wolfSSL
diff --git a/‎.github/workflows/fwtpm-test.yml‎
Lines changed: 1 addition & 23 deletions b/‎.github/workflows/fwtpm-test.yml‎
Lines changed: 1 addition & 23 deletions
diff --git a/‎.github/workflows/sanitizer.yml‎
Lines changed: 34 additions & 57 deletions b/‎.github/workflows/sanitizer.yml‎
Lines changed: 34 additions & 57 deletions
diff --git a/‎.github/workflows/seal-test.yml‎
Lines changed: 33 additions & 16 deletions b/‎.github/workflows/seal-test.yml‎
Lines changed: 33 additions & 16 deletions
diff --git a/‎docs/FWTPM.md‎
Lines changed: 4 additions & 5 deletions b/‎docs/FWTPM.md‎
Lines changed: 4 additions & 5 deletions
@@ -138,23 +138,7 @@ jobs:
             build_only: true
             make_cflags: "-Wall -Wextra -Wpedantic -Werror -Wshadow -Wstrict-prototypes -Wmissing-prototypes -Wformat=2"
 
-          # AddressSanitizer: fwTPM server + examples
-          - name: fwtpm-asan
-            wolftpm_config: --enable-fwtpm --enable-swtpm --enable-debug
-            wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
-            build_only: false
-            extra_cflags: "-fsanitize=address -fno-omit-frame-pointer -g -O1"
-            extra_ldflags: "-fsanitize=address"
-            sanitizer: asan
-
-          # UndefinedBehaviorSanitizer: fwTPM server + examples
-          - name: fwtpm-ubsan
-            wolftpm_config: --enable-fwtpm --enable-swtpm --enable-debug
-            wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
-            build_only: false
-            extra_cflags: "-fsanitize=undefined -fno-sanitize-recover=all -fno-omit-frame-pointer -g"
-            extra_ldflags: "-fsanitize=undefined"
-            sanitizer: ubsan
+          # Note: ASan / UBSan / LeakSan coverage moved to sanitizer.yml
 
     steps:
       - name: Checkout wolfTPM
@@ -172,10 +156,6 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y tpm2-tools libtss2-tcti-mssim0
 
-      - name: ASLR workaround (sanitizers)
-        if: ${{ matrix.sanitizer }}
-        run: sudo sysctl vm.mmap_rnd_bits=28
-
       - name: Build wolfSSL
         working-directory: ./wolfssl
         run: |
@@ -220,8 +200,6 @@ jobs:
         if: ${{ !matrix.build_only }}
         env:
           WOLFSSL_PATH: ./wolfssl
-          ASAN_OPTIONS: ${{ matrix.sanitizer == 'asan' && 'detect_leaks=0' || '' }}
-          UBSAN_OPTIONS: ${{ matrix.sanitizer == 'ubsan' && 'halt_on_error=1:print_stacktrace=1' || '' }}
         run: make check
 
       - name: Upload failure logs
 
@@ -11,52 +11,22 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  build_wolfssl:
-    name: Build wolfSSL
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - name: Checkout wolfSSL
-        uses: actions/checkout@v4
-        with:
-          repository: wolfssl/wolfssl
-          path: wolfssl
-
-      - name: Build wolfSSL
-        working-directory: ./wolfssl
-        run: |
-          ./autogen.sh
-          ./configure --enable-wolftpm --enable-pkcallbacks --enable-keygen \
-            CFLAGS="-DWC_RSA_NO_PADDING"
-          make -j$(nproc)
-          sudo make install
-          sudo ldconfig
-
-      - name: tar build-dir
-        run: tar -zcf wolfssl-install.tgz /usr/local/lib/libwolfssl* /usr/local/include/wolfssl
-
-      - name: Upload built lib
-        uses: actions/upload-artifact@v4
-        with:
-          name: wolfssl-install
-          path: wolfssl-install.tgz
-          retention-days: 5
-
   sanitizer_test:
     name: ${{ matrix.name }}
     runs-on: ubuntu-latest
-    timeout-minutes: 10
-    needs: build_wolfssl
+    timeout-minutes: 30
     strategy:
       fail-fast: false
       matrix:
         include:
           - name: "ASan"
             cflags: "-fsanitize=address -fno-omit-frame-pointer -g -O1"
             ldflags: "-fsanitize=address"
+            asan_options: "detect_leaks=0"
           - name: "UBSan"
             cflags: "-fsanitize=undefined -fno-sanitize-recover=all -fno-omit-frame-pointer -g"
             ldflags: "-fsanitize=undefined"
+            ubsan_options: "halt_on_error=1:print_stacktrace=1"
           - name: "LeakSan"
             cflags: "-fsanitize=leak -fno-omit-frame-pointer -g"
             ldflags: "-fsanitize=leak"
@@ -68,37 +38,43 @@ jobs:
       - name: Checkout wolfTPM
         uses: actions/checkout@v4
 
-      - name: Download wolfSSL
-        uses: actions/download-artifact@v4
-        with:
-          name: wolfssl-install
-
-      - name: Install wolfSSL
-        run: |
-          sudo tar -xzf wolfssl-install.tgz -C /
-          sudo ldconfig
-
-      - name: Setup ibmswtpm2
+      - name: Checkout wolfSSL
         uses: actions/checkout@v4
         with:
-          repository: kgoldman/ibmswtpm2
-          path: ibmswtpm2
+          repository: wolfssl/wolfssl
+          path: wolfssl
 
-      - name: Build and start TPM simulator
-        working-directory: ./ibmswtpm2/src
+      - name: Install tpm2-tools
         run: |
-          make -j$(nproc)
-          ./tpm_server &
-          sleep 2
+          sudo apt-get update
+          sudo apt-get install -y tpm2-tools libtss2-tcti-mssim0
 
-      - name: Build wolfTPM with ${{ matrix.name }}
+      - name: Build and install wolfSSL with ${{ matrix.name }}
+        working-directory: ./wolfssl
         run: |
           ./autogen.sh
-          ./configure --enable-swtpm --disable-fwtpm \
-            CFLAGS="${{ matrix.cflags }}" LDFLAGS="${{ matrix.ldflags }}"
-          make -j$(nproc)
+          ./configure --enable-wolftpm --enable-pkcallbacks --enable-keygen \
+              --prefix=/tmp/wolfssl-install \
+              CFLAGS="-DWC_RSA_NO_PADDING ${{ matrix.cflags }}" \
+              LDFLAGS="${{ matrix.ldflags }}"
+          make
+          make install
 
-      - name: Run tests
+      - name: Build wolfTPM with fwTPM + ${{ matrix.name }}
+        run: |
+          ./autogen.sh
+          ./configure --enable-fwtpm --enable-swtpm --enable-debug \
+              --with-wolfcrypt=/tmp/wolfssl-install \
+              CFLAGS="${{ matrix.cflags }}" \
+              LDFLAGS="${{ matrix.ldflags }}"
+          make
+
+      - name: Run tests (make check)
+        env:
+          WOLFSSL_PATH: /tmp/wolfssl-install
+          LD_LIBRARY_PATH: /tmp/wolfssl-install/lib
+          ASAN_OPTIONS: ${{ matrix.asan_options }}
+          UBSAN_OPTIONS: ${{ matrix.ubsan_options }}
         run: make check
 
       - name: Upload failure logs
@@ -107,7 +83,8 @@ jobs:
         with:
           name: wolftpm-${{ matrix.name }}-logs
           path: |
-            run.out
+            /tmp/fwtpm_check_*.log
             test-suite.log
+            tests/*.log
             config.log
           retention-days: 5
@@ -8,6 +8,7 @@ on:
       - 'examples/nvram/seal_nv.c'
       - 'examples/nvram/nvram.h'
       - 'src/tpm2_wrap.c'
+      - 'src/fwtpm/**'
       - 'wolftpm/tpm2_wrap.h'
   pull_request:
     branches: [ '*' ]
@@ -16,6 +17,7 @@ on:
       - 'examples/nvram/seal_nv.c'
       - 'examples/nvram/nvram.h'
       - 'src/tpm2_wrap.c'
+      - 'src/fwtpm/**'
       - 'wolftpm/tpm2_wrap.h'
 
 jobs:
@@ -36,36 +38,51 @@ jobs:
         working-directory: ./wolfssl
         run: |
           ./autogen.sh
-          ./configure --enable-wolftpm --enable-pkcallbacks
-          make -j
+          ./configure --enable-wolftpm --enable-pkcallbacks --enable-keygen \
+              CFLAGS="-DWC_RSA_NO_PADDING"
+          make
           sudo make install
           sudo ldconfig
 
-      - name: Checkout ibmswtpm2
-        uses: actions/checkout@v4
-        with:
-          repository: kgoldman/ibmswtpm2
-          path: ibmswtpm2
-
-      - name: Build and start SWTPM
-        working-directory: ./ibmswtpm2/src
+      - name: Build wolfTPM with fwTPM
         run: |
+          ./autogen.sh
+          ./configure --enable-fwtpm --enable-swtpm --enable-debug
           make
-          ./tpm_server &
 
-      - name: Build wolfTPM
+      - name: Start fwtpm_server
         run: |
-          ./autogen.sh
-          ./configure --enable-swtpm --enable-debug --disable-fwtpm
-          make -j
+          rm -f fwtpm_nv.bin
+          ./src/fwtpm/fwtpm_server > /tmp/seal_fwtpm.log 2>&1 &
+          echo $! > /tmp/seal_fwtpm.pid
+          for i in $(seq 1 500); do
+              ss -tln 2>/dev/null | grep -q ':2321 ' && break
+              sleep 0.01
+          done
+          if ! ss -tln 2>/dev/null | grep -q ':2321 '; then
+              echo "fwtpm_server failed to start"
+              cat /tmp/seal_fwtpm.log
+              exit 1
+          fi
 
       - name: Run seal tests
         run: bash examples/seal/seal_test.sh
 
+      - name: Stop fwtpm_server
+        if: always()
+        run: |
+          if [ -f /tmp/seal_fwtpm.pid ]; then
+              kill "$(cat /tmp/seal_fwtpm.pid)" 2>/dev/null || true
+              rm -f /tmp/seal_fwtpm.pid
+          fi
+          rm -f fwtpm_nv.bin
+
       - name: Upload failure logs
         if: failure()
         uses: actions/upload-artifact@v4
         with:
           name: seal-test-logs
-          path: seal_test.log
+          path: |
+            seal_test.log
+            /tmp/seal_fwtpm.log
           retention-days: 5
@@ -596,13 +596,12 @@ See [src/fwtpm/README.md](../src/fwtpm/README.md) for the full CI test matrix
 and test script usage. Quick reference:
 
 ```sh
-scripts/fwtpm_build_test.sh --quick    # Build + examples
-scripts/fwtpm_build_test.sh --all      # Build + examples + make check + tpm2-tools
-scripts/tpm2_tools_test.sh             # tpm2-tools only (311 tests)
+make check                  # Build + unit.test + run_examples.sh + tpm2-tools
+scripts/tpm2_tools_test.sh  # tpm2-tools only (311 tests)
 ```
 
-Test scripts manage server lifecycle automatically -- do not start
-`fwtpm_server` manually before running them.
+`make check` runs `tests/fwtpm_check.sh`, which starts and stops
+`fwtpm_server` automatically -- do not start it manually.
 
 
 ## API Reference