Merge pull request #756 from danielinux/fTPM-TZ #10
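# Builds wolfBoot for several STM32 TrustZone example configurations and boots
# each result under the m33mu emulator inside the CI container. A run passes
# when the emulator reports the expected breakpoint and, for the PKCS11 and
# fwTPM cases, when the expected markers appear in the captured UART log.
name: trustzone-emulator-tests

on:
  push:
  pull_request:

# Least privilege: every step below only checks out, builds and runs the
# emulator, so the workflow token needs nothing beyond read access to the
# repository contents.
permissions:
  contents: read

jobs:
  trustzone-emulator-tests:
    runs-on: ubuntu-latest
    container:
      # NOTE(review): ":latest" is a mutable tag, so the toolchain and emulator
      # that produce the pass/fail verdict can change without a commit here.
      # Consider pinning by digest: ghcr.io/wolfssl/wolfboot-ci-m33mu@sha256:<digest>
      image: ghcr.io/wolfssl/wolfboot-ci-m33mu:latest
    steps:
      # NOTE(review): "v4" is a movable tag; pinning to a full commit SHA
      # (actions/checkout@<commit-sha> # v4) removes the dependency on the tag
      # staying where it is.
      - uses: actions/checkout@v4

      - name: Init submodules
        run: |
          # safe.directory is presumably needed because the workspace is owned
          # by a different user than the one git runs as in the container.
          git config --global --add safe.directory "$GITHUB_WORKSPACE"
          git submodule update --init --single-branch

      - name: Configure stm32h5 (TZ) and build wolfboot
        run: |
          cp config/examples/stm32h5-tz.config .config
          make wolfboot.bin

      - name: Run emu test (stm32h5)
        working-directory: test-app/emu-test-apps
        run: |
          ./test.sh

      # ---- PKCS11 persistence test: two boots sharing one state directory ----
      - name: Clean build tree for PKCS11 test (stm32h5)
        run: |
          make clean distclean

      - name: Configure PKCS11 test (stm32h5)
        run: |
          cp config/examples/stm32h5-tz.config .config

      - name: Build persistent PKCS11 test app (stm32h5)
        run: |
          make PKCS11_TESTAPP=1

      - name: Prepare PKCS11 persistence directory
        run: |
          # Start from an empty directory and no stale logs so the first boot
          # cannot pick up state or output left by an earlier run.
          rm -rf /tmp/m33mu-pkcs11-persist
          mkdir -p /tmp/m33mu-pkcs11-persist
          rm -f /tmp/m33mu-pkcs11-first.log /tmp/m33mu-pkcs11-second.log

      # NOTE(review): in the two "Run PKCS11 ..." steps the emulator is piped
      # into tee, so unless the step shell has pipefail enabled the step's exit
      # status is tee's, not m33mu's. The grep checks in the following "Verify"
      # steps are what actually gate these runs; keep them in sync with the
      # firmware's log messages.
      - name: Run PKCS11 first boot (stm32h5)
        run: |
          # Both boots run from the same directory with --persist; presumably
          # m33mu keeps the persisted state there - confirm.
          cd /tmp/m33mu-pkcs11-persist
          m33mu "$GITHUB_WORKSPACE/wolfboot.bin" \
            "$GITHUB_WORKSPACE/test-app/image_v1_signed.bin:0x60000" \
            --persist --uart-stdout --timeout 120 --expect-bkpt 0x7d \
            | tee /tmp/m33mu-pkcs11-first.log

      - name: Verify PKCS11 first boot (stm32h5)
        run: |
          # First boot must take the object-creation path and stop at BKPT 0x7d.
          grep -q "pkcs11: first boot path, creating persistent objects" /tmp/m33mu-pkcs11-first.log
          grep -q "pkcs11: created persistent PKCS11 objects" /tmp/m33mu-pkcs11-first.log
          grep -q "pkcs11: success" /tmp/m33mu-pkcs11-first.log
          grep -q "\\[BKPT\\] imm=0x7d" /tmp/m33mu-pkcs11-first.log
          grep -q "\\[EXPECT BKPT\\] Success" /tmp/m33mu-pkcs11-first.log

      - name: Run PKCS11 second boot (stm32h5)
        run: |
          cd /tmp/m33mu-pkcs11-persist
          m33mu "$GITHUB_WORKSPACE/wolfboot.bin" \
            "$GITHUB_WORKSPACE/test-app/image_v1_signed.bin:0x60000" \
            --persist --uart-stdout --timeout 120 --expect-bkpt 0x7f \
            | tee /tmp/m33mu-pkcs11-second.log

      - name: Verify PKCS11 second boot (stm32h5)
        run: |
          # Second boot must take the restore path and stop at BKPT 0x7f.
          grep -q "pkcs11: second boot path, restoring persistent objects" /tmp/m33mu-pkcs11-second.log
          grep -q "pkcs11: restored persistent PKCS11 objects" /tmp/m33mu-pkcs11-second.log
          grep -q "pkcs11: success" /tmp/m33mu-pkcs11-second.log
          grep -q "\\[BKPT\\] imm=0x7f" /tmp/m33mu-pkcs11-second.log
          grep -q "\\[EXPECT BKPT\\] Success" /tmp/m33mu-pkcs11-second.log

      # ---- Other TrustZone targets ----
      - name: Clean and build stm32u5 (TZ + wolfcrypt)
        run: |
          make clean distclean
          cp config/examples/stm32u5-wolfcrypt-tz.config .config
          make wolfboot.bin

      - name: Run emu test (stm32u5)
        working-directory: test-app/emu-test-apps
        run: |
          TARGET=stm32u5 ./test.sh

      - name: Clean and build stm32l5 (TZ + wolfcrypt)
        run: |
          make clean distclean
          cp config/examples/stm32l5-wolfcrypt-tz.config .config
          make wolfboot.bin

      - name: Run emu test (stm32l5)
        working-directory: test-app/emu-test-apps
        run: |
          TARGET=stm32l5 ./test.sh

      # ---- Attestation and TPM configurations (stm32h5) ----
      - name: Clean and build test with DICE attestation (stm32h5)
        run: |
          make clean distclean
          cp config/examples/stm32h5-tz-psa.config .config
          make
          # No pipe here, so the emulator's own exit status decides the step.
          m33mu wolfboot.bin test-app/image_v1_signed.bin:0x60000 --uart-stdout --expect-bkpt 0x7f --timeout 600

      - name: Clean and build test with fwTPM (stm32h5)
        run: |
          make clean distclean
          cp config/examples/stm32h5-tz-fwtpm.config .config
          make
          # Piped into tee: the greps below are the effective pass criteria
          # (see the pipefail note on the PKCS11 steps).
          m33mu wolfboot.bin test-app/image_v1_signed.bin:0x60000 --uart-stdout --expect-bkpt 0x7f --timeout 600 \
            | tee /tmp/m33mu-fwtpm.log
          grep -q "fwTPM PCR0 extended:" /tmp/m33mu-fwtpm.log
          # The unsealed value checked here is printed on the UART and ends up
          # in the CI log; it looks like a fixed test string - confirm it is
          # never a real secret.
          grep -q "fwTPM unsealed secret: wolfBoot fwTPM PCR secret" /tmp/m33mu-fwtpm.log
          grep -q "fwTPM NSC tests passed" /tmp/m33mu-fwtpm.log
          grep -q "\\[BKPT\\] imm=0x7f" /tmp/m33mu-fwtpm.log
          grep -q "\\[EXPECT BKPT\\] Success" /tmp/m33mu-fwtpm.log

      - name: Clean and build test with DICE attestation + OTP (stm32h5)
        run: |
          make clean distclean
          cp config/examples/stm32h5-tz-psa-otp.config .config
          make
          make -C tools/keytools/otp TARGET=stm32h5 otp-keystore-primer.bin otp-keystore-gen
          ./tools/keytools/otp/otp-keystore-gen
          # The primer's exit status is deliberately ignored (it runs with a
          # 10 s timeout and no --expect-bkpt, so it presumably ends by timing
          # out). A primer that failed to provision the keystore is therefore
          # only detected indirectly, by the boot on the next line.
          m33mu tools/keytools/otp/otp-keystore-primer.bin --persist --timeout 10 || true
          m33mu wolfboot.bin test-app/image_v1_signed.bin:0x60000 --uart-stdout --expect-bkpt 0x7f --timeout 600 --persist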