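name: wolfHSM simulator test

# Triggers. `pull_request` (not `pull_request_target`) is the right choice
# here: the job builds and runs PR-controlled code (including whatever the
# PR points the submodules at), so it must execute with the read-only
# GITHUB_TOKEN a fork PR gets and without repository secrets. No step below
# references `secrets.*`.
on:  # yamllint disable-line rule:truthy
  push:
    branches: [ 'master', 'main', 'release/**' ]
  pull_request:
    # NOTE(review): a single '*' does not match '/', so PRs targeting a
    # 'release/x' branch do not trigger this job even though pushes to those
    # branches do. Use '**' (or drop the filter) if that is unintended.
    branches: [ '*' ]
  workflow_dispatch:

# Least privilege: nothing in this workflow writes to the repository, so the
# job token only needs read access. Setting it explicitly also overrides a
# permissive organisation/repository default.
permissions:
  contents: read

jobs:
  wolfhsm_simulator_test:
    # Matrix strategy runs all steps below for each config specified.
    # This allows testing multiple configurations without duplicating the workflow.
    strategy:
      matrix:
        config:
          - name: "Standard wolfHSM"
            file: "config/examples/sim-wolfHSM-client.config"
          - name: "wolfHSM ML-DSA"
            file: "config/examples/sim-wolfHSM-client-mldsa.config"
          - name: "wolfHSM cert chain verify"
            file: "config/examples/sim-wolfHSM-client-certchain.config"
          - name: "wolfHSM server cert chain verify"
            file: "config/examples/sim-wolfHSM-server-certchain.config"
      fail-fast: false
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      # Supply chain: a tag such as v4 is mutable. Pin this to the full
      # commit SHA of the release you reviewed (keeping the tag in a trailing
      # comment) so the checkout step cannot be replaced underneath the
      # workflow.
      - uses: actions/checkout@v4
        with:
          submodules: true

      # Rewrite apt's configuration so the Azure-internal Ubuntu mirror baked
      # into the runner image is replaced by a public mirror.
      # Package authenticity is still enforced by apt's signature check of the
      # Release files against the Ubuntu archive keyring, so a third-party
      # mirror can only serve stale or missing indexes, not altered packages.
      # Never "fix" a mirror problem with --allow-unauthenticated or
      # [trusted=yes]. The mirror URL is plain HTTP, so what is fetched is
      # visible on the wire; that is acceptable for a public CI runner.
      - name: Workaround for sources.list
        run: |
          set -euxo pipefail
          # One ERE source of truth for the host being replaced. The earlier
          # BRE form used a bare '?', which GNU sed treats as a literal
          # character in basic mode, so '/ubuntu/?' only ever matched a
          # URL ending in a literal '?'. '-E' below makes '?' the
          # zero-or-one operator, matching the grep -E used further down.
          azure='https?://azure\.archive\.ubuntu\.com'
          mirror='http://mirror.arizona.edu'
          # Peek (what repos are active now)
          apt-cache policy
          grep -RInE '^(deb|Types|URIs)' /etc/apt || true
          # Enable nullglob so *.list/*.sources that don't exist don't break the loops
          shopt -s nullglob
          echo "Replace sources.list (legacy)"
          sudo sed -E -i \
            -e "s|${azure}/ubuntu/?|${mirror}/ubuntu/|g" \
            /etc/apt/sources.list || true
          echo "Replace sources.list.d/*.list (legacy)"
          for f in /etc/apt/sources.list.d/*.list; do
            sudo sed -E -i \
              -e "s|${azure}/ubuntu/?|${mirror}/ubuntu/|g" \
              "$f"
          done
          echo "Replace sources.list.d/*.sources (deb822)"
          for f in /etc/apt/sources.list.d/*.sources; do
            sudo sed -E -i \
              -e "s|${azure}/ubuntu/?|${mirror}/ubuntu/|g" \
              -e "s|${azure}|${mirror}|g" \
              "$f"
          done
          echo "Fix /etc/apt/apt-mirrors.txt (used by URIs: mirror+file:...)"
          if [ -f /etc/apt/apt-mirrors.txt ] \
             && grep -qE "^[[:space:]]*${azure}/ubuntu/?" /etc/apt/apt-mirrors.txt; then
            # Replace azure with our mirror (idempotent)
            sudo sed -E -i "s|${azure}/ubuntu/?|${mirror}/ubuntu/|g" /etc/apt/apt-mirrors.txt
          fi
          # Peek (verify changes)
          grep -RIn "azure.archive.ubuntu.com" /etc/apt || true
          grep -RInE '^(deb|Types|URIs)' /etc/apt || true
          echo "--- apt-mirrors.txt ---"
          cat /etc/apt/apt-mirrors.txt || true

      - name: Update repository
        run: sudo apt-get update

      - name: make clean
        run: |
          make distclean

      # Matrix values are passed through the environment rather than being
      # interpolated into the shell script. They are literals defined in this
      # file, not PR-controlled, but the env pattern keeps the step safe if the
      # matrix is ever fed from somewhere else.
      - name: Select config (${{ matrix.config.name }})
        env:
          CONFIG_FILE: ${{ matrix.config.file }}
        run: |
          cp "$CONFIG_FILE" .config

      - name: Build tools
        run: |
          make -C tools/keytools && make -C tools/bin-assemble

      - name: Build wolfboot.elf
        run: |
          make clean && make test-sim-internal-flash-with-update

      - name: Build example POSIX TCP server
        if: matrix.config.name != 'wolfHSM server cert chain verify'
        run: cd lib/wolfHSM/examples/posix/wh_posix_server && make WOLFSSL_DIR=../../../../wolfssl

      # Start the server in the background.
      # NOTE(review): nothing waits for the server to be listening before the
      # update test runs; if sim-sunnyday-update.sh does not retry its
      # connect, add a readiness wait here.
      - name: Run POSIX TCP server
        if: matrix.config.name != 'wolfHSM server cert chain verify'
        env:
          CONFIG_NAME: ${{ matrix.config.name }}
        run: |
          cd lib/wolfHSM/examples/posix/wh_posix_server
          if [ "$CONFIG_NAME" = "wolfHSM cert chain verify" ]; then
            # Provision the server NVM with the test root CA so the client can
            # verify a certificate chain against it.
            tmpfile=$(mktemp)
            echo "obj 1 0xFFFF 0x0000 \"cert CA\" ../../../../../test-dummy-ca/root-cert.der" >> "$tmpfile"
            ./Build/wh_posix_server.elf --type tcp --nvminit "$tmpfile" &
          else
            # The file handed to --key is the *_pub.der export, i.e. (by its
            # name) the public half of the signing key; the private key is
            # not loaded into the server here.
            ./Build/wh_posix_server.elf --type tcp --client 12 --id 255 --key ../../../../../wolfboot_signing_private_key_pub.der &
          fi
          TCP_SERVER_PID=$!
          echo "TCP_SERVER_PID=$TCP_SERVER_PID" >> "$GITHUB_ENV"

      # For testing the wolfHSM server cert chain verify feature, we need to
      # create an NVM image containing our root CA that the internal wolfHSM
      # server can load.
      - name: Create NVM image for wolfHSM server cert chain verify
        if: matrix.config.name == 'wolfHSM server cert chain verify'
        run: |
          make -C lib/wolfHSM/tools/whnvmtool
          tmpfile=$(mktemp)
          echo "obj 1 0xFFFF 0x0000 \"cert CA\" test-dummy-ca/root-cert.der" >> "$tmpfile"
          # NOTE(review): 16348 is not 16 KiB (16384); confirm it matches the
          # NVM size the sim config expects before changing it either way.
          ./lib/wolfHSM/tools/whnvmtool/whnvmtool --image=wolfBoot_wolfHSM_NVM.bin --size=16348 --invert-erased-byte "$tmpfile"

      # Run the sunny day update test against the server
      - name: Run sunny day update test
        run: |
          tools/scripts/sim-sunnyday-update.sh

      # Kill the server if it is still running. TCP_SERVER_PID is unset when
      # the start step never ran (e.g. an earlier build failure), so guard
      # before calling kill.
      - name: Kill POSIX TCP server
        if: always() && matrix.config.name != 'wolfHSM server cert chain verify'
        run: |
          if [ -n "${TCP_SERVER_PID:-}" ]; then
            kill "$TCP_SERVER_PID" || true
          fi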