internal/mkcw/embed: cross-compile using Go

Use the Go toolchain to cross-compile the "This image is designed to be
run as a confidential workload using libkrun." entrypoint that we add to
confidential workload images.  It's bigger than it was before, but
easier to port and can be built from source every time when desired.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Makefile

@@ -66,16 +66,31 @@ bin/buildah: $(SOURCES) internal/mkcw/embed/entrypoint_amd64.gz
 	$(GO_BUILD) $(BUILDAH_LDFLAGS) $(GO_GCFLAGS) "$(GOGCFLAGS)" -o $@ $(BUILDFLAGS) ./cmd/buildah
 	test -z "${SELINUXOPT}" || chcon --verbose -t $(SELINUXTYPE) $@
 
-ifneq ($(shell $(AS) --version | grep x86_64),)
 internal/mkcw/embed/entrypoint_amd64.gz: internal/mkcw/embed/entrypoint_amd64
 	gzip -k9nf $^
+internal/mkcw/embed/entrypoint_arm64.gz: internal/mkcw/embed/entrypoint_arm64
+	gzip -k9nf $^
+internal/mkcw/embed/entrypoint_ppc64le.gz: internal/mkcw/embed/entrypoint_ppc64le
+	gzip -k9nf $^
+internal/mkcw/embed/entrypoint_s390x.gz: internal/mkcw/embed/entrypoint_s390x
+	gzip -k9nf $^
 
-internal/mkcw/embed/entrypoint_amd64: internal/mkcw/embed/entrypoint_amd64.s
+ifneq ($(shell $(AS) --version | grep -E 'x86_64-([^-]+-)?linux'),)
+internal/mkcw/embed/entrypoint_amd64: internal/mkcw/embed/asm/entrypoint_amd64.s
 	$(AS) -o $(patsubst %.s,%.o,$^) $^
 	$(LD) -o $@ $(patsubst %.s,%.o,$^)
 	$(STRIP) $@
+else
+internal/mkcw/embed/entrypoint_amd64: internal/mkcw/embed/entrypoint_amd64.s internal/mkcw/embed/entrypoint.go
+	GOOS=linux GOARCH=amd64 $(GO) build -ldflags "-E _start -s" -o $@ ./internal/mkcw/embed
 endif
 
+internal/mkcw/embed/entrypoint_arm64: internal/mkcw/embed/entrypoint_arm64.s internal/mkcw/embed/entrypoint.go
+	GOOS=linux GOARCH=arm64 $(GO) build -ldflags "-E _start -s" -o $@ ./internal/mkcw/embed
+internal/mkcw/embed/entrypoint_ppc64le: internal/mkcw/embed/entrypoint_ppc64le.s internal/mkcw/embed/entrypoint.go
+	GOOS=linux GOARCH=ppc64le $(GO) build -ldflags "-E _start -s" -o $@ ./internal/mkcw/embed
+internal/mkcw/embed/entrypoint_s390x: internal/mkcw/embed/entrypoint_s390x.s internal/mkcw/embed/entrypoint.go
+	GOOS=linux GOARCH=s390x $(GO) build -ldflags "-E _start -s" -o $@ ./internal/mkcw/embed
 
 .PHONY: buildah
 buildah: bin/buildah
@@ -88,7 +103,7 @@ FREEBSD_CROSS_TARGETS := $(filter bin/buildah.freebsd.%,$(ALL_CROSS_TARGETS))
 .PHONY: cross
 cross: $(LINUX_CROSS_TARGETS) $(DARWIN_CROSS_TARGETS) $(WINDOWS_CROSS_TARGETS) $(FREEBSD_CROSS_TARGETS)
 
-bin/buildah.%: $(SOURCES)
+bin/buildah.%: $(SOURCES) internal/mkcw/embed/entrypoint_amd64.gz
 	mkdir -p ./bin
 	GOOS=$(word 2,$(subst ., ,$@)) GOARCH=$(word 3,$(subst ., ,$@)) $(GO_BUILD) $(BUILDAH_LDFLAGS) -o $@ -tags "containers_image_openpgp" ./cmd/buildah
 
@@ -118,7 +133,7 @@ bin/passwd: tests/passwd/passwd.go
 
 .PHONY: clean
 clean:
-	$(RM) -r bin tests/testreport/testreport tests/conformance/testdata/mount-targets/true
+	$(RM) -r bin tests/testreport/testreport tests/conformance/testdata/mount-targets/true internal/mkcw/embed/entrypoint_amd64 internal/mkcw/embed/entrypoint_arm64 internal/mkcw/embed/entrypoint_ppc64le internal/mkcw/embed/entrypoint_s390x internal/mkcw/embed/*.gz internal/mkcw/embed/asm/*.o
 	$(MAKE) -C docs clean
 
 .PHONY: docs

internal/mkcw/embed/asm/doc.md

@@ -0,0 +1 @@
+If we have a toolchain for the target that can handle plain assembly, build with that.

internal/mkcw/embed/asm/entrypoint_amd64.s

@@ -0,0 +1,16 @@
+	.section	.rodata.1,"aMS",@progbits,1
+msg:
+	.string	"This image is designed to be run as a confidential workload using libkrun.\n"
+	.section	.text._start,"ax",@progbits
+	.globl	_start
+	.type	_start,@function
+_start:
+	movq	$1, %rax	# write
+	movq	$2, %rdi	# fd=stderr_fileno
+	movq	$msg, %rsi	# message
+	movq	$75, %rdx	# length
+	syscall
+	movq	$60, %rax	# exit
+	movq	$1, %rdi	# status=1
+	syscall
+	.section	.note.GNU-stack,"",@progbits

internal/mkcw/embed/check.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+expected="This image is designed to be run as a confidential workload using libkrun."
+cd $(dirname ${BASH_SOURCE[0]})
+for GOARCH in amd64 arm64 ppc64le s390x ; do
+	make -C ../../.. internal/mkcw/embed/entrypoint_$GOARCH
+	case $GOARCH in
+		amd64) QEMUARCH=x86_64;;
+		arm64) QEMUARCH=aarch64;;
+		ppc64le|s390x) QEMUARCH=$GOARCH;;
+	esac
+	actual="$(qemu-$QEMUARCH ./entrypoint_$GOARCH 2>&1)"
+	if test "$actual" != "$expected" ; then
+		echo unexpected error from entrypoint_$GOARCH: "$actual"
+		exit 1
+	fi
+done

internal/mkcw/embed/doc.go

@@ -0,0 +1,4 @@
+// Supplying our own _start that just writes the message and exits avoids
+// pulling in the proper standard library, which produces a smaller binary, but
+// we still end up pulling in the language runtime.
+package main

internal/mkcw/embed/entrypoint.go

@@ -0,0 +1 @@
+package main

internal/mkcw/embed/entrypoint_amd64.s

@@ -1,16 +1,13 @@
-	.section	.rodata.1,"aMS",@progbits,1
-msg:
-	.string	"This image is designed to be run as a confidential workload using libkrun.\n"
-	.section	.text._start,"ax",@progbits
-	.globl	_start
-	.type	_start,@function
-_start:
-	movq	$1, %rax	# write
-	movq	$2, %rdi	# fd=stderr_fileno
-	movq	$msg, %rsi	# message
-	movq	$75, %rdx	# length
-	syscall
-	movq	$60, %rax	# exit
-	movq	$1, %rdi	# status=1
-	syscall
-	.section	.note.GNU-stack,"",@progbits
+DATA msg+0(SB)/75, $"This image is designed to be run as a confidential workload using libkrun.\n"
+
+GLOBL msg(SB),8,$75
+
+TEXT _start(SB),8-0,$0
+	MOVQ	$1, AX		// syscall=write
+	MOVQ	$2, DI		// descriptor=2
+	MOVQ	$msg(SB), SI	// buffer (msg) address
+	MOVQ	$75, DX		// buffer (msg) length
+	SYSCALL
+	MOVQ	$60, AX		// syscall=exit
+	MOVQ	$1, DI		// status=1
+	SYSCALL

internal/mkcw/embed/entrypoint_arm64.s

@@ -0,0 +1,13 @@
+DATA msg+0(SB)/75, $"This image is designed to be run as a confidential workload using libkrun.\n"
+
+GLOBL msg(SB),8,$75
+
+TEXT _start(SB),8-0,$0
+	MOVD	$64, R8		// syscall=write
+	MOVD	$2, R0		// descriptor=2
+	MOVD	$msg(SB), R1	// buffer (msg) address
+	MOVD	$75, R2		// buffer (msg) length
+	SVC
+	MOVD	$93, R8		// syscall=exit
+	MOVD	$1, R0		// status=1
+	SVC

internal/mkcw/embed/entrypoint_ppc64le.s

@@ -0,0 +1,13 @@
+DATA msg+0(SB)/75, $"This image is designed to be run as a confidential workload using libkrun.\n"
+
+GLOBL msg(SB),8,$75
+
+TEXT _start(SB),8-0,$0
+	MOVD	$4, R0		// syscall=write
+	MOVD	$2, R3		// descriptor=2
+	MOVD	$msg(SB), R4	// buffer (msg) address
+	MOVD	$75, R5		// buffer (msg) length
+	SYSCALL
+	MOVD	$1, R0		// syscall=exit
+	MOVD	$1, R3		// status=1
+	SYSCALL

internal/mkcw/embed/entrypoint_s390x.s

@@ -0,0 +1,13 @@
+DATA msg+0(SB)/75, $"This image is designed to be run as a confidential workload using libkrun.\n"
+
+GLOBL msg(SB),8,$75
+
+TEXT _start(SB),8-0,$0
+	MOVD	$4, R1		// syscall=write
+	MOVD	$2, R2		// descriptor=2
+	MOVD	$msg(SB), R3	// buffer (msg) address
+	MOVD	$75, R4		// buffer (msg) length
+	SYSCALL
+	MOVD	$1, R1		// syscall=exit
+	MOVD	$1, R2		// status=1
+	SYSCALL

rpm/buildah.spec

@@ -142,6 +142,8 @@ export BUILDTAGS+=" libtrust_openssl"
 export BUILDTAGS+=" containers_image_sequoia"
 %endif
 
+%{__rm} -f internal/mkcw/embed/entrypoint_amd64.gz
+%{__make} internal/mkcw/embed/entrypoint_amd64.gz
 %gobuild -o bin/%{name} ./cmd/%{name}
 %gobuild -o bin/imgtype ./tests/imgtype
 %gobuild -o bin/copy ./tests/copy