fwTPM v185: CI fixes for non-PQC builds + Tier 5 server lifetime

aidangarske · aidangarske · commit 6c6a2a86533a · 2026-04-28T13:35:03.000-07:00
diff --git a/.github/workflows/pqc-examples.yml b/.github/workflows/pqc-examples.yml
@@ -96,21 +96,30 @@ jobs:
         run: ./examples/pqc/mlkem_encap
 
       - name: Stop Tier 2 fwtpm_server (free port 2321 for E2E)
-        if: always()
         run: |
           if [ -f /tmp/fwtpm_server.pid ]; then
             kill "$(cat /tmp/fwtpm_server.pid)" 2>/dev/null || true
             rm -f /tmp/fwtpm_server.pid
           fi
-          # Defensive: kill any other default-port server lingering. Don't
-          # match the test helper's --port-qualified server (it isn't up
-          # yet anyway).
+          # Defensive: kill any other default-port server lingering.
           pkill -f "fwtpm_server$" 2>/dev/null || true
           sleep 1
 
       - name: PQC mssim E2E (MLKEM-768 + HashMLDSA-65 round-trips)
         run: ./tests/pqc_mssim_e2e.sh
 
+      - name: Restart fwtpm_server for Tier 5 (run_examples.sh)
+        run: |
+          # pqc_mssim_e2e.sh started + stopped its own server; Tier 5 needs
+          # one again. Reuse the same default-port launch as Tier 2.
+          pkill -f "fwtpm_server" 2>/dev/null || true
+          sleep 1
+          rm -f fwtpm_nv.bin
+          ./src/fwtpm/fwtpm_server > /tmp/fwtpm_server.log 2>&1 &
+          echo $! > /tmp/fwtpm_server.pid
+          sleep 1
+          kill -0 "$(cat /tmp/fwtpm_server.pid)"
+
       - name: Doc constants parity check
         run: |
           ./tests/check_doc_constants.sh
diff --git a/examples/run_examples.sh b/examples/run_examples.sh
@@ -25,18 +25,27 @@ fi
 if [ -z "$WOLFCRYPT_RSA" ]; then
     WOLFCRYPT_RSA=1
 fi
-# Detect WOLFTPM_V185 (post-quantum keys) from the actual generated config
-# header. Search both the source-tree fallback and the autoconf-generated
-# location used by `make check`. ENABLE_V185 may be set by the caller to
-# override autodetection.
+# Detect WOLFTPM_V185 (post-quantum keys). Probe several known generated /
+# installed header locations: autoconf may write src/config.h or config.h
+# depending on AC_CONFIG_HEADERS, and tracked headers under wolftpm/ may
+# also gate the macro. ENABLE_V185 may be set by the caller to override.
 if [ -z "$ENABLE_V185" ]; then
     ENABLE_V185=0
-    for cfg in src/config.h config.h ../src/config.h ../config.h; do
-        if [ -f "$cfg" ] && grep -q "WOLFTPM_V185 1" "$cfg"; then
+    for cfg in src/config.h config.h ../src/config.h ../config.h \
+               wolftpm/options.h wolftpm/version.h; do
+        if [ -f "$cfg" ] && grep -q "WOLFTPM_V185[[:space:]]*1" "$cfg"; then
             ENABLE_V185=1
             break
         fi
     done
+    # Last-resort fallback: if any built example links a v1.85-only symbol
+    # we can ask `nm` directly. nm's quiet on missing files; safe to try.
+    if [ "$ENABLE_V185" = "0" ] && [ -x ./examples/keygen/keygen ]; then
+        if nm ./examples/keygen/keygen 2>/dev/null | \
+                grep -q "FwGenerateMlkemKey\|wolfTPM2_GetKeyTemplate_MLKEM"; then
+            ENABLE_V185=1
+        fi
+    fi
 fi
 rm -f run.out
 touch run.out
diff --git a/src/fwtpm/fwtpm_crypto.c b/src/fwtpm/fwtpm_crypto.c
@@ -2468,6 +2468,7 @@ TPM_RC FwDecryptSeed(FWTPM_CTX* ctx,
     }
     else
 #endif /* HAVE_ECC */
+#ifdef WOLFTPM_V185
     if (keyObj->pub.type == TPM_ALG_MLKEM) {
         /* ML-KEM Labeled KEM per Part 1 Sec.47.4 Eq.66:
          *   K = ML-KEM.Decap(privateKey, ciphertext)
@@ -2497,6 +2498,7 @@ TPM_RC FwDecryptSeed(FWTPM_CTX* ctx,
         (void)oaepLabel; (void)oaepLabelSz;
     }
     else
+#endif /* WOLFTPM_V185 */
     {
         (void)ctx; (void)encSeedBuf; (void)encSeedSz;
         (void)oaepLabel; (void)oaepLabelSz; (void)kdfLabel;
@@ -2704,6 +2706,7 @@ TPM_RC FwEncryptSeed(FWTPM_CTX* ctx,
     }
     else
 #endif /* HAVE_ECC */
+#ifdef WOLFTPM_V185
     if (keyObj->pub.type == TPM_ALG_MLKEM) {
         /* ML-KEM Labeled KEM per Part 1 Sec.47.4 Eq.66:
          *   (K, ciphertext) = ML-KEM.Encap(publicKey)
@@ -2751,6 +2754,7 @@ TPM_RC FwEncryptSeed(FWTPM_CTX* ctx,
         (void)oaepLabel; (void)oaepLabelSz;
     }
     else
+#endif /* WOLFTPM_V185 */
     {
         (void)ctx; (void)oaepLabel; (void)oaepLabelSz; (void)kdfLabel;
         (void)seedBuf; (void)seedBufSz; (void)seedSzOut;

Original file line number	Diff line number	Diff line change
`@@ -2468,6 +2468,7 @@ TPM_RC FwDecryptSeed(FWTPM_CTX* ctx,`
`2468`	`2468`	`}`
`2469`	`2469`	`else`
`2470`	`2470`	`#endif /* HAVE_ECC */`
	`2471`	`+#ifdef WOLFTPM_V185`
`2471`	`2472`	`if (keyObj->pub.type == TPM_ALG_MLKEM) {`
`2472`	`2473`	`/* ML-KEM Labeled KEM per Part 1 Sec.47.4 Eq.66:`
`2473`	`2474`	`* K = ML-KEM.Decap(privateKey, ciphertext)`
`@@ -2497,6 +2498,7 @@ TPM_RC FwDecryptSeed(FWTPM_CTX* ctx,`
`2497`	`2498`	`(void)oaepLabel; (void)oaepLabelSz;`
`2498`	`2499`	`}`
`2499`	`2500`	`else`
	`2501`	`+#endif /* WOLFTPM_V185 */`
`2500`	`2502`	`{`
`2501`	`2503`	`(void)ctx; (void)encSeedBuf; (void)encSeedSz;`
`2502`	`2504`	`(void)oaepLabel; (void)oaepLabelSz; (void)kdfLabel;`
`@@ -2704,6 +2706,7 @@ TPM_RC FwEncryptSeed(FWTPM_CTX* ctx,`
`2704`	`2706`	`}`
`2705`	`2707`	`else`
`2706`	`2708`	`#endif /* HAVE_ECC */`
	`2709`	`+#ifdef WOLFTPM_V185`
`2707`	`2710`	`if (keyObj->pub.type == TPM_ALG_MLKEM) {`
`2708`	`2711`	`/* ML-KEM Labeled KEM per Part 1 Sec.47.4 Eq.66:`
`2709`	`2712`	`* (K, ciphertext) = ML-KEM.Encap(publicKey)`
`@@ -2751,6 +2754,7 @@ TPM_RC FwEncryptSeed(FWTPM_CTX* ctx,`
`2751`	`2754`	`(void)oaepLabel; (void)oaepLabelSz;`
`2752`	`2755`	`}`
`2753`	`2756`	`else`
	`2757`	`+#endif /* WOLFTPM_V185 */`
`2754`	`2758`	`{`
`2755`	`2759`	`(void)ctx; (void)oaepLabel; (void)oaepLabelSz; (void)kdfLabel;`
`2756`	`2760`	`(void)seedBuf; (void)seedBufSz; (void)seedSzOut;`