1# SPDX-License-Identifier: GPL-2.0-only
2#
3# XFRM configuration
4#
5config XFRM
6	bool
7	depends on INET
8	select GRO_CELLS
9	select SKB_EXTENSIONS
10
11config XFRM_OFFLOAD
12	bool
13
14config XFRM_ALGO
15	tristate
16	select XFRM
17	select CRYPTO
18	select CRYPTO_AEAD
19	select CRYPTO_HASH
20	select CRYPTO_SKCIPHER
21
22if INET
23config XFRM_USER
24	tristate "Transformation user configuration interface"
25	select XFRM_ALGO
26	help
27	  Support for Transformation(XFRM) user configuration interface
28	  like IPsec used by native Linux tools.
29
30	  If unsure, say Y.
31
32config XFRM_USER_COMPAT
33	tristate "Compatible ABI support"
34	depends on XFRM_USER && COMPAT_FOR_U64_ALIGNMENT && \
35		HAVE_EFFICIENT_UNALIGNED_ACCESS
36	select WANT_COMPAT_NETLINK_MESSAGES
37	help
38	  Transformation(XFRM) user configuration interface like IPsec
39	  used by compatible Linux applications.
40
41	  If unsure, say N.
42
43config XFRM_INTERFACE
44	tristate "Transformation virtual interface"
45	depends on XFRM && IPV6
46	help
47	  This provides a virtual interface to route IPsec traffic.
48
49	  If unsure, say N.
50
51config XFRM_SUB_POLICY
52	bool "Transformation sub policy support"
53	depends on XFRM
54	help
55	  Support sub policy for developers. By using sub policy with main
56	  one, two policies can be applied to the same packet at once.
57	  Policy which lives shorter time in kernel should be a sub.
58
59	  If unsure, say N.
60
61config XFRM_MIGRATE
62	bool "Transformation migrate database"
63	depends on XFRM
64	help
65	  A feature to update locator(s) of a given IPsec security
66	  association dynamically.  This feature is required, for
67	  instance, in a Mobile IPv6 environment with IPsec configuration
68	  where mobile nodes change their attachment point to the Internet.
69
70	  If unsure, say N.
71
72config XFRM_STATISTICS
73	bool "Transformation statistics"
74	depends on XFRM && PROC_FS
75	help
76	  This statistics is not a SNMP/MIB specification but shows
77	  statistics about transformation error (or almost error) factor
78	  at packet processing for developer.
79
80	  If unsure, say N.
81
82# This option selects XFRM_ALGO along with the AH authentication algorithms that
83# RFC 8221 lists as MUST be implemented.
84config XFRM_AH
85	tristate
86	select XFRM_ALGO
87	select CRYPTO
88	select CRYPTO_HMAC
89	select CRYPTO_SHA256
90
91# This option selects XFRM_ALGO along with the ESP encryption and authentication
92# algorithms that RFC 8221 lists as MUST be implemented.
93config XFRM_ESP
94	tristate
95	select XFRM_ALGO
96	select CRYPTO
97	select CRYPTO_AES
98	select CRYPTO_AUTHENC
99	select CRYPTO_CBC
100	select CRYPTO_ECHAINIV
101	select CRYPTO_GCM
102	select CRYPTO_HMAC
103	select CRYPTO_SEQIV
104	select CRYPTO_SHA256
105
106config XFRM_IPCOMP
107	tristate
108	select XFRM_ALGO
109	select CRYPTO
110	select CRYPTO_DEFLATE
111
112config NET_KEY
113	tristate "PF_KEY sockets"
114	select XFRM_ALGO
115	help
116	  PF_KEYv2 socket family, compatible to KAME ones.
117	  They are required if you are going to use IPsec tools ported
118	  from KAME.
119
120	  Say Y unless you know what you are doing.
121
122config NET_KEY_MIGRATE
123	bool "PF_KEY MIGRATE"
124	depends on NET_KEY
125	select XFRM_MIGRATE
126	help
127	  Add a PF_KEY MIGRATE message to PF_KEYv2 socket family.
128	  The PF_KEY MIGRATE message is used to dynamically update
129	  locator(s) of a given IPsec security association.
130	  This feature is required, for instance, in a Mobile IPv6
131	  environment with IPsec configuration where mobile nodes
132	  change their attachment point to the Internet.  Detail
133	  information can be found in the internet-draft
134	  <draft-sugimoto-mip6-pfkey-migrate>.
135
136	  If unsure, say N.
137
138config XFRM_ESPINTCP
139	bool
140
141endif # INET
142