From ec14af0649d2d64795295619f188a8fb013e6163 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Wed, 12 Nov 2025 12:06:16 +0000
Subject: [PATCH 1/3] HOL-Light: Add support for cross-compilation
Signed-off-by: Hanno Becker
---
.github/workflows/ci.yml | 52 ++++++++++++++++++++++++++--------
flake.nix | 9 ++++++
proofs/hol_light/arm/Makefile | 53 +++++++++++++++--------------------
scripts/simpasm | 2 +-
4 files changed, 74 insertions(+), 42 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0a22bd2ce3..2dedc073ec 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -677,27 +677,57 @@ jobs: verbose: true cflags: "-O0" secrets: inherit - check_autogenerated_files: + check_hol_light_bytecode: strategy: fail-fast: false matrix: - system: [ubuntu-latest, pqcp-arm64] - runs-on: ${{ matrix.system }} - name: Check autogenerated files + target: + - system: macos-latest + nix_shell: hol_light + nix_cache: false + - system: macos-15-intel + nix_shell: hol_light + nix_cache: false + - system: ubuntu-latest + nix_shell: hol_light-cross-aarch64 + nix_cache: true + - system: pqcp-arm64 + nix_shell: hol_light + nix_cache: false + runs-on: ${{ matrix.target.system }} + name: Check HOL-Light bytecode ${{ matrix.target.system }} steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - uses: ./.github/actions/setup-shell with: - nix-shell: 'ci-cross' # Need cross-compiler for ASM simplification - nix-cache: 'true' + nix-shell: ${{ matrix.target.nix_shell }} + nix-cache: ${{ matrix.target.nix_cache }} gh_token: ${{ secrets.GITHUB_TOKEN }} script: | - python3 ./scripts/autogen --dry-run --force-cross + python3 ./scripts/autogen --dry-run --update-hol-light-bytecode + check_autogenerated_files: + strategy: + fail-fast: false + matrix: + target: + - system: macos-latest + nix_shell: 'ci' + - system: macos-15-intel + nix_shell: 'ci' + - system: ubuntu-latest + nix_shell: 'ci-cross' + extra_args: '--force-cross' + - system: pqcp-arm64 + nix_shell: 'ci-cross' + extra_args: '--force-cross' + runs-on: ${{ matrix.target.system }} + name: Check autogenerated files + steps: + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - uses: ./.github/actions/setup-shell - # Building the HOL-Light bytecode currently requires native compilation - if: ${{ matrix.system == 'pqcp-arm64' }} with: - nix-shell: 'hol_light' + nix-shell: ${{ matrix.target.nix_shell }} + nix-cache: 'true' gh_token: ${{ secrets.GITHUB_TOKEN }} script: | - python3 ./scripts/autogen --dry-run --update-hol-light-bytecode + python3 
./scripts/autogen --dry-run ${{ matrix.target.extra_args }} diff --git a/flake.nix b/flake.nix index f7bb2975f8..2148c91d68 100644 --- a/flake.nix +++ b/flake.nix @@ -117,6 +117,15 @@ devShells.ci-slothy = util.mkShell { packages = builtins.attrValues { inherit (config.packages) slothy linters toolchains_native; }; }; + devShells.hol_light-cross = util.mkShell { + packages = builtins.attrValues { inherit (config.packages) linters toolchains hol_light s2n_bignum; }; + }; + devShells.hol_light-cross-aarch64 = util.mkShell { + packages = builtins.attrValues { inherit (config.packages) linters toolchain_aarch64 hol_light s2n_bignum; }; + }; + devShells.hol_light-cross-x86_64 = util.mkShell { + packages = builtins.attrValues { inherit (config.packages) linters toolchain_x86_64 hol_light s2n_bignum; }; + }; devShells.ci-cross = util.mkShell { packages = builtins.attrValues { inherit (config.packages) linters toolchains; }; }; diff --git a/proofs/hol_light/arm/Makefile b/proofs/hol_light/arm/Makefile index e43d435921..4010796209 100644 --- a/proofs/hol_light/arm/Makefile +++ b/proofs/hol_light/arm/Makefile 
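Review bot: Both matrices in this hunk schedule a leg on the self-hosted runner `pqcp-arm64` and pass `secrets.GITHUB_TOKEN` to `setup-shell`, yet neither `check_hol_light_bytecode` nor the rewritten `check_autogenerated_files` carries a repository-owner or fork guard (the job being replaced had none either). Other jobs in this workflow gate their self-hosted legs with an `external: ${{ github.repository_owner != 'pq-code-package' }}` matrix axis plus `exclude`, or with `if: github.repository_owner == 'pq-code-package' && !github.event.pull_request.head.repo.fork`. Depending on how the workflow is triggered, the same gate here would keep pull-request code from forks off the self-hosted machine and stop the leg queuing indefinitely in forks. Separately, `extra_args` is defined only for the two `ci-cross` entries, so the macOS legs rely on the missing key expanding to an empty string; an explicit `extra_args: ''` would make that intentional.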
@@ -19,6 +19,28 @@ ARCHTYPE_RESULT=$(shell uname -m) SRC ?= $(S2N_BIGNUM_DIR) SRC_ARM ?= $(SRC)/arm +ARCHFLAGS=-march=armv8.4-a+sha3 + +# If actually on an AArch64 machine, just use the assembler (as). Otherwise +# use a cross-assembling version so that the code can still be assembled +# and the proofs checked against the object files (though you won't be able +# to run code without additional emulation infrastructure). + +ifeq ($(ARCHTYPE_RESULT)-$(OSTYPE_RESULT),x86_64-Darwin) +ASSEMBLE=as -arch arm64 +OBJDUMP=otool -tvV +else +ifeq ($(filter $(ARCHTYPE_RESULT),aarch64 arm64),) +CROSS_PREFIX=aarch64-unknown-linux-gnu- +# Check if cross-toolchain exists +ifeq ($(shell command -v $(ASSEMBLE) >/dev/null 2>&1 && echo yes || echo no),no) +$(error Cross-toolchain not found. Please run in the 'hol_light' nix shell via: nix develop .#hol_light) +endif +endif +ASSEMBLE=$(CROSS_PREFIX)as $(ARCHFLAGS) +OBJDUMP=$(CROSS_PREFIX)objdump -d +endif + # Add explicit language input parameter to cpp, otherwise the use of #n for # numeric literals in ARM code is a problem when used inside #define macros # since normally that means stringization. @@ -26,11 +48,10 @@ SRC_ARM ?= $(SRC)/arm # Some clang-based preprocessors seem to behave differently, and get confused # by single-quote characters in comments, so we eliminate // comments first. -ARCHFLAGS=-march=armv8.4-a+sha3 ifeq ($(OSTYPE_RESULT),Darwin) PREPROCESS=sed -e 's/\/\/.*//' | $(CC) -E -xassembler-with-cpp - else -PREPROCESS=$(CC) $(ARCHFLAGS) -E -xassembler-with-cpp - +PREPROCESS=$(CC) -E -xassembler-with-cpp - endif # Generally GNU-type assemblers are happy with multiple instructions on 
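Review bot: The toolchain probe `command -v $(ASSEMBLE)` is expanded while the Makefile is parsed, before `ASSEMBLE` is assigned a few lines further down, so unless the variable arrives from the environment or from a line outside this hunk it expands to nothing and the check never looks for the cross-assembler. Probe the binary that will actually be invoked, e.g. `ifeq ($(shell command -v $(CROSS_PREFIX)as >/dev/null 2>&1 && echo yes || echo no),no)`. The `$(error …)` text also sends the user to `nix develop .#hol_light`, while the CI leg for x86_64 Linux in this patch uses the new `hol_light-cross-aarch64` shell; the message should name the shell that provides `aarch64-unknown-linux-gnu-as`. As written, a missing or wrong toolchain is more likely to surface later as an assembler failure than as this diagnostic.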
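Review bot: Dropping `$(ARCHFLAGS)` from the non-Darwin `PREPROCESS` means `$(CC) -E` no longer sees `-march=armv8.4-a+sha3`, and on a cross host `CC` may be the host compiler, which predefines host macros rather than AArch64 ones. If any preprocessed source branches on architecture or feature macros (not visible in this hunk), the assembled object, and with it the bytecode the proofs are checked against, could differ between native and cross hosts. Record the assumption next to the rule, for example `# CC may be the host compiler here: inputs must not depend on target predefines`, or confirm that the sources use no such conditionals.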
@@ -38,34 +59,6 @@ endif SPLIT=tr ';' '\n' -# If actually on an ARM8 machine, just use the assembler (as). Otherwise -# use a cross-assembling version so that the code can still be assembled -# and the proofs checked against the object files (though you won't be able -# to run code without additional emulation infrastructure). For the clang -# version on OS X we just add the "-arch arm64" option. For the Linux/gcc -# toolchain we assume the presence of the special cross-assembler. This -# can be installed via something like: -# -# sudo apt-get install binutils-aarch64-linux-gnu - -ifeq ($(ARCHTYPE_RESULT),aarch64) -ASSEMBLE=as $(ARCHFLAGS) -OBJDUMP=objdump -d -else -ifeq ($(ARCHTYPE_RESULT),arm64) -ASSEMBLE=as $(ARCHFLAGS) -OBJDUMP=objdump -d -else -ifeq ($(OSTYPE_RESULT),Darwin) -ASSEMBLE=as -arch arm64 -OBJDUMP=otool -tvV -else -ASSEMBLE=aarch64-linux-gnu-as $(ARCHFLAGS) -OBJDUMP=aarch64-linux-gnu-objdump -d -endif -endif -endif - OBJ = mlkem/mlkem_ntt.o \ mlkem/mlkem_intt.o \ mlkem/mlkem_poly_tomont.o \ diff --git a/scripts/simpasm b/scripts/simpasm index 6ef3e37cb3..a2e625dc26 100755 --- a/scripts/simpasm +++ b/scripts/simpasm @@ -246,7 +246,7 @@ def simplify(logger, args, asm_input, asm_output=None): logger.debug(f"Using raw global symbol {sym} going forward ...") cmd = [args.objdump, "--disassemble", tmp_objfile0] - if platform.system() == "Darwin": + if platform.system() == "Darwin" and args.arch == "aarch64": cmd += ["--triple=aarch64"] # Add syntax option if specified From 644f5ed3b96e46b53c8895a21f1df449578fb07c Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 12 Nov 2025 17:02:45 +0000 Subject: [PATCH 2/3] [TEST] Reduce CI Signed-off-by: Hanno Becker --- .github/workflows/all.yml | 179 +++-- .github/workflows/ci.yml | 1388 ++++++++++++++++++------------------- 2 files changed, 783 insertions(+), 784 deletions(-) diff --git a/.github/workflows/all.yml b/.github/workflows/all.yml index 0a5989b107..cf68787eb3 100644 --- a/.github/workflows/all.yml 
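Review bot: The added `args.arch == "aarch64"` test has no comment saying why `--triple=aarch64` is forced only on Darwin, and any other spelling of the architecture now drops the flag silently, leaving objdump on its default target. The argument parser is outside this hunk, so confirm that `args.arch` is restricted to a fixed set of choices and can never be `None` or `arm64`. Then document the branch, for example `# Darwin: pass the triple explicitly for AArch64 input; other architectures use objdump's default`. `simplify` starts and ends outside this hunk.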
+++ b/.github/workflows/all.yml 
@@ -13,100 +13,99 @@ on: types: [ "opened", "synchronize" ] jobs: - base: - name: Base - permissions: - contents: 'read' - id-token: 'write' - uses: ./.github/workflows/base.yml - secrets: inherit - lint-markdown: - name: Lint Markdown - permissions: - contents: 'read' - id-token: 'write' - uses: ./.github/workflows/lint_markdown.yml - nix: - name: Nix - permissions: - actions: 'write' - contents: 'read' - id-token: 'write' - uses: ./.github/workflows/nix.yml - secrets: inherit + # base: + # name: Base + # permissions: + # contents: 'read' + # id-token: 'write' + # uses: ./.github/workflows/base.yml + # secrets: inherit + # lint-markdown: + # name: Lint Markdown + # permissions: + # contents: 'read' + # id-token: 'write' + # uses: ./.github/workflows/lint_markdown.yml + # nix: + # name: Nix + # permissions: + # actions: 'write' + # contents: 'read' + # id-token: 'write' + # uses: ./.github/workflows/nix.yml + # secrets: inherit ci: name: Extended permissions: contents: 'read' id-token: 'write' - needs: [ base, nix ] uses: ./.github/workflows/ci.yml secrets: inherit - cbmc: - name: CBMC - permissions: - contents: 'read' - id-token: 'write' - needs: [ base, nix ] - uses: ./.github/workflows/cbmc.yml - secrets: inherit - oqs_integration: - name: libOQS - permissions: - contents: 'read' - id-token: 'write' - needs: [ base ] - uses: ./.github/workflows/integration-liboqs.yml - secrets: inherit - opentitan_integration: - name: OpenTitan - permissions: - contents: 'read' - id-token: 'write' - needs: [ base ] - uses: ./.github/workflows/integration-opentitan.yml - secrets: inherit - awslc_integration_fixed: - name: AWS-LC (873ca6f2) - permissions: - contents: 'read' - id-token: 'write' - needs: [ base ] - uses: ./.github/workflows/integration-awslc.yml - with: - commit: 6d2eb62ba375ebba7ab20ab277332f5bff9e13f0 - secrets: inherit - awslc_integration_head: - name: AWS-LC (HEAD) - permissions: - contents: 'read' - id-token: 'write' - needs: [ base ] - uses: 
./.github/workflows/integration-awslc.yml - with: - commit: main - secrets: inherit - ct-test: - name: Constant-time - permissions: - contents: 'read' - id-token: 'write' - needs: [ base, nix ] - uses: ./.github/workflows/ct-tests.yml - secrets: inherit - slothy: - name: SLOTHY - permissions: - contents: 'read' - id-token: 'write' - needs: [ base, nix ] - uses: ./.github/workflows/slothy.yml - secrets: inherit - baremetal: - name: Baremetal - permissions: - contents: 'read' - id-token: 'write' - needs: [ base ] - uses: ./.github/workflows/baremetal.yml - secrets: inherit + # cbmc: + # name: CBMC + # permissions: + # contents: 'read' + # id-token: 'write' + # needs: [ base, nix ] + # uses: ./.github/workflows/cbmc.yml + # secrets: inherit + # oqs_integration: + # name: libOQS + # permissions: + # contents: 'read' + # id-token: 'write' + # needs: [ base ] + # uses: ./.github/workflows/integration-liboqs.yml + # secrets: inherit + # opentitan_integration: + # name: OpenTitan + # permissions: + # contents: 'read' + # id-token: 'write' + # needs: [ base ] + # uses: ./.github/workflows/integration-opentitan.yml + # secrets: inherit + # awslc_integration_fixed: + # name: AWS-LC (873ca6f2) + # permissions: + # contents: 'read' + # id-token: 'write' + # needs: [ base ] + # uses: ./.github/workflows/integration-awslc.yml + # with: + # commit: 6d2eb62ba375ebba7ab20ab277332f5bff9e13f0 + # secrets: inherit + # awslc_integration_head: + # name: AWS-LC (HEAD) + # permissions: + # contents: 'read' + # id-token: 'write' + # needs: [ base ] + # uses: ./.github/workflows/integration-awslc.yml + # with: + # commit: main + # secrets: inherit + # ct-test: + # name: Constant-time + # permissions: + # contents: 'read' + # id-token: 'write' + # needs: [ base, nix ] + # uses: ./.github/workflows/ct-tests.yml + # secrets: inherit + # slothy: + # name: SLOTHY + # permissions: + # contents: 'read' + # id-token: 'write' + # needs: [ base, nix ] + # uses: ./.github/workflows/slothy.yml + # 
secrets: inherit + # baremetal: + # name: Baremetal + # permissions: + # contents: 'read' + # id-token: 'write' + # needs: [ base ] + # uses: ./.github/workflows/baremetal.yml + # secrets: inherit diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2dedc073ec..df3c3f835e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
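Review bot: With every job except `ci` commented out, this workflow no longer runs the `ct-test` (constant-time), `cbmc`, `nix`, lint or integration jobs, and `ci` loses its `needs: [ base, nix ]` ordering; the ci.yml hunk of the same commit comments out further jobs such as `build_kat`. The subject is tagged `[TEST]`, so this looks like a temporary reduction, but nothing in the diff prevents it from being merged with those verification gates switched off. Drop this commit before merge, or restore the jobs together with `needs: [ base, nix ]`. If a reduced run is needed regularly, a `workflow_dispatch` input or an `if:` on each job keeps the definitions live instead of leaving commented-out YAML.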
@@ -9,702 +9,702 @@ on: workflow_dispatch: jobs: - build_kat: - strategy: - fail-fast: false - matrix: - external: - - ${{ github.repository_owner != 'pq-code-package' }} - target: - - runner: macos-latest - name: 'MacOS (aarch64)' - arch: mac - mode: native - nix_shell: ci - - runner: macos-15-intel - name: 'MacOS (x86_64)' - arch: mac - mode: native - nix_shell: ci - - runner: pqcp-arm64 - name: 'ubuntu-latest (aarch64)' - arch: aarch64 - mode: native - nix_shell: ci - - runner: pqcp-arm64 - name: 'ubuntu-latest (aarch64)' - arch: x86_64 - mode: cross-x86_64 - nix_shell: ci-cross-x86_64 - - runner: pqcp-arm64 - name: 'ubuntu-latest (aarch64)' - arch: riscv64 - mode: cross-riscv64 - nix_shell: ci-cross-riscv64 - - runner: pqcp-arm64 - name: 'ubuntu-latest (aarch64)' - arch: riscv32 - mode: cross-riscv32 - nix_shell: ci-cross-riscv32 - - runner: pqcp-arm64 - name: 'ubuntu-latest (ppc64le)' - arch: ppc64le - mode: cross-ppc64le - nix_shell: ci-cross-ppc64le - - runner: pqcp-x64 - name: 'ubuntu-latest (x86_64)' - arch: x86_64 - mode: native - nix_shell: ci - - runner: pqcp-x64 - name: 'ubuntu-latest (x86_64)' - arch: aarch64 - mode: cross-aarch64 - nix_shell: ci-cross-aarch64 - - runner: pqcp-x64 - name: 'ubuntu-latest (x86_64)' - arch: aarch64_be - mode: cross-aarch64_be - nix_shell: ci-cross-aarch64_be - exclude: - - {external: true, - target: { - runner: pqcp-arm64, - name: 'ubuntu-latest (aarch64)', - arch: aarch64, - mode: native, - nix_shell: ci - }} - - {external: true, - target: { - runner: pqcp-arm64, - name: 'ubuntu-latest (aarch64)', - arch: x86_64, - mode: cross-x86_64, - nix_shell: ci-cross-x86_64 - }} - - {external: true, - target: { - runner: pqcp-arm64, - name: 'ubuntu-latest (aarch64)', - arch: riscv64, - mode: cross-riscv64, - nix_shell: ci-cross-riscv64 - }} - - {external: true, - target: { - runner: pqcp-arm64, - name: 'ubuntu-latest (aarch64)', - arch: riscv32, - mode: cross-riscv32, - nix_shell: ci-cross-riscv32 - }} - - {external: true, - 
target: { - runner: pqcp-arm64, - name: 'ubuntu-latest (ppc64le)', - arch: ppc64le, - mode: cross-ppc64le, - nix_shell: ci-cross-ppc64le - }} - - {external: true, - target: { - runner: pqcp-x64, - name: 'ubuntu-latest (x86_64)', - arch: x86_64, - mode: native, - nix_shell: ci - }} - - {external: true, - target: { - runner: pqcp-x64, - name: 'ubuntu-latest (x86_64)', - arch: aarch64, - mode: cross-aarch64, - nix_shell: ci-cross-aarch64 - }} - - {external: true, - target: { - runner: pqcp-x64, - name: 'ubuntu-latest (x86_64)', - arch: aarch64_be, - mode: cross-aarch64_be, - nix_shell: ci-cross-aarch64_be - }} - name: Functional tests (${{ matrix.target.arch }}${{ matrix.target.mode != 'native' && ', cross' || ''}}) - runs-on: ${{ matrix.target.runner }} - steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - name: build + test (no-opt) - uses: ./.github/actions/multi-functest - with: - nix-shell: ${{ matrix.target.nix_shell }} - nix-cache: ${{ matrix.target.mode == 'native' && 'false' || 'true' }} - gh_token: ${{ secrets.GITHUB_TOKEN }} - compile_mode: ${{ matrix.target.mode }} - opt: 'no_opt' - - name: build + test (+debug+memsan+ubsan, native) - uses: ./.github/actions/multi-functest - if: ${{ matrix.target.mode == 'native' }} - with: - gh_token: ${{ secrets.GITHUB_TOKEN }} - compile_mode: native - cflags: "-DMLKEM_DEBUG -fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all" - ldflags: "-fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all" - check_namespace: 'false' - - name: build + test (cross, opt) - uses: ./.github/actions/multi-functest - # There is no native code yet on PPC64LE, riscv32 or AArch64_be, so no point running opt tests - if: ${{ matrix.target.mode != 'native' && (matrix.target.arch != 'ppc64le' && matrix.target.arch != 'riscv32' && matrix.target.arch != 'aarch64_be') }} - with: - nix-shell: ${{ matrix.target.nix_shell }} - nix-cache: ${{ matrix.target.mode == 'native' && 'false' || 'true' 
}} - gh_token: ${{ secrets.GITHUB_TOKEN }} - compile_mode: ${{ matrix.target.mode }} - opt: 'opt' - - name: build + test (cross, opt, +debug) - uses: ./.github/actions/multi-functest - # There is no native code yet on PPC64LE, riscv32 or AArch64_be, so no point running opt tests - if: ${{ matrix.target.mode != 'native' && (matrix.target.arch != 'ppc64le' && matrix.target.arch != 'riscv32' && matrix.target.arch != 'aarch64_be') }} - with: - nix-shell: ${{ matrix.target.nix_shell }} - nix-cache: ${{ matrix.target.mode == 'native' && 'false' || 'true' }} - gh_token: ${{ secrets.GITHUB_TOKEN }} - compile_mode: ${{ matrix.target.mode }} - cflags: "-DMLKEM_DEBUG" - opt: 'opt' - backend_tests: - name: AArch64 FIPS202 backends (${{ matrix.backend }}) - strategy: - fail-fast: false - matrix: - backend: [x1_scalar, x1_v84a, x2_v84a, x4_v8a_scalar, x4_v8a_v84a_scalar] - runs-on: macos-latest - steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - name: build + test - uses: ./.github/actions/multi-functest - with: - nix-shell: 'ci' - nix-cache: 'false' - gh_token: ${{ secrets.GITHUB_TOKEN }} - compile_mode: 'native' - opt: 'opt' - examples: 'false' - cflags: "-DMLKEM_DEBUG -fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all" - ldflags: "-fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all" - check_namespace: 'false' - extra_args: "--fips202-aarch64-backend ${{ matrix.backend }}" - compiler_tests: - name: Compiler tests (${{ matrix.compiler.name }}, ${{ matrix.target.name }}, ${{ matrix.cflags }}) - strategy: - fail-fast: false - matrix: - cflags: [ "-O0", "-Os", "-O3" ] - target: - - runner: pqcp-arm64 - name: 'aarch64' - - runner: ubuntu-latest - name: 'x86_64' - - runner: macos-latest - name: 'macos' - compiler: - - name: gcc-4.8 - shell: ci_gcc48 - darwin: False - c17: False - c23: False - opt: all - examples: true - - name: gcc-4.9 - shell: ci_gcc49 - darwin: False - c17: False - c23: False - opt: all - examples: 
true - - name: gcc-7 - shell: ci_gcc7 - darwin: False - c17: False - c23: False - opt: all - examples: true - - name: gcc-11 - shell: ci_gcc11 - darwin: True - c17: True - c23: False - opt: all - examples: true - - name: gcc-13 - shell: ci_gcc13 - darwin: True - c17: True - c23: False - opt: all - examples: true - - name: gcc-14 - shell: ci_gcc14 - darwin: True - c17: True - c23: True - opt: all - examples: true - - name: gcc-15 - shell: ci_gcc15 - # TODO: Add this once gcc15 is supported in nix on aarch64-Darwin - darwin: False - c17: True - c23: True - opt: all - examples: true - - name: clang-18 - shell: ci_clang18 - darwin: True - c17: True - c23: True - opt: all - examples: true - - name: clang-19 - shell: ci_clang19 - darwin: True - c17: True - c23: True - opt: all - examples: true - - name: clang-20 - shell: ci_clang20 - darwin: True - c17: True - c23: True - opt: all - examples: true - - name: clang-21 - shell: ci_clang21 - darwin: True - c17: True - c23: True - opt: all - examples: true - # CPU flags are not correctly passed to the zig assembler - # https://github.com/ziglang/zig/issues/23576 - # We therefore only test the C backend - # - # We omit all examples since there is currently no way to run - # only those examples not involving native code. 
- - name: zig-0.12 - shell: ci_zig0_12 - darwin: True - c17: True - c23: False - examples: False - opt: no_opt - - name: zig-0.13 - shell: ci_zig0_13 - darwin: True - c17: True - c23: False - examples: False - opt: no_opt - - name: zig-0.14 - shell: ci_zig0_14 - darwin: True - c17: True - c23: True - examples: False - opt: no_opt - - name: zig-0.15 - shell: ci_zig0_15 - darwin: True - c17: True - c23: True - examples: False - opt: no_opt - runs-on: ${{ matrix.target.runner }} - steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - name: native build+functest (default) - if: ${{ matrix.compiler.darwin || matrix.target.runner != 'macos-latest' }} - uses: ./.github/actions/multi-functest - with: - gh_token: ${{ secrets.GITHUB_TOKEN }} - compile_mode: native - func: true - kat: false - acvp: false - examples: ${{ matrix.compiler.examples }} - opt: ${{ matrix.compiler.opt }} - nix-shell: ${{ matrix.compiler.shell }} - cflags: "${{ matrix.cflags }}" - - name: native build+functest (C90) - if: ${{ matrix.compiler.darwin || matrix.target.runner != 'macos-latest' }} - uses: ./.github/actions/multi-functest - with: - gh_token: ${{ secrets.GITHUB_TOKEN }} - compile_mode: native - func: true - kat: false - acvp: false - examples: ${{ matrix.compiler.examples }} - opt: ${{ matrix.compiler.opt }} - nix-shell: ${{ matrix.compiler.shell }} - cflags: "-std=c90 ${{ matrix.cflags }}" - - name: native build+functest (C99) - if: ${{ matrix.compiler.darwin || matrix.target.runner != 'macos-latest' }} - uses: ./.github/actions/multi-functest - with: - gh_token: ${{ secrets.GITHUB_TOKEN }} - compile_mode: native - func: true - kat: false - acvp: false - examples: ${{ matrix.compiler.examples }} - opt: ${{ matrix.compiler.opt }} - nix-shell: ${{ matrix.compiler.shell }} - cflags: "-std=c99 ${{ matrix.cflags }}" - - name: native build+functest (C11) - if: ${{ matrix.compiler.darwin || matrix.target.runner != 'macos-latest' }} - uses: 
./.github/actions/multi-functest - with: - gh_token: ${{ secrets.GITHUB_TOKEN }} - compile_mode: native - func: true - kat: false - acvp: false - examples: ${{ matrix.compiler.examples }} - opt: ${{ matrix.compiler.opt }} - nix-shell: ${{ matrix.compiler.shell }} - cflags: "-std=c11 ${{ matrix.cflags }}" - - name: native build+functest (C17) - if: ${{ (matrix.compiler.darwin || matrix.target.runner != 'macos-latest') && - matrix.compiler.c17 }} - uses: ./.github/actions/multi-functest - with: - gh_token: ${{ secrets.GITHUB_TOKEN }} - compile_mode: native - func: true - kat: false - acvp: false - examples: ${{ matrix.compiler.examples }} - opt: ${{ matrix.compiler.opt }} - nix-shell: ${{ matrix.compiler.shell }} - cflags: "-std=c17 ${{ matrix.cflags }}" - - name: native build+functest (C23) - if: ${{ (matrix.compiler.darwin || matrix.target.runner != 'macos-latest') && - matrix.compiler.c23 }} - uses: ./.github/actions/multi-functest - with: - gh_token: ${{ secrets.GITHUB_TOKEN }} - compile_mode: native - func: true - kat: false - acvp: false - examples: ${{ matrix.compiler.examples }} - opt: ${{ matrix.compiler.opt }} - nix-shell: ${{ matrix.compiler.shell }} - cflags: "-std=c23 ${{ matrix.cflags }}" - stack_analysis: - name: Stack analysis (${{ matrix.target.name }}, ${{ matrix.cflags }}) - strategy: - fail-fast: false - matrix: - external: - - ${{ github.repository_owner != 'pq-code-package' }} - target: - - runner: pqcp-x64 - name: x86_64 - - runner: pqcp-arm64 - name: aarch64 - cflags: ['-O3', '-Os'] - exclude: - - external: true - runs-on: ${{ matrix.target.runner }} - steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - name: Stack analysis - uses: ./.github/actions/multi-functest - with: - gh_token: ${{ secrets.GITHUB_TOKEN }} - compile_mode: native - nix-shell: ci_valgrind-varlat_gcc15 - nix-cache: false - opt: all - cflags: "${{ matrix.cflags }}" - func: false - kat: false - acvp: false - examples: false - stack: true - 
check_namespace: false - config_variations: - name: Non-standard configurations - strategy: - fail-fast: false - matrix: - external: - - ${{ github.repository_owner != 'pq-code-package' }} - target: - - runner: pqcp-arm64 - name: 'ubuntu-latest (aarch64)' - - runner: pqcp-x64 - name: 'ubuntu-latest (x86_64)' - exclude: - - {external: true, - target: { - runner: pqcp-arm64, - name: 'ubuntu-latest (aarch64)', - }} - - {external: true, - target: { - runner: pqcp-x64, - name: 'ubuntu-latest (x86_64)', - }} - runs-on: ${{ matrix.target.runner }} - steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - name: "Config Variations" - uses: ./.github/actions/config-variations - with: - gh_token: ${{ secrets.GITHUB_TOKEN }} - check-cf-protections: - name: Test control-flow protections (${{ matrix.compiler.name }}, x86_64) - strategy: - fail-fast: false - matrix: - compiler: - - name: gcc-14 - shell: ci_gcc14 - - name: gcc-15 - shell: ci_gcc15 - - name: clang-19 - shell: ci_clang19 - # On AArch64 -fcf-protection is not supported anyway - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - name: Test control-flow protections - uses: ./.github/actions/multi-functest - with: - gh_token: ${{ secrets.GITHUB_TOKEN }} - compile_mode: native - cflags: "-Wl,-z,cet-report=error -fcf-protection=full" - func: true - kat: true - acvp: true - nix-shell: ${{ matrix.compiler.shell }} - # ensure that kem.h and mlkem_native.h; api.h and native backends are compatible - check-apis: - strategy: - fail-fast: false - matrix: - external: - - ${{ github.repository_owner != 'pq-code-package' }} - target: - - runner: pqcp-arm64 - name: 'aarch64' - - runner: ubuntu-latest - name: 'x86_64' - exclude: - - {external: true, - target: { - runner: pqcp-arm64, - name: 'aarch64' - }} - name: Check API consistency - runs-on: ${{ matrix.target.runner }} - steps: - - uses: 
actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - name: make quickcheck - run: | - OPT=0 CFLAGS="-Imlkem -DMLK_CHECK_APIS -Wno-redundant-decls" make quickcheck - make clean >/dev/null - OPT=1 CFLAGS="-Imlkem -DMLK_CHECK_APIS -Wno-redundant-decls" make quickcheck - - uses: ./.github/actions/setup-apt - - name: tests func - run: | - ./scripts/tests func --cflags="-Imlkem -DMLK_CHECK_APIS -Wno-redundant-decls" - ec2_functests: - strategy: - fail-fast: false - matrix: - target: - - name: AMD EPYC 4th gen (t3a) - ec2_instance_type: t3a.small - ec2_ami: ubuntu-latest (x86_64) - ec2_volume_size: 20 - compile_mode: native - opt: all - config_variations: 'native-cap-CPUID_AVX2' - - name: Intel Xeon 4th gen (t3) - ec2_instance_type: t3.small - ec2_ami: ubuntu-latest (x86_64) - ec2_volume_size: 20 - compile_mode: native - opt: all - config_variations: 'native-cap-CPUID_AVX2' - - name: Graviton2 (c6g.medium) - ec2_instance_type: c6g.medium - ec2_ami: ubuntu-latest (aarch64) - ec2_volume_size: 20 - compile_mode: native - opt: all - config_variations: 'native-cap-ON native-cap-OFF native-cap-ID_AA64PFR1_EL1' - - name: Graviton3 (c7g.medium) - ec2_instance_type: c7g.medium - ec2_ami: ubuntu-latest (aarch64) - ec2_volume_size: 20 - compile_mode: native - opt: all - config_variations: 'native-cap-ID_AA64PFR1_EL1' - name: Platform tests (${{ matrix.target.name }}) - permissions: - contents: 'read' - id-token: 'write' - if: github.repository_owner == 'pq-code-package' && !github.event.pull_request.head.repo.fork - uses: ./.github/workflows/ci_ec2_reusable.yml - with: - name: ${{ matrix.target.name }} - ec2_instance_type: ${{ matrix.target.ec2_instance_type }} - ec2_ami: ${{ matrix.target.ec2_ami }} - ec2_ami_id: ${{ matrix.target.ec2_ami_id }} - compile_mode: ${{ matrix.target.compile_mode }} - opt: ${{ matrix.target.opt }} - config_variations: ${{ matrix.target.config_variations || '' }} - functest: true - kattest: true - acvptest: true - lint: false - verbose: 
true - secrets: inherit - compatibility_tests: - strategy: - max-parallel: 4 - fail-fast: false - matrix: - container: - - id: debian:bullseye - - id: debian:bookworm - - id: nixos/nix:latest - nix_shell: 'nix-shell -p python3 gcc gnumake perl' - name: Compatibility tests (${{ matrix.container.id }}) - runs-on: ubuntu-latest - container: - ${{ matrix.container.id }} - steps: - # We're not using the checkout action here because on it's not supported - # on all containers we want to test. Resort to a manual checkout. + # build_kat: + # strategy: + # fail-fast: false + # matrix: + # external: + # - ${{ github.repository_owner != 'pq-code-package' }} + # target: + # - runner: macos-latest + # name: 'MacOS (aarch64)' + # arch: mac + # mode: native + # nix_shell: ci + # - runner: macos-15-intel + # name: 'MacOS (x86_64)' + # arch: mac + # mode: native + # nix_shell: ci + # - runner: pqcp-arm64 + # name: 'ubuntu-latest (aarch64)' + # arch: aarch64 + # mode: native + # nix_shell: ci + # - runner: pqcp-arm64 + # name: 'ubuntu-latest (aarch64)' + # arch: x86_64 + # mode: cross-x86_64 + # nix_shell: ci-cross-x86_64 + # - runner: pqcp-arm64 + # name: 'ubuntu-latest (aarch64)' + # arch: riscv64 + # mode: cross-riscv64 + # nix_shell: ci-cross-riscv64 + # - runner: pqcp-arm64 + # name: 'ubuntu-latest (aarch64)' + # arch: riscv32 + # mode: cross-riscv32 + # nix_shell: ci-cross-riscv32 + # - runner: pqcp-arm64 + # name: 'ubuntu-latest (ppc64le)' + # arch: ppc64le + # mode: cross-ppc64le + # nix_shell: ci-cross-ppc64le + # - runner: pqcp-x64 + # name: 'ubuntu-latest (x86_64)' + # arch: x86_64 + # mode: native + # nix_shell: ci + # - runner: pqcp-x64 + # name: 'ubuntu-latest (x86_64)' + # arch: aarch64 + # mode: cross-aarch64 + # nix_shell: ci-cross-aarch64 + # - runner: pqcp-x64 + # name: 'ubuntu-latest (x86_64)' + # arch: aarch64_be + # mode: cross-aarch64_be + # nix_shell: ci-cross-aarch64_be + # exclude: + # - {external: true, + # target: { + # runner: pqcp-arm64, + # name: 
'ubuntu-latest (aarch64)', + # arch: aarch64, + # mode: native, + # nix_shell: ci + # }} + # - {external: true, + # target: { + # runner: pqcp-arm64, + # name: 'ubuntu-latest (aarch64)', + # arch: x86_64, + # mode: cross-x86_64, + # nix_shell: ci-cross-x86_64 + # }} + # - {external: true, + # target: { + # runner: pqcp-arm64, + # name: 'ubuntu-latest (aarch64)', + # arch: riscv64, + # mode: cross-riscv64, + # nix_shell: ci-cross-riscv64 + # }} + # - {external: true, + # target: { + # runner: pqcp-arm64, + # name: 'ubuntu-latest (aarch64)', + # arch: riscv32, + # mode: cross-riscv32, + # nix_shell: ci-cross-riscv32 + # }} + # - {external: true, + # target: { + # runner: pqcp-arm64, + # name: 'ubuntu-latest (ppc64le)', + # arch: ppc64le, + # mode: cross-ppc64le, + # nix_shell: ci-cross-ppc64le + # }} + # - {external: true, + # target: { + # runner: pqcp-x64, + # name: 'ubuntu-latest (x86_64)', + # arch: x86_64, + # mode: native, + # nix_shell: ci + # }} + # - {external: true, + # target: { + # runner: pqcp-x64, + # name: 'ubuntu-latest (x86_64)', + # arch: aarch64, + # mode: cross-aarch64, + # nix_shell: ci-cross-aarch64 + # }} + # - {external: true, + # target: { + # runner: pqcp-x64, + # name: 'ubuntu-latest (x86_64)', + # arch: aarch64_be, + # mode: cross-aarch64_be, + # nix_shell: ci-cross-aarch64_be + # }} + # name: Functional tests (${{ matrix.target.arch }}${{ matrix.target.mode != 'native' && ', cross' || ''}}) + # runs-on: ${{ matrix.target.runner }} + # steps: + # - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + # - name: build + test (no-opt) + # uses: ./.github/actions/multi-functest + # with: + # nix-shell: ${{ matrix.target.nix_shell }} + # nix-cache: ${{ matrix.target.mode == 'native' && 'false' || 'true' }} + # gh_token: ${{ secrets.GITHUB_TOKEN }} + # compile_mode: ${{ matrix.target.mode }} + # opt: 'no_opt' + # - name: build + test (+debug+memsan+ubsan, native) + # uses: ./.github/actions/multi-functest + # if: ${{ 
matrix.target.mode == 'native' }} + # with: + # gh_token: ${{ secrets.GITHUB_TOKEN }} + # compile_mode: native + # cflags: "-DMLKEM_DEBUG -fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all" + # ldflags: "-fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all" + # check_namespace: 'false' + # - name: build + test (cross, opt) + # uses: ./.github/actions/multi-functest + # # There is no native code yet on PPC64LE, riscv32 or AArch64_be, so no point running opt tests + # if: ${{ matrix.target.mode != 'native' && (matrix.target.arch != 'ppc64le' && matrix.target.arch != 'riscv32' && matrix.target.arch != 'aarch64_be') }} + # with: + # nix-shell: ${{ matrix.target.nix_shell }} + # nix-cache: ${{ matrix.target.mode == 'native' && 'false' || 'true' }} + # gh_token: ${{ secrets.GITHUB_TOKEN }} + # compile_mode: ${{ matrix.target.mode }} + # opt: 'opt' + # - name: build + test (cross, opt, +debug) + # uses: ./.github/actions/multi-functest + # # There is no native code yet on PPC64LE, riscv32 or AArch64_be, so no point running opt tests + # if: ${{ matrix.target.mode != 'native' && (matrix.target.arch != 'ppc64le' && matrix.target.arch != 'riscv32' && matrix.target.arch != 'aarch64_be') }} + # with: + # nix-shell: ${{ matrix.target.nix_shell }} + # nix-cache: ${{ matrix.target.mode == 'native' && 'false' || 'true' }} + # gh_token: ${{ secrets.GITHUB_TOKEN }} + # compile_mode: ${{ matrix.target.mode }} + # cflags: "-DMLKEM_DEBUG" + # opt: 'opt' + # backend_tests: + # name: AArch64 FIPS202 backends (${{ matrix.backend }}) + # strategy: + # fail-fast: false + # matrix: + # backend: [x1_scalar, x1_v84a, x2_v84a, x4_v8a_scalar, x4_v8a_v84a_scalar] + # runs-on: macos-latest + # steps: + # - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + # - name: build + test + # uses: ./.github/actions/multi-functest + # with: + # nix-shell: 'ci' + # nix-cache: 'false' + # gh_token: ${{ secrets.GITHUB_TOKEN }} + # compile_mode: 'native' + # 
opt: 'opt' + # examples: 'false' + # cflags: "-DMLKEM_DEBUG -fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all" + # ldflags: "-fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all" + # check_namespace: 'false' + # extra_args: "--fips202-aarch64-backend ${{ matrix.backend }}" + # compiler_tests: + # name: Compiler tests (${{ matrix.compiler.name }}, ${{ matrix.target.name }}, ${{ matrix.cflags }}) + # strategy: + # fail-fast: false + # matrix: + # cflags: [ "-O0", "-Os", "-O3" ] + # target: + # - runner: pqcp-arm64 + # name: 'aarch64' + # - runner: ubuntu-latest + # name: 'x86_64' + # - runner: macos-latest + # name: 'macos' + # compiler: + # - name: gcc-4.8 + # shell: ci_gcc48 + # darwin: False + # c17: False + # c23: False + # opt: all + # examples: true + # - name: gcc-4.9 + # shell: ci_gcc49 + # darwin: False + # c17: False + # c23: False + # opt: all + # examples: true + # - name: gcc-7 + # shell: ci_gcc7 + # darwin: False + # c17: False + # c23: False + # opt: all + # examples: true + # - name: gcc-11 + # shell: ci_gcc11 + # darwin: True + # c17: True + # c23: False + # opt: all + # examples: true + # - name: gcc-13 + # shell: ci_gcc13 + # darwin: True + # c17: True + # c23: False + # opt: all + # examples: true + # - name: gcc-14 + # shell: ci_gcc14 + # darwin: True + # c17: True + # c23: True + # opt: all + # examples: true + # - name: gcc-15 + # shell: ci_gcc15 + # # TODO: Add this once gcc15 is supported in nix on aarch64-Darwin + # darwin: False + # c17: True + # c23: True + # opt: all + # examples: true + # - name: clang-18 + # shell: ci_clang18 + # darwin: True + # c17: True + # c23: True + # opt: all + # examples: true + # - name: clang-19 + # shell: ci_clang19 + # darwin: True + # c17: True + # c23: True + # opt: all + # examples: true + # - name: clang-20 + # shell: ci_clang20 + # darwin: True + # c17: True + # c23: True + # opt: all + # examples: true + # - name: clang-21 + # shell: ci_clang21 + # darwin: True + # c17: 
True + # c23: True + # opt: all + # examples: true + # # CPU flags are not correctly passed to the zig assembler + # # https://github.com/ziglang/zig/issues/23576 + # # We therefore only test the C backend + # # + # # We omit all examples since there is currently no way to run + # # only those examples not involving native code. + # - name: zig-0.12 + # shell: ci_zig0_12 + # darwin: True + # c17: True + # c23: False + # examples: False + # opt: no_opt + # - name: zig-0.13 + # shell: ci_zig0_13 + # darwin: True + # c17: True + # c23: False + # examples: False + # opt: no_opt + # - name: zig-0.14 + # shell: ci_zig0_14 + # darwin: True + # c17: True + # c23: True + # examples: False + # opt: no_opt + # - name: zig-0.15 + # shell: ci_zig0_15 + # darwin: True + # c17: True + # c23: True + # examples: False + # opt: no_opt + # runs-on: ${{ matrix.target.runner }} + # steps: + # - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + # - name: native build+functest (default) + # if: ${{ matrix.compiler.darwin || matrix.target.runner != 'macos-latest' }} + # uses: ./.github/actions/multi-functest + # with: + # gh_token: ${{ secrets.GITHUB_TOKEN }} + # compile_mode: native + # func: true + # kat: false + # acvp: false + # examples: ${{ matrix.compiler.examples }} + # opt: ${{ matrix.compiler.opt }} + # nix-shell: ${{ matrix.compiler.shell }} + # cflags: "${{ matrix.cflags }}" + # - name: native build+functest (C90) + # if: ${{ matrix.compiler.darwin || matrix.target.runner != 'macos-latest' }} + # uses: ./.github/actions/multi-functest + # with: + # gh_token: ${{ secrets.GITHUB_TOKEN }} + # compile_mode: native + # func: true + # kat: false + # acvp: false + # examples: ${{ matrix.compiler.examples }} + # opt: ${{ matrix.compiler.opt }} + # nix-shell: ${{ matrix.compiler.shell }} + # cflags: "-std=c90 ${{ matrix.cflags }}" + # - name: native build+functest (C99) + # if: ${{ matrix.compiler.darwin || matrix.target.runner != 'macos-latest' }} + # uses: 
./.github/actions/multi-functest + # with: + # gh_token: ${{ secrets.GITHUB_TOKEN }} + # compile_mode: native + # func: true + # kat: false + # acvp: false + # examples: ${{ matrix.compiler.examples }} + # opt: ${{ matrix.compiler.opt }} + # nix-shell: ${{ matrix.compiler.shell }} + # cflags: "-std=c99 ${{ matrix.cflags }}" + # - name: native build+functest (C11) + # if: ${{ matrix.compiler.darwin || matrix.target.runner != 'macos-latest' }} + # uses: ./.github/actions/multi-functest + # with: + # gh_token: ${{ secrets.GITHUB_TOKEN }} + # compile_mode: native + # func: true + # kat: false + # acvp: false + # examples: ${{ matrix.compiler.examples }} + # opt: ${{ matrix.compiler.opt }} + # nix-shell: ${{ matrix.compiler.shell }} + # cflags: "-std=c11 ${{ matrix.cflags }}" + # - name: native build+functest (C17) + # if: ${{ (matrix.compiler.darwin || matrix.target.runner != 'macos-latest') && + # matrix.compiler.c17 }} + # uses: ./.github/actions/multi-functest + # with: + # gh_token: ${{ secrets.GITHUB_TOKEN }} + # compile_mode: native + # func: true + # kat: false + # acvp: false + # examples: ${{ matrix.compiler.examples }} + # opt: ${{ matrix.compiler.opt }} + # nix-shell: ${{ matrix.compiler.shell }} + # cflags: "-std=c17 ${{ matrix.cflags }}" + # - name: native build+functest (C23) + # if: ${{ (matrix.compiler.darwin || matrix.target.runner != 'macos-latest') && + # matrix.compiler.c23 }} + # uses: ./.github/actions/multi-functest + # with: + # gh_token: ${{ secrets.GITHUB_TOKEN }} + # compile_mode: native + # func: true + # kat: false + # acvp: false + # examples: ${{ matrix.compiler.examples }} + # opt: ${{ matrix.compiler.opt }} + # nix-shell: ${{ matrix.compiler.shell }} + # cflags: "-std=c23 ${{ matrix.cflags }}" + # stack_analysis: + # name: Stack analysis (${{ matrix.target.name }}, ${{ matrix.cflags }}) + # strategy: + # fail-fast: false + # matrix: + # external: + # - ${{ github.repository_owner != 'pq-code-package' }} + # target: + # - runner: 
pqcp-x64 + # name: x86_64 + # - runner: pqcp-arm64 + # name: aarch64 + # cflags: ['-O3', '-Os'] + # exclude: + # - external: true + # runs-on: ${{ matrix.target.runner }} + # steps: + # - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + # - name: Stack analysis + # uses: ./.github/actions/multi-functest + # with: + # gh_token: ${{ secrets.GITHUB_TOKEN }} + # compile_mode: native + # nix-shell: ci_valgrind-varlat_gcc15 + # nix-cache: false + # opt: all + # cflags: "${{ matrix.cflags }}" + # func: false + # kat: false + # acvp: false + # examples: false + # stack: true + # check_namespace: false + # config_variations: + # name: Non-standard configurations + # strategy: + # fail-fast: false + # matrix: + # external: + # - ${{ github.repository_owner != 'pq-code-package' }} + # target: + # - runner: pqcp-arm64 + # name: 'ubuntu-latest (aarch64)' + # - runner: pqcp-x64 + # name: 'ubuntu-latest (x86_64)' + # exclude: + # - {external: true, + # target: { + # runner: pqcp-arm64, + # name: 'ubuntu-latest (aarch64)', + # }} + # - {external: true, + # target: { + # runner: pqcp-x64, + # name: 'ubuntu-latest (x86_64)', + # }} + # runs-on: ${{ matrix.target.runner }} + # steps: + # - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + # - name: "Config Variations" + # uses: ./.github/actions/config-variations + # with: + # gh_token: ${{ secrets.GITHUB_TOKEN }} + # check-cf-protections: + # name: Test control-flow protections (${{ matrix.compiler.name }}, x86_64) + # strategy: + # fail-fast: false + # matrix: + # compiler: + # - name: gcc-14 + # shell: ci_gcc14 + # - name: gcc-15 + # shell: ci_gcc15 + # - name: clang-19 + # shell: ci_clang19 + # # On AArch64 -fcf-protection is not supported anyway + # runs-on: ubuntu-latest + # steps: + # - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + # - name: Test control-flow protections + # uses: ./.github/actions/multi-functest + # with: + # gh_token: ${{ 
secrets.GITHUB_TOKEN }} + # compile_mode: native + # cflags: "-Wl,-z,cet-report=error -fcf-protection=full" + # func: true + # kat: true + # acvp: true + # nix-shell: ${{ matrix.compiler.shell }} + # # ensure that kem.h and mlkem_native.h; api.h and native backends are compatible + # check-apis: + # strategy: + # fail-fast: false + # matrix: + # external: + # - ${{ github.repository_owner != 'pq-code-package' }} + # target: + # - runner: pqcp-arm64 + # name: 'aarch64' + # - runner: ubuntu-latest + # name: 'x86_64' + # exclude: + # - {external: true, + # target: { + # runner: pqcp-arm64, + # name: 'aarch64' + # }} + # name: Check API consistency + # runs-on: ${{ matrix.target.runner }} + # steps: + # - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + # - name: make quickcheck + # run: | + # OPT=0 CFLAGS="-Imlkem -DMLK_CHECK_APIS -Wno-redundant-decls" make quickcheck + # make clean >/dev/null + # OPT=1 CFLAGS="-Imlkem -DMLK_CHECK_APIS -Wno-redundant-decls" make quickcheck + # - uses: ./.github/actions/setup-apt + # - name: tests func + # run: | + # ./scripts/tests func --cflags="-Imlkem -DMLK_CHECK_APIS -Wno-redundant-decls" + # ec2_functests: + # strategy: + # fail-fast: false + # matrix: + # target: + # - name: AMD EPYC 4th gen (t3a) + # ec2_instance_type: t3a.small + # ec2_ami: ubuntu-latest (x86_64) + # ec2_volume_size: 20 + # compile_mode: native + # opt: all + # config_variations: 'native-cap-CPUID_AVX2' + # - name: Intel Xeon 4th gen (t3) + # ec2_instance_type: t3.small + # ec2_ami: ubuntu-latest (x86_64) + # ec2_volume_size: 20 + # compile_mode: native + # opt: all + # config_variations: 'native-cap-CPUID_AVX2' + # - name: Graviton2 (c6g.medium) + # ec2_instance_type: c6g.medium + # ec2_ami: ubuntu-latest (aarch64) + # ec2_volume_size: 20 + # compile_mode: native + # opt: all + # config_variations: 'native-cap-ON native-cap-OFF native-cap-ID_AA64PFR1_EL1' + # - name: Graviton3 (c7g.medium) + # ec2_instance_type: c7g.medium + # 
ec2_ami: ubuntu-latest (aarch64) + # ec2_volume_size: 20 + # compile_mode: native + # opt: all + # config_variations: 'native-cap-ID_AA64PFR1_EL1' + # name: Platform tests (${{ matrix.target.name }}) + # permissions: + # contents: 'read' + # id-token: 'write' + # if: github.repository_owner == 'pq-code-package' && !github.event.pull_request.head.repo.fork + # uses: ./.github/workflows/ci_ec2_reusable.yml + # with: + # name: ${{ matrix.target.name }} + # ec2_instance_type: ${{ matrix.target.ec2_instance_type }} + # ec2_ami: ${{ matrix.target.ec2_ami }} + # ec2_ami_id: ${{ matrix.target.ec2_ami_id }} + # compile_mode: ${{ matrix.target.compile_mode }} + # opt: ${{ matrix.target.opt }} + # config_variations: ${{ matrix.target.config_variations || '' }} + # functest: true + # kattest: true + # acvptest: true + # lint: false + # verbose: true + # secrets: inherit + # compatibility_tests: + # strategy: + # max-parallel: 4 + # fail-fast: false + # matrix: + # container: + # - id: debian:bullseye + # - id: debian:bookworm + # - id: nixos/nix:latest + # nix_shell: 'nix-shell -p python3 gcc gnumake perl' + # name: Compatibility tests (${{ matrix.container.id }}) + # runs-on: ubuntu-latest + # container: + # ${{ matrix.container.id }} + # steps: + # # We're not using the checkout action here because on it's not supported + # # on all containers we want to test. Resort to a manual checkout. - # We can't hoist this into an action since calling an action can only - # be done after checkout. - - name: Manual checkout - shell: bash - run: | - if (which yum > /dev/null); then - yum install git -y - elif (which apt > /dev/null); then - apt update - apt install git -y - fi + # # We can't hoist this into an action since calling an action can only + # # be done after checkout. 
+ # - name: Manual checkout + # shell: bash + # run: | + # if (which yum > /dev/null); then + # yum install git -y + # elif (which apt > /dev/null); then + # apt update + # apt install git -y + # fi - git config --global --add safe.directory $GITHUB_WORKSPACE - git init - git remote add origin $GITHUB_SERVER_URL/$GITHUB_REPOSITORY - git fetch origin --depth 1 $GITHUB_SHA - git checkout FETCH_HEAD - - uses: ./.github/actions/setup-os - with: - sudo: "" - - name: make quickcheck - shell: bash - run: | - if [ -n "${{ matrix.container.nix_shell }}" ]; then - ${{ matrix.container.nix_shell }} --run "CC=gcc OPT=0 make quickcheck && make clean >/dev/null && CC=gcc OPT=1 make quickcheck" - else - CC=gcc OPT=0 make quickcheck - make clean >/dev/null - CC=gcc OPT=1 make quickcheck - fi - - name: Functional Tests - uses: ./.github/actions/multi-functest - with: - nix-shell: "" - custom_shell: ${{ matrix.container.nix_shell && format('{0} --run \"bash -e {{0}}\"', matrix.container.nix_shell) || 'bash' }} - gh_token: ${{ secrets.AWS_GITHUB_TOKEN }} - ec2_compatibilitytests: - strategy: - max-parallel: 8 - fail-fast: false - matrix: - container: - - id: amazonlinux-2-aarch:base - - id: amazonlinux-2-aarch:gcc-7x - - id: amazonlinux-2-aarch:clang-7x - - id: amazonlinux-2023-aarch:base - - id: amazonlinux-2023-aarch:gcc-11x - - id: amazonlinux-2023-aarch:clang-15x - - id: amazonlinux-2023-aarch:clang-15x-sanitizer - # - id: amazonlinux-2023-aarch:cryptofuzz Not yet supported - - id: ubuntu-22.04-aarch:gcc-12x - - id: ubuntu-22.04-aarch:gcc-11x - - id: ubuntu-20.04-aarch:gcc-8x - - id: ubuntu-20.04-aarch:gcc-7x - - id: ubuntu-20.04-aarch:clang-9x - - id: ubuntu-20.04-aarch:clang-8x - - id: ubuntu-20.04-aarch:clang-7x-bm-framework - - id: ubuntu-20.04-aarch:clang-7x - - id: ubuntu-20.04-aarch:clang-10x - - id: ubuntu-22.04-aarch:base - - id: ubuntu-20.04-aarch:base - name: Compatibility tests (${{ matrix.container.id }}) - permissions: - contents: 'read' - id-token: 'write' - uses: 
./.github/workflows/ci_ec2_container.yml - if: github.repository_owner == 'pq-code-package' && !github.event.pull_request.head.repo.fork - with: - container: ${{ matrix.container.id }} - name: ${{ matrix.container.id }} - ec2_instance_type: t4g.small - ec2_ami: ubuntu-latest (custom AMI) - ec2_ami_id: ami-0c9bc1901ef0d1066 # Has docker images preinstalled - compile_mode: native - opt: all - functest: true - kattest: true - acvptest: true - lint: false - verbose: true - cflags: "-O0" - secrets: inherit - check_hol_light_bytecode: - strategy: - fail-fast: false - matrix: - target: - - system: macos-latest - nix_shell: hol_light - nix_cache: false - - system: macos-15-intel - nix_shell: hol_light - nix_cache: false - - system: ubuntu-latest - nix_shell: hol_light-cross-aarch64 - nix_cache: true - - system: pqcp-arm64 - nix_shell: hol_light - nix_cache: false - runs-on: ${{ matrix.target.system }} - name: Check HOL-Light bytecode ${{ matrix.target.system }} - steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - uses: ./.github/actions/setup-shell - with: - nix-shell: ${{ matrix.target.nix_shell }} - nix-cache: ${{ matrix.target.nix_cache }} - gh_token: ${{ secrets.GITHUB_TOKEN }} - script: | - python3 ./scripts/autogen --dry-run --update-hol-light-bytecode + # git config --global --add safe.directory $GITHUB_WORKSPACE + # git init + # git remote add origin $GITHUB_SERVER_URL/$GITHUB_REPOSITORY + # git fetch origin --depth 1 $GITHUB_SHA + # git checkout FETCH_HEAD + # - uses: ./.github/actions/setup-os + # with: + # sudo: "" + # - name: make quickcheck + # shell: bash + # run: | + # if [ -n "${{ matrix.container.nix_shell }}" ]; then + # ${{ matrix.container.nix_shell }} --run "CC=gcc OPT=0 make quickcheck && make clean >/dev/null && CC=gcc OPT=1 make quickcheck" + # else + # CC=gcc OPT=0 make quickcheck + # make clean >/dev/null + # CC=gcc OPT=1 make quickcheck + # fi + # - name: Functional Tests + # uses: 
./.github/actions/multi-functest + # with: + # nix-shell: "" + # custom_shell: ${{ matrix.container.nix_shell && format('{0} --run \"bash -e {{0}}\"', matrix.container.nix_shell) || 'bash' }} + # gh_token: ${{ secrets.AWS_GITHUB_TOKEN }} + # ec2_compatibilitytests: + # strategy: + # max-parallel: 8 + # fail-fast: false + # matrix: + # container: + # - id: amazonlinux-2-aarch:base + # - id: amazonlinux-2-aarch:gcc-7x + # - id: amazonlinux-2-aarch:clang-7x + # - id: amazonlinux-2023-aarch:base + # - id: amazonlinux-2023-aarch:gcc-11x + # - id: amazonlinux-2023-aarch:clang-15x + # - id: amazonlinux-2023-aarch:clang-15x-sanitizer + # # - id: amazonlinux-2023-aarch:cryptofuzz Not yet supported + # - id: ubuntu-22.04-aarch:gcc-12x + # - id: ubuntu-22.04-aarch:gcc-11x + # - id: ubuntu-20.04-aarch:gcc-8x + # - id: ubuntu-20.04-aarch:gcc-7x + # - id: ubuntu-20.04-aarch:clang-9x + # - id: ubuntu-20.04-aarch:clang-8x + # - id: ubuntu-20.04-aarch:clang-7x-bm-framework + # - id: ubuntu-20.04-aarch:clang-7x + # - id: ubuntu-20.04-aarch:clang-10x + # - id: ubuntu-22.04-aarch:base + # - id: ubuntu-20.04-aarch:base + # name: Compatibility tests (${{ matrix.container.id }}) + # permissions: + # contents: 'read' + # id-token: 'write' + # uses: ./.github/workflows/ci_ec2_container.yml + # if: github.repository_owner == 'pq-code-package' && !github.event.pull_request.head.repo.fork + # with: + # container: ${{ matrix.container.id }} + # name: ${{ matrix.container.id }} + # ec2_instance_type: t4g.small + # ec2_ami: ubuntu-latest (custom AMI) + # ec2_ami_id: ami-0c9bc1901ef0d1066 # Has docker images preinstalled + # compile_mode: native + # opt: all + # functest: true + # kattest: true + # acvptest: true + # lint: false + # verbose: true + # cflags: "-O0" + # secrets: inherit + # check_hol_light_bytecode: + # strategy: + # fail-fast: false + # matrix: + # target: + # - system: macos-latest + # nix_shell: hol_light + # nix_cache: false + # - system: macos-15-intel + # nix_shell: hol_light 
+ # nix_cache: false + # - system: ubuntu-latest + # nix_shell: hol_light-cross-aarch64 + # nix_cache: true + # - system: pqcp-arm64 + # nix_shell: hol_light + # nix_cache: false + # runs-on: ${{ matrix.target.system }} + # name: Check HOL-Light bytecode ${{ matrix.target.system }} + # steps: + # - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + # - uses: ./.github/actions/setup-shell + # with: + # nix-shell: ${{ matrix.target.nix_shell }} + # nix-cache: ${{ matrix.target.nix_cache }} + # gh_token: ${{ secrets.GITHUB_TOKEN }} + # script: | + # python3 ./scripts/autogen --dry-run --update-hol-light-bytecode check_autogenerated_files: strategy: fail-fast: false From 1c64ce0ca01371cc20326ab65f22b4e157a6953d Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 13 Nov 2025 04:41:02 +0000 Subject: [PATCH 3/3] WIP Signed-off-by: Hanno Becker --- dev/x86_64/src/poly_basemul.inc | 18 +++++++++--------- mlkem/src/native/x86_64/src/poly_basemul.inc | 18 +++++++++--------- scripts/autogen | 8 +++++--- scripts/simpasm | 2 ++ 4 files changed, 25 insertions(+), 21 deletions(-) diff --git a/dev/x86_64/src/poly_basemul.inc b/dev/x86_64/src/poly_basemul.inc index 2a17f94e8c..832c0d68ef 100644 --- a/dev/x86_64/src/poly_basemul.inc +++ b/dev/x86_64/src/poly_basemul.inc @@ -50,7 +50,7 @@ * r = ac + bdz = r0 + r1, * s = ad + bc = s0 + s1. */ -.macro schoolbook iter k +.macro schoolbook iter, k vmovdqa (256*\k + 32*\iter + 0)*2(%rsi), _a vmovdqa (256*\k + 32*\iter + 16)*2(%rsi), _b vmovdqa (256*\k + 32*\iter + 0)*2(%rdx), _c @@ -114,14 +114,14 @@ vmovdqa _s0, (32*\iter + 16)*2(%rdi) .endm .macro poly_basemul k -schoolbook 0 \k -schoolbook 1 \k -schoolbook 2 \k -schoolbook 3 \k -schoolbook 4 \k -schoolbook 5 \k -schoolbook 6 \k -schoolbook 7 \k +schoolbook 0, \k +schoolbook 1, \k +schoolbook 2, \k +schoolbook 3, \k +schoolbook 4, \k +schoolbook 5, \k +schoolbook 6, \k +schoolbook 7, \k .endm .macro polyvec_basemul k 
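Review bot: The switch to comma-separated macro arguments in `.macro schoolbook iter, k` and in the eight `schoolbook N, \k` calls of the second hunk carries no comment explaining why the separator matters, so a later edit could reintroduce the whitespace form. Presumably the reason is that not every assembler targeted by the cross-compilation work splits macro arguments on whitespace; if so, say so above the macro, e.g. `/* Macro arguments must be comma-separated; whitespace separation is not portable across assemblers. */`. The same applies to the identical hunks in mlkem/src/native/x86_64/src/poly_basemul.inc, and `polyvec_basemul` continues outside the hunk, so any multi-argument macros further down should be checked for the same form.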
diff --git a/mlkem/src/native/x86_64/src/poly_basemul.inc b/mlkem/src/native/x86_64/src/poly_basemul.inc index 2a17f94e8c..832c0d68ef 100644 --- a/mlkem/src/native/x86_64/src/poly_basemul.inc +++ b/mlkem/src/native/x86_64/src/poly_basemul.inc @@ -50,7 +50,7 @@ * r = ac + bdz = r0 + r1, * s = ad + bc = s0 + s1. */ -.macro schoolbook iter k +.macro schoolbook iter, k vmovdqa (256*\k + 32*\iter + 0)*2(%rsi), _a vmovdqa (256*\k + 32*\iter + 16)*2(%rsi), _b vmovdqa (256*\k + 32*\iter + 0)*2(%rdx), _c @@ -114,14 +114,14 @@ vmovdqa _s0, (32*\iter + 16)*2(%rdi) .endm .macro poly_basemul k -schoolbook 0 \k -schoolbook 1 \k -schoolbook 2 \k -schoolbook 3 \k -schoolbook 4 \k -schoolbook 5 \k -schoolbook 6 \k -schoolbook 7 \k +schoolbook 0, \k +schoolbook 1, \k +schoolbook 2, \k +schoolbook 3, \k +schoolbook 4, \k +schoolbook 5, \k +schoolbook 6, \k +schoolbook 7, \k .endm .macro polyvec_basemul k diff --git a/scripts/autogen b/scripts/autogen index 9bccd3f865..ac1d493717 100755 --- a/scripts/autogen +++ b/scripts/autogen @@ -2116,17 +2116,19 @@ def update_via_simpasm( # Add syntax option for x86_64 if arch == "x86_64" and x86_64_syntax != "att": cmd += ["--syntax", x86_64_syntax] + cmd += ["-v"] r = subprocess.run( cmd, - stdout=subprocess.DEVNULL, - stderr=subprocess.PIPE, + stdout=subprocess.PIPE, + stderr=subprocess.STDOUT, check=True, text=True, ) + print(r.stdout) except subprocess.CalledProcessError as e: print(f"Command failed: {' '.join(cmd)}") print(f"Exit code: {e.returncode}") - print(f"stderr: {e.stderr}") + print(f"stdout/stderr: {e.stdout}") raise Exception("Failed to run simpasm") from e tmp.seek(0) new_contents = tmp.read().decode() diff --git a/scripts/simpasm b/scripts/simpasm index a2e625dc26..1b9bf0dd9b 100755 --- a/scripts/simpasm +++ b/scripts/simpasm 
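Review bot: The added `cmd += ["-v"]` and `print(r.stdout)` make every simpasm run verbose and echo its combined stdout/stderr for each file, on success as well as on failure. This reads like debugging left in a WIP commit, and it would flood the log of any CI job that reaches update_via_simpasm. Put both behind a verbosity switch, e.g. `if verbose: cmd += ["-v"]` and `if verbose: print(r.stdout)`, where `verbose` stands for whatever option the function already has or gains (its signature is outside the hunk). Folding stderr into stdout is consistent with the failure path, which the hunk correctly changes to `e.stdout`.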
@@ -256,6 +256,8 @@ def simplify(logger, args, asm_input, asm_output=None): logger.debug(f"Disassembling temporary object file {tmp_objfile0} ...") disasm = run_cmd(cmd).stdout + print(disasm) + logger.debug("Patching up disassembly ...") simplified = patchup_disasm(disasm, cfify=args.cfify)
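Review bot: `print(disasm)` writes the raw disassembly to stdout on every call of simplify(), regardless of the configured log level. The default `asm_output=None` in the signature suggests the simplified assembly may itself be written to stdout when no output file is given (that part is not visible here); if so, this print would end up mixed into the generated assembly. Route it through the logger like the neighbouring messages, `logger.debug("Raw disassembly:\n%s", disasm)`, so it appears only when debug output is requested. simplify() starts before and continues past this hunk.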