[feat] Add Key Management Enclaves with YubiKey and NanoPC-T6 Support #864

Workflow file for this run

	# this ci pipeline will build, test and publish (can but currently does not) artifacts for linux, win, macosx

	name: CI

	on:
	push:
	branches: [ "-dev-"]
	pull_request:
	branches: [ "*" ]

	jobs:
	build:
	name: ${{ matrix.name }}

	env:
	CHECK_DOC: "0"
	CCACHE_SIZE: "100M"
	CCACHE_TEMPDIR: /tmp/.ccache-temp
	CCACHE_COMPRESS: "1"
	PYTHON_DEBUG: "1"
	MAC_SDK_URL: https://bitcoincore.org/depends-sources/sdks
	ANDROID_NDK_URL: https://dl.google.com/android/repository/

	strategy:
	fail-fast: false
	matrix:
	name:
	- armhf-linux
	- aarch64-linux
	- aarch64-linux-optee
	- aarch64-android
	- x86_64-nixos
	- x86_64-linux-dbg
	- x86_64-linux-openenclave
	- x86_64-macos
	# - arm64-macos
	- x86_64-win
	- x86_64-win-native
	- i686-win
	- i686-linux
	include:
	- name: armhf-linux
	host: arm-linux-gnueabihf
	os: ubuntu-20.04
	packages: g++-arm-linux-gnueabihf qemu-user-static qemu-user
	dep-opts: "CROSS_COMPILE='yes' SPEED=slow V=1"
	config-opts: "--enable-static --disable-shared --enable-test-passwd"
	run-tests: true
	goal: install
	- name: aarch64-linux
	host: aarch64-linux-gnu
	os: ubuntu-20.04
	packages: g++-aarch64-linux-gnu qemu-user-static qemu-user
	dep-opts: "CROSS_COMPILE='yes' SPEED=slow V=1"
	config-opts: "LIBS='-levent_pthreads' --enable-static --disable-shared --enable-test-passwd"
	run-tests: true
	goal: install
	- name: aarch64-linux-optee
	host: aarch64-linux-gnu
	os: ubuntu-20.04
	run-tests: true
	run-container: true
	packages: g++-aarch64-linux-gnu qemu-user-static qemu-user
	dep-opts: "CROSS_COMPILE='yes' SPEED=slow V=1"
	config-opts: "LIBS=-levent_pthreads --enable-static --disable-shared --enable-test-passwd --enable-optee CFLAGS=-U_FORTIFY_SOURCE"
	goal: install
	- name: aarch64-android
	host: aarch64-linux-android
	os: ubuntu-20.04
	packages: unzip
	dep-opts: "CROSS_COMPILE='yes' SPEED=slow V=1"
	config-opts: "--enable-static --disable-shared --enable-test-passwd"
	run-tests: true
	goal: install
	android-ndk: android-ndk-r25c-linux
	android-ndk-shasum: "769ee342ea75f80619d985c2da990c48b3d8eaf45f48783a2d48870d04b46108"
	- name: x86_64-nixos
	host: x86_64-pc-linux-gnu
	os: ubuntu-20.04
	packages: docker.io
	dep-opts: "SPEED=slow V=1"
	config-opts: "--enable-static --disable-shared --enable-test-passwd"
	run-tests: true
	run-container: true
	goal: install
	- name: x86_64-linux-dbg
	host: x86_64-pc-linux-gnu
	os: ubuntu-20.04
	run-tests: true
	packages: python3-dev python3-dbg python
	dep-opts: "DEBUG=1 SPEED=slow V=1"
	config-opts: "--enable-debug --enable-test-passwd"
	goal: install
	- name: x86_64-linux-openenclave
	host: x86_64-pc-linux-gnu
	os: ubuntu-20.04
	run-tests: true
	run-container: true
	packages: python3-dev python3-dbg python
	dep-opts: "DEBUG=1 SPEED=slow V=1"
	config-opts: "--enable-openenclave --enable-test-passwd CFLAGS=-U_FORTIFY_SOURCE"
	goal: install
	- name: x86_64-macos
	host: x86_64-apple-darwin15
	os: macos-12
	run-tests: true
	dep-opts: "SPEED=slow V=1"
	config-opts: "--enable-static --disable-shared --enable-test-passwd"
	packages: cmake zlib xorriso
	goal: install
	mac-sdk: 12.2
	mac-sdk-build: 12B45b
	mac-sdk-shasum: "df75d30ecafc429e905134333aeae56ac65fac67cb4182622398fd717df77619"
	# - name: arm64-macos
	# host: arm64-apple-darwin
	# os: macos-13-xlarge
	# run-tests: true
	# dep-opts: "SPEED=slow V=1"
	# config-opts: "--enable-static --disable-shared --enable-test-passwd"
	# packages: cmake zlib xorriso libtool
	# goal: install
	# mac-sdk: 12.2
	# mac-sdk-build: 12B45b
	# mac-sdk-shasum: "df75d30ecafc429e905134333aeae56ac65fac67cb4182622398fd717df77619"
	- name: x86_64-win
	host: x86_64-w64-mingw32
	arch: i386
	os: ubuntu-20.04
	packages: python3 nsis g++-mingw-w64-x86-64 wine64 wine-stable bc wine-binfmt
	postinstall: \|
	sudo dpkg -s mono-runtime && sudo apt-get remove mono-runtime \|\| echo "Very nothing to uninstall."
	sudo update-alternatives --set x86_64-w64-mingw32-gcc /usr/bin/x86_64-w64-mingw32-gcc-posix
	sudo update-alternatives --set x86_64-w64-mingw32-g++ /usr/bin/x86_64-w64-mingw32-g++-posix
	sudo update-binfmts --import /usr/share/binfmts/wine
	dep-opts: "CROSS_COMPILE='yes' SPEED=slow V=1"
	config-opts: "--enable-test-passwd"
	run-tests: true
	- name: x86_64-win-native
	host: x86_64-pc-windows-msvc
	os: windows-latest
	packages: cmake
	postinstall: \|
	choco install visualstudio2019buildtools --package-parameters "--add Microsoft.VisualStudio.Component.VC.Tools.x86.x64"
	dep-opts: "CROSS_COMPILE='no' SPEED=slow V=1"
	config-opts: ""
	run-tests: false
	goal: install
	- name: i686-win
	host: i686-w64-mingw32
	arch: i386
	os: ubuntu-20.04
	packages: python3-pip python3-setuptools nsis g++ g++-mingw-w64-i686 mingw-w64-i686-dev wine-stable winehq-stable bc wine-binfmt binfmt-support
	preinstall: \|
	OS_FLAVOR=$(cat /etc/*ease \| grep UBUNTU_CODENAME \| cut -d "=" -f 2)
	if [ ! -d "/etc/apt/keyrings" ]; then sudo mkdir -pm755 /etc/apt/keyrings; fi
	sudo wget -O /etc/apt/keyrings/winehq-archive.key https://dl.winehq.org/wine-builds/winehq.key
	sudo wget -NP /etc/apt/sources.list.d/ https://dl.winehq.org/wine-builds/ubuntu/dists/$OS_FLAVOR/winehq-$OS_FLAVOR.sources
	sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list
	sudo apt-get update -qq
	sudo apt-get install -yqq --allow-downgrades libgd3/focal libpcre2-8-0/focal libpcre2-16-0/focal libpcre2-32-0/focal libpcre2-posix2/focal
	sudo apt-get purge -yqq libmono* moby* mono* php* libgdiplus libpcre2-posix3 libzip4
	postinstall: \|
	sudo update-alternatives --set i686-w64-mingw32-gcc /usr/bin/i686-w64-mingw32-gcc-posix
	sudo update-alternatives --set i686-w64-mingw32-g++ /usr/bin/i686-w64-mingw32-g++-posix
	sudo update-binfmts --import /usr/share/binfmts/wine
	dep-opts: "CROSS_COMPILE='yes' SPEED=slow V=1"
	config-opts: "--enable-test-passwd"
	run-tests: true
	goal: install
	- name: i686-linux
	host: i686-pc-linux-gnu
	os: ubuntu-20.04
	packages: g++-multilib bc
	run-tests: true
	dep-opts: "SPEED=slow V=1"
	config-opts: "--enable-static --disable-shared --enable-test-passwd"
	goal: install

	runs-on: ${{ matrix.os }}

	steps:
	- name: add architecture
	if: ${{ matrix.arch }}
	run: \|
	sudo dpkg --add-architecture ${{ matrix.arch }}

	- name: Pre install
	if: ${{ matrix.preinstall }}
	run: ${{ matrix.preinstall }}

	- name: install packages
	run: \|
	if ([ "${{ matrix.name }}" != "x86_64-win-native" ]); then
	if ([ "${{ matrix.name }}" == "x86_64-macos" ] \|\| [ "${{ matrix.name }}" == "arm64-macos" ]); then
	brew update
	brew install automake coreutils ${{ matrix.packages }}
	echo PATH="/usr/local/opt/coreutils/libexec/gnubin:$PATH" >> ~/.bashrc
	source ~/.bashrc
	else
	sudo apt-get update
	DEBIAN_FRONTEND=noninteractive sudo apt-get install -y autoconf automake libtool-bin build-essential curl python3 valgrind ${{ matrix.packages }}
	fi
	fi
	shell: bash

	- name: post install
	if: ${{ matrix.postinstall }}
	run: ${{ matrix.postinstall }}

	- name: checkout
	uses: actions/checkout@v4

	- name: mac sdk cache
	if: ${{ matrix.mac-sdk }}
	uses: actions/cache@v4
	env:
	cache-name: sdk
	with:
	path: ./depends/sdk-sources
	key: ${{ matrix.name }}-${{ env.cache-name }}-${{ hashFiles('.github/workflows/ci.yml') }}

	- name: install mac sdk
	if: ${{ matrix.mac-sdk }}
	env:
	sdk-filename: Xcode-${{ matrix.mac-sdk }}-${{ matrix.mac-sdk-build }}-extracted-SDK-with-libcxx-headers.tar.gz
	run: \|
	mkdir -p ./depends/sdk-sources
	mkdir -p ./depends/SDKs
	echo "${{ matrix.mac-sdk-shasum }} depends/sdk-sources/${{ env.sdk-filename }}" \| sha256sum -c \|\| \
	curl --location --fail $MAC_SDK_URL/${{ env.sdk-filename }} -o depends/sdk-sources/${{ env.sdk-filename }} &&\
	echo "${{ matrix.mac-sdk-shasum }} depends/sdk-sources/${{ env.sdk-filename }}" \| sha256sum -c
	tar -C depends/SDKs -xf depends/sdk-sources/${{ env.sdk-filename }}

	- name: android ndk cache
	if: ${{ matrix.android-ndk }}
	uses: actions/cache@v4
	env:
	cache-name: android-ndk
	with:
	path: ./depends/sdk-sources
	key: ${{ matrix.name }}-${{ env.cache-name }}-${{ hashFiles('.github/workflows/ci.yml') }}

	- name: install android ndk
	if: ${{ matrix.android-ndk }}
	env:
	ndk-filename: ${{ matrix.android-ndk }}.zip
	run: \|
	mkdir -p ./depends/sdk-sources
	mkdir -p ./depends/SDKs
	echo "${{ matrix.android-ndk-shasum }} depends/sdk-sources/${{ env.ndk-filename }}" \| sha256sum -c \|\| \
	curl --location --fail $ANDROID_NDK_URL/${{ env.ndk-filename }} -o depends/sdk-sources/${{ env.ndk-filename }} &&\
	echo "${{ matrix.android-ndk-shasum }} depends/sdk-sources/${{ env.ndk-filename }}" \| sha256sum -c
	unzip depends/sdk-sources/${{ env.ndk-filename }} -d depends/SDKs

	- name: dependency cache
	uses: actions/cache@v4
	env:
	cache-name: depends
	with:
	path: ./depends/built
	key: ${{ matrix.name }}-${{ env.cache-name }}-${{ hashFiles('depends/packages/*') }}

	- name: build depends
	run: \|
	make $MAKEJOBS -C depends HOST=${{ matrix.host }} ${{ matrix.dep-opts }}
	if: matrix.host != 'x86_64-pc-windows-msvc'

	- name: ccache
	uses: actions/cache@v4
	env:
	cache-name: ccache
	with:
	path: ~/.ccache
	key: ${{ matrix.name }}-${{ env.cache-name }}-${{ hashFiles('**/configure.ac') }}

	- name: configure libdogecoin
	run: \|
	depends/${{ matrix.host }}/native/bin/ccache --max-size=$CCACHE_SIZE
	./autogen.sh
	./configure --prefix=`pwd`/depends/${{ matrix.host }} ${{ matrix.config-opts }} HOST=${{ matrix.host }} \|\| ( cat config.log && false)
	if: matrix.host != 'x86_64-pc-windows-msvc'

	- name: build libdogecoin
	run: \|
	build_dir=./build/libdogecoin-${{ github.sha }}-${{ matrix.name }}
	mkdir -p $build_dir/bin $build_dir/docs $build_dir/examples $build_dir/include $build_dir/lib $build_dir/test/ $build_dir/test/wordlist
	if ([ "${{ matrix.host }}" == "x86_64-pc-windows-msvc" ]); then
	cmake -B $build_dir
	cmake --build $build_dir
	else
	make -j"$(getconf _NPROCESSORS_ONLN)" SPEED=slow V=1
	if ([ "${{ matrix.name }}" == "x86_64-win" ] \|\| [ "${{ matrix.name }}" == "i686-win" ]); then
	cp spvnode.exe such.exe sendtx.exe $build_dir/bin/
	else
	cp spvnode such sendtx $build_dir/bin/
	fi
	cp doc/*.md $build_dir/docs/
	cp contrib/examples/example.c $build_dir/examples/
	cp include/dogecoin/dogecoin.h \
	include/dogecoin/libdogecoin.h \
	include/dogecoin/constants.h \
	config/libdogecoin-config.h \
	include/dogecoin/uthash.h $build_dir/include/
	cp test/wordlist/* $build_dir/test/wordlist/
	cp .libs/* $build_dir/lib/
	cp LICENSE $build_dir/
	chmod +x ./build/libdogecoin-${{ github.sha }}-${{ matrix.name }}/*
	fi
	shell: bash

	- name: test libdogecoin
	if: ${{ matrix.run-tests }}
	run: \|
	case "${{ matrix.name }}" in
	"armhf-linux")
	qemu-arm -E LD_LIBRARY_PATH=/usr/arm-linux-gnueabihf/lib/ /usr/arm-linux-gnueabihf/lib/ld-linux-armhf.so.3 ./tests
	;;
	"aarch64-linux" \| "aarch64-linux-optee")
	qemu-aarch64 -E LD_LIBRARY_PATH=/usr/aarch64-linux-gnu/lib/ /usr/aarch64-linux-gnu/lib/ld-linux-aarch64.so.1 ./tests
	;;
	"x86_64-linux-dbg" \| "x86_64-linux-openenclave" \| "x86_64-nixos")
	make check -j"$(getconf _NPROCESSORS_ONLN)" V=1
	python3 tooltests.py
	sudo ./rpctest/fetch.py --host x86_64-linux-gnu
	sudo rm /usr/local/bin/dogecoind
	;;
	"aarch64-android"):
	wget https://dl.google.com/android/repository/commandlinetools-linux-6858069_latest.zip
	unzip commandlinetools-linux-6858069_latest.zip
	mkdir -p ~/.android-sdk/cmdline-tools/latest
	mv cmdline-tools/* ~/.android-sdk/cmdline-tools/latest
	export ANDROID_SDK_ROOT=~/.android-sdk
	export PATH=$PATH:$ANDROID_SDK_ROOT/cmdline-tools/latest/bin:$ANDROID_SDK_ROOT/platform-tools
	yes \| sdkmanager --licenses --sdk_root=$ANDROID_SDK_ROOT
	sdkmanager --update --sdk_root=$ANDROID_SDK_ROOT
	sdkmanager "platform-tools" --sdk_root=$ANDROID_SDK_ROOT
	DOCKER_IMAGE=us-docker.pkg.dev/android-emulator-268719/images/r-google-x64:30.0.23
	PORT=15555
	container_id=$(docker run -d \
	--device /dev/kvm \
	--publish 8554:8554/tcp \
	--publish $PORT:5555/tcp \
	-e TOKEN="$(cat ~/.emulator_console_auth_token)" \
	-e ADBKEY="$(cat ~/.android/adbkey)" \
	$DOCKER_IMAGE)
	echo "The container is running with id: $container_id"
	adb connect localhost:$PORT
	adb wait-for-device
	while [ "$(adb shell getprop sys.boot_completed \| tr -d '\r')" != "1" ]; do
	sleep 1
	done
	echo "The device is ready"
	adb push ./tests /data/local/tmp/
	adb shell "mkdir -p /data/local/tmp/test"
	adb push ./test/wordlist /data/local/tmp/test
	adb shell "cd /data/local/tmp/; chmod 755 tests; ./tests"
	echo "docker stop ${container_id}"
	;;
	*)
	make check -j"$(getconf _NPROCESSORS_ONLN)" V=1
	;;
	esac

	- name: run container
	if: ${{ matrix.run-container }}
	shell: bash
	run: \|
	case "${{ matrix.name }}" in
	"x86_64-linux-openenclave" \| "aarch64-linux-optee" \| "x86_64-nixos"):
	if ([ "${{ matrix.name }}" == "aarch64-linux-optee" ]); then
	make install
	printf "%s" "${{ secrets.DEFAULT_TA_PEM }}" > rsa_private.pem
	docker pull jforissier/optee_os_ci:qemu_check
	docker run -v "$(pwd):/src" -w /src jforissier/optee_os_ci:qemu_check /bin/bash -c "\
	# Set up the environment and build the OP-TEE SDK
	set -e && \
	apt update && \
	apt -y upgrade && \
	apt -y install netcat libusb-1.0-0-dev swig python2 python3-dev python3-setuptools e2tools && \
	curl https://storage.googleapis.com/git-repo-downloads/repo > /bin/repo && chmod a+x /bin/repo && \
	mkdir -p optee && \
	cd optee && \
	repo init -u https://github.com/edtubbs/manifest.git -m nanopc-t6.xml -b nanopc-t6 && \
	export FORCE_UNSAFE_CONFIGURE=1 && \
	repo sync -j\"$(getconf _NPROCESSORS_ONLN)\" && \
	mv /src/rsa_private.pem /src/optee/optee_os/keys/default_ta.pem && \
	patch -F 4 /src/optee/build/common.mk < /src/src/optee/common.mk.patch && \
	patch /src/optee/build/kconfigs/qemu.conf < /src/src/optee/qemu.conf.patch && \
	patch /src/optee/linux/arch/arm64/boot/dts/rockchip/rk3588-nanopi6-common.dtsi < /src/src/optee/rk3588-nanopi6-common.dtsi.patch && \
	patch /src/optee/u-boot/include/configs/nanopi6.h < /src/src/optee/nanopi6.h.patch && \
	cp /src/src/optee/platform.mk /src/optee/trusted-firmware-a/plat/rockchip/rk3588/platform.mk && \
	cp /src/src/optee/plat_helpers.S /src/optee/trusted-firmware-a/plat/rockchip/common/aarch64/plat_helpers.S && \
	cp /src/src/optee/pmu.c /src/optee/trusted-firmware-a/plat/rockchip/rk3588/drivers/pmu/pmu.c && \
	cd build && \
	make toolchains -j\"$(getconf _NPROCESSORS_ONLN)\" && \
	export CFG_TEE_CORE_LOG_LEVEL=0 && \
	export CFG_ATTESTATION_PTA=y && \
	export CFG_ATTESTATION_PTA_KEY_SIZE=1024 && \
	export CFG_WITH_USER_TA=y && \

	# Generate subkeys
	openssl genrsa -out /src/optee/optee_test/ta/top_level_subkey.pem && \
	openssl genrsa -out /src/optee/optee_test/ta/mid_level_subkey.pem && \
	openssl genrsa -out /src/optee/optee_test/ta/identity_subkey2.pem && \

	# Sign the top-level subkey with the root key
	/src/optee/optee_os/scripts/sign_encrypt.py sign-subkey \
	--uuid f04fa996-148a-453c-b037-1dcfbad120a6 \
	--key /src/optee/optee_os/keys/default_ta.pem --in /src/optee/optee_test/ta/top_level_subkey.pem \
	--out /src/optee/optee_test/ta/top_level_subkey.bin --max-depth 4 --name-size 64 \
	--subkey-version 1 && \

	# Generate UUID for the mid-level subkey
	/src/optee/optee_os/scripts/sign_encrypt.py subkey-uuid --in /src/optee/optee_test/ta/top_level_subkey.bin \
	--name mid_level_subkey && \

	# Sign the mid-level subkey with the top-level subkey
	/src/optee/optee_os/scripts/sign_encrypt.py sign-subkey \
	--uuid 1a5948c5-1aa0-518c-86f4-be6f6a057b16 \
	--key /src/optee/optee_test/ta/top_level_subkey.pem --subkey /src/optee/optee_test/ta/top_level_subkey.bin \
	--name-size 64 --subkey-version 1 \
	--name mid_level_subkey \
	--in /src/optee/optee_test/ta/mid_level_subkey.pem --out /src/optee/optee_test/ta/mid_level_subkey.bin && \

	# Generate UUID for subkey1_ta
	/src/optee/optee_os/scripts/sign_encrypt.py subkey-uuid --in /src/optee/optee_test/ta/mid_level_subkey.bin \
	--name subkey1_ta && \

	# Sign the identity subkey2 with the root key
	/src/optee/optee_os/scripts/sign_encrypt.py sign-subkey \
	--uuid a720ccbb-51da-417d-b82e-e5445d474a7a \
	--key /src/optee/optee_os/keys/default_ta.pem --in /src/optee/optee_test/ta/identity_subkey2.pem \
	--out /src/optee/optee_test/ta/identity_subkey2.bin --max-depth 0 --name-size 0 \
	--subkey-version 1 && \

	# Build and test the OP-TEE OS and client
	make -j\"$(getconf _NPROCESSORS_ONLN)\" && \
	cd /src && \
	git clone https://github.com/OP-TEE/optee_client.git && \
	cd optee_client && \
	mkdir -p build && \
	cd build && \
	export PATH=/src/optee/toolchains/aarch64/bin:$PATH && \
	export CC=aarch64-linux-gnu-gcc && \
	cmake .. -DCMAKE_C_COMPILER=aarch64-linux-gnu-gcc -DCMAKE_INSTALL_PREFIX=/src/optee/toolchains/aarch64 && \
	make -j\"$(getconf _NPROCESSORS_ONLN)\" VERBOSE=1 && \
	make install"
	docker run --privileged -v "$(pwd):/src" -w /src jforissier/optee_os_ci:qemu_check /bin/bash -c "\
	export PATH=/src/optee/toolchains/aarch64/bin:$PATH && \
	export CC=aarch64-linux-gnu-gcc && \

	# Run the libdogecoin TA
	cd /src/src/optee/host && \
	make -j"$(getconf _NPROCESSORS_ONLN)" \
	CROSS_COMPILE=aarch64-linux-gnu- \
	LDFLAGS=\"-L/src/optee/toolchains/aarch64/lib -L/src/depends/aarch64-linux-gnu/lib -ldogecoin -lunistring\" \
	CFLAGS=\"-I/src/optee/toolchains/aarch64/include -I/src/src/optee/ta/include -I/src/depends/aarch64-linux-gnu/include -I/src/depends/aarch64-linux-gnu/include/ykpers-1 -I/src/depends/aarch64-linux-gnu/include/dogecoin\" && \

	# Build the Trusted Application
	cd ../ta && \
	make -j"$(getconf _NPROCESSORS_ONLN)" \
	CROSS_COMPILE=aarch64-linux-gnu- \
	LDFLAGS=\"-L/src/depends/aarch64-linux-gnu/lib -ldogecoin -lunistring\" \
	CFLAGS=\"-I/src/depends/aarch64-linux-gnu/include -I/src/depends/aarch64-linux-gnu/include/dogecoin\" \
	PLATFORM=vexpress-qemu_armv8a \
	TA_DEV_KIT_DIR=/src/optee/optee_os/out/arm/export-ta_arm64 && \

	# Create symbolic links and prepare image
	mkdir -p /src/optee/out/bin && \
	cd /src/optee/out/bin && \
	ln -sf ../../linux/arch/arm64/boot/Image Image && \
	ln -sf ../../trusted-firmware-a/build/qemu/release/bl1.bin bl1.bin && \
	ln -sf ../../trusted-firmware-a/build/qemu/release/bl2.bin bl2.bin && \
	ln -sf ../../trusted-firmware-a/build/qemu/release/bl31.bin bl31.bin && \
	ln -sf ../../optee_os/out/arm/core/tee-header_v2.bin bl32.bin && \
	ln -sf ../../optee_os/out/arm/core/tee-pager_v2.bin bl32_extra1.bin && \
	ln -sf ../../optee_os/out/arm/core/tee-pageable_v2.bin bl32_extra2.bin && \
	ln -sf ../../edk2/Build/ArmVirtQemuKernel-AARCH64/RELEASE_GCC5/FV/QEMU_EFI.fd bl33.bin && \
	ln -sf ../../out-br/images/rootfs.cpio.gz rootfs.cpio.gz && \
	dd if=/dev/zero of=/src/optee/out/bin/libdogecoin.img bs=1M count=32 && \
	mkfs.ext4 /src/optee/out/bin/libdogecoin.img && \
	mkdir -p /src/optee/out-br/mnt && \
	mount -o loop /src/optee/out/bin/libdogecoin.img /src/optee/out-br/mnt && \
	cp /src/src/optee/ta/*.ta /src/optee/out-br/mnt && \
	cp /src/src/optee/host/optee_libdogecoin /src/optee/out-br/mnt && \
	cp /src/spvnode /src/optee/out-br/mnt && \
	cp /src/sendtx /src/optee/out-br/mnt && \
	cp /src/such /src/optee/out-br/mnt && \
	cp /src/tests /src/optee/out-br/mnt && \
	cp /src/bench /src/optee/out-br/mnt && \
	mkdir -p /src/optee/out-br/mnt/data/tee && \
	umount /src/optee/out-br/mnt && \
	exit"
	elif ([ "${{ matrix.name }}" == "x86_64-linux-openenclave" ]); then
	make install && \
	mkdir -p src/openenclave/build && \
	printf "%s" "${{ secrets.OE_PRIVATE_PEM }}" > src/openenclave/build/private.pem && \
	openssl rsa -pubout -in src/openenclave/build/private.pem -out src/openenclave/build/public.pem && \
	docker run -v $PWD:/src -w /src ubuntu:20.04 bash -c "\
	# Install dependencies
	export DEBIAN_FRONTEND=noninteractive && \
	apt-get update && \
	apt-get install -y wget gnupg2 cmake && \
	cd /src/src/openenclave && \
	echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' \| tee /etc/apt/sources.list.d/intel-sgx.list && \
	wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \| apt-key add - && \
	echo 'deb http://apt.llvm.org/focal/ llvm-toolchain-focal-11 main' \| tee /etc/apt/sources.list.d/llvm-toolchain-focal-11.list && \
	wget -qO - https://apt.llvm.org/llvm-snapshot.gpg.key \| apt-key add - && \
	echo 'deb [arch=amd64] https://packages.microsoft.com/ubuntu/20.04/prod focal main' \| tee /etc/apt/sources.list.d/msprod.list && \
	wget -qO - https://packages.microsoft.com/keys/microsoft.asc \| apt-key add - && \
	apt update && \
	apt -y install clang-11 libssl-dev gdb libsgx-enclave-common libsgx-quote-ex libprotobuf17 libsgx-dcap-ql libsgx-dcap-ql-dev az-dcap-client open-enclave && \
	apt -y install dkms && \

	# Build OpenEnclave
	source /opt/openenclave/share/openenclave/openenclaverc && \
	cd build && cmake .. && make && make simulate"
	elif ([ "${{ matrix.name }}" == "x86_64-nixos" ]); then
	docker run -v "$(pwd)":/src -w /src --rm -i ghcr.io/nixos/nix:latest /bin/sh -c "\
	nix-shell -p gnumake gcc stdenv autoconf automake libtool 'pkg-config' openssl python3 libevent libunistring \
	--run ' \
	./autogen.sh && \
	./configure --prefix=/src/depends/${{ matrix.host }} ${{ matrix.config-opts }} HOST=${{ matrix.host }} \|\| ( cat config.log && false) && \
	make && \
	make check'"
	fi
	;;
	esac

	- name: Upload artifacts
	uses: actions/upload-artifact@v4
	with:
	name: libdogecoin-${{ github.sha }}-${{ matrix.name }}
	path: ${{ github.workspace }}/build/libdogecoin-${{ github.sha }}-${{ matrix.name }}

	- name: Upload OP-TEE artifacts
	if: matrix.name == 'aarch64-linux-optee'
	uses: actions/upload-artifact@v4
	with:
	name: libdogecoin-${{ github.sha }}-optee-artifacts
	path: \|
	${{ github.workspace }}/optee/linux/arch/arm64/boot/Image
	${{ github.workspace }}/optee/trusted-firmware-a/build/qemu/release/bl1.bin
	${{ github.workspace }}/optee/trusted-firmware-a/build/qemu/release/bl2.bin
	${{ github.workspace }}/optee/trusted-firmware-a/build/qemu/release/bl31.bin
	${{ github.workspace }}/optee/optee_os/out/arm/core/tee-header_v2.bin
	${{ github.workspace }}/optee/optee_os/out/arm/core/tee-pager_v2.bin
	${{ github.workspace }}/optee/optee_os/out/arm/core/tee-pageable_v2.bin
	${{ github.workspace }}/optee/edk2/Build/ArmVirtQemuKernel-AARCH64/RELEASE_GCC5/FV/QEMU_EFI.fd
	${{ github.workspace }}/optee/out-br/images/rootfs.cpio.gz
	${{ github.workspace }}/src/optee/ta/*.ta
	${{ github.workspace }}/src/optee/host/optee_libdogecoin
	${{ github.workspace }}/optee/out/*

	- name: Upload OpenEnclave artifacts
	if: matrix.name == 'x86_64-linux-openenclave'
	uses: actions/upload-artifact@v4
	with:
	name: libdogecoin-${{ github.sha }}-openenclave-artifacts
	path: \|
	${{ github.workspace }}/src/openenclave/build/host/host
	${{ github.workspace }}/src/openenclave/build/enclave/enclave.signed

	sign-x86_64-win:
	needs: build
	runs-on: windows-latest
	if: startsWith(github.ref, 'refs/tags/')
	steps:
	- name: Download artifacts
	uses: actions/download-artifact@v4
	with:
	name: libdogecoin-${{ github.sha }}-x86_64-win

	- name: Import certificate (x86_64-win)
	run: \|
	$certData = "${{ secrets.LIBDOGECOIN_DEV_WINDOWS_CERT_DATA }}"
	$certBytes = [Convert]::FromBase64String($certData)
	[IO.File]::WriteAllBytes("./mycert.pfx", $certBytes)
	$password = ConvertTo-SecureString -String "${{ secrets.LIBDOGECOIN_DEV_WINDOWS_CERT_PASSWORD }}" -Force -AsPlainText
	Import-PfxCertificate -FilePath ./mycert.pfx -CertStoreLocation Cert:\LocalMachine\Root -Password $password
	Remove-Item ./mycert.pfx
	shell: pwsh

	- name: Sign spvnode.exe (x86_64-win)
	uses: lando/code-sign-action@v2
	with:
	file: bin/spvnode.exe
	certificate-data: ${{ secrets.LIBDOGECOIN_DEV_WINDOWS_CERT_DATA }}
	certificate-password: ${{ secrets.LIBDOGECOIN_DEV_WINDOWS_CERT_PASSWORD }}

	- name: Sign such.exe (x86_64-win)
	uses: lando/code-sign-action@v2
	with:
	file: bin/such.exe
	certificate-data: ${{ secrets.LIBDOGECOIN_DEV_WINDOWS_CERT_DATA }}
	certificate-password: ${{ secrets.LIBDOGECOIN_DEV_WINDOWS_CERT_PASSWORD }}

	- name: Sign sendtx.exe (x86_64-win)
	uses: lando/code-sign-action@v2
	with:
	file: bin/sendtx.exe
	certificate-data: ${{ secrets.LIBDOGECOIN_DEV_WINDOWS_CERT_DATA }}
	certificate-password: ${{ secrets.LIBDOGECOIN_DEV_WINDOWS_CERT_PASSWORD }}

	- name: Upload artifacts (x86_64-win)
	uses: actions/upload-artifact@v4
	with:
	name: libdogecoin-${{ github.sha }}-x86_64-win-signed
	path: \|
	bin/**
	docs/**
	examples/**
	include/**
	lib/**
	test/**
	LICENSE

	sign-x86_64-win-native:
	needs: build
	runs-on: windows-latest
	if: startsWith(github.ref, 'refs/tags/')
	steps:
	- name: Download artifacts
	uses: actions/download-artifact@v4
	with:
	name: libdogecoin-${{ github.sha }}-x86_64-win-native

	- name: Import certificate (x86_64-win)
	run: \|
	$certData = "${{ secrets.LIBDOGECOIN_DEV_WINDOWS_CERT_DATA }}"
	$certBytes = [Convert]::FromBase64String($certData)
	[IO.File]::WriteAllBytes("./mycert.pfx", $certBytes)
	$password = ConvertTo-SecureString -String "${{ secrets.LIBDOGECOIN_DEV_WINDOWS_CERT_PASSWORD }}" -Force -AsPlainText
	Import-PfxCertificate -FilePath ./mycert.pfx -CertStoreLocation Cert:\LocalMachine\Root -Password $password
	Remove-Item ./mycert.pfx
	shell: pwsh

	- name: Sign spvnode.exe (x86_64-win-native)
	uses: lando/code-sign-action@v2
	with:
	file: Debug/spvnode.exe
	certificate-data: ${{ secrets.LIBDOGECOIN_DEV_WINDOWS_CERT_DATA }}
	certificate-password: ${{ secrets.LIBDOGECOIN_DEV_WINDOWS_CERT_PASSWORD }}

	- name: Sign such.exe (x86_64-win-native)
	uses: lando/code-sign-action@v2
	with:
	file: Debug/such.exe
	certificate-data: ${{ secrets.LIBDOGECOIN_DEV_WINDOWS_CERT_DATA }}
	certificate-password: ${{ secrets.LIBDOGECOIN_DEV_WINDOWS_CERT_PASSWORD }}

	- name: Sign sendtx.exe (x86_64-win-native)
	uses: lando/code-sign-action@v2
	with:
	file: Debug/sendtx.exe
	certificate-data: ${{ secrets.LIBDOGECOIN_DEV_WINDOWS_CERT_DATA }}
	certificate-password: ${{ secrets.LIBDOGECOIN_DEV_WINDOWS_CERT_PASSWORD }}

	- name: Upload artifacts (x86_64-win-native)
	uses: actions/upload-artifact@v4
	with:
	name: libdogecoin-${{ github.sha }}-x86_64-win-native-signed
	path: \|
	Debug/**
	test/**

	sign-i686-win:
	needs: build
	runs-on: windows-latest
	if: startsWith(github.ref, 'refs/tags/')
	steps:
	- name: Download artifacts
	uses: actions/download-artifact@v4
	with:
	name: libdogecoin-${{ github.sha }}-i686-win

	- name: Import certificate (i686-win)
	run: \|
	$certData = "${{ secrets.LIBDOGECOIN_DEV_WINDOWS_CERT_DATA }}"
	$certBytes = [Convert]::FromBase64String($certData)
	[IO.File]::WriteAllBytes("./mycert.pfx", $certBytes)
	$password = ConvertTo-SecureString -String "${{ secrets.LIBDOGECOIN_DEV_WINDOWS_CERT_PASSWORD }}" -Force -AsPlainText
	Import-PfxCertificate -FilePath ./mycert.pfx -CertStoreLocation Cert:\LocalMachine\Root -Password $password
	Remove-Item ./mycert.pfx
	shell: pwsh

	- name: Sign spvnode.exe (i686-win)
	uses: lando/code-sign-action@v2
	with:
	file: bin/spvnode.exe
	certificate-data: ${{ secrets.LIBDOGECOIN_DEV_WINDOWS_CERT_DATA }}
	certificate-password: ${{ secrets.LIBDOGECOIN_DEV_WINDOWS_CERT_PASSWORD }}

	- name: Sign such.exe (i686-win)
	uses: lando/code-sign-action@v2
	with:
	file: bin/such.exe
	certificate-data: ${{ secrets.LIBDOGECOIN_DEV_WINDOWS_CERT_DATA }}
	certificate-password: ${{ secrets.LIBDOGECOIN_DEV_WINDOWS_CERT_PASSWORD }}

	- name: Sign sendtx.exe (i686-win)
	uses: lando/code-sign-action@v2
	with:
	file: bin/sendtx.exe
	certificate-data: ${{ secrets.LIBDOGECOIN_DEV_WINDOWS_CERT_DATA }}
	certificate-password: ${{ secrets.LIBDOGECOIN_DEV_WINDOWS_CERT_PASSWORD }}

	- name: Upload artifacts (i686-win)
	uses: actions/upload-artifact@v4
	with:
	name: libdogecoin-${{ github.sha }}-i686-win-signed
	path: \|
	bin/**
	docs/**
	examples/**
	include/**
	lib/**
	test/**
	LICENSE

	sign-x86_64-macos:
	needs: build
	runs-on: macos-latest
	if: startsWith(github.ref, 'refs/tags/')
	steps:
	- name: Download artifacts
	uses: actions/download-artifact@v4
	with:
	name: libdogecoin-${{ github.sha }}-x86_64-macos

	- name: Import certificate to keychain (x86_64-macos)
	env:
	LIBDOGECOIN_DEV_MACOS_CERT_DATA: ${{ secrets.LIBDOGECOIN_DEV_MACOS_CERT_DATA }}
	LIBDOGECOIN_DEV_MACOS_CERT_PASS: ${{ secrets.LIBDOGECOIN_DEV_MACOS_CERT_PASSWORD }}
	run: \|
	echo $LIBDOGECOIN_DEV_MACOS_CERT_DATA \| base64 --decode > certificate.p12
	security create-keychain -p $LIBDOGECOIN_DEV_MACOS_CERT_PASS ~/Library/Keychains/build.keychain
	security default-keychain -s ~/Library/Keychains/build.keychain
	security unlock-keychain -p $LIBDOGECOIN_DEV_MACOS_CERT_PASS ~/Library/Keychains/build.keychain
	security import certificate.p12 -k ~/Library/Keychains/build.keychain -P $LIBDOGECOIN_DEV_MACOS_CERT_PASS -T /usr/bin/codesign
	security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $LIBDOGECOIN_DEV_MACOS_CERT_PASS ~/Library/Keychains/build.keychain

	- name: Sign spvnode (x86_64-macos)
	env:
	MACOS_CODE_CERT_TEAM_ID: ${{ secrets.LIBDOGECOIN_DEV_APPLE_TEAM_ID }}
	MACOS_EXECUTABLE_PATH: bin/spvnode
	run: \|
	/usr/bin/codesign --force --keychain ~/Library/Keychains/build.keychain -s $MACOS_CODE_CERT_TEAM_ID --deep --options=runtime "$MACOS_EXECUTABLE_PATH"

	- name: Sign such (x86_64-macos)
	env:
	MACOS_CODE_CERT_TEAM_ID: ${{ secrets.LIBDOGECOIN_DEV_APPLE_TEAM_ID }}
	MACOS_EXECUTABLE_PATH: bin/such
	run: \|
	/usr/bin/codesign --force --keychain ~/Library/Keychains/build.keychain -s $MACOS_CODE_CERT_TEAM_ID --deep --options=runtime "$MACOS_EXECUTABLE_PATH"

	- name: Sign sendtx (x86_64-macos)
	env:
	MACOS_CODE_CERT_TEAM_ID: ${{ secrets.LIBDOGECOIN_DEV_APPLE_TEAM_ID }}
	MACOS_EXECUTABLE_PATH: bin/sendtx
	run: \|
	/usr/bin/codesign --force --keychain ~/Library/Keychains/build.keychain -s $MACOS_CODE_CERT_TEAM_ID --deep --options=runtime "$MACOS_EXECUTABLE_PATH"

	- name: Upload artifacts (i686-win)
	uses: actions/upload-artifact@v4
	with:
	name: libdogecoin-${{ github.sha }}-i686-win-signed
	path: \|
	bin/**
	docs/**
	examples/**
	include/**
	lib/**
	test/**
	LICENSE

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[feat] Add Key Management Enclaves with YubiKey and NanoPC-T6 Support #864

Workflow file

[feat] Add Key Management Enclaves with YubiKey and NanoPC-T6 Support #864

Jobs

Run details

Workflow file for this run