wolfSSL · dgarske · Nov 25, 2025 · Nov 19, 2025 · Nov 19, 2025 · Nov 19, 2025
diff --git a/.github/workflows/test-build-cmake-dot-config.yml b/.github/workflows/test-build-cmake-dot-config.yml
@@ -0,0 +1,151 @@
+name: wolfboot CMake (.config)
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+jobs:
+  wolfboot_dot_config_test:
+    name: cmake .config test (${{ matrix.target }})
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+
+    strategy:
+      fail-fast: false
+      matrix:
+        target:
+          # These are exact file names from config/examples (including .config)
+          # - imx-rt1040.config # Disabled, requires NXP SDK
+          - sim.config
+          - stm32c0.config
+          - stm32f1.config
+          - stm32f4-small-blocks-uart-update.config
+          - stm32f7.config
+          - stm32g0.config
+          - stm32h5.config
+          - stm32h7.config
+          - stm32l0.config
+          - stm32l4-cube.config
+          - stm32l5.config
+          - stm32u5.config
+          - stm32wb.config
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: true
+
+      - name: Workaround for sources.list
+        run: |
+            # Replace sources
+
+            set -euxo pipefail
+
+            # Peek (what repos are active now)
+            apt-cache policy
+            grep -RInE '^(deb|Types|URIs)' /etc/apt || true
+
+            # Enable nullglob so *.list/*.sources that don't exist don't break sed
+            shopt -s nullglob
+
+            echo "Replace sources.list (legacy)"
+            sudo sed -i \
+              -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \
+              /etc/apt/sources.list || true
+
+            echo "Replace sources.list.d/*.list (legacy)"
+            for f in /etc/apt/sources.list.d/*.list; do
+              sudo sed -i \
+                -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \
+                "$f"
+            done
+
+            echo "Replace sources.list.d/*.sources (deb822)"
+            for f in /etc/apt/sources.list.d/*.sources; do
+              sudo sed -i \
+                -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \
+                -e "s|https\?://azure\.archive\.ubuntu\.com|http://mirror.arizona.edu|g" \
+                "$f"
+            done
+
+            echo "Fix /etc/apt/apt-mirrors.txt (used by URIs: mirror+file:...)"
+            if grep -qE '^[[:space:]]*https?://azure\.archive\.ubuntu\.com/ubuntu/?' /etc/apt/apt-mirrors.txt; then
+              # Replace azure with our mirror (idempotent)
+              sudo sed -i 's|https\?://azure\.archive\.ubuntu\.com/ubuntu/|http://mirror.arizona.edu/ubuntu/|g' /etc/apt/apt-mirrors.txt
+            fi
+
+            # Peek (verify changes)
+            grep -RIn "azure.archive.ubuntu.com" /etc/apt || true
+            grep -RInE '^(deb|Types|URIs)' /etc/apt || true
+            echo "--- apt-mirrors.txt ---"
+            cat /etc/apt/apt-mirrors.txt || true
+
+      - name: Install requirements
+        run: |
+            # Run system updates and install toolchain
+            sudo apt-get update
+            sudo apt-get install -y gcc-arm-none-eabi gcc-powerpc-linux-gnu cmake
+
+      - name: Run dot-config examples
+        run: |
+            # Sample .config cmake test
+
+            set -euo pipefail
+
+            TARGET="${{ matrix.target }}"
+            TARGET="${TARGET%.config}"
+            TARGET="${TARGET%%-*}"
+
+            BUILD_DIR="build-${TARGET}"
+            LOG_FILE="run-${TARGET}.log"
+            KEYWORD="Config mode: dot"
+
+            echo "Target: ${TARGET}"
+            echo "Build dir: ${BUILD_DIR}"
+            echo "Saving output to ${LOG_FILE}"
+
+            CONFIG_SRC="./config/examples/${{ matrix.target }}"
+
+            echo "Fetch ${TARGET} example .config (source: ${CONFIG_SRC})"
+            if [ ! -f "${CONFIG_SRC}" ]; then
+                echo "Missing config file: ${CONFIG_SRC}" >&2
+                exit 1
+            fi
+
+            cp "${CONFIG_SRC}" ./.config
+            ls  .config
+            cat .config
+            echo ""
+
+            echo "Clean"
+            rm -rf "./${BUILD_DIR}"
+
+            # Here we should see the .config file values read and displayed:
+            cmake -S . -B "${BUILD_DIR}" \
+              -DUSE_DOT_CONFIG=ON        \
+              -DWOLFBOOT_TARGET="${TARGET}" 2>&1 | tee "${LOG_FILE}"
+
+            # Config dot-config mode
+            if grep -q -- "${KEYWORD}" "${LOG_FILE}"; then
+                echo "Keyword found: ${KEYWORD}"
+            else
+                echo "Keyword not found: ${KEYWORD}" >&2
+                exit 1
+            fi
+
+            # First: build keygen explicitly and inspect it
+            echo "Building keygen_build for ${TARGET}"
+            cmake --build "${BUILD_DIR}" --parallel 1 --target keygen_build
+
+            if [ -f "${BUILD_DIR}/keygen" ]; then
+                echo "Inspecting keygen:"
+                ls -l "${BUILD_DIR}/keygen"
+                file "${BUILD_DIR}/keygen" || true
+            else
+                echo "keygen not found at ${BUILD_DIR}/keygen"
+            fi
+
+            # Now run the normal build
+            echo "Running full build"
+            cmake --build "${BUILD_DIR}" --parallel 8
diff --git a/.github/workflows/test-build-cmake-mac.yml b/.github/workflows/test-build-cmake-mac.yml
@@ -0,0 +1,109 @@
+name: WolfBoot CMake Build (macOS)
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ "*" ]
+
+jobs:
+  macos-cmake:
+    name: Build on macOS (CMake + Ninja)
+    runs-on: macos-14
+    timeout-minutes: 20
+
+    strategy:
+      fail-fast: false
+      matrix:
+        target:
+          # - imx-rt # Disabled, requires NXP SDK
+          - stm32c0
+          - stm32f1
+          - stm32f4
+          - stm32f7
+          - stm32g0
+          - stm32h5
+          - stm32h7
+          - stm32l0
+          - stm32l4
+          - stm32l5
+          - stm32u5
+          - stm32wb
+
+    env:
+      HOMEBREW_NO_AUTO_UPDATE: "1"    # avoid updating taps during install
+      HOMEBREW_NO_ANALYTICS: "1"
+      HOMEBREW_CURL_RETRIES: "6"      # ask curl inside brew to retry
+
+    steps:
+      - name: Checkout (with submodules)
+        uses: actions/checkout@v4
+        with:
+          submodules: true
+
+      - name: Cache Homebrew bottles # downloads (so retries don't redownload)
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/Library/Caches/Homebrew
+            /Users/runner/Library/Caches/Homebrew
+          key: homebrew-${{ runner.os }}-mac14-cmake-gcc-newlib
+          restore-keys: |
+            homebrew-${{ runner.os }}-
+
+      - name: Install toolchain and build tools
+        run: |
+          # Install with step throttle to hopefully avoid stuck jobs
+
+          set -euxo pipefail
+
+          throttle_delay=5
+          brew update
+
+          sleep "$throttle_delay"
+          brew install --force-bottle cmake
+
+          sleep "$throttle_delay"
+          brew install --force-bottle ninja
+
+          # Use cask to include headers such as <stdlib.h>
+          sleep "$throttle_delay"
+          brew install --cask gcc-arm-embedded
+
+      - name: Probe ARM GCC (paths + smoke build)
+        run: |
+          set -euxo pipefail
+
+          which arm-none-eabi-gcc
+          arm-none-eabi-gcc --version
+
+          echo "=== GCC search dirs ==="
+          arm-none-eabi-gcc -print-search-dirs
+
+          echo "=== GCC verbose include paths (preprocess only) ==="
+          # This prints the built-in include search order; harmless with empty stdin.
+          arm-none-eabi-gcc -x c -E -v - < /dev/null || true
+
+          echo "=== Compile a freestanding object (no stdlib headers needed) ==="
+          cat > hello.c <<'EOF'
+          int main(void) { return 0; }
+          EOF
+          arm-none-eabi-gcc -mcpu=cortex-m4 -mthumb -ffreestanding -nostdlib -c hello.c -o hello.o
+          ls -l hello.o
+
+      - name: Configure (STM32L4)
+        run: |
+          echo "Disabled, missing params"
+          # rm -rf build
+          # cmake -B build -G Ninja         \
+          #   -DWOLFBOOT_CONFIG_MODE=preset \
+          #   -DWOLFBOOT_TARGET=stm32l4     \
+          #   -DBUILD_TEST_APPS=ON          \
+          #   -DCMAKE_TOOLCHAIN_FILE=cmake/toolchain_arm-none-eabi.cmake
+
+      - name: Cmake Configure & Build Preset (${{ matrix.target }})
+        run: |
+          rm -rf ./build-${{ matrix.target }}
+
+          cmake --preset ${{ matrix.target }}
+          cmake --build --preset ${{ matrix.target }}
diff --git a/.github/workflows/test-build-cmake-presets.yml b/.github/workflows/test-build-cmake-presets.yml
@@ -0,0 +1,113 @@
+name: WolfBoot CMake Presets Build
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ "*" ]
+
+permissions:
+  contents: read
+
+jobs:
+  ubuntu-cmake:
+    name: Build on Ubuntu
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    defaults:
+      run:
+        shell: bash
+
+    strategy:
+      fail-fast: false
+      matrix:
+        target:
+          # - sim
+          # - imx-rt # Disabled, requires NXP SDK
+          - stm32c0
+          - stm32f1
+          - stm32f4
+          - stm32f7
+          - stm32g0
+          - stm32h5
+          - stm32h7
+          - stm32l0
+          - stm32l4
+          - stm32l5
+          - stm32u5
+          - stm32wb
+
+        include:
+          # Optional per-target cache variables you might want to pass later.
+          # Keep empty for now to avoid guessing addresses.
+          - target: stm32l4
+            extra_cache: ""
+          - target: stm32h7
+            extra_cache: ""
+          - target: stm32g0
+            extra_cache: ""
+
+    steps:
+      - name: Checkout (with submodules)
+        uses: actions/checkout@v4
+        with:
+          submodules: true
+
+      # Lock down network/runner
+      # See https://github.com/step-security/harden-runner/releases
+      # Currently only supported on Ubuntu
+
+      # ARM GCC toolchain (adds the bin dir to PATH)
+      - name: Set up ARM none-eabi GCC 14.x
+        if: matrix.target != 'sim'
+        uses: carlosperate/arm-none-eabi-gcc-action@v1
+        with:
+          release: "14.2.Rel1" # <-- use 'release', not 'version'
+          path-env-var: ARM_NONE_EABI_GCC_PATH
+
+
+      - name: List all environment variables
+        run: |
+          # Show environment settings
+
+          echo "All environment settings"
+          env | sort
+
+      - name: List Presets
+        run: |
+          # Check available presets in CMakePresets.json
+
+          cmake -S . -B build-list --list-presets=configure
+
+      - name: Configure Preset "${{ matrix.target }}"
+        run: |
+          # cmake runs in git bash
+
+          cmake --preset "${{ matrix.target }}"
+          echo "Configured: ${{ matrix.target }}"
+
+      - name: Build "${{ matrix.target }}"
+        run: |
+          # cmake runs in git bash
+          # BUILD_DIR="build-${{ matrix.target }}"
+          cmake --build "build-${{ matrix.target }}" --parallel
+
+      # Optional: show interesting artifacts
+      - name: List build outputs
+        if: always()
+        run: |
+          BUILD_DIR="build-${{ matrix.target }}"
+          echo "=== Artifacts in $BUILD_DIR ==="
+          find "$BUILD_DIR" -maxdepth 3 -type f \( -name "*.elf" -o -name "*.bin" -o -name "*.hex" -o -name "bin-assemble" -o -name "keystore" \) -print || true
+
+      # Upload binaries if present (non-fatal if none)
+      - name: Upload firmware/artifacts
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: wolfboot-${{ matrix.target }}
+          path: |
+            build-${{ matrix.target }}/**/*.elf
+            build-${{ matrix.target }}/**/*.bin
+            build-${{ matrix.target }}/**/*.hex
+          if-no-files-found: warn