1# SPDX-License-Identifier: GPL-2.0
2#
3# Generic algorithms support
4#
5config XOR_BLOCKS
6	tristate
7
8#
9# async_tx api: hardware offloaded memory transfer/transform support
10#
11source "crypto/async_tx/Kconfig"
12
13#
14# Cryptographic API Configuration
15#
16menuconfig CRYPTO
17	tristate "Cryptographic API"
18	select CRYPTO_LIB_UTILS
19	help
20	  This option provides the core Cryptographic API.
21
22if CRYPTO
23
24menu "Crypto core or helper"
25
26config CRYPTO_FIPS
27	bool "FIPS 200 compliance"
28	depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
29	depends on (MODULE_SIG || !MODULES)
30	help
31	  This option enables the fips boot option which is
32	  required if you want the system to operate in a FIPS 200
33	  certification.  You should say no unless you know what
34	  this is.
35
36config CRYPTO_FIPS_NAME
37	string "FIPS Module Name"
38	default "Linux Kernel Cryptographic API"
39	depends on CRYPTO_FIPS
40	help
41	  This option sets the FIPS Module name reported by the Crypto API via
42	  the /proc/sys/crypto/fips_name file.
43
44config CRYPTO_FIPS_CUSTOM_VERSION
45	bool "Use Custom FIPS Module Version"
46	depends on CRYPTO_FIPS
47	default n
48
49config CRYPTO_FIPS_VERSION
50	string "FIPS Module Version"
51	default "(none)"
52	depends on CRYPTO_FIPS_CUSTOM_VERSION
53	help
54	  This option provides the ability to override the FIPS Module Version.
55	  By default the KERNELRELEASE value is used.
56
57config CRYPTO_ALGAPI
58	tristate
59	select CRYPTO_ALGAPI2
60	help
61	  This option provides the API for cryptographic algorithms.
62
63config CRYPTO_ALGAPI2
64	tristate
65
66config CRYPTO_AEAD
67	tristate
68	select CRYPTO_AEAD2
69	select CRYPTO_ALGAPI
70
71config CRYPTO_AEAD2
72	tristate
73	select CRYPTO_ALGAPI2
74
75config CRYPTO_SIG
76	tristate
77	select CRYPTO_SIG2
78	select CRYPTO_ALGAPI
79
80config CRYPTO_SIG2
81	tristate
82	select CRYPTO_ALGAPI2
83
84config CRYPTO_SKCIPHER
85	tristate
86	select CRYPTO_SKCIPHER2
87	select CRYPTO_ALGAPI
88
89config CRYPTO_SKCIPHER2
90	tristate
91	select CRYPTO_ALGAPI2
92
93config CRYPTO_HASH
94	tristate
95	select CRYPTO_HASH2
96	select CRYPTO_ALGAPI
97
98config CRYPTO_HASH2
99	tristate
100	select CRYPTO_ALGAPI2
101
102config CRYPTO_RNG
103	tristate
104	select CRYPTO_RNG2
105	select CRYPTO_ALGAPI
106
107config CRYPTO_RNG2
108	tristate
109	select CRYPTO_ALGAPI2
110
111config CRYPTO_RNG_DEFAULT
112	tristate
113	select CRYPTO_DRBG_MENU
114
115config CRYPTO_AKCIPHER2
116	tristate
117	select CRYPTO_ALGAPI2
118
119config CRYPTO_AKCIPHER
120	tristate
121	select CRYPTO_AKCIPHER2
122	select CRYPTO_ALGAPI
123
124config CRYPTO_KPP2
125	tristate
126	select CRYPTO_ALGAPI2
127
128config CRYPTO_KPP
129	tristate
130	select CRYPTO_ALGAPI
131	select CRYPTO_KPP2
132
133config CRYPTO_ACOMP2
134	tristate
135	select CRYPTO_ALGAPI2
136	select SGL_ALLOC
137
138config CRYPTO_ACOMP
139	tristate
140	select CRYPTO_ALGAPI
141	select CRYPTO_ACOMP2
142
143config CRYPTO_MANAGER
144	tristate "Cryptographic algorithm manager"
145	select CRYPTO_MANAGER2
146	help
147	  Create default cryptographic template instantiations such as
148	  cbc(aes).
149
150config CRYPTO_MANAGER2
151	def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
152	select CRYPTO_ACOMP2
153	select CRYPTO_AEAD2
154	select CRYPTO_AKCIPHER2
155	select CRYPTO_SIG2
156	select CRYPTO_HASH2
157	select CRYPTO_KPP2
158	select CRYPTO_RNG2
159	select CRYPTO_SKCIPHER2
160
161config CRYPTO_USER
162	tristate "Userspace cryptographic algorithm configuration"
163	depends on NET
164	select CRYPTO_MANAGER
165	help
166	  Userspace configuration for cryptographic instantiations such as
167	  cbc(aes).
168
169config CRYPTO_MANAGER_DISABLE_TESTS
170	bool "Disable run-time self tests"
171	default y
172	help
173	  Disable run-time self tests that normally take place at
174	  algorithm registration.
175
176config CRYPTO_MANAGER_EXTRA_TESTS
177	bool "Enable extra run-time crypto self tests"
178	depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER
179	help
180	  Enable extra run-time self tests of registered crypto algorithms,
181	  including randomized fuzz tests.
182
183	  This is intended for developer use only, as these tests take much
184	  longer to run than the normal self tests.
185
186config CRYPTO_NULL
187	tristate "Null algorithms"
188	select CRYPTO_NULL2
189	help
190	  These are 'Null' algorithms, used by IPsec, which do nothing.
191
192config CRYPTO_NULL2
193	tristate
194	select CRYPTO_ALGAPI2
195	select CRYPTO_SKCIPHER2
196	select CRYPTO_HASH2
197
198config CRYPTO_PCRYPT
199	tristate "Parallel crypto engine"
200	depends on SMP
201	select PADATA
202	select CRYPTO_MANAGER
203	select CRYPTO_AEAD
204	help
205	  This converts an arbitrary crypto algorithm into a parallel
206	  algorithm that executes in kernel threads.
207
208config CRYPTO_CRYPTD
209	tristate "Software async crypto daemon"
210	select CRYPTO_SKCIPHER
211	select CRYPTO_HASH
212	select CRYPTO_MANAGER
213	help
214	  This is a generic software asynchronous crypto daemon that
215	  converts an arbitrary synchronous software crypto algorithm
216	  into an asynchronous algorithm that executes in a kernel thread.
217
218config CRYPTO_AUTHENC
219	tristate "Authenc support"
220	select CRYPTO_AEAD
221	select CRYPTO_SKCIPHER
222	select CRYPTO_MANAGER
223	select CRYPTO_HASH
224	select CRYPTO_NULL
225	help
226	  Authenc: Combined mode wrapper for IPsec.
227
228	  This is required for IPSec ESP (XFRM_ESP).
229
230config CRYPTO_TEST
231	tristate "Testing module"
232	depends on m || EXPERT
233	select CRYPTO_MANAGER
234	help
235	  Quick & dirty crypto test module.
236
237config CRYPTO_SIMD
238	tristate
239	select CRYPTO_CRYPTD
240
241config CRYPTO_ENGINE
242	tristate
243
244endmenu
245
246menu "Public-key cryptography"
247
248config CRYPTO_RSA
249	tristate "RSA (Rivest-Shamir-Adleman)"
250	select CRYPTO_AKCIPHER
251	select CRYPTO_MANAGER
252	select MPILIB
253	select ASN1
254	help
255	  RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017)
256
257config CRYPTO_DH
258	tristate "DH (Diffie-Hellman)"
259	select CRYPTO_KPP
260	select MPILIB
261	help
262	  DH (Diffie-Hellman) key exchange algorithm
263
264config CRYPTO_DH_RFC7919_GROUPS
265	bool "RFC 7919 FFDHE groups"
266	depends on CRYPTO_DH
267	select CRYPTO_RNG_DEFAULT
268	help
269	  FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups
270	  defined in RFC7919.
271
272	  Support these finite-field groups in DH key exchanges:
273	  - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
274
275	  If unsure, say N.
276
277config CRYPTO_ECC
278	tristate
279	select CRYPTO_RNG_DEFAULT
280
281config CRYPTO_ECDH
282	tristate "ECDH (Elliptic Curve Diffie-Hellman)"
283	select CRYPTO_ECC
284	select CRYPTO_KPP
285	help
286	  ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm
287	  using curves P-192, P-256, and P-384 (FIPS 186)
288
289config CRYPTO_ECDSA
290	tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)"
291	select CRYPTO_ECC
292	select CRYPTO_AKCIPHER
293	select ASN1
294	help
295	  ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186,
296	  ISO/IEC 14888-3)
297	  using curves P-192, P-256, and P-384
298
299	  Only signature verification is implemented.
300
301config CRYPTO_ECRDSA
302	tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)"
303	select CRYPTO_ECC
304	select CRYPTO_AKCIPHER
305	select CRYPTO_STREEBOG
306	select OID_REGISTRY
307	select ASN1
308	help
309	  Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
310	  RFC 7091, ISO/IEC 14888-3)
311
312	  One of the Russian cryptographic standard algorithms (called GOST
313	  algorithms). Only signature verification is implemented.
314
315config CRYPTO_SM2
316	tristate "SM2 (ShangMi 2)"
317	select CRYPTO_SM3
318	select CRYPTO_AKCIPHER
319	select CRYPTO_MANAGER
320	select MPILIB
321	select ASN1
322	help
323	  SM2 (ShangMi 2) public key algorithm
324
325	  Published by State Encryption Management Bureau, China,
326	  as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012.
327
328	  References:
329	  https://datatracker.ietf.org/doc/draft-shen-sm2-ecdsa/
330	  http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml
331	  http://www.gmbz.org.cn/main/bzlb.html
332
333config CRYPTO_CURVE25519
334	tristate "Curve25519"
335	select CRYPTO_KPP
336	select CRYPTO_LIB_CURVE25519_GENERIC
337	help
338	  Curve25519 elliptic curve (RFC7748)
339
340endmenu
341
342menu "Block ciphers"
343
344config CRYPTO_AES
345	tristate "AES (Advanced Encryption Standard)"
346	select CRYPTO_ALGAPI
347	select CRYPTO_LIB_AES
348	help
349	  AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
350
351	  Rijndael appears to be consistently a very good performer in
352	  both hardware and software across a wide range of computing
353	  environments regardless of its use in feedback or non-feedback
354	  modes. Its key setup time is excellent, and its key agility is
355	  good. Rijndael's very low memory requirements make it very well
356	  suited for restricted-space environments, in which it also
357	  demonstrates excellent performance. Rijndael's operations are
358	  among the easiest to defend against power and timing attacks.
359
360	  The AES specifies three key sizes: 128, 192 and 256 bits
361
362config CRYPTO_AES_TI
363	tristate "AES (Advanced Encryption Standard) (fixed time)"
364	select CRYPTO_ALGAPI
365	select CRYPTO_LIB_AES
366	help
367	  AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
368
369	  This is a generic implementation of AES that attempts to eliminate
370	  data dependent latencies as much as possible without affecting
371	  performance too much. It is intended for use by the generic CCM
372	  and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
373	  solely on encryption (although decryption is supported as well, but
374	  with a more dramatic performance hit)
375
376	  Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
377	  8 for decryption), this implementation only uses just two S-boxes of
378	  256 bytes each, and attempts to eliminate data dependent latencies by
379	  prefetching the entire table into the cache at the start of each
380	  block. Interrupts are also disabled to avoid races where cachelines
381	  are evicted when the CPU is interrupted to do something else.
382
383config CRYPTO_ANUBIS
384	tristate "Anubis"
385	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
386	select CRYPTO_ALGAPI
387	help
388	  Anubis cipher algorithm
389
390	  Anubis is a variable key length cipher which can use keys from
391	  128 bits to 320 bits in length.  It was evaluated as a entrant
392	  in the NESSIE competition.
393
394	  See https://web.archive.org/web/20160606112246/http://www.larc.usp.br/~pbarreto/AnubisPage.html
395	  for further information.
396
397config CRYPTO_ARIA
398	tristate "ARIA"
399	select CRYPTO_ALGAPI
400	help
401	  ARIA cipher algorithm (RFC5794)
402
403	  ARIA is a standard encryption algorithm of the Republic of Korea.
404	  The ARIA specifies three key sizes and rounds.
405	  128-bit: 12 rounds.
406	  192-bit: 14 rounds.
407	  256-bit: 16 rounds.
408
409	  See:
410	  https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do
411
412config CRYPTO_BLOWFISH
413	tristate "Blowfish"
414	select CRYPTO_ALGAPI
415	select CRYPTO_BLOWFISH_COMMON
416	help
417	  Blowfish cipher algorithm, by Bruce Schneier
418
419	  This is a variable key length cipher which can use keys from 32
420	  bits to 448 bits in length.  It's fast, simple and specifically
421	  designed for use on "large microprocessors".
422
423	  See https://www.schneier.com/blowfish.html for further information.
424
425config CRYPTO_BLOWFISH_COMMON
426	tristate
427	help
428	  Common parts of the Blowfish cipher algorithm shared by the
429	  generic c and the assembler implementations.
430
431config CRYPTO_CAMELLIA
432	tristate "Camellia"
433	select CRYPTO_ALGAPI
434	help
435	  Camellia cipher algorithms (ISO/IEC 18033-3)
436
437	  Camellia is a symmetric key block cipher developed jointly
438	  at NTT and Mitsubishi Electric Corporation.
439
440	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
441
442	  See https://info.isl.ntt.co.jp/crypt/eng/camellia/ for further information.
443
444config CRYPTO_CAST_COMMON
445	tristate
446	help
447	  Common parts of the CAST cipher algorithms shared by the
448	  generic c and the assembler implementations.
449
450config CRYPTO_CAST5
451	tristate "CAST5 (CAST-128)"
452	select CRYPTO_ALGAPI
453	select CRYPTO_CAST_COMMON
454	help
455	  CAST5 (CAST-128) cipher algorithm (RFC2144, ISO/IEC 18033-3)
456
457config CRYPTO_CAST6
458	tristate "CAST6 (CAST-256)"
459	select CRYPTO_ALGAPI
460	select CRYPTO_CAST_COMMON
461	help
462	  CAST6 (CAST-256) encryption algorithm (RFC2612)
463
464config CRYPTO_DES
465	tristate "DES and Triple DES EDE"
466	select CRYPTO_ALGAPI
467	select CRYPTO_LIB_DES
468	help
469	  DES (Data Encryption Standard)(FIPS 46-2, ISO/IEC 18033-3) and
470	  Triple DES EDE (Encrypt/Decrypt/Encrypt) (FIPS 46-3, ISO/IEC 18033-3)
471	  cipher algorithms
472
473config CRYPTO_FCRYPT
474	tristate "FCrypt"
475	select CRYPTO_ALGAPI
476	select CRYPTO_SKCIPHER
477	help
478	  FCrypt algorithm used by RxRPC
479
480	  See https://ota.polyonymo.us/fcrypt-paper.txt
481
482config CRYPTO_KHAZAD
483	tristate "Khazad"
484	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
485	select CRYPTO_ALGAPI
486	help
487	  Khazad cipher algorithm
488
489	  Khazad was a finalist in the initial NESSIE competition.  It is
490	  an algorithm optimized for 64-bit processors with good performance
491	  on 32-bit processors.  Khazad uses an 128 bit key size.
492
493	  See https://web.archive.org/web/20171011071731/http://www.larc.usp.br/~pbarreto/KhazadPage.html
494	  for further information.
495
496config CRYPTO_SEED
497	tristate "SEED"
498	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
499	select CRYPTO_ALGAPI
500	help
501	  SEED cipher algorithm (RFC4269, ISO/IEC 18033-3)
502
503	  SEED is a 128-bit symmetric key block cipher that has been
504	  developed by KISA (Korea Information Security Agency) as a
505	  national standard encryption algorithm of the Republic of Korea.
506	  It is a 16 round block cipher with the key size of 128 bit.
507
508	  See https://seed.kisa.or.kr/kisa/algorithm/EgovSeedInfo.do
509	  for further information.
510
511config CRYPTO_SERPENT
512	tristate "Serpent"
513	select CRYPTO_ALGAPI
514	help
515	  Serpent cipher algorithm, by Anderson, Biham & Knudsen
516
517	  Keys are allowed to be from 0 to 256 bits in length, in steps
518	  of 8 bits.
519
520	  See https://www.cl.cam.ac.uk/~rja14/serpent.html for further information.
521
522config CRYPTO_SM4
523	tristate
524
525config CRYPTO_SM4_GENERIC
526	tristate "SM4 (ShangMi 4)"
527	select CRYPTO_ALGAPI
528	select CRYPTO_SM4
529	help
530	  SM4 cipher algorithms (OSCCA GB/T 32907-2016,
531	  ISO/IEC 18033-3:2010/Amd 1:2021)
532
533	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
534	  Organization of State Commercial Administration of China (OSCCA)
535	  as an authorized cryptographic algorithms for the use within China.
536
537	  SMS4 was originally created for use in protecting wireless
538	  networks, and is mandated in the Chinese National Standard for
539	  Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
540	  (GB.15629.11-2003).
541
542	  The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
543	  standardized through TC 260 of the Standardization Administration
544	  of the People's Republic of China (SAC).
545
546	  The input, output, and key of SMS4 are each 128 bits.
547
548	  See https://eprint.iacr.org/2008/329.pdf for further information.
549
550	  If unsure, say N.
551
552config CRYPTO_TEA
553	tristate "TEA, XTEA and XETA"
554	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
555	select CRYPTO_ALGAPI
556	help
557	  TEA (Tiny Encryption Algorithm) cipher algorithms
558
559	  Tiny Encryption Algorithm is a simple cipher that uses
560	  many rounds for security.  It is very fast and uses
561	  little memory.
562
563	  Xtendend Tiny Encryption Algorithm is a modification to
564	  the TEA algorithm to address a potential key weakness
565	  in the TEA algorithm.
566
567	  Xtendend Encryption Tiny Algorithm is a mis-implementation
568	  of the XTEA algorithm for compatibility purposes.
569
570config CRYPTO_TWOFISH
571	tristate "Twofish"
572	select CRYPTO_ALGAPI
573	select CRYPTO_TWOFISH_COMMON
574	help
575	  Twofish cipher algorithm
576
577	  Twofish was submitted as an AES (Advanced Encryption Standard)
578	  candidate cipher by researchers at CounterPane Systems.  It is a
579	  16 round block cipher supporting key sizes of 128, 192, and 256
580	  bits.
581
582	  See https://www.schneier.com/twofish.html for further information.
583
584config CRYPTO_TWOFISH_COMMON
585	tristate
586	help
587	  Common parts of the Twofish cipher algorithm shared by the
588	  generic c and the assembler implementations.
589
590endmenu
591
592menu "Length-preserving ciphers and modes"
593
594config CRYPTO_ADIANTUM
595	tristate "Adiantum"
596	select CRYPTO_CHACHA20
597	select CRYPTO_LIB_POLY1305_GENERIC
598	select CRYPTO_NHPOLY1305
599	select CRYPTO_MANAGER
600	help
601	  Adiantum tweakable, length-preserving encryption mode
602
603	  Designed for fast and secure disk encryption, especially on
604	  CPUs without dedicated crypto instructions.  It encrypts
605	  each sector using the XChaCha12 stream cipher, two passes of
606	  an ε-almost-∆-universal hash function, and an invocation of
607	  the AES-256 block cipher on a single 16-byte block.  On CPUs
608	  without AES instructions, Adiantum is much faster than
609	  AES-XTS.
610
611	  Adiantum's security is provably reducible to that of its
612	  underlying stream and block ciphers, subject to a security
613	  bound.  Unlike XTS, Adiantum is a true wide-block encryption
614	  mode, so it actually provides an even stronger notion of
615	  security than XTS, subject to the security bound.
616
617	  If unsure, say N.
618
619config CRYPTO_ARC4
620	tristate "ARC4 (Alleged Rivest Cipher 4)"
621	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
622	select CRYPTO_SKCIPHER
623	select CRYPTO_LIB_ARC4
624	help
625	  ARC4 cipher algorithm
626
627	  ARC4 is a stream cipher using keys ranging from 8 bits to 2048
628	  bits in length.  This algorithm is required for driver-based
629	  WEP, but it should not be for other purposes because of the
630	  weakness of the algorithm.
631
632config CRYPTO_CHACHA20
633	tristate "ChaCha"
634	select CRYPTO_LIB_CHACHA_GENERIC
635	select CRYPTO_SKCIPHER
636	help
637	  The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms
638
639	  ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
640	  Bernstein and further specified in RFC7539 for use in IETF protocols.
641	  This is the portable C implementation of ChaCha20.  See
642	  https://cr.yp.to/chacha/chacha-20080128.pdf for further information.
643
644	  XChaCha20 is the application of the XSalsa20 construction to ChaCha20
645	  rather than to Salsa20.  XChaCha20 extends ChaCha20's nonce length
646	  from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
647	  while provably retaining ChaCha20's security.  See
648	  https://cr.yp.to/snuffle/xsalsa-20081128.pdf for further information.
649
650	  XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
651	  reduced security margin but increased performance.  It can be needed
652	  in some performance-sensitive scenarios.
653
654config CRYPTO_CBC
655	tristate "CBC (Cipher Block Chaining)"
656	select CRYPTO_SKCIPHER
657	select CRYPTO_MANAGER
658	help
659	  CBC (Cipher Block Chaining) mode (NIST SP800-38A)
660
661	  This block cipher mode is required for IPSec ESP (XFRM_ESP).
662
663config CRYPTO_CFB
664	tristate "CFB (Cipher Feedback)"
665	select CRYPTO_SKCIPHER
666	select CRYPTO_MANAGER
667	help
668	  CFB (Cipher Feedback) mode (NIST SP800-38A)
669
670	  This block cipher mode is required for TPM2 Cryptography.
671
672config CRYPTO_CTR
673	tristate "CTR (Counter)"
674	select CRYPTO_SKCIPHER
675	select CRYPTO_MANAGER
676	help
677	  CTR (Counter) mode (NIST SP800-38A)
678
679config CRYPTO_CTS
680	tristate "CTS (Cipher Text Stealing)"
681	select CRYPTO_SKCIPHER
682	select CRYPTO_MANAGER
683	help
684	  CBC-CS3 variant of CTS (Cipher Text Stealing) (NIST
685	  Addendum to SP800-38A (October 2010))
686
687	  This mode is required for Kerberos gss mechanism support
688	  for AES encryption.
689
690config CRYPTO_ECB
691	tristate "ECB (Electronic Codebook)"
692	select CRYPTO_SKCIPHER
693	select CRYPTO_MANAGER
694	help
695	  ECB (Electronic Codebook) mode (NIST SP800-38A)
696
697config CRYPTO_HCTR2
698	tristate "HCTR2"
699	select CRYPTO_XCTR
700	select CRYPTO_POLYVAL
701	select CRYPTO_MANAGER
702	help
703	  HCTR2 length-preserving encryption mode
704
705	  A mode for storage encryption that is efficient on processors with
706	  instructions to accelerate AES and carryless multiplication, e.g.
707	  x86 processors with AES-NI and CLMUL, and ARM processors with the
708	  ARMv8 crypto extensions.
709
710	  See https://eprint.iacr.org/2021/1441
711
712config CRYPTO_KEYWRAP
713	tristate "KW (AES Key Wrap)"
714	select CRYPTO_SKCIPHER
715	select CRYPTO_MANAGER
716	help
717	  KW (AES Key Wrap) authenticated encryption mode (NIST SP800-38F
718	  and RFC3394) without padding.
719
720config CRYPTO_LRW
721	tristate "LRW (Liskov Rivest Wagner)"
722	select CRYPTO_LIB_GF128MUL
723	select CRYPTO_SKCIPHER
724	select CRYPTO_MANAGER
725	select CRYPTO_ECB
726	help
727	  LRW (Liskov Rivest Wagner) mode
728
729	  A tweakable, non malleable, non movable
730	  narrow block cipher mode for dm-crypt.  Use it with cipher
731	  specification string aes-lrw-benbi, the key must be 256, 320 or 384.
732	  The first 128, 192 or 256 bits in the key are used for AES and the
733	  rest is used to tie each cipher block to its logical position.
734
735	  See https://people.csail.mit.edu/rivest/pubs/LRW02.pdf
736
737config CRYPTO_OFB
738	tristate "OFB (Output Feedback)"
739	select CRYPTO_SKCIPHER
740	select CRYPTO_MANAGER
741	help
742	  OFB (Output Feedback) mode (NIST SP800-38A)
743
744	  This mode makes a block cipher into a synchronous
745	  stream cipher. It generates keystream blocks, which are then XORed
746	  with the plaintext blocks to get the ciphertext. Flipping a bit in the
747	  ciphertext produces a flipped bit in the plaintext at the same
748	  location. This property allows many error correcting codes to function
749	  normally even when applied before encryption.
750
751config CRYPTO_PCBC
752	tristate "PCBC (Propagating Cipher Block Chaining)"
753	select CRYPTO_SKCIPHER
754	select CRYPTO_MANAGER
755	help
756	  PCBC (Propagating Cipher Block Chaining) mode
757
758	  This block cipher mode is required for RxRPC.
759
760config CRYPTO_XCTR
761	tristate
762	select CRYPTO_SKCIPHER
763	select CRYPTO_MANAGER
764	help
765	  XCTR (XOR Counter) mode for HCTR2
766
767	  This blockcipher mode is a variant of CTR mode using XORs and little-endian
768	  addition rather than big-endian arithmetic.
769
770	  XCTR mode is used to implement HCTR2.
771
772config CRYPTO_XTS
773	tristate "XTS (XOR Encrypt XOR with ciphertext stealing)"
774	select CRYPTO_SKCIPHER
775	select CRYPTO_MANAGER
776	select CRYPTO_ECB
777	help
778	  XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
779	  and IEEE 1619)
780
781	  Use with aes-xts-plain, key size 256, 384 or 512 bits. This
782	  implementation currently can't handle a sectorsize which is not a
783	  multiple of 16 bytes.
784
785config CRYPTO_NHPOLY1305
786	tristate
787	select CRYPTO_HASH
788	select CRYPTO_LIB_POLY1305_GENERIC
789
790endmenu
791
792menu "AEAD (authenticated encryption with associated data) ciphers"
793
794config CRYPTO_AEGIS128
795	tristate "AEGIS-128"
796	select CRYPTO_AEAD
797	select CRYPTO_AES  # for AES S-box tables
798	help
799	  AEGIS-128 AEAD algorithm
800
801config CRYPTO_AEGIS128_SIMD
802	bool "AEGIS-128 (arm NEON, arm64 NEON)"
803	depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
804	default y
805	help
806	  AEGIS-128 AEAD algorithm
807
808	  Architecture: arm or arm64 using:
809	  - NEON (Advanced SIMD) extension
810
811config CRYPTO_CHACHA20POLY1305
812	tristate "ChaCha20-Poly1305"
813	select CRYPTO_CHACHA20
814	select CRYPTO_POLY1305
815	select CRYPTO_AEAD
816	select CRYPTO_MANAGER
817	help
818	  ChaCha20 stream cipher and Poly1305 authenticator combined
819	  mode (RFC8439)
820
821config CRYPTO_CCM
822	tristate "CCM (Counter with Cipher Block Chaining-MAC)"
823	select CRYPTO_CTR
824	select CRYPTO_HASH
825	select CRYPTO_AEAD
826	select CRYPTO_MANAGER
827	help
828	  CCM (Counter with Cipher Block Chaining-Message Authentication Code)
829	  authenticated encryption mode (NIST SP800-38C)
830
831config CRYPTO_GCM
832	tristate "GCM (Galois/Counter Mode) and GMAC (GCM MAC)"
833	select CRYPTO_CTR
834	select CRYPTO_AEAD
835	select CRYPTO_GHASH
836	select CRYPTO_NULL
837	select CRYPTO_MANAGER
838	help
839	  GCM (Galois/Counter Mode) authenticated encryption mode and GMAC
840	  (GCM Message Authentication Code) (NIST SP800-38D)
841
842	  This is required for IPSec ESP (XFRM_ESP).
843
844config CRYPTO_GENIV
845	tristate
846	select CRYPTO_AEAD
847	select CRYPTO_NULL
848	select CRYPTO_MANAGER
849	select CRYPTO_RNG_DEFAULT
850
851config CRYPTO_SEQIV
852	tristate "Sequence Number IV Generator"
853	select CRYPTO_GENIV
854	help
855	  Sequence Number IV generator
856
857	  This IV generator generates an IV based on a sequence number by
858	  xoring it with a salt.  This algorithm is mainly useful for CTR.
859
860	  This is required for IPsec ESP (XFRM_ESP).
861
862config CRYPTO_ECHAINIV
863	tristate "Encrypted Chain IV Generator"
864	select CRYPTO_GENIV
865	help
866	  Encrypted Chain IV generator
867
868	  This IV generator generates an IV based on the encryption of
869	  a sequence number xored with a salt.  This is the default
870	  algorithm for CBC.
871
872config CRYPTO_ESSIV
873	tristate "Encrypted Salt-Sector IV Generator"
874	select CRYPTO_AUTHENC
875	help
876	  Encrypted Salt-Sector IV generator
877
878	  This IV generator is used in some cases by fscrypt and/or
879	  dm-crypt. It uses the hash of the block encryption key as the
880	  symmetric key for a block encryption pass applied to the input
881	  IV, making low entropy IV sources more suitable for block
882	  encryption.
883
884	  This driver implements a crypto API template that can be
885	  instantiated either as an skcipher or as an AEAD (depending on the
886	  type of the first template argument), and which defers encryption
887	  and decryption requests to the encapsulated cipher after applying
888	  ESSIV to the input IV. Note that in the AEAD case, it is assumed
889	  that the keys are presented in the same format used by the authenc
890	  template, and that the IV appears at the end of the authenticated
891	  associated data (AAD) region (which is how dm-crypt uses it.)
892
893	  Note that the use of ESSIV is not recommended for new deployments,
894	  and so this only needs to be enabled when interoperability with
895	  existing encrypted volumes of filesystems is required, or when
896	  building for a particular system that requires it (e.g., when
897	  the SoC in question has accelerated CBC but not XTS, making CBC
898	  combined with ESSIV the only feasible mode for h/w accelerated
899	  block encryption)
900
901endmenu
902
903menu "Hashes, digests, and MACs"
904
905config CRYPTO_BLAKE2B
906	tristate "BLAKE2b"
907	select CRYPTO_HASH
908	help
909	  BLAKE2b cryptographic hash function (RFC 7693)
910
911	  BLAKE2b is optimized for 64-bit platforms and can produce digests
912	  of any size between 1 and 64 bytes. The keyed hash is also implemented.
913
914	  This module provides the following algorithms:
915	  - blake2b-160
916	  - blake2b-256
917	  - blake2b-384
918	  - blake2b-512
919
920	  Used by the btrfs filesystem.
921
922	  See https://blake2.net for further information.
923
924config CRYPTO_CMAC
925	tristate "CMAC (Cipher-based MAC)"
926	select CRYPTO_HASH
927	select CRYPTO_MANAGER
928	help
929	  CMAC (Cipher-based Message Authentication Code) authentication
930	  mode (NIST SP800-38B and IETF RFC4493)
931
932config CRYPTO_GHASH
933	tristate "GHASH"
934	select CRYPTO_HASH
935	select CRYPTO_LIB_GF128MUL
936	help
937	  GCM GHASH function (NIST SP800-38D)
938
939config CRYPTO_HMAC
940	tristate "HMAC (Keyed-Hash MAC)"
941	select CRYPTO_HASH
942	select CRYPTO_MANAGER
943	help
944	  HMAC (Keyed-Hash Message Authentication Code) (FIPS 198 and
945	  RFC2104)
946
947	  This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
948
949config CRYPTO_MD4
950	tristate "MD4"
951	select CRYPTO_HASH
952	help
953	  MD4 message digest algorithm (RFC1320)
954
955config CRYPTO_MD5
956	tristate "MD5"
957	select CRYPTO_HASH
958	help
959	  MD5 message digest algorithm (RFC1321)
960
961config CRYPTO_MICHAEL_MIC
962	tristate "Michael MIC"
963	select CRYPTO_HASH
964	help
965	  Michael MIC (Message Integrity Code) (IEEE 802.11i)
966
967	  Defined by the IEEE 802.11i TKIP (Temporal Key Integrity Protocol),
968	  known as WPA (Wif-Fi Protected Access).
969
970	  This algorithm is required for TKIP, but it should not be used for
971	  other purposes because of the weakness of the algorithm.
972
973config CRYPTO_POLYVAL
974	tristate
975	select CRYPTO_HASH
976	select CRYPTO_LIB_GF128MUL
977	help
978	  POLYVAL hash function for HCTR2
979
980	  This is used in HCTR2.  It is not a general-purpose
981	  cryptographic hash function.
982
983config CRYPTO_POLY1305
984	tristate "Poly1305"
985	select CRYPTO_HASH
986	select CRYPTO_LIB_POLY1305_GENERIC
987	help
988	  Poly1305 authenticator algorithm (RFC7539)
989
990	  Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
991	  It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
992	  in IETF protocols. This is the portable C implementation of Poly1305.
993
994config CRYPTO_RMD160
995	tristate "RIPEMD-160"
996	select CRYPTO_HASH
997	help
998	  RIPEMD-160 hash function (ISO/IEC 10118-3)
999
1000	  RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
1001	  to be used as a secure replacement for the 128-bit hash functions
1002	  MD4, MD5 and its predecessor RIPEMD
1003	  (not to be confused with RIPEMD-128).
1004
1005	  Its speed is comparable to SHA-1 and there are no known attacks
1006	  against RIPEMD-160.
1007
1008	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
1009	  See https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
1010	  for further information.
1011
1012config CRYPTO_SHA1
1013	tristate "SHA-1"
1014	select CRYPTO_HASH
1015	select CRYPTO_LIB_SHA1
1016	help
1017	  SHA-1 secure hash algorithm (FIPS 180, ISO/IEC 10118-3)
1018
1019config CRYPTO_SHA256
1020	tristate "SHA-224 and SHA-256"
1021	select CRYPTO_HASH
1022	select CRYPTO_LIB_SHA256
1023	help
1024	  SHA-224 and SHA-256 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
1025
1026	  This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
1027	  Used by the btrfs filesystem, Ceph, NFS, and SMB.
1028
1029config CRYPTO_SHA512
1030	tristate "SHA-384 and SHA-512"
1031	select CRYPTO_HASH
1032	help
1033	  SHA-384 and SHA-512 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
1034
1035config CRYPTO_SHA3
1036	tristate "SHA-3"
1037	select CRYPTO_HASH
1038	help
1039	  SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3)
1040
1041config CRYPTO_SM3
1042	tristate
1043
1044config CRYPTO_SM3_GENERIC
1045	tristate "SM3 (ShangMi 3)"
1046	select CRYPTO_HASH
1047	select CRYPTO_SM3
1048	help
1049	  SM3 (ShangMi 3) secure hash function (OSCCA GM/T 0004-2012, ISO/IEC 10118-3)
1050
1051	  This is part of the Chinese Commercial Cryptography suite.
1052
1053	  References:
1054	  http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
1055	  https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
1056
1057config CRYPTO_STREEBOG
1058	tristate "Streebog"
1059	select CRYPTO_HASH
1060	help
1061	  Streebog Hash Function (GOST R 34.11-2012, RFC 6986, ISO/IEC 10118-3)
1062
1063	  This is one of the Russian cryptographic standard algorithms (called
1064	  GOST algorithms). This setting enables two hash algorithms with
1065	  256 and 512 bits output.
1066
1067	  References:
1068	  https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1069	  https://tools.ietf.org/html/rfc6986
1070
1071config CRYPTO_VMAC
1072	tristate "VMAC"
1073	select CRYPTO_HASH
1074	select CRYPTO_MANAGER
1075	help
1076	  VMAC is a message authentication algorithm designed for
1077	  very high speed on 64-bit architectures.
1078
1079	  See https://fastcrypto.org/vmac for further information.
1080
1081config CRYPTO_WP512
1082	tristate "Whirlpool"
1083	select CRYPTO_HASH
1084	help
1085	  Whirlpool hash function (ISO/IEC 10118-3)
1086
1087	  512, 384 and 256-bit hashes.
1088
1089	  Whirlpool-512 is part of the NESSIE cryptographic primitives.
1090
1091	  See https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
1092	  for further information.
1093
1094config CRYPTO_XCBC
1095	tristate "XCBC-MAC (Extended Cipher Block Chaining MAC)"
1096	select CRYPTO_HASH
1097	select CRYPTO_MANAGER
1098	help
1099	  XCBC-MAC (Extended Cipher Block Chaining Message Authentication
1100	  Code) (RFC3566)
1101
1102config CRYPTO_XXHASH
1103	tristate "xxHash"
1104	select CRYPTO_HASH
1105	select XXHASH
1106	help
1107	  xxHash non-cryptographic hash algorithm
1108
1109	  Extremely fast, working at speeds close to RAM limits.
1110
1111	  Used by the btrfs filesystem.
1112
1113endmenu
1114
1115menu "CRCs (cyclic redundancy checks)"
1116
1117config CRYPTO_CRC32C
1118	tristate "CRC32c"
1119	select CRYPTO_HASH
1120	select CRC32
1121	help
1122	  CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720)
1123
1124	  A 32-bit CRC (cyclic redundancy check) with a polynomial defined
1125	  by G. Castagnoli, S. Braeuer and M. Herrman in "Optimization of Cyclic
1126	  Redundancy-Check Codes with 24 and 32 Parity Bits", IEEE Transactions
1127	  on Communications, Vol. 41, No. 6, June 1993, selected for use with
1128	  iSCSI.
1129
1130	  Used by btrfs, ext4, jbd2, NVMeoF/TCP, and iSCSI.
1131
1132config CRYPTO_CRC32
1133	tristate "CRC32"
1134	select CRYPTO_HASH
1135	select CRC32
1136	help
1137	  CRC32 CRC algorithm (IEEE 802.3)
1138
1139	  Used by RoCEv2 and f2fs.
1140
1141config CRYPTO_CRCT10DIF
1142	tristate "CRCT10DIF"
1143	select CRYPTO_HASH
1144	help
1145	  CRC16 CRC algorithm used for the T10 (SCSI) Data Integrity Field (DIF)
1146
1147	  CRC algorithm used by the SCSI Block Commands standard.
1148
1149config CRYPTO_CRC64_ROCKSOFT
1150	tristate "CRC64 based on Rocksoft Model algorithm"
1151	depends on CRC64
1152	select CRYPTO_HASH
1153	help
1154	  CRC64 CRC algorithm based on the Rocksoft Model CRC Algorithm
1155
1156	  Used by the NVMe implementation of T10 DIF (BLK_DEV_INTEGRITY)
1157
1158	  See https://zlib.net/crc_v3.txt
1159
1160endmenu
1161
1162menu "Compression"
1163
1164config CRYPTO_DEFLATE
1165	tristate "Deflate"
1166	select CRYPTO_ALGAPI
1167	select CRYPTO_ACOMP2
1168	select ZLIB_INFLATE
1169	select ZLIB_DEFLATE
1170	help
1171	  Deflate compression algorithm (RFC1951)
1172
1173	  Used by IPSec with the IPCOMP protocol (RFC3173, RFC2394)
1174
1175config CRYPTO_LZO
1176	tristate "LZO"
1177	select CRYPTO_ALGAPI
1178	select CRYPTO_ACOMP2
1179	select LZO_COMPRESS
1180	select LZO_DECOMPRESS
1181	help
1182	  LZO compression algorithm
1183
1184	  See https://www.oberhumer.com/opensource/lzo/ for further information.
1185
1186config CRYPTO_842
1187	tristate "842"
1188	select CRYPTO_ALGAPI
1189	select CRYPTO_ACOMP2
1190	select 842_COMPRESS
1191	select 842_DECOMPRESS
1192	help
1193	  842 compression algorithm by IBM
1194
1195	  See https://github.com/plauth/lib842 for further information.
1196
1197config CRYPTO_LZ4
1198	tristate "LZ4"
1199	select CRYPTO_ALGAPI
1200	select CRYPTO_ACOMP2
1201	select LZ4_COMPRESS
1202	select LZ4_DECOMPRESS
1203	help
1204	  LZ4 compression algorithm
1205
1206	  See https://github.com/lz4/lz4 for further information.
1207
1208config CRYPTO_LZ4HC
1209	tristate "LZ4HC"
1210	select CRYPTO_ALGAPI
1211	select CRYPTO_ACOMP2
1212	select LZ4HC_COMPRESS
1213	select LZ4_DECOMPRESS
1214	help
1215	  LZ4 high compression mode algorithm
1216
1217	  See https://github.com/lz4/lz4 for further information.
1218
1219config CRYPTO_ZSTD
1220	tristate "Zstd"
1221	select CRYPTO_ALGAPI
1222	select CRYPTO_ACOMP2
1223	select ZSTD_COMPRESS
1224	select ZSTD_DECOMPRESS
1225	help
1226	  zstd compression algorithm
1227
1228	  See https://github.com/facebook/zstd for further information.
1229
1230endmenu
1231
1232menu "Random number generation"
1233
1234config CRYPTO_ANSI_CPRNG
1235	tristate "ANSI PRNG (Pseudo Random Number Generator)"
1236	select CRYPTO_AES
1237	select CRYPTO_RNG
1238	help
1239	  Pseudo RNG (random number generator) (ANSI X9.31 Appendix A.2.4)
1240
1241	  This uses the AES cipher algorithm.
1242
1243	  Note that this option must be enabled if CRYPTO_FIPS is selected
1244
1245menuconfig CRYPTO_DRBG_MENU
1246	tristate "NIST SP800-90A DRBG (Deterministic Random Bit Generator)"
1247	help
1248	  DRBG (Deterministic Random Bit Generator) (NIST SP800-90A)
1249
1250	  In the following submenu, one or more of the DRBG types must be selected.
1251
1252if CRYPTO_DRBG_MENU
1253
1254config CRYPTO_DRBG_HMAC
1255	bool
1256	default y
1257	select CRYPTO_HMAC
1258	select CRYPTO_SHA512
1259
1260config CRYPTO_DRBG_HASH
1261	bool "Hash_DRBG"
1262	select CRYPTO_SHA256
1263	help
1264	  Hash_DRBG variant as defined in NIST SP800-90A.
1265
1266	  This uses the SHA-1, SHA-256, SHA-384, or SHA-512 hash algorithms.
1267
1268config CRYPTO_DRBG_CTR
1269	bool "CTR_DRBG"
1270	select CRYPTO_AES
1271	select CRYPTO_CTR
1272	help
1273	  CTR_DRBG variant as defined in NIST SP800-90A.
1274
1275	  This uses the AES cipher algorithm with the counter block mode.
1276
1277config CRYPTO_DRBG
1278	tristate
1279	default CRYPTO_DRBG_MENU
1280	select CRYPTO_RNG
1281	select CRYPTO_JITTERENTROPY
1282
1283endif	# if CRYPTO_DRBG_MENU
1284
1285config CRYPTO_JITTERENTROPY
1286	tristate "CPU Jitter Non-Deterministic RNG (Random Number Generator)"
1287	select CRYPTO_RNG
1288	select CRYPTO_SHA3
1289	help
1290	  CPU Jitter RNG (Random Number Generator) from the Jitterentropy library
1291
1292	  A non-physical non-deterministic ("true") RNG (e.g., an entropy source
1293	  compliant with NIST SP800-90B) intended to provide a seed to a
1294	  deterministic RNG (e.g.  per NIST SP800-90C).
1295	  This RNG does not perform any cryptographic whitening of the generated
1296
1297	  See https://www.chronox.de/jent.html
1298
1299config CRYPTO_JITTERENTROPY_TESTINTERFACE
1300	bool "CPU Jitter RNG Test Interface"
1301	depends on CRYPTO_JITTERENTROPY
1302	help
1303	  The test interface allows a privileged process to capture
1304	  the raw unconditioned high resolution time stamp noise that
1305	  is collected by the Jitter RNG for statistical analysis. As
1306	  this data is used at the same time to generate random bits,
1307	  the Jitter RNG operates in an insecure mode as long as the
1308	  recording is enabled. This interface therefore is only
1309	  intended for testing purposes and is not suitable for
1310	  production systems.
1311
1312	  The raw noise data can be obtained using the jent_raw_hires
1313	  debugfs file. Using the option
1314	  jitterentropy_testing.boot_raw_hires_test=1 the raw noise of
1315	  the first 1000 entropy events since boot can be sampled.
1316
1317	  If unsure, select N.
1318
1319config CRYPTO_KDF800108_CTR
1320	tristate
1321	select CRYPTO_HMAC
1322	select CRYPTO_SHA256
1323
1324endmenu
1325menu "Userspace interface"
1326
1327config CRYPTO_USER_API
1328	tristate
1329
1330config CRYPTO_USER_API_HASH
1331	tristate "Hash algorithms"
1332	depends on NET
1333	select CRYPTO_HASH
1334	select CRYPTO_USER_API
1335	help
1336	  Enable the userspace interface for hash algorithms.
1337
1338	  See Documentation/crypto/userspace-if.rst and
1339	  https://www.chronox.de/libkcapi/html/index.html
1340
1341config CRYPTO_USER_API_SKCIPHER
1342	tristate "Symmetric key cipher algorithms"
1343	depends on NET
1344	select CRYPTO_SKCIPHER
1345	select CRYPTO_USER_API
1346	help
1347	  Enable the userspace interface for symmetric key cipher algorithms.
1348
1349	  See Documentation/crypto/userspace-if.rst and
1350	  https://www.chronox.de/libkcapi/html/index.html
1351
1352config CRYPTO_USER_API_RNG
1353	tristate "RNG (random number generator) algorithms"
1354	depends on NET
1355	select CRYPTO_RNG
1356	select CRYPTO_USER_API
1357	help
1358	  Enable the userspace interface for RNG (random number generator)
1359	  algorithms.
1360
1361	  See Documentation/crypto/userspace-if.rst and
1362	  https://www.chronox.de/libkcapi/html/index.html
1363
1364config CRYPTO_USER_API_RNG_CAVP
1365	bool "Enable CAVP testing of DRBG"
1366	depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
1367	help
1368	  Enable extra APIs in the userspace interface for NIST CAVP
1369	  (Cryptographic Algorithm Validation Program) testing:
1370	  - resetting DRBG entropy
1371	  - providing Additional Data
1372
1373	  This should only be enabled for CAVP testing. You should say
1374	  no unless you know what this is.
1375
1376config CRYPTO_USER_API_AEAD
1377	tristate "AEAD cipher algorithms"
1378	depends on NET
1379	select CRYPTO_AEAD
1380	select CRYPTO_SKCIPHER
1381	select CRYPTO_NULL
1382	select CRYPTO_USER_API
1383	help
1384	  Enable the userspace interface for AEAD cipher algorithms.
1385
1386	  See Documentation/crypto/userspace-if.rst and
1387	  https://www.chronox.de/libkcapi/html/index.html
1388
1389config CRYPTO_USER_API_ENABLE_OBSOLETE
1390	bool "Obsolete cryptographic algorithms"
1391	depends on CRYPTO_USER_API
1392	default y
1393	help
1394	  Allow obsolete cryptographic algorithms to be selected that have
1395	  already been phased out from internal use by the kernel, and are
1396	  only useful for userspace clients that still rely on them.
1397
1398config CRYPTO_STATS
1399	bool "Crypto usage statistics"
1400	depends on CRYPTO_USER
1401	help
1402	  Enable the gathering of crypto stats.
1403
1404	  Enabling this option reduces the performance of the crypto API.  It
1405	  should only be enabled when there is actually a use case for it.
1406
1407	  This collects data sizes, numbers of requests, and numbers
1408	  of errors processed by:
1409	  - AEAD ciphers (encrypt, decrypt)
1410	  - asymmetric key ciphers (encrypt, decrypt, verify, sign)
1411	  - symmetric key ciphers (encrypt, decrypt)
1412	  - compression algorithms (compress, decompress)
1413	  - hash algorithms (hash)
1414	  - key-agreement protocol primitives (setsecret, generate
1415	    public key, compute shared secret)
1416	  - RNG (generate, seed)
1417
1418endmenu
1419
1420config CRYPTO_HASH_INFO
1421	bool
1422
1423if !KMSAN # avoid false positives from assembly
1424if ARM
1425source "arch/arm/crypto/Kconfig"
1426endif
1427if ARM64
1428source "arch/arm64/crypto/Kconfig"
1429endif
1430if LOONGARCH
1431source "arch/loongarch/crypto/Kconfig"
1432endif
1433if MIPS
1434source "arch/mips/crypto/Kconfig"
1435endif
1436if PPC
1437source "arch/powerpc/crypto/Kconfig"
1438endif
1439if S390
1440source "arch/s390/crypto/Kconfig"
1441endif
1442if SPARC
1443source "arch/sparc/crypto/Kconfig"
1444endif
1445if X86
1446source "arch/x86/crypto/Kconfig"
1447endif
1448endif
1449
1450source "drivers/crypto/Kconfig"
1451source "crypto/asymmetric_keys/Kconfig"
1452source "certs/Kconfig"
1453
1454endif	# if CRYPTO
1455