diff --git a/.github/actions/bench/action.yml b/.github/actions/bench/action.yml index 6ef1d5be8..4b19a0be0 100644 --- a/.github/actions/bench/action.yml +++ b/.github/actions/bench/action.yml @@ -29,11 +29,11 @@ inputs: gh_token: description: GitHub access token required: true - use-nix: - description: Whether to run in the default Nix environment - default: "true" + nix-shell: + description: Run in the specified Nix environment if exists + default: "ci" custom_shell: - description: The shell to use. Only relevant if use-nix is "false" + description: The shell to use. Only relevant if no nix-shell specified default: "bash" cross_prefix: description: "Binary prefix for cross-compilation builds" @@ -42,10 +42,10 @@ runs: using: composite steps: - name: Setup nix - if: ${{ inputs.use-nix }} + if: ${{ inputs.nix-shell != '' }} uses: ./.github/actions/setup-nix with: - devShell: ci + devShell: ${{ inputs.nix-shell }} script: | ARCH=$(uname -m) cat >> $GITHUB_STEP_SUMMARY <<-EOF @@ -61,7 +61,12 @@ runs: EOF - name: Set shell shell: bash - run: echo SHELL="${{ inputs.use-nix && 'nix develop .#ci -c bash -e {0}' || inputs.custom_shell }}" >> $GITHUB_ENV + run: | + if [[ ${{ inputs.nix-shell }} != '' ]]; then + echo SHELL="nix develop .#${{ inputs.nix-shell }} -c bash -e {0}" >> $GITHUB_ENV + else + echo SHELL="${{ inputs.custom_shell }}" >> $GITHUB_ENV + fi - name: Run benchmark shell: ${{ env.SHELL }} run: | diff --git a/.github/actions/cbmc/action.yml b/.github/actions/cbmc/action.yml index 73318c1f9..8eff05ec3 100644 --- a/.github/actions/cbmc/action.yml +++ b/.github/actions/cbmc/action.yml @@ -4,9 +4,9 @@ name: CBMC description: Run CBMC proofs for MLKEM-C_AArch64 inputs: - use-nix: - description: Whether to run in the default Nix environment - default: "true" + nix-shell: + description: Run in the specified Nix environment if exists + default: "ci-cbmc" custom_shell: description: The shell to use. Only relevant if use-nix is 'false' default: "bash" 
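Review bot: The new `Set shell` step pastes `${{ inputs.nix-shell }}` into the script unquoted, so when the input is empty the test expands to `[[ != '' ]]`, which bash rejects as a syntax error, and the `custom_shell` branch is never reached. Because the expression is substituted before bash parses the script, any shell metacharacters in `nix-shell` or `custom_shell` also become script text rather than data. Passing both inputs through `env:` and testing `-n "$NIX_SHELL"` addresses both problems. The identical step is added in the cbmc, functest and lint actions and needs the same change. The `Run benchmark` step that follows continues outside the hunk.

```yaml
    - name: Set shell
      shell: bash
      env:
        NIX_SHELL: ${{ inputs.nix-shell }}
        CUSTOM_SHELL: ${{ inputs.custom_shell }}
      run: |
        if [[ -n "$NIX_SHELL" ]]; then
          echo "SHELL=nix develop .#$NIX_SHELL -c bash -e {0}" >> "$GITHUB_ENV"
        else
          echo "SHELL=$CUSTOM_SHELL" >> "$GITHUB_ENV"
        fi
    # … unchanged: Run benchmark step …
```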
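Review bot: The `custom_shell` description in the cbmc action still reads `Only relevant if use-nix is 'false'`, although this hunk removes `use-nix`; the bench and lint actions were updated to `Only relevant if no nix-shell specified`, and this one should match. The new `nix-shell` description, `Run in the specified Nix environment if exists`, also does not say that an empty string is what switches Nix off. Something like `Name of the Nix devShell to run in; set to "" to use custom_shell instead` would document the switch, and the same wording applies to the bench, functest and lint actions.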
@@ -18,10 +18,10 @@ runs: steps: - uses: actions/checkout@v4 - name: Setup nix - if: ${{ inputs.use-nix }} + if: ${{ inputs.nix-shell != '' }} uses: ./.github/actions/setup-nix with: - devShell: ci-cbmc + devShell: ${{ inputs.nix-shell }} script: | cat >> $GITHUB_STEP_SUMMARY << EOF ## Setup @@ -35,7 +35,12 @@ runs: EOF - name: Set shell shell: bash - run: echo SHELL="${{ inputs.use-nix && 'nix develop .#ci-cbmc -c bash -e {0}' || inputs.custom_shell }}" >> $GITHUB_ENV + run: | + if [[ ${{ inputs.nix-shell }} != '' ]]; then + echo SHELL="nix develop .#${{ inputs.nix-shell }} -c bash -e {0}" >> $GITHUB_ENV + else + echo SHELL="${{ inputs.custom_shell }}" >> $GITHUB_ENV + fi - name: Run CBMC proofs shell: ${{ env.SHELL }} run: | diff --git a/.github/actions/functest/action.yml b/.github/actions/functest/action.yml index 4aa259f4c..5520f7011 100644 --- a/.github/actions/functest/action.yml +++ b/.github/actions/functest/action.yml @@ -4,9 +4,12 @@ name: Functional tests description: Run functional tests for MLKEM-C_AArch64 inputs: - use-nix: - description: Whether to run in the default Nix environment - default: "true" + nix-shell: + description: Run in the specified Nix environment if exists + default: "ci" + custom_shell: + description: The shell to use. Only relevant if no nix-shell specified + default: "bash" cflags: description: CFLAGS to pass to compilation default: "" @@ -21,9 +24,9 @@ runs: steps: - name: Setup nix uses: ./.github/actions/setup-nix - if: ${{ inputs.use-nix }} + if: ${{ inputs.nix-shell != '' }} with: - devShell: ci + devShell: ${{ inputs.nix-shell }} script: | ARCH=$(uname -m) cat >> $GITHUB_STEP_SUMMARY <<-EOF 
@@ -36,7 +39,12 @@ runs: EOF - name: Set shell shell: bash - run: echo SHELL="${{ inputs.use-nix && 'nix develop .#ci -c bash -e {0}' || inputs.custom_shell }}" >> $GITHUB_ENV + run: | + if [[ ${{ inputs.nix-shell }} != '' ]]; then + echo SHELL="nix develop .#${{ inputs.nix-shell }} -c bash -e {0}" >> $GITHUB_ENV + else + echo SHELL="${{ inputs.custom_shell }}" >> $GITHUB_ENV + fi - name: Run functional tests id: func_test shell: ${{ env.SHELL }} diff --git a/.github/actions/lint/action.yml b/.github/actions/lint/action.yml index aa1f95ddf..b7ccd4689 100644 --- a/.github/actions/lint/action.yml +++ b/.github/actions/lint/action.yml @@ -4,11 +4,11 @@ name: Lint description: Lint MLKEM-C_AArch64 inputs: - use-nix: - description: Whether to run in the default Nix environment - default: "true" + nix-shell: + description: Run in the specified Nix environment if exists + default: "ci-linter" custom_shell: - description: The shell to use. Only relevant if use-nix is 'false' + description: The shell to use. Only relevant if no nix-shell specified default: "bash" cross-prefix: description: Binary prefix for cross compilation @@ -17,10 +17,10 @@ runs: using: composite steps: - name: Setup nix - if: ${{ inputs.use-nix }} + if: ${{ inputs.nix-shell != '' }} uses: ./.github/actions/setup-nix with: - devShell: ci-linter + devShell: ${{ inputs.nix-shell }} script: | cat >> $GITHUB_STEP_SUMMARY << EOF ## Setup @@ -33,7 +33,12 @@ runs: EOF - name: Set shell shell: bash - run: echo SHELL="${{ inputs.use-nix && 'nix develop .#ci-linter -c bash -e {0}' || inputs.custom_shell }}" >> $GITHUB_ENV + run: | + if [[ ${{ inputs.nix-shell }} != '' ]]; then + echo SHELL="nix develop .#${{ inputs.nix-shell }} -c bash -e {0}" >> $GITHUB_ENV + else + echo SHELL="${{ inputs.custom_shell }}" >> $GITHUB_ENV + fi - name: Run linter shell: ${{ env.SHELL }} run: | diff --git a/.github/workflows/bench_ec2_reusable.yml b/.github/workflows/bench_ec2_reusable.yml index 97685a3d0..d63b5f59e 100644 
--- a/.github/workflows/bench_ec2_reusable.yml +++ b/.github/workflows/bench_ec2_reusable.yml @@ -106,7 +106,7 @@ jobs: - uses: actions/checkout@v4 - uses: ./.github/actions/bench with: - use-nix: true + nix-shell: ci name: ${{ inputs.name }} cflags: ${{ inputs.cflags }} archflags: ${{ inputs.archflags }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7c381c17c..b3ad23252 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -19,20 +19,24 @@ jobs: arch: 'arm64' cross-prefix: ' ' cflags: '-DFORCE_AARCH64' + nix-shell: ci - runner: pqcp-arm64 name: 'ubuntu-latest (aarch64)' arch: 'aarch64' cross-prefix: ' ' cflags: '-DFORCE_AARCH64' + nix-shell: 'ci' - runner: ubuntu-latest name: 'ubuntu-latest (x86_64, cross)' arch: 'x86_64' cross-prefix: 'aarch64-unknown-linux-gnu-' cflags: '-DFORCE_AARCH64' + nix-shell: 'x86_64-linux-cross-ci' - runner: ubuntu-latest name: 'ubuntu-latest (x86_64, native)' arch: 'x86_64' cross-prefix: '' + nix-shell: 'ci' exclude: - {external: true, target: { @@ -40,7 +44,8 @@ jobs: name: 'ubuntu-latest (aarch64)', arch: 'aarch64', cross-prefix: ' ', - cflags: '-DFORCE_AARCH64' + cflags: '-DFORCE_AARCH64', + nix-shell: 'ci' }} name: Functional tests (${{ matrix.target.name }}) runs-on: ${{ matrix.target.runner }} @@ -49,14 +54,14 @@ jobs: - name: functest opt uses: ./.github/actions/functest with: - use-nix: true + nix-shell: ${{ matrix.target.nix-shell }} cflags: ${{ matrix.target.cflags }} cross-prefix: ${{ matrix.target.cross-prefix }} opt: true - name: functest non-opt uses: ./.github/actions/functest with: - use-nix: true + nix-shell: ${{ matrix.target.nix-shell }} cflags: ${{ matrix.target.cflags }} cross-prefix: ${{ matrix.target.cross-prefix }} opt: false @@ -70,7 +75,7 @@ jobs: - uses: actions/checkout@v4 - uses: ./.github/actions/lint with: - use-nix: true + nix-shell: ci-linter cross-prefix: "aarch64-unknown-linux-gnu-" cbmc: strategy: 
@@ -82,4 +87,4 @@ jobs: - uses: actions/checkout@v4 - uses: ./.github/actions/cbmc with: - use-nix: true + nix-shell: ci-cbmc diff --git a/.github/workflows/ci_ec2_reusable.yml b/.github/workflows/ci_ec2_reusable.yml index c703606b2..311b4039b 100644 --- a/.github/workflows/ci_ec2_reusable.yml +++ b/.github/workflows/ci_ec2_reusable.yml @@ -104,7 +104,7 @@ jobs: - uses: actions/checkout@v4 - uses: ./.github/actions/functest with: - use-nix: true + nix-shell: ci cflags: ${{ inputs.cflags }} cross-prefix: ${{ inputs.cross-prefix }} opt: ${{ inputs.opt }} @@ -117,7 +117,7 @@ jobs: - uses: actions/checkout@v4 - uses: ./.github/actions/lint with: - use-nix: true + nix-shell: ci-linter cross-prefix: ${{ inputs.cross-prefix }} cbmc: name: CBMC ${{ inputs.name }} @@ -128,7 +128,7 @@ jobs: - uses: actions/checkout@v4 - uses: ./.github/actions/cbmc with: - use-nix: true + nix-shell: ci-cbmc cross-prefix: ${{ inputs.cross-prefix }} stop-ec2-runner: name: Stop ${{ inputs.name }} (${{ inputs.ec2_instance_type }}) diff --git a/flake.nix b/flake.nix index 5208a59fb..b1ab99dca 100644 --- a/flake.nix +++ b/flake.nix 
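Review bot: In ci_ec2_reusable.yml the functest job hard-codes `nix-shell: ci` while `cross-prefix` is still taken from `inputs.cross-prefix`. With the flake change in this commit, `ci` on a non-Darwin host resolves to `native-gcc` only, so a caller that passes a cross prefix on an x86_64 instance would presumably no longer find the cross compiler that `core` used to include unconditionally. Consider adding a `nix-shell` workflow input that defaults to `ci` and forwarding it as `nix-shell: ${{ inputs.nix-shell }}`, the way ci.yml forwards `matrix.target.nix-shell`. The workflow's `inputs` block lies outside these hunks, so this could not be checked against the existing callers.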
@@ -37,23 +37,41 @@ black; }; - core = + aarch64-gcc = [ + ( + pkgs.pkgsCross.aarch64-multiplatform.buildPackages.gcc13.override { + propagateDoc = true; + isGNU = true; + } + ) + pkgs.pkgsCross.aarch64-multiplatform.glibc + pkgs.pkgsCross.aarch64-multiplatform.glibc.static + ]; + + native-gcc = [ + (pkgs.gcc13.override { + propagateDoc = true; + isGNU = true; + }) + pkgs.glibc + pkgs.glibc.static + ]; + + core = { cross ? false }: let - aarch64-gcc = - pkgs.lib.optionals - (! (pkgs.stdenv.isDarwin && pkgs.stdenv.isAarch64)) - [ - ( - pkgs.pkgsCross.aarch64-multiplatform.buildPackages.gcc13.override { - propagateDoc = true; - isGNU = true; - } - ) - pkgs.pkgsCross.aarch64-multiplatform.glibc - pkgs.pkgsCross.aarch64-multiplatform.glibc.static - ]; + gcc = + if pkgs.stdenv.isDarwin + then + if pkgs.stdenv.isx86_64 + then [ ] + else aarch64-gcc + else + if cross + then aarch64-gcc + else native-gcc + ; in - aarch64-gcc ++ + gcc ++ builtins.attrValues { inherit (pkgs) yq @@ -75,7 +93,7 @@ in { devShells.default = wrapShell pkgs.mkShellNoCC { - packages = core ++ linters ++ cbmcpkg ++ + packages = core { } ++ linters ++ cbmcpkg ++ builtins.attrValues { inherit (pkgs) direnv 
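Review bot: The Darwin branch of `gcc` looks inverted relative to the condition it replaces. The removed code dropped the cross toolchain only when `pkgs.stdenv.isDarwin && pkgs.stdenv.isAarch64` held, whereas the new code returns `[ ]` on x86_64 Darwin and `aarch64-gcc` on aarch64 Darwin. If the old behaviour is wanted, the inner test should read `if pkgs.stdenv.isAarch64 then [ ] else aarch64-gcc`; if the flip is deliberate, a comment saying why would prevent it from being "fixed" later. The `cross` argument is also silently ignored on Darwin, which deserves a short comment on `core`, for example `# cross only affects Linux hosts; Darwin picks its toolchain by architecture`.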
@@ -83,8 +101,25 @@ }; }; - devShells.ci = wrapShell pkgs.mkShellNoCC { packages = core; }; - devShells.ci-cbmc = wrapShell pkgs.mkShellNoCC { packages = (core ++ cbmcpkg); }; + devShells.x86_64-linux-cross = wrapShell pkgs.mkShellNoCC { + packages = core { cross = true; } ++ linters ++ cbmcpkg ++ + builtins.attrValues { + inherit (pkgs) + direnv + nix-direnv; + }; + }; + + devShells.ci = wrapShell pkgs.mkShellNoCC { packages = core { }; }; + devShells.x86_64-linux-cross-ci = wrapShell pkgs.mkShellNoCC { + packages = core { cross = true; }; + }; + + devShells.ci-cbmc = wrapShell pkgs.mkShellNoCC { packages = core { } ++ cbmcpkg; }; + devShells.x86_64-linux-cross-ci-cbmc = wrapShell pkgs.mkShellNoCC { + packages = core { cross = true; } ++ cbmcpkg; + }; + devShells.ci-linter = wrapShell pkgs.mkShellNoCC { packages = linters; }; }; flake = { diff --git a/mk/config.mk b/mk/config.mk index 841e74ea8..f893ebd74 100644 --- a/mk/config.mk +++ b/mk/config.mk @@ -45,7 +45,7 @@ QEMU = qemu-aarch64 HOST_PLATFORM := $(shell uname -s)-$(shell uname -m) ifeq ($(HOST_PLATFORM),Linux-x86_64) - CFLAGS += -static + CFLAGS += -z noexecstack endif CYCLES ?= NO
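Review bot: Removing `-static` in mk/config.mk affects every build on a Linux-x86_64 host, cross builds included, because the `ifeq` tests only `HOST_PLATFORM`. The flake in this commit still ships `glibc.static` for the cross toolchain and the makefile runs target binaries through `qemu-aarch64`, so a dynamically linked AArch64 binary would presumably need the target loader and libraries at run time; keeping `-static` when a cross prefix is set may be necessary, though the rest of the makefile is outside the hunk. Separately, `-z noexecstack` is a link-time option added to `CFLAGS` with no recorded reason and only on x86_64 hosts. A comment such as `# Mark the stack non-executable (linker option)` would help, as would a note on why other Linux hosts do not get the same hardening.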