From 3b3aa2e7c37e7dbde71041cb08aff3e6b1e454e4 Mon Sep 17 00:00:00 2001
From: Daniele Lacamera
Date: Wed, 26 Nov 2025 15:50:13 +0100
Subject: [PATCH 1/2] Updated ChangeLog & version number. + Updated wolfTPM submodule
---
README.md | 29 +++++++++++++++++++++++++++++
include/wolfboot/version.h | 4 ++--
lib/wolfTPM | 2 +-
3 files changed, 32 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index d95b3af9f8..01ee44d9ac 100644
--- a/README.md
+++ b/README.md
@@ -646,3 +646,32 @@ For Visual Studio, the developer command prompt will need to be activated.
 * wolfPKCS11: latest (ddeb887)
 * wolfHSM: latest (e0b2019)
+### V 2.7.0 - (2025-11-26)
+ * New hardware targets
+ * Vorago VA416x0 (new HAL, linker scripts, test application, and programming helpers)
+ * Nordic nRF5340 TrustZone build and configuration
+ * Improvements to supported targets
+ * TrustZone-M support unified across ARMv8-M targets
+ * TrustZone-M aware dual-bank configuration, increased update/erase reliability and isolation
+ * nRF5340: Added support for TrustZone-M
+ * STM32H5: SPI driver and TPM support with new TrustZone NSC APIs,
+ * Simulator: dual-bank flow and bank-swap test script to validate redundant-slot updates
+ * RP2350: RAM cache for flash writes to improve robustness
+ * Infineon AURIX TC3xx: replaced IDE project with HAL module integration and UART/boot flag handling fixes
+ * New features and improvements
+ * Filesystem-backed partition state access with `library_fs` target and CLI tool for querying or managing boot partitions
+ * libwolfboot: added MTD (Memory Technology Device) backed tracking of update status
+ * CMake: Added presets. Improve support for more reliable out-of-tree builds and list handling. Improve documentation.
+ * Key tools: `keygen --no-overwrite` option, stricter image header/sector size checks, and expanded ML-DSA test configurations
+ * Added `WOLFBOOT_RESTORE_CLOCK` configuration and additional logging/debugging for library filesystem status and keystore handling
+ * Bug fixes
+ * Hardened encrypted and delta update flows (IV reuse prevention, fallback/regression fixes, improved unit coverage)
+ * Fixed SPI flash protocol errors and write verification issues
+ * Corrected STM32 internal flash page erase masks and multiple STM32H5 update path fixes (including dual-bank and TPM builds)
+ * Resolved P1021 stage1 and MMU build issues
+ * cleanup of compiler warnings across targets (STM32WB55 PKA, nRF5340 non-TZ, others)
+ * Updated modules
+ * wolfSSL v5.8.4-stable (59f4fa568)
+ * wolfTPM v2.4.0-594-g6d5df60
+ * wolfPKCS11 v2.0.0-stable-33-g81af264
+ * wolfHSM v1.3.0 (8ac56d7)
diff --git a/include/wolfboot/version.h b/include/wolfboot/version.h
index e2e16b6741..e8bdf144b9 100644
--- a/include/wolfboot/version.h
+++ b/include/wolfboot/version.h
@@ -29,8 +29,8 @@ extern "C" {
 #endif
-#define LIBWOLFBOOT_VERSION_STRING "2.6.0"
-#define LIBWOLFBOOT_VERSION_HEX 0x02060000
+#define LIBWOLFBOOT_VERSION_STRING "2.7.0"
+#define LIBWOLFBOOT_VERSION_HEX 0x02070000
 #ifndef WOLFBOOT_VERSION
 #define WOLFBOOT_VERSION LIBWOLFBOOT_VERSION_HEX
diff --git a/lib/wolfTPM b/lib/wolfTPM
index 4a5c75585b..6d5df60e24 160000
--- a/lib/wolfTPM
+++ b/lib/wolfTPM
@@ -1 +1 @@
-Subproject commit 4a5c75585bb02d643554ddf082c8d027f86568d7
+Subproject commit 6d5df60e2416a88cdd5dbad1967169aa2a9e6f7a
From d70344653c43310ffbc3736bfce7ffbf9c555109 Mon Sep 17 00:00:00 2001
From: Daniele Lacamera
Date: Wed, 26 Nov 2025 16:08:43 +0100
Subject: [PATCH 2/2] Attempt to fix job failures
---
.github/workflows/test-build-cmake-mac.yml | 37 ++++++++++-----------
.../workflows/test-build-cmake-presets.yml | 11 ++----
2 files changed, 20 insertions(+), 28 deletions(-)
diff --git a/.github/workflows/test-build-cmake-mac.yml b/.github/workflows/test-build-cmake-mac.yml
index babe776195..d3f76ebf2c 100644
--- a/.github/workflows/test-build-cmake-mac.yml
+++ b/.github/workflows/test-build-cmake-mac.yml
@@ -34,6 +34,7 @@ jobs:
 HOMEBREW_NO_AUTO_UPDATE: "1" # avoid updating taps during install
 HOMEBREW_NO_ANALYTICS: "1"
 HOMEBREW_CURL_RETRIES: "6" # ask curl inside brew to retry
+ HOMEBREW_NO_INSTALL_CLEANUP: "1"
 steps:
 - name: Checkout (with submodules)
@@ -41,34 +42,28 @@ jobs:
 with:
 submodules: true
- - name: Cache Homebrew bottles # downloads (so retries don't redownload)
- uses: actions/cache@v4
- with:
- path: |
- ~/Library/Caches/Homebrew
- /Users/runner/Library/Caches/Homebrew
- key: homebrew-${{ runner.os }}-mac14-cmake-gcc-newlib
- restore-keys: |
- homebrew-${{ runner.os }}-
-
 - name: Install toolchain and build tools
 run: |
- # Install with step throttle to hopefully avoid stuck jobs
- set -euxo pipefail
- throttle_delay=5
- brew update
+ # Keep Homebrew pinned on the runner; only install what we need.
+ brew list cmake >/dev/null 2>&1 || brew install --force-bottle cmake
+ brew list ninja >/dev/null 2>&1 || brew install --force-bottle ninja
+
+ # Fetch ARM GCC directly (avoid Homebrew cask checksum churn)
+ ARM_GCC_VERSION="14.3.rel1"
+ ARM_GCC_BASENAME="arm-gnu-toolchain-${ARM_GCC_VERSION}-darwin-arm64-arm-none-eabi"
+ ARM_GCC_TARBALL="${ARM_GCC_BASENAME}.tar.xz"
+ ARM_GCC_URL="https://developer.arm.com/-/media/Files/downloads/gnu/${ARM_GCC_VERSION}/binrel/${ARM_GCC_TARBALL}"
+ ARM_GCC_DIR="$HOME/.local/arm-gcc"
- sleep "$throttle_delay"
- brew install --force-bottle cmake
+ rm -rf "${ARM_GCC_DIR}"
+ mkdir -p "${ARM_GCC_DIR}"
- sleep "$throttle_delay"
- brew install --force-bottle ninja
+ curl -L --retry 3 --retry-delay 5 -o "${ARM_GCC_TARBALL}" "${ARM_GCC_URL}"
+ tar -xJf "${ARM_GCC_TARBALL}" -C "${ARM_GCC_DIR}"
- # Use cask to include headers such as
- sleep "$throttle_delay"
- brew install --cask gcc-arm-embedded
+ echo "${ARM_GCC_DIR}/${ARM_GCC_BASENAME}/bin" >> "$GITHUB_PATH"
 - name: Probe ARM GCC (paths + smoke build)
 run: |
diff --git a/.github/workflows/test-build-cmake-presets.yml b/.github/workflows/test-build-cmake-presets.yml
index 4381964734..5910f0bbf6 100644
--- a/.github/workflows/test-build-cmake-presets.yml
+++ b/.github/workflows/test-build-cmake-presets.yml
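Review bot: The toolchain tarball fetched by the new `curl` line is never integrity-checked before `tar -xJf` unpacks it and its `bin` directory is appended to `GITHUB_PATH`, so the compiler that builds the bootloader images in this job is trusted on TLS alone; the Homebrew cask this replaces did verify a SHA-256, and the comment says that checksum was dropped on purpose. Pin the tarball's SHA-256 for the chosen `ARM_GCC_VERSION` (Arm publishes a `.sha256asc` beside each release) and verify it with `shasum -a 256 -c` before extracting, and pass `-f` to curl so an HTTP error body is not written to `${ARM_GCC_TARBALL}` and left for `tar` to fail on later (curl exits 0 on a 404 without `-f`, and the `set -euxo pipefail` line that used to guard this step was removed). The `darwin-arm64` triplet is hard-coded, which presumably matches the runner image this job uses; confirm that, or derive it from `uname -m`. The fence shows only the download and verification lines of the `run: |` block.

```yaml
      run: |
        # … unchanged: brew list/install of cmake and ninja, ARM_GCC_* variables …
        ARM_GCC_SHA256="<sha256 of ${ARM_GCC_TARBALL} from the Arm release page>"  # update together with ARM_GCC_VERSION

        rm -rf "${ARM_GCC_DIR}"
        mkdir -p "${ARM_GCC_DIR}"

        curl -fL --retry 3 --retry-delay 5 -o "${ARM_GCC_TARBALL}" "${ARM_GCC_URL}"
        echo "${ARM_GCC_SHA256}  ${ARM_GCC_TARBALL}" | shasum -a 256 -c -
        tar -xJf "${ARM_GCC_TARBALL}" -C "${ARM_GCC_DIR}"
        # … unchanged: GITHUB_PATH export …
```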
@@ -58,13 +58,10 @@ jobs:
 # Currently only supported on Ubuntu
 # ARM GCC toolchain (adds the bin dir to PATH)
- - name: Set up ARM none-eabi GCC 14.x
- if: matrix.target != 'sim'
- uses: carlosperate/arm-none-eabi-gcc-action@v1
- with:
- release: "14.2.Rel1" # <-- use 'release', not 'version'
- path-env-var: ARM_NONE_EABI_GCC_PATH
-
+ - name: Set up ARM none-eabi GCC
+ run: |
+ sudo apt update
+ sudo apt install -y gcc-arm-none-eabi
 - name: List all environment variables
 run: |
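Review bot: The replacement step installs whichever `gcc-arm-none-eabi` the runner's Ubuntu release ships, so the toolchain version now floats with the runner image instead of being pinned to `14.2.Rel1` as the removed action did, and the firmware built by this job can silently change compiler major version when the image is updated. If the pin matters, `sudo apt-get install -y --no-install-recommends gcc-arm-none-eabi=<exact package version>` keeps it reproducible, and `apt-get` is the CLI meant for scripts (`apt` warns that its interface is unstable when run non-interactively). The `if: matrix.target != 'sim'` guard was dropped as well, so the cross toolchain is now installed for the `sim` target too; harmless, but worth restoring if the guard was deliberate. The removed action also exported `ARM_NONE_EABI_GCC_PATH`; if a later step in this workflow (not visible in the hunk) reads it, it will now be empty.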