1# SPDX-License-Identifier: GPL-2.0-only 2# 3# XFRM configuration 4# 5config XFRM 6 bool 7 depends on INET 8 select GRO_CELLS 9 select SKB_EXTENSIONS 10 11config XFRM_OFFLOAD 12 bool 13 14config XFRM_ALGO 15 tristate 16 select XFRM 17 select CRYPTO 18 select CRYPTO_AEAD 19 select CRYPTO_HASH 20 select CRYPTO_SKCIPHER 21 22if INET 23config XFRM_USER 24 tristate "Transformation user configuration interface" 25 select XFRM_ALGO 26 help 27 Support for Transformation(XFRM) user configuration interface 28 like IPsec used by native Linux tools. 29 30 If unsure, say Y. 31 32config XFRM_USER_COMPAT 33 tristate "Compatible ABI support" 34 depends on XFRM_USER && COMPAT_FOR_U64_ALIGNMENT && \ 35 HAVE_EFFICIENT_UNALIGNED_ACCESS 36 select WANT_COMPAT_NETLINK_MESSAGES 37 help 38 Transformation(XFRM) user configuration interface like IPsec 39 used by compatible Linux applications. 40 41 If unsure, say N. 42 43config XFRM_INTERFACE 44 tristate "Transformation virtual interface" 45 depends on XFRM && IPV6 46 help 47 This provides a virtual interface to route IPsec traffic. 48 49 If unsure, say N. 50 51config XFRM_SUB_POLICY 52 bool "Transformation sub policy support" 53 depends on XFRM 54 help 55 Support sub policy for developers. By using sub policy with main 56 one, two policies can be applied to the same packet at once. 57 Policy which lives shorter time in kernel should be a sub. 58 59 If unsure, say N. 60 61config XFRM_MIGRATE 62 bool "Transformation migrate database" 63 depends on XFRM 64 help 65 A feature to update locator(s) of a given IPsec security 66 association dynamically. This feature is required, for 67 instance, in a Mobile IPv6 environment with IPsec configuration 68 where mobile nodes change their attachment point to the Internet. 69 70 If unsure, say N. 71 72config XFRM_STATISTICS 73 bool "Transformation statistics" 74 depends on XFRM && PROC_FS 75 help 76 This statistics is not a SNMP/MIB specification but shows 77 statistics about transformation error (or almost error) factor 78 at packet processing for developer. 79 80 If unsure, say N. 81 82# This option selects XFRM_ALGO along with the AH authentication algorithms that 83# RFC 8221 lists as MUST be implemented. 84config XFRM_AH 85 tristate 86 select XFRM_ALGO 87 select CRYPTO 88 select CRYPTO_HMAC 89 select CRYPTO_SHA256 90 91# This option selects XFRM_ALGO along with the ESP encryption and authentication 92# algorithms that RFC 8221 lists as MUST be implemented. 93config XFRM_ESP 94 tristate 95 select XFRM_ALGO 96 select CRYPTO 97 select CRYPTO_AES 98 select CRYPTO_AUTHENC 99 select CRYPTO_CBC 100 select CRYPTO_ECHAINIV 101 select CRYPTO_GCM 102 select CRYPTO_HMAC 103 select CRYPTO_SEQIV 104 select CRYPTO_SHA256 105 106config XFRM_IPCOMP 107 tristate 108 select XFRM_ALGO 109 select CRYPTO 110 select CRYPTO_DEFLATE 111 112config NET_KEY 113 tristate "PF_KEY sockets" 114 select XFRM_ALGO 115 help 116 PF_KEYv2 socket family, compatible to KAME ones. 117 They are required if you are going to use IPsec tools ported 118 from KAME. 119 120 Say Y unless you know what you are doing. 121 122config NET_KEY_MIGRATE 123 bool "PF_KEY MIGRATE" 124 depends on NET_KEY 125 select XFRM_MIGRATE 126 help 127 Add a PF_KEY MIGRATE message to PF_KEYv2 socket family. 128 The PF_KEY MIGRATE message is used to dynamically update 129 locator(s) of a given IPsec security association. 130 This feature is required, for instance, in a Mobile IPv6 131 environment with IPsec configuration where mobile nodes 132 change their attachment point to the Internet. Detail 133 information can be found in the internet-draft 134 <draft-sugimoto-mip6-pfkey-migrate>. 135 136 If unsure, say N. 137 138config XFRM_ESPINTCP 139 bool 140 141endif # INET 142