1 # SPDX-License-Identifier: GPL-2.0
3 # Generic algorithms support
9 # async_tx api: hardware offloaded memory transfer/transform support
11 source "crypto/async_tx/Kconfig"
14 # Cryptographic API Configuration
17 tristate "Cryptographic API"
18 select CRYPTO_LIB_UTILS
20 This option provides the core Cryptographic API.
24 menu "Crypto core or helper"
27 bool "FIPS 200 compliance"
28 depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
29 depends on (MODULE_SIG || !MODULES)
31 This option enables the fips boot option which is
32 required if you want the system to operate in a FIPS 200
33 certification. You should say no unless you know what
36 config CRYPTO_FIPS_NAME
37 string "FIPS Module Name"
38 default "Linux Kernel Cryptographic API"
39 depends on CRYPTO_FIPS
41 This option sets the FIPS Module name reported by the Crypto API via
42 the /proc/sys/crypto/fips_name file.
44 config CRYPTO_FIPS_CUSTOM_VERSION
45 bool "Use Custom FIPS Module Version"
46 depends on CRYPTO_FIPS
49 config CRYPTO_FIPS_VERSION
50 string "FIPS Module Version"
52 depends on CRYPTO_FIPS_CUSTOM_VERSION
54 This option provides the ability to override the FIPS Module Version.
55 By default the KERNELRELEASE value is used.
61 This option provides the API for cryptographic algorithms.
75 config CRYPTO_SKCIPHER
77 select CRYPTO_SKCIPHER2
80 config CRYPTO_SKCIPHER2
100 select CRYPTO_ALGAPI2
102 config CRYPTO_RNG_DEFAULT
104 select CRYPTO_DRBG_MENU
106 config CRYPTO_AKCIPHER2
108 select CRYPTO_ALGAPI2
110 config CRYPTO_AKCIPHER
112 select CRYPTO_AKCIPHER2
117 select CRYPTO_ALGAPI2
126 select CRYPTO_ALGAPI2
134 config CRYPTO_MANAGER
135 tristate "Cryptographic algorithm manager"
136 select CRYPTO_MANAGER2
138 Create default cryptographic template instantiations such as
141 config CRYPTO_MANAGER2
142 def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
145 select CRYPTO_AKCIPHER2
149 select CRYPTO_SKCIPHER2
152 tristate "Userspace cryptographic algorithm configuration"
154 select CRYPTO_MANAGER
156 Userspace configuration for cryptographic instantiations such as
159 config CRYPTO_MANAGER_DISABLE_TESTS
160 bool "Disable run-time self tests"
163 Disable run-time self tests that normally take place at
164 algorithm registration.
166 config CRYPTO_MANAGER_EXTRA_TESTS
167 bool "Enable extra run-time crypto self tests"
168 depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER
170 Enable extra run-time self tests of registered crypto algorithms,
171 including randomized fuzz tests.
173 This is intended for developer use only, as these tests take much
174 longer to run than the normal self tests.
177 tristate "Null algorithms"
180 These are 'Null' algorithms, used by IPsec, which do nothing.
184 select CRYPTO_ALGAPI2
185 select CRYPTO_SKCIPHER2
189 tristate "Parallel crypto engine"
192 select CRYPTO_MANAGER
195 This converts an arbitrary crypto algorithm into a parallel
196 algorithm that executes in kernel threads.
199 tristate "Software async crypto daemon"
200 select CRYPTO_SKCIPHER
202 select CRYPTO_MANAGER
204 This is a generic software asynchronous crypto daemon that
205 converts an arbitrary synchronous software crypto algorithm
206 into an asynchronous algorithm that executes in a kernel thread.
208 config CRYPTO_AUTHENC
209 tristate "Authenc support"
211 select CRYPTO_SKCIPHER
212 select CRYPTO_MANAGER
216 Authenc: Combined mode wrapper for IPsec.
218 This is required for IPSec ESP (XFRM_ESP).
221 tristate "Testing module"
222 depends on m || EXPERT
223 select CRYPTO_MANAGER
225 Quick & dirty crypto test module.
236 menu "Public-key cryptography"
239 tristate "RSA (Rivest-Shamir-Adleman)"
240 select CRYPTO_AKCIPHER
241 select CRYPTO_MANAGER
245 RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017)
248 tristate "DH (Diffie-Hellman)"
252 DH (Diffie-Hellman) key exchange algorithm
254 config CRYPTO_DH_RFC7919_GROUPS
255 bool "RFC 7919 FFDHE groups"
257 select CRYPTO_RNG_DEFAULT
259 FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups
262 Support these finite-field groups in DH key exchanges:
263 - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
269 select CRYPTO_RNG_DEFAULT
272 tristate "ECDH (Elliptic Curve Diffie-Hellman)"
276 ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm
277 using curves P-192, P-256, and P-384 (FIPS 186)
280 tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)"
282 select CRYPTO_AKCIPHER
285 ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186,
287 using curves P-192, P-256, and P-384
289 Only signature verification is implemented.
292 tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)"
294 select CRYPTO_AKCIPHER
295 select CRYPTO_STREEBOG
299 Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
300 RFC 7091, ISO/IEC 14888-3)
302 One of the Russian cryptographic standard algorithms (called GOST
303 algorithms). Only signature verification is implemented.
306 tristate "SM2 (ShangMi 2)"
308 select CRYPTO_AKCIPHER
309 select CRYPTO_MANAGER
313 SM2 (ShangMi 2) public key algorithm
315 Published by State Encryption Management Bureau, China,
316 as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012.
319 https://datatracker.ietf.org/doc/draft-shen-sm2-ecdsa/
320 http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml
321 http://www.gmbz.org.cn/main/bzlb.html
323 config CRYPTO_CURVE25519
324 tristate "Curve25519"
326 select CRYPTO_LIB_CURVE25519_GENERIC
328 Curve25519 elliptic curve (RFC7748)
335 tristate "AES (Advanced Encryption Standard)"
337 select CRYPTO_LIB_AES
339 AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
341 Rijndael appears to be consistently a very good performer in
342 both hardware and software across a wide range of computing
343 environments regardless of its use in feedback or non-feedback
344 modes. Its key setup time is excellent, and its key agility is
345 good. Rijndael's very low memory requirements make it very well
346 suited for restricted-space environments, in which it also
347 demonstrates excellent performance. Rijndael's operations are
348 among the easiest to defend against power and timing attacks.
350 The AES specifies three key sizes: 128, 192 and 256 bits
353 tristate "AES (Advanced Encryption Standard) (fixed time)"
355 select CRYPTO_LIB_AES
357 AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
359 This is a generic implementation of AES that attempts to eliminate
360 data dependent latencies as much as possible without affecting
361 performance too much. It is intended for use by the generic CCM
362 and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
363 solely on encryption (although decryption is supported as well, but
364 with a more dramatic performance hit)
366 Instead of using 16 lookup tables of 1 KB each (8 for encryption and
367 8 for decryption), this implementation uses just two S-boxes of
368 256 bytes each, and attempts to eliminate data dependent latencies by
369 prefetching the entire table into the cache at the start of each
370 block. Interrupts are also disabled to avoid races where cachelines
371 are evicted when the CPU is interrupted to do something else.
375 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
378 Anubis cipher algorithm
380 Anubis is a variable key length cipher which can use keys from
381 128 bits to 320 bits in length. It was evaluated as an entrant
382 in the NESSIE competition.
384 See https://web.archive.org/web/20160606112246/http://www.larc.usp.br/~pbarreto/AnubisPage.html
385 for further information.
391 ARIA cipher algorithm (RFC5794)
393 ARIA is a standard encryption algorithm of the Republic of Korea.
394 The ARIA specifies three key sizes and rounds.
400 https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do
402 config CRYPTO_BLOWFISH
405 select CRYPTO_BLOWFISH_COMMON
407 Blowfish cipher algorithm, by Bruce Schneier
409 This is a variable key length cipher which can use keys from 32
410 bits to 448 bits in length. It's fast, simple and specifically
411 designed for use on "large microprocessors".
413 See https://www.schneier.com/blowfish.html for further information.
415 config CRYPTO_BLOWFISH_COMMON
418 Common parts of the Blowfish cipher algorithm shared by the
419 generic C and the assembler implementations.
421 config CRYPTO_CAMELLIA
425 Camellia cipher algorithms (ISO/IEC 18033-3)
427 Camellia is a symmetric key block cipher developed jointly
428 at NTT and Mitsubishi Electric Corporation.
430 The Camellia specifies three key sizes: 128, 192 and 256 bits.
432 See https://info.isl.ntt.co.jp/crypt/eng/camellia/ for further information.
434 config CRYPTO_CAST_COMMON
437 Common parts of the CAST cipher algorithms shared by the
438 generic C and the assembler implementations.
441 tristate "CAST5 (CAST-128)"
443 select CRYPTO_CAST_COMMON
445 CAST5 (CAST-128) cipher algorithm (RFC2144, ISO/IEC 18033-3)
448 tristate "CAST6 (CAST-256)"
450 select CRYPTO_CAST_COMMON
452 CAST6 (CAST-256) encryption algorithm (RFC2612)
455 tristate "DES and Triple DES EDE"
457 select CRYPTO_LIB_DES
459 DES (Data Encryption Standard)(FIPS 46-2, ISO/IEC 18033-3) and
460 Triple DES EDE (Encrypt/Decrypt/Encrypt) (FIPS 46-3, ISO/IEC 18033-3)
466 select CRYPTO_SKCIPHER
468 FCrypt algorithm used by RxRPC
470 See https://ota.polyonymo.us/fcrypt-paper.txt
474 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
477 Khazad cipher algorithm
479 Khazad was a finalist in the initial NESSIE competition. It is
480 an algorithm optimized for 64-bit processors with good performance
481 on 32-bit processors. Khazad uses a 128-bit key size.
483 See https://web.archive.org/web/20171011071731/http://www.larc.usp.br/~pbarreto/KhazadPage.html
484 for further information.
488 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
491 SEED cipher algorithm (RFC4269, ISO/IEC 18033-3)
493 SEED is a 128-bit symmetric key block cipher that has been
494 developed by KISA (Korea Information Security Agency) as a
495 national standard encryption algorithm of the Republic of Korea.
496 It is a 16 round block cipher with the key size of 128 bit.
498 See https://seed.kisa.or.kr/kisa/algorithm/EgovSeedInfo.do
499 for further information.
501 config CRYPTO_SERPENT
505 Serpent cipher algorithm, by Anderson, Biham & Knudsen
507 Keys are allowed to be from 0 to 256 bits in length, in steps
510 See https://www.cl.cam.ac.uk/~rja14/serpent.html for further information.
515 config CRYPTO_SM4_GENERIC
516 tristate "SM4 (ShangMi 4)"
520 SM4 cipher algorithms (OSCCA GB/T 32907-2016,
521 ISO/IEC 18033-3:2010/Amd 1:2021)
523 SM4 (GBT.32907-2016) is a cryptographic standard issued by the
524 Organization of State Commercial Administration of China (OSCCA)
525 as an authorized cryptographic algorithm for use within China.
527 SMS4 was originally created for use in protecting wireless
528 networks, and is mandated in the Chinese National Standard for
529 Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
532 The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
533 standardized through TC 260 of the Standardization Administration
534 of the People's Republic of China (SAC).
536 The input, output, and key of SMS4 are each 128 bits.
538 See https://eprint.iacr.org/2008/329.pdf for further information.
543 tristate "TEA, XTEA and XETA"
544 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
547 TEA (Tiny Encryption Algorithm) cipher algorithms
549 Tiny Encryption Algorithm is a simple cipher that uses
550 many rounds for security. It is very fast and uses
553 Xtended Tiny Encryption Algorithm (XTEA) is a modification to
554 the TEA algorithm to address a potential key weakness
555 in the TEA algorithm.
557 Xtended Encryption Tiny Algorithm (XETA) is a mis-implementation
558 of the XTEA algorithm for compatibility purposes.
560 config CRYPTO_TWOFISH
563 select CRYPTO_TWOFISH_COMMON
565 Twofish cipher algorithm
567 Twofish was submitted as an AES (Advanced Encryption Standard)
568 candidate cipher by researchers at CounterPane Systems. It is a
569 16 round block cipher supporting key sizes of 128, 192, and 256
572 See https://www.schneier.com/twofish.html for further information.
574 config CRYPTO_TWOFISH_COMMON
577 Common parts of the Twofish cipher algorithm shared by the
578 generic C and the assembler implementations.
582 menu "Length-preserving ciphers and modes"
584 config CRYPTO_ADIANTUM
586 select CRYPTO_CHACHA20
587 select CRYPTO_LIB_POLY1305_GENERIC
588 select CRYPTO_NHPOLY1305
589 select CRYPTO_MANAGER
591 Adiantum tweakable, length-preserving encryption mode
593 Designed for fast and secure disk encryption, especially on
594 CPUs without dedicated crypto instructions. It encrypts
595 each sector using the XChaCha12 stream cipher, two passes of
596 an ε-almost-∆-universal hash function, and an invocation of
597 the AES-256 block cipher on a single 16-byte block. On CPUs
598 without AES instructions, Adiantum is much faster than
601 Adiantum's security is provably reducible to that of its
602 underlying stream and block ciphers, subject to a security
603 bound. Unlike XTS, Adiantum is a true wide-block encryption
604 mode, so it actually provides an even stronger notion of
605 security than XTS, subject to the security bound.
610 tristate "ARC4 (Alleged Rivest Cipher 4)"
611 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
612 select CRYPTO_SKCIPHER
613 select CRYPTO_LIB_ARC4
615 ARC4 cipher algorithm
617 ARC4 is a stream cipher using keys ranging from 8 bits to 2048
618 bits in length. This algorithm is required for driver-based
619 WEP, but it should not be used for other purposes because of the
620 weakness of the algorithm.
622 config CRYPTO_CHACHA20
624 select CRYPTO_LIB_CHACHA_GENERIC
625 select CRYPTO_SKCIPHER
627 The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms
629 ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
630 Bernstein and further specified in RFC7539 for use in IETF protocols.
631 This is the portable C implementation of ChaCha20. See
632 https://cr.yp.to/chacha/chacha-20080128.pdf for further information.
634 XChaCha20 is the application of the XSalsa20 construction to ChaCha20
635 rather than to Salsa20. XChaCha20 extends ChaCha20's nonce length
636 from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
637 while provably retaining ChaCha20's security. See
638 https://cr.yp.to/snuffle/xsalsa-20081128.pdf for further information.
640 XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
641 reduced security margin but increased performance. It can be needed
642 in some performance-sensitive scenarios.
645 tristate "CBC (Cipher Block Chaining)"
646 select CRYPTO_SKCIPHER
647 select CRYPTO_MANAGER
649 CBC (Cipher Block Chaining) mode (NIST SP800-38A)
651 This block cipher mode is required for IPSec ESP (XFRM_ESP).
654 tristate "CFB (Cipher Feedback)"
655 select CRYPTO_SKCIPHER
656 select CRYPTO_MANAGER
658 CFB (Cipher Feedback) mode (NIST SP800-38A)
660 This block cipher mode is required for TPM2 Cryptography.
663 tristate "CTR (Counter)"
664 select CRYPTO_SKCIPHER
665 select CRYPTO_MANAGER
667 CTR (Counter) mode (NIST SP800-38A)
670 tristate "CTS (Cipher Text Stealing)"
671 select CRYPTO_SKCIPHER
672 select CRYPTO_MANAGER
674 CBC-CS3 variant of CTS (Cipher Text Stealing) (NIST
675 Addendum to SP800-38A (October 2010))
677 This mode is required for Kerberos gss mechanism support
681 tristate "ECB (Electronic Codebook)"
682 select CRYPTO_SKCIPHER
683 select CRYPTO_MANAGER
685 ECB (Electronic Codebook) mode (NIST SP800-38A)
690 select CRYPTO_POLYVAL
691 select CRYPTO_MANAGER
693 HCTR2 length-preserving encryption mode
695 A mode for storage encryption that is efficient on processors with
696 instructions to accelerate AES and carryless multiplication, e.g.
697 x86 processors with AES-NI and CLMUL, and ARM processors with the
698 ARMv8 crypto extensions.
700 See https://eprint.iacr.org/2021/1441
702 config CRYPTO_KEYWRAP
703 tristate "KW (AES Key Wrap)"
704 select CRYPTO_SKCIPHER
705 select CRYPTO_MANAGER
707 KW (AES Key Wrap) authenticated encryption mode (NIST SP800-38F
708 and RFC3394) without padding.
711 tristate "LRW (Liskov Rivest Wagner)"
712 select CRYPTO_LIB_GF128MUL
713 select CRYPTO_SKCIPHER
714 select CRYPTO_MANAGER
717 LRW (Liskov Rivest Wagner) mode
719 A tweakable, non-malleable, non-movable
720 narrow block cipher mode for dm-crypt. Use it with cipher
721 specification string aes-lrw-benbi; the key must be 256, 320 or 384 bits.
722 The first 128, 192 or 256 bits in the key are used for AES and the
723 rest is used to tie each cipher block to its logical position.
725 See https://people.csail.mit.edu/rivest/pubs/LRW02.pdf
728 tristate "OFB (Output Feedback)"
729 select CRYPTO_SKCIPHER
730 select CRYPTO_MANAGER
732 OFB (Output Feedback) mode (NIST SP800-38A)
734 This mode makes a block cipher into a synchronous
735 stream cipher. It generates keystream blocks, which are then XORed
736 with the plaintext blocks to get the ciphertext. Flipping a bit in the
737 ciphertext produces a flipped bit in the plaintext at the same
738 location. This property allows many error correcting codes to function
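739 normally even when applied before encryption. The same property makes the ciphertext malleable, so OFB on its own provides no integrity protection and must be paired with a separate authentication mechanism.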
742 tristate "PCBC (Propagating Cipher Block Chaining)"
743 select CRYPTO_SKCIPHER
744 select CRYPTO_MANAGER
746 PCBC (Propagating Cipher Block Chaining) mode
748 This block cipher mode is required for RxRPC.
752 select CRYPTO_SKCIPHER
753 select CRYPTO_MANAGER
755 XCTR (XOR Counter) mode for HCTR2
757 This blockcipher mode is a variant of CTR mode using XORs and little-endian
758 addition rather than big-endian arithmetic.
760 XCTR mode is used to implement HCTR2.
763 tristate "XTS (XOR Encrypt XOR with ciphertext stealing)"
764 select CRYPTO_SKCIPHER
765 select CRYPTO_MANAGER
768 XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
771 Use with aes-xts-plain, key size 256, 384 or 512 bits. This
772 implementation currently can't handle a sector size which is not a
773 multiple of 16 bytes.
775 config CRYPTO_NHPOLY1305
778 select CRYPTO_LIB_POLY1305_GENERIC
782 menu "AEAD (authenticated encryption with associated data) ciphers"
784 config CRYPTO_AEGIS128
787 select CRYPTO_AES # for AES S-box tables
789 AEGIS-128 AEAD algorithm
791 config CRYPTO_AEGIS128_SIMD
792 bool "AEGIS-128 (arm NEON, arm64 NEON)"
793 depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
796 AEGIS-128 AEAD algorithm
798 Architecture: arm or arm64 using:
799 - NEON (Advanced SIMD) extension
801 config CRYPTO_CHACHA20POLY1305
802 tristate "ChaCha20-Poly1305"
803 select CRYPTO_CHACHA20
804 select CRYPTO_POLY1305
806 select CRYPTO_MANAGER
808 ChaCha20 stream cipher and Poly1305 authenticator combined
812 tristate "CCM (Counter with Cipher Block Chaining-MAC)"
816 select CRYPTO_MANAGER
818 CCM (Counter with Cipher Block Chaining-Message Authentication Code)
819 authenticated encryption mode (NIST SP800-38C)
822 tristate "GCM (Galois/Counter Mode) and GMAC (GCM MAC)"
827 select CRYPTO_MANAGER
829 GCM (Galois/Counter Mode) authenticated encryption mode and GMAC
830 (GCM Message Authentication Code) (NIST SP800-38D)
832 This is required for IPSec ESP (XFRM_ESP).
838 select CRYPTO_MANAGER
839 select CRYPTO_RNG_DEFAULT
842 tristate "Sequence Number IV Generator"
845 Sequence Number IV generator
847 This IV generator generates an IV based on a sequence number by
848 xoring it with a salt. This algorithm is mainly useful for CTR.
850 This is required for IPsec ESP (XFRM_ESP).
852 config CRYPTO_ECHAINIV
853 tristate "Encrypted Chain IV Generator"
856 Encrypted Chain IV generator
858 This IV generator generates an IV based on the encryption of
859 a sequence number xored with a salt. This is the default
863 tristate "Encrypted Salt-Sector IV Generator"
864 select CRYPTO_AUTHENC
866 Encrypted Salt-Sector IV generator
868 This IV generator is used in some cases by fscrypt and/or
869 dm-crypt. It uses the hash of the block encryption key as the
870 symmetric key for a block encryption pass applied to the input
871 IV, making low entropy IV sources more suitable for block
874 This driver implements a crypto API template that can be
875 instantiated either as an skcipher or as an AEAD (depending on the
876 type of the first template argument), and which defers encryption
877 and decryption requests to the encapsulated cipher after applying
878 ESSIV to the input IV. Note that in the AEAD case, it is assumed
879 that the keys are presented in the same format used by the authenc
880 template, and that the IV appears at the end of the authenticated
881 associated data (AAD) region (which is how dm-crypt uses it.)
883 Note that the use of ESSIV is not recommended for new deployments,
884 and so this only needs to be enabled when interoperability with
885 existing encrypted volumes of filesystems is required, or when
886 building for a particular system that requires it (e.g., when
887 the SoC in question has accelerated CBC but not XTS, making CBC
888 combined with ESSIV the only feasible mode for h/w accelerated
893 menu "Hashes, digests, and MACs"
895 config CRYPTO_BLAKE2B
899 BLAKE2b cryptographic hash function (RFC 7693)
901 BLAKE2b is optimized for 64-bit platforms and can produce digests
902 of any size between 1 and 64 bytes. The keyed hash is also implemented.
904 This module provides the following algorithms:
910 Used by the btrfs filesystem.
912 See https://blake2.net for further information.
915 tristate "CMAC (Cipher-based MAC)"
917 select CRYPTO_MANAGER
919 CMAC (Cipher-based Message Authentication Code) authentication
920 mode (NIST SP800-38B and IETF RFC4493)
925 select CRYPTO_LIB_GF128MUL
927 GCM GHASH function (NIST SP800-38D)
930 tristate "HMAC (Keyed-Hash MAC)"
932 select CRYPTO_MANAGER
934 HMAC (Keyed-Hash Message Authentication Code) (FIPS 198 and
937 This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
943 MD4 message digest algorithm (RFC1320)
949 MD5 message digest algorithm (RFC1321)
951 config CRYPTO_MICHAEL_MIC
952 tristate "Michael MIC"
955 Michael MIC (Message Integrity Code) (IEEE 802.11i)
957 Defined by the IEEE 802.11i TKIP (Temporal Key Integrity Protocol),
958 known as WPA (Wi-Fi Protected Access).
960 This algorithm is required for TKIP, but it should not be used for
961 other purposes because of the weakness of the algorithm.
963 config CRYPTO_POLYVAL
966 select CRYPTO_LIB_GF128MUL
968 POLYVAL hash function for HCTR2
970 This is used in HCTR2. It is not a general-purpose
971 cryptographic hash function.
973 config CRYPTO_POLY1305
976 select CRYPTO_LIB_POLY1305_GENERIC
978 Poly1305 authenticator algorithm (RFC7539)
980 Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
981 It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
982 in IETF protocols. This is the portable C implementation of Poly1305.
985 tristate "RIPEMD-160"
988 RIPEMD-160 hash function (ISO/IEC 10118-3)
990 RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
991 to be used as a secure replacement for the 128-bit hash functions
992 MD4, MD5 and its predecessor RIPEMD
993 (not to be confused with RIPEMD-128).
995 Its speed is comparable to SHA-1 and there are no known attacks
998 Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
999 See https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
1000 for further information.
1005 select CRYPTO_LIB_SHA1
1007 SHA-1 secure hash algorithm (FIPS 180, ISO/IEC 10118-3)
1009 config CRYPTO_SHA256
1010 tristate "SHA-224 and SHA-256"
1012 select CRYPTO_LIB_SHA256
1014 SHA-224 and SHA-256 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
1016 This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
1017 Used by the btrfs filesystem, Ceph, NFS, and SMB.
1019 config CRYPTO_SHA512
1020 tristate "SHA-384 and SHA-512"
1023 SHA-384 and SHA-512 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
1029 SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3)
1034 config CRYPTO_SM3_GENERIC
1035 tristate "SM3 (ShangMi 3)"
1039 SM3 (ShangMi 3) secure hash function (OSCCA GM/T 0004-2012, ISO/IEC 10118-3)
1041 This is part of the Chinese Commercial Cryptography suite.
1044 http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
1045 https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
1047 config CRYPTO_STREEBOG
1051 Streebog Hash Function (GOST R 34.11-2012, RFC 6986, ISO/IEC 10118-3)
1053 This is one of the Russian cryptographic standard algorithms (called
1054 GOST algorithms). This setting enables two hash algorithms with
1055 256 and 512 bits output.
1058 https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1059 https://tools.ietf.org/html/rfc6986
1064 select CRYPTO_MANAGER
1066 VMAC is a message authentication algorithm designed for
1067 very high speed on 64-bit architectures.
1069 See https://fastcrypto.org/vmac for further information.
1072 tristate "Whirlpool"
1075 Whirlpool hash function (ISO/IEC 10118-3)
1077 512, 384 and 256-bit hashes.
1079 Whirlpool-512 is part of the NESSIE cryptographic primitives.
1081 See https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
1082 for further information.
1085 tristate "XCBC-MAC (Extended Cipher Block Chaining MAC)"
1087 select CRYPTO_MANAGER
1089 XCBC-MAC (Extended Cipher Block Chaining Message Authentication
1092 config CRYPTO_XXHASH
1097 xxHash non-cryptographic hash algorithm
1099 Extremely fast, working at speeds close to RAM limits.
1101 Used by the btrfs filesystem.
1105 menu "CRCs (cyclic redundancy checks)"
1107 config CRYPTO_CRC32C
1112 CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720)
1114 A 32-bit CRC (cyclic redundancy check) with a polynomial defined
1115 by G. Castagnoli, S. Braeuer and M. Herrmann in "Optimization of Cyclic
1116 Redundancy-Check Codes with 24 and 32 Parity Bits", IEEE Transactions
1117 on Communications, Vol. 41, No. 6, June 1993, selected for use with
1120 Used by btrfs, ext4, jbd2, NVMeoF/TCP, and iSCSI.
1127 CRC32 CRC algorithm (IEEE 802.3)
1129 Used by RoCEv2 and f2fs.
1131 config CRYPTO_CRCT10DIF
1132 tristate "CRCT10DIF"
1135 CRC16 CRC algorithm used for the T10 (SCSI) Data Integrity Field (DIF)
1137 CRC algorithm used by the SCSI Block Commands standard.
1139 config CRYPTO_CRC64_ROCKSOFT
1140 tristate "CRC64 based on Rocksoft Model algorithm"
1144 CRC64 CRC algorithm based on the Rocksoft Model CRC Algorithm
1146 Used by the NVMe implementation of T10 DIF (BLK_DEV_INTEGRITY)
1148 See https://zlib.net/crc_v3.txt
1154 config CRYPTO_DEFLATE
1156 select CRYPTO_ALGAPI
1157 select CRYPTO_ACOMP2
1161 Deflate compression algorithm (RFC1951)
1163 Used by IPSec with the IPCOMP protocol (RFC3173, RFC2394)
1167 select CRYPTO_ALGAPI
1168 select CRYPTO_ACOMP2
1170 select LZO_DECOMPRESS
1172 LZO compression algorithm
1174 See https://www.oberhumer.com/opensource/lzo/ for further information.
1178 select CRYPTO_ALGAPI
1179 select CRYPTO_ACOMP2
1181 select 842_DECOMPRESS
1183 842 compression algorithm by IBM
1185 See https://github.com/plauth/lib842 for further information.
1189 select CRYPTO_ALGAPI
1190 select CRYPTO_ACOMP2
1192 select LZ4_DECOMPRESS
1194 LZ4 compression algorithm
1196 See https://github.com/lz4/lz4 for further information.
1200 select CRYPTO_ALGAPI
1201 select CRYPTO_ACOMP2
1202 select LZ4HC_COMPRESS
1203 select LZ4_DECOMPRESS
1205 LZ4 high compression mode algorithm
1207 See https://github.com/lz4/lz4 for further information.
1211 select CRYPTO_ALGAPI
1212 select CRYPTO_ACOMP2
1213 select ZSTD_COMPRESS
1214 select ZSTD_DECOMPRESS
1216 zstd compression algorithm
1218 See https://github.com/facebook/zstd for further information.
1222 menu "Random number generation"
1224 config CRYPTO_ANSI_CPRNG
1225 tristate "ANSI PRNG (Pseudo Random Number Generator)"
1229 Pseudo RNG (random number generator) (ANSI X9.31 Appendix A.2.4)
1231 This uses the AES cipher algorithm.
1233 Note that this option must be enabled if CRYPTO_FIPS is selected
1235 menuconfig CRYPTO_DRBG_MENU
1236 tristate "NIST SP800-90A DRBG (Deterministic Random Bit Generator)"
1238 DRBG (Deterministic Random Bit Generator) (NIST SP800-90A)
1240 In the following submenu, one or more of the DRBG types must be selected.
1244 config CRYPTO_DRBG_HMAC
1248 select CRYPTO_SHA512
1250 config CRYPTO_DRBG_HASH
1252 select CRYPTO_SHA256
1254 Hash_DRBG variant as defined in NIST SP800-90A.
1256 This uses the SHA-1, SHA-256, SHA-384, or SHA-512 hash algorithms.
1258 config CRYPTO_DRBG_CTR
1263 CTR_DRBG variant as defined in NIST SP800-90A.
1265 This uses the AES cipher algorithm with the counter block mode.
1269 default CRYPTO_DRBG_MENU
1271 select CRYPTO_JITTERENTROPY
1273 endif # if CRYPTO_DRBG_MENU
1275 config CRYPTO_JITTERENTROPY
1276 tristate "CPU Jitter Non-Deterministic RNG (Random Number Generator)"
1280 CPU Jitter RNG (Random Number Generator) from the Jitterentropy library
1282 A non-physical non-deterministic ("true") RNG (e.g., an entropy source
1283 compliant with NIST SP800-90B) intended to provide a seed to a
1284 deterministic RNG (e.g. per NIST SP800-90C).
1285 This RNG does not perform any cryptographic whitening of the generated
1287 See https://www.chronox.de/jent.html
1289 config CRYPTO_JITTERENTROPY_TESTINTERFACE
1290 bool "CPU Jitter RNG Test Interface"
1291 depends on CRYPTO_JITTERENTROPY
1293 The test interface allows a privileged process to capture
1294 the raw unconditioned high resolution time stamp noise that
1295 is collected by the Jitter RNG for statistical analysis. As
1296 this data is used at the same time to generate random bits,
1297 the Jitter RNG operates in an insecure mode as long as the
1298 recording is enabled. This interface therefore is only
1299 intended for testing purposes and is not suitable for
1302 The raw noise data can be obtained using the jent_raw_hires
1303 debugfs file. Using the option
1304 jitterentropy_testing.boot_raw_hires_test=1 the raw noise of
1305 the first 1000 entropy events since boot can be sampled.
1307 If unsure, select N.
1309 config CRYPTO_KDF800108_CTR
1312 select CRYPTO_SHA256
1315 menu "Userspace interface"
1317 config CRYPTO_USER_API
1320 config CRYPTO_USER_API_HASH
1321 tristate "Hash algorithms"
1324 select CRYPTO_USER_API
1326 Enable the userspace interface for hash algorithms.
1328 See Documentation/crypto/userspace-if.rst and
1329 https://www.chronox.de/libkcapi/html/index.html
1331 config CRYPTO_USER_API_SKCIPHER
1332 tristate "Symmetric key cipher algorithms"
1334 select CRYPTO_SKCIPHER
1335 select CRYPTO_USER_API
1337 Enable the userspace interface for symmetric key cipher algorithms.
1339 See Documentation/crypto/userspace-if.rst and
1340 https://www.chronox.de/libkcapi/html/index.html
1342 config CRYPTO_USER_API_RNG
1343 tristate "RNG (random number generator) algorithms"
1346 select CRYPTO_USER_API
1348 Enable the userspace interface for RNG (random number generator)
1351 See Documentation/crypto/userspace-if.rst and
1352 https://www.chronox.de/libkcapi/html/index.html
1354 config CRYPTO_USER_API_RNG_CAVP
1355 bool "Enable CAVP testing of DRBG"
1356 depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
1358 Enable extra APIs in the userspace interface for NIST CAVP
1359 (Cryptographic Algorithm Validation Program) testing:
1360 - resetting DRBG entropy
1361 - providing Additional Data
1363 This should only be enabled for CAVP testing. You should say
1364 no unless you know what this is.
1366 config CRYPTO_USER_API_AEAD
1367 tristate "AEAD cipher algorithms"
1370 select CRYPTO_SKCIPHER
1372 select CRYPTO_USER_API
1374 Enable the userspace interface for AEAD cipher algorithms.
1376 See Documentation/crypto/userspace-if.rst and
1377 https://www.chronox.de/libkcapi/html/index.html
1379 config CRYPTO_USER_API_ENABLE_OBSOLETE
1380 bool "Obsolete cryptographic algorithms"
1381 depends on CRYPTO_USER_API
1384 Allow obsolete cryptographic algorithms to be selected that have
1385 already been phased out from internal use by the kernel, and are
1386 only useful for userspace clients that still rely on them.
1389 bool "Crypto usage statistics"
1390 depends on CRYPTO_USER
1392 Enable the gathering of crypto stats.
1394 Enabling this option reduces the performance of the crypto API. It
1395 should only be enabled when there is actually a use case for it.
1397 This collects data sizes, numbers of requests, and numbers
1398 of errors processed by:
1399 - AEAD ciphers (encrypt, decrypt)
1400 - asymmetric key ciphers (encrypt, decrypt, verify, sign)
1401 - symmetric key ciphers (encrypt, decrypt)
1402 - compression algorithms (compress, decompress)
1403 - hash algorithms (hash)
1404 - key-agreement protocol primitives (setsecret, generate
1405 public key, compute shared secret)
1406 - RNG (generate, seed)
1410 config CRYPTO_HASH_INFO
1413 if !KMSAN # avoid false positives from assembly
1415 source "arch/arm/crypto/Kconfig"
1418 source "arch/arm64/crypto/Kconfig"
1421 source "arch/loongarch/crypto/Kconfig"
1424 source "arch/mips/crypto/Kconfig"
1427 source "arch/powerpc/crypto/Kconfig"
1430 source "arch/s390/crypto/Kconfig"
1433 source "arch/sparc/crypto/Kconfig"
1436 source "arch/x86/crypto/Kconfig"
1440 source "drivers/crypto/Kconfig"
1441 source "crypto/asymmetric_keys/Kconfig"
1442 source "certs/Kconfig"