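# fwTPM CI: builds wolfSSL + wolfTPM in a matrix of configurations, runs
# `make check` against fwtpm_server, validates tpm2-tools against a
# reference software TPM, drives the STM32 emulator test and runs the
# unit test under valgrind.
#
# NOTE(review): the forge view of this file warned about hidden or
# bidirectional Unicode text. Nothing of the kind is visible in the
# rendered text, so inspect the raw bytes before merging; such
# characters inside a `run:` block can make a script behave differently
# from how it reads.
name: fwTPM Tests

# Least-privilege token: every job only checks out public repositories
# and uploads artifacts, none of which needs write access.
permissions:
  contents: read

on:  # yamllint disable-line rule:truthy
  push:
    branches: [ 'master', 'main', 'release/**' ]
  pull_request:
    branches: [ '*' ]
  repository_dispatch:
    types: [nightly-trigger]

jobs:
  # ----------------------------------------------------------------
  # make check — unit tests + examples against fwtpm_server
  # ----------------------------------------------------------------
  fwtpm-examples:
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        # Per-entry keys consumed by the steps below:
        #   wolftpm_config / wolfssl_config  configure arguments
        #   build_only     true => skip `make check` and the log steps
        #   extra_cflags   appended to CFLAGS of both configure runs
        #   extra_ldflags  appended to LDFLAGS (no entry sets it yet)
        #   make_cflags    CFLAGS override passed to `make` for wolfTPM
        #   cc             compiler for both builds (defaults to gcc)
        include:
          # fwTPM with socket/swtpm transport
          - name: fwtpm-socket
            os: ubuntu-latest
            wolftpm_config: --enable-fwtpm --enable-swtpm --enable-debug
            wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
            build_only: false
          # fwTPM with TIS/shared-memory transport
          - name: fwtpm-tis
            os: ubuntu-latest
            wolftpm_config: --enable-fwtpm --enable-debug
            wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
            build_only: false
          # v1.85 PQC: full make check + pqc_mssim_e2e.sh + tpm2-tools
          # Highest-leverage entry — exercises wrapper unit tests
          # (tests/unit_tests.c v1.85 cases) + handler unit tests
          # (tests/fwtpm_unit_tests.c v1.85 cases) + the new mssim E2E
          # harness against fwtpm_server in one shot. --enable-swtpm omitted
          # because configure.ac:287 enables it by default on Linux.
          - name: fwtpm-v185
            os: ubuntu-latest
            wolftpm_config: --enable-fwtpm --enable-v185
            wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen --enable-dilithium --enable-mlkem --enable-experimental --enable-harden
            build_only: false
          # v1.85 PQC: build-only safety net with DEBUG_WOLFTPM so any
          # printf-format-string drift in v1.85-guarded debug paths breaks
          # the build instead of silently corrupting log output. No
          # --enable-swtpm because build-only never invokes the socket client.
          - name: fwtpm-v185-build-only
            os: ubuntu-latest
            wolftpm_config: --enable-fwtpm --enable-v185
            wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen --enable-dilithium --enable-mlkem --enable-experimental --enable-harden
            build_only: true
            extra_cflags: "-DDEBUG_WOLFTPM"
          # Build-only: fwTPM with RSA disabled
          - name: fwtpm-no-rsa
            os: ubuntu-latest
            wolftpm_config: --enable-fwtpm --enable-swtpm
            wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen --disable-rsa
            build_only: true
          # Build-only: fwTPM with ECC disabled
          - name: fwtpm-no-ecc
            os: ubuntu-latest
            wolftpm_config: --enable-fwtpm --enable-swtpm
            wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen --disable-ecc
            build_only: true
          # Build-only: fwTPM with SHA-384 disabled
          - name: fwtpm-no-sha384
            os: ubuntu-latest
            wolftpm_config: --enable-fwtpm --enable-swtpm
            wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen --disable-sha384
            build_only: true
          # Build-only: fwTPM with SHA-1 disabled (verifies !NO_SHA gating
          # for SHA-1 PCR bank and RSA hash conversion)
          - name: fwtpm-no-sha1
            os: ubuntu-latest
            wolftpm_config: --enable-fwtpm --enable-swtpm
            wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen --disable-sha
            build_only: true
            extra_cflags: "-DNO_SHA"
          # Build-only: fwTPM server only (no client library)
          - name: fwtpm-only
            os: ubuntu-latest
            wolftpm_config: --enable-fwtpm-only --enable-swtpm
            wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
            build_only: true
          # Build-only: fwTPM with attestation and NV disabled
          - name: fwtpm-minimal
            os: ubuntu-latest
            wolftpm_config: --enable-fwtpm --enable-swtpm
            wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
            build_only: true
            extra_cflags: "-DFWTPM_NO_ATTESTATION -DFWTPM_NO_NV -DFWTPM_NO_POLICY -DFWTPM_NO_CREDENTIAL -DFWTPM_NO_DA -DFWTPM_NO_PARAM_ENC"
          # Build-only: individual FWTPM_NO_* macro tests
          - name: fwtpm-no-policy
            os: ubuntu-latest
            wolftpm_config: --enable-fwtpm --enable-swtpm
            wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
            build_only: true
            extra_cflags: "-DFWTPM_NO_POLICY"
          - name: fwtpm-no-nv
            os: ubuntu-latest
            wolftpm_config: --enable-fwtpm --enable-swtpm
            wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
            build_only: true
            extra_cflags: "-DFWTPM_NO_NV"
          - name: fwtpm-no-attestation
            os: ubuntu-latest
            wolftpm_config: --enable-fwtpm --enable-swtpm
            wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
            build_only: true
            extra_cflags: "-DFWTPM_NO_ATTESTATION"
          - name: fwtpm-no-credential
            os: ubuntu-latest
            wolftpm_config: --enable-fwtpm --enable-swtpm
            wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
            build_only: true
            extra_cflags: "-DFWTPM_NO_CREDENTIAL"
          - name: fwtpm-no-da
            os: ubuntu-latest
            wolftpm_config: --enable-fwtpm --enable-swtpm
            wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
            build_only: true
            extra_cflags: "-DFWTPM_NO_DA"
          - name: fwtpm-no-param-enc
            os: ubuntu-latest
            wolftpm_config: --enable-fwtpm --enable-swtpm
            wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
            build_only: true
            extra_cflags: "-DFWTPM_NO_PARAM_ENC"
          # Build-only: cross-algorithm + feature macro combinations
          - name: fwtpm-no-rsa-no-policy
            os: ubuntu-latest
            wolftpm_config: --enable-fwtpm --enable-swtpm
            wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen --disable-rsa
            build_only: true
            extra_cflags: "-DFWTPM_NO_POLICY"
          - name: fwtpm-no-ecc-no-nv
            os: ubuntu-latest
            wolftpm_config: --enable-fwtpm --enable-swtpm
            wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen --disable-ecc
            build_only: true
            extra_cflags: "-DFWTPM_NO_NV"
          # Build-only: WOLFTPM_SMALL_STACK (heap-allocated crypto objects)
          - name: fwtpm-small-stack
            os: ubuntu-latest
            wolftpm_config: --enable-fwtpm --enable-swtpm
            wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
            build_only: true
            extra_cflags: "-DWOLFTPM_SMALL_STACK"
          # Build-only: pedantic warnings with -Werror (GCC)
          - name: fwtpm-pedantic-gcc
            os: ubuntu-latest
            wolftpm_config: --enable-fwtpm --enable-swtpm
            wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
            build_only: true
            make_cflags: "-Wall -Wextra -Wpedantic -Werror -Wshadow -Wstrict-prototypes -Wmissing-prototypes -Wformat=2"
          # Build-only: pedantic warnings with -Werror (clang)
          - name: fwtpm-pedantic-clang
            os: ubuntu-latest
            wolftpm_config: --enable-fwtpm --enable-swtpm
            wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
            build_only: true
            cc: clang
            make_cflags: "-Wall -Wextra -Wpedantic -Werror -Wshadow -Wstrict-prototypes -Wmissing-prototypes -Wformat=2"
          # Build-only: pedantic fwTPM-only (no client library)
          - name: fwtpm-pedantic-only
            os: ubuntu-latest
            wolftpm_config: --enable-fwtpm-only
            wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
            build_only: true
            make_cflags: "-Wall -Wextra -Wpedantic -Werror -Wshadow -Wstrict-prototypes -Wmissing-prototypes -Wformat=2"
          # Note: ASan / UBSan / LeakSan coverage moved to sanitizer.yml
          # macOS: fwTPM with socket transport
          - name: fwtpm-macos-socket
            os: macos-latest
            wolftpm_config: --enable-fwtpm --enable-swtpm --enable-debug
            wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
            build_only: false
    steps:
      - name: Checkout wolfTPM
        uses: actions/checkout@v4
      - name: Checkout wolfSSL
        uses: actions/checkout@v4
        with:
          repository: wolfssl/wolfssl
          path: wolfssl
      - name: Install tpm2-tools
        if: ${{ !matrix.build_only && runner.os != 'macOS' }}
        run: |
          sudo apt-get update
          sudo apt-get install -y tpm2-tools libtss2-tcti-mssim0
      - name: macOS build deps (skip tpm2-tools)
        if: ${{ !matrix.build_only && runner.os == 'macOS' }}
        run: |
          # wolfSSL's autogen.sh needs autoreconf (autoconf+automake+libtool),
          # which aren't on the macos-latest runner image by default.
          # tpm2-tss / tpm2-tools are no longer in homebrew-core and their
          # source build hits multiple Linux-isms (prctl.h, mremap, endian.h,
          # uchar.h, -Wl,-z,relro). fwtpm_check.sh treats tpm2-tools as
          # optional and will SKIP the tpm2_tools_test.sh stage when absent.
          brew install autoconf automake libtool pkg-config
          echo "tpm2-tools install skipped on macOS; fwtpm_check.sh handles absence"
      - name: Build wolfSSL
        working-directory: ./wolfssl
        run: |
          # CFLAGS/LDFLAGS must reach configure as single quoted words,
          # hence the `eval`. This is only acceptable because every value
          # substituted below comes from the matrix in this file, never
          # from the triggering event payload.
          ./autogen.sh
          CONFIGURE_ARGS="${{ matrix.wolfssl_config }}"
          EXTRA_CFLAGS="${{ matrix.extra_cflags }}"
          EXTRA_LDFLAGS="${{ matrix.extra_ldflags }}"
          WOLFSSL_CFLAGS="-DWC_RSA_NO_PADDING"
          if [ -n "$EXTRA_CFLAGS" ]; then
            WOLFSSL_CFLAGS="$WOLFSSL_CFLAGS $EXTRA_CFLAGS"
          fi
          CONFIGURE_ARGS="$CONFIGURE_ARGS CFLAGS=\"$WOLFSSL_CFLAGS\""
          if [ -n "$EXTRA_LDFLAGS" ]; then
            CONFIGURE_ARGS="$CONFIGURE_ARGS LDFLAGS=\"$EXTRA_LDFLAGS\""
          fi
          CC=${{ matrix.cc || 'gcc' }} eval ./configure $CONFIGURE_ARGS
          make
          sudo make install
          # macOS has no ldconfig; only refresh the cache where it exists.
          if command -v ldconfig >/dev/null 2>&1; then
            sudo ldconfig
          fi
      - name: Build wolfTPM
        run: |
          # Same eval pattern (and same trust argument) as the wolfSSL
          # build above; make_cflags additionally overrides CFLAGS at
          # make time for the -Werror pedantic entries.
          ./autogen.sh
          EXTRA_CFLAGS="${{ matrix.extra_cflags }}"
          EXTRA_LDFLAGS="${{ matrix.extra_ldflags }}"
          CONFIGURE_ARGS="${{ matrix.wolftpm_config }}"
          if [ -n "$EXTRA_CFLAGS" ]; then
            CONFIGURE_ARGS="$CONFIGURE_ARGS CFLAGS=\"$EXTRA_CFLAGS\""
          fi
          if [ -n "$EXTRA_LDFLAGS" ]; then
            CONFIGURE_ARGS="$CONFIGURE_ARGS LDFLAGS=\"$EXTRA_LDFLAGS\""
          fi
          CC=${{ matrix.cc || 'gcc' }} eval ./configure $CONFIGURE_ARGS
          MAKE_CFLAGS="${{ matrix.make_cflags }}"
          if [ -n "$MAKE_CFLAGS" ]; then
            make CFLAGS="$MAKE_CFLAGS"
          else
            make
          fi
      - name: Run tests (make check)
        if: ${{ !matrix.build_only }}
        env:
          WOLFSSL_PATH: ./wolfssl
        run: |
          # Where unshare exists the suite runs with FWTPM_USE_FIXED_PORT=1
          # inside a private network namespace with only loopback up;
          # hosts without it (macOS) run make check directly.
          if command -v unshare >/dev/null 2>&1; then
            FWTPM_USE_FIXED_PORT=1 \
            sudo -E unshare --net /bin/bash -c '
              set -e
              ip link set lo up
              make check
            '
          else
            make check
          fi
      - name: Print test-suite.log on failure
        if: ${{ failure() && !matrix.build_only }}
        run: |
          if [ -f test-suite.log ]; then
            echo "=== test-suite.log ==="
            cat test-suite.log
          fi
          for f in tests/*.log; do
            [ -f "$f" ] || continue
            echo "=== $f ==="
            cat "$f"
          done
      - name: Upload failure logs
        if: ${{ failure() && !matrix.build_only }}
        uses: actions/upload-artifact@v4
        with:
          name: fwtpm-logs-${{ matrix.name }}
          path: |
            /tmp/fwtpm_check_*.log
            test-suite.log
            tests/*.log
          retention-days: 5

  # ----------------------------------------------------------------
  # tpm2-tools compatibility test against IBM SW TPM
  # Validates that tpm2_tools_test.sh works on a reference TPM.
  #
  # NOTE: tpm2-tools compatibility against fwtpm_server is now exercised
  # by the non-build-only fwtpm-examples matrix entries (fwtpm-socket and
  # friends) via `make check`; the sanitizer entries formerly listed here
  # (fwtpm-asan, fwtpm-ubsan) live in sanitizer.yml. The standalone
  # fwtpm-tpm2tools job was removed to eliminate duplication.
  # ----------------------------------------------------------------
  ibmswtpm-tpm2tools:
    runs-on: ubuntu-latest
    steps:
      # Pinned to the same release tag as every other checkout in this
      # file; `@master` tracked a mutable branch.
      - uses: actions/checkout@v4
      - name: Build IBM SW TPM
        run: |
          # NOTE(review): unpinned clone of a third-party repository whose
          # code is then built and executed on the runner; pinning a tag
          # or commit would make this step reproducible.
          git clone --depth=1 https://github.com/kgoldman/ibmswtpm2.git
          cd ibmswtpm2/src
          # Increase transient object slots — tpm2-tools ESYS creates
          # transient salt keys for HMAC sessions which consume extra slots
          sed -i 's/#define MAX_LOADED_OBJECTS.*/#define MAX_LOADED_OBJECTS 7/' \
            TpmProfile_Misc.h
          make -j$(nproc)
      - name: Install tpm2-tools
        run: |
          sudo apt-get update
          sudo apt-get install -y tpm2-tools libtss2-tcti-mssim0
      - name: Start IBM SW TPM
        run: |
          # The step shell runs with -e, so a failed liveness probe
          # (kill -0) aborts the job here rather than in the tests.
          ibmswtpm2/src/tpm_server &
          echo $! > /tmp/tpm_server.pid
          sleep 1
          kill -0 $(cat /tmp/tpm_server.pid)
      - name: Run tpm2-tools tests
        run: scripts/tpm2_tools_test.sh --no-start
      - name: Stop IBM SW TPM
        if: always()
        run: |
          if [ -f /tmp/tpm_server.pid ]; then
            kill $(cat /tmp/tpm_server.pid) 2>/dev/null || true
          fi

  # ----------------------------------------------------------------
  # fwTPM STM32 emulator test (m33mu Cortex-M33 simulator)
  # ----------------------------------------------------------------
  fwtpm-emulator:
    runs-on: ubuntu-latest
    container: ghcr.io/wolfssl/m33mu-ci:1.9
    steps:
      - name: Checkout wolfTPM
        uses: actions/checkout@v4
      - name: Checkout wolfSSL
        uses: actions/checkout@v4
        with:
          repository: wolfssl/wolfssl
          path: wolfssl
      - name: Checkout wolftpm-examples
        uses: actions/checkout@v4
        with:
          repository: wolfssl/wolftpm-examples
          ref: fwtpm_stm32h5
          path: wolftpm-examples
      - name: Install build dependencies
        run: |
          apt-get update -qq
          apt-get install -y -qq autoconf automake libtool
      - name: Install STM32Cube H5 SDK
        run: |
          # Assembles the SDK layout fwtpm_emu_test.sh expects from the
          # individual ST repositories, each pinned to a release tag.
          SDK=$HOME/STM32Cube/Repository/STM32Cube_FW_H5_V1.5.1
          mkdir -p $SDK/Drivers
          git clone --depth 1 --branch v1.5.0 \
            https://github.com/STMicroelectronics/stm32h5xx_hal_driver.git \
            $SDK/Drivers/STM32H5xx_HAL_Driver
          git clone --depth 1 --branch v1.4.0 \
            https://github.com/STMicroelectronics/cmsis_device_h5.git \
            $SDK/Drivers/CMSIS/Device/ST/STM32H5xx
          git clone --depth 1 --branch v5.9.0 \
            https://github.com/STMicroelectronics/cmsis_core.git \
            /tmp/cmsis_core
          cp -a /tmp/cmsis_core/Include $SDK/Drivers/CMSIS/Include
      - name: Build wolfSSL (for fwTPM STM32 port)
        working-directory: ./wolfssl
        run: |
          ./autogen.sh
          ./configure --enable-wolftpm --enable-pkcallbacks --enable-keygen \
            CFLAGS="-DWC_RSA_NO_PADDING"
          make
          make install
          ldconfig
      - name: Copy wolfSSL to /tmp/wolfssl-fwtpm
        run: cp -a wolfssl /tmp/wolfssl-fwtpm
      - name: Run fwTPM emulator test (non-TZ)
        env:
          WOLFSSL_DIR: /tmp/wolfssl-fwtpm
          WOLFTPM_EXAMPLES_DIR: ${{ github.workspace }}/wolftpm-examples
        run: scripts/fwtpm_emu_test.sh
      - name: Upload failure logs
        if: failure()
        uses: actions/upload-artifact@v4
        with:
          name: fwtpm-emulator-logs
          path: |
            /tmp/fwtpm_emu_test.log
            /tmp/fwtpm_emu_build.log
          retention-days: 5

  # ----------------------------------------------------------------
  # Valgrind memory-safety check
  # Runs the unit test under valgrind for three FWTPM_DECLARE_VAR
  # configurations (default, SMALL_STACK, NO_HEAP) so the
  # stack-vs-heap allocation paths are all exercised.
  # ----------------------------------------------------------------
  fwtpm-valgrind:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    strategy:
      fail-fast: false
      matrix:
        include:
          - name: fwtpm-valgrind-default
            extra_cflags: ""
          - name: fwtpm-valgrind-smallstack
            extra_cflags: "-DWOLFTPM_SMALL_STACK"
          - name: fwtpm-valgrind-noheap
            extra_cflags: "-DWOLFTPM2_NO_HEAP"
    steps:
      - name: Checkout wolfTPM
        uses: actions/checkout@v4
      - name: Checkout wolfSSL
        uses: actions/checkout@v4
        with:
          repository: wolfssl/wolfssl
          path: wolfssl
      - name: Install valgrind + tpm2-tools
        run: |
          sudo apt-get update
          sudo apt-get install -y valgrind tpm2-tools libtss2-tcti-mssim0
      - name: Build wolfSSL
        working-directory: ./wolfssl
        run: |
          ./autogen.sh
          ./configure --enable-wolftpm --enable-pkcallbacks --enable-keygen \
            CFLAGS="-DWC_RSA_NO_PADDING -g -O1"
          make
          sudo make install
          sudo ldconfig
      - name: Build wolfTPM (${{ matrix.name }})
        run: |
          ./autogen.sh
          ./configure --enable-fwtpm --enable-swtpm --enable-debug \
            CFLAGS="${{ matrix.extra_cflags }} -g -O1"
          make
      - name: Run unit.test under valgrind
        run: |
          # The inner script deliberately has no `set -e`: the valgrind
          # exit status is captured so the server is always stopped
          # before that status is propagated.
          sudo -E unshare --net /bin/bash -c '
            ip link set lo up
            rm -f fwtpm_nv.bin
            ./src/fwtpm/fwtpm_server > /tmp/fwtpm_server.log 2>&1 &
            SERVER_PID=$!
            sleep 1
            # Fail here, with the server log, if the server did not come
            # up; otherwise a dead server only surfaces later as a
            # confusing connection error from unit.test.
            if ! kill -0 $SERVER_PID; then
              cat /tmp/fwtpm_server.log
              exit 1
            fi
            valgrind --error-exitcode=1 --leak-check=full \
              --errors-for-leak-kinds=definite \
              --show-leak-kinds=definite \
              ./tests/unit.test
            RC=$?
            kill $SERVER_PID 2>/dev/null || true
            exit $RC
          '
      - name: Upload failure logs
        if: failure()
        uses: actions/upload-artifact@v4
        with:
          name: fwtpm-valgrind-logs-${{ matrix.name }}
          path: |
            /tmp/fwtpm_check_*.log
            /tmp/fwtpm_server.log
            test-suite.log
            tests/*.log
            config.log
          retention-days: 5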