# SPDX-License-Identifier: GPL-2.0-only

  #
  # XFRM configuration
  #

  config XFRM

  	bool
  	depends on INET
  	select GRO_CELLS
  	select SKB_EXTENSIONS

  config XFRM_OFFLOAD

  	bool

  config XFRM_ALGO
  	tristate
  	select XFRM
  	select CRYPTO

  	select CRYPTO_HASH

  	select CRYPTO_SKCIPHER

  if INET

  config XFRM_USER

  	tristate "Transformation user configuration interface"

  	select XFRM_ALGO

  	help

  	  Support for Transformation(XFRM) user configuration interface
  	  like IPsec used by native Linux tools.

  
  	  If unsure, say Y.

  config XFRM_USER_COMPAT
  	tristate "Compatible ABI support"

  	depends on XFRM_USER && COMPAT_FOR_U64_ALIGNMENT && \
  		HAVE_EFFICIENT_UNALIGNED_ACCESS

  	select WANT_COMPAT_NETLINK_MESSAGES
  	help
  	  Transformation(XFRM) user configuration interface like IPsec
  	  used by compatible Linux applications.
  
  	  If unsure, say N.

  config XFRM_INTERFACE
  	tristate "Transformation virtual interface"
  	depends on XFRM && IPV6

  	help

  	  This provides a virtual interface to route IPsec traffic.
  
  	  If unsure, say N.

  config XFRM_SUB_POLICY

  	bool "Transformation sub policy support"
  	depends on XFRM

  	help

  	  Support sub policy for developers. By using sub policy with main
  	  one, two policies can be applied to the same packet at once.
  	  Policy which lives shorter time in kernel should be a sub.
  
  	  If unsure, say N.

  config XFRM_MIGRATE

  	bool "Transformation migrate database"
  	depends on XFRM

  	help

  	  A feature to update locator(s) of a given IPsec security
  	  association dynamically.  This feature is required, for
  	  instance, in a Mobile IPv6 environment with IPsec configuration
  	  where mobile nodes change their attachment point to the Internet.
  
  	  If unsure, say N.

  config XFRM_STATISTICS

  	bool "Transformation statistics"

  	depends on XFRM && PROC_FS

  	help

  	  This statistics is not a SNMP/MIB specification but shows
  	  statistics about transformation error (or almost error) factor
  	  at packet processing for developer.
  
  	  If unsure, say N.

  # This option selects XFRM_ALGO along with the AH authentication algorithms that
  # RFC 8221 lists as MUST be implemented.

  config XFRM_AH
  	tristate
  	select XFRM_ALGO
  	select CRYPTO
  	select CRYPTO_HMAC

  	select CRYPTO_SHA256

  # This option selects XFRM_ALGO along with the ESP encryption and authentication
  # algorithms that RFC 8221 lists as MUST be implemented.

  config XFRM_ESP
  	tristate
  	select XFRM_ALGO
  	select CRYPTO

  	select CRYPTO_AES

  	select CRYPTO_AUTHENC

  	select CRYPTO_CBC

  	select CRYPTO_ECHAINIV

  	select CRYPTO_GCM
  	select CRYPTO_HMAC

  	select CRYPTO_SEQIV

  	select CRYPTO_SHA256

  config XFRM_IPCOMP
  	tristate

  	select XFRM_ALGO

  	select CRYPTO
  	select CRYPTO_DEFLATE

  config NET_KEY
  	tristate "PF_KEY sockets"

  	select XFRM_ALGO

  	help

  	  PF_KEYv2 socket family, compatible to KAME ones.
  	  They are required if you are going to use IPsec tools ported
  	  from KAME.
  
  	  Say Y unless you know what you are doing.

  config NET_KEY_MIGRATE

  	bool "PF_KEY MIGRATE"
  	depends on NET_KEY

  	select XFRM_MIGRATE

  	help

  	  Add a PF_KEY MIGRATE message to PF_KEYv2 socket family.
  	  The PF_KEY MIGRATE message is used to dynamically update
  	  locator(s) of a given IPsec security association.
  	  This feature is required, for instance, in a Mobile IPv6
  	  environment with IPsec configuration where mobile nodes
  	  change their attachment point to the Internet.  Detail
  	  information can be found in the internet-draft
  	  <draft-sugimoto-mip6-pfkey-migrate>.
  
  	  If unsure, say N.

  config XFRM_ESPINTCP
  	bool

  endif # INET