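# Builds wolfBoot's test-lib target across the sign/hash/math matrix inside the
# CI simulator container, then checks that a correctly signed image verifies
# and that a corrupted one is rejected.
name: wolfBoot as Library test

on:
  push:
    branches: [ 'master', 'main', 'release/**' ]
  pull_request:
    branches: [ '*' ]

# Least privilege for the job token: this workflow only reads the repository
# (checkout) and never writes to contents, packages or releases.
permissions:
  contents: read

jobs:
  test-lib:
    runs-on: ubuntu-latest
    container:
      # NOTE(review): a tag is mutable; pinning by digest (image@sha256:<digest>)
      # would keep the toolchain that builds and verifies fixed across runs.
      image: ghcr.io/wolfssl/wolfboot-ci-sim:v1.0
    timeout-minutes: 15
    strategy:
      fail-fast: false
      # Limit concurrent jobs for scheduling problem on GitHub's hosted runner pool.
      max-parallel: 12
      matrix:
        # Each entry is passed verbatim to make as extra VAR=value words.
        math:
          - "SPMATH=1 WOLFBOOT_SMALL_STACK=0"
          - "SPMATH=1 WOLFBOOT_SMALL_STACK=1"
          - "SPMATHALL=1 WOLFBOOT_SMALL_STACK=0"
          - "SPMATHALL=1 WOLFBOOT_SMALL_STACK=1"
          - "SPMATH=0 SPMATHALL=0 WOLFBOOT_SMALL_STACK=0"
          - "SPMATH=0 SPMATHALL=0 WOLFBOOT_SMALL_STACK=1"
        asym: [ed25519, ecc256, ecc384, ecc521, rsa2048, rsa3072, rsa4096, ed448]
        hash: [sha256, sha384, sha3]
    steps:
      # NOTE(review): the action is referenced by major tag; pinning third-party
      # actions to a full commit SHA is the usual supply-chain hardening.
      - uses: actions/checkout@v4
        with:
          clean: true
          submodules: true
      - name: Trust workspace
        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
      - name: make clean
        run: |
          make keysclean && make -C tools/keytools clean && rm -f include/target.h
      - name: Build test-lib
        # `shell` is a step key, not an environment variable. It used to sit
        # under `env:`, where it only created an unused $shell variable; as a
        # step key it runs the script with bash, which the `${ASYM^^}`
        # upper-casing below requires.
        shell: bash
        env:
          ASYM: ${{ matrix.asym }}
          HASH: ${{ matrix.hash }}
          MATH: ${{ matrix.math }}
        run: |
          # Test various library parameters
          export MAKE_SIGN="${ASYM^^}"
          export MAKE_HASH="${HASH^^}"
          # Read the matrix value from the environment instead of interpolating a
          # workflow expression into the script body: same value, and the script
          # stays free of expression injection should the matrix become dynamic.
          export MAKE_MATH="$MATH" # e.g., "SPMATH=1 WOLFBOOT_SMALL_STACK=1"
          export PRIVATE_KEY="wolfboot_signing_private_key.der"
          echo "This MAKE_SIGN=$MAKE_SIGN"
          echo "This MAKE_HASH=$MAKE_HASH"
          echo "This MAKE_MATH=$MAKE_MATH"
          # Sample build
          build_once() {
            # Build test-lib with the matrix settings; any arguments are passed
            # through as extra make variables (e.g. WOLFBOOT_HUGE_STACK=1).
            # ${MATH} is intentionally unquoted: it holds several VAR=value words.
            echo "Build test-lib..."
            echo "make -j1 test-lib SIGN=${MAKE_SIGN} HASH=${MAKE_HASH} ${MATH} \"$@\""
            make -j1 test-lib SIGN=${MAKE_SIGN} HASH=${MAKE_HASH} ${MATH} "$@"
          }
          set -euo pipefail
          # Get the reference config
          cp config/examples/library.config .config
          # peek: warn (do not fail) if stale generated files or keys survived
          # the clean step, since they would mask what this run actually built.
          echo "Existing files?"
          if [ -f "src/keystore.c" ]; then
            echo "WARNING: Found unexpected src/keystore.c"
          fi
          if [ -f "include/target.h" ]; then
            echo "WARNING: Found unexpected include/target.h"
          fi
          if [ -f "keystore.der" ]; then
            echo "WARNING: Found unexpected keystore.der"
          fi
          if [ -f "wolfboot_signing_private_key.der" ]; then
            echo "WARNING: Found unexpected wolfboot_signing_private_key.der"
          fi
          if [ -f "./tools/keytools/keystore.der" ]; then
            echo "WARNING: Found unexpected ./tools/keytools/keystore.der"
          fi
          if [ -f "./tools/keytools/wolfboot_signing_private_key.der" ]; then
            echo "WARNING: Found unexpected ./tools/keytools/wolfboot_signing_private_key.der"
          fi
          # Keytools
          echo ""
          echo "make -j1 keytools SIGN=\"${MAKE_SIGN}\" HASH=\"${MAKE_HASH}\" $MATH"
          make -j1 keytools SIGN="${MAKE_SIGN}" HASH="${MAKE_HASH}" $MATH
          # Generate keys: a throw-away signing key for this run only
          echo ""
          echo "./tools/keytools/keygen --${ASYM} -g wolfboot_signing_private_key.der"
          ./tools/keytools/keygen --${ASYM} -g wolfboot_signing_private_key.der
          # Force fresh files
          # peek: informational only. The private key is expected to exist now
          # (keygen just wrote it); nothing in this block fails the job.
          echo "Existing files?"
          if [ -f "src/keystore.c" ]; then
            echo "Found unexpected src/keystore.c"
          fi
          if [ -f "include/target.h" ]; then
            echo "Found unexpected include/target.h"
          fi
          if [ -f "keystore.der" ]; then
            echo "Found unexpected keystore.der"
          fi
          if [ -f "wolfboot_signing_private_key.der" ]; then
            echo "Found unexpected wolfboot_signing_private_key.der"
          fi
          # Sign
          echo ""
          echo "Test" > test.bin
          echo "Sign test.bin"
          echo "./tools/keytools/sign --${ASYM} --${HASH} test.bin wolfboot_signing_private_key.der 1"
          ./tools/keytools/sign --${ASYM} --${HASH} test.bin wolfboot_signing_private_key.der 1
          # First attempt
          if build_once >build.out 2>build.err; then
            echo "Success on first attempt, WOLFBOOT_HUGE_STACK not applied."
            cat build.out
            cat build.err
            exit 0
          fi
          # If it failed due to the TFM huge stack guard, retry with the flag
          if grep -Fq 'If this is OK, please compile with WOLFBOOT_HUGE_STACK=1' build.err; then
            echo "Retrying with WOLFBOOT_HUGE_STACK=1 due to stack requirement error."
            # Always print the entire message
            grep -Fn 'If this is OK, please compile with WOLFBOOT_HUGE_STACK=1' build.err || true
            # Try again with huge stack allowed; errexit fails the step if this fails too
            build_once WOLFBOOT_HUGE_STACK=1
          else
            echo "Build failed for another reason:"
            cat build.out
            cat build.err
            exit 1
          fi
      - name: Run test-lib
        run: |
          # Check test_v1_signed.bin: the plain run must exit 0 (errexit), and the
          # verifier must report the image as valid.
          echo "./test-lib test_v1_signed.bin"
          ./test-lib test_v1_signed.bin
          ./test-lib test_v1_signed.bin 2>&1 | grep "Firmware Valid"
      - name: Run test-lib (expect failure)
        run: |
          # Corrupt signed binary: flip the last byte so the signature no longer matches
          truncate -s -1 test_v1_signed.bin
          printf "A" >> test_v1_signed.bin
          # Run once, capture output and status (temporarily disable errexit)
          set +e
          output=$(./test-lib test_v1_signed.bin 2>&1)
          status=$?
          set -e
          echo "$output"
          # TODO hal/library.c does not currently return an error code during failure
          # Test only looks for the word "Failure"
          # See https://github.com/wolfSSL/wolfBoot/pull/625
          # If the tool printed "Failure", treat it as a failure regardless of exit code
          if echo "$output" | grep -F "Failure" >/dev/null; then
            status=1
          fi
          # Must have failed (non-zero exit). Because of the override above this
          # branch is only reachable when "Failure" was NOT printed and the tool
          # still exited 0.
          if [ "$status" -eq 0 ]; then
            echo "Expected failure, but exit code was 0"
            exit 1
          fi
          # Must include the expected Failure message
          if ! echo "$output" | grep -F "Failure" >/dev/null; then
            echo "Expected 'Failure' not found in output"
            exit 1
          fi
          echo "Got expected non-zero exit and 'Failure' message."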