wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2026-01-26 21:32:26 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
6264c115ccaac84df0e3e7fca060ee792938165c
wolfssl/linuxkm
History
Daniel Pouzzner 83f7204f99 Merge pull request #9597 from sameehj/rhel9_linuxkm_sign 
linuxkm: handle RHEL9 disabled akcipher sign/decrypt ops
2026-01-05 17:23:45 -06:00
..
patches
add linuxkm/patches/5.17-ubuntu-jammy-tegra/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-5v17-ubuntu-jammy-tegra.patch
2025-12-10 11:51:29 -06:00
get_thread_size.c
updating license from GPLv2 to GPLv3
2025-07-10 16:11:36 -06:00
include.am
linuxkm: add a readme.
2025-12-12 17:07:07 -06:00
Kbuild
linuxkm: fix Tegra Yocto FIPS build issues (ARM64, RT, PIE)
2025-12-17 14:32:26 +02:00
linuxkm_memory.c
globally rename WC_PIE_RELOC_TABLES to WC_SYM_RELOC_TABLES;
2025-11-25 18:01:25 -06:00
linuxkm_wc_port.h
linuxkm: fix Tegra Yocto FIPS build issues (ARM64, RT, PIE)
2025-12-17 14:32:26 +02:00
lkcapi_aes_glue.c
linuxkm/lkcapi_{dh,ecdh,ecdsa,rsa,aes}_glue.c: when LINUXKM_LKCAPI_REGISTER_ALL_KCONFIG, don't "#error Config conflict" if explicit LINUXKM_LKCAPI_DONT_REGISTER_foo is defined for the missing algorithm.
2025-12-17 11:01:10 -06:00
lkcapi_dh_glue.c
linuxkm/lkcapi_sha_glue.c:
2025-12-22 22:58:29 -06:00
lkcapi_ecdh_glue.c
linuxkm/lkcapi_sha_glue.c:
2025-12-22 22:58:29 -06:00
lkcapi_ecdsa_glue.c
linuxkm/lkcapi_{dh,ecdh,ecdsa,rsa,aes}_glue.c: when LINUXKM_LKCAPI_REGISTER_ALL_KCONFIG, don't "#error Config conflict" if explicit LINUXKM_LKCAPI_DONT_REGISTER_foo is defined for the missing algorithm.
2025-12-17 11:01:10 -06:00
lkcapi_glue.c
linuxkm/lkcapi_sha_glue.c:
2025-12-22 22:58:29 -06:00
lkcapi_rsa_glue.c
linuxkm: handle RHEL9 disabled akcipher sign/decrypt ops
2026-01-05 19:42:29 +02:00
lkcapi_sha_glue.c
fixes from peer review: added comments for clarity, and remove errant condition added in _InitRng().
2025-12-30 12:13:15 -06:00
Makefile
linuxkm/Makefile: fix bash cleanup in recipe for libwolfssl.ko -- new trap for an event replaces previous trap rather than adding to it.
2025-12-29 20:55:36 -06:00
module_exports.c.template
Include new header in the template file also
2025-11-20 09:40:18 -07:00
module_hooks.c
linuxkm: fix Tegra Yocto FIPS build issues (ARM64, RT, PIE)
2025-12-17 14:32:26 +02:00
pie_redirect_table.c
globally rename WC_PIE_RELOC_TABLES to WC_SYM_RELOC_TABLES;
2025-11-25 18:01:25 -06:00
README.md
linuxkm: readme patch description.
2025-12-12 18:58:10 -06:00
wolfcrypt.lds
linuxkm: rename FIPS container segments from foo.wolfcrypt to foo_wolfcrypt to avoid getting rearranged by kernel scripts/module.lds klp/kpatch clauses expected in kernel 6.19.
2025-10-18 03:23:38 -05:00
x86_vector_register_glue.c
linuxkm/x86_vector_register_glue.c: remove static assert on kernel >= 5.4.0 -- current implementation is unaffected by the noted bugs on < 5.4.0.
2025-10-30 18:08:54 -05:00

README.md

wolfSSL linuxkm (linux kernel module)

libwolfssl supports building as a linux kernel module (libwolfssl.ko). When loaded, wolfCrypt and wolfSSL API are made available to the rest of the kernel, supporting cryptography and TLS in kernel space.

Performing cryptographic operations in kernel space has significant advantages over user space for high throughput network (VPN, IPsec, MACsec, TLS, etc) and filesystem (dm-crypt/LUKS, fscrypt disk encryption) IO processing, with the added benefit that keys can be kept isolated to kernel space. Additionally, when wolfCrypt-FIPS is used, this provides a simple recipe for FIPS-compliant kernels.

Supported features:

  • crypto acceleration: AES-NI, AVX, etc.
  • kernel crypto API registration (wolfCrypt algs appear as drivers in /proc/crypto.).
  • CONFIG_CRYPTO_FIPS, and crypto-manager self-tests.
  • FIPS-compliant patches to drivers/char/random.c, covering kernels 5.10 to 6.15.
  • Supports FIPS-compliant WireGuard (https://github.com/wolfssl/wolfguard).
  • TLS 1.3 and DTLS 1.3 kernel offload.

Building and Installing

Build linuxkm with:

$ ./configure --enable-linuxkm --with-linux-source=/usr/src/linux
$ make -j module

note: replace /usr/src/linux with a path to your fully configured and built target kernel source tree.

Assuming you are targeting your native system, install with:

$ sudo make install
$ sudo modprobe libwolfssl

options

linuxkm option description
--enable-linuxkm-lkcapi-register Register wolfcrypt algs with linux kernel
crypto API. Options are 'all', 'none', or
comma separated list of algs.
--enable-linuxkm-pie Enable relocatable object build of module
--enable-linuxkm-benchmarks Run crypto benchmark at module load

Kernel Patches

The dir linuxkm/patches contains a patch to the linux kernel CRNG. The CRNG provides the implementation for /dev/random, /dev/urandom, and getrandom().

The patch updates these two sources

  • drivers/char/random.c
  • include/linux/random.h

to use FIPS-compliant algorithms, instead of chacha and blake2s.

Patches are provided for several kernel versions, ranging from 5.10.x to 6.15.

patch procedure

  1. Ensure kernel src tree is clean before patching:
cd ~/kernelsrc/
make mrproper
  1. Verify patches will apply clean with a dry run check:
patch -p1 --dry-run  <~/wolfssl-5.8.2/linuxkm/patches/6.12/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-6v12.patch
checking file drivers/char/random.c
checking file include/linux/random.h
  1. Finally patch the kernel:
patch -p1 <~/wolfssl-5.8.2/linuxkm/patches/6.12/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-6v12.patch
patching file drivers/char/random.c
patching file include/linux/random.h
  1. Build kernel.
Reference in New Issue View Git Blame Copy Permalink