FIPS 140-3 Kernel Cryptography for Yocto

Introducing meta-wolfssl support for LinuxKM: build-time FIPS-validated kernel crypto for embedded Linux

What’s New: LinuxKM Recipes in meta-wolfssl

The meta-wolfssl Yocto layer now includes recipes for building wolfSSL’s Linux Kernel Module (LinuxKM) directly into your embedded Linux images. This means Yocto-based projects can integrate FIPS 140-3 validated cryptography at the kernel level.

You can now:

  • Build FIPS-validated kernel crypto with a single bitbake command
  • Switch between FIPS and non-FIPS builds at configuration time
  • Include kernel crypto in initramfs for early-boot requirements
  • Target ARM64, x86_64, and vendor BSPs (including NVIDIA Tegra)


What the New Recipes Provide

meta-wolfssl now includes two kernel module recipes:

Recipe               | Source            | License
---------------------|-------------------|-----------
wolfssl-linuxkm      | GitHub (upstream) | GPLv3
wolfssl-linuxkm-fips | Commercial bundle | Commercial

Both recipes produce libwolfssl.ko, installed to /lib/modules//extra/. The non-FIPS recipe also installs /etc/modules-load.d/wolfssl.conf for automatic loading under systemd.

Non-FIPS Build (wolfssl-linuxkm)

The standard kernel module fetches wolfSSL from upstream GitHub and builds with comprehensive algorithm support:

bitbake wolfssl-linuxkm

This builds libwolfssl.ko against your target kernel headers. The recipe inherits module-base and autotools, handling cross-compilation automatically. Key configure flags:

--enable-linuxkm
--with-linux-source=${STAGING_KERNEL_BUILDDIR}
--enable-all-crypto
--enable-crypttests

FIPS Build (wolfssl-linuxkm-fips)

The FIPS recipe builds from the commercial wolfSSL FIPS bundle (version 5.2.4), which contains the NIST-validated cryptographic module:

bitbake wolfssl-linuxkm-fips

This requires configuring access to the commercial bundle in your local.conf or distro configuration. The recipe uses the same wolfssl-commercial.bbclass as the user-space FIPS builds, so existing FIPS bundle configurations work automatically.

Additional FIPS-specific configure flags:

--enable-fips=v5.2.4
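Because the two recipes install the same libwolfssl.ko but only the non-FIPS one adds a modules-load.d entry, an image built for one variant can silently end up without an autoloading module. The following POSIX sh script is an added example, not code from meta-wolfssl: it checks a root filesystem (a target's / or an unpacked image rootfs on the build host) for the install paths described above and flags the FIPS case that needs its own autoload entry. It assumes the non-FIPS recipe's wolfssl.conf names the module as libwolfssl.

```shell
#!/bin/sh
# Added example, not code from meta-wolfssl: post-build checks that the
# libwolfssl.ko variant an image was meant to carry is actually in place.
# Assumes the install paths given above; that wolfssl.conf names the module
# "libwolfssl" is an assumption about what the non-FIPS recipe writes.

# Where both recipes install the module for kernel $2 under rootfs $1.
wolfssl_module_path() {
    printf '%s/lib/modules/%s/extra/libwolfssl.ko\n' "$1" "$2"
}

# Pull the kernel version out of `modinfo` text on stdin (first token of
# the vermagic line); a mismatch with `uname -r` is why a module won't load.
vermagic_kernel() {
    awk '$1 == "vermagic:" { print $2; exit }'
}

# 0 if the rootfs has a modules-load.d entry for the module (systemd reads it).
wolfssl_autoload_configured() {
    [ -f "$1/etc/modules-load.d/wolfssl.conf" ] &&
        grep -q '^libwolfssl' "$1/etc/modules-load.d/wolfssl.conf"
}

# Check rootfs $1 for kernel $2 and variant $3 ("fips" or "nonfips").
# Returns 0 only when the module is present and autoload is handled.
wolfssl_check_rootfs() {
    rc=0
    mod="$(wolfssl_module_path "$1" "$2")"
    if [ -f "$mod" ]; then
        echo "ok: $mod"
    else
        echo "MISSING: libwolfssl.ko for kernel $2"; rc=1
    fi
    if wolfssl_autoload_configured "$1"; then
        echo "ok: autoload entry present"
    elif [ "$3" = fips ]; then
        # Only the non-FIPS recipe ships wolfssl.conf; a FIPS image needs
        # its own entry or must load the module from initramfs.
        echo "WARN: no autoload entry and the FIPS recipe adds none"; rc=1
    else
        echo "MISSING: /etc/modules-load.d/wolfssl.conf"; rc=1
    fi
    return "$rc"
}

# Stand-alone demo against a constructed rootfs (no real module needed).
demo="$(mktemp -d)"; mkdir -p "$demo/lib/modules/6.1.0/extra" "$demo/etc/modules-load.d"
: > "$demo/lib/modules/6.1.0/extra/libwolfssl.ko"; echo libwolfssl > "$demo/etc/modules-load.d/wolfssl.conf"
wolfssl_check_rootfs "$demo" 6.1.0 nonfips; rm -rf "$demo"
```

On a real target, `modinfo "$(wolfssl_module_path / "$(uname -r)")" | vermagic_kernel` should print the running kernel version; anything else means the module was built against different kernel headers.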

Initramfs Integration

Some embedded platforms require kernel cryptography to be available before the root filesystem mounts—for example, for encrypted root partitions or early secure boot verification. The meta-wolfssl layer provides optional helpers (wolfssl-initramfs.bbclass) to integrate wolfCrypt into initramfs, making FIPS-validated crypto available at early boot without manual initramfs modifications. This ensures seamless integration for Yocto-based projects while keeping build workflows simple.

Deciding Between User-Space and Kernel-Space Crypto

meta-wolfssl supports both user-space wolfSSL (the existing recipes) and kernel-space LinuxKM. Choosing between them depends on your requirements:

Factor      | LinuxKM (Kernel)                   | wolfSSL (User-space)
------------|------------------------------------|-------------------------
Performance | Higher (zero-copy paths)           | Good (syscall overhead)
Latency     | Lower, deterministic               | Higher, variable
Debugging   | Harder (kernel context)            | Easier (gdb, valgrind)
Deployment  | Kernel version dependent           | Portable binary
Use cases   | IPsec, dm-crypt, kTLS, early boot  | App TLS, HTTPS clients

Use LinuxKM when: you need crypto in the kernel data path (network stack, block layer, kTLS), require deterministic timing on PREEMPT_RT, need crypto before rootfs mount, or want to feed the Linux Crypto API for IPsec/dm-crypt.

Use user-space wolfSSL when: application-level TLS is sufficient, you need maximum portability, debugging convenience matters, or you’re already in user space when crypto happens.

Both can coexist: many systems use kernel crypto for network/storage and user-space crypto for application protocols.

Supported Platforms

The LinuxKM recipes have been tested with:

  • Architectures: ARM64 (AArch64), x86_64, ARM (32-bit)
  • Yocto releases: Kirkstone (LTS), Scarthgap, and later
  • Kernel versions: Linux 4.x through 6.x, including vendor kernels
  • BSPs: meta-tegra (NVIDIA Jetson), meta-freescale (NXP i.MX), meta-ti (TI Sitara), meta-raspberrypi
  • Real-time: PREEMPT_RT patched kernels

The meta-wolfssl layer, documentation, and example configurations are available at github.com/wolfSSL/meta-wolfssl.

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.
