This layer provides both Yocto and OpenEmbedded recipes for wolfSSL products and examples, as well as .bbappend files for configuring common open source packages and projects with support for wolfSSL.
This layer currently provides recipes for the following wolfSSL products:
- wolfSSL embedded SSL/TLS library
- wolfSSH lightweight SSH library
- wolfMQTT lightweight MQTT client library
- wolfTPM portable TPM 2.0 library
- wolfSSL-py A Python wrapper for the wolfSSL library
- wolfCrypt-py A Python Wrapper for the wolfCrypt API
These recipes have been tested using these versions of yocto:
- Scarthgap (v5.0)
- Nanbield (v4.3)
- Langdale (v4.1)
- Kirkstone (v4.0)
- Hardknott (v3.3)
- Gatesgarth (v3.2)
- Dunfell (v3.1)
- Zeus (v3.0)
- Thud (v2.6)
- Sumo (v2.5)
The wolfSSL library recipe is also included in the openembedded meta-networking layer, located here.
wolfSSL is a lightweight SSL/TLS library written in C and targeted at embedded and RTOS environments - primarily because of its small size, speed, and feature set. With common build sizes between 20-100kB, it is typically up to 20 times smaller than OpenSSL. Other feature highlights include support for TLS 1.3 and DTLS 1.2, full client and server support, abstraction layers for easy porting, CRL and OCSP support, key and cert generation, support for hardware cryptography modules, and much more. For a full feature list, please visit the wolfSSL product page.
Clone meta-wolfssl onto your machine:
git clone https://github.com/wolfSSL/meta-wolfssl.git
After installing your build's Yocto/OpenEmbedded components:
-
Insert the 'meta-wolfssl' layer in
build/conf/bblayers.conflocation into your build's bblayers.conf file, in the BBLAYERS section:BBLAYERS ?= " \ ... /path/to/yocto/poky/meta-wolfssl \ ... " -
Once the 'meta-wolfssl' layer has been added to your BBLAYERS collection, you have two options
-
If you want to directly add wolfSSL recipes to your image recipe proceed to step 3.
-
If you want to run
bitbake wolf*on a particular recipe then it needs to be added to the IMAGE_INSTALL. This can be done by adding the following line tolocal.conflocated inpath/to/poky/build/conf.- For Dunfell and newer versions of Yocto:
IMAGE_INSTALL:append = " wolfssl wolfssh wolfmqtt wolftpm "- For versions of Yocto older than Dunfell:
IMAGE_INSTALL_append = " wolfssl wolfssh wolfmqtt wolftpm "$ bitbake wolfssl $ bitbake wolfssh $ bitbake wolfmqtt $ bitbake wolftpm $ bitbake wolfclu - This command would result in an error
-
-
Edit your build's local.conf file to install the recipes you would like to include (ie: wolfssl, wolfssh, wolfmqtt, wolftpm)
- For Dunfell and newer versions of Yocto
IMAGE_INSTALL:append = " wolfssl wolfssh wolfmqtt wolftpm wolfclu "- For versions of Yocto older than Dunfell
IMAGE_INSTALL_append = " wolfssl wolfssh wolfmqtt wolftpm wolfclu "This will add the necassary --enable-* options necassary to use your specific combination of recipes.
If you did step 2.2 make sure you comment out recipes that you don't desire because leaving them uncommented may add unneed --enable-* options in your build, which could increase the size of the build and turn on uneeded features.
Once your image has been built, the default location for the wolfSSL library on your machine will be in the "/usr/lib" directory.
Note: If you need to install the development headers for these libraries, you will want to use the "-dev" variant of the package. For example, to install both the wolfSSL library and headers into your image, use "wolfssl-dev" along with IMAGE_INSTALL:append, ie:
- For Dunfell and newer versions of Yocto
IMAGE_INSTALL:append = "wolfssl-dev"
- For versions of Yocto older than Dunfell
IMAGE_INSTALL_append = "wolfssl-dev"
After building your image, you will find wolfSSL headers in the "/usr/include" directory and applications in "usr/bin".
Custom applications that use wolfSSL libraries may wish to enable or disable specific Autoconf/configure options when the library is compiled. This can be done through the use of an application-specific .bbappend file for the wolfSSL library.
For example, if your application wanted TLS 1.3 support compiled into the wolfSSL library, you would want to create a .bbappend file for wolfSSL in your application recipe/layer, ie:
wolfssl_%.bbappend
Inside this .bbappend file, you can use the EXTRA_OECONF variable to add additional configure options to the wolfSSL library build. For enabling TLS 1.3 this would be:
EXTRA_OECONF += "--enable-tls13"
Make sure this .bbappend file gets picked up when bitbake is compiling your application.
Support for building many open source projects with wolfSSL is included in the
various recipes-* directories. As an example, take a look at
recipes_support/curl/wolfssl_%.bbappend. This .bbappend adds --enable-curl to
the wolfSSL configuration line via EXTRA_OECONF. curl_%.bbappend sets up curl
to use wolfSSL as its crypto and TLS provider. curl_7.82.0.bbappend is a
.bbappend specifically for adding wolfSSL support to curl version 7.82.0.
In the curl project, wolfSSL is supported upstream, but other projects may not have native wolfSSL support. We've added wolfSSL support to many popular open source projects, and the patches can be found in our open source projects (OSP) repository. Several of these patches are used here. OpenSSH is one example. Under recipes-connectivity/openssh/files, you'll find a patch for OpenSSH 8.5p1 that adds wolfSSL support. One directory up in recipes-connectivity/openssh, you'll find openssh_8.5p1.bbappend which
- Adds the patch to the build.
- Removes OpenSSH's OpenSSL dependency.
- Adds the wolfSSL dependency.
- Adds
--with-wolfsslto the configuration line.
Additionally, there's another wolfssl_%.bbappend which adds --enable-openssh
to the wolfSSL configuration. This is the general pattern you'll see for other
projects that depend on wolfSSL, too.
This layer offers wolfSSL support for the following open source projects:
Several wolfSSL example application recipes are included in this layer. These include:
- wolfCrypt test application (depends on wolfssl)
- wolfCrypt benchmark application (depends on wolfssl)
The recipes for these applications are located at:
meta-wolfssl/recipes-examples/wolfcrypt/wolfcrypttest/wolfcrypttest.bb
meta-wolfssl/recipes-examples/wolfcrypt/wolfcryptbenchmark/wolfcryptbenchmark.bb
These can be compiled individually with bitbake:
$ bitbake wolfcrypttest
$ bitbake wolfcryptbenchmark
To install these applications into your image, you will need to edit your "build/conf/local.conf" file and add them to the "IMAGE_INSTALL" variable. For example, to install the wolfSSL, wolfSSH, and wolfMQTT libraries in addition to the wolfCrypt test and benchmark applications:
- For Dunfell and newer versions of Yocto
IMAGE_INSTALL:append = " wolfssl wolfssh wolfmqtt wolftpm wolfclu wolfcrypttest wolfcryptbenchmark "
- For versions of Yocto older than Dunfell
IMAGE_INSTALL_append = " wolfssl wolfssh wolfmqtt wolftpm wolfclu wolfcrypttest wolfcryptbenchmark "
When your image builds, these will be installed to the '/usr/bin' system directory. When inside your executing image, you can run them from the terminal.
Recipes can be excluded from your build by deleting their respective ".bb" file, or by deleting the recipe directory.
To use the python wrapper for wolfSSL and wolfcrypt in a yocto build it will require python3, python3-cffi and wolfSSL are built on the target system.
If you are using older version of yocto (2.x) or (3.x), you will need to download and add the meta-oe and meta-python recipes from openembedded's meta-openembedded to the image.
It will be necassary then to make sure at minimum that the IMAGE_INSTALL:append looks as follows:
-
For Dunfell and newer versions of Yocto
- if wolfSSL-py is desired on target system
IMAGE_INSTALL:append = " wolfssl wolfssl-py python3 "- if wolfCrypt-py is desired on target system
IMAGE_INSTALL:append = " wolfssl wolfcrypt-py python3 "- if wolfSSL-py and wolfCrypt-py are both desired on target system
Image_INSTALL:append = " wolfssl wolfssl-py wolfcrypt-py python3 python3-cffi" -
For versions of Yocto older than Dunfell
- if wolfSSL-py is desired on target system
IMAGE_INSTALL_append = " wolfssl wolfssl-py python3 "- if wolfCrypt-py is desired on target system
IMAGE_INSTALL_append = " wolfssl wolfcrypt-py python3 "- if wolfSSL-py and wolfCrypt-py are both desired on target system
Image_INSTALL_append = " wolfssl wolfssl-py wolfcrypt-py python3 python3-cffi"
To test the python wrapper for wolfSSL and wolfcrypt in a yocto build it will require python3, python3-pytest, python3-cffi and wolfSSL are built on the target system.
It will be necassary then to make sure at minimum that the IMAGE_INSTALL:append looks as follows:
-
If wolfSSL-py and wolfCrypt-py are both desired on target system
- For Dunfell and newer versions of Yocto
IMAGE_INSTALL:append = " wolfssl wolfssl-py wolfcrypt-py wolf-py-tests python3 python3-cffi python3-pytest"- For versions of Yocto older than Dunfell
IMAGE_INSTALL_append = " wolfssl wolfssl-py wolfcrypt-py wolf-py-tests python3 python3-cffi python3-pytest"
This places the tests in the root home directory
$ cd /home/root/wolf-py-tests/
$ ls wolfcrypt-py-test wolfssl-py-test
navigate into the desired test:
+ for wolfssl-py
```
$ cd /home/root/wolf-py-tests/wolfssl-py-test
```
+ for wolfcrypt-py
```
$ cd /home/root/wolf-py-tests/wolfcrypt-py-test
```
once in the desired test directory, begin the test by calling pytest
$ pytest
This should then result in a pass or fail for the desired suit.
If you are testing this with the core-image-minimal yocto build, make sure to add a DNS server to /etc/resolv.conf like such with root perms
echo "nameserver 8.8.8.8" >> /etc/resolv.conf
To run meta-wolfssl image on the QEMU (Quick EMUlator) you can follow these general steps. For this example we will use the Yocto Project Poky. Refer to: Yocto Project for a detailed guide.
- Initialize the Build This can be done by running these commands:
$ cd poky
$ source oe-init-build-env
This will initialize the build environment and let you run bitbake in the build directory.
- Run bitbake
Next you can run bitbake to build the OS image that you want. Make sure
you have the correct variables added in the
local.confFor this example we will runcore-image-base. Which can be built by running this comamnd from thebuilddirectoy:
$ bitbake core-image-base
This will run bitbake and build the image with your added meta-wolfssl recipes.
- Run the Image in QEMU
You can now simulate your image with the QEMU This can be done by running
the qemu that comes in your Yocto Project the default system is usually
qemux86-64but you can find what its set to by looking at yourlocal.conf. We can run this command to start the emulator:
$ runqemu qemux86-64
- Run Your Recipes
Now that you are in the QEMU you can navigate your way to the
usr/bindirectory which contains the your wolfssl your applications. Lets say we included these images in ourlocal.conf
IMAGE_INSTALL:append = " wolfssl wolfcrypttest wolfcryptbenchmark "
In that case we can run wolfcrypttest and wolfcryptbenchmark examples from
the usr/bin directory like so:
$ ./wolfcrypttest
$ ./wolfcryptbenchmark
This will run the wolfcrypt test and benchmark examples from the QEMU.
To build wolfProvider view the instructions in this README
To build wolfEngine view the instructions in this README
For building FIPS-Ready for wolfSSL view the instruction in this README
For building FIPS and/or commercial bundles of wolfSSL products view the instructions in this README.
To gain access to these bundles contact [email protected] to get a qoute.
Layer maintainers:
- wolfSSL Support ([email protected])
- Chris Conlon ([email protected])
- Jacob Barthelmeh ([email protected])
wolfSSL is open source and dual licensed under both the GPLv2 and a standard commercial license. wolfSSL also offers commercial licensing for our FIPS-validated wolfCrypt module. For commercial license questions, please contact wolfSSL at [email protected]. For product support inquiries please contact [email protected].