Add STM32U5 and H7 simulators with hardware crypto

.github/workflows/stm32-test-suite.yml

@@ -0,0 +1,36 @@
+name: STM32Sim test suite
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: ['**']
+  workflow_dispatch:
+
+jobs:
+  cargo-test:
+    name: cargo test (core + smoke firmware)
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install arm-none-eabi toolchain
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y --no-install-recommends \
+            gcc-arm-none-eabi libnewlib-arm-none-eabi build-essential
+
+      - uses: dtolnay/rust-toolchain@stable
+
+      - uses: Swatinem/rust-cache@v2
+        with:
+          workspaces: STM32Sim/stm32-sim
+
+      - name: Build smoke firmware (H7)
+        run: make -C STM32Sim/firmware/smoke-test-h7
+
+      - name: Build smoke firmware (U5)
+        run: make -C STM32Sim/firmware/smoke-test-u5
+
+      - name: cargo test
+        run: cargo test --manifest-path STM32Sim/stm32-sim/Cargo.toml --release

.github/workflows/stm32-wolfcrypt-test-h7.yml

@@ -0,0 +1,38 @@
+name: STM32Sim wolfCrypt test (H7)
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: ['**']
+  workflow_dispatch:
+
+jobs:
+  wolfcrypt-test:
+    name: wolfCrypt on STM32Sim H753 (replaces Renode)
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout simulator-stm32
+        uses: actions/checkout@v4
+        with:
+          path: simulator-stm32
+
+      - name: Checkout wolfSSL
+        uses: actions/checkout@v4
+        with:
+          repository: wolfSSL/wolfssl
+          ref: master
+          path: wolfssl
+
+      - name: Build stm32sim-wolfcrypt image
+        run: |
+          docker build \
+            -t stm32sim-wolfcrypt:ci \
+            -f simulator-stm32/STM32Sim/Dockerfile.wolfcrypt \
+            simulator-stm32/STM32Sim
+
+      - name: Run wolfCrypt test on stm32-sim
+        run: |
+          docker run --rm \
+            -v "${{ github.workspace }}/wolfssl:/opt/wolfssl:ro" \
+            stm32sim-wolfcrypt:ci

.github/workflows/stm32-wolfcrypt-test-u5.yml

@@ -0,0 +1,39 @@
+name: STM32Sim wolfCrypt test (U5)
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: ['**']
+  workflow_dispatch:
+
+jobs:
+  wolfcrypt-test:
+    name: wolfCrypt on STM32Sim U585
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout simulator-stm32
+        uses: actions/checkout@v4
+        with:
+          path: simulator-stm32
+
+      - name: Checkout wolfSSL
+        uses: actions/checkout@v4
+        with:
+          repository: wolfSSL/wolfssl
+          ref: master
+          path: wolfssl
+
+      - name: Build stm32sim-wolfcrypt image
+        run: |
+          docker build \
+            -t stm32sim-wolfcrypt:ci \
+            -f simulator-stm32/STM32Sim/Dockerfile.wolfcrypt \
+            simulator-stm32/STM32Sim
+
+      - name: Run U585 wolfCrypt test on stm32-sim
+        run: |
+          docker run --rm \
+            -v "${{ github.workspace }}/wolfssl:/opt/wolfssl:ro" \
+            stm32sim-wolfcrypt:ci \
+            run-wolfcrypt-u5.sh

README.md

@@ -22,3 +22,12 @@ STSAFE-A120 that covers the wolfSSL-required STSAFE-A command subset: P-256
 ECDSA, ECDH, RNG, and a slot/zone store with a default device certificate.
 It plugs into ST's open-source STSELib middleware via a custom Linux PAL
 that pipes the I2C transport over TCP.
+
+## STM32Sim
+
+The [STM32Sim](STM32Sim/) is a Unicorn-Engine-based simulator for STM32
+microcontrollers focused on the on-chip cryptographic accelerators
+(CRYP/AES, HASH, RNG, PKA) that wolfSSL uses. It is intended to replace
+the Renode-based CI flow for wolfSSL on STM32 targets and to close the
+gaps Renode has in hardware-crypto modelling (HASH peripheral, full AES
+mode set, PKA).

STM32Sim/.dockerignore

@@ -0,0 +1,8 @@
+stm32-sim/target/
+stm32-sim/Cargo.lock
+firmware/**/*.o
+firmware/**/*.elf
+firmware/**/*.map
+firmware/**/build/
+.git/
+.github/

STM32Sim/.gitignore

@@ -0,0 +1,6 @@
+stm32-sim/target/
+stm32-sim/Cargo.lock
+firmware/**/*.o
+firmware/**/*.elf
+firmware/**/*.map
+firmware/**/build/

STM32Sim/Dockerfile

@@ -0,0 +1,39 @@
+# Dockerfile
+#
+# Copyright (C) 2026 wolfSSL Inc.
+#
+# This file is part of STM32Sim.
+#
+# STM32Sim is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+
+# Builds the STM32 simulator and the smoke-test firmware, then runs the
+# Cargo test suite (which includes an end-to-end test that boots the
+# firmware on the simulator and asserts it reaches its pass marker).
+
+FROM rust:1.85-bookworm
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+        build-essential \
+        gcc-arm-none-eabi \
+        libnewlib-arm-none-eabi \
+        cmake \
+        pkg-config \
+        clang \
+        libclang-dev \
+        ca-certificates && \
+    rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app
+
+COPY stm32-sim/ /app/stm32-sim/
+COPY firmware/ /app/firmware/
+
+RUN cd /app/stm32-sim && cargo build --release 2>&1
+RUN make -C /app/firmware/smoke-test-h7
+RUN make -C /app/firmware/smoke-test-u5
+
+CMD ["cargo", "test", "--manifest-path", "/app/stm32-sim/Cargo.toml", "--release", "--", "--nocapture"]

STM32Sim/Dockerfile.wolfcrypt

@@ -0,0 +1,100 @@
+# Dockerfile.wolfcrypt
+#
+# Copyright (C) 2026 wolfSSL Inc.
+#
+# This file is part of STM32Sim.
+#
+# STM32Sim is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+
+# Builds the wolfCrypt-on-STM32 firmwares (H753 and U585) that today
+# run under Renode CI, then runs them through stm32-sim instead. The
+# wolfSSL source tree is expected to be mounted at /opt/wolfssl at
+# runtime (the GitHub workflow does `docker run -v $(pwd):/opt/wolfssl
+# ...`). Default CMD runs the H7 firmware; override with
+# `run-wolfcrypt-u5.sh` for U585.
+# Image contents:
+#   - arm-none-eabi-gcc cross toolchain
+#   - CMSIS_5, cmsis-device-h7, STM32CubeH7 v1.11.2 (vendored under /opt)
+#   - cmsis-device-u5, STM32CubeU5 (vendored under /opt)
+#   - stm32-sim runner binary (built from this same repo)
+#   - run-wolfcrypt-h7.sh and run-wolfcrypt-u5.sh entrypoints
+
+# =============================================================================
+# Stage 1: build stm32-sim (Rust)
+# =============================================================================
+FROM rust:1.85-bookworm AS sim-builder
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    build-essential cmake pkg-config clang libclang-dev ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app
+COPY stm32-sim/ /app/stm32-sim/
+RUN cd /app/stm32-sim && cargo build --release --bin stm32-sim
+
+# =============================================================================
+# Stage 2: cross-toolchain + CMSIS + STM32CubeH7 + stm32-sim
+# =============================================================================
+FROM debian:bookworm
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    build-essential cmake ninja-build python3 git \
+    gcc-arm-none-eabi libnewlib-arm-none-eabi libstdc++-arm-none-eabi-newlib \
+    wget unzip ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
+
+# Vendor STM CMSIS + HAL repos into /opt at fixed refs so the image
+# is reproducible. Tags chosen to match the wolfSSL Renode workflow.
+# STM32CubeH7's HAL_Driver is a git submodule; --recurse-submodules
+# pulls it in - without it the build fails with "stm32h7xx_hal.h: No
+# such file or directory".
+RUN git clone --depth 1 \
+        https://github.com/STMicroelectronics/cmsis-device-h7.git \
+        /opt/cmsis-device-h7 \
+ && git clone --depth 1 \
+        https://github.com/STMicroelectronics/cmsis-device-u5.git \
+        /opt/cmsis-device-u5 \
+ && git clone --depth 1 \
+        https://github.com/ARM-software/CMSIS_5.git \
+        /opt/CMSIS_5 \
+ && (git clone --depth 1 --branch v1.11.2 --recurse-submodules \
+        https://github.com/STMicroelectronics/STM32CubeH7.git \
+        /opt/STM32CubeH7 \
+     || (git clone --depth 1 --branch v1.11.2 \
+            https://github.com/STMicroelectronics/STM32CubeH7.git \
+            /opt/STM32CubeH7 \
+         && cd /opt/STM32CubeH7 \
+         && git submodule update --init --recursive --depth 1)) \
+ && (git clone --depth 1 --recurse-submodules \
+        https://github.com/STMicroelectronics/STM32CubeU5.git \
+        /opt/STM32CubeU5 \
+     || (git clone --depth 1 \
+            https://github.com/STMicroelectronics/STM32CubeU5.git \
+            /opt/STM32CubeU5 \
+         && cd /opt/STM32CubeU5 \
+         && git submodule update --init --recursive --depth 1)) \
+ && find /opt/STM32CubeH7 /opt/STM32CubeU5 -name '.git' -prune -exec rm -rf {} + \
+ && rm -rf /opt/cmsis-device-h7/.git /opt/cmsis-device-u5/.git /opt/CMSIS_5/.git
+
+COPY --from=sim-builder /app/stm32-sim/target/release/stm32-sim /usr/local/bin/stm32-sim
+
+# Firmware sources live in this repo (firmware/wolfcrypt-test-{h7,u5}/),
+# not in the wolfSSL tree. That decouples the simulator from any
+# particular wolfSSL renode-test layout and lets us drive HASH and
+# the full AES mode set - which the wolfSSL Renode setup had to
+# disable because Renode could not model them.
+COPY firmware/wolfcrypt-test-h7/ /opt/firmware-h7/
+COPY firmware/wolfcrypt-test-u5/ /opt/firmware-u5/
+
+COPY scripts/run-wolfcrypt-h7.sh /usr/local/bin/run-wolfcrypt-h7.sh
+COPY scripts/run-wolfcrypt-u5.sh /usr/local/bin/run-wolfcrypt-u5.sh
+RUN chmod +x /usr/local/bin/run-wolfcrypt-h7.sh /usr/local/bin/run-wolfcrypt-u5.sh
+
+ENV WOLFSSL_ROOT=/opt/wolfssl
+
+# Default entrypoint runs the H7 wolfCrypt test. Override by passing
+# `run-wolfcrypt-u5.sh` as the command for the U585 build.
+CMD ["run-wolfcrypt-h7.sh"]