This image demonstrates a complete FIPS-validated Linux system using wolfSSL FIPS 140-3 certified cryptography across multiple layers:
- User-space libraries: libgcrypt and gnutls backed by wolfSSL FIPS
- OpenSSL replacement: wolfProvider in replace-default mode
- Kernel module: wolfSSL FIPS kernel module loaded via initramfs (optional)
- wolfSSL FIPS 140-3 validated cryptography
- libgcrypt with wolfSSL backend
- GnuTLS with wolfSSL backend
- wolfProvider (OpenSSL 3.x provider) in replace-default mode
- OpenSSH, curl, and other applications using FIPS crypto
- Optional: wolfSSL FIPS kernel module loaded before rootfs mount
- Comprehensive test suite with ptest support
Add to your local.conf:

```
# Enable FIPS image
WOLFSSL_DEMOS = "fips-image-minimal"

# Include FIPS configuration
require /path/to/meta-wolfssl/conf/wolfssl-fips.conf
```

To load the wolfSSL FIPS kernel module in initramfs (before the rootfs mounts), add to local.conf:

```
# FIPS initramfs configuration
INITRAMFS_IMAGE = "fips-initramfs"
INITRAMFS_IMAGE_BUNDLE = "1"
```

Why in local.conf?
- The kernel must see `INITRAMFS_IMAGE` at its build time
- Setting it only in the image recipe doesn't work because the kernel builds before the image
- This ensures the kernel bundles the initramfs with the wolfSSL FIPS kernel module
When is this needed?
- Systems requiring crypto operations before rootfs mount
- Early boot security requirements
- Kernel-space crypto dependencies on wolfSSL
- FIPS compliance requirements for kernel crypto
Your wolfssl-fips.conf should include:

```
# wolfSSL FIPS providers (user-space)
PREFERRED_PROVIDER_virtual/wolfssl = "wolfssl-fips"
PREFERRED_PROVIDER_wolfssl = "wolfssl-fips"

# wolfSSL FIPS kernel module (optional, for initramfs)
PREFERRED_PROVIDER_virtual/wolfssl-linuxkm = "wolfssl-linuxkm-fips"
PREFERRED_PROVIDER_wolfssl-linuxkm = "wolfssl-linuxkm-fips"

# FIPS bundle details
WOLFSSL_VERSION = "x.x.x"
WOLFSSL_SRC = "wolfssl-x.x.x-commercial-fips-linux"
# ... (see conf/wolfssl-fips.conf.sample for full configuration)
```

Standard build (user-space FIPS only):

```
cd /path/to/poky
source oe-init-build-env
bitbake fips-image-minimal
```

Build with the initramfs kernel module:

```
cd /path/to/poky
source oe-init-build-env

# First build: Build initramfs and kernel with it bundled
bitbake fips-initramfs
bitbake virtual/kernel -c cleansstate
bitbake fips-image-minimal

# Subsequent builds: Just rebuild the image
bitbake fips-image-minimal
```

Note: Only rebuild the kernel (cleansstate) when:
- Enabling initramfs for the first time
- Changing the `INITRAMFS_IMAGE` setting
- Updating the kernel module in `fips-initramfs`
Use the provided script:

```
source oe-init-build-env
./run-fips-qemu.sh [MACHINE]
```

Supported machines:
- qemux86-64 (default)
- qemuarm64
- qemuarm
Verify the user-space FIPS components:

```
# On target system
openssl version
wolfssl-fips-check
libgcrypt-config --version
gnutls-cli --version
```

Verify the kernel module (initramfs builds only):

```
# On target system
lsmod | grep wolfssl
dmesg | grep wolfssl
```

The kernel module should show as loaded early in the dmesg output, before the rootfs mount message.
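An added example, not part of the meta-wolfssl layer, that turns the ordering check above into a script: it scans a kernel log and reports whether the first wolfSSL line precedes the rootfs mount message. The wolfSSL message text in the constructed sample and the default `VFS: Mounted root` pattern are assumptions; pass a different pattern as the first argument if your boot logs the root mount differently (for example from an initramfs `switch_root`).

```shell
#!/bin/sh
# Added example (not from meta-wolfssl): check that the wolfSSL kernel module
# is logged before the root filesystem is mounted.
# Usage on the target:   dmesg | wolfssl_before_rootfs [ROOT_MOUNT_PATTERN]
# Exit status: 0 = module logged before the mount message (or no mount message
# seen), 1 = module logged after the mount, 2 = module never logged.
# The wolfssl message text is an assumption; "VFS: Mounted root" is the kernel
# message printed when the kernel itself mounts a block-device root.
wolfssl_before_rootfs() {
    awk -v rootpat="${1:-VFS: Mounted root}" '
        BEGIN { mod = 0; root = 0 }
        mod == 0  && tolower($0) ~ /wolfssl/  { mod = NR }
        root == 0 && index($0, rootpat) > 0   { root = NR }
        END {
            if (mod == 0)                 exit 2
            if (root == 0 || mod < root)  exit 0
            exit 1
        }'
}

# Constructed sample logs (not captured from a real target).
GOOD_LOG='[    0.501234] Run /init as init process
[    0.732100] wolfssl: loading FIPS module
[    0.733000] wolfssl: FIPS in-core integrity check passed
[    1.210000] VFS: Mounted root (ext4 filesystem) readonly on device 254:2.'

BAD_LOG='[    1.210000] VFS: Mounted root (ext4 filesystem) readonly on device 254:2.
[    2.000000] wolfssl: loading FIPS module'

# Stand-alone run: report the result for each sample log.
for name in GOOD_LOG BAD_LOG; do
    eval "log=\$$name"
    rc=0
    printf '%s\n' "$log" | wolfssl_before_rootfs || rc=$?
    printf '%s: exit status %d\n' "$name" "$rc"
done
```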
Run the test suites on the target:

```
# libgcrypt tests
ptest-runner libgcrypt

# GnuTLS tests
ptest-runner gnutls

# wolfProvider tests
wolfprovidertest
```

The image includes:

Core FIPS Libraries:
- wolfssl-fips - FIPS 140-3 validated crypto library
- libgcrypt - With wolfSSL backend
- gnutls - With wolfSSL backend
- wolfprovider - OpenSSL 3.x provider (replace-default mode)

Applications:
- openssh - SSH client/server
- curl - HTTP client with FIPS crypto
- openssl-bin - OpenSSL command-line tools

Testing Tools:
- ptest-runner - Run package tests
- wolfprovidercmd - wolfProvider command-line tests
- wolfproviderenv - Environment setup/verification
- Various ptest packages for validation

Optional (with initramfs):
- wolfssl-linuxkm-fips - Kernel module loaded via initramfs
Standard architecture (user-space FIPS only):

```
┌─────────────────────────────────────┐
│ Applications (SSH, curl, etc.)      │
├─────────────────────────────────────┤
│ OpenSSL API (wolfProvider)          │
│ GnuTLS API                          │
│ libgcrypt API                       │
├─────────────────────────────────────┤
│ wolfSSL FIPS (User-space)           │
└─────────────────────────────────────┘
```

With the initramfs kernel module:

Boot Sequence:
1. Kernel starts
2. Initramfs mounts
3. wolfssl-linuxkm-fips loads ← FIPS module in kernel
4. Root filesystem mounts
5. Applications start with user-space wolfSSL FIPS

```
┌─────────────────────────────────────┐
│ Applications (SSH, curl, etc.)      │
├─────────────────────────────────────┤
│ OpenSSL API (wolfProvider)          │
│ GnuTLS API                          │
│ libgcrypt API                       │
├─────────────────────────────────────┤
│ wolfSSL FIPS (User-space)           │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ wolfSSL FIPS (Kernel-space)         │
│ libwolfssl.ko                       │
└─────────────────────────────────────┘
```
Symptom: Kernel boots directly to rootfs, no initramfs messages in dmesg

Solution:
- Check `INITRAMFS_IMAGE` is set in `local.conf` (not just the image recipe)
- Rebuild the kernel: `bitbake virtual/kernel -c cleansstate && bitbake fips-image-minimal`
- Verify the initramfs exists: `ls tmp/deploy/images/*/fips-initramfs*.cpio*`

Symptom: `lsmod | grep wolfssl` shows nothing

Solution:
- Check the initramfs was built: `bitbake fips-initramfs -e | grep PACKAGE_INSTALL`
- Verify the module is in the initramfs: extract and check the .cpio.gz file
- Check kernel messages: `dmesg | grep -i wolf`

Symptom: FIPS self-tests fail or crypto operations fail

Solution:
- Verify the FIPS hash is correct in `wolfssl-fips.conf`
- Check the license file matches the bundle
- Ensure `WOLFSSL_SRC_DIRECTORY` or the bundle extraction is correct
- Rebuild everything: `bitbake wolfssl-fips -c cleansstate && bitbake fips-image-minimal`

Related files:
- recipes-core/images/wolfssl-linux-fips-images/fips-initramfs.bb - Initramfs recipe
- conf/wolfssl-fips.conf.sample - FIPS configuration template
- recipes-wolfssl/wolfssl/README-fips.md - wolfSSL FIPS recipe documentation
- recipes-wolfssl/wolfssl/README-linuxkm.md - Kernel module documentation
- classes/wolfssl-initramfs.bbclass - Initramfs integration helpers