Merge pull request #19951 from Luap99/small-remote

podman-remote debloat: remove libimage dependency

cmd/podman/images/build.go

@@ -184,6 +184,7 @@ func buildFlags(cmd *cobra.Command) {
 		_ = flags.MarkHidden("compress")
 		_ = flags.MarkHidden("output")
 		_ = flags.MarkHidden("logsplit")
+		_ = flags.MarkHidden("cw")
 	}
 }
 
@@ -575,6 +576,14 @@ func buildFlagsWrapperToOptions(c *cobra.Command, contextDir string, flags *buil
 		}
 	}
 
+	var confidentialWorkloadOptions buildahDefine.ConfidentialWorkloadOptions
+	if c.Flag("cw").Changed {
+		confidentialWorkloadOptions, err = parse.GetConfidentialWorkloadOptions(flags.CWOptions)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	opts := buildahDefine.BuildOptions{
 		AddCapabilities:         flags.CapAdd,
 		AdditionalTags:          tags,
@@ -587,6 +596,7 @@ func buildFlagsWrapperToOptions(c *cobra.Command, contextDir string, flags *buil
 		CacheFrom:               cacheFrom,
 		CacheTo:                 cacheTo,
 		CacheTTL:                cacheTTL,
+		ConfidentialWorkload:    confidentialWorkloadOptions,
 		CommonBuildOpts:         commonOpts,
 		Compression:             compression,
 		ConfigureNetwork:        networkPolicy,
@@ -605,6 +615,7 @@ func buildFlagsWrapperToOptions(c *cobra.Command, contextDir string, flags *buil
 		Isolation:               isolation,
 		Jobs:                    &flags.Jobs,
 		Labels:                  flags.Label,
+		LayerLabels:             flags.LayerLabel,
 		Layers:                  flags.Layers,
 		LogRusage:               flags.LogRusage,
 		LogFile:                 flags.Logfile,

cmd/podman/system/reset.go

@@ -9,7 +9,7 @@ import (
 	"os"
 	"strings"
 
-	"github.com/containers/buildah/pkg/parse"
+	"github.com/containers/buildah/pkg/volumes"
 	"github.com/containers/common/pkg/completion"
 	"github.com/containers/podman/v4/cmd/podman/registry"
 	"github.com/containers/podman/v4/cmd/podman/validate"
@@ -97,7 +97,7 @@ func reset(cmd *cobra.Command, args []string) {
 		logrus.Error(err)
 	}
 	// Clean build cache if any
-	err = parse.CleanCacheMount()
+	err = volumes.CleanCacheMount()
 	if err != nil {
 		logrus.Error(err)
 	}

docs/source/markdown/podman-build.1.md.in

@@ -222,6 +222,66 @@ Set additional flags to pass to the C Preprocessor cpp(1). Containerfiles ending
 
 @@option creds
 
+#### **--cw**=*options*
+
+Produce an image suitable for use as a confidential workload running in a
+trusted execution environment (TEE) using krun (i.e., *crun* built with the
+libkrun feature enabled and invoked as *krun*).  Instead of the conventional
+contents, the root filesystem of the image will contain an encrypted disk image
+and configuration information for krun.
+
+The value for *options* is a comma-separated list of key=value pairs, supplying
+configuration information which is needed for producing the additional data
+which will be included in the container image.
+
+Recognized _keys_ are:
+
+*attestation_url*: The location of a key broker / attestation server.
+If a value is specified, the new image's workload ID, along with the passphrase
+used to encrypt the disk image, will be registered with the server, and the
+server's location will be stored in the container image.
+At run-time, krun is expected to contact the server to retrieve the passphrase
+using the workload ID, which is also stored in the container image.
+If no value is specified, a *passphrase* value *must* be specified.
+
+*cpus*: The number of virtual CPUs which the image expects to be run with at
+run-time.  If not specified, a default value will be supplied.
+
+*firmware_library*: The location of the libkrunfw-sev shared library.  If not
+specified, `buildah` checks for its presence in a number of hard-coded
+locations.
+
+*memory*: The amount of memory which the image expects to be run with at
+run-time, as a number of megabytes.  If not specified, a default value will be
+supplied.
+
+*passphrase*: The passphrase to use to encrypt the disk image which will be
+included in the container image.
+If no value is specified, but an *attestation_url* value is specified, a
+randomly-generated passphrase will be used.
+The authors recommend setting an *attestation_url* but not a *passphrase*.
+
+*slop*: Extra space to allocate for the disk image compared to the size of the
+container image's contents, expressed either as a percentage (..%) or a size
+value (bytes, or larger units if suffixes like KB or MB are present), or a sum
+of two or more such specifications.  If not specified, `buildah` guesses that
+25% more space than the contents will be enough, but this option is provided in
+case its guess is wrong.
+
+*type*: The type of trusted execution environment (TEE) which the image should
+be marked for use with.  Accepted values are "SEV" (AMD Secure Encrypted
+Virtualization - Encrypted State) and "SNP" (AMD Secure Encrypted
+Virtualization - Secure Nested Paging).  If not specified, defaults to "SNP".
+
+*workload_id*: A workload identifier which will be recorded in the container
+image, to be used at run-time for retrieving the passphrase which was used to
+encrypt the disk image.  If not specified, a semi-random value will be derived
+from the base image's image ID.
+
+This option is not supported on the remote client, including Mac and Windows
+(excluding WSL2) machines.
+
+
 #### **--decryption-key**=*key[:passphrase]*
 
 The [key[:passphrase]] to be used for decryption of images. Key can point to
@@ -396,6 +456,14 @@ capabilities is a subset of the default list.
 If the specified capabilities are not in the default set, Podman prints an error
 message and runs the container with the default capabilities.
 
+#### **--layer-label**=*label[=value]*
+
+Add an intermediate image *label* (e.g. label=*value*) to the intermediate
+image metadata. It can be used multiple times.
+
+If *label* is named, but neither `=` nor a `value` is provided, then
+the *label* is set to an empty value.
+
 #### **--layers**
 
 Cache intermediate images during the build process (Default is `true`).

go.mod

@@ -12,14 +12,14 @@ require (
 	github.com/container-orchestrated-devices/container-device-interface v0.6.1
 	github.com/containernetworking/cni v1.1.2
 	github.com/containernetworking/plugins v1.3.0
-	github.com/containers/buildah v1.31.1-0.20230722114901-5ece066f82c6
+	github.com/containers/buildah v1.31.1-0.20230914090547-70d8ab94953a
-	github.com/containers/common v0.55.1-0.20230912125309-7fa3c55bd517
+	github.com/containers/common v0.56.0
 	github.com/containers/conmon v2.0.20+incompatible
-	github.com/containers/image/v5 v5.27.1-0.20230911141411-81c35e010bab
+	github.com/containers/image/v5 v5.28.0
 	github.com/containers/libhvee v0.4.1-0.20230905135638-56fb23533417
 	github.com/containers/ocicrypt v1.1.8
 	github.com/containers/psgo v1.8.0
-	github.com/containers/storage v1.50.0
+	github.com/containers/storage v1.50.2
 	github.com/coreos/go-systemd/v22 v22.5.0
 	github.com/coreos/stream-metadata-go v0.4.3
 	github.com/crc-org/vfkit v0.1.1
@@ -78,17 +78,19 @@ require (
 require (
 	dario.cat/mergo v1.0.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
-	github.com/Microsoft/hcsshim v0.11.0 // indirect
+	github.com/Microsoft/hcsshim v0.12.0-rc.0 // indirect
 	github.com/VividCortex/ewma v1.2.0 // indirect
 	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d // indirect
+	github.com/aead/serpent v0.0.0-20160714141033-fba169763ea6 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/bytedance/sonic v1.9.1 // indirect
 	github.com/chenzhuoyu/base64x v0.0.0-20221115062448-fe3a3abad311 // indirect
 	github.com/chzyer/readline v1.5.1 // indirect
-	github.com/containerd/cgroups v1.1.0 // indirect
+	github.com/containerd/cgroups/v3 v3.0.2 // indirect
-	github.com/containerd/containerd v1.7.5 // indirect
+	github.com/containerd/containerd v1.7.6 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
 	github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 // indirect
+	github.com/containers/luksy v0.0.0-20230808154129-d2d74a56682f // indirect
 	github.com/coreos/go-oidc/v3 v3.6.0 // indirect
 	github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f // indirect
 	github.com/cyberphone/json-canonicalization v0.0.0-20230710064741-aa7fe85c7dbd // indirect
@@ -191,7 +193,7 @@ require (
 	golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 // indirect
-	google.golang.org/grpc v1.56.2 // indirect
+	google.golang.org/grpc v1.57.0 // indirect
 	gopkg.in/go-jose/go-jose.v2 v2.6.1 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect

go.sum

@@ -67,8 +67,8 @@ github.com/Microsoft/hcsshim v0.8.15/go.mod h1:x38A4YbHbdxJtc0sF6oIz+RG0npwSCAvn
 github.com/Microsoft/hcsshim v0.8.16/go.mod h1:o5/SZqmR7x9JNKsW3pu+nqHm0MF8vbA+VxGOoXdC600=
 github.com/Microsoft/hcsshim v0.8.21/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwTOcER2fw4I4=
 github.com/Microsoft/hcsshim v0.9.4/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc=
-github.com/Microsoft/hcsshim v0.11.0 h1:7EFNIY4igHEXUdj1zXgAyU3fLc7QfOKHbkldRVTBdiM=
+github.com/Microsoft/hcsshim v0.12.0-rc.0 h1:wX/F5huJxH9APBkhKSEAqaiZsuBvbbDnyBROZAqsSaY=
-github.com/Microsoft/hcsshim v0.11.0/go.mod h1:OEthFdQv/AD2RAdzR6Mm1N1KPCztGKDurW1Z8b8VGMM=
+github.com/Microsoft/hcsshim v0.12.0-rc.0/go.mod h1:rvOnw3YlfoNnEp45wReUngvsXbwRW+AFQ10GVjG1kMU=
 github.com/Microsoft/hcsshim/test v0.0.0-20201218223536-d3e5debf77da/go.mod h1:5hlzMzRKMLyo42nCZ9oml8AdTlq/0cvIaBv6tK1RehU=
 github.com/Microsoft/hcsshim/test v0.0.0-20210227013316-43a75bb4edd3/go.mod h1:mw7qgWloBUl75W/gVH3cQszUg1+gUITj7D6NY7ywVnY=
 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
@@ -82,6 +82,8 @@ github.com/VividCortex/ewma v1.2.0 h1:f58SaIzcDXrSy3kWaHNvuJgJ3Nmz59Zji6XoJR/q1o
 github.com/VividCortex/ewma v1.2.0/go.mod h1:nz4BbCtbLyFDeC9SUHbtcT5644juEuWfUAUnGx7j5l4=
 github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d h1:licZJFw2RwpHMqeKTCYkitsPqHNxTmd4SNR5r94FGM8=
 github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d/go.mod h1:asat636LX7Bqt5lYEZ27JNDcqxfjdBQuJ/MM4CN/Lzo=
+github.com/aead/serpent v0.0.0-20160714141033-fba169763ea6 h1:5L8Mj9Co9sJVgW3TpYk2gxGJnDjsYuboNTcRmbtGKGs=
+github.com/aead/serpent v0.0.0-20160714141033-fba169763ea6/go.mod h1:3HgLJ9d18kXMLQlJvIY3+FszZYMxCz8WfE2MQ7hDY0w=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
@@ -166,8 +168,8 @@ github.com/containerd/cgroups v0.0.0-20200710171044-318312a37340/go.mod h1:s5q4S
 github.com/containerd/cgroups v0.0.0-20200824123100-0b889c03f102/go.mod h1:s5q4SojHctfxANBDvMeIaIovkq29IP48TKAxnhYRxvo=
 github.com/containerd/cgroups v0.0.0-20210114181951-8a68de567b68/go.mod h1:ZJeTFisyysqgcCdecO57Dj79RfL0LNeGiFUqLYQRYLE=
 github.com/containerd/cgroups v1.0.1/go.mod h1:0SJrPIenamHDcZhEcJMNBB85rHcUsw4f25ZfBiPYRkU=
-github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM=
+github.com/containerd/cgroups/v3 v3.0.2 h1:f5WFqIVSgo5IZmtTT3qVBo6TzI1ON6sycSBKkymb9L0=
-github.com/containerd/cgroups v1.1.0/go.mod h1:6ppBcbh/NOOUU+dMKrykgaBnK9lCIBxHqJDGwsa1mIw=
+github.com/containerd/cgroups/v3 v3.0.2/go.mod h1:JUgITrzdFqp42uI2ryGA+ge0ap/nxzYgkGmIcetmErE=
 github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw=
 github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw=
 github.com/containerd/console v0.0.0-20191206165004-02ecf6a7291e/go.mod h1:8Pf4gM6VEbTNRIT26AyyU7hxdQU3MvAvxVI0sc00XBE=
@@ -188,8 +190,8 @@ github.com/containerd/containerd v1.5.0-beta.4/go.mod h1:GmdgZd2zA2GYIBZ0w09Zvgq
 github.com/containerd/containerd v1.5.0-rc.0/go.mod h1:V/IXoMqNGgBlabz3tHD2TWDoTJseu1FGOKuoA4nNb2s=
 github.com/containerd/containerd v1.5.1/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g=
 github.com/containerd/containerd v1.5.7/go.mod h1:gyvv6+ugqY25TiXxcZC3L5yOeYgEw0QMhscqVp1AR9c=
-github.com/containerd/containerd v1.7.5 h1:i9T9XpAWMe11BHMN7pu1BZqOGjXaKTPyz2v+KYOZgkY=
+github.com/containerd/containerd v1.7.6 h1:oNAVsnhPoy4BTPQivLgTzI9Oleml9l/+eYIDYXRCYo8=
-github.com/containerd/containerd v1.7.5/go.mod h1:ieJNCSzASw2shSGYLHx8NAE7WsZ/gEigo5fQ78W5Zvw=
+github.com/containerd/containerd v1.7.6/go.mod h1:SY6lrkkuJT40BVNO37tlYTSnKJnP5AXBc0fhx0q+TJ4=
 github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
 github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
 github.com/containerd/continuity v0.0.0-20191127005431-f65d91d395eb/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
@@ -245,18 +247,20 @@ github.com/containernetworking/plugins v0.8.6/go.mod h1:qnw5mN19D8fIwkqW7oHHYDHV
 github.com/containernetworking/plugins v0.9.1/go.mod h1:xP/idU2ldlzN6m4p5LmGiwRDjeJr6FLK6vuiUwoH7P8=
 github.com/containernetworking/plugins v1.3.0 h1:QVNXMT6XloyMUoO2wUOqWTC1hWFV62Q6mVDp5H1HnjM=
 github.com/containernetworking/plugins v1.3.0/go.mod h1:Pc2wcedTQQCVuROOOaLBPPxrEXqqXBFt3cZ+/yVg6l0=
-github.com/containers/buildah v1.31.1-0.20230722114901-5ece066f82c6 h1:K/S8SFQsnnNTF0Ws58SrBD9L0EuClzAG8Zp08d7+6AA=
+github.com/containers/buildah v1.31.1-0.20230914090547-70d8ab94953a h1:2vUJdbZUfOcS0ehO16gEKZ6dPKoM+PEw7CKCdEOsoSc=
-github.com/containers/buildah v1.31.1-0.20230722114901-5ece066f82c6/go.mod h1:0sptTFBBtSznLqoTh80DfvMOCNbdRsNRgVOKhBhrupA=
+github.com/containers/buildah v1.31.1-0.20230914090547-70d8ab94953a/go.mod h1:sN3rA3DbnqekNz3bNdkqWduuirYDuMs54LUCOZOomBE=
-github.com/containers/common v0.55.1-0.20230912125309-7fa3c55bd517 h1:VbCiDKqzPx8N1gyB1vtXKbI0HpX7QaFK9/9d0n4HgU4=
+github.com/containers/common v0.56.0 h1:hysHUsEai1EkMXanU26UV55wMXns/a6AYmaFqJ4fEMY=
-github.com/containers/common v0.55.1-0.20230912125309-7fa3c55bd517/go.mod h1:udRQMEx9cbPslGo/yCKmnBr7NJ6aVrqGOLKLs/c1Lqc=
+github.com/containers/common v0.56.0/go.mod h1:IjaDdfUtcs2CfCcJMZxuut4XlvkTkY9Nlqkso9xCOq4=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
 github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
-github.com/containers/image/v5 v5.27.1-0.20230911141411-81c35e010bab h1:bAK5q9Coo11AMbtK/rojwOssSa+kXqAVhPYlHNmBZPE=
+github.com/containers/image/v5 v5.28.0 h1:H4cWbdI88UA/mDb6SxMo3IxpmS1BSs/Kifvhwt9g048=
-github.com/containers/image/v5 v5.27.1-0.20230911141411-81c35e010bab/go.mod h1:h4O2N9IxSqe/O/ThgOkPk/JaK2j+jhbEM8GhNI5WtbI=
+github.com/containers/image/v5 v5.28.0/go.mod h1:9aPnNkwHNHgGl9VlQxXEshvmOJRbdRAc1rNDD6sP2eU=
 github.com/containers/libhvee v0.4.1-0.20230905135638-56fb23533417 h1:fr+j21PD+IYR6Kvlf2Zrm1x9oAjV12T2Vz3oZIGTusw=
 github.com/containers/libhvee v0.4.1-0.20230905135638-56fb23533417/go.mod h1:HiXu8GZyjzGjU834fROO00Ka/4B1IM8qxy/6q6x1f+4=
 github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA=
 github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
+github.com/containers/luksy v0.0.0-20230808154129-d2d74a56682f h1:/HjLNYkVoUJNT4mm2dzGl63x7nD6YHxxI/k1kR0TkzA=
+github.com/containers/luksy v0.0.0-20230808154129-d2d74a56682f/go.mod h1:hEjwW0sePqkTahMzbzeDsQEXN2zdF2VAccqSj5vb1NY=
 github.com/containers/ocicrypt v1.0.1/go.mod h1:MeJDzk1RJHv89LjsH0Sp5KTY3ZYkjXO/C+bKAeWFIrc=
 github.com/containers/ocicrypt v1.1.0/go.mod h1:b8AOe0YR67uU8OqfVNcznfFpAzu3rdgUV4GP9qXPfu4=
 github.com/containers/ocicrypt v1.1.1/go.mod h1:Dm55fwWm1YZAjYRaJ94z2mfZikIyIN4B0oB3dj3jFxY=
@@ -265,8 +269,8 @@ github.com/containers/ocicrypt v1.1.8/go.mod h1:jM362hyBtbwLMWzXQZTlkjKGAQf/BN/L
 github.com/containers/psgo v1.8.0 h1:2loGekmGAxM9ir5OsXWEfGwFxorMPYnc6gEDsGFQvhY=
 github.com/containers/psgo v1.8.0/go.mod h1:T8ZxnX3Ur4RvnhxFJ7t8xJ1F48RhiZB4rSrOaR/qGHc=
 github.com/containers/storage v1.43.0/go.mod h1:uZ147thiIFGdVTjMmIw19knttQnUCl3y9zjreHrg11s=
-github.com/containers/storage v1.50.0 h1:b46xv6ewEV3KLP3y9fLAZ8x+ZAEaAkkFkZ8FTkY3YPA=
+github.com/containers/storage v1.50.2 h1:Fys4BjFUVNRBEXlO70hFI48VW4EXsgnGisTpk9tTMsE=
-github.com/containers/storage v1.50.0/go.mod h1:XuzgVgTBiVKOREY1AKgY1u4ZMK4+feUGHTcqabFwJ68=
+github.com/containers/storage v1.50.2/go.mod h1:dpspZsUrcKD8SpTofvKWhwPDHD0MkO4Q7VE+oYdWkiA=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-iptables v0.4.5/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU=
@@ -1472,8 +1476,8 @@ google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTp
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
 google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
-google.golang.org/grpc v1.56.2 h1:fVRFRnXvU+x6C4IlHZewvJOVHoOv1TUuQyoRsYnB4bI=
+google.golang.org/grpc v1.57.0 h1:kfzNeI/klCGD2YPMUlaGNT3pxvYfga7smW3Vth8Zsiw=
-google.golang.org/grpc v1.56.2/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s=
+google.golang.org/grpc v1.57.0/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=

hack/golangci-lint.sh

@@ -11,7 +11,7 @@ BUILD_TAGS[tunnel]="${BUILD_TAGS[default]},remote"
 declare -A SKIP_DIRS
 SKIP_DIRS[abi]=""
 # TODO: add "remote" build tag to pkg/api
-SKIP_DIRS[tunnel]="pkg/api"
+SKIP_DIRS[tunnel]="pkg/api,pkg/domain/infra/abi"
 
 [[ $1 == run ]] && shift
 

pkg/api/handlers/compat/images_build.go

@@ -108,6 +108,7 @@ func BuildImage(w http.ResponseWriter, r *http.Request) {
 		Jobs                    int      `schema:"jobs"`
 		LabelOpts               string   `schema:"labelopts"`
 		Labels                  string   `schema:"labels"`
+		LayerLabels             []string `schema:"layerLabel"`
 		Layers                  bool     `schema:"layers"`
 		LogRusage               bool     `schema:"rusage"`
 		Manifest                string   `schema:"manifest"`
@@ -686,6 +687,7 @@ func BuildImage(w http.ResponseWriter, r *http.Request) {
 		Isolation:                      isolation,
 		Jobs:                           &jobs,
 		Labels:                         labels,
+		LayerLabels:                    query.LayerLabels,
 		Layers:                         query.Layers,
 		LogRusage:                      query.LogRusage,
 		Manifest:                       query.Manifest,

pkg/api/server/register_images.go

@@ -1552,6 +1552,12 @@ func (s *APIServer) registerImagesHandlers(r *mux.Router) error {
 	//      JSON map of key, value pairs to set as labels on the new image
 	//      (As of version 1.xx)
 	//  - in: query
+	//    name: layerLabel
+	//    description: Add an intermediate image *label* (e.g. label=*value*) to the intermediate image metadata.
+	//    type: array
+	//    items:
+	//      type: string
+	//  - in: query
 	//    name: layers
 	//    type: boolean
 	//    default: true

pkg/bindings/images/build.go

@@ -217,6 +217,9 @@ func Build(ctx context.Context, containerFiles []string, options entities.BuildO
 		params.Set("apparmor", options.CommonBuildOpts.ApparmorProfile)
 	}
 
+	for _, layerLabel := range options.LayerLabels {
+		params.Add("layerLabel", layerLabel)
+	}
 	if options.Layers {
 		params.Set("layers", "1")
 	}

pkg/checkpoint/checkpoint_restore.go

@@ -1,3 +1,6 @@
+//go:build !remote
+// +build !remote
+
 package checkpoint
 
 import (

pkg/specgen/generate/config_common.go

@@ -1,5 +1,5 @@
-//go:build linux || ignore || freebsd
+//go:build !remote
-// +build linux ignore freebsd
+// +build !remote
 
 package generate
 

pkg/specgen/generate/config_common_test.go

@@ -1,3 +1,6 @@
+//go:build !remote
+// +build !remote
+
 package generate
 
 import (

pkg/specgen/generate/config_freebsd.go

@@ -1,3 +1,6 @@
+//go:build !remote
+// +build !remote
+
 package generate
 
 import (

pkg/specgen/generate/config_linux.go

@@ -1,3 +1,6 @@
+//go:build !remote
+// +build !remote
+
 package generate
 
 import (

pkg/specgen/generate/config_linux_nocgo.go

@@ -1,16 +0,0 @@
-//go:build linux && !cgo
-// +build linux,!cgo
-
-package generate
-
-import (
-	"errors"
-
-	"github.com/containers/common/libimage"
-	"github.com/containers/podman/v4/pkg/specgen"
-	spec "github.com/opencontainers/runtime-spec/specs-go"
-)
-
-func getSeccompConfig(s *specgen.SpecGenerator, configSpec *spec.Spec, img *libimage.Image) (*spec.LinuxSeccomp, error) {
-	return nil, errors.New("not implemented")
-}

pkg/specgen/generate/config_linux_seccomp.go

@@ -1,5 +1,5 @@
-//go:build linux && cgo
+//go:build linux && !remote
-// +build linux,cgo
+// +build linux,!remote
 
 package generate
 

pkg/specgen/generate/config_linux_test.go

@@ -1,3 +1,6 @@
+//go:build !remote
+// +build !remote
+
 package generate
 
 import (

pkg/specgen/generate/container.go

@@ -1,3 +1,6 @@
+//go:build !remote
+// +build !remote
+
 package generate
 
 import (

pkg/specgen/generate/container_create.go

@@ -1,3 +1,6 @@
+//go:build !remote
+// +build !remote
+
 package generate
 
 import (

pkg/specgen/generate/kube/kube.go

@@ -1,3 +1,6 @@
+//go:build !remote
+// +build !remote
+
 package kube
 
 import (

pkg/specgen/generate/kube/kube_test.go

@@ -1,3 +1,6 @@
+//go:build !remote
+// +build !remote
+
 package kube
 
 import (

pkg/specgen/generate/kube/play_test.go

@@ -1,5 +1,5 @@
-//go:build linux
+//go:build linux && !remote
-// +build linux
+// +build linux,!remote
 
 package kube
 

pkg/specgen/generate/kube/seccomp.go

@@ -1,3 +1,6 @@
+//go:build !remote
+// +build !remote
+
 package kube
 
 import (

pkg/specgen/generate/kube/volume.go

@@ -1,3 +1,6 @@
+//go:build !remote
+// +build !remote
+
 package kube
 
 import (

pkg/specgen/generate/namespaces.go

@@ -1,3 +1,6 @@
+//go:build !remote
+// +build !remote
+
 package generate
 
 import (

pkg/specgen/generate/namespaces_freebsd.go

@@ -1,3 +1,6 @@
+//go:build !remote
+// +build !remote
+
 package generate
 
 import (

pkg/specgen/generate/namespaces_linux.go

@@ -1,3 +1,6 @@
+//go:build !remote
+// +build !remote
+
 package generate
 
 import (

pkg/specgen/generate/namespaces_unsupported.go

@@ -1,16 +0,0 @@
-//go:build !linux && !freebsd
-// +build !linux,!freebsd
-
-package generate
-
-import (
-	"errors"
-
-	"github.com/containers/podman/v4/libpod"
-	"github.com/containers/podman/v4/pkg/specgen"
-	"github.com/opencontainers/runtime-tools/generate"
-)
-
-func specConfigureNamespaces(s *specgen.SpecGenerator, g *generate.Generator, rt *libpod.Runtime, pod *libpod.Pod) error {
-	return errors.New("unsupported specConfigureNamespaces")
-}

pkg/specgen/generate/oci.go

@@ -1,3 +1,6 @@
+//go:build !remote
+// +build !remote
+
 package generate
 
 import (

pkg/specgen/generate/oci_freebsd.go

@@ -1,4 +1,5 @@
-//go:build freebsd
+//go:build !remote
+// +build !remote
 
 package generate
 

pkg/specgen/generate/oci_linux.go

@@ -1,3 +1,6 @@
+//go:build !remote
+// +build !remote
+
 package generate
 
 import (

pkg/specgen/generate/oci_unsupported.go

@@ -1,24 +0,0 @@
-//go:build !linux && !freebsd
-// +build !linux,!freebsd
-
-package generate
-
-import (
-	"context"
-	"errors"
-
-	"github.com/containers/common/libimage"
-	"github.com/containers/common/pkg/config"
-	"github.com/containers/podman/v4/libpod"
-	"github.com/containers/podman/v4/pkg/specgen"
-	spec "github.com/opencontainers/runtime-spec/specs-go"
-)
-
-// SpecGenToOCI returns the base configuration for the container.
-func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runtime, rtc *config.Config, newImage *libimage.Image, mounts []spec.Mount, pod *libpod.Pod, finalCmd []string, compatibleOptions *libpod.InfraInherit) (*spec.Spec, error) {
-	return nil, errors.New("unsupported SpecGenToOCI")
-}
-
-func WeightDevices(wtDevices map[string]spec.LinuxWeightDevice) ([]spec.LinuxWeightDevice, error) {
-	return []spec.LinuxWeightDevice{}, errors.New("unsupported WeightDevices")
-}

pkg/specgen/generate/pause_image.go

@@ -1,3 +1,6 @@
+//go:build !remote
+// +build !remote
+
 package generate
 
 import (

pkg/specgen/generate/pod_create.go

@@ -1,3 +1,6 @@
+//go:build !remote
+// +build !remote
+
 package generate
 
 import (

pkg/specgen/generate/pod_create_test.go

@@ -1,3 +1,6 @@
+//go:build !remote
+// +build !remote
+
 package generate
 
 import (

pkg/specgen/generate/ports.go

@@ -1,3 +1,6 @@
+//go:build !remote
+// +build !remote
+
 package generate
 
 import (

pkg/specgen/generate/ports_bench_test.go

@@ -1,3 +1,6 @@
+//go:build !remote
+// +build !remote
+
 package generate
 
 import (

pkg/specgen/generate/ports_test.go

@@ -1,3 +1,6 @@
+//go:build !remote
+// +build !remote
+
 package generate
 
 import (

pkg/specgen/generate/security_freebsd.go

@@ -1,3 +1,6 @@
+//go:build !remote
+// +build !remote
+
 package generate
 
 import (

pkg/specgen/generate/security_linux.go

@@ -1,3 +1,6 @@
+//go:build !remote
+// +build !remote
+
 package generate
 
 import (

pkg/specgen/generate/security_unsupported.go

@@ -1,24 +0,0 @@
-//go:build !linux && !freebsd
-// +build !linux,!freebsd
-
-package generate
-
-import (
-	"errors"
-
-	"github.com/containers/common/libimage"
-	"github.com/containers/common/pkg/config"
-	"github.com/containers/podman/v4/libpod"
-	"github.com/containers/podman/v4/pkg/specgen"
-	"github.com/opencontainers/runtime-tools/generate"
-)
-
-// setLabelOpts sets the label options of the SecurityConfig according to the
-// input.
-func setLabelOpts(s *specgen.SpecGenerator, runtime *libpod.Runtime, pidConfig specgen.Namespace, ipcConfig specgen.Namespace) error {
-	return errors.New("unsupported setLabelOpts")
-}
-
-func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, newImage *libimage.Image, rtc *config.Config) error {
-	return errors.New("unsupported securityConfigureGenerator")
-}

pkg/specgen/generate/storage.go

@@ -1,3 +1,6 @@
+//go:build !remote
+// +build !remote
+
 package generate
 
 import (

pkg/specgen/generate/storage_freebsd.go

@@ -1,3 +1,6 @@
+//go:build !remote
+// +build !remote
+
 package generate
 
 import (

pkg/specgen/generate/storage_linux.go

@@ -1,3 +1,6 @@
+//go:build !remote
+// +build !remote
+
 package generate
 
 import (

pkg/specgen/generate/validate.go

@@ -1,3 +1,6 @@
+//go:build !remote
+// +build !remote
+
 package generate
 
 import (

pkg/specgen/specgen.go

@@ -6,7 +6,6 @@ import (
 	"strings"
 	"syscall"
 
-	"github.com/containers/common/libimage"
 	nettypes "github.com/containers/common/libnetwork/types"
 	"github.com/containers/image/v5/manifest"
 	"github.com/containers/podman/v4/libpod/define"
@@ -570,20 +569,9 @@ type SpecGenerator struct {
 	ContainerResourceConfig
 	ContainerHealthCheckConfig
 
-	image             *libimage.Image `json:"-"`
+	//nolint:unused // this is needed for the local client but golangci-lint
-	resolvedImageName string          `json:"-"`
+	// does not seems to happy when we test the remote stub
-}
+	cacheLibImage
-
-// SetImage sets the associated for the generator.
-func (s *SpecGenerator) SetImage(image *libimage.Image, resolvedImageName string) {
-	s.image = image
-	s.resolvedImageName = resolvedImageName
-}
-
-// Image returns the associated image for the generator.
-// May be nil if no image has been set yet.
-func (s *SpecGenerator) GetImage() (*libimage.Image, string) {
-	return s.image, s.resolvedImageName
 }
 
 func (s *SpecGenerator) IsInitContainer() bool {

pkg/specgen/specgen_local.go

@@ -0,0 +1,23 @@
+//go:build !remote
+// +build !remote
+
+package specgen
+
+import "github.com/containers/common/libimage"
+
+type cacheLibImage struct {
+	image             *libimage.Image `json:"-"`
+	resolvedImageName string          `json:"-"`
+}
+
+// SetImage sets the associated for the generator.
+func (s *SpecGenerator) SetImage(image *libimage.Image, resolvedImageName string) {
+	s.image = image
+	s.resolvedImageName = resolvedImageName
+}
+
+// Image returns the associated image for the generator.
+// May be nil if no image has been set yet.
+func (s *SpecGenerator) GetImage() (*libimage.Image, string) {
+	return s.image, s.resolvedImageName
+}

pkg/specgen/specgen_remote.go

@@ -0,0 +1,10 @@
+//go:build remote
+// +build remote
+
+package specgen
+
+// Empty stub we do not use any libimage on the remote client,
+// this drastically decreases binary size for the remote client.
+//
+//nolint:unused // this is needed for the local client
+type cacheLibImage struct{}

vendor/github.com/Microsoft/go-winio/tools/mkwinsyscall/doc.go

@@ -1,57 +0,0 @@
-/*
-mkwinsyscall generates windows system call bodies
-
-It parses all files specified on command line containing function
-prototypes (like syscall_windows.go) and prints system call bodies
-to standard output.
-
-The prototypes are marked by lines beginning with "//sys" and read
-like func declarations if //sys is replaced by func, but:
-
-  - The parameter lists must give a name for each argument. This
-    includes return parameters.
-
-  - The parameter lists must give a type for each argument:
-    the (x, y, z int) shorthand is not allowed.
-
-  - If the return parameter is an error number, it must be named err.
-
-  - If go func name needs to be different from its winapi dll name,
-    the winapi name could be specified at the end, after "=" sign, like
-
-    //sys LoadLibrary(libname string) (handle uint32, err error) = LoadLibraryA
-
-  - Each function that returns err needs to supply a condition, that
-    return value of winapi will be tested against to detect failure.
-    This would set err to windows "last-error", otherwise it will be nil.
-    The value can be provided at end of //sys declaration, like
-
-    //sys LoadLibrary(libname string) (handle uint32, err error) [failretval==-1] = LoadLibraryA
-
-    and is [failretval==0] by default.
-
-  - If the function name ends in a "?", then the function not existing is non-
-    fatal, and an error will be returned instead of panicking.
-
-Usage:
-
-	mkwinsyscall [flags] [path ...]
-
-Flags
-
-	-output string
-	      Output file name (standard output if omitted).
-	-sort
-	      Sort DLL and function declarations (default true).
-	      Intended to help transition from  older versions of mkwinsyscall by making diffs
-	      easier to read and understand.
-	-systemdll
-	      Whether all DLLs should be loaded from the Windows system directory (default true).
-	-trace
-	      Generate print statement after every syscall.
-	-utf16
-	      Encode string arguments as UTF-16 for syscalls not ending in 'A' or 'W' (default true).
-	-winio
-	      Import this package ("github.com/Microsoft/go-winio").
-*/
-package main

vendor/github.com/Microsoft/hcsshim/.gitignore

@@ -37,6 +37,10 @@ rootfs-conv/*
 deps/*
 out/*
 
+# protobuf files
+# only files at root of the repo, otherwise this will cause issues with vendoring
+/protobuf/*
+
 # test results
 test/results
 

vendor/github.com/Microsoft/hcsshim/.golangci.yml

@@ -21,17 +21,31 @@ linters:
     # - unused
 
     - gofmt # whether code was gofmt-ed
+    - govet # enabled by default, but just to be sure
     - nolintlint # ill-formed or insufficient nolint directives
     - stylecheck # golint replacement
     - thelper #  test helpers without t.Helper()
 
 linters-settings:
+  govet:
+    enable-all: true
+    disable:
+      # struct order is often for Win32 compat
+      # also, ignore pointer bytes/GC issues for now until performance becomes an issue
+      - fieldalignment
+    check-shadowing: true
+
   stylecheck:
     # https://staticcheck.io/docs/checks
     checks: ["all"]
 
 issues:
   exclude-rules:
+    # err is very often shadowed in nested scopes
+    - linters:
+        - govet
+      text: '^shadow: declaration of "err" shadows declaration'
+
     # path is relative to module root, which is ./test/
     - path: cri-containerd
       linters:
@@ -135,3 +149,19 @@ issues:
       linters:
         - stylecheck
       Text: "ST1003:"
+
+    # v0 APIs are deprecated, but still retained for backwards compatability
+    - path: cmd\\ncproxy\\
+      linters:
+        - staticcheck
+      text: "^SA1019: .*(ncproxygrpc|nodenetsvc)[/]?v0"
+
+    - path: internal\\tools\\networkagent
+      linters:
+        - staticcheck
+      text: "^SA1019: .*nodenetsvc[/]?v0"
+
+    - path: internal\\vhdx\\info
+      linters:
+        - stylecheck
+      Text: "ST1003:"

vendor/github.com/Microsoft/hcsshim/Protobuild.toml

@@ -1,48 +1,25 @@
-version = "1"
+version = "2"
-generator = "gogoctrd"
+generators = ["go", "go-grpc"]
-plugins = ["grpc", "fieldpath"]
 
-# Control protoc include paths. Below are usually some good defaults, but feel
+# Control protoc include paths.
-# free to try it without them if it works for your project.
 [includes]
-  # Include paths that will be added before all others. Typically, you want to
-  # treat the root of the project as an include, but this may not be necessary.
   before = ["./protobuf"]
 
-  # Paths that should be treated as include roots in relation to the vendor
+  # defaults are "/usr/local/include" and "/usr/include", which don't exist on Windows.
-  # directory. These will be calculated with the vendor directory nearest the
+  # override defaults to supress errors about non-existant directories.
-  # target package.
+  after = []
-  packages = ["github.com/gogo/protobuf"]
 
-# This section maps protobuf imports to Go packages. These will become
+# This section maps protobuf imports to Go packages.
-# `-M` directives in the call to the go protobuf generator.
 [packages]
-  "gogoproto/gogo.proto" = "github.com/gogo/protobuf/gogoproto"
+  # github.com/containerd/cgroups protofiles still list their go path as "github.com/containerd/cgroups/cgroup1/stats"
-  "google/protobuf/any.proto" = "github.com/gogo/protobuf/types"
+  "github.com/containerd/cgroups/v3/cgroup1/stats/metrics.proto" = "github.com/containerd/cgroups/v3/cgroup1/stats"
-  "google/protobuf/empty.proto" = "github.com/gogo/protobuf/types"
-  "google/protobuf/struct.proto" = "github.com/gogo/protobuf/types"
-  "google/protobuf/descriptor.proto" = "github.com/gogo/protobuf/protoc-gen-gogo/descriptor"
-  "google/protobuf/field_mask.proto" = "github.com/gogo/protobuf/types"
-  "google/protobuf/timestamp.proto" = "github.com/gogo/protobuf/types"
-  "google/protobuf/duration.proto" = "github.com/gogo/protobuf/types"
-  "github/containerd/cgroups/stats/v1/metrics.proto" = "github.com/containerd/cgroups/stats/v1"
 
 [[overrides]]
-prefixes = ["github.com/Microsoft/hcsshim/internal/shimdiag"]
+prefixes = [
-plugins = ["ttrpc"]
+  "github.com/Microsoft/hcsshim/internal/shimdiag",
-
+  "github.com/Microsoft/hcsshim/internal/extendedtask",
-[[overrides]]
+  "github.com/Microsoft/hcsshim/internal/computeagent",
-prefixes = ["github.com/Microsoft/hcsshim/internal/extendedtask"]
+  "github.com/Microsoft/hcsshim/internal/ncproxyttrpc",
-plugins = ["ttrpc"]
+  "github.com/Microsoft/hcsshim/internal/vmservice",
-
+]
-[[overrides]]
+generators = ["go", "go-ttrpc"]
-prefixes = ["github.com/Microsoft/hcsshim/internal/computeagent"]
-plugins = ["ttrpc"]
-
-[[overrides]]
-prefixes = ["github.com/Microsoft/hcsshim/internal/ncproxyttrpc"]
-plugins = ["ttrpc"]
-
-[[overrides]]
-prefixes = ["github.com/Microsoft/hcsshim/internal/vmservice"]
-plugins = ["ttrpc"]

vendor/github.com/Microsoft/hcsshim/computestorage/helpers.go

@@ -16,7 +16,9 @@ import (
 	"github.com/Microsoft/hcsshim/internal/security"
 )
 
-const defaultVHDXBlockSizeInMB = 1
+const (
+	defaultVHDXBlockSizeInMB = 1
+)
 
 // SetupContainerBaseLayer is a helper to setup a containers scratch. It
 // will create and format the vhdx's inside and the size is configurable with the sizeInGB

vendor/github.com/Microsoft/hcsshim/computestorage/storage.go

@@ -11,7 +11,7 @@ import (
 
 //sys hcsImportLayer(layerPath string, sourceFolderPath string, layerData string) (hr error) = computestorage.HcsImportLayer?
 //sys hcsExportLayer(layerPath string, exportFolderPath string, layerData string, options string) (hr error) = computestorage.HcsExportLayer?
-//sys hcsDestroyLayer(layerPath string) (hr error) = computestorage.HcsDestoryLayer?
+//sys hcsDestroyLayer(layerPath string) (hr error) = computestorage.HcsDestroyLayer?
 //sys hcsSetupBaseOSLayer(layerPath string, handle windows.Handle, options string) (hr error) = computestorage.HcsSetupBaseOSLayer?
 //sys hcsInitializeWritableLayer(writableLayerPath string, layerData string, options string) (hr error) = computestorage.HcsInitializeWritableLayer?
 //sys hcsAttachLayerStorageFilter(layerPath string, layerData string) (hr error) = computestorage.HcsAttachLayerStorageFilter?

vendor/github.com/Microsoft/hcsshim/computestorage/zsyscall_windows.go

@@ -43,7 +43,7 @@ var (
 	modcomputestorage = windows.NewLazySystemDLL("computestorage.dll")
 
 	procHcsAttachLayerStorageFilter = modcomputestorage.NewProc("HcsAttachLayerStorageFilter")
-	procHcsDestoryLayer             = modcomputestorage.NewProc("HcsDestoryLayer")
+	procHcsDestroyLayer             = modcomputestorage.NewProc("HcsDestroyLayer")
 	procHcsDetachLayerStorageFilter = modcomputestorage.NewProc("HcsDetachLayerStorageFilter")
 	procHcsExportLayer              = modcomputestorage.NewProc("HcsExportLayer")
 	procHcsFormatWritableLayerVhd   = modcomputestorage.NewProc("HcsFormatWritableLayerVhd")
@@ -93,11 +93,11 @@ func hcsDestroyLayer(layerPath string) (hr error) {
 }
 
 func _hcsDestroyLayer(layerPath *uint16) (hr error) {
-	hr = procHcsDestoryLayer.Find()
+	hr = procHcsDestroyLayer.Find()
 	if hr != nil {
 		return
 	}
-	r0, _, _ := syscall.Syscall(procHcsDestoryLayer.Addr(), 1, uintptr(unsafe.Pointer(layerPath)), 0, 0)
+	r0, _, _ := syscall.Syscall(procHcsDestroyLayer.Addr(), 1, uintptr(unsafe.Pointer(layerPath)), 0, 0)
 	if int32(r0) < 0 {
 		if r0&0x1fff0000 == 0x00070000 {
 			r0 &= 0xffff

vendor/github.com/Microsoft/hcsshim/internal/hcs/schema2/cim_mount.go

@@ -0,0 +1,25 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.5
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+const (
+	CimMountFlagNone         uint32 = 0x0
+	CimMountFlagChildOnly    uint32 = 0x1
+	CimMountFlagEnableDax    uint32 = 0x2
+	CimMountFlagCacheFiles   uint32 = 0x4
+	CimMountFlagCacheRegions uint32 = 0x8
+)
+
+type CimMount struct {
+	ImagePath      string `json:"ImagePath,omitempty"`
+	FileSystemName string `json:"FileSystemName,omitempty"`
+	VolumeGuid     string `json:"VolumeGuid,omitempty"`
+	MountFlags     uint32 `json:"MountFlags,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/hcs/schema2/isolation_settings.go

@@ -17,5 +17,5 @@ type IsolationSettings struct {
 	DebugPort int64  `json:"DebugPort,omitempty"`
 	// Optional data passed by host on isolated virtual machine start
 	LaunchData string `json:"LaunchData,omitempty"`
-	HclEnabled bool   `json:"HclEnabled,omitempty"`
+	HclEnabled *bool  `json:"HclEnabled,omitempty"`
 }

vendor/github.com/Microsoft/hcsshim/internal/hcs/schema2/properties.go

@@ -10,7 +10,7 @@
 package hcsschema
 
 import (
-	v1 "github.com/containerd/cgroups/stats/v1"
+	v1 "github.com/containerd/cgroups/v3/cgroup1/stats"
 )
 
 type Properties struct {

vendor/github.com/Microsoft/hcsshim/internal/jobobject/jobobject.go

@@ -167,7 +167,7 @@ func Create(ctx context.Context, options *Options) (_ *JobObject, err error) {
 //
 // Returns a JobObject structure and an error if there is one.
 func Open(ctx context.Context, options *Options) (_ *JobObject, err error) {
-	if options == nil || (options != nil && options.Name == "") {
+	if options == nil || options.Name == "" {
 		return nil, errors.New("no job object name specified to open")
 	}
 

vendor/github.com/Microsoft/hcsshim/internal/log/format.go

@@ -10,6 +10,9 @@ import (
 	"time"
 
 	"github.com/containerd/containerd/log"
+	"github.com/sirupsen/logrus"
+	"google.golang.org/protobuf/encoding/protojson"
+	"google.golang.org/protobuf/proto"
 )
 
 const TimeFormat = log.RFC3339NanoFixed
@@ -59,25 +62,48 @@ func formatAddr(a net.Addr) string {
 func Format(ctx context.Context, v interface{}) string {
 	b, err := encode(v)
 	if err != nil {
-		G(ctx).WithError(err).Warning("could not format value")
+		// logging errors aren't really warning worthy, and can potentially spam a lot of logs out
+		G(ctx).WithFields(logrus.Fields{
+			logrus.ErrorKey: err,
+			"type":          fmt.Sprintf("%T", v),
+		}).Debug("could not format value")
 		return ""
 	}
 
 	return string(b)
 }
 
-func encode(v interface{}) ([]byte, error) {
+func encode(v interface{}) (_ []byte, err error) {
-	return encodeBuffer(&bytes.Buffer{}, v)
+	if m, ok := v.(proto.Message); ok {
+		// use canonical JSON encoding for protobufs (instead of [encoding/json])
+		// https://protobuf.dev/programming-guides/proto3/#json
+		var b []byte
+		b, err = protojson.MarshalOptions{
+			AllowPartial: true,
+			// protobuf defaults to camel case for JSON encoding; use proto field name instead (snake case)
+			UseProtoNames: true,
+		}.Marshal(m)
+		if err == nil {
+			// the protojson marshaller tries to unmarshal anypb.Any fields, which can
+			// fail for types encoded with "github.com/containerd/typeurl/v2"
+			// we can try creating a dedicated protoregistry.MessageTypeResolver that uses typeurl, but, its
+			// more robust to fall back on json marshalling for errors in general
+			return b, nil
 		}
 
-func encodeBuffer(buf *bytes.Buffer, v interface{}) ([]byte, error) {
+	}
+
+	buf := &bytes.Buffer{}
 	enc := json.NewEncoder(buf)
 	enc.SetEscapeHTML(false)
 	enc.SetIndent("", "")
 
-	if err := enc.Encode(v); err != nil {
+	if jErr := enc.Encode(v); jErr != nil {
-		err = fmt.Errorf("could not marshall %T to JSON for logging: %w", v, err)
+		if err != nil {
-		return nil, err
+			// TODO (go1.20): use multierror via fmt.Errorf("...: %w; ...: %w", ...)
+			return nil, fmt.Errorf("protojson encoding: %v; json encoding: %w", err, jErr)
+		}
+		return nil, fmt.Errorf("json encoding: %w", jErr)
 	}
 
 	// encoder.Encode appends a newline to the end

vendor/github.com/Microsoft/hcsshim/internal/log/scrub.go

@@ -55,7 +55,7 @@ func ScrubProcessParameters(s string) (string, error) {
 	}
 	pp.Environment = map[string]string{_scrubbedReplacement: _scrubbedReplacement}
 
-	b, err := encodeBuffer(bytes.NewBuffer(b[:0]), pp)
+	b, err := encode(pp)
 	if err != nil {
 		return "", err
 	}
@@ -89,11 +89,11 @@ func scrubBridgeCreate(m genMap) error {
 }
 
 func scrubLinuxHostedSystem(m genMap) error {
-	if m, ok := index(m, "OciSpecification"); ok {
+	if m, ok := index(m, "OciSpecification"); ok { //nolint:govet // shadow
 		if _, ok := m["annotations"]; ok {
 			m["annotations"] = map[string]string{_scrubbedReplacement: _scrubbedReplacement}
 		}
-		if m, ok := index(m, "process"); ok {
+		if m, ok := index(m, "process"); ok { //nolint:govet // shadow
 			if _, ok := m["env"]; ok {
 				m["env"] = []string{_scrubbedReplacement}
 				return nil
@@ -113,7 +113,7 @@ func scrubExecuteProcess(m genMap) error {
 	if !isRequestBase(m) {
 		return ErrUnknownType
 	}
-	if m, ok := index(m, "Settings"); ok {
+	if m, ok := index(m, "Settings"); ok { //nolint:govet // shadow
 		if ss, ok := m["ProcessParameters"]; ok {
 			// ProcessParameters is a json encoded struct passed as a regular sting field
 			s, ok := ss.(string)

vendor/github.com/Microsoft/hcsshim/internal/safefile/safeopen.go

@@ -276,7 +276,7 @@ func RemoveAllRelative(path string, root *os.File) error {
 	}
 
 	// It is necessary to use os.Open as Readdirnames does not work with
-	// OpenRelative. This is safe because the above lstatrelative fails
+	// OpenRelative. This is safe because the above LstatRelative fails
 	// if the target is outside the root, and we know this is not a
 	// symlink from the above FILE_ATTRIBUTE_REPARSE_POINT check.
 	fd, err := os.Open(filepath.Join(root.Name(), path))
@@ -293,12 +293,12 @@ func RemoveAllRelative(path string, root *os.File) error {
 	for {
 		names, err1 := fd.Readdirnames(100)
 		for _, name := range names {
-			err1 := RemoveAllRelative(path+string(os.PathSeparator)+name, root)
+			if err2 := RemoveAllRelative(path+string(os.PathSeparator)+name, root); err == nil {
-			if err == nil {
+				err = err2
-				err = err1
 			}
 		}
 		if err1 == io.EOF {
+			// Readdirnames has no more files to return
 			break
 		}
 		// If Readdirnames returned an error, use it.

vendor/github.com/Microsoft/hcsshim/internal/wclayer/baselayerreader.go

@@ -72,8 +72,8 @@ func (r *baseLayerReader) walkUntilCancelled() error {
 		return err
 	}
 
-	utilityVMAbsPath := filepath.Join(r.root, utilityVMPath)
+	utilityVMAbsPath := filepath.Join(r.root, UtilityVMPath)
-	utilityVMFilesAbsPath := filepath.Join(r.root, utilityVMFilesPath)
+	utilityVMFilesAbsPath := filepath.Join(r.root, UtilityVMFilesPath)
 
 	// Ignore a UtilityVM without Files, that's not _really_ a UtiltyVM
 	if _, err = os.Lstat(utilityVMFilesAbsPath); err != nil {

vendor/github.com/Microsoft/hcsshim/internal/wclayer/converttobaselayer.go

@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
-	"syscall"
 
 	"github.com/Microsoft/hcsshim/internal/hcserror"
 	"github.com/Microsoft/hcsshim/internal/longpath"
@@ -37,7 +36,7 @@ func ensureHive(path string, root *os.File) (err error) {
 		return fmt.Errorf("getting path: %w", err)
 	}
 
-	var key syscall.Handle
+	var key winapi.ORHKey
 	err = winapi.ORCreateHive(&key)
 	if err != nil {
 		return fmt.Errorf("creating hive: %w", err)
@@ -72,7 +71,7 @@ func ensureBaseLayer(root *os.File) (hasUtilityVM bool, err error) {
 		}
 	}
 
-	stat, err := safefile.LstatRelative(utilityVMFilesPath, root)
+	stat, err := safefile.LstatRelative(UtilityVMFilesPath, root)
 
 	if os.IsNotExist(err) {
 		return false, nil
@@ -83,7 +82,7 @@ func ensureBaseLayer(root *os.File) (hasUtilityVM bool, err error) {
 	}
 
 	if !stat.Mode().IsDir() {
-		fullPath := filepath.Join(root.Name(), utilityVMFilesPath)
+		fullPath := filepath.Join(root.Name(), UtilityVMFilesPath)
 		return false, errors.Errorf("%s has unexpected file mode %s", fullPath, stat.Mode().String())
 	}
 
@@ -92,7 +91,7 @@ func ensureBaseLayer(root *os.File) (hasUtilityVM bool, err error) {
 	// Just check that this exists as a regular file. If it exists but is not a valid registry hive,
 	// ProcessUtilityVMImage will complain:
 	// "The registry could not read in, or write out, or flush, one of the files that contain the system's image of the registry."
-	bcdPath := filepath.Join(utilityVMFilesPath, bcdRelativePath)
+	bcdPath := filepath.Join(UtilityVMFilesPath, bcdRelativePath)
 
 	stat, err = safefile.LstatRelative(bcdPath, root)
 	if err != nil {
@@ -122,12 +121,12 @@ func convertToBaseLayer(ctx context.Context, root *os.File) error {
 		return nil
 	}
 
-	err = safefile.EnsureNotReparsePointRelative(utilityVMPath, root)
+	err = safefile.EnsureNotReparsePointRelative(UtilityVMPath, root)
 	if err != nil {
 		return err
 	}
 
-	utilityVMPath := filepath.Join(root.Name(), utilityVMPath)
+	utilityVMPath := filepath.Join(root.Name(), UtilityVMPath)
 	return ProcessUtilityVMImage(ctx, utilityVMPath)
 }
 

vendor/github.com/Microsoft/hcsshim/internal/wclayer/legacy.go

@@ -30,9 +30,18 @@ var mutatedUtilityVMFiles = map[string]bool{
 
 const (
 	filesPath           = `Files`
-	hivesPath          = `Hives`
+	HivesPath           = `Hives`
-	utilityVMPath      = `UtilityVM`
+	UtilityVMPath       = `UtilityVM`
-	utilityVMFilesPath = `UtilityVM\Files`
+	UtilityVMFilesPath  = `UtilityVM\Files`
+	RegFilesPath        = `Files\Windows\System32\config`
+	BcdFilePath         = `UtilityVM\Files\EFI\Microsoft\Boot\BCD`
+	BootMgrFilePath     = `UtilityVM\Files\EFI\Microsoft\Boot\bootmgfw.efi`
+	ContainerBaseVhd    = `blank-base.vhdx`
+	ContainerScratchVhd = `blank.vhdx`
+	UtilityVMBaseVhd    = `SystemTemplateBase.vhdx`
+	UtilityVMScratchVhd = `SystemTemplate.vhdx`
+	LayoutFileName      = `layout`
+	UvmBuildFileName    = `uvmbuildversion`
 )
 
 func openFileOrDir(path string, mode uint32, createDisposition uint32) (file *os.File, err error) {
@@ -243,11 +252,11 @@ func (r *legacyLayerReader) Next() (path string, size int64, fileInfo *winio.Fil
 	if !hasPathPrefix(path, filesPath) {
 		size = fe.fi.Size()
 		r.backupReader = winio.NewBackupFileReader(f, false)
-		if path == hivesPath || path == filesPath {
+		if path == HivesPath || path == filesPath {
 			// The Hives directory has a non-deterministic file time because of the
 			// nature of the import process. Use the times from System_Delta.
 			var g *os.File
-			g, err = os.Open(filepath.Join(r.root, hivesPath, `System_Delta`))
+			g, err = os.Open(filepath.Join(r.root, HivesPath, `System_Delta`))
 			if err != nil {
 				return
 			}
@@ -409,7 +418,7 @@ func (w *legacyLayerWriter) CloseRoots() {
 
 func (w *legacyLayerWriter) initUtilityVM() error {
 	if !w.HasUtilityVM {
-		err := safefile.MkdirRelative(utilityVMPath, w.destRoot)
+		err := safefile.MkdirRelative(UtilityVMPath, w.destRoot)
 		if err != nil {
 			return err
 		}
@@ -417,7 +426,7 @@ func (w *legacyLayerWriter) initUtilityVM() error {
 		// clone the utility VM from the parent layer into this layer. Use hard
 		// links to avoid unnecessary copying, since most of the files are
 		// immutable.
-		err = cloneTree(w.parentRoots[0], w.destRoot, utilityVMFilesPath, mutatedUtilityVMFiles)
+		err = cloneTree(w.parentRoots[0], w.destRoot, UtilityVMFilesPath, mutatedUtilityVMFiles)
 		if err != nil {
 			return fmt.Errorf("cloning the parent utility VM image failed: %s", err)
 		}
@@ -592,7 +601,7 @@ func (w *legacyLayerWriter) Add(name string, fileInfo *winio.FileBasicInfo) erro
 		return err
 	}
 
-	if name == utilityVMPath {
+	if name == UtilityVMPath {
 		return w.initUtilityVM()
 	}
 
@@ -601,11 +610,11 @@ func (w *legacyLayerWriter) Add(name string, fileInfo *winio.FileBasicInfo) erro
 	}
 
 	name = filepath.Clean(name)
-	if hasPathPrefix(name, utilityVMPath) {
+	if hasPathPrefix(name, UtilityVMPath) {
 		if !w.HasUtilityVM {
 			return errors.New("missing UtilityVM directory")
 		}
-		if !hasPathPrefix(name, utilityVMFilesPath) && name != utilityVMFilesPath {
+		if !hasPathPrefix(name, UtilityVMFilesPath) && name != UtilityVMFilesPath {
 			return errors.New("invalid UtilityVM layer")
 		}
 		createDisposition := uint32(winapi.FILE_OPEN)
@@ -699,7 +708,7 @@ func (w *legacyLayerWriter) Add(name string, fileInfo *winio.FileBasicInfo) erro
 		return err
 	}
 
-	if hasPathPrefix(name, hivesPath) {
+	if hasPathPrefix(name, HivesPath) {
 		w.backupWriter = winio.NewBackupFileWriter(f, false)
 		w.bufWriter.Reset(w.backupWriter)
 	} else {
@@ -731,14 +740,14 @@ func (w *legacyLayerWriter) AddLink(name string, target string) error {
 		// Look for cross-layer hard link targets in the parent layers, since
 		// nothing is in the destination path yet.
 		roots = w.parentRoots
-	} else if hasPathPrefix(target, utilityVMFilesPath) {
+	} else if hasPathPrefix(target, UtilityVMFilesPath) {
 		// Since the utility VM is fully cloned into the destination path
 		// already, look for cross-layer hard link targets directly in the
 		// destination path.
 		roots = []*os.File{w.destRoot}
 	}
 
-	if roots == nil || (!hasPathPrefix(name, filesPath) && !hasPathPrefix(name, utilityVMFilesPath)) {
+	if roots == nil || (!hasPathPrefix(name, filesPath) && !hasPathPrefix(name, UtilityVMFilesPath)) {
 		return errors.New("invalid hard link in layer")
 	}
 
@@ -777,7 +786,7 @@ func (w *legacyLayerWriter) Remove(name string) error {
 	name = filepath.Clean(name)
 	if hasPathPrefix(name, filesPath) {
 		w.Tombstones = append(w.Tombstones, name)
-	} else if hasPathPrefix(name, utilityVMFilesPath) {
+	} else if hasPathPrefix(name, UtilityVMFilesPath) {
 		err := w.initUtilityVM()
 		if err != nil {
 			return err

vendor/github.com/Microsoft/hcsshim/internal/winapi/cimfs.go

@@ -0,0 +1,45 @@
+package winapi
+
+import (
+	"unsafe"
+
+	"github.com/Microsoft/go-winio/pkg/guid"
+	"golang.org/x/sys/windows"
+)
+
+type g = guid.GUID
+type FsHandle uintptr
+type StreamHandle uintptr
+
+type CimFsFileMetadata struct {
+	Attributes uint32
+	FileSize   int64
+
+	CreationTime   windows.Filetime
+	LastWriteTime  windows.Filetime
+	ChangeTime     windows.Filetime
+	LastAccessTime windows.Filetime
+
+	SecurityDescriptorBuffer unsafe.Pointer
+	SecurityDescriptorSize   uint32
+
+	ReparseDataBuffer unsafe.Pointer
+	ReparseDataSize   uint32
+
+	ExtendedAttributes unsafe.Pointer
+	EACount            uint32
+}
+
+//sys CimMountImage(imagePath string, fsName string, flags uint32, volumeID *g) (hr error) = cimfs.CimMountImage?
+//sys CimDismountImage(volumeID *g) (hr error) = cimfs.CimDismountImage?
+
+//sys CimCreateImage(imagePath string, oldFSName *uint16, newFSName *uint16, cimFSHandle *FsHandle) (hr error) = cimfs.CimCreateImage?
+//sys CimCloseImage(cimFSHandle FsHandle) (hr error) = cimfs.CimCloseImage?
+//sys CimCommitImage(cimFSHandle FsHandle) (hr error) = cimfs.CimCommitImage?
+
+//sys CimCreateFile(cimFSHandle FsHandle, path string, file *CimFsFileMetadata, cimStreamHandle *StreamHandle) (hr error) = cimfs.CimCreateFile?
+//sys CimCloseStream(cimStreamHandle StreamHandle) (hr error) = cimfs.CimCloseStream?
+//sys CimWriteStream(cimStreamHandle StreamHandle, buffer uintptr, bufferSize uint32) (hr error) = cimfs.CimWriteStream?
+//sys CimDeletePath(cimFSHandle FsHandle, path string) (hr error) = cimfs.CimDeletePath?
+//sys CimCreateHardLink(cimFSHandle FsHandle, newPath string, oldPath string) (hr error) = cimfs.CimCreateHardLink?
+//sys CimCreateAlternateStream(cimFSHandle FsHandle, path string, size uint64, cimStreamHandle *StreamHandle) (hr error) = cimfs.CimCreateAlternateStream?

vendor/github.com/Microsoft/hcsshim/internal/winapi/offlinereg.go

@@ -0,0 +1,37 @@
+package winapi
+
+// Offline registry management API
+
+type ORHKey uintptr
+
+type RegType uint32
+
+const (
+	// Registry value types: https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types
+	REG_TYPE_NONE                       RegType = 0
+	REG_TYPE_SZ                         RegType = 1
+	REG_TYPE_EXPAND_SZ                  RegType = 2
+	REG_TYPE_BINARY                     RegType = 3
+	REG_TYPE_DWORD                      RegType = 4
+	REG_TYPE_DWORD_LITTLE_ENDIAN        RegType = 4
+	REG_TYPE_DWORD_BIG_ENDIAN           RegType = 5
+	REG_TYPE_LINK                       RegType = 6
+	REG_TYPE_MULTI_SZ                   RegType = 7
+	REG_TYPE_RESOURCE_LIST              RegType = 8
+	REG_TYPE_FULL_RESOURCE_DESCRIPTOR   RegType = 9
+	REG_TYPE_RESOURCE_REQUIREMENTS_LIST RegType = 10
+	REG_TYPE_QWORD                      RegType = 11
+	REG_TYPE_QWORD_LITTLE_ENDIAN        RegType = 11
+)
+
+//sys ORCreateHive(key *ORHKey) (win32err error) = offreg.ORCreateHive
+//sys ORMergeHives(hiveHandles []ORHKey, result *ORHKey) (win32err error) = offreg.ORMergeHives
+//sys OROpenHive(hivePath string, result *ORHKey) (win32err error) = offreg.OROpenHive
+//sys ORCloseHive(handle ORHKey) (win32err error) = offreg.ORCloseHive
+//sys ORSaveHive(handle ORHKey, hivePath string, osMajorVersion uint32, osMinorVersion uint32) (win32err error) = offreg.ORSaveHive
+//sys OROpenKey(handle ORHKey, subKey string, result *ORHKey) (win32err error) = offreg.OROpenKey
+//sys ORCloseKey(handle ORHKey) (win32err error) = offreg.ORCloseKey
+//sys ORCreateKey(handle ORHKey, subKey string, class uintptr, options uint32, securityDescriptor uintptr, result *ORHKey, disposition *uint32) (win32err error) = offreg.ORCreateKey
+//sys ORDeleteKey(handle ORHKey, subKey string) (win32err error) = offreg.ORDeleteKey
+//sys ORGetValue(handle ORHKey, subKey string, value string, valueType *uint32, data *byte, dataLen *uint32) (win32err error) = offreg.ORGetValue
+//sys ORSetValue(handle ORHKey, valueName string, valueType uint32, data *byte, dataLen uint32) (win32err error) = offreg.ORSetValue

vendor/github.com/Microsoft/hcsshim/internal/winapi/ofreg.go

@@ -1,5 +0,0 @@
-package winapi
-
-//sys ORCreateHive(key *syscall.Handle) (regerrno error) = offreg.ORCreateHive
-//sys ORSaveHive(key syscall.Handle, file string, OsMajorVersion uint32, OsMinorVersion uint32) (regerrno error) = offreg.ORSaveHive
-//sys ORCloseHive(key syscall.Handle) (regerrno error) = offreg.ORCloseHive

vendor/github.com/Microsoft/hcsshim/internal/winapi/utils.go

@@ -80,3 +80,9 @@ func ConvertStringSetToSlice(buf []byte) ([]string, error) {
 	}
 	return nil, errors.New("string set malformed: missing null terminator at end of buffer")
 }
+
+// ParseUtf16LE parses a UTF-16LE byte array into a string (without passing
+// through a uint16 or rune array).
+func ParseUtf16LE(b []byte) string {
+	return windows.UTF16PtrToString((*uint16)(unsafe.Pointer(&b[0])))
+}

vendor/github.com/Microsoft/hcsshim/internal/winapi/zsyscall_windows.go

@@ -43,6 +43,7 @@ var (
 	modadvapi32   = windows.NewLazySystemDLL("advapi32.dll")
 	modbindfltapi = windows.NewLazySystemDLL("bindfltapi.dll")
 	modcfgmgr32   = windows.NewLazySystemDLL("cfgmgr32.dll")
+	modcimfs      = windows.NewLazySystemDLL("cimfs.dll")
 	modiphlpapi   = windows.NewLazySystemDLL("iphlpapi.dll")
 	modkernel32   = windows.NewLazySystemDLL("kernel32.dll")
 	modnetapi32   = windows.NewLazySystemDLL("netapi32.dll")
@@ -55,6 +56,17 @@ var (
 	procCM_Get_Device_ID_ListA                 = modcfgmgr32.NewProc("CM_Get_Device_ID_ListA")
 	procCM_Get_Device_ID_List_SizeA            = modcfgmgr32.NewProc("CM_Get_Device_ID_List_SizeA")
 	procCM_Locate_DevNodeW                     = modcfgmgr32.NewProc("CM_Locate_DevNodeW")
+	procCimCloseImage                          = modcimfs.NewProc("CimCloseImage")
+	procCimCloseStream                         = modcimfs.NewProc("CimCloseStream")
+	procCimCommitImage                         = modcimfs.NewProc("CimCommitImage")
+	procCimCreateAlternateStream               = modcimfs.NewProc("CimCreateAlternateStream")
+	procCimCreateFile                          = modcimfs.NewProc("CimCreateFile")
+	procCimCreateHardLink                      = modcimfs.NewProc("CimCreateHardLink")
+	procCimCreateImage                         = modcimfs.NewProc("CimCreateImage")
+	procCimDeletePath                          = modcimfs.NewProc("CimDeletePath")
+	procCimDismountImage                       = modcimfs.NewProc("CimDismountImage")
+	procCimMountImage                          = modcimfs.NewProc("CimMountImage")
+	procCimWriteStream                         = modcimfs.NewProc("CimWriteStream")
 	procSetJobCompartmentId                    = modiphlpapi.NewProc("SetJobCompartmentId")
 	procClosePseudoConsole                     = modkernel32.NewProc("ClosePseudoConsole")
 	procCopyFileW                              = modkernel32.NewProc("CopyFileW")
@@ -84,8 +96,16 @@ var (
 	procNtSetInformationFile                   = modntdll.NewProc("NtSetInformationFile")
 	procRtlNtStatusToDosError                  = modntdll.NewProc("RtlNtStatusToDosError")
 	procORCloseHive                            = modoffreg.NewProc("ORCloseHive")
+	procORCloseKey                             = modoffreg.NewProc("ORCloseKey")
 	procORCreateHive                           = modoffreg.NewProc("ORCreateHive")
+	procORCreateKey                            = modoffreg.NewProc("ORCreateKey")
+	procORDeleteKey                            = modoffreg.NewProc("ORDeleteKey")
+	procORGetValue                             = modoffreg.NewProc("ORGetValue")
+	procORMergeHives                           = modoffreg.NewProc("ORMergeHives")
+	procOROpenHive                             = modoffreg.NewProc("OROpenHive")
+	procOROpenKey                              = modoffreg.NewProc("OROpenKey")
 	procORSaveHive                             = modoffreg.NewProc("ORSaveHive")
+	procORSetValue                             = modoffreg.NewProc("ORSetValue")
 )
 
 func LogonUser(username *uint16, domain *uint16, password *uint16, logonType uint32, logonProvider uint32, token *windows.Token) (err error) {
@@ -164,6 +184,235 @@ func _CMLocateDevNode(pdnDevInst *uint32, pDeviceID *uint16, uFlags uint32) (hr
 	return
 }
 
+func CimCloseImage(cimFSHandle FsHandle) (hr error) {
+	hr = procCimCloseImage.Find()
+	if hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procCimCloseImage.Addr(), 1, uintptr(cimFSHandle), 0, 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func CimCloseStream(cimStreamHandle StreamHandle) (hr error) {
+	hr = procCimCloseStream.Find()
+	if hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procCimCloseStream.Addr(), 1, uintptr(cimStreamHandle), 0, 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func CimCommitImage(cimFSHandle FsHandle) (hr error) {
+	hr = procCimCommitImage.Find()
+	if hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procCimCommitImage.Addr(), 1, uintptr(cimFSHandle), 0, 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func CimCreateAlternateStream(cimFSHandle FsHandle, path string, size uint64, cimStreamHandle *StreamHandle) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(path)
+	if hr != nil {
+		return
+	}
+	return _CimCreateAlternateStream(cimFSHandle, _p0, size, cimStreamHandle)
+}
+
+func _CimCreateAlternateStream(cimFSHandle FsHandle, path *uint16, size uint64, cimStreamHandle *StreamHandle) (hr error) {
+	hr = procCimCreateAlternateStream.Find()
+	if hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall6(procCimCreateAlternateStream.Addr(), 4, uintptr(cimFSHandle), uintptr(unsafe.Pointer(path)), uintptr(size), uintptr(unsafe.Pointer(cimStreamHandle)), 0, 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func CimCreateFile(cimFSHandle FsHandle, path string, file *CimFsFileMetadata, cimStreamHandle *StreamHandle) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(path)
+	if hr != nil {
+		return
+	}
+	return _CimCreateFile(cimFSHandle, _p0, file, cimStreamHandle)
+}
+
+func _CimCreateFile(cimFSHandle FsHandle, path *uint16, file *CimFsFileMetadata, cimStreamHandle *StreamHandle) (hr error) {
+	hr = procCimCreateFile.Find()
+	if hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall6(procCimCreateFile.Addr(), 4, uintptr(cimFSHandle), uintptr(unsafe.Pointer(path)), uintptr(unsafe.Pointer(file)), uintptr(unsafe.Pointer(cimStreamHandle)), 0, 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func CimCreateHardLink(cimFSHandle FsHandle, newPath string, oldPath string) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(newPath)
+	if hr != nil {
+		return
+	}
+	var _p1 *uint16
+	_p1, hr = syscall.UTF16PtrFromString(oldPath)
+	if hr != nil {
+		return
+	}
+	return _CimCreateHardLink(cimFSHandle, _p0, _p1)
+}
+
+func _CimCreateHardLink(cimFSHandle FsHandle, newPath *uint16, oldPath *uint16) (hr error) {
+	hr = procCimCreateHardLink.Find()
+	if hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procCimCreateHardLink.Addr(), 3, uintptr(cimFSHandle), uintptr(unsafe.Pointer(newPath)), uintptr(unsafe.Pointer(oldPath)))
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func CimCreateImage(imagePath string, oldFSName *uint16, newFSName *uint16, cimFSHandle *FsHandle) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(imagePath)
+	if hr != nil {
+		return
+	}
+	return _CimCreateImage(_p0, oldFSName, newFSName, cimFSHandle)
+}
+
+func _CimCreateImage(imagePath *uint16, oldFSName *uint16, newFSName *uint16, cimFSHandle *FsHandle) (hr error) {
+	hr = procCimCreateImage.Find()
+	if hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall6(procCimCreateImage.Addr(), 4, uintptr(unsafe.Pointer(imagePath)), uintptr(unsafe.Pointer(oldFSName)), uintptr(unsafe.Pointer(newFSName)), uintptr(unsafe.Pointer(cimFSHandle)), 0, 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func CimDeletePath(cimFSHandle FsHandle, path string) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(path)
+	if hr != nil {
+		return
+	}
+	return _CimDeletePath(cimFSHandle, _p0)
+}
+
+func _CimDeletePath(cimFSHandle FsHandle, path *uint16) (hr error) {
+	hr = procCimDeletePath.Find()
+	if hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procCimDeletePath.Addr(), 2, uintptr(cimFSHandle), uintptr(unsafe.Pointer(path)), 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func CimDismountImage(volumeID *g) (hr error) {
+	hr = procCimDismountImage.Find()
+	if hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procCimDismountImage.Addr(), 1, uintptr(unsafe.Pointer(volumeID)), 0, 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func CimMountImage(imagePath string, fsName string, flags uint32, volumeID *g) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(imagePath)
+	if hr != nil {
+		return
+	}
+	var _p1 *uint16
+	_p1, hr = syscall.UTF16PtrFromString(fsName)
+	if hr != nil {
+		return
+	}
+	return _CimMountImage(_p0, _p1, flags, volumeID)
+}
+
+func _CimMountImage(imagePath *uint16, fsName *uint16, flags uint32, volumeID *g) (hr error) {
+	hr = procCimMountImage.Find()
+	if hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall6(procCimMountImage.Addr(), 4, uintptr(unsafe.Pointer(imagePath)), uintptr(unsafe.Pointer(fsName)), uintptr(flags), uintptr(unsafe.Pointer(volumeID)), 0, 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func CimWriteStream(cimStreamHandle StreamHandle, buffer uintptr, bufferSize uint32) (hr error) {
+	hr = procCimWriteStream.Find()
+	if hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procCimWriteStream.Addr(), 3, uintptr(cimStreamHandle), uintptr(buffer), uintptr(bufferSize))
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
 func SetJobCompartmentId(handle windows.Handle, compartmentId uint32) (win32Err error) {
 	r0, _, _ := syscall.Syscall(procSetJobCompartmentId.Addr(), 2, uintptr(handle), uintptr(compartmentId), 0)
 	if r0 != 0 {
@@ -381,35 +630,162 @@ func RtlNtStatusToDosError(status uint32) (winerr error) {
 	return
 }
 
-func ORCloseHive(key syscall.Handle) (regerrno error) {
+func ORCloseHive(handle ORHKey) (win32err error) {
-	r0, _, _ := syscall.Syscall(procORCloseHive.Addr(), 1, uintptr(key), 0, 0)
+	r0, _, _ := syscall.Syscall(procORCloseHive.Addr(), 1, uintptr(handle), 0, 0)
 	if r0 != 0 {
-		regerrno = syscall.Errno(r0)
+		win32err = syscall.Errno(r0)
 	}
 	return
 }
 
-func ORCreateHive(key *syscall.Handle) (regerrno error) {
+func ORCloseKey(handle ORHKey) (win32err error) {
+	r0, _, _ := syscall.Syscall(procORCloseKey.Addr(), 1, uintptr(handle), 0, 0)
+	if r0 != 0 {
+		win32err = syscall.Errno(r0)
+	}
+	return
+}
+
+func ORCreateHive(key *ORHKey) (win32err error) {
 	r0, _, _ := syscall.Syscall(procORCreateHive.Addr(), 1, uintptr(unsafe.Pointer(key)), 0, 0)
 	if r0 != 0 {
-		regerrno = syscall.Errno(r0)
+		win32err = syscall.Errno(r0)
 	}
 	return
 }
 
-func ORSaveHive(key syscall.Handle, file string, OsMajorVersion uint32, OsMinorVersion uint32) (regerrno error) {
+func ORCreateKey(handle ORHKey, subKey string, class uintptr, options uint32, securityDescriptor uintptr, result *ORHKey, disposition *uint32) (win32err error) {
 	var _p0 *uint16
-	_p0, regerrno = syscall.UTF16PtrFromString(file)
+	_p0, win32err = syscall.UTF16PtrFromString(subKey)
-	if regerrno != nil {
+	if win32err != nil {
 		return
 	}
-	return _ORSaveHive(key, _p0, OsMajorVersion, OsMinorVersion)
+	return _ORCreateKey(handle, _p0, class, options, securityDescriptor, result, disposition)
 }
 
-func _ORSaveHive(key syscall.Handle, file *uint16, OsMajorVersion uint32, OsMinorVersion uint32) (regerrno error) {
+func _ORCreateKey(handle ORHKey, subKey *uint16, class uintptr, options uint32, securityDescriptor uintptr, result *ORHKey, disposition *uint32) (win32err error) {
-	r0, _, _ := syscall.Syscall6(procORSaveHive.Addr(), 4, uintptr(key), uintptr(unsafe.Pointer(file)), uintptr(OsMajorVersion), uintptr(OsMinorVersion), 0, 0)
+	r0, _, _ := syscall.Syscall9(procORCreateKey.Addr(), 7, uintptr(handle), uintptr(unsafe.Pointer(subKey)), uintptr(class), uintptr(options), uintptr(securityDescriptor), uintptr(unsafe.Pointer(result)), uintptr(unsafe.Pointer(disposition)), 0, 0)
 	if r0 != 0 {
-		regerrno = syscall.Errno(r0)
+		win32err = syscall.Errno(r0)
+	}
+	return
+}
+
+func ORDeleteKey(handle ORHKey, subKey string) (win32err error) {
+	var _p0 *uint16
+	_p0, win32err = syscall.UTF16PtrFromString(subKey)
+	if win32err != nil {
+		return
+	}
+	return _ORDeleteKey(handle, _p0)
+}
+
+func _ORDeleteKey(handle ORHKey, subKey *uint16) (win32err error) {
+	r0, _, _ := syscall.Syscall(procORDeleteKey.Addr(), 2, uintptr(handle), uintptr(unsafe.Pointer(subKey)), 0)
+	if r0 != 0 {
+		win32err = syscall.Errno(r0)
+	}
+	return
+}
+
+func ORGetValue(handle ORHKey, subKey string, value string, valueType *uint32, data *byte, dataLen *uint32) (win32err error) {
+	var _p0 *uint16
+	_p0, win32err = syscall.UTF16PtrFromString(subKey)
+	if win32err != nil {
+		return
+	}
+	var _p1 *uint16
+	_p1, win32err = syscall.UTF16PtrFromString(value)
+	if win32err != nil {
+		return
+	}
+	return _ORGetValue(handle, _p0, _p1, valueType, data, dataLen)
+}
+
+func _ORGetValue(handle ORHKey, subKey *uint16, value *uint16, valueType *uint32, data *byte, dataLen *uint32) (win32err error) {
+	r0, _, _ := syscall.Syscall6(procORGetValue.Addr(), 6, uintptr(handle), uintptr(unsafe.Pointer(subKey)), uintptr(unsafe.Pointer(value)), uintptr(unsafe.Pointer(valueType)), uintptr(unsafe.Pointer(data)), uintptr(unsafe.Pointer(dataLen)))
+	if r0 != 0 {
+		win32err = syscall.Errno(r0)
+	}
+	return
+}
+
+func ORMergeHives(hiveHandles []ORHKey, result *ORHKey) (win32err error) {
+	var _p0 *ORHKey
+	if len(hiveHandles) > 0 {
+		_p0 = &hiveHandles[0]
+	}
+	r0, _, _ := syscall.Syscall(procORMergeHives.Addr(), 3, uintptr(unsafe.Pointer(_p0)), uintptr(len(hiveHandles)), uintptr(unsafe.Pointer(result)))
+	if r0 != 0 {
+		win32err = syscall.Errno(r0)
+	}
+	return
+}
+
+func OROpenHive(hivePath string, result *ORHKey) (win32err error) {
+	var _p0 *uint16
+	_p0, win32err = syscall.UTF16PtrFromString(hivePath)
+	if win32err != nil {
+		return
+	}
+	return _OROpenHive(_p0, result)
+}
+
+func _OROpenHive(hivePath *uint16, result *ORHKey) (win32err error) {
+	r0, _, _ := syscall.Syscall(procOROpenHive.Addr(), 2, uintptr(unsafe.Pointer(hivePath)), uintptr(unsafe.Pointer(result)), 0)
+	if r0 != 0 {
+		win32err = syscall.Errno(r0)
+	}
+	return
+}
+
+func OROpenKey(handle ORHKey, subKey string, result *ORHKey) (win32err error) {
+	var _p0 *uint16
+	_p0, win32err = syscall.UTF16PtrFromString(subKey)
+	if win32err != nil {
+		return
+	}
+	return _OROpenKey(handle, _p0, result)
+}
+
+func _OROpenKey(handle ORHKey, subKey *uint16, result *ORHKey) (win32err error) {
+	r0, _, _ := syscall.Syscall(procOROpenKey.Addr(), 3, uintptr(handle), uintptr(unsafe.Pointer(subKey)), uintptr(unsafe.Pointer(result)))
+	if r0 != 0 {
+		win32err = syscall.Errno(r0)
+	}
+	return
+}
+
+func ORSaveHive(handle ORHKey, hivePath string, osMajorVersion uint32, osMinorVersion uint32) (win32err error) {
+	var _p0 *uint16
+	_p0, win32err = syscall.UTF16PtrFromString(hivePath)
+	if win32err != nil {
+		return
+	}
+	return _ORSaveHive(handle, _p0, osMajorVersion, osMinorVersion)
+}
+
+func _ORSaveHive(handle ORHKey, hivePath *uint16, osMajorVersion uint32, osMinorVersion uint32) (win32err error) {
+	r0, _, _ := syscall.Syscall6(procORSaveHive.Addr(), 4, uintptr(handle), uintptr(unsafe.Pointer(hivePath)), uintptr(osMajorVersion), uintptr(osMinorVersion), 0, 0)
+	if r0 != 0 {
+		win32err = syscall.Errno(r0)
+	}
+	return
+}
+
+func ORSetValue(handle ORHKey, valueName string, valueType uint32, data *byte, dataLen uint32) (win32err error) {
+	var _p0 *uint16
+	_p0, win32err = syscall.UTF16PtrFromString(valueName)
+	if win32err != nil {
+		return
+	}
+	return _ORSetValue(handle, _p0, valueType, data, dataLen)
+}
+
+func _ORSetValue(handle ORHKey, valueName *uint16, valueType uint32, data *byte, dataLen uint32) (win32err error) {
+	r0, _, _ := syscall.Syscall6(procORSetValue.Addr(), 5, uintptr(handle), uintptr(unsafe.Pointer(valueName)), uintptr(valueType), uintptr(unsafe.Pointer(data)), uintptr(dataLen), 0)
+	if r0 != 0 {
+		win32err = syscall.Errno(r0)
 	}
 	return
 }

vendor/github.com/Microsoft/hcsshim/osversion/osversion_windows.go

@@ -5,6 +5,7 @@ import (
 	"sync"
 
 	"golang.org/x/sys/windows"
+	"golang.org/x/sys/windows/registry"
 )
 
 // OSVersion is a wrapper for Windows version information
@@ -25,16 +26,15 @@ var (
 // The calling application must be manifested to get the correct version information.
 func Get() OSVersion {
 	once.Do(func() {
-		var err error
+		v := *windows.RtlGetVersion()
 		osv = OSVersion{}
-		osv.Version, err = windows.GetVersion()
+		osv.MajorVersion = uint8(v.MajorVersion)
-		if err != nil {
+		osv.MinorVersion = uint8(v.MinorVersion)
-			// GetVersion never fails.
+		osv.Build = uint16(v.BuildNumber)
-			panic(err)
+		// Fill version value so that existing clients don't break
-		}
+		osv.Version = v.BuildNumber << 16
-		osv.MajorVersion = uint8(osv.Version & 0xFF)
+		osv.Version = osv.Version | (uint32(v.MinorVersion) << 8)
-		osv.MinorVersion = uint8(osv.Version >> 8 & 0xFF)
+		osv.Version = osv.Version | v.MajorVersion
-		osv.Build = uint16(osv.Version >> 16)
 	})
 	return osv
 }
@@ -57,3 +57,18 @@ func (osv OSVersion) String() string {
 func (osv OSVersion) ToString() string {
 	return osv.String()
 }
+
+// Running `cmd /c ver` shows something like "10.0.20348.1000". The last component ("1000") is the revision
+// number
+func BuildRevision() (uint32, error) {
+	k, err := registry.OpenKey(registry.LOCAL_MACHINE, `SOFTWARE\Microsoft\Windows NT\CurrentVersion`, registry.QUERY_VALUE)
+	if err != nil {
+		return 0, fmt.Errorf("open `CurrentVersion` registry key: %w", err)
+	}
+	defer k.Close()
+	s, _, err := k.GetIntegerValue("UBR")
+	if err != nil {
+		return 0, fmt.Errorf("read `UBR` from registry: %w", err)
+	}
+	return uint32(s), nil
+}

vendor/github.com/Microsoft/hcsshim/tools.go

@@ -1,5 +0,0 @@
-//go:build tools
-
-package hcsshim
-
-import _ "github.com/Microsoft/go-winio/tools/mkwinsyscall"

vendor/github.com/aead/serpent/.gitignore

@@ -0,0 +1,25 @@
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+
+# Folders
+_obj
+_test
+.vscode
+
+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
+
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe
+*.test
+*.prof

vendor/github.com/aead/serpent/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 Andreas Auernhammer
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

vendor/github.com/aead/serpent/README.md

@@ -0,0 +1,9 @@
+[![Godoc Reference](https://godoc.org/github.com/aead/serpent?status.svg)](https://godoc.org/github.com/aead/serpent)
+
+## The Serpent block cipher
+
+Serpent is a symmetric key block cipher that was a finalist in the Advanced Encryption Standard (AES) contest, 
+where it was ranked second to Rijndael. Serpent was designed by Ross Anderson, Eli Biham, and Lars Knudsen.
+
+### Installation
+Install in your GOPATH: `go get -u github.com/aead/serpent`  

vendor/github.com/aead/serpent/sbox_ref.go

@@ -0,0 +1,316 @@
+// Copyright (c) 2016 Andreas Auernhammer. All rights reserved.
+// Use of this source code is governed by a license that can be
+// found in the LICENSE file.
+
+package serpent
+
+// The linear transformation of serpent
+// This version, tries not to minimize the
+// number of registers, but maximize parallism.
+func linear(v0, v1, v2, v3 *uint32) {
+	t0 := ((*v0 << 13) | (*v0 >> (32 - 13)))
+	t2 := ((*v2 << 3) | (*v2 >> (32 - 3)))
+	t1 := *v1 ^ t0 ^ t2
+	t3 := *v3 ^ t2 ^ (t0 << 3)
+	*v1 = (t1 << 1) | (t1 >> (32 - 1))
+	*v3 = (t3 << 7) | (t3 >> (32 - 7))
+	t0 ^= *v1 ^ *v3
+	t2 ^= *v3 ^ (*v1 << 7)
+	*v0 = (t0 << 5) | (t0 >> (32 - 5))
+	*v2 = (t2 << 22) | (t2 >> (32 - 22))
+}
+
+// The inverse linear transformation of serpent
+// This version, tries not to minimize the
+// number of registers, but maximize parallism.
+func linearInv(v0, v1, v2, v3 *uint32) {
+	t2 := (*v2 >> 22) | (*v2 << (32 - 22))
+	t0 := (*v0 >> 5) | (*v0 << (32 - 5))
+	t2 ^= *v3 ^ (*v1 << 7)
+	t0 ^= *v1 ^ *v3
+	t3 := (*v3 >> 7) | (*v3 << (32 - 7))
+	t1 := (*v1 >> 1) | (*v1 << (32 - 1))
+	*v3 = t3 ^ t2 ^ (t0 << 3)
+	*v1 = t1 ^ t0 ^ t2
+	*v2 = (t2 >> 3) | (t2 << (32 - 3))
+	*v0 = (t0 >> 13) | (t0 << (32 - 13))
+}
+
+// The following functions sb0,sb1, ..., sb7 represent the 8 Serpent S-Boxes.
+// sb0Inv til sb7Inv are the inverse functions (e.g. sb0Inv is the Inverse to sb0
+// and vice versa).
+// The S-Boxes differ from the original Serpent definitions. This is for
+// optimisation. The functions use the Serpent S-Box improvements for (non x86)
+// from Dr. B. R. Gladman and Sam Simpson.
+
+// S-Box 0
+func sb0(r0, r1, r2, r3 *uint32) {
+	t0 := *r0 ^ *r3
+	t1 := *r2 ^ t0
+	t2 := *r1 ^ t1
+	*r3 = (*r0 & *r3) ^ t2
+	t3 := *r0 ^ (*r1 & t0)
+	*r2 = t2 ^ (*r2 | t3)
+	t4 := *r3 & (t1 ^ t3)
+	*r1 = (^t1) ^ t4
+	*r0 = t4 ^ (^t3)
+}
+
+// Inverse S-Box 0
+func sb0Inv(r0, r1, r2, r3 *uint32) {
+	t0 := ^(*r0)
+	t1 := *r0 ^ *r1
+	t2 := *r3 ^ (t0 | t1)
+	t3 := *r2 ^ t2
+	*r2 = t1 ^ t3
+	t4 := t0 ^ (*r3 & t1)
+	*r1 = t2 ^ (*r2 & t4)
+	*r3 = (*r0 & t2) ^ (t3 | *r1)
+	*r0 = *r3 ^ (t3 ^ t4)
+}
+
+// S-Box 1
+func sb1(r0, r1, r2, r3 *uint32) {
+	t0 := *r1 ^ (^(*r0))
+	t1 := *r2 ^ (*r0 | t0)
+	*r2 = *r3 ^ t1
+	t2 := *r1 ^ (*r3 | t0)
+	t3 := t0 ^ *r2
+	*r3 = t3 ^ (t1 & t2)
+	t4 := t1 ^ t2
+	*r1 = *r3 ^ t4
+	*r0 = t1 ^ (t3 & t4)
+}
+
+// Inverse S-Box 1
+func sb1Inv(r0, r1, r2, r3 *uint32) {
+	t0 := *r1 ^ *r3
+	t1 := *r0 ^ (*r1 & t0)
+	t2 := t0 ^ t1
+	*r3 = *r2 ^ t2
+	t3 := *r1 ^ (t0 & t1)
+	t4 := *r3 | t3
+	*r1 = t1 ^ t4
+	t5 := ^(*r1)
+	t6 := *r3 ^ t3
+	*r0 = t5 ^ t6
+	*r2 = t2 ^ (t5 | t6)
+}
+
+// S-Box 2
+func sb2(r0, r1, r2, r3 *uint32) {
+	v0 := *r0 // save r0
+	v3 := *r3 // save r3
+	t0 := ^v0
+	t1 := *r1 ^ v3
+	t2 := *r2 & t0
+	*r0 = t1 ^ t2
+	t3 := *r2 ^ t0
+	t4 := *r2 ^ *r0
+	t5 := *r1 & t4
+	*r3 = t3 ^ t5
+	*r2 = v0 ^ ((v3 | t5) & (*r0 | t3))
+	*r1 = (t1 ^ *r3) ^ (*r2 ^ (v3 | t0))
+}
+
+// Inverse S-Box 2
+func sb2Inv(r0, r1, r2, r3 *uint32) {
+	v0 := *r0 // save r0
+	v3 := *r3 // save r3
+	t0 := *r1 ^ v3
+	t1 := ^t0
+	t2 := v0 ^ *r2
+	t3 := *r2 ^ t0
+	t4 := *r1 & t3
+	*r0 = t2 ^ t4
+	t5 := v0 | t1
+	t6 := v3 ^ t5
+	t7 := t2 | t6
+	*r3 = t0 ^ t7
+	t8 := ^t3
+	t9 := *r0 | *r3
+	*r1 = t8 ^ t9
+	*r2 = (v3 & t8) ^ (t2 ^ t9)
+}
+
+// S-Box 3
+func sb3(r0, r1, r2, r3 *uint32) {
+	v1 := *r1 // save r1
+	v3 := *r3 // save r3
+	t0 := *r0 ^ *r1
+	t1 := *r0 & *r2
+	t2 := *r0 | *r3
+	t3 := *r2 ^ *r3
+	t4 := t0 & t2
+	t5 := t1 | t4
+	*r2 = t3 ^ t5
+	t6 := *r1 ^ t2
+	t7 := t5 ^ t6
+	t8 := t3 & t7
+	*r0 = t0 ^ t8
+	t9 := *r2 & *r0
+	*r1 = t7 ^ t9
+	*r3 = (v1 | v3) ^ (t3 ^ t9)
+}
+
+// Inverse S-Box 3
+func sb3Inv(r0, r1, r2, r3 *uint32) {
+	t0 := *r0 | *r1
+	t1 := *r1 ^ *r2
+	t2 := *r1 & t1
+	t3 := *r0 ^ t2
+	t4 := *r2 ^ t3
+	t5 := *r3 | t3
+	*r0 = t1 ^ t5
+	t6 := t1 | t5
+	t7 := *r3 ^ t6
+	*r2 = t4 ^ t7
+	t8 := t0 ^ t7
+	t9 := *r0 & t8
+	*r3 = t3 ^ t9
+	*r1 = *r3 ^ (*r0 ^ t8)
+}
+
+// S-Box 4
+func sb4(r0, r1, r2, r3 *uint32) {
+	v0 := *r0 // save r0
+	t0 := v0 ^ *r3
+	t1 := *r3 & t0
+	t2 := *r2 ^ t1
+	t3 := *r1 | t2
+	*r3 = t0 ^ t3
+	t4 := ^(*r1)
+	t5 := t0 | t4
+	*r0 = t2 ^ t5
+	t6 := v0 & *r0
+	t7 := t0 ^ t4
+	t8 := t3 & t7
+	*r2 = t6 ^ t8
+	*r1 = (v0 ^ t2) ^ (t7 & *r2)
+}
+
+// Inverse S-Box 4
+func sb4Inv(r0, r1, r2, r3 *uint32) {
+	v3 := *r3 // save r3
+	t0 := *r2 | v3
+	t1 := *r0 & t0
+	t2 := *r1 ^ t1
+	t3 := *r0 & t2
+	t4 := *r2 ^ t3
+	*r1 = v3 ^ t4
+	t5 := ^(*r0)
+	t6 := t4 & *r1
+	*r3 = t2 ^ t6
+	t7 := *r1 | t5
+	t8 := v3 ^ t7
+	*r0 = *r3 ^ t8
+	*r2 = (t2 & t8) ^ (*r1 ^ t5)
+}
+
+// S-Box 5
+func sb5(r0, r1, r2, r3 *uint32) {
+	v1 := *r1 // save r1
+	t0 := ^(*r0)
+	t1 := *r0 ^ v1
+	t2 := *r0 ^ *r3
+	t3 := *r2 ^ t0
+	t4 := t1 | t2
+	*r0 = t3 ^ t4
+	t5 := *r3 & *r0
+	t6 := t1 ^ *r0
+	*r1 = t5 ^ t6
+	t7 := t0 | *r0
+	t8 := t1 | t5
+	t9 := t2 ^ t7
+	*r2 = t8 ^ t9
+	*r3 = (v1 ^ t5) ^ (*r1 & t9)
+}
+
+// Inverse S-Box 5
+func sb5Inv(r0, r1, r2, r3 *uint32) {
+	v0 := *r0 // save r0
+	v1 := *r1 // save r1
+	v3 := *r3 // save r3
+	t0 := ^(*r2)
+	t1 := v1 & t0
+	t2 := v3 ^ t1
+	t3 := v0 & t2
+	t4 := v1 ^ t0
+	*r3 = t3 ^ t4
+	t5 := v1 | *r3
+	t6 := v0 & t5
+	*r1 = t2 ^ t6
+	t7 := v0 | v3
+	t8 := t0 ^ t5
+	*r0 = t7 ^ t8
+	*r2 = (v1 & t7) ^ (t3 | (v0 ^ *r2))
+}
+
+// S-Box 6
+func sb6(r0, r1, r2, r3 *uint32) {
+	t0 := ^(*r0)
+	t1 := *r0 ^ *r3
+	t2 := *r1 ^ t1
+	t3 := t0 | t1
+	t4 := *r2 ^ t3
+	*r1 = *r1 ^ t4
+	t5 := t1 | *r1
+	t6 := *r3 ^ t5
+	t7 := t4 & t6
+	*r2 = t2 ^ t7
+	t8 := t4 ^ t6
+	*r0 = *r2 ^ t8
+	*r3 = (^t4) ^ (t2 & t8)
+}
+
+// Inverse S-Box 6
+func sb6Inv(r0, r1, r2, r3 *uint32) {
+	v1 := *r1 // save r1
+	v3 := *r3 // save r3
+	t0 := ^(*r0)
+	t1 := *r0 ^ v1
+	t2 := *r2 ^ t1
+	t3 := *r2 | t0
+	t4 := v3 ^ t3
+	*r1 = t2 ^ t4
+	t5 := t2 & t4
+	t6 := t1 ^ t5
+	t7 := v1 | t6
+	*r3 = t4 ^ t7
+	t8 := v1 | *r3
+	*r0 = t6 ^ t8
+	*r2 = (v3 & t0) ^ (t2 ^ t8)
+}
+
+// S-Box 7
+func sb7(r0, r1, r2, r3 *uint32) {
+	t0 := *r1 ^ *r2
+	t1 := *r2 & t0
+	t2 := *r3 ^ t1
+	t3 := *r0 ^ t2
+	t4 := *r3 | t0
+	t5 := t3 & t4
+	*r1 = *r1 ^ t5
+	t6 := t2 | *r1
+	t7 := *r0 & t3
+	*r3 = t0 ^ t7
+	t8 := t3 ^ t6
+	t9 := *r3 & t8
+	*r2 = t2 ^ t9
+	*r0 = (^t8) ^ (*r3 & *r2)
+}
+
+// Inverse S-Box 7
+func sb7Inv(r0, r1, r2, r3 *uint32) {
+	v0 := *r0 // save r0
+	v3 := *r3 // save r3
+	t0 := *r2 | (v0 & *r1)
+	t1 := v3 & (v0 | *r1)
+	*r3 = t0 ^ t1
+	t2 := ^v3
+	t3 := *r1 ^ t1
+	t4 := t3 | (*r3 ^ t2)
+	*r1 = v0 ^ t4
+	*r0 = (*r2 ^ t3) ^ (v3 | *r1)
+	*r2 = (t0 ^ *r1) ^ (*r0 ^ (v0 & *r3))
+}

vendor/github.com/aead/serpent/serpent.go

@@ -0,0 +1,119 @@
+// Copyright (c) 2016 Andreas Auernhammer. All rights reserved.
+// Use of this source code is governed by a license that can be
+// found in the LICENSE file.
+
+// Package serpent implements the Serpent block cipher
+// submitted to the AES challenge. Serpent was designed by
+// Ross Anderson, Eli Biham und Lars Knudsen.
+// The block cipher takes a 128, 192 or 256 bit key and
+// has a block size of 128 bit.
+package serpent // import "github.com/aead/serpent"
+
+import (
+	"crypto/cipher"
+	"errors"
+)
+
+// BlockSize is the serpent block size in bytes.
+const BlockSize = 16
+
+const phi = 0x9e3779b9 // The Serpent phi constant (sqrt(5) - 1) * 2**31
+
+var errKeySize = errors.New("invalid key size")
+
+// NewCipher returns a new cipher.Block implementing the serpent block cipher.
+// The key argument must be 128, 192 or 256 bit (16, 24, 32 byte).
+func NewCipher(key []byte) (cipher.Block, error) {
+	if k := len(key); k != 16 && k != 24 && k != 32 {
+		return nil, errKeySize
+	}
+	s := &subkeys{}
+	s.keySchedule(key)
+	return s, nil
+}
+
+// The 132 32 bit subkeys of serpent
+type subkeys [132]uint32
+
+func (s *subkeys) BlockSize() int { return BlockSize }
+
+func (s *subkeys) Encrypt(dst, src []byte) {
+	if len(src) < BlockSize {
+		panic("src buffer to small")
+	}
+	if len(dst) < BlockSize {
+		panic("dst buffer to small")
+	}
+	encryptBlock(dst, src, s)
+}
+
+func (s *subkeys) Decrypt(dst, src []byte) {
+	if len(src) < BlockSize {
+		panic("src buffer to small")
+	}
+	if len(dst) < BlockSize {
+		panic("dst buffer to small")
+	}
+	decryptBlock(dst, src, s)
+}
+
+// The key schedule of serpent.
+func (s *subkeys) keySchedule(key []byte) {
+	var k [16]uint32
+	j := 0
+	for i := 0; i+4 <= len(key); i += 4 {
+		k[j] = uint32(key[i]) | uint32(key[i+1])<<8 | uint32(key[i+2])<<16 | uint32(key[i+3])<<24
+		j++
+	}
+	if j < 8 {
+		k[j] = 1
+	}
+
+	for i := 8; i < 16; i++ {
+		x := k[i-8] ^ k[i-5] ^ k[i-3] ^ k[i-1] ^ phi ^ uint32(i-8)
+		k[i] = (x << 11) | (x >> 21)
+		s[i-8] = k[i]
+	}
+	for i := 8; i < 132; i++ {
+		x := s[i-8] ^ s[i-5] ^ s[i-3] ^ s[i-1] ^ phi ^ uint32(i)
+		s[i] = (x << 11) | (x >> 21)
+	}
+
+	sb3(&s[0], &s[1], &s[2], &s[3])
+	sb2(&s[4], &s[5], &s[6], &s[7])
+	sb1(&s[8], &s[9], &s[10], &s[11])
+	sb0(&s[12], &s[13], &s[14], &s[15])
+	sb7(&s[16], &s[17], &s[18], &s[19])
+	sb6(&s[20], &s[21], &s[22], &s[23])
+	sb5(&s[24], &s[25], &s[26], &s[27])
+	sb4(&s[28], &s[29], &s[30], &s[31])
+
+	sb3(&s[32], &s[33], &s[34], &s[35])
+	sb2(&s[36], &s[37], &s[38], &s[39])
+	sb1(&s[40], &s[41], &s[42], &s[43])
+	sb0(&s[44], &s[45], &s[46], &s[47])
+	sb7(&s[48], &s[49], &s[50], &s[51])
+	sb6(&s[52], &s[53], &s[54], &s[55])
+	sb5(&s[56], &s[57], &s[58], &s[59])
+	sb4(&s[60], &s[61], &s[62], &s[63])
+
+	sb3(&s[64], &s[65], &s[66], &s[67])
+	sb2(&s[68], &s[69], &s[70], &s[71])
+	sb1(&s[72], &s[73], &s[74], &s[75])
+	sb0(&s[76], &s[77], &s[78], &s[79])
+	sb7(&s[80], &s[81], &s[82], &s[83])
+	sb6(&s[84], &s[85], &s[86], &s[87])
+	sb5(&s[88], &s[89], &s[90], &s[91])
+	sb4(&s[92], &s[93], &s[94], &s[95])
+
+	sb3(&s[96], &s[97], &s[98], &s[99])
+	sb2(&s[100], &s[101], &s[102], &s[103])
+	sb1(&s[104], &s[105], &s[106], &s[107])
+	sb0(&s[108], &s[109], &s[110], &s[111])
+	sb7(&s[112], &s[113], &s[114], &s[115])
+	sb6(&s[116], &s[117], &s[118], &s[119])
+	sb5(&s[120], &s[121], &s[122], &s[123])
+	sb4(&s[124], &s[125], &s[126], &s[127])
+
+	sb3(&s[128], &s[129], &s[130], &s[131])
+}

vendor/github.com/aead/serpent/serpent_ref.go

@@ -0,0 +1,276 @@
+// Copyright (c) 2016 Andreas Auernhammer. All rights reserved.
+// Use of this source code is governed by a license that can be
+// found in the LICENSE file.
+
+package serpent
+
+// Encrypts one block with the given 132 sub-keys sk.
+func encryptBlock(dst, src []byte, sk *subkeys) {
+	// Transform the input block to 4 x 32 bit registers
+	r0 := uint32(src[0]) | uint32(src[1])<<8 | uint32(src[2])<<16 | uint32(src[3])<<24
+	r1 := uint32(src[4]) | uint32(src[5])<<8 | uint32(src[6])<<16 | uint32(src[7])<<24
+	r2 := uint32(src[8]) | uint32(src[9])<<8 | uint32(src[10])<<16 | uint32(src[11])<<24
+	r3 := uint32(src[12]) | uint32(src[13])<<8 | uint32(src[14])<<16 | uint32(src[15])<<24
+
+	// Encrypt the block with the 132 sub-keys and 8 S-Boxes
+	r0, r1, r2, r3 = r0^sk[0], r1^sk[1], r2^sk[2], r3^sk[3]
+	sb0(&r0, &r1, &r2, &r3)
+	linear(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[4], r1^sk[5], r2^sk[6], r3^sk[7]
+	sb1(&r0, &r1, &r2, &r3)
+	linear(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[8], r1^sk[9], r2^sk[10], r3^sk[11]
+	sb2(&r0, &r1, &r2, &r3)
+	linear(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[12], r1^sk[13], r2^sk[14], r3^sk[15]
+	sb3(&r0, &r1, &r2, &r3)
+	linear(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[16], r1^sk[17], r2^sk[18], r3^sk[19]
+	sb4(&r0, &r1, &r2, &r3)
+	linear(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[20], r1^sk[21], r2^sk[22], r3^sk[23]
+	sb5(&r0, &r1, &r2, &r3)
+	linear(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[24], r1^sk[25], r2^sk[26], r3^sk[27]
+	sb6(&r0, &r1, &r2, &r3)
+	linear(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[28], r1^sk[29], r2^sk[30], r3^sk[31]
+	sb7(&r0, &r1, &r2, &r3)
+	linear(&r0, &r1, &r2, &r3)
+
+	r0, r1, r2, r3 = r0^sk[32], r1^sk[33], r2^sk[34], r3^sk[35]
+	sb0(&r0, &r1, &r2, &r3)
+	linear(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[36], r1^sk[37], r2^sk[38], r3^sk[39]
+	sb1(&r0, &r1, &r2, &r3)
+	linear(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[40], r1^sk[41], r2^sk[42], r3^sk[43]
+	sb2(&r0, &r1, &r2, &r3)
+	linear(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[44], r1^sk[45], r2^sk[46], r3^sk[47]
+	sb3(&r0, &r1, &r2, &r3)
+	linear(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[48], r1^sk[49], r2^sk[50], r3^sk[51]
+	sb4(&r0, &r1, &r2, &r3)
+	linear(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[52], r1^sk[53], r2^sk[54], r3^sk[55]
+	sb5(&r0, &r1, &r2, &r3)
+	linear(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[56], r1^sk[57], r2^sk[58], r3^sk[59]
+	sb6(&r0, &r1, &r2, &r3)
+	linear(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[60], r1^sk[61], r2^sk[62], r3^sk[63]
+	sb7(&r0, &r1, &r2, &r3)
+	linear(&r0, &r1, &r2, &r3)
+
+	r0, r1, r2, r3 = r0^sk[64], r1^sk[65], r2^sk[66], r3^sk[67]
+	sb0(&r0, &r1, &r2, &r3)
+	linear(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[68], r1^sk[69], r2^sk[70], r3^sk[71]
+	sb1(&r0, &r1, &r2, &r3)
+	linear(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[72], r1^sk[73], r2^sk[74], r3^sk[75]
+	sb2(&r0, &r1, &r2, &r3)
+	linear(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[76], r1^sk[77], r2^sk[78], r3^sk[79]
+	sb3(&r0, &r1, &r2, &r3)
+	linear(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[80], r1^sk[81], r2^sk[82], r3^sk[83]
+	sb4(&r0, &r1, &r2, &r3)
+	linear(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[84], r1^sk[85], r2^sk[86], r3^sk[87]
+	sb5(&r0, &r1, &r2, &r3)
+	linear(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[88], r1^sk[89], r2^sk[90], r3^sk[91]
+	sb6(&r0, &r1, &r2, &r3)
+	linear(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[92], r1^sk[93], r2^sk[94], r3^sk[95]
+	sb7(&r0, &r1, &r2, &r3)
+	linear(&r0, &r1, &r2, &r3)
+
+	r0, r1, r2, r3 = r0^sk[96], r1^sk[97], r2^sk[98], r3^sk[99]
+	sb0(&r0, &r1, &r2, &r3)
+	linear(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[100], r1^sk[101], r2^sk[102], r3^sk[103]
+	sb1(&r0, &r1, &r2, &r3)
+	linear(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[104], r1^sk[105], r2^sk[106], r3^sk[107]
+	sb2(&r0, &r1, &r2, &r3)
+	linear(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[108], r1^sk[109], r2^sk[110], r3^sk[111]
+	sb3(&r0, &r1, &r2, &r3)
+	linear(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[112], r1^sk[113], r2^sk[114], r3^sk[115]
+	sb4(&r0, &r1, &r2, &r3)
+	linear(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[116], r1^sk[117], r2^sk[118], r3^sk[119]
+	sb5(&r0, &r1, &r2, &r3)
+	linear(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[120], r1^sk[121], r2^sk[122], r3^sk[123]
+	sb6(&r0, &r1, &r2, &r3)
+	linear(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[124], r1^sk[125], r2^sk[126], r3^sk[127]
+	sb7(&r0, &r1, &r2, &r3)
+
+	// whitening
+	r0 ^= sk[128]
+	r1 ^= sk[129]
+	r2 ^= sk[130]
+	r3 ^= sk[131]
+
+	// write the encrypted block to the output
+
+	dst[0] = byte(r0)
+	dst[1] = byte(r0 >> 8)
+	dst[2] = byte(r0 >> 16)
+	dst[3] = byte(r0 >> 24)
+	dst[4] = byte(r1)
+	dst[5] = byte(r1 >> 8)
+	dst[6] = byte(r1 >> 16)
+	dst[7] = byte(r1 >> 24)
+	dst[8] = byte(r2)
+	dst[9] = byte(r2 >> 8)
+	dst[10] = byte(r2 >> 16)
+	dst[11] = byte(r2 >> 24)
+	dst[12] = byte(r3)
+	dst[13] = byte(r3 >> 8)
+	dst[14] = byte(r3 >> 16)
+	dst[15] = byte(r3 >> 24)
+}
+
+// Decrypts one block with the given 132 sub-keys sk.
+func decryptBlock(dst, src []byte, sk *subkeys) {
+	// Transform the input block to 4 x 32 bit registers
+	r0 := uint32(src[0]) | uint32(src[1])<<8 | uint32(src[2])<<16 | uint32(src[3])<<24
+	r1 := uint32(src[4]) | uint32(src[5])<<8 | uint32(src[6])<<16 | uint32(src[7])<<24
+	r2 := uint32(src[8]) | uint32(src[9])<<8 | uint32(src[10])<<16 | uint32(src[11])<<24
+	r3 := uint32(src[12]) | uint32(src[13])<<8 | uint32(src[14])<<16 | uint32(src[15])<<24
+
+	// undo whitening
+	r0 ^= sk[128]
+	r1 ^= sk[129]
+	r2 ^= sk[130]
+	r3 ^= sk[131]
+
+	// Decrypt the block with the 132 sub-keys and 8 S-Boxes
+	sb7Inv(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[124], r1^sk[125], r2^sk[126], r3^sk[127]
+	linearInv(&r0, &r1, &r2, &r3)
+	sb6Inv(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[120], r1^sk[121], r2^sk[122], r3^sk[123]
+	linearInv(&r0, &r1, &r2, &r3)
+	sb5Inv(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[116], r1^sk[117], r2^sk[118], r3^sk[119]
+	linearInv(&r0, &r1, &r2, &r3)
+	sb4Inv(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[112], r1^sk[113], r2^sk[114], r3^sk[115]
+	linearInv(&r0, &r1, &r2, &r3)
+	sb3Inv(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[108], r1^sk[109], r2^sk[110], r3^sk[111]
+	linearInv(&r0, &r1, &r2, &r3)
+	sb2Inv(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[104], r1^sk[105], r2^sk[106], r3^sk[107]
+	linearInv(&r0, &r1, &r2, &r3)
+	sb1Inv(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[100], r1^sk[101], r2^sk[102], r3^sk[103]
+	linearInv(&r0, &r1, &r2, &r3)
+	sb0Inv(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[96], r1^sk[97], r2^sk[98], r3^sk[99]
+	linearInv(&r0, &r1, &r2, &r3)
+
+	sb7Inv(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[92], r1^sk[93], r2^sk[94], r3^sk[95]
+	linearInv(&r0, &r1, &r2, &r3)
+	sb6Inv(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[88], r1^sk[89], r2^sk[90], r3^sk[91]
+	linearInv(&r0, &r1, &r2, &r3)
+	sb5Inv(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[84], r1^sk[85], r2^sk[86], r3^sk[87]
+	linearInv(&r0, &r1, &r2, &r3)
+	sb4Inv(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[80], r1^sk[81], r2^sk[82], r3^sk[83]
+	linearInv(&r0, &r1, &r2, &r3)
+	sb3Inv(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[76], r1^sk[77], r2^sk[78], r3^sk[79]
+	linearInv(&r0, &r1, &r2, &r3)
+	sb2Inv(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[72], r1^sk[73], r2^sk[74], r3^sk[75]
+	linearInv(&r0, &r1, &r2, &r3)
+	sb1Inv(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[68], r1^sk[69], r2^sk[70], r3^sk[71]
+	linearInv(&r0, &r1, &r2, &r3)
+	sb0Inv(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[64], r1^sk[65], r2^sk[66], r3^sk[67]
+	linearInv(&r0, &r1, &r2, &r3)
+
+	sb7Inv(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[60], r1^sk[61], r2^sk[62], r3^sk[63]
+	linearInv(&r0, &r1, &r2, &r3)
+	sb6Inv(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[56], r1^sk[57], r2^sk[58], r3^sk[59]
+	linearInv(&r0, &r1, &r2, &r3)
+	sb5Inv(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[52], r1^sk[53], r2^sk[54], r3^sk[55]
+	linearInv(&r0, &r1, &r2, &r3)
+	sb4Inv(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[48], r1^sk[49], r2^sk[50], r3^sk[51]
+	linearInv(&r0, &r1, &r2, &r3)
+	sb3Inv(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[44], r1^sk[45], r2^sk[46], r3^sk[47]
+	linearInv(&r0, &r1, &r2, &r3)
+	sb2Inv(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[40], r1^sk[41], r2^sk[42], r3^sk[43]
+	linearInv(&r0, &r1, &r2, &r3)
+	sb1Inv(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[36], r1^sk[37], r2^sk[38], r3^sk[39]
+	linearInv(&r0, &r1, &r2, &r3)
+	sb0Inv(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[32], r1^sk[33], r2^sk[34], r3^sk[35]
+	linearInv(&r0, &r1, &r2, &r3)
+
+	sb7Inv(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[28], r1^sk[29], r2^sk[30], r3^sk[31]
+	linearInv(&r0, &r1, &r2, &r3)
+	sb6Inv(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[24], r1^sk[25], r2^sk[26], r3^sk[27]
+	linearInv(&r0, &r1, &r2, &r3)
+	sb5Inv(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[20], r1^sk[21], r2^sk[22], r3^sk[23]
+	linearInv(&r0, &r1, &r2, &r3)
+	sb4Inv(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[16], r1^sk[17], r2^sk[18], r3^sk[19]
+	linearInv(&r0, &r1, &r2, &r3)
+	sb3Inv(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[12], r1^sk[13], r2^sk[14], r3^sk[15]
+	linearInv(&r0, &r1, &r2, &r3)
+	sb2Inv(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[8], r1^sk[9], r2^sk[10], r3^sk[11]
+	linearInv(&r0, &r1, &r2, &r3)
+	sb1Inv(&r0, &r1, &r2, &r3)
+	r0, r1, r2, r3 = r0^sk[4], r1^sk[5], r2^sk[6], r3^sk[7]
+	linearInv(&r0, &r1, &r2, &r3)
+	sb0Inv(&r0, &r1, &r2, &r3)
+
+	r0 ^= sk[0]
+	r1 ^= sk[1]
+	r2 ^= sk[2]
+	r3 ^= sk[3]
+
+	// write the decrypted block to the output
+	dst[0] = byte(r0)
+	dst[1] = byte(r0 >> 8)
+	dst[2] = byte(r0 >> 16)
+	dst[3] = byte(r0 >> 24)
+	dst[4] = byte(r1)
+	dst[5] = byte(r1 >> 8)
+	dst[6] = byte(r1 >> 16)
+	dst[7] = byte(r1 >> 24)
+	dst[8] = byte(r2)
+	dst[9] = byte(r2 >> 8)
+	dst[10] = byte(r2 >> 16)
+	dst[11] = byte(r2 >> 24)
+	dst[12] = byte(r3)
+	dst[13] = byte(r3 >> 8)
+	dst[14] = byte(r3 >> 16)
+	dst[15] = byte(r3 >> 24)
+}

vendor/github.com/containerd/cgroups/v3/cgroup1/stats/doc.go

@@ -14,4 +14,4 @@
    limitations under the License.
 */
 
-package v1
+package stats

vendor/github.com/containerd/cgroups/v3/cgroup1/stats/metrics.pb.txt

@@ -1,7 +1,6 @@
 file {
-  name: "github.com/containerd/cgroups/stats/v1/metrics.proto"
+  name: "github.com/containerd/cgroups/cgroup1/stats/metrics.proto"
   package: "io.containerd.cgroups.v1"
-  dependency: "gogoproto/gogo.proto"
   message_type {
     name: "Metrics"
     field {
@@ -26,9 +25,6 @@ file {
       label: LABEL_OPTIONAL
       type: TYPE_MESSAGE
       type_name: ".io.containerd.cgroups.v1.CPUStat"
-      options {
-        65004: "CPU"
-      }
       json_name: "cpu"
     }
     field {
@@ -175,9 +171,6 @@ file {
       number: 4
       label: LABEL_REPEATED
       type: TYPE_UINT64
-      options {
-        65004: "PerCPU"
-      }
       json_name: "perCpu"
     }
   }
@@ -219,9 +212,6 @@ file {
       number: 2
       label: LABEL_OPTIONAL
       type: TYPE_UINT64
-      options {
-        65004: "RSS"
-      }
       json_name: "rss"
     }
     field {
@@ -229,9 +219,6 @@ file {
       number: 3
       label: LABEL_OPTIONAL
       type: TYPE_UINT64
-      options {
-        65004: "RSSHuge"
-      }
       json_name: "rssHuge"
     }
     field {
@@ -344,9 +331,6 @@ file {
       number: 19
       label: LABEL_OPTIONAL
       type: TYPE_UINT64
-      options {
-        65004: "TotalRSS"
-      }
       json_name: "totalRss"
     }
     field {
@@ -354,9 +338,6 @@ file {
       number: 20
       label: LABEL_OPTIONAL
       type: TYPE_UINT64
-      options {
-        65004: "TotalRSSHuge"
-      }
       json_name: "totalRssHuge"
     }
     field {
@@ -473,9 +454,6 @@ file {
       label: LABEL_OPTIONAL
       type: TYPE_MESSAGE
       type_name: ".io.containerd.cgroups.v1.MemoryEntry"
-      options {
-        65004: "KernelTCP"
-      }
       json_name: "kernelTcp"
     }
   }
@@ -786,5 +764,8 @@ file {
       json_name: "nrIoWait"
     }
   }
+  options {
+    go_package: "github.com/containerd/cgroups/cgroup1/stats"
+  }
   syntax: "proto3"
 }

vendor/github.com/containerd/cgroups/v3/cgroup1/stats/metrics.proto

@@ -2,12 +2,12 @@ syntax = "proto3";
 
 package io.containerd.cgroups.v1;
 
-import "gogoproto/gogo.proto";
+option go_package = "github.com/containerd/cgroups/cgroup1/stats";
 
 message Metrics {
 	repeated HugetlbStat hugetlb = 1;
 	PidsStat pids = 2;
-	CPUStat cpu = 3 [(gogoproto.customname) = "CPU"];
+	CPUStat cpu = 3;
 	MemoryStat memory = 4;
 	BlkIOStat blkio = 5;
 	RdmaStat rdma = 6;
@@ -38,7 +38,7 @@ message CPUUsage {
 	uint64 total = 1;
 	uint64 kernel = 2;
 	uint64 user = 3;
-	repeated uint64 per_cpu = 4 [(gogoproto.customname) = "PerCPU"];
+	repeated uint64 per_cpu = 4;
 
 }
 
@@ -50,8 +50,8 @@ message Throttle {
 
 message MemoryStat {
 	uint64 cache = 1;
-	uint64 rss = 2 [(gogoproto.customname) = "RSS"];
+	uint64 rss = 2;
-	uint64 rss_huge = 3 [(gogoproto.customname) = "RSSHuge"];
+	uint64 rss_huge = 3;
 	uint64 mapped_file = 4;
 	uint64 dirty = 5;
 	uint64 writeback = 6;
@@ -67,8 +67,8 @@ message MemoryStat {
 	uint64 hierarchical_memory_limit = 16;
 	uint64 hierarchical_swap_limit = 17;
 	uint64 total_cache = 18;
-	uint64 total_rss = 19 [(gogoproto.customname) = "TotalRSS"];
+	uint64 total_rss = 19;
-	uint64 total_rss_huge = 20 [(gogoproto.customname) = "TotalRSSHuge"];
+	uint64 total_rss_huge = 20;
 	uint64 total_mapped_file = 21;
 	uint64 total_dirty = 22;
 	uint64 total_writeback = 23;
@@ -84,7 +84,7 @@ message MemoryStat {
 	MemoryEntry usage = 33;
 	MemoryEntry swap = 34;
 	MemoryEntry kernel = 35;
-	MemoryEntry kernel_tcp = 36 [(gogoproto.customname) = "KernelTCP"];
+	MemoryEntry kernel_tcp = 36;
 
 }
 

vendor/github.com/containerd/containerd/log/context.go

@@ -44,6 +44,12 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
+// G is a shorthand for [GetLogger].
+//
+// We may want to define this locally to a package to get package tagged log
+// messages.
+var G = GetLogger
+
 // L is an alias for the standard logger.
 var L = &Entry{
 	Logger: logrus.StandardLogger(),
@@ -169,11 +175,6 @@ func WithLogger(ctx context.Context, logger *Entry) context.Context {
 // GetLogger retrieves the current logger from the context. If no logger is
 // available, the default logger is returned.
 func GetLogger(ctx context.Context) *Entry {
-	return G(ctx)
-}
-
-// G is a shorthand for [GetLogger].
-func G(ctx context.Context) *Entry {
 	if logger := ctx.Value(loggerKey{}); logger != nil {
 		return logger.(*Entry)
 	}

vendor/github.com/containerd/containerd/platforms/defaults_windows.go

@@ -22,6 +22,7 @@ import (
 	"strconv"
 	"strings"
 
+	"github.com/Microsoft/hcsshim/osversion"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	"golang.org/x/sys/windows"
 )
@@ -50,15 +51,36 @@ func (m windowsmatcher) Match(p specs.Platform) bool {
 	match := m.defaultMatcher.Match(p)
 
 	if match && m.OS == "windows" {
-		if strings.HasPrefix(p.OSVersion, m.osVersionPrefix) {
+		// HPC containers do not have OS version filled
+		if p.OSVersion == "" {
 			return true
 		}
-		return p.OSVersion == ""
+
+		hostOsVersion := GetOsVersion(m.osVersionPrefix)
+		ctrOsVersion := GetOsVersion(p.OSVersion)
+		return osversion.CheckHostAndContainerCompat(hostOsVersion, ctrOsVersion)
 	}
 
 	return match
 }
 
+func GetOsVersion(osVersionPrefix string) osversion.OSVersion {
+	parts := strings.Split(osVersionPrefix, ".")
+	if len(parts) < 3 {
+		return osversion.OSVersion{}
+	}
+
+	majorVersion, _ := strconv.Atoi(parts[0])
+	minorVersion, _ := strconv.Atoi(parts[1])
+	buildNumber, _ := strconv.Atoi(parts[2])
+
+	return osversion.OSVersion{
+		MajorVersion: uint8(majorVersion),
+		MinorVersion: uint8(minorVersion),
+		Build:        uint16(buildNumber),
+	}
+}
+
 // Less sorts matched platforms in front of other platforms.
 // For matched platforms, it puts platforms with larger revision
 // number in front.

vendor/github.com/containerd/containerd/platforms/platforms.go

@@ -196,6 +196,10 @@ func Parse(specifier string) (specs.Platform, error) {
 				p.Variant = cpuVariant()
 			}
 
+			if p.OS == "windows" {
+				p.OSVersion = GetWindowsOsVersion()
+			}
+
 			return p, nil
 		}
 
@@ -218,6 +222,10 @@ func Parse(specifier string) (specs.Platform, error) {
 			p.Variant = ""
 		}
 
+		if p.OS == "windows" {
+			p.OSVersion = GetWindowsOsVersion()
+		}
+
 		return p, nil
 	case 3:
 		// we have a fully specified variant, this is rare
@@ -227,6 +235,10 @@ func Parse(specifier string) (specs.Platform, error) {
 			p.Variant = "v8"
 		}
 
+		if p.OS == "windows" {
+			p.OSVersion = GetWindowsOsVersion()
+		}
+
 		return p, nil
 	}
 

vendor/github.com/containerd/containerd/platforms/platforms_other.go

@@ -28,3 +28,7 @@ func newDefaultMatcher(platform specs.Platform) Matcher {
 		Platform: Normalize(platform),
 	}
 }
+
+func GetWindowsOsVersion() string {
+	return ""
+}

vendor/github.com/containerd/containerd/platforms/platforms_windows.go

@@ -17,7 +17,10 @@
 package platforms
 
 import (
+	"fmt"
+
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"golang.org/x/sys/windows"
 )
 
 // NewMatcher returns a Windows matcher that will match on osVersionPrefix if
@@ -32,3 +35,8 @@ func newDefaultMatcher(platform specs.Platform) Matcher {
 		},
 	}
 }
+
+func GetWindowsOsVersion() string {
+	major, minor, build := windows.RtlGetNtVersionNumbers()
+	return fmt.Sprintf("%d.%d.%d", major, minor, build)
+}

vendor/github.com/containers/buildah/.cirrus.yml

@@ -32,7 +32,7 @@ env:
     DEBIAN_NAME: "debian-13"
 
     # Image identifiers
-    IMAGE_SUFFIX: "c20230614t132754z-f38f37d13"
+    IMAGE_SUFFIX: "c20230816t191118z-f38f37d13"
     FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
     PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}"
     DEBIAN_CACHE_IMAGE_NAME: "debian-${IMAGE_SUFFIX}"
@@ -112,7 +112,6 @@ smoke_task:
 vendor_task:
     name: "Test Vendoring"
     alias: vendor
-    only_if: &not_multiarch $CIRRUS_CRON != 'multiarch'
 
     env:
         CIRRUS_WORKING_DIR: "/var/tmp/go/src/github.com/containers/buildah"
@@ -137,8 +136,7 @@ cross_build_task:
     name: "Cross Compile"
     alias: cross_build
     only_if: >-
-        $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*' &&
+        $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*'
-        $CIRRUS_CRON != 'multiarch'
 
     osx_instance:
         image: ghcr.io/cirruslabs/macos-ventura-base:latest
@@ -160,8 +158,7 @@ unit_task:
     alias: unit
     only_if: &not_build_docs >-
         $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*' &&
-        $CIRRUS_CHANGE_TITLE !=~ '.*CI:BUILD.*' &&
+        $CIRRUS_CHANGE_TITLE !=~ '.*CI:BUILD.*'
-        $CIRRUS_CRON != 'multiarch'
     depends_on: &smoke_vendor_cross
       - smoke
       - vendor
@@ -322,52 +319,6 @@ in_podman_task:
         <<: *standardlogs
 
 
-image_build_task: &image-build
-    name: "Build multi-arch $FLAVOR"
-    alias: image_build
-    # Some of these container images take > 1h to build, limit
-    # this task to a specific Cirrus-Cron entry with this name.
-    only_if: $CIRRUS_CRON == 'multiarch'
-    depends_on:
-        - smoke
-    timeout_in: 120m  # emulation is sssllllooooowwww
-    gce_instance:
-        <<: *standardvm
-        image_name: build-push-${IMAGE_SUFFIX}
-        # More muscle required for parallel multi-arch build
-        type: "n2-standard-4"
-    matrix:
-        - env:
-            FLAVOR: upstream
-        - env:
-            FLAVOR: testing
-        - env:
-            FLAVOR: stable
-    env:
-        DISTRO_NV: "${FEDORA_NAME}"  # Required for repo cache extraction
-        BUILDAH_USERNAME: ENCRYPTED[70e1d4f026cba5d82fc067944baab10f7c71c64bb6b75fce4eeb5c106694b3bbc8e08f8a1b926d6e03e85cf4e21833bb]
-        BUILDAH_PASSWORD: ENCRYPTED[2dc7f4f623bfc856e1d5030df263b9e48ddab39abacea7a8bc714179c188df15fc0a5bb5d3414a24637d4e39aa51b7b5]
-        CONTAINERS_USERNAME: ENCRYPTED[88cd93c753f78d70e4beb5dbebd4402d682daf45793d7e0fe8b75b358f768e8734aef3f130ffb4ebca9bdea8d220a188]
-        CONTAINERS_PASSWORD: ENCRYPTED[886cf4cc126e50b2fd7f2792235a22bb79e4b81db43f803a6214a38d3fd6c04cd4e64570b562cb32b04e5fbc435404b6]
-    main_script:
-        - source /etc/automation_environment
-        - main.sh $CIRRUS_REPO_CLONE_URL contrib/buildahimage $FLAVOR
-
-
-test_image_build_task:
-    <<: *image-build
-    alias: test_image_build
-    # Allow this to run inside a PR w/ [CI:BUILD] only.
-    only_if: $CIRRUS_PR != '' && $CIRRUS_CHANGE_TITLE =~ '.*CI:BUILD.*'
-    # This takes a LONG time, only run when requested.  N/B: Any task
-    # made to depend on this one will block FOREVER unless triggered.
-    # DO NOT ADD THIS TASK AS DEPENDENCY FOR `success_task`.
-    trigger_type: manual
-    # Overwrite all 'env', don't push anything, just do the build.
-    env:
-        DRYRUN: 1
-
-
 # Status aggregator for all tests.  This task simply ensures a defined
 # set of tasks all passed, and allows confirming that based on the status
 # of this task.
@@ -384,7 +335,6 @@ success_task:
       - cross_build
       - integration
       - in_podman
-      - image_build
 
     container:
         image: "quay.io/libpod/alpine:latest"

vendor/github.com/containers/buildah/.packit.yaml

@@ -2,29 +2,35 @@
 # See the documentation for more information:
 # https://packit.dev/docs/configuration/
 
-# Build targets can be found at:
-# https://copr.fedorainfracloud.org/coprs/rhcontainerbot/packit-builds/
-# and
-# https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/
-
 specfile_path: rpm/buildah.spec
 upstream_tag_template: v{version}
 
-jobs:
-  - &copr
-    job: copr_build
-    trigger: pull_request
-    owner: rhcontainerbot
-    project: packit-builds
-    enable_net: true
 srpm_build_deps:
   - make
 
-  - <<: *copr
+jobs:
+  - job: copr_build
+    trigger: pull_request
+    # keep in sync with https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next
+    enable_net: true
+    targets:
+      - fedora-all-x86_64
+      - fedora-all-aarch64
+      - fedora-eln-x86_64
+      - fedora-eln-aarch64
+      - centos-stream+epel-next-8-x86_64
+      - centos-stream+epel-next-8-aarch64
+      - centos-stream+epel-next-9-x86_64
+      - centos-stream+epel-next-9-aarch64
+    additional_repos:
+      - "copr://rhcontainerbot/podman-next"
+
   # Run on commit to main branch
+  - job: copr_build
     trigger: commit
-    branch: main
+    owner: rhcontainerbot
     project: podman-next
+    enable_net: true
 
   - job: propose_downstream
     trigger: release

vendor/github.com/containers/buildah/Makefile

@@ -39,7 +39,7 @@ LIBSECCOMP_COMMIT := release-2.3
 
 EXTRA_LDFLAGS ?=
 BUILDAH_LDFLAGS := $(GO_LDFLAGS) '-X main.GitCommit=$(GIT_COMMIT) -X main.buildInfo=$(SOURCE_DATE_EPOCH) -X main.cniVersion=$(CNI_COMMIT) $(EXTRA_LDFLAGS)'
-SOURCES=*.go imagebuildah/*.go bind/*.go chroot/*.go copier/*.go define/*.go docker/*.go internal/parse/*.go internal/source/*.go internal/util/*.go manifests/*.go pkg/chrootuser/*.go pkg/cli/*.go pkg/completion/*.go pkg/formats/*.go pkg/overlay/*.go pkg/parse/*.go pkg/rusage/*.go pkg/sshagent/*.go pkg/umask/*.go pkg/util/*.go util/*.go
+SOURCES=*.go imagebuildah/*.go bind/*.go chroot/*.go copier/*.go define/*.go docker/*.go internal/mkcw/*.go internal/mkcw/types/*.go internal/parse/*.go internal/source/*.go internal/util/*.go manifests/*.go pkg/chrootuser/*.go pkg/cli/*.go pkg/completion/*.go pkg/formats/*.go pkg/overlay/*.go pkg/parse/*.go pkg/rusage/*.go pkg/sshagent/*.go pkg/umask/*.go pkg/util/*.go util/*.go
 
 LINTFLAGS ?=
 
@@ -69,14 +69,26 @@ static:
 	mkdir -p ./bin
 	cp -rfp ./result/bin/* ./bin/
 
-bin/buildah: $(SOURCES) cmd/buildah/*.go
+bin/buildah: $(SOURCES) cmd/buildah/*.go internal/mkcw/embed/entrypoint.gz
 	$(GO_BUILD) $(BUILDAH_LDFLAGS) $(GO_GCFLAGS) "$(GOGCFLAGS)" -o $@ $(BUILDFLAGS) ./cmd/buildah
 
+ifneq ($(shell as --version | grep x86_64),)
+internal/mkcw/embed/entrypoint: internal/mkcw/embed/entrypoint.s
+	$(AS) -o $(patsubst %.s,%.o,$^) $^
+	$(LD) -o $@ $(patsubst %.s,%.o,$^)
+	strip $@
+else
+.PHONY: internal/mkcw/embed/entrypoint
+endif
+
+internal/mkcw/embed/entrypoint.gz: internal/mkcw/embed/entrypoint
+	$(RM) $@
+	gzip -k $^
+
 .PHONY: buildah
 buildah: bin/buildah
 
-# TODO: remove `grep -v loong64` from `ALL_CROSS_TARGETS` once go.etcd.io/bbolt 1.3.7 is out.
+ALL_CROSS_TARGETS := $(addprefix bin/buildah.,$(subst /,.,$(shell $(GO) tool dist list)))
-ALL_CROSS_TARGETS := $(addprefix bin/buildah.,$(subst /,.,$(shell $(GO) tool dist list | grep -v loong64)))
 LINUX_CROSS_TARGETS := $(filter bin/buildah.linux.%,$(ALL_CROSS_TARGETS))
 DARWIN_CROSS_TARGETS := $(filter bin/buildah.darwin.%,$(ALL_CROSS_TARGETS))
 WINDOWS_CROSS_TARGETS := $(addsuffix .exe,$(filter bin/buildah.windows.%,$(ALL_CROSS_TARGETS)))

vendor/github.com/containers/buildah/buildah.go

@@ -386,6 +386,11 @@ type ImportFromImageOptions struct {
 	SystemContext *types.SystemContext
 }
 
+// ConfidentialWorkloadOptions encapsulates options which control whether or not
+// we output an image whose rootfs contains a LUKS-compatibly-encrypted disk image
+// instead of the usual rootfs contents.
+type ConfidentialWorkloadOptions = define.ConfidentialWorkloadOptions
+
 // NewBuilder creates a new build container.
 func NewBuilder(ctx context.Context, store storage.Store, options BuilderOptions) (*Builder, error) {
 	if options.CommonBuildOpts == nil {
@@ -433,6 +438,9 @@ func OpenBuilder(store storage.Store, container string) (*Builder, error) {
 	b.store = store
 	b.fixupConfig(nil)
 	b.setupLogger()
+	if b.CommonBuildOpts == nil {
+		b.CommonBuildOpts = &CommonBuildOptions{}
+	}
 	return b, nil
 }
 
@@ -469,6 +477,9 @@ func OpenBuilderByPath(store storage.Store, path string) (*Builder, error) {
 			b.store = store
 			b.fixupConfig(nil)
 			b.setupLogger()
+			if b.CommonBuildOpts == nil {
+				b.CommonBuildOpts = &CommonBuildOptions{}
+			}
 			return b, nil
 		}
 		if err != nil {
@@ -506,6 +517,9 @@ func OpenAllBuilders(store storage.Store) (builders []*Builder, err error) {
 			b.store = store
 			b.setupLogger()
 			b.fixupConfig(nil)
+			if b.CommonBuildOpts == nil {
+				b.CommonBuildOpts = &CommonBuildOptions{}
+			}
 			builders = append(builders, b)
 			continue
 		}

vendor/github.com/containers/buildah/chroot/seccomp.go

@@ -79,9 +79,11 @@ func setSeccomp(spec *specs.Spec) error {
 		case specs.ArchS390X:
 			return libseccomp.ArchS390X
 		case specs.ArchPARISC:
-			/* fallthrough */ /* for now */
+			return libseccomp.ArchPARISC
 		case specs.ArchPARISC64:
-			/* fallthrough */ /* for now */
+			return libseccomp.ArchPARISC64
+		case specs.ArchRISCV64:
+			return libseccomp.ArchRISCV64
 		default:
 			logrus.Errorf("unmappable arch %v", specArch)
 		}

vendor/github.com/containers/buildah/commit.go

@@ -105,6 +105,10 @@ type CommitOptions struct {
 	// integers in the slice represent 0-indexed layer indices, with support for negative
 	// indexing. i.e. 0 is the first layer, -1 is the last (top-most) layer.
 	OciEncryptLayers *[]int
+	// ConfidentialWorkloadOptions is used to force the output image's rootfs to contain a
+	// LUKS-compatibly encrypted disk image (for use with krun) instead of the usual
+	// contents of a rootfs.
+	ConfidentialWorkloadOptions ConfidentialWorkloadOptions
 	// UnsetEnvs is a list of environments to not add to final image.
 	// Deprecated: use UnsetEnv() before committing instead.
 	UnsetEnvs []string

vendor/github.com/containers/buildah/convertcw.go

@@ -0,0 +1,217 @@
+package buildah
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"time"
+
+	"github.com/containers/buildah/define"
+	"github.com/containers/buildah/internal/mkcw"
+	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/types"
+	encconfig "github.com/containers/ocicrypt/config"
+	"github.com/containers/storage"
+	"github.com/containers/storage/pkg/archive"
+	"github.com/opencontainers/go-digest"
+	"github.com/sirupsen/logrus"
+)
+
+// CWConvertImageOptions provides both required and optional bits of
+// configuration for CWConvertImage().
+type CWConvertImageOptions struct {
+	// Required parameters.
+	InputImage string
+
+	// If supplied, we'll tag the resulting image with the specified name.
+	Tag         string
+	OutputImage types.ImageReference
+
+	// If supplied, we'll register the workload with this server.
+	// Practically necessary if DiskEncryptionPassphrase is not set, in
+	// which case we'll generate one and throw it away after.
+	AttestationURL string
+
+	// Used to measure the environment.  If left unset (0), defaults will be applied.
+	CPUs   int
+	Memory int
+
+	// Can be manually set.  If left unset ("", false, nil), reasonable values will be used.
+	TeeType                  define.TeeType
+	IgnoreAttestationErrors  bool
+	WorkloadID               string
+	DiskEncryptionPassphrase string
+	Slop                     string
+	FirmwareLibrary          string
+	BaseImage                string
+	Logger                   *logrus.Logger
+
+	// Passed through to BuilderOptions. Most settings won't make
+	// sense to be made available here because we don't launch a process.
+	ContainerSuffix     string
+	PullPolicy          PullPolicy
+	BlobDirectory       string
+	SignaturePolicyPath string
+	ReportWriter        io.Writer
+	IDMappingOptions    *IDMappingOptions
+	Format              string
+	MaxPullRetries      int
+	PullRetryDelay      time.Duration
+	OciDecryptConfig    *encconfig.DecryptConfig
+	MountLabel          string
+}
+
+// CWConvertImage takes the rootfs and configuration from one image, generates a
+// LUKS-encrypted disk image that more or less includes them both, and puts the
+// result into a new container image.
+// Returns the new image's ID and digest on success, along with a canonical
+// reference for it if a repository name was specified.
+func CWConvertImage(ctx context.Context, systemContext *types.SystemContext, store storage.Store, options CWConvertImageOptions) (string, reference.Canonical, digest.Digest, error) {
+	// Apply our defaults if some options aren't set.
+	logger := options.Logger
+	if logger == nil {
+		logger = logrus.StandardLogger()
+	}
+
+	// Now create the target working container, pulling the base image if
+	// there is one and it isn't present.
+	builderOptions := BuilderOptions{
+		FromImage:     options.BaseImage,
+		SystemContext: systemContext,
+		Logger:        logger,
+
+		ContainerSuffix:     options.ContainerSuffix,
+		PullPolicy:          options.PullPolicy,
+		BlobDirectory:       options.BlobDirectory,
+		SignaturePolicyPath: options.SignaturePolicyPath,
+		ReportWriter:        options.ReportWriter,
+		IDMappingOptions:    options.IDMappingOptions,
+		Format:              options.Format,
+		MaxPullRetries:      options.MaxPullRetries,
+		PullRetryDelay:      options.PullRetryDelay,
+		OciDecryptConfig:    options.OciDecryptConfig,
+		MountLabel:          options.MountLabel,
+	}
+	target, err := NewBuilder(ctx, store, builderOptions)
+	if err != nil {
+		return "", nil, "", fmt.Errorf("creating container from target image: %w", err)
+	}
+	defer func() {
+		if err := target.Delete(); err != nil {
+			logrus.Warnf("deleting target container: %v", err)
+		}
+	}()
+	targetDir, err := target.Mount("")
+	if err != nil {
+		return "", nil, "", fmt.Errorf("mounting target container: %w", err)
+	}
+	defer func() {
+		if err := target.Unmount(); err != nil {
+			logrus.Warnf("unmounting target container: %v", err)
+		}
+	}()
+
+	// Mount the source image, pulling it first if necessary.
+	builderOptions = BuilderOptions{
+		FromImage:     options.InputImage,
+		SystemContext: systemContext,
+		Logger:        logger,
+
+		ContainerSuffix:     options.ContainerSuffix,
+		PullPolicy:          options.PullPolicy,
+		BlobDirectory:       options.BlobDirectory,
+		SignaturePolicyPath: options.SignaturePolicyPath,
+		ReportWriter:        options.ReportWriter,
+		IDMappingOptions:    options.IDMappingOptions,
+		Format:              options.Format,
+		MaxPullRetries:      options.MaxPullRetries,
+		PullRetryDelay:      options.PullRetryDelay,
+		OciDecryptConfig:    options.OciDecryptConfig,
+		MountLabel:          options.MountLabel,
+	}
+	source, err := NewBuilder(ctx, store, builderOptions)
+	if err != nil {
+		return "", nil, "", fmt.Errorf("creating container from source image: %w", err)
+	}
+	defer func() {
+		if err := source.Delete(); err != nil {
+			logrus.Warnf("deleting source container: %v", err)
+		}
+	}()
+	sourceInfo := GetBuildInfo(source)
+	if err != nil {
+		return "", nil, "", fmt.Errorf("retrieving info about source image: %w", err)
+	}
+	sourceImageID := sourceInfo.FromImageID
+	sourceSize, err := store.ImageSize(sourceImageID)
+	if err != nil {
+		return "", nil, "", fmt.Errorf("computing size of source image: %w", err)
+	}
+	sourceDir, err := source.Mount("")
+	if err != nil {
+		return "", nil, "", fmt.Errorf("mounting source container: %w", err)
+	}
+	defer func() {
+		if err := source.Unmount(); err != nil {
+			logrus.Warnf("unmounting source container: %v", err)
+		}
+	}()
+
+	// Generate the image contents.
+	archiveOptions := mkcw.ArchiveOptions{
+		AttestationURL:           options.AttestationURL,
+		CPUs:                     options.CPUs,
+		Memory:                   options.Memory,
+		TempDir:                  targetDir,
+		TeeType:                  options.TeeType,
+		IgnoreAttestationErrors:  options.IgnoreAttestationErrors,
+		ImageSize:                sourceSize,
+		WorkloadID:               options.WorkloadID,
+		DiskEncryptionPassphrase: options.DiskEncryptionPassphrase,
+		Slop:                     options.Slop,
+		FirmwareLibrary:          options.FirmwareLibrary,
+		Logger:                   logger,
+	}
+	rc, workloadConfig, err := mkcw.Archive(sourceDir, &source.OCIv1, archiveOptions)
+	if err != nil {
+		return "", nil, "", fmt.Errorf("generating encrypted image content: %w", err)
+	}
+	if err = archive.Untar(rc, targetDir, &archive.TarOptions{}); err != nil {
+		if err = rc.Close(); err != nil {
+			logger.Warnf("cleaning up: %v", err)
+		}
+		return "", nil, "", fmt.Errorf("saving encrypted image content: %w", err)
+	}
+	if err = rc.Close(); err != nil {
+		return "", nil, "", fmt.Errorf("cleaning up: %w", err)
+	}
+
+	// Commit the image.  Clear out most of the configuration (if there is any — we default
+	// to scratch as a base) so that an engine that doesn't or can't set up a TEE will just
+	// run the static entrypoint.  The rest of the configuration which the runtime consults
+	// is in the .krun_config.json file in the encrypted filesystem.
+	logger.Log(logrus.DebugLevel, "committing disk image")
+	target.ClearAnnotations()
+	target.ClearEnv()
+	target.ClearLabels()
+	target.ClearOnBuild()
+	target.ClearPorts()
+	target.ClearVolumes()
+	target.SetCmd(nil)
+	target.SetCreatedBy(fmt.Sprintf(": convert %q for use with %q", sourceImageID, workloadConfig.Type))
+	target.SetDomainname("")
+	target.SetEntrypoint([]string{"/entrypoint"})
+	target.SetHealthcheck(nil)
+	target.SetHostname("")
+	target.SetMaintainer("")
+	target.SetShell(nil)
+	target.SetUser("")
+	target.SetWorkDir("")
+	commitOptions := CommitOptions{
+		SystemContext: systemContext,
+	}
+	if options.Tag != "" {
+		commitOptions.AdditionalTags = append(commitOptions.AdditionalTags, options.Tag)
+	}
+	return target.Commit(ctx, options.OutputImage, commitOptions)
+}

vendor/github.com/containers/buildah/copier/copier.go

@@ -19,7 +19,6 @@ import (
 	"syscall"
 	"time"
 
-	"github.com/containers/buildah/util"
 	"github.com/containers/image/v5/pkg/compression"
 	"github.com/containers/storage/pkg/archive"
 	"github.com/containers/storage/pkg/fileutils"
@@ -1141,7 +1140,7 @@ func copierHandlerGet(bulkWriter io.Writer, req request, pm *fileutils.PatternMa
 	cb := func() error {
 		tw := tar.NewWriter(bulkWriter)
 		defer tw.Close()
-		hardlinkChecker := new(util.HardlinkChecker)
+		hardlinkChecker := new(hardlinkChecker)
 		itemsCopied := 0
 		for i, item := range queue {
 			// if we're not discarding the names of individual directories, keep track of this one
@@ -1353,7 +1352,7 @@ func handleRename(rename map[string]string, name string) string {
 	return name
 }
 
-func copierHandlerGetOne(srcfi os.FileInfo, symlinkTarget, name, contentPath string, options GetOptions, tw *tar.Writer, hardlinkChecker *util.HardlinkChecker, idMappings *idtools.IDMappings) error {
+func copierHandlerGetOne(srcfi os.FileInfo, symlinkTarget, name, contentPath string, options GetOptions, tw *tar.Writer, hardlinkChecker *hardlinkChecker, idMappings *idtools.IDMappings) error {
 	// build the header using the name provided
 	hdr, err := tar.FileInfoHeader(srcfi, symlinkTarget)
 	if err != nil {

vendor/github.com/containers/buildah/copier/hardlink_not_uint64.go

@@ -1,6 +1,7 @@
+//go:build darwin || (linux && mips) || (linux && mipsle) || (linux && mips64) || (linux && mips64le)
 // +build darwin linux,mips linux,mipsle linux,mips64 linux,mips64le
 
-package util
+package copier
 
 import (
 	"syscall"

vendor/github.com/containers/buildah/copier/hardlink_uint64.go

@@ -1,7 +1,7 @@
 //go:build (linux && !mips && !mipsle && !mips64 && !mips64le) || freebsd
 // +build linux,!mips,!mipsle,!mips64,!mips64le freebsd
 
-package util
+package copier
 
 import (
 	"syscall"