Skip to content
Back to pull request #625

Improved image, keygen, sign, test lib messages. Polish #330

Sign in to view logs

Improved image, keygen, sign, test lib messages. Polish

Improved image, keygen, sign, test lib messages. Polish #330

Workflow file for this run

.github/workflows/test-library.yml at 622d9fb
name: wolfBoot as Library test
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
jobs:
test-lib:
# If jobs cancel, consider pinning to ubuntu-24.04
# The ubuntu-latest alias can point to different images during migrations (and sometimes be extra busy),
# while ubuntu-24.04 always targets the 24.04 pool
runs-on: ubuntu-latest
# The timeout is run time after a runner starts, not time in queue
timeout-minutes: 15
strategy:
fail-fast: false
# Limit concurrent jobs for scheduling problem on GitHub's hosted runner pool.
max-parallel: 10
matrix:
math:
- "SPMATH=1 WOLFBOOT_SMALL_STACK=0"
- "SPMATH=1 WOLFBOOT_SMALL_STACK=1"
- "SPMATHALL=1 WOLFBOOT_SMALL_STACK=0"
- "SPMATHALL=1 WOLFBOOT_SMALL_STACK=1"
- "SPMATH=0 SPMATHALL=0 WOLFBOOT_SMALL_STACK=0"
- "SPMATH=0 SPMATHALL=0 WOLFBOOT_SMALL_STACK=1"
asym: [ed25519, ecc256, ecc384, ecc521, rsa2048, rsa3072, rsa4096, ed448]
hash: [sha256, sha384, sha3] # --sha256 for commandline, SHA256 for make
# See https://github.com/wolfSSL/wolfBoot/issues/614 regarding exclusions:
exclude:
- math: "SPMATH=1 WOLFBOOT_SMALL_STACK=1"
- math: "SPMATHALL=1 WOLFBOOT_SMALL_STACK=1"
steps:
- uses: actions/checkout@v4
with:
clean: true
submodules: true
- name: dist clean
run: |
# Ensure parallel build did not leave behind any debris
make distclean
- name: Build test-lib
env:
shell: bash
ASYM: ${{ matrix.asym }} # MAKE_SIGN in upper case
HASH: ${{ matrix.hash }}
MATH: ${{ matrix.math }}
run: |
# Test various library parameters
export MAKE_SIGN="${ASYM^^}"
export MAKE_HASH="${HASH^^}"
export MAKE_MATH='${{ matrix.math }}' # e.g., "SPMATH=1 WOLFBOOT_SMALL_STACK=1"
export PRIVATE_KEY="wolfboot_signing_private_key.der"
echo "This MAKE_SIGN=$MAKE_SIGN"
echo "This MAKE_HASH=$MAKE_HASH"
echo "This MAKE_MATH=$MAKE_MATH"
# Sample build
build_once() {
# Convert asym and hash to upper case, optionally add additional param
echo "Build test-lib..."
echo "make -j1 test-lib SIGN=${MAKE_SIGN} HASH=${MAKE_HASH} ${MATH} \"$@\""
make -j1 test-lib SIGN=${MAKE_SIGN} HASH=${MAKE_HASH} ${MATH} "$@"
}
set -euo pipefail
# Get the reference config
cp config/examples/library.config .config
# peek
echo "Existing files?"
if [ -f "src/keystore.c" ]; then
echo "WARNING: Found unexpected src/keystore.c"
fi
if [ -f "include/target.h" ]; then
echo "WARNING: Found unexpected include/target.h"
fi
if [ -f "keystore.der" ]; then
echo "WARNING: Found unexpected keystore.der"
fi
if [ -f "wolfboot_signing_private_key.der" ]; then
echo "WARNING: Found unexpected wolfboot_signing_private_key.der"
fi
if [ -f "./tools/keytools/keystore.der" ]; then
echo "WARNING: Found unexpected ./tools/keytools/keystore.der"
fi
if [ -f "./tools/keytools/wolfboot_signing_private_key.der" ]; then
echo "WARNING: Found unexpected ./tools/keytools/wolfboot_signing_private_key.der"
fi
# Keytools
echo ""
echo "make -j1 keytools SIGN=\"${MAKE_SIGN}\" HASH=\"${MAKE_HASH}\" $MATH"
make -j1 keytools SIGN="${MAKE_SIGN}" HASH="${MAKE_HASH}" $MATH
# Generate keys
echo ""
echo "./tools/keytools/keygen --${ASYM} -g wolfboot_signing_private_key.der"
./tools/keytools/keygen --${ASYM} -g wolfboot_signing_private_key.der
# Force fresh files
# peek
echo "Existing files?"
if [ -f "src/keystore.c" ]; then
echo "Found unexpected src/keystore.c"
fi
if [ -f "include/target.h" ]; then
echo "Found unexpected include/target.h"
fi
if [ -f "keystore.der" ]; then
echo "Found unexpected keystore.der"
fi
if [ -f "wolfboot_signing_private_key.der" ]; then
echo "Found unexpected wolfboot_signing_private_key.der"
fi
# Sign
echo ""
echo "Test" > test.bin
echo "Sign test.bin"
echo "./tools/keytools/sign --${ASYM} --${HASH} test.bin wolfboot_signing_private_key.der 1"
./tools/keytools/sign --${ASYM} --${HASH} test.bin wolfboot_signing_private_key.der 1
# First attempt
if build_once >build.out 2>build.err; then
echo "Success on first attempt, WOLFBOOT_HUGE_STACK not applied."
cat build.out
cat build.err
exit 0
fi
# If it failed due to the TFM huge stack guard, retry with the flag
if grep -Fq 'If this is OK, please compile with WOLFBOOT_HUGE_STACK=1' build.err; then
echo "Retrying with WOLFBOOT_HUGE_STACK=1 due to stack requirement error."
# Always print the entire message
grep -Fn 'If this is OK, please compile with WOLFBOOT_HUGE_STACK=1' build.err || true
# Try again with huge stack allowed
build_once WOLFBOOT_HUGE_STACK=1
else
echo "Build failed for another reason:"
cat build.out
cat build.err
exit 1
fi
- name: Run test-lib
run: |
# Check test_v1_signed.bin
echo "./test-lib test_v1_signed.bin"
./test-lib test_v1_signed.bin
./test-lib test_v1_signed.bin 2>&1 | grep "Firmware Valid"
- name: Run test-lib (expect failure)
run: |
# Corrupt signed binary
truncate -s -1 test_v1_signed.bin
echo "A" >> test_v1_signed.bin
# Run once, capture output and status
set +e
output=$(./test-lib test_v1_signed.bin 2>&1)
status=$?
set -e
echo "$output"
# Must have failed (non-zero exit)
if [ $status -eq 0 ]; then
echo "Expected failure, but exit code was 0"
exit 1
fi
# Must include the expected Failure message
echo "$output" | grep -F "Failure" >/dev/null || {
echo "Expected 'Failure' not found in output"
exit 1
}
echo "Got expected non-zero exit and 'Failure' message."