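---
# CI workflow: builds wolfBoot TrustZone (TZ) configurations for stm32h5,
# stm32u5 and stm32l5, boots them under the m33mu Cortex-M33 emulator and
# checks the UART log plus the breakpoint immediate (`--expect-bkpt`) that
# the test app raises on success.
name: trustzone-emulator-tests

# yamllint disable-line rule:truthy -- `on` is a GitHub Actions key, not a boolean
on:
  push:
  pull_request:

# Least privilege for GITHUB_TOKEN: every step only reads the repository
# (checkout + submodule fetch); nothing in this job writes back to GitHub.
permissions:
  contents: read

jobs:
  trustzone-emulator-tests:
    runs-on: ubuntu-latest
    container:
      # NOTE(review): `latest` is a mutable tag; pinning the image by digest
      # would make the toolchain used for these tests reproducible.
      image: ghcr.io/wolfssl/wolfboot-ci-m33mu:latest
    defaults:
      run:
        # An explicit `bash` shell runs each step with `-eo pipefail`, so a
        # failing `m33mu ... | tee` pipeline fails the step itself rather than
        # only surfacing later in the grep checks. Assumes bash exists in the
        # container image.
        shell: bash
    steps:
      # NOTE(review): consider pinning to a full commit SHA rather than the
      # moving `v4` tag so the action cannot change underneath the workflow.
      - uses: actions/checkout@v4

      # The checkout is owned by a different uid inside the container, so git
      # must be told the workspace is safe before touching submodules.
      - name: Init submodules
        run: |
          git config --global --add safe.directory "$GITHUB_WORKSPACE"
          git submodule update --init --single-branch

      - name: Configure stm32h5 (TZ) and build wolfboot
        run: |
          cp config/examples/stm32h5-tz.config .config
          make wolfboot.bin

      - name: Run emu test (stm32h5)
        working-directory: test-app/emu-test-apps
        run: |
          ./test.sh

      # --- PKCS11 persistence test: two boots against the same persisted
      # --- emulator state; first boot creates objects, second restores them.
      - name: Clean build tree for PKCS11 test (stm32h5)
        run: |
          make clean distclean

      - name: Configure PKCS11 test (stm32h5)
        run: |
          cp config/examples/stm32h5-tz.config .config

      - name: Build persistent PKCS11 test app (stm32h5)
        run: |
          make PKCS11_TESTAPP=1

      # Start from a clean persistence directory so state from an earlier run
      # on the same runner cannot make the "first boot" path look restored.
      - name: Prepare PKCS11 persistence directory
        run: |
          rm -rf /tmp/m33mu-pkcs11-persist
          mkdir -p /tmp/m33mu-pkcs11-persist
          rm -f /tmp/m33mu-pkcs11-first.log /tmp/m33mu-pkcs11-second.log

      # First boot is expected to stop at BKPT 0x7d (objects created).
      - name: Run PKCS11 first boot (stm32h5)
        working-directory: /tmp/m33mu-pkcs11-persist
        run: |
          m33mu "$GITHUB_WORKSPACE/wolfboot.bin" \
            "$GITHUB_WORKSPACE/test-app/image_v1_signed.bin:0x60000" \
            --persist --uart-stdout --timeout 120 --expect-bkpt 0x7d \
            | tee /tmp/m33mu-pkcs11-first.log

      - name: Verify PKCS11 first boot (stm32h5)
        run: |
          grep -q "pkcs11: first boot path, creating persistent objects" /tmp/m33mu-pkcs11-first.log
          grep -q "pkcs11: created persistent PKCS11 objects" /tmp/m33mu-pkcs11-first.log
          grep -q "pkcs11: success" /tmp/m33mu-pkcs11-first.log
          grep -q "\\[BKPT\\] imm=0x7d" /tmp/m33mu-pkcs11-first.log
          grep -q "\\[EXPECT BKPT\\] Success" /tmp/m33mu-pkcs11-first.log

      # Second boot reuses the persisted state and is expected to stop at
      # BKPT 0x7f (objects restored).
      - name: Run PKCS11 second boot (stm32h5)
        working-directory: /tmp/m33mu-pkcs11-persist
        run: |
          m33mu "$GITHUB_WORKSPACE/wolfboot.bin" \
            "$GITHUB_WORKSPACE/test-app/image_v1_signed.bin:0x60000" \
            --persist --uart-stdout --timeout 120 --expect-bkpt 0x7f \
            | tee /tmp/m33mu-pkcs11-second.log

      - name: Verify PKCS11 second boot (stm32h5)
        run: |
          grep -q "pkcs11: second boot path, restoring persistent objects" /tmp/m33mu-pkcs11-second.log
          grep -q "pkcs11: restored persistent PKCS11 objects" /tmp/m33mu-pkcs11-second.log
          grep -q "pkcs11: success" /tmp/m33mu-pkcs11-second.log
          grep -q "\\[BKPT\\] imm=0x7f" /tmp/m33mu-pkcs11-second.log
          grep -q "\\[EXPECT BKPT\\] Success" /tmp/m33mu-pkcs11-second.log

      # --- Other TZ targets, each built from a clean tree.
      - name: Clean and build stm32u5 (TZ + wolfcrypt)
        run: |
          make clean distclean
          cp config/examples/stm32u5-wolfcrypt-tz.config .config
          make wolfboot.bin

      - name: Run emu test (stm32u5)
        working-directory: test-app/emu-test-apps
        run: |
          TARGET=stm32u5 ./test.sh

      - name: Clean and build stm32l5 (TZ + wolfcrypt)
        run: |
          make clean distclean
          cp config/examples/stm32l5-wolfcrypt-tz.config .config
          make wolfboot.bin

      - name: Run emu test (stm32l5)
        working-directory: test-app/emu-test-apps
        run: |
          TARGET=stm32l5 ./test.sh

      # --- stm32h5 attestation variants (DICE / fwTPM / DICE + OTP keystore).
      - name: Clean and build test with DICE attestation (stm32h5)
        run: |
          make clean distclean
          cp config/examples/stm32h5-tz-psa.config .config
          make
          m33mu wolfboot.bin test-app/image_v1_signed.bin:0x60000 --uart-stdout --expect-bkpt 0x7f --timeout 600

      # The fwTPM checks confirm PCR0 was extended and the PCR-sealed secret
      # was unsealed, i.e. the measured-boot policy matched.
      - name: Clean and build test with fwTPM (stm32h5)
        run: |
          make clean distclean
          cp config/examples/stm32h5-tz-fwtpm.config .config
          make
          m33mu wolfboot.bin test-app/image_v1_signed.bin:0x60000 --uart-stdout --expect-bkpt 0x7f --timeout 600 \
            | tee /tmp/m33mu-fwtpm.log
          grep -q "fwTPM PCR0 extended:" /tmp/m33mu-fwtpm.log
          grep -q "fwTPM unsealed secret: wolfBoot fwTPM PCR secret" /tmp/m33mu-fwtpm.log
          grep -q "fwTPM NSC tests passed" /tmp/m33mu-fwtpm.log
          grep -q "\\[BKPT\\] imm=0x7f" /tmp/m33mu-fwtpm.log
          grep -q "\\[EXPECT BKPT\\] Success" /tmp/m33mu-fwtpm.log

      # The OTP primer is run once with `--persist` to pre-load the emulated
      # OTP keystore; it presumably exits via its own --timeout, so its exit
      # status is deliberately ignored and only the subsequent boot is checked.
      - name: Clean and build test with DICE attestation + OTP (stm32h5)
        run: |
          make clean distclean
          cp config/examples/stm32h5-tz-psa-otp.config .config
          make
          make -C tools/keytools/otp TARGET=stm32h5 otp-keystore-primer.bin otp-keystore-gen
          ./tools/keytools/otp/otp-keystore-gen
          m33mu tools/keytools/otp/otp-keystore-primer.bin --persist --timeout 10 || true
          m33mu wolfboot.bin test-app/image_v1_signed.bin:0x60000 --uart-stdout --expect-bkpt 0x7f --timeout 600 --persist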