internal/mkcw/embed: cross-compile using Go

nalind · nalind · commit b6098a2c5cef · 2025-11-06T10:46:23.000-05:00
Use the Go toolchain to cross-compile the "This image is designed to be
run as a confidential workload using libkrun." entrypoint that we add to
confidential workload images.  It's bigger than it was before, but
easier to port and can be built from source every time when desired.

Signed-off-by: Nalin Dahyabhai &lt;nalin@redhat.com&gt;
diff --git a/Makefile b/Makefile
@@ -66,16 +66,31 @@ bin/buildah: $(SOURCES) internal/mkcw/embed/entrypoint_amd64.gz
 	$(GO_BUILD) $(BUILDAH_LDFLAGS) $(GO_GCFLAGS) "$(GOGCFLAGS)" -o $@ $(BUILDFLAGS) ./cmd/buildah
 	test -z "${SELINUXOPT}" || chcon --verbose -t $(SELINUXTYPE) $@
 
-ifneq ($(shell $(AS) --version | grep x86_64),)
 internal/mkcw/embed/entrypoint_amd64.gz: internal/mkcw/embed/entrypoint_amd64
 	gzip -k9nf $^
+internal/mkcw/embed/entrypoint_arm64.gz: internal/mkcw/embed/entrypoint_arm64
+	gzip -k9nf $^
+internal/mkcw/embed/entrypoint_ppc64le.gz: internal/mkcw/embed/entrypoint_ppc64le
+	gzip -k9nf $^
+internal/mkcw/embed/entrypoint_s390x.gz: internal/mkcw/embed/entrypoint_s390x
+	gzip -k9nf $^
 
-internal/mkcw/embed/entrypoint_amd64: internal/mkcw/embed/entrypoint_amd64.s
+ifneq ($(shell $(AS) --version | grep -E 'x86_64-([^-]+-)?linux'),)
+internal/mkcw/embed/entrypoint_amd64: internal/mkcw/embed/asm/entrypoint_amd64.s
 	$(AS) -o $(patsubst %.s,%.o,$^) $^
 	$(LD) -o $@ $(patsubst %.s,%.o,$^)
 	$(STRIP) $@
+else
+internal/mkcw/embed/entrypoint_amd64: internal/mkcw/embed/entrypoint_amd64.s internal/mkcw/embed/entrypoint.go
+	GOOS=linux GOARCH=amd64 $(GO) build -ldflags "-E _start -s" -o $@ ./internal/mkcw/embed
 endif
 
+internal/mkcw/embed/entrypoint_arm64: internal/mkcw/embed/entrypoint_arm64.s internal/mkcw/embed/entrypoint.go
+	GOOS=linux GOARCH=arm64 $(GO) build -ldflags "-E _start -s" -o $@ ./internal/mkcw/embed
+internal/mkcw/embed/entrypoint_ppc64le: internal/mkcw/embed/entrypoint_ppc64le.s internal/mkcw/embed/entrypoint.go
+	GOOS=linux GOARCH=ppc64le $(GO) build -ldflags "-E _start -s" -o $@ ./internal/mkcw/embed
+internal/mkcw/embed/entrypoint_s390x: internal/mkcw/embed/entrypoint_s390x.s internal/mkcw/embed/entrypoint.go
+	GOOS=linux GOARCH=s390x $(GO) build -ldflags "-E _start -s" -o $@ ./internal/mkcw/embed
 
 .PHONY: buildah
 buildah: bin/buildah
@@ -88,7 +103,7 @@ FREEBSD_CROSS_TARGETS := $(filter bin/buildah.freebsd.%,$(ALL_CROSS_TARGETS))
 .PHONY: cross
 cross: $(LINUX_CROSS_TARGETS) $(DARWIN_CROSS_TARGETS) $(WINDOWS_CROSS_TARGETS) $(FREEBSD_CROSS_TARGETS)
 
-bin/buildah.%: $(SOURCES)
+bin/buildah.%: $(SOURCES) internal/mkcw/embed/entrypoint_amd64.gz
 	mkdir -p ./bin
 	GOOS=$(word 2,$(subst ., ,$@)) GOARCH=$(word 3,$(subst ., ,$@)) $(GO_BUILD) $(BUILDAH_LDFLAGS) -o $@ -tags "containers_image_openpgp" ./cmd/buildah
 
@@ -118,7 +133,7 @@ bin/passwd: tests/passwd/passwd.go
 
 .PHONY: clean
 clean:
-	$(RM) -r bin tests/testreport/testreport tests/conformance/testdata/mount-targets/true
+	$(RM) -r bin tests/testreport/testreport tests/conformance/testdata/mount-targets/true internal/mkcw/embed/entrypoint_amd64 internal/mkcw/embed/entrypoint_arm64 internal/mkcw/embed/entrypoint_ppc64le internal/mkcw/embed/entrypoint_s390x internal/mkcw/embed/*.gz internal/mkcw/embed/asm/*.o
 	$(MAKE) -C docs clean
 
 .PHONY: docs
diff --git a/internal/mkcw/embed/asm/doc.md b/internal/mkcw/embed/asm/doc.md
@@ -0,0 +1 @@
+If we have a toolchain for the target that can handle plain assembly, build with that.
diff --git a/internal/mkcw/embed/asm/entrypoint_amd64.s b/internal/mkcw/embed/asm/entrypoint_amd64.s
@@ -0,0 +1,16 @@
+	.section	.rodata.1,"aMS",@progbits,1
+msg:
+	.string	"This image is designed to be run as a confidential workload using libkrun.\n"
+	.section	.text._start,"ax",@progbits
+	.globl	_start
+	.type	_start,@function
+_start:
+	movq	$1, %rax	# write
+	movq	$2, %rdi	# fd=stderr_fileno
+	movq	$msg, %rsi	# message
+	movq	$75, %rdx	# length
+	syscall
+	movq	$60, %rax	# exit
+	movq	$1, %rdi	# status=1
+	syscall
+	.section	.note.GNU-stack,"",@progbits
diff --git a/internal/mkcw/embed/check.sh b/internal/mkcw/embed/check.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+expected="This image is designed to be run as a confidential workload using libkrun."
+cd $(dirname ${BASH_SOURCE[0]})
+for GOARCH in amd64 arm64 ppc64le s390x ; do
+	make -C ../../.. internal/mkcw/embed/entrypoint_$GOARCH
+	case $GOARCH in
+		amd64) QEMUARCH=x86_64;;
+		arm64) QEMUARCH=aarch64;;
+		ppc64le|s390x) QEMUARCH=$GOARCH;;
+	esac
+	actual="$(qemu-$QEMUARCH ./entrypoint_$GOARCH 2>&1)"
+	if test "$actual" != "$expected" ; then
+		echo unexpected error from entrypoint_$GOARCH: "$actual"
+		exit 1
+	fi
+done
diff --git a/internal/mkcw/embed/doc.go b/internal/mkcw/embed/doc.go
@@ -0,0 +1,4 @@
+// Supplying our own _start that just writes the message and exits avoids
+// pulling in the proper standard library, which produces a smaller binary, but
+// we still end up pulling in the language runtime.
+package main
diff --git a/internal/mkcw/embed/entrypoint.go b/internal/mkcw/embed/entrypoint.go
@@ -0,0 +1 @@
+package main
diff --git a/internal/mkcw/embed/entrypoint_amd64.gz b/internal/mkcw/embed/entrypoint_amd64.gz
diff --git a/internal/mkcw/embed/entrypoint_amd64.s b/internal/mkcw/embed/entrypoint_amd64.s
@@ -1,16 +1,13 @@
-	.section	.rodata.1,"aMS",@progbits,1
-msg:
-	.string	"This image is designed to be run as a confidential workload using libkrun.\n"
-	.section	.text._start,"ax",@progbits
-	.globl	_start
-	.type	_start,@function
-_start:
-	movq	$1, %rax	# write
-	movq	$2, %rdi	# fd=stderr_fileno
-	movq	$msg, %rsi	# message
-	movq	$75, %rdx	# length
-	syscall
-	movq	$60, %rax	# exit
-	movq	$1, %rdi	# status=1
-	syscall
-	.section	.note.GNU-stack,"",@progbits
+DATA msg+0(SB)/75, $"This image is designed to be run as a confidential workload using libkrun.\n"
+
+GLOBL msg(SB),8,$75
+
+TEXT _start(SB),8-0,$0
+	MOVQ	$1, AX		// syscall=write
+	MOVQ	$2, DI		// descriptor=2
+	MOVQ	$msg(SB), SI	// buffer (msg) address
+	MOVQ	$75, DX		// buffer (msg) length
+	SYSCALL
+	MOVQ	$60, AX		// syscall=exit
+	MOVQ	$1, DI		// status=1
+	SYSCALL
diff --git a/internal/mkcw/embed/entrypoint_arm64.s b/internal/mkcw/embed/entrypoint_arm64.s
@@ -0,0 +1,13 @@
+DATA msg+0(SB)/75, $"This image is designed to be run as a confidential workload using libkrun.\n"
+
+GLOBL msg(SB),8,$75
+
+TEXT _start(SB),8-0,$0
+	MOVD	$64, R8		// syscall=write
+	MOVD	$2, R0		// descriptor=2
+	MOVD	$msg(SB), R1	// buffer (msg) address
+	MOVD	$75, R2		// buffer (msg) length
+	SVC
+	MOVD	$93, R8		// syscall=exit
+	MOVD	$1, R0		// status=1
+	SVC
diff --git a/internal/mkcw/embed/entrypoint_ppc64le.s b/internal/mkcw/embed/entrypoint_ppc64le.s
@@ -0,0 +1,13 @@
+DATA msg+0(SB)/75, $"This image is designed to be run as a confidential workload using libkrun.\n"
+
+GLOBL msg(SB),8,$75
+
+TEXT _start(SB),8-0,$0
+	MOVD	$4, R0		// syscall=write
+	MOVD	$2, R3		// descriptor=2
+	MOVD	$msg(SB), R4	// buffer (msg) address
+	MOVD	$75, R5		// buffer (msg) length
+	SYSCALL
+	MOVD	$1, R0		// syscall=exit
+	MOVD	$1, R3		// status=1
+	SYSCALL
diff --git a/internal/mkcw/embed/entrypoint_s390x.s b/internal/mkcw/embed/entrypoint_s390x.s
@@ -0,0 +1,13 @@
+DATA msg+0(SB)/75, $"This image is designed to be run as a confidential workload using libkrun.\n"
+
+GLOBL msg(SB),8,$75
+
+TEXT _start(SB),8-0,$0
+	MOVD	$4, R1		// syscall=write
+	MOVD	$2, R2		// descriptor=2
+	MOVD	$msg(SB), R3	// buffer (msg) address
+	MOVD	$75, R4		// buffer (msg) length
+	SYSCALL
+	MOVD	$1, R1		// syscall=exit
+	MOVD	$1, R2		// status=1
+	SYSCALL
diff --git a/rpm/buildah.spec b/rpm/buildah.spec
@@ -142,6 +142,8 @@ export BUILDTAGS+=" libtrust_openssl"
 export BUILDTAGS+=" containers_image_sequoia"
 %endif
 
+%{__rm} -f internal/mkcw/embed/entrypoint_amd64.gz
+%{__make} internal/mkcw/embed/entrypoint_amd64.gz
 %gobuild -o bin/%{name} ./cmd/%{name}
 %gobuild -o bin/imgtype ./tests/imgtype
 %gobuild -o bin/copy ./tests/copy

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+If we have a toolchain for the target that can handle plain assembly, build with that.`