Move pkcs11/tz test to its own module in test-app

+ added m33mu two-runs test for persistent storage coverage

Author: danielinux

.github/workflows/trustzone-emulator-tests.yml

@@ -27,6 +27,47 @@ jobs:
         run: |
           ./test.sh
 
+      - name: Build and run persistent PKCS11 test app (stm32h5)
+        run: |
+          set -euo pipefail
+
+          make clean distclean
+          cp config/examples/stm32h5-tz.config .config
+          make wolfboot.bin PKCS11_TESTAPP=1
+
+          first_log=/tmp/m33mu-pkcs11-first.log
+          second_log=/tmp/m33mu-pkcs11-second.log
+          persist_dir=/tmp/m33mu-pkcs11-persist
+          rm -f "$first_log" "$second_log"
+          rm -rf "$persist_dir"
+          mkdir -p "$persist_dir"
+
+          (
+            cd "$persist_dir"
+            m33mu "$GITHUB_WORKSPACE/wolfboot.bin" \
+              "$GITHUB_WORKSPACE/test-app/image_v1_signed.bin:0x60000" \
+              --persist --uart-stdout --timeout 120 --expect-bkpt 0x7f \
+              >"$first_log" 2>&1
+          )
+
+          grep -q "pkcs11: first boot path, creating persistent objects" "$first_log"
+          grep -q "pkcs11: created persistent PKCS11 objects" "$first_log"
+          grep -q "pkcs11: success" "$first_log"
+          grep -q "\\[EXPECT BKPT\\] Success" "$first_log"
+
+          (
+            cd "$persist_dir"
+            m33mu "$GITHUB_WORKSPACE/wolfboot.bin" \
+              "$GITHUB_WORKSPACE/test-app/image_v1_signed.bin:0x60000" \
+              --persist --uart-stdout --timeout 120 --expect-bkpt 0x7f \
+              >"$second_log" 2>&1
+          )
+
+          grep -q "pkcs11: second boot path, restoring persistent objects" "$second_log"
+          grep -q "pkcs11: restored persistent PKCS11 objects" "$second_log"
+          grep -q "pkcs11: success" "$second_log"
+          grep -q "\\[EXPECT BKPT\\] Success" "$second_log"
+
       - name: Clean and build stm32u5 (TZ + wolfcrypt)
         run: |
           make clean distclean

lib/wolfssl

@@ -206,9 +206,12 @@ if(BUILD_TEST_APPS)
 
     if(WOLFCRYPT_TZ_PKCS11)
         list(APPEND TEST_APP_COMPILE_DEFINITIONS WOLFBOOT_PKCS11_APP SECURE_PKCS11 WOLFPKCS11_USER_SETTINGS)
+        if(PKCS11_TESTAPP)
+            list(APPEND TEST_APP_COMPILE_DEFINITIONS WOLFBOOT_PKCS11_TESTAPP)
+        endif()
         set(WOLFSSL_PKCS11_SOURCES
+            test_pkcs11.c
             wcs/pkcs11_stub.c
-            wcs/pkcs11_test_ecc.c
             ../lib/wolfssl/wolfcrypt/src/ecc.c
             ../lib/wolfssl/wolfcrypt/src/rsa.c
             ../lib/wolfssl/wolfcrypt/src/asn.c

test-app/CMakeLists.txt

@@ -247,8 +247,11 @@ ifeq ($(TZEN),1)
         ifeq ($(WOLFCRYPT_TZ_PKCS11),1)
             CFLAGS+=-DWOLFSSL_USER_SETTINGS -DWOLFTPM_USER_SETTINGS
             CFLAGS+=-DWOLFBOOT_PKCS11_APP -DSECURE_PKCS11 -DWOLFBOOT_TZ_PKCS11
+            ifeq ($(PKCS11_TESTAPP),1)
+                CFLAGS+=-DWOLFBOOT_PKCS11_TESTAPP
+            endif
             CFLAGS+=-I"$(WOLFBOOT_LIB_WOLFPKCS11)"
-            APP_OBJS+=./wcs/pkcs11_test_ecc.o
+            APP_OBJS+=./test_pkcs11.o
             APP_OBJS+=./wcs/pkcs11_stub.o
             APP_OBJS+=./wcs/ecc.o
             APP_OBJS+=./wcs/rsa.o

test-app/Makefile

@@ -41,12 +41,7 @@
 #endif
 
 #ifdef WOLFBOOT_TZ_PKCS11
-#include "wcs/user_settings.h"
-#include "wolfssl/wolfcrypt/settings.h"
-#include "wolfssl/wolfcrypt/wc_pkcs11.h"
-#include "wolfssl/wolfcrypt/random.h"
-extern const char pkcs11_library_name[];
-extern const CK_FUNCTION_LIST wolfpkcs11nsFunctionList;
+#include "test_pkcs11.h"
 #endif
 
 #ifdef WOLFCRYPT_SECURE_MODE
@@ -192,8 +187,6 @@ void extra_led_off(void)
     GPIOF_BSRR |= (1 << (LED_EXTRA_PIN + 16));
 }
 
-extern int ecdsa_sign_verify(int devId);
-
 /* Command line commands */
 static int cmd_help(const char *args);
 static int cmd_info(const char *args);
@@ -837,98 +830,8 @@ static int run_psa_boot_attestation(void)
 #ifdef WOLFBOOT_TZ_PKCS11
 static int cmd_login_pkcs11(const char *args)
 {
-    int ret = -1;
-    unsigned int devId = 0;
-    Pkcs11Token token;
-    Pkcs11Dev PKCS11_d;
-    unsigned long session;
-    char TokenPin[] = "0123456789ABCDEF";
-    char UserPin[] = "ABCDEF0123456789";
-    char SoPinName[] = "SO-PIN";
-    static int pkcs11_initialized = 0;
-
-    if (pkcs11_initialized) {
-        printf("PKCS11 already initialized.\r\n");
-        return 0;
-    }
-
-    printf("PKCS11 Login\r\n");
-
-    printf("Initializing wolfCrypt...");
-    fflush(stdout);
-    wolfCrypt_Init();
-    printf("Done.\r\n");
-
-    PKCS11_d.heap = NULL,
-    PKCS11_d.func = (CK_FUNCTION_LIST *)&wolfpkcs11nsFunctionList;
-
-    printf("Initializing EccKey token...");
-    fflush(stdout);
-    ret = wc_Pkcs11Token_Init(&token, &PKCS11_d, 1, "EccKey",
-            (const byte*)TokenPin, strlen(TokenPin));
-
-    if (ret == 0) {
-        printf("Done.\r\n");
-        printf("Initializing token...");
-        fflush(stdout);
-        ret = wolfpkcs11nsFunctionList.C_InitToken(1,
-                (byte *)TokenPin, strlen(TokenPin), (byte *)SoPinName);
-    }
-    if (ret == 0) {
-        printf("Done.\r\n");
-        printf("Opening session...");
-        fflush(stdout);
-        ret = wolfpkcs11nsFunctionList.C_OpenSession(1,
-                CKF_SERIAL_SESSION | CKF_RW_SESSION,
-                NULL, NULL, &session);
-    }
-
-    if (ret == 0) {
-        printf("Done.\r\n");
-        printf("Logging in as SO...");
-        ret = wolfpkcs11nsFunctionList.C_Login(session, CKU_SO,
-                (byte *)TokenPin,
-                strlen(TokenPin));
-    }
-    if (ret == 0) {
-        extra_led_on();
-        printf("Done.\r\n");
-        printf("Setting PIN...");
-        ret = wolfpkcs11nsFunctionList.C_InitPIN(session,
-                (byte *)TokenPin,
-                strlen(TokenPin));
-    }
-    if (ret == 0) {
-        printf("Done.\r\n");
-        printf("Logging out...");
-        ret = wolfpkcs11nsFunctionList.C_Logout(session);
-    }
-    if (ret == 0) {
-        printf("Done.\r\n");
-        printf("Registering crypto calls with wolfCrypt...");
-        ret = wc_CryptoDev_RegisterDevice(devId, wc_Pkcs11_CryptoDevCb,
-                &token);
-    }
-    if (ret == 0) {
-        printf("Done.\r\n");
-#ifdef HAVE_ECC
-        printf("Testing ECC...");
-        ret = ecdsa_sign_verify(devId);
-        if (ret != 0) {
-            ret = -1;
-            printf("Failed.\r\n");
-        }
-        else {
-            usr_led_on();
-            printf("Done.\r\n");
-        }
-#endif
-    }
-    if (ret == 0) {
-        printf("PKCS11 initialization completed successfully.\r\n");
-        pkcs11_initialized = 1;
-    }
-    return ret;
+    (void)args;
+    return test_pkcs11_start();
 }
 #endif /* WOLFBOOT_TZ_PKCS11 */
 
@@ -1377,6 +1280,14 @@ void main(void)
     (void)run_psa_boot_attestation();
 #endif
 
+#ifdef WOLFBOOT_PKCS11_TESTAPP
+    ret = test_pkcs11_start();
+    if (ret == 0)
+        asm volatile ("bkpt #0x7f");
+    else
+        asm volatile ("bkpt #0x7e");
+#endif
+
     console_loop();
 
     while(1)