arch/arm/crypto/Kconfig v5.13-rc1

ARM_CRYPTO

ARM Accelerated Cryptographic Algorithms

Say Y here to choose from a selection of cryptographic algorithms
implemented using ARM specific CPU features or instructions.

CRYPTO_SHA1_ARM

SHA1 digest algorithm (ARM-asm)

SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
using optimized ARM assembler.

CRYPTO_SHA1_ARM_NEON

SHA1 digest algorithm (ARM NEON)

SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
using optimized ARM NEON assembly, when NEON instructions are
available.

CRYPTO_SHA1_ARM_CE

SHA1 digest algorithm (ARM v8 Crypto Extensions)

SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2) implemented
using special ARMv8 Crypto Extensions.

CRYPTO_SHA2_ARM_CE

SHA-224/256 digest algorithm (ARM v8 Crypto Extensions)

SHA-256 secure hash standard (DFIPS 180-2) implemented
using special ARMv8 Crypto Extensions.

CRYPTO_SHA256_ARM

SHA-224/256 digest algorithm (ARM-asm and NEON)

SHA-256 secure hash standard (DFIPS 180-2) implemented
using optimized ARM assembler and NEON, when available.

CRYPTO_SHA512_ARM

SHA-384/512 digest algorithm (ARM-asm and NEON)

SHA-512 secure hash standard (DFIPS 180-2) implemented
using optimized ARM assembler and NEON, when available.

CRYPTO_BLAKE2S_ARM

BLAKE2s digest algorithm (ARM)

BLAKE2s digest algorithm optimized with ARM scalar instructions.  This
is faster than the generic implementations of BLAKE2s and BLAKE2b, but
slower than the NEON implementation of BLAKE2b.  (There is no NEON
implementation of BLAKE2s, since NEON doesn't really help with it.)

CRYPTO_BLAKE2B_NEON

BLAKE2b digest algorithm (ARM NEON)

BLAKE2b digest algorithm optimized with ARM NEON instructions.
On ARM processors that have NEON support but not the ARMv8
Crypto Extensions, typically this BLAKE2b implementation is
much faster than SHA-2 and slightly faster than SHA-1.

CRYPTO_AES_ARM

Scalar AES cipher for ARM

Use optimized AES assembler routines for ARM platforms.

On ARM processors without the Crypto Extensions, this is the
fastest AES implementation for single blocks.  For multiple
blocks, the NEON bit-sliced implementation is usually faster.

This implementation may be vulnerable to cache timing attacks,
since it uses lookup tables.  However, as countermeasures it
disables IRQs and preloads the tables; it is hoped this makes
such attacks very difficult.

CRYPTO_AES_ARM_BS

Bit sliced AES using NEON instructions

Use a faster and more secure NEON based implementation of AES in CBC,
CTR and XTS modes

Bit sliced AES gives around 45% speedup on Cortex-A15 for CTR mode
and for XTS mode encryption, CBC and XTS mode decryption speedup is
around 25%. (CBC encryption speed is not affected by this driver.)
This implementation does not rely on any lookup tables so it is
believed to be invulnerable to cache timing attacks.

CRYPTO_AES_ARM_CE

Accelerated AES using ARMv8 Crypto Extensions

Use an implementation of AES in CBC, CTR and XTS modes that uses
ARMv8 Crypto Extensions

CRYPTO_GHASH_ARM_CE

PMULL-accelerated GHASH using NEON/ARMv8 Crypto Extensions

Use an implementation of GHASH (used by the GCM AEAD chaining mode)
that uses the 64x64 to 128 bit polynomial multiplication (vmull.p64)
that is part of the ARMv8 Crypto Extensions, or a slower variant that
uses the vmull.p8 instruction that is part of the basic NEON ISA.