containers · openshift-merge-bot · Nov 6, 2025 · Nov 4, 2025 · Luap99 · Nov 5, 2025
diff --git a/Makefile b/Makefile
@@ -66,16 +66,31 @@ bin/buildah: $(SOURCES) internal/mkcw/embed/entrypoint_amd64.gz
 	$(GO_BUILD) $(BUILDAH_LDFLAGS) $(GO_GCFLAGS) "$(GOGCFLAGS)" -o $@ $(BUILDFLAGS) ./cmd/buildah
 	test -z "${SELINUXOPT}" || chcon --verbose -t $(SELINUXTYPE) $@
 
-ifneq ($(shell $(AS) --version | grep x86_64),)
 internal/mkcw/embed/entrypoint_amd64.gz: internal/mkcw/embed/entrypoint_amd64
 	gzip -k9nf $^
+internal/mkcw/embed/entrypoint_arm64.gz: internal/mkcw/embed/entrypoint_arm64
+	gzip -k9nf $^
+internal/mkcw/embed/entrypoint_ppc64le.gz: internal/mkcw/embed/entrypoint_ppc64le
+	gzip -k9nf $^
+internal/mkcw/embed/entrypoint_s390x.gz: internal/mkcw/embed/entrypoint_s390x
+	gzip -k9nf $^
 
-internal/mkcw/embed/entrypoint_amd64: internal/mkcw/embed/entrypoint_amd64.s
+ifneq ($(shell $(AS) --version | grep -E 'x86_64-([^-]+-)?linux'),)
+internal/mkcw/embed/entrypoint_amd64: internal/mkcw/embed/asm/entrypoint_amd64.s
 	$(AS) -o $(patsubst %.s,%.o,$^) $^
 	$(LD) -o $@ $(patsubst %.s,%.o,$^)
 	$(STRIP) $@
+else
+internal/mkcw/embed/entrypoint_amd64: internal/mkcw/embed/entrypoint_amd64.s internal/mkcw/embed/entrypoint.go
+	GOOS=linux GOARCH=amd64 $(GO) build -ldflags "-E _start -s" -o $@ ./internal/mkcw/embed
 endif
 
+internal/mkcw/embed/entrypoint_arm64: internal/mkcw/embed/entrypoint_arm64.s internal/mkcw/embed/entrypoint.go
+	GOOS=linux GOARCH=arm64 $(GO) build -ldflags "-E _start -s" -o $@ ./internal/mkcw/embed
+internal/mkcw/embed/entrypoint_ppc64le: internal/mkcw/embed/entrypoint_ppc64le.s internal/mkcw/embed/entrypoint.go
+	GOOS=linux GOARCH=ppc64le $(GO) build -ldflags "-E _start -s" -o $@ ./internal/mkcw/embed
+internal/mkcw/embed/entrypoint_s390x: internal/mkcw/embed/entrypoint_s390x.s internal/mkcw/embed/entrypoint.go
+	GOOS=linux GOARCH=s390x $(GO) build -ldflags "-E _start -s" -o $@ ./internal/mkcw/embed
 
 .PHONY: buildah
 buildah: bin/buildah
@@ -88,7 +103,7 @@ FREEBSD_CROSS_TARGETS := $(filter bin/buildah.freebsd.%,$(ALL_CROSS_TARGETS))
 .PHONY: cross
 cross: $(LINUX_CROSS_TARGETS) $(DARWIN_CROSS_TARGETS) $(WINDOWS_CROSS_TARGETS) $(FREEBSD_CROSS_TARGETS)
 
-bin/buildah.%: $(SOURCES)
+bin/buildah.%: $(SOURCES) internal/mkcw/embed/entrypoint_amd64.gz
 	mkdir -p ./bin
 	GOOS=$(word 2,$(subst ., ,$@)) GOARCH=$(word 3,$(subst ., ,$@)) $(GO_BUILD) $(BUILDAH_LDFLAGS) -o $@ -tags "containers_image_openpgp" ./cmd/buildah
 
@@ -118,7 +133,7 @@ bin/passwd: tests/passwd/passwd.go
 
 .PHONY: clean
 clean:
-	$(RM) -r bin tests/testreport/testreport tests/conformance/testdata/mount-targets/true
+	$(RM) -r bin tests/testreport/testreport tests/conformance/testdata/mount-targets/true internal/mkcw/embed/entrypoint_amd64 internal/mkcw/embed/entrypoint_arm64 internal/mkcw/embed/entrypoint_ppc64le internal/mkcw/embed/entrypoint_s390x internal/mkcw/embed/*.gz internal/mkcw/embed/asm/*.o
 	$(MAKE) -C docs clean
 
 .PHONY: docs

diff --git a/internal/mkcw/embed/asm/doc.md b/internal/mkcw/embed/asm/doc.md
@@ -0,0 +1 @@
+If we have a toolchain for the target that can handle plain assembly, build with that.
diff --git a/internal/mkcw/embed/asm/entrypoint_amd64.s b/internal/mkcw/embed/asm/entrypoint_amd64.s
@@ -0,0 +1,16 @@
+	.section	.rodata.1,"aMS",@progbits,1
+msg:
+	.string	"This image is designed to be run as a confidential workload using libkrun.\n"
+	.section	.text._start,"ax",@progbits
+	.globl	_start
+	.type	_start,@function
+_start:
+	movq	$1, %rax	# write
+	movq	$2, %rdi	# fd=stderr_fileno
+	movq	$msg, %rsi	# message
+	movq	$75, %rdx	# length
+	syscall
+	movq	$60, %rax	# exit
+	movq	$1, %rdi	# status=1
+	syscall
+	.section	.note.GNU-stack,"",@progbits
diff --git a/internal/mkcw/embed/check.sh b/internal/mkcw/embed/check.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+expected="This image is designed to be run as a confidential workload using libkrun."
+cd $(dirname ${BASH_SOURCE[0]})
+for GOARCH in amd64 arm64 ppc64le s390x ; do
+	make -C ../../.. internal/mkcw/embed/entrypoint_$GOARCH
+	case $GOARCH in
+		amd64) QEMUARCH=x86_64;;
+		arm64) QEMUARCH=aarch64;;
+		ppc64le|s390x) QEMUARCH=$GOARCH;;
+	esac
+	actual="$(qemu-$QEMUARCH ./entrypoint_$GOARCH 2>&1)"
+	if test "$actual" != "$expected" ; then
+		echo unexpected error from entrypoint_$GOARCH: "$actual"
+		exit 1
+	fi
+done
diff --git a/internal/mkcw/embed/doc.go b/internal/mkcw/embed/doc.go
@@ -0,0 +1,4 @@
+// Supplying our own _start that just writes the message and exits avoids
+// pulling in the proper standard library, which produces a smaller binary, but
+// we still end up pulling in the language runtime.
+package main
diff --git a/internal/mkcw/embed/entrypoint.go b/internal/mkcw/embed/entrypoint.go
@@ -0,0 +1 @@
+package main
diff --git a/internal/mkcw/embed/entrypoint_amd64.gz b/internal/mkcw/embed/entrypoint_amd64.gz
diff --git a/internal/mkcw/embed/entrypoint_amd64.s b/internal/mkcw/embed/entrypoint_amd64.s
@@ -1,16 +1,13 @@
-	.section	.rodata.1,"aMS",@progbits,1
-msg:
-	.string	"This image is designed to be run as a confidential workload using libkrun.\n"
-	.section	.text._start,"ax",@progbits
-	.globl	_start
-	.type	_start,@function
-_start:
-	movq	$1, %rax	# write
-	movq	$2, %rdi	# fd=stderr_fileno
-	movq	$msg, %rsi	# message
-	movq	$75, %rdx	# length
-	syscall
-	movq	$60, %rax	# exit
-	movq	$1, %rdi	# status=1
-	syscall
-	.section	.note.GNU-stack,"",@progbits
+DATA msg+0(SB)/75, $"This image is designed to be run as a confidential workload using libkrun.\n"
+
+GLOBL msg(SB),8,$75
+
+TEXT _start(SB),8-0,$0
+	MOVQ	$1, AX		// syscall=write
+	MOVQ	$2, DI		// descriptor=2
+	MOVQ	$msg(SB), SI	// buffer (msg) address
+	MOVQ	$75, DX		// buffer (msg) length
+	SYSCALL
+	MOVQ	$60, AX		// syscall=exit
+	MOVQ	$1, DI		// status=1
+	SYSCALL
diff --git a/internal/mkcw/embed/entrypoint_arm64.s b/internal/mkcw/embed/entrypoint_arm64.s
@@ -0,0 +1,13 @@
+DATA msg+0(SB)/75, $"This image is designed to be run as a confidential workload using libkrun.\n"
+
+GLOBL msg(SB),8,$75
+
+TEXT _start(SB),8-0,$0
+	MOVD	$64, R8		// syscall=write
+	MOVD	$2, R0		// descriptor=2
+	MOVD	$msg(SB), R1	// buffer (msg) address
+	MOVD	$75, R2		// buffer (msg) length
+	SVC
+	MOVD	$93, R8		// syscall=exit
+	MOVD	$1, R0		// status=1
+	SVC
diff --git a/internal/mkcw/embed/entrypoint_ppc64le.s b/internal/mkcw/embed/entrypoint_ppc64le.s
@@ -0,0 +1,13 @@
+DATA msg+0(SB)/75, $"This image is designed to be run as a confidential workload using libkrun.\n"
+
+GLOBL msg(SB),8,$75
+
+TEXT _start(SB),8-0,$0
+	MOVD	$4, R0		// syscall=write
+	MOVD	$2, R3		// descriptor=2
+	MOVD	$msg(SB), R4	// buffer (msg) address
+	MOVD	$75, R5		// buffer (msg) length
+	SYSCALL
+	MOVD	$1, R0		// syscall=exit
+	MOVD	$1, R3		// status=1
+	SYSCALL
diff --git a/internal/mkcw/embed/entrypoint_s390x.s b/internal/mkcw/embed/entrypoint_s390x.s
@@ -0,0 +1,13 @@
+DATA msg+0(SB)/75, $"This image is designed to be run as a confidential workload using libkrun.\n"
+
+GLOBL msg(SB),8,$75
+
+TEXT _start(SB),8-0,$0
+	MOVD	$4, R1		// syscall=write
+	MOVD	$2, R2		// descriptor=2
+	MOVD	$msg(SB), R3	// buffer (msg) address
+	MOVD	$75, R4		// buffer (msg) length
+	SYSCALL
+	MOVD	$1, R1		// syscall=exit
+	MOVD	$1, R2		// status=1
+	SYSCALL
diff --git a/rpm/buildah.spec b/rpm/buildah.spec
@@ -142,6 +142,8 @@ export BUILDTAGS+=" libtrust_openssl"
 export BUILDTAGS+=" containers_image_sequoia"
 %endif
 
+%{__rm} -f internal/mkcw/embed/entrypoint_amd64.gz
+%{__make} internal/mkcw/embed/entrypoint_amd64.gz
 %gobuild -o bin/%{name} ./cmd/%{name}
 %gobuild -o bin/imgtype ./tests/imgtype
 %gobuild -o bin/copy ./tests/copy
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		If we have a toolchain for the target that can handle plain assembly, build with that.