|  | # SPDX-License-Identifier: GPL-2.0-only | 
|  | # | 
|  | # XFRM configuration | 
|  | # | 
|  | config XFRM | 
|  | bool | 
|  | depends on INET | 
|  | select GRO_CELLS | 
|  | select SKB_EXTENSIONS | 
|  |  | 
|  | config XFRM_OFFLOAD | 
|  | bool | 
|  |  | 
|  | config XFRM_ALGO | 
|  | tristate | 
|  | select XFRM | 
|  | select CRYPTO | 
|  | select CRYPTO_HASH | 
|  | select CRYPTO_SKCIPHER | 
|  |  | 
|  | if INET | 
|  | config XFRM_USER | 
|  | tristate "Transformation user configuration interface" | 
|  | select XFRM_ALGO | 
|  | help | 
|  | Support for Transformation(XFRM) user configuration interface | 
|  | like IPsec used by native Linux tools. | 
|  |  | 
|  | If unsure, say Y. | 
|  |  | 
|  | config XFRM_USER_COMPAT | 
|  | tristate "Compatible ABI support" | 
|  | depends on XFRM_USER && COMPAT_FOR_U64_ALIGNMENT && \ | 
|  | HAVE_EFFICIENT_UNALIGNED_ACCESS | 
|  | select WANT_COMPAT_NETLINK_MESSAGES | 
|  | help | 
|  | Transformation(XFRM) user configuration interface like IPsec | 
|  | used by compatible Linux applications. | 
|  |  | 
|  | If unsure, say N. | 
|  |  | 
|  | config XFRM_INTERFACE | 
|  | tristate "Transformation virtual interface" | 
|  | depends on XFRM && IPV6 | 
|  | help | 
|  | This provides a virtual interface to route IPsec traffic. | 
|  |  | 
|  | If unsure, say N. | 
|  |  | 
|  | config XFRM_SUB_POLICY | 
|  | bool "Transformation sub policy support" | 
|  | depends on XFRM | 
|  | help | 
|  | Support sub policy for developers. By using sub policy with main | 
|  | one, two policies can be applied to the same packet at once. | 
|  | Policy which lives shorter time in kernel should be a sub. | 
|  |  | 
|  | If unsure, say N. | 
|  |  | 
|  | config XFRM_MIGRATE | 
|  | bool "Transformation migrate database" | 
|  | depends on XFRM | 
|  | help | 
|  | A feature to update locator(s) of a given IPsec security | 
|  | association dynamically.  This feature is required, for | 
|  | instance, in a Mobile IPv6 environment with IPsec configuration | 
|  | where mobile nodes change their attachment point to the Internet. | 
|  |  | 
|  | If unsure, say N. | 
|  |  | 
|  | config XFRM_STATISTICS | 
|  | bool "Transformation statistics" | 
|  | depends on XFRM && PROC_FS | 
|  | help | 
|  | This statistics is not a SNMP/MIB specification but shows | 
|  | statistics about transformation error (or almost error) factor | 
|  | at packet processing for developer. | 
|  |  | 
|  | If unsure, say N. | 
|  |  | 
|  | # This option selects XFRM_ALGO along with the AH authentication algorithms that | 
|  | # RFC 8221 lists as MUST be implemented. | 
|  | config XFRM_AH | 
|  | tristate | 
|  | select XFRM_ALGO | 
|  | select CRYPTO | 
|  | select CRYPTO_HMAC | 
|  | select CRYPTO_SHA256 | 
|  |  | 
|  | # This option selects XFRM_ALGO along with the ESP encryption and authentication | 
|  | # algorithms that RFC 8221 lists as MUST be implemented. | 
|  | config XFRM_ESP | 
|  | tristate | 
|  | select XFRM_ALGO | 
|  | select CRYPTO | 
|  | select CRYPTO_AES | 
|  | select CRYPTO_AUTHENC | 
|  | select CRYPTO_CBC | 
|  | select CRYPTO_ECHAINIV | 
|  | select CRYPTO_GCM | 
|  | select CRYPTO_HMAC | 
|  | select CRYPTO_SEQIV | 
|  | select CRYPTO_SHA256 | 
|  |  | 
|  | config XFRM_IPCOMP | 
|  | tristate | 
|  | select XFRM_ALGO | 
|  | select CRYPTO | 
|  | select CRYPTO_DEFLATE | 
|  |  | 
|  | config NET_KEY | 
|  | tristate "PF_KEY sockets" | 
|  | select XFRM_ALGO | 
|  | help | 
|  | PF_KEYv2 socket family, compatible to KAME ones. | 
|  | They are required if you are going to use IPsec tools ported | 
|  | from KAME. | 
|  |  | 
|  | Say Y unless you know what you are doing. | 
|  |  | 
|  | config NET_KEY_MIGRATE | 
|  | bool "PF_KEY MIGRATE" | 
|  | depends on NET_KEY | 
|  | select XFRM_MIGRATE | 
|  | help | 
|  | Add a PF_KEY MIGRATE message to PF_KEYv2 socket family. | 
|  | The PF_KEY MIGRATE message is used to dynamically update | 
|  | locator(s) of a given IPsec security association. | 
|  | This feature is required, for instance, in a Mobile IPv6 | 
|  | environment with IPsec configuration where mobile nodes | 
|  | change their attachment point to the Internet.  Detail | 
|  | information can be found in the internet-draft | 
|  | <draft-sugimoto-mip6-pfkey-migrate>. | 
|  |  | 
|  | If unsure, say N. | 
|  |  | 
|  | config XFRM_ESPINTCP | 
|  | bool | 
|  |  | 
|  | endif # INET |