Enhance Side Channel resistance of TPM2 RSA Decryption Wrapper #84
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# (C) 2023 Jack Lloyd | |
# (C) 2023 Fabian Albert, Rohde & Schwarz Cybersecurity | |
# | |
# Botan is released under the Simplified BSD License (see license.txt) | |
name: nightly | |
permissions: | |
contents: read | |
# implicitly all other scopes not listed become none | |
on: | |
workflow_dispatch: | |
push: | |
paths: | |
# Run if a pull request changes this workflow to | |
# validate it works properly before merging. | |
- '.github/workflows/nightly.yml' | |
schedule: | |
# runs every day at 3:14 AM UTC | |
- cron: '14 3 * * *' | |
jobs: | |
sanitizer: | |
name: "Sanitizers" | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- target: sanitizer | |
compiler: msvc | |
host_os: windows-2022 | |
make_tool: ninja | |
- target: sanitizer | |
compiler: gcc | |
host_os: ubuntu-24.04 | |
runs-on: ${{ matrix.host_os }} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
path: ./source | |
- name: Read Repository Configuration | |
uses: ./source/.github/actions/read-repo-config | |
- name: Fetch BoringSSL fork for BoGo tests | |
uses: actions/checkout@v4 | |
with: | |
repository: ${{ env.BORINGSSL_REPO }} | |
ref: ${{ env.BORINGSSL_BRANCH }} | |
path: ./boringssl | |
- name: Setup Build Agent | |
uses: ./source/.github/actions/setup-build-agent | |
with: | |
target: ${{ matrix.target }} | |
cache-key: ${{ matrix.host_os }}-${{ matrix.compiler }}-x86_64-${{ matrix.target }} | |
- name: Build and Test Botan | |
run: python3 ./source/src/scripts/ci_build.py --root-dir=${{ github.workspace }}/source --build-dir=${{ github.workspace }}/build --boringssl-dir=${{ github.workspace }}/boringssl --cc='${{ matrix.compiler }}' --make-tool='${{ matrix.make_tool }}' --test-results-dir=junit_results ${{ matrix.target }} | |
x-compile: | |
name: "Cross" | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- target: cross-alpha | |
compiler: gcc | |
host_os: ubuntu-24.04 | |
- target: cross-hppa64 | |
compiler: gcc | |
host_os: ubuntu-24.04 | |
- target: cross-m68k | |
compiler: gcc | |
host_os: ubuntu-24.04 | |
- target: cross-mips | |
compiler: gcc | |
host_os: ubuntu-24.04 | |
- target: cross-ppc32 | |
compiler: gcc | |
host_os: ubuntu-24.04 | |
- target: cross-sh4 | |
compiler: gcc | |
host_os: ubuntu-24.04 | |
- target: cross-sparc64 | |
compiler: gcc | |
host_os: ubuntu-24.04 | |
- target: cross-riscv64 | |
compiler: gcc | |
host_os: ubuntu-24.04 | |
- target: cross-s390x | |
compiler: gcc | |
host_os: ubuntu-24.04 | |
- target: cross-android-arm64-amalgamation | |
compiler: clang | |
host_os: ubuntu-24.04 | |
- target: cross-arm64-amalgamation | |
compiler: gcc | |
host_os: ubuntu-24.04 | |
- target: emscripten | |
compiler: emcc | |
host_os: macos-14 | |
- target: sde | |
compiler: gcc | |
host_os: ubuntu-24.04 | |
runs-on: ${{ matrix.host_os }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Read Repository Configuration | |
uses: ./.github/actions/read-repo-config | |
- name: Setup Build Agent | |
uses: ./.github/actions/setup-build-agent | |
with: | |
target: ${{ matrix.target }} | |
cache-key: ${{ matrix.host_os }}-${{ matrix.compiler }}-xcompile-${{ matrix.target }} | |
- name: Build and Test Botan | |
run: python3 ./src/scripts/ci_build.py --cc='${{ matrix.compiler }}' --make-tool='${{ matrix.make_tool }}' --test-results-dir=junit_results ${{ matrix.target }} | |
clang_tidy: | |
name: "clang-tidy" | |
runs-on: ubuntu-24.04 | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Read Repository Configuration | |
uses: ./.github/actions/read-repo-config | |
- name: Setup Build Agent | |
uses: ./.github/actions/setup-build-agent | |
with: | |
target: clang-tidy | |
cache-key: linux-x86_64-clang-tidy | |
- name: Install dependencies | |
run: sudo apt-get -qq install libboost-dev libbz2-dev liblzma-dev libsqlite3-dev | |
- name: Configure Build | |
run: python3 ./configure.py --cc=clang --build-targets=shared,cli,tests,examples,bogo_shim --build-fuzzers=test --with-boost --with-sqlite --with-zlib --with-lzma --with-bzip2 | |
- name: Run Clang Tidy | |
run: python3 ./src/scripts/dev_tools/run_clang_tidy.py --verbose | |
valgrind: | |
name: "valgrind" | |
strategy: | |
fail-fast: false | |
# Targets: | |
# - valgrind-full: all tests on valgrind, aiming to catch memory bugs | |
# - valgrind: reduced set of tests on valgrind, aiming to catch memory bugs | |
# - valgrind-ct-full: all tests on valgrind, aiming to catch secret-dependent execution issues | |
# - valgrind-ct: reduced set of tests on valgrind, aiming to catch secret-dependent execution issues | |
matrix: | |
# Run a matrix of compiler and optimization flag combinations to maximize | |
# the signal of secret-dependent execution issues introduced by compilers. | |
compiler: ["clang", "gcc"] | |
cxxflags: ["-O1", "-O2", "-O3"] | |
target: ["valgrind-ct-full"] | |
include: | |
- compiler: clang | |
cxxflags: "" # default compilation flags | |
target: "valgrind-full" # memory bug detection | |
- compiler: clang | |
cxxflags: "-Os" | |
# Clang's -Os generated binary is fast enough to run the full test suite. | |
target: "valgrind-ct-full" | |
- compiler: gcc | |
cxxflags: "-Os" | |
# GCC with -Os generates a much slower binary, that won't finish | |
# before timing out on GH Actions, so we run a reduced set of tests. | |
target: "valgrind-ct" | |
runs-on: ubuntu-24.04 | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Read Repository Configuration | |
uses: ./.github/actions/read-repo-config | |
- name: Setup Build Agent | |
uses: ./.github/actions/setup-build-agent | |
with: | |
target: ${{ matrix.target }} | |
cache-key: linux-x86_64-${{ matrix.compiler }}-${{ matrix.target }}-${{ matrix.cxxflags }} | |
- name: Valgrind Checks | |
run: python3 ./src/scripts/ci_build.py --make-tool=make --cc=${{ matrix.compiler }} --custom-optimization-flags="${{ matrix.cxxflags }}" ${{ matrix.target }} | |
hybrid_tls_interop: | |
name: "PQ/T TLS 1.3" | |
runs-on: ubuntu-24.04 | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Read Repository Configuration | |
uses: ./.github/actions/read-repo-config | |
- name: Setup Build Agent | |
uses: ./.github/actions/setup-build-agent | |
with: | |
target: hybrid-tls13-interop-test | |
cache-key: linux-x86_64-hybrid_tls | |
- name: Hybrid PQ/T TLS 1.3 Online Interop Checks | |
run: python3 ./src/scripts/ci_build.py --cc=gcc --make-tool=make hybrid-tls13-interop-test | |
tls_anvil_server_test: | |
name: "TLS-Anvil (server)" | |
runs-on: ubuntu-24.04 | |
steps: | |
- name: Fetch Botan Repository | |
uses: actions/checkout@v4 | |
- name: Read Repository Configuration | |
uses: ./.github/actions/read-repo-config | |
- name: Setup Build Agent | |
uses: ./.github/actions/setup-build-agent | |
with: | |
target: tlsanvil | |
cache-key: linux-x86_64-tlsanvil | |
- name: Build and Test Botan Server with TLS-Anvil | |
run: > | |
python3 ./src/scripts/ci/ci_tlsanvil_test.py | |
--botan-dir . | |
--test-target server | |
--parallel $(nproc) | |
- uses: actions/upload-artifact@v4 | |
with: | |
name: tls-anvil-server-test-results | |
path: | | |
./TestSuiteResults/ | |
./logs/ | |
- name: Check TLS-Anvil Test Results | |
run: python3 ./src/scripts/ci/ci_tlsanvil_check.py --verbose ./TestSuiteResults |