Merge pull request #589 from pq-code-package/nix-compat

Make nix config compatible for nix version >= 2.6

Author: hanno-becker

.github/workflows/nix.yml

@@ -0,0 +1,87 @@
+# SPDX-License-Identifier: Apache-2.0
+
+name: Nix
+permissions:
+  contents: read
+on:
+  push:
+    branches: ["main"]
+    # Only run upon changes to nix files
+    paths:
+      - 'flake.lock'
+      - 'flake.nix'
+      - 'nix/**'
+  pull_request:
+    branches: ["main"]
+    # Only run upon changes to nix files
+    paths:
+      - 'flake.lock'
+      - 'flake.nix'
+      - 'nix/**'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  develop_environment:
+    strategy:
+      fail-fast: false
+      matrix:
+        target:
+          - runner: ubuntu-latest
+            container: nixos/nix:2.6.1
+            install: 'native'
+          - runner: ubuntu-22.04
+            container:
+            install: 'apt'
+          - runner: ubuntu-24.04
+            container:
+            install: 'apt'
+          - runner: macos-latest
+            container:
+            install: 'installer'
+          - runner: ubuntu-20.04
+            container:
+            install: 'installer'
+          - runner: ubuntu-22.04
+            container:
+            install: 'installer'
+          - runner: ubuntu-24.04
+            container:
+            install: 'installer'
+    name: nix setup test (${{ matrix.target.container != '' && matrix.target.container || matrix.target.runner }}, nix via ${{ matrix.target.install }})
+    runs-on: ${{ matrix.target.runner }}
+    if: github.repository_owner == 'pq-code-package' && !github.event.pull_request.head.repo.fork
+    container:
+      ${{ matrix.target.container }}
+    steps:
+      - name: Install git
+        shell: bash
+        run: |
+          if ! which git 2>&1 >/dev/null; then
+            ${{ matrix.target.container == '' && 'sudo' || '' }} apt update
+            ${{ matrix.target.container == '' && 'sudo' || '' }} apt install git -y
+          fi
+      - name: Manual checkout
+        shell: bash
+        run: |
+          git init
+          git config --global --add safe.directory $GITHUB_WORKSPACE
+          git remote add origin $GITHUB_SERVER_URL/$GITHUB_REPOSITORY
+          git fetch origin --depth 1 $GITHUB_SHA
+          git checkout FETCH_HEAD
+      - name: Install nix via apt
+        if: ${{ matrix.target.install == 'apt' }}
+        run: |
+          ${{ matrix.target.container == '' && 'sudo' || '' }} apt install nix -y
+      - name: Install nix via installer script
+        if: ${{ matrix.target.install == 'installer' }}
+        shell: bash
+        run: |
+          sh <(curl -L https://nixos.org/nix/install) --daemon
+          . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
+          echo "$(dirname $(which nix))" >> $GITHUB_PATH
+      - name: nix develop
+        run: |
+          ${{ matrix.target.install == 'apt' && 'sudo' || '' }} nix develop --experimental-features "nix-command flakes"

BUILDING.md

@@ -71,7 +71,9 @@ There are further scripts used for development of mlkem-native, such as `format`
 
 ### nix setup
 
-We specify the development environment for mlkem-native using nix. If you want to help develop mlkem-native, please setup nix using the [nix installer script](https://nixos.org/download/), not your package manager.
+We specify the development environment for mlkem-native using `nix`. If you want to help develop mlkem-native, please
+use `nix`. We recommend using the latest Nix version provided by the [nix installer
+script](https://nixos.org/download/), but we currently support all Nix versions >= 2.6.
 
 All the development and build dependencies are specified in [flake.nix](flake.nix). To execute a bash shell, run
 ```bash

flake.nix

@@ -17,139 +17,57 @@
     flake-parts.lib.mkFlake { inherit inputs; } {
       imports = [ ];
       systems = [ "x86_64-linux" "aarch64-linux" "aarch64-darwin" "x86_64-darwin" ];
-      perSystem = { config, pkgs, system, inputs', ... }:
+      perSystem = { config, pkgs, system, ... }:
         let
-          glibc-join = p: p.buildPackages.symlinkJoin {
-            name = "glibc-join";
-            paths = [ p.glibc p.glibc.static ];
-          };
-
-          wrap-gcc = p: p.buildPackages.wrapCCWith {
-            cc = p.buildPackages.gcc13.cc;
-            bintools = p.buildPackages.wrapBintoolsWith {
-              bintools = p.buildPackages.binutils-unwrapped;
-              libc = glibc-join p;
-            };
-          };
-
-          native-gcc =
-            if pkgs.stdenv.isDarwin
-            then null
-            else wrap-gcc pkgs;
-
-          # cross is for determining whether to install the cross toolchain or not
-          core = { cross ? true }:
-            let
-              x86_64-gcc = wrap-gcc pkgs.pkgsCross.gnu64;
-              aarch64-gcc = wrap-gcc pkgs.pkgsCross.aarch64-multiplatform;
-              riscv64-gcc = wrap-gcc pkgs.pkgsCross.riscv64;
-              aarch64_be-gcc = (pkgs.callPackage ./nix/aarch64_be-none-linux-gnu-gcc.nix { });
-            in
-            # NOTE:
-              # - native toolchain should be equipped in the shell via `mkShellWithCC` (see `mkShell`)
-              # - only install extra cross-compiled toolchains if not on darwin or `cross` is specifally set to true
-              # - providing cross compilation toolchain (x86_64/aarch64-linux) for darwin can be cumbersome
-              #   and won't just work for now
-              # - equip all toolchains if cross is explicitly set to true
-              # - On some machines, `native-gcc` needed to be evaluated lastly (placed as the last element of the toolchain list), or else would result in environment variables (CC, AR, ...) overriding issue.
-            pkgs.lib.optionals (cross && !pkgs.stdenv.isDarwin) [
-              (pkgs.lib.optional (! pkgs.stdenv.hostPlatform.isx86_64) x86_64-gcc)
-              (pkgs.lib.optional (! pkgs.stdenv.hostPlatform.isAarch64) aarch64-gcc)
-              (pkgs.lib.optional (! pkgs.stdenv.hostPlatform.isRiscV64) riscv64-gcc)
-              (pkgs.lib.optional (pkgs.stdenv.hostPlatform.isx86_64) aarch64_be-gcc)
-              native-gcc
-            ]
-            ++ builtins.attrValues {
-              inherit (config.packages) base;
-              inherit (pkgs)
-                qemu; # 8.2.4
-            };
-
-          wrapShell = mkShell: attrs:
-            mkShell (attrs // {
-              shellHook = ''
-                export PATH=$PWD/scripts:$PWD/scripts/ci:$PATH
-              '' +
-              # NOTE: we don't support nix gcc toolchains for darwin system, therefore explicitly setting environment variables like CC, AR, AS, ... is required
-              pkgs.lib.optionalString pkgs.stdenv.isDarwin ''
-                export CC=gcc
-                export CXX=g++
-                for cmd in \
-                    ar as ld nm objcopy objdump readelf ranlib strip strings size windres
-                do
-                    export ''${cmd^^}=$cmd
-                done
-              '';
-            });
-
-          # NOTE: idiomatic nix way of properly setting the $CC in a nix shell
-          mkShellWithCC = cc: pkgs.mkShellNoCC.override { stdenv = pkgs.overrideCC pkgs.stdenv cc; };
-          mkShell = mkShellWithCC native-gcc;
+          util = pkgs.callPackage ./nix/util.nix { bitwuzla = inputs.nixpkgs-unstable.legacyPackages.${system}.bitwuzla; };
         in
         {
-          # NOTE: hack for replacing bitwuzla in nixos-24.05 (0.4.0) to the one in nixos-unstable (0.6.0) by nix overlays
-          _module.args.pkgs = import inputs.nixpkgs {
-            inherit system;
-            overlays = [
-              (_: _: { bitwuzla = inputs'.nixpkgs-unstable.legacyPackages.bitwuzla; })
-            ];
-          };
-
-          packages.linters = pkgs.buildEnv
-            {
-              name = "pqcp-linters";
-              paths = builtins.attrValues {
-                clang-tools = pkgs.clang-tools.overrideAttrs {
-                  unwrapped = pkgs.llvmPackages_17.clang-unwrapped;
-                };
+          packages.cbmc = util.cbmc;
 
-                inherit (pkgs)
-                  nixpkgs-fmt
-                  shfmt;
-
-                inherit (pkgs.python3Packages)
-                  black;
-              };
-            };
-
-          packages.cbmc = pkgs.callPackage ./nix/cbmc { }; # 6.4.1
-
-          packages.base = pkgs.buildEnv {
-            name = "pqcp-base";
-            paths = builtins.attrValues {
-              inherit (pkgs.python3Packages)
-                pyyaml
-                python
-                click;
-            };
-          };
-
-          devShells.default = wrapShell mkShell {
+          devShells.default = util.wrapShell util.mkShell {
             packages =
-              core { } ++
+              util.core { } ++
+              util.linters ++
               builtins.attrValues
                 {
-                  inherit (config.packages) linters cbmc;
+                  inherit (config.packages) cbmc;
                   inherit (pkgs)
                     direnv
                     nix-direnv;
                 };
           };
 
-          devShells.ci = wrapShell mkShell { packages = core { cross = false; }; };
-          devShells.ci-cross = wrapShell mkShell { packages = core { }; };
-          devShells.ci-cbmc = wrapShell mkShell { packages = core { cross = false; } ++ [ config.packages.cbmc ]; };
-          devShells.ci-cbmc-cross = wrapShell mkShell { packages = core { } ++ [ config.packages.cbmc ]; };
-          devShells.ci-linter = wrapShell pkgs.mkShellNoCC { packages = [ config.packages.linters ]; };
-
-          devShells.ci_clang18 = wrapShell (mkShellWithCC pkgs.clang_18) { packages = [ config.packages.base ]; };
-          devShells.ci_gcc48 = wrapShell (mkShellWithCC pkgs.gcc48) { packages = [ config.packages.base ]; };
-          devShells.ci_gcc49 = wrapShell (mkShellWithCC pkgs.gcc49) { packages = [ config.packages.base ]; };
-          devShells.ci_gcc7 = wrapShell (mkShellWithCC pkgs.gcc7) { packages = [ config.packages.base ]; };
-          devShells.ci_gcc11 = wrapShell (mkShellWithCC pkgs.gcc11) { packages = [ config.packages.base ]; };
-          devShells.ci_gcc14 = wrapShell (mkShellWithCC pkgs.gcc14) { packages = [ config.packages.base ]; };
+          devShells.ci = util.wrapShell util.mkShell { packages = util.core { cross = false; }; };
+          devShells.ci-cross = util.wrapShell util.mkShell { packages = util.core { }; };
+          devShells.ci-cbmc = util.wrapShell util.mkShell { packages = util.core { cross = false; } ++ [ config.packages.cbmc ]; };
+          devShells.ci-cbmc-cross = util.wrapShell util.mkShell { packages = util.core { } ++ [ config.packages.cbmc ]; };
+          devShells.ci-linter = util.wrapShell pkgs.mkShellNoCC { packages = util.linters; };
+
+          devShells.ci_clang18 = util.wrapShell (util.mkShellWithCC pkgs.clang_18) { packages = [ pkgs.python3 ]; };
+          devShells.ci_gcc48 = util.wrapShell (util.mkShellWithCC pkgs.gcc48) { packages = [ pkgs.python3 ]; };
+          devShells.ci_gcc49 = util.wrapShell (util.mkShellWithCC pkgs.gcc49) { packages = [ pkgs.python3 ]; };
+          devShells.ci_gcc7 = util.wrapShell (util.mkShellWithCC pkgs.gcc7) { packages = [ pkgs.python3 ]; };
+          devShells.ci_gcc11 = util.wrapShell (util.mkShellWithCC pkgs.gcc11) { packages = [ pkgs.python3 ]; };
+          devShells.ci_gcc14 = util.wrapShell (util.mkShellWithCC pkgs.gcc14) { packages = [ pkgs.python3 ]; };
         };
       flake = {
+        devShell.x86_64-linux =
+          let
+            pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux;
+            pkgs-unstable = inputs.nixpkgs-unstable.legacyPackages.x86_64-linux;
+            util = pkgs.callPackage ./nix/util.nix {
+              inherit pkgs;
+              bitwuzla = pkgs-unstable.bitwuzla;
+            };
+          in
+          util.wrapShell util.mkShell {
+            packages =
+              util.core { } ++
+              util.linters ++
+              [
+                util.cbmc
+              ];
+          };
         # The usual flake attributes can be defined here, including system-
         # agnostic ones like nixosModule and system-enumerating ones, although
         # those are more easily expressed in perSystem.

nix/util.nix

@@ -0,0 +1,87 @@
+# SPDX-License-Identifier: Apache-2.0
+
+{ pkgs, bitwuzla }:
+rec {
+  glibc-join = p: p.buildPackages.symlinkJoin {
+    name = "glibc-join";
+    paths = [ p.glibc p.glibc.static ];
+  };
+
+  wrap-gcc = p: p.buildPackages.wrapCCWith {
+    cc = p.buildPackages.gcc13.cc;
+    bintools = p.buildPackages.wrapBintoolsWith {
+      bintools = p.buildPackages.binutils-unwrapped;
+      libc = glibc-join p;
+    };
+  };
+
+  native-gcc =
+    if pkgs.stdenv.isDarwin
+    then null
+    else wrap-gcc pkgs;
+
+  # cross is for determining whether to install the cross toolchain or not
+  core = { cross ? true }:
+    let
+      x86_64-gcc = wrap-gcc pkgs.pkgsCross.gnu64;
+      aarch64-gcc = wrap-gcc pkgs.pkgsCross.aarch64-multiplatform;
+      riscv64-gcc = wrap-gcc pkgs.pkgsCross.riscv64;
+      aarch64_be-gcc = (pkgs.callPackage ./aarch64_be-none-linux-gnu-gcc.nix { });
+    in
+    # NOTE:
+      # - native toolchain should be equipped in the shell via `mkShellWithCC` (see `mkShell`)
+      # - only install extra cross-compiled toolchains if not on darwin or `cross` is specifally set to true
+      # - providing cross compilation toolchain (x86_64/aarch64-linux) for darwin can be cumbersome
+      #   and won't just work for now
+      # - equip all toolchains if cross is explicitly set to true
+      # - On some machines, `native-gcc` needed to be evaluated lastly (placed as the last element of the toolchain list), or else would result in environment variables (CC, AR, ...) overriding issue.
+    pkgs.lib.optionals (cross && !pkgs.stdenv.isDarwin) [
+      (pkgs.lib.optional (! pkgs.stdenv.isx86_64) x86_64-gcc)
+      (pkgs.lib.optional (! pkgs.stdenv.isAarch64) aarch64-gcc)
+      (pkgs.lib.optional (pkgs.stdenv.isx86_64 || pkgs.stdenv.isAarch64) riscv64-gcc)
+      (pkgs.lib.optional (pkgs.stdenv.isx86_64) aarch64_be-gcc)
+      native-gcc
+    ]
+    ++ builtins.attrValues {
+      inherit (pkgs)
+        python3
+        qemu; # 8.2.4
+    };
+
+  wrapShell = mkShell: attrs:
+    mkShell (attrs // {
+      shellHook = ''
+        export PATH=$PWD/scripts:$PWD/scripts/ci:$PATH
+      '' +
+      # NOTE: we don't support nix gcc toolchains for darwin system, therefore explicitly setting environment variables like CC, AR, AS, ... is required
+      pkgs.lib.optionalString pkgs.stdenv.isDarwin ''
+        export CC=gcc
+        export CXX=g++
+        for cmd in \
+            ar as ld nm objcopy objdump readelf ranlib strip strings size windres
+        do
+            export ''${cmd^^}=$cmd
+        done
+      '';
+    });
+
+  # NOTE: idiomatic nix way of properly setting the $CC in a nix shell
+  mkShellWithCC = cc: pkgs.mkShellNoCC.override { stdenv = pkgs.overrideCC pkgs.stdenv cc; };
+  mkShell = mkShellWithCC native-gcc;
+
+  linters =
+    builtins.attrValues {
+      clang-tools = pkgs.clang-tools.overrideAttrs {
+        unwrapped = pkgs.llvmPackages_17.clang-unwrapped;
+      };
+
+      inherit (pkgs)
+        nixpkgs-fmt
+        shfmt;
+
+      inherit (pkgs.python3Packages)
+        black;
+    };
+
+  cbmc = pkgs.callPackage ./cbmc { inherit bitwuzla; };
+}