mirror of
https://github.com/coolsnowwolf/lede.git
synced 2025-04-16 14:23:38 +00:00
161 lines
5.1 KiB
Plaintext
161 lines
5.1 KiB
Plaintext
menu "Configuration"
|
|
depends on TARGET_x86_64
|
|
|
|
choice
|
|
prompt "Platform"
|
|
default QAT_NONE
|
|
config QAT_NONE
|
|
bool "None (Default)"
|
|
config QAT_C2XXX
|
|
bool "c2xxx - Rangeley"
|
|
depends on LINUX_4_14
|
|
select PACKAGE_quickassist-c2xxx
|
|
select PACKAGE_kmod-crypto-qat-c2xxx
|
|
select PACKAGE_kmod-crypto-qat-c2xxx-usdm
|
|
config QAT_C3XXX
|
|
bool "c3xxx - Denverton"
|
|
select PACKAGE_quickassist-c3xxx
|
|
select PACKAGE_kmod-crypto-qat-c3xxx
|
|
select PACKAGE_kmod-crypto-qat-common
|
|
select PACKAGE_kmod-crypto-qat-usdm
|
|
|
|
endchoice
|
|
|
|
config QAT_ENGINE_DISABLE_RSA
|
|
bool
|
|
default n
|
|
prompt "Disable QAT RSA offload"
|
|
|
|
config QAT_ENGINE_DISABLE_DSA
|
|
bool
|
|
default n
|
|
prompt "Disable QAT DSA offload"
|
|
|
|
config QAT_ENGINE_DISABLE_DH
|
|
bool
|
|
default n
|
|
prompt "Disable QAT DH offload"
|
|
|
|
config QAT_ENGINE_DISABLE_EDSA
|
|
bool
|
|
default n
|
|
prompt "Disable QAT ECDSA offload"
|
|
|
|
config QAT_ENGINE_DISABLE_CIPHERS
|
|
bool
|
|
default y
|
|
prompt "Disable QAT chained cipher offload"
|
|
help
|
|
Offload of chained ciphers performs significantly worse than CPU
|
|
based chained ciphers. Strongly recommended to keep this disabled
|
|
|
|
config QAT_ENGINE_DISABLE_HKDF
|
|
bool
|
|
default y
|
|
prompt "Disable QAT HKDF offload"
|
|
help
|
|
Disable QAT HKDF offload
|
|
|
|
config QAT_ENGINE_ENABLE_GCM_CIPHERS
|
|
bool
|
|
default n
|
|
prompt "Enable QAT GCM offload"
|
|
help
|
|
Enable QAT GCM offload
|
|
|
|
config QAT_ENGINE_ENABLE_SMALL_PACKET
|
|
bool
|
|
default n
|
|
prompt "Enable offload of small packet cipher operations"
|
|
help
|
|
This is generally a bad idea from a performance point of view since
|
|
there is a penalty for transfer of the data across the pci bus to the
|
|
accelerator that makes it faster for small packet operations using
|
|
only cpu resources and not QAT offloading (generally < 4k bufsize)
|
|
|
|
config QAT_ENGINE_ENABLE_WARNINGS
|
|
bool
|
|
default n
|
|
prompt "Enable warnings to aid in debugging"
|
|
help
|
|
WARNING: never leave on in a production environment as it may output
|
|
private key informtion to the logs and it may introduce side-channel
|
|
timing attack vulnerabilities
|
|
|
|
config QAT_ENGINE_ENABLE_DEBUG
|
|
bool
|
|
default n
|
|
prompt "Enable debug output"
|
|
help
|
|
WARNING: never leave on in a production environment as it may output
|
|
private key informtion to the logs and it may introduce side-channel
|
|
timing attack vulnerabilities
|
|
|
|
config QAT_ENGINE_ENABLE_QAT_MEM_WARNINGS
|
|
bool
|
|
default n
|
|
prompt "Enable warnings from the userspace memory management code"
|
|
help
|
|
WARNING: This option should never be left on in a production
|
|
environment as it may introduce side channel timing attack
|
|
vulnerabilities
|
|
|
|
config QAT_ENGINE_ENABLE_MEM_DEBUG
|
|
bool
|
|
default n
|
|
prompt "Enable debug output from userspace memory management (very verbose)"
|
|
help
|
|
This will also enable the QAT_MEM warning messages. This option
|
|
produces quite verbose output hence why it is separate to the
|
|
standard debug.
|
|
|
|
WARNING: This option should never be enabled in a production environment
|
|
as it may output private key information to the console/logs and may
|
|
also introduce side channel timing attack vulnerabilities
|
|
|
|
config QAT_ENGINE_ENABLE_MULTITHREAD
|
|
bool
|
|
default n
|
|
prompt "Optimize for multi-threaded use"
|
|
help
|
|
This alternative method will give improved performance in a
|
|
multi-threaded environment by making the slab pools thread
|
|
local to avoid locking between threads. Although this can
|
|
give better performance there are several drawbacks such as
|
|
the memory slabs will be utilized less efficiently, and you
|
|
cannot allocate in one thread and free in another thread.
|
|
Running in this mode DOES NOT support processes that fork
|
|
|
|
config QAT_ENGINE_DISABLE_LENSTRA
|
|
bool
|
|
default n
|
|
prompt "Disable protection against Lenstra attack (CVE-2017-5681)"
|
|
help
|
|
The RSA-CRT implementation in the Intel(R) QAT OpenSSL* Engine for
|
|
OpenSSL* versions prior to v0.5.19 may allow remote attackers to
|
|
obtain private RSA keys by conducting a Lenstra side-channel attack.
|
|
From version v0.5.19 onward, protection against this form of attack
|
|
is effected by performing a Verify/Encrypt operation after the Sign/Decrypt
|
|
operation, and if a failure is detected then re-running the Sign/Decrypt
|
|
operation using the CPU. However, future releases of Intel(R) QAT
|
|
driver code or firmware may effect this protection instead, in which
|
|
case the Intel(R) QAT OpenSSL* Engine code-based protection would no
|
|
longer be required and this configuration option should then be selected.
|
|
|
|
config QAT_ENGINE_DISABLE_AUTOINIT_ONFORK
|
|
bool
|
|
default y
|
|
prompt "Disable auto engine init on fork"
|
|
help
|
|
Disable the engine from being initialized automatically following a
|
|
fork operation. This is useful in a situation where you want to tightly
|
|
control how many instances are being used for processes. For instance if an
|
|
application forks to start a process that does not utilize QAT currently
|
|
the default behaviour is for the engine to still automatically get started
|
|
in the child using up an engine instance. After using this flag either the
|
|
engine needs to be initialized manually using the engine message:
|
|
INIT_ENGINE or will automatically get initialized on the first QAT crypto
|
|
operation.
|
|
|
|
endmenu
|