Slight build fix and migrate to GHA for MacOS ARM CI (#1245)

The FIPS Shared build on MacOSX wasn't working if OSX_VERSION_MIN_FLAG
wasn't defined, so this fixes that.
Github Actions also finally released MacOS ARM runners. We can deprecate the
Codebuild->SSM->ec2 workaround for now.

.github/workflows/osx.yml

@@ -32,3 +32,26 @@ jobs:
     - name: Build ${{ env.PACKAGE_NAME }} with FIPS mode
       run: |
         ./tests/ci/run_fips_tests.sh
+
+  macOS-ARM:
+    runs-on: macos-latest-xlarge
+    steps:
+    - uses: actions/checkout@v2
+    - name: Install dependencies
+      run: |
+        brew install ninja golang
+    - name: Build ${{ env.PACKAGE_NAME }}
+      run: |
+        ./tests/ci/run_posix_tests.sh
+
+  macOS-ARM-FIPS:
+    runs-on: macos-latest-xlarge
+    steps:
+    - uses: actions/checkout@v2
+    - name: Install dependencies
+      run: |
+        brew install ninja golang
+    - name: Build ${{ env.PACKAGE_NAME }} with FIPS mode
+      run: |
+        ./tests/ci/run_fips_tests.sh
+

crypto/fipsmodule/CMakeLists.txt

@@ -458,17 +458,19 @@ elseif(FIPS_SHARED)
     # generate the output object file where all the code in the __text section
     # and all the read-only data in the __const section are between the
     # respective start and end markers.
+    if (CMAKE_OSX_DEPLOYMENT_TARGET)
+      set(OSX_VERSION_MIN_FLAG "-mmacosx-version-min=${CMAKE_OSX_DEPLOYMENT_TARGET}")
+    endif()
     add_custom_command(
       OUTPUT fips_apple_start.o
-      COMMAND ${CMAKE_C_COMPILER} -arch ${CMAKE_SYSTEM_PROCESSOR} -isysroot ${CMAKE_OSX_SYSROOT} -mmacosx-version-min=${CMAKE_OSX_DEPLOYMENT_TARGET} -c ${CMAKE_CURRENT_SOURCE_DIR}/fips_shared_library_marker.c -DAWSLC_FIPS_SHARED_START -o fips_apple_start.o
+      COMMAND ${CMAKE_C_COMPILER} -arch ${CMAKE_SYSTEM_PROCESSOR} -isysroot ${CMAKE_OSX_SYSROOT} ${OSX_VERSION_MIN_FLAG} -c ${CMAKE_CURRENT_SOURCE_DIR}/fips_shared_library_marker.c -DAWSLC_FIPS_SHARED_START -o fips_apple_start.o
       DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/fips_shared_library_marker.c
     )
     add_custom_command(
       OUTPUT fips_apple_end.o
-      COMMAND ${CMAKE_C_COMPILER} -arch ${CMAKE_SYSTEM_PROCESSOR} -isysroot ${CMAKE_OSX_SYSROOT} -mmacosx-version-min=${CMAKE_OSX_DEPLOYMENT_TARGET} -c ${CMAKE_CURRENT_SOURCE_DIR}/fips_shared_library_marker.c -DAWSLC_FIPS_SHARED_END -o fips_apple_end.o
+      COMMAND ${CMAKE_C_COMPILER} -arch ${CMAKE_SYSTEM_PROCESSOR} -isysroot ${CMAKE_OSX_SYSROOT} ${OSX_VERSION_MIN_FLAG} -c ${CMAKE_CURRENT_SOURCE_DIR}/fips_shared_library_marker.c -DAWSLC_FIPS_SHARED_END -o fips_apple_end.o
       DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/fips_shared_library_marker.c
     )
-
     add_custom_command(
       OUTPUT bcm.o
       COMMAND ${CMAKE_LINKER} -r fips_apple_start.o -force_load $<TARGET_FILE:bcm_library> fips_apple_end.o -keep_private_externs -o bcm.o

tests/ci/cdk/cdk/aws_lc_ec2_test_framework_ci_stack.py

@@ -98,26 +98,6 @@ def __init__(self,
                           vpc=vpc,
                           security_group_name='codebuild_ec2_sg')
 
-        # MacOS EC2 tag names must be specific for use in general tests/ci/run_m1_ec2_instance.sh script.
-        # Dedicated Hosts are required for Mac ec2 instances.
-        cfn_host = ec2.CfnHost(self, id="{}-dedicated-host".format(id),
-                                availability_zone="us-west-2a",
-                                auto_placement="off",
-                                instance_type="mac2.metal")
-        Tags.of(cfn_host).add("Name", "{}-dedicated-host".format(id))
-        # AMI is for M1 MacOS Monterey.
-        ami_id="ami-084c6ab9d03ad4d46"
-        macos_arm_instance = ec2.CfnInstance(self, "aws-lc-ci-macos-arm-ec2-instance",
-                        availability_zone="us-west-2a",
-                        tenancy="host",
-                        host_id=cfn_host.attr_host_id,
-                        iam_instance_profile="{}-ec2-profile".format(id),
-                        image_id=ami_id,
-                        instance_type="mac2.metal",
-                        security_group_ids=[security_group.security_group_id],
-                        subnet_id=selection.subnet_ids[0],
-                        tags=[CfnTag(key="Name",value="aws-lc-ci-macos-arm-ec2-instance")])
-
         # Define logs for SSM.
         log_group_name = "{}-cw-logs".format(id)
         log_group = logs.CfnLogGroup(self, log_group_name,

tests/ci/cdk/cdk/codebuild/ec2_test_framework_omnibus.yaml

@@ -6,17 +6,6 @@ version: 0.2
 # Doc for batch https://docs.aws.amazon.com/codebuild/latest/userguide/batch-build-buildspec.html#build-spec.batch.build-list
 batch:
   build-list:
-    # Actual tests are ran on an m1 ec2 instance via SSM Commands.
-    # MacOS is special since the ec2 instance can't be spun up and closed on the fly.
-    # TODO: Migrate this to Github Actions when https://github.com/actions/runner-images/issues/2187 is resolved.
-    - identifier: macos_arm_tests
-      buildspec: ./tests/ci/codebuild/macos-aarch/run_m1_tests.yml
-      env:
-        type: LINUX_CONTAINER
-        privileged-mode: true
-        compute-type: BUILD_GENERAL1_LARGE
-        image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-20.04_clang-7x-bm-framework_latest
-
     # Actual tests are ran on an Graviton3 ec2 instance via SSM Commands.
     - identifier: graviton3_tests
       buildspec: ./tests/ci/codebuild/common/run_ec2_target.yml