wolfSSL
diff --git a/‎.github/workflows/cmake-build.yml‎
Lines changed: 24 additions & 7 deletions b/‎.github/workflows/cmake-build.yml‎
Lines changed: 24 additions & 7 deletions
diff --git a/‎.github/workflows/fwtpm-test.yml‎
Lines changed: 43 additions & 24 deletions b/‎.github/workflows/fwtpm-test.yml‎
Lines changed: 43 additions & 24 deletions
diff --git a/‎.github/workflows/sanitizer.yml‎
Lines changed: 7 additions & 1 deletion b/‎.github/workflows/sanitizer.yml‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎CMakeLists.txt‎
Lines changed: 8 additions & 3 deletions b/‎CMakeLists.txt‎
Lines changed: 8 additions & 3 deletions
diff --git a/‎configure.ac‎
Lines changed: 9 additions & 3 deletions b/‎configure.ac‎
Lines changed: 9 additions & 3 deletions
@@ -9,7 +9,7 @@ on:
 jobs:
   build:
 
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.config.os || 'ubuntu-latest' }}
     strategy:
       fail-fast: false
       matrix:
@@ -93,13 +93,18 @@ jobs:
           # fwTPM server-only mode (no client library or examples)
           - name: "fwTPM Only"
             options: "-DWOLFTPM_FWTPM_ONLY=yes -DWOLFTPM_INTERFACE=SWTPM"
+          # fwTPM socket on Windows (build-only)
+          - name: "fwTPM Socket (Windows)"
+            options: "-DWOLFTPM_FWTPM=yes -DWOLFTPM_INTERFACE=SWTPM"
+            os: windows-latest
 
     steps:
 #pull wolfTPM
     - uses: actions/checkout@master
 
 # Install cmake
     - name: Install cmake
+      if: runner.os == 'Linux'
       run: |
         sudo apt-get update
         sudo apt-get install -y cmake
@@ -112,25 +117,37 @@ jobs:
         path: wolfssl
     - name: Build wolfssl
       working-directory: ./wolfssl
+      shell: bash
       run: |
         mkdir build
         cd build
+        EXTRA_CFLAGS="-DWC_RSA_NO_PADDING -DWOLFSSL_PUBLIC_MP"
+        if [ "$RUNNER_OS" = "Windows" ]; then
+          # Suppress MSVC struct padding warnings from wolfSSL headers
+          EXTRA_CFLAGS="$EXTRA_CFLAGS /wd4820"
+        fi
         # wolfSSL PR 7188 broke "make install" unless WOLFSSL_INSTALL is set
-        cmake -DWOLFSSL_TPM=yes -DWOLFSSL_INSTALL=yes -DCMAKE_INSTALL_PREFIX="$GITHUB_WORKSPACE/install" -DCMAKE_C_FLAGS="-DWC_RSA_NO_PADDING" ..
-        cmake --build .
-        cmake --install .
+        cmake -DWOLFSSL_TPM=yes -DWOLFSSL_INSTALL=yes -DCMAKE_INSTALL_PREFIX="$GITHUB_WORKSPACE/install" -DCMAKE_C_FLAGS="$EXTRA_CFLAGS" ..
+        cmake --build . --config Release
+        cmake --install . --config Release
 
 #build wolftpm
     - name: Build wolfTPM (${{ matrix.config.name }})
+      shell: bash
       run: |
         mkdir build
         cd build
-        cmake ${{ matrix.config.options }} -DCMAKE_INSTALL_PREFIX="$GITHUB_WORKSPACE/install" -DWITH_WOLFSSL="$GITHUB_WORKSPACE/install" ..
-        cmake --build .
-        cmake --install .
+        EXTRA_CFLAGS=""
+        if [ "$RUNNER_OS" = "Windows" ]; then
+          EXTRA_CFLAGS="/wd4820"
+        fi
+        cmake ${{ matrix.config.options }} -DCMAKE_INSTALL_PREFIX="$GITHUB_WORKSPACE/install" -DWITH_WOLFSSL="$GITHUB_WORKSPACE/install" -DCMAKE_C_FLAGS="$EXTRA_CFLAGS" ..
+        cmake --build . --config Release
+        cmake --install . --config Release
 
     - name: Test fwTPM
       if: contains(matrix.config.options, 'WOLFTPM_FWTPM')
+      shell: bash
       run: |
         cd build
         LD_LIBRARY_PATH="$GITHUB_WORKSPACE/install/lib" ctest --output-on-failure
@@ -11,7 +11,7 @@ jobs:
   # make check — unit tests + examples against fwtpm_server
   # ----------------------------------------------------------------
   fwtpm-examples:
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os || 'ubuntu-latest' }}
     strategy:
       fail-fast: false
       matrix:
@@ -148,6 +148,13 @@ jobs:
 
           # Note: ASan / UBSan / LeakSan coverage moved to sanitizer.yml
 
+          # macOS: fwTPM with socket transport
+          - name: fwtpm-macos-socket
+            wolftpm_config: --enable-fwtpm --enable-swtpm --enable-debug
+            wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
+            build_only: false
+            os: macos-latest
+
     steps:
       - name: Checkout wolfTPM
         uses: actions/checkout@v4
@@ -161,8 +168,12 @@ jobs:
       - name: Install tpm2-tools
         if: ${{ !matrix.build_only }}
         run: |
-          sudo apt-get update
-          sudo apt-get install -y tpm2-tools libtss2-tcti-mssim0
+          if [ "$(uname)" = "Darwin" ]; then
+            brew install tpm2-tools
+          else
+            sudo apt-get update
+            sudo apt-get install -y tpm2-tools libtss2-tcti-mssim0
+          fi
 
       - name: Build wolfSSL
         working-directory: ./wolfssl
@@ -182,7 +193,9 @@ jobs:
           CC=${{ matrix.cc || 'gcc' }} eval ./configure $CONFIGURE_ARGS
           make
           sudo make install
-          sudo ldconfig
+          if command -v ldconfig >/dev/null 2>&1; then
+            sudo ldconfig
+          fi
 
       - name: Build wolfTPM
         run: |
@@ -208,7 +221,17 @@ jobs:
         if: ${{ !matrix.build_only }}
         env:
           WOLFSSL_PATH: ./wolfssl
-        run: make check
+        run: |
+          if command -v unshare >/dev/null 2>&1; then
+            FWTPM_USE_FIXED_PORT=1 \
+            unshare --user --net --map-root-user /bin/bash -c '
+              set -e
+              ip link set lo up
+              make check
+            '
+          else
+            make check
+          fi
 
       - name: Print test-suite.log on failure
         if: ${{ failure() && !matrix.build_only }}
@@ -404,27 +427,23 @@ jobs:
               CFLAGS="${{ matrix.extra_cflags }} -g -O1"
           make
 
-      - name: Start fwtpm_server
-        run: |
-          rm -f fwtpm_nv.bin
-          ./src/fwtpm/fwtpm_server > /tmp/fwtpm_server.log 2>&1 &
-          echo $! > /tmp/fwtpm_server.pid
-          sleep 1
-          kill -0 $(cat /tmp/fwtpm_server.pid)
-
       - name: Run unit.test under valgrind
         run: |
-          valgrind --error-exitcode=1 --leak-check=full \
-                   --errors-for-leak-kinds=definite \
-                   --show-leak-kinds=definite \
-                   ./tests/unit.test
-
-      - name: Stop fwtpm_server
-        if: always()
-        run: |
-          if [ -f /tmp/fwtpm_server.pid ]; then
-            kill $(cat /tmp/fwtpm_server.pid) 2>/dev/null || true
-          fi
+          unshare --user --net --map-root-user /bin/bash -c '
+            ip link set lo up
+            rm -f fwtpm_nv.bin
+            ./src/fwtpm/fwtpm_server > /tmp/fwtpm_server.log 2>&1 &
+            SERVER_PID=$!
+            sleep 1
+            kill -0 $SERVER_PID
+            valgrind --error-exitcode=1 --leak-check=full \
+                     --errors-for-leak-kinds=definite \
+                     --show-leak-kinds=definite \
+                     ./tests/unit.test
+            RC=$?
+            kill $SERVER_PID 2>/dev/null || true
+            exit $RC
+          '
 
       - name: Upload failure logs
         if: failure()
 
@@ -78,7 +78,13 @@ jobs:
           LD_LIBRARY_PATH: /tmp/wolfssl-install/lib
           ASAN_OPTIONS: ${{ matrix.asan_options }}
           UBSAN_OPTIONS: ${{ matrix.ubsan_options }}
-        run: make check
+        run: |
+          FWTPM_USE_FIXED_PORT=1 \
+          unshare --user --net --map-root-user /bin/bash -c '
+            set -e
+            ip link set lo up
+            make check
+          '
 
       - name: Upload failure logs
         if: failure()
 
@@ -520,8 +520,13 @@ if(WOLFTPM_FWTPM)
         ${CMAKE_CURRENT_SOURCE_DIR}
         ${CMAKE_CURRENT_BINARY_DIR}
     )
-    if(UNIX AND NOT APPLE)
-        target_link_libraries(fwtpm_server PRIVATE pthread rt)
+    if(UNIX)
+        target_link_libraries(fwtpm_server PRIVATE pthread)
+        if(NOT APPLE)
+            target_link_libraries(fwtpm_server PRIVATE rt)
+        endif()
+    elseif(WIN32)
+        target_link_libraries(fwtpm_server PRIVATE ws2_32)
     endif()
 
     # fwtpm_unit_test executable
@@ -538,7 +543,7 @@ if(WOLFTPM_FWTPM)
         ${CMAKE_CURRENT_SOURCE_DIR}
         ${CMAKE_CURRENT_BINARY_DIR}
     )
-    if(UNIX AND NOT APPLE)
+    if(UNIX)
         target_link_libraries(fwtpm_unit_test PRIVATE pthread)
     endif()
 
 
@@ -233,9 +233,9 @@ WOLFTPM_DEFAULT_SWTPM=no
 case $host_cpu in
     x86_64|amd64|aarch64)
         # Defensive exclusion: fwtpm_server uses POSIX sockets and is not
-        # currently portable to Windows / Darwin. Auto-enable on Linux/BSD only.
+        # currently portable to Windows. Auto-enable on Linux/BSD/macOS only.
         case $host_os in
-            *mingw*|*cygwin*|*msys*|*darwin*|*win32*)
+            *mingw*|*cygwin*|*msys*|*win32*)
                 ;;
             *)
                 WOLFTPM_DEFAULT_FWTPM=yes
@@ -341,7 +341,13 @@ then
     # as a compile flag only for the fwtpm_server target in src/fwtpm/include.am.
     if test "x$ENABLED_SWTPM" != "xyes" && test "x$ENABLED_SWTPM" != "xuart"
     then
-        # TIS/shared-memory transport for fwTPM (instead of socket)
+        # TIS/shared-memory transport uses POSIX mmap/sem_open — not available
+        # on Windows. Require socket transport (--enable-swtpm) on Windows.
+        case $host_os in
+            *mingw*|*cygwin*|*msys*|*win32*)
+                AC_MSG_ERROR([fwTPM TIS/SHM transport is not supported on Windows. Use --enable-fwtpm --enable-swtpm for socket transport.])
+                ;;
+        esac
         AM_CFLAGS="$AM_CFLAGS -DWOLFTPM_FWTPM_HAL -DWOLFTPM_ADV_IO"
         ENABLED_FWTPM_TIS=yes
     fi