Add seal/unseal examples with PCR, PolicyAuthorize, and NV policies#464

Merged
dgarske merged 3 commits into wolfSSL:master from aidangarske:add-seal-test-ci
Feb 28, 2026

Conversation

aidangarske (Member) commented Feb 27, 2026

Description

Adds three new TPM 2.0 seal/unseal example programs demonstrating different
authorization policies, along with build system integration, a standalone
test suite, and a dedicated CI workflow.

New examples

  • seal_pcr (examples/seal/seal_pcr.c, 363 lines) — PCR-only policy
    seal/unseal. Binds secrets to specific PCR values without requiring a
    password or signing key. Supports separate -seal/-unseal operations,
    combined -both mode, configurable PCR index (-pcr=N), custom blob
    filenames (-sealblob=), and XOR/AES parameter encryption.

  • seal_policy_auth (examples/seal/seal_policy_auth.c, 529 lines) —
    PolicyAuthorize seal/unseal with a TPM-resident signing key. Creates an
    ECC or RSA signing key that can re-authorize the PCR policy, allowing
    secrets to survive authorized PCR changes (e.g., OS updates). Supports
    -ecc/-rsa key types, split seal/unseal with persistent authkey.bin,
    and XOR/AES parameter encryption.

  • seal_nv (examples/nvram/seal_nv.c, 364 lines) — NV storage with
    PCR policy. Stores secrets directly in TPM non-volatile memory protected
    by a PCR policy, with -store/-read/-delete lifecycle operations and
    configurable NV index (-nvindex=). No external blob files needed.

Build system

  • Autotools: Updated examples/seal/include.am and
    examples/nvram/include.am with build targets for all three new examples.
  • CMake: Updated CMakeLists.txt with add_tpm_example() entries.
  • Headers: Updated examples/seal/seal.h and examples/nvram/nvram.h
    with new function prototypes; removed old TPM2_PCR_Seal_With_Policy_Auth_*
    declarations that these examples replace.
  • .gitignore: Added built binaries (seal_pcr, seal_policy_auth,
    seal_nv).

Integration testing

  • run_examples.sh: Added ~110 lines of integration tests covering
    seal_pcr (seal/unseal + PCR mismatch negative test),
    seal_policy_auth (ECC + RSA variants), and seal_nv (store/read/delete
    lifecycle). These run as part of the existing make check CI.

Standalone test suite

  • seal_test.sh (262 lines, 28 tests) — Comprehensive standalone test
    script organized into 3 groups:
    • Group 1 (seal_pcr): Combined and split seal/unseal, PCR mismatch
      negative test, XOR/AES parameter encryption, custom blob filenames
    • Group 2 (seal_policy_auth): ECC and RSA key types, split
      seal/unseal, missing auth key negative test, XOR/AES encryption
    • Group 3 (seal_nv): Store/read/delete lifecycle, PCR mismatch
      negative test, custom NV index
    • Colored PASS/FAIL/SKIP output with summary; verbose log to seal_test.log
    • Respects WOLFCRYPT_ENABLE, WOLFCRYPT_DEFAULT, WOLFCRYPT_ECC,
      WOLFCRYPT_RSA environment variables for feature gating

CI workflow

  • .github/workflows/seal-test.yml — Dedicated GitHub Actions workflow
    that builds wolfSSL + wolfTPM with SWTPM simulator and runs seal_test.sh.
    Path-filtered to only trigger on changes to seal-related files. Follows
    the same build pattern as make-test-swtpm.yml. Uploads seal_test.log
    on failure.

Documentation

  • examples/seal/README.md — Documents all four seal examples (existing
    seal/unseal + new three) with usage examples, environment variable
    reference, and a policy comparison table.

Test plan

  • All 28 standalone seal tests pass locally (bash examples/seal/seal_test.sh)
  • CI workflow triggers and passes on seal-related file changes
  • Verified all 28 tests pass, plus manual tests on SLB9672 HW
  • Copilot review

   New examples:
   - seal_pcr: PCR-only policy seal/unseal. Binds secrets to specific PCR
     values without password or signing key. Supports split seal/unseal,
     configurable PCR index, custom blob filenames, XOR/AES param encryption.
   - seal_policy_auth: PolicyAuthorize with TPM-resident signing key (ECC/RSA).
     Signing key can re-authorize PCR policy, allowing secrets to survive
     authorized PCR changes (e.g., OS updates). Supports split seal/unseal,
     XOR/AES param encryption.
   - seal_nv: NV storage with PCR policy. Stores secrets directly in TPM
     non-volatile memory with store/read/delete lifecycle and configurable
     NV index. No external blob files needed.

   Build system:
   - Autotools: Updated include.am for seal and nvram with new build targets
   - CMake: Added add_tpm_example() entries for all three examples
   - Headers: Updated seal.h and nvram.h with new prototypes, removed old
     TPM2_PCR_Seal_With_Policy_Auth_* declarations
   - .gitignore: Added built binaries

   Testing:
   - run_examples.sh: Added ~110 lines of integration tests for seal_pcr,
     seal_policy_auth (ECC + RSA), and seal_nv (store/read/delete lifecycle)
   - seal_test.sh: Standalone test script with 28 tests across 3 groups
     including positive, negative, param encryption, and custom path tests
   - seal-test.yml: Dedicated CI workflow with SWTPM, path-filtered to
     seal-related files, follows make-test-swtpm.yml pattern

   Documentation:
   - README.md: Usage examples and policy comparison table for all seal examples
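The three examples above differ only in what the TPM must recompute before it releases the secret: seal_pcr and seal_nv bind the object's authPolicy to a TPM2_PolicyPCR digest, while seal_policy_auth binds it to a TPM2_PolicyAuthorize digest that depends on the signing key's Name rather than on PCR contents. The following Python script is an added illustration, not code from this PR or from wolfTPM; it recomputes those digests from the TPM 2.0 Part 3 definitions with hashlib, so a reader can see why a PCR change after an OS update breaks the PCR-only case but leaves the PolicyAuthorize case intact, provided the authkey signs a new approval hash. The PCR measurements, the key's public area and the empty policyRef are constructed stand-ins, and only the SHA-256 bank with 24 PCRs is modelled.

```python
import hashlib
import struct

# TPM 2.0 constants (Part 2): command codes and the SHA-256 algorithm id.
TPM_CC_PolicyPCR = 0x0000017F
TPM_CC_PolicyAuthorize = 0x0000016A
TPM_ALG_SHA256 = 0x000B
ZERO_DIGEST = bytes(32)  # a fresh policy session starts from an all-zero digest


def marshal_pcr_selection(pcr_indices, hash_alg=TPM_ALG_SHA256):
    """Marshal a one-bank TPML_PCR_SELECTION: count || hashAlg || sizeofSelect || bitmap."""
    bitmap = bytearray(3)  # 24 PCRs -> 3 selection bytes, LSB-first within each byte
    for idx in pcr_indices:
        bitmap[idx // 8] |= 1 << (idx % 8)
    return struct.pack(">IHB", 1, hash_alg, len(bitmap)) + bytes(bitmap)


def policy_pcr(pcr_indices, pcr_values, old_digest=ZERO_DIGEST):
    """TPM2_PolicyPCR: new = H(old || TPM_CC_PolicyPCR || pcrs || H(selected PCR values))."""
    digest_tpm = hashlib.sha256(b"".join(pcr_values)).digest()
    return hashlib.sha256(old_digest + struct.pack(">I", TPM_CC_PolicyPCR)
                          + marshal_pcr_selection(pcr_indices) + digest_tpm).digest()


def key_name(public_area, name_alg=TPM_ALG_SHA256):
    """Name of a TPM object: nameAlg || H(marshalled TPMT_PUBLIC)."""
    return struct.pack(">H", name_alg) + hashlib.sha256(public_area).digest()


def policy_authorize(signer_name, policy_ref=b""):
    """TPM2_PolicyAuthorize: the running digest is reset to zero, then extended with
    TPM_CC_PolicyAuthorize || keySign.name || policyRef."""
    return hashlib.sha256(ZERO_DIGEST + struct.pack(">I", TPM_CC_PolicyAuthorize)
                          + signer_name + policy_ref).digest()


def approval_hash(approved_policy, policy_ref=b""):
    """aHash = H(approvedPolicy || policyRef); the signing key signs this to approve a policy."""
    return hashlib.sha256(approved_policy + policy_ref).digest()


def pcr_extend(old_value, measurement):
    """PCR extend: new = H(old || H(measurement))."""
    return hashlib.sha256(old_value + hashlib.sha256(measurement).digest()).digest()


def demo(pcr_index=16):
    # Constructed PCR contents: at seal time, and after a simulated OS update.
    pcr_at_seal = pcr_extend(ZERO_DIGEST, b"boot-image-v1")
    pcr_after_update = pcr_extend(ZERO_DIGEST, b"boot-image-v2")

    # seal_pcr / seal_nv: authPolicy is the PolicyPCR digest, so it must be reproduced exactly.
    policy_at_seal = policy_pcr([pcr_index], [pcr_at_seal])
    policy_after_update = policy_pcr([pcr_index], [pcr_after_update])

    # seal_policy_auth: authPolicy depends only on the signing key's Name (constructed here),
    # not on the PCR values, so the sealed object itself never has to be recreated.
    signer_name = key_name(b"constructed TPMT_PUBLIC of authkey.bin")
    auth_policy = policy_authorize(signer_name)

    return {
        "pcr_policy_still_satisfied": policy_at_seal == policy_after_update,
        "auth_policy": auth_policy,
        "auth_policy_after_update": policy_authorize(signer_name),
        # What the authkey must sign so TPM2_PolicyAuthorize accepts the new PCR policy.
        "approval_to_sign_after_update": approval_hash(policy_after_update),
        "approval_signed_at_seal": approval_hash(policy_at_seal),
    }


if __name__ == "__main__":
    r = demo()
    print("PCR-only policy survives update:", r["pcr_policy_still_satisfied"])
    print("PolicyAuthorize digest unchanged:", r["auth_policy"] == r["auth_policy_after_update"])
    print("new approval hash to sign:", r["approval_to_sign_after_update"].hex())
```

The operational consequence is what the PR's negative tests check: for seal_pcr and seal_nv a PCR mismatch must make unseal fail, while for seal_policy_auth the failure mode is a missing or wrong authkey.bin, because without that key nothing can sign the approval hash for the current PCR state.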
@aidangarske aidangarske self-assigned this Feb 27, 2026
Copilot AI review requested due to automatic review settings February 27, 2026 01:07
Copilot AI left a comment

Pull request overview

Adds new TPM 2.0 seal/unseal example programs covering PCR-only, PolicyAuthorize, and NV+PCR policies, plus build integration and automated test coverage (standalone + CI) to validate the new examples.

Changes:

  • Added three new example programs: seal_pcr, seal_policy_auth, and seal_nv.
  • Integrated new examples into Autotools/CMake builds and updated example headers.
  • Added standalone seal_test.sh, expanded run_examples.sh integration testing, and introduced a dedicated GitHub Actions workflow.

Reviewed changes

Copilot reviewed 14 out of 15 changed files in this pull request and generated 7 comments.

Files reviewed:

  • examples/seal/seal_test.sh: New standalone test runner for seal-related examples (3 test groups, logging, gating).
  • examples/seal/seal_policy_auth.c: New self-contained PolicyAuthorize + PCR seal/unseal example.
  • examples/seal/seal_pcr.c: New PCR-only policy seal/unseal example.
  • examples/nvram/seal_nv.c: New NV storage (PCR policy) example.
  • examples/seal/seal.h: Updates example function prototypes to include new seal examples.
  • examples/pcr/pcr.h: Removes obsolete PolicyAuth seal prototype from PCR header.
  • examples/nvram/nvram.h: Adds TPM2_NVRAM_SealNV_Example prototype and removes obsolete ones.
  • examples/seal/include.am: Autotools build + dist integration for new seal examples and seal_test.sh.
  • examples/nvram/include.am: Autotools build + dist integration for seal_nv.
  • examples/seal/README.md: New documentation covering seal examples, usage, testing, and policy comparison.
  • examples/run_examples.sh: Adds CI integration tests for the new seal examples.
  • CMakeLists.txt: Adds CMake build targets for the new examples.
  • .gitignore: Ignores the newly built example binaries.
  • .github/workflows/seal-test.yml: Adds a dedicated workflow to run seal_test.sh under SWTPM.
  • .github/workflows/zephyr.yml: Narrows push branch triggers to master/main/release/**.

…for supply-chain safety. Add explicit ref: master for wolfSSL, no ref for ibmswtpm2 (matches other workflows).

  2. examples/seal/seal_policy_auth.c — Clarify header comment: no pre-existing key needed, but authkey.bin must be retained for unseal.
  3. examples/seal/seal_test.sh
  - Add || return 1 to setup_pcr/change_pcr extend calls
  - Use grep -F -q -- for fixed-string secret matching
  - Add 6 new param enc tests (3.4a-c XOR, 3.5a-c AES) for seal_nv
  4. examples/nvram/seal_nv.c — Implement real parameter encryption:
  - Add paramEncSession (separate from tpmSession to avoid conflict)
  - Start unsalted HMAC session with XOR/AES-CFB
  - Place on session slot 2 (slot 1 is used internally by NVWriteData for NV handle auth)
  - Clean up session in exit path
  5. examples/run_examples.sh — Add seal_nv XOR param encryption integration test
@dgarske dgarske merged commit dcb54b3 into wolfSSL:master Feb 28, 2026
75 checks passed