From 1ff7c42ed79d78eefdbfe4c384db6cb46ac27e73 Mon Sep 17 00:00:00 2001 From: Kai Lueke Date: Mon, 8 Sep 2025 16:34:39 +0900 Subject: [PATCH 1/2] sys-apps/busybox: Import from Gentoo It's from Gentoo commit 573964683c6f490e3a1ff040ec21c9d3b8d8b154. 
Signed-off-by: Kai Lueke --- .../workflows/portage-stable-packages-list | 1 + .../portage-stable/sys-apps/busybox/Manifest | 1 + .../sys-apps/busybox/busybox-1.36.1-r3.ebuild | 388 ++++++++++++++++++ .../sys-apps/busybox/busybox-9999.ebuild | 386 +++++++++++++++++ .../busybox/files/busybox-1.26.2-bb.patch | 55 +++ .../busybox-1.34.1-skip-selinux-search.patch | 21 + ...sybox-1.36.0-fortify-source-3-fixdep.patch | 32 ++ .../files/busybox-1.36.1-kernel-6.8.patch | 53 +++ ...ybox-1.36.1-skip-dynamic-relocations.patch | 43 ++ .../sys-apps/busybox/files/crond.confd | 2 + .../sys-apps/busybox/files/crond.initd | 12 + .../sys-apps/busybox/files/ginit.c | 124 ++++++ .../sys-apps/busybox/files/klogd.confd | 9 + .../sys-apps/busybox/files/klogd.initd | 11 + .../sys-apps/busybox/files/mdev.initd | 52 +++ .../sys-apps/busybox/files/mdev/dvbdev | 18 + .../sys-apps/busybox/files/mdev/ide_links | 23 ++ .../sys-apps/busybox/files/mdev/usbdev | 62 +++ .../sys-apps/busybox/files/mdev/usbdisk_link | 38 ++ .../sys-apps/busybox/files/ntpd.confd | 6 + .../sys-apps/busybox/files/ntpd.initd | 12 + .../sys-apps/busybox/files/syslogd.confd | 9 + .../sys-apps/busybox/files/syslogd.initd | 12 + .../sys-apps/busybox/files/watchdog.confd | 9 + .../sys-apps/busybox/files/watchdog.initd | 7 + .../sys-apps/busybox/metadata.xml | 19 + 26 files changed, 1405 insertions(+) create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/busybox/Manifest create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/busybox/busybox-1.36.1-r3.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/busybox/busybox-9999.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/busybox-1.26.2-bb.patch create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/busybox-1.34.1-skip-selinux-search.patch create mode 100644 
sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/busybox-1.36.0-fortify-source-3-fixdep.patch create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/busybox-1.36.1-kernel-6.8.patch create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/busybox-1.36.1-skip-dynamic-relocations.patch create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/crond.confd create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/crond.initd create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/ginit.c create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/klogd.confd create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/klogd.initd create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/mdev.initd create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/mdev/dvbdev create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/mdev/ide_links create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/mdev/usbdev create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/mdev/usbdisk_link create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/ntpd.confd create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/ntpd.initd create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/syslogd.confd create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/syslogd.initd create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/watchdog.confd create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/watchdog.initd create mode 100644 
sdk_container/src/third_party/portage-stable/sys-apps/busybox/metadata.xml diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list index 7ea7b64a97..263fc25f23 100644 --- a/.github/workflows/portage-stable-packages-list +++ b/.github/workflows/portage-stable-packages-list @@ -581,6 +581,7 @@ sys-apps/acl sys-apps/attr sys-apps/azure-vm-utils sys-apps/bubblewrap +sys-apps/busybox sys-apps/checkpolicy sys-apps/config-site sys-apps/coreutils diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/busybox/Manifest b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/Manifest new file mode 100644 index 0000000000..903c83e382 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/Manifest @@ -0,0 +1 @@ +DIST busybox-1.36.1.tar.bz2 2525473 BLAKE2B e515825cb3ab1c520e16b9c2512e9fc72947366a72a0466bff59b507fdffbc78fc9d16b44a26116175fc7a429d849ad944b1bc379d36c6d3a0eb20969997336e SHA512 8c0c754c9ae04b5e6b23596283a7d3a4ef96225fe179f92d6f6a99c69c0caa95b1aa56c267f52d7c807f6cc69e1f0b7dd29a8ac624098f601738f8c0c57980d4 diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/busybox/busybox-1.36.1-r3.ebuild b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/busybox-1.36.1-r3.ebuild new file mode 100644 index 0000000000..a3a784ee22 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/busybox-1.36.1-r3.ebuild 
@@ -0,0 +1,388 @@ +# Copyright 1999-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +# See `man savedconfig.eclass` for info on how to use USE=savedconfig. + +EAPI=8 + +inherit eapi9-ver flag-o-matic readme.gentoo-r1 savedconfig toolchain-funcs + +DESCRIPTION="Utilities for rescue and embedded systems" +HOMEPAGE="https://www.busybox.net/" +if [[ ${PV} == "9999" ]] ; then + MY_P="${P}" + EGIT_REPO_URI="https://git.busybox.net/busybox" + inherit git-r3 +else + MY_P="${PN}-${PV/_/-}" + SRC_URI="https://www.busybox.net/downloads/${MY_P}.tar.bz2" + KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux" +fi +S="${WORKDIR}/${MY_P}" + +LICENSE="GPL-2" # GPL-2 only +SLOT="0" +IUSE="debug livecd make-symlinks math mdev pam selinux sep-usr static syslog systemd" +REQUIRED_USE="pam? ( !static )" +RESTRICT="test" + +# TODO: Could make pkgconfig conditional on selinux? bug #782829 +RDEPEND=" + !static? ( + virtual/libc + virtual/libcrypt:= + selinux? ( sys-libs/libselinux ) + ) + pam? ( sys-libs/pam ) +" +DEPEND="${RDEPEND} + static? ( + virtual/libcrypt[static-libs] + selinux? ( sys-libs/libselinux[static-libs(+)] ) + ) + sys-kernel/linux-headers" +BDEPEND="virtual/pkgconfig" + +DISABLE_AUTOFORMATTING=yes +DOC_CONTENTS=' +If you want a smaller executable, add `-Oz` to your busybox `CFLAGS`.' 
+ +busybox_config_option() { + local flag=$1 ; shift + if [[ ${flag} != [yn] && ${flag} != \"* ]] ; then + busybox_config_option $(usex ${flag} y n) "$@" + return + fi + local expr + while [[ $# -gt 0 ]] ; do + case ${flag} in + y) expr="s:.*\.*set:CONFIG_$1=y:g" ;; + n) expr="s:CONFIG_$1=y:# CONFIG_$1 is not set:g" ;; + *) expr="s:.*\.*:CONFIG_$1=${flag}:g" ;; + esac + sed -i -e "${expr}" .config || die + einfo "$(grep "CONFIG_$1[= ]" .config || echo "Could not find CONFIG_$1 ...")" + shift + done +} + +busybox_config_enabled() { + local val=$(sed -n "/^CONFIG_$1=/s:^[^=]*=::p" .config) + case ${val} in + "") return 1 ;; + y) return 0 ;; + *) echo "${val}" | sed -r 's:^"(.*)"$:\1:' ;; + esac +} + +# patches go here! +PATCHES=( + "${FILESDIR}"/${PN}-1.26.2-bb.patch + "${FILESDIR}"/${PN}-1.34.1-skip-selinux-search.patch + + "${FILESDIR}"/${PN}-1.36.0-fortify-source-3-fixdep.patch + "${FILESDIR}"/${PN}-1.36.1-kernel-6.8.patch + + "${FILESDIR}"/${PN}-1.36.1-skip-dynamic-relocations.patch + + # "${FILESDIR}"/${P}-*.patch +) + +src_prepare() { + default + + cp "${FILESDIR}"/ginit.c init/ || die + + # flag cleanup + sed -i -r \ + -e 's:[[:space:]]?-(Werror|Os|Oz|falign-(functions|jumps|loops|labels)=1|fomit-frame-pointer)\>::g' \ + Makefile.flags || die + sed -i \ + -e 's:-static-libgcc::' \ + Makefile.flags || die + + # Print all link lines too + sed -i -e 's:debug=false:debug=true:' scripts/trylink || die +} + +bbmake() { + local args=( + V=1 + CROSS_COMPILE="${CHOST}-" + AR="${AR}" + CC="${CC}" + HOSTCC="${BUILD_CC}" + HOSTCFLAGS="${BUILD_CFLAGS}" + PKG_CONFIG="${PKG_CONFIG}" + ) + emake "${args[@]}" "$@" +} + +src_configure() { + unset KBUILD_OUTPUT #88088 + export SKIP_STRIP=y + + tc-export AR CC BUILD_CC PKG_CONFIG + + tc-is-cross-compiler || BUILD_CFLAGS=${CFLAGS} + BUILD_CFLAGS+=" -D_FILE_OFFSET_BITS=64" #930513 + + append-flags -fno-strict-aliasing #310413 + use ppc64 && append-flags -mminimal-toc #130943 + + # check for a busybox config before making one of our 
own. + # if one exist lets return and use it. + + restore_config .config + if [ -f .config ]; then + yes "" | bbmake -j1 oldconfig + return 0 + else + ewarn "Could not locate user configfile, so we will save a default one" + fi + + # setting SKIP_SELINUX skips searching for selinux at this stage. We don't + # need to search now in case we end up not needing it after all. + # setup the config file + bbmake -j1 allyesconfig SKIP_SELINUX=$(usex selinux n y) #620918 + # nommu forces a bunch of things off which we want on #387555 + busybox_config_option n NOMMU + sed -i '/^#/d' .config + yes "" | bbmake -j1 oldconfig SKIP_SELINUX=$(usex selinux n y) #620918 + + # now turn off stuff we really don't want + busybox_config_option n DMALLOC + busybox_config_option n FEATURE_2_4_MODULES #607548 + busybox_config_option n FEATURE_SUID_CONFIG + busybox_config_option n BUILD_AT_ONCE + busybox_config_option n BUILD_LIBBUSYBOX + busybox_config_option n FEATURE_CLEAN_UP + busybox_config_option n MONOTONIC_SYSCALL + busybox_config_option n USE_PORTABLE_CODE + busybox_config_option n WERROR + # CONFIG_MODPROBE_SMALL=y disables depmod.c and uses a smaller one that + # does not support -b. Setting this to no creates slightly larger and + # slightly more useful modutils + busybox_config_option n MODPROBE_SMALL #472464 + # triming the BSS size may be dangerous + busybox_config_option n FEATURE_USE_BSS_TAIL + + # These cause trouble with musl. + if use elibc_musl; then + busybox_config_option n FEATURE_UTMP + busybox_config_option n EXTRA_COMPAT + busybox_config_option n FEATURE_VI_REGEX_SEARCH + fi + + # Disable standalone shell mode when using make-symlinks, else Busybox calls its + # applets by default without looking up in PATH. + # This also enables users to disable a builtin by deleting the corresponding symlink. 
+ if use make-symlinks; then + busybox_config_option n FEATURE_PREFER_APPLETS + busybox_config_option n FEATURE_SH_STANDALONE + fi + + # If these are not set and we are using a busybox setup + # all calls to system() will fail. + busybox_config_option y ASH + busybox_config_option y SH_IS_ASH + busybox_config_option n HUSH + busybox_config_option n SH_IS_HUSH + + busybox_config_option '"/run"' PID_FILE_PATH + busybox_config_option '"/run/ifstate"' IFUPDOWN_IFSTATE_PATH + + busybox_config_option pam PAM + busybox_config_option static STATIC + busybox_config_option syslog {K,SYS}LOGD LOGGER + busybox_config_option systemd FEATURE_SYSTEMD + busybox_config_option math FEATURE_AWK_LIBM + + # all the debug options are compiler related, so punt them + busybox_config_option n DEBUG_SANITIZE + busybox_config_option n DEBUG + busybox_config_option y NO_DEBUG_LIB + busybox_config_option n DMALLOC + busybox_config_option n EFENCE + busybox_config_option $(usex debug y n) TFTP_DEBUG + + busybox_config_option selinux SELINUX + + # this opt only controls mounting with ::g' \ + Makefile.flags || die + sed -i \ + -e 's:-static-libgcc::' \ + Makefile.flags || die + + # Print all link lines too + sed -i -e 's:debug=false:debug=true:' scripts/trylink || die +} + +bbmake() { + local args=( + V=1 + CROSS_COMPILE="${CHOST}-" + AR="${AR}" + CC="${CC}" + HOSTCC="${BUILD_CC}" + HOSTCFLAGS="${BUILD_CFLAGS}" + PKG_CONFIG="${PKG_CONFIG}" + ) + emake "${args[@]}" "$@" +} + +src_configure() { + unset KBUILD_OUTPUT #88088 + export SKIP_STRIP=y + + tc-export AR CC BUILD_CC PKG_CONFIG + + tc-is-cross-compiler || BUILD_CFLAGS=${CFLAGS} + BUILD_CFLAGS+=" -D_FILE_OFFSET_BITS=64" #930513 + + append-flags -fno-strict-aliasing #310413 + use ppc64 && append-flags -mminimal-toc #130943 + + # check for a busybox config before making one of our own. + # if one exist lets return and use it. 
+ + restore_config .config + if [ -f .config ]; then + yes "" | bbmake -j1 oldconfig + return 0 + else + ewarn "Could not locate user configfile, so we will save a default one" + fi + + # setting SKIP_SELINUX skips searching for selinux at this stage. We don't + # need to search now in case we end up not needing it after all. + # setup the config file + bbmake -j1 allyesconfig SKIP_SELINUX=$(usex selinux n y) #620918 + # nommu forces a bunch of things off which we want on #387555 + busybox_config_option n NOMMU + sed -i '/^#/d' .config + yes "" | bbmake -j1 oldconfig SKIP_SELINUX=$(usex selinux n y) #620918 + + # now turn off stuff we really don't want + busybox_config_option n DMALLOC + busybox_config_option n FEATURE_2_4_MODULES #607548 + busybox_config_option n FEATURE_SUID_CONFIG + busybox_config_option n BUILD_AT_ONCE + busybox_config_option n BUILD_LIBBUSYBOX + busybox_config_option n FEATURE_CLEAN_UP + busybox_config_option n MONOTONIC_SYSCALL + busybox_config_option n USE_PORTABLE_CODE + busybox_config_option n WERROR + # CONFIG_MODPROBE_SMALL=y disables depmod.c and uses a smaller one that + # does not support -b. Setting this to no creates slightly larger and + # slightly more useful modutils + busybox_config_option n MODPROBE_SMALL #472464 + # triming the BSS size may be dangerous + busybox_config_option n FEATURE_USE_BSS_TAIL + + # These cause trouble with musl. + if use elibc_musl; then + busybox_config_option n FEATURE_UTMP + busybox_config_option n EXTRA_COMPAT + busybox_config_option n FEATURE_VI_REGEX_SEARCH + fi + + # Disable standalone shell mode when using make-symlinks, else Busybox calls its + # applets by default without looking up in PATH. + # This also enables users to disable a builtin by deleting the corresponding symlink. 
+ if use make-symlinks; then + busybox_config_option n FEATURE_PREFER_APPLETS + busybox_config_option n FEATURE_SH_STANDALONE + fi + + # If these are not set and we are using a busybox setup + # all calls to system() will fail. + busybox_config_option y ASH + busybox_config_option y SH_IS_ASH + busybox_config_option n HUSH + busybox_config_option n SH_IS_HUSH + + busybox_config_option '"/run"' PID_FILE_PATH + busybox_config_option '"/run/ifstate"' IFUPDOWN_IFSTATE_PATH + + busybox_config_option pam PAM + busybox_config_option static STATIC + busybox_config_option syslog {K,SYS}LOGD LOGGER + busybox_config_option systemd FEATURE_SYSTEMD + busybox_config_option math FEATURE_AWK_LIBM + + # all the debug options are compiler related, so punt them + busybox_config_option n DEBUG_SANITIZE + busybox_config_option n DEBUG + busybox_config_option y NO_DEBUG_LIB + busybox_config_option n DMALLOC + busybox_config_option n EFENCE + busybox_config_option $(usex debug y n) TFTP_DEBUG + + busybox_config_option selinux SELINUX + + # this opt only controls mounting with +Date: Tue, 21 Feb 2023 20:20:31 +0100 +Subject: fixdep: avoid underflow when end of entry doesn't coincide with EOF +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Bug: https://bugs.gentoo.org/893776 +Closes: https://bugs.busybox.net/show_bug.cgi?id=15326 +Signed-off-by: Arsen Arsenović +Signed-off-by: Denys Vlasenko +--- a/scripts/basic/fixdep.c ++++ b/scripts/basic/fixdep.c +@@ -338,6 +338,11 @@ void parse_dep_file(void *map, size_t len) + do p--; while (!isalnum((unsigned char)*p)); + p++; + } ++ if (p < m) { ++ /* we've consumed the last filename of this list ++ already. */ ++ break; ++ } + memcpy(s, m, p-m); s[p-m] = 0; + if (strrcmp(s, "include/autoconf.h") && + strrcmp(s, "arch/um/include/uml-config.h") && +-- +cgit v1.2.3 
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/busybox-1.36.1-kernel-6.8.patch b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/busybox-1.36.1-kernel-6.8.patch
new file mode 100644
index 0000000000..4f74d51bdc
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/busybox-1.36.1-kernel-6.8.patch
@@ -0,0 +1,53 @@
+http://lists.busybox.net/pipermail/busybox/2024-March/090678.html
+https://bugs.gentoo.org/926872
+
+Linux v6.8-rc1 removed the definitions related to CBQ making tc fail to
+build. Add some #ifdefs to handle this missing support.
+--- a/networking/tc.c
++++ b/networking/tc.c
+@@ -231,6 +231,13 @@ static int cbq_parse_opt(int argc, char **argv, struct nlmsghdr *n)
+ return 0;
+ }
+ #endif
++
++#ifndef TCA_CBQ_MAX
++/*
++ * Linux v6.8-rc1~131^2~60^2^2 removed the uapi definitions for CBQ.
++ * See https://git.kernel.org/linus/33241dca48626
++ */
++#else
+ static int cbq_print_opt(struct rtattr *opt)
+ {
+ struct rtattr *tb[TCA_CBQ_MAX+1];
+@@ -322,6 +329,7 @@ static int cbq_print_opt(struct rtattr *opt)
+ done:
+ return 0;
+ }
++#endif
+
+ static FAST_FUNC int print_qdisc(
+ const struct sockaddr_nl *who UNUSED_PARAM,
+@@ -372,8 +380,10 @@ static FAST_FUNC int print_qdisc(
+ int qqq = index_in_strings(_q_, name);
+ if (qqq == 0) { /* pfifo_fast aka prio */
+ prio_print_opt(tb[TCA_OPTIONS]);
++#ifdef TCA_CBQ_MAX
+ } else if (qqq == 1) { /* class based queuing */
+ cbq_print_opt(tb[TCA_OPTIONS]);
++#endif
+ } else {
+ /* don't know how to print options for this qdisc */
+ printf("(options for %s)", name);
+@@ -442,9 +452,11 @@ static FAST_FUNC int print_class(
+ int qqq = index_in_strings(_q_, name);
+ if (qqq == 0) { /* pfifo_fast aka prio */
+ /* nothing. */ /*prio_print_opt(tb[TCA_OPTIONS]);*/
++#ifdef TCA_CBQ_MAX
+ } else if (qqq == 1) { /* class based queuing */
+ /* cbq_print_copt() is identical to cbq_print_opt(). */
+ cbq_print_opt(tb[TCA_OPTIONS]);
++#endif
+ } else {
+ /* don't know how to print options for this class */
+ printf("(options for %s)", name);
+
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/busybox-1.36.1-skip-dynamic-relocations.patch b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/busybox-1.36.1-skip-dynamic-relocations.patch
new file mode 100644
index 0000000000..4da0d4666e
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/busybox-1.36.1-skip-dynamic-relocations.patch
@@ -0,0 +1,43 @@
+https://git.alpinelinux.org/aports/plain/main/busybox/0025-Hackfix-to-disable-HW-acceleration-for-MD5-SHA1-on-x.patch
+https://bugs.gentoo.org/933771
+
+From 3ead51e53687e94a51beb793661363df27b00814 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?S=C3=B6ren=20Tempel?=
+Date: Thu, 5 Jan 2023 15:47:55 +0100
+Subject: [PATCH] Hackfix to disable HW acceleration for MD5/SHA1 on x86
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This causes a direct segfault with musl libc.
+
+See: http://lists.busybox.net/pipermail/busybox/2023-January/090078.html
+--- a/libbb/hash_md5_sha.c
++++ b/libbb/hash_md5_sha.c
+@@ -14,7 +14,7 @@
+ #define NEED_SHA512 (ENABLE_SHA512SUM || ENABLE_USE_BB_CRYPT_SHA)
+
+ #if ENABLE_SHA1_HWACCEL || ENABLE_SHA256_HWACCEL
+-# if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__))
++# if defined(__GNUC__) && defined(__x86_64__)
+ static void cpuid(unsigned *eax, unsigned *ebx, unsigned *ecx, unsigned *edx)
+ {
+ asm ("cpuid"
+@@ -1173,7 +1173,7 @@ void FAST_FUNC sha1_begin(sha1_ctx_t *ctx)
+ ctx->total64 = 0;
+ ctx->process_block = sha1_process_block64;
+ #if ENABLE_SHA1_HWACCEL
+-# if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__))
++# if defined(__GNUC__) && defined(__x86_64__)
+ {
+ if (!shaNI) {
+ unsigned eax = 7, ebx = ebx, ecx = 0, edx = edx;
+@@ -1227,7 +1227,7 @@ void FAST_FUNC sha256_begin(sha256_ctx_t *ctx)
+ /*ctx->total64 = 0; - done by prepending two 32-bit zeros to init256 */
+ ctx->process_block = sha256_process_block64;
+ #if ENABLE_SHA256_HWACCEL
+-# if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__))
++# if defined(__GNUC__) && defined(__x86_64__)
+ {
+ if (!shaNI) {
+ unsigned eax = 7, ebx = ebx, ecx = 0, edx = edx;
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/crond.confd b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/crond.confd new file mode 100644 index 0000000000..7073662529 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/crond.confd @@ -0,0 +1,2 @@ +# Config file for /etc/init.d/busybox-crond +CRONDARGS= diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/crond.initd b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/crond.initd new file mode 100644 index 0000000000..9d81e7a4c9 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/crond.initd @@ -0,0 +1,12 @@ +#!/sbin/openrc-run +# Copyright 1999-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +command="/bin/busybox crond" +command_args="${CRONDARGS}" +pidfile="/run/crond.pid" + +depend() { + need clock logger + provide cron +} diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/ginit.c b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/ginit.c new file mode 100644 index 0000000000..de98e4ac41 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/ginit.c 
@@ -0,0 +1,124 @@ +/* + * simple init to bootstrap sep-/usr + * + * Copyright (C) 2012-2013 Mike Frysinger + * + * Licensed under GPLv2 or later + */ + +//applet:IF_GINIT(APPLET(ginit, BB_DIR_SBIN, BB_SUID_DROP)) + +//kbuild:lib-$(CONFIG_GINIT) += ginit.o + +//config:config GINIT +//config: bool "ginit" +//config: default y +//config: select MKDIR +//config: select MDEV +//config: select MOUNT +//config: select MOUNTPOINT +//config: help +//config: sep-/usr bootstrapper + +//usage:#define ginit_trivial_usage NOUSAGE_STR +//usage:#define ginit_full_usage "" + +#include "libbb.h" + +#define eprintf(fmt, args...) printf("%s" fmt, "sep-usr init: ", ## args) + +static void process_args(char **args) +{ + size_t i; + + eprintf("running: "); + for (i = 0; args[i]; ++i) { + /* String needs to be writable, so dupe it */ + args[i] = xstrdup(args[i]); + printf("'%s' ", args[i]); + } + printf("\n"); +} + +int ginit_main(int argc UNUSED_PARAM, char **argv) MAIN_EXTERNALLY_VISIBLE; +int ginit_main(int argc UNUSED_PARAM, char **argv) +{ + FILE *mntlist; + bool ismnted_dev, ismnted_sys, ismnted_usr; + struct mntent *mntent; + + /* + int fd = open("/dev/console", O_RDWR); + if (fd >= 0) { + dup2(fd, 0); + dup2(fd, 1); + dup2(fd, 2); + } + */ + + /* If given an argv[] with an applet name, run it instead. + * Makes recovering simple by doing: init=/ginit bb + */ + if (argv[1] && argv[1][0] != '/') { + eprintf("running user requested applet %s\n", argv[1]); + return spawn_and_wait(argv+1); + } + +#define saw(argv...) 
\ + ({ \ + static const char *args[] = { argv, NULL }; \ + /* These casts are fine -- see process_args for mem setup */ \ + process_args((void *)args); \ + spawn_and_wait((void *)args); \ + }) + + /* First setup basic /dev */ + if (saw("mountpoint", "-q", "/dev") != 0) { + /* Try /etc/fstab */ + if (saw("mount", "-n", "/dev")) + /* Then devtmpfs */ + if (saw("mount", "-n", "-t", "devtmpfs", "devtmpfs", "/dev")) + /* Finally normal tmpfs */ + saw("mount", "-n", "-t", "tmpfs", "dev", "/dev"); + } else { + eprintf("%s appears to be mounted; skipping its setup\n", "/dev"); + } + + /* If /dev is empty (e.g. tmpfs), run mdev to seed things */ + if (access("/dev/console", F_OK) != 0) { + if (saw("mountpoint", "-q", "/sys") != 0) { + if (saw("mount", "-n", "/sys")) + saw("mount", "-n", "-t", "sysfs", "sysfs", "/sys"); + } else { + eprintf("%s appears to be mounted; skipping its setup\n", "/sys"); + } + + /* Mount /proc as mdev will fork+exec /proc/self/exe */ + if (saw("mountpoint", "-q", "/proc") != 0) { + /* Try /etc/fstab */ + if (saw("mount", "-n", "/proc")) + saw("mount", "-n", "-t", "proc", "proc", "/proc"); + } + + saw("mdev", "-s"); + } + + /* Then seed the stuff we care about */ + saw("mkdir", "-p", "/dev/pts", "/dev/shm"); + + /* Then mount /usr */ + if (saw("mountpoint", "-q", "/usr") != 0) { + saw("mount", "-n", "/usr", "-o", "ro"); + } else { + eprintf("%s appears to be mounted; skipping its setup\n", "/usr"); + } + + /* Now that we're all done, exec the real init */ + if (!argv[1]) { + argv[0] = (void *)"/sbin/init"; + argv[1] = NULL; + } else + ++argv; + process_args(argv); + return execv(argv[0], argv); +} diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/klogd.confd b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/klogd.confd new file mode 100644 index 0000000000..4c16096a4e --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/klogd.confd 
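Review bot: The closing `return execv(argv[0], argv);` in ginit_main of files/ginit.c gives no diagnostic when the exec fails. execv only returns on error, and when ginit is running as PID 1 a plain return then ends in a kernel panic with nothing on the console naming the path that could not be executed. I would report the failure first, for example `bb_perror_msg("can't execute '%s'", argv[0]);` between the execv call and the return. The result of `saw("mount", "-n", "/usr", "-o", "ro")` is also ignored, so a failed /usr mount is visible only through the mount applet's own output before the real init is started. The file is imported from Gentoo unchanged, so the change would presumably go upstream first.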
@@ -0,0 +1,9 @@ +# Config file for /etc/init.d/busybox-sysklogd + +# run "/sbin/klogd --help" to see all possible options. + +# activate if you need remote logging +#rc_need="net" + +# send warnings and above to the console +KLOGD_OPTS="-c 3" diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/klogd.initd b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/klogd.initd new file mode 100644 index 0000000000..95d5eb030d --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/klogd.initd @@ -0,0 +1,11 @@ +#!/sbin/openrc-run +# Copyright 1999-2015 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +command="/bin/busybox klogd" +command_args="${KLOGD_OPTS}" +pidfile="/run/klogd.pid" + +depend() { + need clock hostname +} diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/mdev.initd b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/mdev.initd new file mode 100644 index 0000000000..1145707439 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/mdev.initd 
@@ -0,0 +1,52 @@ +#!/sbin/openrc-run +# Copyright 1999-2015 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +depend() +{ + provide dev + need dev-mount sysfs +} + +find_mdev() +{ + if [ -x /sbin/mdev ] ; then + echo "/sbin/mdev" + else + echo "/bin/busybox mdev" + fi +} + +populate_mdev() +{ + ebegin "Populating /dev with existing devices with mdev -s" + $(find_mdev) -s + eend $? + return 0 +} + +seed_dev() +{ + # copy over any persistent things + if [ -d /lib/mdev/devices ] ; then + cp -RPp /lib/mdev/devices/* /dev 2>/dev/null + fi +} + +start() +{ + seed_dev + + # Setup hotplugging (if possible) + if [ -e /proc/sys/kernel/hotplug ] ; then + ebegin "Setting up mdev as hotplug agent" + echo $(find_mdev) > /proc/sys/kernel/hotplug + eend 0 + fi + + if get_bootparam "nocoldplug" ; then + ewarn "Skipping mdev coldplug as requested in kernel cmdline" + else + populate_mdev + fi +} diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/mdev/dvbdev b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/mdev/dvbdev new file mode 100644 index 0000000000..971b0efc90 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/mdev/dvbdev @@ -0,0 +1,18 @@ +#!/bin/sh + +# MDEV=dvb0.demux1 -> ADAPTER=dvb0 -> N=0 +ADAPTER=${MDEV%.*} +N=${ADAPTER#dvb} +# MDEV=dvb0.demux1 -> DEVB_DEV=demux1 +DVB_DEV=${MDEV#*.} + +case "$ACTION" in + add|"") + mkdir -p "dvb/adapter${N}" + mv "${MDEV}" "dvb/adapter${N}/${DVB_DEV}" + ;; + remove) + rm -f "dvb/adapter${N}/${DVB_DEV}" + rmdir "dvb/adapter${N}" 2>/dev/null + rmdir dvb/ 2>/dev/null +esac diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/mdev/ide_links b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/mdev/ide_links new file mode 100644 index 0000000000..dfb7c9cb46 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/mdev/ide_links 
@@ -0,0 +1,23 @@ +#!/bin/sh + +[ -f /proc/ide/"${MDEV}"/media ] || exit + +media=$(cat /proc/ide/"${MDEV}"/media) +for i in "${media}" "${media}"[0-9]* ; do + if [ "$(readlink "$i" 2>/dev/null)" = "${MDEV}" ] ; then + LINK="$i" + break + fi +done + +# link exist, remove if necessary and exit +if [ "${LINK}" ] ; then + [ "${ACTION}" = remove ] && rm "${LINK}" + exit +fi + +# create a link +num=$(ls "${media}"[0-9]* 2>/dev/null | wc -l) +ln -sf "${MDEV}" "${media}${num}" +[ -e "${media}" ] || ln -sf "${MDEV}" "${media}" + diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/mdev/usbdev b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/mdev/usbdev new file mode 100644 index 0000000000..eda3825df2 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/mdev/usbdev 
@@ -0,0 +1,62 @@ +#!/bin/sh + +# script is buggy; until patched just do exit 0 +#exit 0 + +# add zeros to device or bus +add_zeros () { + case "$(echo "$1" | wc -L)" in + 1) echo "00$1" ;; + 2) echo "0$1" ;; + *) echo "$1" + esac + exit 0 +} + + +# bus and device dirs in /sys +USB_PATH=$(echo "${MDEV}" | sed -e 's/usbdev\([0-9]\).[0-9]/usb\1/') +USB_PATH=$(find /sys/devices -type d -name "${USB_PATH}") +USB_DEV_DIR=$(echo "${MDEV}" | sed -e 's/usbdev\([0-9]\).\([0-9]\)/\1-\2/') + +# dir names in /dev +BUS=$(add_zeros "$(echo "${MDEV}" | sed -e 's/^usbdev\([0-9]\).[0-9]/\1/')") +USB_DEV=$(add_zeros "$(echo "${MDEV}" | sed -e 's/^usbdev[0-9].\([0-9]\)/\1/')") + + +# try to load the proper driver for usb devices +case "${ACTION}" in + add|"") + # load usb bus driver + for i in "${USB_PATH}"/*/modalias ; do + modprobe "$(cat "$i")" 2>/dev/null + done + # load usb device driver if existent + if [ -d "${USB_PATH}/${USB_DEV_DIR}" ]; then + for i in "${USB_PATH}/${USB_DEV_DIR}"/*/modalias ; do + modprobe "$(cat "$i")" 2>/dev/null + done + fi + # move usb device file + mkdir -p "bus/usb/${BUS}" + mv "${MDEV}" "bus/usb/${BUS}/${USB_DEV}" + ;; + remove) + # unload device driver, if device dir is existent + if [ -d "${USB_PATH}/${USB_DEV_DIR}" ]; then + for i in "${USB_PATH}/${USB_DEV_DIR}"/*/modalias ; do + modprobe -r "$(cat "$i")" 2>/dev/null + done + fi + # unload usb bus driver. Does this make sense? + # what happens, if two usb devices are plugged in + # and one is removed? + for i in "${USB_PATH}"/*/modalias ; do + modprobe -r "$(cat "$i")" 2>/dev/null + done + # remove device file and possible empty dirs + rm -f "bus/usb/${BUS}/${USB_DEV}" + rmdir "bus/usb/${BUS}/" 2>/dev/null + rmdir bus/usb/ 2>/dev/null + rmdir bus/ 2>/dev/null +esac diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/mdev/usbdisk_link b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/mdev/usbdisk_link new file mode 100644 index 0000000000..e42cc8bc90 
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/mdev/usbdisk_link
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+# NOTE: since mdev -s only provide $MDEV, don't depend on any hotplug vars.
+
+current=$(readlink usbdisk)
+
+if [ "${current}" = "${MDEV}" ] && [ "${ACTION}" = "remove" ]; then
+ rm -f usbdisk usba1
+fi
+[ -n "${current}" ] && exit
+
+if [ -e /sys/block/"${MDEV}" ]; then
+ SYSDEV=$(readlink -f /sys/block/"${MDEV}"/device)
+ # if /sys device path contains '/usb[0-9]' then we assume its usb
+ # also, if it's a usb without partitions we require FAT
+ if [ "${SYSDEV##*/usb[0-9]}" != "${SYSDEV}" ]; then
+ # do not create link if there is not FAT
+ dd if=/dev/"${MDEV}" bs=512 count=1 2>/dev/null | strings | grep FAT >/dev/null || exit 0
+
+ ln -sf "${MDEV}" usbdisk
+ # keep this for compat. people have it in fstab
+ ln -sf "${MDEV}" usba1
+ fi
+
+else
+ for i in /sys/block/*/"${MDEV}"; do
+ if [ -e "$i" ]; then
+ PARENT=$(dirname "$i")
+ SYSDEV=$(readlink -f "${PARENT}"/device)
+ if [ "${SYSDEV##*/usb[0-9]}" != "${SYSDEV}" ]; then
+ ln -sf "${MDEV}" usbdisk
+ # keep this for compat. people have it in fstab
+ ln -sf "${MDEV}" usba1
+ fi
+ fi
+ done
+fi
+
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/ntpd.confd b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/ntpd.confd
new file mode 100644
index 0000000000..f50d4c2e91
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/ntpd.confd
@@ -0,0 +1,6 @@
+# Config file for /etc/init.d/busybox-ntpd
+
+# run "/sbin/ntpd --help" to see all possible options.
+
+# Get time from specified server and run in background
+NTPD_OPTS="-N -p pool.ntp.org"
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/ntpd.initd b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/ntpd.initd
new file mode 100644
index 0000000000..dffea3bcde
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/ntpd.initd
@@ -0,0 +1,12 @@
+#!/sbin/openrc-run
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+command="/bin/busybox ntpd"
+command_args="${NTPD_OPTS}"
+pidfile="/run/ntpd.pid"
+
+depend() {
+ use net dns logger
+ after ntp-client
+}
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/syslogd.confd b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/syslogd.confd
new file mode 100644
index 0000000000..7df6885ced
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/syslogd.confd
@@ -0,0 +1,9 @@
+# Config file for /etc/init.d/busybox-sysklogd
+
+# run "/sbin/syslogd --help" to see all possible options.
+
+# activate if you need remote logging
+#rc_need="net"
+
+# Log to shared mem buffer (use logread to read it)
+SYSLOGD_OPTS="-C128"
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/syslogd.initd b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/syslogd.initd
new file mode 100644
index 0000000000..b2ac5ac172
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/syslogd.initd
@@ -0,0 +1,12 @@
+#!/sbin/openrc-run
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+command="/bin/busybox syslogd"
+command_args="${SYSLOGD_OPTS}"
+pidfile="/run/syslogd.pid"
+
+depend() {
+ need clock hostname
+ provide logger
+}
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/watchdog.confd b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/watchdog.confd
new file mode 100644
index 0000000000..bd6aec0a70
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/watchdog.confd
@@ -0,0 +1,9 @@
+# Config file for /etc/init.d/busybox-watchdog
+
+# run "/sbin/watchdog --help" to see all possible options.
+
+# Periodically write to watchdog device
+WATCHDOG_OPTS="/dev/watchdog"
+
+# optionally set the nice-level
+#SSD_NICELEVEL="-20"
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/watchdog.initd b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/watchdog.initd
new file mode 100644
index 0000000000..89043738a7
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/files/watchdog.initd
@@ -0,0 +1,7 @@
+#!/sbin/openrc-run
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+command="/bin/busybox watchdog"
+command_args="${WATCHDOG_OPTS}"
+pidfile="/run/watchdog.pid"
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/busybox/metadata.xml b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/metadata.xml
new file mode 100644
index 0000000000..21b8287c85
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/busybox/metadata.xml
@@ -0,0 +1,19 @@
+
+
+
+
+embedded@gentoo.org
+Embedded Gentoo
+
+
+Create all the appropriate symlinks in /bin and /sbin.
+Enable math support in gawk (requires libm)
+Create the appropriate symlink in /sbin and install mdev.conf and support files
+Support a separate /usr without needing an initramfs by booting with init=/ginit
+Make the system rescue shell (/bin/bb) static so you can recover even when glibc is broken
+Support systemd
+
+
+cpe:/a:busybox:busybox
+
+
From 5f1944b0724cec44bf97bd56306a60ba3ba72d07 Mon Sep 17 00:00:00 2001
From: Kai Lueke Date: Tue, 2 Sep 2025 13:23:50 +0900 Subject: [PATCH 2/2] Use a minimal initrd to switch to the full initrd stored in /usr The growth of binaries over time and the inclusion of new features filled the available boot partition space, so that the kernel+initrd almost couldn't fit twice anymore as required for updates. We employed workarounds such as wrapper scripts for ignition, afterburn and other binaries so that they are loaded from /usr. However, this was still not enough and we would have to do the same for (network) kernel modules and firmware. To avoid making this ever more complex we can use a dedicated initrd focused on loading the full initrd from /usr and then this full initrd can use dracut as before and even drop all the workarounds we accumulated. Generate a minimal initrd to use instead of the full bootengine initrd. The bootengine initrd gets stored as squashfs on /usr. The minimal initrd still includes the early_cpio for amd64 microcode updates. We have a fixed list of modules or module directories to include, only focused on loading /usr and any emergency console interaction. This requires also checking for module dependencies to copy over. The busybox, veritysetup, and kmod binaries are needed and get their required libraries resolved and copied over. They are not static and use shared libraries which should be ok for now. The resulting vmlinuz file is 27 MB for amd64, down from ~60 MB, so we have enough room to include more kernel modules and so on for the next years while we also grow the boot partition and wait for users to redeploy until we can rely on a larger boot partition and eventually drop the minimal initrd again. Pulls in https://github.com/flatcar/bootengine/pull/110 for the minimal initrd script and https://github.com/flatcar/seismograph/pull/12 for making the device mapper discovery for the "rootdev" command more reliable. 
This also requied a backport of a kernel patch from 2017 that exposes the PARTUUID in the /sys uevent file. Co-authored-by: James Le Cuirot Signed-off-by: Kai Lueke --- build_library/build_image_util.sh | 16 ++++++ build_library/prod_image_util.sh | 6 +- .../changes/2025-09-19-minimal-initrd.md | 1 + ci-automation/image_changes.sh | 9 +++ .../seismograph/seismograph-9999.ebuild | 2 +- .../bootengine/bootengine-9999.ebuild | 3 +- .../coreos-kernel-6.12.51.ebuild | 57 +++++++++++++++++++ .../coreos-sources-6.12.51.ebuild | 1 + ...block-add-partition-uuid-into-uevent.patch | 36 ++++++++++++ 9 files changed, 128 insertions(+), 3 deletions(-) create mode 100644 changelog/changes/2025-09-19-minimal-initrd.md create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0009-block-add-partition-uuid-into-uevent.patch diff --git a/build_library/build_image_util.sh b/build_library/build_image_util.sh index 77ce920093..3339b6ec0b 100755 --- a/build_library/build_image_util.sh +++ b/build_library/build_image_util.sh @@ -582,6 +582,8 @@ finish_image() { local image_initrd_contents="${11}" local image_initrd_contents_wtd="${12}" local image_disk_space_usage="${13}" + local image_realinitrd_contents="${14}" + local image_realinitrd_contents_wtd="${15}" local install_grub=0 local disk_img="${BUILD_DIR}/${image_name}" 
@@ -877,6 +879,20 @@ EOF rm -rf "${BUILD_DIR}/tmp_initrd_contents" fi + if [[ -n ${image_realinitrd_contents} || -n ${image_realinitrd_contents_wtd} ]]; then + mkdir -p "${BUILD_DIR}/tmp_initrd_contents" + sudo mount "${root_fs_dir}/usr/lib/flatcar/bootengine.img" "${BUILD_DIR}/tmp_initrd_contents" + if [[ -n ${image_realinitrd_contents} ]]; then + write_contents "${BUILD_DIR}/tmp_initrd_contents" "${BUILD_DIR}/${image_realinitrd_contents}" + fi + + if [[ -n ${image_realinitrd_contents_wtd} ]]; then + write_contents_with_technical_details "${BUILD_DIR}/tmp_initrd_contents" "${BUILD_DIR}/${image_realinitrd_contents_wtd}" + fi + sudo umount "${BUILD_DIR}/tmp_initrd_contents" + rm -rf "${BUILD_DIR}/tmp_initrd_contents" + fi + if [[ -n "${image_disk_space_usage}" ]]; then write_disk_space_usage "${root_fs_dir}" "${BUILD_DIR}/${image_disk_space_usage}" fi diff --git a/build_library/prod_image_util.sh b/build_library/prod_image_util.sh index 245332f6a4..9beaf7f433 100755 --- a/build_library/prod_image_util.sh +++ b/build_library/prod_image_util.sh @@ -83,6 +83,8 @@ create_prod_image() { local image_initrd_contents="${image_name%.bin}_initrd_contents.txt" local image_initrd_contents_wtd="${image_name%.bin}_initrd_contents_wtd.txt" local image_disk_usage="${image_name%.bin}_disk_usage.txt" + local image_realinitrd_contents="${image_name%.bin}_realinitrd_contents.txt" + local image_realinitrd_contents_wtd="${image_name%.bin}_realinitrd_contents_wtd.txt" local image_sysext_base="${image_name%.bin}_sysext.squashfs" start_image "${image_name}" "${disk_layout}" "${root_fs_dir}" "${update_group}" @@ -180,7 +182,9 @@ EOF "${image_kconfig}" \ "${image_initrd_contents}" \ "${image_initrd_contents_wtd}" \ - "${image_disk_usage}" + "${image_disk_usage}" \ + "${image_realinitrd_contents}" \ + "${image_realinitrd_contents_wtd}" # Official builds will sign and upload these files later, so remove them to # prevent them from being uploaded now. 
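Review bot: The new `image_realinitrd_contents` block in finish_image has no cleanup path around `sudo mount "${root_fs_dir}/usr/lib/flatcar/bootengine.img" ...`: if `write_contents` or `write_contents_with_technical_details` fails, the squashfs stays mounted under `${BUILD_DIR}/tmp_initrd_contents`, and whether the script then stops or carries on to `rm -rf` on a live mount point depends on shell options that are not visible in this hunk. I would tie the removal to a successful unmount, `sudo umount "${BUILD_DIR}/tmp_initrd_contents" && rm -rf "${BUILD_DIR}/tmp_initrd_contents"`, and pass `-o ro` to the mount so the loop device is attached read-only. The block also reuses the directory name of the initrd block just above it, so a mount left behind by a failed run could be walked by that block on the next build; a distinct name such as `tmp_realinitrd_contents` avoids that. finish_image starts and ends outside the hunk.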
diff --git a/changelog/changes/2025-09-19-minimal-initrd.md b/changelog/changes/2025-09-19-minimal-initrd.md new file mode 100644 index 0000000000..0886187c22 --- /dev/null +++ b/changelog/changes/2025-09-19-minimal-initrd.md @@ -0,0 +1 @@ +- Reduced the kernel+initrd size on `/boot` by half. Flatcar now uses a minimal first stage initrd just to access the `/usr` partition and then switches to the full initrd that does the full system preparation as before. Since this means that the set of kernel modules available in the first initrd is reduced, please report any impact. diff --git a/ci-automation/image_changes.sh b/ci-automation/image_changes.sh index 8c4ffd253a..61a8d3ba4b 100644 --- a/ci-automation/image_changes.sh +++ b/ci-automation/image_changes.sh @@ -729,6 +729,15 @@ function print_image_reports() { echo "Note that vmlinuz-a also contains the kernel code, which might have changed too, so the reported difference does not accurately describe the change in initrd." echo + yell "Real/full init ramdisk (bootengine.img) differences compared to ${previous_version_description}" + underline "Real/full init ramdisk (bootengine.img) file changes, compared to ${previous_version_description}:" + env \ + "${package_diff_env[@]}" FILE=flatcar_production_image_realinitrd_contents.txt FILESONLY=1 CUTKERNEL=1 \ + "${flatcar_build_scripts_repo}/package-diff" "${package_diff_params[@]}" 2>&1 || true + + underline "Real/full init ramdisk (bootengine.img) file size changes, compared to ${previous_version_description}:" + "${size_changes_invocation[@]}" "${size_change_report_params[@]/%/:realinitrd-wtd}" 2>&1 || true + local base_sysext for base_sysext in "${base_sysexts[@]}"; do yell "Base sysext ${base_sysext} changes compared to ${previous_version_description}" 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/seismograph/seismograph-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/seismograph/seismograph-9999.ebuild index 5ef48b487f..e049848221 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/seismograph/seismograph-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/seismograph/seismograph-9999.ebuild @@ -7,7 +7,7 @@ EGIT_REPO_URI="https://github.com/flatcar/seismograph.git" if [[ "${PV}" == 9999 ]]; then KEYWORDS="~amd64 ~arm ~arm64 ~x86" else - EGIT_COMMIT="e32ac4d13ca44333dc77e5872dbf23f964b6f1e2" # main + EGIT_COMMIT="231f8b31c576133f75151d34cb90890bfaf15ebe" # main KEYWORDS="amd64 arm arm64 x86" fi diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-9999.ebuild index cda632706f..387e4f493e 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-9999.ebuild @@ -7,7 +7,7 @@ EGIT_REPO_URI="https://github.com/flatcar/bootengine.git" if [[ "${PV}" == 9999 ]]; then KEYWORDS="~amd64 ~arm ~arm64 ~x86" else - EGIT_COMMIT="daf43bf9c1ca45bf1a43566c3a6f96ec0cb44a36" # flatcar-master + EGIT_COMMIT="0b9d52e647289fe7793839265617afc5178d5f00" # flatcar-master KEYWORDS="amd64 arm arm64 x86" fi @@ -23,6 +23,7 @@ src_install() { insinto /usr/lib/dracut/modules.d/ doins -r dracut/. dosbin update-bootengine + dosbin minimal-init # must be executable since dracut's install scripts just # re-use existing filesystem permissions during initrd creation. diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.51.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.51.ebuild index cea1123a3e..8e50a61a5e 100644 
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.51.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.51.ebuild @@ -26,6 +26,7 @@ DEPEND=" coreos-base/coreos-init:= sys-apps/azure-vm-utils[dracut] sys-apps/baselayout + sys-apps/busybox sys-apps/coreutils sys-apps/findutils sys-apps/grep 
@@ -89,6 +90,59 @@ src_compile() { tc-export PKG_CONFIG "${ESYSROOT}"/usr/bin/update-bootengine -k "${KV_FULL}" -o "${S}"/build/bootengine.cpio "${BE_ARGS[@]}" || die + # Copy full initrd over to /usr as filesystem image + mkdir "${S}"/build/bootengine || die + pushd "${S}"/build/bootengine || die + lsinitrd --kver SILENCEERROR --unpack "${S}"/build/bootengine.cpio || die + mksquashfs . "${S}"/build/bootengine.img -noappend -xattrs-exclude ^btrfs. || die + popd || die + # Create minimal initrd + if use amd64; then + mkdir "${S}"/build/early-cpio || die + pushd "${S}"/build/early-cpio || die + lsinitrd --kver SILENCEERROR --unpackearly "${S}"/build/bootengine.cpio || die + # Recreate to only contain the early cpio for microcode + find . -print0 | cpio --null --create --verbose --format=newc > "${S}"/build/bootengine.cpio || die + # Debug: List contents after recreation + cpio -t < "${S}"/build/bootengine.cpio + popd || die + else + # No early cpio, drop full initrd + > "${S}"/build/bootengine.cpio + fi + mkdir "${S}"/build/minimal || die + pushd "${S}"/build/minimal || die + mkdir -p {etc,dev,proc,sys,dev,usr/bin,usr/lib64,realinit,sysusr/usr} || die + ln -s usr/bin bin || die + ln -s usr/bin sbin || die + ln -s bin usr/sbin || die + ln -s usr/lib64 lib || die + ln -s usr/lib64 lib64 || die + ln -s lib64 usr/lib || die + mkdir -p lib/modules/"${KV_FULL}"/ || die + # Instead from ESYSROOT we can also copy kernel modules from the dracut pre-selection + cp "${S}"/build/bootengine/usr/lib/modules/"${KV_FULL}"/modules.* lib/modules/"${KV_FULL}"/ || die + mkdir -p lib/modprobe.d/ || die + cp "${S}"/build/bootengine/lib/modprobe.d/* lib/modprobe.d/ || die + # Only include modules related to mounting /usr and for interacting with the emergency console + pushd "${S}/build/bootengine/usr/lib/modules/${KV_FULL}" || die + find kernel/drivers/{ata,block,hid,hv,input/serio,mmc,nvme,pci,scsi,usb} kernel/fs/{btrfs,overlayfs,squashfs} kernel/security/keys -name "*.ko.*" -printf 
"%f\0" | DRACUT_NO_XATTR=1 xargs --null "${BROOT}"/usr/lib/dracut/dracut-install --destrootdir "${S}"/build/minimal --kerneldir . --sysrootdir "${S}"/build/bootengine/ --firmwaredirs "${S}"/build/bootengine/usr/lib/firmware --module dm-verity dm-mod virtio_console || die + popd || die + echo '$MODALIAS=.* 0:0 660 @/sbin/modprobe "$MODALIAS"' > ./etc/mdev.conf || die + # We can't use busybox's modprobe because it doesn't support the globs in module.alias, breaking module loading + DRACUT_NO_XATTR=1 "${BROOT}"/usr/lib/dracut/dracut-install --destrootdir . --sysrootdir "${ESYSROOT}" --ldd /bin/veritysetup /bin/dmsetup /bin/busybox /sbin/modprobe || die + cp -a "${ESYSROOT}"/usr/bin/minimal-init ./init || die + # Make it easier to debug by not relying too much on the first commands + ln -s busybox ./bin/sh || die + mknod ./dev/console c 5 1 || die + mknod ./dev/null c 1 3 || die + mknod ./dev/tty c 5 0 || die + mknod ./dev/urandom c 1 9 || die + mknod ./dev/random c 1 8 || die + mknod ./dev/zero c 1 5 || die + # No compression because CONFIG_INITRAMFS_COMPRESSION_XZ should take care of it + find . -print0 | cpio --null --create --verbose --format=newc >> "${S}"/build/bootengine.cpio || die + popd || die kmake "$(kernel_target)" # sanity check :) @@ -111,4 +165,7 @@ src_install() { # For easy access to vdso debug symbols in gdb: # set debug-file-directory /usr/lib/debug/usr/lib/modules/${KV_FULL}/vdso/ kmake INSTALL_MOD_PATH="${ED}/usr/lib/debug/usr" vdso_install + + insinto "/usr/lib/flatcar" + doins build/bootengine.img } diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.51.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.51.ebuild index 5e33b6ee4d..80f25e4570 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.51.ebuild 
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.51.ebuild @@ -43,4 +43,5 @@ UNIPATCH_LIST=" ${PATCH_DIR}/z0006-mtd-disable-slram-and-phram-when-locked-down.patch \ ${PATCH_DIR}/z0007-arm64-add-kernel-config-option-to-lock-down-when.patch \ ${PATCH_DIR}/z0008-tools-hv-fix-cross-compilation-for-ARM64.patch \ + ${PATCH_DIR}/z0009-block-add-partition-uuid-into-uevent.patch \ " diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0009-block-add-partition-uuid-into-uevent.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0009-block-add-partition-uuid-into-uevent.patch new file mode 100644 index 0000000000..754309104e --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0009-block-add-partition-uuid-into-uevent.patch 
@@ -0,0 +1,36 @@
+From 758737d86f8a2d74c0fa9f8b2523fa7fd1e0d0aa Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov
+Date: Fri, 4 Oct 2024 17:13:43 -0700
+Subject: [PATCH] block: add partition uuid into uevent as "PARTUUID"
+
+Both most common formats have uuid in addition to partition name:
+GPT: standard uuid xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+DOS: 4 byte disk signature and 1 byte partition xxxxxxxx-xx
+
+Tools from util-linux use the same notation for them.
+
+Signed-off-by: Konstantin Khlebnikov
+Reviewed-by: Kyle Fortin
+[dianders: rebased to modern kernels]
+Signed-off-by: Douglas Anderson
+Signed-off-by: Douglas Anderson
+Reviewed-by: Christoph Hellwig
+Link: https://lore.kernel.org/r/20241004171340.v2.1.I938c91d10e454e841fdf5d64499a8ae8514dc004@changeid
+Signed-off-by: Jens Axboe
+---
+ block/partitions/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/block/partitions/core.c b/block/partitions/core.c
+index cdad05f9764768..815ed33caa1b86 100644
+--- a/block/partitions/core.c
++++ b/block/partitions/core.c
+@@ -256,6 +256,8 @@ static int part_uevent(const struct device *dev, struct kobj_uevent_env *env)
+ add_uevent_var(env, "PARTN=%u", bdev_partno(part));
+ if (part->bd_meta_info && part->bd_meta_info->volname[0])
+ add_uevent_var(env, "PARTNAME=%s", part->bd_meta_info->volname);
++ if (part->bd_meta_info && part->bd_meta_info->uuid[0])
++ add_uevent_var(env, "PARTUUID=%s", part->bd_meta_info->uuid);
+ return 0;
+ }
+