pq-code-package · bremoran · Jun 16, 2026 · Jun 17, 2026 · Jun 16, 2026 · Jun 11, 2026
@@ -12,3 +12,4 @@ self-hosted-runner:
     - pqcp-x64
     # RISE RISC-V runner
     - ubuntu-24.04-riscv
+    - self-hosted-nucleo-n657x0
@@ -13,98 +13,8 @@ on:
     types: [ "opened", "synchronize" ]
 
 jobs:
-  base:
-    name: Base
+  zephyr:
+    name: Zephyr
     permissions:
       contents: 'read'
-      id-token: 'write'
-    uses: ./.github/workflows/base.yml
-    secrets: inherit
-  lint-markdown:
-    name: Lint Markdown
-    permissions:
-      contents: 'read'
-      id-token: 'write'
-    uses: ./.github/workflows/lint_markdown.yml
-  nix:
-    name: Nix
-    permissions:
-      actions: 'write'
-      contents: 'read'
-      id-token: 'write'
-    uses: ./.github/workflows/nix.yml
-    secrets: inherit
-  riscv:
-    name: RISC-V
-    permissions:
-      contents: 'read'
-      id-token: 'write'
-    needs: [ base ]
-    uses: ./.github/workflows/riscv.yml
-  ci:
-    name: Extended
-    permissions:
-      contents: 'read'
-      id-token: 'write'
-    needs: [ base, nix ]
-    uses: ./.github/workflows/ci.yml
-    secrets: inherit
-  cbmc:
-    name: CBMC
-    permissions:
-      contents: 'read'
-      id-token: 'write'
-      pull-requests: 'write'
-    needs: [ base, nix ]
-    uses: ./.github/workflows/cbmc.yml
-    secrets: inherit
-  oqs_integration:
-    name: libOQS
-    permissions:
-      contents: 'read'
-      id-token: 'write'
-    needs: [ base ]
-    uses: ./.github/workflows/integration-liboqs.yml
-    secrets: inherit
-  pavona_integration:
-    name: Pavona
-    permissions:
-      contents: 'read'
-      id-token: 'write'
-    needs: [ base ]
-    uses: ./.github/workflows/integration-pavona.yml
-    secrets: inherit
-  awslc_integration:
-    name: AWS-LC
-    permissions:
-      contents: 'read'
-      id-token: 'write'
-    needs: [ base ]
-    uses: ./.github/workflows/integration-awslc.yml
-    with:
-      commit: v5.0.0
-    secrets: inherit
-  ct-test:
-    name: Constant-time
-    permissions:
-      contents: 'read'
-      id-token: 'write'
-    needs: [ base, nix ]
-    uses: ./.github/workflows/ct-tests.yml
-    secrets: inherit
-  slothy:
-    name: SLOTHY
-    permissions:
-      contents: 'read'
-      id-token: 'write'
-    needs: [ base, nix ]
-    uses: ./.github/workflows/slothy.yml
-    secrets: inherit
-  baremetal:
-    name: Baremetal
-    permissions:
-      contents: 'read'
-      id-token: 'write'
-    needs: [ base ]
-    uses: ./.github/workflows/baremetal.yml
-    secrets: inherit
+    uses: ./.github/workflows/zephyr.yml
@@ -16,27 +16,6 @@ jobs:
       fail-fast: false
       matrix:
         target:
-         - runner: ubuntu-latest
-           name: 'M55-AN547'
-           makefile: test/baremetal/platform/m55-an547/platform.mk
-           nix-shell: cross-arm-embedded
-           func: true
-           kat: true
-           acvp: true
-           wycheproof: false
-           alloc: true
-           bench: true
-           opt: all
-         - runner: ubuntu-latest
-           name: 'M33-AN524'
-           makefile: test/baremetal/platform/m33-an524/platform.mk
-           nix-shell: cross-arm-embedded
-           func: true
-           kat: true
-           acvp: true
-           alloc: true
-           bench: true
-           opt: no_opt
          - runner: ubuntu-latest
            name: 'AVR ATmega128RFR2 (modified for 32K RAM)'
            makefile: test/baremetal/platform/avr/platform.mk

@@ -36,6 +36,8 @@ jobs:
           ldflags: "-flto"
           bench_extra_args: ""
           nix_shell: bench
+          extra_makefile: ""
+          zephyr_target: ""
         - system: rpi5
           name: Arm Cortex-A76 (Raspberry Pi 5) benchmarks
           bench_pmu: PERF
@@ -45,6 +47,8 @@ jobs:
           bench_extra_args: ""
           nix_shell: bench
           cross_prefix: ""
+          extra_makefile: ""
+          zephyr_target: ""
         - system: a55
           name: Arm Cortex-A55 (Snapdragon 888) benchmarks
           bench_pmu: PERF
@@ -53,6 +57,8 @@ jobs:
           ldflags: "-flto -static"
           bench_extra_args: -w exec-on-a55
           nix_shell: bench
+          extra_makefile: ""
+          zephyr_target: ""
         - system: bpi
           name: SpacemiT K1 8 (Banana Pi F3) benchmarks
           bench_pmu: PERF
@@ -62,6 +68,8 @@ jobs:
           bench_extra_args: -w exec-on-bpi
           cross_prefix: riscv64-unknown-linux-gnu-
           nix_shell: cross-riscv64
+          extra_makefile: ""
+          zephyr_target: ""
         - system: m1-mac-mini
           name: Mac Mini (M1, 2020) benchmarks
           bench_pmu: MAC
@@ -70,6 +78,8 @@ jobs:
           ldflags: "-flto"
           bench_extra_args: "-r"
           nix_shell: bench
+          extra_makefile: ""
+          zephyr_target: ""
         - system: pqcp-ppc64
           name:  ppc64le (POWER10) benchmarks
           bench_pmu: PERF
@@ -79,11 +89,27 @@ jobs:
           bench_extra_args: "-r"
           nix_shell: ''
           cross_prefix: ""
+          extra_makefile: ""
+          zephyr_target: ""
+        - system: nucleo-n657x0
+          name: Arm Cortex-M55 (NUCLEO-N657X0-Q) benchmarks
+          bench_pmu: NO
+          archflags: ""
+          cflags: ""
+          ldflags: ""
+          bench_extra_args: ""
+          nix_shell: zephyr
+          cross_prefix: ""
+          extra_makefile: test/zephyr/platform.mk
+          zephyr_target: nucleo-n657x0-q
     if: github.repository_owner == 'pq-code-package' && !github.event.pull_request.head.repo.fork && (github.event.label.name == 'benchmark' || github.ref == 'refs/heads/main')
     runs-on: self-hosted-${{ matrix.target.system }}
     steps:
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       - uses: ./.github/actions/bench
+        env:
+          EXTRA_MAKEFILE: ${{ matrix.target.extra_makefile }}
+          ZEPHYR_TARGET: ${{ matrix.target.zephyr_target }}
         with:
           name: ${{ matrix.target.name }}
           cflags: ${{ matrix.target.cflags }}

@@ -5,34 +5,7 @@ name: HOL-Light
 permissions:
   contents: read
 on:
-  push:
-    branches: ["main"]
-    paths:
-     - '.github/workflows/hol_light.yml'
-     - 'proofs/hol_light/aarch64/Makefile'
-     - 'proofs/hol_light/aarch64/**/*.S'
-     - 'proofs/hol_light/aarch64/**/*.ml'
-     - 'proofs/hol_light/x86_64/Makefile'
-     - 'proofs/hol_light/x86_64/**/*.S'
-     - 'proofs/hol_light/x86_64/**/*.ml'
-     - 'flake.nix'
-     - 'flake.lock'
-     - 'nix/hol_light/*'
-     - 'nix/s2n_bignum/*'
-  pull_request:
-    branches: ["main"]
-    paths:
-      - '.github/workflows/hol_light.yml'
-      - 'proofs/hol_light/aarch64/Makefile'
-      - 'proofs/hol_light/aarch64/**/*.S'
-      - 'proofs/hol_light/aarch64/**/*.ml'
-      - 'proofs/hol_light/x86_64/Makefile'
-      - 'proofs/hol_light/x86_64/**/*.S'
-      - 'proofs/hol_light/x86_64/**/*.ml'
-      - 'flake.nix'
-      - 'flake.lock'
-      - 'nix/hol_light/*'
-      - 'nix/s2n_bignum/*'
+  workflow_dispatch:
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}

@@ -0,0 +1,54 @@
+# Copyright (c) The mlkem-native project authors
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+name: Zephyr
+permissions:
+  contents: read
+on:
+  workflow_call:
+  workflow_dispatch:
+
+jobs:
+  zephyr_tests:
+    name: Zephyr tests (${{ matrix.target.board }}, ${{ matrix.target.cpu }})
+    strategy:
+      fail-fast: false
+      matrix:
+        target:
+          - { board: mps2-an385, cpu: Cortex-M3, opt: no_opt }
+          - { board: mps2-an386, cpu: Cortex-M4, opt: no_opt }
+          - { board: mps2-an500, cpu: Cortex-M7, opt: no_opt }
+          - { board: mps2-an521, cpu: Cortex-M33, opt: no_opt }
+          - { board: mps3-an547, cpu: Cortex-M55, opt: all }
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - name: zephyr build + test
+        uses: ./.github/actions/functest
+        env:
+          EXTRA_MAKEFILE: test/zephyr/platform.mk
+          ZEPHYR_TARGET: ${{ matrix.target.board }}
+        with:
+          nix-shell: zephyr
+          gh_token: ${{ secrets.GITHUB_TOKEN }}
+          opt: ${{ matrix.target.opt }}
+          func: true
+          kat: true
+          acvp: true
+          wycheproof: false
+          examples: false
+          unit: false
+          stack: false
+          alloc: false
+          rng_fail: false
+          check_namespace: false
+      # Smoke only: QEMU doesn't model useful cycle counts; Zephyr bench builds
+      # use k_cycle_get_32(), so no generic PMU/CYCCNT backend is selected.
+      - name: bench (smoke)
+        env:
+          EXTRA_MAKEFILE: test/zephyr/platform.mk
+          ZEPHYR_TARGET: ${{ matrix.target.board }}
+        run: |
+          opt=${{ matrix.target.opt == 'all' && 'opt' || 'no_opt' }}
+          nix develop .#zephyr --command ./scripts/tests bench -c NO --opt=$opt
+          nix develop .#zephyr --command ./scripts/tests bench --components -c NO --opt=$opt
@@ -182,7 +182,7 @@ lib: $(BUILD_DIR)/libmlkem.a $(BUILD_DIR)/libmlkem512.a $(BUILD_DIR)/libmlkem768
 # building benchmarking binaries
 check_defined = $(if $(value $1),, $(error $2))
 check-defined-CYCLES:
-	@:$(call check_defined,CYCLES,CYCLES undefined. Benchmarking requires setting one of NO PMU PERF MAC)
+	@:$(call check_defined,CYCLES,CYCLES undefined. Benchmarking requires setting one of NO CYCCNT PMU PERF MAC)
 
 bench_512: check-defined-CYCLES \
 	$(MLKEM512_DIR)/bin/bench_mlkem512

@@ -57,6 +57,7 @@
             export HOLLIGHT_LOAD_PATH="$IMPORTS_DIR:$S2N_BIGNUM_DIR''${HOLLIGHT_LOAD_PATH:+:$HOLLIGHT_LOAD_PATH}"
             export HOLDIR="$HOLLIGHT_DIR"
           '';
+
         in
         {
           _module.args.pkgs = import inputs.nixpkgs {
@@ -94,6 +95,19 @@
               } ++ holLightToolchain;
           }).overrideAttrs (old: { shellHook = holLightShellHook; });
 
+          # arm-none-eabi-gcc + platform files from pqmx
+          packages.m55-an547 = util.m55-an547;
+          packages.avr-toolchain = util.avr-toolchain;
+          packages.openocd = util.openocd;
+          devShells.arm-embedded = util.mkShell {
+            packages = builtins.attrValues
+              {
+                inherit (config.packages) m55-an547;
+                inherit (pkgs) gcc-arm-embedded qemu coreutils python3 git;
+              };
+          };
+
+          devShells.avr = util.mkShell (import ./nix/avr { inherit pkgs; });
           packages.hol_server = util.hol_server.hol_server_start;
           devShells.hol_light = (util.mkShell {
             packages = builtins.attrValues { inherit (config.packages) linters hol_light s2n_bignum hol_server; } ++ holLightToolchain;
@@ -148,15 +162,17 @@
               ++ pkgs.lib.optionals pkgs.stdenv.hostPlatform.isAarch64 [ config.packages.toolchain_x86_64 ];
           };
 
-          # arm-none-eabi-gcc + platform files from pqmx
-          devShells.cross-arm-embedded = util.mkShell {
+          # Zephyr build environment (board chosen at make time via EXTRA_MAKEFILE)
+          packages.zephyr = util.zephyr;
+          devShells.zephyr = util.mkShell {
             packages = builtins.attrValues
               {
-                inherit (util) pqmx;
-                inherit (config.packages) linters;
-                inherit (pkgs) gcc-arm-embedded qemu coreutils git;
-              };
+                inherit (config.packages) openocd;
+                inherit (util) zephyr;
+                inherit (pkgs) gcc-arm-embedded qemu cmake ninja dtc gperf coreutils git;
+              } ++ [ util.zephyrPythonEnv ];
           };
+
           devShells.cross-aarch64-embedded = util.mkShell {
             packages = builtins.attrValues
               {

@@ -0,0 +1,21 @@
+# Copyright (c) The mlkem-native project authors
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+{ fetchFromGitHub
+, openocd
+, autoreconfHook
+}:
+
+openocd.overrideAttrs (old: rec {
+  pname = "openocd";
+  version = "unstable-2026-05-01";
+  nativeBuildInputs = (old.nativeBuildInputs or [ ]) ++ [ autoreconfHook ];
+
+  src = fetchFromGitHub {
+    owner = "openocd-org";
+    repo = "openocd";
+    rev = "4e9b167e1ae5ccb437eb0538440988b3f0ec53cb";
+    fetchSubmodules = true;
+    hash = "sha256-8aYl7JzulPxH6vgSeTKTMIZVH6d55JJlXTBkfgAPTbU=";
+  };
+})