Files
wolfssl/linuxkm
Daniel Pouzzner f376ae210e Implement Linux kernel module offline integrity hash calculation:
Add:

* linuxkm/linuxkm-fips-hash.c
* linuxkm/linuxkm-fips-hash-wrapper.sh
* linuxkm/linuxkm_memory.h

Move from linuxkm/module_hooks.c to linuxkm/linuxkm_memory.c:
* reloc_layouts[]
* find_reloc_tab_offset()
* the body of wc_linuxkm_normalize_relocations() as wc_reloc_normalize_text()
* most of updateFipsHash() as wc_fips_generate_hash()

Move from linuxkm/linuxkm_wc_port.h to linuxkm/linuxkm_memory.h:
* struct wc_linuxkm_pie_reloc_tab_ent
* enum wc_reloc_dest_segment
* enum wc_reloc_type

linuxkm/Makefile:
* Update GENERATE_RELOC_TAB recipe to populate new fields in struct wc_reloc_table_ent.
* Add targets:
  * libwolfssl-user-build/src/.libs/libwolfssl.so
  * linuxkm-fips-hash
  * module-with-matching-fips-hash
  * module-with-matching-fips-hash-no-sign
* Add support for alternate target module name, via LIBWOLFSSL_NAME make variable.

linuxkm/linuxkm_wc_port.h and linuxkm/module_hooks.c:
* Fixes to make linuxkm-pie work with CONFIG_KASAN.
* Implement WC_LINUXKM_STACK_DEBUG:
  * wc_linuxkm_stack_bottom()
  * wc_linuxkm_stack_top()
  * wc_linuxkm_stack_current()
  * wc_linuxkm_stack_left()
  * wc_linuxkm_stack_hwm_prepare()
  * wc_linuxkm_stack_hwm_measure_rel()
  * wc_linuxkm_stack_hwm_measure_total()

wolfssl/wolfcrypt/settings.h:
* When WOLFSSL_KERNEL_MODE, make sure WOLFSSL_GENERAL_ALIGNMENT is at least SIZEOF_LONG.
* When WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE, make sure WOLFSSL_BASE16 is defined.

configure.ac and wolfcrypt/benchmark/benchmark.c: Disable scrypt when KERNEL_MODE_DEFAULTS, due to excessive memory requirements.
2026-02-20 11:09:37 -06:00
..
2026-02-18 09:52:21 -07:00
2026-02-18 09:52:21 -07:00
2026-02-18 09:52:21 -07:00
2026-02-18 09:52:21 -07:00
2026-02-18 09:52:21 -07:00
2026-02-18 09:52:21 -07:00
2026-02-18 09:52:21 -07:00
2026-02-18 09:52:21 -07:00
2026-02-18 09:52:21 -07:00
2025-12-12 18:58:10 -06:00

wolfSSL linuxkm (linux kernel module)

libwolfssl supports building as a linux kernel module (libwolfssl.ko). When loaded, wolfCrypt and wolfSSL API are made available to the rest of the kernel, supporting cryptography and TLS in kernel space.

Performing cryptographic operations in kernel space has significant advantages over user space for high throughput network (VPN, IPsec, MACsec, TLS, etc) and filesystem (dm-crypt/LUKS, fscrypt disk encryption) IO processing, with the added benefit that keys can be kept isolated to kernel space. Additionally, when wolfCrypt-FIPS is used, this provides a simple recipe for FIPS-compliant kernels.

Supported features:

  • crypto acceleration: AES-NI, AVX, etc.
  • kernel crypto API registration (wolfCrypt algs appear as drivers in /proc/crypto.).
  • CONFIG_CRYPTO_FIPS, and crypto-manager self-tests.
  • FIPS-compliant patches to drivers/char/random.c, covering kernels 5.10 to 6.15.
  • Supports FIPS-compliant WireGuard (https://github.com/wolfssl/wolfguard).
  • TLS 1.3 and DTLS 1.3 kernel offload.

Building and Installing

Build linuxkm with:

$ ./configure --enable-linuxkm --with-linux-source=/usr/src/linux
$ make -j module

note: replace /usr/src/linux with a path to your fully configured and built target kernel source tree.

Assuming you are targeting your native system, install with:

$ sudo make install
$ sudo modprobe libwolfssl

options

linuxkm option description
--enable-linuxkm-lkcapi-register Register wolfcrypt algs with linux kernel
crypto API. Options are 'all', 'none', or
comma separated list of algs.
--enable-linuxkm-pie Enable relocatable object build of module
--enable-linuxkm-benchmarks Run crypto benchmark at module load

Kernel Patches

The dir linuxkm/patches contains a patch to the linux kernel CRNG. The CRNG provides the implementation for /dev/random, /dev/urandom, and getrandom().

The patch updates these two sources

  • drivers/char/random.c
  • include/linux/random.h

to use FIPS-compliant algorithms, instead of chacha and blake2s.

Patches are provided for several kernel versions, ranging from 5.10.x to 6.15.

patch procedure

  1. Ensure kernel src tree is clean before patching:
cd ~/kernelsrc/
make mrproper
  1. Verify patches will apply clean with a dry run check:
patch -p1 --dry-run  <~/wolfssl-5.8.2/linuxkm/patches/6.12/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-6v12.patch
checking file drivers/char/random.c
checking file include/linux/random.h
  1. Finally patch the kernel:
patch -p1 <~/wolfssl-5.8.2/linuxkm/patches/6.12/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-6v12.patch
patching file drivers/char/random.c
patching file include/linux/random.h
  1. Build kernel.