Adding GitHub Action CI testing for TPM features.

Author: dgarske

.github/workflows/footprint.yml

@@ -1,10 +1,10 @@
 name: Footprint test
 
 on:
-  push:
-    branches: [master]
+    push:
+    branches: [ 'master', 'main', 'release/**' ]
   pull_request:
-    branches: [master]
+    branches: [ '*' ]
 
 jobs:
   footprint_test:

.github/workflows/test-build-sim-tpm.yml

@@ -0,0 +1,63 @@
+name: Wolfboot Reusable Build Workflow - Simulator with TPM
+
+on:
+
+  workflow_call:
+    inputs:
+      arch:
+        required: true
+        type: string
+      config-file:
+        required: true
+        type: string
+      make-args:
+        required: false
+        type: string
+      rot-args:
+        required: false
+        type: string
+
+jobs:
+
+  build:
+    runs-on: ubuntu-20.04
+
+    steps:
+      # setup ibmswtpm2
+      - uses: actions/checkout@master
+        with:
+          repository: kgoldman/ibmswtpm2
+          path: ibmswtpm2
+      - name: ibmswtpm2 make
+        working-directory: ./ibmswtpm2/src
+        run: |
+          make
+          ./ibmswtpm2/src/tpm_server &
+
+      - uses: actions/checkout@v3
+        with:
+          submodules: true
+
+      - name: make distclean
+        run: |
+          make distclean
+
+      - name: Select config
+        run: |
+          cp ${{inputs.config-file}} .config
+
+      - name: Build tools
+        run: |
+          make keytools && make tpmtools
+
+      - name: Write TPM ROT to TPM
+        run: |
+          ./tools/tpm/rot -write ${{rot-args}}
+
+      - name: Build wolfboot
+        run: |
+          make ${{inputs.make-args}}
+
+      - name: Run wolfBoot
+        run: |
+          ./wolfboot.elf get_version

.github/workflows/test-configs.yml

@@ -1,10 +1,10 @@
 name: Test Example Configs
 
 on:
-  push:
-    branches: [master]
+    push:
+    branches: [ 'master', 'main', 'release/**' ]
   pull_request:
-    branches: [master]
+    branches: [ '*' ]
 
 jobs:
 

.github/workflows/test-keytools.yml

@@ -1,10 +1,10 @@
 name: Wolfboot keytools test workflow
 
 on:
-  push:
-    branches: [master]
+    push:
+    branches: [ 'master', 'main', 'release/**' ]
   pull_request:
-    branches: [master]
+    branches: [ '*' ]
 
 jobs:
 

.github/workflows/test-powerfail-simulator.yml

@@ -1,10 +1,10 @@
 name: Power-failure during update - test with simulator target
 
 on:
-  push:
-    branches: [master]
+    push:
+    branches: [ 'master', 'main', 'release/**' ]
   pull_request:
-    branches: [master]
+    branches: [ '*' ]
 
 jobs:
   powerfail_simulator_tests:

.github/workflows/test-renode-fastmath-smallstack.yml

@@ -1,10 +1,10 @@
 name: Renode Automated multi memory configurations
 
 on:
-  push:
-    branches: [master]
+    push:
+    branches: [ 'master', 'main', 'release/**' ]
   pull_request:
-    branches: [master]
+    branches: [ '*' ]
 
 jobs:
   renode_automated_fastmath_smallstack:

.github/workflows/test-renode-fastmath.yml

@@ -1,10 +1,10 @@
 name: Renode Automated multi memory configurations
 
 on:
-  push:
-    branches: [master]
+    push:
+    branches: [ 'master', 'main', 'release/**' ]
   pull_request:
-    branches: [master]
+    branches: [ '*' ]
 
 jobs:
   renode_automated_fastmath:

.github/workflows/test-renode-noasm-smallstack.yml

@@ -1,10 +1,10 @@
 name: Renode Automated multi memory configurations
 
 on:
-  push:
-    branches: [master]
+    push:
+    branches: [ 'master', 'main', 'release/**' ]
   pull_request:
-    branches: [master]
+    branches: [ '*' ]
 
 jobs:
   renode_automated_noasm_smallstack:

.github/workflows/test-renode-noasm.yml

@@ -1,10 +1,10 @@
 name: Renode Automated multi memory configurations
 
 on:
-  push:
-    branches: [master]
+    push:
+    branches: [ 'master', 'main', 'release/**' ]
   pull_request:
-    branches: [master]
+    branches: [ '*' ]
 
 jobs:
   renode_automated_noasm:

.github/workflows/test-renode-nrf52.yml

@@ -1,10 +1,10 @@
 name: Renode Automated - Base Tests
 
 on:
-  push:
-    branches: [master]
+    push:
+    branches: [ 'master', 'main', 'release/**' ]
   pull_request:
-    branches: [master]
+    branches: [ '*' ]
 
 jobs:
   renode_automated_base:

.github/workflows/test-renode-sha3.yml

@@ -1,10 +1,10 @@
 name: Renode Automated multi SHA algorithms
 
 on:
-  push:
-    branches: [master]
+    push:
+    branches: [ 'master', 'main', 'release/**' ]
   pull_request:
-    branches: [master]
+    branches: [ '*' ]
 
 jobs:
   renode_automated_multi_sha:

.github/workflows/test-renode-sha384.yml

@@ -1,10 +1,10 @@
 name: Renode Automated multi SHA algorithms
 
 on:
-  push:
-    branches: [master]
+    push:
+    branches: [ 'master', 'main', 'release/**' ]
   pull_request:
-    branches: [master]
+    branches: [ '*' ]
 
 jobs:
   renode_automated_multi_sha:

.github/workflows/test-renode-smallstack.yml

@@ -1,10 +1,10 @@
 name: Renode Automated multi memory configurations
 
 on:
-  push:
-    branches: [master]
+    push:
+    branches: [ 'master', 'main', 'release/**' ]
   pull_request:
-    branches: [master]
+    branches: [ '*' ]
 
 jobs:
   renode_automated_smallstack:

.github/workflows/test-tpm.yml

@@ -0,0 +1,75 @@
+name: Test TPM Configs
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+jobs:
+
+  sim_tpm_ecc256:
+    uses: ./.github/workflows/test-build-sim-tpm.yml
+    with:
+      arch: host
+      config-file: ./config/examples/sim-tpm.config
+      make-args: SIGN=ECC256 HASH=SHA256
+
+  sim_tpm_ecc384:
+    uses: ./.github/workflows/test-build-sim-tpm.yml
+    with:
+      arch: host
+      config-file: ./config/examples/sim-tpm.config
+      make-args: SIGN=ECC384 HASH=SHA384
+
+  sim_tpm_rsa2048:
+    uses: ./.github/workflows/test-build-sim-tpm.yml
+    with:
+      arch: host
+      config-file: ./config/examples/sim-tpm.config
+      make-args: SIGN=RSA2048 HASH=SHA256
+
+
+  sim_tpm_measure_ecc256:
+    uses: ./.github/workflows/test-build-sim-tpm.yml
+    with:
+      arch: host
+      config-file: ./config/examples/sim-tpm-measured.config
+      make-args: SIGN=ECC256 HASH=SHA256
+
+  sim_tpm_measure_ecc384:
+    uses: ./.github/workflows/test-build-sim-tpm.yml
+    with:
+      arch: host
+      config-file: ./config/examples/sim-tpm-measured.config
+      make-args: SIGN=ECC384 HASH=SHA384
+
+  sim_tpm_measure_rsa2048:
+    uses: ./.github/workflows/test-build-sim-tpm.yml
+    with:
+      arch: host
+      config-file: ./config/examples/sim-tpm-measured.config
+      make-args: SIGN=RSA2048 HASH=SHA256
+
+
+  sim_tpm_keystore_ecc256:
+    uses: ./.github/workflows/test-build-sim-tpm.yml
+    with:
+      arch: host
+      config-file: ./config/examples/sim-tpm-keystore.config
+      make-args: SIGN=ECC256 HASH=SHA256
+
+  sim_tpm_keystore_ecc384:
+    uses: ./.github/workflows/test-build-sim-tpm.yml
+    with:
+      arch: host
+      config-file: ./config/examples/sim-tpm-keystore.config
+      make-args: SIGN=ECC384 HASH=SHA384
+      rot-args: -sha384
+
+  sim_tpm_keystore_rsa2048:
+    uses: ./.github/workflows/test-build-sim-tpm.yml
+    with:
+      arch: host
+      config-file: ./config/examples/sim-tpm-keystore.config
+      make-args: SIGN=RSA2048 HASH=SHA256

.github/workflows/test-units.yml

@@ -1,10 +1,10 @@
 name: Unit tests
 
 on:
-  push:
-    branches: [master]
+    push:
+    branches: [ 'master', 'main', 'release/**' ]
   pull_request:
-    branches: [master]
+    branches: [ '*' ]
 
 jobs:
   unit_tests:

.gitignore

@@ -100,6 +100,7 @@ tools/uart-flash-server/ufserver
 tools/unit-tests/unit-parser
 tools/bin-assemble/bin-assemble
 tools/elf-parser/elf-parser
+tools/tpm/rot
 config/*.ld
 
 # Generated confiuguration file

Makefile

@@ -167,6 +167,11 @@ keytools:
 	@$(MAKE) -C tools/keytools -s clean
 	@$(MAKE) -C tools/keytools -j
 
+tpmtools:
+	@echo "Building TPM tools"
+	@$(MAKE) -C tools/tpm -s clean
+	@$(MAKE) -C tools/tpm -j
+
 test-app/image_v1_signed.bin: $(BOOT_IMG)
 	@echo "\t[SIGN] $(BOOT_IMG)"
 	$(Q)(test $(SIGN) = NONE) || $(SIGN_TOOL) $(SIGN_OPTIONS) $(BOOT_IMG) $(PRIVATE_KEY) 1

config/examples/sim-tpm-keystore.config

@@ -1,11 +1,16 @@
 ARCH=sim
 TARGET=sim
-SIGN?=ECC384
-HASH?=SHA384
+SIGN?=ECC256
+HASH?=SHA256
 SPI_FLASH=0
 DEBUG=1
 WOLFTPM=1
 
+# Measured boot at test PCR index 16
+MEASURED_BOOT?=1
+MEASURED_PCR_A?=16
+
+# Use NV for TPM based Root of Trust
 WOLFBOOT_TPM_KEYSTORE?=1
 WOLFBOOT_TPM_KEYSTORE_NV_INDEX?=0x01400200
 

config/examples/sim-tpm-measured.config

@@ -1,6 +1,6 @@
 ARCH=sim
 TARGET=sim
-SIGN?=ED25519
+SIGN?=ECC256
 HASH?=SHA256
 WOLFBOOT_SMALL_STACK=1
 SPI_FLASH=0

config/examples/sim-tpm.config

@@ -1,7 +1,7 @@
 ARCH=sim
 TARGET=sim
-SIGN?=ECC384
-HASH?=SHA384
+SIGN?=ECC256
+HASH?=SHA256
 SPI_FLASH=0
 DEBUG=1
 WOLFTPM=1

hal/sim.c

@@ -140,7 +140,7 @@ void hal_init(void)
     ret = mmap_file(EXTERNAL_FLASH_FILE,
         (uint8_t*)ARCH_FLASH_OFFSET + 0x10000000, &flash_base);
     if (ret != 0) {
-        fprintf(stderr, "failed to load internal flash file\n");
+        fprintf(stderr, "failed to load external flash file\n");
         exit(-1);
     }
 #endif /* EXT_FLASH */