Merge pull request #19951 from Luap99/small-remote

podman-remote debloat: remove libimage dependency

docs/source/markdown/podman-build.1.md.in

@@ -222,6 +222,66 @@ Set additional flags to pass to the C Preprocessor cpp(1). Containerfiles ending
 
 @@option creds
 
+#### **--cw**=*options*
+
+Produce an image suitable for use as a confidential workload running in a
+trusted execution environment (TEE) using krun (i.e., *crun* built with the
+libkrun feature enabled and invoked as *krun*).  Instead of the conventional
+contents, the root filesystem of the image will contain an encrypted disk image
+and configuration information for krun.
+
+The value for *options* is a comma-separated list of key=value pairs, supplying
+configuration information which is needed for producing the additional data
+which will be included in the container image.
+
+Recognized _keys_ are:
+
+*attestation_url*: The location of a key broker / attestation server.
+If a value is specified, the new image's workload ID, along with the passphrase
+used to encrypt the disk image, will be registered with the server, and the
+server's location will be stored in the container image.
+At run-time, krun is expected to contact the server to retrieve the passphrase
+using the workload ID, which is also stored in the container image.
+If no value is specified, a *passphrase* value *must* be specified.
+
+*cpus*: The number of virtual CPUs which the image expects to be run with at
+run-time.  If not specified, a default value will be supplied.
+
+*firmware_library*: The location of the libkrunfw-sev shared library.  If not
+specified, `buildah` checks for its presence in a number of hard-coded
+locations.
+
+*memory*: The amount of memory which the image expects to be run with at
+run-time, as a number of megabytes.  If not specified, a default value will be
+supplied.
+
+*passphrase*: The passphrase to use to encrypt the disk image which will be
+included in the container image.
+If no value is specified, but an *attestation_url* value is specified, a
+randomly-generated passphrase will be used.
+The authors recommend setting an *attestation_url* but not a *passphrase*.
+
+*slop*: Extra space to allocate for the disk image compared to the size of the
+container image's contents, expressed either as a percentage (..%) or a size
+value (bytes, or larger units if suffixes like KB or MB are present), or a sum
+of two or more such specifications.  If not specified, `buildah` guesses that
+25% more space than the contents will be enough, but this option is provided in
+case its guess is wrong.
+
+*type*: The type of trusted execution environment (TEE) which the image should
+be marked for use with.  Accepted values are "SEV" (AMD Secure Encrypted
+Virtualization - Encrypted State) and "SNP" (AMD Secure Encrypted
+Virtualization - Secure Nested Paging).  If not specified, defaults to "SNP".
+
+*workload_id*: A workload identifier which will be recorded in the container
+image, to be used at run-time for retrieving the passphrase which was used to
+encrypt the disk image.  If not specified, a semi-random value will be derived
+from the base image's image ID.
+
+This option is not supported on the remote client, including Mac and Windows
+(excluding WSL2) machines.
+
+
 #### **--decryption-key**=*key[:passphrase]*
 
 The [key[:passphrase]] to be used for decryption of images. Key can point to
@@ -396,6 +456,14 @@ capabilities is a subset of the default list.
 If the specified capabilities are not in the default set, Podman prints an error
 message and runs the container with the default capabilities.
 
+#### **--layer-label**=*label[=value]*
+
+Add an intermediate image *label* (e.g. label=*value*) to the intermediate
+image metadata. It can be used multiple times.
+
+If *label* is named, but neither `=` nor a `value` is provided, then
+the *label* is set to an empty value.
+
 #### **--layers**
 
 Cache intermediate images during the build process (Default is `true`).