1# SPDX-License-Identifier: GPL-2.0
2
3menu "Accelerated Cryptographic Algorithms for CPU (arm)"
4
5config CRYPTO_CURVE25519_NEON
6	tristate
7	depends on KERNEL_MODE_NEON
8	select CRYPTO_KPP
9	select CRYPTO_LIB_CURVE25519_GENERIC
10	select CRYPTO_ARCH_HAVE_LIB_CURVE25519
11	default CRYPTO_LIB_CURVE25519_INTERNAL
12	help
13	  Curve25519 algorithm
14
15	  Architecture: arm with
16	  - NEON (Advanced SIMD) extensions
17
18config CRYPTO_GHASH_ARM_CE
19	tristate "Hash functions: GHASH (PMULL/NEON/ARMv8 Crypto Extensions)"
20	depends on KERNEL_MODE_NEON
21	select CRYPTO_AEAD
22	select CRYPTO_HASH
23	select CRYPTO_CRYPTD
24	select CRYPTO_LIB_AES
25	select CRYPTO_LIB_GF128MUL
26	help
27	  GCM GHASH function (NIST SP800-38D)
28
29	  Architecture: arm using
30	  - PMULL (Polynomial Multiply Long) instructions
31	  - NEON (Advanced SIMD) extensions
32	  - ARMv8 Crypto Extensions
33
34	  Use an implementation of GHASH (used by the GCM AEAD chaining mode)
35	  that uses the 64x64 to 128 bit polynomial multiplication (vmull.p64)
36	  that is part of the ARMv8 Crypto Extensions, or a slower variant that
37	  uses the vmull.p8 instruction that is part of the basic NEON ISA.
38
39config CRYPTO_NHPOLY1305_NEON
40	tristate "Hash functions: NHPoly1305 (NEON)"
41	depends on KERNEL_MODE_NEON
42	select CRYPTO_NHPOLY1305
43	help
44	  NHPoly1305 hash function (Adiantum)
45
46	  Architecture: arm using:
47	  - NEON (Advanced SIMD) extensions
48
49config CRYPTO_BLAKE2B_NEON
50	tristate "Hash functions: BLAKE2b (NEON)"
51	depends on KERNEL_MODE_NEON
52	select CRYPTO_BLAKE2B
53	help
54	  BLAKE2b cryptographic hash function (RFC 7693)
55
56	  Architecture: arm using
57	  - NEON (Advanced SIMD) extensions
58
59	  BLAKE2b digest algorithm optimized with ARM NEON instructions.
60	  On ARM processors that have NEON support but not the ARMv8
61	  Crypto Extensions, typically this BLAKE2b implementation is
62	  much faster than the SHA-2 family and slightly faster than
63	  SHA-1.
64
65config CRYPTO_SHA1_ARM
66	tristate "Hash functions: SHA-1"
67	select CRYPTO_SHA1
68	select CRYPTO_HASH
69	help
70	  SHA-1 secure hash algorithm (FIPS 180)
71
72	  Architecture: arm
73
74config CRYPTO_SHA1_ARM_NEON
75	tristate "Hash functions: SHA-1 (NEON)"
76	depends on KERNEL_MODE_NEON
77	select CRYPTO_SHA1_ARM
78	select CRYPTO_SHA1
79	select CRYPTO_HASH
80	help
81	  SHA-1 secure hash algorithm (FIPS 180)
82
83	  Architecture: arm using
84	  - NEON (Advanced SIMD) extensions
85
86config CRYPTO_SHA1_ARM_CE
87	tristate "Hash functions: SHA-1 (ARMv8 Crypto Extensions)"
88	depends on KERNEL_MODE_NEON
89	select CRYPTO_SHA1_ARM
90	select CRYPTO_HASH
91	help
92	  SHA-1 secure hash algorithm (FIPS 180)
93
94	  Architecture: arm using ARMv8 Crypto Extensions
95
96config CRYPTO_SHA512_ARM
97	tristate "Hash functions: SHA-384 and SHA-512 (NEON)"
98	select CRYPTO_HASH
99	depends on !CPU_V7M
100	help
101	  SHA-384 and SHA-512 secure hash algorithms (FIPS 180)
102
103	  Architecture: arm using
104	  - NEON (Advanced SIMD) extensions
105
106config CRYPTO_AES_ARM
107	tristate "Ciphers: AES"
108	select CRYPTO_ALGAPI
109	select CRYPTO_AES
110	help
111	  Block ciphers: AES cipher algorithms (FIPS-197)
112
113	  Architecture: arm
114
115	  On ARM processors without the Crypto Extensions, this is the
116	  fastest AES implementation for single blocks.  For multiple
117	  blocks, the NEON bit-sliced implementation is usually faster.
118
119	  This implementation may be vulnerable to cache timing attacks,
120	  since it uses lookup tables.  However, as countermeasures it
121	  disables IRQs and preloads the tables; it is hoped this makes
122	  such attacks very difficult.
123
124config CRYPTO_AES_ARM_BS
125	tristate "Ciphers: AES, modes: ECB/CBC/CTR/XTS (bit-sliced NEON)"
126	depends on KERNEL_MODE_NEON
127	select CRYPTO_AES_ARM
128	select CRYPTO_SKCIPHER
129	select CRYPTO_LIB_AES
130	help
131	  Length-preserving ciphers: AES cipher algorithms (FIPS-197)
132	  with block cipher modes:
133	   - ECB (Electronic Codebook) mode (NIST SP800-38A)
134	   - CBC (Cipher Block Chaining) mode (NIST SP800-38A)
135	   - CTR (Counter) mode (NIST SP800-38A)
136	   - XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
137	     and IEEE 1619)
138
139	  Bit sliced AES gives around 45% speedup on Cortex-A15 for CTR mode
140	  and for XTS mode encryption, CBC and XTS mode decryption speedup is
141	  around 25%. (CBC encryption speed is not affected by this driver.)
142
143	  The bit sliced AES code does not use lookup tables, so it is believed
144	  to be invulnerable to cache timing attacks. However, since the bit
145	  sliced AES code cannot process single blocks efficiently, in certain
146	  cases table-based code with some countermeasures against cache timing
147	  attacks will still be used as a fallback method; specifically CBC
148	  encryption (not CBC decryption), the encryption of XTS tweaks, XTS
149	  ciphertext stealing when the message isn't a multiple of 16 bytes, and
150	  CTR when invoked in a context in which NEON instructions are unusable.
151
152config CRYPTO_AES_ARM_CE
153	tristate "Ciphers: AES, modes: ECB/CBC/CTS/CTR/XTS (ARMv8 Crypto Extensions)"
154	depends on KERNEL_MODE_NEON
155	select CRYPTO_SKCIPHER
156	select CRYPTO_LIB_AES
157	help
158	  Length-preserving ciphers: AES cipher algorithms (FIPS-197)
159	   with block cipher modes:
160	   - ECB (Electronic Codebook) mode (NIST SP800-38A)
161	   - CBC (Cipher Block Chaining) mode (NIST SP800-38A)
162	   - CTR (Counter) mode (NIST SP800-38A)
163	   - CTS (Cipher Text Stealing) mode (NIST SP800-38A)
164	   - XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
165	     and IEEE 1619)
166
167	  Architecture: arm using:
168	  - ARMv8 Crypto Extensions
169
170endmenu
171
172