Cleanups from copilot review. Fix m33mu test.

Author: dgarske

examples/run_examples.sh

@@ -449,7 +449,11 @@ run_tpm_tls_client() { # Usage: run_tpm_tls_client [ecc/rsa] [tpmargs] [tlsversi
     echo -e "./examples/server/server -v $3 -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem -R $READY_FILE"
     ./examples/server/server -v $3 -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem -R "$READY_FILE" >> $TPMPWD/run.out 2>&1 &
     popd >> $TPMPWD/run.out 2>&1
-    wait_for_ready "$READY_FILE" 500
+    if ! wait_for_ready "$READY_FILE" 500; then
+        echo -e "wolfSSL server failed to start for $1 $2"
+        rm -f "$READY_FILE"
+        exit 1
+    fi
     rm -f "$READY_FILE"
 
     echo -e "./examples/tls/tls_client -p=$port -$1 $2"
@@ -464,7 +468,10 @@ run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs] [tlsversi
 
     echo -e "./examples/tls/tls_server -p=$port -$1 $2"
     ./examples/tls/tls_server -p=$port -$1 $2 >> $TPMPWD/run.out 2>&1 &
-    wait_for_port "$port" 500
+    if ! wait_for_port "$port" 500; then
+        echo -e "TPM TLS server failed to start on port $port for $1 $2"
+        exit 1
+    fi
     pushd $WOLFSSL_PATH >> $TPMPWD/run.out 2>&1
 
     echo -e "./examples/client/client -v $3 -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem $4"

hal/tpm_io_fwtpm.c

@@ -45,7 +45,9 @@
 #include <sys/mman.h>
 #include <semaphore.h>
 
-/* Static client context (one connection per process) */
+/* Static client context (one connection per process).
+ * By design, only one fwTPM server instance is connected per process.
+ * Thread safety is provided by TPM2_AcquireLock in tpm2_tis.c. */
 static FWTPM_TIS_CLIENT_CTX gFwtpmClient;
 static int gFwtpmClientInit = 0;
 

scripts/fwtpm_emu_test.sh

@@ -64,6 +64,15 @@ if [ -z "$M33MU" ] || [ ! -x "$M33MU" ]; then
     exit 1
 fi
 
+# Verify m33mu can actually run (catch missing shared libs)
+if ! "$M33MU" --version > /dev/null 2>&1; then
+    echo "ERROR: m33mu found at $M33MU but failed to execute."
+    echo "  Checking shared library dependencies:"
+    ldd "$M33MU" 2>&1 | grep -i "not found" || echo "  (no missing libraries detected)"
+    echo "  File type: $(file "$M33MU")"
+    exit 1
+fi
+
 echo "=== fwTPM Emulator Test ==="
 echo "  m33mu: $M33MU"
 echo "  TZEN: $TZEN"
@@ -94,8 +103,10 @@ fi
 
 echo "Running in m33mu emulator..."
 LOG="/tmp/fwtpm_emu_test.log"
+set +e
 $M33MU $M33MU_ARGS "$ELF" > "$LOG" 2>&1
 RC=$?
+set -e
 
 # Show UART output (filter emulator noise)
 echo ""

src/fwtpm/fwtpm_tis.c

@@ -309,6 +309,12 @@ static void TisHandleRegAccess(FWTPM_CTX* ctx, FWTPM_TIS_REGS* regs)
                 break;
         }
 
+        /* Clamp len for scalar registers (max 4 bytes) and zero-fill
+         * to prevent stale data in reg_data from being read back */
+        if (len > 4) {
+            len = 4;
+        }
+        XMEMSET(regs->reg_data, 0, len);
         /* Pack value into reg_data (little-endian, matching TIS spec) */
         if (len >= 1) regs->reg_data[0] = (BYTE)(val);
         if (len >= 2) regs->reg_data[1] = (BYTE)(val >> 8);

src/tpm2.c

@@ -816,6 +816,11 @@ TPM_RC TPM2_Cleanup(TPM2_CTX* ctx)
         close(ctx->fd);
 #endif
 
+#ifdef WOLFTPM_SWTPM_UART
+    /* Close the persistent UART connection */
+    TPM2_SwtpmCloseUART(ctx);
+#endif
+
     return TPM_RC_SUCCESS;
 }
 

src/tpm2_crypto.c

@@ -396,7 +396,8 @@ int TPM2_HmacCompute(
     int hashType;
     int dSz;
 
-    if (digest == NULL || (data == NULL && dataSz > 0)) {
+    if (digest == NULL || (key == NULL && keySz > 0) ||
+        (data == NULL && dataSz > 0)) {
         return BAD_FUNC_ARG;
     }
 

src/tpm2_swtpm.c

@@ -352,7 +352,8 @@ static TPM_RC SwTpmDisconnect(TPM2_CTX* ctx)
 
 #ifdef WOLFTPM_SWTPM_UART
     /* UART: keep the port open for the next command.
-     * The SESSION_END tells the server the command sequence is done. */
+     * The SESSION_END tells the server the command sequence is done.
+     * Final cleanup of the UART FD is handled in TPM2_SwtpmCloseUART. */
     (void)ctx;
 #else
     if (0 != close(ctx->tcpCtx.fd)) {
@@ -479,4 +480,15 @@ int TPM2_SWTPM_SendCommand(TPM2_CTX* ctx, TPM2_Packet* packet)
 
     return rc;
 }
+
+#ifdef WOLFTPM_SWTPM_UART
+/* Close the persistent UART FD during final TPM context cleanup */
+void TPM2_SwtpmCloseUART(TPM2_CTX* ctx)
+{
+    if (ctx != NULL && ctx->tcpCtx.fd >= 0) {
+        close(ctx->tcpCtx.fd);
+        ctx->tcpCtx.fd = -1;
+    }
+}
+#endif
 #endif /* WOLFTPM_SWTPM */

tests/fwtpm_check.sh

@@ -84,42 +84,35 @@ check_wolfssl_options() {
 }
 
 ensure_wolfssl() {
+    local src
+
     # 1. Explicit WOLFSSL_PATH from environment
     if [ -n "$WOLFSSL_PATH" ] && check_wolfssl_options "$WOLFSSL_PATH"; then
         echo "  wolfSSL: using $WOLFSSL_PATH"
         return 0
     fi
 
     # 2. Reuse prior /tmp build
-    local src="/tmp/wolfssl-fwtpm"
+    src="/tmp/wolfssl-fwtpm"
     if [ -d "$src" ] && check_wolfssl_options "$src"; then
         WOLFSSL_PATH="$src"
         echo "  wolfSSL: using $WOLFSSL_PATH"
         return 0
     fi
 
-    # 3. Clone and build to /tmp (no sudo)
-    echo "  Building wolfSSL to $src"
-    if [ ! -d "$src/.git" ]; then
-        rm -rf "$src"
-        git clone --depth 1 https://github.com/wolfssl/wolfssl.git "$src" \
-            > /tmp/wolfssl-fwtpm-clone.log 2>&1 || return 1
-    fi
-    if ! check_wolfssl_options "$src"; then
-        (cd "$src" && \
-            ./autogen.sh > /dev/null 2>&1 && \
-            ./configure \
-                --enable-wolftpm --enable-pkcallbacks --enable-keygen \
-                CFLAGS="-DWC_RSA_NO_PADDING" \
-                > /tmp/wolfssl-fwtpm-configure.log 2>&1 && \
-            make > /tmp/wolfssl-fwtpm-build.log 2>&1) || {
-            echo "  wolfSSL build failed -- see /tmp/wolfssl-fwtpm-*.log"
-            return 1
-        }
-    fi
-    WOLFSSL_PATH="$src"
-    echo "  wolfSSL: built at $WOLFSSL_PATH"
-    return 0
+    # 3. Check system install paths
+    for src in /usr/local /usr /opt/homebrew /opt/local; do
+        if check_wolfssl_options "$src"; then
+            WOLFSSL_PATH="$src"
+            echo "  wolfSSL: using system install at $WOLFSSL_PATH"
+            return 0
+        fi
+    done
+
+    echo "  wolfSSL not available with required options."
+    echo "  Set WOLFSSL_PATH or install wolfSSL system-wide."
+    echo "  Skipping TLS-dependent tests."
+    return 1
 }
 
 # --- Cleanup ---
@@ -260,9 +253,16 @@ if [ $IS_FWTPM_MODE -eq 1 ]; then
         rm -f "$BUILD_DIR"/certs/tpm-*-cert.pem "$BUILD_DIR"/certs/tpm-*-cert.csr
         rm -f "$BUILD_DIR"/certs/server-*-cert.pem "$BUILD_DIR"/certs/client-*-cert.pem
 
-        # Kill any orphaned servers from prior crashed runs (intentional pre-flight)
-        killall fwtpm_server 2>/dev/null || true
-        sleep 0.3
+        # Clean up any stale PID files from prior crashed runs
+        for stale_pid_file in /tmp/fwtpm_check_*.pid; do
+            [ -f "$stale_pid_file" ] || continue
+            stale_pid="$(cat "$stale_pid_file" 2>/dev/null)"
+            if [ -n "$stale_pid" ] && kill -0 "$stale_pid" 2>/dev/null; then
+                kill "$stale_pid" 2>/dev/null
+                sleep 0.3
+            fi
+            rm -f "$stale_pid_file"
+        done
 
         if [ $HAS_GETENV -eq 1 ] && [ $IS_SWTPM_MODE -eq 1 ]; then
             FWTPM_PORT=$(pick_available_port)

wolftpm/tpm2_swtpm.h

@@ -47,6 +47,11 @@
 /* TPM2 IO for using TPM through a Socket connection */
 WOLFTPM_LOCAL int TPM2_SWTPM_SendCommand(TPM2_CTX* ctx, TPM2_Packet* packet);
 
+#ifdef WOLFTPM_SWTPM_UART
+/* Close the persistent UART FD during final TPM context cleanup */
+WOLFTPM_LOCAL void TPM2_SwtpmCloseUART(TPM2_CTX* ctx);
+#endif
+
 #ifdef __cplusplus
     }  /* extern "C" */
 #endif