Big news for Linux kernel module developers with crypto requirements! wolfCrypt and wolfSSL are now loadable as modules in the Linux kernel, providing the entire libwolfssl API natively to other kernel modules. For the first time on Linux, the entire TLS protocol stack can be loaded as a module, allowing fully kernel-resident TLS/DTLS endpoints with in-kernel handshaking.
Configuration and building are turnkey via the new --enable-linuxkm option, and the module can optionally be configured for cryptographic self-test at load time (POST). As with library builds, the kernel module can be configured in detail to meet application requirements, while staying within target capabilities and limitations. In particular, developers can opt to link in only the wolfCrypt suite of low-level cryptographic algorithms, or can include the full TLS protocol stack with TLS 1.3 support. When configured for AES-NI acceleration, the module delivers AES256-GCM encrypt/decrypt at better than 1 byte per cycle.
The kernel module configuration leverages our new function-complete “single precision” bignum implementation, featuring state-of-the-art performance and side-channel attack immunity. Watch this space: we’ll have a lot more to say about the many advantages of our new bignum implementation!
As a proof of concept, we have retargeted the Linux WireGuard kernel module to use wolfCrypt for all cryptography, with full interoperability, and will soon be sharing more on those results. Kernel module builds of libwolfssl will be supported in wolfSSL release 4.6, and are available immediately in our mainline GitHub repository, supporting the 3.x, 4.x, and 5.x Linux version lines on x86-64.
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.