Add basic AWS-LC integration test

hanno-becker · hanno-becker · commit a6e16d6a5532 · 2025-02-05T20:15:42.000Z
This commit extends the CI with an integration test for AWS-LC.

The integration test currently works with the `mlkem_native`
branch from the fork `hanno-becker/aws-lc`, which
- Removes the reference implementation
- Provides an importer.sh for importing mlkem-native
- Provides the glue code between mlkem-native's own API
  and the API expected by AWS-LC.
- As a temporary change, it disables `-Werror=redundant-decls`,
  because mlkem-native does not yet support it.

The CI checks that mlkem-native successfully integrated to this
fork, by building and running basic tests of AWS-LC in FIPS
and non-FIPS mode.

Signed-off-by: Hanno Becker &lt;beckphan@amazon.co.uk&gt;
diff --git a/.github/actions/setup-aws-lc/action.yml b/.github/actions/setup-aws-lc/action.yml
@@ -0,0 +1,34 @@
+# SPDX-License-Identifier: Apache-2.0
+
+name: Setup AWS-LC
+description: Setup AWS-LC
+
+inputs:
+  dir:
+    description: Directory to fetch AWS-LC into
+    default: 'AWS-LC'
+  repository:
+    description: Repository to fetch from
+    default: 'aws/AWS-LC'
+  commit:
+    description: Commit to fetch
+    default: 'HEAD'
+  gh_token:
+    description: Github access token to use
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Fetch AWS-LC
+      shell: bash
+      run: |
+        mkdir ${{ inputs.dir }} && cd ${{ inputs.dir }}
+        git config --global --add safe.directory $GITHUB_WORKSPACE/${{ inputs.dir }}
+        git init
+        git remote add origin $GITHUB_SERVER_URL/${{ inputs.repository }}
+        git fetch origin --depth 1 ${{ inputs.commit }}
+        git checkout FETCH_HEAD
+
+        # Remember AWS-LC directory
+        echo AWSLC_DIR="$GITHUB_WORKSPACE/${{ inputs.dir }}" >> $GITHUB_ENV
diff --git a/.github/actions/setup-brew/action.yml b/.github/actions/setup-brew/action.yml
@@ -0,0 +1,30 @@
+# SPDX-License-Identifier: Apache-2.0
+
+name: Dependencies (apt)
+description: Install dependencies via brew
+
+inputs:
+  packages:
+    description: Space-separated list of additional packages to install
+    required: false
+    default: ''
+  sudo:
+    required: false
+    default: 'sudo'
+
+runs:
+  using: composite
+  steps:
+    - name: Update package repository
+      shell: bash
+      run: |
+        brew update
+    - name: Install base packages
+      shell: bash
+      run: |
+        brew install make gcc python3
+    - name: Install additional packages
+      if: ${{ inputs.packages != ''}}
+      shell: bash
+      run: |
+        brew install ${{ inputs.packages }}
diff --git a/.github/actions/setup-os/action.yml b/.github/actions/setup-os/action.yml
@@ -20,6 +20,8 @@ runs:
       run: |
         if (which yum > /dev/null); then
            echo PKG="yum" >> $GITHUB_ENV
+        elif (which brew > /dev/null); then
+           echo PKG="brew" >> $GITHUB_ENV
         elif (which apt > /dev/null); then
            echo PKG="apt" >> $GITHUB_ENV
         fi
@@ -35,3 +37,9 @@ runs:
       with:
         packages: ${{ inputs.packages }}
         sudo: ${{ inputs.sudo }}
+    - name: Setup via brew
+      if: ${{ env.PKG == 'brew' }}
+      uses: ./.github/actions/setup-brew
+      with:
+        packages: ${{ inputs.packages }}
+        sudo: ${{ inputs.sudo }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -209,6 +209,61 @@ jobs:
             ./scripts/autogen ${{ matrix.backend.arg }} ${{ matrix.simplify.arg }}
             make clean
             OPT=1 make quickcheck
+  aws_lc_integration_fips:
+    strategy:
+      fail-fast: false
+      matrix:
+        system: [ubuntu-latest, pqcp-arm64]
+        fips: [0,1]
+    name: AWS-LC FIPS test (${{ matrix.system }}, FIPS=${{ matrix.fips }})
+    runs-on: ${{ matrix.system }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: ./.github/actions/setup-os
+        with:
+          packages: 'cmake'
+      - uses: ./.github/actions/setup-aws-lc
+        with:
+          repository: 'hanno-becker/aws-lc'
+          commit: 'mlkem_native'
+      - name: Run importer
+        run: |
+          cd $AWSLC_DIR/crypto/fipsmodule/ml_kem
+          GITHUB_REPOSITORY=$GITHUB_REPOSITORY GITHUB_SHA=$GITHUB_SHA ./importer.sh
+      - name: Build AWS-LC (FIPS=1)
+        run: |
+          cd $AWSLC_DIR
+          mkdir build
+          cd build
+          cmake -DFIPS=${{ matrix.fips }} ..
+          cd ..
+
+          cmake --build ./build --target all
+          cmake --build ./build --target run_tests
+  aws_lc_integration_posix:
+    strategy:
+      fail-fast: false
+      matrix:
+        system: [ubuntu-latest, pqcp-arm64, macos-latest]
+    name: AWS-LC Posix test (${{ matrix.system }})
+    runs-on: ${{ matrix.system }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: ./.github/actions/setup-os
+        with:
+          packages: 'cmake golang'
+      - uses: ./.github/actions/setup-aws-lc
+        with:
+          repository: 'hanno-becker/aws-lc'
+          commit: 'mlkem_native'
+      - name: Run importer
+        run: |
+          cd $AWSLC_DIR/crypto/fipsmodule/ml_kem
+          GITHUB_REPOSITORY=$GITHUB_REPOSITORY GITHUB_SHA=$GITHUB_SHA ./importer.sh
+      - name: Build AWS-LC (FIPS=1)
+        run: |
+          cd $AWSLC_DIR
+          ./tests/ci/run_posix_tests.sh
   build_kat:
     needs: [quickcheck, quickcheck-windows, quickcheck-c90, quickcheck-lib, examples, lint, lint-markdown-link]
     strategy:
