mirror of https://github.com/wolfSSL/wolfssl.git synced 2026-01-27 23:22:20 +01:00

Files

Daniel Pouzzner c1d2828daf wolfcrypt/src/random.c, wolfssl/wolfcrypt/random.h, wolfssl/wolfcrypt/wc_port.h, linuxkm/lkcapi_sha_glue.c: fixes from autotesting:

* refactor to eliminate recursion in wc_RNG_GenerateBlock();
* refactor enum wc_rng_bank_flags as word32 and macros;
* fix -Wconversions, -Wunused, and stray EINVAL in wc_rng_bank_init();
* make struct wc_rng_bank_inst a top-level definition for C++ compat;
* fix several bugprone-macro-parentheses.

2026-01-07 22:54:07 -06:00

patches

add linuxkm/patches/5.17-ubuntu-jammy-tegra/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-5v17-ubuntu-jammy-tegra.patch

2025-12-10 11:51:29 -06:00

get_thread_size.c

updating license from GPLv2 to GPLv3

2025-07-10 16:11:36 -06:00

include.am

linuxkm: add a readme.

2025-12-12 17:07:07 -06:00

Kbuild

linuxkm: fix Tegra Yocto FIPS build issues (ARM64, RT, PIE)

2025-12-17 14:32:26 +02:00

linuxkm_memory.c

globally rename WC_PIE_RELOC_TABLES to WC_SYM_RELOC_TABLES;

2025-11-25 18:01:25 -06:00

linuxkm_wc_port.h

linuxkm/linuxkm_wc_port.h and linuxkm/module_hooks.c: remove WOLFSSL_DEBUG_BACKTRACE_ERROR_CODES gate around setup for wolfssl_linuxkm_pie_redirect_table.dump_stack.

2026-01-07 22:54:07 -06:00

lkcapi_aes_glue.c

linuxkm/lkcapi_{dh,ecdh,ecdsa,rsa,aes}_glue.c: when LINUXKM_LKCAPI_REGISTER_ALL_KCONFIG, don't "#error Config conflict" if explicit LINUXKM_LKCAPI_DONT_REGISTER_foo is defined for the missing algorithm.

2025-12-17 11:01:10 -06:00

lkcapi_dh_glue.c

linuxkm/{lkcapi_dh_glue.c,lkcapi_ecdh_glue.c,lkcapi_rsa_glue.c}: use LKCAPI_INITRNG() rather than wc_InitRng(), and remove calls to LKCAPI_INITRNG_FOR_SELFTEST(). also, in km_rsa_ctx_init_rng(), recognize WC_DRBG_BANKREF as a usable RNG status.

2026-01-07 22:54:07 -06:00

lkcapi_ecdh_glue.c

2026-01-07 22:54:07 -06:00

lkcapi_ecdsa_glue.c

2025-12-17 11:01:10 -06:00

lkcapi_glue.c

linuxkm/lkcapi_sha_glue.c:

2025-12-22 22:58:29 -06:00

lkcapi_rsa_glue.c

2026-01-07 22:54:07 -06:00

lkcapi_sha_glue.c

wolfcrypt/src/random.c, wolfssl/wolfcrypt/random.h, wolfssl/wolfcrypt/wc_port.h, linuxkm/lkcapi_sha_glue.c: fixes from autotesting:

2026-01-07 22:54:07 -06:00

Makefile

linuxkm/Makefile: fix bash cleanup in recipe for libwolfssl.ko -- new trap for an event replaces previous trap rather than adding to it.

2025-12-29 20:55:36 -06:00

module_exports.c.template

Include new header in the template file also

2025-11-20 09:40:18 -07:00

module_hooks.c

linuxkm/linuxkm_wc_port.h and linuxkm/module_hooks.c: remove WOLFSSL_DEBUG_BACKTRACE_ERROR_CODES gate around setup for wolfssl_linuxkm_pie_redirect_table.dump_stack.

2026-01-07 22:54:07 -06:00

pie_redirect_table.c

globally rename WC_PIE_RELOC_TABLES to WC_SYM_RELOC_TABLES;

2025-11-25 18:01:25 -06:00

README.md

linuxkm: readme patch description.

2025-12-12 18:58:10 -06:00

wolfcrypt.lds

linuxkm: rename FIPS container segments from foo.wolfcrypt to foo_wolfcrypt to avoid getting rearranged by kernel scripts/module.lds klp/kpatch clauses expected in kernel 6.19.

2025-10-18 03:23:38 -05:00

x86_vector_register_glue.c

linuxkm/x86_vector_register_glue.c: in wc_save_vector_registers_x86(), don't render warning of call while non-preemptible if WC_SVR_FLAG_INHIBIT was passed in.

2026-01-07 22:54:07 -06:00

README.md

wolfSSL linuxkm (linux kernel module)

libwolfssl supports building as a linux kernel module (libwolfssl.ko). When loaded, wolfCrypt and wolfSSL API are made available to the rest of the kernel, supporting cryptography and TLS in kernel space.

Performing cryptographic operations in kernel space has significant advantages over user space for high throughput network (VPN, IPsec, MACsec, TLS, etc) and filesystem (dm-crypt/LUKS, fscrypt disk encryption) IO processing, with the added benefit that keys can be kept isolated to kernel space. Additionally, when wolfCrypt-FIPS is used, this provides a simple recipe for FIPS-compliant kernels.

Supported features:

crypto acceleration: AES-NI, AVX, etc.
kernel crypto API registration (wolfCrypt algs appear as drivers in /proc/crypto.).
CONFIG_CRYPTO_FIPS, and crypto-manager self-tests.
FIPS-compliant patches to drivers/char/random.c, covering kernels 5.10 to 6.15.
Supports FIPS-compliant WireGuard (https://github.com/wolfssl/wolfguard).
TLS 1.3 and DTLS 1.3 kernel offload.

Building and Installing

Build linuxkm with:

$ ./configure --enable-linuxkm --with-linux-source=/usr/src/linux
$ make -j module

note: replace /usr/src/linux with a path to your fully configured and built target kernel source tree.

Assuming you are targeting your native system, install with:

$ sudo make install
$ sudo modprobe libwolfssl

options

linuxkm option	description
--enable-linuxkm-lkcapi-register	Register wolfcrypt algs with linux kernel crypto API. Options are 'all', 'none', or comma separated list of algs.
--enable-linuxkm-pie	Enable relocatable object build of module
--enable-linuxkm-benchmarks	Run crypto benchmark at module load

Kernel Patches

The dir linuxkm/patches contains a patch to the linux kernel CRNG. The CRNG provides the implementation for /dev/random, /dev/urandom, and getrandom().

The patch updates these two sources

drivers/char/random.c
include/linux/random.h

to use FIPS-compliant algorithms, instead of chacha and blake2s.

Patches are provided for several kernel versions, ranging from 5.10.x to 6.15.

patch procedure

Ensure kernel src tree is clean before patching:

cd ~/kernelsrc/
make mrproper

Verify patches will apply clean with a dry run check:

patch -p1 --dry-run  <~/wolfssl-5.8.2/linuxkm/patches/6.12/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-6v12.patch
checking file drivers/char/random.c
checking file include/linux/random.h

Finally patch the kernel:

patch -p1 <~/wolfssl-5.8.2/linuxkm/patches/6.12/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-6v12.patch
patching file drivers/char/random.c
patching file include/linux/random.h

Build kernel.