Add TROPIC01 simulator

.github/workflows/tropic01-sdk-test.yml

@@ -0,0 +1,30 @@
+name: TROPIC01 SDK test
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: ['**']
+  workflow_dispatch:
+
+jobs:
+  sdk-test:
+    name: libtropic-driven integration
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: docker/setup-buildx-action@v3
+
+      - name: Build sdk-test image
+        uses: docker/build-push-action@v6
+        with:
+          context: TROPIC01Sim
+          file: TROPIC01Sim/Dockerfile.sdk-test
+          tags: tropic01-sdk-test:ci
+          load: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Run sdk-test suite
+        run: docker run --rm tropic01-sdk-test:ci

.github/workflows/tropic01-test-suite.yml

@@ -0,0 +1,26 @@
+name: TROPIC01 test suite
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: ['**']
+  workflow_dispatch:
+
+jobs:
+  cargo-test:
+    name: cargo test (unit + integration)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: dtolnay/rust-toolchain@stable
+
+      - uses: Swatinem/rust-cache@v2
+        with:
+          workspaces: TROPIC01Sim/tropic01-sim
+
+      - name: cargo test
+        run: |
+          cargo test --manifest-path TROPIC01Sim/tropic01-sim/Cargo.toml \
+            -- --test-threads=1

.github/workflows/tropic01-wolfcrypt-test.yml

@@ -0,0 +1,30 @@
+name: TROPIC01 wolfCrypt test
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: ['**']
+  workflow_dispatch:
+
+jobs:
+  wolfcrypt-test:
+    name: wolfCrypt + libtropic integration
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: docker/setup-buildx-action@v3
+
+      - name: Build wolfcrypt-test image
+        uses: docker/build-push-action@v6
+        with:
+          context: TROPIC01Sim
+          file: TROPIC01Sim/Dockerfile.wolfcrypt
+          tags: tropic01-wolfcrypt-test:ci
+          load: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Run wolfCrypt test suite
+        run: docker run --rm tropic01-wolfcrypt-test:ci

README.md

@@ -23,6 +23,16 @@ ECDSA, ECDH, RNG, and a slot/zone store with a default device certificate.
 It plugs into ST's open-source STSELib middleware via a custom Linux PAL
 that pipes the I2C transport over TCP.
 
+## TROPIC01Sim
+
+The [TROPIC01Sim](TROPIC01Sim/) is a simulator for the Tropic Square TROPIC01
+secure element. It speaks libtropic's "TROPIC01 Model" wire protocol over
+TCP and performs the full Noise_KK1_25519_AESGCM_SHA256 secure-channel
+handshake, then answers the L3 commands the wolfSSL TROPIC01 port exercises:
+RNG, ECC keygen/read for P-256 + Ed25519, R-memory read/write, and the
+pairing-key surface. The simulator is consumed unmodified by libtropic via
+its `hal/posix/tcp/` HAL.
+
 ## STM32Sim
 
 The [STM32Sim](STM32Sim/) is a Unicorn-Engine-based simulator for STM32
@@ -31,3 +41,4 @@ microcontrollers focused on the on-chip cryptographic accelerators
 the Renode-based CI flow for wolfSSL on STM32 targets and to close the
 gaps Renode has in hardware-crypto modelling (HASH peripheral, full AES
 mode set, PKA).
+

STSAFEA120Sim/.gitignore

@@ -3,3 +3,4 @@ target/
 *.a
 *.so
 stsafe_a120_store.json
+Cargo.lock

TROPIC01Sim/.gitignore

@@ -0,0 +1,6 @@
+target/
+*.o
+*.a
+*.so
+tropic01_store.json
+Cargo.lock

TROPIC01Sim/Dockerfile

@@ -0,0 +1,21 @@
+# Dockerfile
+#
+# Copyright (C) 2026 wolfSSL Inc.
+#
+# This file is part of TROPIC01Sim.
+#
+# TROPIC01Sim is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+
+# Rust unit + TCP integration tests.
+FROM rust:1.85-bookworm
+
+WORKDIR /app
+
+COPY tropic01-sim/ /app/tropic01-sim/
+
+RUN cd /app/tropic01-sim && cargo build 2>&1
+
+CMD ["cargo", "test", "--manifest-path", "/app/tropic01-sim/Cargo.toml", "--", "--test-threads=1", "--nocapture"]

TROPIC01Sim/Dockerfile.sdk-test

@@ -0,0 +1,53 @@
+# Dockerfile.sdk-test
+#
+# Copyright (C) 2026 wolfSSL Inc.
+#
+# This file is part of TROPIC01Sim.
+#
+# TROPIC01Sim is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+
+# Stage 1: build the Rust simulator TCP server.
+FROM rust:1.85-bookworm AS sim-builder
+
+WORKDIR /app
+COPY tropic01-sim/ /app/tropic01-sim/
+RUN cd /app/tropic01-sim && cargo build --release --bin tcp_server 2>&1
+
+# =============================================================================
+# Stage 2: build libtropic (with mbedTLS v4 CAL + posix/tcp HAL) and our
+# integration test binary that drives it against the simulator.
+# =============================================================================
+FROM debian:bookworm
+
+RUN apt-get update && apt-get install -y \
+    build-essential cmake git ca-certificates pkg-config python3 \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY --from=sim-builder /app/tropic01-sim/target/release/tcp_server /app/tcp_server
+
+# ---- Clone libtropic at a pinned commit ----
+# Pinned to an explicit commit so the simulator's L2/L3 wire-protocol
+# expectations stay reproducible. Bump deliberately if the upstream
+# protocol changes (CHANGELOG.md tracks renames and structural shifts).
+ARG LIBTROPIC_REF=51044cdc2e0aabff42305130b344c5db3136f158
+RUN git clone https://github.com/tropicsquare/libtropic.git /app/libtropic && \
+    git -C /app/libtropic checkout ${LIBTROPIC_REF}
+
+# ---- Drop in our test source as a libtropic example tree ----
+# Easiest way to inherit libtropic's CMake setup (mbedTLS v4 fetch, CAL
+# wiring, posix/tcp HAL) is to live inside `examples/model/`. We borrow
+# the hello_world CMakeLists.txt as a template and swap in our own main.
+COPY sdk-test/ /app/libtropic/examples/model/sim_test/
+WORKDIR /app/libtropic/examples/model/sim_test/build
+RUN cmake .. && make -j$(nproc)
+
+COPY sdk-test/run_test.sh /app/run_test.sh
+RUN chmod +x /app/run_test.sh
+
+ENV TROPIC01_SIM_HOST=127.0.0.1
+ENV TROPIC01_SIM_PORT=28992
+
+CMD ["/app/run_test.sh"]

TROPIC01Sim/Dockerfile.wolfcrypt

@@ -0,0 +1,94 @@
+# Dockerfile.wolfcrypt
+#
+# Copyright (C) 2026 wolfSSL Inc.
+#
+# This file is part of TROPIC01Sim.
+#
+# TROPIC01Sim is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+
+# Stage 1: build the Rust simulator TCP server.
+FROM rust:1.85-bookworm AS sim-builder
+
+WORKDIR /app
+COPY tropic01-sim/ /app/tropic01-sim/
+RUN cd /app/tropic01-sim && cargo build --release --bin tcp_server 2>&1
+
+# =============================================================================
+# Stage 2: build libtropic v0.1.0, build wolfSSL --with-tropic01, build
+# Tropic Square's wolfssl-test app, run it against the simulator.
+#
+# Why v0.1.0: wolfSSL's `wolfcrypt/src/port/tropicsquare/tropic01.c` calls
+# `lt_random_get`, `verify_chip_and_start_secure_session`, `CURVE_ED25519`,
+# and `lt_r_mem_data_read(h, slot, buf, size)` (4-arg form). All of these
+# were renamed in libtropic v1.0.0. The wolfSSL port has not been updated
+# upstream, so we pin to the last release that matches its API.
+# =============================================================================
+FROM debian:bookworm
+
+RUN apt-get update && apt-get install -y \
+    build-essential cmake git autoconf automake libtool pkg-config \
+    ca-certificates wget python3 \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY --from=sim-builder /app/tropic01-sim/target/release/tcp_server /app/tcp_server
+
+# ---- Clone libtropic at the v0.1.0 tag matching wolfSSL's port ----
+ARG LIBTROPIC_REF=v0.1.0
+RUN git clone --branch ${LIBTROPIC_REF} --depth 1 \
+    https://github.com/tropicsquare/libtropic.git /app/libtropic
+
+# ---- Build libtropic with trezor_crypto + the v0.1.0 unix_tcp HAL.
+# The HAL bypass: v0.1.0's hal/port/unix/lt_port_unix_tcp.c is exactly
+# the protocol our simulator speaks (TAG_E_SPI_* over TCP at port 28992),
+# so no custom shim is needed. We just point it at our simulator.
+WORKDIR /app/libtropic/build
+RUN cmake -DLT_USE_TREZOR_CRYPTO=1 -DLT_BUILD_TESTS=0 .. && make -j$(nproc) tropic
+
+# ---- Clone + build wolfSSL master with --with-tropic01 ----
+ARG WOLFSSL_REF=master
+RUN git clone --branch ${WOLFSSL_REF} --depth 1 \
+    https://github.com/wolfSSL/wolfssl.git /app/wolfssl
+WORKDIR /app/wolfssl
+# Patch the upstream wolfSSL TROPIC01 port for two known issues:
+#  - It calls `ForceZero` (a non-existent symbol). The library has
+#    `wc_ForceZero`. Both with -Werror=nested-externs the implicit
+#    declaration is fatal, so we sed-fix it.
+#  - It expects libtropic v0.x's `LT_SEPARATE_L3_BUFF` macro to be
+#    defined. We set it to 0 via CFLAGS below.
+RUN sed -i 's/\bForceZero\b/wc_ForceZero/g' \
+    /app/wolfssl/wolfcrypt/src/port/tropicsquare/tropic01.c
+
+RUN ./autogen.sh && \
+    ./configure \
+        --with-tropic01=/app/libtropic \
+        --enable-cryptocb \
+        --enable-ed25519 \
+        --enable-static --disable-shared \
+        --disable-crypttests --disable-examples \
+        CFLAGS="-DWOLFSSL_TROPIC01 -DLT_SEPARATE_L3_BUFF=0" && \
+    make -j$(nproc) && \
+    make install
+
+# ---- Clone Tropic Square's upstream wolfSSL test ----
+ARG TROPIC_TEST_REF=main
+RUN git clone --branch ${TROPIC_TEST_REF} --depth 1 \
+    https://github.com/tropicsquare/tropic01-wolfssl-test.git /app/tropic01-wolfssl-test
+
+# ---- Patch the test's Makefile to use the v0.1.0 unix_tcp HAL instead
+# of the USB dongle HAL (we don't have a USB dongle in CI, just TCP) ----
+WORKDIR /app/tropic01-wolfssl-test
+RUN sed -i 's|lt_port_unix_usb_dongle.c|lt_port_unix_tcp.c|' Makefile && \
+    sed -i 's|^LIBTROPIC_DIR =.*|LIBTROPIC_DIR = /app/libtropic|' Makefile && \
+    make 2>&1
+
+COPY wolfcrypt-test/run_test.sh /app/run_test.sh
+RUN chmod +x /app/run_test.sh
+
+ENV LD_LIBRARY_PATH=/usr/local/lib
+ENV TROPIC01_SIM_HOST=127.0.0.1
+ENV TROPIC01_SIM_PORT=28992
+
+CMD ["/app/run_test.sh"]