1 # SPDX-License-Identifier: GPL-2.0
3 # Generic algorithms support
9 # async_tx api: hardware offloaded memory transfer/transform support
11 source "crypto/async_tx/Kconfig"
14 # Cryptographic API Configuration
17 tristate "Cryptographic API"
18 select CRYPTO_LIB_UTILS
20 This option provides the core Cryptographic API.
24 menu "Crypto core or helper"
27 bool "FIPS 200 compliance"
28 depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
29 depends on (MODULE_SIG || !MODULES)
31 This option enables the fips boot option which is
32 required if you want the system to operate in a FIPS 200
33 certification. You should say no unless you know what
36 config CRYPTO_FIPS_NAME
37 string "FIPS Module Name"
38 default "Linux Kernel Cryptographic API"
39 depends on CRYPTO_FIPS
41 This option sets the FIPS Module name reported by the Crypto API via
42 the /proc/sys/crypto/fips_name file.
44 config CRYPTO_FIPS_CUSTOM_VERSION
45 bool "Use Custom FIPS Module Version"
46 depends on CRYPTO_FIPS
49 config CRYPTO_FIPS_VERSION
50 string "FIPS Module Version"
52 depends on CRYPTO_FIPS_CUSTOM_VERSION
54 This option provides the ability to override the FIPS Module Version.
55 By default the KERNELRELEASE value is used.
61 This option provides the API for cryptographic algorithms.
77 config CRYPTO_SKCIPHER
79 select CRYPTO_SKCIPHER2
82 config CRYPTO_SKCIPHER2
103 select CRYPTO_ALGAPI2
105 config CRYPTO_RNG_DEFAULT
107 select CRYPTO_DRBG_MENU
109 config CRYPTO_AKCIPHER2
111 select CRYPTO_ALGAPI2
113 config CRYPTO_AKCIPHER
115 select CRYPTO_AKCIPHER2
120 select CRYPTO_ALGAPI2
129 select CRYPTO_ALGAPI2
137 config CRYPTO_MANAGER
138 tristate "Cryptographic algorithm manager"
139 select CRYPTO_MANAGER2
141 Create default cryptographic template instantiations such as
144 config CRYPTO_MANAGER2
145 def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
148 select CRYPTO_SKCIPHER2
149 select CRYPTO_AKCIPHER2
154 tristate "Userspace cryptographic algorithm configuration"
156 select CRYPTO_MANAGER
158 Userspace configuration for cryptographic instantiations such as
161 config CRYPTO_MANAGER_DISABLE_TESTS
162 bool "Disable run-time self tests"
165 Disable run-time self tests that normally take place at
166 algorithm registration.
168 config CRYPTO_MANAGER_EXTRA_TESTS
169 bool "Enable extra run-time crypto self tests"
170 depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER
172 Enable extra run-time self tests of registered crypto algorithms,
173 including randomized fuzz tests.
175 This is intended for developer use only, as these tests take much
176 longer to run than the normal self tests.
179 tristate "Null algorithms"
182 These are 'Null' algorithms, used by IPsec, which do nothing.
186 select CRYPTO_ALGAPI2
187 select CRYPTO_SKCIPHER2
191 tristate "Parallel crypto engine"
194 select CRYPTO_MANAGER
197 This converts an arbitrary crypto algorithm into a parallel
198 algorithm that executes in kernel threads.
201 tristate "Software async crypto daemon"
202 select CRYPTO_SKCIPHER
204 select CRYPTO_MANAGER
206 This is a generic software asynchronous crypto daemon that
207 converts an arbitrary synchronous software crypto algorithm
208 into an asynchronous algorithm that executes in a kernel thread.
210 config CRYPTO_AUTHENC
211 tristate "Authenc support"
213 select CRYPTO_SKCIPHER
214 select CRYPTO_MANAGER
218 Authenc: Combined mode wrapper for IPsec.
220 This is required for IPSec ESP (XFRM_ESP).
223 tristate "Testing module"
224 depends on m || EXPERT
225 select CRYPTO_MANAGER
227 Quick & dirty crypto test module.
238 menu "Public-key cryptography"
241 tristate "RSA (Rivest-Shamir-Adleman)"
242 select CRYPTO_AKCIPHER
243 select CRYPTO_MANAGER
247 RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017)
250 tristate "DH (Diffie-Hellman)"
254 DH (Diffie-Hellman) key exchange algorithm
256 config CRYPTO_DH_RFC7919_GROUPS
257 bool "RFC 7919 FFDHE groups"
259 select CRYPTO_RNG_DEFAULT
261 FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups
264 Support these finite-field groups in DH key exchanges:
265 - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
271 select CRYPTO_RNG_DEFAULT
274 tristate "ECDH (Elliptic Curve Diffie-Hellman)"
278 ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm
279 using curves P-192, P-256, and P-384 (FIPS 186)
282 tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)"
284 select CRYPTO_AKCIPHER
287 ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186,
289 using curves P-192, P-256, and P-384
291 Only signature verification is implemented.
294 tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)"
296 select CRYPTO_AKCIPHER
297 select CRYPTO_STREEBOG
301 Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
302 RFC 7091, ISO/IEC 14888-3)
304 One of the Russian cryptographic standard algorithms (called GOST
305 algorithms). Only signature verification is implemented.
308 tristate "SM2 (ShangMi 2)"
310 select CRYPTO_AKCIPHER
311 select CRYPTO_MANAGER
315 SM2 (ShangMi 2) public key algorithm
317 Published by State Encryption Management Bureau, China,
318 as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012.
321 https://datatracker.ietf.org/doc/draft-shen-sm2-ecdsa/
322 http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml
323 http://www.gmbz.org.cn/main/bzlb.html
325 config CRYPTO_CURVE25519
326 tristate "Curve25519"
328 select CRYPTO_LIB_CURVE25519_GENERIC
330 Curve25519 elliptic curve (RFC7748)
337 tristate "AES (Advanced Encryption Standard)"
339 select CRYPTO_LIB_AES
341 AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
343 Rijndael appears to be consistently a very good performer in
344 both hardware and software across a wide range of computing
345 environments regardless of its use in feedback or non-feedback
346 modes. Its key setup time is excellent, and its key agility is
347 good. Rijndael's very low memory requirements make it very well
348 suited for restricted-space environments, in which it also
349 demonstrates excellent performance. Rijndael's operations are
350 among the easiest to defend against power and timing attacks.
352 The AES specifies three key sizes: 128, 192 and 256 bits
355 tristate "AES (Advanced Encryption Standard) (fixed time)"
357 select CRYPTO_LIB_AES
359 AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
361 This is a generic implementation of AES that attempts to eliminate
362 data dependent latencies as much as possible without affecting
363 performance too much. It is intended for use by the generic CCM
364 and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
365 solely on encryption (although decryption is supported as well, but
366 with a more dramatic performance hit)
368 Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
369 8 for decryption), this implementation only uses just two S-boxes of
370 256 bytes each, and attempts to eliminate data dependent latencies by
371 prefetching the entire table into the cache at the start of each
372 block. Interrupts are also disabled to avoid races where cachelines
373 are evicted when the CPU is interrupted to do something else.
377 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
380 Anubis cipher algorithm
382 Anubis is a variable key length cipher which can use keys from
383 128 bits to 320 bits in length. It was evaluated as a entrant
384 in the NESSIE competition.
386 See https://web.archive.org/web/20160606112246/http://www.larc.usp.br/~pbarreto/AnubisPage.html
387 for further information.
393 ARIA cipher algorithm (RFC5794)
395 ARIA is a standard encryption algorithm of the Republic of Korea.
396 The ARIA specifies three key sizes and rounds.
402 https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do
404 config CRYPTO_BLOWFISH
407 select CRYPTO_BLOWFISH_COMMON
409 Blowfish cipher algorithm, by Bruce Schneier
411 This is a variable key length cipher which can use keys from 32
412 bits to 448 bits in length. It's fast, simple and specifically
413 designed for use on "large microprocessors".
415 See https://www.schneier.com/blowfish.html for further information.
417 config CRYPTO_BLOWFISH_COMMON
420 Common parts of the Blowfish cipher algorithm shared by the
421 generic c and the assembler implementations.
423 config CRYPTO_CAMELLIA
427 Camellia cipher algorithms (ISO/IEC 18033-3)
429 Camellia is a symmetric key block cipher developed jointly
430 at NTT and Mitsubishi Electric Corporation.
432 The Camellia specifies three key sizes: 128, 192 and 256 bits.
434 See https://info.isl.ntt.co.jp/crypt/eng/camellia/ for further information.
436 config CRYPTO_CAST_COMMON
439 Common parts of the CAST cipher algorithms shared by the
440 generic c and the assembler implementations.
443 tristate "CAST5 (CAST-128)"
445 select CRYPTO_CAST_COMMON
447 CAST5 (CAST-128) cipher algorithm (RFC2144, ISO/IEC 18033-3)
450 tristate "CAST6 (CAST-256)"
452 select CRYPTO_CAST_COMMON
454 CAST6 (CAST-256) encryption algorithm (RFC2612)
457 tristate "DES and Triple DES EDE"
459 select CRYPTO_LIB_DES
461 DES (Data Encryption Standard)(FIPS 46-2, ISO/IEC 18033-3) and
462 Triple DES EDE (Encrypt/Decrypt/Encrypt) (FIPS 46-3, ISO/IEC 18033-3)
468 select CRYPTO_SKCIPHER
470 FCrypt algorithm used by RxRPC
472 See https://ota.polyonymo.us/fcrypt-paper.txt
476 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
479 Khazad cipher algorithm
481 Khazad was a finalist in the initial NESSIE competition. It is
482 an algorithm optimized for 64-bit processors with good performance
483 on 32-bit processors. Khazad uses an 128 bit key size.
485 See https://web.archive.org/web/20171011071731/http://www.larc.usp.br/~pbarreto/KhazadPage.html
486 for further information.
490 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
493 SEED cipher algorithm (RFC4269, ISO/IEC 18033-3)
495 SEED is a 128-bit symmetric key block cipher that has been
496 developed by KISA (Korea Information Security Agency) as a
497 national standard encryption algorithm of the Republic of Korea.
498 It is a 16 round block cipher with the key size of 128 bit.
500 See https://seed.kisa.or.kr/kisa/algorithm/EgovSeedInfo.do
501 for further information.
503 config CRYPTO_SERPENT
507 Serpent cipher algorithm, by Anderson, Biham & Knudsen
509 Keys are allowed to be from 0 to 256 bits in length, in steps
512 See https://www.cl.cam.ac.uk/~rja14/serpent.html for further information.
517 config CRYPTO_SM4_GENERIC
518 tristate "SM4 (ShangMi 4)"
522 SM4 cipher algorithms (OSCCA GB/T 32907-2016,
523 ISO/IEC 18033-3:2010/Amd 1:2021)
525 SM4 (GBT.32907-2016) is a cryptographic standard issued by the
526 Organization of State Commercial Administration of China (OSCCA)
527 as an authorized cryptographic algorithms for the use within China.
529 SMS4 was originally created for use in protecting wireless
530 networks, and is mandated in the Chinese National Standard for
531 Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
534 The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
535 standardized through TC 260 of the Standardization Administration
536 of the People's Republic of China (SAC).
538 The input, output, and key of SMS4 are each 128 bits.
540 See https://eprint.iacr.org/2008/329.pdf for further information.
545 tristate "TEA, XTEA and XETA"
546 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
549 TEA (Tiny Encryption Algorithm) cipher algorithms
551 Tiny Encryption Algorithm is a simple cipher that uses
552 many rounds for security. It is very fast and uses
555 Xtendend Tiny Encryption Algorithm is a modification to
556 the TEA algorithm to address a potential key weakness
557 in the TEA algorithm.
559 Xtendend Encryption Tiny Algorithm is a mis-implementation
560 of the XTEA algorithm for compatibility purposes.
562 config CRYPTO_TWOFISH
565 select CRYPTO_TWOFISH_COMMON
567 Twofish cipher algorithm
569 Twofish was submitted as an AES (Advanced Encryption Standard)
570 candidate cipher by researchers at CounterPane Systems. It is a
571 16 round block cipher supporting key sizes of 128, 192, and 256
574 See https://www.schneier.com/twofish.html for further information.
576 config CRYPTO_TWOFISH_COMMON
579 Common parts of the Twofish cipher algorithm shared by the
580 generic c and the assembler implementations.
584 menu "Length-preserving ciphers and modes"
586 config CRYPTO_ADIANTUM
588 select CRYPTO_CHACHA20
589 select CRYPTO_LIB_POLY1305_GENERIC
590 select CRYPTO_NHPOLY1305
591 select CRYPTO_MANAGER
593 Adiantum tweakable, length-preserving encryption mode
595 Designed for fast and secure disk encryption, especially on
596 CPUs without dedicated crypto instructions. It encrypts
597 each sector using the XChaCha12 stream cipher, two passes of
598 an ε-almost-∆-universal hash function, and an invocation of
599 the AES-256 block cipher on a single 16-byte block. On CPUs
600 without AES instructions, Adiantum is much faster than
603 Adiantum's security is provably reducible to that of its
604 underlying stream and block ciphers, subject to a security
605 bound. Unlike XTS, Adiantum is a true wide-block encryption
606 mode, so it actually provides an even stronger notion of
607 security than XTS, subject to the security bound.
612 tristate "ARC4 (Alleged Rivest Cipher 4)"
613 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
614 select CRYPTO_SKCIPHER
615 select CRYPTO_LIB_ARC4
617 ARC4 cipher algorithm
619 ARC4 is a stream cipher using keys ranging from 8 bits to 2048
620 bits in length. This algorithm is required for driver-based
621 WEP, but it should not be for other purposes because of the
622 weakness of the algorithm.
624 config CRYPTO_CHACHA20
626 select CRYPTO_LIB_CHACHA_GENERIC
627 select CRYPTO_SKCIPHER
629 The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms
631 ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
632 Bernstein and further specified in RFC7539 for use in IETF protocols.
633 This is the portable C implementation of ChaCha20. See
634 https://cr.yp.to/chacha/chacha-20080128.pdf for further information.
636 XChaCha20 is the application of the XSalsa20 construction to ChaCha20
637 rather than to Salsa20. XChaCha20 extends ChaCha20's nonce length
638 from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
639 while provably retaining ChaCha20's security. See
640 https://cr.yp.to/snuffle/xsalsa-20081128.pdf for further information.
642 XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
643 reduced security margin but increased performance. It can be needed
644 in some performance-sensitive scenarios.
647 tristate "CBC (Cipher Block Chaining)"
648 select CRYPTO_SKCIPHER
649 select CRYPTO_MANAGER
651 CBC (Cipher Block Chaining) mode (NIST SP800-38A)
653 This block cipher mode is required for IPSec ESP (XFRM_ESP).
656 tristate "CFB (Cipher Feedback)"
657 select CRYPTO_SKCIPHER
658 select CRYPTO_MANAGER
660 CFB (Cipher Feedback) mode (NIST SP800-38A)
662 This block cipher mode is required for TPM2 Cryptography.
665 tristate "CTR (Counter)"
666 select CRYPTO_SKCIPHER
667 select CRYPTO_MANAGER
669 CTR (Counter) mode (NIST SP800-38A)
672 tristate "CTS (Cipher Text Stealing)"
673 select CRYPTO_SKCIPHER
674 select CRYPTO_MANAGER
676 CBC-CS3 variant of CTS (Cipher Text Stealing) (NIST
677 Addendum to SP800-38A (October 2010))
679 This mode is required for Kerberos gss mechanism support
683 tristate "ECB (Electronic Codebook)"
684 select CRYPTO_SKCIPHER
685 select CRYPTO_MANAGER
687 ECB (Electronic Codebook) mode (NIST SP800-38A)
692 select CRYPTO_POLYVAL
693 select CRYPTO_MANAGER
695 HCTR2 length-preserving encryption mode
697 A mode for storage encryption that is efficient on processors with
698 instructions to accelerate AES and carryless multiplication, e.g.
699 x86 processors with AES-NI and CLMUL, and ARM processors with the
700 ARMv8 crypto extensions.
702 See https://eprint.iacr.org/2021/1441
704 config CRYPTO_KEYWRAP
705 tristate "KW (AES Key Wrap)"
706 select CRYPTO_SKCIPHER
707 select CRYPTO_MANAGER
709 KW (AES Key Wrap) authenticated encryption mode (NIST SP800-38F
710 and RFC3394) without padding.
713 tristate "LRW (Liskov Rivest Wagner)"
714 select CRYPTO_LIB_GF128MUL
715 select CRYPTO_SKCIPHER
716 select CRYPTO_MANAGER
719 LRW (Liskov Rivest Wagner) mode
721 A tweakable, non malleable, non movable
722 narrow block cipher mode for dm-crypt. Use it with cipher
723 specification string aes-lrw-benbi, the key must be 256, 320 or 384.
724 The first 128, 192 or 256 bits in the key are used for AES and the
725 rest is used to tie each cipher block to its logical position.
727 See https://people.csail.mit.edu/rivest/pubs/LRW02.pdf
730 tristate "OFB (Output Feedback)"
731 select CRYPTO_SKCIPHER
732 select CRYPTO_MANAGER
734 OFB (Output Feedback) mode (NIST SP800-38A)
736 This mode makes a block cipher into a synchronous
737 stream cipher. It generates keystream blocks, which are then XORed
738 with the plaintext blocks to get the ciphertext. Flipping a bit in the
739 ciphertext produces a flipped bit in the plaintext at the same
740 location. This property allows many error correcting codes to function
741 normally even when applied before encryption.
744 tristate "PCBC (Propagating Cipher Block Chaining)"
745 select CRYPTO_SKCIPHER
746 select CRYPTO_MANAGER
748 PCBC (Propagating Cipher Block Chaining) mode
750 This block cipher mode is required for RxRPC.
754 select CRYPTO_SKCIPHER
755 select CRYPTO_MANAGER
757 XCTR (XOR Counter) mode for HCTR2
759 This blockcipher mode is a variant of CTR mode using XORs and little-endian
760 addition rather than big-endian arithmetic.
762 XCTR mode is used to implement HCTR2.
765 tristate "XTS (XOR Encrypt XOR with ciphertext stealing)"
766 select CRYPTO_SKCIPHER
767 select CRYPTO_MANAGER
770 XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
773 Use with aes-xts-plain, key size 256, 384 or 512 bits. This
774 implementation currently can't handle a sectorsize which is not a
775 multiple of 16 bytes.
777 config CRYPTO_NHPOLY1305
780 select CRYPTO_LIB_POLY1305_GENERIC
784 menu "AEAD (authenticated encryption with associated data) ciphers"
786 config CRYPTO_AEGIS128
789 select CRYPTO_AES # for AES S-box tables
791 AEGIS-128 AEAD algorithm
793 config CRYPTO_AEGIS128_SIMD
794 bool "AEGIS-128 (arm NEON, arm64 NEON)"
795 depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
798 AEGIS-128 AEAD algorithm
800 Architecture: arm or arm64 using:
801 - NEON (Advanced SIMD) extension
803 config CRYPTO_CHACHA20POLY1305
804 tristate "ChaCha20-Poly1305"
805 select CRYPTO_CHACHA20
806 select CRYPTO_POLY1305
808 select CRYPTO_MANAGER
810 ChaCha20 stream cipher and Poly1305 authenticator combined
814 tristate "CCM (Counter with Cipher Block Chaining-MAC)"
818 select CRYPTO_MANAGER
820 CCM (Counter with Cipher Block Chaining-Message Authentication Code)
821 authenticated encryption mode (NIST SP800-38C)
824 tristate "GCM (Galois/Counter Mode) and GMAC (GCM MAC)"
829 select CRYPTO_MANAGER
831 GCM (Galois/Counter Mode) authenticated encryption mode and GMAC
832 (GCM Message Authentication Code) (NIST SP800-38D)
834 This is required for IPSec ESP (XFRM_ESP).
837 tristate "Sequence Number IV Generator"
839 select CRYPTO_SKCIPHER
841 select CRYPTO_RNG_DEFAULT
842 select CRYPTO_MANAGER
844 Sequence Number IV generator
846 This IV generator generates an IV based on a sequence number by
847 xoring it with a salt. This algorithm is mainly useful for CTR.
849 This is required for IPsec ESP (XFRM_ESP).
851 config CRYPTO_ECHAINIV
852 tristate "Encrypted Chain IV Generator"
855 select CRYPTO_RNG_DEFAULT
856 select CRYPTO_MANAGER
858 Encrypted Chain IV generator
860 This IV generator generates an IV based on the encryption of
861 a sequence number xored with a salt. This is the default
865 tristate "Encrypted Salt-Sector IV Generator"
866 select CRYPTO_AUTHENC
868 Encrypted Salt-Sector IV generator
870 This IV generator is used in some cases by fscrypt and/or
871 dm-crypt. It uses the hash of the block encryption key as the
872 symmetric key for a block encryption pass applied to the input
873 IV, making low entropy IV sources more suitable for block
876 This driver implements a crypto API template that can be
877 instantiated either as an skcipher or as an AEAD (depending on the
878 type of the first template argument), and which defers encryption
879 and decryption requests to the encapsulated cipher after applying
880 ESSIV to the input IV. Note that in the AEAD case, it is assumed
881 that the keys are presented in the same format used by the authenc
882 template, and that the IV appears at the end of the authenticated
883 associated data (AAD) region (which is how dm-crypt uses it.)
885 Note that the use of ESSIV is not recommended for new deployments,
886 and so this only needs to be enabled when interoperability with
887 existing encrypted volumes of filesystems is required, or when
888 building for a particular system that requires it (e.g., when
889 the SoC in question has accelerated CBC but not XTS, making CBC
890 combined with ESSIV the only feasible mode for h/w accelerated
895 menu "Hashes, digests, and MACs"
897 config CRYPTO_BLAKE2B
901 BLAKE2b cryptographic hash function (RFC 7693)
903 BLAKE2b is optimized for 64-bit platforms and can produce digests
904 of any size between 1 and 64 bytes. The keyed hash is also implemented.
906 This module provides the following algorithms:
912 Used by the btrfs filesystem.
914 See https://blake2.net for further information.
917 tristate "CMAC (Cipher-based MAC)"
919 select CRYPTO_MANAGER
921 CMAC (Cipher-based Message Authentication Code) authentication
922 mode (NIST SP800-38B and IETF RFC4493)
927 select CRYPTO_LIB_GF128MUL
929 GCM GHASH function (NIST SP800-38D)
932 tristate "HMAC (Keyed-Hash MAC)"
934 select CRYPTO_MANAGER
936 HMAC (Keyed-Hash Message Authentication Code) (FIPS 198 and
939 This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
945 MD4 message digest algorithm (RFC1320)
951 MD5 message digest algorithm (RFC1321)
953 config CRYPTO_MICHAEL_MIC
954 tristate "Michael MIC"
957 Michael MIC (Message Integrity Code) (IEEE 802.11i)
959 Defined by the IEEE 802.11i TKIP (Temporal Key Integrity Protocol),
960 known as WPA (Wif-Fi Protected Access).
962 This algorithm is required for TKIP, but it should not be used for
963 other purposes because of the weakness of the algorithm.
965 config CRYPTO_POLYVAL
968 select CRYPTO_LIB_GF128MUL
970 POLYVAL hash function for HCTR2
972 This is used in HCTR2. It is not a general-purpose
973 cryptographic hash function.
975 config CRYPTO_POLY1305
978 select CRYPTO_LIB_POLY1305_GENERIC
980 Poly1305 authenticator algorithm (RFC7539)
982 Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
983 It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
984 in IETF protocols. This is the portable C implementation of Poly1305.
987 tristate "RIPEMD-160"
990 RIPEMD-160 hash function (ISO/IEC 10118-3)
992 RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
993 to be used as a secure replacement for the 128-bit hash functions
994 MD4, MD5 and its predecessor RIPEMD
995 (not to be confused with RIPEMD-128).
997 Its speed is comparable to SHA-1 and there are no known attacks
1000 Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
1001 See https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
1002 for further information.
1007 select CRYPTO_LIB_SHA1
1009 SHA-1 secure hash algorithm (FIPS 180, ISO/IEC 10118-3)
1011 config CRYPTO_SHA256
1012 tristate "SHA-224 and SHA-256"
1014 select CRYPTO_LIB_SHA256
1016 SHA-224 and SHA-256 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
1018 This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
1019 Used by the btrfs filesystem, Ceph, NFS, and SMB.
1021 config CRYPTO_SHA512
1022 tristate "SHA-384 and SHA-512"
1025 SHA-384 and SHA-512 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
1031 SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3)
1036 config CRYPTO_SM3_GENERIC
1037 tristate "SM3 (ShangMi 3)"
1041 SM3 (ShangMi 3) secure hash function (OSCCA GM/T 0004-2012, ISO/IEC 10118-3)
1043 This is part of the Chinese Commercial Cryptography suite.
1046 http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
1047 https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
1049 config CRYPTO_STREEBOG
1053 Streebog Hash Function (GOST R 34.11-2012, RFC 6986, ISO/IEC 10118-3)
1055 This is one of the Russian cryptographic standard algorithms (called
1056 GOST algorithms). This setting enables two hash algorithms with
1057 256 and 512 bits output.
1060 https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1061 https://tools.ietf.org/html/rfc6986
1066 select CRYPTO_MANAGER
1068 VMAC is a message authentication algorithm designed for
1069 very high speed on 64-bit architectures.
1071 See https://fastcrypto.org/vmac for further information.
1074 tristate "Whirlpool"
1077 Whirlpool hash function (ISO/IEC 10118-3)
1079 512, 384 and 256-bit hashes.
1081 Whirlpool-512 is part of the NESSIE cryptographic primitives.
1083 See https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
1084 for further information.
1087 tristate "XCBC-MAC (Extended Cipher Block Chaining MAC)"
1089 select CRYPTO_MANAGER
1091 XCBC-MAC (Extended Cipher Block Chaining Message Authentication
1094 config CRYPTO_XXHASH
1099 xxHash non-cryptographic hash algorithm
1101 Extremely fast, working at speeds close to RAM limits.
1103 Used by the btrfs filesystem.
1107 menu "CRCs (cyclic redundancy checks)"
1109 config CRYPTO_CRC32C
1114 CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720)
1116 A 32-bit CRC (cyclic redundancy check) with a polynomial defined
1117 by G. Castagnoli, S. Braeuer and M. Herrman in "Optimization of Cyclic
1118 Redundancy-Check Codes with 24 and 32 Parity Bits", IEEE Transactions
1119 on Communications, Vol. 41, No. 6, June 1993, selected for use with
1122 Used by btrfs, ext4, jbd2, NVMeoF/TCP, and iSCSI.
1129 CRC32 CRC algorithm (IEEE 802.3)
1131 Used by RoCEv2 and f2fs.
1133 config CRYPTO_CRCT10DIF
1134 tristate "CRCT10DIF"
1137 CRC16 CRC algorithm used for the T10 (SCSI) Data Integrity Field (DIF)
1139 CRC algorithm used by the SCSI Block Commands standard.
1141 config CRYPTO_CRC64_ROCKSOFT
1142 tristate "CRC64 based on Rocksoft Model algorithm"
1146 CRC64 CRC algorithm based on the Rocksoft Model CRC Algorithm
1148 Used by the NVMe implementation of T10 DIF (BLK_DEV_INTEGRITY)
1150 See https://zlib.net/crc_v3.txt
1156 config CRYPTO_DEFLATE
1158 select CRYPTO_ALGAPI
1159 select CRYPTO_ACOMP2
1163 Deflate compression algorithm (RFC1951)
1165 Used by IPSec with the IPCOMP protocol (RFC3173, RFC2394)
1169 select CRYPTO_ALGAPI
1170 select CRYPTO_ACOMP2
1172 select LZO_DECOMPRESS
1174 LZO compression algorithm
1176 See https://www.oberhumer.com/opensource/lzo/ for further information.
1180 select CRYPTO_ALGAPI
1181 select CRYPTO_ACOMP2
1183 select 842_DECOMPRESS
1185 842 compression algorithm by IBM
1187 See https://github.com/plauth/lib842 for further information.
1191 select CRYPTO_ALGAPI
1192 select CRYPTO_ACOMP2
1194 select LZ4_DECOMPRESS
1196 LZ4 compression algorithm
1198 See https://github.com/lz4/lz4 for further information.
1202 select CRYPTO_ALGAPI
1203 select CRYPTO_ACOMP2
1204 select LZ4HC_COMPRESS
1205 select LZ4_DECOMPRESS
1207 LZ4 high compression mode algorithm
1209 See https://github.com/lz4/lz4 for further information.
1213 select CRYPTO_ALGAPI
1214 select CRYPTO_ACOMP2
1215 select ZSTD_COMPRESS
1216 select ZSTD_DECOMPRESS
1218 zstd compression algorithm
1220 See https://github.com/facebook/zstd for further information.
1224 menu "Random number generation"
1226 config CRYPTO_ANSI_CPRNG
1227 tristate "ANSI PRNG (Pseudo Random Number Generator)"
1231 Pseudo RNG (random number generator) (ANSI X9.31 Appendix A.2.4)
1233 This uses the AES cipher algorithm.
1235 Note that this option must be enabled if CRYPTO_FIPS is selected
1237 menuconfig CRYPTO_DRBG_MENU
1238 tristate "NIST SP800-90A DRBG (Deterministic Random Bit Generator)"
1240 DRBG (Deterministic Random Bit Generator) (NIST SP800-90A)
1242 In the following submenu, one or more of the DRBG types must be selected.
1246 config CRYPTO_DRBG_HMAC
1250 select CRYPTO_SHA512
1252 config CRYPTO_DRBG_HASH
1254 select CRYPTO_SHA256
1256 Hash_DRBG variant as defined in NIST SP800-90A.
1258 This uses the SHA-1, SHA-256, SHA-384, or SHA-512 hash algorithms.
1260 config CRYPTO_DRBG_CTR
1265 CTR_DRBG variant as defined in NIST SP800-90A.
1267 This uses the AES cipher algorithm with the counter block mode.
1271 default CRYPTO_DRBG_MENU
1273 select CRYPTO_JITTERENTROPY
1275 endif # if CRYPTO_DRBG_MENU
1277 config CRYPTO_JITTERENTROPY
1278 tristate "CPU Jitter Non-Deterministic RNG (Random Number Generator)"
1281 CPU Jitter RNG (Random Number Generator) from the Jitterentropy library
1283 A non-physical non-deterministic ("true") RNG (e.g., an entropy source
1284 compliant with NIST SP800-90B) intended to provide a seed to a
1285 deterministic RNG (e.g. per NIST SP800-90C).
1286 This RNG does not perform any cryptographic whitening of the generated
1288 See https://www.chronox.de/jent.html
1290 config CRYPTO_KDF800108_CTR
1293 select CRYPTO_SHA256
1296 menu "Userspace interface"
1298 config CRYPTO_USER_API
1301 config CRYPTO_USER_API_HASH
1302 tristate "Hash algorithms"
1305 select CRYPTO_USER_API
1307 Enable the userspace interface for hash algorithms.
1309 See Documentation/crypto/userspace-if.rst and
1310 https://www.chronox.de/libkcapi/html/index.html
1312 config CRYPTO_USER_API_SKCIPHER
1313 tristate "Symmetric key cipher algorithms"
1315 select CRYPTO_SKCIPHER
1316 select CRYPTO_USER_API
1318 Enable the userspace interface for symmetric key cipher algorithms.
1320 See Documentation/crypto/userspace-if.rst and
1321 https://www.chronox.de/libkcapi/html/index.html
1323 config CRYPTO_USER_API_RNG
1324 tristate "RNG (random number generator) algorithms"
1327 select CRYPTO_USER_API
1329 Enable the userspace interface for RNG (random number generator)
1332 See Documentation/crypto/userspace-if.rst and
1333 https://www.chronox.de/libkcapi/html/index.html
1335 config CRYPTO_USER_API_RNG_CAVP
1336 bool "Enable CAVP testing of DRBG"
1337 depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
1339 Enable extra APIs in the userspace interface for NIST CAVP
1340 (Cryptographic Algorithm Validation Program) testing:
1341 - resetting DRBG entropy
1342 - providing Additional Data
1344 This should only be enabled for CAVP testing. You should say
1345 no unless you know what this is.
1347 config CRYPTO_USER_API_AEAD
1348 tristate "AEAD cipher algorithms"
1351 select CRYPTO_SKCIPHER
1353 select CRYPTO_USER_API
1355 Enable the userspace interface for AEAD cipher algorithms.
1357 See Documentation/crypto/userspace-if.rst and
1358 https://www.chronox.de/libkcapi/html/index.html
1360 config CRYPTO_USER_API_ENABLE_OBSOLETE
1361 bool "Obsolete cryptographic algorithms"
1362 depends on CRYPTO_USER_API
1365 Allow obsolete cryptographic algorithms to be selected that have
1366 already been phased out from internal use by the kernel, and are
1367 only useful for userspace clients that still rely on them.
1370 bool "Crypto usage statistics"
1371 depends on CRYPTO_USER
1373 Enable the gathering of crypto stats.
1375 This collects data sizes, numbers of requests, and numbers
1376 of errors processed by:
1377 - AEAD ciphers (encrypt, decrypt)
1378 - asymmetric key ciphers (encrypt, decrypt, verify, sign)
1379 - symmetric key ciphers (encrypt, decrypt)
1380 - compression algorithms (compress, decompress)
1381 - hash algorithms (hash)
1382 - key-agreement protocol primitives (setsecret, generate
1383 public key, compute shared secret)
1384 - RNG (generate, seed)
1388 config CRYPTO_HASH_INFO
1391 if !KMSAN # avoid false positives from assembly
1393 source "arch/arm/crypto/Kconfig"
1396 source "arch/arm64/crypto/Kconfig"
1399 source "arch/mips/crypto/Kconfig"
1402 source "arch/powerpc/crypto/Kconfig"
1405 source "arch/s390/crypto/Kconfig"
1408 source "arch/sparc/crypto/Kconfig"
1411 source "arch/x86/crypto/Kconfig"
1415 source "drivers/crypto/Kconfig"
1416 source "crypto/asymmetric_keys/Kconfig"
1417 source "certs/Kconfig"