CI: Test config variation optblocker (i.e., no inline asm barrier)

mkannwischer · mkannwischer · commit 7c3ac3cce985 · 2025-07-28T16:37:22.000+08:00
This commit adds a config variation test to CI to test the alternative
constant time functions (when no inline asm is available).
To do so, first a MLD_CONFIG_FILE configuration option is introduced
allowing to define a custom configurtion file.

This option is then used in a workflow to include a config that has
MLD_CONFIG_NO_ASM set.

Signed-off-by: Matthias J. Kannwischer &lt;matthias@kannwischer.eu&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -353,7 +353,42 @@ jobs:
           acvp: false
           examples: false
           stack: true
-
+  config_variations:
+    name: Non-standard configurations
+    strategy:
+      fail-fast: false
+      matrix:
+        external:
+         - ${{ github.repository_owner != 'pq-code-package' }}
+        target:
+         - runner: pqcp-arm64
+           name: 'ubuntu-latest (aarch64)'
+         - runner: pqcp-x64
+           name: 'ubuntu-latest (x86_64)'
+        exclude:
+          - {external: true,
+             target: {
+               runner: pqcp-arm64,
+               name: 'ubuntu-latest (aarch64)',
+             }}
+          - {external: true,
+             target: {
+               runner: pqcp-x64,
+               name: 'ubuntu-latest (x86_64)',
+             }}
+    runs-on: ${{ matrix.target.runner }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: "No ASM"
+        uses: ./.github/actions/multi-functest
+        with:
+          gh_token: ${{ secrets.GITHUB_TOKEN }}
+          compile_mode: native
+          cflags: "-std=c11 -D_GNU_SOURCE -DMLD_CONFIG_FILE=\\\\\\\"../test/no_asm_config.h\\\\\\\" -fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all"
+          func: true
+          kat: true
+          acvp: true
+          examples: false # Some examples use a custom config themselves
   check_autogenerated_files:
     strategy:
       fail-fast: false
diff --git a/mldsa/common.h b/mldsa/common.h
@@ -6,6 +6,12 @@
 #ifndef MLD_COMMON_H
 #define MLD_COMMON_H
 
+#if defined(MLD_CONFIG_FILE)
+#include MLD_CONFIG_FILE
+#else
+#include "config.h"
+#endif
+
 #include "cbmc.h"
 #include "params.h"
 #include "sys.h"
diff --git a/mldsa/config.h b/mldsa/config.h
@@ -22,6 +22,25 @@
 #define MLD_NAMESPACE(s) MLD_87_ref_##s
 #endif
 
+
+/******************************************************************************
+ * Name:        MLD_CONFIG_FILE
+ *
+ * Description: If defined, this is a header that will be included instead
+ *              of this default configuration file mldsa/config.h.
+ *
+ *              When you need to build mldsa-native in multiple configurations,
+ *              using varying MLD_CONFIG_FILE can be more convenient
+ *              then configuring everything through CFLAGS.
+ *
+ *              To use, MLD_CONFIG_FILE _must_ be defined prior
+ *              to the inclusion of any mldsa-native headers. For example,
+ *              it can be set by passing `-DMLD_CONFIG_FILE="..."`
+ *              on the command line.
+ *
+ *****************************************************************************/
+/* #define MLD_CONFIG_FILE "config.h" */
+
 /******************************************************************************
  * Name:        MLD_CONFIG_ARITH_BACKEND_FILE
  *
diff --git a/mldsa/params.h b/mldsa/params.h
@@ -5,7 +5,7 @@
 #ifndef MLD_PARAMS_H
 #define MLD_PARAMS_H
 
-#include "config.h"
+#include "common.h"
 
 #define MLDSA_SEEDBYTES 32
 #define MLDSA_CRHBYTES 64
diff --git a/test/no_asm_config.h b/test/no_asm_config.h
@@ -0,0 +1,165 @@
+/*
+ * Copyright (c) The mldsa-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+#ifndef MLD_CONFIG_H
+#define MLD_CONFIG_H
+
+#define MLD_RANDOMIZED_SIGNING
+
+#ifndef MLDSA_MODE
+#define MLDSA_MODE 2
+#endif
+
+#if MLDSA_MODE == 2
+#define MLD_NAMESPACETOP MLD_44_ref
+#define MLD_NAMESPACE(s) MLD_44_ref_##s
+#elif MLDSA_MODE == 3
+#define MLD_NAMESPACETOP MLD_65_ref
+#define MLD_NAMESPACE(s) MLD_65_ref_##s
+#elif MLDSA_MODE == 5
+#define MLD_NAMESPACETOP MLD_87_ref
+#define MLD_NAMESPACE(s) MLD_87_ref_##s
+#endif
+
+/******************************************************************************
+ * Name:        MLD_CONFIG_ARITH_BACKEND_FILE
+ *
+ * Description: The arithmetic backend to use.
+ *
+ *              If MLD_CONFIG_USE_NATIVE_BACKEND_ARITH is unset, this option
+ *              is ignored.
+ *
+ *              If MLD_CONFIG_USE_NATIVE_BACKEND_ARITH is set, this option must
+ *              either be undefined or the filename of an arithmetic backend.
+ *              If unset, the default backend will be used.
+ *
+ *              This can be set using CFLAGS.
+ *
+ *****************************************************************************/
+#if defined(MLD_CONFIG_USE_NATIVE_BACKEND_ARITH) && \
+    !defined(MLD_CONFIG_ARITH_BACKEND_FILE)
+#define MLD_CONFIG_ARITH_BACKEND_FILE "native/meta.h"
+#endif
+
+/******************************************************************************
+ * Name:        MLD_CONFIG_FIPS202_BACKEND_FILE
+ *
+ * Description: The FIPS-202 backend to use.
+ *
+ *              If MLD_CONFIG_USE_NATIVE_BACKEND_FIPS202 is set, this option
+ *              must either be undefined or the filename of a FIPS202 backend.
+ *              If unset, the default backend will be used.
+ *
+ *              This can be set using CFLAGS.
+ *
+ *****************************************************************************/
+#if defined(MLD_CONFIG_USE_NATIVE_BACKEND_FIPS202) && \
+    !defined(MLD_CONFIG_FIPS202_BACKEND_FILE)
+#define MLD_CONFIG_FIPS202_BACKEND_FILE "fips202/native/auto.h"
+#endif
+
+/******************************************************************************
+ * Name:        MLD_CONFIG_CUSTOM_ZEROIZE
+ *
+ * Description: In compliance with FIPS 204 Section 3.6.3, mldsa-native zeroizes
+ *              intermediate stack buffers before returning from function calls.
+ *
+ *              Set this option and define `mld_zeroize_native` if you want to
+ *              use a custom method to zeroize intermediate stack buffers.
+ *              The default implementation uses SecureZeroMemory on Windows
+ *              and a memset + compiler barrier otherwise. If neither of those
+ *              is available on the target platform, compilation will fail,
+ *              and you will need to use MLD_CONFIG_CUSTOM_ZEROIZE to provide
+ *              a custom implementation of `mld_zeroize_native()`.
+ *
+ *              WARNING:
+ *              The explicit stack zeroization conducted by mldsa-native
+ *              reduces the likelihood of data leaking on the stack, but
+ *              does not eliminate it! The C standard makes no guarantee about
+ *              where a compiler allocates structures and whether/where it makes
+ *              copies of them. Also, in addition to entire structures, there
+ *              may also be potentially exploitable leakage of individual values
+ *              on the stack.
+ *
+ *              If you need bullet-proof zeroization of the stack, you need to
+ *              consider additional measures instead of what this feature
+ *              provides. In this case, you can set mld_zeroize_native to a
+ *              no-op.
+ *
+ *****************************************************************************/
+#define MLD_CONFIG_CUSTOM_ZEROIZE
+#if !defined(__ASSEMBLER__)
+#include <stdint.h>
+#include <string.h>
+#include "../mldsa/sys.h"
+static MLD_INLINE void mld_zeroize_native(void *ptr, size_t len)
+{
+  explicit_bzero(ptr, len);
+}
+#endif
+
+
+/******************************************************************************
+ * Name:        MLD_CONFIG_KEYGEN_PCT
+ *
+ * Description: Compliance with @[FIPS140_3_IG, p.87] requires a
+ *              Pairwise Consistency Test (PCT) to be carried out on a freshly
+ *              generated keypair before it can be exported.
+ *
+ *              Set this option if such a check should be implemented.
+ *              In this case, crypto_sign_keypair_internal and
+ *              crypto_sign_keypair will return a non-zero error code if the
+ *              PCT failed.
+ *
+ *              NOTE: This feature will drastically lower the performance of
+ *              key generation.
+ *
+ *****************************************************************************/
+/* #define MLD_CONFIG_KEYGEN_PCT */
+
+/******************************************************************************
+ * Name:        MLD_CONFIG_KEYGEN_PCT_BREAKAGE_TEST
+ *
+ * Description: If this option is set, the user must provide a runtime
+ *              function `static inline int mld_break_pct() { ... }` to
+ *              indicate whether the PCT should be made fail.
+ *
+ *              This option only has an effect if MLD_CONFIG_KEYGEN_PCT is set.
+ *
+ *****************************************************************************/
+/* #define MLD_CONFIG_KEYGEN_PCT_BREAKAGE_TEST
+   #if !defined(__ASSEMBLER__)
+   #include "sys.h"
+   static MLD_INLINE int mld_break_pct(void)
+   {
+       ... return 0/1 depending on whether PCT should be broken ...
+   }
+   #endif
+*/
+
+/******************************************************************************
+ * Name:        MLD_CONFIG_NO_ASM
+ *
+ * Description: If this option is set, mldsa-native will be built without
+ *              use of native code or inline assembly.
+ *
+ *              By default, inline assembly is used to implement value barriers.
+ *              Without inline assembly, mldsa-native will use a global volatile
+ *              'opt blocker' instead; see ct.h.
+ *
+ *              Inline assembly is also used to implement a secure zeroization
+ *              function on non-Windows platforms. If this option is set and
+ *              the target platform is not Windows, you MUST set
+ *              MLK_CONFIG_CUSTOM_ZEROIZE and provide a custom zeroization
+ *              function.
+ *
+ *              If this option is set, MLD_CONFIG_USE_NATIVE_BACKEND_FIPS202 and
+ *              and MLD_CONFIG_USE_NATIVE_BACKEND_ARITH will be ignored, and no
+ *              native backends will be used.
+ *
+ *****************************************************************************/
+#define MLD_CONFIG_NO_ASM
+
+
+#endif /* !MLD_CONFIG_H */
