wolfSSL in the kernel
The last year has been quite active for wolfSSL in kernel space. To give a quick recap, we’ve:
- added support to register wolfCrypt algorithms in the Linux kernel crypto API (making them available for filesystem encryption, IPsec, etc.)
- wrote patches for Linux /dev/random, giving it FIPS-compliant wolfCrypt implementations
- introduced wolfGuard, a FIPS-compliant refactor of Linux kernel-based WireGuard
- tested all of the above with: LUKS, VPNs, IPsec, Kernel TLS, etc.
With so much work done for Linux, naturally we were curious to turn our eye to a BSD-family OS, and FreeBSD was a logical target. While Linux distros obviously enjoy widespread use in server and desktop spaces, FreeBSD has carved out an enduring presence owing to its performant network stack, encrypted filesystem support, friendly licensing structure, and overall stability and simplicity.
For these reasons, FreeBSD remains an industry workhorse for specialized devices and digital infrastructure, such as video streaming, storage devices, routers and network devices, etc.
What’s supported in the FreeBSD kernel today
We just merged initial support for wolfCrypt in the FreeBSD kernel, which went into release v5.8.4. It’s built with --enable-freebsdkm, and by default assumes a prepared FreeBSD kernel tree at /usr/src/sys/ (or at a configurable location with --with-kernel-source=PATH).
This initial support is wolfCrypt only (--enable-cryptonly), covers all wolfCrypt algorithms (--enable-all-crypto), and can run the wolfCrypt Test in the kernel on module load (--enable-crypttests). We also added a FreeBSD kernel example to our wolfssl-examples repo that links to libwolfssl.ko and demonstrates using the wolfCrypt API from a FreeBSD kernel module.
This initial support allows other FreeBSD kernel modules to link to libwolfssl.ko and call the wolfCrypt API directly in kernel space.
FreeBSD support roadmap
We’re actively expanding our FreeBSD kernel support, and have a number of ideas. This is what we have planned, in no particular order:
acceleration support: AES-NI, AVX, etc.
Crypto-acceleration is a hard requirement for crypto-consuming drivers, e.g. filesystem encryption, kernel VPNs, IPsec, MACsec, etc. We would like to support all available acceleration in the kernel, as we previously did for linuxkm, and support wolfCrypt Benchmark in the FreeBSD kernel as well.
full wolfSSL support (kernel TLS)
wolfCrypt in the kernel is great for exporting our wolfCrypt API, but it’s not sufficient if one wants to do TLS in the kernel (needed for TLS based kernel VPNs, among other things). We would like to offer the full wolfSSL library as a FreeBSD kernel module.
opencrypto dev support
The FreeBSD opencrypto framework (CRYPTO(9)) allows kernel modules to register themselves as crypto drivers. This makes them available for crypto-consuming drivers and modules that implement IPsec, filesystem encryption, etc.
FIPS mode in the FreeBSD kernel
Unix-like operating systems that offer FIPS compliance are of growing interest. This would be multiple steps: the first and simplest is supporting wolfCrypt FIPS in the FreeBSD kernel. The next step would be to patch the FreeBSD kernel to ensure only FIPS-compliant algorithms are used.
Are you interested in running wolfSSL in the FreeBSD kernel? Do you have suggestions for what we should support next? If you are curious to learn more, or have questions, please email facts@wolfssl.com or call us at +1 425 245 8247.

