1. .github/workflows/seal-test.yml — Pin actions/checkout@master → @v4 for supply-chain safety. Add explicit ref: master for wolfSSL, no ref for ibmswtpm2 (matches other workflows).

  2. examples/seal/seal_policy_auth.c — Clarify header comment: no pre-existing key needed, but authkey.bin must be retained for unseal.
  3. examples/seal/seal_test.sh
  - Add || return 1 to setup_pcr/change_pcr extend calls
  - Use grep -F -q -- for fixed-string secret matching
  - Add 6 new param enc tests (3.4a-c XOR, 3.5a-c AES) for seal_nv
  4. examples/nvram/seal_nv.c — Implement real parameter encryption:
  - Add paramEncSession (separate from tpmSession to avoid conflict)
  - Start unsalted HMAC session with XOR/AES-CFB
  - Place on session slot 2 (slot 1 is used internally by NVWriteData for NV handle auth)
  - Clean up session in exit path
  5. examples/run_examples.sh — Add seal_nv XOR param encryption integration test

Author: aidangarske

.github/workflows/seal-test.yml

@@ -23,12 +23,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout wolfTPM
-        uses: actions/checkout@master
+        uses: actions/checkout@v4
 
       - name: Checkout wolfSSL
-        uses: actions/checkout@master
+        uses: actions/checkout@v4
         with:
           repository: wolfssl/wolfssl
+          ref: master
           path: wolfssl
 
       - name: Build and install wolfSSL
@@ -41,7 +42,7 @@ jobs:
           sudo ldconfig
 
       - name: Checkout ibmswtpm2
-        uses: actions/checkout@master
+        uses: actions/checkout@v4
         with:
           repository: kgoldman/ibmswtpm2
           path: ibmswtpm2

examples/nvram/seal_nv.c

@@ -74,6 +74,7 @@ int TPM2_NVRAM_SealNV_Example(void* userCtx, int argc, char *argv[])
     int rc;
     WOLFTPM2_DEV dev;
     WOLFTPM2_SESSION tpmSession;
+    WOLFTPM2_SESSION paramEncSession;
     WOLFTPM2_HANDLE parent;
     WOLFTPM2_NV nv;
     TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
@@ -94,6 +95,7 @@ int TPM2_NVRAM_SealNV_Example(void* userCtx, int argc, char *argv[])
 
     XMEMSET(&dev, 0, sizeof(dev));
     XMEMSET(&tpmSession, 0, sizeof(tpmSession));
+    XMEMSET(&paramEncSession, 0, sizeof(paramEncSession));
     XMEMSET(&parent, 0, sizeof(parent));
     XMEMSET(&nv, 0, sizeof(nv));
 
@@ -167,6 +169,21 @@ int TPM2_NVRAM_SealNV_Example(void* userCtx, int argc, char *argv[])
         goto exit;
     }
 
+    if (paramEncAlg != TPM_ALG_NULL) {
+        /* Start TPM session for parameter encryption */
+        rc = wolfTPM2_StartSession(&dev, &paramEncSession, NULL, NULL,
+            TPM_SE_HMAC, paramEncAlg);
+        if (rc != 0) goto exit;
+        printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
+            (word32)paramEncSession.handle.hndl);
+        /* Set TPM session attributes for parameter encryption.
+         * Use index 2 to avoid conflict with NV handle auth on index 1 */
+        rc = wolfTPM2_SetAuthSession(&dev, 2, &paramEncSession,
+            (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt |
+             TPMA_SESSION_continueSession));
+        if (rc != 0) goto exit;
+    }
+
     /* Validate that the PCR bank is available */
     pcrDigestSz = (int)sizeof(pcrDigest);
     rc = wolfTPM2_ReadPCR(&dev, pcrIndex, pcrAlg, pcrDigest, &pcrDigestSz);
@@ -335,6 +352,7 @@ int TPM2_NVRAM_SealNV_Example(void* userCtx, int argc, char *argv[])
     }
 
     wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);
+    wolfTPM2_UnloadHandle(&dev, &paramEncSession.handle);
 
     wolfTPM2_Cleanup(&dev);
 

examples/run_examples.sh

@@ -793,6 +793,33 @@ if [ $NO_FILESYSTEM -eq 0 ]; then
     [ $RESULT -ne 0 ] && echo -e "seal_nv delete failed! $RESULT" && exit 1
 
     rm -f $TMPFILE aaa_nv.bin
+
+    # seal_nv with XOR parameter encryption
+    if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
+        echo aaa > aaa_nv.bin
+        ./examples/pcr/reset 16 >> $TPMPWD/run.out 2>&1
+        ./examples/pcr/extend 16 aaa_nv.bin >> $TPMPWD/run.out 2>&1
+
+        SECRET_STRING="NVSealXorTest"
+        ./examples/nvram/seal_nv -store -pcr=16 -xor -secretstr=$SECRET_STRING >> $TPMPWD/run.out 2>&1
+        RESULT=$?
+        [ $RESULT -ne 0 ] && echo -e "seal_nv store -xor failed! $RESULT" && exit 1
+
+        TMPFILE=$(mktemp)
+        ./examples/nvram/seal_nv -read -pcr=16 -xor &> $TMPFILE
+        RESULT=$?
+        cat $TMPFILE >> $TPMPWD/run.out
+        [ $RESULT -ne 0 ] && echo -e "seal_nv read -xor failed! $RESULT" && exit 1
+        grep "$SECRET_STRING" $TMPFILE >> $TPMPWD/run.out 2>&1
+        RESULT=$?
+        [ $RESULT -ne 0 ] && echo -e "seal_nv read -xor match failed! $RESULT" && exit 1
+
+        ./examples/nvram/seal_nv -delete >> $TPMPWD/run.out 2>&1
+        RESULT=$?
+        [ $RESULT -ne 0 ] && echo -e "seal_nv delete (xor) failed! $RESULT" && exit 1
+
+        rm -f $TMPFILE aaa_nv.bin
+    fi
 fi
 
 run_tpm_policy() { # Usage: run_tpm_policy [ecc/rsa] [key] [pcrs]

examples/seal/seal_policy_auth.c

@@ -22,8 +22,9 @@
 /* Self-contained PolicyAuthorize seal/unseal example.
  *
  * Creates a TPM-internal signing key, seals a secret with PolicyAuthorize
- * + PCR policy, then unseals using the same key. Single program, no
- * external key files needed.
+ * + PCR policy, then unseals using the same key. No pre-existing signing
+ * key is required — the TPM generates one internally. However, the key
+ * blob file (authkey.bin) must be retained for subsequent unseal operations.
  *
  * Sealing method: PolicyAuthorize (with PCR policy)
  *   Complexity:   High

examples/seal/seal_test.sh

@@ -53,7 +53,7 @@ run_test() {
         if [ $rc -ne 0 ]; then
             fail "$desc (exit code: $rc)"; rm -f "$tmpout"; return 1
         fi
-        if [ -n "$secret" ] && ! grep -q "$secret" "$tmpout"; then
+        if [ -n "$secret" ] && ! grep -F -q -- "$secret" "$tmpout"; then
             fail "$desc (secret not found in output)"; rm -f "$tmpout"; return 1
         fi
         pass "$desc"; rm -f "$tmpout"; return 0
@@ -66,12 +66,12 @@ run_test() {
 setup_pcr() {
     ./examples/pcr/reset 16 >> "$LOGFILE" 2>&1 || return 1
     echo aaa > aaa_pcr16.bin
-    ./examples/pcr/extend 16 aaa_pcr16.bin >> "$LOGFILE" 2>&1
+    ./examples/pcr/extend 16 aaa_pcr16.bin >> "$LOGFILE" 2>&1 || return 1
 }
 
 change_pcr() {
     echo bbb > bbb_pcr16.bin
-    ./examples/pcr/extend 16 bbb_pcr16.bin >> "$LOGFILE" 2>&1
+    ./examples/pcr/extend 16 bbb_pcr16.bin >> "$LOGFILE" 2>&1 || return 1
 }
 
 # Pre-flight
@@ -248,6 +248,32 @@ else
         ./examples/nvram/seal_nv -read -pcr=16 -nvindex=0x01800204
     run_test "3.3c seal_nv -delete nvindex=0x01800204" expect_pass -- \
         ./examples/nvram/seal_nv -delete -nvindex=0x01800204
+
+    # 3.4: XOR param encryption
+    if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
+        setup_pcr; S="NVSealXor004"
+        run_test "3.4a seal_nv -store -xor" expect_pass -- \
+            ./examples/nvram/seal_nv -store -pcr=16 -xor -secretstr="$S"
+        run_test "3.4b seal_nv -read -xor (verify)" expect_pass "$S" -- \
+            ./examples/nvram/seal_nv -read -pcr=16 -xor
+        run_test "3.4c seal_nv -delete" expect_pass -- \
+            ./examples/nvram/seal_nv -delete
+    else
+        skip "3.4 seal_nv -xor (wolfCrypt disabled)"
+    fi
+
+    # 3.5: AES param encryption
+    if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
+        setup_pcr; S="NVSealAes005"
+        run_test "3.5a seal_nv -store -aes" expect_pass -- \
+            ./examples/nvram/seal_nv -store -pcr=16 -aes -secretstr="$S"
+        run_test "3.5b seal_nv -read -aes (verify)" expect_pass "$S" -- \
+            ./examples/nvram/seal_nv -read -pcr=16 -aes
+        run_test "3.5c seal_nv -delete" expect_pass -- \
+            ./examples/nvram/seal_nv -delete
+    else
+        skip "3.5 seal_nv -aes (wolfCrypt default or disabled)"
+    fi
 fi
 echo ""