Improve ./configure defaults and expand make check

dgarske · dgarske · commit f3ee6258dbc7 · 2026-04-10T13:32:57.000-07:00
diff --git a/.github/workflows/fwtpm-test.yml b/.github/workflows/fwtpm-test.yml
@@ -166,6 +166,12 @@ jobs:
           repository: wolfssl/wolfssl
           path: wolfssl
 
+      - name: Install tpm2-tools
+        if: ${{ !matrix.build_only }}
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y tpm2-tools libtss2-tcti-mssim0
+
       - name: ASLR workaround (sanitizers)
         if: ${{ matrix.sanitizer }}
         run: sudo sysctl vm.mmap_rnd_bits=28
@@ -227,74 +233,14 @@ jobs:
             /tmp/fwtpm_check_*.log
           retention-days: 5
 
-  # ----------------------------------------------------------------
-  # tpm2-tools compatibility (socket transport)
-  # ----------------------------------------------------------------
-  fwtpm-tpm2tools:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout wolfTPM
-        uses: actions/checkout@v4
-
-      - name: Checkout wolfSSL
-        uses: actions/checkout@v4
-        with:
-          repository: wolfssl/wolfssl
-          path: wolfssl
-
-      - name: Build wolfSSL
-        working-directory: ./wolfssl
-        run: |
-          ./autogen.sh
-          ./configure --enable-wolftpm --enable-pkcallbacks --enable-keygen \
-              CFLAGS="-DWC_RSA_NO_PADDING"
-          make
-          sudo make install
-          sudo ldconfig
-
-      - name: Install tpm2-tools
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y tpm2-tools libtss2-tcti-mssim0
-
-      - name: Build wolfTPM
-        run: |
-          ./autogen.sh
-          ./configure --enable-fwtpm --enable-swtpm --enable-debug
-          make
-
-      - name: Start fwtpm_server
-        run: |
-          rm -f fwtpm_nv.bin
-          src/fwtpm/fwtpm_server \
-              > /tmp/fwtpm_srv.log 2>&1 &
-          echo $! > /tmp/fwtpm_server.pid
-          sleep 0.5
-          kill -0 $(cat /tmp/fwtpm_server.pid)
-
-      - name: Run tpm2-tools tests
-        run: scripts/tpm2_tools_test.sh --no-start
-
-      - name: Stop fwtpm_server
-        if: always()
-        run: |
-          if [ -f /tmp/fwtpm_server.pid ]; then
-            kill $(cat /tmp/fwtpm_server.pid) 2>/dev/null || true
-          fi
-
-      - name: Upload failure logs
-        if: failure()
-        uses: actions/upload-artifact@v4
-        with:
-          name: fwtpm-tpm2tools-logs
-          path: |
-            /tmp/fwtpm_srv.log
-            /tmp/fwtpm_tpm2tools_srv.log
-          retention-days: 5
-
   # ----------------------------------------------------------------
   # tpm2-tools compatibility test against IBM SW TPM
-  # Validates that tpm2_tools_test.sh works on a reference TPM
+  # Validates that tpm2_tools_test.sh works on a reference TPM.
+  #
+  # NOTE: tpm2-tools compatibility against fwtpm_server is now exercised
+  # by the fwtpm-examples matrix entries (fwtpm-socket, fwtpm-asan,
+  # fwtpm-ubsan) via `make check` — the standalone fwtpm-tpm2tools job
+  # was removed to eliminate duplication.
   # ----------------------------------------------------------------
   ibmswtpm-tpm2tools:
     runs-on: ubuntu-latest
diff --git a/configure.ac b/configure.ac
@@ -225,11 +225,31 @@ then
     AM_CFLAGS="$AM_CFLAGS -DWOLFTPM_LINUX_DEV"
 fi
 
+# Native host defaults — auto-enable fwTPM and swTPM on Linux/BSD x86_64 / aarch64
+# so `make check` provides full coverage out of the box. Users can still
+# explicitly disable with --disable-fwtpm / --disable-swtpm.
+WOLFTPM_DEFAULT_FWTPM=no
+WOLFTPM_DEFAULT_SWTPM=no
+case $host_cpu in
+    x86_64|amd64|aarch64)
+        # Defensive exclusion: fwtpm_server uses POSIX sockets and is not
+        # currently portable to Windows / Darwin. Auto-enable on Linux/BSD only.
+        case $host_os in
+            *mingw*|*cygwin*|*msys*|*darwin*|*win32*)
+                ;;
+            *)
+                WOLFTPM_DEFAULT_FWTPM=yes
+                WOLFTPM_DEFAULT_SWTPM=yes
+                ;;
+        esac
+        ;;
+esac
+
 # SW TPM device Support
 AC_ARG_ENABLE([swtpm],
-    [AS_HELP_STRING([--enable-swtpm],[Enable use of TPM through the SW socket driver (default: disabled)])],
+    [AS_HELP_STRING([--enable-swtpm],[Enable use of TPM through the SW socket driver (default: enabled on Linux x86_64/aarch64, disabled elsewhere)])],
     [ ENABLED_SWTPM=$enableval ],
-    [ ENABLED_SWTPM=no ]
+    [ ENABLED_SWTPM=$WOLFTPM_DEFAULT_SWTPM ]
     )
 
 # SWTPM port configuration
@@ -279,9 +299,9 @@ AC_SUBST([DISTCHECK_SWTPM_PORT_FLAG])
 
 # Firmware TPM (fwTPM) - software TPM 2.0 simulator
 AC_ARG_ENABLE([fwtpm],
-    [AS_HELP_STRING([--enable-fwtpm],[Enable firmware TPM (fwTPM) server (default: disabled)])],
+    [AS_HELP_STRING([--enable-fwtpm],[Enable firmware TPM (fwTPM) server (default: enabled on Linux x86_64/aarch64, disabled elsewhere)])],
     [ ENABLED_FWTPM=$enableval ],
-    [ ENABLED_FWTPM=no ]
+    [ ENABLED_FWTPM=$WOLFTPM_DEFAULT_FWTPM ]
     )
 
 if test "x$ENABLED_FWTPM" = "xyes"
diff --git a/scripts/tpm2_tools_test.sh b/scripts/tpm2_tools_test.sh
@@ -6,6 +6,11 @@
 # Usage:
 #   scripts/tpm2_tools_test.sh [--no-start] [--verbose] [--tcti=mssim|swtpm]
 #
+# Environment:
+#   TPM2_SWTPM_PORT  TCP port the running TPM server listens on (default: 2321).
+#                    Used when this script is invoked from `make check` to
+#                    target the random port picked by tests/fwtpm_check.sh.
+#
 # Requirements: tpm2-tools >= 5.0, libtss2-tcti-mssim (or libtss2-tcti-swtpm)
 #
 # Exit: 0 if all tests pass, 77 if tpm2-tools not installed (SKIP), 1 on failure
@@ -19,7 +24,7 @@ WOLFTPM_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
 # wolfTPM fwtpm_server auto-detects the TCTI protocol (mssim or swtpm).
 # Both are supported. Default to mssim for backward compatibility.
 TCTI_TYPE="${TCTI_TYPE:-mssim}"
-export TPM2TOOLS_TCTI="${TCTI_TYPE}:host=localhost,port=2321"
+export TPM2TOOLS_TCTI="${TCTI_TYPE}:host=localhost,port=${TPM2_SWTPM_PORT:-2321}"
 TEST_TMPDIR=/tmp/fwtpm_tpm2tools
 VERBOSE=0
 NO_START=0
@@ -38,7 +43,7 @@ for arg in "$@"; do
         --no-start) NO_START=1 ;;
         --tcti=*)
             TCTI_TYPE="${arg#--tcti=}"
-            export TPM2TOOLS_TCTI="${TCTI_TYPE}:host=localhost,port=2321"
+            export TPM2TOOLS_TCTI="${TCTI_TYPE}:host=localhost,port=${TPM2_SWTPM_PORT:-2321}"
             ;;
         --help|-h)
             grep '^#' "$0" | sed 's/^# \{0,1\}//' | head -12; exit 0 ;;
@@ -160,7 +165,7 @@ server_stop() {
 server_restart() {
     # Send tpm2_shutdown to flush volatile state before stopping server.
     # Use explicit TCTI in case environment is not set.
-    TPM2TOOLS_TCTI="${TCTI_TYPE}:host=localhost,port=2321" \
+    TPM2TOOLS_TCTI="${TCTI_TYPE}:host=localhost,port=${TPM2_SWTPM_PORT:-2321}" \
         tpm2_shutdown 2>/dev/null || true
     sleep 0.2
 
diff --git a/tests/fwtpm_check.sh b/tests/fwtpm_check.sh
@@ -390,11 +390,58 @@ fi
 
 # --- Run tpm2-tools tests if available ---
 
-# tpm2-tools tests are handled by their own CI job (fwtpm-tpm2tools)
-# and scripts/tpm2_tools_test.sh. Not included in make check because
-# the test script hardcodes port 2321 and we use random ports here.
-echo "SKIP: tpm2-tools (run separately via scripts/tpm2_tools_test.sh)"
-SKIP=$((SKIP + 1))
+# tpm2-tools speaks TCP TCTI (mssim/swtpm) only — TIS/SHM-only builds have no
+# socket and must skip. Otherwise reuse our fwtpm_server on $FWTPM_PORT and
+# call the script with --no-start. The script honors TPM2_SWTPM_PORT.
+TPM2_TOOLS_SCRIPT="$SRC_DIR/scripts/tpm2_tools_test.sh"
+if [ $IS_SWTPM_MODE -ne 1 ]; then
+    echo "SKIP: tpm2-tools (requires --enable-swtpm for TCP socket transport)"
+    SKIP=$((SKIP + 1))
+elif [ -x "$TPM2_TOOLS_SCRIPT" ]; then
+    echo ""
+    echo "=== Running tpm2_tools_test.sh ==="
+    cd "$BUILD_DIR"
+
+    # Restart fwtpm_server with a clean NV file so the tpm2-tools tests get
+    # isolated state. tpm2_clear is not enough — example NV indices created
+    # in run_examples.sh (e.g. 0x1500001) are not always cleared by it.
+    # Only restart if we actually started the server ourselves.
+    if [ $STARTED_SERVER -eq 1 ]; then
+        if [ -f "$PID_FILE" ]; then
+            kill "$(cat "$PID_FILE")" 2>/dev/null || true
+            sleep 0.3
+        fi
+        rm -f "$BUILD_DIR/fwtpm_nv.bin"
+        "$FWTPM_SERVER" --port "$FWTPM_PORT" \
+            --platform-port "$FWTPM_PLAT_PORT" \
+            > /tmp/fwtpm_check_$$.log 2>&1 &
+        echo $! > "$PID_FILE"
+        if ! wait_for_port "$FWTPM_PORT" 500; then
+            echo "FAIL: fwtpm_server restart failed before tpm2-tools tests"
+            cat /tmp/fwtpm_check_$$.log
+            FAIL=$((FAIL + 1))
+            echo ""
+            echo "=== fwTPM Integration Results: $PASS passed, $FAIL failed, $SKIP skipped ==="
+            exit 1
+        fi
+    fi
+
+    TPM2_SWTPM_PORT="$FWTPM_PORT" "$TPM2_TOOLS_SCRIPT" --no-start
+    rc=$?
+    if [ $rc -eq 0 ]; then
+        PASS=$((PASS + 1))
+        echo "PASS: tpm2_tools_test.sh"
+    elif [ $rc -eq 77 ]; then
+        SKIP=$((SKIP + 1))
+        echo "SKIP: tpm2_tools_test.sh (tpm2-tools not installed)"
+    else
+        FAIL=$((FAIL + 1))
+        echo "FAIL: tpm2_tools_test.sh (exit $rc)"
+    fi
+else
+    echo "SKIP: tpm2_tools_test.sh not found"
+    SKIP=$((SKIP + 1))
+fi
 
 echo ""
 echo "=== fwTPM Integration Results: $PASS passed, $FAIL failed, $SKIP skipped ==="
