mirror of https://github.com/wolfSSL/wolfssl.git synced 2026-01-26 21:22:19 +01:00

Files

Daniel Pouzzner 0059f1647e move WC_RNG_BANK_SUPPORT implementation from wolfcrypt/src/random.c and wolfssl/wolfcrypt/random.h to new files wolfcrypt/src/rng_bank.c and wolfssl/wolfcrypt/rng_bank.h;

wolfcrypt/src/rng_bank.c:

  * add wc_local_rng_bank_checkout_for_bankref, wc_BankRef_Release(), wc_rng_bank_new(), and wc_rng_bank_free();

  * in wc_rng_bank_checkin(), take a struct wc_rng_bank_inst **rng_inst and NULL it before return;

  * in wc_rng_bank_init(), add a devId arg, and handle devId in wc_rng_bank_inst_reinit();

  * add WC_RNG_BANK_INST_LOCK_* and use them in wc_rng_bank_checkout() and wc_rng_bank_checkin();

  * fix order of operations in wc_rng_bank_checkout() re DISABLE_VECTOR_REGISTERS();

wolfcrypt/src/random.c:

  * refactor per-instance salting for wc_rng_bank_inst: remove changes in Hash_df(), Hash_DRBG_Instantiate(), and _InitRng(), and in wc_rng_bank_init() and wc_rng_bank_inst_reinit(), use wc_InitRngNonce_ex() and pass the wc_rng_bank_inst pointer as the nonce;

  * simplify the WC_RNG_BANK_SUPPORT variant of wc_RNG_GenerateBlock() -- delegate to wc_local_rng_bank_checkout_for_bankref() and remove supplementary error checking;

  * in wc_FreeRng(), call wc_BankRef_Release() when WC_DRBG_BANKREF, and in wc_BankRef_Release(), fix refcount flub (not wolfSSL_RefFree, rather wolfSSL_RefDec);

  * streamline the WOLFSSL_LINUXKM wc_GenerateSeed();

wolfcrypt/test/test.c: add random_bank_test();

linuxkm/lkcapi_sha_glue.c: use WC_RNG_BANK_INST_TO_RNG() opportunistically;

configure.ac: add --enable-amdrdseed as a synonym for --enable-amdrand;

linuxkm/linuxkm_wc_port.h: when LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT, don't include get_random_bytes() in struct wolfssl_linuxkm_pie_redirect_table;

add various comments for clarity.

2026-01-07 22:54:07 -06:00

patches

add linuxkm/patches/5.17-ubuntu-jammy-tegra/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-5v17-ubuntu-jammy-tegra.patch

2025-12-10 11:51:29 -06:00

get_thread_size.c

updating license from GPLv2 to GPLv3

2025-07-10 16:11:36 -06:00

include.am

linuxkm: add a readme.

2025-12-12 17:07:07 -06:00

Kbuild

linuxkm: fix Tegra Yocto FIPS build issues (ARM64, RT, PIE)

2025-12-17 14:32:26 +02:00

linuxkm_memory.c

globally rename WC_PIE_RELOC_TABLES to WC_SYM_RELOC_TABLES;

2025-11-25 18:01:25 -06:00

linuxkm_wc_port.h

move WC_RNG_BANK_SUPPORT implementation from wolfcrypt/src/random.c and wolfssl/wolfcrypt/random.h to new files wolfcrypt/src/rng_bank.c and wolfssl/wolfcrypt/rng_bank.h;

2026-01-07 22:54:07 -06:00

lkcapi_aes_glue.c

linuxkm/lkcapi_{dh,ecdh,ecdsa,rsa,aes}_glue.c: when LINUXKM_LKCAPI_REGISTER_ALL_KCONFIG, don't "#error Config conflict" if explicit LINUXKM_LKCAPI_DONT_REGISTER_foo is defined for the missing algorithm.

2025-12-17 11:01:10 -06:00

lkcapi_dh_glue.c

linuxkm/{lkcapi_dh_glue.c,lkcapi_ecdh_glue.c,lkcapi_rsa_glue.c}: use LKCAPI_INITRNG() rather than wc_InitRng(), and remove calls to LKCAPI_INITRNG_FOR_SELFTEST(). also, in km_rsa_ctx_init_rng(), recognize WC_DRBG_BANKREF as a usable RNG status.

2026-01-07 22:54:07 -06:00

lkcapi_ecdh_glue.c

2026-01-07 22:54:07 -06:00

lkcapi_ecdsa_glue.c

2025-12-17 11:01:10 -06:00

lkcapi_glue.c

linuxkm/lkcapi_sha_glue.c:

2025-12-22 22:58:29 -06:00

lkcapi_rsa_glue.c

2026-01-07 22:54:07 -06:00

lkcapi_sha_glue.c

move WC_RNG_BANK_SUPPORT implementation from wolfcrypt/src/random.c and wolfssl/wolfcrypt/random.h to new files wolfcrypt/src/rng_bank.c and wolfssl/wolfcrypt/rng_bank.h;

2026-01-07 22:54:07 -06:00

Makefile

linuxkm/Makefile: fix bash cleanup in recipe for libwolfssl.ko -- new trap for an event replaces previous trap rather than adding to it.

2025-12-29 20:55:36 -06:00

module_exports.c.template

move WC_RNG_BANK_SUPPORT implementation from wolfcrypt/src/random.c and wolfssl/wolfcrypt/random.h to new files wolfcrypt/src/rng_bank.c and wolfssl/wolfcrypt/rng_bank.h;

2026-01-07 22:54:07 -06:00

module_hooks.c

move WC_RNG_BANK_SUPPORT implementation from wolfcrypt/src/random.c and wolfssl/wolfcrypt/random.h to new files wolfcrypt/src/rng_bank.c and wolfssl/wolfcrypt/rng_bank.h;

2026-01-07 22:54:07 -06:00

pie_redirect_table.c

globally rename WC_PIE_RELOC_TABLES to WC_SYM_RELOC_TABLES;

2025-11-25 18:01:25 -06:00

README.md

linuxkm: readme patch description.

2025-12-12 18:58:10 -06:00

wolfcrypt.lds

linuxkm: rename FIPS container segments from foo.wolfcrypt to foo_wolfcrypt to avoid getting rearranged by kernel scripts/module.lds klp/kpatch clauses expected in kernel 6.19.

2025-10-18 03:23:38 -05:00

x86_vector_register_glue.c

linuxkm/x86_vector_register_glue.c: in wc_save_vector_registers_x86(), don't render warning of call while non-preemptible if WC_SVR_FLAG_INHIBIT was passed in.

2026-01-07 22:54:07 -06:00

README.md

wolfSSL linuxkm (linux kernel module)

libwolfssl supports building as a linux kernel module (libwolfssl.ko). When loaded, wolfCrypt and wolfSSL API are made available to the rest of the kernel, supporting cryptography and TLS in kernel space.

Performing cryptographic operations in kernel space has significant advantages over user space for high throughput network (VPN, IPsec, MACsec, TLS, etc) and filesystem (dm-crypt/LUKS, fscrypt disk encryption) IO processing, with the added benefit that keys can be kept isolated to kernel space. Additionally, when wolfCrypt-FIPS is used, this provides a simple recipe for FIPS-compliant kernels.

Supported features:

crypto acceleration: AES-NI, AVX, etc.
kernel crypto API registration (wolfCrypt algs appear as drivers in /proc/crypto.).
CONFIG_CRYPTO_FIPS, and crypto-manager self-tests.
FIPS-compliant patches to drivers/char/random.c, covering kernels 5.10 to 6.15.
Supports FIPS-compliant WireGuard (https://github.com/wolfssl/wolfguard).
TLS 1.3 and DTLS 1.3 kernel offload.

Building and Installing

Build linuxkm with:

$ ./configure --enable-linuxkm --with-linux-source=/usr/src/linux
$ make -j module

note: replace /usr/src/linux with a path to your fully configured and built target kernel source tree.

Assuming you are targeting your native system, install with:

$ sudo make install
$ sudo modprobe libwolfssl

options

linuxkm option	description
--enable-linuxkm-lkcapi-register	Register wolfcrypt algs with linux kernel crypto API. Options are 'all', 'none', or comma separated list of algs.
--enable-linuxkm-pie	Enable relocatable object build of module
--enable-linuxkm-benchmarks	Run crypto benchmark at module load

Kernel Patches

The dir linuxkm/patches contains a patch to the linux kernel CRNG. The CRNG provides the implementation for /dev/random, /dev/urandom, and getrandom().

The patch updates these two sources

drivers/char/random.c
include/linux/random.h

to use FIPS-compliant algorithms, instead of chacha and blake2s.

Patches are provided for several kernel versions, ranging from 5.10.x to 6.15.

patch procedure

Ensure kernel src tree is clean before patching:

cd ~/kernelsrc/
make mrproper

Verify patches will apply clean with a dry run check:

patch -p1 --dry-run  <~/wolfssl-5.8.2/linuxkm/patches/6.12/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-6v12.patch
checking file drivers/char/random.c
checking file include/linux/random.h

Finally patch the kernel:

patch -p1 <~/wolfssl-5.8.2/linuxkm/patches/6.12/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-6v12.patch
patching file drivers/char/random.c
patching file include/linux/random.h

Build kernel.