mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2025-02-24 15:31:05 +07:00
be01369859
The crypto algorithms selected by the ESP and AH kconfig options are out-of-date with the guidance of RFC 8221, which lists the legacy algorithms MD5 and DES as "MUST NOT" be implemented, and some more modern algorithms like AES-GCM and HMAC-SHA256 as "MUST" be implemented. But the options select the legacy algorithms, not the modern ones. Therefore, modify these options to select the MUST algorithms -- and *only* the MUST algorithms. Also improve the help text. Note that other algorithms may still be explicitly enabled in the kconfig, and the choice of which to actually use is still controlled by userspace. This change only modifies the list of algorithms for which kernel support is guaranteed to be present. Suggested-by: Herbert Xu <herbert@gondor.apana.org.au> Suggested-by: Steffen Klassert <steffen.klassert@secunet.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Cc: Corentin Labbe <clabbe@baylibre.com> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
130 lines
3.1 KiB
Plaintext
130 lines
3.1 KiB
Plaintext
# SPDX-License-Identifier: GPL-2.0-only
|
|
#
|
|
# XFRM configuration
|
|
#
|
|
config XFRM
|
|
bool
|
|
depends on INET
|
|
select GRO_CELLS
|
|
select SKB_EXTENSIONS
|
|
|
|
config XFRM_OFFLOAD
|
|
bool
|
|
|
|
config XFRM_ALGO
|
|
tristate
|
|
select XFRM
|
|
select CRYPTO
|
|
select CRYPTO_HASH
|
|
select CRYPTO_SKCIPHER
|
|
|
|
if INET
|
|
config XFRM_USER
|
|
tristate "Transformation user configuration interface"
|
|
select XFRM_ALGO
|
|
---help---
|
|
Support for Transformation(XFRM) user configuration interface
|
|
like IPsec used by native Linux tools.
|
|
|
|
If unsure, say Y.
|
|
|
|
config XFRM_INTERFACE
|
|
tristate "Transformation virtual interface"
|
|
depends on XFRM && IPV6
|
|
---help---
|
|
This provides a virtual interface to route IPsec traffic.
|
|
|
|
If unsure, say N.
|
|
|
|
config XFRM_SUB_POLICY
|
|
bool "Transformation sub policy support"
|
|
depends on XFRM
|
|
---help---
|
|
Support sub policy for developers. By using sub policy with main
|
|
one, two policies can be applied to the same packet at once.
|
|
Policy which lives shorter time in kernel should be a sub.
|
|
|
|
If unsure, say N.
|
|
|
|
config XFRM_MIGRATE
|
|
bool "Transformation migrate database"
|
|
depends on XFRM
|
|
---help---
|
|
A feature to update locator(s) of a given IPsec security
|
|
association dynamically. This feature is required, for
|
|
instance, in a Mobile IPv6 environment with IPsec configuration
|
|
where mobile nodes change their attachment point to the Internet.
|
|
|
|
If unsure, say N.
|
|
|
|
config XFRM_STATISTICS
|
|
bool "Transformation statistics"
|
|
depends on XFRM && PROC_FS
|
|
---help---
|
|
This statistics is not a SNMP/MIB specification but shows
|
|
statistics about transformation error (or almost error) factor
|
|
at packet processing for developer.
|
|
|
|
If unsure, say N.
|
|
|
|
# This option selects XFRM_ALGO along with the AH authentication algorithms that
|
|
# RFC 8221 lists as MUST be implemented.
|
|
config XFRM_AH
|
|
tristate
|
|
select XFRM_ALGO
|
|
select CRYPTO
|
|
select CRYPTO_HMAC
|
|
select CRYPTO_SHA256
|
|
|
|
# This option selects XFRM_ALGO along with the ESP encryption and authentication
|
|
# algorithms that RFC 8221 lists as MUST be implemented.
|
|
config XFRM_ESP
|
|
tristate
|
|
select XFRM_ALGO
|
|
select CRYPTO
|
|
select CRYPTO_AES
|
|
select CRYPTO_AUTHENC
|
|
select CRYPTO_CBC
|
|
select CRYPTO_ECHAINIV
|
|
select CRYPTO_GCM
|
|
select CRYPTO_HMAC
|
|
select CRYPTO_SEQIV
|
|
select CRYPTO_SHA256
|
|
|
|
config XFRM_IPCOMP
|
|
tristate
|
|
select XFRM_ALGO
|
|
select CRYPTO
|
|
select CRYPTO_DEFLATE
|
|
|
|
config NET_KEY
|
|
tristate "PF_KEY sockets"
|
|
select XFRM_ALGO
|
|
---help---
|
|
PF_KEYv2 socket family, compatible to KAME ones.
|
|
They are required if you are going to use IPsec tools ported
|
|
from KAME.
|
|
|
|
Say Y unless you know what you are doing.
|
|
|
|
config NET_KEY_MIGRATE
|
|
bool "PF_KEY MIGRATE"
|
|
depends on NET_KEY
|
|
select XFRM_MIGRATE
|
|
---help---
|
|
Add a PF_KEY MIGRATE message to PF_KEYv2 socket family.
|
|
The PF_KEY MIGRATE message is used to dynamically update
|
|
locator(s) of a given IPsec security association.
|
|
This feature is required, for instance, in a Mobile IPv6
|
|
environment with IPsec configuration where mobile nodes
|
|
change their attachment point to the Internet. Detail
|
|
information can be found in the internet-draft
|
|
<draft-sugimoto-mip6-pfkey-migrate>.
|
|
|
|
If unsure, say N.
|
|
|
|
config XFRM_ESPINTCP
|
|
bool
|
|
|
|
endif # INET
|