1 # SPDX-License-Identifier: GPL-2.0
3 # Generic algorithms support
9 # async_tx api: hardware offloaded memory transfer/transform support
11 source "crypto/async_tx/Kconfig"
14 # Cryptographic API Configuration
17 tristate "Cryptographic API"
19 This option provides the core Cryptographic API.
23 comment "Crypto core or helper"
26 bool "FIPS 200 compliance"
27 depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
28 depends on (MODULE_SIG || !MODULES)
30 This option enables the fips boot option which is
31 required if you want the system to operate in a FIPS 200
32 certification. You should say no unless you know what
39 This option provides the API for cryptographic algorithms.
55 config CRYPTO_SKCIPHER
57 select CRYPTO_SKCIPHER2
60 config CRYPTO_SKCIPHER2
83 config CRYPTO_RNG_DEFAULT
85 select CRYPTO_DRBG_MENU
87 config CRYPTO_AKCIPHER2
91 config CRYPTO_AKCIPHER
93 select CRYPTO_AKCIPHER2
107 select CRYPTO_ALGAPI2
115 config CRYPTO_MANAGER
116 tristate "Cryptographic algorithm manager"
117 select CRYPTO_MANAGER2
119 Create default cryptographic template instantiations such as
122 config CRYPTO_MANAGER2
123 def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
126 select CRYPTO_SKCIPHER2
127 select CRYPTO_AKCIPHER2
132 tristate "Userspace cryptographic algorithm configuration"
134 select CRYPTO_MANAGER
136 Userspace configuration for cryptographic instantiations such as
141 config CRYPTO_MANAGER_DISABLE_TESTS
142 bool "Disable run-time self tests"
145 Disable run-time self tests that normally take place at
146 algorithm registration.
148 config CRYPTO_MANAGER_EXTRA_TESTS
149 bool "Enable extra run-time crypto self tests"
150 depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS
152 Enable extra run-time self tests of registered crypto algorithms,
153 including randomized fuzz tests.
155 This is intended for developer use only, as these tests take much
156 longer to run than the normal self tests.
158 endif # if CRYPTO_MANAGER2
160 config CRYPTO_GF128MUL
164 tristate "Null algorithms"
167 These are 'Null' algorithms, used by IPsec, which do nothing.
171 select CRYPTO_ALGAPI2
172 select CRYPTO_SKCIPHER2
176 tristate "Parallel crypto engine"
179 select CRYPTO_MANAGER
182 This converts an arbitrary crypto algorithm into a parallel
183 algorithm that executes in kernel threads.
186 tristate "Software async crypto daemon"
187 select CRYPTO_SKCIPHER
189 select CRYPTO_MANAGER
191 This is a generic software asynchronous crypto daemon that
192 converts an arbitrary synchronous software crypto algorithm
193 into an asynchronous algorithm that executes in a kernel thread.
195 config CRYPTO_AUTHENC
196 tristate "Authenc support"
198 select CRYPTO_SKCIPHER
199 select CRYPTO_MANAGER
203 Authenc: Combined mode wrapper for IPsec.
204 This is required for IPSec.
207 tristate "Testing module"
209 select CRYPTO_MANAGER
211 Quick & dirty crypto test module.
217 config CRYPTO_GLUE_HELPER_X86
220 select CRYPTO_SKCIPHER
225 comment "Public-key cryptography"
228 tristate "RSA algorithm"
229 select CRYPTO_AKCIPHER
230 select CRYPTO_MANAGER
234 Generic implementation of the RSA public key algorithm.
237 tristate "Diffie-Hellman algorithm"
241 Generic implementation of the Diffie-Hellman algorithm.
247 tristate "ECDH algorithm"
250 select CRYPTO_RNG_DEFAULT
252 Generic implementation of the ECDH algorithm
255 tristate "EC-RDSA (GOST 34.10) algorithm"
257 select CRYPTO_AKCIPHER
258 select CRYPTO_STREEBOG
262 Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
263 RFC 7091, ISO/IEC 14888-3:2018) is one of the Russian cryptographic
264 standard algorithms (called GOST algorithms). Only signature verification
267 config CRYPTO_CURVE25519
268 tristate "Curve25519 algorithm"
270 select CRYPTO_LIB_CURVE25519_GENERIC
272 config CRYPTO_CURVE25519_X86
273 tristate "x86_64 accelerated Curve25519 scalar multiplication library"
274 depends on X86 && 64BIT
275 select CRYPTO_LIB_CURVE25519_GENERIC
276 select CRYPTO_ARCH_HAVE_LIB_CURVE25519
278 comment "Authenticated Encryption with Associated Data"
281 tristate "CCM support"
285 select CRYPTO_MANAGER
287 Support for Counter with CBC MAC. Required for IPsec.
290 tristate "GCM/GMAC support"
295 select CRYPTO_MANAGER
297 Support for Galois/Counter Mode (GCM) and Galois Message
298 Authentication Code (GMAC). Required for IPSec.
300 config CRYPTO_CHACHA20POLY1305
301 tristate "ChaCha20-Poly1305 AEAD support"
302 select CRYPTO_CHACHA20
303 select CRYPTO_POLY1305
305 select CRYPTO_MANAGER
307 ChaCha20-Poly1305 AEAD support, RFC7539.
309 Support for the AEAD wrapper using the ChaCha20 stream cipher combined
310 with the Poly1305 authenticator. It is defined in RFC7539 for use in
313 config CRYPTO_AEGIS128
314 tristate "AEGIS-128 AEAD algorithm"
316 select CRYPTO_AES # for AES S-box tables
318 Support for the AEGIS-128 dedicated AEAD algorithm.
320 config CRYPTO_AEGIS128_SIMD
321 bool "Support SIMD acceleration for AEGIS-128"
322 depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
323 depends on !ARM || CC_IS_CLANG || GCC_VERSION >= 40800
326 config CRYPTO_AEGIS128_AESNI_SSE2
327 tristate "AEGIS-128 AEAD algorithm (x86_64 AESNI+SSE2 implementation)"
328 depends on X86 && 64BIT
332 AESNI+SSE2 implementation of the AEGIS-128 dedicated AEAD algorithm.
335 tristate "Sequence Number IV Generator"
337 select CRYPTO_SKCIPHER
339 select CRYPTO_RNG_DEFAULT
340 select CRYPTO_MANAGER
342 This IV generator generates an IV based on a sequence number by
343 xoring it with a salt. This algorithm is mainly useful for CTR
345 config CRYPTO_ECHAINIV
346 tristate "Encrypted Chain IV Generator"
349 select CRYPTO_RNG_DEFAULT
350 select CRYPTO_MANAGER
352 This IV generator generates an IV based on the encryption of
353 a sequence number xored with a salt. This is the default
356 comment "Block modes"
359 tristate "CBC support"
360 select CRYPTO_SKCIPHER
361 select CRYPTO_MANAGER
363 CBC: Cipher Block Chaining mode
364 This block cipher algorithm is required for IPSec.
367 tristate "CFB support"
368 select CRYPTO_SKCIPHER
369 select CRYPTO_MANAGER
371 CFB: Cipher FeedBack mode
372 This block cipher algorithm is required for TPM2 Cryptography.
375 tristate "CTR support"
376 select CRYPTO_SKCIPHER
378 select CRYPTO_MANAGER
381 This block cipher algorithm is required for IPSec.
384 tristate "CTS support"
385 select CRYPTO_SKCIPHER
386 select CRYPTO_MANAGER
388 CTS: Cipher Text Stealing
389 This is the Cipher Text Stealing mode as described by
390 Section 8 of rfc2040 and referenced by rfc3962
391 (rfc3962 includes errata information in its Appendix A) or
392 CBC-CS3 as defined by NIST in Sp800-38A addendum from Oct 2010.
393 This mode is required for Kerberos gss mechanism support
396 See: https://csrc.nist.gov/publications/detail/sp/800-38a/addendum/final
399 tristate "ECB support"
400 select CRYPTO_SKCIPHER
401 select CRYPTO_MANAGER
403 ECB: Electronic CodeBook mode
404 This is the simplest block cipher algorithm. It simply encrypts
405 the input block by block.
408 tristate "LRW support"
409 select CRYPTO_SKCIPHER
410 select CRYPTO_MANAGER
411 select CRYPTO_GF128MUL
413 LRW: Liskov Rivest Wagner, a tweakable, non malleable, non movable
414 narrow block cipher mode for dm-crypt. Use it with cipher
415 specification string aes-lrw-benbi, the key must be 256, 320 or 384.
416 The first 128, 192 or 256 bits in the key are used for AES and the
417 rest is used to tie each cipher block to its logical position.
420 tristate "OFB support"
421 select CRYPTO_SKCIPHER
422 select CRYPTO_MANAGER
424 OFB: the Output Feedback mode makes a block cipher into a synchronous
425 stream cipher. It generates keystream blocks, which are then XORed
426 with the plaintext blocks to get the ciphertext. Flipping a bit in the
427 ciphertext produces a flipped bit in the plaintext at the same
428 location. This property allows many error correcting codes to function
429 normally even when applied before encryption.
432 tristate "PCBC support"
433 select CRYPTO_SKCIPHER
434 select CRYPTO_MANAGER
436 PCBC: Propagating Cipher Block Chaining mode
437 This block cipher algorithm is required for RxRPC.
440 tristate "XTS support"
441 select CRYPTO_SKCIPHER
442 select CRYPTO_MANAGER
445 XTS: IEEE1619/D16 narrow block cipher use with aes-xts-plain,
446 key size 256, 384 or 512 bits. This implementation currently
447 can't handle a sectorsize which is not a multiple of 16 bytes.
449 config CRYPTO_KEYWRAP
450 tristate "Key wrapping support"
451 select CRYPTO_SKCIPHER
452 select CRYPTO_MANAGER
454 Support for key wrapping (NIST SP800-38F / RFC3394) without
457 config CRYPTO_NHPOLY1305
460 select CRYPTO_LIB_POLY1305_GENERIC
462 config CRYPTO_NHPOLY1305_SSE2
463 tristate "NHPoly1305 hash function (x86_64 SSE2 implementation)"
464 depends on X86 && 64BIT
465 select CRYPTO_NHPOLY1305
467 SSE2 optimized implementation of the hash function used by the
468 Adiantum encryption mode.
470 config CRYPTO_NHPOLY1305_AVX2
471 tristate "NHPoly1305 hash function (x86_64 AVX2 implementation)"
472 depends on X86 && 64BIT
473 select CRYPTO_NHPOLY1305
475 AVX2 optimized implementation of the hash function used by the
476 Adiantum encryption mode.
478 config CRYPTO_ADIANTUM
479 tristate "Adiantum support"
480 select CRYPTO_CHACHA20
481 select CRYPTO_LIB_POLY1305_GENERIC
482 select CRYPTO_NHPOLY1305
483 select CRYPTO_MANAGER
485 Adiantum is a tweakable, length-preserving encryption mode
486 designed for fast and secure disk encryption, especially on
487 CPUs without dedicated crypto instructions. It encrypts
488 each sector using the XChaCha12 stream cipher, two passes of
489 an ε-almost-∆-universal hash function, and an invocation of
490 the AES-256 block cipher on a single 16-byte block. On CPUs
491 without AES instructions, Adiantum is much faster than
494 Adiantum's security is provably reducible to that of its
495 underlying stream and block ciphers, subject to a security
496 bound. Unlike XTS, Adiantum is a true wide-block encryption
497 mode, so it actually provides an even stronger notion of
498 security than XTS, subject to the security bound.
503 tristate "ESSIV support for block encryption"
504 select CRYPTO_AUTHENC
506 Encrypted salt-sector initialization vector (ESSIV) is an IV
507 generation method that is used in some cases by fscrypt and/or
508 dm-crypt. It uses the hash of the block encryption key as the
509 symmetric key for a block encryption pass applied to the input
510 IV, making low entropy IV sources more suitable for block
513 This driver implements a crypto API template that can be
514 instantiated either as an skcipher or as an AEAD (depending on the
515 type of the first template argument), and which defers encryption
516 and decryption requests to the encapsulated cipher after applying
517 ESSIV to the input IV. Note that in the AEAD case, it is assumed
518 that the keys are presented in the same format used by the authenc
519 template, and that the IV appears at the end of the authenticated
520 associated data (AAD) region (which is how dm-crypt uses it.)
522 Note that the use of ESSIV is not recommended for new deployments,
523 and so this only needs to be enabled when interoperability with
524 existing encrypted volumes of filesystems is required, or when
525 building for a particular system that requires it (e.g., when
526 the SoC in question has accelerated CBC but not XTS, making CBC
527 combined with ESSIV the only feasible mode for h/w accelerated
533 tristate "CMAC support"
535 select CRYPTO_MANAGER
537 Cipher-based Message Authentication Code (CMAC) specified by
538 The National Institute of Standards and Technology (NIST).
540 https://tools.ietf.org/html/rfc4493
541 http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf
544 tristate "HMAC support"
546 select CRYPTO_MANAGER
548 HMAC: Keyed-Hashing for Message Authentication (RFC2104).
549 This is required for IPSec.
552 tristate "XCBC support"
554 select CRYPTO_MANAGER
556 XCBC: Keyed-Hashing with encryption algorithm
557 http://www.ietf.org/rfc/rfc3566.txt
558 http://csrc.nist.gov/encryption/modes/proposedmodes/
559 xcbc-mac/xcbc-mac-spec.pdf
562 tristate "VMAC support"
564 select CRYPTO_MANAGER
566 VMAC is a message authentication algorithm designed for
567 very high speed on 64-bit architectures.
570 <http://fastcrypto.org/vmac>
575 tristate "CRC32c CRC algorithm"
579 Castagnoli, et al Cyclic Redundancy-Check Algorithm. Used
580 by iSCSI for header and data digests and by others.
581 See Castagnoli93. Module will be crc32c.
583 config CRYPTO_CRC32C_INTEL
584 tristate "CRC32c INTEL hardware acceleration"
588 In Intel processor with SSE4.2 supported, the processor will
589 support CRC32C implementation using hardware accelerated CRC32
590 instruction. This option will create 'crc32c-intel' module,
591 which will enable any routine to use the CRC32 instruction to
592 gain performance compared with software implementation.
593 Module will be crc32c-intel.
595 config CRYPTO_CRC32C_VPMSUM
596 tristate "CRC32c CRC algorithm (powerpc64)"
597 depends on PPC64 && ALTIVEC
601 CRC32c algorithm implemented using vector polynomial multiply-sum
602 (vpmsum) instructions, introduced in POWER8. Enable on POWER8
603 and newer processors for improved performance.
606 config CRYPTO_CRC32C_SPARC64
607 tristate "CRC32c CRC algorithm (SPARC64)"
612 CRC32c CRC algorithm implemented using sparc64 crypto instructions,
616 tristate "CRC32 CRC algorithm"
620 CRC-32-IEEE 802.3 cyclic redundancy-check algorithm.
621 Shash crypto api wrappers to crc32_le function.
623 config CRYPTO_CRC32_PCLMUL
624 tristate "CRC32 PCLMULQDQ hardware acceleration"
629 From Intel Westmere and AMD Bulldozer processor with SSE4.2
630 and PCLMULQDQ supported, the processor will support
631 CRC32 PCLMULQDQ implementation using hardware accelerated PCLMULQDQ
632 instruction. This option will create 'crc32-pclmul' module,
633 which will enable any routine to use the CRC-32-IEEE 802.3 checksum
634 and gain better performance as compared with the table implementation.
636 config CRYPTO_CRC32_MIPS
637 tristate "CRC32c and CRC32 CRC algorithm (MIPS)"
638 depends on MIPS_CRC_SUPPORT
641 CRC32c and CRC32 CRC algorithms implemented using mips crypto
642 instructions, when available.
646 tristate "xxHash hash algorithm"
650 xxHash non-cryptographic hash algorithm. Extremely fast, working at
651 speeds close to RAM limits.
653 config CRYPTO_BLAKE2B
654 tristate "BLAKE2b digest algorithm"
657 Implementation of cryptographic hash function BLAKE2b (or just BLAKE2),
658 optimized for 64bit platforms and can produce digests of any size
659 between 1 to 64. The keyed hash is also implemented.
661 This module provides the following algorithms:
668 See https://blake2.net for further information.
670 config CRYPTO_BLAKE2S
671 tristate "BLAKE2s digest algorithm"
672 select CRYPTO_LIB_BLAKE2S_GENERIC
675 Implementation of cryptographic hash function BLAKE2s
676 optimized for 8-32bit platforms and can produce digests of any size
677 between 1 to 32. The keyed hash is also implemented.
679 This module provides the following algorithms:
686 See https://blake2.net for further information.
688 config CRYPTO_BLAKE2S_X86
689 tristate "BLAKE2s digest algorithm (x86 accelerated version)"
690 depends on X86 && 64BIT
691 select CRYPTO_LIB_BLAKE2S_GENERIC
692 select CRYPTO_ARCH_HAVE_LIB_BLAKE2S
694 config CRYPTO_CRCT10DIF
695 tristate "CRCT10DIF algorithm"
698 CRC T10 Data Integrity Field computation is being cast as
699 a crypto transform. This allows for faster crc t10 diff
700 transforms to be used if they are available.
702 config CRYPTO_CRCT10DIF_PCLMUL
703 tristate "CRCT10DIF PCLMULQDQ hardware acceleration"
704 depends on X86 && 64BIT && CRC_T10DIF
707 For x86_64 processors with SSE4.2 and PCLMULQDQ supported,
708 CRC T10 DIF PCLMULQDQ computation can be hardware
709 accelerated PCLMULQDQ instruction. This option will create
710 'crct10dif-pclmul' module, which is faster when computing the
711 crct10dif checksum as compared with the generic table implementation.
713 config CRYPTO_CRCT10DIF_VPMSUM
714 tristate "CRC32T10DIF powerpc64 hardware acceleration"
715 depends on PPC64 && ALTIVEC && CRC_T10DIF
718 CRC10T10DIF algorithm implemented using vector polynomial
719 multiply-sum (vpmsum) instructions, introduced in POWER8. Enable on
720 POWER8 and newer processors for improved performance.
722 config CRYPTO_VPMSUM_TESTER
723 tristate "Powerpc64 vpmsum hardware acceleration tester"
724 depends on CRYPTO_CRCT10DIF_VPMSUM && CRYPTO_CRC32C_VPMSUM
726 Stress test for CRC32c and CRC-T10DIF algorithms implemented with
727 POWER8 vpmsum instructions.
728 Unless you are testing these algorithms, you don't need this.
731 tristate "GHASH hash function"
732 select CRYPTO_GF128MUL
735 GHASH is the hash function used in GCM (Galois/Counter Mode).
736 It is not a general-purpose cryptographic hash function.
738 config CRYPTO_POLY1305
739 tristate "Poly1305 authenticator algorithm"
741 select CRYPTO_LIB_POLY1305_GENERIC
743 Poly1305 authenticator algorithm, RFC7539.
745 Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
746 It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
747 in IETF protocols. This is the portable C implementation of Poly1305.
749 config CRYPTO_POLY1305_X86_64
750 tristate "Poly1305 authenticator algorithm (x86_64/SSE2/AVX2)"
751 depends on X86 && 64BIT
752 select CRYPTO_LIB_POLY1305_GENERIC
753 select CRYPTO_ARCH_HAVE_LIB_POLY1305
755 Poly1305 authenticator algorithm, RFC7539.
757 Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
758 It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
759 in IETF protocols. This is the x86_64 assembler implementation using SIMD
762 config CRYPTO_POLY1305_MIPS
763 tristate "Poly1305 authenticator algorithm (MIPS optimized)"
764 depends on CPU_MIPS32 || (CPU_MIPS64 && 64BIT)
765 select CRYPTO_ARCH_HAVE_LIB_POLY1305
768 tristate "MD4 digest algorithm"
771 MD4 message digest algorithm (RFC1320).
774 tristate "MD5 digest algorithm"
777 MD5 message digest algorithm (RFC1321).
779 config CRYPTO_MD5_OCTEON
780 tristate "MD5 digest algorithm (OCTEON)"
781 depends on CPU_CAVIUM_OCTEON
785 MD5 message digest algorithm (RFC1321) implemented
786 using OCTEON crypto instructions, when available.
788 config CRYPTO_MD5_PPC
789 tristate "MD5 digest algorithm (PPC)"
793 MD5 message digest algorithm (RFC1321) implemented
796 config CRYPTO_MD5_SPARC64
797 tristate "MD5 digest algorithm (SPARC64)"
802 MD5 message digest algorithm (RFC1321) implemented
803 using sparc64 crypto instructions, when available.
805 config CRYPTO_MICHAEL_MIC
806 tristate "Michael MIC keyed digest algorithm"
809 Michael MIC is used for message integrity protection in TKIP
810 (IEEE 802.11i). This algorithm is required for TKIP, but it
811 should not be used for other purposes because of the weakness
815 tristate "RIPEMD-128 digest algorithm"
818 RIPEMD-128 (ISO/IEC 10118-3:2004).
820 RIPEMD-128 is a 128-bit cryptographic hash function. It should only
821 be used as a secure replacement for RIPEMD. For other use cases,
822 RIPEMD-160 should be used.
824 Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
825 See <http://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
828 tristate "RIPEMD-160 digest algorithm"
831 RIPEMD-160 (ISO/IEC 10118-3:2004).
833 RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
834 to be used as a secure replacement for the 128-bit hash functions
835 MD4, MD5 and it's predecessor RIPEMD
836 (not to be confused with RIPEMD-128).
838 It's speed is comparable to SHA1 and there are no known attacks
841 Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
842 See <http://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
845 tristate "RIPEMD-256 digest algorithm"
848 RIPEMD-256 is an optional extension of RIPEMD-128 with a
849 256 bit hash. It is intended for applications that require
850 longer hash-results, without needing a larger security level
853 Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
854 See <http://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
857 tristate "RIPEMD-320 digest algorithm"
860 RIPEMD-320 is an optional extension of RIPEMD-160 with a
861 320 bit hash. It is intended for applications that require
862 longer hash-results, without needing a larger security level
865 Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
866 See <http://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
869 tristate "SHA1 digest algorithm"
872 SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2).
874 config CRYPTO_SHA1_SSSE3
875 tristate "SHA1 digest algorithm (SSSE3/AVX/AVX2/SHA-NI)"
876 depends on X86 && 64BIT
880 SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
881 using Supplemental SSE3 (SSSE3) instructions or Advanced Vector
882 Extensions (AVX/AVX2) or SHA-NI(SHA Extensions New Instructions),
885 config CRYPTO_SHA256_SSSE3
886 tristate "SHA256 digest algorithm (SSSE3/AVX/AVX2/SHA-NI)"
887 depends on X86 && 64BIT
891 SHA-256 secure hash standard (DFIPS 180-2) implemented
892 using Supplemental SSE3 (SSSE3) instructions, or Advanced Vector
893 Extensions version 1 (AVX1), or Advanced Vector Extensions
894 version 2 (AVX2) instructions, or SHA-NI (SHA Extensions New
895 Instructions) when available.
897 config CRYPTO_SHA512_SSSE3
898 tristate "SHA512 digest algorithm (SSSE3/AVX/AVX2)"
899 depends on X86 && 64BIT
903 SHA-512 secure hash standard (DFIPS 180-2) implemented
904 using Supplemental SSE3 (SSSE3) instructions, or Advanced Vector
905 Extensions version 1 (AVX1), or Advanced Vector Extensions
906 version 2 (AVX2) instructions, when available.
908 config CRYPTO_SHA1_OCTEON
909 tristate "SHA1 digest algorithm (OCTEON)"
910 depends on CPU_CAVIUM_OCTEON
914 SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
915 using OCTEON crypto instructions, when available.
917 config CRYPTO_SHA1_SPARC64
918 tristate "SHA1 digest algorithm (SPARC64)"
923 SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
924 using sparc64 crypto instructions, when available.
926 config CRYPTO_SHA1_PPC
927 tristate "SHA1 digest algorithm (powerpc)"
930 This is the powerpc hardware accelerated implementation of the
931 SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2).
933 config CRYPTO_SHA1_PPC_SPE
934 tristate "SHA1 digest algorithm (PPC SPE)"
935 depends on PPC && SPE
937 SHA-1 secure hash standard (DFIPS 180-4) implemented
938 using powerpc SPE SIMD instruction set.
941 tristate "SHA224 and SHA256 digest algorithm"
943 select CRYPTO_LIB_SHA256
945 SHA256 secure hash standard (DFIPS 180-2).
947 This version of SHA implements a 256 bit hash with 128 bits of
948 security against collision attacks.
950 This code also includes SHA-224, a 224 bit hash with 112 bits
951 of security against collision attacks.
953 config CRYPTO_SHA256_PPC_SPE
954 tristate "SHA224 and SHA256 digest algorithm (PPC SPE)"
955 depends on PPC && SPE
959 SHA224 and SHA256 secure hash standard (DFIPS 180-2)
960 implemented using powerpc SPE SIMD instruction set.
962 config CRYPTO_SHA256_OCTEON
963 tristate "SHA224 and SHA256 digest algorithm (OCTEON)"
964 depends on CPU_CAVIUM_OCTEON
968 SHA-256 secure hash standard (DFIPS 180-2) implemented
969 using OCTEON crypto instructions, when available.
971 config CRYPTO_SHA256_SPARC64
972 tristate "SHA224 and SHA256 digest algorithm (SPARC64)"
977 SHA-256 secure hash standard (DFIPS 180-2) implemented
978 using sparc64 crypto instructions, when available.
981 tristate "SHA384 and SHA512 digest algorithms"
984 SHA512 secure hash standard (DFIPS 180-2).
986 This version of SHA implements a 512 bit hash with 256 bits of
987 security against collision attacks.
989 This code also includes SHA-384, a 384 bit hash with 192 bits
990 of security against collision attacks.
992 config CRYPTO_SHA512_OCTEON
993 tristate "SHA384 and SHA512 digest algorithms (OCTEON)"
994 depends on CPU_CAVIUM_OCTEON
998 SHA-512 secure hash standard (DFIPS 180-2) implemented
999 using OCTEON crypto instructions, when available.
1001 config CRYPTO_SHA512_SPARC64
1002 tristate "SHA384 and SHA512 digest algorithm (SPARC64)"
1004 select CRYPTO_SHA512
1007 SHA-512 secure hash standard (DFIPS 180-2) implemented
1008 using sparc64 crypto instructions, when available.
1011 tristate "SHA3 digest algorithm"
1014 SHA-3 secure hash standard (DFIPS 202). It's based on
1015 cryptographic sponge function family called Keccak.
1018 http://keccak.noekeon.org/
1021 tristate "SM3 digest algorithm"
1024 SM3 secure hash function as defined by OSCCA GM/T 0004-2012 SM3).
1025 It is part of the Chinese Commercial Cryptography suite.
1028 http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
1029 https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
1031 config CRYPTO_STREEBOG
1032 tristate "Streebog Hash Function"
1035 Streebog Hash Function (GOST R 34.11-2012, RFC 6986) is one of the Russian
1036 cryptographic standard algorithms (called GOST algorithms).
1037 This setting enables two hash algorithms with 256 and 512 bits output.
1040 https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1041 https://tools.ietf.org/html/rfc6986
1043 config CRYPTO_TGR192
1044 tristate "Tiger digest algorithms"
1047 Tiger hash algorithm 192, 160 and 128-bit hashes
1049 Tiger is a hash function optimized for 64-bit processors while
1050 still having decent performance on 32-bit processors.
1051 Tiger was developed by Ross Anderson and Eli Biham.
1054 <http://www.cs.technion.ac.il/~biham/Reports/Tiger/>.
1057 tristate "Whirlpool digest algorithms"
1060 Whirlpool hash algorithm 512, 384 and 256-bit hashes
1062 Whirlpool-512 is part of the NESSIE cryptographic primitives.
1063 Whirlpool will be part of the ISO/IEC 10118-3:2003(E) standard
1066 <http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html>
1068 config CRYPTO_GHASH_CLMUL_NI_INTEL
1069 tristate "GHASH hash function (CLMUL-NI accelerated)"
1070 depends on X86 && 64BIT
1071 select CRYPTO_CRYPTD
1073 This is the x86_64 CLMUL-NI accelerated implementation of
1074 GHASH, the hash function used in GCM (Galois/Counter mode).
1079 tristate "AES cipher algorithms"
1080 select CRYPTO_ALGAPI
1081 select CRYPTO_LIB_AES
1083 AES cipher algorithms (FIPS-197). AES uses the Rijndael
1086 Rijndael appears to be consistently a very good performer in
1087 both hardware and software across a wide range of computing
1088 environments regardless of its use in feedback or non-feedback
1089 modes. Its key setup time is excellent, and its key agility is
1090 good. Rijndael's very low memory requirements make it very well
1091 suited for restricted-space environments, in which it also
1092 demonstrates excellent performance. Rijndael's operations are
1093 among the easiest to defend against power and timing attacks.
1095 The AES specifies three key sizes: 128, 192 and 256 bits
1097 See <http://csrc.nist.gov/CryptoToolkit/aes/> for more information.
1099 config CRYPTO_AES_TI
1100 tristate "Fixed time AES cipher"
1101 select CRYPTO_ALGAPI
1102 select CRYPTO_LIB_AES
1104 This is a generic implementation of AES that attempts to eliminate
1105 data dependent latencies as much as possible without affecting
1106 performance too much. It is intended for use by the generic CCM
1107 and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
1108 solely on encryption (although decryption is supported as well, but
1109 with a more dramatic performance hit)
1111 Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
1112 8 for decryption), this implementation only uses just two S-boxes of
1113 256 bytes each, and attempts to eliminate data dependent latencies by
1114 prefetching the entire table into the cache at the start of each
1115 block. Interrupts are also disabled to avoid races where cachelines
1116 are evicted when the CPU is interrupted to do something else.
1118 config CRYPTO_AES_NI_INTEL
1119 tristate "AES cipher algorithms (AES-NI)"
1122 select CRYPTO_LIB_AES
1123 select CRYPTO_ALGAPI
1124 select CRYPTO_SKCIPHER
1125 select CRYPTO_GLUE_HELPER_X86 if 64BIT
1128 Use Intel AES-NI instructions for AES algorithm.
1130 AES cipher algorithms (FIPS-197). AES uses the Rijndael
1133 Rijndael appears to be consistently a very good performer in
1134 both hardware and software across a wide range of computing
1135 environments regardless of its use in feedback or non-feedback
1136 modes. Its key setup time is excellent, and its key agility is
1137 good. Rijndael's very low memory requirements make it very well
1138 suited for restricted-space environments, in which it also
1139 demonstrates excellent performance. Rijndael's operations are
1140 among the easiest to defend against power and timing attacks.
1142 The AES specifies three key sizes: 128, 192 and 256 bits
1144 See <http://csrc.nist.gov/encryption/aes/> for more information.
1146 In addition to AES cipher algorithm support, the acceleration
1147 for some popular block cipher mode is supported too, including
1148 ECB, CBC, LRW, XTS. The 64 bit version has additional
1149 acceleration for CTR.
1151 config CRYPTO_AES_SPARC64
1152 tristate "AES cipher algorithms (SPARC64)"
1154 select CRYPTO_SKCIPHER
1156 Use SPARC64 crypto opcodes for AES algorithm.
1158 AES cipher algorithms (FIPS-197). AES uses the Rijndael
1161 Rijndael appears to be consistently a very good performer in
1162 both hardware and software across a wide range of computing
1163 environments regardless of its use in feedback or non-feedback
1164 modes. Its key setup time is excellent, and its key agility is
1165 good. Rijndael's very low memory requirements make it very well
1166 suited for restricted-space environments, in which it also
1167 demonstrates excellent performance. Rijndael's operations are
1168 among the easiest to defend against power and timing attacks.
1170 The AES specifies three key sizes: 128, 192 and 256 bits
1172 See <http://csrc.nist.gov/encryption/aes/> for more information.
1174 In addition to AES cipher algorithm support, the acceleration
1175 for some popular block cipher mode is supported too, including
1178 config CRYPTO_AES_PPC_SPE
1179 tristate "AES cipher algorithms (PPC SPE)"
1180 depends on PPC && SPE
1181 select CRYPTO_SKCIPHER
1183 AES cipher algorithms (FIPS-197). Additionally the acceleration
1184 for popular block cipher modes ECB, CBC, CTR and XTS is supported.
1185 This module should only be used for low power (router) devices
1186 without hardware AES acceleration (e.g. caam crypto). It reduces the
1187 size of the AES tables from 16KB to 8KB + 256 bytes and mitigates
1188 timining attacks. Nevertheless it might be not as secure as other
1189 architecture specific assembler implementations that work on 1KB
1190 tables or 256 bytes S-boxes.
1192 config CRYPTO_ANUBIS
1193 tristate "Anubis cipher algorithm"
1194 select CRYPTO_ALGAPI
1196 Anubis cipher algorithm.
1198 Anubis is a variable key length cipher which can use keys from
1199 128 bits to 320 bits in length. It was evaluated as a entrant
1200 in the NESSIE competition.
1203 <https://www.cosic.esat.kuleuven.be/nessie/reports/>
1204 <http://www.larc.usp.br/~pbarreto/AnubisPage.html>
1207 tristate "ARC4 cipher algorithm"
1208 select CRYPTO_SKCIPHER
1209 select CRYPTO_LIB_ARC4
1211 ARC4 cipher algorithm.
1213 ARC4 is a stream cipher using keys ranging from 8 bits to 2048
1214 bits in length. This algorithm is required for driver-based
1215 WEP, but it should not be for other purposes because of the
1216 weakness of the algorithm.
1218 config CRYPTO_BLOWFISH
1219 tristate "Blowfish cipher algorithm"
1220 select CRYPTO_ALGAPI
1221 select CRYPTO_BLOWFISH_COMMON
1223 Blowfish cipher algorithm, by Bruce Schneier.
1225 This is a variable key length cipher which can use keys from 32
1226 bits to 448 bits in length. It's fast, simple and specifically
1227 designed for use on "large microprocessors".
1230 <http://www.schneier.com/blowfish.html>
1232 config CRYPTO_BLOWFISH_COMMON
1235 Common parts of the Blowfish cipher algorithm shared by the
1236 generic c and the assembler implementations.
1239 <http://www.schneier.com/blowfish.html>
1241 config CRYPTO_BLOWFISH_X86_64
1242 tristate "Blowfish cipher algorithm (x86_64)"
1243 depends on X86 && 64BIT
1244 select CRYPTO_SKCIPHER
1245 select CRYPTO_BLOWFISH_COMMON
1247 Blowfish cipher algorithm (x86_64), by Bruce Schneier.
1249 This is a variable key length cipher which can use keys from 32
1250 bits to 448 bits in length. It's fast, simple and specifically
1251 designed for use on "large microprocessors".
1254 <http://www.schneier.com/blowfish.html>
1256 config CRYPTO_CAMELLIA
1257 tristate "Camellia cipher algorithms"
1259 select CRYPTO_ALGAPI
1261 Camellia cipher algorithms module.
1263 Camellia is a symmetric key block cipher developed jointly
1264 at NTT and Mitsubishi Electric Corporation.
1266 The Camellia specifies three key sizes: 128, 192 and 256 bits.
1269 <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1271 config CRYPTO_CAMELLIA_X86_64
1272 tristate "Camellia cipher algorithm (x86_64)"
1273 depends on X86 && 64BIT
1275 select CRYPTO_SKCIPHER
1276 select CRYPTO_GLUE_HELPER_X86
1278 Camellia cipher algorithm module (x86_64).
1280 Camellia is a symmetric key block cipher developed jointly
1281 at NTT and Mitsubishi Electric Corporation.
1283 The Camellia specifies three key sizes: 128, 192 and 256 bits.
1286 <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1288 config CRYPTO_CAMELLIA_AESNI_AVX_X86_64
1289 tristate "Camellia cipher algorithm (x86_64/AES-NI/AVX)"
1290 depends on X86 && 64BIT
1292 select CRYPTO_SKCIPHER
1293 select CRYPTO_CAMELLIA_X86_64
1294 select CRYPTO_GLUE_HELPER_X86
1298 Camellia cipher algorithm module (x86_64/AES-NI/AVX).
1300 Camellia is a symmetric key block cipher developed jointly
1301 at NTT and Mitsubishi Electric Corporation.
1303 The Camellia specifies three key sizes: 128, 192 and 256 bits.
1306 <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1308 config CRYPTO_CAMELLIA_AESNI_AVX2_X86_64
1309 tristate "Camellia cipher algorithm (x86_64/AES-NI/AVX2)"
1310 depends on X86 && 64BIT
1312 select CRYPTO_CAMELLIA_AESNI_AVX_X86_64
1314 Camellia cipher algorithm module (x86_64/AES-NI/AVX2).
1316 Camellia is a symmetric key block cipher developed jointly
1317 at NTT and Mitsubishi Electric Corporation.
1319 The Camellia specifies three key sizes: 128, 192 and 256 bits.
1322 <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1324 config CRYPTO_CAMELLIA_SPARC64
1325 tristate "Camellia cipher algorithm (SPARC64)"
1328 select CRYPTO_ALGAPI
1329 select CRYPTO_SKCIPHER
1331 Camellia cipher algorithm module (SPARC64).
1333 Camellia is a symmetric key block cipher developed jointly
1334 at NTT and Mitsubishi Electric Corporation.
1336 The Camellia specifies three key sizes: 128, 192 and 256 bits.
1339 <https://info.isl.ntt.co.jp/crypt/eng/camellia/index_s.html>
1341 config CRYPTO_CAST_COMMON
1344 Common parts of the CAST cipher algorithms shared by the
1345 generic c and the assembler implementations.
1348 tristate "CAST5 (CAST-128) cipher algorithm"
1349 select CRYPTO_ALGAPI
1350 select CRYPTO_CAST_COMMON
1352 The CAST5 encryption algorithm (synonymous with CAST-128) is
1353 described in RFC2144.
1355 config CRYPTO_CAST5_AVX_X86_64
1356 tristate "CAST5 (CAST-128) cipher algorithm (x86_64/AVX)"
1357 depends on X86 && 64BIT
1358 select CRYPTO_SKCIPHER
1360 select CRYPTO_CAST_COMMON
1363 The CAST5 encryption algorithm (synonymous with CAST-128) is
1364 described in RFC2144.
1366 This module provides the Cast5 cipher algorithm that processes
1367 sixteen blocks parallel using the AVX instruction set.
1370 tristate "CAST6 (CAST-256) cipher algorithm"
1371 select CRYPTO_ALGAPI
1372 select CRYPTO_CAST_COMMON
1374 The CAST6 encryption algorithm (synonymous with CAST-256) is
1375 described in RFC2612.
1377 config CRYPTO_CAST6_AVX_X86_64
1378 tristate "CAST6 (CAST-256) cipher algorithm (x86_64/AVX)"
1379 depends on X86 && 64BIT
1380 select CRYPTO_SKCIPHER
1382 select CRYPTO_CAST_COMMON
1383 select CRYPTO_GLUE_HELPER_X86
1387 The CAST6 encryption algorithm (synonymous with CAST-256) is
1388 described in RFC2612.
1390 This module provides the Cast6 cipher algorithm that processes
1391 eight blocks parallel using the AVX instruction set.
1394 tristate "DES and Triple DES EDE cipher algorithms"
1395 select CRYPTO_ALGAPI
1396 select CRYPTO_LIB_DES
1398 DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3).
1400 config CRYPTO_DES_SPARC64
1401 tristate "DES and Triple DES EDE cipher algorithms (SPARC64)"
1403 select CRYPTO_ALGAPI
1404 select CRYPTO_LIB_DES
1405 select CRYPTO_SKCIPHER
1407 DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3),
1408 optimized using SPARC64 crypto opcodes.
1410 config CRYPTO_DES3_EDE_X86_64
1411 tristate "Triple DES EDE cipher algorithm (x86-64)"
1412 depends on X86 && 64BIT
1413 select CRYPTO_SKCIPHER
1414 select CRYPTO_LIB_DES
1416 Triple DES EDE (FIPS 46-3) algorithm.
1418 This module provides implementation of the Triple DES EDE cipher
1419 algorithm that is optimized for x86-64 processors. Two versions of
1420 algorithm are provided; regular processing one input block and
1421 one that processes three blocks parallel.
1423 config CRYPTO_FCRYPT
1424 tristate "FCrypt cipher algorithm"
1425 select CRYPTO_ALGAPI
1426 select CRYPTO_SKCIPHER
1428 FCrypt algorithm used by RxRPC.
1430 config CRYPTO_KHAZAD
1431 tristate "Khazad cipher algorithm"
1432 select CRYPTO_ALGAPI
1434 Khazad cipher algorithm.
1436 Khazad was a finalist in the initial NESSIE competition. It is
1437 an algorithm optimized for 64-bit processors with good performance
1438 on 32-bit processors. Khazad uses an 128 bit key size.
1441 <http://www.larc.usp.br/~pbarreto/KhazadPage.html>
1443 config CRYPTO_SALSA20
1444 tristate "Salsa20 stream cipher algorithm"
1445 select CRYPTO_SKCIPHER
1447 Salsa20 stream cipher algorithm.
1449 Salsa20 is a stream cipher submitted to eSTREAM, the ECRYPT
1450 Stream Cipher Project. See <http://www.ecrypt.eu.org/stream/>
1452 The Salsa20 stream cipher algorithm is designed by Daniel J.
1453 Bernstein <djb@cr.yp.to>. See <http://cr.yp.to/snuffle.html>
1455 config CRYPTO_CHACHA20
1456 tristate "ChaCha stream cipher algorithms"
1457 select CRYPTO_LIB_CHACHA_GENERIC
1458 select CRYPTO_SKCIPHER
1460 The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms.
1462 ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
1463 Bernstein and further specified in RFC7539 for use in IETF protocols.
1464 This is the portable C implementation of ChaCha20. See also:
1465 <http://cr.yp.to/chacha/chacha-20080128.pdf>
1467 XChaCha20 is the application of the XSalsa20 construction to ChaCha20
1468 rather than to Salsa20. XChaCha20 extends ChaCha20's nonce length
1469 from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
1470 while provably retaining ChaCha20's security. See also:
1471 <https://cr.yp.to/snuffle/xsalsa-20081128.pdf>
1473 XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
1474 reduced security margin but increased performance. It can be needed
1475 in some performance-sensitive scenarios.
1477 config CRYPTO_CHACHA20_X86_64
1478 tristate "ChaCha stream cipher algorithms (x86_64/SSSE3/AVX2/AVX-512VL)"
1479 depends on X86 && 64BIT
1480 select CRYPTO_SKCIPHER
1481 select CRYPTO_LIB_CHACHA_GENERIC
1482 select CRYPTO_ARCH_HAVE_LIB_CHACHA
1484 SSSE3, AVX2, and AVX-512VL optimized implementations of the ChaCha20,
1485 XChaCha20, and XChaCha12 stream ciphers.
1487 config CRYPTO_CHACHA_MIPS
1488 tristate "ChaCha stream cipher algorithms (MIPS 32r2 optimized)"
1489 depends on CPU_MIPS32_R2
1490 select CRYPTO_SKCIPHER
1491 select CRYPTO_ARCH_HAVE_LIB_CHACHA
1494 tristate "SEED cipher algorithm"
1495 select CRYPTO_ALGAPI
1497 SEED cipher algorithm (RFC4269).
1499 SEED is a 128-bit symmetric key block cipher that has been
1500 developed by KISA (Korea Information Security Agency) as a
1501 national standard encryption algorithm of the Republic of Korea.
1502 It is a 16 round block cipher with the key size of 128 bit.
1505 <http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp>
1507 config CRYPTO_SERPENT
1508 tristate "Serpent cipher algorithm"
1509 select CRYPTO_ALGAPI
1511 Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1513 Keys are allowed to be from 0 to 256 bits in length, in steps
1514 of 8 bits. Also includes the 'Tnepres' algorithm, a reversed
1515 variant of Serpent for compatibility with old kerneli.org code.
1518 <http://www.cl.cam.ac.uk/~rja14/serpent.html>
1520 config CRYPTO_SERPENT_SSE2_X86_64
1521 tristate "Serpent cipher algorithm (x86_64/SSE2)"
1522 depends on X86 && 64BIT
1523 select CRYPTO_SKCIPHER
1524 select CRYPTO_GLUE_HELPER_X86
1525 select CRYPTO_SERPENT
1528 Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1530 Keys are allowed to be from 0 to 256 bits in length, in steps
1533 This module provides Serpent cipher algorithm that processes eight
1534 blocks parallel using SSE2 instruction set.
1537 <http://www.cl.cam.ac.uk/~rja14/serpent.html>
1539 config CRYPTO_SERPENT_SSE2_586
1540 tristate "Serpent cipher algorithm (i586/SSE2)"
1541 depends on X86 && !64BIT
1542 select CRYPTO_SKCIPHER
1543 select CRYPTO_GLUE_HELPER_X86
1544 select CRYPTO_SERPENT
1547 Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1549 Keys are allowed to be from 0 to 256 bits in length, in steps
1552 This module provides Serpent cipher algorithm that processes four
1553 blocks parallel using SSE2 instruction set.
1556 <http://www.cl.cam.ac.uk/~rja14/serpent.html>
1558 config CRYPTO_SERPENT_AVX_X86_64
1559 tristate "Serpent cipher algorithm (x86_64/AVX)"
1560 depends on X86 && 64BIT
1561 select CRYPTO_SKCIPHER
1562 select CRYPTO_GLUE_HELPER_X86
1563 select CRYPTO_SERPENT
1567 Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1569 Keys are allowed to be from 0 to 256 bits in length, in steps
1572 This module provides the Serpent cipher algorithm that processes
1573 eight blocks parallel using the AVX instruction set.
1576 <http://www.cl.cam.ac.uk/~rja14/serpent.html>
1578 config CRYPTO_SERPENT_AVX2_X86_64
1579 tristate "Serpent cipher algorithm (x86_64/AVX2)"
1580 depends on X86 && 64BIT
1581 select CRYPTO_SERPENT_AVX_X86_64
1583 Serpent cipher algorithm, by Anderson, Biham & Knudsen.
1585 Keys are allowed to be from 0 to 256 bits in length, in steps
1588 This module provides Serpent cipher algorithm that processes 16
1589 blocks parallel using AVX2 instruction set.
1592 <http://www.cl.cam.ac.uk/~rja14/serpent.html>
1595 tristate "SM4 cipher algorithm"
1596 select CRYPTO_ALGAPI
1598 SM4 cipher algorithms (OSCCA GB/T 32907-2016).
1600 SM4 (GBT.32907-2016) is a cryptographic standard issued by the
1601 Organization of State Commercial Administration of China (OSCCA)
1602 as an authorized cryptographic algorithms for the use within China.
1604 SMS4 was originally created for use in protecting wireless
1605 networks, and is mandated in the Chinese National Standard for
1606 Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
1609 The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
1610 standardized through TC 260 of the Standardization Administration
1611 of the People's Republic of China (SAC).
1613 The input, output, and key of SMS4 are each 128 bits.
1615 See also: <https://eprint.iacr.org/2008/329.pdf>
1620 tristate "TEA, XTEA and XETA cipher algorithms"
1621 select CRYPTO_ALGAPI
1623 TEA cipher algorithm.
1625 Tiny Encryption Algorithm is a simple cipher that uses
1626 many rounds for security. It is very fast and uses
1629 Xtendend Tiny Encryption Algorithm is a modification to
1630 the TEA algorithm to address a potential key weakness
1631 in the TEA algorithm.
1633 Xtendend Encryption Tiny Algorithm is a mis-implementation
1634 of the XTEA algorithm for compatibility purposes.
1636 config CRYPTO_TWOFISH
1637 tristate "Twofish cipher algorithm"
1638 select CRYPTO_ALGAPI
1639 select CRYPTO_TWOFISH_COMMON
1641 Twofish cipher algorithm.
1643 Twofish was submitted as an AES (Advanced Encryption Standard)
1644 candidate cipher by researchers at CounterPane Systems. It is a
1645 16 round block cipher supporting key sizes of 128, 192, and 256
1649 <http://www.schneier.com/twofish.html>
1651 config CRYPTO_TWOFISH_COMMON
1654 Common parts of the Twofish cipher algorithm shared by the
1655 generic c and the assembler implementations.
1657 config CRYPTO_TWOFISH_586
1658 tristate "Twofish cipher algorithms (i586)"
1659 depends on (X86 || UML_X86) && !64BIT
1660 select CRYPTO_ALGAPI
1661 select CRYPTO_TWOFISH_COMMON
1663 Twofish cipher algorithm.
1665 Twofish was submitted as an AES (Advanced Encryption Standard)
1666 candidate cipher by researchers at CounterPane Systems. It is a
1667 16 round block cipher supporting key sizes of 128, 192, and 256
1671 <http://www.schneier.com/twofish.html>
1673 config CRYPTO_TWOFISH_X86_64
1674 tristate "Twofish cipher algorithm (x86_64)"
1675 depends on (X86 || UML_X86) && 64BIT
1676 select CRYPTO_ALGAPI
1677 select CRYPTO_TWOFISH_COMMON
1679 Twofish cipher algorithm (x86_64).
1681 Twofish was submitted as an AES (Advanced Encryption Standard)
1682 candidate cipher by researchers at CounterPane Systems. It is a
1683 16 round block cipher supporting key sizes of 128, 192, and 256
1687 <http://www.schneier.com/twofish.html>
1689 config CRYPTO_TWOFISH_X86_64_3WAY
1690 tristate "Twofish cipher algorithm (x86_64, 3-way parallel)"
1691 depends on X86 && 64BIT
1692 select CRYPTO_SKCIPHER
1693 select CRYPTO_TWOFISH_COMMON
1694 select CRYPTO_TWOFISH_X86_64
1695 select CRYPTO_GLUE_HELPER_X86
1697 Twofish cipher algorithm (x86_64, 3-way parallel).
1699 Twofish was submitted as an AES (Advanced Encryption Standard)
1700 candidate cipher by researchers at CounterPane Systems. It is a
1701 16 round block cipher supporting key sizes of 128, 192, and 256
1704 This module provides Twofish cipher algorithm that processes three
1705 blocks parallel, utilizing resources of out-of-order CPUs better.
1708 <http://www.schneier.com/twofish.html>
1710 config CRYPTO_TWOFISH_AVX_X86_64
1711 tristate "Twofish cipher algorithm (x86_64/AVX)"
1712 depends on X86 && 64BIT
1713 select CRYPTO_SKCIPHER
1714 select CRYPTO_GLUE_HELPER_X86
1716 select CRYPTO_TWOFISH_COMMON
1717 select CRYPTO_TWOFISH_X86_64
1718 select CRYPTO_TWOFISH_X86_64_3WAY
1720 Twofish cipher algorithm (x86_64/AVX).
1722 Twofish was submitted as an AES (Advanced Encryption Standard)
1723 candidate cipher by researchers at CounterPane Systems. It is a
1724 16 round block cipher supporting key sizes of 128, 192, and 256
1727 This module provides the Twofish cipher algorithm that processes
1728 eight blocks parallel using the AVX Instruction Set.
1731 <http://www.schneier.com/twofish.html>
1733 comment "Compression"
1735 config CRYPTO_DEFLATE
1736 tristate "Deflate compression algorithm"
1737 select CRYPTO_ALGAPI
1738 select CRYPTO_ACOMP2
1742 This is the Deflate algorithm (RFC1951), specified for use in
1743 IPSec with the IPCOMP protocol (RFC3173, RFC2394).
1745 You will most probably want this if using IPSec.
1748 tristate "LZO compression algorithm"
1749 select CRYPTO_ALGAPI
1750 select CRYPTO_ACOMP2
1752 select LZO_DECOMPRESS
1754 This is the LZO algorithm.
1757 tristate "842 compression algorithm"
1758 select CRYPTO_ALGAPI
1759 select CRYPTO_ACOMP2
1761 select 842_DECOMPRESS
1763 This is the 842 algorithm.
1766 tristate "LZ4 compression algorithm"
1767 select CRYPTO_ALGAPI
1768 select CRYPTO_ACOMP2
1770 select LZ4_DECOMPRESS
1772 This is the LZ4 algorithm.
1775 tristate "LZ4HC compression algorithm"
1776 select CRYPTO_ALGAPI
1777 select CRYPTO_ACOMP2
1778 select LZ4HC_COMPRESS
1779 select LZ4_DECOMPRESS
1781 This is the LZ4 high compression mode algorithm.
1784 tristate "Zstd compression algorithm"
1785 select CRYPTO_ALGAPI
1786 select CRYPTO_ACOMP2
1787 select ZSTD_COMPRESS
1788 select ZSTD_DECOMPRESS
1790 This is the zstd algorithm.
1792 comment "Random Number Generation"
1794 config CRYPTO_ANSI_CPRNG
1795 tristate "Pseudo Random Number Generation for Cryptographic modules"
1799 This option enables the generic pseudo random number generator
1800 for cryptographic modules. Uses the Algorithm specified in
1801 ANSI X9.31 A.2.4. Note that this option must be enabled if
1802 CRYPTO_FIPS is selected
1804 menuconfig CRYPTO_DRBG_MENU
1805 tristate "NIST SP800-90A DRBG"
1807 NIST SP800-90A compliant DRBG. In the following submenu, one or
1808 more of the DRBG types must be selected.
1812 config CRYPTO_DRBG_HMAC
1816 select CRYPTO_SHA256
1818 config CRYPTO_DRBG_HASH
1819 bool "Enable Hash DRBG"
1820 select CRYPTO_SHA256
1822 Enable the Hash DRBG variant as defined in NIST SP800-90A.
1824 config CRYPTO_DRBG_CTR
1825 bool "Enable CTR DRBG"
1827 depends on CRYPTO_CTR
1829 Enable the CTR DRBG variant as defined in NIST SP800-90A.
1833 default CRYPTO_DRBG_MENU
1835 select CRYPTO_JITTERENTROPY
1837 endif # if CRYPTO_DRBG_MENU
1839 config CRYPTO_JITTERENTROPY
1840 tristate "Jitterentropy Non-Deterministic Random Number Generator"
1843 The Jitterentropy RNG is a noise that is intended
1844 to provide seed to another RNG. The RNG does not
1845 perform any cryptographic whitening of the generated
1846 random numbers. This Jitterentropy RNG registers with
1847 the kernel crypto API and can be used by any caller.
1849 config CRYPTO_USER_API
1852 config CRYPTO_USER_API_HASH
1853 tristate "User-space interface for hash algorithms"
1856 select CRYPTO_USER_API
1858 This option enables the user-spaces interface for hash
1861 config CRYPTO_USER_API_SKCIPHER
1862 tristate "User-space interface for symmetric key cipher algorithms"
1864 select CRYPTO_SKCIPHER
1865 select CRYPTO_USER_API
1867 This option enables the user-spaces interface for symmetric
1868 key cipher algorithms.
1870 config CRYPTO_USER_API_RNG
1871 tristate "User-space interface for random number generator algorithms"
1874 select CRYPTO_USER_API
1876 This option enables the user-spaces interface for random
1877 number generator algorithms.
1879 config CRYPTO_USER_API_AEAD
1880 tristate "User-space interface for AEAD cipher algorithms"
1883 select CRYPTO_SKCIPHER
1885 select CRYPTO_USER_API
1887 This option enables the user-spaces interface for AEAD
1891 bool "Crypto usage statistics for User-space"
1892 depends on CRYPTO_USER
1894 This option enables the gathering of crypto stats.
1896 - encrypt/decrypt size and numbers of symmeric operations
1897 - compress/decompress size and numbers of compress operations
1898 - size and numbers of hash operations
1899 - encrypt/decrypt/sign/verify numbers for asymmetric operations
1900 - generate/seed numbers for rng operations
1902 config CRYPTO_HASH_INFO
1905 source "lib/crypto/Kconfig"
1906 source "drivers/crypto/Kconfig"
1907 source "crypto/asymmetric_keys/Kconfig"
1908 source "certs/Kconfig"