wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2026-01-26 21:02:21 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
20b2fd200f331400e4d7ad261809fb9bd4047e65
wolfssl/linuxkm
History
Daniel Pouzzner ba53051457 add linuxkm/patches/5.14.0-570.58.1.el9_6/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-5v14-570v58v1-el9_6.patch
2026-01-20 15:07:44 -06:00
..
patches
add linuxkm/patches/5.14.0-570.58.1.el9_6/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-5v14-570v58v1-el9_6.patch
2026-01-20 15:07:44 -06:00
get_thread_size.c
updating license from GPLv2 to GPLv3
2025-07-10 16:11:36 -06:00
include.am
add linuxkm/patches/5.14.0-570.58.1.el9_6/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-5v14-570v58v1-el9_6.patch
2026-01-20 15:07:44 -06:00
Kbuild
linuxkm: fix Tegra Yocto FIPS build issues (ARM64, RT, PIE)
2025-12-17 14:32:26 +02:00
linuxkm_memory.c
globally rename WC_PIE_RELOC_TABLES to WC_SYM_RELOC_TABLES;
2025-11-25 18:01:25 -06:00
linuxkm_wc_port.h
move WC_RNG_BANK_SUPPORT implementation from wolfcrypt/src/random.c and wolfssl/wolfcrypt/random.h to new files wolfcrypt/src/rng_bank.c and wolfssl/wolfcrypt/rng_bank.h;
2026-01-07 22:54:07 -06:00
lkcapi_aes_glue.c
linuxkm/lkcapi_{dh,ecdh,ecdsa,rsa,aes}_glue.c: when LINUXKM_LKCAPI_REGISTER_ALL_KCONFIG, don't "#error Config conflict" if explicit LINUXKM_LKCAPI_DONT_REGISTER_foo is defined for the missing algorithm.
2025-12-17 11:01:10 -06:00
lkcapi_dh_glue.c
linuxkm/{lkcapi_dh_glue.c,lkcapi_ecdh_glue.c,lkcapi_rsa_glue.c}: use LKCAPI_INITRNG() rather than wc_InitRng(), and remove calls to LKCAPI_INITRNG_FOR_SELFTEST(). also, in km_rsa_ctx_init_rng(), recognize WC_DRBG_BANKREF as a usable RNG status.
2026-01-07 22:54:07 -06:00
lkcapi_ecdh_glue.c
linuxkm/{lkcapi_dh_glue.c,lkcapi_ecdh_glue.c,lkcapi_rsa_glue.c}: use LKCAPI_INITRNG() rather than wc_InitRng(), and remove calls to LKCAPI_INITRNG_FOR_SELFTEST(). also, in km_rsa_ctx_init_rng(), recognize WC_DRBG_BANKREF as a usable RNG status.
2026-01-07 22:54:07 -06:00
lkcapi_ecdsa_glue.c
linuxkm/lkcapi_{dh,ecdh,ecdsa,rsa,aes}_glue.c: when LINUXKM_LKCAPI_REGISTER_ALL_KCONFIG, don't "#error Config conflict" if explicit LINUXKM_LKCAPI_DONT_REGISTER_foo is defined for the missing algorithm.
2025-12-17 11:01:10 -06:00
lkcapi_glue.c
linuxkm/lkcapi_sha_glue.c:
2025-12-22 22:58:29 -06:00
lkcapi_rsa_glue.c
linuxkm/{lkcapi_dh_glue.c,lkcapi_ecdh_glue.c,lkcapi_rsa_glue.c}: use LKCAPI_INITRNG() rather than wc_InitRng(), and remove calls to LKCAPI_INITRNG_FOR_SELFTEST(). also, in km_rsa_ctx_init_rng(), recognize WC_DRBG_BANKREF as a usable RNG status.
2026-01-07 22:54:07 -06:00
lkcapi_sha_glue.c
move WC_RNG_BANK_SUPPORT implementation from wolfcrypt/src/random.c and wolfssl/wolfcrypt/random.h to new files wolfcrypt/src/rng_bank.c and wolfssl/wolfcrypt/rng_bank.h;
2026-01-07 22:54:07 -06:00
Makefile
linuxkm/Makefile: fix bash cleanup in recipe for libwolfssl.ko -- new trap for an event replaces previous trap rather than adding to it.
2025-12-29 20:55:36 -06:00
module_exports.c.template
move WC_RNG_BANK_SUPPORT implementation from wolfcrypt/src/random.c and wolfssl/wolfcrypt/random.h to new files wolfcrypt/src/rng_bank.c and wolfssl/wolfcrypt/rng_bank.h;
2026-01-07 22:54:07 -06:00
module_hooks.c
move WC_RNG_BANK_SUPPORT implementation from wolfcrypt/src/random.c and wolfssl/wolfcrypt/random.h to new files wolfcrypt/src/rng_bank.c and wolfssl/wolfcrypt/rng_bank.h;
2026-01-07 22:54:07 -06:00
pie_redirect_table.c
globally rename WC_PIE_RELOC_TABLES to WC_SYM_RELOC_TABLES;
2025-11-25 18:01:25 -06:00
README.md
linuxkm: readme patch description.
2025-12-12 18:58:10 -06:00
wolfcrypt.lds
linuxkm: rename FIPS container segments from foo.wolfcrypt to foo_wolfcrypt to avoid getting rearranged by kernel scripts/module.lds klp/kpatch clauses expected in kernel 6.19.
2025-10-18 03:23:38 -05:00
x86_vector_register_glue.c
linuxkm/x86_vector_register_glue.c: in wc_save_vector_registers_x86(), don't render warning of call while non-preemptible if WC_SVR_FLAG_INHIBIT was passed in.
2026-01-07 22:54:07 -06:00

README.md

wolfSSL linuxkm (linux kernel module)

libwolfssl supports building as a linux kernel module (libwolfssl.ko). When loaded, wolfCrypt and wolfSSL API are made available to the rest of the kernel, supporting cryptography and TLS in kernel space.

Performing cryptographic operations in kernel space has significant advantages over user space for high throughput network (VPN, IPsec, MACsec, TLS, etc) and filesystem (dm-crypt/LUKS, fscrypt disk encryption) IO processing, with the added benefit that keys can be kept isolated to kernel space. Additionally, when wolfCrypt-FIPS is used, this provides a simple recipe for FIPS-compliant kernels.

Supported features:

  • crypto acceleration: AES-NI, AVX, etc.
  • kernel crypto API registration (wolfCrypt algs appear as drivers in /proc/crypto.).
  • CONFIG_CRYPTO_FIPS, and crypto-manager self-tests.
  • FIPS-compliant patches to drivers/char/random.c, covering kernels 5.10 to 6.15.
  • Supports FIPS-compliant WireGuard (https://github.com/wolfssl/wolfguard).
  • TLS 1.3 and DTLS 1.3 kernel offload.

Building and Installing

Build linuxkm with:

$ ./configure --enable-linuxkm --with-linux-source=/usr/src/linux
$ make -j module

note: replace /usr/src/linux with a path to your fully configured and built target kernel source tree.

Assuming you are targeting your native system, install with:

$ sudo make install
$ sudo modprobe libwolfssl

options

linuxkm option description
--enable-linuxkm-lkcapi-register Register wolfcrypt algs with linux kernel
crypto API. Options are 'all', 'none', or
comma separated list of algs.
--enable-linuxkm-pie Enable relocatable object build of module
--enable-linuxkm-benchmarks Run crypto benchmark at module load

Kernel Patches

The dir linuxkm/patches contains a patch to the linux kernel CRNG. The CRNG provides the implementation for /dev/random, /dev/urandom, and getrandom().

The patch updates these two sources

  • drivers/char/random.c
  • include/linux/random.h

to use FIPS-compliant algorithms, instead of chacha and blake2s.

Patches are provided for several kernel versions, ranging from 5.10.x to 6.15.

patch procedure

  1. Ensure kernel src tree is clean before patching:
cd ~/kernelsrc/
make mrproper
  1. Verify patches will apply clean with a dry run check:
patch -p1 --dry-run  <~/wolfssl-5.8.2/linuxkm/patches/6.12/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-6v12.patch
checking file drivers/char/random.c
checking file include/linux/random.h
  1. Finally patch the kernel:
patch -p1 <~/wolfssl-5.8.2/linuxkm/patches/6.12/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-6v12.patch
patching file drivers/char/random.c
patching file include/linux/random.h
  1. Build kernel.
Reference in New Issue View Git Blame Copy Permalink