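name: wolfPKCS11 Storage Format Upgrade Test (TPM)

on:
  pull_request:
    branches: [ '*' ]

# Least privilege for GITHUB_TOKEN: every step only reads the repository
# (checkout), uses the Actions cache, or uploads an artifact; nothing here
# writes back to GitHub, so the token does not need anything beyond read.
permissions:
  contents: read

env:
  # wolfSSL is the only third-party dependency pinned to a fixed ref here;
  # the value is also part of the cache key below.
  WOLFSSL_VERSION: v5.8.0-stable

jobs:
  storage-upgrade-test-tpm:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Each base ref is built from its own checkout and used to prepare
        # TPM-backed storage that the PR build must then be able to read.
        base-ref:
          - name: master
            ref: master
            branch-dir: master-branch
          - name: v1.3.0
            ref: v1.3.0-stable
            branch-dir: v1.3.0-stable-branch
    steps:
      # Checkout the PR branch
      # NOTE(review): all actions below are pinned by major tag (@v4); pinning
      # to a full commit SHA is the stricter supply-chain option if wanted.
      - name: Checkout PR branch
        uses: actions/checkout@v4
        with:
          path: pr-branch

      # Checkout base branch/tag separately
      - name: Checkout ${{ matrix.base-ref.name }} branch
        uses: actions/checkout@v4
        with:
          ref: ${{ matrix.base-ref.ref }}
          path: ${{ matrix.base-ref.branch-dir }}

      - name: Cache wolfSSL
        id: cache-wolfssl
        uses: actions/cache@v4
        with:
          path: wolfssl
          key: wolfssl-${{ env.WOLFSSL_VERSION }}-tpm-upgrade

      # Setup wolfssl (required dependency)
      - name: Checkout wolfssl
        if: steps.cache-wolfssl.outputs.cache-hit != 'true'
        uses: actions/checkout@v4
        with:
          repository: wolfssl/wolfssl
          path: wolfssl
          ref: ${{ env.WOLFSSL_VERSION }}

      - name: Build wolfssl
        if: steps.cache-wolfssl.outputs.cache-hit != 'true'
        working-directory: ./wolfssl
        run: |
          ./autogen.sh
          ./configure --enable-md5 --enable-cryptocb --enable-aescfb --enable-rsapss --enable-keygen --enable-pwdbased --enable-scrypt \
            C_EXTRA_FLAGS="-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT"
          make

      # Runs on a cache hit too: the cached tree is only the build output,
      # the system install still has to happen on every fresh runner.
      - name: Install wolfssl
        working-directory: ./wolfssl
        run: |
          sudo make install
          sudo ldconfig

      # Setup IBM Software TPM simulator
      # NOTE(review): cloned at the default-branch HEAD, unlike wolfSSL which
      # is pinned via WOLFSSL_VERSION; an upstream change can alter this job's
      # result. Consider pinning to a release tag or commit.
      # The fixed `sleep 2` is a best-effort wait for tpm_server to start
      # listening; there is no readiness check.
      - name: Setup IBM Software TPM
        run: |
          git clone https://github.com/kgoldman/ibmswtpm2.git
          cd ibmswtpm2/src
          make
          ./tpm_server &
          sleep 2
          cd ../..

      # Build and install wolfTPM (required for TPM operations)
      # NOTE(review): same as above -- unpinned clone of the default branch.
      - name: Build and install wolfTPM
        run: |
          git clone https://github.com/wolfSSL/wolftpm.git
          cd wolftpm
          ./autogen.sh
          ./configure --enable-swtpm --enable-debug
          make -j$(nproc)
          sudo make install
          sudo ldconfig
          cd ..

      # The helper binary is built once from the PR branch and then run
      # against both the base checkout (--prepare) and the PR build (--verify).
      - name: Configure PR branch and build storage upgrade helper
        working-directory: ./pr-branch
        run: |
          echo "=== Configuring PR branch with TPM support for helper build ==="
          ./autogen.sh
          ./configure --enable-singlethreaded --enable-wolftpm --disable-dh C_EXTRA_FLAGS="-DWOLFPKCS11_TPM_STORE"
          make tests/storage_upgrade_tpm_test

      # Phase 1: Build and test base branch/tag with TPM
      - name: Build wolfPKCS11 ${{ matrix.base-ref.name }} with TPM
        working-directory: ./${{ matrix.base-ref.branch-dir }}
        run: |
          echo "=== Building wolfPKCS11 ${{ matrix.base-ref.name }} branch with TPM support ==="
          ./autogen.sh
          ./configure --enable-singlethreaded --enable-wolftpm --disable-dh C_EXTRA_FLAGS="-DWOLFPKCS11_TPM_STORE"
          make

      - name: Run storage upgrade preparation on ${{ matrix.base-ref.name }}
        working-directory: ./${{ matrix.base-ref.branch-dir }}
        run: |
          set -e
          echo "=== Preparing TPM storage with ${{ matrix.base-ref.name }} branch ==="
          ../pr-branch/tests/storage_upgrade_tpm_test --prepare
          echo "=== Storage prepared using ${{ matrix.base-ref.name }} branch ==="

      # Phase 2: Build PR branch with TPM and copy storage files from base
      - name: Build wolfPKCS11 PR branch with TPM
        working-directory: ./pr-branch
        run: |
          echo "=== Building wolfPKCS11 PR branch with TPM support ==="
          make

      - name: Test TPM storage format compatibility (${{ matrix.base-ref.name }} → PR)
        working-directory: ./pr-branch
        run: |
          echo "=== Testing TPM storage format compatibility with PR branch ==="
          echo "This tests that the PR can read TPM storage files created by ${{ matrix.base-ref.name }} branch"
          ./tests/storage_upgrade_tpm_test --verify
          echo "=== TPM storage format upgrade test (${{ matrix.base-ref.name }} → PR) completed successfully ==="

      # Capture logs on failure with TPM-specific information
      - name: Upload TPM failure logs
        if: failure() || cancelled()
        uses: actions/upload-artifact@v4
        with:
          name: tpm-storage-upgrade-test-failure-logs-${{ matrix.base-ref.name }}
          path: |
            pr-branch/test-suite.log
            pr-branch/config.log
            ${{ matrix.base-ref.branch-dir }}/test-suite.log
            ${{ matrix.base-ref.branch-dir }}/config.log
          retention-days: 5

      # Clean up TPM simulator on exit
      - name: Cleanup TPM simulator
        if: always()
        run: |
          echo "=== Cleaning up TPM simulator ==="
          pkill -f tpm_server || echo "TPM server was not running"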