Loading...
1# SPDX-License-Identifier: GPL-2.0-only
2#
3# XFRM configuration
4#
5config XFRM
6 bool
7 depends on INET
8 select GRO_CELLS
9 select SKB_EXTENSIONS
10
11config XFRM_OFFLOAD
12 bool
13
14config XFRM_ALGO
15 tristate
16 select XFRM
17 select CRYPTO
18 select CRYPTO_HASH
19 select CRYPTO_BLKCIPHER
20
21if INET
22config XFRM_USER
23 tristate "Transformation user configuration interface"
24 select XFRM_ALGO
25 ---help---
26 Support for Transformation(XFRM) user configuration interface
27 like IPsec used by native Linux tools.
28
29 If unsure, say Y.
30
31config XFRM_INTERFACE
32 tristate "Transformation virtual interface"
33 depends on XFRM && IPV6
34 ---help---
35 This provides a virtual interface to route IPsec traffic.
36
37 If unsure, say N.
38
39config XFRM_SUB_POLICY
40 bool "Transformation sub policy support"
41 depends on XFRM
42 ---help---
43 Support sub policy for developers. By using sub policy with main
44 one, two policies can be applied to the same packet at once.
45 Policy which lives shorter time in kernel should be a sub.
46
47 If unsure, say N.
48
49config XFRM_MIGRATE
50 bool "Transformation migrate database"
51 depends on XFRM
52 ---help---
53 A feature to update locator(s) of a given IPsec security
54 association dynamically. This feature is required, for
55 instance, in a Mobile IPv6 environment with IPsec configuration
56 where mobile nodes change their attachment point to the Internet.
57
58 If unsure, say N.
59
60config XFRM_STATISTICS
61 bool "Transformation statistics"
62 depends on XFRM && PROC_FS
63 ---help---
64 This statistics is not a SNMP/MIB specification but shows
65 statistics about transformation error (or almost error) factor
66 at packet processing for developer.
67
68 If unsure, say N.
69
70config XFRM_IPCOMP
71 tristate
72 select XFRM_ALGO
73 select CRYPTO
74 select CRYPTO_DEFLATE
75
76config NET_KEY
77 tristate "PF_KEY sockets"
78 select XFRM_ALGO
79 ---help---
80 PF_KEYv2 socket family, compatible to KAME ones.
81 They are required if you are going to use IPsec tools ported
82 from KAME.
83
84 Say Y unless you know what you are doing.
85
86config NET_KEY_MIGRATE
87 bool "PF_KEY MIGRATE"
88 depends on NET_KEY
89 select XFRM_MIGRATE
90 ---help---
91 Add a PF_KEY MIGRATE message to PF_KEYv2 socket family.
92 The PF_KEY MIGRATE message is used to dynamically update
93 locator(s) of a given IPsec security association.
94 This feature is required, for instance, in a Mobile IPv6
95 environment with IPsec configuration where mobile nodes
96 change their attachment point to the Internet. Detail
97 information can be found in the internet-draft
98 <draft-sugimoto-mip6-pfkey-migrate>.
99
100 If unsure, say N.
101
102endif # INET
1# SPDX-License-Identifier: GPL-2.0-only
2#
3# XFRM configuration
4#
5config XFRM
6 bool
7 depends on INET
8 select GRO_CELLS
9 select SKB_EXTENSIONS
10
11config XFRM_OFFLOAD
12 bool
13
14config XFRM_ALGO
15 tristate
16 select XFRM
17 select CRYPTO
18 select CRYPTO_AEAD
19 select CRYPTO_HASH
20 select CRYPTO_SKCIPHER
21
22if INET
23config XFRM_USER
24 tristate "Transformation user configuration interface"
25 select XFRM_ALGO
26 help
27 Support for Transformation(XFRM) user configuration interface
28 like IPsec used by native Linux tools.
29
30 If unsure, say Y.
31
32config XFRM_USER_COMPAT
33 tristate "Compatible ABI support"
34 depends on XFRM_USER && COMPAT_FOR_U64_ALIGNMENT && \
35 HAVE_EFFICIENT_UNALIGNED_ACCESS
36 select WANT_COMPAT_NETLINK_MESSAGES
37 help
38 Transformation(XFRM) user configuration interface like IPsec
39 used by compatible Linux applications.
40
41 If unsure, say N.
42
43config XFRM_INTERFACE
44 tristate "Transformation virtual interface"
45 depends on XFRM && IPV6
46 help
47 This provides a virtual interface to route IPsec traffic.
48
49 If unsure, say N.
50
51config XFRM_SUB_POLICY
52 bool "Transformation sub policy support"
53 depends on XFRM
54 help
55 Support sub policy for developers. By using sub policy with main
56 one, two policies can be applied to the same packet at once.
57 Policy which lives shorter time in kernel should be a sub.
58
59 If unsure, say N.
60
61config XFRM_MIGRATE
62 bool "Transformation migrate database"
63 depends on XFRM
64 help
65 A feature to update locator(s) of a given IPsec security
66 association dynamically. This feature is required, for
67 instance, in a Mobile IPv6 environment with IPsec configuration
68 where mobile nodes change their attachment point to the Internet.
69
70 If unsure, say N.
71
72config XFRM_STATISTICS
73 bool "Transformation statistics"
74 depends on XFRM && PROC_FS
75 help
76 This statistics is not a SNMP/MIB specification but shows
77 statistics about transformation error (or almost error) factor
78 at packet processing for developer.
79
80 If unsure, say N.
81
82# This option selects XFRM_ALGO along with the AH authentication algorithms that
83# RFC 8221 lists as MUST be implemented.
84config XFRM_AH
85 tristate
86 select XFRM_ALGO
87 select CRYPTO
88 select CRYPTO_HMAC
89 select CRYPTO_SHA256
90
91# This option selects XFRM_ALGO along with the ESP encryption and authentication
92# algorithms that RFC 8221 lists as MUST be implemented.
93config XFRM_ESP
94 tristate
95 select XFRM_ALGO
96 select CRYPTO
97 select CRYPTO_AES
98 select CRYPTO_AUTHENC
99 select CRYPTO_CBC
100 select CRYPTO_ECHAINIV
101 select CRYPTO_GCM
102 select CRYPTO_HMAC
103 select CRYPTO_SEQIV
104 select CRYPTO_SHA256
105
106config XFRM_IPCOMP
107 tristate
108 select XFRM_ALGO
109 select CRYPTO
110 select CRYPTO_DEFLATE
111
112config NET_KEY
113 tristate "PF_KEY sockets"
114 select XFRM_ALGO
115 help
116 PF_KEYv2 socket family, compatible to KAME ones.
117 They are required if you are going to use IPsec tools ported
118 from KAME.
119
120 Say Y unless you know what you are doing.
121
122config NET_KEY_MIGRATE
123 bool "PF_KEY MIGRATE"
124 depends on NET_KEY
125 select XFRM_MIGRATE
126 help
127 Add a PF_KEY MIGRATE message to PF_KEYv2 socket family.
128 The PF_KEY MIGRATE message is used to dynamically update
129 locator(s) of a given IPsec security association.
130 This feature is required, for instance, in a Mobile IPv6
131 environment with IPsec configuration where mobile nodes
132 change their attachment point to the Internet. Detail
133 information can be found in the internet-draft
134 <draft-sugimoto-mip6-pfkey-migrate>.
135
136 If unsure, say N.
137
138config XFRM_ESPINTCP
139 bool
140
141endif # INET