1 # SPDX-License-Identifier: GPL-2.0
3 # Generic algorithms support
9 # async_tx api: hardware offloaded memory transfer/transform support
11 source "crypto/async_tx/Kconfig"
14 # Cryptographic API Configuration
17 tristate "Cryptographic API"
20 This option provides the core Cryptographic API.
24 comment "Crypto core or helper"
27 bool "FIPS 200 compliance"
28 depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
29 depends on (MODULE_SIG || !MODULES)
31 This option enables the fips boot option which is
32 required if you want the system to operate in a FIPS 200
33 certification. You should say no unless you know what
40 This option provides the API for cryptographic algorithms.
56 config CRYPTO_SKCIPHER
58 select CRYPTO_SKCIPHER2
61 config CRYPTO_SKCIPHER2
84 config CRYPTO_RNG_DEFAULT
86 select CRYPTO_DRBG_MENU
88 config CRYPTO_AKCIPHER2
92 config CRYPTO_AKCIPHER
94 select CRYPTO_AKCIPHER2
108 select CRYPTO_ALGAPI2
116 config CRYPTO_MANAGER
117 tristate "Cryptographic algorithm manager"
118 select CRYPTO_MANAGER2
120 Create default cryptographic template instantiations such as
123 config CRYPTO_MANAGER2
124 def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
127 select CRYPTO_SKCIPHER2
128 select CRYPTO_AKCIPHER2
133 tristate "Userspace cryptographic algorithm configuration"
135 select CRYPTO_MANAGER
137 Userspace configuration for cryptographic instantiations such as
140 config CRYPTO_MANAGER_DISABLE_TESTS
141 bool "Disable run-time self tests"
144 Disable run-time self tests that normally take place at
145 algorithm registration.
147 config CRYPTO_MANAGER_EXTRA_TESTS
148 bool "Enable extra run-time crypto self tests"
149 depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER
151 Enable extra run-time self tests of registered crypto algorithms,
152 including randomized fuzz tests.
154 This is intended for developer use only, as these tests take much
155 longer to run than the normal self tests.
157 config CRYPTO_GF128MUL
161 tristate "Null algorithms"
164 These are 'Null' algorithms, used by IPsec, which do nothing.
168 select CRYPTO_ALGAPI2
169 select CRYPTO_SKCIPHER2
173 tristate "Parallel crypto engine"
176 select CRYPTO_MANAGER
179 This converts an arbitrary crypto algorithm into a parallel
180 algorithm that executes in kernel threads.
183 tristate "Software async crypto daemon"
184 select CRYPTO_SKCIPHER
186 select CRYPTO_MANAGER
188 This is a generic software asynchronous crypto daemon that
189 converts an arbitrary synchronous software crypto algorithm
190 into an asynchronous algorithm that executes in a kernel thread.
192 config CRYPTO_AUTHENC
193 tristate "Authenc support"
195 select CRYPTO_SKCIPHER
196 select CRYPTO_MANAGER
200 Authenc: Combined mode wrapper for IPsec.
201 This is required for IPSec.
204 tristate "Testing module"
206 select CRYPTO_MANAGER
208 Quick & dirty crypto test module.
214 config CRYPTO_GLUE_HELPER_X86
217 select CRYPTO_SKCIPHER
222 comment "Public-key cryptography"
225 tristate "RSA algorithm"
226 select CRYPTO_AKCIPHER
227 select CRYPTO_MANAGER
231 Generic implementation of the RSA public key algorithm.
234 tristate "Diffie-Hellman algorithm"
238 Generic implementation of the Diffie-Hellman algorithm.
242 select CRYPTO_RNG_DEFAULT
245 tristate "ECDH algorithm"
249 Generic implementation of the ECDH algorithm
252 tristate "EC-RDSA (GOST 34.10) algorithm"
254 select CRYPTO_AKCIPHER
255 select CRYPTO_STREEBOG
259 Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
260 RFC 7091, ISO/IEC 14888-3:2018) is one of the Russian cryptographic
261 standard algorithms (called GOST algorithms). Only signature verification
265 tristate "SM2 algorithm"
267 select CRYPTO_AKCIPHER
268 select CRYPTO_MANAGER
272 Generic implementation of the SM2 public key algorithm. It was
273 published by State Encryption Management Bureau, China.
274 as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012.
277 https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02
278 http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml
279 http://www.gmbz.org.cn/main/bzlb.html
281 config CRYPTO_CURVE25519
282 tristate "Curve25519 algorithm"
284 select CRYPTO_LIB_CURVE25519_GENERIC
286 config CRYPTO_CURVE25519_X86
287 tristate "x86_64 accelerated Curve25519 scalar multiplication library"
288 depends on X86 && 64BIT
289 select CRYPTO_LIB_CURVE25519_GENERIC
290 select CRYPTO_ARCH_HAVE_LIB_CURVE25519
292 comment "Authenticated Encryption with Associated Data"
295 tristate "CCM support"
299 select CRYPTO_MANAGER
301 Support for Counter with CBC MAC. Required for IPsec.
304 tristate "GCM/GMAC support"
309 select CRYPTO_MANAGER
311 Support for Galois/Counter Mode (GCM) and Galois Message
312 Authentication Code (GMAC). Required for IPSec.
314 config CRYPTO_CHACHA20POLY1305
315 tristate "ChaCha20-Poly1305 AEAD support"
316 select CRYPTO_CHACHA20
317 select CRYPTO_POLY1305
319 select CRYPTO_MANAGER
321 ChaCha20-Poly1305 AEAD support, RFC7539.
323 Support for the AEAD wrapper using the ChaCha20 stream cipher combined
324 with the Poly1305 authenticator. It is defined in RFC7539 for use in
327 config CRYPTO_AEGIS128
328 tristate "AEGIS-128 AEAD algorithm"
330 select CRYPTO_AES # for AES S-box tables
332 Support for the AEGIS-128 dedicated AEAD algorithm.
334 config CRYPTO_AEGIS128_SIMD
335 bool "Support SIMD acceleration for AEGIS-128"
336 depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
339 config CRYPTO_AEGIS128_AESNI_SSE2
340 tristate "AEGIS-128 AEAD algorithm (x86_64 AESNI+SSE2 implementation)"
341 depends on X86 && 64BIT
345 AESNI+SSE2 implementation of the AEGIS-128 dedicated AEAD algorithm.
348 tristate "Sequence Number IV Generator"
350 select CRYPTO_SKCIPHER
352 select CRYPTO_RNG_DEFAULT
353 select CRYPTO_MANAGER
355 This IV generator generates an IV based on a sequence number by
356 xoring it with a salt. This algorithm is mainly useful for CTR
358 config CRYPTO_ECHAINIV
359 tristate "Encrypted Chain IV Generator"
362 select CRYPTO_RNG_DEFAULT
363 select CRYPTO_MANAGER
365 This IV generator generates an IV based on the encryption of
366 a sequence number xored with a salt. This is the default
369 comment "Block modes"
372 tristate "CBC support"
373 select CRYPTO_SKCIPHER
374 select CRYPTO_MANAGER
376 CBC: Cipher Block Chaining mode
377 This block cipher algorithm is required for IPSec.
380 tristate "CFB support"
381 select CRYPTO_SKCIPHER
382 select CRYPTO_MANAGER
384 CFB: Cipher FeedBack mode
385 This block cipher algorithm is required for TPM2 Cryptography.
388 tristate "CTR support"
389 select CRYPTO_SKCIPHER
390 select CRYPTO_MANAGER
393 This block cipher algorithm is required for IPSec.
396 tristate "CTS support"
397 select CRYPTO_SKCIPHER
398 select CRYPTO_MANAGER
400 CTS: Cipher Text Stealing
401 This is the Cipher Text Stealing mode as described by
402 Section 8 of rfc2040 and referenced by rfc3962
403 (rfc3962 includes errata information in its Appendix A) or
404 CBC-CS3 as defined by NIST in Sp800-38A addendum from Oct 2010.
405 This mode is required for Kerberos gss mechanism support
408 See: https://csrc.nist.gov/publications/detail/sp/800-38a/addendum/final
411 tristate "ECB support"
412 select CRYPTO_SKCIPHER
413 select CRYPTO_MANAGER
415 ECB: Electronic CodeBook mode
416 This is the simplest block cipher algorithm. It simply encrypts
417 the input block by block.
420 tristate "LRW support"
421 select CRYPTO_SKCIPHER
422 select CRYPTO_MANAGER
423 select CRYPTO_GF128MUL
425 LRW: Liskov Rivest Wagner, a tweakable, non malleable, non movable
426 narrow block cipher mode for dm-crypt. Use it with cipher
427 specification string aes-lrw-benbi, the key must be 256, 320 or 384.
428 The first 128, 192 or 256 bits in the key are used for AES and the
429 rest is used to tie each cipher block to its logical position.
432 tristate "OFB support"
433 select CRYPTO_SKCIPHER
434 select CRYPTO_MANAGER
436 OFB: the Output Feedback mode makes a block cipher into a synchronous
437 stream cipher. It generates keystream blocks, which are then XORed
438 with the plaintext blocks to get the ciphertext. Flipping a bit in the
439 ciphertext produces a flipped bit in the plaintext at the same
440 location. This property allows many error correcting codes to function
441 normally even when applied before encryption.
444 tristate "PCBC support"
445 select CRYPTO_SKCIPHER
446 select CRYPTO_MANAGER
448 PCBC: Propagating Cipher Block Chaining mode
449 This block cipher algorithm is required for RxRPC.
452 tristate "XTS support"
453 select CRYPTO_SKCIPHER
454 select CRYPTO_MANAGER
457 XTS: IEEE1619/D16 narrow block cipher use with aes-xts-plain,
458 key size 256, 384 or 512 bits. This implementation currently
459 can't handle a sectorsize which is not a multiple of 16 bytes.
461 config CRYPTO_KEYWRAP
462 tristate "Key wrapping support"
463 select CRYPTO_SKCIPHER
464 select CRYPTO_MANAGER
466 Support for key wrapping (NIST SP800-38F / RFC3394) without
469 config CRYPTO_NHPOLY1305
472 select CRYPTO_LIB_POLY1305_GENERIC
474 config CRYPTO_NHPOLY1305_SSE2
475 tristate "NHPoly1305 hash function (x86_64 SSE2 implementation)"
476 depends on X86 && 64BIT
477 select CRYPTO_NHPOLY1305
479 SSE2 optimized implementation of the hash function used by the
480 Adiantum encryption mode.
482 config CRYPTO_NHPOLY1305_AVX2
483 tristate "NHPoly1305 hash function (x86_64 AVX2 implementation)"
484 depends on X86 && 64BIT
485 select CRYPTO_NHPOLY1305
487 AVX2 optimized implementation of the hash function used by the
488 Adiantum encryption mode.
490 config CRYPTO_ADIANTUM
491 tristate "Adiantum support"
492 select CRYPTO_CHACHA20
493 select CRYPTO_LIB_POLY1305_GENERIC
494 select CRYPTO_NHPOLY1305
495 select CRYPTO_MANAGER
497 Adiantum is a tweakable, length-preserving encryption mode
498 designed for fast and secure disk encryption, especially on
499 CPUs without dedicated crypto instructions. It encrypts
500 each sector using the XChaCha12 stream cipher, two passes of
501 an ε-almost-∆-universal hash function, and an invocation of
502 the AES-256 block cipher on a single 16-byte block. On CPUs
503 without AES instructions, Adiantum is much faster than
506 Adiantum's security is provably reducible to that of its
507 underlying stream and block ciphers, subject to a security
508 bound. Unlike XTS, Adiantum is a true wide-block encryption
509 mode, so it actually provides an even stronger notion of
510 security than XTS, subject to the security bound.
515 tristate "ESSIV support for block encryption"
516 select CRYPTO_AUTHENC
518 Encrypted salt-sector initialization vector (ESSIV) is an IV
519 generation method that is used in some cases by fscrypt and/or
520 dm-crypt. It uses the hash of the block encryption key as the
521 symmetric key for a block encryption pass applied to the input
522 IV, making low entropy IV sources more suitable for block
525 This driver implements a crypto API template that can be
526 instantiated either as an skcipher or as an AEAD (depending on the
527 type of the first template argument), and which defers encryption
528 and decryption requests to the encapsulated cipher after applying
529 ESSIV to the input IV. Note that in the AEAD case, it is assumed
530 that the keys are presented in the same format used by the authenc
531 template, and that the IV appears at the end of the authenticated
532 associated data (AAD) region (which is how dm-crypt uses it.)
534 Note that the use of ESSIV is not recommended for new deployments,
535 and so this only needs to be enabled when interoperability with
536 existing encrypted volumes of filesystems is required, or when
537 building for a particular system that requires it (e.g., when
538 the SoC in question has accelerated CBC but not XTS, making CBC
539 combined with ESSIV the only feasible mode for h/w accelerated
545 tristate "CMAC support"
547 select CRYPTO_MANAGER
549 Cipher-based Message Authentication Code (CMAC) specified by
550 The National Institute of Standards and Technology (NIST).
552 https://tools.ietf.org/html/rfc4493
553 http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf
556 tristate "HMAC support"
558 select CRYPTO_MANAGER
560 HMAC: Keyed-Hashing for Message Authentication (RFC2104).
561 This is required for IPSec.
564 tristate "XCBC support"
566 select CRYPTO_MANAGER
568 XCBC: Keyed-Hashing with encryption algorithm
569 https://www.ietf.org/rfc/rfc3566.txt
570 http://csrc.nist.gov/encryption/modes/proposedmodes/
571 xcbc-mac/xcbc-mac-spec.pdf
574 tristate "VMAC support"
576 select CRYPTO_MANAGER
578 VMAC is a message authentication algorithm designed for
579 very high speed on 64-bit architectures.
582 <https://fastcrypto.org/vmac>
587 tristate "CRC32c CRC algorithm"
591 Castagnoli, et al Cyclic Redundancy-Check Algorithm. Used
592 by iSCSI for header and data digests and by others.
593 See Castagnoli93. Module will be crc32c.
595 config CRYPTO_CRC32C_INTEL
596 tristate "CRC32c INTEL hardware acceleration"
600 In Intel processor with SSE4.2 supported, the processor will
601 support CRC32C implementation using hardware accelerated CRC32
602 instruction. This option will create 'crc32c-intel' module,
603 which will enable any routine to use the CRC32 instruction to
604 gain performance compared with software implementation.
605 Module will be crc32c-intel.
607 config CRYPTO_CRC32C_VPMSUM
608 tristate "CRC32c CRC algorithm (powerpc64)"
609 depends on PPC64 && ALTIVEC
613 CRC32c algorithm implemented using vector polynomial multiply-sum
614 (vpmsum) instructions, introduced in POWER8. Enable on POWER8
615 and newer processors for improved performance.
618 config CRYPTO_CRC32C_SPARC64
619 tristate "CRC32c CRC algorithm (SPARC64)"
624 CRC32c CRC algorithm implemented using sparc64 crypto instructions,
628 tristate "CRC32 CRC algorithm"
632 CRC-32-IEEE 802.3 cyclic redundancy-check algorithm.
633 Shash crypto api wrappers to crc32_le function.
635 config CRYPTO_CRC32_PCLMUL
636 tristate "CRC32 PCLMULQDQ hardware acceleration"
641 From Intel Westmere and AMD Bulldozer processor with SSE4.2
642 and PCLMULQDQ supported, the processor will support
643 CRC32 PCLMULQDQ implementation using hardware accelerated PCLMULQDQ
644 instruction. This option will create 'crc32-pclmul' module,
645 which will enable any routine to use the CRC-32-IEEE 802.3 checksum
646 and gain better performance as compared with the table implementation.
648 config CRYPTO_CRC32_MIPS
649 tristate "CRC32c and CRC32 CRC algorithm (MIPS)"
650 depends on MIPS_CRC_SUPPORT
653 CRC32c and CRC32 CRC algorithms implemented using mips crypto
654 instructions, when available.
658 tristate "xxHash hash algorithm"
662 xxHash non-cryptographic hash algorithm. Extremely fast, working at
663 speeds close to RAM limits.
665 config CRYPTO_BLAKE2B
666 tristate "BLAKE2b digest algorithm"
669 Implementation of cryptographic hash function BLAKE2b (or just BLAKE2),
670 optimized for 64bit platforms and can produce digests of any size
671 between 1 to 64. The keyed hash is also implemented.
673 This module provides the following algorithms:
680 See https://blake2.net for further information.
682 config CRYPTO_BLAKE2S
683 tristate "BLAKE2s digest algorithm"
684 select CRYPTO_LIB_BLAKE2S_GENERIC
687 Implementation of cryptographic hash function BLAKE2s
688 optimized for 8-32bit platforms and can produce digests of any size
689 between 1 to 32. The keyed hash is also implemented.
691 This module provides the following algorithms:
698 See https://blake2.net for further information.
700 config CRYPTO_BLAKE2S_X86
701 tristate "BLAKE2s digest algorithm (x86 accelerated version)"
702 depends on X86 && 64BIT
703 select CRYPTO_LIB_BLAKE2S_GENERIC
704 select CRYPTO_ARCH_HAVE_LIB_BLAKE2S
706 config CRYPTO_CRCT10DIF
707 tristate "CRCT10DIF algorithm"
710 CRC T10 Data Integrity Field computation is being cast as
711 a crypto transform. This allows for faster crc t10 diff
712 transforms to be used if they are available.
714 config CRYPTO_CRCT10DIF_PCLMUL
715 tristate "CRCT10DIF PCLMULQDQ hardware acceleration"
716 depends on X86 && 64BIT && CRC_T10DIF
719 For x86_64 processors with SSE4.2 and PCLMULQDQ supported,
720 CRC T10 DIF PCLMULQDQ computation can be hardware
721 accelerated PCLMULQDQ instruction. This option will create
722 'crct10dif-pclmul' module, which is faster when computing the
723 crct10dif checksum as compared with the generic table implementation.
725 config CRYPTO_CRCT10DIF_VPMSUM
726 tristate "CRC32T10DIF powerpc64 hardware acceleration"
727 depends on PPC64 && ALTIVEC && CRC_T10DIF
730 CRC10T10DIF algorithm implemented using vector polynomial
731 multiply-sum (vpmsum) instructions, introduced in POWER8. Enable on
732 POWER8 and newer processors for improved performance.
734 config CRYPTO_VPMSUM_TESTER
735 tristate "Powerpc64 vpmsum hardware acceleration tester"
736 depends on CRYPTO_CRCT10DIF_VPMSUM && CRYPTO_CRC32C_VPMSUM
738 Stress test for CRC32c and CRC-T10DIF algorithms implemented with
739 POWER8 vpmsum instructions.
740 Unless you are testing these algorithms, you don't need this.
743 tristate "GHASH hash function"
744 select CRYPTO_GF128MUL
747 GHASH is the hash function used in GCM (Galois/Counter Mode).
748 It is not a general-purpose cryptographic hash function.
750 config CRYPTO_POLY1305
751 tristate "Poly1305 authenticator algorithm"
753 select CRYPTO_LIB_POLY1305_GENERIC
755 Poly1305 authenticator algorithm, RFC7539.
757 Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
758 It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
759 in IETF protocols. This is the portable C implementation of Poly1305.
761 config CRYPTO_POLY1305_X86_64
762 tristate "Poly1305 authenticator algorithm (x86_64/SSE2/AVX2)"
763 depends on X86 && 64BIT
764 select CRYPTO_LIB_POLY1305_GENERIC
765 select CRYPTO_ARCH_HAVE_LIB_POLY1305
767 Poly1305 authenticator algorithm, RFC7539.
769 Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
770 It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
771 in IETF protocols. This is the x86_64 assembler implementation using SIMD
774 config CRYPTO_POLY1305_MIPS
775 tristate "Poly1305 authenticator algorithm (MIPS optimized)"
777 select CRYPTO_ARCH_HAVE_LIB_POLY1305
780 tristate "MD4 digest algorithm"
783 MD4 message digest algorithm (RFC1320).
786 tristate "MD5 digest algorithm"
789 MD5 message digest algorithm (RFC1321).
791 config CRYPTO_MD5_OCTEON
792 tristate "MD5 digest algorithm (OCTEON)"
793 depends on CPU_CAVIUM_OCTEON
797 MD5 message digest algorithm (RFC1321) implemented
798 using OCTEON crypto instructions, when available.
800 config CRYPTO_MD5_PPC
801 tristate "MD5 digest algorithm (PPC)"
805 MD5 message digest algorithm (RFC1321) implemented
808 config CRYPTO_MD5_SPARC64
809 tristate "MD5 digest algorithm (SPARC64)"
814 MD5 message digest algorithm (RFC1321) implemented
815 using sparc64 crypto instructions, when available.
817 config CRYPTO_MICHAEL_MIC
818 tristate "Michael MIC keyed digest algorithm"
821 Michael MIC is used for message integrity protection in TKIP
822 (IEEE 802.11i). This algorithm is required for TKIP, but it
823 should not be used for other purposes because of the weakness
827 tristate "RIPEMD-128 digest algorithm"
830 RIPEMD-128 (ISO/IEC 10118-3:2004).
832 RIPEMD-128 is a 128-bit cryptographic hash function. It should only
833 be used as a secure replacement for RIPEMD. For other use cases,
834 RIPEMD-160 should be used.
836 Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
837 See <https://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
840 tristate "RIPEMD-160 digest algorithm"
843 RIPEMD-160 (ISO/IEC 10118-3:2004).
845 RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
846 to be used as a secure replacement for the 128-bit hash functions
847 MD4, MD5 and it's predecessor RIPEMD
848 (not to be confused with RIPEMD-128).
850 It's speed is comparable to SHA1 and there are no known attacks
853 Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
854 See <https://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
857 tristate "RIPEMD-256 digest algorithm"
860 RIPEMD-256 is an optional extension of RIPEMD-128 with a
861 256 bit hash. It is intended for applications that require
862 longer hash-results, without needing a larger security level
865 Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
866 See <https://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
869 tristate "RIPEMD-320 digest algorithm"
872 RIPEMD-320 is an optional extension of RIPEMD-160 with a
873 320 bit hash. It is intended for applications that require
874 longer hash-results, without needing a larger security level
877 Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
878 See <https://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
881 tristate "SHA1 digest algorithm"
884 SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2).
886 config CRYPTO_SHA1_SSSE3
887 tristate "SHA1 digest algorithm (SSSE3/AVX/AVX2/SHA-NI)"
888 depends on X86 && 64BIT
892 SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
893 using Supplemental SSE3 (SSSE3) instructions or Advanced Vector
894 Extensions (AVX/AVX2) or SHA-NI(SHA Extensions New Instructions),
897 config CRYPTO_SHA256_SSSE3
898 tristate "SHA256 digest algorithm (SSSE3/AVX/AVX2/SHA-NI)"
899 depends on X86 && 64BIT
903 SHA-256 secure hash standard (DFIPS 180-2) implemented
904 using Supplemental SSE3 (SSSE3) instructions, or Advanced Vector
905 Extensions version 1 (AVX1), or Advanced Vector Extensions
906 version 2 (AVX2) instructions, or SHA-NI (SHA Extensions New
907 Instructions) when available.
909 config CRYPTO_SHA512_SSSE3
910 tristate "SHA512 digest algorithm (SSSE3/AVX/AVX2)"
911 depends on X86 && 64BIT
915 SHA-512 secure hash standard (DFIPS 180-2) implemented
916 using Supplemental SSE3 (SSSE3) instructions, or Advanced Vector
917 Extensions version 1 (AVX1), or Advanced Vector Extensions
918 version 2 (AVX2) instructions, when available.
920 config CRYPTO_SHA1_OCTEON
921 tristate "SHA1 digest algorithm (OCTEON)"
922 depends on CPU_CAVIUM_OCTEON
926 SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
927 using OCTEON crypto instructions, when available.
929 config CRYPTO_SHA1_SPARC64
930 tristate "SHA1 digest algorithm (SPARC64)"
935 SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
936 using sparc64 crypto instructions, when available.
938 config CRYPTO_SHA1_PPC
939 tristate "SHA1 digest algorithm (powerpc)"
942 This is the powerpc hardware accelerated implementation of the
943 SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2).
945 config CRYPTO_SHA1_PPC_SPE
946 tristate "SHA1 digest algorithm (PPC SPE)"
947 depends on PPC && SPE
949 SHA-1 secure hash standard (DFIPS 180-4) implemented
950 using powerpc SPE SIMD instruction set.
953 tristate "SHA224 and SHA256 digest algorithm"
955 select CRYPTO_LIB_SHA256
957 SHA256 secure hash standard (DFIPS 180-2).
959 This version of SHA implements a 256 bit hash with 128 bits of
960 security against collision attacks.
962 This code also includes SHA-224, a 224 bit hash with 112 bits
963 of security against collision attacks.
965 config CRYPTO_SHA256_PPC_SPE
966 tristate "SHA224 and SHA256 digest algorithm (PPC SPE)"
967 depends on PPC && SPE
971 SHA224 and SHA256 secure hash standard (DFIPS 180-2)
972 implemented using powerpc SPE SIMD instruction set.
974 config CRYPTO_SHA256_OCTEON
975 tristate "SHA224 and SHA256 digest algorithm (OCTEON)"
976 depends on CPU_CAVIUM_OCTEON
980 SHA-256 secure hash standard (DFIPS 180-2) implemented
981 using OCTEON crypto instructions, when available.
983 config CRYPTO_SHA256_SPARC64
984 tristate "SHA224 and SHA256 digest algorithm (SPARC64)"
989 SHA-256 secure hash standard (DFIPS 180-2) implemented
990 using sparc64 crypto instructions, when available.
993 tristate "SHA384 and SHA512 digest algorithms"
996 SHA512 secure hash standard (DFIPS 180-2).
998 This version of SHA implements a 512 bit hash with 256 bits of
999 security against collision attacks.
1001 This code also includes SHA-384, a 384 bit hash with 192 bits
1002 of security against collision attacks.
1004 config CRYPTO_SHA512_OCTEON
1005 tristate "SHA384 and SHA512 digest algorithms (OCTEON)"
1006 depends on CPU_CAVIUM_OCTEON
1007 select CRYPTO_SHA512
1010 SHA-512 secure hash standard (DFIPS 180-2) implemented
1011 using OCTEON crypto instructions, when available.
1013 config CRYPTO_SHA512_SPARC64
1014 tristate "SHA384 and SHA512 digest algorithm (SPARC64)"
1016 select CRYPTO_SHA512
1019 SHA-512 secure hash standard (DFIPS 180-2) implemented
1020 using sparc64 crypto instructions, when available.
1023 tristate "SHA3 digest algorithm"
1026 SHA-3 secure hash standard (DFIPS 202). It's based on
1027 cryptographic sponge function family called Keccak.
1030 http://keccak.noekeon.org/
1033 tristate "SM3 digest algorithm"
1036 SM3 secure hash function as defined by OSCCA GM/T 0004-2012 SM3).
1037 It is part of the Chinese Commercial Cryptography suite.
1040 http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
1041 https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
1043 config CRYPTO_STREEBOG
1044 tristate "Streebog Hash Function"
1047 Streebog Hash Function (GOST R 34.11-2012, RFC 6986) is one of the Russian
1048 cryptographic standard algorithms (called GOST algorithms).
1049 This setting enables two hash algorithms with 256 and 512 bits output.
1052 https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1053 https://tools.ietf.org/html/rfc6986
1055 config CRYPTO_TGR192
1056 tristate "Tiger digest algorithms"
1059 Tiger hash algorithm 192, 160 and 128-bit hashes
1061 Tiger is a hash function optimized for 64-bit processors while
1062 still having decent performance on 32-bit processors.
1063 Tiger was developed by Ross Anderson and Eli Biham.
1066 <https://www.cs.technion.ac.il/~biham/Reports/Tiger/>.
1069 tristate "Whirlpool digest algorithms"
1072 Whirlpool hash algorithm 512, 384 and 256-bit hashes
1074 Whirlpool-512 is part of the NESSIE cryptographic primitives.
1075 Whirlpool will be part of the ISO/IEC 10118-3:2003(E) standard
1078 <http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html>
1080 config CRYPTO_GHASH_CLMUL_NI_INTEL
1081 tristate "GHASH hash function (CLMUL-NI accelerated)"
1082 depends on X86 && 64BIT
1083 select CRYPTO_CRYPTD
1085 This is the x86_64 CLMUL-NI accelerated implementation of
1086 GHASH, the hash function used in GCM (Galois/Counter mode).
1091 tristate "AES cipher algorithms"
1092 select CRYPTO_ALGAPI
1093 select CRYPTO_LIB_AES
1095 AES cipher algorithms (FIPS-197). AES uses the Rijndael
1098 Rijndael appears to be consistently a very good performer in
1099 both hardware and software across a wide range of computing
1100 environments regardless of its use in feedback or non-feedback
1101 modes. Its key setup time is excellent, and its key agility is
1102 good. Rijndael's very low memory requirements make it very well
1103 suited for restricted-space environments, in which it also
1104 demonstrates excellent performance. Rijndael's operations are
1105 among the easiest to defend against power and timing attacks.
1107 The AES specifies three key sizes: 128, 192 and 256 bits
1109 See <http://csrc.nist.gov/CryptoToolkit/aes/> for more information.
1111 config CRYPTO_AES_TI
1112 tristate "Fixed time AES cipher"
1113 select CRYPTO_ALGAPI
1114 select CRYPTO_LIB_AES
1116 This is a generic implementation of AES that attempts to eliminate
1117 data dependent latencies as much as possible without affecting
1118 performance too much. It is intended for use by the generic CCM
1119 and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
1120 solely on encryption (although decryption is supported as well, but
1121 with a more dramatic performance hit)
1123 Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
1124 8 for decryption), this implementation only uses just two S-boxes of
1125 256 bytes each, and attempts to eliminate data dependent latencies by
1126 prefetching the entire table into the cache at the start of each
1127 block. Interrupts are also disabled to avoid races where cachelines
1128 are evicted when the CPU is interrupted to do something else.
1130 config CRYPTO_AES_NI_INTEL
1131 tristate "AES cipher algorithms (AES-NI)"
1134 select CRYPTO_LIB_AES
1135 select CRYPTO_ALGAPI
1136 select CRYPTO_SKCIPHER
1137 select CRYPTO_GLUE_HELPER_X86 if 64BIT
1140 Use Intel AES-NI instructions for AES algorithm.
1142 AES cipher algorithms (FIPS-197). AES uses the Rijndael
1145 Rijndael appears to be consistently a very good performer in
1146 both hardware and software across a wide range of computing
1147 environments regardless of its use in feedback or non-feedback
1148 modes. Its key setup time is excellent, and its key agility is
1149 good. Rijndael's very low memory requirements make it very well
1150 suited for restricted-space environments, in which it also
1151 demonstrates excellent performance. Rijndael's operations are
1152 among the easiest to defend against power and timing attacks.
1154 The AES specifies three key sizes: 128, 192 and 256 bits
1156 See <http://csrc.nist.gov/encryption/aes/> for more information.
1158 In addition to AES cipher algorithm support, the acceleration
1159 for some popular block cipher mode is supported too, including
1160 ECB, CBC, LRW, XTS. The 64 bit version has additional
1161 acceleration for CTR.
1163 config CRYPTO_AES_SPARC64
1164 tristate "AES cipher algorithms (SPARC64)"
1166 select CRYPTO_SKCIPHER
1168 Use SPARC64 crypto opcodes for AES algorithm.
1170 AES cipher algorithms (FIPS-197). AES uses the Rijndael
1173 Rijndael appears to be consistently a very good performer in
1174 both hardware and software across a wide range of computing
1175 environments regardless of its use in feedback or non-feedback
1176 modes. Its key setup time is excellent, and its key agility is
1177 good. Rijndael's very low memory requirements make it very well
1178 suited for restricted-space environments, in which it also
1179 demonstrates excellent performance. Rijndael's operations are
1180 among the easiest to defend against power and timing attacks.
1182 The AES specifies three key sizes: 128, 192 and 256 bits
1184 See <http://csrc.nist.gov/encryption/aes/> for more information.
1186 In addition to AES cipher algorithm support, the acceleration
1187 for some popular block cipher mode is supported too, including
1190 config CRYPTO_AES_PPC_SPE
1191 tristate "AES cipher algorithms (PPC SPE)"
1192 depends on PPC && SPE
1193 select CRYPTO_SKCIPHER
1195 AES cipher algorithms (FIPS-197). Additionally the acceleration
1196 for popular block cipher modes ECB, CBC, CTR and XTS is supported.
1197 This module should only be used for low power (router) devices
1198 without hardware AES acceleration (e.g. caam crypto). It reduces the
1199 size of the AES tables from 16KB to 8KB + 256 bytes and mitigates
1200 timining attacks. Nevertheless it might be not as secure as other
1201 architecture specific assembler implementations that work on 1KB
1202 tables or 256 bytes S-boxes.
1204 config CRYPTO_ANUBIS
1205 tristate "Anubis cipher algorithm"
1206 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1207 select CRYPTO_ALGAPI
1209 Anubis cipher algorithm.
1211 Anubis is a variable key length cipher which can use keys from
1212 128 bits to 320 bits in length. It was evaluated as a entrant
1213 in the NESSIE competition.
1216 <https://www.cosic.esat.kuleuven.be/nessie/reports/>
1217 <http://www.larc.usp.br/~pbarreto/AnubisPage.html>
1220 tristate "ARC4 cipher algorithm"
1221 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1222 select CRYPTO_SKCIPHER
1223 select CRYPTO_LIB_ARC4
1225 ARC4 cipher algorithm.
1227 ARC4 is a stream cipher using keys ranging from 8 bits to 2048
1228 bits in length. This algorithm is required for driver-based
1229 WEP, but it should not be for other purposes because of the
1230 weakness of the algorithm.
1232 config CRYPTO_BLOWFISH
1233 tristate "Blowfish cipher algorithm"
1234 select CRYPTO_ALGAPI
1235 select CRYPTO_BLOWFISH_COMMON
1237 Blowfish cipher algorithm, by Bruce Schneier.
1239 This is a variable key length cipher which can use keys from 32
1240 bits to 448 bits in length. It's fast, simple and specifically
1241 designed for use on "large microprocessors".
1244 <https://www.schneier.com/blowfish.html>
1246 config CRYPTO_BLOWFISH_COMMON
1249 Common parts of the Blowfish cipher algorithm shared by the
1250 generic c and the assembler implementations.
1253 <https://www.schneier.com/blowfish.html>
1255 config CRYPTO_BLOWFISH_X86_64
1256 tristate "Blowfish cipher algorithm (x86_64)"
1257 depends on X86 && 64BIT
1258 select CRYPTO_SKCIPHER
1259 select CRYPTO_BLOWFISH_COMMON
1261 Blowfish cipher algorithm (x86_64), by Bruce Schneier.
1263 This is a variable key length cipher which can use keys from 32
1264 bits to 448 bits in length. It's fast, simple and specifically
1265 designed for use on "large microprocessors".
1268 <https://www.schneier.com/blowfish.html>
1270 config CRYPTO_CAMELLIA
1271 tristate "Camellia cipher algorithms"
1273 select CRYPTO_ALGAPI
1275 Camellia cipher algorithms module.
1277 Camellia is a symmetric key block cipher developed jointly
1278 at NTT and Mitsubishi Electric Corporation.
1280 The Camellia specifies three key sizes: 128, 192 and 256 bits.
1283 <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1285 config CRYPTO_CAMELLIA_X86_64
1286 tristate "Camellia cipher algorithm (x86_64)"
1287 depends on X86 && 64BIT
1289 select CRYPTO_SKCIPHER
1290 select CRYPTO_GLUE_HELPER_X86
1292 Camellia cipher algorithm module (x86_64).
1294 Camellia is a symmetric key block cipher developed jointly
1295 at NTT and Mitsubishi Electric Corporation.
1297 The Camellia specifies three key sizes: 128, 192 and 256 bits.
1300 <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1302 config CRYPTO_CAMELLIA_AESNI_AVX_X86_64
1303 tristate "Camellia cipher algorithm (x86_64/AES-NI/AVX)"
1304 depends on X86 && 64BIT
1306 select CRYPTO_SKCIPHER
1307 select CRYPTO_CAMELLIA_X86_64
1308 select CRYPTO_GLUE_HELPER_X86
1312 Camellia cipher algorithm module (x86_64/AES-NI/AVX).
1314 Camellia is a symmetric key block cipher developed jointly
1315 at NTT and Mitsubishi Electric Corporation.
1317 The Camellia specifies three key sizes: 128, 192 and 256 bits.
1320 <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1322 config CRYPTO_CAMELLIA_AESNI_AVX2_X86_64
1323 tristate "Camellia cipher algorithm (x86_64/AES-NI/AVX2)"
1324 depends on X86 && 64BIT
1326 select CRYPTO_CAMELLIA_AESNI_AVX_X86_64
1328 Camellia cipher algorithm module (x86_64/AES-NI/AVX2).
1330 Camellia is a symmetric key block cipher developed jointly
1331 at NTT and Mitsubishi Electric Corporation.
1333 The Camellia specifies three key sizes: 128, 192 and 256 bits.
1336 <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1338 config CRYPTO_CAMELLIA_SPARC64
1339 tristate "Camellia cipher algorithm (SPARC64)"
1342 select CRYPTO_ALGAPI
1343 select CRYPTO_SKCIPHER
1345 Camellia cipher algorithm module (SPARC64).
1347 Camellia is a symmetric key block cipher developed jointly
1348 at NTT and Mitsubishi Electric Corporation.
1350 The Camellia specifies three key sizes: 128, 192 and 256 bits.
1353 <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1355 config CRYPTO_CAST_COMMON
1358 Common parts of the CAST cipher algorithms shared by the
1359 generic c and the assembler implementations.
1362 tristate "CAST5 (CAST-128) cipher algorithm"
1363 select CRYPTO_ALGAPI
1364 select CRYPTO_CAST_COMMON
1366 The CAST5 encryption algorithm (synonymous with CAST-128) is
1367 described in RFC2144.
1369 config CRYPTO_CAST5_AVX_X86_64
1370 tristate "CAST5 (CAST-128) cipher algorithm (x86_64/AVX)"
1371 depends on X86 && 64BIT
1372 select CRYPTO_SKCIPHER
1374 select CRYPTO_CAST_COMMON
1377 The CAST5 encryption algorithm (synonymous with CAST-128) is
1378 described in RFC2144.
1380 This module provides the Cast5 cipher algorithm that processes
1381 sixteen blocks parallel using the AVX instruction set.
1384 tristate "CAST6 (CAST-256) cipher algorithm"
1385 select CRYPTO_ALGAPI
1386 select CRYPTO_CAST_COMMON
1388 The CAST6 encryption algorithm (synonymous with CAST-256) is
1389 described in RFC2612.
1391 config CRYPTO_CAST6_AVX_X86_64
1392 tristate "CAST6 (CAST-256) cipher algorithm (x86_64/AVX)"
1393 depends on X86 && 64BIT
1394 select CRYPTO_SKCIPHER
1396 select CRYPTO_CAST_COMMON
1397 select CRYPTO_GLUE_HELPER_X86
1401 The CAST6 encryption algorithm (synonymous with CAST-256) is
1402 described in RFC2612.
1404 This module provides the Cast6 cipher algorithm that processes
1405 eight blocks parallel using the AVX instruction set.
1408 tristate "DES and Triple DES EDE cipher algorithms"
1409 select CRYPTO_ALGAPI
1410 select CRYPTO_LIB_DES
1412 DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3).
1414 config CRYPTO_DES_SPARC64
1415 tristate "DES and Triple DES EDE cipher algorithms (SPARC64)"
1417 select CRYPTO_ALGAPI
1418 select CRYPTO_LIB_DES
1419 select CRYPTO_SKCIPHER
1421 DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3),
1422 optimized using SPARC64 crypto opcodes.
1424 config CRYPTO_DES3_EDE_X86_64
1425 tristate "Triple DES EDE cipher algorithm (x86-64)"
1426 depends on X86 && 64BIT
1427 select CRYPTO_SKCIPHER
1428 select CRYPTO_LIB_DES
1430 Triple DES EDE (FIPS 46-3) algorithm.
1432 This module provides implementation of the Triple DES EDE cipher
1433 algorithm that is optimized for x86-64 processors. Two versions of
1434 algorithm are provided; regular processing one input block and
1435 one that processes three blocks parallel.
1437 config CRYPTO_FCRYPT
1438 tristate "FCrypt cipher algorithm"
1439 select CRYPTO_ALGAPI
1440 select CRYPTO_SKCIPHER
1442 FCrypt algorithm used by RxRPC.
1444 config CRYPTO_KHAZAD
1445 tristate "Khazad cipher algorithm"
1446 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1447 select CRYPTO_ALGAPI
1449 Khazad cipher algorithm.
1451 Khazad was a finalist in the initial NESSIE competition. It is
1452 an algorithm optimized for 64-bit processors with good performance
1453 on 32-bit processors. Khazad uses an 128 bit key size.
1456 <http://www.larc.usp.br/~pbarreto/KhazadPage.html>
1458 config CRYPTO_SALSA20
1459 tristate "Salsa20 stream cipher algorithm"
1460 select CRYPTO_SKCIPHER
1462 Salsa20 stream cipher algorithm.
1464 Salsa20 is a stream cipher submitted to eSTREAM, the ECRYPT
1465 Stream Cipher Project. See <https://www.ecrypt.eu.org/stream/>
1467 The Salsa20 stream cipher algorithm is designed by Daniel J.
1468 Bernstein <djb@cr.yp.to>. See <https://cr.yp.to/snuffle.html>
1470 config CRYPTO_CHACHA20
1471 tristate "ChaCha stream cipher algorithms"
1472 select CRYPTO_LIB_CHACHA_GENERIC
1473 select CRYPTO_SKCIPHER
1475 The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms.
1477 ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
1478 Bernstein and further specified in RFC7539 for use in IETF protocols.
1479 This is the portable C implementation of ChaCha20. See also:
1480 <https://cr.yp.to/chacha/chacha-20080128.pdf>
1482 XChaCha20 is the application of the XSalsa20 construction to ChaCha20
1483 rather than to Salsa20. XChaCha20 extends ChaCha20's nonce length
1484 from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
1485 while provably retaining ChaCha20's security. See also:
1486 <https://cr.yp.to/snuffle/xsalsa-20081128.pdf>
1488 XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
1489 reduced security margin but increased performance. It can be needed
1490 in some performance-sensitive scenarios.
1492 config CRYPTO_CHACHA20_X86_64
1493 tristate "ChaCha stream cipher algorithms (x86_64/SSSE3/AVX2/AVX-512VL)"
1494 depends on X86 && 64BIT
1495 select CRYPTO_SKCIPHER
1496 select CRYPTO_LIB_CHACHA_GENERIC
1497 select CRYPTO_ARCH_HAVE_LIB_CHACHA
1499 SSSE3, AVX2, and AVX-512VL optimized implementations of the ChaCha20,
1500 XChaCha20, and XChaCha12 stream ciphers.
1502 config CRYPTO_CHACHA_MIPS
1503 tristate "ChaCha stream cipher algorithms (MIPS 32r2 optimized)"
1504 depends on CPU_MIPS32_R2
1505 select CRYPTO_SKCIPHER
1506 select CRYPTO_ARCH_HAVE_LIB_CHACHA
1509 tristate "SEED cipher algorithm"
1510 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1511 select CRYPTO_ALGAPI
1513 SEED cipher algorithm (RFC4269).
1515 SEED is a 128-bit symmetric key block cipher that has been
1516 developed by KISA (Korea Information Security Agency) as a
1517 national standard encryption algorithm of the Republic of Korea.
1518 It is a 16 round block cipher with the key size of 128 bit.
1521 <http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp>
1523 config CRYPTO_SERPENT
1524 tristate "Serpent cipher algorithm"
1525 select CRYPTO_ALGAPI
1527 Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1529 Keys are allowed to be from 0 to 256 bits in length, in steps
1530 of 8 bits. Also includes the 'Tnepres' algorithm, a reversed
1531 variant of Serpent for compatibility with old kerneli.org code.
1534 <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1536 config CRYPTO_SERPENT_SSE2_X86_64
1537 tristate "Serpent cipher algorithm (x86_64/SSE2)"
1538 depends on X86 && 64BIT
1539 select CRYPTO_SKCIPHER
1540 select CRYPTO_GLUE_HELPER_X86
1541 select CRYPTO_SERPENT
1544 Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1546 Keys are allowed to be from 0 to 256 bits in length, in steps
1549 This module provides Serpent cipher algorithm that processes eight
1550 blocks parallel using SSE2 instruction set.
1553 <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1555 config CRYPTO_SERPENT_SSE2_586
1556 tristate "Serpent cipher algorithm (i586/SSE2)"
1557 depends on X86 && !64BIT
1558 select CRYPTO_SKCIPHER
1559 select CRYPTO_GLUE_HELPER_X86
1560 select CRYPTO_SERPENT
1563 Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1565 Keys are allowed to be from 0 to 256 bits in length, in steps
1568 This module provides Serpent cipher algorithm that processes four
1569 blocks parallel using SSE2 instruction set.
1572 <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1574 config CRYPTO_SERPENT_AVX_X86_64
1575 tristate "Serpent cipher algorithm (x86_64/AVX)"
1576 depends on X86 && 64BIT
1577 select CRYPTO_SKCIPHER
1578 select CRYPTO_GLUE_HELPER_X86
1579 select CRYPTO_SERPENT
1583 Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1585 Keys are allowed to be from 0 to 256 bits in length, in steps
1588 This module provides the Serpent cipher algorithm that processes
1589 eight blocks parallel using the AVX instruction set.
1592 <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1594 config CRYPTO_SERPENT_AVX2_X86_64
1595 tristate "Serpent cipher algorithm (x86_64/AVX2)"
1596 depends on X86 && 64BIT
1597 select CRYPTO_SERPENT_AVX_X86_64
1599 Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1601 Keys are allowed to be from 0 to 256 bits in length, in steps
1604 This module provides Serpent cipher algorithm that processes 16
1605 blocks parallel using AVX2 instruction set.
1608 <https://www.cl.cam.ac.uk/~rja14/serpent.html>
1611 tristate "SM4 cipher algorithm"
1612 select CRYPTO_ALGAPI
1614 SM4 cipher algorithms (OSCCA GB/T 32907-2016).
1616 SM4 (GBT.32907-2016) is a cryptographic standard issued by the
1617 Organization of State Commercial Administration of China (OSCCA)
1618 as an authorized cryptographic algorithms for the use within China.
1620 SMS4 was originally created for use in protecting wireless
1621 networks, and is mandated in the Chinese National Standard for
1622 Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
1625 The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
1626 standardized through TC 260 of the Standardization Administration
1627 of the People's Republic of China (SAC).
1629 The input, output, and key of SMS4 are each 128 bits.
1631 See also: <https://eprint.iacr.org/2008/329.pdf>
1636 tristate "TEA, XTEA and XETA cipher algorithms"
1637 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
1638 select CRYPTO_ALGAPI
1640 TEA cipher algorithm.
1642 Tiny Encryption Algorithm is a simple cipher that uses
1643 many rounds for security. It is very fast and uses
1646 Xtendend Tiny Encryption Algorithm is a modification to
1647 the TEA algorithm to address a potential key weakness
1648 in the TEA algorithm.
1650 Xtendend Encryption Tiny Algorithm is a mis-implementation
1651 of the XTEA algorithm for compatibility purposes.
1653 config CRYPTO_TWOFISH
1654 tristate "Twofish cipher algorithm"
1655 select CRYPTO_ALGAPI
1656 select CRYPTO_TWOFISH_COMMON
1658 Twofish cipher algorithm.
1660 Twofish was submitted as an AES (Advanced Encryption Standard)
1661 candidate cipher by researchers at CounterPane Systems. It is a
1662 16 round block cipher supporting key sizes of 128, 192, and 256
1666 <https://www.schneier.com/twofish.html>
1668 config CRYPTO_TWOFISH_COMMON
1671 Common parts of the Twofish cipher algorithm shared by the
1672 generic c and the assembler implementations.
1674 config CRYPTO_TWOFISH_586
1675 tristate "Twofish cipher algorithms (i586)"
1676 depends on (X86 || UML_X86) && !64BIT
1677 select CRYPTO_ALGAPI
1678 select CRYPTO_TWOFISH_COMMON
1680 Twofish cipher algorithm.
1682 Twofish was submitted as an AES (Advanced Encryption Standard)
1683 candidate cipher by researchers at CounterPane Systems. It is a
1684 16 round block cipher supporting key sizes of 128, 192, and 256
1688 <https://www.schneier.com/twofish.html>
1690 config CRYPTO_TWOFISH_X86_64
1691 tristate "Twofish cipher algorithm (x86_64)"
1692 depends on (X86 || UML_X86) && 64BIT
1693 select CRYPTO_ALGAPI
1694 select CRYPTO_TWOFISH_COMMON
1696 Twofish cipher algorithm (x86_64).
1698 Twofish was submitted as an AES (Advanced Encryption Standard)
1699 candidate cipher by researchers at CounterPane Systems. It is a
1700 16 round block cipher supporting key sizes of 128, 192, and 256
1704 <https://www.schneier.com/twofish.html>
1706 config CRYPTO_TWOFISH_X86_64_3WAY
1707 tristate "Twofish cipher algorithm (x86_64, 3-way parallel)"
1708 depends on X86 && 64BIT
1709 select CRYPTO_SKCIPHER
1710 select CRYPTO_TWOFISH_COMMON
1711 select CRYPTO_TWOFISH_X86_64
1712 select CRYPTO_GLUE_HELPER_X86
1714 Twofish cipher algorithm (x86_64, 3-way parallel).
1716 Twofish was submitted as an AES (Advanced Encryption Standard)
1717 candidate cipher by researchers at CounterPane Systems. It is a
1718 16 round block cipher supporting key sizes of 128, 192, and 256
1721 This module provides Twofish cipher algorithm that processes three
1722 blocks parallel, utilizing resources of out-of-order CPUs better.
1725 <https://www.schneier.com/twofish.html>
1727 config CRYPTO_TWOFISH_AVX_X86_64
1728 tristate "Twofish cipher algorithm (x86_64/AVX)"
1729 depends on X86 && 64BIT
1730 select CRYPTO_SKCIPHER
1731 select CRYPTO_GLUE_HELPER_X86
1733 select CRYPTO_TWOFISH_COMMON
1734 select CRYPTO_TWOFISH_X86_64
1735 select CRYPTO_TWOFISH_X86_64_3WAY
1737 Twofish cipher algorithm (x86_64/AVX).
1739 Twofish was submitted as an AES (Advanced Encryption Standard)
1740 candidate cipher by researchers at CounterPane Systems. It is a
1741 16 round block cipher supporting key sizes of 128, 192, and 256
1744 This module provides the Twofish cipher algorithm that processes
1745 eight blocks parallel using the AVX Instruction Set.
1748 <https://www.schneier.com/twofish.html>
1750 comment "Compression"
1752 config CRYPTO_DEFLATE
1753 tristate "Deflate compression algorithm"
1754 select CRYPTO_ALGAPI
1755 select CRYPTO_ACOMP2
1759 This is the Deflate algorithm (RFC1951), specified for use in
1760 IPSec with the IPCOMP protocol (RFC3173, RFC2394).
1762 You will most probably want this if using IPSec.
1765 tristate "LZO compression algorithm"
1766 select CRYPTO_ALGAPI
1767 select CRYPTO_ACOMP2
1769 select LZO_DECOMPRESS
1771 This is the LZO algorithm.
1774 tristate "842 compression algorithm"
1775 select CRYPTO_ALGAPI
1776 select CRYPTO_ACOMP2
1778 select 842_DECOMPRESS
1780 This is the 842 algorithm.
1783 tristate "LZ4 compression algorithm"
1784 select CRYPTO_ALGAPI
1785 select CRYPTO_ACOMP2
1787 select LZ4_DECOMPRESS
1789 This is the LZ4 algorithm.
1792 tristate "LZ4HC compression algorithm"
1793 select CRYPTO_ALGAPI
1794 select CRYPTO_ACOMP2
1795 select LZ4HC_COMPRESS
1796 select LZ4_DECOMPRESS
1798 This is the LZ4 high compression mode algorithm.
1801 tristate "Zstd compression algorithm"
1802 select CRYPTO_ALGAPI
1803 select CRYPTO_ACOMP2
1804 select ZSTD_COMPRESS
1805 select ZSTD_DECOMPRESS
1807 This is the zstd algorithm.
1809 comment "Random Number Generation"
1811 config CRYPTO_ANSI_CPRNG
1812 tristate "Pseudo Random Number Generation for Cryptographic modules"
1816 This option enables the generic pseudo random number generator
1817 for cryptographic modules. Uses the Algorithm specified in
1818 ANSI X9.31 A.2.4. Note that this option must be enabled if
1819 CRYPTO_FIPS is selected
1821 menuconfig CRYPTO_DRBG_MENU
1822 tristate "NIST SP800-90A DRBG"
1824 NIST SP800-90A compliant DRBG. In the following submenu, one or
1825 more of the DRBG types must be selected.
1829 config CRYPTO_DRBG_HMAC
1833 select CRYPTO_SHA256
1835 config CRYPTO_DRBG_HASH
1836 bool "Enable Hash DRBG"
1837 select CRYPTO_SHA256
1839 Enable the Hash DRBG variant as defined in NIST SP800-90A.
1841 config CRYPTO_DRBG_CTR
1842 bool "Enable CTR DRBG"
1846 Enable the CTR DRBG variant as defined in NIST SP800-90A.
1850 default CRYPTO_DRBG_MENU
1852 select CRYPTO_JITTERENTROPY
1854 endif # if CRYPTO_DRBG_MENU
1856 config CRYPTO_JITTERENTROPY
1857 tristate "Jitterentropy Non-Deterministic Random Number Generator"
1860 The Jitterentropy RNG is a noise that is intended
1861 to provide seed to another RNG. The RNG does not
1862 perform any cryptographic whitening of the generated
1863 random numbers. This Jitterentropy RNG registers with
1864 the kernel crypto API and can be used by any caller.
1866 config CRYPTO_USER_API
1869 config CRYPTO_USER_API_HASH
1870 tristate "User-space interface for hash algorithms"
1873 select CRYPTO_USER_API
1875 This option enables the user-spaces interface for hash
1878 config CRYPTO_USER_API_SKCIPHER
1879 tristate "User-space interface for symmetric key cipher algorithms"
1881 select CRYPTO_SKCIPHER
1882 select CRYPTO_USER_API
1884 This option enables the user-spaces interface for symmetric
1885 key cipher algorithms.
1887 config CRYPTO_USER_API_RNG
1888 tristate "User-space interface for random number generator algorithms"
1891 select CRYPTO_USER_API
1893 This option enables the user-spaces interface for random
1894 number generator algorithms.
1896 config CRYPTO_USER_API_RNG_CAVP
1897 bool "Enable CAVP testing of DRBG"
1898 depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
1900 This option enables extra API for CAVP testing via the user-space
1901 interface: resetting of DRBG entropy, and providing Additional Data.
1902 This should only be enabled for CAVP testing. You should say
1903 no unless you know what this is.
1905 config CRYPTO_USER_API_AEAD
1906 tristate "User-space interface for AEAD cipher algorithms"
1909 select CRYPTO_SKCIPHER
1911 select CRYPTO_USER_API
1913 This option enables the user-spaces interface for AEAD
1916 config CRYPTO_USER_API_ENABLE_OBSOLETE
1917 bool "Enable obsolete cryptographic algorithms for userspace"
1918 depends on CRYPTO_USER_API
1921 Allow obsolete cryptographic algorithms to be selected that have
1922 already been phased out from internal use by the kernel, and are
1923 only useful for userspace clients that still rely on them.
1926 bool "Crypto usage statistics for User-space"
1927 depends on CRYPTO_USER
1929 This option enables the gathering of crypto stats.
1931 - encrypt/decrypt size and numbers of symmeric operations
1932 - compress/decompress size and numbers of compress operations
1933 - size and numbers of hash operations
1934 - encrypt/decrypt/sign/verify numbers for asymmetric operations
1935 - generate/seed numbers for rng operations
1937 config CRYPTO_HASH_INFO
1940 source "drivers/crypto/Kconfig"
1941 source "crypto/asymmetric_keys/Kconfig"
1942 source "certs/Kconfig"