crypto/Kconfig at v6.16-rc3

tjh.dev / kernel
fork
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork
kernel / crypto / Kconfig
at v6.16-rc3 1461 lines 40 kB view raw
wrap content
   1# SPDX-License-Identifier: GPL-2.0
   2#
   3# Generic algorithms support
   4#
   5config XOR_BLOCKS
   6	tristate
   7
   8#
   9# async_tx api: hardware offloaded memory transfer/transform support
  10#
  11source "crypto/async_tx/Kconfig"
  12
  13#
  14# Cryptographic API Configuration
  15#
  16menuconfig CRYPTO
  17	tristate "Cryptographic API"
  18	select CRYPTO_LIB_UTILS
  19	help
  20	  This option provides the core Cryptographic API.
  21
  22if CRYPTO
  23
  24menu "Crypto core or helper"
  25
  26config CRYPTO_FIPS
  27	bool "FIPS 200 compliance"
  28	depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && CRYPTO_SELFTESTS
  29	depends on (MODULE_SIG || !MODULES)
  30	help
  31	  This option enables the fips boot option which is
  32	  required if you want the system to operate in a FIPS 200
  33	  certification.  You should say no unless you know what
  34	  this is.
  35
  36config CRYPTO_FIPS_NAME
  37	string "FIPS Module Name"
  38	default "Linux Kernel Cryptographic API"
  39	depends on CRYPTO_FIPS
  40	help
  41	  This option sets the FIPS Module name reported by the Crypto API via
  42	  the /proc/sys/crypto/fips_name file.
  43
  44config CRYPTO_FIPS_CUSTOM_VERSION
  45	bool "Use Custom FIPS Module Version"
  46	depends on CRYPTO_FIPS
  47	default n
  48
  49config CRYPTO_FIPS_VERSION
  50	string "FIPS Module Version"
  51	default "(none)"
  52	depends on CRYPTO_FIPS_CUSTOM_VERSION
  53	help
  54	  This option provides the ability to override the FIPS Module Version.
  55	  By default the KERNELRELEASE value is used.
  56
  57config CRYPTO_ALGAPI
  58	tristate
  59	select CRYPTO_ALGAPI2
  60	help
  61	  This option provides the API for cryptographic algorithms.
  62
  63config CRYPTO_ALGAPI2
  64	tristate
  65
  66config CRYPTO_AEAD
  67	tristate
  68	select CRYPTO_AEAD2
  69	select CRYPTO_ALGAPI
  70
  71config CRYPTO_AEAD2
  72	tristate
  73	select CRYPTO_ALGAPI2
  74
  75config CRYPTO_SIG
  76	tristate
  77	select CRYPTO_SIG2
  78	select CRYPTO_ALGAPI
  79
  80config CRYPTO_SIG2
  81	tristate
  82	select CRYPTO_ALGAPI2
  83
  84config CRYPTO_SKCIPHER
  85	tristate
  86	select CRYPTO_SKCIPHER2
  87	select CRYPTO_ALGAPI
  88	select CRYPTO_ECB
  89
  90config CRYPTO_SKCIPHER2
  91	tristate
  92	select CRYPTO_ALGAPI2
  93
  94config CRYPTO_HASH
  95	tristate
  96	select CRYPTO_HASH2
  97	select CRYPTO_ALGAPI
  98
  99config CRYPTO_HASH2
 100	tristate
 101	select CRYPTO_ALGAPI2
 102
 103config CRYPTO_RNG
 104	tristate
 105	select CRYPTO_RNG2
 106	select CRYPTO_ALGAPI
 107
 108config CRYPTO_RNG2
 109	tristate
 110	select CRYPTO_ALGAPI2
 111
 112config CRYPTO_RNG_DEFAULT
 113	tristate
 114	select CRYPTO_DRBG_MENU
 115
 116config CRYPTO_AKCIPHER2
 117	tristate
 118	select CRYPTO_ALGAPI2
 119
 120config CRYPTO_AKCIPHER
 121	tristate
 122	select CRYPTO_AKCIPHER2
 123	select CRYPTO_ALGAPI
 124
 125config CRYPTO_KPP2
 126	tristate
 127	select CRYPTO_ALGAPI2
 128
 129config CRYPTO_KPP
 130	tristate
 131	select CRYPTO_ALGAPI
 132	select CRYPTO_KPP2
 133
 134config CRYPTO_ACOMP2
 135	tristate
 136	select CRYPTO_ALGAPI2
 137	select SGL_ALLOC
 138
 139config CRYPTO_ACOMP
 140	tristate
 141	select CRYPTO_ALGAPI
 142	select CRYPTO_ACOMP2
 143
 144config CRYPTO_HKDF
 145	tristate
 146	select CRYPTO_SHA256 if CRYPTO_SELFTESTS
 147	select CRYPTO_SHA512 if CRYPTO_SELFTESTS
 148	select CRYPTO_HASH2
 149
 150config CRYPTO_MANAGER
 151	tristate
 152	default CRYPTO_ALGAPI if CRYPTO_SELFTESTS
 153	select CRYPTO_MANAGER2
 154	help
 155	  This provides the support for instantiating templates such as
 156	  cbc(aes), and the support for the crypto self-tests.
 157
 158config CRYPTO_MANAGER2
 159	def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
 160	select CRYPTO_ACOMP2
 161	select CRYPTO_AEAD2
 162	select CRYPTO_AKCIPHER2
 163	select CRYPTO_SIG2
 164	select CRYPTO_HASH2
 165	select CRYPTO_KPP2
 166	select CRYPTO_RNG2
 167	select CRYPTO_SKCIPHER2
 168
 169config CRYPTO_USER
 170	tristate "Userspace cryptographic algorithm configuration"
 171	depends on NET
 172	select CRYPTO_MANAGER
 173	help
 174	  Userspace configuration for cryptographic instantiations such as
 175	  cbc(aes).
 176
 177config CRYPTO_SELFTESTS
 178	bool "Enable cryptographic self-tests"
 179	depends on EXPERT
 180	help
 181	  Enable the cryptographic self-tests.
 182
 183	  The cryptographic self-tests run at boot time, or at algorithm
 184	  registration time if algorithms are dynamically loaded later.
 185
 186	  There are two main use cases for these tests:
 187
 188	  - Development and pre-release testing.  In this case, also enable
 189	    CRYPTO_SELFTESTS_FULL to get the full set of tests.  All crypto code
 190	    in the kernel is expected to pass the full set of tests.
 191
 192	  - Production kernels, to help prevent buggy drivers from being used
 193	    and/or meet FIPS 140-3 pre-operational testing requirements.  In
 194	    this case, enable CRYPTO_SELFTESTS but not CRYPTO_SELFTESTS_FULL.
 195
 196config CRYPTO_SELFTESTS_FULL
 197	bool "Enable the full set of cryptographic self-tests"
 198	depends on CRYPTO_SELFTESTS
 199	help
 200	  Enable the full set of cryptographic self-tests for each algorithm.
 201
 202	  The full set of tests should be enabled for development and
 203	  pre-release testing, but not in production kernels.
 204
 205	  All crypto code in the kernel is expected to pass the full tests.
 206
 207config CRYPTO_NULL
 208	tristate "Null algorithms"
 209	select CRYPTO_ALGAPI
 210	select CRYPTO_SKCIPHER
 211	select CRYPTO_HASH
 212	help
 213	  These are 'Null' algorithms, used by IPsec, which do nothing.
 214
 215config CRYPTO_PCRYPT
 216	tristate "Parallel crypto engine"
 217	depends on SMP
 218	select PADATA
 219	select CRYPTO_MANAGER
 220	select CRYPTO_AEAD
 221	help
 222	  This converts an arbitrary crypto algorithm into a parallel
 223	  algorithm that executes in kernel threads.
 224
 225config CRYPTO_CRYPTD
 226	tristate "Software async crypto daemon"
 227	select CRYPTO_SKCIPHER
 228	select CRYPTO_HASH
 229	select CRYPTO_MANAGER
 230	help
 231	  This is a generic software asynchronous crypto daemon that
 232	  converts an arbitrary synchronous software crypto algorithm
 233	  into an asynchronous algorithm that executes in a kernel thread.
 234
 235config CRYPTO_AUTHENC
 236	tristate "Authenc support"
 237	select CRYPTO_AEAD
 238	select CRYPTO_SKCIPHER
 239	select CRYPTO_MANAGER
 240	select CRYPTO_HASH
 241	help
 242	  Authenc: Combined mode wrapper for IPsec.
 243
 244	  This is required for IPSec ESP (XFRM_ESP).
 245
 246config CRYPTO_KRB5ENC
 247	tristate "Kerberos 5 combined hash+cipher support"
 248	select CRYPTO_AEAD
 249	select CRYPTO_SKCIPHER
 250	select CRYPTO_MANAGER
 251	select CRYPTO_HASH
 252	help
 253	  Combined hash and cipher support for Kerberos 5 RFC3961 simplified
 254	  profile.  This is required for Kerberos 5-style encryption, used by
 255	  sunrpc/NFS and rxrpc/AFS.
 256
 257config CRYPTO_BENCHMARK
 258	tristate "Crypto benchmarking module"
 259	depends on m || EXPERT
 260	select CRYPTO_MANAGER
 261	help
 262	  Quick & dirty crypto benchmarking module.
 263
 264	  This is mainly intended for use by people developing cryptographic
 265	  algorithms in the kernel.  It should not be enabled in production
 266	  kernels.
 267
 268config CRYPTO_SIMD
 269	tristate
 270	select CRYPTO_CRYPTD
 271
 272config CRYPTO_ENGINE
 273	tristate
 274
 275endmenu
 276
 277menu "Public-key cryptography"
 278
 279config CRYPTO_RSA
 280	tristate "RSA (Rivest-Shamir-Adleman)"
 281	select CRYPTO_AKCIPHER
 282	select CRYPTO_MANAGER
 283	select CRYPTO_SIG
 284	select MPILIB
 285	select ASN1
 286	help
 287	  RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017)
 288
 289config CRYPTO_DH
 290	tristate "DH (Diffie-Hellman)"
 291	select CRYPTO_KPP
 292	select MPILIB
 293	help
 294	  DH (Diffie-Hellman) key exchange algorithm
 295
 296config CRYPTO_DH_RFC7919_GROUPS
 297	bool "RFC 7919 FFDHE groups"
 298	depends on CRYPTO_DH
 299	select CRYPTO_RNG_DEFAULT
 300	help
 301	  FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups
 302	  defined in RFC7919.
 303
 304	  Support these finite-field groups in DH key exchanges:
 305	  - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
 306
 307	  If unsure, say N.
 308
 309config CRYPTO_ECC
 310	tristate
 311	select CRYPTO_RNG_DEFAULT
 312
 313config CRYPTO_ECDH
 314	tristate "ECDH (Elliptic Curve Diffie-Hellman)"
 315	select CRYPTO_ECC
 316	select CRYPTO_KPP
 317	help
 318	  ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm
 319	  using curves P-192, P-256, and P-384 (FIPS 186)
 320
 321config CRYPTO_ECDSA
 322	tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)"
 323	select CRYPTO_ECC
 324	select CRYPTO_SIG
 325	select ASN1
 326	help
 327	  ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186,
 328	  ISO/IEC 14888-3)
 329	  using curves P-192, P-256, P-384 and P-521
 330
 331	  Only signature verification is implemented.
 332
 333config CRYPTO_ECRDSA
 334	tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)"
 335	select CRYPTO_ECC
 336	select CRYPTO_SIG
 337	select CRYPTO_STREEBOG
 338	select OID_REGISTRY
 339	select ASN1
 340	help
 341	  Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
 342	  RFC 7091, ISO/IEC 14888-3)
 343
 344	  One of the Russian cryptographic standard algorithms (called GOST
 345	  algorithms). Only signature verification is implemented.
 346
 347config CRYPTO_CURVE25519
 348	tristate "Curve25519"
 349	select CRYPTO_KPP
 350	select CRYPTO_LIB_CURVE25519_GENERIC
 351	select CRYPTO_LIB_CURVE25519_INTERNAL
 352	help
 353	  Curve25519 elliptic curve (RFC7748)
 354
 355endmenu
 356
 357menu "Block ciphers"
 358
 359config CRYPTO_AES
 360	tristate "AES (Advanced Encryption Standard)"
 361	select CRYPTO_ALGAPI
 362	select CRYPTO_LIB_AES
 363	help
 364	  AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
 365
 366	  Rijndael appears to be consistently a very good performer in
 367	  both hardware and software across a wide range of computing
 368	  environments regardless of its use in feedback or non-feedback
 369	  modes. Its key setup time is excellent, and its key agility is
 370	  good. Rijndael's very low memory requirements make it very well
 371	  suited for restricted-space environments, in which it also
 372	  demonstrates excellent performance. Rijndael's operations are
 373	  among the easiest to defend against power and timing attacks.
 374
 375	  The AES specifies three key sizes: 128, 192 and 256 bits
 376
 377config CRYPTO_AES_TI
 378	tristate "AES (Advanced Encryption Standard) (fixed time)"
 379	select CRYPTO_ALGAPI
 380	select CRYPTO_LIB_AES
 381	help
 382	  AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
 383
 384	  This is a generic implementation of AES that attempts to eliminate
 385	  data dependent latencies as much as possible without affecting
 386	  performance too much. It is intended for use by the generic CCM
 387	  and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
 388	  solely on encryption (although decryption is supported as well, but
 389	  with a more dramatic performance hit)
 390
 391	  Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
 392	  8 for decryption), this implementation only uses just two S-boxes of
 393	  256 bytes each, and attempts to eliminate data dependent latencies by
 394	  prefetching the entire table into the cache at the start of each
 395	  block. Interrupts are also disabled to avoid races where cachelines
 396	  are evicted when the CPU is interrupted to do something else.
 397
 398config CRYPTO_ANUBIS
 399	tristate "Anubis"
 400	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
 401	select CRYPTO_ALGAPI
 402	help
 403	  Anubis cipher algorithm
 404
 405	  Anubis is a variable key length cipher which can use keys from
 406	  128 bits to 320 bits in length.  It was evaluated as a entrant
 407	  in the NESSIE competition.
 408
 409	  See https://web.archive.org/web/20160606112246/http://www.larc.usp.br/~pbarreto/AnubisPage.html
 410	  for further information.
 411
 412config CRYPTO_ARIA
 413	tristate "ARIA"
 414	select CRYPTO_ALGAPI
 415	help
 416	  ARIA cipher algorithm (RFC5794)
 417
 418	  ARIA is a standard encryption algorithm of the Republic of Korea.
 419	  The ARIA specifies three key sizes and rounds.
 420	  128-bit: 12 rounds.
 421	  192-bit: 14 rounds.
 422	  256-bit: 16 rounds.
 423
 424	  See:
 425	  https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do
 426
 427config CRYPTO_BLOWFISH
 428	tristate "Blowfish"
 429	select CRYPTO_ALGAPI
 430	select CRYPTO_BLOWFISH_COMMON
 431	help
 432	  Blowfish cipher algorithm, by Bruce Schneier
 433
 434	  This is a variable key length cipher which can use keys from 32
 435	  bits to 448 bits in length.  It's fast, simple and specifically
 436	  designed for use on "large microprocessors".
 437
 438	  See https://www.schneier.com/blowfish.html for further information.
 439
 440config CRYPTO_BLOWFISH_COMMON
 441	tristate
 442	help
 443	  Common parts of the Blowfish cipher algorithm shared by the
 444	  generic c and the assembler implementations.
 445
 446config CRYPTO_CAMELLIA
 447	tristate "Camellia"
 448	select CRYPTO_ALGAPI
 449	help
 450	  Camellia cipher algorithms (ISO/IEC 18033-3)
 451
 452	  Camellia is a symmetric key block cipher developed jointly
 453	  at NTT and Mitsubishi Electric Corporation.
 454
 455	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
 456
 457	  See https://info.isl.ntt.co.jp/crypt/eng/camellia/ for further information.
 458
 459config CRYPTO_CAST_COMMON
 460	tristate
 461	help
 462	  Common parts of the CAST cipher algorithms shared by the
 463	  generic c and the assembler implementations.
 464
 465config CRYPTO_CAST5
 466	tristate "CAST5 (CAST-128)"
 467	select CRYPTO_ALGAPI
 468	select CRYPTO_CAST_COMMON
 469	help
 470	  CAST5 (CAST-128) cipher algorithm (RFC2144, ISO/IEC 18033-3)
 471
 472config CRYPTO_CAST6
 473	tristate "CAST6 (CAST-256)"
 474	select CRYPTO_ALGAPI
 475	select CRYPTO_CAST_COMMON
 476	help
 477	  CAST6 (CAST-256) encryption algorithm (RFC2612)
 478
 479config CRYPTO_DES
 480	tristate "DES and Triple DES EDE"
 481	select CRYPTO_ALGAPI
 482	select CRYPTO_LIB_DES
 483	help
 484	  DES (Data Encryption Standard)(FIPS 46-2, ISO/IEC 18033-3) and
 485	  Triple DES EDE (Encrypt/Decrypt/Encrypt) (FIPS 46-3, ISO/IEC 18033-3)
 486	  cipher algorithms
 487
 488config CRYPTO_FCRYPT
 489	tristate "FCrypt"
 490	select CRYPTO_ALGAPI
 491	select CRYPTO_SKCIPHER
 492	help
 493	  FCrypt algorithm used by RxRPC
 494
 495	  See https://ota.polyonymo.us/fcrypt-paper.txt
 496
 497config CRYPTO_KHAZAD
 498	tristate "Khazad"
 499	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
 500	select CRYPTO_ALGAPI
 501	help
 502	  Khazad cipher algorithm
 503
 504	  Khazad was a finalist in the initial NESSIE competition.  It is
 505	  an algorithm optimized for 64-bit processors with good performance
 506	  on 32-bit processors.  Khazad uses an 128 bit key size.
 507
 508	  See https://web.archive.org/web/20171011071731/http://www.larc.usp.br/~pbarreto/KhazadPage.html
 509	  for further information.
 510
 511config CRYPTO_SEED
 512	tristate "SEED"
 513	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
 514	select CRYPTO_ALGAPI
 515	help
 516	  SEED cipher algorithm (RFC4269, ISO/IEC 18033-3)
 517
 518	  SEED is a 128-bit symmetric key block cipher that has been
 519	  developed by KISA (Korea Information Security Agency) as a
 520	  national standard encryption algorithm of the Republic of Korea.
 521	  It is a 16 round block cipher with the key size of 128 bit.
 522
 523	  See https://seed.kisa.or.kr/kisa/algorithm/EgovSeedInfo.do
 524	  for further information.
 525
 526config CRYPTO_SERPENT
 527	tristate "Serpent"
 528	select CRYPTO_ALGAPI
 529	help
 530	  Serpent cipher algorithm, by Anderson, Biham & Knudsen
 531
 532	  Keys are allowed to be from 0 to 256 bits in length, in steps
 533	  of 8 bits.
 534
 535	  See https://www.cl.cam.ac.uk/~rja14/serpent.html for further information.
 536
 537config CRYPTO_SM4
 538	tristate
 539
 540config CRYPTO_SM4_GENERIC
 541	tristate "SM4 (ShangMi 4)"
 542	select CRYPTO_ALGAPI
 543	select CRYPTO_SM4
 544	help
 545	  SM4 cipher algorithms (OSCCA GB/T 32907-2016,
 546	  ISO/IEC 18033-3:2010/Amd 1:2021)
 547
 548	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
 549	  Organization of State Commercial Administration of China (OSCCA)
 550	  as an authorized cryptographic algorithms for the use within China.
 551
 552	  SMS4 was originally created for use in protecting wireless
 553	  networks, and is mandated in the Chinese National Standard for
 554	  Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
 555	  (GB.15629.11-2003).
 556
 557	  The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
 558	  standardized through TC 260 of the Standardization Administration
 559	  of the People's Republic of China (SAC).
 560
 561	  The input, output, and key of SMS4 are each 128 bits.
 562
 563	  See https://eprint.iacr.org/2008/329.pdf for further information.
 564
 565	  If unsure, say N.
 566
 567config CRYPTO_TEA
 568	tristate "TEA, XTEA and XETA"
 569	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
 570	select CRYPTO_ALGAPI
 571	help
 572	  TEA (Tiny Encryption Algorithm) cipher algorithms
 573
 574	  Tiny Encryption Algorithm is a simple cipher that uses
 575	  many rounds for security.  It is very fast and uses
 576	  little memory.
 577
 578	  Xtendend Tiny Encryption Algorithm is a modification to
 579	  the TEA algorithm to address a potential key weakness
 580	  in the TEA algorithm.
 581
 582	  Xtendend Encryption Tiny Algorithm is a mis-implementation
 583	  of the XTEA algorithm for compatibility purposes.
 584
 585config CRYPTO_TWOFISH
 586	tristate "Twofish"
 587	select CRYPTO_ALGAPI
 588	select CRYPTO_TWOFISH_COMMON
 589	help
 590	  Twofish cipher algorithm
 591
 592	  Twofish was submitted as an AES (Advanced Encryption Standard)
 593	  candidate cipher by researchers at CounterPane Systems.  It is a
 594	  16 round block cipher supporting key sizes of 128, 192, and 256
 595	  bits.
 596
 597	  See https://www.schneier.com/twofish.html for further information.
 598
 599config CRYPTO_TWOFISH_COMMON
 600	tristate
 601	help
 602	  Common parts of the Twofish cipher algorithm shared by the
 603	  generic c and the assembler implementations.
 604
 605endmenu
 606
 607menu "Length-preserving ciphers and modes"
 608
 609config CRYPTO_ADIANTUM
 610	tristate "Adiantum"
 611	select CRYPTO_CHACHA20
 612	select CRYPTO_LIB_POLY1305_GENERIC
 613	select CRYPTO_NHPOLY1305
 614	select CRYPTO_MANAGER
 615	help
 616	  Adiantum tweakable, length-preserving encryption mode
 617
 618	  Designed for fast and secure disk encryption, especially on
 619	  CPUs without dedicated crypto instructions.  It encrypts
 620	  each sector using the XChaCha12 stream cipher, two passes of
 621	  an ε-almost-∆-universal hash function, and an invocation of
 622	  the AES-256 block cipher on a single 16-byte block.  On CPUs
 623	  without AES instructions, Adiantum is much faster than
 624	  AES-XTS.
 625
 626	  Adiantum's security is provably reducible to that of its
 627	  underlying stream and block ciphers, subject to a security
 628	  bound.  Unlike XTS, Adiantum is a true wide-block encryption
 629	  mode, so it actually provides an even stronger notion of
 630	  security than XTS, subject to the security bound.
 631
 632	  If unsure, say N.
 633
 634config CRYPTO_ARC4
 635	tristate "ARC4 (Alleged Rivest Cipher 4)"
 636	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
 637	select CRYPTO_SKCIPHER
 638	select CRYPTO_LIB_ARC4
 639	help
 640	  ARC4 cipher algorithm
 641
 642	  ARC4 is a stream cipher using keys ranging from 8 bits to 2048
 643	  bits in length.  This algorithm is required for driver-based
 644	  WEP, but it should not be for other purposes because of the
 645	  weakness of the algorithm.
 646
 647config CRYPTO_CHACHA20
 648	tristate "ChaCha"
 649	select CRYPTO_LIB_CHACHA
 650	select CRYPTO_LIB_CHACHA_GENERIC
 651	select CRYPTO_SKCIPHER
 652	help
 653	  The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms
 654
 655	  ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
 656	  Bernstein and further specified in RFC7539 for use in IETF protocols.
 657	  This is the portable C implementation of ChaCha20.  See
 658	  https://cr.yp.to/chacha/chacha-20080128.pdf for further information.
 659
 660	  XChaCha20 is the application of the XSalsa20 construction to ChaCha20
 661	  rather than to Salsa20.  XChaCha20 extends ChaCha20's nonce length
 662	  from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
 663	  while provably retaining ChaCha20's security.  See
 664	  https://cr.yp.to/snuffle/xsalsa-20081128.pdf for further information.
 665
 666	  XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
 667	  reduced security margin but increased performance.  It can be needed
 668	  in some performance-sensitive scenarios.
 669
 670config CRYPTO_CBC
 671	tristate "CBC (Cipher Block Chaining)"
 672	select CRYPTO_SKCIPHER
 673	select CRYPTO_MANAGER
 674	help
 675	  CBC (Cipher Block Chaining) mode (NIST SP800-38A)
 676
 677	  This block cipher mode is required for IPSec ESP (XFRM_ESP).
 678
 679config CRYPTO_CTR
 680	tristate "CTR (Counter)"
 681	select CRYPTO_SKCIPHER
 682	select CRYPTO_MANAGER
 683	help
 684	  CTR (Counter) mode (NIST SP800-38A)
 685
 686config CRYPTO_CTS
 687	tristate "CTS (Cipher Text Stealing)"
 688	select CRYPTO_SKCIPHER
 689	select CRYPTO_MANAGER
 690	help
 691	  CBC-CS3 variant of CTS (Cipher Text Stealing) (NIST
 692	  Addendum to SP800-38A (October 2010))
 693
 694	  This mode is required for Kerberos gss mechanism support
 695	  for AES encryption.
 696
 697config CRYPTO_ECB
 698	tristate "ECB (Electronic Codebook)"
 699	select CRYPTO_SKCIPHER2
 700	select CRYPTO_MANAGER
 701	help
 702	  ECB (Electronic Codebook) mode (NIST SP800-38A)
 703
 704config CRYPTO_HCTR2
 705	tristate "HCTR2"
 706	select CRYPTO_XCTR
 707	select CRYPTO_POLYVAL
 708	select CRYPTO_MANAGER
 709	help
 710	  HCTR2 length-preserving encryption mode
 711
 712	  A mode for storage encryption that is efficient on processors with
 713	  instructions to accelerate AES and carryless multiplication, e.g.
 714	  x86 processors with AES-NI and CLMUL, and ARM processors with the
 715	  ARMv8 crypto extensions.
 716
 717	  See https://eprint.iacr.org/2021/1441
 718
 719config CRYPTO_LRW
 720	tristate "LRW (Liskov Rivest Wagner)"
 721	select CRYPTO_LIB_GF128MUL
 722	select CRYPTO_SKCIPHER
 723	select CRYPTO_MANAGER
 724	select CRYPTO_ECB
 725	help
 726	  LRW (Liskov Rivest Wagner) mode
 727
 728	  A tweakable, non malleable, non movable
 729	  narrow block cipher mode for dm-crypt.  Use it with cipher
 730	  specification string aes-lrw-benbi, the key must be 256, 320 or 384.
 731	  The first 128, 192 or 256 bits in the key are used for AES and the
 732	  rest is used to tie each cipher block to its logical position.
 733
 734	  See https://people.csail.mit.edu/rivest/pubs/LRW02.pdf
 735
 736config CRYPTO_PCBC
 737	tristate "PCBC (Propagating Cipher Block Chaining)"
 738	select CRYPTO_SKCIPHER
 739	select CRYPTO_MANAGER
 740	help
 741	  PCBC (Propagating Cipher Block Chaining) mode
 742
 743	  This block cipher mode is required for RxRPC.
 744
 745config CRYPTO_XCTR
 746	tristate
 747	select CRYPTO_SKCIPHER
 748	select CRYPTO_MANAGER
 749	help
 750	  XCTR (XOR Counter) mode for HCTR2
 751
 752	  This blockcipher mode is a variant of CTR mode using XORs and little-endian
 753	  addition rather than big-endian arithmetic.
 754
 755	  XCTR mode is used to implement HCTR2.
 756
 757config CRYPTO_XTS
 758	tristate "XTS (XOR Encrypt XOR with ciphertext stealing)"
 759	select CRYPTO_SKCIPHER
 760	select CRYPTO_MANAGER
 761	select CRYPTO_ECB
 762	help
 763	  XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
 764	  and IEEE 1619)
 765
 766	  Use with aes-xts-plain, key size 256, 384 or 512 bits. This
 767	  implementation currently can't handle a sectorsize which is not a
 768	  multiple of 16 bytes.
 769
 770config CRYPTO_NHPOLY1305
 771	tristate
 772	select CRYPTO_HASH
 773	select CRYPTO_LIB_POLY1305_GENERIC
 774
 775endmenu
 776
 777menu "AEAD (authenticated encryption with associated data) ciphers"
 778
 779config CRYPTO_AEGIS128
 780	tristate "AEGIS-128"
 781	select CRYPTO_AEAD
 782	select CRYPTO_AES  # for AES S-box tables
 783	help
 784	  AEGIS-128 AEAD algorithm
 785
 786config CRYPTO_AEGIS128_SIMD
 787	bool "AEGIS-128 (arm NEON, arm64 NEON)"
 788	depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
 789	default y
 790	help
 791	  AEGIS-128 AEAD algorithm
 792
 793	  Architecture: arm or arm64 using:
 794	  - NEON (Advanced SIMD) extension
 795
 796config CRYPTO_CHACHA20POLY1305
 797	tristate "ChaCha20-Poly1305"
 798	select CRYPTO_CHACHA20
 799	select CRYPTO_AEAD
 800	select CRYPTO_LIB_POLY1305
 801	select CRYPTO_MANAGER
 802	help
 803	  ChaCha20 stream cipher and Poly1305 authenticator combined
 804	  mode (RFC8439)
 805
 806config CRYPTO_CCM
 807	tristate "CCM (Counter with Cipher Block Chaining-MAC)"
 808	select CRYPTO_CTR
 809	select CRYPTO_HASH
 810	select CRYPTO_AEAD
 811	select CRYPTO_MANAGER
 812	help
 813	  CCM (Counter with Cipher Block Chaining-Message Authentication Code)
 814	  authenticated encryption mode (NIST SP800-38C)
 815
 816config CRYPTO_GCM
 817	tristate "GCM (Galois/Counter Mode) and GMAC (GCM MAC)"
 818	select CRYPTO_CTR
 819	select CRYPTO_AEAD
 820	select CRYPTO_GHASH
 821	select CRYPTO_MANAGER
 822	help
 823	  GCM (Galois/Counter Mode) authenticated encryption mode and GMAC
 824	  (GCM Message Authentication Code) (NIST SP800-38D)
 825
 826	  This is required for IPSec ESP (XFRM_ESP).
 827
 828config CRYPTO_GENIV
 829	tristate
 830	select CRYPTO_AEAD
 831	select CRYPTO_MANAGER
 832	select CRYPTO_RNG_DEFAULT
 833
 834config CRYPTO_SEQIV
 835	tristate "Sequence Number IV Generator"
 836	select CRYPTO_GENIV
 837	help
 838	  Sequence Number IV generator
 839
 840	  This IV generator generates an IV based on a sequence number by
 841	  xoring it with a salt.  This algorithm is mainly useful for CTR.
 842
 843	  This is required for IPsec ESP (XFRM_ESP).
 844
 845config CRYPTO_ECHAINIV
 846	tristate "Encrypted Chain IV Generator"
 847	select CRYPTO_GENIV
 848	help
 849	  Encrypted Chain IV generator
 850
 851	  This IV generator generates an IV based on the encryption of
 852	  a sequence number xored with a salt.  This is the default
 853	  algorithm for CBC.
 854
 855config CRYPTO_ESSIV
 856	tristate "Encrypted Salt-Sector IV Generator"
 857	select CRYPTO_AUTHENC
 858	help
 859	  Encrypted Salt-Sector IV generator
 860
 861	  This IV generator is used in some cases by fscrypt and/or
 862	  dm-crypt. It uses the hash of the block encryption key as the
 863	  symmetric key for a block encryption pass applied to the input
 864	  IV, making low entropy IV sources more suitable for block
 865	  encryption.
 866
 867	  This driver implements a crypto API template that can be
 868	  instantiated either as an skcipher or as an AEAD (depending on the
 869	  type of the first template argument), and which defers encryption
 870	  and decryption requests to the encapsulated cipher after applying
 871	  ESSIV to the input IV. Note that in the AEAD case, it is assumed
 872	  that the keys are presented in the same format used by the authenc
 873	  template, and that the IV appears at the end of the authenticated
 874	  associated data (AAD) region (which is how dm-crypt uses it.)
 875
 876	  Note that the use of ESSIV is not recommended for new deployments,
 877	  and so this only needs to be enabled when interoperability with
 878	  existing encrypted volumes of filesystems is required, or when
 879	  building for a particular system that requires it (e.g., when
 880	  the SoC in question has accelerated CBC but not XTS, making CBC
 881	  combined with ESSIV the only feasible mode for h/w accelerated
 882	  block encryption)
 883
 884endmenu
 885
 886menu "Hashes, digests, and MACs"
 887
 888config CRYPTO_BLAKE2B
 889	tristate "BLAKE2b"
 890	select CRYPTO_HASH
 891	help
 892	  BLAKE2b cryptographic hash function (RFC 7693)
 893
 894	  BLAKE2b is optimized for 64-bit platforms and can produce digests
 895	  of any size between 1 and 64 bytes. The keyed hash is also implemented.
 896
 897	  This module provides the following algorithms:
 898	  - blake2b-160
 899	  - blake2b-256
 900	  - blake2b-384
 901	  - blake2b-512
 902
 903	  Used by the btrfs filesystem.
 904
 905	  See https://blake2.net for further information.
 906
 907config CRYPTO_CMAC
 908	tristate "CMAC (Cipher-based MAC)"
 909	select CRYPTO_HASH
 910	select CRYPTO_MANAGER
 911	help
 912	  CMAC (Cipher-based Message Authentication Code) authentication
 913	  mode (NIST SP800-38B and IETF RFC4493)
 914
 915config CRYPTO_GHASH
 916	tristate "GHASH"
 917	select CRYPTO_HASH
 918	select CRYPTO_LIB_GF128MUL
 919	help
 920	  GCM GHASH function (NIST SP800-38D)
 921
 922config CRYPTO_HMAC
 923	tristate "HMAC (Keyed-Hash MAC)"
 924	select CRYPTO_HASH
 925	select CRYPTO_MANAGER
 926	help
 927	  HMAC (Keyed-Hash Message Authentication Code) (FIPS 198 and
 928	  RFC2104)
 929
 930	  This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
 931
 932config CRYPTO_MD4
 933	tristate "MD4"
 934	select CRYPTO_HASH
 935	help
 936	  MD4 message digest algorithm (RFC1320)
 937
 938config CRYPTO_MD5
 939	tristate "MD5"
 940	select CRYPTO_HASH
 941	help
 942	  MD5 message digest algorithm (RFC1321)
 943
 944config CRYPTO_MICHAEL_MIC
 945	tristate "Michael MIC"
 946	select CRYPTO_HASH
 947	help
 948	  Michael MIC (Message Integrity Code) (IEEE 802.11i)
 949
 950	  Defined by the IEEE 802.11i TKIP (Temporal Key Integrity Protocol),
 951	  known as WPA (Wif-Fi Protected Access).
 952
 953	  This algorithm is required for TKIP, but it should not be used for
 954	  other purposes because of the weakness of the algorithm.
 955
 956config CRYPTO_POLYVAL
 957	tristate
 958	select CRYPTO_HASH
 959	select CRYPTO_LIB_GF128MUL
 960	help
 961	  POLYVAL hash function for HCTR2
 962
 963	  This is used in HCTR2.  It is not a general-purpose
 964	  cryptographic hash function.
 965
 966config CRYPTO_RMD160
 967	tristate "RIPEMD-160"
 968	select CRYPTO_HASH
 969	help
 970	  RIPEMD-160 hash function (ISO/IEC 10118-3)
 971
 972	  RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
 973	  to be used as a secure replacement for the 128-bit hash functions
 974	  MD4, MD5 and its predecessor RIPEMD
 975	  (not to be confused with RIPEMD-128).
 976
 977	  Its speed is comparable to SHA-1 and there are no known attacks
 978	  against RIPEMD-160.
 979
 980	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
 981	  See https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
 982	  for further information.
 983
 984config CRYPTO_SHA1
 985	tristate "SHA-1"
 986	select CRYPTO_HASH
 987	select CRYPTO_LIB_SHA1
 988	help
 989	  SHA-1 secure hash algorithm (FIPS 180, ISO/IEC 10118-3)
 990
 991config CRYPTO_SHA256
 992	tristate "SHA-224 and SHA-256"
 993	select CRYPTO_HASH
 994	select CRYPTO_LIB_SHA256
 995	select CRYPTO_LIB_SHA256_GENERIC
 996	help
 997	  SHA-224 and SHA-256 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
 998
 999	  This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
1000	  Used by the btrfs filesystem, Ceph, NFS, and SMB.
1001
1002config CRYPTO_SHA512
1003	tristate "SHA-384 and SHA-512"
1004	select CRYPTO_HASH
1005	help
1006	  SHA-384 and SHA-512 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
1007
1008config CRYPTO_SHA3
1009	tristate "SHA-3"
1010	select CRYPTO_HASH
1011	help
1012	  SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3)
1013
1014config CRYPTO_SM3_GENERIC
1015	tristate "SM3 (ShangMi 3)"
1016	select CRYPTO_HASH
1017	select CRYPTO_LIB_SM3
1018	help
1019	  SM3 (ShangMi 3) secure hash function (OSCCA GM/T 0004-2012, ISO/IEC 10118-3)
1020
1021	  This is part of the Chinese Commercial Cryptography suite.
1022
1023	  References:
1024	  http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
1025	  https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
1026
1027config CRYPTO_STREEBOG
1028	tristate "Streebog"
1029	select CRYPTO_HASH
1030	help
1031	  Streebog Hash Function (GOST R 34.11-2012, RFC 6986, ISO/IEC 10118-3)
1032
1033	  This is one of the Russian cryptographic standard algorithms (called
1034	  GOST algorithms). This setting enables two hash algorithms with
1035	  256 and 512 bits output.
1036
1037	  References:
1038	  https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1039	  https://tools.ietf.org/html/rfc6986
1040
1041config CRYPTO_WP512
1042	tristate "Whirlpool"
1043	select CRYPTO_HASH
1044	help
1045	  Whirlpool hash function (ISO/IEC 10118-3)
1046
1047	  512, 384 and 256-bit hashes.
1048
1049	  Whirlpool-512 is part of the NESSIE cryptographic primitives.
1050
1051	  See https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
1052	  for further information.
1053
1054config CRYPTO_XCBC
1055	tristate "XCBC-MAC (Extended Cipher Block Chaining MAC)"
1056	select CRYPTO_HASH
1057	select CRYPTO_MANAGER
1058	help
1059	  XCBC-MAC (Extended Cipher Block Chaining Message Authentication
1060	  Code) (RFC3566)
1061
1062config CRYPTO_XXHASH
1063	tristate "xxHash"
1064	select CRYPTO_HASH
1065	select XXHASH
1066	help
1067	  xxHash non-cryptographic hash algorithm
1068
1069	  Extremely fast, working at speeds close to RAM limits.
1070
1071	  Used by the btrfs filesystem.
1072
1073endmenu
1074
1075menu "CRCs (cyclic redundancy checks)"
1076
1077config CRYPTO_CRC32C
1078	tristate "CRC32c"
1079	select CRYPTO_HASH
1080	select CRC32
1081	help
1082	  CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720)
1083
1084	  A 32-bit CRC (cyclic redundancy check) with a polynomial defined
1085	  by G. Castagnoli, S. Braeuer and M. Herrman in "Optimization of Cyclic
1086	  Redundancy-Check Codes with 24 and 32 Parity Bits", IEEE Transactions
1087	  on Communications, Vol. 41, No. 6, June 1993, selected for use with
1088	  iSCSI.
1089
1090	  Used by btrfs, ext4, jbd2, NVMeoF/TCP, and iSCSI.
1091
1092config CRYPTO_CRC32
1093	tristate "CRC32"
1094	select CRYPTO_HASH
1095	select CRC32
1096	help
1097	  CRC32 CRC algorithm (IEEE 802.3)
1098
1099	  Used by RoCEv2 and f2fs.
1100
1101endmenu
1102
1103menu "Compression"
1104
1105config CRYPTO_DEFLATE
1106	tristate "Deflate"
1107	select CRYPTO_ALGAPI
1108	select CRYPTO_ACOMP2
1109	select ZLIB_INFLATE
1110	select ZLIB_DEFLATE
1111	help
1112	  Deflate compression algorithm (RFC1951)
1113
1114	  Used by IPSec with the IPCOMP protocol (RFC3173, RFC2394)
1115
1116config CRYPTO_LZO
1117	tristate "LZO"
1118	select CRYPTO_ALGAPI
1119	select CRYPTO_ACOMP2
1120	select LZO_COMPRESS
1121	select LZO_DECOMPRESS
1122	help
1123	  LZO compression algorithm
1124
1125	  See https://www.oberhumer.com/opensource/lzo/ for further information.
1126
1127config CRYPTO_842
1128	tristate "842"
1129	select CRYPTO_ALGAPI
1130	select CRYPTO_ACOMP2
1131	select 842_COMPRESS
1132	select 842_DECOMPRESS
1133	help
1134	  842 compression algorithm by IBM
1135
1136	  See https://github.com/plauth/lib842 for further information.
1137
1138config CRYPTO_LZ4
1139	tristate "LZ4"
1140	select CRYPTO_ALGAPI
1141	select CRYPTO_ACOMP2
1142	select LZ4_COMPRESS
1143	select LZ4_DECOMPRESS
1144	help
1145	  LZ4 compression algorithm
1146
1147	  See https://github.com/lz4/lz4 for further information.
1148
1149config CRYPTO_LZ4HC
1150	tristate "LZ4HC"
1151	select CRYPTO_ALGAPI
1152	select CRYPTO_ACOMP2
1153	select LZ4HC_COMPRESS
1154	select LZ4_DECOMPRESS
1155	help
1156	  LZ4 high compression mode algorithm
1157
1158	  See https://github.com/lz4/lz4 for further information.
1159
1160config CRYPTO_ZSTD
1161	tristate "Zstd"
1162	select CRYPTO_ALGAPI
1163	select CRYPTO_ACOMP2
1164	select ZSTD_COMPRESS
1165	select ZSTD_DECOMPRESS
1166	help
1167	  zstd compression algorithm
1168
1169	  See https://github.com/facebook/zstd for further information.
1170
1171endmenu
1172
1173menu "Random number generation"
1174
1175config CRYPTO_ANSI_CPRNG
1176	tristate "ANSI PRNG (Pseudo Random Number Generator)"
1177	select CRYPTO_AES
1178	select CRYPTO_RNG
1179	help
1180	  Pseudo RNG (random number generator) (ANSI X9.31 Appendix A.2.4)
1181
1182	  This uses the AES cipher algorithm.
1183
1184	  Note that this option must be enabled if CRYPTO_FIPS is selected
1185
1186menuconfig CRYPTO_DRBG_MENU
1187	tristate "NIST SP800-90A DRBG (Deterministic Random Bit Generator)"
1188	help
1189	  DRBG (Deterministic Random Bit Generator) (NIST SP800-90A)
1190
1191	  In the following submenu, one or more of the DRBG types must be selected.
1192
1193if CRYPTO_DRBG_MENU
1194
1195config CRYPTO_DRBG_HMAC
1196	bool
1197	default y
1198	select CRYPTO_HMAC
1199	select CRYPTO_SHA512
1200
1201config CRYPTO_DRBG_HASH
1202	bool "Hash_DRBG"
1203	select CRYPTO_SHA256
1204	help
1205	  Hash_DRBG variant as defined in NIST SP800-90A.
1206
1207	  This uses the SHA-1, SHA-256, SHA-384, or SHA-512 hash algorithms.
1208
1209config CRYPTO_DRBG_CTR
1210	bool "CTR_DRBG"
1211	select CRYPTO_AES
1212	select CRYPTO_CTR
1213	help
1214	  CTR_DRBG variant as defined in NIST SP800-90A.
1215
1216	  This uses the AES cipher algorithm with the counter block mode.
1217
1218config CRYPTO_DRBG
1219	tristate
1220	default CRYPTO_DRBG_MENU
1221	select CRYPTO_RNG
1222	select CRYPTO_JITTERENTROPY
1223
1224endif	# if CRYPTO_DRBG_MENU
1225
1226config CRYPTO_JITTERENTROPY
1227	tristate "CPU Jitter Non-Deterministic RNG (Random Number Generator)"
1228	select CRYPTO_RNG
1229	select CRYPTO_SHA3
1230	help
1231	  CPU Jitter RNG (Random Number Generator) from the Jitterentropy library
1232
1233	  A non-physical non-deterministic ("true") RNG (e.g., an entropy source
1234	  compliant with NIST SP800-90B) intended to provide a seed to a
1235	  deterministic RNG (e.g., per NIST SP800-90C).
1236	  This RNG does not perform any cryptographic whitening of the generated
1237	  random numbers.
1238
1239	  See https://www.chronox.de/jent/
1240
1241if CRYPTO_JITTERENTROPY
1242if CRYPTO_FIPS && EXPERT
1243
1244choice
1245	prompt "CPU Jitter RNG Memory Size"
1246	default CRYPTO_JITTERENTROPY_MEMSIZE_2
1247	help
1248	  The Jitter RNG measures the execution time of memory accesses.
1249	  Multiple consecutive memory accesses are performed. If the memory
1250	  size fits into a cache (e.g. L1), only the memory access timing
1251	  to that cache is measured. The closer the cache is to the CPU
1252	  the less variations are measured and thus the less entropy is
1253	  obtained. Thus, if the memory size fits into the L1 cache, the
1254	  obtained entropy is less than if the memory size fits within
1255	  L1 + L2, which in turn is less if the memory fits into
1256	  L1 + L2 + L3. Thus, by selecting a different memory size,
1257	  the entropy rate produced by the Jitter RNG can be modified.
1258
1259	config CRYPTO_JITTERENTROPY_MEMSIZE_2
1260		bool "2048 Bytes (default)"
1261
1262	config CRYPTO_JITTERENTROPY_MEMSIZE_128
1263		bool "128 kBytes"
1264
1265	config CRYPTO_JITTERENTROPY_MEMSIZE_1024
1266		bool "1024 kBytes"
1267
1268	config CRYPTO_JITTERENTROPY_MEMSIZE_8192
1269		bool "8192 kBytes"
1270endchoice
1271
1272config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
1273	int
1274	default 64 if CRYPTO_JITTERENTROPY_MEMSIZE_2
1275	default 512 if CRYPTO_JITTERENTROPY_MEMSIZE_128
1276	default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
1277	default 4096 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
1278
1279config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
1280	int
1281	default 32 if CRYPTO_JITTERENTROPY_MEMSIZE_2
1282	default 256 if CRYPTO_JITTERENTROPY_MEMSIZE_128
1283	default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
1284	default 2048 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
1285
1286config CRYPTO_JITTERENTROPY_OSR
1287	int "CPU Jitter RNG Oversampling Rate"
1288	range 1 15
1289	default 3
1290	help
1291	  The Jitter RNG allows the specification of an oversampling rate (OSR).
1292	  The Jitter RNG operation requires a fixed amount of timing
1293	  measurements to produce one output block of random numbers. The
1294	  OSR value is multiplied with the amount of timing measurements to
1295	  generate one output block. Thus, the timing measurement is oversampled
1296	  by the OSR factor. The oversampling allows the Jitter RNG to operate
1297	  on hardware whose timers deliver limited amount of entropy (e.g.
1298	  the timer is coarse) by setting the OSR to a higher value. The
1299	  trade-off, however, is that the Jitter RNG now requires more time
1300	  to generate random numbers.
1301
1302config CRYPTO_JITTERENTROPY_TESTINTERFACE
1303	bool "CPU Jitter RNG Test Interface"
1304	help
1305	  The test interface allows a privileged process to capture
1306	  the raw unconditioned high resolution time stamp noise that
1307	  is collected by the Jitter RNG for statistical analysis. As
1308	  this data is used at the same time to generate random bits,
1309	  the Jitter RNG operates in an insecure mode as long as the
1310	  recording is enabled. This interface therefore is only
1311	  intended for testing purposes and is not suitable for
1312	  production systems.
1313
1314	  The raw noise data can be obtained using the jent_raw_hires
1315	  debugfs file. Using the option
1316	  jitterentropy_testing.boot_raw_hires_test=1 the raw noise of
1317	  the first 1000 entropy events since boot can be sampled.
1318
1319	  If unsure, select N.
1320
1321endif	# if CRYPTO_FIPS && EXPERT
1322
1323if !(CRYPTO_FIPS && EXPERT)
1324
1325config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
1326	int
1327	default 64
1328
1329config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
1330	int
1331	default 32
1332
1333config CRYPTO_JITTERENTROPY_OSR
1334	int
1335	default 1
1336
1337config CRYPTO_JITTERENTROPY_TESTINTERFACE
1338	bool
1339
1340endif	# if !(CRYPTO_FIPS && EXPERT)
1341endif	# if CRYPTO_JITTERENTROPY
1342
1343config CRYPTO_KDF800108_CTR
1344	tristate
1345	select CRYPTO_HMAC
1346	select CRYPTO_SHA256
1347
1348endmenu
1349menu "Userspace interface"
1350
1351config CRYPTO_USER_API
1352	tristate
1353
1354config CRYPTO_USER_API_HASH
1355	tristate "Hash algorithms"
1356	depends on NET
1357	select CRYPTO_HASH
1358	select CRYPTO_USER_API
1359	help
1360	  Enable the userspace interface for hash algorithms.
1361
1362	  See Documentation/crypto/userspace-if.rst and
1363	  https://www.chronox.de/libkcapi/html/index.html
1364
1365config CRYPTO_USER_API_SKCIPHER
1366	tristate "Symmetric key cipher algorithms"
1367	depends on NET
1368	select CRYPTO_SKCIPHER
1369	select CRYPTO_USER_API
1370	help
1371	  Enable the userspace interface for symmetric key cipher algorithms.
1372
1373	  See Documentation/crypto/userspace-if.rst and
1374	  https://www.chronox.de/libkcapi/html/index.html
1375
1376config CRYPTO_USER_API_RNG
1377	tristate "RNG (random number generator) algorithms"
1378	depends on NET
1379	select CRYPTO_RNG
1380	select CRYPTO_USER_API
1381	help
1382	  Enable the userspace interface for RNG (random number generator)
1383	  algorithms.
1384
1385	  See Documentation/crypto/userspace-if.rst and
1386	  https://www.chronox.de/libkcapi/html/index.html
1387
1388config CRYPTO_USER_API_RNG_CAVP
1389	bool "Enable CAVP testing of DRBG"
1390	depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
1391	help
1392	  Enable extra APIs in the userspace interface for NIST CAVP
1393	  (Cryptographic Algorithm Validation Program) testing:
1394	  - resetting DRBG entropy
1395	  - providing Additional Data
1396
1397	  This should only be enabled for CAVP testing. You should say
1398	  no unless you know what this is.
1399
1400config CRYPTO_USER_API_AEAD
1401	tristate "AEAD cipher algorithms"
1402	depends on NET
1403	select CRYPTO_AEAD
1404	select CRYPTO_SKCIPHER
1405	select CRYPTO_USER_API
1406	help
1407	  Enable the userspace interface for AEAD cipher algorithms.
1408
1409	  See Documentation/crypto/userspace-if.rst and
1410	  https://www.chronox.de/libkcapi/html/index.html
1411
1412config CRYPTO_USER_API_ENABLE_OBSOLETE
1413	bool "Obsolete cryptographic algorithms"
1414	depends on CRYPTO_USER_API
1415	default y
1416	help
1417	  Allow obsolete cryptographic algorithms to be selected that have
1418	  already been phased out from internal use by the kernel, and are
1419	  only useful for userspace clients that still rely on them.
1420
1421endmenu
1422
1423config CRYPTO_HASH_INFO
1424	bool
1425
1426if !KMSAN # avoid false positives from assembly
1427if ARM
1428source "arch/arm/crypto/Kconfig"
1429endif
1430if ARM64
1431source "arch/arm64/crypto/Kconfig"
1432endif
1433if LOONGARCH
1434source "arch/loongarch/crypto/Kconfig"
1435endif
1436if MIPS
1437source "arch/mips/crypto/Kconfig"
1438endif
1439if PPC
1440source "arch/powerpc/crypto/Kconfig"
1441endif
1442if RISCV
1443source "arch/riscv/crypto/Kconfig"
1444endif
1445if S390
1446source "arch/s390/crypto/Kconfig"
1447endif
1448if SPARC
1449source "arch/sparc/crypto/Kconfig"
1450endif
1451if X86
1452source "arch/x86/crypto/Kconfig"
1453endif
1454endif
1455
1456source "drivers/crypto/Kconfig"
1457source "crypto/asymmetric_keys/Kconfig"
1458source "certs/Kconfig"
1459source "crypto/krb5/Kconfig"
1460
1461endif	# if CRYPTO
Configure Feed

Configure Feed
