wolfSSL · MarkAtwood · Apr 17, 2026 · Copilot · Apr 17, 2026 · Copilot
diff --git a/README.md b/README.md
@@ -162,6 +162,14 @@ under `/lib/modules/` where the target kernel's modules are installed.
 The `genkey` and `pubkey` ops in the final line are basic functionality tests.
 If all is well, it will succeed, and print a random public key.
 
+**Note:** When the `wolfguard.ko` kernel module is loaded, `wg genkey` (and
+`wg-fips genkey`) offloads key generation to the kernel module via netlink and
+therefore requires `CAP_NET_ADMIN`.  Non-root users will receive a permission
+error.  To resolve this, either run as root or via `sudo`, or build `wg-fips`
+with `NO_IPC_LLCRYPTO=1` (which selects the userspace key generation path), or
+grant the `wg-fips` binary the `cap_net_admin` file capability
+(`setcap cap_net_admin+ep wg-fips`).
-**Note:** When the `wolfguard.ko` kernel module is loaded, `wg genkey` (and
-`wg-fips genkey`) offloads key generation to the kernel module via netlink and
-therefore requires `CAP_NET_ADMIN`.  Non-root users will receive a permission
-error.  To resolve this, either run as root or via `sudo`, or build `wg-fips`
-with `NO_IPC_LLCRYPTO=1` (which selects the userspace key generation path), or
-grant the `wg-fips` binary the `cap_net_admin` file capability
-(`setcap cap_net_admin+ep wg-fips`).
+**Note:** When the `wolfguard.ko` kernel module is loaded, `wg genkey` and
+`wg-fips genkey` offload key generation to the kernel module via netlink and
+therefore require `CAP_NET_ADMIN`.  Non-root users will receive a permission
+error.  To resolve this, either run as root or via `sudo`, build the binary
+you are using with `NO_IPC_LLCRYPTO=1` (which selects the userspace key
+generation path), or grant that binary the `cap_net_admin` file capability,
+for example `sudo setcap cap_net_admin+ep wg-fips` or, if your install exposes
+the tool as `wg`, `sudo setcap cap_net_admin+ep wg`.
-**Note:** When the `wolfguard.ko` kernel module is loaded, `wg genkey` (and
-`wg-fips genkey`) offloads key generation to the kernel module via netlink and
-therefore requires `CAP_NET_ADMIN`.  Non-root users will receive a permission
-error.  To resolve this, either run as root or via `sudo`, or build `wg-fips`
-with `NO_IPC_LLCRYPTO=1` (which selects the userspace key generation path), or
-grant the `wg-fips` binary the `cap_net_admin` file capability
-(`setcap cap_net_admin+ep wg-fips`).
+**Note:** When the `wolfguard.ko` kernel module is loaded, `wg genkey` and
+`wg-fips genkey` offload key generation to the kernel module via netlink and
+therefore require `CAP_NET_ADMIN`.  Non-root users will receive a permission
+error.  To resolve this, either run as root or via `sudo`, build the binary
+you are using with `NO_IPC_LLCRYPTO=1` (which selects the userspace key
+generation path), or grant that binary the `cap_net_admin` file capability,
+for example `sudo setcap cap_net_admin+ep wg-fips` or, if your install exposes
+the tool as `wg`, `sudo setcap cap_net_admin+ep wg`.
+
 As for the `wg-fips` build above, compressed public key support can be enabled
 by adding `EXTRA_CFLAGS=-DWG_USE_PUBLIC_KEY_COMPRESSION` to the above `make`
 recipe.  The `WG_USE_PUBLIC_KEY_COMPRESSION` setting must be matched throughout
@@ -296,6 +304,14 @@ $ ../user-src/wg-fips genkey | ../user-src/wg-fips pubkey
 The `genkey` and `pubkey` ops in the final line are basic functionality tests.
 If all is well, it will succeed, and print a random public key.
 
+**Note:** When the `wolfguard.ko` kernel module is loaded, `wg genkey` (and
+`wg-fips genkey`) offloads key generation to the kernel module via netlink and
+therefore requires `CAP_NET_ADMIN`.  Non-root users will receive a permission
+error.  To resolve this, either run as root or via `sudo`, or build `wg-fips`
+with `NO_IPC_LLCRYPTO=1` (which selects the userspace key generation path), or
+grant the `wg-fips` binary the `cap_net_admin` file capability
+(`setcap cap_net_admin+ep wg-fips`).
+
 As with the non-FIPS-certified procedure, if all of the above succeeds, then you
 are now ready to bring up WolfGuard tunnels.  Existing playbooks and scripting
 for WireGuard can be used directly, provided you substitute `/etc/wolfguard` for

diff --git a/kernel-src/netlink.c b/kernel-src/netlink.c
@@ -876,6 +876,13 @@ struct genl_ops genl_ops[] = {
 #endif
 		.flags = GENL_UNS_ADMIN_PERM
 	}, {
+		/* Key generation is offloaded to the kernel module and
+		 * therefore requires CAP_NET_ADMIN.  Users without this
+		 * privilege should either run via sudo/root, or build
+		 * with NO_IPC_LLCRYPTO=1 to use the userspace key
+		 * generation path, or ensure the wg-fips binary has the
+		 * appropriate file capabilities set (e.g. cap_net_admin+ep).
-		 * generation path, or ensure the wg-fips binary has the
-		 * appropriate file capabilities set (e.g. cap_net_admin+ep).
+		 * generation path, or ensure the userspace client binary
+		 * (e.g. wg/wg-fips) has the appropriate file capabilities
+		 * set (e.g. cap_net_admin+ep).
-		 * generation path, or ensure the wg-fips binary has the
-		 * appropriate file capabilities set (e.g. cap_net_admin+ep).
+		 * generation path, or ensure the userspace client binary
+		 * (e.g. wg/wg-fips) has the appropriate file capabilities
+		 * set (e.g. cap_net_admin+ep).
+		 */
 		.cmd = WG_CMD_GEN_PRIVKEY,
 		.doit = wg_nl_generate_privkey,
 		.policy = device_policy,

diff --git a/kernel-src/wolfcrypt_glue.c b/kernel-src/wolfcrypt_glue.c
@@ -1196,6 +1196,10 @@ int wc_linuxkm_drbg_generate(struct wc_linuxkm_drbg_ctx *ctx,
 retry:
 
 #if defined(HAVE_FIPS) && FIPS_VERSION_LT(6,0)
+    /* FIPS v5 does not expose an API to externally reseed the DRBG.
+     * The entropy input is therefore discarded here.  The DRBG output
+     * remains safe: it was properly seeded at initialization time.
+     */
     (void)src;
     (void)slen;
 #else