crypto/Kconfig at v6.14 · tjh.dev/kernel

tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
kernel / crypto / Kconfig
at v6.14 39 kB view raw
   1# SPDX-License-Identifier: GPL-2.0
   2#
   3# Generic algorithms support
   4#
   5config XOR_BLOCKS
   6	tristate
   7
   8#
   9# async_tx api: hardware offloaded memory transfer/transform support
  10#
  11source "crypto/async_tx/Kconfig"
  12
  13#
  14# Cryptographic API Configuration
  15#
  16menuconfig CRYPTO
  17	tristate "Cryptographic API"
  18	select CRYPTO_LIB_UTILS
  19	help
  20	  This option provides the core Cryptographic API.
  21
  22if CRYPTO
  23
  24menu "Crypto core or helper"
  25
  26config CRYPTO_FIPS
  27	bool "FIPS 200 compliance"
  28	depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
  29	depends on (MODULE_SIG || !MODULES)
  30	help
  31	  This option enables the fips boot option which is
  32	  required if you want the system to operate in a FIPS 200
  33	  certification.  You should say no unless you know what
  34	  this is.
  35
  36config CRYPTO_FIPS_NAME
  37	string "FIPS Module Name"
  38	default "Linux Kernel Cryptographic API"
  39	depends on CRYPTO_FIPS
  40	help
  41	  This option sets the FIPS Module name reported by the Crypto API via
  42	  the /proc/sys/crypto/fips_name file.
  43
  44config CRYPTO_FIPS_CUSTOM_VERSION
  45	bool "Use Custom FIPS Module Version"
  46	depends on CRYPTO_FIPS
  47	default n
  48
  49config CRYPTO_FIPS_VERSION
  50	string "FIPS Module Version"
  51	default "(none)"
  52	depends on CRYPTO_FIPS_CUSTOM_VERSION
  53	help
  54	  This option provides the ability to override the FIPS Module Version.
  55	  By default the KERNELRELEASE value is used.
  56
  57config CRYPTO_ALGAPI
  58	tristate
  59	select CRYPTO_ALGAPI2
  60	help
  61	  This option provides the API for cryptographic algorithms.
  62
  63config CRYPTO_ALGAPI2
  64	tristate
  65
  66config CRYPTO_AEAD
  67	tristate
  68	select CRYPTO_AEAD2
  69	select CRYPTO_ALGAPI
  70
  71config CRYPTO_AEAD2
  72	tristate
  73	select CRYPTO_ALGAPI2
  74
  75config CRYPTO_SIG
  76	tristate
  77	select CRYPTO_SIG2
  78	select CRYPTO_ALGAPI
  79
  80config CRYPTO_SIG2
  81	tristate
  82	select CRYPTO_ALGAPI2
  83
  84config CRYPTO_SKCIPHER
  85	tristate
  86	select CRYPTO_SKCIPHER2
  87	select CRYPTO_ALGAPI
  88	select CRYPTO_ECB
  89
  90config CRYPTO_SKCIPHER2
  91	tristate
  92	select CRYPTO_ALGAPI2
  93
  94config CRYPTO_HASH
  95	tristate
  96	select CRYPTO_HASH2
  97	select CRYPTO_ALGAPI
  98
  99config CRYPTO_HASH2
 100	tristate
 101	select CRYPTO_ALGAPI2
 102
 103config CRYPTO_RNG
 104	tristate
 105	select CRYPTO_RNG2
 106	select CRYPTO_ALGAPI
 107
 108config CRYPTO_RNG2
 109	tristate
 110	select CRYPTO_ALGAPI2
 111
 112config CRYPTO_RNG_DEFAULT
 113	tristate
 114	select CRYPTO_DRBG_MENU
 115
 116config CRYPTO_AKCIPHER2
 117	tristate
 118	select CRYPTO_ALGAPI2
 119
 120config CRYPTO_AKCIPHER
 121	tristate
 122	select CRYPTO_AKCIPHER2
 123	select CRYPTO_ALGAPI
 124
 125config CRYPTO_KPP2
 126	tristate
 127	select CRYPTO_ALGAPI2
 128
 129config CRYPTO_KPP
 130	tristate
 131	select CRYPTO_ALGAPI
 132	select CRYPTO_KPP2
 133
 134config CRYPTO_ACOMP2
 135	tristate
 136	select CRYPTO_ALGAPI2
 137	select SGL_ALLOC
 138
 139config CRYPTO_ACOMP
 140	tristate
 141	select CRYPTO_ALGAPI
 142	select CRYPTO_ACOMP2
 143
 144config CRYPTO_MANAGER
 145	tristate "Cryptographic algorithm manager"
 146	select CRYPTO_MANAGER2
 147	help
 148	  Create default cryptographic template instantiations such as
 149	  cbc(aes).
 150
 151config CRYPTO_MANAGER2
 152	def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
 153	select CRYPTO_ACOMP2
 154	select CRYPTO_AEAD2
 155	select CRYPTO_AKCIPHER2
 156	select CRYPTO_SIG2
 157	select CRYPTO_HASH2
 158	select CRYPTO_KPP2
 159	select CRYPTO_RNG2
 160	select CRYPTO_SKCIPHER2
 161
 162config CRYPTO_USER
 163	tristate "Userspace cryptographic algorithm configuration"
 164	depends on NET
 165	select CRYPTO_MANAGER
 166	help
 167	  Userspace configuration for cryptographic instantiations such as
 168	  cbc(aes).
 169
 170config CRYPTO_MANAGER_DISABLE_TESTS
 171	bool "Disable run-time self tests"
 172	default y
 173	help
 174	  Disable run-time self tests that normally take place at
 175	  algorithm registration.
 176
 177config CRYPTO_MANAGER_EXTRA_TESTS
 178	bool "Enable extra run-time crypto self tests"
 179	depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER
 180	help
 181	  Enable extra run-time self tests of registered crypto algorithms,
 182	  including randomized fuzz tests.
 183
 184	  This is intended for developer use only, as these tests take much
 185	  longer to run than the normal self tests.
 186
 187config CRYPTO_NULL
 188	tristate "Null algorithms"
 189	select CRYPTO_NULL2
 190	help
 191	  These are 'Null' algorithms, used by IPsec, which do nothing.
 192
 193config CRYPTO_NULL2
 194	tristate
 195	select CRYPTO_ALGAPI2
 196	select CRYPTO_SKCIPHER2
 197	select CRYPTO_HASH2
 198
 199config CRYPTO_PCRYPT
 200	tristate "Parallel crypto engine"
 201	depends on SMP
 202	select PADATA
 203	select CRYPTO_MANAGER
 204	select CRYPTO_AEAD
 205	help
 206	  This converts an arbitrary crypto algorithm into a parallel
 207	  algorithm that executes in kernel threads.
 208
 209config CRYPTO_CRYPTD
 210	tristate "Software async crypto daemon"
 211	select CRYPTO_SKCIPHER
 212	select CRYPTO_HASH
 213	select CRYPTO_MANAGER
 214	help
 215	  This is a generic software asynchronous crypto daemon that
 216	  converts an arbitrary synchronous software crypto algorithm
 217	  into an asynchronous algorithm that executes in a kernel thread.
 218
 219config CRYPTO_AUTHENC
 220	tristate "Authenc support"
 221	select CRYPTO_AEAD
 222	select CRYPTO_SKCIPHER
 223	select CRYPTO_MANAGER
 224	select CRYPTO_HASH
 225	select CRYPTO_NULL
 226	help
 227	  Authenc: Combined mode wrapper for IPsec.
 228
 229	  This is required for IPSec ESP (XFRM_ESP).
 230
 231config CRYPTO_TEST
 232	tristate "Testing module"
 233	depends on m || EXPERT
 234	select CRYPTO_MANAGER
 235	help
 236	  Quick & dirty crypto test module.
 237
 238config CRYPTO_SIMD
 239	tristate
 240	select CRYPTO_CRYPTD
 241
 242config CRYPTO_ENGINE
 243	tristate
 244
 245endmenu
 246
 247menu "Public-key cryptography"
 248
 249config CRYPTO_RSA
 250	tristate "RSA (Rivest-Shamir-Adleman)"
 251	select CRYPTO_AKCIPHER
 252	select CRYPTO_MANAGER
 253	select CRYPTO_SIG
 254	select MPILIB
 255	select ASN1
 256	help
 257	  RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017)
 258
 259config CRYPTO_DH
 260	tristate "DH (Diffie-Hellman)"
 261	select CRYPTO_KPP
 262	select MPILIB
 263	help
 264	  DH (Diffie-Hellman) key exchange algorithm
 265
 266config CRYPTO_DH_RFC7919_GROUPS
 267	bool "RFC 7919 FFDHE groups"
 268	depends on CRYPTO_DH
 269	select CRYPTO_RNG_DEFAULT
 270	help
 271	  FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups
 272	  defined in RFC7919.
 273
 274	  Support these finite-field groups in DH key exchanges:
 275	  - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
 276
 277	  If unsure, say N.
 278
 279config CRYPTO_ECC
 280	tristate
 281	select CRYPTO_RNG_DEFAULT
 282
 283config CRYPTO_ECDH
 284	tristate "ECDH (Elliptic Curve Diffie-Hellman)"
 285	select CRYPTO_ECC
 286	select CRYPTO_KPP
 287	help
 288	  ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm
 289	  using curves P-192, P-256, and P-384 (FIPS 186)
 290
 291config CRYPTO_ECDSA
 292	tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)"
 293	select CRYPTO_ECC
 294	select CRYPTO_SIG
 295	select ASN1
 296	help
 297	  ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186,
 298	  ISO/IEC 14888-3)
 299	  using curves P-192, P-256, P-384 and P-521
 300
 301	  Only signature verification is implemented.
 302
 303config CRYPTO_ECRDSA
 304	tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)"
 305	select CRYPTO_ECC
 306	select CRYPTO_SIG
 307	select CRYPTO_STREEBOG
 308	select OID_REGISTRY
 309	select ASN1
 310	help
 311	  Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
 312	  RFC 7091, ISO/IEC 14888-3)
 313
 314	  One of the Russian cryptographic standard algorithms (called GOST
 315	  algorithms). Only signature verification is implemented.
 316
 317config CRYPTO_CURVE25519
 318	tristate "Curve25519"
 319	select CRYPTO_KPP
 320	select CRYPTO_LIB_CURVE25519_GENERIC
 321	help
 322	  Curve25519 elliptic curve (RFC7748)
 323
 324endmenu
 325
 326menu "Block ciphers"
 327
 328config CRYPTO_AES
 329	tristate "AES (Advanced Encryption Standard)"
 330	select CRYPTO_ALGAPI
 331	select CRYPTO_LIB_AES
 332	help
 333	  AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
 334
 335	  Rijndael appears to be consistently a very good performer in
 336	  both hardware and software across a wide range of computing
 337	  environments regardless of its use in feedback or non-feedback
 338	  modes. Its key setup time is excellent, and its key agility is
 339	  good. Rijndael's very low memory requirements make it very well
 340	  suited for restricted-space environments, in which it also
 341	  demonstrates excellent performance. Rijndael's operations are
 342	  among the easiest to defend against power and timing attacks.
 343
 344	  The AES specifies three key sizes: 128, 192 and 256 bits
 345
 346config CRYPTO_AES_TI
 347	tristate "AES (Advanced Encryption Standard) (fixed time)"
 348	select CRYPTO_ALGAPI
 349	select CRYPTO_LIB_AES
 350	help
 351	  AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
 352
 353	  This is a generic implementation of AES that attempts to eliminate
 354	  data dependent latencies as much as possible without affecting
 355	  performance too much. It is intended for use by the generic CCM
 356	  and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
 357	  solely on encryption (although decryption is supported as well, but
 358	  with a more dramatic performance hit)
 359
 360	  Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
 361	  8 for decryption), this implementation only uses just two S-boxes of
 362	  256 bytes each, and attempts to eliminate data dependent latencies by
 363	  prefetching the entire table into the cache at the start of each
 364	  block. Interrupts are also disabled to avoid races where cachelines
 365	  are evicted when the CPU is interrupted to do something else.
 366
 367config CRYPTO_ANUBIS
 368	tristate "Anubis"
 369	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
 370	select CRYPTO_ALGAPI
 371	help
 372	  Anubis cipher algorithm
 373
 374	  Anubis is a variable key length cipher which can use keys from
 375	  128 bits to 320 bits in length.  It was evaluated as a entrant
 376	  in the NESSIE competition.
 377
 378	  See https://web.archive.org/web/20160606112246/http://www.larc.usp.br/~pbarreto/AnubisPage.html
 379	  for further information.
 380
 381config CRYPTO_ARIA
 382	tristate "ARIA"
 383	select CRYPTO_ALGAPI
 384	help
 385	  ARIA cipher algorithm (RFC5794)
 386
 387	  ARIA is a standard encryption algorithm of the Republic of Korea.
 388	  The ARIA specifies three key sizes and rounds.
 389	  128-bit: 12 rounds.
 390	  192-bit: 14 rounds.
 391	  256-bit: 16 rounds.
 392
 393	  See:
 394	  https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do
 395
 396config CRYPTO_BLOWFISH
 397	tristate "Blowfish"
 398	select CRYPTO_ALGAPI
 399	select CRYPTO_BLOWFISH_COMMON
 400	help
 401	  Blowfish cipher algorithm, by Bruce Schneier
 402
 403	  This is a variable key length cipher which can use keys from 32
 404	  bits to 448 bits in length.  It's fast, simple and specifically
 405	  designed for use on "large microprocessors".
 406
 407	  See https://www.schneier.com/blowfish.html for further information.
 408
 409config CRYPTO_BLOWFISH_COMMON
 410	tristate
 411	help
 412	  Common parts of the Blowfish cipher algorithm shared by the
 413	  generic c and the assembler implementations.
 414
 415config CRYPTO_CAMELLIA
 416	tristate "Camellia"
 417	select CRYPTO_ALGAPI
 418	help
 419	  Camellia cipher algorithms (ISO/IEC 18033-3)
 420
 421	  Camellia is a symmetric key block cipher developed jointly
 422	  at NTT and Mitsubishi Electric Corporation.
 423
 424	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
 425
 426	  See https://info.isl.ntt.co.jp/crypt/eng/camellia/ for further information.
 427
 428config CRYPTO_CAST_COMMON
 429	tristate
 430	help
 431	  Common parts of the CAST cipher algorithms shared by the
 432	  generic c and the assembler implementations.
 433
 434config CRYPTO_CAST5
 435	tristate "CAST5 (CAST-128)"
 436	select CRYPTO_ALGAPI
 437	select CRYPTO_CAST_COMMON
 438	help
 439	  CAST5 (CAST-128) cipher algorithm (RFC2144, ISO/IEC 18033-3)
 440
 441config CRYPTO_CAST6
 442	tristate "CAST6 (CAST-256)"
 443	select CRYPTO_ALGAPI
 444	select CRYPTO_CAST_COMMON
 445	help
 446	  CAST6 (CAST-256) encryption algorithm (RFC2612)
 447
 448config CRYPTO_DES
 449	tristate "DES and Triple DES EDE"
 450	select CRYPTO_ALGAPI
 451	select CRYPTO_LIB_DES
 452	help
 453	  DES (Data Encryption Standard)(FIPS 46-2, ISO/IEC 18033-3) and
 454	  Triple DES EDE (Encrypt/Decrypt/Encrypt) (FIPS 46-3, ISO/IEC 18033-3)
 455	  cipher algorithms
 456
 457config CRYPTO_FCRYPT
 458	tristate "FCrypt"
 459	select CRYPTO_ALGAPI
 460	select CRYPTO_SKCIPHER
 461	help
 462	  FCrypt algorithm used by RxRPC
 463
 464	  See https://ota.polyonymo.us/fcrypt-paper.txt
 465
 466config CRYPTO_KHAZAD
 467	tristate "Khazad"
 468	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
 469	select CRYPTO_ALGAPI
 470	help
 471	  Khazad cipher algorithm
 472
 473	  Khazad was a finalist in the initial NESSIE competition.  It is
 474	  an algorithm optimized for 64-bit processors with good performance
 475	  on 32-bit processors.  Khazad uses an 128 bit key size.
 476
 477	  See https://web.archive.org/web/20171011071731/http://www.larc.usp.br/~pbarreto/KhazadPage.html
 478	  for further information.
 479
 480config CRYPTO_SEED
 481	tristate "SEED"
 482	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
 483	select CRYPTO_ALGAPI
 484	help
 485	  SEED cipher algorithm (RFC4269, ISO/IEC 18033-3)
 486
 487	  SEED is a 128-bit symmetric key block cipher that has been
 488	  developed by KISA (Korea Information Security Agency) as a
 489	  national standard encryption algorithm of the Republic of Korea.
 490	  It is a 16 round block cipher with the key size of 128 bit.
 491
 492	  See https://seed.kisa.or.kr/kisa/algorithm/EgovSeedInfo.do
 493	  for further information.
 494
 495config CRYPTO_SERPENT
 496	tristate "Serpent"
 497	select CRYPTO_ALGAPI
 498	help
 499	  Serpent cipher algorithm, by Anderson, Biham & Knudsen
 500
 501	  Keys are allowed to be from 0 to 256 bits in length, in steps
 502	  of 8 bits.
 503
 504	  See https://www.cl.cam.ac.uk/~rja14/serpent.html for further information.
 505
 506config CRYPTO_SM4
 507	tristate
 508
 509config CRYPTO_SM4_GENERIC
 510	tristate "SM4 (ShangMi 4)"
 511	select CRYPTO_ALGAPI
 512	select CRYPTO_SM4
 513	help
 514	  SM4 cipher algorithms (OSCCA GB/T 32907-2016,
 515	  ISO/IEC 18033-3:2010/Amd 1:2021)
 516
 517	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
 518	  Organization of State Commercial Administration of China (OSCCA)
 519	  as an authorized cryptographic algorithms for the use within China.
 520
 521	  SMS4 was originally created for use in protecting wireless
 522	  networks, and is mandated in the Chinese National Standard for
 523	  Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
 524	  (GB.15629.11-2003).
 525
 526	  The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
 527	  standardized through TC 260 of the Standardization Administration
 528	  of the People's Republic of China (SAC).
 529
 530	  The input, output, and key of SMS4 are each 128 bits.
 531
 532	  See https://eprint.iacr.org/2008/329.pdf for further information.
 533
 534	  If unsure, say N.
 535
 536config CRYPTO_TEA
 537	tristate "TEA, XTEA and XETA"
 538	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
 539	select CRYPTO_ALGAPI
 540	help
 541	  TEA (Tiny Encryption Algorithm) cipher algorithms
 542
 543	  Tiny Encryption Algorithm is a simple cipher that uses
 544	  many rounds for security.  It is very fast and uses
 545	  little memory.
 546
 547	  Xtendend Tiny Encryption Algorithm is a modification to
 548	  the TEA algorithm to address a potential key weakness
 549	  in the TEA algorithm.
 550
 551	  Xtendend Encryption Tiny Algorithm is a mis-implementation
 552	  of the XTEA algorithm for compatibility purposes.
 553
 554config CRYPTO_TWOFISH
 555	tristate "Twofish"
 556	select CRYPTO_ALGAPI
 557	select CRYPTO_TWOFISH_COMMON
 558	help
 559	  Twofish cipher algorithm
 560
 561	  Twofish was submitted as an AES (Advanced Encryption Standard)
 562	  candidate cipher by researchers at CounterPane Systems.  It is a
 563	  16 round block cipher supporting key sizes of 128, 192, and 256
 564	  bits.
 565
 566	  See https://www.schneier.com/twofish.html for further information.
 567
 568config CRYPTO_TWOFISH_COMMON
 569	tristate
 570	help
 571	  Common parts of the Twofish cipher algorithm shared by the
 572	  generic c and the assembler implementations.
 573
 574endmenu
 575
 576menu "Length-preserving ciphers and modes"
 577
 578config CRYPTO_ADIANTUM
 579	tristate "Adiantum"
 580	select CRYPTO_CHACHA20
 581	select CRYPTO_LIB_POLY1305_GENERIC
 582	select CRYPTO_NHPOLY1305
 583	select CRYPTO_MANAGER
 584	help
 585	  Adiantum tweakable, length-preserving encryption mode
 586
 587	  Designed for fast and secure disk encryption, especially on
 588	  CPUs without dedicated crypto instructions.  It encrypts
 589	  each sector using the XChaCha12 stream cipher, two passes of
 590	  an ε-almost-∆-universal hash function, and an invocation of
 591	  the AES-256 block cipher on a single 16-byte block.  On CPUs
 592	  without AES instructions, Adiantum is much faster than
 593	  AES-XTS.
 594
 595	  Adiantum's security is provably reducible to that of its
 596	  underlying stream and block ciphers, subject to a security
 597	  bound.  Unlike XTS, Adiantum is a true wide-block encryption
 598	  mode, so it actually provides an even stronger notion of
 599	  security than XTS, subject to the security bound.
 600
 601	  If unsure, say N.
 602
 603config CRYPTO_ARC4
 604	tristate "ARC4 (Alleged Rivest Cipher 4)"
 605	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
 606	select CRYPTO_SKCIPHER
 607	select CRYPTO_LIB_ARC4
 608	help
 609	  ARC4 cipher algorithm
 610
 611	  ARC4 is a stream cipher using keys ranging from 8 bits to 2048
 612	  bits in length.  This algorithm is required for driver-based
 613	  WEP, but it should not be for other purposes because of the
 614	  weakness of the algorithm.
 615
 616config CRYPTO_CHACHA20
 617	tristate "ChaCha"
 618	select CRYPTO_LIB_CHACHA_GENERIC
 619	select CRYPTO_SKCIPHER
 620	help
 621	  The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms
 622
 623	  ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
 624	  Bernstein and further specified in RFC7539 for use in IETF protocols.
 625	  This is the portable C implementation of ChaCha20.  See
 626	  https://cr.yp.to/chacha/chacha-20080128.pdf for further information.
 627
 628	  XChaCha20 is the application of the XSalsa20 construction to ChaCha20
 629	  rather than to Salsa20.  XChaCha20 extends ChaCha20's nonce length
 630	  from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
 631	  while provably retaining ChaCha20's security.  See
 632	  https://cr.yp.to/snuffle/xsalsa-20081128.pdf for further information.
 633
 634	  XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
 635	  reduced security margin but increased performance.  It can be needed
 636	  in some performance-sensitive scenarios.
 637
 638config CRYPTO_CBC
 639	tristate "CBC (Cipher Block Chaining)"
 640	select CRYPTO_SKCIPHER
 641	select CRYPTO_MANAGER
 642	help
 643	  CBC (Cipher Block Chaining) mode (NIST SP800-38A)
 644
 645	  This block cipher mode is required for IPSec ESP (XFRM_ESP).
 646
 647config CRYPTO_CTR
 648	tristate "CTR (Counter)"
 649	select CRYPTO_SKCIPHER
 650	select CRYPTO_MANAGER
 651	help
 652	  CTR (Counter) mode (NIST SP800-38A)
 653
 654config CRYPTO_CTS
 655	tristate "CTS (Cipher Text Stealing)"
 656	select CRYPTO_SKCIPHER
 657	select CRYPTO_MANAGER
 658	help
 659	  CBC-CS3 variant of CTS (Cipher Text Stealing) (NIST
 660	  Addendum to SP800-38A (October 2010))
 661
 662	  This mode is required for Kerberos gss mechanism support
 663	  for AES encryption.
 664
 665config CRYPTO_ECB
 666	tristate "ECB (Electronic Codebook)"
 667	select CRYPTO_SKCIPHER2
 668	select CRYPTO_MANAGER
 669	help
 670	  ECB (Electronic Codebook) mode (NIST SP800-38A)
 671
 672config CRYPTO_HCTR2
 673	tristate "HCTR2"
 674	select CRYPTO_XCTR
 675	select CRYPTO_POLYVAL
 676	select CRYPTO_MANAGER
 677	help
 678	  HCTR2 length-preserving encryption mode
 679
 680	  A mode for storage encryption that is efficient on processors with
 681	  instructions to accelerate AES and carryless multiplication, e.g.
 682	  x86 processors with AES-NI and CLMUL, and ARM processors with the
 683	  ARMv8 crypto extensions.
 684
 685	  See https://eprint.iacr.org/2021/1441
 686
 687config CRYPTO_LRW
 688	tristate "LRW (Liskov Rivest Wagner)"
 689	select CRYPTO_LIB_GF128MUL
 690	select CRYPTO_SKCIPHER
 691	select CRYPTO_MANAGER
 692	select CRYPTO_ECB
 693	help
 694	  LRW (Liskov Rivest Wagner) mode
 695
 696	  A tweakable, non malleable, non movable
 697	  narrow block cipher mode for dm-crypt.  Use it with cipher
 698	  specification string aes-lrw-benbi, the key must be 256, 320 or 384.
 699	  The first 128, 192 or 256 bits in the key are used for AES and the
 700	  rest is used to tie each cipher block to its logical position.
 701
 702	  See https://people.csail.mit.edu/rivest/pubs/LRW02.pdf
 703
 704config CRYPTO_PCBC
 705	tristate "PCBC (Propagating Cipher Block Chaining)"
 706	select CRYPTO_SKCIPHER
 707	select CRYPTO_MANAGER
 708	help
 709	  PCBC (Propagating Cipher Block Chaining) mode
 710
 711	  This block cipher mode is required for RxRPC.
 712
 713config CRYPTO_XCTR
 714	tristate
 715	select CRYPTO_SKCIPHER
 716	select CRYPTO_MANAGER
 717	help
 718	  XCTR (XOR Counter) mode for HCTR2
 719
 720	  This blockcipher mode is a variant of CTR mode using XORs and little-endian
 721	  addition rather than big-endian arithmetic.
 722
 723	  XCTR mode is used to implement HCTR2.
 724
 725config CRYPTO_XTS
 726	tristate "XTS (XOR Encrypt XOR with ciphertext stealing)"
 727	select CRYPTO_SKCIPHER
 728	select CRYPTO_MANAGER
 729	select CRYPTO_ECB
 730	help
 731	  XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
 732	  and IEEE 1619)
 733
 734	  Use with aes-xts-plain, key size 256, 384 or 512 bits. This
 735	  implementation currently can't handle a sectorsize which is not a
 736	  multiple of 16 bytes.
 737
 738config CRYPTO_NHPOLY1305
 739	tristate
 740	select CRYPTO_HASH
 741	select CRYPTO_LIB_POLY1305_GENERIC
 742
 743endmenu
 744
 745menu "AEAD (authenticated encryption with associated data) ciphers"
 746
 747config CRYPTO_AEGIS128
 748	tristate "AEGIS-128"
 749	select CRYPTO_AEAD
 750	select CRYPTO_AES  # for AES S-box tables
 751	help
 752	  AEGIS-128 AEAD algorithm
 753
 754config CRYPTO_AEGIS128_SIMD
 755	bool "AEGIS-128 (arm NEON, arm64 NEON)"
 756	depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
 757	default y
 758	help
 759	  AEGIS-128 AEAD algorithm
 760
 761	  Architecture: arm or arm64 using:
 762	  - NEON (Advanced SIMD) extension
 763
 764config CRYPTO_CHACHA20POLY1305
 765	tristate "ChaCha20-Poly1305"
 766	select CRYPTO_CHACHA20
 767	select CRYPTO_POLY1305
 768	select CRYPTO_AEAD
 769	select CRYPTO_MANAGER
 770	help
 771	  ChaCha20 stream cipher and Poly1305 authenticator combined
 772	  mode (RFC8439)
 773
 774config CRYPTO_CCM
 775	tristate "CCM (Counter with Cipher Block Chaining-MAC)"
 776	select CRYPTO_CTR
 777	select CRYPTO_HASH
 778	select CRYPTO_AEAD
 779	select CRYPTO_MANAGER
 780	help
 781	  CCM (Counter with Cipher Block Chaining-Message Authentication Code)
 782	  authenticated encryption mode (NIST SP800-38C)
 783
 784config CRYPTO_GCM
 785	tristate "GCM (Galois/Counter Mode) and GMAC (GCM MAC)"
 786	select CRYPTO_CTR
 787	select CRYPTO_AEAD
 788	select CRYPTO_GHASH
 789	select CRYPTO_NULL
 790	select CRYPTO_MANAGER
 791	help
 792	  GCM (Galois/Counter Mode) authenticated encryption mode and GMAC
 793	  (GCM Message Authentication Code) (NIST SP800-38D)
 794
 795	  This is required for IPSec ESP (XFRM_ESP).
 796
 797config CRYPTO_GENIV
 798	tristate
 799	select CRYPTO_AEAD
 800	select CRYPTO_NULL
 801	select CRYPTO_MANAGER
 802	select CRYPTO_RNG_DEFAULT
 803
 804config CRYPTO_SEQIV
 805	tristate "Sequence Number IV Generator"
 806	select CRYPTO_GENIV
 807	help
 808	  Sequence Number IV generator
 809
 810	  This IV generator generates an IV based on a sequence number by
 811	  xoring it with a salt.  This algorithm is mainly useful for CTR.
 812
 813	  This is required for IPsec ESP (XFRM_ESP).
 814
 815config CRYPTO_ECHAINIV
 816	tristate "Encrypted Chain IV Generator"
 817	select CRYPTO_GENIV
 818	help
 819	  Encrypted Chain IV generator
 820
 821	  This IV generator generates an IV based on the encryption of
 822	  a sequence number xored with a salt.  This is the default
 823	  algorithm for CBC.
 824
 825config CRYPTO_ESSIV
 826	tristate "Encrypted Salt-Sector IV Generator"
 827	select CRYPTO_AUTHENC
 828	help
 829	  Encrypted Salt-Sector IV generator
 830
 831	  This IV generator is used in some cases by fscrypt and/or
 832	  dm-crypt. It uses the hash of the block encryption key as the
 833	  symmetric key for a block encryption pass applied to the input
 834	  IV, making low entropy IV sources more suitable for block
 835	  encryption.
 836
 837	  This driver implements a crypto API template that can be
 838	  instantiated either as an skcipher or as an AEAD (depending on the
 839	  type of the first template argument), and which defers encryption
 840	  and decryption requests to the encapsulated cipher after applying
 841	  ESSIV to the input IV. Note that in the AEAD case, it is assumed
 842	  that the keys are presented in the same format used by the authenc
 843	  template, and that the IV appears at the end of the authenticated
 844	  associated data (AAD) region (which is how dm-crypt uses it.)
 845
 846	  Note that the use of ESSIV is not recommended for new deployments,
 847	  and so this only needs to be enabled when interoperability with
 848	  existing encrypted volumes of filesystems is required, or when
 849	  building for a particular system that requires it (e.g., when
 850	  the SoC in question has accelerated CBC but not XTS, making CBC
 851	  combined with ESSIV the only feasible mode for h/w accelerated
 852	  block encryption)
 853
 854endmenu
 855
 856menu "Hashes, digests, and MACs"
 857
 858config CRYPTO_BLAKE2B
 859	tristate "BLAKE2b"
 860	select CRYPTO_HASH
 861	help
 862	  BLAKE2b cryptographic hash function (RFC 7693)
 863
 864	  BLAKE2b is optimized for 64-bit platforms and can produce digests
 865	  of any size between 1 and 64 bytes. The keyed hash is also implemented.
 866
 867	  This module provides the following algorithms:
 868	  - blake2b-160
 869	  - blake2b-256
 870	  - blake2b-384
 871	  - blake2b-512
 872
 873	  Used by the btrfs filesystem.
 874
 875	  See https://blake2.net for further information.
 876
 877config CRYPTO_CMAC
 878	tristate "CMAC (Cipher-based MAC)"
 879	select CRYPTO_HASH
 880	select CRYPTO_MANAGER
 881	help
 882	  CMAC (Cipher-based Message Authentication Code) authentication
 883	  mode (NIST SP800-38B and IETF RFC4493)
 884
 885config CRYPTO_GHASH
 886	tristate "GHASH"
 887	select CRYPTO_HASH
 888	select CRYPTO_LIB_GF128MUL
 889	help
 890	  GCM GHASH function (NIST SP800-38D)
 891
 892config CRYPTO_HMAC
 893	tristate "HMAC (Keyed-Hash MAC)"
 894	select CRYPTO_HASH
 895	select CRYPTO_MANAGER
 896	help
 897	  HMAC (Keyed-Hash Message Authentication Code) (FIPS 198 and
 898	  RFC2104)
 899
 900	  This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
 901
 902config CRYPTO_MD4
 903	tristate "MD4"
 904	select CRYPTO_HASH
 905	help
 906	  MD4 message digest algorithm (RFC1320)
 907
 908config CRYPTO_MD5
 909	tristate "MD5"
 910	select CRYPTO_HASH
 911	help
 912	  MD5 message digest algorithm (RFC1321)
 913
 914config CRYPTO_MICHAEL_MIC
 915	tristate "Michael MIC"
 916	select CRYPTO_HASH
 917	help
 918	  Michael MIC (Message Integrity Code) (IEEE 802.11i)
 919
 920	  Defined by the IEEE 802.11i TKIP (Temporal Key Integrity Protocol),
 921	  known as WPA (Wif-Fi Protected Access).
 922
 923	  This algorithm is required for TKIP, but it should not be used for
 924	  other purposes because of the weakness of the algorithm.
 925
 926config CRYPTO_POLYVAL
 927	tristate
 928	select CRYPTO_HASH
 929	select CRYPTO_LIB_GF128MUL
 930	help
 931	  POLYVAL hash function for HCTR2
 932
 933	  This is used in HCTR2.  It is not a general-purpose
 934	  cryptographic hash function.
 935
 936config CRYPTO_POLY1305
 937	tristate "Poly1305"
 938	select CRYPTO_HASH
 939	select CRYPTO_LIB_POLY1305_GENERIC
 940	help
 941	  Poly1305 authenticator algorithm (RFC7539)
 942
 943	  Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
 944	  It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
 945	  in IETF protocols. This is the portable C implementation of Poly1305.
 946
 947config CRYPTO_RMD160
 948	tristate "RIPEMD-160"
 949	select CRYPTO_HASH
 950	help
 951	  RIPEMD-160 hash function (ISO/IEC 10118-3)
 952
 953	  RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
 954	  to be used as a secure replacement for the 128-bit hash functions
 955	  MD4, MD5 and its predecessor RIPEMD
 956	  (not to be confused with RIPEMD-128).
 957
 958	  Its speed is comparable to SHA-1 and there are no known attacks
 959	  against RIPEMD-160.
 960
 961	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
 962	  See https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
 963	  for further information.
 964
 965config CRYPTO_SHA1
 966	tristate "SHA-1"
 967	select CRYPTO_HASH
 968	select CRYPTO_LIB_SHA1
 969	help
 970	  SHA-1 secure hash algorithm (FIPS 180, ISO/IEC 10118-3)
 971
 972config CRYPTO_SHA256
 973	tristate "SHA-224 and SHA-256"
 974	select CRYPTO_HASH
 975	select CRYPTO_LIB_SHA256
 976	help
 977	  SHA-224 and SHA-256 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
 978
 979	  This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
 980	  Used by the btrfs filesystem, Ceph, NFS, and SMB.
 981
 982config CRYPTO_SHA512
 983	tristate "SHA-384 and SHA-512"
 984	select CRYPTO_HASH
 985	help
 986	  SHA-384 and SHA-512 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
 987
 988config CRYPTO_SHA3
 989	tristate "SHA-3"
 990	select CRYPTO_HASH
 991	help
 992	  SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3)
 993
 994config CRYPTO_SM3
 995	tristate
 996
 997config CRYPTO_SM3_GENERIC
 998	tristate "SM3 (ShangMi 3)"
 999	select CRYPTO_HASH
1000	select CRYPTO_SM3
1001	help
1002	  SM3 (ShangMi 3) secure hash function (OSCCA GM/T 0004-2012, ISO/IEC 10118-3)
1003
1004	  This is part of the Chinese Commercial Cryptography suite.
1005
1006	  References:
1007	  http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
1008	  https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
1009
1010config CRYPTO_STREEBOG
1011	tristate "Streebog"
1012	select CRYPTO_HASH
1013	help
1014	  Streebog Hash Function (GOST R 34.11-2012, RFC 6986, ISO/IEC 10118-3)
1015
1016	  This is one of the Russian cryptographic standard algorithms (called
1017	  GOST algorithms). This setting enables two hash algorithms with
1018	  256 and 512 bits output.
1019
1020	  References:
1021	  https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1022	  https://tools.ietf.org/html/rfc6986
1023
1024config CRYPTO_WP512
1025	tristate "Whirlpool"
1026	select CRYPTO_HASH
1027	help
1028	  Whirlpool hash function (ISO/IEC 10118-3)
1029
1030	  512, 384 and 256-bit hashes.
1031
1032	  Whirlpool-512 is part of the NESSIE cryptographic primitives.
1033
1034	  See https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
1035	  for further information.
1036
1037config CRYPTO_XCBC
1038	tristate "XCBC-MAC (Extended Cipher Block Chaining MAC)"
1039	select CRYPTO_HASH
1040	select CRYPTO_MANAGER
1041	help
1042	  XCBC-MAC (Extended Cipher Block Chaining Message Authentication
1043	  Code) (RFC3566)
1044
1045config CRYPTO_XXHASH
1046	tristate "xxHash"
1047	select CRYPTO_HASH
1048	select XXHASH
1049	help
1050	  xxHash non-cryptographic hash algorithm
1051
1052	  Extremely fast, working at speeds close to RAM limits.
1053
1054	  Used by the btrfs filesystem.
1055
1056endmenu
1057
1058menu "CRCs (cyclic redundancy checks)"
1059
1060config CRYPTO_CRC32C
1061	tristate "CRC32c"
1062	select CRYPTO_HASH
1063	select CRC32
1064	help
1065	  CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720)
1066
1067	  A 32-bit CRC (cyclic redundancy check) with a polynomial defined
1068	  by G. Castagnoli, S. Braeuer and M. Herrman in "Optimization of Cyclic
1069	  Redundancy-Check Codes with 24 and 32 Parity Bits", IEEE Transactions
1070	  on Communications, Vol. 41, No. 6, June 1993, selected for use with
1071	  iSCSI.
1072
1073	  Used by btrfs, ext4, jbd2, NVMeoF/TCP, and iSCSI.
1074
1075config CRYPTO_CRC32
1076	tristate "CRC32"
1077	select CRYPTO_HASH
1078	select CRC32
1079	help
1080	  CRC32 CRC algorithm (IEEE 802.3)
1081
1082	  Used by RoCEv2 and f2fs.
1083
1084config CRYPTO_CRCT10DIF
1085	tristate "CRCT10DIF"
1086	select CRYPTO_HASH
1087	select CRC_T10DIF
1088	help
1089	  CRC16 CRC algorithm used for the T10 (SCSI) Data Integrity Field (DIF)
1090
1091	  CRC algorithm used by the SCSI Block Commands standard.
1092
1093config CRYPTO_CRC64_ROCKSOFT
1094	tristate "CRC64 based on Rocksoft Model algorithm"
1095	depends on CRC64
1096	select CRYPTO_HASH
1097	help
1098	  CRC64 CRC algorithm based on the Rocksoft Model CRC Algorithm
1099
1100	  Used by the NVMe implementation of T10 DIF (BLK_DEV_INTEGRITY)
1101
1102	  See https://zlib.net/crc_v3.txt
1103
1104endmenu
1105
1106menu "Compression"
1107
1108config CRYPTO_DEFLATE
1109	tristate "Deflate"
1110	select CRYPTO_ALGAPI
1111	select CRYPTO_ACOMP2
1112	select ZLIB_INFLATE
1113	select ZLIB_DEFLATE
1114	help
1115	  Deflate compression algorithm (RFC1951)
1116
1117	  Used by IPSec with the IPCOMP protocol (RFC3173, RFC2394)
1118
1119config CRYPTO_LZO
1120	tristate "LZO"
1121	select CRYPTO_ALGAPI
1122	select CRYPTO_ACOMP2
1123	select LZO_COMPRESS
1124	select LZO_DECOMPRESS
1125	help
1126	  LZO compression algorithm
1127
1128	  See https://www.oberhumer.com/opensource/lzo/ for further information.
1129
1130config CRYPTO_842
1131	tristate "842"
1132	select CRYPTO_ALGAPI
1133	select CRYPTO_ACOMP2
1134	select 842_COMPRESS
1135	select 842_DECOMPRESS
1136	help
1137	  842 compression algorithm by IBM
1138
1139	  See https://github.com/plauth/lib842 for further information.
1140
1141config CRYPTO_LZ4
1142	tristate "LZ4"
1143	select CRYPTO_ALGAPI
1144	select CRYPTO_ACOMP2
1145	select LZ4_COMPRESS
1146	select LZ4_DECOMPRESS
1147	help
1148	  LZ4 compression algorithm
1149
1150	  See https://github.com/lz4/lz4 for further information.
1151
1152config CRYPTO_LZ4HC
1153	tristate "LZ4HC"
1154	select CRYPTO_ALGAPI
1155	select CRYPTO_ACOMP2
1156	select LZ4HC_COMPRESS
1157	select LZ4_DECOMPRESS
1158	help
1159	  LZ4 high compression mode algorithm
1160
1161	  See https://github.com/lz4/lz4 for further information.
1162
1163config CRYPTO_ZSTD
1164	tristate "Zstd"
1165	select CRYPTO_ALGAPI
1166	select CRYPTO_ACOMP2
1167	select ZSTD_COMPRESS
1168	select ZSTD_DECOMPRESS
1169	help
1170	  zstd compression algorithm
1171
1172	  See https://github.com/facebook/zstd for further information.
1173
1174endmenu
1175
1176menu "Random number generation"
1177
1178config CRYPTO_ANSI_CPRNG
1179	tristate "ANSI PRNG (Pseudo Random Number Generator)"
1180	select CRYPTO_AES
1181	select CRYPTO_RNG
1182	help
1183	  Pseudo RNG (random number generator) (ANSI X9.31 Appendix A.2.4)
1184
1185	  This uses the AES cipher algorithm.
1186
1187	  Note that this option must be enabled if CRYPTO_FIPS is selected
1188
1189menuconfig CRYPTO_DRBG_MENU
1190	tristate "NIST SP800-90A DRBG (Deterministic Random Bit Generator)"
1191	help
1192	  DRBG (Deterministic Random Bit Generator) (NIST SP800-90A)
1193
1194	  In the following submenu, one or more of the DRBG types must be selected.
1195
1196if CRYPTO_DRBG_MENU
1197
1198config CRYPTO_DRBG_HMAC
1199	bool
1200	default y
1201	select CRYPTO_HMAC
1202	select CRYPTO_SHA512
1203
1204config CRYPTO_DRBG_HASH
1205	bool "Hash_DRBG"
1206	select CRYPTO_SHA256
1207	help
1208	  Hash_DRBG variant as defined in NIST SP800-90A.
1209
1210	  This uses the SHA-1, SHA-256, SHA-384, or SHA-512 hash algorithms.
1211
1212config CRYPTO_DRBG_CTR
1213	bool "CTR_DRBG"
1214	select CRYPTO_AES
1215	select CRYPTO_CTR
1216	help
1217	  CTR_DRBG variant as defined in NIST SP800-90A.
1218
1219	  This uses the AES cipher algorithm with the counter block mode.
1220
1221config CRYPTO_DRBG
1222	tristate
1223	default CRYPTO_DRBG_MENU
1224	select CRYPTO_RNG
1225	select CRYPTO_JITTERENTROPY
1226
1227endif	# if CRYPTO_DRBG_MENU
1228
1229config CRYPTO_JITTERENTROPY
1230	tristate "CPU Jitter Non-Deterministic RNG (Random Number Generator)"
1231	select CRYPTO_RNG
1232	select CRYPTO_SHA3
1233	help
1234	  CPU Jitter RNG (Random Number Generator) from the Jitterentropy library
1235
1236	  A non-physical non-deterministic ("true") RNG (e.g., an entropy source
1237	  compliant with NIST SP800-90B) intended to provide a seed to a
1238	  deterministic RNG (e.g., per NIST SP800-90C).
1239	  This RNG does not perform any cryptographic whitening of the generated
1240	  random numbers.
1241
1242	  See https://www.chronox.de/jent/
1243
1244if CRYPTO_JITTERENTROPY
1245if CRYPTO_FIPS && EXPERT
1246
1247choice
1248	prompt "CPU Jitter RNG Memory Size"
1249	default CRYPTO_JITTERENTROPY_MEMSIZE_2
1250	help
1251	  The Jitter RNG measures the execution time of memory accesses.
1252	  Multiple consecutive memory accesses are performed. If the memory
1253	  size fits into a cache (e.g. L1), only the memory access timing
1254	  to that cache is measured. The closer the cache is to the CPU
1255	  the less variations are measured and thus the less entropy is
1256	  obtained. Thus, if the memory size fits into the L1 cache, the
1257	  obtained entropy is less than if the memory size fits within
1258	  L1 + L2, which in turn is less if the memory fits into
1259	  L1 + L2 + L3. Thus, by selecting a different memory size,
1260	  the entropy rate produced by the Jitter RNG can be modified.
1261
1262	config CRYPTO_JITTERENTROPY_MEMSIZE_2
1263		bool "2048 Bytes (default)"
1264
1265	config CRYPTO_JITTERENTROPY_MEMSIZE_128
1266		bool "128 kBytes"
1267
1268	config CRYPTO_JITTERENTROPY_MEMSIZE_1024
1269		bool "1024 kBytes"
1270
1271	config CRYPTO_JITTERENTROPY_MEMSIZE_8192
1272		bool "8192 kBytes"
1273endchoice
1274
1275config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
1276	int
1277	default 64 if CRYPTO_JITTERENTROPY_MEMSIZE_2
1278	default 512 if CRYPTO_JITTERENTROPY_MEMSIZE_128
1279	default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
1280	default 4096 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
1281
1282config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
1283	int
1284	default 32 if CRYPTO_JITTERENTROPY_MEMSIZE_2
1285	default 256 if CRYPTO_JITTERENTROPY_MEMSIZE_128
1286	default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
1287	default 2048 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
1288
1289config CRYPTO_JITTERENTROPY_OSR
1290	int "CPU Jitter RNG Oversampling Rate"
1291	range 1 15
1292	default 3
1293	help
1294	  The Jitter RNG allows the specification of an oversampling rate (OSR).
1295	  The Jitter RNG operation requires a fixed amount of timing
1296	  measurements to produce one output block of random numbers. The
1297	  OSR value is multiplied with the amount of timing measurements to
1298	  generate one output block. Thus, the timing measurement is oversampled
1299	  by the OSR factor. The oversampling allows the Jitter RNG to operate
1300	  on hardware whose timers deliver limited amount of entropy (e.g.
1301	  the timer is coarse) by setting the OSR to a higher value. The
1302	  trade-off, however, is that the Jitter RNG now requires more time
1303	  to generate random numbers.
1304
1305config CRYPTO_JITTERENTROPY_TESTINTERFACE
1306	bool "CPU Jitter RNG Test Interface"
1307	help
1308	  The test interface allows a privileged process to capture
1309	  the raw unconditioned high resolution time stamp noise that
1310	  is collected by the Jitter RNG for statistical analysis. As
1311	  this data is used at the same time to generate random bits,
1312	  the Jitter RNG operates in an insecure mode as long as the
1313	  recording is enabled. This interface therefore is only
1314	  intended for testing purposes and is not suitable for
1315	  production systems.
1316
1317	  The raw noise data can be obtained using the jent_raw_hires
1318	  debugfs file. Using the option
1319	  jitterentropy_testing.boot_raw_hires_test=1 the raw noise of
1320	  the first 1000 entropy events since boot can be sampled.
1321
1322	  If unsure, select N.
1323
1324endif	# if CRYPTO_FIPS && EXPERT
1325
1326if !(CRYPTO_FIPS && EXPERT)
1327
1328config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
1329	int
1330	default 64
1331
1332config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
1333	int
1334	default 32
1335
1336config CRYPTO_JITTERENTROPY_OSR
1337	int
1338	default 1
1339
1340config CRYPTO_JITTERENTROPY_TESTINTERFACE
1341	bool
1342
1343endif	# if !(CRYPTO_FIPS && EXPERT)
1344endif	# if CRYPTO_JITTERENTROPY
1345
1346config CRYPTO_KDF800108_CTR
1347	tristate
1348	select CRYPTO_HMAC
1349	select CRYPTO_SHA256
1350
1351endmenu
1352menu "Userspace interface"
1353
1354config CRYPTO_USER_API
1355	tristate
1356
1357config CRYPTO_USER_API_HASH
1358	tristate "Hash algorithms"
1359	depends on NET
1360	select CRYPTO_HASH
1361	select CRYPTO_USER_API
1362	help
1363	  Enable the userspace interface for hash algorithms.
1364
1365	  See Documentation/crypto/userspace-if.rst and
1366	  https://www.chronox.de/libkcapi/html/index.html
1367
1368config CRYPTO_USER_API_SKCIPHER
1369	tristate "Symmetric key cipher algorithms"
1370	depends on NET
1371	select CRYPTO_SKCIPHER
1372	select CRYPTO_USER_API
1373	help
1374	  Enable the userspace interface for symmetric key cipher algorithms.
1375
1376	  See Documentation/crypto/userspace-if.rst and
1377	  https://www.chronox.de/libkcapi/html/index.html
1378
1379config CRYPTO_USER_API_RNG
1380	tristate "RNG (random number generator) algorithms"
1381	depends on NET
1382	select CRYPTO_RNG
1383	select CRYPTO_USER_API
1384	help
1385	  Enable the userspace interface for RNG (random number generator)
1386	  algorithms.
1387
1388	  See Documentation/crypto/userspace-if.rst and
1389	  https://www.chronox.de/libkcapi/html/index.html
1390
1391config CRYPTO_USER_API_RNG_CAVP
1392	bool "Enable CAVP testing of DRBG"
1393	depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
1394	help
1395	  Enable extra APIs in the userspace interface for NIST CAVP
1396	  (Cryptographic Algorithm Validation Program) testing:
1397	  - resetting DRBG entropy
1398	  - providing Additional Data
1399
1400	  This should only be enabled for CAVP testing. You should say
1401	  no unless you know what this is.
1402
1403config CRYPTO_USER_API_AEAD
1404	tristate "AEAD cipher algorithms"
1405	depends on NET
1406	select CRYPTO_AEAD
1407	select CRYPTO_SKCIPHER
1408	select CRYPTO_NULL
1409	select CRYPTO_USER_API
1410	help
1411	  Enable the userspace interface for AEAD cipher algorithms.
1412
1413	  See Documentation/crypto/userspace-if.rst and
1414	  https://www.chronox.de/libkcapi/html/index.html
1415
1416config CRYPTO_USER_API_ENABLE_OBSOLETE
1417	bool "Obsolete cryptographic algorithms"
1418	depends on CRYPTO_USER_API
1419	default y
1420	help
1421	  Allow obsolete cryptographic algorithms to be selected that have
1422	  already been phased out from internal use by the kernel, and are
1423	  only useful for userspace clients that still rely on them.
1424
1425endmenu
1426
1427config CRYPTO_HASH_INFO
1428	bool
1429
1430if !KMSAN # avoid false positives from assembly
1431if ARM
1432source "arch/arm/crypto/Kconfig"
1433endif
1434if ARM64
1435source "arch/arm64/crypto/Kconfig"
1436endif
1437if LOONGARCH
1438source "arch/loongarch/crypto/Kconfig"
1439endif
1440if MIPS
1441source "arch/mips/crypto/Kconfig"
1442endif
1443if PPC
1444source "arch/powerpc/crypto/Kconfig"
1445endif
1446if RISCV
1447source "arch/riscv/crypto/Kconfig"
1448endif
1449if S390
1450source "arch/s390/crypto/Kconfig"
1451endif
1452if SPARC
1453source "arch/sparc/crypto/Kconfig"
1454endif
1455if X86
1456source "arch/x86/crypto/Kconfig"
1457endif
1458endif
1459
1460source "drivers/crypto/Kconfig"
1461source "crypto/asymmetric_keys/Kconfig"
1462source "certs/Kconfig"
1463
1464endif	# if CRYPTO