wolfTPM Zephyr Project Port

.github/workflows/zephyr.yml

@@ -0,0 +1,102 @@
+name: Zephyr wolfTPM Tests
+
+on:
+  push:
+    branches: [ '*' ]
+  pull_request:
+    branches: [ '*' ]
+
+jobs:
+  run_test:
+    name: Build
+    strategy:
+      matrix:
+        config:
+          - zephyr-ref: v3.4.0
+            zephyr-sdk: 0.16.1
+    runs-on: ubuntu-22.04
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 25
+    steps:
+      - name: Install dependencies
+        run: |
+          # Don't prompt for anything
+          export DEBIAN_FRONTEND=noninteractive
+          sudo apt-get update
+          # most of the ci-base zephyr docker image packages
+          sudo apt-get install -y zip bridge-utils uml-utilities \
+            git cmake ninja-build gperf ccache dfu-util device-tree-compiler wget \
+            python3-dev python3-pip python3-setuptools python3-tk python3-wheel xz-utils file \
+            make gcc gcc-multilib g++-multilib libsdl2-dev libmagic1 \
+            autoconf automake bison build-essential ca-certificates cargo ccache chrpath cmake \
+            cpio device-tree-compiler dfu-util diffstat dos2unix doxygen file flex g++ gawk gcc \
+            gcovr git git-core gnupg gperf gtk-sharp2 help2man iproute2 lcov libcairo2-dev \
+            libglib2.0-dev libgtk2.0-0 liblocale-gettext-perl libncurses5-dev libpcap-dev \
+            libpopt0 libsdl1.2-dev libsdl2-dev libssl-dev libtool libtool-bin locales make \
+            net-tools openssh-client parallel pkg-config python3-dev python3-pip \
+            python3-ply python3-setuptools python-is-python3 qemu-kvm rsync socat srecord sudo \
+            texinfo unzip wget ovmf xz-utils
+
+      - name: Install west
+        run: sudo pip install west
+
+      - name: Init west workspace
+        run: west init --mr ${{ matrix.config.zephyr-ref }} zephyr
+
+      - name: Update west.yml
+        working-directory: zephyr/zephyr
+        run: |
+          REF=$(echo '${{ github.ref }}' | sed -e 's/\//\\\//g')
+          sed -e 's/remotes:/remotes:\n    \- name: wolfssl\n      url\-base: https:\/\/github.com\/wolfssl/' -i west.yml
+          sed -e "s/remotes:/remotes:\n    \- name: wolftpm\n      url\-base: https:\/\/github.com\/${{ github.repository_owner }}/" -i west.yml
+          sed -e "s/projects:/projects:\n    \- name: wolftpm\n      path: modules\/lib\/wolftpm\n      remote: wolftpm\n      revision: $REF/" -i west.yml
+          sed -e 's/projects:/projects:\n    \- name: wolfssl\n      path: modules\/crypto\/wolfssl\n      remote: wolfssl\n      revision: master/' -i west.yml
+
+      - name: Update west workspace
+        working-directory: zephyr
+        run: west update -n -o=--depth=1
+
+      - name: Export zephyr
+        working-directory: zephyr
+        run: west zephyr-export
+
+      - name: Install pip dependencies
+        working-directory: zephyr
+        run: sudo pip install -r zephyr/scripts/requirements.txt
+
+      - name: Install zephyr SDK
+        run: |
+          wget -q https://github.com/zephyrproject-rtos/sdk-ng/releases/download/v${{ matrix.config.zephyr-sdk }}/zephyr-sdk-${{ matrix.config.zephyr-sdk }}_linux-x86_64_minimal.tar.xz
+          tar xf zephyr-sdk-${{ matrix.config.zephyr-sdk }}_linux-x86_64_minimal.tar.xz
+          cd zephyr-sdk-${{ matrix.config.zephyr-sdk }}
+          ./setup.sh -h -c -t x86_64-zephyr-elf
+
+      - name: Build wolftpm tests
+        id: wolftpm_build
+        working-directory: zephyr
+        run : |
+          west build -p auto -b qemu_x86 modules/lib/wolftpm/zephyr/samples/wolftpm_wrap_test
+          west build -p auto -b qemu_x86 modules/lib/wolftpm/zephyr/samples/wolftpm_wrap_caps
+
+      # skipping tests, because no simulator TPM to run
+      #- name: Run wolftpm tests
+      #  id: wolftpm_tests
+      #  working-directory: zephyr
+      #  run: |
+      #    ./zephyr/scripts/twister --testsuite-root modules/lib/wolftpm --test zephyr/samples/wolftpm_wrap_caps/sample.lib.wolftpm_wrap_caps -vvv
+      #    rm -rf zephyr/twister-out
+      #    ./zephyr/scripts/twister --testsuite-root modules/lib/wolftpm --test zephyr/samples/wolftpm_wrap_test/sample.lib.wolftpm_wrap_test -vvv
+      #    rm -rf zephyr/twister-out
+
+      - name: Zip failure logs
+        if: ${{ failure() && steps.wolftpm_build.outcome == 'failure' }}
+        run: |
+          zip -9 -r logs.zip zephyr/twister-out
+
+      - name: Upload failure logs
+        if: ${{ failure() && steps.wolftpm_build.outcome == 'failure' }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: zephyr-client-test-logs
+          path: logs.zip
+          retention-days: 5

Makefile.am

@@ -42,6 +42,7 @@ include docs/include.am
 include wrapper/include.am
 include hal/include.am
 include cmake/include.am
+include zephyr/include.am
 
 EXTRA_DIST+= .cyignore
 EXTRA_DIST+= README.md

examples/csr/csr.c

@@ -38,12 +38,25 @@
 #include <wolfssl/wolfcrypt/asn_public.h>
 
 #ifndef NO_RSA
-static const char* gClientCsrRsaFile = "./certs/tpm-rsa-cert.csr";
-static const char* gClientCertRsaFile = "./certs/tpm-rsa-cert.pem";
+#ifndef RSA_CERT_CSR
+    #define RSA_CERT_CSR "./certs/tpm-rsa-cert.csr"
 #endif
+#ifndef RSA_CERT_PEM
+    #define RSA_CERT_PEM "./certs/tpm-rsa-cert.pem"
+#endif
+static const char* gClientCsrRsaFile = RSA_CERT_CSR;
+static const char* gClientCertRsaFile = RSA_CERT_PEM;
+#endif
+
 #ifdef HAVE_ECC
-static const char* gClientCsrEccFile = "./certs/tpm-ecc-cert.csr";
-static const char* gClientCertEccFile = "./certs/tpm-ecc-cert.pem";
+#ifndef ECC_CERT_CSR
+    #define ECC_CERT_CSR "./certs/tpm-ecc-cert.csr"
+#endif
+#ifndef ECC_CERT_PEM
+    #define ECC_CERT_PEM "./certs/tpm-ecc-cert.pem"
+#endif
+static const char* gClientCsrEccFile = ECC_CERT_CSR;
+static const char* gClientCertEccFile = ECC_CERT_PEM;
 #endif
 
 #ifndef MAX_PEM_SIZE

examples/keygen/keygen.c

@@ -36,6 +36,28 @@
 #include <examples/tpm_test.h>
 #include <examples/tpm_test_keys.h>
 
+/* Output file path defines with defaults */
+#ifndef OUTPUT_FILE
+    #define OUTPUT_FILE "keyblob.bin"
+#endif
+#ifndef EK_PUB_FILE
+    #define EK_PUB_FILE "ek.pub"
+#endif
+#ifndef SRK_PUB_FILE
+    #define SRK_PUB_FILE "srk.pub"
+#endif
+
+#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
+    #ifndef AK_NAME_FILE
+        #define AK_NAME_FILE "ak.name"
+    #endif
+    #if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_ASN)
+        /* PEM_FILE is NULL by default, but can be overridden */
+        #ifndef PEM_FILE
+            #define PEM_FILE NULL
+        #endif
+    #endif
+#endif
 
 /******************************************************************************/
 /* --- BEGIN TPM Keygen Example -- */
@@ -121,14 +143,14 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
     int keyBits = 256;
     const char* uniqueStr = NULL;
     const char* authStr = NULL;
-    const char *outputFile = "keyblob.bin";
-    const char *ekPubFile = "ek.pub";
-    const char *srkPubFile = "srk.pub";
+    const char *outputFile = OUTPUT_FILE;
+    const char *ekPubFile = EK_PUB_FILE;
+    const char *srkPubFile = SRK_PUB_FILE;
     const char *pubFilename = NULL;
 #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
-    const char *nameFile = "ak.name"; /* Name Digest for attestation purposes */
+    const char *nameFile = AK_NAME_FILE; /* Name Digest for attestation purposes */
     #if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_ASN)
-    const char *pemFilename = NULL;
+    const char *pemFilename = PEM_FILE;
     #endif
 #endif
     const char* symMode = "aesctr";

examples/tls/tls_server.c

@@ -46,6 +46,34 @@ static int mStop = 0;
     double benchStart;
 #endif
 
+/* CA Certificate path defines with defaults */
+#ifndef CA_RSA_CERT_PATH
+    #define CA_RSA_CERT_PATH "./certs/ca-rsa-cert.pem"
+#endif
+#ifndef WOLF_CA_RSA_CERT_PATH
+    #define WOLF_CA_RSA_CERT_PATH "./certs/wolf-ca-rsa-cert.pem"
+#endif
+#ifndef CA_ECC_CERT_PATH
+    #define CA_ECC_CERT_PATH "./certs/ca-ecc-cert.pem"
+#endif
+#ifndef WOLF_CA_ECC_CERT_PATH
+    #define WOLF_CA_ECC_CERT_PATH "./certs/wolf-ca-ecc-cert.pem"
+#endif
+
+/* Server Certificate path defines with defaults */
+#ifndef SERVER_RSA_CERT_PATH
+    #define SERVER_RSA_CERT_PATH "./certs/server-rsa-cert.pem"
+#endif
+#ifndef TPM_RSA_CERT_PATH
+    #define TPM_RSA_CERT_PATH "./certs/tpm-rsa-cert.pem"
+#endif
+#ifndef SERVER_ECC_CERT_PATH
+    #define SERVER_ECC_CERT_PATH "./certs/server-ecc-cert.pem"
+#endif
+#ifndef TPM_ECC_CERT_PATH
+    #define TPM_ECC_CERT_PATH "./certs/tpm-ecc-cert.pem"
+#endif
+
 /*
  * Generating the Server Certificate
  *
@@ -380,14 +408,14 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
     /* Load CA Certificates */
     if (!useECC) {
     #ifndef NO_RSA
-        if (wolfSSL_CTX_load_verify_locations(ctx, "./certs/ca-rsa-cert.pem",
+        if (wolfSSL_CTX_load_verify_locations(ctx, CA_RSA_CERT_PATH,
                                               0) != WOLFSSL_SUCCESS) {
-            printf("Error loading ca-rsa-cert.pem cert\n");
+            printf("Error loading %s cert\n", CA_RSA_CERT_PATH);
             goto exit;
         }
-        if (wolfSSL_CTX_load_verify_locations(ctx, "./certs/wolf-ca-rsa-cert.pem",
+        if (wolfSSL_CTX_load_verify_locations(ctx, WOLF_CA_RSA_CERT_PATH,
                                               0) != WOLFSSL_SUCCESS) {
-            printf("Error loading wolf-ca-rsa-cert.pem cert\n");
+            printf("Error loading %s cert\n", WOLF_CA_RSA_CERT_PATH);
             goto exit;
         }
     #else
@@ -398,16 +426,16 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
     }
     else {
     #ifdef HAVE_ECC
-        if (wolfSSL_CTX_load_verify_locations(ctx, "./certs/ca-ecc-cert.pem",
+        if (wolfSSL_CTX_load_verify_locations(ctx, CA_ECC_CERT_PATH,
                                               0) != WOLFSSL_SUCCESS) {
-            printf("Error loading ca-ecc-cert.pem cert\n");
+            printf("Error loading %s cert\n", CA_ECC_CERT_PATH);
         #ifndef WOLFTPM_MFG_IDENTITY /* not fatal if using mfg identity */
             goto exit;
         #endif
         }
-        if (wolfSSL_CTX_load_verify_locations(ctx, "./certs/wolf-ca-ecc-cert.pem",
+        if (wolfSSL_CTX_load_verify_locations(ctx, WOLF_CA_ECC_CERT_PATH,
                                               0) != WOLFSSL_SUCCESS) {
-            printf("Error loading wolf-ca-ecc-cert.pem cert\n");
+            printf("Error loading %s cert\n", WOLF_CA_ECC_CERT_PATH);
             goto exit;
         }
     #else
@@ -461,14 +489,18 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
                                                 WOLFSSL_FILETYPE_ASN1);
         #endif
         #else
-        const char* useCert = "./certs/server-rsa-cert.pem";
+        const char* useCert = SERVER_RSA_CERT_PATH;
         if (useSelfSign) {
-            useCert = "./certs/tpm-rsa-cert.pem";
+            useCert = TPM_RSA_CERT_PATH;
         }
         rc = wolfSSL_CTX_use_certificate_file(ctx, useCert, WOLFSSL_FILETYPE_PEM);
         #endif
         if (rc != WOLFSSL_SUCCESS) {
+        #ifndef NO_FILESYSTEM
+            printf("Error loading RSA client cert: %s\n", useCert);
+        #else
             printf("Error loading RSA client cert\n");
+        #endif
             goto exit;
         }
 #else
@@ -496,14 +528,18 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
                                                 WOLFSSL_FILETYPE_ASN1);
         #endif
     #else
-        const char* useCert = "./certs/server-ecc-cert.pem";
+        const char* useCert = SERVER_ECC_CERT_PATH;
         if (useSelfSign) {
-            useCert = "./certs/tpm-ecc-cert.pem";
+            useCert = TPM_ECC_CERT_PATH;
         }
         rc = wolfSSL_CTX_use_certificate_file(ctx, useCert, WOLFSSL_FILETYPE_PEM);
     #endif
         if (rc != WOLFSSL_SUCCESS) {
+        #ifndef NO_FILESYSTEM
+            printf("Error loading ECC client cert: %s\n", useCert);
+        #else
             printf("Error loading ECC client cert\n");
+        #endif
             goto exit;
         }
 #else
@@ -649,7 +685,7 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
     }
 
 exit:
-
+    mStop = 0; /* Reset the stop flag for if example is compiled into a demo */
     if (rc != 0) {
         printf("Failure %d (0x%x): %s\n", rc, rc, wolfTPM2_GetRCString(rc));
     }

examples/tpm_test.h

@@ -52,6 +52,19 @@
 
 #define TPM2_DEMO_PCR_INDEX             16
 
+#ifndef PEM_FILE_AK
+    #define PEM_FILE_AK "ak.pem"
+#endif
+#ifndef PEM_FILE_EK
+    #define PEM_FILE_EK "ek.pem"
+#endif
+#ifndef PEM_FILE_SRK
+    #define PEM_FILE_SRK "srk.pem"
+#endif
+#ifndef PEM_FILE_KEY
+    #define PEM_FILE_KEY "key.pem"
+#endif
+
 static const char gStorageKeyAuth[] = "ThisIsMyStorageKeyAuth";
 static const char gAiKeyAuth[] =      "ThisIsMyAiKeyAuth";
 static const char gKeyAuth[] =        "ThisIsMyKeyAuth";
@@ -60,10 +73,10 @@ static const char gUsageAuth[] =      "ThisIsASecretUsageAuth";
 static const char gNvAuth[] =         "ThisIsMyNvAuth";
 static const char gXorAuth[] =        "ThisIsMyXorAuth";
 
-static const char pemFileAk[] = "ak.pem";
-static const char pemFileEk[] = "ek.pem";
-static const char pemFileSrk[] = "srk.pem";
-static const char pemFileKey[] = "key.pem";
+static const char pemFileAk[] = PEM_FILE_AK;
+static const char pemFileEk[] = PEM_FILE_EK;
+static const char pemFileSrk[] = PEM_FILE_SRK;
+static const char pemFileKey[] = PEM_FILE_KEY;
 
 /* Default Test PCR */
 /* PCR16 is for DEBUG purposes, thus safe to use */
@@ -100,6 +113,8 @@ static const char pemFileKey[] = "key.pem";
         #include <time.h>
 #elif defined(WOLFTPM_MICROCHIP_HARMONY)
         #include "system/time/sys_time.h"
+#elif defined(WOLFTPM_ZEPHYR)
+        #include <zephyr/kernel.h>
 #else
         #include <sys/time.h>
 #endif
@@ -119,6 +134,9 @@ static const char pemFileKey[] = "key.pem";
             SYS_TIME_CounterSet(0);
         return (double)(SYS_TIME_Counter64Get()) /
                (double)SYS_TIME_FrequencyGet();
+    #elif defined(WOLFTPM_ZEPHYR)
+        (void)reset;
+        return (double)k_uptime_get() / 1000.0;
     #else
         struct timeval tv;
         gettimeofday(&tv, 0);

examples/tpm_test_keys.c

@@ -40,8 +40,22 @@
 
 #include <stdio.h>
 
-#define RSA_FILENAME  "rsa_test_blob.raw"
-#define ECC_FILENAME  "ecc_test_blob.raw"
+#ifdef WOLFTPM_ZEPHYR
+    #include <zephyr/fs/fs.h>
+    #define XFILE struct fs_file_t*
+    /* Note: Other filesystem macros (XFOPEN, XFCLOSE etc) are already defined
+     * in wolfSSL's wc_port.h for Zephyr */
+#else
+    #define XFILE FILE*
+#endif
+
+#ifndef RSA_FILENAME
+    #define RSA_FILENAME  "rsa_test_blob.raw"
+#endif
+
+#ifndef ECC_FILENAME
+    #define ECC_FILENAME  "ecc_test_blob.raw"
+#endif
 
 #ifndef WOLFTPM2_NO_WRAPPER