0001 # SPDX-License-Identifier: GPL-2.0-only
0002 #
0003 # XFRM configuration
0004 #
# Core XFRM symbol. It has no prompt, so it is enabled only when another
# option selects it (XFRM_ALGO below does). Kconfig's "select" does not
# evaluate the selected symbol's "depends on", so the INET dependency here
# is not enforced against selectors.
# NOTE(review): confirm every selector is itself only reachable with INET set.
0005 config XFRM
0006 bool
0007 depends on INET
0008 select GRO_CELLS
0009 select SKB_EXTENSIONS
0010
# Promptless bool with no dependencies or selects of its own. Nothing in this
# file selects it, so it is presumably turned on from another Kconfig file.
# TODO confirm which options select it.
0011 config XFRM_OFFLOAD
0012 bool
0013
# Promptless helper: enables core XFRM plus the generic crypto API pieces
# selected below (CRYPTO, CRYPTO_HASH, CRYPTO_SKCIPHER). It names no concrete
# cipher or digest; in this file those are selected by the protocol symbols
# (XFRM_AH, XFRM_ESP, XFRM_IPCOMP). Declared outside the "if INET" block even
# though it selects XFRM, which depends on INET.
0014 config XFRM_ALGO
0015 tristate
0016 select XFRM
0017 select CRYPTO
0018 select CRYPTO_HASH
0019 select CRYPTO_SKCIPHER
0020
0021 if INET
0022 config XFRM_USER
0023 tristate "Transformation user configuration interface"
0024 select XFRM_ALGO
0025 help
0026 Support for the user configuration interface for transformations
0027 (XFRM) such as IPsec, as used by native Linux tools.
0028
0029 If unsure, say Y.
0030
0031 config XFRM_USER_COMPAT
0032 tristate "Compatible ABI support"
0033 depends on XFRM_USER && COMPAT_FOR_U64_ALIGNMENT && \
0034 HAVE_EFFICIENT_UNALIGNED_ACCESS
0035 select WANT_COMPAT_NETLINK_MESSAGES
0036 help
0037 User configuration interface for transformations (XFRM) such as
0038 IPsec, as used by Linux applications built for the compat ABI.
0039
0040 If unsure, say N.
0041
# User-visible option. Because of the "XFRM && IPV6" dependency it is only
# offered when XFRM has already been selected by another option and the
# kernel is built with IPv6.
0042 config XFRM_INTERFACE
0043 tristate "Transformation virtual interface"
0044 depends on XFRM && IPV6
0045 help
0046 This provides a virtual interface to route IPsec traffic.
0047
0048 If unsure, say N.
0049
0050 config XFRM_SUB_POLICY
0051 bool "Transformation sub policy support"
0052 depends on XFRM
0053 help
0054 Support sub policies (for developers). By using a sub policy together with
0055 the main one, two policies can be applied to the same packet at once. The
0056 policy with the shorter lifetime in the kernel should be the sub policy.
0057
0058 If unsure, say N.
0059
# Can be enabled directly through its prompt, and is also forced on by
# NET_KEY_MIGRATE further down in this file via "select". That path satisfies
# the XFRM dependency indirectly: NET_KEY_MIGRATE depends on NET_KEY, which
# selects XFRM_ALGO, which selects XFRM.
0060 config XFRM_MIGRATE
0061 bool "Transformation migrate database"
0062 depends on XFRM
0063 help
0064 A feature to update locator(s) of a given IPsec security
0065 association dynamically. This feature is required, for
0066 instance, in a Mobile IPv6 environment with IPsec configuration
0067 where mobile nodes change their attachment point to the Internet.
0068
0069 If unsure, say N.
0070
0071 config XFRM_STATISTICS
0072 bool "Transformation statistics"
0073 depends on XFRM && PROC_FS
0074 help
0075 These statistics do not follow an SNMP/MIB specification; they show,
0076 for developers, the causes of transformation errors (or near-errors)
0077 encountered during packet processing.
0078
0079 If unsure, say N.
0080
0081 # This option selects XFRM_ALGO along with the AH authentication algorithms that
0082 # RFC 8221 lists as MUST be implemented.
# Promptless: nothing in this file selects it, so it is presumably enabled by
# options defined elsewhere. TODO confirm the selectors.
# Only HMAC and SHA-256 are pulled in by the selects below; an integrity
# algorithm outside that set is not enabled by this symbol and has to be
# turned on separately in the crypto configuration.
0083 config XFRM_AH
0084 tristate
0085 select XFRM_ALGO
0086 select CRYPTO
0087 select CRYPTO_HMAC
0088 select CRYPTO_SHA256
0089
0090 # This option selects XFRM_ALGO along with the ESP encryption and authentication
0091 # algorithms that RFC 8221 lists as MUST be implemented.
# Promptless: nothing in this file selects it, so it is presumably enabled by
# options defined elsewhere. TODO confirm the selectors.
# The selects below cover AES with the CBC and GCM modes, HMAC with SHA-256,
# the authenc combiner, and the echainiv/seqiv IV generators. An algorithm
# outside this list is not enabled by this symbol and has to be turned on
# separately in the crypto configuration.
0092 config XFRM_ESP
0093 tristate
0094 select XFRM_ALGO
0095 select CRYPTO
0096 select CRYPTO_AES
0097 select CRYPTO_AUTHENC
0098 select CRYPTO_CBC
0099 select CRYPTO_ECHAINIV
0100 select CRYPTO_GCM
0101 select CRYPTO_HMAC
0102 select CRYPTO_SEQIV
0103 select CRYPTO_SHA256
0104
# Promptless: nothing in this file selects it, so it is presumably enabled by
# options defined elsewhere. TODO confirm the selectors.
# Deflate (CRYPTO_DEFLATE) is the only compression algorithm selected here.
0105 config XFRM_IPCOMP
0106 tristate
0107 select XFRM_ALGO
0108 select CRYPTO
0109 select CRYPTO_DEFLATE
0110
0111 config NET_KEY
0112 tristate "PF_KEY sockets"
0113 select XFRM_ALGO
0114 help
0115 PF_KEYv2 socket family, compatible with the KAME implementation.
0116 It is required if you are going to use IPsec tools ported
0117 from KAME.
0118
0119 Say Y unless you know what you are doing.
0120
0121 config NET_KEY_MIGRATE
0122 bool "PF_KEY MIGRATE"
0123 depends on NET_KEY
0124 select XFRM_MIGRATE
0125 help
0126 Add a PF_KEY MIGRATE message to PF_KEYv2 socket family.
0127 The PF_KEY MIGRATE message is used to dynamically update
0128 locator(s) of a given IPsec security association.
0129 This feature is required, for instance, in a Mobile IPv6
0130 environment with IPsec configuration where mobile nodes
0131 change their attachment point to the Internet. Detailed
0132 information can be found in the internet-draft
0133 <draft-sugimoto-mip6-pfkey-migrate>.
0134
0135 If unsure, say N.
0136
# Promptless bool with no dependencies or selects of its own. Nothing in this
# file selects it, so it is presumably enabled by options defined elsewhere.
# NOTE(review): the name suggests ESP-in-TCP encapsulation; confirm against
# the selecting options.
0137 config XFRM_ESPINTCP
0138 bool
0139
0140 endif # INET