crypto/Kconfig at v6.18-rc3

tjh.dev / kernel
fork
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork
kernel / crypto / Kconfig
at v6.18-rc3 1455 lines 40 kB view raw
wrap content
   1# SPDX-License-Identifier: GPL-2.0
   2#
   3# Generic algorithms support
   4#
   5config XOR_BLOCKS
   6	tristate
   7
   8#
   9# async_tx api: hardware offloaded memory transfer/transform support
  10#
  11source "crypto/async_tx/Kconfig"
  12
  13#
  14# Cryptographic API Configuration
  15#
  16menuconfig CRYPTO
  17	tristate "Cryptographic API"
  18	select CRYPTO_LIB_UTILS
  19	help
  20	  This option provides the core Cryptographic API.
  21
  22if CRYPTO
  23
  24menu "Crypto core or helper"
  25
  26config CRYPTO_FIPS
  27	bool "FIPS 200 compliance"
  28	depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && CRYPTO_SELFTESTS
  29	depends on (MODULE_SIG || !MODULES)
  30	help
  31	  This option enables the fips boot option which is
  32	  required if you want the system to operate in a FIPS 200
  33	  certification.  You should say no unless you know what
  34	  this is.
  35
  36config CRYPTO_FIPS_NAME
  37	string "FIPS Module Name"
  38	default "Linux Kernel Cryptographic API"
  39	depends on CRYPTO_FIPS
  40	help
  41	  This option sets the FIPS Module name reported by the Crypto API via
  42	  the /proc/sys/crypto/fips_name file.
  43
  44config CRYPTO_FIPS_CUSTOM_VERSION
  45	bool "Use Custom FIPS Module Version"
  46	depends on CRYPTO_FIPS
  47	default n
  48
  49config CRYPTO_FIPS_VERSION
  50	string "FIPS Module Version"
  51	default "(none)"
  52	depends on CRYPTO_FIPS_CUSTOM_VERSION
  53	help
  54	  This option provides the ability to override the FIPS Module Version.
  55	  By default the KERNELRELEASE value is used.
  56
  57config CRYPTO_ALGAPI
  58	tristate
  59	select CRYPTO_ALGAPI2
  60	help
  61	  This option provides the API for cryptographic algorithms.
  62
  63config CRYPTO_ALGAPI2
  64	tristate
  65
  66config CRYPTO_AEAD
  67	tristate
  68	select CRYPTO_AEAD2
  69	select CRYPTO_ALGAPI
  70
  71config CRYPTO_AEAD2
  72	tristate
  73	select CRYPTO_ALGAPI2
  74
  75config CRYPTO_SIG
  76	tristate
  77	select CRYPTO_SIG2
  78	select CRYPTO_ALGAPI
  79
  80config CRYPTO_SIG2
  81	tristate
  82	select CRYPTO_ALGAPI2
  83
  84config CRYPTO_SKCIPHER
  85	tristate
  86	select CRYPTO_SKCIPHER2
  87	select CRYPTO_ALGAPI
  88	select CRYPTO_ECB
  89
  90config CRYPTO_SKCIPHER2
  91	tristate
  92	select CRYPTO_ALGAPI2
  93
  94config CRYPTO_HASH
  95	tristate
  96	select CRYPTO_HASH2
  97	select CRYPTO_ALGAPI
  98
  99config CRYPTO_HASH2
 100	tristate
 101	select CRYPTO_ALGAPI2
 102
 103config CRYPTO_RNG
 104	tristate
 105	select CRYPTO_RNG2
 106	select CRYPTO_ALGAPI
 107
 108config CRYPTO_RNG2
 109	tristate
 110	select CRYPTO_ALGAPI2
 111
 112config CRYPTO_RNG_DEFAULT
 113	tristate
 114	select CRYPTO_DRBG_MENU
 115
 116config CRYPTO_AKCIPHER2
 117	tristate
 118	select CRYPTO_ALGAPI2
 119
 120config CRYPTO_AKCIPHER
 121	tristate
 122	select CRYPTO_AKCIPHER2
 123	select CRYPTO_ALGAPI
 124
 125config CRYPTO_KPP2
 126	tristate
 127	select CRYPTO_ALGAPI2
 128
 129config CRYPTO_KPP
 130	tristate
 131	select CRYPTO_ALGAPI
 132	select CRYPTO_KPP2
 133
 134config CRYPTO_ACOMP2
 135	tristate
 136	select CRYPTO_ALGAPI2
 137	select SGL_ALLOC
 138
 139config CRYPTO_ACOMP
 140	tristate
 141	select CRYPTO_ALGAPI
 142	select CRYPTO_ACOMP2
 143
 144config CRYPTO_HKDF
 145	tristate
 146	select CRYPTO_SHA256 if CRYPTO_SELFTESTS
 147	select CRYPTO_SHA512 if CRYPTO_SELFTESTS
 148	select CRYPTO_HASH2
 149
 150config CRYPTO_MANAGER
 151	tristate
 152	default CRYPTO_ALGAPI if CRYPTO_SELFTESTS
 153	select CRYPTO_MANAGER2
 154	help
 155	  This provides the support for instantiating templates such as
 156	  cbc(aes), and the support for the crypto self-tests.
 157
 158config CRYPTO_MANAGER2
 159	def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
 160	select CRYPTO_ACOMP2
 161	select CRYPTO_AEAD2
 162	select CRYPTO_AKCIPHER2
 163	select CRYPTO_SIG2
 164	select CRYPTO_HASH2
 165	select CRYPTO_KPP2
 166	select CRYPTO_RNG2
 167	select CRYPTO_SKCIPHER2
 168
 169config CRYPTO_USER
 170	tristate "Userspace cryptographic algorithm configuration"
 171	depends on NET
 172	select CRYPTO_MANAGER
 173	help
 174	  Userspace configuration for cryptographic instantiations such as
 175	  cbc(aes).
 176
 177config CRYPTO_SELFTESTS
 178	bool "Enable cryptographic self-tests"
 179	depends on EXPERT
 180	help
 181	  Enable the cryptographic self-tests.
 182
 183	  The cryptographic self-tests run at boot time, or at algorithm
 184	  registration time if algorithms are dynamically loaded later.
 185
 186	  There are two main use cases for these tests:
 187
 188	  - Development and pre-release testing.  In this case, also enable
 189	    CRYPTO_SELFTESTS_FULL to get the full set of tests.  All crypto code
 190	    in the kernel is expected to pass the full set of tests.
 191
 192	  - Production kernels, to help prevent buggy drivers from being used
 193	    and/or meet FIPS 140-3 pre-operational testing requirements.  In
 194	    this case, enable CRYPTO_SELFTESTS but not CRYPTO_SELFTESTS_FULL.
 195
 196config CRYPTO_SELFTESTS_FULL
 197	bool "Enable the full set of cryptographic self-tests"
 198	depends on CRYPTO_SELFTESTS
 199	help
 200	  Enable the full set of cryptographic self-tests for each algorithm.
 201
 202	  The full set of tests should be enabled for development and
 203	  pre-release testing, but not in production kernels.
 204
 205	  All crypto code in the kernel is expected to pass the full tests.
 206
 207config CRYPTO_NULL
 208	tristate "Null algorithms"
 209	select CRYPTO_ALGAPI
 210	select CRYPTO_SKCIPHER
 211	select CRYPTO_HASH
 212	help
 213	  These are 'Null' algorithms, used by IPsec, which do nothing.
 214
 215config CRYPTO_PCRYPT
 216	tristate "Parallel crypto engine"
 217	depends on SMP
 218	select PADATA
 219	select CRYPTO_MANAGER
 220	select CRYPTO_AEAD
 221	help
 222	  This converts an arbitrary crypto algorithm into a parallel
 223	  algorithm that executes in kernel threads.
 224
 225config CRYPTO_CRYPTD
 226	tristate "Software async crypto daemon"
 227	select CRYPTO_SKCIPHER
 228	select CRYPTO_HASH
 229	select CRYPTO_MANAGER
 230	help
 231	  This is a generic software asynchronous crypto daemon that
 232	  converts an arbitrary synchronous software crypto algorithm
 233	  into an asynchronous algorithm that executes in a kernel thread.
 234
 235config CRYPTO_AUTHENC
 236	tristate "Authenc support"
 237	select CRYPTO_AEAD
 238	select CRYPTO_SKCIPHER
 239	select CRYPTO_MANAGER
 240	select CRYPTO_HASH
 241	help
 242	  Authenc: Combined mode wrapper for IPsec.
 243
 244	  This is required for IPSec ESP (XFRM_ESP).
 245
 246config CRYPTO_KRB5ENC
 247	tristate "Kerberos 5 combined hash+cipher support"
 248	select CRYPTO_AEAD
 249	select CRYPTO_SKCIPHER
 250	select CRYPTO_MANAGER
 251	select CRYPTO_HASH
 252	help
 253	  Combined hash and cipher support for Kerberos 5 RFC3961 simplified
 254	  profile.  This is required for Kerberos 5-style encryption, used by
 255	  sunrpc/NFS and rxrpc/AFS.
 256
 257config CRYPTO_BENCHMARK
 258	tristate "Crypto benchmarking module"
 259	depends on m || EXPERT
 260	select CRYPTO_MANAGER
 261	help
 262	  Quick & dirty crypto benchmarking module.
 263
 264	  This is mainly intended for use by people developing cryptographic
 265	  algorithms in the kernel.  It should not be enabled in production
 266	  kernels.
 267
 268config CRYPTO_SIMD
 269	tristate
 270	select CRYPTO_CRYPTD
 271
 272config CRYPTO_ENGINE
 273	tristate
 274
 275endmenu
 276
 277menu "Public-key cryptography"
 278
 279config CRYPTO_RSA
 280	tristate "RSA (Rivest-Shamir-Adleman)"
 281	select CRYPTO_AKCIPHER
 282	select CRYPTO_MANAGER
 283	select CRYPTO_SIG
 284	select MPILIB
 285	select ASN1
 286	help
 287	  RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017)
 288
 289config CRYPTO_DH
 290	tristate "DH (Diffie-Hellman)"
 291	select CRYPTO_KPP
 292	select MPILIB
 293	help
 294	  DH (Diffie-Hellman) key exchange algorithm
 295
 296config CRYPTO_DH_RFC7919_GROUPS
 297	bool "RFC 7919 FFDHE groups"
 298	depends on CRYPTO_DH
 299	select CRYPTO_RNG_DEFAULT
 300	help
 301	  FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups
 302	  defined in RFC7919.
 303
 304	  Support these finite-field groups in DH key exchanges:
 305	  - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
 306
 307	  If unsure, say N.
 308
 309config CRYPTO_ECC
 310	tristate
 311	select CRYPTO_RNG_DEFAULT
 312
 313config CRYPTO_ECDH
 314	tristate "ECDH (Elliptic Curve Diffie-Hellman)"
 315	select CRYPTO_ECC
 316	select CRYPTO_KPP
 317	help
 318	  ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm
 319	  using curves P-192, P-256, and P-384 (FIPS 186)
 320
 321config CRYPTO_ECDSA
 322	tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)"
 323	select CRYPTO_ECC
 324	select CRYPTO_SIG
 325	select ASN1
 326	help
 327	  ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186,
 328	  ISO/IEC 14888-3)
 329	  using curves P-192, P-256, P-384 and P-521
 330
 331	  Only signature verification is implemented.
 332
 333config CRYPTO_ECRDSA
 334	tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)"
 335	select CRYPTO_ECC
 336	select CRYPTO_SIG
 337	select CRYPTO_STREEBOG
 338	select OID_REGISTRY
 339	select ASN1
 340	help
 341	  Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
 342	  RFC 7091, ISO/IEC 14888-3)
 343
 344	  One of the Russian cryptographic standard algorithms (called GOST
 345	  algorithms). Only signature verification is implemented.
 346
 347endmenu
 348
 349menu "Block ciphers"
 350
 351config CRYPTO_AES
 352	tristate "AES (Advanced Encryption Standard)"
 353	select CRYPTO_ALGAPI
 354	select CRYPTO_LIB_AES
 355	help
 356	  AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
 357
 358	  Rijndael appears to be consistently a very good performer in
 359	  both hardware and software across a wide range of computing
 360	  environments regardless of its use in feedback or non-feedback
 361	  modes. Its key setup time is excellent, and its key agility is
 362	  good. Rijndael's very low memory requirements make it very well
 363	  suited for restricted-space environments, in which it also
 364	  demonstrates excellent performance. Rijndael's operations are
 365	  among the easiest to defend against power and timing attacks.
 366
 367	  The AES specifies three key sizes: 128, 192 and 256 bits
 368
 369config CRYPTO_AES_TI
 370	tristate "AES (Advanced Encryption Standard) (fixed time)"
 371	select CRYPTO_ALGAPI
 372	select CRYPTO_LIB_AES
 373	help
 374	  AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
 375
 376	  This is a generic implementation of AES that attempts to eliminate
 377	  data dependent latencies as much as possible without affecting
 378	  performance too much. It is intended for use by the generic CCM
 379	  and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
 380	  solely on encryption (although decryption is supported as well, but
 381	  with a more dramatic performance hit)
 382
 383	  Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
 384	  8 for decryption), this implementation only uses just two S-boxes of
 385	  256 bytes each, and attempts to eliminate data dependent latencies by
 386	  prefetching the entire table into the cache at the start of each
 387	  block. Interrupts are also disabled to avoid races where cachelines
 388	  are evicted when the CPU is interrupted to do something else.
 389
 390config CRYPTO_ANUBIS
 391	tristate "Anubis"
 392	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
 393	select CRYPTO_ALGAPI
 394	help
 395	  Anubis cipher algorithm
 396
 397	  Anubis is a variable key length cipher which can use keys from
 398	  128 bits to 320 bits in length.  It was evaluated as a entrant
 399	  in the NESSIE competition.
 400
 401	  See https://web.archive.org/web/20160606112246/http://www.larc.usp.br/~pbarreto/AnubisPage.html
 402	  for further information.
 403
 404config CRYPTO_ARIA
 405	tristate "ARIA"
 406	select CRYPTO_ALGAPI
 407	help
 408	  ARIA cipher algorithm (RFC5794)
 409
 410	  ARIA is a standard encryption algorithm of the Republic of Korea.
 411	  The ARIA specifies three key sizes and rounds.
 412	  128-bit: 12 rounds.
 413	  192-bit: 14 rounds.
 414	  256-bit: 16 rounds.
 415
 416	  See:
 417	  https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do
 418
 419config CRYPTO_BLOWFISH
 420	tristate "Blowfish"
 421	select CRYPTO_ALGAPI
 422	select CRYPTO_BLOWFISH_COMMON
 423	help
 424	  Blowfish cipher algorithm, by Bruce Schneier
 425
 426	  This is a variable key length cipher which can use keys from 32
 427	  bits to 448 bits in length.  It's fast, simple and specifically
 428	  designed for use on "large microprocessors".
 429
 430	  See https://www.schneier.com/blowfish.html for further information.
 431
 432config CRYPTO_BLOWFISH_COMMON
 433	tristate
 434	help
 435	  Common parts of the Blowfish cipher algorithm shared by the
 436	  generic c and the assembler implementations.
 437
 438config CRYPTO_CAMELLIA
 439	tristate "Camellia"
 440	select CRYPTO_ALGAPI
 441	help
 442	  Camellia cipher algorithms (ISO/IEC 18033-3)
 443
 444	  Camellia is a symmetric key block cipher developed jointly
 445	  at NTT and Mitsubishi Electric Corporation.
 446
 447	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
 448
 449	  See https://info.isl.ntt.co.jp/crypt/eng/camellia/ for further information.
 450
 451config CRYPTO_CAST_COMMON
 452	tristate
 453	help
 454	  Common parts of the CAST cipher algorithms shared by the
 455	  generic c and the assembler implementations.
 456
 457config CRYPTO_CAST5
 458	tristate "CAST5 (CAST-128)"
 459	select CRYPTO_ALGAPI
 460	select CRYPTO_CAST_COMMON
 461	help
 462	  CAST5 (CAST-128) cipher algorithm (RFC2144, ISO/IEC 18033-3)
 463
 464config CRYPTO_CAST6
 465	tristate "CAST6 (CAST-256)"
 466	select CRYPTO_ALGAPI
 467	select CRYPTO_CAST_COMMON
 468	help
 469	  CAST6 (CAST-256) encryption algorithm (RFC2612)
 470
 471config CRYPTO_DES
 472	tristate "DES and Triple DES EDE"
 473	select CRYPTO_ALGAPI
 474	select CRYPTO_LIB_DES
 475	help
 476	  DES (Data Encryption Standard)(FIPS 46-2, ISO/IEC 18033-3) and
 477	  Triple DES EDE (Encrypt/Decrypt/Encrypt) (FIPS 46-3, ISO/IEC 18033-3)
 478	  cipher algorithms
 479
 480config CRYPTO_FCRYPT
 481	tristate "FCrypt"
 482	select CRYPTO_ALGAPI
 483	select CRYPTO_SKCIPHER
 484	help
 485	  FCrypt algorithm used by RxRPC
 486
 487	  See https://ota.polyonymo.us/fcrypt-paper.txt
 488
 489config CRYPTO_KHAZAD
 490	tristate "Khazad"
 491	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
 492	select CRYPTO_ALGAPI
 493	help
 494	  Khazad cipher algorithm
 495
 496	  Khazad was a finalist in the initial NESSIE competition.  It is
 497	  an algorithm optimized for 64-bit processors with good performance
 498	  on 32-bit processors.  Khazad uses an 128 bit key size.
 499
 500	  See https://web.archive.org/web/20171011071731/http://www.larc.usp.br/~pbarreto/KhazadPage.html
 501	  for further information.
 502
 503config CRYPTO_SEED
 504	tristate "SEED"
 505	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
 506	select CRYPTO_ALGAPI
 507	help
 508	  SEED cipher algorithm (RFC4269, ISO/IEC 18033-3)
 509
 510	  SEED is a 128-bit symmetric key block cipher that has been
 511	  developed by KISA (Korea Information Security Agency) as a
 512	  national standard encryption algorithm of the Republic of Korea.
 513	  It is a 16 round block cipher with the key size of 128 bit.
 514
 515	  See https://seed.kisa.or.kr/kisa/algorithm/EgovSeedInfo.do
 516	  for further information.
 517
 518config CRYPTO_SERPENT
 519	tristate "Serpent"
 520	select CRYPTO_ALGAPI
 521	help
 522	  Serpent cipher algorithm, by Anderson, Biham & Knudsen
 523
 524	  Keys are allowed to be from 0 to 256 bits in length, in steps
 525	  of 8 bits.
 526
 527	  See https://www.cl.cam.ac.uk/~rja14/serpent.html for further information.
 528
 529config CRYPTO_SM4
 530	tristate
 531
 532config CRYPTO_SM4_GENERIC
 533	tristate "SM4 (ShangMi 4)"
 534	select CRYPTO_ALGAPI
 535	select CRYPTO_SM4
 536	help
 537	  SM4 cipher algorithms (OSCCA GB/T 32907-2016,
 538	  ISO/IEC 18033-3:2010/Amd 1:2021)
 539
 540	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
 541	  Organization of State Commercial Administration of China (OSCCA)
 542	  as an authorized cryptographic algorithms for the use within China.
 543
 544	  SMS4 was originally created for use in protecting wireless
 545	  networks, and is mandated in the Chinese National Standard for
 546	  Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
 547	  (GB.15629.11-2003).
 548
 549	  The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
 550	  standardized through TC 260 of the Standardization Administration
 551	  of the People's Republic of China (SAC).
 552
 553	  The input, output, and key of SMS4 are each 128 bits.
 554
 555	  See https://eprint.iacr.org/2008/329.pdf for further information.
 556
 557	  If unsure, say N.
 558
 559config CRYPTO_TEA
 560	tristate "TEA, XTEA and XETA"
 561	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
 562	select CRYPTO_ALGAPI
 563	help
 564	  TEA (Tiny Encryption Algorithm) cipher algorithms
 565
 566	  Tiny Encryption Algorithm is a simple cipher that uses
 567	  many rounds for security.  It is very fast and uses
 568	  little memory.
 569
 570	  Xtendend Tiny Encryption Algorithm is a modification to
 571	  the TEA algorithm to address a potential key weakness
 572	  in the TEA algorithm.
 573
 574	  Xtendend Encryption Tiny Algorithm is a mis-implementation
 575	  of the XTEA algorithm for compatibility purposes.
 576
 577config CRYPTO_TWOFISH
 578	tristate "Twofish"
 579	select CRYPTO_ALGAPI
 580	select CRYPTO_TWOFISH_COMMON
 581	help
 582	  Twofish cipher algorithm
 583
 584	  Twofish was submitted as an AES (Advanced Encryption Standard)
 585	  candidate cipher by researchers at CounterPane Systems.  It is a
 586	  16 round block cipher supporting key sizes of 128, 192, and 256
 587	  bits.
 588
 589	  See https://www.schneier.com/twofish.html for further information.
 590
 591config CRYPTO_TWOFISH_COMMON
 592	tristate
 593	help
 594	  Common parts of the Twofish cipher algorithm shared by the
 595	  generic c and the assembler implementations.
 596
 597endmenu
 598
 599menu "Length-preserving ciphers and modes"
 600
 601config CRYPTO_ADIANTUM
 602	tristate "Adiantum"
 603	select CRYPTO_CHACHA20
 604	select CRYPTO_LIB_POLY1305
 605	select CRYPTO_LIB_POLY1305_GENERIC
 606	select CRYPTO_NHPOLY1305
 607	select CRYPTO_MANAGER
 608	help
 609	  Adiantum tweakable, length-preserving encryption mode
 610
 611	  Designed for fast and secure disk encryption, especially on
 612	  CPUs without dedicated crypto instructions.  It encrypts
 613	  each sector using the XChaCha12 stream cipher, two passes of
 614	  an ε-almost-∆-universal hash function, and an invocation of
 615	  the AES-256 block cipher on a single 16-byte block.  On CPUs
 616	  without AES instructions, Adiantum is much faster than
 617	  AES-XTS.
 618
 619	  Adiantum's security is provably reducible to that of its
 620	  underlying stream and block ciphers, subject to a security
 621	  bound.  Unlike XTS, Adiantum is a true wide-block encryption
 622	  mode, so it actually provides an even stronger notion of
 623	  security than XTS, subject to the security bound.
 624
 625	  If unsure, say N.
 626
 627config CRYPTO_ARC4
 628	tristate "ARC4 (Alleged Rivest Cipher 4)"
 629	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
 630	select CRYPTO_SKCIPHER
 631	select CRYPTO_LIB_ARC4
 632	help
 633	  ARC4 cipher algorithm
 634
 635	  ARC4 is a stream cipher using keys ranging from 8 bits to 2048
 636	  bits in length.  This algorithm is required for driver-based
 637	  WEP, but it should not be for other purposes because of the
 638	  weakness of the algorithm.
 639
 640config CRYPTO_CHACHA20
 641	tristate "ChaCha"
 642	select CRYPTO_LIB_CHACHA
 643	select CRYPTO_SKCIPHER
 644	help
 645	  The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms
 646
 647	  ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
 648	  Bernstein and further specified in RFC7539 for use in IETF protocols.
 649	  This is the portable C implementation of ChaCha20.  See
 650	  https://cr.yp.to/chacha/chacha-20080128.pdf for further information.
 651
 652	  XChaCha20 is the application of the XSalsa20 construction to ChaCha20
 653	  rather than to Salsa20.  XChaCha20 extends ChaCha20's nonce length
 654	  from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
 655	  while provably retaining ChaCha20's security.  See
 656	  https://cr.yp.to/snuffle/xsalsa-20081128.pdf for further information.
 657
 658	  XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
 659	  reduced security margin but increased performance.  It can be needed
 660	  in some performance-sensitive scenarios.
 661
 662config CRYPTO_CBC
 663	tristate "CBC (Cipher Block Chaining)"
 664	select CRYPTO_SKCIPHER
 665	select CRYPTO_MANAGER
 666	help
 667	  CBC (Cipher Block Chaining) mode (NIST SP800-38A)
 668
 669	  This block cipher mode is required for IPSec ESP (XFRM_ESP).
 670
 671config CRYPTO_CTR
 672	tristate "CTR (Counter)"
 673	select CRYPTO_SKCIPHER
 674	select CRYPTO_MANAGER
 675	help
 676	  CTR (Counter) mode (NIST SP800-38A)
 677
 678config CRYPTO_CTS
 679	tristate "CTS (Cipher Text Stealing)"
 680	select CRYPTO_SKCIPHER
 681	select CRYPTO_MANAGER
 682	help
 683	  CBC-CS3 variant of CTS (Cipher Text Stealing) (NIST
 684	  Addendum to SP800-38A (October 2010))
 685
 686	  This mode is required for Kerberos gss mechanism support
 687	  for AES encryption.
 688
 689config CRYPTO_ECB
 690	tristate "ECB (Electronic Codebook)"
 691	select CRYPTO_SKCIPHER2
 692	select CRYPTO_MANAGER
 693	help
 694	  ECB (Electronic Codebook) mode (NIST SP800-38A)
 695
 696config CRYPTO_HCTR2
 697	tristate "HCTR2"
 698	select CRYPTO_XCTR
 699	select CRYPTO_POLYVAL
 700	select CRYPTO_MANAGER
 701	help
 702	  HCTR2 length-preserving encryption mode
 703
 704	  A mode for storage encryption that is efficient on processors with
 705	  instructions to accelerate AES and carryless multiplication, e.g.
 706	  x86 processors with AES-NI and CLMUL, and ARM processors with the
 707	  ARMv8 crypto extensions.
 708
 709	  See https://eprint.iacr.org/2021/1441
 710
 711config CRYPTO_LRW
 712	tristate "LRW (Liskov Rivest Wagner)"
 713	select CRYPTO_LIB_GF128MUL
 714	select CRYPTO_SKCIPHER
 715	select CRYPTO_MANAGER
 716	select CRYPTO_ECB
 717	help
 718	  LRW (Liskov Rivest Wagner) mode
 719
 720	  A tweakable, non malleable, non movable
 721	  narrow block cipher mode for dm-crypt.  Use it with cipher
 722	  specification string aes-lrw-benbi, the key must be 256, 320 or 384.
 723	  The first 128, 192 or 256 bits in the key are used for AES and the
 724	  rest is used to tie each cipher block to its logical position.
 725
 726	  See https://people.csail.mit.edu/rivest/pubs/LRW02.pdf
 727
 728config CRYPTO_PCBC
 729	tristate "PCBC (Propagating Cipher Block Chaining)"
 730	select CRYPTO_SKCIPHER
 731	select CRYPTO_MANAGER
 732	help
 733	  PCBC (Propagating Cipher Block Chaining) mode
 734
 735	  This block cipher mode is required for RxRPC.
 736
 737config CRYPTO_XCTR
 738	tristate
 739	select CRYPTO_SKCIPHER
 740	select CRYPTO_MANAGER
 741	help
 742	  XCTR (XOR Counter) mode for HCTR2
 743
 744	  This blockcipher mode is a variant of CTR mode using XORs and little-endian
 745	  addition rather than big-endian arithmetic.
 746
 747	  XCTR mode is used to implement HCTR2.
 748
 749config CRYPTO_XTS
 750	tristate "XTS (XOR Encrypt XOR with ciphertext stealing)"
 751	select CRYPTO_SKCIPHER
 752	select CRYPTO_MANAGER
 753	select CRYPTO_ECB
 754	help
 755	  XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
 756	  and IEEE 1619)
 757
 758	  Use with aes-xts-plain, key size 256, 384 or 512 bits. This
 759	  implementation currently can't handle a sectorsize which is not a
 760	  multiple of 16 bytes.
 761
 762config CRYPTO_NHPOLY1305
 763	tristate
 764	select CRYPTO_HASH
 765	select CRYPTO_LIB_POLY1305
 766	select CRYPTO_LIB_POLY1305_GENERIC
 767
 768endmenu
 769
 770menu "AEAD (authenticated encryption with associated data) ciphers"
 771
 772config CRYPTO_AEGIS128
 773	tristate "AEGIS-128"
 774	select CRYPTO_AEAD
 775	select CRYPTO_AES  # for AES S-box tables
 776	help
 777	  AEGIS-128 AEAD algorithm
 778
 779config CRYPTO_AEGIS128_SIMD
 780	bool "AEGIS-128 (arm NEON, arm64 NEON)"
 781	depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
 782	default y
 783	help
 784	  AEGIS-128 AEAD algorithm
 785
 786	  Architecture: arm or arm64 using:
 787	  - NEON (Advanced SIMD) extension
 788
 789config CRYPTO_CHACHA20POLY1305
 790	tristate "ChaCha20-Poly1305"
 791	select CRYPTO_CHACHA20
 792	select CRYPTO_AEAD
 793	select CRYPTO_LIB_POLY1305
 794	select CRYPTO_MANAGER
 795	help
 796	  ChaCha20 stream cipher and Poly1305 authenticator combined
 797	  mode (RFC8439)
 798
 799config CRYPTO_CCM
 800	tristate "CCM (Counter with Cipher Block Chaining-MAC)"
 801	select CRYPTO_CTR
 802	select CRYPTO_HASH
 803	select CRYPTO_AEAD
 804	select CRYPTO_MANAGER
 805	help
 806	  CCM (Counter with Cipher Block Chaining-Message Authentication Code)
 807	  authenticated encryption mode (NIST SP800-38C)
 808
 809config CRYPTO_GCM
 810	tristate "GCM (Galois/Counter Mode) and GMAC (GCM MAC)"
 811	select CRYPTO_CTR
 812	select CRYPTO_AEAD
 813	select CRYPTO_GHASH
 814	select CRYPTO_MANAGER
 815	help
 816	  GCM (Galois/Counter Mode) authenticated encryption mode and GMAC
 817	  (GCM Message Authentication Code) (NIST SP800-38D)
 818
 819	  This is required for IPSec ESP (XFRM_ESP).
 820
 821config CRYPTO_GENIV
 822	tristate
 823	select CRYPTO_AEAD
 824	select CRYPTO_MANAGER
 825	select CRYPTO_RNG_DEFAULT
 826
 827config CRYPTO_SEQIV
 828	tristate "Sequence Number IV Generator"
 829	select CRYPTO_GENIV
 830	help
 831	  Sequence Number IV generator
 832
 833	  This IV generator generates an IV based on a sequence number by
 834	  xoring it with a salt.  This algorithm is mainly useful for CTR.
 835
 836	  This is required for IPsec ESP (XFRM_ESP).
 837
 838config CRYPTO_ECHAINIV
 839	tristate "Encrypted Chain IV Generator"
 840	select CRYPTO_GENIV
 841	help
 842	  Encrypted Chain IV generator
 843
 844	  This IV generator generates an IV based on the encryption of
 845	  a sequence number xored with a salt.  This is the default
 846	  algorithm for CBC.
 847
 848config CRYPTO_ESSIV
 849	tristate "Encrypted Salt-Sector IV Generator"
 850	select CRYPTO_AUTHENC
 851	help
 852	  Encrypted Salt-Sector IV generator
 853
 854	  This IV generator is used in some cases by fscrypt and/or
 855	  dm-crypt. It uses the hash of the block encryption key as the
 856	  symmetric key for a block encryption pass applied to the input
 857	  IV, making low entropy IV sources more suitable for block
 858	  encryption.
 859
 860	  This driver implements a crypto API template that can be
 861	  instantiated either as an skcipher or as an AEAD (depending on the
 862	  type of the first template argument), and which defers encryption
 863	  and decryption requests to the encapsulated cipher after applying
 864	  ESSIV to the input IV. Note that in the AEAD case, it is assumed
 865	  that the keys are presented in the same format used by the authenc
 866	  template, and that the IV appears at the end of the authenticated
 867	  associated data (AAD) region (which is how dm-crypt uses it.)
 868
 869	  Note that the use of ESSIV is not recommended for new deployments,
 870	  and so this only needs to be enabled when interoperability with
 871	  existing encrypted volumes of filesystems is required, or when
 872	  building for a particular system that requires it (e.g., when
 873	  the SoC in question has accelerated CBC but not XTS, making CBC
 874	  combined with ESSIV the only feasible mode for h/w accelerated
 875	  block encryption)
 876
 877endmenu
 878
 879menu "Hashes, digests, and MACs"
 880
 881config CRYPTO_BLAKE2B
 882	tristate "BLAKE2b"
 883	select CRYPTO_HASH
 884	help
 885	  BLAKE2b cryptographic hash function (RFC 7693)
 886
 887	  BLAKE2b is optimized for 64-bit platforms and can produce digests
 888	  of any size between 1 and 64 bytes. The keyed hash is also implemented.
 889
 890	  This module provides the following algorithms:
 891	  - blake2b-160
 892	  - blake2b-256
 893	  - blake2b-384
 894	  - blake2b-512
 895
 896	  Used by the btrfs filesystem.
 897
 898	  See https://blake2.net for further information.
 899
 900config CRYPTO_CMAC
 901	tristate "CMAC (Cipher-based MAC)"
 902	select CRYPTO_HASH
 903	select CRYPTO_MANAGER
 904	help
 905	  CMAC (Cipher-based Message Authentication Code) authentication
 906	  mode (NIST SP800-38B and IETF RFC4493)
 907
 908config CRYPTO_GHASH
 909	tristate "GHASH"
 910	select CRYPTO_HASH
 911	select CRYPTO_LIB_GF128MUL
 912	help
 913	  GCM GHASH function (NIST SP800-38D)
 914
 915config CRYPTO_HMAC
 916	tristate "HMAC (Keyed-Hash MAC)"
 917	select CRYPTO_HASH
 918	select CRYPTO_MANAGER
 919	help
 920	  HMAC (Keyed-Hash Message Authentication Code) (FIPS 198 and
 921	  RFC2104)
 922
 923	  This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
 924
 925config CRYPTO_MD4
 926	tristate "MD4"
 927	select CRYPTO_HASH
 928	help
 929	  MD4 message digest algorithm (RFC1320)
 930
 931config CRYPTO_MD5
 932	tristate "MD5"
 933	select CRYPTO_HASH
 934	select CRYPTO_LIB_MD5
 935	help
 936	  MD5 message digest algorithm (RFC1321), including HMAC support.
 937
 938config CRYPTO_MICHAEL_MIC
 939	tristate "Michael MIC"
 940	select CRYPTO_HASH
 941	help
 942	  Michael MIC (Message Integrity Code) (IEEE 802.11i)
 943
 944	  Defined by the IEEE 802.11i TKIP (Temporal Key Integrity Protocol),
 945	  known as WPA (Wif-Fi Protected Access).
 946
 947	  This algorithm is required for TKIP, but it should not be used for
 948	  other purposes because of the weakness of the algorithm.
 949
 950config CRYPTO_POLYVAL
 951	tristate
 952	select CRYPTO_HASH
 953	select CRYPTO_LIB_GF128MUL
 954	help
 955	  POLYVAL hash function for HCTR2
 956
 957	  This is used in HCTR2.  It is not a general-purpose
 958	  cryptographic hash function.
 959
 960config CRYPTO_RMD160
 961	tristate "RIPEMD-160"
 962	select CRYPTO_HASH
 963	help
 964	  RIPEMD-160 hash function (ISO/IEC 10118-3)
 965
 966	  RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
 967	  to be used as a secure replacement for the 128-bit hash functions
 968	  MD4, MD5 and its predecessor RIPEMD
 969	  (not to be confused with RIPEMD-128).
 970
 971	  Its speed is comparable to SHA-1 and there are no known attacks
 972	  against RIPEMD-160.
 973
 974	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
 975	  See https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
 976	  for further information.
 977
 978config CRYPTO_SHA1
 979	tristate "SHA-1"
 980	select CRYPTO_HASH
 981	select CRYPTO_LIB_SHA1
 982	help
 983	  SHA-1 secure hash algorithm (FIPS 180, ISO/IEC 10118-3), including
 984	  HMAC support.
 985
 986config CRYPTO_SHA256
 987	tristate "SHA-224 and SHA-256"
 988	select CRYPTO_HASH
 989	select CRYPTO_LIB_SHA256
 990	help
 991	  SHA-224 and SHA-256 secure hash algorithms (FIPS 180, ISO/IEC
 992	  10118-3), including HMAC support.
 993
 994	  This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
 995	  Used by the btrfs filesystem, Ceph, NFS, and SMB.
 996
 997config CRYPTO_SHA512
 998	tristate "SHA-384 and SHA-512"
 999	select CRYPTO_HASH
1000	select CRYPTO_LIB_SHA512
1001	help
1002	  SHA-384 and SHA-512 secure hash algorithms (FIPS 180, ISO/IEC
1003	  10118-3), including HMAC support.
1004
1005config CRYPTO_SHA3
1006	tristate "SHA-3"
1007	select CRYPTO_HASH
1008	help
1009	  SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3)
1010
1011config CRYPTO_SM3_GENERIC
1012	tristate "SM3 (ShangMi 3)"
1013	select CRYPTO_HASH
1014	select CRYPTO_LIB_SM3
1015	help
1016	  SM3 (ShangMi 3) secure hash function (OSCCA GM/T 0004-2012, ISO/IEC 10118-3)
1017
1018	  This is part of the Chinese Commercial Cryptography suite.
1019
1020	  References:
1021	  http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
1022	  https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
1023
1024config CRYPTO_STREEBOG
1025	tristate "Streebog"
1026	select CRYPTO_HASH
1027	help
1028	  Streebog Hash Function (GOST R 34.11-2012, RFC 6986, ISO/IEC 10118-3)
1029
1030	  This is one of the Russian cryptographic standard algorithms (called
1031	  GOST algorithms). This setting enables two hash algorithms with
1032	  256 and 512 bits output.
1033
1034	  References:
1035	  https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1036	  https://tools.ietf.org/html/rfc6986
1037
1038config CRYPTO_WP512
1039	tristate "Whirlpool"
1040	select CRYPTO_HASH
1041	help
1042	  Whirlpool hash function (ISO/IEC 10118-3)
1043
1044	  512, 384 and 256-bit hashes.
1045
1046	  Whirlpool-512 is part of the NESSIE cryptographic primitives.
1047
1048	  See https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
1049	  for further information.
1050
1051config CRYPTO_XCBC
1052	tristate "XCBC-MAC (Extended Cipher Block Chaining MAC)"
1053	select CRYPTO_HASH
1054	select CRYPTO_MANAGER
1055	help
1056	  XCBC-MAC (Extended Cipher Block Chaining Message Authentication
1057	  Code) (RFC3566)
1058
1059config CRYPTO_XXHASH
1060	tristate "xxHash"
1061	select CRYPTO_HASH
1062	select XXHASH
1063	help
1064	  xxHash non-cryptographic hash algorithm
1065
1066	  Extremely fast, working at speeds close to RAM limits.
1067
1068	  Used by the btrfs filesystem.
1069
1070endmenu
1071
1072menu "CRCs (cyclic redundancy checks)"
1073
1074config CRYPTO_CRC32C
1075	tristate "CRC32c"
1076	select CRYPTO_HASH
1077	select CRC32
1078	help
1079	  CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720)
1080
1081	  A 32-bit CRC (cyclic redundancy check) with a polynomial defined
1082	  by G. Castagnoli, S. Braeuer and M. Herrman in "Optimization of Cyclic
1083	  Redundancy-Check Codes with 24 and 32 Parity Bits", IEEE Transactions
1084	  on Communications, Vol. 41, No. 6, June 1993, selected for use with
1085	  iSCSI.
1086
1087	  Used by btrfs, ext4, jbd2, NVMeoF/TCP, and iSCSI.
1088
1089config CRYPTO_CRC32
1090	tristate "CRC32"
1091	select CRYPTO_HASH
1092	select CRC32
1093	help
1094	  CRC32 CRC algorithm (IEEE 802.3)
1095
1096	  Used by RoCEv2 and f2fs.
1097
1098endmenu
1099
1100menu "Compression"
1101
1102config CRYPTO_DEFLATE
1103	tristate "Deflate"
1104	select CRYPTO_ALGAPI
1105	select CRYPTO_ACOMP2
1106	select ZLIB_INFLATE
1107	select ZLIB_DEFLATE
1108	help
1109	  Deflate compression algorithm (RFC1951)
1110
1111	  Used by IPSec with the IPCOMP protocol (RFC3173, RFC2394)
1112
1113config CRYPTO_LZO
1114	tristate "LZO"
1115	select CRYPTO_ALGAPI
1116	select CRYPTO_ACOMP2
1117	select LZO_COMPRESS
1118	select LZO_DECOMPRESS
1119	help
1120	  LZO compression algorithm
1121
1122	  See https://www.oberhumer.com/opensource/lzo/ for further information.
1123
1124config CRYPTO_842
1125	tristate "842"
1126	select CRYPTO_ALGAPI
1127	select CRYPTO_ACOMP2
1128	select 842_COMPRESS
1129	select 842_DECOMPRESS
1130	help
1131	  842 compression algorithm by IBM
1132
1133	  See https://github.com/plauth/lib842 for further information.
1134
1135config CRYPTO_LZ4
1136	tristate "LZ4"
1137	select CRYPTO_ALGAPI
1138	select CRYPTO_ACOMP2
1139	select LZ4_COMPRESS
1140	select LZ4_DECOMPRESS
1141	help
1142	  LZ4 compression algorithm
1143
1144	  See https://github.com/lz4/lz4 for further information.
1145
1146config CRYPTO_LZ4HC
1147	tristate "LZ4HC"
1148	select CRYPTO_ALGAPI
1149	select CRYPTO_ACOMP2
1150	select LZ4HC_COMPRESS
1151	select LZ4_DECOMPRESS
1152	help
1153	  LZ4 high compression mode algorithm
1154
1155	  See https://github.com/lz4/lz4 for further information.
1156
1157config CRYPTO_ZSTD
1158	tristate "Zstd"
1159	select CRYPTO_ALGAPI
1160	select CRYPTO_ACOMP2
1161	select ZSTD_COMPRESS
1162	select ZSTD_DECOMPRESS
1163	help
1164	  zstd compression algorithm
1165
1166	  See https://github.com/facebook/zstd for further information.
1167
1168endmenu
1169
1170menu "Random number generation"
1171
1172config CRYPTO_ANSI_CPRNG
1173	tristate "ANSI PRNG (Pseudo Random Number Generator)"
1174	select CRYPTO_AES
1175	select CRYPTO_RNG
1176	help
1177	  Pseudo RNG (random number generator) (ANSI X9.31 Appendix A.2.4)
1178
1179	  This uses the AES cipher algorithm.
1180
1181	  Note that this option must be enabled if CRYPTO_FIPS is selected
1182
1183menuconfig CRYPTO_DRBG_MENU
1184	tristate "NIST SP800-90A DRBG (Deterministic Random Bit Generator)"
1185	help
1186	  DRBG (Deterministic Random Bit Generator) (NIST SP800-90A)
1187
1188	  In the following submenu, one or more of the DRBG types must be selected.
1189
1190if CRYPTO_DRBG_MENU
1191
1192config CRYPTO_DRBG_HMAC
1193	bool
1194	default y
1195	select CRYPTO_HMAC
1196	select CRYPTO_SHA512
1197
1198config CRYPTO_DRBG_HASH
1199	bool "Hash_DRBG"
1200	select CRYPTO_SHA256
1201	help
1202	  Hash_DRBG variant as defined in NIST SP800-90A.
1203
1204	  This uses the SHA-1, SHA-256, SHA-384, or SHA-512 hash algorithms.
1205
1206config CRYPTO_DRBG_CTR
1207	bool "CTR_DRBG"
1208	select CRYPTO_AES
1209	select CRYPTO_CTR
1210	help
1211	  CTR_DRBG variant as defined in NIST SP800-90A.
1212
1213	  This uses the AES cipher algorithm with the counter block mode.
1214
1215config CRYPTO_DRBG
1216	tristate
1217	default CRYPTO_DRBG_MENU
1218	select CRYPTO_RNG
1219	select CRYPTO_JITTERENTROPY
1220
1221endif	# if CRYPTO_DRBG_MENU
1222
1223config CRYPTO_JITTERENTROPY
1224	tristate "CPU Jitter Non-Deterministic RNG (Random Number Generator)"
1225	select CRYPTO_RNG
1226	select CRYPTO_SHA3
1227	help
1228	  CPU Jitter RNG (Random Number Generator) from the Jitterentropy library
1229
1230	  A non-physical non-deterministic ("true") RNG (e.g., an entropy source
1231	  compliant with NIST SP800-90B) intended to provide a seed to a
1232	  deterministic RNG (e.g., per NIST SP800-90C).
1233	  This RNG does not perform any cryptographic whitening of the generated
1234	  random numbers.
1235
1236	  See https://www.chronox.de/jent/
1237
1238if CRYPTO_JITTERENTROPY
1239if CRYPTO_FIPS && EXPERT
1240
1241choice
1242	prompt "CPU Jitter RNG Memory Size"
1243	default CRYPTO_JITTERENTROPY_MEMSIZE_2
1244	help
1245	  The Jitter RNG measures the execution time of memory accesses.
1246	  Multiple consecutive memory accesses are performed. If the memory
1247	  size fits into a cache (e.g. L1), only the memory access timing
1248	  to that cache is measured. The closer the cache is to the CPU
1249	  the less variations are measured and thus the less entropy is
1250	  obtained. Thus, if the memory size fits into the L1 cache, the
1251	  obtained entropy is less than if the memory size fits within
1252	  L1 + L2, which in turn is less if the memory fits into
1253	  L1 + L2 + L3. Thus, by selecting a different memory size,
1254	  the entropy rate produced by the Jitter RNG can be modified.
1255
1256	config CRYPTO_JITTERENTROPY_MEMSIZE_2
1257		bool "2048 Bytes (default)"
1258
1259	config CRYPTO_JITTERENTROPY_MEMSIZE_128
1260		bool "128 kBytes"
1261
1262	config CRYPTO_JITTERENTROPY_MEMSIZE_1024
1263		bool "1024 kBytes"
1264
1265	config CRYPTO_JITTERENTROPY_MEMSIZE_8192
1266		bool "8192 kBytes"
1267endchoice
1268
1269config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
1270	int
1271	default 64 if CRYPTO_JITTERENTROPY_MEMSIZE_2
1272	default 512 if CRYPTO_JITTERENTROPY_MEMSIZE_128
1273	default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
1274	default 4096 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
1275
1276config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
1277	int
1278	default 32 if CRYPTO_JITTERENTROPY_MEMSIZE_2
1279	default 256 if CRYPTO_JITTERENTROPY_MEMSIZE_128
1280	default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
1281	default 2048 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
1282
1283config CRYPTO_JITTERENTROPY_OSR
1284	int "CPU Jitter RNG Oversampling Rate"
1285	range 1 15
1286	default 3
1287	help
1288	  The Jitter RNG allows the specification of an oversampling rate (OSR).
1289	  The Jitter RNG operation requires a fixed amount of timing
1290	  measurements to produce one output block of random numbers. The
1291	  OSR value is multiplied with the amount of timing measurements to
1292	  generate one output block. Thus, the timing measurement is oversampled
1293	  by the OSR factor. The oversampling allows the Jitter RNG to operate
1294	  on hardware whose timers deliver limited amount of entropy (e.g.
1295	  the timer is coarse) by setting the OSR to a higher value. The
1296	  trade-off, however, is that the Jitter RNG now requires more time
1297	  to generate random numbers.
1298
1299config CRYPTO_JITTERENTROPY_TESTINTERFACE
1300	bool "CPU Jitter RNG Test Interface"
1301	help
1302	  The test interface allows a privileged process to capture
1303	  the raw unconditioned high resolution time stamp noise that
1304	  is collected by the Jitter RNG for statistical analysis. As
1305	  this data is used at the same time to generate random bits,
1306	  the Jitter RNG operates in an insecure mode as long as the
1307	  recording is enabled. This interface therefore is only
1308	  intended for testing purposes and is not suitable for
1309	  production systems.
1310
1311	  The raw noise data can be obtained using the jent_raw_hires
1312	  debugfs file. Using the option
1313	  jitterentropy_testing.boot_raw_hires_test=1 the raw noise of
1314	  the first 1000 entropy events since boot can be sampled.
1315
1316	  If unsure, select N.
1317
1318endif	# if CRYPTO_FIPS && EXPERT
1319
1320if !(CRYPTO_FIPS && EXPERT)
1321
1322config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
1323	int
1324	default 64
1325
1326config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
1327	int
1328	default 32
1329
1330config CRYPTO_JITTERENTROPY_OSR
1331	int
1332	default 1
1333
1334config CRYPTO_JITTERENTROPY_TESTINTERFACE
1335	bool
1336
1337endif	# if !(CRYPTO_FIPS && EXPERT)
1338endif	# if CRYPTO_JITTERENTROPY
1339
1340config CRYPTO_KDF800108_CTR
1341	tristate
1342	select CRYPTO_HMAC
1343	select CRYPTO_SHA256
1344
1345endmenu
1346menu "Userspace interface"
1347
1348config CRYPTO_USER_API
1349	tristate
1350
1351config CRYPTO_USER_API_HASH
1352	tristate "Hash algorithms"
1353	depends on NET
1354	select CRYPTO_HASH
1355	select CRYPTO_USER_API
1356	help
1357	  Enable the userspace interface for hash algorithms.
1358
1359	  See Documentation/crypto/userspace-if.rst and
1360	  https://www.chronox.de/libkcapi/html/index.html
1361
1362config CRYPTO_USER_API_SKCIPHER
1363	tristate "Symmetric key cipher algorithms"
1364	depends on NET
1365	select CRYPTO_SKCIPHER
1366	select CRYPTO_USER_API
1367	help
1368	  Enable the userspace interface for symmetric key cipher algorithms.
1369
1370	  See Documentation/crypto/userspace-if.rst and
1371	  https://www.chronox.de/libkcapi/html/index.html
1372
1373config CRYPTO_USER_API_RNG
1374	tristate "RNG (random number generator) algorithms"
1375	depends on NET
1376	select CRYPTO_RNG
1377	select CRYPTO_USER_API
1378	help
1379	  Enable the userspace interface for RNG (random number generator)
1380	  algorithms.
1381
1382	  See Documentation/crypto/userspace-if.rst and
1383	  https://www.chronox.de/libkcapi/html/index.html
1384
1385config CRYPTO_USER_API_RNG_CAVP
1386	bool "Enable CAVP testing of DRBG"
1387	depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
1388	help
1389	  Enable extra APIs in the userspace interface for NIST CAVP
1390	  (Cryptographic Algorithm Validation Program) testing:
1391	  - resetting DRBG entropy
1392	  - providing Additional Data
1393
1394	  This should only be enabled for CAVP testing. You should say
1395	  no unless you know what this is.
1396
1397config CRYPTO_USER_API_AEAD
1398	tristate "AEAD cipher algorithms"
1399	depends on NET
1400	select CRYPTO_AEAD
1401	select CRYPTO_SKCIPHER
1402	select CRYPTO_USER_API
1403	help
1404	  Enable the userspace interface for AEAD cipher algorithms.
1405
1406	  See Documentation/crypto/userspace-if.rst and
1407	  https://www.chronox.de/libkcapi/html/index.html
1408
1409config CRYPTO_USER_API_ENABLE_OBSOLETE
1410	bool "Obsolete cryptographic algorithms"
1411	depends on CRYPTO_USER_API
1412	default y
1413	help
1414	  Allow obsolete cryptographic algorithms to be selected that have
1415	  already been phased out from internal use by the kernel, and are
1416	  only useful for userspace clients that still rely on them.
1417
1418endmenu
1419
1420if !KMSAN # avoid false positives from assembly
1421if ARM
1422source "arch/arm/crypto/Kconfig"
1423endif
1424if ARM64
1425source "arch/arm64/crypto/Kconfig"
1426endif
1427if LOONGARCH
1428source "arch/loongarch/crypto/Kconfig"
1429endif
1430if MIPS
1431source "arch/mips/crypto/Kconfig"
1432endif
1433if PPC
1434source "arch/powerpc/crypto/Kconfig"
1435endif
1436if RISCV
1437source "arch/riscv/crypto/Kconfig"
1438endif
1439if S390
1440source "arch/s390/crypto/Kconfig"
1441endif
1442if SPARC
1443source "arch/sparc/crypto/Kconfig"
1444endif
1445if X86
1446source "arch/x86/crypto/Kconfig"
1447endif
1448endif
1449
1450source "drivers/crypto/Kconfig"
1451source "crypto/asymmetric_keys/Kconfig"
1452source "certs/Kconfig"
1453source "crypto/krb5/Kconfig"
1454
1455endif	# if CRYPTO
Configure Feed

Configure Feed
