bsdkm/README.md

# wolfSSL bsdkm (bsd kernel module)

libwolfssl supports building as a FreeBSD kernel module (`libwolfssl.ko`).
When loaded, wolfCrypt is made available to the rest of the kernel, allowing
other loadable modules to link to wolfCrypt.

Supported features:
- wolfCrypt in kernel.
- FIPS-wolfcrypt.

Planned features:
- crypto acceleration: AES-NI, AVX, etc.
- kernel opencrypto driver registration.
- full wolfSSL in kernel (kernel TLS).

## Building and Installing

Build bsdkm with:

```sh
./configure --enable-freebsdkm --enable-cryptonly && make
```

The default freebsdkm build assumes kernel source tree root at `/usr/src/sys/`.
Use `--with-kernel-source=PATH` to configure a different path.

Assuming you are targeting your native system, install with:

```sh
sudo kldload bsdkm/libwolfssl.ko
```

You should see it now:
```sh
kldstat -m libwolfssl
Id  Refs Name
509    1 libwolfssl
```

Unload with:
```sh
sudo kldunload libwolfssl
```

### options

| freebsdkm option                 | description                              |
| :------------------------------- | :--------------------------------------- |
| --with-bsd-export-syms=LIST      | Export list of symbols as global. <br>. Options are 'all', 'none', or <br> comma separated list of symbols. |
| --with-kernel-source=PATH        | Path to kernel tree root (default `/usr/src/sys`) |

### FIPS

Building with FIPS is largely the same, with the additional step of
configuring a fips hash.

1. Build bsdkm (the `fips_hash` here is a placeholder):

```sh
fips_hash=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
./configure --enable-freebsdkm --enable-cryptonly --enable-fips=v6 \
  CFLAGS="-DWOLFCRYPT_FIPS_CORE_HASH_VALUE=$fips_hash" && make
```

2. Attempt first install. This is expected to fail, because the hash was a
placeholder.
```sh
$ sudo kldload bsdkm/libwolfssl.ko
kldload: an error occurred while loading module bsdkm/libwolfssl.ko. Please check dmesg(8) for more details.
```

3. Check dmesg output for the updated hash value (yours will be different).
```sh
$ dmesg | tail -n5
In-core integrity hash check failure.
Rebuild with "WOLFCRYPT_FIPS_CORE_HASH_VALUE=3B144A08F291DBA536324646BBD127447B8F222D29A135780E330351E0DF9F0F".
error: wc_RunAllCast_fips failed at shutdown with return value 19
info: libwolfssl unloaded
module_register_init: MOD_LOAD (libwolfssl_fips, 0xffffffff842c28d0, 0) error 85
```

4. Repeat steps 1-2 with the new hash value. The load should succeed now.

```
$ kldstat -m libwolfssl_fips
Id  Refs Name
523    1 libwolfssl_fips
```

Unload with
```
sudo kldunload libwolfssl
```

On unload, the FIPS self-test will run a final time and print its status
to system message buffer:

```
info: wolfCrypt FIPS re-self-test succeeded at unload: all algorithms re-verified.
info: libwolfssl unloaded
```
bsdkm: fips support. 2025-12-28 10:16:53 -06:00			`# wolfSSL bsdkm (bsd kernel module)`

			libwolfssl supports building as a FreeBSD kernel module (`libwolfssl.ko`).
			`When loaded, wolfCrypt is made available to the rest of the kernel, allowing`
			`other loadable modules to link to wolfCrypt.`

			`Supported features:`
			`- wolfCrypt in kernel.`
			`- FIPS-wolfcrypt.`

			`Planned features:`
			`- crypto acceleration: AES-NI, AVX, etc.`
			`- kernel opencrypto driver registration.`
			`- full wolfSSL in kernel (kernel TLS).`

			`## Building and Installing`

			`Build bsdkm with:`

			```sh
			`./configure --enable-freebsdkm --enable-cryptonly && make`
			```

			The default freebsdkm build assumes kernel source tree root at `/usr/src/sys/`.
			Use `--with-kernel-source=PATH` to configure a different path.

			`Assuming you are targeting your native system, install with:`

			```sh
			`sudo kldload bsdkm/libwolfssl.ko`
			```

			`You should see it now:`
			```sh
			`kldstat -m libwolfssl`
			`Id Refs Name`
			`509 1 libwolfssl`
			```

			`Unload with:`
			```sh
			`sudo kldunload libwolfssl`
			```

			`### options`

			`\| freebsdkm option \| description \|`
			`\| :------------------------------- \| :--------------------------------------- \|`
			`\| --with-bsd-export-syms=LIST \| Export list of symbols as global. <br>. Options are 'all', 'none', or <br> comma separated list of symbols. \|`
			\| --with-kernel-source=PATH \| Path to kernel tree root (default `/usr/src/sys`) \|

			`### FIPS`

			`Building with FIPS is largely the same, with the additional step of`
			`configuring a fips hash.`

			1. Build bsdkm (the `fips_hash` here is a placeholder):

			```sh
			`fips_hash=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef`
			`./configure --enable-freebsdkm --enable-cryptonly --enable-fips=v6 \`
			`CFLAGS="-DWOLFCRYPT_FIPS_CORE_HASH_VALUE=$fips_hash" && make`
			```

			`2. Attempt first install. This is expected to fail, because the hash was a`
			`placeholder.`
			```sh
			`$ sudo kldload bsdkm/libwolfssl.ko`
			`kldload: an error occurred while loading module bsdkm/libwolfssl.ko. Please check dmesg(8) for more details.`
			```

			`3. Check dmesg output for the updated hash value (yours will be different).`
			```sh
			`$ dmesg \| tail -n5`
			`In-core integrity hash check failure.`
			`Rebuild with "WOLFCRYPT_FIPS_CORE_HASH_VALUE=3B144A08F291DBA536324646BBD127447B8F222D29A135780E330351E0DF9F0F".`
			`error: wc_RunAllCast_fips failed at shutdown with return value 19`
			`info: libwolfssl unloaded`
			`module_register_init: MOD_LOAD (libwolfssl_fips, 0xffffffff842c28d0, 0) error 85`
			```

			`4. Repeat steps 1-2 with the new hash value. The load should succeed now.`

			```
			`$ kldstat -m libwolfssl_fips`
			`Id Refs Name`
			`523 1 libwolfssl_fips`
			```

bsdkm: review cleanup. 2026-01-09 08:07:28 -06:00			`Unload with`
			```
			`sudo kldunload libwolfssl`
			```

bsdkm: fips support. 2025-12-28 10:16:53 -06:00			`On unload, the FIPS self-test will run a final time and print its status`
			`to system message buffer:`

			```
			`info: wolfCrypt FIPS re-self-test succeeded at unload: all algorithms re-verified.`
			`info: libwolfssl unloaded`
			```