xref: /linux/crypto/Kconfig (revision 76d09ea7c22f2cabf1f66ffc287c23b19b120be9) 
1# SPDX-License-Identifier: GPL-2.0
2#
3# Generic algorithms support
4#
5config XOR_BLOCKS
6	tristate
7
8#
9# async_tx api: hardware offloaded memory transfer/transform support
10#
11source "crypto/async_tx/Kconfig"
12
13#
14# Cryptographic API Configuration
15#
16menuconfig CRYPTO
17	tristate "Cryptographic API"
18	help
19	  This option provides the core Cryptographic API.
20
21if CRYPTO
22
23comment "Crypto core or helper"
24
25config CRYPTO_FIPS
26	bool "FIPS 200 compliance"
27	depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
28	depends on (MODULE_SIG || !MODULES)
29	help
30	  This options enables the fips boot option which is
31	  required if you want to system to operate in a FIPS 200
32	  certification.  You should say no unless you know what
33	  this is.
34
35config CRYPTO_ALGAPI
36	tristate
37	select CRYPTO_ALGAPI2
38	help
39	  This option provides the API for cryptographic algorithms.
40
41config CRYPTO_ALGAPI2
42	tristate
43
44config CRYPTO_AEAD
45	tristate
46	select CRYPTO_AEAD2
47	select CRYPTO_ALGAPI
48
49config CRYPTO_AEAD2
50	tristate
51	select CRYPTO_ALGAPI2
52	select CRYPTO_NULL2
53	select CRYPTO_RNG2
54
55config CRYPTO_BLKCIPHER
56	tristate
57	select CRYPTO_BLKCIPHER2
58	select CRYPTO_ALGAPI
59
60config CRYPTO_BLKCIPHER2
61	tristate
62	select CRYPTO_ALGAPI2
63	select CRYPTO_RNG2
64	select CRYPTO_WORKQUEUE
65
66config CRYPTO_HASH
67	tristate
68	select CRYPTO_HASH2
69	select CRYPTO_ALGAPI
70
71config CRYPTO_HASH2
72	tristate
73	select CRYPTO_ALGAPI2
74
75config CRYPTO_RNG
76	tristate
77	select CRYPTO_RNG2
78	select CRYPTO_ALGAPI
79
80config CRYPTO_RNG2
81	tristate
82	select CRYPTO_ALGAPI2
83
84config CRYPTO_RNG_DEFAULT
85	tristate
86	select CRYPTO_DRBG_MENU
87
88config CRYPTO_AKCIPHER2
89	tristate
90	select CRYPTO_ALGAPI2
91
92config CRYPTO_AKCIPHER
93	tristate
94	select CRYPTO_AKCIPHER2
95	select CRYPTO_ALGAPI
96
97config CRYPTO_KPP2
98	tristate
99	select CRYPTO_ALGAPI2
100
101config CRYPTO_KPP
102	tristate
103	select CRYPTO_ALGAPI
104	select CRYPTO_KPP2
105
106config CRYPTO_ACOMP2
107	tristate
108	select CRYPTO_ALGAPI2
109	select SGL_ALLOC
110
111config CRYPTO_ACOMP
112	tristate
113	select CRYPTO_ALGAPI
114	select CRYPTO_ACOMP2
115
116config CRYPTO_RSA
117	tristate "RSA algorithm"
118	select CRYPTO_AKCIPHER
119	select CRYPTO_MANAGER
120	select MPILIB
121	select ASN1
122	help
123	  Generic implementation of the RSA public key algorithm.
124
125config CRYPTO_DH
126	tristate "Diffie-Hellman algorithm"
127	select CRYPTO_KPP
128	select MPILIB
129	help
130	  Generic implementation of the Diffie-Hellman algorithm.
131
132config CRYPTO_ECDH
133	tristate "ECDH algorithm"
134	select CRYPTO_KPP
135	select CRYPTO_RNG_DEFAULT
136	help
137	  Generic implementation of the ECDH algorithm
138
139config CRYPTO_MANAGER
140	tristate "Cryptographic algorithm manager"
141	select CRYPTO_MANAGER2
142	help
143	  Create default cryptographic template instantiations such as
144	  cbc(aes).
145
146config CRYPTO_MANAGER2
147	def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
148	select CRYPTO_AEAD2
149	select CRYPTO_HASH2
150	select CRYPTO_BLKCIPHER2
151	select CRYPTO_AKCIPHER2
152	select CRYPTO_KPP2
153	select CRYPTO_ACOMP2
154
155config CRYPTO_USER
156	tristate "Userspace cryptographic algorithm configuration"
157	depends on NET
158	select CRYPTO_MANAGER
159	help
160	  Userspace configuration for cryptographic instantiations such as
161	  cbc(aes).
162
163config CRYPTO_MANAGER_DISABLE_TESTS
164	bool "Disable run-time self tests"
165	default y
166	depends on CRYPTO_MANAGER2
167	help
168	  Disable run-time self tests that normally take place at
169	  algorithm registration.
170
171config CRYPTO_GF128MUL
172	tristate "GF(2^128) multiplication functions"
173	help
174	  Efficient table driven implementation of multiplications in the
175	  field GF(2^128).  This is needed by some cypher modes. This
176	  option will be selected automatically if you select such a
177	  cipher mode.  Only select this option by hand if you expect to load
178	  an external module that requires these functions.
179
180config CRYPTO_NULL
181	tristate "Null algorithms"
182	select CRYPTO_NULL2
183	help
184	  These are 'Null' algorithms, used by IPsec, which do nothing.
185
186config CRYPTO_NULL2
187	tristate
188	select CRYPTO_ALGAPI2
189	select CRYPTO_BLKCIPHER2
190	select CRYPTO_HASH2
191
192config CRYPTO_PCRYPT
193	tristate "Parallel crypto engine"
194	depends on SMP
195	select PADATA
196	select CRYPTO_MANAGER
197	select CRYPTO_AEAD
198	help
199	  This converts an arbitrary crypto algorithm into a parallel
200	  algorithm that executes in kernel threads.
201
202config CRYPTO_WORKQUEUE
203       tristate
204
205config CRYPTO_CRYPTD
206	tristate "Software async crypto daemon"
207	select CRYPTO_BLKCIPHER
208	select CRYPTO_HASH
209	select CRYPTO_MANAGER
210	select CRYPTO_WORKQUEUE
211	help
212	  This is a generic software asynchronous crypto daemon that
213	  converts an arbitrary synchronous software crypto algorithm
214	  into an asynchronous algorithm that executes in a kernel thread.
215
216config CRYPTO_AUTHENC
217	tristate "Authenc support"
218	select CRYPTO_AEAD
219	select CRYPTO_BLKCIPHER
220	select CRYPTO_MANAGER
221	select CRYPTO_HASH
222	select CRYPTO_NULL
223	help
224	  Authenc: Combined mode wrapper for IPsec.
225	  This is required for IPSec.
226
227config CRYPTO_TEST
228	tristate "Testing module"
229	depends on m
230	select CRYPTO_MANAGER
231	help
232	  Quick & dirty crypto test module.
233
234config CRYPTO_SIMD
235	tristate
236	select CRYPTO_CRYPTD
237
238config CRYPTO_GLUE_HELPER_X86
239	tristate
240	depends on X86
241	select CRYPTO_BLKCIPHER
242
243config CRYPTO_ENGINE
244	tristate
245
246comment "Authenticated Encryption with Associated Data"
247
248config CRYPTO_CCM
249	tristate "CCM support"
250	select CRYPTO_CTR
251	select CRYPTO_HASH
252	select CRYPTO_AEAD
253	help
254	  Support for Counter with CBC MAC. Required for IPsec.
255
256config CRYPTO_GCM
257	tristate "GCM/GMAC support"
258	select CRYPTO_CTR
259	select CRYPTO_AEAD
260	select CRYPTO_GHASH
261	select CRYPTO_NULL
262	help
263	  Support for Galois/Counter Mode (GCM) and Galois Message
264	  Authentication Code (GMAC). Required for IPSec.
265
266config CRYPTO_CHACHA20POLY1305
267	tristate "ChaCha20-Poly1305 AEAD support"
268	select CRYPTO_CHACHA20
269	select CRYPTO_POLY1305
270	select CRYPTO_AEAD
271	help
272	  ChaCha20-Poly1305 AEAD support, RFC7539.
273
274	  Support for the AEAD wrapper using the ChaCha20 stream cipher combined
275	  with the Poly1305 authenticator. It is defined in RFC7539 for use in
276	  IETF protocols.
277
278config CRYPTO_AEGIS128
279	tristate "AEGIS-128 AEAD algorithm"
280	select CRYPTO_AEAD
281	select CRYPTO_AES  # for AES S-box tables
282	help
283	 Support for the AEGIS-128 dedicated AEAD algorithm.
284
285config CRYPTO_AEGIS128L
286	tristate "AEGIS-128L AEAD algorithm"
287	select CRYPTO_AEAD
288	select CRYPTO_AES  # for AES S-box tables
289	help
290	 Support for the AEGIS-128L dedicated AEAD algorithm.
291
292config CRYPTO_AEGIS256
293	tristate "AEGIS-256 AEAD algorithm"
294	select CRYPTO_AEAD
295	select CRYPTO_AES  # for AES S-box tables
296	help
297	 Support for the AEGIS-256 dedicated AEAD algorithm.
298
299config CRYPTO_AEGIS128_AESNI_SSE2
300	tristate "AEGIS-128 AEAD algorithm (x86_64 AESNI+SSE2 implementation)"
301	depends on X86 && 64BIT
302	select CRYPTO_AEAD
303	select CRYPTO_CRYPTD
304	help
305	 AESNI+SSE2 implementation of the AEGSI-128 dedicated AEAD algorithm.
306
307config CRYPTO_AEGIS128L_AESNI_SSE2
308	tristate "AEGIS-128L AEAD algorithm (x86_64 AESNI+SSE2 implementation)"
309	depends on X86 && 64BIT
310	select CRYPTO_AEAD
311	select CRYPTO_CRYPTD
312	help
313	 AESNI+SSE2 implementation of the AEGSI-128L dedicated AEAD algorithm.
314
315config CRYPTO_AEGIS256_AESNI_SSE2
316	tristate "AEGIS-256 AEAD algorithm (x86_64 AESNI+SSE2 implementation)"
317	depends on X86 && 64BIT
318	select CRYPTO_AEAD
319	select CRYPTO_CRYPTD
320	help
321	 AESNI+SSE2 implementation of the AEGSI-256 dedicated AEAD algorithm.
322
323config CRYPTO_MORUS640
324	tristate "MORUS-640 AEAD algorithm"
325	select CRYPTO_AEAD
326	help
327	  Support for the MORUS-640 dedicated AEAD algorithm.
328
329config CRYPTO_MORUS640_GLUE
330	tristate
331	depends on X86
332	select CRYPTO_AEAD
333	select CRYPTO_CRYPTD
334	help
335	  Common glue for SIMD optimizations of the MORUS-640 dedicated AEAD
336	  algorithm.
337
338config CRYPTO_MORUS640_SSE2
339	tristate "MORUS-640 AEAD algorithm (x86_64 SSE2 implementation)"
340	depends on X86 && 64BIT
341	select CRYPTO_AEAD
342	select CRYPTO_MORUS640_GLUE
343	help
344	  SSE2 implementation of the MORUS-640 dedicated AEAD algorithm.
345
346config CRYPTO_MORUS1280
347	tristate "MORUS-1280 AEAD algorithm"
348	select CRYPTO_AEAD
349	help
350	  Support for the MORUS-1280 dedicated AEAD algorithm.
351
352config CRYPTO_MORUS1280_GLUE
353	tristate
354	depends on X86
355	select CRYPTO_AEAD
356	select CRYPTO_CRYPTD
357	help
358	  Common glue for SIMD optimizations of the MORUS-1280 dedicated AEAD
359	  algorithm.
360
361config CRYPTO_MORUS1280_SSE2
362	tristate "MORUS-1280 AEAD algorithm (x86_64 SSE2 implementation)"
363	depends on X86 && 64BIT
364	select CRYPTO_AEAD
365	select CRYPTO_MORUS1280_GLUE
366	help
367	  SSE2 optimizedimplementation of the MORUS-1280 dedicated AEAD
368	  algorithm.
369
370config CRYPTO_MORUS1280_AVX2
371	tristate "MORUS-1280 AEAD algorithm (x86_64 AVX2 implementation)"
372	depends on X86 && 64BIT
373	select CRYPTO_AEAD
374	select CRYPTO_MORUS1280_GLUE
375	help
376	  AVX2 optimized implementation of the MORUS-1280 dedicated AEAD
377	  algorithm.
378
379config CRYPTO_SEQIV
380	tristate "Sequence Number IV Generator"
381	select CRYPTO_AEAD
382	select CRYPTO_BLKCIPHER
383	select CRYPTO_NULL
384	select CRYPTO_RNG_DEFAULT
385	help
386	  This IV generator generates an IV based on a sequence number by
387	  xoring it with a salt.  This algorithm is mainly useful for CTR
388
389config CRYPTO_ECHAINIV
390	tristate "Encrypted Chain IV Generator"
391	select CRYPTO_AEAD
392	select CRYPTO_NULL
393	select CRYPTO_RNG_DEFAULT
394	default m
395	help
396	  This IV generator generates an IV based on the encryption of
397	  a sequence number xored with a salt.  This is the default
398	  algorithm for CBC.
399
400comment "Block modes"
401
402config CRYPTO_CBC
403	tristate "CBC support"
404	select CRYPTO_BLKCIPHER
405	select CRYPTO_MANAGER
406	help
407	  CBC: Cipher Block Chaining mode
408	  This block cipher algorithm is required for IPSec.
409
410config CRYPTO_CFB
411	tristate "CFB support"
412	select CRYPTO_BLKCIPHER
413	select CRYPTO_MANAGER
414	help
415	  CFB: Cipher FeedBack mode
416	  This block cipher algorithm is required for TPM2 Cryptography.
417
418config CRYPTO_CTR
419	tristate "CTR support"
420	select CRYPTO_BLKCIPHER
421	select CRYPTO_SEQIV
422	select CRYPTO_MANAGER
423	help
424	  CTR: Counter mode
425	  This block cipher algorithm is required for IPSec.
426
427config CRYPTO_CTS
428	tristate "CTS support"
429	select CRYPTO_BLKCIPHER
430	help
431	  CTS: Cipher Text Stealing
432	  This is the Cipher Text Stealing mode as described by
433	  Section 8 of rfc2040 and referenced by rfc3962
434	  (rfc3962 includes errata information in its Appendix A) or
435	  CBC-CS3 as defined by NIST in Sp800-38A addendum from Oct 2010.
436	  This mode is required for Kerberos gss mechanism support
437	  for AES encryption.
438
439	  See: https://csrc.nist.gov/publications/detail/sp/800-38a/addendum/final
440
441config CRYPTO_ECB
442	tristate "ECB support"
443	select CRYPTO_BLKCIPHER
444	select CRYPTO_MANAGER
445	help
446	  ECB: Electronic CodeBook mode
447	  This is the simplest block cipher algorithm.  It simply encrypts
448	  the input block by block.
449
450config CRYPTO_LRW
451	tristate "LRW support"
452	select CRYPTO_BLKCIPHER
453	select CRYPTO_MANAGER
454	select CRYPTO_GF128MUL
455	help
456	  LRW: Liskov Rivest Wagner, a tweakable, non malleable, non movable
457	  narrow block cipher mode for dm-crypt.  Use it with cipher
458	  specification string aes-lrw-benbi, the key must be 256, 320 or 384.
459	  The first 128, 192 or 256 bits in the key are used for AES and the
460	  rest is used to tie each cipher block to its logical position.
461
462config CRYPTO_OFB
463	tristate "OFB support"
464	select CRYPTO_BLKCIPHER
465	select CRYPTO_MANAGER
466	help
467	  OFB: the Output Feedback mode makes a block cipher into a synchronous
468	  stream cipher. It generates keystream blocks, which are then XORed
469	  with the plaintext blocks to get the ciphertext. Flipping a bit in the
470	  ciphertext produces a flipped bit in the plaintext at the same
471	  location. This property allows many error correcting codes to function
472	  normally even when applied before encryption.
473
474config CRYPTO_PCBC
475	tristate "PCBC support"
476	select CRYPTO_BLKCIPHER
477	select CRYPTO_MANAGER
478	help
479	  PCBC: Propagating Cipher Block Chaining mode
480	  This block cipher algorithm is required for RxRPC.
481
482config CRYPTO_XTS
483	tristate "XTS support"
484	select CRYPTO_BLKCIPHER
485	select CRYPTO_MANAGER
486	select CRYPTO_ECB
487	help
488	  XTS: IEEE1619/D16 narrow block cipher use with aes-xts-plain,
489	  key size 256, 384 or 512 bits. This implementation currently
490	  can't handle a sectorsize which is not a multiple of 16 bytes.
491
492config CRYPTO_KEYWRAP
493	tristate "Key wrapping support"
494	select CRYPTO_BLKCIPHER
495	help
496	  Support for key wrapping (NIST SP800-38F / RFC3394) without
497	  padding.
498
499config CRYPTO_NHPOLY1305
500	tristate
501	select CRYPTO_HASH
502	select CRYPTO_POLY1305
503
504config CRYPTO_ADIANTUM
505	tristate "Adiantum support"
506	select CRYPTO_CHACHA20
507	select CRYPTO_POLY1305
508	select CRYPTO_NHPOLY1305
509	help
510	  Adiantum is a tweakable, length-preserving encryption mode
511	  designed for fast and secure disk encryption, especially on
512	  CPUs without dedicated crypto instructions.  It encrypts
513	  each sector using the XChaCha12 stream cipher, two passes of
514	  an ε-almost-∆-universal hash function, and an invocation of
515	  the AES-256 block cipher on a single 16-byte block.  On CPUs
516	  without AES instructions, Adiantum is much faster than
517	  AES-XTS.
518
519	  Adiantum's security is provably reducible to that of its
520	  underlying stream and block ciphers, subject to a security
521	  bound.  Unlike XTS, Adiantum is a true wide-block encryption
522	  mode, so it actually provides an even stronger notion of
523	  security than XTS, subject to the security bound.
524
525	  If unsure, say N.
526
527comment "Hash modes"
528
529config CRYPTO_CMAC
530	tristate "CMAC support"
531	select CRYPTO_HASH
532	select CRYPTO_MANAGER
533	help
534	  Cipher-based Message Authentication Code (CMAC) specified by
535	  The National Institute of Standards and Technology (NIST).
536
537	  https://tools.ietf.org/html/rfc4493
538	  http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf
539
540config CRYPTO_HMAC
541	tristate "HMAC support"
542	select CRYPTO_HASH
543	select CRYPTO_MANAGER
544	help
545	  HMAC: Keyed-Hashing for Message Authentication (RFC2104).
546	  This is required for IPSec.
547
548config CRYPTO_XCBC
549	tristate "XCBC support"
550	select CRYPTO_HASH
551	select CRYPTO_MANAGER
552	help
553	  XCBC: Keyed-Hashing with encryption algorithm
554		http://www.ietf.org/rfc/rfc3566.txt
555		http://csrc.nist.gov/encryption/modes/proposedmodes/
556		 xcbc-mac/xcbc-mac-spec.pdf
557
558config CRYPTO_VMAC
559	tristate "VMAC support"
560	select CRYPTO_HASH
561	select CRYPTO_MANAGER
562	help
563	  VMAC is a message authentication algorithm designed for
564	  very high speed on 64-bit architectures.
565
566	  See also:
567	  <http://fastcrypto.org/vmac>
568
569comment "Digest"
570
571config CRYPTO_CRC32C
572	tristate "CRC32c CRC algorithm"
573	select CRYPTO_HASH
574	select CRC32
575	help
576	  Castagnoli, et al Cyclic Redundancy-Check Algorithm.  Used
577	  by iSCSI for header and data digests and by others.
578	  See Castagnoli93.  Module will be crc32c.
579
580config CRYPTO_CRC32C_INTEL
581	tristate "CRC32c INTEL hardware acceleration"
582	depends on X86
583	select CRYPTO_HASH
584	help
585	  In Intel processor with SSE4.2 supported, the processor will
586	  support CRC32C implementation using hardware accelerated CRC32
587	  instruction. This option will create 'crc32c-intel' module,
588	  which will enable any routine to use the CRC32 instruction to
589	  gain performance compared with software implementation.
590	  Module will be crc32c-intel.
591
592config CRYPTO_CRC32C_VPMSUM
593	tristate "CRC32c CRC algorithm (powerpc64)"
594	depends on PPC64 && ALTIVEC
595	select CRYPTO_HASH
596	select CRC32
597	help
598	  CRC32c algorithm implemented using vector polynomial multiply-sum
599	  (vpmsum) instructions, introduced in POWER8. Enable on POWER8
600	  and newer processors for improved performance.
601
602
603config CRYPTO_CRC32C_SPARC64
604	tristate "CRC32c CRC algorithm (SPARC64)"
605	depends on SPARC64
606	select CRYPTO_HASH
607	select CRC32
608	help
609	  CRC32c CRC algorithm implemented using sparc64 crypto instructions,
610	  when available.
611
612config CRYPTO_CRC32
613	tristate "CRC32 CRC algorithm"
614	select CRYPTO_HASH
615	select CRC32
616	help
617	  CRC-32-IEEE 802.3 cyclic redundancy-check algorithm.
618	  Shash crypto api wrappers to crc32_le function.
619
620config CRYPTO_CRC32_PCLMUL
621	tristate "CRC32 PCLMULQDQ hardware acceleration"
622	depends on X86
623	select CRYPTO_HASH
624	select CRC32
625	help
626	  From Intel Westmere and AMD Bulldozer processor with SSE4.2
627	  and PCLMULQDQ supported, the processor will support
628	  CRC32 PCLMULQDQ implementation using hardware accelerated PCLMULQDQ
629	  instruction. This option will create 'crc32-plcmul' module,
630	  which will enable any routine to use the CRC-32-IEEE 802.3 checksum
631	  and gain better performance as compared with the table implementation.
632
633config CRYPTO_CRC32_MIPS
634	tristate "CRC32c and CRC32 CRC algorithm (MIPS)"
635	depends on MIPS_CRC_SUPPORT
636	select CRYPTO_HASH
637	help
638	  CRC32c and CRC32 CRC algorithms implemented using mips crypto
639	  instructions, when available.
640
641
642config CRYPTO_CRCT10DIF
643	tristate "CRCT10DIF algorithm"
644	select CRYPTO_HASH
645	help
646	  CRC T10 Data Integrity Field computation is being cast as
647	  a crypto transform.  This allows for faster crc t10 diff
648	  transforms to be used if they are available.
649
650config CRYPTO_CRCT10DIF_PCLMUL
651	tristate "CRCT10DIF PCLMULQDQ hardware acceleration"
652	depends on X86 && 64BIT && CRC_T10DIF
653	select CRYPTO_HASH
654	help
655	  For x86_64 processors with SSE4.2 and PCLMULQDQ supported,
656	  CRC T10 DIF PCLMULQDQ computation can be hardware
657	  accelerated PCLMULQDQ instruction. This option will create
658	  'crct10dif-plcmul' module, which is faster when computing the
659	  crct10dif checksum as compared with the generic table implementation.
660
661config CRYPTO_CRCT10DIF_VPMSUM
662	tristate "CRC32T10DIF powerpc64 hardware acceleration"
663	depends on PPC64 && ALTIVEC && CRC_T10DIF
664	select CRYPTO_HASH
665	help
666	  CRC10T10DIF algorithm implemented using vector polynomial
667	  multiply-sum (vpmsum) instructions, introduced in POWER8. Enable on
668	  POWER8 and newer processors for improved performance.
669
670config CRYPTO_VPMSUM_TESTER
671	tristate "Powerpc64 vpmsum hardware acceleration tester"
672	depends on CRYPTO_CRCT10DIF_VPMSUM && CRYPTO_CRC32C_VPMSUM
673	help
674	  Stress test for CRC32c and CRC-T10DIF algorithms implemented with
675	  POWER8 vpmsum instructions.
676	  Unless you are testing these algorithms, you don't need this.
677
678config CRYPTO_GHASH
679	tristate "GHASH digest algorithm"
680	select CRYPTO_GF128MUL
681	select CRYPTO_HASH
682	help
683	  GHASH is message digest algorithm for GCM (Galois/Counter Mode).
684
685config CRYPTO_POLY1305
686	tristate "Poly1305 authenticator algorithm"
687	select CRYPTO_HASH
688	help
689	  Poly1305 authenticator algorithm, RFC7539.
690
691	  Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
692	  It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
693	  in IETF protocols. This is the portable C implementation of Poly1305.
694
695config CRYPTO_POLY1305_X86_64
696	tristate "Poly1305 authenticator algorithm (x86_64/SSE2/AVX2)"
697	depends on X86 && 64BIT
698	select CRYPTO_POLY1305
699	help
700	  Poly1305 authenticator algorithm, RFC7539.
701
702	  Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
703	  It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
704	  in IETF protocols. This is the x86_64 assembler implementation using SIMD
705	  instructions.
706
707config CRYPTO_MD4
708	tristate "MD4 digest algorithm"
709	select CRYPTO_HASH
710	help
711	  MD4 message digest algorithm (RFC1320).
712
713config CRYPTO_MD5
714	tristate "MD5 digest algorithm"
715	select CRYPTO_HASH
716	help
717	  MD5 message digest algorithm (RFC1321).
718
719config CRYPTO_MD5_OCTEON
720	tristate "MD5 digest algorithm (OCTEON)"
721	depends on CPU_CAVIUM_OCTEON
722	select CRYPTO_MD5
723	select CRYPTO_HASH
724	help
725	  MD5 message digest algorithm (RFC1321) implemented
726	  using OCTEON crypto instructions, when available.
727
728config CRYPTO_MD5_PPC
729	tristate "MD5 digest algorithm (PPC)"
730	depends on PPC
731	select CRYPTO_HASH
732	help
733	  MD5 message digest algorithm (RFC1321) implemented
734	  in PPC assembler.
735
736config CRYPTO_MD5_SPARC64
737	tristate "MD5 digest algorithm (SPARC64)"
738	depends on SPARC64
739	select CRYPTO_MD5
740	select CRYPTO_HASH
741	help
742	  MD5 message digest algorithm (RFC1321) implemented
743	  using sparc64 crypto instructions, when available.
744
745config CRYPTO_MICHAEL_MIC
746	tristate "Michael MIC keyed digest algorithm"
747	select CRYPTO_HASH
748	help
749	  Michael MIC is used for message integrity protection in TKIP
750	  (IEEE 802.11i). This algorithm is required for TKIP, but it
751	  should not be used for other purposes because of the weakness
752	  of the algorithm.
753
754config CRYPTO_RMD128
755	tristate "RIPEMD-128 digest algorithm"
756	select CRYPTO_HASH
757	help
758	  RIPEMD-128 (ISO/IEC 10118-3:2004).
759
760	  RIPEMD-128 is a 128-bit cryptographic hash function. It should only
761	  be used as a secure replacement for RIPEMD. For other use cases,
762	  RIPEMD-160 should be used.
763
764	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
765	  See <http://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
766
767config CRYPTO_RMD160
768	tristate "RIPEMD-160 digest algorithm"
769	select CRYPTO_HASH
770	help
771	  RIPEMD-160 (ISO/IEC 10118-3:2004).
772
773	  RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
774	  to be used as a secure replacement for the 128-bit hash functions
775	  MD4, MD5 and it's predecessor RIPEMD
776	  (not to be confused with RIPEMD-128).
777
778	  It's speed is comparable to SHA1 and there are no known attacks
779	  against RIPEMD-160.
780
781	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
782	  See <http://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
783
784config CRYPTO_RMD256
785	tristate "RIPEMD-256 digest algorithm"
786	select CRYPTO_HASH
787	help
788	  RIPEMD-256 is an optional extension of RIPEMD-128 with a
789	  256 bit hash. It is intended for applications that require
790	  longer hash-results, without needing a larger security level
791	  (than RIPEMD-128).
792
793	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
794	  See <http://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
795
796config CRYPTO_RMD320
797	tristate "RIPEMD-320 digest algorithm"
798	select CRYPTO_HASH
799	help
800	  RIPEMD-320 is an optional extension of RIPEMD-160 with a
801	  320 bit hash. It is intended for applications that require
802	  longer hash-results, without needing a larger security level
803	  (than RIPEMD-160).
804
805	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
806	  See <http://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
807
808config CRYPTO_SHA1
809	tristate "SHA1 digest algorithm"
810	select CRYPTO_HASH
811	help
812	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2).
813
814config CRYPTO_SHA1_SSSE3
815	tristate "SHA1 digest algorithm (SSSE3/AVX/AVX2/SHA-NI)"
816	depends on X86 && 64BIT
817	select CRYPTO_SHA1
818	select CRYPTO_HASH
819	help
820	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
821	  using Supplemental SSE3 (SSSE3) instructions or Advanced Vector
822	  Extensions (AVX/AVX2) or SHA-NI(SHA Extensions New Instructions),
823	  when available.
824
825config CRYPTO_SHA256_SSSE3
826	tristate "SHA256 digest algorithm (SSSE3/AVX/AVX2/SHA-NI)"
827	depends on X86 && 64BIT
828	select CRYPTO_SHA256
829	select CRYPTO_HASH
830	help
831	  SHA-256 secure hash standard (DFIPS 180-2) implemented
832	  using Supplemental SSE3 (SSSE3) instructions, or Advanced Vector
833	  Extensions version 1 (AVX1), or Advanced Vector Extensions
834	  version 2 (AVX2) instructions, or SHA-NI (SHA Extensions New
835	  Instructions) when available.
836
837config CRYPTO_SHA512_SSSE3
838	tristate "SHA512 digest algorithm (SSSE3/AVX/AVX2)"
839	depends on X86 && 64BIT
840	select CRYPTO_SHA512
841	select CRYPTO_HASH
842	help
843	  SHA-512 secure hash standard (DFIPS 180-2) implemented
844	  using Supplemental SSE3 (SSSE3) instructions, or Advanced Vector
845	  Extensions version 1 (AVX1), or Advanced Vector Extensions
846	  version 2 (AVX2) instructions, when available.
847
848config CRYPTO_SHA1_OCTEON
849	tristate "SHA1 digest algorithm (OCTEON)"
850	depends on CPU_CAVIUM_OCTEON
851	select CRYPTO_SHA1
852	select CRYPTO_HASH
853	help
854	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
855	  using OCTEON crypto instructions, when available.
856
857config CRYPTO_SHA1_SPARC64
858	tristate "SHA1 digest algorithm (SPARC64)"
859	depends on SPARC64
860	select CRYPTO_SHA1
861	select CRYPTO_HASH
862	help
863	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
864	  using sparc64 crypto instructions, when available.
865
866config CRYPTO_SHA1_PPC
867	tristate "SHA1 digest algorithm (powerpc)"
868	depends on PPC
869	help
870	  This is the powerpc hardware accelerated implementation of the
871	  SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2).
872
873config CRYPTO_SHA1_PPC_SPE
874	tristate "SHA1 digest algorithm (PPC SPE)"
875	depends on PPC && SPE
876	help
877	  SHA-1 secure hash standard (DFIPS 180-4) implemented
878	  using powerpc SPE SIMD instruction set.
879
880config CRYPTO_SHA256
881	tristate "SHA224 and SHA256 digest algorithm"
882	select CRYPTO_HASH
883	help
884	  SHA256 secure hash standard (DFIPS 180-2).
885
886	  This version of SHA implements a 256 bit hash with 128 bits of
887	  security against collision attacks.
888
889	  This code also includes SHA-224, a 224 bit hash with 112 bits
890	  of security against collision attacks.
891
892config CRYPTO_SHA256_PPC_SPE
893	tristate "SHA224 and SHA256 digest algorithm (PPC SPE)"
894	depends on PPC && SPE
895	select CRYPTO_SHA256
896	select CRYPTO_HASH
897	help
898	  SHA224 and SHA256 secure hash standard (DFIPS 180-2)
899	  implemented using powerpc SPE SIMD instruction set.
900
901config CRYPTO_SHA256_OCTEON
902	tristate "SHA224 and SHA256 digest algorithm (OCTEON)"
903	depends on CPU_CAVIUM_OCTEON
904	select CRYPTO_SHA256
905	select CRYPTO_HASH
906	help
907	  SHA-256 secure hash standard (DFIPS 180-2) implemented
908	  using OCTEON crypto instructions, when available.
909
910config CRYPTO_SHA256_SPARC64
911	tristate "SHA224 and SHA256 digest algorithm (SPARC64)"
912	depends on SPARC64
913	select CRYPTO_SHA256
914	select CRYPTO_HASH
915	help
916	  SHA-256 secure hash standard (DFIPS 180-2) implemented
917	  using sparc64 crypto instructions, when available.
918
919config CRYPTO_SHA512
920	tristate "SHA384 and SHA512 digest algorithms"
921	select CRYPTO_HASH
922	help
923	  SHA512 secure hash standard (DFIPS 180-2).
924
925	  This version of SHA implements a 512 bit hash with 256 bits of
926	  security against collision attacks.
927
928	  This code also includes SHA-384, a 384 bit hash with 192 bits
929	  of security against collision attacks.
930
931config CRYPTO_SHA512_OCTEON
932	tristate "SHA384 and SHA512 digest algorithms (OCTEON)"
933	depends on CPU_CAVIUM_OCTEON
934	select CRYPTO_SHA512
935	select CRYPTO_HASH
936	help
937	  SHA-512 secure hash standard (DFIPS 180-2) implemented
938	  using OCTEON crypto instructions, when available.
939
940config CRYPTO_SHA512_SPARC64
941	tristate "SHA384 and SHA512 digest algorithm (SPARC64)"
942	depends on SPARC64
943	select CRYPTO_SHA512
944	select CRYPTO_HASH
945	help
946	  SHA-512 secure hash standard (DFIPS 180-2) implemented
947	  using sparc64 crypto instructions, when available.
948
949config CRYPTO_SHA3
950	tristate "SHA3 digest algorithm"
951	select CRYPTO_HASH
952	help
953	  SHA-3 secure hash standard (DFIPS 202). It's based on
954	  cryptographic sponge function family called Keccak.
955
956	  References:
957	  http://keccak.noekeon.org/
958
959config CRYPTO_SM3
960	tristate "SM3 digest algorithm"
961	select CRYPTO_HASH
962	help
963	  SM3 secure hash function as defined by OSCCA GM/T 0004-2012 SM3).
964	  It is part of the Chinese Commercial Cryptography suite.
965
966	  References:
967	  http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
968	  https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
969
970config CRYPTO_STREEBOG
971	tristate "Streebog Hash Function"
972	select CRYPTO_HASH
973	help
974	  Streebog Hash Function (GOST R 34.11-2012, RFC 6986) is one of the Russian
975	  cryptographic standard algorithms (called GOST algorithms).
976	  This setting enables two hash algorithms with 256 and 512 bits output.
977
978	  References:
979	  https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
980	  https://tools.ietf.org/html/rfc6986
981
982config CRYPTO_TGR192
983	tristate "Tiger digest algorithms"
984	select CRYPTO_HASH
985	help
986	  Tiger hash algorithm 192, 160 and 128-bit hashes
987
988	  Tiger is a hash function optimized for 64-bit processors while
989	  still having decent performance on 32-bit processors.
990	  Tiger was developed by Ross Anderson and Eli Biham.
991
992	  See also:
993	  <http://www.cs.technion.ac.il/~biham/Reports/Tiger/>.
994
995config CRYPTO_WP512
996	tristate "Whirlpool digest algorithms"
997	select CRYPTO_HASH
998	help
999	  Whirlpool hash algorithm 512, 384 and 256-bit hashes
1000
1001	  Whirlpool-512 is part of the NESSIE cryptographic primitives.
1002	  Whirlpool will be part of the ISO/IEC 10118-3:2003(E) standard
1003
1004	  See also:
1005	  <http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html>
1006
1007config CRYPTO_GHASH_CLMUL_NI_INTEL
1008	tristate "GHASH digest algorithm (CLMUL-NI accelerated)"
1009	depends on X86 && 64BIT
1010	select CRYPTO_CRYPTD
1011	help
1012	  GHASH is message digest algorithm for GCM (Galois/Counter Mode).
1013	  The implementation is accelerated by CLMUL-NI of Intel.
1014
1015comment "Ciphers"
1016
1017config CRYPTO_AES
1018	tristate "AES cipher algorithms"
1019	select CRYPTO_ALGAPI
1020	help
1021	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
1022	  algorithm.
1023
1024	  Rijndael appears to be consistently a very good performer in
1025	  both hardware and software across a wide range of computing
1026	  environments regardless of its use in feedback or non-feedback
1027	  modes. Its key setup time is excellent, and its key agility is
1028	  good. Rijndael's very low memory requirements make it very well
1029	  suited for restricted-space environments, in which it also
1030	  demonstrates excellent performance. Rijndael's operations are
1031	  among the easiest to defend against power and timing attacks.
1032
1033	  The AES specifies three key sizes: 128, 192 and 256 bits
1034
1035	  See <http://csrc.nist.gov/CryptoToolkit/aes/> for more information.
1036
1037config CRYPTO_AES_TI
1038	tristate "Fixed time AES cipher"
1039	select CRYPTO_ALGAPI
1040	help
1041	  This is a generic implementation of AES that attempts to eliminate
1042	  data dependent latencies as much as possible without affecting
1043	  performance too much. It is intended for use by the generic CCM
1044	  and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
1045	  solely on encryption (although decryption is supported as well, but
1046	  with a more dramatic performance hit)
1047
1048	  Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
1049	  8 for decryption), this implementation only uses just two S-boxes of
1050	  256 bytes each, and attempts to eliminate data dependent latencies by
1051	  prefetching the entire table into the cache at the start of each
1052	  block. Interrupts are also disabled to avoid races where cachelines
1053	  are evicted when the CPU is interrupted to do something else.
1054
1055config CRYPTO_AES_586
1056	tristate "AES cipher algorithms (i586)"
1057	depends on (X86 || UML_X86) && !64BIT
1058	select CRYPTO_ALGAPI
1059	select CRYPTO_AES
1060	help
1061	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
1062	  algorithm.
1063
1064	  Rijndael appears to be consistently a very good performer in
1065	  both hardware and software across a wide range of computing
1066	  environments regardless of its use in feedback or non-feedback
1067	  modes. Its key setup time is excellent, and its key agility is
1068	  good. Rijndael's very low memory requirements make it very well
1069	  suited for restricted-space environments, in which it also
1070	  demonstrates excellent performance. Rijndael's operations are
1071	  among the easiest to defend against power and timing attacks.
1072
1073	  The AES specifies three key sizes: 128, 192 and 256 bits
1074
1075	  See <http://csrc.nist.gov/encryption/aes/> for more information.
1076
1077config CRYPTO_AES_X86_64
1078	tristate "AES cipher algorithms (x86_64)"
1079	depends on (X86 || UML_X86) && 64BIT
1080	select CRYPTO_ALGAPI
1081	select CRYPTO_AES
1082	help
1083	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
1084	  algorithm.
1085
1086	  Rijndael appears to be consistently a very good performer in
1087	  both hardware and software across a wide range of computing
1088	  environments regardless of its use in feedback or non-feedback
1089	  modes. Its key setup time is excellent, and its key agility is
1090	  good. Rijndael's very low memory requirements make it very well
1091	  suited for restricted-space environments, in which it also
1092	  demonstrates excellent performance. Rijndael's operations are
1093	  among the easiest to defend against power and timing attacks.
1094
1095	  The AES specifies three key sizes: 128, 192 and 256 bits
1096
1097	  See <http://csrc.nist.gov/encryption/aes/> for more information.
1098
1099config CRYPTO_AES_NI_INTEL
1100	tristate "AES cipher algorithms (AES-NI)"
1101	depends on X86
1102	select CRYPTO_AEAD
1103	select CRYPTO_AES_X86_64 if 64BIT
1104	select CRYPTO_AES_586 if !64BIT
1105	select CRYPTO_ALGAPI
1106	select CRYPTO_BLKCIPHER
1107	select CRYPTO_GLUE_HELPER_X86 if 64BIT
1108	select CRYPTO_SIMD
1109	help
1110	  Use Intel AES-NI instructions for AES algorithm.
1111
1112	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
1113	  algorithm.
1114
1115	  Rijndael appears to be consistently a very good performer in
1116	  both hardware and software across a wide range of computing
1117	  environments regardless of its use in feedback or non-feedback
1118	  modes. Its key setup time is excellent, and its key agility is
1119	  good. Rijndael's very low memory requirements make it very well
1120	  suited for restricted-space environments, in which it also
1121	  demonstrates excellent performance. Rijndael's operations are
1122	  among the easiest to defend against power and timing attacks.
1123
1124	  The AES specifies three key sizes: 128, 192 and 256 bits
1125
1126	  See <http://csrc.nist.gov/encryption/aes/> for more information.
1127
1128	  In addition to AES cipher algorithm support, the acceleration
1129	  for some popular block cipher mode is supported too, including
1130	  ECB, CBC, LRW, XTS. The 64 bit version has additional
1131	  acceleration for CTR.
1132
1133config CRYPTO_AES_SPARC64
1134	tristate "AES cipher algorithms (SPARC64)"
1135	depends on SPARC64
1136	select CRYPTO_CRYPTD
1137	select CRYPTO_ALGAPI
1138	help
1139	  Use SPARC64 crypto opcodes for AES algorithm.
1140
1141	  AES cipher algorithms (FIPS-197). AES uses the Rijndael
1142	  algorithm.
1143
1144	  Rijndael appears to be consistently a very good performer in
1145	  both hardware and software across a wide range of computing
1146	  environments regardless of its use in feedback or non-feedback
1147	  modes. Its key setup time is excellent, and its key agility is
1148	  good. Rijndael's very low memory requirements make it very well
1149	  suited for restricted-space environments, in which it also
1150	  demonstrates excellent performance. Rijndael's operations are
1151	  among the easiest to defend against power and timing attacks.
1152
1153	  The AES specifies three key sizes: 128, 192 and 256 bits
1154
1155	  See <http://csrc.nist.gov/encryption/aes/> for more information.
1156
1157	  In addition to AES cipher algorithm support, the acceleration
1158	  for some popular block cipher mode is supported too, including
1159	  ECB and CBC.
1160
1161config CRYPTO_AES_PPC_SPE
1162	tristate "AES cipher algorithms (PPC SPE)"
1163	depends on PPC && SPE
1164	help
1165	  AES cipher algorithms (FIPS-197). Additionally the acceleration
1166	  for popular block cipher modes ECB, CBC, CTR and XTS is supported.
1167	  This module should only be used for low power (router) devices
1168	  without hardware AES acceleration (e.g. caam crypto). It reduces the
1169	  size of the AES tables from 16KB to 8KB + 256 bytes and mitigates
1170	  timining attacks. Nevertheless it might be not as secure as other
1171	  architecture specific assembler implementations that work on 1KB
1172	  tables or 256 bytes S-boxes.
1173
1174config CRYPTO_ANUBIS
1175	tristate "Anubis cipher algorithm"
1176	select CRYPTO_ALGAPI
1177	help
1178	  Anubis cipher algorithm.
1179
1180	  Anubis is a variable key length cipher which can use keys from
1181	  128 bits to 320 bits in length.  It was evaluated as a entrant
1182	  in the NESSIE competition.
1183
1184	  See also:
1185	  <https://www.cosic.esat.kuleuven.be/nessie/reports/>
1186	  <http://www.larc.usp.br/~pbarreto/AnubisPage.html>
1187
1188config CRYPTO_ARC4
1189	tristate "ARC4 cipher algorithm"
1190	select CRYPTO_BLKCIPHER
1191	help
1192	  ARC4 cipher algorithm.
1193
1194	  ARC4 is a stream cipher using keys ranging from 8 bits to 2048
1195	  bits in length.  This algorithm is required for driver-based
1196	  WEP, but it should not be for other purposes because of the
1197	  weakness of the algorithm.
1198
1199config CRYPTO_BLOWFISH
1200	tristate "Blowfish cipher algorithm"
1201	select CRYPTO_ALGAPI
1202	select CRYPTO_BLOWFISH_COMMON
1203	help
1204	  Blowfish cipher algorithm, by Bruce Schneier.
1205
1206	  This is a variable key length cipher which can use keys from 32
1207	  bits to 448 bits in length.  It's fast, simple and specifically
1208	  designed for use on "large microprocessors".
1209
1210	  See also:
1211	  <http://www.schneier.com/blowfish.html>
1212
1213config CRYPTO_BLOWFISH_COMMON
1214	tristate
1215	help
1216	  Common parts of the Blowfish cipher algorithm shared by the
1217	  generic c and the assembler implementations.
1218
1219	  See also:
1220	  <http://www.schneier.com/blowfish.html>
1221
1222config CRYPTO_BLOWFISH_X86_64
1223	tristate "Blowfish cipher algorithm (x86_64)"
1224	depends on X86 && 64BIT
1225	select CRYPTO_BLKCIPHER
1226	select CRYPTO_BLOWFISH_COMMON
1227	help
1228	  Blowfish cipher algorithm (x86_64), by Bruce Schneier.
1229
1230	  This is a variable key length cipher which can use keys from 32
1231	  bits to 448 bits in length.  It's fast, simple and specifically
1232	  designed for use on "large microprocessors".
1233
1234	  See also:
1235	  <http://www.schneier.com/blowfish.html>
1236
1237config CRYPTO_CAMELLIA
1238	tristate "Camellia cipher algorithms"
1239	depends on CRYPTO
1240	select CRYPTO_ALGAPI
1241	help
1242	  Camellia cipher algorithms module.
1243
1244	  Camellia is a symmetric key block cipher developed jointly
1245	  at NTT and Mitsubishi Electric Corporation.
1246
1247	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1248
1249	  See also:
1250	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1251
1252config CRYPTO_CAMELLIA_X86_64
1253	tristate "Camellia cipher algorithm (x86_64)"
1254	depends on X86 && 64BIT
1255	depends on CRYPTO
1256	select CRYPTO_BLKCIPHER
1257	select CRYPTO_GLUE_HELPER_X86
1258	help
1259	  Camellia cipher algorithm module (x86_64).
1260
1261	  Camellia is a symmetric key block cipher developed jointly
1262	  at NTT and Mitsubishi Electric Corporation.
1263
1264	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1265
1266	  See also:
1267	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1268
1269config CRYPTO_CAMELLIA_AESNI_AVX_X86_64
1270	tristate "Camellia cipher algorithm (x86_64/AES-NI/AVX)"
1271	depends on X86 && 64BIT
1272	depends on CRYPTO
1273	select CRYPTO_BLKCIPHER
1274	select CRYPTO_CAMELLIA_X86_64
1275	select CRYPTO_GLUE_HELPER_X86
1276	select CRYPTO_SIMD
1277	select CRYPTO_XTS
1278	help
1279	  Camellia cipher algorithm module (x86_64/AES-NI/AVX).
1280
1281	  Camellia is a symmetric key block cipher developed jointly
1282	  at NTT and Mitsubishi Electric Corporation.
1283
1284	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1285
1286	  See also:
1287	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1288
1289config CRYPTO_CAMELLIA_AESNI_AVX2_X86_64
1290	tristate "Camellia cipher algorithm (x86_64/AES-NI/AVX2)"
1291	depends on X86 && 64BIT
1292	depends on CRYPTO
1293	select CRYPTO_CAMELLIA_AESNI_AVX_X86_64
1294	help
1295	  Camellia cipher algorithm module (x86_64/AES-NI/AVX2).
1296
1297	  Camellia is a symmetric key block cipher developed jointly
1298	  at NTT and Mitsubishi Electric Corporation.
1299
1300	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1301
1302	  See also:
1303	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1304
1305config CRYPTO_CAMELLIA_SPARC64
1306	tristate "Camellia cipher algorithm (SPARC64)"
1307	depends on SPARC64
1308	depends on CRYPTO
1309	select CRYPTO_ALGAPI
1310	help
1311	  Camellia cipher algorithm module (SPARC64).
1312
1313	  Camellia is a symmetric key block cipher developed jointly
1314	  at NTT and Mitsubishi Electric Corporation.
1315
1316	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
1317
1318	  See also:
1319	  <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1320
1321config CRYPTO_CAST_COMMON
1322	tristate
1323	help
1324	  Common parts of the CAST cipher algorithms shared by the
1325	  generic c and the assembler implementations.
1326
1327config CRYPTO_CAST5
1328	tristate "CAST5 (CAST-128) cipher algorithm"
1329	select CRYPTO_ALGAPI
1330	select CRYPTO_CAST_COMMON
1331	help
1332	  The CAST5 encryption algorithm (synonymous with CAST-128) is
1333	  described in RFC2144.
1334
1335config CRYPTO_CAST5_AVX_X86_64
1336	tristate "CAST5 (CAST-128) cipher algorithm (x86_64/AVX)"
1337	depends on X86 && 64BIT
1338	select CRYPTO_BLKCIPHER
1339	select CRYPTO_CAST5
1340	select CRYPTO_CAST_COMMON
1341	select CRYPTO_SIMD
1342	help
1343	  The CAST5 encryption algorithm (synonymous with CAST-128) is
1344	  described in RFC2144.
1345
1346	  This module provides the Cast5 cipher algorithm that processes
1347	  sixteen blocks parallel using the AVX instruction set.
1348
1349config CRYPTO_CAST6
1350	tristate "CAST6 (CAST-256) cipher algorithm"
1351	select CRYPTO_ALGAPI
1352	select CRYPTO_CAST_COMMON
1353	help
1354	  The CAST6 encryption algorithm (synonymous with CAST-256) is
1355	  described in RFC2612.
1356
1357config CRYPTO_CAST6_AVX_X86_64
1358	tristate "CAST6 (CAST-256) cipher algorithm (x86_64/AVX)"
1359	depends on X86 && 64BIT
1360	select CRYPTO_BLKCIPHER
1361	select CRYPTO_CAST6
1362	select CRYPTO_CAST_COMMON
1363	select CRYPTO_GLUE_HELPER_X86
1364	select CRYPTO_SIMD
1365	select CRYPTO_XTS
1366	help
1367	  The CAST6 encryption algorithm (synonymous with CAST-256) is
1368	  described in RFC2612.
1369
1370	  This module provides the Cast6 cipher algorithm that processes
1371	  eight blocks parallel using the AVX instruction set.
1372
1373config CRYPTO_DES
1374	tristate "DES and Triple DES EDE cipher algorithms"
1375	select CRYPTO_ALGAPI
1376	help
1377	  DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3).
1378
1379config CRYPTO_DES_SPARC64
1380	tristate "DES and Triple DES EDE cipher algorithms (SPARC64)"
1381	depends on SPARC64
1382	select CRYPTO_ALGAPI
1383	select CRYPTO_DES
1384	help
1385	  DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3),
1386	  optimized using SPARC64 crypto opcodes.
1387
1388config CRYPTO_DES3_EDE_X86_64
1389	tristate "Triple DES EDE cipher algorithm (x86-64)"
1390	depends on X86 && 64BIT
1391	select CRYPTO_BLKCIPHER
1392	select CRYPTO_DES
1393	help
1394	  Triple DES EDE (FIPS 46-3) algorithm.
1395
1396	  This module provides implementation of the Triple DES EDE cipher
1397	  algorithm that is optimized for x86-64 processors. Two versions of
1398	  algorithm are provided; regular processing one input block and
1399	  one that processes three blocks parallel.
1400
1401config CRYPTO_FCRYPT
1402	tristate "FCrypt cipher algorithm"
1403	select CRYPTO_ALGAPI
1404	select CRYPTO_BLKCIPHER
1405	help
1406	  FCrypt algorithm used by RxRPC.
1407
1408config CRYPTO_KHAZAD
1409	tristate "Khazad cipher algorithm"
1410	select CRYPTO_ALGAPI
1411	help
1412	  Khazad cipher algorithm.
1413
1414	  Khazad was a finalist in the initial NESSIE competition.  It is
1415	  an algorithm optimized for 64-bit processors with good performance
1416	  on 32-bit processors.  Khazad uses an 128 bit key size.
1417
1418	  See also:
1419	  <http://www.larc.usp.br/~pbarreto/KhazadPage.html>
1420
1421config CRYPTO_SALSA20
1422	tristate "Salsa20 stream cipher algorithm"
1423	select CRYPTO_BLKCIPHER
1424	help
1425	  Salsa20 stream cipher algorithm.
1426
1427	  Salsa20 is a stream cipher submitted to eSTREAM, the ECRYPT
1428	  Stream Cipher Project. See <http://www.ecrypt.eu.org/stream/>
1429
1430	  The Salsa20 stream cipher algorithm is designed by Daniel J.
1431	  Bernstein <djb@cr.yp.to>. See <http://cr.yp.to/snuffle.html>
1432
1433config CRYPTO_CHACHA20
1434	tristate "ChaCha stream cipher algorithms"
1435	select CRYPTO_BLKCIPHER
1436	help
1437	  The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms.
1438
1439	  ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
1440	  Bernstein and further specified in RFC7539 for use in IETF protocols.
1441	  This is the portable C implementation of ChaCha20.  See also:
1442	  <http://cr.yp.to/chacha/chacha-20080128.pdf>
1443
1444	  XChaCha20 is the application of the XSalsa20 construction to ChaCha20
1445	  rather than to Salsa20.  XChaCha20 extends ChaCha20's nonce length
1446	  from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
1447	  while provably retaining ChaCha20's security.  See also:
1448	  <https://cr.yp.to/snuffle/xsalsa-20081128.pdf>
1449
1450	  XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
1451	  reduced security margin but increased performance.  It can be needed
1452	  in some performance-sensitive scenarios.
1453
1454config CRYPTO_CHACHA20_X86_64
1455	tristate "ChaCha20 cipher algorithm (x86_64/SSSE3/AVX2)"
1456	depends on X86 && 64BIT
1457	select CRYPTO_BLKCIPHER
1458	select CRYPTO_CHACHA20
1459	help
1460	  ChaCha20 cipher algorithm, RFC7539.
1461
1462	  ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
1463	  Bernstein and further specified in RFC7539 for use in IETF protocols.
1464	  This is the x86_64 assembler implementation using SIMD instructions.
1465
1466	  See also:
1467	  <http://cr.yp.to/chacha/chacha-20080128.pdf>
1468
1469config CRYPTO_SEED
1470	tristate "SEED cipher algorithm"
1471	select CRYPTO_ALGAPI
1472	help
1473	  SEED cipher algorithm (RFC4269).
1474
1475	  SEED is a 128-bit symmetric key block cipher that has been
1476	  developed by KISA (Korea Information Security Agency) as a
1477	  national standard encryption algorithm of the Republic of Korea.
1478	  It is a 16 round block cipher with the key size of 128 bit.
1479
1480	  See also:
1481	  <http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp>
1482
1483config CRYPTO_SERPENT
1484	tristate "Serpent cipher algorithm"
1485	select CRYPTO_ALGAPI
1486	help
1487	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1488
1489	  Keys are allowed to be from 0 to 256 bits in length, in steps
1490	  of 8 bits.  Also includes the 'Tnepres' algorithm, a reversed
1491	  variant of Serpent for compatibility with old kerneli.org code.
1492
1493	  See also:
1494	  <http://www.cl.cam.ac.uk/~rja14/serpent.html>
1495
1496config CRYPTO_SERPENT_SSE2_X86_64
1497	tristate "Serpent cipher algorithm (x86_64/SSE2)"
1498	depends on X86 && 64BIT
1499	select CRYPTO_BLKCIPHER
1500	select CRYPTO_GLUE_HELPER_X86
1501	select CRYPTO_SERPENT
1502	select CRYPTO_SIMD
1503	help
1504	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1505
1506	  Keys are allowed to be from 0 to 256 bits in length, in steps
1507	  of 8 bits.
1508
1509	  This module provides Serpent cipher algorithm that processes eight
1510	  blocks parallel using SSE2 instruction set.
1511
1512	  See also:
1513	  <http://www.cl.cam.ac.uk/~rja14/serpent.html>
1514
1515config CRYPTO_SERPENT_SSE2_586
1516	tristate "Serpent cipher algorithm (i586/SSE2)"
1517	depends on X86 && !64BIT
1518	select CRYPTO_BLKCIPHER
1519	select CRYPTO_GLUE_HELPER_X86
1520	select CRYPTO_SERPENT
1521	select CRYPTO_SIMD
1522	help
1523	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1524
1525	  Keys are allowed to be from 0 to 256 bits in length, in steps
1526	  of 8 bits.
1527
1528	  This module provides Serpent cipher algorithm that processes four
1529	  blocks parallel using SSE2 instruction set.
1530
1531	  See also:
1532	  <http://www.cl.cam.ac.uk/~rja14/serpent.html>
1533
1534config CRYPTO_SERPENT_AVX_X86_64
1535	tristate "Serpent cipher algorithm (x86_64/AVX)"
1536	depends on X86 && 64BIT
1537	select CRYPTO_BLKCIPHER
1538	select CRYPTO_GLUE_HELPER_X86
1539	select CRYPTO_SERPENT
1540	select CRYPTO_SIMD
1541	select CRYPTO_XTS
1542	help
1543	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1544
1545	  Keys are allowed to be from 0 to 256 bits in length, in steps
1546	  of 8 bits.
1547
1548	  This module provides the Serpent cipher algorithm that processes
1549	  eight blocks parallel using the AVX instruction set.
1550
1551	  See also:
1552	  <http://www.cl.cam.ac.uk/~rja14/serpent.html>
1553
1554config CRYPTO_SERPENT_AVX2_X86_64
1555	tristate "Serpent cipher algorithm (x86_64/AVX2)"
1556	depends on X86 && 64BIT
1557	select CRYPTO_SERPENT_AVX_X86_64
1558	help
1559	  Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1560
1561	  Keys are allowed to be from 0 to 256 bits in length, in steps
1562	  of 8 bits.
1563
1564	  This module provides Serpent cipher algorithm that processes 16
1565	  blocks parallel using AVX2 instruction set.
1566
1567	  See also:
1568	  <http://www.cl.cam.ac.uk/~rja14/serpent.html>
1569
1570config CRYPTO_SM4
1571	tristate "SM4 cipher algorithm"
1572	select CRYPTO_ALGAPI
1573	help
1574	  SM4 cipher algorithms (OSCCA GB/T 32907-2016).
1575
1576	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
1577	  Organization of State Commercial Administration of China (OSCCA)
1578	  as an authorized cryptographic algorithms for the use within China.
1579
1580	  SMS4 was originally created for use in protecting wireless
1581	  networks, and is mandated in the Chinese National Standard for
1582	  Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
1583	  (GB.15629.11-2003).
1584
1585	  The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
1586	  standardized through TC 260 of the Standardization Administration
1587	  of the People's Republic of China (SAC).
1588
1589	  The input, output, and key of SMS4 are each 128 bits.
1590
1591	  See also: <https://eprint.iacr.org/2008/329.pdf>
1592
1593	  If unsure, say N.
1594
1595config CRYPTO_TEA
1596	tristate "TEA, XTEA and XETA cipher algorithms"
1597	select CRYPTO_ALGAPI
1598	help
1599	  TEA cipher algorithm.
1600
1601	  Tiny Encryption Algorithm is a simple cipher that uses
1602	  many rounds for security.  It is very fast and uses
1603	  little memory.
1604
1605	  Xtendend Tiny Encryption Algorithm is a modification to
1606	  the TEA algorithm to address a potential key weakness
1607	  in the TEA algorithm.
1608
1609	  Xtendend Encryption Tiny Algorithm is a mis-implementation
1610	  of the XTEA algorithm for compatibility purposes.
1611
1612config CRYPTO_TWOFISH
1613	tristate "Twofish cipher algorithm"
1614	select CRYPTO_ALGAPI
1615	select CRYPTO_TWOFISH_COMMON
1616	help
1617	  Twofish cipher algorithm.
1618
1619	  Twofish was submitted as an AES (Advanced Encryption Standard)
1620	  candidate cipher by researchers at CounterPane Systems.  It is a
1621	  16 round block cipher supporting key sizes of 128, 192, and 256
1622	  bits.
1623
1624	  See also:
1625	  <http://www.schneier.com/twofish.html>
1626
1627config CRYPTO_TWOFISH_COMMON
1628	tristate
1629	help
1630	  Common parts of the Twofish cipher algorithm shared by the
1631	  generic c and the assembler implementations.
1632
1633config CRYPTO_TWOFISH_586
1634	tristate "Twofish cipher algorithms (i586)"
1635	depends on (X86 || UML_X86) && !64BIT
1636	select CRYPTO_ALGAPI
1637	select CRYPTO_TWOFISH_COMMON
1638	help
1639	  Twofish cipher algorithm.
1640
1641	  Twofish was submitted as an AES (Advanced Encryption Standard)
1642	  candidate cipher by researchers at CounterPane Systems.  It is a
1643	  16 round block cipher supporting key sizes of 128, 192, and 256
1644	  bits.
1645
1646	  See also:
1647	  <http://www.schneier.com/twofish.html>
1648
1649config CRYPTO_TWOFISH_X86_64
1650	tristate "Twofish cipher algorithm (x86_64)"
1651	depends on (X86 || UML_X86) && 64BIT
1652	select CRYPTO_ALGAPI
1653	select CRYPTO_TWOFISH_COMMON
1654	help
1655	  Twofish cipher algorithm (x86_64).
1656
1657	  Twofish was submitted as an AES (Advanced Encryption Standard)
1658	  candidate cipher by researchers at CounterPane Systems.  It is a
1659	  16 round block cipher supporting key sizes of 128, 192, and 256
1660	  bits.
1661
1662	  See also:
1663	  <http://www.schneier.com/twofish.html>
1664
1665config CRYPTO_TWOFISH_X86_64_3WAY
1666	tristate "Twofish cipher algorithm (x86_64, 3-way parallel)"
1667	depends on X86 && 64BIT
1668	select CRYPTO_BLKCIPHER
1669	select CRYPTO_TWOFISH_COMMON
1670	select CRYPTO_TWOFISH_X86_64
1671	select CRYPTO_GLUE_HELPER_X86
1672	help
1673	  Twofish cipher algorithm (x86_64, 3-way parallel).
1674
1675	  Twofish was submitted as an AES (Advanced Encryption Standard)
1676	  candidate cipher by researchers at CounterPane Systems.  It is a
1677	  16 round block cipher supporting key sizes of 128, 192, and 256
1678	  bits.
1679
1680	  This module provides Twofish cipher algorithm that processes three
1681	  blocks parallel, utilizing resources of out-of-order CPUs better.
1682
1683	  See also:
1684	  <http://www.schneier.com/twofish.html>
1685
1686config CRYPTO_TWOFISH_AVX_X86_64
1687	tristate "Twofish cipher algorithm (x86_64/AVX)"
1688	depends on X86 && 64BIT
1689	select CRYPTO_BLKCIPHER
1690	select CRYPTO_GLUE_HELPER_X86
1691	select CRYPTO_SIMD
1692	select CRYPTO_TWOFISH_COMMON
1693	select CRYPTO_TWOFISH_X86_64
1694	select CRYPTO_TWOFISH_X86_64_3WAY
1695	help
1696	  Twofish cipher algorithm (x86_64/AVX).
1697
1698	  Twofish was submitted as an AES (Advanced Encryption Standard)
1699	  candidate cipher by researchers at CounterPane Systems.  It is a
1700	  16 round block cipher supporting key sizes of 128, 192, and 256
1701	  bits.
1702
1703	  This module provides the Twofish cipher algorithm that processes
1704	  eight blocks parallel using the AVX Instruction Set.
1705
1706	  See also:
1707	  <http://www.schneier.com/twofish.html>
1708
1709comment "Compression"
1710
1711config CRYPTO_DEFLATE
1712	tristate "Deflate compression algorithm"
1713	select CRYPTO_ALGAPI
1714	select CRYPTO_ACOMP2
1715	select ZLIB_INFLATE
1716	select ZLIB_DEFLATE
1717	help
1718	  This is the Deflate algorithm (RFC1951), specified for use in
1719	  IPSec with the IPCOMP protocol (RFC3173, RFC2394).
1720
1721	  You will most probably want this if using IPSec.
1722
1723config CRYPTO_LZO
1724	tristate "LZO compression algorithm"
1725	select CRYPTO_ALGAPI
1726	select CRYPTO_ACOMP2
1727	select LZO_COMPRESS
1728	select LZO_DECOMPRESS
1729	help
1730	  This is the LZO algorithm.
1731
1732config CRYPTO_842
1733	tristate "842 compression algorithm"
1734	select CRYPTO_ALGAPI
1735	select CRYPTO_ACOMP2
1736	select 842_COMPRESS
1737	select 842_DECOMPRESS
1738	help
1739	  This is the 842 algorithm.
1740
1741config CRYPTO_LZ4
1742	tristate "LZ4 compression algorithm"
1743	select CRYPTO_ALGAPI
1744	select CRYPTO_ACOMP2
1745	select LZ4_COMPRESS
1746	select LZ4_DECOMPRESS
1747	help
1748	  This is the LZ4 algorithm.
1749
1750config CRYPTO_LZ4HC
1751	tristate "LZ4HC compression algorithm"
1752	select CRYPTO_ALGAPI
1753	select CRYPTO_ACOMP2
1754	select LZ4HC_COMPRESS
1755	select LZ4_DECOMPRESS
1756	help
1757	  This is the LZ4 high compression mode algorithm.
1758
1759config CRYPTO_ZSTD
1760	tristate "Zstd compression algorithm"
1761	select CRYPTO_ALGAPI
1762	select CRYPTO_ACOMP2
1763	select ZSTD_COMPRESS
1764	select ZSTD_DECOMPRESS
1765	help
1766	  This is the zstd algorithm.
1767
1768comment "Random Number Generation"
1769
1770config CRYPTO_ANSI_CPRNG
1771	tristate "Pseudo Random Number Generation for Cryptographic modules"
1772	select CRYPTO_AES
1773	select CRYPTO_RNG
1774	help
1775	  This option enables the generic pseudo random number generator
1776	  for cryptographic modules.  Uses the Algorithm specified in
1777	  ANSI X9.31 A.2.4. Note that this option must be enabled if
1778	  CRYPTO_FIPS is selected
1779
1780menuconfig CRYPTO_DRBG_MENU
1781	tristate "NIST SP800-90A DRBG"
1782	help
1783	  NIST SP800-90A compliant DRBG. In the following submenu, one or
1784	  more of the DRBG types must be selected.
1785
1786if CRYPTO_DRBG_MENU
1787
1788config CRYPTO_DRBG_HMAC
1789	bool
1790	default y
1791	select CRYPTO_HMAC
1792	select CRYPTO_SHA256
1793
1794config CRYPTO_DRBG_HASH
1795	bool "Enable Hash DRBG"
1796	select CRYPTO_SHA256
1797	help
1798	  Enable the Hash DRBG variant as defined in NIST SP800-90A.
1799
1800config CRYPTO_DRBG_CTR
1801	bool "Enable CTR DRBG"
1802	select CRYPTO_AES
1803	depends on CRYPTO_CTR
1804	help
1805	  Enable the CTR DRBG variant as defined in NIST SP800-90A.
1806
1807config CRYPTO_DRBG
1808	tristate
1809	default CRYPTO_DRBG_MENU
1810	select CRYPTO_RNG
1811	select CRYPTO_JITTERENTROPY
1812
1813endif	# if CRYPTO_DRBG_MENU
1814
1815config CRYPTO_JITTERENTROPY
1816	tristate "Jitterentropy Non-Deterministic Random Number Generator"
1817	select CRYPTO_RNG
1818	help
1819	  The Jitterentropy RNG is a noise that is intended
1820	  to provide seed to another RNG. The RNG does not
1821	  perform any cryptographic whitening of the generated
1822	  random numbers. This Jitterentropy RNG registers with
1823	  the kernel crypto API and can be used by any caller.
1824
1825config CRYPTO_USER_API
1826	tristate
1827
1828config CRYPTO_USER_API_HASH
1829	tristate "User-space interface for hash algorithms"
1830	depends on NET
1831	select CRYPTO_HASH
1832	select CRYPTO_USER_API
1833	help
1834	  This option enables the user-spaces interface for hash
1835	  algorithms.
1836
1837config CRYPTO_USER_API_SKCIPHER
1838	tristate "User-space interface for symmetric key cipher algorithms"
1839	depends on NET
1840	select CRYPTO_BLKCIPHER
1841	select CRYPTO_USER_API
1842	help
1843	  This option enables the user-spaces interface for symmetric
1844	  key cipher algorithms.
1845
1846config CRYPTO_USER_API_RNG
1847	tristate "User-space interface for random number generator algorithms"
1848	depends on NET
1849	select CRYPTO_RNG
1850	select CRYPTO_USER_API
1851	help
1852	  This option enables the user-spaces interface for random
1853	  number generator algorithms.
1854
1855config CRYPTO_USER_API_AEAD
1856	tristate "User-space interface for AEAD cipher algorithms"
1857	depends on NET
1858	select CRYPTO_AEAD
1859	select CRYPTO_BLKCIPHER
1860	select CRYPTO_NULL
1861	select CRYPTO_USER_API
1862	help
1863	  This option enables the user-spaces interface for AEAD
1864	  cipher algorithms.
1865
1866config CRYPTO_STATS
1867	bool "Crypto usage statistics for User-space"
1868	depends on CRYPTO_USER
1869	help
1870	  This option enables the gathering of crypto stats.
1871	  This will collect:
1872	  - encrypt/decrypt size and numbers of symmeric operations
1873	  - compress/decompress size and numbers of compress operations
1874	  - size and numbers of hash operations
1875	  - encrypt/decrypt/sign/verify numbers for asymmetric operations
1876	  - generate/seed numbers for rng operations
1877
1878config CRYPTO_HASH_INFO
1879	bool
1880
1881source "drivers/crypto/Kconfig"
1882source crypto/asymmetric_keys/Kconfig
1883source certs/Kconfig
1884
1885endif	# if CRYPTO
1886