xref: /linux/crypto/Kconfig (revision f43dcaf2c97eae986378f12c46b27fe21f8a885b)
1b2441318SGreg Kroah-Hartman# SPDX-License-Identifier: GPL-2.0
21da177e4SLinus Torvalds#
3685784aaSDan Williams# Generic algorithms support
4685784aaSDan Williams#
5685784aaSDan Williamsconfig XOR_BLOCKS
6685784aaSDan Williams	tristate
7685784aaSDan Williams
8685784aaSDan Williams#
99bc89cd8SDan Williams# async_tx api: hardware offloaded memory transfer/transform support
109bc89cd8SDan Williams#
119bc89cd8SDan Williamssource "crypto/async_tx/Kconfig"
129bc89cd8SDan Williams
139bc89cd8SDan Williams#
141da177e4SLinus Torvalds# Cryptographic API Configuration
151da177e4SLinus Torvalds#
162e290f43SJan Engelhardtmenuconfig CRYPTO
17c3715cb9SSebastian Siewior	tristate "Cryptographic API"
181da177e4SLinus Torvalds	help
191da177e4SLinus Torvalds	  This option provides the core Cryptographic API.
201da177e4SLinus Torvalds
21cce9e06dSHerbert Xuif CRYPTO
22cce9e06dSHerbert Xu
23584fffc8SSebastian Siewiorcomment "Crypto core or helper"
24584fffc8SSebastian Siewior
25ccb778e1SNeil Hormanconfig CRYPTO_FIPS
26ccb778e1SNeil Horman	bool "FIPS 200 compliance"
27f2c89a10SHerbert Xu	depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
281f696097SAlec Ari	depends on (MODULE_SIG || !MODULES)
29ccb778e1SNeil Horman	help
30d99324c2SGeert Uytterhoeven	  This option enables the fips boot option which is
31d99324c2SGeert Uytterhoeven	  required if you want the system to operate in a FIPS 200
32ccb778e1SNeil Horman	  certification.  You should say no unless you know what
33e84c5480SChuck Ebbert	  this is.
34ccb778e1SNeil Horman
35cce9e06dSHerbert Xuconfig CRYPTO_ALGAPI
36cce9e06dSHerbert Xu	tristate
376a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
38cce9e06dSHerbert Xu	help
39cce9e06dSHerbert Xu	  This option provides the API for cryptographic algorithms.
40cce9e06dSHerbert Xu
416a0fcbb4SHerbert Xuconfig CRYPTO_ALGAPI2
426a0fcbb4SHerbert Xu	tristate
436a0fcbb4SHerbert Xu
441ae97820SHerbert Xuconfig CRYPTO_AEAD
451ae97820SHerbert Xu	tristate
466a0fcbb4SHerbert Xu	select CRYPTO_AEAD2
471ae97820SHerbert Xu	select CRYPTO_ALGAPI
481ae97820SHerbert Xu
496a0fcbb4SHerbert Xuconfig CRYPTO_AEAD2
506a0fcbb4SHerbert Xu	tristate
516a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
52149a3971SHerbert Xu	select CRYPTO_NULL2
53149a3971SHerbert Xu	select CRYPTO_RNG2
546a0fcbb4SHerbert Xu
55b95bba5dSEric Biggersconfig CRYPTO_SKCIPHER
565cde0af2SHerbert Xu	tristate
57b95bba5dSEric Biggers	select CRYPTO_SKCIPHER2
585cde0af2SHerbert Xu	select CRYPTO_ALGAPI
596a0fcbb4SHerbert Xu
60b95bba5dSEric Biggersconfig CRYPTO_SKCIPHER2
616a0fcbb4SHerbert Xu	tristate
626a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
636a0fcbb4SHerbert Xu	select CRYPTO_RNG2
645cde0af2SHerbert Xu
65055bcee3SHerbert Xuconfig CRYPTO_HASH
66055bcee3SHerbert Xu	tristate
676a0fcbb4SHerbert Xu	select CRYPTO_HASH2
68055bcee3SHerbert Xu	select CRYPTO_ALGAPI
69055bcee3SHerbert Xu
706a0fcbb4SHerbert Xuconfig CRYPTO_HASH2
716a0fcbb4SHerbert Xu	tristate
726a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
736a0fcbb4SHerbert Xu
7417f0f4a4SNeil Hormanconfig CRYPTO_RNG
7517f0f4a4SNeil Horman	tristate
766a0fcbb4SHerbert Xu	select CRYPTO_RNG2
7717f0f4a4SNeil Horman	select CRYPTO_ALGAPI
7817f0f4a4SNeil Horman
796a0fcbb4SHerbert Xuconfig CRYPTO_RNG2
806a0fcbb4SHerbert Xu	tristate
816a0fcbb4SHerbert Xu	select CRYPTO_ALGAPI2
826a0fcbb4SHerbert Xu
83401e4238SHerbert Xuconfig CRYPTO_RNG_DEFAULT
84401e4238SHerbert Xu	tristate
85401e4238SHerbert Xu	select CRYPTO_DRBG_MENU
86401e4238SHerbert Xu
873c339ab8STadeusz Strukconfig CRYPTO_AKCIPHER2
883c339ab8STadeusz Struk	tristate
893c339ab8STadeusz Struk	select CRYPTO_ALGAPI2
903c339ab8STadeusz Struk
913c339ab8STadeusz Strukconfig CRYPTO_AKCIPHER
923c339ab8STadeusz Struk	tristate
933c339ab8STadeusz Struk	select CRYPTO_AKCIPHER2
943c339ab8STadeusz Struk	select CRYPTO_ALGAPI
953c339ab8STadeusz Struk
964e5f2c40SSalvatore Benedettoconfig CRYPTO_KPP2
974e5f2c40SSalvatore Benedetto	tristate
984e5f2c40SSalvatore Benedetto	select CRYPTO_ALGAPI2
994e5f2c40SSalvatore Benedetto
1004e5f2c40SSalvatore Benedettoconfig CRYPTO_KPP
1014e5f2c40SSalvatore Benedetto	tristate
1024e5f2c40SSalvatore Benedetto	select CRYPTO_ALGAPI
1034e5f2c40SSalvatore Benedetto	select CRYPTO_KPP2
1044e5f2c40SSalvatore Benedetto
1052ebda74fSGiovanni Cabidduconfig CRYPTO_ACOMP2
1062ebda74fSGiovanni Cabiddu	tristate
1072ebda74fSGiovanni Cabiddu	select CRYPTO_ALGAPI2
1088cd579d2SBart Van Assche	select SGL_ALLOC
1092ebda74fSGiovanni Cabiddu
1102ebda74fSGiovanni Cabidduconfig CRYPTO_ACOMP
1112ebda74fSGiovanni Cabiddu	tristate
1122ebda74fSGiovanni Cabiddu	select CRYPTO_ALGAPI
1132ebda74fSGiovanni Cabiddu	select CRYPTO_ACOMP2
1142ebda74fSGiovanni Cabiddu
1152b8c19dbSHerbert Xuconfig CRYPTO_MANAGER
1162b8c19dbSHerbert Xu	tristate "Cryptographic algorithm manager"
1176a0fcbb4SHerbert Xu	select CRYPTO_MANAGER2
1182b8c19dbSHerbert Xu	help
1192b8c19dbSHerbert Xu	  Create default cryptographic template instantiations such as
1202b8c19dbSHerbert Xu	  cbc(aes).
1212b8c19dbSHerbert Xu
1226a0fcbb4SHerbert Xuconfig CRYPTO_MANAGER2
1236a0fcbb4SHerbert Xu	def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
1246a0fcbb4SHerbert Xu	select CRYPTO_AEAD2
1256a0fcbb4SHerbert Xu	select CRYPTO_HASH2
126b95bba5dSEric Biggers	select CRYPTO_SKCIPHER2
127946cc463STadeusz Struk	select CRYPTO_AKCIPHER2
1284e5f2c40SSalvatore Benedetto	select CRYPTO_KPP2
1292ebda74fSGiovanni Cabiddu	select CRYPTO_ACOMP2
1306a0fcbb4SHerbert Xu
131a38f7907SSteffen Klassertconfig CRYPTO_USER
132a38f7907SSteffen Klassert	tristate "Userspace cryptographic algorithm configuration"
1335db017aaSHerbert Xu	depends on NET
134a38f7907SSteffen Klassert	select CRYPTO_MANAGER
135a38f7907SSteffen Klassert	help
136d19978f5SValdis.Kletnieks@vt.edu	  Userspace configuration for cryptographic instantiations such as
137a38f7907SSteffen Klassert	  cbc(aes).
138a38f7907SSteffen Klassert
139326a6346SHerbert Xuconfig CRYPTO_MANAGER_DISABLE_TESTS
140326a6346SHerbert Xu	bool "Disable run-time self tests"
14100ca28a5SHerbert Xu	default y
1420b767f96SAlexander Shishkin	help
143326a6346SHerbert Xu	  Disable run-time self tests that normally take place at
144326a6346SHerbert Xu	  algorithm registration.
1450b767f96SAlexander Shishkin
1465b2706a4SEric Biggersconfig CRYPTO_MANAGER_EXTRA_TESTS
1475b2706a4SEric Biggers	bool "Enable extra run-time crypto self tests"
1486569e309SJason A. Donenfeld	depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER
1495b2706a4SEric Biggers	help
1505b2706a4SEric Biggers	  Enable extra run-time self tests of registered crypto algorithms,
1515b2706a4SEric Biggers	  including randomized fuzz tests.
1525b2706a4SEric Biggers
1535b2706a4SEric Biggers	  This is intended for developer use only, as these tests take much
1545b2706a4SEric Biggers	  longer to run than the normal self tests.
1555b2706a4SEric Biggers
156584fffc8SSebastian Siewiorconfig CRYPTO_GF128MUL
157e590e132SEric Biggers	tristate
158584fffc8SSebastian Siewior
159584fffc8SSebastian Siewiorconfig CRYPTO_NULL
160584fffc8SSebastian Siewior	tristate "Null algorithms"
161149a3971SHerbert Xu	select CRYPTO_NULL2
162584fffc8SSebastian Siewior	help
163584fffc8SSebastian Siewior	  These are 'Null' algorithms, used by IPsec, which do nothing.
164584fffc8SSebastian Siewior
165149a3971SHerbert Xuconfig CRYPTO_NULL2
166dd43c4e9SHerbert Xu	tristate
167149a3971SHerbert Xu	select CRYPTO_ALGAPI2
168b95bba5dSEric Biggers	select CRYPTO_SKCIPHER2
169149a3971SHerbert Xu	select CRYPTO_HASH2
170149a3971SHerbert Xu
1715068c7a8SSteffen Klassertconfig CRYPTO_PCRYPT
1723b4afaf2SKees Cook	tristate "Parallel crypto engine"
1733b4afaf2SKees Cook	depends on SMP
1745068c7a8SSteffen Klassert	select PADATA
1755068c7a8SSteffen Klassert	select CRYPTO_MANAGER
1765068c7a8SSteffen Klassert	select CRYPTO_AEAD
1775068c7a8SSteffen Klassert	help
1785068c7a8SSteffen Klassert	  This converts an arbitrary crypto algorithm into a parallel
1795068c7a8SSteffen Klassert	  algorithm that executes in kernel threads.
1805068c7a8SSteffen Klassert
181584fffc8SSebastian Siewiorconfig CRYPTO_CRYPTD
182584fffc8SSebastian Siewior	tristate "Software async crypto daemon"
183b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
184b8a28251SLoc Ho	select CRYPTO_HASH
185584fffc8SSebastian Siewior	select CRYPTO_MANAGER
186584fffc8SSebastian Siewior	help
187584fffc8SSebastian Siewior	  This is a generic software asynchronous crypto daemon that
188584fffc8SSebastian Siewior	  converts an arbitrary synchronous software crypto algorithm
189584fffc8SSebastian Siewior	  into an asynchronous algorithm that executes in a kernel thread.
190584fffc8SSebastian Siewior
191584fffc8SSebastian Siewiorconfig CRYPTO_AUTHENC
192584fffc8SSebastian Siewior	tristate "Authenc support"
193584fffc8SSebastian Siewior	select CRYPTO_AEAD
194b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
195584fffc8SSebastian Siewior	select CRYPTO_MANAGER
196584fffc8SSebastian Siewior	select CRYPTO_HASH
197e94c6a7aSHerbert Xu	select CRYPTO_NULL
198584fffc8SSebastian Siewior	help
199584fffc8SSebastian Siewior	  Authenc: Combined mode wrapper for IPsec.
200584fffc8SSebastian Siewior	  This is required for IPSec.
201584fffc8SSebastian Siewior
202584fffc8SSebastian Siewiorconfig CRYPTO_TEST
203584fffc8SSebastian Siewior	tristate "Testing module"
20400ea27f1SArd Biesheuvel	depends on m || EXPERT
205da7f033dSHerbert Xu	select CRYPTO_MANAGER
206584fffc8SSebastian Siewior	help
207584fffc8SSebastian Siewior	  Quick & dirty crypto test module.
208584fffc8SSebastian Siewior
209266d0516SHerbert Xuconfig CRYPTO_SIMD
210266d0516SHerbert Xu	tristate
211266d0516SHerbert Xu	select CRYPTO_CRYPTD
212266d0516SHerbert Xu
213596d8750SJussi Kivilinnaconfig CRYPTO_GLUE_HELPER_X86
214596d8750SJussi Kivilinna	tristate
215596d8750SJussi Kivilinna	depends on X86
216b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
217596d8750SJussi Kivilinna
218735d37b5SBaolin Wangconfig CRYPTO_ENGINE
219735d37b5SBaolin Wang	tristate
220735d37b5SBaolin Wang
2213d6228a5SVitaly Chikunovcomment "Public-key cryptography"
2223d6228a5SVitaly Chikunov
2233d6228a5SVitaly Chikunovconfig CRYPTO_RSA
2243d6228a5SVitaly Chikunov	tristate "RSA algorithm"
2253d6228a5SVitaly Chikunov	select CRYPTO_AKCIPHER
2263d6228a5SVitaly Chikunov	select CRYPTO_MANAGER
2273d6228a5SVitaly Chikunov	select MPILIB
2283d6228a5SVitaly Chikunov	select ASN1
2293d6228a5SVitaly Chikunov	help
2303d6228a5SVitaly Chikunov	  Generic implementation of the RSA public key algorithm.
2313d6228a5SVitaly Chikunov
2323d6228a5SVitaly Chikunovconfig CRYPTO_DH
2333d6228a5SVitaly Chikunov	tristate "Diffie-Hellman algorithm"
2343d6228a5SVitaly Chikunov	select CRYPTO_KPP
2353d6228a5SVitaly Chikunov	select MPILIB
2363d6228a5SVitaly Chikunov	help
2373d6228a5SVitaly Chikunov	  Generic implementation of the Diffie-Hellman algorithm.
2383d6228a5SVitaly Chikunov
2394a2289daSVitaly Chikunovconfig CRYPTO_ECC
2404a2289daSVitaly Chikunov	tristate
2414a2289daSVitaly Chikunov
2423d6228a5SVitaly Chikunovconfig CRYPTO_ECDH
2433d6228a5SVitaly Chikunov	tristate "ECDH algorithm"
2444a2289daSVitaly Chikunov	select CRYPTO_ECC
2453d6228a5SVitaly Chikunov	select CRYPTO_KPP
2463d6228a5SVitaly Chikunov	select CRYPTO_RNG_DEFAULT
2473d6228a5SVitaly Chikunov	help
2483d6228a5SVitaly Chikunov	  Generic implementation of the ECDH algorithm
2493d6228a5SVitaly Chikunov
2500d7a7864SVitaly Chikunovconfig CRYPTO_ECRDSA
2510d7a7864SVitaly Chikunov	tristate "EC-RDSA (GOST 34.10) algorithm"
2520d7a7864SVitaly Chikunov	select CRYPTO_ECC
2530d7a7864SVitaly Chikunov	select CRYPTO_AKCIPHER
2540d7a7864SVitaly Chikunov	select CRYPTO_STREEBOG
2551036633eSVitaly Chikunov	select OID_REGISTRY
2561036633eSVitaly Chikunov	select ASN1
2570d7a7864SVitaly Chikunov	help
2580d7a7864SVitaly Chikunov	  Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
2590d7a7864SVitaly Chikunov	  RFC 7091, ISO/IEC 14888-3:2018) is one of the Russian cryptographic
2600d7a7864SVitaly Chikunov	  standard algorithms (called GOST algorithms). Only signature verification
2610d7a7864SVitaly Chikunov	  is implemented.
2620d7a7864SVitaly Chikunov
263ea7ecb66STianjia Zhangconfig CRYPTO_SM2
264ea7ecb66STianjia Zhang	tristate "SM2 algorithm"
265ea7ecb66STianjia Zhang	select CRYPTO_SM3
266ea7ecb66STianjia Zhang	select CRYPTO_AKCIPHER
267ea7ecb66STianjia Zhang	select CRYPTO_MANAGER
268ea7ecb66STianjia Zhang	select MPILIB
269ea7ecb66STianjia Zhang	select ASN1
270ea7ecb66STianjia Zhang	help
271ea7ecb66STianjia Zhang	  Generic implementation of the SM2 public key algorithm. It was
272ea7ecb66STianjia Zhang	  published by State Encryption Management Bureau, China.
273ea7ecb66STianjia Zhang	  as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012.
274ea7ecb66STianjia Zhang
275ea7ecb66STianjia Zhang	  References:
276ea7ecb66STianjia Zhang	  https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02
277ea7ecb66STianjia Zhang	  http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml
278ea7ecb66STianjia Zhang	  http://www.gmbz.org.cn/main/bzlb.html
279ea7ecb66STianjia Zhang
280ee772cb6SArd Biesheuvelconfig CRYPTO_CURVE25519
281ee772cb6SArd Biesheuvel	tristate "Curve25519 algorithm"
282ee772cb6SArd Biesheuvel	select CRYPTO_KPP
283ee772cb6SArd Biesheuvel	select CRYPTO_LIB_CURVE25519_GENERIC
284ee772cb6SArd Biesheuvel
285bb611bdfSJason A. Donenfeldconfig CRYPTO_CURVE25519_X86
286bb611bdfSJason A. Donenfeld	tristate "x86_64 accelerated Curve25519 scalar multiplication library"
287bb611bdfSJason A. Donenfeld	depends on X86 && 64BIT
288bb611bdfSJason A. Donenfeld	select CRYPTO_LIB_CURVE25519_GENERIC
289bb611bdfSJason A. Donenfeld	select CRYPTO_ARCH_HAVE_LIB_CURVE25519
290bb611bdfSJason A. Donenfeld
291584fffc8SSebastian Siewiorcomment "Authenticated Encryption with Associated Data"
292584fffc8SSebastian Siewior
293584fffc8SSebastian Siewiorconfig CRYPTO_CCM
294584fffc8SSebastian Siewior	tristate "CCM support"
295584fffc8SSebastian Siewior	select CRYPTO_CTR
296f15f05b0SArd Biesheuvel	select CRYPTO_HASH
297584fffc8SSebastian Siewior	select CRYPTO_AEAD
298c8a3315aSEric Biggers	select CRYPTO_MANAGER
299584fffc8SSebastian Siewior	help
300584fffc8SSebastian Siewior	  Support for Counter with CBC MAC. Required for IPsec.
301584fffc8SSebastian Siewior
302584fffc8SSebastian Siewiorconfig CRYPTO_GCM
303584fffc8SSebastian Siewior	tristate "GCM/GMAC support"
304584fffc8SSebastian Siewior	select CRYPTO_CTR
305584fffc8SSebastian Siewior	select CRYPTO_AEAD
3069382d97aSHuang Ying	select CRYPTO_GHASH
3079489667dSJussi Kivilinna	select CRYPTO_NULL
308c8a3315aSEric Biggers	select CRYPTO_MANAGER
309584fffc8SSebastian Siewior	help
310584fffc8SSebastian Siewior	  Support for Galois/Counter Mode (GCM) and Galois Message
311584fffc8SSebastian Siewior	  Authentication Code (GMAC). Required for IPSec.
312584fffc8SSebastian Siewior
31371ebc4d1SMartin Williconfig CRYPTO_CHACHA20POLY1305
31471ebc4d1SMartin Willi	tristate "ChaCha20-Poly1305 AEAD support"
31571ebc4d1SMartin Willi	select CRYPTO_CHACHA20
31671ebc4d1SMartin Willi	select CRYPTO_POLY1305
31771ebc4d1SMartin Willi	select CRYPTO_AEAD
318c8a3315aSEric Biggers	select CRYPTO_MANAGER
31971ebc4d1SMartin Willi	help
32071ebc4d1SMartin Willi	  ChaCha20-Poly1305 AEAD support, RFC7539.
32171ebc4d1SMartin Willi
32271ebc4d1SMartin Willi	  Support for the AEAD wrapper using the ChaCha20 stream cipher combined
32371ebc4d1SMartin Willi	  with the Poly1305 authenticator. It is defined in RFC7539 for use in
32471ebc4d1SMartin Willi	  IETF protocols.
32571ebc4d1SMartin Willi
326f606a88eSOndrej Mosnacekconfig CRYPTO_AEGIS128
327f606a88eSOndrej Mosnacek	tristate "AEGIS-128 AEAD algorithm"
328f606a88eSOndrej Mosnacek	select CRYPTO_AEAD
329f606a88eSOndrej Mosnacek	select CRYPTO_AES  # for AES S-box tables
330f606a88eSOndrej Mosnacek	help
331f606a88eSOndrej Mosnacek	 Support for the AEGIS-128 dedicated AEAD algorithm.
332f606a88eSOndrej Mosnacek
333a4397635SArd Biesheuvelconfig CRYPTO_AEGIS128_SIMD
334a4397635SArd Biesheuvel	bool "Support SIMD acceleration for AEGIS-128"
335a4397635SArd Biesheuvel	depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
336a4397635SArd Biesheuvel	default y
337a4397635SArd Biesheuvel
3381d373d4eSOndrej Mosnacekconfig CRYPTO_AEGIS128_AESNI_SSE2
3391d373d4eSOndrej Mosnacek	tristate "AEGIS-128 AEAD algorithm (x86_64 AESNI+SSE2 implementation)"
3401d373d4eSOndrej Mosnacek	depends on X86 && 64BIT
3411d373d4eSOndrej Mosnacek	select CRYPTO_AEAD
342de272ca7SEric Biggers	select CRYPTO_SIMD
3431d373d4eSOndrej Mosnacek	help
3444e5180ebSOndrej Mosnacek	 AESNI+SSE2 implementation of the AEGIS-128 dedicated AEAD algorithm.
3451d373d4eSOndrej Mosnacek
346584fffc8SSebastian Siewiorconfig CRYPTO_SEQIV
347584fffc8SSebastian Siewior	tristate "Sequence Number IV Generator"
348584fffc8SSebastian Siewior	select CRYPTO_AEAD
349b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
350856e3f40SHerbert Xu	select CRYPTO_NULL
351401e4238SHerbert Xu	select CRYPTO_RNG_DEFAULT
352c8a3315aSEric Biggers	select CRYPTO_MANAGER
353584fffc8SSebastian Siewior	help
354584fffc8SSebastian Siewior	  This IV generator generates an IV based on a sequence number by
355584fffc8SSebastian Siewior	  xoring it with a salt.  This algorithm is mainly useful for CTR
356584fffc8SSebastian Siewior
357a10f554fSHerbert Xuconfig CRYPTO_ECHAINIV
358a10f554fSHerbert Xu	tristate "Encrypted Chain IV Generator"
359a10f554fSHerbert Xu	select CRYPTO_AEAD
360a10f554fSHerbert Xu	select CRYPTO_NULL
361401e4238SHerbert Xu	select CRYPTO_RNG_DEFAULT
362c8a3315aSEric Biggers	select CRYPTO_MANAGER
363a10f554fSHerbert Xu	help
364a10f554fSHerbert Xu	  This IV generator generates an IV based on the encryption of
365a10f554fSHerbert Xu	  a sequence number xored with a salt.  This is the default
366a10f554fSHerbert Xu	  algorithm for CBC.
367a10f554fSHerbert Xu
368584fffc8SSebastian Siewiorcomment "Block modes"
369584fffc8SSebastian Siewior
370584fffc8SSebastian Siewiorconfig CRYPTO_CBC
371584fffc8SSebastian Siewior	tristate "CBC support"
372b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
373584fffc8SSebastian Siewior	select CRYPTO_MANAGER
374584fffc8SSebastian Siewior	help
375584fffc8SSebastian Siewior	  CBC: Cipher Block Chaining mode
376584fffc8SSebastian Siewior	  This block cipher algorithm is required for IPSec.
377584fffc8SSebastian Siewior
378a7d85e06SJames Bottomleyconfig CRYPTO_CFB
379a7d85e06SJames Bottomley	tristate "CFB support"
380b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
381a7d85e06SJames Bottomley	select CRYPTO_MANAGER
382a7d85e06SJames Bottomley	help
383a7d85e06SJames Bottomley	  CFB: Cipher FeedBack mode
384a7d85e06SJames Bottomley	  This block cipher algorithm is required for TPM2 Cryptography.
385a7d85e06SJames Bottomley
386584fffc8SSebastian Siewiorconfig CRYPTO_CTR
387584fffc8SSebastian Siewior	tristate "CTR support"
388b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
389584fffc8SSebastian Siewior	select CRYPTO_MANAGER
390584fffc8SSebastian Siewior	help
391584fffc8SSebastian Siewior	  CTR: Counter mode
392584fffc8SSebastian Siewior	  This block cipher algorithm is required for IPSec.
393584fffc8SSebastian Siewior
394584fffc8SSebastian Siewiorconfig CRYPTO_CTS
395584fffc8SSebastian Siewior	tristate "CTS support"
396b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
397c8a3315aSEric Biggers	select CRYPTO_MANAGER
398584fffc8SSebastian Siewior	help
399584fffc8SSebastian Siewior	  CTS: Cipher Text Stealing
400584fffc8SSebastian Siewior	  This is the Cipher Text Stealing mode as described by
401ecd6d5c9SGilad Ben-Yossef	  Section 8 of rfc2040 and referenced by rfc3962
402ecd6d5c9SGilad Ben-Yossef	  (rfc3962 includes errata information in its Appendix A) or
403ecd6d5c9SGilad Ben-Yossef	  CBC-CS3 as defined by NIST in Sp800-38A addendum from Oct 2010.
404584fffc8SSebastian Siewior	  This mode is required for Kerberos gss mechanism support
405584fffc8SSebastian Siewior	  for AES encryption.
406584fffc8SSebastian Siewior
407ecd6d5c9SGilad Ben-Yossef	  See: https://csrc.nist.gov/publications/detail/sp/800-38a/addendum/final
408ecd6d5c9SGilad Ben-Yossef
409584fffc8SSebastian Siewiorconfig CRYPTO_ECB
410584fffc8SSebastian Siewior	tristate "ECB support"
411b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
412584fffc8SSebastian Siewior	select CRYPTO_MANAGER
413584fffc8SSebastian Siewior	help
414584fffc8SSebastian Siewior	  ECB: Electronic CodeBook mode
415584fffc8SSebastian Siewior	  This is the simplest block cipher algorithm.  It simply encrypts
416584fffc8SSebastian Siewior	  the input block by block.
417584fffc8SSebastian Siewior
418584fffc8SSebastian Siewiorconfig CRYPTO_LRW
4192470a2b2SJussi Kivilinna	tristate "LRW support"
420b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
421584fffc8SSebastian Siewior	select CRYPTO_MANAGER
422584fffc8SSebastian Siewior	select CRYPTO_GF128MUL
423584fffc8SSebastian Siewior	help
424584fffc8SSebastian Siewior	  LRW: Liskov Rivest Wagner, a tweakable, non malleable, non movable
425584fffc8SSebastian Siewior	  narrow block cipher mode for dm-crypt.  Use it with cipher
426584fffc8SSebastian Siewior	  specification string aes-lrw-benbi, the key must be 256, 320 or 384.
427584fffc8SSebastian Siewior	  The first 128, 192 or 256 bits in the key are used for AES and the
428584fffc8SSebastian Siewior	  rest is used to tie each cipher block to its logical position.
429584fffc8SSebastian Siewior
430e497c518SGilad Ben-Yossefconfig CRYPTO_OFB
431e497c518SGilad Ben-Yossef	tristate "OFB support"
432b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
433e497c518SGilad Ben-Yossef	select CRYPTO_MANAGER
434e497c518SGilad Ben-Yossef	help
435e497c518SGilad Ben-Yossef	  OFB: the Output Feedback mode makes a block cipher into a synchronous
436e497c518SGilad Ben-Yossef	  stream cipher. It generates keystream blocks, which are then XORed
437e497c518SGilad Ben-Yossef	  with the plaintext blocks to get the ciphertext. Flipping a bit in the
438e497c518SGilad Ben-Yossef	  ciphertext produces a flipped bit in the plaintext at the same
439e497c518SGilad Ben-Yossef	  location. This property allows many error correcting codes to function
440e497c518SGilad Ben-Yossef	  normally even when applied before encryption.
441e497c518SGilad Ben-Yossef
442584fffc8SSebastian Siewiorconfig CRYPTO_PCBC
443584fffc8SSebastian Siewior	tristate "PCBC support"
444b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
445584fffc8SSebastian Siewior	select CRYPTO_MANAGER
446584fffc8SSebastian Siewior	help
447584fffc8SSebastian Siewior	  PCBC: Propagating Cipher Block Chaining mode
448584fffc8SSebastian Siewior	  This block cipher algorithm is required for RxRPC.
449584fffc8SSebastian Siewior
450584fffc8SSebastian Siewiorconfig CRYPTO_XTS
4515bcf8e6dSJussi Kivilinna	tristate "XTS support"
452b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
453584fffc8SSebastian Siewior	select CRYPTO_MANAGER
45412cb3a1cSMilan Broz	select CRYPTO_ECB
455584fffc8SSebastian Siewior	help
456584fffc8SSebastian Siewior	  XTS: IEEE1619/D16 narrow block cipher use with aes-xts-plain,
457584fffc8SSebastian Siewior	  key size 256, 384 or 512 bits. This implementation currently
458584fffc8SSebastian Siewior	  can't handle a sectorsize which is not a multiple of 16 bytes.
459584fffc8SSebastian Siewior
4601c49678eSStephan Muellerconfig CRYPTO_KEYWRAP
4611c49678eSStephan Mueller	tristate "Key wrapping support"
462b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
463c8a3315aSEric Biggers	select CRYPTO_MANAGER
4641c49678eSStephan Mueller	help
4651c49678eSStephan Mueller	  Support for key wrapping (NIST SP800-38F / RFC3394) without
4661c49678eSStephan Mueller	  padding.
4671c49678eSStephan Mueller
46826609a21SEric Biggersconfig CRYPTO_NHPOLY1305
46926609a21SEric Biggers	tristate
47026609a21SEric Biggers	select CRYPTO_HASH
47148ea8c6eSArd Biesheuvel	select CRYPTO_LIB_POLY1305_GENERIC
47226609a21SEric Biggers
473012c8238SEric Biggersconfig CRYPTO_NHPOLY1305_SSE2
474012c8238SEric Biggers	tristate "NHPoly1305 hash function (x86_64 SSE2 implementation)"
475012c8238SEric Biggers	depends on X86 && 64BIT
476012c8238SEric Biggers	select CRYPTO_NHPOLY1305
477012c8238SEric Biggers	help
478012c8238SEric Biggers	  SSE2 optimized implementation of the hash function used by the
479012c8238SEric Biggers	  Adiantum encryption mode.
480012c8238SEric Biggers
4810f961f9fSEric Biggersconfig CRYPTO_NHPOLY1305_AVX2
4820f961f9fSEric Biggers	tristate "NHPoly1305 hash function (x86_64 AVX2 implementation)"
4830f961f9fSEric Biggers	depends on X86 && 64BIT
4840f961f9fSEric Biggers	select CRYPTO_NHPOLY1305
4850f961f9fSEric Biggers	help
4860f961f9fSEric Biggers	  AVX2 optimized implementation of the hash function used by the
4870f961f9fSEric Biggers	  Adiantum encryption mode.
4880f961f9fSEric Biggers
489059c2a4dSEric Biggersconfig CRYPTO_ADIANTUM
490059c2a4dSEric Biggers	tristate "Adiantum support"
491059c2a4dSEric Biggers	select CRYPTO_CHACHA20
49248ea8c6eSArd Biesheuvel	select CRYPTO_LIB_POLY1305_GENERIC
493059c2a4dSEric Biggers	select CRYPTO_NHPOLY1305
494c8a3315aSEric Biggers	select CRYPTO_MANAGER
495059c2a4dSEric Biggers	help
496059c2a4dSEric Biggers	  Adiantum is a tweakable, length-preserving encryption mode
497059c2a4dSEric Biggers	  designed for fast and secure disk encryption, especially on
498059c2a4dSEric Biggers	  CPUs without dedicated crypto instructions.  It encrypts
499059c2a4dSEric Biggers	  each sector using the XChaCha12 stream cipher, two passes of
500059c2a4dSEric Biggers	  an ε-almost-∆-universal hash function, and an invocation of
501059c2a4dSEric Biggers	  the AES-256 block cipher on a single 16-byte block.  On CPUs
502059c2a4dSEric Biggers	  without AES instructions, Adiantum is much faster than
503059c2a4dSEric Biggers	  AES-XTS.
504059c2a4dSEric Biggers
505059c2a4dSEric Biggers	  Adiantum's security is provably reducible to that of its
506059c2a4dSEric Biggers	  underlying stream and block ciphers, subject to a security
507059c2a4dSEric Biggers	  bound.  Unlike XTS, Adiantum is a true wide-block encryption
508059c2a4dSEric Biggers	  mode, so it actually provides an even stronger notion of
509059c2a4dSEric Biggers	  security than XTS, subject to the security bound.
510059c2a4dSEric Biggers
511059c2a4dSEric Biggers	  If unsure, say N.
512059c2a4dSEric Biggers
513be1eb7f7SArd Biesheuvelconfig CRYPTO_ESSIV
514be1eb7f7SArd Biesheuvel	tristate "ESSIV support for block encryption"
515be1eb7f7SArd Biesheuvel	select CRYPTO_AUTHENC
516be1eb7f7SArd Biesheuvel	help
517be1eb7f7SArd Biesheuvel	  Encrypted salt-sector initialization vector (ESSIV) is an IV
518be1eb7f7SArd Biesheuvel	  generation method that is used in some cases by fscrypt and/or
519be1eb7f7SArd Biesheuvel	  dm-crypt. It uses the hash of the block encryption key as the
520be1eb7f7SArd Biesheuvel	  symmetric key for a block encryption pass applied to the input
521be1eb7f7SArd Biesheuvel	  IV, making low entropy IV sources more suitable for block
522be1eb7f7SArd Biesheuvel	  encryption.
523be1eb7f7SArd Biesheuvel
524be1eb7f7SArd Biesheuvel	  This driver implements a crypto API template that can be
525ab3d436bSGeert Uytterhoeven	  instantiated either as an skcipher or as an AEAD (depending on the
526be1eb7f7SArd Biesheuvel	  type of the first template argument), and which defers encryption
527be1eb7f7SArd Biesheuvel	  and decryption requests to the encapsulated cipher after applying
528ab3d436bSGeert Uytterhoeven	  ESSIV to the input IV. Note that in the AEAD case, it is assumed
529be1eb7f7SArd Biesheuvel	  that the keys are presented in the same format used by the authenc
530be1eb7f7SArd Biesheuvel	  template, and that the IV appears at the end of the authenticated
531be1eb7f7SArd Biesheuvel	  associated data (AAD) region (which is how dm-crypt uses it.)
532be1eb7f7SArd Biesheuvel
533be1eb7f7SArd Biesheuvel	  Note that the use of ESSIV is not recommended for new deployments,
534be1eb7f7SArd Biesheuvel	  and so this only needs to be enabled when interoperability with
535be1eb7f7SArd Biesheuvel	  existing encrypted volumes of filesystems is required, or when
536be1eb7f7SArd Biesheuvel	  building for a particular system that requires it (e.g., when
537be1eb7f7SArd Biesheuvel	  the SoC in question has accelerated CBC but not XTS, making CBC
538be1eb7f7SArd Biesheuvel	  combined with ESSIV the only feasible mode for h/w accelerated
539be1eb7f7SArd Biesheuvel	  block encryption)
540be1eb7f7SArd Biesheuvel
541584fffc8SSebastian Siewiorcomment "Hash modes"
542584fffc8SSebastian Siewior
54393b5e86aSJussi Kivilinnaconfig CRYPTO_CMAC
54493b5e86aSJussi Kivilinna	tristate "CMAC support"
54593b5e86aSJussi Kivilinna	select CRYPTO_HASH
54693b5e86aSJussi Kivilinna	select CRYPTO_MANAGER
54793b5e86aSJussi Kivilinna	help
54893b5e86aSJussi Kivilinna	  Cipher-based Message Authentication Code (CMAC) specified by
54993b5e86aSJussi Kivilinna	  The National Institute of Standards and Technology (NIST).
55093b5e86aSJussi Kivilinna
55193b5e86aSJussi Kivilinna	  https://tools.ietf.org/html/rfc4493
55293b5e86aSJussi Kivilinna	  http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf
55393b5e86aSJussi Kivilinna
5541da177e4SLinus Torvaldsconfig CRYPTO_HMAC
5558425165dSHerbert Xu	tristate "HMAC support"
5560796ae06SHerbert Xu	select CRYPTO_HASH
55743518407SHerbert Xu	select CRYPTO_MANAGER
5581da177e4SLinus Torvalds	help
5591da177e4SLinus Torvalds	  HMAC: Keyed-Hashing for Message Authentication (RFC2104).
5601da177e4SLinus Torvalds	  This is required for IPSec.
5611da177e4SLinus Torvalds
562333b0d7eSKazunori MIYAZAWAconfig CRYPTO_XCBC
563333b0d7eSKazunori MIYAZAWA	tristate "XCBC support"
564333b0d7eSKazunori MIYAZAWA	select CRYPTO_HASH
565333b0d7eSKazunori MIYAZAWA	select CRYPTO_MANAGER
566333b0d7eSKazunori MIYAZAWA	help
567333b0d7eSKazunori MIYAZAWA	  XCBC: Keyed-Hashing with encryption algorithm
5689332a9e7SAlexander A. Klimov		https://www.ietf.org/rfc/rfc3566.txt
569333b0d7eSKazunori MIYAZAWA		http://csrc.nist.gov/encryption/modes/proposedmodes/
570333b0d7eSKazunori MIYAZAWA		 xcbc-mac/xcbc-mac-spec.pdf
571333b0d7eSKazunori MIYAZAWA
572f1939f7cSShane Wangconfig CRYPTO_VMAC
573f1939f7cSShane Wang	tristate "VMAC support"
574f1939f7cSShane Wang	select CRYPTO_HASH
575f1939f7cSShane Wang	select CRYPTO_MANAGER
576f1939f7cSShane Wang	help
577f1939f7cSShane Wang	  VMAC is a message authentication algorithm designed for
578f1939f7cSShane Wang	  very high speed on 64-bit architectures.
579f1939f7cSShane Wang
580f1939f7cSShane Wang	  See also:
5819332a9e7SAlexander A. Klimov	  <https://fastcrypto.org/vmac>
582f1939f7cSShane Wang
583584fffc8SSebastian Siewiorcomment "Digest"
584584fffc8SSebastian Siewior
585584fffc8SSebastian Siewiorconfig CRYPTO_CRC32C
586584fffc8SSebastian Siewior	tristate "CRC32c CRC algorithm"
5875773a3e6SHerbert Xu	select CRYPTO_HASH
5886a0962b2SDarrick J. Wong	select CRC32
5891da177e4SLinus Torvalds	help
590584fffc8SSebastian Siewior	  Castagnoli, et al Cyclic Redundancy-Check Algorithm.  Used
591584fffc8SSebastian Siewior	  by iSCSI for header and data digests and by others.
59269c35efcSHerbert Xu	  See Castagnoli93.  Module will be crc32c.
5931da177e4SLinus Torvalds
5948cb51ba8SAustin Zhangconfig CRYPTO_CRC32C_INTEL
5958cb51ba8SAustin Zhang	tristate "CRC32c INTEL hardware acceleration"
5968cb51ba8SAustin Zhang	depends on X86
5978cb51ba8SAustin Zhang	select CRYPTO_HASH
5988cb51ba8SAustin Zhang	help
5998cb51ba8SAustin Zhang	  In Intel processor with SSE4.2 supported, the processor will
6008cb51ba8SAustin Zhang	  support CRC32C implementation using hardware accelerated CRC32
6018cb51ba8SAustin Zhang	  instruction. This option will create 'crc32c-intel' module,
6028cb51ba8SAustin Zhang	  which will enable any routine to use the CRC32 instruction to
6038cb51ba8SAustin Zhang	  gain performance compared with software implementation.
6048cb51ba8SAustin Zhang	  Module will be crc32c-intel.
6058cb51ba8SAustin Zhang
6067cf31864SJean Delvareconfig CRYPTO_CRC32C_VPMSUM
6076dd7a82cSAnton Blanchard	tristate "CRC32c CRC algorithm (powerpc64)"
608c12abf34SMichael Ellerman	depends on PPC64 && ALTIVEC
6096dd7a82cSAnton Blanchard	select CRYPTO_HASH
6106dd7a82cSAnton Blanchard	select CRC32
6116dd7a82cSAnton Blanchard	help
6126dd7a82cSAnton Blanchard	  CRC32c algorithm implemented using vector polynomial multiply-sum
6136dd7a82cSAnton Blanchard	  (vpmsum) instructions, introduced in POWER8. Enable on POWER8
6146dd7a82cSAnton Blanchard	  and newer processors for improved performance.
6156dd7a82cSAnton Blanchard
6166dd7a82cSAnton Blanchard
617442a7c40SDavid S. Millerconfig CRYPTO_CRC32C_SPARC64
618442a7c40SDavid S. Miller	tristate "CRC32c CRC algorithm (SPARC64)"
619442a7c40SDavid S. Miller	depends on SPARC64
620442a7c40SDavid S. Miller	select CRYPTO_HASH
621442a7c40SDavid S. Miller	select CRC32
622442a7c40SDavid S. Miller	help
623442a7c40SDavid S. Miller	  CRC32c CRC algorithm implemented using sparc64 crypto instructions,
624442a7c40SDavid S. Miller	  when available.
625442a7c40SDavid S. Miller
62678c37d19SAlexander Boykoconfig CRYPTO_CRC32
62778c37d19SAlexander Boyko	tristate "CRC32 CRC algorithm"
62878c37d19SAlexander Boyko	select CRYPTO_HASH
62978c37d19SAlexander Boyko	select CRC32
63078c37d19SAlexander Boyko	help
63178c37d19SAlexander Boyko	  CRC-32-IEEE 802.3 cyclic redundancy-check algorithm.
63278c37d19SAlexander Boyko	  Shash crypto api wrappers to crc32_le function.
63378c37d19SAlexander Boyko
63478c37d19SAlexander Boykoconfig CRYPTO_CRC32_PCLMUL
63578c37d19SAlexander Boyko	tristate "CRC32 PCLMULQDQ hardware acceleration"
63678c37d19SAlexander Boyko	depends on X86
63778c37d19SAlexander Boyko	select CRYPTO_HASH
63878c37d19SAlexander Boyko	select CRC32
63978c37d19SAlexander Boyko	help
64078c37d19SAlexander Boyko	  From Intel Westmere and AMD Bulldozer processor with SSE4.2
64178c37d19SAlexander Boyko	  and PCLMULQDQ supported, the processor will support
64278c37d19SAlexander Boyko	  CRC32 PCLMULQDQ implementation using hardware accelerated PCLMULQDQ
643af8cb01fShaco	  instruction. This option will create 'crc32-pclmul' module,
64478c37d19SAlexander Boyko	  which will enable any routine to use the CRC-32-IEEE 802.3 checksum
64578c37d19SAlexander Boyko	  and gain better performance as compared with the table implementation.
64678c37d19SAlexander Boyko
6474a5dc51eSMarcin Nowakowskiconfig CRYPTO_CRC32_MIPS
6484a5dc51eSMarcin Nowakowski	tristate "CRC32c and CRC32 CRC algorithm (MIPS)"
6494a5dc51eSMarcin Nowakowski	depends on MIPS_CRC_SUPPORT
6504a5dc51eSMarcin Nowakowski	select CRYPTO_HASH
6514a5dc51eSMarcin Nowakowski	help
6524a5dc51eSMarcin Nowakowski	  CRC32c and CRC32 CRC algorithms implemented using mips crypto
6534a5dc51eSMarcin Nowakowski	  instructions, when available.
6544a5dc51eSMarcin Nowakowski
6554a5dc51eSMarcin Nowakowski
65667882e76SNikolay Borisovconfig CRYPTO_XXHASH
65767882e76SNikolay Borisov	tristate "xxHash hash algorithm"
65867882e76SNikolay Borisov	select CRYPTO_HASH
65967882e76SNikolay Borisov	select XXHASH
66067882e76SNikolay Borisov	help
66167882e76SNikolay Borisov	  xxHash non-cryptographic hash algorithm. Extremely fast, working at
66267882e76SNikolay Borisov	  speeds close to RAM limits.
66367882e76SNikolay Borisov
66491d68933SDavid Sterbaconfig CRYPTO_BLAKE2B
66591d68933SDavid Sterba	tristate "BLAKE2b digest algorithm"
66691d68933SDavid Sterba	select CRYPTO_HASH
66791d68933SDavid Sterba	help
66891d68933SDavid Sterba	  Implementation of cryptographic hash function BLAKE2b (or just BLAKE2),
66991d68933SDavid Sterba	  optimized for 64bit platforms and can produce digests of any size
67091d68933SDavid Sterba	  between 1 to 64.  The keyed hash is also implemented.
67191d68933SDavid Sterba
67291d68933SDavid Sterba	  This module provides the following algorithms:
67391d68933SDavid Sterba
67491d68933SDavid Sterba	  - blake2b-160
67591d68933SDavid Sterba	  - blake2b-256
67691d68933SDavid Sterba	  - blake2b-384
67791d68933SDavid Sterba	  - blake2b-512
67891d68933SDavid Sterba
67991d68933SDavid Sterba	  See https://blake2.net for further information.
68091d68933SDavid Sterba
6817f9b0880SArd Biesheuvelconfig CRYPTO_BLAKE2S
6827f9b0880SArd Biesheuvel	tristate "BLAKE2s digest algorithm"
6837f9b0880SArd Biesheuvel	select CRYPTO_LIB_BLAKE2S_GENERIC
6847f9b0880SArd Biesheuvel	select CRYPTO_HASH
6857f9b0880SArd Biesheuvel	help
6867f9b0880SArd Biesheuvel	  Implementation of cryptographic hash function BLAKE2s
6877f9b0880SArd Biesheuvel	  optimized for 8-32bit platforms and can produce digests of any size
6887f9b0880SArd Biesheuvel	  between 1 to 32.  The keyed hash is also implemented.
6897f9b0880SArd Biesheuvel
6907f9b0880SArd Biesheuvel	  This module provides the following algorithms:
6917f9b0880SArd Biesheuvel
6927f9b0880SArd Biesheuvel	  - blake2s-128
6937f9b0880SArd Biesheuvel	  - blake2s-160
6947f9b0880SArd Biesheuvel	  - blake2s-224
6957f9b0880SArd Biesheuvel	  - blake2s-256
6967f9b0880SArd Biesheuvel
6977f9b0880SArd Biesheuvel	  See https://blake2.net for further information.
6987f9b0880SArd Biesheuvel
699ed0356edSJason A. Donenfeldconfig CRYPTO_BLAKE2S_X86
700ed0356edSJason A. Donenfeld	tristate "BLAKE2s digest algorithm (x86 accelerated version)"
701ed0356edSJason A. Donenfeld	depends on X86 && 64BIT
702ed0356edSJason A. Donenfeld	select CRYPTO_LIB_BLAKE2S_GENERIC
703ed0356edSJason A. Donenfeld	select CRYPTO_ARCH_HAVE_LIB_BLAKE2S
704ed0356edSJason A. Donenfeld
70568411521SHerbert Xuconfig CRYPTO_CRCT10DIF
70668411521SHerbert Xu	tristate "CRCT10DIF algorithm"
70768411521SHerbert Xu	select CRYPTO_HASH
70868411521SHerbert Xu	help
70968411521SHerbert Xu	  CRC T10 Data Integrity Field computation is being cast as
71068411521SHerbert Xu	  a crypto transform.  This allows for faster crc t10 diff
71168411521SHerbert Xu	  transforms to be used if they are available.
71268411521SHerbert Xu
71368411521SHerbert Xuconfig CRYPTO_CRCT10DIF_PCLMUL
71468411521SHerbert Xu	tristate "CRCT10DIF PCLMULQDQ hardware acceleration"
71568411521SHerbert Xu	depends on X86 && 64BIT && CRC_T10DIF
71668411521SHerbert Xu	select CRYPTO_HASH
71768411521SHerbert Xu	help
71868411521SHerbert Xu	  For x86_64 processors with SSE4.2 and PCLMULQDQ supported,
71968411521SHerbert Xu	  CRC T10 DIF PCLMULQDQ computation can be hardware
72068411521SHerbert Xu	  accelerated PCLMULQDQ instruction. This option will create
721af8cb01fShaco	  'crct10dif-pclmul' module, which is faster when computing the
72268411521SHerbert Xu	  crct10dif checksum as compared with the generic table implementation.
72368411521SHerbert Xu
724b01df1c1SDaniel Axtensconfig CRYPTO_CRCT10DIF_VPMSUM
725b01df1c1SDaniel Axtens	tristate "CRC32T10DIF powerpc64 hardware acceleration"
726b01df1c1SDaniel Axtens	depends on PPC64 && ALTIVEC && CRC_T10DIF
727b01df1c1SDaniel Axtens	select CRYPTO_HASH
728b01df1c1SDaniel Axtens	help
729b01df1c1SDaniel Axtens	  CRC10T10DIF algorithm implemented using vector polynomial
730b01df1c1SDaniel Axtens	  multiply-sum (vpmsum) instructions, introduced in POWER8. Enable on
731b01df1c1SDaniel Axtens	  POWER8 and newer processors for improved performance.
732b01df1c1SDaniel Axtens
733146c8688SDaniel Axtensconfig CRYPTO_VPMSUM_TESTER
734146c8688SDaniel Axtens	tristate "Powerpc64 vpmsum hardware acceleration tester"
735146c8688SDaniel Axtens	depends on CRYPTO_CRCT10DIF_VPMSUM && CRYPTO_CRC32C_VPMSUM
736146c8688SDaniel Axtens	help
737146c8688SDaniel Axtens	  Stress test for CRC32c and CRC-T10DIF algorithms implemented with
738146c8688SDaniel Axtens	  POWER8 vpmsum instructions.
739146c8688SDaniel Axtens	  Unless you are testing these algorithms, you don't need this.
740146c8688SDaniel Axtens
7412cdc6899SHuang Yingconfig CRYPTO_GHASH
7428dfa20fcSEric Biggers	tristate "GHASH hash function"
7432cdc6899SHuang Ying	select CRYPTO_GF128MUL
744578c60fbSArnd Bergmann	select CRYPTO_HASH
7452cdc6899SHuang Ying	help
7468dfa20fcSEric Biggers	  GHASH is the hash function used in GCM (Galois/Counter Mode).
7478dfa20fcSEric Biggers	  It is not a general-purpose cryptographic hash function.
7482cdc6899SHuang Ying
749f979e014SMartin Williconfig CRYPTO_POLY1305
750f979e014SMartin Willi	tristate "Poly1305 authenticator algorithm"
751578c60fbSArnd Bergmann	select CRYPTO_HASH
75248ea8c6eSArd Biesheuvel	select CRYPTO_LIB_POLY1305_GENERIC
753f979e014SMartin Willi	help
754f979e014SMartin Willi	  Poly1305 authenticator algorithm, RFC7539.
755f979e014SMartin Willi
756f979e014SMartin Willi	  Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
757f979e014SMartin Willi	  It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
758f979e014SMartin Willi	  in IETF protocols. This is the portable C implementation of Poly1305.
759f979e014SMartin Willi
760c70f4abeSMartin Williconfig CRYPTO_POLY1305_X86_64
761b1ccc8f4SMartin Willi	tristate "Poly1305 authenticator algorithm (x86_64/SSE2/AVX2)"
762c70f4abeSMartin Willi	depends on X86 && 64BIT
7631b2c6a51SArd Biesheuvel	select CRYPTO_LIB_POLY1305_GENERIC
764f0e89bcfSArd Biesheuvel	select CRYPTO_ARCH_HAVE_LIB_POLY1305
765c70f4abeSMartin Willi	help
766c70f4abeSMartin Willi	  Poly1305 authenticator algorithm, RFC7539.
767c70f4abeSMartin Willi
768c70f4abeSMartin Willi	  Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
769c70f4abeSMartin Willi	  It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
770c70f4abeSMartin Willi	  in IETF protocols. This is the x86_64 assembler implementation using SIMD
771c70f4abeSMartin Willi	  instructions.
772c70f4abeSMartin Willi
773a11d055eSArd Biesheuvelconfig CRYPTO_POLY1305_MIPS
774a11d055eSArd Biesheuvel	tristate "Poly1305 authenticator algorithm (MIPS optimized)"
775a11d055eSArd Biesheuvel	depends on CPU_MIPS32 || (CPU_MIPS64 && 64BIT)
776a11d055eSArd Biesheuvel	select CRYPTO_ARCH_HAVE_LIB_POLY1305
777a11d055eSArd Biesheuvel
7781da177e4SLinus Torvaldsconfig CRYPTO_MD4
7791da177e4SLinus Torvalds	tristate "MD4 digest algorithm"
780808a1763SAdrian-Ken Rueegsegger	select CRYPTO_HASH
7811da177e4SLinus Torvalds	help
7821da177e4SLinus Torvalds	  MD4 message digest algorithm (RFC1320).
7831da177e4SLinus Torvalds
7841da177e4SLinus Torvaldsconfig CRYPTO_MD5
7851da177e4SLinus Torvalds	tristate "MD5 digest algorithm"
78614b75ba7SAdrian-Ken Rueegsegger	select CRYPTO_HASH
7871da177e4SLinus Torvalds	help
7881da177e4SLinus Torvalds	  MD5 message digest algorithm (RFC1321).
7891da177e4SLinus Torvalds
790d69e75deSAaro Koskinenconfig CRYPTO_MD5_OCTEON
791d69e75deSAaro Koskinen	tristate "MD5 digest algorithm (OCTEON)"
792d69e75deSAaro Koskinen	depends on CPU_CAVIUM_OCTEON
793d69e75deSAaro Koskinen	select CRYPTO_MD5
794d69e75deSAaro Koskinen	select CRYPTO_HASH
795d69e75deSAaro Koskinen	help
796d69e75deSAaro Koskinen	  MD5 message digest algorithm (RFC1321) implemented
797d69e75deSAaro Koskinen	  using OCTEON crypto instructions, when available.
798d69e75deSAaro Koskinen
799e8e59953SMarkus Stockhausenconfig CRYPTO_MD5_PPC
800e8e59953SMarkus Stockhausen	tristate "MD5 digest algorithm (PPC)"
801e8e59953SMarkus Stockhausen	depends on PPC
802e8e59953SMarkus Stockhausen	select CRYPTO_HASH
803e8e59953SMarkus Stockhausen	help
804e8e59953SMarkus Stockhausen	  MD5 message digest algorithm (RFC1321) implemented
805e8e59953SMarkus Stockhausen	  in PPC assembler.
806e8e59953SMarkus Stockhausen
807fa4dfedcSDavid S. Millerconfig CRYPTO_MD5_SPARC64
808fa4dfedcSDavid S. Miller	tristate "MD5 digest algorithm (SPARC64)"
809fa4dfedcSDavid S. Miller	depends on SPARC64
810fa4dfedcSDavid S. Miller	select CRYPTO_MD5
811fa4dfedcSDavid S. Miller	select CRYPTO_HASH
812fa4dfedcSDavid S. Miller	help
813fa4dfedcSDavid S. Miller	  MD5 message digest algorithm (RFC1321) implemented
814fa4dfedcSDavid S. Miller	  using sparc64 crypto instructions, when available.
815fa4dfedcSDavid S. Miller
816584fffc8SSebastian Siewiorconfig CRYPTO_MICHAEL_MIC
817584fffc8SSebastian Siewior	tristate "Michael MIC keyed digest algorithm"
81819e2bf14SAdrian-Ken Rueegsegger	select CRYPTO_HASH
819584fffc8SSebastian Siewior	help
820584fffc8SSebastian Siewior	  Michael MIC is used for message integrity protection in TKIP
821584fffc8SSebastian Siewior	  (IEEE 802.11i). This algorithm is required for TKIP, but it
822584fffc8SSebastian Siewior	  should not be used for other purposes because of the weakness
823584fffc8SSebastian Siewior	  of the algorithm.
824584fffc8SSebastian Siewior
82582798f90SAdrian-Ken Rueegseggerconfig CRYPTO_RMD128
82682798f90SAdrian-Ken Rueegsegger	tristate "RIPEMD-128 digest algorithm"
8277c4468bcSHerbert Xu	select CRYPTO_HASH
82882798f90SAdrian-Ken Rueegsegger	help
82982798f90SAdrian-Ken Rueegsegger	  RIPEMD-128 (ISO/IEC 10118-3:2004).
83082798f90SAdrian-Ken Rueegsegger
83182798f90SAdrian-Ken Rueegsegger	  RIPEMD-128 is a 128-bit cryptographic hash function. It should only
83235ed4b35SMichael Witten	  be used as a secure replacement for RIPEMD. For other use cases,
83382798f90SAdrian-Ken Rueegsegger	  RIPEMD-160 should be used.
83482798f90SAdrian-Ken Rueegsegger
83582798f90SAdrian-Ken Rueegsegger	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
8369332a9e7SAlexander A. Klimov	  See <https://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
83782798f90SAdrian-Ken Rueegsegger
83882798f90SAdrian-Ken Rueegseggerconfig CRYPTO_RMD160
83982798f90SAdrian-Ken Rueegsegger	tristate "RIPEMD-160 digest algorithm"
840e5835fbaSHerbert Xu	select CRYPTO_HASH
84182798f90SAdrian-Ken Rueegsegger	help
84282798f90SAdrian-Ken Rueegsegger	  RIPEMD-160 (ISO/IEC 10118-3:2004).
84382798f90SAdrian-Ken Rueegsegger
84482798f90SAdrian-Ken Rueegsegger	  RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
84582798f90SAdrian-Ken Rueegsegger	  to be used as a secure replacement for the 128-bit hash functions
846b6d44341SAdrian Bunk	  MD4, MD5 and it's predecessor RIPEMD
847b6d44341SAdrian Bunk	  (not to be confused with RIPEMD-128).
84882798f90SAdrian-Ken Rueegsegger
849b6d44341SAdrian Bunk	  It's speed is comparable to SHA1 and there are no known attacks
850b6d44341SAdrian Bunk	  against RIPEMD-160.
851534fe2c1SAdrian-Ken Rueegsegger
852534fe2c1SAdrian-Ken Rueegsegger	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
8539332a9e7SAlexander A. Klimov	  See <https://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
854534fe2c1SAdrian-Ken Rueegsegger
855534fe2c1SAdrian-Ken Rueegseggerconfig CRYPTO_RMD256
856534fe2c1SAdrian-Ken Rueegsegger	tristate "RIPEMD-256 digest algorithm"
857d8a5e2e9SHerbert Xu	select CRYPTO_HASH
858534fe2c1SAdrian-Ken Rueegsegger	help
859b6d44341SAdrian Bunk	  RIPEMD-256 is an optional extension of RIPEMD-128 with a
860b6d44341SAdrian Bunk	  256 bit hash. It is intended for applications that require
861b6d44341SAdrian Bunk	  longer hash-results, without needing a larger security level
862b6d44341SAdrian Bunk	  (than RIPEMD-128).
863534fe2c1SAdrian-Ken Rueegsegger
864534fe2c1SAdrian-Ken Rueegsegger	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
8659332a9e7SAlexander A. Klimov	  See <https://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
866534fe2c1SAdrian-Ken Rueegsegger
867534fe2c1SAdrian-Ken Rueegseggerconfig CRYPTO_RMD320
868534fe2c1SAdrian-Ken Rueegsegger	tristate "RIPEMD-320 digest algorithm"
8693b8efb4cSHerbert Xu	select CRYPTO_HASH
870534fe2c1SAdrian-Ken Rueegsegger	help
871b6d44341SAdrian Bunk	  RIPEMD-320 is an optional extension of RIPEMD-160 with a
872b6d44341SAdrian Bunk	  320 bit hash. It is intended for applications that require
873b6d44341SAdrian Bunk	  longer hash-results, without needing a larger security level
874b6d44341SAdrian Bunk	  (than RIPEMD-160).
875534fe2c1SAdrian-Ken Rueegsegger
87682798f90SAdrian-Ken Rueegsegger	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
8779332a9e7SAlexander A. Klimov	  See <https://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
87882798f90SAdrian-Ken Rueegsegger
8791da177e4SLinus Torvaldsconfig CRYPTO_SHA1
8801da177e4SLinus Torvalds	tristate "SHA1 digest algorithm"
88154ccb367SAdrian-Ken Rueegsegger	select CRYPTO_HASH
8821da177e4SLinus Torvalds	help
8831da177e4SLinus Torvalds	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2).
8841da177e4SLinus Torvalds
88566be8951SMathias Krauseconfig CRYPTO_SHA1_SSSE3
886e38b6b7fStim	tristate "SHA1 digest algorithm (SSSE3/AVX/AVX2/SHA-NI)"
88766be8951SMathias Krause	depends on X86 && 64BIT
88866be8951SMathias Krause	select CRYPTO_SHA1
88966be8951SMathias Krause	select CRYPTO_HASH
89066be8951SMathias Krause	help
89166be8951SMathias Krause	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
89266be8951SMathias Krause	  using Supplemental SSE3 (SSSE3) instructions or Advanced Vector
893e38b6b7fStim	  Extensions (AVX/AVX2) or SHA-NI(SHA Extensions New Instructions),
894e38b6b7fStim	  when available.
89566be8951SMathias Krause
8968275d1aaSTim Chenconfig CRYPTO_SHA256_SSSE3
897e38b6b7fStim	tristate "SHA256 digest algorithm (SSSE3/AVX/AVX2/SHA-NI)"
8988275d1aaSTim Chen	depends on X86 && 64BIT
8998275d1aaSTim Chen	select CRYPTO_SHA256
9008275d1aaSTim Chen	select CRYPTO_HASH
9018275d1aaSTim Chen	help
9028275d1aaSTim Chen	  SHA-256 secure hash standard (DFIPS 180-2) implemented
9038275d1aaSTim Chen	  using Supplemental SSE3 (SSSE3) instructions, or Advanced Vector
9048275d1aaSTim Chen	  Extensions version 1 (AVX1), or Advanced Vector Extensions
905e38b6b7fStim	  version 2 (AVX2) instructions, or SHA-NI (SHA Extensions New
906e38b6b7fStim	  Instructions) when available.
9078275d1aaSTim Chen
90887de4579STim Chenconfig CRYPTO_SHA512_SSSE3
90987de4579STim Chen	tristate "SHA512 digest algorithm (SSSE3/AVX/AVX2)"
91087de4579STim Chen	depends on X86 && 64BIT
91187de4579STim Chen	select CRYPTO_SHA512
91287de4579STim Chen	select CRYPTO_HASH
91387de4579STim Chen	help
91487de4579STim Chen	  SHA-512 secure hash standard (DFIPS 180-2) implemented
91587de4579STim Chen	  using Supplemental SSE3 (SSSE3) instructions, or Advanced Vector
91687de4579STim Chen	  Extensions version 1 (AVX1), or Advanced Vector Extensions
91787de4579STim Chen	  version 2 (AVX2) instructions, when available.
91887de4579STim Chen
919efdb6f6eSAaro Koskinenconfig CRYPTO_SHA1_OCTEON
920efdb6f6eSAaro Koskinen	tristate "SHA1 digest algorithm (OCTEON)"
921efdb6f6eSAaro Koskinen	depends on CPU_CAVIUM_OCTEON
922efdb6f6eSAaro Koskinen	select CRYPTO_SHA1
923efdb6f6eSAaro Koskinen	select CRYPTO_HASH
924efdb6f6eSAaro Koskinen	help
925efdb6f6eSAaro Koskinen	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
926efdb6f6eSAaro Koskinen	  using OCTEON crypto instructions, when available.
927efdb6f6eSAaro Koskinen
9284ff28d4cSDavid S. Millerconfig CRYPTO_SHA1_SPARC64
9294ff28d4cSDavid S. Miller	tristate "SHA1 digest algorithm (SPARC64)"
9304ff28d4cSDavid S. Miller	depends on SPARC64
9314ff28d4cSDavid S. Miller	select CRYPTO_SHA1
9324ff28d4cSDavid S. Miller	select CRYPTO_HASH
9334ff28d4cSDavid S. Miller	help
9344ff28d4cSDavid S. Miller	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
9354ff28d4cSDavid S. Miller	  using sparc64 crypto instructions, when available.
9364ff28d4cSDavid S. Miller
937323a6bf1SMichael Ellermanconfig CRYPTO_SHA1_PPC
938323a6bf1SMichael Ellerman	tristate "SHA1 digest algorithm (powerpc)"
939323a6bf1SMichael Ellerman	depends on PPC
940323a6bf1SMichael Ellerman	help
941323a6bf1SMichael Ellerman	  This is the powerpc hardware accelerated implementation of the
942323a6bf1SMichael Ellerman	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2).
943323a6bf1SMichael Ellerman
944d9850fc5SMarkus Stockhausenconfig CRYPTO_SHA1_PPC_SPE
945d9850fc5SMarkus Stockhausen	tristate "SHA1 digest algorithm (PPC SPE)"
946d9850fc5SMarkus Stockhausen	depends on PPC && SPE
947d9850fc5SMarkus Stockhausen	help
948d9850fc5SMarkus Stockhausen	  SHA-1 secure hash standard (DFIPS 180-4) implemented
949d9850fc5SMarkus Stockhausen	  using powerpc SPE SIMD instruction set.
950d9850fc5SMarkus Stockhausen
9511da177e4SLinus Torvaldsconfig CRYPTO_SHA256
952cd12fb90SJonathan Lynch	tristate "SHA224 and SHA256 digest algorithm"
95350e109b5SAdrian-Ken Rueegsegger	select CRYPTO_HASH
95408c327f6SHans de Goede	select CRYPTO_LIB_SHA256
9551da177e4SLinus Torvalds	help
9561da177e4SLinus Torvalds	  SHA256 secure hash standard (DFIPS 180-2).
9571da177e4SLinus Torvalds
9581da177e4SLinus Torvalds	  This version of SHA implements a 256 bit hash with 128 bits of
9591da177e4SLinus Torvalds	  security against collision attacks.
9601da177e4SLinus Torvalds
961cd12fb90SJonathan Lynch	  This code also includes SHA-224, a 224 bit hash with 112 bits
962cd12fb90SJonathan Lynch	  of security against collision attacks.
963cd12fb90SJonathan Lynch
9642ecc1e95SMarkus Stockhausenconfig CRYPTO_SHA256_PPC_SPE
9652ecc1e95SMarkus Stockhausen	tristate "SHA224 and SHA256 digest algorithm (PPC SPE)"
9662ecc1e95SMarkus Stockhausen	depends on PPC && SPE
9672ecc1e95SMarkus Stockhausen	select CRYPTO_SHA256
9682ecc1e95SMarkus Stockhausen	select CRYPTO_HASH
9692ecc1e95SMarkus Stockhausen	help
9702ecc1e95SMarkus Stockhausen	  SHA224 and SHA256 secure hash standard (DFIPS 180-2)
9712ecc1e95SMarkus Stockhausen	  implemented using powerpc SPE SIMD instruction set.
9722ecc1e95SMarkus Stockhausen
973efdb6f6eSAaro Koskinenconfig CRYPTO_SHA256_OCTEON
974efdb6f6eSAaro Koskinen	tristate "SHA224 and SHA256 digest algorithm (OCTEON)"
975efdb6f6eSAaro Koskinen	depends on CPU_CAVIUM_OCTEON
976efdb6f6eSAaro Koskinen	select CRYPTO_SHA256
977efdb6f6eSAaro Koskinen	select CRYPTO_HASH
978efdb6f6eSAaro Koskinen	help
979efdb6f6eSAaro Koskinen	  SHA-256 secure hash standard (DFIPS 180-2) implemented
980efdb6f6eSAaro Koskinen	  using OCTEON crypto instructions, when available.
981efdb6f6eSAaro Koskinen
98286c93b24SDavid S. Millerconfig CRYPTO_SHA256_SPARC64
98386c93b24SDavid S. Miller	tristate "SHA224 and SHA256 digest algorithm (SPARC64)"
98486c93b24SDavid S. Miller	depends on SPARC64
98586c93b24SDavid S. Miller	select CRYPTO_SHA256
98686c93b24SDavid S. Miller	select CRYPTO_HASH
98786c93b24SDavid S. Miller	help
98886c93b24SDavid S. Miller	  SHA-256 secure hash standard (DFIPS 180-2) implemented
98986c93b24SDavid S. Miller	  using sparc64 crypto instructions, when available.
99086c93b24SDavid S. Miller
9911da177e4SLinus Torvaldsconfig CRYPTO_SHA512
9921da177e4SLinus Torvalds	tristate "SHA384 and SHA512 digest algorithms"
993bd9d20dbSAdrian-Ken Rueegsegger	select CRYPTO_HASH
9941da177e4SLinus Torvalds	help
9951da177e4SLinus Torvalds	  SHA512 secure hash standard (DFIPS 180-2).
9961da177e4SLinus Torvalds
9971da177e4SLinus Torvalds	  This version of SHA implements a 512 bit hash with 256 bits of
9981da177e4SLinus Torvalds	  security against collision attacks.
9991da177e4SLinus Torvalds
10001da177e4SLinus Torvalds	  This code also includes SHA-384, a 384 bit hash with 192 bits
10011da177e4SLinus Torvalds	  of security against collision attacks.
10021da177e4SLinus Torvalds
1003efdb6f6eSAaro Koskinenconfig CRYPTO_SHA512_OCTEON
1004efdb6f6eSAaro Koskinen	tristate "SHA384 and SHA512 digest algorithms (OCTEON)"
1005efdb6f6eSAaro Koskinen	depends on CPU_CAVIUM_OCTEON
1006efdb6f6eSAaro Koskinen	select CRYPTO_SHA512
1007efdb6f6eSAaro Koskinen	select CRYPTO_HASH
1008efdb6f6eSAaro Koskinen	help
1009efdb6f6eSAaro Koskinen	  SHA-512 secure hash standard (DFIPS 180-2) implemented
1010efdb6f6eSAaro Koskinen	  using OCTEON crypto instructions, when available.
1011efdb6f6eSAaro Koskinen
1012775e0c69SDavid S. Millerconfig CRYPTO_SHA512_SPARC64
1013775e0c69SDavid S. Miller	tristate "SHA384 and SHA512 digest algorithm (SPARC64)"
1014775e0c69SDavid S. Miller	depends on SPARC64
1015775e0c69SDavid S. Miller	select CRYPTO_SHA512
1016775e0c69SDavid S. Miller	select CRYPTO_HASH
1017775e0c69SDavid S. Miller	help
1018775e0c69SDavid S. Miller	  SHA-512 secure hash standard (DFIPS 180-2) implemented
1019775e0c69SDavid S. Miller	  using sparc64 crypto instructions, when available.
1020775e0c69SDavid S. Miller
102153964b9eSJeff Garzikconfig CRYPTO_SHA3
102253964b9eSJeff Garzik	tristate "SHA3 digest algorithm"
102353964b9eSJeff Garzik	select CRYPTO_HASH
102453964b9eSJeff Garzik	help
102553964b9eSJeff Garzik	  SHA-3 secure hash standard (DFIPS 202). It's based on
102653964b9eSJeff Garzik	  cryptographic sponge function family called Keccak.
102753964b9eSJeff Garzik
102853964b9eSJeff Garzik	  References:
102953964b9eSJeff Garzik	  http://keccak.noekeon.org/
103053964b9eSJeff Garzik
10314f0fc160SGilad Ben-Yossefconfig CRYPTO_SM3
10324f0fc160SGilad Ben-Yossef	tristate "SM3 digest algorithm"
10334f0fc160SGilad Ben-Yossef	select CRYPTO_HASH
10344f0fc160SGilad Ben-Yossef	help
10354f0fc160SGilad Ben-Yossef	  SM3 secure hash function as defined by OSCCA GM/T 0004-2012 SM3).
10364f0fc160SGilad Ben-Yossef	  It is part of the Chinese Commercial Cryptography suite.
10374f0fc160SGilad Ben-Yossef
10384f0fc160SGilad Ben-Yossef	  References:
10394f0fc160SGilad Ben-Yossef	  http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
10404f0fc160SGilad Ben-Yossef	  https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
10414f0fc160SGilad Ben-Yossef
1042fe18957eSVitaly Chikunovconfig CRYPTO_STREEBOG
1043fe18957eSVitaly Chikunov	tristate "Streebog Hash Function"
1044fe18957eSVitaly Chikunov	select CRYPTO_HASH
1045fe18957eSVitaly Chikunov	help
1046fe18957eSVitaly Chikunov	  Streebog Hash Function (GOST R 34.11-2012, RFC 6986) is one of the Russian
1047fe18957eSVitaly Chikunov	  cryptographic standard algorithms (called GOST algorithms).
1048fe18957eSVitaly Chikunov	  This setting enables two hash algorithms with 256 and 512 bits output.
1049fe18957eSVitaly Chikunov
1050fe18957eSVitaly Chikunov	  References:
1051fe18957eSVitaly Chikunov	  https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1052fe18957eSVitaly Chikunov	  https://tools.ietf.org/html/rfc6986
1053fe18957eSVitaly Chikunov
10541da177e4SLinus Torvaldsconfig CRYPTO_TGR192
10551da177e4SLinus Torvalds	tristate "Tiger digest algorithms"
1056f63fbd3dSAdrian-Ken Rueegsegger	select CRYPTO_HASH
10571da177e4SLinus Torvalds	help
10581da177e4SLinus Torvalds	  Tiger hash algorithm 192, 160 and 128-bit hashes
10591da177e4SLinus Torvalds
10601da177e4SLinus Torvalds	  Tiger is a hash function optimized for 64-bit processors while
10611da177e4SLinus Torvalds	  still having decent performance on 32-bit processors.
10621da177e4SLinus Torvalds	  Tiger was developed by Ross Anderson and Eli Biham.
10631da177e4SLinus Torvalds
10641da177e4SLinus Torvalds	  See also:
10659332a9e7SAlexander A. Klimov	  <https://www.cs.technion.ac.il/~biham/Reports/Tiger/>.
10661da177e4SLinus Torvalds
1067584fffc8SSebastian Siewiorconfig CRYPTO_WP512
1068584fffc8SSebastian Siewior	tristate "Whirlpool digest algorithms"
10694946510bSAdrian-Ken Rueegsegger	select CRYPTO_HASH
10701da177e4SLinus Torvalds	help
1071584fffc8SSebastian Siewior	  Whirlpool hash algorithm 512, 384 and 256-bit hashes
10721da177e4SLinus Torvalds
1073584fffc8SSebastian Siewior	  Whirlpool-512 is part of the NESSIE cryptographic primitives.
1074584fffc8SSebastian Siewior	  Whirlpool will be part of the ISO/IEC 10118-3:2003(E) standard
10751da177e4SLinus Torvalds
10761da177e4SLinus Torvalds	  See also:
10776d8de74cSJustin P. Mattock	  <http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html>
10781da177e4SLinus Torvalds
10790e1227d3SHuang Yingconfig CRYPTO_GHASH_CLMUL_NI_INTEL
10808dfa20fcSEric Biggers	tristate "GHASH hash function (CLMUL-NI accelerated)"
10818af00860SRichard Weinberger	depends on X86 && 64BIT
10820e1227d3SHuang Ying	select CRYPTO_CRYPTD
10830e1227d3SHuang Ying	help
10848dfa20fcSEric Biggers	  This is the x86_64 CLMUL-NI accelerated implementation of
10858dfa20fcSEric Biggers	  GHASH, the hash function used in GCM (Galois/Counter mode).
10860e1227d3SHuang Ying
1087584fffc8SSebastian Siewiorcomment "Ciphers"
10881da177e4SLinus Torvalds
10891da177e4SLinus Torvaldsconfig CRYPTO_AES
10901da177e4SLinus Torvalds	tristate "AES cipher algorithms"
1091cce9e06dSHerbert Xu	select CRYPTO_ALGAPI
10925bb12d78SArd Biesheuvel	select CRYPTO_LIB_AES
10931da177e4SLinus Torvalds	help
10941da177e4SLinus Torvalds	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
10951da177e4SLinus Torvalds	  algorithm.
10961da177e4SLinus Torvalds
10971da177e4SLinus Torvalds	  Rijndael appears to be consistently a very good performer in
10981da177e4SLinus Torvalds	  both hardware and software across a wide range of computing
10991da177e4SLinus Torvalds	  environments regardless of its use in feedback or non-feedback
11001da177e4SLinus Torvalds	  modes. Its key setup time is excellent, and its key agility is
11011da177e4SLinus Torvalds	  good. Rijndael's very low memory requirements make it very well
11021da177e4SLinus Torvalds	  suited for restricted-space environments, in which it also
11031da177e4SLinus Torvalds	  demonstrates excellent performance. Rijndael's operations are
11041da177e4SLinus Torvalds	  among the easiest to defend against power and timing attacks.
11051da177e4SLinus Torvalds
11061da177e4SLinus Torvalds	  The AES specifies three key sizes: 128, 192 and 256 bits
11071da177e4SLinus Torvalds
11081da177e4SLinus Torvalds	  See <http://csrc.nist.gov/CryptoToolkit/aes/> for more information.
11091da177e4SLinus Torvalds
1110b5e0b032SArd Biesheuvelconfig CRYPTO_AES_TI
1111b5e0b032SArd Biesheuvel	tristate "Fixed time AES cipher"
1112b5e0b032SArd Biesheuvel	select CRYPTO_ALGAPI
1113e59c1c98SArd Biesheuvel	select CRYPTO_LIB_AES
1114b5e0b032SArd Biesheuvel	help
1115b5e0b032SArd Biesheuvel	  This is a generic implementation of AES that attempts to eliminate
1116b5e0b032SArd Biesheuvel	  data dependent latencies as much as possible without affecting
1117b5e0b032SArd Biesheuvel	  performance too much. It is intended for use by the generic CCM
1118b5e0b032SArd Biesheuvel	  and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
1119b5e0b032SArd Biesheuvel	  solely on encryption (although decryption is supported as well, but
1120b5e0b032SArd Biesheuvel	  with a more dramatic performance hit)
1121b5e0b032SArd Biesheuvel
1122b5e0b032SArd Biesheuvel	  Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
1123b5e0b032SArd Biesheuvel	  8 for decryption), this implementation only uses just two S-boxes of
1124b5e0b032SArd Biesheuvel	  256 bytes each, and attempts to eliminate data dependent latencies by
1125b5e0b032SArd Biesheuvel	  prefetching the entire table into the cache at the start of each
11260a6a40c2SEric Biggers	  block. Interrupts are also disabled to avoid races where cachelines
11270a6a40c2SEric Biggers	  are evicted when the CPU is interrupted to do something else.
1128b5e0b032SArd Biesheuvel
112954b6a1bdSHuang Yingconfig CRYPTO_AES_NI_INTEL
113054b6a1bdSHuang Ying	tristate "AES cipher algorithms (AES-NI)"
11318af00860SRichard Weinberger	depends on X86
113285671860SHerbert Xu	select CRYPTO_AEAD
11332c53fd11SArd Biesheuvel	select CRYPTO_LIB_AES
113454b6a1bdSHuang Ying	select CRYPTO_ALGAPI
1135b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
113685671860SHerbert Xu	select CRYPTO_SIMD
113754b6a1bdSHuang Ying	help
113854b6a1bdSHuang Ying	  Use Intel AES-NI instructions for AES algorithm.
113954b6a1bdSHuang Ying
114054b6a1bdSHuang Ying	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
114154b6a1bdSHuang Ying	  algorithm.
114254b6a1bdSHuang Ying
114354b6a1bdSHuang Ying	  Rijndael appears to be consistently a very good performer in
114454b6a1bdSHuang Ying	  both hardware and software across a wide range of computing
114554b6a1bdSHuang Ying	  environments regardless of its use in feedback or non-feedback
114654b6a1bdSHuang Ying	  modes. Its key setup time is excellent, and its key agility is
114754b6a1bdSHuang Ying	  good. Rijndael's very low memory requirements make it very well
114854b6a1bdSHuang Ying	  suited for restricted-space environments, in which it also
114954b6a1bdSHuang Ying	  demonstrates excellent performance. Rijndael's operations are
115054b6a1bdSHuang Ying	  among the easiest to defend against power and timing attacks.
115154b6a1bdSHuang Ying
115254b6a1bdSHuang Ying	  The AES specifies three key sizes: 128, 192 and 256 bits
115354b6a1bdSHuang Ying
115454b6a1bdSHuang Ying	  See <http://csrc.nist.gov/encryption/aes/> for more information.
115554b6a1bdSHuang Ying
11560d258efbSMathias Krause	  In addition to AES cipher algorithm support, the acceleration
11570d258efbSMathias Krause	  for some popular block cipher mode is supported too, including
1158944585a6SArd Biesheuvel	  ECB, CBC, LRW, XTS. The 64 bit version has additional
11590d258efbSMathias Krause	  acceleration for CTR.
11602cf4ac8bSHuang Ying
11619bf4852dSDavid S. Millerconfig CRYPTO_AES_SPARC64
11629bf4852dSDavid S. Miller	tristate "AES cipher algorithms (SPARC64)"
11639bf4852dSDavid S. Miller	depends on SPARC64
1164b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
11659bf4852dSDavid S. Miller	help
11669bf4852dSDavid S. Miller	  Use SPARC64 crypto opcodes for AES algorithm.
11679bf4852dSDavid S. Miller
11689bf4852dSDavid S. Miller	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
11699bf4852dSDavid S. Miller	  algorithm.
11709bf4852dSDavid S. Miller
11719bf4852dSDavid S. Miller	  Rijndael appears to be consistently a very good performer in
11729bf4852dSDavid S. Miller	  both hardware and software across a wide range of computing
11739bf4852dSDavid S. Miller	  environments regardless of its use in feedback or non-feedback
11749bf4852dSDavid S. Miller	  modes. Its key setup time is excellent, and its key agility is
11759bf4852dSDavid S. Miller	  good. Rijndael's very low memory requirements make it very well
11769bf4852dSDavid S. Miller	  suited for restricted-space environments, in which it also
11779bf4852dSDavid S. Miller	  demonstrates excellent performance. Rijndael's operations are
11789bf4852dSDavid S. Miller	  among the easiest to defend against power and timing attacks.
11799bf4852dSDavid S. Miller
11809bf4852dSDavid S. Miller	  The AES specifies three key sizes: 128, 192 and 256 bits
11819bf4852dSDavid S. Miller
11829bf4852dSDavid S. Miller	  See <http://csrc.nist.gov/encryption/aes/> for more information.
11839bf4852dSDavid S. Miller
11849bf4852dSDavid S. Miller	  In addition to AES cipher algorithm support, the acceleration
11859bf4852dSDavid S. Miller	  for some popular block cipher mode is supported too, including
11869bf4852dSDavid S. Miller	  ECB and CBC.
11879bf4852dSDavid S. Miller
1188504c6143SMarkus Stockhausenconfig CRYPTO_AES_PPC_SPE
1189504c6143SMarkus Stockhausen	tristate "AES cipher algorithms (PPC SPE)"
1190504c6143SMarkus Stockhausen	depends on PPC && SPE
1191b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
1192504c6143SMarkus Stockhausen	help
1193504c6143SMarkus Stockhausen	  AES cipher algorithms (FIPS-197). Additionally the acceleration
1194504c6143SMarkus Stockhausen	  for popular block cipher modes ECB, CBC, CTR and XTS is supported.
1195504c6143SMarkus Stockhausen	  This module should only be used for low power (router) devices
1196504c6143SMarkus Stockhausen	  without hardware AES acceleration (e.g. caam crypto). It reduces the
1197504c6143SMarkus Stockhausen	  size of the AES tables from 16KB to 8KB + 256 bytes and mitigates
1198504c6143SMarkus Stockhausen	  timining attacks. Nevertheless it might be not as secure as other
1199504c6143SMarkus Stockhausen	  architecture specific assembler implementations that work on 1KB
1200504c6143SMarkus Stockhausen	  tables or 256 bytes S-boxes.
1201504c6143SMarkus Stockhausen
12021da177e4SLinus Torvaldsconfig CRYPTO_ANUBIS
12031da177e4SLinus Torvalds	tristate "Anubis cipher algorithm"
12041674aea5SArd Biesheuvel	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1205cce9e06dSHerbert Xu	select CRYPTO_ALGAPI
12061da177e4SLinus Torvalds	help
12071da177e4SLinus Torvalds	  Anubis cipher algorithm.
12081da177e4SLinus Torvalds
12091da177e4SLinus Torvalds	  Anubis is a variable key length cipher which can use keys from
12101da177e4SLinus Torvalds	  128 bits to 320 bits in length.  It was evaluated as a entrant
12111da177e4SLinus Torvalds	  in the NESSIE competition.
12121da177e4SLinus Torvalds
12131da177e4SLinus Torvalds	  See also:
12146d8de74cSJustin P. Mattock	  <https://www.cosic.esat.kuleuven.be/nessie/reports/>
12156d8de74cSJustin P. Mattock	  <http://www.larc.usp.br/~pbarreto/AnubisPage.html>
12161da177e4SLinus Torvalds
1217584fffc8SSebastian Siewiorconfig CRYPTO_ARC4
1218584fffc8SSebastian Siewior	tristate "ARC4 cipher algorithm"
12199ace6771SArd Biesheuvel	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1220b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
1221dc51f257SArd Biesheuvel	select CRYPTO_LIB_ARC4
1222e2ee95b8SHye-Shik Chang	help
1223584fffc8SSebastian Siewior	  ARC4 cipher algorithm.
1224e2ee95b8SHye-Shik Chang
1225584fffc8SSebastian Siewior	  ARC4 is a stream cipher using keys ranging from 8 bits to 2048
1226584fffc8SSebastian Siewior	  bits in length.  This algorithm is required for driver-based
1227584fffc8SSebastian Siewior	  WEP, but it should not be for other purposes because of the
1228584fffc8SSebastian Siewior	  weakness of the algorithm.
1229584fffc8SSebastian Siewior
1230584fffc8SSebastian Siewiorconfig CRYPTO_BLOWFISH
1231584fffc8SSebastian Siewior	tristate "Blowfish cipher algorithm"
1232584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
123352ba867cSJussi Kivilinna	select CRYPTO_BLOWFISH_COMMON
1234584fffc8SSebastian Siewior	help
1235584fffc8SSebastian Siewior	  Blowfish cipher algorithm, by Bruce Schneier.
1236584fffc8SSebastian Siewior
1237584fffc8SSebastian Siewior	  This is a variable key length cipher which can use keys from 32
1238584fffc8SSebastian Siewior	  bits to 448 bits in length.  It's fast, simple and specifically
1239584fffc8SSebastian Siewior	  designed for use on "large microprocessors".
1240e2ee95b8SHye-Shik Chang
1241e2ee95b8SHye-Shik Chang	  See also:
12429332a9e7SAlexander A. Klimov	  <https://www.schneier.com/blowfish.html>
1243584fffc8SSebastian Siewior
124452ba867cSJussi Kivilinnaconfig CRYPTO_BLOWFISH_COMMON
124552ba867cSJussi Kivilinna	tristate
124652ba867cSJussi Kivilinna	help
124752ba867cSJussi Kivilinna	  Common parts of the Blowfish cipher algorithm shared by the
124852ba867cSJussi Kivilinna	  generic c and the assembler implementations.
124952ba867cSJussi Kivilinna
125052ba867cSJussi Kivilinna	  See also:
12519332a9e7SAlexander A. Klimov	  <https://www.schneier.com/blowfish.html>
125252ba867cSJussi Kivilinna
125364b94ceaSJussi Kivilinnaconfig CRYPTO_BLOWFISH_X86_64
125464b94ceaSJussi Kivilinna	tristate "Blowfish cipher algorithm (x86_64)"
1255f21a7c19SAl Viro	depends on X86 && 64BIT
1256b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
125764b94ceaSJussi Kivilinna	select CRYPTO_BLOWFISH_COMMON
125864b94ceaSJussi Kivilinna	help
125964b94ceaSJussi Kivilinna	  Blowfish cipher algorithm (x86_64), by Bruce Schneier.
126064b94ceaSJussi Kivilinna
126164b94ceaSJussi Kivilinna	  This is a variable key length cipher which can use keys from 32
126264b94ceaSJussi Kivilinna	  bits to 448 bits in length.  It's fast, simple and specifically
126364b94ceaSJussi Kivilinna	  designed for use on "large microprocessors".
126464b94ceaSJussi Kivilinna
126564b94ceaSJussi Kivilinna	  See also:
12669332a9e7SAlexander A. Klimov	  <https://www.schneier.com/blowfish.html>
126764b94ceaSJussi Kivilinna
1268584fffc8SSebastian Siewiorconfig CRYPTO_CAMELLIA
1269584fffc8SSebastian Siewior	tristate "Camellia cipher algorithms"
1270584fffc8SSebastian Siewior	depends on CRYPTO
1271584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1272584fffc8SSebastian Siewior	help
1273584fffc8SSebastian Siewior	  Camellia cipher algorithms module.
1274584fffc8SSebastian Siewior
1275584fffc8SSebastian Siewior	  Camellia is a symmetric key block cipher developed jointly
1276584fffc8SSebastian Siewior	  at NTT and Mitsubishi Electric Corporation.
1277584fffc8SSebastian Siewior
1278584fffc8SSebastian Siewior	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1279584fffc8SSebastian Siewior
1280584fffc8SSebastian Siewior	  See also:
1281584fffc8SSebastian Siewior	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1282584fffc8SSebastian Siewior
12830b95ec56SJussi Kivilinnaconfig CRYPTO_CAMELLIA_X86_64
12840b95ec56SJussi Kivilinna	tristate "Camellia cipher algorithm (x86_64)"
1285f21a7c19SAl Viro	depends on X86 && 64BIT
12860b95ec56SJussi Kivilinna	depends on CRYPTO
1287b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
1288964263afSJussi Kivilinna	select CRYPTO_GLUE_HELPER_X86
1289a1f91ecfSArd Biesheuvel	imply CRYPTO_CTR
12900b95ec56SJussi Kivilinna	help
12910b95ec56SJussi Kivilinna	  Camellia cipher algorithm module (x86_64).
12920b95ec56SJussi Kivilinna
12930b95ec56SJussi Kivilinna	  Camellia is a symmetric key block cipher developed jointly
12940b95ec56SJussi Kivilinna	  at NTT and Mitsubishi Electric Corporation.
12950b95ec56SJussi Kivilinna
12960b95ec56SJussi Kivilinna	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
12970b95ec56SJussi Kivilinna
12980b95ec56SJussi Kivilinna	  See also:
12990b95ec56SJussi Kivilinna	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
13000b95ec56SJussi Kivilinna
1301d9b1d2e7SJussi Kivilinnaconfig CRYPTO_CAMELLIA_AESNI_AVX_X86_64
1302d9b1d2e7SJussi Kivilinna	tristate "Camellia cipher algorithm (x86_64/AES-NI/AVX)"
1303d9b1d2e7SJussi Kivilinna	depends on X86 && 64BIT
1304d9b1d2e7SJussi Kivilinna	depends on CRYPTO
1305b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
1306d9b1d2e7SJussi Kivilinna	select CRYPTO_CAMELLIA_X86_64
130744893bc2SEric Biggers	select CRYPTO_GLUE_HELPER_X86
130844893bc2SEric Biggers	select CRYPTO_SIMD
130955a7e88fSArd Biesheuvel	imply CRYPTO_XTS
1310d9b1d2e7SJussi Kivilinna	help
1311d9b1d2e7SJussi Kivilinna	  Camellia cipher algorithm module (x86_64/AES-NI/AVX).
1312d9b1d2e7SJussi Kivilinna
1313d9b1d2e7SJussi Kivilinna	  Camellia is a symmetric key block cipher developed jointly
1314d9b1d2e7SJussi Kivilinna	  at NTT and Mitsubishi Electric Corporation.
1315d9b1d2e7SJussi Kivilinna
1316d9b1d2e7SJussi Kivilinna	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1317d9b1d2e7SJussi Kivilinna
1318d9b1d2e7SJussi Kivilinna	  See also:
1319d9b1d2e7SJussi Kivilinna	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1320d9b1d2e7SJussi Kivilinna
1321f3f935a7SJussi Kivilinnaconfig CRYPTO_CAMELLIA_AESNI_AVX2_X86_64
1322f3f935a7SJussi Kivilinna	tristate "Camellia cipher algorithm (x86_64/AES-NI/AVX2)"
1323f3f935a7SJussi Kivilinna	depends on X86 && 64BIT
1324f3f935a7SJussi Kivilinna	depends on CRYPTO
1325f3f935a7SJussi Kivilinna	select CRYPTO_CAMELLIA_AESNI_AVX_X86_64
1326f3f935a7SJussi Kivilinna	help
1327f3f935a7SJussi Kivilinna	  Camellia cipher algorithm module (x86_64/AES-NI/AVX2).
1328f3f935a7SJussi Kivilinna
1329f3f935a7SJussi Kivilinna	  Camellia is a symmetric key block cipher developed jointly
1330f3f935a7SJussi Kivilinna	  at NTT and Mitsubishi Electric Corporation.
1331f3f935a7SJussi Kivilinna
1332f3f935a7SJussi Kivilinna	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1333f3f935a7SJussi Kivilinna
1334f3f935a7SJussi Kivilinna	  See also:
1335f3f935a7SJussi Kivilinna	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1336f3f935a7SJussi Kivilinna
133781658ad0SDavid S. Millerconfig CRYPTO_CAMELLIA_SPARC64
133881658ad0SDavid S. Miller	tristate "Camellia cipher algorithm (SPARC64)"
133981658ad0SDavid S. Miller	depends on SPARC64
134081658ad0SDavid S. Miller	depends on CRYPTO
134181658ad0SDavid S. Miller	select CRYPTO_ALGAPI
1342b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
134381658ad0SDavid S. Miller	help
134481658ad0SDavid S. Miller	  Camellia cipher algorithm module (SPARC64).
134581658ad0SDavid S. Miller
134681658ad0SDavid S. Miller	  Camellia is a symmetric key block cipher developed jointly
134781658ad0SDavid S. Miller	  at NTT and Mitsubishi Electric Corporation.
134881658ad0SDavid S. Miller
134981658ad0SDavid S. Miller	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
135081658ad0SDavid S. Miller
135181658ad0SDavid S. Miller	  See also:
135281658ad0SDavid S. Miller	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
135381658ad0SDavid S. Miller
1354044ab525SJussi Kivilinnaconfig CRYPTO_CAST_COMMON
1355044ab525SJussi Kivilinna	tristate
1356044ab525SJussi Kivilinna	help
1357044ab525SJussi Kivilinna	  Common parts of the CAST cipher algorithms shared by the
1358044ab525SJussi Kivilinna	  generic c and the assembler implementations.
1359044ab525SJussi Kivilinna
1360584fffc8SSebastian Siewiorconfig CRYPTO_CAST5
1361584fffc8SSebastian Siewior	tristate "CAST5 (CAST-128) cipher algorithm"
1362584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1363044ab525SJussi Kivilinna	select CRYPTO_CAST_COMMON
1364584fffc8SSebastian Siewior	help
1365584fffc8SSebastian Siewior	  The CAST5 encryption algorithm (synonymous with CAST-128) is
1366584fffc8SSebastian Siewior	  described in RFC2144.
1367584fffc8SSebastian Siewior
13684d6d6a2cSJohannes Goetzfriedconfig CRYPTO_CAST5_AVX_X86_64
13694d6d6a2cSJohannes Goetzfried	tristate "CAST5 (CAST-128) cipher algorithm (x86_64/AVX)"
13704d6d6a2cSJohannes Goetzfried	depends on X86 && 64BIT
1371b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
13724d6d6a2cSJohannes Goetzfried	select CRYPTO_CAST5
13731e63183aSEric Biggers	select CRYPTO_CAST_COMMON
13741e63183aSEric Biggers	select CRYPTO_SIMD
1375e2d60e2fSArd Biesheuvel	imply CRYPTO_CTR
13764d6d6a2cSJohannes Goetzfried	help
13774d6d6a2cSJohannes Goetzfried	  The CAST5 encryption algorithm (synonymous with CAST-128) is
13784d6d6a2cSJohannes Goetzfried	  described in RFC2144.
13794d6d6a2cSJohannes Goetzfried
13804d6d6a2cSJohannes Goetzfried	  This module provides the Cast5 cipher algorithm that processes
13814d6d6a2cSJohannes Goetzfried	  sixteen blocks parallel using the AVX instruction set.
13824d6d6a2cSJohannes Goetzfried
1383584fffc8SSebastian Siewiorconfig CRYPTO_CAST6
1384584fffc8SSebastian Siewior	tristate "CAST6 (CAST-256) cipher algorithm"
1385584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1386044ab525SJussi Kivilinna	select CRYPTO_CAST_COMMON
1387584fffc8SSebastian Siewior	help
1388584fffc8SSebastian Siewior	  The CAST6 encryption algorithm (synonymous with CAST-256) is
1389584fffc8SSebastian Siewior	  described in RFC2612.
1390584fffc8SSebastian Siewior
13914ea1277dSJohannes Goetzfriedconfig CRYPTO_CAST6_AVX_X86_64
13924ea1277dSJohannes Goetzfried	tristate "CAST6 (CAST-256) cipher algorithm (x86_64/AVX)"
13934ea1277dSJohannes Goetzfried	depends on X86 && 64BIT
1394b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
13954ea1277dSJohannes Goetzfried	select CRYPTO_CAST6
13964bd96924SEric Biggers	select CRYPTO_CAST_COMMON
13974bd96924SEric Biggers	select CRYPTO_GLUE_HELPER_X86
13984bd96924SEric Biggers	select CRYPTO_SIMD
13992cc0fedbSArd Biesheuvel	imply CRYPTO_XTS
14007a6623ccSArd Biesheuvel	imply CRYPTO_CTR
14014ea1277dSJohannes Goetzfried	help
14024ea1277dSJohannes Goetzfried	  The CAST6 encryption algorithm (synonymous with CAST-256) is
14034ea1277dSJohannes Goetzfried	  described in RFC2612.
14044ea1277dSJohannes Goetzfried
14054ea1277dSJohannes Goetzfried	  This module provides the Cast6 cipher algorithm that processes
14064ea1277dSJohannes Goetzfried	  eight blocks parallel using the AVX instruction set.
14074ea1277dSJohannes Goetzfried
1408584fffc8SSebastian Siewiorconfig CRYPTO_DES
1409584fffc8SSebastian Siewior	tristate "DES and Triple DES EDE cipher algorithms"
1410584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
141104007b0eSArd Biesheuvel	select CRYPTO_LIB_DES
1412584fffc8SSebastian Siewior	help
1413584fffc8SSebastian Siewior	  DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3).
1414584fffc8SSebastian Siewior
1415c5aac2dfSDavid S. Millerconfig CRYPTO_DES_SPARC64
1416c5aac2dfSDavid S. Miller	tristate "DES and Triple DES EDE cipher algorithms (SPARC64)"
141797da37b3SDave Jones	depends on SPARC64
1418c5aac2dfSDavid S. Miller	select CRYPTO_ALGAPI
141904007b0eSArd Biesheuvel	select CRYPTO_LIB_DES
1420b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
1421c5aac2dfSDavid S. Miller	help
1422c5aac2dfSDavid S. Miller	  DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3),
1423c5aac2dfSDavid S. Miller	  optimized using SPARC64 crypto opcodes.
1424c5aac2dfSDavid S. Miller
14256574e6c6SJussi Kivilinnaconfig CRYPTO_DES3_EDE_X86_64
14266574e6c6SJussi Kivilinna	tristate "Triple DES EDE cipher algorithm (x86-64)"
14276574e6c6SJussi Kivilinna	depends on X86 && 64BIT
1428b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
142904007b0eSArd Biesheuvel	select CRYPTO_LIB_DES
14306574e6c6SJussi Kivilinna	help
14316574e6c6SJussi Kivilinna	  Triple DES EDE (FIPS 46-3) algorithm.
14326574e6c6SJussi Kivilinna
14336574e6c6SJussi Kivilinna	  This module provides implementation of the Triple DES EDE cipher
14346574e6c6SJussi Kivilinna	  algorithm that is optimized for x86-64 processors. Two versions of
14356574e6c6SJussi Kivilinna	  algorithm are provided; regular processing one input block and
14366574e6c6SJussi Kivilinna	  one that processes three blocks parallel.
14376574e6c6SJussi Kivilinna
1438584fffc8SSebastian Siewiorconfig CRYPTO_FCRYPT
1439584fffc8SSebastian Siewior	tristate "FCrypt cipher algorithm"
1440584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1441b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
1442584fffc8SSebastian Siewior	help
1443584fffc8SSebastian Siewior	  FCrypt algorithm used by RxRPC.
1444584fffc8SSebastian Siewior
1445584fffc8SSebastian Siewiorconfig CRYPTO_KHAZAD
1446584fffc8SSebastian Siewior	tristate "Khazad cipher algorithm"
14471674aea5SArd Biesheuvel	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1448584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1449584fffc8SSebastian Siewior	help
1450584fffc8SSebastian Siewior	  Khazad cipher algorithm.
1451584fffc8SSebastian Siewior
1452584fffc8SSebastian Siewior	  Khazad was a finalist in the initial NESSIE competition.  It is
1453584fffc8SSebastian Siewior	  an algorithm optimized for 64-bit processors with good performance
1454584fffc8SSebastian Siewior	  on 32-bit processors.  Khazad uses an 128 bit key size.
1455584fffc8SSebastian Siewior
1456584fffc8SSebastian Siewior	  See also:
14576d8de74cSJustin P. Mattock	  <http://www.larc.usp.br/~pbarreto/KhazadPage.html>
1458e2ee95b8SHye-Shik Chang
14592407d608STan Swee Hengconfig CRYPTO_SALSA20
14603b4afaf2SKees Cook	tristate "Salsa20 stream cipher algorithm"
1461b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
14622407d608STan Swee Heng	help
14632407d608STan Swee Heng	  Salsa20 stream cipher algorithm.
14642407d608STan Swee Heng
14652407d608STan Swee Heng	  Salsa20 is a stream cipher submitted to eSTREAM, the ECRYPT
14669332a9e7SAlexander A. Klimov	  Stream Cipher Project. See <https://www.ecrypt.eu.org/stream/>
14672407d608STan Swee Heng
14682407d608STan Swee Heng	  The Salsa20 stream cipher algorithm is designed by Daniel J.
14699332a9e7SAlexander A. Klimov	  Bernstein <djb@cr.yp.to>. See <https://cr.yp.to/snuffle.html>
14701da177e4SLinus Torvalds
1471c08d0e64SMartin Williconfig CRYPTO_CHACHA20
1472aa762409SEric Biggers	tristate "ChaCha stream cipher algorithms"
14735fb8ef25SArd Biesheuvel	select CRYPTO_LIB_CHACHA_GENERIC
1474b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
1475c08d0e64SMartin Willi	help
1476aa762409SEric Biggers	  The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms.
1477c08d0e64SMartin Willi
1478c08d0e64SMartin Willi	  ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
1479c08d0e64SMartin Willi	  Bernstein and further specified in RFC7539 for use in IETF protocols.
1480de61d7aeSEric Biggers	  This is the portable C implementation of ChaCha20.  See also:
14819332a9e7SAlexander A. Klimov	  <https://cr.yp.to/chacha/chacha-20080128.pdf>
1482c08d0e64SMartin Willi
1483de61d7aeSEric Biggers	  XChaCha20 is the application of the XSalsa20 construction to ChaCha20
1484de61d7aeSEric Biggers	  rather than to Salsa20.  XChaCha20 extends ChaCha20's nonce length
1485de61d7aeSEric Biggers	  from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
1486de61d7aeSEric Biggers	  while provably retaining ChaCha20's security.  See also:
1487de61d7aeSEric Biggers	  <https://cr.yp.to/snuffle/xsalsa-20081128.pdf>
1488de61d7aeSEric Biggers
1489aa762409SEric Biggers	  XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
1490aa762409SEric Biggers	  reduced security margin but increased performance.  It can be needed
1491aa762409SEric Biggers	  in some performance-sensitive scenarios.
1492aa762409SEric Biggers
1493c9320b6dSMartin Williconfig CRYPTO_CHACHA20_X86_64
14944af78261SEric Biggers	tristate "ChaCha stream cipher algorithms (x86_64/SSSE3/AVX2/AVX-512VL)"
1495c9320b6dSMartin Willi	depends on X86 && 64BIT
1496b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
149728e8d89bSArd Biesheuvel	select CRYPTO_LIB_CHACHA_GENERIC
149884e03fa3SArd Biesheuvel	select CRYPTO_ARCH_HAVE_LIB_CHACHA
1499c9320b6dSMartin Willi	help
15007a507d62SEric Biggers	  SSSE3, AVX2, and AVX-512VL optimized implementations of the ChaCha20,
15017a507d62SEric Biggers	  XChaCha20, and XChaCha12 stream ciphers.
1502c9320b6dSMartin Willi
15033a2f58f3SArd Biesheuvelconfig CRYPTO_CHACHA_MIPS
15043a2f58f3SArd Biesheuvel	tristate "ChaCha stream cipher algorithms (MIPS 32r2 optimized)"
15053a2f58f3SArd Biesheuvel	depends on CPU_MIPS32_R2
1506660eda8dSEric Biggers	select CRYPTO_SKCIPHER
15073a2f58f3SArd Biesheuvel	select CRYPTO_ARCH_HAVE_LIB_CHACHA
15083a2f58f3SArd Biesheuvel
1509584fffc8SSebastian Siewiorconfig CRYPTO_SEED
1510584fffc8SSebastian Siewior	tristate "SEED cipher algorithm"
15111674aea5SArd Biesheuvel	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1512584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1513584fffc8SSebastian Siewior	help
1514584fffc8SSebastian Siewior	  SEED cipher algorithm (RFC4269).
1515584fffc8SSebastian Siewior
1516584fffc8SSebastian Siewior	  SEED is a 128-bit symmetric key block cipher that has been
1517584fffc8SSebastian Siewior	  developed by KISA (Korea Information Security Agency) as a
1518584fffc8SSebastian Siewior	  national standard encryption algorithm of the Republic of Korea.
1519584fffc8SSebastian Siewior	  It is a 16 round block cipher with the key size of 128 bit.
1520584fffc8SSebastian Siewior
1521584fffc8SSebastian Siewior	  See also:
1522584fffc8SSebastian Siewior	  <http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp>
1523584fffc8SSebastian Siewior
1524584fffc8SSebastian Siewiorconfig CRYPTO_SERPENT
1525584fffc8SSebastian Siewior	tristate "Serpent cipher algorithm"
1526584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1527584fffc8SSebastian Siewior	help
1528584fffc8SSebastian Siewior	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1529584fffc8SSebastian Siewior
1530584fffc8SSebastian Siewior	  Keys are allowed to be from 0 to 256 bits in length, in steps
1531584fffc8SSebastian Siewior	  of 8 bits.  Also includes the 'Tnepres' algorithm, a reversed
1532584fffc8SSebastian Siewior	  variant of Serpent for compatibility with old kerneli.org code.
1533584fffc8SSebastian Siewior
1534584fffc8SSebastian Siewior	  See also:
15359332a9e7SAlexander A. Klimov	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1536584fffc8SSebastian Siewior
1537937c30d7SJussi Kivilinnaconfig CRYPTO_SERPENT_SSE2_X86_64
1538937c30d7SJussi Kivilinna	tristate "Serpent cipher algorithm (x86_64/SSE2)"
1539937c30d7SJussi Kivilinna	depends on X86 && 64BIT
1540b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
1541596d8750SJussi Kivilinna	select CRYPTO_GLUE_HELPER_X86
1542937c30d7SJussi Kivilinna	select CRYPTO_SERPENT
1543e0f409dcSEric Biggers	select CRYPTO_SIMD
15442e9440aeSArd Biesheuvel	imply CRYPTO_CTR
1545937c30d7SJussi Kivilinna	help
1546937c30d7SJussi Kivilinna	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1547937c30d7SJussi Kivilinna
1548937c30d7SJussi Kivilinna	  Keys are allowed to be from 0 to 256 bits in length, in steps
1549937c30d7SJussi Kivilinna	  of 8 bits.
1550937c30d7SJussi Kivilinna
15511e6232f8SMasanari Iida	  This module provides Serpent cipher algorithm that processes eight
1552937c30d7SJussi Kivilinna	  blocks parallel using SSE2 instruction set.
1553937c30d7SJussi Kivilinna
1554937c30d7SJussi Kivilinna	  See also:
15559332a9e7SAlexander A. Klimov	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1556937c30d7SJussi Kivilinna
1557251496dbSJussi Kivilinnaconfig CRYPTO_SERPENT_SSE2_586
1558251496dbSJussi Kivilinna	tristate "Serpent cipher algorithm (i586/SSE2)"
1559251496dbSJussi Kivilinna	depends on X86 && !64BIT
1560b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
1561596d8750SJussi Kivilinna	select CRYPTO_GLUE_HELPER_X86
1562251496dbSJussi Kivilinna	select CRYPTO_SERPENT
1563e0f409dcSEric Biggers	select CRYPTO_SIMD
15642e9440aeSArd Biesheuvel	imply CRYPTO_CTR
1565251496dbSJussi Kivilinna	help
1566251496dbSJussi Kivilinna	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1567251496dbSJussi Kivilinna
1568251496dbSJussi Kivilinna	  Keys are allowed to be from 0 to 256 bits in length, in steps
1569251496dbSJussi Kivilinna	  of 8 bits.
1570251496dbSJussi Kivilinna
1571251496dbSJussi Kivilinna	  This module provides Serpent cipher algorithm that processes four
1572251496dbSJussi Kivilinna	  blocks parallel using SSE2 instruction set.
1573251496dbSJussi Kivilinna
1574251496dbSJussi Kivilinna	  See also:
15759332a9e7SAlexander A. Klimov	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1576251496dbSJussi Kivilinna
15777efe4076SJohannes Goetzfriedconfig CRYPTO_SERPENT_AVX_X86_64
15787efe4076SJohannes Goetzfried	tristate "Serpent cipher algorithm (x86_64/AVX)"
15797efe4076SJohannes Goetzfried	depends on X86 && 64BIT
1580b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
15811d0debbdSJussi Kivilinna	select CRYPTO_GLUE_HELPER_X86
15827efe4076SJohannes Goetzfried	select CRYPTO_SERPENT
1583e16bf974SEric Biggers	select CRYPTO_SIMD
15849ec0af8aSArd Biesheuvel	imply CRYPTO_XTS
15852e9440aeSArd Biesheuvel	imply CRYPTO_CTR
15867efe4076SJohannes Goetzfried	help
15877efe4076SJohannes Goetzfried	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
15887efe4076SJohannes Goetzfried
15897efe4076SJohannes Goetzfried	  Keys are allowed to be from 0 to 256 bits in length, in steps
15907efe4076SJohannes Goetzfried	  of 8 bits.
15917efe4076SJohannes Goetzfried
15927efe4076SJohannes Goetzfried	  This module provides the Serpent cipher algorithm that processes
15937efe4076SJohannes Goetzfried	  eight blocks parallel using the AVX instruction set.
15947efe4076SJohannes Goetzfried
15957efe4076SJohannes Goetzfried	  See also:
15969332a9e7SAlexander A. Klimov	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
15977efe4076SJohannes Goetzfried
159856d76c96SJussi Kivilinnaconfig CRYPTO_SERPENT_AVX2_X86_64
159956d76c96SJussi Kivilinna	tristate "Serpent cipher algorithm (x86_64/AVX2)"
160056d76c96SJussi Kivilinna	depends on X86 && 64BIT
160156d76c96SJussi Kivilinna	select CRYPTO_SERPENT_AVX_X86_64
160256d76c96SJussi Kivilinna	help
160356d76c96SJussi Kivilinna	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
160456d76c96SJussi Kivilinna
160556d76c96SJussi Kivilinna	  Keys are allowed to be from 0 to 256 bits in length, in steps
160656d76c96SJussi Kivilinna	  of 8 bits.
160756d76c96SJussi Kivilinna
160856d76c96SJussi Kivilinna	  This module provides Serpent cipher algorithm that processes 16
160956d76c96SJussi Kivilinna	  blocks parallel using AVX2 instruction set.
161056d76c96SJussi Kivilinna
161156d76c96SJussi Kivilinna	  See also:
16129332a9e7SAlexander A. Klimov	  <https://www.cl.cam.ac.uk/~rja14/serpent.html>
161356d76c96SJussi Kivilinna
1614747c8ce4SGilad Ben-Yossefconfig CRYPTO_SM4
1615747c8ce4SGilad Ben-Yossef	tristate "SM4 cipher algorithm"
1616747c8ce4SGilad Ben-Yossef	select CRYPTO_ALGAPI
1617747c8ce4SGilad Ben-Yossef	help
1618747c8ce4SGilad Ben-Yossef	  SM4 cipher algorithms (OSCCA GB/T 32907-2016).
1619747c8ce4SGilad Ben-Yossef
1620747c8ce4SGilad Ben-Yossef	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
1621747c8ce4SGilad Ben-Yossef	  Organization of State Commercial Administration of China (OSCCA)
1622747c8ce4SGilad Ben-Yossef	  as an authorized cryptographic algorithms for the use within China.
1623747c8ce4SGilad Ben-Yossef
1624747c8ce4SGilad Ben-Yossef	  SMS4 was originally created for use in protecting wireless
1625747c8ce4SGilad Ben-Yossef	  networks, and is mandated in the Chinese National Standard for
1626747c8ce4SGilad Ben-Yossef	  Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
1627747c8ce4SGilad Ben-Yossef	  (GB.15629.11-2003).
1628747c8ce4SGilad Ben-Yossef
1629747c8ce4SGilad Ben-Yossef	  The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
1630747c8ce4SGilad Ben-Yossef	  standardized through TC 260 of the Standardization Administration
1631747c8ce4SGilad Ben-Yossef	  of the People's Republic of China (SAC).
1632747c8ce4SGilad Ben-Yossef
1633747c8ce4SGilad Ben-Yossef	  The input, output, and key of SMS4 are each 128 bits.
1634747c8ce4SGilad Ben-Yossef
1635747c8ce4SGilad Ben-Yossef	  See also: <https://eprint.iacr.org/2008/329.pdf>
1636747c8ce4SGilad Ben-Yossef
1637747c8ce4SGilad Ben-Yossef	  If unsure, say N.
1638747c8ce4SGilad Ben-Yossef
1639584fffc8SSebastian Siewiorconfig CRYPTO_TEA
1640584fffc8SSebastian Siewior	tristate "TEA, XTEA and XETA cipher algorithms"
16411674aea5SArd Biesheuvel	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1642584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1643584fffc8SSebastian Siewior	help
1644584fffc8SSebastian Siewior	  TEA cipher algorithm.
1645584fffc8SSebastian Siewior
1646584fffc8SSebastian Siewior	  Tiny Encryption Algorithm is a simple cipher that uses
1647584fffc8SSebastian Siewior	  many rounds for security.  It is very fast and uses
1648584fffc8SSebastian Siewior	  little memory.
1649584fffc8SSebastian Siewior
1650584fffc8SSebastian Siewior	  Xtendend Tiny Encryption Algorithm is a modification to
1651584fffc8SSebastian Siewior	  the TEA algorithm to address a potential key weakness
1652584fffc8SSebastian Siewior	  in the TEA algorithm.
1653584fffc8SSebastian Siewior
1654584fffc8SSebastian Siewior	  Xtendend Encryption Tiny Algorithm is a mis-implementation
1655584fffc8SSebastian Siewior	  of the XTEA algorithm for compatibility purposes.
1656584fffc8SSebastian Siewior
1657584fffc8SSebastian Siewiorconfig CRYPTO_TWOFISH
1658584fffc8SSebastian Siewior	tristate "Twofish cipher algorithm"
1659584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1660584fffc8SSebastian Siewior	select CRYPTO_TWOFISH_COMMON
1661584fffc8SSebastian Siewior	help
1662584fffc8SSebastian Siewior	  Twofish cipher algorithm.
1663584fffc8SSebastian Siewior
1664584fffc8SSebastian Siewior	  Twofish was submitted as an AES (Advanced Encryption Standard)
1665584fffc8SSebastian Siewior	  candidate cipher by researchers at CounterPane Systems.  It is a
1666584fffc8SSebastian Siewior	  16 round block cipher supporting key sizes of 128, 192, and 256
1667584fffc8SSebastian Siewior	  bits.
1668584fffc8SSebastian Siewior
1669584fffc8SSebastian Siewior	  See also:
16709332a9e7SAlexander A. Klimov	  <https://www.schneier.com/twofish.html>
1671584fffc8SSebastian Siewior
1672584fffc8SSebastian Siewiorconfig CRYPTO_TWOFISH_COMMON
1673584fffc8SSebastian Siewior	tristate
1674584fffc8SSebastian Siewior	help
1675584fffc8SSebastian Siewior	  Common parts of the Twofish cipher algorithm shared by the
1676584fffc8SSebastian Siewior	  generic c and the assembler implementations.
1677584fffc8SSebastian Siewior
1678584fffc8SSebastian Siewiorconfig CRYPTO_TWOFISH_586
1679584fffc8SSebastian Siewior	tristate "Twofish cipher algorithms (i586)"
1680584fffc8SSebastian Siewior	depends on (X86 || UML_X86) && !64BIT
1681584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1682584fffc8SSebastian Siewior	select CRYPTO_TWOFISH_COMMON
1683*f43dcaf2SArd Biesheuvel	imply CRYPTO_CTR
1684584fffc8SSebastian Siewior	help
1685584fffc8SSebastian Siewior	  Twofish cipher algorithm.
1686584fffc8SSebastian Siewior
1687584fffc8SSebastian Siewior	  Twofish was submitted as an AES (Advanced Encryption Standard)
1688584fffc8SSebastian Siewior	  candidate cipher by researchers at CounterPane Systems.  It is a
1689584fffc8SSebastian Siewior	  16 round block cipher supporting key sizes of 128, 192, and 256
1690584fffc8SSebastian Siewior	  bits.
1691584fffc8SSebastian Siewior
1692584fffc8SSebastian Siewior	  See also:
16939332a9e7SAlexander A. Klimov	  <https://www.schneier.com/twofish.html>
1694584fffc8SSebastian Siewior
1695584fffc8SSebastian Siewiorconfig CRYPTO_TWOFISH_X86_64
1696584fffc8SSebastian Siewior	tristate "Twofish cipher algorithm (x86_64)"
1697584fffc8SSebastian Siewior	depends on (X86 || UML_X86) && 64BIT
1698584fffc8SSebastian Siewior	select CRYPTO_ALGAPI
1699584fffc8SSebastian Siewior	select CRYPTO_TWOFISH_COMMON
1700*f43dcaf2SArd Biesheuvel	imply CRYPTO_CTR
1701584fffc8SSebastian Siewior	help
1702584fffc8SSebastian Siewior	  Twofish cipher algorithm (x86_64).
1703584fffc8SSebastian Siewior
1704584fffc8SSebastian Siewior	  Twofish was submitted as an AES (Advanced Encryption Standard)
1705584fffc8SSebastian Siewior	  candidate cipher by researchers at CounterPane Systems.  It is a
1706584fffc8SSebastian Siewior	  16 round block cipher supporting key sizes of 128, 192, and 256
1707584fffc8SSebastian Siewior	  bits.
1708584fffc8SSebastian Siewior
1709584fffc8SSebastian Siewior	  See also:
17109332a9e7SAlexander A. Klimov	  <https://www.schneier.com/twofish.html>
1711584fffc8SSebastian Siewior
17128280daadSJussi Kivilinnaconfig CRYPTO_TWOFISH_X86_64_3WAY
17138280daadSJussi Kivilinna	tristate "Twofish cipher algorithm (x86_64, 3-way parallel)"
1714f21a7c19SAl Viro	depends on X86 && 64BIT
1715b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
17168280daadSJussi Kivilinna	select CRYPTO_TWOFISH_COMMON
17178280daadSJussi Kivilinna	select CRYPTO_TWOFISH_X86_64
1718414cb5e7SJussi Kivilinna	select CRYPTO_GLUE_HELPER_X86
17198280daadSJussi Kivilinna	help
17208280daadSJussi Kivilinna	  Twofish cipher algorithm (x86_64, 3-way parallel).
17218280daadSJussi Kivilinna
17228280daadSJussi Kivilinna	  Twofish was submitted as an AES (Advanced Encryption Standard)
17238280daadSJussi Kivilinna	  candidate cipher by researchers at CounterPane Systems.  It is a
17248280daadSJussi Kivilinna	  16 round block cipher supporting key sizes of 128, 192, and 256
17258280daadSJussi Kivilinna	  bits.
17268280daadSJussi Kivilinna
17278280daadSJussi Kivilinna	  This module provides Twofish cipher algorithm that processes three
17288280daadSJussi Kivilinna	  blocks parallel, utilizing resources of out-of-order CPUs better.
17298280daadSJussi Kivilinna
17308280daadSJussi Kivilinna	  See also:
17319332a9e7SAlexander A. Klimov	  <https://www.schneier.com/twofish.html>
17328280daadSJussi Kivilinna
1733107778b5SJohannes Goetzfriedconfig CRYPTO_TWOFISH_AVX_X86_64
1734107778b5SJohannes Goetzfried	tristate "Twofish cipher algorithm (x86_64/AVX)"
1735107778b5SJohannes Goetzfried	depends on X86 && 64BIT
1736b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
1737a7378d4eSJussi Kivilinna	select CRYPTO_GLUE_HELPER_X86
17380e6ab46dSEric Biggers	select CRYPTO_SIMD
1739107778b5SJohannes Goetzfried	select CRYPTO_TWOFISH_COMMON
1740107778b5SJohannes Goetzfried	select CRYPTO_TWOFISH_X86_64
1741107778b5SJohannes Goetzfried	select CRYPTO_TWOFISH_X86_64_3WAY
1742da4df93aSArd Biesheuvel	imply CRYPTO_XTS
1743107778b5SJohannes Goetzfried	help
1744107778b5SJohannes Goetzfried	  Twofish cipher algorithm (x86_64/AVX).
1745107778b5SJohannes Goetzfried
1746107778b5SJohannes Goetzfried	  Twofish was submitted as an AES (Advanced Encryption Standard)
1747107778b5SJohannes Goetzfried	  candidate cipher by researchers at CounterPane Systems.  It is a
1748107778b5SJohannes Goetzfried	  16 round block cipher supporting key sizes of 128, 192, and 256
1749107778b5SJohannes Goetzfried	  bits.
1750107778b5SJohannes Goetzfried
1751107778b5SJohannes Goetzfried	  This module provides the Twofish cipher algorithm that processes
1752107778b5SJohannes Goetzfried	  eight blocks parallel using the AVX Instruction Set.
1753107778b5SJohannes Goetzfried
1754107778b5SJohannes Goetzfried	  See also:
17559332a9e7SAlexander A. Klimov	  <https://www.schneier.com/twofish.html>
1756107778b5SJohannes Goetzfried
1757584fffc8SSebastian Siewiorcomment "Compression"
1758584fffc8SSebastian Siewior
17591da177e4SLinus Torvaldsconfig CRYPTO_DEFLATE
17601da177e4SLinus Torvalds	tristate "Deflate compression algorithm"
1761cce9e06dSHerbert Xu	select CRYPTO_ALGAPI
1762f6ded09dSGiovanni Cabiddu	select CRYPTO_ACOMP2
17631da177e4SLinus Torvalds	select ZLIB_INFLATE
17641da177e4SLinus Torvalds	select ZLIB_DEFLATE
17651da177e4SLinus Torvalds	help
17661da177e4SLinus Torvalds	  This is the Deflate algorithm (RFC1951), specified for use in
17671da177e4SLinus Torvalds	  IPSec with the IPCOMP protocol (RFC3173, RFC2394).
17681da177e4SLinus Torvalds
17691da177e4SLinus Torvalds	  You will most probably want this if using IPSec.
17701da177e4SLinus Torvalds
17710b77abb3SZoltan Sogorconfig CRYPTO_LZO
17720b77abb3SZoltan Sogor	tristate "LZO compression algorithm"
17730b77abb3SZoltan Sogor	select CRYPTO_ALGAPI
1774ac9d2c4bSGiovanni Cabiddu	select CRYPTO_ACOMP2
17750b77abb3SZoltan Sogor	select LZO_COMPRESS
17760b77abb3SZoltan Sogor	select LZO_DECOMPRESS
17770b77abb3SZoltan Sogor	help
17780b77abb3SZoltan Sogor	  This is the LZO algorithm.
17790b77abb3SZoltan Sogor
178035a1fc18SSeth Jenningsconfig CRYPTO_842
178135a1fc18SSeth Jennings	tristate "842 compression algorithm"
17822062c5b6SDan Streetman	select CRYPTO_ALGAPI
17836a8de3aeSGiovanni Cabiddu	select CRYPTO_ACOMP2
17842062c5b6SDan Streetman	select 842_COMPRESS
17852062c5b6SDan Streetman	select 842_DECOMPRESS
178635a1fc18SSeth Jennings	help
178735a1fc18SSeth Jennings	  This is the 842 algorithm.
178835a1fc18SSeth Jennings
17890ea8530dSChanho Minconfig CRYPTO_LZ4
17900ea8530dSChanho Min	tristate "LZ4 compression algorithm"
17910ea8530dSChanho Min	select CRYPTO_ALGAPI
17928cd9330eSGiovanni Cabiddu	select CRYPTO_ACOMP2
17930ea8530dSChanho Min	select LZ4_COMPRESS
17940ea8530dSChanho Min	select LZ4_DECOMPRESS
17950ea8530dSChanho Min	help
17960ea8530dSChanho Min	  This is the LZ4 algorithm.
17970ea8530dSChanho Min
17980ea8530dSChanho Minconfig CRYPTO_LZ4HC
17990ea8530dSChanho Min	tristate "LZ4HC compression algorithm"
18000ea8530dSChanho Min	select CRYPTO_ALGAPI
180191d53d96SGiovanni Cabiddu	select CRYPTO_ACOMP2
18020ea8530dSChanho Min	select LZ4HC_COMPRESS
18030ea8530dSChanho Min	select LZ4_DECOMPRESS
18040ea8530dSChanho Min	help
18050ea8530dSChanho Min	  This is the LZ4 high compression mode algorithm.
18060ea8530dSChanho Min
1807d28fc3dbSNick Terrellconfig CRYPTO_ZSTD
1808d28fc3dbSNick Terrell	tristate "Zstd compression algorithm"
1809d28fc3dbSNick Terrell	select CRYPTO_ALGAPI
1810d28fc3dbSNick Terrell	select CRYPTO_ACOMP2
1811d28fc3dbSNick Terrell	select ZSTD_COMPRESS
1812d28fc3dbSNick Terrell	select ZSTD_DECOMPRESS
1813d28fc3dbSNick Terrell	help
1814d28fc3dbSNick Terrell	  This is the zstd algorithm.
1815d28fc3dbSNick Terrell
181617f0f4a4SNeil Hormancomment "Random Number Generation"
181717f0f4a4SNeil Horman
181817f0f4a4SNeil Hormanconfig CRYPTO_ANSI_CPRNG
181917f0f4a4SNeil Horman	tristate "Pseudo Random Number Generation for Cryptographic modules"
182017f0f4a4SNeil Horman	select CRYPTO_AES
182117f0f4a4SNeil Horman	select CRYPTO_RNG
182217f0f4a4SNeil Horman	help
182317f0f4a4SNeil Horman	  This option enables the generic pseudo random number generator
182417f0f4a4SNeil Horman	  for cryptographic modules.  Uses the Algorithm specified in
18257dd607e8SJiri Kosina	  ANSI X9.31 A.2.4. Note that this option must be enabled if
18267dd607e8SJiri Kosina	  CRYPTO_FIPS is selected
182717f0f4a4SNeil Horman
1828f2c89a10SHerbert Xumenuconfig CRYPTO_DRBG_MENU
1829419090c6SStephan Mueller	tristate "NIST SP800-90A DRBG"
1830419090c6SStephan Mueller	help
1831419090c6SStephan Mueller	  NIST SP800-90A compliant DRBG. In the following submenu, one or
1832419090c6SStephan Mueller	  more of the DRBG types must be selected.
1833419090c6SStephan Mueller
1834f2c89a10SHerbert Xuif CRYPTO_DRBG_MENU
1835419090c6SStephan Mueller
1836419090c6SStephan Muellerconfig CRYPTO_DRBG_HMAC
1837401e4238SHerbert Xu	bool
1838419090c6SStephan Mueller	default y
1839419090c6SStephan Mueller	select CRYPTO_HMAC
1840826775bbSHerbert Xu	select CRYPTO_SHA256
1841419090c6SStephan Mueller
1842419090c6SStephan Muellerconfig CRYPTO_DRBG_HASH
1843419090c6SStephan Mueller	bool "Enable Hash DRBG"
1844826775bbSHerbert Xu	select CRYPTO_SHA256
1845419090c6SStephan Mueller	help
1846419090c6SStephan Mueller	  Enable the Hash DRBG variant as defined in NIST SP800-90A.
1847419090c6SStephan Mueller
1848419090c6SStephan Muellerconfig CRYPTO_DRBG_CTR
1849419090c6SStephan Mueller	bool "Enable CTR DRBG"
1850419090c6SStephan Mueller	select CRYPTO_AES
1851d6fc1a45SCorentin Labbe	select CRYPTO_CTR
1852419090c6SStephan Mueller	help
1853419090c6SStephan Mueller	  Enable the CTR DRBG variant as defined in NIST SP800-90A.
1854419090c6SStephan Mueller
1855f2c89a10SHerbert Xuconfig CRYPTO_DRBG
1856f2c89a10SHerbert Xu	tristate
1857401e4238SHerbert Xu	default CRYPTO_DRBG_MENU
1858f2c89a10SHerbert Xu	select CRYPTO_RNG
1859bb5530e4SStephan Mueller	select CRYPTO_JITTERENTROPY
1860f2c89a10SHerbert Xu
1861f2c89a10SHerbert Xuendif	# if CRYPTO_DRBG_MENU
1862419090c6SStephan Mueller
1863bb5530e4SStephan Muellerconfig CRYPTO_JITTERENTROPY
1864bb5530e4SStephan Mueller	tristate "Jitterentropy Non-Deterministic Random Number Generator"
18652f313e02SArnd Bergmann	select CRYPTO_RNG
1866bb5530e4SStephan Mueller	help
1867bb5530e4SStephan Mueller	  The Jitterentropy RNG is a noise that is intended
1868bb5530e4SStephan Mueller	  to provide seed to another RNG. The RNG does not
1869bb5530e4SStephan Mueller	  perform any cryptographic whitening of the generated
1870bb5530e4SStephan Mueller	  random numbers. This Jitterentropy RNG registers with
1871bb5530e4SStephan Mueller	  the kernel crypto API and can be used by any caller.
1872bb5530e4SStephan Mueller
187303c8efc1SHerbert Xuconfig CRYPTO_USER_API
187403c8efc1SHerbert Xu	tristate
187503c8efc1SHerbert Xu
1876fe869cdbSHerbert Xuconfig CRYPTO_USER_API_HASH
1877fe869cdbSHerbert Xu	tristate "User-space interface for hash algorithms"
18787451708fSHerbert Xu	depends on NET
1879fe869cdbSHerbert Xu	select CRYPTO_HASH
1880fe869cdbSHerbert Xu	select CRYPTO_USER_API
1881fe869cdbSHerbert Xu	help
1882fe869cdbSHerbert Xu	  This option enables the user-spaces interface for hash
1883fe869cdbSHerbert Xu	  algorithms.
1884fe869cdbSHerbert Xu
18858ff59090SHerbert Xuconfig CRYPTO_USER_API_SKCIPHER
18868ff59090SHerbert Xu	tristate "User-space interface for symmetric key cipher algorithms"
18877451708fSHerbert Xu	depends on NET
1888b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
18898ff59090SHerbert Xu	select CRYPTO_USER_API
18908ff59090SHerbert Xu	help
18918ff59090SHerbert Xu	  This option enables the user-spaces interface for symmetric
18928ff59090SHerbert Xu	  key cipher algorithms.
18938ff59090SHerbert Xu
18942f375538SStephan Muellerconfig CRYPTO_USER_API_RNG
18952f375538SStephan Mueller	tristate "User-space interface for random number generator algorithms"
18962f375538SStephan Mueller	depends on NET
18972f375538SStephan Mueller	select CRYPTO_RNG
18982f375538SStephan Mueller	select CRYPTO_USER_API
18992f375538SStephan Mueller	help
19002f375538SStephan Mueller	  This option enables the user-spaces interface for random
19012f375538SStephan Mueller	  number generator algorithms.
19022f375538SStephan Mueller
190377ebdabeSElena Petrovaconfig CRYPTO_USER_API_RNG_CAVP
190477ebdabeSElena Petrova	bool "Enable CAVP testing of DRBG"
190577ebdabeSElena Petrova	depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
190677ebdabeSElena Petrova	help
190777ebdabeSElena Petrova	  This option enables extra API for CAVP testing via the user-space
190877ebdabeSElena Petrova	  interface: resetting of DRBG entropy, and providing Additional Data.
190977ebdabeSElena Petrova	  This should only be enabled for CAVP testing. You should say
191077ebdabeSElena Petrova	  no unless you know what this is.
191177ebdabeSElena Petrova
1912b64a2d95SHerbert Xuconfig CRYPTO_USER_API_AEAD
1913b64a2d95SHerbert Xu	tristate "User-space interface for AEAD cipher algorithms"
1914b64a2d95SHerbert Xu	depends on NET
1915b64a2d95SHerbert Xu	select CRYPTO_AEAD
1916b95bba5dSEric Biggers	select CRYPTO_SKCIPHER
191772548b09SStephan Mueller	select CRYPTO_NULL
1918b64a2d95SHerbert Xu	select CRYPTO_USER_API
1919b64a2d95SHerbert Xu	help
1920b64a2d95SHerbert Xu	  This option enables the user-spaces interface for AEAD
1921b64a2d95SHerbert Xu	  cipher algorithms.
1922b64a2d95SHerbert Xu
19239ace6771SArd Biesheuvelconfig CRYPTO_USER_API_ENABLE_OBSOLETE
19249ace6771SArd Biesheuvel	bool "Enable obsolete cryptographic algorithms for userspace"
19259ace6771SArd Biesheuvel	depends on CRYPTO_USER_API
19269ace6771SArd Biesheuvel	default y
19279ace6771SArd Biesheuvel	help
19289ace6771SArd Biesheuvel	  Allow obsolete cryptographic algorithms to be selected that have
19299ace6771SArd Biesheuvel	  already been phased out from internal use by the kernel, and are
19309ace6771SArd Biesheuvel	  only useful for userspace clients that still rely on them.
19319ace6771SArd Biesheuvel
1932cac5818cSCorentin Labbeconfig CRYPTO_STATS
1933cac5818cSCorentin Labbe	bool "Crypto usage statistics for User-space"
1934a6a31385SCorentin Labbe	depends on CRYPTO_USER
1935cac5818cSCorentin Labbe	help
1936cac5818cSCorentin Labbe	  This option enables the gathering of crypto stats.
1937cac5818cSCorentin Labbe	  This will collect:
1938cac5818cSCorentin Labbe	  - encrypt/decrypt size and numbers of symmeric operations
1939cac5818cSCorentin Labbe	  - compress/decompress size and numbers of compress operations
1940cac5818cSCorentin Labbe	  - size and numbers of hash operations
1941cac5818cSCorentin Labbe	  - encrypt/decrypt/sign/verify numbers for asymmetric operations
1942cac5818cSCorentin Labbe	  - generate/seed numbers for rng operations
1943cac5818cSCorentin Labbe
1944ee08997fSDmitry Kasatkinconfig CRYPTO_HASH_INFO
1945ee08997fSDmitry Kasatkin	bool
1946ee08997fSDmitry Kasatkin
1947746b2e02SArd Biesheuvelsource "lib/crypto/Kconfig"
19481da177e4SLinus Torvaldssource "drivers/crypto/Kconfig"
19498636a1f9SMasahiro Yamadasource "crypto/asymmetric_keys/Kconfig"
19508636a1f9SMasahiro Yamadasource "certs/Kconfig"
19511da177e4SLinus Torvalds
1952cce9e06dSHerbert Xuendif	# if CRYPTO
1953