CI: Migrate OpenTitan integration to Pavona

.github/actions/setup-pavona/action.yml

@@ -0,0 +1,46 @@
+# Copyright (c) The mldsa-native project authors
+# Copyright (c) The mlkem-native project authors
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+name: Setup Pavona
+description: Setup Pavona for build testing
+
+inputs:
+  pavona-repository:
+    description: 'Pavona repository to clone'
+    required: false
+    default: 'https://github.com/pavona/pavona'
+  pavona-commit:
+    description: 'Pavona commit to checkout'
+    required: false
+    default: 'main'
+
+runs:
+  using: composite
+  steps:
+    - name: Fetch pavona repository
+      shell: bash
+      run: |
+        # Ensure HOME is set for self-hosted runners
+        echo "HOME=${HOME:-/home/runner}" >> $GITHUB_ENV
+
+        git clone ${{ inputs.pavona-repository }}
+        cd pavona
+        git checkout ${{ inputs.pavona-commit }}
+
+        # Remember pavona directory
+        echo PAVONA_DIR="$GITHUB_WORKSPACE/pavona" >> $GITHUB_ENV
+
+    - name: Install Pavona dependencies
+      shell: bash
+      run: |
+        sudo apt update
+        cd pavona
+        sed '/^#/d' apt-requirements.txt | xargs sudo apt install -y
+
+    - name: Set Bazel cache directory and mirror
+      shell: bash
+      run: |
+        echo "BAZEL_CACHE_DIR=/home/runner/bazel_cache" >> $GITHUB_ENV
+        # Use GitHub mirror for Bazel binaries to avoid certificate issues with releases.bazel.build
+        echo "BAZELISK_BASE_URL=https://github.com/bazelbuild/bazel/releases/download" >> $GITHUB_ENV

.github/workflows/all.yml

@@ -93,13 +93,13 @@ jobs:
     needs: [ base ]
     uses: ./.github/workflows/baremetal.yml
     secrets: inherit
-  opentitan_integration:
-    name: OpenTitan
+  pavona_integration:
+    name: Pavona
     permissions:
       contents: 'read'
       id-token: 'write'
     needs: [ base ]
-    uses: ./.github/workflows/integration-opentitan.yml
+    uses: ./.github/workflows/integration-pavona.yml
     secrets: inherit
   isabelle:
     name: Isabelle

.github/workflows/integration-opentitan.yml → .github/workflows/integration-pavona.yml

@@ -2,7 +2,7 @@
 # Copyright (c) The mlkem-native project authors
 # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
 
-name: OpenTitan
+name: Pavona
 permissions:
   contents: read
 on:
@@ -12,7 +12,7 @@ on:
 env:
   AWS_ROLE: arn:aws:iam::904233116199:role/mldsa-native-ci
   AWS_REGION: us-east-1
-  AMI_UBUNTU_22_04_X86_64: ami-0bbdd8c17ed981ef9
+  AMI_UBUNTU_X86_64: ami-05cf1e9f73fbad2e2 # Ubuntu 24.04 LTS (2026-04-24)
 
 jobs:
   start-ec2-runner:
@@ -43,29 +43,29 @@ jobs:
           ec2-instance-type: c7i.2xlarge
           ec2-volume-size: 32
           availability-zones-config: >-
-            [{"imageId":"${{ env.AMI_UBUNTU_22_04_X86_64 }}","subnetId":"subnet-094d73eb42eb6bf5b","securityGroupId":"sg-0282706dbc92a1579"},
-             {"imageId":"${{ env.AMI_UBUNTU_22_04_X86_64 }}","subnetId":"subnet-04a982f6584de8063","securityGroupId":"sg-0282706dbc92a1579"},
-             {"imageId":"${{ env.AMI_UBUNTU_22_04_X86_64 }}","subnetId":"subnet-077637f396b264f82","securityGroupId":"sg-0282706dbc92a1579"},
-             {"imageId":"${{ env.AMI_UBUNTU_22_04_X86_64 }}","subnetId":"subnet-00e89932da1332c35","securityGroupId":"sg-0282706dbc92a1579"},
-             {"imageId":"${{ env.AMI_UBUNTU_22_04_X86_64 }}","subnetId":"subnet-0262f9d5f938f38bc","securityGroupId":"sg-0282706dbc92a1579"},
-             {"imageId":"${{ env.AMI_UBUNTU_22_04_X86_64 }}","subnetId":"subnet-06e0645f1b6520c42","securityGroupId":"sg-0282706dbc92a1579"},
-             {"imageId":"${{ env.AMI_UBUNTU_22_04_X86_64 }}","subnetId":"subnet-0c726ece1c22f45d9","securityGroupId":"sg-0282706dbc92a1579"}]
+            [{"imageId":"${{ env.AMI_UBUNTU_X86_64 }}","subnetId":"subnet-094d73eb42eb6bf5b","securityGroupId":"sg-0282706dbc92a1579"},
+             {"imageId":"${{ env.AMI_UBUNTU_X86_64 }}","subnetId":"subnet-04a982f6584de8063","securityGroupId":"sg-0282706dbc92a1579"},
+             {"imageId":"${{ env.AMI_UBUNTU_X86_64 }}","subnetId":"subnet-077637f396b264f82","securityGroupId":"sg-0282706dbc92a1579"},
+             {"imageId":"${{ env.AMI_UBUNTU_X86_64 }}","subnetId":"subnet-00e89932da1332c35","securityGroupId":"sg-0282706dbc92a1579"},
+             {"imageId":"${{ env.AMI_UBUNTU_X86_64 }}","subnetId":"subnet-0262f9d5f938f38bc","securityGroupId":"sg-0282706dbc92a1579"},
+             {"imageId":"${{ env.AMI_UBUNTU_X86_64 }}","subnetId":"subnet-06e0645f1b6520c42","securityGroupId":"sg-0282706dbc92a1579"},
+             {"imageId":"${{ env.AMI_UBUNTU_X86_64 }}","subnetId":"subnet-0c726ece1c22f45d9","securityGroupId":"sg-0282706dbc92a1579"}]
 
-  opentitan_build:
-    name: OpenTitan ML-DSA Build Test
+  pavona_build:
+    name: Pavona ML-DSA Build Test
     needs: start-ec2-runner
     if: ${{ github.repository_owner == 'pq-code-package' && !github.event.pull_request.head.repo.fork }}
     runs-on: ${{ needs.start-ec2-runner.outputs.label }}
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: ./.github/actions/setup-opentitan
+      - uses: ./.github/actions/setup-pavona
         with:
-          expo-repository: https://github.com/zerorisc/expo
-          expo-commit: 53619a73e64cb96ee6e61a4b4b992f7250ab7477 # master (2026-04-21)
+          pavona-repository: https://github.com/pavona/pavona
+          pavona-commit: release/2026.05.p0
 
       - name: Patch mldsa-native dependency
         run: |
-          cd "$EXPO_DIR"
+          cd "$PAVONA_DIR"
 
           # Calculate sha256 of mldsa-native at the new commit
           SHA256=$(curl -sL "https://github.com/$GITHUB_REPOSITORY/archive/$GITHUB_SHA.tar.gz" | sha256sum | cut -d' ' -f1)
@@ -83,8 +83,8 @@ jobs:
 
       - name: Apply integration patches
         run: |
-          cd "$EXPO_DIR"
-          for patch in "$GITHUB_WORKSPACE"/integration/opentitan/*.patch; do
+          cd "$PAVONA_DIR"
+          for patch in "$GITHUB_WORKSPACE"/integration/pavona/*.patch; do
             if [ -f "$patch" ]; then
               echo "Applying $patch"
               git apply "$patch"
@@ -93,7 +93,7 @@ jobs:
 
       - name: Build mldsa functest
         run: |
-          cd "$EXPO_DIR"
+          cd "$PAVONA_DIR"
           # Build only -- ML-DSA simulation is too slow for CI
           ./bazelisk.sh build \
             --disk_cache="$BAZEL_CACHE_DIR" \
@@ -107,7 +107,7 @@ jobs:
       id-token: 'write'
     needs:
       - start-ec2-runner
-      - opentitan_build # required to wait when the main job is done
+      - pavona_build # required to wait when the main job is done
     runs-on: ubuntu-latest
     if: ${{ always() && needs.start-ec2-runner.result != 'skipped' }} # required to stop the runner even if errors occur
     steps:

README.md

@@ -52,7 +52,7 @@ make test
 mldsa-native is used in
  - AWS' Cryptography library [AWS-LC](https://github.com/aws/aws-lc/)
  - [libOQS](https://github.com/open-quantum-safe/liboqs/) of the Open Quantum Safe project
- - The [zeroRISC's fork of OpenTitan](https://github.com/zerorisc/expo) - an open source silicon Root of Trust (RoT)
+ - [Pavona](https://github.com/pavona/pavona) - an open source silicon Root of Trust (RoT)
  - [CHERIoT-PQC](https://github.com/CHERIoT-Platform/cheriot-pqc) — post-quantum cryptography support for the CHERIoT platform
 
 ## Formal Verification