xref: /linux/crypto/Kconfig (revision 71dfa617ea9f18e4585fe78364217cd32b1fc382)
1# SPDX-License-Identifier: GPL-2.0
2#
3# Generic algorithms support
4#
5config XOR_BLOCKS
6	tristate
7
8#
9# async_tx api: hardware offloaded memory transfer/transform support
10#
11source "crypto/async_tx/Kconfig"
12
13#
14# Cryptographic API Configuration
15#
16menuconfig CRYPTO
17	tristate "Cryptographic API"
18	select CRYPTO_LIB_UTILS
19	help
20	  This option provides the core Cryptographic API.
21
22if CRYPTO
23
24menu "Crypto core or helper"
25
26config CRYPTO_FIPS
27	bool "FIPS 200 compliance"
28	depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
29	depends on (MODULE_SIG || !MODULES)
30	help
31	  This option enables the fips boot option which is
32	  required if you want the system to operate in a FIPS 200
33	  certification.  You should say no unless you know what
34	  this is.
35
36config CRYPTO_FIPS_NAME
37	string "FIPS Module Name"
38	default "Linux Kernel Cryptographic API"
39	depends on CRYPTO_FIPS
40	help
41	  This option sets the FIPS Module name reported by the Crypto API via
42	  the /proc/sys/crypto/fips_name file.
43
44config CRYPTO_FIPS_CUSTOM_VERSION
45	bool "Use Custom FIPS Module Version"
46	depends on CRYPTO_FIPS
47	default n
48
49config CRYPTO_FIPS_VERSION
50	string "FIPS Module Version"
51	default "(none)"
52	depends on CRYPTO_FIPS_CUSTOM_VERSION
53	help
54	  This option provides the ability to override the FIPS Module Version.
55	  By default the KERNELRELEASE value is used.
56
57config CRYPTO_ALGAPI
58	tristate
59	select CRYPTO_ALGAPI2
60	help
61	  This option provides the API for cryptographic algorithms.
62
63config CRYPTO_ALGAPI2
64	tristate
65
66config CRYPTO_AEAD
67	tristate
68	select CRYPTO_AEAD2
69	select CRYPTO_ALGAPI
70
71config CRYPTO_AEAD2
72	tristate
73	select CRYPTO_ALGAPI2
74
75config CRYPTO_SIG
76	tristate
77	select CRYPTO_SIG2
78	select CRYPTO_ALGAPI
79
80config CRYPTO_SIG2
81	tristate
82	select CRYPTO_ALGAPI2
83
84config CRYPTO_SKCIPHER
85	tristate
86	select CRYPTO_SKCIPHER2
87	select CRYPTO_ALGAPI
88	select CRYPTO_ECB
89
90config CRYPTO_SKCIPHER2
91	tristate
92	select CRYPTO_ALGAPI2
93
94config CRYPTO_HASH
95	tristate
96	select CRYPTO_HASH2
97	select CRYPTO_ALGAPI
98
99config CRYPTO_HASH2
100	tristate
101	select CRYPTO_ALGAPI2
102
103config CRYPTO_RNG
104	tristate
105	select CRYPTO_RNG2
106	select CRYPTO_ALGAPI
107
108config CRYPTO_RNG2
109	tristate
110	select CRYPTO_ALGAPI2
111
112config CRYPTO_RNG_DEFAULT
113	tristate
114	select CRYPTO_DRBG_MENU
115
116config CRYPTO_AKCIPHER2
117	tristate
118	select CRYPTO_ALGAPI2
119
120config CRYPTO_AKCIPHER
121	tristate
122	select CRYPTO_AKCIPHER2
123	select CRYPTO_ALGAPI
124
125config CRYPTO_KPP2
126	tristate
127	select CRYPTO_ALGAPI2
128
129config CRYPTO_KPP
130	tristate
131	select CRYPTO_ALGAPI
132	select CRYPTO_KPP2
133
134config CRYPTO_ACOMP2
135	tristate
136	select CRYPTO_ALGAPI2
137	select SGL_ALLOC
138
139config CRYPTO_ACOMP
140	tristate
141	select CRYPTO_ALGAPI
142	select CRYPTO_ACOMP2
143
144config CRYPTO_MANAGER
145	tristate "Cryptographic algorithm manager"
146	select CRYPTO_MANAGER2
147	help
148	  Create default cryptographic template instantiations such as
149	  cbc(aes).
150
151config CRYPTO_MANAGER2
152	def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
153	select CRYPTO_ACOMP2
154	select CRYPTO_AEAD2
155	select CRYPTO_AKCIPHER2
156	select CRYPTO_SIG2
157	select CRYPTO_HASH2
158	select CRYPTO_KPP2
159	select CRYPTO_RNG2
160	select CRYPTO_SKCIPHER2
161
162config CRYPTO_USER
163	tristate "Userspace cryptographic algorithm configuration"
164	depends on NET
165	select CRYPTO_MANAGER
166	help
167	  Userspace configuration for cryptographic instantiations such as
168	  cbc(aes).
169
170config CRYPTO_MANAGER_DISABLE_TESTS
171	bool "Disable run-time self tests"
172	default y
173	help
174	  Disable run-time self tests that normally take place at
175	  algorithm registration.
176
177config CRYPTO_MANAGER_EXTRA_TESTS
178	bool "Enable extra run-time crypto self tests"
179	depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER
180	help
181	  Enable extra run-time self tests of registered crypto algorithms,
182	  including randomized fuzz tests.
183
184	  This is intended for developer use only, as these tests take much
185	  longer to run than the normal self tests.
186
187config CRYPTO_NULL
188	tristate "Null algorithms"
189	select CRYPTO_NULL2
190	help
191	  These are 'Null' algorithms, used by IPsec, which do nothing.
192
193config CRYPTO_NULL2
194	tristate
195	select CRYPTO_ALGAPI2
196	select CRYPTO_SKCIPHER2
197	select CRYPTO_HASH2
198
199config CRYPTO_PCRYPT
200	tristate "Parallel crypto engine"
201	depends on SMP
202	select PADATA
203	select CRYPTO_MANAGER
204	select CRYPTO_AEAD
205	help
206	  This converts an arbitrary crypto algorithm into a parallel
207	  algorithm that executes in kernel threads.
208
209config CRYPTO_CRYPTD
210	tristate "Software async crypto daemon"
211	select CRYPTO_SKCIPHER
212	select CRYPTO_HASH
213	select CRYPTO_MANAGER
214	help
215	  This is a generic software asynchronous crypto daemon that
216	  converts an arbitrary synchronous software crypto algorithm
217	  into an asynchronous algorithm that executes in a kernel thread.
218
219config CRYPTO_AUTHENC
220	tristate "Authenc support"
221	select CRYPTO_AEAD
222	select CRYPTO_SKCIPHER
223	select CRYPTO_MANAGER
224	select CRYPTO_HASH
225	select CRYPTO_NULL
226	help
227	  Authenc: Combined mode wrapper for IPsec.
228
229	  This is required for IPSec ESP (XFRM_ESP).
230
231config CRYPTO_TEST
232	tristate "Testing module"
233	depends on m || EXPERT
234	select CRYPTO_MANAGER
235	help
236	  Quick & dirty crypto test module.
237
238config CRYPTO_SIMD
239	tristate
240	select CRYPTO_CRYPTD
241
242config CRYPTO_ENGINE
243	tristate
244
245endmenu
246
247menu "Public-key cryptography"
248
249config CRYPTO_RSA
250	tristate "RSA (Rivest-Shamir-Adleman)"
251	select CRYPTO_AKCIPHER
252	select CRYPTO_MANAGER
253	select MPILIB
254	select ASN1
255	help
256	  RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017)
257
258config CRYPTO_DH
259	tristate "DH (Diffie-Hellman)"
260	select CRYPTO_KPP
261	select MPILIB
262	help
263	  DH (Diffie-Hellman) key exchange algorithm
264
265config CRYPTO_DH_RFC7919_GROUPS
266	bool "RFC 7919 FFDHE groups"
267	depends on CRYPTO_DH
268	select CRYPTO_RNG_DEFAULT
269	help
270	  FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups
271	  defined in RFC7919.
272
273	  Support these finite-field groups in DH key exchanges:
274	  - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
275
276	  If unsure, say N.
277
278config CRYPTO_ECC
279	tristate
280	select CRYPTO_RNG_DEFAULT
281
282config CRYPTO_ECDH
283	tristate "ECDH (Elliptic Curve Diffie-Hellman)"
284	select CRYPTO_ECC
285	select CRYPTO_KPP
286	help
287	  ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm
288	  using curves P-192, P-256, and P-384 (FIPS 186)
289
290config CRYPTO_ECDSA
291	tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)"
292	select CRYPTO_ECC
293	select CRYPTO_AKCIPHER
294	select ASN1
295	help
296	  ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186,
297	  ISO/IEC 14888-3)
298	  using curves P-192, P-256, and P-384
299
300	  Only signature verification is implemented.
301
302config CRYPTO_ECRDSA
303	tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)"
304	select CRYPTO_ECC
305	select CRYPTO_AKCIPHER
306	select CRYPTO_STREEBOG
307	select OID_REGISTRY
308	select ASN1
309	help
310	  Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
311	  RFC 7091, ISO/IEC 14888-3)
312
313	  One of the Russian cryptographic standard algorithms (called GOST
314	  algorithms). Only signature verification is implemented.
315
316config CRYPTO_SM2
317	tristate "SM2 (ShangMi 2)"
318	select CRYPTO_SM3
319	select CRYPTO_AKCIPHER
320	select CRYPTO_MANAGER
321	select MPILIB
322	select ASN1
323	help
324	  SM2 (ShangMi 2) public key algorithm
325
326	  Published by State Encryption Management Bureau, China,
327	  as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012.
328
329	  References:
330	  https://datatracker.ietf.org/doc/draft-shen-sm2-ecdsa/
331	  http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml
332	  http://www.gmbz.org.cn/main/bzlb.html
333
334config CRYPTO_CURVE25519
335	tristate "Curve25519"
336	select CRYPTO_KPP
337	select CRYPTO_LIB_CURVE25519_GENERIC
338	help
339	  Curve25519 elliptic curve (RFC7748)
340
341endmenu
342
343menu "Block ciphers"
344
345config CRYPTO_AES
346	tristate "AES (Advanced Encryption Standard)"
347	select CRYPTO_ALGAPI
348	select CRYPTO_LIB_AES
349	help
350	  AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
351
352	  Rijndael appears to be consistently a very good performer in
353	  both hardware and software across a wide range of computing
354	  environments regardless of its use in feedback or non-feedback
355	  modes. Its key setup time is excellent, and its key agility is
356	  good. Rijndael's very low memory requirements make it very well
357	  suited for restricted-space environments, in which it also
358	  demonstrates excellent performance. Rijndael's operations are
359	  among the easiest to defend against power and timing attacks.
360
361	  The AES specifies three key sizes: 128, 192 and 256 bits
362
363config CRYPTO_AES_TI
364	tristate "AES (Advanced Encryption Standard) (fixed time)"
365	select CRYPTO_ALGAPI
366	select CRYPTO_LIB_AES
367	help
368	  AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
369
370	  This is a generic implementation of AES that attempts to eliminate
371	  data dependent latencies as much as possible without affecting
372	  performance too much. It is intended for use by the generic CCM
373	  and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
374	  solely on encryption (although decryption is supported as well, but
375	  with a more dramatic performance hit)
376
377	  Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
378	  8 for decryption), this implementation only uses just two S-boxes of
379	  256 bytes each, and attempts to eliminate data dependent latencies by
380	  prefetching the entire table into the cache at the start of each
381	  block. Interrupts are also disabled to avoid races where cachelines
382	  are evicted when the CPU is interrupted to do something else.
383
384config CRYPTO_ANUBIS
385	tristate "Anubis"
386	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
387	select CRYPTO_ALGAPI
388	help
389	  Anubis cipher algorithm
390
391	  Anubis is a variable key length cipher which can use keys from
392	  128 bits to 320 bits in length.  It was evaluated as a entrant
393	  in the NESSIE competition.
394
395	  See https://web.archive.org/web/20160606112246/http://www.larc.usp.br/~pbarreto/AnubisPage.html
396	  for further information.
397
398config CRYPTO_ARIA
399	tristate "ARIA"
400	select CRYPTO_ALGAPI
401	help
402	  ARIA cipher algorithm (RFC5794)
403
404	  ARIA is a standard encryption algorithm of the Republic of Korea.
405	  The ARIA specifies three key sizes and rounds.
406	  128-bit: 12 rounds.
407	  192-bit: 14 rounds.
408	  256-bit: 16 rounds.
409
410	  See:
411	  https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do
412
413config CRYPTO_BLOWFISH
414	tristate "Blowfish"
415	select CRYPTO_ALGAPI
416	select CRYPTO_BLOWFISH_COMMON
417	help
418	  Blowfish cipher algorithm, by Bruce Schneier
419
420	  This is a variable key length cipher which can use keys from 32
421	  bits to 448 bits in length.  It's fast, simple and specifically
422	  designed for use on "large microprocessors".
423
424	  See https://www.schneier.com/blowfish.html for further information.
425
426config CRYPTO_BLOWFISH_COMMON
427	tristate
428	help
429	  Common parts of the Blowfish cipher algorithm shared by the
430	  generic c and the assembler implementations.
431
432config CRYPTO_CAMELLIA
433	tristate "Camellia"
434	select CRYPTO_ALGAPI
435	help
436	  Camellia cipher algorithms (ISO/IEC 18033-3)
437
438	  Camellia is a symmetric key block cipher developed jointly
439	  at NTT and Mitsubishi Electric Corporation.
440
441	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
442
443	  See https://info.isl.ntt.co.jp/crypt/eng/camellia/ for further information.
444
445config CRYPTO_CAST_COMMON
446	tristate
447	help
448	  Common parts of the CAST cipher algorithms shared by the
449	  generic c and the assembler implementations.
450
451config CRYPTO_CAST5
452	tristate "CAST5 (CAST-128)"
453	select CRYPTO_ALGAPI
454	select CRYPTO_CAST_COMMON
455	help
456	  CAST5 (CAST-128) cipher algorithm (RFC2144, ISO/IEC 18033-3)
457
458config CRYPTO_CAST6
459	tristate "CAST6 (CAST-256)"
460	select CRYPTO_ALGAPI
461	select CRYPTO_CAST_COMMON
462	help
463	  CAST6 (CAST-256) encryption algorithm (RFC2612)
464
465config CRYPTO_DES
466	tristate "DES and Triple DES EDE"
467	select CRYPTO_ALGAPI
468	select CRYPTO_LIB_DES
469	help
470	  DES (Data Encryption Standard)(FIPS 46-2, ISO/IEC 18033-3) and
471	  Triple DES EDE (Encrypt/Decrypt/Encrypt) (FIPS 46-3, ISO/IEC 18033-3)
472	  cipher algorithms
473
474config CRYPTO_FCRYPT
475	tristate "FCrypt"
476	select CRYPTO_ALGAPI
477	select CRYPTO_SKCIPHER
478	help
479	  FCrypt algorithm used by RxRPC
480
481	  See https://ota.polyonymo.us/fcrypt-paper.txt
482
483config CRYPTO_KHAZAD
484	tristate "Khazad"
485	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
486	select CRYPTO_ALGAPI
487	help
488	  Khazad cipher algorithm
489
490	  Khazad was a finalist in the initial NESSIE competition.  It is
491	  an algorithm optimized for 64-bit processors with good performance
492	  on 32-bit processors.  Khazad uses an 128 bit key size.
493
494	  See https://web.archive.org/web/20171011071731/http://www.larc.usp.br/~pbarreto/KhazadPage.html
495	  for further information.
496
497config CRYPTO_SEED
498	tristate "SEED"
499	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
500	select CRYPTO_ALGAPI
501	help
502	  SEED cipher algorithm (RFC4269, ISO/IEC 18033-3)
503
504	  SEED is a 128-bit symmetric key block cipher that has been
505	  developed by KISA (Korea Information Security Agency) as a
506	  national standard encryption algorithm of the Republic of Korea.
507	  It is a 16 round block cipher with the key size of 128 bit.
508
509	  See https://seed.kisa.or.kr/kisa/algorithm/EgovSeedInfo.do
510	  for further information.
511
512config CRYPTO_SERPENT
513	tristate "Serpent"
514	select CRYPTO_ALGAPI
515	help
516	  Serpent cipher algorithm, by Anderson, Biham & Knudsen
517
518	  Keys are allowed to be from 0 to 256 bits in length, in steps
519	  of 8 bits.
520
521	  See https://www.cl.cam.ac.uk/~rja14/serpent.html for further information.
522
523config CRYPTO_SM4
524	tristate
525
526config CRYPTO_SM4_GENERIC
527	tristate "SM4 (ShangMi 4)"
528	select CRYPTO_ALGAPI
529	select CRYPTO_SM4
530	help
531	  SM4 cipher algorithms (OSCCA GB/T 32907-2016,
532	  ISO/IEC 18033-3:2010/Amd 1:2021)
533
534	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
535	  Organization of State Commercial Administration of China (OSCCA)
536	  as an authorized cryptographic algorithms for the use within China.
537
538	  SMS4 was originally created for use in protecting wireless
539	  networks, and is mandated in the Chinese National Standard for
540	  Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
541	  (GB.15629.11-2003).
542
543	  The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
544	  standardized through TC 260 of the Standardization Administration
545	  of the People's Republic of China (SAC).
546
547	  The input, output, and key of SMS4 are each 128 bits.
548
549	  See https://eprint.iacr.org/2008/329.pdf for further information.
550
551	  If unsure, say N.
552
553config CRYPTO_TEA
554	tristate "TEA, XTEA and XETA"
555	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
556	select CRYPTO_ALGAPI
557	help
558	  TEA (Tiny Encryption Algorithm) cipher algorithms
559
560	  Tiny Encryption Algorithm is a simple cipher that uses
561	  many rounds for security.  It is very fast and uses
562	  little memory.
563
564	  Xtendend Tiny Encryption Algorithm is a modification to
565	  the TEA algorithm to address a potential key weakness
566	  in the TEA algorithm.
567
568	  Xtendend Encryption Tiny Algorithm is a mis-implementation
569	  of the XTEA algorithm for compatibility purposes.
570
571config CRYPTO_TWOFISH
572	tristate "Twofish"
573	select CRYPTO_ALGAPI
574	select CRYPTO_TWOFISH_COMMON
575	help
576	  Twofish cipher algorithm
577
578	  Twofish was submitted as an AES (Advanced Encryption Standard)
579	  candidate cipher by researchers at CounterPane Systems.  It is a
580	  16 round block cipher supporting key sizes of 128, 192, and 256
581	  bits.
582
583	  See https://www.schneier.com/twofish.html for further information.
584
585config CRYPTO_TWOFISH_COMMON
586	tristate
587	help
588	  Common parts of the Twofish cipher algorithm shared by the
589	  generic c and the assembler implementations.
590
591endmenu
592
593menu "Length-preserving ciphers and modes"
594
595config CRYPTO_ADIANTUM
596	tristate "Adiantum"
597	select CRYPTO_CHACHA20
598	select CRYPTO_LIB_POLY1305_GENERIC
599	select CRYPTO_NHPOLY1305
600	select CRYPTO_MANAGER
601	help
602	  Adiantum tweakable, length-preserving encryption mode
603
604	  Designed for fast and secure disk encryption, especially on
605	  CPUs without dedicated crypto instructions.  It encrypts
606	  each sector using the XChaCha12 stream cipher, two passes of
607	  an ε-almost-∆-universal hash function, and an invocation of
608	  the AES-256 block cipher on a single 16-byte block.  On CPUs
609	  without AES instructions, Adiantum is much faster than
610	  AES-XTS.
611
612	  Adiantum's security is provably reducible to that of its
613	  underlying stream and block ciphers, subject to a security
614	  bound.  Unlike XTS, Adiantum is a true wide-block encryption
615	  mode, so it actually provides an even stronger notion of
616	  security than XTS, subject to the security bound.
617
618	  If unsure, say N.
619
620config CRYPTO_ARC4
621	tristate "ARC4 (Alleged Rivest Cipher 4)"
622	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
623	select CRYPTO_SKCIPHER
624	select CRYPTO_LIB_ARC4
625	help
626	  ARC4 cipher algorithm
627
628	  ARC4 is a stream cipher using keys ranging from 8 bits to 2048
629	  bits in length.  This algorithm is required for driver-based
630	  WEP, but it should not be for other purposes because of the
631	  weakness of the algorithm.
632
633config CRYPTO_CHACHA20
634	tristate "ChaCha"
635	select CRYPTO_LIB_CHACHA_GENERIC
636	select CRYPTO_SKCIPHER
637	help
638	  The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms
639
640	  ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
641	  Bernstein and further specified in RFC7539 for use in IETF protocols.
642	  This is the portable C implementation of ChaCha20.  See
643	  https://cr.yp.to/chacha/chacha-20080128.pdf for further information.
644
645	  XChaCha20 is the application of the XSalsa20 construction to ChaCha20
646	  rather than to Salsa20.  XChaCha20 extends ChaCha20's nonce length
647	  from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
648	  while provably retaining ChaCha20's security.  See
649	  https://cr.yp.to/snuffle/xsalsa-20081128.pdf for further information.
650
651	  XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
652	  reduced security margin but increased performance.  It can be needed
653	  in some performance-sensitive scenarios.
654
655config CRYPTO_CBC
656	tristate "CBC (Cipher Block Chaining)"
657	select CRYPTO_SKCIPHER
658	select CRYPTO_MANAGER
659	help
660	  CBC (Cipher Block Chaining) mode (NIST SP800-38A)
661
662	  This block cipher mode is required for IPSec ESP (XFRM_ESP).
663
664config CRYPTO_CTR
665	tristate "CTR (Counter)"
666	select CRYPTO_SKCIPHER
667	select CRYPTO_MANAGER
668	help
669	  CTR (Counter) mode (NIST SP800-38A)
670
671config CRYPTO_CTS
672	tristate "CTS (Cipher Text Stealing)"
673	select CRYPTO_SKCIPHER
674	select CRYPTO_MANAGER
675	help
676	  CBC-CS3 variant of CTS (Cipher Text Stealing) (NIST
677	  Addendum to SP800-38A (October 2010))
678
679	  This mode is required for Kerberos gss mechanism support
680	  for AES encryption.
681
682config CRYPTO_ECB
683	tristate "ECB (Electronic Codebook)"
684	select CRYPTO_SKCIPHER2
685	select CRYPTO_MANAGER
686	help
687	  ECB (Electronic Codebook) mode (NIST SP800-38A)
688
689config CRYPTO_HCTR2
690	tristate "HCTR2"
691	select CRYPTO_XCTR
692	select CRYPTO_POLYVAL
693	select CRYPTO_MANAGER
694	help
695	  HCTR2 length-preserving encryption mode
696
697	  A mode for storage encryption that is efficient on processors with
698	  instructions to accelerate AES and carryless multiplication, e.g.
699	  x86 processors with AES-NI and CLMUL, and ARM processors with the
700	  ARMv8 crypto extensions.
701
702	  See https://eprint.iacr.org/2021/1441
703
704config CRYPTO_KEYWRAP
705	tristate "KW (AES Key Wrap)"
706	select CRYPTO_SKCIPHER
707	select CRYPTO_MANAGER
708	help
709	  KW (AES Key Wrap) authenticated encryption mode (NIST SP800-38F
710	  and RFC3394) without padding.
711
712config CRYPTO_LRW
713	tristate "LRW (Liskov Rivest Wagner)"
714	select CRYPTO_LIB_GF128MUL
715	select CRYPTO_SKCIPHER
716	select CRYPTO_MANAGER
717	select CRYPTO_ECB
718	help
719	  LRW (Liskov Rivest Wagner) mode
720
721	  A tweakable, non malleable, non movable
722	  narrow block cipher mode for dm-crypt.  Use it with cipher
723	  specification string aes-lrw-benbi, the key must be 256, 320 or 384.
724	  The first 128, 192 or 256 bits in the key are used for AES and the
725	  rest is used to tie each cipher block to its logical position.
726
727	  See https://people.csail.mit.edu/rivest/pubs/LRW02.pdf
728
729config CRYPTO_PCBC
730	tristate "PCBC (Propagating Cipher Block Chaining)"
731	select CRYPTO_SKCIPHER
732	select CRYPTO_MANAGER
733	help
734	  PCBC (Propagating Cipher Block Chaining) mode
735
736	  This block cipher mode is required for RxRPC.
737
738config CRYPTO_XCTR
739	tristate
740	select CRYPTO_SKCIPHER
741	select CRYPTO_MANAGER
742	help
743	  XCTR (XOR Counter) mode for HCTR2
744
745	  This blockcipher mode is a variant of CTR mode using XORs and little-endian
746	  addition rather than big-endian arithmetic.
747
748	  XCTR mode is used to implement HCTR2.
749
750config CRYPTO_XTS
751	tristate "XTS (XOR Encrypt XOR with ciphertext stealing)"
752	select CRYPTO_SKCIPHER
753	select CRYPTO_MANAGER
754	select CRYPTO_ECB
755	help
756	  XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
757	  and IEEE 1619)
758
759	  Use with aes-xts-plain, key size 256, 384 or 512 bits. This
760	  implementation currently can't handle a sectorsize which is not a
761	  multiple of 16 bytes.
762
763config CRYPTO_NHPOLY1305
764	tristate
765	select CRYPTO_HASH
766	select CRYPTO_LIB_POLY1305_GENERIC
767
768endmenu
769
770menu "AEAD (authenticated encryption with associated data) ciphers"
771
772config CRYPTO_AEGIS128
773	tristate "AEGIS-128"
774	select CRYPTO_AEAD
775	select CRYPTO_AES  # for AES S-box tables
776	help
777	  AEGIS-128 AEAD algorithm
778
779config CRYPTO_AEGIS128_SIMD
780	bool "AEGIS-128 (arm NEON, arm64 NEON)"
781	depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
782	default y
783	help
784	  AEGIS-128 AEAD algorithm
785
786	  Architecture: arm or arm64 using:
787	  - NEON (Advanced SIMD) extension
788
789config CRYPTO_CHACHA20POLY1305
790	tristate "ChaCha20-Poly1305"
791	select CRYPTO_CHACHA20
792	select CRYPTO_POLY1305
793	select CRYPTO_AEAD
794	select CRYPTO_MANAGER
795	help
796	  ChaCha20 stream cipher and Poly1305 authenticator combined
797	  mode (RFC8439)
798
799config CRYPTO_CCM
800	tristate "CCM (Counter with Cipher Block Chaining-MAC)"
801	select CRYPTO_CTR
802	select CRYPTO_HASH
803	select CRYPTO_AEAD
804	select CRYPTO_MANAGER
805	help
806	  CCM (Counter with Cipher Block Chaining-Message Authentication Code)
807	  authenticated encryption mode (NIST SP800-38C)
808
809config CRYPTO_GCM
810	tristate "GCM (Galois/Counter Mode) and GMAC (GCM MAC)"
811	select CRYPTO_CTR
812	select CRYPTO_AEAD
813	select CRYPTO_GHASH
814	select CRYPTO_NULL
815	select CRYPTO_MANAGER
816	help
817	  GCM (Galois/Counter Mode) authenticated encryption mode and GMAC
818	  (GCM Message Authentication Code) (NIST SP800-38D)
819
820	  This is required for IPSec ESP (XFRM_ESP).
821
822config CRYPTO_GENIV
823	tristate
824	select CRYPTO_AEAD
825	select CRYPTO_NULL
826	select CRYPTO_MANAGER
827	select CRYPTO_RNG_DEFAULT
828
829config CRYPTO_SEQIV
830	tristate "Sequence Number IV Generator"
831	select CRYPTO_GENIV
832	help
833	  Sequence Number IV generator
834
835	  This IV generator generates an IV based on a sequence number by
836	  xoring it with a salt.  This algorithm is mainly useful for CTR.
837
838	  This is required for IPsec ESP (XFRM_ESP).
839
840config CRYPTO_ECHAINIV
841	tristate "Encrypted Chain IV Generator"
842	select CRYPTO_GENIV
843	help
844	  Encrypted Chain IV generator
845
846	  This IV generator generates an IV based on the encryption of
847	  a sequence number xored with a salt.  This is the default
848	  algorithm for CBC.
849
850config CRYPTO_ESSIV
851	tristate "Encrypted Salt-Sector IV Generator"
852	select CRYPTO_AUTHENC
853	help
854	  Encrypted Salt-Sector IV generator
855
856	  This IV generator is used in some cases by fscrypt and/or
857	  dm-crypt. It uses the hash of the block encryption key as the
858	  symmetric key for a block encryption pass applied to the input
859	  IV, making low entropy IV sources more suitable for block
860	  encryption.
861
862	  This driver implements a crypto API template that can be
863	  instantiated either as an skcipher or as an AEAD (depending on the
864	  type of the first template argument), and which defers encryption
865	  and decryption requests to the encapsulated cipher after applying
866	  ESSIV to the input IV. Note that in the AEAD case, it is assumed
867	  that the keys are presented in the same format used by the authenc
868	  template, and that the IV appears at the end of the authenticated
869	  associated data (AAD) region (which is how dm-crypt uses it.)
870
871	  Note that the use of ESSIV is not recommended for new deployments,
872	  and so this only needs to be enabled when interoperability with
873	  existing encrypted volumes of filesystems is required, or when
874	  building for a particular system that requires it (e.g., when
875	  the SoC in question has accelerated CBC but not XTS, making CBC
876	  combined with ESSIV the only feasible mode for h/w accelerated
877	  block encryption)
878
879endmenu
880
881menu "Hashes, digests, and MACs"
882
883config CRYPTO_BLAKE2B
884	tristate "BLAKE2b"
885	select CRYPTO_HASH
886	help
887	  BLAKE2b cryptographic hash function (RFC 7693)
888
889	  BLAKE2b is optimized for 64-bit platforms and can produce digests
890	  of any size between 1 and 64 bytes. The keyed hash is also implemented.
891
892	  This module provides the following algorithms:
893	  - blake2b-160
894	  - blake2b-256
895	  - blake2b-384
896	  - blake2b-512
897
898	  Used by the btrfs filesystem.
899
900	  See https://blake2.net for further information.
901
902config CRYPTO_CMAC
903	tristate "CMAC (Cipher-based MAC)"
904	select CRYPTO_HASH
905	select CRYPTO_MANAGER
906	help
907	  CMAC (Cipher-based Message Authentication Code) authentication
908	  mode (NIST SP800-38B and IETF RFC4493)
909
910config CRYPTO_GHASH
911	tristate "GHASH"
912	select CRYPTO_HASH
913	select CRYPTO_LIB_GF128MUL
914	help
915	  GCM GHASH function (NIST SP800-38D)
916
917config CRYPTO_HMAC
918	tristate "HMAC (Keyed-Hash MAC)"
919	select CRYPTO_HASH
920	select CRYPTO_MANAGER
921	help
922	  HMAC (Keyed-Hash Message Authentication Code) (FIPS 198 and
923	  RFC2104)
924
925	  This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
926
927config CRYPTO_MD4
928	tristate "MD4"
929	select CRYPTO_HASH
930	help
931	  MD4 message digest algorithm (RFC1320)
932
933config CRYPTO_MD5
934	tristate "MD5"
935	select CRYPTO_HASH
936	help
937	  MD5 message digest algorithm (RFC1321)
938
939config CRYPTO_MICHAEL_MIC
940	tristate "Michael MIC"
941	select CRYPTO_HASH
942	help
943	  Michael MIC (Message Integrity Code) (IEEE 802.11i)
944
945	  Defined by the IEEE 802.11i TKIP (Temporal Key Integrity Protocol),
946	  known as WPA (Wif-Fi Protected Access).
947
948	  This algorithm is required for TKIP, but it should not be used for
949	  other purposes because of the weakness of the algorithm.
950
951config CRYPTO_POLYVAL
952	tristate
953	select CRYPTO_HASH
954	select CRYPTO_LIB_GF128MUL
955	help
956	  POLYVAL hash function for HCTR2
957
958	  This is used in HCTR2.  It is not a general-purpose
959	  cryptographic hash function.
960
961config CRYPTO_POLY1305
962	tristate "Poly1305"
963	select CRYPTO_HASH
964	select CRYPTO_LIB_POLY1305_GENERIC
965	help
966	  Poly1305 authenticator algorithm (RFC7539)
967
968	  Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
969	  It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
970	  in IETF protocols. This is the portable C implementation of Poly1305.
971
972config CRYPTO_RMD160
973	tristate "RIPEMD-160"
974	select CRYPTO_HASH
975	help
976	  RIPEMD-160 hash function (ISO/IEC 10118-3)
977
978	  RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
979	  to be used as a secure replacement for the 128-bit hash functions
980	  MD4, MD5 and its predecessor RIPEMD
981	  (not to be confused with RIPEMD-128).
982
983	  Its speed is comparable to SHA-1 and there are no known attacks
984	  against RIPEMD-160.
985
986	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
987	  See https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
988	  for further information.
989
990config CRYPTO_SHA1
991	tristate "SHA-1"
992	select CRYPTO_HASH
993	select CRYPTO_LIB_SHA1
994	help
995	  SHA-1 secure hash algorithm (FIPS 180, ISO/IEC 10118-3)
996
997config CRYPTO_SHA256
998	tristate "SHA-224 and SHA-256"
999	select CRYPTO_HASH
1000	select CRYPTO_LIB_SHA256
1001	help
1002	  SHA-224 and SHA-256 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
1003
1004	  This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
1005	  Used by the btrfs filesystem, Ceph, NFS, and SMB.
1006
1007config CRYPTO_SHA512
1008	tristate "SHA-384 and SHA-512"
1009	select CRYPTO_HASH
1010	help
1011	  SHA-384 and SHA-512 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
1012
1013config CRYPTO_SHA3
1014	tristate "SHA-3"
1015	select CRYPTO_HASH
1016	help
1017	  SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3)
1018
1019config CRYPTO_SM3
1020	tristate
1021
1022config CRYPTO_SM3_GENERIC
1023	tristate "SM3 (ShangMi 3)"
1024	select CRYPTO_HASH
1025	select CRYPTO_SM3
1026	help
1027	  SM3 (ShangMi 3) secure hash function (OSCCA GM/T 0004-2012, ISO/IEC 10118-3)
1028
1029	  This is part of the Chinese Commercial Cryptography suite.
1030
1031	  References:
1032	  http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
1033	  https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
1034
1035config CRYPTO_STREEBOG
1036	tristate "Streebog"
1037	select CRYPTO_HASH
1038	help
1039	  Streebog Hash Function (GOST R 34.11-2012, RFC 6986, ISO/IEC 10118-3)
1040
1041	  This is one of the Russian cryptographic standard algorithms (called
1042	  GOST algorithms). This setting enables two hash algorithms with
1043	  256 and 512 bits output.
1044
1045	  References:
1046	  https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1047	  https://tools.ietf.org/html/rfc6986
1048
1049config CRYPTO_VMAC
1050	tristate "VMAC"
1051	select CRYPTO_HASH
1052	select CRYPTO_MANAGER
1053	help
1054	  VMAC is a message authentication algorithm designed for
1055	  very high speed on 64-bit architectures.
1056
1057	  See https://fastcrypto.org/vmac for further information.
1058
1059config CRYPTO_WP512
1060	tristate "Whirlpool"
1061	select CRYPTO_HASH
1062	help
1063	  Whirlpool hash function (ISO/IEC 10118-3)
1064
1065	  512, 384 and 256-bit hashes.
1066
1067	  Whirlpool-512 is part of the NESSIE cryptographic primitives.
1068
1069	  See https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
1070	  for further information.
1071
1072config CRYPTO_XCBC
1073	tristate "XCBC-MAC (Extended Cipher Block Chaining MAC)"
1074	select CRYPTO_HASH
1075	select CRYPTO_MANAGER
1076	help
1077	  XCBC-MAC (Extended Cipher Block Chaining Message Authentication
1078	  Code) (RFC3566)
1079
1080config CRYPTO_XXHASH
1081	tristate "xxHash"
1082	select CRYPTO_HASH
1083	select XXHASH
1084	help
1085	  xxHash non-cryptographic hash algorithm
1086
1087	  Extremely fast, working at speeds close to RAM limits.
1088
1089	  Used by the btrfs filesystem.
1090
1091endmenu
1092
1093menu "CRCs (cyclic redundancy checks)"
1094
1095config CRYPTO_CRC32C
1096	tristate "CRC32c"
1097	select CRYPTO_HASH
1098	select CRC32
1099	help
1100	  CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720)
1101
1102	  A 32-bit CRC (cyclic redundancy check) with a polynomial defined
1103	  by G. Castagnoli, S. Braeuer and M. Herrman in "Optimization of Cyclic
1104	  Redundancy-Check Codes with 24 and 32 Parity Bits", IEEE Transactions
1105	  on Communications, Vol. 41, No. 6, June 1993, selected for use with
1106	  iSCSI.
1107
1108	  Used by btrfs, ext4, jbd2, NVMeoF/TCP, and iSCSI.
1109
1110config CRYPTO_CRC32
1111	tristate "CRC32"
1112	select CRYPTO_HASH
1113	select CRC32
1114	help
1115	  CRC32 CRC algorithm (IEEE 802.3)
1116
1117	  Used by RoCEv2 and f2fs.
1118
1119config CRYPTO_CRCT10DIF
1120	tristate "CRCT10DIF"
1121	select CRYPTO_HASH
1122	help
1123	  CRC16 CRC algorithm used for the T10 (SCSI) Data Integrity Field (DIF)
1124
1125	  CRC algorithm used by the SCSI Block Commands standard.
1126
1127config CRYPTO_CRC64_ROCKSOFT
1128	tristate "CRC64 based on Rocksoft Model algorithm"
1129	depends on CRC64
1130	select CRYPTO_HASH
1131	help
1132	  CRC64 CRC algorithm based on the Rocksoft Model CRC Algorithm
1133
1134	  Used by the NVMe implementation of T10 DIF (BLK_DEV_INTEGRITY)
1135
1136	  See https://zlib.net/crc_v3.txt
1137
1138endmenu
1139
1140menu "Compression"
1141
1142config CRYPTO_DEFLATE
1143	tristate "Deflate"
1144	select CRYPTO_ALGAPI
1145	select CRYPTO_ACOMP2
1146	select ZLIB_INFLATE
1147	select ZLIB_DEFLATE
1148	help
1149	  Deflate compression algorithm (RFC1951)
1150
1151	  Used by IPSec with the IPCOMP protocol (RFC3173, RFC2394)
1152
1153config CRYPTO_LZO
1154	tristate "LZO"
1155	select CRYPTO_ALGAPI
1156	select CRYPTO_ACOMP2
1157	select LZO_COMPRESS
1158	select LZO_DECOMPRESS
1159	help
1160	  LZO compression algorithm
1161
1162	  See https://www.oberhumer.com/opensource/lzo/ for further information.
1163
1164config CRYPTO_842
1165	tristate "842"
1166	select CRYPTO_ALGAPI
1167	select CRYPTO_ACOMP2
1168	select 842_COMPRESS
1169	select 842_DECOMPRESS
1170	help
1171	  842 compression algorithm by IBM
1172
1173	  See https://github.com/plauth/lib842 for further information.
1174
1175config CRYPTO_LZ4
1176	tristate "LZ4"
1177	select CRYPTO_ALGAPI
1178	select CRYPTO_ACOMP2
1179	select LZ4_COMPRESS
1180	select LZ4_DECOMPRESS
1181	help
1182	  LZ4 compression algorithm
1183
1184	  See https://github.com/lz4/lz4 for further information.
1185
1186config CRYPTO_LZ4HC
1187	tristate "LZ4HC"
1188	select CRYPTO_ALGAPI
1189	select CRYPTO_ACOMP2
1190	select LZ4HC_COMPRESS
1191	select LZ4_DECOMPRESS
1192	help
1193	  LZ4 high compression mode algorithm
1194
1195	  See https://github.com/lz4/lz4 for further information.
1196
1197config CRYPTO_ZSTD
1198	tristate "Zstd"
1199	select CRYPTO_ALGAPI
1200	select CRYPTO_ACOMP2
1201	select ZSTD_COMPRESS
1202	select ZSTD_DECOMPRESS
1203	help
1204	  zstd compression algorithm
1205
1206	  See https://github.com/facebook/zstd for further information.
1207
1208endmenu
1209
1210menu "Random number generation"
1211
1212config CRYPTO_ANSI_CPRNG
1213	tristate "ANSI PRNG (Pseudo Random Number Generator)"
1214	select CRYPTO_AES
1215	select CRYPTO_RNG
1216	help
1217	  Pseudo RNG (random number generator) (ANSI X9.31 Appendix A.2.4)
1218
1219	  This uses the AES cipher algorithm.
1220
1221	  Note that this option must be enabled if CRYPTO_FIPS is selected
1222
1223menuconfig CRYPTO_DRBG_MENU
1224	tristate "NIST SP800-90A DRBG (Deterministic Random Bit Generator)"
1225	help
1226	  DRBG (Deterministic Random Bit Generator) (NIST SP800-90A)
1227
1228	  In the following submenu, one or more of the DRBG types must be selected.
1229
1230if CRYPTO_DRBG_MENU
1231
1232config CRYPTO_DRBG_HMAC
1233	bool
1234	default y
1235	select CRYPTO_HMAC
1236	select CRYPTO_SHA512
1237
1238config CRYPTO_DRBG_HASH
1239	bool "Hash_DRBG"
1240	select CRYPTO_SHA256
1241	help
1242	  Hash_DRBG variant as defined in NIST SP800-90A.
1243
1244	  This uses the SHA-1, SHA-256, SHA-384, or SHA-512 hash algorithms.
1245
1246config CRYPTO_DRBG_CTR
1247	bool "CTR_DRBG"
1248	select CRYPTO_AES
1249	select CRYPTO_CTR
1250	help
1251	  CTR_DRBG variant as defined in NIST SP800-90A.
1252
1253	  This uses the AES cipher algorithm with the counter block mode.
1254
1255config CRYPTO_DRBG
1256	tristate
1257	default CRYPTO_DRBG_MENU
1258	select CRYPTO_RNG
1259	select CRYPTO_JITTERENTROPY
1260
1261endif	# if CRYPTO_DRBG_MENU
1262
1263config CRYPTO_JITTERENTROPY
1264	tristate "CPU Jitter Non-Deterministic RNG (Random Number Generator)"
1265	select CRYPTO_RNG
1266	select CRYPTO_SHA3
1267	help
1268	  CPU Jitter RNG (Random Number Generator) from the Jitterentropy library
1269
1270	  A non-physical non-deterministic ("true") RNG (e.g., an entropy source
1271	  compliant with NIST SP800-90B) intended to provide a seed to a
1272	  deterministic RNG (e.g., per NIST SP800-90C).
1273	  This RNG does not perform any cryptographic whitening of the generated
1274	  random numbers.
1275
1276	  See https://www.chronox.de/jent/
1277
1278if CRYPTO_JITTERENTROPY
1279if CRYPTO_FIPS && EXPERT
1280
1281choice
1282	prompt "CPU Jitter RNG Memory Size"
1283	default CRYPTO_JITTERENTROPY_MEMSIZE_2
1284	help
1285	  The Jitter RNG measures the execution time of memory accesses.
1286	  Multiple consecutive memory accesses are performed. If the memory
1287	  size fits into a cache (e.g. L1), only the memory access timing
1288	  to that cache is measured. The closer the cache is to the CPU
1289	  the less variations are measured and thus the less entropy is
1290	  obtained. Thus, if the memory size fits into the L1 cache, the
1291	  obtained entropy is less than if the memory size fits within
1292	  L1 + L2, which in turn is less if the memory fits into
1293	  L1 + L2 + L3. Thus, by selecting a different memory size,
1294	  the entropy rate produced by the Jitter RNG can be modified.
1295
1296	config CRYPTO_JITTERENTROPY_MEMSIZE_2
1297		bool "2048 Bytes (default)"
1298
1299	config CRYPTO_JITTERENTROPY_MEMSIZE_128
1300		bool "128 kBytes"
1301
1302	config CRYPTO_JITTERENTROPY_MEMSIZE_1024
1303		bool "1024 kBytes"
1304
1305	config CRYPTO_JITTERENTROPY_MEMSIZE_8192
1306		bool "8192 kBytes"
1307endchoice
1308
1309config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
1310	int
1311	default 64 if CRYPTO_JITTERENTROPY_MEMSIZE_2
1312	default 512 if CRYPTO_JITTERENTROPY_MEMSIZE_128
1313	default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
1314	default 4096 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
1315
1316config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
1317	int
1318	default 32 if CRYPTO_JITTERENTROPY_MEMSIZE_2
1319	default 256 if CRYPTO_JITTERENTROPY_MEMSIZE_128
1320	default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
1321	default 2048 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
1322
1323config CRYPTO_JITTERENTROPY_OSR
1324	int "CPU Jitter RNG Oversampling Rate"
1325	range 1 15
1326	default 1
1327	help
1328	  The Jitter RNG allows the specification of an oversampling rate (OSR).
1329	  The Jitter RNG operation requires a fixed amount of timing
1330	  measurements to produce one output block of random numbers. The
1331	  OSR value is multiplied with the amount of timing measurements to
1332	  generate one output block. Thus, the timing measurement is oversampled
1333	  by the OSR factor. The oversampling allows the Jitter RNG to operate
1334	  on hardware whose timers deliver limited amount of entropy (e.g.
1335	  the timer is coarse) by setting the OSR to a higher value. The
1336	  trade-off, however, is that the Jitter RNG now requires more time
1337	  to generate random numbers.
1338
1339config CRYPTO_JITTERENTROPY_TESTINTERFACE
1340	bool "CPU Jitter RNG Test Interface"
1341	help
1342	  The test interface allows a privileged process to capture
1343	  the raw unconditioned high resolution time stamp noise that
1344	  is collected by the Jitter RNG for statistical analysis. As
1345	  this data is used at the same time to generate random bits,
1346	  the Jitter RNG operates in an insecure mode as long as the
1347	  recording is enabled. This interface therefore is only
1348	  intended for testing purposes and is not suitable for
1349	  production systems.
1350
1351	  The raw noise data can be obtained using the jent_raw_hires
1352	  debugfs file. Using the option
1353	  jitterentropy_testing.boot_raw_hires_test=1 the raw noise of
1354	  the first 1000 entropy events since boot can be sampled.
1355
1356	  If unsure, select N.
1357
1358endif	# if CRYPTO_FIPS && EXPERT
1359
1360if !(CRYPTO_FIPS && EXPERT)
1361
1362config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
1363	int
1364	default 64
1365
1366config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
1367	int
1368	default 32
1369
1370config CRYPTO_JITTERENTROPY_OSR
1371	int
1372	default 1
1373
1374config CRYPTO_JITTERENTROPY_TESTINTERFACE
1375	bool
1376
1377endif	# if !(CRYPTO_FIPS && EXPERT)
1378endif	# if CRYPTO_JITTERENTROPY
1379
1380config CRYPTO_KDF800108_CTR
1381	tristate
1382	select CRYPTO_HMAC
1383	select CRYPTO_SHA256
1384
1385endmenu
1386menu "Userspace interface"
1387
1388config CRYPTO_USER_API
1389	tristate
1390
1391config CRYPTO_USER_API_HASH
1392	tristate "Hash algorithms"
1393	depends on NET
1394	select CRYPTO_HASH
1395	select CRYPTO_USER_API
1396	help
1397	  Enable the userspace interface for hash algorithms.
1398
1399	  See Documentation/crypto/userspace-if.rst and
1400	  https://www.chronox.de/libkcapi/html/index.html
1401
1402config CRYPTO_USER_API_SKCIPHER
1403	tristate "Symmetric key cipher algorithms"
1404	depends on NET
1405	select CRYPTO_SKCIPHER
1406	select CRYPTO_USER_API
1407	help
1408	  Enable the userspace interface for symmetric key cipher algorithms.
1409
1410	  See Documentation/crypto/userspace-if.rst and
1411	  https://www.chronox.de/libkcapi/html/index.html
1412
1413config CRYPTO_USER_API_RNG
1414	tristate "RNG (random number generator) algorithms"
1415	depends on NET
1416	select CRYPTO_RNG
1417	select CRYPTO_USER_API
1418	help
1419	  Enable the userspace interface for RNG (random number generator)
1420	  algorithms.
1421
1422	  See Documentation/crypto/userspace-if.rst and
1423	  https://www.chronox.de/libkcapi/html/index.html
1424
1425config CRYPTO_USER_API_RNG_CAVP
1426	bool "Enable CAVP testing of DRBG"
1427	depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
1428	help
1429	  Enable extra APIs in the userspace interface for NIST CAVP
1430	  (Cryptographic Algorithm Validation Program) testing:
1431	  - resetting DRBG entropy
1432	  - providing Additional Data
1433
1434	  This should only be enabled for CAVP testing. You should say
1435	  no unless you know what this is.
1436
1437config CRYPTO_USER_API_AEAD
1438	tristate "AEAD cipher algorithms"
1439	depends on NET
1440	select CRYPTO_AEAD
1441	select CRYPTO_SKCIPHER
1442	select CRYPTO_NULL
1443	select CRYPTO_USER_API
1444	help
1445	  Enable the userspace interface for AEAD cipher algorithms.
1446
1447	  See Documentation/crypto/userspace-if.rst and
1448	  https://www.chronox.de/libkcapi/html/index.html
1449
1450config CRYPTO_USER_API_ENABLE_OBSOLETE
1451	bool "Obsolete cryptographic algorithms"
1452	depends on CRYPTO_USER_API
1453	default y
1454	help
1455	  Allow obsolete cryptographic algorithms to be selected that have
1456	  already been phased out from internal use by the kernel, and are
1457	  only useful for userspace clients that still rely on them.
1458
1459config CRYPTO_STATS
1460	bool "Crypto usage statistics"
1461	depends on CRYPTO_USER
1462	help
1463	  Enable the gathering of crypto stats.
1464
1465	  Enabling this option reduces the performance of the crypto API.  It
1466	  should only be enabled when there is actually a use case for it.
1467
1468	  This collects data sizes, numbers of requests, and numbers
1469	  of errors processed by:
1470	  - AEAD ciphers (encrypt, decrypt)
1471	  - asymmetric key ciphers (encrypt, decrypt, verify, sign)
1472	  - symmetric key ciphers (encrypt, decrypt)
1473	  - compression algorithms (compress, decompress)
1474	  - hash algorithms (hash)
1475	  - key-agreement protocol primitives (setsecret, generate
1476	    public key, compute shared secret)
1477	  - RNG (generate, seed)
1478
1479endmenu
1480
1481config CRYPTO_HASH_INFO
1482	bool
1483
1484if !KMSAN # avoid false positives from assembly
1485if ARM
1486source "arch/arm/crypto/Kconfig"
1487endif
1488if ARM64
1489source "arch/arm64/crypto/Kconfig"
1490endif
1491if LOONGARCH
1492source "arch/loongarch/crypto/Kconfig"
1493endif
1494if MIPS
1495source "arch/mips/crypto/Kconfig"
1496endif
1497if PPC
1498source "arch/powerpc/crypto/Kconfig"
1499endif
1500if RISCV
1501source "arch/riscv/crypto/Kconfig"
1502endif
1503if S390
1504source "arch/s390/crypto/Kconfig"
1505endif
1506if SPARC
1507source "arch/sparc/crypto/Kconfig"
1508endif
1509if X86
1510source "arch/x86/crypto/Kconfig"
1511endif
1512endif
1513
1514source "drivers/crypto/Kconfig"
1515source "crypto/asymmetric_keys/Kconfig"
1516source "certs/Kconfig"
1517
1518endif	# if CRYPTO
1519