|
| 1 | +# wolfSSL linuxkm (linux kernel module) |
| 2 | + |
| 3 | +libwolfssl supports building as a linux kernel module (`libwolfssl.ko`). |
| 4 | +When loaded, wolfCrypt and wolfSSL API are made available to the rest of |
| 5 | +the kernel, supporting cryptography and TLS in kernel space. |
| 6 | + |
| 7 | +Performing cryptographic operations in kernel space has significant advantages |
| 8 | +over user space for high throughput network (VPN, IPsec, MACsec, TLS, etc) and |
| 9 | +filesystem (dm-crypt/LUKS, fscrypt disk encryption) IO processing, with the |
| 10 | +added benefit that keys can be kept isolated to kernel space. Additionally, |
| 11 | +when wolfCrypt-FIPS is used, this provides a simple recipe for FIPS-compliant |
| 12 | +kernels. |
| 13 | + |
| 14 | +Supported features: |
| 15 | +- crypto acceleration: AES-NI, AVX, etc. |
| 16 | +- kernel crypto API registration (wolfCrypt algs appear as drivers in `/proc/crypto`.). |
| 17 | +- `CONFIG_CRYPTO_FIPS`, and crypto-manager self-tests. |
| 18 | +- FIPS-compliant patches to `drivers/char/random.c`, covering kernels 5.10 to |
| 19 | + 6.15. |
| 20 | +- Supports FIPS-compliant WireGuard (https://github.com/wolfssl/wolfguard). |
| 21 | +- TLS 1.3 and DTLS 1.3 kernel offload. |
| 22 | + |
| 23 | +## Building and Installing |
| 24 | + |
| 25 | +Build linuxkm with: |
| 26 | + |
| 27 | +```sh |
| 28 | +$ ./configure --enable-linuxkm --with-linux-source=/usr/src/linux |
| 29 | +$ make -j module |
| 30 | +``` |
| 31 | + |
| 32 | +note: replace `/usr/src/linux` with a path to your fully configured and built |
| 33 | +target kernel source tree. |
| 34 | + |
| 35 | +Assuming you are targeting your native system, install with: |
| 36 | + |
| 37 | +```sh |
| 38 | +$ sudo make install |
| 39 | +$ sudo modprobe libwolfssl |
| 40 | +``` |
| 41 | + |
| 42 | +### options |
| 43 | + |
| 44 | +| linuxkm option | description | |
| 45 | +| :------------------------------- | :--------------------------------------- | |
| 46 | +| --enable-linuxkm-lkcapi-register | Register wolfcrypt algs with linux kernel <br> crypto API. Options are 'all', 'none', or <br> comma separated list of algs. | |
| 47 | +| --enable-linuxkm-pie | Enable relocatable object build of module| |
| 48 | +| --enable-linuxkm-benchmarks | Run crypto benchmark at module load | |
| 49 | + |
| 50 | +## Kernel Patches |
| 51 | + |
| 52 | +The dir `linuxkm/patches` contains a patch to the linux kernel CRNG. The |
| 53 | +CRNG provides the implementation for `/dev/random`, `/dev/urandom`, and |
| 54 | +`getrandom()`. |
| 55 | + |
| 56 | +The patch updates these two sources |
| 57 | +- `drivers/char/random.c` |
| 58 | +- `include/linux/random.h` |
| 59 | + |
| 60 | + |
| 61 | +to use FIPS-compliant algorithms, instead of chacha and blake2s. |
| 62 | + |
| 63 | +Patches are provided for several kernel versions, ranging from `5.10.x` to |
| 64 | +`6.15`. |
| 65 | + |
| 66 | +### patch procedure |
| 67 | + |
| 68 | +1. Ensure kernel src tree is clean before patching: |
| 69 | + |
| 70 | +```sh |
| 71 | +cd ~/kernelsrc/ |
| 72 | +make mrproper |
| 73 | +``` |
| 74 | + |
| 75 | +2. Verify patches will apply clean with a dry run check: |
| 76 | + |
| 77 | +```sh |
| 78 | +patch -p1 --dry-run <~/wolfssl-5.8.2/linuxkm/patches/6.12/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-6v12.patch |
| 79 | +checking file drivers/char/random.c |
| 80 | +checking file include/linux/random.h |
| 81 | +``` |
| 82 | + |
| 83 | +3. Finally patch the kernel: |
| 84 | + |
| 85 | +```sh |
| 86 | +patch -p1 <~/wolfssl-5.8.2/linuxkm/patches/6.12/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-6v12.patch |
| 87 | +patching file drivers/char/random.c |
| 88 | +patching file include/linux/random.h |
| 89 | +``` |
| 90 | + |
| 91 | +4. Build kernel. |
| 92 | + |
0 commit comments