wolfBoot TPM improvements

.github/workflows/footprint.yml

@@ -2,9 +2,9 @@ name: Footprint test
 
 on:
   push:
-    branches: [master]
+    branches: [ 'master', 'main', 'release/**' ]
   pull_request:
-    branches: [master]
+    branches: [ '*' ]
 
 jobs:
   footprint_test:

.github/workflows/test-build-sim-tpm.yml

@@ -0,0 +1,67 @@
+name: Wolfboot Reusable Build Workflow for TPM with Simulator
+
+on:
+
+  workflow_call:
+    inputs:
+      arch:
+        required: true
+        type: string
+      config-file:
+        required: true
+        type: string
+      make-args:
+        required: false
+        type: string
+      rot-args:
+        required: false
+        type: string
+
+jobs:
+
+  build:
+    runs-on: ubuntu-20.04
+
+    steps:
+      # setup ibmswtpm2
+      - uses: actions/checkout@master
+        with:
+          repository: kgoldman/ibmswtpm2
+          path: ibmswtpm2
+      - name: ibmswtpm2 make
+        working-directory: ./ibmswtpm2/src
+        run: |
+          make
+          ./tpm_server &
+
+      - uses: actions/checkout@v3
+        with:
+          submodules: true
+
+      - name: make distclean
+        run: |
+          make distclean
+
+      - name: Select config
+        run: |
+          cp ${{inputs.config-file}} .config
+
+      - name: Build tools
+        run: |
+          make keytools
+
+      - name: Build wolfboot
+        run: |
+          make ${{inputs.make-args}}
+
+      - name: Build TPM tools
+        run: |
+          make tpmtools
+
+      - name: Write TPM ROT to TPM
+        run: |
+          ./tools/tpm/rot -write ${{inputs.rot-args}}
+
+      - name: Run wolfBoot
+        run: |
+          ./wolfboot.elf get_version

.github/workflows/test-configs.yml

@@ -2,9 +2,9 @@ name: Test Example Configs
 
 on:
   push:
-    branches: [master]
+    branches: [ 'master', 'main', 'release/**' ]
   pull_request:
-    branches: [master]
+    branches: [ '*' ]
 
 jobs:
 

.github/workflows/test-keytools.yml

@@ -2,9 +2,9 @@ name: Wolfboot keytools test workflow
 
 on:
   push:
-    branches: [master]
+    branches: [ 'master', 'main', 'release/**' ]
   pull_request:
-    branches: [master]
+    branches: [ '*' ]
 
 jobs:
 

.github/workflows/test-powerfail-simulator.yml

@@ -2,9 +2,9 @@ name: Power-failure during update - test with simulator target
 
 on:
   push:
-    branches: [master]
+    branches: [ 'master', 'main', 'release/**' ]
   pull_request:
-    branches: [master]
+    branches: [ '*' ]
 
 jobs:
   powerfail_simulator_tests:

.github/workflows/test-renode-fastmath-smallstack.yml

@@ -2,9 +2,9 @@ name: Renode Automated multi memory configurations
 
 on:
   push:
-    branches: [master]
+    branches: [ 'master', 'main', 'release/**' ]
   pull_request:
-    branches: [master]
+    branches: [ '*' ]
 
 jobs:
   renode_automated_fastmath_smallstack:

.github/workflows/test-renode-fastmath.yml

@@ -2,9 +2,9 @@ name: Renode Automated multi memory configurations
 
 on:
   push:
-    branches: [master]
+    branches: [ 'master', 'main', 'release/**' ]
   pull_request:
-    branches: [master]
+    branches: [ '*' ]
 
 jobs:
   renode_automated_fastmath:

.github/workflows/test-renode-noasm-smallstack.yml

@@ -2,9 +2,9 @@ name: Renode Automated multi memory configurations
 
 on:
   push:
-    branches: [master]
+    branches: [ 'master', 'main', 'release/**' ]
   pull_request:
-    branches: [master]
+    branches: [ '*' ]
 
 jobs:
   renode_automated_noasm_smallstack:

.github/workflows/test-renode-noasm.yml

@@ -2,9 +2,9 @@ name: Renode Automated multi memory configurations
 
 on:
   push:
-    branches: [master]
+    branches: [ 'master', 'main', 'release/**' ]
   pull_request:
-    branches: [master]
+    branches: [ '*' ]
 
 jobs:
   renode_automated_noasm:

.github/workflows/test-renode-nrf52.yml

@@ -2,9 +2,9 @@ name: Renode Automated - Base Tests
 
 on:
   push:
-    branches: [master]
+    branches: [ 'master', 'main', 'release/**' ]
   pull_request:
-    branches: [master]
+    branches: [ '*' ]
 
 jobs:
   renode_automated_base:

.github/workflows/test-renode-sha3.yml

@@ -2,9 +2,9 @@ name: Renode Automated multi SHA algorithms
 
 on:
   push:
-    branches: [master]
+    branches: [ 'master', 'main', 'release/**' ]
   pull_request:
-    branches: [master]
+    branches: [ '*' ]
 
 jobs:
   renode_automated_multi_sha:

.github/workflows/test-renode-sha384.yml

@@ -2,9 +2,9 @@ name: Renode Automated multi SHA algorithms
 
 on:
   push:
-    branches: [master]
+    branches: [ 'master', 'main', 'release/**' ]
   pull_request:
-    branches: [master]
+    branches: [ '*' ]
 
 jobs:
   renode_automated_multi_sha:

.github/workflows/test-renode-smallstack.yml

@@ -2,9 +2,9 @@ name: Renode Automated multi memory configurations
 
 on:
   push:
-    branches: [master]
+    branches: [ 'master', 'main', 'release/**' ]
   pull_request:
-    branches: [master]
+    branches: [ '*' ]
 
 jobs:
   renode_automated_smallstack:

.github/workflows/test-tpm.yml

@@ -0,0 +1,81 @@
+name: Test TPM Configs
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+jobs:
+
+  sim_tpm_debug:
+    uses: ./.github/workflows/test-build-sim-tpm.yml
+    with:
+      arch: host
+      config-file: ./config/examples/sim-tpm.config
+      make-args: DEBUG=1
+
+  sim_tpm_ecc256:
+    uses: ./.github/workflows/test-build-sim-tpm.yml
+    with:
+      arch: host
+      config-file: ./config/examples/sim-tpm.config
+      make-args: SIGN=ECC256 HASH=SHA256
+
+  sim_tpm_ecc384:
+    uses: ./.github/workflows/test-build-sim-tpm.yml
+    with:
+      arch: host
+      config-file: ./config/examples/sim-tpm.config
+      make-args: SIGN=ECC384 HASH=SHA384
+
+  sim_tpm_rsa2048:
+    uses: ./.github/workflows/test-build-sim-tpm.yml
+    with:
+      arch: host
+      config-file: ./config/examples/sim-tpm.config
+      make-args: SIGN=RSA2048 HASH=SHA256
+
+  sim_tpm_measured_ecc256:
+    uses: ./.github/workflows/test-build-sim-tpm.yml
+    with:
+      arch: host
+      config-file: ./config/examples/sim-tpm-measured.config
+      make-args: SIGN=ECC256 HASH=SHA256
+
+  sim_tpm_measured_ecc384:
+    uses: ./.github/workflows/test-build-sim-tpm.yml
+    with:
+      arch: host
+      config-file: ./config/examples/sim-tpm-measured.config
+      make-args: SIGN=ECC384 HASH=SHA384
+
+  sim_tpm_measured_rsa2048:
+    uses: ./.github/workflows/test-build-sim-tpm.yml
+    with:
+      arch: host
+      config-file: ./config/examples/sim-tpm-measured.config
+      make-args: SIGN=RSA2048 HASH=SHA256
+
+
+  sim_tpm_keystore_ecc256:
+    uses: ./.github/workflows/test-build-sim-tpm.yml
+    with:
+      arch: host
+      config-file: ./config/examples/sim-tpm-keystore.config
+      make-args: SIGN=ECC256 HASH=SHA256
+
+  sim_tpm_keystore_ecc384:
+    uses: ./.github/workflows/test-build-sim-tpm.yml
+    with:
+      arch: host
+      config-file: ./config/examples/sim-tpm-keystore.config
+      make-args: SIGN=ECC384 HASH=SHA384
+      rot-args: -sha384
+
+  sim_tpm_keystore_rsa2048:
+    uses: ./.github/workflows/test-build-sim-tpm.yml
+    with:
+      arch: host
+      config-file: ./config/examples/sim-tpm-keystore.config
+      make-args: SIGN=RSA2048 HASH=SHA256

.github/workflows/test-units.yml

@@ -2,9 +2,9 @@ name: Unit tests
 
 on:
   push:
-    branches: [master]
+    branches: [ 'master', 'main', 'release/**' ]
   pull_request:
-    branches: [master]
+    branches: [ '*' ]
 
 jobs:
   unit_tests:

.gitignore

@@ -100,6 +100,7 @@ tools/uart-flash-server/ufserver
 tools/unit-tests/unit-parser
 tools/bin-assemble/bin-assemble
 tools/elf-parser/elf-parser
+tools/tpm/rot
 config/*.ld
 
 # Generated confiuguration file

Makefile

@@ -167,6 +167,11 @@ keytools:
 	@$(MAKE) -C tools/keytools -s clean
 	@$(MAKE) -C tools/keytools -j
 
+tpmtools:
+	@echo "Building TPM tools"
+	@$(MAKE) -C tools/tpm -s clean
+	@$(MAKE) -C tools/tpm -j
+
 test-app/image_v1_signed.bin: $(BOOT_IMG)
 	@echo "\t[SIGN] $(BOOT_IMG)"
 	$(Q)(test $(SIGN) = NONE) || $(SIGN_TOOL) $(SIGN_OPTIONS) $(BOOT_IMG) $(PRIVATE_KEY) 1
@@ -245,10 +250,10 @@ src/keystore.c: $(PRIVATE_KEY)
 keys: $(PRIVATE_KEY)
 
 clean:
-	$(Q)rm -f src/*.o hal/*.o hal/spi/*.o lib/wolfssl/wolfcrypt/src/*.o test-app/*.o
-	$(Q)rm -f *.bin *.elf wolfboot.map test-update.rom *.hex $(LSCRIPT)
-	$(Q)rm -f src/x86/*.o $(MACHINE_OBJ) $(MAIN_TARGET)
-	$(Q)rm -f lib/wolfTPM/src/*.o
+	$(Q)rm -f src/*.o hal/*.o hal/spi/*.o test-app/*.o src/x86/*.o
+	$(Q)rm -f lib/wolfssl/wolfcrypt/src/*.o lib/wolfTPM/src/*.o
+	$(Q)rm -f wolfboot.bin wolfboot.elf wolfboot.map test-update.rom wolfboot.hex
+	$(Q)rm -f $(MACHINE_OBJ) $(MAIN_TARGET) $(LSCRIPT)
 	$(Q)$(MAKE) -C test-app -s clean
 	$(Q)$(MAKE) -C tools/check_config -s clean
 	$(Q)$(MAKE) -C stage1 -s clean

config/examples/sim-tpm-keystore.config

@@ -0,0 +1,26 @@
+ARCH=sim
+TARGET=sim
+SIGN?=ECC256
+HASH?=SHA256
+SPI_FLASH=0
+DEBUG=0
+WOLFTPM=1
+
+# sizes should be multiple of system page size
+WOLFBOOT_PARTITION_SIZE=0x40000
+WOLFBOOT_SECTOR_SIZE=0x1000
+WOLFBOOT_PARTITION_BOOT_ADDRESS=0x80000
+# if on external flash, it should be multiple of system page size
+WOLFBOOT_PARTITION_UPDATE_ADDRESS=0x100000
+WOLFBOOT_PARTITION_SWAP_ADDRESS=0x180000
+
+# required for keytools
+WOLFBOOT_FIXED_PARTITIONS=1
+
+# Use NV for TPM based Root of Trust
+WOLFBOOT_TPM_KEYSTORE?=1
+WOLFBOOT_TPM_KEYSTORE_NV_INDEX?=0x01400200
+
+# TPM Logging
+#CFLAGS_EXTRA+=-DDEBUG_WOLFTPM
+#CFLAGS_EXTRA+=-DWOLFTPM_DEBUG_VERBOSE

config/examples/sim-tpm-measured.config

@@ -0,0 +1,26 @@
+ARCH=sim
+TARGET=sim
+SIGN?=ECC256
+HASH?=SHA256
+SPI_FLASH=0
+DEBUG=0
+WOLFTPM=1
+
+# sizes should be multiple of system page size
+WOLFBOOT_PARTITION_SIZE=0x40000
+WOLFBOOT_SECTOR_SIZE=0x1000
+WOLFBOOT_PARTITION_BOOT_ADDRESS=0x80000
+# if on external flash, it should be multiple of system page size
+WOLFBOOT_PARTITION_UPDATE_ADDRESS=0x100000
+WOLFBOOT_PARTITION_SWAP_ADDRESS=0x180000
+
+# required for keytools
+WOLFBOOT_FIXED_PARTITIONS=1
+
+# Measured boot at test PCR index 16
+MEASURED_BOOT?=1
+MEASURED_PCR_A?=16
+
+# TPM Logging
+#CFLAGS_EXTRA+=-DDEBUG_WOLFTPM
+#CFLAGS_EXTRA+=-DWOLFTPM_DEBUG_VERBOSE