summaryrefslogtreecommitdiffstats
path: root/crypto/Kconfig
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--crypto/Kconfig1454
1 files changed, 1454 insertions, 0 deletions
diff --git a/crypto/Kconfig b/crypto/Kconfig
new file mode 100644
index 0000000000..650b1b3620
--- /dev/null
+++ b/crypto/Kconfig
@@ -0,0 +1,1454 @@
+# SPDX-License-Identifier: GPL-2.0
+#
+# Generic algorithms support
+#
+config XOR_BLOCKS
+ tristate
+
+#
+# async_tx api: hardware offloaded memory transfer/transform support
+#
+source "crypto/async_tx/Kconfig"
+
+#
+# Cryptographic API Configuration
+#
+menuconfig CRYPTO
+ tristate "Cryptographic API"
+ select CRYPTO_LIB_UTILS
+ help
+ This option provides the core Cryptographic API.
+
+if CRYPTO
+
+menu "Crypto core or helper"
+
+config CRYPTO_FIPS
+ bool "FIPS 200 compliance"
+ depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
+ depends on (MODULE_SIG || !MODULES)
+ help
+ This option enables the fips boot option which is
+ required if you want the system to operate in a FIPS 200
+ certification. You should say no unless you know what
+ this is.
+
+config CRYPTO_FIPS_NAME
+ string "FIPS Module Name"
+ default "Linux Kernel Cryptographic API"
+ depends on CRYPTO_FIPS
+ help
+ This option sets the FIPS Module name reported by the Crypto API via
+ the /proc/sys/crypto/fips_name file.
+
+config CRYPTO_FIPS_CUSTOM_VERSION
+ bool "Use Custom FIPS Module Version"
+ depends on CRYPTO_FIPS
+ default n
+
+config CRYPTO_FIPS_VERSION
+ string "FIPS Module Version"
+ default "(none)"
+ depends on CRYPTO_FIPS_CUSTOM_VERSION
+ help
+ This option provides the ability to override the FIPS Module Version.
+ By default the KERNELRELEASE value is used.
+
+config CRYPTO_ALGAPI
+ tristate
+ select CRYPTO_ALGAPI2
+ help
+ This option provides the API for cryptographic algorithms.
+
+config CRYPTO_ALGAPI2
+ tristate
+
+config CRYPTO_AEAD
+ tristate
+ select CRYPTO_AEAD2
+ select CRYPTO_ALGAPI
+
+config CRYPTO_AEAD2
+ tristate
+ select CRYPTO_ALGAPI2
+
+config CRYPTO_SIG
+ tristate
+ select CRYPTO_SIG2
+ select CRYPTO_ALGAPI
+
+config CRYPTO_SIG2
+ tristate
+ select CRYPTO_ALGAPI2
+
+config CRYPTO_SKCIPHER
+ tristate
+ select CRYPTO_SKCIPHER2
+ select CRYPTO_ALGAPI
+
+config CRYPTO_SKCIPHER2
+ tristate
+ select CRYPTO_ALGAPI2
+
+config CRYPTO_HASH
+ tristate
+ select CRYPTO_HASH2
+ select CRYPTO_ALGAPI
+
+config CRYPTO_HASH2
+ tristate
+ select CRYPTO_ALGAPI2
+
+config CRYPTO_RNG
+ tristate
+ select CRYPTO_RNG2
+ select CRYPTO_ALGAPI
+
+config CRYPTO_RNG2
+ tristate
+ select CRYPTO_ALGAPI2
+
+config CRYPTO_RNG_DEFAULT
+ tristate
+ select CRYPTO_DRBG_MENU
+
+config CRYPTO_AKCIPHER2
+ tristate
+ select CRYPTO_ALGAPI2
+
+config CRYPTO_AKCIPHER
+ tristate
+ select CRYPTO_AKCIPHER2
+ select CRYPTO_ALGAPI
+
+config CRYPTO_KPP2
+ tristate
+ select CRYPTO_ALGAPI2
+
+config CRYPTO_KPP
+ tristate
+ select CRYPTO_ALGAPI
+ select CRYPTO_KPP2
+
+config CRYPTO_ACOMP2
+ tristate
+ select CRYPTO_ALGAPI2
+ select SGL_ALLOC
+
+config CRYPTO_ACOMP
+ tristate
+ select CRYPTO_ALGAPI
+ select CRYPTO_ACOMP2
+
+config CRYPTO_MANAGER
+ tristate "Cryptographic algorithm manager"
+ select CRYPTO_MANAGER2
+ help
+ Create default cryptographic template instantiations such as
+ cbc(aes).
+
+config CRYPTO_MANAGER2
+ def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y)
+ select CRYPTO_ACOMP2
+ select CRYPTO_AEAD2
+ select CRYPTO_AKCIPHER2
+ select CRYPTO_SIG2
+ select CRYPTO_HASH2
+ select CRYPTO_KPP2
+ select CRYPTO_RNG2
+ select CRYPTO_SKCIPHER2
+
+config CRYPTO_USER
+ tristate "Userspace cryptographic algorithm configuration"
+ depends on NET
+ select CRYPTO_MANAGER
+ help
+ Userspace configuration for cryptographic instantiations such as
+ cbc(aes).
+
+config CRYPTO_MANAGER_DISABLE_TESTS
+ bool "Disable run-time self tests"
+ default y
+ help
+ Disable run-time self tests that normally take place at
+ algorithm registration.
+
+config CRYPTO_MANAGER_EXTRA_TESTS
+ bool "Enable extra run-time crypto self tests"
+ depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER
+ help
+ Enable extra run-time self tests of registered crypto algorithms,
+ including randomized fuzz tests.
+
+ This is intended for developer use only, as these tests take much
+ longer to run than the normal self tests.
+
+config CRYPTO_NULL
+ tristate "Null algorithms"
+ select CRYPTO_NULL2
+ help
+ These are 'Null' algorithms, used by IPsec, which do nothing.
+
+config CRYPTO_NULL2
+ tristate
+ select CRYPTO_ALGAPI2
+ select CRYPTO_SKCIPHER2
+ select CRYPTO_HASH2
+
+config CRYPTO_PCRYPT
+ tristate "Parallel crypto engine"
+ depends on SMP
+ select PADATA
+ select CRYPTO_MANAGER
+ select CRYPTO_AEAD
+ help
+ This converts an arbitrary crypto algorithm into a parallel
+ algorithm that executes in kernel threads.
+
+config CRYPTO_CRYPTD
+ tristate "Software async crypto daemon"
+ select CRYPTO_SKCIPHER
+ select CRYPTO_HASH
+ select CRYPTO_MANAGER
+ help
+ This is a generic software asynchronous crypto daemon that
+ converts an arbitrary synchronous software crypto algorithm
+ into an asynchronous algorithm that executes in a kernel thread.
+
+config CRYPTO_AUTHENC
+ tristate "Authenc support"
+ select CRYPTO_AEAD
+ select CRYPTO_SKCIPHER
+ select CRYPTO_MANAGER
+ select CRYPTO_HASH
+ select CRYPTO_NULL
+ help
+ Authenc: Combined mode wrapper for IPsec.
+
+ This is required for IPSec ESP (XFRM_ESP).
+
+config CRYPTO_TEST
+ tristate "Testing module"
+ depends on m || EXPERT
+ select CRYPTO_MANAGER
+ help
+ Quick & dirty crypto test module.
+
+config CRYPTO_SIMD
+ tristate
+ select CRYPTO_CRYPTD
+
+config CRYPTO_ENGINE
+ tristate
+
+endmenu
+
+menu "Public-key cryptography"
+
+config CRYPTO_RSA
+ tristate "RSA (Rivest-Shamir-Adleman)"
+ select CRYPTO_AKCIPHER
+ select CRYPTO_MANAGER
+ select MPILIB
+ select ASN1
+ help
+ RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017)
+
+config CRYPTO_DH
+ tristate "DH (Diffie-Hellman)"
+ select CRYPTO_KPP
+ select MPILIB
+ help
+ DH (Diffie-Hellman) key exchange algorithm
+
+config CRYPTO_DH_RFC7919_GROUPS
+ bool "RFC 7919 FFDHE groups"
+ depends on CRYPTO_DH
+ select CRYPTO_RNG_DEFAULT
+ help
+ FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups
+ defined in RFC7919.
+
+ Support these finite-field groups in DH key exchanges:
+ - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
+
+ If unsure, say N.
+
+config CRYPTO_ECC
+ tristate
+ select CRYPTO_RNG_DEFAULT
+
+config CRYPTO_ECDH
+ tristate "ECDH (Elliptic Curve Diffie-Hellman)"
+ select CRYPTO_ECC
+ select CRYPTO_KPP
+ help
+ ECDH (Elliptic Curve Diffie-Hellman) key exchange algorithm
+ using curves P-192, P-256, and P-384 (FIPS 186)
+
+config CRYPTO_ECDSA
+ tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)"
+ select CRYPTO_ECC
+ select CRYPTO_AKCIPHER
+ select ASN1
+ help
+ ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186,
+ ISO/IEC 14888-3)
+ using curves P-192, P-256, and P-384
+
+ Only signature verification is implemented.
+
+config CRYPTO_ECRDSA
+ tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)"
+ select CRYPTO_ECC
+ select CRYPTO_AKCIPHER
+ select CRYPTO_STREEBOG
+ select OID_REGISTRY
+ select ASN1
+ help
+ Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012,
+ RFC 7091, ISO/IEC 14888-3)
+
+ One of the Russian cryptographic standard algorithms (called GOST
+ algorithms). Only signature verification is implemented.
+
+config CRYPTO_SM2
+ tristate "SM2 (ShangMi 2)"
+ select CRYPTO_SM3
+ select CRYPTO_AKCIPHER
+ select CRYPTO_MANAGER
+ select MPILIB
+ select ASN1
+ help
+ SM2 (ShangMi 2) public key algorithm
+
+ Published by State Encryption Management Bureau, China,
+ as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012.
+
+ References:
+ https://datatracker.ietf.org/doc/draft-shen-sm2-ecdsa/
+ http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml
+ http://www.gmbz.org.cn/main/bzlb.html
+
+config CRYPTO_CURVE25519
+ tristate "Curve25519"
+ select CRYPTO_KPP
+ select CRYPTO_LIB_CURVE25519_GENERIC
+ help
+ Curve25519 elliptic curve (RFC7748)
+
+endmenu
+
+menu "Block ciphers"
+
+config CRYPTO_AES
+ tristate "AES (Advanced Encryption Standard)"
+ select CRYPTO_ALGAPI
+ select CRYPTO_LIB_AES
+ help
+ AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
+
+ Rijndael appears to be consistently a very good performer in
+ both hardware and software across a wide range of computing
+ environments regardless of its use in feedback or non-feedback
+ modes. Its key setup time is excellent, and its key agility is
+ good. Rijndael's very low memory requirements make it very well
+ suited for restricted-space environments, in which it also
+ demonstrates excellent performance. Rijndael's operations are
+ among the easiest to defend against power and timing attacks.
+
+ The AES specifies three key sizes: 128, 192 and 256 bits
+
+config CRYPTO_AES_TI
+ tristate "AES (Advanced Encryption Standard) (fixed time)"
+ select CRYPTO_ALGAPI
+ select CRYPTO_LIB_AES
+ help
+ AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
+
+ This is a generic implementation of AES that attempts to eliminate
+ data dependent latencies as much as possible without affecting
+ performance too much. It is intended for use by the generic CCM
+ and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
+ solely on encryption (although decryption is supported as well, but
+ with a more dramatic performance hit)
+
+ Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
+ 8 for decryption), this implementation only uses just two S-boxes of
+ 256 bytes each, and attempts to eliminate data dependent latencies by
+ prefetching the entire table into the cache at the start of each
+ block. Interrupts are also disabled to avoid races where cachelines
+ are evicted when the CPU is interrupted to do something else.
+
+config CRYPTO_ANUBIS
+ tristate "Anubis"
+ depends on CRYPTO_USER_API_ENABLE_OBSOLETE
+ select CRYPTO_ALGAPI
+ help
+ Anubis cipher algorithm
+
+ Anubis is a variable key length cipher which can use keys from
+ 128 bits to 320 bits in length. It was evaluated as a entrant
+ in the NESSIE competition.
+
+ See https://web.archive.org/web/20160606112246/http://www.larc.usp.br/~pbarreto/AnubisPage.html
+ for further information.
+
+config CRYPTO_ARIA
+ tristate "ARIA"
+ select CRYPTO_ALGAPI
+ help
+ ARIA cipher algorithm (RFC5794)
+
+ ARIA is a standard encryption algorithm of the Republic of Korea.
+ The ARIA specifies three key sizes and rounds.
+ 128-bit: 12 rounds.
+ 192-bit: 14 rounds.
+ 256-bit: 16 rounds.
+
+ See:
+ https://seed.kisa.or.kr/kisa/algorithm/EgovAriaInfo.do
+
+config CRYPTO_BLOWFISH
+ tristate "Blowfish"
+ select CRYPTO_ALGAPI
+ select CRYPTO_BLOWFISH_COMMON
+ help
+ Blowfish cipher algorithm, by Bruce Schneier
+
+ This is a variable key length cipher which can use keys from 32
+ bits to 448 bits in length. It's fast, simple and specifically
+ designed for use on "large microprocessors".
+
+ See https://www.schneier.com/blowfish.html for further information.
+
+config CRYPTO_BLOWFISH_COMMON
+ tristate
+ help
+ Common parts of the Blowfish cipher algorithm shared by the
+ generic c and the assembler implementations.
+
+config CRYPTO_CAMELLIA
+ tristate "Camellia"
+ select CRYPTO_ALGAPI
+ help
+ Camellia cipher algorithms (ISO/IEC 18033-3)
+
+ Camellia is a symmetric key block cipher developed jointly
+ at NTT and Mitsubishi Electric Corporation.
+
+ The Camellia specifies three key sizes: 128, 192 and 256 bits.
+
+ See https://info.isl.ntt.co.jp/crypt/eng/camellia/ for further information.
+
+config CRYPTO_CAST_COMMON
+ tristate
+ help
+ Common parts of the CAST cipher algorithms shared by the
+ generic c and the assembler implementations.
+
+config CRYPTO_CAST5
+ tristate "CAST5 (CAST-128)"
+ select CRYPTO_ALGAPI
+ select CRYPTO_CAST_COMMON
+ help
+ CAST5 (CAST-128) cipher algorithm (RFC2144, ISO/IEC 18033-3)
+
+config CRYPTO_CAST6
+ tristate "CAST6 (CAST-256)"
+ select CRYPTO_ALGAPI
+ select CRYPTO_CAST_COMMON
+ help
+ CAST6 (CAST-256) encryption algorithm (RFC2612)
+
+config CRYPTO_DES
+ tristate "DES and Triple DES EDE"
+ select CRYPTO_ALGAPI
+ select CRYPTO_LIB_DES
+ help
+ DES (Data Encryption Standard)(FIPS 46-2, ISO/IEC 18033-3) and
+ Triple DES EDE (Encrypt/Decrypt/Encrypt) (FIPS 46-3, ISO/IEC 18033-3)
+ cipher algorithms
+
+config CRYPTO_FCRYPT
+ tristate "FCrypt"
+ select CRYPTO_ALGAPI
+ select CRYPTO_SKCIPHER
+ help
+ FCrypt algorithm used by RxRPC
+
+ See https://ota.polyonymo.us/fcrypt-paper.txt
+
+config CRYPTO_KHAZAD
+ tristate "Khazad"
+ depends on CRYPTO_USER_API_ENABLE_OBSOLETE
+ select CRYPTO_ALGAPI
+ help
+ Khazad cipher algorithm
+
+ Khazad was a finalist in the initial NESSIE competition. It is
+ an algorithm optimized for 64-bit processors with good performance
+ on 32-bit processors. Khazad uses an 128 bit key size.
+
+ See https://web.archive.org/web/20171011071731/http://www.larc.usp.br/~pbarreto/KhazadPage.html
+ for further information.
+
+config CRYPTO_SEED
+ tristate "SEED"
+ depends on CRYPTO_USER_API_ENABLE_OBSOLETE
+ select CRYPTO_ALGAPI
+ help
+ SEED cipher algorithm (RFC4269, ISO/IEC 18033-3)
+
+ SEED is a 128-bit symmetric key block cipher that has been
+ developed by KISA (Korea Information Security Agency) as a
+ national standard encryption algorithm of the Republic of Korea.
+ It is a 16 round block cipher with the key size of 128 bit.
+
+ See https://seed.kisa.or.kr/kisa/algorithm/EgovSeedInfo.do
+ for further information.
+
+config CRYPTO_SERPENT
+ tristate "Serpent"
+ select CRYPTO_ALGAPI
+ help
+ Serpent cipher algorithm, by Anderson, Biham & Knudsen
+
+ Keys are allowed to be from 0 to 256 bits in length, in steps
+ of 8 bits.
+
+ See https://www.cl.cam.ac.uk/~rja14/serpent.html for further information.
+
+config CRYPTO_SM4
+ tristate
+
+config CRYPTO_SM4_GENERIC
+ tristate "SM4 (ShangMi 4)"
+ select CRYPTO_ALGAPI
+ select CRYPTO_SM4
+ help
+ SM4 cipher algorithms (OSCCA GB/T 32907-2016,
+ ISO/IEC 18033-3:2010/Amd 1:2021)
+
+ SM4 (GBT.32907-2016) is a cryptographic standard issued by the
+ Organization of State Commercial Administration of China (OSCCA)
+ as an authorized cryptographic algorithms for the use within China.
+
+ SMS4 was originally created for use in protecting wireless
+ networks, and is mandated in the Chinese National Standard for
+ Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure)
+ (GB.15629.11-2003).
+
+ The latest SM4 standard (GBT.32907-2016) was proposed by OSCCA and
+ standardized through TC 260 of the Standardization Administration
+ of the People's Republic of China (SAC).
+
+ The input, output, and key of SMS4 are each 128 bits.
+
+ See https://eprint.iacr.org/2008/329.pdf for further information.
+
+ If unsure, say N.
+
+config CRYPTO_TEA
+ tristate "TEA, XTEA and XETA"
+ depends on CRYPTO_USER_API_ENABLE_OBSOLETE
+ select CRYPTO_ALGAPI
+ help
+ TEA (Tiny Encryption Algorithm) cipher algorithms
+
+ Tiny Encryption Algorithm is a simple cipher that uses
+ many rounds for security. It is very fast and uses
+ little memory.
+
+ Xtendend Tiny Encryption Algorithm is a modification to
+ the TEA algorithm to address a potential key weakness
+ in the TEA algorithm.
+
+ Xtendend Encryption Tiny Algorithm is a mis-implementation
+ of the XTEA algorithm for compatibility purposes.
+
+config CRYPTO_TWOFISH
+ tristate "Twofish"
+ select CRYPTO_ALGAPI
+ select CRYPTO_TWOFISH_COMMON
+ help
+ Twofish cipher algorithm
+
+ Twofish was submitted as an AES (Advanced Encryption Standard)
+ candidate cipher by researchers at CounterPane Systems. It is a
+ 16 round block cipher supporting key sizes of 128, 192, and 256
+ bits.
+
+ See https://www.schneier.com/twofish.html for further information.
+
+config CRYPTO_TWOFISH_COMMON
+ tristate
+ help
+ Common parts of the Twofish cipher algorithm shared by the
+ generic c and the assembler implementations.
+
+endmenu
+
+menu "Length-preserving ciphers and modes"
+
+config CRYPTO_ADIANTUM
+ tristate "Adiantum"
+ select CRYPTO_CHACHA20
+ select CRYPTO_LIB_POLY1305_GENERIC
+ select CRYPTO_NHPOLY1305
+ select CRYPTO_MANAGER
+ help
+ Adiantum tweakable, length-preserving encryption mode
+
+ Designed for fast and secure disk encryption, especially on
+ CPUs without dedicated crypto instructions. It encrypts
+ each sector using the XChaCha12 stream cipher, two passes of
+ an ε-almost-∆-universal hash function, and an invocation of
+ the AES-256 block cipher on a single 16-byte block. On CPUs
+ without AES instructions, Adiantum is much faster than
+ AES-XTS.
+
+ Adiantum's security is provably reducible to that of its
+ underlying stream and block ciphers, subject to a security
+ bound. Unlike XTS, Adiantum is a true wide-block encryption
+ mode, so it actually provides an even stronger notion of
+ security than XTS, subject to the security bound.
+
+ If unsure, say N.
+
+config CRYPTO_ARC4
+ tristate "ARC4 (Alleged Rivest Cipher 4)"
+ depends on CRYPTO_USER_API_ENABLE_OBSOLETE
+ select CRYPTO_SKCIPHER
+ select CRYPTO_LIB_ARC4
+ help
+ ARC4 cipher algorithm
+
+ ARC4 is a stream cipher using keys ranging from 8 bits to 2048
+ bits in length. This algorithm is required for driver-based
+ WEP, but it should not be for other purposes because of the
+ weakness of the algorithm.
+
+config CRYPTO_CHACHA20
+ tristate "ChaCha"
+ select CRYPTO_LIB_CHACHA_GENERIC
+ select CRYPTO_SKCIPHER
+ help
+ The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms
+
+ ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
+ Bernstein and further specified in RFC7539 for use in IETF protocols.
+ This is the portable C implementation of ChaCha20. See
+ https://cr.yp.to/chacha/chacha-20080128.pdf for further information.
+
+ XChaCha20 is the application of the XSalsa20 construction to ChaCha20
+ rather than to Salsa20. XChaCha20 extends ChaCha20's nonce length
+ from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
+ while provably retaining ChaCha20's security. See
+ https://cr.yp.to/snuffle/xsalsa-20081128.pdf for further information.
+
+ XChaCha12 is XChaCha20 reduced to 12 rounds, with correspondingly
+ reduced security margin but increased performance. It can be needed
+ in some performance-sensitive scenarios.
+
+config CRYPTO_CBC
+ tristate "CBC (Cipher Block Chaining)"
+ select CRYPTO_SKCIPHER
+ select CRYPTO_MANAGER
+ help
+ CBC (Cipher Block Chaining) mode (NIST SP800-38A)
+
+ This block cipher mode is required for IPSec ESP (XFRM_ESP).
+
+config CRYPTO_CFB
+ tristate "CFB (Cipher Feedback)"
+ select CRYPTO_SKCIPHER
+ select CRYPTO_MANAGER
+ help
+ CFB (Cipher Feedback) mode (NIST SP800-38A)
+
+ This block cipher mode is required for TPM2 Cryptography.
+
+config CRYPTO_CTR
+ tristate "CTR (Counter)"
+ select CRYPTO_SKCIPHER
+ select CRYPTO_MANAGER
+ help
+ CTR (Counter) mode (NIST SP800-38A)
+
+config CRYPTO_CTS
+ tristate "CTS (Cipher Text Stealing)"
+ select CRYPTO_SKCIPHER
+ select CRYPTO_MANAGER
+ help
+ CBC-CS3 variant of CTS (Cipher Text Stealing) (NIST
+ Addendum to SP800-38A (October 2010))
+
+ This mode is required for Kerberos gss mechanism support
+ for AES encryption.
+
+config CRYPTO_ECB
+ tristate "ECB (Electronic Codebook)"
+ select CRYPTO_SKCIPHER
+ select CRYPTO_MANAGER
+ help
+ ECB (Electronic Codebook) mode (NIST SP800-38A)
+
+config CRYPTO_HCTR2
+ tristate "HCTR2"
+ select CRYPTO_XCTR
+ select CRYPTO_POLYVAL
+ select CRYPTO_MANAGER
+ help
+ HCTR2 length-preserving encryption mode
+
+ A mode for storage encryption that is efficient on processors with
+ instructions to accelerate AES and carryless multiplication, e.g.
+ x86 processors with AES-NI and CLMUL, and ARM processors with the
+ ARMv8 crypto extensions.
+
+ See https://eprint.iacr.org/2021/1441
+
+config CRYPTO_KEYWRAP
+ tristate "KW (AES Key Wrap)"
+ select CRYPTO_SKCIPHER
+ select CRYPTO_MANAGER
+ help
+ KW (AES Key Wrap) authenticated encryption mode (NIST SP800-38F
+ and RFC3394) without padding.
+
+config CRYPTO_LRW
+ tristate "LRW (Liskov Rivest Wagner)"
+ select CRYPTO_LIB_GF128MUL
+ select CRYPTO_SKCIPHER
+ select CRYPTO_MANAGER
+ select CRYPTO_ECB
+ help
+ LRW (Liskov Rivest Wagner) mode
+
+ A tweakable, non malleable, non movable
+ narrow block cipher mode for dm-crypt. Use it with cipher
+ specification string aes-lrw-benbi, the key must be 256, 320 or 384.
+ The first 128, 192 or 256 bits in the key are used for AES and the
+ rest is used to tie each cipher block to its logical position.
+
+ See https://people.csail.mit.edu/rivest/pubs/LRW02.pdf
+
+config CRYPTO_OFB
+ tristate "OFB (Output Feedback)"
+ select CRYPTO_SKCIPHER
+ select CRYPTO_MANAGER
+ help
+ OFB (Output Feedback) mode (NIST SP800-38A)
+
+ This mode makes a block cipher into a synchronous
+ stream cipher. It generates keystream blocks, which are then XORed
+ with the plaintext blocks to get the ciphertext. Flipping a bit in the
+ ciphertext produces a flipped bit in the plaintext at the same
+ location. This property allows many error correcting codes to function
+ normally even when applied before encryption.
+
+config CRYPTO_PCBC
+ tristate "PCBC (Propagating Cipher Block Chaining)"
+ select CRYPTO_SKCIPHER
+ select CRYPTO_MANAGER
+ help
+ PCBC (Propagating Cipher Block Chaining) mode
+
+ This block cipher mode is required for RxRPC.
+
+config CRYPTO_XCTR
+ tristate
+ select CRYPTO_SKCIPHER
+ select CRYPTO_MANAGER
+ help
+ XCTR (XOR Counter) mode for HCTR2
+
+ This blockcipher mode is a variant of CTR mode using XORs and little-endian
+ addition rather than big-endian arithmetic.
+
+ XCTR mode is used to implement HCTR2.
+
+config CRYPTO_XTS
+ tristate "XTS (XOR Encrypt XOR with ciphertext stealing)"
+ select CRYPTO_SKCIPHER
+ select CRYPTO_MANAGER
+ select CRYPTO_ECB
+ help
+ XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
+ and IEEE 1619)
+
+ Use with aes-xts-plain, key size 256, 384 or 512 bits. This
+ implementation currently can't handle a sectorsize which is not a
+ multiple of 16 bytes.
+
+config CRYPTO_NHPOLY1305
+ tristate
+ select CRYPTO_HASH
+ select CRYPTO_LIB_POLY1305_GENERIC
+
+endmenu
+
+menu "AEAD (authenticated encryption with associated data) ciphers"
+
+config CRYPTO_AEGIS128
+ tristate "AEGIS-128"
+ select CRYPTO_AEAD
+ select CRYPTO_AES # for AES S-box tables
+ help
+ AEGIS-128 AEAD algorithm
+
+config CRYPTO_AEGIS128_SIMD
+ bool "AEGIS-128 (arm NEON, arm64 NEON)"
+ depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON)
+ default y
+ help
+ AEGIS-128 AEAD algorithm
+
+ Architecture: arm or arm64 using:
+ - NEON (Advanced SIMD) extension
+
+config CRYPTO_CHACHA20POLY1305
+ tristate "ChaCha20-Poly1305"
+ select CRYPTO_CHACHA20
+ select CRYPTO_POLY1305
+ select CRYPTO_AEAD
+ select CRYPTO_MANAGER
+ help
+ ChaCha20 stream cipher and Poly1305 authenticator combined
+ mode (RFC8439)
+
+config CRYPTO_CCM
+ tristate "CCM (Counter with Cipher Block Chaining-MAC)"
+ select CRYPTO_CTR
+ select CRYPTO_HASH
+ select CRYPTO_AEAD
+ select CRYPTO_MANAGER
+ help
+ CCM (Counter with Cipher Block Chaining-Message Authentication Code)
+ authenticated encryption mode (NIST SP800-38C)
+
+config CRYPTO_GCM
+ tristate "GCM (Galois/Counter Mode) and GMAC (GCM MAC)"
+ select CRYPTO_CTR
+ select CRYPTO_AEAD
+ select CRYPTO_GHASH
+ select CRYPTO_NULL
+ select CRYPTO_MANAGER
+ help
+ GCM (Galois/Counter Mode) authenticated encryption mode and GMAC
+ (GCM Message Authentication Code) (NIST SP800-38D)
+
+ This is required for IPSec ESP (XFRM_ESP).
+
+config CRYPTO_GENIV
+ tristate
+ select CRYPTO_AEAD
+ select CRYPTO_NULL
+ select CRYPTO_MANAGER
+ select CRYPTO_RNG_DEFAULT
+
+config CRYPTO_SEQIV
+ tristate "Sequence Number IV Generator"
+ select CRYPTO_GENIV
+ help
+ Sequence Number IV generator
+
+ This IV generator generates an IV based on a sequence number by
+ xoring it with a salt. This algorithm is mainly useful for CTR.
+
+ This is required for IPsec ESP (XFRM_ESP).
+
+config CRYPTO_ECHAINIV
+ tristate "Encrypted Chain IV Generator"
+ select CRYPTO_GENIV
+ help
+ Encrypted Chain IV generator
+
+ This IV generator generates an IV based on the encryption of
+ a sequence number xored with a salt. This is the default
+ algorithm for CBC.
+
+config CRYPTO_ESSIV
+ tristate "Encrypted Salt-Sector IV Generator"
+ select CRYPTO_AUTHENC
+ help
+ Encrypted Salt-Sector IV generator
+
+ This IV generator is used in some cases by fscrypt and/or
+ dm-crypt. It uses the hash of the block encryption key as the
+ symmetric key for a block encryption pass applied to the input
+ IV, making low entropy IV sources more suitable for block
+ encryption.
+
+ This driver implements a crypto API template that can be
+ instantiated either as an skcipher or as an AEAD (depending on the
+ type of the first template argument), and which defers encryption
+ and decryption requests to the encapsulated cipher after applying
+ ESSIV to the input IV. Note that in the AEAD case, it is assumed
+ that the keys are presented in the same format used by the authenc
+ template, and that the IV appears at the end of the authenticated
+ associated data (AAD) region (which is how dm-crypt uses it.)
+
+ Note that the use of ESSIV is not recommended for new deployments,
+ and so this only needs to be enabled when interoperability with
+ existing encrypted volumes of filesystems is required, or when
+ building for a particular system that requires it (e.g., when
+ the SoC in question has accelerated CBC but not XTS, making CBC
+ combined with ESSIV the only feasible mode for h/w accelerated
+ block encryption)
+
+endmenu
+
+menu "Hashes, digests, and MACs"
+
+config CRYPTO_BLAKE2B
+ tristate "BLAKE2b"
+ select CRYPTO_HASH
+ help
+ BLAKE2b cryptographic hash function (RFC 7693)
+
+ BLAKE2b is optimized for 64-bit platforms and can produce digests
+ of any size between 1 and 64 bytes. The keyed hash is also implemented.
+
+ This module provides the following algorithms:
+ - blake2b-160
+ - blake2b-256
+ - blake2b-384
+ - blake2b-512
+
+ Used by the btrfs filesystem.
+
+ See https://blake2.net for further information.
+
+config CRYPTO_CMAC
+ tristate "CMAC (Cipher-based MAC)"
+ select CRYPTO_HASH
+ select CRYPTO_MANAGER
+ help
+ CMAC (Cipher-based Message Authentication Code) authentication
+ mode (NIST SP800-38B and IETF RFC4493)
+
+config CRYPTO_GHASH
+ tristate "GHASH"
+ select CRYPTO_HASH
+ select CRYPTO_LIB_GF128MUL
+ help
+ GCM GHASH function (NIST SP800-38D)
+
+config CRYPTO_HMAC
+ tristate "HMAC (Keyed-Hash MAC)"
+ select CRYPTO_HASH
+ select CRYPTO_MANAGER
+ help
+ HMAC (Keyed-Hash Message Authentication Code) (FIPS 198 and
+ RFC2104)
+
+ This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
+
+config CRYPTO_MD4
+ tristate "MD4"
+ select CRYPTO_HASH
+ help
+ MD4 message digest algorithm (RFC1320)
+
+config CRYPTO_MD5
+ tristate "MD5"
+ select CRYPTO_HASH
+ help
+ MD5 message digest algorithm (RFC1321)
+
+config CRYPTO_MICHAEL_MIC
+ tristate "Michael MIC"
+ select CRYPTO_HASH
+ help
+ Michael MIC (Message Integrity Code) (IEEE 802.11i)
+
+ Defined by the IEEE 802.11i TKIP (Temporal Key Integrity Protocol),
+ known as WPA (Wif-Fi Protected Access).
+
+ This algorithm is required for TKIP, but it should not be used for
+ other purposes because of the weakness of the algorithm.
+
+config CRYPTO_POLYVAL
+ tristate
+ select CRYPTO_HASH
+ select CRYPTO_LIB_GF128MUL
+ help
+ POLYVAL hash function for HCTR2
+
+ This is used in HCTR2. It is not a general-purpose
+ cryptographic hash function.
+
+config CRYPTO_POLY1305
+ tristate "Poly1305"
+ select CRYPTO_HASH
+ select CRYPTO_LIB_POLY1305_GENERIC
+ help
+ Poly1305 authenticator algorithm (RFC7539)
+
+ Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
+ It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
+ in IETF protocols. This is the portable C implementation of Poly1305.
+
+config CRYPTO_RMD160
+ tristate "RIPEMD-160"
+ select CRYPTO_HASH
+ help
+ RIPEMD-160 hash function (ISO/IEC 10118-3)
+
+ RIPEMD-160 is a 160-bit cryptographic hash function. It is intended
+ to be used as a secure replacement for the 128-bit hash functions
+ MD4, MD5 and its predecessor RIPEMD
+ (not to be confused with RIPEMD-128).
+
+ Its speed is comparable to SHA-1 and there are no known attacks
+ against RIPEMD-160.
+
+ Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel.
+ See https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
+ for further information.
+
+config CRYPTO_SHA1
+ tristate "SHA-1"
+ select CRYPTO_HASH
+ select CRYPTO_LIB_SHA1
+ help
+ SHA-1 secure hash algorithm (FIPS 180, ISO/IEC 10118-3)
+
+config CRYPTO_SHA256
+ tristate "SHA-224 and SHA-256"
+ select CRYPTO_HASH
+ select CRYPTO_LIB_SHA256
+ help
+ SHA-224 and SHA-256 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
+
+ This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
+ Used by the btrfs filesystem, Ceph, NFS, and SMB.
+
+config CRYPTO_SHA512
+ tristate "SHA-384 and SHA-512"
+ select CRYPTO_HASH
+ help
+ SHA-384 and SHA-512 secure hash algorithms (FIPS 180, ISO/IEC 10118-3)
+
+config CRYPTO_SHA3
+ tristate "SHA-3"
+ select CRYPTO_HASH
+ help
+ SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3)
+
+config CRYPTO_SM3
+ tristate
+
+config CRYPTO_SM3_GENERIC
+ tristate "SM3 (ShangMi 3)"
+ select CRYPTO_HASH
+ select CRYPTO_SM3
+ help
+ SM3 (ShangMi 3) secure hash function (OSCCA GM/T 0004-2012, ISO/IEC 10118-3)
+
+ This is part of the Chinese Commercial Cryptography suite.
+
+ References:
+ http://www.oscca.gov.cn/UpFile/20101222141857786.pdf
+ https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash
+
+config CRYPTO_STREEBOG
+ tristate "Streebog"
+ select CRYPTO_HASH
+ help
+ Streebog Hash Function (GOST R 34.11-2012, RFC 6986, ISO/IEC 10118-3)
+
+ This is one of the Russian cryptographic standard algorithms (called
+ GOST algorithms). This setting enables two hash algorithms with
+ 256 and 512 bits output.
+
+ References:
+ https://tc26.ru/upload/iblock/fed/feddbb4d26b685903faa2ba11aea43f6.pdf
+ https://tools.ietf.org/html/rfc6986
+
+config CRYPTO_VMAC
+ tristate "VMAC"
+ select CRYPTO_HASH
+ select CRYPTO_MANAGER
+ help
+ VMAC is a message authentication algorithm designed for
+ very high speed on 64-bit architectures.
+
+ See https://fastcrypto.org/vmac for further information.
+
+config CRYPTO_WP512
+ tristate "Whirlpool"
+ select CRYPTO_HASH
+ help
+ Whirlpool hash function (ISO/IEC 10118-3)
+
+ 512, 384 and 256-bit hashes.
+
+ Whirlpool-512 is part of the NESSIE cryptographic primitives.
+
+ See https://web.archive.org/web/20171129084214/http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
+ for further information.
+
+config CRYPTO_XCBC
+ tristate "XCBC-MAC (Extended Cipher Block Chaining MAC)"
+ select CRYPTO_HASH
+ select CRYPTO_MANAGER
+ help
+ XCBC-MAC (Extended Cipher Block Chaining Message Authentication
+ Code) (RFC3566)
+
+config CRYPTO_XXHASH
+ tristate "xxHash"
+ select CRYPTO_HASH
+ select XXHASH
+ help
+ xxHash non-cryptographic hash algorithm
+
+ Extremely fast, working at speeds close to RAM limits.
+
+ Used by the btrfs filesystem.
+
+endmenu
+
+menu "CRCs (cyclic redundancy checks)"
+
+config CRYPTO_CRC32C
+ tristate "CRC32c"
+ select CRYPTO_HASH
+ select CRC32
+ help
+ CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720)
+
+ A 32-bit CRC (cyclic redundancy check) with a polynomial defined
+ by G. Castagnoli, S. Braeuer and M. Herrman in "Optimization of Cyclic
+ Redundancy-Check Codes with 24 and 32 Parity Bits", IEEE Transactions
+ on Communications, Vol. 41, No. 6, June 1993, selected for use with
+ iSCSI.
+
+ Used by btrfs, ext4, jbd2, NVMeoF/TCP, and iSCSI.
+
+config CRYPTO_CRC32
+ tristate "CRC32"
+ select CRYPTO_HASH
+ select CRC32
+ help
+ CRC32 CRC algorithm (IEEE 802.3)
+
+ Used by RoCEv2 and f2fs.
+
+config CRYPTO_CRCT10DIF
+ tristate "CRCT10DIF"
+ select CRYPTO_HASH
+ help
+ CRC16 CRC algorithm used for the T10 (SCSI) Data Integrity Field (DIF)
+
+ CRC algorithm used by the SCSI Block Commands standard.
+
+config CRYPTO_CRC64_ROCKSOFT
+ tristate "CRC64 based on Rocksoft Model algorithm"
+ depends on CRC64
+ select CRYPTO_HASH
+ help
+ CRC64 CRC algorithm based on the Rocksoft Model CRC Algorithm
+
+ Used by the NVMe implementation of T10 DIF (BLK_DEV_INTEGRITY)
+
+ See https://zlib.net/crc_v3.txt
+
+endmenu
+
+menu "Compression"
+
+config CRYPTO_DEFLATE
+ tristate "Deflate"
+ select CRYPTO_ALGAPI
+ select CRYPTO_ACOMP2
+ select ZLIB_INFLATE
+ select ZLIB_DEFLATE
+ help
+ Deflate compression algorithm (RFC1951)
+
+ Used by IPSec with the IPCOMP protocol (RFC3173, RFC2394)
+
+config CRYPTO_LZO
+ tristate "LZO"
+ select CRYPTO_ALGAPI
+ select CRYPTO_ACOMP2
+ select LZO_COMPRESS
+ select LZO_DECOMPRESS
+ help
+ LZO compression algorithm
+
+ See https://www.oberhumer.com/opensource/lzo/ for further information.
+
+config CRYPTO_842
+ tristate "842"
+ select CRYPTO_ALGAPI
+ select CRYPTO_ACOMP2
+ select 842_COMPRESS
+ select 842_DECOMPRESS
+ help
+ 842 compression algorithm by IBM
+
+ See https://github.com/plauth/lib842 for further information.
+
+config CRYPTO_LZ4
+ tristate "LZ4"
+ select CRYPTO_ALGAPI
+ select CRYPTO_ACOMP2
+ select LZ4_COMPRESS
+ select LZ4_DECOMPRESS
+ help
+ LZ4 compression algorithm
+
+ See https://github.com/lz4/lz4 for further information.
+
+config CRYPTO_LZ4HC
+ tristate "LZ4HC"
+ select CRYPTO_ALGAPI
+ select CRYPTO_ACOMP2
+ select LZ4HC_COMPRESS
+ select LZ4_DECOMPRESS
+ help
+ LZ4 high compression mode algorithm
+
+ See https://github.com/lz4/lz4 for further information.
+
+config CRYPTO_ZSTD
+ tristate "Zstd"
+ select CRYPTO_ALGAPI
+ select CRYPTO_ACOMP2
+ select ZSTD_COMPRESS
+ select ZSTD_DECOMPRESS
+ help
+ zstd compression algorithm
+
+ See https://github.com/facebook/zstd for further information.
+
+endmenu
+
+menu "Random number generation"
+
+config CRYPTO_ANSI_CPRNG
+ tristate "ANSI PRNG (Pseudo Random Number Generator)"
+ select CRYPTO_AES
+ select CRYPTO_RNG
+ help
+ Pseudo RNG (random number generator) (ANSI X9.31 Appendix A.2.4)
+
+ This uses the AES cipher algorithm.
+
+ Note that this option must be enabled if CRYPTO_FIPS is selected
+
+menuconfig CRYPTO_DRBG_MENU
+ tristate "NIST SP800-90A DRBG (Deterministic Random Bit Generator)"
+ help
+ DRBG (Deterministic Random Bit Generator) (NIST SP800-90A)
+
+ In the following submenu, one or more of the DRBG types must be selected.
+
+if CRYPTO_DRBG_MENU
+
+config CRYPTO_DRBG_HMAC
+ bool
+ default y
+ select CRYPTO_HMAC
+ select CRYPTO_SHA512
+
+config CRYPTO_DRBG_HASH
+ bool "Hash_DRBG"
+ select CRYPTO_SHA256
+ help
+ Hash_DRBG variant as defined in NIST SP800-90A.
+
+ This uses the SHA-1, SHA-256, SHA-384, or SHA-512 hash algorithms.
+
+config CRYPTO_DRBG_CTR
+ bool "CTR_DRBG"
+ select CRYPTO_AES
+ select CRYPTO_CTR
+ help
+ CTR_DRBG variant as defined in NIST SP800-90A.
+
+ This uses the AES cipher algorithm with the counter block mode.
+
+config CRYPTO_DRBG
+ tristate
+ default CRYPTO_DRBG_MENU
+ select CRYPTO_RNG
+ select CRYPTO_JITTERENTROPY
+
+endif # if CRYPTO_DRBG_MENU
+
+config CRYPTO_JITTERENTROPY
+ tristate "CPU Jitter Non-Deterministic RNG (Random Number Generator)"
+ select CRYPTO_RNG
+ select CRYPTO_SHA3
+ help
+ CPU Jitter RNG (Random Number Generator) from the Jitterentropy library
+
+ A non-physical non-deterministic ("true") RNG (e.g., an entropy source
+ compliant with NIST SP800-90B) intended to provide a seed to a
+ deterministic RNG (e.g. per NIST SP800-90C).
+ This RNG does not perform any cryptographic whitening of the generated
+
+ See https://www.chronox.de/jent.html
+
+config CRYPTO_JITTERENTROPY_TESTINTERFACE
+ bool "CPU Jitter RNG Test Interface"
+ depends on CRYPTO_JITTERENTROPY
+ help
+ The test interface allows a privileged process to capture
+ the raw unconditioned high resolution time stamp noise that
+ is collected by the Jitter RNG for statistical analysis. As
+ this data is used at the same time to generate random bits,
+ the Jitter RNG operates in an insecure mode as long as the
+ recording is enabled. This interface therefore is only
+ intended for testing purposes and is not suitable for
+ production systems.
+
+ The raw noise data can be obtained using the jent_raw_hires
+ debugfs file. Using the option
+ jitterentropy_testing.boot_raw_hires_test=1 the raw noise of
+ the first 1000 entropy events since boot can be sampled.
+
+ If unsure, select N.
+
+config CRYPTO_KDF800108_CTR
+ tristate
+ select CRYPTO_HMAC
+ select CRYPTO_SHA256
+
+endmenu
+menu "Userspace interface"
+
+config CRYPTO_USER_API
+ tristate
+
+config CRYPTO_USER_API_HASH
+ tristate "Hash algorithms"
+ depends on NET
+ select CRYPTO_HASH
+ select CRYPTO_USER_API
+ help
+ Enable the userspace interface for hash algorithms.
+
+ See Documentation/crypto/userspace-if.rst and
+ https://www.chronox.de/libkcapi/html/index.html
+
+config CRYPTO_USER_API_SKCIPHER
+ tristate "Symmetric key cipher algorithms"
+ depends on NET
+ select CRYPTO_SKCIPHER
+ select CRYPTO_USER_API
+ help
+ Enable the userspace interface for symmetric key cipher algorithms.
+
+ See Documentation/crypto/userspace-if.rst and
+ https://www.chronox.de/libkcapi/html/index.html
+
+config CRYPTO_USER_API_RNG
+ tristate "RNG (random number generator) algorithms"
+ depends on NET
+ select CRYPTO_RNG
+ select CRYPTO_USER_API
+ help
+ Enable the userspace interface for RNG (random number generator)
+ algorithms.
+
+ See Documentation/crypto/userspace-if.rst and
+ https://www.chronox.de/libkcapi/html/index.html
+
+config CRYPTO_USER_API_RNG_CAVP
+ bool "Enable CAVP testing of DRBG"
+ depends on CRYPTO_USER_API_RNG && CRYPTO_DRBG
+ help
+ Enable extra APIs in the userspace interface for NIST CAVP
+ (Cryptographic Algorithm Validation Program) testing:
+ - resetting DRBG entropy
+ - providing Additional Data
+
+ This should only be enabled for CAVP testing. You should say
+ no unless you know what this is.
+
+config CRYPTO_USER_API_AEAD
+ tristate "AEAD cipher algorithms"
+ depends on NET
+ select CRYPTO_AEAD
+ select CRYPTO_SKCIPHER
+ select CRYPTO_NULL
+ select CRYPTO_USER_API
+ help
+ Enable the userspace interface for AEAD cipher algorithms.
+
+ See Documentation/crypto/userspace-if.rst and
+ https://www.chronox.de/libkcapi/html/index.html
+
+config CRYPTO_USER_API_ENABLE_OBSOLETE
+ bool "Obsolete cryptographic algorithms"
+ depends on CRYPTO_USER_API
+ default y
+ help
+ Allow obsolete cryptographic algorithms to be selected that have
+ already been phased out from internal use by the kernel, and are
+ only useful for userspace clients that still rely on them.
+
+config CRYPTO_STATS
+ bool "Crypto usage statistics"
+ depends on CRYPTO_USER
+ help
+ Enable the gathering of crypto stats.
+
+ Enabling this option reduces the performance of the crypto API. It
+ should only be enabled when there is actually a use case for it.
+
+ This collects data sizes, numbers of requests, and numbers
+ of errors processed by:
+ - AEAD ciphers (encrypt, decrypt)
+ - asymmetric key ciphers (encrypt, decrypt, verify, sign)
+ - symmetric key ciphers (encrypt, decrypt)
+ - compression algorithms (compress, decompress)
+ - hash algorithms (hash)
+ - key-agreement protocol primitives (setsecret, generate
+ public key, compute shared secret)
+ - RNG (generate, seed)
+
+endmenu
+
+config CRYPTO_HASH_INFO
+ bool
+
+if !KMSAN # avoid false positives from assembly
+if ARM
+source "arch/arm/crypto/Kconfig"
+endif
+if ARM64
+source "arch/arm64/crypto/Kconfig"
+endif
+if LOONGARCH
+source "arch/loongarch/crypto/Kconfig"
+endif
+if MIPS
+source "arch/mips/crypto/Kconfig"
+endif
+if PPC
+source "arch/powerpc/crypto/Kconfig"
+endif
+if S390
+source "arch/s390/crypto/Kconfig"
+endif
+if SPARC
+source "arch/sparc/crypto/Kconfig"
+endif
+if X86
+source "arch/x86/crypto/Kconfig"
+endif
+endif
+
+source "drivers/crypto/Kconfig"
+source "crypto/asymmetric_keys/Kconfig"
+source "certs/Kconfig"
+
+endif # if CRYPTO