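# CI workflow: build wolfBoot against the wolfHSM simulator for every config in
# the matrix, start the matching wolfHSM back end (external POSIX TCP server or
# an NVM image for the internal server) and run the simulated "sunny day"
# firmware update against it.
name: wolfHSM simulator test

on:  # yamllint disable-line rule:truthy
  push:
    branches: [ 'master', 'main', 'release/**' ]
  pull_request:
    branches: [ '*' ]
  workflow_dispatch:

# Least privilege for the job's GITHUB_TOKEN: the workflow only checks out the
# repository and builds/tests locally, so a read-only token is sufficient.
permissions:
  contents: read

jobs:
  wolfhsm_simulator_test:
    # Matrix strategy runs all steps below once per config entry, so several
    # configurations are covered without duplicating the workflow.
    #   needs_posix_server   - start the example wh_posix_server as the HSM
    #   posix_server_nvminit - seed that server's NVM with the dummy root CA
    #   needs_nvm_image      - build an NVM image for the internal wolfHSM server
    #   make_overrides       - extra "VAR=value" make assignments for the build
    strategy:
      matrix:
        config:
          - name: "wolfHSM client ECC"
            file: "config/examples/sim-wolfHSM-client-ecc.config"
            needs_posix_server: true
            posix_server_nvminit: false
            needs_nvm_image: false
          - name: "wolfHSM client ML-DSA"
            file: "config/examples/sim-wolfHSM-client-mldsa.config"
            needs_posix_server: true
            posix_server_nvminit: false
            needs_nvm_image: false
          - name: "wolfHSM client cert chain verify ECC"
            file: "config/examples/sim-wolfHSM-client-certchain-ecc.config"
            needs_posix_server: true
            posix_server_nvminit: true
            needs_nvm_image: false
          - name: "wolfHSM client cert chain verify RSA4096"
            file: "config/examples/sim-wolfHSM-client-certchain-rsa4096.config"
            needs_posix_server: true
            posix_server_nvminit: true
            needs_nvm_image: false
          - name: "wolfHSM server cert chain verify ECC"
            file: "config/examples/sim-wolfHSM-server-certchain-ecc.config"
            needs_posix_server: false
            posix_server_nvminit: false
            needs_nvm_image: true
          - name: "wolfHSM server cert chain verify RSA4096"
            file: "config/examples/sim-wolfHSM-server-certchain-rsa4096.config"
            needs_posix_server: false
            posix_server_nvminit: false
            needs_nvm_image: true
          - name: "wolfHSM client cert chain verify mixed (ECC256 chain, RSA4096 leaf)"
            file: "config/examples/sim-wolfHSM-client-certchain-mixed.config"
            needs_posix_server: true
            posix_server_nvminit: true
            needs_nvm_image: false
          - name: "wolfHSM server cert chain verify mixed (ECC256 chain, RSA4096 leaf)"
            file: "config/examples/sim-wolfHSM-server-certchain-mixed.config"
            needs_posix_server: false
            posix_server_nvminit: false
            needs_nvm_image: true
          - name: "wolfHSM client cert chain verify mixed inverse (RSA4096 chain, ECC256 leaf)"
            file: "config/examples/sim-wolfHSM-client-certchain-mixed.config"
            needs_posix_server: true
            posix_server_nvminit: true
            needs_nvm_image: false
            make_overrides: "SIGN=ECC256 HASH=SHA256 CERT_CHAIN_GEN_CA_ALGO=rsa4096"
          - name: "wolfHSM server cert chain verify mixed inverse (RSA4096 chain, ECC256 leaf)"
            file: "config/examples/sim-wolfHSM-server-certchain-mixed.config"
            needs_posix_server: false
            posix_server_nvminit: false
            needs_nvm_image: true
            make_overrides: "SIGN=ECC256 HASH=SHA256 CERT_CHAIN_GEN_CA_ALGO=rsa4096"
      fail-fast: false
    runs-on: ubuntu-latest
    container:
      # NOTE(review): "v1.0" is a mutable tag. For a job that builds signing
      # tools, consider pinning the image by digest (image@sha256:...) so the
      # toolchain cannot change underneath the test without a reviewed diff.
      image: ghcr.io/wolfssl/wolfboot-ci-sim:v1.0
    timeout-minutes: 30
    steps:
      # NOTE(review): a floating major tag; pinning to a full commit SHA is the
      # usual supply-chain hardening for third-party actions.
      - uses: actions/checkout@v4
        with:
          submodules: true

      # The checkout is owned by a different uid than the container user, so git
      # refuses to operate on it unless the path is explicitly trusted.
      - name: Trust workspace
        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"

      - name: make clean
        run: |
          make distclean

      # Matrix values are passed through env rather than interpolated into the
      # script, the pattern GitHub recommends to keep "${{ }}" out of shell text.
      - name: Select config (${{ matrix.config.name }})
        env:
          CONFIG_FILE: ${{ matrix.config.file }}
        run: |
          cp "$CONFIG_FILE" .config

      - name: Build tools
        run: |
          make -C tools/keytools && make -C tools/bin-assemble

      - name: Build wolfboot.elf
        env:
          MAKE_OVERRIDES: ${{ matrix.config.make_overrides }}
        run: |
          # MAKE_OVERRIDES is deliberately unquoted so that "SIGN=... HASH=..."
          # word-splits into separate make assignments (empty for most configs).
          make clean && make $MAKE_OVERRIDES test-sim-internal-flash-with-update

      - name: Build example POSIX TCP server
        if: matrix.config.needs_posix_server
        run: cd lib/wolfHSM/examples/posix/wh_posix_server && make WOLFSSL_DIR=../../../../wolfssl

      # Start the server in the background. With nvminit the server's NVM is
      # seeded with the dummy root CA (cert-chain verification on the HSM);
      # otherwise it is handed the wolfBoot signing public key directly.
      # NOTE(review): there is no readiness wait before the update test starts;
      # if the connection races the listener, a short poll/retry here is the fix.
      - name: Run POSIX TCP server
        if: matrix.config.needs_posix_server
        env:
          NVMINIT: ${{ matrix.config.posix_server_nvminit }}
        run: |
          cd lib/wolfHSM/examples/posix/wh_posix_server
          if [ "$NVMINIT" = "true" ]; then
            tmpfile=$(mktemp)
            echo "obj 1 0xFFFF 0x0000 \"cert CA\" ../../../../../test-dummy-ca/root-cert.der" >> "$tmpfile"
            ./Build/wh_posix_server.elf --type tcp --nvminit "$tmpfile" &
          else
            # --flags 0x100 sets the WH_NVM_FLAGS_USAGE_VERIFY flag on the key
            ./Build/wh_posix_server.elf --type tcp --client 12 --id 255 --flags 0x100 --key ../../../../../wolfboot_signing_private_key_pub.der &
          fi
          TCP_SERVER_PID=$!
          echo "TCP_SERVER_PID=$TCP_SERVER_PID" >> "$GITHUB_ENV"

      # For the wolfHSM server cert chain verify configs, build an NVM image
      # containing the dummy root CA so the internal wolfHSM server can load it.
      - name: Create NVM image for wolfHSM server cert chain verify
        if: matrix.config.needs_nvm_image
        run: |
          make -C lib/wolfHSM/tools/whnvmtool
          tmpfile=$(mktemp)
          echo "obj 1 0xFFFF 0x0000 \"cert CA\" test-dummy-ca/root-cert.der" >> "$tmpfile"
          # NOTE(review): 16348 is not a power of two; confirm whether 16384 was intended.
          ./lib/wolfHSM/tools/whnvmtool/whnvmtool --image=wolfBoot_wolfHSM_NVM.bin --size=16348 --invert-erased-byte "$tmpfile"

      # Run the sunny day update test against the selected HSM back end.
      - name: Run sunny day update test
        run: |
          tools/scripts/sim-sunnyday-update.sh

      # Always tear the background server down, even if an earlier step failed
      # (TCP_SERVER_PID may be unset in that case, hence the "|| true").
      - name: Kill POSIX TCP server
        if: always() && matrix.config.needs_posix_server
        run: |
          kill "$TCP_SERVER_PID" || true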