Add hardware SPDM CI runner + fix SPDM auto-connect regression #482
Status: Merged
- src/tpm2_wrap.c: wolfTPM2_Init auto-SPDM path now calls vendor-specific
wolfTPM2_SpdmConnectNuvoton/Nations (which sets TIS I/O, mode, and the
host ephemeral key pair for mutual auth). Previous refactor to the
generic wolfTPM2_SpdmConnect dropped that setup, so FINISH failed with
WOLFSPDM_E_PEER_ERROR whenever the TPM was in SPDM-only-locked mode.
- src/tpm2_spdm.c: wolfSPDM_ParseVendorDefined returns payload dataLen
(>=0) on success per spdm_tcg.c:72 convention. wolfTPM2_SPDM_SecuredExchange
was treating any non-zero return as an error, so the first TPM command
over SPDM (10-byte Startup response) bubbled up as rc=0xa.
- tests/unit_tests.c: Add test_tpm_alg_supported() helper that queries
TPM_CAP_ALGS and skip test_wolfTPM2_EccSignVerifyDig iterations when the
hash isn't supported. Nuvoton NPCT75x lacks SHA512 and returns
TPM_RC_SIZE parameter 1 (not TPM_RC_HASH), so the prior post-hoc skip
couldn't catch it.
- .github/workflows/hw-spdm-test.yml: New workflow targeting a self-hosted
Raspberry Pi runner. Runs examples/spdm/spdm_test.sh against real Nuvoton
hardware. Fork-PR gated. Health check soft-fails with a warning if the
Pi is unhealthy so merging isn't blocked on a flaky runner. Nations
matrix entry scaffolded (commented) for when the NS350 is wired.
- scripts/hw-runner-health-check.sh: Pre-flight that verifies /dev/spidev,
/dev/gpiochip, and gpiod are present+accessible before the build.
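The second fix above turns on a return-value convention that is easy to get wrong: a parser that returns the payload length (>= 0) on success and a negative code on failure must be checked with `rc < 0`, not `rc != 0`, or every non-empty payload is reported as a failure. The following C program is an added illustration, not code from wolfTPM or wolfSPDM: the envelope format, the `parse_vendor_defined`/`secured_exchange_*` function names and the `EX_*` error codes are hypothetical stand-ins, and the 10-byte payload is a constructed TPM2_Startup success response used only as sample input. It shows the buggy check rejecting that 10-byte response, the fixed check accepting it, and the fixed caller still refusing a truncated or mis-tagged envelope.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical error codes (stand-ins, not wolfTPM/wolfSPDM constants). */
#define EX_OK            0
#define EX_E_BAD_LEN    (-1)  /* envelope truncated or length field too large */
#define EX_E_BAD_TAG    (-2)  /* wrong envelope tag */
#define EX_E_PEER_ERROR (-3)  /* what the buggy caller reports on any non-zero rc */

/* Hypothetical envelope layout: [tag:1][len:2, big-endian][payload:len]. */
#define EX_TAG_VENDOR 0x7E

/* Constructed sample payload: a 10-byte TPM2_Startup success response
 * (TPM_ST_NO_SESSIONS tag, size 10, TPM_RC_SUCCESS). */
static const uint8_t kStartupRsp[10] = {
    0x80, 0x01, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x00
};

/* Wraps payload in the envelope; returns total length or EX_E_BAD_LEN. */
int build_envelope(uint8_t* buf, size_t cap, const uint8_t* payload, size_t n)
{
    if (n > 0xFFFF || cap < 3 + n) return EX_E_BAD_LEN;
    buf[0] = EX_TAG_VENDOR;
    buf[1] = (uint8_t)(n >> 8);
    buf[2] = (uint8_t)(n & 0xFF);
    if (n) memcpy(buf + 3, payload, n);
    return (int)(3 + n);
}

/* Parser with the ">= 0 on success" convention: returns the payload length,
 * or a negative error code. Zero is a valid (empty) payload, not "OK". */
int parse_vendor_defined(const uint8_t* in, size_t inLen, const uint8_t** payload)
{
    size_t dataLen;
    if (in == NULL || inLen < 3) return EX_E_BAD_LEN;
    if (in[0] != EX_TAG_VENDOR) return EX_E_BAD_TAG;
    dataLen = ((size_t)in[1] << 8) | in[2];
    if (dataLen > inLen - 3) return EX_E_BAD_LEN;  /* bounds-check before use */
    if (payload) *payload = in + 3;
    return (int)dataLen;
}

/* Buggy caller (the regression pattern): any non-zero rc is treated as failure,
 * so a successful parse of a 10-byte payload (rc == 10) surfaces as an error. */
int secured_exchange_buggy(const uint8_t* in, size_t inLen, uint8_t* out, size_t* outLen)
{
    const uint8_t* p = NULL;
    int rc = parse_vendor_defined(in, inLen, &p);
    (void)out;
    if (rc != 0) return EX_E_PEER_ERROR;  /* BUG: positive length looks like an error */
    *outLen = 0;
    return EX_OK;
}

/* Fixed caller: only negative rc is an error; non-negative rc is the length,
 * which is checked against the output buffer before copying. */
int secured_exchange_fixed(const uint8_t* in, size_t inLen,
                           uint8_t* out, size_t outCap, size_t* outLen)
{
    const uint8_t* p = NULL;
    int rc = parse_vendor_defined(in, inLen, &p);
    if (rc < 0) return rc;                       /* propagate the real error */
    if ((size_t)rc > outCap) return EX_E_BAD_LEN;
    if (rc) memcpy(out, p, (size_t)rc);
    *outLen = (size_t)rc;
    return EX_OK;
}

int main(void)
{
    uint8_t env[3 + sizeof kStartupRsp], out[16];
    size_t outLen = 0;
    int rc;
    int envLen = build_envelope(env, sizeof env, kStartupRsp, sizeof kStartupRsp);

    rc = secured_exchange_buggy(env, (size_t)envLen, out, &outLen);
    printf("buggy  rc=%d (10-byte Startup response rejected)\n", rc);
    rc = secured_exchange_fixed(env, (size_t)envLen, out, sizeof out, &outLen);
    printf("fixed  rc=%d outLen=%zu\n", rc, outLen);
    /* Truncated envelope: length field says 10 but only 5 payload bytes follow. */
    rc = secured_exchange_fixed(env, 8, out, sizeof out, &outLen);
    printf("fixed  truncated rc=%d\n", rc);
    return 0;
}
```

The fixed caller keeps the parser's bounds check meaningful: a length field larger than the bytes actually received is rejected before any copy, and the specific negative code is passed up instead of being collapsed into a generic peer error.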
dgarske approved these changes on Apr 17, 2026
Summary

Three SPDM/test bug fixes plus a new hardware-in-the-loop CI workflow that runs examples/spdm/spdm_test.sh against real TPMs on a Raspberry Pi 5 self-hosted runner. Validated end-to-end on my fork: here (6/6 spdm_test.sh nuvoton passes on real Nuvoton NPCT75x).

Code fixes

1. src/tpm2_wrap.c - SPDM auto-connect regression
2. src/tpm2_spdm.c - ParseVendorDefined return-value mismatch
3. tests/unit_tests.c - unsupported-hash skip for non-ECC-complete TPMs

New CI workflow: .github/workflows/hw-spdm-test.yml

Runs examples/spdm/spdm_test.sh on a self-hosted Pi 5. Matrix includes both Nuvoton NPCT75x (CS0) and Nations NS350 (CS1); each entry runs a caps probe first and skips with ::warning:: if the expected vendor isn't present, so adding Nations hardware later needs no code change.

Test plan

- spdm_test.sh nuvoton passes on real Pi 5 + Nuvoton NPCT75x with --enable-nuvoton (SHA512 skip verified)
- hw-spdm job shows Skipped, confirming fork PRs cannot reach the runner
- make-test-swtpm.yml, cmake-build.yml, sanitizer, etc. unchanged; green on fork PR

Security

documented here