crypto/Kconfig at v6.11 · tjh.dev/kernel

tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
kernel / crypto / Kconfig
at v6.11 40 kB view raw
   1# SPDX-License-Identifier: GPL-2.0
   2#
   3# Generic algorithms support
   4#
   5config XOR_BLOCKS
   6	tristate
   7
   8#
   9# async_tx api: hardware offloaded memory transfer/transform support
  10#
  11source "crypto/async_tx/Kconfig"
  12
  13#
  14# Cryptographic API Configuration
  15#
  16menuconfig CRYPTO
  17	tristate "Cryptographic API"
  18	select CRYPTO_LIB_UTILS
  19	help
  20	  This option provides the core Cryptographic API.
  21
  22if CRYPTO
  23
  24menu "Crypto core or helper"
  25
  26config CRYPTO_FIPS
  27	bool "FIPS 200 compliance"
  28	depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
  29	depends on (MODULE_SIG || !MODULES)
  30	help
  31	  This option enables the fips boot option which is
  32	  required if you want the system to operate in a FIPS 200
  33	  certification.  You should say no unless you know what
  34	  this is.
  35
  36config CRYPTO_FIPS_NAME
  37	string "FIPS Module Name"
  38	default "Linux Kernel Cryptographic API"
  39	depends on CRYPTO_FIPS
  40	help
  41	  This option sets the FIPS Module name reported by the Crypto API via
  42	  the /proc/sys/crypto/fips_name file.
  43
  44config CRYPTO_FIPS_CUSTOM_VERSION
  45	bool "Use Custom FIPS Module Version"
  46	depends on CRYPTO_FIPS
  47	default n
  48
  49config CRYPTO_FIPS_VERSION
  50	string "FIPS Module Version"
  51	default "(none)"
  52	depends on CRYPTO_FIPS_CUSTOM_VERSION
  53	help
  54	  This option provides the ability to override the FIPS Module Version.
  55	  By default the KERNELRELEASE value is used.
  56
  57config CRYPTO_ALGAPI
  58	tristate
  59	select CRYPTO_ALGAPI2
  60	help
  61	  This option provides the API for cryptographic algorithms.
  62
  63config CRYPTO_ALGAPI2
  64	tristate
  65
  66config CRYPTO_AEAD
  67	tristate
  68	select CRYPTO_AEAD2
  69	select CRYPTO_ALGAPI
  70
  71config CRYPTO_AEAD2
  72	tristate
  73	select CRYPTO_ALGAPI2
  74
  75config CRYPTO_SIG
  76	tristate
  77	select CRYPTO_SIG2
  78	select CRYPTO_ALGAPI
  79
  80config CRYPTO_SIG2
  81	tristate
  82	select CRYPTO_ALGAPI2
  83
  84config CRYPTO_SKCIPHER
  85	tristate
  86	select CRYPTO_SKCIPHER2
  87	select CRYPTO_ALGAPI
  88	select CRYPTO_ECB
  89
  90config CRYPTO_SKCIPHER2
  91	tristate
  92	select CRYPTO_ALGAPI2
  93
  94config CRYPTO_HASH
  95	tristate
  96	select CRYPTO_HASH2
  97	select CRYPTO_ALGAPI
  98
  99config CRYPTO_HASH2
 100	tristate
 101	select CRYPTO_ALGAPI2
 102
 103config CRYPTO_RNG
 104	tristate
 105	select CRYPTO_RNG2
 106	select CRYPTO_ALGAPI
 107
 108config CRYPTO_RNG2
 109	tristate
 110	select CRYPTO_ALGAPI2
 111
 112config CRYPTO_RNG_DEFAULT
 113	tristate
 114	select CRYPTO_DRBG_MENU
 115
 116config CRYPTO_AKCIPHER2
 117	tristate
 118	select CRYPTO_ALGAPI2
 119
 120config CRYPTO_AKCIPHER
 121	tristate
 122	select CRYPTO_AKCIPHER2
 123	select CRYPTO_ALGAPI
 124
 125config CRYPTO_KPP2
 126	tristate
 127	select CRYPTO_ALGAPI2
 128
 129config CRYPTO_KPP
 130	tristate
 131	select CRYPTO_ALGAPI
 132	select CRYPTO_KPP2
 133
 134config CRYPTO_ACOMP2
 135	tristate
 136	select CRYPTO_ALGAPI2
 137	select SGL_ALLOC
 138
 139config CRYPTO_ACOMP
 140	tristate
 141	select CRYPTO_ALGAPI
 142	select CRYPTO_ACOMP2
 143
 144config CRYPTO_MANAGER
 145	tristate "Cryptographic algorithm manager"
 146	select CRYPTO_MANAGER2
 147	help
 148	  Create default cryptographic template instantiations such as
 149	  cbc(aes).
 150
 151config CRYPTO_MANAGER2
 152	def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
 153	select CRYPTO_ACOMP2
 154	select CRYPTO_AEAD2
 155	select CRYPTO_AKCIPHER2
 156	select CRYPTO_SIG2
 157	select CRYPTO_HASH2
 158	select CRYPTO_KPP2
 159	select CRYPTO_RNG2
 160	select CRYPTO_SKCIPHER2
 161
 162config CRYPTO_USER
 163	tristate "Userspace cryptographic algorithm configuration"
 164	depends on NET
 165	select CRYPTO_MANAGER
 166	help
 167	  Userspace configuration for cryptographic instantiations such as
 168	  cbc(aes).
 169
 170config CRYPTO_MANAGER_DISABLE_TESTS
 171	bool "Disable run-time self tests"
 172	default y
 173	help
 174	  Disable run-time self tests that normally take place at
 175	  algorithm registration.
 176
 177config CRYPTO_MANAGER_EXTRA_TESTS
 178	bool "Enable extra run-time crypto self tests"
 179	depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER
 180	help
 181	  Enable extra run-time self tests of registered crypto algorithms,
 182	  including randomized fuzz tests.
 183
 184	  This is intended for developer use only, as these tests take much
 185	  longer to run than the normal self tests.
 186
 187config CRYPTO_NULL
 188	tristate "Null algorithms"
 189	select CRYPTO_NULL2
 190	help
 191	  These are 'Null' algorithms, used by IPsec, which do nothing.
 192
 193config CRYPTO_NULL2
 194	tristate
 195	select CRYPTO_ALGAPI2
 196	select CRYPTO_SKCIPHER2
 197	select CRYPTO_HASH2
 198
 199config CRYPTO_PCRYPT
 200	tristate "Parallel crypto engine"
 201	depends on SMP
 202	select PADATA
 203	select CRYPTO_MANAGER
 204	select CRYPTO_AEAD
 205	help
 206	  This converts an arbitrary crypto algorithm into a parallel
 207	  algorithm that executes in kernel threads.
 208
 209config CRYPTO_CRYPTD
 210	tristate "Software async crypto daemon"
 211	select CRYPTO_SKCIPHER
 212	select CRYPTO_HASH
 213	select CRYPTO_MANAGER
 214	help
 215	  This is a generic software asynchronous crypto daemon that
 216	  converts an arbitrary synchronous software crypto algorithm
 217	  into an asynchronous algorithm that executes in a kernel thread.
 218
 219config CRYPTO_AUTHENC
 220	tristate "Authenc support"
 221	select CRYPTO_AEAD
 222	select CRYPTO_SKCIPHER
 223	select CRYPTO_MANAGER
 224	select CRYPTO_HASH
 225	select CRYPTO_NULL
 226	help
 227	  Authenc: Combined mode wrapper for IPsec.
 228
 229	  This is required for IPSec ESP (XFRM_ESP).
 230
 231config CRYPTO_TEST
 232	tristate "Testing module"
 233	depends on m || EXPERT
 234	select CRYPTO_MANAGER
 235	help
 236	  Quick & dirty crypto test module.
 237
 238config CRYPTO_SIMD
 239	tristate
 240	select CRYPTO_CRYPTD
 241
 242config CRYPTO_ENGINE
 243	tristate
 244
 245endmenu
 246
 247menu "Public-key cryptography"
 248
 249config CRYPTO_RSA
 250	tristate "RSA (Rivest-Shamir-Adleman)"
 251	select CRYPTO_AKCIPHER
 252	select CRYPTO_MANAGER
 253	select MPILIB
 254	select ASN1
 255	help
 256	  RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017)
 257
 258config CRYPTO_DH
 259	tristate "DH (Diffie-Hellman)"
 260	select CRYPTO_KPP
 261	select MPILIB
 262	help
 263	  DH (Diffie-Hellman) key exchange algorithm
 264
 265config CRYPTO_DH_RFC7919_GROUPS
 266	bool "RFC 7919 FFDHE groups"
 267	depends on CRYPTO_DH
 268	select CRYPTO_RNG_DEFAULT
 269	help
 270	  FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups
 271	  defined in RFC7919.
 272
 273	  Support these finite-field groups in DH key exchanges:
 274	  - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
 275
 276	  If unsure, say N.
 277
 278config CRYPTO_ECC
 279	tristate
 280	select CRYPTO_RNG_DEFAULT
 281
 282config CRYPTO_ECDH
 283	tristate "ECDH (Elliptic Curve Diffie-Hellman)"
 284	select CRYPTO_ECC
 285	select CRYPTO_KPP
 286	help
 287	  ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm
 288	  using curves P-192, P-256, and P-384 (FIPS 186)
 289
 290config CRYPTO_ECDSA
 291	tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)"
 292	select CRYPTO_ECC
 293	select CRYPTO_AKCIPHER
 294	select ASN1
 295	help
 296	  ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186,
 297	  ISO/IEC 14888-3)
 298	  using curves P-192, P-256, and P-384
 299
 300	  Only signature verification is implemented.
 301
 302config CRYPTO_ECRDSA
 303	tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)"
 304	select CRYPTO_ECC
 305	select CRYPTO_AKCIPHER
 306	select CRYPTO_STREEBOG
 307	select OID_REGISTRY
 308	select ASN1
 309	help
 310	  Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
 311	  RFC 7091, ISO/IEC 14888-3)
 312
 313	  One of the Russian cryptographic standard algorithms (called GOST
 314	  algorithms). Only signature verification is implemented.
 315
 316config CRYPTO_CURVE25519
 317	tristate "Curve25519"
 318	select CRYPTO_KPP
 319	select CRYPTO_LIB_CURVE25519_GENERIC
 320	help
 321	  Curve25519 elliptic curve (RFC7748)
 322
 323endmenu
 324
 325menu "Block ciphers"
 326
 327config CRYPTO_AES
 328	tristate "AES (Advanced Encryption Standard)"
 329	select CRYPTO_ALGAPI
 330	select CRYPTO_LIB_AES
 331	help
 332	  AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
 333
 334	  Rijndael appears to be consistently a very good performer in
 335	  both hardware and software across a wide range of computing
 336	  environments regardless of its use in feedback or non-feedback
 337	  modes. Its key setup time is excellent, and its key agility is
 338	  good. Rijndael's very low memory requirements make it very well
 339	  suited for restricted-space environments, in which it also
 340	  demonstrates excellent performance. Rijndael's operations are
 341	  among the easiest to defend against power and timing attacks.
 342
 343	  The AES specifies three key sizes: 128, 192 and 256 bits
 344
 345config CRYPTO_AES_TI
 346	tristate "AES (Advanced Encryption Standard) (fixed time)"
 347	select CRYPTO_ALGAPI
 348	select CRYPTO_LIB_AES
 349	help
 350	  AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
 351
 352	  This is a generic implementation of AES that attempts to eliminate
 353	  data dependent latencies as much as possible without affecting
 354	  performance too much. It is intended for use by the generic CCM
 355	  and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
 356	  solely on encryption (although decryption is supported as well, but
 357	  with a more dramatic performance hit)
 358
 359	  Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
 360	  8 for decryption), this implementation only uses just two S-boxes of
 361	  256 bytes each, and attempts to eliminate data dependent latencies by
 362	  prefetching the entire table into the cache at the start of each
 363	  block. Interrupts are also disabled to avoid races where cachelines
 364	  are evicted when the CPU is interrupted to do something else.
 365
 366config CRYPTO_ANUBIS
 367	tristate "Anubis"
 368	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
 369	select CRYPTO_ALGAPI
 370	help
 371	  Anubis cipher algorithm
 372
 373	  Anubis is a variable key length cipher which can use keys from
 374	  128 bits to 320 bits in length.  It was evaluated as a entrant
 375	  in the NESSIE competition.
 376
 377	  See https://web.archive.org/web/20160606112246/http://www.larc.usp.br/~pbarreto/AnubisPage.html
 378	  for further information.
 379
 380config CRYPTO_ARIA
 381	tristate "ARIA"
 382	select CRYPTO_ALGAPI
 383	help
 384	  ARIA cipher algorithm (RFC5794)
 385
 386	  ARIA is a standard encryption algorithm of the Republic of Korea.
 387	  The ARIA specifies three key sizes and rounds.
 388	  128-bit: 12 rounds.
 389	  192-bit: 14 rounds.
 390	  256-bit: 16 rounds.
 391
 392	  See:
 393	  https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do
 394
 395config CRYPTO_BLOWFISH
 396	tristate "Blowfish"
 397	select CRYPTO_ALGAPI
 398	select CRYPTO_BLOWFISH_COMMON
 399	help
 400	  Blowfish cipher algorithm, by Bruce Schneier
 401
 402	  This is a variable key length cipher which can use keys from 32
 403	  bits to 448 bits in length.  It's fast, simple and specifically
 404	  designed for use on "large microprocessors".
 405
 406	  See https://www.schneier.com/blowfish.html for further information.
 407
 408config CRYPTO_BLOWFISH_COMMON
 409	tristate
 410	help
 411	  Common parts of the Blowfish cipher algorithm shared by the
 412	  generic c and the assembler implementations.
 413
 414config CRYPTO_CAMELLIA
 415	tristate "Camellia"
 416	select CRYPTO_ALGAPI
 417	help
 418	  Camellia cipher algorithms (ISO/IEC 18033-3)
 419
 420	  Camellia is a symmetric key block cipher developed jointly
 421	  at NTT and Mitsubishi Electric Corporation.
 422
 423	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
 424
 425	  See https://info.isl.ntt.co.jp/crypt/eng/camellia/ for further information.
 426
 427config CRYPTO_CAST_COMMON
 428	tristate
 429	help
 430	  Common parts of the CAST cipher algorithms shared by the
 431	  generic c and the assembler implementations.
 432
 433config CRYPTO_CAST5
 434	tristate "CAST5 (CAST-128)"
 435	select CRYPTO_ALGAPI
 436	select CRYPTO_CAST_COMMON
 437	help
 438	  CAST5 (CAST-128) cipher algorithm (RFC2144, ISO/IEC 18033-3)
 439
 440config CRYPTO_CAST6
 441	tristate "CAST6 (CAST-256)"
 442	select CRYPTO_ALGAPI
 443	select CRYPTO_CAST_COMMON
 444	help
 445	  CAST6 (CAST-256) encryption algorithm (RFC2612)
 446
 447config CRYPTO_DES
 448	tristate "DES and Triple DES EDE"
 449	select CRYPTO_ALGAPI
 450	select CRYPTO_LIB_DES
 451	help
 452	  DES (Data Encryption Standard)(FIPS 46-2, ISO/IEC 18033-3) and
 453	  Triple DES EDE (Encrypt/Decrypt/Encrypt) (FIPS 46-3, ISO/IEC 18033-3)
 454	  cipher algorithms
 455
 456config CRYPTO_FCRYPT
 457	tristate "FCrypt"
 458	select CRYPTO_ALGAPI
 459	select CRYPTO_SKCIPHER
 460	help
 461	  FCrypt algorithm used by RxRPC
 462
 463	  See https://ota.polyonymo.us/fcrypt-paper.txt
 464
 465config CRYPTO_KHAZAD
 466	tristate "Khazad"
 467	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
 468	select CRYPTO_ALGAPI
 469	help
 470	  Khazad cipher algorithm
 471
 472	  Khazad was a finalist in the initial NESSIE competition.  It is
 473	  an algorithm optimized for 64-bit processors with good performance
 474	  on 32-bit processors.  Khazad uses an 128 bit key size.
 475
 476	  See https://web.archive.org/web/20171011071731/http://www.larc.usp.br/~pbarreto/KhazadPage.html
 477	  for further information.
 478
 479config CRYPTO_SEED
 480	tristate "SEED"
 481	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
 482	select CRYPTO_ALGAPI
 483	help
 484	  SEED cipher algorithm (RFC4269, ISO/IEC 18033-3)
 485
 486	  SEED is a 128-bit symmetric key block cipher that has been
 487	  developed by KISA (Korea Information Security Agency) as a
 488	  national standard encryption algorithm of the Republic of Korea.
 489	  It is a 16 round block cipher with the key size of 128 bit.
 490
 491	  See https://seed.kisa.or.kr/kisa/algorithm/EgovSeedInfo.do
 492	  for further information.
 493
 494config CRYPTO_SERPENT
 495	tristate "Serpent"
 496	select CRYPTO_ALGAPI
 497	help
 498	  Serpent cipher algorithm, by Anderson, Biham & Knudsen
 499
 500	  Keys are allowed to be from 0 to 256 bits in length, in steps
 501	  of 8 bits.
 502
 503	  See https://www.cl.cam.ac.uk/~rja14/serpent.html for further information.
 504
 505config CRYPTO_SM4
 506	tristate
 507
 508config CRYPTO_SM4_GENERIC
 509	tristate "SM4 (ShangMi 4)"
 510	select CRYPTO_ALGAPI
 511	select CRYPTO_SM4
 512	help
 513	  SM4 cipher algorithms (OSCCA GB/T 32907-2016,
 514	  ISO/IEC 18033-3:2010/Amd 1:2021)
 515
 516	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
 517	  Organization of State Commercial Administration of China (OSCCA)
 518	  as an authorized cryptographic algorithms for the use within China.
 519
 520	  SMS4 was originally created for use in protecting wireless
 521	  networks, and is mandated in the Chinese National Standard for
 522	  Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
 523	  (GB.15629.11-2003).
 524
 525	  The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
 526	  standardized through TC 260 of the Standardization Administration
 527	  of the People's Republic of China (SAC).
 528
 529	  The input, output, and key of SMS4 are each 128 bits.
 530
 531	  See https://eprint.iacr.org/2008/329.pdf for further information.
 532
 533	  If unsure, say N.
 534
 535config CRYPTO_TEA
 536	tristate "TEA, XTEA and XETA"
 537	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
 538	select CRYPTO_ALGAPI
 539	help
 540	  TEA (Tiny Encryption Algorithm) cipher algorithms
 541
 542	  Tiny Encryption Algorithm is a simple cipher that uses
 543	  many rounds for security.  It is very fast and uses
 544	  little memory.
 545
 546	  Xtendend Tiny Encryption Algorithm is a modification to
 547	  the TEA algorithm to address a potential key weakness
 548	  in the TEA algorithm.
 549
 550	  Xtendend Encryption Tiny Algorithm is a mis-implementation
 551	  of the XTEA algorithm for compatibility purposes.
 552
 553config CRYPTO_TWOFISH
 554	tristate "Twofish"
 555	select CRYPTO_ALGAPI
 556	select CRYPTO_TWOFISH_COMMON
 557	help
 558	  Twofish cipher algorithm
 559
 560	  Twofish was submitted as an AES (Advanced Encryption Standard)
 561	  candidate cipher by researchers at CounterPane Systems.  It is a
 562	  16 round block cipher supporting key sizes of 128, 192, and 256
 563	  bits.
 564
 565	  See https://www.schneier.com/twofish.html for further information.
 566
 567config CRYPTO_TWOFISH_COMMON
 568	tristate
 569	help
 570	  Common parts of the Twofish cipher algorithm shared by the
 571	  generic c and the assembler implementations.
 572
 573endmenu
 574
 575menu "Length-preserving ciphers and modes"
 576
 577config CRYPTO_ADIANTUM
 578	tristate "Adiantum"
 579	select CRYPTO_CHACHA20
 580	select CRYPTO_LIB_POLY1305_GENERIC
 581	select CRYPTO_NHPOLY1305
 582	select CRYPTO_MANAGER
 583	help
 584	  Adiantum tweakable, length-preserving encryption mode
 585
 586	  Designed for fast and secure disk encryption, especially on
 587	  CPUs without dedicated crypto instructions.  It encrypts
 588	  each sector using the XChaCha12 stream cipher, two passes of
 589	  an ε-almost-∆-universal hash function, and an invocation of
 590	  the AES-256 block cipher on a single 16-byte block.  On CPUs
 591	  without AES instructions, Adiantum is much faster than
 592	  AES-XTS.
 593
 594	  Adiantum's security is provably reducible to that of its
 595	  underlying stream and block ciphers, subject to a security
 596	  bound.  Unlike XTS, Adiantum is a true wide-block encryption
 597	  mode, so it actually provides an even stronger notion of
 598	  security than XTS, subject to the security bound.
 599
 600	  If unsure, say N.
 601
 602config CRYPTO_ARC4
 603	tristate "ARC4 (Alleged Rivest Cipher 4)"
 604	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
 605	select CRYPTO_SKCIPHER
 606	select CRYPTO_LIB_ARC4
 607	help
 608	  ARC4 cipher algorithm
 609
 610	  ARC4 is a stream cipher using keys ranging from 8 bits to 2048
 611	  bits in length.  This algorithm is required for driver-based
 612	  WEP, but it should not be for other purposes because of the
 613	  weakness of the algorithm.
 614
 615config CRYPTO_CHACHA20
 616	tristate "ChaCha"
 617	select CRYPTO_LIB_CHACHA_GENERIC
 618	select CRYPTO_SKCIPHER
 619	help
 620	  The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms
 621
 622	  ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
 623	  Bernstein and further specified in RFC7539 for use in IETF protocols.
 624	  This is the portable C implementation of ChaCha20.  See
 625	  https://cr.yp.to/chacha/chacha-20080128.pdf for further information.
 626
 627	  XChaCha20 is the application of the XSalsa20 construction to ChaCha20
 628	  rather than to Salsa20.  XChaCha20 extends ChaCha20's nonce length
 629	  from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
 630	  while provably retaining ChaCha20's security.  See
 631	  https://cr.yp.to/snuffle/xsalsa-20081128.pdf for further information.
 632
 633	  XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
 634	  reduced security margin but increased performance.  It can be needed
 635	  in some performance-sensitive scenarios.
 636
 637config CRYPTO_CBC
 638	tristate "CBC (Cipher Block Chaining)"
 639	select CRYPTO_SKCIPHER
 640	select CRYPTO_MANAGER
 641	help
 642	  CBC (Cipher Block Chaining) mode (NIST SP800-38A)
 643
 644	  This block cipher mode is required for IPSec ESP (XFRM_ESP).
 645
 646config CRYPTO_CTR
 647	tristate "CTR (Counter)"
 648	select CRYPTO_SKCIPHER
 649	select CRYPTO_MANAGER
 650	help
 651	  CTR (Counter) mode (NIST SP800-38A)
 652
 653config CRYPTO_CTS
 654	tristate "CTS (Cipher Text Stealing)"
 655	select CRYPTO_SKCIPHER
 656	select CRYPTO_MANAGER
 657	help
 658	  CBC-CS3 variant of CTS (Cipher Text Stealing) (NIST
 659	  Addendum to SP800-38A (October 2010))
 660
 661	  This mode is required for Kerberos gss mechanism support
 662	  for AES encryption.
 663
 664config CRYPTO_ECB
 665	tristate "ECB (Electronic Codebook)"
 666	select CRYPTO_SKCIPHER2
 667	select CRYPTO_MANAGER
 668	help
 669	  ECB (Electronic Codebook) mode (NIST SP800-38A)
 670
 671config CRYPTO_HCTR2
 672	tristate "HCTR2"
 673	select CRYPTO_XCTR
 674	select CRYPTO_POLYVAL
 675	select CRYPTO_MANAGER
 676	help
 677	  HCTR2 length-preserving encryption mode
 678
 679	  A mode for storage encryption that is efficient on processors with
 680	  instructions to accelerate AES and carryless multiplication, e.g.
 681	  x86 processors with AES-NI and CLMUL, and ARM processors with the
 682	  ARMv8 crypto extensions.
 683
 684	  See https://eprint.iacr.org/2021/1441
 685
 686config CRYPTO_KEYWRAP
 687	tristate "KW (AES Key Wrap)"
 688	select CRYPTO_SKCIPHER
 689	select CRYPTO_MANAGER
 690	help
 691	  KW (AES Key Wrap) authenticated encryption mode (NIST SP800-38F
 692	  and RFC3394) without padding.
 693
 694config CRYPTO_LRW
 695	tristate "LRW (Liskov Rivest Wagner)"
 696	select CRYPTO_LIB_GF128MUL
 697	select CRYPTO_SKCIPHER
 698	select CRYPTO_MANAGER
 699	select CRYPTO_ECB
 700	help
 701	  LRW (Liskov Rivest Wagner) mode
 702
 703	  A tweakable, non malleable, non movable
 704	  narrow block cipher mode for dm-crypt.  Use it with cipher
 705	  specification string aes-lrw-benbi, the key must be 256, 320 or 384.
 706	  The first 128, 192 or 256 bits in the key are used for AES and the
 707	  rest is used to tie each cipher block to its logical position.
 708
 709	  See https://people.csail.mit.edu/rivest/pubs/LRW02.pdf
 710
 711config CRYPTO_PCBC
 712	tristate "PCBC (Propagating Cipher Block Chaining)"
 713	select CRYPTO_SKCIPHER
 714	select CRYPTO_MANAGER
 715	help
 716	  PCBC (Propagating Cipher Block Chaining) mode
 717
 718	  This block cipher mode is required for RxRPC.
 719
 720config CRYPTO_XCTR
 721	tristate
 722	select CRYPTO_SKCIPHER
 723	select CRYPTO_MANAGER
 724	help
 725	  XCTR (XOR Counter) mode for HCTR2
 726
 727	  This blockcipher mode is a variant of CTR mode using XORs and little-endian
 728	  addition rather than big-endian arithmetic.
 729
 730	  XCTR mode is used to implement HCTR2.
 731
 732config CRYPTO_XTS
 733	tristate "XTS (XOR Encrypt XOR with ciphertext stealing)"
 734	select CRYPTO_SKCIPHER
 735	select CRYPTO_MANAGER
 736	select CRYPTO_ECB
 737	help
 738	  XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
 739	  and IEEE 1619)
 740
 741	  Use with aes-xts-plain, key size 256, 384 or 512 bits. This
 742	  implementation currently can't handle a sectorsize which is not a
 743	  multiple of 16 bytes.
 744
 745config CRYPTO_NHPOLY1305
 746	tristate
 747	select CRYPTO_HASH
 748	select CRYPTO_LIB_POLY1305_GENERIC
 749
 750endmenu
 751
 752menu "AEAD (authenticated encryption with associated data) ciphers"
 753
 754config CRYPTO_AEGIS128
 755	tristate "AEGIS-128"
 756	select CRYPTO_AEAD
 757	select CRYPTO_AES  # for AES S-box tables
 758	help
 759	  AEGIS-128 AEAD algorithm
 760
 761config CRYPTO_AEGIS128_SIMD
 762	bool "AEGIS-128 (arm NEON, arm64 NEON)"
 763	depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
 764	default y
 765	help
 766	  AEGIS-128 AEAD algorithm
 767
 768	  Architecture: arm or arm64 using:
 769	  - NEON (Advanced SIMD) extension
 770
 771config CRYPTO_CHACHA20POLY1305
 772	tristate "ChaCha20-Poly1305"
 773	select CRYPTO_CHACHA20
 774	select CRYPTO_POLY1305
 775	select CRYPTO_AEAD
 776	select CRYPTO_MANAGER
 777	help
 778	  ChaCha20 stream cipher and Poly1305 authenticator combined
 779	  mode (RFC8439)
 780
 781config CRYPTO_CCM
 782	tristate "CCM (Counter with Cipher Block Chaining-MAC)"
 783	select CRYPTO_CTR
 784	select CRYPTO_HASH
 785	select CRYPTO_AEAD
 786	select CRYPTO_MANAGER
 787	help
 788	  CCM (Counter with Cipher Block Chaining-Message Authentication Code)
 789	  authenticated encryption mode (NIST SP800-38C)
 790
 791config CRYPTO_GCM
 792	tristate "GCM (Galois/Counter Mode) and GMAC (GCM MAC)"
 793	select CRYPTO_CTR
 794	select CRYPTO_AEAD
 795	select CRYPTO_GHASH
 796	select CRYPTO_NULL
 797	select CRYPTO_MANAGER
 798	help
 799	  GCM (Galois/Counter Mode) authenticated encryption mode and GMAC
 800	  (GCM Message Authentication Code) (NIST SP800-38D)
 801
 802	  This is required for IPSec ESP (XFRM_ESP).
 803
 804config CRYPTO_GENIV
 805	tristate
 806	select CRYPTO_AEAD
 807	select CRYPTO_NULL
 808	select CRYPTO_MANAGER
 809	select CRYPTO_RNG_DEFAULT
 810
 811config CRYPTO_SEQIV
 812	tristate "Sequence Number IV Generator"
 813	select CRYPTO_GENIV
 814	help
 815	  Sequence Number IV generator
 816
 817	  This IV generator generates an IV based on a sequence number by
 818	  xoring it with a salt.  This algorithm is mainly useful for CTR.
 819
 820	  This is required for IPsec ESP (XFRM_ESP).
 821
 822config CRYPTO_ECHAINIV
 823	tristate "Encrypted Chain IV Generator"
 824	select CRYPTO_GENIV
 825	help
 826	  Encrypted Chain IV generator
 827
 828	  This IV generator generates an IV based on the encryption of
 829	  a sequence number xored with a salt.  This is the default
 830	  algorithm for CBC.
 831
 832config CRYPTO_ESSIV
 833	tristate "Encrypted Salt-Sector IV Generator"
 834	select CRYPTO_AUTHENC
 835	help
 836	  Encrypted Salt-Sector IV generator
 837
 838	  This IV generator is used in some cases by fscrypt and/or
 839	  dm-crypt. It uses the hash of the block encryption key as the
 840	  symmetric key for a block encryption pass applied to the input
 841	  IV, making low entropy IV sources more suitable for block
 842	  encryption.
 843
 844	  This driver implements a crypto API template that can be
 845	  instantiated either as an skcipher or as an AEAD (depending on the
 846	  type of the first template argument), and which defers encryption
 847	  and decryption requests to the encapsulated cipher after applying
 848	  ESSIV to the input IV. Note that in the AEAD case, it is assumed
 849	  that the keys are presented in the same format used by the authenc
 850	  template, and that the IV appears at the end of the authenticated
 851	  associated data (AAD) region (which is how dm-crypt uses it.)
 852
 853	  Note that the use of ESSIV is not recommended for new deployments,
 854	  and so this only needs to be enabled when interoperability with
 855	  existing encrypted volumes of filesystems is required, or when
 856	  building for a particular system that requires it (e.g., when
 857	  the SoC in question has accelerated CBC but not XTS, making CBC
 858	  combined with ESSIV the only feasible mode for h/w accelerated
 859	  block encryption)
 860
 861endmenu
 862
 863menu "Hashes, digests, and MACs"
 864
 865config CRYPTO_BLAKE2B
 866	tristate "BLAKE2b"
 867	select CRYPTO_HASH
 868	help
 869	  BLAKE2b cryptographic hash function (RFC 7693)
 870
 871	  BLAKE2b is optimized for 64-bit platforms and can produce digests
 872	  of any size between 1 and 64 bytes. The keyed hash is also implemented.
 873
 874	  This module provides the following algorithms:
 875	  - blake2b-160
 876	  - blake2b-256
 877	  - blake2b-384
 878	  - blake2b-512
 879
 880	  Used by the btrfs filesystem.
 881
 882	  See https://blake2.net for further information.
 883
 884config CRYPTO_CMAC
 885	tristate "CMAC (Cipher-based MAC)"
 886	select CRYPTO_HASH
 887	select CRYPTO_MANAGER
 888	help
 889	  CMAC (Cipher-based Message Authentication Code) authentication
 890	  mode (NIST SP800-38B and IETF RFC4493)
 891
 892config CRYPTO_GHASH
 893	tristate "GHASH"
 894	select CRYPTO_HASH
 895	select CRYPTO_LIB_GF128MUL
 896	help
 897	  GCM GHASH function (NIST SP800-38D)
 898
 899config CRYPTO_HMAC
 900	tristate "HMAC (Keyed-Hash MAC)"
 901	select CRYPTO_HASH
 902	select CRYPTO_MANAGER
 903	help
 904	  HMAC (Keyed-Hash Message Authentication Code) (FIPS 198 and
 905	  RFC2104)
 906
 907	  This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
 908
 909config CRYPTO_MD4
 910	tristate "MD4"
 911	select CRYPTO_HASH
 912	help
 913	  MD4 message digest algorithm (RFC1320)
 914
 915config CRYPTO_MD5
 916	tristate "MD5"
 917	select CRYPTO_HASH
 918	help
 919	  MD5 message digest algorithm (RFC1321)
 920
 921config CRYPTO_MICHAEL_MIC
 922	tristate "Michael MIC"
 923	select CRYPTO_HASH
 924	help
 925	  Michael MIC (Message Integrity Code) (IEEE 802.11i)
 926
 927	  Defined by the IEEE 802.11i TKIP (Temporal Key Integrity Protocol),
 928	  known as WPA (Wif-Fi Protected Access).
 929
 930	  This algorithm is required for TKIP, but it should not be used for
 931	  other purposes because of the weakness of the algorithm.
 932
 933config CRYPTO_POLYVAL
 934	tristate
 935	select CRYPTO_HASH
 936	select CRYPTO_LIB_GF128MUL
 937	help
 938	  POLYVAL hash function for HCTR2
 939
 940	  This is used in HCTR2.  It is not a general-purpose
 941	  cryptographic hash function.
 942
 943config CRYPTO_POLY1305
 944	tristate "Poly1305"
 945	select CRYPTO_HASH
 946	select CRYPTO_LIB_POLY1305_GENERIC
 947	help
 948	  Poly1305 authenticator algorithm (RFC7539)
 949
 950	  Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
 951	  It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
 952	  in IETF protocols. This is the portable C implementation of Poly1305.
 953
 954config CRYPTO_RMD160
 955	tristate "RIPEMD-160"
 956	select CRYPTO_HASH
 957	help
 958	  RIPEMD-160 hash function (ISO/IEC 10118-3)
 959
 960	  RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
 961	  to be used as a secure replacement for the 128-bit hash functions
 962	  MD4, MD5 and its predecessor RIPEMD
 963	  (not to be confused with RIPEMD-128).
 964
 965	  Its speed is comparable to SHA-1 and there are no known attacks
 966	  against RIPEMD-160.
 967
 968	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
 969	  See https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
 970	  for further information.
 971
 972config CRYPTO_SHA1
 973	tristate "SHA-1"
 974	select CRYPTO_HASH
 975	select CRYPTO_LIB_SHA1
 976	help
 977	  SHA-1 secure hash algorithm (FIPS 180, ISO/IEC 10118-3)
 978
 979config CRYPTO_SHA256
 980	tristate "SHA-224 and SHA-256"
 981	select CRYPTO_HASH
 982	select CRYPTO_LIB_SHA256
 983	help
 984	  SHA-224 and SHA-256 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
 985
 986	  This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
 987	  Used by the btrfs filesystem, Ceph, NFS, and SMB.
 988
 989config CRYPTO_SHA512
 990	tristate "SHA-384 and SHA-512"
 991	select CRYPTO_HASH
 992	help
 993	  SHA-384 and SHA-512 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
 994
 995config CRYPTO_SHA3
 996	tristate "SHA-3"
 997	select CRYPTO_HASH
 998	help
 999	  SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3)
1000
1001config CRYPTO_SM3
1002	tristate
1003
1004config CRYPTO_SM3_GENERIC
1005	tristate "SM3 (ShangMi 3)"
1006	select CRYPTO_HASH
1007	select CRYPTO_SM3
1008	help
1009	  SM3 (ShangMi 3) secure hash function (OSCCA GM/T 0004-2012, ISO/IEC 10118-3)
1010
1011	  This is part of the Chinese Commercial Cryptography suite.
1012
1013	  References:
1014	  http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
1015	  https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
1016
1017config CRYPTO_STREEBOG
1018	tristate "Streebog"
1019	select CRYPTO_HASH
1020	help
1021	  Streebog Hash Function (GOST R 34.11-2012, RFC 6986, ISO/IEC 10118-3)
1022
1023	  This is one of the Russian cryptographic standard algorithms (called
1024	  GOST algorithms). This setting enables two hash algorithms with
1025	  256 and 512 bits output.
1026
1027	  References:
1028	  https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1029	  https://tools.ietf.org/html/rfc6986
1030
1031config CRYPTO_VMAC
1032	tristate "VMAC"
1033	select CRYPTO_HASH
1034	select CRYPTO_MANAGER
1035	help
1036	  VMAC is a message authentication algorithm designed for
1037	  very high speed on 64-bit architectures.
1038
1039	  See https://fastcrypto.org/vmac for further information.
1040
1041config CRYPTO_WP512
1042	tristate "Whirlpool"
1043	select CRYPTO_HASH
1044	help
1045	  Whirlpool hash function (ISO/IEC 10118-3)
1046
1047	  512, 384 and 256-bit hashes.
1048
1049	  Whirlpool-512 is part of the NESSIE cryptographic primitives.
1050
1051	  See https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
1052	  for further information.
1053
1054config CRYPTO_XCBC
1055	tristate "XCBC-MAC (Extended Cipher Block Chaining MAC)"
1056	select CRYPTO_HASH
1057	select CRYPTO_MANAGER
1058	help
1059	  XCBC-MAC (Extended Cipher Block Chaining Message Authentication
1060	  Code) (RFC3566)
1061
1062config CRYPTO_XXHASH
1063	tristate "xxHash"
1064	select CRYPTO_HASH
1065	select XXHASH
1066	help
1067	  xxHash non-cryptographic hash algorithm
1068
1069	  Extremely fast, working at speeds close to RAM limits.
1070
1071	  Used by the btrfs filesystem.
1072
1073endmenu
1074
1075menu "CRCs (cyclic redundancy checks)"
1076
1077config CRYPTO_CRC32C
1078	tristate "CRC32c"
1079	select CRYPTO_HASH
1080	select CRC32
1081	help
1082	  CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720)
1083
1084	  A 32-bit CRC (cyclic redundancy check) with a polynomial defined
1085	  by G. Castagnoli, S. Braeuer and M. Herrman in "Optimization of Cyclic
1086	  Redundancy-Check Codes with 24 and 32 Parity Bits", IEEE Transactions
1087	  on Communications, Vol. 41, No. 6, June 1993, selected for use with
1088	  iSCSI.
1089
1090	  Used by btrfs, ext4, jbd2, NVMeoF/TCP, and iSCSI.
1091
1092config CRYPTO_CRC32
1093	tristate "CRC32"
1094	select CRYPTO_HASH
1095	select CRC32
1096	help
1097	  CRC32 CRC algorithm (IEEE 802.3)
1098
1099	  Used by RoCEv2 and f2fs.
1100
1101config CRYPTO_CRCT10DIF
1102	tristate "CRCT10DIF"
1103	select CRYPTO_HASH
1104	help
1105	  CRC16 CRC algorithm used for the T10 (SCSI) Data Integrity Field (DIF)
1106
1107	  CRC algorithm used by the SCSI Block Commands standard.
1108
1109config CRYPTO_CRC64_ROCKSOFT
1110	tristate "CRC64 based on Rocksoft Model algorithm"
1111	depends on CRC64
1112	select CRYPTO_HASH
1113	help
1114	  CRC64 CRC algorithm based on the Rocksoft Model CRC Algorithm
1115
1116	  Used by the NVMe implementation of T10 DIF (BLK_DEV_INTEGRITY)
1117
1118	  See https://zlib.net/crc_v3.txt
1119
1120endmenu
1121
1122menu "Compression"
1123
1124config CRYPTO_DEFLATE
1125	tristate "Deflate"
1126	select CRYPTO_ALGAPI
1127	select CRYPTO_ACOMP2
1128	select ZLIB_INFLATE
1129	select ZLIB_DEFLATE
1130	help
1131	  Deflate compression algorithm (RFC1951)
1132
1133	  Used by IPSec with the IPCOMP protocol (RFC3173, RFC2394)
1134
1135config CRYPTO_LZO
1136	tristate "LZO"
1137	select CRYPTO_ALGAPI
1138	select CRYPTO_ACOMP2
1139	select LZO_COMPRESS
1140	select LZO_DECOMPRESS
1141	help
1142	  LZO compression algorithm
1143
1144	  See https://www.oberhumer.com/opensource/lzo/ for further information.
1145
1146config CRYPTO_842
1147	tristate "842"
1148	select CRYPTO_ALGAPI
1149	select CRYPTO_ACOMP2
1150	select 842_COMPRESS
1151	select 842_DECOMPRESS
1152	help
1153	  842 compression algorithm by IBM
1154
1155	  See https://github.com/plauth/lib842 for further information.
1156
1157config CRYPTO_LZ4
1158	tristate "LZ4"
1159	select CRYPTO_ALGAPI
1160	select CRYPTO_ACOMP2
1161	select LZ4_COMPRESS
1162	select LZ4_DECOMPRESS
1163	help
1164	  LZ4 compression algorithm
1165
1166	  See https://github.com/lz4/lz4 for further information.
1167
1168config CRYPTO_LZ4HC
1169	tristate "LZ4HC"
1170	select CRYPTO_ALGAPI
1171	select CRYPTO_ACOMP2
1172	select LZ4HC_COMPRESS
1173	select LZ4_DECOMPRESS
1174	help
1175	  LZ4 high compression mode algorithm
1176
1177	  See https://github.com/lz4/lz4 for further information.
1178
1179config CRYPTO_ZSTD
1180	tristate "Zstd"
1181	select CRYPTO_ALGAPI
1182	select CRYPTO_ACOMP2
1183	select ZSTD_COMPRESS
1184	select ZSTD_DECOMPRESS
1185	help
1186	  zstd compression algorithm
1187
1188	  See https://github.com/facebook/zstd for further information.
1189
1190endmenu
1191
1192menu "Random number generation"
1193
1194config CRYPTO_ANSI_CPRNG
1195	tristate "ANSI PRNG (Pseudo Random Number Generator)"
1196	select CRYPTO_AES
1197	select CRYPTO_RNG
1198	help
1199	  Pseudo RNG (random number generator) (ANSI X9.31 Appendix A.2.4)
1200
1201	  This uses the AES cipher algorithm.
1202
1203	  Note that this option must be enabled if CRYPTO_FIPS is selected
1204
1205menuconfig CRYPTO_DRBG_MENU
1206	tristate "NIST SP800-90A DRBG (Deterministic Random Bit Generator)"
1207	help
1208	  DRBG (Deterministic Random Bit Generator) (NIST SP800-90A)
1209
1210	  In the following submenu, one or more of the DRBG types must be selected.
1211
1212if CRYPTO_DRBG_MENU
1213
1214config CRYPTO_DRBG_HMAC
1215	bool
1216	default y
1217	select CRYPTO_HMAC
1218	select CRYPTO_SHA512
1219
1220config CRYPTO_DRBG_HASH
1221	bool "Hash_DRBG"
1222	select CRYPTO_SHA256
1223	help
1224	  Hash_DRBG variant as defined in NIST SP800-90A.
1225
1226	  This uses the SHA-1, SHA-256, SHA-384, or SHA-512 hash algorithms.
1227
1228config CRYPTO_DRBG_CTR
1229	bool "CTR_DRBG"
1230	select CRYPTO_AES
1231	select CRYPTO_CTR
1232	help
1233	  CTR_DRBG variant as defined in NIST SP800-90A.
1234
1235	  This uses the AES cipher algorithm with the counter block mode.
1236
1237config CRYPTO_DRBG
1238	tristate
1239	default CRYPTO_DRBG_MENU
1240	select CRYPTO_RNG
1241	select CRYPTO_JITTERENTROPY
1242
1243endif	# if CRYPTO_DRBG_MENU
1244
1245config CRYPTO_JITTERENTROPY
1246	tristate "CPU Jitter Non-Deterministic RNG (Random Number Generator)"
1247	select CRYPTO_RNG
1248	select CRYPTO_SHA3
1249	help
1250	  CPU Jitter RNG (Random Number Generator) from the Jitterentropy library
1251
1252	  A non-physical non-deterministic ("true") RNG (e.g., an entropy source
1253	  compliant with NIST SP800-90B) intended to provide a seed to a
1254	  deterministic RNG (e.g., per NIST SP800-90C).
1255	  This RNG does not perform any cryptographic whitening of the generated
1256	  random numbers.
1257
1258	  See https://www.chronox.de/jent/
1259
1260if CRYPTO_JITTERENTROPY
1261if CRYPTO_FIPS && EXPERT
1262
1263choice
1264	prompt "CPU Jitter RNG Memory Size"
1265	default CRYPTO_JITTERENTROPY_MEMSIZE_2
1266	help
1267	  The Jitter RNG measures the execution time of memory accesses.
1268	  Multiple consecutive memory accesses are performed. If the memory
1269	  size fits into a cache (e.g. L1), only the memory access timing
1270	  to that cache is measured. The closer the cache is to the CPU
1271	  the less variations are measured and thus the less entropy is
1272	  obtained. Thus, if the memory size fits into the L1 cache, the
1273	  obtained entropy is less than if the memory size fits within
1274	  L1 + L2, which in turn is less if the memory fits into
1275	  L1 + L2 + L3. Thus, by selecting a different memory size,
1276	  the entropy rate produced by the Jitter RNG can be modified.
1277
1278	config CRYPTO_JITTERENTROPY_MEMSIZE_2
1279		bool "2048 Bytes (default)"
1280
1281	config CRYPTO_JITTERENTROPY_MEMSIZE_128
1282		bool "128 kBytes"
1283
1284	config CRYPTO_JITTERENTROPY_MEMSIZE_1024
1285		bool "1024 kBytes"
1286
1287	config CRYPTO_JITTERENTROPY_MEMSIZE_8192
1288		bool "8192 kBytes"
1289endchoice
1290
1291config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
1292	int
1293	default 64 if CRYPTO_JITTERENTROPY_MEMSIZE_2
1294	default 512 if CRYPTO_JITTERENTROPY_MEMSIZE_128
1295	default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
1296	default 4096 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
1297
1298config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
1299	int
1300	default 32 if CRYPTO_JITTERENTROPY_MEMSIZE_2
1301	default 256 if CRYPTO_JITTERENTROPY_MEMSIZE_128
1302	default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
1303	default 2048 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
1304
1305config CRYPTO_JITTERENTROPY_OSR
1306	int "CPU Jitter RNG Oversampling Rate"
1307	range 1 15
1308	default 1
1309	help
1310	  The Jitter RNG allows the specification of an oversampling rate (OSR).
1311	  The Jitter RNG operation requires a fixed amount of timing
1312	  measurements to produce one output block of random numbers. The
1313	  OSR value is multiplied with the amount of timing measurements to
1314	  generate one output block. Thus, the timing measurement is oversampled
1315	  by the OSR factor. The oversampling allows the Jitter RNG to operate
1316	  on hardware whose timers deliver limited amount of entropy (e.g.
1317	  the timer is coarse) by setting the OSR to a higher value. The
1318	  trade-off, however, is that the Jitter RNG now requires more time
1319	  to generate random numbers.
1320
1321config CRYPTO_JITTERENTROPY_TESTINTERFACE
1322	bool "CPU Jitter RNG Test Interface"
1323	help
1324	  The test interface allows a privileged process to capture
1325	  the raw unconditioned high resolution time stamp noise that
1326	  is collected by the Jitter RNG for statistical analysis. As
1327	  this data is used at the same time to generate random bits,
1328	  the Jitter RNG operates in an insecure mode as long as the
1329	  recording is enabled. This interface therefore is only
1330	  intended for testing purposes and is not suitable for
1331	  production systems.
1332
1333	  The raw noise data can be obtained using the jent_raw_hires
1334	  debugfs file. Using the option
1335	  jitterentropy_testing.boot_raw_hires_test=1 the raw noise of
1336	  the first 1000 entropy events since boot can be sampled.
1337
1338	  If unsure, select N.
1339
1340endif	# if CRYPTO_FIPS && EXPERT
1341
1342if !(CRYPTO_FIPS && EXPERT)
1343
1344config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
1345	int
1346	default 64
1347
1348config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
1349	int
1350	default 32
1351
1352config CRYPTO_JITTERENTROPY_OSR
1353	int
1354	default 1
1355
1356config CRYPTO_JITTERENTROPY_TESTINTERFACE
1357	bool
1358
1359endif	# if !(CRYPTO_FIPS && EXPERT)
1360endif	# if CRYPTO_JITTERENTROPY
1361
1362config CRYPTO_KDF800108_CTR
1363	tristate
1364	select CRYPTO_HMAC
1365	select CRYPTO_SHA256
1366
1367endmenu
1368menu "Userspace interface"
1369
1370config CRYPTO_USER_API
1371	tristate
1372
1373config CRYPTO_USER_API_HASH
1374	tristate "Hash algorithms"
1375	depends on NET
1376	select CRYPTO_HASH
1377	select CRYPTO_USER_API
1378	help
1379	  Enable the userspace interface for hash algorithms.
1380
1381	  See Documentation/crypto/userspace-if.rst and
1382	  https://www.chronox.de/libkcapi/html/index.html
1383
1384config CRYPTO_USER_API_SKCIPHER
1385	tristate "Symmetric key cipher algorithms"
1386	depends on NET
1387	select CRYPTO_SKCIPHER
1388	select CRYPTO_USER_API
1389	help
1390	  Enable the userspace interface for symmetric key cipher algorithms.
1391
1392	  See Documentation/crypto/userspace-if.rst and
1393	  https://www.chronox.de/libkcapi/html/index.html
1394
1395config CRYPTO_USER_API_RNG
1396	tristate "RNG (random number generator) algorithms"
1397	depends on NET
1398	select CRYPTO_RNG
1399	select CRYPTO_USER_API
1400	help
1401	  Enable the userspace interface for RNG (random number generator)
1402	  algorithms.
1403
1404	  See Documentation/crypto/userspace-if.rst and
1405	  https://www.chronox.de/libkcapi/html/index.html
1406
1407config CRYPTO_USER_API_RNG_CAVP
1408	bool "Enable CAVP testing of DRBG"
1409	depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
1410	help
1411	  Enable extra APIs in the userspace interface for NIST CAVP
1412	  (Cryptographic Algorithm Validation Program) testing:
1413	  - resetting DRBG entropy
1414	  - providing Additional Data
1415
1416	  This should only be enabled for CAVP testing. You should say
1417	  no unless you know what this is.
1418
1419config CRYPTO_USER_API_AEAD
1420	tristate "AEAD cipher algorithms"
1421	depends on NET
1422	select CRYPTO_AEAD
1423	select CRYPTO_SKCIPHER
1424	select CRYPTO_NULL
1425	select CRYPTO_USER_API
1426	help
1427	  Enable the userspace interface for AEAD cipher algorithms.
1428
1429	  See Documentation/crypto/userspace-if.rst and
1430	  https://www.chronox.de/libkcapi/html/index.html
1431
1432config CRYPTO_USER_API_ENABLE_OBSOLETE
1433	bool "Obsolete cryptographic algorithms"
1434	depends on CRYPTO_USER_API
1435	default y
1436	help
1437	  Allow obsolete cryptographic algorithms to be selected that have
1438	  already been phased out from internal use by the kernel, and are
1439	  only useful for userspace clients that still rely on them.
1440
1441endmenu
1442
1443config CRYPTO_HASH_INFO
1444	bool
1445
1446if !KMSAN # avoid false positives from assembly
1447if ARM
1448source "arch/arm/crypto/Kconfig"
1449endif
1450if ARM64
1451source "arch/arm64/crypto/Kconfig"
1452endif
1453if LOONGARCH
1454source "arch/loongarch/crypto/Kconfig"
1455endif
1456if MIPS
1457source "arch/mips/crypto/Kconfig"
1458endif
1459if PPC
1460source "arch/powerpc/crypto/Kconfig"
1461endif
1462if RISCV
1463source "arch/riscv/crypto/Kconfig"
1464endif
1465if S390
1466source "arch/s390/crypto/Kconfig"
1467endif
1468if SPARC
1469source "arch/sparc/crypto/Kconfig"
1470endif
1471if X86
1472source "arch/x86/crypto/Kconfig"
1473endif
1474endif
1475
1476source "drivers/crypto/Kconfig"
1477source "crypto/asymmetric_keys/Kconfig"
1478source "certs/Kconfig"
1479
1480endif	# if CRYPTO