481e2ee95b8SHye-Shik Chang 482584fffc8SSebastian Siewiorconfig CRYPTO_SEED 483584fffc8SSebastian Siewior tristate "SEED cipher algorithm" 4841674aea5SArd Biesheuvel depends on CRYPTO_USER_API_ENABLE_OBSOLETE 485584fffc8SSebastian Siewior select CRYPTO_ALGAPI 486584fffc8SSebastian Siewior help 487584fffc8SSebastian Siewior SEED cipher algorithm (RFC4269). 488584fffc8SSebastian Siewior 489584fffc8SSebastian Siewior SEED is a 128-bit symmetric key block cipher that has been 490584fffc8SSebastian Siewior developed by KISA (Korea Information Security Agency) as a 491584fffc8SSebastian Siewior national standard encryption algorithm of the Republic of Korea. 492584fffc8SSebastian Siewior It is a 16 round block cipher with the key size of 128 bit. 493584fffc8SSebastian Siewior 494584fffc8SSebastian Siewior See also: 495584fffc8SSebastian Siewior <http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp> 496584fffc8SSebastian Siewior 497584fffc8SSebastian Siewiorconfig CRYPTO_SERPENT 498584fffc8SSebastian Siewior tristate "Serpent cipher algorithm" 499584fffc8SSebastian Siewior select CRYPTO_ALGAPI 500584fffc8SSebastian Siewior help 501584fffc8SSebastian Siewior Serpent cipher algorithm, by Anderson, Biham & Knudsen. 502584fffc8SSebastian Siewior 503584fffc8SSebastian Siewior Keys are allowed to be from 0 to 256 bits in length, in steps 504784506a1SArd Biesheuvel of 8 bits. 505584fffc8SSebastian Siewior 506584fffc8SSebastian Siewior See also: 5079332a9e7SAlexander A. Klimov <https://www.cl.cam.ac.uk/~rja14/serpent.html> 508584fffc8SSebastian Siewior 509747c8ce4SGilad Ben-Yossefconfig CRYPTO_SM4 510d2825fa9SJason A. Donenfeld tristate 511d2825fa9SJason A. Donenfeld 512d2825fa9SJason A. Donenfeldconfig CRYPTO_SM4_GENERIC 513747c8ce4SGilad Ben-Yossef tristate "SM4 cipher algorithm" 514747c8ce4SGilad Ben-Yossef select CRYPTO_ALGAPI 515d2825fa9SJason A. Donenfeld select CRYPTO_SM4 516747c8ce4SGilad Ben-Yossef help 517747c8ce4SGilad Ben-Yossef SM4 cipher algorithms (OSCCA GB/T 32907-2016). 518747c8ce4SGilad Ben-Yossef 519747c8ce4SGilad Ben-Yossef SM4 (GBT.32907-2016) is a cryptographic standard issued by the 520747c8ce4SGilad Ben-Yossef Organization of State Commercial Administration of China (OSCCA) 521747c8ce4SGilad Ben-Yossef as an authorized cryptographic algorithms for the use within China. 522747c8ce4SGilad Ben-Yossef 523747c8ce4SGilad Ben-Yossef SMS4 was originally created for use in protecting wireless 524747c8ce4SGilad Ben-Yossef networks, and is mandated in the Chinese National Standard for 525747c8ce4SGilad Ben-Yossef Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure) 526747c8ce4SGilad Ben-Yossef (GB.15629.11-2003). 527747c8ce4SGilad Ben-Yossef 528747c8ce4SGilad Ben-Yossef The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and 529747c8ce4SGilad Ben-Yossef standardized through TC 260 of the Standardization Administration 530747c8ce4SGilad Ben-Yossef of the People's Republic of China (SAC). 531747c8ce4SGilad Ben-Yossef 532747c8ce4SGilad Ben-Yossef The input, output, and key of SMS4 are each 128 bits. 533747c8ce4SGilad Ben-Yossef 534747c8ce4SGilad Ben-Yossef See also: <https://eprint.iacr.org/2008/329.pdf> 535747c8ce4SGilad Ben-Yossef 536747c8ce4SGilad Ben-Yossef If unsure, say N. 537747c8ce4SGilad Ben-Yossef 538584fffc8SSebastian Siewiorconfig CRYPTO_TEA 539584fffc8SSebastian Siewior tristate "TEA, XTEA and XETA cipher algorithms" 5401674aea5SArd Biesheuvel depends on CRYPTO_USER_API_ENABLE_OBSOLETE 541584fffc8SSebastian Siewior select CRYPTO_ALGAPI 542584fffc8SSebastian Siewior help 543584fffc8SSebastian Siewior TEA cipher algorithm. 544584fffc8SSebastian Siewior 545584fffc8SSebastian Siewior Tiny Encryption Algorithm is a simple cipher that uses 546584fffc8SSebastian Siewior many rounds for security. It is very fast and uses 547584fffc8SSebastian Siewior little memory. 548584fffc8SSebastian Siewior 549584fffc8SSebastian Siewior Xtendend Tiny Encryption Algorithm is a modification to 550584fffc8SSebastian Siewior the TEA algorithm to address a potential key weakness 551584fffc8SSebastian Siewior in the TEA algorithm. 552584fffc8SSebastian Siewior 553584fffc8SSebastian Siewior Xtendend Encryption Tiny Algorithm is a mis-implementation 554584fffc8SSebastian Siewior of the XTEA algorithm for compatibility purposes. 555584fffc8SSebastian Siewior 556584fffc8SSebastian Siewiorconfig CRYPTO_TWOFISH 557584fffc8SSebastian Siewior tristate "Twofish cipher algorithm" 558584fffc8SSebastian Siewior select CRYPTO_ALGAPI 559584fffc8SSebastian Siewior select CRYPTO_TWOFISH_COMMON 560584fffc8SSebastian Siewior help 561584fffc8SSebastian Siewior Twofish cipher algorithm. 562584fffc8SSebastian Siewior 563584fffc8SSebastian Siewior Twofish was submitted as an AES (Advanced Encryption Standard) 564584fffc8SSebastian Siewior candidate cipher by researchers at CounterPane Systems. It is a 565584fffc8SSebastian Siewior 16 round block cipher supporting key sizes of 128, 192, and 256 566584fffc8SSebastian Siewior bits. 567584fffc8SSebastian Siewior 568584fffc8SSebastian Siewior See also: 5699332a9e7SAlexander A. Klimov <https://www.schneier.com/twofish.html> 570584fffc8SSebastian Siewior 571584fffc8SSebastian Siewiorconfig CRYPTO_TWOFISH_COMMON 572584fffc8SSebastian Siewior tristate 573584fffc8SSebastian Siewior help 574584fffc8SSebastian Siewior Common parts of the Twofish cipher algorithm shared by the 575584fffc8SSebastian Siewior generic c and the assembler implementations. 576584fffc8SSebastian Siewior 577*f1f142adSRobert Elliottendmenu 578*f1f142adSRobert Elliott 579*f1f142adSRobert Elliottmenu "Length-preserving ciphers and modes" 580*f1f142adSRobert Elliott 581*f1f142adSRobert Elliottconfig CRYPTO_ADIANTUM 582*f1f142adSRobert Elliott tristate "Adiantum support" 583*f1f142adSRobert Elliott select CRYPTO_CHACHA20 584*f1f142adSRobert Elliott select CRYPTO_LIB_POLY1305_GENERIC 585*f1f142adSRobert Elliott select CRYPTO_NHPOLY1305 586*f1f142adSRobert Elliott select CRYPTO_MANAGER 587*f1f142adSRobert Elliott help 588*f1f142adSRobert Elliott Adiantum is a tweakable, length-preserving encryption mode 589*f1f142adSRobert Elliott designed for fast and secure disk encryption, especially on 590*f1f142adSRobert Elliott CPUs without dedicated crypto instructions. It encrypts 591*f1f142adSRobert Elliott each sector using the XChaCha12 stream cipher, two passes of 592*f1f142adSRobert Elliott an ε-almost-∆-universal hash function, and an invocation of 593*f1f142adSRobert Elliott the AES-256 block cipher on a single 16-byte block. On CPUs 594*f1f142adSRobert Elliott without AES instructions, Adiantum is much faster than 595*f1f142adSRobert Elliott AES-XTS. 596*f1f142adSRobert Elliott 597*f1f142adSRobert Elliott Adiantum's security is provably reducible to that of its 598*f1f142adSRobert Elliott underlying stream and block ciphers, subject to a security 599*f1f142adSRobert Elliott bound. Unlike XTS, Adiantum is a true wide-block encryption 600*f1f142adSRobert Elliott mode, so it actually provides an even stronger notion of 601*f1f142adSRobert Elliott security than XTS, subject to the security bound. 602*f1f142adSRobert Elliott 603*f1f142adSRobert Elliott If unsure, say N. 604*f1f142adSRobert Elliott 605*f1f142adSRobert Elliottconfig CRYPTO_ARC4 606*f1f142adSRobert Elliott tristate "ARC4 cipher algorithm" 607*f1f142adSRobert Elliott depends on CRYPTO_USER_API_ENABLE_OBSOLETE 608*f1f142adSRobert Elliott select CRYPTO_SKCIPHER 609*f1f142adSRobert Elliott select CRYPTO_LIB_ARC4 610*f1f142adSRobert Elliott help 611*f1f142adSRobert Elliott ARC4 cipher algorithm. 612*f1f142adSRobert Elliott 613*f1f142adSRobert Elliott ARC4 is a stream cipher using keys ranging from 8 bits to 2048 614*f1f142adSRobert Elliott bits in length. This algorithm is required for driver-based 615*f1f142adSRobert Elliott WEP, but it should not be for other purposes because of the 616*f1f142adSRobert Elliott weakness of the algorithm. 617*f1f142adSRobert Elliott 618*f1f142adSRobert Elliottconfig CRYPTO_CHACHA20 619*f1f142adSRobert Elliott tristate "ChaCha stream cipher algorithms" 620*f1f142adSRobert Elliott select CRYPTO_LIB_CHACHA_GENERIC 621*f1f142adSRobert Elliott select CRYPTO_SKCIPHER 622*f1f142adSRobert Elliott help 623*f1f142adSRobert Elliott The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms. 624*f1f142adSRobert Elliott 625*f1f142adSRobert Elliott ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J. 626*f1f142adSRobert Elliott Bernstein and further specified in RFC7539 for use in IETF protocols. 627*f1f142adSRobert Elliott This is the portable C implementation of ChaCha20. See also: 628*f1f142adSRobert Elliott <https://cr.yp.to/chacha/chacha-20080128.pdf> 629*f1f142adSRobert Elliott 630*f1f142adSRobert Elliott XChaCha20 is the application of the XSalsa20 construction to ChaCha20 631*f1f142adSRobert Elliott rather than to Salsa20. XChaCha20 extends ChaCha20's nonce length 632*f1f142adSRobert Elliott from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits, 633*f1f142adSRobert Elliott while provably retaining ChaCha20's security. See also: 634*f1f142adSRobert Elliott <https://cr.yp.to/snuffle/xsalsa-20081128.pdf> 635*f1f142adSRobert Elliott 636*f1f142adSRobert Elliott XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly 637*f1f142adSRobert Elliott reduced security margin but increased performance. It can be needed 638*f1f142adSRobert Elliott in some performance-sensitive scenarios. 639*f1f142adSRobert Elliott 640*f1f142adSRobert Elliottconfig CRYPTO_CBC 641*f1f142adSRobert Elliott tristate "CBC support" 642*f1f142adSRobert Elliott select CRYPTO_SKCIPHER 643*f1f142adSRobert Elliott select CRYPTO_MANAGER 644*f1f142adSRobert Elliott help 645*f1f142adSRobert Elliott CBC: Cipher Block Chaining mode 646*f1f142adSRobert Elliott This block cipher algorithm is required for IPSec. 647*f1f142adSRobert Elliott 648*f1f142adSRobert Elliottconfig CRYPTO_CFB 649*f1f142adSRobert Elliott tristate "CFB support" 650*f1f142adSRobert Elliott select CRYPTO_SKCIPHER 651*f1f142adSRobert Elliott select CRYPTO_MANAGER 652*f1f142adSRobert Elliott help 653*f1f142adSRobert Elliott CFB: Cipher FeedBack mode 654*f1f142adSRobert Elliott This block cipher algorithm is required for TPM2 Cryptography. 655*f1f142adSRobert Elliott 656*f1f142adSRobert Elliottconfig CRYPTO_CTR 657*f1f142adSRobert Elliott tristate "CTR support" 658*f1f142adSRobert Elliott select CRYPTO_SKCIPHER 659*f1f142adSRobert Elliott select CRYPTO_MANAGER 660*f1f142adSRobert Elliott help 661*f1f142adSRobert Elliott CTR: Counter mode 662*f1f142adSRobert Elliott This block cipher algorithm is required for IPSec. 663*f1f142adSRobert Elliott 664*f1f142adSRobert Elliottconfig CRYPTO_CTS 665*f1f142adSRobert Elliott tristate "CTS support" 666*f1f142adSRobert Elliott select CRYPTO_SKCIPHER 667*f1f142adSRobert Elliott select CRYPTO_MANAGER 668*f1f142adSRobert Elliott help 669*f1f142adSRobert Elliott CTS: Cipher Text Stealing 670*f1f142adSRobert Elliott This is the Cipher Text Stealing mode as described by 671*f1f142adSRobert Elliott Section 8 of rfc2040 and referenced by rfc3962 672*f1f142adSRobert Elliott (rfc3962 includes errata information in its Appendix A) or 673*f1f142adSRobert Elliott CBC-CS3 as defined by NIST in Sp800-38A addendum from Oct 2010. 674*f1f142adSRobert Elliott This mode is required for Kerberos gss mechanism support 675*f1f142adSRobert Elliott for AES encryption. 676*f1f142adSRobert Elliott 677*f1f142adSRobert Elliott See: https://csrc.nist.gov/publications/detail/sp/800-38a/addendum/final 678*f1f142adSRobert Elliott 679*f1f142adSRobert Elliottconfig CRYPTO_ECB 680*f1f142adSRobert Elliott tristate "ECB support" 681*f1f142adSRobert Elliott select CRYPTO_SKCIPHER 682*f1f142adSRobert Elliott select CRYPTO_MANAGER 683*f1f142adSRobert Elliott help 684*f1f142adSRobert Elliott ECB: Electronic CodeBook mode 685*f1f142adSRobert Elliott This is the simplest block cipher algorithm. It simply encrypts 686*f1f142adSRobert Elliott the input block by block. 687*f1f142adSRobert Elliott 688*f1f142adSRobert Elliottconfig CRYPTO_HCTR2 689*f1f142adSRobert Elliott tristate "HCTR2 support" 690*f1f142adSRobert Elliott select CRYPTO_XCTR 691*f1f142adSRobert Elliott select CRYPTO_POLYVAL 692*f1f142adSRobert Elliott select CRYPTO_MANAGER 693*f1f142adSRobert Elliott help 694*f1f142adSRobert Elliott HCTR2 is a length-preserving encryption mode for storage encryption that 695*f1f142adSRobert Elliott is efficient on processors with instructions to accelerate AES and 696*f1f142adSRobert Elliott carryless multiplication, e.g. x86 processors with AES-NI and CLMUL, and 697*f1f142adSRobert Elliott ARM processors with the ARMv8 crypto extensions. 698*f1f142adSRobert Elliott 699*f1f142adSRobert Elliottconfig CRYPTO_KEYWRAP 700*f1f142adSRobert Elliott tristate "Key wrapping support" 701*f1f142adSRobert Elliott select CRYPTO_SKCIPHER 702*f1f142adSRobert Elliott select CRYPTO_MANAGER 703*f1f142adSRobert Elliott help 704*f1f142adSRobert Elliott Support for key wrapping (NIST SP800-38F / RFC3394) without 705*f1f142adSRobert Elliott padding. 706*f1f142adSRobert Elliott 707*f1f142adSRobert Elliottconfig CRYPTO_LRW 708*f1f142adSRobert Elliott tristate "LRW support" 709*f1f142adSRobert Elliott select CRYPTO_SKCIPHER 710*f1f142adSRobert Elliott select CRYPTO_MANAGER 711*f1f142adSRobert Elliott select CRYPTO_GF128MUL 712*f1f142adSRobert Elliott select CRYPTO_ECB 713*f1f142adSRobert Elliott help 714*f1f142adSRobert Elliott LRW: Liskov Rivest Wagner, a tweakable, non malleable, non movable 715*f1f142adSRobert Elliott narrow block cipher mode for dm-crypt. Use it with cipher 716*f1f142adSRobert Elliott specification string aes-lrw-benbi, the key must be 256, 320 or 384. 717*f1f142adSRobert Elliott The first 128, 192 or 256 bits in the key are used for AES and the 718*f1f142adSRobert Elliott rest is used to tie each cipher block to its logical position. 719*f1f142adSRobert Elliott 720*f1f142adSRobert Elliottconfig CRYPTO_OFB 721*f1f142adSRobert Elliott tristate "OFB support" 722*f1f142adSRobert Elliott select CRYPTO_SKCIPHER 723*f1f142adSRobert Elliott select CRYPTO_MANAGER 724*f1f142adSRobert Elliott help 725*f1f142adSRobert Elliott OFB: the Output Feedback mode makes a block cipher into a synchronous 726*f1f142adSRobert Elliott stream cipher. It generates keystream blocks, which are then XORed 727*f1f142adSRobert Elliott with the plaintext blocks to get the ciphertext. Flipping a bit in the 728*f1f142adSRobert Elliott ciphertext produces a flipped bit in the plaintext at the same 729*f1f142adSRobert Elliott location. This property allows many error correcting codes to function 730*f1f142adSRobert Elliott normally even when applied before encryption. 731*f1f142adSRobert Elliott 732*f1f142adSRobert Elliottconfig CRYPTO_PCBC 733*f1f142adSRobert Elliott tristate "PCBC support" 734*f1f142adSRobert Elliott select CRYPTO_SKCIPHER 735*f1f142adSRobert Elliott select CRYPTO_MANAGER 736*f1f142adSRobert Elliott help 737*f1f142adSRobert Elliott PCBC: Propagating Cipher Block Chaining mode 738*f1f142adSRobert Elliott This block cipher algorithm is required for RxRPC. 739*f1f142adSRobert Elliott 740*f1f142adSRobert Elliottconfig CRYPTO_XCTR 741*f1f142adSRobert Elliott tristate 742*f1f142adSRobert Elliott select CRYPTO_SKCIPHER 743*f1f142adSRobert Elliott select CRYPTO_MANAGER 744*f1f142adSRobert Elliott help 745*f1f142adSRobert Elliott XCTR: XOR Counter mode. This blockcipher mode is a variant of CTR mode 746*f1f142adSRobert Elliott using XORs and little-endian addition rather than big-endian arithmetic. 747*f1f142adSRobert Elliott XCTR mode is used to implement HCTR2. 748*f1f142adSRobert Elliott 749*f1f142adSRobert Elliottconfig CRYPTO_XTS 750*f1f142adSRobert Elliott tristate "XTS support" 751*f1f142adSRobert Elliott select CRYPTO_SKCIPHER 752*f1f142adSRobert Elliott select CRYPTO_MANAGER 753*f1f142adSRobert Elliott select CRYPTO_ECB 754*f1f142adSRobert Elliott help 755*f1f142adSRobert Elliott XTS: IEEE1619/D16 narrow block cipher use with aes-xts-plain, 756*f1f142adSRobert Elliott key size 256, 384 or 512 bits. This implementation currently 757*f1f142adSRobert Elliott can't handle a sectorsize which is not a multiple of 16 bytes. 758*f1f142adSRobert Elliott 759*f1f142adSRobert Elliottconfig CRYPTO_NHPOLY1305 760*f1f142adSRobert Elliott tristate 761*f1f142adSRobert Elliott select CRYPTO_HASH 762*f1f142adSRobert Elliott select CRYPTO_LIB_POLY1305_GENERIC 763*f1f142adSRobert Elliott 764*f1f142adSRobert Elliottendmenu 765*f1f142adSRobert Elliott 766*f1f142adSRobert Elliottmenu "AEAD (authenticated encryption with associated data) ciphers" 767*f1f142adSRobert Elliott 768*f1f142adSRobert Elliottconfig CRYPTO_AEGIS128 769*f1f142adSRobert Elliott tristate "AEGIS-128 AEAD algorithm" 770*f1f142adSRobert Elliott select CRYPTO_AEAD 771*f1f142adSRobert Elliott select CRYPTO_AES # for AES S-box tables 772*f1f142adSRobert Elliott help 773*f1f142adSRobert Elliott Support for the AEGIS-128 dedicated AEAD algorithm. 774*f1f142adSRobert Elliott 775*f1f142adSRobert Elliottconfig CRYPTO_AEGIS128_SIMD 776*f1f142adSRobert Elliott bool "Support SIMD acceleration for AEGIS-128" 777*f1f142adSRobert Elliott depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON) 778*f1f142adSRobert Elliott default y 779*f1f142adSRobert Elliott 780*f1f142adSRobert Elliottconfig CRYPTO_CHACHA20POLY1305 781*f1f142adSRobert Elliott tristate "ChaCha20-Poly1305 AEAD support" 782*f1f142adSRobert Elliott select CRYPTO_CHACHA20 783*f1f142adSRobert Elliott select CRYPTO_POLY1305 784*f1f142adSRobert Elliott select CRYPTO_AEAD 785*f1f142adSRobert Elliott select CRYPTO_MANAGER 786*f1f142adSRobert Elliott help 787*f1f142adSRobert Elliott ChaCha20-Poly1305 AEAD support, RFC7539. 788*f1f142adSRobert Elliott 789*f1f142adSRobert Elliott Support for the AEAD wrapper using the ChaCha20 stream cipher combined 790*f1f142adSRobert Elliott with the Poly1305 authenticator. It is defined in RFC7539 for use in 791*f1f142adSRobert Elliott IETF protocols. 792*f1f142adSRobert Elliott 793*f1f142adSRobert Elliottconfig CRYPTO_CCM 794*f1f142adSRobert Elliott tristate "CCM support" 795*f1f142adSRobert Elliott select CRYPTO_CTR 796*f1f142adSRobert Elliott select CRYPTO_HASH 797*f1f142adSRobert Elliott select CRYPTO_AEAD 798*f1f142adSRobert Elliott select CRYPTO_MANAGER 799*f1f142adSRobert Elliott help 800*f1f142adSRobert Elliott Support for Counter with CBC MAC. Required for IPsec. 801*f1f142adSRobert Elliott 802*f1f142adSRobert Elliottconfig CRYPTO_GCM 803*f1f142adSRobert Elliott tristate "GCM/GMAC support" 804*f1f142adSRobert Elliott select CRYPTO_CTR 805*f1f142adSRobert Elliott select CRYPTO_AEAD 806*f1f142adSRobert Elliott select CRYPTO_GHASH 807*f1f142adSRobert Elliott select CRYPTO_NULL 808*f1f142adSRobert Elliott select CRYPTO_MANAGER 809*f1f142adSRobert Elliott help 810*f1f142adSRobert Elliott Support for Galois/Counter Mode (GCM) and Galois Message 811*f1f142adSRobert Elliott Authentication Code (GMAC). Required for IPSec. 812*f1f142adSRobert Elliott 813*f1f142adSRobert Elliottconfig CRYPTO_SEQIV 814*f1f142adSRobert Elliott tristate "Sequence Number IV Generator" 815*f1f142adSRobert Elliott select CRYPTO_AEAD 816*f1f142adSRobert Elliott select CRYPTO_SKCIPHER 817*f1f142adSRobert Elliott select CRYPTO_NULL 818*f1f142adSRobert Elliott select CRYPTO_RNG_DEFAULT 819*f1f142adSRobert Elliott select CRYPTO_MANAGER 820*f1f142adSRobert Elliott help 821*f1f142adSRobert Elliott This IV generator generates an IV based on a sequence number by 822*f1f142adSRobert Elliott xoring it with a salt. This algorithm is mainly useful for CTR 823*f1f142adSRobert Elliott 824*f1f142adSRobert Elliottconfig CRYPTO_ECHAINIV 825*f1f142adSRobert Elliott tristate "Encrypted Chain IV Generator" 826*f1f142adSRobert Elliott select CRYPTO_AEAD 827*f1f142adSRobert Elliott select CRYPTO_NULL 828*f1f142adSRobert Elliott select CRYPTO_RNG_DEFAULT 829*f1f142adSRobert Elliott select CRYPTO_MANAGER 830*f1f142adSRobert Elliott help 831*f1f142adSRobert Elliott This IV generator generates an IV based on the encryption of 832*f1f142adSRobert Elliott a sequence number xored with a salt. This is the default 833*f1f142adSRobert Elliott algorithm for CBC. 834*f1f142adSRobert Elliott 835*f1f142adSRobert Elliottconfig CRYPTO_ESSIV 836*f1f142adSRobert Elliott tristate "ESSIV support for block encryption" 837*f1f142adSRobert Elliott select CRYPTO_AUTHENC 838*f1f142adSRobert Elliott help 839*f1f142adSRobert Elliott Encrypted salt-sector initialization vector (ESSIV) is an IV 840*f1f142adSRobert Elliott generation method that is used in some cases by fscrypt and/or 841*f1f142adSRobert Elliott dm-crypt. It uses the hash of the block encryption key as the 842*f1f142adSRobert Elliott symmetric key for a block encryption pass applied to the input 843*f1f142adSRobert Elliott IV, making low entropy IV sources more suitable for block 844*f1f142adSRobert Elliott encryption. 845*f1f142adSRobert Elliott 846*f1f142adSRobert Elliott This driver implements a crypto API template that can be 847*f1f142adSRobert Elliott instantiated either as an skcipher or as an AEAD (depending on the 848*f1f142adSRobert Elliott type of the first template argument), and which defers encryption 849*f1f142adSRobert Elliott and decryption requests to the encapsulated cipher after applying 850*f1f142adSRobert Elliott ESSIV to the input IV. Note that in the AEAD case, it is assumed 851*f1f142adSRobert Elliott that the keys are presented in the same format used by the authenc 852*f1f142adSRobert Elliott template, and that the IV appears at the end of the authenticated 853*f1f142adSRobert Elliott associated data (AAD) region (which is how dm-crypt uses it.) 854*f1f142adSRobert Elliott 855*f1f142adSRobert Elliott Note that the use of ESSIV is not recommended for new deployments, 856*f1f142adSRobert Elliott and so this only needs to be enabled when interoperability with 857*f1f142adSRobert Elliott existing encrypted volumes of filesystems is required, or when 858*f1f142adSRobert Elliott building for a particular system that requires it (e.g., when 859*f1f142adSRobert Elliott the SoC in question has accelerated CBC but not XTS, making CBC 860*f1f142adSRobert Elliott combined with ESSIV the only feasible mode for h/w accelerated 861*f1f142adSRobert Elliott block encryption) 862*f1f142adSRobert Elliott 863*f1f142adSRobert Elliottendmenu 864*f1f142adSRobert Elliott 865*f1f142adSRobert Elliottmenu "Hashes, digests, and MACs" 866*f1f142adSRobert Elliott 867*f1f142adSRobert Elliottconfig CRYPTO_BLAKE2B 868*f1f142adSRobert Elliott tristate "BLAKE2b digest algorithm" 869*f1f142adSRobert Elliott select CRYPTO_HASH 870*f1f142adSRobert Elliott help 871*f1f142adSRobert Elliott Implementation of cryptographic hash function BLAKE2b (or just BLAKE2), 872*f1f142adSRobert Elliott optimized for 64bit platforms and can produce digests of any size 873*f1f142adSRobert Elliott between 1 to 64. The keyed hash is also implemented. 874*f1f142adSRobert Elliott 875*f1f142adSRobert Elliott This module provides the following algorithms: 876*f1f142adSRobert Elliott 877*f1f142adSRobert Elliott - blake2b-160 878*f1f142adSRobert Elliott - blake2b-256 879*f1f142adSRobert Elliott - blake2b-384 880*f1f142adSRobert Elliott - blake2b-512 881*f1f142adSRobert Elliott 882*f1f142adSRobert Elliott See https://blake2.net for further information. 883*f1f142adSRobert Elliott 884*f1f142adSRobert Elliottconfig CRYPTO_CMAC 885*f1f142adSRobert Elliott tristate "CMAC support" 886*f1f142adSRobert Elliott select CRYPTO_HASH 887*f1f142adSRobert Elliott select CRYPTO_MANAGER 888*f1f142adSRobert Elliott help 889*f1f142adSRobert Elliott Cipher-based Message Authentication Code (CMAC) specified by 890*f1f142adSRobert Elliott The National Institute of Standards and Technology (NIST). 891*f1f142adSRobert Elliott 892*f1f142adSRobert Elliott https://tools.ietf.org/html/rfc4493 893*f1f142adSRobert Elliott http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf 894*f1f142adSRobert Elliott 895*f1f142adSRobert Elliottconfig CRYPTO_GHASH 896*f1f142adSRobert Elliott tristate "GHASH hash function" 897*f1f142adSRobert Elliott select CRYPTO_GF128MUL 898*f1f142adSRobert Elliott select CRYPTO_HASH 899*f1f142adSRobert Elliott help 900*f1f142adSRobert Elliott GHASH is the hash function used in GCM (Galois/Counter Mode). 901*f1f142adSRobert Elliott It is not a general-purpose cryptographic hash function. 902*f1f142adSRobert Elliott 903*f1f142adSRobert Elliottconfig CRYPTO_HMAC 904*f1f142adSRobert Elliott tristate "HMAC support" 905*f1f142adSRobert Elliott select CRYPTO_HASH 906*f1f142adSRobert Elliott select CRYPTO_MANAGER 907*f1f142adSRobert Elliott help 908*f1f142adSRobert Elliott HMAC: Keyed-Hashing for Message Authentication (RFC2104). 909*f1f142adSRobert Elliott This is required for IPSec. 910*f1f142adSRobert Elliott 911*f1f142adSRobert Elliottconfig CRYPTO_MD4 912*f1f142adSRobert Elliott tristate "MD4 digest algorithm" 913*f1f142adSRobert Elliott select CRYPTO_HASH 914*f1f142adSRobert Elliott help 915*f1f142adSRobert Elliott MD4 message digest algorithm (RFC1320). 916*f1f142adSRobert Elliott 917*f1f142adSRobert Elliottconfig CRYPTO_MD5 918*f1f142adSRobert Elliott tristate "MD5 digest algorithm" 919*f1f142adSRobert Elliott select CRYPTO_HASH 920*f1f142adSRobert Elliott help 921*f1f142adSRobert Elliott MD5 message digest algorithm (RFC1321). 922*f1f142adSRobert Elliott 923*f1f142adSRobert Elliottconfig CRYPTO_MICHAEL_MIC 924*f1f142adSRobert Elliott tristate "Michael MIC keyed digest algorithm" 925*f1f142adSRobert Elliott select CRYPTO_HASH 926*f1f142adSRobert Elliott help 927*f1f142adSRobert Elliott Michael MIC is used for message integrity protection in TKIP 928*f1f142adSRobert Elliott (IEEE 802.11i). This algorithm is required for TKIP, but it 929*f1f142adSRobert Elliott should not be used for other purposes because of the weakness 930*f1f142adSRobert Elliott of the algorithm. 931*f1f142adSRobert Elliott 932*f1f142adSRobert Elliottconfig CRYPTO_POLYVAL 933*f1f142adSRobert Elliott tristate 934*f1f142adSRobert Elliott select CRYPTO_GF128MUL 935*f1f142adSRobert Elliott select CRYPTO_HASH 936*f1f142adSRobert Elliott help 937*f1f142adSRobert Elliott POLYVAL is the hash function used in HCTR2. It is not a general-purpose 938*f1f142adSRobert Elliott cryptographic hash function. 939*f1f142adSRobert Elliott 940*f1f142adSRobert Elliottconfig CRYPTO_POLY1305 941*f1f142adSRobert Elliott tristate "Poly1305 authenticator algorithm" 942*f1f142adSRobert Elliott select CRYPTO_HASH 943*f1f142adSRobert Elliott select CRYPTO_LIB_POLY1305_GENERIC 944*f1f142adSRobert Elliott help 945*f1f142adSRobert Elliott Poly1305 authenticator algorithm, RFC7539. 946*f1f142adSRobert Elliott 947*f1f142adSRobert Elliott Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein. 948*f1f142adSRobert Elliott It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use 949*f1f142adSRobert Elliott in IETF protocols. This is the portable C implementation of Poly1305. 950*f1f142adSRobert Elliott 951*f1f142adSRobert Elliottconfig CRYPTO_RMD160 952*f1f142adSRobert Elliott tristate "RIPEMD-160 digest algorithm" 953*f1f142adSRobert Elliott select CRYPTO_HASH 954*f1f142adSRobert Elliott help 955*f1f142adSRobert Elliott RIPEMD-160 (ISO/IEC 10118-3:2004). 956*f1f142adSRobert Elliott 957*f1f142adSRobert Elliott RIPEMD-160 is a 160-bit cryptographic hash function. It is intended 958*f1f142adSRobert Elliott to be used as a secure replacement for the 128-bit hash functions 959*f1f142adSRobert Elliott MD4, MD5 and its predecessor RIPEMD 960*f1f142adSRobert Elliott (not to be confused with RIPEMD-128). 961*f1f142adSRobert Elliott 962*f1f142adSRobert Elliott It's speed is comparable to SHA1 and there are no known attacks 963*f1f142adSRobert Elliott against RIPEMD-160. 964*f1f142adSRobert Elliott 965*f1f142adSRobert Elliott Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel. 966*f1f142adSRobert Elliott See <https://homes.esat.kuleuven.be/~bosselae/ripemd160.html> 967*f1f142adSRobert Elliott 968*f1f142adSRobert Elliottconfig CRYPTO_SHA1 969*f1f142adSRobert Elliott tristate "SHA1 digest algorithm" 970*f1f142adSRobert Elliott select CRYPTO_HASH 971*f1f142adSRobert Elliott select CRYPTO_LIB_SHA1 972*f1f142adSRobert Elliott help 973*f1f142adSRobert Elliott SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2). 974*f1f142adSRobert Elliott 975*f1f142adSRobert Elliottconfig CRYPTO_SHA256 976*f1f142adSRobert Elliott tristate "SHA224 and SHA256 digest algorithm" 977*f1f142adSRobert Elliott select CRYPTO_HASH 978*f1f142adSRobert Elliott select CRYPTO_LIB_SHA256 979*f1f142adSRobert Elliott help 980*f1f142adSRobert Elliott SHA256 secure hash standard (DFIPS 180-2). 981*f1f142adSRobert Elliott 982*f1f142adSRobert Elliott This version of SHA implements a 256 bit hash with 128 bits of 983*f1f142adSRobert Elliott security against collision attacks. 984*f1f142adSRobert Elliott 985*f1f142adSRobert Elliott This code also includes SHA-224, a 224 bit hash with 112 bits 986*f1f142adSRobert Elliott of security against collision attacks. 987*f1f142adSRobert Elliott 988*f1f142adSRobert Elliottconfig CRYPTO_SHA512 989*f1f142adSRobert Elliott tristate "SHA384 and SHA512 digest algorithms" 990*f1f142adSRobert Elliott select CRYPTO_HASH 991*f1f142adSRobert Elliott help 992*f1f142adSRobert Elliott SHA512 secure hash standard (DFIPS 180-2). 993*f1f142adSRobert Elliott 994*f1f142adSRobert Elliott This version of SHA implements a 512 bit hash with 256 bits of 995*f1f142adSRobert Elliott security against collision attacks. 996*f1f142adSRobert Elliott 997*f1f142adSRobert Elliott This code also includes SHA-384, a 384 bit hash with 192 bits 998*f1f142adSRobert Elliott of security against collision attacks. 999*f1f142adSRobert Elliott 1000*f1f142adSRobert Elliottconfig CRYPTO_SHA3 1001*f1f142adSRobert Elliott tristate "SHA3 digest algorithm" 1002*f1f142adSRobert Elliott select CRYPTO_HASH 1003*f1f142adSRobert Elliott help 1004*f1f142adSRobert Elliott SHA-3 secure hash standard (DFIPS 202). It's based on 1005*f1f142adSRobert Elliott cryptographic sponge function family called Keccak. 1006*f1f142adSRobert Elliott 1007*f1f142adSRobert Elliott References: 1008*f1f142adSRobert Elliott http://keccak.noekeon.org/ 1009*f1f142adSRobert Elliott 1010*f1f142adSRobert Elliottconfig CRYPTO_SM3 1011*f1f142adSRobert Elliott tristate 1012*f1f142adSRobert Elliott 1013*f1f142adSRobert Elliottconfig CRYPTO_SM3_GENERIC 1014*f1f142adSRobert Elliott tristate "SM3 digest algorithm" 1015*f1f142adSRobert Elliott select CRYPTO_HASH 1016*f1f142adSRobert Elliott select CRYPTO_SM3 1017*f1f142adSRobert Elliott help 1018*f1f142adSRobert Elliott SM3 secure hash function as defined by OSCCA GM/T 0004-2012 SM3). 1019*f1f142adSRobert Elliott It is part of the Chinese Commercial Cryptography suite. 1020*f1f142adSRobert Elliott 1021*f1f142adSRobert Elliott References: 1022*f1f142adSRobert Elliott http://www.oscca.gov.cn/UpFile/20101222141857786.pdf 1023*f1f142adSRobert Elliott https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash 1024*f1f142adSRobert Elliott 1025*f1f142adSRobert Elliottconfig CRYPTO_STREEBOG 1026*f1f142adSRobert Elliott tristate "Streebog Hash Function" 1027*f1f142adSRobert Elliott select CRYPTO_HASH 1028*f1f142adSRobert Elliott help 1029*f1f142adSRobert Elliott Streebog Hash Function (GOST R 34.11-2012, RFC 6986) is one of the Russian 1030*f1f142adSRobert Elliott cryptographic standard algorithms (called GOST algorithms). 1031*f1f142adSRobert Elliott This setting enables two hash algorithms with 256 and 512 bits output. 1032*f1f142adSRobert Elliott 1033*f1f142adSRobert Elliott References: 1034*f1f142adSRobert Elliott https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf 1035*f1f142adSRobert Elliott https://tools.ietf.org/html/rfc6986 1036*f1f142adSRobert Elliott 1037*f1f142adSRobert Elliottconfig CRYPTO_VMAC 1038*f1f142adSRobert Elliott tristate "VMAC support" 1039*f1f142adSRobert Elliott select CRYPTO_HASH 1040*f1f142adSRobert Elliott select CRYPTO_MANAGER 1041*f1f142adSRobert Elliott help 1042*f1f142adSRobert Elliott VMAC is a message authentication algorithm designed for 1043*f1f142adSRobert Elliott very high speed on 64-bit architectures. 1044*f1f142adSRobert Elliott 1045*f1f142adSRobert Elliott See also: 1046*f1f142adSRobert Elliott <https://fastcrypto.org/vmac> 1047*f1f142adSRobert Elliott 1048*f1f142adSRobert Elliottconfig CRYPTO_WP512 1049*f1f142adSRobert Elliott tristate "Whirlpool digest algorithms" 1050*f1f142adSRobert Elliott select CRYPTO_HASH 1051*f1f142adSRobert Elliott help 1052*f1f142adSRobert Elliott Whirlpool hash algorithm 512, 384 and 256-bit hashes 1053*f1f142adSRobert Elliott 1054*f1f142adSRobert Elliott Whirlpool-512 is part of the NESSIE cryptographic primitives. 1055*f1f142adSRobert Elliott Whirlpool will be part of the ISO/IEC 10118-3:2003(E) standard 1056*f1f142adSRobert Elliott 1057*f1f142adSRobert Elliott See also: 1058*f1f142adSRobert Elliott <http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html> 1059*f1f142adSRobert Elliott 1060*f1f142adSRobert Elliottconfig CRYPTO_XCBC 1061*f1f142adSRobert Elliott tristate "XCBC support" 1062*f1f142adSRobert Elliott select CRYPTO_HASH 1063*f1f142adSRobert Elliott select CRYPTO_MANAGER 1064*f1f142adSRobert Elliott help 1065*f1f142adSRobert Elliott XCBC: Keyed-Hashing with encryption algorithm 1066*f1f142adSRobert Elliott https://www.ietf.org/rfc/rfc3566.txt 1067*f1f142adSRobert Elliott http://csrc.nist.gov/encryption/modes/proposedmodes/ 1068*f1f142adSRobert Elliott xcbc-mac/xcbc-mac-spec.pdf 1069*f1f142adSRobert Elliott 1070*f1f142adSRobert Elliottconfig CRYPTO_XXHASH 1071*f1f142adSRobert Elliott tristate "xxHash hash algorithm" 1072*f1f142adSRobert Elliott select CRYPTO_HASH 1073*f1f142adSRobert Elliott select XXHASH 1074*f1f142adSRobert Elliott help 1075*f1f142adSRobert Elliott xxHash non-cryptographic hash algorithm. Extremely fast, working at 1076*f1f142adSRobert Elliott speeds close to RAM limits. 1077*f1f142adSRobert Elliott 1078*f1f142adSRobert Elliottendmenu 1079*f1f142adSRobert Elliott 1080*f1f142adSRobert Elliottmenu "CRCs (cyclic redundancy checks)" 1081*f1f142adSRobert Elliott 1082*f1f142adSRobert Elliottconfig CRYPTO_CRC32C 1083*f1f142adSRobert Elliott tristate "CRC32c CRC algorithm" 1084*f1f142adSRobert Elliott select CRYPTO_HASH 1085*f1f142adSRobert Elliott select CRC32 1086*f1f142adSRobert Elliott help 1087*f1f142adSRobert Elliott Castagnoli, et al Cyclic Redundancy-Check Algorithm. Used 1088*f1f142adSRobert Elliott by iSCSI for header and data digests and by others. 1089*f1f142adSRobert Elliott See Castagnoli93. Module will be crc32c. 1090*f1f142adSRobert Elliott 1091*f1f142adSRobert Elliottconfig CRYPTO_CRC32 1092*f1f142adSRobert Elliott tristate "CRC32 CRC algorithm" 1093*f1f142adSRobert Elliott select CRYPTO_HASH 1094*f1f142adSRobert Elliott select CRC32 1095*f1f142adSRobert Elliott help 1096*f1f142adSRobert Elliott CRC-32-IEEE 802.3 cyclic redundancy-check algorithm. 1097*f1f142adSRobert Elliott Shash crypto api wrappers to crc32_le function. 1098*f1f142adSRobert Elliott 1099*f1f142adSRobert Elliottconfig CRYPTO_CRCT10DIF 1100*f1f142adSRobert Elliott tristate "CRCT10DIF algorithm" 1101*f1f142adSRobert Elliott select CRYPTO_HASH 1102*f1f142adSRobert Elliott help 1103*f1f142adSRobert Elliott CRC T10 Data Integrity Field computation is being cast as 1104*f1f142adSRobert Elliott a crypto transform. This allows for faster crc t10 diff 1105*f1f142adSRobert Elliott transforms to be used if they are available. 1106*f1f142adSRobert Elliott 1107*f1f142adSRobert Elliottconfig CRYPTO_CRC64_ROCKSOFT 1108*f1f142adSRobert Elliott tristate "Rocksoft Model CRC64 algorithm" 1109*f1f142adSRobert Elliott depends on CRC64 1110*f1f142adSRobert Elliott select CRYPTO_HASH 1111*f1f142adSRobert Elliott 1112*f1f142adSRobert Elliottendmenu 1113*f1f142adSRobert Elliott 1114*f1f142adSRobert Elliottmenu "Compression" 1115584fffc8SSebastian Siewior 11161da177e4SLinus Torvaldsconfig CRYPTO_DEFLATE 11171da177e4SLinus Torvalds tristate "Deflate compression algorithm" 1118cce9e06dSHerbert Xu select CRYPTO_ALGAPI 1119f6ded09dSGiovanni Cabiddu select CRYPTO_ACOMP2 11201da177e4SLinus Torvalds select ZLIB_INFLATE 11211da177e4SLinus Torvalds select ZLIB_DEFLATE 11221da177e4SLinus Torvalds help 11231da177e4SLinus Torvalds This is the Deflate algorithm (RFC1951), specified for use in 11241da177e4SLinus Torvalds IPSec with the IPCOMP protocol (RFC3173, RFC2394). 11251da177e4SLinus Torvalds 11261da177e4SLinus Torvalds You will most probably want this if using IPSec. 11271da177e4SLinus Torvalds 11280b77abb3SZoltan Sogorconfig CRYPTO_LZO 11290b77abb3SZoltan Sogor tristate "LZO compression algorithm" 11300b77abb3SZoltan Sogor select CRYPTO_ALGAPI 1131ac9d2c4bSGiovanni Cabiddu select CRYPTO_ACOMP2 11320b77abb3SZoltan Sogor select LZO_COMPRESS 11330b77abb3SZoltan Sogor select LZO_DECOMPRESS 11340b77abb3SZoltan Sogor help 11350b77abb3SZoltan Sogor This is the LZO algorithm. 11360b77abb3SZoltan Sogor 113735a1fc18SSeth Jenningsconfig CRYPTO_842 113835a1fc18SSeth Jennings tristate "842 compression algorithm" 11392062c5b6SDan Streetman select CRYPTO_ALGAPI 11406a8de3aeSGiovanni Cabiddu select CRYPTO_ACOMP2 11412062c5b6SDan Streetman select 842_COMPRESS 11422062c5b6SDan Streetman select 842_DECOMPRESS 114335a1fc18SSeth Jennings help 114435a1fc18SSeth Jennings This is the 842 algorithm. 114535a1fc18SSeth Jennings 11460ea8530dSChanho Minconfig CRYPTO_LZ4 11470ea8530dSChanho Min tristate "LZ4 compression algorithm" 11480ea8530dSChanho Min select CRYPTO_ALGAPI 11498cd9330eSGiovanni Cabiddu select CRYPTO_ACOMP2 11500ea8530dSChanho Min select LZ4_COMPRESS 11510ea8530dSChanho Min select LZ4_DECOMPRESS 11520ea8530dSChanho Min help 11530ea8530dSChanho Min This is the LZ4 algorithm. 11540ea8530dSChanho Min 11550ea8530dSChanho Minconfig CRYPTO_LZ4HC 11560ea8530dSChanho Min tristate "LZ4HC compression algorithm" 11570ea8530dSChanho Min select CRYPTO_ALGAPI 115891d53d96SGiovanni Cabiddu select CRYPTO_ACOMP2 11590ea8530dSChanho Min select LZ4HC_COMPRESS 11600ea8530dSChanho Min select LZ4_DECOMPRESS 11610ea8530dSChanho Min help 11620ea8530dSChanho Min This is the LZ4 high compression mode algorithm. 11630ea8530dSChanho Min 1164d28fc3dbSNick Terrellconfig CRYPTO_ZSTD 1165d28fc3dbSNick Terrell tristate "Zstd compression algorithm" 1166d28fc3dbSNick Terrell select CRYPTO_ALGAPI 1167d28fc3dbSNick Terrell select CRYPTO_ACOMP2 1168d28fc3dbSNick Terrell select ZSTD_COMPRESS 1169d28fc3dbSNick Terrell select ZSTD_DECOMPRESS 1170d28fc3dbSNick Terrell help 1171d28fc3dbSNick Terrell This is the zstd algorithm. 1172d28fc3dbSNick Terrell 1173*f1f142adSRobert Elliottendmenu 1174*f1f142adSRobert Elliott 1175*f1f142adSRobert Elliottmenu "Random number generation" 117617f0f4a4SNeil Horman 117717f0f4a4SNeil Hormanconfig CRYPTO_ANSI_CPRNG 117817f0f4a4SNeil Horman tristate "Pseudo Random Number Generation for Cryptographic modules" 117917f0f4a4SNeil Horman select CRYPTO_AES 118017f0f4a4SNeil Horman select CRYPTO_RNG 118117f0f4a4SNeil Horman help 118217f0f4a4SNeil Horman This option enables the generic pseudo random number generator 118317f0f4a4SNeil Horman for cryptographic modules. Uses the Algorithm specified in 11847dd607e8SJiri Kosina ANSI X9.31 A.2.4. Note that this option must be enabled if 11857dd607e8SJiri Kosina CRYPTO_FIPS is selected 118617f0f4a4SNeil Horman 1187f2c89a10SHerbert Xumenuconfig CRYPTO_DRBG_MENU 1188419090c6SStephan Mueller tristate "NIST SP800-90A DRBG" 1189419090c6SStephan Mueller help 1190419090c6SStephan Mueller NIST SP800-90A compliant DRBG. In the following submenu, one or 1191419090c6SStephan Mueller more of the DRBG types must be selected. 1192419090c6SStephan Mueller 1193f2c89a10SHerbert Xuif CRYPTO_DRBG_MENU 1194419090c6SStephan Mueller 1195419090c6SStephan Muellerconfig CRYPTO_DRBG_HMAC 1196401e4238SHerbert Xu bool 1197419090c6SStephan Mueller default y 1198419090c6SStephan Mueller select CRYPTO_HMAC 11995261cdf4SStephan Mueller select CRYPTO_SHA512 1200419090c6SStephan Mueller 1201419090c6SStephan Muellerconfig CRYPTO_DRBG_HASH 1202419090c6SStephan Mueller bool "Enable Hash DRBG" 1203826775bbSHerbert Xu select CRYPTO_SHA256 1204419090c6SStephan Mueller help 1205419090c6SStephan Mueller Enable the Hash DRBG variant as defined in NIST SP800-90A. 1206419090c6SStephan Mueller 1207419090c6SStephan Muellerconfig CRYPTO_DRBG_CTR 1208419090c6SStephan Mueller bool "Enable CTR DRBG" 1209419090c6SStephan Mueller select CRYPTO_AES 1210d6fc1a45SCorentin Labbe select CRYPTO_CTR 1211419090c6SStephan Mueller help 1212419090c6SStephan Mueller Enable the CTR DRBG variant as defined in NIST SP800-90A. 1213419090c6SStephan Mueller 1214f2c89a10SHerbert Xuconfig CRYPTO_DRBG 1215f2c89a10SHerbert Xu tristate 1216401e4238SHerbert Xu default CRYPTO_DRBG_MENU 1217f2c89a10SHerbert Xu select CRYPTO_RNG 1218bb5530e4SStephan Mueller select CRYPTO_JITTERENTROPY 1219f2c89a10SHerbert Xu 1220f2c89a10SHerbert Xuendif # if CRYPTO_DRBG_MENU 1221419090c6SStephan Mueller 1222bb5530e4SStephan Muellerconfig CRYPTO_JITTERENTROPY 1223bb5530e4SStephan Mueller tristate "Jitterentropy Non-Deterministic Random Number Generator" 12242f313e02SArnd Bergmann select CRYPTO_RNG 1225bb5530e4SStephan Mueller help 1226bb5530e4SStephan Mueller The Jitterentropy RNG is a noise that is intended 1227bb5530e4SStephan Mueller to provide seed to another RNG. The RNG does not 1228bb5530e4SStephan Mueller perform any cryptographic whitening of the generated 1229bb5530e4SStephan Mueller random numbers. This Jitterentropy RNG registers with 1230bb5530e4SStephan Mueller the kernel crypto API and can be used by any caller. 1231bb5530e4SStephan Mueller 1232026a733eSStephan Müllerconfig CRYPTO_KDF800108_CTR 1233026a733eSStephan Müller tristate 1234a88592ccSHerbert Xu select CRYPTO_HMAC 1235304b4aceSStephan Müller select CRYPTO_SHA256 1236026a733eSStephan Müller 1237*f1f142adSRobert Elliottendmenu 1238*f1f142adSRobert Elliottmenu "User-space interface" 1239*f1f142adSRobert Elliott 124003c8efc1SHerbert Xuconfig CRYPTO_USER_API 124103c8efc1SHerbert Xu tristate 124203c8efc1SHerbert Xu 1243fe869cdbSHerbert Xuconfig CRYPTO_USER_API_HASH 1244fe869cdbSHerbert Xu tristate "User-space interface for hash algorithms" 12457451708fSHerbert Xu depends on NET 1246fe869cdbSHerbert Xu select CRYPTO_HASH 1247fe869cdbSHerbert Xu select CRYPTO_USER_API 1248fe869cdbSHerbert Xu help 1249fe869cdbSHerbert Xu This option enables the user-spaces interface for hash 1250fe869cdbSHerbert Xu algorithms. 1251fe869cdbSHerbert Xu 12528ff59090SHerbert Xuconfig CRYPTO_USER_API_SKCIPHER 12538ff59090SHerbert Xu tristate "User-space interface for symmetric key cipher algorithms" 12547451708fSHerbert Xu depends on NET 1255b95bba5dSEric Biggers select CRYPTO_SKCIPHER 12568ff59090SHerbert Xu select CRYPTO_USER_API 12578ff59090SHerbert Xu help 12588ff59090SHerbert Xu This option enables the user-spaces interface for symmetric 12598ff59090SHerbert Xu key cipher algorithms. 12608ff59090SHerbert Xu 12612f375538SStephan Muellerconfig CRYPTO_USER_API_RNG 12622f375538SStephan Mueller tristate "User-space interface for random number generator algorithms" 12632f375538SStephan Mueller depends on NET 12642f375538SStephan Mueller select CRYPTO_RNG 12652f375538SStephan Mueller select CRYPTO_USER_API 12662f375538SStephan Mueller help 12672f375538SStephan Mueller This option enables the user-spaces interface for random 12682f375538SStephan Mueller number generator algorithms. 12692f375538SStephan Mueller 127077ebdabeSElena Petrovaconfig CRYPTO_USER_API_RNG_CAVP 127177ebdabeSElena Petrova bool "Enable CAVP testing of DRBG" 127277ebdabeSElena Petrova depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG 127377ebdabeSElena Petrova help 127477ebdabeSElena Petrova This option enables extra API for CAVP testing via the user-space 127577ebdabeSElena Petrova interface: resetting of DRBG entropy, and providing Additional Data. 127677ebdabeSElena Petrova This should only be enabled for CAVP testing. You should say 127777ebdabeSElena Petrova no unless you know what this is. 127877ebdabeSElena Petrova 1279b64a2d95SHerbert Xuconfig CRYPTO_USER_API_AEAD 1280b64a2d95SHerbert Xu tristate "User-space interface for AEAD cipher algorithms" 1281b64a2d95SHerbert Xu depends on NET 1282b64a2d95SHerbert Xu select CRYPTO_AEAD 1283b95bba5dSEric Biggers select CRYPTO_SKCIPHER 128472548b09SStephan Mueller select CRYPTO_NULL 1285b64a2d95SHerbert Xu select CRYPTO_USER_API 1286b64a2d95SHerbert Xu help 1287b64a2d95SHerbert Xu This option enables the user-spaces interface for AEAD 1288b64a2d95SHerbert Xu cipher algorithms. 1289b64a2d95SHerbert Xu 12909ace6771SArd Biesheuvelconfig CRYPTO_USER_API_ENABLE_OBSOLETE 12919ace6771SArd Biesheuvel bool "Enable obsolete cryptographic algorithms for userspace" 12929ace6771SArd Biesheuvel depends on CRYPTO_USER_API 12939ace6771SArd Biesheuvel default y 12949ace6771SArd Biesheuvel help 12959ace6771SArd Biesheuvel Allow obsolete cryptographic algorithms to be selected that have 12969ace6771SArd Biesheuvel already been phased out from internal use by the kernel, and are 12979ace6771SArd Biesheuvel only useful for userspace clients that still rely on them. 12989ace6771SArd Biesheuvel 1299cac5818cSCorentin Labbeconfig CRYPTO_STATS 1300cac5818cSCorentin Labbe bool "Crypto usage statistics for User-space" 1301a6a31385SCorentin Labbe depends on CRYPTO_USER 1302cac5818cSCorentin Labbe help 1303cac5818cSCorentin Labbe This option enables the gathering of crypto stats. 1304cac5818cSCorentin Labbe This will collect: 1305cac5818cSCorentin Labbe - encrypt/decrypt size and numbers of symmeric operations 1306cac5818cSCorentin Labbe - compress/decompress size and numbers of compress operations 1307cac5818cSCorentin Labbe - size and numbers of hash operations 1308cac5818cSCorentin Labbe - encrypt/decrypt/sign/verify numbers for asymmetric operations 1309cac5818cSCorentin Labbe - generate/seed numbers for rng operations 1310cac5818cSCorentin Labbe 1311*f1f142adSRobert Elliottendmenu 1312*f1f142adSRobert Elliott 1313ee08997fSDmitry Kasatkinconfig CRYPTO_HASH_INFO 1314ee08997fSDmitry Kasatkin bool 1315ee08997fSDmitry Kasatkin 13164a329fecSRobert Elliottif ARM 13174a329fecSRobert Elliottsource "arch/arm/crypto/Kconfig" 13184a329fecSRobert Elliottendif 13194a329fecSRobert Elliottif ARM64 13204a329fecSRobert Elliottsource "arch/arm64/crypto/Kconfig" 13214a329fecSRobert Elliottendif 1322e45f710bSRobert Elliottif MIPS 1323e45f710bSRobert Elliottsource "arch/mips/crypto/Kconfig" 1324e45f710bSRobert Elliottendif 13256a490a4eSRobert Elliottif PPC 13266a490a4eSRobert Elliottsource "arch/powerpc/crypto/Kconfig" 13276a490a4eSRobert Elliottendif 1328c9d24c97SRobert Elliottif S390 1329c9d24c97SRobert Elliottsource "arch/s390/crypto/Kconfig" 1330c9d24c97SRobert Elliottendif 13310e9f9ea6SRobert Elliottif SPARC 13320e9f9ea6SRobert Elliottsource "arch/sparc/crypto/Kconfig" 13330e9f9ea6SRobert Elliottendif 133428a936efSRobert Elliottif X86 133528a936efSRobert Elliottsource "arch/x86/crypto/Kconfig" 133628a936efSRobert Elliottendif 1337e45f710bSRobert Elliott 13381da177e4SLinus Torvaldssource "drivers/crypto/Kconfig" 13398636a1f9SMasahiro Yamadasource "crypto/asymmetric_keys/Kconfig" 13408636a1f9SMasahiro Yamadasource "certs/Kconfig" 13411da177e4SLinus Torvalds 1342cce9e06dSHerbert Xuendif # if CRYPTO 1343