Add nat20 integration test suite for linux examples (#105)

Adds a C integration test binary (nat20_integration_test) that exercises
the full DICE service stack via /dev/nat200. The test generates
certificate
  chains across all supported key type (P-256, P-384) and format (X.509,
COSE) permutations, verifies cryptographic signatures at each link, and
  confirms that parent_path-based issuance produces identical results to
  direct issuance after promote.

  Test structure:
  - Phase 1 (level 1): Generate CDI1, CDI2, ECA, ECA_EE certs and
    signatures using parent paths of varying depth from the UDS level.
    Verify all X.509 and COSE chains cryptographically.
- Phase 2 (level 2): After one promote, regenerate CDI2/ECA/ECA_EE/sign
    with reduced parent path depth and assert byte-for-byte equality.
  - Phase 3 (level 3): After second promote, regenerate ECA/ECA_EE/sign
    with no parent path and assert equality.

  Also includes:
- test_helpers.c: OpenSSL-based X.509 signature verification, public key
    extraction, COSE_Sign1 parsing and verification, CWT subject public
    key extraction, and compressed input computation.
  - nat20_qemu_init.sh: init wrapper for running tests in QEMU CI.
- GitHub Action steps to build the rootfs and run the test suite in
QEMU.
  - Buildroot package (nat20test) with OpenSSL dependency.

---------

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Author: werwurm

.github/workflows/linux-kmod-build.yml

@@ -49,7 +49,7 @@ jobs:
     steps:
       - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b #v4.1.5
 
-      - name: Install Buildroot dependencies
+      - name: Install build and test dependencies
         run: |
           sudo apt-get update
           sudo apt-get install -y \
@@ -60,6 +60,7 @@ jobs:
             git \
             libncurses-dev \
             python3 \
+            qemu-system-x86 \
             rsync \
             unzip \
             wget
@@ -152,3 +153,38 @@ jobs:
           find ${{ runner.temp }}/buildroot.build -name 'libnat20.a' | grep -q libnat20.a
           echo "libnat20.a built successfully:"
           find ${{ runner.temp }}/buildroot.build -name 'libnat20.a' -exec ls -la {} \;
+
+      - name: Build rootfs image
+        env:
+          NAT20LIB_OVERRIDE_SRCDIR: ${{ github.workspace }}
+          NAT20DEVICE_OVERRIDE_SRCDIR: ${{ github.workspace }}
+          NAT20CRYPTO_OVERRIDE_SRCDIR: ${{ github.workspace }}
+          NAT20SW_OVERRIDE_SRCDIR: ${{ github.workspace }}
+          LIBNAT20_OVERRIDE_SRCDIR: ${{ github.workspace }}
+          NAT20TEST_OVERRIDE_SRCDIR: ${{ github.workspace }}
+        run: make -C ${{ runner.temp }}/buildroot.build/buildroot -j $(( $(nproc) + 1 ))
+
+      - name: Run integration tests in QEMU
+        timeout-minutes: 5
+        run: |
+          BUILDROOT_DIR="${{ runner.temp }}/buildroot.build/buildroot"
+          KERNEL="${BUILDROOT_DIR}/output/images/bzImage"
+          ROOTFS="${BUILDROOT_DIR}/output/images/rootfs.ext2"
+
+          qemu-system-x86_64 \
+            -M pc \
+            -kernel "${KERNEL}" \
+            -drive file="${ROOTFS}",if=virtio,format=raw \
+            -append "rootwait root=/dev/vda console=ttyS0 init=/usr/bin/nat20test_qemu_init.sh" \
+            -nographic \
+            -no-reboot \
+            -net none \
+            2>&1 | tee qemu_output.log
+
+          if grep -q "INTEGRATION_TESTS_PASSED" qemu_output.log; then
+            echo "Integration tests passed."
+          else
+            echo "Integration tests failed. QEMU output:"
+            cat qemu_output.log
+            exit 1
+          fi

.gitignore

@@ -49,4 +49,3 @@ build/
 cmake_install.cmake
 compile_commands.json
 html/
-nat20test

examples/linux/br_external/Config.in

@@ -38,3 +38,4 @@ source "$BR2_EXTERNAL_NAT20_PATH/package/nat20device/Config.in"
 source "$BR2_EXTERNAL_NAT20_PATH/package/nat20sw/Config.in"
 source "$BR2_EXTERNAL_NAT20_PATH/package/nat20lib/Config.in"
 source "$BR2_EXTERNAL_NAT20_PATH/package/libnat20/Config.in"
+source "$BR2_EXTERNAL_NAT20_PATH/package/nat20test/Config.in"

examples/linux/br_external/bootstrap.sh

@@ -99,6 +99,7 @@ pushd ${LIBNAT20_BR_BUILD_DIR}
 
 echo "LIBNAT20_BR_BUILD_DIR=${LIBNAT20_BR_BUILD_DIR}" | tee .env
 echo "LIBNAT20_ROOT=${LIBNAT20_ROOT}" | tee -a .env
+echo "LIBNAT20_PROJECT=${PROJECT}" | tee -a .env
 
 cp ${LIBNAT20_ROOT}/examples/linux/br_external/utils/envsetup.sh ./
 
@@ -109,7 +110,6 @@ git clone --depth 1 --branch "2025.08.1" https://gitlab.com/buildroot.org/buildr
 case "$PROJECT" in
 	qemu)
 		cp ${LIBNAT20_ROOT}/examples/linux/br_external/configs/qemu_br_defconfig buildroot/.config
-		cp ${LIBNAT20_ROOT}/examples/linux/br_external/run-qemu.sh ./
 		;;
 	esac
 

examples/linux/br_external/configs/qemu_br_defconfig

@@ -3981,3 +3981,4 @@ BR2_PACKAGE_NAT20DEVICE=y
 BR2_PACKAGE_NAT20SW=y
 BR2_PACKAGE_NAT20LIB=y
 BR2_PACKAGE_LIBNAT20=y
+BR2_PACKAGE_NAT20TEST=y

examples/linux/br_external/package/nat20test/Config.in

@@ -0,0 +1,42 @@
+# Copyright 2026 Aurora Operations, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0
+#
+# This work is dual licensed.
+# You may use it under Apache-2.0 or GPL-2.0 at your option.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# OR
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see
+# <https://www.gnu.org/licenses/>.
+
+config BR2_PACKAGE_NAT20TEST
+    bool "nat20test"
+    depends on BR2_PACKAGE_LIBNAT20
+    depends on BR2_PACKAGE_OPENSSL
+    select BR2_PACKAGE_NAT20SW
+    help
+        Enable building the nat20test, an integration test for nat20device with nat20sw.

examples/linux/br_external/package/nat20test/nat20test.mk

@@ -0,0 +1,51 @@
+# Copyright 2026 Aurora Operations, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0
+#
+# This work is dual licensed.
+# You may use it under Apache-2.0 or GPL-2.0 at your option.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# OR
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see
+# <https://www.gnu.org/licenses/>.
+
+# In CI NAT20TEST_OVERRIDE_SRCDIR is set to the root of the repository,
+# so that the source under test is always the current branch.
+# Integrators who use this configuration should pin the version
+# to a specific commit or branch to avoid breakages when the main branch changes.
+NAT20TEST_VERSION = origin/main
+NAT20TEST_SITE = https://github.com/aurora-opensource/libnat20.git
+NAT20TEST_SITE_METHOD = git
+NAT20TEST_LICENSE = Apache-2.0 OR GPL-2.0
+NAT20TEST_LICENSE_FILES = LICENSE-Apache-2.0.txt LICENSE-GPL-2.0.txt
+
+NAT20TEST_SUBDIR = examples/linux/nat20test
+
+NAT20TEST_INSTALL_TARGET = YES
+NAT20TEST_DEPENDENCIES += libnat20 openssl
+
+$(eval $(cmake-package))

examples/linux/br_external/utils/envsetup.sh

@@ -50,6 +50,7 @@ export NAT20CRYPTO_OVERRIDE_SRCDIR="$LIBNAT20_ROOT"
 export NAT20SW_OVERRIDE_SRCDIR="$LIBNAT20_ROOT"
 export NAT20DEVICE_OVERRIDE_SRCDIR="$LIBNAT20_ROOT"
 export NAT20LIB_OVERRIDE_SRCDIR="$LIBNAT20_ROOT"
+export NAT20TEST_OVERRIDE_SRCDIR="$LIBNAT20_ROOT"
 export LIBNAT20_OVERRIDE_SRCDIR="$LIBNAT20_ROOT"
 
 function ensure_popd() {
@@ -77,16 +78,40 @@ function brrebuild() {
         echo "  nat20device  - Rebuild the nat20device module"
         echo "  nat20sw      - Rebuild the nat20sw module"
         echo "  nat20lib     - Rebuild the nat20lib library"
+        echo "  nat20test    - Rebuild the nat20device integration test"
         popd
         return 1
     fi
 
     case "$1" in
         all)
-            ensure_popd make linux-rebuild nat20lib-rebuild nat20crypto-rebuild nat20device-rebuild nat20sw-rebuild libnat20-rebuild all
+            ensure_popd make linux-rebuild nat20lib-rebuild nat20crypto-rebuild nat20device-rebuild nat20sw-rebuild libnat20-rebuild nat20test-rebuild all
             ;;
         *)
             ensure_popd make $1-rebuild all
             ;;
     esac
 }
+
+function run-qemu() {
+    if [ $LIBNAT20_PROJECT != "qemu" ]; then
+        echo "Error: run-qemu is only supported for the qemu project."
+        return 1
+    fi
+
+    QEMU_BIN=qemu-system-x86_64
+
+    BUILDROOT_DIR="${LIBNAT20_BR_BUILD_DIR}/buildroot"
+    KERNEL_IMAGE="${BUILDROOT_DIR}/output/images/bzImage"
+    FS_IMAGE="${BUILDROOT_DIR}/output/images/rootfs.ext2"
+
+    if [ -n "$1" ]; then
+        "${QEMU_BIN}" -M pc -kernel "${KERNEL_IMAGE}" -nographic -drive file="${FS_IMAGE}",if=virtio,format=raw -append "rootwait root=/dev/vda console=ttyS0 init=$1" -serial mon:stdio -net nic,model=virtio -net user
+    else
+        "${QEMU_BIN}" -M pc -kernel "${KERNEL_IMAGE}" -nographic -drive file="${FS_IMAGE}",if=virtio,format=raw -append "rootwait root=/dev/vda console=ttyS0" -serial mon:stdio -net nic,model=virtio -net user
+    fi
+}
+
+function run-nat20test-test() {
+    run-qemu "/usr/bin/nat20test_qemu_init.sh"
+}

examples/linux/nat20test/CMakeLists.txt

@@ -0,0 +1,82 @@
+# Copyright 2026 Aurora Operations, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0
+#
+# This work is dual licensed.
+# You may use it under Apache-2.0 or GPL-2.0 at your option.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# OR
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see
+# <https://www.gnu.org/licenses/>.
+
+cmake_minimum_required(VERSION 3.22)
+
+project(NAT20TEST VERSION 0.0.1 LANGUAGES C)
+
+# The C standard shall be C11.
+set(CMAKE_C_STANDARD 11)
+
+# CMake shall generate a compile_commands.json file for
+# the benefit of clangd based IDE support.
+set(CMAKE_EXPORT_COMPILE_COMMANDS ON)
+
+
+###################################################################################################
+# Integration test binary — exercises the nat20 DICE service via /dev/nat200.
+add_executable(nat20_integration_test)
+
+find_package(LibNat20 REQUIRED)
+find_package(OpenSSL REQUIRED)
+
+target_sources(nat20_integration_test
+PRIVATE test/nat20_integration_test.c
+PRIVATE test/test_helpers.c
+)
+
+target_include_directories(nat20_integration_test
+    PRIVATE test
+)
+
+target_link_libraries(nat20_integration_test
+PRIVATE LibNat20::nat20
+PRIVATE LibNat20::nat20_service
+PRIVATE LibNat20::nat20_crypto_nat20
+PRIVATE OpenSSL::Crypto
+)
+
+target_compile_options(nat20_integration_test
+PRIVATE -pedantic
+PRIVATE -Wall
+PRIVATE -Wextra
+PRIVATE -Werror
+)
+
+install(TARGETS nat20_integration_test RUNTIME DESTINATION bin)
+install(PROGRAMS nat20test.sh DESTINATION bin)
+install(PROGRAMS nat20test_qemu_init.sh DESTINATION bin)
+
+###################################################################################################

examples/linux/br_external/run-qemu.sh examples/linux/nat20test/nat20test.shexamples/linux/br_external/run-qemu.sh renamed to examples/linux/nat20test/nat20test.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 
 # Copyright 2026 Aurora Operations, Inc.
 #
@@ -35,18 +35,12 @@
 # along with this program; if not, see
 # <https://www.gnu.org/licenses/>.
 
-QEMU_BIN=qemu-system-x86_64
+set -e
 
-if [ ! -f ".env" ]; then
-    echo ".env file not found. Please run bootstrap.sh first."
-    exit 1
-fi
+SCRIPT_DIR="$(dirname "$0")"
 
-source .env
+modprobe nat20sw
+mount -t securityfs none /sys/kernel/security
 
-BUILDROOT_DIR="${LIBNAT20_BR_BUILD_DIR}/buildroot"
-KERNEL_IMAGE="${BUILDROOT_DIR}/output/images/bzImage"
-FS_IMAGE="${BUILDROOT_DIR}/output/images/rootfs.ext2"
-
-
-"${QEMU_BIN}" -M pc -kernel "${KERNEL_IMAGE}" -nographic -drive file="${FS_IMAGE}",if=virtio,format=raw -append "rootwait root=/dev/vda console=ttyS0" -serial mon:stdio -net nic,model=virtio -net user
+echo "Running integration test suite..."
+"${SCRIPT_DIR}/nat20_integration_test"