For nearly 20 years, the wolfSSL library has set the benchmark for performant, full-featured cryptography and TLS transport on embedded targets. Since 2015, wolfSSL has been the premier FIPS-certified cryptography software module for the embedded space. Now, we bring that depth of experience to the Linux kernel.
libwolfssl.ko implements the same comprehensive set of algorithms and modes as our application library, based on the same underlying cryptographic implementations, and with the same acceleration options (AES-NI, AVX, etc.). Emerging quantum-resistant algorithm standards are also available using native high-performance implementations, including ML-KEM and ML-DSA.
libwolfssl.ko includes code-free plug-and-play for our entire FIPS algorithm suite, including AES-XTS, AES-GCM, SHA256-HMAC, SHA3-HMAC, HASH-DRBG, ECDSA/ECDH, RSA, and DH. When enabled (–enable-linuxkm-lkcapi-register), our module registers its FIPS compliant implementations with the kernel, including AES-XTS and AES-CBC for LUKS/dm-crypt disk encryption, and AES-GCM for VPN, MACsec, 802.11 WPA3, and TLS kernel offload. These registrations are completely transparent to other kernel modules and KCAPI/AF_ALG users — after libwolfssl.ko is loaded, the wolfCrypt FIPS compliant implementations are used for all newly instantiated kernel cryptography system-wide.
Our open source WolfGuard kernel VPN technology, based on WireGuard, directly uses our kernel AES-GCM, ECDH, SHA256-HMAC, and HASH-DRBG implementations. In combination with FIPS libwolfssl.ko, WolfGuard delivers a fully FIPS-compliant turnkey wire-rate VPN, with the same simplicity as WireGuard. The companion WolfGuard-Go provides for interoperability with Windows and Mac.
Our kernel module also includes logic that fully implements FIPS-certified randomness and entropy gathering, transforming /dev/random, /dev/urandom, and getrandom(), into FIPS-compliant DRBG sources. Our DRBG callback implementation replaces kernel native non-FIPS entropy harvesting and DRBG generation, including internal utility integer generators, with NIST SP 800-90B true entropy derivation and persistent FIPS 140-3 DRBG instances.
The FIPS variants of libwolfssl.ko include all customary FIPS functionality, including mandatory algorithmic self-test, on-demand retest, in-memory binary image stabilization and integrity verification, private key access controls, and continual DRBG health checks.
Our extensive kernel module testing program integrates customer kernels and configurations into our automated test harness, assuring predictably correct functionality through upgrade cycles. Our test harness comprehensively tests functionality, through debug-level operational testing, FIPS self-test, kernel native algorithm tests including native fuzz testing, user-space testing through KCAPI, and LUKS filesystem exercises, confirming comprehensively correct and interoperable implementations.
If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.
Download wolfSSL Now