crypto/Kconfig at v6.15-rc2

tjh.dev / kernel
fork
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork
kernel / crypto / Kconfig
at v6.15-rc2 1466 lines 40 kB view raw
wrap content
   1# SPDX-License-Identifier: GPL-2.0
   2#
   3# Generic algorithms support
   4#
   5config XOR_BLOCKS
   6	tristate
   7
   8#
   9# async_tx api: hardware offloaded memory transfer/transform support
  10#
  11source "crypto/async_tx/Kconfig"
  12
  13#
  14# Cryptographic API Configuration
  15#
  16menuconfig CRYPTO
  17	tristate "Cryptographic API"
  18	select CRYPTO_LIB_UTILS
  19	help
  20	  This option provides the core Cryptographic API.
  21
  22if CRYPTO
  23
  24menu "Crypto core or helper"
  25
  26config CRYPTO_FIPS
  27	bool "FIPS 200 compliance"
  28	depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
  29	depends on (MODULE_SIG || !MODULES)
  30	help
  31	  This option enables the fips boot option which is
  32	  required if you want the system to operate in a FIPS 200
  33	  certification.  You should say no unless you know what
  34	  this is.
  35
  36config CRYPTO_FIPS_NAME
  37	string "FIPS Module Name"
  38	default "Linux Kernel Cryptographic API"
  39	depends on CRYPTO_FIPS
  40	help
  41	  This option sets the FIPS Module name reported by the Crypto API via
  42	  the /proc/sys/crypto/fips_name file.
  43
  44config CRYPTO_FIPS_CUSTOM_VERSION
  45	bool "Use Custom FIPS Module Version"
  46	depends on CRYPTO_FIPS
  47	default n
  48
  49config CRYPTO_FIPS_VERSION
  50	string "FIPS Module Version"
  51	default "(none)"
  52	depends on CRYPTO_FIPS_CUSTOM_VERSION
  53	help
  54	  This option provides the ability to override the FIPS Module Version.
  55	  By default the KERNELRELEASE value is used.
  56
  57config CRYPTO_ALGAPI
  58	tristate
  59	select CRYPTO_ALGAPI2
  60	help
  61	  This option provides the API for cryptographic algorithms.
  62
  63config CRYPTO_ALGAPI2
  64	tristate
  65
  66config CRYPTO_AEAD
  67	tristate
  68	select CRYPTO_AEAD2
  69	select CRYPTO_ALGAPI
  70
  71config CRYPTO_AEAD2
  72	tristate
  73	select CRYPTO_ALGAPI2
  74
  75config CRYPTO_SIG
  76	tristate
  77	select CRYPTO_SIG2
  78	select CRYPTO_ALGAPI
  79
  80config CRYPTO_SIG2
  81	tristate
  82	select CRYPTO_ALGAPI2
  83
  84config CRYPTO_SKCIPHER
  85	tristate
  86	select CRYPTO_SKCIPHER2
  87	select CRYPTO_ALGAPI
  88	select CRYPTO_ECB
  89
  90config CRYPTO_SKCIPHER2
  91	tristate
  92	select CRYPTO_ALGAPI2
  93
  94config CRYPTO_HASH
  95	tristate
  96	select CRYPTO_HASH2
  97	select CRYPTO_ALGAPI
  98
  99config CRYPTO_HASH2
 100	tristate
 101	select CRYPTO_ALGAPI2
 102
 103config CRYPTO_RNG
 104	tristate
 105	select CRYPTO_RNG2
 106	select CRYPTO_ALGAPI
 107
 108config CRYPTO_RNG2
 109	tristate
 110	select CRYPTO_ALGAPI2
 111
 112config CRYPTO_RNG_DEFAULT
 113	tristate
 114	select CRYPTO_DRBG_MENU
 115
 116config CRYPTO_AKCIPHER2
 117	tristate
 118	select CRYPTO_ALGAPI2
 119
 120config CRYPTO_AKCIPHER
 121	tristate
 122	select CRYPTO_AKCIPHER2
 123	select CRYPTO_ALGAPI
 124
 125config CRYPTO_KPP2
 126	tristate
 127	select CRYPTO_ALGAPI2
 128
 129config CRYPTO_KPP
 130	tristate
 131	select CRYPTO_ALGAPI
 132	select CRYPTO_KPP2
 133
 134config CRYPTO_ACOMP2
 135	tristate
 136	select CRYPTO_ALGAPI2
 137	select SGL_ALLOC
 138
 139config CRYPTO_ACOMP
 140	tristate
 141	select CRYPTO_ALGAPI
 142	select CRYPTO_ACOMP2
 143
 144config CRYPTO_HKDF
 145	tristate
 146	select CRYPTO_SHA256 if !CONFIG_CRYPTO_MANAGER_DISABLE_TESTS
 147	select CRYPTO_SHA512 if !CONFIG_CRYPTO_MANAGER_DISABLE_TESTS
 148	select CRYPTO_HASH2
 149
 150config CRYPTO_MANAGER
 151	tristate "Cryptographic algorithm manager"
 152	select CRYPTO_MANAGER2
 153	help
 154	  Create default cryptographic template instantiations such as
 155	  cbc(aes).
 156
 157config CRYPTO_MANAGER2
 158	def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
 159	select CRYPTO_ACOMP2
 160	select CRYPTO_AEAD2
 161	select CRYPTO_AKCIPHER2
 162	select CRYPTO_SIG2
 163	select CRYPTO_HASH2
 164	select CRYPTO_KPP2
 165	select CRYPTO_RNG2
 166	select CRYPTO_SKCIPHER2
 167
 168config CRYPTO_USER
 169	tristate "Userspace cryptographic algorithm configuration"
 170	depends on NET
 171	select CRYPTO_MANAGER
 172	help
 173	  Userspace configuration for cryptographic instantiations such as
 174	  cbc(aes).
 175
 176config CRYPTO_MANAGER_DISABLE_TESTS
 177	bool "Disable run-time self tests"
 178	default y
 179	help
 180	  Disable run-time self tests that normally take place at
 181	  algorithm registration.
 182
 183config CRYPTO_MANAGER_EXTRA_TESTS
 184	bool "Enable extra run-time crypto self tests"
 185	depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER
 186	help
 187	  Enable extra run-time self tests of registered crypto algorithms,
 188	  including randomized fuzz tests.
 189
 190	  This is intended for developer use only, as these tests take much
 191	  longer to run than the normal self tests.
 192
 193config CRYPTO_NULL
 194	tristate "Null algorithms"
 195	select CRYPTO_NULL2
 196	help
 197	  These are 'Null' algorithms, used by IPsec, which do nothing.
 198
 199config CRYPTO_NULL2
 200	tristate
 201	select CRYPTO_ALGAPI2
 202	select CRYPTO_SKCIPHER2
 203	select CRYPTO_HASH2
 204
 205config CRYPTO_PCRYPT
 206	tristate "Parallel crypto engine"
 207	depends on SMP
 208	select PADATA
 209	select CRYPTO_MANAGER
 210	select CRYPTO_AEAD
 211	help
 212	  This converts an arbitrary crypto algorithm into a parallel
 213	  algorithm that executes in kernel threads.
 214
 215config CRYPTO_CRYPTD
 216	tristate "Software async crypto daemon"
 217	select CRYPTO_SKCIPHER
 218	select CRYPTO_HASH
 219	select CRYPTO_MANAGER
 220	help
 221	  This is a generic software asynchronous crypto daemon that
 222	  converts an arbitrary synchronous software crypto algorithm
 223	  into an asynchronous algorithm that executes in a kernel thread.
 224
 225config CRYPTO_AUTHENC
 226	tristate "Authenc support"
 227	select CRYPTO_AEAD
 228	select CRYPTO_SKCIPHER
 229	select CRYPTO_MANAGER
 230	select CRYPTO_HASH
 231	select CRYPTO_NULL
 232	help
 233	  Authenc: Combined mode wrapper for IPsec.
 234
 235	  This is required for IPSec ESP (XFRM_ESP).
 236
 237config CRYPTO_KRB5ENC
 238	tristate "Kerberos 5 combined hash+cipher support"
 239	select CRYPTO_AEAD
 240	select CRYPTO_SKCIPHER
 241	select CRYPTO_MANAGER
 242	select CRYPTO_HASH
 243	select CRYPTO_NULL
 244	help
 245	  Combined hash and cipher support for Kerberos 5 RFC3961 simplified
 246	  profile.  This is required for Kerberos 5-style encryption, used by
 247	  sunrpc/NFS and rxrpc/AFS.
 248
 249config CRYPTO_TEST
 250	tristate "Testing module"
 251	depends on m || EXPERT
 252	select CRYPTO_MANAGER
 253	help
 254	  Quick & dirty crypto test module.
 255
 256config CRYPTO_SIMD
 257	tristate
 258	select CRYPTO_CRYPTD
 259
 260config CRYPTO_ENGINE
 261	tristate
 262
 263endmenu
 264
 265menu "Public-key cryptography"
 266
 267config CRYPTO_RSA
 268	tristate "RSA (Rivest-Shamir-Adleman)"
 269	select CRYPTO_AKCIPHER
 270	select CRYPTO_MANAGER
 271	select CRYPTO_SIG
 272	select MPILIB
 273	select ASN1
 274	help
 275	  RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017)
 276
 277config CRYPTO_DH
 278	tristate "DH (Diffie-Hellman)"
 279	select CRYPTO_KPP
 280	select MPILIB
 281	help
 282	  DH (Diffie-Hellman) key exchange algorithm
 283
 284config CRYPTO_DH_RFC7919_GROUPS
 285	bool "RFC 7919 FFDHE groups"
 286	depends on CRYPTO_DH
 287	select CRYPTO_RNG_DEFAULT
 288	help
 289	  FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups
 290	  defined in RFC7919.
 291
 292	  Support these finite-field groups in DH key exchanges:
 293	  - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
 294
 295	  If unsure, say N.
 296
 297config CRYPTO_ECC
 298	tristate
 299	select CRYPTO_RNG_DEFAULT
 300
 301config CRYPTO_ECDH
 302	tristate "ECDH (Elliptic Curve Diffie-Hellman)"
 303	select CRYPTO_ECC
 304	select CRYPTO_KPP
 305	help
 306	  ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm
 307	  using curves P-192, P-256, and P-384 (FIPS 186)
 308
 309config CRYPTO_ECDSA
 310	tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)"
 311	select CRYPTO_ECC
 312	select CRYPTO_SIG
 313	select ASN1
 314	help
 315	  ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186,
 316	  ISO/IEC 14888-3)
 317	  using curves P-192, P-256, P-384 and P-521
 318
 319	  Only signature verification is implemented.
 320
 321config CRYPTO_ECRDSA
 322	tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)"
 323	select CRYPTO_ECC
 324	select CRYPTO_SIG
 325	select CRYPTO_STREEBOG
 326	select OID_REGISTRY
 327	select ASN1
 328	help
 329	  Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
 330	  RFC 7091, ISO/IEC 14888-3)
 331
 332	  One of the Russian cryptographic standard algorithms (called GOST
 333	  algorithms). Only signature verification is implemented.
 334
 335config CRYPTO_CURVE25519
 336	tristate "Curve25519"
 337	select CRYPTO_KPP
 338	select CRYPTO_LIB_CURVE25519_GENERIC
 339	select CRYPTO_LIB_CURVE25519_INTERNAL
 340	help
 341	  Curve25519 elliptic curve (RFC7748)
 342
 343endmenu
 344
 345menu "Block ciphers"
 346
 347config CRYPTO_AES
 348	tristate "AES (Advanced Encryption Standard)"
 349	select CRYPTO_ALGAPI
 350	select CRYPTO_LIB_AES
 351	help
 352	  AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
 353
 354	  Rijndael appears to be consistently a very good performer in
 355	  both hardware and software across a wide range of computing
 356	  environments regardless of its use in feedback or non-feedback
 357	  modes. Its key setup time is excellent, and its key agility is
 358	  good. Rijndael's very low memory requirements make it very well
 359	  suited for restricted-space environments, in which it also
 360	  demonstrates excellent performance. Rijndael's operations are
 361	  among the easiest to defend against power and timing attacks.
 362
 363	  The AES specifies three key sizes: 128, 192 and 256 bits
 364
 365config CRYPTO_AES_TI
 366	tristate "AES (Advanced Encryption Standard) (fixed time)"
 367	select CRYPTO_ALGAPI
 368	select CRYPTO_LIB_AES
 369	help
 370	  AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
 371
 372	  This is a generic implementation of AES that attempts to eliminate
 373	  data dependent latencies as much as possible without affecting
 374	  performance too much. It is intended for use by the generic CCM
 375	  and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
 376	  solely on encryption (although decryption is supported as well, but
 377	  with a more dramatic performance hit)
 378
 379	  Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
 380	  8 for decryption), this implementation only uses just two S-boxes of
 381	  256 bytes each, and attempts to eliminate data dependent latencies by
 382	  prefetching the entire table into the cache at the start of each
 383	  block. Interrupts are also disabled to avoid races where cachelines
 384	  are evicted when the CPU is interrupted to do something else.
 385
 386config CRYPTO_ANUBIS
 387	tristate "Anubis"
 388	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
 389	select CRYPTO_ALGAPI
 390	help
 391	  Anubis cipher algorithm
 392
 393	  Anubis is a variable key length cipher which can use keys from
 394	  128 bits to 320 bits in length.  It was evaluated as a entrant
 395	  in the NESSIE competition.
 396
 397	  See https://web.archive.org/web/20160606112246/http://www.larc.usp.br/~pbarreto/AnubisPage.html
 398	  for further information.
 399
 400config CRYPTO_ARIA
 401	tristate "ARIA"
 402	select CRYPTO_ALGAPI
 403	help
 404	  ARIA cipher algorithm (RFC5794)
 405
 406	  ARIA is a standard encryption algorithm of the Republic of Korea.
 407	  The ARIA specifies three key sizes and rounds.
 408	  128-bit: 12 rounds.
 409	  192-bit: 14 rounds.
 410	  256-bit: 16 rounds.
 411
 412	  See:
 413	  https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do
 414
 415config CRYPTO_BLOWFISH
 416	tristate "Blowfish"
 417	select CRYPTO_ALGAPI
 418	select CRYPTO_BLOWFISH_COMMON
 419	help
 420	  Blowfish cipher algorithm, by Bruce Schneier
 421
 422	  This is a variable key length cipher which can use keys from 32
 423	  bits to 448 bits in length.  It's fast, simple and specifically
 424	  designed for use on "large microprocessors".
 425
 426	  See https://www.schneier.com/blowfish.html for further information.
 427
 428config CRYPTO_BLOWFISH_COMMON
 429	tristate
 430	help
 431	  Common parts of the Blowfish cipher algorithm shared by the
 432	  generic c and the assembler implementations.
 433
 434config CRYPTO_CAMELLIA
 435	tristate "Camellia"
 436	select CRYPTO_ALGAPI
 437	help
 438	  Camellia cipher algorithms (ISO/IEC 18033-3)
 439
 440	  Camellia is a symmetric key block cipher developed jointly
 441	  at NTT and Mitsubishi Electric Corporation.
 442
 443	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
 444
 445	  See https://info.isl.ntt.co.jp/crypt/eng/camellia/ for further information.
 446
 447config CRYPTO_CAST_COMMON
 448	tristate
 449	help
 450	  Common parts of the CAST cipher algorithms shared by the
 451	  generic c and the assembler implementations.
 452
 453config CRYPTO_CAST5
 454	tristate "CAST5 (CAST-128)"
 455	select CRYPTO_ALGAPI
 456	select CRYPTO_CAST_COMMON
 457	help
 458	  CAST5 (CAST-128) cipher algorithm (RFC2144, ISO/IEC 18033-3)
 459
 460config CRYPTO_CAST6
 461	tristate "CAST6 (CAST-256)"
 462	select CRYPTO_ALGAPI
 463	select CRYPTO_CAST_COMMON
 464	help
 465	  CAST6 (CAST-256) encryption algorithm (RFC2612)
 466
 467config CRYPTO_DES
 468	tristate "DES and Triple DES EDE"
 469	select CRYPTO_ALGAPI
 470	select CRYPTO_LIB_DES
 471	help
 472	  DES (Data Encryption Standard)(FIPS 46-2, ISO/IEC 18033-3) and
 473	  Triple DES EDE (Encrypt/Decrypt/Encrypt) (FIPS 46-3, ISO/IEC 18033-3)
 474	  cipher algorithms
 475
 476config CRYPTO_FCRYPT
 477	tristate "FCrypt"
 478	select CRYPTO_ALGAPI
 479	select CRYPTO_SKCIPHER
 480	help
 481	  FCrypt algorithm used by RxRPC
 482
 483	  See https://ota.polyonymo.us/fcrypt-paper.txt
 484
 485config CRYPTO_KHAZAD
 486	tristate "Khazad"
 487	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
 488	select CRYPTO_ALGAPI
 489	help
 490	  Khazad cipher algorithm
 491
 492	  Khazad was a finalist in the initial NESSIE competition.  It is
 493	  an algorithm optimized for 64-bit processors with good performance
 494	  on 32-bit processors.  Khazad uses an 128 bit key size.
 495
 496	  See https://web.archive.org/web/20171011071731/http://www.larc.usp.br/~pbarreto/KhazadPage.html
 497	  for further information.
 498
 499config CRYPTO_SEED
 500	tristate "SEED"
 501	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
 502	select CRYPTO_ALGAPI
 503	help
 504	  SEED cipher algorithm (RFC4269, ISO/IEC 18033-3)
 505
 506	  SEED is a 128-bit symmetric key block cipher that has been
 507	  developed by KISA (Korea Information Security Agency) as a
 508	  national standard encryption algorithm of the Republic of Korea.
 509	  It is a 16 round block cipher with the key size of 128 bit.
 510
 511	  See https://seed.kisa.or.kr/kisa/algorithm/EgovSeedInfo.do
 512	  for further information.
 513
 514config CRYPTO_SERPENT
 515	tristate "Serpent"
 516	select CRYPTO_ALGAPI
 517	help
 518	  Serpent cipher algorithm, by Anderson, Biham & Knudsen
 519
 520	  Keys are allowed to be from 0 to 256 bits in length, in steps
 521	  of 8 bits.
 522
 523	  See https://www.cl.cam.ac.uk/~rja14/serpent.html for further information.
 524
 525config CRYPTO_SM4
 526	tristate
 527
 528config CRYPTO_SM4_GENERIC
 529	tristate "SM4 (ShangMi 4)"
 530	select CRYPTO_ALGAPI
 531	select CRYPTO_SM4
 532	help
 533	  SM4 cipher algorithms (OSCCA GB/T 32907-2016,
 534	  ISO/IEC 18033-3:2010/Amd 1:2021)
 535
 536	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
 537	  Organization of State Commercial Administration of China (OSCCA)
 538	  as an authorized cryptographic algorithms for the use within China.
 539
 540	  SMS4 was originally created for use in protecting wireless
 541	  networks, and is mandated in the Chinese National Standard for
 542	  Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
 543	  (GB.15629.11-2003).
 544
 545	  The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
 546	  standardized through TC 260 of the Standardization Administration
 547	  of the People's Republic of China (SAC).
 548
 549	  The input, output, and key of SMS4 are each 128 bits.
 550
 551	  See https://eprint.iacr.org/2008/329.pdf for further information.
 552
 553	  If unsure, say N.
 554
 555config CRYPTO_TEA
 556	tristate "TEA, XTEA and XETA"
 557	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
 558	select CRYPTO_ALGAPI
 559	help
 560	  TEA (Tiny Encryption Algorithm) cipher algorithms
 561
 562	  Tiny Encryption Algorithm is a simple cipher that uses
 563	  many rounds for security.  It is very fast and uses
 564	  little memory.
 565
 566	  Xtendend Tiny Encryption Algorithm is a modification to
 567	  the TEA algorithm to address a potential key weakness
 568	  in the TEA algorithm.
 569
 570	  Xtendend Encryption Tiny Algorithm is a mis-implementation
 571	  of the XTEA algorithm for compatibility purposes.
 572
 573config CRYPTO_TWOFISH
 574	tristate "Twofish"
 575	select CRYPTO_ALGAPI
 576	select CRYPTO_TWOFISH_COMMON
 577	help
 578	  Twofish cipher algorithm
 579
 580	  Twofish was submitted as an AES (Advanced Encryption Standard)
 581	  candidate cipher by researchers at CounterPane Systems.  It is a
 582	  16 round block cipher supporting key sizes of 128, 192, and 256
 583	  bits.
 584
 585	  See https://www.schneier.com/twofish.html for further information.
 586
 587config CRYPTO_TWOFISH_COMMON
 588	tristate
 589	help
 590	  Common parts of the Twofish cipher algorithm shared by the
 591	  generic c and the assembler implementations.
 592
 593endmenu
 594
 595menu "Length-preserving ciphers and modes"
 596
 597config CRYPTO_ADIANTUM
 598	tristate "Adiantum"
 599	select CRYPTO_CHACHA20
 600	select CRYPTO_LIB_POLY1305_GENERIC
 601	select CRYPTO_NHPOLY1305
 602	select CRYPTO_MANAGER
 603	help
 604	  Adiantum tweakable, length-preserving encryption mode
 605
 606	  Designed for fast and secure disk encryption, especially on
 607	  CPUs without dedicated crypto instructions.  It encrypts
 608	  each sector using the XChaCha12 stream cipher, two passes of
 609	  an ε-almost-∆-universal hash function, and an invocation of
 610	  the AES-256 block cipher on a single 16-byte block.  On CPUs
 611	  without AES instructions, Adiantum is much faster than
 612	  AES-XTS.
 613
 614	  Adiantum's security is provably reducible to that of its
 615	  underlying stream and block ciphers, subject to a security
 616	  bound.  Unlike XTS, Adiantum is a true wide-block encryption
 617	  mode, so it actually provides an even stronger notion of
 618	  security than XTS, subject to the security bound.
 619
 620	  If unsure, say N.
 621
 622config CRYPTO_ARC4
 623	tristate "ARC4 (Alleged Rivest Cipher 4)"
 624	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
 625	select CRYPTO_SKCIPHER
 626	select CRYPTO_LIB_ARC4
 627	help
 628	  ARC4 cipher algorithm
 629
 630	  ARC4 is a stream cipher using keys ranging from 8 bits to 2048
 631	  bits in length.  This algorithm is required for driver-based
 632	  WEP, but it should not be for other purposes because of the
 633	  weakness of the algorithm.
 634
 635config CRYPTO_CHACHA20
 636	tristate "ChaCha"
 637	select CRYPTO_LIB_CHACHA_GENERIC
 638	select CRYPTO_LIB_CHACHA_INTERNAL
 639	select CRYPTO_SKCIPHER
 640	help
 641	  The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms
 642
 643	  ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
 644	  Bernstein and further specified in RFC7539 for use in IETF protocols.
 645	  This is the portable C implementation of ChaCha20.  See
 646	  https://cr.yp.to/chacha/chacha-20080128.pdf for further information.
 647
 648	  XChaCha20 is the application of the XSalsa20 construction to ChaCha20
 649	  rather than to Salsa20.  XChaCha20 extends ChaCha20's nonce length
 650	  from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
 651	  while provably retaining ChaCha20's security.  See
 652	  https://cr.yp.to/snuffle/xsalsa-20081128.pdf for further information.
 653
 654	  XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
 655	  reduced security margin but increased performance.  It can be needed
 656	  in some performance-sensitive scenarios.
 657
 658config CRYPTO_CBC
 659	tristate "CBC (Cipher Block Chaining)"
 660	select CRYPTO_SKCIPHER
 661	select CRYPTO_MANAGER
 662	help
 663	  CBC (Cipher Block Chaining) mode (NIST SP800-38A)
 664
 665	  This block cipher mode is required for IPSec ESP (XFRM_ESP).
 666
 667config CRYPTO_CTR
 668	tristate "CTR (Counter)"
 669	select CRYPTO_SKCIPHER
 670	select CRYPTO_MANAGER
 671	help
 672	  CTR (Counter) mode (NIST SP800-38A)
 673
 674config CRYPTO_CTS
 675	tristate "CTS (Cipher Text Stealing)"
 676	select CRYPTO_SKCIPHER
 677	select CRYPTO_MANAGER
 678	help
 679	  CBC-CS3 variant of CTS (Cipher Text Stealing) (NIST
 680	  Addendum to SP800-38A (October 2010))
 681
 682	  This mode is required for Kerberos gss mechanism support
 683	  for AES encryption.
 684
 685config CRYPTO_ECB
 686	tristate "ECB (Electronic Codebook)"
 687	select CRYPTO_SKCIPHER2
 688	select CRYPTO_MANAGER
 689	help
 690	  ECB (Electronic Codebook) mode (NIST SP800-38A)
 691
 692config CRYPTO_HCTR2
 693	tristate "HCTR2"
 694	select CRYPTO_XCTR
 695	select CRYPTO_POLYVAL
 696	select CRYPTO_MANAGER
 697	help
 698	  HCTR2 length-preserving encryption mode
 699
 700	  A mode for storage encryption that is efficient on processors with
 701	  instructions to accelerate AES and carryless multiplication, e.g.
 702	  x86 processors with AES-NI and CLMUL, and ARM processors with the
 703	  ARMv8 crypto extensions.
 704
 705	  See https://eprint.iacr.org/2021/1441
 706
 707config CRYPTO_LRW
 708	tristate "LRW (Liskov Rivest Wagner)"
 709	select CRYPTO_LIB_GF128MUL
 710	select CRYPTO_SKCIPHER
 711	select CRYPTO_MANAGER
 712	select CRYPTO_ECB
 713	help
 714	  LRW (Liskov Rivest Wagner) mode
 715
 716	  A tweakable, non malleable, non movable
 717	  narrow block cipher mode for dm-crypt.  Use it with cipher
 718	  specification string aes-lrw-benbi, the key must be 256, 320 or 384.
 719	  The first 128, 192 or 256 bits in the key are used for AES and the
 720	  rest is used to tie each cipher block to its logical position.
 721
 722	  See https://people.csail.mit.edu/rivest/pubs/LRW02.pdf
 723
 724config CRYPTO_PCBC
 725	tristate "PCBC (Propagating Cipher Block Chaining)"
 726	select CRYPTO_SKCIPHER
 727	select CRYPTO_MANAGER
 728	help
 729	  PCBC (Propagating Cipher Block Chaining) mode
 730
 731	  This block cipher mode is required for RxRPC.
 732
 733config CRYPTO_XCTR
 734	tristate
 735	select CRYPTO_SKCIPHER
 736	select CRYPTO_MANAGER
 737	help
 738	  XCTR (XOR Counter) mode for HCTR2
 739
 740	  This blockcipher mode is a variant of CTR mode using XORs and little-endian
 741	  addition rather than big-endian arithmetic.
 742
 743	  XCTR mode is used to implement HCTR2.
 744
 745config CRYPTO_XTS
 746	tristate "XTS (XOR Encrypt XOR with ciphertext stealing)"
 747	select CRYPTO_SKCIPHER
 748	select CRYPTO_MANAGER
 749	select CRYPTO_ECB
 750	help
 751	  XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
 752	  and IEEE 1619)
 753
 754	  Use with aes-xts-plain, key size 256, 384 or 512 bits. This
 755	  implementation currently can't handle a sectorsize which is not a
 756	  multiple of 16 bytes.
 757
 758config CRYPTO_NHPOLY1305
 759	tristate
 760	select CRYPTO_HASH
 761	select CRYPTO_LIB_POLY1305_GENERIC
 762
 763endmenu
 764
 765menu "AEAD (authenticated encryption with associated data) ciphers"
 766
 767config CRYPTO_AEGIS128
 768	tristate "AEGIS-128"
 769	select CRYPTO_AEAD
 770	select CRYPTO_AES  # for AES S-box tables
 771	help
 772	  AEGIS-128 AEAD algorithm
 773
 774config CRYPTO_AEGIS128_SIMD
 775	bool "AEGIS-128 (arm NEON, arm64 NEON)"
 776	depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
 777	default y
 778	help
 779	  AEGIS-128 AEAD algorithm
 780
 781	  Architecture: arm or arm64 using:
 782	  - NEON (Advanced SIMD) extension
 783
 784config CRYPTO_CHACHA20POLY1305
 785	tristate "ChaCha20-Poly1305"
 786	select CRYPTO_CHACHA20
 787	select CRYPTO_POLY1305
 788	select CRYPTO_AEAD
 789	select CRYPTO_MANAGER
 790	help
 791	  ChaCha20 stream cipher and Poly1305 authenticator combined
 792	  mode (RFC8439)
 793
 794config CRYPTO_CCM
 795	tristate "CCM (Counter with Cipher Block Chaining-MAC)"
 796	select CRYPTO_CTR
 797	select CRYPTO_HASH
 798	select CRYPTO_AEAD
 799	select CRYPTO_MANAGER
 800	help
 801	  CCM (Counter with Cipher Block Chaining-Message Authentication Code)
 802	  authenticated encryption mode (NIST SP800-38C)
 803
 804config CRYPTO_GCM
 805	tristate "GCM (Galois/Counter Mode) and GMAC (GCM MAC)"
 806	select CRYPTO_CTR
 807	select CRYPTO_AEAD
 808	select CRYPTO_GHASH
 809	select CRYPTO_NULL
 810	select CRYPTO_MANAGER
 811	help
 812	  GCM (Galois/Counter Mode) authenticated encryption mode and GMAC
 813	  (GCM Message Authentication Code) (NIST SP800-38D)
 814
 815	  This is required for IPSec ESP (XFRM_ESP).
 816
 817config CRYPTO_GENIV
 818	tristate
 819	select CRYPTO_AEAD
 820	select CRYPTO_NULL
 821	select CRYPTO_MANAGER
 822	select CRYPTO_RNG_DEFAULT
 823
 824config CRYPTO_SEQIV
 825	tristate "Sequence Number IV Generator"
 826	select CRYPTO_GENIV
 827	help
 828	  Sequence Number IV generator
 829
 830	  This IV generator generates an IV based on a sequence number by
 831	  xoring it with a salt.  This algorithm is mainly useful for CTR.
 832
 833	  This is required for IPsec ESP (XFRM_ESP).
 834
 835config CRYPTO_ECHAINIV
 836	tristate "Encrypted Chain IV Generator"
 837	select CRYPTO_GENIV
 838	help
 839	  Encrypted Chain IV generator
 840
 841	  This IV generator generates an IV based on the encryption of
 842	  a sequence number xored with a salt.  This is the default
 843	  algorithm for CBC.
 844
 845config CRYPTO_ESSIV
 846	tristate "Encrypted Salt-Sector IV Generator"
 847	select CRYPTO_AUTHENC
 848	help
 849	  Encrypted Salt-Sector IV generator
 850
 851	  This IV generator is used in some cases by fscrypt and/or
 852	  dm-crypt. It uses the hash of the block encryption key as the
 853	  symmetric key for a block encryption pass applied to the input
 854	  IV, making low entropy IV sources more suitable for block
 855	  encryption.
 856
 857	  This driver implements a crypto API template that can be
 858	  instantiated either as an skcipher or as an AEAD (depending on the
 859	  type of the first template argument), and which defers encryption
 860	  and decryption requests to the encapsulated cipher after applying
 861	  ESSIV to the input IV. Note that in the AEAD case, it is assumed
 862	  that the keys are presented in the same format used by the authenc
 863	  template, and that the IV appears at the end of the authenticated
 864	  associated data (AAD) region (which is how dm-crypt uses it.)
 865
 866	  Note that the use of ESSIV is not recommended for new deployments,
 867	  and so this only needs to be enabled when interoperability with
 868	  existing encrypted volumes of filesystems is required, or when
 869	  building for a particular system that requires it (e.g., when
 870	  the SoC in question has accelerated CBC but not XTS, making CBC
 871	  combined with ESSIV the only feasible mode for h/w accelerated
 872	  block encryption)
 873
 874endmenu
 875
 876menu "Hashes, digests, and MACs"
 877
 878config CRYPTO_BLAKE2B
 879	tristate "BLAKE2b"
 880	select CRYPTO_HASH
 881	help
 882	  BLAKE2b cryptographic hash function (RFC 7693)
 883
 884	  BLAKE2b is optimized for 64-bit platforms and can produce digests
 885	  of any size between 1 and 64 bytes. The keyed hash is also implemented.
 886
 887	  This module provides the following algorithms:
 888	  - blake2b-160
 889	  - blake2b-256
 890	  - blake2b-384
 891	  - blake2b-512
 892
 893	  Used by the btrfs filesystem.
 894
 895	  See https://blake2.net for further information.
 896
 897config CRYPTO_CMAC
 898	tristate "CMAC (Cipher-based MAC)"
 899	select CRYPTO_HASH
 900	select CRYPTO_MANAGER
 901	help
 902	  CMAC (Cipher-based Message Authentication Code) authentication
 903	  mode (NIST SP800-38B and IETF RFC4493)
 904
 905config CRYPTO_GHASH
 906	tristate "GHASH"
 907	select CRYPTO_HASH
 908	select CRYPTO_LIB_GF128MUL
 909	help
 910	  GCM GHASH function (NIST SP800-38D)
 911
 912config CRYPTO_HMAC
 913	tristate "HMAC (Keyed-Hash MAC)"
 914	select CRYPTO_HASH
 915	select CRYPTO_MANAGER
 916	help
 917	  HMAC (Keyed-Hash Message Authentication Code) (FIPS 198 and
 918	  RFC2104)
 919
 920	  This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
 921
 922config CRYPTO_MD4
 923	tristate "MD4"
 924	select CRYPTO_HASH
 925	help
 926	  MD4 message digest algorithm (RFC1320)
 927
 928config CRYPTO_MD5
 929	tristate "MD5"
 930	select CRYPTO_HASH
 931	help
 932	  MD5 message digest algorithm (RFC1321)
 933
 934config CRYPTO_MICHAEL_MIC
 935	tristate "Michael MIC"
 936	select CRYPTO_HASH
 937	help
 938	  Michael MIC (Message Integrity Code) (IEEE 802.11i)
 939
 940	  Defined by the IEEE 802.11i TKIP (Temporal Key Integrity Protocol),
 941	  known as WPA (Wif-Fi Protected Access).
 942
 943	  This algorithm is required for TKIP, but it should not be used for
 944	  other purposes because of the weakness of the algorithm.
 945
 946config CRYPTO_POLYVAL
 947	tristate
 948	select CRYPTO_HASH
 949	select CRYPTO_LIB_GF128MUL
 950	help
 951	  POLYVAL hash function for HCTR2
 952
 953	  This is used in HCTR2.  It is not a general-purpose
 954	  cryptographic hash function.
 955
 956config CRYPTO_POLY1305
 957	tristate "Poly1305"
 958	select CRYPTO_HASH
 959	select CRYPTO_LIB_POLY1305_GENERIC
 960	select CRYPTO_LIB_POLY1305_INTERNAL
 961	help
 962	  Poly1305 authenticator algorithm (RFC7539)
 963
 964	  Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
 965	  It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
 966	  in IETF protocols. This is the portable C implementation of Poly1305.
 967
 968config CRYPTO_RMD160
 969	tristate "RIPEMD-160"
 970	select CRYPTO_HASH
 971	help
 972	  RIPEMD-160 hash function (ISO/IEC 10118-3)
 973
 974	  RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
 975	  to be used as a secure replacement for the 128-bit hash functions
 976	  MD4, MD5 and its predecessor RIPEMD
 977	  (not to be confused with RIPEMD-128).
 978
 979	  Its speed is comparable to SHA-1 and there are no known attacks
 980	  against RIPEMD-160.
 981
 982	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
 983	  See https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
 984	  for further information.
 985
 986config CRYPTO_SHA1
 987	tristate "SHA-1"
 988	select CRYPTO_HASH
 989	select CRYPTO_LIB_SHA1
 990	help
 991	  SHA-1 secure hash algorithm (FIPS 180, ISO/IEC 10118-3)
 992
 993config CRYPTO_SHA256
 994	tristate "SHA-224 and SHA-256"
 995	select CRYPTO_HASH
 996	select CRYPTO_LIB_SHA256
 997	help
 998	  SHA-224 and SHA-256 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
 999
1000	  This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
1001	  Used by the btrfs filesystem, Ceph, NFS, and SMB.
1002
1003config CRYPTO_SHA512
1004	tristate "SHA-384 and SHA-512"
1005	select CRYPTO_HASH
1006	help
1007	  SHA-384 and SHA-512 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
1008
1009config CRYPTO_SHA3
1010	tristate "SHA-3"
1011	select CRYPTO_HASH
1012	help
1013	  SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3)
1014
1015config CRYPTO_SM3
1016	tristate
1017
1018config CRYPTO_SM3_GENERIC
1019	tristate "SM3 (ShangMi 3)"
1020	select CRYPTO_HASH
1021	select CRYPTO_SM3
1022	help
1023	  SM3 (ShangMi 3) secure hash function (OSCCA GM/T 0004-2012, ISO/IEC 10118-3)
1024
1025	  This is part of the Chinese Commercial Cryptography suite.
1026
1027	  References:
1028	  http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
1029	  https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
1030
1031config CRYPTO_STREEBOG
1032	tristate "Streebog"
1033	select CRYPTO_HASH
1034	help
1035	  Streebog Hash Function (GOST R 34.11-2012, RFC 6986, ISO/IEC 10118-3)
1036
1037	  This is one of the Russian cryptographic standard algorithms (called
1038	  GOST algorithms). This setting enables two hash algorithms with
1039	  256 and 512 bits output.
1040
1041	  References:
1042	  https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1043	  https://tools.ietf.org/html/rfc6986
1044
1045config CRYPTO_WP512
1046	tristate "Whirlpool"
1047	select CRYPTO_HASH
1048	help
1049	  Whirlpool hash function (ISO/IEC 10118-3)
1050
1051	  512, 384 and 256-bit hashes.
1052
1053	  Whirlpool-512 is part of the NESSIE cryptographic primitives.
1054
1055	  See https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
1056	  for further information.
1057
1058config CRYPTO_XCBC
1059	tristate "XCBC-MAC (Extended Cipher Block Chaining MAC)"
1060	select CRYPTO_HASH
1061	select CRYPTO_MANAGER
1062	help
1063	  XCBC-MAC (Extended Cipher Block Chaining Message Authentication
1064	  Code) (RFC3566)
1065
1066config CRYPTO_XXHASH
1067	tristate "xxHash"
1068	select CRYPTO_HASH
1069	select XXHASH
1070	help
1071	  xxHash non-cryptographic hash algorithm
1072
1073	  Extremely fast, working at speeds close to RAM limits.
1074
1075	  Used by the btrfs filesystem.
1076
1077endmenu
1078
1079menu "CRCs (cyclic redundancy checks)"
1080
1081config CRYPTO_CRC32C
1082	tristate "CRC32c"
1083	select CRYPTO_HASH
1084	select CRC32
1085	help
1086	  CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720)
1087
1088	  A 32-bit CRC (cyclic redundancy check) with a polynomial defined
1089	  by G. Castagnoli, S. Braeuer and M. Herrman in "Optimization of Cyclic
1090	  Redundancy-Check Codes with 24 and 32 Parity Bits", IEEE Transactions
1091	  on Communications, Vol. 41, No. 6, June 1993, selected for use with
1092	  iSCSI.
1093
1094	  Used by btrfs, ext4, jbd2, NVMeoF/TCP, and iSCSI.
1095
1096config CRYPTO_CRC32
1097	tristate "CRC32"
1098	select CRYPTO_HASH
1099	select CRC32
1100	help
1101	  CRC32 CRC algorithm (IEEE 802.3)
1102
1103	  Used by RoCEv2 and f2fs.
1104
1105endmenu
1106
1107menu "Compression"
1108
1109config CRYPTO_DEFLATE
1110	tristate "Deflate"
1111	select CRYPTO_ALGAPI
1112	select CRYPTO_ACOMP2
1113	select ZLIB_INFLATE
1114	select ZLIB_DEFLATE
1115	help
1116	  Deflate compression algorithm (RFC1951)
1117
1118	  Used by IPSec with the IPCOMP protocol (RFC3173, RFC2394)
1119
1120config CRYPTO_LZO
1121	tristate "LZO"
1122	select CRYPTO_ALGAPI
1123	select CRYPTO_ACOMP2
1124	select LZO_COMPRESS
1125	select LZO_DECOMPRESS
1126	help
1127	  LZO compression algorithm
1128
1129	  See https://www.oberhumer.com/opensource/lzo/ for further information.
1130
1131config CRYPTO_842
1132	tristate "842"
1133	select CRYPTO_ALGAPI
1134	select CRYPTO_ACOMP2
1135	select 842_COMPRESS
1136	select 842_DECOMPRESS
1137	help
1138	  842 compression algorithm by IBM
1139
1140	  See https://github.com/plauth/lib842 for further information.
1141
1142config CRYPTO_LZ4
1143	tristate "LZ4"
1144	select CRYPTO_ALGAPI
1145	select CRYPTO_ACOMP2
1146	select LZ4_COMPRESS
1147	select LZ4_DECOMPRESS
1148	help
1149	  LZ4 compression algorithm
1150
1151	  See https://github.com/lz4/lz4 for further information.
1152
1153config CRYPTO_LZ4HC
1154	tristate "LZ4HC"
1155	select CRYPTO_ALGAPI
1156	select CRYPTO_ACOMP2
1157	select LZ4HC_COMPRESS
1158	select LZ4_DECOMPRESS
1159	help
1160	  LZ4 high compression mode algorithm
1161
1162	  See https://github.com/lz4/lz4 for further information.
1163
1164config CRYPTO_ZSTD
1165	tristate "Zstd"
1166	select CRYPTO_ALGAPI
1167	select CRYPTO_ACOMP2
1168	select ZSTD_COMPRESS
1169	select ZSTD_DECOMPRESS
1170	help
1171	  zstd compression algorithm
1172
1173	  See https://github.com/facebook/zstd for further information.
1174
1175endmenu
1176
1177menu "Random number generation"
1178
1179config CRYPTO_ANSI_CPRNG
1180	tristate "ANSI PRNG (Pseudo Random Number Generator)"
1181	select CRYPTO_AES
1182	select CRYPTO_RNG
1183	help
1184	  Pseudo RNG (random number generator) (ANSI X9.31 Appendix A.2.4)
1185
1186	  This uses the AES cipher algorithm.
1187
1188	  Note that this option must be enabled if CRYPTO_FIPS is selected
1189
1190menuconfig CRYPTO_DRBG_MENU
1191	tristate "NIST SP800-90A DRBG (Deterministic Random Bit Generator)"
1192	help
1193	  DRBG (Deterministic Random Bit Generator) (NIST SP800-90A)
1194
1195	  In the following submenu, one or more of the DRBG types must be selected.
1196
1197if CRYPTO_DRBG_MENU
1198
1199config CRYPTO_DRBG_HMAC
1200	bool
1201	default y
1202	select CRYPTO_HMAC
1203	select CRYPTO_SHA512
1204
1205config CRYPTO_DRBG_HASH
1206	bool "Hash_DRBG"
1207	select CRYPTO_SHA256
1208	help
1209	  Hash_DRBG variant as defined in NIST SP800-90A.
1210
1211	  This uses the SHA-1, SHA-256, SHA-384, or SHA-512 hash algorithms.
1212
1213config CRYPTO_DRBG_CTR
1214	bool "CTR_DRBG"
1215	select CRYPTO_AES
1216	select CRYPTO_CTR
1217	help
1218	  CTR_DRBG variant as defined in NIST SP800-90A.
1219
1220	  This uses the AES cipher algorithm with the counter block mode.
1221
1222config CRYPTO_DRBG
1223	tristate
1224	default CRYPTO_DRBG_MENU
1225	select CRYPTO_RNG
1226	select CRYPTO_JITTERENTROPY
1227
1228endif	# if CRYPTO_DRBG_MENU
1229
1230config CRYPTO_JITTERENTROPY
1231	tristate "CPU Jitter Non-Deterministic RNG (Random Number Generator)"
1232	select CRYPTO_RNG
1233	select CRYPTO_SHA3
1234	help
1235	  CPU Jitter RNG (Random Number Generator) from the Jitterentropy library
1236
1237	  A non-physical non-deterministic ("true") RNG (e.g., an entropy source
1238	  compliant with NIST SP800-90B) intended to provide a seed to a
1239	  deterministic RNG (e.g., per NIST SP800-90C).
1240	  This RNG does not perform any cryptographic whitening of the generated
1241	  random numbers.
1242
1243	  See https://www.chronox.de/jent/
1244
1245if CRYPTO_JITTERENTROPY
1246if CRYPTO_FIPS && EXPERT
1247
1248choice
1249	prompt "CPU Jitter RNG Memory Size"
1250	default CRYPTO_JITTERENTROPY_MEMSIZE_2
1251	help
1252	  The Jitter RNG measures the execution time of memory accesses.
1253	  Multiple consecutive memory accesses are performed. If the memory
1254	  size fits into a cache (e.g. L1), only the memory access timing
1255	  to that cache is measured. The closer the cache is to the CPU
1256	  the less variations are measured and thus the less entropy is
1257	  obtained. Thus, if the memory size fits into the L1 cache, the
1258	  obtained entropy is less than if the memory size fits within
1259	  L1 + L2, which in turn is less if the memory fits into
1260	  L1 + L2 + L3. Thus, by selecting a different memory size,
1261	  the entropy rate produced by the Jitter RNG can be modified.
1262
1263	config CRYPTO_JITTERENTROPY_MEMSIZE_2
1264		bool "2048 Bytes (default)"
1265
1266	config CRYPTO_JITTERENTROPY_MEMSIZE_128
1267		bool "128 kBytes"
1268
1269	config CRYPTO_JITTERENTROPY_MEMSIZE_1024
1270		bool "1024 kBytes"
1271
1272	config CRYPTO_JITTERENTROPY_MEMSIZE_8192
1273		bool "8192 kBytes"
1274endchoice
1275
1276config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
1277	int
1278	default 64 if CRYPTO_JITTERENTROPY_MEMSIZE_2
1279	default 512 if CRYPTO_JITTERENTROPY_MEMSIZE_128
1280	default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
1281	default 4096 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
1282
1283config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
1284	int
1285	default 32 if CRYPTO_JITTERENTROPY_MEMSIZE_2
1286	default 256 if CRYPTO_JITTERENTROPY_MEMSIZE_128
1287	default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
1288	default 2048 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
1289
1290config CRYPTO_JITTERENTROPY_OSR
1291	int "CPU Jitter RNG Oversampling Rate"
1292	range 1 15
1293	default 3
1294	help
1295	  The Jitter RNG allows the specification of an oversampling rate (OSR).
1296	  The Jitter RNG operation requires a fixed amount of timing
1297	  measurements to produce one output block of random numbers. The
1298	  OSR value is multiplied with the amount of timing measurements to
1299	  generate one output block. Thus, the timing measurement is oversampled
1300	  by the OSR factor. The oversampling allows the Jitter RNG to operate
1301	  on hardware whose timers deliver limited amount of entropy (e.g.
1302	  the timer is coarse) by setting the OSR to a higher value. The
1303	  trade-off, however, is that the Jitter RNG now requires more time
1304	  to generate random numbers.
1305
1306config CRYPTO_JITTERENTROPY_TESTINTERFACE
1307	bool "CPU Jitter RNG Test Interface"
1308	help
1309	  The test interface allows a privileged process to capture
1310	  the raw unconditioned high resolution time stamp noise that
1311	  is collected by the Jitter RNG for statistical analysis. As
1312	  this data is used at the same time to generate random bits,
1313	  the Jitter RNG operates in an insecure mode as long as the
1314	  recording is enabled. This interface therefore is only
1315	  intended for testing purposes and is not suitable for
1316	  production systems.
1317
1318	  The raw noise data can be obtained using the jent_raw_hires
1319	  debugfs file. Using the option
1320	  jitterentropy_testing.boot_raw_hires_test=1 the raw noise of
1321	  the first 1000 entropy events since boot can be sampled.
1322
1323	  If unsure, select N.
1324
1325endif	# if CRYPTO_FIPS && EXPERT
1326
1327if !(CRYPTO_FIPS && EXPERT)
1328
1329config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
1330	int
1331	default 64
1332
1333config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
1334	int
1335	default 32
1336
1337config CRYPTO_JITTERENTROPY_OSR
1338	int
1339	default 1
1340
1341config CRYPTO_JITTERENTROPY_TESTINTERFACE
1342	bool
1343
1344endif	# if !(CRYPTO_FIPS && EXPERT)
1345endif	# if CRYPTO_JITTERENTROPY
1346
1347config CRYPTO_KDF800108_CTR
1348	tristate
1349	select CRYPTO_HMAC
1350	select CRYPTO_SHA256
1351
1352endmenu
1353menu "Userspace interface"
1354
1355config CRYPTO_USER_API
1356	tristate
1357
1358config CRYPTO_USER_API_HASH
1359	tristate "Hash algorithms"
1360	depends on NET
1361	select CRYPTO_HASH
1362	select CRYPTO_USER_API
1363	help
1364	  Enable the userspace interface for hash algorithms.
1365
1366	  See Documentation/crypto/userspace-if.rst and
1367	  https://www.chronox.de/libkcapi/html/index.html
1368
1369config CRYPTO_USER_API_SKCIPHER
1370	tristate "Symmetric key cipher algorithms"
1371	depends on NET
1372	select CRYPTO_SKCIPHER
1373	select CRYPTO_USER_API
1374	help
1375	  Enable the userspace interface for symmetric key cipher algorithms.
1376
1377	  See Documentation/crypto/userspace-if.rst and
1378	  https://www.chronox.de/libkcapi/html/index.html
1379
1380config CRYPTO_USER_API_RNG
1381	tristate "RNG (random number generator) algorithms"
1382	depends on NET
1383	select CRYPTO_RNG
1384	select CRYPTO_USER_API
1385	help
1386	  Enable the userspace interface for RNG (random number generator)
1387	  algorithms.
1388
1389	  See Documentation/crypto/userspace-if.rst and
1390	  https://www.chronox.de/libkcapi/html/index.html
1391
1392config CRYPTO_USER_API_RNG_CAVP
1393	bool "Enable CAVP testing of DRBG"
1394	depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
1395	help
1396	  Enable extra APIs in the userspace interface for NIST CAVP
1397	  (Cryptographic Algorithm Validation Program) testing:
1398	  - resetting DRBG entropy
1399	  - providing Additional Data
1400
1401	  This should only be enabled for CAVP testing. You should say
1402	  no unless you know what this is.
1403
1404config CRYPTO_USER_API_AEAD
1405	tristate "AEAD cipher algorithms"
1406	depends on NET
1407	select CRYPTO_AEAD
1408	select CRYPTO_SKCIPHER
1409	select CRYPTO_NULL
1410	select CRYPTO_USER_API
1411	help
1412	  Enable the userspace interface for AEAD cipher algorithms.
1413
1414	  See Documentation/crypto/userspace-if.rst and
1415	  https://www.chronox.de/libkcapi/html/index.html
1416
1417config CRYPTO_USER_API_ENABLE_OBSOLETE
1418	bool "Obsolete cryptographic algorithms"
1419	depends on CRYPTO_USER_API
1420	default y
1421	help
1422	  Allow obsolete cryptographic algorithms to be selected that have
1423	  already been phased out from internal use by the kernel, and are
1424	  only useful for userspace clients that still rely on them.
1425
1426endmenu
1427
1428config CRYPTO_HASH_INFO
1429	bool
1430
1431if !KMSAN # avoid false positives from assembly
1432if ARM
1433source "arch/arm/crypto/Kconfig"
1434endif
1435if ARM64
1436source "arch/arm64/crypto/Kconfig"
1437endif
1438if LOONGARCH
1439source "arch/loongarch/crypto/Kconfig"
1440endif
1441if MIPS
1442source "arch/mips/crypto/Kconfig"
1443endif
1444if PPC
1445source "arch/powerpc/crypto/Kconfig"
1446endif
1447if RISCV
1448source "arch/riscv/crypto/Kconfig"
1449endif
1450if S390
1451source "arch/s390/crypto/Kconfig"
1452endif
1453if SPARC
1454source "arch/sparc/crypto/Kconfig"
1455endif
1456if X86
1457source "arch/x86/crypto/Kconfig"
1458endif
1459endif
1460
1461source "drivers/crypto/Kconfig"
1462source "crypto/asymmetric_keys/Kconfig"
1463source "certs/Kconfig"
1464source "crypto/krb5/Kconfig"
1465
1466endif	# if CRYPTO
Configure Feed

Configure Feed
