| # SPDX-License-Identifier: GPL-2.0 |
| # |
| # Generic algorithms support |
| # |
| config XOR_BLOCKS |
| tristate |
| |
| # |
| # async_tx api: hardware offloaded memory transfer/transform support |
| # |
| source "crypto/async_tx/Kconfig" |
| |
| # |
| # Cryptographic API Configuration |
| # |
| menuconfig CRYPTO |
| tristate "Cryptographic API" |
| select CRYPTO_LIB_UTILS |
| help |
| This option provides the core Cryptographic API. |
| |
| if CRYPTO |
| |
| menu "Crypto core or helper" |
| |
| config CRYPTO_FIPS |
| bool "FIPS 200 compliance" |
| depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS |
| depends on (MODULE_SIG || !MODULES) |
| help |
| This option enables the fips boot option which is |
| required if you want the system to operate in a FIPS 200 |
| certification. You should say no unless you know what |
| this is. |
| |
| config CRYPTO_FIPS_NAME |
| string "FIPS Module Name" |
| default "Linux Kernel Cryptographic API" |
| depends on CRYPTO_FIPS |
| help |
| This option sets the FIPS Module name reported by the Crypto API via |
| the /proc/sys/crypto/fips_name file. |
| |
| config CRYPTO_FIPS_CUSTOM_VERSION |
| bool "Use Custom FIPS Module Version" |
| depends on CRYPTO_FIPS |
| default n |
| |
| config CRYPTO_FIPS_VERSION |
| string "FIPS Module Version" |
| default "(none)" |
| depends on CRYPTO_FIPS_CUSTOM_VERSION |
| help |
| This option provides the ability to override the FIPS Module Version. |
| By default the KERNELRELEASE value is used. |
| |
| config CRYPTO_ALGAPI |
| tristate |
| select CRYPTO_ALGAPI2 |
| help |
| This option provides the API for cryptographic algorithms. |
| |
| config CRYPTO_ALGAPI2 |
| tristate |
| |
| config CRYPTO_AEAD |
| tristate |
| select CRYPTO_AEAD2 |
| select CRYPTO_ALGAPI |
| |
| config CRYPTO_AEAD2 |
| tristate |
| select CRYPTO_ALGAPI2 |
| |
| config CRYPTO_SIG |
| tristate |
| select CRYPTO_SIG2 |
| select CRYPTO_ALGAPI |
| |
| config CRYPTO_SIG2 |
| tristate |
| select CRYPTO_ALGAPI2 |
| |
| config CRYPTO_SKCIPHER |
| tristate |
| select CRYPTO_SKCIPHER2 |
| select CRYPTO_ALGAPI |
| select CRYPTO_ECB |
| |
| config CRYPTO_SKCIPHER2 |
| tristate |
| select CRYPTO_ALGAPI2 |
| |
| config CRYPTO_HASH |
| tristate |
| select CRYPTO_HASH2 |
| select CRYPTO_ALGAPI |
| |
| config CRYPTO_HASH2 |
| tristate |
| select CRYPTO_ALGAPI2 |
| |
| config CRYPTO_RNG |
| tristate |
| select CRYPTO_RNG2 |
| select CRYPTO_ALGAPI |
| |
| config CRYPTO_RNG2 |
| tristate |
| select CRYPTO_ALGAPI2 |
| |
| config CRYPTO_RNG_DEFAULT |
| tristate |
| select CRYPTO_DRBG_MENU |
| |
| config CRYPTO_AKCIPHER2 |
| tristate |
| select CRYPTO_ALGAPI2 |
| |
| config CRYPTO_AKCIPHER |
| tristate |
| select CRYPTO_AKCIPHER2 |
| select CRYPTO_ALGAPI |
| |
| config CRYPTO_KPP2 |
| tristate |
| select CRYPTO_ALGAPI2 |
| |
| config CRYPTO_KPP |
| tristate |
| select CRYPTO_ALGAPI |
| select CRYPTO_KPP2 |
| |
| config CRYPTO_ACOMP2 |
| tristate |
| select CRYPTO_ALGAPI2 |
| select SGL_ALLOC |
| |
| config CRYPTO_ACOMP |
| tristate |
| select CRYPTO_ALGAPI |
| select CRYPTO_ACOMP2 |
| |
| config CRYPTO_MANAGER |
| tristate "Cryptographic algorithm manager" |
| select CRYPTO_MANAGER2 |
| help |
| Create default cryptographic template instantiations such as |
| cbc(aes). |
| |
| config CRYPTO_MANAGER2 |
| def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y) |
| select CRYPTO_ACOMP2 |
| select CRYPTO_AEAD2 |
| select CRYPTO_AKCIPHER2 |
| select CRYPTO_SIG2 |
| select CRYPTO_HASH2 |
| select CRYPTO_KPP2 |
| select CRYPTO_RNG2 |
| select CRYPTO_SKCIPHER2 |
| |
| config CRYPTO_USER |
| tristate "Userspace cryptographic algorithm configuration" |
| depends on NET |
| select CRYPTO_MANAGER |
| help |
| Userspace configuration for cryptographic instantiations such as |
| cbc(aes). |
| |
| config CRYPTO_MANAGER_DISABLE_TESTS |
| bool "Disable run-time self tests" |
| default y |
| help |
| Disable run-time self tests that normally take place at |
| algorithm registration. |
| |
| config CRYPTO_MANAGER_EXTRA_TESTS |
| bool "Enable extra run-time crypto self tests" |
| depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER |
| help |
| Enable extra run-time self tests of registered crypto algorithms, |
| including randomized fuzz tests. |
| |
| This is intended for developer use only, as these tests take much |
| longer to run than the normal self tests. |
| |
| config CRYPTO_NULL |
| tristate "Null algorithms" |
| select CRYPTO_NULL2 |
| help |
| These are 'Null' algorithms, used by IPsec, which do nothing. |
| |
| config CRYPTO_NULL2 |
| tristate |
| select CRYPTO_ALGAPI2 |
| select CRYPTO_SKCIPHER2 |
| select CRYPTO_HASH2 |
| |
| config CRYPTO_PCRYPT |
| tristate "Parallel crypto engine" |
| depends on SMP |
| select PADATA |
| select CRYPTO_MANAGER |
| select CRYPTO_AEAD |
| help |
| This converts an arbitrary crypto algorithm into a parallel |
| algorithm that executes in kernel threads. |
| |
| config CRYPTO_CRYPTD |
| tristate "Software async crypto daemon" |
| select CRYPTO_SKCIPHER |
| select CRYPTO_HASH |
| select CRYPTO_MANAGER |
| help |
| This is a generic software asynchronous crypto daemon that |
| converts an arbitrary synchronous software crypto algorithm |
| into an asynchronous algorithm that executes in a kernel thread. |
| |
| config CRYPTO_AUTHENC |
| tristate "Authenc support" |
| select CRYPTO_AEAD |
| select CRYPTO_SKCIPHER |
| select CRYPTO_MANAGER |
| select CRYPTO_HASH |
| select CRYPTO_NULL |
| help |
| Authenc: Combined mode wrapper for IPsec. |
| |
| This is required for IPSec ESP (XFRM_ESP). |
| |
| config CRYPTO_TEST |
| tristate "Testing module" |
| depends on m || EXPERT |
| select CRYPTO_MANAGER |
| help |
| Quick & dirty crypto test module. |
| |
| config CRYPTO_SIMD |
| tristate |
| select CRYPTO_CRYPTD |
| |
| config CRYPTO_ENGINE |
| tristate |
| |
| endmenu |
| |
| menu "Public-key cryptography" |
| |
| config CRYPTO_RSA |
| tristate "RSA (Rivest-Shamir-Adleman)" |
| select CRYPTO_AKCIPHER |
| select CRYPTO_MANAGER |
| select MPILIB |
| select ASN1 |
| help |
| RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017) |
| |
| config CRYPTO_DH |
| tristate "DH (Diffie-Hellman)" |
| select CRYPTO_KPP |
| select MPILIB |
| help |
| DH (Diffie-Hellman) key exchange algorithm |
| |
| config CRYPTO_DH_RFC7919_GROUPS |
| bool "RFC 7919 FFDHE groups" |
| depends on CRYPTO_DH |
| select CRYPTO_RNG_DEFAULT |
| help |
| FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups |
| defined in RFC7919. |
| |
| Support these finite-field groups in DH key exchanges: |
| - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 |
| |
| If unsure, say N. |
| |
| config CRYPTO_ECC |
| tristate |
| select CRYPTO_RNG_DEFAULT |
| |
| config CRYPTO_ECDH |
| tristate "ECDH (Elliptic Curve Diffie-Hellman)" |
| select CRYPTO_ECC |
| select CRYPTO_KPP |
| help |
| ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm |
| using curves P-192, P-256, and P-384 (FIPS 186) |
| |
| config CRYPTO_ECDSA |
| tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)" |
| select CRYPTO_ECC |
| select CRYPTO_AKCIPHER |
| select ASN1 |
| help |
| ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186, |
| ISO/IEC 14888-3) |
| using curves P-192, P-256, and P-384 |
| |
| Only signature verification is implemented. |
| |
| config CRYPTO_ECRDSA |
| tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)" |
| select CRYPTO_ECC |
| select CRYPTO_AKCIPHER |
| select CRYPTO_STREEBOG |
| select OID_REGISTRY |
| select ASN1 |
| help |
| Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012, |
| RFC 7091, ISO/IEC 14888-3) |
| |
| One of the Russian cryptographic standard algorithms (called GOST |
| algorithms). Only signature verification is implemented. |
| |
| config CRYPTO_SM2 |
| tristate "SM2 (ShangMi 2)" |
| select CRYPTO_SM3 |
| select CRYPTO_AKCIPHER |
| select CRYPTO_MANAGER |
| select MPILIB |
| select ASN1 |
| help |
| SM2 (ShangMi 2) public key algorithm |
| |
| Published by State Encryption Management Bureau, China, |
| as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012. |
| |
| References: |
| https://datatracker.ietf.org/doc/draft-shen-sm2-ecdsa/ |
| http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml |
| http://www.gmbz.org.cn/main/bzlb.html |
| |
| config CRYPTO_CURVE25519 |
| tristate "Curve25519" |
| select CRYPTO_KPP |
| select CRYPTO_LIB_CURVE25519_GENERIC |
| help |
| Curve25519 elliptic curve (RFC7748) |
| |
| endmenu |
| |
| menu "Block ciphers" |
| |
| config CRYPTO_AES |
| tristate "AES (Advanced Encryption Standard)" |
| select CRYPTO_ALGAPI |
| select CRYPTO_LIB_AES |
| help |
| AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3) |
| |
| Rijndael appears to be consistently a very good performer in |
| both hardware and software across a wide range of computing |
| environments regardless of its use in feedback or non-feedback |
| modes. Its key setup time is excellent, and its key agility is |
| good. Rijndael's very low memory requirements make it very well |
| suited for restricted-space environments, in which it also |
| demonstrates excellent performance. Rijndael's operations are |
| among the easiest to defend against power and timing attacks. |
| |
| The AES specifies three key sizes: 128, 192 and 256 bits |
| |
| config CRYPTO_AES_TI |
| tristate "AES (Advanced Encryption Standard) (fixed time)" |
| select CRYPTO_ALGAPI |
| select CRYPTO_LIB_AES |
| help |
| AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3) |
| |
| This is a generic implementation of AES that attempts to eliminate |
| data dependent latencies as much as possible without affecting |
| performance too much. It is intended for use by the generic CCM |
| and GCM drivers, and other CTR or CMAC/XCBC based modes that rely |
| solely on encryption (although decryption is supported as well, but |
| with a more dramatic performance hit) |
| |
| Instead of using 16 lookup tables of 1 KB each, (8 for encryption and |
| 8 for decryption), this implementation only uses just two S-boxes of |
| 256 bytes each, and attempts to eliminate data dependent latencies by |
| prefetching the entire table into the cache at the start of each |
| block. Interrupts are also disabled to avoid races where cachelines |
| are evicted when the CPU is interrupted to do something else. |
| |
| config CRYPTO_ANUBIS |
| tristate "Anubis" |
| depends on CRYPTO_USER_API_ENABLE_OBSOLETE |
| select CRYPTO_ALGAPI |
| help |
| Anubis cipher algorithm |
| |
| Anubis is a variable key length cipher which can use keys from |
| 128 bits to 320 bits in length. It was evaluated as a entrant |
| in the NESSIE competition. |
| |
| See https://web.archive.org/web/20160606112246/http://www.larc.usp.br/~pbarreto/AnubisPage.html |
| for further information. |
| |
| config CRYPTO_ARIA |
| tristate "ARIA" |
| select CRYPTO_ALGAPI |
| help |
| ARIA cipher algorithm (RFC5794) |
| |
| ARIA is a standard encryption algorithm of the Republic of Korea. |
| The ARIA specifies three key sizes and rounds. |
| 128-bit: 12 rounds. |
| 192-bit: 14 rounds. |
| 256-bit: 16 rounds. |
| |
| See: |
| https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do |
| |
| config CRYPTO_BLOWFISH |
| tristate "Blowfish" |
| select CRYPTO_ALGAPI |
| select CRYPTO_BLOWFISH_COMMON |
| help |
| Blowfish cipher algorithm, by Bruce Schneier |
| |
| This is a variable key length cipher which can use keys from 32 |
| bits to 448 bits in length. It's fast, simple and specifically |
| designed for use on "large microprocessors". |
| |
| See https://www.schneier.com/blowfish.html for further information. |
| |
| config CRYPTO_BLOWFISH_COMMON |
| tristate |
| help |
| Common parts of the Blowfish cipher algorithm shared by the |
| generic c and the assembler implementations. |
| |
| config CRYPTO_CAMELLIA |
| tristate "Camellia" |
| select CRYPTO_ALGAPI |
| help |
| Camellia cipher algorithms (ISO/IEC 18033-3) |
| |
| Camellia is a symmetric key block cipher developed jointly |
| at NTT and Mitsubishi Electric Corporation. |
| |
| The Camellia specifies three key sizes: 128, 192 and 256 bits. |
| |
| See https://info.isl.ntt.co.jp/crypt/eng/camellia/ for further information. |
| |
| config CRYPTO_CAST_COMMON |
| tristate |
| help |
| Common parts of the CAST cipher algorithms shared by the |
| generic c and the assembler implementations. |
| |
| config CRYPTO_CAST5 |
| tristate "CAST5 (CAST-128)" |
| select CRYPTO_ALGAPI |
| select CRYPTO_CAST_COMMON |
| help |
| CAST5 (CAST-128) cipher algorithm (RFC2144, ISO/IEC 18033-3) |
| |
| config CRYPTO_CAST6 |
| tristate "CAST6 (CAST-256)" |
| select CRYPTO_ALGAPI |
| select CRYPTO_CAST_COMMON |
| help |
| CAST6 (CAST-256) encryption algorithm (RFC2612) |
| |
| config CRYPTO_DES |
| tristate "DES and Triple DES EDE" |
| select CRYPTO_ALGAPI |
| select CRYPTO_LIB_DES |
| help |
| DES (Data Encryption Standard)(FIPS 46-2, ISO/IEC 18033-3) and |
| Triple DES EDE (Encrypt/Decrypt/Encrypt) (FIPS 46-3, ISO/IEC 18033-3) |
| cipher algorithms |
| |
| config CRYPTO_FCRYPT |
| tristate "FCrypt" |
| select CRYPTO_ALGAPI |
| select CRYPTO_SKCIPHER |
| help |
| FCrypt algorithm used by RxRPC |
| |
| See https://ota.polyonymo.us/fcrypt-paper.txt |
| |
| config CRYPTO_KHAZAD |
| tristate "Khazad" |
| depends on CRYPTO_USER_API_ENABLE_OBSOLETE |
| select CRYPTO_ALGAPI |
| help |
| Khazad cipher algorithm |
| |
| Khazad was a finalist in the initial NESSIE competition. It is |
| an algorithm optimized for 64-bit processors with good performance |
| on 32-bit processors. Khazad uses an 128 bit key size. |
| |
| See https://web.archive.org/web/20171011071731/http://www.larc.usp.br/~pbarreto/KhazadPage.html |
| for further information. |
| |
| config CRYPTO_SEED |
| tristate "SEED" |
| depends on CRYPTO_USER_API_ENABLE_OBSOLETE |
| select CRYPTO_ALGAPI |
| help |
| SEED cipher algorithm (RFC4269, ISO/IEC 18033-3) |
| |
| SEED is a 128-bit symmetric key block cipher that has been |
| developed by KISA (Korea Information Security Agency) as a |
| national standard encryption algorithm of the Republic of Korea. |
| It is a 16 round block cipher with the key size of 128 bit. |
| |
| See https://seed.kisa.or.kr/kisa/algorithm/EgovSeedInfo.do |
| for further information. |
| |
| config CRYPTO_SERPENT |
| tristate "Serpent" |
| select CRYPTO_ALGAPI |
| help |
| Serpent cipher algorithm, by Anderson, Biham & Knudsen |
| |
| Keys are allowed to be from 0 to 256 bits in length, in steps |
| of 8 bits. |
| |
| See https://www.cl.cam.ac.uk/~rja14/serpent.html for further information. |
| |
| config CRYPTO_SM4 |
| tristate |
| |
| config CRYPTO_SM4_GENERIC |
| tristate "SM4 (ShangMi 4)" |
| select CRYPTO_ALGAPI |
| select CRYPTO_SM4 |
| help |
| SM4 cipher algorithms (OSCCA GB/T 32907-2016, |
| ISO/IEC 18033-3:2010/Amd 1:2021) |
| |
| SM4 (GBT.32907-2016) is a cryptographic standard issued by the |
| Organization of State Commercial Administration of China (OSCCA) |
| as an authorized cryptographic algorithms for the use within China. |
| |
| SMS4 was originally created for use in protecting wireless |
| networks, and is mandated in the Chinese National Standard for |
| Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure) |
| (GB.15629.11-2003). |
| |
| The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and |
| standardized through TC 260 of the Standardization Administration |
| of the People's Republic of China (SAC). |
| |
| The input, output, and key of SMS4 are each 128 bits. |
| |
| See https://eprint.iacr.org/2008/329.pdf for further information. |
| |
| If unsure, say N. |
| |
| config CRYPTO_TEA |
| tristate "TEA, XTEA and XETA" |
| depends on CRYPTO_USER_API_ENABLE_OBSOLETE |
| select CRYPTO_ALGAPI |
| help |
| TEA (Tiny Encryption Algorithm) cipher algorithms |
| |
| Tiny Encryption Algorithm is a simple cipher that uses |
| many rounds for security. It is very fast and uses |
| little memory. |
| |
| Xtendend Tiny Encryption Algorithm is a modification to |
| the TEA algorithm to address a potential key weakness |
| in the TEA algorithm. |
| |
| Xtendend Encryption Tiny Algorithm is a mis-implementation |
| of the XTEA algorithm for compatibility purposes. |
| |
| config CRYPTO_TWOFISH |
| tristate "Twofish" |
| select CRYPTO_ALGAPI |
| select CRYPTO_TWOFISH_COMMON |
| help |
| Twofish cipher algorithm |
| |
| Twofish was submitted as an AES (Advanced Encryption Standard) |
| candidate cipher by researchers at CounterPane Systems. It is a |
| 16 round block cipher supporting key sizes of 128, 192, and 256 |
| bits. |
| |
| See https://www.schneier.com/twofish.html for further information. |
| |
| config CRYPTO_TWOFISH_COMMON |
| tristate |
| help |
| Common parts of the Twofish cipher algorithm shared by the |
| generic c and the assembler implementations. |
| |
| endmenu |
| |
| menu "Length-preserving ciphers and modes" |
| |
| config CRYPTO_ADIANTUM |
| tristate "Adiantum" |
| select CRYPTO_CHACHA20 |
| select CRYPTO_LIB_POLY1305_GENERIC |
| select CRYPTO_NHPOLY1305 |
| select CRYPTO_MANAGER |
| help |
| Adiantum tweakable, length-preserving encryption mode |
| |
| Designed for fast and secure disk encryption, especially on |
| CPUs without dedicated crypto instructions. It encrypts |
| each sector using the XChaCha12 stream cipher, two passes of |
| an ε-almost-∆-universal hash function, and an invocation of |
| the AES-256 block cipher on a single 16-byte block. On CPUs |
| without AES instructions, Adiantum is much faster than |
| AES-XTS. |
| |
| Adiantum's security is provably reducible to that of its |
| underlying stream and block ciphers, subject to a security |
| bound. Unlike XTS, Adiantum is a true wide-block encryption |
| mode, so it actually provides an even stronger notion of |
| security than XTS, subject to the security bound. |
| |
| If unsure, say N. |
| |
| config CRYPTO_ARC4 |
| tristate "ARC4 (Alleged Rivest Cipher 4)" |
| depends on CRYPTO_USER_API_ENABLE_OBSOLETE |
| select CRYPTO_SKCIPHER |
| select CRYPTO_LIB_ARC4 |
| help |
| ARC4 cipher algorithm |
| |
| ARC4 is a stream cipher using keys ranging from 8 bits to 2048 |
| bits in length. This algorithm is required for driver-based |
| WEP, but it should not be for other purposes because of the |
| weakness of the algorithm. |
| |
| config CRYPTO_CHACHA20 |
| tristate "ChaCha" |
| select CRYPTO_LIB_CHACHA_GENERIC |
| select CRYPTO_SKCIPHER |
| help |
| The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms |
| |
| ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J. |
| Bernstein and further specified in RFC7539 for use in IETF protocols. |
| This is the portable C implementation of ChaCha20. See |
| https://cr.yp.to/chacha/chacha-20080128.pdf for further information. |
| |
| XChaCha20 is the application of the XSalsa20 construction to ChaCha20 |
| rather than to Salsa20. XChaCha20 extends ChaCha20's nonce length |
| from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits, |
| while provably retaining ChaCha20's security. See |
| https://cr.yp.to/snuffle/xsalsa-20081128.pdf for further information. |
| |
| XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly |
| reduced security margin but increased performance. It can be needed |
| in some performance-sensitive scenarios. |
| |
| config CRYPTO_CBC |
| tristate "CBC (Cipher Block Chaining)" |
| select CRYPTO_SKCIPHER |
| select CRYPTO_MANAGER |
| help |
| CBC (Cipher Block Chaining) mode (NIST SP800-38A) |
| |
| This block cipher mode is required for IPSec ESP (XFRM_ESP). |
| |
| config CRYPTO_CFB |
| tristate "CFB (Cipher Feedback)" |
| select CRYPTO_SKCIPHER |
| select CRYPTO_MANAGER |
| help |
| CFB (Cipher Feedback) mode (NIST SP800-38A) |
| |
| This block cipher mode is required for TPM2 Cryptography. |
| |
| config CRYPTO_CTR |
| tristate "CTR (Counter)" |
| select CRYPTO_SKCIPHER |
| select CRYPTO_MANAGER |
| help |
| CTR (Counter) mode (NIST SP800-38A) |
| |
| config CRYPTO_CTS |
| tristate "CTS (Cipher Text Stealing)" |
| select CRYPTO_SKCIPHER |
| select CRYPTO_MANAGER |
| help |
| CBC-CS3 variant of CTS (Cipher Text Stealing) (NIST |
| Addendum to SP800-38A (October 2010)) |
| |
| This mode is required for Kerberos gss mechanism support |
| for AES encryption. |
| |
| config CRYPTO_ECB |
| tristate "ECB (Electronic Codebook)" |
| select CRYPTO_SKCIPHER2 |
| select CRYPTO_MANAGER |
| help |
| ECB (Electronic Codebook) mode (NIST SP800-38A) |
| |
| config CRYPTO_HCTR2 |
| tristate "HCTR2" |
| select CRYPTO_XCTR |
| select CRYPTO_POLYVAL |
| select CRYPTO_MANAGER |
| help |
| HCTR2 length-preserving encryption mode |
| |
| A mode for storage encryption that is efficient on processors with |
| instructions to accelerate AES and carryless multiplication, e.g. |
| x86 processors with AES-NI and CLMUL, and ARM processors with the |
| ARMv8 crypto extensions. |
| |
| See https://eprint.iacr.org/2021/1441 |
| |
| config CRYPTO_KEYWRAP |
| tristate "KW (AES Key Wrap)" |
| select CRYPTO_SKCIPHER |
| select CRYPTO_MANAGER |
| help |
| KW (AES Key Wrap) authenticated encryption mode (NIST SP800-38F |
| and RFC3394) without padding. |
| |
| config CRYPTO_LRW |
| tristate "LRW (Liskov Rivest Wagner)" |
| select CRYPTO_LIB_GF128MUL |
| select CRYPTO_SKCIPHER |
| select CRYPTO_MANAGER |
| select CRYPTO_ECB |
| help |
| LRW (Liskov Rivest Wagner) mode |
| |
| A tweakable, non malleable, non movable |
| narrow block cipher mode for dm-crypt. Use it with cipher |
| specification string aes-lrw-benbi, the key must be 256, 320 or 384. |
| The first 128, 192 or 256 bits in the key are used for AES and the |
| rest is used to tie each cipher block to its logical position. |
| |
| See https://people.csail.mit.edu/rivest/pubs/LRW02.pdf |
| |
| config CRYPTO_OFB |
| tristate "OFB (Output Feedback)" |
| select CRYPTO_SKCIPHER |
| select CRYPTO_MANAGER |
| help |
| OFB (Output Feedback) mode (NIST SP800-38A) |
| |
| This mode makes a block cipher into a synchronous |
| stream cipher. It generates keystream blocks, which are then XORed |
| with the plaintext blocks to get the ciphertext. Flipping a bit in the |
| ciphertext produces a flipped bit in the plaintext at the same |
| location. This property allows many error correcting codes to function |
| normally even when applied before encryption. |
| |
| config CRYPTO_PCBC |
| tristate "PCBC (Propagating Cipher Block Chaining)" |
| select CRYPTO_SKCIPHER |
| select CRYPTO_MANAGER |
| help |
| PCBC (Propagating Cipher Block Chaining) mode |
| |
| This block cipher mode is required for RxRPC. |
| |
| config CRYPTO_XCTR |
| tristate |
| select CRYPTO_SKCIPHER |
| select CRYPTO_MANAGER |
| help |
| XCTR (XOR Counter) mode for HCTR2 |
| |
| This blockcipher mode is a variant of CTR mode using XORs and little-endian |
| addition rather than big-endian arithmetic. |
| |
| XCTR mode is used to implement HCTR2. |
| |
| config CRYPTO_XTS |
| tristate "XTS (XOR Encrypt XOR with ciphertext stealing)" |
| select CRYPTO_SKCIPHER |
| select CRYPTO_MANAGER |
| select CRYPTO_ECB |
| help |
| XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E |
| and IEEE 1619) |
| |
| Use with aes-xts-plain, key size 256, 384 or 512 bits. This |
| implementation currently can't handle a sectorsize which is not a |
| multiple of 16 bytes. |
| |
| config CRYPTO_NHPOLY1305 |
| tristate |
| select CRYPTO_HASH |
| select CRYPTO_LIB_POLY1305_GENERIC |
| |
| endmenu |
| |
| menu "AEAD (authenticated encryption with associated data) ciphers" |
| |
| config CRYPTO_AEGIS128 |
| tristate "AEGIS-128" |
| select CRYPTO_AEAD |
| select CRYPTO_AES # for AES S-box tables |
| help |
| AEGIS-128 AEAD algorithm |
| |
| config CRYPTO_AEGIS128_SIMD |
| bool "AEGIS-128 (arm NEON, arm64 NEON)" |
| depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON) |
| default y |
| help |
| AEGIS-128 AEAD algorithm |
| |
| Architecture: arm or arm64 using: |
| - NEON (Advanced SIMD) extension |
| |
| config CRYPTO_CHACHA20POLY1305 |
| tristate "ChaCha20-Poly1305" |
| select CRYPTO_CHACHA20 |
| select CRYPTO_POLY1305 |
| select CRYPTO_AEAD |
| select CRYPTO_MANAGER |
| help |
| ChaCha20 stream cipher and Poly1305 authenticator combined |
| mode (RFC8439) |
| |
| config CRYPTO_CCM |
| tristate "CCM (Counter with Cipher Block Chaining-MAC)" |
| select CRYPTO_CTR |
| select CRYPTO_HASH |
| select CRYPTO_AEAD |
| select CRYPTO_MANAGER |
| help |
| CCM (Counter with Cipher Block Chaining-Message Authentication Code) |
| authenticated encryption mode (NIST SP800-38C) |
| |
| config CRYPTO_GCM |
| tristate "GCM (Galois/Counter Mode) and GMAC (GCM MAC)" |
| select CRYPTO_CTR |
| select CRYPTO_AEAD |
| select CRYPTO_GHASH |
| select CRYPTO_NULL |
| select CRYPTO_MANAGER |
| help |
| GCM (Galois/Counter Mode) authenticated encryption mode and GMAC |
| (GCM Message Authentication Code) (NIST SP800-38D) |
| |
| This is required for IPSec ESP (XFRM_ESP). |
| |
| config CRYPTO_GENIV |
| tristate |
| select CRYPTO_AEAD |
| select CRYPTO_NULL |
| select CRYPTO_MANAGER |
| select CRYPTO_RNG_DEFAULT |
| |
| config CRYPTO_SEQIV |
| tristate "Sequence Number IV Generator" |
| select CRYPTO_GENIV |
| help |
| Sequence Number IV generator |
| |
| This IV generator generates an IV based on a sequence number by |
| xoring it with a salt. This algorithm is mainly useful for CTR. |
| |
| This is required for IPsec ESP (XFRM_ESP). |
| |
| config CRYPTO_ECHAINIV |
| tristate "Encrypted Chain IV Generator" |
| select CRYPTO_GENIV |
| help |
| Encrypted Chain IV generator |
| |
| This IV generator generates an IV based on the encryption of |
| a sequence number xored with a salt. This is the default |
| algorithm for CBC. |
| |
| config CRYPTO_ESSIV |
| tristate "Encrypted Salt-Sector IV Generator" |
| select CRYPTO_AUTHENC |
| help |
| Encrypted Salt-Sector IV generator |
| |
| This IV generator is used in some cases by fscrypt and/or |
| dm-crypt. It uses the hash of the block encryption key as the |
| symmetric key for a block encryption pass applied to the input |
| IV, making low entropy IV sources more suitable for block |
| encryption. |
| |
| This driver implements a crypto API template that can be |
| instantiated either as an skcipher or as an AEAD (depending on the |
| type of the first template argument), and which defers encryption |
| and decryption requests to the encapsulated cipher after applying |
| ESSIV to the input IV. Note that in the AEAD case, it is assumed |
| that the keys are presented in the same format used by the authenc |
| template, and that the IV appears at the end of the authenticated |
| associated data (AAD) region (which is how dm-crypt uses it.) |
| |
| Note that the use of ESSIV is not recommended for new deployments, |
| and so this only needs to be enabled when interoperability with |
| existing encrypted volumes of filesystems is required, or when |
| building for a particular system that requires it (e.g., when |
| the SoC in question has accelerated CBC but not XTS, making CBC |
| combined with ESSIV the only feasible mode for h/w accelerated |
| block encryption) |
| |
| endmenu |
| |
| menu "Hashes, digests, and MACs" |
| |
| config CRYPTO_BLAKE2B |
| tristate "BLAKE2b" |
| select CRYPTO_HASH |
| help |
| BLAKE2b cryptographic hash function (RFC 7693) |
| |
| BLAKE2b is optimized for 64-bit platforms and can produce digests |
| of any size between 1 and 64 bytes. The keyed hash is also implemented. |
| |
| This module provides the following algorithms: |
| - blake2b-160 |
| - blake2b-256 |
| - blake2b-384 |
| - blake2b-512 |
| |
| Used by the btrfs filesystem. |
| |
| See https://blake2.net for further information. |
| |
| config CRYPTO_CMAC |
| tristate "CMAC (Cipher-based MAC)" |
| select CRYPTO_HASH |
| select CRYPTO_MANAGER |
| help |
| CMAC (Cipher-based Message Authentication Code) authentication |
| mode (NIST SP800-38B and IETF RFC4493) |
| |
| config CRYPTO_GHASH |
| tristate "GHASH" |
| select CRYPTO_HASH |
| select CRYPTO_LIB_GF128MUL |
| help |
| GCM GHASH function (NIST SP800-38D) |
| |
| config CRYPTO_HMAC |
| tristate "HMAC (Keyed-Hash MAC)" |
| select CRYPTO_HASH |
| select CRYPTO_MANAGER |
| help |
| HMAC (Keyed-Hash Message Authentication Code) (FIPS 198 and |
| RFC2104) |
| |
| This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP). |
| |
| config CRYPTO_MD4 |
| tristate "MD4" |
| select CRYPTO_HASH |
| help |
| MD4 message digest algorithm (RFC1320) |
| |
| config CRYPTO_MD5 |
| tristate "MD5" |
| select CRYPTO_HASH |
| help |
| MD5 message digest algorithm (RFC1321) |
| |
| config CRYPTO_MICHAEL_MIC |
| tristate "Michael MIC" |
| select CRYPTO_HASH |
| help |
| Michael MIC (Message Integrity Code) (IEEE 802.11i) |
| |
| Defined by the IEEE 802.11i TKIP (Temporal Key Integrity Protocol), |
| known as WPA (Wif-Fi Protected Access). |
| |
| This algorithm is required for TKIP, but it should not be used for |
| other purposes because of the weakness of the algorithm. |
| |
| config CRYPTO_POLYVAL |
| tristate |
| select CRYPTO_HASH |
| select CRYPTO_LIB_GF128MUL |
| help |
| POLYVAL hash function for HCTR2 |
| |
| This is used in HCTR2. It is not a general-purpose |
| cryptographic hash function. |
| |
| config CRYPTO_POLY1305 |
| tristate "Poly1305" |
| select CRYPTO_HASH |
| select CRYPTO_LIB_POLY1305_GENERIC |
| help |
| Poly1305 authenticator algorithm (RFC7539) |
| |
| Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein. |
| It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use |
| in IETF protocols. This is the portable C implementation of Poly1305. |
| |
| config CRYPTO_RMD160 |
| tristate "RIPEMD-160" |
| select CRYPTO_HASH |
| help |
| RIPEMD-160 hash function (ISO/IEC 10118-3) |
| |
| RIPEMD-160 is a 160-bit cryptographic hash function. It is intended |
| to be used as a secure replacement for the 128-bit hash functions |
| MD4, MD5 and its predecessor RIPEMD |
| (not to be confused with RIPEMD-128). |
| |
| Its speed is comparable to SHA-1 and there are no known attacks |
| against RIPEMD-160. |
| |
| Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel. |
| See https://homes.esat.kuleuven.be/~bosselae/ripemd160.html |
| for further information. |
| |
| config CRYPTO_SHA1 |
| tristate "SHA-1" |
| select CRYPTO_HASH |
| select CRYPTO_LIB_SHA1 |
| help |
| SHA-1 secure hash algorithm (FIPS 180, ISO/IEC 10118-3) |
| |
| config CRYPTO_SHA256 |
| tristate "SHA-224 and SHA-256" |
| select CRYPTO_HASH |
| select CRYPTO_LIB_SHA256 |
| help |
| SHA-224 and SHA-256 secure hash algorithms (FIPS 180, ISO/IEC 10118-3) |
| |
| This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP). |
| Used by the btrfs filesystem, Ceph, NFS, and SMB. |
| |
| config CRYPTO_SHA512 |
| tristate "SHA-384 and SHA-512" |
| select CRYPTO_HASH |
| help |
| SHA-384 and SHA-512 secure hash algorithms (FIPS 180, ISO/IEC 10118-3) |
| |
| config CRYPTO_SHA3 |
| tristate "SHA-3" |
| select CRYPTO_HASH |
| help |
| SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3) |
| |
| config CRYPTO_SM3 |
| tristate |
| |
| config CRYPTO_SM3_GENERIC |
| tristate "SM3 (ShangMi 3)" |
| select CRYPTO_HASH |
| select CRYPTO_SM3 |
| help |
| SM3 (ShangMi 3) secure hash function (OSCCA GM/T 0004-2012, ISO/IEC 10118-3) |
| |
| This is part of the Chinese Commercial Cryptography suite. |
| |
| References: |
| http://www.oscca.gov.cn/UpFile/20101222141857786.pdf |
| https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash |
| |
| config CRYPTO_STREEBOG |
| tristate "Streebog" |
| select CRYPTO_HASH |
| help |
| Streebog Hash Function (GOST R 34.11-2012, RFC 6986, ISO/IEC 10118-3) |
| |
| This is one of the Russian cryptographic standard algorithms (called |
| GOST algorithms). This setting enables two hash algorithms with |
| 256 and 512 bits output. |
| |
| References: |
| https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf |
| https://tools.ietf.org/html/rfc6986 |
| |
| config CRYPTO_VMAC |
| tristate "VMAC" |
| select CRYPTO_HASH |
| select CRYPTO_MANAGER |
| help |
| VMAC is a message authentication algorithm designed for |
| very high speed on 64-bit architectures. |
| |
| See https://fastcrypto.org/vmac for further information. |
| |
| config CRYPTO_WP512 |
| tristate "Whirlpool" |
| select CRYPTO_HASH |
| help |
| Whirlpool hash function (ISO/IEC 10118-3) |
| |
| 512, 384 and 256-bit hashes. |
| |
| Whirlpool-512 is part of the NESSIE cryptographic primitives. |
| |
| See https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html |
| for further information. |
| |
| config CRYPTO_XCBC |
| tristate "XCBC-MAC (Extended Cipher Block Chaining MAC)" |
| select CRYPTO_HASH |
| select CRYPTO_MANAGER |
| help |
| XCBC-MAC (Extended Cipher Block Chaining Message Authentication |
| Code) (RFC3566) |
| |
| config CRYPTO_XXHASH |
| tristate "xxHash" |
| select CRYPTO_HASH |
| select XXHASH |
| help |
| xxHash non-cryptographic hash algorithm |
| |
| Extremely fast, working at speeds close to RAM limits. |
| |
| Used by the btrfs filesystem. |
| |
| endmenu |
| |
| menu "CRCs (cyclic redundancy checks)" |
| |
| config CRYPTO_CRC32C |
| tristate "CRC32c" |
| select CRYPTO_HASH |
| select CRC32 |
| help |
| CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720) |
| |
| A 32-bit CRC (cyclic redundancy check) with a polynomial defined |
| by G. Castagnoli, S. Braeuer and M. Herrman in "Optimization of Cyclic |
| Redundancy-Check Codes with 24 and 32 Parity Bits", IEEE Transactions |
| on Communications, Vol. 41, No. 6, June 1993, selected for use with |
| iSCSI. |
| |
| Used by btrfs, ext4, jbd2, NVMeoF/TCP, and iSCSI. |
| |
| config CRYPTO_CRC32 |
| tristate "CRC32" |
| select CRYPTO_HASH |
| select CRC32 |
| help |
| CRC32 CRC algorithm (IEEE 802.3) |
| |
| Used by RoCEv2 and f2fs. |
| |
| config CRYPTO_CRCT10DIF |
| tristate "CRCT10DIF" |
| select CRYPTO_HASH |
| help |
| CRC16 CRC algorithm used for the T10 (SCSI) Data Integrity Field (DIF) |
| |
| CRC algorithm used by the SCSI Block Commands standard. |
| |
| config CRYPTO_CRC64_ROCKSOFT |
| tristate "CRC64 based on Rocksoft Model algorithm" |
| depends on CRC64 |
| select CRYPTO_HASH |
| help |
| CRC64 CRC algorithm based on the Rocksoft Model CRC Algorithm |
| |
| Used by the NVMe implementation of T10 DIF (BLK_DEV_INTEGRITY) |
| |
| See https://zlib.net/crc_v3.txt |
| |
| endmenu |
| |
| menu "Compression" |
| |
| config CRYPTO_DEFLATE |
| tristate "Deflate" |
| select CRYPTO_ALGAPI |
| select CRYPTO_ACOMP2 |
| select ZLIB_INFLATE |
| select ZLIB_DEFLATE |
| help |
| Deflate compression algorithm (RFC1951) |
| |
| Used by IPSec with the IPCOMP protocol (RFC3173, RFC2394) |
| |
| config CRYPTO_LZO |
| tristate "LZO" |
| select CRYPTO_ALGAPI |
| select CRYPTO_ACOMP2 |
| select LZO_COMPRESS |
| select LZO_DECOMPRESS |
| help |
| LZO compression algorithm |
| |
| See https://www.oberhumer.com/opensource/lzo/ for further information. |
| |
| config CRYPTO_842 |
| tristate "842" |
| select CRYPTO_ALGAPI |
| select CRYPTO_ACOMP2 |
| select 842_COMPRESS |
| select 842_DECOMPRESS |
| help |
| 842 compression algorithm by IBM |
| |
| See https://github.com/plauth/lib842 for further information. |
| |
| config CRYPTO_LZ4 |
| tristate "LZ4" |
| select CRYPTO_ALGAPI |
| select CRYPTO_ACOMP2 |
| select LZ4_COMPRESS |
| select LZ4_DECOMPRESS |
| help |
| LZ4 compression algorithm |
| |
| See https://github.com/lz4/lz4 for further information. |
| |
| config CRYPTO_LZ4HC |
| tristate "LZ4HC" |
| select CRYPTO_ALGAPI |
| select CRYPTO_ACOMP2 |
| select LZ4HC_COMPRESS |
| select LZ4_DECOMPRESS |
| help |
| LZ4 high compression mode algorithm |
| |
| See https://github.com/lz4/lz4 for further information. |
| |
| config CRYPTO_ZSTD |
| tristate "Zstd" |
| select CRYPTO_ALGAPI |
| select CRYPTO_ACOMP2 |
| select ZSTD_COMPRESS |
| select ZSTD_DECOMPRESS |
| help |
| zstd compression algorithm |
| |
| See https://github.com/facebook/zstd for further information. |
| |
| endmenu |
| |
| menu "Random number generation" |
| |
| config CRYPTO_ANSI_CPRNG |
| tristate "ANSI PRNG (Pseudo Random Number Generator)" |
| select CRYPTO_AES |
| select CRYPTO_RNG |
| help |
| Pseudo RNG (random number generator) (ANSI X9.31 Appendix A.2.4) |
| |
| This uses the AES cipher algorithm. |
| |
| Note that this option must be enabled if CRYPTO_FIPS is selected |
| |
| menuconfig CRYPTO_DRBG_MENU |
| tristate "NIST SP800-90A DRBG (Deterministic Random Bit Generator)" |
| help |
| DRBG (Deterministic Random Bit Generator) (NIST SP800-90A) |
| |
| In the following submenu, one or more of the DRBG types must be selected. |
| |
| if CRYPTO_DRBG_MENU |
| |
| config CRYPTO_DRBG_HMAC |
| bool |
| default y |
| select CRYPTO_HMAC |
| select CRYPTO_SHA512 |
| |
| config CRYPTO_DRBG_HASH |
| bool "Hash_DRBG" |
| select CRYPTO_SHA256 |
| help |
| Hash_DRBG variant as defined in NIST SP800-90A. |
| |
| This uses the SHA-1, SHA-256, SHA-384, or SHA-512 hash algorithms. |
| |
| config CRYPTO_DRBG_CTR |
| bool "CTR_DRBG" |
| select CRYPTO_AES |
| select CRYPTO_CTR |
| help |
| CTR_DRBG variant as defined in NIST SP800-90A. |
| |
| This uses the AES cipher algorithm with the counter block mode. |
| |
| config CRYPTO_DRBG |
| tristate |
| default CRYPTO_DRBG_MENU |
| select CRYPTO_RNG |
| select CRYPTO_JITTERENTROPY |
| |
| endif # if CRYPTO_DRBG_MENU |
| |
| config CRYPTO_JITTERENTROPY |
| tristate "CPU Jitter Non-Deterministic RNG (Random Number Generator)" |
| select CRYPTO_RNG |
| select CRYPTO_SHA3 |
| help |
| CPU Jitter RNG (Random Number Generator) from the Jitterentropy library |
| |
| A non-physical non-deterministic ("true") RNG (e.g., an entropy source |
| compliant with NIST SP800-90B) intended to provide a seed to a |
| deterministic RNG (e.g. per NIST SP800-90C). |
| This RNG does not perform any cryptographic whitening of the generated |
| |
| See https://www.chronox.de/jent.html |
| |
| if CRYPTO_JITTERENTROPY |
| if CRYPTO_FIPS && EXPERT |
| |
| choice |
| prompt "CPU Jitter RNG Memory Size" |
| default CRYPTO_JITTERENTROPY_MEMSIZE_2 |
| help |
| The Jitter RNG measures the execution time of memory accesses. |
| Multiple consecutive memory accesses are performed. If the memory |
| size fits into a cache (e.g. L1), only the memory access timing |
| to that cache is measured. The closer the cache is to the CPU |
| the less variations are measured and thus the less entropy is |
| obtained. Thus, if the memory size fits into the L1 cache, the |
| obtained entropy is less than if the memory size fits within |
| L1 + L2, which in turn is less if the memory fits into |
| L1 + L2 + L3. Thus, by selecting a different memory size, |
| the entropy rate produced by the Jitter RNG can be modified. |
| |
| config CRYPTO_JITTERENTROPY_MEMSIZE_2 |
| bool "2048 Bytes (default)" |
| |
| config CRYPTO_JITTERENTROPY_MEMSIZE_128 |
| bool "128 kBytes" |
| |
| config CRYPTO_JITTERENTROPY_MEMSIZE_1024 |
| bool "1024 kBytes" |
| |
| config CRYPTO_JITTERENTROPY_MEMSIZE_8192 |
| bool "8192 kBytes" |
| endchoice |
| |
| config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS |
| int |
| default 64 if CRYPTO_JITTERENTROPY_MEMSIZE_2 |
| default 512 if CRYPTO_JITTERENTROPY_MEMSIZE_128 |
| default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024 |
| default 4096 if CRYPTO_JITTERENTROPY_MEMSIZE_8192 |
| |
| config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE |
| int |
| default 32 if CRYPTO_JITTERENTROPY_MEMSIZE_2 |
| default 256 if CRYPTO_JITTERENTROPY_MEMSIZE_128 |
| default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024 |
| default 2048 if CRYPTO_JITTERENTROPY_MEMSIZE_8192 |
| |
| config CRYPTO_JITTERENTROPY_OSR |
| int "CPU Jitter RNG Oversampling Rate" |
| range 1 15 |
| default 1 |
| help |
| The Jitter RNG allows the specification of an oversampling rate (OSR). |
| The Jitter RNG operation requires a fixed amount of timing |
| measurements to produce one output block of random numbers. The |
| OSR value is multiplied with the amount of timing measurements to |
| generate one output block. Thus, the timing measurement is oversampled |
| by the OSR factor. The oversampling allows the Jitter RNG to operate |
| on hardware whose timers deliver limited amount of entropy (e.g. |
| the timer is coarse) by setting the OSR to a higher value. The |
| trade-off, however, is that the Jitter RNG now requires more time |
| to generate random numbers. |
| |
| config CRYPTO_JITTERENTROPY_TESTINTERFACE |
| bool "CPU Jitter RNG Test Interface" |
| help |
| The test interface allows a privileged process to capture |
| the raw unconditioned high resolution time stamp noise that |
| is collected by the Jitter RNG for statistical analysis. As |
| this data is used at the same time to generate random bits, |
| the Jitter RNG operates in an insecure mode as long as the |
| recording is enabled. This interface therefore is only |
| intended for testing purposes and is not suitable for |
| production systems. |
| |
| The raw noise data can be obtained using the jent_raw_hires |
| debugfs file. Using the option |
| jitterentropy_testing.boot_raw_hires_test=1 the raw noise of |
| the first 1000 entropy events since boot can be sampled. |
| |
| If unsure, select N. |
| |
| endif # if CRYPTO_FIPS && EXPERT |
| |
| if !(CRYPTO_FIPS && EXPERT) |
| |
| config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS |
| int |
| default 64 |
| |
| config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE |
| int |
| default 32 |
| |
| config CRYPTO_JITTERENTROPY_OSR |
| int |
| default 1 |
| |
| config CRYPTO_JITTERENTROPY_TESTINTERFACE |
| bool |
| |
| endif # if !(CRYPTO_FIPS && EXPERT) |
| endif # if CRYPTO_JITTERENTROPY |
| |
| config CRYPTO_KDF800108_CTR |
| tristate |
| select CRYPTO_HMAC |
| select CRYPTO_SHA256 |
| |
| endmenu |
| menu "Userspace interface" |
| |
| config CRYPTO_USER_API |
| tristate |
| |
| config CRYPTO_USER_API_HASH |
| tristate "Hash algorithms" |
| depends on NET |
| select CRYPTO_HASH |
| select CRYPTO_USER_API |
| help |
| Enable the userspace interface for hash algorithms. |
| |
| See Documentation/crypto/userspace-if.rst and |
| https://www.chronox.de/libkcapi/html/index.html |
| |
| config CRYPTO_USER_API_SKCIPHER |
| tristate "Symmetric key cipher algorithms" |
| depends on NET |
| select CRYPTO_SKCIPHER |
| select CRYPTO_USER_API |
| help |
| Enable the userspace interface for symmetric key cipher algorithms. |
| |
| See Documentation/crypto/userspace-if.rst and |
| https://www.chronox.de/libkcapi/html/index.html |
| |
| config CRYPTO_USER_API_RNG |
| tristate "RNG (random number generator) algorithms" |
| depends on NET |
| select CRYPTO_RNG |
| select CRYPTO_USER_API |
| help |
| Enable the userspace interface for RNG (random number generator) |
| algorithms. |
| |
| See Documentation/crypto/userspace-if.rst and |
| https://www.chronox.de/libkcapi/html/index.html |
| |
| config CRYPTO_USER_API_RNG_CAVP |
| bool "Enable CAVP testing of DRBG" |
| depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG |
| help |
| Enable extra APIs in the userspace interface for NIST CAVP |
| (Cryptographic Algorithm Validation Program) testing: |
| - resetting DRBG entropy |
| - providing Additional Data |
| |
| This should only be enabled for CAVP testing. You should say |
| no unless you know what this is. |
| |
| config CRYPTO_USER_API_AEAD |
| tristate "AEAD cipher algorithms" |
| depends on NET |
| select CRYPTO_AEAD |
| select CRYPTO_SKCIPHER |
| select CRYPTO_NULL |
| select CRYPTO_USER_API |
| help |
| Enable the userspace interface for AEAD cipher algorithms. |
| |
| See Documentation/crypto/userspace-if.rst and |
| https://www.chronox.de/libkcapi/html/index.html |
| |
| config CRYPTO_USER_API_ENABLE_OBSOLETE |
| bool "Obsolete cryptographic algorithms" |
| depends on CRYPTO_USER_API |
| default y |
| help |
| Allow obsolete cryptographic algorithms to be selected that have |
| already been phased out from internal use by the kernel, and are |
| only useful for userspace clients that still rely on them. |
| |
| config CRYPTO_STATS |
| bool "Crypto usage statistics" |
| depends on CRYPTO_USER |
| help |
| Enable the gathering of crypto stats. |
| |
| Enabling this option reduces the performance of the crypto API. It |
| should only be enabled when there is actually a use case for it. |
| |
| This collects data sizes, numbers of requests, and numbers |
| of errors processed by: |
| - AEAD ciphers (encrypt, decrypt) |
| - asymmetric key ciphers (encrypt, decrypt, verify, sign) |
| - symmetric key ciphers (encrypt, decrypt) |
| - compression algorithms (compress, decompress) |
| - hash algorithms (hash) |
| - key-agreement protocol primitives (setsecret, generate |
| public key, compute shared secret) |
| - RNG (generate, seed) |
| |
| endmenu |
| |
| config CRYPTO_HASH_INFO |
| bool |
| |
| if !KMSAN # avoid false positives from assembly |
| if ARM |
| source "arch/arm/crypto/Kconfig" |
| endif |
| if ARM64 |
| source "arch/arm64/crypto/Kconfig" |
| endif |
| if LOONGARCH |
| source "arch/loongarch/crypto/Kconfig" |
| endif |
| if MIPS |
| source "arch/mips/crypto/Kconfig" |
| endif |
| if PPC |
| source "arch/powerpc/crypto/Kconfig" |
| endif |
| if S390 |
| source "arch/s390/crypto/Kconfig" |
| endif |
| if SPARC |
| source "arch/sparc/crypto/Kconfig" |
| endif |
| if X86 |
| source "arch/x86/crypto/Kconfig" |
| endif |
| endif |
| |
| source "drivers/crypto/Kconfig" |
| source "crypto/asymmetric_keys/Kconfig" |
| source "certs/Kconfig" |
| |
| endif # if CRYPTO |