1 # SPDX-License-Identifier: GPL-2.0
3 # Generic algorithms support
9 # async_tx api: hardware offloaded memory transfer/transform support
11 source "crypto/async_tx/Kconfig"
14 # Cryptographic API Configuration
17 tristate "Cryptographic API"
18 select CRYPTO_LIB_UTILS
20 This option provides the core Cryptographic API.
24 menu "Crypto core or helper"
27 bool "FIPS 200 compliance"
28 depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
29 depends on (MODULE_SIG || !MODULES)
31 This option enables the fips boot option which is
32 required if you want the system to operate in a FIPS 200
33 certification. You should say no unless you know what
36 config CRYPTO_FIPS_NAME
37 string "FIPS Module Name"
38 default "Linux Kernel Cryptographic API"
39 depends on CRYPTO_FIPS
41 This option sets the FIPS Module name reported by the Crypto API via
42 the /proc/sys/crypto/fips_name file.
44 config CRYPTO_FIPS_CUSTOM_VERSION
45 bool "Use Custom FIPS Module Version"
46 depends on CRYPTO_FIPS
49 config CRYPTO_FIPS_VERSION
50 string "FIPS Module Version"
52 depends on CRYPTO_FIPS_CUSTOM_VERSION
54 This option provides the ability to override the FIPS Module Version.
55 By default the KERNELRELEASE value is used.
61 This option provides the API for cryptographic algorithms.
77 config CRYPTO_SKCIPHER
79 select CRYPTO_SKCIPHER2
82 config CRYPTO_SKCIPHER2
103 select CRYPTO_ALGAPI2
105 config CRYPTO_RNG_DEFAULT
107 select CRYPTO_DRBG_MENU
109 config CRYPTO_AKCIPHER2
111 select CRYPTO_ALGAPI2
113 config CRYPTO_AKCIPHER
115 select CRYPTO_AKCIPHER2
120 select CRYPTO_ALGAPI2
129 select CRYPTO_ALGAPI2
137 config CRYPTO_MANAGER
138 tristate "Cryptographic algorithm manager"
139 select CRYPTO_MANAGER2
141 Create default cryptographic template instantiations such as
144 config CRYPTO_MANAGER2
145 def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
148 select CRYPTO_SKCIPHER2
149 select CRYPTO_AKCIPHER2
154 tristate "Userspace cryptographic algorithm configuration"
156 select CRYPTO_MANAGER
158 Userspace configuration for cryptographic instantiations such as
161 config CRYPTO_MANAGER_DISABLE_TESTS
162 bool "Disable run-time self tests"
165 Disable run-time self tests that normally take place at
166 algorithm registration.
168 config CRYPTO_MANAGER_EXTRA_TESTS
169 bool "Enable extra run-time crypto self tests"
170 depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER
172 Enable extra run-time self tests of registered crypto algorithms,
173 including randomized fuzz tests.
175 This is intended for developer use only, as these tests take much
176 longer to run than the normal self tests.
178 config CRYPTO_GF128MUL
182 tristate "Null algorithms"
185 These are 'Null' algorithms, used by IPsec, which do nothing.
189 select CRYPTO_ALGAPI2
190 select CRYPTO_SKCIPHER2
194 tristate "Parallel crypto engine"
197 select CRYPTO_MANAGER
200 This converts an arbitrary crypto algorithm into a parallel
201 algorithm that executes in kernel threads.
204 tristate "Software async crypto daemon"
205 select CRYPTO_SKCIPHER
207 select CRYPTO_MANAGER
209 This is a generic software asynchronous crypto daemon that
210 converts an arbitrary synchronous software crypto algorithm
211 into an asynchronous algorithm that executes in a kernel thread.
213 config CRYPTO_AUTHENC
214 tristate "Authenc support"
216 select CRYPTO_SKCIPHER
217 select CRYPTO_MANAGER
221 Authenc: Combined mode wrapper for IPsec.
223 This is required for IPSec ESP (XFRM_ESP).
226 tristate "Testing module"
227 depends on m || EXPERT
228 select CRYPTO_MANAGER
230 Quick & dirty crypto test module.
241 menu "Public-key cryptography"
244 tristate "RSA (Rivest-Shamir-Adleman)"
245 select CRYPTO_AKCIPHER
246 select CRYPTO_MANAGER
250 RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017)
253 tristate "DH (Diffie-Hellman)"
257 DH (Diffie-Hellman) key exchange algorithm
259 config CRYPTO_DH_RFC7919_GROUPS
260 bool "RFC 7919 FFDHE groups"
262 select CRYPTO_RNG_DEFAULT
264 FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups
267 Support these finite-field groups in DH key exchanges:
268 - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
274 select CRYPTO_RNG_DEFAULT
277 tristate "ECDH (Elliptic Curve Diffie-Hellman)"
281 ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm
282 using curves P-192, P-256, and P-384 (FIPS 186)
285 tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)"
287 select CRYPTO_AKCIPHER
290 ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186,
292 using curves P-192, P-256, and P-384
294 Only signature verification is implemented.
297 tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)"
299 select CRYPTO_AKCIPHER
300 select CRYPTO_STREEBOG
304 Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
305 RFC 7091, ISO/IEC 14888-3)
307 One of the Russian cryptographic standard algorithms (called GOST
308 algorithms). Only signature verification is implemented.
311 tristate "SM2 (ShangMi 2)"
313 select CRYPTO_AKCIPHER
314 select CRYPTO_MANAGER
318 SM2 (ShangMi 2) public key algorithm
320 Published by State Encryption Management Bureau, China,
321 as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012.
324 https://datatracker.ietf.org/doc/draft-shen-sm2-ecdsa/
325 http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml
326 http://www.gmbz.org.cn/main/bzlb.html
328 config CRYPTO_CURVE25519
329 tristate "Curve25519"
331 select CRYPTO_LIB_CURVE25519_GENERIC
333 Curve25519 elliptic curve (RFC7748)
340 tristate "AES (Advanced Encryption Standard)"
342 select CRYPTO_LIB_AES
344 AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
346 Rijndael appears to be consistently a very good performer in
347 both hardware and software across a wide range of computing
348 environments regardless of its use in feedback or non-feedback
349 modes. Its key setup time is excellent, and its key agility is
350 good. Rijndael's very low memory requirements make it very well
351 suited for restricted-space environments, in which it also
352 demonstrates excellent performance. Rijndael's operations are
353 among the easiest to defend against power and timing attacks.
355 The AES specifies three key sizes: 128, 192 and 256 bits
358 tristate "AES (Advanced Encryption Standard) (fixed time)"
360 select CRYPTO_LIB_AES
362 AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
364 This is a generic implementation of AES that attempts to eliminate
365 data dependent latencies as much as possible without affecting
366 performance too much. It is intended for use by the generic CCM
367 and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
368 solely on encryption (although decryption is supported as well, but
369 with a more dramatic performance hit)
371 Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
372 8 for decryption), this implementation only uses just two S-boxes of
373 256 bytes each, and attempts to eliminate data dependent latencies by
374 prefetching the entire table into the cache at the start of each
375 block. Interrupts are also disabled to avoid races where cachelines
376 are evicted when the CPU is interrupted to do something else.
380 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
383 Anubis cipher algorithm
385 Anubis is a variable key length cipher which can use keys from
386 128 bits to 320 bits in length. It was evaluated as a entrant
387 in the NESSIE competition.
389 See https://web.archive.org/web/20160606112246/http://www.larc.usp.br/~pbarreto/AnubisPage.html
390 for further information.
396 ARIA cipher algorithm (RFC5794)
398 ARIA is a standard encryption algorithm of the Republic of Korea.
399 The ARIA specifies three key sizes and rounds.
405 https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do
407 config CRYPTO_BLOWFISH
410 select CRYPTO_BLOWFISH_COMMON
412 Blowfish cipher algorithm, by Bruce Schneier
414 This is a variable key length cipher which can use keys from 32
415 bits to 448 bits in length. It's fast, simple and specifically
416 designed for use on "large microprocessors".
418 See https://www.schneier.com/blowfish.html for further information.
420 config CRYPTO_BLOWFISH_COMMON
423 Common parts of the Blowfish cipher algorithm shared by the
424 generic c and the assembler implementations.
426 config CRYPTO_CAMELLIA
430 Camellia cipher algorithms (ISO/IEC 18033-3)
432 Camellia is a symmetric key block cipher developed jointly
433 at NTT and Mitsubishi Electric Corporation.
435 The Camellia specifies three key sizes: 128, 192 and 256 bits.
437 See https://info.isl.ntt.co.jp/crypt/eng/camellia/ for further information.
439 config CRYPTO_CAST_COMMON
442 Common parts of the CAST cipher algorithms shared by the
443 generic c and the assembler implementations.
446 tristate "CAST5 (CAST-128)"
448 select CRYPTO_CAST_COMMON
450 CAST5 (CAST-128) cipher algorithm (RFC2144, ISO/IEC 18033-3)
453 tristate "CAST6 (CAST-256)"
455 select CRYPTO_CAST_COMMON
457 CAST6 (CAST-256) encryption algorithm (RFC2612)
460 tristate "DES and Triple DES EDE"
462 select CRYPTO_LIB_DES
464 DES (Data Encryption Standard)(FIPS 46-2, ISO/IEC 18033-3) and
465 Triple DES EDE (Encrypt/Decrypt/Encrypt) (FIPS 46-3, ISO/IEC 18033-3)
471 select CRYPTO_SKCIPHER
473 FCrypt algorithm used by RxRPC
475 See https://ota.polyonymo.us/fcrypt-paper.txt
479 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
482 Khazad cipher algorithm
484 Khazad was a finalist in the initial NESSIE competition. It is
485 an algorithm optimized for 64-bit processors with good performance
486 on 32-bit processors. Khazad uses an 128 bit key size.
488 See https://web.archive.org/web/20171011071731/http://www.larc.usp.br/~pbarreto/KhazadPage.html
489 for further information.
493 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
496 SEED cipher algorithm (RFC4269, ISO/IEC 18033-3)
498 SEED is a 128-bit symmetric key block cipher that has been
499 developed by KISA (Korea Information Security Agency) as a
500 national standard encryption algorithm of the Republic of Korea.
501 It is a 16 round block cipher with the key size of 128 bit.
503 See https://seed.kisa.or.kr/kisa/algorithm/EgovSeedInfo.do
504 for further information.
506 config CRYPTO_SERPENT
510 Serpent cipher algorithm, by Anderson, Biham & Knudsen
512 Keys are allowed to be from 0 to 256 bits in length, in steps
515 See https://www.cl.cam.ac.uk/~rja14/serpent.html for further information.
520 config CRYPTO_SM4_GENERIC
521 tristate "SM4 (ShangMi 4)"
525 SM4 cipher algorithms (OSCCA GB/T 32907-2016,
526 ISO/IEC 18033-3:2010/Amd 1:2021)
528 SM4 (GBT.32907-2016) is a cryptographic standard issued by the
529 Organization of State Commercial Administration of China (OSCCA)
530 as an authorized cryptographic algorithms for the use within China.
532 SMS4 was originally created for use in protecting wireless
533 networks, and is mandated in the Chinese National Standard for
534 Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
537 The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
538 standardized through TC 260 of the Standardization Administration
539 of the People's Republic of China (SAC).
541 The input, output, and key of SMS4 are each 128 bits.
543 See https://eprint.iacr.org/2008/329.pdf for further information.
548 tristate "TEA, XTEA and XETA"
549 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
552 TEA (Tiny Encryption Algorithm) cipher algorithms
554 Tiny Encryption Algorithm is a simple cipher that uses
555 many rounds for security. It is very fast and uses
558 Xtendend Tiny Encryption Algorithm is a modification to
559 the TEA algorithm to address a potential key weakness
560 in the TEA algorithm.
562 Xtendend Encryption Tiny Algorithm is a mis-implementation
563 of the XTEA algorithm for compatibility purposes.
565 config CRYPTO_TWOFISH
568 select CRYPTO_TWOFISH_COMMON
570 Twofish cipher algorithm
572 Twofish was submitted as an AES (Advanced Encryption Standard)
573 candidate cipher by researchers at CounterPane Systems. It is a
574 16 round block cipher supporting key sizes of 128, 192, and 256
577 See https://www.schneier.com/twofish.html for further information.
579 config CRYPTO_TWOFISH_COMMON
582 Common parts of the Twofish cipher algorithm shared by the
583 generic c and the assembler implementations.
587 menu "Length-preserving ciphers and modes"
589 config CRYPTO_ADIANTUM
591 select CRYPTO_CHACHA20
592 select CRYPTO_LIB_POLY1305_GENERIC
593 select CRYPTO_NHPOLY1305
594 select CRYPTO_MANAGER
596 Adiantum tweakable, length-preserving encryption mode
598 Designed for fast and secure disk encryption, especially on
599 CPUs without dedicated crypto instructions. It encrypts
600 each sector using the XChaCha12 stream cipher, two passes of
601 an ε-almost-∆-universal hash function, and an invocation of
602 the AES-256 block cipher on a single 16-byte block. On CPUs
603 without AES instructions, Adiantum is much faster than
606 Adiantum's security is provably reducible to that of its
607 underlying stream and block ciphers, subject to a security
608 bound. Unlike XTS, Adiantum is a true wide-block encryption
609 mode, so it actually provides an even stronger notion of
610 security than XTS, subject to the security bound.
615 tristate "ARC4 (Alleged Rivest Cipher 4)"
616 depends on CRYPTO_USER_API_ENABLE_OBSOLETE
617 select CRYPTO_SKCIPHER
618 select CRYPTO_LIB_ARC4
620 ARC4 cipher algorithm
622 ARC4 is a stream cipher using keys ranging from 8 bits to 2048
623 bits in length. This algorithm is required for driver-based
624 WEP, but it should not be for other purposes because of the
625 weakness of the algorithm.
627 config CRYPTO_CHACHA20
629 select CRYPTO_LIB_CHACHA_GENERIC
630 select CRYPTO_SKCIPHER
632 The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms
634 ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
635 Bernstein and further specified in RFC7539 for use in IETF protocols.
636 This is the portable C implementation of ChaCha20. See
637 https://cr.yp.to/chacha/chacha-20080128.pdf for further information.
639 XChaCha20 is the application of the XSalsa20 construction to ChaCha20
640 rather than to Salsa20. XChaCha20 extends ChaCha20's nonce length
641 from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
642 while provably retaining ChaCha20's security. See
643 https://cr.yp.to/snuffle/xsalsa-20081128.pdf for further information.
645 XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
646 reduced security margin but increased performance. It can be needed
647 in some performance-sensitive scenarios.
650 tristate "CBC (Cipher Block Chaining)"
651 select CRYPTO_SKCIPHER
652 select CRYPTO_MANAGER
654 CBC (Cipher Block Chaining) mode (NIST SP800-38A)
656 This block cipher mode is required for IPSec ESP (XFRM_ESP).
659 tristate "CFB (Cipher Feedback)"
660 select CRYPTO_SKCIPHER
661 select CRYPTO_MANAGER
663 CFB (Cipher Feedback) mode (NIST SP800-38A)
665 This block cipher mode is required for TPM2 Cryptography.
668 tristate "CTR (Counter)"
669 select CRYPTO_SKCIPHER
670 select CRYPTO_MANAGER
672 CTR (Counter) mode (NIST SP800-38A)
675 tristate "CTS (Cipher Text Stealing)"
676 select CRYPTO_SKCIPHER
677 select CRYPTO_MANAGER
679 CBC-CS3 variant of CTS (Cipher Text Stealing) (NIST
680 Addendum to SP800-38A (October 2010))
682 This mode is required for Kerberos gss mechanism support
686 tristate "ECB (Electronic Codebook)"
687 select CRYPTO_SKCIPHER
688 select CRYPTO_MANAGER
690 ECB (Electronic Codebook) mode (NIST SP800-38A)
695 select CRYPTO_POLYVAL
696 select CRYPTO_MANAGER
698 HCTR2 length-preserving encryption mode
700 A mode for storage encryption that is efficient on processors with
701 instructions to accelerate AES and carryless multiplication, e.g.
702 x86 processors with AES-NI and CLMUL, and ARM processors with the
703 ARMv8 crypto extensions.
705 See https://eprint.iacr.org/2021/1441
707 config CRYPTO_KEYWRAP
708 tristate "KW (AES Key Wrap)"
709 select CRYPTO_SKCIPHER
710 select CRYPTO_MANAGER
712 KW (AES Key Wrap) authenticated encryption mode (NIST SP800-38F
713 and RFC3394) without padding.
716 tristate "LRW (Liskov Rivest Wagner)"
717 select CRYPTO_SKCIPHER
718 select CRYPTO_MANAGER
719 select CRYPTO_GF128MUL
722 LRW (Liskov Rivest Wagner) mode
724 A tweakable, non malleable, non movable
725 narrow block cipher mode for dm-crypt. Use it with cipher
726 specification string aes-lrw-benbi, the key must be 256, 320 or 384.
727 The first 128, 192 or 256 bits in the key are used for AES and the
728 rest is used to tie each cipher block to its logical position.
730 See https://people.csail.mit.edu/rivest/pubs/LRW02.pdf
733 tristate "OFB (Output Feedback)"
734 select CRYPTO_SKCIPHER
735 select CRYPTO_MANAGER
737 OFB (Output Feedback) mode (NIST SP800-38A)
739 This mode makes a block cipher into a synchronous
740 stream cipher. It generates keystream blocks, which are then XORed
741 with the plaintext blocks to get the ciphertext. Flipping a bit in the
742 ciphertext produces a flipped bit in the plaintext at the same
743 location. This property allows many error correcting codes to function
744 normally even when applied before encryption.
747 tristate "PCBC (Propagating Cipher Block Chaining)"
748 select CRYPTO_SKCIPHER
749 select CRYPTO_MANAGER
751 PCBC (Propagating Cipher Block Chaining) mode
753 This block cipher mode is required for RxRPC.
757 select CRYPTO_SKCIPHER
758 select CRYPTO_MANAGER
760 XCTR (XOR Counter) mode for HCTR2
762 This blockcipher mode is a variant of CTR mode using XORs and little-endian
763 addition rather than big-endian arithmetic.
765 XCTR mode is used to implement HCTR2.
768 tristate "XTS (XOR Encrypt XOR with ciphertext stealing)"
769 select CRYPTO_SKCIPHER
770 select CRYPTO_MANAGER
773 XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
776 Use with aes-xts-plain, key size 256, 384 or 512 bits. This
777 implementation currently can't handle a sectorsize which is not a
778 multiple of 16 bytes.
780 config CRYPTO_NHPOLY1305
783 select CRYPTO_LIB_POLY1305_GENERIC
787 menu "AEAD (authenticated encryption with associated data) ciphers"
789 config CRYPTO_AEGIS128
792 select CRYPTO_AES # for AES S-box tables
794 AEGIS-128 AEAD algorithm
796 config CRYPTO_AEGIS128_SIMD
797 bool "AEGIS-128 (arm NEON, arm64 NEON)"
798 depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
801 AEGIS-128 AEAD algorithm
803 Architecture: arm or arm64 using:
804 - NEON (Advanced SIMD) extension
806 config CRYPTO_CHACHA20POLY1305
807 tristate "ChaCha20-Poly1305"
808 select CRYPTO_CHACHA20
809 select CRYPTO_POLY1305
811 select CRYPTO_MANAGER
813 ChaCha20 stream cipher and Poly1305 authenticator combined
817 tristate "CCM (Counter with Cipher Block Chaining-MAC)"
821 select CRYPTO_MANAGER
823 CCM (Counter with Cipher Block Chaining-Message Authentication Code)
824 authenticated encryption mode (NIST SP800-38C)
827 tristate "GCM (Galois/Counter Mode) and GMAC (GCM MAC)"
832 select CRYPTO_MANAGER
834 GCM (Galois/Counter Mode) authenticated encryption mode and GMAC
835 (GCM Message Authentication Code) (NIST SP800-38D)
837 This is required for IPSec ESP (XFRM_ESP).
840 tristate "Sequence Number IV Generator"
842 select CRYPTO_SKCIPHER
844 select CRYPTO_RNG_DEFAULT
845 select CRYPTO_MANAGER
847 Sequence Number IV generator
849 This IV generator generates an IV based on a sequence number by
850 xoring it with a salt. This algorithm is mainly useful for CTR.
852 This is required for IPsec ESP (XFRM_ESP).
854 config CRYPTO_ECHAINIV
855 tristate "Encrypted Chain IV Generator"
858 select CRYPTO_RNG_DEFAULT
859 select CRYPTO_MANAGER
861 Encrypted Chain IV generator
863 This IV generator generates an IV based on the encryption of
864 a sequence number xored with a salt. This is the default
868 tristate "Encrypted Salt-Sector IV Generator"
869 select CRYPTO_AUTHENC
871 Encrypted Salt-Sector IV generator
873 This IV generator is used in some cases by fscrypt and/or
874 dm-crypt. It uses the hash of the block encryption key as the
875 symmetric key for a block encryption pass applied to the input
876 IV, making low entropy IV sources more suitable for block
879 This driver implements a crypto API template that can be
880 instantiated either as an skcipher or as an AEAD (depending on the
881 type of the first template argument), and which defers encryption
882 and decryption requests to the encapsulated cipher after applying
883 ESSIV to the input IV. Note that in the AEAD case, it is assumed
884 that the keys are presented in the same format used by the authenc
885 template, and that the IV appears at the end of the authenticated
886 associated data (AAD) region (which is how dm-crypt uses it.)
888 Note that the use of ESSIV is not recommended for new deployments,
889 and so this only needs to be enabled when interoperability with
890 existing encrypted volumes of filesystems is required, or when
891 building for a particular system that requires it (e.g., when
892 the SoC in question has accelerated CBC but not XTS, making CBC
893 combined with ESSIV the only feasible mode for h/w accelerated
898 menu "Hashes, digests, and MACs"
900 config CRYPTO_BLAKE2B
904 BLAKE2b cryptographic hash function (RFC 7693)
906 BLAKE2b is optimized for 64-bit platforms and can produce digests
907 of any size between 1 and 64 bytes. The keyed hash is also implemented.
909 This module provides the following algorithms:
915 Used by the btrfs filesystem.
917 See https://blake2.net for further information.
920 tristate "CMAC (Cipher-based MAC)"
922 select CRYPTO_MANAGER
924 CMAC (Cipher-based Message Authentication Code) authentication
925 mode (NIST SP800-38B and IETF RFC4493)
929 select CRYPTO_GF128MUL
932 GCM GHASH function (NIST SP800-38D)
935 tristate "HMAC (Keyed-Hash MAC)"
937 select CRYPTO_MANAGER
939 HMAC (Keyed-Hash Message Authentication Code) (FIPS 198 and
942 This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
948 MD4 message digest algorithm (RFC1320)
954 MD5 message digest algorithm (RFC1321)
956 config CRYPTO_MICHAEL_MIC
957 tristate "Michael MIC"
960 Michael MIC (Message Integrity Code) (IEEE 802.11i)
962 Defined by the IEEE 802.11i TKIP (Temporal Key Integrity Protocol),
963 known as WPA (Wif-Fi Protected Access).
965 This algorithm is required for TKIP, but it should not be used for
966 other purposes because of the weakness of the algorithm.
968 config CRYPTO_POLYVAL
970 select CRYPTO_GF128MUL
973 POLYVAL hash function for HCTR2
975 This is used in HCTR2. It is not a general-purpose
976 cryptographic hash function.
978 config CRYPTO_POLY1305
981 select CRYPTO_LIB_POLY1305_GENERIC
983 Poly1305 authenticator algorithm (RFC7539)
985 Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
986 It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
987 in IETF protocols. This is the portable C implementation of Poly1305.
990 tristate "RIPEMD-160"
993 RIPEMD-160 hash function (ISO/IEC 10118-3)
995 RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
996 to be used as a secure replacement for the 128-bit hash functions
997 MD4, MD5 and its predecessor RIPEMD
998 (not to be confused with RIPEMD-128).
1000 Its speed is comparable to SHA-1 and there are no known attacks
1003 Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
1004 See https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
1005 for further information.
1010 select CRYPTO_LIB_SHA1
1012 SHA-1 secure hash algorithm (FIPS 180, ISO/IEC 10118-3)
1014 config CRYPTO_SHA256
1015 tristate "SHA-224 and SHA-256"
1017 select CRYPTO_LIB_SHA256
1019 SHA-224 and SHA-256 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
1021 This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
1022 Used by the btrfs filesystem, Ceph, NFS, and SMB.
1024 config CRYPTO_SHA512
1025 tristate "SHA-384 and SHA-512"
1028 SHA-384 and SHA-512 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
1034 SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3)
1039 config CRYPTO_SM3_GENERIC
1040 tristate "SM3 (ShangMi 3)"
1044 SM3 (ShangMi 3) secure hash function (OSCCA GM/T 0004-2012, ISO/IEC 10118-3)
1046 This is part of the Chinese Commercial Cryptography suite.
1049 http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
1050 https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
1052 config CRYPTO_STREEBOG
1056 Streebog Hash Function (GOST R 34.11-2012, RFC 6986, ISO/IEC 10118-3)
1058 This is one of the Russian cryptographic standard algorithms (called
1059 GOST algorithms). This setting enables two hash algorithms with
1060 256 and 512 bits output.
1063 https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1064 https://tools.ietf.org/html/rfc6986
1069 select CRYPTO_MANAGER
1071 VMAC is a message authentication algorithm designed for
1072 very high speed on 64-bit architectures.
1074 See https://fastcrypto.org/vmac for further information.
1077 tristate "Whirlpool"
1080 Whirlpool hash function (ISO/IEC 10118-3)
1082 512, 384 and 256-bit hashes.
1084 Whirlpool-512 is part of the NESSIE cryptographic primitives.
1086 See https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
1087 for further information.
1090 tristate "XCBC-MAC (Extended Cipher Block Chaining MAC)"
1092 select CRYPTO_MANAGER
1094 XCBC-MAC (Extended Cipher Block Chaining Message Authentication
1097 config CRYPTO_XXHASH
1102 xxHash non-cryptographic hash algorithm
1104 Extremely fast, working at speeds close to RAM limits.
1106 Used by the btrfs filesystem.
1110 menu "CRCs (cyclic redundancy checks)"
1112 config CRYPTO_CRC32C
1117 CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720)
1119 A 32-bit CRC (cyclic redundancy check) with a polynomial defined
1120 by G. Castagnoli, S. Braeuer and M. Herrman in "Optimization of Cyclic
1121 Redundancy-Check Codes with 24 and 32 Parity Bits", IEEE Transactions
1122 on Communications, Vol. 41, No. 6, June 1993, selected for use with
1125 Used by btrfs, ext4, jbd2, NVMeoF/TCP, and iSCSI.
1132 CRC32 CRC algorithm (IEEE 802.3)
1134 Used by RoCEv2 and f2fs.
1136 config CRYPTO_CRCT10DIF
1137 tristate "CRCT10DIF"
1140 CRC16 CRC algorithm used for the T10 (SCSI) Data Integrity Field (DIF)
1142 CRC algorithm used by the SCSI Block Commands standard.
1144 config CRYPTO_CRC64_ROCKSOFT
1145 tristate "CRC64 based on Rocksoft Model algorithm"
1149 CRC64 CRC algorithm based on the Rocksoft Model CRC Algorithm
1151 Used by the NVMe implementation of T10 DIF (BLK_DEV_INTEGRITY)
1153 See https://zlib.net/crc_v3.txt
1159 config CRYPTO_DEFLATE
1161 select CRYPTO_ALGAPI
1162 select CRYPTO_ACOMP2
1166 Deflate compression algorithm (RFC1951)
1168 Used by IPSec with the IPCOMP protocol (RFC3173, RFC2394)
1172 select CRYPTO_ALGAPI
1173 select CRYPTO_ACOMP2
1175 select LZO_DECOMPRESS
1177 LZO compression algorithm
1179 See https://www.oberhumer.com/opensource/lzo/ for further information.
1183 select CRYPTO_ALGAPI
1184 select CRYPTO_ACOMP2
1186 select 842_DECOMPRESS
1188 842 compression algorithm by IBM
1190 See https://github.com/plauth/lib842 for further information.
1194 select CRYPTO_ALGAPI
1195 select CRYPTO_ACOMP2
1197 select LZ4_DECOMPRESS
1199 LZ4 compression algorithm
1201 See https://github.com/lz4/lz4 for further information.
1205 select CRYPTO_ALGAPI
1206 select CRYPTO_ACOMP2
1207 select LZ4HC_COMPRESS
1208 select LZ4_DECOMPRESS
1210 LZ4 high compression mode algorithm
1212 See https://github.com/lz4/lz4 for further information.
1216 select CRYPTO_ALGAPI
1217 select CRYPTO_ACOMP2
1218 select ZSTD_COMPRESS
1219 select ZSTD_DECOMPRESS
1221 zstd compression algorithm
1223 See https://github.com/facebook/zstd for further information.
1227 menu "Random number generation"
1229 config CRYPTO_ANSI_CPRNG
1230 tristate "ANSI PRNG (Pseudo Random Number Generator)"
1234 Pseudo RNG (random number generator) (ANSI X9.31 Appendix A.2.4)
1236 This uses the AES cipher algorithm.
1238 Note that this option must be enabled if CRYPTO_FIPS is selected
1240 menuconfig CRYPTO_DRBG_MENU
1241 tristate "NIST SP800-90A DRBG (Deterministic Random Bit Generator)"
1243 DRBG (Deterministic Random Bit Generator) (NIST SP800-90A)
1245 In the following submenu, one or more of the DRBG types must be selected.
1249 config CRYPTO_DRBG_HMAC
1253 select CRYPTO_SHA512
1255 config CRYPTO_DRBG_HASH
1257 select CRYPTO_SHA256
1259 Hash_DRBG variant as defined in NIST SP800-90A.
1261 This uses the SHA-1, SHA-256, SHA-384, or SHA-512 hash algorithms.
1263 config CRYPTO_DRBG_CTR
1268 CTR_DRBG variant as defined in NIST SP800-90A.
1270 This uses the AES cipher algorithm with the counter block mode.
1274 default CRYPTO_DRBG_MENU
1276 select CRYPTO_JITTERENTROPY
1278 endif # if CRYPTO_DRBG_MENU
1280 config CRYPTO_JITTERENTROPY
1281 tristate "CPU Jitter Non-Deterministic RNG (Random Number Generator)"
1284 CPU Jitter RNG (Random Number Generator) from the Jitterentropy library
1286 A non-physical non-deterministic ("true") RNG (e.g., an entropy source
1287 compliant with NIST SP800-90B) intended to provide a seed to a
1288 deterministic RNG (e.g. per NIST SP800-90C).
1289 This RNG does not perform any cryptographic whitening of the generated
1291 See https://www.chronox.de/jent.html
1293 config CRYPTO_KDF800108_CTR
1296 select CRYPTO_SHA256
1299 menu "Userspace interface"
1301 config CRYPTO_USER_API
1304 config CRYPTO_USER_API_HASH
1305 tristate "Hash algorithms"
1308 select CRYPTO_USER_API
1310 Enable the userspace interface for hash algorithms.
1312 See Documentation/crypto/userspace-if.rst and
1313 https://www.chronox.de/libkcapi/html/index.html
1315 config CRYPTO_USER_API_SKCIPHER
1316 tristate "Symmetric key cipher algorithms"
1318 select CRYPTO_SKCIPHER
1319 select CRYPTO_USER_API
1321 Enable the userspace interface for symmetric key cipher algorithms.
1323 See Documentation/crypto/userspace-if.rst and
1324 https://www.chronox.de/libkcapi/html/index.html
1326 config CRYPTO_USER_API_RNG
1327 tristate "RNG (random number generator) algorithms"
1330 select CRYPTO_USER_API
1332 Enable the userspace interface for RNG (random number generator)
1335 See Documentation/crypto/userspace-if.rst and
1336 https://www.chronox.de/libkcapi/html/index.html
1338 config CRYPTO_USER_API_RNG_CAVP
1339 bool "Enable CAVP testing of DRBG"
1340 depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
1342 Enable extra APIs in the userspace interface for NIST CAVP
1343 (Cryptographic Algorithm Validation Program) testing:
1344 - resetting DRBG entropy
1345 - providing Additional Data
1347 This should only be enabled for CAVP testing. You should say
1348 no unless you know what this is.
1350 config CRYPTO_USER_API_AEAD
1351 tristate "AEAD cipher algorithms"
1354 select CRYPTO_SKCIPHER
1356 select CRYPTO_USER_API
1358 Enable the userspace interface for AEAD cipher algorithms.
1360 See Documentation/crypto/userspace-if.rst and
1361 https://www.chronox.de/libkcapi/html/index.html
1363 config CRYPTO_USER_API_ENABLE_OBSOLETE
1364 bool "Obsolete cryptographic algorithms"
1365 depends on CRYPTO_USER_API
1368 Allow obsolete cryptographic algorithms to be selected that have
1369 already been phased out from internal use by the kernel, and are
1370 only useful for userspace clients that still rely on them.
1373 bool "Crypto usage statistics"
1374 depends on CRYPTO_USER
1376 Enable the gathering of crypto stats.
1378 This collects data sizes, numbers of requests, and numbers
1379 of errors processed by:
1380 - AEAD ciphers (encrypt, decrypt)
1381 - asymmetric key ciphers (encrypt, decrypt, verify, sign)
1382 - symmetric key ciphers (encrypt, decrypt)
1383 - compression algorithms (compress, decompress)
1384 - hash algorithms (hash)
1385 - key-agreement protocol primitives (setsecret, generate
1386 public key, compute shared secret)
1387 - RNG (generate, seed)
1391 config CRYPTO_HASH_INFO
1394 if !KMSAN # avoid false positives from assembly
1396 source "arch/arm/crypto/Kconfig"
1399 source "arch/arm64/crypto/Kconfig"
1402 source "arch/mips/crypto/Kconfig"
1405 source "arch/powerpc/crypto/Kconfig"
1408 source "arch/s390/crypto/Kconfig"
1411 source "arch/sparc/crypto/Kconfig"
1414 source "arch/x86/crypto/Kconfig"
1418 source "drivers/crypto/Kconfig"
1419 source "crypto/asymmetric_keys/Kconfig"
1420 source "certs/Kconfig"
projects / thirdparty / linux.git / blob