{"id":35252075,"url":"https://github.com/embetrix/meta-oqs","last_synced_at":"2026-04-02T02:08:13.709Z","repository":{"id":270883512,"uuid":"909722016","full_name":"embetrix/meta-oqs","owner":"embetrix","description":"OpenEmbedded/Yocto layer dedicated to Post-Quantum Cryptography providing experimental integration of quantum-safe algorithms to embedded linux","archived":false,"fork":false,"pushed_at":"2026-03-07T11:19:06.000Z","size":222,"stargazers_count":24,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"scarthgap","last_synced_at":"2026-03-07T17:43:49.038Z","etag":null,"topics":["crypto-agility","cryptography","embedded-linux","embedded-systems","open-quantum-safe","openembedded","oqs","post-quantum-cryptography","pqcrypto","security","yocto"],"latest_commit_sha":null,"homepage":"","language":"BitBake","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/embetrix.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-12-29T15:35:06.000Z","updated_at":"2026-03-07T11:19:09.000Z","dependencies_parsed_at":"2025-01-03T19:35:13.293Z","dependency_job_id":"d0b26e7a-e096-4883-be7d-2f9243af0745","html_url":"https://github.com/embetrix/meta-oqs","commit_stats":null,"previous_names":["embetrix/meta-pqc","embetrix/meta-oqs"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/embetrix/meta-oqs","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/embetrix%2Fmeta-oqs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/embetrix%2Fmeta-oqs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/embetrix%2Fmeta-oqs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/embetrix%2Fmeta-oqs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/embetrix","download_url":"https://codeload.github.com/embetrix/meta-oqs/tar.gz/refs/heads/scarthgap","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/embetrix%2Fmeta-oqs/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31294398,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-02T01:43:37.129Z","status":"online","status_checked_at":"2026-04-02T02:00:08.535Z","response_time":89,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["crypto-agility","cryptography","embedded-linux","embedded-systems","open-quantum-safe","openembedded","oqs","post-quantum-cryptography","pqcrypto","security","yocto"],"created_at":"2025-12-30T06:56:03.092Z","updated_at":"2026-04-02T02:08:13.701Z","avatar_url":"https://github.com/embetrix.png","language":"BitBake","funding_links":[],"categories":[],"sub_categories":[],"readme":"# meta-oqs\n\nThis layer is an OpenEmbedded/Yocto layer dedicated to Open Quantum Safe, providing experimental integration and testing of quantum-safe cryptographic algorithms for embedded Linux systems.\n\n\n## OQS (Open Quantum Safe)\n\nThe Open Quantum Safe (OQS) project aims to develop and integrate quantum-resistant cryptographic algorithms. These algorithms are designed to be secure against the potential future threat of quantum computers. The OQS project provides a C library, liboqs, which includes implementations of various quantum-safe algorithms.\n\nOQS implements the latest [NIST-approved Post-Quantum Cryptography pqc algorithms](https://csrc.nist.gov/projects/post-quantum-cryptography).\n\nFor more information, visit the [Open Quantum Safe website](https://openquantumsafe.org).\n\n\u003e **Note:** While OpenSSL 3.5.x has added native support for NIST-approved PQC algorithms `liboqs` goes further by also including algorithms currently under evaluation in future NIST standardization rounds. Additionally `liboqs` is not tied to OpenSSL since it provides a standalone C library with bindings for different programming languages making it usable across different applications. More importantly the `oqs-provider` detects if OpenSSL 3.5+ is in use and automatically disables its own ML-KEM/ML-DSA implementations and deferring to OpenSSL's native code which is considered higher quality and more stable.\n\n**Disclaimer:** The OQS project and `liboqs` are **experimental** and should not be used in production environments. The implementations may contain security vulnerabilities and have not undergone the same level of auditing as established cryptographic libraries. Side-channel and timing attacks are not part of the OQS threat model. See the [liboqs security policy](https://github.com/open-quantum-safe/liboqs/security) for more details.\n\n\n## Architecture Overview\n\n```\n    +-------------------------------+        +--------------------------------+\n    |  OpenSSL-based Applications   |        |    Non-OpenSSL Applications    |\n    | (NGINX, OpenSSH, curl, MQTT)  |        | (C, C++, Rust, Python, Go...)  |\n    +---------------+---------------+        +---------------+----------------+\n                    |                                        |\n                    v                                        |\n            +---------------+                                |\n            |  OpenSSL 3.x  |                                |\n            +-------+-------+                                |\n                    |                                        |\n                    v                                        |\n            +---------------+                                |\n            | oqs-provider  |                                |\n            +-------+-------+                                |\n                    |                                        |\n                    +-----------------+    +-----------------+\n                                      |    |\n                                      v    v\n                                +----------------+\n                                |     liboqs     |\n                                +-------+--------+\n                                        |\n                                        v\n                                +----------------+\n                                | PQC Algorithms |\n                                +----------------+\n```\n\n## Configuration\n\nThis layer can be integrated in your layer(s) or built standalone using [kas-tool](https://github.com/siemens/kas):\n\nTo Enable `OpenSSL` with oqs support using `oqs-provider` you should set: \n\n`DISTRO_FEATURES:append = \" oqs\"`\n\nThis will make `OpenSSL` aware of Hybrid/PQC algorithms and set the default TLS group to:\n\n  `X25519MLKEM768:mlkem768:x25519:prime256v1:x448:secp521r1:secp384r1`\n\nAlso enables `OpenSSH` (fork from [open-quantum-safe/openssh](https://github.com/open-quantum-safe/openssh)) with Hybrid and pure PQC key exchange support on top of classical algorithms.\n\n**Recommendation:** Hybrid key exchange such as `X25519MLKEM768` is the recommended approach as PQC algorithms are still maturing. Hybrid combines a classical algorithm `X25519` with a post-quantum one `MLKEM-768` providing the best balance between quantum resistance if PQC hold and classical security as a fallback if it doesn't.\n\n## Language Bindings\n\nThis layer provides OQS bindings for multiple languages:\n\n| Language | Recipe | Description |\n|----------|--------|-------------|\n| *C* | [`liboqs`](recipes-crypto/liboqs) | Core PQC library, includes `oqs_test_*` and `oqs_speed_*` binaries for testing and benchmarking |\n| *C++* | [`liboqs-cpp`](recipes-crypto/liboqs-cpp) | C++ bindings, ships example binaries: `oqs_cpp_rand`, `oqs_cpp_kem`, `oqs_cpp_sig` |\n| *GO* | [`liboqs-go`](recipes-crypto/liboqs-go) | GO bindings, ships example binaries: `oqs_go_rand`, `oqs_go_kem`, `oqs_go_sig` |\n| *Python* | [`python3-liboqs`](recipes-devtools/python) | Python 3 bindings, ships example scripts: `oqs_python_rand`, `oqs_python_kem`, `oqs_python_sig` |\n| *Rust* | [`liboqs-rust`](recipes-crypto/liboqs-rust) | Rust crate bindings built with clang ships `rlib` artifacts |\n\n\n## OQS Speed Tests\nThe [`liboqs`](recipes-crypto/liboqs) recipe builds and installs the `oqs_speed_kem` and `oqs_speed_sig` benchmarking binaries (from the `liboqs-tests` package). These can be used on target to measure the performance of all available KEM and signature algorithms on the target.\n\n## OQS Demos\n\nThe [`oqs-demos`](recipes-support/oqs-demos) recipe provides ready-to-use demonstration configurations for PQC/Hybrid TLS and VPN scenarios:\n\n- *`Device certificates`*:  [`device-certs`](recipes-support/oqs-demos/files/device-certs.sh) script with a systemd unit that generates device certificates (Classical/PQC) signed by the bundled CAs.\n  \u003e **Warning:** The bundled Root CA keys (`ca-key.pem`, `pqc-ca-key.pem`) are public and part of the demo. **not** to use them for production !\n- *`Nginx`*:  Server configurations for classical, hybrid and pure PQC TLS on ports `443`|`444`|`445`\n- *`OpenVPN`*: Server configurations for classical, hybrid and pure PQC tunnels on ports `1194`|`1195`|`1196` \n- *`Mosquitto`*: MQTT broker configurations for classical, hybrid and pure PQC TLS on ports `8883`|`8884`|`8885` \n- *`Hostname Setup`*: Automatically sets a unique hostname on boot based on MAC address ensuring distinct identities for fleets of devices.\n- *`TLS handshake benchmark`*: [`tls-handshake-bench`](recipes-support/oqs-demos/files/tls-handshake-bench.sh) script to measure TLS handshake latency using curl over multiple rounds\n\n\u003e **Note:** Hybrid and pure PQC key exchange on ports `444`|`445` for Nginx, `1195`|`1196` for OpenVPN and `8884`|`8885` for MQTT require both endpoints to have PQC support enabled. To connect from a host without `oqs-provider`, you can use the [oqs-docker](https://github.com/embetrix/oqs-docker) container as a PQC-enabled client.\n\nFor further demo commands (PQC Signature, Curl, SSH, OpenVPN, MQTT) see the [GUIDES](GUIDES.md).\n\n### Quick Test \n\n#### Hybrid TLS Handshake with Google\n\nGoogle servers already support `X25519MLKEM768` hybrid key exchange. You can verify it's working from your target:\n\n\u003cpre\u003e\nroot@raspberrypi5-c8-bf-64:~# curl -v https://google.com\n* Host google.com:443 was resolved.\n* IPv4: 142.250.201.78\n*   Trying 142.250.201.78:443...\n* Connected to google.com (142.250.201.78) port 443\n* ALPN: curl offers http/1.1\n* TLSv1.3 (OUT), TLS handshake, Client hello (1):\n*  CAfile: /etc/ssl/certs/ca-certificates.crt\n*  CApath: none\n* TLSv1.3 (IN), TLS handshake, Server hello (2):\n* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):\n* TLSv1.3 (IN), TLS handshake, Certificate (11):\n* TLSv1.3 (IN), TLS handshake, CERT verify (15):\n* TLSv1.3 (IN), TLS handshake, Finished (20):\n* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):\n* TLSv1.3 (OUT), TLS handshake, Finished (20):\n\u003cmark\u003e* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / id-ecPublicKey\u003c/mark\u003e\n* ALPN: server accepted http/1.1\n* Server certificate:\n*  subject: CN=*.google.com\n*  start date: Feb  2 08:36:42 2026 GMT\n*  expire date: Apr 27 08:36:41 2026 GMT\n*  subjectAltName: host \"google.com\" matched cert's \"google.com\"\n*  issuer: C=US; O=Google Trust Services; CN=WE2\n*  SSL certificate verify ok.\n*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA256\n*   Certificate level 1: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384\n*   Certificate level 2: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using ecdsa-with-SHA384\n* using HTTP/1.x\n\u003e GET / HTTP/1.1\n\u003e Host: google.com\n\u003e User-Agent: curl/8.7.1\n\u003e Accept: */*\n\u003c/pre\u003e\n\n#### Hybrid TLS with Chrome Browser\n\nChrome natively supports `X25519MLKEM768` hybrid key exchange. You can connect from your browser to the target's Nginx hybrid TLS server:\n\n1. Open url: `https://\u003ctarget-ip\u003e:444`\n2. Accept the self-signed certificate warning\n3. Click the lock icon → **Connection is secure** → **Certificate** to verify the connection details\n4. Open DevTools (`F12`) → **Security** tab to confirm the used key exchange:\n\n\u003cp align =\"left\"\u003e\u003cimg src=images/chrome.png width=712 height=180 /\u003e\u003c/p\u003e\n\n## Build\n\nUsing [kas](https://kas.readthedocs.io/en/latest/userguide/getting-started.html):\n\n```sh\nKAS_MACHINE=\u003cMACHINE\u003e kas build kas-oqs.yml\n```\n\nor using [kas-container](https://kas.readthedocs.io/en/latest/userguide/kas-container.html#building-in-a-container) (requires [Docker](https://docs.docker.com/engine/install/)):\n\n```sh\nKAS_MACHINE=\u003cMACHINE\u003e kas-container build kas-oqs.yml\n```\n\nfor example:\n\n```sh\nKAS_MACHINE=raspberrypi5 kas build kas-oqs.yml\n```\n\nor\n\n```sh\nKAS_MACHINE=raspberrypi5 kas-container build kas-oqs.yml\n```\n\n## Prepare SDCard\n\nFlash image on a SD Card using [bmap-tool](https://github.com/yoctoproject/bmaptool):\n\n```sh\nsudo bmaptool copy \\\n     build/tmp/deploy/images/\u003cMACHINE\u003e/oqs-demo-image-\u003cMACHINE\u003e.rootfs-\u003cVERSION\u003e.wic.bz2 \\\n     /dev/mmcblk0\n```\n\n## Emulation with Qemu\n\nBuild for `qemux86-64`:\n```sh\nKAS_MACHINE=qemux86-64 kas build kas-oqs.yml\n```\n\nRun:\n```sh\nKAS_MACHINE=qemux86-64 kas shell kas-oqs.yml -c 'runqemu kvm serialstdio nographic qemuparams=\"-m 1024\"'\n```\n\n## Tested Machines\n\n| Machine | BSP Layer | CPU | Core | Arch | PQC Optimized |\n|---------|-----------|-----|------|------|:----------------:|\n| `qemux86-64` | [poky](https://git.yoctoproject.org/poky/log/?h=scarthgap) | Generic x86-64 | core2 | x86_64 | Yes |\n| `beaglebone-yocto` | [poky](https://git.yoctoproject.org/poky/log/?h=scarthgap) | TI AM335x | Cortex-A8 | ARMv7 | No |\n| `raspberrypi5` | [meta-raspberrypi](https://github.com/agherzan/meta-raspberrypi/tree/scarthgap) | BCM2712 | Cortex-A76 | AArch64 | Yes |\n| `raspberrypi4-64` | [meta-raspberrypi](https://github.com/agherzan/meta-raspberrypi/tree/scarthgap) | BCM2711 | Cortex-A72 | AArch64 | Yes |\n| `stm32mp157f-dk2` | [meta-stm32mp15x](https://github.com/embetrix/meta-stm32mp15x/tree/scarthgap) | STM32MP157F | Cortex-A7 | ARMv7 | No |\n| `imx8mq-phanbell` | [meta-coral-ai](https://github.com/embetrix/meta-coral-ai/tree/scarthgap) | NXP i.MX 8M Quad | Cortex-A53 | AArch64 | Yes |\n| `wandboard` | [meta-freescale-3rdparty](https://github.com/Freescale/meta-freescale-3rdparty/tree/scarthgap) | NXP i.MX 6 | Cortex-A9 | ARMv7 | No |\n\n\u003e **Note:** *PQC Optimized* indicates whether `liboqs` is built with architecture-specific optimizations: AVX/SSE/AES-NI on x86_64 and NEON/AES/SHA2/SHA3 on AArch64. Other targets use generic software (non-optimized) implementations.\n\n## Layer Dependencies\n\nThis layer depends on:\n\n- [`meta-openembedded`](https://github.com/openembedded/meta-openembedded/tree/scarthgap) (`meta-oe`, `meta-python`, `meta-networking`, `meta-webserver`)\n- [`meta-clang`](https://github.com/kraj/meta-clang/tree/scarthgap) (clang toolchain)\n- [`meta-lts-mixins`](https://git.yoctoproject.org/meta-lts-mixins/log/?h=scarthgap/rust) (newer Rust toolchain for scarthgap)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fembetrix%2Fmeta-oqs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fembetrix%2Fmeta-oqs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fembetrix%2Fmeta-oqs/lists"}