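# wolfboot-integration.yml
#
# Builds wolfBoot's PKCS11 test application against the wolfPKCS11 revision
# under test and boots it twice in the m33mu emulator (stm32h5 TrustZone
# config). The first boot creates persistent PKCS11 objects; the second boot
# has to find and restore them from the same persistence directory.
name: WolfPKCS11 wolfBoot emulator tests

on:
  push:
    branches: ['master', 'main', 'release/**']
  pull_request:
    # NOTE(review): in GitHub's filter syntax '*' does not match '/', so pull
    # requests that target a 'release/...' branch do not trigger this workflow
    # even though pushes to those branches do. Use '**' if that is unintended.
    branches: ['*']

# Least privilege: the job only reads the repository. Without this block the
# GITHUB_TOKEN gets the repository/organisation default scopes, which may
# include write access on push events.
permissions:
  contents: read

env:
  WOLFBOOT_REPO: https://github.com/wolfSSL/wolfBoot.git
  # NOTE(review): a branch name is a moving ref. Whatever is on wolfBoot's
  # master at run time gets built and executed here, so results are not
  # reproducible across runs; pin a tag or commit if that matters.
  WOLFBOOT_BRANCH: master

jobs:
  stm32h5_pkcs11_persist:
    name: stm32h5-pkcs11-persist
    runs-on: ubuntu-latest
    container:
      # NOTE(review): the image is referenced by a mutable tag from a personal
      # namespace. Pinning by @sha256 digest would make the toolchain and
      # emulator content fixed and auditable.
      image: ghcr.io/danielinux/m33mu-ci:1.8
    timeout-minutes: 25
    steps:
      - name: Checkout wolfPKCS11
        # NOTE(review): 'v4' is a mutable tag; pinning to a full commit SHA is
        # the usual supply-chain hardening for third-party actions.
        uses: actions/checkout@v4
        with:
          # Later steps run build scripts from a separately cloned repository,
          # and the checkout is symlinked into that build tree. Keep the job
          # token out of the checkout's .git/config so those steps cannot
          # read it.
          persist-credentials: false

      - name: Clone wolfBoot and link tested wolfPKCS11
        run: |
          set -euxo pipefail
          git config --global --add safe.directory "${GITHUB_WORKSPACE}"
          git clone --depth 1 --branch "${WOLFBOOT_BRANCH}" "${WOLFBOOT_REPO}" wolfboot
          git -C wolfboot config --global --add safe.directory "${GITHUB_WORKSPACE}/wolfboot"
          git -C wolfboot submodule update --init --recursive
          # Replace wolfBoot's bundled wolfPKCS11 with a symlink to the checkout
          # under test, then verify the link really resolves to the workspace.
          rm -rf wolfboot/lib/wolfPKCS11
          ln -s "${GITHUB_WORKSPACE}" wolfboot/lib/wolfPKCS11
          test -L wolfboot/lib/wolfPKCS11
          test "$(realpath wolfboot/lib/wolfPKCS11)" = "${GITHUB_WORKSPACE}"

      - name: Clean build tree for PKCS11 test (stm32h5)
        working-directory: wolfboot
        run: |
          make clean distclean

      - name: Configure PKCS11 test (stm32h5)
        working-directory: wolfboot
        run: |
          cp config/examples/stm32h5-tz.config .config

      - name: Build persistent PKCS11 test app (stm32h5)
        working-directory: wolfboot
        run: |
          make PKCS11_TESTAPP=1

      - name: Prepare PKCS11 persistence directory
        # Start from an empty persistence directory and no stale logs so the
        # first boot cannot pick up state from an earlier run.
        run: |
          rm -rf /tmp/m33mu-pkcs11-persist
          mkdir -p /tmp/m33mu-pkcs11-persist
          rm -f /tmp/m33mu-pkcs11-first.log /tmp/m33mu-pkcs11-second.log

      - name: Run PKCS11 first boot (stm32h5)
        # NOTE(review): this step does not set 'pipefail', so the pipeline's
        # exit status is tee's, not m33mu's. Pass/fail is therefore decided by
        # the grep checks in the following "Verify" step, not by this step.
        run: |
          cd /tmp/m33mu-pkcs11-persist
          m33mu "${GITHUB_WORKSPACE}/wolfboot/wolfboot.bin" \
            "${GITHUB_WORKSPACE}/wolfboot/test-app/image_v1_signed.bin:0x60000" \
            --persist --uart-stdout --timeout 120 --expect-bkpt 0x7d \
            | tee /tmp/m33mu-pkcs11-first.log

      - name: Verify PKCS11 first boot (stm32h5)
        # Each grep must match; the step's default '-e' shell stops at the
        # first missing marker.
        run: |
          grep -q "pkcs11: first boot path, creating persistent objects" /tmp/m33mu-pkcs11-first.log
          grep -q "pkcs11: created persistent PKCS11 objects" /tmp/m33mu-pkcs11-first.log
          grep -q "pkcs11: success" /tmp/m33mu-pkcs11-first.log
          grep -q "\\[BKPT\\] imm=0x7d" /tmp/m33mu-pkcs11-first.log
          grep -q "\\[EXPECT BKPT\\] Success" /tmp/m33mu-pkcs11-first.log

      - name: Run PKCS11 second boot (stm32h5)
        # Same images and same persistence directory as the first boot; only
        # the expected breakpoint immediate differs (0x7f instead of 0x7d).
        # As above, the exit status of this pipeline is tee's.
        run: |
          cd /tmp/m33mu-pkcs11-persist
          m33mu "${GITHUB_WORKSPACE}/wolfboot/wolfboot.bin" \
            "${GITHUB_WORKSPACE}/wolfboot/test-app/image_v1_signed.bin:0x60000" \
            --persist --uart-stdout --timeout 120 --expect-bkpt 0x7f \
            | tee /tmp/m33mu-pkcs11-second.log

      - name: Verify PKCS11 second boot (stm32h5)
        run: |
          grep -q "pkcs11: second boot path, restoring persistent objects" /tmp/m33mu-pkcs11-second.log
          grep -q "pkcs11: restored persistent PKCS11 objects" /tmp/m33mu-pkcs11-second.log
          grep -q "pkcs11: success" /tmp/m33mu-pkcs11-second.log
          grep -q "\\[BKPT\\] imm=0x7f" /tmp/m33mu-pkcs11-second.log
          grep -q "\\[EXPECT BKPT\\] Success" /tmp/m33mu-pkcs11-second.log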