containers/buildah
1
0
Fork 0
mirror of https://github.com/containers/buildah.git synced 2026-02-05 09:45:38 +01:00
Code Issues Releases Wiki Activity

internal/mkcw/embed: cross-compile using Go

Browse Source 
Use the Go toolchain to cross-compile the "This image is designed to be
run as a confidential workload using libkrun." entrypoint that we add to
confidential workload images.  It's bigger than it was before, but
easier to port and can be built from source every time when desired.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
This commit is contained in:
Nalin Dahyabhai
2025-11-04 16:31:03 -05:00
parent d0235c9c9e
commit b6098a2c5c
12 changed files with 111 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
Makefile
View File

@@ -66,16 +66,31 @@ bin/buildah: $(SOURCES) internal/mkcw/embed/entrypoint_amd64.gz
$(GO_BUILD) $(BUILDAH_LDFLAGS) $(GO_GCFLAGS) "$(GOGCFLAGS)" -o $@ $(BUILDFLAGS) ./cmd/buildah $(GO_BUILD) $(BUILDAH_LDFLAGS) $(GO_GCFLAGS) "$(GOGCFLAGS)" -o $@ $(BUILDFLAGS) ./cmd/buildah
test -z "${SELINUXOPT}" || chcon --verbose -t $(SELINUXTYPE) $@ test -z "${SELINUXOPT}" || chcon --verbose -t $(SELINUXTYPE) $@
ifneq ($(shell $(AS) --version | grep x86_64),)
internal/mkcw/embed/entrypoint_amd64.gz: internal/mkcw/embed/entrypoint_amd64 internal/mkcw/embed/entrypoint_amd64.gz: internal/mkcw/embed/entrypoint_amd64
gzip -k9nf $^ gzip -k9nf $^
internal/mkcw/embed/entrypoint_arm64.gz: internal/mkcw/embed/entrypoint_arm64
gzip -k9nf $^
internal/mkcw/embed/entrypoint_ppc64le.gz: internal/mkcw/embed/entrypoint_ppc64le
gzip -k9nf $^
internal/mkcw/embed/entrypoint_s390x.gz: internal/mkcw/embed/entrypoint_s390x
gzip -k9nf $^
internal/mkcw/embed/entrypoint_amd64: internal/mkcw/embed/entrypoint_amd64.s ifneq ($(shell $(AS) --version | grep -E 'x86_64-([^-]+-)?linux'),)
internal/mkcw/embed/entrypoint_amd64: internal/mkcw/embed/asm/entrypoint_amd64.s
$(AS) -o $(patsubst %.s,%.o,$^) $^ $(AS) -o $(patsubst %.s,%.o,$^) $^
$(LD) -o $@ $(patsubst %.s,%.o,$^) $(LD) -o $@ $(patsubst %.s,%.o,$^)
$(STRIP) $@ $(STRIP) $@
else
internal/mkcw/embed/entrypoint_amd64: internal/mkcw/embed/entrypoint_amd64.s internal/mkcw/embed/entrypoint.go
GOOS=linux GOARCH=amd64 $(GO) build -ldflags "-E _start -s" -o $@ ./internal/mkcw/embed
endif endif
internal/mkcw/embed/entrypoint_arm64: internal/mkcw/embed/entrypoint_arm64.s internal/mkcw/embed/entrypoint.go
GOOS=linux GOARCH=arm64 $(GO) build -ldflags "-E _start -s" -o $@ ./internal/mkcw/embed
internal/mkcw/embed/entrypoint_ppc64le: internal/mkcw/embed/entrypoint_ppc64le.s internal/mkcw/embed/entrypoint.go
GOOS=linux GOARCH=ppc64le $(GO) build -ldflags "-E _start -s" -o $@ ./internal/mkcw/embed
internal/mkcw/embed/entrypoint_s390x: internal/mkcw/embed/entrypoint_s390x.s internal/mkcw/embed/entrypoint.go
GOOS=linux GOARCH=s390x $(GO) build -ldflags "-E _start -s" -o $@ ./internal/mkcw/embed
.PHONY: buildah .PHONY: buildah
buildah: bin/buildah buildah: bin/buildah
@@ -88,7 +103,7 @@ FREEBSD_CROSS_TARGETS := $(filter bin/buildah.freebsd.%,$(ALL_CROSS_TARGETS))
.PHONY: cross .PHONY: cross
cross: $(LINUX_CROSS_TARGETS) $(DARWIN_CROSS_TARGETS) $(WINDOWS_CROSS_TARGETS) $(FREEBSD_CROSS_TARGETS) cross: $(LINUX_CROSS_TARGETS) $(DARWIN_CROSS_TARGETS) $(WINDOWS_CROSS_TARGETS) $(FREEBSD_CROSS_TARGETS)
bin/buildah.%: $(SOURCES) bin/buildah.%: $(SOURCES) internal/mkcw/embed/entrypoint_amd64.gz
mkdir -p ./bin mkdir -p ./bin
GOOS=$(word 2,$(subst ., ,$@)) GOARCH=$(word 3,$(subst ., ,$@)) $(GO_BUILD) $(BUILDAH_LDFLAGS) -o $@ -tags "containers_image_openpgp" ./cmd/buildah GOOS=$(word 2,$(subst ., ,$@)) GOARCH=$(word 3,$(subst ., ,$@)) $(GO_BUILD) $(BUILDAH_LDFLAGS) -o $@ -tags "containers_image_openpgp" ./cmd/buildah
@@ -118,7 +133,7 @@ bin/passwd: tests/passwd/passwd.go
.PHONY: clean .PHONY: clean
clean: clean:
$(RM) -r bin tests/testreport/testreport tests/conformance/testdata/mount-targets/true $(RM) -r bin tests/testreport/testreport tests/conformance/testdata/mount-targets/true internal/mkcw/embed/entrypoint_amd64 internal/mkcw/embed/entrypoint_arm64 internal/mkcw/embed/entrypoint_ppc64le internal/mkcw/embed/entrypoint_s390x internal/mkcw/embed/*.gz internal/mkcw/embed/asm/*.o
$(MAKE) -C docs clean $(MAKE) -C docs clean
.PHONY: docs .PHONY: docs

1
internal/mkcw/embed/asm/doc.md Normal file
View File

@@ -0,0 +1 @@
If we have a toolchain for the target that can handle plain assembly, build with that.

16
internal/mkcw/embed/asm/entrypoint_amd64.s Normal file
View File

@@ -0,0 +1,16 @@
.section .rodata.1,"aMS",@progbits,1
msg:
.string "This image is designed to be run as a confidential workload using libkrun.\n"
.section .text._start,"ax",@progbits
.globl _start
.type _start,@function
_start:
movq $1, %rax # write
movq $2, %rdi # fd=stderr_fileno
movq $msg, %rsi # message
movq $75, %rdx # length
syscall
movq $60, %rax # exit
movq $1, %rdi # status=1
syscall
.section .note.GNU-stack,"",@progbits

16
internal/mkcw/embed/check.sh Executable file
View File

@@ -0,0 +1,16 @@
#!/usr/bin/env bash
expected="This image is designed to be run as a confidential workload using libkrun."
cd $(dirname ${BASH_SOURCE[0]})
for GOARCH in amd64 arm64 ppc64le s390x ; do
make -C ../../.. internal/mkcw/embed/entrypoint_$GOARCH
case $GOARCH in
amd64) QEMUARCH=x86_64;;
arm64) QEMUARCH=aarch64;;
ppc64le|s390x) QEMUARCH=$GOARCH;;
esac
actual="$(qemu-$QEMUARCH ./entrypoint_$GOARCH 2>&1)"
if test "$actual" != "$expected" ; then
echo unexpected error from entrypoint_$GOARCH: "$actual"
exit 1
fi
done

4
internal/mkcw/embed/doc.go Normal file
View File

@@ -0,0 +1,4 @@
// Supplying our own _start that just writes the message and exits avoids
// pulling in the proper standard library, which produces a smaller binary, but
// we still end up pulling in the language runtime.
package main

1
internal/mkcw/embed/entrypoint.go Normal file
View File

@@ -0,0 +1 @@
package main

BIN
internal/mkcw/embed/entrypoint_amd64.gz
View File

Binary file not shown.

29
internal/mkcw/embed/entrypoint_amd64.s
View File

@@ -1,16 +1,13 @@
.section .rodata.1,"aMS",@progbits,1 DATA msg+0(SB)/75, $"This image is designed to be run as a confidential workload using libkrun.\n"
msg:
.string "This image is designed to be run as a confidential workload using libkrun.\n" GLOBL msg(SB),8,$75
.section .text._start,"ax",@progbits
.globl _start TEXT _start(SB),8-0,$0
.type _start,@function MOVQ $1, AX // syscall=write
_start: MOVQ $2, DI // descriptor=2
movq $1, %rax # write MOVQ $msg(SB), SI // buffer (msg) address
movq $2, %rdi # fd=stderr_fileno MOVQ $75, DX // buffer (msg) length
movq $msg, %rsi # message SYSCALL
movq $75, %rdx # length MOVQ $60, AX // syscall=exit
syscall MOVQ $1, DI // status=1
movq $60, %rax # exit SYSCALL
movq $1, %rdi # status=1
syscall
.section .note.GNU-stack,"",@progbits

13
internal/mkcw/embed/entrypoint_arm64.s Normal file
View File

@@ -0,0 +1,13 @@
DATA msg+0(SB)/75, $"This image is designed to be run as a confidential workload using libkrun.\n"
GLOBL msg(SB),8,$75
TEXT _start(SB),8-0,$0
MOVD $64, R8 // syscall=write
MOVD $2, R0 // descriptor=2
MOVD $msg(SB), R1 // buffer (msg) address
MOVD $75, R2 // buffer (msg) length
SVC
MOVD $93, R8 // syscall=exit
MOVD $1, R0 // status=1
SVC

13
internal/mkcw/embed/entrypoint_ppc64le.s Normal file
View File

@@ -0,0 +1,13 @@
DATA msg+0(SB)/75, $"This image is designed to be run as a confidential workload using libkrun.\n"
GLOBL msg(SB),8,$75
TEXT _start(SB),8-0,$0
MOVD $4, R0 // syscall=write
MOVD $2, R3 // descriptor=2
MOVD $msg(SB), R4 // buffer (msg) address
MOVD $75, R5 // buffer (msg) length
SYSCALL
MOVD $1, R0 // syscall=exit
MOVD $1, R3 // status=1
SYSCALL

13
internal/mkcw/embed/entrypoint_s390x.s Normal file
View File

@@ -0,0 +1,13 @@
DATA msg+0(SB)/75, $"This image is designed to be run as a confidential workload using libkrun.\n"
GLOBL msg(SB),8,$75
TEXT _start(SB),8-0,$0
MOVD $4, R1 // syscall=write
MOVD $2, R2 // descriptor=2
MOVD $msg(SB), R3 // buffer (msg) address
MOVD $75, R4 // buffer (msg) length
SYSCALL
MOVD $1, R1 // syscall=exit
MOVD $1, R2 // status=1
SYSCALL

2
rpm/buildah.spec
View File

@@ -142,6 +142,8 @@ export BUILDTAGS+=" libtrust_openssl"
export BUILDTAGS+=" containers_image_sequoia" export BUILDTAGS+=" containers_image_sequoia"
%endif %endif
%{__rm} -f internal/mkcw/embed/entrypoint_amd64.gz
%{__make} internal/mkcw/embed/entrypoint_amd64.gz
%gobuild -o bin/%{name} ./cmd/%{name} %gobuild -o bin/%{name} ./cmd/%{name}
%gobuild -o bin/imgtype ./tests/imgtype %gobuild -o bin/imgtype ./tests/imgtype
%gobuild -o bin/copy ./tests/copy %gobuild -o bin/copy ./tests/copy