
Commit bb6a71c

committed
Add seal/unseal examples with PCR, PolicyAuthorize, and NV policies
New examples: - seal_pcr: PCR-only policy seal/unseal. Binds secrets to specific PCR values without password or signing key. Supports split seal/unseal, configurable PCR index, custom blob filenames, XOR/AES param encryption. - seal_policy_auth: PolicyAuthorize with TPM-resident signing key (ECC/RSA). Signing key can re-authorize PCR policy, allowing secrets to survive authorized PCR changes (e.g., OS updates). Supports split seal/unseal, XOR/AES param encryption. - seal_nv: NV storage with PCR policy. Stores secrets directly in TPM non-volatile memory with store/read/delete lifecycle and configurable NV index. No external blob files needed. Build system: - Autotools: Updated include.am for seal and nvram with new build targets - CMake: Added add_tpm_example() entries for all three examples - Headers: Updated seal.h and nvram.h with new prototypes, removed old TPM2_PCR_Seal_With_Policy_Auth_* declarations - .gitignore: Added built binaries Testing: - run_examples.sh: Added ~110 lines of integration tests for seal_pcr, seal_policy_auth (ECC + RSA), and seal_nv (store/read/delete lifecycle) - seal_test.sh: Standalone test script with 28 tests across 3 groups including positive, negative, param encryption, and custom path tests - seal-test.yml: Dedicated CI workflow with SWTPM, path-filtered to seal-related files, follows make-test-swtpm.yml pattern Documentation: - README.md: Usage examples and policy comparison table for all seal examples
1 parent 25466a9 commit bb6a71c

15 files changed

Lines changed: 1867 additions & 9 deletions


.github/workflows/seal-test.yml

Lines changed: 70 additions & 0 deletions
@@ -0,0 +1,70 @@
1+
name: Seal Test Suite
2+
3+
on:
4+
push:
5+
branches: [ 'master', 'main', 'release/**' ]
6+
paths:
7+
- 'examples/seal/**'
8+
- 'examples/nvram/seal_nv.c'
9+
- 'examples/nvram/nvram.h'
10+
- 'src/tpm2_wrap.c'
11+
- 'wolftpm/tpm2_wrap.h'
12+
pull_request:
13+
branches: [ '*' ]
14+
paths:
15+
- 'examples/seal/**'
16+
- 'examples/nvram/seal_nv.c'
17+
- 'examples/nvram/nvram.h'
18+
- 'src/tpm2_wrap.c'
19+
- 'wolftpm/tpm2_wrap.h'
20+
21+
jobs:
22+
seal-test:
23+
runs-on: ubuntu-latest
24+
steps:
25+
- name: Checkout wolfTPM
26+
uses: actions/checkout@master
27+
28+
- name: Checkout wolfSSL
29+
uses: actions/checkout@master
30+
with:
31+
repository: wolfssl/wolfssl
32+
path: wolfssl
33+
34+
- name: Build and install wolfSSL
35+
working-directory: ./wolfssl
36+
run: |
37+
./autogen.sh
38+
./configure --enable-wolftpm --enable-pkcallbacks
39+
make -j
40+
sudo make install
41+
sudo ldconfig
42+
43+
- name: Checkout ibmswtpm2
44+
uses: actions/checkout@master
45+
with:
46+
repository: kgoldman/ibmswtpm2
47+
path: ibmswtpm2
48+
49+
- name: Build and start SWTPM
50+
working-directory: ./ibmswtpm2/src
51+
run: |
52+
make
53+
./tpm_server &
54+
55+
- name: Build wolfTPM
56+
run: |
57+
./autogen.sh
58+
./configure --enable-swtpm --enable-debug
59+
make -j
60+
61+
- name: Run seal tests
62+
run: bash examples/seal/seal_test.sh
63+
64+
- name: Upload failure logs
65+
if: failure()
66+
uses: actions/upload-artifact@v4
67+
with:
68+
name: seal-test-logs
69+
path: seal_test.log
70+
retention-days: 5
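Review bot: Every checkout step in this workflow uses `actions/checkout@master`, a mutable ref, so each run pulls whatever the action's default branch holds at that moment; pin it to a release tag or full commit SHA, e.g. `uses: actions/checkout@v4`, matching the `upload-artifact@v4` pin already used at the end of the job. The wolfssl and ibmswtpm2 checkouts likewise take the default branch with no `ref:`, which makes the suite non-reproducible and, for the third-party ibmswtpm2 repository whose `tpm_server` is built and executed here, widens the supply-chain exposure of the runner. The workflow also sets no `permissions:` block, so the GITHUB_TOKEN receives the repository default; a top-level `permissions:` with `contents: read` is all a checkout-build-test job needs. Finally, `./tpm_server &` is backgrounded with no readiness wait, so seal_test.sh can race the simulator if the wolfTPM build finishes quickly; a short retry loop on the simulator port before the test step would remove that flake.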

.github/workflows/zephyr.yml

Lines changed: 1 addition & 1 deletion
@@ -2,7 +2,7 @@ name: Zephyr wolfTPM Tests
22

33
on:
44
push:
5-
branches: [ '*' ]
5+
branches: [ 'master', 'main', 'release/**' ]
66
pull_request:
77
branches: [ '*' ]
88

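--- a/.gitignore
+++ b/.gitignore
@@ -70,12 +70,15 @@ examples/nvram/store
 examples/nvram/read
 examples/nvram/counter
 examples/nvram/policy_nv
+examples/nvram/seal_nv
 examples/gpio/gpio_config
 examples/gpio/gpio_set
 examples/gpio/gpio_read
 examples/gpio/gpio_nuvoton
 examples/seal/seal
 examples/seal/unseal
+examples/seal/seal_pcr
+examples/seal/seal_policy_auth
 examples/attestation/make_credential
 examples/attestation/activate_credential
 examples/attestation/certify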

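--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -518,6 +518,7 @@ if (WOLFTPM_EXAMPLES)
 add_tpm_example(policy_nv nvram/policy_nv.c)
 add_tpm_example(read nvram/read.c)
 add_tpm_example(store nvram/store.c)
+add_tpm_example(seal_nv nvram/seal_nv.c)
 add_tpm_example(extend pcr/extend.c)
 add_tpm_example(policy_sign pcr/policy_sign.c)
 add_tpm_example(policy pcr/policy.c)
@@ -527,6 +528,8 @@ if (WOLFTPM_EXAMPLES)
 add_tpm_example(pkcs7 pkcs7/pkcs7.c)
 add_tpm_example(seal seal/seal.c)
 add_tpm_example(unseal seal/unseal.c)
+add_tpm_example(seal_pcr seal/seal_pcr.c)
+add_tpm_example(seal_policy_auth seal/seal_policy_auth.c)
 add_tpm_example(clock_set timestamp/clock_set.c)
 add_tpm_example(signed_timestamp timestamp/signed_timestamp.c)
 add_tpm_example(tls_client_notpm tls/tls_client_notpm.c)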

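--- a/examples/nvram/include.am
+++ b/examples/nvram/include.am
@@ -33,6 +33,12 @@ examples_nvram_extend_SOURCES = examples/nvram/extend.c \
 examples/tpm_test_keys.c
 examples_nvram_extend_LDADD = src/libwolftpm.la $(LIB_STATIC_ADD)
 examples_nvram_extend_DEPENDENCIES = src/libwolftpm.la
+
+noinst_PROGRAMS += examples/nvram/seal_nv
+examples_nvram_seal_nv_SOURCES = examples/nvram/seal_nv.c \
+examples/tpm_test_keys.c
+examples_nvram_seal_nv_LDADD = src/libwolftpm.la $(LIB_STATIC_ADD)
+examples_nvram_seal_nv_DEPENDENCIES = src/libwolftpm.la
 endif
 
 example_nvramdir = $(exampledir)/nvram
@@ -41,10 +47,12 @@ dist_example_nvram_DATA = \
 examples/nvram/read.c \
 examples/nvram/counter.c \
 examples/nvram/policy_nv.c \
-examples/nvram/extend.c
+examples/nvram/extend.c \
+examples/nvram/seal_nv.c
 
 DISTCLEANFILES+= examples/nvram/.libs/store \
 examples/nvram/.libs/read \
 examples/nvram/.libs/counter \
 examples/nvram/.libs/policy_nv \
-examples/nvram/.libs/extend
+examples/nvram/.libs/extend \
+examples/nvram/.libs/seal_nv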

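--- a/examples/nvram/nvram.h
+++ b/examples/nvram/nvram.h
@@ -29,9 +29,8 @@
 int TPM2_NVRAM_Store_Example(void* userCtx, int argc, char *argv[]);
 int TPM2_NVRAM_Read_Example(void* userCtx, int argc, char *argv[]);
 int TPM2_NVRAM_Counter_Example(void* userCtx, int argc, char *argv[]);
-int TPM2_PCR_Seal_With_Policy_Auth_NV_Test(void* userCtx, int argc, char *argv[]);
-int TPM2_PCR_Seal_With_Policy_Auth_NV_External_Test(void* userCtx, int argc, char *argv[]);
 int TPM2_NVRAM_PolicyNV_Example(void* userCtx, int argc, char *argv[]);
+int TPM2_NVRAM_SealNV_Example(void* userCtx, int argc, char *argv[]);
 int TPM2_NVRAM_Extend_Example(void* userCtx, int argc, char *argv[]);
 
 #ifdef __cplusplus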
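Review bot: The new `TPM2_NVRAM_SealNV_Example` prototype carries no comment saying what the example does or how it reads argc/argv, and this header is the only interface the other examples and run_examples.sh see; a one-line comment such as `/* Seal a secret into a TPM NV index under a PCR policy; argv selects store/read/delete and the NV index (see seal_nv.c) */` would cover it, with the option names taken from the commit description rather than visible code, so confirm them against seal_nv.c before committing the wording. Removing the two `TPM2_PCR_Seal_With_Policy_Auth_NV_*` declarations is an interface break for any out-of-tree caller; if their definitions still exist in a .c file not shown here, those functions now lack a prototype and should be deleted or made static in the same change.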
