From a6e16d6a5532245cbeaf8657d9a09c0a57c734c5 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 13 Jan 2025 06:13:58 +0000 Subject: [PATCH] Add basic AWS-LC integration test This commit extends the CI with an integration test for AWS-LC. The integration test currently works with the `mlkem_native` branch from the fork `hanno-becker/aws-lc`, which - Removes the reference implementation - Provides an importer.sh for importing mlkem-native - Provides the glue code between mlkem-native's own API and the API expected by AWS-LC. - As a temporary change, it disables `-Werror=redundant-decls`, because mlkem-native does not yet support it. The CI checks that mlkem-native successfully integrated to this fork, by building and running basic tests of AWS-LC in FIPS and non-FIPS mode. Signed-off-by: Hanno Becker --- .github/actions/setup-aws-lc/action.yml | 34 +++++++++++++++ .github/actions/setup-brew/action.yml | 30 ++++++++++++++ .github/actions/setup-os/action.yml | 8 ++++ .github/workflows/ci.yml | 55 +++++++++++++++++++++++++ 4 files changed, 127 insertions(+) create mode 100644 .github/actions/setup-aws-lc/action.yml create mode 100644 .github/actions/setup-brew/action.yml diff --git a/.github/actions/setup-aws-lc/action.yml b/.github/actions/setup-aws-lc/action.yml new file mode 100644 index 000000000..3af25a9a7 --- /dev/null +++ b/.github/actions/setup-aws-lc/action.yml 
@@ -0,0 +1,34 @@ +# SPDX-License-Identifier: Apache-2.0 + +name: Setup AWS-LC +description: Setup AWS-LC + +inputs: + dir: + description: Directory to fetch AWS-LC into + default: 'AWS-LC' + repository: + description: Repository to fetch from + default: 'aws/AWS-LC' + commit: + description: Commit to fetch + default: 'HEAD' + gh_token: + description: Github access token to use + required: true + +runs: + using: composite + steps: + - name: Fetch AWS-LC + shell: bash + run: | + mkdir ${{ inputs.dir }} && cd ${{ inputs.dir }} + git config --global --add safe.directory $GITHUB_WORKSPACE/${{ inputs.dir }} + git init + git remote add origin $GITHUB_SERVER_URL/${{ inputs.repository }} + git fetch origin --depth 1 ${{ inputs.commit }} + git checkout FETCH_HEAD + + # Remember AWS-LC directory + echo AWSLC_DIR="$GITHUB_WORKSPACE/${{ inputs.dir }}" >> $GITHUB_ENV diff --git a/.github/actions/setup-brew/action.yml b/.github/actions/setup-brew/action.yml new file mode 100644 index 000000000..db135910f --- /dev/null +++ b/.github/actions/setup-brew/action.yml @@ -0,0 +1,30 @@ +# SPDX-License-Identifier: Apache-2.0 + +name: Dependencies (apt) +description: Install dependencies via brew + +inputs: + packages: + description: Space-separated list of additional packages to install + required: false + default: '' + sudo: + required: false + default: 'sudo' + +runs: + using: composite + steps: + - name: Update package repository + shell: bash + run: | + brew update + - name: Install base packages + shell: bash + run: | + brew install make gcc python3 + - name: Install additional packages + if: ${{ inputs.packages != ''}} + shell: bash + run: | + brew install ${{ inputs.packages }} diff --git a/.github/actions/setup-os/action.yml b/.github/actions/setup-os/action.yml index b1b26feaa..20d82c800 100644 --- a/.github/actions/setup-os/action.yml +++ b/.github/actions/setup-os/action.yml 
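Review bot: The `gh_token` input is declared `required: true` but nothing in the Fetch AWS-LC step reads it, so callers are asked for a secret that is never used; either drop the input or, if private-fork access is intended, route it to git through an `env:` entry rather than leaving it dangling. Both workflow jobs added in this patch call the action without `gh_token`, so as written the declaration only documents an unmet requirement. Separately, the `git remote add` and `git fetch` lines splice `${{ inputs.repository }}` and `${{ inputs.commit }}` straight into the shell; passing them through `env:` and referencing `"$REPOSITORY"` / `"$COMMIT"` quotes the values and avoids expression injection should the inputs ever be derived from event data.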
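Review bot: The action's `name: Dependencies (apt)` contradicts its `description: Install dependencies via brew` and the `brew` commands below; change it to `name: Dependencies (brew)` so the step label in job logs names the right package manager. The `sudo` input (default `'sudo'`) is declared but never referenced by any step, and Homebrew does not run as root, so either remove it or state in its `description` that it is accepted only for interface parity with the apt/yum actions. Minor style: `${{ inputs.packages != ''}}` is missing the space before `}}`.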
@@ -20,6 +20,8 @@ runs: run: | if (which yum > /dev/null); then echo PKG="yum" >> $GITHUB_ENV + elif (which brew > /dev/null); then + echo PKG="brew" >> $GITHUB_ENV elif (which apt > /dev/null); then echo PKG="apt" >> $GITHUB_ENV fi @@ -35,3 +37,9 @@ runs: with: packages: ${{ inputs.packages }} sudo: ${{ inputs.sudo }} + - name: Setup via brew + if: ${{ env.PKG == 'brew' }} + uses: ./.github/actions/setup-brew + with: + packages: ${{ inputs.packages }} + sudo: ${{ inputs.sudo }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1717cf664..c0b679b04 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
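Review bot: The new `which brew` branch is tested before `which apt`, so on any Linux runner that has Homebrew on PATH the action now installs packages via brew instead of apt; GitHub's Ubuntu runner images ship Linuxbrew, so if `brew` resolves on `ubuntu-latest` this silently changes the toolchain used by every existing Ubuntu job. Moving the brew test after the apt test, or gating it on `$RUNNER_OS == macOS`, keeps apt as the Linux default. The second hunk in this file forwards `sudo: ${{ inputs.sudo }}` to setup-brew, which declares but never uses that input.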
@@ -209,6 +209,61 @@ jobs: ./scripts/autogen ${{ matrix.backend.arg }} ${{ matrix.simplify.arg }} make clean OPT=1 make quickcheck + aws_lc_integration_fips: + strategy: + fail-fast: false + matrix: + system: [ubuntu-latest, pqcp-arm64] + fips: [0,1] + name: AWS-LC FIPS test (${{ matrix.system }}, FIPS=${{ matrix.fips }}) + runs-on: ${{ matrix.system }} + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: ./.github/actions/setup-os + with: + packages: 'cmake' + - uses: ./.github/actions/setup-aws-lc + with: + repository: 'hanno-becker/aws-lc' + commit: 'mlkem_native' + - name: Run importer + run: | + cd $AWSLC_DIR/crypto/fipsmodule/ml_kem + GITHUB_REPOSITORY=$GITHUB_REPOSITORY GITHUB_SHA=$GITHUB_SHA ./importer.sh + - name: Build AWS-LC (FIPS=1) + run: | + cd $AWSLC_DIR + mkdir build + cd build + cmake -DFIPS=${{ matrix.fips }} .. + cd .. + + cmake --build ./build --target all + cmake --build ./build --target run_tests + aws_lc_integration_posix: + strategy: + fail-fast: false + matrix: + system: [ubuntu-latest, pqcp-arm64, macos-latest] + name: AWS-LC Posix test (${{ matrix.system }}) + runs-on: ${{ matrix.system }} + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: ./.github/actions/setup-os + with: + packages: 'cmake golang' + - uses: ./.github/actions/setup-aws-lc + with: + repository: 'hanno-becker/aws-lc' + commit: 'mlkem_native' + - name: Run importer + run: | + cd $AWSLC_DIR/crypto/fipsmodule/ml_kem + GITHUB_REPOSITORY=$GITHUB_REPOSITORY GITHUB_SHA=$GITHUB_SHA ./importer.sh + - name: Build AWS-LC (FIPS=1) + run: | + cd $AWSLC_DIR + ./tests/ci/run_posix_tests.sh build_kat: needs: [quickcheck, quickcheck-windows, quickcheck-c90, quickcheck-lib, examples, lint, lint-markdown-link] strategy:
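Review bot: Both new jobs fetch `hanno-becker/aws-lc` at the mutable branch name `mlkem_native` and then execute `./importer.sh` from that checkout, so whoever can push to that branch controls code run by this CI and a given run is not reproducible; pin `commit:` to a full commit SHA (`commit: '<40-hex-sha>'`, placeholder) with the branch noted in a trailing comment, as the `actions/checkout` line already does. The step named `Build AWS-LC (FIPS=1)` in `aws_lc_integration_fips` runs `-DFIPS=${{ matrix.fips }}` where `fips` is `[0,1]`, and the same name is reused in `aws_lc_integration_posix` for `run_posix_tests.sh`; renaming them `Build AWS-LC (FIPS=${{ matrix.fips }})` and `Run AWS-LC POSIX tests` keeps the job log honest. `setup-aws-lc` declares `gh_token` as required but neither job passes it; as far as I know GitHub only warns on missing composite-action inputs, so the input should either be supplied or its declaration dropped.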