Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost

[linux-2.6-microblaze.git] / net / xfrm / Kconfig

# SPDX-License-Identifier: GPL-2.0-only
#
# XFRM configuration
#
config XFRM
        bool
        depends on INET
        select GRO_CELLS
        select SKB_EXTENSIONS

config XFRM_OFFLOAD
        bool

config XFRM_ALGO
        tristate
        select XFRM
        select CRYPTO
        select CRYPTO_HASH
        select CRYPTO_SKCIPHER

if INET
config XFRM_USER
        tristate "Transformation user configuration interface"
        select XFRM_ALGO
        help
          Support for Transformation(XFRM) user configuration interface
          like IPsec used by native Linux tools.

          If unsure, say Y.

config XFRM_INTERFACE
        tristate "Transformation virtual interface"
        depends on XFRM && IPV6
        help
          This provides a virtual interface to route IPsec traffic.

          If unsure, say N.

config XFRM_SUB_POLICY
        bool "Transformation sub policy support"
        depends on XFRM
        help
          Support sub policy for developers. By using sub policy with main
          one, two policies can be applied to the same packet at once.
          Policy which lives shorter time in kernel should be a sub.

          If unsure, say N.

config XFRM_MIGRATE
        bool "Transformation migrate database"
        depends on XFRM
        help
          A feature to update locator(s) of a given IPsec security
          association dynamically.  This feature is required, for
          instance, in a Mobile IPv6 environment with IPsec configuration
          where mobile nodes change their attachment point to the Internet.

          If unsure, say N.

config XFRM_STATISTICS
        bool "Transformation statistics"
        depends on XFRM && PROC_FS
        help
          This statistics is not a SNMP/MIB specification but shows
          statistics about transformation error (or almost error) factor
          at packet processing for developer.

          If unsure, say N.

# This option selects XFRM_ALGO along with the AH authentication algorithms that
# RFC 8221 lists as MUST be implemented.
config XFRM_AH
        tristate
        select XFRM_ALGO
        select CRYPTO
        select CRYPTO_HMAC
        select CRYPTO_SHA256

# This option selects XFRM_ALGO along with the ESP encryption and authentication
# algorithms that RFC 8221 lists as MUST be implemented.
config XFRM_ESP
        tristate
        select XFRM_ALGO
        select CRYPTO
        select CRYPTO_AES
        select CRYPTO_AUTHENC
        select CRYPTO_CBC
        select CRYPTO_ECHAINIV
        select CRYPTO_GCM
        select CRYPTO_HMAC
        select CRYPTO_SEQIV
        select CRYPTO_SHA256

config XFRM_IPCOMP
        tristate
        select XFRM_ALGO
        select CRYPTO
        select CRYPTO_DEFLATE

config NET_KEY
        tristate "PF_KEY sockets"
        select XFRM_ALGO
        help
          PF_KEYv2 socket family, compatible to KAME ones.
          They are required if you are going to use IPsec tools ported
          from KAME.

          Say Y unless you know what you are doing.

config NET_KEY_MIGRATE
        bool "PF_KEY MIGRATE"
        depends on NET_KEY
        select XFRM_MIGRATE
        help
          Add a PF_KEY MIGRATE message to PF_KEYv2 socket family.
          The PF_KEY MIGRATE message is used to dynamically update
          locator(s) of a given IPsec security association.
          This feature is required, for instance, in a Mobile IPv6
          environment with IPsec configuration where mobile nodes
          change their attachment point to the Internet.  Detail
          information can be found in the internet-draft
          <draft-sugimoto-mip6-pfkey-migrate>.

          If unsure, say N.

config XFRM_ESPINTCP
        bool

endif # INET