1# SPDX-License-Identifier: GPL-2.0
2#
3# Generic algorithms support
4#
5config XOR_BLOCKS
6	tristate
7
8#
9# async_tx api: hardware offloaded memory transfer/transform support
10#
11source "crypto/async_tx/Kconfig"
12
13#
14# Cryptographic API Configuration
15#
16menuconfig CRYPTO
17	tristate "Cryptographic API"
18	select CRYPTO_LIB_UTILS
19	help
20	  This option provides the core Cryptographic API.
21
22if CRYPTO
23
24menu "Crypto core or helper"
25
26config CRYPTO_FIPS
27	bool "FIPS 200 compliance"
28	depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && CRYPTO_SELFTESTS
29	depends on (MODULE_SIG || !MODULES)
30	help
31	  This option enables the fips boot option which is
32	  required if you want the system to operate in a FIPS 200
33	  certification.  You should say no unless you know what
34	  this is.
35
36config CRYPTO_FIPS_NAME
37	string "FIPS Module Name"
38	default "Linux Kernel Cryptographic API"
39	depends on CRYPTO_FIPS
40	help
41	  This option sets the FIPS Module name reported by the Crypto API via
42	  the /proc/sys/crypto/fips_name file.
43
44config CRYPTO_FIPS_CUSTOM_VERSION
45	bool "Use Custom FIPS Module Version"
46	depends on CRYPTO_FIPS
47	default n
48
49config CRYPTO_FIPS_VERSION
50	string "FIPS Module Version"
51	default "(none)"
52	depends on CRYPTO_FIPS_CUSTOM_VERSION
53	help
54	  This option provides the ability to override the FIPS Module Version.
55	  By default the KERNELRELEASE value is used.
56
57config CRYPTO_ALGAPI
58	tristate
59	select CRYPTO_ALGAPI2
60	help
61	  This option provides the API for cryptographic algorithms.
62
63config CRYPTO_ALGAPI2
64	tristate
65
66config CRYPTO_AEAD
67	tristate
68	select CRYPTO_AEAD2
69	select CRYPTO_ALGAPI
70
71config CRYPTO_AEAD2
72	tristate
73	select CRYPTO_ALGAPI2
74
75config CRYPTO_SIG
76	tristate
77	select CRYPTO_SIG2
78	select CRYPTO_ALGAPI
79
80config CRYPTO_SIG2
81	tristate
82	select CRYPTO_ALGAPI2
83
84config CRYPTO_SKCIPHER
85	tristate
86	select CRYPTO_SKCIPHER2
87	select CRYPTO_ALGAPI
88	select CRYPTO_ECB
89
90config CRYPTO_SKCIPHER2
91	tristate
92	select CRYPTO_ALGAPI2
93
94config CRYPTO_HASH
95	tristate
96	select CRYPTO_HASH2
97	select CRYPTO_ALGAPI
98
99config CRYPTO_HASH2
100	tristate
101	select CRYPTO_ALGAPI2
102
103config CRYPTO_RNG
104	tristate
105	select CRYPTO_RNG2
106	select CRYPTO_ALGAPI
107
108config CRYPTO_RNG2
109	tristate
110	select CRYPTO_ALGAPI2
111
112config CRYPTO_RNG_DEFAULT
113	tristate
114	select CRYPTO_DRBG_MENU
115
116config CRYPTO_AKCIPHER2
117	tristate
118	select CRYPTO_ALGAPI2
119
120config CRYPTO_AKCIPHER
121	tristate
122	select CRYPTO_AKCIPHER2
123	select CRYPTO_ALGAPI
124
125config CRYPTO_KPP2
126	tristate
127	select CRYPTO_ALGAPI2
128
129config CRYPTO_KPP
130	tristate
131	select CRYPTO_ALGAPI
132	select CRYPTO_KPP2
133
134config CRYPTO_ACOMP2
135	tristate
136	select CRYPTO_ALGAPI2
137	select SGL_ALLOC
138
139config CRYPTO_ACOMP
140	tristate
141	select CRYPTO_ALGAPI
142	select CRYPTO_ACOMP2
143
144config CRYPTO_HKDF
145	tristate
146	select CRYPTO_SHA256 if CRYPTO_SELFTESTS
147	select CRYPTO_SHA512 if CRYPTO_SELFTESTS
148	select CRYPTO_HASH2
149
150config CRYPTO_MANAGER
151	tristate
152	default CRYPTO_ALGAPI if CRYPTO_SELFTESTS
153	select CRYPTO_MANAGER2
154	help
155	  This provides the support for instantiating templates such as
156	  cbc(aes), and the support for the crypto self-tests.
157
158config CRYPTO_MANAGER2
159	def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
160	select CRYPTO_ACOMP2
161	select CRYPTO_AEAD2
162	select CRYPTO_AKCIPHER2
163	select CRYPTO_SIG2
164	select CRYPTO_HASH2
165	select CRYPTO_KPP2
166	select CRYPTO_RNG2
167	select CRYPTO_SKCIPHER2
168
169config CRYPTO_USER
170	tristate "Userspace cryptographic algorithm configuration"
171	depends on NET
172	select CRYPTO_MANAGER
173	help
174	  Userspace configuration for cryptographic instantiations such as
175	  cbc(aes).
176
177config CRYPTO_SELFTESTS
178	bool "Enable cryptographic self-tests"
179	depends on DEBUG_KERNEL
180	help
181	  Enable the cryptographic self-tests.
182
183	  The cryptographic self-tests run at boot time, or at algorithm
184	  registration time if algorithms are dynamically loaded later.
185
186	  This is primarily intended for developer use.  It should not be
187	  enabled in production kernels, unless you are trying to use these
188	  tests to fulfill a FIPS testing requirement.
189
190config CRYPTO_NULL
191	tristate "Null algorithms"
192	select CRYPTO_ALGAPI
193	select CRYPTO_SKCIPHER
194	select CRYPTO_HASH
195	help
196	  These are 'Null' algorithms, used by IPsec, which do nothing.
197
198config CRYPTO_PCRYPT
199	tristate "Parallel crypto engine"
200	depends on SMP
201	select PADATA
202	select CRYPTO_MANAGER
203	select CRYPTO_AEAD
204	help
205	  This converts an arbitrary crypto algorithm into a parallel
206	  algorithm that executes in kernel threads.
207
208config CRYPTO_CRYPTD
209	tristate "Software async crypto daemon"
210	select CRYPTO_SKCIPHER
211	select CRYPTO_HASH
212	select CRYPTO_MANAGER
213	help
214	  This is a generic software asynchronous crypto daemon that
215	  converts an arbitrary synchronous software crypto algorithm
216	  into an asynchronous algorithm that executes in a kernel thread.
217
218config CRYPTO_AUTHENC
219	tristate "Authenc support"
220	select CRYPTO_AEAD
221	select CRYPTO_SKCIPHER
222	select CRYPTO_MANAGER
223	select CRYPTO_HASH
224	help
225	  Authenc: Combined mode wrapper for IPsec.
226
227	  This is required for IPSec ESP (XFRM_ESP).
228
229config CRYPTO_KRB5ENC
230	tristate "Kerberos 5 combined hash+cipher support"
231	select CRYPTO_AEAD
232	select CRYPTO_SKCIPHER
233	select CRYPTO_MANAGER
234	select CRYPTO_HASH
235	help
236	  Combined hash and cipher support for Kerberos 5 RFC3961 simplified
237	  profile.  This is required for Kerberos 5-style encryption, used by
238	  sunrpc/NFS and rxrpc/AFS.
239
240config CRYPTO_BENCHMARK
241	tristate "Crypto benchmarking module"
242	depends on m || EXPERT
243	select CRYPTO_MANAGER
244	help
245	  Quick & dirty crypto benchmarking module.
246
247	  This is mainly intended for use by people developing cryptographic
248	  algorithms in the kernel.  It should not be enabled in production
249	  kernels.
250
251config CRYPTO_SIMD
252	tristate
253	select CRYPTO_CRYPTD
254
255config CRYPTO_ENGINE
256	tristate
257
258endmenu
259
260menu "Public-key cryptography"
261
262config CRYPTO_RSA
263	tristate "RSA (Rivest-Shamir-Adleman)"
264	select CRYPTO_AKCIPHER
265	select CRYPTO_MANAGER
266	select CRYPTO_SIG
267	select MPILIB
268	select ASN1
269	help
270	  RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017)
271
272config CRYPTO_DH
273	tristate "DH (Diffie-Hellman)"
274	select CRYPTO_KPP
275	select MPILIB
276	help
277	  DH (Diffie-Hellman) key exchange algorithm
278
279config CRYPTO_DH_RFC7919_GROUPS
280	bool "RFC 7919 FFDHE groups"
281	depends on CRYPTO_DH
282	select CRYPTO_RNG_DEFAULT
283	help
284	  FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups
285	  defined in RFC7919.
286
287	  Support these finite-field groups in DH key exchanges:
288	  - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
289
290	  If unsure, say N.
291
292config CRYPTO_ECC
293	tristate
294	select CRYPTO_RNG_DEFAULT
295
296config CRYPTO_ECDH
297	tristate "ECDH (Elliptic Curve Diffie-Hellman)"
298	select CRYPTO_ECC
299	select CRYPTO_KPP
300	help
301	  ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm
302	  using curves P-192, P-256, and P-384 (FIPS 186)
303
304config CRYPTO_ECDSA
305	tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)"
306	select CRYPTO_ECC
307	select CRYPTO_SIG
308	select ASN1
309	help
310	  ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186,
311	  ISO/IEC 14888-3)
312	  using curves P-192, P-256, P-384 and P-521
313
314	  Only signature verification is implemented.
315
316config CRYPTO_ECRDSA
317	tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)"
318	select CRYPTO_ECC
319	select CRYPTO_SIG
320	select CRYPTO_STREEBOG
321	select OID_REGISTRY
322	select ASN1
323	help
324	  Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
325	  RFC 7091, ISO/IEC 14888-3)
326
327	  One of the Russian cryptographic standard algorithms (called GOST
328	  algorithms). Only signature verification is implemented.
329
330config CRYPTO_CURVE25519
331	tristate "Curve25519"
332	select CRYPTO_KPP
333	select CRYPTO_LIB_CURVE25519_GENERIC
334	select CRYPTO_LIB_CURVE25519_INTERNAL
335	help
336	  Curve25519 elliptic curve (RFC7748)
337
338endmenu
339
340menu "Block ciphers"
341
342config CRYPTO_AES
343	tristate "AES (Advanced Encryption Standard)"
344	select CRYPTO_ALGAPI
345	select CRYPTO_LIB_AES
346	help
347	  AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
348
349	  Rijndael appears to be consistently a very good performer in
350	  both hardware and software across a wide range of computing
351	  environments regardless of its use in feedback or non-feedback
352	  modes. Its key setup time is excellent, and its key agility is
353	  good. Rijndael's very low memory requirements make it very well
354	  suited for restricted-space environments, in which it also
355	  demonstrates excellent performance. Rijndael's operations are
356	  among the easiest to defend against power and timing attacks.
357
358	  The AES specifies three key sizes: 128, 192 and 256 bits
359
360config CRYPTO_AES_TI
361	tristate "AES (Advanced Encryption Standard) (fixed time)"
362	select CRYPTO_ALGAPI
363	select CRYPTO_LIB_AES
364	help
365	  AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
366
367	  This is a generic implementation of AES that attempts to eliminate
368	  data dependent latencies as much as possible without affecting
369	  performance too much. It is intended for use by the generic CCM
370	  and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
371	  solely on encryption (although decryption is supported as well, but
372	  with a more dramatic performance hit)
373
374	  Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
375	  8 for decryption), this implementation only uses just two S-boxes of
376	  256 bytes each, and attempts to eliminate data dependent latencies by
377	  prefetching the entire table into the cache at the start of each
378	  block. Interrupts are also disabled to avoid races where cachelines
379	  are evicted when the CPU is interrupted to do something else.
380
381config CRYPTO_ANUBIS
382	tristate "Anubis"
383	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
384	select CRYPTO_ALGAPI
385	help
386	  Anubis cipher algorithm
387
388	  Anubis is a variable key length cipher which can use keys from
389	  128 bits to 320 bits in length.  It was evaluated as a entrant
390	  in the NESSIE competition.
391
392	  See https://web.archive.org/web/20160606112246/http://www.larc.usp.br/~pbarreto/AnubisPage.html
393	  for further information.
394
395config CRYPTO_ARIA
396	tristate "ARIA"
397	select CRYPTO_ALGAPI
398	help
399	  ARIA cipher algorithm (RFC5794)
400
401	  ARIA is a standard encryption algorithm of the Republic of Korea.
402	  The ARIA specifies three key sizes and rounds.
403	  128-bit: 12 rounds.
404	  192-bit: 14 rounds.
405	  256-bit: 16 rounds.
406
407	  See:
408	  https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do
409
410config CRYPTO_BLOWFISH
411	tristate "Blowfish"
412	select CRYPTO_ALGAPI
413	select CRYPTO_BLOWFISH_COMMON
414	help
415	  Blowfish cipher algorithm, by Bruce Schneier
416
417	  This is a variable key length cipher which can use keys from 32
418	  bits to 448 bits in length.  It's fast, simple and specifically
419	  designed for use on "large microprocessors".
420
421	  See https://www.schneier.com/blowfish.html for further information.
422
423config CRYPTO_BLOWFISH_COMMON
424	tristate
425	help
426	  Common parts of the Blowfish cipher algorithm shared by the
427	  generic c and the assembler implementations.
428
429config CRYPTO_CAMELLIA
430	tristate "Camellia"
431	select CRYPTO_ALGAPI
432	help
433	  Camellia cipher algorithms (ISO/IEC 18033-3)
434
435	  Camellia is a symmetric key block cipher developed jointly
436	  at NTT and Mitsubishi Electric Corporation.
437
438	  The Camellia specifies three key sizes: 128, 192 and 256 bits.
439
440	  See https://info.isl.ntt.co.jp/crypt/eng/camellia/ for further information.
441
442config CRYPTO_CAST_COMMON
443	tristate
444	help
445	  Common parts of the CAST cipher algorithms shared by the
446	  generic c and the assembler implementations.
447
448config CRYPTO_CAST5
449	tristate "CAST5 (CAST-128)"
450	select CRYPTO_ALGAPI
451	select CRYPTO_CAST_COMMON
452	help
453	  CAST5 (CAST-128) cipher algorithm (RFC2144, ISO/IEC 18033-3)
454
455config CRYPTO_CAST6
456	tristate "CAST6 (CAST-256)"
457	select CRYPTO_ALGAPI
458	select CRYPTO_CAST_COMMON
459	help
460	  CAST6 (CAST-256) encryption algorithm (RFC2612)
461
462config CRYPTO_DES
463	tristate "DES and Triple DES EDE"
464	select CRYPTO_ALGAPI
465	select CRYPTO_LIB_DES
466	help
467	  DES (Data Encryption Standard)(FIPS 46-2, ISO/IEC 18033-3) and
468	  Triple DES EDE (Encrypt/Decrypt/Encrypt) (FIPS 46-3, ISO/IEC 18033-3)
469	  cipher algorithms
470
471config CRYPTO_FCRYPT
472	tristate "FCrypt"
473	select CRYPTO_ALGAPI
474	select CRYPTO_SKCIPHER
475	help
476	  FCrypt algorithm used by RxRPC
477
478	  See https://ota.polyonymo.us/fcrypt-paper.txt
479
480config CRYPTO_KHAZAD
481	tristate "Khazad"
482	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
483	select CRYPTO_ALGAPI
484	help
485	  Khazad cipher algorithm
486
487	  Khazad was a finalist in the initial NESSIE competition.  It is
488	  an algorithm optimized for 64-bit processors with good performance
489	  on 32-bit processors.  Khazad uses an 128 bit key size.
490
491	  See https://web.archive.org/web/20171011071731/http://www.larc.usp.br/~pbarreto/KhazadPage.html
492	  for further information.
493
494config CRYPTO_SEED
495	tristate "SEED"
496	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
497	select CRYPTO_ALGAPI
498	help
499	  SEED cipher algorithm (RFC4269, ISO/IEC 18033-3)
500
501	  SEED is a 128-bit symmetric key block cipher that has been
502	  developed by KISA (Korea Information Security Agency) as a
503	  national standard encryption algorithm of the Republic of Korea.
504	  It is a 16 round block cipher with the key size of 128 bit.
505
506	  See https://seed.kisa.or.kr/kisa/algorithm/EgovSeedInfo.do
507	  for further information.
508
509config CRYPTO_SERPENT
510	tristate "Serpent"
511	select CRYPTO_ALGAPI
512	help
513	  Serpent cipher algorithm, by Anderson, Biham & Knudsen
514
515	  Keys are allowed to be from 0 to 256 bits in length, in steps
516	  of 8 bits.
517
518	  See https://www.cl.cam.ac.uk/~rja14/serpent.html for further information.
519
520config CRYPTO_SM4
521	tristate
522
523config CRYPTO_SM4_GENERIC
524	tristate "SM4 (ShangMi 4)"
525	select CRYPTO_ALGAPI
526	select CRYPTO_SM4
527	help
528	  SM4 cipher algorithms (OSCCA GB/T 32907-2016,
529	  ISO/IEC 18033-3:2010/Amd 1:2021)
530
531	  SM4 (GBT.32907-2016) is a cryptographic standard issued by the
532	  Organization of State Commercial Administration of China (OSCCA)
533	  as an authorized cryptographic algorithms for the use within China.
534
535	  SMS4 was originally created for use in protecting wireless
536	  networks, and is mandated in the Chinese National Standard for
537	  Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
538	  (GB.15629.11-2003).
539
540	  The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
541	  standardized through TC 260 of the Standardization Administration
542	  of the People's Republic of China (SAC).
543
544	  The input, output, and key of SMS4 are each 128 bits.
545
546	  See https://eprint.iacr.org/2008/329.pdf for further information.
547
548	  If unsure, say N.
549
550config CRYPTO_TEA
551	tristate "TEA, XTEA and XETA"
552	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
553	select CRYPTO_ALGAPI
554	help
555	  TEA (Tiny Encryption Algorithm) cipher algorithms
556
557	  Tiny Encryption Algorithm is a simple cipher that uses
558	  many rounds for security.  It is very fast and uses
559	  little memory.
560
561	  Xtendend Tiny Encryption Algorithm is a modification to
562	  the TEA algorithm to address a potential key weakness
563	  in the TEA algorithm.
564
565	  Xtendend Encryption Tiny Algorithm is a mis-implementation
566	  of the XTEA algorithm for compatibility purposes.
567
568config CRYPTO_TWOFISH
569	tristate "Twofish"
570	select CRYPTO_ALGAPI
571	select CRYPTO_TWOFISH_COMMON
572	help
573	  Twofish cipher algorithm
574
575	  Twofish was submitted as an AES (Advanced Encryption Standard)
576	  candidate cipher by researchers at CounterPane Systems.  It is a
577	  16 round block cipher supporting key sizes of 128, 192, and 256
578	  bits.
579
580	  See https://www.schneier.com/twofish.html for further information.
581
582config CRYPTO_TWOFISH_COMMON
583	tristate
584	help
585	  Common parts of the Twofish cipher algorithm shared by the
586	  generic c and the assembler implementations.
587
588endmenu
589
590menu "Length-preserving ciphers and modes"
591
592config CRYPTO_ADIANTUM
593	tristate "Adiantum"
594	select CRYPTO_CHACHA20
595	select CRYPTO_LIB_POLY1305_GENERIC
596	select CRYPTO_NHPOLY1305
597	select CRYPTO_MANAGER
598	help
599	  Adiantum tweakable, length-preserving encryption mode
600
601	  Designed for fast and secure disk encryption, especially on
602	  CPUs without dedicated crypto instructions.  It encrypts
603	  each sector using the XChaCha12 stream cipher, two passes of
604	  an ε-almost-∆-universal hash function, and an invocation of
605	  the AES-256 block cipher on a single 16-byte block.  On CPUs
606	  without AES instructions, Adiantum is much faster than
607	  AES-XTS.
608
609	  Adiantum's security is provably reducible to that of its
610	  underlying stream and block ciphers, subject to a security
611	  bound.  Unlike XTS, Adiantum is a true wide-block encryption
612	  mode, so it actually provides an even stronger notion of
613	  security than XTS, subject to the security bound.
614
615	  If unsure, say N.
616
617config CRYPTO_ARC4
618	tristate "ARC4 (Alleged Rivest Cipher 4)"
619	depends on CRYPTO_USER_API_ENABLE_OBSOLETE
620	select CRYPTO_SKCIPHER
621	select CRYPTO_LIB_ARC4
622	help
623	  ARC4 cipher algorithm
624
625	  ARC4 is a stream cipher using keys ranging from 8 bits to 2048
626	  bits in length.  This algorithm is required for driver-based
627	  WEP, but it should not be for other purposes because of the
628	  weakness of the algorithm.
629
630config CRYPTO_CHACHA20
631	tristate "ChaCha"
632	select CRYPTO_LIB_CHACHA
633	select CRYPTO_LIB_CHACHA_GENERIC
634	select CRYPTO_SKCIPHER
635	help
636	  The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms
637
638	  ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
639	  Bernstein and further specified in RFC7539 for use in IETF protocols.
640	  This is the portable C implementation of ChaCha20.  See
641	  https://cr.yp.to/chacha/chacha-20080128.pdf for further information.
642
643	  XChaCha20 is the application of the XSalsa20 construction to ChaCha20
644	  rather than to Salsa20.  XChaCha20 extends ChaCha20's nonce length
645	  from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
646	  while provably retaining ChaCha20's security.  See
647	  https://cr.yp.to/snuffle/xsalsa-20081128.pdf for further information.
648
649	  XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
650	  reduced security margin but increased performance.  It can be needed
651	  in some performance-sensitive scenarios.
652
653config CRYPTO_CBC
654	tristate "CBC (Cipher Block Chaining)"
655	select CRYPTO_SKCIPHER
656	select CRYPTO_MANAGER
657	help
658	  CBC (Cipher Block Chaining) mode (NIST SP800-38A)
659
660	  This block cipher mode is required for IPSec ESP (XFRM_ESP).
661
662config CRYPTO_CTR
663	tristate "CTR (Counter)"
664	select CRYPTO_SKCIPHER
665	select CRYPTO_MANAGER
666	help
667	  CTR (Counter) mode (NIST SP800-38A)
668
669config CRYPTO_CTS
670	tristate "CTS (Cipher Text Stealing)"
671	select CRYPTO_SKCIPHER
672	select CRYPTO_MANAGER
673	help
674	  CBC-CS3 variant of CTS (Cipher Text Stealing) (NIST
675	  Addendum to SP800-38A (October 2010))
676
677	  This mode is required for Kerberos gss mechanism support
678	  for AES encryption.
679
680config CRYPTO_ECB
681	tristate "ECB (Electronic Codebook)"
682	select CRYPTO_SKCIPHER2
683	select CRYPTO_MANAGER
684	help
685	  ECB (Electronic Codebook) mode (NIST SP800-38A)
686
687config CRYPTO_HCTR2
688	tristate "HCTR2"
689	select CRYPTO_XCTR
690	select CRYPTO_POLYVAL
691	select CRYPTO_MANAGER
692	help
693	  HCTR2 length-preserving encryption mode
694
695	  A mode for storage encryption that is efficient on processors with
696	  instructions to accelerate AES and carryless multiplication, e.g.
697	  x86 processors with AES-NI and CLMUL, and ARM processors with the
698	  ARMv8 crypto extensions.
699
700	  See https://eprint.iacr.org/2021/1441
701
702config CRYPTO_LRW
703	tristate "LRW (Liskov Rivest Wagner)"
704	select CRYPTO_LIB_GF128MUL
705	select CRYPTO_SKCIPHER
706	select CRYPTO_MANAGER
707	select CRYPTO_ECB
708	help
709	  LRW (Liskov Rivest Wagner) mode
710
711	  A tweakable, non malleable, non movable
712	  narrow block cipher mode for dm-crypt.  Use it with cipher
713	  specification string aes-lrw-benbi, the key must be 256, 320 or 384.
714	  The first 128, 192 or 256 bits in the key are used for AES and the
715	  rest is used to tie each cipher block to its logical position.
716
717	  See https://people.csail.mit.edu/rivest/pubs/LRW02.pdf
718
719config CRYPTO_PCBC
720	tristate "PCBC (Propagating Cipher Block Chaining)"
721	select CRYPTO_SKCIPHER
722	select CRYPTO_MANAGER
723	help
724	  PCBC (Propagating Cipher Block Chaining) mode
725
726	  This block cipher mode is required for RxRPC.
727
728config CRYPTO_XCTR
729	tristate
730	select CRYPTO_SKCIPHER
731	select CRYPTO_MANAGER
732	help
733	  XCTR (XOR Counter) mode for HCTR2
734
735	  This blockcipher mode is a variant of CTR mode using XORs and little-endian
736	  addition rather than big-endian arithmetic.
737
738	  XCTR mode is used to implement HCTR2.
739
740config CRYPTO_XTS
741	tristate "XTS (XOR Encrypt XOR with ciphertext stealing)"
742	select CRYPTO_SKCIPHER
743	select CRYPTO_MANAGER
744	select CRYPTO_ECB
745	help
746	  XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
747	  and IEEE 1619)
748
749	  Use with aes-xts-plain, key size 256, 384 or 512 bits. This
750	  implementation currently can't handle a sectorsize which is not a
751	  multiple of 16 bytes.
752
753config CRYPTO_NHPOLY1305
754	tristate
755	select CRYPTO_HASH
756	select CRYPTO_LIB_POLY1305_GENERIC
757
758endmenu
759
760menu "AEAD (authenticated encryption with associated data) ciphers"
761
762config CRYPTO_AEGIS128
763	tristate "AEGIS-128"
764	select CRYPTO_AEAD
765	select CRYPTO_AES  # for AES S-box tables
766	help
767	  AEGIS-128 AEAD algorithm
768
769config CRYPTO_AEGIS128_SIMD
770	bool "AEGIS-128 (arm NEON, arm64 NEON)"
771	depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
772	default y
773	help
774	  AEGIS-128 AEAD algorithm
775
776	  Architecture: arm or arm64 using:
777	  - NEON (Advanced SIMD) extension
778
779config CRYPTO_CHACHA20POLY1305
780	tristate "ChaCha20-Poly1305"
781	select CRYPTO_CHACHA20
782	select CRYPTO_AEAD
783	select CRYPTO_LIB_POLY1305
784	select CRYPTO_MANAGER
785	help
786	  ChaCha20 stream cipher and Poly1305 authenticator combined
787	  mode (RFC8439)
788
789config CRYPTO_CCM
790	tristate "CCM (Counter with Cipher Block Chaining-MAC)"
791	select CRYPTO_CTR
792	select CRYPTO_HASH
793	select CRYPTO_AEAD
794	select CRYPTO_MANAGER
795	help
796	  CCM (Counter with Cipher Block Chaining-Message Authentication Code)
797	  authenticated encryption mode (NIST SP800-38C)
798
799config CRYPTO_GCM
800	tristate "GCM (Galois/Counter Mode) and GMAC (GCM MAC)"
801	select CRYPTO_CTR
802	select CRYPTO_AEAD
803	select CRYPTO_GHASH
804	select CRYPTO_MANAGER
805	help
806	  GCM (Galois/Counter Mode) authenticated encryption mode and GMAC
807	  (GCM Message Authentication Code) (NIST SP800-38D)
808
809	  This is required for IPSec ESP (XFRM_ESP).
810
811config CRYPTO_GENIV
812	tristate
813	select CRYPTO_AEAD
814	select CRYPTO_MANAGER
815	select CRYPTO_RNG_DEFAULT
816
817config CRYPTO_SEQIV
818	tristate "Sequence Number IV Generator"
819	select CRYPTO_GENIV
820	help
821	  Sequence Number IV generator
822
823	  This IV generator generates an IV based on a sequence number by
824	  xoring it with a salt.  This algorithm is mainly useful for CTR.
825
826	  This is required for IPsec ESP (XFRM_ESP).
827
828config CRYPTO_ECHAINIV
829	tristate "Encrypted Chain IV Generator"
830	select CRYPTO_GENIV
831	help
832	  Encrypted Chain IV generator
833
834	  This IV generator generates an IV based on the encryption of
835	  a sequence number xored with a salt.  This is the default
836	  algorithm for CBC.
837
838config CRYPTO_ESSIV
839	tristate "Encrypted Salt-Sector IV Generator"
840	select CRYPTO_AUTHENC
841	help
842	  Encrypted Salt-Sector IV generator
843
844	  This IV generator is used in some cases by fscrypt and/or
845	  dm-crypt. It uses the hash of the block encryption key as the
846	  symmetric key for a block encryption pass applied to the input
847	  IV, making low entropy IV sources more suitable for block
848	  encryption.
849
850	  This driver implements a crypto API template that can be
851	  instantiated either as an skcipher or as an AEAD (depending on the
852	  type of the first template argument), and which defers encryption
853	  and decryption requests to the encapsulated cipher after applying
854	  ESSIV to the input IV. Note that in the AEAD case, it is assumed
855	  that the keys are presented in the same format used by the authenc
856	  template, and that the IV appears at the end of the authenticated
857	  associated data (AAD) region (which is how dm-crypt uses it.)
858
859	  Note that the use of ESSIV is not recommended for new deployments,
860	  and so this only needs to be enabled when interoperability with
861	  existing encrypted volumes of filesystems is required, or when
862	  building for a particular system that requires it (e.g., when
863	  the SoC in question has accelerated CBC but not XTS, making CBC
864	  combined with ESSIV the only feasible mode for h/w accelerated
865	  block encryption)
866
867endmenu
868
869menu "Hashes, digests, and MACs"
870
871config CRYPTO_BLAKE2B
872	tristate "BLAKE2b"
873	select CRYPTO_HASH
874	help
875	  BLAKE2b cryptographic hash function (RFC 7693)
876
877	  BLAKE2b is optimized for 64-bit platforms and can produce digests
878	  of any size between 1 and 64 bytes. The keyed hash is also implemented.
879
880	  This module provides the following algorithms:
881	  - blake2b-160
882	  - blake2b-256
883	  - blake2b-384
884	  - blake2b-512
885
886	  Used by the btrfs filesystem.
887
888	  See https://blake2.net for further information.
889
890config CRYPTO_CMAC
891	tristate "CMAC (Cipher-based MAC)"
892	select CRYPTO_HASH
893	select CRYPTO_MANAGER
894	help
895	  CMAC (Cipher-based Message Authentication Code) authentication
896	  mode (NIST SP800-38B and IETF RFC4493)
897
898config CRYPTO_GHASH
899	tristate "GHASH"
900	select CRYPTO_HASH
901	select CRYPTO_LIB_GF128MUL
902	help
903	  GCM GHASH function (NIST SP800-38D)
904
905config CRYPTO_HMAC
906	tristate "HMAC (Keyed-Hash MAC)"
907	select CRYPTO_HASH
908	select CRYPTO_MANAGER
909	help
910	  HMAC (Keyed-Hash Message Authentication Code) (FIPS 198 and
911	  RFC2104)
912
913	  This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
914
915config CRYPTO_MD4
916	tristate "MD4"
917	select CRYPTO_HASH
918	help
919	  MD4 message digest algorithm (RFC1320)
920
921config CRYPTO_MD5
922	tristate "MD5"
923	select CRYPTO_HASH
924	help
925	  MD5 message digest algorithm (RFC1321)
926
927config CRYPTO_MICHAEL_MIC
928	tristate "Michael MIC"
929	select CRYPTO_HASH
930	help
931	  Michael MIC (Message Integrity Code) (IEEE 802.11i)
932
933	  Defined by the IEEE 802.11i TKIP (Temporal Key Integrity Protocol),
934	  known as WPA (Wif-Fi Protected Access).
935
936	  This algorithm is required for TKIP, but it should not be used for
937	  other purposes because of the weakness of the algorithm.
938
939config CRYPTO_POLYVAL
940	tristate
941	select CRYPTO_HASH
942	select CRYPTO_LIB_GF128MUL
943	help
944	  POLYVAL hash function for HCTR2
945
946	  This is used in HCTR2.  It is not a general-purpose
947	  cryptographic hash function.
948
949config CRYPTO_RMD160
950	tristate "RIPEMD-160"
951	select CRYPTO_HASH
952	help
953	  RIPEMD-160 hash function (ISO/IEC 10118-3)
954
955	  RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
956	  to be used as a secure replacement for the 128-bit hash functions
957	  MD4, MD5 and its predecessor RIPEMD
958	  (not to be confused with RIPEMD-128).
959
960	  Its speed is comparable to SHA-1 and there are no known attacks
961	  against RIPEMD-160.
962
963	  Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
964	  See https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
965	  for further information.
966
967config CRYPTO_SHA1
968	tristate "SHA-1"
969	select CRYPTO_HASH
970	select CRYPTO_LIB_SHA1
971	help
972	  SHA-1 secure hash algorithm (FIPS 180, ISO/IEC 10118-3)
973
974config CRYPTO_SHA256
975	tristate "SHA-224 and SHA-256"
976	select CRYPTO_HASH
977	select CRYPTO_LIB_SHA256
978	select CRYPTO_LIB_SHA256_GENERIC
979	help
980	  SHA-224 and SHA-256 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
981
982	  This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
983	  Used by the btrfs filesystem, Ceph, NFS, and SMB.
984
985config CRYPTO_SHA512
986	tristate "SHA-384 and SHA-512"
987	select CRYPTO_HASH
988	help
989	  SHA-384 and SHA-512 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
990
991config CRYPTO_SHA3
992	tristate "SHA-3"
993	select CRYPTO_HASH
994	help
995	  SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3)
996
997config CRYPTO_SM3_GENERIC
998	tristate "SM3 (ShangMi 3)"
999	select CRYPTO_HASH
1000	select CRYPTO_LIB_SM3
1001	help
1002	  SM3 (ShangMi 3) secure hash function (OSCCA GM/T 0004-2012, ISO/IEC 10118-3)
1003
1004	  This is part of the Chinese Commercial Cryptography suite.
1005
1006	  References:
1007	  http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
1008	  https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
1009
1010config CRYPTO_STREEBOG
1011	tristate "Streebog"
1012	select CRYPTO_HASH
1013	help
1014	  Streebog Hash Function (GOST R 34.11-2012, RFC 6986, ISO/IEC 10118-3)
1015
1016	  This is one of the Russian cryptographic standard algorithms (called
1017	  GOST algorithms). This setting enables two hash algorithms with
1018	  256 and 512 bits output.
1019
1020	  References:
1021	  https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
1022	  https://tools.ietf.org/html/rfc6986
1023
1024config CRYPTO_WP512
1025	tristate "Whirlpool"
1026	select CRYPTO_HASH
1027	help
1028	  Whirlpool hash function (ISO/IEC 10118-3)
1029
1030	  512, 384 and 256-bit hashes.
1031
1032	  Whirlpool-512 is part of the NESSIE cryptographic primitives.
1033
1034	  See https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
1035	  for further information.
1036
1037config CRYPTO_XCBC
1038	tristate "XCBC-MAC (Extended Cipher Block Chaining MAC)"
1039	select CRYPTO_HASH
1040	select CRYPTO_MANAGER
1041	help
1042	  XCBC-MAC (Extended Cipher Block Chaining Message Authentication
1043	  Code) (RFC3566)
1044
1045config CRYPTO_XXHASH
1046	tristate "xxHash"
1047	select CRYPTO_HASH
1048	select XXHASH
1049	help
1050	  xxHash non-cryptographic hash algorithm
1051
1052	  Extremely fast, working at speeds close to RAM limits.
1053
1054	  Used by the btrfs filesystem.
1055
1056endmenu
1057
1058menu "CRCs (cyclic redundancy checks)"
1059
1060config CRYPTO_CRC32C
1061	tristate "CRC32c"
1062	select CRYPTO_HASH
1063	select CRC32
1064	help
1065	  CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720)
1066
1067	  A 32-bit CRC (cyclic redundancy check) with a polynomial defined
1068	  by G. Castagnoli, S. Braeuer and M. Herrman in "Optimization of Cyclic
1069	  Redundancy-Check Codes with 24 and 32 Parity Bits", IEEE Transactions
1070	  on Communications, Vol. 41, No. 6, June 1993, selected for use with
1071	  iSCSI.
1072
1073	  Used by btrfs, ext4, jbd2, NVMeoF/TCP, and iSCSI.
1074
1075config CRYPTO_CRC32
1076	tristate "CRC32"
1077	select CRYPTO_HASH
1078	select CRC32
1079	help
1080	  CRC32 CRC algorithm (IEEE 802.3)
1081
1082	  Used by RoCEv2 and f2fs.
1083
1084endmenu
1085
1086menu "Compression"
1087
1088config CRYPTO_DEFLATE
1089	tristate "Deflate"
1090	select CRYPTO_ALGAPI
1091	select CRYPTO_ACOMP2
1092	select ZLIB_INFLATE
1093	select ZLIB_DEFLATE
1094	help
1095	  Deflate compression algorithm (RFC1951)
1096
1097	  Used by IPSec with the IPCOMP protocol (RFC3173, RFC2394)
1098
1099config CRYPTO_LZO
1100	tristate "LZO"
1101	select CRYPTO_ALGAPI
1102	select CRYPTO_ACOMP2
1103	select LZO_COMPRESS
1104	select LZO_DECOMPRESS
1105	help
1106	  LZO compression algorithm
1107
1108	  See https://www.oberhumer.com/opensource/lzo/ for further information.
1109
1110config CRYPTO_842
1111	tristate "842"
1112	select CRYPTO_ALGAPI
1113	select CRYPTO_ACOMP2
1114	select 842_COMPRESS
1115	select 842_DECOMPRESS
1116	help
1117	  842 compression algorithm by IBM
1118
1119	  See https://github.com/plauth/lib842 for further information.
1120
1121config CRYPTO_LZ4
1122	tristate "LZ4"
1123	select CRYPTO_ALGAPI
1124	select CRYPTO_ACOMP2
1125	select LZ4_COMPRESS
1126	select LZ4_DECOMPRESS
1127	help
1128	  LZ4 compression algorithm
1129
1130	  See https://github.com/lz4/lz4 for further information.
1131
1132config CRYPTO_LZ4HC
1133	tristate "LZ4HC"
1134	select CRYPTO_ALGAPI
1135	select CRYPTO_ACOMP2
1136	select LZ4HC_COMPRESS
1137	select LZ4_DECOMPRESS
1138	help
1139	  LZ4 high compression mode algorithm
1140
1141	  See https://github.com/lz4/lz4 for further information.
1142
1143config CRYPTO_ZSTD
1144	tristate "Zstd"
1145	select CRYPTO_ALGAPI
1146	select CRYPTO_ACOMP2
1147	select ZSTD_COMPRESS
1148	select ZSTD_DECOMPRESS
1149	help
1150	  zstd compression algorithm
1151
1152	  See https://github.com/facebook/zstd for further information.
1153
1154endmenu
1155
1156menu "Random number generation"
1157
1158config CRYPTO_ANSI_CPRNG
1159	tristate "ANSI PRNG (Pseudo Random Number Generator)"
1160	select CRYPTO_AES
1161	select CRYPTO_RNG
1162	help
1163	  Pseudo RNG (random number generator) (ANSI X9.31 Appendix A.2.4)
1164
1165	  This uses the AES cipher algorithm.
1166
1167	  Note that this option must be enabled if CRYPTO_FIPS is selected
1168
1169menuconfig CRYPTO_DRBG_MENU
1170	tristate "NIST SP800-90A DRBG (Deterministic Random Bit Generator)"
1171	help
1172	  DRBG (Deterministic Random Bit Generator) (NIST SP800-90A)
1173
1174	  In the following submenu, one or more of the DRBG types must be selected.
1175
1176if CRYPTO_DRBG_MENU
1177
1178config CRYPTO_DRBG_HMAC
1179	bool
1180	default y
1181	select CRYPTO_HMAC
1182	select CRYPTO_SHA512
1183
1184config CRYPTO_DRBG_HASH
1185	bool "Hash_DRBG"
1186	select CRYPTO_SHA256
1187	help
1188	  Hash_DRBG variant as defined in NIST SP800-90A.
1189
1190	  This uses the SHA-1, SHA-256, SHA-384, or SHA-512 hash algorithms.
1191
1192config CRYPTO_DRBG_CTR
1193	bool "CTR_DRBG"
1194	select CRYPTO_AES
1195	select CRYPTO_CTR
1196	help
1197	  CTR_DRBG variant as defined in NIST SP800-90A.
1198
1199	  This uses the AES cipher algorithm with the counter block mode.
1200
1201config CRYPTO_DRBG
1202	tristate
1203	default CRYPTO_DRBG_MENU
1204	select CRYPTO_RNG
1205	select CRYPTO_JITTERENTROPY
1206
1207endif	# if CRYPTO_DRBG_MENU
1208
1209config CRYPTO_JITTERENTROPY
1210	tristate "CPU Jitter Non-Deterministic RNG (Random Number Generator)"
1211	select CRYPTO_RNG
1212	select CRYPTO_SHA3
1213	help
1214	  CPU Jitter RNG (Random Number Generator) from the Jitterentropy library
1215
1216	  A non-physical non-deterministic ("true") RNG (e.g., an entropy source
1217	  compliant with NIST SP800-90B) intended to provide a seed to a
1218	  deterministic RNG (e.g., per NIST SP800-90C).
1219	  This RNG does not perform any cryptographic whitening of the generated
1220	  random numbers.
1221
1222	  See https://www.chronox.de/jent/
1223
1224if CRYPTO_JITTERENTROPY
1225if CRYPTO_FIPS && EXPERT
1226
1227choice
1228	prompt "CPU Jitter RNG Memory Size"
1229	default CRYPTO_JITTERENTROPY_MEMSIZE_2
1230	help
1231	  The Jitter RNG measures the execution time of memory accesses.
1232	  Multiple consecutive memory accesses are performed. If the memory
1233	  size fits into a cache (e.g. L1), only the memory access timing
1234	  to that cache is measured. The closer the cache is to the CPU
1235	  the less variations are measured and thus the less entropy is
1236	  obtained. Thus, if the memory size fits into the L1 cache, the
1237	  obtained entropy is less than if the memory size fits within
1238	  L1 + L2, which in turn is less if the memory fits into
1239	  L1 + L2 + L3. Thus, by selecting a different memory size,
1240	  the entropy rate produced by the Jitter RNG can be modified.
1241
1242	config CRYPTO_JITTERENTROPY_MEMSIZE_2
1243		bool "2048 Bytes (default)"
1244
1245	config CRYPTO_JITTERENTROPY_MEMSIZE_128
1246		bool "128 kBytes"
1247
1248	config CRYPTO_JITTERENTROPY_MEMSIZE_1024
1249		bool "1024 kBytes"
1250
1251	config CRYPTO_JITTERENTROPY_MEMSIZE_8192
1252		bool "8192 kBytes"
1253endchoice
1254
1255config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
1256	int
1257	default 64 if CRYPTO_JITTERENTROPY_MEMSIZE_2
1258	default 512 if CRYPTO_JITTERENTROPY_MEMSIZE_128
1259	default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
1260	default 4096 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
1261
1262config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
1263	int
1264	default 32 if CRYPTO_JITTERENTROPY_MEMSIZE_2
1265	default 256 if CRYPTO_JITTERENTROPY_MEMSIZE_128
1266	default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024
1267	default 2048 if CRYPTO_JITTERENTROPY_MEMSIZE_8192
1268
1269config CRYPTO_JITTERENTROPY_OSR
1270	int "CPU Jitter RNG Oversampling Rate"
1271	range 1 15
1272	default 3
1273	help
1274	  The Jitter RNG allows the specification of an oversampling rate (OSR).
1275	  The Jitter RNG operation requires a fixed amount of timing
1276	  measurements to produce one output block of random numbers. The
1277	  OSR value is multiplied with the amount of timing measurements to
1278	  generate one output block. Thus, the timing measurement is oversampled
1279	  by the OSR factor. The oversampling allows the Jitter RNG to operate
1280	  on hardware whose timers deliver limited amount of entropy (e.g.
1281	  the timer is coarse) by setting the OSR to a higher value. The
1282	  trade-off, however, is that the Jitter RNG now requires more time
1283	  to generate random numbers.
1284
1285config CRYPTO_JITTERENTROPY_TESTINTERFACE
1286	bool "CPU Jitter RNG Test Interface"
1287	help
1288	  The test interface allows a privileged process to capture
1289	  the raw unconditioned high resolution time stamp noise that
1290	  is collected by the Jitter RNG for statistical analysis. As
1291	  this data is used at the same time to generate random bits,
1292	  the Jitter RNG operates in an insecure mode as long as the
1293	  recording is enabled. This interface therefore is only
1294	  intended for testing purposes and is not suitable for
1295	  production systems.
1296
1297	  The raw noise data can be obtained using the jent_raw_hires
1298	  debugfs file. Using the option
1299	  jitterentropy_testing.boot_raw_hires_test=1 the raw noise of
1300	  the first 1000 entropy events since boot can be sampled.
1301
1302	  If unsure, select N.
1303
1304endif	# if CRYPTO_FIPS && EXPERT
1305
1306if !(CRYPTO_FIPS && EXPERT)
1307
1308config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
1309	int
1310	default 64
1311
1312config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
1313	int
1314	default 32
1315
1316config CRYPTO_JITTERENTROPY_OSR
1317	int
1318	default 1
1319
1320config CRYPTO_JITTERENTROPY_TESTINTERFACE
1321	bool
1322
1323endif	# if !(CRYPTO_FIPS && EXPERT)
1324endif	# if CRYPTO_JITTERENTROPY
1325
1326config CRYPTO_KDF800108_CTR
1327	tristate
1328	select CRYPTO_HMAC
1329	select CRYPTO_SHA256
1330
1331endmenu
1332menu "Userspace interface"
1333
1334config CRYPTO_USER_API
1335	tristate
1336
1337config CRYPTO_USER_API_HASH
1338	tristate "Hash algorithms"
1339	depends on NET
1340	select CRYPTO_HASH
1341	select CRYPTO_USER_API
1342	help
1343	  Enable the userspace interface for hash algorithms.
1344
1345	  See Documentation/crypto/userspace-if.rst and
1346	  https://www.chronox.de/libkcapi/html/index.html
1347
1348config CRYPTO_USER_API_SKCIPHER
1349	tristate "Symmetric key cipher algorithms"
1350	depends on NET
1351	select CRYPTO_SKCIPHER
1352	select CRYPTO_USER_API
1353	help
1354	  Enable the userspace interface for symmetric key cipher algorithms.
1355
1356	  See Documentation/crypto/userspace-if.rst and
1357	  https://www.chronox.de/libkcapi/html/index.html
1358
1359config CRYPTO_USER_API_RNG
1360	tristate "RNG (random number generator) algorithms"
1361	depends on NET
1362	select CRYPTO_RNG
1363	select CRYPTO_USER_API
1364	help
1365	  Enable the userspace interface for RNG (random number generator)
1366	  algorithms.
1367
1368	  See Documentation/crypto/userspace-if.rst and
1369	  https://www.chronox.de/libkcapi/html/index.html
1370
1371config CRYPTO_USER_API_RNG_CAVP
1372	bool "Enable CAVP testing of DRBG"
1373	depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
1374	help
1375	  Enable extra APIs in the userspace interface for NIST CAVP
1376	  (Cryptographic Algorithm Validation Program) testing:
1377	  - resetting DRBG entropy
1378	  - providing Additional Data
1379
1380	  This should only be enabled for CAVP testing. You should say
1381	  no unless you know what this is.
1382
1383config CRYPTO_USER_API_AEAD
1384	tristate "AEAD cipher algorithms"
1385	depends on NET
1386	select CRYPTO_AEAD
1387	select CRYPTO_SKCIPHER
1388	select CRYPTO_USER_API
1389	help
1390	  Enable the userspace interface for AEAD cipher algorithms.
1391
1392	  See Documentation/crypto/userspace-if.rst and
1393	  https://www.chronox.de/libkcapi/html/index.html
1394
1395config CRYPTO_USER_API_ENABLE_OBSOLETE
1396	bool "Obsolete cryptographic algorithms"
1397	depends on CRYPTO_USER_API
1398	default y
1399	help
1400	  Allow obsolete cryptographic algorithms to be selected that have
1401	  already been phased out from internal use by the kernel, and are
1402	  only useful for userspace clients that still rely on them.
1403
1404endmenu
1405
1406config CRYPTO_HASH_INFO
1407	bool
1408
1409if !KMSAN # avoid false positives from assembly
1410if ARM
1411source "arch/arm/crypto/Kconfig"
1412endif
1413if ARM64
1414source "arch/arm64/crypto/Kconfig"
1415endif
1416if LOONGARCH
1417source "arch/loongarch/crypto/Kconfig"
1418endif
1419if MIPS
1420source "arch/mips/crypto/Kconfig"
1421endif
1422if PPC
1423source "arch/powerpc/crypto/Kconfig"
1424endif
1425if RISCV
1426source "arch/riscv/crypto/Kconfig"
1427endif
1428if S390
1429source "arch/s390/crypto/Kconfig"
1430endif
1431if SPARC
1432source "arch/sparc/crypto/Kconfig"
1433endif
1434if X86
1435source "arch/x86/crypto/Kconfig"
1436endif
1437endif
1438
1439source "drivers/crypto/Kconfig"
1440source "crypto/asymmetric_keys/Kconfig"
1441source "certs/Kconfig"
1442source "crypto/krb5/Kconfig"
1443
1444endif	# if CRYPTO
1445