Normalize NS350 chip state at entry/exit of nations SPDM tests

  NS350's Nations_IdentityKeySet returns TPM_RC_VALUE when asked to set
  the identity key to its current value. The nations test assumed the
  chip always started at identity-key=1, but self-hosted CI runners
  carry persistent NV state across runs — any prior failure left the
  chip in a state the next run could not recover from. GPIO reset
  clears volatile state but does not reset NV-persistent identity-key
  or PSK provisioning.

  Add normalize_nations_chip(): GPIO reset + idempotent --psk-clear +
  idempotent --identity-key-set. Call at entry of both nations and
  nations-psk blocks, and wire to trap EXIT so the chip is always
  cleaned up on success, failure, or set -e early exit.

  Validated on Pi hardware across five scenarios (identity-key=1,
  identity-key=0, PSK-provisioned, nations-psk clean, nations-psk
  PSK-stuck): all runs now pass and leave the chip at canonical
  identity-key=1.

Author: aidangarske

examples/spdm/spdm_test.sh

@@ -48,6 +48,25 @@ gpio_reset() {
     sleep 2
 }
 
+# normalize_nations_chip: bring NS350 to canonical clean state
+# (identity-key=1, no PSK). Idempotent — safe to call multiple times.
+# NS350 IdentityKeySet returns TPM_RC_VALUE when setting to current value,
+# so "already in target state" is indistinguishable from real errors; we
+# probe by trying both transitions rather than trusting a single call.
+normalize_nations_chip() {
+    echo "--- Normalizing NS350 to clean state (identity-key=1, no PSK) ---"
+    gpio_reset
+    # Clear PSK if set. PSKNotSet (0xffA3) means already clean — that's fine.
+    # Any other failure is also non-fatal here; the identity-key-set below
+    # will surface the real problem if state is unrecoverable.
+    "$SPDM_DEMO" --psk-clear "$NATIONS_CLEARAUTH" >/dev/null 2>&1 || true
+    # Now try to set identity key. Succeeds if at 0, benign-fails with
+    # TPM_RC_VALUE if already at 1. Either outcome = state is 1.
+    "$SPDM_DEMO" --identity-key-set >/dev/null 2>&1 || true
+    echo "--- Normalization complete ---"
+    echo ""
+}
+
 run_test() {
     local name="$1"; shift
     TOTAL=$((TOTAL + 1))
@@ -132,7 +151,12 @@ if [ "$VENDOR" = "nuvoton" ]; then
 
 elif [ "$VENDOR" = "nations" ]; then
     # Nations NS350 identity key mode — full lifecycle test
-    # Note: GPIO 4 is NOT wired to TPM_RST on NS350 daughter boards.
+    # GPIO 4 is wired to TPM_RST on NS350 and clears volatile state, but
+    # identity-key/PSK are NV-persistent across reset. The entry/exit
+    # normalization ensures the chip is always at a known starting state
+    # and always left clean, regardless of prior runs or mid-test failures.
+    normalize_nations_chip
+    trap 'normalize_nations_chip' EXIT
 
     run_test_no_reset "Unset identity key" "$SPDM_DEMO" --identity-key-unset
     run_test_no_reset "Set identity key" "$SPDM_DEMO" --identity-key-set
@@ -156,8 +180,10 @@ elif [ "$VENDOR" = "nations-psk" ]; then
     # Uses NSING reference test data (PSK_DEMO_3 from Vision's traces).
     # ClearAuth is always exactly 32 bytes per TCG spec.
 
-    # Note: GPIO 4 is NOT wired to TPM_RST on NS350 daughter boards.
-    # Use run_test_no_reset instead of run_test.
+    # Entry/exit normalization: always start clean (identity-key=1, no PSK)
+    # and always end clean, regardless of prior state or mid-test failures.
+    normalize_nations_chip
+    trap 'normalize_nations_chip' EXIT
 
     # Step 1: Ensure identity key is unset (required for PSK mode)
     run_test_no_reset "Unset identity key" "$SPDM_DEMO" --identity-key-unset