1# SPDX-License-Identifier: GPL-2.0-only
2#
3# XFRM configuration
4#
5config XFRM
6	bool
7	depends on INET
8	select GRO_CELLS
9	select SKB_EXTENSIONS
10
11config XFRM_OFFLOAD
12	bool
13
14config XFRM_ALGO
15	tristate
16	select XFRM
17	select CRYPTO
18	select CRYPTO_HASH
19	select CRYPTO_SKCIPHER
20
21if INET
22config XFRM_USER
23	tristate "Transformation user configuration interface"
24	select XFRM_ALGO
25	help
26	  Support for Transformation(XFRM) user configuration interface
27	  like IPsec used by native Linux tools.
28
29	  If unsure, say Y.
30
31config XFRM_USER_COMPAT
32	tristate "Compatible ABI support"
33	depends on XFRM_USER && COMPAT_FOR_U64_ALIGNMENT && \
34		HAVE_EFFICIENT_UNALIGNED_ACCESS
35	select WANT_COMPAT_NETLINK_MESSAGES
36	help
37	  Transformation(XFRM) user configuration interface like IPsec
38	  used by compatible Linux applications.
39
40	  If unsure, say N.
41
42config XFRM_INTERFACE
43	tristate "Transformation virtual interface"
44	depends on XFRM && IPV6
45	help
46	  This provides a virtual interface to route IPsec traffic.
47
48	  If unsure, say N.
49
50config XFRM_SUB_POLICY
51	bool "Transformation sub policy support"
52	depends on XFRM
53	help
54	  Support sub policy for developers. By using sub policy with main
55	  one, two policies can be applied to the same packet at once.
56	  Policy which lives shorter time in kernel should be a sub.
57
58	  If unsure, say N.
59
60config XFRM_MIGRATE
61	bool "Transformation migrate database"
62	depends on XFRM
63	help
64	  A feature to update locator(s) of a given IPsec security
65	  association dynamically.  This feature is required, for
66	  instance, in a Mobile IPv6 environment with IPsec configuration
67	  where mobile nodes change their attachment point to the Internet.
68
69	  If unsure, say N.
70
71config XFRM_STATISTICS
72	bool "Transformation statistics"
73	depends on XFRM && PROC_FS
74	help
75	  This statistics is not a SNMP/MIB specification but shows
76	  statistics about transformation error (or almost error) factor
77	  at packet processing for developer.
78
79	  If unsure, say N.
80
81# This option selects XFRM_ALGO along with the AH authentication algorithms that
82# RFC 8221 lists as MUST be implemented.
83config XFRM_AH
84	tristate
85	select XFRM_ALGO
86	select CRYPTO
87	select CRYPTO_HMAC
88	select CRYPTO_SHA256
89
90# This option selects XFRM_ALGO along with the ESP encryption and authentication
91# algorithms that RFC 8221 lists as MUST be implemented.
92config XFRM_ESP
93	tristate
94	select XFRM_ALGO
95	select CRYPTO
96	select CRYPTO_AES
97	select CRYPTO_AUTHENC
98	select CRYPTO_CBC
99	select CRYPTO_ECHAINIV
100	select CRYPTO_GCM
101	select CRYPTO_HMAC
102	select CRYPTO_SEQIV
103	select CRYPTO_SHA256
104
105config XFRM_IPCOMP
106	tristate
107	select XFRM_ALGO
108	select CRYPTO
109	select CRYPTO_DEFLATE
110
111config NET_KEY
112	tristate "PF_KEY sockets"
113	select XFRM_ALGO
114	help
115	  PF_KEYv2 socket family, compatible to KAME ones.
116	  They are required if you are going to use IPsec tools ported
117	  from KAME.
118
119	  Say Y unless you know what you are doing.
120
121config NET_KEY_MIGRATE
122	bool "PF_KEY MIGRATE"
123	depends on NET_KEY
124	select XFRM_MIGRATE
125	help
126	  Add a PF_KEY MIGRATE message to PF_KEYv2 socket family.
127	  The PF_KEY MIGRATE message is used to dynamically update
128	  locator(s) of a given IPsec security association.
129	  This feature is required, for instance, in a Mobile IPv6
130	  environment with IPsec configuration where mobile nodes
131	  change their attachment point to the Internet.  Detail
132	  information can be found in the internet-draft
133	  <draft-sugimoto-mip6-pfkey-migrate>.
134
135	  If unsure, say N.
136
137config XFRM_ESPINTCP
138	bool
139
140endif # INET
141