From b6098a2c5cefe800e290b3b084f6e374794a3f33 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Tue, 4 Nov 2025 16:31:03 -0500
Subject: [PATCH] internal/mkcw/embed: cross-compile using Go

Use the Go toolchain to cross-compile the "This image is designed to be run as a confidential workload using libkrun." entrypoint that we add to confidential workload images. It's bigger than it was before, but easier to port and can be built from source every time when desired.

Signed-off-by: Nalin Dahyabhai
---
 Makefile | 23 +++++++++++++---
 internal/mkcw/embed/asm/doc.md | 1 +
 internal/mkcw/embed/asm/entrypoint_amd64.s | 16 ++++++++++++
 internal/mkcw/embed/check.sh | 16 ++++++++++++
 internal/mkcw/embed/doc.go | 4 +++
 internal/mkcw/embed/entrypoint.go | 1 +
 internal/mkcw/embed/entrypoint_amd64.gz | Bin 375 -> 362 bytes
 internal/mkcw/embed/entrypoint_amd64.s | 29 +++++++++------------
 internal/mkcw/embed/entrypoint_arm64.s | 13 +++++++++
 internal/mkcw/embed/entrypoint_ppc64le.s | 13 +++++++++
 internal/mkcw/embed/entrypoint_s390x.s | 13 +++++++++
 rpm/buildah.spec | 2 ++
 12 files changed, 111 insertions(+), 20 deletions(-)
 create mode 100644 internal/mkcw/embed/asm/doc.md
 create mode 100644 internal/mkcw/embed/asm/entrypoint_amd64.s
 create mode 100755 internal/mkcw/embed/check.sh
 create mode 100644 internal/mkcw/embed/doc.go
 create mode 100644 internal/mkcw/embed/entrypoint.go
 create mode 100644 internal/mkcw/embed/entrypoint_arm64.s
 create mode 100644 internal/mkcw/embed/entrypoint_ppc64le.s
 create mode 100644 internal/mkcw/embed/entrypoint_s390x.s

diff --git a/Makefile b/Makefile
index 42a25d017..2c5ec1bde 100644
--- a/Makefile
+++ b/Makefile
@@ -66,16 +66,31 @@ bin/buildah: $(SOURCES) internal/mkcw/embed/entrypoint_amd64.gz $(GO_BUILD) $(BUILDAH_LDFLAGS) $(GO_GCFLAGS) "$(GOGCFLAGS)" -o $@ $(BUILDFLAGS) ./cmd/buildah test -z "${SELINUXOPT}" || chcon --verbose -t $(SELINUXTYPE) $@ -ifneq ($(shell $(AS) --version | grep x86_64),) internal/mkcw/embed/entrypoint_amd64.gz: internal/mkcw/embed/entrypoint_amd64 gzip -k9nf $^ +internal/mkcw/embed/entrypoint_arm64.gz: internal/mkcw/embed/entrypoint_arm64 + gzip -k9nf $^ +internal/mkcw/embed/entrypoint_ppc64le.gz: internal/mkcw/embed/entrypoint_ppc64le + gzip -k9nf $^ +internal/mkcw/embed/entrypoint_s390x.gz: internal/mkcw/embed/entrypoint_s390x + gzip -k9nf $^ -internal/mkcw/embed/entrypoint_amd64: internal/mkcw/embed/entrypoint_amd64.s +ifneq ($(shell $(AS) --version | grep -E 'x86_64-([^-]+-)?linux'),) +internal/mkcw/embed/entrypoint_amd64: internal/mkcw/embed/asm/entrypoint_amd64.s $(AS) -o $(patsubst %.s,%.o,$^) $^ $(LD) -o $@ $(patsubst %.s,%.o,$^) $(STRIP) $@ +else +internal/mkcw/embed/entrypoint_amd64: internal/mkcw/embed/entrypoint_amd64.s internal/mkcw/embed/entrypoint.go + GOOS=linux GOARCH=amd64 $(GO) build -ldflags "-E _start -s" -o $@ ./internal/mkcw/embed endif +internal/mkcw/embed/entrypoint_arm64: internal/mkcw/embed/entrypoint_arm64.s internal/mkcw/embed/entrypoint.go + GOOS=linux GOARCH=arm64 $(GO) build -ldflags "-E _start -s" -o $@ ./internal/mkcw/embed +internal/mkcw/embed/entrypoint_ppc64le: internal/mkcw/embed/entrypoint_ppc64le.s internal/mkcw/embed/entrypoint.go + GOOS=linux GOARCH=ppc64le $(GO) build -ldflags "-E _start -s" -o $@ ./internal/mkcw/embed +internal/mkcw/embed/entrypoint_s390x: internal/mkcw/embed/entrypoint_s390x.s internal/mkcw/embed/entrypoint.go + GOOS=linux GOARCH=s390x $(GO) build -ldflags "-E _start -s" -o $@ ./internal/mkcw/embed .PHONY: buildah buildah: bin/buildah 
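Review bot: The same target `internal/mkcw/embed/entrypoint_amd64` (and therefore the committed `entrypoint_amd64.gz`, which the rpm spec rebuilds) now comes out of two very different toolchains depending on what `$(AS) --version` reports on the builder, and the Go path itself is likely not reproducible across build directories because nothing passes `-trimpath` or pins the build ID, which undermines the `gzip -n` used by the `.gz` rules. Suggest `GOOS=linux GOARCH=amd64 $(GO) build -trimpath -ldflags "-E _start -s -buildid=" -o $@ ./internal/mkcw/embed` for the amd64 fallback, the same for the arm64, ppc64le and s390x rules, and a comment above the `ifneq` saying which path produced the artifact that is checked in. The `$(shell $(AS) --version | …)` probe runs on every parse, including `make clean`, and on a host without `as` it prints a shell "command not found" each time; `$(shell $(AS) --version 2>/dev/null | grep -E …)` keeps it quiet.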
@@ -88,7 +103,7 @@ FREEBSD_CROSS_TARGETS := $(filter bin/buildah.freebsd.%,$(ALL_CROSS_TARGETS)) .PHONY: cross cross: $(LINUX_CROSS_TARGETS) $(DARWIN_CROSS_TARGETS) $(WINDOWS_CROSS_TARGETS) $(FREEBSD_CROSS_TARGETS) -bin/buildah.%: $(SOURCES) +bin/buildah.%: $(SOURCES) internal/mkcw/embed/entrypoint_amd64.gz mkdir -p ./bin GOOS=$(word 2,$(subst ., ,$@)) GOARCH=$(word 3,$(subst ., ,$@)) $(GO_BUILD) $(BUILDAH_LDFLAGS) -o $@ -tags "containers_image_openpgp" ./cmd/buildah
@@ -118,7 +133,7 @@ bin/passwd: tests/passwd/passwd.go .PHONY: clean clean: - $(RM) -r bin tests/testreport/testreport tests/conformance/testdata/mount-targets/true + $(RM) -r bin tests/testreport/testreport tests/conformance/testdata/mount-targets/true internal/mkcw/embed/entrypoint_amd64 internal/mkcw/embed/entrypoint_arm64 internal/mkcw/embed/entrypoint_ppc64le internal/mkcw/embed/entrypoint_s390x internal/mkcw/embed/*.gz internal/mkcw/embed/asm/*.o $(MAKE) -C docs clean .PHONY: docs
diff --git a/internal/mkcw/embed/asm/doc.md b/internal/mkcw/embed/asm/doc.md
new file mode 100644
index 000000000..a69fe0e73
--- /dev/null
+++ b/internal/mkcw/embed/asm/doc.md
@@ -0,0 +1 @@
+If we have a toolchain for the target that can handle plain assembly, build with that.
diff --git a/internal/mkcw/embed/asm/entrypoint_amd64.s b/internal/mkcw/embed/asm/entrypoint_amd64.s
new file mode 100644
index 000000000..8af880cd5
--- /dev/null
+++ b/internal/mkcw/embed/asm/entrypoint_amd64.s
@@ -0,0 +1,16 @@
+ .section .rodata.1,"aMS",@progbits,1
+msg:
+ .string "This image is designed to be run as a confidential workload using libkrun.\n"
+ .section .text._start,"ax",@progbits
+ .globl _start
+ .type _start,@function
+_start:
+ movq $1, %rax # write
+ movq $2, %rdi # fd=stderr_fileno
+ movq $msg, %rsi # message
+ movq $75, %rdx # length
+ syscall
+ movq $60, %rax # exit
+ movq $1, %rdi # status=1
+ syscall
+ .section .note.GNU-stack,"",@progbits
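Review bot: `bin/buildah.%` now depends on the amd64 entrypoint for every cross target, including the darwin, windows and freebsd ones, and nothing in the rule says why the payload does not follow the target's `GOARCH`. Presumably the gzipped entrypoint that buildah embeds is always the linux/amd64 one; a comment above the rule such as `# the embedded confidential-workload entrypoint is always linux/amd64, whatever bin/buildah.% is built for` would make that explicit.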
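Review bot: `clean` now removes `internal/mkcw/embed/*.gz`, which also matches the tracked `entrypoint_amd64.gz` (this commit itself updates it as a binary file), so `make clean` leaves the checkout with a deleted tracked file and the next build regenerates it with possibly different bytes. If removing the committed artifact is intended, a comment on the recipe saying so would help; otherwise list only the generated ones, e.g. `internal/mkcw/embed/entrypoint_arm64.gz internal/mkcw/embed/entrypoint_ppc64le.gz internal/mkcw/embed/entrypoint_s390x.gz` in place of the glob. The `internal/mkcw/embed/asm/*.o` glob is fine, since no `.o` is part of this commit.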
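Review bot: The write length `movq $75, %rdx` is a hand-maintained copy of the message length that must be kept in step with the `.string` above it (and with the four Go-assembler files carrying the same message), and `.string` also appends a NUL that is never written. Letting the assembler compute it removes the duplication: define the message with `.ascii` followed by `msglen = . - msg`, then use `movq $msglen, %rdx`. Using `leaq msg(%rip), %rsi` instead of `movq $msg, %rsi` additionally keeps the object position-independent, so the rule keeps working if `$(LD)` is ever given `-pie`.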
diff --git a/internal/mkcw/embed/check.sh b/internal/mkcw/embed/check.sh
new file mode 100755
index 000000000..0103e95d7
--- /dev/null
+++ b/internal/mkcw/embed/check.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+expected="This image is designed to be run as a confidential workload using libkrun."
+cd $(dirname ${BASH_SOURCE[0]})
+for GOARCH in amd64 arm64 ppc64le s390x ; do
+ make -C ../../.. internal/mkcw/embed/entrypoint_$GOARCH
+ case $GOARCH in
+ amd64) QEMUARCH=x86_64;;
+ arm64) QEMUARCH=aarch64;;
+ ppc64le|s390x) QEMUARCH=$GOARCH;;
+ esac
+ actual="$(qemu-$QEMUARCH ./entrypoint_$GOARCH 2>&1)"
+ if test "$actual" != "$expected" ; then
+ echo unexpected error from entrypoint_$GOARCH: "$actual"
+ exit 1
+ fi
+done
diff --git a/internal/mkcw/embed/doc.go b/internal/mkcw/embed/doc.go
new file mode 100644
index 000000000..e3c375966
--- /dev/null
+++ b/internal/mkcw/embed/doc.go
@@ -0,0 +1,4 @@
+// Supplying our own _start that just writes the message and exits avoids
+// pulling in the proper standard library, which produces a smaller binary, but
+// we still end up pulling in the language runtime.
+package main
diff --git a/internal/mkcw/embed/entrypoint.go b/internal/mkcw/embed/entrypoint.go
new file mode 100644
index 000000000..06ab7d0f9
--- /dev/null
+++ b/internal/mkcw/embed/entrypoint.go
@@ -0,0 +1 @@
+package main
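Review bot: The script checks the message but not the exit status, even though every entrypoint deliberately exits with status 1 (`status=1` in the `.s` files), and because there is no `set -e` a failed `make` or a missing `qemu-$QEMUARCH` binary is only noticed indirectly when the captured stderr happens not to match. The unquoted `cd $(dirname ${BASH_SOURCE[0]})` also breaks on a checkout path containing spaces. Suggested rewrite of the affected lines, capturing the exit status explicitly and failing on either mismatch:
```shell
#!/usr/bin/env bash
set -eu
# … unchanged: expected= …
cd "$(dirname "${BASH_SOURCE[0]}")"
for GOARCH in amd64 arm64 ppc64le s390x ; do
  # … unchanged: make invocation and GOARCH -> QEMUARCH case …
  status=0
  actual="$(qemu-$QEMUARCH ./entrypoint_$GOARCH 2>&1)" || status=$?
  if [ "$status" != 1 ] || [ "$actual" != "$expected" ] ; then
    echo "unexpected result from entrypoint_$GOARCH (exit status $status): $actual"
    exit 1
  fi
done
```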
diff --git a/internal/mkcw/embed/entrypoint_amd64.gz b/internal/mkcw/embed/entrypoint_amd64.gz index 953670818fe136267f5a1624e4298358495fb743..c2399f9e90498614417059bc4e59aa87229a23e9 100755 GIT binary patch literal 362 zcmV-w0hRtAiwFP!000021MQf>O2a@9hG%P{q6h06?7^cf#ghk-T-1U^5EXjenl)Wo zcT2KGg@QMq#m6Wf?34H&Zqr$5f}$wi=7Z$V%+5?Qxy?Ktb&ea1L7)MLFt@raDeVOP z&&`hz@7ssi-(!f%*cg^cD*A+_g96r>o6(XD&7`6ebO#M_(KmT5bO&8Wy?Ar!Z}QH4 z-YWc@P`*8zvQlP^QeIpBMeW(kskgRbe|oSuWu*-SK@bE%5ClOG1o5xTXJU>s{K?ss zpUc@a!ufo$52)IgeO+*UD>KFYL#hg$8I^Kpc~9|tY`84ANw|j1P5h-~+`5fGGNf%bo0jaO&QHFxDxNnXwqt#FYC%DeN8Zb_nYs32iY;U I73dKF0FPF*hyVZp literal 375 zcmV--0f_z|iwFP!000021MQkYO2a@DhF@Z%MHki^%)+G%!IcY&$+@sW+c zvPFuH9Z{g~0X0l+K+8lc%3HLeWVNbmR0Fpzi&k`O!%kgYV@+LX!%mx4uV*U$N!^vM z+obQ)A^-pY000000O0S@o=!X?Q{TvYsDFst)3*!lb^|?oJfHQ9$M*sN000000002~ zBUMkF(Y%L$etAnCd6O#UP6YThf744#mOh9?GChc8nI@TxnaWvLvSO4mQ8K~q^6Wm1 zWu{UwV2^pxALJrtqcY7BHb}dDoyfO|c-bpep+uLsl23|wmMh7VY{Z8}K9q%eCSK&R zP~zA7+_8ID^z!Zb2G_9XwS2GU_w==8zK3OTeqb(PEx%dw`*zJk>qB?$z}9!Zc>c0( Ve6p{xtv^`v{vQyN#K-6%007vKwlx3% diff --git a/internal/mkcw/embed/entrypoint_amd64.s b/internal/mkcw/embed/entrypoint_amd64.s index 8af880cd5..9e55cf415 100644 --- a/internal/mkcw/embed/entrypoint_amd64.s +++ b/internal/mkcw/embed/entrypoint_amd64.s 
@@ -1,16 +1,13 @@
- .section .rodata.1,"aMS",@progbits,1
-msg:
- .string "This image is designed to be run as a confidential workload using libkrun.\n"
- .section .text._start,"ax",@progbits
- .globl _start
- .type _start,@function
-_start:
- movq $1, %rax # write
- movq $2, %rdi # fd=stderr_fileno
- movq $msg, %rsi # message
- movq $75, %rdx # length
- syscall
- movq $60, %rax # exit
- movq $1, %rdi # status=1
- syscall
- .section .note.GNU-stack,"",@progbits
+DATA msg+0(SB)/75, $"This image is designed to be run as a confidential workload using libkrun.\n"
+
+GLOBL msg(SB),8,$75
+
+TEXT _start(SB),8-0,$0
+ MOVQ $1, AX // syscall=write
+ MOVQ $2, DI // descriptor=2
+ MOVQ $msg(SB), SI // buffer (msg) address
+ MOVQ $75, DX // buffer (msg) length
+ SYSCALL
+ MOVQ $60, AX // syscall=exit
+ MOVQ $1, DI // status=1
+ SYSCALL
diff --git a/internal/mkcw/embed/entrypoint_arm64.s b/internal/mkcw/embed/entrypoint_arm64.s
new file mode 100644
index 000000000..62b63aab2
--- /dev/null
+++ b/internal/mkcw/embed/entrypoint_arm64.s
@@ -0,0 +1,13 @@
+DATA msg+0(SB)/75, $"This image is designed to be run as a confidential workload using libkrun.\n"
+
+GLOBL msg(SB),8,$75
+
+TEXT _start(SB),8-0,$0
+ MOVD $64, R8 // syscall=write
+ MOVD $2, R0 // descriptor=2
+ MOVD $msg(SB), R1 // buffer (msg) address
+ MOVD $75, R2 // buffer (msg) length
+ SVC
+ MOVD $93, R8 // syscall=exit
+ MOVD $1, R0 // status=1
+ SVC
diff --git a/internal/mkcw/embed/entrypoint_ppc64le.s b/internal/mkcw/embed/entrypoint_ppc64le.s
new file mode 100644
index 000000000..2668ffe00
--- /dev/null
+++ b/internal/mkcw/embed/entrypoint_ppc64le.s
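Review bot: `TEXT _start(SB),8-0,$0` has `8-0` in the flags position of `TEXT`, where it simply evaluates to 8, the `RODATA` bit that means something for `GLOBL` but not for a function, so it reads as if the `$framesize-argsize` form was meant; the same line appears in entrypoint_arm64.s below and in entrypoint_ppc64le.s and entrypoint_s390x.s in the next hunks. `_start` runs before any goroutine or `g` register exists, so the real constraint is that the assembler must not insert a stack-split prologue; that presumably holds today only because a zero-frame leaf gets none, and `#include "textflag.h"` with `TEXT _start(SB),NOSPLIT,$0` and `GLOBL msg(SB),RODATA,$75` states the intent instead of relying on it. The literal 75 is repeated in `DATA`, `GLOBL` and the write length of every file and must match the string by hand; a comment such as `// 75 = len(msg); keep DATA, GLOBL and the write length in sync` would at least make the coupling visible.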
@@ -0,0 +1,13 @@
+DATA msg+0(SB)/75, $"This image is designed to be run as a confidential workload using libkrun.\n"
+
+GLOBL msg(SB),8,$75
+
+TEXT _start(SB),8-0,$0
+ MOVD $4, R0 // syscall=write
+ MOVD $2, R3 // descriptor=2
+ MOVD $msg(SB), R4 // buffer (msg) address
+ MOVD $75, R5 // buffer (msg) length
+ SYSCALL
+ MOVD $1, R0 // syscall=exit
+ MOVD $1, R3 // status=1
+ SYSCALL
diff --git a/internal/mkcw/embed/entrypoint_s390x.s b/internal/mkcw/embed/entrypoint_s390x.s
new file mode 100644
index 000000000..d24b44e55
--- /dev/null
+++ b/internal/mkcw/embed/entrypoint_s390x.s
@@ -0,0 +1,13 @@
+DATA msg+0(SB)/75, $"This image is designed to be run as a confidential workload using libkrun.\n"
+
+GLOBL msg(SB),8,$75
+
+TEXT _start(SB),8-0,$0
+ MOVD $4, R1 // syscall=write
+ MOVD $2, R2 // descriptor=2
+ MOVD $msg(SB), R3 // buffer (msg) address
+ MOVD $75, R4 // buffer (msg) length
+ SYSCALL
+ MOVD $1, R1 // syscall=exit
+ MOVD $1, R2 // status=1
+ SYSCALL
diff --git a/rpm/buildah.spec b/rpm/buildah.spec
index 0848d7058..be032ec86 100644
--- a/rpm/buildah.spec
+++ b/rpm/buildah.spec
@@ -142,6 +142,8 @@ export BUILDTAGS+=" libtrust_openssl" export BUILDTAGS+=" containers_image_sequoia" %endif +%{__rm} -f internal/mkcw/embed/entrypoint_amd64.gz +%{__make} internal/mkcw/embed/entrypoint_amd64.gz %gobuild -o bin/%{name} ./cmd/%{name} %gobuild -o bin/imgtype ./tests/imgtype %gobuild -o bin/copy ./tests/copy