Added wolfboot integration test to intercept regressions

danielinux · danielinux · commit c51d136283fc · 2026-03-20T19:14:41.000+01:00
diff --git a/.github/workflows/wolfboot-integration.yml b/.github/workflows/wolfboot-integration.yml
@@ -0,0 +1,95 @@
+name: wolfBoot Integration
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  WOLFBOOT_REPO: https://github.com/wolfSSL/wolfBoot.git
+  WOLFBOOT_BRANCH: master
+
+jobs:
+  stm32h5_pkcs11_persist:
+    name: stm32h5-pkcs11-persist
+    if: toLower(github.repository_owner) == 'wolfssl'
+    runs-on: ubuntu-24.04
+    container:
+      image: ghcr.io/danielinux/m33mu-ci:1.8
+    timeout-minutes: 25
+
+    steps:
+      - name: Checkout wolfPKCS11
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+
+      - name: Clone wolfBoot and link tested wolfPKCS11
+        run: |
+          set -euxo pipefail
+
+          git config --global --add safe.directory "${GITHUB_WORKSPACE}"
+          git clone --depth 1 --branch "${WOLFBOOT_BRANCH}" "${WOLFBOOT_REPO}" wolfboot
+          git -C wolfboot config --global --add safe.directory "${GITHUB_WORKSPACE}/wolfboot"
+          git -C wolfboot submodule update --init --recursive
+          rm -rf wolfboot/lib/wolfPKCS11
+          ln -s "${GITHUB_WORKSPACE}" wolfboot/lib/wolfPKCS11
+          test -L wolfboot/lib/wolfPKCS11
+          test "$(realpath wolfboot/lib/wolfPKCS11)" = "${GITHUB_WORKSPACE}"
+
+      - name: Clean build tree for PKCS11 test (stm32h5)
+        working-directory: wolfboot
+        run: |
+          make clean distclean
+
+      - name: Configure PKCS11 test (stm32h5)
+        working-directory: wolfboot
+        run: |
+          cp config/examples/stm32h5-tz.config .config
+
+      - name: Build persistent PKCS11 test app (stm32h5)
+        working-directory: wolfboot
+        run: |
+          make PKCS11_TESTAPP=1
+
+      - name: Prepare PKCS11 persistence directory
+        run: |
+          rm -rf /tmp/m33mu-pkcs11-persist
+          mkdir -p /tmp/m33mu-pkcs11-persist
+          rm -f /tmp/m33mu-pkcs11-first.log /tmp/m33mu-pkcs11-second.log
+
+      - name: Run PKCS11 first boot (stm32h5)
+        run: |
+          cd /tmp/m33mu-pkcs11-persist
+          m33mu "${GITHUB_WORKSPACE}/wolfboot/wolfboot.bin" \
+            "${GITHUB_WORKSPACE}/wolfboot/test-app/image_v1_signed.bin:0x60000" \
+            --persist --uart-stdout --timeout 120 --expect-bkpt 0x7d \
+            | tee /tmp/m33mu-pkcs11-first.log
+
+      - name: Verify PKCS11 first boot (stm32h5)
+        run: |
+          grep -q "pkcs11: first boot path, creating persistent objects" /tmp/m33mu-pkcs11-first.log
+          grep -q "pkcs11: created persistent PKCS11 objects" /tmp/m33mu-pkcs11-first.log
+          grep -q "pkcs11: success" /tmp/m33mu-pkcs11-first.log
+          grep -q "\\[BKPT\\] imm=0x7d" /tmp/m33mu-pkcs11-first.log
+          grep -q "\\[EXPECT BKPT\\] Success" /tmp/m33mu-pkcs11-first.log
+
+      - name: Run PKCS11 second boot (stm32h5)
+        run: |
+          cd /tmp/m33mu-pkcs11-persist
+          m33mu "${GITHUB_WORKSPACE}/wolfboot/wolfboot.bin" \
+            "${GITHUB_WORKSPACE}/wolfboot/test-app/image_v1_signed.bin:0x60000" \
+            --persist --uart-stdout --timeout 120 --expect-bkpt 0x7f \
+            | tee /tmp/m33mu-pkcs11-second.log
+
+      - name: Verify PKCS11 second boot (stm32h5)
+        run: |
+          grep -q "pkcs11: second boot path, restoring persistent objects" /tmp/m33mu-pkcs11-second.log
+          grep -q "pkcs11: restored persistent PKCS11 objects" /tmp/m33mu-pkcs11-second.log
+          grep -q "pkcs11: success" /tmp/m33mu-pkcs11-second.log
+          grep -q "\\[BKPT\\] imm=0x7f" /tmp/m33mu-pkcs11-second.log
+          grep -q "\\[EXPECT BKPT\\] Success" /tmp/m33mu-pkcs11-second.log
