@@ -11,12 +11,17 @@ jobs:
1111 test-tpm-ssh :
1212 runs-on : ubuntu-latest
1313
14+ strategy :
15+ fail-fast : false
16+ matrix :
17+ keytype : [ rsa, ecc ]
18+ sim : [ ibmswtpm2, fwtpm ]
19+
1420 steps :
1521 - uses : actions/checkout@v6
1622 with :
1723 path : wolfssh
1824
19- # Clone dependencies
2025 - name : Clone wolfSSL
2126 uses : actions/checkout@v6
2227 with :
@@ -29,48 +34,64 @@ jobs:
2934 repository : wolfSSL/wolftpm
3035 path : wolftpm
3136
32- # Install dependencies
3337 - name : Install Dependencies
3438 run : |
3539 sudo apt-get update
3640 sudo apt-get install -y libtool automake autoconf
3741 sudo apt-get install -y build-essential git autoconf-archive \
3842 libcmocka-dev libssl-dev uthash-dev libglib2.0-dev \
39- tpm2-tools openssh-client
43+ tpm2-tools openssh-client sshpass
4044
41- # Clone, build, and start TPM Simulator
42- - name : Clone and Build TPM Simulator
45+ - name : Build wolfSSL
4346 run : |
44- git clone https://github.com/kgoldman/ibmswtpm2
45- cd ibmswtpm2/src
47+ cd wolfssl
48+ ./autogen.sh
49+ ./configure --enable-wolftpm --enable-wolfssh --enable-keygen \
50+ CFLAGS="-DWC_RSA_NO_PADDING"
4651 make
47- ./tpm_server &
48- sleep 2
49- cd ../..
52+ sudo make install
53+ sudo ldconfig
5054
51- # Build and install wolfSSL
52- - name : Build wolfSSL
55+ # The wolfTPM client library uses the SWTPM TCP transport (port 2321) for
56+ # both simulators. The fwTPM build additionally produces fwtpm_server.
57+ - name : Build wolfTPM (fwTPM)
58+ if : matrix.sim == 'fwtpm'
5359 run : |
54- cd wolfssl
60+ cd wolftpm
5561 ./autogen.sh
56- ./configure --enable-wolftpm --enable-wolfssh
62+ ./configure --enable-fwtpm --enable-swtpm
5763 make
5864 sudo make install
5965 sudo ldconfig
60- cd ..
6166
62- # Build and install wolfTPM
63- - name : Build wolfTPM
67+ - name : Start fwTPM simulator
68+ if : matrix.sim == 'fwtpm'
69+ run : |
70+ cd wolftpm
71+ ./src/fwtpm/fwtpm_server &
72+ echo "fwtpm_server started with PID: $!"
73+ sleep 2
74+
75+ - name : Build wolfTPM (SWTPM)
76+ if : matrix.sim == 'ibmswtpm2'
6477 run : |
6578 cd wolftpm
6679 ./autogen.sh
6780 ./configure --enable-swtpm
6881 make
6982 sudo make install
7083 sudo ldconfig
71- cd ..
7284
73- # Build wolfSSH
85+ - name : Start ibmswtpm2 simulator
86+ if : matrix.sim == 'ibmswtpm2'
87+ run : |
88+ git clone https://github.com/kgoldman/ibmswtpm2
89+ cd ibmswtpm2/src
90+ make
91+ ./tpm_server &
92+ echo "tpm_server started with PID: $!"
93+ sleep 2
94+
7495 - name : Build wolfSSH
7596 run : |
7697 cd wolfssh
@@ -79,66 +100,53 @@ jobs:
79100 make
80101 sudo make install
81102 sudo ldconfig
82- cd ..
83103
84- # Test TPM SSH Default Password
85- - name : Test TPM SSH Default Password
104+ # Server host key resident in the TPM: the private key never enters RAM.
105+ - name : Test TPM host key (${{ matrix.keytype }})
86106 run : |
87- # Generate key with default password
88107 cd wolftpm
89- ./examples/keygen/keygen keyblob1.bin -rsa -t -pem -eh
90- cp key.pem key1.pem # Save the key for first test
91-
92- # Convert key to SSH format
93- ssh-keygen -f key1.pem -i -m PKCS8 > ../wolfssh/key1.ssh
94- cd ..
95-
96- # Start echoserver and wait for it to be ready
97- cd wolfssh
98- ./examples/echoserver/echoserver -1 -s key1.ssh &
99- echo "Echoserver started with PID: $!"
108+ ./examples/keygen/keygen hostkey.bin -${{ matrix.keytype }} -t -eh
109+ cd ../wolfssh
110+ ./examples/echoserver/echoserver -1 -p 22222 \
111+ -G ../wolftpm/hostkey.bin &
112+ echo "Echoserver (TPM ${{ matrix.keytype }} host key) PID: $!"
100113 sleep 2
101- cd ..
102-
103- # Test client connection with default password
104- cd wolfssh
105- ./examples/client/client -i ../wolftpm/keyblob1.bin -u hansel -K ThisIsMyKeyAuth
106- cd ..
107114
108- # Test the TPM SSH Custom Password
109- - name : Test TPM SSH Custom Password
115+ if [ "${{ matrix.keytype }}" = "ecc" ]; then
116+ HKA=ecdsa-sha2-nistp256
117+ else
118+ HKA=rsa-sha2-256
119+ fi
120+
121+ timeout 20 sshpass -p upthehill ssh -v -p 22222 \
122+ -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
123+ -o PreferredAuthentications=password -o PubkeyAuthentication=no \
124+ -o HostKeyAlgorithms=$HKA \
125+ jill@localhost exit > ssh_out.txt 2>&1 || true
126+
127+ echo "----- ssh output -----"
128+ cat ssh_out.txt
129+ grep -q "Authenticated to localhost" ssh_out.txt
130+
131+ # Client public-key authentication with a TPM-resident key (RSA only).
132+ - name : Test TPM client public-key auth
133+ if : matrix.keytype == 'rsa'
110134 run : |
111- # Test with custom password
112135 cd wolftpm
113- ./examples/keygen/keygen keyblob2.bin -rsa -t -pem -eh -auth=custompassword
114- cp key.pem key2.pem # Save the key for second test
115-
116- # Convert key to SSH format
117- ssh-keygen -f key2.pem -i -m PKCS8 > ../wolfssh/key2.ssh
118- cd ..
119-
120- # Start echoserver and wait for it to be ready
121- cd wolfssh
122- ./examples/echoserver/echoserver -1 -s key2.ssh &
123- echo "Echoserver started with PID: $!"
136+ ./examples/keygen/keygen keyblob.bin -rsa -t -pem -eh
137+ ssh-keygen -f key.pem -i -m PKCS8 > ../wolfssh/key.ssh
138+ cd ../wolfssh
139+ ./examples/echoserver/echoserver -1 -s key.ssh &
140+ echo "Echoserver (authorized TPM client key) PID: $!"
124141 sleep 2
125- cd ..
126-
127- # Test with custom password
128- cd wolfssh
129- ./examples/client/client -i ../wolftpm/keyblob2.bin -u hansel -K custompassword
130- cd ..
142+ ./examples/client/client -i ../wolftpm/keyblob.bin -u hansel \
143+ -K ThisIsMyKeyAuth
131144
132- # Archive artifacts for debugging
133145 - name : Archive test artifacts
134146 if : always()
135147 uses : actions/upload-artifact@v7
136148 with :
137- name : test-artifacts
149+ name : test-artifacts-${{ matrix.keytype }}-${{ matrix.sim }}
138150 path : |
139- wolftpm/keyblob1.bin
140- wolftpm/keyblob2.bin
141- wolftpm/key1.pem
142- wolftpm/key2.pem
143- wolfssh/key1.ssh
144- wolfssh/key2.ssh
151+ wolftpm/hostkey.bin
152+ wolfssh/ssh_out.txt
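Review bot: The `grep -q "Authenticated to localhost"` check in the `Test TPM host key` step proves that password auth succeeded over a host key of the matrix type (because `-o HostKeyAlgorithms=$HKA` restricts the client), but not that the key presented was the TPM-resident one loaded via `-G ../wolftpm/hostkey.bin` — with `StrictHostKeyChecking=no` and `UserKnownHostsFile=/dev/null` nothing ties the presented key back to `hostkey.bin`, so a server falling back to a built-in default key of the same type would still pass. Since the client-key step already exports the public half with `-pem` and converts it with `ssh-keygen -i -m PKCS8`, the same can be done for the host key and its `ssh-keygen -lf` fingerprint compared against the `Server host key:` line that `ssh -v` writes to `ssh_out.txt`; this assumes `-pem` writes the public key to `key.pem` for the host key exactly as it does for the client key, which the step's author should confirm. Separately, the `Start ibmswtpm2 simulator` step in the previous hunk still clones the simulator from its default branch unpinned; `git clone --branch <PINNED-TAG-PLACEHOLDER> --depth 1 https://github.com/kgoldman/ibmswtpm2` would keep that build reproducible.
```yaml
      - name: Test TPM host key (${{ matrix.keytype }})
        run: |
          cd wolftpm
          ./examples/keygen/keygen hostkey.bin -${{ matrix.keytype }} -t -pem -eh
          ssh-keygen -f key.pem -i -m PKCS8 > hostkey.pub
          HOSTFP=$(ssh-keygen -lf hostkey.pub | awk '{print $2}')
          cd ../wolfssh
          # … unchanged: echoserver start, HKA selection, ssh invocation, cat ssh_out.txt …
          grep -q "Authenticated to localhost" ssh_out.txt
          grep -q "Server host key: .*$HOSTFP" ssh_out.txt
```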