sync with upstream to resolve conflict

Author: gojimmypi

.github/workflows/test-configs.yml

@@ -320,6 +320,12 @@ jobs:
       arch: arm
       config-file: ./config/examples/stm32h5-tz.config
 
+  stm32h5_tz_dualbank_test:
+    uses: ./.github/workflows/test-build.yml
+    with:
+      arch: arm
+      config-file: ./config/examples/stm32h5-tz-dualbank.config
+
   stm32h5_tz_dualbank_otp_test:
     uses: ./.github/workflows/test-build.yml
     with:

.github/workflows/test-filesystem.yml

@@ -0,0 +1,46 @@
+name: Test Filesystem
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+jobs:
+  build-lib-fs-example:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          submodules: true
+
+      - name: Install build dependencies
+        run: sudo apt-get update && sudo apt-get install -y build-essential
+
+      - name: Set simulation config and build signed boot partition
+        run: |
+          cp config/examples/sim.config .config
+          make clean
+          make
+
+      - name: Check for internal_flash.dd
+        run: |
+          if [ ! -f internal_flash.dd ]; then
+            echo "Error: internal_flash.dd not found. Build may have failed."
+            exit 1
+          fi
+
+      - name: Switch to library_fs config
+        run: cp config/examples/library_fs.config .config
+
+      - name: Clean and build lib-fs
+        run: |
+          make clean
+          make lib-fs
+
+      - name: Mark BOOT partition as SUCCESS
+        run: ./lib-fs success
+
+      - name: Verify BOOT partition integrity and authenticity
+        run: ./lib-fs verify-boot

.github/workflows/test-library.yml

@@ -8,20 +8,36 @@ on:
 
 jobs:
   test-lib:
+    # If jobs cancel, consider pinning to ubuntu-24.04
+    # The ubuntu-latest alias can point to different images during migrations (and sometimes be extra busy),
+    # while ubuntu-24.04 always targets the 24.04 pool
     runs-on: ubuntu-latest
+
+    # The timeout is run time after a runner starts, not time in queue
     timeout-minutes: 15
 
     strategy:
       fail-fast: false
+
+      # Limit concurrent jobs for scheduling problem on GitHub's hosted runner pool.
+      max-parallel: 12
+
       matrix:
-        math: [SPMATH=1 WOLFBOOT_SMALL_STACK=0,
-               SPMATH=1 WOLFBOOT_SMALL_STACK=1,
-               SPMATHALL=1 WOLFBOOT_SMALL_STACK=0,
-               SPMATHALL=1 WOLFBOOT_SMALL_STACK=1,
-               SPMATH=0 SPMATHALL=0 WOLFBOOT_SMALL_STACK=0,
-               SPMATH=0 SPMATHALL=0 WOLFBOOT_SMALL_STACK=1]
+        math:
+          - "SPMATH=1 WOLFBOOT_SMALL_STACK=0"
+          - "SPMATH=1 WOLFBOOT_SMALL_STACK=1"
+          - "SPMATHALL=1 WOLFBOOT_SMALL_STACK=0"
+          - "SPMATHALL=1 WOLFBOOT_SMALL_STACK=1"
+          - "SPMATH=0 SPMATHALL=0 WOLFBOOT_SMALL_STACK=0"
+          - "SPMATH=0 SPMATHALL=0 WOLFBOOT_SMALL_STACK=1"
         asym: [ed25519, ecc256, ecc384, ecc521, rsa2048, rsa3072, rsa4096, ed448]
         hash: [sha256, sha384, sha3]
+
+        # See https://github.com/wolfSSL/wolfBoot/issues/614 regarding exclusions:
+        exclude:
+          - math: "SPMATH=1 WOLFBOOT_SMALL_STACK=1"
+          - math: "SPMATHALL=1 WOLFBOOT_SMALL_STACK=1"
+
     steps:
       - uses: actions/checkout@v4
         with:
@@ -33,16 +49,50 @@ jobs:
 
       - name: Build test-lib
         env:
+          shell: bash
           ASYM: ${{ matrix.asym }}
           HASH: ${{ matrix.hash }}
+          MATH: ${{ matrix.math }}
         run: |
+          # Sample build
+          build_once() {
+              # Convert asym and hash to upper case, optionally add additional param
+              make -j test-lib SIGN=${ASYM^^} HASH=${HASH^^} ${MATH} "$@"
+          }
+
+          set -euo pipefail
+
+          # Get the reference config
           cp config/examples/library.config .config
+
+          # Keytools
           make keytools
-          ./tools/keytools/keygen --${{ matrix.asym }} -g wolfboot_signing_private_key.der
+          ./tools/keytools/keygen --${ASYM} -g wolfboot_signing_private_key.der
+
+          # Sign
           echo "Test" > test.bin
-          ./tools/keytools/sign --${{ matrix.asym }} --${{ matrix.hash }} test.bin wolfboot_signing_private_key.der 1
-          # Convert asym and hash to upper case
-          make test-lib SIGN=${ASYM^^} HASH=${HASH^^}
+          ./tools/keytools/sign --${ASYM} --${HASH} test.bin wolfboot_signing_private_key.der 1
+
+          # First attempt
+          if build_once >build.out 2>build.err; then
+            echo "Success on first attempt, WOLFBOOT_HUGE_STACK not applied."
+            exit 0
+          fi
+
+          # If it failed due to the TFM huge stack guard, retry with the flag
+          if grep -Fq 'If this is OK, please compile with WOLFBOOT_HUGE_STACK=1' build.err; then
+            echo "Retrying with WOLFBOOT_HUGE_STACK=1 due to stack requirement error."
+
+            # Always print the entire message
+            grep -Fn 'If this is OK, please compile with WOLFBOOT_HUGE_STACK=1' build.err || true
+
+            # Try again with huge stack allowed
+            build_once WOLFBOOT_HUGE_STACK=1
+          else
+            echo "Build failed for another reason:"
+            cat build.err
+            exit 1
+          fi
 
       - name: Run test-lib
         run: |

.gitignore

@@ -60,6 +60,12 @@ src/ecc384_pub_key.c
 src/ecc512_pub_key.c
 src/rsa2048_pub_key.c
 src/rsa4096_pub_key.c
+
+# Any other generated keystore files
+/**/keystore.c
+/**/wolfboot_signing_private_key.der
+/**/keystore.der
+
 # Renesas key data files
 include/key_data.*
 include/enckey_data.*
@@ -118,6 +124,7 @@ tools/tpm/policy_create
 tools/tpm/policy_sign
 config/*.ld
 test-lib
+lib-fs
 
 # Elf preprocessing tools
 tools/squashelf/**
@@ -266,17 +273,16 @@ language.settings.xml
 /**/.vs
 /**/.visualgdb/*
 
+# Defaults are set in files otherwise excluded:
+!/.vs/README.md
+!/.vs/VSWorkspaceState.json
+!/.vs/VSWorkspaceSettings.json
+
 # Any build directories
 /**/build
 /**/build-**
 
-/IDE/VisualGDB
-/commit_squash.sh
-/evars.txt
-/evars_non_dev.txt
-/gpg_refresh.sh
-/IDE/VisualStudio/EmbeddedProject1
-/IDE/VisualStudio/wolfboot
-/.gitignore.wip
-/run.log
-/stm32.mak
+# Eclipse
+.cproject
+.project
+.settings/

IDE/MPLAB/README.md

@@ -1,6 +1,6 @@
 # wolfBoot demo application for MPLABx IDE
 
-Instruction to compile and test under Windows or Linux OS.
+Instructions to compile and test under Windows or Linux OS.
 
 
 ## Target platform
@@ -81,7 +81,7 @@ you plan to modify the geometry of your partitions in FLASH.
 
 The FLASH memory configuration for this demo is located in include/MPLAB/target.h.
 
-The file can be changed manually to set a new partitions geometry, or a new target.h 
+The file can be changed manually to set a new partitions geometry, or a new target.h
 could be created in the include/ directory by running `make`, which will be based
 on the chosen configuration via the `.config` file. If a custom `target.h` is created
 by `make`, the demo version in `include/MPLAB` can be removed.

IDE/MPLAB/test/README.md

@@ -0,0 +1 @@
+See the [../README.md](../README.md) for instructions on populating this directory.

IDE/MPLAB/test/keystore.c

@@ -186,6 +186,10 @@ ifeq ($(TARGET),library)
     MAIN_TARGET:=libwolfboot.a
 endif
 
+ifeq ($(TARGET),library_fs)
+    MAIN_TARGET:=libwolfboot.a
+endif
+
 ifeq ($(TARGET),raspi3)
     MAIN_TARGET:=wolfboot.bin
 endif
@@ -236,6 +240,10 @@ test-lib: libwolfboot.a hal/library.o
 	@echo "\t[BIN] $@"
 	$(Q)$(CC) $(CFLAGS) -o $@ hal/library.o libwolfboot.a
 
+lib-fs: libwolfboot.a hal/library_fs.o hal/filesystem.o
+	@echo "\t[BIN] $@"
+	$(Q)$(CC) $(CFLAGS) -o $@ hal/library_fs.o hal/filesystem.o libwolfboot.a
+
 wolfboot.efi: wolfboot.elf
 	@echo "\t[BIN] $@"
 	$(Q)$(OBJCOPY) -j .rodata -j .text -j .sdata -j .data \
@@ -466,6 +474,8 @@ clean:
 	$(Q)rm -f tools/keytools/otp/otp-keystore-gen
 	$(Q)rm -f .stack_usage
 	$(Q)rm -f $(WH_NVM_BIN) $(WH_NVM_HEX)
+	$(Q)rm -f test-lib
+	$(Q)rm -f lib-fs
 	$(Q)$(MAKE) -C test-app clean V=$(V)
 	$(Q)$(MAKE) -C tools/check_config -s clean
 	$(Q)$(MAKE) -C stage1 -s clean