From b69ea6659b68a0630c5aaee978d1151f706cb482 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Fri, 20 Mar 2026 16:02:23 +0100 Subject: [PATCH 1/9] Add github workflow to check for wolfboot regressions --- .github/workflows/wolfboot-integration.yml | 262 +++++++++++++++++++++ 1 file changed, 262 insertions(+) create mode 100644 .github/workflows/wolfboot-integration.yml diff --git a/.github/workflows/wolfboot-integration.yml b/.github/workflows/wolfboot-integration.yml new file mode 100644 index 00000000000..953add9161c --- /dev/null +++ b/.github/workflows/wolfboot-integration.yml 
@@ -0,0 +1,262 @@ +name: wolfBoot Integration + +on: + push: + branches: [ 'master', 'main', 'release/**' ] + pull_request: + branches: [ '*' ] + workflow_dispatch: + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +env: + WOLFBOOT_REPO: https://github.com/wolfSSL/wolfBoot.git + WOLFBOOT_BRANCH: master + +jobs: + keytools: + name: keytools + if: github.repository_owner == 'wolfssl' + runs-on: ubuntu-24.04 + timeout-minutes: 20 + + steps: + - name: Checkout wolfSSL + uses: actions/checkout@v4 + + - name: Clone wolfBoot and link tested wolfSSL + run: | + set -euxo pipefail + + git clone --depth 1 --branch "${WOLFBOOT_BRANCH}" "${WOLFBOOT_REPO}" wolfboot + rm -rf wolfboot/lib/wolfssl + ln -s "${GITHUB_WORKSPACE}" wolfboot/lib/wolfssl + test -L wolfboot/lib/wolfssl + test "$(realpath wolfboot/lib/wolfssl)" = "${GITHUB_WORKSPACE}" + + - name: Run wolfBoot keytools integration flow + working-directory: wolfboot + run: | + set -euxo pipefail + + make_clean() { + make distclean + rm -f private-key.der private-key.pem public-key.der public-rsa2048-key.der + rm -f test-app/image_v1.sig test-app/image_v1_digest.bin test-app/image_v2_signed.bin + rm -f wolfboot_signing_private_key.der ecc384-priv-key.der keystore.der + } + + prepare_sim() { + cp config/examples/sim.config .config + make include/target.h + make -C tools/keytools + make -C tools/bin-assemble + } + + # ECC256 + make_clean + prepare_sim + make SIGN=ECC256 HASH=SHA256 + rm -f src/keystore.c + openssl ecparam -name prime256v1 -genkey -noout -outform DER -out private-key.der + openssl ec -in private-key.der -inform DER -pubout -out public-key.der -outform DER + ./tools/keytools/keygen --ecc256 -i public-key.der + ./tools/keytools/sign --ecc256 --sha-only --sha256 test-app/image.elf public-key.der 1 + openssl pkeyutl -sign -keyform der -inkey private-key.der -in test-app/image_v1_digest.bin > test-app/image_v1.sig + ./tools/keytools/sign --ecc256 --sha256 --manual-sign 
test-app/image.elf public-key.der 1 test-app/image_v1.sig + + # ED25519 + make_clean + prepare_sim + make SIGN=ED25519 HASH=SHA256 + rm -f src/keystore.c + openssl genpkey -algorithm ed25519 -out private-key.der -outform DER + openssl pkey -in private-key.der -inform DER -pubout -out public-key.der -outform DER + ./tools/keytools/keygen --ed25519 -i public-key.der + ./tools/keytools/sign --ed25519 --sha-only --sha256 test-app/image.elf public-key.der 1 + openssl pkeyutl -sign -keyform der -inkey private-key.der -rawin -in test-app/image_v1_digest.bin > test-app/image_v1.sig + ./tools/keytools/sign --ed25519 --sha256 --manual-sign test-app/image.elf public-key.der 1 test-app/image_v1.sig + + # RSA2048 + make_clean + prepare_sim + make SIGN=RSA2048 HASH=SHA256 + rm -f src/keystore.c + openssl genrsa -out private-key.pem 2048 + openssl rsa -in private-key.pem -inform PEM -out private-key.der -outform DER + openssl rsa -inform DER -outform DER -in private-key.der -out public-key.der -pubout + ./tools/keytools/keygen --rsa2048 -i public-key.der + ./tools/keytools/sign --rsa2048 --sha-only --sha256 test-app/image.elf public-key.der 1 + openssl pkeyutl -sign -keyform der -inkey private-key.der -in test-app/image_v1_digest.bin > test-app/image_v1.sig + ./tools/keytools/sign --rsa2048 --sha256 --manual-sign test-app/image.elf public-key.der 1 test-app/image_v1.sig + + # sign --no-ts + make_clean + prepare_sim + make SIGN=ECC256 HASH=SHA256 + ./tools/keytools/sign --ecc256 --sha256 --no-ts test-app/image.elf wolfboot_signing_private_key.der 2 + + # Universal keystore + make_clean + prepare_sim + openssl genrsa -out private-key.pem 2048 + openssl rsa -in private-key.pem -inform PEM -out private-key.der -outform DER + openssl rsa -inform DER -outform DER -in private-key.der -out public-rsa2048-key.der -pubout + ./tools/keytools/keygen --rsa2048 -i public-rsa2048-key.der --ecc256 -g wolfboot_signing_private_key.der --ecc384 -g ecc384-priv-key.der + make SIGN=ECC256 HASH=SHA256 
WOLFBOOT_UNIVERSAL_KEYSTORE=1 + + renode_config_selection: + name: renode-config-selection + if: github.repository_owner == 'wolfssl' + runs-on: ubuntu-24.04 + timeout-minutes: 35 + + steps: + - name: Checkout wolfSSL + uses: actions/checkout@v4 + + - name: Clone wolfBoot and link tested wolfSSL + run: | + set -euxo pipefail + + git clone --depth 1 --branch "${WOLFBOOT_BRANCH}" "${WOLFBOOT_REPO}" wolfboot + rm -rf wolfboot/lib/wolfssl + ln -s "${GITHUB_WORKSPACE}" wolfboot/lib/wolfssl + test -L wolfboot/lib/wolfssl + test "$(realpath wolfboot/lib/wolfssl)" = "${GITHUB_WORKSPACE}" + + - name: Build Renode docker image once + working-directory: wolfboot + run: | + set -euxo pipefail + docker build -t wolfboot-renode-nrf52 -f tools/renode/Dockerfile . + + - name: Run curated wolfBoot Renode configurations + working-directory: wolfboot + run: | + set -euo pipefail + + cp config/examples/nrf52840.config .config + make include/target.h + + mkdir -p test_results + + run_case() { + local slug="$1" + local opts="$2" + local result_dir="$PWD/test_results/$slug" + mkdir -p "$result_dir" + + echo "=== Running $slug: $opts ===" + if docker run \ + --rm \ + --log-driver=none -a stdout -a stderr \ + --volume "$PWD:/workspace" \ + --volume "$result_dir:/tmp/test_results" \ + --env SCRIPT=/workspace/renode-config.resc \ + --env RENODE_CHECKOUT=/home/developer/renode \ + --env TEST_OPTIONS="$opts" \ + --workdir /workspace \ + wolfboot-renode-nrf52 \ + /bin/bash -lc 'tools/scripts/renode-test-update.sh $TEST_OPTIONS > /tmp/test_results/logs.txt 2>&1' + then + echo "$opts: PASS" | tee -a test_results/summary.txt + else + echo "$opts: FAIL" | tee -a test_results/summary.txt + if [ -f "$result_dir/logs.txt" ]; then + cat "$result_dir/logs.txt" + fi + return 1 + fi + } + + run_case sign-none "SIGN=NONE" + run_case ecc256 "SIGN=ECC256" + run_case ed25519 "SIGN=ED25519" + run_case rsa2048 "SIGN=RSA2048" + + run_case sign-none-smallstack "SIGN=NONE WOLFBOOT_SMALL_STACK=1" + run_case 
ecc256-smallstack "SIGN=ECC256 WOLFBOOT_SMALL_STACK=1" + run_case ed25519-smallstack "SIGN=ED25519 WOLFBOOT_SMALL_STACK=1" + run_case rsa2048-smallstack "SIGN=RSA2048 WOLFBOOT_SMALL_STACK=1" + + run_case ecc256-noasm "SIGN=ECC256 NO_ASM=1" + run_case ed25519-noasm "SIGN=ED25519 NO_ASM=1" + run_case rsa2048-noasm "SIGN=RSA2048 NO_ASM=1" + + run_case ecc256-fastmath "SIGN=ECC256 SPMATH=0" + run_case rsa2048-fastmath "SIGN=RSA2048 SPMATH=0" + + run_case ecc256-smallstack-noasm "SIGN=ECC256 WOLFBOOT_SMALL_STACK=1 NO_ASM=1" + run_case rsa2048-smallstack-noasm "SIGN=RSA2048 WOLFBOOT_SMALL_STACK=1 NO_ASM=1" + + run_case ecc256-smallstack-fastmath "SIGN=ECC256 WOLFBOOT_SMALL_STACK=1 SPMATH=0" + run_case rsa2048-smallstack-fastmath "SIGN=RSA2048 WOLFBOOT_SMALL_STACK=1 SPMATH=0" + + - name: Upload Renode logs + if: always() + uses: actions/upload-artifact@v4 + with: + name: wolfboot-renode-config-selection + path: wolfboot/test_results/ + + host_smoke: + name: host-smoke + if: github.repository_owner == 'wolfssl' + runs-on: ubuntu-24.04 + timeout-minutes: 15 + + steps: + - name: Checkout wolfSSL + uses: actions/checkout@v4 + + - name: Clone wolfBoot and link tested wolfSSL + run: | + set -euxo pipefail + + git clone --depth 1 --branch "${WOLFBOOT_BRANCH}" "${WOLFBOOT_REPO}" wolfboot + rm -rf wolfboot/lib/wolfssl + ln -s "${GITHUB_WORKSPACE}" wolfboot/lib/wolfssl + test -L wolfboot/lib/wolfssl + test "$(realpath wolfboot/lib/wolfssl)" = "${GITHUB_WORKSPACE}" + + - name: Build and exercise host-side smoke test + working-directory: wolfboot + run: | + set -euo pipefail + + cp config/examples/library.config .config + make keysclean + make clean + make keytools SIGN=ED25519 HASH=SHA256 + ./tools/keytools/keygen --ed25519 -g wolfboot_signing_private_key.der + + printf 'wolfBoot wolfSSL integration smoke\n' > test.bin + ./tools/keytools/sign --ed25519 --sha256 test.bin wolfboot_signing_private_key.der 1 + + make test-lib SIGN=ED25519 HASH=SHA256 + ./test-lib test_v1_signed.bin + 
./test-lib test_v1_signed.bin 2>&1 | grep "Firmware Valid" + + truncate -s -1 test_v1_signed.bin + printf 'A' >> test_v1_signed.bin + + set +e + output=$(./test-lib test_v1_signed.bin 2>&1) + status=$? + set -e + + printf '%s\n' "$output" + + if printf '%s\n' "$output" | grep -F "Failure" >/dev/null; then + status=1 + fi + + if [ "$status" -eq 0 ]; then + echo "Expected failure, but test-lib succeeded" + exit 1 + fi + + printf '%s\n' "$output" | grep -F "Failure" >/dev/null From b695dd37b437e2c172194b49b492db7e43dae71f Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Fri, 20 Mar 2026 17:48:45 +0100 Subject: [PATCH 2/9] Remove artifact upload, address copilot's, fix docker boundary --- .github/workflows/wolfboot-integration.yml | 30 +++++++++++----------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/workflows/wolfboot-integration.yml b/.github/workflows/wolfboot-integration.yml index 953add9161c..b75cf01c86f 100644 --- a/.github/workflows/wolfboot-integration.yml +++ b/.github/workflows/wolfboot-integration.yml @@ -18,13 +18,13 @@ env: jobs: keytools: name: keytools - if: github.repository_owner == 'wolfssl' + if: toLower(github.repository_owner) == 'wolfssl' runs-on: ubuntu-24.04 timeout-minutes: 20 steps: - name: Checkout wolfSSL - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Clone wolfBoot and link tested wolfSSL run: | @@ -109,13 +109,13 @@ jobs: renode_config_selection: name: renode-config-selection - if: github.repository_owner == 'wolfssl' + if: toLower(github.repository_owner) == 'wolfssl' runs-on: ubuntu-24.04 timeout-minutes: 35 steps: - name: Checkout wolfSSL - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Clone wolfBoot and link tested wolfSSL run: | 
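Review bot: The workflow declares no `permissions:` block, so the keytools and host_smoke jobs run with whatever default GITHUB_TOKEN scope the repository grants; add `permissions:` / `contents: read` at workflow level, next to `concurrency:` at the top of the hunk, so every job is read-only unless it opts in. The `pull_request` filter `branches: [ '*' ]` does not match names containing a slash as I read the branch-filter rules, so pull requests targeting the `release/**` branches that the `push` trigger covers would not run this workflow; `branches: [ '**' ]` covers both. `WOLFBOOT_BRANCH: master` also means each run builds and executes scripts from a moving head of another repository, which makes a regression hard to attribute to wolfSSL versus wolfBoot; pinning to a tag or commit, or at least printing `git -C wolfboot rev-parse HEAD` in the clone step, would make the tested combination reproducible.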
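Review bot: The pin comment `# v4` beside the full commit SHA on the `uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332` line names a floating major tag rather than the exact release the SHA was taken from, so a reader or a dependency bot cannot tell which v4.x is pinned without resolving the commit. Write the comment as the exact tag, `# v4.<minor.patch of the release this SHA resolves to>`, here and in the two later checkout hunks of this patch, so the pin and its label stay in step when the SHA is bumped.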
@@ -154,6 +154,7 @@ jobs: --rm \ --log-driver=none -a stdout -a stderr \ --volume "$PWD:/workspace" \ + --volume "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:ro" \ --volume "$result_dir:/tmp/test_results" \ --env SCRIPT=/workspace/renode-config.resc \ --env RENODE_CHECKOUT=/home/developer/renode \ @@ -195,22 +196,15 @@ jobs: run_case ecc256-smallstack-fastmath "SIGN=ECC256 WOLFBOOT_SMALL_STACK=1 SPMATH=0" run_case rsa2048-smallstack-fastmath "SIGN=RSA2048 WOLFBOOT_SMALL_STACK=1 SPMATH=0" - - name: Upload Renode logs - if: always() - uses: actions/upload-artifact@v4 - with: - name: wolfboot-renode-config-selection - path: wolfboot/test_results/ - host_smoke: name: host-smoke - if: github.repository_owner == 'wolfssl' + if: toLower(github.repository_owner) == 'wolfssl' runs-on: ubuntu-24.04 timeout-minutes: 15 steps: - name: Checkout wolfSSL - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Clone wolfBoot and link tested wolfSSL run: | @@ -237,8 +231,14 @@ jobs: ./tools/keytools/sign --ed25519 --sha256 test.bin wolfboot_signing_private_key.der 1 make test-lib SIGN=ED25519 HASH=SHA256 - ./test-lib test_v1_signed.bin - ./test-lib test_v1_signed.bin 2>&1 | grep "Firmware Valid" + success_output=$(./test-lib test_v1_signed.bin 2>&1) + success_status=$? + printf '%s\n' "$success_output" + if [ "$success_status" -ne 0 ]; then + echo "Expected success, but test-lib failed" + exit 1 + fi + printf '%s\n' "$success_output" | grep -F "Firmware Valid" >/dev/null truncate -s -1 test_v1_signed.bin printf 'A' >> test_v1_signed.bin From 2c7bc0d1b32baee93eb43d00cec83b7a53cdb166 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Fri, 20 Mar 2026 18:11:24 +0100 Subject: [PATCH 3/9] Removed toLower --- .github/workflows/wolfboot-integration.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
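Review bot: The success-path marker check on the last added line of the host_smoke hunk, `printf '%s\n' "$success_output" | grep -F "Firmware Valid" >/dev/null`, relies on `set -euo pipefail` to fail the step, so a missing marker aborts with no message while the exit-status branch just above it prints one. Wrapping it the same way, `if ! printf '%s\n' "$success_output" | grep -F "Firmware Valid" >/dev/null; then echo "test-lib succeeded but did not print \"Firmware Valid\""; exit 1; fi`, keeps the two checks symmetric and makes the log say which one tripped. The step body continues below the hunk.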
diff --git a/.github/workflows/wolfboot-integration.yml b/.github/workflows/wolfboot-integration.yml index b75cf01c86f..7678519c4bd 100644 --- a/.github/workflows/wolfboot-integration.yml +++ b/.github/workflows/wolfboot-integration.yml @@ -18,7 +18,7 @@ env: jobs: keytools: name: keytools - if: toLower(github.repository_owner) == 'wolfssl' + if: github.repository_owner == 'wolfssl' runs-on: ubuntu-24.04 timeout-minutes: 20 @@ -109,7 +109,7 @@ jobs: renode_config_selection: name: renode-config-selection - if: toLower(github.repository_owner) == 'wolfssl' + if: github.repository_owner == 'wolfssl' runs-on: ubuntu-24.04 timeout-minutes: 35 @@ -198,7 +198,7 @@ jobs: host_smoke: name: host-smoke - if: toLower(github.repository_owner) == 'wolfssl' + if: github.repository_owner == 'wolfssl' runs-on: ubuntu-24.04 timeout-minutes: 15 From c7684acb6c264956874047340ed8eba7a1791ba2 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Fri, 20 Mar 2026 20:24:52 +0100 Subject: [PATCH 4/9] Renode docker: fixed permission --- .github/workflows/wolfboot-integration.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/wolfboot-integration.yml b/.github/workflows/wolfboot-integration.yml index 7678519c4bd..a7d6ff405e9 100644 --- a/.github/workflows/wolfboot-integration.yml +++ b/.github/workflows/wolfboot-integration.yml @@ -154,7 +154,7 @@ jobs: --rm \ --log-driver=none -a stdout -a stderr \ --volume "$PWD:/workspace" \ - --volume "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:ro" \ + --volume "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}" \ --volume "$result_dir:/tmp/test_results" \ --env SCRIPT=/workspace/renode-config.resc \ --env RENODE_CHECKOUT=/home/developer/renode \ From cc85d5a6565fd4f576ad7daf3764a05c4c1e2744 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Tue, 31 Mar 2026 07:25:52 +0200 Subject: [PATCH 5/9] Addressed copilot's comment --- .github/workflows/wolfboot-integration.yml | 2 ++ 1 file changed, 2 insertions(+) 
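Review bot: The revert in all three hunks is correct but undocumented: `==` in GitHub Actions expressions compares strings case-insensitively, which is why `github.repository_owner == 'wolfssl'` matches the wolfSSL organisation without a lowercase helper, and `toLower()` is not a supported expression function in any case. A one-line comment above each condition, `# expression string comparison is case-insensitive, so 'wolfssl' matches the wolfSSL org`, would stop the next reviewer from reintroducing a case-normalising wrapper.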
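Review bot: Dropping `:ro` from the `${GITHUB_WORKSPACE}` bind mount gives the Renode test container write access to the wolfSSL checkout under test, not only to the wolfboot tree it runs in, and the subject line gives no hint of what needed to write there. If the permission problem is the build writing objects under `lib/wolfssl`, pointing the build at a writable copy or scratch directory keeps the source tree immutable during the run; if read-write really is required, a comment on the mount line stating why would keep the next reviewer from restoring `:ro`.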
diff --git a/.github/workflows/wolfboot-integration.yml b/.github/workflows/wolfboot-integration.yml index a7d6ff405e9..747bc1b310b 100644 --- a/.github/workflows/wolfboot-integration.yml +++ b/.github/workflows/wolfboot-integration.yml @@ -231,8 +231,10 @@ jobs: ./tools/keytools/sign --ed25519 --sha256 test.bin wolfboot_signing_private_key.der 1 make test-lib SIGN=ED25519 HASH=SHA256 + set +e success_output=$(./test-lib test_v1_signed.bin 2>&1) success_status=$? + set -e printf '%s\n' "$success_output" if [ "$success_status" -ne 0 ]; then echo "Expected success, but test-lib failed" From e8ccb5c8a2f5843697dbd75c4d4c606d5f9a64b4 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Tue, 31 Mar 2026 09:21:23 +0200 Subject: [PATCH 6/9] Address more comments, pin renode to v 1.15.3 --- .github/workflows/wolfboot-integration.yml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/.github/workflows/wolfboot-integration.yml b/.github/workflows/wolfboot-integration.yml index 747bc1b310b..8bffe325ad9 100644 --- a/.github/workflows/wolfboot-integration.yml +++ b/.github/workflows/wolfboot-integration.yml @@ -14,6 +14,7 @@ concurrency: env: WOLFBOOT_REPO: https://github.com/wolfSSL/wolfBoot.git WOLFBOOT_BRANCH: master + RENODE_CONTAINER_VERSION: 1.15.3 jobs: keytools: @@ -131,7 +132,7 @@ jobs: working-directory: wolfboot run: | set -euxo pipefail - docker build -t wolfboot-renode-nrf52 -f tools/renode/Dockerfile . + docker build -t wolfboot-renode-nrf52:${RENODE_CONTAINER_VERSION} -f tools/renode/Dockerfile . - name: Run curated wolfBoot Renode configurations working-directory: wolfboot @@ -160,7 +161,7 @@ jobs: --env RENODE_CHECKOUT=/home/developer/renode \ --env TEST_OPTIONS="$opts" \ --workdir /workspace \ - wolfboot-renode-nrf52 \ + wolfboot-renode-nrf52:${RENODE_CONTAINER_VERSION} \ /bin/bash -lc 'tools/scripts/renode-test-update.sh $TEST_OPTIONS > /tmp/test_results/logs.txt 2>&1' then echo "$opts: PASS" | tee -a test_results/summary.txt 
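Review bot: Tagging the locally built image `wolfboot-renode-nrf52:${RENODE_CONTAINER_VERSION}` does not by itself pin Renode to 1.15.3 as the subject states: the tag names the output image, while the Renode version comes from whatever `tools/renode/Dockerfile` installs, which this patch neither shows nor parameterises. Unless that Dockerfile already hard-codes 1.15.3, the version should be passed in, e.g. `docker build --build-arg RENODE_VERSION="${RENODE_CONTAINER_VERSION}" -t wolfboot-renode-nrf52:${RENODE_CONTAINER_VERSION} -f tools/renode/Dockerfile .` with a matching `ARG` in the Dockerfile (the build-arg name is illustrative); otherwise a comment next to `RENODE_CONTAINER_VERSION` in the `env:` hunk should say it is a label only.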
@@ -252,13 +253,11 @@ jobs: printf '%s\n' "$output" - if printf '%s\n' "$output" | grep -F "Failure" >/dev/null; then - status=1 - fi - if [ "$status" -eq 0 ]; then echo "Expected failure, but test-lib succeeded" exit 1 fi - printf '%s\n' "$output" | grep -F "Failure" >/dev/null + if ! printf '%s\n' "$output" | grep -F "Failure" >/dev/null; then + echo "test-lib failed as expected, but did not print the legacy \"Failure\" marker" + fi From 8b9bb6b3c68c645b2b3888adf2de4a6fa8ba66bc Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Tue, 5 May 2026 14:01:49 +0200 Subject: [PATCH 7/9] Migrate wolfboot integration tests to new wolfboot-ci container --- .github/workflows/wolfboot-integration.yml | 403 ++++++++++++++++----- 1 file changed, 313 insertions(+), 90 deletions(-) diff --git a/.github/workflows/wolfboot-integration.yml b/.github/workflows/wolfboot-integration.yml index 8bffe325ad9..cececdd6522 100644 --- a/.github/workflows/wolfboot-integration.yml +++ b/.github/workflows/wolfboot-integration.yml @@ -14,7 +14,7 @@ concurrency: env: WOLFBOOT_REPO: https://github.com/wolfSSL/wolfBoot.git WOLFBOOT_BRANCH: master - RENODE_CONTAINER_VERSION: 1.15.3 + WOLFBOOT_RENODE_IMAGE: ghcr.io/wolfssl/wolfboot-ci-renode:v1.8 jobs: keytools: 
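Review bot: The relaxed marker check on the final added lines prints its diagnostic with a plain `echo`, so a test-lib build that stops emitting the legacy "Failure" marker is only visible to someone reading the step log. Emitting it as a workflow annotation, `echo "::warning::test-lib failed as expected, but did not print the legacy \"Failure\" marker"`, surfaces it in the run summary and on the pull-request checks without making the step fail. The step body continues above the hunk.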
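Review bot: `WOLFBOOT_RENODE_IMAGE: ghcr.io/wolfssl/wolfboot-ci-renode:v1.8` references the CI image by a mutable tag, so the toolchain the Renode jobs execute can change underneath the workflow without any diff here, in contrast to the SHA-pinned `actions/checkout` in the same file. Pin the image by digest, `WOLFBOOT_RENODE_IMAGE: ghcr.io/wolfssl/wolfboot-ci-renode:v1.8@sha256:<digest>` (placeholder), keeping the tag in front as a human-readable label, and bump the digest deliberately when the image is rebuilt.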
@@ -108,95 +108,6 @@ jobs: ./tools/keytools/keygen --rsa2048 -i public-rsa2048-key.der --ecc256 -g wolfboot_signing_private_key.der --ecc384 -g ecc384-priv-key.der make SIGN=ECC256 HASH=SHA256 WOLFBOOT_UNIVERSAL_KEYSTORE=1 - renode_config_selection: - name: renode-config-selection - if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-24.04 - timeout-minutes: 35 - - steps: - - name: Checkout wolfSSL - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - - - name: Clone wolfBoot and link tested wolfSSL - run: | - set -euxo pipefail - - git clone --depth 1 --branch "${WOLFBOOT_BRANCH}" "${WOLFBOOT_REPO}" wolfboot - rm -rf wolfboot/lib/wolfssl - ln -s "${GITHUB_WORKSPACE}" wolfboot/lib/wolfssl - test -L wolfboot/lib/wolfssl - test "$(realpath wolfboot/lib/wolfssl)" = "${GITHUB_WORKSPACE}" - - - name: Build Renode docker image once - working-directory: wolfboot - run: | - set -euxo pipefail - docker build -t wolfboot-renode-nrf52:${RENODE_CONTAINER_VERSION} -f tools/renode/Dockerfile . 
- - - name: Run curated wolfBoot Renode configurations - working-directory: wolfboot - run: | - set -euo pipefail - - cp config/examples/nrf52840.config .config - make include/target.h - - mkdir -p test_results - - run_case() { - local slug="$1" - local opts="$2" - local result_dir="$PWD/test_results/$slug" - mkdir -p "$result_dir" - - echo "=== Running $slug: $opts ===" - if docker run \ - --rm \ - --log-driver=none -a stdout -a stderr \ - --volume "$PWD:/workspace" \ - --volume "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}" \ - --volume "$result_dir:/tmp/test_results" \ - --env SCRIPT=/workspace/renode-config.resc \ - --env RENODE_CHECKOUT=/home/developer/renode \ - --env TEST_OPTIONS="$opts" \ - --workdir /workspace \ - wolfboot-renode-nrf52:${RENODE_CONTAINER_VERSION} \ - /bin/bash -lc 'tools/scripts/renode-test-update.sh $TEST_OPTIONS > /tmp/test_results/logs.txt 2>&1' - then - echo "$opts: PASS" | tee -a test_results/summary.txt - else - echo "$opts: FAIL" | tee -a test_results/summary.txt - if [ -f "$result_dir/logs.txt" ]; then - cat "$result_dir/logs.txt" - fi - return 1 - fi - } - - run_case sign-none "SIGN=NONE" - run_case ecc256 "SIGN=ECC256" - run_case ed25519 "SIGN=ED25519" - run_case rsa2048 "SIGN=RSA2048" - - run_case sign-none-smallstack "SIGN=NONE WOLFBOOT_SMALL_STACK=1" - run_case ecc256-smallstack "SIGN=ECC256 WOLFBOOT_SMALL_STACK=1" - run_case ed25519-smallstack "SIGN=ED25519 WOLFBOOT_SMALL_STACK=1" - run_case rsa2048-smallstack "SIGN=RSA2048 WOLFBOOT_SMALL_STACK=1" - - run_case ecc256-noasm "SIGN=ECC256 NO_ASM=1" - run_case ed25519-noasm "SIGN=ED25519 NO_ASM=1" - run_case rsa2048-noasm "SIGN=RSA2048 NO_ASM=1" - - run_case ecc256-fastmath "SIGN=ECC256 SPMATH=0" - run_case rsa2048-fastmath "SIGN=RSA2048 SPMATH=0" - - run_case ecc256-smallstack-noasm "SIGN=ECC256 WOLFBOOT_SMALL_STACK=1 NO_ASM=1" - run_case rsa2048-smallstack-noasm "SIGN=RSA2048 WOLFBOOT_SMALL_STACK=1 NO_ASM=1" - - run_case ecc256-smallstack-fastmath "SIGN=ECC256 WOLFBOOT_SMALL_STACK=1 
SPMATH=0" - run_case rsa2048-smallstack-fastmath "SIGN=RSA2048 WOLFBOOT_SMALL_STACK=1 SPMATH=0" - host_smoke: name: host-smoke if: github.repository_owner == 'wolfssl' 
@@ -261,3 +172,315 @@ jobs: if ! printf '%s\n' "$output" | grep -F "Failure" >/dev/null; then echo "test-lib failed as expected, but did not print the legacy \"Failure\" marker" fi + + renode_multimem_smallstack: + name: renode-multimem-smallstack + if: github.repository_owner == 'wolfssl' + runs-on: ubuntu-22.04 + timeout-minutes: 45 + permissions: + contents: read + packages: read + + steps: + - name: Checkout wolfSSL + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + + - name: Clone wolfBoot and link tested wolfSSL + run: | + set -euxo pipefail + + git clone --depth 1 --branch "${WOLFBOOT_BRANCH}" "${WOLFBOOT_REPO}" wolfboot + rm -rf wolfboot/lib/wolfssl + ln -s "${GITHUB_WORKSPACE}" wolfboot/lib/wolfssl + test -L wolfboot/lib/wolfssl + test "$(realpath wolfboot/lib/wolfssl)" = "${GITHUB_WORKSPACE}" + + - name: Log in to GHCR + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Select config + working-directory: wolfboot + run: | + cp config/examples/nrf52840.config .config && make include/target.h + +##### SMALL STACK tests (xmalloc path: most regressions land here) + + - name: Renode Tests SIGN=NONE WOLFBOOT_SMALL_STACK=1 + working-directory: wolfboot + env: + DOCKER_IMAGE: ${{ env.WOLFBOOT_RENODE_IMAGE }} + run: ./tools/renode/docker-test.sh "SIGN=NONE WOLFBOOT_SMALL_STACK=1" + + - name: Renode Tests ECC256 WOLFBOOT_SMALL_STACK=1 + working-directory: wolfboot + env: + DOCKER_IMAGE: ${{ env.WOLFBOOT_RENODE_IMAGE }} + run: ./tools/renode/docker-test.sh "SIGN=ECC256 WOLFBOOT_SMALL_STACK=1" + + - name: Renode Tests ECC384 WOLFBOOT_SMALL_STACK=1 + working-directory: wolfboot + env: + DOCKER_IMAGE: ${{ env.WOLFBOOT_RENODE_IMAGE }} + run: ./tools/renode/docker-test.sh "SIGN=ECC384 WOLFBOOT_SMALL_STACK=1" + + - name: Renode Tests ECC521 WOLFBOOT_SMALL_STACK=1 + working-directory: wolfboot + env: + DOCKER_IMAGE: ${{ env.WOLFBOOT_RENODE_IMAGE }} + run: 
./tools/renode/docker-test.sh "SIGN=ECC521 WOLFBOOT_SMALL_STACK=1" + + - name: Renode Tests ED25519 WOLFBOOT_SMALL_STACK=1 + working-directory: wolfboot + env: + DOCKER_IMAGE: ${{ env.WOLFBOOT_RENODE_IMAGE }} + run: ./tools/renode/docker-test.sh "SIGN=ED25519 WOLFBOOT_SMALL_STACK=1" + + - name: Renode Tests ED448 WOLFBOOT_SMALL_STACK=1 + working-directory: wolfboot + env: + DOCKER_IMAGE: ${{ env.WOLFBOOT_RENODE_IMAGE }} + run: ./tools/renode/docker-test.sh "SIGN=ED448 WOLFBOOT_SMALL_STACK=1" + + - name: Renode Tests RSA2048 WOLFBOOT_SMALL_STACK=1 + working-directory: wolfboot + env: + DOCKER_IMAGE: ${{ env.WOLFBOOT_RENODE_IMAGE }} + run: ./tools/renode/docker-test.sh "SIGN=RSA2048 WOLFBOOT_SMALL_STACK=1" + + - name: Renode Tests RSA3072 WOLFBOOT_SMALL_STACK=1 + working-directory: wolfboot + env: + DOCKER_IMAGE: ${{ env.WOLFBOOT_RENODE_IMAGE }} + run: ./tools/renode/docker-test.sh "SIGN=RSA3072 WOLFBOOT_SMALL_STACK=1" + + - name: Renode Tests RSA4096 WOLFBOOT_SMALL_STACK=1 + working-directory: wolfboot + env: + DOCKER_IMAGE: ${{ env.WOLFBOOT_RENODE_IMAGE }} + run: ./tools/renode/docker-test.sh "SIGN=RSA4096 WOLFBOOT_SMALL_STACK=1" + + - name: Renode Tests RSAPSS2048 WOLFBOOT_SMALL_STACK=1 + working-directory: wolfboot + env: + DOCKER_IMAGE: ${{ env.WOLFBOOT_RENODE_IMAGE }} + run: ./tools/renode/docker-test.sh "SIGN=RSAPSS2048 WOLFBOOT_SMALL_STACK=1" + + - name: Renode Tests RSAPSS3072 WOLFBOOT_SMALL_STACK=1 + working-directory: wolfboot + env: + DOCKER_IMAGE: ${{ env.WOLFBOOT_RENODE_IMAGE }} + run: ./tools/renode/docker-test.sh "SIGN=RSAPSS3072 WOLFBOOT_SMALL_STACK=1" + + - name: Renode Tests RSAPSS4096 WOLFBOOT_SMALL_STACK=1 + working-directory: wolfboot + env: + DOCKER_IMAGE: ${{ env.WOLFBOOT_RENODE_IMAGE }} + run: ./tools/renode/docker-test.sh "SIGN=RSAPSS4096 WOLFBOOT_SMALL_STACK=1" + + - name: Upload Output Dir + if: always() + uses: actions/upload-artifact@v4 + with: + name: renode-multimem-smallstack-results + path: wolfboot/test_results/ + + 
renode_multimem_smallstack_fastmath: + name: renode-multimem-smallstack-fastmath + if: github.repository_owner == 'wolfssl' + runs-on: ubuntu-22.04 + timeout-minutes: 45 + permissions: + contents: read + packages: read + + steps: + - name: Checkout wolfSSL + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + + - name: Clone wolfBoot and link tested wolfSSL + run: | + set -euxo pipefail + + git clone --depth 1 --branch "${WOLFBOOT_BRANCH}" "${WOLFBOOT_REPO}" wolfboot + rm -rf wolfboot/lib/wolfssl + ln -s "${GITHUB_WORKSPACE}" wolfboot/lib/wolfssl + test -L wolfboot/lib/wolfssl + test "$(realpath wolfboot/lib/wolfssl)" = "${GITHUB_WORKSPACE}" + + - name: Log in to GHCR + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Select config + working-directory: wolfboot + run: | + cp config/examples/nrf52840.config .config && make include/target.h + +##### SMALL STACK + FAST MATH tests (TFM-backed xmalloc sizing) + + - name: Renode Tests ECC256 SMALL_STACK SPMATH=0 + working-directory: wolfboot + env: + DOCKER_IMAGE: ${{ env.WOLFBOOT_RENODE_IMAGE }} + run: ./tools/renode/docker-test.sh "SIGN=ECC256 WOLFBOOT_SMALL_STACK=1 SPMATH=0" + + - name: Renode Tests ECC384 SMALL_STACK SPMATH=0 + working-directory: wolfboot + env: + DOCKER_IMAGE: ${{ env.WOLFBOOT_RENODE_IMAGE }} + run: ./tools/renode/docker-test.sh "SIGN=ECC384 WOLFBOOT_SMALL_STACK=1 SPMATH=0" + + - name: Renode Tests ECC521 SMALL_STACK SPMATH=0 + working-directory: wolfboot + env: + DOCKER_IMAGE: ${{ env.WOLFBOOT_RENODE_IMAGE }} + run: ./tools/renode/docker-test.sh "SIGN=ECC521 WOLFBOOT_SMALL_STACK=1 SPMATH=0" + + - name: Renode Tests RSA2048 SMALL_STACK SPMATH=0 + working-directory: wolfboot + env: + DOCKER_IMAGE: ${{ env.WOLFBOOT_RENODE_IMAGE }} + run: ./tools/renode/docker-test.sh "SIGN=RSA2048 WOLFBOOT_SMALL_STACK=1 SPMATH=0" + + - name: Renode Tests RSA3072 SMALL_STACK SPMATH=0 + working-directory: 
wolfboot + env: + DOCKER_IMAGE: ${{ env.WOLFBOOT_RENODE_IMAGE }} + run: ./tools/renode/docker-test.sh "SIGN=RSA3072 WOLFBOOT_SMALL_STACK=1 SPMATH=0" + + - name: Renode Tests RSA4096 SMALL_STACK SPMATH=0 + working-directory: wolfboot + env: + DOCKER_IMAGE: ${{ env.WOLFBOOT_RENODE_IMAGE }} + run: ./tools/renode/docker-test.sh "SIGN=RSA4096 WOLFBOOT_SMALL_STACK=1 SPMATH=0" + + - name: Renode Tests RSAPSS2048 SMALL_STACK SPMATH=0 + working-directory: wolfboot + env: + DOCKER_IMAGE: ${{ env.WOLFBOOT_RENODE_IMAGE }} + run: ./tools/renode/docker-test.sh "SIGN=RSAPSS2048 WOLFBOOT_SMALL_STACK=1 SPMATH=0" + + - name: Renode Tests RSAPSS3072 SMALL_STACK SPMATH=0 + working-directory: wolfboot + env: + DOCKER_IMAGE: ${{ env.WOLFBOOT_RENODE_IMAGE }} + run: ./tools/renode/docker-test.sh "SIGN=RSAPSS3072 WOLFBOOT_SMALL_STACK=1 SPMATH=0" + + - name: Renode Tests RSAPSS4096 SMALL_STACK SPMATH=0 + working-directory: wolfboot + env: + DOCKER_IMAGE: ${{ env.WOLFBOOT_RENODE_IMAGE }} + run: ./tools/renode/docker-test.sh "SIGN=RSAPSS4096 WOLFBOOT_SMALL_STACK=1 SPMATH=0" + + - name: Upload Output Dir + if: always() + uses: actions/upload-artifact@v4 + with: + name: renode-multimem-smallstack-fastmath-results + path: wolfboot/test_results/ + + renode_multimem_smallstack_noasm: + name: renode-multimem-smallstack-noasm + if: github.repository_owner == 'wolfssl' + runs-on: ubuntu-22.04 + timeout-minutes: 45 + permissions: + contents: read + packages: read + + steps: + - name: Checkout wolfSSL + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + + - name: Clone wolfBoot and link tested wolfSSL + run: | + set -euxo pipefail + + git clone --depth 1 --branch "${WOLFBOOT_BRANCH}" "${WOLFBOOT_REPO}" wolfboot + rm -rf wolfboot/lib/wolfssl + ln -s "${GITHUB_WORKSPACE}" wolfboot/lib/wolfssl + test -L wolfboot/lib/wolfssl + test "$(realpath wolfboot/lib/wolfssl)" = "${GITHUB_WORKSPACE}" + + - name: Log in to GHCR + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: 
${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Select config + working-directory: wolfboot + run: | + cp config/examples/nrf52840.config .config && make include/target.h + +##### SMALL STACK + NO_ASM tests (portable C path xmalloc sizing) + + - name: Renode Tests ECC256 SMALL_STACK NO_ASM=1 + working-directory: wolfboot + env: + DOCKER_IMAGE: ${{ env.WOLFBOOT_RENODE_IMAGE }} + run: ./tools/renode/docker-test.sh "SIGN=ECC256 WOLFBOOT_SMALL_STACK=1 NO_ASM=1" + + - name: Renode Tests ECC384 SMALL_STACK NO_ASM=1 + working-directory: wolfboot + env: + DOCKER_IMAGE: ${{ env.WOLFBOOT_RENODE_IMAGE }} + run: ./tools/renode/docker-test.sh "SIGN=ECC384 WOLFBOOT_SMALL_STACK=1 NO_ASM=1" + + - name: Renode Tests ECC521 SMALL_STACK NO_ASM=1 + working-directory: wolfboot + env: + DOCKER_IMAGE: ${{ env.WOLFBOOT_RENODE_IMAGE }} + run: ./tools/renode/docker-test.sh "SIGN=ECC521 WOLFBOOT_SMALL_STACK=1 NO_ASM=1" + + - name: Renode Tests RSA2048 SMALL_STACK NO_ASM=1 + working-directory: wolfboot + env: + DOCKER_IMAGE: ${{ env.WOLFBOOT_RENODE_IMAGE }} + run: ./tools/renode/docker-test.sh "SIGN=RSA2048 WOLFBOOT_SMALL_STACK=1 NO_ASM=1" + + - name: Renode Tests RSA3072 SMALL_STACK NO_ASM=1 + working-directory: wolfboot + env: + DOCKER_IMAGE: ${{ env.WOLFBOOT_RENODE_IMAGE }} + run: ./tools/renode/docker-test.sh "SIGN=RSA3072 WOLFBOOT_SMALL_STACK=1 NO_ASM=1" + + - name: Renode Tests RSA4096 SMALL_STACK NO_ASM=1 + working-directory: wolfboot + env: + DOCKER_IMAGE: ${{ env.WOLFBOOT_RENODE_IMAGE }} + run: ./tools/renode/docker-test.sh "SIGN=RSA4096 WOLFBOOT_SMALL_STACK=1 NO_ASM=1" + + - name: Renode Tests RSAPSS2048 SMALL_STACK NO_ASM=1 + working-directory: wolfboot + env: + DOCKER_IMAGE: ${{ env.WOLFBOOT_RENODE_IMAGE }} + run: ./tools/renode/docker-test.sh "SIGN=RSAPSS2048 WOLFBOOT_SMALL_STACK=1 NO_ASM=1" + + - name: Renode Tests RSAPSS3072 SMALL_STACK NO_ASM=1 + working-directory: wolfboot + env: + DOCKER_IMAGE: ${{ env.WOLFBOOT_RENODE_IMAGE }} + run: 
./tools/renode/docker-test.sh "SIGN=RSAPSS3072 WOLFBOOT_SMALL_STACK=1 NO_ASM=1" + + - name: Renode Tests RSAPSS4096 SMALL_STACK NO_ASM=1 + working-directory: wolfboot + env: + DOCKER_IMAGE: ${{ env.WOLFBOOT_RENODE_IMAGE }} + run: ./tools/renode/docker-test.sh "SIGN=RSAPSS4096 WOLFBOOT_SMALL_STACK=1 NO_ASM=1" + + - name: Upload Output Dir + if: always() + uses: actions/upload-artifact@v4 + with: + name: renode-multimem-smallstack-noasm-results + path: wolfboot/test_results/ From d633a76de3cc1ee967f2d9f52314f5a47c7ac29c Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Tue, 5 May 2026 14:18:39 +0200 Subject: [PATCH 8/9] Properly copy wolfssl as wolfBoot lib/ submodule --- .github/workflows/wolfboot-integration.yml | 90 +++++++++++++++++----- 1 file changed, 70 insertions(+), 20 deletions(-) diff --git a/.github/workflows/wolfboot-integration.yml b/.github/workflows/wolfboot-integration.yml index cececdd6522..57e306b229b 100644 --- a/.github/workflows/wolfboot-integration.yml +++ b/.github/workflows/wolfboot-integration.yml 
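Review bot: `docker/login-action@v3` and `actions/upload-artifact@v4` are referenced by floating major tags in all three new jobs while `actions/checkout` in the same step lists is pinned to a commit SHA with a version comment; the login action in particular receives `secrets.GITHUB_TOKEN`, so it should be pinned the same way, `uses: docker/login-action@<commit-sha> # v3` (placeholder SHA). The two-line `env:` / `DOCKER_IMAGE: ${{ env.WOLFBOOT_RENODE_IMAGE }}` block is repeated on every Renode step; a single job-level `env:` entry removes all of those, and a job-level `defaults: run: working-directory: wolfboot` would do the same for the repeated `working-directory`. These jobs run on `ubuntu-22.04` while keytools and host_smoke use `ubuntu-24.04`; if that is deliberate, a comment on `runs-on` keeps the divergence from being "fixed" by a later cleanup. The `#####` section comments sit at column 0 inside the steps list, which parses fine but reads as separators outside the structure; indenting them to step level keeps them attached to the steps they describe.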
@@ -27,15 +27,25 @@ jobs: - name: Checkout wolfSSL uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - - name: Clone wolfBoot and link tested wolfSSL + - name: Clone wolfBoot and stage tested wolfSSL run: | set -euxo pipefail git clone --depth 1 --branch "${WOLFBOOT_BRANCH}" "${WOLFBOOT_REPO}" wolfboot + + # Materialize the wolfSSL checkout as real files under + # wolfboot/lib/wolfssl. A symlink to ${GITHUB_WORKSPACE} would + # resolve on the host but breaks inside the Renode docker + # container, which only bind-mounts the wolfboot tree. Exclude + # the cloned wolfboot subdir (self-recursion) and .git/ (size). rm -rf wolfboot/lib/wolfssl - ln -s "${GITHUB_WORKSPACE}" wolfboot/lib/wolfssl - test -L wolfboot/lib/wolfssl - test "$(realpath wolfboot/lib/wolfssl)" = "${GITHUB_WORKSPACE}" + mkdir -p wolfboot/lib/wolfssl + rsync -a \ + --exclude=/wolfboot/ \ + --exclude=/.git/ \ + "${GITHUB_WORKSPACE}/" wolfboot/lib/wolfssl/ + test -f wolfboot/lib/wolfssl/wolfssl/wolfcrypt/settings.h + test -f wolfboot/lib/wolfssl/wolfcrypt/src/asn.c - name: Run wolfBoot keytools integration flow working-directory: wolfboot 
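Review bot: The staging block is now duplicated verbatim across this hunk and the two that follow (and, per the diffstat, two more beyond this excerpt), six-line comment included; a small script in this repository (a name such as `tools/ci/stage-wolfssl.sh` is illustrative) or a composite action called from each job would keep the rsync excludes and the two `test -f` sanity checks in one place. `rsync -a` preserves symlinks, so any symlink inside the wolfSSL checkout that points outside the tree would still dangle inside the container the comment describes; adding `--copy-unsafe-links`, or a `find wolfboot/lib/wolfssl -xtype l` check next to the `test -f` lines, would catch that before the build does. Excluding `/.git/` is sensible for size but means nothing under `lib/wolfssl` can derive a version from git; recording `git rev-parse HEAD` in the step log keeps the tested revision visible.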
@@ -118,15 +128,25 @@ jobs:
 - name: Checkout wolfSSL
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- - name: Clone wolfBoot and link tested wolfSSL
+ - name: Clone wolfBoot and stage tested wolfSSL
 run: |
 set -euxo pipefail
 git clone --depth 1 --branch "${WOLFBOOT_BRANCH}" "${WOLFBOOT_REPO}" wolfboot
+
+ # Materialize the wolfSSL checkout as real files under
+ # wolfboot/lib/wolfssl. A symlink to ${GITHUB_WORKSPACE} would
+ # resolve on the host but breaks inside the Renode docker
+ # container, which only bind-mounts the wolfboot tree. Exclude
+ # the cloned wolfboot subdir (self-recursion) and .git/ (size).
 rm -rf wolfboot/lib/wolfssl
- ln -s "${GITHUB_WORKSPACE}" wolfboot/lib/wolfssl
- test -L wolfboot/lib/wolfssl
- test "$(realpath wolfboot/lib/wolfssl)" = "${GITHUB_WORKSPACE}"
+ mkdir -p wolfboot/lib/wolfssl
+ rsync -a \
+ --exclude=/wolfboot/ \
+ --exclude=/.git/ \
+ "${GITHUB_WORKSPACE}/" wolfboot/lib/wolfssl/
+ test -f wolfboot/lib/wolfssl/wolfssl/wolfcrypt/settings.h
+ test -f wolfboot/lib/wolfssl/wolfcrypt/src/asn.c
 - name: Build and exercise host-side smoke test
 working-directory: wolfboot
@@ -186,15 +206,25 @@ jobs:
 - name: Checkout wolfSSL
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- - name: Clone wolfBoot and link tested wolfSSL
+ - name: Clone wolfBoot and stage tested wolfSSL
 run: |
 set -euxo pipefail
 git clone --depth 1 --branch "${WOLFBOOT_BRANCH}" "${WOLFBOOT_REPO}" wolfboot
+
+ # Materialize the wolfSSL checkout as real files under
+ # wolfboot/lib/wolfssl. A symlink to ${GITHUB_WORKSPACE} would
+ # resolve on the host but breaks inside the Renode docker
+ # container, which only bind-mounts the wolfboot tree. Exclude
+ # the cloned wolfboot subdir (self-recursion) and .git/ (size).
 rm -rf wolfboot/lib/wolfssl
- ln -s "${GITHUB_WORKSPACE}" wolfboot/lib/wolfssl
- test -L wolfboot/lib/wolfssl
- test "$(realpath wolfboot/lib/wolfssl)" = "${GITHUB_WORKSPACE}"
+ mkdir -p wolfboot/lib/wolfssl
+ rsync -a \
+ --exclude=/wolfboot/ \
+ --exclude=/.git/ \
+ "${GITHUB_WORKSPACE}/" wolfboot/lib/wolfssl/
+ test -f wolfboot/lib/wolfssl/wolfssl/wolfcrypt/settings.h
+ test -f wolfboot/lib/wolfssl/wolfcrypt/src/asn.c
 - name: Log in to GHCR
 uses: docker/login-action@v3
@@ -302,15 +332,25 @@ jobs:
 - name: Checkout wolfSSL
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- - name: Clone wolfBoot and link tested wolfSSL
+ - name: Clone wolfBoot and stage tested wolfSSL
 run: |
 set -euxo pipefail
 git clone --depth 1 --branch "${WOLFBOOT_BRANCH}" "${WOLFBOOT_REPO}" wolfboot
+
+ # Materialize the wolfSSL checkout as real files under
+ # wolfboot/lib/wolfssl. A symlink to ${GITHUB_WORKSPACE} would
+ # resolve on the host but breaks inside the Renode docker
+ # container, which only bind-mounts the wolfboot tree. Exclude
+ # the cloned wolfboot subdir (self-recursion) and .git/ (size).
 rm -rf wolfboot/lib/wolfssl
- ln -s "${GITHUB_WORKSPACE}" wolfboot/lib/wolfssl
- test -L wolfboot/lib/wolfssl
- test "$(realpath wolfboot/lib/wolfssl)" = "${GITHUB_WORKSPACE}"
+ mkdir -p wolfboot/lib/wolfssl
+ rsync -a \
+ --exclude=/wolfboot/ \
+ --exclude=/.git/ \
+ "${GITHUB_WORKSPACE}/" wolfboot/lib/wolfssl/
+ test -f wolfboot/lib/wolfssl/wolfssl/wolfcrypt/settings.h
+ test -f wolfboot/lib/wolfssl/wolfcrypt/src/asn.c
 - name: Log in to GHCR
 uses: docker/login-action@v3
@@ -400,15 +440,25 @@ jobs:
 - name: Checkout wolfSSL
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- - name: Clone wolfBoot and link tested wolfSSL
+ - name: Clone wolfBoot and stage tested wolfSSL
 run: |
 set -euxo pipefail
 git clone --depth 1 --branch "${WOLFBOOT_BRANCH}" "${WOLFBOOT_REPO}" wolfboot
+
+ # Materialize the wolfSSL checkout as real files under
+ # wolfboot/lib/wolfssl. A symlink to ${GITHUB_WORKSPACE} would
+ # resolve on the host but breaks inside the Renode docker
+ # container, which only bind-mounts the wolfboot tree. Exclude
+ # the cloned wolfboot subdir (self-recursion) and .git/ (size).
 rm -rf wolfboot/lib/wolfssl
- ln -s "${GITHUB_WORKSPACE}" wolfboot/lib/wolfssl
- test -L wolfboot/lib/wolfssl
- test "$(realpath wolfboot/lib/wolfssl)" = "${GITHUB_WORKSPACE}"
+ mkdir -p wolfboot/lib/wolfssl
+ rsync -a \
+ --exclude=/wolfboot/ \
+ --exclude=/.git/ \
+ "${GITHUB_WORKSPACE}/" wolfboot/lib/wolfssl/
+ test -f wolfboot/lib/wolfssl/wolfssl/wolfcrypt/settings.h
+ test -f wolfboot/lib/wolfssl/wolfcrypt/src/asn.c
 - name: Log in to GHCR
 uses: docker/login-action@v3
From 59a0ec4a94af2e9dcbfa0b518b3615903bf594e1 Mon Sep 17 00:00:00 2001
From: Daniele Lacamera
Date: Tue, 5 May 2026 15:10:56 +0200
Subject: [PATCH 9/9] Correctly detect expected failures
---
 .github/workflows/wolfboot-integration.yml | 33 ++++++++++------------
 1 file changed, 15 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/wolfboot-integration.yml b/.github/workflows/wolfboot-integration.yml
index 57e306b229b..1a7fe9a0c62 100644
--- a/.github/workflows/wolfboot-integration.yml
+++ b/.github/workflows/wolfboot-integration.yml
@@ -163,34 +163,31 @@ jobs:
 ./tools/keytools/sign --ed25519 --sha256 test.bin wolfboot_signing_private_key.der 1
 make test-lib SIGN=ED25519 HASH=SHA256
- set +e
+
+ # test-lib (hal/library.c) always returns 0; success vs failure is
+ # signalled by stdout: "Firmware Valid" on the golden path,
+ # "Failure %d: Hdr %d, Hash %d, Sig %d" when verification rejects
+ # the image. Assert on output, not on exit status.
+ success_output=$(./test-lib test_v1_signed.bin 2>&1)
- success_status=$?
- set -e
 printf '%s\n' "$success_output"
- if [ "$success_status" -ne 0 ]; then
- echo "Expected success, but test-lib failed"
+ if ! printf '%s\n' "$success_output" | grep -qF "Firmware Valid"; then
+ echo "Expected golden-path success, but test-lib did not print \"Firmware Valid\""
 exit 1
 fi
- printf '%s\n' "$success_output" | grep -F "Firmware Valid" >/dev/null
 truncate -s -1 test_v1_signed.bin
 printf 'A' >> test_v1_signed.bin
- set +e
- output=$(./test-lib test_v1_signed.bin 2>&1)
- status=$?
- set -e
-
- printf '%s\n' "$output"
-
- if [ "$status" -eq 0 ]; then
- echo "Expected failure, but test-lib succeeded"
+ tamper_output=$(./test-lib test_v1_signed.bin 2>&1)
+ printf '%s\n' "$tamper_output"
+ if printf '%s\n' "$tamper_output" | grep -qF "Firmware Valid"; then
+ echo "Expected tamper rejection, but test-lib reported \"Firmware Valid\""
 exit 1
 fi
-
- if ! printf '%s\n' "$output" | grep -F "Failure" >/dev/null; then
- echo "test-lib failed as expected, but did not print the legacy \"Failure\" marker"
+ if ! printf '%s\n' "$tamper_output" | grep -qE "^Failure -?[0-9]+: Hdr [0-9]+, Hash [0-9]+, Sig [0-9]+"; then
+ echo "Expected tamper rejection marker (\"Failure N: Hdr X, Hash Y, Sig Z\"), but test-lib output did not contain it"
+ exit 1
 fi
 renode_multimem_smallstack:
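Review bot: The tamper-rejection regex in the last added `if`, `^Failure -?[0-9]+: Hdr [0-9]+, Hash [0-9]+, Sig [0-9]+`, permits a negative value only for the leading status, while the new comment documents all four fields merely as `%d`; if hal/library.c reports a stage as a negative wolfBoot error code rather than a 0/1 flag, a correctly rejected image would fail this check and the job would report a false regression. Allowing `-?` on every field, `grep -qE '^Failure -?[0-9]+: Hdr -?[0-9]+, Hash -?[0-9]+, Sig -?[0-9]+'`, matches the documented format without loosening the assertion. Also note that with the `set +e`/`set -e` pairs gone, `set -e` is presumably in force at the two command substitutions, so a non-zero exit from test-lib (e.g. a crash) aborts the step at the assignment before the captured output is printed; that still fails the job, which is the right outcome, but the diagnostic is lost. The enclosing `run:` step starts outside the hunk.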