1 # SPDX-License-Identifier: GPL-2.0
3 # Generic algorithms support
9 # async_tx api: hardware offloaded memory transfer/transform support
11 source "crypto/async_tx/Kconfig"
14 # Cryptographic API Configuration
17 tristate "Cryptographic API"
18 select CRYPTO_LIB_UTILS
20 This option provides the core Cryptographic API.
24 menu "Crypto core or helper"
27 bool "FIPS 200 compliance"
28 depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
29 depends on (MODULE_SIG || !MODULES)
31 This option enables the fips boot option which is
32 required if you want the system to operate in a FIPS 200
33 certification. You should say no unless you know what
36 config CRYPTO_FIPS_NAME
37 string "FIPS Module Name"
38 default "Linux Kernel Cryptographic API"
39 depends on CRYPTO_FIPS
41 This option sets the FIPS Module name reported by the Crypto API via
42 the /proc/sys/crypto/fips_name file.
44 config CRYPTO_FIPS_CUSTOM_VERSION
45 bool "Use Custom FIPS Module Version"
46 depends on CRYPTO_FIPS
49 config CRYPTO_FIPS_VERSION
50 string "FIPS Module Version"
52 depends on CRYPTO_FIPS_CUSTOM_VERSION
54 This option provides the ability to override the FIPS Module Version.
55 By default the KERNELRELEASE value is used.
61 This option provides the API for cryptographic algorithms.
84 config CRYPTO_SKCIPHER
86 select CRYPTO_SKCIPHER2
89 config CRYPTO_SKCIPHER2
100 select CRYPTO_ALGAPI2
109 select CRYPTO_ALGAPI2
111 config CRYPTO_RNG_DEFAULT
113 select CRYPTO_DRBG_MENU
115 config CRYPTO_AKCIPHER2
117 select CRYPTO_ALGAPI2
119 config CRYPTO_AKCIPHER
121 select CRYPTO_AKCIPHER2
126 select CRYPTO_ALGAPI2
135 select CRYPTO_ALGAPI2
143 config CRYPTO_MANAGER
144 tristate "Cryptographic algorithm manager"
145 select CRYPTO_MANAGER2
147 Create default cryptographic template instantiations such as
150 config CRYPTO_MANAGER2
151 def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
154 select CRYPTO_AKCIPHER2
159 select CRYPTO_SKCIPHER2
162 tristate "Userspace cryptographic algorithm configuration"
164 select CRYPTO_MANAGER
166 Userspace configuration for cryptographic instantiations such as
169 config CRYPTO_MANAGER_DISABLE_TESTS
170 bool "Disable run-time self tests"
173 Disable run-time self tests that normally take place at
174 algorithm registration.
176 config CRYPTO_MANAGER_EXTRA_TESTS
177 bool "Enable extra run-time crypto self tests"
178 depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER
180 Enable extra run-time self tests of registered crypto algorithms,
181 including randomized fuzz tests.
183 This is intended for developer use only, as these tests take much
184 longer to run than the normal self tests.
187 tristate "Null algorithms"
190 These are 'Null' algorithms, used by IPsec, which do nothing.
194 select CRYPTO_ALGAPI2
195 select CRYPTO_SKCIPHER2
199 tristate "Parallel crypto engine"
202 select CRYPTO_MANAGER
205 This converts an arbitrary crypto algorithm into a parallel
206 algorithm that executes in kernel threads.
209 tristate "Software async crypto daemon"
210 select CRYPTO_SKCIPHER
212 select CRYPTO_MANAGER
214 This is a generic software asynchronous crypto daemon that
215 converts an arbitrary synchronous software crypto algorithm
216 into an asynchronous algorithm that executes in a kernel thread.
218 config CRYPTO_AUTHENC
219 tristate "Authenc support"
221 select CRYPTO_SKCIPHER
222 select CRYPTO_MANAGER
226 Authenc: Combined mode wrapper for IPsec.
228 This is required for IPSec ESP (XFRM_ESP).
231 tristate "Testing module"
232 depends on m || EXPERT
233 select CRYPTO_MANAGER
235 Quick & dirty crypto test module.
246 menu "Public-key cryptography"
249 tristate "RSA (Rivest-Shamir-Adleman)"
250 select CRYPTO_AKCIPHER
251 select CRYPTO_MANAGER
255 RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017)
258 tristate "DH (Diffie-Hellman)"
262 DH (Diffie-Hellman) key exchange algorithm
264 config CRYPTO_DH_RFC7919_GROUPS
265 bool "RFC 7919 FFDHE groups"
267 select CRYPTO_RNG_DEFAULT
269 FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups
272 Support these finite-field groups in DH key exchanges:
273 - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
279 select CRYPTO_RNG_DEFAULT
282 tristate "ECDH (Elliptic Curve Diffie-Hellman)"
286 ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm
287 using curves P-192, P-256, and P-384 (FIPS 186)
290 tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)"
292 select CRYPTO_AKCIPHER
295 ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186,
297 using curves P-192, P-256, and P-384
299 Only signature verification is implemented.
302 tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)"
304 select CRYPTO_AKCIPHER
305 select CRYPTO_STREEBOG
309 Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
310 RFC 7091, ISO/IEC 14888-3)
312 One of the Russian cryptographic standard algorithms (called GOST
313 algorithms). Only signature verification is implemented.
316 tristate "SM2 (ShangMi 2)"
318 select CRYPTO_AKCIPHER
319 select CRYPTO_MANAGER
323 SM2 (ShangMi 2) public key algorithm
325 Published by State Encryption Management Bureau, China,
326 as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012.
329 https://datatracker.ietf.org/doc/draft-shen-sm2-ecdsa/
330 http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml
331 http://www.gmbz.org.cn/main/bzlb.html
333 config CRYPTO_CURVE25519
334 tristate "Curve25519"
336 select CRYPTO_LIB_CURVE25519_GENERIC
338 Curve25519 elliptic curve (RFC7748)
345 tristate "AES (Advanced Encryption Standard)"
347 select CRYPTO_LIB_AES
349 AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
351 Rijndael appears to be consistently a very good performer in
352 both hardware and software across a wide range of computing
353 environments regardless of its use in feedback or non-feedback
354 modes. Its key setup time is excellent, and its key agility is
355 good. Rijndael's very low memory requirements make it very well
356 suited for restricted-space environments, in which it also
357 demonstrates excellent performance. Rijndael's operations are
358 among the easiest to defend against power and timing attacks.
360 The AES specifies three key sizes: 128, 192 and 256 bits
363 tristate "AES (Advanced Encryption Standard) (fixed time)"
365 select CRYPTO_LIB_AES
367 AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
369 This is a generic implementation of AES that attempts to eliminate
370 data dependent latencies as much as possible without affecting
371 performance too much. It is intended for use by the generic CCM
372 and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
373 solely on encryption (although decryption is supported as well, but
374 with a more dramatic performance hit)
376 Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
377 8 for decryption), this implementation only uses just two S-boxes of
378 256 bytes each, and attempts to eliminate data dependent latencies by
379 prefetching the entire table into the cache at the start of each
380 block. Interrupts are also disabled to avoid races where cachelines
381 are evicted when the CPU is interrupted to do something else.
385 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
388 Anubis cipher algorithm
390 Anubis is a variable key length cipher which can use keys from
391 128 bits to 320 bits in length. It was evaluated as a entrant
392 in the NESSIE competition.
394 See https://web.archive.org/web/20160606112246/http://www.larc.usp.br/~pbarreto/AnubisPage.html
395 for further information.
401 ARIA cipher algorithm (RFC5794)
403 ARIA is a standard encryption algorithm of the Republic of Korea.
404 The ARIA specifies three key sizes and rounds.
410 https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do
412 config CRYPTO_BLOWFISH
415 select CRYPTO_BLOWFISH_COMMON
417 Blowfish cipher algorithm, by Bruce Schneier
419 This is a variable key length cipher which can use keys from 32
420 bits to 448 bits in length. It's fast, simple and specifically
421 designed for use on "large microprocessors".
423 See https://www.schneier.com/blowfish.html for further information.
425 config CRYPTO_BLOWFISH_COMMON
428 Common parts of the Blowfish cipher algorithm shared by the
429 generic c and the assembler implementations.
431 config CRYPTO_CAMELLIA
435 Camellia cipher algorithms (ISO/IEC 18033-3)
437 Camellia is a symmetric key block cipher developed jointly
438 at NTT and Mitsubishi Electric Corporation.
440 The Camellia specifies three key sizes: 128, 192 and 256 bits.
442 See https://info.isl.ntt.co.jp/crypt/eng/camellia/ for further information.
444 config CRYPTO_CAST_COMMON
447 Common parts of the CAST cipher algorithms shared by the
448 generic c and the assembler implementations.
451 tristate "CAST5 (CAST-128)"
453 select CRYPTO_CAST_COMMON
455 CAST5 (CAST-128) cipher algorithm (RFC2144, ISO/IEC 18033-3)
458 tristate "CAST6 (CAST-256)"
460 select CRYPTO_CAST_COMMON
462 CAST6 (CAST-256) encryption algorithm (RFC2612)
465 tristate "DES and Triple DES EDE"
467 select CRYPTO_LIB_DES
469 DES (Data Encryption Standard)(FIPS 46-2, ISO/IEC 18033-3) and
470 Triple DES EDE (Encrypt/Decrypt/Encrypt) (FIPS 46-3, ISO/IEC 18033-3)
476 select CRYPTO_SKCIPHER
478 FCrypt algorithm used by RxRPC
480 See https://ota.polyonymo.us/fcrypt-paper.txt
484 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
487 Khazad cipher algorithm
489 Khazad was a finalist in the initial NESSIE competition. It is
490 an algorithm optimized for 64-bit processors with good performance
491 on 32-bit processors. Khazad uses an 128 bit key size.
493 See https://web.archive.org/web/20171011071731/http://www.larc.usp.br/~pbarreto/KhazadPage.html
494 for further information.
498 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
501 SEED cipher algorithm (RFC4269, ISO/IEC 18033-3)
503 SEED is a 128-bit symmetric key block cipher that has been
504 developed by KISA (Korea Information Security Agency) as a
505 national standard encryption algorithm of the Republic of Korea.
506 It is a 16 round block cipher with the key size of 128 bit.
508 See https://seed.kisa.or.kr/kisa/algorithm/EgovSeedInfo.do
509 for further information.
511 config CRYPTO_SERPENT
515 Serpent cipher algorithm, by Anderson, Biham & Knudsen
517 Keys are allowed to be from 0 to 256 bits in length, in steps
520 See https://www.cl.cam.ac.uk/~rja14/serpent.html for further information.
525 config CRYPTO_SM4_GENERIC
526 tristate "SM4 (ShangMi 4)"
530 SM4 cipher algorithms (OSCCA GB/T 32907-2016,
531 ISO/IEC 18033-3:2010/Amd 1:2021)
533 SM4 (GBT.32907-2016) is a cryptographic standard issued by the
534 Organization of State Commercial Administration of China (OSCCA)
535 as an authorized cryptographic algorithms for the use within China.
537 SMS4 was originally created for use in protecting wireless
538 networks, and is mandated in the Chinese National Standard for
539 Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
542 The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
543 standardized through TC 260 of the Standardization Administration
544 of the People's Republic of China (SAC).
546 The input, output, and key of SMS4 are each 128 bits.
548 See https://eprint.iacr.org/2008/329.pdf for further information.
553 tristate "TEA, XTEA and XETA"
554 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
557 TEA (Tiny Encryption Algorithm) cipher algorithms
559 Tiny Encryption Algorithm is a simple cipher that uses
560 many rounds for security. It is very fast and uses
563 Xtendend Tiny Encryption Algorithm is a modification to
564 the TEA algorithm to address a potential key weakness
565 in the TEA algorithm.
567 Xtendend Encryption Tiny Algorithm is a mis-implementation
568 of the XTEA algorithm for compatibility purposes.
570 config CRYPTO_TWOFISH
573 select CRYPTO_TWOFISH_COMMON
575 Twofish cipher algorithm
577 Twofish was submitted as an AES (Advanced Encryption Standard)
578 candidate cipher by researchers at CounterPane Systems. It is a
579 16 round block cipher supporting key sizes of 128, 192, and 256
582 See https://www.schneier.com/twofish.html for further information.
584 config CRYPTO_TWOFISH_COMMON
587 Common parts of the Twofish cipher algorithm shared by the
588 generic c and the assembler implementations.
592 menu "Length-preserving ciphers and modes"
594 config CRYPTO_ADIANTUM
596 select CRYPTO_CHACHA20
597 select CRYPTO_LIB_POLY1305_GENERIC
598 select CRYPTO_NHPOLY1305
599 select CRYPTO_MANAGER
601 Adiantum tweakable, length-preserving encryption mode
603 Designed for fast and secure disk encryption, especially on
604 CPUs without dedicated crypto instructions. It encrypts
605 each sector using the XChaCha12 stream cipher, two passes of
606 an ε-almost-∆-universal hash function, and an invocation of
607 the AES-256 block cipher on a single 16-byte block. On CPUs
608 without AES instructions, Adiantum is much faster than
611 Adiantum's security is provably reducible to that of its
612 underlying stream and block ciphers, subject to a security
613 bound. Unlike XTS, Adiantum is a true wide-block encryption
614 mode, so it actually provides an even stronger notion of
615 security than XTS, subject to the security bound.
620 tristate "ARC4 (Alleged Rivest Cipher 4)"
621 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
622 select CRYPTO_SKCIPHER
623 select CRYPTO_LIB_ARC4
625 ARC4 cipher algorithm
627 ARC4 is a stream cipher using keys ranging from 8 bits to 2048
628 bits in length. This algorithm is required for driver-based
629 WEP, but it should not be for other purposes because of the
630 weakness of the algorithm.
632 config CRYPTO_CHACHA20
634 select CRYPTO_LIB_CHACHA_GENERIC
635 select CRYPTO_SKCIPHER
637 The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms
639 ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
640 Bernstein and further specified in RFC7539 for use in IETF protocols.
641 This is the portable C implementation of ChaCha20. See
642 https://cr.yp.to/chacha/chacha-20080128.pdf for further information.
644 XChaCha20 is the application of the XSalsa20 construction to ChaCha20
645 rather than to Salsa20. XChaCha20 extends ChaCha20's nonce length
646 from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
647 while provably retaining ChaCha20's security. See
648 https://cr.yp.to/snuffle/xsalsa-20081128.pdf for further information.
650 XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
651 reduced security margin but increased performance. It can be needed
652 in some performance-sensitive scenarios.
655 tristate "CBC (Cipher Block Chaining)"
656 select CRYPTO_SKCIPHER
657 select CRYPTO_MANAGER
659 CBC (Cipher Block Chaining) mode (NIST SP800-38A)
661 This block cipher mode is required for IPSec ESP (XFRM_ESP).
664 tristate "CFB (Cipher Feedback)"
665 select CRYPTO_SKCIPHER
666 select CRYPTO_MANAGER
668 CFB (Cipher Feedback) mode (NIST SP800-38A)
670 This block cipher mode is required for TPM2 Cryptography.
673 tristate "CTR (Counter)"
674 select CRYPTO_SKCIPHER
675 select CRYPTO_MANAGER
677 CTR (Counter) mode (NIST SP800-38A)
680 tristate "CTS (Cipher Text Stealing)"
681 select CRYPTO_SKCIPHER
682 select CRYPTO_MANAGER
684 CBC-CS3 variant of CTS (Cipher Text Stealing) (NIST
685 Addendum to SP800-38A (October 2010))
687 This mode is required for Kerberos gss mechanism support
691 tristate "ECB (Electronic Codebook)"
692 select CRYPTO_SKCIPHER
693 select CRYPTO_MANAGER
695 ECB (Electronic Codebook) mode (NIST SP800-38A)
700 select CRYPTO_POLYVAL
701 select CRYPTO_MANAGER
703 HCTR2 length-preserving encryption mode
705 A mode for storage encryption that is efficient on processors with
706 instructions to accelerate AES and carryless multiplication, e.g.
707 x86 processors with AES-NI and CLMUL, and ARM processors with the
708 ARMv8 crypto extensions.
710 See https://eprint.iacr.org/2021/1441
712 config CRYPTO_KEYWRAP
713 tristate "KW (AES Key Wrap)"
714 select CRYPTO_SKCIPHER
715 select CRYPTO_MANAGER
717 KW (AES Key Wrap) authenticated encryption mode (NIST SP800-38F
718 and RFC3394) without padding.
721 tristate "LRW (Liskov Rivest Wagner)"
722 select CRYPTO_LIB_GF128MUL
723 select CRYPTO_SKCIPHER
724 select CRYPTO_MANAGER
727 LRW (Liskov Rivest Wagner) mode
729 A tweakable, non malleable, non movable
730 narrow block cipher mode for dm-crypt. Use it with cipher
731 specification string aes-lrw-benbi, the key must be 256, 320 or 384.
732 The first 128, 192 or 256 bits in the key are used for AES and the
733 rest is used to tie each cipher block to its logical position.
735 See https://people.csail.mit.edu/rivest/pubs/LRW02.pdf
738 tristate "OFB (Output Feedback)"
739 select CRYPTO_SKCIPHER
740 select CRYPTO_MANAGER
742 OFB (Output Feedback) mode (NIST SP800-38A)
744 This mode makes a block cipher into a synchronous
745 stream cipher. It generates keystream blocks, which are then XORed
746 with the plaintext blocks to get the ciphertext. Flipping a bit in the
747 ciphertext produces a flipped bit in the plaintext at the same
748 location. This property allows many error correcting codes to function
749 normally even when applied before encryption.
752 tristate "PCBC (Propagating Cipher Block Chaining)"
753 select CRYPTO_SKCIPHER
754 select CRYPTO_MANAGER
756 PCBC (Propagating Cipher Block Chaining) mode
758 This block cipher mode is required for RxRPC.
762 select CRYPTO_SKCIPHER
763 select CRYPTO_MANAGER
765 XCTR (XOR Counter) mode for HCTR2
767 This blockcipher mode is a variant of CTR mode using XORs and little-endian
768 addition rather than big-endian arithmetic.
770 XCTR mode is used to implement HCTR2.
773 tristate "XTS (XOR Encrypt XOR with ciphertext stealing)"
774 select CRYPTO_SKCIPHER
775 select CRYPTO_MANAGER
778 XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
781 Use with aes-xts-plain, key size 256, 384 or 512 bits. This
782 implementation currently can't handle a sectorsize which is not a
783 multiple of 16 bytes.
785 config CRYPTO_NHPOLY1305
788 select CRYPTO_LIB_POLY1305_GENERIC
792 menu "AEAD (authenticated encryption with associated data) ciphers"
794 config CRYPTO_AEGIS128
797 select CRYPTO_AES # for AES S-box tables
799 AEGIS-128 AEAD algorithm
801 config CRYPTO_AEGIS128_SIMD
802 bool "AEGIS-128 (arm NEON, arm64 NEON)"
803 depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
806 AEGIS-128 AEAD algorithm
808 Architecture: arm or arm64 using:
809 - NEON (Advanced SIMD) extension
811 config CRYPTO_CHACHA20POLY1305
812 tristate "ChaCha20-Poly1305"
813 select CRYPTO_CHACHA20
814 select CRYPTO_POLY1305
816 select CRYPTO_MANAGER
818 ChaCha20 stream cipher and Poly1305 authenticator combined
822 tristate "CCM (Counter with Cipher Block Chaining-MAC)"
826 select CRYPTO_MANAGER
828 CCM (Counter with Cipher Block Chaining-Message Authentication Code)
829 authenticated encryption mode (NIST SP800-38C)
832 tristate "GCM (Galois/Counter Mode) and GMAC (GCM MAC)"
837 select CRYPTO_MANAGER
839 GCM (Galois/Counter Mode) authenticated encryption mode and GMAC
840 (GCM Message Authentication Code) (NIST SP800-38D)
842 This is required for IPSec ESP (XFRM_ESP).
848 select CRYPTO_MANAGER
849 select CRYPTO_RNG_DEFAULT
852 tristate "Sequence Number IV Generator"
855 Sequence Number IV generator
857 This IV generator generates an IV based on a sequence number by
858 xoring it with a salt. This algorithm is mainly useful for CTR.
860 This is required for IPsec ESP (XFRM_ESP).
862 config CRYPTO_ECHAINIV
863 tristate "Encrypted Chain IV Generator"
866 Encrypted Chain IV generator
868 This IV generator generates an IV based on the encryption of
869 a sequence number xored with a salt. This is the default
873 tristate "Encrypted Salt-Sector IV Generator"
874 select CRYPTO_AUTHENC
876 Encrypted Salt-Sector IV generator
878 This IV generator is used in some cases by fscrypt and/or
879 dm-crypt. It uses the hash of the block encryption key as the
880 symmetric key for a block encryption pass applied to the input
881 IV, making low entropy IV sources more suitable for block
884 This driver implements a crypto API template that can be
885 instantiated either as an skcipher or as an AEAD (depending on the
886 type of the first template argument), and which defers encryption
887 and decryption requests to the encapsulated cipher after applying
888 ESSIV to the input IV. Note that in the AEAD case, it is assumed
889 that the keys are presented in the same format used by the authenc
890 template, and that the IV appears at the end of the authenticated
891 associated data (AAD) region (which is how dm-crypt uses it.)
893 Note that the use of ESSIV is not recommended for new deployments,
894 and so this only needs to be enabled when interoperability with
895 existing encrypted volumes of filesystems is required, or when
896 building for a particular system that requires it (e.g., when
897 the SoC in question has accelerated CBC but not XTS, making CBC
898 combined with ESSIV the only feasible mode for h/w accelerated
903 menu "Hashes, digests, and MACs"
905 config CRYPTO_BLAKE2B
909 BLAKE2b cryptographic hash function (RFC 7693)
911 BLAKE2b is optimized for 64-bit platforms and can produce digests
912 of any size between 1 and 64 bytes. The keyed hash is also implemented.
914 This module provides the following algorithms:
920 Used by the btrfs filesystem.
922 See https://blake2.net for further information.
925 tristate "CMAC (Cipher-based MAC)"
927 select CRYPTO_MANAGER
929 CMAC (Cipher-based Message Authentication Code) authentication
930 mode (NIST SP800-38B and IETF RFC4493)
935 select CRYPTO_LIB_GF128MUL
937 GCM GHASH function (NIST SP800-38D)
940 tristate "HMAC (Keyed-Hash MAC)"
942 select CRYPTO_MANAGER
944 HMAC (Keyed-Hash Message Authentication Code) (FIPS 198 and
947 This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
953 MD4 message digest algorithm (RFC1320)
959 MD5 message digest algorithm (RFC1321)
961 config CRYPTO_MICHAEL_MIC
962 tristate "Michael MIC"
965 Michael MIC (Message Integrity Code) (IEEE 802.11i)
967 Defined by the IEEE 802.11i TKIP (Temporal Key Integrity Protocol),
968 known as WPA (Wif-Fi Protected Access).
970 This algorithm is required for TKIP, but it should not be used for
971 other purposes because of the weakness of the algorithm.
973 config CRYPTO_POLYVAL
976 select CRYPTO_LIB_GF128MUL
978 POLYVAL hash function for HCTR2
980 This is used in HCTR2. It is not a general-purpose
981 cryptographic hash function.
983 config CRYPTO_POLY1305
986 select CRYPTO_LIB_POLY1305_GENERIC
988 Poly1305 authenticator algorithm (RFC7539)
990 Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
991 It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
992 in IETF protocols. This is the portable C implementation of Poly1305.
995 tristate "RIPEMD-160"
998 RIPEMD-160 hash function (ISO/IEC 10118-3)
1000 RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
1001 to be used as a secure replacement for the 128-bit hash functions
1002 MD4, MD5 and its predecessor RIPEMD
1003 (not to be confused with RIPEMD-128).
1005 Its speed is comparable to SHA-1 and there are no known attacks
1008 Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
1009 See https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
1010 for further information.
1015 select CRYPTO_LIB_SHA1
1017 SHA-1 secure hash algorithm (FIPS 180, ISO/IEC 10118-3)
1019 config CRYPTO_SHA256
1020 tristate "SHA-224 and SHA-256"
1022 select CRYPTO_LIB_SHA256
1024 SHA-224 and SHA-256 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
1026 This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
1027 Used by the btrfs filesystem, Ceph, NFS, and SMB.
1029 config CRYPTO_SHA512
1030 tristate "SHA-384 and SHA-512"
1033 SHA-384 and SHA-512 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
1039 SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3)
1044 config CRYPTO_SM3_GENERIC
1045 tristate "SM3 (ShangMi 3)"
1049 SM3 (ShangMi 3) secure hash function (OSCCA GM/T 0004-2012, ISO/IEC 10118-3)
1051 This is part of the Chinese Commercial Cryptography suite.
1054 http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
1055 https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
1057 config CRYPTO_STREEBOG
1061 Streebog Hash Function (GOST R 34.11-2012, RFC 6986, ISO/IEC 10118-3)
1063 This is one of the Russian cryptographic standard algorithms (called
1064 GOST algorithms). This setting enables two hash algorithms with
1065 256 and 512 bits output.
1068 https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1069 https://tools.ietf.org/html/rfc6986
1074 select CRYPTO_MANAGER
1076 VMAC is a message authentication algorithm designed for
1077 very high speed on 64-bit architectures.
1079 See https://fastcrypto.org/vmac for further information.
1082 tristate "Whirlpool"
1085 Whirlpool hash function (ISO/IEC 10118-3)
1087 512, 384 and 256-bit hashes.
1089 Whirlpool-512 is part of the NESSIE cryptographic primitives.
1091 See https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
1092 for further information.
1095 tristate "XCBC-MAC (Extended Cipher Block Chaining MAC)"
1097 select CRYPTO_MANAGER
1099 XCBC-MAC (Extended Cipher Block Chaining Message Authentication
1102 config CRYPTO_XXHASH
1107 xxHash non-cryptographic hash algorithm
1109 Extremely fast, working at speeds close to RAM limits.
1111 Used by the btrfs filesystem.
1115 menu "CRCs (cyclic redundancy checks)"
1117 config CRYPTO_CRC32C
1122 CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720)
1124 A 32-bit CRC (cyclic redundancy check) with a polynomial defined
1125 by G. Castagnoli, S. Braeuer and M. Herrman in "Optimization of Cyclic
1126 Redundancy-Check Codes with 24 and 32 Parity Bits", IEEE Transactions
1127 on Communications, Vol. 41, No. 6, June 1993, selected for use with
1130 Used by btrfs, ext4, jbd2, NVMeoF/TCP, and iSCSI.
1137 CRC32 CRC algorithm (IEEE 802.3)
1139 Used by RoCEv2 and f2fs.
1141 config CRYPTO_CRCT10DIF
1142 tristate "CRCT10DIF"
1145 CRC16 CRC algorithm used for the T10 (SCSI) Data Integrity Field (DIF)
1147 CRC algorithm used by the SCSI Block Commands standard.
1149 config CRYPTO_CRC64_ROCKSOFT
1150 tristate "CRC64 based on Rocksoft Model algorithm"
1154 CRC64 CRC algorithm based on the Rocksoft Model CRC Algorithm
1156 Used by the NVMe implementation of T10 DIF (BLK_DEV_INTEGRITY)
1158 See https://zlib.net/crc_v3.txt
1164 config CRYPTO_DEFLATE
1166 select CRYPTO_ALGAPI
1167 select CRYPTO_ACOMP2
1171 Deflate compression algorithm (RFC1951)
1173 Used by IPSec with the IPCOMP protocol (RFC3173, RFC2394)
1177 select CRYPTO_ALGAPI
1178 select CRYPTO_ACOMP2
1180 select LZO_DECOMPRESS
1182 LZO compression algorithm
1184 See https://www.oberhumer.com/opensource/lzo/ for further information.
1188 select CRYPTO_ALGAPI
1189 select CRYPTO_ACOMP2
1191 select 842_DECOMPRESS
1193 842 compression algorithm by IBM
1195 See https://github.com/plauth/lib842 for further information.
1199 select CRYPTO_ALGAPI
1200 select CRYPTO_ACOMP2
1202 select LZ4_DECOMPRESS
1204 LZ4 compression algorithm
1206 See https://github.com/lz4/lz4 for further information.
1210 select CRYPTO_ALGAPI
1211 select CRYPTO_ACOMP2
1212 select LZ4HC_COMPRESS
1213 select LZ4_DECOMPRESS
1215 LZ4 high compression mode algorithm
1217 See https://github.com/lz4/lz4 for further information.
1221 select CRYPTO_ALGAPI
1222 select CRYPTO_ACOMP2
1223 select ZSTD_COMPRESS
1224 select ZSTD_DECOMPRESS
1226 zstd compression algorithm
1228 See https://github.com/facebook/zstd for further information.
1232 menu "Random number generation"
1234 config CRYPTO_ANSI_CPRNG
1235 tristate "ANSI PRNG (Pseudo Random Number Generator)"
1239 Pseudo RNG (random number generator) (ANSI X9.31 Appendix A.2.4)
1241 This uses the AES cipher algorithm.
1243 Note that this option must be enabled if CRYPTO_FIPS is selected
1245 menuconfig CRYPTO_DRBG_MENU
1246 tristate "NIST SP800-90A DRBG (Deterministic Random Bit Generator)"
1248 DRBG (Deterministic Random Bit Generator) (NIST SP800-90A)
1250 In the following submenu, one or more of the DRBG types must be selected.
1254 config CRYPTO_DRBG_HMAC
1258 select CRYPTO_SHA512
1260 config CRYPTO_DRBG_HASH
1262 select CRYPTO_SHA256
1264 Hash_DRBG variant as defined in NIST SP800-90A.
1266 This uses the SHA-1, SHA-256, SHA-384, or SHA-512 hash algorithms.
1268 config CRYPTO_DRBG_CTR
1273 CTR_DRBG variant as defined in NIST SP800-90A.
1275 This uses the AES cipher algorithm with the counter block mode.
1279 default CRYPTO_DRBG_MENU
1281 select CRYPTO_JITTERENTROPY
1283 endif # if CRYPTO_DRBG_MENU
1285 config CRYPTO_JITTERENTROPY
1286 tristate "CPU Jitter Non-Deterministic RNG (Random Number Generator)"
1290 CPU Jitter RNG (Random Number Generator) from the Jitterentropy library
1292 A non-physical non-deterministic ("true") RNG (e.g., an entropy source
1293 compliant with NIST SP800-90B) intended to provide a seed to a
1294 deterministic RNG (e.g. per NIST SP800-90C).
1295 This RNG does not perform any cryptographic whitening of the generated
1297 See https://www.chronox.de/jent.html
1299 config CRYPTO_JITTERENTROPY_TESTINTERFACE
1300 bool "CPU Jitter RNG Test Interface"
1301 depends on CRYPTO_JITTERENTROPY
1303 The test interface allows a privileged process to capture
1304 the raw unconditioned high resolution time stamp noise that
1305 is collected by the Jitter RNG for statistical analysis. As
1306 this data is used at the same time to generate random bits,
1307 the Jitter RNG operates in an insecure mode as long as the
1308 recording is enabled. This interface therefore is only
1309 intended for testing purposes and is not suitable for
1312 The raw noise data can be obtained using the jent_raw_hires
1313 debugfs file. Using the option
1314 jitterentropy_testing.boot_raw_hires_test=1 the raw noise of
1315 the first 1000 entropy events since boot can be sampled.
1317 If unsure, select N.
1319 config CRYPTO_KDF800108_CTR
1322 select CRYPTO_SHA256
1325 menu "Userspace interface"
1327 config CRYPTO_USER_API
1330 config CRYPTO_USER_API_HASH
1331 tristate "Hash algorithms"
1334 select CRYPTO_USER_API
1336 Enable the userspace interface for hash algorithms.
1338 See Documentation/crypto/userspace-if.rst and
1339 https://www.chronox.de/libkcapi/html/index.html
1341 config CRYPTO_USER_API_SKCIPHER
1342 tristate "Symmetric key cipher algorithms"
1344 select CRYPTO_SKCIPHER
1345 select CRYPTO_USER_API
1347 Enable the userspace interface for symmetric key cipher algorithms.
1349 See Documentation/crypto/userspace-if.rst and
1350 https://www.chronox.de/libkcapi/html/index.html
1352 config CRYPTO_USER_API_RNG
1353 tristate "RNG (random number generator) algorithms"
1356 select CRYPTO_USER_API
1358 Enable the userspace interface for RNG (random number generator)
1361 See Documentation/crypto/userspace-if.rst and
1362 https://www.chronox.de/libkcapi/html/index.html
1364 config CRYPTO_USER_API_RNG_CAVP
1365 bool "Enable CAVP testing of DRBG"
1366 depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
1368 Enable extra APIs in the userspace interface for NIST CAVP
1369 (Cryptographic Algorithm Validation Program) testing:
1370 - resetting DRBG entropy
1371 - providing Additional Data
1373 This should only be enabled for CAVP testing. You should say
1374 no unless you know what this is.
1376 config CRYPTO_USER_API_AEAD
1377 tristate "AEAD cipher algorithms"
1380 select CRYPTO_SKCIPHER
1382 select CRYPTO_USER_API
1384 Enable the userspace interface for AEAD cipher algorithms.
1386 See Documentation/crypto/userspace-if.rst and
1387 https://www.chronox.de/libkcapi/html/index.html
1389 config CRYPTO_USER_API_ENABLE_OBSOLETE
1390 bool "Obsolete cryptographic algorithms"
1391 depends on CRYPTO_USER_API
1394 Allow obsolete cryptographic algorithms to be selected that have
1395 already been phased out from internal use by the kernel, and are
1396 only useful for userspace clients that still rely on them.
1399 bool "Crypto usage statistics"
1400 depends on CRYPTO_USER
1402 Enable the gathering of crypto stats.
1404 Enabling this option reduces the performance of the crypto API. It
1405 should only be enabled when there is actually a use case for it.
1407 This collects data sizes, numbers of requests, and numbers
1408 of errors processed by:
1409 - AEAD ciphers (encrypt, decrypt)
1410 - asymmetric key ciphers (encrypt, decrypt, verify, sign)
1411 - symmetric key ciphers (encrypt, decrypt)
1412 - compression algorithms (compress, decompress)
1413 - hash algorithms (hash)
1414 - key-agreement protocol primitives (setsecret, generate
1415 public key, compute shared secret)
1416 - RNG (generate, seed)
1420 config CRYPTO_HASH_INFO
1423 if !KMSAN # avoid false positives from assembly
1425 source "arch/arm/crypto/Kconfig"
1428 source "arch/arm64/crypto/Kconfig"
1431 source "arch/loongarch/crypto/Kconfig"
1434 source "arch/mips/crypto/Kconfig"
1437 source "arch/powerpc/crypto/Kconfig"
1440 source "arch/s390/crypto/Kconfig"
1443 source "arch/sparc/crypto/Kconfig"
1446 source "arch/x86/crypto/Kconfig"
1450 source "drivers/crypto/Kconfig"
1451 source "crypto/asymmetric_keys/Kconfig"
1452 source "certs/Kconfig"
projects / platform / kernel / linux-rpi.git / blob