crypto/Kconfig at master · tjh.dev/kernel

tjh.dev / kernel
fork atom
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / crypto / Kconfig
at master 1413 lines 38 kB view raw
wrap content
   1# SPDX-License-Identifier: GPL-2.0
   2#
   3# Generic algorithms support
   4#
   5config XOR_BLOCKS
   6	tristate
   7
   8#
   9# async_tx api: hardware offloaded memory transfer/transform support
  10#
  11source "crypto/async_tx/Kconfig"
  12
  13#
  14# Cryptographic API Configuration
  15#
  16menuconfig CRYPTO
  17	tristate "Cryptographic API"
  18	select CRYPTO_LIB_UTILS
  19	help
  20	  This option provides the core Cryptographic API.
  21
  22if CRYPTO
  23
  24menu "Crypto core or helper"
  25
  26config CRYPTO_FIPS
  27	bool "FIPS 200 compliance"
  28	depends on CRYPTO_DRBG && CRYPTO_SELFTESTS
  29	depends on (MODULE_SIG || !MODULES)
  30	help
  31	  This option enables the fips boot option which is
  32	  required if you want the system to operate in a FIPS 200
  33	  certification.  You should say no unless you know what
  34	  this is.
  35
  36config CRYPTO_FIPS_NAME
  37	string "FIPS Module Name"
  38	default "Linux Kernel Cryptographic API"
  39	depends on CRYPTO_FIPS
  40	help
  41	  This option sets the FIPS Module name reported by the Crypto API via
  42	  the /proc/sys/crypto/fips_name file.
  43
  44config CRYPTO_FIPS_CUSTOM_VERSION
  45	bool "Use Custom FIPS Module Version"
  46	depends on CRYPTO_FIPS
  47	default n
  48
  49config CRYPTO_FIPS_VERSION
  50	string "FIPS Module Version"
  51	default "(none)"
  52	depends on CRYPTO_FIPS_CUSTOM_VERSION
  53	help
  54	  This option provides the ability to override the FIPS Module Version.
  55	  By default the KERNELRELEASE value is used.
  56
  57config CRYPTO_ALGAPI
  58	tristate
  59	select CRYPTO_ALGAPI2
  60	help
  61	  This option provides the API for cryptographic algorithms.
  62
  63config CRYPTO_ALGAPI2
  64	tristate
  65
  66config CRYPTO_AEAD
  67	tristate
  68	select CRYPTO_AEAD2
  69	select CRYPTO_ALGAPI
  70
  71config CRYPTO_AEAD2
  72	tristate
  73	select CRYPTO_ALGAPI2
  74
  75config CRYPTO_SIG
  76	tristate
  77	select CRYPTO_SIG2
  78	select CRYPTO_ALGAPI
  79
  80config CRYPTO_SIG2
  81	tristate
  82	select CRYPTO_ALGAPI2
  83
  84config CRYPTO_SKCIPHER
  85	tristate
  86	select CRYPTO_SKCIPHER2
  87	select CRYPTO_ALGAPI
  88	select CRYPTO_ECB
  89
  90config CRYPTO_SKCIPHER2
  91	tristate
  92	select CRYPTO_ALGAPI2
  93
  94config CRYPTO_HASH
  95	tristate
  96	select CRYPTO_HASH2
  97	select CRYPTO_ALGAPI
  98
  99config CRYPTO_HASH2
 100	tristate
 101	select CRYPTO_ALGAPI2
 102
 103config CRYPTO_RNG
 104	tristate
 105	select CRYPTO_RNG2
 106	select CRYPTO_ALGAPI
 107
 108config CRYPTO_RNG2
 109	tristate
 110	select CRYPTO_ALGAPI2
 111
 112config CRYPTO_RNG_DEFAULT
 113	tristate
 114	select CRYPTO_DRBG_MENU
 115
 116config CRYPTO_AKCIPHER2
 117	tristate
 118	select CRYPTO_ALGAPI2
 119
 120config CRYPTO_AKCIPHER
 121	tristate
 122	select CRYPTO_AKCIPHER2
 123	select CRYPTO_ALGAPI
 124
 125config CRYPTO_KPP2
 126	tristate
 127	select CRYPTO_ALGAPI2
 128
 129config CRYPTO_KPP
 130	tristate
 131	select CRYPTO_ALGAPI
 132	select CRYPTO_KPP2
 133
 134config CRYPTO_ACOMP2
 135	tristate
 136	select CRYPTO_ALGAPI2
 137	select SGL_ALLOC
 138
 139config CRYPTO_ACOMP
 140	tristate
 141	select CRYPTO_ALGAPI
 142	select CRYPTO_ACOMP2
 143
 144config CRYPTO_HKDF
 145	tristate
 146	select CRYPTO_SHA256 if CRYPTO_SELFTESTS
 147	select CRYPTO_SHA512 if CRYPTO_SELFTESTS
 148	select CRYPTO_HASH2
 149
 150config CRYPTO_MANAGER
 151	tristate
 152	default CRYPTO_ALGAPI if CRYPTO_SELFTESTS
 153	select CRYPTO_MANAGER2
 154	help
 155	  This provides the support for instantiating templates such as
 156	  cbc(aes), and the support for the crypto self-tests.
 157
 158config CRYPTO_MANAGER2
 159	def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
 160	select CRYPTO_ACOMP2
 161	select CRYPTO_AEAD2
 162	select CRYPTO_AKCIPHER2
 163	select CRYPTO_SIG2
 164	select CRYPTO_HASH2
 165	select CRYPTO_KPP2
 166	select CRYPTO_RNG2
 167	select CRYPTO_SKCIPHER2
 168
 169config CRYPTO_USER
 170	tristate "Userspace cryptographic algorithm configuration"
 171	depends on NET
 172	select CRYPTO_MANAGER
 173	help
 174	  Userspace configuration for cryptographic instantiations such as
 175	  cbc(aes).
 176
 177config CRYPTO_SELFTESTS
 178	bool "Enable cryptographic self-tests"
 179	depends on EXPERT
 180	help
 181	  Enable the cryptographic self-tests.
 182
 183	  The cryptographic self-tests run at boot time, or at algorithm
 184	  registration time if algorithms are dynamically loaded later.
 185
 186	  There are two main use cases for these tests:
 187
 188	  - Development and pre-release testing.  In this case, also enable
 189	    CRYPTO_SELFTESTS_FULL to get the full set of tests.  All crypto code
 190	    in the kernel is expected to pass the full set of tests.
 191
 192	  - Production kernels, to help prevent buggy drivers from being used
 193	    and/or meet FIPS 140-3 pre-operational testing requirements.  In
 194	    this case, enable CRYPTO_SELFTESTS but not CRYPTO_SELFTESTS_FULL.
 195
 196config CRYPTO_SELFTESTS_FULL
 197	bool "Enable the full set of cryptographic self-tests"
 198	depends on CRYPTO_SELFTESTS
 199	help
 200	  Enable the full set of cryptographic self-tests for each algorithm.
 201
 202	  The full set of tests should be enabled for development and
 203	  pre-release testing, but not in production kernels.
 204
 205	  All crypto code in the kernel is expected to pass the full tests.
 206
 207config CRYPTO_NULL
 208	tristate "Null algorithms"
 209	select CRYPTO_ALGAPI
 210	select CRYPTO_SKCIPHER
 211	select CRYPTO_HASH
 212	help
 213	  These are 'Null' algorithms, used by IPsec, which do nothing.
 214
 215config CRYPTO_PCRYPT
 216	tristate "Parallel crypto engine"
 217	depends on SMP
 218	select PADATA
 219	select CRYPTO_MANAGER
 220	select CRYPTO_AEAD
 221	help
 222	  This converts an arbitrary crypto algorithm into a parallel
 223	  algorithm that executes in kernel threads.
 224
 225config CRYPTO_CRYPTD
 226	tristate "Software async crypto daemon"
 227	select CRYPTO_SKCIPHER
 228	select CRYPTO_HASH
 229	select CRYPTO_MANAGER
 230	help
 231	  This is a generic software asynchronous crypto daemon that
 232	  converts an arbitrary synchronous software crypto algorithm
 233	  into an asynchronous algorithm that executes in a kernel thread.
 234
 235config CRYPTO_AUTHENC
 236	tristate "Authenc support"
 237	select CRYPTO_AEAD
 238	select CRYPTO_SKCIPHER
 239	select CRYPTO_MANAGER
 240	select CRYPTO_HASH
 241	help
 242	  Authenc: Combined mode wrapper for IPsec.
 243
 244	  This is required for IPSec ESP (XFRM_ESP).
 245
 246config CRYPTO_KRB5ENC
 247	tristate "Kerberos 5 combined hash+cipher support"
 248	select CRYPTO_AEAD
 249	select CRYPTO_SKCIPHER
 250	select CRYPTO_MANAGER
 251	select CRYPTO_HASH
 252	help
 253	  Combined hash and cipher support for Kerberos 5 RFC3961 simplified
 254	  profile.  This is required for Kerberos 5-style encryption, used by
 255	  sunrpc/NFS and rxrpc/AFS.
 256
 257config CRYPTO_BENCHMARK
 258	tristate "Crypto benchmarking module"
 259	depends on m || EXPERT
 260	select CRYPTO_MANAGER
 261	help
 262	  Quick & dirty crypto benchmarking module.
 263
 264	  This is mainly intended for use by people developing cryptographic
 265	  algorithms in the kernel.  It should not be enabled in production
 266	  kernels.
 267
 268config CRYPTO_SIMD
 269	tristate
 270	select CRYPTO_CRYPTD
 271
 272config CRYPTO_ENGINE
 273	tristate
 274
 275endmenu
 276
 277menu "Public-key cryptography"
 278
 279config CRYPTO_RSA
 280	tristate "RSA (Rivest-Shamir-Adleman)"
 281	select CRYPTO_AKCIPHER
 282	select CRYPTO_MANAGER
 283	select CRYPTO_SIG
 284	select MPILIB
 285	select ASN1
 286	help
 287	  RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017)
 288
 289config CRYPTO_DH
 290	tristate "DH (Diffie-Hellman)"
 291	select CRYPTO_KPP
 292	select MPILIB
 293	help
 294	  DH (Diffie-Hellman) key exchange algorithm
 295
 296config CRYPTO_DH_RFC7919_GROUPS
 297	bool "RFC 7919 FFDHE groups"
 298	depends on CRYPTO_DH
 299	select CRYPTO_RNG_DEFAULT
 300	help
 301	  FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups
 302	  defined in RFC7919.
 303
 304	  Support these finite-field groups in DH key exchanges:
 305	  - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
 306
 307	  If unsure, say N.
 308
 309config CRYPTO_ECC
 310	tristate
 311	select CRYPTO_RNG_DEFAULT
 312
 313config CRYPTO_ECDH
 314	tristate "ECDH (Elliptic Curve Diffie-Hellman)"
 315	select CRYPTO_ECC
 316	select CRYPTO_KPP
 317	help
 318	  ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm
 319	  using curves P-192, P-256, and P-384 (FIPS 186)
 320
 321config CRYPTO_ECDSA
 322	tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)"
 323	select CRYPTO_ECC
 324	select CRYPTO_SIG
 325	select ASN1
 326	help
 327	  ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186,
 328	  ISO/IEC 14888-3)
 329	  using curves P-192, P-256, P-384 and P-521
 330
 331	  Only signature verification is implemented.
 332
 333config CRYPTO_ECRDSA
 334	tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)"
 335	select CRYPTO_ECC
 336	select CRYPTO_SIG
 337	select CRYPTO_STREEBOG
 338	select OID_REGISTRY
 339	select ASN1
 340	help
 341	  Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
 342	  RFC 7091, ISO/IEC 14888-3)
 343
 344	  One of the Russian cryptographic standard algorithms (called GOST
 345	  algorithms). Only signature verification is implemented.
 346
 347config CRYPTO_MLDSA
 348	tristate "ML-DSA (Module-Lattice-Based Digital Signature Algorithm)"
 349	select CRYPTO_SIG
 350	select CRYPTO_LIB_MLDSA
 351	help
 352	  ML-DSA (Module-Lattice-Based Digital Signature Algorithm) (FIPS-204).
 353
 354	  Only signature verification is implemented.
 355
 356endmenu
 357
 358menu "Block ciphers"
 359
 360config CRYPTO_AES
 361	tristate "AES (Advanced Encryption Standard)"
 362	select CRYPTO_ALGAPI
 363	select CRYPTO_LIB_AES
 364	help
 365	  AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
 366
 367	  Rijndael appears to be consistently a very good performer in
 368	  both hardware and software across a wide range of computing
 369	  environments regardless of its use in feedback or non-feedback
 370	  modes. Its key setup time is excellent, and its key agility is
 371	  good. Rijndael's very low memory requirements make it very well
 372	  suited for restricted-space environments, in which it also
 373	  demonstrates excellent performance. Rijndael's operations are
 374	  among the easiest to defend against power and timing attacks.
 375
 376	  The AES specifies three key sizes: 128, 192 and 256 bits
 377
 378config CRYPTO_ANUBIS
 379	tristate "Anubis"
 380	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
 381	select CRYPTO_ALGAPI
 382	help
 383	  Anubis cipher algorithm
 384
 385	  Anubis is a variable key length cipher which can use keys from
 386	  128 bits to 320 bits in length.  It was evaluated as a entrant
 387	  in the NESSIE competition.
 388
 389	  See https://web.archive.org/web/20160606112246/http://www.larc.usp.br/~pbarreto/AnubisPage.html
 390	  for further information.
 391
 392config CRYPTO_ARIA
 393	tristate "ARIA"
 394	select CRYPTO_ALGAPI
 395	help
 396	  ARIA cipher algorithm (RFC5794)
 397
 398	  ARIA is a standard encryption algorithm of the Republic of Korea.
 399	  The ARIA specifies three key sizes and rounds.
 400	  128-bit: 12 rounds.
 401	  192-bit: 14 rounds.
 402	  256-bit: 16 rounds.
 403
 404	  See:
 405	  https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do
 406
 407config CRYPTO_BLOWFISH
 408	tristate "Blowfish"
 409	select CRYPTO_ALGAPI
 410	select CRYPTO_BLOWFISH_COMMON
 411	help
 412	  Blowfish cipher algorithm, by Bruce Schneier
 413
 414	  This is a variable key length cipher which can use keys from 32
 415	  bits to 448 bits in length.  It's fast, simple and specifically
 416	  designed for use on "large microprocessors".
 417
 418	  See https://www.schneier.com/blowfish.html for further information.
 419
 420config CRYPTO_BLOWFISH_COMMON
 421	tristate
 422	help
 423	  Common parts of the Blowfish cipher algorithm shared by the
 424	  generic c and the assembler implementations.
 425
 426config CRYPTO_CAMELLIA
 427	tristate "Camellia"
 428	select CRYPTO_ALGAPI
 429	help
 430	  Camellia cipher algorithms (ISO/IEC 18033-3)
 431
 432	  Camellia is a symmetric key block cipher developed jointly
 433	  at NTT and Mitsubishi Electric Corporation.
 434
 435	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
 436
 437	  See https://info.isl.ntt.co.jp/crypt/eng/camellia/ for further information.
 438
 439config CRYPTO_CAST_COMMON
 440	tristate
 441	help
 442	  Common parts of the CAST cipher algorithms shared by the
 443	  generic c and the assembler implementations.
 444
 445config CRYPTO_CAST5
 446	tristate "CAST5 (CAST-128)"
 447	select CRYPTO_ALGAPI
 448	select CRYPTO_CAST_COMMON
 449	help
 450	  CAST5 (CAST-128) cipher algorithm (RFC2144, ISO/IEC 18033-3)
 451
 452config CRYPTO_CAST6
 453	tristate "CAST6 (CAST-256)"
 454	select CRYPTO_ALGAPI
 455	select CRYPTO_CAST_COMMON
 456	help
 457	  CAST6 (CAST-256) encryption algorithm (RFC2612)
 458
 459config CRYPTO_DES
 460	tristate "DES and Triple DES EDE"
 461	select CRYPTO_ALGAPI
 462	select CRYPTO_LIB_DES
 463	help
 464	  DES (Data Encryption Standard)(FIPS 46-2, ISO/IEC 18033-3) and
 465	  Triple DES EDE (Encrypt/Decrypt/Encrypt) (FIPS 46-3, ISO/IEC 18033-3)
 466	  cipher algorithms
 467
 468config CRYPTO_FCRYPT
 469	tristate "FCrypt"
 470	select CRYPTO_ALGAPI
 471	select CRYPTO_SKCIPHER
 472	help
 473	  FCrypt algorithm used by RxRPC
 474
 475	  See https://ota.polyonymo.us/fcrypt-paper.txt
 476
 477config CRYPTO_KHAZAD
 478	tristate "Khazad"
 479	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
 480	select CRYPTO_ALGAPI
 481	help
 482	  Khazad cipher algorithm
 483
 484	  Khazad was a finalist in the initial NESSIE competition.  It is
 485	  an algorithm optimized for 64-bit processors with good performance
 486	  on 32-bit processors.  Khazad uses an 128 bit key size.
 487
 488	  See https://web.archive.org/web/20171011071731/http://www.larc.usp.br/~pbarreto/KhazadPage.html
 489	  for further information.
 490
 491config CRYPTO_SEED
 492	tristate "SEED"
 493	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
 494	select CRYPTO_ALGAPI
 495	help
 496	  SEED cipher algorithm (RFC4269, ISO/IEC 18033-3)
 497
 498	  SEED is a 128-bit symmetric key block cipher that has been
 499	  developed by KISA (Korea Information Security Agency) as a
 500	  national standard encryption algorithm of the Republic of Korea.
 501	  It is a 16 round block cipher with the key size of 128 bit.
 502
 503	  See https://seed.kisa.or.kr/kisa/algorithm/EgovSeedInfo.do
 504	  for further information.
 505
 506config CRYPTO_SERPENT
 507	tristate "Serpent"
 508	select CRYPTO_ALGAPI
 509	help
 510	  Serpent cipher algorithm, by Anderson, Biham & Knudsen
 511
 512	  Keys are allowed to be from 0 to 256 bits in length, in steps
 513	  of 8 bits.
 514
 515	  See https://www.cl.cam.ac.uk/~rja14/serpent.html for further information.
 516
 517config CRYPTO_SM4
 518	tristate
 519
 520config CRYPTO_SM4_GENERIC
 521	tristate "SM4 (ShangMi 4)"
 522	select CRYPTO_ALGAPI
 523	select CRYPTO_SM4
 524	help
 525	  SM4 cipher algorithms (OSCCA GB/T 32907-2016,
 526	  ISO/IEC 18033-3:2010/Amd 1:2021)
 527
 528	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
 529	  Organization of State Commercial Administration of China (OSCCA)
 530	  as an authorized cryptographic algorithms for the use within China.
 531
 532	  SMS4 was originally created for use in protecting wireless
 533	  networks, and is mandated in the Chinese National Standard for
 534	  Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
 535	  (GB.15629.11-2003).
 536
 537	  The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
 538	  standardized through TC 260 of the Standardization Administration
 539	  of the People's Republic of China (SAC).
 540
 541	  The input, output, and key of SMS4 are each 128 bits.
 542
 543	  See https://eprint.iacr.org/2008/329.pdf for further information.
 544
 545	  If unsure, say N.
 546
 547config CRYPTO_TEA
 548	tristate "TEA, XTEA and XETA"
 549	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
 550	select CRYPTO_ALGAPI
 551	help
 552	  TEA (Tiny Encryption Algorithm) cipher algorithms
 553
 554	  Tiny Encryption Algorithm is a simple cipher that uses
 555	  many rounds for security.  It is very fast and uses
 556	  little memory.
 557
 558	  Xtendend Tiny Encryption Algorithm is a modification to
 559	  the TEA algorithm to address a potential key weakness
 560	  in the TEA algorithm.
 561
 562	  Xtendend Encryption Tiny Algorithm is a mis-implementation
 563	  of the XTEA algorithm for compatibility purposes.
 564
 565config CRYPTO_TWOFISH
 566	tristate "Twofish"
 567	select CRYPTO_ALGAPI
 568	select CRYPTO_TWOFISH_COMMON
 569	help
 570	  Twofish cipher algorithm
 571
 572	  Twofish was submitted as an AES (Advanced Encryption Standard)
 573	  candidate cipher by researchers at CounterPane Systems.  It is a
 574	  16 round block cipher supporting key sizes of 128, 192, and 256
 575	  bits.
 576
 577	  See https://www.schneier.com/twofish.html for further information.
 578
 579config CRYPTO_TWOFISH_COMMON
 580	tristate
 581	help
 582	  Common parts of the Twofish cipher algorithm shared by the
 583	  generic c and the assembler implementations.
 584
 585endmenu
 586
 587menu "Length-preserving ciphers and modes"
 588
 589config CRYPTO_ADIANTUM
 590	tristate "Adiantum"
 591	select CRYPTO_CHACHA20
 592	select CRYPTO_LIB_NH
 593	select CRYPTO_LIB_POLY1305
 594	select CRYPTO_LIB_POLY1305_GENERIC
 595	select CRYPTO_MANAGER
 596	help
 597	  Adiantum tweakable, length-preserving encryption mode
 598
 599	  Designed for fast and secure disk encryption, especially on
 600	  CPUs without dedicated crypto instructions.  It encrypts
 601	  each sector using the XChaCha12 stream cipher, two passes of
 602	  an ε-almost-∆-universal hash function, and an invocation of
 603	  the AES-256 block cipher on a single 16-byte block.  On CPUs
 604	  without AES instructions, Adiantum is much faster than
 605	  AES-XTS.
 606
 607	  Adiantum's security is provably reducible to that of its
 608	  underlying stream and block ciphers, subject to a security
 609	  bound.  Unlike XTS, Adiantum is a true wide-block encryption
 610	  mode, so it actually provides an even stronger notion of
 611	  security than XTS, subject to the security bound.
 612
 613	  If unsure, say N.
 614
 615config CRYPTO_ARC4
 616	tristate "ARC4 (Alleged Rivest Cipher 4)"
 617	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
 618	select CRYPTO_SKCIPHER
 619	select CRYPTO_LIB_ARC4
 620	help
 621	  ARC4 cipher algorithm
 622
 623	  ARC4 is a stream cipher using keys ranging from 8 bits to 2048
 624	  bits in length.  This algorithm is required for driver-based
 625	  WEP, but it should not be for other purposes because of the
 626	  weakness of the algorithm.
 627
 628config CRYPTO_CHACHA20
 629	tristate "ChaCha"
 630	select CRYPTO_LIB_CHACHA
 631	select CRYPTO_SKCIPHER
 632	help
 633	  The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms
 634
 635	  ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
 636	  Bernstein and further specified in RFC7539 for use in IETF protocols.
 637	  This is the portable C implementation of ChaCha20.  See
 638	  https://cr.yp.to/chacha/chacha-20080128.pdf for further information.
 639
 640	  XChaCha20 is the application of the XSalsa20 construction to ChaCha20
 641	  rather than to Salsa20.  XChaCha20 extends ChaCha20's nonce length
 642	  from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
 643	  while provably retaining ChaCha20's security.  See
 644	  https://cr.yp.to/snuffle/xsalsa-20081128.pdf for further information.
 645
 646	  XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
 647	  reduced security margin but increased performance.  It can be needed
 648	  in some performance-sensitive scenarios.
 649
 650config CRYPTO_CBC
 651	tristate "CBC (Cipher Block Chaining)"
 652	select CRYPTO_SKCIPHER
 653	select CRYPTO_MANAGER
 654	help
 655	  CBC (Cipher Block Chaining) mode (NIST SP800-38A)
 656
 657	  This block cipher mode is required for IPSec ESP (XFRM_ESP).
 658
 659config CRYPTO_CTR
 660	tristate "CTR (Counter)"
 661	select CRYPTO_SKCIPHER
 662	select CRYPTO_MANAGER
 663	help
 664	  CTR (Counter) mode (NIST SP800-38A)
 665
 666config CRYPTO_CTS
 667	tristate "CTS (Cipher Text Stealing)"
 668	select CRYPTO_SKCIPHER
 669	select CRYPTO_MANAGER
 670	help
 671	  CBC-CS3 variant of CTS (Cipher Text Stealing) (NIST
 672	  Addendum to SP800-38A (October 2010))
 673
 674	  This mode is required for Kerberos gss mechanism support
 675	  for AES encryption.
 676
 677config CRYPTO_ECB
 678	tristate "ECB (Electronic Codebook)"
 679	select CRYPTO_SKCIPHER2
 680	select CRYPTO_MANAGER
 681	help
 682	  ECB (Electronic Codebook) mode (NIST SP800-38A)
 683
 684config CRYPTO_HCTR2
 685	tristate "HCTR2"
 686	select CRYPTO_XCTR
 687	select CRYPTO_LIB_POLYVAL
 688	select CRYPTO_MANAGER
 689	help
 690	  HCTR2 length-preserving encryption mode
 691
 692	  A mode for storage encryption that is efficient on processors with
 693	  instructions to accelerate AES and carryless multiplication, e.g.
 694	  x86 processors with AES-NI and CLMUL, and ARM processors with the
 695	  ARMv8 crypto extensions.
 696
 697	  See https://eprint.iacr.org/2021/1441
 698
 699config CRYPTO_LRW
 700	tristate "LRW (Liskov Rivest Wagner)"
 701	select CRYPTO_LIB_GF128MUL
 702	select CRYPTO_SKCIPHER
 703	select CRYPTO_MANAGER
 704	select CRYPTO_ECB
 705	help
 706	  LRW (Liskov Rivest Wagner) mode
 707
 708	  A tweakable, non malleable, non movable
 709	  narrow block cipher mode for dm-crypt.  Use it with cipher
 710	  specification string aes-lrw-benbi, the key must be 256, 320 or 384.
 711	  The first 128, 192 or 256 bits in the key are used for AES and the
 712	  rest is used to tie each cipher block to its logical position.
 713
 714	  See https://people.csail.mit.edu/rivest/pubs/LRW02.pdf
 715
 716config CRYPTO_PCBC
 717	tristate "PCBC (Propagating Cipher Block Chaining)"
 718	select CRYPTO_SKCIPHER
 719	select CRYPTO_MANAGER
 720	help
 721	  PCBC (Propagating Cipher Block Chaining) mode
 722
 723	  This block cipher mode is required for RxRPC.
 724
 725config CRYPTO_XCTR
 726	tristate
 727	select CRYPTO_SKCIPHER
 728	select CRYPTO_MANAGER
 729	help
 730	  XCTR (XOR Counter) mode for HCTR2
 731
 732	  This blockcipher mode is a variant of CTR mode using XORs and little-endian
 733	  addition rather than big-endian arithmetic.
 734
 735	  XCTR mode is used to implement HCTR2.
 736
 737config CRYPTO_XTS
 738	tristate "XTS (XOR Encrypt XOR with ciphertext stealing)"
 739	select CRYPTO_SKCIPHER
 740	select CRYPTO_MANAGER
 741	select CRYPTO_ECB
 742	help
 743	  XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
 744	  and IEEE 1619)
 745
 746	  Use with aes-xts-plain, key size 256, 384 or 512 bits. This
 747	  implementation currently can't handle a sectorsize which is not a
 748	  multiple of 16 bytes.
 749
 750endmenu
 751
 752menu "AEAD (authenticated encryption with associated data) ciphers"
 753
 754config CRYPTO_AEGIS128
 755	tristate "AEGIS-128"
 756	select CRYPTO_AEAD
 757	select CRYPTO_LIB_AES  # for AES S-box tables
 758	help
 759	  AEGIS-128 AEAD algorithm
 760
 761config CRYPTO_AEGIS128_SIMD
 762	bool "AEGIS-128 (arm NEON, arm64 NEON)"
 763	depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
 764	default y
 765	help
 766	  AEGIS-128 AEAD algorithm
 767
 768	  Architecture: arm or arm64 using:
 769	  - NEON (Advanced SIMD) extension
 770
 771config CRYPTO_CHACHA20POLY1305
 772	tristate "ChaCha20-Poly1305"
 773	select CRYPTO_CHACHA20
 774	select CRYPTO_AEAD
 775	select CRYPTO_LIB_POLY1305
 776	select CRYPTO_MANAGER
 777	help
 778	  ChaCha20 stream cipher and Poly1305 authenticator combined
 779	  mode (RFC8439)
 780
 781config CRYPTO_CCM
 782	tristate "CCM (Counter with Cipher Block Chaining-MAC)"
 783	select CRYPTO_CTR
 784	select CRYPTO_HASH
 785	select CRYPTO_AEAD
 786	select CRYPTO_MANAGER
 787	help
 788	  CCM (Counter with Cipher Block Chaining-Message Authentication Code)
 789	  authenticated encryption mode (NIST SP800-38C)
 790
 791config CRYPTO_GCM
 792	tristate "GCM (Galois/Counter Mode) and GMAC (GCM MAC)"
 793	select CRYPTO_CTR
 794	select CRYPTO_AEAD
 795	select CRYPTO_GHASH
 796	select CRYPTO_MANAGER
 797	help
 798	  GCM (Galois/Counter Mode) authenticated encryption mode and GMAC
 799	  (GCM Message Authentication Code) (NIST SP800-38D)
 800
 801	  This is required for IPSec ESP (XFRM_ESP).
 802
 803config CRYPTO_GENIV
 804	tristate
 805	select CRYPTO_AEAD
 806	select CRYPTO_MANAGER
 807	select CRYPTO_RNG_DEFAULT
 808
 809config CRYPTO_SEQIV
 810	tristate "Sequence Number IV Generator"
 811	select CRYPTO_GENIV
 812	help
 813	  Sequence Number IV generator
 814
 815	  This IV generator generates an IV based on a sequence number by
 816	  xoring it with a salt.  This algorithm is mainly useful for CTR.
 817
 818	  This is required for IPsec ESP (XFRM_ESP).
 819
 820config CRYPTO_ECHAINIV
 821	tristate "Encrypted Chain IV Generator"
 822	select CRYPTO_GENIV
 823	help
 824	  Encrypted Chain IV generator
 825
 826	  This IV generator generates an IV based on the encryption of
 827	  a sequence number xored with a salt.  This is the default
 828	  algorithm for CBC.
 829
 830config CRYPTO_ESSIV
 831	tristate "Encrypted Salt-Sector IV Generator"
 832	select CRYPTO_AUTHENC
 833	help
 834	  Encrypted Salt-Sector IV generator
 835
 836	  This IV generator is used in some cases by fscrypt and/or
 837	  dm-crypt. It uses the hash of the block encryption key as the
 838	  symmetric key for a block encryption pass applied to the input
 839	  IV, making low entropy IV sources more suitable for block
 840	  encryption.
 841
 842	  This driver implements a crypto API template that can be
 843	  instantiated either as an skcipher or as an AEAD (depending on the
 844	  type of the first template argument), and which defers encryption
 845	  and decryption requests to the encapsulated cipher after applying
 846	  ESSIV to the input IV. Note that in the AEAD case, it is assumed
 847	  that the keys are presented in the same format used by the authenc
 848	  template, and that the IV appears at the end of the authenticated
 849	  associated data (AAD) region (which is how dm-crypt uses it.)
 850
 851	  Note that the use of ESSIV is not recommended for new deployments,
 852	  and so this only needs to be enabled when interoperability with
 853	  existing encrypted volumes of filesystems is required, or when
 854	  building for a particular system that requires it (e.g., when
 855	  the SoC in question has accelerated CBC but not XTS, making CBC
 856	  combined with ESSIV the only feasible mode for h/w accelerated
 857	  block encryption)
 858
 859endmenu
 860
 861menu "Hashes, digests, and MACs"
 862
 863config CRYPTO_BLAKE2B
 864	tristate "BLAKE2b"
 865	select CRYPTO_HASH
 866	select CRYPTO_LIB_BLAKE2B
 867	help
 868	  BLAKE2b cryptographic hash function (RFC 7693)
 869
 870	  BLAKE2b is optimized for 64-bit platforms and can produce digests
 871	  of any size between 1 and 64 bytes. The keyed hash is also implemented.
 872
 873	  This module provides the following algorithms:
 874	  - blake2b-160
 875	  - blake2b-256
 876	  - blake2b-384
 877	  - blake2b-512
 878
 879	  See https://blake2.net for further information.
 880
 881config CRYPTO_CMAC
 882	tristate "CMAC (Cipher-based MAC)"
 883	select CRYPTO_HASH
 884	select CRYPTO_MANAGER
 885	help
 886	  CMAC (Cipher-based Message Authentication Code) authentication
 887	  mode (NIST SP800-38B and IETF RFC4493)
 888
 889config CRYPTO_GHASH
 890	tristate "GHASH"
 891	select CRYPTO_HASH
 892	select CRYPTO_LIB_GF128MUL
 893	help
 894	  GCM GHASH function (NIST SP800-38D)
 895
 896config CRYPTO_HMAC
 897	tristate "HMAC (Keyed-Hash MAC)"
 898	select CRYPTO_HASH
 899	select CRYPTO_MANAGER
 900	help
 901	  HMAC (Keyed-Hash Message Authentication Code) (FIPS 198 and
 902	  RFC2104)
 903
 904	  This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
 905
 906config CRYPTO_MD4
 907	tristate "MD4"
 908	select CRYPTO_HASH
 909	help
 910	  MD4 message digest algorithm (RFC1320)
 911
 912config CRYPTO_MD5
 913	tristate "MD5"
 914	select CRYPTO_HASH
 915	select CRYPTO_LIB_MD5
 916	help
 917	  MD5 message digest algorithm (RFC1321), including HMAC support.
 918
 919config CRYPTO_MICHAEL_MIC
 920	tristate "Michael MIC"
 921	select CRYPTO_HASH
 922	help
 923	  Michael MIC (Message Integrity Code) (IEEE 802.11i)
 924
 925	  Defined by the IEEE 802.11i TKIP (Temporal Key Integrity Protocol),
 926	  known as WPA (Wif-Fi Protected Access).
 927
 928	  This algorithm is required for TKIP, but it should not be used for
 929	  other purposes because of the weakness of the algorithm.
 930
 931config CRYPTO_RMD160
 932	tristate "RIPEMD-160"
 933	select CRYPTO_HASH
 934	help
 935	  RIPEMD-160 hash function (ISO/IEC 10118-3)
 936
 937	  RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
 938	  to be used as a secure replacement for the 128-bit hash functions
 939	  MD4, MD5 and its predecessor RIPEMD
 940	  (not to be confused with RIPEMD-128).
 941
 942	  Its speed is comparable to SHA-1 and there are no known attacks
 943	  against RIPEMD-160.
 944
 945	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
 946	  See https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
 947	  for further information.
 948
 949config CRYPTO_SHA1
 950	tristate "SHA-1"
 951	select CRYPTO_HASH
 952	select CRYPTO_LIB_SHA1
 953	help
 954	  SHA-1 secure hash algorithm (FIPS 180, ISO/IEC 10118-3), including
 955	  HMAC support.
 956
 957config CRYPTO_SHA256
 958	tristate "SHA-224 and SHA-256"
 959	select CRYPTO_HASH
 960	select CRYPTO_LIB_SHA256
 961	help
 962	  SHA-224 and SHA-256 secure hash algorithms (FIPS 180, ISO/IEC
 963	  10118-3), including HMAC support.
 964
 965	  This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
 966
 967config CRYPTO_SHA512
 968	tristate "SHA-384 and SHA-512"
 969	select CRYPTO_HASH
 970	select CRYPTO_LIB_SHA512
 971	help
 972	  SHA-384 and SHA-512 secure hash algorithms (FIPS 180, ISO/IEC
 973	  10118-3), including HMAC support.
 974
 975config CRYPTO_SHA3
 976	tristate "SHA-3"
 977	select CRYPTO_HASH
 978	select CRYPTO_LIB_SHA3
 979	help
 980	  SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3)
 981
 982config CRYPTO_SM3_GENERIC
 983	tristate "SM3 (ShangMi 3)"
 984	select CRYPTO_HASH
 985	select CRYPTO_LIB_SM3
 986	help
 987	  SM3 (ShangMi 3) secure hash function (OSCCA GM/T 0004-2012, ISO/IEC 10118-3)
 988
 989	  This is part of the Chinese Commercial Cryptography suite.
 990
 991	  References:
 992	  http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
 993	  https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
 994
 995config CRYPTO_STREEBOG
 996	tristate "Streebog"
 997	select CRYPTO_HASH
 998	help
 999	  Streebog Hash Function (GOST R 34.11-2012, RFC 6986, ISO/IEC 10118-3)
1000
1001	  This is one of the Russian cryptographic standard algorithms (called
1002	  GOST algorithms). This setting enables two hash algorithms with
1003	  256 and 512 bits output.
1004
1005	  References:
1006	  https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1007	  https://tools.ietf.org/html/rfc6986
1008
1009config CRYPTO_WP512
1010	tristate "Whirlpool"
1011	select CRYPTO_HASH
1012	help
1013	  Whirlpool hash function (ISO/IEC 10118-3)
1014
1015	  512, 384 and 256-bit hashes.
1016
1017	  Whirlpool-512 is part of the NESSIE cryptographic primitives.
1018
1019	  See https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
1020	  for further information.
1021
1022config CRYPTO_XCBC
1023	tristate "XCBC-MAC (Extended Cipher Block Chaining MAC)"
1024	select CRYPTO_HASH
1025	select CRYPTO_MANAGER
1026	help
1027	  XCBC-MAC (Extended Cipher Block Chaining Message Authentication
1028	  Code) (RFC3566)
1029
1030config CRYPTO_XXHASH
1031	tristate "xxHash"
1032	select CRYPTO_HASH
1033	select XXHASH
1034	help
1035	  xxHash non-cryptographic hash algorithm
1036
1037	  Extremely fast, working at speeds close to RAM limits.
1038
1039endmenu
1040
1041menu "CRCs (cyclic redundancy checks)"
1042
1043config CRYPTO_CRC32C
1044	tristate "CRC32c"
1045	select CRYPTO_HASH
1046	select CRC32
1047	help
1048	  CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720)
1049
1050	  A 32-bit CRC (cyclic redundancy check) with a polynomial defined
1051	  by G. Castagnoli, S. Braeuer and M. Herrman in "Optimization of Cyclic
1052	  Redundancy-Check Codes with 24 and 32 Parity Bits", IEEE Transactions
1053	  on Communications, Vol. 41, No. 6, June 1993, selected for use with
1054	  iSCSI.
1055
1056config CRYPTO_CRC32
1057	tristate "CRC32"
1058	select CRYPTO_HASH
1059	select CRC32
1060	help
1061	  CRC32 CRC algorithm (IEEE 802.3)
1062
1063endmenu
1064
1065menu "Compression"
1066
1067config CRYPTO_DEFLATE
1068	tristate "Deflate"
1069	select CRYPTO_ALGAPI
1070	select CRYPTO_ACOMP2
1071	select ZLIB_INFLATE
1072	select ZLIB_DEFLATE
1073	help
1074	  Deflate compression algorithm (RFC1951)
1075
1076	  Used by IPSec with the IPCOMP protocol (RFC3173, RFC2394)
1077
1078config CRYPTO_LZO
1079	tristate "LZO"
1080	select CRYPTO_ALGAPI
1081	select CRYPTO_ACOMP2
1082	select LZO_COMPRESS
1083	select LZO_DECOMPRESS
1084	help
1085	  LZO compression algorithm
1086
1087	  See https://www.oberhumer.com/opensource/lzo/ for further information.
1088
1089config CRYPTO_842
1090	tristate "842"
1091	select CRYPTO_ALGAPI
1092	select CRYPTO_ACOMP2
1093	select 842_COMPRESS
1094	select 842_DECOMPRESS
1095	help
1096	  842 compression algorithm by IBM
1097
1098	  See https://github.com/plauth/lib842 for further information.
1099
1100config CRYPTO_LZ4
1101	tristate "LZ4"
1102	select CRYPTO_ALGAPI
1103	select CRYPTO_ACOMP2
1104	select LZ4_COMPRESS
1105	select LZ4_DECOMPRESS
1106	help
1107	  LZ4 compression algorithm
1108
1109	  See https://github.com/lz4/lz4 for further information.
1110
1111config CRYPTO_LZ4HC
1112	tristate "LZ4HC"
1113	select CRYPTO_ALGAPI
1114	select CRYPTO_ACOMP2
1115	select LZ4HC_COMPRESS
1116	select LZ4_DECOMPRESS
1117	help
1118	  LZ4 high compression mode algorithm
1119
1120	  See https://github.com/lz4/lz4 for further information.
1121
1122config CRYPTO_ZSTD
1123	tristate "Zstd"
1124	select CRYPTO_ALGAPI
1125	select CRYPTO_ACOMP2
1126	select ZSTD_COMPRESS
1127	select ZSTD_DECOMPRESS
1128	help
1129	  zstd compression algorithm
1130
1131	  See https://github.com/facebook/zstd for further information.
1132
1133endmenu
1134
1135menu "Random number generation"
1136
1137menuconfig CRYPTO_DRBG_MENU
1138	tristate "NIST SP800-90A DRBG (Deterministic Random Bit Generator)"
1139	help
1140	  DRBG (Deterministic Random Bit Generator) (NIST SP800-90A)
1141
1142	  In the following submenu, one or more of the DRBG types must be selected.
1143
1144if CRYPTO_DRBG_MENU
1145
1146config CRYPTO_DRBG_HMAC
1147	bool
1148	default y
1149	select CRYPTO_HMAC
1150	select CRYPTO_SHA512
1151
1152config CRYPTO_DRBG_HASH
1153	bool "Hash_DRBG"
1154	select CRYPTO_SHA256
1155	help
1156	  Hash_DRBG variant as defined in NIST SP800-90A.
1157
1158	  This uses the SHA-1, SHA-256, SHA-384, or SHA-512 hash algorithms.
1159
1160config CRYPTO_DRBG_CTR
1161	bool "CTR_DRBG"
1162	select CRYPTO_DF80090A
1163	help
1164	  CTR_DRBG variant as defined in NIST SP800-90A.
1165
1166	  This uses the AES cipher algorithm with the counter block mode.
1167
1168config CRYPTO_DRBG
1169	tristate
1170	default CRYPTO_DRBG_MENU
1171	select CRYPTO_RNG
1172	select CRYPTO_JITTERENTROPY
1173
1174endif	# if CRYPTO_DRBG_MENU
1175
1176config CRYPTO_JITTERENTROPY
1177	tristate "CPU Jitter Non-Deterministic RNG (Random Number Generator)"
1178	select CRYPTO_RNG
1179	select CRYPTO_SHA3
1180	help
1181	  CPU Jitter RNG (Random Number Generator) from the Jitterentropy library
1182
1183	  A non-physical non-deterministic ("true") RNG (e.g., an entropy source
1184	  compliant with NIST SP800-90B) intended to provide a seed to a
1185	  deterministic RNG (e.g., per NIST SP800-90C).
1186	  This RNG does not perform any cryptographic whitening of the generated
1187	  random numbers.
1188
1189	  See https://www.chronox.de/jent/
1190
1191if CRYPTO_JITTERENTROPY
1192if CRYPTO_FIPS && EXPERT
1193
1194choice
1195	prompt "CPU Jitter RNG Memory Size"
1196	default CRYPTO_JITTERENTROPY_MEMSIZE_2
1197	help
1198	  The Jitter RNG measures the execution time of memory accesses.
1199	  Multiple consecutive memory accesses are performed. If the memory
1200	  size fits into a cache (e.g. L1), only the memory access timing
1201	  to that cache is measured. The closer the cache is to the CPU
1202	  the less variations are measured and thus the less entropy is
1203	  obtained. Thus, if the memory size fits into the L1 cache, the
1204	  obtained entropy is less than if the memory size fits within
1205	  L1 + L2, which in turn is less if the memory fits into
1206	  L1 + L2 + L3. Thus, by selecting a different memory size,
1207	  the entropy rate produced by the Jitter RNG can be modified.
1208
1209	config CRYPTO_JITTERENTROPY_MEMSIZE_2
1210		bool "2048 Bytes (default)"
1211
1212	config CRYPTO_JITTERENTROPY_MEMSIZE_128
1213		bool "128 kBytes"
1214
1215	config CRYPTO_JITTERENTROPY_MEMSIZE_1024
1216		bool "1024 kBytes"
1217
1218	config CRYPTO_JITTERENTROPY_MEMSIZE_8192
1219		bool "8192 kBytes"
1220endchoice
1221
1222config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
1223	int
1224	default 64 if CRYPTO_JITTERENTROPY_MEMSIZE_2
1225	default 512 if CRYPTO_JITTERENTROPY_MEMSIZE_128
1226	default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
1227	default 4096 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
1228
1229config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
1230	int
1231	default 32 if CRYPTO_JITTERENTROPY_MEMSIZE_2
1232	default 256 if CRYPTO_JITTERENTROPY_MEMSIZE_128
1233	default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
1234	default 2048 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
1235
1236config CRYPTO_JITTERENTROPY_OSR
1237	int "CPU Jitter RNG Oversampling Rate"
1238	range 1 15
1239	default 3
1240	help
1241	  The Jitter RNG allows the specification of an oversampling rate (OSR).
1242	  The Jitter RNG operation requires a fixed amount of timing
1243	  measurements to produce one output block of random numbers. The
1244	  OSR value is multiplied with the amount of timing measurements to
1245	  generate one output block. Thus, the timing measurement is oversampled
1246	  by the OSR factor. The oversampling allows the Jitter RNG to operate
1247	  on hardware whose timers deliver limited amount of entropy (e.g.
1248	  the timer is coarse) by setting the OSR to a higher value. The
1249	  trade-off, however, is that the Jitter RNG now requires more time
1250	  to generate random numbers.
1251
1252config CRYPTO_JITTERENTROPY_TESTINTERFACE
1253	bool "CPU Jitter RNG Test Interface"
1254	help
1255	  The test interface allows a privileged process to capture
1256	  the raw unconditioned high resolution time stamp noise that
1257	  is collected by the Jitter RNG for statistical analysis. As
1258	  this data is used at the same time to generate random bits,
1259	  the Jitter RNG operates in an insecure mode as long as the
1260	  recording is enabled. This interface therefore is only
1261	  intended for testing purposes and is not suitable for
1262	  production systems.
1263
1264	  The raw noise data can be obtained using the jent_raw_hires
1265	  debugfs file. Using the option
1266	  jitterentropy_testing.boot_raw_hires_test=1 the raw noise of
1267	  the first 1000 entropy events since boot can be sampled.
1268
1269	  If unsure, select N.
1270
1271endif	# if CRYPTO_FIPS && EXPERT
1272
1273if !(CRYPTO_FIPS && EXPERT)
1274
1275config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
1276	int
1277	default 64
1278
1279config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
1280	int
1281	default 32
1282
1283config CRYPTO_JITTERENTROPY_OSR
1284	int
1285	default 1
1286
1287config CRYPTO_JITTERENTROPY_TESTINTERFACE
1288	bool
1289
1290endif	# if !(CRYPTO_FIPS && EXPERT)
1291endif	# if CRYPTO_JITTERENTROPY
1292
1293config CRYPTO_KDF800108_CTR
1294	tristate
1295	select CRYPTO_HMAC
1296	select CRYPTO_SHA256
1297
1298config CRYPTO_DF80090A
1299	tristate
1300	select CRYPTO_AES
1301	select CRYPTO_CTR
1302
1303endmenu
1304menu "Userspace interface"
1305
1306config CRYPTO_USER_API
1307	tristate
1308
1309config CRYPTO_USER_API_HASH
1310	tristate "Hash algorithms"
1311	depends on NET
1312	select CRYPTO_HASH
1313	select CRYPTO_USER_API
1314	help
1315	  Enable the userspace interface for hash algorithms.
1316
1317	  See Documentation/crypto/userspace-if.rst and
1318	  https://www.chronox.de/libkcapi/html/index.html
1319
1320config CRYPTO_USER_API_SKCIPHER
1321	tristate "Symmetric key cipher algorithms"
1322	depends on NET
1323	select CRYPTO_SKCIPHER
1324	select CRYPTO_USER_API
1325	help
1326	  Enable the userspace interface for symmetric key cipher algorithms.
1327
1328	  See Documentation/crypto/userspace-if.rst and
1329	  https://www.chronox.de/libkcapi/html/index.html
1330
1331config CRYPTO_USER_API_RNG
1332	tristate "RNG (random number generator) algorithms"
1333	depends on NET
1334	select CRYPTO_RNG
1335	select CRYPTO_USER_API
1336	help
1337	  Enable the userspace interface for RNG (random number generator)
1338	  algorithms.
1339
1340	  See Documentation/crypto/userspace-if.rst and
1341	  https://www.chronox.de/libkcapi/html/index.html
1342
1343config CRYPTO_USER_API_RNG_CAVP
1344	bool "Enable CAVP testing of DRBG"
1345	depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
1346	help
1347	  Enable extra APIs in the userspace interface for NIST CAVP
1348	  (Cryptographic Algorithm Validation Program) testing:
1349	  - resetting DRBG entropy
1350	  - providing Additional Data
1351
1352	  This should only be enabled for CAVP testing. You should say
1353	  no unless you know what this is.
1354
1355config CRYPTO_USER_API_AEAD
1356	tristate "AEAD cipher algorithms"
1357	depends on NET
1358	select CRYPTO_AEAD
1359	select CRYPTO_SKCIPHER
1360	select CRYPTO_USER_API
1361	help
1362	  Enable the userspace interface for AEAD cipher algorithms.
1363
1364	  See Documentation/crypto/userspace-if.rst and
1365	  https://www.chronox.de/libkcapi/html/index.html
1366
1367config CRYPTO_USER_API_ENABLE_OBSOLETE
1368	bool "Obsolete cryptographic algorithms"
1369	depends on CRYPTO_USER_API
1370	default y
1371	help
1372	  Allow obsolete cryptographic algorithms to be selected that have
1373	  already been phased out from internal use by the kernel, and are
1374	  only useful for userspace clients that still rely on them.
1375
1376endmenu
1377
1378if !KMSAN # avoid false positives from assembly
1379if ARM
1380source "arch/arm/crypto/Kconfig"
1381endif
1382if ARM64
1383source "arch/arm64/crypto/Kconfig"
1384endif
1385if LOONGARCH
1386source "arch/loongarch/crypto/Kconfig"
1387endif
1388if MIPS
1389source "arch/mips/crypto/Kconfig"
1390endif
1391if PPC
1392source "arch/powerpc/crypto/Kconfig"
1393endif
1394if RISCV
1395source "arch/riscv/crypto/Kconfig"
1396endif
1397if S390
1398source "arch/s390/crypto/Kconfig"
1399endif
1400if SPARC
1401source "arch/sparc/crypto/Kconfig"
1402endif
1403if X86
1404source "arch/x86/crypto/Kconfig"
1405endif
1406endif
1407
1408source "drivers/crypto/Kconfig"
1409source "crypto/asymmetric_keys/Kconfig"
1410source "certs/Kconfig"
1411source "crypto/krb5/Kconfig"
1412
1413endif	# if CRYPTO