xref: /linux/crypto/Kconfig (revision ebc733e54a1a79ea2dde2ba5121ae73a188e20d4)
1# SPDX-License-Identifier: GPL-2.0
2#
3# Generic algorithms support
4#
5config XOR_BLOCKS
6	tristate
7
8#
9# async_tx api: hardware offloaded memory transfer/transform support
10#
11source "crypto/async_tx/Kconfig"
12
13#
14# Cryptographic API Configuration
15#
16menuconfig CRYPTO
17	tristate "Cryptographic API"
18	select CRYPTO_LIB_UTILS
19	help
20	  This option provides the core Cryptographic API.
21
22if CRYPTO
23
24menu "Crypto core or helper"
25
26config CRYPTO_FIPS
27	bool "FIPS 200 compliance"
28	depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
29	depends on (MODULE_SIG || !MODULES)
30	help
31	  This option enables the fips boot option which is
32	  required if you want the system to operate in a FIPS 200
33	  certification.  You should say no unless you know what
34	  this is.
35
36config CRYPTO_FIPS_NAME
37	string "FIPS Module Name"
38	default "Linux Kernel Cryptographic API"
39	depends on CRYPTO_FIPS
40	help
41	  This option sets the FIPS Module name reported by the Crypto API via
42	  the /proc/sys/crypto/fips_name file.
43
44config CRYPTO_FIPS_CUSTOM_VERSION
45	bool "Use Custom FIPS Module Version"
46	depends on CRYPTO_FIPS
47	default n
48
49config CRYPTO_FIPS_VERSION
50	string "FIPS Module Version"
51	default "(none)"
52	depends on CRYPTO_FIPS_CUSTOM_VERSION
53	help
54	  This option provides the ability to override the FIPS Module Version.
55	  By default the KERNELRELEASE value is used.
56
57config CRYPTO_ALGAPI
58	tristate
59	select CRYPTO_ALGAPI2
60	help
61	  This option provides the API for cryptographic algorithms.
62
63config CRYPTO_ALGAPI2
64	tristate
65
66config CRYPTO_AEAD
67	tristate
68	select CRYPTO_AEAD2
69	select CRYPTO_ALGAPI
70
71config CRYPTO_AEAD2
72	tristate
73	select CRYPTO_ALGAPI2
74
75config CRYPTO_SIG
76	tristate
77	select CRYPTO_SIG2
78	select CRYPTO_ALGAPI
79
80config CRYPTO_SIG2
81	tristate
82	select CRYPTO_ALGAPI2
83
84config CRYPTO_SKCIPHER
85	tristate
86	select CRYPTO_SKCIPHER2
87	select CRYPTO_ALGAPI
88	select CRYPTO_ECB
89
90config CRYPTO_SKCIPHER2
91	tristate
92	select CRYPTO_ALGAPI2
93
94config CRYPTO_HASH
95	tristate
96	select CRYPTO_HASH2
97	select CRYPTO_ALGAPI
98
99config CRYPTO_HASH2
100	tristate
101	select CRYPTO_ALGAPI2
102
103config CRYPTO_RNG
104	tristate
105	select CRYPTO_RNG2
106	select CRYPTO_ALGAPI
107
108config CRYPTO_RNG2
109	tristate
110	select CRYPTO_ALGAPI2
111
112config CRYPTO_RNG_DEFAULT
113	tristate
114	select CRYPTO_DRBG_MENU
115
116config CRYPTO_AKCIPHER2
117	tristate
118	select CRYPTO_ALGAPI2
119
120config CRYPTO_AKCIPHER
121	tristate
122	select CRYPTO_AKCIPHER2
123	select CRYPTO_ALGAPI
124
125config CRYPTO_KPP2
126	tristate
127	select CRYPTO_ALGAPI2
128
129config CRYPTO_KPP
130	tristate
131	select CRYPTO_ALGAPI
132	select CRYPTO_KPP2
133
134config CRYPTO_ACOMP2
135	tristate
136	select CRYPTO_ALGAPI2
137	select SGL_ALLOC
138
139config CRYPTO_ACOMP
140	tristate
141	select CRYPTO_ALGAPI
142	select CRYPTO_ACOMP2
143
144config CRYPTO_MANAGER
145	tristate "Cryptographic algorithm manager"
146	select CRYPTO_MANAGER2
147	help
148	  Create default cryptographic template instantiations such as
149	  cbc(aes).
150
151config CRYPTO_MANAGER2
152	def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
153	select CRYPTO_ACOMP2
154	select CRYPTO_AEAD2
155	select CRYPTO_AKCIPHER2
156	select CRYPTO_SIG2
157	select CRYPTO_HASH2
158	select CRYPTO_KPP2
159	select CRYPTO_RNG2
160	select CRYPTO_SKCIPHER2
161
162config CRYPTO_USER
163	tristate "Userspace cryptographic algorithm configuration"
164	depends on NET
165	select CRYPTO_MANAGER
166	help
167	  Userspace configuration for cryptographic instantiations such as
168	  cbc(aes).
169
170config CRYPTO_MANAGER_DISABLE_TESTS
171	bool "Disable run-time self tests"
172	default y
173	help
174	  Disable run-time self tests that normally take place at
175	  algorithm registration.
176
177config CRYPTO_MANAGER_EXTRA_TESTS
178	bool "Enable extra run-time crypto self tests"
179	depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER
180	help
181	  Enable extra run-time self tests of registered crypto algorithms,
182	  including randomized fuzz tests.
183
184	  This is intended for developer use only, as these tests take much
185	  longer to run than the normal self tests.
186
187config CRYPTO_NULL
188	tristate "Null algorithms"
189	select CRYPTO_NULL2
190	help
191	  These are 'Null' algorithms, used by IPsec, which do nothing.
192
193config CRYPTO_NULL2
194	tristate
195	select CRYPTO_ALGAPI2
196	select CRYPTO_SKCIPHER2
197	select CRYPTO_HASH2
198
199config CRYPTO_PCRYPT
200	tristate "Parallel crypto engine"
201	depends on SMP
202	select PADATA
203	select CRYPTO_MANAGER
204	select CRYPTO_AEAD
205	help
206	  This converts an arbitrary crypto algorithm into a parallel
207	  algorithm that executes in kernel threads.
208
209config CRYPTO_CRYPTD
210	tristate "Software async crypto daemon"
211	select CRYPTO_SKCIPHER
212	select CRYPTO_HASH
213	select CRYPTO_MANAGER
214	help
215	  This is a generic software asynchronous crypto daemon that
216	  converts an arbitrary synchronous software crypto algorithm
217	  into an asynchronous algorithm that executes in a kernel thread.
218
219config CRYPTO_AUTHENC
220	tristate "Authenc support"
221	select CRYPTO_AEAD
222	select CRYPTO_SKCIPHER
223	select CRYPTO_MANAGER
224	select CRYPTO_HASH
225	select CRYPTO_NULL
226	help
227	  Authenc: Combined mode wrapper for IPsec.
228
229	  This is required for IPSec ESP (XFRM_ESP).
230
231config CRYPTO_TEST
232	tristate "Testing module"
233	depends on m || EXPERT
234	select CRYPTO_MANAGER
235	help
236	  Quick & dirty crypto test module.
237
238config CRYPTO_SIMD
239	tristate
240	select CRYPTO_CRYPTD
241
242config CRYPTO_ENGINE
243	tristate
244
245endmenu
246
247menu "Public-key cryptography"
248
249config CRYPTO_RSA
250	tristate "RSA (Rivest-Shamir-Adleman)"
251	select CRYPTO_AKCIPHER
252	select CRYPTO_MANAGER
253	select MPILIB
254	select ASN1
255	help
256	  RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017)
257
258config CRYPTO_DH
259	tristate "DH (Diffie-Hellman)"
260	select CRYPTO_KPP
261	select MPILIB
262	help
263	  DH (Diffie-Hellman) key exchange algorithm
264
265config CRYPTO_DH_RFC7919_GROUPS
266	bool "RFC 7919 FFDHE groups"
267	depends on CRYPTO_DH
268	select CRYPTO_RNG_DEFAULT
269	help
270	  FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups
271	  defined in RFC7919.
272
273	  Support these finite-field groups in DH key exchanges:
274	  - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
275
276	  If unsure, say N.
277
278config CRYPTO_ECC
279	tristate
280	select CRYPTO_RNG_DEFAULT
281
282config CRYPTO_ECDH
283	tristate "ECDH (Elliptic Curve Diffie-Hellman)"
284	select CRYPTO_ECC
285	select CRYPTO_KPP
286	help
287	  ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm
288	  using curves P-192, P-256, and P-384 (FIPS 186)
289
290config CRYPTO_ECDSA
291	tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)"
292	select CRYPTO_ECC
293	select CRYPTO_AKCIPHER
294	select ASN1
295	help
296	  ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186,
297	  ISO/IEC 14888-3)
298	  using curves P-192, P-256, and P-384
299
300	  Only signature verification is implemented.
301
302config CRYPTO_ECRDSA
303	tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)"
304	select CRYPTO_ECC
305	select CRYPTO_AKCIPHER
306	select CRYPTO_STREEBOG
307	select OID_REGISTRY
308	select ASN1
309	help
310	  Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
311	  RFC 7091, ISO/IEC 14888-3)
312
313	  One of the Russian cryptographic standard algorithms (called GOST
314	  algorithms). Only signature verification is implemented.
315
316config CRYPTO_SM2
317	tristate "SM2 (ShangMi 2)"
318	select CRYPTO_SM3
319	select CRYPTO_AKCIPHER
320	select CRYPTO_MANAGER
321	select MPILIB
322	select ASN1
323	help
324	  SM2 (ShangMi 2) public key algorithm
325
326	  Published by State Encryption Management Bureau, China,
327	  as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012.
328
329	  References:
330	  https://datatracker.ietf.org/doc/draft-shen-sm2-ecdsa/
331	  http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml
332	  http://www.gmbz.org.cn/main/bzlb.html
333
334config CRYPTO_CURVE25519
335	tristate "Curve25519"
336	select CRYPTO_KPP
337	select CRYPTO_LIB_CURVE25519_GENERIC
338	help
339	  Curve25519 elliptic curve (RFC7748)
340
341endmenu
342
343menu "Block ciphers"
344
345config CRYPTO_AES
346	tristate "AES (Advanced Encryption Standard)"
347	select CRYPTO_ALGAPI
348	select CRYPTO_LIB_AES
349	help
350	  AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
351
352	  Rijndael appears to be consistently a very good performer in
353	  both hardware and software across a wide range of computing
354	  environments regardless of its use in feedback or non-feedback
355	  modes. Its key setup time is excellent, and its key agility is
356	  good. Rijndael's very low memory requirements make it very well
357	  suited for restricted-space environments, in which it also
358	  demonstrates excellent performance. Rijndael's operations are
359	  among the easiest to defend against power and timing attacks.
360
361	  The AES specifies three key sizes: 128, 192 and 256 bits
362
363config CRYPTO_AES_TI
364	tristate "AES (Advanced Encryption Standard) (fixed time)"
365	select CRYPTO_ALGAPI
366	select CRYPTO_LIB_AES
367	help
368	  AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
369
370	  This is a generic implementation of AES that attempts to eliminate
371	  data dependent latencies as much as possible without affecting
372	  performance too much. It is intended for use by the generic CCM
373	  and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
374	  solely on encryption (although decryption is supported as well, but
375	  with a more dramatic performance hit)
376
377	  Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
378	  8 for decryption), this implementation only uses just two S-boxes of
379	  256 bytes each, and attempts to eliminate data dependent latencies by
380	  prefetching the entire table into the cache at the start of each
381	  block. Interrupts are also disabled to avoid races where cachelines
382	  are evicted when the CPU is interrupted to do something else.
383
384config CRYPTO_ANUBIS
385	tristate "Anubis"
386	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
387	select CRYPTO_ALGAPI
388	help
389	  Anubis cipher algorithm
390
391	  Anubis is a variable key length cipher which can use keys from
392	  128 bits to 320 bits in length.  It was evaluated as a entrant
393	  in the NESSIE competition.
394
395	  See https://web.archive.org/web/20160606112246/http://www.larc.usp.br/~pbarreto/AnubisPage.html
396	  for further information.
397
398config CRYPTO_ARIA
399	tristate "ARIA"
400	select CRYPTO_ALGAPI
401	help
402	  ARIA cipher algorithm (RFC5794)
403
404	  ARIA is a standard encryption algorithm of the Republic of Korea.
405	  The ARIA specifies three key sizes and rounds.
406	  128-bit: 12 rounds.
407	  192-bit: 14 rounds.
408	  256-bit: 16 rounds.
409
410	  See:
411	  https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do
412
413config CRYPTO_BLOWFISH
414	tristate "Blowfish"
415	select CRYPTO_ALGAPI
416	select CRYPTO_BLOWFISH_COMMON
417	help
418	  Blowfish cipher algorithm, by Bruce Schneier
419
420	  This is a variable key length cipher which can use keys from 32
421	  bits to 448 bits in length.  It's fast, simple and specifically
422	  designed for use on "large microprocessors".
423
424	  See https://www.schneier.com/blowfish.html for further information.
425
426config CRYPTO_BLOWFISH_COMMON
427	tristate
428	help
429	  Common parts of the Blowfish cipher algorithm shared by the
430	  generic c and the assembler implementations.
431
432config CRYPTO_CAMELLIA
433	tristate "Camellia"
434	select CRYPTO_ALGAPI
435	help
436	  Camellia cipher algorithms (ISO/IEC 18033-3)
437
438	  Camellia is a symmetric key block cipher developed jointly
439	  at NTT and Mitsubishi Electric Corporation.
440
441	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
442
443	  See https://info.isl.ntt.co.jp/crypt/eng/camellia/ for further information.
444
445config CRYPTO_CAST_COMMON
446	tristate
447	help
448	  Common parts of the CAST cipher algorithms shared by the
449	  generic c and the assembler implementations.
450
451config CRYPTO_CAST5
452	tristate "CAST5 (CAST-128)"
453	select CRYPTO_ALGAPI
454	select CRYPTO_CAST_COMMON
455	help
456	  CAST5 (CAST-128) cipher algorithm (RFC2144, ISO/IEC 18033-3)
457
458config CRYPTO_CAST6
459	tristate "CAST6 (CAST-256)"
460	select CRYPTO_ALGAPI
461	select CRYPTO_CAST_COMMON
462	help
463	  CAST6 (CAST-256) encryption algorithm (RFC2612)
464
465config CRYPTO_DES
466	tristate "DES and Triple DES EDE"
467	select CRYPTO_ALGAPI
468	select CRYPTO_LIB_DES
469	help
470	  DES (Data Encryption Standard)(FIPS 46-2, ISO/IEC 18033-3) and
471	  Triple DES EDE (Encrypt/Decrypt/Encrypt) (FIPS 46-3, ISO/IEC 18033-3)
472	  cipher algorithms
473
474config CRYPTO_FCRYPT
475	tristate "FCrypt"
476	select CRYPTO_ALGAPI
477	select CRYPTO_SKCIPHER
478	help
479	  FCrypt algorithm used by RxRPC
480
481	  See https://ota.polyonymo.us/fcrypt-paper.txt
482
483config CRYPTO_KHAZAD
484	tristate "Khazad"
485	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
486	select CRYPTO_ALGAPI
487	help
488	  Khazad cipher algorithm
489
490	  Khazad was a finalist in the initial NESSIE competition.  It is
491	  an algorithm optimized for 64-bit processors with good performance
492	  on 32-bit processors.  Khazad uses an 128 bit key size.
493
494	  See https://web.archive.org/web/20171011071731/http://www.larc.usp.br/~pbarreto/KhazadPage.html
495	  for further information.
496
497config CRYPTO_SEED
498	tristate "SEED"
499	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
500	select CRYPTO_ALGAPI
501	help
502	  SEED cipher algorithm (RFC4269, ISO/IEC 18033-3)
503
504	  SEED is a 128-bit symmetric key block cipher that has been
505	  developed by KISA (Korea Information Security Agency) as a
506	  national standard encryption algorithm of the Republic of Korea.
507	  It is a 16 round block cipher with the key size of 128 bit.
508
509	  See https://seed.kisa.or.kr/kisa/algorithm/EgovSeedInfo.do
510	  for further information.
511
512config CRYPTO_SERPENT
513	tristate "Serpent"
514	select CRYPTO_ALGAPI
515	help
516	  Serpent cipher algorithm, by Anderson, Biham & Knudsen
517
518	  Keys are allowed to be from 0 to 256 bits in length, in steps
519	  of 8 bits.
520
521	  See https://www.cl.cam.ac.uk/~rja14/serpent.html for further information.
522
523config CRYPTO_SM4
524	tristate
525
526config CRYPTO_SM4_GENERIC
527	tristate "SM4 (ShangMi 4)"
528	select CRYPTO_ALGAPI
529	select CRYPTO_SM4
530	help
531	  SM4 cipher algorithms (OSCCA GB/T 32907-2016,
532	  ISO/IEC 18033-3:2010/Amd 1:2021)
533
534	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
535	  Organization of State Commercial Administration of China (OSCCA)
536	  as an authorized cryptographic algorithms for the use within China.
537
538	  SMS4 was originally created for use in protecting wireless
539	  networks, and is mandated in the Chinese National Standard for
540	  Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
541	  (GB.15629.11-2003).
542
543	  The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
544	  standardized through TC 260 of the Standardization Administration
545	  of the People's Republic of China (SAC).
546
547	  The input, output, and key of SMS4 are each 128 bits.
548
549	  See https://eprint.iacr.org/2008/329.pdf for further information.
550
551	  If unsure, say N.
552
553config CRYPTO_TEA
554	tristate "TEA, XTEA and XETA"
555	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
556	select CRYPTO_ALGAPI
557	help
558	  TEA (Tiny Encryption Algorithm) cipher algorithms
559
560	  Tiny Encryption Algorithm is a simple cipher that uses
561	  many rounds for security.  It is very fast and uses
562	  little memory.
563
564	  Xtendend Tiny Encryption Algorithm is a modification to
565	  the TEA algorithm to address a potential key weakness
566	  in the TEA algorithm.
567
568	  Xtendend Encryption Tiny Algorithm is a mis-implementation
569	  of the XTEA algorithm for compatibility purposes.
570
571config CRYPTO_TWOFISH
572	tristate "Twofish"
573	select CRYPTO_ALGAPI
574	select CRYPTO_TWOFISH_COMMON
575	help
576	  Twofish cipher algorithm
577
578	  Twofish was submitted as an AES (Advanced Encryption Standard)
579	  candidate cipher by researchers at CounterPane Systems.  It is a
580	  16 round block cipher supporting key sizes of 128, 192, and 256
581	  bits.
582
583	  See https://www.schneier.com/twofish.html for further information.
584
585config CRYPTO_TWOFISH_COMMON
586	tristate
587	help
588	  Common parts of the Twofish cipher algorithm shared by the
589	  generic c and the assembler implementations.
590
591endmenu
592
593menu "Length-preserving ciphers and modes"
594
595config CRYPTO_ADIANTUM
596	tristate "Adiantum"
597	select CRYPTO_CHACHA20
598	select CRYPTO_LIB_POLY1305_GENERIC
599	select CRYPTO_NHPOLY1305
600	select CRYPTO_MANAGER
601	help
602	  Adiantum tweakable, length-preserving encryption mode
603
604	  Designed for fast and secure disk encryption, especially on
605	  CPUs without dedicated crypto instructions.  It encrypts
606	  each sector using the XChaCha12 stream cipher, two passes of
607	  an ε-almost-∆-universal hash function, and an invocation of
608	  the AES-256 block cipher on a single 16-byte block.  On CPUs
609	  without AES instructions, Adiantum is much faster than
610	  AES-XTS.
611
612	  Adiantum's security is provably reducible to that of its
613	  underlying stream and block ciphers, subject to a security
614	  bound.  Unlike XTS, Adiantum is a true wide-block encryption
615	  mode, so it actually provides an even stronger notion of
616	  security than XTS, subject to the security bound.
617
618	  If unsure, say N.
619
620config CRYPTO_ARC4
621	tristate "ARC4 (Alleged Rivest Cipher 4)"
622	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
623	select CRYPTO_SKCIPHER
624	select CRYPTO_LIB_ARC4
625	help
626	  ARC4 cipher algorithm
627
628	  ARC4 is a stream cipher using keys ranging from 8 bits to 2048
629	  bits in length.  This algorithm is required for driver-based
630	  WEP, but it should not be for other purposes because of the
631	  weakness of the algorithm.
632
633config CRYPTO_CHACHA20
634	tristate "ChaCha"
635	select CRYPTO_LIB_CHACHA_GENERIC
636	select CRYPTO_SKCIPHER
637	help
638	  The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms
639
640	  ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
641	  Bernstein and further specified in RFC7539 for use in IETF protocols.
642	  This is the portable C implementation of ChaCha20.  See
643	  https://cr.yp.to/chacha/chacha-20080128.pdf for further information.
644
645	  XChaCha20 is the application of the XSalsa20 construction to ChaCha20
646	  rather than to Salsa20.  XChaCha20 extends ChaCha20's nonce length
647	  from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
648	  while provably retaining ChaCha20's security.  See
649	  https://cr.yp.to/snuffle/xsalsa-20081128.pdf for further information.
650
651	  XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
652	  reduced security margin but increased performance.  It can be needed
653	  in some performance-sensitive scenarios.
654
655config CRYPTO_CBC
656	tristate "CBC (Cipher Block Chaining)"
657	select CRYPTO_SKCIPHER
658	select CRYPTO_MANAGER
659	help
660	  CBC (Cipher Block Chaining) mode (NIST SP800-38A)
661
662	  This block cipher mode is required for IPSec ESP (XFRM_ESP).
663
664config CRYPTO_CFB
665	tristate "CFB (Cipher Feedback)"
666	select CRYPTO_SKCIPHER
667	select CRYPTO_MANAGER
668	help
669	  CFB (Cipher Feedback) mode (NIST SP800-38A)
670
671	  This block cipher mode is required for TPM2 Cryptography.
672
673config CRYPTO_CTR
674	tristate "CTR (Counter)"
675	select CRYPTO_SKCIPHER
676	select CRYPTO_MANAGER
677	help
678	  CTR (Counter) mode (NIST SP800-38A)
679
680config CRYPTO_CTS
681	tristate "CTS (Cipher Text Stealing)"
682	select CRYPTO_SKCIPHER
683	select CRYPTO_MANAGER
684	help
685	  CBC-CS3 variant of CTS (Cipher Text Stealing) (NIST
686	  Addendum to SP800-38A (October 2010))
687
688	  This mode is required for Kerberos gss mechanism support
689	  for AES encryption.
690
691config CRYPTO_ECB
692	tristate "ECB (Electronic Codebook)"
693	select CRYPTO_SKCIPHER2
694	select CRYPTO_MANAGER
695	help
696	  ECB (Electronic Codebook) mode (NIST SP800-38A)
697
698config CRYPTO_HCTR2
699	tristate "HCTR2"
700	select CRYPTO_XCTR
701	select CRYPTO_POLYVAL
702	select CRYPTO_MANAGER
703	help
704	  HCTR2 length-preserving encryption mode
705
706	  A mode for storage encryption that is efficient on processors with
707	  instructions to accelerate AES and carryless multiplication, e.g.
708	  x86 processors with AES-NI and CLMUL, and ARM processors with the
709	  ARMv8 crypto extensions.
710
711	  See https://eprint.iacr.org/2021/1441
712
713config CRYPTO_KEYWRAP
714	tristate "KW (AES Key Wrap)"
715	select CRYPTO_SKCIPHER
716	select CRYPTO_MANAGER
717	help
718	  KW (AES Key Wrap) authenticated encryption mode (NIST SP800-38F
719	  and RFC3394) without padding.
720
721config CRYPTO_LRW
722	tristate "LRW (Liskov Rivest Wagner)"
723	select CRYPTO_LIB_GF128MUL
724	select CRYPTO_SKCIPHER
725	select CRYPTO_MANAGER
726	select CRYPTO_ECB
727	help
728	  LRW (Liskov Rivest Wagner) mode
729
730	  A tweakable, non malleable, non movable
731	  narrow block cipher mode for dm-crypt.  Use it with cipher
732	  specification string aes-lrw-benbi, the key must be 256, 320 or 384.
733	  The first 128, 192 or 256 bits in the key are used for AES and the
734	  rest is used to tie each cipher block to its logical position.
735
736	  See https://people.csail.mit.edu/rivest/pubs/LRW02.pdf
737
738config CRYPTO_OFB
739	tristate "OFB (Output Feedback)"
740	select CRYPTO_SKCIPHER
741	select CRYPTO_MANAGER
742	help
743	  OFB (Output Feedback) mode (NIST SP800-38A)
744
745	  This mode makes a block cipher into a synchronous
746	  stream cipher. It generates keystream blocks, which are then XORed
747	  with the plaintext blocks to get the ciphertext. Flipping a bit in the
748	  ciphertext produces a flipped bit in the plaintext at the same
749	  location. This property allows many error correcting codes to function
750	  normally even when applied before encryption.
751
752config CRYPTO_PCBC
753	tristate "PCBC (Propagating Cipher Block Chaining)"
754	select CRYPTO_SKCIPHER
755	select CRYPTO_MANAGER
756	help
757	  PCBC (Propagating Cipher Block Chaining) mode
758
759	  This block cipher mode is required for RxRPC.
760
761config CRYPTO_XCTR
762	tristate
763	select CRYPTO_SKCIPHER
764	select CRYPTO_MANAGER
765	help
766	  XCTR (XOR Counter) mode for HCTR2
767
768	  This blockcipher mode is a variant of CTR mode using XORs and little-endian
769	  addition rather than big-endian arithmetic.
770
771	  XCTR mode is used to implement HCTR2.
772
773config CRYPTO_XTS
774	tristate "XTS (XOR Encrypt XOR with ciphertext stealing)"
775	select CRYPTO_SKCIPHER
776	select CRYPTO_MANAGER
777	select CRYPTO_ECB
778	help
779	  XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
780	  and IEEE 1619)
781
782	  Use with aes-xts-plain, key size 256, 384 or 512 bits. This
783	  implementation currently can't handle a sectorsize which is not a
784	  multiple of 16 bytes.
785
786config CRYPTO_NHPOLY1305
787	tristate
788	select CRYPTO_HASH
789	select CRYPTO_LIB_POLY1305_GENERIC
790
791endmenu
792
793menu "AEAD (authenticated encryption with associated data) ciphers"
794
795config CRYPTO_AEGIS128
796	tristate "AEGIS-128"
797	select CRYPTO_AEAD
798	select CRYPTO_AES  # for AES S-box tables
799	help
800	  AEGIS-128 AEAD algorithm
801
802config CRYPTO_AEGIS128_SIMD
803	bool "AEGIS-128 (arm NEON, arm64 NEON)"
804	depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
805	default y
806	help
807	  AEGIS-128 AEAD algorithm
808
809	  Architecture: arm or arm64 using:
810	  - NEON (Advanced SIMD) extension
811
812config CRYPTO_CHACHA20POLY1305
813	tristate "ChaCha20-Poly1305"
814	select CRYPTO_CHACHA20
815	select CRYPTO_POLY1305
816	select CRYPTO_AEAD
817	select CRYPTO_MANAGER
818	help
819	  ChaCha20 stream cipher and Poly1305 authenticator combined
820	  mode (RFC8439)
821
822config CRYPTO_CCM
823	tristate "CCM (Counter with Cipher Block Chaining-MAC)"
824	select CRYPTO_CTR
825	select CRYPTO_HASH
826	select CRYPTO_AEAD
827	select CRYPTO_MANAGER
828	help
829	  CCM (Counter with Cipher Block Chaining-Message Authentication Code)
830	  authenticated encryption mode (NIST SP800-38C)
831
832config CRYPTO_GCM
833	tristate "GCM (Galois/Counter Mode) and GMAC (GCM MAC)"
834	select CRYPTO_CTR
835	select CRYPTO_AEAD
836	select CRYPTO_GHASH
837	select CRYPTO_NULL
838	select CRYPTO_MANAGER
839	help
840	  GCM (Galois/Counter Mode) authenticated encryption mode and GMAC
841	  (GCM Message Authentication Code) (NIST SP800-38D)
842
843	  This is required for IPSec ESP (XFRM_ESP).
844
845config CRYPTO_GENIV
846	tristate
847	select CRYPTO_AEAD
848	select CRYPTO_NULL
849	select CRYPTO_MANAGER
850	select CRYPTO_RNG_DEFAULT
851
852config CRYPTO_SEQIV
853	tristate "Sequence Number IV Generator"
854	select CRYPTO_GENIV
855	help
856	  Sequence Number IV generator
857
858	  This IV generator generates an IV based on a sequence number by
859	  xoring it with a salt.  This algorithm is mainly useful for CTR.
860
861	  This is required for IPsec ESP (XFRM_ESP).
862
863config CRYPTO_ECHAINIV
864	tristate "Encrypted Chain IV Generator"
865	select CRYPTO_GENIV
866	help
867	  Encrypted Chain IV generator
868
869	  This IV generator generates an IV based on the encryption of
870	  a sequence number xored with a salt.  This is the default
871	  algorithm for CBC.
872
873config CRYPTO_ESSIV
874	tristate "Encrypted Salt-Sector IV Generator"
875	select CRYPTO_AUTHENC
876	help
877	  Encrypted Salt-Sector IV generator
878
879	  This IV generator is used in some cases by fscrypt and/or
880	  dm-crypt. It uses the hash of the block encryption key as the
881	  symmetric key for a block encryption pass applied to the input
882	  IV, making low entropy IV sources more suitable for block
883	  encryption.
884
885	  This driver implements a crypto API template that can be
886	  instantiated either as an skcipher or as an AEAD (depending on the
887	  type of the first template argument), and which defers encryption
888	  and decryption requests to the encapsulated cipher after applying
889	  ESSIV to the input IV. Note that in the AEAD case, it is assumed
890	  that the keys are presented in the same format used by the authenc
891	  template, and that the IV appears at the end of the authenticated
892	  associated data (AAD) region (which is how dm-crypt uses it.)
893
894	  Note that the use of ESSIV is not recommended for new deployments,
895	  and so this only needs to be enabled when interoperability with
896	  existing encrypted volumes of filesystems is required, or when
897	  building for a particular system that requires it (e.g., when
898	  the SoC in question has accelerated CBC but not XTS, making CBC
899	  combined with ESSIV the only feasible mode for h/w accelerated
900	  block encryption)
901
902endmenu
903
904menu "Hashes, digests, and MACs"
905
906config CRYPTO_BLAKE2B
907	tristate "BLAKE2b"
908	select CRYPTO_HASH
909	help
910	  BLAKE2b cryptographic hash function (RFC 7693)
911
912	  BLAKE2b is optimized for 64-bit platforms and can produce digests
913	  of any size between 1 and 64 bytes. The keyed hash is also implemented.
914
915	  This module provides the following algorithms:
916	  - blake2b-160
917	  - blake2b-256
918	  - blake2b-384
919	  - blake2b-512
920
921	  Used by the btrfs filesystem.
922
923	  See https://blake2.net for further information.
924
925config CRYPTO_CMAC
926	tristate "CMAC (Cipher-based MAC)"
927	select CRYPTO_HASH
928	select CRYPTO_MANAGER
929	help
930	  CMAC (Cipher-based Message Authentication Code) authentication
931	  mode (NIST SP800-38B and IETF RFC4493)
932
933config CRYPTO_GHASH
934	tristate "GHASH"
935	select CRYPTO_HASH
936	select CRYPTO_LIB_GF128MUL
937	help
938	  GCM GHASH function (NIST SP800-38D)
939
940config CRYPTO_HMAC
941	tristate "HMAC (Keyed-Hash MAC)"
942	select CRYPTO_HASH
943	select CRYPTO_MANAGER
944	help
945	  HMAC (Keyed-Hash Message Authentication Code) (FIPS 198 and
946	  RFC2104)
947
948	  This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
949
950config CRYPTO_MD4
951	tristate "MD4"
952	select CRYPTO_HASH
953	help
954	  MD4 message digest algorithm (RFC1320)
955
956config CRYPTO_MD5
957	tristate "MD5"
958	select CRYPTO_HASH
959	help
960	  MD5 message digest algorithm (RFC1321)
961
962config CRYPTO_MICHAEL_MIC
963	tristate "Michael MIC"
964	select CRYPTO_HASH
965	help
966	  Michael MIC (Message Integrity Code) (IEEE 802.11i)
967
968	  Defined by the IEEE 802.11i TKIP (Temporal Key Integrity Protocol),
969	  known as WPA (Wif-Fi Protected Access).
970
971	  This algorithm is required for TKIP, but it should not be used for
972	  other purposes because of the weakness of the algorithm.
973
974config CRYPTO_POLYVAL
975	tristate
976	select CRYPTO_HASH
977	select CRYPTO_LIB_GF128MUL
978	help
979	  POLYVAL hash function for HCTR2
980
981	  This is used in HCTR2.  It is not a general-purpose
982	  cryptographic hash function.
983
984config CRYPTO_POLY1305
985	tristate "Poly1305"
986	select CRYPTO_HASH
987	select CRYPTO_LIB_POLY1305_GENERIC
988	help
989	  Poly1305 authenticator algorithm (RFC7539)
990
991	  Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
992	  It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
993	  in IETF protocols. This is the portable C implementation of Poly1305.
994
995config CRYPTO_RMD160
996	tristate "RIPEMD-160"
997	select CRYPTO_HASH
998	help
999	  RIPEMD-160 hash function (ISO/IEC 10118-3)
1000
1001	  RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
1002	  to be used as a secure replacement for the 128-bit hash functions
1003	  MD4, MD5 and its predecessor RIPEMD
1004	  (not to be confused with RIPEMD-128).
1005
1006	  Its speed is comparable to SHA-1 and there are no known attacks
1007	  against RIPEMD-160.
1008
1009	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
1010	  See https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
1011	  for further information.
1012
1013config CRYPTO_SHA1
1014	tristate "SHA-1"
1015	select CRYPTO_HASH
1016	select CRYPTO_LIB_SHA1
1017	help
1018	  SHA-1 secure hash algorithm (FIPS 180, ISO/IEC 10118-3)
1019
1020config CRYPTO_SHA256
1021	tristate "SHA-224 and SHA-256"
1022	select CRYPTO_HASH
1023	select CRYPTO_LIB_SHA256
1024	help
1025	  SHA-224 and SHA-256 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
1026
1027	  This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
1028	  Used by the btrfs filesystem, Ceph, NFS, and SMB.
1029
1030config CRYPTO_SHA512
1031	tristate "SHA-384 and SHA-512"
1032	select CRYPTO_HASH
1033	help
1034	  SHA-384 and SHA-512 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
1035
1036config CRYPTO_SHA3
1037	tristate "SHA-3"
1038	select CRYPTO_HASH
1039	help
1040	  SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3)
1041
1042config CRYPTO_SM3
1043	tristate
1044
1045config CRYPTO_SM3_GENERIC
1046	tristate "SM3 (ShangMi 3)"
1047	select CRYPTO_HASH
1048	select CRYPTO_SM3
1049	help
1050	  SM3 (ShangMi 3) secure hash function (OSCCA GM/T 0004-2012, ISO/IEC 10118-3)
1051
1052	  This is part of the Chinese Commercial Cryptography suite.
1053
1054	  References:
1055	  http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
1056	  https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
1057
1058config CRYPTO_STREEBOG
1059	tristate "Streebog"
1060	select CRYPTO_HASH
1061	help
1062	  Streebog Hash Function (GOST R 34.11-2012, RFC 6986, ISO/IEC 10118-3)
1063
1064	  This is one of the Russian cryptographic standard algorithms (called
1065	  GOST algorithms). This setting enables two hash algorithms with
1066	  256 and 512 bits output.
1067
1068	  References:
1069	  https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1070	  https://tools.ietf.org/html/rfc6986
1071
1072config CRYPTO_VMAC
1073	tristate "VMAC"
1074	select CRYPTO_HASH
1075	select CRYPTO_MANAGER
1076	help
1077	  VMAC is a message authentication algorithm designed for
1078	  very high speed on 64-bit architectures.
1079
1080	  See https://fastcrypto.org/vmac for further information.
1081
1082config CRYPTO_WP512
1083	tristate "Whirlpool"
1084	select CRYPTO_HASH
1085	help
1086	  Whirlpool hash function (ISO/IEC 10118-3)
1087
1088	  512, 384 and 256-bit hashes.
1089
1090	  Whirlpool-512 is part of the NESSIE cryptographic primitives.
1091
1092	  See https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
1093	  for further information.
1094
1095config CRYPTO_XCBC
1096	tristate "XCBC-MAC (Extended Cipher Block Chaining MAC)"
1097	select CRYPTO_HASH
1098	select CRYPTO_MANAGER
1099	help
1100	  XCBC-MAC (Extended Cipher Block Chaining Message Authentication
1101	  Code) (RFC3566)
1102
1103config CRYPTO_XXHASH
1104	tristate "xxHash"
1105	select CRYPTO_HASH
1106	select XXHASH
1107	help
1108	  xxHash non-cryptographic hash algorithm
1109
1110	  Extremely fast, working at speeds close to RAM limits.
1111
1112	  Used by the btrfs filesystem.
1113
1114endmenu
1115
1116menu "CRCs (cyclic redundancy checks)"
1117
1118config CRYPTO_CRC32C
1119	tristate "CRC32c"
1120	select CRYPTO_HASH
1121	select CRC32
1122	help
1123	  CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720)
1124
1125	  A 32-bit CRC (cyclic redundancy check) with a polynomial defined
1126	  by G. Castagnoli, S. Braeuer and M. Herrman in "Optimization of Cyclic
1127	  Redundancy-Check Codes with 24 and 32 Parity Bits", IEEE Transactions
1128	  on Communications, Vol. 41, No. 6, June 1993, selected for use with
1129	  iSCSI.
1130
1131	  Used by btrfs, ext4, jbd2, NVMeoF/TCP, and iSCSI.
1132
1133config CRYPTO_CRC32
1134	tristate "CRC32"
1135	select CRYPTO_HASH
1136	select CRC32
1137	help
1138	  CRC32 CRC algorithm (IEEE 802.3)
1139
1140	  Used by RoCEv2 and f2fs.
1141
1142config CRYPTO_CRCT10DIF
1143	tristate "CRCT10DIF"
1144	select CRYPTO_HASH
1145	help
1146	  CRC16 CRC algorithm used for the T10 (SCSI) Data Integrity Field (DIF)
1147
1148	  CRC algorithm used by the SCSI Block Commands standard.
1149
1150config CRYPTO_CRC64_ROCKSOFT
1151	tristate "CRC64 based on Rocksoft Model algorithm"
1152	depends on CRC64
1153	select CRYPTO_HASH
1154	help
1155	  CRC64 CRC algorithm based on the Rocksoft Model CRC Algorithm
1156
1157	  Used by the NVMe implementation of T10 DIF (BLK_DEV_INTEGRITY)
1158
1159	  See https://zlib.net/crc_v3.txt
1160
1161endmenu
1162
1163menu "Compression"
1164
1165config CRYPTO_DEFLATE
1166	tristate "Deflate"
1167	select CRYPTO_ALGAPI
1168	select CRYPTO_ACOMP2
1169	select ZLIB_INFLATE
1170	select ZLIB_DEFLATE
1171	help
1172	  Deflate compression algorithm (RFC1951)
1173
1174	  Used by IPSec with the IPCOMP protocol (RFC3173, RFC2394)
1175
1176config CRYPTO_LZO
1177	tristate "LZO"
1178	select CRYPTO_ALGAPI
1179	select CRYPTO_ACOMP2
1180	select LZO_COMPRESS
1181	select LZO_DECOMPRESS
1182	help
1183	  LZO compression algorithm
1184
1185	  See https://www.oberhumer.com/opensource/lzo/ for further information.
1186
1187config CRYPTO_842
1188	tristate "842"
1189	select CRYPTO_ALGAPI
1190	select CRYPTO_ACOMP2
1191	select 842_COMPRESS
1192	select 842_DECOMPRESS
1193	help
1194	  842 compression algorithm by IBM
1195
1196	  See https://github.com/plauth/lib842 for further information.
1197
1198config CRYPTO_LZ4
1199	tristate "LZ4"
1200	select CRYPTO_ALGAPI
1201	select CRYPTO_ACOMP2
1202	select LZ4_COMPRESS
1203	select LZ4_DECOMPRESS
1204	help
1205	  LZ4 compression algorithm
1206
1207	  See https://github.com/lz4/lz4 for further information.
1208
1209config CRYPTO_LZ4HC
1210	tristate "LZ4HC"
1211	select CRYPTO_ALGAPI
1212	select CRYPTO_ACOMP2
1213	select LZ4HC_COMPRESS
1214	select LZ4_DECOMPRESS
1215	help
1216	  LZ4 high compression mode algorithm
1217
1218	  See https://github.com/lz4/lz4 for further information.
1219
1220config CRYPTO_ZSTD
1221	tristate "Zstd"
1222	select CRYPTO_ALGAPI
1223	select CRYPTO_ACOMP2
1224	select ZSTD_COMPRESS
1225	select ZSTD_DECOMPRESS
1226	help
1227	  zstd compression algorithm
1228
1229	  See https://github.com/facebook/zstd for further information.
1230
1231endmenu
1232
1233menu "Random number generation"
1234
1235config CRYPTO_ANSI_CPRNG
1236	tristate "ANSI PRNG (Pseudo Random Number Generator)"
1237	select CRYPTO_AES
1238	select CRYPTO_RNG
1239	help
1240	  Pseudo RNG (random number generator) (ANSI X9.31 Appendix A.2.4)
1241
1242	  This uses the AES cipher algorithm.
1243
1244	  Note that this option must be enabled if CRYPTO_FIPS is selected
1245
1246menuconfig CRYPTO_DRBG_MENU
1247	tristate "NIST SP800-90A DRBG (Deterministic Random Bit Generator)"
1248	help
1249	  DRBG (Deterministic Random Bit Generator) (NIST SP800-90A)
1250
1251	  In the following submenu, one or more of the DRBG types must be selected.
1252
1253if CRYPTO_DRBG_MENU
1254
1255config CRYPTO_DRBG_HMAC
1256	bool
1257	default y
1258	select CRYPTO_HMAC
1259	select CRYPTO_SHA512
1260
1261config CRYPTO_DRBG_HASH
1262	bool "Hash_DRBG"
1263	select CRYPTO_SHA256
1264	help
1265	  Hash_DRBG variant as defined in NIST SP800-90A.
1266
1267	  This uses the SHA-1, SHA-256, SHA-384, or SHA-512 hash algorithms.
1268
1269config CRYPTO_DRBG_CTR
1270	bool "CTR_DRBG"
1271	select CRYPTO_AES
1272	select CRYPTO_CTR
1273	help
1274	  CTR_DRBG variant as defined in NIST SP800-90A.
1275
1276	  This uses the AES cipher algorithm with the counter block mode.
1277
1278config CRYPTO_DRBG
1279	tristate
1280	default CRYPTO_DRBG_MENU
1281	select CRYPTO_RNG
1282	select CRYPTO_JITTERENTROPY
1283
1284endif	# if CRYPTO_DRBG_MENU
1285
1286config CRYPTO_JITTERENTROPY
1287	tristate "CPU Jitter Non-Deterministic RNG (Random Number Generator)"
1288	select CRYPTO_RNG
1289	select CRYPTO_SHA3
1290	help
1291	  CPU Jitter RNG (Random Number Generator) from the Jitterentropy library
1292
1293	  A non-physical non-deterministic ("true") RNG (e.g., an entropy source
1294	  compliant with NIST SP800-90B) intended to provide a seed to a
1295	  deterministic RNG (e.g.  per NIST SP800-90C).
1296	  This RNG does not perform any cryptographic whitening of the generated
1297
1298	  See https://www.chronox.de/jent.html
1299
1300if CRYPTO_JITTERENTROPY
1301if CRYPTO_FIPS && EXPERT
1302
1303choice
1304	prompt "CPU Jitter RNG Memory Size"
1305	default CRYPTO_JITTERENTROPY_MEMSIZE_2
1306	help
1307	  The Jitter RNG measures the execution time of memory accesses.
1308	  Multiple consecutive memory accesses are performed. If the memory
1309	  size fits into a cache (e.g. L1), only the memory access timing
1310	  to that cache is measured. The closer the cache is to the CPU
1311	  the less variations are measured and thus the less entropy is
1312	  obtained. Thus, if the memory size fits into the L1 cache, the
1313	  obtained entropy is less than if the memory size fits within
1314	  L1 + L2, which in turn is less if the memory fits into
1315	  L1 + L2 + L3. Thus, by selecting a different memory size,
1316	  the entropy rate produced by the Jitter RNG can be modified.
1317
1318	config CRYPTO_JITTERENTROPY_MEMSIZE_2
1319		bool "2048 Bytes (default)"
1320
1321	config CRYPTO_JITTERENTROPY_MEMSIZE_128
1322		bool "128 kBytes"
1323
1324	config CRYPTO_JITTERENTROPY_MEMSIZE_1024
1325		bool "1024 kBytes"
1326
1327	config CRYPTO_JITTERENTROPY_MEMSIZE_8192
1328		bool "8192 kBytes"
1329endchoice
1330
1331config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
1332	int
1333	default 64 if CRYPTO_JITTERENTROPY_MEMSIZE_2
1334	default 512 if CRYPTO_JITTERENTROPY_MEMSIZE_128
1335	default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
1336	default 4096 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
1337
1338config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
1339	int
1340	default 32 if CRYPTO_JITTERENTROPY_MEMSIZE_2
1341	default 256 if CRYPTO_JITTERENTROPY_MEMSIZE_128
1342	default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
1343	default 2048 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
1344
1345config CRYPTO_JITTERENTROPY_OSR
1346	int "CPU Jitter RNG Oversampling Rate"
1347	range 1 15
1348	default 1
1349	help
1350	  The Jitter RNG allows the specification of an oversampling rate (OSR).
1351	  The Jitter RNG operation requires a fixed amount of timing
1352	  measurements to produce one output block of random numbers. The
1353	  OSR value is multiplied with the amount of timing measurements to
1354	  generate one output block. Thus, the timing measurement is oversampled
1355	  by the OSR factor. The oversampling allows the Jitter RNG to operate
1356	  on hardware whose timers deliver limited amount of entropy (e.g.
1357	  the timer is coarse) by setting the OSR to a higher value. The
1358	  trade-off, however, is that the Jitter RNG now requires more time
1359	  to generate random numbers.
1360
1361config CRYPTO_JITTERENTROPY_TESTINTERFACE
1362	bool "CPU Jitter RNG Test Interface"
1363	help
1364	  The test interface allows a privileged process to capture
1365	  the raw unconditioned high resolution time stamp noise that
1366	  is collected by the Jitter RNG for statistical analysis. As
1367	  this data is used at the same time to generate random bits,
1368	  the Jitter RNG operates in an insecure mode as long as the
1369	  recording is enabled. This interface therefore is only
1370	  intended for testing purposes and is not suitable for
1371	  production systems.
1372
1373	  The raw noise data can be obtained using the jent_raw_hires
1374	  debugfs file. Using the option
1375	  jitterentropy_testing.boot_raw_hires_test=1 the raw noise of
1376	  the first 1000 entropy events since boot can be sampled.
1377
1378	  If unsure, select N.
1379
1380endif	# if CRYPTO_FIPS && EXPERT
1381
1382if !(CRYPTO_FIPS && EXPERT)
1383
1384config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
1385	int
1386	default 64
1387
1388config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
1389	int
1390	default 32
1391
1392config CRYPTO_JITTERENTROPY_OSR
1393	int
1394	default 1
1395
1396config CRYPTO_JITTERENTROPY_TESTINTERFACE
1397	bool
1398
1399endif	# if !(CRYPTO_FIPS && EXPERT)
1400endif	# if CRYPTO_JITTERENTROPY
1401
1402config CRYPTO_KDF800108_CTR
1403	tristate
1404	select CRYPTO_HMAC
1405	select CRYPTO_SHA256
1406
1407endmenu
1408menu "Userspace interface"
1409
1410config CRYPTO_USER_API
1411	tristate
1412
1413config CRYPTO_USER_API_HASH
1414	tristate "Hash algorithms"
1415	depends on NET
1416	select CRYPTO_HASH
1417	select CRYPTO_USER_API
1418	help
1419	  Enable the userspace interface for hash algorithms.
1420
1421	  See Documentation/crypto/userspace-if.rst and
1422	  https://www.chronox.de/libkcapi/html/index.html
1423
1424config CRYPTO_USER_API_SKCIPHER
1425	tristate "Symmetric key cipher algorithms"
1426	depends on NET
1427	select CRYPTO_SKCIPHER
1428	select CRYPTO_USER_API
1429	help
1430	  Enable the userspace interface for symmetric key cipher algorithms.
1431
1432	  See Documentation/crypto/userspace-if.rst and
1433	  https://www.chronox.de/libkcapi/html/index.html
1434
1435config CRYPTO_USER_API_RNG
1436	tristate "RNG (random number generator) algorithms"
1437	depends on NET
1438	select CRYPTO_RNG
1439	select CRYPTO_USER_API
1440	help
1441	  Enable the userspace interface for RNG (random number generator)
1442	  algorithms.
1443
1444	  See Documentation/crypto/userspace-if.rst and
1445	  https://www.chronox.de/libkcapi/html/index.html
1446
1447config CRYPTO_USER_API_RNG_CAVP
1448	bool "Enable CAVP testing of DRBG"
1449	depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
1450	help
1451	  Enable extra APIs in the userspace interface for NIST CAVP
1452	  (Cryptographic Algorithm Validation Program) testing:
1453	  - resetting DRBG entropy
1454	  - providing Additional Data
1455
1456	  This should only be enabled for CAVP testing. You should say
1457	  no unless you know what this is.
1458
1459config CRYPTO_USER_API_AEAD
1460	tristate "AEAD cipher algorithms"
1461	depends on NET
1462	select CRYPTO_AEAD
1463	select CRYPTO_SKCIPHER
1464	select CRYPTO_NULL
1465	select CRYPTO_USER_API
1466	help
1467	  Enable the userspace interface for AEAD cipher algorithms.
1468
1469	  See Documentation/crypto/userspace-if.rst and
1470	  https://www.chronox.de/libkcapi/html/index.html
1471
1472config CRYPTO_USER_API_ENABLE_OBSOLETE
1473	bool "Obsolete cryptographic algorithms"
1474	depends on CRYPTO_USER_API
1475	default y
1476	help
1477	  Allow obsolete cryptographic algorithms to be selected that have
1478	  already been phased out from internal use by the kernel, and are
1479	  only useful for userspace clients that still rely on them.
1480
1481config CRYPTO_STATS
1482	bool "Crypto usage statistics"
1483	depends on CRYPTO_USER
1484	help
1485	  Enable the gathering of crypto stats.
1486
1487	  Enabling this option reduces the performance of the crypto API.  It
1488	  should only be enabled when there is actually a use case for it.
1489
1490	  This collects data sizes, numbers of requests, and numbers
1491	  of errors processed by:
1492	  - AEAD ciphers (encrypt, decrypt)
1493	  - asymmetric key ciphers (encrypt, decrypt, verify, sign)
1494	  - symmetric key ciphers (encrypt, decrypt)
1495	  - compression algorithms (compress, decompress)
1496	  - hash algorithms (hash)
1497	  - key-agreement protocol primitives (setsecret, generate
1498	    public key, compute shared secret)
1499	  - RNG (generate, seed)
1500
1501endmenu
1502
1503config CRYPTO_HASH_INFO
1504	bool
1505
1506if !KMSAN # avoid false positives from assembly
1507if ARM
1508source "arch/arm/crypto/Kconfig"
1509endif
1510if ARM64
1511source "arch/arm64/crypto/Kconfig"
1512endif
1513if LOONGARCH
1514source "arch/loongarch/crypto/Kconfig"
1515endif
1516if MIPS
1517source "arch/mips/crypto/Kconfig"
1518endif
1519if PPC
1520source "arch/powerpc/crypto/Kconfig"
1521endif
1522if S390
1523source "arch/s390/crypto/Kconfig"
1524endif
1525if SPARC
1526source "arch/sparc/crypto/Kconfig"
1527endif
1528if X86
1529source "arch/x86/crypto/Kconfig"
1530endif
1531endif
1532
1533source "drivers/crypto/Kconfig"
1534source "crypto/asymmetric_keys/Kconfig"
1535source "certs/Kconfig"
1536
1537endif	# if CRYPTO
1538