Getting FIPS-validated cryptography onto an embedded Linux platform typically involves stitching together kernel modules, userspace libraries, and build system configurations by hand. Now, the meta-wolfssl layer provides a turnkey Yocto build environment that produces a fully integrated wolfSSL FIPS image, from kernel crypto to OpenSSL, GnuTLS, and libgcrypt. You can try it yourself with our FIPS-Ready Package to simulate a FIPS-compliant system.
When FIPS is enabled, a built image can include:
- The wolfSSL FIPS cryptographic library.
- The wolfSSL FIPS kernel module, set up to load at early boot via initramfs, with LKCAPI algorithm registration.
- A kernel randomness patch routing /dev/urandom through wolfSSL’s DRBG.
- wolfProvider, an OpenSSL 3.x provider running in a replace-default mode, ensuring every application linked against OpenSSL uses wolfSSL FIPS cryptography.
- Backend integrations for libgcrypt and GnuTLS, ensuring those libraries also use wolfSSL under the hood.
These recipes are designed to drop into any Yocto Scarthgap (5.0) project. Simply add the layer to your bblayers.conf, include the FIPS configuration, and BitBake handles the rest.
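After booting the resulting image, one way to confirm that the kernel module's LKCAPI registration took effect is to check which driver wins each algorithm in /proc/crypto. The script below is an added example, not code from wolfSSL or the meta-wolfssl layer; the `wolfcrypt` marker and the sample entries are assumptions constructed for illustration, so confirm the driver names on your own build.

```shell
# Added example, not wolfSSL project code: per algorithm, find the
# highest-priority driver in /proc/crypto-format text and check its name.

lkcapi_winners() {
    # $1 = marker substring (assumption: identifies the FIPS module's
    # driver names on your build). Reads /proc/crypto-format text on stdin.
    # Prints "<algorithm> <winning driver> <priority> OK|OTHER", sorted.
    awk -v marker="$1" '
        $1 == "name"     { name = $3 }
        $1 == "driver"   { driver = $3 }
        $1 == "priority" {
            prio = $3 + 0
            if (!(name in best) || prio > best[name]) {
                best[name] = prio; win[name] = driver
            }
        }
        END {
            for (n in best) {
                status = (index(win[n], marker) > 0) ? "OK" : "OTHER"
                print n, win[n], best[n], status
            }
        }' | LC_ALL=C sort
}

lkcapi_check() {
    # Exit status 0 only when every algorithm's winner carries the marker.
    ! lkcapi_winners "$1" | grep -q ' OTHER$'
}

sample_proc_crypto() {
    # Constructed sample; driver names and priorities are illustrative.
    cat <<'EOF'
name         : sha256
driver       : sha256-generic
priority     : 100
name         : sha256
driver       : sha256-wolfcrypt
priority     : 100000
name         : cbc(aes)
driver       : cbc-aes-wolfcrypt
priority     : 100000
name         : hmac(sha256)
driver       : hmac-sha256-generic
priority     : 100
EOF
}

# On a target: lkcapi_winners wolfcrypt < /proc/crypto
sample_proc_crypto | lkcapi_winners wolfcrypt
```

An `OTHER` row means the kernel would select a non-matching implementation for that algorithm, which is the case to investigate before treating the image as using the FIPS module for kernel crypto.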
Example Project: meta-wolfssl-linux-fips
To demonstrate how this comes together on real hardware, we created an example project that builds a complete FIPS-Ready Linux image for the Raspberry Pi 5 (and QEMU aarch64). This standalone reference is separate from the meta-wolfssl layer itself. It shows how to integrate the layer’s recipes into a working system, serving as a starting point for your own evaluation or for adaptation to different hardware.
How the Example Project Is Organized
The example project uses a local overrides layer (meta-wolfssl-overrides) on top of the upstream meta-wolfssl recipes. This keeps the upstream layer untouched while demonstrating how to:
- Define image recipes that extend core-image-base with the full FIPS stack.
- Apply kernel bbappends for FIPS crypto config and the wolfSSL randomness patch.
- Inject the wolfSSL kernel module into the initramfs for early boot loading.
- Wire libgcrypt, GnuTLS, OpenSSL, curl, and OpenSSH to use wolfSSL as their crypto backend.
This two-layer approach is the pattern we recommend for anyone integrating wolfSSL FIPS into their own Yocto project. Your product-specific configuration lives in your own overrides layer, keeping the upstream recipes clean. As a result, this pattern is highly portable and repeatable. The wolfSSL recipes, wolfProvider configuration, and userspace library integrations remain the same regardless of the target hardware. Bringing up a new board is primarily a matter of adjusting the machine and kernel configuration.
Ready to get started?
If you have questions about this implementation or need assistance with your specific hardware, please contact us at facts@wolfssl.com or +1 425 245 8247.

