Add nat20 integration test suite for linux examples

  Adds a C integration test binary (nat20_integration_test) that exercises
  the full DICE service stack via /dev/nat200. The test generates certificate
  chains across all supported key type (P-256, P-384) and format (X.509,
  COSE) permutations, verifies cryptographic signatures at each link, and
  confirms that parent_path-based issuance produces identical results to
  direct issuance after promote.

  Test structure:
  - Phase 1 (level 1): Generate CDI1, CDI2, ECA, ECA_EE certs and
    signatures using parent paths of varying depth from the UDS level.
    Verify all X.509 and COSE chains cryptographically.
  - Phase 2 (level 2): After one promote, regenerate CDI2/ECA/ECA_EE/sign
    with reduced parent path depth and assert byte-for-byte equality.
  - Phase 3 (level 3): After second promote, regenerate ECA/ECA_EE/sign
    with no parent path and assert equality.

  Also includes:
  - test_helpers.c: OpenSSL-based X.509 signature verification, public key
    extraction, COSE_Sign1 parsing and verification, CWT subject public
    key extraction, and compressed input computation.
  - nat20_qemu_init.sh: init wrapper for running tests in QEMU CI.
  - GitHub Action steps to build the rootfs and run the test suite in QEMU.
  - Buildroot package (nat20test) with OpenSSL dependency.

Author: werwurm

.github/workflows/linux-kmod-build.yml

@@ -168,3 +168,39 @@ jobs:
           find ${{ runner.temp }}/buildroot.build -name 'nat20cli' | grep -q nat20cli
           echo "nat20cli built successfully:"
           find ${{ runner.temp }}/buildroot.build -name 'nat20cli' -exec ls -la {} \;
+
+      - name: Build rootfs image
+        env:
+          NAT20LIB_OVERRIDE_SRCDIR: ${{ github.workspace }}
+          NAT20DEVICE_OVERRIDE_SRCDIR: ${{ github.workspace }}
+          NAT20CRYPTO_OVERRIDE_SRCDIR: ${{ github.workspace }}
+          NAT20SW_OVERRIDE_SRCDIR: ${{ github.workspace }}
+          LIBNAT20_OVERRIDE_SRCDIR: ${{ github.workspace }}
+          NAT20CLI_OVERRIDE_SRCDIR: ${{ github.workspace }}
+          NAT20TEST_OVERRIDE_SRCDIR: ${{ github.workspace }}
+        run: make -C ${{ runner.temp }}/buildroot.build/buildroot -j $(( $(nproc) + 1 ))
+
+      - name: Run integration tests in QEMU
+        timeout-minutes: 5
+        run: |
+          BUILDROOT_DIR="${{ runner.temp }}/buildroot.build/buildroot"
+          KERNEL="${BUILDROOT_DIR}/output/images/bzImage"
+          ROOTFS="${BUILDROOT_DIR}/output/images/rootfs.ext2"
+
+          qemu-system-x86_64 \
+            -M pc \
+            -kernel "${KERNEL}" \
+            -drive file="${ROOTFS}",if=virtio,format=raw \
+            -append "rootwait root=/dev/vda console=ttyS0 init=/usr/bin/nat20_qemu_init.sh" \
+            -nographic \
+            -no-reboot \
+            -net none \
+            2>&1 | tee qemu_output.log
+
+          if grep -q "INTEGRATION_TESTS_PASSED" qemu_output.log; then
+            echo "Integration tests passed."
+          else
+            echo "Integration tests failed. QEMU output:"
+            cat qemu_output.log
+            exit 1
+          fi

examples/linux/br_external/Config.in

@@ -39,3 +39,4 @@ source "$BR2_EXTERNAL_NAT20_PATH/package/nat20device/Config.in"
 source "$BR2_EXTERNAL_NAT20_PATH/package/nat20sw/Config.in"
 source "$BR2_EXTERNAL_NAT20_PATH/package/nat20lib/Config.in"
 source "$BR2_EXTERNAL_NAT20_PATH/package/libnat20/Config.in"
+source "$BR2_EXTERNAL_NAT20_PATH/package/nat20test/Config.in"

examples/linux/br_external/configs/qemu_br_defconfig

@@ -3982,3 +3982,4 @@ BR2_PACKAGE_NAT20DEVICE=y
 BR2_PACKAGE_NAT20SW=y
 BR2_PACKAGE_NAT20LIB=y
 BR2_PACKAGE_LIBNAT20=y
+BR2_PACKAGE_NAT20TEST=y

examples/linux/br_external/package/nat20cli/nat20cli.mk

@@ -33,6 +33,10 @@
 # along with this program; if not, see
 # <https://www.gnu.org/licenses/>.
 
+# In CI NAT20CLI_OVERRIDE_SRCDIR is set to the root of the repository,
+# so that the source under test is always the current branch.
+# Integrators who use this configuration should pin the version
+# to a specific commit or branch to avoid breakages when the main branch changes.
 NAT20CLI_VERSION = origin/main
 NAT20CLI_SITE = https://github.com/aurora-opensource/libnat20.git
 NAT20CLI_SITE_METHOD = git

examples/linux/br_external/package/nat20test/Config.in

@@ -0,0 +1,41 @@
+# Copyright 2026 Aurora Operations, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0
+#
+# This work is dual licensed.
+# You may use it under Apache-2.0 or GPL-2.0 at your option.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# OR
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see
+# <https://www.gnu.org/licenses/>.
+
+config BR2_PACKAGE_NAT20TEST
+    bool "nat20cli"
+    depends on BR2_PACKAGE_LIBNAT20
+    depends on BR2_PACKAGE_OPENSSL
+    help
+        Enable building the nat20test, an integration test for ant20device with nat20sw.

examples/linux/br_external/package/nat20test/nat20test.mk

@@ -0,0 +1,51 @@
+# Copyright 2026 Aurora Operations, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0
+#
+# This work is dual licensed.
+# You may use it under Apache-2.0 or GPL-2.0 at your option.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# OR
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see
+# <https://www.gnu.org/licenses/>.
+
+# In CI NAT20TEST_OVERRIDE_SRCDIR is set to the root of the repository,
+# so that the source under test is always the current branch.
+# Integrators who use this configuration should pin the version
+# to a specific commit or branch to avoid breakages when the main branch changes.
+NAT20TEST_VERSION = origin/main
+NAT20TEST_SITE = https://github.com/aurora-opensource/libnat20.git
+NAT20TEST_SITE_METHOD = git
+NAT20TEST_LICENSE = Apache-2.0 OR GPL-2.0
+NAT20TEST_LICENSE_FILES = LICENSE-Apache-2.0.txt LICENSE-GPL-2.0.txt
+
+NAT20TEST_SUBDIR = examples/linux/nat20test
+
+NAT20TEST_INSTALL_TARGET = YES
+NAT20TEST_DEPENDENCIES += libnat20 openssl
+
+$(eval $(cmake-package))

examples/linux/br_external/utils/envsetup.sh

@@ -51,6 +51,7 @@ export NAT20CRYPTO_OVERRIDE_SRCDIR="$LIBNAT20_ROOT"
 export NAT20SW_OVERRIDE_SRCDIR="$LIBNAT20_ROOT"
 export NAT20DEVICE_OVERRIDE_SRCDIR="$LIBNAT20_ROOT"
 export NAT20LIB_OVERRIDE_SRCDIR="$LIBNAT20_ROOT"
+export NAT20TEST_OVERRIDE_SRCDIR="$LIBNAT20_ROOT"
 export LIBNAT20_OVERRIDE_SRCDIR="$LIBNAT20_ROOT"
 
 function ensure_popd() {
@@ -79,13 +80,14 @@ function brrebuild() {
         echo "  nat20device  - Rebuild the nat20device module"
         echo "  nat20sw      - Rebuild the nat20sw module"
         echo "  nat20lib     - Rebuild the nat20lib library"
+        echo "  nat20test    - Rebuild the nat20device integration test"
         popd
         return 1
     fi
 
     case "$1" in
         all)
-            ensure_popd make linux-rebuild nat20lib-rebuild nat20crypto-rebuild nat20device-rebuild nat20sw-rebuild libnat20-rebuild nat20cli-rebuild all
+            ensure_popd make linux-rebuild nat20lib-rebuild nat20crypto-rebuild nat20device-rebuild nat20sw-rebuild libnat20-rebuild nat20cli-rebuild nat20test-rebuild all
             ;;
         *)
             ensure_popd make $1-rebuild all

examples/linux/nat20test/CMakeLists.txt

@@ -0,0 +1,82 @@
+# Copyright 2026 Aurora Operations, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0
+#
+# This work is dual licensed.
+# You may use it under Apache-2.0 or GPL-2.0 at your option.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# OR
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see
+# <https://www.gnu.org/licenses/>.
+
+cmake_minimum_required(VERSION 3.22)
+
+project(NAT20TEST VERSION 0.0.1 LANGUAGES C)
+
+# The C standard shall be C11.
+set(CMAKE_C_STANDARD 11)
+
+# CMake shall generate a compile_commands.json file for
+# the benfit of clangd based IDE support.
+set(CMAKE_EXPORT_COMPILE_COMMANDS ON)
+
+
+###################################################################################################
+# Integration test binary — exercises the nat20 DICE service via /dev/nat200.
+add_executable(nat20_integration_test)
+
+find_package(LibNat20 REQUIRED)
+find_package(OpenSSL REQUIRED)
+
+target_sources(nat20_integration_test
+PRIVATE test/nat20_integration_test.c
+PRIVATE test/test_helpers.c
+)
+
+target_include_directories(nat20_integration_test
+    PRIVATE test
+)
+
+target_link_libraries(nat20_integration_test
+PRIVATE LibNat20::nat20
+PRIVATE LibNat20::nat20_service
+PRIVATE LibNat20::nat20_crypto_nat20
+PRIVATE OpenSSL::Crypto
+)
+
+target_compile_options(nat20_integration_test
+PRIVATE -pedantic
+PRIVATE -Wall
+PRIVATE -Wextra
+PRIVATE -Werror
+)
+
+install(TARGETS nat20_integration_test RUNTIME DESTINATION bin)
+install(PROGRAMS nat20test.sh DESTINATION bin)
+install(PROGRAMS nat20_qemu_init.sh DESTINATION bin)
+
+###################################################################################################

examples/linux/nat20test/nat20_qemu_init.sh

@@ -0,0 +1,60 @@
+#!/bin/sh
+
+# Copyright 2026 Aurora Operations, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0
+#
+# This work is dual licensed.
+# You may use it under Apache-2.0 or GPL-2.0 at your option.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# OR
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see
+# <https://www.gnu.org/licenses/>.
+
+# Init wrapper for running nat20clitest.sh in a QEMU VM.
+# This script is intended to be used as the init process (PID 1).
+# It mounts the necessary filesystems, runs the test suite, prints
+# a machine-parseable result marker, and powers off the VM.
+
+export PATH="/usr/bin:/bin:/sbin:/usr/sbin"
+
+mount -t proc none /proc
+mount -t sysfs none /sys
+mount -t tmpfs none /tmp
+
+cd /tmp
+
+nat20test.sh
+rc=$?
+
+if [ $rc -eq 0 ]; then
+    echo "INTEGRATION_TESTS_PASSED"
+else
+    echo "INTEGRATION_TESTS_FAILED (exit code: $rc)"
+fi
+
+poweroff -f

examples/linux/nat20test/nat20test.sh

@@ -0,0 +1,46 @@
+#!/bin/sh
+
+# Copyright 2026 Aurora Operations, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0
+#
+# This work is dual licensed.
+# You may use it under Apache-2.0 or GPL-2.0 at your option.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# OR
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see
+# <https://www.gnu.org/licenses/>.
+
+set -e
+
+SCRIPT_DIR="$(dirname "$0")"
+
+modprobe nat20sw
+mount -t securityfs none /sys/kernel/security
+
+echo "Running integration test suite..."
+"${SCRIPT_DIR}/nat20_integration_test"