From 704b69b7ba815d22192a4409752de91aeff70e8a Mon Sep 17 00:00:00 2001
From: Doug Chapman <54039637+dougch@users.noreply.github.com>
Date: Fri, 7 Feb 2025 11:16:52 -0800
Subject: [PATCH] chore: ktls buildspec (#5083)
---
 codebuild/spec/buildspec_ktls.yml | 44 ++++++++++++++++++++-----------
 1 file changed, 29 insertions(+), 15 deletions(-)
diff --git a/codebuild/spec/buildspec_ktls.yml b/codebuild/spec/buildspec_ktls.yml
index 1ed9938ed16..bfe71eedb64 100644
--- a/codebuild/spec/buildspec_ktls.yml
+++ b/codebuild/spec/buildspec_ktls.yml
@@ -11,26 +11,40 @@
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 # implied. See the License for the specific language governing permissions and
 # limitations under the License.
+
 version: 0.2
+# This is designed to work with CodeBuild's reserved instances fleet and
+# curated Ec2 AMI for AL2023.
+# TODO: Move to a NixOS AMI
+env:
+ shell: bash
+ variables:
+ NIX_CACHE_BUCKET: "s3://s2n-tls-nixcachebucket-x86-64?region=us-west-2"
+ S2N_KTLS_TESTING_EXPECTED: 1
 phases:
 install:
 commands:
- - apt update
- - apt upgrade -y
- - apt install -y qemu qemu-system-x86 wget cloud-image-utils
+ - yum update -y; yum upgrade -y
 pre_build:
 commands:
- - aws s3 --quiet sync s3://s2n-ktls-testing ./qemu
- - cd qemu; bash ./run.sh; cd ..
- - rsync -avz --exclude=qemu --exclude=tests/fuzz -e 'ssh -p 2222' . codebuild@localhost:/home/codebuild/s2n-tls
+ - id; groupadd nixbld||true
+ - useradd -m -g nixbld -G nixbld nix || true
+ - |
+ echo "Working around the faulty yaml parser..."
+ echo 'nix ALL=NOPASSWD: ALL' > /etc/sudoers.d/nix
+ # (Re)Install nix
+ - sh <(curl -L https://nixos.org/nix/install) --no-daemon
+ # Make sure nix exists in the PATH
+ - export PATH=$HOME/.nix-profile/bin:$PATH
+ # Turn on flakes
+ - mkdir -p ~/.config/nix; echo "experimental-features = nix-command flakes" >> ~/.config/nix/nix.conf
+ # Populate the store from the nix cache
+ - nix copy --from $NIX_CACHE_BUCKET --all --no-check-sigs
+ # Load the TLS kernel module
+ - sudo modprobe tls
+ - echo "Checking that the TLS kernel mod loaded..."; test $(sudo lsmod|grep -c tls) = 1
 build:
 commands:
- - codebuild-breakpoint
- - |
- ssh -p 2222 codebuild@localhost " \
- cd s2n-tls; sudo modprobe tls; \
- export S2N_CMAKE_OPTIONS=${S2N_CMAKE_OPTIONS}; \
- export S2N_KTLS_TESTING_EXPECTED=1; \
- nix develop .#openssl111 --command bash -c \
- 'source ./nix/shell.sh && clean && configure && unit' \
- "
+ - nix develop .#awslc --command bash -c 'source ./nix/shell.sh && clean && configure && unit'
+ - S2N_CMAKE_OPTIONS="-DASAN=ON" nix develop .#awslc --command bash -c 'source ./nix/shell.sh && clean && configure && unit'
+
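Review bot: The `nix copy --from $NIX_CACHE_BUCKET --all --no-check-sigs` step in pre_build imports every store path from the S3 cache without signature verification, so anything able to write to that bucket can supply binaries that the build phase then runs. Consider signing the cache when it is populated and dropping `--no-check-sigs` here, with the public key listed under `trusted-public-keys` in the nix.conf written by the preceding step; the variable should also be quoted (`"$NIX_CACHE_BUCKET"`), since its value contains `?`. The installer line has the same trust gap: `sh <(curl -L https://nixos.org/nix/install) --no-daemon` runs whatever that URL serves at build time, so pinning a release (`https://releases.nixos.org/nix/nix-<VERSION>/install`) and checking its published sha256 before executing it would make the job reproducible and auditable. Separately, `grep -c tls` counts any lsmod line containing "tls", so the `= 1` test can fail or pass for the wrong module; `test -d /sys/module/tls` is a tighter check.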