From cd3ee2f9fc3dff0da2fdd0bcf99f1fd6e3ae68b5 Mon Sep 17 00:00:00 2001
From: Daniele Lacamera
Date: Fri, 20 Mar 2026 19:14:41 +0100
Subject: [PATCH] Added wolfboot integration test to intercept regressions
---
.github/workflows/wolfboot-integration.yml | 89 ++++++++++++++++++++++
1 file changed, 89 insertions(+)
create mode 100644 .github/workflows/wolfboot-integration.yml
diff --git a/.github/workflows/wolfboot-integration.yml b/.github/workflows/wolfboot-integration.yml
new file mode 100644
index 0000000..f5e713a
--- /dev/null
+++ b/.github/workflows/wolfboot-integration.yml
@@ -0,0 +1,89 @@
+name: WolfPKCS11 wolfBoot emulator tests
+
+on:
+ push:
+ branches: [ 'master', 'main', 'release/**' ]
+ pull_request:
+ branches: [ '*' ]
+
+env:
+ WOLFBOOT_REPO: https://github.com/wolfSSL/wolfBoot.git
+ WOLFBOOT_BRANCH: master
+
+jobs:
+ stm32h5_pkcs11_persist:
+ name: stm32h5-pkcs11-persist
+ runs-on: ubuntu-latest
+ container:
+ image: ghcr.io/danielinux/m33mu-ci:1.8
+ timeout-minutes: 25
+
+ steps:
+ - name: Checkout wolfPKCS11
+ uses: actions/checkout@v4
+
+ - name: Clone wolfBoot and link tested wolfPKCS11
+ run: |
+ set -euxo pipefail
+
+ git config --global --add safe.directory "${GITHUB_WORKSPACE}"
+ git clone --depth 1 --branch "${WOLFBOOT_BRANCH}" "${WOLFBOOT_REPO}" wolfboot
+ git -C wolfboot config --global --add safe.directory "${GITHUB_WORKSPACE}/wolfboot"
+ git -C wolfboot submodule update --init --recursive
+ rm -rf wolfboot/lib/wolfPKCS11
+ ln -s "${GITHUB_WORKSPACE}" wolfboot/lib/wolfPKCS11
+ test -L wolfboot/lib/wolfPKCS11
+ test "$(realpath wolfboot/lib/wolfPKCS11)" = "${GITHUB_WORKSPACE}"
+
+ - name: Clean build tree for PKCS11 test (stm32h5)
+ working-directory: wolfboot
+ run: |
+ make clean distclean
+
+ - name: Configure PKCS11 test (stm32h5)
+ working-directory: wolfboot
+ run: |
+ cp config/examples/stm32h5-tz.config .config
+
+ - name: Build persistent PKCS11 test app (stm32h5)
+ working-directory: wolfboot
+ run: |
+ make PKCS11_TESTAPP=1
+
+ - name: Prepare PKCS11 persistence directory
+ run: |
+ rm -rf /tmp/m33mu-pkcs11-persist
+ mkdir -p /tmp/m33mu-pkcs11-persist
+ rm -f /tmp/m33mu-pkcs11-first.log /tmp/m33mu-pkcs11-second.log
+
+ - name: Run PKCS11 first boot (stm32h5)
+ run: |
+ cd /tmp/m33mu-pkcs11-persist
+ m33mu "${GITHUB_WORKSPACE}/wolfboot/wolfboot.bin" \
+ "${GITHUB_WORKSPACE}/wolfboot/test-app/image_v1_signed.bin:0x60000" \
+ --persist --uart-stdout --timeout 120 --expect-bkpt 0x7d \
+ | tee /tmp/m33mu-pkcs11-first.log
+
+ - name: Verify PKCS11 first boot (stm32h5)
+ run: |
+ grep -q "pkcs11: first boot path, creating persistent objects" /tmp/m33mu-pkcs11-first.log
+ grep -q "pkcs11: created persistent PKCS11 objects" /tmp/m33mu-pkcs11-first.log
+ grep -q "pkcs11: success" /tmp/m33mu-pkcs11-first.log
+ grep -q "\\[BKPT\\] imm=0x7d" /tmp/m33mu-pkcs11-first.log
+ grep -q "\\[EXPECT BKPT\\] Success" /tmp/m33mu-pkcs11-first.log
+
+ - name: Run PKCS11 second boot (stm32h5)
+ run: |
+ cd /tmp/m33mu-pkcs11-persist
+ m33mu "${GITHUB_WORKSPACE}/wolfboot/wolfboot.bin" \
+ "${GITHUB_WORKSPACE}/wolfboot/test-app/image_v1_signed.bin:0x60000" \
+ --persist --uart-stdout --timeout 120 --expect-bkpt 0x7f \
+ | tee /tmp/m33mu-pkcs11-second.log
+
+ - name: Verify PKCS11 second boot (stm32h5)
+ run: |
+ grep -q "pkcs11: second boot path, restoring persistent objects" /tmp/m33mu-pkcs11-second.log
+ grep -q "pkcs11: restored persistent PKCS11 objects" /tmp/m33mu-pkcs11-second.log
+ grep -q "pkcs11: success" /tmp/m33mu-pkcs11-second.log
+ grep -q "\\[BKPT\\] imm=0x7f" /tmp/m33mu-pkcs11-second.log
+ grep -q "\\[EXPECT BKPT\\] Success" /tmp/m33mu-pkcs11-second.log
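Review bot: The job executes code from three mutable references (the `ghcr.io/danielinux/m33mu-ci:1.8` container tag, wolfBoot `master` with recursive submodules, and `actions/checkout@v4`) while the workflow declares no `permissions:` block, and checkout by default leaves its token in the workspace `.git/config`, which the `ln -s "${GITHUB_WORKSPACE}"` step makes reachable from inside the wolfBoot build tree. Nothing in these steps appears to need write access, so I would restrict the token to `contents: read`, pass `persist-credentials: false` to checkout, and pin the container image by digest so a re-pushed tag cannot change what the job runs. Tracking wolfBoot `master` looks intentional for catching regressions, but logging `git -C wolfboot rev-parse HEAD` after the clone would make a failing run reproducible. Separately, only the clone step enables `pipefail`; in the two `m33mu … | tee` steps the emulator's exit status is discarded and the result is gated solely by the later `grep` checks, so adding `set -o pipefail` at the top of those `run:` blocks would close that gap.

```yaml
permissions:
  contents: read

# … unchanged: env, job name and runs-on …
    container:
      # placeholder digest: substitute the digest of the image that was reviewed
      image: ghcr.io/danielinux/m33mu-ci:1.8@sha256:<digest-of-reviewed-image>
# … unchanged: timeout-minutes …
      - name: Checkout wolfPKCS11
        uses: actions/checkout@v4
        with:
          persist-credentials: false
# … unchanged: clone, build, run and verify steps …
```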