diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
index 3a1d50ce6..8ab864ade 100644
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository == 'ceph/ceph-csi'
     steps:
-      - uses: actions/stale@v6
+      - uses: actions/stale@v7
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           days-before-issue-stale: 30
diff --git a/actions/retest/go.mod b/actions/retest/go.mod
index 7ccbdb968..ba68adbb7 100644
--- a/actions/retest/go.mod
+++ b/actions/retest/go.mod
@@ -4,13 +4,13 @@ go 1.18
 
 require (
 	github.com/google/go-github v17.0.0+incompatible
-	golang.org/x/oauth2 v0.3.0
+	golang.org/x/oauth2 v0.4.0
 )
 
 require (
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
-	golang.org/x/net v0.3.0 // indirect
+	golang.org/x/net v0.5.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.28.1 // indirect
 )
diff --git a/actions/retest/go.sum b/actions/retest/go.sum
index 134ec4306..5138e091b 100644
--- a/actions/retest/go.sum
+++ b/actions/retest/go.sum
@@ -11,10 +11,10 @@ github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD
 github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
-golang.org/x/net v0.3.0 h1:VWL6FNY2bEEmsGVKabSlHu5Irp34xmMRoqb/9lF9lxk=
-golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
-golang.org/x/oauth2 v0.3.0 h1:6l90koy8/LaBLmLu8jpHeHexzMwEita0zFfYlggy2F8=
-golang.org/x/oauth2 v0.3.0/go.mod h1:rQrIauxkUhJ6CuwEXwymO2/eh4xz2ZWF1nBkcxS+tGk=
+golang.org/x/net v0.5.0 h1:GyT4nK/YDHSqa1c4753ouYCDajOYKTja9Xb/OHtgvSw=
+golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
+golang.org/x/oauth2 v0.4.0 h1:NF0gk8LVPg1Ml7SSbGyySuoxdsXitj7TvgvuRxIMc/M=
+golang.org/x/oauth2 v0.4.0/go.mod h1:RznEsdpjGAINPTOF0UH/t+xJ75L18YO3Ho6Pyn+uRec=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
diff --git a/actions/retest/vendor/modules.txt b/actions/retest/vendor/modules.txt
index fbd606f5c..3f715538b 100644
--- a/actions/retest/vendor/modules.txt
+++ b/actions/retest/vendor/modules.txt
@@ -7,11 +7,11 @@ github.com/google/go-github/github
 # github.com/google/go-querystring v1.1.0
 ## explicit; go 1.10
 github.com/google/go-querystring/query
-# golang.org/x/net v0.3.0
+# golang.org/x/net v0.5.0
 ## explicit; go 1.17
 golang.org/x/net/context
 golang.org/x/net/context/ctxhttp
-# golang.org/x/oauth2 v0.3.0
+# golang.org/x/oauth2 v0.4.0
 ## explicit; go 1.17
 golang.org/x/oauth2
 golang.org/x/oauth2/internal
diff --git a/charts/ceph-csi-cephfs/README.md b/charts/ceph-csi-cephfs/README.md
index cc89ded10..cd0696b6c 100644
--- a/charts/ceph-csi-cephfs/README.md
+++ b/charts/ceph-csi-cephfs/README.md
@@ -115,14 +115,17 @@ charts and their default values.
 | `provisioner.provisioner.image.repository`     | Specifies the csi-provisioner image repository URL                                                                                                   | `registry.k8s.io/sig-storage/csi-provisioner`      |
 | `provisioner.provisioner.image.tag`            | Specifies image tag                                                                                                                                  | `v3.3.0`                                           |
 | `provisioner.provisioner.image.pullPolicy`     | Specifies pull policy                                                                                                                                | `IfNotPresent`                                     |
+| `provisioner.provisioner.image.extraArgs`      | Specifies extra arguments for the provisioner sidecar                                                                                                                                | `[]`                                     |
 | `provisioner.resizer.image.repository`         | Specifies the csi-resizer image repository URL                                                                                                       | `registry.k8s.io/sig-storage/csi-resizer`          |
 | `provisioner.resizer.image.tag`                | Specifies image tag                                                                                                                                  | `v1.6.0`                                           |
 | `provisioner.resizer.image.pullPolicy`         | Specifies pull policy                                                                                                                                | `IfNotPresent`                                     |
+| `provisioner.resizer.image.extraArgs`          | Specifies extra arguments for the resizer sidecar                                                                                                                                | `[]`                                     |
 | `provisioner.resizer.name`                     | Specifies the name of csi-resizer sidecar                                                                                                            | `resizer`                                          |
 | `provisioner.resizer.enabled`                  | Specifies whether resizer sidecar is enabled                                                                                                         | `true`                                             |
 | `provisioner.snapshotter.image.repository`     | Specifies the csi-snapshotter image repository URL                                                                                                   | `registry.k8s.io/sig-storage/csi-snapshotter`      |
 | `provisioner.snapshotter.image.tag`            | Specifies image tag                                                                                                                                  | `v6.1.0`                                           |
 | `provisioner.snapshotter.image.pullPolicy`     | Specifies pull policy                                                                                                                                | `IfNotPresent`                                     |
+| `provisioner.snapshotter.image.extraArgs`      | Specifies extra arguments for the snapshotter sidecar                                                                                                                                | `[]`                                     |
 | `provisioner.nodeSelector`                     | Specifies the node selector for provisioner deployment                                                                                               | `{}`                                               |
 | `provisioner.tolerations`                      | Specifies the tolerations for provisioner deployment                                                                                                 | `{}`                                               |
 | `provisioner.affinity`                         | Specifies the affinity for provisioner deployment                                                                                                    | `{}`                                               |
diff --git a/charts/ceph-csi-cephfs/templates/provisioner-deployment.yaml b/charts/ceph-csi-cephfs/templates/provisioner-deployment.yaml
index 10feec7ea..13c083aba 100644
--- a/charts/ceph-csi-cephfs/templates/provisioner-deployment.yaml
+++ b/charts/ceph-csi-cephfs/templates/provisioner-deployment.yaml
@@ -67,6 +67,9 @@ spec:
             - "--extra-create-metadata=true"
             - "--feature-gates=HonorPVReclaimPolicy=true"
             - "--prevent-volume-mode-conversion=true"
+{{- range .Values.provisioner.provisioner.extraArgs }}
+            - "--{{ . }}"
+{{- end }}
           env:
             - name: ADDRESS
               value: "unix:///csi/{{ .Values.provisionerSocketFile }}"
@@ -84,6 +87,9 @@ spec:
             - "--timeout={{ .Values.provisioner.timeout }}"
             - "--leader-election=true"
             - "--extra-create-metadata=true"
+{{- range .Values.provisioner.snapshotter.extraArgs }}
+            - "--{{ . }}"
+{{- end }}
           env:
             - name: ADDRESS
               value: "unix:///csi/{{ .Values.provisionerSocketFile }}"
@@ -104,6 +110,9 @@ spec:
             - "--retry-interval-start=500ms"
             - "--handle-volume-inuse-error=false"
             - "--feature-gates=RecoverVolumeExpansionFailure=true"
+{{- range .Values.provisioner.resizer.extraArgs }}
+            - "--{{ . }}"
+{{- end }}
           env:
             - name: ADDRESS
               value: "unix:///csi/{{ .Values.provisionerSocketFile }}"
diff --git a/charts/ceph-csi-cephfs/values.yaml b/charts/ceph-csi-cephfs/values.yaml
index fb350c40e..dfcb2787c 100644
--- a/charts/ceph-csi-cephfs/values.yaml
+++ b/charts/ceph-csi-cephfs/values.yaml
@@ -177,6 +177,9 @@ provisioner:
       tag: v3.3.0
       pullPolicy: IfNotPresent
     resources: {}
+    ## For further options, check
+    ## https://github.com/kubernetes-csi/external-provisioner#command-line-options
+    extraArgs: []
 
   # set metadata on volume
   setmetadata: true
@@ -189,6 +192,9 @@ provisioner:
       tag: v1.6.0
       pullPolicy: IfNotPresent
     resources: {}
+    ## For further options, check
+    ## https://github.com/kubernetes-csi/external-resizer#recommended-optional-arguments
+    extraArgs: []
 
   snapshotter:
     image:
@@ -196,6 +202,9 @@ provisioner:
       tag: v6.1.0
       pullPolicy: IfNotPresent
     resources: {}
+    ## For further options, check
+    ## https://github.com/kubernetes-csi/external-snapshotter#csi-external-snapshotter-sidecar-command-line-options
+    extraArgs: []
 
   nodeSelector: {}
 
diff --git a/charts/ceph-csi-rbd/README.md b/charts/ceph-csi-rbd/README.md
index 5e6c52e9f..d7bc3de92 100644
--- a/charts/ceph-csi-rbd/README.md
+++ b/charts/ceph-csi-rbd/README.md
@@ -121,19 +121,23 @@ charts and their default values.
 | `provisioner.provisioner.image.repository`     | Specifies the csi-provisioner image repository URL                                                                                                   | `registry.k8s.io/sig-storage/csi-provisioner`           |
 | `provisioner.provisioner.image.tag`            | Specifies image tag                                                                                                                                  | `v3.3.0`                                           |
 | `provisioner.provisioner.image.pullPolicy`     | Specifies pull policy                                                                                                                                | `IfNotPresent`                                     |
+| `provisioner.provisioner.image.extraArgs`      | Specifies extra arguments for the provisioner sidecar                                                                                                                                | `[]`                                     |
 | `provisioner.attacher.image.repository`        | Specifies the csi-attacher image repository URL                                                                                                      | `registry.k8s.io/sig-storage/csi-attacher`              |
 | `provisioner.attacher.image.tag`               | Specifies image tag                                                                                                                                  | `v4.0.0`                                           |
 | `provisioner.attacher.image.pullPolicy`        | Specifies pull policy                                                                                                                                | `IfNotPresent`                                     |
+| `provisioner.attacher.image.extraArgs`         | Specifies extra arguments for the attacher sidecar                                                                                                                                | `[]`                                     |
 | `provisioner.attacher.name`                    | Specifies the name of csi-attacher sidecar                                                                                                           | `attacher`                                         |
 | `provisioner.attacher.enabled`                 | Specifies whether attacher sidecar is enabled                                                                                                        | `true`                                             |
 | `provisioner.resizer.image.repository`         | Specifies the csi-resizer image repository URL                                                                                                       | `registry.k8s.io/sig-storage/csi-resizer`               |
 | `provisioner.resizer.image.tag`                | Specifies image tag                                                                                                                                  | `v1.6.0`                                           |
 | `provisioner.resizer.image.pullPolicy`         | Specifies pull policy                                                                                                                                | `IfNotPresent`                                     |
+| `provisioner.resizer.image.extraArgs`          | Specifies extra arguments for the resizer sidecar                                                                                                                                | `[]`                                     |
 | `provisioner.resizer.name`                     | Specifies the name of csi-resizer sidecar                                                                                                            | `resizer`                                          |
 | `provisioner.resizer.enabled`                  | Specifies whether resizer sidecar is enabled                                                                                                         | `true`                                             |
 | `provisioner.snapshotter.image.repository`     | Specifies the csi-snapshotter image repository URL                                                                                                   | `registry.k8s.io/sig-storage/csi-snapshotter`          |
 | `provisioner.snapshotter.image.tag`            | Specifies image tag                                                                                                                                  | `v6.1.0`                                           |
 | `provisioner.snapshotter.image.pullPolicy`     | Specifies pull policy                                                                                                                                | `IfNotPresent`                                     |
+| `provisioner.snapshotter.image.extraArgs`      | Specifies extra arguments for the snapshotter sidecar                                                                                                                                | `[]`                                     |
 | `provisioner.nodeSelector`                     | Specifies the node selector for provisioner deployment                                                                                               | `{}`                                               |
 | `provisioner.tolerations`                      | Specifies the tolerations for provisioner deployment                                                                                                 | `{}`                                               |
 | `provisioner.affinity`                         | Specifies the affinity for provisioner deployment                                                                                                    | `{}`                                               |
diff --git a/charts/ceph-csi-rbd/templates/provisioner-deployment.yaml b/charts/ceph-csi-rbd/templates/provisioner-deployment.yaml
index a7acd1324..fc1f28cdf 100644
--- a/charts/ceph-csi-rbd/templates/provisioner-deployment.yaml
+++ b/charts/ceph-csi-rbd/templates/provisioner-deployment.yaml
@@ -70,6 +70,9 @@ spec:
             - "--prevent-volume-mode-conversion=true"
 {{- if .Values.topology.enabled }}
             - "--feature-gates=Topology=true"
+{{- end }}
+{{- range .Values.provisioner.provisioner.extraArgs }}
+            - "--{{ . }}"
 {{- end }}
           env:
             - name: ADDRESS
@@ -91,6 +94,9 @@ spec:
             - "--retry-interval-start=500ms"
             - "--handle-volume-inuse-error=false"
             - "--feature-gates=RecoverVolumeExpansionFailure=true"
+{{- range .Values.provisioner.resizer.extraArgs }}
+            - "--{{ . }}"
+{{- end }}
           env:
             - name: ADDRESS
               value: "unix:///csi/{{ .Values.provisionerSocketFile }}"
@@ -109,6 +115,9 @@ spec:
             - "--timeout={{ .Values.provisioner.timeout }}"
             - "--leader-election=true"
             - "--extra-create-metadata=true"
+{{- range .Values.provisioner.snapshotter.extraArgs }}
+            - "--{{ . }}"
+{{- end }}
           env:
             - name: ADDRESS
               value: "unix:///csi/{{ .Values.provisionerSocketFile }}"
@@ -127,6 +136,9 @@ spec:
             - "--leader-election=true"
             - "--retry-interval-start=500ms"
             - "--default-fstype=ext4"
+{{- range .Values.provisioner.attacher.extraArgs }}
+            - "--{{ . }}"
+{{- end }}
           env:
             - name: ADDRESS
               value: "unix:///csi/{{ .Values.provisionerSocketFile }}"
diff --git a/charts/ceph-csi-rbd/values.yaml b/charts/ceph-csi-rbd/values.yaml
index 5d7995f72..f7f2be2b4 100644
--- a/charts/ceph-csi-rbd/values.yaml
+++ b/charts/ceph-csi-rbd/values.yaml
@@ -210,6 +210,9 @@ provisioner:
       tag: v3.3.0
       pullPolicy: IfNotPresent
     resources: {}
+    ## For further options, check
+    ## https://github.com/kubernetes-csi/external-provisioner#command-line-options
+    extraArgs: []
 
   # set metadata on volume
   setmetadata: true
@@ -222,6 +225,9 @@ provisioner:
       tag: v4.0.0
       pullPolicy: IfNotPresent
     resources: {}
+    ## For further options, check
+    ## https://github.com/kubernetes-csi/external-attacher#command-line-options
+    extraArgs: []
 
   resizer:
     name: resizer
@@ -231,6 +237,9 @@ provisioner:
       tag: v1.6.0
       pullPolicy: IfNotPresent
     resources: {}
+    ## For further options, check
+    ## https://github.com/kubernetes-csi/external-resizer#recommended-optional-arguments
+    extraArgs: []
 
   snapshotter:
     image:
@@ -238,6 +247,9 @@ provisioner:
       tag: v6.1.0
       pullPolicy: IfNotPresent
     resources: {}
+    ## For further options, check
+    ## https://github.com/kubernetes-csi/external-snapshotter#csi-external-snapshotter-sidecar-command-line-options
+    extraArgs: []
 
   nodeSelector: {}
 
diff --git a/docs/deploy-cephfs.md b/docs/deploy-cephfs.md
index 4c01ec724..d90fcec2d 100644
--- a/docs/deploy-cephfs.md
+++ b/docs/deploy-cephfs.md
@@ -148,7 +148,7 @@ for more information.
 **Deploy Ceph configuration ConfigMap for CSI pods:**
 
 ```bash
-kubectl create -f ../../../example/ceph-config.yaml
+kubectl create -f ../../../examples/ceph-conf.yaml
 ```
 
 **Deploy CSI sidecar containers:**
diff --git a/go.mod b/go.mod
index 998cb5ec6..9612152a0 100644
--- a/go.mod
+++ b/go.mod
@@ -3,12 +3,12 @@ module github.com/ceph/ceph-csi
 go 1.18
 
 require (
-	github.com/IBM/keyprotect-go-client v0.9.1
-	github.com/aws/aws-sdk-go v1.44.146
-	github.com/aws/aws-sdk-go-v2/service/sts v1.17.6
+	github.com/IBM/keyprotect-go-client v0.9.2
+	github.com/aws/aws-sdk-go v1.44.172
+	github.com/aws/aws-sdk-go-v2/service/sts v1.17.7
 	github.com/ceph/ceph-csi/api v0.0.0-00010101000000-000000000000
 	// TODO: API for managing subvolume metadata and snapshot metadata requires `ceph_ci_untested` build-tag
-	github.com/ceph/go-ceph v0.18.0
+	github.com/ceph/go-ceph v0.19.0
 	github.com/container-storage-interface/spec v1.7.0
 	github.com/csi-addons/replication-lib-utils v0.2.0
 	github.com/csi-addons/spec v0.1.2-0.20221101132540-98eff76b0ff8
@@ -20,7 +20,7 @@ require (
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
 	github.com/hashicorp/vault/api v1.8.2
 	github.com/kubernetes-csi/csi-lib-utils v0.11.0
-	github.com/kubernetes-csi/external-snapshotter/client/v6 v6.1.0
+	github.com/kubernetes-csi/external-snapshotter/client/v6 v6.2.0
 	github.com/libopenstorage/secrets v0.0.0-20210908194121-a1d19aa9713a
 	github.com/onsi/ginkgo/v2 v2.4.0
 	github.com/onsi/gomega v1.23.0
@@ -28,12 +28,12 @@ require (
 	github.com/prometheus/client_golang v1.14.0
 	github.com/stretchr/testify v1.8.1
 	golang.org/x/crypto v0.4.0
-	golang.org/x/net v0.4.0
-	golang.org/x/sys v0.3.0
+	golang.org/x/net v0.5.0
+	golang.org/x/sys v0.4.0
 	google.golang.org/grpc v1.51.0
 	google.golang.org/protobuf v1.28.1
-	k8s.io/api v0.25.4
-	k8s.io/apimachinery v0.25.4
+	k8s.io/api v0.26.0
+	k8s.io/apimachinery v0.26.0
 	k8s.io/client-go v12.0.0+incompatible
 	k8s.io/cloud-provider v0.25.4
 	k8s.io/klog/v2 v2.80.1
@@ -52,10 +52,10 @@ require (
 	github.com/ansel1/merry/v2 v2.0.1 // indirect
 	github.com/armon/go-metrics v0.3.9 // indirect
 	github.com/armon/go-radix v1.0.0 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.17.2 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.26 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.20 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.20 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.17.3 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.27 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.21 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.21 // indirect
 	github.com/aws/smithy-go v1.13.5 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
@@ -149,8 +149,8 @@ require (
 	go.uber.org/multierr v1.8.0 // indirect
 	go.uber.org/zap v1.23.0 // indirect
 	golang.org/x/oauth2 v0.2.0 // indirect
-	golang.org/x/term v0.3.0 // indirect
-	golang.org/x/text v0.5.0 // indirect
+	golang.org/x/term v0.4.0 // indirect
+	golang.org/x/text v0.6.0 // indirect
 	golang.org/x/time v0.2.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
@@ -163,7 +163,7 @@ require (
 	k8s.io/apiserver v0.25.4 // indirect
 	k8s.io/component-base v0.25.4 // indirect
 	k8s.io/component-helpers v0.25.4 // indirect
-	k8s.io/kube-openapi v0.0.0-20220803164354-a70c9af30aea // indirect
+	k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect
 	k8s.io/kubectl v0.0.0 // indirect
 	k8s.io/kubelet v0.0.0 // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.33 // indirect
diff --git a/go.sum b/go.sum
index 00c18aba5..b4716a3f1 100644
--- a/go.sum
+++ b/go.sum
@@ -81,8 +81,8 @@ github.com/DataDog/datadog-go v2.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
 github.com/DataDog/zstd v1.4.4/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo=
 github.com/IBM/keyprotect-go-client v0.5.1/go.mod h1:5TwDM/4FRJq1ZOlwQL1xFahLWQ3TveR88VmL1u3njyI=
-github.com/IBM/keyprotect-go-client v0.9.1 h1:uoPmFX3voN/tH0o9+MdmGAI5/Bf1o25qv82QutQzvVU=
-github.com/IBM/keyprotect-go-client v0.9.1/go.mod h1:yr8h2noNgU8vcbs+vhqoXp3Lmv73PI0zAc6VMgFvWwM=
+github.com/IBM/keyprotect-go-client v0.9.2 h1:3fdmKVRl3gBWw6YJhPxLBJEHFbLhj/1v96qvevZdJdE=
+github.com/IBM/keyprotect-go-client v0.9.2/go.mod h1:yr8h2noNgU8vcbs+vhqoXp3Lmv73PI0zAc6VMgFvWwM=
 github.com/Jeffail/gabs v1.1.1 h1:V0uzR08Hj22EX8+8QMhyI9sX2hwRu+/RJhJUmnwda/E=
 github.com/Jeffail/gabs v1.1.1/go.mod h1:6xMvQMK4k33lb7GUUpaAPh6nKMmemQeg5d4gn7/bOXc=
 github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
@@ -140,18 +140,18 @@ github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:l
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/aws/aws-sdk-go v1.25.37/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go v1.25.41/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
-github.com/aws/aws-sdk-go v1.44.146 h1:7YdGgPxDPRJu/yYffzZp/H7yHzQ6AqmuNFZPYraaN8I=
-github.com/aws/aws-sdk-go v1.44.146/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
-github.com/aws/aws-sdk-go-v2 v1.17.2 h1:r0yRZInwiPBNpQ4aDy/Ssh3ROWsGtKDwar2JS8Lm+N8=
-github.com/aws/aws-sdk-go-v2 v1.17.2/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.26 h1:5WU31cY7m0tG+AiaXuXGoMzo2GBQ1IixtWa8Yywsgco=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.26/go.mod h1:2E0LdbJW6lbeU4uxjum99GZzI0ZjDpAb0CoSCM0oeEY=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.20 h1:WW0qSzDWoiWU2FS5DbKpxGilFVlCEJPwx4YtjdfI0Jw=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.20/go.mod h1:/+6lSiby8TBFpTVXZgKiN/rCfkYXEGvhlM4zCgPpt7w=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.20 h1:jlgyHbkZQAgAc7VIxJDmtouH8eNjOk2REVAQfVhdaiQ=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.20/go.mod h1:Xs52xaLBqDEKRcAfX/hgjmD3YQ7c/W+BEyfamlO/W2E=
-github.com/aws/aws-sdk-go-v2/service/sts v1.17.6 h1:VQFOLQVL3BrKM/NLO/7FiS4vcp5bqK0mGMyk09xLoAY=
-github.com/aws/aws-sdk-go-v2/service/sts v1.17.6/go.mod h1:Az3OXXYGyfNwQNsK/31L4R75qFYnO641RZGAoV3uH1c=
+github.com/aws/aws-sdk-go v1.44.172 h1:JwhHWVkU/UUq8b4kc2ETzoYg6UXlSslK1EthXcXY8kI=
+github.com/aws/aws-sdk-go v1.44.172/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
+github.com/aws/aws-sdk-go-v2 v1.17.3 h1:shN7NlnVzvDUgPQ+1rLMSxY8OWRNDRYtiqe0p/PgrhY=
+github.com/aws/aws-sdk-go-v2 v1.17.3/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.27 h1:I3cakv2Uy1vNmmhRQmFptYDxOvBnwCdNwyw63N0RaRU=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.27/go.mod h1:a1/UpzeyBBerajpnP5nGZa9mGzsBn5cOKxm6NWQsvoI=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.21 h1:5NbbMrIzmUn/TXFqAle6mgrH5m9cOvMLRGL7pnG8tRE=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.21/go.mod h1:+Gxn8jYn5k9ebfHEqlhrMirFjSW0v0C9fI+KN5vk2kE=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.21 h1:5C6XgTViSb0bunmU57b3CT+MhxULqHH2721FVA+/kDM=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.21/go.mod h1:lRToEJsn+DRA9lW4O9L9+/3hjTkUzlzyzHqn8MTds5k=
+github.com/aws/aws-sdk-go-v2/service/sts v1.17.7 h1:9Mtq1KM6nD8/+HStvWcvYnixJ5N85DX+P+OY3kI3W2k=
+github.com/aws/aws-sdk-go-v2/service/sts v1.17.7/go.mod h1:+lGbb3+1ugwKrNTWcf2RT05Xmp543B06zDFTwiTLp7I=
 github.com/aws/smithy-go v1.13.5 h1:hgz0X/DX0dGqTYpGALqXJoRKRj5oQ7150i5FdTePzO8=
 github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
 github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f/go.mod h1:AuiFmCCPBSrqvVMvuqFuk0qogytodnVFVSN5CeJB8Gc=
@@ -178,8 +178,8 @@ github.com/cenkalti/backoff/v3 v3.0.0 h1:ske+9nBpD9qZsTBoF41nW5L+AIuFBKMeze18XQ3
 github.com/cenkalti/backoff/v3 v3.0.0/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/centrify/cloud-golang-sdk v0.0.0-20190214225812-119110094d0f/go.mod h1:C0rtzmGXgN78pYR0tGJFhtHgkbAs0lIbHwkB81VxDQE=
-github.com/ceph/go-ceph v0.18.0 h1:4WM6yAq/iqBDaeeADDiPKLqKiP0iZ4fffdgCr1lnOL4=
-github.com/ceph/go-ceph v0.18.0/go.mod h1:cflETVTBNAQM6jdr7hpNHHFHKYiJiWWcAeRDrRx/1ng=
+github.com/ceph/go-ceph v0.19.0 h1:cl5apHt98pCWSoUStiLdl7Mlk3ke8fUGF4HI66Nxy/A=
+github.com/ceph/go-ceph v0.19.0/go.mod h1:sdTcqdDeIPWX3TaR5HCi5YtT+BliI6fFvvWP6Io7VQE=
 github.com/certifi/gocertifi v0.0.0-20191021191039-0944d244cd40/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA=
 github.com/certifi/gocertifi v0.0.0-20200922220541-2c3bb06c6054/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
@@ -371,7 +371,7 @@ github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3a
 github.com/go-yaml/yaml v2.1.0+incompatible/go.mod h1:w2MrLa16VYP0jy6N7M5kHaCkaLENm+P+Tv+MfurjSw0=
 github.com/gocql/gocql v0.0.0-20190402132108-0e1d5de854df/go.mod h1:4Fw1eo5iaEhDUs8XyuhSVCVy52Jq3L+/3GJgYkwc+/0=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/gofrs/uuid v4.3.0+incompatible h1:CaSVZxm5B+7o45rtab4jC2G37WGYX1zQfuU2i6DSvnc=
+github.com/gofrs/uuid v4.3.1+incompatible h1:0/KbAdpx3UXAx1kEOWHJeOkpbgRFGHVgv+CFIY7dBJI=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
@@ -737,8 +737,8 @@ github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kubernetes-csi/csi-lib-utils v0.11.0 h1:FHWOBtAZBA/hVk7v/qaXgG9Sxv0/n06DebPFuDwumqg=
 github.com/kubernetes-csi/csi-lib-utils v0.11.0/go.mod h1:BmGZZB16L18+9+Lgg9YWwBKfNEHIDdgGfAyuW6p2NV0=
 github.com/kubernetes-csi/external-snapshotter/client/v4 v4.0.0/go.mod h1:YBCo4DoEeDndqvAn6eeu0vWM7QdXmHEeI9cFWplmBys=
-github.com/kubernetes-csi/external-snapshotter/client/v6 v6.1.0 h1:yeuon3bOuOADwiWl2CyYrU4vbmYbAzGLCTscE1yLNHk=
-github.com/kubernetes-csi/external-snapshotter/client/v6 v6.1.0/go.mod h1:eVY6gNtSrhsblGAqKFDG3CrkCLFAjsDvOpPpt+EaS6k=
+github.com/kubernetes-csi/external-snapshotter/client/v6 v6.2.0 h1:cMM5AB37e9aRGjErygVT6EuBPB6s5a+l95OPERmSlVM=
+github.com/kubernetes-csi/external-snapshotter/client/v6 v6.2.0/go.mod h1:VQVLCPGDX5l6V5PezjlDXLa+SpCbWSVU7B16cFWVVeE=
 github.com/layeh/radius v0.0.0-20190322222518-890bc1058917/go.mod h1:fywZKyu//X7iRzaxLgPWsvc0L26IUpVvE/aeIL2JtIQ=
 github.com/lib/pq v1.2.0 h1:LXpIM/LZ5xGFhOpXAQUIMM1HdyqzVYM13zNdjCEEcA0=
 github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
@@ -1241,8 +1241,8 @@ golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su
 golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
-golang.org/x/net v0.4.0 h1:Q5QPcMlvfxFTAPV0+07Xz/MpK9NTXu2VDUuy0FeMfaU=
-golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
+golang.org/x/net v0.5.0 h1:GyT4nK/YDHSqa1c4753ouYCDajOYKTja9Xb/OHtgvSw=
+golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181203162652-d668ce993890/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190130055435-99b60b757ec1/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1367,15 +1367,15 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
-golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.4.0 h1:Zr2JFtRQNX3BCZ8YtxRE9hNJYC8J6I1MVbMg6owUp18=
+golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210422114643-f5beecf764ed/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.3.0 h1:qoo4akIqOcDME5bhc/NgxUdovd6BSS2uMsVjB56q1xI=
-golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
+golang.org/x/term v0.4.0 h1:O7UWfv5+A2qiuulQk30kVinPoMtoIPeVaKLEgLpVkvg=
+golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1387,8 +1387,8 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM=
-golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.6.0 h1:3XmdazWV+ubf7QgHSTWeykHOci5oeekaGJBLkrkaw4k=
+golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -1726,8 +1726,8 @@ k8s.io/klog/v2 v2.80.1 h1:atnLQ121W371wYYFawwYx1aEY2eUfs4l3J72wtgAwV4=
 k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
 k8s.io/kube-openapi v0.0.0-20180731170545-e3762e86a74c/go.mod h1:BXM9ceUBTj2QnfH2MK1odQs778ajze1RxcmP6S8RVVc=
 k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1/go.mod h1:C/N6wCaBHeBHkHUesQOQy2/MZqGgMAFPqGsGQLdbZBU=
-k8s.io/kube-openapi v0.0.0-20220803164354-a70c9af30aea h1:3QOH5+2fGsY8e1qf+GIFpg+zw/JGNrgyZRQR7/m6uWg=
-k8s.io/kube-openapi v0.0.0-20220803164354-a70c9af30aea/go.mod h1:C/N6wCaBHeBHkHUesQOQy2/MZqGgMAFPqGsGQLdbZBU=
+k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 h1:+70TFaan3hfJzs+7VK2o+OGxg8HsuBr/5f6tVAjDu6E=
+k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4=
 k8s.io/kubectl v0.25.4 h1:O3OA1z4V1ZyvxCvScjq0pxAP7ABgznr8UvnVObgI6Dc=
 k8s.io/kubectl v0.25.4/go.mod h1:CKMrQ67Bn2YCP26tZStPQGq62zr9pvzEf65A0navm8k=
 k8s.io/kubelet v0.25.4 h1:24MmTTQGBHr08UkMYFC/RaLjuiMREM53HfRgJKWRquI=
diff --git a/internal/rbd/nodeserver.go b/internal/rbd/nodeserver.go
index 4dfdf035b..b0cc5ecdc 100644
--- a/internal/rbd/nodeserver.go
+++ b/internal/rbd/nodeserver.go
@@ -200,6 +200,8 @@ func populateRbdVol(
 		}
 	}
 
+	rv.DisableInUseChecks = disableInUseChecks
+
 	err = rv.Connect(cr)
 	if err != nil {
 		log.ErrorLog(ctx, "failed to connect to volume %s: %v", rv, err)
diff --git a/scripts/k8s-storage/create-configmap.sh b/scripts/k8s-storage/create-configmap.sh
index c236f3da5..78828e0a8 100755
--- a/scripts/k8s-storage/create-configmap.sh
+++ b/scripts/k8s-storage/create-configmap.sh
@@ -20,7 +20,7 @@ NAMESPACE="${1}"
 set -e
 
 TOOLBOX_POD=$(kubectl -n rook-ceph get pods -l app=rook-ceph-tools -o=jsonpath='{.items[0].metadata.name}')
-FS_ID=$(kubectl -n rook-ceph exec "${TOOLBOX_POD}" ceph fsid)
+FS_ID=$(kubectl -n rook-ceph exec "${TOOLBOX_POD}" -- ceph fsid)
 MONITOR=$(kubectl -n rook-ceph get services -l app=rook-ceph-mon -o=jsonpath='{.items[0].spec.clusterIP}:{.items[0].spec.ports[0].port}')
 
 # in case the ConfigMap already exists, remove it before recreating
diff --git a/scripts/k8s-storage/create-storageclasses.sh b/scripts/k8s-storage/create-storageclasses.sh
index 326705572..975fa88c9 100755
--- a/scripts/k8s-storage/create-storageclasses.sh
+++ b/scripts/k8s-storage/create-storageclasses.sh
@@ -18,7 +18,7 @@ set -e
 WORKDIR=$(dirname "${0}")
 
 TOOLBOX_POD=$(kubectl -n rook-ceph get pods --no-headers -l app=rook-ceph-tools -o=jsonpath='{.items[0].metadata.name}')
-FS_ID=$(kubectl -n rook-ceph exec "${TOOLBOX_POD}" ceph fsid)
+FS_ID=$(kubectl -n rook-ceph exec "${TOOLBOX_POD}" -- ceph fsid)
 
 for sc in "${WORKDIR}"/sc-*.yaml.in
 do
diff --git a/scripts/minikube.sh b/scripts/minikube.sh
index 0b45b943a..b2e26f147 100755
--- a/scripts/minikube.sh
+++ b/scripts/minikube.sh
@@ -85,7 +85,7 @@ function install_minikube() {
     fi
 
     echo "Installing minikube. Version: ${MINIKUBE_VERSION}"
-    curl -Lo minikube https://storage.googleapis.com/minikube/releases/"${MINIKUBE_VERSION}"/minikube-linux-"${MINIKUBE_ARCH}" && chmod +x minikube && mv minikube /usr/local/bin/
+    curl -Lo minikube https://storage.googleapis.com/minikube/releases/"${MINIKUBE_VERSION}"/minikube-linux-"${MINIKUBE_ARCH}" && chmod +x minikube && sudo mv minikube /usr/local/bin/
 }
 
 function detect_kubectl() {
diff --git a/vendor/github.com/IBM/keyprotect-go-client/.bumpversion.cfg b/vendor/github.com/IBM/keyprotect-go-client/.bumpversion.cfg
index 8c4ca48bc..1c886f04e 100644
--- a/vendor/github.com/IBM/keyprotect-go-client/.bumpversion.cfg
+++ b/vendor/github.com/IBM/keyprotect-go-client/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.9.1
+current_version = 0.9.2
 commit = True
 message = Update version {current_version} -> {new_version} [skip ci]
 
diff --git a/vendor/github.com/IBM/keyprotect-go-client/CHANGELOG.md b/vendor/github.com/IBM/keyprotect-go-client/CHANGELOG.md
index fbbded89c..350210f0e 100644
--- a/vendor/github.com/IBM/keyprotect-go-client/CHANGELOG.md
+++ b/vendor/github.com/IBM/keyprotect-go-client/CHANGELOG.md
@@ -1,3 +1,10 @@
+## [0.9.2](https://github.com/IBM/keyprotect-go-client/compare/v0.9.1...v0.9.2) (2022-12-14)
+
+
+### Bug Fixes
+
+* **build:**  Support for Custom-Header ([#102](https://github.com/IBM/keyprotect-go-client/issues/102)) & wrap() with key version ([d6df84a](https://github.com/IBM/keyprotect-go-client/commit/d6df84af4c56ddcb1543eb91151942db5d5f1d28))
+
 ## [0.9.1](https://github.com/IBM/keyprotect-go-client/compare/v0.9.0...v0.9.1) (2022-12-06)
 
 
diff --git a/vendor/github.com/IBM/keyprotect-go-client/README.md b/vendor/github.com/IBM/keyprotect-go-client/README.md
index 32498649e..7203faf12 100644
--- a/vendor/github.com/IBM/keyprotect-go-client/README.md
+++ b/vendor/github.com/IBM/keyprotect-go-client/README.md
@@ -1,4 +1,4 @@
-# IBM Cloud Go SDK Version 0.9.1
+# IBM Cloud Go SDK Version 0.9.2
 
 # keyprotect-go-client
 
@@ -341,3 +341,34 @@ if err != nil {
 }
 fmt.Println(keys)
 ```
+
+### Support for Adding Custom Header
+
+
+1) From ServiceClient (For Every API Call)
+```go
+cc := kp.ClientConfig{
+    BaseURL:    "BASE_URL",
+    APIKey:     "API_KEY",
+    InstanceID: "INSTANCE_ID",
+    Headers: http.Header{
+      "Custom-Header":  {"Custom-Value"},
+    },
+  }
+```
+
+2) From ServiceCall (Per API Call)
+
+* Define Header just before the API Call and Empty out when done.
+
+```go
+client.Config.Headers = make(http.Header))
+client.Config.Headers.Set("Custom-Header", "Custom-Header-Value")
+
+key, err := client.CreateKey(params)
+  if err != nil {
+    panic(err)
+  }
+
+client.Config.Headers = http.Header{}
+```
\ No newline at end of file
diff --git a/vendor/github.com/IBM/keyprotect-go-client/keys.go b/vendor/github.com/IBM/keyprotect-go-client/keys.go
index a8671578b..3e6b63555 100644
--- a/vendor/github.com/IBM/keyprotect-go-client/keys.go
+++ b/vendor/github.com/IBM/keyprotect-go-client/keys.go
@@ -112,13 +112,20 @@ type KeyVersions struct {
 // KeysActionRequest represents request parameters for a key action
 // API call.
 type KeysActionRequest struct {
-	PlainText           string   `json:"plaintext,omitempty"`
-	AAD                 []string `json:"aad,omitempty"`
-	CipherText          string   `json:"ciphertext,omitempty"`
-	Payload             string   `json:"payload,omitempty"`
-	EncryptedNonce      string   `json:"encryptedNonce,omitempty"`
-	IV                  string   `json:"iv,omitempty"`
-	EncryptionAlgorithm string   `json:"encryptionAlgorithm,omitempty"`
+	PlainText           string      `json:"plaintext,omitempty"`
+	AAD                 []string    `json:"aad,omitempty"`
+	CipherText          string      `json:"ciphertext,omitempty"`
+	Payload             string      `json:"payload,omitempty"`
+	EncryptedNonce      string      `json:"encryptedNonce,omitempty"`
+	IV                  string      `json:"iv,omitempty"`
+	EncryptionAlgorithm string      `json:"encryptionAlgorithm,omitempty"`
+	KeyVersion          *KeyVersion `json:"keyVersion,,omitempty"`
+}
+
+type KeyActionResponse struct {
+	PlainText  string      `json:"plaintext,omitempty"`
+	CipherText string      `json:"ciphertext,omitempty"`
+	KeyVersion *KeyVersion `json:"keyVersion,,omitempty"`
 }
 
 type KeyVersion struct {
@@ -548,6 +555,43 @@ func (c *Client) wrap(ctx context.Context, idOrAlias string, plainText []byte, a
 	return pt, ct, nil
 }
 
+// WrapWithKeyVersion function supports KeyVersion Details, PlainText and Cyphertext in response
+func (c *Client) WrapV2(ctx context.Context, idOrAlias string, plainText []byte, additionalAuthData *[]string) (*KeyActionResponse, error) {
+	keysActionReq := &KeysActionRequest{}
+	keyActionRes := &KeyActionResponse{}
+
+	if plainText != nil {
+		_, err := base64.StdEncoding.DecodeString(string(plainText))
+		if err != nil {
+			return keyActionRes, err
+		}
+		keysActionReq.PlainText = string(plainText)
+	}
+
+	if additionalAuthData != nil {
+		keysActionReq.AAD = *additionalAuthData
+	}
+
+	keysAction, err := c.doKeysAction(ctx, idOrAlias, "wrap", keysActionReq)
+	if err != nil {
+		return keyActionRes, err
+	}
+
+	keyActionRes = &KeyActionResponse{
+		PlainText:  keysAction.PlainText,
+		CipherText: keysAction.CipherText,
+	}
+	if keysAction.KeyVersion != nil {
+		keyActionRes.KeyVersion = &KeyVersion{
+			ID: keysAction.KeyVersion.ID,
+		}
+		if keysAction.KeyVersion.CreationDate != nil {
+			keyActionRes.KeyVersion.CreationDate = keysAction.KeyVersion.CreationDate
+		}
+	}
+	return keyActionRes, nil
+}
+
 // Unwrap is deprecated since it returns only plaintext and doesn't know how to handle rotation.
 func (c *Client) Unwrap(ctx context.Context, idOrAlias string, cipherText []byte, additionalAuthData *[]string) ([]byte, error) {
 	plainText, _, err := c.UnwrapV2(ctx, idOrAlias, cipherText, additionalAuthData)
diff --git a/vendor/github.com/IBM/keyprotect-go-client/kp.go b/vendor/github.com/IBM/keyprotect-go-client/kp.go
index bcadb064b..976324f62 100644
--- a/vendor/github.com/IBM/keyprotect-go-client/kp.go
+++ b/vendor/github.com/IBM/keyprotect-go-client/kp.go
@@ -71,13 +71,14 @@ type ctxKey string
 // ClientConfig ...
 type ClientConfig struct {
 	BaseURL       string
-	Authorization string  // The IBM Cloud (Bluemix) access token
-	APIKey        string  // Service ID API key, can be used instead of an access token
-	TokenURL      string  // The URL used to get an access token from the API key
-	InstanceID    string  // The IBM Cloud (Bluemix) instance ID that identifies your Key Protect service instance.
-	KeyRing       string  // The ID of the target Key Ring the key is associated with. It is optional but recommended for better performance.
-	Verbose       int     // See verbose values above
-	Timeout       float64 // KP request timeout in seconds.
+	Authorization string      // The IBM Cloud (Bluemix) access token
+	APIKey        string      // Service ID API key, can be used instead of an access token
+	TokenURL      string      // The URL used to get an access token from the API key
+	InstanceID    string      // The IBM Cloud (Bluemix) instance ID that identifies your Key Protect service instance.
+	KeyRing       string      // The ID of the target Key Ring the key is associated with. It is optional but recommended for better performance.
+	Verbose       int         // See verbose values above
+	Timeout       float64     // KP request timeout in seconds.
+	Headers       http.Header // Support for Custom Header
 }
 
 // DefaultTransport ...
@@ -255,6 +256,12 @@ func (c *Client) do(ctx context.Context, req *http.Request, res interface{}) (*h
 	if c.Config.KeyRing != "" {
 		req.Header.Set("x-kms-key-ring", c.Config.KeyRing)
 	}
+	// Adding check for Custom Header Input
+	if c.Config.Headers != nil {
+		for key, value := range c.Config.Headers {
+			req.Header.Set(key, strings.Join(value, ","))
+		}
+	}
 
 	// set request up to be retryable on 500-level http codes and client errors
 	retryableClient := getRetryableClient(&c.HttpClient)
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go
index 6d936cd50..37c643dd3 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go
@@ -3,4 +3,4 @@
 package aws
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.17.2"
+const goModuleVersion = "1.17.3"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md
index 41d589b38..cffa7288a 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md
@@ -1,3 +1,7 @@
+# v1.1.27 (2022-12-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.1.26 (2022-12-02)
 
 * **Dependency Update**: Updated to the latest SDK module versions
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go
index 58b3ba7ad..b47c6baa0 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go
@@ -3,4 +3,4 @@
 package configsources
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.1.26"
+const goModuleVersion = "1.1.27"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md
index 678f6634f..fb3d33ff5 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md
@@ -1,3 +1,7 @@
+# v2.4.21 (2022-12-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v2.4.20 (2022-12-02)
 
 * **Dependency Update**: Updated to the latest SDK module versions
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go
index ec010e0aa..e6a8286db 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go
@@ -3,4 +3,4 @@
 package endpoints
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "2.4.20"
+const goModuleVersion = "2.4.21"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md
index a2dfc457c..ae9ae243f 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md
@@ -1,3 +1,7 @@
+# v1.9.21 (2022-12-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.9.20 (2022-12-02)
 
 * **Dependency Update**: Updated to the latest SDK module versions
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go
index 3b99e9c4f..c49853b92 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go
@@ -3,4 +3,4 @@
 package presignedurl
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.9.20"
+const goModuleVersion = "1.9.21"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md
index 106016915..ae6b48542 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md
@@ -1,3 +1,7 @@
+# v1.17.7 (2022-12-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.17.6 (2022-12-02)
 
 * **Dependency Update**: Updated to the latest SDK module versions
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go
index ae6f9e766..b06e9398e 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go
@@ -3,4 +3,4 @@
 package sts
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.17.6"
+const goModuleVersion = "1.17.7"
diff --git a/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go b/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go
index a1417674e..917df74ae 100644
--- a/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go
@@ -663,6 +663,9 @@ var awsPartition = partition{
 					},
 					Deprecated: boxedTrue,
 				},
+				endpointKey{
+					Region: "me-central-1",
+				}: endpoint{},
 				endpointKey{
 					Region: "me-south-1",
 				}: endpoint{},
@@ -927,6 +930,25 @@ var awsPartition = partition{
 				}: endpoint{},
 			},
 		},
+		"aoss": service{
+			Endpoints: serviceEndpoints{
+				endpointKey{
+					Region: "ap-northeast-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "eu-west-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "us-east-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "us-east-2",
+				}: endpoint{},
+				endpointKey{
+					Region: "us-west-2",
+				}: endpoint{},
+			},
+		},
 		"api.detective": service{
 			Defaults: endpointDefaults{
 				defaultKey{}: endpoint{
@@ -1456,6 +1478,26 @@ var awsPartition = partition{
 				},
 			},
 		},
+		"api.ecr-public": service{
+			Endpoints: serviceEndpoints{
+				endpointKey{
+					Region: "us-east-1",
+				}: endpoint{
+					Hostname: "api.ecr-public.us-east-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "us-east-1",
+					},
+				},
+				endpointKey{
+					Region: "us-west-2",
+				}: endpoint{
+					Hostname: "api.ecr-public.us-west-2.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "us-west-2",
+					},
+				},
+			},
+		},
 		"api.elastic-inference": service{
 			Endpoints: serviceEndpoints{
 				endpointKey{
@@ -1789,6 +1831,9 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "eu-west-3",
 				}: endpoint{},
+				endpointKey{
+					Region: "me-central-1",
+				}: endpoint{},
 				endpointKey{
 					Region: "me-south-1",
 				}: endpoint{},
@@ -2973,6 +3018,9 @@ var awsPartition = partition{
 					},
 					Deprecated: boxedTrue,
 				},
+				endpointKey{
+					Region: "sa-east-1",
+				}: endpoint{},
 				endpointKey{
 					Region: "us-east-1",
 				}: endpoint{},
@@ -3123,6 +3171,37 @@ var awsPartition = partition{
 				}: endpoint{},
 			},
 		},
+		"arc-zonal-shift": service{
+			Endpoints: serviceEndpoints{
+				endpointKey{
+					Region: "ap-northeast-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "ap-southeast-2",
+				}: endpoint{},
+				endpointKey{
+					Region: "ap-southeast-3",
+				}: endpoint{},
+				endpointKey{
+					Region: "eu-central-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "eu-north-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "eu-west-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "us-east-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "us-east-2",
+				}: endpoint{},
+				endpointKey{
+					Region: "us-west-2",
+				}: endpoint{},
+			},
+		},
 		"athena": service{
 			Endpoints: serviceEndpoints{
 				endpointKey{
@@ -4522,6 +4601,9 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "eu-central-1",
 				}: endpoint{},
+				endpointKey{
+					Region: "eu-central-2",
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-north-1",
 				}: endpoint{},
@@ -4909,6 +4991,17 @@ var awsPartition = partition{
 				},
 			},
 		},
+		"codecatalyst": service{
+			PartitionEndpoint: "aws-global",
+			IsRegionalized:    boxedFalse,
+			Endpoints: serviceEndpoints{
+				endpointKey{
+					Region: "aws-global",
+				}: endpoint{
+					Hostname: "codecatalyst.global.api.aws",
+				},
+			},
+		},
 		"codecommit": service{
 			Endpoints: serviceEndpoints{
 				endpointKey{
@@ -5548,6 +5641,9 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "eu-north-1",
 				}: endpoint{},
+				endpointKey{
+					Region: "eu-south-1",
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-west-1",
 				}: endpoint{},
@@ -5648,6 +5744,9 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "eu-north-1",
 				}: endpoint{},
+				endpointKey{
+					Region: "eu-south-1",
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-west-1",
 				}: endpoint{},
@@ -7474,6 +7573,9 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "eu-west-3",
 				}: endpoint{},
+				endpointKey{
+					Region: "me-central-1",
+				}: endpoint{},
 				endpointKey{
 					Region: "me-south-1",
 				}: endpoint{},
@@ -9204,6 +9306,15 @@ var awsPartition = partition{
 				}: endpoint{
 					Hostname: "elasticfilesystem-fips.eu-central-1.amazonaws.com",
 				},
+				endpointKey{
+					Region: "eu-central-2",
+				}: endpoint{},
+				endpointKey{
+					Region:  "eu-central-2",
+					Variant: fipsVariant,
+				}: endpoint{
+					Hostname: "elasticfilesystem-fips.eu-central-2.amazonaws.com",
+				},
 				endpointKey{
 					Region: "eu-north-1",
 				}: endpoint{},
@@ -9348,6 +9459,15 @@ var awsPartition = partition{
 					},
 					Deprecated: boxedTrue,
 				},
+				endpointKey{
+					Region: "fips-eu-central-2",
+				}: endpoint{
+					Hostname: "elasticfilesystem-fips.eu-central-2.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "eu-central-2",
+					},
+					Deprecated: boxedTrue,
+				},
 				endpointKey{
 					Region: "fips-eu-north-1",
 				}: endpoint{
@@ -11641,12 +11761,18 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "ap-northeast-1",
 				}: endpoint{},
+				endpointKey{
+					Region: "ap-south-1",
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-southeast-1",
 				}: endpoint{},
 				endpointKey{
 					Region: "ap-southeast-2",
 				}: endpoint{},
+				endpointKey{
+					Region: "ca-central-1",
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-central-1",
 				}: endpoint{},
@@ -11656,6 +11782,12 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "eu-west-1",
 				}: endpoint{},
+				endpointKey{
+					Region: "eu-west-2",
+				}: endpoint{},
+				endpointKey{
+					Region: "sa-east-1",
+				}: endpoint{},
 				endpointKey{
 					Region: "us-east-1",
 				}: endpoint{},
@@ -12057,22 +12189,6 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "ca-central-1",
 				}: endpoint{},
-				endpointKey{
-					Region: "dataplane-ap-south-1",
-				}: endpoint{
-					Hostname: "greengrass-ats.iot.ap-south-1.amazonaws.com",
-					CredentialScope: credentialScope{
-						Region: "ap-south-1",
-					},
-				},
-				endpointKey{
-					Region: "dataplane-us-east-2",
-				}: endpoint{
-					Hostname: "greengrass-ats.iot.us-east-2.amazonaws.com",
-					CredentialScope: credentialScope{
-						Region: "us-east-2",
-					},
-				},
 				endpointKey{
 					Region: "eu-central-1",
 				}: endpoint{},
@@ -12219,6 +12335,9 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "eu-central-1",
 				}: endpoint{},
+				endpointKey{
+					Region: "eu-central-2",
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-north-1",
 				}: endpoint{},
@@ -12475,12 +12594,18 @@ var awsPartition = partition{
 		},
 		"identitystore": service{
 			Endpoints: serviceEndpoints{
+				endpointKey{
+					Region: "af-south-1",
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-northeast-1",
 				}: endpoint{},
 				endpointKey{
 					Region: "ap-northeast-2",
 				}: endpoint{},
+				endpointKey{
+					Region: "ap-northeast-3",
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-south-1",
 				}: endpoint{},
@@ -12490,6 +12615,9 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "ap-southeast-2",
 				}: endpoint{},
+				endpointKey{
+					Region: "ap-southeast-3",
+				}: endpoint{},
 				endpointKey{
 					Region: "ca-central-1",
 				}: endpoint{},
@@ -12499,12 +12627,21 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "eu-north-1",
 				}: endpoint{},
+				endpointKey{
+					Region: "eu-south-1",
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-west-1",
 				}: endpoint{},
 				endpointKey{
 					Region: "eu-west-2",
 				}: endpoint{},
+				endpointKey{
+					Region: "eu-west-3",
+				}: endpoint{},
+				endpointKey{
+					Region: "sa-east-1",
+				}: endpoint{},
 				endpointKey{
 					Region: "us-east-1",
 				}: endpoint{},
@@ -13769,6 +13906,9 @@ var awsPartition = partition{
 		},
 		"kendra": service{
 			Endpoints: serviceEndpoints{
+				endpointKey{
+					Region: "ap-south-1",
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-southeast-1",
 				}: endpoint{},
@@ -14292,6 +14432,15 @@ var awsPartition = partition{
 					},
 					Deprecated: boxedTrue,
 				},
+				endpointKey{
+					Region: "ap-southeast-4-fips",
+				}: endpoint{
+					Hostname: "kms-fips.ap-southeast-4.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "ap-southeast-4",
+					},
+					Deprecated: boxedTrue,
+				},
 				endpointKey{
 					Region: "ca-central-1",
 				}: endpoint{},
@@ -15137,6 +15286,121 @@ var awsPartition = partition{
 				},
 			},
 		},
+		"license-manager-linux-subscriptions": service{
+			Endpoints: serviceEndpoints{
+				endpointKey{
+					Region: "ap-northeast-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "ap-northeast-2",
+				}: endpoint{},
+				endpointKey{
+					Region: "ap-northeast-3",
+				}: endpoint{},
+				endpointKey{
+					Region: "ap-south-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "ap-southeast-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "ap-southeast-2",
+				}: endpoint{},
+				endpointKey{
+					Region: "ca-central-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "eu-central-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "eu-north-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "eu-west-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "eu-west-2",
+				}: endpoint{},
+				endpointKey{
+					Region: "eu-west-3",
+				}: endpoint{},
+				endpointKey{
+					Region: "fips-us-east-1",
+				}: endpoint{
+					Hostname: "license-manager-linux-subscriptions-fips.us-east-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "us-east-1",
+					},
+					Deprecated: boxedTrue,
+				},
+				endpointKey{
+					Region: "fips-us-east-2",
+				}: endpoint{
+					Hostname: "license-manager-linux-subscriptions-fips.us-east-2.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "us-east-2",
+					},
+					Deprecated: boxedTrue,
+				},
+				endpointKey{
+					Region: "fips-us-west-1",
+				}: endpoint{
+					Hostname: "license-manager-linux-subscriptions-fips.us-west-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "us-west-1",
+					},
+					Deprecated: boxedTrue,
+				},
+				endpointKey{
+					Region: "fips-us-west-2",
+				}: endpoint{
+					Hostname: "license-manager-linux-subscriptions-fips.us-west-2.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "us-west-2",
+					},
+					Deprecated: boxedTrue,
+				},
+				endpointKey{
+					Region: "sa-east-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "us-east-1",
+				}: endpoint{},
+				endpointKey{
+					Region:  "us-east-1",
+					Variant: fipsVariant,
+				}: endpoint{
+					Hostname: "license-manager-linux-subscriptions-fips.us-east-1.amazonaws.com",
+				},
+				endpointKey{
+					Region: "us-east-2",
+				}: endpoint{},
+				endpointKey{
+					Region:  "us-east-2",
+					Variant: fipsVariant,
+				}: endpoint{
+					Hostname: "license-manager-linux-subscriptions-fips.us-east-2.amazonaws.com",
+				},
+				endpointKey{
+					Region: "us-west-1",
+				}: endpoint{},
+				endpointKey{
+					Region:  "us-west-1",
+					Variant: fipsVariant,
+				}: endpoint{
+					Hostname: "license-manager-linux-subscriptions-fips.us-west-1.amazonaws.com",
+				},
+				endpointKey{
+					Region: "us-west-2",
+				}: endpoint{},
+				endpointKey{
+					Region:  "us-west-2",
+					Variant: fipsVariant,
+				}: endpoint{
+					Hostname: "license-manager-linux-subscriptions-fips.us-west-2.amazonaws.com",
+				},
+			},
+		},
 		"license-manager-user-subscriptions": service{
 			Endpoints: serviceEndpoints{
 				endpointKey{
@@ -15538,6 +15802,10 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "ca-central-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ca-central-1",
+					Variant: fipsVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-central-1",
 				}: endpoint{},
@@ -15550,15 +15818,41 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "eu-west-3",
 				}: endpoint{},
+				endpointKey{
+					Region: "fips-ca-central-1",
+				}: endpoint{
+
+					Deprecated: boxedTrue,
+				},
+				endpointKey{
+					Region: "fips-us-east-1",
+				}: endpoint{
+
+					Deprecated: boxedTrue,
+				},
+				endpointKey{
+					Region: "fips-us-west-2",
+				}: endpoint{
+
+					Deprecated: boxedTrue,
+				},
 				endpointKey{
 					Region: "sa-east-1",
 				}: endpoint{},
 				endpointKey{
 					Region: "us-east-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-east-1",
+					Variant: fipsVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "us-west-2",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-west-2",
+					Variant: fipsVariant,
+				}: endpoint{},
 			},
 		},
 		"machinelearning": service{
@@ -15867,6 +16161,9 @@ var awsPartition = partition{
 		},
 		"mediaconvert": service{
 			Endpoints: serviceEndpoints{
+				endpointKey{
+					Region: "af-south-1",
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-northeast-1",
 				}: endpoint{},
@@ -16438,6 +16735,76 @@ var awsPartition = partition{
 				}: endpoint{},
 			},
 		},
+		"metrics.sagemaker": service{
+			Endpoints: serviceEndpoints{
+				endpointKey{
+					Region: "af-south-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "ap-east-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "ap-northeast-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "ap-northeast-2",
+				}: endpoint{},
+				endpointKey{
+					Region: "ap-northeast-3",
+				}: endpoint{},
+				endpointKey{
+					Region: "ap-south-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "ap-southeast-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "ap-southeast-2",
+				}: endpoint{},
+				endpointKey{
+					Region: "ap-southeast-3",
+				}: endpoint{},
+				endpointKey{
+					Region: "ca-central-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "eu-central-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "eu-north-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "eu-south-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "eu-west-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "eu-west-2",
+				}: endpoint{},
+				endpointKey{
+					Region: "me-central-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "me-south-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "sa-east-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "us-east-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "us-east-2",
+				}: endpoint{},
+				endpointKey{
+					Region: "us-west-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "us-west-2",
+				}: endpoint{},
+			},
+		},
 		"mgh": service{
 			Endpoints: serviceEndpoints{
 				endpointKey{
@@ -16513,6 +16880,42 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "eu-west-3",
 				}: endpoint{},
+				endpointKey{
+					Region: "fips-us-east-1",
+				}: endpoint{
+					Hostname: "mgn-fips.us-east-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "us-east-1",
+					},
+					Deprecated: boxedTrue,
+				},
+				endpointKey{
+					Region: "fips-us-east-2",
+				}: endpoint{
+					Hostname: "mgn-fips.us-east-2.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "us-east-2",
+					},
+					Deprecated: boxedTrue,
+				},
+				endpointKey{
+					Region: "fips-us-west-1",
+				}: endpoint{
+					Hostname: "mgn-fips.us-west-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "us-west-1",
+					},
+					Deprecated: boxedTrue,
+				},
+				endpointKey{
+					Region: "fips-us-west-2",
+				}: endpoint{
+					Hostname: "mgn-fips.us-west-2.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "us-west-2",
+					},
+					Deprecated: boxedTrue,
+				},
 				endpointKey{
 					Region: "me-south-1",
 				}: endpoint{},
@@ -16522,15 +16925,39 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "us-east-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-east-1",
+					Variant: fipsVariant,
+				}: endpoint{
+					Hostname: "mgn-fips.us-east-1.amazonaws.com",
+				},
 				endpointKey{
 					Region: "us-east-2",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-east-2",
+					Variant: fipsVariant,
+				}: endpoint{
+					Hostname: "mgn-fips.us-east-2.amazonaws.com",
+				},
 				endpointKey{
 					Region: "us-west-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-west-1",
+					Variant: fipsVariant,
+				}: endpoint{
+					Hostname: "mgn-fips.us-west-1.amazonaws.com",
+				},
 				endpointKey{
 					Region: "us-west-2",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-west-2",
+					Variant: fipsVariant,
+				}: endpoint{
+					Hostname: "mgn-fips.us-west-2.amazonaws.com",
+				},
 			},
 		},
 		"migrationhub-orchestrator": service{
@@ -16933,6 +17360,9 @@ var awsPartition = partition{
 					},
 					Deprecated: boxedTrue,
 				},
+				endpointKey{
+					Region: "me-central-1",
+				}: endpoint{},
 				endpointKey{
 					Region: "me-south-1",
 				}: endpoint{},
@@ -17164,6 +17594,9 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "ap-southeast-2",
 				}: endpoint{},
+				endpointKey{
+					Region: "ap-southeast-3",
+				}: endpoint{},
 				endpointKey{
 					Region: "ca-central-1",
 				}: endpoint{},
@@ -17400,6 +17833,14 @@ var awsPartition = partition{
 		},
 		"oidc": service{
 			Endpoints: serviceEndpoints{
+				endpointKey{
+					Region: "af-south-1",
+				}: endpoint{
+					Hostname: "oidc.af-south-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "af-south-1",
+					},
+				},
 				endpointKey{
 					Region: "ap-east-1",
 				}: endpoint{
@@ -17456,6 +17897,14 @@ var awsPartition = partition{
 						Region: "ap-southeast-2",
 					},
 				},
+				endpointKey{
+					Region: "ap-southeast-3",
+				}: endpoint{
+					Hostname: "oidc.ap-southeast-3.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "ap-southeast-3",
+					},
+				},
 				endpointKey{
 					Region: "ca-central-1",
 				}: endpoint{
@@ -17544,6 +17993,14 @@ var awsPartition = partition{
 						Region: "us-east-2",
 					},
 				},
+				endpointKey{
+					Region: "us-west-1",
+				}: endpoint{
+					Hostname: "oidc.us-west-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "us-west-1",
+					},
+				},
 				endpointKey{
 					Region: "us-west-2",
 				}: endpoint{
@@ -18133,6 +18590,79 @@ var awsPartition = partition{
 				},
 			},
 		},
+		"pipes": service{
+			Endpoints: serviceEndpoints{
+				endpointKey{
+					Region: "af-south-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "ap-east-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "ap-northeast-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "ap-northeast-2",
+				}: endpoint{},
+				endpointKey{
+					Region: "ap-northeast-3",
+				}: endpoint{},
+				endpointKey{
+					Region: "ap-south-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "ap-southeast-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "ap-southeast-2",
+				}: endpoint{},
+				endpointKey{
+					Region: "ap-southeast-3",
+				}: endpoint{},
+				endpointKey{
+					Region: "ca-central-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "eu-central-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "eu-north-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "eu-south-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "eu-west-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "eu-west-2",
+				}: endpoint{},
+				endpointKey{
+					Region: "eu-west-3",
+				}: endpoint{},
+				endpointKey{
+					Region: "me-central-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "me-south-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "sa-east-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "us-east-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "us-east-2",
+				}: endpoint{},
+				endpointKey{
+					Region: "us-west-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "us-west-2",
+				}: endpoint{},
+			},
+		},
 		"polly": service{
 			Endpoints: serviceEndpoints{
 				endpointKey{
@@ -18256,6 +18786,14 @@ var awsPartition = partition{
 		},
 		"portal.sso": service{
 			Endpoints: serviceEndpoints{
+				endpointKey{
+					Region: "af-south-1",
+				}: endpoint{
+					Hostname: "portal.sso.af-south-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "af-south-1",
+					},
+				},
 				endpointKey{
 					Region: "ap-east-1",
 				}: endpoint{
@@ -18312,6 +18850,14 @@ var awsPartition = partition{
 						Region: "ap-southeast-2",
 					},
 				},
+				endpointKey{
+					Region: "ap-southeast-3",
+				}: endpoint{
+					Hostname: "portal.sso.ap-southeast-3.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "ap-southeast-3",
+					},
+				},
 				endpointKey{
 					Region: "ca-central-1",
 				}: endpoint{
@@ -18400,6 +18946,14 @@ var awsPartition = partition{
 						Region: "us-east-2",
 					},
 				},
+				endpointKey{
+					Region: "us-west-1",
+				}: endpoint{
+					Hostname: "portal.sso.us-west-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "us-west-1",
+					},
+				},
 				endpointKey{
 					Region: "us-west-2",
 				}: endpoint{
@@ -18629,12 +19183,18 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "eu-central-1",
 				}: endpoint{},
+				endpointKey{
+					Region: "eu-north-1",
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-west-1",
 				}: endpoint{},
 				endpointKey{
 					Region: "eu-west-2",
 				}: endpoint{},
+				endpointKey{
+					Region: "eu-west-3",
+				}: endpoint{},
 				endpointKey{
 					Region: "sa-east-1",
 				}: endpoint{},
@@ -18669,6 +19229,9 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "ap-south-1",
 				}: endpoint{},
+				endpointKey{
+					Region: "ap-south-2",
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-southeast-1",
 				}: endpoint{},
@@ -18690,12 +19253,18 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "eu-central-1",
 				}: endpoint{},
+				endpointKey{
+					Region: "eu-central-2",
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-north-1",
 				}: endpoint{},
 				endpointKey{
 					Region: "eu-south-1",
 				}: endpoint{},
+				endpointKey{
+					Region: "eu-south-2",
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-west-1",
 				}: endpoint{},
@@ -18817,6 +19386,9 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "ap-south-1",
 				}: endpoint{},
+				endpointKey{
+					Region: "ap-south-2",
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-southeast-1",
 				}: endpoint{},
@@ -19865,7 +20437,9 @@ var awsPartition = partition{
 		},
 		"resource-explorer-2": service{
 			Defaults: endpointDefaults{
-				defaultKey{}: endpoint{},
+				defaultKey{}: endpoint{
+					DNSSuffix: "api.aws",
+				},
 				defaultKey{
 					Variant: fipsVariant,
 				}: endpoint{
@@ -20537,6 +21111,9 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "eu-west-3",
 				}: endpoint{},
+				endpointKey{
+					Region: "me-central-1",
+				}: endpoint{},
 				endpointKey{
 					Region: "me-south-1",
 				}: endpoint{},
@@ -21659,6 +22236,13 @@ var awsPartition = partition{
 				}: endpoint{},
 			},
 		},
+		"sagemaker-geospatial": service{
+			Endpoints: serviceEndpoints{
+				endpointKey{
+					Region: "us-west-2",
+				}: endpoint{},
+			},
+		},
 		"savingsplans": service{
 			PartitionEndpoint: "aws-global",
 			IsRegionalized:    boxedFalse,
@@ -22082,6 +22666,31 @@ var awsPartition = partition{
 				},
 			},
 		},
+		"securitylake": service{
+			Endpoints: serviceEndpoints{
+				endpointKey{
+					Region: "ap-northeast-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "ap-southeast-2",
+				}: endpoint{},
+				endpointKey{
+					Region: "eu-central-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "eu-west-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "us-east-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "us-east-2",
+				}: endpoint{},
+				endpointKey{
+					Region: "us-west-2",
+				}: endpoint{},
+			},
+		},
 		"serverlessrepo": service{
 			Defaults: endpointDefaults{
 				defaultKey{}: endpoint{
@@ -22461,33 +23070,102 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "af-south-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "af-south-1",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "servicediscovery.af-south-1.amazonaws.com",
+				},
 				endpointKey{
 					Region: "ap-east-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-east-1",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "servicediscovery.ap-east-1.amazonaws.com",
+				},
 				endpointKey{
 					Region: "ap-northeast-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-northeast-1",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "servicediscovery.ap-northeast-1.amazonaws.com",
+				},
 				endpointKey{
 					Region: "ap-northeast-2",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-northeast-2",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "servicediscovery.ap-northeast-2.amazonaws.com",
+				},
 				endpointKey{
 					Region: "ap-northeast-3",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-northeast-3",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "servicediscovery.ap-northeast-3.amazonaws.com",
+				},
 				endpointKey{
 					Region: "ap-south-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-south-1",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "servicediscovery.ap-south-1.amazonaws.com",
+				},
+				endpointKey{
+					Region: "ap-south-2",
+				}: endpoint{},
+				endpointKey{
+					Region:  "ap-south-2",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "servicediscovery.ap-south-2.amazonaws.com",
+				},
 				endpointKey{
 					Region: "ap-southeast-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-southeast-1",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "servicediscovery.ap-southeast-1.amazonaws.com",
+				},
 				endpointKey{
 					Region: "ap-southeast-2",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-southeast-2",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "servicediscovery.ap-southeast-2.amazonaws.com",
+				},
 				endpointKey{
 					Region: "ap-southeast-3",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-southeast-3",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "servicediscovery.ap-southeast-3.amazonaws.com",
+				},
 				endpointKey{
 					Region: "ca-central-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ca-central-1",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "servicediscovery.ca-central-1.amazonaws.com",
+				},
 				endpointKey{
 					Region:  "ca-central-1",
 					Variant: fipsVariant,
@@ -22506,30 +23184,102 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "eu-central-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "eu-central-1",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "servicediscovery.eu-central-1.amazonaws.com",
+				},
+				endpointKey{
+					Region: "eu-central-2",
+				}: endpoint{},
+				endpointKey{
+					Region:  "eu-central-2",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "servicediscovery.eu-central-2.amazonaws.com",
+				},
 				endpointKey{
 					Region: "eu-north-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "eu-north-1",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "servicediscovery.eu-north-1.amazonaws.com",
+				},
 				endpointKey{
 					Region: "eu-south-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "eu-south-1",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "servicediscovery.eu-south-1.amazonaws.com",
+				},
+				endpointKey{
+					Region: "eu-south-2",
+				}: endpoint{},
+				endpointKey{
+					Region:  "eu-south-2",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "servicediscovery.eu-south-2.amazonaws.com",
+				},
 				endpointKey{
 					Region: "eu-west-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "eu-west-1",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "servicediscovery.eu-west-1.amazonaws.com",
+				},
 				endpointKey{
 					Region: "eu-west-2",
 				}: endpoint{},
+				endpointKey{
+					Region:  "eu-west-2",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "servicediscovery.eu-west-2.amazonaws.com",
+				},
 				endpointKey{
 					Region: "eu-west-3",
 				}: endpoint{},
+				endpointKey{
+					Region:  "eu-west-3",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "servicediscovery.eu-west-3.amazonaws.com",
+				},
 				endpointKey{
 					Region: "me-central-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "me-central-1",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "servicediscovery.me-central-1.amazonaws.com",
+				},
 				endpointKey{
 					Region: "me-south-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "me-south-1",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "servicediscovery.me-south-1.amazonaws.com",
+				},
 				endpointKey{
 					Region: "sa-east-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "sa-east-1",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "servicediscovery.sa-east-1.amazonaws.com",
+				},
 				endpointKey{
 					Region: "servicediscovery",
 				}: endpoint{
@@ -22560,6 +23310,12 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "us-east-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-east-1",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "servicediscovery.us-east-1.amazonaws.com",
+				},
 				endpointKey{
 					Region:  "us-east-1",
 					Variant: fipsVariant,
@@ -22578,6 +23334,12 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "us-east-2",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-east-2",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "servicediscovery.us-east-2.amazonaws.com",
+				},
 				endpointKey{
 					Region:  "us-east-2",
 					Variant: fipsVariant,
@@ -22596,6 +23358,12 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "us-west-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-west-1",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "servicediscovery.us-west-1.amazonaws.com",
+				},
 				endpointKey{
 					Region:  "us-west-1",
 					Variant: fipsVariant,
@@ -22614,6 +23382,12 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "us-west-2",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-west-2",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "servicediscovery.us-west-2.amazonaws.com",
+				},
 				endpointKey{
 					Region:  "us-west-2",
 					Variant: fipsVariant,
@@ -22686,6 +23460,9 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "eu-west-3",
 				}: endpoint{},
+				endpointKey{
+					Region: "me-central-1",
+				}: endpoint{},
 				endpointKey{
 					Region: "me-south-1",
 				}: endpoint{},
@@ -22826,6 +23603,34 @@ var awsPartition = partition{
 				},
 			},
 		},
+		"simspaceweaver": service{
+			Endpoints: serviceEndpoints{
+				endpointKey{
+					Region: "ap-southeast-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "ap-southeast-2",
+				}: endpoint{},
+				endpointKey{
+					Region: "eu-central-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "eu-north-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "eu-west-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "us-east-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "us-east-2",
+				}: endpoint{},
+				endpointKey{
+					Region: "us-west-2",
+				}: endpoint{},
+			},
+		},
 		"sms": service{
 			Endpoints: serviceEndpoints{
 				endpointKey{
@@ -22967,6 +23772,12 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "ca-central-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ca-central-1",
+					Variant: fipsVariant,
+				}: endpoint{
+					Hostname: "sms-voice-fips.ca-central-1.amazonaws.com",
+				},
 				endpointKey{
 					Region: "eu-central-1",
 				}: endpoint{},
@@ -22976,12 +23787,51 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "eu-west-2",
 				}: endpoint{},
+				endpointKey{
+					Region: "fips-ca-central-1",
+				}: endpoint{
+					Hostname: "sms-voice-fips.ca-central-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "ca-central-1",
+					},
+					Deprecated: boxedTrue,
+				},
+				endpointKey{
+					Region: "fips-us-east-1",
+				}: endpoint{
+					Hostname: "sms-voice-fips.us-east-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "us-east-1",
+					},
+					Deprecated: boxedTrue,
+				},
+				endpointKey{
+					Region: "fips-us-west-2",
+				}: endpoint{
+					Hostname: "sms-voice-fips.us-west-2.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "us-west-2",
+					},
+					Deprecated: boxedTrue,
+				},
 				endpointKey{
 					Region: "us-east-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-east-1",
+					Variant: fipsVariant,
+				}: endpoint{
+					Hostname: "sms-voice-fips.us-east-1.amazonaws.com",
+				},
 				endpointKey{
 					Region: "us-west-2",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-west-2",
+					Variant: fipsVariant,
+				}: endpoint{
+					Hostname: "sms-voice-fips.us-west-2.amazonaws.com",
+				},
 			},
 		},
 		"snowball": service{
@@ -23798,8 +24648,18 @@ var awsPartition = partition{
 				}: endpoint{},
 			},
 		},
+		"ssm-sap": service{
+			Endpoints: serviceEndpoints{
+				endpointKey{
+					Region: "us-east-1",
+				}: endpoint{},
+			},
+		},
 		"sso": service{
 			Endpoints: serviceEndpoints{
+				endpointKey{
+					Region: "af-south-1",
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-east-1",
 				}: endpoint{},
@@ -23821,6 +24681,9 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "ap-southeast-2",
 				}: endpoint{},
+				endpointKey{
+					Region: "ap-southeast-3",
+				}: endpoint{},
 				endpointKey{
 					Region: "ca-central-1",
 				}: endpoint{},
@@ -23854,6 +24717,9 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "us-east-2",
 				}: endpoint{},
+				endpointKey{
+					Region: "us-west-1",
+				}: endpoint{},
 				endpointKey{
 					Region: "us-west-2",
 				}: endpoint{},
@@ -25471,6 +26337,21 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "ca-central-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ca-central-1",
+					Variant: fipsVariant,
+				}: endpoint{
+					Hostname: "voice-chime-fips.ca-central-1.amazonaws.com",
+				},
+				endpointKey{
+					Region: "ca-central-1-fips",
+				}: endpoint{
+					Hostname: "voice-chime-fips.ca-central-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "ca-central-1",
+					},
+					Deprecated: boxedTrue,
+				},
 				endpointKey{
 					Region: "eu-central-1",
 				}: endpoint{},
@@ -25487,12 +26368,12 @@ var awsPartition = partition{
 					Region:  "us-east-1",
 					Variant: fipsVariant,
 				}: endpoint{
-					Hostname: "fips.voice-chime.us-east-1.amazonaws.com",
+					Hostname: "voice-chime-fips.us-east-1.amazonaws.com",
 				},
 				endpointKey{
 					Region: "us-east-1-fips",
 				}: endpoint{
-					Hostname: "fips.voice-chime.us-east-1.amazonaws.com",
+					Hostname: "voice-chime-fips.us-east-1.amazonaws.com",
 					CredentialScope: credentialScope{
 						Region: "us-east-1",
 					},
@@ -25505,12 +26386,12 @@ var awsPartition = partition{
 					Region:  "us-west-2",
 					Variant: fipsVariant,
 				}: endpoint{
-					Hostname: "fips.voice-chime.us-west-2.amazonaws.com",
+					Hostname: "voice-chime-fips.us-west-2.amazonaws.com",
 				},
 				endpointKey{
 					Region: "us-west-2-fips",
 				}: endpoint{
-					Hostname: "fips.voice-chime.us-west-2.amazonaws.com",
+					Hostname: "voice-chime-fips.us-west-2.amazonaws.com",
 					CredentialScope: credentialScope{
 						Region: "us-west-2",
 					},
@@ -27463,9 +28344,21 @@ var awscnPartition = partition{
 				endpointKey{
 					Region: "cn-north-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "cn-north-1",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "athena.cn-north-1.api.amazonwebservices.com.cn",
+				},
 				endpointKey{
 					Region: "cn-northwest-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "cn-northwest-1",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "athena.cn-northwest-1.api.amazonwebservices.com.cn",
+				},
 			},
 		},
 		"autoscaling": service{
@@ -27723,6 +28616,16 @@ var awscnPartition = partition{
 				}: endpoint{},
 			},
 		},
+		"datasync": service{
+			Endpoints: serviceEndpoints{
+				endpointKey{
+					Region: "cn-north-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "cn-northwest-1",
+				}: endpoint{},
+			},
+		},
 		"dax": service{
 			Endpoints: serviceEndpoints{
 				endpointKey{
@@ -28063,14 +28966,6 @@ var awscnPartition = partition{
 				endpointKey{
 					Region: "cn-north-1",
 				}: endpoint{},
-				endpointKey{
-					Region: "dataplane-cn-north-1",
-				}: endpoint{
-					Hostname: "greengrass.ats.iot.cn-north-1.amazonaws.com.cn",
-					CredentialScope: credentialScope{
-						Region: "cn-north-1",
-					},
-				},
 			},
 		},
 		"guardduty": service{
@@ -28297,6 +29192,16 @@ var awscnPartition = partition{
 				}: endpoint{},
 			},
 		},
+		"metrics.sagemaker": service{
+			Endpoints: serviceEndpoints{
+				endpointKey{
+					Region: "cn-north-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "cn-northwest-1",
+				}: endpoint{},
+			},
+		},
 		"monitoring": service{
 			Defaults: endpointDefaults{
 				defaultKey{}: endpoint{
@@ -28422,7 +29327,9 @@ var awscnPartition = partition{
 		},
 		"resource-explorer-2": service{
 			Defaults: endpointDefaults{
-				defaultKey{}: endpoint{},
+				defaultKey{}: endpoint{
+					DNSSuffix: "api.amazonwebservices.com.cn",
+				},
 				defaultKey{
 					Variant: fipsVariant,
 				}: endpoint{
@@ -28638,9 +29545,21 @@ var awscnPartition = partition{
 				endpointKey{
 					Region: "cn-north-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "cn-north-1",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "servicediscovery.cn-north-1.amazonaws.com.cn",
+				},
 				endpointKey{
 					Region: "cn-northwest-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "cn-northwest-1",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "servicediscovery.cn-northwest-1.amazonaws.com.cn",
+				},
 			},
 		},
 		"sms": service{
@@ -29589,6 +30508,12 @@ var awsusgovPartition = partition{
 				endpointKey{
 					Region: "us-gov-east-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-gov-east-1",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "athena.us-gov-east-1.api.aws",
+				},
 				endpointKey{
 					Region:  "us-gov-east-1",
 					Variant: fipsVariant,
@@ -29598,6 +30523,12 @@ var awsusgovPartition = partition{
 				endpointKey{
 					Region: "us-gov-west-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-gov-west-1",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "athena.us-gov-west-1.api.aws",
+				},
 				endpointKey{
 					Region:  "us-gov-west-1",
 					Variant: fipsVariant,
@@ -32050,6 +32981,16 @@ var awsusgovPartition = partition{
 				}: endpoint{},
 			},
 		},
+		"metrics.sagemaker": service{
+			Endpoints: serviceEndpoints{
+				endpointKey{
+					Region: "us-gov-east-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "us-gov-west-1",
+				}: endpoint{},
+			},
+		},
 		"models.lex": service{
 			Defaults: endpointDefaults{
 				defaultKey{}: endpoint{
@@ -32333,6 +33274,16 @@ var awsusgovPartition = partition{
 				},
 			},
 		},
+		"pi": service{
+			Endpoints: serviceEndpoints{
+				endpointKey{
+					Region: "us-gov-east-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "us-gov-west-1",
+				}: endpoint{},
+			},
+		},
 		"pinpoint": service{
 			Defaults: endpointDefaults{
 				defaultKey{}: endpoint{
@@ -32619,7 +33570,9 @@ var awsusgovPartition = partition{
 		},
 		"resource-explorer-2": service{
 			Defaults: endpointDefaults{
-				defaultKey{}: endpoint{},
+				defaultKey{}: endpoint{
+					DNSSuffix: "api.aws",
+				},
 				defaultKey{
 					Variant: fipsVariant,
 				}: endpoint{
@@ -33236,6 +34189,12 @@ var awsusgovPartition = partition{
 				endpointKey{
 					Region: "us-gov-east-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-gov-east-1",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "servicediscovery.us-gov-east-1.amazonaws.com",
+				},
 				endpointKey{
 					Region:  "us-gov-east-1",
 					Variant: fipsVariant,
@@ -33254,6 +34213,12 @@ var awsusgovPartition = partition{
 				endpointKey{
 					Region: "us-gov-west-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-gov-west-1",
+					Variant: dualStackVariant,
+				}: endpoint{
+					Hostname: "servicediscovery.us-gov-west-1.amazonaws.com",
+				},
 				endpointKey{
 					Region:  "us-gov-west-1",
 					Variant: fipsVariant,
@@ -33364,9 +34329,24 @@ var awsusgovPartition = partition{
 		},
 		"sms-voice": service{
 			Endpoints: serviceEndpoints{
+				endpointKey{
+					Region: "fips-us-gov-west-1",
+				}: endpoint{
+					Hostname: "sms-voice-fips.us-gov-west-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "us-gov-west-1",
+					},
+					Deprecated: boxedTrue,
+				},
 				endpointKey{
 					Region: "us-gov-west-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-gov-west-1",
+					Variant: fipsVariant,
+				}: endpoint{
+					Hostname: "sms-voice-fips.us-gov-west-1.amazonaws.com",
+				},
 			},
 		},
 		"snowball": service{
@@ -34648,6 +35628,13 @@ var awsisoPartition = partition{
 				}: endpoint{},
 			},
 		},
+		"glue": service{
+			Endpoints: serviceEndpoints{
+				endpointKey{
+					Region: "us-iso-east-1",
+				}: endpoint{},
+			},
+		},
 		"health": service{
 			Endpoints: serviceEndpoints{
 				endpointKey{
@@ -34769,6 +35756,13 @@ var awsisoPartition = partition{
 				}: endpoint{},
 			},
 		},
+		"metrics.sagemaker": service{
+			Endpoints: serviceEndpoints{
+				endpointKey{
+					Region: "us-iso-east-1",
+				}: endpoint{},
+			},
+		},
 		"monitoring": service{
 			Endpoints: serviceEndpoints{
 				endpointKey{
@@ -35023,6 +36017,9 @@ var awsisoPartition = partition{
 				endpointKey{
 					Region: "us-iso-east-1",
 				}: endpoint{},
+				endpointKey{
+					Region: "us-iso-west-1",
+				}: endpoint{},
 			},
 		},
 	},
@@ -35423,6 +36420,13 @@ var awsisobPartition = partition{
 				}: endpoint{},
 			},
 		},
+		"metrics.sagemaker": service{
+			Endpoints: serviceEndpoints{
+				endpointKey{
+					Region: "us-isob-east-1",
+				}: endpoint{},
+			},
+		},
 		"monitoring": service{
 			Endpoints: serviceEndpoints{
 				endpointKey{
diff --git a/vendor/github.com/aws/aws-sdk-go/aws/version.go b/vendor/github.com/aws/aws-sdk-go/aws/version.go
index 244216b09..40188dfb3 100644
--- a/vendor/github.com/aws/aws-sdk-go/aws/version.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/version.go
@@ -5,4 +5,4 @@ package aws
 const SDKName = "aws-sdk-go"
 
 // SDKVersion is the version of this SDK
-const SDKVersion = "1.44.146"
+const SDKVersion = "1.44.172"
diff --git a/vendor/github.com/aws/aws-sdk-go/private/protocol/jsonrpc/unmarshal_error.go b/vendor/github.com/aws/aws-sdk-go/private/protocol/jsonrpc/unmarshal_error.go
index c0c52e2db..4f933f2a1 100644
--- a/vendor/github.com/aws/aws-sdk-go/private/protocol/jsonrpc/unmarshal_error.go
+++ b/vendor/github.com/aws/aws-sdk-go/private/protocol/jsonrpc/unmarshal_error.go
@@ -13,10 +13,17 @@ import (
 	"github.com/aws/aws-sdk-go/private/protocol/json/jsonutil"
 )
 
+const (
+	awsQueryError = "x-amzn-query-error"
+	// A valid header example - "x-amzn-query-error": "<QueryErrorCode>;<ErrorType>"
+	awsQueryErrorPartsCount = 2
+)
+
 // UnmarshalTypedError provides unmarshaling errors API response errors
 // for both typed and untyped errors.
 type UnmarshalTypedError struct {
 	exceptions map[string]func(protocol.ResponseMetadata) error
+	queryExceptions map[string]func(protocol.ResponseMetadata, string) error
 }
 
 // NewUnmarshalTypedError returns an UnmarshalTypedError initialized for the
@@ -24,6 +31,21 @@ type UnmarshalTypedError struct {
 func NewUnmarshalTypedError(exceptions map[string]func(protocol.ResponseMetadata) error) *UnmarshalTypedError {
 	return &UnmarshalTypedError{
 		exceptions: exceptions,
+		queryExceptions: map[string]func(protocol.ResponseMetadata, string) error{},
+	}
+}
+
+func NewUnmarshalTypedErrorWithOptions(exceptions map[string]func(protocol.ResponseMetadata) error, optFns ...func(*UnmarshalTypedError)) *UnmarshalTypedError {
+	unmarshaledError := NewUnmarshalTypedError(exceptions)
+	for _, fn := range optFns {
+		fn(unmarshaledError)
+	}
+	return unmarshaledError
+}
+
+func WithQueryCompatibility(queryExceptions map[string]func(protocol.ResponseMetadata, string) error) func(*UnmarshalTypedError) {
+	return func(typedError *UnmarshalTypedError) {
+		typedError.queryExceptions = queryExceptions
 	}
 }
 
@@ -50,18 +72,32 @@ func (u *UnmarshalTypedError) UnmarshalError(
 	code := codeParts[len(codeParts)-1]
 	msg := jsonErr.Message
 
+	queryCodeParts := queryCodeParts(resp, u)
+
 	if fn, ok := u.exceptions[code]; ok {
-		// If exception code is know, use associated constructor to get a value
+		// If query-compatible exceptions are found and query-error-header is found,
+		// then use associated constructor to get exception with query error code.
+		//
+		// If exception code is known, use associated constructor to get a value
 		// for the exception that the JSON body can be unmarshaled into.
-		v := fn(respMeta)
+		var v error
+		queryErrFn, queryExceptionsFound := u.queryExceptions[code]
+		if len(queryCodeParts) == awsQueryErrorPartsCount && queryExceptionsFound {
+			v = queryErrFn(respMeta, queryCodeParts[0])
+		} else {
+			v = fn(respMeta)
+		}
 		err := jsonutil.UnmarshalJSONCaseInsensitive(v, body)
 		if err != nil {
 			return nil, err
 		}
-
 		return v, nil
 	}
 
+	if len(queryCodeParts) == awsQueryErrorPartsCount && len(u.queryExceptions) > 0 {
+		code = queryCodeParts[0]
+	}
+
 	// fallback to unmodeled generic exceptions
 	return awserr.NewRequestFailure(
 		awserr.New(code, msg, nil),
@@ -70,6 +106,16 @@ func (u *UnmarshalTypedError) UnmarshalError(
 	), nil
 }
 
+// A valid header example - "x-amzn-query-error": "<QueryErrorCode>;<ErrorType>"
+func queryCodeParts(resp *http.Response, u *UnmarshalTypedError) []string {
+	queryCodeHeader := resp.Header.Get(awsQueryError)
+	var queryCodeParts []string
+	if queryCodeHeader != "" && len(u.queryExceptions) > 0 {
+		queryCodeParts = strings.Split(queryCodeHeader, ";")
+	}
+	return queryCodeParts
+}
+
 // UnmarshalErrorHandler is a named request handler for unmarshaling jsonrpc
 // protocol request errors
 var UnmarshalErrorHandler = request.NamedHandler{
diff --git a/vendor/github.com/aws/aws-sdk-go/service/ec2/api.go b/vendor/github.com/aws/aws-sdk-go/service/ec2/api.go
index 026aa70cc..ec806017b 100644
--- a/vendor/github.com/aws/aws-sdk-go/service/ec2/api.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/ec2/api.go
@@ -2450,6 +2450,81 @@ func (c *EC2) AttachNetworkInterfaceWithContext(ctx aws.Context, input *AttachNe
 	return out, req.Send()
 }
 
+const opAttachVerifiedAccessTrustProvider = "AttachVerifiedAccessTrustProvider"
+
+// AttachVerifiedAccessTrustProviderRequest generates a "aws/request.Request" representing the
+// client's request for the AttachVerifiedAccessTrustProvider operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See AttachVerifiedAccessTrustProvider for more information on using the AttachVerifiedAccessTrustProvider
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//	// Example sending a request using the AttachVerifiedAccessTrustProviderRequest method.
+//	req, resp := client.AttachVerifiedAccessTrustProviderRequest(params)
+//
+//	err := req.Send()
+//	if err == nil { // resp is now filled
+//	    fmt.Println(resp)
+//	}
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/AttachVerifiedAccessTrustProvider
+func (c *EC2) AttachVerifiedAccessTrustProviderRequest(input *AttachVerifiedAccessTrustProviderInput) (req *request.Request, output *AttachVerifiedAccessTrustProviderOutput) {
+	op := &request.Operation{
+		Name:       opAttachVerifiedAccessTrustProvider,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+	}
+
+	if input == nil {
+		input = &AttachVerifiedAccessTrustProviderInput{}
+	}
+
+	output = &AttachVerifiedAccessTrustProviderOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// AttachVerifiedAccessTrustProvider API operation for Amazon Elastic Compute Cloud.
+//
+// A trust provider is a third-party entity that creates, maintains, and manages
+// identity information for users and devices. One or more trust providers can
+// be attached to an Amazon Web Services Verified Access instance.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon Elastic Compute Cloud's
+// API operation AttachVerifiedAccessTrustProvider for usage and error information.
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/AttachVerifiedAccessTrustProvider
+func (c *EC2) AttachVerifiedAccessTrustProvider(input *AttachVerifiedAccessTrustProviderInput) (*AttachVerifiedAccessTrustProviderOutput, error) {
+	req, out := c.AttachVerifiedAccessTrustProviderRequest(input)
+	return out, req.Send()
+}
+
+// AttachVerifiedAccessTrustProviderWithContext is the same as AttachVerifiedAccessTrustProvider with the addition of
+// the ability to pass a context and additional request options.
+//
+// See AttachVerifiedAccessTrustProvider for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) AttachVerifiedAccessTrustProviderWithContext(ctx aws.Context, input *AttachVerifiedAccessTrustProviderInput, opts ...request.Option) (*AttachVerifiedAccessTrustProviderOutput, error) {
+	req, out := c.AttachVerifiedAccessTrustProviderRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
 const opAttachVolume = "AttachVolume"
 
 // AttachVolumeRequest generates a "aws/request.Request" representing the
@@ -3402,7 +3477,7 @@ func (c *EC2) CancelImageLaunchPermissionRequest(input *CancelImageLaunchPermiss
 // Removes your Amazon Web Services account from the launch permissions for
 // the specified AMI. For more information, see Cancel having an AMI shared
 // with your Amazon Web Services account (https://docs.aws.amazon.com/) in the
-// Amazon Elastic Compute Cloud User Guide.
+// Amazon EC2 User Guide.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
 // with awserr.Error's Code and Message methods to get detailed information about
@@ -3948,11 +4023,11 @@ func (c *EC2) CopyImageRequest(input *CopyImageInput) (req *request.Request, out
 // key that you specify in the request using KmsKeyId. Outposts do not support
 // unencrypted snapshots. For more information, Amazon EBS local snapshots on
 // Outposts (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshots-outposts.html#ami)
-// in the Amazon Elastic Compute Cloud User Guide.
+// in the Amazon EC2 User Guide.
 //
 // For more information about the prerequisites and limits when copying an AMI,
 // see Copy an AMI (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html)
-// in the Amazon Elastic Compute Cloud User Guide.
+// in the Amazon EC2 User Guide.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
 // with awserr.Error's Code and Message methods to get detailed information about
@@ -7304,7 +7379,7 @@ func (c *EC2) CreateReplaceRootVolumeTaskRequest(input *CreateReplaceRootVolumeT
 // to a specific snapshot taken from the original root volume, or that is restored
 // from an AMI that has the same key characteristics as that of the instance.
 //
-// For more information, see Replace a root volume (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-restoring-volume.html#replace-root)
+// For more information, see Replace a root volume (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/replace-root.html)
 // in the Amazon Elastic Compute Cloud User Guide.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
@@ -7478,10 +7553,10 @@ func (c *EC2) CreateRestoreImageTaskRequest(input *CreateRestoreImageTaskInput)
 //
 // To use this API, you must have the required permissions. For more information,
 // see Permissions for storing and restoring AMIs using Amazon S3 (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-store-restore.html#ami-s3-permissions)
-// in the Amazon Elastic Compute Cloud User Guide.
+// in the Amazon EC2 User Guide.
 //
 // For more information, see Store and restore an AMI using Amazon S3 (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-store-restore.html)
-// in the Amazon Elastic Compute Cloud User Guide.
+// in the Amazon EC2 User Guide.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
 // with awserr.Error's Code and Message methods to get detailed information about
@@ -8100,10 +8175,10 @@ func (c *EC2) CreateStoreImageTaskRequest(input *CreateStoreImageTaskInput) (req
 //
 // To use this API, you must have the required permissions. For more information,
 // see Permissions for storing and restoring AMIs using Amazon S3 (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-store-restore.html#ami-s3-permissions)
-// in the Amazon Elastic Compute Cloud User Guide.
+// in the Amazon EC2 User Guide.
 //
 // For more information, see Store and restore an AMI using Amazon S3 (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-store-restore.html)
-// in the Amazon Elastic Compute Cloud User Guide.
+// in the Amazon EC2 User Guide.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
 // with awserr.Error's Code and Message methods to get detailed information about
@@ -9563,6 +9638,311 @@ func (c *EC2) CreateTransitGatewayVpcAttachmentWithContext(ctx aws.Context, inpu
 	return out, req.Send()
 }
 
+const opCreateVerifiedAccessEndpoint = "CreateVerifiedAccessEndpoint"
+
+// CreateVerifiedAccessEndpointRequest generates a "aws/request.Request" representing the
+// client's request for the CreateVerifiedAccessEndpoint operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See CreateVerifiedAccessEndpoint for more information on using the CreateVerifiedAccessEndpoint
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//	// Example sending a request using the CreateVerifiedAccessEndpointRequest method.
+//	req, resp := client.CreateVerifiedAccessEndpointRequest(params)
+//
+//	err := req.Send()
+//	if err == nil { // resp is now filled
+//	    fmt.Println(resp)
+//	}
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/CreateVerifiedAccessEndpoint
+func (c *EC2) CreateVerifiedAccessEndpointRequest(input *CreateVerifiedAccessEndpointInput) (req *request.Request, output *CreateVerifiedAccessEndpointOutput) {
+	op := &request.Operation{
+		Name:       opCreateVerifiedAccessEndpoint,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+	}
+
+	if input == nil {
+		input = &CreateVerifiedAccessEndpointInput{}
+	}
+
+	output = &CreateVerifiedAccessEndpointOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// CreateVerifiedAccessEndpoint API operation for Amazon Elastic Compute Cloud.
+//
+// An Amazon Web Services Verified Access endpoint is where you define your
+// application along with an optional endpoint-level access policy.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon Elastic Compute Cloud's
+// API operation CreateVerifiedAccessEndpoint for usage and error information.
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/CreateVerifiedAccessEndpoint
+func (c *EC2) CreateVerifiedAccessEndpoint(input *CreateVerifiedAccessEndpointInput) (*CreateVerifiedAccessEndpointOutput, error) {
+	req, out := c.CreateVerifiedAccessEndpointRequest(input)
+	return out, req.Send()
+}
+
+// CreateVerifiedAccessEndpointWithContext is the same as CreateVerifiedAccessEndpoint with the addition of
+// the ability to pass a context and additional request options.
+//
+// See CreateVerifiedAccessEndpoint for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) CreateVerifiedAccessEndpointWithContext(ctx aws.Context, input *CreateVerifiedAccessEndpointInput, opts ...request.Option) (*CreateVerifiedAccessEndpointOutput, error) {
+	req, out := c.CreateVerifiedAccessEndpointRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
+const opCreateVerifiedAccessGroup = "CreateVerifiedAccessGroup"
+
+// CreateVerifiedAccessGroupRequest generates a "aws/request.Request" representing the
+// client's request for the CreateVerifiedAccessGroup operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See CreateVerifiedAccessGroup for more information on using the CreateVerifiedAccessGroup
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//	// Example sending a request using the CreateVerifiedAccessGroupRequest method.
+//	req, resp := client.CreateVerifiedAccessGroupRequest(params)
+//
+//	err := req.Send()
+//	if err == nil { // resp is now filled
+//	    fmt.Println(resp)
+//	}
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/CreateVerifiedAccessGroup
+func (c *EC2) CreateVerifiedAccessGroupRequest(input *CreateVerifiedAccessGroupInput) (req *request.Request, output *CreateVerifiedAccessGroupOutput) {
+	op := &request.Operation{
+		Name:       opCreateVerifiedAccessGroup,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+	}
+
+	if input == nil {
+		input = &CreateVerifiedAccessGroupInput{}
+	}
+
+	output = &CreateVerifiedAccessGroupOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// CreateVerifiedAccessGroup API operation for Amazon Elastic Compute Cloud.
+//
+// An Amazon Web Services Verified Access group is a collection of Amazon Web
+// Services Verified Access endpoints who's associated applications have similar
+// security requirements. Each instance within an Amazon Web Services Verified
+// Access group shares an Amazon Web Services Verified Access policy. For example,
+// you can group all Amazon Web Services Verified Access instances associated
+// with “sales” applications together and use one common Amazon Web Services
+// Verified Access policy.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon Elastic Compute Cloud's
+// API operation CreateVerifiedAccessGroup for usage and error information.
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/CreateVerifiedAccessGroup
+func (c *EC2) CreateVerifiedAccessGroup(input *CreateVerifiedAccessGroupInput) (*CreateVerifiedAccessGroupOutput, error) {
+	req, out := c.CreateVerifiedAccessGroupRequest(input)
+	return out, req.Send()
+}
+
+// CreateVerifiedAccessGroupWithContext is the same as CreateVerifiedAccessGroup with the addition of
+// the ability to pass a context and additional request options.
+//
+// See CreateVerifiedAccessGroup for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) CreateVerifiedAccessGroupWithContext(ctx aws.Context, input *CreateVerifiedAccessGroupInput, opts ...request.Option) (*CreateVerifiedAccessGroupOutput, error) {
+	req, out := c.CreateVerifiedAccessGroupRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
+const opCreateVerifiedAccessInstance = "CreateVerifiedAccessInstance"
+
+// CreateVerifiedAccessInstanceRequest generates a "aws/request.Request" representing the
+// client's request for the CreateVerifiedAccessInstance operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See CreateVerifiedAccessInstance for more information on using the CreateVerifiedAccessInstance
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//	// Example sending a request using the CreateVerifiedAccessInstanceRequest method.
+//	req, resp := client.CreateVerifiedAccessInstanceRequest(params)
+//
+//	err := req.Send()
+//	if err == nil { // resp is now filled
+//	    fmt.Println(resp)
+//	}
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/CreateVerifiedAccessInstance
+func (c *EC2) CreateVerifiedAccessInstanceRequest(input *CreateVerifiedAccessInstanceInput) (req *request.Request, output *CreateVerifiedAccessInstanceOutput) {
+	op := &request.Operation{
+		Name:       opCreateVerifiedAccessInstance,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+	}
+
+	if input == nil {
+		input = &CreateVerifiedAccessInstanceInput{}
+	}
+
+	output = &CreateVerifiedAccessInstanceOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// CreateVerifiedAccessInstance API operation for Amazon Elastic Compute Cloud.
+//
+// An Amazon Web Services Verified Access instance is a regional entity that
+// evaluates application requests and grants access only when your security
+// requirements are met.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon Elastic Compute Cloud's
+// API operation CreateVerifiedAccessInstance for usage and error information.
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/CreateVerifiedAccessInstance
+func (c *EC2) CreateVerifiedAccessInstance(input *CreateVerifiedAccessInstanceInput) (*CreateVerifiedAccessInstanceOutput, error) {
+	req, out := c.CreateVerifiedAccessInstanceRequest(input)
+	return out, req.Send()
+}
+
+// CreateVerifiedAccessInstanceWithContext is the same as CreateVerifiedAccessInstance with the addition of
+// the ability to pass a context and additional request options.
+//
+// See CreateVerifiedAccessInstance for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) CreateVerifiedAccessInstanceWithContext(ctx aws.Context, input *CreateVerifiedAccessInstanceInput, opts ...request.Option) (*CreateVerifiedAccessInstanceOutput, error) {
+	req, out := c.CreateVerifiedAccessInstanceRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
+const opCreateVerifiedAccessTrustProvider = "CreateVerifiedAccessTrustProvider"
+
+// CreateVerifiedAccessTrustProviderRequest generates a "aws/request.Request" representing the
+// client's request for the CreateVerifiedAccessTrustProvider operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See CreateVerifiedAccessTrustProvider for more information on using the CreateVerifiedAccessTrustProvider
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//	// Example sending a request using the CreateVerifiedAccessTrustProviderRequest method.
+//	req, resp := client.CreateVerifiedAccessTrustProviderRequest(params)
+//
+//	err := req.Send()
+//	if err == nil { // resp is now filled
+//	    fmt.Println(resp)
+//	}
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/CreateVerifiedAccessTrustProvider
+func (c *EC2) CreateVerifiedAccessTrustProviderRequest(input *CreateVerifiedAccessTrustProviderInput) (req *request.Request, output *CreateVerifiedAccessTrustProviderOutput) {
+	op := &request.Operation{
+		Name:       opCreateVerifiedAccessTrustProvider,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+	}
+
+	if input == nil {
+		input = &CreateVerifiedAccessTrustProviderInput{}
+	}
+
+	output = &CreateVerifiedAccessTrustProviderOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// CreateVerifiedAccessTrustProvider API operation for Amazon Elastic Compute Cloud.
+//
+// A trust provider is a third-party entity that creates, maintains, and manages
+// identity information for users and devices. When an application request is
+// made, the identity information sent by the trust provider will be evaluated
+// by Amazon Web Services Verified Access, before allowing or denying the application
+// request.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon Elastic Compute Cloud's
+// API operation CreateVerifiedAccessTrustProvider for usage and error information.
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/CreateVerifiedAccessTrustProvider
+func (c *EC2) CreateVerifiedAccessTrustProvider(input *CreateVerifiedAccessTrustProviderInput) (*CreateVerifiedAccessTrustProviderOutput, error) {
+	req, out := c.CreateVerifiedAccessTrustProviderRequest(input)
+	return out, req.Send()
+}
+
+// CreateVerifiedAccessTrustProviderWithContext is the same as CreateVerifiedAccessTrustProvider with the addition of
+// the ability to pass a context and additional request options.
+//
+// See CreateVerifiedAccessTrustProvider for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) CreateVerifiedAccessTrustProviderWithContext(ctx aws.Context, input *CreateVerifiedAccessTrustProviderInput, opts ...request.Option) (*CreateVerifiedAccessTrustProviderOutput, error) {
+	req, out := c.CreateVerifiedAccessTrustProviderRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
 const opCreateVolume = "CreateVolume"
 
 // CreateVolumeRequest generates a "aws/request.Request" representing the
@@ -14764,6 +15144,298 @@ func (c *EC2) DeleteTransitGatewayVpcAttachmentWithContext(ctx aws.Context, inpu
 	return out, req.Send()
 }
 
+const opDeleteVerifiedAccessEndpoint = "DeleteVerifiedAccessEndpoint"
+
+// DeleteVerifiedAccessEndpointRequest generates a "aws/request.Request" representing the
+// client's request for the DeleteVerifiedAccessEndpoint operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See DeleteVerifiedAccessEndpoint for more information on using the DeleteVerifiedAccessEndpoint
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//	// Example sending a request using the DeleteVerifiedAccessEndpointRequest method.
+//	req, resp := client.DeleteVerifiedAccessEndpointRequest(params)
+//
+//	err := req.Send()
+//	if err == nil { // resp is now filled
+//	    fmt.Println(resp)
+//	}
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DeleteVerifiedAccessEndpoint
+func (c *EC2) DeleteVerifiedAccessEndpointRequest(input *DeleteVerifiedAccessEndpointInput) (req *request.Request, output *DeleteVerifiedAccessEndpointOutput) {
+	op := &request.Operation{
+		Name:       opDeleteVerifiedAccessEndpoint,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+	}
+
+	if input == nil {
+		input = &DeleteVerifiedAccessEndpointInput{}
+	}
+
+	output = &DeleteVerifiedAccessEndpointOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// DeleteVerifiedAccessEndpoint API operation for Amazon Elastic Compute Cloud.
+//
+// Delete an Amazon Web Services Verified Access endpoint.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon Elastic Compute Cloud's
+// API operation DeleteVerifiedAccessEndpoint for usage and error information.
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DeleteVerifiedAccessEndpoint
+func (c *EC2) DeleteVerifiedAccessEndpoint(input *DeleteVerifiedAccessEndpointInput) (*DeleteVerifiedAccessEndpointOutput, error) {
+	req, out := c.DeleteVerifiedAccessEndpointRequest(input)
+	return out, req.Send()
+}
+
+// DeleteVerifiedAccessEndpointWithContext is the same as DeleteVerifiedAccessEndpoint with the addition of
+// the ability to pass a context and additional request options.
+//
+// See DeleteVerifiedAccessEndpoint for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) DeleteVerifiedAccessEndpointWithContext(ctx aws.Context, input *DeleteVerifiedAccessEndpointInput, opts ...request.Option) (*DeleteVerifiedAccessEndpointOutput, error) {
+	req, out := c.DeleteVerifiedAccessEndpointRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
+const opDeleteVerifiedAccessGroup = "DeleteVerifiedAccessGroup"
+
+// DeleteVerifiedAccessGroupRequest generates a "aws/request.Request" representing the
+// client's request for the DeleteVerifiedAccessGroup operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See DeleteVerifiedAccessGroup for more information on using the DeleteVerifiedAccessGroup
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//	// Example sending a request using the DeleteVerifiedAccessGroupRequest method.
+//	req, resp := client.DeleteVerifiedAccessGroupRequest(params)
+//
+//	err := req.Send()
+//	if err == nil { // resp is now filled
+//	    fmt.Println(resp)
+//	}
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DeleteVerifiedAccessGroup
+func (c *EC2) DeleteVerifiedAccessGroupRequest(input *DeleteVerifiedAccessGroupInput) (req *request.Request, output *DeleteVerifiedAccessGroupOutput) {
+	op := &request.Operation{
+		Name:       opDeleteVerifiedAccessGroup,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+	}
+
+	if input == nil {
+		input = &DeleteVerifiedAccessGroupInput{}
+	}
+
+	output = &DeleteVerifiedAccessGroupOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// DeleteVerifiedAccessGroup API operation for Amazon Elastic Compute Cloud.
+//
+// Delete an Amazon Web Services Verified Access group.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon Elastic Compute Cloud's
+// API operation DeleteVerifiedAccessGroup for usage and error information.
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DeleteVerifiedAccessGroup
+func (c *EC2) DeleteVerifiedAccessGroup(input *DeleteVerifiedAccessGroupInput) (*DeleteVerifiedAccessGroupOutput, error) {
+	req, out := c.DeleteVerifiedAccessGroupRequest(input)
+	return out, req.Send()
+}
+
+// DeleteVerifiedAccessGroupWithContext is the same as DeleteVerifiedAccessGroup with the addition of
+// the ability to pass a context and additional request options.
+//
+// See DeleteVerifiedAccessGroup for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) DeleteVerifiedAccessGroupWithContext(ctx aws.Context, input *DeleteVerifiedAccessGroupInput, opts ...request.Option) (*DeleteVerifiedAccessGroupOutput, error) {
+	req, out := c.DeleteVerifiedAccessGroupRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
+const opDeleteVerifiedAccessInstance = "DeleteVerifiedAccessInstance"
+
+// DeleteVerifiedAccessInstanceRequest generates a "aws/request.Request" representing the
+// client's request for the DeleteVerifiedAccessInstance operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See DeleteVerifiedAccessInstance for more information on using the DeleteVerifiedAccessInstance
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//	// Example sending a request using the DeleteVerifiedAccessInstanceRequest method.
+//	req, resp := client.DeleteVerifiedAccessInstanceRequest(params)
+//
+//	err := req.Send()
+//	if err == nil { // resp is now filled
+//	    fmt.Println(resp)
+//	}
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DeleteVerifiedAccessInstance
+func (c *EC2) DeleteVerifiedAccessInstanceRequest(input *DeleteVerifiedAccessInstanceInput) (req *request.Request, output *DeleteVerifiedAccessInstanceOutput) {
+	op := &request.Operation{
+		Name:       opDeleteVerifiedAccessInstance,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+	}
+
+	if input == nil {
+		input = &DeleteVerifiedAccessInstanceInput{}
+	}
+
+	output = &DeleteVerifiedAccessInstanceOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// DeleteVerifiedAccessInstance API operation for Amazon Elastic Compute Cloud.
+//
+// Delete an Amazon Web Services Verified Access instance.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon Elastic Compute Cloud's
+// API operation DeleteVerifiedAccessInstance for usage and error information.
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DeleteVerifiedAccessInstance
+func (c *EC2) DeleteVerifiedAccessInstance(input *DeleteVerifiedAccessInstanceInput) (*DeleteVerifiedAccessInstanceOutput, error) {
+	req, out := c.DeleteVerifiedAccessInstanceRequest(input)
+	return out, req.Send()
+}
+
+// DeleteVerifiedAccessInstanceWithContext is the same as DeleteVerifiedAccessInstance with the addition of
+// the ability to pass a context and additional request options.
+//
+// See DeleteVerifiedAccessInstance for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) DeleteVerifiedAccessInstanceWithContext(ctx aws.Context, input *DeleteVerifiedAccessInstanceInput, opts ...request.Option) (*DeleteVerifiedAccessInstanceOutput, error) {
+	req, out := c.DeleteVerifiedAccessInstanceRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
+const opDeleteVerifiedAccessTrustProvider = "DeleteVerifiedAccessTrustProvider"
+
+// DeleteVerifiedAccessTrustProviderRequest generates a "aws/request.Request" representing the
+// client's request for the DeleteVerifiedAccessTrustProvider operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See DeleteVerifiedAccessTrustProvider for more information on using the DeleteVerifiedAccessTrustProvider
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//	// Example sending a request using the DeleteVerifiedAccessTrustProviderRequest method.
+//	req, resp := client.DeleteVerifiedAccessTrustProviderRequest(params)
+//
+//	err := req.Send()
+//	if err == nil { // resp is now filled
+//	    fmt.Println(resp)
+//	}
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DeleteVerifiedAccessTrustProvider
+func (c *EC2) DeleteVerifiedAccessTrustProviderRequest(input *DeleteVerifiedAccessTrustProviderInput) (req *request.Request, output *DeleteVerifiedAccessTrustProviderOutput) {
+	op := &request.Operation{
+		Name:       opDeleteVerifiedAccessTrustProvider,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+	}
+
+	if input == nil {
+		input = &DeleteVerifiedAccessTrustProviderInput{}
+	}
+
+	output = &DeleteVerifiedAccessTrustProviderOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// DeleteVerifiedAccessTrustProvider API operation for Amazon Elastic Compute Cloud.
+//
+// Delete an Amazon Web Services Verified Access trust provider.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon Elastic Compute Cloud's
+// API operation DeleteVerifiedAccessTrustProvider for usage and error information.
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DeleteVerifiedAccessTrustProvider
+func (c *EC2) DeleteVerifiedAccessTrustProvider(input *DeleteVerifiedAccessTrustProviderInput) (*DeleteVerifiedAccessTrustProviderOutput, error) {
+	req, out := c.DeleteVerifiedAccessTrustProviderRequest(input)
+	return out, req.Send()
+}
+
+// DeleteVerifiedAccessTrustProviderWithContext is the same as DeleteVerifiedAccessTrustProvider with the addition of
+// the ability to pass a context and additional request options.
+//
+// See DeleteVerifiedAccessTrustProvider for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) DeleteVerifiedAccessTrustProviderWithContext(ctx aws.Context, input *DeleteVerifiedAccessTrustProviderInput, opts ...request.Option) (*DeleteVerifiedAccessTrustProviderOutput, error) {
+	req, out := c.DeleteVerifiedAccessTrustProviderRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
 const opDeleteVolume = "DeleteVolume"
 
 // DeleteVolumeRequest generates a "aws/request.Request" representing the
@@ -15759,7 +16431,7 @@ func (c *EC2) DeregisterImageRequest(input *DeregisterImageInput) (req *request.
 // If you deregister an AMI that matches a Recycle Bin retention rule, the AMI
 // is retained in the Recycle Bin for the specified retention period. For more
 // information, see Recycle Bin (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/recycle-bin.html)
-// in the Amazon Elastic Compute Cloud User Guide.
+// in the Amazon EC2 User Guide.
 //
 // When you deregister an AMI, it doesn't affect any instances that you've already
 // launched from the AMI. You'll continue to incur usage costs for those instances
@@ -16628,6 +17300,136 @@ func (c *EC2) DescribeAvailabilityZonesWithContext(ctx aws.Context, input *Descr
 	return out, req.Send()
 }
 
+const opDescribeAwsNetworkPerformanceMetricSubscriptions = "DescribeAwsNetworkPerformanceMetricSubscriptions"
+
+// DescribeAwsNetworkPerformanceMetricSubscriptionsRequest generates a "aws/request.Request" representing the
+// client's request for the DescribeAwsNetworkPerformanceMetricSubscriptions operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See DescribeAwsNetworkPerformanceMetricSubscriptions for more information on using the DescribeAwsNetworkPerformanceMetricSubscriptions
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//	// Example sending a request using the DescribeAwsNetworkPerformanceMetricSubscriptionsRequest method.
+//	req, resp := client.DescribeAwsNetworkPerformanceMetricSubscriptionsRequest(params)
+//
+//	err := req.Send()
+//	if err == nil { // resp is now filled
+//	    fmt.Println(resp)
+//	}
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeAwsNetworkPerformanceMetricSubscriptions
+func (c *EC2) DescribeAwsNetworkPerformanceMetricSubscriptionsRequest(input *DescribeAwsNetworkPerformanceMetricSubscriptionsInput) (req *request.Request, output *DescribeAwsNetworkPerformanceMetricSubscriptionsOutput) {
+	op := &request.Operation{
+		Name:       opDescribeAwsNetworkPerformanceMetricSubscriptions,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+		Paginator: &request.Paginator{
+			InputTokens:     []string{"NextToken"},
+			OutputTokens:    []string{"NextToken"},
+			LimitToken:      "MaxResults",
+			TruncationToken: "",
+		},
+	}
+
+	if input == nil {
+		input = &DescribeAwsNetworkPerformanceMetricSubscriptionsInput{}
+	}
+
+	output = &DescribeAwsNetworkPerformanceMetricSubscriptionsOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// DescribeAwsNetworkPerformanceMetricSubscriptions API operation for Amazon Elastic Compute Cloud.
+//
+// Describes the current Infrastructure Performance metric subscriptions.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon Elastic Compute Cloud's
+// API operation DescribeAwsNetworkPerformanceMetricSubscriptions for usage and error information.
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeAwsNetworkPerformanceMetricSubscriptions
+func (c *EC2) DescribeAwsNetworkPerformanceMetricSubscriptions(input *DescribeAwsNetworkPerformanceMetricSubscriptionsInput) (*DescribeAwsNetworkPerformanceMetricSubscriptionsOutput, error) {
+	req, out := c.DescribeAwsNetworkPerformanceMetricSubscriptionsRequest(input)
+	return out, req.Send()
+}
+
+// DescribeAwsNetworkPerformanceMetricSubscriptionsWithContext is the same as DescribeAwsNetworkPerformanceMetricSubscriptions with the addition of
+// the ability to pass a context and additional request options.
+//
+// See DescribeAwsNetworkPerformanceMetricSubscriptions for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) DescribeAwsNetworkPerformanceMetricSubscriptionsWithContext(ctx aws.Context, input *DescribeAwsNetworkPerformanceMetricSubscriptionsInput, opts ...request.Option) (*DescribeAwsNetworkPerformanceMetricSubscriptionsOutput, error) {
+	req, out := c.DescribeAwsNetworkPerformanceMetricSubscriptionsRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
+// DescribeAwsNetworkPerformanceMetricSubscriptionsPages iterates over the pages of a DescribeAwsNetworkPerformanceMetricSubscriptions operation,
+// calling the "fn" function with the response data for each page. To stop
+// iterating, return false from the fn function.
+//
+// See DescribeAwsNetworkPerformanceMetricSubscriptions method for more information on how to use this operation.
+//
+// Note: This operation can generate multiple requests to a service.
+//
+//	// Example iterating over at most 3 pages of a DescribeAwsNetworkPerformanceMetricSubscriptions operation.
+//	pageNum := 0
+//	err := client.DescribeAwsNetworkPerformanceMetricSubscriptionsPages(params,
+//	    func(page *ec2.DescribeAwsNetworkPerformanceMetricSubscriptionsOutput, lastPage bool) bool {
+//	        pageNum++
+//	        fmt.Println(page)
+//	        return pageNum <= 3
+//	    })
+func (c *EC2) DescribeAwsNetworkPerformanceMetricSubscriptionsPages(input *DescribeAwsNetworkPerformanceMetricSubscriptionsInput, fn func(*DescribeAwsNetworkPerformanceMetricSubscriptionsOutput, bool) bool) error {
+	return c.DescribeAwsNetworkPerformanceMetricSubscriptionsPagesWithContext(aws.BackgroundContext(), input, fn)
+}
+
+// DescribeAwsNetworkPerformanceMetricSubscriptionsPagesWithContext same as DescribeAwsNetworkPerformanceMetricSubscriptionsPages except
+// it takes a Context and allows setting request options on the pages.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) DescribeAwsNetworkPerformanceMetricSubscriptionsPagesWithContext(ctx aws.Context, input *DescribeAwsNetworkPerformanceMetricSubscriptionsInput, fn func(*DescribeAwsNetworkPerformanceMetricSubscriptionsOutput, bool) bool, opts ...request.Option) error {
+	p := request.Pagination{
+		NewRequest: func() (*request.Request, error) {
+			var inCpy *DescribeAwsNetworkPerformanceMetricSubscriptionsInput
+			if input != nil {
+				tmp := *input
+				inCpy = &tmp
+			}
+			req, _ := c.DescribeAwsNetworkPerformanceMetricSubscriptionsRequest(inCpy)
+			req.SetContext(ctx)
+			req.ApplyOptions(opts...)
+			return req, nil
+		},
+	}
+
+	for p.Next() {
+		if !fn(p.Page().(*DescribeAwsNetworkPerformanceMetricSubscriptionsOutput), !p.HasNextPage()) {
+			break
+		}
+	}
+
+	return p.Err()
+}
+
 const opDescribeBundleTasks = "DescribeBundleTasks"
 
 // DescribeBundleTasksRequest generates a "aws/request.Request" representing the
@@ -20550,6 +21352,12 @@ func (c *EC2) DescribeImagesRequest(input *DescribeImagesInput) (req *request.Re
 		Name:       opDescribeImages,
 		HTTPMethod: "POST",
 		HTTPPath:   "/",
+		Paginator: &request.Paginator{
+			InputTokens:     []string{"NextToken"},
+			OutputTokens:    []string{"NextToken"},
+			LimitToken:      "MaxResults",
+			TruncationToken: "",
+		},
 	}
 
 	if input == nil {
@@ -20603,6 +21411,57 @@ func (c *EC2) DescribeImagesWithContext(ctx aws.Context, input *DescribeImagesIn
 	return out, req.Send()
 }
 
+// DescribeImagesPages iterates over the pages of a DescribeImages operation,
+// calling the "fn" function with the response data for each page. To stop
+// iterating, return false from the fn function.
+//
+// See DescribeImages method for more information on how to use this operation.
+//
+// Note: This operation can generate multiple requests to a service.
+//
+//	// Example iterating over at most 3 pages of a DescribeImages operation.
+//	pageNum := 0
+//	err := client.DescribeImagesPages(params,
+//	    func(page *ec2.DescribeImagesOutput, lastPage bool) bool {
+//	        pageNum++
+//	        fmt.Println(page)
+//	        return pageNum <= 3
+//	    })
+func (c *EC2) DescribeImagesPages(input *DescribeImagesInput, fn func(*DescribeImagesOutput, bool) bool) error {
+	return c.DescribeImagesPagesWithContext(aws.BackgroundContext(), input, fn)
+}
+
+// DescribeImagesPagesWithContext same as DescribeImagesPages except
+// it takes a Context and allows setting request options on the pages.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) DescribeImagesPagesWithContext(ctx aws.Context, input *DescribeImagesInput, fn func(*DescribeImagesOutput, bool) bool, opts ...request.Option) error {
+	p := request.Pagination{
+		NewRequest: func() (*request.Request, error) {
+			var inCpy *DescribeImagesInput
+			if input != nil {
+				tmp := *input
+				inCpy = &tmp
+			}
+			req, _ := c.DescribeImagesRequest(inCpy)
+			req.SetContext(ctx)
+			req.ApplyOptions(opts...)
+			return req, nil
+		},
+	}
+
+	for p.Next() {
+		if !fn(p.Page().(*DescribeImagesOutput), !p.HasNextPage()) {
+			break
+		}
+	}
+
+	return p.Err()
+}
+
 const opDescribeImportImageTasks = "DescribeImportImageTasks"
 
 // DescribeImportImageTasksRequest generates a "aws/request.Request" representing the
@@ -25642,7 +26501,7 @@ func (c *EC2) DescribeReplaceRootVolumeTasksRequest(input *DescribeReplaceRootVo
 // DescribeReplaceRootVolumeTasks API operation for Amazon Elastic Compute Cloud.
 //
 // Describes a root volume replacement task. For more information, see Replace
-// a root volume (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-restoring-volume.html#replace-root)
+// a root volume (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/replace-root.html)
 // in the Amazon Elastic Compute Cloud User Guide.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
@@ -28149,10 +29008,10 @@ func (c *EC2) DescribeStoreImageTasksRequest(input *DescribeStoreImageTasksInput
 //
 // To use this API, you must have the required permissions. For more information,
 // see Permissions for storing and restoring AMIs using Amazon S3 (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-store-restore.html#ami-s3-permissions)
-// in the Amazon Elastic Compute Cloud User Guide.
+// in the Amazon EC2 User Guide.
 //
 // For more information, see Store and restore an AMI using Amazon S3 (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-store-restore.html)
-// in the Amazon Elastic Compute Cloud User Guide.
+// in the Amazon EC2 User Guide.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
 // with awserr.Error's Code and Message methods to get detailed information about
@@ -30329,6 +31188,657 @@ func (c *EC2) DescribeTrunkInterfaceAssociationsPagesWithContext(ctx aws.Context
 	return p.Err()
 }
 
+const opDescribeVerifiedAccessEndpoints = "DescribeVerifiedAccessEndpoints"
+
+// DescribeVerifiedAccessEndpointsRequest generates a "aws/request.Request" representing the
+// client's request for the DescribeVerifiedAccessEndpoints operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See DescribeVerifiedAccessEndpoints for more information on using the DescribeVerifiedAccessEndpoints
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//	// Example sending a request using the DescribeVerifiedAccessEndpointsRequest method.
+//	req, resp := client.DescribeVerifiedAccessEndpointsRequest(params)
+//
+//	err := req.Send()
+//	if err == nil { // resp is now filled
+//	    fmt.Println(resp)
+//	}
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeVerifiedAccessEndpoints
+func (c *EC2) DescribeVerifiedAccessEndpointsRequest(input *DescribeVerifiedAccessEndpointsInput) (req *request.Request, output *DescribeVerifiedAccessEndpointsOutput) {
+	op := &request.Operation{
+		Name:       opDescribeVerifiedAccessEndpoints,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+		Paginator: &request.Paginator{
+			InputTokens:     []string{"NextToken"},
+			OutputTokens:    []string{"NextToken"},
+			LimitToken:      "MaxResults",
+			TruncationToken: "",
+		},
+	}
+
+	if input == nil {
+		input = &DescribeVerifiedAccessEndpointsInput{}
+	}
+
+	output = &DescribeVerifiedAccessEndpointsOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// DescribeVerifiedAccessEndpoints API operation for Amazon Elastic Compute Cloud.
+//
+// Describe Amazon Web Services Verified Access endpoints.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon Elastic Compute Cloud's
+// API operation DescribeVerifiedAccessEndpoints for usage and error information.
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeVerifiedAccessEndpoints
+func (c *EC2) DescribeVerifiedAccessEndpoints(input *DescribeVerifiedAccessEndpointsInput) (*DescribeVerifiedAccessEndpointsOutput, error) {
+	req, out := c.DescribeVerifiedAccessEndpointsRequest(input)
+	return out, req.Send()
+}
+
+// DescribeVerifiedAccessEndpointsWithContext is the same as DescribeVerifiedAccessEndpoints with the addition of
+// the ability to pass a context and additional request options.
+//
+// See DescribeVerifiedAccessEndpoints for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) DescribeVerifiedAccessEndpointsWithContext(ctx aws.Context, input *DescribeVerifiedAccessEndpointsInput, opts ...request.Option) (*DescribeVerifiedAccessEndpointsOutput, error) {
+	req, out := c.DescribeVerifiedAccessEndpointsRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
+// DescribeVerifiedAccessEndpointsPages iterates over the pages of a DescribeVerifiedAccessEndpoints operation,
+// calling the "fn" function with the response data for each page. To stop
+// iterating, return false from the fn function.
+//
+// See DescribeVerifiedAccessEndpoints method for more information on how to use this operation.
+//
+// Note: This operation can generate multiple requests to a service.
+//
+//	// Example iterating over at most 3 pages of a DescribeVerifiedAccessEndpoints operation.
+//	pageNum := 0
+//	err := client.DescribeVerifiedAccessEndpointsPages(params,
+//	    func(page *ec2.DescribeVerifiedAccessEndpointsOutput, lastPage bool) bool {
+//	        pageNum++
+//	        fmt.Println(page)
+//	        return pageNum <= 3
+//	    })
+func (c *EC2) DescribeVerifiedAccessEndpointsPages(input *DescribeVerifiedAccessEndpointsInput, fn func(*DescribeVerifiedAccessEndpointsOutput, bool) bool) error {
+	return c.DescribeVerifiedAccessEndpointsPagesWithContext(aws.BackgroundContext(), input, fn)
+}
+
+// DescribeVerifiedAccessEndpointsPagesWithContext same as DescribeVerifiedAccessEndpointsPages except
+// it takes a Context and allows setting request options on the pages.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) DescribeVerifiedAccessEndpointsPagesWithContext(ctx aws.Context, input *DescribeVerifiedAccessEndpointsInput, fn func(*DescribeVerifiedAccessEndpointsOutput, bool) bool, opts ...request.Option) error {
+	p := request.Pagination{
+		NewRequest: func() (*request.Request, error) {
+			var inCpy *DescribeVerifiedAccessEndpointsInput
+			if input != nil {
+				tmp := *input
+				inCpy = &tmp
+			}
+			req, _ := c.DescribeVerifiedAccessEndpointsRequest(inCpy)
+			req.SetContext(ctx)
+			req.ApplyOptions(opts...)
+			return req, nil
+		},
+	}
+
+	for p.Next() {
+		if !fn(p.Page().(*DescribeVerifiedAccessEndpointsOutput), !p.HasNextPage()) {
+			break
+		}
+	}
+
+	return p.Err()
+}
+
+const opDescribeVerifiedAccessGroups = "DescribeVerifiedAccessGroups"
+
+// DescribeVerifiedAccessGroupsRequest generates a "aws/request.Request" representing the
+// client's request for the DescribeVerifiedAccessGroups operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See DescribeVerifiedAccessGroups for more information on using the DescribeVerifiedAccessGroups
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//	// Example sending a request using the DescribeVerifiedAccessGroupsRequest method.
+//	req, resp := client.DescribeVerifiedAccessGroupsRequest(params)
+//
+//	err := req.Send()
+//	if err == nil { // resp is now filled
+//	    fmt.Println(resp)
+//	}
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeVerifiedAccessGroups
+func (c *EC2) DescribeVerifiedAccessGroupsRequest(input *DescribeVerifiedAccessGroupsInput) (req *request.Request, output *DescribeVerifiedAccessGroupsOutput) {
+	op := &request.Operation{
+		Name:       opDescribeVerifiedAccessGroups,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+		Paginator: &request.Paginator{
+			InputTokens:     []string{"NextToken"},
+			OutputTokens:    []string{"NextToken"},
+			LimitToken:      "MaxResults",
+			TruncationToken: "",
+		},
+	}
+
+	if input == nil {
+		input = &DescribeVerifiedAccessGroupsInput{}
+	}
+
+	output = &DescribeVerifiedAccessGroupsOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// DescribeVerifiedAccessGroups API operation for Amazon Elastic Compute Cloud.
+//
+// Describe details of existing Verified Access groups.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon Elastic Compute Cloud's
+// API operation DescribeVerifiedAccessGroups for usage and error information.
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeVerifiedAccessGroups
+func (c *EC2) DescribeVerifiedAccessGroups(input *DescribeVerifiedAccessGroupsInput) (*DescribeVerifiedAccessGroupsOutput, error) {
+	req, out := c.DescribeVerifiedAccessGroupsRequest(input)
+	return out, req.Send()
+}
+
+// DescribeVerifiedAccessGroupsWithContext is the same as DescribeVerifiedAccessGroups with the addition of
+// the ability to pass a context and additional request options.
+//
+// See DescribeVerifiedAccessGroups for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) DescribeVerifiedAccessGroupsWithContext(ctx aws.Context, input *DescribeVerifiedAccessGroupsInput, opts ...request.Option) (*DescribeVerifiedAccessGroupsOutput, error) {
+	req, out := c.DescribeVerifiedAccessGroupsRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
+// DescribeVerifiedAccessGroupsPages iterates over the pages of a DescribeVerifiedAccessGroups operation,
+// calling the "fn" function with the response data for each page. To stop
+// iterating, return false from the fn function.
+//
+// See DescribeVerifiedAccessGroups method for more information on how to use this operation.
+//
+// Note: This operation can generate multiple requests to a service.
+//
+//	// Example iterating over at most 3 pages of a DescribeVerifiedAccessGroups operation.
+//	pageNum := 0
+//	err := client.DescribeVerifiedAccessGroupsPages(params,
+//	    func(page *ec2.DescribeVerifiedAccessGroupsOutput, lastPage bool) bool {
+//	        pageNum++
+//	        fmt.Println(page)
+//	        return pageNum <= 3
+//	    })
+func (c *EC2) DescribeVerifiedAccessGroupsPages(input *DescribeVerifiedAccessGroupsInput, fn func(*DescribeVerifiedAccessGroupsOutput, bool) bool) error {
+	return c.DescribeVerifiedAccessGroupsPagesWithContext(aws.BackgroundContext(), input, fn)
+}
+
+// DescribeVerifiedAccessGroupsPagesWithContext same as DescribeVerifiedAccessGroupsPages except
+// it takes a Context and allows setting request options on the pages.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) DescribeVerifiedAccessGroupsPagesWithContext(ctx aws.Context, input *DescribeVerifiedAccessGroupsInput, fn func(*DescribeVerifiedAccessGroupsOutput, bool) bool, opts ...request.Option) error {
+	p := request.Pagination{
+		NewRequest: func() (*request.Request, error) {
+			var inCpy *DescribeVerifiedAccessGroupsInput
+			if input != nil {
+				tmp := *input
+				inCpy = &tmp
+			}
+			req, _ := c.DescribeVerifiedAccessGroupsRequest(inCpy)
+			req.SetContext(ctx)
+			req.ApplyOptions(opts...)
+			return req, nil
+		},
+	}
+
+	for p.Next() {
+		if !fn(p.Page().(*DescribeVerifiedAccessGroupsOutput), !p.HasNextPage()) {
+			break
+		}
+	}
+
+	return p.Err()
+}
+
+const opDescribeVerifiedAccessInstanceLoggingConfigurations = "DescribeVerifiedAccessInstanceLoggingConfigurations"
+
+// DescribeVerifiedAccessInstanceLoggingConfigurationsRequest generates a "aws/request.Request" representing the
+// client's request for the DescribeVerifiedAccessInstanceLoggingConfigurations operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See DescribeVerifiedAccessInstanceLoggingConfigurations for more information on using the DescribeVerifiedAccessInstanceLoggingConfigurations
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//	// Example sending a request using the DescribeVerifiedAccessInstanceLoggingConfigurationsRequest method.
+//	req, resp := client.DescribeVerifiedAccessInstanceLoggingConfigurationsRequest(params)
+//
+//	err := req.Send()
+//	if err == nil { // resp is now filled
+//	    fmt.Println(resp)
+//	}
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeVerifiedAccessInstanceLoggingConfigurations
+func (c *EC2) DescribeVerifiedAccessInstanceLoggingConfigurationsRequest(input *DescribeVerifiedAccessInstanceLoggingConfigurationsInput) (req *request.Request, output *DescribeVerifiedAccessInstanceLoggingConfigurationsOutput) {
+	op := &request.Operation{
+		Name:       opDescribeVerifiedAccessInstanceLoggingConfigurations,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+		Paginator: &request.Paginator{
+			InputTokens:     []string{"NextToken"},
+			OutputTokens:    []string{"NextToken"},
+			LimitToken:      "MaxResults",
+			TruncationToken: "",
+		},
+	}
+
+	if input == nil {
+		input = &DescribeVerifiedAccessInstanceLoggingConfigurationsInput{}
+	}
+
+	output = &DescribeVerifiedAccessInstanceLoggingConfigurationsOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// DescribeVerifiedAccessInstanceLoggingConfigurations API operation for Amazon Elastic Compute Cloud.
+//
+// Describes the current logging configuration for the Amazon Web Services Verified
+// Access instances.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon Elastic Compute Cloud's
+// API operation DescribeVerifiedAccessInstanceLoggingConfigurations for usage and error information.
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeVerifiedAccessInstanceLoggingConfigurations
+func (c *EC2) DescribeVerifiedAccessInstanceLoggingConfigurations(input *DescribeVerifiedAccessInstanceLoggingConfigurationsInput) (*DescribeVerifiedAccessInstanceLoggingConfigurationsOutput, error) {
+	req, out := c.DescribeVerifiedAccessInstanceLoggingConfigurationsRequest(input)
+	return out, req.Send()
+}
+
+// DescribeVerifiedAccessInstanceLoggingConfigurationsWithContext is the same as DescribeVerifiedAccessInstanceLoggingConfigurations with the addition of
+// the ability to pass a context and additional request options.
+//
+// See DescribeVerifiedAccessInstanceLoggingConfigurations for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) DescribeVerifiedAccessInstanceLoggingConfigurationsWithContext(ctx aws.Context, input *DescribeVerifiedAccessInstanceLoggingConfigurationsInput, opts ...request.Option) (*DescribeVerifiedAccessInstanceLoggingConfigurationsOutput, error) {
+	req, out := c.DescribeVerifiedAccessInstanceLoggingConfigurationsRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
+// DescribeVerifiedAccessInstanceLoggingConfigurationsPages iterates over the pages of a DescribeVerifiedAccessInstanceLoggingConfigurations operation,
+// calling the "fn" function with the response data for each page. To stop
+// iterating, return false from the fn function.
+//
+// See DescribeVerifiedAccessInstanceLoggingConfigurations method for more information on how to use this operation.
+//
+// Note: This operation can generate multiple requests to a service.
+//
+//	// Example iterating over at most 3 pages of a DescribeVerifiedAccessInstanceLoggingConfigurations operation.
+//	pageNum := 0
+//	err := client.DescribeVerifiedAccessInstanceLoggingConfigurationsPages(params,
+//	    func(page *ec2.DescribeVerifiedAccessInstanceLoggingConfigurationsOutput, lastPage bool) bool {
+//	        pageNum++
+//	        fmt.Println(page)
+//	        return pageNum <= 3
+//	    })
+func (c *EC2) DescribeVerifiedAccessInstanceLoggingConfigurationsPages(input *DescribeVerifiedAccessInstanceLoggingConfigurationsInput, fn func(*DescribeVerifiedAccessInstanceLoggingConfigurationsOutput, bool) bool) error {
+	return c.DescribeVerifiedAccessInstanceLoggingConfigurationsPagesWithContext(aws.BackgroundContext(), input, fn)
+}
+
+// DescribeVerifiedAccessInstanceLoggingConfigurationsPagesWithContext same as DescribeVerifiedAccessInstanceLoggingConfigurationsPages except
+// it takes a Context and allows setting request options on the pages.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) DescribeVerifiedAccessInstanceLoggingConfigurationsPagesWithContext(ctx aws.Context, input *DescribeVerifiedAccessInstanceLoggingConfigurationsInput, fn func(*DescribeVerifiedAccessInstanceLoggingConfigurationsOutput, bool) bool, opts ...request.Option) error {
+	p := request.Pagination{
+		NewRequest: func() (*request.Request, error) {
+			var inCpy *DescribeVerifiedAccessInstanceLoggingConfigurationsInput
+			if input != nil {
+				tmp := *input
+				inCpy = &tmp
+			}
+			req, _ := c.DescribeVerifiedAccessInstanceLoggingConfigurationsRequest(inCpy)
+			req.SetContext(ctx)
+			req.ApplyOptions(opts...)
+			return req, nil
+		},
+	}
+
+	for p.Next() {
+		if !fn(p.Page().(*DescribeVerifiedAccessInstanceLoggingConfigurationsOutput), !p.HasNextPage()) {
+			break
+		}
+	}
+
+	return p.Err()
+}
+
+const opDescribeVerifiedAccessInstances = "DescribeVerifiedAccessInstances"
+
+// DescribeVerifiedAccessInstancesRequest generates a "aws/request.Request" representing the
+// client's request for the DescribeVerifiedAccessInstances operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See DescribeVerifiedAccessInstances for more information on using the DescribeVerifiedAccessInstances
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//	// Example sending a request using the DescribeVerifiedAccessInstancesRequest method.
+//	req, resp := client.DescribeVerifiedAccessInstancesRequest(params)
+//
+//	err := req.Send()
+//	if err == nil { // resp is now filled
+//	    fmt.Println(resp)
+//	}
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeVerifiedAccessInstances
+func (c *EC2) DescribeVerifiedAccessInstancesRequest(input *DescribeVerifiedAccessInstancesInput) (req *request.Request, output *DescribeVerifiedAccessInstancesOutput) {
+	op := &request.Operation{
+		Name:       opDescribeVerifiedAccessInstances,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+		Paginator: &request.Paginator{
+			InputTokens:     []string{"NextToken"},
+			OutputTokens:    []string{"NextToken"},
+			LimitToken:      "MaxResults",
+			TruncationToken: "",
+		},
+	}
+
+	if input == nil {
+		input = &DescribeVerifiedAccessInstancesInput{}
+	}
+
+	output = &DescribeVerifiedAccessInstancesOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// DescribeVerifiedAccessInstances API operation for Amazon Elastic Compute Cloud.
+//
+// Describe Verified Access instances.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon Elastic Compute Cloud's
+// API operation DescribeVerifiedAccessInstances for usage and error information.
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeVerifiedAccessInstances
+func (c *EC2) DescribeVerifiedAccessInstances(input *DescribeVerifiedAccessInstancesInput) (*DescribeVerifiedAccessInstancesOutput, error) {
+	req, out := c.DescribeVerifiedAccessInstancesRequest(input)
+	return out, req.Send()
+}
+
+// DescribeVerifiedAccessInstancesWithContext is the same as DescribeVerifiedAccessInstances with the addition of
+// the ability to pass a context and additional request options.
+//
+// See DescribeVerifiedAccessInstances for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) DescribeVerifiedAccessInstancesWithContext(ctx aws.Context, input *DescribeVerifiedAccessInstancesInput, opts ...request.Option) (*DescribeVerifiedAccessInstancesOutput, error) {
+	req, out := c.DescribeVerifiedAccessInstancesRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
+// DescribeVerifiedAccessInstancesPages iterates over the pages of a DescribeVerifiedAccessInstances operation,
+// calling the "fn" function with the response data for each page. To stop
+// iterating, return false from the fn function.
+//
+// See DescribeVerifiedAccessInstances method for more information on how to use this operation.
+//
+// Note: This operation can generate multiple requests to a service.
+//
+//	// Example iterating over at most 3 pages of a DescribeVerifiedAccessInstances operation.
+//	pageNum := 0
+//	err := client.DescribeVerifiedAccessInstancesPages(params,
+//	    func(page *ec2.DescribeVerifiedAccessInstancesOutput, lastPage bool) bool {
+//	        pageNum++
+//	        fmt.Println(page)
+//	        return pageNum <= 3
+//	    })
+func (c *EC2) DescribeVerifiedAccessInstancesPages(input *DescribeVerifiedAccessInstancesInput, fn func(*DescribeVerifiedAccessInstancesOutput, bool) bool) error {
+	return c.DescribeVerifiedAccessInstancesPagesWithContext(aws.BackgroundContext(), input, fn)
+}
+
+// DescribeVerifiedAccessInstancesPagesWithContext same as DescribeVerifiedAccessInstancesPages except
+// it takes a Context and allows setting request options on the pages.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) DescribeVerifiedAccessInstancesPagesWithContext(ctx aws.Context, input *DescribeVerifiedAccessInstancesInput, fn func(*DescribeVerifiedAccessInstancesOutput, bool) bool, opts ...request.Option) error {
+	p := request.Pagination{
+		NewRequest: func() (*request.Request, error) {
+			var inCpy *DescribeVerifiedAccessInstancesInput
+			if input != nil {
+				tmp := *input
+				inCpy = &tmp
+			}
+			req, _ := c.DescribeVerifiedAccessInstancesRequest(inCpy)
+			req.SetContext(ctx)
+			req.ApplyOptions(opts...)
+			return req, nil
+		},
+	}
+
+	for p.Next() {
+		if !fn(p.Page().(*DescribeVerifiedAccessInstancesOutput), !p.HasNextPage()) {
+			break
+		}
+	}
+
+	return p.Err()
+}
+
+const opDescribeVerifiedAccessTrustProviders = "DescribeVerifiedAccessTrustProviders"
+
+// DescribeVerifiedAccessTrustProvidersRequest generates a "aws/request.Request" representing the
+// client's request for the DescribeVerifiedAccessTrustProviders operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See DescribeVerifiedAccessTrustProviders for more information on using the DescribeVerifiedAccessTrustProviders
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//	// Example sending a request using the DescribeVerifiedAccessTrustProvidersRequest method.
+//	req, resp := client.DescribeVerifiedAccessTrustProvidersRequest(params)
+//
+//	err := req.Send()
+//	if err == nil { // resp is now filled
+//	    fmt.Println(resp)
+//	}
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeVerifiedAccessTrustProviders
+func (c *EC2) DescribeVerifiedAccessTrustProvidersRequest(input *DescribeVerifiedAccessTrustProvidersInput) (req *request.Request, output *DescribeVerifiedAccessTrustProvidersOutput) {
+	op := &request.Operation{
+		Name:       opDescribeVerifiedAccessTrustProviders,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+		Paginator: &request.Paginator{
+			InputTokens:     []string{"NextToken"},
+			OutputTokens:    []string{"NextToken"},
+			LimitToken:      "MaxResults",
+			TruncationToken: "",
+		},
+	}
+
+	if input == nil {
+		input = &DescribeVerifiedAccessTrustProvidersInput{}
+	}
+
+	output = &DescribeVerifiedAccessTrustProvidersOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// DescribeVerifiedAccessTrustProviders API operation for Amazon Elastic Compute Cloud.
+//
+// Describe details of existing Verified Access trust providers.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon Elastic Compute Cloud's
+// API operation DescribeVerifiedAccessTrustProviders for usage and error information.
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeVerifiedAccessTrustProviders
+func (c *EC2) DescribeVerifiedAccessTrustProviders(input *DescribeVerifiedAccessTrustProvidersInput) (*DescribeVerifiedAccessTrustProvidersOutput, error) {
+	req, out := c.DescribeVerifiedAccessTrustProvidersRequest(input)
+	return out, req.Send()
+}
+
+// DescribeVerifiedAccessTrustProvidersWithContext is the same as DescribeVerifiedAccessTrustProviders with the addition of
+// the ability to pass a context and additional request options.
+//
+// See DescribeVerifiedAccessTrustProviders for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) DescribeVerifiedAccessTrustProvidersWithContext(ctx aws.Context, input *DescribeVerifiedAccessTrustProvidersInput, opts ...request.Option) (*DescribeVerifiedAccessTrustProvidersOutput, error) {
+	req, out := c.DescribeVerifiedAccessTrustProvidersRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
+// DescribeVerifiedAccessTrustProvidersPages iterates over the pages of a DescribeVerifiedAccessTrustProviders operation,
+// calling the "fn" function with the response data for each page. To stop
+// iterating, return false from the fn function.
+//
+// See DescribeVerifiedAccessTrustProviders method for more information on how to use this operation.
+//
+// Note: This operation can generate multiple requests to a service.
+//
+//	// Example iterating over at most 3 pages of a DescribeVerifiedAccessTrustProviders operation.
+//	pageNum := 0
+//	err := client.DescribeVerifiedAccessTrustProvidersPages(params,
+//	    func(page *ec2.DescribeVerifiedAccessTrustProvidersOutput, lastPage bool) bool {
+//	        pageNum++
+//	        fmt.Println(page)
+//	        return pageNum <= 3
+//	    })
+func (c *EC2) DescribeVerifiedAccessTrustProvidersPages(input *DescribeVerifiedAccessTrustProvidersInput, fn func(*DescribeVerifiedAccessTrustProvidersOutput, bool) bool) error {
+	return c.DescribeVerifiedAccessTrustProvidersPagesWithContext(aws.BackgroundContext(), input, fn)
+}
+
+// DescribeVerifiedAccessTrustProvidersPagesWithContext same as DescribeVerifiedAccessTrustProvidersPages except
+// it takes a Context and allows setting request options on the pages.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) DescribeVerifiedAccessTrustProvidersPagesWithContext(ctx aws.Context, input *DescribeVerifiedAccessTrustProvidersInput, fn func(*DescribeVerifiedAccessTrustProvidersOutput, bool) bool, opts ...request.Option) error {
+	p := request.Pagination{
+		NewRequest: func() (*request.Request, error) {
+			var inCpy *DescribeVerifiedAccessTrustProvidersInput
+			if input != nil {
+				tmp := *input
+				inCpy = &tmp
+			}
+			req, _ := c.DescribeVerifiedAccessTrustProvidersRequest(inCpy)
+			req.SetContext(ctx)
+			req.ApplyOptions(opts...)
+			return req, nil
+		},
+	}
+
+	for p.Next() {
+		if !fn(p.Page().(*DescribeVerifiedAccessTrustProvidersOutput), !p.HasNextPage()) {
+			break
+		}
+	}
+
+	return p.Err()
+}
+
 const opDescribeVolumeAttribute = "DescribeVolumeAttribute"
 
 // DescribeVolumeAttributeRequest generates a "aws/request.Request" representing the
@@ -32517,6 +34027,79 @@ func (c *EC2) DetachNetworkInterfaceWithContext(ctx aws.Context, input *DetachNe
 	return out, req.Send()
 }
 
+const opDetachVerifiedAccessTrustProvider = "DetachVerifiedAccessTrustProvider"
+
+// DetachVerifiedAccessTrustProviderRequest generates a "aws/request.Request" representing the
+// client's request for the DetachVerifiedAccessTrustProvider operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See DetachVerifiedAccessTrustProvider for more information on using the DetachVerifiedAccessTrustProvider
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//	// Example sending a request using the DetachVerifiedAccessTrustProviderRequest method.
+//	req, resp := client.DetachVerifiedAccessTrustProviderRequest(params)
+//
+//	err := req.Send()
+//	if err == nil { // resp is now filled
+//	    fmt.Println(resp)
+//	}
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DetachVerifiedAccessTrustProvider
+func (c *EC2) DetachVerifiedAccessTrustProviderRequest(input *DetachVerifiedAccessTrustProviderInput) (req *request.Request, output *DetachVerifiedAccessTrustProviderOutput) {
+	op := &request.Operation{
+		Name:       opDetachVerifiedAccessTrustProvider,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+	}
+
+	if input == nil {
+		input = &DetachVerifiedAccessTrustProviderInput{}
+	}
+
+	output = &DetachVerifiedAccessTrustProviderOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// DetachVerifiedAccessTrustProvider API operation for Amazon Elastic Compute Cloud.
+//
+// Detach a trust provider from an Amazon Web Services Verified Access instance.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon Elastic Compute Cloud's
+// API operation DetachVerifiedAccessTrustProvider for usage and error information.
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DetachVerifiedAccessTrustProvider
+func (c *EC2) DetachVerifiedAccessTrustProvider(input *DetachVerifiedAccessTrustProviderInput) (*DetachVerifiedAccessTrustProviderOutput, error) {
+	req, out := c.DetachVerifiedAccessTrustProviderRequest(input)
+	return out, req.Send()
+}
+
+// DetachVerifiedAccessTrustProviderWithContext is the same as DetachVerifiedAccessTrustProvider with the addition of
+// the ability to pass a context and additional request options.
+//
+// See DetachVerifiedAccessTrustProvider for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) DetachVerifiedAccessTrustProviderWithContext(ctx aws.Context, input *DetachVerifiedAccessTrustProviderInput, opts ...request.Option) (*DetachVerifiedAccessTrustProviderOutput, error) {
+	req, out := c.DetachVerifiedAccessTrustProviderRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
 const opDetachVolume = "DetachVolume"
 
 // DetachVolumeRequest generates a "aws/request.Request" representing the
@@ -32759,6 +34342,79 @@ func (c *EC2) DisableAddressTransferWithContext(ctx aws.Context, input *DisableA
 	return out, req.Send()
 }
 
+const opDisableAwsNetworkPerformanceMetricSubscription = "DisableAwsNetworkPerformanceMetricSubscription"
+
+// DisableAwsNetworkPerformanceMetricSubscriptionRequest generates a "aws/request.Request" representing the
+// client's request for the DisableAwsNetworkPerformanceMetricSubscription operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See DisableAwsNetworkPerformanceMetricSubscription for more information on using the DisableAwsNetworkPerformanceMetricSubscription
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//	// Example sending a request using the DisableAwsNetworkPerformanceMetricSubscriptionRequest method.
+//	req, resp := client.DisableAwsNetworkPerformanceMetricSubscriptionRequest(params)
+//
+//	err := req.Send()
+//	if err == nil { // resp is now filled
+//	    fmt.Println(resp)
+//	}
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DisableAwsNetworkPerformanceMetricSubscription
+func (c *EC2) DisableAwsNetworkPerformanceMetricSubscriptionRequest(input *DisableAwsNetworkPerformanceMetricSubscriptionInput) (req *request.Request, output *DisableAwsNetworkPerformanceMetricSubscriptionOutput) {
+	op := &request.Operation{
+		Name:       opDisableAwsNetworkPerformanceMetricSubscription,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+	}
+
+	if input == nil {
+		input = &DisableAwsNetworkPerformanceMetricSubscriptionInput{}
+	}
+
+	output = &DisableAwsNetworkPerformanceMetricSubscriptionOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// DisableAwsNetworkPerformanceMetricSubscription API operation for Amazon Elastic Compute Cloud.
+//
+// Disables Infrastructure Performance metric subscriptions.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon Elastic Compute Cloud's
+// API operation DisableAwsNetworkPerformanceMetricSubscription for usage and error information.
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DisableAwsNetworkPerformanceMetricSubscription
+func (c *EC2) DisableAwsNetworkPerformanceMetricSubscription(input *DisableAwsNetworkPerformanceMetricSubscriptionInput) (*DisableAwsNetworkPerformanceMetricSubscriptionOutput, error) {
+	req, out := c.DisableAwsNetworkPerformanceMetricSubscriptionRequest(input)
+	return out, req.Send()
+}
+
+// DisableAwsNetworkPerformanceMetricSubscriptionWithContext is the same as DisableAwsNetworkPerformanceMetricSubscription with the addition of
+// the ability to pass a context and additional request options.
+//
+// See DisableAwsNetworkPerformanceMetricSubscription for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) DisableAwsNetworkPerformanceMetricSubscriptionWithContext(ctx aws.Context, input *DisableAwsNetworkPerformanceMetricSubscriptionInput, opts ...request.Option) (*DisableAwsNetworkPerformanceMetricSubscriptionOutput, error) {
+	req, out := c.DisableAwsNetworkPerformanceMetricSubscriptionRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
 const opDisableEbsEncryptionByDefault = "DisableEbsEncryptionByDefault"
 
 // DisableEbsEncryptionByDefaultRequest generates a "aws/request.Request" representing the
@@ -33039,7 +34695,7 @@ func (c *EC2) DisableImageDeprecationRequest(input *DisableImageDeprecationInput
 // Cancels the deprecation of the specified AMI.
 //
 // For more information, see Deprecate an AMI (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-deprecate.html)
-// in the Amazon Elastic Compute Cloud User Guide.
+// in the Amazon EC2 User Guide.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
 // with awserr.Error's Code and Message methods to get detailed information about
@@ -34533,6 +36189,79 @@ func (c *EC2) EnableAddressTransferWithContext(ctx aws.Context, input *EnableAdd
 	return out, req.Send()
 }
 
+const opEnableAwsNetworkPerformanceMetricSubscription = "EnableAwsNetworkPerformanceMetricSubscription"
+
+// EnableAwsNetworkPerformanceMetricSubscriptionRequest generates a "aws/request.Request" representing the
+// client's request for the EnableAwsNetworkPerformanceMetricSubscription operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See EnableAwsNetworkPerformanceMetricSubscription for more information on using the EnableAwsNetworkPerformanceMetricSubscription
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//	// Example sending a request using the EnableAwsNetworkPerformanceMetricSubscriptionRequest method.
+//	req, resp := client.EnableAwsNetworkPerformanceMetricSubscriptionRequest(params)
+//
+//	err := req.Send()
+//	if err == nil { // resp is now filled
+//	    fmt.Println(resp)
+//	}
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/EnableAwsNetworkPerformanceMetricSubscription
+func (c *EC2) EnableAwsNetworkPerformanceMetricSubscriptionRequest(input *EnableAwsNetworkPerformanceMetricSubscriptionInput) (req *request.Request, output *EnableAwsNetworkPerformanceMetricSubscriptionOutput) {
+	op := &request.Operation{
+		Name:       opEnableAwsNetworkPerformanceMetricSubscription,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+	}
+
+	if input == nil {
+		input = &EnableAwsNetworkPerformanceMetricSubscriptionInput{}
+	}
+
+	output = &EnableAwsNetworkPerformanceMetricSubscriptionOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// EnableAwsNetworkPerformanceMetricSubscription API operation for Amazon Elastic Compute Cloud.
+//
+// Enables Infrastructure Performance subscriptions.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon Elastic Compute Cloud's
+// API operation EnableAwsNetworkPerformanceMetricSubscription for usage and error information.
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/EnableAwsNetworkPerformanceMetricSubscription
+func (c *EC2) EnableAwsNetworkPerformanceMetricSubscription(input *EnableAwsNetworkPerformanceMetricSubscriptionInput) (*EnableAwsNetworkPerformanceMetricSubscriptionOutput, error) {
+	req, out := c.EnableAwsNetworkPerformanceMetricSubscriptionRequest(input)
+	return out, req.Send()
+}
+
+// EnableAwsNetworkPerformanceMetricSubscriptionWithContext is the same as EnableAwsNetworkPerformanceMetricSubscription with the addition of
+// the ability to pass a context and additional request options.
+//
+// See EnableAwsNetworkPerformanceMetricSubscription for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) EnableAwsNetworkPerformanceMetricSubscriptionWithContext(ctx aws.Context, input *EnableAwsNetworkPerformanceMetricSubscriptionInput, opts ...request.Option) (*EnableAwsNetworkPerformanceMetricSubscriptionOutput, error) {
+	req, out := c.EnableAwsNetworkPerformanceMetricSubscriptionRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
 const opEnableEbsEncryptionByDefault = "EnableEbsEncryptionByDefault"
 
 // EnableEbsEncryptionByDefaultRequest generates a "aws/request.Request" representing the
@@ -34829,7 +36558,7 @@ func (c *EC2) EnableImageDeprecationRequest(input *EnableImageDeprecationInput)
 // Enables deprecation of the specified AMI at the specified date and time.
 //
 // For more information, see Deprecate an AMI (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-deprecate.html)
-// in the Amazon Elastic Compute Cloud User Guide.
+// in the Amazon EC2 User Guide.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
 // with awserr.Error's Code and Message methods to get detailed information about
@@ -34935,6 +36664,84 @@ func (c *EC2) EnableIpamOrganizationAdminAccountWithContext(ctx aws.Context, inp
 	return out, req.Send()
 }
 
+const opEnableReachabilityAnalyzerOrganizationSharing = "EnableReachabilityAnalyzerOrganizationSharing"
+
+// EnableReachabilityAnalyzerOrganizationSharingRequest generates a "aws/request.Request" representing the
+// client's request for the EnableReachabilityAnalyzerOrganizationSharing operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See EnableReachabilityAnalyzerOrganizationSharing for more information on using the EnableReachabilityAnalyzerOrganizationSharing
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//	// Example sending a request using the EnableReachabilityAnalyzerOrganizationSharingRequest method.
+//	req, resp := client.EnableReachabilityAnalyzerOrganizationSharingRequest(params)
+//
+//	err := req.Send()
+//	if err == nil { // resp is now filled
+//	    fmt.Println(resp)
+//	}
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/EnableReachabilityAnalyzerOrganizationSharing
+func (c *EC2) EnableReachabilityAnalyzerOrganizationSharingRequest(input *EnableReachabilityAnalyzerOrganizationSharingInput) (req *request.Request, output *EnableReachabilityAnalyzerOrganizationSharingOutput) {
+	op := &request.Operation{
+		Name:       opEnableReachabilityAnalyzerOrganizationSharing,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+	}
+
+	if input == nil {
+		input = &EnableReachabilityAnalyzerOrganizationSharingInput{}
+	}
+
+	output = &EnableReachabilityAnalyzerOrganizationSharingOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// EnableReachabilityAnalyzerOrganizationSharing API operation for Amazon Elastic Compute Cloud.
+//
+// Establishes a trust relationship between Reachability Analyzer and Organizations.
+// This operation must be performed by the management account for the organization.
+//
+// After you establish a trust relationship, a user in the management account
+// or a delegated administrator account can run a cross-account analysis using
+// resources from the member accounts.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon Elastic Compute Cloud's
+// API operation EnableReachabilityAnalyzerOrganizationSharing for usage and error information.
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/EnableReachabilityAnalyzerOrganizationSharing
+func (c *EC2) EnableReachabilityAnalyzerOrganizationSharing(input *EnableReachabilityAnalyzerOrganizationSharingInput) (*EnableReachabilityAnalyzerOrganizationSharingOutput, error) {
+	req, out := c.EnableReachabilityAnalyzerOrganizationSharingRequest(input)
+	return out, req.Send()
+}
+
+// EnableReachabilityAnalyzerOrganizationSharingWithContext is the same as EnableReachabilityAnalyzerOrganizationSharing with the addition of
+// the ability to pass a context and additional request options.
+//
+// See EnableReachabilityAnalyzerOrganizationSharing for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) EnableReachabilityAnalyzerOrganizationSharingWithContext(ctx aws.Context, input *EnableReachabilityAnalyzerOrganizationSharingInput, opts ...request.Option) (*EnableReachabilityAnalyzerOrganizationSharingOutput, error) {
+	req, out := c.EnableReachabilityAnalyzerOrganizationSharingRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
 const opEnableSerialConsoleAccess = "EnableSerialConsoleAccess"
 
 // EnableSerialConsoleAccessRequest generates a "aws/request.Request" representing the
@@ -35916,6 +37723,136 @@ func (c *EC2) GetAssociatedIpv6PoolCidrsPagesWithContext(ctx aws.Context, input
 	return p.Err()
 }
 
+const opGetAwsNetworkPerformanceData = "GetAwsNetworkPerformanceData"
+
+// GetAwsNetworkPerformanceDataRequest generates a "aws/request.Request" representing the
+// client's request for the GetAwsNetworkPerformanceData operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See GetAwsNetworkPerformanceData for more information on using the GetAwsNetworkPerformanceData
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//	// Example sending a request using the GetAwsNetworkPerformanceDataRequest method.
+//	req, resp := client.GetAwsNetworkPerformanceDataRequest(params)
+//
+//	err := req.Send()
+//	if err == nil { // resp is now filled
+//	    fmt.Println(resp)
+//	}
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/GetAwsNetworkPerformanceData
+func (c *EC2) GetAwsNetworkPerformanceDataRequest(input *GetAwsNetworkPerformanceDataInput) (req *request.Request, output *GetAwsNetworkPerformanceDataOutput) {
+	op := &request.Operation{
+		Name:       opGetAwsNetworkPerformanceData,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+		Paginator: &request.Paginator{
+			InputTokens:     []string{"NextToken"},
+			OutputTokens:    []string{"NextToken"},
+			LimitToken:      "MaxResults",
+			TruncationToken: "",
+		},
+	}
+
+	if input == nil {
+		input = &GetAwsNetworkPerformanceDataInput{}
+	}
+
+	output = &GetAwsNetworkPerformanceDataOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// GetAwsNetworkPerformanceData API operation for Amazon Elastic Compute Cloud.
+//
+// Gets network performance data.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon Elastic Compute Cloud's
+// API operation GetAwsNetworkPerformanceData for usage and error information.
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/GetAwsNetworkPerformanceData
+func (c *EC2) GetAwsNetworkPerformanceData(input *GetAwsNetworkPerformanceDataInput) (*GetAwsNetworkPerformanceDataOutput, error) {
+	req, out := c.GetAwsNetworkPerformanceDataRequest(input)
+	return out, req.Send()
+}
+
+// GetAwsNetworkPerformanceDataWithContext is the same as GetAwsNetworkPerformanceData with the addition of
+// the ability to pass a context and additional request options.
+//
+// See GetAwsNetworkPerformanceData for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) GetAwsNetworkPerformanceDataWithContext(ctx aws.Context, input *GetAwsNetworkPerformanceDataInput, opts ...request.Option) (*GetAwsNetworkPerformanceDataOutput, error) {
+	req, out := c.GetAwsNetworkPerformanceDataRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
+// GetAwsNetworkPerformanceDataPages iterates over the pages of a GetAwsNetworkPerformanceData operation,
+// calling the "fn" function with the response data for each page. To stop
+// iterating, return false from the fn function.
+//
+// See GetAwsNetworkPerformanceData method for more information on how to use this operation.
+//
+// Note: This operation can generate multiple requests to a service.
+//
+//	// Example iterating over at most 3 pages of a GetAwsNetworkPerformanceData operation.
+//	pageNum := 0
+//	err := client.GetAwsNetworkPerformanceDataPages(params,
+//	    func(page *ec2.GetAwsNetworkPerformanceDataOutput, lastPage bool) bool {
+//	        pageNum++
+//	        fmt.Println(page)
+//	        return pageNum <= 3
+//	    })
+func (c *EC2) GetAwsNetworkPerformanceDataPages(input *GetAwsNetworkPerformanceDataInput, fn func(*GetAwsNetworkPerformanceDataOutput, bool) bool) error {
+	return c.GetAwsNetworkPerformanceDataPagesWithContext(aws.BackgroundContext(), input, fn)
+}
+
+// GetAwsNetworkPerformanceDataPagesWithContext same as GetAwsNetworkPerformanceDataPages except
+// it takes a Context and allows setting request options on the pages.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) GetAwsNetworkPerformanceDataPagesWithContext(ctx aws.Context, input *GetAwsNetworkPerformanceDataInput, fn func(*GetAwsNetworkPerformanceDataOutput, bool) bool, opts ...request.Option) error {
+	p := request.Pagination{
+		NewRequest: func() (*request.Request, error) {
+			var inCpy *GetAwsNetworkPerformanceDataInput
+			if input != nil {
+				tmp := *input
+				inCpy = &tmp
+			}
+			req, _ := c.GetAwsNetworkPerformanceDataRequest(inCpy)
+			req.SetContext(ctx)
+			req.ApplyOptions(opts...)
+			return req, nil
+		},
+	}
+
+	for p.Next() {
+		if !fn(p.Page().(*GetAwsNetworkPerformanceDataOutput), !p.HasNextPage()) {
+			break
+		}
+	}
+
+	return p.Err()
+}
+
 const opGetCapacityReservationUsage = "GetCapacityReservationUsage"
 
 // GetCapacityReservationUsageRequest generates a "aws/request.Request" representing the
@@ -39308,6 +41245,152 @@ func (c *EC2) GetTransitGatewayRouteTablePropagationsPagesWithContext(ctx aws.Co
 	return p.Err()
 }
 
+const opGetVerifiedAccessEndpointPolicy = "GetVerifiedAccessEndpointPolicy"
+
+// GetVerifiedAccessEndpointPolicyRequest generates a "aws/request.Request" representing the
+// client's request for the GetVerifiedAccessEndpointPolicy operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See GetVerifiedAccessEndpointPolicy for more information on using the GetVerifiedAccessEndpointPolicy
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//	// Example sending a request using the GetVerifiedAccessEndpointPolicyRequest method.
+//	req, resp := client.GetVerifiedAccessEndpointPolicyRequest(params)
+//
+//	err := req.Send()
+//	if err == nil { // resp is now filled
+//	    fmt.Println(resp)
+//	}
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/GetVerifiedAccessEndpointPolicy
+func (c *EC2) GetVerifiedAccessEndpointPolicyRequest(input *GetVerifiedAccessEndpointPolicyInput) (req *request.Request, output *GetVerifiedAccessEndpointPolicyOutput) {
+	op := &request.Operation{
+		Name:       opGetVerifiedAccessEndpointPolicy,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+	}
+
+	if input == nil {
+		input = &GetVerifiedAccessEndpointPolicyInput{}
+	}
+
+	output = &GetVerifiedAccessEndpointPolicyOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// GetVerifiedAccessEndpointPolicy API operation for Amazon Elastic Compute Cloud.
+//
+// Get the Verified Access policy associated with the endpoint.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon Elastic Compute Cloud's
+// API operation GetVerifiedAccessEndpointPolicy for usage and error information.
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/GetVerifiedAccessEndpointPolicy
+func (c *EC2) GetVerifiedAccessEndpointPolicy(input *GetVerifiedAccessEndpointPolicyInput) (*GetVerifiedAccessEndpointPolicyOutput, error) {
+	req, out := c.GetVerifiedAccessEndpointPolicyRequest(input)
+	return out, req.Send()
+}
+
+// GetVerifiedAccessEndpointPolicyWithContext is the same as GetVerifiedAccessEndpointPolicy with the addition of
+// the ability to pass a context and additional request options.
+//
+// See GetVerifiedAccessEndpointPolicy for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) GetVerifiedAccessEndpointPolicyWithContext(ctx aws.Context, input *GetVerifiedAccessEndpointPolicyInput, opts ...request.Option) (*GetVerifiedAccessEndpointPolicyOutput, error) {
+	req, out := c.GetVerifiedAccessEndpointPolicyRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
+const opGetVerifiedAccessGroupPolicy = "GetVerifiedAccessGroupPolicy"
+
+// GetVerifiedAccessGroupPolicyRequest generates a "aws/request.Request" representing the
+// client's request for the GetVerifiedAccessGroupPolicy operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See GetVerifiedAccessGroupPolicy for more information on using the GetVerifiedAccessGroupPolicy
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//	// Example sending a request using the GetVerifiedAccessGroupPolicyRequest method.
+//	req, resp := client.GetVerifiedAccessGroupPolicyRequest(params)
+//
+//	err := req.Send()
+//	if err == nil { // resp is now filled
+//	    fmt.Println(resp)
+//	}
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/GetVerifiedAccessGroupPolicy
+func (c *EC2) GetVerifiedAccessGroupPolicyRequest(input *GetVerifiedAccessGroupPolicyInput) (req *request.Request, output *GetVerifiedAccessGroupPolicyOutput) {
+	op := &request.Operation{
+		Name:       opGetVerifiedAccessGroupPolicy,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+	}
+
+	if input == nil {
+		input = &GetVerifiedAccessGroupPolicyInput{}
+	}
+
+	output = &GetVerifiedAccessGroupPolicyOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// GetVerifiedAccessGroupPolicy API operation for Amazon Elastic Compute Cloud.
+//
+// Shows the contents of the Verified Access policy associated with the group.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon Elastic Compute Cloud's
+// API operation GetVerifiedAccessGroupPolicy for usage and error information.
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/GetVerifiedAccessGroupPolicy
+func (c *EC2) GetVerifiedAccessGroupPolicy(input *GetVerifiedAccessGroupPolicyInput) (*GetVerifiedAccessGroupPolicyOutput, error) {
+	req, out := c.GetVerifiedAccessGroupPolicyRequest(input)
+	return out, req.Send()
+}
+
+// GetVerifiedAccessGroupPolicyWithContext is the same as GetVerifiedAccessGroupPolicy with the addition of
+// the ability to pass a context and additional request options.
+//
+// See GetVerifiedAccessGroupPolicy for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) GetVerifiedAccessGroupPolicyWithContext(ctx aws.Context, input *GetVerifiedAccessGroupPolicyInput, opts ...request.Option) (*GetVerifiedAccessGroupPolicyOutput, error) {
+	req, out := c.GetVerifiedAccessGroupPolicyRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
 const opGetVpnConnectionDeviceSampleConfiguration = "GetVpnConnectionDeviceSampleConfiguration"
 
 // GetVpnConnectionDeviceSampleConfigurationRequest generates a "aws/request.Request" representing the
@@ -40055,7 +42138,7 @@ func (c *EC2) ListImagesInRecycleBinRequest(input *ListImagesInRecycleBinInput)
 //
 // Lists one or more AMIs that are currently in the Recycle Bin. For more information,
 // see Recycle Bin (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/recycle-bin.html)
-// in the Amazon Elastic Compute Cloud User Guide.
+// in the Amazon EC2 User Guide.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
 // with awserr.Error's Code and Message methods to get detailed information about
@@ -43642,6 +45725,519 @@ func (c *EC2) ModifyTransitGatewayVpcAttachmentWithContext(ctx aws.Context, inpu
 	return out, req.Send()
 }
 
+const opModifyVerifiedAccessEndpoint = "ModifyVerifiedAccessEndpoint"
+
+// ModifyVerifiedAccessEndpointRequest generates a "aws/request.Request" representing the
+// client's request for the ModifyVerifiedAccessEndpoint operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See ModifyVerifiedAccessEndpoint for more information on using the ModifyVerifiedAccessEndpoint
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//	// Example sending a request using the ModifyVerifiedAccessEndpointRequest method.
+//	req, resp := client.ModifyVerifiedAccessEndpointRequest(params)
+//
+//	err := req.Send()
+//	if err == nil { // resp is now filled
+//	    fmt.Println(resp)
+//	}
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/ModifyVerifiedAccessEndpoint
+func (c *EC2) ModifyVerifiedAccessEndpointRequest(input *ModifyVerifiedAccessEndpointInput) (req *request.Request, output *ModifyVerifiedAccessEndpointOutput) {
+	op := &request.Operation{
+		Name:       opModifyVerifiedAccessEndpoint,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+	}
+
+	if input == nil {
+		input = &ModifyVerifiedAccessEndpointInput{}
+	}
+
+	output = &ModifyVerifiedAccessEndpointOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// ModifyVerifiedAccessEndpoint API operation for Amazon Elastic Compute Cloud.
+//
+// Modifies the configuration of an Amazon Web Services Verified Access endpoint.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon Elastic Compute Cloud's
+// API operation ModifyVerifiedAccessEndpoint for usage and error information.
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/ModifyVerifiedAccessEndpoint
+func (c *EC2) ModifyVerifiedAccessEndpoint(input *ModifyVerifiedAccessEndpointInput) (*ModifyVerifiedAccessEndpointOutput, error) {
+	req, out := c.ModifyVerifiedAccessEndpointRequest(input)
+	return out, req.Send()
+}
+
+// ModifyVerifiedAccessEndpointWithContext is the same as ModifyVerifiedAccessEndpoint with the addition of
+// the ability to pass a context and additional request options.
+//
+// See ModifyVerifiedAccessEndpoint for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) ModifyVerifiedAccessEndpointWithContext(ctx aws.Context, input *ModifyVerifiedAccessEndpointInput, opts ...request.Option) (*ModifyVerifiedAccessEndpointOutput, error) {
+	req, out := c.ModifyVerifiedAccessEndpointRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
+const opModifyVerifiedAccessEndpointPolicy = "ModifyVerifiedAccessEndpointPolicy"
+
+// ModifyVerifiedAccessEndpointPolicyRequest generates a "aws/request.Request" representing the
+// client's request for the ModifyVerifiedAccessEndpointPolicy operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See ModifyVerifiedAccessEndpointPolicy for more information on using the ModifyVerifiedAccessEndpointPolicy
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//	// Example sending a request using the ModifyVerifiedAccessEndpointPolicyRequest method.
+//	req, resp := client.ModifyVerifiedAccessEndpointPolicyRequest(params)
+//
+//	err := req.Send()
+//	if err == nil { // resp is now filled
+//	    fmt.Println(resp)
+//	}
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/ModifyVerifiedAccessEndpointPolicy
+func (c *EC2) ModifyVerifiedAccessEndpointPolicyRequest(input *ModifyVerifiedAccessEndpointPolicyInput) (req *request.Request, output *ModifyVerifiedAccessEndpointPolicyOutput) {
+	op := &request.Operation{
+		Name:       opModifyVerifiedAccessEndpointPolicy,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+	}
+
+	if input == nil {
+		input = &ModifyVerifiedAccessEndpointPolicyInput{}
+	}
+
+	output = &ModifyVerifiedAccessEndpointPolicyOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// ModifyVerifiedAccessEndpointPolicy API operation for Amazon Elastic Compute Cloud.
+//
+// Modifies the specified Verified Access endpoint policy.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon Elastic Compute Cloud's
+// API operation ModifyVerifiedAccessEndpointPolicy for usage and error information.
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/ModifyVerifiedAccessEndpointPolicy
+func (c *EC2) ModifyVerifiedAccessEndpointPolicy(input *ModifyVerifiedAccessEndpointPolicyInput) (*ModifyVerifiedAccessEndpointPolicyOutput, error) {
+	req, out := c.ModifyVerifiedAccessEndpointPolicyRequest(input)
+	return out, req.Send()
+}
+
+// ModifyVerifiedAccessEndpointPolicyWithContext is the same as ModifyVerifiedAccessEndpointPolicy with the addition of
+// the ability to pass a context and additional request options.
+//
+// See ModifyVerifiedAccessEndpointPolicy for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) ModifyVerifiedAccessEndpointPolicyWithContext(ctx aws.Context, input *ModifyVerifiedAccessEndpointPolicyInput, opts ...request.Option) (*ModifyVerifiedAccessEndpointPolicyOutput, error) {
+	req, out := c.ModifyVerifiedAccessEndpointPolicyRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
+const opModifyVerifiedAccessGroup = "ModifyVerifiedAccessGroup"
+
+// ModifyVerifiedAccessGroupRequest generates a "aws/request.Request" representing the
+// client's request for the ModifyVerifiedAccessGroup operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See ModifyVerifiedAccessGroup for more information on using the ModifyVerifiedAccessGroup
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//	// Example sending a request using the ModifyVerifiedAccessGroupRequest method.
+//	req, resp := client.ModifyVerifiedAccessGroupRequest(params)
+//
+//	err := req.Send()
+//	if err == nil { // resp is now filled
+//	    fmt.Println(resp)
+//	}
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/ModifyVerifiedAccessGroup
+func (c *EC2) ModifyVerifiedAccessGroupRequest(input *ModifyVerifiedAccessGroupInput) (req *request.Request, output *ModifyVerifiedAccessGroupOutput) {
+	op := &request.Operation{
+		Name:       opModifyVerifiedAccessGroup,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+	}
+
+	if input == nil {
+		input = &ModifyVerifiedAccessGroupInput{}
+	}
+
+	output = &ModifyVerifiedAccessGroupOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// ModifyVerifiedAccessGroup API operation for Amazon Elastic Compute Cloud.
+//
+// Modifies the specified Verified Access group configuration.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon Elastic Compute Cloud's
+// API operation ModifyVerifiedAccessGroup for usage and error information.
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/ModifyVerifiedAccessGroup
+func (c *EC2) ModifyVerifiedAccessGroup(input *ModifyVerifiedAccessGroupInput) (*ModifyVerifiedAccessGroupOutput, error) {
+	req, out := c.ModifyVerifiedAccessGroupRequest(input)
+	return out, req.Send()
+}
+
+// ModifyVerifiedAccessGroupWithContext is the same as ModifyVerifiedAccessGroup with the addition of
+// the ability to pass a context and additional request options.
+//
+// See ModifyVerifiedAccessGroup for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) ModifyVerifiedAccessGroupWithContext(ctx aws.Context, input *ModifyVerifiedAccessGroupInput, opts ...request.Option) (*ModifyVerifiedAccessGroupOutput, error) {
+	req, out := c.ModifyVerifiedAccessGroupRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
+const opModifyVerifiedAccessGroupPolicy = "ModifyVerifiedAccessGroupPolicy"
+
+// ModifyVerifiedAccessGroupPolicyRequest generates a "aws/request.Request" representing the
+// client's request for the ModifyVerifiedAccessGroupPolicy operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See ModifyVerifiedAccessGroupPolicy for more information on using the ModifyVerifiedAccessGroupPolicy
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//	// Example sending a request using the ModifyVerifiedAccessGroupPolicyRequest method.
+//	req, resp := client.ModifyVerifiedAccessGroupPolicyRequest(params)
+//
+//	err := req.Send()
+//	if err == nil { // resp is now filled
+//	    fmt.Println(resp)
+//	}
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/ModifyVerifiedAccessGroupPolicy
+func (c *EC2) ModifyVerifiedAccessGroupPolicyRequest(input *ModifyVerifiedAccessGroupPolicyInput) (req *request.Request, output *ModifyVerifiedAccessGroupPolicyOutput) {
+	op := &request.Operation{
+		Name:       opModifyVerifiedAccessGroupPolicy,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+	}
+
+	if input == nil {
+		input = &ModifyVerifiedAccessGroupPolicyInput{}
+	}
+
+	output = &ModifyVerifiedAccessGroupPolicyOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// ModifyVerifiedAccessGroupPolicy API operation for Amazon Elastic Compute Cloud.
+//
+// Modifies the specified Verified Access group policy.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon Elastic Compute Cloud's
+// API operation ModifyVerifiedAccessGroupPolicy for usage and error information.
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/ModifyVerifiedAccessGroupPolicy
+func (c *EC2) ModifyVerifiedAccessGroupPolicy(input *ModifyVerifiedAccessGroupPolicyInput) (*ModifyVerifiedAccessGroupPolicyOutput, error) {
+	req, out := c.ModifyVerifiedAccessGroupPolicyRequest(input)
+	return out, req.Send()
+}
+
+// ModifyVerifiedAccessGroupPolicyWithContext is the same as ModifyVerifiedAccessGroupPolicy with the addition of
+// the ability to pass a context and additional request options.
+//
+// See ModifyVerifiedAccessGroupPolicy for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) ModifyVerifiedAccessGroupPolicyWithContext(ctx aws.Context, input *ModifyVerifiedAccessGroupPolicyInput, opts ...request.Option) (*ModifyVerifiedAccessGroupPolicyOutput, error) {
+	req, out := c.ModifyVerifiedAccessGroupPolicyRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
+const opModifyVerifiedAccessInstance = "ModifyVerifiedAccessInstance"
+
+// ModifyVerifiedAccessInstanceRequest generates a "aws/request.Request" representing the
+// client's request for the ModifyVerifiedAccessInstance operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See ModifyVerifiedAccessInstance for more information on using the ModifyVerifiedAccessInstance
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//	// Example sending a request using the ModifyVerifiedAccessInstanceRequest method.
+//	req, resp := client.ModifyVerifiedAccessInstanceRequest(params)
+//
+//	err := req.Send()
+//	if err == nil { // resp is now filled
+//	    fmt.Println(resp)
+//	}
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/ModifyVerifiedAccessInstance
+func (c *EC2) ModifyVerifiedAccessInstanceRequest(input *ModifyVerifiedAccessInstanceInput) (req *request.Request, output *ModifyVerifiedAccessInstanceOutput) {
+	op := &request.Operation{
+		Name:       opModifyVerifiedAccessInstance,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+	}
+
+	if input == nil {
+		input = &ModifyVerifiedAccessInstanceInput{}
+	}
+
+	output = &ModifyVerifiedAccessInstanceOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// ModifyVerifiedAccessInstance API operation for Amazon Elastic Compute Cloud.
+//
+// Modifies the configuration of the specified Verified Access instance.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon Elastic Compute Cloud's
+// API operation ModifyVerifiedAccessInstance for usage and error information.
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/ModifyVerifiedAccessInstance
+func (c *EC2) ModifyVerifiedAccessInstance(input *ModifyVerifiedAccessInstanceInput) (*ModifyVerifiedAccessInstanceOutput, error) {
+	req, out := c.ModifyVerifiedAccessInstanceRequest(input)
+	return out, req.Send()
+}
+
+// ModifyVerifiedAccessInstanceWithContext is the same as ModifyVerifiedAccessInstance with the addition of
+// the ability to pass a context and additional request options.
+//
+// See ModifyVerifiedAccessInstance for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) ModifyVerifiedAccessInstanceWithContext(ctx aws.Context, input *ModifyVerifiedAccessInstanceInput, opts ...request.Option) (*ModifyVerifiedAccessInstanceOutput, error) {
+	req, out := c.ModifyVerifiedAccessInstanceRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
+const opModifyVerifiedAccessInstanceLoggingConfiguration = "ModifyVerifiedAccessInstanceLoggingConfiguration"
+
+// ModifyVerifiedAccessInstanceLoggingConfigurationRequest generates a "aws/request.Request" representing the
+// client's request for the ModifyVerifiedAccessInstanceLoggingConfiguration operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See ModifyVerifiedAccessInstanceLoggingConfiguration for more information on using the ModifyVerifiedAccessInstanceLoggingConfiguration
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//	// Example sending a request using the ModifyVerifiedAccessInstanceLoggingConfigurationRequest method.
+//	req, resp := client.ModifyVerifiedAccessInstanceLoggingConfigurationRequest(params)
+//
+//	err := req.Send()
+//	if err == nil { // resp is now filled
+//	    fmt.Println(resp)
+//	}
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/ModifyVerifiedAccessInstanceLoggingConfiguration
+func (c *EC2) ModifyVerifiedAccessInstanceLoggingConfigurationRequest(input *ModifyVerifiedAccessInstanceLoggingConfigurationInput) (req *request.Request, output *ModifyVerifiedAccessInstanceLoggingConfigurationOutput) {
+	op := &request.Operation{
+		Name:       opModifyVerifiedAccessInstanceLoggingConfiguration,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+	}
+
+	if input == nil {
+		input = &ModifyVerifiedAccessInstanceLoggingConfigurationInput{}
+	}
+
+	output = &ModifyVerifiedAccessInstanceLoggingConfigurationOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// ModifyVerifiedAccessInstanceLoggingConfiguration API operation for Amazon Elastic Compute Cloud.
+//
+// Modifies the logging configuration for the specified Amazon Web Services
+// Verified Access instance.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon Elastic Compute Cloud's
+// API operation ModifyVerifiedAccessInstanceLoggingConfiguration for usage and error information.
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/ModifyVerifiedAccessInstanceLoggingConfiguration
+func (c *EC2) ModifyVerifiedAccessInstanceLoggingConfiguration(input *ModifyVerifiedAccessInstanceLoggingConfigurationInput) (*ModifyVerifiedAccessInstanceLoggingConfigurationOutput, error) {
+	req, out := c.ModifyVerifiedAccessInstanceLoggingConfigurationRequest(input)
+	return out, req.Send()
+}
+
+// ModifyVerifiedAccessInstanceLoggingConfigurationWithContext is the same as ModifyVerifiedAccessInstanceLoggingConfiguration with the addition of
+// the ability to pass a context and additional request options.
+//
+// See ModifyVerifiedAccessInstanceLoggingConfiguration for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) ModifyVerifiedAccessInstanceLoggingConfigurationWithContext(ctx aws.Context, input *ModifyVerifiedAccessInstanceLoggingConfigurationInput, opts ...request.Option) (*ModifyVerifiedAccessInstanceLoggingConfigurationOutput, error) {
+	req, out := c.ModifyVerifiedAccessInstanceLoggingConfigurationRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
+const opModifyVerifiedAccessTrustProvider = "ModifyVerifiedAccessTrustProvider"
+
+// ModifyVerifiedAccessTrustProviderRequest generates a "aws/request.Request" representing the
+// client's request for the ModifyVerifiedAccessTrustProvider operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See ModifyVerifiedAccessTrustProvider for more information on using the ModifyVerifiedAccessTrustProvider
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//	// Example sending a request using the ModifyVerifiedAccessTrustProviderRequest method.
+//	req, resp := client.ModifyVerifiedAccessTrustProviderRequest(params)
+//
+//	err := req.Send()
+//	if err == nil { // resp is now filled
+//	    fmt.Println(resp)
+//	}
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/ModifyVerifiedAccessTrustProvider
+func (c *EC2) ModifyVerifiedAccessTrustProviderRequest(input *ModifyVerifiedAccessTrustProviderInput) (req *request.Request, output *ModifyVerifiedAccessTrustProviderOutput) {
+	op := &request.Operation{
+		Name:       opModifyVerifiedAccessTrustProvider,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+	}
+
+	if input == nil {
+		input = &ModifyVerifiedAccessTrustProviderInput{}
+	}
+
+	output = &ModifyVerifiedAccessTrustProviderOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// ModifyVerifiedAccessTrustProvider API operation for Amazon Elastic Compute Cloud.
+//
+// Modifies the configuration of the specified Amazon Web Services Verified
+// Access trust provider.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for Amazon Elastic Compute Cloud's
+// API operation ModifyVerifiedAccessTrustProvider for usage and error information.
+// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/ModifyVerifiedAccessTrustProvider
+func (c *EC2) ModifyVerifiedAccessTrustProvider(input *ModifyVerifiedAccessTrustProviderInput) (*ModifyVerifiedAccessTrustProviderOutput, error) {
+	req, out := c.ModifyVerifiedAccessTrustProviderRequest(input)
+	return out, req.Send()
+}
+
+// ModifyVerifiedAccessTrustProviderWithContext is the same as ModifyVerifiedAccessTrustProvider with the addition of
+// the ability to pass a context and additional request options.
+//
+// See ModifyVerifiedAccessTrustProvider for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) ModifyVerifiedAccessTrustProviderWithContext(ctx aws.Context, input *ModifyVerifiedAccessTrustProviderInput, opts ...request.Option) (*ModifyVerifiedAccessTrustProviderOutput, error) {
+	req, out := c.ModifyVerifiedAccessTrustProviderRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
 const opModifyVolume = "ModifyVolume"
 
 // ModifyVolumeRequest generates a "aws/request.Request" representing the
@@ -45717,7 +48313,7 @@ func (c *EC2) RegisterImageRequest(input *RegisterImageInput) (req *request.Requ
 // Instance will not be applied to the On-Demand Instance. For information about
 // how to obtain the platform details and billing information of an AMI, see
 // Understand AMI billing information (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-billing-info.html)
-// in the Amazon Elastic Compute Cloud User Guide.
+// in the Amazon EC2 User Guide.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
 // with awserr.Error's Code and Message methods to get detailed information about
@@ -48015,7 +50611,7 @@ func (c *EC2) RestoreImageFromRecycleBinRequest(input *RestoreImageFromRecycleBi
 //
 // Restores an AMI from the Recycle Bin. For more information, see Recycle Bin
 // (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/recycle-bin.html) in
-// the Amazon Elastic Compute Cloud User Guide.
+// the Amazon EC2 User Guide.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
 // with awserr.Error's Code and Message methods to get detailed information about
@@ -50721,7 +53317,7 @@ func (s *AcceptTransitGatewayMulticastDomainAssociationsInput) SetTransitGateway
 type AcceptTransitGatewayMulticastDomainAssociationsOutput struct {
 	_ struct{} `type:"structure"`
 
-	// Describes the multicast domain associations.
+	// Information about the multicast domain associations.
 	Associations *TransitGatewayMulticastDomainAssociations `locationName:"associations" type:"structure"`
 }
 
@@ -55561,6 +58157,10 @@ type AttachNetworkInterfaceInput struct {
 	// it is UnauthorizedOperation.
 	DryRun *bool `locationName:"dryRun" type:"boolean"`
 
+	// Configures ENA Express for the network interface that this action attaches
+	// to the instance.
+	EnaSrdSpecification *EnaSrdSpecification `type:"structure"`
+
 	// The ID of the instance.
 	//
 	// InstanceId is a required field
@@ -55626,6 +58226,12 @@ func (s *AttachNetworkInterfaceInput) SetDryRun(v bool) *AttachNetworkInterfaceI
 	return s
 }
 
+// SetEnaSrdSpecification sets the EnaSrdSpecification field's value.
+func (s *AttachNetworkInterfaceInput) SetEnaSrdSpecification(v *EnaSrdSpecification) *AttachNetworkInterfaceInput {
+	s.EnaSrdSpecification = v
+	return s
+}
+
 // SetInstanceId sets the InstanceId field's value.
 func (s *AttachNetworkInterfaceInput) SetInstanceId(v string) *AttachNetworkInterfaceInput {
 	s.InstanceId = &v
@@ -55685,6 +58291,129 @@ func (s *AttachNetworkInterfaceOutput) SetNetworkCardIndex(v int64) *AttachNetwo
 	return s
 }
 
+type AttachVerifiedAccessTrustProviderInput struct {
+	_ struct{} `type:"structure"`
+
+	// A unique, case-sensitive token that you provide to ensure idempotency of
+	// your modification request. For more information, see Ensuring Idempotency
+	// (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html).
+	ClientToken *string `type:"string" idempotencyToken:"true"`
+
+	// Checks whether you have the required permissions for the action, without
+	// actually making the request, and provides an error response. If you have
+	// the required permissions, the error response is DryRunOperation. Otherwise,
+	// it is UnauthorizedOperation.
+	DryRun *bool `type:"boolean"`
+
+	// The ID of the Amazon Web Services Verified Access instance.
+	//
+	// VerifiedAccessInstanceId is a required field
+	VerifiedAccessInstanceId *string `type:"string" required:"true"`
+
+	// The ID of the Amazon Web Services Verified Access trust provider.
+	//
+	// VerifiedAccessTrustProviderId is a required field
+	VerifiedAccessTrustProviderId *string `type:"string" required:"true"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s AttachVerifiedAccessTrustProviderInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s AttachVerifiedAccessTrustProviderInput) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *AttachVerifiedAccessTrustProviderInput) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "AttachVerifiedAccessTrustProviderInput"}
+	if s.VerifiedAccessInstanceId == nil {
+		invalidParams.Add(request.NewErrParamRequired("VerifiedAccessInstanceId"))
+	}
+	if s.VerifiedAccessTrustProviderId == nil {
+		invalidParams.Add(request.NewErrParamRequired("VerifiedAccessTrustProviderId"))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetClientToken sets the ClientToken field's value.
+func (s *AttachVerifiedAccessTrustProviderInput) SetClientToken(v string) *AttachVerifiedAccessTrustProviderInput {
+	s.ClientToken = &v
+	return s
+}
+
+// SetDryRun sets the DryRun field's value.
+func (s *AttachVerifiedAccessTrustProviderInput) SetDryRun(v bool) *AttachVerifiedAccessTrustProviderInput {
+	s.DryRun = &v
+	return s
+}
+
+// SetVerifiedAccessInstanceId sets the VerifiedAccessInstanceId field's value.
+func (s *AttachVerifiedAccessTrustProviderInput) SetVerifiedAccessInstanceId(v string) *AttachVerifiedAccessTrustProviderInput {
+	s.VerifiedAccessInstanceId = &v
+	return s
+}
+
+// SetVerifiedAccessTrustProviderId sets the VerifiedAccessTrustProviderId field's value.
+func (s *AttachVerifiedAccessTrustProviderInput) SetVerifiedAccessTrustProviderId(v string) *AttachVerifiedAccessTrustProviderInput {
+	s.VerifiedAccessTrustProviderId = &v
+	return s
+}
+
+type AttachVerifiedAccessTrustProviderOutput struct {
+	_ struct{} `type:"structure"`
+
+	// The ID of the Amazon Web Services Verified Access instance.
+	VerifiedAccessInstance *VerifiedAccessInstance `locationName:"verifiedAccessInstance" type:"structure"`
+
+	// The ID of the Amazon Web Services Verified Access trust provider.
+	VerifiedAccessTrustProvider *VerifiedAccessTrustProvider `locationName:"verifiedAccessTrustProvider" type:"structure"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s AttachVerifiedAccessTrustProviderOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s AttachVerifiedAccessTrustProviderOutput) GoString() string {
+	return s.String()
+}
+
+// SetVerifiedAccessInstance sets the VerifiedAccessInstance field's value.
+func (s *AttachVerifiedAccessTrustProviderOutput) SetVerifiedAccessInstance(v *VerifiedAccessInstance) *AttachVerifiedAccessTrustProviderOutput {
+	s.VerifiedAccessInstance = v
+	return s
+}
+
+// SetVerifiedAccessTrustProvider sets the VerifiedAccessTrustProvider field's value.
+func (s *AttachVerifiedAccessTrustProviderOutput) SetVerifiedAccessTrustProvider(v *VerifiedAccessTrustProvider) *AttachVerifiedAccessTrustProviderOutput {
+	s.VerifiedAccessTrustProvider = v
+	return s
+}
+
 type AttachVolumeInput struct {
 	_ struct{} `type:"structure"`
 
@@ -55877,6 +58606,83 @@ func (s *AttachVpnGatewayOutput) SetVpcAttachment(v *VpcAttachment) *AttachVpnGa
 	return s
 }
 
+// Describes the ENA Express configuration for the network interface that's
+// attached to the instance.
+type AttachmentEnaSrdSpecification struct {
+	_ struct{} `type:"structure"`
+
+	// Indicates whether ENA Express is enabled for the network interface that's
+	// attached to the instance.
+	EnaSrdEnabled *bool `locationName:"enaSrdEnabled" type:"boolean"`
+
+	// ENA Express configuration for UDP network traffic.
+	EnaSrdUdpSpecification *AttachmentEnaSrdUdpSpecification `locationName:"enaSrdUdpSpecification" type:"structure"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s AttachmentEnaSrdSpecification) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s AttachmentEnaSrdSpecification) GoString() string {
+	return s.String()
+}
+
+// SetEnaSrdEnabled sets the EnaSrdEnabled field's value.
+func (s *AttachmentEnaSrdSpecification) SetEnaSrdEnabled(v bool) *AttachmentEnaSrdSpecification {
+	s.EnaSrdEnabled = &v
+	return s
+}
+
+// SetEnaSrdUdpSpecification sets the EnaSrdUdpSpecification field's value.
+func (s *AttachmentEnaSrdSpecification) SetEnaSrdUdpSpecification(v *AttachmentEnaSrdUdpSpecification) *AttachmentEnaSrdSpecification {
+	s.EnaSrdUdpSpecification = v
+	return s
+}
+
+// Describes the ENA Express configuration for UDP traffic on the network interface
+// that's attached to the instance.
+type AttachmentEnaSrdUdpSpecification struct {
+	_ struct{} `type:"structure"`
+
+	// Indicates whether UDP traffic to and from the instance uses ENA Express.
+	// To specify this setting, you must first enable ENA Express.
+	EnaSrdUdpEnabled *bool `locationName:"enaSrdUdpEnabled" type:"boolean"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s AttachmentEnaSrdUdpSpecification) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s AttachmentEnaSrdUdpSpecification) GoString() string {
+	return s.String()
+}
+
+// SetEnaSrdUdpEnabled sets the EnaSrdUdpEnabled field's value.
+func (s *AttachmentEnaSrdUdpSpecification) SetEnaSrdUdpEnabled(v bool) *AttachmentEnaSrdUdpSpecification {
+	s.EnaSrdUdpEnabled = &v
+	return s
+}
+
 // Describes a value for a resource attribute that is a Boolean value.
 type AttributeBooleanValue struct {
 	_ struct{} `type:"structure"`
@@ -61667,7 +64473,7 @@ type CopyImageInput struct {
 	//
 	// For more information, see Copy AMIs from an Amazon Web Services Region to
 	// an Outpost (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshots-outposts.html#copy-amis)
-	// in the Amazon Elastic Compute Cloud User Guide.
+	// in the Amazon EC2 User Guide.
 	DestinationOutpostArn *string `type:"string"`
 
 	// Checks whether you have the required permissions for the action, without
@@ -61682,7 +64488,7 @@ type CopyImageInput struct {
 	// for Amazon EBS is used unless you specify a non-default Key Management Service
 	// (KMS) KMS key using KmsKeyId. For more information, see Amazon EBS encryption
 	// (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html)
-	// in the Amazon Elastic Compute Cloud User Guide.
+	// in the Amazon EC2 User Guide.
 	Encrypted *bool `locationName:"encrypted" type:"boolean"`
 
 	// The identifier of the symmetric Key Management Service (KMS) KMS key to use
@@ -63469,7 +66275,7 @@ func (s *CreateCoipPoolInput) SetTagSpecifications(v []*TagSpecification) *Creat
 type CreateCoipPoolOutput struct {
 	_ struct{} `type:"structure"`
 
-	// Describes a customer-owned address pool.
+	// Information about the CoIP address pool.
 	CoipPool *CoipPool `locationName:"coipPool" type:"structure"`
 }
 
@@ -66525,7 +69331,7 @@ func (s *CreateLocalGatewayRouteTableInput) SetTagSpecifications(v []*TagSpecifi
 type CreateLocalGatewayRouteTableOutput struct {
 	_ struct{} `type:"structure"`
 
-	// Describes a local gateway route table.
+	// Information about the local gateway route table.
 	LocalGatewayRouteTable *LocalGatewayRouteTable `locationName:"localGatewayRouteTable" type:"structure"`
 }
 
@@ -66638,8 +69444,7 @@ func (s *CreateLocalGatewayRouteTableVirtualInterfaceGroupAssociationInput) SetT
 type CreateLocalGatewayRouteTableVirtualInterfaceGroupAssociationOutput struct {
 	_ struct{} `type:"structure"`
 
-	// Describes an association between a local gateway route table and a virtual
-	// interface group.
+	// Information about the local gateway route table virtual interface group association.
 	LocalGatewayRouteTableVirtualInterfaceGroupAssociation *LocalGatewayRouteTableVirtualInterfaceGroupAssociation `locationName:"localGatewayRouteTableVirtualInterfaceGroupAssociation" type:"structure"`
 }
 
@@ -72138,6 +74943,891 @@ func (s *CreateTransitGatewayVpcAttachmentRequestOptions) SetIpv6Support(v strin
 	return s
 }
 
+// Options for a network interface-type endpoint.
+type CreateVerifiedAccessEndpointEniOptions struct {
+	_ struct{} `type:"structure"`
+
+	// The ID of the network interface.
+	NetworkInterfaceId *string `type:"string"`
+
+	// The IP port number.
+	Port *int64 `min:"1" type:"integer"`
+
+	// The IP protocol.
+	Protocol *string `type:"string" enum:"VerifiedAccessEndpointProtocol"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s CreateVerifiedAccessEndpointEniOptions) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s CreateVerifiedAccessEndpointEniOptions) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *CreateVerifiedAccessEndpointEniOptions) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "CreateVerifiedAccessEndpointEniOptions"}
+	if s.Port != nil && *s.Port < 1 {
+		invalidParams.Add(request.NewErrParamMinValue("Port", 1))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetNetworkInterfaceId sets the NetworkInterfaceId field's value.
+func (s *CreateVerifiedAccessEndpointEniOptions) SetNetworkInterfaceId(v string) *CreateVerifiedAccessEndpointEniOptions {
+	s.NetworkInterfaceId = &v
+	return s
+}
+
+// SetPort sets the Port field's value.
+func (s *CreateVerifiedAccessEndpointEniOptions) SetPort(v int64) *CreateVerifiedAccessEndpointEniOptions {
+	s.Port = &v
+	return s
+}
+
+// SetProtocol sets the Protocol field's value.
+func (s *CreateVerifiedAccessEndpointEniOptions) SetProtocol(v string) *CreateVerifiedAccessEndpointEniOptions {
+	s.Protocol = &v
+	return s
+}
+
+type CreateVerifiedAccessEndpointInput struct {
+	_ struct{} `type:"structure"`
+
+	// The DNS name for users to reach your application.
+	//
+	// ApplicationDomain is a required field
+	ApplicationDomain *string `type:"string" required:"true"`
+
+	// The Amazon Web Services network component Verified Access attaches to.
+	//
+	// AttachmentType is a required field
+	AttachmentType *string `type:"string" required:"true" enum:"VerifiedAccessEndpointAttachmentType"`
+
+	// A unique, case-sensitive token that you provide to ensure idempotency of
+	// your modification request. For more information, see Ensuring Idempotency
+	// (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html).
+	ClientToken *string `type:"string" idempotencyToken:"true"`
+
+	// A description for the Amazon Web Services Verified Access endpoint.
+	Description *string `type:"string"`
+
+	// The ARN of the public TLS/SSL certificate in Amazon Web Services Certificate
+	// Manager to associate with the endpoint. The CN in the certificate must match
+	// the DNS name your end users will use to reach your application.
+	//
+	// DomainCertificateArn is a required field
+	DomainCertificateArn *string `type:"string" required:"true"`
+
+	// Checks whether you have the required permissions for the action, without
+	// actually making the request, and provides an error response. If you have
+	// the required permissions, the error response is DryRunOperation. Otherwise,
+	// it is UnauthorizedOperation.
+	DryRun *bool `type:"boolean"`
+
+	// A custom identifier that gets prepended to a DNS name that is generated for
+	// the endpoint.
+	//
+	// EndpointDomainPrefix is a required field
+	EndpointDomainPrefix *string `type:"string" required:"true"`
+
+	// The type of Amazon Web Services Verified Access endpoint to create.
+	//
+	// EndpointType is a required field
+	EndpointType *string `type:"string" required:"true" enum:"VerifiedAccessEndpointType"`
+
+	// The load balancer details if creating the Amazon Web Services Verified Access
+	// endpoint as load-balancertype.
+	LoadBalancerOptions *CreateVerifiedAccessEndpointLoadBalancerOptions `type:"structure"`
+
+	// The network interface details if creating the Amazon Web Services Verified
+	// Access endpoint as network-interfacetype.
+	NetworkInterfaceOptions *CreateVerifiedAccessEndpointEniOptions `type:"structure"`
+
+	// The Amazon Web Services Verified Access policy document.
+	PolicyDocument *string `type:"string"`
+
+	// The Amazon EC2 security groups to associate with the Amazon Web Services
+	// Verified Access endpoint.
+	SecurityGroupIds []*string `locationName:"SecurityGroupId" locationNameList:"item" type:"list"`
+
+	// The tags to assign to the Amazon Web Services Verified Access endpoint.
+	TagSpecifications []*TagSpecification `locationName:"TagSpecification" locationNameList:"item" type:"list"`
+
+	// The ID of the Verified Access group to associate the endpoint with.
+	//
+	// VerifiedAccessGroupId is a required field
+	VerifiedAccessGroupId *string `type:"string" required:"true"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s CreateVerifiedAccessEndpointInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s CreateVerifiedAccessEndpointInput) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *CreateVerifiedAccessEndpointInput) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "CreateVerifiedAccessEndpointInput"}
+	if s.ApplicationDomain == nil {
+		invalidParams.Add(request.NewErrParamRequired("ApplicationDomain"))
+	}
+	if s.AttachmentType == nil {
+		invalidParams.Add(request.NewErrParamRequired("AttachmentType"))
+	}
+	if s.DomainCertificateArn == nil {
+		invalidParams.Add(request.NewErrParamRequired("DomainCertificateArn"))
+	}
+	if s.EndpointDomainPrefix == nil {
+		invalidParams.Add(request.NewErrParamRequired("EndpointDomainPrefix"))
+	}
+	if s.EndpointType == nil {
+		invalidParams.Add(request.NewErrParamRequired("EndpointType"))
+	}
+	if s.VerifiedAccessGroupId == nil {
+		invalidParams.Add(request.NewErrParamRequired("VerifiedAccessGroupId"))
+	}
+	if s.LoadBalancerOptions != nil {
+		if err := s.LoadBalancerOptions.Validate(); err != nil {
+			invalidParams.AddNested("LoadBalancerOptions", err.(request.ErrInvalidParams))
+		}
+	}
+	if s.NetworkInterfaceOptions != nil {
+		if err := s.NetworkInterfaceOptions.Validate(); err != nil {
+			invalidParams.AddNested("NetworkInterfaceOptions", err.(request.ErrInvalidParams))
+		}
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetApplicationDomain sets the ApplicationDomain field's value.
+func (s *CreateVerifiedAccessEndpointInput) SetApplicationDomain(v string) *CreateVerifiedAccessEndpointInput {
+	s.ApplicationDomain = &v
+	return s
+}
+
+// SetAttachmentType sets the AttachmentType field's value.
+func (s *CreateVerifiedAccessEndpointInput) SetAttachmentType(v string) *CreateVerifiedAccessEndpointInput {
+	s.AttachmentType = &v
+	return s
+}
+
+// SetClientToken sets the ClientToken field's value.
+func (s *CreateVerifiedAccessEndpointInput) SetClientToken(v string) *CreateVerifiedAccessEndpointInput {
+	s.ClientToken = &v
+	return s
+}
+
+// SetDescription sets the Description field's value.
+func (s *CreateVerifiedAccessEndpointInput) SetDescription(v string) *CreateVerifiedAccessEndpointInput {
+	s.Description = &v
+	return s
+}
+
+// SetDomainCertificateArn sets the DomainCertificateArn field's value.
+func (s *CreateVerifiedAccessEndpointInput) SetDomainCertificateArn(v string) *CreateVerifiedAccessEndpointInput {
+	s.DomainCertificateArn = &v
+	return s
+}
+
+// SetDryRun sets the DryRun field's value.
+func (s *CreateVerifiedAccessEndpointInput) SetDryRun(v bool) *CreateVerifiedAccessEndpointInput {
+	s.DryRun = &v
+	return s
+}
+
+// SetEndpointDomainPrefix sets the EndpointDomainPrefix field's value.
+func (s *CreateVerifiedAccessEndpointInput) SetEndpointDomainPrefix(v string) *CreateVerifiedAccessEndpointInput {
+	s.EndpointDomainPrefix = &v
+	return s
+}
+
+// SetEndpointType sets the EndpointType field's value.
+func (s *CreateVerifiedAccessEndpointInput) SetEndpointType(v string) *CreateVerifiedAccessEndpointInput {
+	s.EndpointType = &v
+	return s
+}
+
+// SetLoadBalancerOptions sets the LoadBalancerOptions field's value.
+func (s *CreateVerifiedAccessEndpointInput) SetLoadBalancerOptions(v *CreateVerifiedAccessEndpointLoadBalancerOptions) *CreateVerifiedAccessEndpointInput {
+	s.LoadBalancerOptions = v
+	return s
+}
+
+// SetNetworkInterfaceOptions sets the NetworkInterfaceOptions field's value.
+func (s *CreateVerifiedAccessEndpointInput) SetNetworkInterfaceOptions(v *CreateVerifiedAccessEndpointEniOptions) *CreateVerifiedAccessEndpointInput {
+	s.NetworkInterfaceOptions = v
+	return s
+}
+
+// SetPolicyDocument sets the PolicyDocument field's value.
+func (s *CreateVerifiedAccessEndpointInput) SetPolicyDocument(v string) *CreateVerifiedAccessEndpointInput {
+	s.PolicyDocument = &v
+	return s
+}
+
+// SetSecurityGroupIds sets the SecurityGroupIds field's value.
+func (s *CreateVerifiedAccessEndpointInput) SetSecurityGroupIds(v []*string) *CreateVerifiedAccessEndpointInput {
+	s.SecurityGroupIds = v
+	return s
+}
+
+// SetTagSpecifications sets the TagSpecifications field's value.
+func (s *CreateVerifiedAccessEndpointInput) SetTagSpecifications(v []*TagSpecification) *CreateVerifiedAccessEndpointInput {
+	s.TagSpecifications = v
+	return s
+}
+
+// SetVerifiedAccessGroupId sets the VerifiedAccessGroupId field's value.
+func (s *CreateVerifiedAccessEndpointInput) SetVerifiedAccessGroupId(v string) *CreateVerifiedAccessEndpointInput {
+	s.VerifiedAccessGroupId = &v
+	return s
+}
+
+// Describes a load balancer when creating an Amazon Web Services Verified Access
+// endpoint using the load-balancer type.
+type CreateVerifiedAccessEndpointLoadBalancerOptions struct {
+	_ struct{} `type:"structure"`
+
+	// The ARN of the load balancer.
+	LoadBalancerArn *string `type:"string"`
+
+	// The IP port number.
+	Port *int64 `min:"1" type:"integer"`
+
+	// The IP protocol.
+	Protocol *string `type:"string" enum:"VerifiedAccessEndpointProtocol"`
+
+	// The IDs of the subnets.
+	SubnetIds []*string `locationName:"SubnetId" locationNameList:"item" type:"list"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s CreateVerifiedAccessEndpointLoadBalancerOptions) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s CreateVerifiedAccessEndpointLoadBalancerOptions) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *CreateVerifiedAccessEndpointLoadBalancerOptions) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "CreateVerifiedAccessEndpointLoadBalancerOptions"}
+	if s.Port != nil && *s.Port < 1 {
+		invalidParams.Add(request.NewErrParamMinValue("Port", 1))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetLoadBalancerArn sets the LoadBalancerArn field's value.
+func (s *CreateVerifiedAccessEndpointLoadBalancerOptions) SetLoadBalancerArn(v string) *CreateVerifiedAccessEndpointLoadBalancerOptions {
+	s.LoadBalancerArn = &v
+	return s
+}
+
+// SetPort sets the Port field's value.
+func (s *CreateVerifiedAccessEndpointLoadBalancerOptions) SetPort(v int64) *CreateVerifiedAccessEndpointLoadBalancerOptions {
+	s.Port = &v
+	return s
+}
+
+// SetProtocol sets the Protocol field's value.
+func (s *CreateVerifiedAccessEndpointLoadBalancerOptions) SetProtocol(v string) *CreateVerifiedAccessEndpointLoadBalancerOptions {
+	s.Protocol = &v
+	return s
+}
+
+// SetSubnetIds sets the SubnetIds field's value.
+func (s *CreateVerifiedAccessEndpointLoadBalancerOptions) SetSubnetIds(v []*string) *CreateVerifiedAccessEndpointLoadBalancerOptions {
+	s.SubnetIds = v
+	return s
+}
+
+type CreateVerifiedAccessEndpointOutput struct {
+	_ struct{} `type:"structure"`
+
+	// The ID of the Amazon Web Services Verified Access endpoint.
+	VerifiedAccessEndpoint *VerifiedAccessEndpoint `locationName:"verifiedAccessEndpoint" type:"structure"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s CreateVerifiedAccessEndpointOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s CreateVerifiedAccessEndpointOutput) GoString() string {
+	return s.String()
+}
+
+// SetVerifiedAccessEndpoint sets the VerifiedAccessEndpoint field's value.
+func (s *CreateVerifiedAccessEndpointOutput) SetVerifiedAccessEndpoint(v *VerifiedAccessEndpoint) *CreateVerifiedAccessEndpointOutput {
+	s.VerifiedAccessEndpoint = v
+	return s
+}
+
+type CreateVerifiedAccessGroupInput struct {
+	_ struct{} `type:"structure"`
+
+	// A unique, case-sensitive token that you provide to ensure idempotency of
+	// your modification request. For more information, see Ensuring Idempotency
+	// (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html).
+	ClientToken *string `type:"string" idempotencyToken:"true"`
+
+	// A description for the Amazon Web Services Verified Access group.
+	Description *string `type:"string"`
+
+	// Checks whether you have the required permissions for the action, without
+	// actually making the request, and provides an error response. If you have
+	// the required permissions, the error response is DryRunOperation. Otherwise,
+	// it is UnauthorizedOperation.
+	DryRun *bool `type:"boolean"`
+
+	// The Amazon Web Services Verified Access policy document.
+	PolicyDocument *string `type:"string"`
+
+	// The tags to assign to the Amazon Web Services Verified Access group.
+	TagSpecifications []*TagSpecification `locationName:"TagSpecification" locationNameList:"item" type:"list"`
+
+	// The ID of the Amazon Web Services Verified Access instance.
+	//
+	// VerifiedAccessInstanceId is a required field
+	VerifiedAccessInstanceId *string `type:"string" required:"true"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s CreateVerifiedAccessGroupInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s CreateVerifiedAccessGroupInput) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *CreateVerifiedAccessGroupInput) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "CreateVerifiedAccessGroupInput"}
+	if s.VerifiedAccessInstanceId == nil {
+		invalidParams.Add(request.NewErrParamRequired("VerifiedAccessInstanceId"))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetClientToken sets the ClientToken field's value.
+func (s *CreateVerifiedAccessGroupInput) SetClientToken(v string) *CreateVerifiedAccessGroupInput {
+	s.ClientToken = &v
+	return s
+}
+
+// SetDescription sets the Description field's value.
+func (s *CreateVerifiedAccessGroupInput) SetDescription(v string) *CreateVerifiedAccessGroupInput {
+	s.Description = &v
+	return s
+}
+
+// SetDryRun sets the DryRun field's value.
+func (s *CreateVerifiedAccessGroupInput) SetDryRun(v bool) *CreateVerifiedAccessGroupInput {
+	s.DryRun = &v
+	return s
+}
+
+// SetPolicyDocument sets the PolicyDocument field's value.
+func (s *CreateVerifiedAccessGroupInput) SetPolicyDocument(v string) *CreateVerifiedAccessGroupInput {
+	s.PolicyDocument = &v
+	return s
+}
+
+// SetTagSpecifications sets the TagSpecifications field's value.
+func (s *CreateVerifiedAccessGroupInput) SetTagSpecifications(v []*TagSpecification) *CreateVerifiedAccessGroupInput {
+	s.TagSpecifications = v
+	return s
+}
+
+// SetVerifiedAccessInstanceId sets the VerifiedAccessInstanceId field's value.
+func (s *CreateVerifiedAccessGroupInput) SetVerifiedAccessInstanceId(v string) *CreateVerifiedAccessGroupInput {
+	s.VerifiedAccessInstanceId = &v
+	return s
+}
+
+type CreateVerifiedAccessGroupOutput struct {
+	_ struct{} `type:"structure"`
+
+	// The ID of the Verified Access group.
+	VerifiedAccessGroup *VerifiedAccessGroup `locationName:"verifiedAccessGroup" type:"structure"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s CreateVerifiedAccessGroupOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s CreateVerifiedAccessGroupOutput) GoString() string {
+	return s.String()
+}
+
+// SetVerifiedAccessGroup sets the VerifiedAccessGroup field's value.
+func (s *CreateVerifiedAccessGroupOutput) SetVerifiedAccessGroup(v *VerifiedAccessGroup) *CreateVerifiedAccessGroupOutput {
+	s.VerifiedAccessGroup = v
+	return s
+}
+
+type CreateVerifiedAccessInstanceInput struct {
+	_ struct{} `type:"structure"`
+
+	// A unique, case-sensitive token that you provide to ensure idempotency of
+	// your modification request. For more information, see Ensuring Idempotency
+	// (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html).
+	ClientToken *string `type:"string" idempotencyToken:"true"`
+
+	// A description for the Amazon Web Services Verified Access instance.
+	Description *string `type:"string"`
+
+	// Checks whether you have the required permissions for the action, without
+	// actually making the request, and provides an error response. If you have
+	// the required permissions, the error response is DryRunOperation. Otherwise,
+	// it is UnauthorizedOperation.
+	DryRun *bool `type:"boolean"`
+
+	// The tags to assign to the Amazon Web Services Verified Access instance.
+	TagSpecifications []*TagSpecification `locationName:"TagSpecification" locationNameList:"item" type:"list"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s CreateVerifiedAccessInstanceInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s CreateVerifiedAccessInstanceInput) GoString() string {
+	return s.String()
+}
+
+// SetClientToken sets the ClientToken field's value.
+func (s *CreateVerifiedAccessInstanceInput) SetClientToken(v string) *CreateVerifiedAccessInstanceInput {
+	s.ClientToken = &v
+	return s
+}
+
+// SetDescription sets the Description field's value.
+func (s *CreateVerifiedAccessInstanceInput) SetDescription(v string) *CreateVerifiedAccessInstanceInput {
+	s.Description = &v
+	return s
+}
+
+// SetDryRun sets the DryRun field's value.
+func (s *CreateVerifiedAccessInstanceInput) SetDryRun(v bool) *CreateVerifiedAccessInstanceInput {
+	s.DryRun = &v
+	return s
+}
+
+// SetTagSpecifications sets the TagSpecifications field's value.
+func (s *CreateVerifiedAccessInstanceInput) SetTagSpecifications(v []*TagSpecification) *CreateVerifiedAccessInstanceInput {
+	s.TagSpecifications = v
+	return s
+}
+
+type CreateVerifiedAccessInstanceOutput struct {
+	_ struct{} `type:"structure"`
+
+	// The ID of the Amazon Web Services Verified Access instance.
+	VerifiedAccessInstance *VerifiedAccessInstance `locationName:"verifiedAccessInstance" type:"structure"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s CreateVerifiedAccessInstanceOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s CreateVerifiedAccessInstanceOutput) GoString() string {
+	return s.String()
+}
+
+// SetVerifiedAccessInstance sets the VerifiedAccessInstance field's value.
+func (s *CreateVerifiedAccessInstanceOutput) SetVerifiedAccessInstance(v *VerifiedAccessInstance) *CreateVerifiedAccessInstanceOutput {
+	s.VerifiedAccessInstance = v
+	return s
+}
+
+// Options for a device-identity type trust provider.
+type CreateVerifiedAccessTrustProviderDeviceOptions struct {
+	_ struct{} `type:"structure"`
+
+	// The ID of the tenant application with the device-identity provider.
+	TenantId *string `type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s CreateVerifiedAccessTrustProviderDeviceOptions) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s CreateVerifiedAccessTrustProviderDeviceOptions) GoString() string {
+	return s.String()
+}
+
+// SetTenantId sets the TenantId field's value.
+func (s *CreateVerifiedAccessTrustProviderDeviceOptions) SetTenantId(v string) *CreateVerifiedAccessTrustProviderDeviceOptions {
+	s.TenantId = &v
+	return s
+}
+
+type CreateVerifiedAccessTrustProviderInput struct {
+	_ struct{} `type:"structure"`
+
+	// A unique, case-sensitive token that you provide to ensure idempotency of
+	// your modification request. For more information, see Ensuring Idempotency
+	// (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html).
+	ClientToken *string `type:"string" idempotencyToken:"true"`
+
+	// A description for the Amazon Web Services Verified Access trust provider.
+	Description *string `type:"string"`
+
+	// The options for device identity based trust providers.
+	DeviceOptions *CreateVerifiedAccessTrustProviderDeviceOptions `type:"structure"`
+
+	// The type of device-based trust provider.
+	DeviceTrustProviderType *string `type:"string" enum:"DeviceTrustProviderType"`
+
+	// Checks whether you have the required permissions for the action, without
+	// actually making the request, and provides an error response. If you have
+	// the required permissions, the error response is DryRunOperation. Otherwise,
+	// it is UnauthorizedOperation.
+	DryRun *bool `type:"boolean"`
+
+	// The OpenID Connect details for an oidc-type, user-identity based trust provider.
+	OidcOptions *CreateVerifiedAccessTrustProviderOidcOptions `type:"structure"`
+
+	// The identifier to be used when working with policy rules.
+	//
+	// PolicyReferenceName is a required field
+	PolicyReferenceName *string `type:"string" required:"true"`
+
+	// The tags to assign to the Amazon Web Services Verified Access trust provider.
+	TagSpecifications []*TagSpecification `locationName:"TagSpecification" locationNameList:"item" type:"list"`
+
+	// The type of trust provider can be either user or device-based.
+	//
+	// TrustProviderType is a required field
+	TrustProviderType *string `type:"string" required:"true" enum:"TrustProviderType"`
+
+	// The type of user-based trust provider.
+	UserTrustProviderType *string `type:"string" enum:"UserTrustProviderType"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s CreateVerifiedAccessTrustProviderInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s CreateVerifiedAccessTrustProviderInput) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *CreateVerifiedAccessTrustProviderInput) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "CreateVerifiedAccessTrustProviderInput"}
+	if s.PolicyReferenceName == nil {
+		invalidParams.Add(request.NewErrParamRequired("PolicyReferenceName"))
+	}
+	if s.TrustProviderType == nil {
+		invalidParams.Add(request.NewErrParamRequired("TrustProviderType"))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetClientToken sets the ClientToken field's value.
+func (s *CreateVerifiedAccessTrustProviderInput) SetClientToken(v string) *CreateVerifiedAccessTrustProviderInput {
+	s.ClientToken = &v
+	return s
+}
+
+// SetDescription sets the Description field's value.
+func (s *CreateVerifiedAccessTrustProviderInput) SetDescription(v string) *CreateVerifiedAccessTrustProviderInput {
+	s.Description = &v
+	return s
+}
+
+// SetDeviceOptions sets the DeviceOptions field's value.
+func (s *CreateVerifiedAccessTrustProviderInput) SetDeviceOptions(v *CreateVerifiedAccessTrustProviderDeviceOptions) *CreateVerifiedAccessTrustProviderInput {
+	s.DeviceOptions = v
+	return s
+}
+
+// SetDeviceTrustProviderType sets the DeviceTrustProviderType field's value.
+func (s *CreateVerifiedAccessTrustProviderInput) SetDeviceTrustProviderType(v string) *CreateVerifiedAccessTrustProviderInput {
+	s.DeviceTrustProviderType = &v
+	return s
+}
+
+// SetDryRun sets the DryRun field's value.
+func (s *CreateVerifiedAccessTrustProviderInput) SetDryRun(v bool) *CreateVerifiedAccessTrustProviderInput {
+	s.DryRun = &v
+	return s
+}
+
+// SetOidcOptions sets the OidcOptions field's value.
+func (s *CreateVerifiedAccessTrustProviderInput) SetOidcOptions(v *CreateVerifiedAccessTrustProviderOidcOptions) *CreateVerifiedAccessTrustProviderInput {
+	s.OidcOptions = v
+	return s
+}
+
+// SetPolicyReferenceName sets the PolicyReferenceName field's value.
+func (s *CreateVerifiedAccessTrustProviderInput) SetPolicyReferenceName(v string) *CreateVerifiedAccessTrustProviderInput {
+	s.PolicyReferenceName = &v
+	return s
+}
+
+// SetTagSpecifications sets the TagSpecifications field's value.
+func (s *CreateVerifiedAccessTrustProviderInput) SetTagSpecifications(v []*TagSpecification) *CreateVerifiedAccessTrustProviderInput {
+	s.TagSpecifications = v
+	return s
+}
+
+// SetTrustProviderType sets the TrustProviderType field's value.
+func (s *CreateVerifiedAccessTrustProviderInput) SetTrustProviderType(v string) *CreateVerifiedAccessTrustProviderInput {
+	s.TrustProviderType = &v
+	return s
+}
+
+// SetUserTrustProviderType sets the UserTrustProviderType field's value.
+func (s *CreateVerifiedAccessTrustProviderInput) SetUserTrustProviderType(v string) *CreateVerifiedAccessTrustProviderInput {
+	s.UserTrustProviderType = &v
+	return s
+}
+
+// Options for an OIDC-based, user-identity type trust provider.
+type CreateVerifiedAccessTrustProviderOidcOptions struct {
+	_ struct{} `type:"structure"`
+
+	// The OIDC authorization endpoint.
+	AuthorizationEndpoint *string `type:"string"`
+
+	// The client identifier.
+	ClientId *string `type:"string"`
+
+	// The client secret.
+	ClientSecret *string `type:"string"`
+
+	// The OIDC issuer.
+	Issuer *string `type:"string"`
+
+	// OpenID Connect (OIDC) scopes are used by an application during authentication
+	// to authorize access to a user's details. Each scope returns a specific set
+	// of user attributes.
+	Scope *string `type:"string"`
+
+	// The OIDC token endpoint.
+	TokenEndpoint *string `type:"string"`
+
+	// The OIDC user info endpoint.
+	UserInfoEndpoint *string `type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s CreateVerifiedAccessTrustProviderOidcOptions) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s CreateVerifiedAccessTrustProviderOidcOptions) GoString() string {
+	return s.String()
+}
+
+// SetAuthorizationEndpoint sets the AuthorizationEndpoint field's value.
+func (s *CreateVerifiedAccessTrustProviderOidcOptions) SetAuthorizationEndpoint(v string) *CreateVerifiedAccessTrustProviderOidcOptions {
+	s.AuthorizationEndpoint = &v
+	return s
+}
+
+// SetClientId sets the ClientId field's value.
+func (s *CreateVerifiedAccessTrustProviderOidcOptions) SetClientId(v string) *CreateVerifiedAccessTrustProviderOidcOptions {
+	s.ClientId = &v
+	return s
+}
+
+// SetClientSecret sets the ClientSecret field's value.
+func (s *CreateVerifiedAccessTrustProviderOidcOptions) SetClientSecret(v string) *CreateVerifiedAccessTrustProviderOidcOptions {
+	s.ClientSecret = &v
+	return s
+}
+
+// SetIssuer sets the Issuer field's value.
+func (s *CreateVerifiedAccessTrustProviderOidcOptions) SetIssuer(v string) *CreateVerifiedAccessTrustProviderOidcOptions {
+	s.Issuer = &v
+	return s
+}
+
+// SetScope sets the Scope field's value.
+func (s *CreateVerifiedAccessTrustProviderOidcOptions) SetScope(v string) *CreateVerifiedAccessTrustProviderOidcOptions {
+	s.Scope = &v
+	return s
+}
+
+// SetTokenEndpoint sets the TokenEndpoint field's value.
+func (s *CreateVerifiedAccessTrustProviderOidcOptions) SetTokenEndpoint(v string) *CreateVerifiedAccessTrustProviderOidcOptions {
+	s.TokenEndpoint = &v
+	return s
+}
+
+// SetUserInfoEndpoint sets the UserInfoEndpoint field's value.
+func (s *CreateVerifiedAccessTrustProviderOidcOptions) SetUserInfoEndpoint(v string) *CreateVerifiedAccessTrustProviderOidcOptions {
+	s.UserInfoEndpoint = &v
+	return s
+}
+
+type CreateVerifiedAccessTrustProviderOutput struct {
+	_ struct{} `type:"structure"`
+
+	// The ID of the Amazon Web Services Verified Access trust provider.
+	VerifiedAccessTrustProvider *VerifiedAccessTrustProvider `locationName:"verifiedAccessTrustProvider" type:"structure"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s CreateVerifiedAccessTrustProviderOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s CreateVerifiedAccessTrustProviderOutput) GoString() string {
+	return s.String()
+}
+
+// SetVerifiedAccessTrustProvider sets the VerifiedAccessTrustProvider field's value.
+func (s *CreateVerifiedAccessTrustProviderOutput) SetVerifiedAccessTrustProvider(v *VerifiedAccessTrustProvider) *CreateVerifiedAccessTrustProviderOutput {
+	s.VerifiedAccessTrustProvider = v
+	return s
+}
+
 type CreateVolumeInput struct {
 	_ struct{} `type:"structure"`
 
@@ -73811,6 +77501,182 @@ func (s *CustomerGateway) SetType(v string) *CustomerGateway {
 	return s
 }
 
+// A query used for retrieving network health data.
+type DataQuery struct {
+	_ struct{} `type:"structure"`
+
+	// The Region or Availability Zone that's the target for the data query. For
+	// example, eu-north-1.
+	Destination *string `type:"string"`
+
+	// A user-defined ID associated with a data query that's returned in the dataResponse
+	// identifying the query. For example, if you set the Id to MyQuery01in the
+	// query, the dataResponse identifies the query as MyQuery01.
+	Id *string `type:"string"`
+
+	// The aggregation metric used for the data query. Currently only aggregation-latency
+	// is supported, indicating network latency.
+	Metric *string `type:"string" enum:"MetricType"`
+
+	// The aggregation period used for the data query.
+	Period *string `type:"string" enum:"PeriodType"`
+
+	// The Region or Availability Zone that's the source for the data query. For
+	// example, us-east-1.
+	Source *string `type:"string"`
+
+	// Metric data aggregations over specified periods of time. The following are
+	// the supported Infrastructure Performance statistics:
+	//
+	//    * p50 - The median value of the metric aggregated over a specified start
+	//    and end time. For example, a metric of five_minutes is the median of all
+	//    the data points gathered within those five minutes.
+	Statistic *string `type:"string" enum:"StatisticType"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DataQuery) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DataQuery) GoString() string {
+	return s.String()
+}
+
+// SetDestination sets the Destination field's value.
+func (s *DataQuery) SetDestination(v string) *DataQuery {
+	s.Destination = &v
+	return s
+}
+
+// SetId sets the Id field's value.
+func (s *DataQuery) SetId(v string) *DataQuery {
+	s.Id = &v
+	return s
+}
+
+// SetMetric sets the Metric field's value.
+func (s *DataQuery) SetMetric(v string) *DataQuery {
+	s.Metric = &v
+	return s
+}
+
+// SetPeriod sets the Period field's value.
+func (s *DataQuery) SetPeriod(v string) *DataQuery {
+	s.Period = &v
+	return s
+}
+
+// SetSource sets the Source field's value.
+func (s *DataQuery) SetSource(v string) *DataQuery {
+	s.Source = &v
+	return s
+}
+
+// SetStatistic sets the Statistic field's value.
+func (s *DataQuery) SetStatistic(v string) *DataQuery {
+	s.Statistic = &v
+	return s
+}
+
+// The response to a DataQuery.
+type DataResponse struct {
+	_ struct{} `type:"structure"`
+
+	// The Region or Availability Zone that's the destination for the data query.
+	// For example, eu-west-1.
+	Destination *string `locationName:"destination" type:"string"`
+
+	// The ID passed in the DataQuery.
+	Id *string `locationName:"id" type:"string"`
+
+	// The metric used for the network performance request. Currently only aggregate-latency
+	// is supported, showing network latency during a specified period.
+	Metric *string `locationName:"metric" type:"string" enum:"MetricType"`
+
+	// A list of MetricPoint objects.
+	MetricPoints []*MetricPoint `locationName:"metricPointSet" locationNameList:"item" type:"list"`
+
+	// The period used for the network performance request.
+	Period *string `locationName:"period" type:"string" enum:"PeriodType"`
+
+	// The Region or Availability Zone that's the source for the data query. For
+	// example, us-east-1.
+	Source *string `locationName:"source" type:"string"`
+
+	// The statistic used for the network performance request.
+	Statistic *string `locationName:"statistic" type:"string" enum:"StatisticType"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DataResponse) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DataResponse) GoString() string {
+	return s.String()
+}
+
+// SetDestination sets the Destination field's value.
+func (s *DataResponse) SetDestination(v string) *DataResponse {
+	s.Destination = &v
+	return s
+}
+
+// SetId sets the Id field's value.
+func (s *DataResponse) SetId(v string) *DataResponse {
+	s.Id = &v
+	return s
+}
+
+// SetMetric sets the Metric field's value.
+func (s *DataResponse) SetMetric(v string) *DataResponse {
+	s.Metric = &v
+	return s
+}
+
+// SetMetricPoints sets the MetricPoints field's value.
+func (s *DataResponse) SetMetricPoints(v []*MetricPoint) *DataResponse {
+	s.MetricPoints = v
+	return s
+}
+
+// SetPeriod sets the Period field's value.
+func (s *DataResponse) SetPeriod(v string) *DataResponse {
+	s.Period = &v
+	return s
+}
+
+// SetSource sets the Source field's value.
+func (s *DataResponse) SetSource(v string) *DataResponse {
+	s.Source = &v
+	return s
+}
+
+// SetStatistic sets the Statistic field's value.
+func (s *DataResponse) SetStatistic(v string) *DataResponse {
+	s.Statistic = &v
+	return s
+}
+
 type DeleteCarrierGatewayInput struct {
 	_ struct{} `type:"structure"`
 
@@ -74265,7 +78131,7 @@ func (s *DeleteCoipPoolInput) SetDryRun(v bool) *DeleteCoipPoolInput {
 type DeleteCoipPoolOutput struct {
 	_ struct{} `type:"structure"`
 
-	// Describes a customer-owned address pool.
+	// Information about the CoIP address pool.
 	CoipPool *CoipPool `locationName:"coipPool" type:"structure"`
 }
 
@@ -76019,7 +79885,7 @@ func (s *DeleteLocalGatewayRouteTableInput) SetLocalGatewayRouteTableId(v string
 type DeleteLocalGatewayRouteTableOutput struct {
 	_ struct{} `type:"structure"`
 
-	// Describes a local gateway route table.
+	// Information about the local gateway route table.
 	LocalGatewayRouteTable *LocalGatewayRouteTable `locationName:"localGatewayRouteTable" type:"structure"`
 }
 
@@ -76108,8 +79974,7 @@ func (s *DeleteLocalGatewayRouteTableVirtualInterfaceGroupAssociationInput) SetL
 type DeleteLocalGatewayRouteTableVirtualInterfaceGroupAssociationOutput struct {
 	_ struct{} `type:"structure"`
 
-	// Describes an association between a local gateway route table and a virtual
-	// interface group.
+	// Information about the association.
 	LocalGatewayRouteTableVirtualInterfaceGroupAssociation *LocalGatewayRouteTableVirtualInterfaceGroupAssociation `locationName:"localGatewayRouteTableVirtualInterfaceGroupAssociation" type:"structure"`
 }
 
@@ -79478,6 +83343,406 @@ func (s *DeleteTransitGatewayVpcAttachmentOutput) SetTransitGatewayVpcAttachment
 	return s
 }
 
+type DeleteVerifiedAccessEndpointInput struct {
+	_ struct{} `type:"structure"`
+
+	// A unique, case-sensitive token that you provide to ensure idempotency of
+	// your modification request. For more information, see Ensuring Idempotency
+	// (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html).
+	ClientToken *string `type:"string" idempotencyToken:"true"`
+
+	// Checks whether you have the required permissions for the action, without
+	// actually making the request, and provides an error response. If you have
+	// the required permissions, the error response is DryRunOperation. Otherwise,
+	// it is UnauthorizedOperation.
+	DryRun *bool `type:"boolean"`
+
+	// The ID of the Amazon Web Services Verified Access endpoint.
+	//
+	// VerifiedAccessEndpointId is a required field
+	VerifiedAccessEndpointId *string `type:"string" required:"true"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DeleteVerifiedAccessEndpointInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DeleteVerifiedAccessEndpointInput) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *DeleteVerifiedAccessEndpointInput) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "DeleteVerifiedAccessEndpointInput"}
+	if s.VerifiedAccessEndpointId == nil {
+		invalidParams.Add(request.NewErrParamRequired("VerifiedAccessEndpointId"))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetClientToken sets the ClientToken field's value.
+func (s *DeleteVerifiedAccessEndpointInput) SetClientToken(v string) *DeleteVerifiedAccessEndpointInput {
+	s.ClientToken = &v
+	return s
+}
+
+// SetDryRun sets the DryRun field's value.
+func (s *DeleteVerifiedAccessEndpointInput) SetDryRun(v bool) *DeleteVerifiedAccessEndpointInput {
+	s.DryRun = &v
+	return s
+}
+
+// SetVerifiedAccessEndpointId sets the VerifiedAccessEndpointId field's value.
+func (s *DeleteVerifiedAccessEndpointInput) SetVerifiedAccessEndpointId(v string) *DeleteVerifiedAccessEndpointInput {
+	s.VerifiedAccessEndpointId = &v
+	return s
+}
+
+type DeleteVerifiedAccessEndpointOutput struct {
+	_ struct{} `type:"structure"`
+
+	// The ID of the Amazon Web Services Verified Access endpoint.
+	VerifiedAccessEndpoint *VerifiedAccessEndpoint `locationName:"verifiedAccessEndpoint" type:"structure"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DeleteVerifiedAccessEndpointOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DeleteVerifiedAccessEndpointOutput) GoString() string {
+	return s.String()
+}
+
+// SetVerifiedAccessEndpoint sets the VerifiedAccessEndpoint field's value.
+func (s *DeleteVerifiedAccessEndpointOutput) SetVerifiedAccessEndpoint(v *VerifiedAccessEndpoint) *DeleteVerifiedAccessEndpointOutput {
+	s.VerifiedAccessEndpoint = v
+	return s
+}
+
+type DeleteVerifiedAccessGroupInput struct {
+	_ struct{} `type:"structure"`
+
+	// A unique, case-sensitive token that you provide to ensure idempotency of
+	// your modification request. For more information, see Ensuring Idempotency
+	// (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html).
+	ClientToken *string `type:"string" idempotencyToken:"true"`
+
+	// Checks whether you have the required permissions for the action, without
+	// actually making the request, and provides an error response. If you have
+	// the required permissions, the error response is DryRunOperation. Otherwise,
+	// it is UnauthorizedOperation.
+	DryRun *bool `type:"boolean"`
+
+	// The ID of the Amazon Web Services Verified Access group.
+	//
+	// VerifiedAccessGroupId is a required field
+	VerifiedAccessGroupId *string `type:"string" required:"true"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DeleteVerifiedAccessGroupInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DeleteVerifiedAccessGroupInput) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *DeleteVerifiedAccessGroupInput) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "DeleteVerifiedAccessGroupInput"}
+	if s.VerifiedAccessGroupId == nil {
+		invalidParams.Add(request.NewErrParamRequired("VerifiedAccessGroupId"))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetClientToken sets the ClientToken field's value.
+func (s *DeleteVerifiedAccessGroupInput) SetClientToken(v string) *DeleteVerifiedAccessGroupInput {
+	s.ClientToken = &v
+	return s
+}
+
+// SetDryRun sets the DryRun field's value.
+func (s *DeleteVerifiedAccessGroupInput) SetDryRun(v bool) *DeleteVerifiedAccessGroupInput {
+	s.DryRun = &v
+	return s
+}
+
+// SetVerifiedAccessGroupId sets the VerifiedAccessGroupId field's value.
+func (s *DeleteVerifiedAccessGroupInput) SetVerifiedAccessGroupId(v string) *DeleteVerifiedAccessGroupInput {
+	s.VerifiedAccessGroupId = &v
+	return s
+}
+
+type DeleteVerifiedAccessGroupOutput struct {
+	_ struct{} `type:"structure"`
+
+	// The ID of the Amazon Web Services Verified Access group.
+	VerifiedAccessGroup *VerifiedAccessGroup `locationName:"verifiedAccessGroup" type:"structure"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DeleteVerifiedAccessGroupOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DeleteVerifiedAccessGroupOutput) GoString() string {
+	return s.String()
+}
+
+// SetVerifiedAccessGroup sets the VerifiedAccessGroup field's value.
+func (s *DeleteVerifiedAccessGroupOutput) SetVerifiedAccessGroup(v *VerifiedAccessGroup) *DeleteVerifiedAccessGroupOutput {
+	s.VerifiedAccessGroup = v
+	return s
+}
+
+type DeleteVerifiedAccessInstanceInput struct {
+	_ struct{} `type:"structure"`
+
+	// A unique, case-sensitive token that you provide to ensure idempotency of
+	// your modification request. For more information, see Ensuring Idempotency
+	// (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html).
+	ClientToken *string `type:"string" idempotencyToken:"true"`
+
+	// Checks whether you have the required permissions for the action, without
+	// actually making the request, and provides an error response. If you have
+	// the required permissions, the error response is DryRunOperation. Otherwise,
+	// it is UnauthorizedOperation.
+	DryRun *bool `type:"boolean"`
+
+	// The ID of the Amazon Web Services Verified Access instance.
+	//
+	// VerifiedAccessInstanceId is a required field
+	VerifiedAccessInstanceId *string `type:"string" required:"true"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DeleteVerifiedAccessInstanceInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DeleteVerifiedAccessInstanceInput) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *DeleteVerifiedAccessInstanceInput) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "DeleteVerifiedAccessInstanceInput"}
+	if s.VerifiedAccessInstanceId == nil {
+		invalidParams.Add(request.NewErrParamRequired("VerifiedAccessInstanceId"))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetClientToken sets the ClientToken field's value.
+func (s *DeleteVerifiedAccessInstanceInput) SetClientToken(v string) *DeleteVerifiedAccessInstanceInput {
+	s.ClientToken = &v
+	return s
+}
+
+// SetDryRun sets the DryRun field's value.
+func (s *DeleteVerifiedAccessInstanceInput) SetDryRun(v bool) *DeleteVerifiedAccessInstanceInput {
+	s.DryRun = &v
+	return s
+}
+
+// SetVerifiedAccessInstanceId sets the VerifiedAccessInstanceId field's value.
+func (s *DeleteVerifiedAccessInstanceInput) SetVerifiedAccessInstanceId(v string) *DeleteVerifiedAccessInstanceInput {
+	s.VerifiedAccessInstanceId = &v
+	return s
+}
+
+type DeleteVerifiedAccessInstanceOutput struct {
+	_ struct{} `type:"structure"`
+
+	// The ID of the Amazon Web Services Verified Access instance.
+	VerifiedAccessInstance *VerifiedAccessInstance `locationName:"verifiedAccessInstance" type:"structure"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DeleteVerifiedAccessInstanceOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DeleteVerifiedAccessInstanceOutput) GoString() string {
+	return s.String()
+}
+
+// SetVerifiedAccessInstance sets the VerifiedAccessInstance field's value.
+func (s *DeleteVerifiedAccessInstanceOutput) SetVerifiedAccessInstance(v *VerifiedAccessInstance) *DeleteVerifiedAccessInstanceOutput {
+	s.VerifiedAccessInstance = v
+	return s
+}
+
+type DeleteVerifiedAccessTrustProviderInput struct {
+	_ struct{} `type:"structure"`
+
+	// A unique, case-sensitive token that you provide to ensure idempotency of
+	// your modification request. For more information, see Ensuring Idempotency
+	// (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html).
+	ClientToken *string `type:"string" idempotencyToken:"true"`
+
+	// Checks whether you have the required permissions for the action, without
+	// actually making the request, and provides an error response. If you have
+	// the required permissions, the error response is DryRunOperation. Otherwise,
+	// it is UnauthorizedOperation.
+	DryRun *bool `type:"boolean"`
+
+	// The ID of the Amazon Web Services Verified Access trust provider.
+	//
+	// VerifiedAccessTrustProviderId is a required field
+	VerifiedAccessTrustProviderId *string `type:"string" required:"true"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DeleteVerifiedAccessTrustProviderInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DeleteVerifiedAccessTrustProviderInput) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *DeleteVerifiedAccessTrustProviderInput) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "DeleteVerifiedAccessTrustProviderInput"}
+	if s.VerifiedAccessTrustProviderId == nil {
+		invalidParams.Add(request.NewErrParamRequired("VerifiedAccessTrustProviderId"))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetClientToken sets the ClientToken field's value.
+func (s *DeleteVerifiedAccessTrustProviderInput) SetClientToken(v string) *DeleteVerifiedAccessTrustProviderInput {
+	s.ClientToken = &v
+	return s
+}
+
+// SetDryRun sets the DryRun field's value.
+func (s *DeleteVerifiedAccessTrustProviderInput) SetDryRun(v bool) *DeleteVerifiedAccessTrustProviderInput {
+	s.DryRun = &v
+	return s
+}
+
+// SetVerifiedAccessTrustProviderId sets the VerifiedAccessTrustProviderId field's value.
+func (s *DeleteVerifiedAccessTrustProviderInput) SetVerifiedAccessTrustProviderId(v string) *DeleteVerifiedAccessTrustProviderInput {
+	s.VerifiedAccessTrustProviderId = &v
+	return s
+}
+
+type DeleteVerifiedAccessTrustProviderOutput struct {
+	_ struct{} `type:"structure"`
+
+	// The ID of the Amazon Web Services Verified Access trust provider.
+	VerifiedAccessTrustProvider *VerifiedAccessTrustProvider `locationName:"verifiedAccessTrustProvider" type:"structure"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DeleteVerifiedAccessTrustProviderOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DeleteVerifiedAccessTrustProviderOutput) GoString() string {
+	return s.String()
+}
+
+// SetVerifiedAccessTrustProvider sets the VerifiedAccessTrustProvider field's value.
+func (s *DeleteVerifiedAccessTrustProviderOutput) SetVerifiedAccessTrustProvider(v *VerifiedAccessTrustProvider) *DeleteVerifiedAccessTrustProviderOutput {
+	s.VerifiedAccessTrustProvider = v
+	return s
+}
+
 type DeleteVolumeInput struct {
 	_ struct{} `type:"structure"`
 
@@ -81581,6 +85846,109 @@ func (s *DescribeAvailabilityZonesOutput) SetAvailabilityZones(v []*Availability
 	return s
 }
 
+type DescribeAwsNetworkPerformanceMetricSubscriptionsInput struct {
+	_ struct{} `type:"structure"`
+
+	// Checks whether you have the required permissions for the action, without
+	// actually making the request, and provides an error response. If you have
+	// the required permissions, the error response is DryRunOperation. Otherwise,
+	// it is UnauthorizedOperation.
+	DryRun *bool `type:"boolean"`
+
+	// One or more filters.
+	Filters []*Filter `locationName:"Filter" locationNameList:"Filter" type:"list"`
+
+	// The maximum number of results to return with a single call. To retrieve the
+	// remaining results, make another call with the returned nextToken value.
+	MaxResults *int64 `type:"integer"`
+
+	// The token for the next page of results.
+	NextToken *string `type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DescribeAwsNetworkPerformanceMetricSubscriptionsInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DescribeAwsNetworkPerformanceMetricSubscriptionsInput) GoString() string {
+	return s.String()
+}
+
+// SetDryRun sets the DryRun field's value.
+func (s *DescribeAwsNetworkPerformanceMetricSubscriptionsInput) SetDryRun(v bool) *DescribeAwsNetworkPerformanceMetricSubscriptionsInput {
+	s.DryRun = &v
+	return s
+}
+
+// SetFilters sets the Filters field's value.
+func (s *DescribeAwsNetworkPerformanceMetricSubscriptionsInput) SetFilters(v []*Filter) *DescribeAwsNetworkPerformanceMetricSubscriptionsInput {
+	s.Filters = v
+	return s
+}
+
+// SetMaxResults sets the MaxResults field's value.
+func (s *DescribeAwsNetworkPerformanceMetricSubscriptionsInput) SetMaxResults(v int64) *DescribeAwsNetworkPerformanceMetricSubscriptionsInput {
+	s.MaxResults = &v
+	return s
+}
+
+// SetNextToken sets the NextToken field's value.
+func (s *DescribeAwsNetworkPerformanceMetricSubscriptionsInput) SetNextToken(v string) *DescribeAwsNetworkPerformanceMetricSubscriptionsInput {
+	s.NextToken = &v
+	return s
+}
+
+type DescribeAwsNetworkPerformanceMetricSubscriptionsOutput struct {
+	_ struct{} `type:"structure"`
+
+	// The token to use to retrieve the next page of results. This value is null
+	// when there are no more results to return.
+	NextToken *string `locationName:"nextToken" type:"string"`
+
+	// Describes the current Infrastructure Performance subscriptions.
+	Subscriptions []*Subscription `locationName:"subscriptionSet" locationNameList:"item" type:"list"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DescribeAwsNetworkPerformanceMetricSubscriptionsOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DescribeAwsNetworkPerformanceMetricSubscriptionsOutput) GoString() string {
+	return s.String()
+}
+
+// SetNextToken sets the NextToken field's value.
+func (s *DescribeAwsNetworkPerformanceMetricSubscriptionsOutput) SetNextToken(v string) *DescribeAwsNetworkPerformanceMetricSubscriptionsOutput {
+	s.NextToken = &v
+	return s
+}
+
+// SetSubscriptions sets the Subscriptions field's value.
+func (s *DescribeAwsNetworkPerformanceMetricSubscriptionsOutput) SetSubscriptions(v []*Subscription) *DescribeAwsNetworkPerformanceMetricSubscriptionsOutput {
+	s.Subscriptions = v
+	return s
+}
+
 type DescribeBundleTasksInput struct {
 	_ struct{} `type:"structure"`
 
@@ -86269,7 +90637,7 @@ type DescribeImageAttributeOutput struct {
 	// by default, the instance requires that IMDSv2 is used when requesting instance
 	// metadata. In addition, HttpPutResponseHopLimit is set to 2. For more information,
 	// see Configure the AMI (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html#configure-IMDS-new-instances-ami-configuration)
-	// in the Amazon Elastic Compute Cloud User Guide.
+	// in the Amazon EC2 User Guide.
 	ImdsSupport *AttributeValue `locationName:"imdsSupport" type:"structure"`
 
 	// The kernel ID.
@@ -86303,7 +90671,7 @@ type DescribeImageAttributeOutput struct {
 	// command. You can inspect and modify the UEFI data by using the python-uefivars
 	// tool (https://github.com/awslabs/python-uefivars) on GitHub. For more information,
 	// see UEFI Secure Boot (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/uefi-secure-boot.html)
-	// in the Amazon Elastic Compute Cloud User Guide.
+	// in the Amazon EC2 User Guide.
 	UefiData *AttributeValue `locationName:"uefiData" type:"structure"`
 }
 
@@ -86530,6 +90898,13 @@ type DescribeImagesInput struct {
 	// of what you specify for this parameter.
 	IncludeDeprecated *bool `type:"boolean"`
 
+	// The maximum number of results to return with a single call. To retrieve the
+	// remaining results, make another call with the returned nextToken value.
+	MaxResults *int64 `type:"integer"`
+
+	// The token for the next page of results.
+	NextToken *string `type:"string"`
+
 	// Scopes the results to images with the specified owners. You can specify a
 	// combination of Amazon Web Services account IDs, self, amazon, and aws-marketplace.
 	// If you omit this parameter, the results include all images for which you
@@ -86585,6 +90960,18 @@ func (s *DescribeImagesInput) SetIncludeDeprecated(v bool) *DescribeImagesInput
 	return s
 }
 
+// SetMaxResults sets the MaxResults field's value.
+func (s *DescribeImagesInput) SetMaxResults(v int64) *DescribeImagesInput {
+	s.MaxResults = &v
+	return s
+}
+
+// SetNextToken sets the NextToken field's value.
+func (s *DescribeImagesInput) SetNextToken(v string) *DescribeImagesInput {
+	s.NextToken = &v
+	return s
+}
+
 // SetOwners sets the Owners field's value.
 func (s *DescribeImagesInput) SetOwners(v []*string) *DescribeImagesInput {
 	s.Owners = v
@@ -86596,6 +90983,10 @@ type DescribeImagesOutput struct {
 
 	// Information about the images.
 	Images []*Image `locationName:"imagesSet" locationNameList:"item" type:"list"`
+
+	// The token to use to retrieve the next page of results. This value is null
+	// when there are no more results to return.
+	NextToken *string `locationName:"nextToken" type:"string"`
 }
 
 // String returns the string representation.
@@ -86622,6 +91013,12 @@ func (s *DescribeImagesOutput) SetImages(v []*Image) *DescribeImagesOutput {
 	return s
 }
 
+// SetNextToken sets the NextToken field's value.
+func (s *DescribeImagesOutput) SetNextToken(v string) *DescribeImagesOutput {
+	s.NextToken = &v
+	return s
+}
+
 type DescribeImportImageTasksInput struct {
 	_ struct{} `type:"structure"`
 
@@ -98132,6 +102529,659 @@ func (s *DescribeTrunkInterfaceAssociationsOutput) SetNextToken(v string) *Descr
 	return s
 }
 
+type DescribeVerifiedAccessEndpointsInput struct {
+	_ struct{} `type:"structure"`
+
+	// Checks whether you have the required permissions for the action, without
+	// actually making the request, and provides an error response. If you have
+	// the required permissions, the error response is DryRunOperation. Otherwise,
+	// it is UnauthorizedOperation.
+	DryRun *bool `type:"boolean"`
+
+	// One or more filters. Filter names and values are case-sensitive.
+	Filters []*Filter `locationName:"Filter" locationNameList:"Filter" type:"list"`
+
+	// The maximum number of results to return with a single call. To retrieve the
+	// remaining results, make another call with the returned nextToken value.
+	MaxResults *int64 `min:"5" type:"integer"`
+
+	// The token for the next page of results.
+	NextToken *string `type:"string"`
+
+	// The ID of the Amazon Web Services Verified Access endpoint.
+	VerifiedAccessEndpointIds []*string `locationName:"VerifiedAccessEndpointId" locationNameList:"item" type:"list"`
+
+	// The ID of the Amazon Web Services Verified Access group.
+	VerifiedAccessGroupId *string `type:"string"`
+
+	// The ID of the Amazon Web Services Verified Access instance.
+	VerifiedAccessInstanceId *string `type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DescribeVerifiedAccessEndpointsInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DescribeVerifiedAccessEndpointsInput) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *DescribeVerifiedAccessEndpointsInput) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "DescribeVerifiedAccessEndpointsInput"}
+	if s.MaxResults != nil && *s.MaxResults < 5 {
+		invalidParams.Add(request.NewErrParamMinValue("MaxResults", 5))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetDryRun sets the DryRun field's value.
+func (s *DescribeVerifiedAccessEndpointsInput) SetDryRun(v bool) *DescribeVerifiedAccessEndpointsInput {
+	s.DryRun = &v
+	return s
+}
+
+// SetFilters sets the Filters field's value.
+func (s *DescribeVerifiedAccessEndpointsInput) SetFilters(v []*Filter) *DescribeVerifiedAccessEndpointsInput {
+	s.Filters = v
+	return s
+}
+
+// SetMaxResults sets the MaxResults field's value.
+func (s *DescribeVerifiedAccessEndpointsInput) SetMaxResults(v int64) *DescribeVerifiedAccessEndpointsInput {
+	s.MaxResults = &v
+	return s
+}
+
+// SetNextToken sets the NextToken field's value.
+func (s *DescribeVerifiedAccessEndpointsInput) SetNextToken(v string) *DescribeVerifiedAccessEndpointsInput {
+	s.NextToken = &v
+	return s
+}
+
+// SetVerifiedAccessEndpointIds sets the VerifiedAccessEndpointIds field's value.
+func (s *DescribeVerifiedAccessEndpointsInput) SetVerifiedAccessEndpointIds(v []*string) *DescribeVerifiedAccessEndpointsInput {
+	s.VerifiedAccessEndpointIds = v
+	return s
+}
+
+// SetVerifiedAccessGroupId sets the VerifiedAccessGroupId field's value.
+func (s *DescribeVerifiedAccessEndpointsInput) SetVerifiedAccessGroupId(v string) *DescribeVerifiedAccessEndpointsInput {
+	s.VerifiedAccessGroupId = &v
+	return s
+}
+
+// SetVerifiedAccessInstanceId sets the VerifiedAccessInstanceId field's value.
+func (s *DescribeVerifiedAccessEndpointsInput) SetVerifiedAccessInstanceId(v string) *DescribeVerifiedAccessEndpointsInput {
+	s.VerifiedAccessInstanceId = &v
+	return s
+}
+
+type DescribeVerifiedAccessEndpointsOutput struct {
+	_ struct{} `type:"structure"`
+
+	// The token to use to retrieve the next page of results. This value is null
+	// when there are no more results to return.
+	NextToken *string `locationName:"nextToken" type:"string"`
+
+	// The ID of the Amazon Web Services Verified Access endpoint.
+	VerifiedAccessEndpoints []*VerifiedAccessEndpoint `locationName:"verifiedAccessEndpointSet" locationNameList:"item" type:"list"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DescribeVerifiedAccessEndpointsOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DescribeVerifiedAccessEndpointsOutput) GoString() string {
+	return s.String()
+}
+
+// SetNextToken sets the NextToken field's value.
+func (s *DescribeVerifiedAccessEndpointsOutput) SetNextToken(v string) *DescribeVerifiedAccessEndpointsOutput {
+	s.NextToken = &v
+	return s
+}
+
+// SetVerifiedAccessEndpoints sets the VerifiedAccessEndpoints field's value.
+func (s *DescribeVerifiedAccessEndpointsOutput) SetVerifiedAccessEndpoints(v []*VerifiedAccessEndpoint) *DescribeVerifiedAccessEndpointsOutput {
+	s.VerifiedAccessEndpoints = v
+	return s
+}
+
+type DescribeVerifiedAccessGroupsInput struct {
+	_ struct{} `type:"structure"`
+
+	// Checks whether you have the required permissions for the action, without
+	// actually making the request, and provides an error response. If you have
+	// the required permissions, the error response is DryRunOperation. Otherwise,
+	// it is UnauthorizedOperation.
+	DryRun *bool `type:"boolean"`
+
+	// One or more filters. Filter names and values are case-sensitive.
+	Filters []*Filter `locationName:"Filter" locationNameList:"Filter" type:"list"`
+
+	// The maximum number of results to return with a single call. To retrieve the
+	// remaining results, make another call with the returned nextToken value.
+	MaxResults *int64 `min:"5" type:"integer"`
+
+	// The token for the next page of results.
+	NextToken *string `type:"string"`
+
+	// The ID of the Amazon Web Services Verified Access groups.
+	VerifiedAccessGroupIds []*string `locationName:"VerifiedAccessGroupId" locationNameList:"item" type:"list"`
+
+	// The ID of the Amazon Web Services Verified Access instance.
+	VerifiedAccessInstanceId *string `type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DescribeVerifiedAccessGroupsInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DescribeVerifiedAccessGroupsInput) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *DescribeVerifiedAccessGroupsInput) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "DescribeVerifiedAccessGroupsInput"}
+	if s.MaxResults != nil && *s.MaxResults < 5 {
+		invalidParams.Add(request.NewErrParamMinValue("MaxResults", 5))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetDryRun sets the DryRun field's value.
+func (s *DescribeVerifiedAccessGroupsInput) SetDryRun(v bool) *DescribeVerifiedAccessGroupsInput {
+	s.DryRun = &v
+	return s
+}
+
+// SetFilters sets the Filters field's value.
+func (s *DescribeVerifiedAccessGroupsInput) SetFilters(v []*Filter) *DescribeVerifiedAccessGroupsInput {
+	s.Filters = v
+	return s
+}
+
+// SetMaxResults sets the MaxResults field's value.
+func (s *DescribeVerifiedAccessGroupsInput) SetMaxResults(v int64) *DescribeVerifiedAccessGroupsInput {
+	s.MaxResults = &v
+	return s
+}
+
+// SetNextToken sets the NextToken field's value.
+func (s *DescribeVerifiedAccessGroupsInput) SetNextToken(v string) *DescribeVerifiedAccessGroupsInput {
+	s.NextToken = &v
+	return s
+}
+
+// SetVerifiedAccessGroupIds sets the VerifiedAccessGroupIds field's value.
+func (s *DescribeVerifiedAccessGroupsInput) SetVerifiedAccessGroupIds(v []*string) *DescribeVerifiedAccessGroupsInput {
+	s.VerifiedAccessGroupIds = v
+	return s
+}
+
+// SetVerifiedAccessInstanceId sets the VerifiedAccessInstanceId field's value.
+func (s *DescribeVerifiedAccessGroupsInput) SetVerifiedAccessInstanceId(v string) *DescribeVerifiedAccessGroupsInput {
+	s.VerifiedAccessInstanceId = &v
+	return s
+}
+
+type DescribeVerifiedAccessGroupsOutput struct {
+	_ struct{} `type:"structure"`
+
+	// The token to use to retrieve the next page of results. This value is null
+	// when there are no more results to return.
+	NextToken *string `locationName:"nextToken" type:"string"`
+
+	// The ID of the Verified Access group.
+	VerifiedAccessGroups []*VerifiedAccessGroup `locationName:"verifiedAccessGroupSet" locationNameList:"item" type:"list"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DescribeVerifiedAccessGroupsOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DescribeVerifiedAccessGroupsOutput) GoString() string {
+	return s.String()
+}
+
+// SetNextToken sets the NextToken field's value.
+func (s *DescribeVerifiedAccessGroupsOutput) SetNextToken(v string) *DescribeVerifiedAccessGroupsOutput {
+	s.NextToken = &v
+	return s
+}
+
+// SetVerifiedAccessGroups sets the VerifiedAccessGroups field's value.
+func (s *DescribeVerifiedAccessGroupsOutput) SetVerifiedAccessGroups(v []*VerifiedAccessGroup) *DescribeVerifiedAccessGroupsOutput {
+	s.VerifiedAccessGroups = v
+	return s
+}
+
+type DescribeVerifiedAccessInstanceLoggingConfigurationsInput struct {
+	_ struct{} `type:"structure"`
+
+	// Checks whether you have the required permissions for the action, without
+	// actually making the request, and provides an error response. If you have
+	// the required permissions, the error response is DryRunOperation. Otherwise,
+	// it is UnauthorizedOperation.
+	DryRun *bool `type:"boolean"`
+
+	// One or more filters. Filter names and values are case-sensitive.
+	Filters []*Filter `locationName:"Filter" locationNameList:"Filter" type:"list"`
+
+	// The maximum number of results to return with a single call. To retrieve the
+	// remaining results, make another call with the returned nextToken value.
+	MaxResults *int64 `min:"1" type:"integer"`
+
+	// The token for the next page of results.
+	NextToken *string `type:"string"`
+
+	// The IDs of the Amazon Web Services Verified Access instances.
+	VerifiedAccessInstanceIds []*string `locationName:"VerifiedAccessInstanceId" locationNameList:"item" type:"list"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DescribeVerifiedAccessInstanceLoggingConfigurationsInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DescribeVerifiedAccessInstanceLoggingConfigurationsInput) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *DescribeVerifiedAccessInstanceLoggingConfigurationsInput) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "DescribeVerifiedAccessInstanceLoggingConfigurationsInput"}
+	if s.MaxResults != nil && *s.MaxResults < 1 {
+		invalidParams.Add(request.NewErrParamMinValue("MaxResults", 1))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetDryRun sets the DryRun field's value.
+func (s *DescribeVerifiedAccessInstanceLoggingConfigurationsInput) SetDryRun(v bool) *DescribeVerifiedAccessInstanceLoggingConfigurationsInput {
+	s.DryRun = &v
+	return s
+}
+
+// SetFilters sets the Filters field's value.
+func (s *DescribeVerifiedAccessInstanceLoggingConfigurationsInput) SetFilters(v []*Filter) *DescribeVerifiedAccessInstanceLoggingConfigurationsInput {
+	s.Filters = v
+	return s
+}
+
+// SetMaxResults sets the MaxResults field's value.
+func (s *DescribeVerifiedAccessInstanceLoggingConfigurationsInput) SetMaxResults(v int64) *DescribeVerifiedAccessInstanceLoggingConfigurationsInput {
+	s.MaxResults = &v
+	return s
+}
+
+// SetNextToken sets the NextToken field's value.
+func (s *DescribeVerifiedAccessInstanceLoggingConfigurationsInput) SetNextToken(v string) *DescribeVerifiedAccessInstanceLoggingConfigurationsInput {
+	s.NextToken = &v
+	return s
+}
+
+// SetVerifiedAccessInstanceIds sets the VerifiedAccessInstanceIds field's value.
+func (s *DescribeVerifiedAccessInstanceLoggingConfigurationsInput) SetVerifiedAccessInstanceIds(v []*string) *DescribeVerifiedAccessInstanceLoggingConfigurationsInput {
+	s.VerifiedAccessInstanceIds = v
+	return s
+}
+
+type DescribeVerifiedAccessInstanceLoggingConfigurationsOutput struct {
+	_ struct{} `type:"structure"`
+
+	// The current logging configuration for the Amazon Web Services Verified Access
+	// instances.
+	LoggingConfigurations []*VerifiedAccessInstanceLoggingConfiguration `locationName:"loggingConfigurationSet" locationNameList:"item" type:"list"`
+
+	// The token to use to retrieve the next page of results. This value is null
+	// when there are no more results to return.
+	NextToken *string `locationName:"nextToken" type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DescribeVerifiedAccessInstanceLoggingConfigurationsOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DescribeVerifiedAccessInstanceLoggingConfigurationsOutput) GoString() string {
+	return s.String()
+}
+
+// SetLoggingConfigurations sets the LoggingConfigurations field's value.
+func (s *DescribeVerifiedAccessInstanceLoggingConfigurationsOutput) SetLoggingConfigurations(v []*VerifiedAccessInstanceLoggingConfiguration) *DescribeVerifiedAccessInstanceLoggingConfigurationsOutput {
+	s.LoggingConfigurations = v
+	return s
+}
+
+// SetNextToken sets the NextToken field's value.
+func (s *DescribeVerifiedAccessInstanceLoggingConfigurationsOutput) SetNextToken(v string) *DescribeVerifiedAccessInstanceLoggingConfigurationsOutput {
+	s.NextToken = &v
+	return s
+}
+
+type DescribeVerifiedAccessInstancesInput struct {
+	_ struct{} `type:"structure"`
+
+	// Checks whether you have the required permissions for the action, without
+	// actually making the request, and provides an error response. If you have
+	// the required permissions, the error response is DryRunOperation. Otherwise,
+	// it is UnauthorizedOperation.
+	DryRun *bool `type:"boolean"`
+
+	// One or more filters. Filter names and values are case-sensitive.
+	Filters []*Filter `locationName:"Filter" locationNameList:"Filter" type:"list"`
+
+	// The maximum number of results to return with a single call. To retrieve the
+	// remaining results, make another call with the returned nextToken value.
+	MaxResults *int64 `min:"5" type:"integer"`
+
+	// The token for the next page of results.
+	NextToken *string `type:"string"`
+
+	// The IDs of the Amazon Web Services Verified Access instances.
+	VerifiedAccessInstanceIds []*string `locationName:"VerifiedAccessInstanceId" locationNameList:"item" type:"list"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DescribeVerifiedAccessInstancesInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DescribeVerifiedAccessInstancesInput) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *DescribeVerifiedAccessInstancesInput) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "DescribeVerifiedAccessInstancesInput"}
+	if s.MaxResults != nil && *s.MaxResults < 5 {
+		invalidParams.Add(request.NewErrParamMinValue("MaxResults", 5))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetDryRun sets the DryRun field's value.
+func (s *DescribeVerifiedAccessInstancesInput) SetDryRun(v bool) *DescribeVerifiedAccessInstancesInput {
+	s.DryRun = &v
+	return s
+}
+
+// SetFilters sets the Filters field's value.
+func (s *DescribeVerifiedAccessInstancesInput) SetFilters(v []*Filter) *DescribeVerifiedAccessInstancesInput {
+	s.Filters = v
+	return s
+}
+
+// SetMaxResults sets the MaxResults field's value.
+func (s *DescribeVerifiedAccessInstancesInput) SetMaxResults(v int64) *DescribeVerifiedAccessInstancesInput {
+	s.MaxResults = &v
+	return s
+}
+
+// SetNextToken sets the NextToken field's value.
+func (s *DescribeVerifiedAccessInstancesInput) SetNextToken(v string) *DescribeVerifiedAccessInstancesInput {
+	s.NextToken = &v
+	return s
+}
+
+// SetVerifiedAccessInstanceIds sets the VerifiedAccessInstanceIds field's value.
+func (s *DescribeVerifiedAccessInstancesInput) SetVerifiedAccessInstanceIds(v []*string) *DescribeVerifiedAccessInstancesInput {
+	s.VerifiedAccessInstanceIds = v
+	return s
+}
+
+type DescribeVerifiedAccessInstancesOutput struct {
+	_ struct{} `type:"structure"`
+
+	// The token to use to retrieve the next page of results. This value is null
+	// when there are no more results to return.
+	NextToken *string `locationName:"nextToken" type:"string"`
+
+	// The IDs of the Amazon Web Services Verified Access instances.
+	VerifiedAccessInstances []*VerifiedAccessInstance `locationName:"verifiedAccessInstanceSet" locationNameList:"item" type:"list"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DescribeVerifiedAccessInstancesOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DescribeVerifiedAccessInstancesOutput) GoString() string {
+	return s.String()
+}
+
+// SetNextToken sets the NextToken field's value.
+func (s *DescribeVerifiedAccessInstancesOutput) SetNextToken(v string) *DescribeVerifiedAccessInstancesOutput {
+	s.NextToken = &v
+	return s
+}
+
+// SetVerifiedAccessInstances sets the VerifiedAccessInstances field's value.
+func (s *DescribeVerifiedAccessInstancesOutput) SetVerifiedAccessInstances(v []*VerifiedAccessInstance) *DescribeVerifiedAccessInstancesOutput {
+	s.VerifiedAccessInstances = v
+	return s
+}
+
+type DescribeVerifiedAccessTrustProvidersInput struct {
+	_ struct{} `type:"structure"`
+
+	// Checks whether you have the required permissions for the action, without
+	// actually making the request, and provides an error response. If you have
+	// the required permissions, the error response is DryRunOperation. Otherwise,
+	// it is UnauthorizedOperation.
+	DryRun *bool `type:"boolean"`
+
+	// One or more filters. Filter names and values are case-sensitive.
+	Filters []*Filter `locationName:"Filter" locationNameList:"Filter" type:"list"`
+
+	// The maximum number of results to return with a single call. To retrieve the
+	// remaining results, make another call with the returned nextToken value.
+	MaxResults *int64 `min:"5" type:"integer"`
+
+	// The token for the next page of results.
+	NextToken *string `type:"string"`
+
+	// The IDs of the Amazon Web Services Verified Access trust providers.
+	VerifiedAccessTrustProviderIds []*string `locationName:"VerifiedAccessTrustProviderId" locationNameList:"item" type:"list"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DescribeVerifiedAccessTrustProvidersInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DescribeVerifiedAccessTrustProvidersInput) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *DescribeVerifiedAccessTrustProvidersInput) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "DescribeVerifiedAccessTrustProvidersInput"}
+	if s.MaxResults != nil && *s.MaxResults < 5 {
+		invalidParams.Add(request.NewErrParamMinValue("MaxResults", 5))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetDryRun sets the DryRun field's value.
+func (s *DescribeVerifiedAccessTrustProvidersInput) SetDryRun(v bool) *DescribeVerifiedAccessTrustProvidersInput {
+	s.DryRun = &v
+	return s
+}
+
+// SetFilters sets the Filters field's value.
+func (s *DescribeVerifiedAccessTrustProvidersInput) SetFilters(v []*Filter) *DescribeVerifiedAccessTrustProvidersInput {
+	s.Filters = v
+	return s
+}
+
+// SetMaxResults sets the MaxResults field's value.
+func (s *DescribeVerifiedAccessTrustProvidersInput) SetMaxResults(v int64) *DescribeVerifiedAccessTrustProvidersInput {
+	s.MaxResults = &v
+	return s
+}
+
+// SetNextToken sets the NextToken field's value.
+func (s *DescribeVerifiedAccessTrustProvidersInput) SetNextToken(v string) *DescribeVerifiedAccessTrustProvidersInput {
+	s.NextToken = &v
+	return s
+}
+
+// SetVerifiedAccessTrustProviderIds sets the VerifiedAccessTrustProviderIds field's value.
+func (s *DescribeVerifiedAccessTrustProvidersInput) SetVerifiedAccessTrustProviderIds(v []*string) *DescribeVerifiedAccessTrustProvidersInput {
+	s.VerifiedAccessTrustProviderIds = v
+	return s
+}
+
+type DescribeVerifiedAccessTrustProvidersOutput struct {
+	_ struct{} `type:"structure"`
+
+	// The token to use to retrieve the next page of results. This value is null
+	// when there are no more results to return.
+	NextToken *string `locationName:"nextToken" type:"string"`
+
+	// The IDs of the Amazon Web Services Verified Access trust providers.
+	VerifiedAccessTrustProviders []*VerifiedAccessTrustProvider `locationName:"verifiedAccessTrustProviderSet" locationNameList:"item" type:"list"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DescribeVerifiedAccessTrustProvidersOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DescribeVerifiedAccessTrustProvidersOutput) GoString() string {
+	return s.String()
+}
+
+// SetNextToken sets the NextToken field's value.
+func (s *DescribeVerifiedAccessTrustProvidersOutput) SetNextToken(v string) *DescribeVerifiedAccessTrustProvidersOutput {
+	s.NextToken = &v
+	return s
+}
+
+// SetVerifiedAccessTrustProviders sets the VerifiedAccessTrustProviders field's value.
+func (s *DescribeVerifiedAccessTrustProvidersOutput) SetVerifiedAccessTrustProviders(v []*VerifiedAccessTrustProvider) *DescribeVerifiedAccessTrustProvidersOutput {
+	s.VerifiedAccessTrustProviders = v
+	return s
+}
+
 type DescribeVolumeAttributeInput struct {
 	_ struct{} `type:"structure"`
 
@@ -99576,9 +104626,12 @@ type DescribeVpcEndpointServicesInput struct {
 
 	// One or more filters.
 	//
+	//    * owner - The ID or alias of the Amazon Web Services account that owns
+	//    the service.
+	//
 	//    * service-name - The name of the service.
 	//
-	//    * service-type - The type of service (Interface | Gateway).
+	//    * service-type - The type of service (Interface | Gateway | GatewayLoadBalancer).
 	//
 	//    * supported-ip-address-types - The IP address type (ipv4 | ipv6).
 	//
@@ -99723,16 +104776,6 @@ type DescribeVpcEndpointsInput struct {
 	//
 	//    * service-name - The name of the service.
 	//
-	//    * vpc-id - The ID of the VPC in which the endpoint resides.
-	//
-	//    * vpc-endpoint-id - The ID of the endpoint.
-	//
-	//    * vpc-endpoint-state - The state of the endpoint (pendingAcceptance |
-	//    pending | available | deleting | deleted | rejected | failed).
-	//
-	//    * vpc-endpoint-type - The type of VPC endpoint (Interface | Gateway |
-	//    GatewayLoadBalancer).
-	//
 	//    * tag:<key> - The key/value combination of a tag assigned to the resource.
 	//    Use the tag key in the filter name and the tag value as the filter value.
 	//    For example, to find all resources that have a tag with the key Owner
@@ -99742,6 +104785,16 @@ type DescribeVpcEndpointsInput struct {
 	//    * tag-key - The key of a tag assigned to the resource. Use this filter
 	//    to find all resources assigned a tag with a specific key, regardless of
 	//    the tag value.
+	//
+	//    * vpc-id - The ID of the VPC in which the endpoint resides.
+	//
+	//    * vpc-endpoint-id - The ID of the endpoint.
+	//
+	//    * vpc-endpoint-state - The state of the endpoint (pendingAcceptance |
+	//    pending | available | deleting | deleted | rejected | failed).
+	//
+	//    * vpc-endpoint-type - The type of VPC endpoint (Interface | Gateway |
+	//    GatewayLoadBalancer).
 	Filters []*Filter `locationName:"Filter" locationNameList:"Filter" type:"list"`
 
 	// The maximum number of items to return for this request. The request returns
@@ -100830,6 +105883,129 @@ func (s DetachNetworkInterfaceOutput) GoString() string {
 	return s.String()
 }
 
+type DetachVerifiedAccessTrustProviderInput struct {
+	_ struct{} `type:"structure"`
+
+	// A unique, case-sensitive token that you provide to ensure idempotency of
+	// your modification request. For more information, see Ensuring Idempotency
+	// (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html).
+	ClientToken *string `type:"string" idempotencyToken:"true"`
+
+	// Checks whether you have the required permissions for the action, without
+	// actually making the request, and provides an error response. If you have
+	// the required permissions, the error response is DryRunOperation. Otherwise,
+	// it is UnauthorizedOperation.
+	DryRun *bool `type:"boolean"`
+
+	// The ID of the Amazon Web Services Verified Access instance.
+	//
+	// VerifiedAccessInstanceId is a required field
+	VerifiedAccessInstanceId *string `type:"string" required:"true"`
+
+	// The ID of the Amazon Web Services Verified Access trust provider.
+	//
+	// VerifiedAccessTrustProviderId is a required field
+	VerifiedAccessTrustProviderId *string `type:"string" required:"true"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DetachVerifiedAccessTrustProviderInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DetachVerifiedAccessTrustProviderInput) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *DetachVerifiedAccessTrustProviderInput) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "DetachVerifiedAccessTrustProviderInput"}
+	if s.VerifiedAccessInstanceId == nil {
+		invalidParams.Add(request.NewErrParamRequired("VerifiedAccessInstanceId"))
+	}
+	if s.VerifiedAccessTrustProviderId == nil {
+		invalidParams.Add(request.NewErrParamRequired("VerifiedAccessTrustProviderId"))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetClientToken sets the ClientToken field's value.
+func (s *DetachVerifiedAccessTrustProviderInput) SetClientToken(v string) *DetachVerifiedAccessTrustProviderInput {
+	s.ClientToken = &v
+	return s
+}
+
+// SetDryRun sets the DryRun field's value.
+func (s *DetachVerifiedAccessTrustProviderInput) SetDryRun(v bool) *DetachVerifiedAccessTrustProviderInput {
+	s.DryRun = &v
+	return s
+}
+
+// SetVerifiedAccessInstanceId sets the VerifiedAccessInstanceId field's value.
+func (s *DetachVerifiedAccessTrustProviderInput) SetVerifiedAccessInstanceId(v string) *DetachVerifiedAccessTrustProviderInput {
+	s.VerifiedAccessInstanceId = &v
+	return s
+}
+
+// SetVerifiedAccessTrustProviderId sets the VerifiedAccessTrustProviderId field's value.
+func (s *DetachVerifiedAccessTrustProviderInput) SetVerifiedAccessTrustProviderId(v string) *DetachVerifiedAccessTrustProviderInput {
+	s.VerifiedAccessTrustProviderId = &v
+	return s
+}
+
+type DetachVerifiedAccessTrustProviderOutput struct {
+	_ struct{} `type:"structure"`
+
+	// The ID of the Amazon Web Services Verified Access instance.
+	VerifiedAccessInstance *VerifiedAccessInstance `locationName:"verifiedAccessInstance" type:"structure"`
+
+	// The ID of the Amazon Web Services Verified Access trust provider.
+	VerifiedAccessTrustProvider *VerifiedAccessTrustProvider `locationName:"verifiedAccessTrustProvider" type:"structure"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DetachVerifiedAccessTrustProviderOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DetachVerifiedAccessTrustProviderOutput) GoString() string {
+	return s.String()
+}
+
+// SetVerifiedAccessInstance sets the VerifiedAccessInstance field's value.
+func (s *DetachVerifiedAccessTrustProviderOutput) SetVerifiedAccessInstance(v *VerifiedAccessInstance) *DetachVerifiedAccessTrustProviderOutput {
+	s.VerifiedAccessInstance = v
+	return s
+}
+
+// SetVerifiedAccessTrustProvider sets the VerifiedAccessTrustProvider field's value.
+func (s *DetachVerifiedAccessTrustProviderOutput) SetVerifiedAccessTrustProvider(v *VerifiedAccessTrustProvider) *DetachVerifiedAccessTrustProviderOutput {
+	s.VerifiedAccessTrustProvider = v
+	return s
+}
+
 type DetachVolumeInput struct {
 	_ struct{} `type:"structure"`
 
@@ -101017,6 +106193,39 @@ func (s DetachVpnGatewayOutput) GoString() string {
 	return s.String()
 }
 
+// Options for an Amazon Web Services Verified Access device-identity based
+// trust provider.
+type DeviceOptions struct {
+	_ struct{} `type:"structure"`
+
+	// The ID of the tenant application with the device-identity provider.
+	TenantId *string `locationName:"tenantId" type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DeviceOptions) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DeviceOptions) GoString() string {
+	return s.String()
+}
+
+// SetTenantId sets the TenantId field's value.
+func (s *DeviceOptions) SetTenantId(v string) *DeviceOptions {
+	s.TenantId = &v
+	return s
+}
+
 // Describes a DHCP configuration option.
 type DhcpConfiguration struct {
 	_ struct{} `type:"structure"`
@@ -101270,6 +106479,109 @@ func (s *DisableAddressTransferOutput) SetAddressTransfer(v *AddressTransfer) *D
 	return s
 }
 
+type DisableAwsNetworkPerformanceMetricSubscriptionInput struct {
+	_ struct{} `type:"structure"`
+
+	// The target Region or Availability Zone that the metric subscription is disabled
+	// for. For example, eu-north-1.
+	Destination *string `type:"string"`
+
+	// Checks whether you have the required permissions for the action, without
+	// actually making the request, and provides an error response. If you have
+	// the required permissions, the error response is DryRunOperation. Otherwise,
+	// it is UnauthorizedOperation.
+	DryRun *bool `type:"boolean"`
+
+	// The metric used for the disabled subscription.
+	Metric *string `type:"string" enum:"MetricType"`
+
+	// The source Region or Availability Zone that the metric subscription is disabled
+	// for. For example, us-east-1.
+	Source *string `type:"string"`
+
+	// The statistic used for the disabled subscription.
+	Statistic *string `type:"string" enum:"StatisticType"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DisableAwsNetworkPerformanceMetricSubscriptionInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DisableAwsNetworkPerformanceMetricSubscriptionInput) GoString() string {
+	return s.String()
+}
+
+// SetDestination sets the Destination field's value.
+func (s *DisableAwsNetworkPerformanceMetricSubscriptionInput) SetDestination(v string) *DisableAwsNetworkPerformanceMetricSubscriptionInput {
+	s.Destination = &v
+	return s
+}
+
+// SetDryRun sets the DryRun field's value.
+func (s *DisableAwsNetworkPerformanceMetricSubscriptionInput) SetDryRun(v bool) *DisableAwsNetworkPerformanceMetricSubscriptionInput {
+	s.DryRun = &v
+	return s
+}
+
+// SetMetric sets the Metric field's value.
+func (s *DisableAwsNetworkPerformanceMetricSubscriptionInput) SetMetric(v string) *DisableAwsNetworkPerformanceMetricSubscriptionInput {
+	s.Metric = &v
+	return s
+}
+
+// SetSource sets the Source field's value.
+func (s *DisableAwsNetworkPerformanceMetricSubscriptionInput) SetSource(v string) *DisableAwsNetworkPerformanceMetricSubscriptionInput {
+	s.Source = &v
+	return s
+}
+
+// SetStatistic sets the Statistic field's value.
+func (s *DisableAwsNetworkPerformanceMetricSubscriptionInput) SetStatistic(v string) *DisableAwsNetworkPerformanceMetricSubscriptionInput {
+	s.Statistic = &v
+	return s
+}
+
+type DisableAwsNetworkPerformanceMetricSubscriptionOutput struct {
+	_ struct{} `type:"structure"`
+
+	// Indicates whether the unsubscribe action was successful.
+	Output *bool `locationName:"output" type:"boolean"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DisableAwsNetworkPerformanceMetricSubscriptionOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DisableAwsNetworkPerformanceMetricSubscriptionOutput) GoString() string {
+	return s.String()
+}
+
+// SetOutput sets the Output field's value.
+func (s *DisableAwsNetworkPerformanceMetricSubscriptionOutput) SetOutput(v bool) *DisableAwsNetworkPerformanceMetricSubscriptionOutput {
+	s.Output = &v
+	return s
+}
+
 type DisableEbsEncryptionByDefaultInput struct {
 	_ struct{} `type:"structure"`
 
@@ -104946,6 +110258,96 @@ func (s *ElasticInferenceAcceleratorAssociation) SetElasticInferenceAcceleratorA
 	return s
 }
 
+// ENA Express uses Amazon Web Services Scalable Reliable Datagram (SRD) technology
+// to increase the maximum bandwidth used per stream and minimize tail latency
+// of network traffic between EC2 instances. With ENA Express, you can communicate
+// between two EC2 instances in the same subnet within the same account, or
+// in different accounts. Both sending and receiving instances must have ENA
+// Express enabled.
+//
+// To improve the reliability of network packet delivery, ENA Express reorders
+// network packets on the receiving end by default. However, some UDP-based
+// applications are designed to handle network packets that are out of order
+// to reduce the overhead for packet delivery at the network layer. When ENA
+// Express is enabled, you can specify whether UDP network traffic uses it.
+type EnaSrdSpecification struct {
+	_ struct{} `type:"structure"`
+
+	// Indicates whether ENA Express is enabled for the network interface.
+	EnaSrdEnabled *bool `type:"boolean"`
+
+	// Configures ENA Express for UDP network traffic.
+	EnaSrdUdpSpecification *EnaSrdUdpSpecification `type:"structure"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s EnaSrdSpecification) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s EnaSrdSpecification) GoString() string {
+	return s.String()
+}
+
+// SetEnaSrdEnabled sets the EnaSrdEnabled field's value.
+func (s *EnaSrdSpecification) SetEnaSrdEnabled(v bool) *EnaSrdSpecification {
+	s.EnaSrdEnabled = &v
+	return s
+}
+
+// SetEnaSrdUdpSpecification sets the EnaSrdUdpSpecification field's value.
+func (s *EnaSrdSpecification) SetEnaSrdUdpSpecification(v *EnaSrdUdpSpecification) *EnaSrdSpecification {
+	s.EnaSrdUdpSpecification = v
+	return s
+}
+
+// ENA Express is compatible with both TCP and UDP transport protocols. When
+// it’s enabled, TCP traffic automatically uses it. However, some UDP-based
+// applications are designed to handle network packets that are out of order,
+// without a need for retransmission, such as live video broadcasting or other
+// near-real-time applications. For UDP traffic, you can specify whether to
+// use ENA Express, based on your application environment needs.
+type EnaSrdUdpSpecification struct {
+	_ struct{} `type:"structure"`
+
+	// Indicates whether UDP traffic uses ENA Express. To specify this setting,
+	// you must first enable ENA Express.
+	EnaSrdUdpEnabled *bool `type:"boolean"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s EnaSrdUdpSpecification) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s EnaSrdUdpSpecification) GoString() string {
+	return s.String()
+}
+
+// SetEnaSrdUdpEnabled sets the EnaSrdUdpEnabled field's value.
+func (s *EnaSrdUdpSpecification) SetEnaSrdUdpEnabled(v bool) *EnaSrdUdpSpecification {
+	s.EnaSrdUdpEnabled = &v
+	return s
+}
+
 type EnableAddressTransferInput struct {
 	_ struct{} `type:"structure"`
 
@@ -105049,6 +110451,109 @@ func (s *EnableAddressTransferOutput) SetAddressTransfer(v *AddressTransfer) *En
 	return s
 }
 
+type EnableAwsNetworkPerformanceMetricSubscriptionInput struct {
+	_ struct{} `type:"structure"`
+
+	// The target Region or Availability Zone that the metric subscription is enabled
+	// for. For example, eu-west-1.
+	Destination *string `type:"string"`
+
+	// Checks whether you have the required permissions for the action, without
+	// actually making the request, and provides an error response. If you have
+	// the required permissions, the error response is DryRunOperation. Otherwise,
+	// it is UnauthorizedOperation.
+	DryRun *bool `type:"boolean"`
+
+	// The metric used for the enabled subscription.
+	Metric *string `type:"string" enum:"MetricType"`
+
+	// The source Region or Availability Zone that the metric subscription is enabled
+	// for. For example, us-east-1.
+	Source *string `type:"string"`
+
+	// The statistic used for the enabled subscription.
+	Statistic *string `type:"string" enum:"StatisticType"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s EnableAwsNetworkPerformanceMetricSubscriptionInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s EnableAwsNetworkPerformanceMetricSubscriptionInput) GoString() string {
+	return s.String()
+}
+
+// SetDestination sets the Destination field's value.
+func (s *EnableAwsNetworkPerformanceMetricSubscriptionInput) SetDestination(v string) *EnableAwsNetworkPerformanceMetricSubscriptionInput {
+	s.Destination = &v
+	return s
+}
+
+// SetDryRun sets the DryRun field's value.
+func (s *EnableAwsNetworkPerformanceMetricSubscriptionInput) SetDryRun(v bool) *EnableAwsNetworkPerformanceMetricSubscriptionInput {
+	s.DryRun = &v
+	return s
+}
+
+// SetMetric sets the Metric field's value.
+func (s *EnableAwsNetworkPerformanceMetricSubscriptionInput) SetMetric(v string) *EnableAwsNetworkPerformanceMetricSubscriptionInput {
+	s.Metric = &v
+	return s
+}
+
+// SetSource sets the Source field's value.
+func (s *EnableAwsNetworkPerformanceMetricSubscriptionInput) SetSource(v string) *EnableAwsNetworkPerformanceMetricSubscriptionInput {
+	s.Source = &v
+	return s
+}
+
+// SetStatistic sets the Statistic field's value.
+func (s *EnableAwsNetworkPerformanceMetricSubscriptionInput) SetStatistic(v string) *EnableAwsNetworkPerformanceMetricSubscriptionInput {
+	s.Statistic = &v
+	return s
+}
+
+type EnableAwsNetworkPerformanceMetricSubscriptionOutput struct {
+	_ struct{} `type:"structure"`
+
+	// Indicates whether the subscribe action was successful.
+	Output *bool `locationName:"output" type:"boolean"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s EnableAwsNetworkPerformanceMetricSubscriptionOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s EnableAwsNetworkPerformanceMetricSubscriptionOutput) GoString() string {
+	return s.String()
+}
+
+// SetOutput sets the Output field's value.
+func (s *EnableAwsNetworkPerformanceMetricSubscriptionOutput) SetOutput(v bool) *EnableAwsNetworkPerformanceMetricSubscriptionOutput {
+	s.Output = &v
+	return s
+}
+
 type EnableEbsEncryptionByDefaultInput struct {
 	_ struct{} `type:"structure"`
 
@@ -105896,6 +111401,71 @@ func (s *EnableIpamOrganizationAdminAccountOutput) SetSuccess(v bool) *EnableIpa
 	return s
 }
 
+type EnableReachabilityAnalyzerOrganizationSharingInput struct {
+	_ struct{} `type:"structure"`
+
+	// Checks whether you have the required permissions for the action, without
+	// actually making the request, and provides an error response. If you have
+	// the required permissions, the error response is DryRunOperation. Otherwise,
+	// it is UnauthorizedOperation.
+	DryRun *bool `type:"boolean"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s EnableReachabilityAnalyzerOrganizationSharingInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s EnableReachabilityAnalyzerOrganizationSharingInput) GoString() string {
+	return s.String()
+}
+
+// SetDryRun sets the DryRun field's value.
+func (s *EnableReachabilityAnalyzerOrganizationSharingInput) SetDryRun(v bool) *EnableReachabilityAnalyzerOrganizationSharingInput {
+	s.DryRun = &v
+	return s
+}
+
+type EnableReachabilityAnalyzerOrganizationSharingOutput struct {
+	_ struct{} `type:"structure"`
+
+	// Returns true if the request succeeds; otherwise, returns an error.
+	ReturnValue *bool `locationName:"returnValue" type:"boolean"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s EnableReachabilityAnalyzerOrganizationSharingOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s EnableReachabilityAnalyzerOrganizationSharingOutput) GoString() string {
+	return s.String()
+}
+
+// SetReturnValue sets the ReturnValue field's value.
+func (s *EnableReachabilityAnalyzerOrganizationSharingOutput) SetReturnValue(v bool) *EnableReachabilityAnalyzerOrganizationSharingOutput {
+	s.ReturnValue = &v
+	return s
+}
+
 type EnableSerialConsoleAccessInput struct {
 	_ struct{} `type:"structure"`
 
@@ -109876,6 +115446,8 @@ type FpgaImage struct {
 	// The FPGA image identifier (AFI ID).
 	FpgaImageId *string `locationName:"fpgaImageId" type:"string"`
 
+	InstanceTypes []*string `locationName:"instanceTypes" locationNameList:"item" type:"list"`
+
 	// The name of the AFI.
 	Name *string `locationName:"name" type:"string"`
 
@@ -109956,6 +115528,12 @@ func (s *FpgaImage) SetFpgaImageId(v string) *FpgaImage {
 	return s
 }
 
+// SetInstanceTypes sets the InstanceTypes field's value.
+func (s *FpgaImage) SetInstanceTypes(v []*string) *FpgaImage {
+	s.InstanceTypes = v
+	return s
+}
+
 // SetName sets the Name field's value.
 func (s *FpgaImage) SetName(v string) *FpgaImage {
 	s.Name = &v
@@ -110384,6 +115962,129 @@ func (s *GetAssociatedIpv6PoolCidrsOutput) SetNextToken(v string) *GetAssociated
 	return s
 }
 
+type GetAwsNetworkPerformanceDataInput struct {
+	_ struct{} `type:"structure"`
+
+	// A list of network performance data queries.
+	DataQueries []*DataQuery `locationName:"DataQuery" type:"list"`
+
+	// Checks whether you have the required permissions for the action, without
+	// actually making the request, and provides an error response. If you have
+	// the required permissions, the error response is DryRunOperation. Otherwise,
+	// it is UnauthorizedOperation.
+	DryRun *bool `type:"boolean"`
+
+	// The ending time for the performance data request. The end time must be formatted
+	// as yyyy-mm-ddThh:mm:ss. For example, 2022-06-12T12:00:00.000Z.
+	EndTime *time.Time `type:"timestamp"`
+
+	// The maximum number of results to return with a single call. To retrieve the
+	// remaining results, make another call with the returned nextToken value.
+	MaxResults *int64 `type:"integer"`
+
+	// The token for the next page of results.
+	NextToken *string `type:"string"`
+
+	// The starting time for the performance data request. The starting time must
+	// be formatted as yyyy-mm-ddThh:mm:ss. For example, 2022-06-10T12:00:00.000Z.
+	StartTime *time.Time `type:"timestamp"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s GetAwsNetworkPerformanceDataInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s GetAwsNetworkPerformanceDataInput) GoString() string {
+	return s.String()
+}
+
+// SetDataQueries sets the DataQueries field's value.
+func (s *GetAwsNetworkPerformanceDataInput) SetDataQueries(v []*DataQuery) *GetAwsNetworkPerformanceDataInput {
+	s.DataQueries = v
+	return s
+}
+
+// SetDryRun sets the DryRun field's value.
+func (s *GetAwsNetworkPerformanceDataInput) SetDryRun(v bool) *GetAwsNetworkPerformanceDataInput {
+	s.DryRun = &v
+	return s
+}
+
+// SetEndTime sets the EndTime field's value.
+func (s *GetAwsNetworkPerformanceDataInput) SetEndTime(v time.Time) *GetAwsNetworkPerformanceDataInput {
+	s.EndTime = &v
+	return s
+}
+
+// SetMaxResults sets the MaxResults field's value.
+func (s *GetAwsNetworkPerformanceDataInput) SetMaxResults(v int64) *GetAwsNetworkPerformanceDataInput {
+	s.MaxResults = &v
+	return s
+}
+
+// SetNextToken sets the NextToken field's value.
+func (s *GetAwsNetworkPerformanceDataInput) SetNextToken(v string) *GetAwsNetworkPerformanceDataInput {
+	s.NextToken = &v
+	return s
+}
+
+// SetStartTime sets the StartTime field's value.
+func (s *GetAwsNetworkPerformanceDataInput) SetStartTime(v time.Time) *GetAwsNetworkPerformanceDataInput {
+	s.StartTime = &v
+	return s
+}
+
+type GetAwsNetworkPerformanceDataOutput struct {
+	_ struct{} `type:"structure"`
+
+	// The list of data responses.
+	DataResponses []*DataResponse `locationName:"dataResponseSet" locationNameList:"item" type:"list"`
+
+	// The token to use to retrieve the next page of results. This value is null
+	// when there are no more results to return.
+	NextToken *string `locationName:"nextToken" type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s GetAwsNetworkPerformanceDataOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s GetAwsNetworkPerformanceDataOutput) GoString() string {
+	return s.String()
+}
+
+// SetDataResponses sets the DataResponses field's value.
+func (s *GetAwsNetworkPerformanceDataOutput) SetDataResponses(v []*DataResponse) *GetAwsNetworkPerformanceDataOutput {
+	s.DataResponses = v
+	return s
+}
+
+// SetNextToken sets the NextToken field's value.
+func (s *GetAwsNetworkPerformanceDataOutput) SetNextToken(v string) *GetAwsNetworkPerformanceDataOutput {
+	s.NextToken = &v
+	return s
+}
+
 type GetCapacityReservationUsageInput struct {
 	_ struct{} `type:"structure"`
 
@@ -114620,6 +120321,202 @@ func (s *GetTransitGatewayRouteTablePropagationsOutput) SetTransitGatewayRouteTa
 	return s
 }
 
+type GetVerifiedAccessEndpointPolicyInput struct {
+	_ struct{} `type:"structure"`
+
+	// Checks whether you have the required permissions for the action, without
+	// actually making the request, and provides an error response. If you have
+	// the required permissions, the error response is DryRunOperation. Otherwise,
+	// it is UnauthorizedOperation.
+	DryRun *bool `type:"boolean"`
+
+	// The ID of the Amazon Web Services Verified Access endpoint.
+	//
+	// VerifiedAccessEndpointId is a required field
+	VerifiedAccessEndpointId *string `type:"string" required:"true"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s GetVerifiedAccessEndpointPolicyInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s GetVerifiedAccessEndpointPolicyInput) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *GetVerifiedAccessEndpointPolicyInput) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "GetVerifiedAccessEndpointPolicyInput"}
+	if s.VerifiedAccessEndpointId == nil {
+		invalidParams.Add(request.NewErrParamRequired("VerifiedAccessEndpointId"))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetDryRun sets the DryRun field's value.
+func (s *GetVerifiedAccessEndpointPolicyInput) SetDryRun(v bool) *GetVerifiedAccessEndpointPolicyInput {
+	s.DryRun = &v
+	return s
+}
+
+// SetVerifiedAccessEndpointId sets the VerifiedAccessEndpointId field's value.
+func (s *GetVerifiedAccessEndpointPolicyInput) SetVerifiedAccessEndpointId(v string) *GetVerifiedAccessEndpointPolicyInput {
+	s.VerifiedAccessEndpointId = &v
+	return s
+}
+
+type GetVerifiedAccessEndpointPolicyOutput struct {
+	_ struct{} `type:"structure"`
+
+	// The Amazon Web Services Verified Access policy document.
+	PolicyDocument *string `locationName:"policyDocument" type:"string"`
+
+	// The status of the Verified Access policy.
+	PolicyEnabled *bool `locationName:"policyEnabled" type:"boolean"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s GetVerifiedAccessEndpointPolicyOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s GetVerifiedAccessEndpointPolicyOutput) GoString() string {
+	return s.String()
+}
+
+// SetPolicyDocument sets the PolicyDocument field's value.
+func (s *GetVerifiedAccessEndpointPolicyOutput) SetPolicyDocument(v string) *GetVerifiedAccessEndpointPolicyOutput {
+	s.PolicyDocument = &v
+	return s
+}
+
+// SetPolicyEnabled sets the PolicyEnabled field's value.
+func (s *GetVerifiedAccessEndpointPolicyOutput) SetPolicyEnabled(v bool) *GetVerifiedAccessEndpointPolicyOutput {
+	s.PolicyEnabled = &v
+	return s
+}
+
+type GetVerifiedAccessGroupPolicyInput struct {
+	_ struct{} `type:"structure"`
+
+	// Checks whether you have the required permissions for the action, without
+	// actually making the request, and provides an error response. If you have
+	// the required permissions, the error response is DryRunOperation. Otherwise,
+	// it is UnauthorizedOperation.
+	DryRun *bool `type:"boolean"`
+
+	// The ID of the Amazon Web Services Verified Access group.
+	//
+	// VerifiedAccessGroupId is a required field
+	VerifiedAccessGroupId *string `type:"string" required:"true"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s GetVerifiedAccessGroupPolicyInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s GetVerifiedAccessGroupPolicyInput) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *GetVerifiedAccessGroupPolicyInput) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "GetVerifiedAccessGroupPolicyInput"}
+	if s.VerifiedAccessGroupId == nil {
+		invalidParams.Add(request.NewErrParamRequired("VerifiedAccessGroupId"))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetDryRun sets the DryRun field's value.
+func (s *GetVerifiedAccessGroupPolicyInput) SetDryRun(v bool) *GetVerifiedAccessGroupPolicyInput {
+	s.DryRun = &v
+	return s
+}
+
+// SetVerifiedAccessGroupId sets the VerifiedAccessGroupId field's value.
+func (s *GetVerifiedAccessGroupPolicyInput) SetVerifiedAccessGroupId(v string) *GetVerifiedAccessGroupPolicyInput {
+	s.VerifiedAccessGroupId = &v
+	return s
+}
+
+type GetVerifiedAccessGroupPolicyOutput struct {
+	_ struct{} `type:"structure"`
+
+	// The Amazon Web Services Verified Access policy document.
+	PolicyDocument *string `locationName:"policyDocument" type:"string"`
+
+	// The status of the Verified Access policy.
+	PolicyEnabled *bool `locationName:"policyEnabled" type:"boolean"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s GetVerifiedAccessGroupPolicyOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s GetVerifiedAccessGroupPolicyOutput) GoString() string {
+	return s.String()
+}
+
+// SetPolicyDocument sets the PolicyDocument field's value.
+func (s *GetVerifiedAccessGroupPolicyOutput) SetPolicyDocument(v string) *GetVerifiedAccessGroupPolicyOutput {
+	s.PolicyDocument = &v
+	return s
+}
+
+// SetPolicyEnabled sets the PolicyEnabled field's value.
+func (s *GetVerifiedAccessGroupPolicyOutput) SetPolicyEnabled(v bool) *GetVerifiedAccessGroupPolicyOutput {
+	s.PolicyEnabled = &v
+	return s
+}
+
 type GetVpnConnectionDeviceSampleConfigurationInput struct {
 	_ struct{} `type:"structure"`
 
@@ -116083,7 +121980,7 @@ type Image struct {
 	BlockDeviceMappings []*BlockDeviceMapping `locationName:"blockDeviceMapping" locationNameList:"item" type:"list"`
 
 	// The boot mode of the image. For more information, see Boot modes (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-boot.html)
-	// in the Amazon Elastic Compute Cloud User Guide.
+	// in the Amazon EC2 User Guide.
 	BootMode *string `locationName:"bootMode" type:"string" enum:"BootModeValues"`
 
 	// The date and time the image was created.
@@ -116121,7 +122018,7 @@ type Image struct {
 	// by default, the instance requires that IMDSv2 is used when requesting instance
 	// metadata. In addition, HttpPutResponseHopLimit is set to 2. For more information,
 	// see Configure the AMI (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html#configure-IMDS-new-instances-ami-configuration)
-	// in the Amazon Elastic Compute Cloud User Guide.
+	// in the Amazon EC2 User Guide.
 	ImdsSupport *string `locationName:"imdsSupport" type:"string" enum:"ImdsSupportValues"`
 
 	// The kernel associated with the image, if any. Only applicable for machine
@@ -116139,7 +122036,7 @@ type Image struct {
 
 	// The platform details associated with the billing code of the AMI. For more
 	// information, see Understand AMI billing information (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-billing-info.html)
-	// in the Amazon Elastic Compute Cloud User Guide.
+	// in the Amazon EC2 User Guide.
 	PlatformDetails *string `locationName:"platformDetails" type:"string"`
 
 	// Any product codes associated with the AMI.
@@ -116177,7 +122074,7 @@ type Image struct {
 
 	// If the image is configured for NitroTPM support, the value is v2.0. For more
 	// information, see NitroTPM (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitrotpm.html)
-	// in the Amazon Elastic Compute Cloud User Guide.
+	// in the Amazon EC2 User Guide.
 	TpmSupport *string `locationName:"tpmSupport" type:"string" enum:"TpmSupportValues"`
 
 	// The operation of the Amazon EC2 instance and the billing code that is associated
@@ -128417,7 +134314,7 @@ type LocalGatewayRouteTable struct {
 	// The state of the local gateway route table.
 	State *string `locationName:"state" type:"string"`
 
-	// Describes a state change.
+	// Information about the state change.
 	StateReason *StateReason `locationName:"stateReason" type:"structure"`
 
 	// The tags assigned to the local gateway route table.
@@ -129197,6 +135094,69 @@ func (s *MemoryMiBRequest) SetMin(v int64) *MemoryMiBRequest {
 	return s
 }
 
+// Indicates whether the network was healthy or unhealthy at a particular point.
+// The value is aggregated from the startDate to the endDate. Currently only
+// five_minutes is supported.
+type MetricPoint struct {
+	_ struct{} `type:"structure"`
+
+	// The end date for the metric point. The ending time must be formatted as yyyy-mm-ddThh:mm:ss.
+	// For example, 2022-06-12T12:00:00.000Z.
+	EndDate *time.Time `locationName:"endDate" type:"timestamp"`
+
+	// The start date for the metric point. The starting date for the metric point.
+	// The starting time must be formatted as yyyy-mm-ddThh:mm:ss. For example,
+	// 2022-06-10T12:00:00.000Z.
+	StartDate *time.Time `locationName:"startDate" type:"timestamp"`
+
+	// The status of the metric point.
+	Status *string `locationName:"status" type:"string"`
+
+	Value *float64 `locationName:"value" type:"float"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s MetricPoint) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s MetricPoint) GoString() string {
+	return s.String()
+}
+
+// SetEndDate sets the EndDate field's value.
+func (s *MetricPoint) SetEndDate(v time.Time) *MetricPoint {
+	s.EndDate = &v
+	return s
+}
+
+// SetStartDate sets the StartDate field's value.
+func (s *MetricPoint) SetStartDate(v time.Time) *MetricPoint {
+	s.StartDate = &v
+	return s
+}
+
+// SetStatus sets the Status field's value.
+func (s *MetricPoint) SetStatus(v string) *MetricPoint {
+	s.Status = &v
+	return s
+}
+
+// SetValue sets the Value field's value.
+func (s *MetricPoint) SetValue(v float64) *MetricPoint {
+	s.Value = &v
+	return s
+}
+
 type ModifyAddressAttributeInput struct {
 	_ struct{} `type:"structure"`
 
@@ -132877,7 +138837,7 @@ func (s *ModifyLocalGatewayRouteInput) SetNetworkInterfaceId(v string) *ModifyLo
 type ModifyLocalGatewayRouteOutput struct {
 	_ struct{} `type:"structure"`
 
-	// Describes a route for a local gateway route table.
+	// Information about the local gateway route table.
 	Route *LocalGatewayRoute `locationName:"route" type:"structure"`
 }
 
@@ -133069,7 +139029,7 @@ func (s *ModifyManagedPrefixListOutput) SetPrefixList(v *ManagedPrefixList) *Mod
 type ModifyNetworkInterfaceAttributeInput struct {
 	_ struct{} `type:"structure"`
 
-	// Information about the interface attachment. If modifying the 'delete on termination'
+	// Information about the interface attachment. If modifying the delete on termination
 	// attribute, you must specify the ID of the interface attachment.
 	Attachment *NetworkInterfaceAttachmentChanges `locationName:"attachment" type:"structure"`
 
@@ -133082,6 +139042,10 @@ type ModifyNetworkInterfaceAttributeInput struct {
 	// it is UnauthorizedOperation.
 	DryRun *bool `locationName:"dryRun" type:"boolean"`
 
+	// Updates the ENA Express configuration for the network interface that’s
+	// attached to the instance.
+	EnaSrdSpecification *EnaSrdSpecification `type:"structure"`
+
 	// Changes the security groups for the network interface. The new set of groups
 	// you specify replaces the current set. You must specify at least one group,
 	// even if it's just the default security group in the VPC. You must specify
@@ -133151,6 +139115,12 @@ func (s *ModifyNetworkInterfaceAttributeInput) SetDryRun(v bool) *ModifyNetworkI
 	return s
 }
 
+// SetEnaSrdSpecification sets the EnaSrdSpecification field's value.
+func (s *ModifyNetworkInterfaceAttributeInput) SetEnaSrdSpecification(v *EnaSrdSpecification) *ModifyNetworkInterfaceAttributeInput {
+	s.EnaSrdSpecification = v
+	return s
+}
+
 // SetGroups sets the Groups field's value.
 func (s *ModifyNetworkInterfaceAttributeInput) SetGroups(v []*string) *ModifyNetworkInterfaceAttributeInput {
 	s.Groups = v
@@ -134716,7 +140686,7 @@ func (s *ModifyTransitGatewayOptions) SetVpnEcmpSupport(v string) *ModifyTransit
 type ModifyTransitGatewayOutput struct {
 	_ struct{} `type:"structure"`
 
-	// Describes a transit gateway.
+	// Information about the transit gateway.
 	TransitGateway *TransitGateway `locationName:"transitGateway" type:"structure"`
 }
 
@@ -135034,6 +141004,1033 @@ func (s *ModifyTransitGatewayVpcAttachmentRequestOptions) SetIpv6Support(v strin
 	return s
 }
 
+// Options for a network-interface type Verified Access endpoint.
+type ModifyVerifiedAccessEndpointEniOptions struct {
+	_ struct{} `type:"structure"`
+
+	// The IP port number.
+	Port *int64 `min:"1" type:"integer"`
+
+	// The IP protocol.
+	Protocol *string `type:"string" enum:"VerifiedAccessEndpointProtocol"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessEndpointEniOptions) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessEndpointEniOptions) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *ModifyVerifiedAccessEndpointEniOptions) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "ModifyVerifiedAccessEndpointEniOptions"}
+	if s.Port != nil && *s.Port < 1 {
+		invalidParams.Add(request.NewErrParamMinValue("Port", 1))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetPort sets the Port field's value.
+func (s *ModifyVerifiedAccessEndpointEniOptions) SetPort(v int64) *ModifyVerifiedAccessEndpointEniOptions {
+	s.Port = &v
+	return s
+}
+
+// SetProtocol sets the Protocol field's value.
+func (s *ModifyVerifiedAccessEndpointEniOptions) SetProtocol(v string) *ModifyVerifiedAccessEndpointEniOptions {
+	s.Protocol = &v
+	return s
+}
+
+type ModifyVerifiedAccessEndpointInput struct {
+	_ struct{} `type:"structure"`
+
+	// A unique, case-sensitive token that you provide to ensure idempotency of
+	// your modification request. For more information, see Ensuring Idempotency
+	// (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html).
+	ClientToken *string `type:"string" idempotencyToken:"true"`
+
+	// A description for the Amazon Web Services Verified Access endpoint.
+	Description *string `type:"string"`
+
+	// Checks whether you have the required permissions for the action, without
+	// actually making the request, and provides an error response. If you have
+	// the required permissions, the error response is DryRunOperation. Otherwise,
+	// it is UnauthorizedOperation.
+	DryRun *bool `type:"boolean"`
+
+	// The load balancer details if creating the Amazon Web Services Verified Access
+	// endpoint as load-balancertype.
+	LoadBalancerOptions *ModifyVerifiedAccessEndpointLoadBalancerOptions `type:"structure"`
+
+	// The network interface options.
+	NetworkInterfaceOptions *ModifyVerifiedAccessEndpointEniOptions `type:"structure"`
+
+	// The ID of the Amazon Web Services Verified Access endpoint.
+	//
+	// VerifiedAccessEndpointId is a required field
+	VerifiedAccessEndpointId *string `type:"string" required:"true"`
+
+	// The ID of the Amazon Web Services Verified Access group.
+	VerifiedAccessGroupId *string `type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessEndpointInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessEndpointInput) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *ModifyVerifiedAccessEndpointInput) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "ModifyVerifiedAccessEndpointInput"}
+	if s.VerifiedAccessEndpointId == nil {
+		invalidParams.Add(request.NewErrParamRequired("VerifiedAccessEndpointId"))
+	}
+	if s.LoadBalancerOptions != nil {
+		if err := s.LoadBalancerOptions.Validate(); err != nil {
+			invalidParams.AddNested("LoadBalancerOptions", err.(request.ErrInvalidParams))
+		}
+	}
+	if s.NetworkInterfaceOptions != nil {
+		if err := s.NetworkInterfaceOptions.Validate(); err != nil {
+			invalidParams.AddNested("NetworkInterfaceOptions", err.(request.ErrInvalidParams))
+		}
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetClientToken sets the ClientToken field's value.
+func (s *ModifyVerifiedAccessEndpointInput) SetClientToken(v string) *ModifyVerifiedAccessEndpointInput {
+	s.ClientToken = &v
+	return s
+}
+
+// SetDescription sets the Description field's value.
+func (s *ModifyVerifiedAccessEndpointInput) SetDescription(v string) *ModifyVerifiedAccessEndpointInput {
+	s.Description = &v
+	return s
+}
+
+// SetDryRun sets the DryRun field's value.
+func (s *ModifyVerifiedAccessEndpointInput) SetDryRun(v bool) *ModifyVerifiedAccessEndpointInput {
+	s.DryRun = &v
+	return s
+}
+
+// SetLoadBalancerOptions sets the LoadBalancerOptions field's value.
+func (s *ModifyVerifiedAccessEndpointInput) SetLoadBalancerOptions(v *ModifyVerifiedAccessEndpointLoadBalancerOptions) *ModifyVerifiedAccessEndpointInput {
+	s.LoadBalancerOptions = v
+	return s
+}
+
+// SetNetworkInterfaceOptions sets the NetworkInterfaceOptions field's value.
+func (s *ModifyVerifiedAccessEndpointInput) SetNetworkInterfaceOptions(v *ModifyVerifiedAccessEndpointEniOptions) *ModifyVerifiedAccessEndpointInput {
+	s.NetworkInterfaceOptions = v
+	return s
+}
+
+// SetVerifiedAccessEndpointId sets the VerifiedAccessEndpointId field's value.
+func (s *ModifyVerifiedAccessEndpointInput) SetVerifiedAccessEndpointId(v string) *ModifyVerifiedAccessEndpointInput {
+	s.VerifiedAccessEndpointId = &v
+	return s
+}
+
+// SetVerifiedAccessGroupId sets the VerifiedAccessGroupId field's value.
+func (s *ModifyVerifiedAccessEndpointInput) SetVerifiedAccessGroupId(v string) *ModifyVerifiedAccessEndpointInput {
+	s.VerifiedAccessGroupId = &v
+	return s
+}
+
+// Describes a load balancer when creating an Amazon Web Services Verified Access
+// endpoint using the load-balancer type.
+type ModifyVerifiedAccessEndpointLoadBalancerOptions struct {
+	_ struct{} `type:"structure"`
+
+	// The IP port number.
+	Port *int64 `min:"1" type:"integer"`
+
+	// The IP protocol.
+	Protocol *string `type:"string" enum:"VerifiedAccessEndpointProtocol"`
+
+	// The IDs of the subnets.
+	SubnetIds []*string `locationName:"SubnetId" locationNameList:"item" type:"list"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessEndpointLoadBalancerOptions) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessEndpointLoadBalancerOptions) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *ModifyVerifiedAccessEndpointLoadBalancerOptions) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "ModifyVerifiedAccessEndpointLoadBalancerOptions"}
+	if s.Port != nil && *s.Port < 1 {
+		invalidParams.Add(request.NewErrParamMinValue("Port", 1))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetPort sets the Port field's value.
+func (s *ModifyVerifiedAccessEndpointLoadBalancerOptions) SetPort(v int64) *ModifyVerifiedAccessEndpointLoadBalancerOptions {
+	s.Port = &v
+	return s
+}
+
+// SetProtocol sets the Protocol field's value.
+func (s *ModifyVerifiedAccessEndpointLoadBalancerOptions) SetProtocol(v string) *ModifyVerifiedAccessEndpointLoadBalancerOptions {
+	s.Protocol = &v
+	return s
+}
+
+// SetSubnetIds sets the SubnetIds field's value.
+func (s *ModifyVerifiedAccessEndpointLoadBalancerOptions) SetSubnetIds(v []*string) *ModifyVerifiedAccessEndpointLoadBalancerOptions {
+	s.SubnetIds = v
+	return s
+}
+
+type ModifyVerifiedAccessEndpointOutput struct {
+	_ struct{} `type:"structure"`
+
+	// The Amazon Web Services Verified Access endpoint details.
+	VerifiedAccessEndpoint *VerifiedAccessEndpoint `locationName:"verifiedAccessEndpoint" type:"structure"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessEndpointOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessEndpointOutput) GoString() string {
+	return s.String()
+}
+
+// SetVerifiedAccessEndpoint sets the VerifiedAccessEndpoint field's value.
+func (s *ModifyVerifiedAccessEndpointOutput) SetVerifiedAccessEndpoint(v *VerifiedAccessEndpoint) *ModifyVerifiedAccessEndpointOutput {
+	s.VerifiedAccessEndpoint = v
+	return s
+}
+
+type ModifyVerifiedAccessEndpointPolicyInput struct {
+	_ struct{} `type:"structure"`
+
+	// A unique, case-sensitive token that you provide to ensure idempotency of
+	// your modification request. For more information, see Ensuring Idempotency
+	// (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html).
+	ClientToken *string `type:"string" idempotencyToken:"true"`
+
+	// Checks whether you have the required permissions for the action, without
+	// actually making the request, and provides an error response. If you have
+	// the required permissions, the error response is DryRunOperation. Otherwise,
+	// it is UnauthorizedOperation.
+	DryRun *bool `type:"boolean"`
+
+	// The Amazon Web Services Verified Access policy document.
+	PolicyDocument *string `type:"string"`
+
+	// The status of the Verified Access policy.
+	//
+	// PolicyEnabled is a required field
+	PolicyEnabled *bool `type:"boolean" required:"true"`
+
+	// The ID of the Amazon Web Services Verified Access endpoint.
+	//
+	// VerifiedAccessEndpointId is a required field
+	VerifiedAccessEndpointId *string `type:"string" required:"true"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessEndpointPolicyInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessEndpointPolicyInput) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *ModifyVerifiedAccessEndpointPolicyInput) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "ModifyVerifiedAccessEndpointPolicyInput"}
+	if s.PolicyEnabled == nil {
+		invalidParams.Add(request.NewErrParamRequired("PolicyEnabled"))
+	}
+	if s.VerifiedAccessEndpointId == nil {
+		invalidParams.Add(request.NewErrParamRequired("VerifiedAccessEndpointId"))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetClientToken sets the ClientToken field's value.
+func (s *ModifyVerifiedAccessEndpointPolicyInput) SetClientToken(v string) *ModifyVerifiedAccessEndpointPolicyInput {
+	s.ClientToken = &v
+	return s
+}
+
+// SetDryRun sets the DryRun field's value.
+func (s *ModifyVerifiedAccessEndpointPolicyInput) SetDryRun(v bool) *ModifyVerifiedAccessEndpointPolicyInput {
+	s.DryRun = &v
+	return s
+}
+
+// SetPolicyDocument sets the PolicyDocument field's value.
+func (s *ModifyVerifiedAccessEndpointPolicyInput) SetPolicyDocument(v string) *ModifyVerifiedAccessEndpointPolicyInput {
+	s.PolicyDocument = &v
+	return s
+}
+
+// SetPolicyEnabled sets the PolicyEnabled field's value.
+func (s *ModifyVerifiedAccessEndpointPolicyInput) SetPolicyEnabled(v bool) *ModifyVerifiedAccessEndpointPolicyInput {
+	s.PolicyEnabled = &v
+	return s
+}
+
+// SetVerifiedAccessEndpointId sets the VerifiedAccessEndpointId field's value.
+func (s *ModifyVerifiedAccessEndpointPolicyInput) SetVerifiedAccessEndpointId(v string) *ModifyVerifiedAccessEndpointPolicyInput {
+	s.VerifiedAccessEndpointId = &v
+	return s
+}
+
+type ModifyVerifiedAccessEndpointPolicyOutput struct {
+	_ struct{} `type:"structure"`
+
+	// The Amazon Web Services Verified Access policy document.
+	PolicyDocument *string `locationName:"policyDocument" type:"string"`
+
+	// The status of the Verified Access policy.
+	PolicyEnabled *bool `locationName:"policyEnabled" type:"boolean"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessEndpointPolicyOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessEndpointPolicyOutput) GoString() string {
+	return s.String()
+}
+
+// SetPolicyDocument sets the PolicyDocument field's value.
+func (s *ModifyVerifiedAccessEndpointPolicyOutput) SetPolicyDocument(v string) *ModifyVerifiedAccessEndpointPolicyOutput {
+	s.PolicyDocument = &v
+	return s
+}
+
+// SetPolicyEnabled sets the PolicyEnabled field's value.
+func (s *ModifyVerifiedAccessEndpointPolicyOutput) SetPolicyEnabled(v bool) *ModifyVerifiedAccessEndpointPolicyOutput {
+	s.PolicyEnabled = &v
+	return s
+}
+
+type ModifyVerifiedAccessGroupInput struct {
+	_ struct{} `type:"structure"`
+
+	// A unique, case-sensitive token that you provide to ensure idempotency of
+	// your modification request. For more information, see Ensuring Idempotency
+	// (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html).
+	ClientToken *string `type:"string" idempotencyToken:"true"`
+
+	// A description for the Amazon Web Services Verified Access group.
+	Description *string `type:"string"`
+
+	// Checks whether you have the required permissions for the action, without
+	// actually making the request, and provides an error response. If you have
+	// the required permissions, the error response is DryRunOperation. Otherwise,
+	// it is UnauthorizedOperation.
+	DryRun *bool `type:"boolean"`
+
+	// The ID of the Amazon Web Services Verified Access group.
+	//
+	// VerifiedAccessGroupId is a required field
+	VerifiedAccessGroupId *string `type:"string" required:"true"`
+
+	// The ID of the Amazon Web Services Verified Access instance.
+	VerifiedAccessInstanceId *string `type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessGroupInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessGroupInput) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *ModifyVerifiedAccessGroupInput) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "ModifyVerifiedAccessGroupInput"}
+	if s.VerifiedAccessGroupId == nil {
+		invalidParams.Add(request.NewErrParamRequired("VerifiedAccessGroupId"))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetClientToken sets the ClientToken field's value.
+func (s *ModifyVerifiedAccessGroupInput) SetClientToken(v string) *ModifyVerifiedAccessGroupInput {
+	s.ClientToken = &v
+	return s
+}
+
+// SetDescription sets the Description field's value.
+func (s *ModifyVerifiedAccessGroupInput) SetDescription(v string) *ModifyVerifiedAccessGroupInput {
+	s.Description = &v
+	return s
+}
+
+// SetDryRun sets the DryRun field's value.
+func (s *ModifyVerifiedAccessGroupInput) SetDryRun(v bool) *ModifyVerifiedAccessGroupInput {
+	s.DryRun = &v
+	return s
+}
+
+// SetVerifiedAccessGroupId sets the VerifiedAccessGroupId field's value.
+func (s *ModifyVerifiedAccessGroupInput) SetVerifiedAccessGroupId(v string) *ModifyVerifiedAccessGroupInput {
+	s.VerifiedAccessGroupId = &v
+	return s
+}
+
+// SetVerifiedAccessInstanceId sets the VerifiedAccessInstanceId field's value.
+func (s *ModifyVerifiedAccessGroupInput) SetVerifiedAccessInstanceId(v string) *ModifyVerifiedAccessGroupInput {
+	s.VerifiedAccessInstanceId = &v
+	return s
+}
+
+type ModifyVerifiedAccessGroupOutput struct {
+	_ struct{} `type:"structure"`
+
+	// Details of Amazon Web Services Verified Access group.
+	VerifiedAccessGroup *VerifiedAccessGroup `locationName:"verifiedAccessGroup" type:"structure"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessGroupOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessGroupOutput) GoString() string {
+	return s.String()
+}
+
+// SetVerifiedAccessGroup sets the VerifiedAccessGroup field's value.
+func (s *ModifyVerifiedAccessGroupOutput) SetVerifiedAccessGroup(v *VerifiedAccessGroup) *ModifyVerifiedAccessGroupOutput {
+	s.VerifiedAccessGroup = v
+	return s
+}
+
+type ModifyVerifiedAccessGroupPolicyInput struct {
+	_ struct{} `type:"structure"`
+
+	// A unique, case-sensitive token that you provide to ensure idempotency of
+	// your modification request. For more information, see Ensuring Idempotency
+	// (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html).
+	ClientToken *string `type:"string" idempotencyToken:"true"`
+
+	// Checks whether you have the required permissions for the action, without
+	// actually making the request, and provides an error response. If you have
+	// the required permissions, the error response is DryRunOperation. Otherwise,
+	// it is UnauthorizedOperation.
+	DryRun *bool `type:"boolean"`
+
+	// The Amazon Web Services Verified Access policy document.
+	PolicyDocument *string `type:"string"`
+
+	// The status of the Verified Access policy.
+	//
+	// PolicyEnabled is a required field
+	PolicyEnabled *bool `type:"boolean" required:"true"`
+
+	// The ID of the Amazon Web Services Verified Access group.
+	//
+	// VerifiedAccessGroupId is a required field
+	VerifiedAccessGroupId *string `type:"string" required:"true"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessGroupPolicyInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessGroupPolicyInput) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *ModifyVerifiedAccessGroupPolicyInput) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "ModifyVerifiedAccessGroupPolicyInput"}
+	if s.PolicyEnabled == nil {
+		invalidParams.Add(request.NewErrParamRequired("PolicyEnabled"))
+	}
+	if s.VerifiedAccessGroupId == nil {
+		invalidParams.Add(request.NewErrParamRequired("VerifiedAccessGroupId"))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetClientToken sets the ClientToken field's value.
+func (s *ModifyVerifiedAccessGroupPolicyInput) SetClientToken(v string) *ModifyVerifiedAccessGroupPolicyInput {
+	s.ClientToken = &v
+	return s
+}
+
+// SetDryRun sets the DryRun field's value.
+func (s *ModifyVerifiedAccessGroupPolicyInput) SetDryRun(v bool) *ModifyVerifiedAccessGroupPolicyInput {
+	s.DryRun = &v
+	return s
+}
+
+// SetPolicyDocument sets the PolicyDocument field's value.
+func (s *ModifyVerifiedAccessGroupPolicyInput) SetPolicyDocument(v string) *ModifyVerifiedAccessGroupPolicyInput {
+	s.PolicyDocument = &v
+	return s
+}
+
+// SetPolicyEnabled sets the PolicyEnabled field's value.
+func (s *ModifyVerifiedAccessGroupPolicyInput) SetPolicyEnabled(v bool) *ModifyVerifiedAccessGroupPolicyInput {
+	s.PolicyEnabled = &v
+	return s
+}
+
+// SetVerifiedAccessGroupId sets the VerifiedAccessGroupId field's value.
+func (s *ModifyVerifiedAccessGroupPolicyInput) SetVerifiedAccessGroupId(v string) *ModifyVerifiedAccessGroupPolicyInput {
+	s.VerifiedAccessGroupId = &v
+	return s
+}
+
+type ModifyVerifiedAccessGroupPolicyOutput struct {
+	_ struct{} `type:"structure"`
+
+	// The Amazon Web Services Verified Access policy document.
+	PolicyDocument *string `locationName:"policyDocument" type:"string"`
+
+	// The status of the Verified Access policy.
+	PolicyEnabled *bool `locationName:"policyEnabled" type:"boolean"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessGroupPolicyOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessGroupPolicyOutput) GoString() string {
+	return s.String()
+}
+
+// SetPolicyDocument sets the PolicyDocument field's value.
+func (s *ModifyVerifiedAccessGroupPolicyOutput) SetPolicyDocument(v string) *ModifyVerifiedAccessGroupPolicyOutput {
+	s.PolicyDocument = &v
+	return s
+}
+
+// SetPolicyEnabled sets the PolicyEnabled field's value.
+func (s *ModifyVerifiedAccessGroupPolicyOutput) SetPolicyEnabled(v bool) *ModifyVerifiedAccessGroupPolicyOutput {
+	s.PolicyEnabled = &v
+	return s
+}
+
+type ModifyVerifiedAccessInstanceInput struct {
+	_ struct{} `type:"structure"`
+
+	// A unique, case-sensitive token that you provide to ensure idempotency of
+	// your modification request. For more information, see Ensuring Idempotency
+	// (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html).
+	ClientToken *string `type:"string" idempotencyToken:"true"`
+
+	// A description for the Amazon Web Services Verified Access instance.
+	Description *string `type:"string"`
+
+	// Checks whether you have the required permissions for the action, without
+	// actually making the request, and provides an error response. If you have
+	// the required permissions, the error response is DryRunOperation. Otherwise,
+	// it is UnauthorizedOperation.
+	DryRun *bool `type:"boolean"`
+
+	// The ID of the Amazon Web Services Verified Access instance.
+	//
+	// VerifiedAccessInstanceId is a required field
+	VerifiedAccessInstanceId *string `type:"string" required:"true"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessInstanceInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessInstanceInput) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *ModifyVerifiedAccessInstanceInput) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "ModifyVerifiedAccessInstanceInput"}
+	if s.VerifiedAccessInstanceId == nil {
+		invalidParams.Add(request.NewErrParamRequired("VerifiedAccessInstanceId"))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetClientToken sets the ClientToken field's value.
+func (s *ModifyVerifiedAccessInstanceInput) SetClientToken(v string) *ModifyVerifiedAccessInstanceInput {
+	s.ClientToken = &v
+	return s
+}
+
+// SetDescription sets the Description field's value.
+func (s *ModifyVerifiedAccessInstanceInput) SetDescription(v string) *ModifyVerifiedAccessInstanceInput {
+	s.Description = &v
+	return s
+}
+
+// SetDryRun sets the DryRun field's value.
+func (s *ModifyVerifiedAccessInstanceInput) SetDryRun(v bool) *ModifyVerifiedAccessInstanceInput {
+	s.DryRun = &v
+	return s
+}
+
+// SetVerifiedAccessInstanceId sets the VerifiedAccessInstanceId field's value.
+func (s *ModifyVerifiedAccessInstanceInput) SetVerifiedAccessInstanceId(v string) *ModifyVerifiedAccessInstanceInput {
+	s.VerifiedAccessInstanceId = &v
+	return s
+}
+
+type ModifyVerifiedAccessInstanceLoggingConfigurationInput struct {
+	_ struct{} `type:"structure"`
+
+	// The configuration options for Amazon Web Services Verified Access instances.
+	//
+	// AccessLogs is a required field
+	AccessLogs *VerifiedAccessLogOptions `type:"structure" required:"true"`
+
+	// A unique, case-sensitive token that you provide to ensure idempotency of
+	// your modification request. For more information, see Ensuring Idempotency
+	// (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html).
+	ClientToken *string `type:"string" idempotencyToken:"true"`
+
+	// Checks whether you have the required permissions for the action, without
+	// actually making the request, and provides an error response. If you have
+	// the required permissions, the error response is DryRunOperation. Otherwise,
+	// it is UnauthorizedOperation.
+	DryRun *bool `type:"boolean"`
+
+	// The ID of the Amazon Web Services Verified Access instance.
+	//
+	// VerifiedAccessInstanceId is a required field
+	VerifiedAccessInstanceId *string `type:"string" required:"true"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessInstanceLoggingConfigurationInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessInstanceLoggingConfigurationInput) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *ModifyVerifiedAccessInstanceLoggingConfigurationInput) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "ModifyVerifiedAccessInstanceLoggingConfigurationInput"}
+	if s.AccessLogs == nil {
+		invalidParams.Add(request.NewErrParamRequired("AccessLogs"))
+	}
+	if s.VerifiedAccessInstanceId == nil {
+		invalidParams.Add(request.NewErrParamRequired("VerifiedAccessInstanceId"))
+	}
+	if s.AccessLogs != nil {
+		if err := s.AccessLogs.Validate(); err != nil {
+			invalidParams.AddNested("AccessLogs", err.(request.ErrInvalidParams))
+		}
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetAccessLogs sets the AccessLogs field's value.
+func (s *ModifyVerifiedAccessInstanceLoggingConfigurationInput) SetAccessLogs(v *VerifiedAccessLogOptions) *ModifyVerifiedAccessInstanceLoggingConfigurationInput {
+	s.AccessLogs = v
+	return s
+}
+
+// SetClientToken sets the ClientToken field's value.
+func (s *ModifyVerifiedAccessInstanceLoggingConfigurationInput) SetClientToken(v string) *ModifyVerifiedAccessInstanceLoggingConfigurationInput {
+	s.ClientToken = &v
+	return s
+}
+
+// SetDryRun sets the DryRun field's value.
+func (s *ModifyVerifiedAccessInstanceLoggingConfigurationInput) SetDryRun(v bool) *ModifyVerifiedAccessInstanceLoggingConfigurationInput {
+	s.DryRun = &v
+	return s
+}
+
+// SetVerifiedAccessInstanceId sets the VerifiedAccessInstanceId field's value.
+func (s *ModifyVerifiedAccessInstanceLoggingConfigurationInput) SetVerifiedAccessInstanceId(v string) *ModifyVerifiedAccessInstanceLoggingConfigurationInput {
+	s.VerifiedAccessInstanceId = &v
+	return s
+}
+
+type ModifyVerifiedAccessInstanceLoggingConfigurationOutput struct {
+	_ struct{} `type:"structure"`
+
+	// The logging configuration for Amazon Web Services Verified Access instance.
+	LoggingConfiguration *VerifiedAccessInstanceLoggingConfiguration `locationName:"loggingConfiguration" type:"structure"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessInstanceLoggingConfigurationOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessInstanceLoggingConfigurationOutput) GoString() string {
+	return s.String()
+}
+
+// SetLoggingConfiguration sets the LoggingConfiguration field's value.
+func (s *ModifyVerifiedAccessInstanceLoggingConfigurationOutput) SetLoggingConfiguration(v *VerifiedAccessInstanceLoggingConfiguration) *ModifyVerifiedAccessInstanceLoggingConfigurationOutput {
+	s.LoggingConfiguration = v
+	return s
+}
+
+type ModifyVerifiedAccessInstanceOutput struct {
+	_ struct{} `type:"structure"`
+
+	// The ID of the Amazon Web Services Verified Access instance.
+	VerifiedAccessInstance *VerifiedAccessInstance `locationName:"verifiedAccessInstance" type:"structure"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessInstanceOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessInstanceOutput) GoString() string {
+	return s.String()
+}
+
+// SetVerifiedAccessInstance sets the VerifiedAccessInstance field's value.
+func (s *ModifyVerifiedAccessInstanceOutput) SetVerifiedAccessInstance(v *VerifiedAccessInstance) *ModifyVerifiedAccessInstanceOutput {
+	s.VerifiedAccessInstance = v
+	return s
+}
+
+type ModifyVerifiedAccessTrustProviderInput struct {
+	_ struct{} `type:"structure"`
+
+	// A unique, case-sensitive token that you provide to ensure idempotency of
+	// your modification request. For more information, see Ensuring Idempotency
+	// (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html).
+	ClientToken *string `type:"string" idempotencyToken:"true"`
+
+	// A description for the Amazon Web Services Verified Access trust provider.
+	Description *string `type:"string"`
+
+	// Checks whether you have the required permissions for the action, without
+	// actually making the request, and provides an error response. If you have
+	// the required permissions, the error response is DryRunOperation. Otherwise,
+	// it is UnauthorizedOperation.
+	DryRun *bool `type:"boolean"`
+
+	// The OpenID Connect details for an oidc-type, user-identity based trust provider.
+	OidcOptions *ModifyVerifiedAccessTrustProviderOidcOptions `type:"structure"`
+
+	// The ID of the Amazon Web Services Verified Access trust provider.
+	//
+	// VerifiedAccessTrustProviderId is a required field
+	VerifiedAccessTrustProviderId *string `type:"string" required:"true"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessTrustProviderInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessTrustProviderInput) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *ModifyVerifiedAccessTrustProviderInput) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "ModifyVerifiedAccessTrustProviderInput"}
+	if s.VerifiedAccessTrustProviderId == nil {
+		invalidParams.Add(request.NewErrParamRequired("VerifiedAccessTrustProviderId"))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetClientToken sets the ClientToken field's value.
+func (s *ModifyVerifiedAccessTrustProviderInput) SetClientToken(v string) *ModifyVerifiedAccessTrustProviderInput {
+	s.ClientToken = &v
+	return s
+}
+
+// SetDescription sets the Description field's value.
+func (s *ModifyVerifiedAccessTrustProviderInput) SetDescription(v string) *ModifyVerifiedAccessTrustProviderInput {
+	s.Description = &v
+	return s
+}
+
+// SetDryRun sets the DryRun field's value.
+func (s *ModifyVerifiedAccessTrustProviderInput) SetDryRun(v bool) *ModifyVerifiedAccessTrustProviderInput {
+	s.DryRun = &v
+	return s
+}
+
+// SetOidcOptions sets the OidcOptions field's value.
+func (s *ModifyVerifiedAccessTrustProviderInput) SetOidcOptions(v *ModifyVerifiedAccessTrustProviderOidcOptions) *ModifyVerifiedAccessTrustProviderInput {
+	s.OidcOptions = v
+	return s
+}
+
+// SetVerifiedAccessTrustProviderId sets the VerifiedAccessTrustProviderId field's value.
+func (s *ModifyVerifiedAccessTrustProviderInput) SetVerifiedAccessTrustProviderId(v string) *ModifyVerifiedAccessTrustProviderInput {
+	s.VerifiedAccessTrustProviderId = &v
+	return s
+}
+
+// OpenID Connect options for an oidc-type, user-identity based trust provider.
+type ModifyVerifiedAccessTrustProviderOidcOptions struct {
+	_ struct{} `type:"structure"`
+
+	// OpenID Connect (OIDC) scopes are used by an application during authentication
+	// to authorize access to a user's details. Each scope returns a specific set
+	// of user attributes.
+	Scope *string `type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessTrustProviderOidcOptions) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessTrustProviderOidcOptions) GoString() string {
+	return s.String()
+}
+
+// SetScope sets the Scope field's value.
+func (s *ModifyVerifiedAccessTrustProviderOidcOptions) SetScope(v string) *ModifyVerifiedAccessTrustProviderOidcOptions {
+	s.Scope = &v
+	return s
+}
+
+type ModifyVerifiedAccessTrustProviderOutput struct {
+	_ struct{} `type:"structure"`
+
+	// The ID of the Amazon Web Services Verified Access trust provider.
+	VerifiedAccessTrustProvider *VerifiedAccessTrustProvider `locationName:"verifiedAccessTrustProvider" type:"structure"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessTrustProviderOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ModifyVerifiedAccessTrustProviderOutput) GoString() string {
+	return s.String()
+}
+
+// SetVerifiedAccessTrustProvider sets the VerifiedAccessTrustProvider field's value.
+func (s *ModifyVerifiedAccessTrustProviderOutput) SetVerifiedAccessTrustProvider(v *VerifiedAccessTrustProvider) *ModifyVerifiedAccessTrustProviderOutput {
+	s.VerifiedAccessTrustProvider = v
+	return s
+}
+
 type ModifyVolumeAttributeInput struct {
 	_ struct{} `type:"structure"`
 
@@ -136518,7 +143515,7 @@ func (s *ModifyVpnConnectionOptionsInput) SetVpnConnectionId(v string) *ModifyVp
 type ModifyVpnConnectionOptionsOutput struct {
 	_ struct{} `type:"structure"`
 
-	// Describes a VPN connection.
+	// Information about the VPN connection.
 	VpnConnection *VpnConnection `locationName:"vpnConnection" type:"structure"`
 }
 
@@ -136549,7 +143546,7 @@ func (s *ModifyVpnConnectionOptionsOutput) SetVpnConnection(v *VpnConnection) *M
 type ModifyVpnConnectionOutput struct {
 	_ struct{} `type:"structure"`
 
-	// Describes a VPN connection.
+	// Information about the VPN connection.
 	VpnConnection *VpnConnection `locationName:"vpnConnection" type:"structure"`
 }
 
@@ -136652,7 +143649,7 @@ func (s *ModifyVpnTunnelCertificateInput) SetVpnTunnelOutsideIpAddress(v string)
 type ModifyVpnTunnelCertificateOutput struct {
 	_ struct{} `type:"structure"`
 
-	// Describes a VPN connection.
+	// Information about the VPN connection.
 	VpnConnection *VpnConnection `locationName:"vpnConnection" type:"structure"`
 }
 
@@ -136769,7 +143766,7 @@ func (s *ModifyVpnTunnelOptionsInput) SetVpnTunnelOutsideIpAddress(v string) *Mo
 type ModifyVpnTunnelOptionsOutput struct {
 	_ struct{} `type:"structure"`
 
-	// Describes a VPN connection.
+	// Information about the VPN connection.
 	VpnConnection *VpnConnection `locationName:"vpnConnection" type:"structure"`
 }
 
@@ -138092,6 +145089,12 @@ type NetworkInfo struct {
 	// Indicates whether Elastic Fabric Adapter (EFA) is supported.
 	EfaSupported *bool `locationName:"efaSupported" type:"boolean"`
 
+	// Indicates whether the instance type supports ENA Express. ENA Express uses
+	// Amazon Web Services Scalable Reliable Datagram (SRD) technology to increase
+	// the maximum bandwidth used per stream and minimize tail latency of network
+	// traffic between EC2 instances.
+	EnaSrdSupported *bool `locationName:"enaSrdSupported" type:"boolean"`
+
 	// Indicates whether Elastic Network Adapter (ENA) is supported.
 	EnaSupport *string `locationName:"enaSupport" type:"string" enum:"EnaSupport"`
 
@@ -138158,6 +145161,12 @@ func (s *NetworkInfo) SetEfaSupported(v bool) *NetworkInfo {
 	return s
 }
 
+// SetEnaSrdSupported sets the EnaSrdSupported field's value.
+func (s *NetworkInfo) SetEnaSrdSupported(v bool) *NetworkInfo {
+	s.EnaSrdSupported = &v
+	return s
+}
+
 // SetEnaSupport sets the EnaSupport field's value.
 func (s *NetworkInfo) SetEnaSupport(v string) *NetworkInfo {
 	s.EnaSupport = &v
@@ -138456,6 +145465,9 @@ func (s *NetworkInsightsAccessScopeContent) SetNetworkInsightsAccessScopeId(v st
 type NetworkInsightsAnalysis struct {
 	_ struct{} `type:"structure"`
 
+	// The member accounts that contain resources that the path can traverse.
+	AdditionalAccounts []*string `locationName:"additionalAccountSet" locationNameList:"item" type:"list"`
+
 	// Potential intermediate components.
 	AlternatePathHints []*AlternatePathHint `locationName:"alternatePathHintSet" locationNameList:"item" type:"list"`
 
@@ -138494,6 +145506,9 @@ type NetworkInsightsAnalysis struct {
 	// The status message, if the status is failed.
 	StatusMessage *string `locationName:"statusMessage" type:"string"`
 
+	// Potential intermediate accounts.
+	SuggestedAccounts []*string `locationName:"suggestedAccountSet" locationNameList:"item" type:"list"`
+
 	// The tags.
 	Tags []*Tag `locationName:"tagSet" locationNameList:"item" type:"list"`
 
@@ -138519,6 +145534,12 @@ func (s NetworkInsightsAnalysis) GoString() string {
 	return s.String()
 }
 
+// SetAdditionalAccounts sets the AdditionalAccounts field's value.
+func (s *NetworkInsightsAnalysis) SetAdditionalAccounts(v []*string) *NetworkInsightsAnalysis {
+	s.AdditionalAccounts = v
+	return s
+}
+
 // SetAlternatePathHints sets the AlternatePathHints field's value.
 func (s *NetworkInsightsAnalysis) SetAlternatePathHints(v []*AlternatePathHint) *NetworkInsightsAnalysis {
 	s.AlternatePathHints = v
@@ -138591,6 +145612,12 @@ func (s *NetworkInsightsAnalysis) SetStatusMessage(v string) *NetworkInsightsAna
 	return s
 }
 
+// SetSuggestedAccounts sets the SuggestedAccounts field's value.
+func (s *NetworkInsightsAnalysis) SetSuggestedAccounts(v []*string) *NetworkInsightsAnalysis {
+	s.SuggestedAccounts = v
+	return s
+}
+
 // SetTags sets the Tags field's value.
 func (s *NetworkInsightsAnalysis) SetTags(v []*Tag) *NetworkInsightsAnalysis {
 	s.Tags = v
@@ -138613,6 +145640,9 @@ type NetworkInsightsPath struct {
 	// The Amazon Web Services resource that is the destination of the path.
 	Destination *string `locationName:"destination" type:"string"`
 
+	// The Amazon Resource Name (ARN) of the destination.
+	DestinationArn *string `locationName:"destinationArn" min:"1" type:"string"`
+
 	// The IP address of the Amazon Web Services resource that is the destination
 	// of the path.
 	DestinationIp *string `locationName:"destinationIp" type:"string"`
@@ -138632,6 +145662,9 @@ type NetworkInsightsPath struct {
 	// The Amazon Web Services resource that is the source of the path.
 	Source *string `locationName:"source" type:"string"`
 
+	// The Amazon Resource Name (ARN) of the source.
+	SourceArn *string `locationName:"sourceArn" min:"1" type:"string"`
+
 	// The IP address of the Amazon Web Services resource that is the source of
 	// the path.
 	SourceIp *string `locationName:"sourceIp" type:"string"`
@@ -138670,6 +145703,12 @@ func (s *NetworkInsightsPath) SetDestination(v string) *NetworkInsightsPath {
 	return s
 }
 
+// SetDestinationArn sets the DestinationArn field's value.
+func (s *NetworkInsightsPath) SetDestinationArn(v string) *NetworkInsightsPath {
+	s.DestinationArn = &v
+	return s
+}
+
 // SetDestinationIp sets the DestinationIp field's value.
 func (s *NetworkInsightsPath) SetDestinationIp(v string) *NetworkInsightsPath {
 	s.DestinationIp = &v
@@ -138706,6 +145745,12 @@ func (s *NetworkInsightsPath) SetSource(v string) *NetworkInsightsPath {
 	return s
 }
 
+// SetSourceArn sets the SourceArn field's value.
+func (s *NetworkInsightsPath) SetSourceArn(v string) *NetworkInsightsPath {
+	s.SourceArn = &v
+	return s
+}
+
 // SetSourceIp sets the SourceIp field's value.
 func (s *NetworkInsightsPath) SetSourceIp(v string) *NetworkInsightsPath {
 	s.SourceIp = &v
@@ -139088,6 +146133,10 @@ type NetworkInterfaceAttachment struct {
 	// The device index of the network interface attachment on the instance.
 	DeviceIndex *int64 `locationName:"deviceIndex" type:"integer"`
 
+	// Configures ENA Express for the network interface that this action attaches
+	// to the instance.
+	EnaSrdSpecification *AttachmentEnaSrdSpecification `locationName:"enaSrdSpecification" type:"structure"`
+
 	// The ID of the instance.
 	InstanceId *string `locationName:"instanceId" type:"string"`
 
@@ -139143,6 +146192,12 @@ func (s *NetworkInterfaceAttachment) SetDeviceIndex(v int64) *NetworkInterfaceAt
 	return s
 }
 
+// SetEnaSrdSpecification sets the EnaSrdSpecification field's value.
+func (s *NetworkInterfaceAttachment) SetEnaSrdSpecification(v *AttachmentEnaSrdSpecification) *NetworkInterfaceAttachment {
+	s.EnaSrdSpecification = v
+	return s
+}
+
 // SetInstanceId sets the InstanceId field's value.
 func (s *NetworkInterfaceAttachment) SetInstanceId(v string) *NetworkInterfaceAttachment {
 	s.InstanceId = &v
@@ -139543,6 +146598,92 @@ func (s *NewDhcpConfiguration) SetValues(v []*string) *NewDhcpConfiguration {
 	return s
 }
 
+// Options for OIDC-based, user-identity type trust provider.
+type OidcOptions struct {
+	_ struct{} `type:"structure"`
+
+	// The OIDC authorization endpoint.
+	AuthorizationEndpoint *string `locationName:"authorizationEndpoint" type:"string"`
+
+	// The client identifier.
+	ClientId *string `locationName:"clientId" type:"string"`
+
+	// The client secret.
+	ClientSecret *string `locationName:"clientSecret" type:"string"`
+
+	// The OIDC issuer.
+	Issuer *string `locationName:"issuer" type:"string"`
+
+	// The OpenID Connect (OIDC) scope specified.
+	Scope *string `locationName:"scope" type:"string"`
+
+	// The OIDC token endpoint.
+	TokenEndpoint *string `locationName:"tokenEndpoint" type:"string"`
+
+	// The OIDC user info endpoint.
+	UserInfoEndpoint *string `locationName:"userInfoEndpoint" type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s OidcOptions) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s OidcOptions) GoString() string {
+	return s.String()
+}
+
+// SetAuthorizationEndpoint sets the AuthorizationEndpoint field's value.
+func (s *OidcOptions) SetAuthorizationEndpoint(v string) *OidcOptions {
+	s.AuthorizationEndpoint = &v
+	return s
+}
+
+// SetClientId sets the ClientId field's value.
+func (s *OidcOptions) SetClientId(v string) *OidcOptions {
+	s.ClientId = &v
+	return s
+}
+
+// SetClientSecret sets the ClientSecret field's value.
+func (s *OidcOptions) SetClientSecret(v string) *OidcOptions {
+	s.ClientSecret = &v
+	return s
+}
+
+// SetIssuer sets the Issuer field's value.
+func (s *OidcOptions) SetIssuer(v string) *OidcOptions {
+	s.Issuer = &v
+	return s
+}
+
+// SetScope sets the Scope field's value.
+func (s *OidcOptions) SetScope(v string) *OidcOptions {
+	s.Scope = &v
+	return s
+}
+
+// SetTokenEndpoint sets the TokenEndpoint field's value.
+func (s *OidcOptions) SetTokenEndpoint(v string) *OidcOptions {
+	s.TokenEndpoint = &v
+	return s
+}
+
+// SetUserInfoEndpoint sets the UserInfoEndpoint field's value.
+func (s *OidcOptions) SetUserInfoEndpoint(v string) *OidcOptions {
+	s.UserInfoEndpoint = &v
+	return s
+}
+
 // Describes the configuration of On-Demand Instances in an EC2 Fleet.
 type OnDemandOptions struct {
 	_ struct{} `type:"structure"`
@@ -140841,11 +147982,10 @@ func (s *Phase2IntegrityAlgorithmsRequestListValue) SetValue(v string) *Phase2In
 type Placement struct {
 	_ struct{} `type:"structure"`
 
-	// The affinity setting for the instance on the Dedicated Host. This parameter
-	// is not supported for the ImportInstance (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportInstance.html)
-	// command.
+	// The affinity setting for the instance on the Dedicated Host.
 	//
-	// This parameter is not supported by CreateFleet (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateFleet).
+	// This parameter is not supported for CreateFleet (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateFleet)
+	// or ImportInstance (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportInstance.html).
 	Affinity *string `locationName:"affinity" type:"string"`
 
 	// The Availability Zone of the instance.
@@ -140853,49 +147993,46 @@ type Placement struct {
 	// If not specified, an Availability Zone will be automatically chosen for you
 	// based on the load balancing criteria for the Region.
 	//
-	// This parameter is not supported by CreateFleet (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateFleet).
+	// This parameter is not supported for CreateFleet (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateFleet).
 	AvailabilityZone *string `locationName:"availabilityZone" type:"string"`
 
-	// The Group Id of the placement group.
+	// The ID of the placement group that the instance is in. If you specify GroupId,
+	// you can't specify GroupName.
 	GroupId *string `locationName:"groupId" type:"string"`
 
-	// The name of the placement group the instance is in.
+	// The name of the placement group that the instance is in. If you specify GroupName,
+	// you can't specify GroupId.
 	GroupName *string `locationName:"groupName" type:"string"`
 
-	// The ID of the Dedicated Host on which the instance resides. This parameter
-	// is not supported for the ImportInstance (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportInstance.html)
-	// command.
+	// The ID of the Dedicated Host on which the instance resides.
 	//
-	// This parameter is not supported by CreateFleet (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateFleet).
+	// This parameter is not supported for CreateFleet (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateFleet)
+	// or ImportInstance (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportInstance.html).
 	HostId *string `locationName:"hostId" type:"string"`
 
-	// The ARN of the host resource group in which to launch the instances. If you
-	// specify a host resource group ARN, omit the Tenancy parameter or set it to
-	// host.
+	// The ARN of the host resource group in which to launch the instances.
 	//
-	// This parameter is not supported by CreateFleet (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateFleet).
+	// If you specify this parameter, either omit the Tenancy parameter or set it
+	// to host.
+	//
+	// This parameter is not supported for CreateFleet (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateFleet).
 	HostResourceGroupArn *string `locationName:"hostResourceGroupArn" type:"string"`
 
 	// The number of the partition that the instance is in. Valid only if the placement
 	// group strategy is set to partition.
 	//
-	// This parameter is not supported by CreateFleet (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateFleet).
+	// This parameter is not supported for CreateFleet (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateFleet).
 	PartitionNumber *int64 `locationName:"partitionNumber" type:"integer"`
 
 	// Reserved for future use.
-	//
-	// This parameter is not supported by CreateFleet (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateFleet).
 	SpreadDomain *string `locationName:"spreadDomain" type:"string"`
 
 	// The tenancy of the instance (if the instance is running in a VPC). An instance
-	// with a tenancy of dedicated runs on single-tenant hardware. The host tenancy
-	// is not supported for the ImportInstance (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportInstance.html)
-	// command.
+	// with a tenancy of dedicated runs on single-tenant hardware.
 	//
-	// This parameter is not supported by CreateFleet (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateFleet).
-	//
-	// T3 instances that use the unlimited CPU credit option do not support host
-	// tenancy.
+	// This parameter is not supported for CreateFleet (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateFleet).
+	// The host tenancy is not supported for ImportInstance (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportInstance.html)
+	// or for T3 instances that are configured for the unlimited CPU credit option.
 	Tenancy *string `locationName:"tenancy" type:"string" enum:"Tenancy"`
 }
 
@@ -143484,8 +150621,15 @@ type RegisterImageInput struct {
 	Architecture *string `locationName:"architecture" type:"string" enum:"ArchitectureValues"`
 
 	// The billing product codes. Your account must be authorized to specify billing
-	// product codes. Otherwise, you can use the Amazon Web Services Marketplace
-	// to bill for the use of an AMI.
+	// product codes.
+	//
+	// If your account is not authorized to specify billing product codes, you can
+	// publish AMIs that include billable software and list them on the Amazon Web
+	// Services Marketplace. You must first register as a seller on the Amazon Web
+	// Services Marketplace. For more information, see Getting started as a seller
+	// (https://docs.aws.amazon.com/marketplace/latest/userguide/user-guide-for-sellers.html)
+	// and AMI-based products (https://docs.aws.amazon.com/marketplace/latest/userguide/ami-products.html)
+	// in the Amazon Web Services Marketplace Seller Guide.
 	BillingProducts []*string `locationName:"BillingProduct" locationNameList:"item" type:"list"`
 
 	// The block device mapping entries.
@@ -143497,11 +150641,11 @@ type RegisterImageInput struct {
 	// the same Outpost or in the Region of that Outpost. AMIs on an Outpost that
 	// include local snapshots can be used to launch instances on the same Outpost
 	// only. For more information, Amazon EBS local snapshots on Outposts (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshots-outposts.html#ami)
-	// in the Amazon Elastic Compute Cloud User Guide.
+	// in the Amazon EC2 User Guide.
 	BlockDeviceMappings []*BlockDeviceMapping `locationName:"BlockDeviceMapping" locationNameList:"BlockDeviceMapping" type:"list"`
 
 	// The boot mode of the AMI. For more information, see Boot modes (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-boot.html)
-	// in the Amazon Elastic Compute Cloud User Guide.
+	// in the Amazon EC2 User Guide.
 	BootMode *string `type:"string" enum:"BootModeValues"`
 
 	// A description for your AMI.
@@ -143531,7 +150675,7 @@ type RegisterImageInput struct {
 	// by default, the instance requires that IMDSv2 is used when requesting instance
 	// metadata. In addition, HttpPutResponseHopLimit is set to 2. For more information,
 	// see Configure the AMI (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html#configure-IMDS-new-instances-ami-configuration)
-	// in the Amazon Elastic Compute Cloud User Guide.
+	// in the Amazon EC2 User Guide.
 	//
 	// If you set the value to v2.0, make sure that your AMI software can support
 	// IMDSv2.
@@ -143567,7 +150711,7 @@ type RegisterImageInput struct {
 
 	// Set to v2.0 to enable Trusted Platform Module (TPM) support. For more information,
 	// see NitroTPM (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitrotpm.html)
-	// in the Amazon Elastic Compute Cloud User Guide.
+	// in the Amazon EC2 User Guide.
 	TpmSupport *string `type:"string" enum:"TpmSupportValues"`
 
 	// Base64 representation of the non-volatile UEFI variable store. To retrieve
@@ -143575,7 +150719,7 @@ type RegisterImageInput struct {
 	// command. You can inspect and modify the UEFI data by using the python-uefivars
 	// tool (https://github.com/awslabs/python-uefivars) on GitHub. For more information,
 	// see UEFI Secure Boot (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/uefi-secure-boot.html)
-	// in the Amazon Elastic Compute Cloud User Guide.
+	// in the Amazon EC2 User Guide.
 	UefiData *string `type:"string"`
 
 	// The type of virtualization (hvm | paravirtual).
@@ -144118,7 +151262,7 @@ func (s *RejectTransitGatewayMulticastDomainAssociationsInput) SetTransitGateway
 type RejectTransitGatewayMulticastDomainAssociationsOutput struct {
 	_ struct{} `type:"structure"`
 
-	// Describes the multicast domain associations.
+	// Information about the multicast domain associations.
 	Associations *TransitGatewayMulticastDomainAssociations `locationName:"associations" type:"structure"`
 }
 
@@ -155445,27 +162589,44 @@ type SpotFleetRequestConfigData struct {
 	// For more information, see Allocation strategies for Spot Instances (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-fleet-allocation-strategy.html)
 	// in the Amazon EC2 User Guide.
 	//
-	// lowestPrice - Spot Fleet launches instances from the lowest-price Spot Instance
-	// pool that has available capacity. If the cheapest pool doesn't have available
-	// capacity, the Spot Instances come from the next cheapest pool that has available
-	// capacity. If a pool runs out of capacity before fulfilling your desired capacity,
-	// Spot Fleet will continue to fulfill your request by drawing from the next
-	// cheapest pool. To ensure that your desired capacity is met, you might receive
-	// Spot Instances from several pools.
+	// priceCapacityOptimized (recommended)
 	//
-	// diversified - Spot Fleet launches instances from all of the Spot Instance
-	// pools that you specify.
+	// Spot Fleet identifies the pools with the highest capacity availability for
+	// the number of instances that are launching. This means that we will request
+	// Spot Instances from the pools that we believe have the lowest chance of interruption
+	// in the near term. Spot Fleet then requests Spot Instances from the lowest
+	// priced of these pools.
 	//
-	// capacityOptimized (recommended) - Spot Fleet launches instances from Spot
-	// Instance pools with optimal capacity for the number of instances that are
-	// launching. To give certain instance types a higher chance of launching first,
-	// use capacityOptimizedPrioritized. Set a priority for each instance type by
-	// using the Priority parameter for LaunchTemplateOverrides. You can assign
-	// the same priority to different LaunchTemplateOverrides. EC2 implements the
-	// priorities on a best-effort basis, but optimizes for capacity first. capacityOptimizedPrioritized
-	// is supported only if your Spot Fleet uses a launch template. Note that if
-	// the OnDemandAllocationStrategy is set to prioritized, the same priority is
-	// applied when fulfilling On-Demand capacity.
+	// capacityOptimized
+	//
+	// Spot Fleet identifies the pools with the highest capacity availability for
+	// the number of instances that are launching. This means that we will request
+	// Spot Instances from the pools that we believe have the lowest chance of interruption
+	// in the near term. To give certain instance types a higher chance of launching
+	// first, use capacityOptimizedPrioritized. Set a priority for each instance
+	// type by using the Priority parameter for LaunchTemplateOverrides. You can
+	// assign the same priority to different LaunchTemplateOverrides. EC2 implements
+	// the priorities on a best-effort basis, but optimizes for capacity first.
+	// capacityOptimizedPrioritized is supported only if your Spot Fleet uses a
+	// launch template. Note that if the OnDemandAllocationStrategy is set to prioritized,
+	// the same priority is applied when fulfilling On-Demand capacity.
+	//
+	// diversified
+	//
+	// Spot Fleet requests instances from all of the Spot Instance pools that you
+	// specify.
+	//
+	// lowestPrice
+	//
+	// Spot Fleet requests instances from the lowest priced Spot Instance pool that
+	// has available capacity. If the lowest priced pool doesn't have available
+	// capacity, the Spot Instances come from the next lowest priced pool that has
+	// available capacity. If a pool runs out of capacity before fulfilling your
+	// desired capacity, Spot Fleet will continue to fulfill your request by drawing
+	// from the next lowest priced pool. To ensure that your desired capacity is
+	// met, you might receive Spot Instances from several pools. Because this strategy
+	// only considers instance price and not capacity availability, it might lead
+	// to high interruption rates.
 	//
 	// Default: lowestPrice
 	AllocationStrategy *string `locationName:"allocationStrategy" type:"string" enum:"AllocationStrategy"`
@@ -156329,27 +163490,44 @@ type SpotOptions struct {
 	// For more information, see Allocation strategies for Spot Instances (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-allocation-strategy.html)
 	// in the Amazon EC2 User Guide.
 	//
-	// lowest-price - EC2 Fleet launches instances from the lowest-price Spot Instance
-	// pool that has available capacity. If the cheapest pool doesn't have available
-	// capacity, the Spot Instances come from the next cheapest pool that has available
-	// capacity. If a pool runs out of capacity before fulfilling your desired capacity,
-	// EC2 Fleet will continue to fulfill your request by drawing from the next
-	// cheapest pool. To ensure that your desired capacity is met, you might receive
-	// Spot Instances from several pools.
+	// price-capacity-optimized (recommended)
 	//
-	// diversified - EC2 Fleet launches instances from all of the Spot Instance
-	// pools that you specify.
+	// EC2 Fleet identifies the pools with the highest capacity availability for
+	// the number of instances that are launching. This means that we will request
+	// Spot Instances from the pools that we believe have the lowest chance of interruption
+	// in the near term. EC2 Fleet then requests Spot Instances from the lowest
+	// priced of these pools.
 	//
-	// capacity-optimized (recommended) - EC2 Fleet launches instances from Spot
-	// Instance pools with optimal capacity for the number of instances that are
-	// launching. To give certain instance types a higher chance of launching first,
-	// use capacity-optimized-prioritized. Set a priority for each instance type
-	// by using the Priority parameter for LaunchTemplateOverrides. You can assign
-	// the same priority to different LaunchTemplateOverrides. EC2 implements the
-	// priorities on a best-effort basis, but optimizes for capacity first. capacity-optimized-prioritized
-	// is supported only if your fleet uses a launch template. Note that if the
-	// On-Demand AllocationStrategy is set to prioritized, the same priority is
-	// applied when fulfilling On-Demand capacity.
+	// capacity-optimized
+	//
+	// EC2 Fleet identifies the pools with the highest capacity availability for
+	// the number of instances that are launching. This means that we will request
+	// Spot Instances from the pools that we believe have the lowest chance of interruption
+	// in the near term. To give certain instance types a higher chance of launching
+	// first, use capacity-optimized-prioritized. Set a priority for each instance
+	// type by using the Priority parameter for LaunchTemplateOverrides. You can
+	// assign the same priority to different LaunchTemplateOverrides. EC2 implements
+	// the priorities on a best-effort basis, but optimizes for capacity first.
+	// capacity-optimized-prioritized is supported only if your EC2 Fleet uses a
+	// launch template. Note that if the On-Demand AllocationStrategy is set to
+	// prioritized, the same priority is applied when fulfilling On-Demand capacity.
+	//
+	// diversified
+	//
+	// EC2 Fleet requests instances from all of the Spot Instance pools that you
+	// specify.
+	//
+	// lowest-price
+	//
+	// EC2 Fleet requests instances from the lowest priced Spot Instance pool that
+	// has available capacity. If the lowest priced pool doesn't have available
+	// capacity, the Spot Instances come from the next lowest priced pool that has
+	// available capacity. If a pool runs out of capacity before fulfilling your
+	// desired capacity, EC2 Fleet will continue to fulfill your request by drawing
+	// from the next lowest priced pool. To ensure that your desired capacity is
+	// met, you might receive Spot Instances from several pools. Because this strategy
+	// only considers instance price and not capacity availability, it might lead
+	// to high interruption rates.
 	//
 	// Default: lowest-price
 	AllocationStrategy *string `locationName:"allocationStrategy" type:"string" enum:"SpotAllocationStrategy"`
@@ -156484,27 +163662,44 @@ type SpotOptionsRequest struct {
 	// For more information, see Allocation strategies for Spot Instances (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-allocation-strategy.html)
 	// in the Amazon EC2 User Guide.
 	//
-	// lowest-price - EC2 Fleet launches instances from the lowest-price Spot Instance
-	// pool that has available capacity. If the cheapest pool doesn't have available
-	// capacity, the Spot Instances come from the next cheapest pool that has available
-	// capacity. If a pool runs out of capacity before fulfilling your desired capacity,
-	// EC2 Fleet will continue to fulfill your request by drawing from the next
-	// cheapest pool. To ensure that your desired capacity is met, you might receive
-	// Spot Instances from several pools.
+	// price-capacity-optimized (recommended)
 	//
-	// diversified - EC2 Fleet launches instances from all of the Spot Instance
-	// pools that you specify.
+	// EC2 Fleet identifies the pools with the highest capacity availability for
+	// the number of instances that are launching. This means that we will request
+	// Spot Instances from the pools that we believe have the lowest chance of interruption
+	// in the near term. EC2 Fleet then requests Spot Instances from the lowest
+	// priced of these pools.
 	//
-	// capacity-optimized (recommended) - EC2 Fleet launches instances from Spot
-	// Instance pools with optimal capacity for the number of instances that are
-	// launching. To give certain instance types a higher chance of launching first,
-	// use capacity-optimized-prioritized. Set a priority for each instance type
-	// by using the Priority parameter for LaunchTemplateOverrides. You can assign
-	// the same priority to different LaunchTemplateOverrides. EC2 implements the
-	// priorities on a best-effort basis, but optimizes for capacity first. capacity-optimized-prioritized
-	// is supported only if your fleet uses a launch template. Note that if the
-	// On-Demand AllocationStrategy is set to prioritized, the same priority is
-	// applied when fulfilling On-Demand capacity.
+	// capacity-optimized
+	//
+	// EC2 Fleet identifies the pools with the highest capacity availability for
+	// the number of instances that are launching. This means that we will request
+	// Spot Instances from the pools that we believe have the lowest chance of interruption
+	// in the near term. To give certain instance types a higher chance of launching
+	// first, use capacity-optimized-prioritized. Set a priority for each instance
+	// type by using the Priority parameter for LaunchTemplateOverrides. You can
+	// assign the same priority to different LaunchTemplateOverrides. EC2 implements
+	// the priorities on a best-effort basis, but optimizes for capacity first.
+	// capacity-optimized-prioritized is supported only if your EC2 Fleet uses a
+	// launch template. Note that if the On-Demand AllocationStrategy is set to
+	// prioritized, the same priority is applied when fulfilling On-Demand capacity.
+	//
+	// diversified
+	//
+	// EC2 Fleet requests instances from all of the Spot Instance pools that you
+	// specify.
+	//
+	// lowest-price
+	//
+	// EC2 Fleet requests instances from the lowest priced Spot Instance pool that
+	// has available capacity. If the lowest priced pool doesn't have available
+	// capacity, the Spot Instances come from the next lowest priced pool that has
+	// available capacity. If a pool runs out of capacity before fulfilling your
+	// desired capacity, EC2 Fleet will continue to fulfill your request by drawing
+	// from the next lowest priced pool. To ensure that your desired capacity is
+	// met, you might receive Spot Instances from several pools. Because this strategy
+	// only considers instance price and not capacity availability, it might lead
+	// to high interruption rates.
 	//
 	// Default: lowest-price
 	AllocationStrategy *string `type:"string" enum:"SpotAllocationStrategy"`
@@ -157187,6 +164382,9 @@ func (s *StartNetworkInsightsAccessScopeAnalysisOutput) SetNetworkInsightsAccess
 type StartNetworkInsightsAnalysisInput struct {
 	_ struct{} `type:"structure"`
 
+	// The member accounts that contain resources that the path can traverse.
+	AdditionalAccounts []*string `locationName:"AdditionalAccount" locationNameList:"item" type:"list"`
+
 	// Unique, case-sensitive identifier that you provide to ensure the idempotency
 	// of the request. For more information, see How to ensure idempotency (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html).
 	ClientToken *string `type:"string" idempotencyToken:"true"`
@@ -157240,6 +164438,12 @@ func (s *StartNetworkInsightsAnalysisInput) Validate() error {
 	return nil
 }
 
+// SetAdditionalAccounts sets the AdditionalAccounts field's value.
+func (s *StartNetworkInsightsAnalysisInput) SetAdditionalAccounts(v []*string) *StartNetworkInsightsAnalysisInput {
+	s.AdditionalAccounts = v
+	return s
+}
+
 // SetClientToken sets the ClientToken field's value.
 func (s *StartNetworkInsightsAnalysisInput) SetClientToken(v string) *StartNetworkInsightsAnalysisInput {
 	s.ClientToken = &v
@@ -158185,6 +165389,76 @@ func (s *SubnetIpv6CidrBlockAssociation) SetIpv6CidrBlockState(v *SubnetCidrBloc
 	return s
 }
 
+// Describes an Infrastructure Performance subscription.
+type Subscription struct {
+	_ struct{} `type:"structure"`
+
+	// The Region or Availability Zone that's the target for the subscription. For
+	// example, eu-west-1.
+	Destination *string `locationName:"destination" type:"string"`
+
+	// The metric used for the subscription.
+	Metric *string `locationName:"metric" type:"string" enum:"MetricType"`
+
+	// The data aggregation time for the subscription.
+	Period *string `locationName:"period" type:"string" enum:"PeriodType"`
+
+	// The Region or Availability Zone that's the source for the subscription. For
+	// example, us-east-1.
+	Source *string `locationName:"source" type:"string"`
+
+	// The statistic used for the subscription.
+	Statistic *string `locationName:"statistic" type:"string" enum:"StatisticType"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s Subscription) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s Subscription) GoString() string {
+	return s.String()
+}
+
+// SetDestination sets the Destination field's value.
+func (s *Subscription) SetDestination(v string) *Subscription {
+	s.Destination = &v
+	return s
+}
+
+// SetMetric sets the Metric field's value.
+func (s *Subscription) SetMetric(v string) *Subscription {
+	s.Metric = &v
+	return s
+}
+
+// SetPeriod sets the Period field's value.
+func (s *Subscription) SetPeriod(v string) *Subscription {
+	s.Period = &v
+	return s
+}
+
+// SetSource sets the Source field's value.
+func (s *Subscription) SetSource(v string) *Subscription {
+	s.Source = &v
+	return s
+}
+
+// SetStatistic sets the Statistic field's value.
+func (s *Subscription) SetStatistic(v string) *Subscription {
+	s.Statistic = &v
+	return s
+}
+
 // Describes the burstable performance instance whose credit option for CPU
 // usage was successfully modified.
 type SuccessfulInstanceCreditSpecificationItem struct {
@@ -164164,6 +171438,1282 @@ func (s *ValidationWarning) SetErrors(v []*ValidationError) *ValidationWarning {
 	return s
 }
 
+// An Amazon Web Services Verified Access endpoint specifies the application
+// that Amazon Web Services Verified Access provides access to. It must be attached
+// to an Amazon Web Services Verified Access group. An Amazon Web Services Verified
+// Access endpoint must also have an attached access policy before you attached
+// it to a group.
+type VerifiedAccessEndpoint struct {
+	_ struct{} `type:"structure"`
+
+	// The DNS name for users to reach your application.
+	ApplicationDomain *string `locationName:"applicationDomain" type:"string"`
+
+	// The type of attachment used to provide connectivity between the Amazon Web
+	// Services Verified Access endpoint and the application.
+	AttachmentType *string `locationName:"attachmentType" type:"string" enum:"VerifiedAccessEndpointAttachmentType"`
+
+	// The creation time.
+	CreationTime *string `locationName:"creationTime" type:"string"`
+
+	// The deletion time.
+	DeletionTime *string `locationName:"deletionTime" type:"string"`
+
+	// A description for the Amazon Web Services Verified Access endpoint.
+	Description *string `locationName:"description" type:"string"`
+
+	// Returned if endpoint has a device trust provider attached.
+	DeviceValidationDomain *string `locationName:"deviceValidationDomain" type:"string"`
+
+	// The ARN of a public TLS/SSL certificate imported into or created with ACM.
+	DomainCertificateArn *string `locationName:"domainCertificateArn" type:"string"`
+
+	// A DNS name that is generated for the endpoint.
+	EndpointDomain *string `locationName:"endpointDomain" type:"string"`
+
+	// The type of Amazon Web Services Verified Access endpoint. Incoming application
+	// requests will be sent to an IP address, load balancer or a network interface
+	// depending on the endpoint type specified.
+	EndpointType *string `locationName:"endpointType" type:"string" enum:"VerifiedAccessEndpointType"`
+
+	// The last updated time.
+	LastUpdatedTime *string `locationName:"lastUpdatedTime" type:"string"`
+
+	// The load balancer details if creating the Amazon Web Services Verified Access
+	// endpoint as load-balancertype.
+	LoadBalancerOptions *VerifiedAccessEndpointLoadBalancerOptions `locationName:"loadBalancerOptions" type:"structure"`
+
+	// The options for network-interface type endpoint.
+	NetworkInterfaceOptions *VerifiedAccessEndpointEniOptions `locationName:"networkInterfaceOptions" type:"structure"`
+
+	// The IDs of the security groups for the endpoint.
+	SecurityGroupIds []*string `locationName:"securityGroupIdSet" locationNameList:"item" type:"list"`
+
+	// The endpoint status.
+	Status *VerifiedAccessEndpointStatus `locationName:"status" type:"structure"`
+
+	// The tags.
+	Tags []*Tag `locationName:"tagSet" locationNameList:"item" type:"list"`
+
+	// The ID of the Amazon Web Services Verified Access endpoint.
+	VerifiedAccessEndpointId *string `locationName:"verifiedAccessEndpointId" type:"string"`
+
+	// The ID of the Amazon Web Services Verified Access group.
+	VerifiedAccessGroupId *string `locationName:"verifiedAccessGroupId" type:"string"`
+
+	// The ID of the Amazon Web Services Verified Access instance.
+	VerifiedAccessInstanceId *string `locationName:"verifiedAccessInstanceId" type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessEndpoint) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessEndpoint) GoString() string {
+	return s.String()
+}
+
+// SetApplicationDomain sets the ApplicationDomain field's value.
+func (s *VerifiedAccessEndpoint) SetApplicationDomain(v string) *VerifiedAccessEndpoint {
+	s.ApplicationDomain = &v
+	return s
+}
+
+// SetAttachmentType sets the AttachmentType field's value.
+func (s *VerifiedAccessEndpoint) SetAttachmentType(v string) *VerifiedAccessEndpoint {
+	s.AttachmentType = &v
+	return s
+}
+
+// SetCreationTime sets the CreationTime field's value.
+func (s *VerifiedAccessEndpoint) SetCreationTime(v string) *VerifiedAccessEndpoint {
+	s.CreationTime = &v
+	return s
+}
+
+// SetDeletionTime sets the DeletionTime field's value.
+func (s *VerifiedAccessEndpoint) SetDeletionTime(v string) *VerifiedAccessEndpoint {
+	s.DeletionTime = &v
+	return s
+}
+
+// SetDescription sets the Description field's value.
+func (s *VerifiedAccessEndpoint) SetDescription(v string) *VerifiedAccessEndpoint {
+	s.Description = &v
+	return s
+}
+
+// SetDeviceValidationDomain sets the DeviceValidationDomain field's value.
+func (s *VerifiedAccessEndpoint) SetDeviceValidationDomain(v string) *VerifiedAccessEndpoint {
+	s.DeviceValidationDomain = &v
+	return s
+}
+
+// SetDomainCertificateArn sets the DomainCertificateArn field's value.
+func (s *VerifiedAccessEndpoint) SetDomainCertificateArn(v string) *VerifiedAccessEndpoint {
+	s.DomainCertificateArn = &v
+	return s
+}
+
+// SetEndpointDomain sets the EndpointDomain field's value.
+func (s *VerifiedAccessEndpoint) SetEndpointDomain(v string) *VerifiedAccessEndpoint {
+	s.EndpointDomain = &v
+	return s
+}
+
+// SetEndpointType sets the EndpointType field's value.
+func (s *VerifiedAccessEndpoint) SetEndpointType(v string) *VerifiedAccessEndpoint {
+	s.EndpointType = &v
+	return s
+}
+
+// SetLastUpdatedTime sets the LastUpdatedTime field's value.
+func (s *VerifiedAccessEndpoint) SetLastUpdatedTime(v string) *VerifiedAccessEndpoint {
+	s.LastUpdatedTime = &v
+	return s
+}
+
+// SetLoadBalancerOptions sets the LoadBalancerOptions field's value.
+func (s *VerifiedAccessEndpoint) SetLoadBalancerOptions(v *VerifiedAccessEndpointLoadBalancerOptions) *VerifiedAccessEndpoint {
+	s.LoadBalancerOptions = v
+	return s
+}
+
+// SetNetworkInterfaceOptions sets the NetworkInterfaceOptions field's value.
+func (s *VerifiedAccessEndpoint) SetNetworkInterfaceOptions(v *VerifiedAccessEndpointEniOptions) *VerifiedAccessEndpoint {
+	s.NetworkInterfaceOptions = v
+	return s
+}
+
+// SetSecurityGroupIds sets the SecurityGroupIds field's value.
+func (s *VerifiedAccessEndpoint) SetSecurityGroupIds(v []*string) *VerifiedAccessEndpoint {
+	s.SecurityGroupIds = v
+	return s
+}
+
+// SetStatus sets the Status field's value.
+func (s *VerifiedAccessEndpoint) SetStatus(v *VerifiedAccessEndpointStatus) *VerifiedAccessEndpoint {
+	s.Status = v
+	return s
+}
+
+// SetTags sets the Tags field's value.
+func (s *VerifiedAccessEndpoint) SetTags(v []*Tag) *VerifiedAccessEndpoint {
+	s.Tags = v
+	return s
+}
+
+// SetVerifiedAccessEndpointId sets the VerifiedAccessEndpointId field's value.
+func (s *VerifiedAccessEndpoint) SetVerifiedAccessEndpointId(v string) *VerifiedAccessEndpoint {
+	s.VerifiedAccessEndpointId = &v
+	return s
+}
+
+// SetVerifiedAccessGroupId sets the VerifiedAccessGroupId field's value.
+func (s *VerifiedAccessEndpoint) SetVerifiedAccessGroupId(v string) *VerifiedAccessEndpoint {
+	s.VerifiedAccessGroupId = &v
+	return s
+}
+
+// SetVerifiedAccessInstanceId sets the VerifiedAccessInstanceId field's value.
+func (s *VerifiedAccessEndpoint) SetVerifiedAccessInstanceId(v string) *VerifiedAccessEndpoint {
+	s.VerifiedAccessInstanceId = &v
+	return s
+}
+
+// Options for a network-interface type endpoint.
+type VerifiedAccessEndpointEniOptions struct {
+	_ struct{} `type:"structure"`
+
+	// The ID of the network interface.
+	NetworkInterfaceId *string `locationName:"networkInterfaceId" type:"string"`
+
+	// The IP port number.
+	Port *int64 `locationName:"port" min:"1" type:"integer"`
+
+	// The IP protocol.
+	Protocol *string `locationName:"protocol" type:"string" enum:"VerifiedAccessEndpointProtocol"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessEndpointEniOptions) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessEndpointEniOptions) GoString() string {
+	return s.String()
+}
+
+// SetNetworkInterfaceId sets the NetworkInterfaceId field's value.
+func (s *VerifiedAccessEndpointEniOptions) SetNetworkInterfaceId(v string) *VerifiedAccessEndpointEniOptions {
+	s.NetworkInterfaceId = &v
+	return s
+}
+
+// SetPort sets the Port field's value.
+func (s *VerifiedAccessEndpointEniOptions) SetPort(v int64) *VerifiedAccessEndpointEniOptions {
+	s.Port = &v
+	return s
+}
+
+// SetProtocol sets the Protocol field's value.
+func (s *VerifiedAccessEndpointEniOptions) SetProtocol(v string) *VerifiedAccessEndpointEniOptions {
+	s.Protocol = &v
+	return s
+}
+
+// Describes a load balancer when creating an Amazon Web Services Verified Access
+// endpoint using the load-balancer type.
+type VerifiedAccessEndpointLoadBalancerOptions struct {
+	_ struct{} `type:"structure"`
+
+	// The ARN of the load balancer.
+	LoadBalancerArn *string `locationName:"loadBalancerArn" type:"string"`
+
+	// The IP port number.
+	Port *int64 `locationName:"port" min:"1" type:"integer"`
+
+	// The IP protocol.
+	Protocol *string `locationName:"protocol" type:"string" enum:"VerifiedAccessEndpointProtocol"`
+
+	// The IDs of the subnets.
+	SubnetIds []*string `locationName:"subnetIdSet" locationNameList:"item" type:"list"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessEndpointLoadBalancerOptions) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessEndpointLoadBalancerOptions) GoString() string {
+	return s.String()
+}
+
+// SetLoadBalancerArn sets the LoadBalancerArn field's value.
+func (s *VerifiedAccessEndpointLoadBalancerOptions) SetLoadBalancerArn(v string) *VerifiedAccessEndpointLoadBalancerOptions {
+	s.LoadBalancerArn = &v
+	return s
+}
+
+// SetPort sets the Port field's value.
+func (s *VerifiedAccessEndpointLoadBalancerOptions) SetPort(v int64) *VerifiedAccessEndpointLoadBalancerOptions {
+	s.Port = &v
+	return s
+}
+
+// SetProtocol sets the Protocol field's value.
+func (s *VerifiedAccessEndpointLoadBalancerOptions) SetProtocol(v string) *VerifiedAccessEndpointLoadBalancerOptions {
+	s.Protocol = &v
+	return s
+}
+
+// SetSubnetIds sets the SubnetIds field's value.
+func (s *VerifiedAccessEndpointLoadBalancerOptions) SetSubnetIds(v []*string) *VerifiedAccessEndpointLoadBalancerOptions {
+	s.SubnetIds = v
+	return s
+}
+
+// Describes the status of a Verified Access endpoint.
+type VerifiedAccessEndpointStatus struct {
+	_ struct{} `type:"structure"`
+
+	// The status code of the Verified Access endpoint.
+	Code *string `locationName:"code" type:"string" enum:"VerifiedAccessEndpointStatusCode"`
+
+	// The status message of the Verified Access endpoint.
+	Message *string `locationName:"message" type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessEndpointStatus) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessEndpointStatus) GoString() string {
+	return s.String()
+}
+
+// SetCode sets the Code field's value.
+func (s *VerifiedAccessEndpointStatus) SetCode(v string) *VerifiedAccessEndpointStatus {
+	s.Code = &v
+	return s
+}
+
+// SetMessage sets the Message field's value.
+func (s *VerifiedAccessEndpointStatus) SetMessage(v string) *VerifiedAccessEndpointStatus {
+	s.Message = &v
+	return s
+}
+
+// Describes a Verified Access group.
+type VerifiedAccessGroup struct {
+	_ struct{} `type:"structure"`
+
+	// The creation time.
+	CreationTime *string `locationName:"creationTime" type:"string"`
+
+	// The deletion time.
+	DeletionTime *string `locationName:"deletionTime" type:"string"`
+
+	// A description for the Amazon Web Services Verified Access group.
+	Description *string `locationName:"description" type:"string"`
+
+	// The last updated time.
+	LastUpdatedTime *string `locationName:"lastUpdatedTime" type:"string"`
+
+	// The Amazon Web Services account number that owns the group.
+	Owner *string `locationName:"owner" type:"string"`
+
+	// The tags.
+	Tags []*Tag `locationName:"tagSet" locationNameList:"item" type:"list"`
+
+	// The ARN of the Verified Access group.
+	VerifiedAccessGroupArn *string `locationName:"verifiedAccessGroupArn" type:"string"`
+
+	// The ID of the Verified Access group.
+	VerifiedAccessGroupId *string `locationName:"verifiedAccessGroupId" type:"string"`
+
+	// The ID of the Amazon Web Services Verified Access instance.
+	VerifiedAccessInstanceId *string `locationName:"verifiedAccessInstanceId" type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessGroup) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessGroup) GoString() string {
+	return s.String()
+}
+
+// SetCreationTime sets the CreationTime field's value.
+func (s *VerifiedAccessGroup) SetCreationTime(v string) *VerifiedAccessGroup {
+	s.CreationTime = &v
+	return s
+}
+
+// SetDeletionTime sets the DeletionTime field's value.
+func (s *VerifiedAccessGroup) SetDeletionTime(v string) *VerifiedAccessGroup {
+	s.DeletionTime = &v
+	return s
+}
+
+// SetDescription sets the Description field's value.
+func (s *VerifiedAccessGroup) SetDescription(v string) *VerifiedAccessGroup {
+	s.Description = &v
+	return s
+}
+
+// SetLastUpdatedTime sets the LastUpdatedTime field's value.
+func (s *VerifiedAccessGroup) SetLastUpdatedTime(v string) *VerifiedAccessGroup {
+	s.LastUpdatedTime = &v
+	return s
+}
+
+// SetOwner sets the Owner field's value.
+func (s *VerifiedAccessGroup) SetOwner(v string) *VerifiedAccessGroup {
+	s.Owner = &v
+	return s
+}
+
+// SetTags sets the Tags field's value.
+func (s *VerifiedAccessGroup) SetTags(v []*Tag) *VerifiedAccessGroup {
+	s.Tags = v
+	return s
+}
+
+// SetVerifiedAccessGroupArn sets the VerifiedAccessGroupArn field's value.
+func (s *VerifiedAccessGroup) SetVerifiedAccessGroupArn(v string) *VerifiedAccessGroup {
+	s.VerifiedAccessGroupArn = &v
+	return s
+}
+
+// SetVerifiedAccessGroupId sets the VerifiedAccessGroupId field's value.
+func (s *VerifiedAccessGroup) SetVerifiedAccessGroupId(v string) *VerifiedAccessGroup {
+	s.VerifiedAccessGroupId = &v
+	return s
+}
+
+// SetVerifiedAccessInstanceId sets the VerifiedAccessInstanceId field's value.
+func (s *VerifiedAccessGroup) SetVerifiedAccessInstanceId(v string) *VerifiedAccessGroup {
+	s.VerifiedAccessInstanceId = &v
+	return s
+}
+
+// Describes a Verified Access instance.
+type VerifiedAccessInstance struct {
+	_ struct{} `type:"structure"`
+
+	// The creation time.
+	CreationTime *string `locationName:"creationTime" type:"string"`
+
+	// A description for the Amazon Web Services Verified Access instance.
+	Description *string `locationName:"description" type:"string"`
+
+	// The last updated time.
+	LastUpdatedTime *string `locationName:"lastUpdatedTime" type:"string"`
+
+	// The tags.
+	Tags []*Tag `locationName:"tagSet" locationNameList:"item" type:"list"`
+
+	// The ID of the Amazon Web Services Verified Access instance.
+	VerifiedAccessInstanceId *string `locationName:"verifiedAccessInstanceId" type:"string"`
+
+	// The IDs of the Amazon Web Services Verified Access trust providers.
+	VerifiedAccessTrustProviders []*VerifiedAccessTrustProviderCondensed `locationName:"verifiedAccessTrustProviderSet" locationNameList:"item" type:"list"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessInstance) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessInstance) GoString() string {
+	return s.String()
+}
+
+// SetCreationTime sets the CreationTime field's value.
+func (s *VerifiedAccessInstance) SetCreationTime(v string) *VerifiedAccessInstance {
+	s.CreationTime = &v
+	return s
+}
+
+// SetDescription sets the Description field's value.
+func (s *VerifiedAccessInstance) SetDescription(v string) *VerifiedAccessInstance {
+	s.Description = &v
+	return s
+}
+
+// SetLastUpdatedTime sets the LastUpdatedTime field's value.
+func (s *VerifiedAccessInstance) SetLastUpdatedTime(v string) *VerifiedAccessInstance {
+	s.LastUpdatedTime = &v
+	return s
+}
+
+// SetTags sets the Tags field's value.
+func (s *VerifiedAccessInstance) SetTags(v []*Tag) *VerifiedAccessInstance {
+	s.Tags = v
+	return s
+}
+
+// SetVerifiedAccessInstanceId sets the VerifiedAccessInstanceId field's value.
+func (s *VerifiedAccessInstance) SetVerifiedAccessInstanceId(v string) *VerifiedAccessInstance {
+	s.VerifiedAccessInstanceId = &v
+	return s
+}
+
+// SetVerifiedAccessTrustProviders sets the VerifiedAccessTrustProviders field's value.
+func (s *VerifiedAccessInstance) SetVerifiedAccessTrustProviders(v []*VerifiedAccessTrustProviderCondensed) *VerifiedAccessInstance {
+	s.VerifiedAccessTrustProviders = v
+	return s
+}
+
+// Describes logging options for an Amazon Web Services Verified Access instance.
+type VerifiedAccessInstanceLoggingConfiguration struct {
+	_ struct{} `type:"structure"`
+
+	// Details about the logging options.
+	AccessLogs *VerifiedAccessLogs `locationName:"accessLogs" type:"structure"`
+
+	// The ID of the Amazon Web Services Verified Access instance.
+	VerifiedAccessInstanceId *string `locationName:"verifiedAccessInstanceId" type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessInstanceLoggingConfiguration) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessInstanceLoggingConfiguration) GoString() string {
+	return s.String()
+}
+
+// SetAccessLogs sets the AccessLogs field's value.
+func (s *VerifiedAccessInstanceLoggingConfiguration) SetAccessLogs(v *VerifiedAccessLogs) *VerifiedAccessInstanceLoggingConfiguration {
+	s.AccessLogs = v
+	return s
+}
+
+// SetVerifiedAccessInstanceId sets the VerifiedAccessInstanceId field's value.
+func (s *VerifiedAccessInstanceLoggingConfiguration) SetVerifiedAccessInstanceId(v string) *VerifiedAccessInstanceLoggingConfiguration {
+	s.VerifiedAccessInstanceId = &v
+	return s
+}
+
+// Options for CloudWatch Logs as a logging destination.
+type VerifiedAccessLogCloudWatchLogsDestination struct {
+	_ struct{} `type:"structure"`
+
+	// The delivery status for access logs.
+	DeliveryStatus *VerifiedAccessLogDeliveryStatus `locationName:"deliveryStatus" type:"structure"`
+
+	// Indicates whether logging is enabled.
+	Enabled *bool `locationName:"enabled" type:"boolean"`
+
+	// The ID of the CloudWatch Logs log group.
+	LogGroup *string `locationName:"logGroup" type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessLogCloudWatchLogsDestination) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessLogCloudWatchLogsDestination) GoString() string {
+	return s.String()
+}
+
+// SetDeliveryStatus sets the DeliveryStatus field's value.
+func (s *VerifiedAccessLogCloudWatchLogsDestination) SetDeliveryStatus(v *VerifiedAccessLogDeliveryStatus) *VerifiedAccessLogCloudWatchLogsDestination {
+	s.DeliveryStatus = v
+	return s
+}
+
+// SetEnabled sets the Enabled field's value.
+func (s *VerifiedAccessLogCloudWatchLogsDestination) SetEnabled(v bool) *VerifiedAccessLogCloudWatchLogsDestination {
+	s.Enabled = &v
+	return s
+}
+
+// SetLogGroup sets the LogGroup field's value.
+func (s *VerifiedAccessLogCloudWatchLogsDestination) SetLogGroup(v string) *VerifiedAccessLogCloudWatchLogsDestination {
+	s.LogGroup = &v
+	return s
+}
+
+// Options for CloudWatch Logs as a logging destination.
+type VerifiedAccessLogCloudWatchLogsDestinationOptions struct {
+	_ struct{} `type:"structure"`
+
+	// Indicates whether logging is enabled.
+	//
+	// Enabled is a required field
+	Enabled *bool `type:"boolean" required:"true"`
+
+	// The ID of the CloudWatch Logs log group.
+	LogGroup *string `type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessLogCloudWatchLogsDestinationOptions) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessLogCloudWatchLogsDestinationOptions) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *VerifiedAccessLogCloudWatchLogsDestinationOptions) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "VerifiedAccessLogCloudWatchLogsDestinationOptions"}
+	if s.Enabled == nil {
+		invalidParams.Add(request.NewErrParamRequired("Enabled"))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetEnabled sets the Enabled field's value.
+func (s *VerifiedAccessLogCloudWatchLogsDestinationOptions) SetEnabled(v bool) *VerifiedAccessLogCloudWatchLogsDestinationOptions {
+	s.Enabled = &v
+	return s
+}
+
+// SetLogGroup sets the LogGroup field's value.
+func (s *VerifiedAccessLogCloudWatchLogsDestinationOptions) SetLogGroup(v string) *VerifiedAccessLogCloudWatchLogsDestinationOptions {
+	s.LogGroup = &v
+	return s
+}
+
+// Describes a log delivery status.
+type VerifiedAccessLogDeliveryStatus struct {
+	_ struct{} `type:"structure"`
+
+	// The status code.
+	Code *string `locationName:"code" type:"string" enum:"VerifiedAccessLogDeliveryStatusCode"`
+
+	// The status message.
+	Message *string `locationName:"message" type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessLogDeliveryStatus) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessLogDeliveryStatus) GoString() string {
+	return s.String()
+}
+
+// SetCode sets the Code field's value.
+func (s *VerifiedAccessLogDeliveryStatus) SetCode(v string) *VerifiedAccessLogDeliveryStatus {
+	s.Code = &v
+	return s
+}
+
+// SetMessage sets the Message field's value.
+func (s *VerifiedAccessLogDeliveryStatus) SetMessage(v string) *VerifiedAccessLogDeliveryStatus {
+	s.Message = &v
+	return s
+}
+
+// Options for Kinesis as a logging destination.
+type VerifiedAccessLogKinesisDataFirehoseDestination struct {
+	_ struct{} `type:"structure"`
+
+	// The delivery status.
+	DeliveryStatus *VerifiedAccessLogDeliveryStatus `locationName:"deliveryStatus" type:"structure"`
+
+	// The ID of the delivery stream.
+	DeliveryStream *string `locationName:"deliveryStream" type:"string"`
+
+	// Indicates whether logging is enabled.
+	Enabled *bool `locationName:"enabled" type:"boolean"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessLogKinesisDataFirehoseDestination) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessLogKinesisDataFirehoseDestination) GoString() string {
+	return s.String()
+}
+
+// SetDeliveryStatus sets the DeliveryStatus field's value.
+func (s *VerifiedAccessLogKinesisDataFirehoseDestination) SetDeliveryStatus(v *VerifiedAccessLogDeliveryStatus) *VerifiedAccessLogKinesisDataFirehoseDestination {
+	s.DeliveryStatus = v
+	return s
+}
+
+// SetDeliveryStream sets the DeliveryStream field's value.
+func (s *VerifiedAccessLogKinesisDataFirehoseDestination) SetDeliveryStream(v string) *VerifiedAccessLogKinesisDataFirehoseDestination {
+	s.DeliveryStream = &v
+	return s
+}
+
+// SetEnabled sets the Enabled field's value.
+func (s *VerifiedAccessLogKinesisDataFirehoseDestination) SetEnabled(v bool) *VerifiedAccessLogKinesisDataFirehoseDestination {
+	s.Enabled = &v
+	return s
+}
+
+// Describes Amazon Kinesis Data Firehose logging options.
+type VerifiedAccessLogKinesisDataFirehoseDestinationOptions struct {
+	_ struct{} `type:"structure"`
+
+	// The ID of the delivery stream.
+	DeliveryStream *string `type:"string"`
+
+	// Indicates whether logging is enabled.
+	//
+	// Enabled is a required field
+	Enabled *bool `type:"boolean" required:"true"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessLogKinesisDataFirehoseDestinationOptions) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessLogKinesisDataFirehoseDestinationOptions) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *VerifiedAccessLogKinesisDataFirehoseDestinationOptions) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "VerifiedAccessLogKinesisDataFirehoseDestinationOptions"}
+	if s.Enabled == nil {
+		invalidParams.Add(request.NewErrParamRequired("Enabled"))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetDeliveryStream sets the DeliveryStream field's value.
+func (s *VerifiedAccessLogKinesisDataFirehoseDestinationOptions) SetDeliveryStream(v string) *VerifiedAccessLogKinesisDataFirehoseDestinationOptions {
+	s.DeliveryStream = &v
+	return s
+}
+
+// SetEnabled sets the Enabled field's value.
+func (s *VerifiedAccessLogKinesisDataFirehoseDestinationOptions) SetEnabled(v bool) *VerifiedAccessLogKinesisDataFirehoseDestinationOptions {
+	s.Enabled = &v
+	return s
+}
+
+// Describes the destinations for Verified Access logs.
+type VerifiedAccessLogOptions struct {
+	_ struct{} `type:"structure"`
+
+	// Sends Verified Access logs to CloudWatch Logs.
+	CloudWatchLogs *VerifiedAccessLogCloudWatchLogsDestinationOptions `type:"structure"`
+
+	// Sends Verified Access logs to Kinesis.
+	KinesisDataFirehose *VerifiedAccessLogKinesisDataFirehoseDestinationOptions `type:"structure"`
+
+	// Sends Verified Access logs to Amazon S3.
+	S3 *VerifiedAccessLogS3DestinationOptions `type:"structure"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessLogOptions) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessLogOptions) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *VerifiedAccessLogOptions) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "VerifiedAccessLogOptions"}
+	if s.CloudWatchLogs != nil {
+		if err := s.CloudWatchLogs.Validate(); err != nil {
+			invalidParams.AddNested("CloudWatchLogs", err.(request.ErrInvalidParams))
+		}
+	}
+	if s.KinesisDataFirehose != nil {
+		if err := s.KinesisDataFirehose.Validate(); err != nil {
+			invalidParams.AddNested("KinesisDataFirehose", err.(request.ErrInvalidParams))
+		}
+	}
+	if s.S3 != nil {
+		if err := s.S3.Validate(); err != nil {
+			invalidParams.AddNested("S3", err.(request.ErrInvalidParams))
+		}
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetCloudWatchLogs sets the CloudWatchLogs field's value.
+func (s *VerifiedAccessLogOptions) SetCloudWatchLogs(v *VerifiedAccessLogCloudWatchLogsDestinationOptions) *VerifiedAccessLogOptions {
+	s.CloudWatchLogs = v
+	return s
+}
+
+// SetKinesisDataFirehose sets the KinesisDataFirehose field's value.
+func (s *VerifiedAccessLogOptions) SetKinesisDataFirehose(v *VerifiedAccessLogKinesisDataFirehoseDestinationOptions) *VerifiedAccessLogOptions {
+	s.KinesisDataFirehose = v
+	return s
+}
+
+// SetS3 sets the S3 field's value.
+func (s *VerifiedAccessLogOptions) SetS3(v *VerifiedAccessLogS3DestinationOptions) *VerifiedAccessLogOptions {
+	s.S3 = v
+	return s
+}
+
+// Options for Amazon S3 as a logging destination.
+type VerifiedAccessLogS3Destination struct {
+	_ struct{} `type:"structure"`
+
+	// The bucket name.
+	BucketName *string `locationName:"bucketName" type:"string"`
+
+	// The Amazon Web Services account number that owns the bucket.
+	BucketOwner *string `locationName:"bucketOwner" type:"string"`
+
+	// The delivery status.
+	DeliveryStatus *VerifiedAccessLogDeliveryStatus `locationName:"deliveryStatus" type:"structure"`
+
+	// Indicates whether logging is enabled.
+	Enabled *bool `locationName:"enabled" type:"boolean"`
+
+	// The bucket prefix.
+	Prefix *string `locationName:"prefix" type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessLogS3Destination) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessLogS3Destination) GoString() string {
+	return s.String()
+}
+
+// SetBucketName sets the BucketName field's value.
+func (s *VerifiedAccessLogS3Destination) SetBucketName(v string) *VerifiedAccessLogS3Destination {
+	s.BucketName = &v
+	return s
+}
+
+// SetBucketOwner sets the BucketOwner field's value.
+func (s *VerifiedAccessLogS3Destination) SetBucketOwner(v string) *VerifiedAccessLogS3Destination {
+	s.BucketOwner = &v
+	return s
+}
+
+// SetDeliveryStatus sets the DeliveryStatus field's value.
+func (s *VerifiedAccessLogS3Destination) SetDeliveryStatus(v *VerifiedAccessLogDeliveryStatus) *VerifiedAccessLogS3Destination {
+	s.DeliveryStatus = v
+	return s
+}
+
+// SetEnabled sets the Enabled field's value.
+func (s *VerifiedAccessLogS3Destination) SetEnabled(v bool) *VerifiedAccessLogS3Destination {
+	s.Enabled = &v
+	return s
+}
+
+// SetPrefix sets the Prefix field's value.
+func (s *VerifiedAccessLogS3Destination) SetPrefix(v string) *VerifiedAccessLogS3Destination {
+	s.Prefix = &v
+	return s
+}
+
+// Options for Amazon S3 as a logging destination.
+type VerifiedAccessLogS3DestinationOptions struct {
+	_ struct{} `type:"structure"`
+
+	// The bucket name.
+	BucketName *string `type:"string"`
+
+	// The ID of the Amazon Web Services account that owns the Amazon S3 bucket.
+	BucketOwner *string `type:"string"`
+
+	// Indicates whether logging is enabled.
+	//
+	// Enabled is a required field
+	Enabled *bool `type:"boolean" required:"true"`
+
+	// The bucket prefix.
+	Prefix *string `type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessLogS3DestinationOptions) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessLogS3DestinationOptions) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *VerifiedAccessLogS3DestinationOptions) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "VerifiedAccessLogS3DestinationOptions"}
+	if s.Enabled == nil {
+		invalidParams.Add(request.NewErrParamRequired("Enabled"))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetBucketName sets the BucketName field's value.
+func (s *VerifiedAccessLogS3DestinationOptions) SetBucketName(v string) *VerifiedAccessLogS3DestinationOptions {
+	s.BucketName = &v
+	return s
+}
+
+// SetBucketOwner sets the BucketOwner field's value.
+func (s *VerifiedAccessLogS3DestinationOptions) SetBucketOwner(v string) *VerifiedAccessLogS3DestinationOptions {
+	s.BucketOwner = &v
+	return s
+}
+
+// SetEnabled sets the Enabled field's value.
+func (s *VerifiedAccessLogS3DestinationOptions) SetEnabled(v bool) *VerifiedAccessLogS3DestinationOptions {
+	s.Enabled = &v
+	return s
+}
+
+// SetPrefix sets the Prefix field's value.
+func (s *VerifiedAccessLogS3DestinationOptions) SetPrefix(v string) *VerifiedAccessLogS3DestinationOptions {
+	s.Prefix = &v
+	return s
+}
+
+// Describes the destinations for Verified Access logs.
+type VerifiedAccessLogs struct {
+	_ struct{} `type:"structure"`
+
+	// CloudWatch Logs logging destination.
+	CloudWatchLogs *VerifiedAccessLogCloudWatchLogsDestination `locationName:"cloudWatchLogs" type:"structure"`
+
+	// Kinesis logging destination.
+	KinesisDataFirehose *VerifiedAccessLogKinesisDataFirehoseDestination `locationName:"kinesisDataFirehose" type:"structure"`
+
+	// Amazon S3 logging options.
+	S3 *VerifiedAccessLogS3Destination `locationName:"s3" type:"structure"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessLogs) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessLogs) GoString() string {
+	return s.String()
+}
+
+// SetCloudWatchLogs sets the CloudWatchLogs field's value.
+func (s *VerifiedAccessLogs) SetCloudWatchLogs(v *VerifiedAccessLogCloudWatchLogsDestination) *VerifiedAccessLogs {
+	s.CloudWatchLogs = v
+	return s
+}
+
+// SetKinesisDataFirehose sets the KinesisDataFirehose field's value.
+func (s *VerifiedAccessLogs) SetKinesisDataFirehose(v *VerifiedAccessLogKinesisDataFirehoseDestination) *VerifiedAccessLogs {
+	s.KinesisDataFirehose = v
+	return s
+}
+
+// SetS3 sets the S3 field's value.
+func (s *VerifiedAccessLogs) SetS3(v *VerifiedAccessLogS3Destination) *VerifiedAccessLogs {
+	s.S3 = v
+	return s
+}
+
+// Describes a Verified Access trust provider.
+type VerifiedAccessTrustProvider struct {
+	_ struct{} `type:"structure"`
+
+	// The creation time.
+	CreationTime *string `locationName:"creationTime" type:"string"`
+
+	// A description for the Amazon Web Services Verified Access trust provider.
+	Description *string `locationName:"description" type:"string"`
+
+	// The options for device-identity type trust provider.
+	DeviceOptions *DeviceOptions `locationName:"deviceOptions" type:"structure"`
+
+	// The type of device-based trust provider.
+	DeviceTrustProviderType *string `locationName:"deviceTrustProviderType" type:"string" enum:"DeviceTrustProviderType"`
+
+	// The last updated time.
+	LastUpdatedTime *string `locationName:"lastUpdatedTime" type:"string"`
+
+	// The OpenID Connect details for an oidc-type, user-identity based trust provider.
+	OidcOptions *OidcOptions `locationName:"oidcOptions" type:"structure"`
+
+	// The identifier to be used when working with policy rules.
+	PolicyReferenceName *string `locationName:"policyReferenceName" type:"string"`
+
+	// The tags.
+	Tags []*Tag `locationName:"tagSet" locationNameList:"item" type:"list"`
+
+	// The type of Verified Access trust provider.
+	TrustProviderType *string `locationName:"trustProviderType" type:"string" enum:"TrustProviderType"`
+
+	// The type of user-based trust provider.
+	UserTrustProviderType *string `locationName:"userTrustProviderType" type:"string" enum:"UserTrustProviderType"`
+
+	// The ID of the Amazon Web Services Verified Access trust provider.
+	VerifiedAccessTrustProviderId *string `locationName:"verifiedAccessTrustProviderId" type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessTrustProvider) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessTrustProvider) GoString() string {
+	return s.String()
+}
+
+// SetCreationTime sets the CreationTime field's value.
+func (s *VerifiedAccessTrustProvider) SetCreationTime(v string) *VerifiedAccessTrustProvider {
+	s.CreationTime = &v
+	return s
+}
+
+// SetDescription sets the Description field's value.
+func (s *VerifiedAccessTrustProvider) SetDescription(v string) *VerifiedAccessTrustProvider {
+	s.Description = &v
+	return s
+}
+
+// SetDeviceOptions sets the DeviceOptions field's value.
+func (s *VerifiedAccessTrustProvider) SetDeviceOptions(v *DeviceOptions) *VerifiedAccessTrustProvider {
+	s.DeviceOptions = v
+	return s
+}
+
+// SetDeviceTrustProviderType sets the DeviceTrustProviderType field's value.
+func (s *VerifiedAccessTrustProvider) SetDeviceTrustProviderType(v string) *VerifiedAccessTrustProvider {
+	s.DeviceTrustProviderType = &v
+	return s
+}
+
+// SetLastUpdatedTime sets the LastUpdatedTime field's value.
+func (s *VerifiedAccessTrustProvider) SetLastUpdatedTime(v string) *VerifiedAccessTrustProvider {
+	s.LastUpdatedTime = &v
+	return s
+}
+
+// SetOidcOptions sets the OidcOptions field's value.
+func (s *VerifiedAccessTrustProvider) SetOidcOptions(v *OidcOptions) *VerifiedAccessTrustProvider {
+	s.OidcOptions = v
+	return s
+}
+
+// SetPolicyReferenceName sets the PolicyReferenceName field's value.
+func (s *VerifiedAccessTrustProvider) SetPolicyReferenceName(v string) *VerifiedAccessTrustProvider {
+	s.PolicyReferenceName = &v
+	return s
+}
+
+// SetTags sets the Tags field's value.
+func (s *VerifiedAccessTrustProvider) SetTags(v []*Tag) *VerifiedAccessTrustProvider {
+	s.Tags = v
+	return s
+}
+
+// SetTrustProviderType sets the TrustProviderType field's value.
+func (s *VerifiedAccessTrustProvider) SetTrustProviderType(v string) *VerifiedAccessTrustProvider {
+	s.TrustProviderType = &v
+	return s
+}
+
+// SetUserTrustProviderType sets the UserTrustProviderType field's value.
+func (s *VerifiedAccessTrustProvider) SetUserTrustProviderType(v string) *VerifiedAccessTrustProvider {
+	s.UserTrustProviderType = &v
+	return s
+}
+
+// SetVerifiedAccessTrustProviderId sets the VerifiedAccessTrustProviderId field's value.
+func (s *VerifiedAccessTrustProvider) SetVerifiedAccessTrustProviderId(v string) *VerifiedAccessTrustProvider {
+	s.VerifiedAccessTrustProviderId = &v
+	return s
+}
+
+// Condensed information about a trust provider.
+type VerifiedAccessTrustProviderCondensed struct {
+	_ struct{} `type:"structure"`
+
+	// The description of trust provider.
+	Description *string `locationName:"description" type:"string"`
+
+	// The type of device-based trust provider.
+	DeviceTrustProviderType *string `locationName:"deviceTrustProviderType" type:"string" enum:"DeviceTrustProviderType"`
+
+	// The type of trust provider (user- or device-based).
+	TrustProviderType *string `locationName:"trustProviderType" type:"string" enum:"TrustProviderType"`
+
+	// The type of user-based trust provider.
+	UserTrustProviderType *string `locationName:"userTrustProviderType" type:"string" enum:"UserTrustProviderType"`
+
+	// The ID of the trust provider.
+	VerifiedAccessTrustProviderId *string `locationName:"verifiedAccessTrustProviderId" type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessTrustProviderCondensed) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s VerifiedAccessTrustProviderCondensed) GoString() string {
+	return s.String()
+}
+
+// SetDescription sets the Description field's value.
+func (s *VerifiedAccessTrustProviderCondensed) SetDescription(v string) *VerifiedAccessTrustProviderCondensed {
+	s.Description = &v
+	return s
+}
+
+// SetDeviceTrustProviderType sets the DeviceTrustProviderType field's value.
+func (s *VerifiedAccessTrustProviderCondensed) SetDeviceTrustProviderType(v string) *VerifiedAccessTrustProviderCondensed {
+	s.DeviceTrustProviderType = &v
+	return s
+}
+
+// SetTrustProviderType sets the TrustProviderType field's value.
+func (s *VerifiedAccessTrustProviderCondensed) SetTrustProviderType(v string) *VerifiedAccessTrustProviderCondensed {
+	s.TrustProviderType = &v
+	return s
+}
+
+// SetUserTrustProviderType sets the UserTrustProviderType field's value.
+func (s *VerifiedAccessTrustProviderCondensed) SetUserTrustProviderType(v string) *VerifiedAccessTrustProviderCondensed {
+	s.UserTrustProviderType = &v
+	return s
+}
+
+// SetVerifiedAccessTrustProviderId sets the VerifiedAccessTrustProviderId field's value.
+func (s *VerifiedAccessTrustProviderCondensed) SetVerifiedAccessTrustProviderId(v string) *VerifiedAccessTrustProviderCondensed {
+	s.VerifiedAccessTrustProviderId = &v
+	return s
+}
+
 // Describes telemetry for a VPN tunnel.
 type VgwTelemetry struct {
 	_ struct{} `type:"structure"`
@@ -168436,6 +176986,22 @@ func DestinationFileFormat_Values() []string {
 	}
 }
 
+const (
+	// DeviceTrustProviderTypeJamf is a DeviceTrustProviderType enum value
+	DeviceTrustProviderTypeJamf = "jamf"
+
+	// DeviceTrustProviderTypeCrowdstrike is a DeviceTrustProviderType enum value
+	DeviceTrustProviderTypeCrowdstrike = "crowdstrike"
+)
+
+// DeviceTrustProviderType_Values returns all elements of the DeviceTrustProviderType enum
+func DeviceTrustProviderType_Values() []string {
+	return []string{
+		DeviceTrustProviderTypeJamf,
+		DeviceTrustProviderTypeCrowdstrike,
+	}
+}
+
 const (
 	// DeviceTypeEbs is a DeviceType enum value
 	DeviceTypeEbs = "ebs"
@@ -171507,6 +180073,9 @@ const (
 
 	// InstanceTypeTrn132xlarge is a InstanceType enum value
 	InstanceTypeTrn132xlarge = "trn1.32xlarge"
+
+	// InstanceTypeHpc6id32xlarge is a InstanceType enum value
+	InstanceTypeHpc6id32xlarge = "hpc6id.32xlarge"
 )
 
 // InstanceType_Values returns all elements of the InstanceType enum
@@ -172085,6 +180654,7 @@ func InstanceType_Values() []string {
 		InstanceTypeU24tb1112xlarge,
 		InstanceTypeTrn12xlarge,
 		InstanceTypeTrn132xlarge,
+		InstanceTypeHpc6id32xlarge,
 	}
 }
 
@@ -172936,6 +181506,18 @@ func MembershipType_Values() []string {
 	}
 }
 
+const (
+	// MetricTypeAggregateLatency is a MetricType enum value
+	MetricTypeAggregateLatency = "aggregate-latency"
+)
+
+// MetricType_Values returns all elements of the MetricType enum
+func MetricType_Values() []string {
+	return []string{
+		MetricTypeAggregateLatency,
+	}
+}
+
 const (
 	// ModifyAvailabilityZoneOptInStatusOptedIn is a ModifyAvailabilityZoneOptInStatus enum value
 	ModifyAvailabilityZoneOptInStatusOptedIn = "opted-in"
@@ -173344,6 +181926,38 @@ func PaymentOption_Values() []string {
 	}
 }
 
+const (
+	// PeriodTypeFiveMinutes is a PeriodType enum value
+	PeriodTypeFiveMinutes = "five-minutes"
+
+	// PeriodTypeFifteenMinutes is a PeriodType enum value
+	PeriodTypeFifteenMinutes = "fifteen-minutes"
+
+	// PeriodTypeOneHour is a PeriodType enum value
+	PeriodTypeOneHour = "one-hour"
+
+	// PeriodTypeThreeHours is a PeriodType enum value
+	PeriodTypeThreeHours = "three-hours"
+
+	// PeriodTypeOneDay is a PeriodType enum value
+	PeriodTypeOneDay = "one-day"
+
+	// PeriodTypeOneWeek is a PeriodType enum value
+	PeriodTypeOneWeek = "one-week"
+)
+
+// PeriodType_Values returns all elements of the PeriodType enum
+func PeriodType_Values() []string {
+	return []string{
+		PeriodTypeFiveMinutes,
+		PeriodTypeFifteenMinutes,
+		PeriodTypeOneHour,
+		PeriodTypeThreeHours,
+		PeriodTypeOneDay,
+		PeriodTypeOneWeek,
+	}
+}
+
 const (
 	// PermissionGroupAll is a PermissionGroup enum value
 	PermissionGroupAll = "all"
@@ -174017,8 +182631,26 @@ const (
 	// ResourceTypeVpcEndpointConnectionDeviceType is a ResourceType enum value
 	ResourceTypeVpcEndpointConnectionDeviceType = "vpc-endpoint-connection-device-type"
 
+	// ResourceTypeVerifiedAccessInstance is a ResourceType enum value
+	ResourceTypeVerifiedAccessInstance = "verified-access-instance"
+
+	// ResourceTypeVerifiedAccessGroup is a ResourceType enum value
+	ResourceTypeVerifiedAccessGroup = "verified-access-group"
+
+	// ResourceTypeVerifiedAccessEndpoint is a ResourceType enum value
+	ResourceTypeVerifiedAccessEndpoint = "verified-access-endpoint"
+
+	// ResourceTypeVerifiedAccessPolicy is a ResourceType enum value
+	ResourceTypeVerifiedAccessPolicy = "verified-access-policy"
+
+	// ResourceTypeVerifiedAccessTrustProvider is a ResourceType enum value
+	ResourceTypeVerifiedAccessTrustProvider = "verified-access-trust-provider"
+
 	// ResourceTypeVpnConnectionDeviceType is a ResourceType enum value
 	ResourceTypeVpnConnectionDeviceType = "vpn-connection-device-type"
+
+	// ResourceTypeVpcBlockPublicAccessExclusion is a ResourceType enum value
+	ResourceTypeVpcBlockPublicAccessExclusion = "vpc-block-public-access-exclusion"
 )
 
 // ResourceType_Values returns all elements of the ResourceType enum
@@ -174100,7 +182732,13 @@ func ResourceType_Values() []string {
 		ResourceTypeCapacityReservationFleet,
 		ResourceTypeTrafficMirrorFilterRule,
 		ResourceTypeVpcEndpointConnectionDeviceType,
+		ResourceTypeVerifiedAccessInstance,
+		ResourceTypeVerifiedAccessGroup,
+		ResourceTypeVerifiedAccessEndpoint,
+		ResourceTypeVerifiedAccessPolicy,
+		ResourceTypeVerifiedAccessTrustProvider,
 		ResourceTypeVpnConnectionDeviceType,
+		ResourceTypeVpcBlockPublicAccessExclusion,
 	}
 }
 
@@ -174520,6 +183158,18 @@ func StaticSourcesSupportValue_Values() []string {
 	}
 }
 
+const (
+	// StatisticTypeP50 is a StatisticType enum value
+	StatisticTypeP50 = "p50"
+)
+
+// StatisticType_Values returns all elements of the StatisticType enum
+func StatisticType_Values() []string {
+	return []string{
+		StatisticTypeP50,
+	}
+}
+
 const (
 	// StatusMoveInProgress is a Status enum value
 	StatusMoveInProgress = "MoveInProgress"
@@ -175368,6 +184018,22 @@ func TransportProtocol_Values() []string {
 	}
 }
 
+const (
+	// TrustProviderTypeUser is a TrustProviderType enum value
+	TrustProviderTypeUser = "user"
+
+	// TrustProviderTypeDevice is a TrustProviderType enum value
+	TrustProviderTypeDevice = "device"
+)
+
+// TrustProviderType_Values returns all elements of the TrustProviderType enum
+func TrustProviderType_Values() []string {
+	return []string{
+		TrustProviderTypeUser,
+		TrustProviderTypeDevice,
+	}
+}
+
 const (
 	// TunnelInsideIpVersionIpv4 is a TunnelInsideIpVersion enum value
 	TunnelInsideIpVersionIpv4 = "ipv4"
@@ -175448,6 +184114,110 @@ func UsageClassType_Values() []string {
 	}
 }
 
+const (
+	// UserTrustProviderTypeIamIdentityCenter is a UserTrustProviderType enum value
+	UserTrustProviderTypeIamIdentityCenter = "iam-identity-center"
+
+	// UserTrustProviderTypeOidc is a UserTrustProviderType enum value
+	UserTrustProviderTypeOidc = "oidc"
+)
+
+// UserTrustProviderType_Values returns all elements of the UserTrustProviderType enum
+func UserTrustProviderType_Values() []string {
+	return []string{
+		UserTrustProviderTypeIamIdentityCenter,
+		UserTrustProviderTypeOidc,
+	}
+}
+
+const (
+	// VerifiedAccessEndpointAttachmentTypeVpc is a VerifiedAccessEndpointAttachmentType enum value
+	VerifiedAccessEndpointAttachmentTypeVpc = "vpc"
+)
+
+// VerifiedAccessEndpointAttachmentType_Values returns all elements of the VerifiedAccessEndpointAttachmentType enum
+func VerifiedAccessEndpointAttachmentType_Values() []string {
+	return []string{
+		VerifiedAccessEndpointAttachmentTypeVpc,
+	}
+}
+
+const (
+	// VerifiedAccessEndpointProtocolHttp is a VerifiedAccessEndpointProtocol enum value
+	VerifiedAccessEndpointProtocolHttp = "http"
+
+	// VerifiedAccessEndpointProtocolHttps is a VerifiedAccessEndpointProtocol enum value
+	VerifiedAccessEndpointProtocolHttps = "https"
+)
+
+// VerifiedAccessEndpointProtocol_Values returns all elements of the VerifiedAccessEndpointProtocol enum
+func VerifiedAccessEndpointProtocol_Values() []string {
+	return []string{
+		VerifiedAccessEndpointProtocolHttp,
+		VerifiedAccessEndpointProtocolHttps,
+	}
+}
+
+const (
+	// VerifiedAccessEndpointStatusCodePending is a VerifiedAccessEndpointStatusCode enum value
+	VerifiedAccessEndpointStatusCodePending = "pending"
+
+	// VerifiedAccessEndpointStatusCodeActive is a VerifiedAccessEndpointStatusCode enum value
+	VerifiedAccessEndpointStatusCodeActive = "active"
+
+	// VerifiedAccessEndpointStatusCodeUpdating is a VerifiedAccessEndpointStatusCode enum value
+	VerifiedAccessEndpointStatusCodeUpdating = "updating"
+
+	// VerifiedAccessEndpointStatusCodeDeleting is a VerifiedAccessEndpointStatusCode enum value
+	VerifiedAccessEndpointStatusCodeDeleting = "deleting"
+
+	// VerifiedAccessEndpointStatusCodeDeleted is a VerifiedAccessEndpointStatusCode enum value
+	VerifiedAccessEndpointStatusCodeDeleted = "deleted"
+)
+
+// VerifiedAccessEndpointStatusCode_Values returns all elements of the VerifiedAccessEndpointStatusCode enum
+func VerifiedAccessEndpointStatusCode_Values() []string {
+	return []string{
+		VerifiedAccessEndpointStatusCodePending,
+		VerifiedAccessEndpointStatusCodeActive,
+		VerifiedAccessEndpointStatusCodeUpdating,
+		VerifiedAccessEndpointStatusCodeDeleting,
+		VerifiedAccessEndpointStatusCodeDeleted,
+	}
+}
+
+const (
+	// VerifiedAccessEndpointTypeLoadBalancer is a VerifiedAccessEndpointType enum value
+	VerifiedAccessEndpointTypeLoadBalancer = "load-balancer"
+
+	// VerifiedAccessEndpointTypeNetworkInterface is a VerifiedAccessEndpointType enum value
+	VerifiedAccessEndpointTypeNetworkInterface = "network-interface"
+)
+
+// VerifiedAccessEndpointType_Values returns all elements of the VerifiedAccessEndpointType enum
+func VerifiedAccessEndpointType_Values() []string {
+	return []string{
+		VerifiedAccessEndpointTypeLoadBalancer,
+		VerifiedAccessEndpointTypeNetworkInterface,
+	}
+}
+
+const (
+	// VerifiedAccessLogDeliveryStatusCodeSuccess is a VerifiedAccessLogDeliveryStatusCode enum value
+	VerifiedAccessLogDeliveryStatusCodeSuccess = "success"
+
+	// VerifiedAccessLogDeliveryStatusCodeFailed is a VerifiedAccessLogDeliveryStatusCode enum value
+	VerifiedAccessLogDeliveryStatusCodeFailed = "failed"
+)
+
+// VerifiedAccessLogDeliveryStatusCode_Values returns all elements of the VerifiedAccessLogDeliveryStatusCode enum
+func VerifiedAccessLogDeliveryStatusCode_Values() []string {
+	return []string{
+		VerifiedAccessLogDeliveryStatusCodeSuccess,
+		VerifiedAccessLogDeliveryStatusCodeFailed,
+	}
+}
+
 const (
 	// VirtualizationTypeHvm is a VirtualizationType enum value
 	VirtualizationTypeHvm = "hvm"
diff --git a/vendor/github.com/aws/aws-sdk-go/service/kms/api.go b/vendor/github.com/aws/aws-sdk-go/service/kms/api.go
index 2ac8aa1be..dc0252cd0 100644
--- a/vendor/github.com/aws/aws-sdk-go/service/kms/api.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/kms/api.go
@@ -93,8 +93,8 @@ func (c *KMS) CancelKeyDeletionRequest(input *CancelKeyDeletionInput) (req *requ
 //     is not valid.
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - InternalException
 //     The request was rejected because an internal exception occurred. The request
@@ -104,10 +104,18 @@ func (c *KMS) CancelKeyDeletionRequest(input *CancelKeyDeletionInput) (req *requ
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CancelKeyDeletion
 func (c *KMS) CancelKeyDeletion(input *CancelKeyDeletionInput) (*CancelKeyDeletionOutput, error) {
 	req, out := c.CancelKeyDeletionRequest(input)
@@ -175,32 +183,26 @@ func (c *KMS) ConnectCustomKeyStoreRequest(input *ConnectCustomKeyStoreInput) (r
 // ConnectCustomKeyStore API operation for AWS Key Management Service.
 //
 // Connects or reconnects a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
-// to its associated CloudHSM cluster.
+// to its backing key store. For an CloudHSM key store, ConnectCustomKeyStore
+// connects the key store to its associated CloudHSM cluster. For an external
+// key store, ConnectCustomKeyStore connects the key store to the external key
+// store proxy that communicates with your external key manager.
 //
 // The custom key store must be connected before you can create KMS keys in
 // the key store or use the KMS keys it contains. You can disconnect and reconnect
 // a custom key store at any time.
 //
-// To connect a custom key store, its associated CloudHSM cluster must have
-// at least one active HSM. To get the number of active HSMs in a cluster, use
-// the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
-// operation. To add HSMs to the cluster, use the CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
-// operation. Also, the kmsuser crypto user (https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser)
-// (CU) must not be logged into the cluster. This prevents KMS from using this
-// account to log in.
-//
-// The connection process can take an extended amount of time to complete; up
-// to 20 minutes. This operation starts the connection process, but it does
-// not wait for it to complete. When it succeeds, this operation quickly returns
-// an HTTP 200 response and a JSON object with no properties. However, this
-// response does not indicate that the custom key store is connected. To get
-// the connection state of the custom key store, use the DescribeCustomKeyStores
+// The connection process for a custom key store can take an extended amount
+// of time to complete. This operation starts the connection process, but it
+// does not wait for it to complete. When it succeeds, this operation quickly
+// returns an HTTP 200 response and a JSON object with no properties. However,
+// this response does not indicate that the custom key store is connected. To
+// get the connection state of the custom key store, use the DescribeCustomKeyStores
 // operation.
 //
-// During the connection process, KMS finds the CloudHSM cluster that is associated
-// with the custom key store, creates the connection infrastructure, connects
-// to the cluster, logs into the CloudHSM client as the kmsuser CU, and rotates
-// its password.
+// This operation is part of the custom key stores (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
+// feature in KMS, which combines the convenience and extensive integration
+// of KMS with the isolation and control of a key store that you own and manage.
 //
 // The ConnectCustomKeyStore operation might fail for various reasons. To find
 // the reason, use the DescribeCustomKeyStores operation and see the ConnectionErrorCode
@@ -210,8 +212,44 @@ func (c *KMS) ConnectCustomKeyStoreRequest(input *ConnectCustomKeyStoreInput) (r
 // the custom key store, correct the error, use the UpdateCustomKeyStore operation
 // if necessary, and then use ConnectCustomKeyStore again.
 //
-// If you are having trouble connecting or disconnecting a custom key store,
-// see Troubleshooting a Custom Key Store (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html)
+// # CloudHSM key store
+//
+// During the connection process for an CloudHSM key store, KMS finds the CloudHSM
+// cluster that is associated with the custom key store, creates the connection
+// infrastructure, connects to the cluster, logs into the CloudHSM client as
+// the kmsuser CU, and rotates its password.
+//
+// To connect an CloudHSM key store, its associated CloudHSM cluster must have
+// at least one active HSM. To get the number of active HSMs in a cluster, use
+// the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
+// operation. To add HSMs to the cluster, use the CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
+// operation. Also, the kmsuser crypto user (https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser)
+// (CU) must not be logged into the cluster. This prevents KMS from using this
+// account to log in.
+//
+// If you are having trouble connecting or disconnecting a CloudHSM key store,
+// see Troubleshooting an CloudHSM key store (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html)
+// in the Key Management Service Developer Guide.
+//
+// # External key store
+//
+// When you connect an external key store that uses public endpoint connectivity,
+// KMS tests its ability to communicate with your external key manager by sending
+// a request via the external key store proxy.
+//
+// When you connect to an external key store that uses VPC endpoint service
+// connectivity, KMS establishes the networking elements that it needs to communicate
+// with your external key manager via the external key store proxy. This includes
+// creating an interface endpoint to the VPC endpoint service and a private
+// hosted zone for traffic between KMS and the VPC endpoint service.
+//
+// To connect an external key store, KMS must be able to connect to the external
+// key store proxy, the external key store proxy must be able to communicate
+// with your external key manager, and the external key manager must be available
+// for cryptographic operations.
+//
+// If you are having trouble connecting or disconnecting an external key store,
+// see Troubleshooting an external key store (https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html)
 // in the Key Management Service Developer Guide.
 //
 // Cross-account use: No. You cannot perform this operation on a custom key
@@ -242,10 +280,9 @@ func (c *KMS) ConnectCustomKeyStoreRequest(input *ConnectCustomKeyStoreInput) (r
 // Returned Error Types:
 //
 //   - CloudHsmClusterNotActiveException
-//     The request was rejected because the CloudHSM cluster that is associated
-//     with the custom key store is not active. Initialize and activate the cluster
-//     and try the command again. For detailed instructions, see Getting Started
-//     (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html)
+//     The request was rejected because the CloudHSM cluster associated with the
+//     CloudHSM key store is not active. Initialize and activate the cluster and
+//     try the command again. For detailed instructions, see Getting Started (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html)
 //     in the CloudHSM User Guide.
 //
 //   - CustomKeyStoreInvalidStateException
@@ -255,17 +292,27 @@ func (c *KMS) ConnectCustomKeyStoreRequest(input *ConnectCustomKeyStoreInput) (r
 //
 //     This exception is thrown under the following conditions:
 //
-//   - You requested the CreateKey or GenerateRandom operation in a custom
-//     key store that is not connected. These operations are valid only when
-//     the custom key store ConnectionState is CONNECTED.
+//   - You requested the ConnectCustomKeyStore operation on a custom key store
+//     with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
+//     for all other ConnectionState values. To reconnect a custom key store
+//     in a FAILED state, disconnect it (DisconnectCustomKeyStore), then connect
+//     it (ConnectCustomKeyStore).
+//
+//   - You requested the CreateKey operation in a custom key store that is
+//     not connected. This operations is valid only when the custom key store
+//     ConnectionState is CONNECTED.
+//
+//   - You requested the DisconnectCustomKeyStore operation on a custom key
+//     store with a ConnectionState of DISCONNECTING or DISCONNECTED. This operation
+//     is valid for all other ConnectionState values.
 //
 //   - You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation
 //     on a custom key store that is not disconnected. This operation is valid
 //     only when the custom key store ConnectionState is DISCONNECTED.
 //
-//   - You requested the ConnectCustomKeyStore operation on a custom key store
-//     with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
-//     for all other ConnectionState values.
+//   - You requested the GenerateRandom operation in an CloudHSM key store
+//     that is not connected. This operation is valid only when the CloudHSM
+//     key store ConnectionState is CONNECTED.
 //
 //   - CustomKeyStoreNotFoundException
 //     The request was rejected because KMS cannot find a custom key store with
@@ -277,29 +324,29 @@ func (c *KMS) ConnectCustomKeyStoreRequest(input *ConnectCustomKeyStoreInput) (r
 //
 //   - CloudHsmClusterInvalidConfigurationException
 //     The request was rejected because the associated CloudHSM cluster did not
-//     meet the configuration requirements for a custom key store.
+//     meet the configuration requirements for an CloudHSM key store.
 //
-//   - The cluster must be configured with private subnets in at least two
-//     different Availability Zones in the Region.
+//   - The CloudHSM cluster must be configured with private subnets in at least
+//     two different Availability Zones in the Region.
 //
 //   - The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html)
 //     (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound
 //     rules that allow TCP traffic on ports 2223-2225. The Source in the inbound
 //     rules and the Destination in the outbound rules must match the security
-//     group ID. These rules are set by default when you create the cluster.
-//     Do not delete or change them. To get information about a particular security
-//     group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html)
+//     group ID. These rules are set by default when you create the CloudHSM
+//     cluster. Do not delete or change them. To get information about a particular
+//     security group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html)
 //     operation.
 //
-//   - The cluster must contain at least as many HSMs as the operation requires.
-//     To add HSMs, use the CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
+//   - The CloudHSM cluster must contain at least as many HSMs as the operation
+//     requires. To add HSMs, use the CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
 //     operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey
 //     operations, the CloudHSM cluster must have at least two active HSMs, each
 //     in a different Availability Zone. For the ConnectCustomKeyStore operation,
 //     the CloudHSM must contain at least one active HSM.
 //
 //     For information about the requirements for an CloudHSM cluster that is associated
-//     with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore)
+//     with an CloudHSM key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore)
 //     in the Key Management Service Developer Guide. For information about creating
 //     a private subnet for an CloudHSM cluster, see Create a Private Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html)
 //     in the CloudHSM User Guide. For information about cluster security groups,
@@ -375,7 +422,7 @@ func (c *KMS) CreateAliasRequest(input *CreateAliasInput) (req *request.Request,
 // Creates a friendly name for a KMS key.
 //
 // Adding, deleting, or updating an alias can allow or deny permission to the
-// KMS key. For details, see ABAC in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html)
+// KMS key. For details, see ABAC for KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html)
 // in the Key Management Service Developer Guide.
 //
 // You can use an alias to identify a KMS key in the KMS console, in the DescribeKey
@@ -433,8 +480,8 @@ func (c *KMS) CreateAliasRequest(input *CreateAliasInput) (req *request.Request,
 // Returned Error Types:
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - AlreadyExistsException
 //     The request was rejected because it attempted to create a resource that already
@@ -460,10 +507,18 @@ func (c *KMS) CreateAliasRequest(input *CreateAliasInput) (req *request.Request,
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateAlias
 func (c *KMS) CreateAlias(input *CreateAliasInput) (*CreateAliasOutput, error) {
 	req, out := c.CreateAliasRequest(input)
@@ -530,27 +585,65 @@ func (c *KMS) CreateCustomKeyStoreRequest(input *CreateCustomKeyStoreInput) (req
 // CreateCustomKeyStore API operation for AWS Key Management Service.
 //
 // Creates a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
-// that is associated with an CloudHSM cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html)
-// that you own and manage.
+// backed by a key store that you own and manage. When you use a KMS key in
+// a custom key store for a cryptographic operation, the cryptographic operation
+// is actually performed in your key store using your keys. KMS supports CloudHSM
+// key stores (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html)
+// backed by an CloudHSM cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html)
+// and external key stores (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html)
+// backed by an external key store proxy and external key manager outside of
+// Amazon Web Services.
 //
-// This operation is part of the custom key store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
+// This operation is part of the custom key stores (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
 // feature in KMS, which combines the convenience and extensive integration
-// of KMS with the isolation and control of a single-tenant key store.
+// of KMS with the isolation and control of a key store that you own and manage.
 //
-// Before you create the custom key store, you must assemble the required elements,
-// including an CloudHSM cluster that fulfills the requirements for a custom
-// key store. For details about the required elements, see Assemble the Prerequisites
-// (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore)
+// Before you create the custom key store, the required elements must be in
+// place and operational. We recommend that you use the test tools that KMS
+// provides to verify the configuration your external key store proxy. For details
+// about the required elements and verification tests, see Assemble the prerequisites
+// (for CloudHSM key stores) (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore)
+// or Assemble the prerequisites (for external key stores) (https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keystore.html#xks-requirements)
 // in the Key Management Service Developer Guide.
 //
+// To create a custom key store, use the following parameters.
+//
+//   - To create an CloudHSM key store, specify the CustomKeyStoreName, CloudHsmClusterId,
+//     KeyStorePassword, and TrustAnchorCertificate. The CustomKeyStoreType parameter
+//     is optional for CloudHSM key stores. If you include it, set it to the
+//     default value, AWS_CLOUDHSM. For help with failures, see Troubleshooting
+//     an CloudHSM key store (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html)
+//     in the Key Management Service Developer Guide.
+//
+//   - To create an external key store, specify the CustomKeyStoreName and
+//     a CustomKeyStoreType of EXTERNAL_KEY_STORE. Also, specify values for XksProxyConnectivity,
+//     XksProxyAuthenticationCredential, XksProxyUriEndpoint, and XksProxyUriPath.
+//     If your XksProxyConnectivity value is VPC_ENDPOINT_SERVICE, specify the
+//     XksProxyVpcEndpointServiceName parameter. For help with failures, see
+//     Troubleshooting an external key store (https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html)
+//     in the Key Management Service Developer Guide.
+//
+// For external key stores:
+//
+// Some external key managers provide a simpler method for creating an external
+// key store. For details, see your external key manager documentation.
+//
+// When creating an external key store in the KMS console, you can upload a
+// JSON-based proxy configuration file with the desired values. You cannot use
+// a proxy configuration with the CreateCustomKeyStore operation. However, you
+// can use the values in the file to help you determine the correct values for
+// the CreateCustomKeyStore parameters.
+//
 // When the operation completes successfully, it returns the ID of the new custom
 // key store. Before you can use your new custom key store, you need to use
-// the ConnectCustomKeyStore operation to connect the new key store to its CloudHSM
-// cluster. Even if you are not going to use your custom key store immediately,
-// you might want to connect it to verify that all settings are correct and
-// then disconnect it until you are ready to use it.
+// the ConnectCustomKeyStore operation to connect a new CloudHSM key store to
+// its CloudHSM cluster, or to connect a new external key store to the external
+// key store proxy for your external key manager. Even if you are not going
+// to use your custom key store immediately, you might want to connect it to
+// verify that all settings are correct and then disconnect it until you are
+// ready to use it.
 //
-// For help with failures, see Troubleshooting a Custom Key Store (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html)
+// For help with failures, see Troubleshooting a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html)
 // in the Key Management Service Developer Guide.
 //
 // Cross-account use: No. You cannot perform this operation on a custom key
@@ -582,12 +675,13 @@ func (c *KMS) CreateCustomKeyStoreRequest(input *CreateCustomKeyStoreInput) (req
 //
 //   - CloudHsmClusterInUseException
 //     The request was rejected because the specified CloudHSM cluster is already
-//     associated with a custom key store or it shares a backup history with a cluster
-//     that is associated with a custom key store. Each custom key store must be
-//     associated with a different CloudHSM cluster.
+//     associated with an CloudHSM key store in the account, or it shares a backup
+//     history with an CloudHSM key store in the account. Each CloudHSM key store
+//     in the account must be associated with a different CloudHSM cluster.
 //
-//     Clusters that share a backup history have the same cluster certificate. To
-//     view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
+//     CloudHSM clusters that share a backup history have the same cluster certificate.
+//     To view the cluster certificate of an CloudHSM cluster, use the DescribeClusters
+//     (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
 //     operation.
 //
 //   - CustomKeyStoreNameInUseException
@@ -604,51 +698,113 @@ func (c *KMS) CreateCustomKeyStoreRequest(input *CreateCustomKeyStoreInput) (req
 //     can be retried.
 //
 //   - CloudHsmClusterNotActiveException
-//     The request was rejected because the CloudHSM cluster that is associated
-//     with the custom key store is not active. Initialize and activate the cluster
-//     and try the command again. For detailed instructions, see Getting Started
-//     (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html)
+//     The request was rejected because the CloudHSM cluster associated with the
+//     CloudHSM key store is not active. Initialize and activate the cluster and
+//     try the command again. For detailed instructions, see Getting Started (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html)
 //     in the CloudHSM User Guide.
 //
 //   - IncorrectTrustAnchorException
 //     The request was rejected because the trust anchor certificate in the request
-//     is not the trust anchor certificate for the specified CloudHSM cluster.
+//     to create an CloudHSM key store is not the trust anchor certificate for the
+//     specified CloudHSM cluster.
 //
-//     When you initialize the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr),
+//     When you initialize the CloudHSM cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr),
 //     you create the trust anchor certificate and save it in the customerCA.crt
 //     file.
 //
 //   - CloudHsmClusterInvalidConfigurationException
 //     The request was rejected because the associated CloudHSM cluster did not
-//     meet the configuration requirements for a custom key store.
+//     meet the configuration requirements for an CloudHSM key store.
 //
-//   - The cluster must be configured with private subnets in at least two
-//     different Availability Zones in the Region.
+//   - The CloudHSM cluster must be configured with private subnets in at least
+//     two different Availability Zones in the Region.
 //
 //   - The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html)
 //     (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound
 //     rules that allow TCP traffic on ports 2223-2225. The Source in the inbound
 //     rules and the Destination in the outbound rules must match the security
-//     group ID. These rules are set by default when you create the cluster.
-//     Do not delete or change them. To get information about a particular security
-//     group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html)
+//     group ID. These rules are set by default when you create the CloudHSM
+//     cluster. Do not delete or change them. To get information about a particular
+//     security group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html)
 //     operation.
 //
-//   - The cluster must contain at least as many HSMs as the operation requires.
-//     To add HSMs, use the CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
+//   - The CloudHSM cluster must contain at least as many HSMs as the operation
+//     requires. To add HSMs, use the CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
 //     operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey
 //     operations, the CloudHSM cluster must have at least two active HSMs, each
 //     in a different Availability Zone. For the ConnectCustomKeyStore operation,
 //     the CloudHSM must contain at least one active HSM.
 //
 //     For information about the requirements for an CloudHSM cluster that is associated
-//     with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore)
+//     with an CloudHSM key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore)
 //     in the Key Management Service Developer Guide. For information about creating
 //     a private subnet for an CloudHSM cluster, see Create a Private Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html)
 //     in the CloudHSM User Guide. For information about cluster security groups,
 //     see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html)
 //     in the CloudHSM User Guide .
 //
+//   - LimitExceededException
+//     The request was rejected because a quota was exceeded. For more information,
+//     see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html)
+//     in the Key Management Service Developer Guide.
+//
+//   - XksProxyUriInUseException
+//     The request was rejected because the concatenation of the XksProxyUriEndpoint
+//     and XksProxyUriPath is already associated with an external key store in the
+//     Amazon Web Services account and Region. Each external key store in an account
+//     and Region must use a unique external key store proxy API address.
+//
+//   - XksProxyUriEndpointInUseException
+//     The request was rejected because the concatenation of the XksProxyUriEndpoint
+//     is already associated with an external key store in the Amazon Web Services
+//     account and Region. Each external key store in an account and Region must
+//     use a unique external key store proxy address.
+//
+//   - XksProxyUriUnreachableException
+//     KMS was unable to reach the specified XksProxyUriPath. The path must be reachable
+//     before you create the external key store or update its settings.
+//
+//     This exception is also thrown when the external key store proxy response
+//     to a GetHealthStatus request indicates that all external key manager instances
+//     are unavailable.
+//
+//   - XksProxyIncorrectAuthenticationCredentialException
+//     The request was rejected because the proxy credentials failed to authenticate
+//     to the specified external key store proxy. The specified external key store
+//     proxy rejected a status request from KMS due to invalid credentials. This
+//     can indicate an error in the credentials or in the identification of the
+//     external key store proxy.
+//
+//   - XksProxyVpcEndpointServiceInUseException
+//     The request was rejected because the specified Amazon VPC endpoint service
+//     is already associated with an external key store in the Amazon Web Services
+//     account and Region. Each external key store in an Amazon Web Services account
+//     and Region must use a different Amazon VPC endpoint service.
+//
+//   - XksProxyVpcEndpointServiceNotFoundException
+//     The request was rejected because KMS could not find the specified VPC endpoint
+//     service. Use DescribeCustomKeyStores to verify the VPC endpoint service name
+//     for the external key store. Also, confirm that the Allow principals list
+//     for the VPC endpoint service includes the KMS service principal for the Region,
+//     such as cks.kms.us-east-1.amazonaws.com.
+//
+//   - XksProxyVpcEndpointServiceInvalidConfigurationException
+//     The request was rejected because the Amazon VPC endpoint service configuration
+//     does not fulfill the requirements for an external key store proxy. For details,
+//     see the exception message and review the requirements (kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements)
+//     for Amazon VPC endpoint service connectivity for an external key store.
+//
+//   - XksProxyInvalidResponseException
+//     KMS cannot interpret the response it received from the external key store
+//     proxy. The problem might be a poorly constructed response, but it could also
+//     be a transient network issue. If you see this error repeatedly, report it
+//     to the proxy vendor.
+//
+//   - XksProxyInvalidConfigurationException
+//     The request was rejected because the Amazon VPC endpoint service configuration
+//     does not fulfill the requirements for an external key store proxy. For details,
+//     see the exception message.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStore
 func (c *KMS) CreateCustomKeyStore(input *CreateCustomKeyStoreInput) (*CreateCustomKeyStoreOutput, error) {
 	req, out := c.CreateCustomKeyStoreRequest(input)
@@ -783,8 +939,8 @@ func (c *KMS) CreateGrantRequest(input *CreateGrantInput) (req *request.Request,
 //     The request was rejected because the specified KMS key is not enabled.
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - InvalidArnException
 //     The request was rejected because a specified ARN, or an ARN in a key policy,
@@ -806,10 +962,18 @@ func (c *KMS) CreateGrantRequest(input *CreateGrantInput) (req *request.Request,
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateGrant
 func (c *KMS) CreateGrant(input *CreateGrantInput) (*CreateGrantOutput, error) {
 	req, out := c.CreateGrantRequest(input)
@@ -876,13 +1040,21 @@ func (c *KMS) CreateKeyRequest(input *CreateKeyInput) (req *request.Request, out
 // CreateKey API operation for AWS Key Management Service.
 //
 // Creates a unique customer managed KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms-keys)
-// in your Amazon Web Services account and Region.
+// in your Amazon Web Services account and Region. You can use a KMS key in
+// cryptographic operations, such as encryption and signing. Some Amazon Web
+// Services services let you use KMS keys that you create and manage to protect
+// your service resources.
 //
-// In addition to the required parameters, you can use the optional parameters
-// to specify a key policy, description, tags, and other useful elements for
-// any key type.
+// A KMS key is a logical representation of a cryptographic key. In addition
+// to the key material used in cryptographic operations, a KMS key includes
+// metadata, such as the key ID, key policy, creation date, description, and
+// key state. For details, see Managing keys (https://docs.aws.amazon.com/kms/latest/developerguide/getting-started.html)
+// in the Key Management Service Developer Guide
 //
-// KMS is replacing the term customer master key (CMK) with KMS key and KMS
+// Use the parameters of CreateKey to specify the type of KMS key, the source
+// of its key material, its key policy, description, tags, and other properties.
+//
+// KMS has replaced the term customer master key (CMK) with KMS key and KMS
 // key. The concept has not changed. To prevent breaking changes, KMS is keeping
 // some variations of this term.
 //
@@ -890,11 +1062,14 @@ func (c *KMS) CreateKeyRequest(input *CreateKeyInput) (req *request.Request, out
 //
 // # Symmetric encryption KMS key
 //
-// To create a symmetric encryption KMS key, you aren't required to specify
-// any parameters. The default value for KeySpec, SYMMETRIC_DEFAULT, and the
-// default value for KeyUsage, ENCRYPT_DECRYPT, create a symmetric encryption
-// KMS key. For technical details, see SYMMETRIC_DEFAULT key spec (https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-symmetric-default)
-// in the Key Management Service Developer Guide.
+// By default, CreateKey creates a symmetric encryption KMS key with key material
+// that KMS generates. This is the basic and most widely used type of KMS key,
+// and provides the best performance.
+//
+// To create a symmetric encryption KMS key, you don't need to specify any parameters.
+// The default value for KeySpec, SYMMETRIC_DEFAULT, the default value for KeyUsage,
+// ENCRYPT_DECRYPT, and the default value for Origin, AWS_KMS, create a symmetric
+// encryption KMS key with KMS key material.
 //
 // If you need a key for basic encryption and decryption or you are creating
 // a KMS key to protect your resources in an Amazon Web Services service, create
@@ -965,12 +1140,13 @@ func (c *KMS) CreateKeyRequest(input *CreateKeyInput) (req *request.Request, out
 // keys, see Multi-Region keys in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html)
 // in the Key Management Service Developer Guide.
 //
-// To import your own key material, begin by creating a symmetric encryption
-// KMS key with no key material. To do this, use the Origin parameter of CreateKey
-// with a value of EXTERNAL. Next, use GetParametersForImport operation to get
-// a public key and import token, and use the public key to encrypt your key
-// material. Then, use ImportKeyMaterial with your import token to import the
-// key material. For step-by-step instructions, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html)
+// To import your own key material into a KMS key, begin by creating a symmetric
+// encryption KMS key with no key material. To do this, use the Origin parameter
+// of CreateKey with a value of EXTERNAL. Next, use GetParametersForImport operation
+// to get a public key and import token, and use the public key to encrypt your
+// key material. Then, use ImportKeyMaterial with your import token to import
+// the key material. For step-by-step instructions, see Importing Key Material
+// (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html)
 // in the Key Management Service Developer Guide .
 //
 // This feature supports only symmetric encryption KMS keys, including multi-Region
@@ -980,22 +1156,52 @@ func (c *KMS) CreateKeyRequest(input *CreateKeyInput) (req *request.Request, out
 // To create a multi-Region primary key with imported key material, use the
 // Origin parameter of CreateKey with a value of EXTERNAL and the MultiRegion
 // parameter with a value of True. To create replicas of the multi-Region primary
-// key, use the ReplicateKey operation. For more information about multi-Region
-// keys, see Multi-Region keys in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html)
+// key, use the ReplicateKey operation. For instructions, see Importing key
+// material into multi-Region keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-import.html).
+// For more information about multi-Region keys, see Multi-Region keys in KMS
+// (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html)
 // in the Key Management Service Developer Guide.
 //
 // # Custom key store
 //
-// To create a symmetric encryption KMS key in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html),
-// use the CustomKeyStoreId parameter to specify the custom key store. You must
-// also use the Origin parameter with a value of AWS_CLOUDHSM. The CloudHSM
-// cluster that is associated with the custom key store must have at least two
-// active HSMs in different Availability Zones in the Amazon Web Services Region.
+// A custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
+// lets you protect your Amazon Web Services resources using keys in a backing
+// key store that you own and manage. When you request a cryptographic operation
+// with a KMS key in a custom key store, the operation is performed in the backing
+// key store using its cryptographic keys.
 //
-// Custom key stores support only symmetric encryption KMS keys. You cannot
-// create an HMAC KMS key or an asymmetric KMS key in a custom key store. For
-// information about custom key stores in KMS see Custom key stores in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
-// in the Key Management Service Developer Guide .
+// KMS supports CloudHSM key stores (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html)
+// backed by an CloudHSM cluster and external key stores (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html)
+// backed by an external key manager outside of Amazon Web Services. When you
+// create a KMS key in an CloudHSM key store, KMS generates an encryption key
+// in the CloudHSM cluster and associates it with the KMS key. When you create
+// a KMS key in an external key store, you specify an existing encryption key
+// in the external key manager.
+//
+// Some external key managers provide a simpler method for creating a KMS key
+// in an external key store. For details, see your external key manager documentation.
+//
+// Before you create a KMS key in a custom key store, the ConnectionState of
+// the key store must be CONNECTED. To connect the custom key store, use the
+// ConnectCustomKeyStore operation. To find the ConnectionState, use the DescribeCustomKeyStores
+// operation.
+//
+// To create a KMS key in a custom key store, use the CustomKeyStoreId. Use
+// the default KeySpec value, SYMMETRIC_DEFAULT, and the default KeyUsage value,
+// ENCRYPT_DECRYPT to create a symmetric encryption key. No other key type is
+// supported in a custom key store.
+//
+// To create a KMS key in an CloudHSM key store (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html),
+// use the Origin parameter with a value of AWS_CLOUDHSM. The CloudHSM cluster
+// that is associated with the custom key store must have at least two active
+// HSMs in different Availability Zones in the Amazon Web Services Region.
+//
+// To create a KMS key in an external key store (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html),
+// use the Origin parameter with a value of EXTERNAL_KEY_STORE and an XksKeyId
+// parameter that identifies an existing external key.
+//
+// Some external key managers provide a simpler method for creating a KMS key
+// in an external key store. For details, see your external key manager documentation.
 //
 // Cross-account use: No. You cannot use this operation to create a KMS key
 // in a different Amazon Web Services account.
@@ -1028,8 +1234,8 @@ func (c *KMS) CreateKeyRequest(input *CreateKeyInput) (req *request.Request, out
 //     or semantically correct.
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - InvalidArnException
 //     The request was rejected because a specified ARN, or an ARN in a key policy,
@@ -1062,49 +1268,83 @@ func (c *KMS) CreateKeyRequest(input *CreateKeyInput) (req *request.Request, out
 //
 //     This exception is thrown under the following conditions:
 //
-//   - You requested the CreateKey or GenerateRandom operation in a custom
-//     key store that is not connected. These operations are valid only when
-//     the custom key store ConnectionState is CONNECTED.
+//   - You requested the ConnectCustomKeyStore operation on a custom key store
+//     with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
+//     for all other ConnectionState values. To reconnect a custom key store
+//     in a FAILED state, disconnect it (DisconnectCustomKeyStore), then connect
+//     it (ConnectCustomKeyStore).
+//
+//   - You requested the CreateKey operation in a custom key store that is
+//     not connected. This operations is valid only when the custom key store
+//     ConnectionState is CONNECTED.
+//
+//   - You requested the DisconnectCustomKeyStore operation on a custom key
+//     store with a ConnectionState of DISCONNECTING or DISCONNECTED. This operation
+//     is valid for all other ConnectionState values.
 //
 //   - You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation
 //     on a custom key store that is not disconnected. This operation is valid
 //     only when the custom key store ConnectionState is DISCONNECTED.
 //
-//   - You requested the ConnectCustomKeyStore operation on a custom key store
-//     with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
-//     for all other ConnectionState values.
+//   - You requested the GenerateRandom operation in an CloudHSM key store
+//     that is not connected. This operation is valid only when the CloudHSM
+//     key store ConnectionState is CONNECTED.
 //
 //   - CloudHsmClusterInvalidConfigurationException
 //     The request was rejected because the associated CloudHSM cluster did not
-//     meet the configuration requirements for a custom key store.
+//     meet the configuration requirements for an CloudHSM key store.
 //
-//   - The cluster must be configured with private subnets in at least two
-//     different Availability Zones in the Region.
+//   - The CloudHSM cluster must be configured with private subnets in at least
+//     two different Availability Zones in the Region.
 //
 //   - The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html)
 //     (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound
 //     rules that allow TCP traffic on ports 2223-2225. The Source in the inbound
 //     rules and the Destination in the outbound rules must match the security
-//     group ID. These rules are set by default when you create the cluster.
-//     Do not delete or change them. To get information about a particular security
-//     group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html)
+//     group ID. These rules are set by default when you create the CloudHSM
+//     cluster. Do not delete or change them. To get information about a particular
+//     security group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html)
 //     operation.
 //
-//   - The cluster must contain at least as many HSMs as the operation requires.
-//     To add HSMs, use the CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
+//   - The CloudHSM cluster must contain at least as many HSMs as the operation
+//     requires. To add HSMs, use the CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
 //     operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey
 //     operations, the CloudHSM cluster must have at least two active HSMs, each
 //     in a different Availability Zone. For the ConnectCustomKeyStore operation,
 //     the CloudHSM must contain at least one active HSM.
 //
 //     For information about the requirements for an CloudHSM cluster that is associated
-//     with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore)
+//     with an CloudHSM key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore)
 //     in the Key Management Service Developer Guide. For information about creating
 //     a private subnet for an CloudHSM cluster, see Create a Private Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html)
 //     in the CloudHSM User Guide. For information about cluster security groups,
 //     see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html)
 //     in the CloudHSM User Guide .
 //
+//   - XksKeyInvalidConfigurationException
+//     The request was rejected because the external key specified by the XksKeyId
+//     parameter did not meet the configuration requirements for an external key
+//     store.
+//
+//     The external key must be an AES-256 symmetric key that is enabled and performs
+//     encryption and decryption.
+//
+//   - XksKeyAlreadyInUseException
+//     The request was rejected because the (XksKeyId) is already associated with
+//     a KMS key in this external key store. Each KMS key in an external key store
+//     must be associated with a different external key.
+//
+//   - XksKeyNotFoundException
+//     The request was rejected because the external key store proxy could not find
+//     the external key. This exception is thrown when the value of the XksKeyId
+//     parameter doesn't identify a key in the external key manager associated with
+//     the external key proxy.
+//
+//     Verify that the XksKeyId represents an existing key in the external key manager.
+//     Use the key identifier that the external key store proxy uses to identify
+//     the key. For details, see the documentation provided with your external key
+//     store proxy or key manager.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKey
 func (c *KMS) CreateKey(input *CreateKeyInput) (*CreateKeyOutput, error) {
 	req, out := c.CreateKeyRequest(input)
@@ -1192,8 +1432,8 @@ func (c *KMS) DecryptRequest(input *DecryptInput) (req *request.Request, output
 //
 // The Decrypt operation also decrypts ciphertext that was encrypted outside
 // of KMS by the public key in an KMS asymmetric KMS key. However, it cannot
-// decrypt ciphertext produced by other libraries, such as the Amazon Web Services
-// Encryption SDK (https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/)
+// decrypt symmetric ciphertext produced by other libraries, such as the Amazon
+// Web Services Encryption SDK (https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/)
 // or Amazon S3 client-side encryption (https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html).
 // These libraries return a ciphertext format that is incompatible with KMS.
 //
@@ -1297,8 +1537,8 @@ func (c *KMS) DecryptRequest(input *DecryptInput) (req *request.Request, output
 //     key, use the DescribeKey operation.
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - InvalidGrantTokenException
 //     The request was rejected because the specified grant token is not valid.
@@ -1311,10 +1551,18 @@ func (c *KMS) DecryptRequest(input *DecryptInput) (req *request.Request, output
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Decrypt
 func (c *KMS) Decrypt(input *DecryptInput) (*DecryptOutput, error) {
 	req, out := c.DecryptRequest(input)
@@ -1384,7 +1632,7 @@ func (c *KMS) DeleteAliasRequest(input *DeleteAliasInput) (req *request.Request,
 // Deletes the specified alias.
 //
 // Adding, deleting, or updating an alias can allow or deny permission to the
-// KMS key. For details, see ABAC in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html)
+// KMS key. For details, see ABAC for KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html)
 // in the Key Management Service Developer Guide.
 //
 // Because an alias is not a property of a KMS key, you can delete and change
@@ -1428,8 +1676,8 @@ func (c *KMS) DeleteAliasRequest(input *DeleteAliasInput) (req *request.Request,
 // Returned Error Types:
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - NotFoundException
 //     The request was rejected because the specified entity or resource could not
@@ -1443,10 +1691,18 @@ func (c *KMS) DeleteAliasRequest(input *DeleteAliasInput) (req *request.Request,
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteAlias
 func (c *KMS) DeleteAlias(input *DeleteAliasInput) (*DeleteAliasOutput, error) {
 	req, out := c.DeleteAliasRequest(input)
@@ -1514,33 +1770,39 @@ func (c *KMS) DeleteCustomKeyStoreRequest(input *DeleteCustomKeyStoreInput) (req
 // DeleteCustomKeyStore API operation for AWS Key Management Service.
 //
 // Deletes a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html).
-// This operation does not delete the CloudHSM cluster that is associated with
-// the custom key store, or affect any users or keys in the cluster.
+// This operation does not affect any backing elements of the custom key store.
+// It does not delete the CloudHSM cluster that is associated with an CloudHSM
+// key store, or affect any users or keys in the cluster. For an external key
+// store, it does not affect the external key store proxy, external key manager,
+// or any external keys.
+//
+// This operation is part of the custom key stores (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
+// feature in KMS, which combines the convenience and extensive integration
+// of KMS with the isolation and control of a key store that you own and manage.
 //
 // The custom key store that you delete cannot contain any KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys).
 // Before deleting the key store, verify that you will never need to use any
 // of the KMS keys in the key store for any cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations).
 // Then, use ScheduleKeyDeletion to delete the KMS keys from the key store.
-// When the scheduled waiting period expires, the ScheduleKeyDeletion operation
-// deletes the KMS keys. Then it makes a best effort to delete the key material
-// from the associated cluster. However, you might need to manually delete the
-// orphaned key material (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key)
-// from the cluster and its backups.
+// After the required waiting period expires and all KMS keys are deleted from
+// the custom key store, use DisconnectCustomKeyStore to disconnect the key
+// store from KMS. Then, you can delete the custom key store.
 //
-// After all KMS keys are deleted from KMS, use DisconnectCustomKeyStore to
-// disconnect the key store from KMS. Then, you can delete the custom key store.
+// For keys in an CloudHSM key store, the ScheduleKeyDeletion operation makes
+// a best effort to delete the key material from the associated cluster. However,
+// you might need to manually delete the orphaned key material (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key)
+// from the cluster and its backups. KMS never creates, manages, or deletes
+// cryptographic keys in the external key manager associated with an external
+// key store. You must manage them using your external key manager tools.
 //
-// Instead of deleting the custom key store, consider using DisconnectCustomKeyStore
-// to disconnect it from KMS. While the key store is disconnected, you cannot
-// create or use the KMS keys in the key store. But, you do not need to delete
-// KMS keys and you can reconnect a disconnected custom key store at any time.
+// Instead of deleting the custom key store, consider using the DisconnectCustomKeyStore
+// operation to disconnect the custom key store from its backing key store.
+// While the key store is disconnected, you cannot create or use the KMS keys
+// in the key store. But, you do not need to delete KMS keys and you can reconnect
+// a disconnected custom key store at any time.
 //
 // If the operation succeeds, it returns a JSON object with no properties.
 //
-// This operation is part of the custom key store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
-// feature in KMS, which combines the convenience and extensive integration
-// of KMS with the isolation and control of a single-tenant key store.
-//
 // Cross-account use: No. You cannot perform this operation on a custom key
 // store in a different Amazon Web Services account.
 //
@@ -1581,17 +1843,27 @@ func (c *KMS) DeleteCustomKeyStoreRequest(input *DeleteCustomKeyStoreInput) (req
 //
 //     This exception is thrown under the following conditions:
 //
-//   - You requested the CreateKey or GenerateRandom operation in a custom
-//     key store that is not connected. These operations are valid only when
-//     the custom key store ConnectionState is CONNECTED.
+//   - You requested the ConnectCustomKeyStore operation on a custom key store
+//     with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
+//     for all other ConnectionState values. To reconnect a custom key store
+//     in a FAILED state, disconnect it (DisconnectCustomKeyStore), then connect
+//     it (ConnectCustomKeyStore).
+//
+//   - You requested the CreateKey operation in a custom key store that is
+//     not connected. This operations is valid only when the custom key store
+//     ConnectionState is CONNECTED.
+//
+//   - You requested the DisconnectCustomKeyStore operation on a custom key
+//     store with a ConnectionState of DISCONNECTING or DISCONNECTED. This operation
+//     is valid for all other ConnectionState values.
 //
 //   - You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation
 //     on a custom key store that is not disconnected. This operation is valid
 //     only when the custom key store ConnectionState is DISCONNECTED.
 //
-//   - You requested the ConnectCustomKeyStore operation on a custom key store
-//     with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
-//     for all other ConnectionState values.
+//   - You requested the GenerateRandom operation in an CloudHSM key store
+//     that is not connected. This operation is valid only when the CloudHSM
+//     key store ConnectionState is CONNECTED.
 //
 //   - CustomKeyStoreNotFoundException
 //     The request was rejected because KMS cannot find a custom key store with
@@ -1713,8 +1985,8 @@ func (c *KMS) DeleteImportedKeyMaterialRequest(input *DeleteImportedKeyMaterialI
 //     a specified resource is not valid for this operation.
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - NotFoundException
 //     The request was rejected because the specified entity or resource could not
@@ -1728,10 +2000,18 @@ func (c *KMS) DeleteImportedKeyMaterialRequest(input *DeleteImportedKeyMaterialI
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteImportedKeyMaterial
 func (c *KMS) DeleteImportedKeyMaterial(input *DeleteImportedKeyMaterialInput) (*DeleteImportedKeyMaterialOutput, error) {
 	req, out := c.DeleteImportedKeyMaterialRequest(input)
@@ -1788,7 +2068,7 @@ func (c *KMS) DescribeCustomKeyStoresRequest(input *DescribeCustomKeyStoresInput
 			InputTokens:     []string{"Marker"},
 			OutputTokens:    []string{"NextMarker"},
 			LimitToken:      "Limit",
-			TruncationToken: "Truncated",
+			TruncationToken: "",
 		},
 	}
 
@@ -1806,30 +2086,37 @@ func (c *KMS) DescribeCustomKeyStoresRequest(input *DescribeCustomKeyStoresInput
 // Gets information about custom key stores (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
 // in the account and Region.
 //
-// This operation is part of the custom key store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
+// This operation is part of the custom key stores (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
 // feature in KMS, which combines the convenience and extensive integration
-// of KMS with the isolation and control of a single-tenant key store.
+// of KMS with the isolation and control of a key store that you own and manage.
 //
 // By default, this operation returns information about all custom key stores
 // in the account and Region. To get only information about a particular custom
 // key store, use either the CustomKeyStoreName or CustomKeyStoreId parameter
 // (but not both).
 //
-// To determine whether the custom key store is connected to its CloudHSM cluster,
-// use the ConnectionState element in the response. If an attempt to connect
-// the custom key store failed, the ConnectionState value is FAILED and the
-// ConnectionErrorCode element in the response indicates the cause of the failure.
-// For help interpreting the ConnectionErrorCode, see CustomKeyStoresListEntry.
+// To determine whether the custom key store is connected to its CloudHSM cluster
+// or external key store proxy, use the ConnectionState element in the response.
+// If an attempt to connect the custom key store failed, the ConnectionState
+// value is FAILED and the ConnectionErrorCode element in the response indicates
+// the cause of the failure. For help interpreting the ConnectionErrorCode,
+// see CustomKeyStoresListEntry.
 //
 // Custom key stores have a DISCONNECTED connection state if the key store has
-// never been connected or you use the DisconnectCustomKeyStore operation to
-// disconnect it. If your custom key store state is CONNECTED but you are having
-// trouble using it, make sure that its associated CloudHSM cluster is active
-// and contains the minimum number of HSMs required for the operation, if any.
+// never been connected or you used the DisconnectCustomKeyStore operation to
+// disconnect it. Otherwise, the connection state is CONNECTED. If your custom
+// key store connection state is CONNECTED but you are having trouble using
+// it, verify that the backing store is active and available. For an CloudHSM
+// key store, verify that the associated CloudHSM cluster is active and contains
+// the minimum number of HSMs required for the operation, if any. For an external
+// key store, verify that the external key store proxy and its associated external
+// key manager are reachable and enabled.
 //
-// For help repairing your custom key store, see the Troubleshooting Custom
-// Key Stores (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html)
-// topic in the Key Management Service Developer Guide.
+// For help repairing your CloudHSM key store, see the Troubleshooting CloudHSM
+// key stores (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html).
+// For help repairing your external key store, see the Troubleshooting external
+// key stores (https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html).
+// Both topics are in the Key Management Service Developer Guide.
 //
 // Cross-account use: No. You cannot perform this operation on a custom key
 // store in a different Amazon Web Services account.
@@ -1995,10 +2282,14 @@ func (c *KMS) DescribeKeyRequest(input *DescribeKeyInput) (req *request.Request,
 // any) of the key material. It includes fields, like KeySpec, that help you
 // distinguish different types of KMS keys. It also displays the key usage (encryption,
 // signing, or generating and verifying MACs) and the algorithms that the KMS
-// key supports. For KMS keys in custom key stores, it includes information
-// about the custom key store, such as the key store ID and the CloudHSM cluster
-// ID. For multi-Region keys, it displays the primary key and all related replica
-// keys.
+// key supports.
+//
+// For multi-Region keys (kms/latest/developerguide/multi-region-keys-overview.html),
+// DescribeKey displays the primary key and all related replica keys. For KMS
+// keys in CloudHSM key stores (kms/latest/developerguide/keystore-cloudhsm.html),
+// it includes information about the key store, such as the key store ID and
+// the CloudHSM cluster ID. For KMS keys in external key stores (kms/latest/developerguide/keystore-external.html),
+// it includes the custom key store ID and the ID of the external key.
 //
 // DescribeKey does not return the following information:
 //
@@ -2061,8 +2352,8 @@ func (c *KMS) DescribeKeyRequest(input *DescribeKeyInput) (req *request.Request,
 //     is not valid.
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - InternalException
 //     The request was rejected because an internal exception occurred. The request
@@ -2171,8 +2462,8 @@ func (c *KMS) DisableKeyRequest(input *DisableKeyInput) (req *request.Request, o
 //     is not valid.
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - InternalException
 //     The request was rejected because an internal exception occurred. The request
@@ -2182,10 +2473,18 @@ func (c *KMS) DisableKeyRequest(input *DisableKeyInput) (req *request.Request, o
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKey
 func (c *KMS) DisableKey(input *DisableKeyInput) (*DisableKeyOutput, error) {
 	req, out := c.DisableKeyRequest(input)
@@ -2256,12 +2555,12 @@ func (c *KMS) DisableKeyRotationRequest(input *DisableKeyRotationInput) (req *re
 // of the specified symmetric encryption KMS key.
 //
 // Automatic key rotation is supported only on symmetric encryption KMS keys.
-// You cannot enable or disable automatic rotation of asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html),
+// You cannot enable automatic rotation of asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html),
 // HMAC KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html),
 // KMS keys with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html),
 // or KMS keys in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html).
-// The key rotation status of these KMS keys is always false. To enable or disable
-// automatic rotation of a set of related multi-Region keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate),
+// To enable or disable automatic rotation of a set of related multi-Region
+// keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate),
 // set the property on the primary key.
 //
 // You can enable (EnableKeyRotation) and disable automatic rotation of the
@@ -2311,8 +2610,8 @@ func (c *KMS) DisableKeyRotationRequest(input *DisableKeyRotationInput) (req *re
 //     is not valid.
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - InternalException
 //     The request was rejected because an internal exception occurred. The request
@@ -2322,10 +2621,18 @@ func (c *KMS) DisableKeyRotationRequest(input *DisableKeyRotationInput) (req *re
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 //   - UnsupportedOperationException
 //     The request was rejected because a specified parameter is not supported or
 //     a specified resource is not valid for this operation.
@@ -2397,10 +2704,18 @@ func (c *KMS) DisconnectCustomKeyStoreRequest(input *DisconnectCustomKeyStoreInp
 // DisconnectCustomKeyStore API operation for AWS Key Management Service.
 //
 // Disconnects the custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
-// from its associated CloudHSM cluster. While a custom key store is disconnected,
-// you can manage the custom key store and its KMS keys, but you cannot create
-// or use KMS keys in the custom key store. You can reconnect the custom key
-// store at any time.
+// from its backing key store. This operation disconnects an CloudHSM key store
+// from its associated CloudHSM cluster or disconnects an external key store
+// from the external key store proxy that communicates with your external key
+// manager.
+//
+// This operation is part of the custom key stores (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
+// feature in KMS, which combines the convenience and extensive integration
+// of KMS with the isolation and control of a key store that you own and manage.
+//
+// While a custom key store is disconnected, you can manage the custom key store
+// and its KMS keys, but you cannot create or use its KMS keys. You can reconnect
+// the custom key store at any time.
 //
 // While a custom key store is disconnected, all attempts to create KMS keys
 // in the custom key store or to use existing KMS keys in cryptographic operations
@@ -2408,16 +2723,13 @@ func (c *KMS) DisconnectCustomKeyStoreRequest(input *DisconnectCustomKeyStoreInp
 // will fail. This action can prevent users from storing and accessing sensitive
 // data.
 //
+// When you disconnect a custom key store, its ConnectionState changes to Disconnected.
 // To find the connection state of a custom key store, use the DescribeCustomKeyStores
 // operation. To reconnect a custom key store, use the ConnectCustomKeyStore
 // operation.
 //
 // If the operation succeeds, it returns a JSON object with no properties.
 //
-// This operation is part of the custom key store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
-// feature in KMS, which combines the convenience and extensive integration
-// of KMS with the isolation and control of a single-tenant key store.
-//
 // Cross-account use: No. You cannot perform this operation on a custom key
 // store in a different Amazon Web Services account.
 //
@@ -2452,17 +2764,27 @@ func (c *KMS) DisconnectCustomKeyStoreRequest(input *DisconnectCustomKeyStoreInp
 //
 //     This exception is thrown under the following conditions:
 //
-//   - You requested the CreateKey or GenerateRandom operation in a custom
-//     key store that is not connected. These operations are valid only when
-//     the custom key store ConnectionState is CONNECTED.
+//   - You requested the ConnectCustomKeyStore operation on a custom key store
+//     with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
+//     for all other ConnectionState values. To reconnect a custom key store
+//     in a FAILED state, disconnect it (DisconnectCustomKeyStore), then connect
+//     it (ConnectCustomKeyStore).
+//
+//   - You requested the CreateKey operation in a custom key store that is
+//     not connected. This operations is valid only when the custom key store
+//     ConnectionState is CONNECTED.
+//
+//   - You requested the DisconnectCustomKeyStore operation on a custom key
+//     store with a ConnectionState of DISCONNECTING or DISCONNECTED. This operation
+//     is valid for all other ConnectionState values.
 //
 //   - You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation
 //     on a custom key store that is not disconnected. This operation is valid
 //     only when the custom key store ConnectionState is DISCONNECTED.
 //
-//   - You requested the ConnectCustomKeyStore operation on a custom key store
-//     with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
-//     for all other ConnectionState values.
+//   - You requested the GenerateRandom operation in an CloudHSM key store
+//     that is not connected. This operation is valid only when the CloudHSM
+//     key store ConnectionState is CONNECTED.
 //
 //   - CustomKeyStoreNotFoundException
 //     The request was rejected because KMS cannot find a custom key store with
@@ -2571,8 +2893,8 @@ func (c *KMS) EnableKeyRequest(input *EnableKeyInput) (req *request.Request, out
 //     is not valid.
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - InternalException
 //     The request was rejected because an internal exception occurred. The request
@@ -2587,10 +2909,18 @@ func (c *KMS) EnableKeyRequest(input *EnableKeyInput) (req *request.Request, out
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKey
 func (c *KMS) EnableKey(input *EnableKeyInput) (*EnableKeyOutput, error) {
 	req, out := c.EnableKeyRequest(input)
@@ -2669,12 +2999,12 @@ func (c *KMS) EnableKeyRotationRequest(input *EnableKeyRotationInput) (req *requ
 //
 // Automatic key rotation is supported only on symmetric encryption KMS keys
 // (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks).
-// You cannot enable or disable automatic rotation of asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html),
+// You cannot enable automatic rotation of asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html),
 // HMAC KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html),
 // KMS keys with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html),
 // or KMS keys in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html).
-// The key rotation status of these KMS keys is always false. To enable or disable
-// automatic rotation of a set of related multi-Region keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate),
+// To enable or disable automatic rotation of a set of related multi-Region
+// keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate),
 // set the property on the primary key.
 //
 // You cannot enable or disable automatic rotation Amazon Web Services managed
@@ -2730,8 +3060,8 @@ func (c *KMS) EnableKeyRotationRequest(input *EnableKeyRotationInput) (req *requ
 //     is not valid.
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - InternalException
 //     The request was rejected because an internal exception occurred. The request
@@ -2741,10 +3071,18 @@ func (c *KMS) EnableKeyRotationRequest(input *EnableKeyRotationInput) (req *requ
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 //   - UnsupportedOperationException
 //     The request was rejected because a specified parameter is not supported or
 //     a specified resource is not valid for this operation.
@@ -2899,8 +3237,8 @@ func (c *KMS) EncryptRequest(input *EncryptInput) (req *request.Request, output
 //     You can retry the request.
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - InvalidKeyUsageException
 //     The request was rejected for one of the following reasons:
@@ -2930,10 +3268,18 @@ func (c *KMS) EncryptRequest(input *EncryptInput) (req *request.Request, output
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Encrypt
 func (c *KMS) Encrypt(input *EncryptInput) (*EncryptOutput, error) {
 	req, out := c.EncryptRequest(input)
@@ -3106,8 +3452,8 @@ func (c *KMS) GenerateDataKeyRequest(input *GenerateDataKeyInput) (req *request.
 //     You can retry the request.
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - InvalidKeyUsageException
 //     The request was rejected for one of the following reasons:
@@ -3137,10 +3483,18 @@ func (c *KMS) GenerateDataKeyRequest(input *GenerateDataKeyInput) (req *request.
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKey
 func (c *KMS) GenerateDataKey(input *GenerateDataKeyInput) (*GenerateDataKeyOutput, error) {
 	req, out := c.GenerateDataKeyRequest(input)
@@ -3296,8 +3650,8 @@ func (c *KMS) GenerateDataKeyPairRequest(input *GenerateDataKeyPairInput) (req *
 //     You can retry the request.
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - InvalidKeyUsageException
 //     The request was rejected for one of the following reasons:
@@ -3327,10 +3681,18 @@ func (c *KMS) GenerateDataKeyPairRequest(input *GenerateDataKeyPairInput) (req *
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 //   - UnsupportedOperationException
 //     The request was rejected because a specified parameter is not supported or
 //     a specified resource is not valid for this operation.
@@ -3479,8 +3841,8 @@ func (c *KMS) GenerateDataKeyPairWithoutPlaintextRequest(input *GenerateDataKeyP
 //     You can retry the request.
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - InvalidKeyUsageException
 //     The request was rejected for one of the following reasons:
@@ -3510,10 +3872,18 @@ func (c *KMS) GenerateDataKeyPairWithoutPlaintextRequest(input *GenerateDataKeyP
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 //   - UnsupportedOperationException
 //     The request was rejected because a specified parameter is not supported or
 //     a specified resource is not valid for this operation.
@@ -3612,6 +3982,14 @@ func (c *KMS) GenerateDataKeyWithoutPlaintextRequest(input *GenerateDataKeyWitho
 // or a key in a custom key store to generate a data key. To get the type of
 // your KMS key, use the DescribeKey operation.
 //
+// You must also specify the length of the data key. Use either the KeySpec
+// or NumberOfBytes parameters (but not both). For 128-bit and 256-bit data
+// keys, use the KeySpec parameter.
+//
+// To generate an SM4 data key (China Regions only), specify a KeySpec value
+// of AES_128 or NumberOfBytes value of 128. The symmetric encryption key used
+// in China Regions to encrypt your data key is an SM4 encryption key.
+//
 // If the operation succeeds, you will find the encrypted copy of the data key
 // in the CiphertextBlob field.
 //
@@ -3666,8 +4044,8 @@ func (c *KMS) GenerateDataKeyWithoutPlaintextRequest(input *GenerateDataKeyWitho
 //     You can retry the request.
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - InvalidKeyUsageException
 //     The request was rejected for one of the following reasons:
@@ -3697,10 +4075,18 @@ func (c *KMS) GenerateDataKeyWithoutPlaintextRequest(input *GenerateDataKeyWitho
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintext
 func (c *KMS) GenerateDataKeyWithoutPlaintext(input *GenerateDataKeyWithoutPlaintextInput) (*GenerateDataKeyWithoutPlaintextOutput, error) {
 	req, out := c.GenerateDataKeyWithoutPlaintextRequest(input)
@@ -3767,15 +4153,18 @@ func (c *KMS) GenerateMacRequest(input *GenerateMacInput) (req *request.Request,
 // GenerateMac API operation for AWS Key Management Service.
 //
 // Generates a hash-based message authentication code (HMAC) for a message using
-// an HMAC KMS key and a MAC algorithm that the key supports. The MAC algorithm
-// computes the HMAC for the message and the key as described in RFC 2104 (https://datatracker.ietf.org/doc/html/rfc2104).
+// an HMAC KMS key and a MAC algorithm that the key supports. HMAC KMS keys
+// and the HMAC algorithms that KMS uses conform to industry standards defined
+// in RFC 2104 (https://datatracker.ietf.org/doc/html/rfc2104).
 //
-// You can use the HMAC that this operation generates with the VerifyMac operation
-// to demonstrate that the original message has not changed. Also, because a
-// secret key is used to create the hash, you can verify that the party that
-// generated the hash has the required secret key. This operation is part of
-// KMS support for HMAC KMS keys. For details, see HMAC keys in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html)
-// in the Key Management Service Developer Guide .
+// You can use value that GenerateMac returns in the VerifyMac operation to
+// demonstrate that the original message has not changed. Also, because a secret
+// key is used to create the hash, you can verify that the party that generated
+// the hash has the required secret key. You can also use the raw result to
+// implement HMAC-based algorithms such as key derivation functions. This operation
+// is part of KMS support for HMAC KMS keys. For details, see HMAC keys in KMS
+// (https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html) in the
+// Key Management Service Developer Guide .
 //
 // Best practices recommend that you limit the time during which any signing
 // mechanism, including an HMAC, is effective. This deters an attack where the
@@ -3845,10 +4234,18 @@ func (c *KMS) GenerateMacRequest(input *GenerateMacInput) (req *request.Request,
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateMac
 func (c *KMS) GenerateMac(input *GenerateMacInput) (*GenerateMacOutput, error) {
 	req, out := c.GenerateMacRequest(input)
@@ -3920,9 +4317,8 @@ func (c *KMS) GenerateRandomRequest(input *GenerateRandomInput) (req *request.Re
 // byte string. There is no default value for string length.
 //
 // By default, the random byte string is generated in KMS. To generate the byte
-// string in the CloudHSM cluster that is associated with a custom key store
-// (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html),
-// specify the custom key store ID.
+// string in the CloudHSM cluster associated with an CloudHSM key store, use
+// the CustomKeyStoreId parameter.
 //
 // Applications in Amazon Web Services Nitro Enclaves can call this operation
 // by using the Amazon Web Services Nitro Enclaves Development Kit (https://github.com/aws/aws-nitro-enclaves-sdk-c).
@@ -3949,13 +4345,17 @@ func (c *KMS) GenerateRandomRequest(input *GenerateRandomInput) (req *request.Re
 // Returned Error Types:
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - InternalException
 //     The request was rejected because an internal exception occurred. The request
 //     can be retried.
 //
+//   - UnsupportedOperationException
+//     The request was rejected because a specified parameter is not supported or
+//     a specified resource is not valid for this operation.
+//
 //   - CustomKeyStoreNotFoundException
 //     The request was rejected because KMS cannot find a custom key store with
 //     the specified key store name or ID.
@@ -3967,17 +4367,27 @@ func (c *KMS) GenerateRandomRequest(input *GenerateRandomInput) (req *request.Re
 //
 //     This exception is thrown under the following conditions:
 //
-//   - You requested the CreateKey or GenerateRandom operation in a custom
-//     key store that is not connected. These operations are valid only when
-//     the custom key store ConnectionState is CONNECTED.
+//   - You requested the ConnectCustomKeyStore operation on a custom key store
+//     with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
+//     for all other ConnectionState values. To reconnect a custom key store
+//     in a FAILED state, disconnect it (DisconnectCustomKeyStore), then connect
+//     it (ConnectCustomKeyStore).
+//
+//   - You requested the CreateKey operation in a custom key store that is
+//     not connected. This operations is valid only when the custom key store
+//     ConnectionState is CONNECTED.
+//
+//   - You requested the DisconnectCustomKeyStore operation on a custom key
+//     store with a ConnectionState of DISCONNECTING or DISCONNECTED. This operation
+//     is valid for all other ConnectionState values.
 //
 //   - You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation
 //     on a custom key store that is not disconnected. This operation is valid
 //     only when the custom key store ConnectionState is DISCONNECTED.
 //
-//   - You requested the ConnectCustomKeyStore operation on a custom key store
-//     with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
-//     for all other ConnectionState values.
+//   - You requested the GenerateRandom operation in an CloudHSM key store
+//     that is not connected. This operation is valid only when the CloudHSM
+//     key store ConnectionState is CONNECTED.
 //
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandom
 func (c *KMS) GenerateRandom(input *GenerateRandomInput) (*GenerateRandomOutput, error) {
@@ -4072,8 +4482,8 @@ func (c *KMS) GetKeyPolicyRequest(input *GetKeyPolicyInput) (req *request.Reques
 //     is not valid.
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - InternalException
 //     The request was rejected because an internal exception occurred. The request
@@ -4083,10 +4493,18 @@ func (c *KMS) GetKeyPolicyRequest(input *GetKeyPolicyInput) (req *request.Reques
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyPolicy
 func (c *KMS) GetKeyPolicy(input *GetKeyPolicyInput) (*GetKeyPolicyOutput, error) {
 	req, out := c.GetKeyPolicyRequest(input)
@@ -4163,12 +4581,12 @@ func (c *KMS) GetKeyRotationStatusRequest(input *GetKeyRotationStatusInput) (req
 //
 // Automatic key rotation is supported only on symmetric encryption KMS keys
 // (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks).
-// You cannot enable or disable automatic rotation of asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html),
+// You cannot enable automatic rotation of asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html),
 // HMAC KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html),
 // KMS keys with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html),
 // or KMS keys in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html).
-// The key rotation status of these KMS keys is always false. To enable or disable
-// automatic rotation of a set of related multi-Region keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate),
+// To enable or disable automatic rotation of a set of related multi-Region
+// keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate),
 // set the property on the primary key..
 //
 // You can enable (EnableKeyRotation) and disable automatic rotation (DisableKeyRotation)
@@ -4228,8 +4646,8 @@ func (c *KMS) GetKeyRotationStatusRequest(input *GetKeyRotationStatusInput) (req
 //     is not valid.
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - InternalException
 //     The request was rejected because an internal exception occurred. The request
@@ -4239,10 +4657,18 @@ func (c *KMS) GetKeyRotationStatusRequest(input *GetKeyRotationStatusInput) (req
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 //   - UnsupportedOperationException
 //     The request was rejected because a specified parameter is not supported or
 //     a specified resource is not valid for this operation.
@@ -4322,11 +4748,11 @@ func (c *KMS) GetParametersForImportRequest(input *GetParametersForImportInput)
 // a subsequent ImportKeyMaterial request.
 //
 // You must specify the key ID of the symmetric encryption KMS key into which
-// you will import key material. This KMS key's Origin must be EXTERNAL. You
-// must also specify the wrapping algorithm and type of wrapping key (public
-// key) that you will use to encrypt the key material. You cannot perform this
-// operation on an asymmetric KMS key, an HMAC KMS key, or on any KMS key in
-// a different Amazon Web Services account.
+// you will import key material. The KMS key Origin must be EXTERNAL. You must
+// also specify the wrapping algorithm and type of wrapping key (public key)
+// that you will use to encrypt the key material. You cannot perform this operation
+// on an asymmetric KMS key, an HMAC KMS key, or on any KMS key in a different
+// Amazon Web Services account.
 //
 // To import key material, you must use the public key and import token from
 // the same response. These items are valid for 24 hours. The expiration date
@@ -4368,8 +4794,8 @@ func (c *KMS) GetParametersForImportRequest(input *GetParametersForImportInput)
 //     a specified resource is not valid for this operation.
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - NotFoundException
 //     The request was rejected because the specified entity or resource could not
@@ -4383,10 +4809,18 @@ func (c *KMS) GetParametersForImportRequest(input *GetParametersForImportInput)
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImport
 func (c *KMS) GetParametersForImport(input *GetParametersForImportInput) (*GetParametersForImportOutput, error) {
 	req, out := c.GetParametersForImportRequest(input)
@@ -4467,11 +4901,6 @@ func (c *KMS) GetPublicKeyRequest(input *GetPublicKeyInput) (req *request.Reques
 // are part of every KMS operation. You also reduce of risk of encrypting data
 // that cannot be decrypted. These features are not effective outside of KMS.
 //
-// To verify a signature outside of KMS with an SM2 public key (China Regions
-// only), you must specify the distinguishing ID. By default, KMS uses 1234567812345678
-// as the distinguishing ID. For more information, see Offline verification
-// with SM2 key pairs (https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification).
-//
 // To help you use the public key safely outside of KMS, GetPublicKey returns
 // important information about the public key in the response, including:
 //
@@ -4493,6 +4922,11 @@ func (c *KMS) GetPublicKeyRequest(input *GetPublicKeyInput) (req *request.Reques
 // algorithm that is not supported by KMS. You can also avoid errors, such as
 // using the wrong signing algorithm in a verification operation.
 //
+// To verify a signature outside of KMS with an SM2 public key (China Regions
+// only), you must specify the distinguishing ID. By default, KMS uses 1234567812345678
+// as the distinguishing ID. For more information, see Offline verification
+// with SM2 key pairs (https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification).
+//
 // The KMS key that you use for this operation must be in a compatible key state.
 // For details, see Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 // in the Key Management Service Developer Guide.
@@ -4527,8 +4961,8 @@ func (c *KMS) GetPublicKeyRequest(input *GetPublicKeyInput) (req *request.Reques
 //     You can retry the request.
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - UnsupportedOperationException
 //     The request was rejected because a specified parameter is not supported or
@@ -4566,10 +5000,18 @@ func (c *KMS) GetPublicKeyRequest(input *GetPublicKeyInput) (req *request.Reques
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKey
 func (c *KMS) GetPublicKey(input *GetPublicKeyInput) (*GetPublicKeyOutput, error) {
 	req, out := c.GetPublicKeyRequest(input)
@@ -4664,11 +5106,13 @@ func (c *KMS) ImportKeyMaterialRequest(input *ImportKeyMaterialInput) (req *requ
 //   - The import token that GetParametersForImport returned. You must use
 //     a public key and token from the same GetParametersForImport response.
 //
-//   - Whether the key material expires and if so, when. If you set an expiration
-//     date, KMS deletes the key material from the KMS key on the specified date,
-//     and the KMS key becomes unusable. To use the KMS key again, you must reimport
-//     the same key material. The only way to change an expiration date is by
-//     reimporting the same key material and specifying a new expiration date.
+//   - Whether the key material expires (ExpirationModel) and, if so, when
+//     (ValidTo). If you set an expiration date, on the specified date, KMS deletes
+//     the key material from the KMS key, making the KMS key unusable. To use
+//     the KMS key in cryptographic operations again, you must reimport the same
+//     key material. The only way to change the expiration model or expiration
+//     date is by reimporting the same key material and specifying a new expiration
+//     date.
 //
 // When this operation is successful, the key state of the KMS key changes from
 // PendingImport to Enabled, and you can use the KMS key.
@@ -4714,8 +5158,8 @@ func (c *KMS) ImportKeyMaterialRequest(input *ImportKeyMaterialInput) (req *requ
 //     a specified resource is not valid for this operation.
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - NotFoundException
 //     The request was rejected because the specified entity or resource could not
@@ -4729,10 +5173,18 @@ func (c *KMS) ImportKeyMaterialRequest(input *ImportKeyMaterialInput) (req *requ
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 //   - InvalidCiphertextException
 //     From the Decrypt or ReEncrypt operation, the request was rejected because
 //     the specified ciphertext, or additional authenticated data incorporated into
@@ -4812,7 +5264,7 @@ func (c *KMS) ListAliasesRequest(input *ListAliasesInput) (req *request.Request,
 			InputTokens:     []string{"Marker"},
 			OutputTokens:    []string{"NextMarker"},
 			LimitToken:      "Limit",
-			TruncationToken: "Truncated",
+			TruncationToken: "",
 		},
 	}
 
@@ -4873,8 +5325,8 @@ func (c *KMS) ListAliasesRequest(input *ListAliasesInput) (req *request.Request,
 // Returned Error Types:
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - InvalidMarkerException
 //     The request was rejected because the marker that specifies where pagination
@@ -4999,7 +5451,7 @@ func (c *KMS) ListGrantsRequest(input *ListGrantsInput) (req *request.Request, o
 			InputTokens:     []string{"Marker"},
 			OutputTokens:    []string{"NextMarker"},
 			LimitToken:      "Limit",
-			TruncationToken: "Truncated",
+			TruncationToken: "",
 		},
 	}
 
@@ -5061,8 +5513,8 @@ func (c *KMS) ListGrantsRequest(input *ListGrantsInput) (req *request.Request, o
 //     be found.
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - InvalidMarkerException
 //     The request was rejected because the marker that specifies where pagination
@@ -5083,10 +5535,18 @@ func (c *KMS) ListGrantsRequest(input *ListGrantsInput) (req *request.Request, o
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListGrants
 func (c *KMS) ListGrants(input *ListGrantsInput) (*ListGrantsResponse, error) {
 	req, out := c.ListGrantsRequest(input)
@@ -5194,7 +5654,7 @@ func (c *KMS) ListKeyPoliciesRequest(input *ListKeyPoliciesInput) (req *request.
 			InputTokens:     []string{"Marker"},
 			OutputTokens:    []string{"NextMarker"},
 			LimitToken:      "Limit",
-			TruncationToken: "Truncated",
+			TruncationToken: "",
 		},
 	}
 
@@ -5243,8 +5703,8 @@ func (c *KMS) ListKeyPoliciesRequest(input *ListKeyPoliciesInput) (req *request.
 //     is not valid.
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - InternalException
 //     The request was rejected because an internal exception occurred. The request
@@ -5254,10 +5714,18 @@ func (c *KMS) ListKeyPoliciesRequest(input *ListKeyPoliciesInput) (req *request.
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyPolicies
 func (c *KMS) ListKeyPolicies(input *ListKeyPoliciesInput) (*ListKeyPoliciesOutput, error) {
 	req, out := c.ListKeyPoliciesRequest(input)
@@ -5365,7 +5833,7 @@ func (c *KMS) ListKeysRequest(input *ListKeysInput) (req *request.Request, outpu
 			InputTokens:     []string{"Marker"},
 			OutputTokens:    []string{"NextMarker"},
 			LimitToken:      "Limit",
-			TruncationToken: "Truncated",
+			TruncationToken: "",
 		},
 	}
 
@@ -5409,8 +5877,8 @@ func (c *KMS) ListKeysRequest(input *ListKeysInput) (req *request.Request, outpu
 // Returned Error Types:
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - InternalException
 //     The request was rejected because an internal exception occurred. The request
@@ -5527,7 +5995,7 @@ func (c *KMS) ListResourceTagsRequest(input *ListResourceTagsInput) (req *reques
 			InputTokens:     []string{"Marker"},
 			OutputTokens:    []string{"NextMarker"},
 			LimitToken:      "Limit",
-			TruncationToken: "Truncated",
+			TruncationToken: "",
 		},
 	}
 
@@ -5697,7 +6165,7 @@ func (c *KMS) ListRetirableGrantsRequest(input *ListRetirableGrantsInput) (req *
 			InputTokens:     []string{"Marker"},
 			OutputTokens:    []string{"NextMarker"},
 			LimitToken:      "Limit",
-			TruncationToken: "Truncated",
+			TruncationToken: "",
 		},
 	}
 
@@ -5755,8 +6223,8 @@ func (c *KMS) ListRetirableGrantsRequest(input *ListRetirableGrantsInput) (req *
 // Returned Error Types:
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - InvalidMarkerException
 //     The request was rejected because the marker that specifies where pagination
@@ -5931,8 +6399,8 @@ func (c *KMS) PutKeyPolicyRequest(input *PutKeyPolicyInput) (req *request.Reques
 //     or semantically correct.
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - UnsupportedOperationException
 //     The request was rejected because a specified parameter is not supported or
@@ -5951,10 +6419,18 @@ func (c *KMS) PutKeyPolicyRequest(input *PutKeyPolicyInput) (req *request.Reques
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/PutKeyPolicy
 func (c *KMS) PutKeyPolicy(input *PutKeyPolicyInput) (*PutKeyPolicyOutput, error) {
 	req, out := c.PutKeyPolicyRequest(input)
@@ -6056,20 +6532,20 @@ func (c *KMS) ReEncryptRequest(input *ReEncryptInput) (req *request.Request, out
 //     was encrypted under a different KMS key, the ReEncrypt operation fails.
 //     This practice ensures that you use the KMS key that you intend.
 //
-//   - To reencrypt the data, you must use the DestinationKeyId parameter specify
-//     the KMS key that re-encrypts the data after it is decrypted. If the destination
-//     KMS key is an asymmetric KMS key, you must also provide the encryption
-//     algorithm. The algorithm that you choose must be compatible with the KMS
-//     key. When you use an asymmetric KMS key to encrypt or reencrypt data,
-//     be sure to record the KMS key and encryption algorithm that you choose.
-//     You will be required to provide the same KMS key and encryption algorithm
-//     when you decrypt the data. If the KMS key and algorithm do not match the
-//     values used to encrypt the data, the decrypt operation fails. You are
-//     not required to supply the key ID and encryption algorithm when you decrypt
-//     with symmetric encryption KMS keys because KMS stores this information
-//     in the ciphertext blob. KMS cannot store metadata in ciphertext generated
-//     with asymmetric keys. The standard format for asymmetric key ciphertext
-//     does not include configurable fields.
+//   - To reencrypt the data, you must use the DestinationKeyId parameter to
+//     specify the KMS key that re-encrypts the data after it is decrypted. If
+//     the destination KMS key is an asymmetric KMS key, you must also provide
+//     the encryption algorithm. The algorithm that you choose must be compatible
+//     with the KMS key. When you use an asymmetric KMS key to encrypt or reencrypt
+//     data, be sure to record the KMS key and encryption algorithm that you
+//     choose. You will be required to provide the same KMS key and encryption
+//     algorithm when you decrypt the data. If the KMS key and algorithm do not
+//     match the values used to encrypt the data, the decrypt operation fails.
+//     You are not required to supply the key ID and encryption algorithm when
+//     you decrypt with symmetric encryption KMS keys because KMS stores this
+//     information in the ciphertext blob. KMS cannot store metadata in ciphertext
+//     generated with asymmetric keys. The standard format for asymmetric key
+//     ciphertext does not include configurable fields.
 //
 // The KMS key that you use for this operation must be in a compatible key state.
 // For details, see Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
@@ -6140,8 +6616,8 @@ func (c *KMS) ReEncryptRequest(input *ReEncryptInput) (req *request.Request, out
 //     must identify the same KMS key that was used to encrypt the ciphertext.
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - InvalidKeyUsageException
 //     The request was rejected for one of the following reasons:
@@ -6171,10 +6647,18 @@ func (c *KMS) ReEncryptRequest(input *ReEncryptInput) (req *request.Request, out
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncrypt
 func (c *KMS) ReEncrypt(input *ReEncryptInput) (*ReEncryptOutput, error) {
 	req, out := c.ReEncryptRequest(input)
@@ -6348,10 +6832,18 @@ func (c *KMS) ReplicateKeyRequest(input *ReplicateKeyInput) (req *request.Reques
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 //   - InternalException
 //     The request was rejected because an internal exception occurred. The request
 //     can be retried.
@@ -6500,8 +6992,8 @@ func (c *KMS) RetireGrantRequest(input *RetireGrantInput) (req *request.Request,
 //     be found.
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - InternalException
 //     The request was rejected because an internal exception occurred. The request
@@ -6511,10 +7003,18 @@ func (c *KMS) RetireGrantRequest(input *RetireGrantInput) (req *request.Request,
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrant
 func (c *KMS) RetireGrant(input *RetireGrantInput) (*RetireGrantOutput, error) {
 	req, out := c.RetireGrantRequest(input)
@@ -6628,8 +7128,8 @@ func (c *KMS) RevokeGrantRequest(input *RevokeGrantInput) (req *request.Request,
 //     be found.
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - InvalidArnException
 //     The request was rejected because a specified ARN, or an ARN in a key policy,
@@ -6646,10 +7146,18 @@ func (c *KMS) RevokeGrantRequest(input *RevokeGrantInput) (req *request.Request,
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrant
 func (c *KMS) RevokeGrant(input *RevokeGrantInput) (*RevokeGrantOutput, error) {
 	req, out := c.RevokeGrantRequest(input)
@@ -6730,13 +7238,6 @@ func (c *KMS) ScheduleKeyDeletionRequest(input *ScheduleKeyDeletionInput) (req *
 // is unrecoverable. (The only exception is a multi-Region replica key.) To
 // prevent the use of a KMS key without deleting it, use DisableKey.
 //
-// If you schedule deletion of a KMS key from a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html),
-// when the waiting period expires, ScheduleKeyDeletion deletes the KMS key
-// from KMS. Then KMS makes a best effort to delete the key material from the
-// associated CloudHSM cluster. However, you might need to manually delete the
-// orphaned key material (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key)
-// from the cluster and its backups.
-//
 // You can schedule the deletion of a multi-Region primary key and its replica
 // keys at any time. However, KMS will not delete a multi-Region primary key
 // with existing replica keys. If you schedule the deletion of a primary key
@@ -6748,6 +7249,18 @@ func (c *KMS) ScheduleKeyDeletionRequest(input *ScheduleKeyDeletionInput) (req *
 // keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html)
 // in the Key Management Service Developer Guide.
 //
+// When KMS deletes a KMS key from an CloudHSM key store (https://docs.aws.amazon.com/kms/latest/developerguide/delete-cmk-keystore.html),
+// it makes a best effort to delete the associated key material from the associated
+// CloudHSM cluster. However, you might need to manually delete the orphaned
+// key material (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key)
+// from the cluster and its backups. Deleting a KMS key from an external key
+// store (https://docs.aws.amazon.com/kms/latest/developerguide/delete-xks-key.html)
+// has no effect on the associated external key. However, for both types of
+// custom key stores, deleting a KMS key is destructive and irreversible. You
+// cannot decrypt ciphertext encrypted under the KMS key by using only its associated
+// external key or CloudHSM key. Also, you cannot recreate a KMS key in an external
+// key store by creating a new KMS key with the same key material.
+//
 // For more information about scheduling a KMS key for deletion, see Deleting
 // KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html)
 // in the Key Management Service Developer Guide.
@@ -6785,8 +7298,8 @@ func (c *KMS) ScheduleKeyDeletionRequest(input *ScheduleKeyDeletionInput) (req *
 //     is not valid.
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - InternalException
 //     The request was rejected because an internal exception occurred. The request
@@ -6796,10 +7309,18 @@ func (c *KMS) ScheduleKeyDeletionRequest(input *ScheduleKeyDeletionInput) (req *
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletion
 func (c *KMS) ScheduleKeyDeletion(input *ScheduleKeyDeletionInput) (*ScheduleKeyDeletionOutput, error) {
 	req, out := c.ScheduleKeyDeletionRequest(input)
@@ -6940,8 +7461,8 @@ func (c *KMS) SignRequest(input *SignInput) (req *request.Request, output *SignO
 //     You can retry the request.
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - InvalidKeyUsageException
 //     The request was rejected for one of the following reasons:
@@ -6971,10 +7492,18 @@ func (c *KMS) SignRequest(input *SignInput) (req *request.Request, output *SignO
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Sign
 func (c *KMS) Sign(input *SignInput) (*SignOutput, error) {
 	req, out := c.SignRequest(input)
@@ -7044,7 +7573,7 @@ func (c *KMS) TagResourceRequest(input *TagResourceInput) (req *request.Request,
 // Adds or edits tags on a customer managed key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk).
 //
 // Tagging or untagging a KMS key can allow or deny permission to the KMS key.
-// For details, see ABAC in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html)
+// For details, see ABAC for KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html)
 // in the Key Management Service Developer Guide.
 //
 // Each tag consists of a tag key and a tag value, both of which are case-sensitive
@@ -7111,10 +7640,18 @@ func (c *KMS) TagResourceRequest(input *TagResourceInput) (req *request.Request,
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 //   - LimitExceededException
 //     The request was rejected because a quota was exceeded. For more information,
 //     see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html)
@@ -7193,7 +7730,7 @@ func (c *KMS) UntagResourceRequest(input *UntagResourceInput) (req *request.Requ
 // To delete a tag, specify the tag key and the KMS key.
 //
 // Tagging or untagging a KMS key can allow or deny permission to the KMS key.
-// For details, see ABAC in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html)
+// For details, see ABAC for KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html)
 // in the Key Management Service Developer Guide.
 //
 // When it succeeds, the UntagResource operation doesn't return any output.
@@ -7251,10 +7788,18 @@ func (c *KMS) UntagResourceRequest(input *UntagResourceInput) (req *request.Requ
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 //   - TagException
 //     The request was rejected because one or more tags are not valid.
 //
@@ -7330,14 +7875,14 @@ func (c *KMS) UpdateAliasRequest(input *UpdateAliasInput) (req *request.Request,
 // account and Region.
 //
 // Adding, deleting, or updating an alias can allow or deny permission to the
-// KMS key. For details, see ABAC in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html)
+// KMS key. For details, see ABAC for KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html)
 // in the Key Management Service Developer Guide.
 //
 // The current and new KMS key must be the same type (both symmetric or both
-// asymmetric), and they must have the same key usage (ENCRYPT_DECRYPT or SIGN_VERIFY).
-// This restriction prevents errors in code that uses aliases. If you must assign
-// an alias to a different type of KMS key, use DeleteAlias to delete the old
-// alias and CreateAlias to create a new alias.
+// asymmetric or both HMAC), and they must have the same key usage. This restriction
+// prevents errors in code that uses aliases. If you must assign an alias to
+// a different type of KMS key, use DeleteAlias to delete the old alias and
+// CreateAlias to create a new alias.
 //
 // You cannot use UpdateAlias to change an alias name. To change an alias name,
 // use DeleteAlias to delete the old alias and CreateAlias to create a new alias.
@@ -7386,8 +7931,8 @@ func (c *KMS) UpdateAliasRequest(input *UpdateAliasInput) (req *request.Request,
 // Returned Error Types:
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - NotFoundException
 //     The request was rejected because the specified entity or resource could not
@@ -7406,10 +7951,18 @@ func (c *KMS) UpdateAliasRequest(input *UpdateAliasInput) (req *request.Request,
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateAlias
 func (c *KMS) UpdateAlias(input *UpdateAliasInput) (*UpdateAliasOutput, error) {
 	req, out := c.UpdateAliasRequest(input)
@@ -7476,42 +8029,70 @@ func (c *KMS) UpdateCustomKeyStoreRequest(input *UpdateCustomKeyStoreInput) (req
 
 // UpdateCustomKeyStore API operation for AWS Key Management Service.
 //
-// Changes the properties of a custom key store. Use the CustomKeyStoreId parameter
-// to identify the custom key store you want to edit. Use the remaining parameters
-// to change the properties of the custom key store.
+// Changes the properties of a custom key store. You can use this operation
+// to change the properties of an CloudHSM key store or an external key store.
 //
-// You can only update a custom key store that is disconnected. To disconnect
-// the custom key store, use DisconnectCustomKeyStore. To reconnect the custom
-// key store after the update completes, use ConnectCustomKeyStore. To find
-// the connection state of a custom key store, use the DescribeCustomKeyStores
-// operation.
+// Use the required CustomKeyStoreId parameter to identify the custom key store.
+// Use the remaining optional parameters to change its properties. This operation
+// does not return any property values. To verify the updated property values,
+// use the DescribeCustomKeyStores operation.
 //
-// The CustomKeyStoreId parameter is required in all commands. Use the other
-// parameters of UpdateCustomKeyStore to edit your key store settings.
+// This operation is part of the custom key stores (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
+// feature in KMS, which combines the convenience and extensive integration
+// of KMS with the isolation and control of a key store that you own and manage.
 //
-//   - Use the NewCustomKeyStoreName parameter to change the friendly name
-//     of the custom key store to the value that you specify.
+// When updating the properties of an external key store, verify that the updated
+// settings connect your key store, via the external key store proxy, to the
+// same external key manager as the previous settings, or to a backup or snapshot
+// of the external key manager with the same cryptographic keys. If the updated
+// connection settings fail, you can fix them and retry, although an extended
+// delay might disrupt Amazon Web Services services. However, if KMS permanently
+// loses its access to cryptographic keys, ciphertext encrypted under those
+// keys is unrecoverable.
 //
-//   - Use the KeyStorePassword parameter tell KMS the current password of
-//     the kmsuser crypto user (CU) (https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser)
-//     in the associated CloudHSM cluster. You can use this parameter to fix
-//     connection failures (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-password)
-//     that occur when KMS cannot log into the associated cluster because the
-//     kmsuser password has changed. This value does not change the password
-//     in the CloudHSM cluster.
+// For external key stores:
 //
-//   - Use the CloudHsmClusterId parameter to associate the custom key store
-//     with a different, but related, CloudHSM cluster. You can use this parameter
-//     to repair a custom key store if its CloudHSM cluster becomes corrupted
-//     or is deleted, or when you need to create or restore a cluster from a
-//     backup.
+// Some external key managers provide a simpler method for updating an external
+// key store. For details, see your external key manager documentation.
+//
+// When updating an external key store in the KMS console, you can upload a
+// JSON-based proxy configuration file with the desired values. You cannot upload
+// the proxy configuration file to the UpdateCustomKeyStore operation. However,
+// you can use the file to help you determine the correct values for the UpdateCustomKeyStore
+// parameters.
+//
+// For an CloudHSM key store, you can use this operation to change the custom
+// key store friendly name (NewCustomKeyStoreName), to tell KMS about a change
+// to the kmsuser crypto user password (KeyStorePassword), or to associate the
+// custom key store with a different, but related, CloudHSM cluster (CloudHsmClusterId).
+// To update any property of an CloudHSM key store, the ConnectionState of the
+// CloudHSM key store must be DISCONNECTED.
+//
+// For an external key store, you can use this operation to change the custom
+// key store friendly name (NewCustomKeyStoreName), or to tell KMS about a change
+// to the external key store proxy authentication credentials (XksProxyAuthenticationCredential),
+// connection method (XksProxyConnectivity), external proxy endpoint (XksProxyUriEndpoint)
+// and path (XksProxyUriPath). For external key stores with an XksProxyConnectivity
+// of VPC_ENDPOINT_SERVICE, you can also update the Amazon VPC endpoint service
+// name (XksProxyVpcEndpointServiceName). To update most properties of an external
+// key store, the ConnectionState of the external key store must be DISCONNECTED.
+// However, you can update the CustomKeyStoreName, XksProxyAuthenticationCredential,
+// and XksProxyUriPath of an external key store when it is in the CONNECTED
+// or DISCONNECTED state.
+//
+// If your update requires a DISCONNECTED state, before using UpdateCustomKeyStore,
+// use the DisconnectCustomKeyStore operation to disconnect the custom key store.
+// After the UpdateCustomKeyStore operation completes, use the ConnectCustomKeyStore
+// to reconnect the custom key store. To find the ConnectionState of the custom
+// key store, use the DescribeCustomKeyStores operation.
+//
+// Before updating the custom key store, verify that the new values allow KMS
+// to connect the custom key store to its backing key store. For example, before
+// you change the XksProxyUriPath value, verify that the external key store
+// proxy is reachable at the new path.
 //
 // If the operation succeeds, it returns a JSON object with no properties.
 //
-// This operation is part of the custom key store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
-// feature in KMS, which combines the convenience and extensive integration
-// of KMS with the isolation and control of a single-tenant key store.
-//
 // Cross-account use: No. You cannot perform this operation on a custom key
 // store in a different Amazon Web Services account.
 //
@@ -7555,15 +8136,16 @@ func (c *KMS) UpdateCustomKeyStoreRequest(input *UpdateCustomKeyStoreInput) (req
 //   - CloudHsmClusterNotRelatedException
 //     The request was rejected because the specified CloudHSM cluster has a different
 //     cluster certificate than the original cluster. You cannot use the operation
-//     to specify an unrelated cluster.
+//     to specify an unrelated cluster for an CloudHSM key store.
 //
-//     Specify a cluster that shares a backup history with the original cluster.
-//     This includes clusters that were created from a backup of the current cluster,
-//     and clusters that were created from the same backup that produced the current
-//     cluster.
+//     Specify an CloudHSM cluster that shares a backup history with the original
+//     cluster. This includes clusters that were created from a backup of the current
+//     cluster, and clusters that were created from the same backup that produced
+//     the current cluster.
 //
-//     Clusters that share a backup history have the same cluster certificate. To
-//     view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
+//     CloudHSM clusters that share a backup history have the same cluster certificate.
+//     To view the cluster certificate of an CloudHSM cluster, use the DescribeClusters
+//     (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
 //     operation.
 //
 //   - CustomKeyStoreInvalidStateException
@@ -7573,60 +8155,126 @@ func (c *KMS) UpdateCustomKeyStoreRequest(input *UpdateCustomKeyStoreInput) (req
 //
 //     This exception is thrown under the following conditions:
 //
-//   - You requested the CreateKey or GenerateRandom operation in a custom
-//     key store that is not connected. These operations are valid only when
-//     the custom key store ConnectionState is CONNECTED.
+//   - You requested the ConnectCustomKeyStore operation on a custom key store
+//     with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
+//     for all other ConnectionState values. To reconnect a custom key store
+//     in a FAILED state, disconnect it (DisconnectCustomKeyStore), then connect
+//     it (ConnectCustomKeyStore).
+//
+//   - You requested the CreateKey operation in a custom key store that is
+//     not connected. This operations is valid only when the custom key store
+//     ConnectionState is CONNECTED.
+//
+//   - You requested the DisconnectCustomKeyStore operation on a custom key
+//     store with a ConnectionState of DISCONNECTING or DISCONNECTED. This operation
+//     is valid for all other ConnectionState values.
 //
 //   - You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation
 //     on a custom key store that is not disconnected. This operation is valid
 //     only when the custom key store ConnectionState is DISCONNECTED.
 //
-//   - You requested the ConnectCustomKeyStore operation on a custom key store
-//     with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
-//     for all other ConnectionState values.
+//   - You requested the GenerateRandom operation in an CloudHSM key store
+//     that is not connected. This operation is valid only when the CloudHSM
+//     key store ConnectionState is CONNECTED.
 //
 //   - InternalException
 //     The request was rejected because an internal exception occurred. The request
 //     can be retried.
 //
 //   - CloudHsmClusterNotActiveException
-//     The request was rejected because the CloudHSM cluster that is associated
-//     with the custom key store is not active. Initialize and activate the cluster
-//     and try the command again. For detailed instructions, see Getting Started
-//     (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html)
+//     The request was rejected because the CloudHSM cluster associated with the
+//     CloudHSM key store is not active. Initialize and activate the cluster and
+//     try the command again. For detailed instructions, see Getting Started (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html)
 //     in the CloudHSM User Guide.
 //
 //   - CloudHsmClusterInvalidConfigurationException
 //     The request was rejected because the associated CloudHSM cluster did not
-//     meet the configuration requirements for a custom key store.
+//     meet the configuration requirements for an CloudHSM key store.
 //
-//   - The cluster must be configured with private subnets in at least two
-//     different Availability Zones in the Region.
+//   - The CloudHSM cluster must be configured with private subnets in at least
+//     two different Availability Zones in the Region.
 //
 //   - The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html)
 //     (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound
 //     rules that allow TCP traffic on ports 2223-2225. The Source in the inbound
 //     rules and the Destination in the outbound rules must match the security
-//     group ID. These rules are set by default when you create the cluster.
-//     Do not delete or change them. To get information about a particular security
-//     group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html)
+//     group ID. These rules are set by default when you create the CloudHSM
+//     cluster. Do not delete or change them. To get information about a particular
+//     security group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html)
 //     operation.
 //
-//   - The cluster must contain at least as many HSMs as the operation requires.
-//     To add HSMs, use the CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
+//   - The CloudHSM cluster must contain at least as many HSMs as the operation
+//     requires. To add HSMs, use the CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
 //     operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey
 //     operations, the CloudHSM cluster must have at least two active HSMs, each
 //     in a different Availability Zone. For the ConnectCustomKeyStore operation,
 //     the CloudHSM must contain at least one active HSM.
 //
 //     For information about the requirements for an CloudHSM cluster that is associated
-//     with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore)
+//     with an CloudHSM key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore)
 //     in the Key Management Service Developer Guide. For information about creating
 //     a private subnet for an CloudHSM cluster, see Create a Private Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html)
 //     in the CloudHSM User Guide. For information about cluster security groups,
 //     see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html)
 //     in the CloudHSM User Guide .
 //
+//   - XksProxyUriInUseException
+//     The request was rejected because the concatenation of the XksProxyUriEndpoint
+//     and XksProxyUriPath is already associated with an external key store in the
+//     Amazon Web Services account and Region. Each external key store in an account
+//     and Region must use a unique external key store proxy API address.
+//
+//   - XksProxyUriEndpointInUseException
+//     The request was rejected because the concatenation of the XksProxyUriEndpoint
+//     is already associated with an external key store in the Amazon Web Services
+//     account and Region. Each external key store in an account and Region must
+//     use a unique external key store proxy address.
+//
+//   - XksProxyUriUnreachableException
+//     KMS was unable to reach the specified XksProxyUriPath. The path must be reachable
+//     before you create the external key store or update its settings.
+//
+//     This exception is also thrown when the external key store proxy response
+//     to a GetHealthStatus request indicates that all external key manager instances
+//     are unavailable.
+//
+//   - XksProxyIncorrectAuthenticationCredentialException
+//     The request was rejected because the proxy credentials failed to authenticate
+//     to the specified external key store proxy. The specified external key store
+//     proxy rejected a status request from KMS due to invalid credentials. This
+//     can indicate an error in the credentials or in the identification of the
+//     external key store proxy.
+//
+//   - XksProxyVpcEndpointServiceInUseException
+//     The request was rejected because the specified Amazon VPC endpoint service
+//     is already associated with an external key store in the Amazon Web Services
+//     account and Region. Each external key store in an Amazon Web Services account
+//     and Region must use a different Amazon VPC endpoint service.
+//
+//   - XksProxyVpcEndpointServiceNotFoundException
+//     The request was rejected because KMS could not find the specified VPC endpoint
+//     service. Use DescribeCustomKeyStores to verify the VPC endpoint service name
+//     for the external key store. Also, confirm that the Allow principals list
+//     for the VPC endpoint service includes the KMS service principal for the Region,
+//     such as cks.kms.us-east-1.amazonaws.com.
+//
+//   - XksProxyVpcEndpointServiceInvalidConfigurationException
+//     The request was rejected because the Amazon VPC endpoint service configuration
+//     does not fulfill the requirements for an external key store proxy. For details,
+//     see the exception message and review the requirements (kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements)
+//     for Amazon VPC endpoint service connectivity for an external key store.
+//
+//   - XksProxyInvalidResponseException
+//     KMS cannot interpret the response it received from the external key store
+//     proxy. The problem might be a poorly constructed response, but it could also
+//     be a transient network issue. If you see this error repeatedly, report it
+//     to the proxy vendor.
+//
+//   - XksProxyInvalidConfigurationException
+//     The request was rejected because the Amazon VPC endpoint service configuration
+//     does not fulfill the requirements for an external key store proxy. For details,
+//     see the exception message.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateCustomKeyStore
 func (c *KMS) UpdateCustomKeyStore(input *UpdateCustomKeyStoreInput) (*UpdateCustomKeyStoreOutput, error) {
 	req, out := c.UpdateCustomKeyStoreRequest(input)
@@ -7730,8 +8378,8 @@ func (c *KMS) UpdateKeyDescriptionRequest(input *UpdateKeyDescriptionInput) (req
 //     is not valid.
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - InternalException
 //     The request was rejected because an internal exception occurred. The request
@@ -7741,10 +8389,18 @@ func (c *KMS) UpdateKeyDescriptionRequest(input *UpdateKeyDescriptionInput) (req
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateKeyDescription
 func (c *KMS) UpdateKeyDescription(input *UpdateKeyDescriptionInput) (*UpdateKeyDescriptionOutput, error) {
 	req, out := c.UpdateKeyDescriptionRequest(input)
@@ -7902,10 +8558,18 @@ func (c *KMS) UpdatePrimaryRegionRequest(input *UpdatePrimaryRegionInput) (req *
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 //   - InternalException
 //     The request was rejected because an internal exception occurred. The request
 //     can be retried.
@@ -8004,15 +8668,16 @@ func (c *KMS) VerifyRequest(input *VerifyInput) (req *request.Request, output *V
 // You can also verify the digital signature by using the public key of the
 // KMS key outside of KMS. Use the GetPublicKey operation to download the public
 // key in the asymmetric KMS key and then use the public key to verify the signature
-// outside of KMS. To verify a signature outside of KMS with an SM2 public key,
-// you must specify the distinguishing ID. By default, KMS uses 1234567812345678
+// outside of KMS. The advantage of using the Verify operation is that it is
+// performed within KMS. As a result, it's easy to call, the operation is performed
+// within the FIPS boundary, it is logged in CloudTrail, and you can use key
+// policy and IAM policy to determine who is authorized to use the KMS key to
+// verify signatures.
+//
+// To verify a signature outside of KMS with an SM2 public key (China Regions
+// only), you must specify the distinguishing ID. By default, KMS uses 1234567812345678
 // as the distinguishing ID. For more information, see Offline verification
-// with SM2 key pairs (https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification)
-// in Key Management Service Developer Guide. The advantage of using the Verify
-// operation is that it is performed within KMS. As a result, it's easy to call,
-// the operation is performed within the FIPS boundary, it is logged in CloudTrail,
-// and you can use key policy and IAM policy to determine who is authorized
-// to use the KMS key to verify signatures.
+// with SM2 key pairs (https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification).
 //
 // The KMS key that you use for this operation must be in a compatible key state.
 // For details, see Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
@@ -8048,8 +8713,8 @@ func (c *KMS) VerifyRequest(input *VerifyInput) (req *request.Request, output *V
 //     You can retry the request.
 //
 //   - DependencyTimeoutException
-//     The system timed out while trying to fulfill the request. The request can
-//     be retried.
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
 //
 //   - InvalidKeyUsageException
 //     The request was rejected for one of the following reasons:
@@ -8079,10 +8744,18 @@ func (c *KMS) VerifyRequest(input *VerifyInput) (req *request.Request, output *V
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 //   - KMSInvalidSignatureException
 //     The request was rejected because the signature verification failed. Signature
 //     verification fails when it cannot confirm that signature was produced by
@@ -8157,10 +8830,12 @@ func (c *KMS) VerifyMacRequest(input *VerifyMacInput) (req *request.Request, out
 // message, HMAC KMS key, and MAC algorithm. To verify the HMAC, VerifyMac computes
 // an HMAC using the message, HMAC KMS key, and MAC algorithm that you specify,
 // and compares the computed HMAC to the HMAC that you specify. If the HMACs
-// are identical, the verification succeeds; otherwise, it fails.
+// are identical, the verification succeeds; otherwise, it fails. Verification
+// indicates that the message hasn't changed since the HMAC was calculated,
+// and the specified key was used to generate and verify the HMAC.
 //
-// Verification indicates that the message hasn't changed since the HMAC was
-// calculated, and the specified key was used to generate and verify the HMAC.
+// HMAC KMS keys and the HMAC algorithms that KMS uses conform to industry standards
+// defined in RFC 2104 (https://datatracker.ietf.org/doc/html/rfc2104).
 //
 // This operation is part of KMS support for HMAC KMS keys. For details, see
 // HMAC keys in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html)
@@ -8232,10 +8907,18 @@ func (c *KMS) VerifyMacRequest(input *VerifyMacInput) (req *request.Request, out
 //     The request was rejected because the state of the specified resource is not
 //     valid for this request.
 //
-//     For more information about how key state affects the use of a KMS key, see
-//     Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
 //     in the Key Management Service Developer Guide .
 //
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyMac
 func (c *KMS) VerifyMac(input *VerifyMacInput) (*VerifyMacOutput, error) {
 	req, out := c.VerifyMacRequest(input)
@@ -8486,12 +9169,13 @@ func (s *CancelKeyDeletionOutput) SetKeyId(v string) *CancelKeyDeletionOutput {
 }
 
 // The request was rejected because the specified CloudHSM cluster is already
-// associated with a custom key store or it shares a backup history with a cluster
-// that is associated with a custom key store. Each custom key store must be
-// associated with a different CloudHSM cluster.
+// associated with an CloudHSM key store in the account, or it shares a backup
+// history with an CloudHSM key store in the account. Each CloudHSM key store
+// in the account must be associated with a different CloudHSM cluster.
 //
-// Clusters that share a backup history have the same cluster certificate. To
-// view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
+// CloudHSM clusters that share a backup history have the same cluster certificate.
+// To view the cluster certificate of an CloudHSM cluster, use the DescribeClusters
+// (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
 // operation.
 type CloudHsmClusterInUseException struct {
 	_            struct{}                  `type:"structure"`
@@ -8557,29 +9241,29 @@ func (s *CloudHsmClusterInUseException) RequestID() string {
 }
 
 // The request was rejected because the associated CloudHSM cluster did not
-// meet the configuration requirements for a custom key store.
+// meet the configuration requirements for an CloudHSM key store.
 //
-//   - The cluster must be configured with private subnets in at least two
-//     different Availability Zones in the Region.
+//   - The CloudHSM cluster must be configured with private subnets in at least
+//     two different Availability Zones in the Region.
 //
 //   - The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html)
 //     (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound
 //     rules that allow TCP traffic on ports 2223-2225. The Source in the inbound
 //     rules and the Destination in the outbound rules must match the security
-//     group ID. These rules are set by default when you create the cluster.
-//     Do not delete or change them. To get information about a particular security
-//     group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html)
+//     group ID. These rules are set by default when you create the CloudHSM
+//     cluster. Do not delete or change them. To get information about a particular
+//     security group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html)
 //     operation.
 //
-//   - The cluster must contain at least as many HSMs as the operation requires.
-//     To add HSMs, use the CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
+//   - The CloudHSM cluster must contain at least as many HSMs as the operation
+//     requires. To add HSMs, use the CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
 //     operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey
 //     operations, the CloudHSM cluster must have at least two active HSMs, each
 //     in a different Availability Zone. For the ConnectCustomKeyStore operation,
 //     the CloudHSM must contain at least one active HSM.
 //
 // For information about the requirements for an CloudHSM cluster that is associated
-// with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore)
+// with an CloudHSM key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore)
 // in the Key Management Service Developer Guide. For information about creating
 // a private subnet for an CloudHSM cluster, see Create a Private Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html)
 // in the CloudHSM User Guide. For information about cluster security groups,
@@ -8648,10 +9332,9 @@ func (s *CloudHsmClusterInvalidConfigurationException) RequestID() string {
 	return s.RespMetadata.RequestID
 }
 
-// The request was rejected because the CloudHSM cluster that is associated
-// with the custom key store is not active. Initialize and activate the cluster
-// and try the command again. For detailed instructions, see Getting Started
-// (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html)
+// The request was rejected because the CloudHSM cluster associated with the
+// CloudHSM key store is not active. Initialize and activate the cluster and
+// try the command again. For detailed instructions, see Getting Started (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html)
 // in the CloudHSM User Guide.
 type CloudHsmClusterNotActiveException struct {
 	_            struct{}                  `type:"structure"`
@@ -8783,15 +9466,16 @@ func (s *CloudHsmClusterNotFoundException) RequestID() string {
 
 // The request was rejected because the specified CloudHSM cluster has a different
 // cluster certificate than the original cluster. You cannot use the operation
-// to specify an unrelated cluster.
+// to specify an unrelated cluster for an CloudHSM key store.
 //
-// Specify a cluster that shares a backup history with the original cluster.
-// This includes clusters that were created from a backup of the current cluster,
-// and clusters that were created from the same backup that produced the current
-// cluster.
+// Specify an CloudHSM cluster that shares a backup history with the original
+// cluster. This includes clusters that were created from a backup of the current
+// cluster, and clusters that were created from the same backup that produced
+// the current cluster.
 //
-// Clusters that share a backup history have the same cluster certificate. To
-// view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
+// CloudHSM clusters that share a backup history have the same cluster certificate.
+// To view the cluster certificate of an CloudHSM cluster, use the DescribeClusters
+// (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
 // operation.
 type CloudHsmClusterNotRelatedException struct {
 	_            struct{}                  `type:"structure"`
@@ -9042,18 +9726,33 @@ func (s CreateAliasOutput) GoString() string {
 type CreateCustomKeyStoreInput struct {
 	_ struct{} `type:"structure"`
 
-	// Identifies the CloudHSM cluster for the custom key store. Enter the cluster
-	// ID of any active CloudHSM cluster that is not already associated with a custom
-	// key store. To find the cluster ID, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
+	// Identifies the CloudHSM cluster for an CloudHSM key store. This parameter
+	// is required for custom key stores with CustomKeyStoreType of AWS_CLOUDHSM.
+	//
+	// Enter the cluster ID of any active CloudHSM cluster that is not already associated
+	// with a custom key store. To find the cluster ID, use the DescribeClusters
+	// (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
 	// operation.
 	CloudHsmClusterId *string `min:"19" type:"string"`
 
 	// Specifies a friendly name for the custom key store. The name must be unique
-	// in your Amazon Web Services account.
+	// in your Amazon Web Services account and Region. This parameter is required
+	// for all custom key stores.
 	//
 	// CustomKeyStoreName is a required field
 	CustomKeyStoreName *string `min:"1" type:"string" required:"true"`
 
+	// Specifies the type of custom key store. The default value is AWS_CLOUDHSM.
+	//
+	// For a custom key store backed by an CloudHSM cluster, omit the parameter
+	// or enter AWS_CLOUDHSM. For a custom key store backed by an external key manager
+	// outside of Amazon Web Services, enter EXTERNAL_KEY_STORE. You cannot change
+	// this property after the key store is created.
+	CustomKeyStoreType *string `type:"string" enum:"CustomKeyStoreType"`
+
+	// Specifies the kmsuser password for an CloudHSM key store. This parameter
+	// is required for custom key stores with a CustomKeyStoreType of AWS_CLOUDHSM.
+	//
 	// Enter the password of the kmsuser crypto user (CU) account (https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser)
 	// in the specified CloudHSM cluster. KMS logs into the cluster as this user
 	// to manage key material on your behalf.
@@ -9068,10 +9767,118 @@ type CreateCustomKeyStoreInput struct {
 	// String and GoString methods.
 	KeyStorePassword *string `min:"7" type:"string" sensitive:"true"`
 
-	// Enter the content of the trust anchor certificate for the cluster. This is
-	// the content of the customerCA.crt file that you created when you initialized
-	// the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html).
+	// Specifies the certificate for an CloudHSM key store. This parameter is required
+	// for custom key stores with a CustomKeyStoreType of AWS_CLOUDHSM.
+	//
+	// Enter the content of the trust anchor certificate for the CloudHSM cluster.
+	// This is the content of the customerCA.crt file that you created when you
+	// initialized the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html).
 	TrustAnchorCertificate *string `min:"1" type:"string"`
+
+	// Specifies an authentication credential for the external key store proxy (XKS
+	// proxy). This parameter is required for all custom key stores with a CustomKeyStoreType
+	// of EXTERNAL_KEY_STORE.
+	//
+	// The XksProxyAuthenticationCredential has two required elements: RawSecretAccessKey,
+	// a secret key, and AccessKeyId, a unique identifier for the RawSecretAccessKey.
+	// For character requirements, see XksProxyAuthenticationCredentialType (kms/latest/APIReference/API_XksProxyAuthenticationCredentialType.html).
+	//
+	// KMS uses this authentication credential to sign requests to the external
+	// key store proxy on your behalf. This credential is unrelated to Identity
+	// and Access Management (IAM) and Amazon Web Services credentials.
+	//
+	// This parameter doesn't set or change the authentication credentials on the
+	// XKS proxy. It just tells KMS the credential that you established on your
+	// external key store proxy. If you rotate your proxy authentication credential,
+	// use the UpdateCustomKeyStore operation to provide the new credential to KMS.
+	XksProxyAuthenticationCredential *XksProxyAuthenticationCredentialType `type:"structure"`
+
+	// Indicates how KMS communicates with the external key store proxy. This parameter
+	// is required for custom key stores with a CustomKeyStoreType of EXTERNAL_KEY_STORE.
+	//
+	// If the external key store proxy uses a public endpoint, specify PUBLIC_ENDPOINT.
+	// If the external key store proxy uses a Amazon VPC endpoint service for communication
+	// with KMS, specify VPC_ENDPOINT_SERVICE. For help making this choice, see
+	// Choosing a connectivity option (https://docs.aws.amazon.com/kms/latest/developerguide/plan-xks-keystore.html#choose-xks-connectivity)
+	// in the Key Management Service Developer Guide.
+	//
+	// An Amazon VPC endpoint service keeps your communication with KMS in a private
+	// address space entirely within Amazon Web Services, but it requires more configuration,
+	// including establishing a Amazon VPC with multiple subnets, a VPC endpoint
+	// service, a network load balancer, and a verified private DNS name. A public
+	// endpoint is simpler to set up, but it might be slower and might not fulfill
+	// your security requirements. You might consider testing with a public endpoint,
+	// and then establishing a VPC endpoint service for production tasks. Note that
+	// this choice does not determine the location of the external key store proxy.
+	// Even if you choose a VPC endpoint service, the proxy can be hosted within
+	// the VPC or outside of Amazon Web Services such as in your corporate data
+	// center.
+	XksProxyConnectivity *string `type:"string" enum:"XksProxyConnectivityType"`
+
+	// Specifies the endpoint that KMS uses to send requests to the external key
+	// store proxy (XKS proxy). This parameter is required for custom key stores
+	// with a CustomKeyStoreType of EXTERNAL_KEY_STORE.
+	//
+	// The protocol must be HTTPS. KMS communicates on port 443. Do not specify
+	// the port in the XksProxyUriEndpoint value.
+	//
+	// For external key stores with XksProxyConnectivity value of VPC_ENDPOINT_SERVICE,
+	// specify https:// followed by the private DNS name of the VPC endpoint service.
+	//
+	// For external key stores with PUBLIC_ENDPOINT connectivity, this endpoint
+	// must be reachable before you create the custom key store. KMS connects to
+	// the external key store proxy while creating the custom key store. For external
+	// key stores with VPC_ENDPOINT_SERVICE connectivity, KMS connects when you
+	// call the ConnectCustomKeyStore operation.
+	//
+	// The value of this parameter must begin with https://. The remainder can contain
+	// upper and lower case letters (A-Z and a-z), numbers (0-9), dots (.), and
+	// hyphens (-). Additional slashes (/ and \) are not permitted.
+	//
+	// Uniqueness requirements:
+	//
+	//    * The combined XksProxyUriEndpoint and XksProxyUriPath values must be
+	//    unique in the Amazon Web Services account and Region.
+	//
+	//    * An external key store with PUBLIC_ENDPOINT connectivity cannot use the
+	//    same XksProxyUriEndpoint value as an external key store with VPC_ENDPOINT_SERVICE
+	//    connectivity in the same Amazon Web Services Region.
+	//
+	//    * Each external key store with VPC_ENDPOINT_SERVICE connectivity must
+	//    have its own private DNS name. The XksProxyUriEndpoint value for external
+	//    key stores with VPC_ENDPOINT_SERVICE connectivity (private DNS name) must
+	//    be unique in the Amazon Web Services account and Region.
+	XksProxyUriEndpoint *string `min:"10" type:"string"`
+
+	// Specifies the base path to the proxy APIs for this external key store. To
+	// find this value, see the documentation for your external key store proxy.
+	// This parameter is required for all custom key stores with a CustomKeyStoreType
+	// of EXTERNAL_KEY_STORE.
+	//
+	// The value must start with / and must end with /kms/xks/v1 where v1 represents
+	// the version of the KMS external key store proxy API. This path can include
+	// an optional prefix between the required elements such as /prefix/kms/xks/v1.
+	//
+	// Uniqueness requirements:
+	//
+	//    * The combined XksProxyUriEndpoint and XksProxyUriPath values must be
+	//    unique in the Amazon Web Services account and Region.
+	XksProxyUriPath *string `min:"10" type:"string"`
+
+	// Specifies the name of the Amazon VPC endpoint service for interface endpoints
+	// that is used to communicate with your external key store proxy (XKS proxy).
+	// This parameter is required when the value of CustomKeyStoreType is EXTERNAL_KEY_STORE
+	// and the value of XksProxyConnectivity is VPC_ENDPOINT_SERVICE.
+	//
+	// The Amazon VPC endpoint service must fulfill all requirements (https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keystore.html#xks-requirements)
+	// for use with an external key store.
+	//
+	// Uniqueness requirements:
+	//
+	//    * External key stores with VPC_ENDPOINT_SERVICE connectivity can share
+	//    an Amazon VPC, but each external key store must have its own VPC endpoint
+	//    service and private DNS name.
+	XksProxyVpcEndpointServiceName *string `min:"20" type:"string"`
 }
 
 // String returns the string representation.
@@ -9110,6 +9917,20 @@ func (s *CreateCustomKeyStoreInput) Validate() error {
 	if s.TrustAnchorCertificate != nil && len(*s.TrustAnchorCertificate) < 1 {
 		invalidParams.Add(request.NewErrParamMinLen("TrustAnchorCertificate", 1))
 	}
+	if s.XksProxyUriEndpoint != nil && len(*s.XksProxyUriEndpoint) < 10 {
+		invalidParams.Add(request.NewErrParamMinLen("XksProxyUriEndpoint", 10))
+	}
+	if s.XksProxyUriPath != nil && len(*s.XksProxyUriPath) < 10 {
+		invalidParams.Add(request.NewErrParamMinLen("XksProxyUriPath", 10))
+	}
+	if s.XksProxyVpcEndpointServiceName != nil && len(*s.XksProxyVpcEndpointServiceName) < 20 {
+		invalidParams.Add(request.NewErrParamMinLen("XksProxyVpcEndpointServiceName", 20))
+	}
+	if s.XksProxyAuthenticationCredential != nil {
+		if err := s.XksProxyAuthenticationCredential.Validate(); err != nil {
+			invalidParams.AddNested("XksProxyAuthenticationCredential", err.(request.ErrInvalidParams))
+		}
+	}
 
 	if invalidParams.Len() > 0 {
 		return invalidParams
@@ -9129,6 +9950,12 @@ func (s *CreateCustomKeyStoreInput) SetCustomKeyStoreName(v string) *CreateCusto
 	return s
 }
 
+// SetCustomKeyStoreType sets the CustomKeyStoreType field's value.
+func (s *CreateCustomKeyStoreInput) SetCustomKeyStoreType(v string) *CreateCustomKeyStoreInput {
+	s.CustomKeyStoreType = &v
+	return s
+}
+
 // SetKeyStorePassword sets the KeyStorePassword field's value.
 func (s *CreateCustomKeyStoreInput) SetKeyStorePassword(v string) *CreateCustomKeyStoreInput {
 	s.KeyStorePassword = &v
@@ -9141,6 +9968,36 @@ func (s *CreateCustomKeyStoreInput) SetTrustAnchorCertificate(v string) *CreateC
 	return s
 }
 
+// SetXksProxyAuthenticationCredential sets the XksProxyAuthenticationCredential field's value.
+func (s *CreateCustomKeyStoreInput) SetXksProxyAuthenticationCredential(v *XksProxyAuthenticationCredentialType) *CreateCustomKeyStoreInput {
+	s.XksProxyAuthenticationCredential = v
+	return s
+}
+
+// SetXksProxyConnectivity sets the XksProxyConnectivity field's value.
+func (s *CreateCustomKeyStoreInput) SetXksProxyConnectivity(v string) *CreateCustomKeyStoreInput {
+	s.XksProxyConnectivity = &v
+	return s
+}
+
+// SetXksProxyUriEndpoint sets the XksProxyUriEndpoint field's value.
+func (s *CreateCustomKeyStoreInput) SetXksProxyUriEndpoint(v string) *CreateCustomKeyStoreInput {
+	s.XksProxyUriEndpoint = &v
+	return s
+}
+
+// SetXksProxyUriPath sets the XksProxyUriPath field's value.
+func (s *CreateCustomKeyStoreInput) SetXksProxyUriPath(v string) *CreateCustomKeyStoreInput {
+	s.XksProxyUriPath = &v
+	return s
+}
+
+// SetXksProxyVpcEndpointServiceName sets the XksProxyVpcEndpointServiceName field's value.
+func (s *CreateCustomKeyStoreInput) SetXksProxyVpcEndpointServiceName(v string) *CreateCustomKeyStoreInput {
+	s.XksProxyVpcEndpointServiceName = &v
+	return s
+}
+
 type CreateCustomKeyStoreOutput struct {
 	_ struct{} `type:"structure"`
 
@@ -9446,31 +10303,25 @@ type CreateKeyInput struct {
 	// The default value is false.
 	BypassPolicyLockoutSafetyCheck *bool `type:"boolean"`
 
-	// Creates the KMS key in the specified custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
-	// and the key material in its associated CloudHSM cluster. To create a KMS
-	// key in a custom key store, you must also specify the Origin parameter with
-	// a value of AWS_CLOUDHSM. The CloudHSM cluster that is associated with the
-	// custom key store must have at least two active HSMs, each in a different
-	// Availability Zone in the Region.
+	// Creates the KMS key in the specified custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html).
+	// The ConnectionState of the custom key store must be CONNECTED. To find the
+	// CustomKeyStoreID and ConnectionState use the DescribeCustomKeyStores operation.
 	//
 	// This parameter is valid only for symmetric encryption KMS keys in a single
 	// Region. You cannot create any other type of KMS key in a custom key store.
 	//
-	// To find the ID of a custom key store, use the DescribeCustomKeyStores operation.
-	//
-	// The response includes the custom key store ID and the ID of the CloudHSM
-	// cluster.
-	//
-	// This operation is part of the custom key store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
-	// feature in KMS, which combines the convenience and extensive integration
-	// of KMS with the isolation and control of a single-tenant key store.
+	// When you create a KMS key in an CloudHSM key store, KMS generates a non-exportable
+	// 256-bit symmetric key in its associated CloudHSM cluster and associates it
+	// with the KMS key. When you create a KMS key in an external key store, you
+	// must use the XksKeyId parameter to specify an external key that serves as
+	// key material for the KMS key.
 	CustomKeyStoreId *string `min:"1" type:"string"`
 
 	// Instead, use the KeySpec parameter.
 	//
 	// The KeySpec and CustomerMasterKeySpec parameters work the same way. Only
 	// the names differ. We recommend that you use KeySpec parameter in your code.
-	// However, to avoid breaking changes, KMS will support both parameters.
+	// However, to avoid breaking changes, KMS supports both parameters.
 	//
 	// Deprecated: This parameter has been deprecated. Instead, use the KeySpec parameter.
 	CustomerMasterKeySpec *string `deprecated:"true" type:"string" enum:"CustomerMasterKeySpec"`
@@ -9491,11 +10342,11 @@ type CreateKeyInput struct {
 	// in the Key Management Service Developer Guide .
 	//
 	// The KeySpec determines whether the KMS key contains a symmetric key or an
-	// asymmetric key pair. It also determines the cryptographic algorithms that
-	// the KMS key supports. You can't change the KeySpec after the KMS key is created.
-	// To further restrict the algorithms that can be used with the KMS key, use
-	// a condition key in its key policy or IAM policy. For more information, see
-	// kms:EncryptionAlgorithm (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm),
+	// asymmetric key pair. It also determines the algorithms that the KMS key supports.
+	// You can't change the KeySpec after the KMS key is created. To further restrict
+	// the algorithms that can be used with the KMS key, use a condition key in
+	// its key policy or IAM policy. For more information, see kms:EncryptionAlgorithm
+	// (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm),
 	// kms:MacAlgorithm (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-mac-algorithm)
 	// or kms:Signing Algorithm (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm)
 	// in the Key Management Service Developer Guide .
@@ -9561,36 +10412,37 @@ type CreateKeyInput struct {
 	// This value creates a primary key, not a replica. To create a replica key,
 	// use the ReplicateKey operation.
 	//
-	// You can create a multi-Region version of a symmetric encryption KMS key,
-	// an HMAC KMS key, an asymmetric KMS key, or a KMS key with imported key material.
-	// However, you cannot create a multi-Region key in a custom key store.
+	// You can create a symmetric or asymmetric multi-Region key, and you can create
+	// a multi-Region key with imported key material. However, you cannot create
+	// a multi-Region key in a custom key store.
 	MultiRegion *bool `type:"boolean"`
 
 	// The source of the key material for the KMS key. You cannot change the origin
 	// after you create the KMS key. The default is AWS_KMS, which means that KMS
 	// creates the key material.
 	//
-	// To create a KMS key with no key material (for imported key material), set
-	// the value to EXTERNAL. For more information about importing key material
-	// into KMS, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html)
-	// in the Key Management Service Developer Guide. This value is valid only for
-	// symmetric encryption KMS keys.
+	// To create a KMS key with no key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-create-cmk.html)
+	// (for imported key material), set this value to EXTERNAL. For more information
+	// about importing key material into KMS, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html)
+	// in the Key Management Service Developer Guide. The EXTERNAL origin value
+	// is valid only for symmetric KMS keys.
 	//
-	// To create a KMS key in an KMS custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
+	// To create a KMS key in an CloudHSM key store (https://docs.aws.amazon.com/kms/latest/developerguide/create-cmk-keystore.html)
 	// and create its key material in the associated CloudHSM cluster, set this
 	// value to AWS_CLOUDHSM. You must also use the CustomKeyStoreId parameter to
-	// identify the custom key store. This value is valid only for symmetric encryption
-	// KMS keys.
+	// identify the CloudHSM key store. The KeySpec value must be SYMMETRIC_DEFAULT.
+	//
+	// To create a KMS key in an external key store (https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keys.html),
+	// set this value to EXTERNAL_KEY_STORE. You must also use the CustomKeyStoreId
+	// parameter to identify the external key store and the XksKeyId parameter to
+	// identify the associated external key. The KeySpec value must be SYMMETRIC_DEFAULT.
 	Origin *string `type:"string" enum:"OriginType"`
 
-	// The key policy to attach to the KMS key. If you do not specify a key policy,
-	// KMS attaches a default key policy to the KMS key. For more information, see
-	// Default key policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default)
-	// in the Key Management Service Developer Guide.
+	// The key policy to attach to the KMS key.
 	//
 	// If you provide a key policy, it must meet the following criteria:
 	//
-	//    * If you don't set BypassPolicyLockoutSafetyCheck to True, the key policy
+	//    * If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy
 	//    must allow the principal that is making the CreateKey request to make
 	//    a subsequent PutKeyPolicy request on the KMS key. This reduces the risk
 	//    that the KMS key becomes unmanageable. For more information, refer to
@@ -9606,20 +10458,14 @@ type CreateKeyInput struct {
 	//    visible (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency)
 	//    in the Amazon Web Services Identity and Access Management User Guide.
 	//
-	// A key policy document can include only the following characters:
+	// If you do not provide a key policy, KMS attaches a default key policy to
+	// the KMS key. For more information, see Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default)
+	// in the Key Management Service Developer Guide.
 	//
-	//    * Printable ASCII characters from the space character (\u0020) through
-	//    the end of the ASCII character range.
+	// The key policy size quota is 32 kilobytes (32768 bytes).
 	//
-	//    * Printable characters in the Basic Latin and Latin-1 Supplement character
-	//    set (through \u00FF).
-	//
-	//    * The tab (\u0009), line feed (\u000A), and carriage return (\u000D) special
-	//    characters
-	//
-	// For information about key policies, see Key policies in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html)
-	// in the Key Management Service Developer Guide. For help writing and formatting
-	// a JSON policy document, see the IAM JSON Policy Reference (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html)
+	// For help writing and formatting a JSON policy document, see the IAM JSON
+	// Policy Reference (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html)
 	// in the Identity and Access Management User Guide .
 	Policy *string `min:"1" type:"string"`
 
@@ -9627,7 +10473,7 @@ type CreateKeyInput struct {
 	// key when it is created. To tag an existing KMS key, use the TagResource operation.
 	//
 	// Tagging or untagging a KMS key can allow or deny permission to the KMS key.
-	// For details, see ABAC in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html)
+	// For details, see ABAC for KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html)
 	// in the Key Management Service Developer Guide.
 	//
 	// To use this parameter, you must have kms:TagResource (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
@@ -9644,6 +10490,33 @@ type CreateKeyInput struct {
 	// Tags can also be used to control access to a KMS key. For details, see Tagging
 	// Keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html).
 	Tags []*Tag `type:"list"`
+
+	// Identifies the external key (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key)
+	// that serves as key material for the KMS key in an external key store (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html).
+	// Specify the ID that the external key store proxy (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-xks-proxy)
+	// uses to refer to the external key. For help, see the documentation for your
+	// external key store proxy.
+	//
+	// This parameter is required for a KMS key with an Origin value of EXTERNAL_KEY_STORE.
+	// It is not valid for KMS keys with any other Origin value.
+	//
+	// The external key must be an existing 256-bit AES symmetric encryption key
+	// hosted outside of Amazon Web Services in an external key manager associated
+	// with the external key store specified by the CustomKeyStoreId parameter.
+	// This key must be enabled and configured to perform encryption and decryption.
+	// Each KMS key in an external key store must use a different external key.
+	// For details, see Requirements for a KMS key in an external key store (https://docs.aws.amazon.com/create-xks-keys.html#xks-key-requirements)
+	// in the Key Management Service Developer Guide.
+	//
+	// Each KMS key in an external key store is associated two backing keys. One
+	// is key material that KMS generates. The other is the external key specified
+	// by this parameter. When you use the KMS key in an external key store to encrypt
+	// data, the encryption operation is performed first by KMS using the KMS key
+	// material, and then by the external key manager using the specified external
+	// key, a process known as double encryption. For details, see Double encryption
+	// (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-double-encryption)
+	// in the Key Management Service Developer Guide.
+	XksKeyId *string `min:"1" type:"string"`
 }
 
 // String returns the string representation.
@@ -9673,6 +10546,9 @@ func (s *CreateKeyInput) Validate() error {
 	if s.Policy != nil && len(*s.Policy) < 1 {
 		invalidParams.Add(request.NewErrParamMinLen("Policy", 1))
 	}
+	if s.XksKeyId != nil && len(*s.XksKeyId) < 1 {
+		invalidParams.Add(request.NewErrParamMinLen("XksKeyId", 1))
+	}
 	if s.Tags != nil {
 		for i, v := range s.Tags {
 			if v == nil {
@@ -9750,6 +10626,12 @@ func (s *CreateKeyInput) SetTags(v []*Tag) *CreateKeyInput {
 	return s
 }
 
+// SetXksKeyId sets the XksKeyId field's value.
+func (s *CreateKeyInput) SetXksKeyId(v string) *CreateKeyInput {
+	s.XksKeyId = &v
+	return s
+}
+
 type CreateKeyOutput struct {
 	_ struct{} `type:"structure"`
 
@@ -9854,17 +10736,27 @@ func (s *CustomKeyStoreHasCMKsException) RequestID() string {
 //
 // This exception is thrown under the following conditions:
 //
-//   - You requested the CreateKey or GenerateRandom operation in a custom
-//     key store that is not connected. These operations are valid only when
-//     the custom key store ConnectionState is CONNECTED.
+//   - You requested the ConnectCustomKeyStore operation on a custom key store
+//     with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
+//     for all other ConnectionState values. To reconnect a custom key store
+//     in a FAILED state, disconnect it (DisconnectCustomKeyStore), then connect
+//     it (ConnectCustomKeyStore).
+//
+//   - You requested the CreateKey operation in a custom key store that is
+//     not connected. This operations is valid only when the custom key store
+//     ConnectionState is CONNECTED.
+//
+//   - You requested the DisconnectCustomKeyStore operation on a custom key
+//     store with a ConnectionState of DISCONNECTING or DISCONNECTED. This operation
+//     is valid for all other ConnectionState values.
 //
 //   - You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation
 //     on a custom key store that is not disconnected. This operation is valid
 //     only when the custom key store ConnectionState is DISCONNECTED.
 //
-//   - You requested the ConnectCustomKeyStore operation on a custom key store
-//     with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
-//     for all other ConnectionState values.
+//   - You requested the GenerateRandom operation in an CloudHSM key store
+//     that is not connected. This operation is valid only when the CloudHSM
+//     key store ConnectionState is CONNECTED.
 type CustomKeyStoreInvalidStateException struct {
 	_            struct{}                  `type:"structure"`
 	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`
@@ -10064,39 +10956,53 @@ func (s *CustomKeyStoreNotFoundException) RequestID() string {
 type CustomKeyStoresListEntry struct {
 	_ struct{} `type:"structure"`
 
-	// A unique identifier for the CloudHSM cluster that is associated with the
-	// custom key store.
+	// A unique identifier for the CloudHSM cluster that is associated with an CloudHSM
+	// key store. This field appears only when the CustomKeyStoreType is AWS_CLOUDHSM.
 	CloudHsmClusterId *string `min:"19" type:"string"`
 
 	// Describes the connection error. This field appears in the response only when
-	// the ConnectionState is FAILED. For help resolving these errors, see How to
-	// Fix a Connection Failure (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed)
+	// the ConnectionState is FAILED.
+	//
+	// Many failures can be resolved by updating the properties of the custom key
+	// store. To update a custom key store, disconnect it (DisconnectCustomKeyStore),
+	// correct the errors (UpdateCustomKeyStore), and try to connect again (ConnectCustomKeyStore).
+	// For additional help resolving these errors, see How to Fix a Connection Failure
+	// (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed)
 	// in Key Management Service Developer Guide.
 	//
-	// Valid values are:
+	// All custom key stores:
 	//
-	//    * CLUSTER_NOT_FOUND - KMS cannot find the CloudHSM cluster with the specified
-	//    cluster ID.
-	//
-	//    * INSUFFICIENT_CLOUDHSM_HSMS - The associated CloudHSM cluster does not
-	//    contain any active HSMs. To connect a custom key store to its CloudHSM
-	//    cluster, the cluster must contain at least one active HSM.
-	//
-	//    * INTERNAL_ERROR - KMS could not complete the request due to an internal
+	//    * INTERNAL_ERROR — KMS could not complete the request due to an internal
 	//    error. Retry the request. For ConnectCustomKeyStore requests, disconnect
 	//    the custom key store before trying to connect again.
 	//
-	//    * INVALID_CREDENTIALS - KMS does not have the correct password for the
-	//    kmsuser crypto user in the CloudHSM cluster. Before you can connect your
-	//    custom key store to its CloudHSM cluster, you must change the kmsuser
-	//    account password and update the key store password value for the custom
-	//    key store.
+	//    * NETWORK_ERRORS — Network errors are preventing KMS from connecting
+	//    the custom key store to its backing key store.
 	//
-	//    * NETWORK_ERRORS - Network errors are preventing KMS from connecting to
-	//    the custom key store.
+	// CloudHSM key stores:
 	//
-	//    * SUBNET_NOT_FOUND - A subnet in the CloudHSM cluster configuration was
-	//    deleted. If KMS cannot find all of the subnets in the cluster configuration,
+	//    * CLUSTER_NOT_FOUND — KMS cannot find the CloudHSM cluster with the
+	//    specified cluster ID.
+	//
+	//    * INSUFFICIENT_CLOUDHSM_HSMS — The associated CloudHSM cluster does
+	//    not contain any active HSMs. To connect a custom key store to its CloudHSM
+	//    cluster, the cluster must contain at least one active HSM.
+	//
+	//    * INSUFFICIENT_FREE_ADDRESSES_IN_SUBNET — At least one private subnet
+	//    associated with the CloudHSM cluster doesn't have any available IP addresses.
+	//    A CloudHSM key store connection requires one free IP address in each of
+	//    the associated private subnets, although two are preferable. For details,
+	//    see How to Fix a Connection Failure (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed)
+	//    in the Key Management Service Developer Guide.
+	//
+	//    * INVALID_CREDENTIALS — The KeyStorePassword for the custom key store
+	//    doesn't match the current password of the kmsuser crypto user in the CloudHSM
+	//    cluster. Before you can connect your custom key store to its CloudHSM
+	//    cluster, you must change the kmsuser account password and update the KeyStorePassword
+	//    value for the custom key store.
+	//
+	//    * SUBNET_NOT_FOUND — A subnet in the CloudHSM cluster configuration
+	//    was deleted. If KMS cannot find all of the subnets in the cluster configuration,
 	//    attempts to connect the custom key store to the CloudHSM cluster fail.
 	//    To fix this error, create a cluster from a recent backup and associate
 	//    it with your custom key store. (This process creates a new cluster configuration
@@ -10104,13 +11010,13 @@ type CustomKeyStoresListEntry struct {
 	//    Failure (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed)
 	//    in the Key Management Service Developer Guide.
 	//
-	//    * USER_LOCKED_OUT - The kmsuser CU account is locked out of the associated
+	//    * USER_LOCKED_OUT — The kmsuser CU account is locked out of the associated
 	//    CloudHSM cluster due to too many failed password attempts. Before you
 	//    can connect your custom key store to its CloudHSM cluster, you must change
 	//    the kmsuser account password and update the key store password value for
 	//    the custom key store.
 	//
-	//    * USER_LOGGED_IN - The kmsuser CU account is logged into the the associated
+	//    * USER_LOGGED_IN — The kmsuser CU account is logged into the associated
 	//    CloudHSM cluster. This prevents KMS from rotating the kmsuser account
 	//    password and logging into the cluster. Before you can connect your custom
 	//    key store to its CloudHSM cluster, you must log the kmsuser CU out of
@@ -10119,27 +11025,94 @@ type CustomKeyStoresListEntry struct {
 	//    store. For help, see How to Log Out and Reconnect (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#login-kmsuser-2)
 	//    in the Key Management Service Developer Guide.
 	//
-	//    * USER_NOT_FOUND - KMS cannot find a kmsuser CU account in the associated
+	//    * USER_NOT_FOUND — KMS cannot find a kmsuser CU account in the associated
 	//    CloudHSM cluster. Before you can connect your custom key store to its
 	//    CloudHSM cluster, you must create a kmsuser CU account in the cluster,
 	//    and then update the key store password value for the custom key store.
+	//
+	// External key stores:
+	//
+	//    * INVALID_CREDENTIALS — One or both of the XksProxyAuthenticationCredential
+	//    values is not valid on the specified external key store proxy.
+	//
+	//    * XKS_PROXY_ACCESS_DENIED — KMS requests are denied access to the external
+	//    key store proxy. If the external key store proxy has authorization rules,
+	//    verify that they permit KMS to communicate with the proxy on your behalf.
+	//
+	//    * XKS_PROXY_INVALID_CONFIGURATION — A configuration error is preventing
+	//    the external key store from connecting to its proxy. Verify the value
+	//    of the XksProxyUriPath.
+	//
+	//    * XKS_PROXY_INVALID_RESPONSE — KMS cannot interpret the response from
+	//    the external key store proxy. If you see this connection error code repeatedly,
+	//    notify your external key store proxy vendor.
+	//
+	//    * XKS_PROXY_INVALID_TLS_CONFIGURATION — KMS cannot connect to the external
+	//    key store proxy because the TLS configuration is invalid. Verify that
+	//    the XKS proxy supports TLS 1.2 or 1.3. Also, verify that the TLS certificate
+	//    is not expired, and that it matches the hostname in the XksProxyUriEndpoint
+	//    value, and that it is signed by a certificate authority included in the
+	//    Trusted Certificate Authorities (https://github.com/aws/aws-kms-xksproxy-api-spec/blob/main/TrustedCertificateAuthorities)
+	//    list.
+	//
+	//    * XKS_PROXY_NOT_REACHABLE — KMS can't communicate with your external
+	//    key store proxy. Verify that the XksProxyUriEndpoint and XksProxyUriPath
+	//    are correct. Use the tools for your external key store proxy to verify
+	//    that the proxy is active and available on its network. Also, verify that
+	//    your external key manager instances are operating properly. Connection
+	//    attempts fail with this connection error code if the proxy reports that
+	//    all external key manager instances are unavailable.
+	//
+	//    * XKS_PROXY_TIMED_OUT — KMS can connect to the external key store proxy,
+	//    but the proxy does not respond to KMS in the time allotted. If you see
+	//    this connection error code repeatedly, notify your external key store
+	//    proxy vendor.
+	//
+	//    * XKS_VPC_ENDPOINT_SERVICE_INVALID_CONFIGURATION — The Amazon VPC endpoint
+	//    service configuration doesn't conform to the requirements for an KMS external
+	//    key store. The VPC endpoint service must be an endpoint service for interface
+	//    endpoints in the caller's Amazon Web Services account. It must have a
+	//    network load balancer (NLB) connected to at least two subnets, each in
+	//    a different Availability Zone. The Allow principals list must include
+	//    the KMS service principal for the Region, cks.kms.<region>.amazonaws.com,
+	//    such as cks.kms.us-east-1.amazonaws.com. It must not require acceptance
+	//    (https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html)
+	//    of connection requests. It must have a private DNS name. The private DNS
+	//    name for an external key store with VPC_ENDPOINT_SERVICE connectivity
+	//    must be unique in its Amazon Web Services Region. The domain of the private
+	//    DNS name must have a verification status (https://docs.aws.amazon.com/vpc/latest/privatelink/verify-domains.html)
+	//    of verified. The TLS certificate (https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html)
+	//    specifies the private DNS hostname at which the endpoint is reachable.
+	//
+	//    * XKS_VPC_ENDPOINT_SERVICE_NOT_FOUND — KMS can't find the VPC endpoint
+	//    service that it uses to communicate with the external key store proxy.
+	//    Verify that the XksProxyVpcEndpointServiceName is correct and the KMS
+	//    service principal has service consumer permissions on the Amazon VPC endpoint
+	//    service.
 	ConnectionErrorCode *string `type:"string" enum:"ConnectionErrorCodeType"`
 
-	// Indicates whether the custom key store is connected to its CloudHSM cluster.
+	// Indicates whether the custom key store is connected to its backing key store.
+	// For an CloudHSM key store, the ConnectionState indicates whether it is connected
+	// to its CloudHSM cluster. For an external key store, the ConnectionState indicates
+	// whether it is connected to the external key store proxy that communicates
+	// with your external key manager.
 	//
-	// You can create and use KMS keys in your custom key stores only when its connection
-	// state is CONNECTED.
+	// You can create and use KMS keys in your custom key stores only when its ConnectionState
+	// is CONNECTED.
 	//
-	// The value is DISCONNECTED if the key store has never been connected or you
-	// use the DisconnectCustomKeyStore operation to disconnect it. If the value
-	// is CONNECTED but you are having trouble using the custom key store, make
-	// sure that its associated CloudHSM cluster is active and contains at least
-	// one active HSM.
+	// The ConnectionState value is DISCONNECTED only if the key store has never
+	// been connected or you use the DisconnectCustomKeyStore operation to disconnect
+	// it. If the value is CONNECTED but you are having trouble using the custom
+	// key store, make sure that the backing key store is reachable and active.
+	// For an CloudHSM key store, verify that its associated CloudHSM cluster is
+	// active and contains at least one active HSM. For an external key store, verify
+	// that the external key store proxy and external key manager are connected
+	// and enabled.
 	//
 	// A value of FAILED indicates that an attempt to connect was unsuccessful.
 	// The ConnectionErrorCode field in the response indicates the cause of the
-	// failure. For help resolving a connection failure, see Troubleshooting a Custom
-	// Key Store (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html)
+	// failure. For help resolving a connection failure, see Troubleshooting a custom
+	// key store (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html)
 	// in the Key Management Service Developer Guide.
 	ConnectionState *string `type:"string" enum:"ConnectionStateType"`
 
@@ -10152,10 +11125,26 @@ type CustomKeyStoresListEntry struct {
 	// The user-specified friendly name for the custom key store.
 	CustomKeyStoreName *string `min:"1" type:"string"`
 
-	// The trust anchor certificate of the associated CloudHSM cluster. When you
-	// initialize the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr),
+	// Indicates the type of the custom key store. AWS_CLOUDHSM indicates a custom
+	// key store backed by an CloudHSM cluster. EXTERNAL_KEY_STORE indicates a custom
+	// key store backed by an external key store proxy and external key manager
+	// outside of Amazon Web Services.
+	CustomKeyStoreType *string `type:"string" enum:"CustomKeyStoreType"`
+
+	// The trust anchor certificate of the CloudHSM cluster associated with an CloudHSM
+	// key store. When you initialize the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr),
 	// you create this certificate and save it in the customerCA.crt file.
+	//
+	// This field appears only when the CustomKeyStoreType is AWS_CLOUDHSM.
 	TrustAnchorCertificate *string `min:"1" type:"string"`
+
+	// Configuration settings for the external key store proxy (XKS proxy). The
+	// external key store proxy translates KMS requests into a format that your
+	// external key manager can understand. The proxy configuration includes connection
+	// information that KMS requires.
+	//
+	// This field appears only when the CustomKeyStoreType is EXTERNAL_KEY_STORE.
+	XksProxyConfiguration *XksProxyConfigurationType `type:"structure"`
 }
 
 // String returns the string representation.
@@ -10212,12 +11201,24 @@ func (s *CustomKeyStoresListEntry) SetCustomKeyStoreName(v string) *CustomKeySto
 	return s
 }
 
+// SetCustomKeyStoreType sets the CustomKeyStoreType field's value.
+func (s *CustomKeyStoresListEntry) SetCustomKeyStoreType(v string) *CustomKeyStoresListEntry {
+	s.CustomKeyStoreType = &v
+	return s
+}
+
 // SetTrustAnchorCertificate sets the TrustAnchorCertificate field's value.
 func (s *CustomKeyStoresListEntry) SetTrustAnchorCertificate(v string) *CustomKeyStoresListEntry {
 	s.TrustAnchorCertificate = &v
 	return s
 }
 
+// SetXksProxyConfiguration sets the XksProxyConfiguration field's value.
+func (s *CustomKeyStoresListEntry) SetXksProxyConfiguration(v *XksProxyConfigurationType) *CustomKeyStoresListEntry {
+	s.XksProxyConfiguration = v
+	return s
+}
+
 type DecryptInput struct {
 	_ struct{} `type:"structure"`
 
@@ -10643,8 +11644,8 @@ func (s DeleteImportedKeyMaterialOutput) GoString() string {
 	return s.String()
 }
 
-// The system timed out while trying to fulfill the request. The request can
-// be retried.
+// The system timed out while trying to fulfill the request. You can retry the
+// request.
 type DependencyTimeoutException struct {
 	_            struct{}                  `type:"structure"`
 	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`
@@ -10716,8 +11717,8 @@ type DescribeCustomKeyStoresInput struct {
 	//
 	// By default, this operation gets information about all custom key stores in
 	// the account and Region. To limit the output to a particular custom key store,
-	// you can use either the CustomKeyStoreId or CustomKeyStoreName parameter,
-	// but not both.
+	// provide either the CustomKeyStoreId or CustomKeyStoreName parameter, but
+	// not both.
 	CustomKeyStoreId *string `min:"1" type:"string"`
 
 	// Gets only information about the specified custom key store. Enter the friendly
@@ -10725,8 +11726,8 @@ type DescribeCustomKeyStoresInput struct {
 	//
 	// By default, this operation gets information about all custom key stores in
 	// the account and Region. To limit the output to a particular custom key store,
-	// you can use either the CustomKeyStoreId or CustomKeyStoreName parameter,
-	// but not both.
+	// provide either the CustomKeyStoreId or CustomKeyStoreName parameter, but
+	// not both.
 	CustomKeyStoreName *string `min:"1" type:"string"`
 
 	// Use this parameter to specify the maximum number of items to return. When
@@ -11361,13 +12362,13 @@ func (s EnableKeyOutput) GoString() string {
 type EnableKeyRotationInput struct {
 	_ struct{} `type:"structure"`
 
-	// Identifies a symmetric encryption KMS key. You cannot enable or disable automatic
-	// rotation of asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html),
+	// Identifies a symmetric encryption KMS key. You cannot enable automatic rotation
+	// of asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html),
 	// HMAC KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html),
 	// KMS keys with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html),
 	// or KMS keys in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html).
-	// The key rotation status of these KMS keys is always false. To enable or disable
-	// automatic rotation of a set of related multi-Region keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate),
+	// To enable or disable automatic rotation of a set of related multi-Region
+	// keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate),
 	// set the property on the primary key.
 	//
 	// Specify the key ID or key ARN of the KMS key.
@@ -11455,6 +12456,8 @@ type EncryptInput struct {
 	// This parameter is required only for asymmetric KMS keys. The default value,
 	// SYMMETRIC_DEFAULT, is the algorithm used for symmetric encryption KMS keys.
 	// If you are using an asymmetric KMS key, we recommend RSAES_OAEP_SHA_256.
+	//
+	// The SM2PKE algorithm is only available in China Regions.
 	EncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"`
 
 	// Specifies the encryption context that will be used to encrypt the data. An
@@ -11963,8 +12966,7 @@ type GenerateDataKeyPairInput struct {
 	// encrypt and decrypt or to sign and verify (but not both), and the rule that
 	// permits you to use ECC KMS keys only to sign and verify, are not effective
 	// on data key pairs, which are used outside of KMS. The SM2 key spec is only
-	// available in China Regions. RSA and ECC asymmetric key pairs are also available
-	// in China Regions.
+	// available in China Regions.
 	//
 	// KeyPairSpec is a required field
 	KeyPairSpec *string `type:"string" required:"true" enum:"DataKeyPairSpec"`
@@ -12169,8 +13171,7 @@ type GenerateDataKeyPairWithoutPlaintextInput struct {
 	// encrypt and decrypt or to sign and verify (but not both), and the rule that
 	// permits you to use ECC KMS keys only to sign and verify, are not effective
 	// on data key pairs, which are used outside of KMS. The SM2 key spec is only
-	// available in China Regions. RSA and ECC asymmetric key pairs are also available
-	// in China Regions.
+	// available in China Regions.
 	//
 	// KeyPairSpec is a required field
 	KeyPairSpec *string `type:"string" required:"true" enum:"DataKeyPairSpec"`
@@ -12592,8 +13593,10 @@ type GenerateMacOutput struct {
 	// The HMAC KMS key used in the operation.
 	KeyId *string `min:"1" type:"string"`
 
-	// The hash-based message authentication code (HMAC) for the given message,
-	// key, and MAC algorithm.
+	// The hash-based message authentication code (HMAC) that was generated for
+	// the specified message, HMAC KMS key, and MAC algorithm.
+	//
+	// This is the standard, raw HMAC defined in RFC 2104 (https://datatracker.ietf.org/doc/html/rfc2104).
 	// Mac is automatically base64 encoded/decoded by the SDK.
 	Mac []byte `min:"1" type:"blob"`
 
@@ -12641,8 +13644,11 @@ type GenerateRandomInput struct {
 	_ struct{} `type:"structure"`
 
 	// Generates the random byte string in the CloudHSM cluster that is associated
-	// with the specified custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html).
-	// To find the ID of a custom key store, use the DescribeCustomKeyStores operation.
+	// with the specified CloudHSM key store. To find the ID of a custom key store,
+	// use the DescribeCustomKeyStores operation.
+	//
+	// External key store IDs are not valid for this parameter. If you specify the
+	// ID of an external key store, GenerateRandom throws an UnsupportedOperationException.
 	CustomKeyStoreId *string `min:"1" type:"string"`
 
 	// The length of the random byte string. This parameter is required.
@@ -13183,7 +14189,7 @@ type GetPublicKeyOutput struct {
 	//
 	// The KeySpec and CustomerMasterKeySpec fields have the same value. We recommend
 	// that you use the KeySpec field in your code. However, to avoid breaking changes,
-	// KMS will support both fields.
+	// KMS supports both fields.
 	//
 	// Deprecated: This field has been deprecated. Instead, use the KeySpec field.
 	CustomerMasterKeySpec *string `deprecated:"true" type:"string" enum:"CustomerMasterKeySpec"`
@@ -13293,10 +14299,10 @@ func (s *GetPublicKeyOutput) SetSigningAlgorithms(v []*string) *GetPublicKeyOutp
 //
 // KMS applies the grant constraints only to cryptographic operations that support
 // an encryption context, that is, all cryptographic operations with a symmetric
-// encryption KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#symmetric-cmks).
+// KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#symmetric-cmks).
 // Grant constraints are not applied to operations that do not support an encryption
-// context, such as cryptographic operations with HMAC KMS keys or asymmetric
-// KMS keys, and management operations, such as DescribeKey or RetireGrant.
+// context, such as cryptographic operations with asymmetric KMS keys and management
+// operations, such as DescribeKey or RetireGrant.
 //
 // In a cryptographic operation, the encryption context in the decryption operation
 // must be an exact, case-sensitive match for the keys and values in the encryption
@@ -13481,9 +14487,15 @@ type ImportKeyMaterialInput struct {
 	// EncryptedKeyMaterial is a required field
 	EncryptedKeyMaterial []byte `min:"1" type:"blob" required:"true"`
 
-	// Specifies whether the key material expires. The default is KEY_MATERIAL_EXPIRES,
-	// in which case you must include the ValidTo parameter. When this parameter
-	// is set to KEY_MATERIAL_DOES_NOT_EXPIRE, you must omit the ValidTo parameter.
+	// Specifies whether the key material expires. The default is KEY_MATERIAL_EXPIRES.
+	//
+	// When the value of ExpirationModel is KEY_MATERIAL_EXPIRES, you must specify
+	// a value for the ValidTo parameter. When value is KEY_MATERIAL_DOES_NOT_EXPIRE,
+	// you must omit the ValidTo parameter.
+	//
+	// You cannot change the ExpirationModel or ValidTo values for the current import
+	// after the request completes. To change either value, you must delete (DeleteImportedKeyMaterial)
+	// and reimport the key material.
 	ExpirationModel *string `type:"string" enum:"ExpirationModelType"`
 
 	// The import token that you received in the response to a previous GetParametersForImport
@@ -13514,10 +14526,20 @@ type ImportKeyMaterialInput struct {
 	// KeyId is a required field
 	KeyId *string `min:"1" type:"string" required:"true"`
 
-	// The time at which the imported key material expires. When the key material
-	// expires, KMS deletes the key material and the KMS key becomes unusable. You
-	// must omit this parameter when the ExpirationModel parameter is set to KEY_MATERIAL_DOES_NOT_EXPIRE.
-	// Otherwise it is required.
+	// The date and time when the imported key material expires. This parameter
+	// is required when the value of the ExpirationModel parameter is KEY_MATERIAL_EXPIRES.
+	// Otherwise it is not valid.
+	//
+	// The value of this parameter must be a future date and time. The maximum value
+	// is 365 days from the request date.
+	//
+	// When the key material expires, KMS deletes the key material from the KMS
+	// key. Without its key material, the KMS key is unusable. To use the KMS key
+	// in cryptographic operations, you must reimport the same key material.
+	//
+	// You cannot change the ExpirationModel or ValidTo values for the current import
+	// after the request completes. To change either value, you must delete (DeleteImportedKeyMaterial)
+	// and reimport the key material.
 	ValidTo *time.Time `type:"timestamp"`
 }
 
@@ -13752,9 +14774,10 @@ func (s *IncorrectKeyMaterialException) RequestID() string {
 }
 
 // The request was rejected because the trust anchor certificate in the request
-// is not the trust anchor certificate for the specified CloudHSM cluster.
+// to create an CloudHSM key store is not the trust anchor certificate for the
+// specified CloudHSM cluster.
 //
-// When you initialize the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr),
+// When you initialize the CloudHSM cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr),
 // you create the trust anchor certificate and save it in the customerCA.crt
 // file.
 type IncorrectTrustAnchorException struct {
@@ -14423,9 +15446,17 @@ func (s *InvalidMarkerException) RequestID() string {
 // The request was rejected because the state of the specified resource is not
 // valid for this request.
 //
-// For more information about how key state affects the use of a KMS key, see
-// Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
-// in the Key Management Service Developer Guide .
+// This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     in the Key Management Service Developer Guide .
+//
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
 type InvalidStateException struct {
 	_            struct{}                  `type:"structure"`
 	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`
@@ -14664,8 +15695,8 @@ func (s *KeyListEntry) SetKeyId(v string) *KeyListEntry {
 
 // Contains metadata about a KMS key.
 //
-// This data type is used as a response element for the CreateKey and DescribeKey
-// operations.
+// This data type is used as a response element for the CreateKey, DescribeKey,
+// and ReplicateKey operations.
 type KeyMetadata struct {
 	_ struct{} `type:"structure"`
 
@@ -14679,16 +15710,17 @@ type KeyMetadata struct {
 	Arn *string `min:"20" type:"string"`
 
 	// The cluster ID of the CloudHSM cluster that contains the key material for
-	// the KMS key. When you create a KMS key in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html),
+	// the KMS key. When you create a KMS key in an CloudHSM custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html),
 	// KMS creates the key material for the KMS key in the associated CloudHSM cluster.
-	// This value is present only when the KMS key is created in a custom key store.
+	// This field is present only when the KMS key is created in an CloudHSM key
+	// store.
 	CloudHsmClusterId *string `min:"19" type:"string"`
 
 	// The date and time when the KMS key was created.
 	CreationDate *time.Time `type:"timestamp"`
 
 	// A unique identifier for the custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
-	// that contains the KMS key. This value is present only when the KMS key is
+	// that contains the KMS key. This field is present only when the KMS key is
 	// created in a custom key store.
 	CustomKeyStoreId *string `min:"1" type:"string"`
 
@@ -14696,7 +15728,7 @@ type KeyMetadata struct {
 	//
 	// The KeySpec and CustomerMasterKeySpec fields have the same value. We recommend
 	// that you use the KeySpec field in your code. However, to avoid breaking changes,
-	// KMS will support both fields.
+	// KMS supports both fields.
 	//
 	// Deprecated: This field has been deprecated. Instead, use the KeySpec field.
 	CustomerMasterKeySpec *string `deprecated:"true" type:"string" enum:"CustomerMasterKeySpec"`
@@ -14814,6 +15846,13 @@ type KeyMetadata struct {
 	// value is present only for KMS keys whose Origin is EXTERNAL and whose ExpirationModel
 	// is KEY_MATERIAL_EXPIRES, otherwise this value is omitted.
 	ValidTo *time.Time `type:"timestamp"`
+
+	// Information about the external key that is associated with a KMS key in an
+	// external key store.
+	//
+	// For more information, see External key (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key)
+	// in the Key Management Service Developer Guide.
+	XksKeyConfiguration *XksKeyConfigurationType `type:"structure"`
 }
 
 // String returns the string representation.
@@ -14972,6 +16011,12 @@ func (s *KeyMetadata) SetValidTo(v time.Time) *KeyMetadata {
 	return s
 }
 
+// SetXksKeyConfiguration sets the XksKeyConfiguration field's value.
+func (s *KeyMetadata) SetXksKeyConfiguration(v *XksKeyConfigurationType) *KeyMetadata {
+	s.XksKeyConfiguration = v
+	return s
+}
+
 // The request was rejected because the specified KMS key was not available.
 // You can retry the request.
 type KeyUnavailableException struct {
@@ -15781,7 +16826,7 @@ type ListResourceTagsOutput struct {
 	// A list of tags. Each tag consists of a tag key and a tag value.
 	//
 	// Tagging or untagging a KMS key can allow or deny permission to the KMS key.
-	// For details, see ABAC in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html)
+	// For details, see ABAC for KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html)
 	// in the Key Management Service Developer Guide.
 	Tags []*Tag `type:"list"`
 
@@ -16208,7 +17253,7 @@ type PutKeyPolicyInput struct {
 	//    characters
 	//
 	// For information about key policies, see Key policies in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html)
-	// in the Key Management Service Developer Guide. For help writing and formatting
+	// in the Key Management Service Developer Guide.For help writing and formatting
 	// a JSON policy document, see the IAM JSON Policy Reference (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html)
 	// in the Identity and Access Management User Guide .
 	//
@@ -16720,7 +17765,7 @@ type ReplicateKeyInput struct {
 	// operation.
 	//
 	// Tagging or untagging a KMS key can allow or deny permission to the KMS key.
-	// For details, see ABAC in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html)
+	// For details, see ABAC for KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html)
 	// in the Key Management Service Developer Guide.
 	//
 	// To use this parameter, you must have kms:TagResource (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
@@ -17863,8 +18908,8 @@ type UpdateAliasInput struct {
 	//
 	// The KMS key must be in the same Amazon Web Services account and Region as
 	// the alias. Also, the new target KMS key must be the same type as the current
-	// target KMS key (both symmetric or both asymmetric) and they must have the
-	// same key usage.
+	// target KMS key (both symmetric or both asymmetric or both HMAC) and they
+	// must have the same key usage.
 	//
 	// Specify the key ID or key ARN of the KMS key.
 	//
@@ -17959,7 +19004,8 @@ func (s UpdateAliasOutput) GoString() string {
 type UpdateCustomKeyStoreInput struct {
 	_ struct{} `type:"structure"`
 
-	// Associates the custom key store with a related CloudHSM cluster.
+	// Associates the custom key store with a related CloudHSM cluster. This parameter
+	// is valid only for custom key stores with a CustomKeyStoreType of AWS_CLOUDHSM.
 	//
 	// Enter the cluster ID of the cluster that you used to create the custom key
 	// store or a cluster that shares a backup history and has the same cluster
@@ -17969,6 +19015,8 @@ type UpdateCustomKeyStoreInput struct {
 	// for a cluster associated with a custom key store. To view the cluster certificate
 	// of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
 	// operation.
+	//
+	// To change this value, the CloudHSM key store must be disconnected.
 	CloudHsmClusterId *string `min:"19" type:"string"`
 
 	// Identifies the custom key store that you want to update. Enter the ID of
@@ -17979,12 +19027,15 @@ type UpdateCustomKeyStoreInput struct {
 	CustomKeyStoreId *string `min:"1" type:"string" required:"true"`
 
 	// Enter the current password of the kmsuser crypto user (CU) in the CloudHSM
-	// cluster that is associated with the custom key store.
+	// cluster that is associated with the custom key store. This parameter is valid
+	// only for custom key stores with a CustomKeyStoreType of AWS_CLOUDHSM.
 	//
 	// This parameter tells KMS the current password of the kmsuser crypto user
 	// (CU). It does not set or change the password of any users in the CloudHSM
 	// cluster.
 	//
+	// To change this value, the CloudHSM key store must be disconnected.
+	//
 	// KeyStorePassword is a sensitive parameter and its value will be
 	// replaced with "sensitive" in string returned by UpdateCustomKeyStoreInput's
 	// String and GoString methods.
@@ -17992,7 +19043,82 @@ type UpdateCustomKeyStoreInput struct {
 
 	// Changes the friendly name of the custom key store to the value that you specify.
 	// The custom key store name must be unique in the Amazon Web Services account.
+	//
+	// To change this value, an CloudHSM key store must be disconnected. An external
+	// key store can be connected or disconnected.
 	NewCustomKeyStoreName *string `min:"1" type:"string"`
+
+	// Changes the credentials that KMS uses to sign requests to the external key
+	// store proxy (XKS proxy). This parameter is valid only for custom key stores
+	// with a CustomKeyStoreType of EXTERNAL_KEY_STORE.
+	//
+	// You must specify both the AccessKeyId and SecretAccessKey value in the authentication
+	// credential, even if you are only updating one value.
+	//
+	// This parameter doesn't establish or change your authentication credentials
+	// on the proxy. It just tells KMS the credential that you established with
+	// your external key store proxy. For example, if you rotate the credential
+	// on your external key store proxy, you can use this parameter to update the
+	// credential in KMS.
+	//
+	// You can change this value when the external key store is connected or disconnected.
+	XksProxyAuthenticationCredential *XksProxyAuthenticationCredentialType `type:"structure"`
+
+	// Changes the connectivity setting for the external key store. To indicate
+	// that the external key store proxy uses a Amazon VPC endpoint service to communicate
+	// with KMS, specify VPC_ENDPOINT_SERVICE. Otherwise, specify PUBLIC_ENDPOINT.
+	//
+	// If you change the XksProxyConnectivity to VPC_ENDPOINT_SERVICE, you must
+	// also change the XksProxyUriEndpoint and add an XksProxyVpcEndpointServiceName
+	// value.
+	//
+	// If you change the XksProxyConnectivity to PUBLIC_ENDPOINT, you must also
+	// change the XksProxyUriEndpoint and specify a null or empty string for the
+	// XksProxyVpcEndpointServiceName value.
+	//
+	// To change this value, the external key store must be disconnected.
+	XksProxyConnectivity *string `type:"string" enum:"XksProxyConnectivityType"`
+
+	// Changes the URI endpoint that KMS uses to connect to your external key store
+	// proxy (XKS proxy). This parameter is valid only for custom key stores with
+	// a CustomKeyStoreType of EXTERNAL_KEY_STORE.
+	//
+	// For external key stores with an XksProxyConnectivity value of PUBLIC_ENDPOINT,
+	// the protocol must be HTTPS.
+	//
+	// For external key stores with an XksProxyConnectivity value of VPC_ENDPOINT_SERVICE,
+	// specify https:// followed by the private DNS name associated with the VPC
+	// endpoint service. Each external key store must use a different private DNS
+	// name.
+	//
+	// The combined XksProxyUriEndpoint and XksProxyUriPath values must be unique
+	// in the Amazon Web Services account and Region.
+	//
+	// To change this value, the external key store must be disconnected.
+	XksProxyUriEndpoint *string `min:"10" type:"string"`
+
+	// Changes the base path to the proxy APIs for this external key store. To find
+	// this value, see the documentation for your external key manager and external
+	// key store proxy (XKS proxy). This parameter is valid only for custom key
+	// stores with a CustomKeyStoreType of EXTERNAL_KEY_STORE.
+	//
+	// The value must start with / and must end with /kms/xks/v1, where v1 represents
+	// the version of the KMS external key store proxy API. You can include an optional
+	// prefix between the required elements such as /example/kms/xks/v1.
+	//
+	// The combined XksProxyUriEndpoint and XksProxyUriPath values must be unique
+	// in the Amazon Web Services account and Region.
+	//
+	// You can change this value when the external key store is connected or disconnected.
+	XksProxyUriPath *string `min:"10" type:"string"`
+
+	// Changes the name that KMS uses to identify the Amazon VPC endpoint service
+	// for your external key store proxy (XKS proxy). This parameter is valid when
+	// the CustomKeyStoreType is EXTERNAL_KEY_STORE and the XksProxyConnectivity
+	// is VPC_ENDPOINT_SERVICE.
+	//
+	// To change this value, the external key store must be disconnected.
+	XksProxyVpcEndpointServiceName *string `min:"20" type:"string"`
 }
 
 // String returns the string representation.
@@ -18031,6 +19157,20 @@ func (s *UpdateCustomKeyStoreInput) Validate() error {
 	if s.NewCustomKeyStoreName != nil && len(*s.NewCustomKeyStoreName) < 1 {
 		invalidParams.Add(request.NewErrParamMinLen("NewCustomKeyStoreName", 1))
 	}
+	if s.XksProxyUriEndpoint != nil && len(*s.XksProxyUriEndpoint) < 10 {
+		invalidParams.Add(request.NewErrParamMinLen("XksProxyUriEndpoint", 10))
+	}
+	if s.XksProxyUriPath != nil && len(*s.XksProxyUriPath) < 10 {
+		invalidParams.Add(request.NewErrParamMinLen("XksProxyUriPath", 10))
+	}
+	if s.XksProxyVpcEndpointServiceName != nil && len(*s.XksProxyVpcEndpointServiceName) < 20 {
+		invalidParams.Add(request.NewErrParamMinLen("XksProxyVpcEndpointServiceName", 20))
+	}
+	if s.XksProxyAuthenticationCredential != nil {
+		if err := s.XksProxyAuthenticationCredential.Validate(); err != nil {
+			invalidParams.AddNested("XksProxyAuthenticationCredential", err.(request.ErrInvalidParams))
+		}
+	}
 
 	if invalidParams.Len() > 0 {
 		return invalidParams
@@ -18062,6 +19202,36 @@ func (s *UpdateCustomKeyStoreInput) SetNewCustomKeyStoreName(v string) *UpdateCu
 	return s
 }
 
+// SetXksProxyAuthenticationCredential sets the XksProxyAuthenticationCredential field's value.
+func (s *UpdateCustomKeyStoreInput) SetXksProxyAuthenticationCredential(v *XksProxyAuthenticationCredentialType) *UpdateCustomKeyStoreInput {
+	s.XksProxyAuthenticationCredential = v
+	return s
+}
+
+// SetXksProxyConnectivity sets the XksProxyConnectivity field's value.
+func (s *UpdateCustomKeyStoreInput) SetXksProxyConnectivity(v string) *UpdateCustomKeyStoreInput {
+	s.XksProxyConnectivity = &v
+	return s
+}
+
+// SetXksProxyUriEndpoint sets the XksProxyUriEndpoint field's value.
+func (s *UpdateCustomKeyStoreInput) SetXksProxyUriEndpoint(v string) *UpdateCustomKeyStoreInput {
+	s.XksProxyUriEndpoint = &v
+	return s
+}
+
+// SetXksProxyUriPath sets the XksProxyUriPath field's value.
+func (s *UpdateCustomKeyStoreInput) SetXksProxyUriPath(v string) *UpdateCustomKeyStoreInput {
+	s.XksProxyUriPath = &v
+	return s
+}
+
+// SetXksProxyVpcEndpointServiceName sets the XksProxyVpcEndpointServiceName field's value.
+func (s *UpdateCustomKeyStoreInput) SetXksProxyVpcEndpointServiceName(v string) *UpdateCustomKeyStoreInput {
+	s.XksProxyVpcEndpointServiceName = &v
+	return s
+}
+
 type UpdateCustomKeyStoreOutput struct {
 	_ struct{} `type:"structure"`
 }
@@ -18683,6 +19853,1028 @@ func (s *VerifyOutput) SetSigningAlgorithm(v string) *VerifyOutput {
 	return s
 }
 
+// The request was rejected because the (XksKeyId) is already associated with
+// a KMS key in this external key store. Each KMS key in an external key store
+// must be associated with a different external key.
+type XksKeyAlreadyInUseException struct {
+	_            struct{}                  `type:"structure"`
+	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`
+
+	Message_ *string `locationName:"message" type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s XksKeyAlreadyInUseException) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s XksKeyAlreadyInUseException) GoString() string {
+	return s.String()
+}
+
+func newErrorXksKeyAlreadyInUseException(v protocol.ResponseMetadata) error {
+	return &XksKeyAlreadyInUseException{
+		RespMetadata: v,
+	}
+}
+
+// Code returns the exception type name.
+func (s *XksKeyAlreadyInUseException) Code() string {
+	return "XksKeyAlreadyInUseException"
+}
+
+// Message returns the exception's message.
+func (s *XksKeyAlreadyInUseException) Message() string {
+	if s.Message_ != nil {
+		return *s.Message_
+	}
+	return ""
+}
+
+// OrigErr always returns nil, satisfies awserr.Error interface.
+func (s *XksKeyAlreadyInUseException) OrigErr() error {
+	return nil
+}
+
+func (s *XksKeyAlreadyInUseException) Error() string {
+	return fmt.Sprintf("%s: %s", s.Code(), s.Message())
+}
+
+// Status code returns the HTTP status code for the request's response error.
+func (s *XksKeyAlreadyInUseException) StatusCode() int {
+	return s.RespMetadata.StatusCode
+}
+
+// RequestID returns the service's response RequestID for request.
+func (s *XksKeyAlreadyInUseException) RequestID() string {
+	return s.RespMetadata.RequestID
+}
+
+// Information about the external key (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key)that
+// is associated with a KMS key in an external key store.
+//
+// This element appears in a CreateKey or DescribeKey response only for a KMS
+// key in an external key store.
+//
+// The external key is a symmetric encryption key that is hosted by an external
+// key manager outside of Amazon Web Services. When you use the KMS key in an
+// external key store in a cryptographic operation, the cryptographic operation
+// is performed in the external key manager using the specified external key.
+// For more information, see External key (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key)
+// in the Key Management Service Developer Guide.
+type XksKeyConfigurationType struct {
+	_ struct{} `type:"structure"`
+
+	// The ID of the external key in its external key manager. This is the ID that
+	// the external key store proxy uses to identify the external key.
+	Id *string `min:"1" type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s XksKeyConfigurationType) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s XksKeyConfigurationType) GoString() string {
+	return s.String()
+}
+
+// SetId sets the Id field's value.
+func (s *XksKeyConfigurationType) SetId(v string) *XksKeyConfigurationType {
+	s.Id = &v
+	return s
+}
+
+// The request was rejected because the external key specified by the XksKeyId
+// parameter did not meet the configuration requirements for an external key
+// store.
+//
+// The external key must be an AES-256 symmetric key that is enabled and performs
+// encryption and decryption.
+type XksKeyInvalidConfigurationException struct {
+	_            struct{}                  `type:"structure"`
+	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`
+
+	Message_ *string `locationName:"message" type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s XksKeyInvalidConfigurationException) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s XksKeyInvalidConfigurationException) GoString() string {
+	return s.String()
+}
+
+func newErrorXksKeyInvalidConfigurationException(v protocol.ResponseMetadata) error {
+	return &XksKeyInvalidConfigurationException{
+		RespMetadata: v,
+	}
+}
+
+// Code returns the exception type name.
+func (s *XksKeyInvalidConfigurationException) Code() string {
+	return "XksKeyInvalidConfigurationException"
+}
+
+// Message returns the exception's message.
+func (s *XksKeyInvalidConfigurationException) Message() string {
+	if s.Message_ != nil {
+		return *s.Message_
+	}
+	return ""
+}
+
+// OrigErr always returns nil, satisfies awserr.Error interface.
+func (s *XksKeyInvalidConfigurationException) OrigErr() error {
+	return nil
+}
+
+func (s *XksKeyInvalidConfigurationException) Error() string {
+	return fmt.Sprintf("%s: %s", s.Code(), s.Message())
+}
+
+// Status code returns the HTTP status code for the request's response error.
+func (s *XksKeyInvalidConfigurationException) StatusCode() int {
+	return s.RespMetadata.StatusCode
+}
+
+// RequestID returns the service's response RequestID for request.
+func (s *XksKeyInvalidConfigurationException) RequestID() string {
+	return s.RespMetadata.RequestID
+}
+
+// The request was rejected because the external key store proxy could not find
+// the external key. This exception is thrown when the value of the XksKeyId
+// parameter doesn't identify a key in the external key manager associated with
+// the external key proxy.
+//
+// Verify that the XksKeyId represents an existing key in the external key manager.
+// Use the key identifier that the external key store proxy uses to identify
+// the key. For details, see the documentation provided with your external key
+// store proxy or key manager.
+type XksKeyNotFoundException struct {
+	_            struct{}                  `type:"structure"`
+	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`
+
+	Message_ *string `locationName:"message" type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s XksKeyNotFoundException) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s XksKeyNotFoundException) GoString() string {
+	return s.String()
+}
+
+func newErrorXksKeyNotFoundException(v protocol.ResponseMetadata) error {
+	return &XksKeyNotFoundException{
+		RespMetadata: v,
+	}
+}
+
+// Code returns the exception type name.
+func (s *XksKeyNotFoundException) Code() string {
+	return "XksKeyNotFoundException"
+}
+
+// Message returns the exception's message.
+func (s *XksKeyNotFoundException) Message() string {
+	if s.Message_ != nil {
+		return *s.Message_
+	}
+	return ""
+}
+
+// OrigErr always returns nil, satisfies awserr.Error interface.
+func (s *XksKeyNotFoundException) OrigErr() error {
+	return nil
+}
+
+func (s *XksKeyNotFoundException) Error() string {
+	return fmt.Sprintf("%s: %s", s.Code(), s.Message())
+}
+
+// Status code returns the HTTP status code for the request's response error.
+func (s *XksKeyNotFoundException) StatusCode() int {
+	return s.RespMetadata.StatusCode
+}
+
+// RequestID returns the service's response RequestID for request.
+func (s *XksKeyNotFoundException) RequestID() string {
+	return s.RespMetadata.RequestID
+}
+
+// KMS uses the authentication credential to sign requests that it sends to
+// the external key store proxy (XKS proxy) on your behalf. You establish these
+// credentials on your external key store proxy and report them to KMS.
+//
+// The XksProxyAuthenticationCredential includes two required elements.
+type XksProxyAuthenticationCredentialType struct {
+	_ struct{} `type:"structure"`
+
+	// A unique identifier for the raw secret access key.
+	//
+	// AccessKeyId is a sensitive parameter and its value will be
+	// replaced with "sensitive" in string returned by XksProxyAuthenticationCredentialType's
+	// String and GoString methods.
+	//
+	// AccessKeyId is a required field
+	AccessKeyId *string `min:"20" type:"string" required:"true" sensitive:"true"`
+
+	// A secret string of 43-64 characters. Valid characters are a-z, A-Z, 0-9,
+	// /, +, and =.
+	//
+	// RawSecretAccessKey is a sensitive parameter and its value will be
+	// replaced with "sensitive" in string returned by XksProxyAuthenticationCredentialType's
+	// String and GoString methods.
+	//
+	// RawSecretAccessKey is a required field
+	RawSecretAccessKey *string `min:"43" type:"string" required:"true" sensitive:"true"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s XksProxyAuthenticationCredentialType) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s XksProxyAuthenticationCredentialType) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *XksProxyAuthenticationCredentialType) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "XksProxyAuthenticationCredentialType"}
+	if s.AccessKeyId == nil {
+		invalidParams.Add(request.NewErrParamRequired("AccessKeyId"))
+	}
+	if s.AccessKeyId != nil && len(*s.AccessKeyId) < 20 {
+		invalidParams.Add(request.NewErrParamMinLen("AccessKeyId", 20))
+	}
+	if s.RawSecretAccessKey == nil {
+		invalidParams.Add(request.NewErrParamRequired("RawSecretAccessKey"))
+	}
+	if s.RawSecretAccessKey != nil && len(*s.RawSecretAccessKey) < 43 {
+		invalidParams.Add(request.NewErrParamMinLen("RawSecretAccessKey", 43))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetAccessKeyId sets the AccessKeyId field's value.
+func (s *XksProxyAuthenticationCredentialType) SetAccessKeyId(v string) *XksProxyAuthenticationCredentialType {
+	s.AccessKeyId = &v
+	return s
+}
+
+// SetRawSecretAccessKey sets the RawSecretAccessKey field's value.
+func (s *XksProxyAuthenticationCredentialType) SetRawSecretAccessKey(v string) *XksProxyAuthenticationCredentialType {
+	s.RawSecretAccessKey = &v
+	return s
+}
+
+// Detailed information about the external key store proxy (XKS proxy). Your
+// external key store proxy translates KMS requests into a format that your
+// external key manager can understand. These fields appear in a DescribeCustomKeyStores
+// response only when the CustomKeyStoreType is EXTERNAL_KEY_STORE.
+type XksProxyConfigurationType struct {
+	_ struct{} `type:"structure"`
+
+	// The part of the external key store proxy authentication credential (https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateCustomKeyStore.html#KMS-CreateCustomKeyStore-request-XksProxyAuthenticationCredential)
+	// that uniquely identifies the secret access key.
+	//
+	// AccessKeyId is a sensitive parameter and its value will be
+	// replaced with "sensitive" in string returned by XksProxyConfigurationType's
+	// String and GoString methods.
+	AccessKeyId *string `min:"20" type:"string" sensitive:"true"`
+
+	// Indicates whether the external key store proxy uses a public endpoint or
+	// an Amazon VPC endpoint service to communicate with KMS.
+	Connectivity *string `type:"string" enum:"XksProxyConnectivityType"`
+
+	// The URI endpoint for the external key store proxy.
+	//
+	// If the external key store proxy has a public endpoint, it is displayed here.
+	//
+	// If the external key store proxy uses an Amazon VPC endpoint service name,
+	// this field displays the private DNS name associated with the VPC endpoint
+	// service.
+	UriEndpoint *string `min:"10" type:"string"`
+
+	// The path to the external key store proxy APIs.
+	UriPath *string `min:"10" type:"string"`
+
+	// The Amazon VPC endpoint service used to communicate with the external key
+	// store proxy. This field appears only when the external key store proxy uses
+	// an Amazon VPC endpoint service to communicate with KMS.
+	VpcEndpointServiceName *string `min:"20" type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s XksProxyConfigurationType) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s XksProxyConfigurationType) GoString() string {
+	return s.String()
+}
+
+// SetAccessKeyId sets the AccessKeyId field's value.
+func (s *XksProxyConfigurationType) SetAccessKeyId(v string) *XksProxyConfigurationType {
+	s.AccessKeyId = &v
+	return s
+}
+
+// SetConnectivity sets the Connectivity field's value.
+func (s *XksProxyConfigurationType) SetConnectivity(v string) *XksProxyConfigurationType {
+	s.Connectivity = &v
+	return s
+}
+
+// SetUriEndpoint sets the UriEndpoint field's value.
+func (s *XksProxyConfigurationType) SetUriEndpoint(v string) *XksProxyConfigurationType {
+	s.UriEndpoint = &v
+	return s
+}
+
+// SetUriPath sets the UriPath field's value.
+func (s *XksProxyConfigurationType) SetUriPath(v string) *XksProxyConfigurationType {
+	s.UriPath = &v
+	return s
+}
+
+// SetVpcEndpointServiceName sets the VpcEndpointServiceName field's value.
+func (s *XksProxyConfigurationType) SetVpcEndpointServiceName(v string) *XksProxyConfigurationType {
+	s.VpcEndpointServiceName = &v
+	return s
+}
+
+// The request was rejected because the proxy credentials failed to authenticate
+// to the specified external key store proxy. The specified external key store
+// proxy rejected a status request from KMS due to invalid credentials. This
+// can indicate an error in the credentials or in the identification of the
+// external key store proxy.
+type XksProxyIncorrectAuthenticationCredentialException struct {
+	_            struct{}                  `type:"structure"`
+	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`
+
+	Message_ *string `locationName:"message" type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s XksProxyIncorrectAuthenticationCredentialException) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s XksProxyIncorrectAuthenticationCredentialException) GoString() string {
+	return s.String()
+}
+
+func newErrorXksProxyIncorrectAuthenticationCredentialException(v protocol.ResponseMetadata) error {
+	return &XksProxyIncorrectAuthenticationCredentialException{
+		RespMetadata: v,
+	}
+}
+
+// Code returns the exception type name.
+func (s *XksProxyIncorrectAuthenticationCredentialException) Code() string {
+	return "XksProxyIncorrectAuthenticationCredentialException"
+}
+
+// Message returns the exception's message.
+func (s *XksProxyIncorrectAuthenticationCredentialException) Message() string {
+	if s.Message_ != nil {
+		return *s.Message_
+	}
+	return ""
+}
+
+// OrigErr always returns nil, satisfies awserr.Error interface.
+func (s *XksProxyIncorrectAuthenticationCredentialException) OrigErr() error {
+	return nil
+}
+
+func (s *XksProxyIncorrectAuthenticationCredentialException) Error() string {
+	return fmt.Sprintf("%s: %s", s.Code(), s.Message())
+}
+
+// Status code returns the HTTP status code for the request's response error.
+func (s *XksProxyIncorrectAuthenticationCredentialException) StatusCode() int {
+	return s.RespMetadata.StatusCode
+}
+
+// RequestID returns the service's response RequestID for request.
+func (s *XksProxyIncorrectAuthenticationCredentialException) RequestID() string {
+	return s.RespMetadata.RequestID
+}
+
+// The request was rejected because the Amazon VPC endpoint service configuration
+// does not fulfill the requirements for an external key store proxy. For details,
+// see the exception message.
+type XksProxyInvalidConfigurationException struct {
+	_            struct{}                  `type:"structure"`
+	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`
+
+	Message_ *string `locationName:"message" type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s XksProxyInvalidConfigurationException) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s XksProxyInvalidConfigurationException) GoString() string {
+	return s.String()
+}
+
+func newErrorXksProxyInvalidConfigurationException(v protocol.ResponseMetadata) error {
+	return &XksProxyInvalidConfigurationException{
+		RespMetadata: v,
+	}
+}
+
+// Code returns the exception type name.
+func (s *XksProxyInvalidConfigurationException) Code() string {
+	return "XksProxyInvalidConfigurationException"
+}
+
+// Message returns the exception's message.
+func (s *XksProxyInvalidConfigurationException) Message() string {
+	if s.Message_ != nil {
+		return *s.Message_
+	}
+	return ""
+}
+
+// OrigErr always returns nil, satisfies awserr.Error interface.
+func (s *XksProxyInvalidConfigurationException) OrigErr() error {
+	return nil
+}
+
+func (s *XksProxyInvalidConfigurationException) Error() string {
+	return fmt.Sprintf("%s: %s", s.Code(), s.Message())
+}
+
+// Status code returns the HTTP status code for the request's response error.
+func (s *XksProxyInvalidConfigurationException) StatusCode() int {
+	return s.RespMetadata.StatusCode
+}
+
+// RequestID returns the service's response RequestID for request.
+func (s *XksProxyInvalidConfigurationException) RequestID() string {
+	return s.RespMetadata.RequestID
+}
+
+// KMS cannot interpret the response it received from the external key store
+// proxy. The problem might be a poorly constructed response, but it could also
+// be a transient network issue. If you see this error repeatedly, report it
+// to the proxy vendor.
+type XksProxyInvalidResponseException struct {
+	_            struct{}                  `type:"structure"`
+	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`
+
+	Message_ *string `locationName:"message" type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s XksProxyInvalidResponseException) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s XksProxyInvalidResponseException) GoString() string {
+	return s.String()
+}
+
+func newErrorXksProxyInvalidResponseException(v protocol.ResponseMetadata) error {
+	return &XksProxyInvalidResponseException{
+		RespMetadata: v,
+	}
+}
+
+// Code returns the exception type name.
+func (s *XksProxyInvalidResponseException) Code() string {
+	return "XksProxyInvalidResponseException"
+}
+
+// Message returns the exception's message.
+func (s *XksProxyInvalidResponseException) Message() string {
+	if s.Message_ != nil {
+		return *s.Message_
+	}
+	return ""
+}
+
+// OrigErr always returns nil, satisfies awserr.Error interface.
+func (s *XksProxyInvalidResponseException) OrigErr() error {
+	return nil
+}
+
+func (s *XksProxyInvalidResponseException) Error() string {
+	return fmt.Sprintf("%s: %s", s.Code(), s.Message())
+}
+
+// Status code returns the HTTP status code for the request's response error.
+func (s *XksProxyInvalidResponseException) StatusCode() int {
+	return s.RespMetadata.StatusCode
+}
+
+// RequestID returns the service's response RequestID for request.
+func (s *XksProxyInvalidResponseException) RequestID() string {
+	return s.RespMetadata.RequestID
+}
+
+// The request was rejected because the concatenation of the XksProxyUriEndpoint
+// is already associated with an external key store in the Amazon Web Services
+// account and Region. Each external key store in an account and Region must
+// use a unique external key store proxy address.
+type XksProxyUriEndpointInUseException struct {
+	_            struct{}                  `type:"structure"`
+	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`
+
+	Message_ *string `locationName:"message" type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s XksProxyUriEndpointInUseException) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s XksProxyUriEndpointInUseException) GoString() string {
+	return s.String()
+}
+
+func newErrorXksProxyUriEndpointInUseException(v protocol.ResponseMetadata) error {
+	return &XksProxyUriEndpointInUseException{
+		RespMetadata: v,
+	}
+}
+
+// Code returns the exception type name.
+func (s *XksProxyUriEndpointInUseException) Code() string {
+	return "XksProxyUriEndpointInUseException"
+}
+
+// Message returns the exception's message.
+func (s *XksProxyUriEndpointInUseException) Message() string {
+	if s.Message_ != nil {
+		return *s.Message_
+	}
+	return ""
+}
+
+// OrigErr always returns nil, satisfies awserr.Error interface.
+func (s *XksProxyUriEndpointInUseException) OrigErr() error {
+	return nil
+}
+
+func (s *XksProxyUriEndpointInUseException) Error() string {
+	return fmt.Sprintf("%s: %s", s.Code(), s.Message())
+}
+
+// Status code returns the HTTP status code for the request's response error.
+func (s *XksProxyUriEndpointInUseException) StatusCode() int {
+	return s.RespMetadata.StatusCode
+}
+
+// RequestID returns the service's response RequestID for request.
+func (s *XksProxyUriEndpointInUseException) RequestID() string {
+	return s.RespMetadata.RequestID
+}
+
+// The request was rejected because the concatenation of the XksProxyUriEndpoint
+// and XksProxyUriPath is already associated with an external key store in the
+// Amazon Web Services account and Region. Each external key store in an account
+// and Region must use a unique external key store proxy API address.
+type XksProxyUriInUseException struct {
+	_            struct{}                  `type:"structure"`
+	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`
+
+	Message_ *string `locationName:"message" type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s XksProxyUriInUseException) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s XksProxyUriInUseException) GoString() string {
+	return s.String()
+}
+
+func newErrorXksProxyUriInUseException(v protocol.ResponseMetadata) error {
+	return &XksProxyUriInUseException{
+		RespMetadata: v,
+	}
+}
+
+// Code returns the exception type name.
+func (s *XksProxyUriInUseException) Code() string {
+	return "XksProxyUriInUseException"
+}
+
+// Message returns the exception's message.
+func (s *XksProxyUriInUseException) Message() string {
+	if s.Message_ != nil {
+		return *s.Message_
+	}
+	return ""
+}
+
+// OrigErr always returns nil, satisfies awserr.Error interface.
+func (s *XksProxyUriInUseException) OrigErr() error {
+	return nil
+}
+
+func (s *XksProxyUriInUseException) Error() string {
+	return fmt.Sprintf("%s: %s", s.Code(), s.Message())
+}
+
+// Status code returns the HTTP status code for the request's response error.
+func (s *XksProxyUriInUseException) StatusCode() int {
+	return s.RespMetadata.StatusCode
+}
+
+// RequestID returns the service's response RequestID for request.
+func (s *XksProxyUriInUseException) RequestID() string {
+	return s.RespMetadata.RequestID
+}
+
+// KMS was unable to reach the specified XksProxyUriPath. The path must be reachable
+// before you create the external key store or update its settings.
+//
+// This exception is also thrown when the external key store proxy response
+// to a GetHealthStatus request indicates that all external key manager instances
+// are unavailable.
+type XksProxyUriUnreachableException struct {
+	_            struct{}                  `type:"structure"`
+	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`
+
+	Message_ *string `locationName:"message" type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s XksProxyUriUnreachableException) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s XksProxyUriUnreachableException) GoString() string {
+	return s.String()
+}
+
+func newErrorXksProxyUriUnreachableException(v protocol.ResponseMetadata) error {
+	return &XksProxyUriUnreachableException{
+		RespMetadata: v,
+	}
+}
+
+// Code returns the exception type name.
+func (s *XksProxyUriUnreachableException) Code() string {
+	return "XksProxyUriUnreachableException"
+}
+
+// Message returns the exception's message.
+func (s *XksProxyUriUnreachableException) Message() string {
+	if s.Message_ != nil {
+		return *s.Message_
+	}
+	return ""
+}
+
+// OrigErr always returns nil, satisfies awserr.Error interface.
+func (s *XksProxyUriUnreachableException) OrigErr() error {
+	return nil
+}
+
+func (s *XksProxyUriUnreachableException) Error() string {
+	return fmt.Sprintf("%s: %s", s.Code(), s.Message())
+}
+
+// Status code returns the HTTP status code for the request's response error.
+func (s *XksProxyUriUnreachableException) StatusCode() int {
+	return s.RespMetadata.StatusCode
+}
+
+// RequestID returns the service's response RequestID for request.
+func (s *XksProxyUriUnreachableException) RequestID() string {
+	return s.RespMetadata.RequestID
+}
+
+// The request was rejected because the specified Amazon VPC endpoint service
+// is already associated with an external key store in the Amazon Web Services
+// account and Region. Each external key store in an Amazon Web Services account
+// and Region must use a different Amazon VPC endpoint service.
+type XksProxyVpcEndpointServiceInUseException struct {
+	_            struct{}                  `type:"structure"`
+	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`
+
+	Message_ *string `locationName:"message" type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s XksProxyVpcEndpointServiceInUseException) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s XksProxyVpcEndpointServiceInUseException) GoString() string {
+	return s.String()
+}
+
+func newErrorXksProxyVpcEndpointServiceInUseException(v protocol.ResponseMetadata) error {
+	return &XksProxyVpcEndpointServiceInUseException{
+		RespMetadata: v,
+	}
+}
+
+// Code returns the exception type name.
+func (s *XksProxyVpcEndpointServiceInUseException) Code() string {
+	return "XksProxyVpcEndpointServiceInUseException"
+}
+
+// Message returns the exception's message.
+func (s *XksProxyVpcEndpointServiceInUseException) Message() string {
+	if s.Message_ != nil {
+		return *s.Message_
+	}
+	return ""
+}
+
+// OrigErr always returns nil, satisfies awserr.Error interface.
+func (s *XksProxyVpcEndpointServiceInUseException) OrigErr() error {
+	return nil
+}
+
+func (s *XksProxyVpcEndpointServiceInUseException) Error() string {
+	return fmt.Sprintf("%s: %s", s.Code(), s.Message())
+}
+
+// Status code returns the HTTP status code for the request's response error.
+func (s *XksProxyVpcEndpointServiceInUseException) StatusCode() int {
+	return s.RespMetadata.StatusCode
+}
+
+// RequestID returns the service's response RequestID for request.
+func (s *XksProxyVpcEndpointServiceInUseException) RequestID() string {
+	return s.RespMetadata.RequestID
+}
+
+// The request was rejected because the Amazon VPC endpoint service configuration
+// does not fulfill the requirements for an external key store proxy. For details,
+// see the exception message and review the requirements (kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements)
+// for Amazon VPC endpoint service connectivity for an external key store.
+type XksProxyVpcEndpointServiceInvalidConfigurationException struct {
+	_            struct{}                  `type:"structure"`
+	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`
+
+	Message_ *string `locationName:"message" type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s XksProxyVpcEndpointServiceInvalidConfigurationException) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s XksProxyVpcEndpointServiceInvalidConfigurationException) GoString() string {
+	return s.String()
+}
+
+func newErrorXksProxyVpcEndpointServiceInvalidConfigurationException(v protocol.ResponseMetadata) error {
+	return &XksProxyVpcEndpointServiceInvalidConfigurationException{
+		RespMetadata: v,
+	}
+}
+
+// Code returns the exception type name.
+func (s *XksProxyVpcEndpointServiceInvalidConfigurationException) Code() string {
+	return "XksProxyVpcEndpointServiceInvalidConfigurationException"
+}
+
+// Message returns the exception's message.
+func (s *XksProxyVpcEndpointServiceInvalidConfigurationException) Message() string {
+	if s.Message_ != nil {
+		return *s.Message_
+	}
+	return ""
+}
+
+// OrigErr always returns nil, satisfies awserr.Error interface.
+func (s *XksProxyVpcEndpointServiceInvalidConfigurationException) OrigErr() error {
+	return nil
+}
+
+func (s *XksProxyVpcEndpointServiceInvalidConfigurationException) Error() string {
+	return fmt.Sprintf("%s: %s", s.Code(), s.Message())
+}
+
+// Status code returns the HTTP status code for the request's response error.
+func (s *XksProxyVpcEndpointServiceInvalidConfigurationException) StatusCode() int {
+	return s.RespMetadata.StatusCode
+}
+
+// RequestID returns the service's response RequestID for request.
+func (s *XksProxyVpcEndpointServiceInvalidConfigurationException) RequestID() string {
+	return s.RespMetadata.RequestID
+}
+
+// The request was rejected because KMS could not find the specified VPC endpoint
+// service. Use DescribeCustomKeyStores to verify the VPC endpoint service name
+// for the external key store. Also, confirm that the Allow principals list
+// for the VPC endpoint service includes the KMS service principal for the Region,
+// such as cks.kms.us-east-1.amazonaws.com.
+type XksProxyVpcEndpointServiceNotFoundException struct {
+	_            struct{}                  `type:"structure"`
+	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`
+
+	Message_ *string `locationName:"message" type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s XksProxyVpcEndpointServiceNotFoundException) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s XksProxyVpcEndpointServiceNotFoundException) GoString() string {
+	return s.String()
+}
+
+func newErrorXksProxyVpcEndpointServiceNotFoundException(v protocol.ResponseMetadata) error {
+	return &XksProxyVpcEndpointServiceNotFoundException{
+		RespMetadata: v,
+	}
+}
+
+// Code returns the exception type name.
+func (s *XksProxyVpcEndpointServiceNotFoundException) Code() string {
+	return "XksProxyVpcEndpointServiceNotFoundException"
+}
+
+// Message returns the exception's message.
+func (s *XksProxyVpcEndpointServiceNotFoundException) Message() string {
+	if s.Message_ != nil {
+		return *s.Message_
+	}
+	return ""
+}
+
+// OrigErr always returns nil, satisfies awserr.Error interface.
+func (s *XksProxyVpcEndpointServiceNotFoundException) OrigErr() error {
+	return nil
+}
+
+func (s *XksProxyVpcEndpointServiceNotFoundException) Error() string {
+	return fmt.Sprintf("%s: %s", s.Code(), s.Message())
+}
+
+// Status code returns the HTTP status code for the request's response error.
+func (s *XksProxyVpcEndpointServiceNotFoundException) StatusCode() int {
+	return s.RespMetadata.StatusCode
+}
+
+// RequestID returns the service's response RequestID for request.
+func (s *XksProxyVpcEndpointServiceNotFoundException) RequestID() string {
+	return s.RespMetadata.RequestID
+}
+
 const (
 	// AlgorithmSpecRsaesPkcs1V15 is a AlgorithmSpec enum value
 	AlgorithmSpecRsaesPkcs1V15 = "RSAES_PKCS1_V1_5"
@@ -18733,6 +20925,30 @@ const (
 
 	// ConnectionErrorCodeTypeInsufficientFreeAddressesInSubnet is a ConnectionErrorCodeType enum value
 	ConnectionErrorCodeTypeInsufficientFreeAddressesInSubnet = "INSUFFICIENT_FREE_ADDRESSES_IN_SUBNET"
+
+	// ConnectionErrorCodeTypeXksProxyAccessDenied is a ConnectionErrorCodeType enum value
+	ConnectionErrorCodeTypeXksProxyAccessDenied = "XKS_PROXY_ACCESS_DENIED"
+
+	// ConnectionErrorCodeTypeXksProxyNotReachable is a ConnectionErrorCodeType enum value
+	ConnectionErrorCodeTypeXksProxyNotReachable = "XKS_PROXY_NOT_REACHABLE"
+
+	// ConnectionErrorCodeTypeXksVpcEndpointServiceNotFound is a ConnectionErrorCodeType enum value
+	ConnectionErrorCodeTypeXksVpcEndpointServiceNotFound = "XKS_VPC_ENDPOINT_SERVICE_NOT_FOUND"
+
+	// ConnectionErrorCodeTypeXksProxyInvalidResponse is a ConnectionErrorCodeType enum value
+	ConnectionErrorCodeTypeXksProxyInvalidResponse = "XKS_PROXY_INVALID_RESPONSE"
+
+	// ConnectionErrorCodeTypeXksProxyInvalidConfiguration is a ConnectionErrorCodeType enum value
+	ConnectionErrorCodeTypeXksProxyInvalidConfiguration = "XKS_PROXY_INVALID_CONFIGURATION"
+
+	// ConnectionErrorCodeTypeXksVpcEndpointServiceInvalidConfiguration is a ConnectionErrorCodeType enum value
+	ConnectionErrorCodeTypeXksVpcEndpointServiceInvalidConfiguration = "XKS_VPC_ENDPOINT_SERVICE_INVALID_CONFIGURATION"
+
+	// ConnectionErrorCodeTypeXksProxyTimedOut is a ConnectionErrorCodeType enum value
+	ConnectionErrorCodeTypeXksProxyTimedOut = "XKS_PROXY_TIMED_OUT"
+
+	// ConnectionErrorCodeTypeXksProxyInvalidTlsConfiguration is a ConnectionErrorCodeType enum value
+	ConnectionErrorCodeTypeXksProxyInvalidTlsConfiguration = "XKS_PROXY_INVALID_TLS_CONFIGURATION"
 )
 
 // ConnectionErrorCodeType_Values returns all elements of the ConnectionErrorCodeType enum
@@ -18748,6 +20964,14 @@ func ConnectionErrorCodeType_Values() []string {
 		ConnectionErrorCodeTypeUserLoggedIn,
 		ConnectionErrorCodeTypeSubnetNotFound,
 		ConnectionErrorCodeTypeInsufficientFreeAddressesInSubnet,
+		ConnectionErrorCodeTypeXksProxyAccessDenied,
+		ConnectionErrorCodeTypeXksProxyNotReachable,
+		ConnectionErrorCodeTypeXksVpcEndpointServiceNotFound,
+		ConnectionErrorCodeTypeXksProxyInvalidResponse,
+		ConnectionErrorCodeTypeXksProxyInvalidConfiguration,
+		ConnectionErrorCodeTypeXksVpcEndpointServiceInvalidConfiguration,
+		ConnectionErrorCodeTypeXksProxyTimedOut,
+		ConnectionErrorCodeTypeXksProxyInvalidTlsConfiguration,
 	}
 }
 
@@ -18779,6 +21003,22 @@ func ConnectionStateType_Values() []string {
 	}
 }
 
+const (
+	// CustomKeyStoreTypeAwsCloudhsm is a CustomKeyStoreType enum value
+	CustomKeyStoreTypeAwsCloudhsm = "AWS_CLOUDHSM"
+
+	// CustomKeyStoreTypeExternalKeyStore is a CustomKeyStoreType enum value
+	CustomKeyStoreTypeExternalKeyStore = "EXTERNAL_KEY_STORE"
+)
+
+// CustomKeyStoreType_Values returns all elements of the CustomKeyStoreType enum
+func CustomKeyStoreType_Values() []string {
+	return []string{
+		CustomKeyStoreTypeAwsCloudhsm,
+		CustomKeyStoreTypeExternalKeyStore,
+	}
+}
+
 const (
 	// CustomerMasterKeySpecRsa2048 is a CustomerMasterKeySpec enum value
 	CustomerMasterKeySpecRsa2048 = "RSA_2048"
@@ -19208,6 +21448,9 @@ const (
 
 	// OriginTypeAwsCloudhsm is a OriginType enum value
 	OriginTypeAwsCloudhsm = "AWS_CLOUDHSM"
+
+	// OriginTypeExternalKeyStore is a OriginType enum value
+	OriginTypeExternalKeyStore = "EXTERNAL_KEY_STORE"
 )
 
 // OriginType_Values returns all elements of the OriginType enum
@@ -19216,6 +21459,7 @@ func OriginType_Values() []string {
 		OriginTypeAwsKms,
 		OriginTypeExternal,
 		OriginTypeAwsCloudhsm,
+		OriginTypeExternalKeyStore,
 	}
 }
 
@@ -19278,3 +21522,19 @@ func WrappingKeySpec_Values() []string {
 		WrappingKeySpecRsa2048,
 	}
 }
+
+const (
+	// XksProxyConnectivityTypePublicEndpoint is a XksProxyConnectivityType enum value
+	XksProxyConnectivityTypePublicEndpoint = "PUBLIC_ENDPOINT"
+
+	// XksProxyConnectivityTypeVpcEndpointService is a XksProxyConnectivityType enum value
+	XksProxyConnectivityTypeVpcEndpointService = "VPC_ENDPOINT_SERVICE"
+)
+
+// XksProxyConnectivityType_Values returns all elements of the XksProxyConnectivityType enum
+func XksProxyConnectivityType_Values() []string {
+	return []string{
+		XksProxyConnectivityTypePublicEndpoint,
+		XksProxyConnectivityTypeVpcEndpointService,
+	}
+}
diff --git a/vendor/github.com/aws/aws-sdk-go/service/kms/doc.go b/vendor/github.com/aws/aws-sdk-go/service/kms/doc.go
index d926e08e6..7dc9bd442 100644
--- a/vendor/github.com/aws/aws-sdk-go/service/kms/doc.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/kms/doc.go
@@ -8,7 +8,7 @@
 // For general information about KMS, see the Key Management Service Developer
 // Guide (https://docs.aws.amazon.com/kms/latest/developerguide/).
 //
-// KMS is replacing the term customer master key (CMK) with KMS key and KMS
+// KMS has replaced the term customer master key (CMK) with KMS key and KMS
 // key. The concept has not changed. To prevent breaking changes, KMS is keeping
 // some variations of this term.
 //
@@ -40,7 +40,7 @@
 //
 // Requests must be signed by using an access key ID and a secret access key.
 // We strongly recommend that you do not use your Amazon Web Services account
-// (root) access key ID and secret key for everyday work with KMS. Instead,
+// (root) access key ID and secret access key for everyday work with KMS. Instead,
 // use the access key ID and secret access key for an IAM user. You can also
 // use the Amazon Web Services Security Token Service to generate temporary
 // security credentials that you can use to sign requests.
diff --git a/vendor/github.com/aws/aws-sdk-go/service/kms/errors.go b/vendor/github.com/aws/aws-sdk-go/service/kms/errors.go
index 4f8fc2104..c897f6389 100644
--- a/vendor/github.com/aws/aws-sdk-go/service/kms/errors.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/kms/errors.go
@@ -19,12 +19,13 @@ const (
 	// "CloudHsmClusterInUseException".
 	//
 	// The request was rejected because the specified CloudHSM cluster is already
-	// associated with a custom key store or it shares a backup history with a cluster
-	// that is associated with a custom key store. Each custom key store must be
-	// associated with a different CloudHSM cluster.
+	// associated with an CloudHSM key store in the account, or it shares a backup
+	// history with an CloudHSM key store in the account. Each CloudHSM key store
+	// in the account must be associated with a different CloudHSM cluster.
 	//
-	// Clusters that share a backup history have the same cluster certificate. To
-	// view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
+	// CloudHSM clusters that share a backup history have the same cluster certificate.
+	// To view the cluster certificate of an CloudHSM cluster, use the DescribeClusters
+	// (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
 	// operation.
 	ErrCodeCloudHsmClusterInUseException = "CloudHsmClusterInUseException"
 
@@ -32,29 +33,29 @@ const (
 	// "CloudHsmClusterInvalidConfigurationException".
 	//
 	// The request was rejected because the associated CloudHSM cluster did not
-	// meet the configuration requirements for a custom key store.
+	// meet the configuration requirements for an CloudHSM key store.
 	//
-	//    * The cluster must be configured with private subnets in at least two
-	//    different Availability Zones in the Region.
+	//    * The CloudHSM cluster must be configured with private subnets in at least
+	//    two different Availability Zones in the Region.
 	//
 	//    * The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html)
 	//    (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound
 	//    rules that allow TCP traffic on ports 2223-2225. The Source in the inbound
 	//    rules and the Destination in the outbound rules must match the security
-	//    group ID. These rules are set by default when you create the cluster.
-	//    Do not delete or change them. To get information about a particular security
-	//    group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html)
+	//    group ID. These rules are set by default when you create the CloudHSM
+	//    cluster. Do not delete or change them. To get information about a particular
+	//    security group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html)
 	//    operation.
 	//
-	//    * The cluster must contain at least as many HSMs as the operation requires.
-	//    To add HSMs, use the CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
+	//    * The CloudHSM cluster must contain at least as many HSMs as the operation
+	//    requires. To add HSMs, use the CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
 	//    operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey
 	//    operations, the CloudHSM cluster must have at least two active HSMs, each
 	//    in a different Availability Zone. For the ConnectCustomKeyStore operation,
 	//    the CloudHSM must contain at least one active HSM.
 	//
 	// For information about the requirements for an CloudHSM cluster that is associated
-	// with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore)
+	// with an CloudHSM key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore)
 	// in the Key Management Service Developer Guide. For information about creating
 	// a private subnet for an CloudHSM cluster, see Create a Private Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html)
 	// in the CloudHSM User Guide. For information about cluster security groups,
@@ -65,10 +66,9 @@ const (
 	// ErrCodeCloudHsmClusterNotActiveException for service response error code
 	// "CloudHsmClusterNotActiveException".
 	//
-	// The request was rejected because the CloudHSM cluster that is associated
-	// with the custom key store is not active. Initialize and activate the cluster
-	// and try the command again. For detailed instructions, see Getting Started
-	// (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html)
+	// The request was rejected because the CloudHSM cluster associated with the
+	// CloudHSM key store is not active. Initialize and activate the cluster and
+	// try the command again. For detailed instructions, see Getting Started (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html)
 	// in the CloudHSM User Guide.
 	ErrCodeCloudHsmClusterNotActiveException = "CloudHsmClusterNotActiveException"
 
@@ -84,15 +84,16 @@ const (
 	//
 	// The request was rejected because the specified CloudHSM cluster has a different
 	// cluster certificate than the original cluster. You cannot use the operation
-	// to specify an unrelated cluster.
+	// to specify an unrelated cluster for an CloudHSM key store.
 	//
-	// Specify a cluster that shares a backup history with the original cluster.
-	// This includes clusters that were created from a backup of the current cluster,
-	// and clusters that were created from the same backup that produced the current
-	// cluster.
+	// Specify an CloudHSM cluster that shares a backup history with the original
+	// cluster. This includes clusters that were created from a backup of the current
+	// cluster, and clusters that were created from the same backup that produced
+	// the current cluster.
 	//
-	// Clusters that share a backup history have the same cluster certificate. To
-	// view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
+	// CloudHSM clusters that share a backup history have the same cluster certificate.
+	// To view the cluster certificate of an CloudHSM cluster, use the DescribeClusters
+	// (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
 	// operation.
 	ErrCodeCloudHsmClusterNotRelatedException = "CloudHsmClusterNotRelatedException"
 
@@ -114,17 +115,27 @@ const (
 	//
 	// This exception is thrown under the following conditions:
 	//
-	//    * You requested the CreateKey or GenerateRandom operation in a custom
-	//    key store that is not connected. These operations are valid only when
-	//    the custom key store ConnectionState is CONNECTED.
+	//    * You requested the ConnectCustomKeyStore operation on a custom key store
+	//    with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
+	//    for all other ConnectionState values. To reconnect a custom key store
+	//    in a FAILED state, disconnect it (DisconnectCustomKeyStore), then connect
+	//    it (ConnectCustomKeyStore).
+	//
+	//    * You requested the CreateKey operation in a custom key store that is
+	//    not connected. This operations is valid only when the custom key store
+	//    ConnectionState is CONNECTED.
+	//
+	//    * You requested the DisconnectCustomKeyStore operation on a custom key
+	//    store with a ConnectionState of DISCONNECTING or DISCONNECTED. This operation
+	//    is valid for all other ConnectionState values.
 	//
 	//    * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation
 	//    on a custom key store that is not disconnected. This operation is valid
 	//    only when the custom key store ConnectionState is DISCONNECTED.
 	//
-	//    * You requested the ConnectCustomKeyStore operation on a custom key store
-	//    with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
-	//    for all other ConnectionState values.
+	//    * You requested the GenerateRandom operation in an CloudHSM key store
+	//    that is not connected. This operation is valid only when the CloudHSM
+	//    key store ConnectionState is CONNECTED.
 	ErrCodeCustomKeyStoreInvalidStateException = "CustomKeyStoreInvalidStateException"
 
 	// ErrCodeCustomKeyStoreNameInUseException for service response error code
@@ -145,8 +156,8 @@ const (
 	// ErrCodeDependencyTimeoutException for service response error code
 	// "DependencyTimeoutException".
 	//
-	// The system timed out while trying to fulfill the request. The request can
-	// be retried.
+	// The system timed out while trying to fulfill the request. You can retry the
+	// request.
 	ErrCodeDependencyTimeoutException = "DependencyTimeoutException"
 
 	// ErrCodeDisabledException for service response error code
@@ -183,9 +194,10 @@ const (
 	// "IncorrectTrustAnchorException".
 	//
 	// The request was rejected because the trust anchor certificate in the request
-	// is not the trust anchor certificate for the specified CloudHSM cluster.
+	// to create an CloudHSM key store is not the trust anchor certificate for the
+	// specified CloudHSM cluster.
 	//
-	// When you initialize the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr),
+	// When you initialize the CloudHSM cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr),
 	// you create the trust anchor certificate and save it in the customerCA.crt
 	// file.
 	ErrCodeIncorrectTrustAnchorException = "IncorrectTrustAnchorException"
@@ -274,9 +286,17 @@ const (
 	// The request was rejected because the state of the specified resource is not
 	// valid for this request.
 	//
-	// For more information about how key state affects the use of a KMS key, see
-	// Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
-	// in the Key Management Service Developer Guide .
+	// This exceptions means one of the following:
+	//
+	//    * The key state of the KMS key is not compatible with the operation. To
+	//    find the key state, use the DescribeKey operation. For more information
+	//    about which key states are compatible with each KMS operation, see Key
+	//    states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+	//    in the Key Management Service Developer Guide .
+	//
+	//    * For cryptographic operations on KMS keys in custom key stores, this
+	//    exception represents a general failure with many possible causes. To identify
+	//    the cause, see the error message that accompanies the exception.
 	ErrCodeInvalidStateException = "KMSInvalidStateException"
 
 	// ErrCodeKMSInvalidMacException for service response error code
@@ -336,41 +356,170 @@ const (
 	// The request was rejected because a specified parameter is not supported or
 	// a specified resource is not valid for this operation.
 	ErrCodeUnsupportedOperationException = "UnsupportedOperationException"
+
+	// ErrCodeXksKeyAlreadyInUseException for service response error code
+	// "XksKeyAlreadyInUseException".
+	//
+	// The request was rejected because the (XksKeyId) is already associated with
+	// a KMS key in this external key store. Each KMS key in an external key store
+	// must be associated with a different external key.
+	ErrCodeXksKeyAlreadyInUseException = "XksKeyAlreadyInUseException"
+
+	// ErrCodeXksKeyInvalidConfigurationException for service response error code
+	// "XksKeyInvalidConfigurationException".
+	//
+	// The request was rejected because the external key specified by the XksKeyId
+	// parameter did not meet the configuration requirements for an external key
+	// store.
+	//
+	// The external key must be an AES-256 symmetric key that is enabled and performs
+	// encryption and decryption.
+	ErrCodeXksKeyInvalidConfigurationException = "XksKeyInvalidConfigurationException"
+
+	// ErrCodeXksKeyNotFoundException for service response error code
+	// "XksKeyNotFoundException".
+	//
+	// The request was rejected because the external key store proxy could not find
+	// the external key. This exception is thrown when the value of the XksKeyId
+	// parameter doesn't identify a key in the external key manager associated with
+	// the external key proxy.
+	//
+	// Verify that the XksKeyId represents an existing key in the external key manager.
+	// Use the key identifier that the external key store proxy uses to identify
+	// the key. For details, see the documentation provided with your external key
+	// store proxy or key manager.
+	ErrCodeXksKeyNotFoundException = "XksKeyNotFoundException"
+
+	// ErrCodeXksProxyIncorrectAuthenticationCredentialException for service response error code
+	// "XksProxyIncorrectAuthenticationCredentialException".
+	//
+	// The request was rejected because the proxy credentials failed to authenticate
+	// to the specified external key store proxy. The specified external key store
+	// proxy rejected a status request from KMS due to invalid credentials. This
+	// can indicate an error in the credentials or in the identification of the
+	// external key store proxy.
+	ErrCodeXksProxyIncorrectAuthenticationCredentialException = "XksProxyIncorrectAuthenticationCredentialException"
+
+	// ErrCodeXksProxyInvalidConfigurationException for service response error code
+	// "XksProxyInvalidConfigurationException".
+	//
+	// The request was rejected because the Amazon VPC endpoint service configuration
+	// does not fulfill the requirements for an external key store proxy. For details,
+	// see the exception message.
+	ErrCodeXksProxyInvalidConfigurationException = "XksProxyInvalidConfigurationException"
+
+	// ErrCodeXksProxyInvalidResponseException for service response error code
+	// "XksProxyInvalidResponseException".
+	//
+	// KMS cannot interpret the response it received from the external key store
+	// proxy. The problem might be a poorly constructed response, but it could also
+	// be a transient network issue. If you see this error repeatedly, report it
+	// to the proxy vendor.
+	ErrCodeXksProxyInvalidResponseException = "XksProxyInvalidResponseException"
+
+	// ErrCodeXksProxyUriEndpointInUseException for service response error code
+	// "XksProxyUriEndpointInUseException".
+	//
+	// The request was rejected because the concatenation of the XksProxyUriEndpoint
+	// is already associated with an external key store in the Amazon Web Services
+	// account and Region. Each external key store in an account and Region must
+	// use a unique external key store proxy address.
+	ErrCodeXksProxyUriEndpointInUseException = "XksProxyUriEndpointInUseException"
+
+	// ErrCodeXksProxyUriInUseException for service response error code
+	// "XksProxyUriInUseException".
+	//
+	// The request was rejected because the concatenation of the XksProxyUriEndpoint
+	// and XksProxyUriPath is already associated with an external key store in the
+	// Amazon Web Services account and Region. Each external key store in an account
+	// and Region must use a unique external key store proxy API address.
+	ErrCodeXksProxyUriInUseException = "XksProxyUriInUseException"
+
+	// ErrCodeXksProxyUriUnreachableException for service response error code
+	// "XksProxyUriUnreachableException".
+	//
+	// KMS was unable to reach the specified XksProxyUriPath. The path must be reachable
+	// before you create the external key store or update its settings.
+	//
+	// This exception is also thrown when the external key store proxy response
+	// to a GetHealthStatus request indicates that all external key manager instances
+	// are unavailable.
+	ErrCodeXksProxyUriUnreachableException = "XksProxyUriUnreachableException"
+
+	// ErrCodeXksProxyVpcEndpointServiceInUseException for service response error code
+	// "XksProxyVpcEndpointServiceInUseException".
+	//
+	// The request was rejected because the specified Amazon VPC endpoint service
+	// is already associated with an external key store in the Amazon Web Services
+	// account and Region. Each external key store in an Amazon Web Services account
+	// and Region must use a different Amazon VPC endpoint service.
+	ErrCodeXksProxyVpcEndpointServiceInUseException = "XksProxyVpcEndpointServiceInUseException"
+
+	// ErrCodeXksProxyVpcEndpointServiceInvalidConfigurationException for service response error code
+	// "XksProxyVpcEndpointServiceInvalidConfigurationException".
+	//
+	// The request was rejected because the Amazon VPC endpoint service configuration
+	// does not fulfill the requirements for an external key store proxy. For details,
+	// see the exception message and review the requirements (kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements)
+	// for Amazon VPC endpoint service connectivity for an external key store.
+	ErrCodeXksProxyVpcEndpointServiceInvalidConfigurationException = "XksProxyVpcEndpointServiceInvalidConfigurationException"
+
+	// ErrCodeXksProxyVpcEndpointServiceNotFoundException for service response error code
+	// "XksProxyVpcEndpointServiceNotFoundException".
+	//
+	// The request was rejected because KMS could not find the specified VPC endpoint
+	// service. Use DescribeCustomKeyStores to verify the VPC endpoint service name
+	// for the external key store. Also, confirm that the Allow principals list
+	// for the VPC endpoint service includes the KMS service principal for the Region,
+	// such as cks.kms.us-east-1.amazonaws.com.
+	ErrCodeXksProxyVpcEndpointServiceNotFoundException = "XksProxyVpcEndpointServiceNotFoundException"
 )
 
 var exceptionFromCode = map[string]func(protocol.ResponseMetadata) error{
-	"AlreadyExistsException":                       newErrorAlreadyExistsException,
-	"CloudHsmClusterInUseException":                newErrorCloudHsmClusterInUseException,
-	"CloudHsmClusterInvalidConfigurationException": newErrorCloudHsmClusterInvalidConfigurationException,
-	"CloudHsmClusterNotActiveException":            newErrorCloudHsmClusterNotActiveException,
-	"CloudHsmClusterNotFoundException":             newErrorCloudHsmClusterNotFoundException,
-	"CloudHsmClusterNotRelatedException":           newErrorCloudHsmClusterNotRelatedException,
-	"CustomKeyStoreHasCMKsException":               newErrorCustomKeyStoreHasCMKsException,
-	"CustomKeyStoreInvalidStateException":          newErrorCustomKeyStoreInvalidStateException,
-	"CustomKeyStoreNameInUseException":             newErrorCustomKeyStoreNameInUseException,
-	"CustomKeyStoreNotFoundException":              newErrorCustomKeyStoreNotFoundException,
-	"DependencyTimeoutException":                   newErrorDependencyTimeoutException,
-	"DisabledException":                            newErrorDisabledException,
-	"ExpiredImportTokenException":                  newErrorExpiredImportTokenException,
-	"IncorrectKeyException":                        newErrorIncorrectKeyException,
-	"IncorrectKeyMaterialException":                newErrorIncorrectKeyMaterialException,
-	"IncorrectTrustAnchorException":                newErrorIncorrectTrustAnchorException,
-	"KMSInternalException":                         newErrorInternalException,
-	"InvalidAliasNameException":                    newErrorInvalidAliasNameException,
-	"InvalidArnException":                          newErrorInvalidArnException,
-	"InvalidCiphertextException":                   newErrorInvalidCiphertextException,
-	"InvalidGrantIdException":                      newErrorInvalidGrantIdException,
-	"InvalidGrantTokenException":                   newErrorInvalidGrantTokenException,
-	"InvalidImportTokenException":                  newErrorInvalidImportTokenException,
-	"InvalidKeyUsageException":                     newErrorInvalidKeyUsageException,
-	"InvalidMarkerException":                       newErrorInvalidMarkerException,
-	"KMSInvalidStateException":                     newErrorInvalidStateException,
-	"KMSInvalidMacException":                       newErrorKMSInvalidMacException,
-	"KMSInvalidSignatureException":                 newErrorKMSInvalidSignatureException,
-	"KeyUnavailableException":                      newErrorKeyUnavailableException,
-	"LimitExceededException":                       newErrorLimitExceededException,
-	"MalformedPolicyDocumentException":             newErrorMalformedPolicyDocumentException,
-	"NotFoundException":                            newErrorNotFoundException,
-	"TagException":                                 newErrorTagException,
-	"UnsupportedOperationException":                newErrorUnsupportedOperationException,
+	"AlreadyExistsException":                                  newErrorAlreadyExistsException,
+	"CloudHsmClusterInUseException":                           newErrorCloudHsmClusterInUseException,
+	"CloudHsmClusterInvalidConfigurationException":            newErrorCloudHsmClusterInvalidConfigurationException,
+	"CloudHsmClusterNotActiveException":                       newErrorCloudHsmClusterNotActiveException,
+	"CloudHsmClusterNotFoundException":                        newErrorCloudHsmClusterNotFoundException,
+	"CloudHsmClusterNotRelatedException":                      newErrorCloudHsmClusterNotRelatedException,
+	"CustomKeyStoreHasCMKsException":                          newErrorCustomKeyStoreHasCMKsException,
+	"CustomKeyStoreInvalidStateException":                     newErrorCustomKeyStoreInvalidStateException,
+	"CustomKeyStoreNameInUseException":                        newErrorCustomKeyStoreNameInUseException,
+	"CustomKeyStoreNotFoundException":                         newErrorCustomKeyStoreNotFoundException,
+	"DependencyTimeoutException":                              newErrorDependencyTimeoutException,
+	"DisabledException":                                       newErrorDisabledException,
+	"ExpiredImportTokenException":                             newErrorExpiredImportTokenException,
+	"IncorrectKeyException":                                   newErrorIncorrectKeyException,
+	"IncorrectKeyMaterialException":                           newErrorIncorrectKeyMaterialException,
+	"IncorrectTrustAnchorException":                           newErrorIncorrectTrustAnchorException,
+	"KMSInternalException":                                    newErrorInternalException,
+	"InvalidAliasNameException":                               newErrorInvalidAliasNameException,
+	"InvalidArnException":                                     newErrorInvalidArnException,
+	"InvalidCiphertextException":                              newErrorInvalidCiphertextException,
+	"InvalidGrantIdException":                                 newErrorInvalidGrantIdException,
+	"InvalidGrantTokenException":                              newErrorInvalidGrantTokenException,
+	"InvalidImportTokenException":                             newErrorInvalidImportTokenException,
+	"InvalidKeyUsageException":                                newErrorInvalidKeyUsageException,
+	"InvalidMarkerException":                                  newErrorInvalidMarkerException,
+	"KMSInvalidStateException":                                newErrorInvalidStateException,
+	"KMSInvalidMacException":                                  newErrorKMSInvalidMacException,
+	"KMSInvalidSignatureException":                            newErrorKMSInvalidSignatureException,
+	"KeyUnavailableException":                                 newErrorKeyUnavailableException,
+	"LimitExceededException":                                  newErrorLimitExceededException,
+	"MalformedPolicyDocumentException":                        newErrorMalformedPolicyDocumentException,
+	"NotFoundException":                                       newErrorNotFoundException,
+	"TagException":                                            newErrorTagException,
+	"UnsupportedOperationException":                           newErrorUnsupportedOperationException,
+	"XksKeyAlreadyInUseException":                             newErrorXksKeyAlreadyInUseException,
+	"XksKeyInvalidConfigurationException":                     newErrorXksKeyInvalidConfigurationException,
+	"XksKeyNotFoundException":                                 newErrorXksKeyNotFoundException,
+	"XksProxyIncorrectAuthenticationCredentialException":      newErrorXksProxyIncorrectAuthenticationCredentialException,
+	"XksProxyInvalidConfigurationException":                   newErrorXksProxyInvalidConfigurationException,
+	"XksProxyInvalidResponseException":                        newErrorXksProxyInvalidResponseException,
+	"XksProxyUriEndpointInUseException":                       newErrorXksProxyUriEndpointInUseException,
+	"XksProxyUriInUseException":                               newErrorXksProxyUriInUseException,
+	"XksProxyUriUnreachableException":                         newErrorXksProxyUriUnreachableException,
+	"XksProxyVpcEndpointServiceInUseException":                newErrorXksProxyVpcEndpointServiceInUseException,
+	"XksProxyVpcEndpointServiceInvalidConfigurationException": newErrorXksProxyVpcEndpointServiceInvalidConfigurationException,
+	"XksProxyVpcEndpointServiceNotFoundException":             newErrorXksProxyVpcEndpointServiceNotFoundException,
 }
diff --git a/vendor/github.com/ceph/go-ceph/rados/ioctx_pool_alignment.go b/vendor/github.com/ceph/go-ceph/rados/ioctx_pool_alignment.go
index 7ea47df84..5e47aaafb 100644
--- a/vendor/github.com/ceph/go-ceph/rados/ioctx_pool_alignment.go
+++ b/vendor/github.com/ceph/go-ceph/rados/ioctx_pool_alignment.go
@@ -1,6 +1,3 @@
-//go:build ceph_preview
-// +build ceph_preview
-
 package rados
 
 // #cgo LDFLAGS: -lrados
diff --git a/vendor/github.com/ceph/go-ceph/rados/ioctx_pool_requires_alignment.go b/vendor/github.com/ceph/go-ceph/rados/ioctx_pool_requires_alignment.go
index 0ec5fed27..a1b4c5c00 100644
--- a/vendor/github.com/ceph/go-ceph/rados/ioctx_pool_requires_alignment.go
+++ b/vendor/github.com/ceph/go-ceph/rados/ioctx_pool_requires_alignment.go
@@ -1,6 +1,3 @@
-//go:build ceph_preview
-// +build ceph_preview
-
 package rados
 
 // #cgo LDFLAGS: -lrados
diff --git a/vendor/github.com/ceph/go-ceph/rados/ioctx_set_alloc_hint.go b/vendor/github.com/ceph/go-ceph/rados/ioctx_set_alloc_hint.go
index dbb75188d..7cc2df563 100644
--- a/vendor/github.com/ceph/go-ceph/rados/ioctx_set_alloc_hint.go
+++ b/vendor/github.com/ceph/go-ceph/rados/ioctx_set_alloc_hint.go
@@ -1,6 +1,3 @@
-//go:build ceph_preview
-// +build ceph_preview
-
 package rados
 
 // #cgo LDFLAGS: -lrados
diff --git a/vendor/github.com/ceph/go-ceph/rados/write_op_set_alloc_hint.go b/vendor/github.com/ceph/go-ceph/rados/write_op_set_alloc_hint.go
index c9cc65729..83cfe9e4d 100644
--- a/vendor/github.com/ceph/go-ceph/rados/write_op_set_alloc_hint.go
+++ b/vendor/github.com/ceph/go-ceph/rados/write_op_set_alloc_hint.go
@@ -1,6 +1,3 @@
-//go:build ceph_preview
-// +build ceph_preview
-
 package rados
 
 // #cgo LDFLAGS: -lrados
diff --git a/vendor/github.com/ceph/go-ceph/rbd/rbd.go b/vendor/github.com/ceph/go-ceph/rbd/rbd.go
index 5f27bb7d2..51deddfb0 100644
--- a/vendor/github.com/ceph/go-ceph/rbd/rbd.go
+++ b/vendor/github.com/ceph/go-ceph/rbd/rbd.go
@@ -984,7 +984,7 @@ func GetTrashList(ioctx *rados.IOContext) ([]TrashInfo, error) {
 		count   C.size_t
 		entries []C.rbd_trash_image_info_t
 	)
-	retry.WithSizes(32, 1024, func(size int) retry.Hint {
+	retry.WithSizes(32, 10240, func(size int) retry.Hint {
 		count = C.size_t(size)
 		entries = make([]C.rbd_trash_image_info_t, count)
 		ret := C.rbd_trash_list(cephIoctx(ioctx), &entries[0], &count)
diff --git a/vendor/golang.org/x/net/http2/flow.go b/vendor/golang.org/x/net/http2/flow.go
index b51f0e0cf..750ac52f2 100644
--- a/vendor/golang.org/x/net/http2/flow.go
+++ b/vendor/golang.org/x/net/http2/flow.go
@@ -6,23 +6,91 @@
 
 package http2
 
-// flow is the flow control window's size.
-type flow struct {
+// inflowMinRefresh is the minimum number of bytes we'll send for a
+// flow control window update.
+const inflowMinRefresh = 4 << 10
+
+// inflow accounts for an inbound flow control window.
+// It tracks both the latest window sent to the peer (used for enforcement)
+// and the accumulated unsent window.
+type inflow struct {
+	avail  int32
+	unsent int32
+}
+
+// set sets the initial window.
+func (f *inflow) init(n int32) {
+	f.avail = n
+}
+
+// add adds n bytes to the window, with a maximum window size of max,
+// indicating that the peer can now send us more data.
+// For example, the user read from a {Request,Response} body and consumed
+// some of the buffered data, so the peer can now send more.
+// It returns the number of bytes to send in a WINDOW_UPDATE frame to the peer.
+// Window updates are accumulated and sent when the unsent capacity
+// is at least inflowMinRefresh or will at least double the peer's available window.
+func (f *inflow) add(n int) (connAdd int32) {
+	if n < 0 {
+		panic("negative update")
+	}
+	unsent := int64(f.unsent) + int64(n)
+	// "A sender MUST NOT allow a flow-control window to exceed 2^31-1 octets."
+	// RFC 7540 Section 6.9.1.
+	const maxWindow = 1<<31 - 1
+	if unsent+int64(f.avail) > maxWindow {
+		panic("flow control update exceeds maximum window size")
+	}
+	f.unsent = int32(unsent)
+	if f.unsent < inflowMinRefresh && f.unsent < f.avail {
+		// If there aren't at least inflowMinRefresh bytes of window to send,
+		// and this update won't at least double the window, buffer the update for later.
+		return 0
+	}
+	f.avail += f.unsent
+	f.unsent = 0
+	return int32(unsent)
+}
+
+// take attempts to take n bytes from the peer's flow control window.
+// It reports whether the window has available capacity.
+func (f *inflow) take(n uint32) bool {
+	if n > uint32(f.avail) {
+		return false
+	}
+	f.avail -= int32(n)
+	return true
+}
+
+// takeInflows attempts to take n bytes from two inflows,
+// typically connection-level and stream-level flows.
+// It reports whether both windows have available capacity.
+func takeInflows(f1, f2 *inflow, n uint32) bool {
+	if n > uint32(f1.avail) || n > uint32(f2.avail) {
+		return false
+	}
+	f1.avail -= int32(n)
+	f2.avail -= int32(n)
+	return true
+}
+
+// outflow is the outbound flow control window's size.
+type outflow struct {
 	_ incomparable
 
 	// n is the number of DATA bytes we're allowed to send.
-	// A flow is kept both on a conn and a per-stream.
+	// An outflow is kept both on a conn and a per-stream.
 	n int32
 
-	// conn points to the shared connection-level flow that is
-	// shared by all streams on that conn. It is nil for the flow
+	// conn points to the shared connection-level outflow that is
+	// shared by all streams on that conn. It is nil for the outflow
 	// that's on the conn directly.
-	conn *flow
+	conn *outflow
 }
 
-func (f *flow) setConnFlow(cf *flow) { f.conn = cf }
+func (f *outflow) setConnFlow(cf *outflow) { f.conn = cf }
 
-func (f *flow) available() int32 {
+func (f *outflow) available() int32 {
 	n := f.n
 	if f.conn != nil && f.conn.n < n {
 		n = f.conn.n
@@ -30,7 +98,7 @@ func (f *flow) available() int32 {
 	return n
 }
 
-func (f *flow) take(n int32) {
+func (f *outflow) take(n int32) {
 	if n > f.available() {
 		panic("internal error: took too much")
 	}
@@ -42,7 +110,7 @@ func (f *flow) take(n int32) {
 
 // add adds n bytes (positive or negative) to the flow control window.
 // It returns false if the sum would exceed 2^31-1.
-func (f *flow) add(n int32) bool {
+func (f *outflow) add(n int32) bool {
 	sum := f.n + n
 	if (sum > n) == (f.n > 0) {
 		f.n = sum
diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go
index 4eb7617fa..b624dc0a7 100644
--- a/vendor/golang.org/x/net/http2/server.go
+++ b/vendor/golang.org/x/net/http2/server.go
@@ -448,7 +448,7 @@ func (s *Server) ServeConn(c net.Conn, opts *ServeConnOpts) {
 	// configured value for inflow, that will be updated when we send a
 	// WINDOW_UPDATE shortly after sending SETTINGS.
 	sc.flow.add(initialWindowSize)
-	sc.inflow.add(initialWindowSize)
+	sc.inflow.init(initialWindowSize)
 	sc.hpackEncoder = hpack.NewEncoder(&sc.headerWriteBuf)
 	sc.hpackEncoder.SetMaxDynamicTableSizeLimit(s.maxEncoderHeaderTableSize())
 
@@ -563,8 +563,8 @@ type serverConn struct {
 	wroteFrameCh     chan frameWriteResult  // from writeFrameAsync -> serve, tickles more frame writes
 	bodyReadCh       chan bodyReadMsg       // from handlers -> serve
 	serveMsgCh       chan interface{}       // misc messages & code to send to / run on the serve loop
-	flow             flow                   // conn-wide (not stream-specific) outbound flow control
-	inflow           flow                   // conn-wide inbound flow control
+	flow             outflow                // conn-wide (not stream-specific) outbound flow control
+	inflow           inflow                 // conn-wide inbound flow control
 	tlsState         *tls.ConnectionState   // shared by all handlers, like net/http
 	remoteAddrStr    string
 	writeSched       WriteScheduler
@@ -641,10 +641,10 @@ type stream struct {
 	cancelCtx func()
 
 	// owned by serverConn's serve loop:
-	bodyBytes        int64 // body bytes seen so far
-	declBodyBytes    int64 // or -1 if undeclared
-	flow             flow  // limits writing from Handler to client
-	inflow           flow  // what the client is allowed to POST/etc to us
+	bodyBytes        int64   // body bytes seen so far
+	declBodyBytes    int64   // or -1 if undeclared
+	flow             outflow // limits writing from Handler to client
+	inflow           inflow  // what the client is allowed to POST/etc to us
 	state            streamState
 	resetQueued      bool        // RST_STREAM queued for write; set by sc.resetStream
 	gotTrailerHeader bool        // HEADER frame for trailers was seen
@@ -1503,7 +1503,7 @@ func (sc *serverConn) processFrame(f Frame) error {
 	if sc.inGoAway && (sc.goAwayCode != ErrCodeNo || f.Header().StreamID > sc.maxClientStreamID) {
 
 		if f, ok := f.(*DataFrame); ok {
-			if sc.inflow.available() < int32(f.Length) {
+			if !sc.inflow.take(f.Length) {
 				return sc.countError("data_flow", streamError(f.Header().StreamID, ErrCodeFlowControl))
 			}
 			sc.sendWindowUpdate(nil, int(f.Length)) // conn-level
@@ -1775,14 +1775,9 @@ func (sc *serverConn) processData(f *DataFrame) error {
 		// But still enforce their connection-level flow control,
 		// and return any flow control bytes since we're not going
 		// to consume them.
-		if sc.inflow.available() < int32(f.Length) {
+		if !sc.inflow.take(f.Length) {
 			return sc.countError("data_flow", streamError(id, ErrCodeFlowControl))
 		}
-		// Deduct the flow control from inflow, since we're
-		// going to immediately add it back in
-		// sendWindowUpdate, which also schedules sending the
-		// frames.
-		sc.inflow.take(int32(f.Length))
 		sc.sendWindowUpdate(nil, int(f.Length)) // conn-level
 
 		if st != nil && st.resetQueued {
@@ -1797,10 +1792,9 @@ func (sc *serverConn) processData(f *DataFrame) error {
 
 	// Sender sending more than they'd declared?
 	if st.declBodyBytes != -1 && st.bodyBytes+int64(len(data)) > st.declBodyBytes {
-		if sc.inflow.available() < int32(f.Length) {
+		if !sc.inflow.take(f.Length) {
 			return sc.countError("data_flow", streamError(id, ErrCodeFlowControl))
 		}
-		sc.inflow.take(int32(f.Length))
 		sc.sendWindowUpdate(nil, int(f.Length)) // conn-level
 
 		st.body.CloseWithError(fmt.Errorf("sender tried to send more than declared Content-Length of %d bytes", st.declBodyBytes))
@@ -1811,10 +1805,9 @@ func (sc *serverConn) processData(f *DataFrame) error {
 	}
 	if f.Length > 0 {
 		// Check whether the client has flow control quota.
-		if st.inflow.available() < int32(f.Length) {
+		if !takeInflows(&sc.inflow, &st.inflow, f.Length) {
 			return sc.countError("flow_on_data_length", streamError(id, ErrCodeFlowControl))
 		}
-		st.inflow.take(int32(f.Length))
 
 		if len(data) > 0 {
 			wrote, err := st.body.Write(data)
@@ -1830,10 +1823,12 @@ func (sc *serverConn) processData(f *DataFrame) error {
 
 		// Return any padded flow control now, since we won't
 		// refund it later on body reads.
-		if pad := int32(f.Length) - int32(len(data)); pad > 0 {
-			sc.sendWindowUpdate32(nil, pad)
-			sc.sendWindowUpdate32(st, pad)
-		}
+		// Call sendWindowUpdate even if there is no padding,
+		// to return buffered flow control credit if the sent
+		// window has shrunk.
+		pad := int32(f.Length) - int32(len(data))
+		sc.sendWindowUpdate32(nil, pad)
+		sc.sendWindowUpdate32(st, pad)
 	}
 	if f.StreamEnded() {
 		st.endStream()
@@ -2105,8 +2100,7 @@ func (sc *serverConn) newStream(id, pusherID uint32, state streamState) *stream
 	st.cw.Init()
 	st.flow.conn = &sc.flow // link to conn-level counter
 	st.flow.add(sc.initialStreamSendWindowSize)
-	st.inflow.conn = &sc.inflow // link to conn-level counter
-	st.inflow.add(sc.srv.initialStreamRecvWindowSize())
+	st.inflow.init(sc.srv.initialStreamRecvWindowSize())
 	if sc.hs.WriteTimeout != 0 {
 		st.writeDeadline = time.AfterFunc(sc.hs.WriteTimeout, st.onWriteTimeout)
 	}
@@ -2388,47 +2382,28 @@ func (sc *serverConn) noteBodyRead(st *stream, n int) {
 }
 
 // st may be nil for conn-level
-func (sc *serverConn) sendWindowUpdate(st *stream, n int) {
-	sc.serveG.check()
-	// "The legal range for the increment to the flow control
-	// window is 1 to 2^31-1 (2,147,483,647) octets."
-	// A Go Read call on 64-bit machines could in theory read
-	// a larger Read than this. Very unlikely, but we handle it here
-	// rather than elsewhere for now.
-	const maxUint31 = 1<<31 - 1
-	for n > maxUint31 {
-		sc.sendWindowUpdate32(st, maxUint31)
-		n -= maxUint31
-	}
-	sc.sendWindowUpdate32(st, int32(n))
+func (sc *serverConn) sendWindowUpdate32(st *stream, n int32) {
+	sc.sendWindowUpdate(st, int(n))
 }
 
 // st may be nil for conn-level
-func (sc *serverConn) sendWindowUpdate32(st *stream, n int32) {
+func (sc *serverConn) sendWindowUpdate(st *stream, n int) {
 	sc.serveG.check()
-	if n == 0 {
+	var streamID uint32
+	var send int32
+	if st == nil {
+		send = sc.inflow.add(n)
+	} else {
+		streamID = st.id
+		send = st.inflow.add(n)
+	}
+	if send == 0 {
 		return
 	}
-	if n < 0 {
-		panic("negative update")
-	}
-	var streamID uint32
-	if st != nil {
-		streamID = st.id
-	}
 	sc.writeFrame(FrameWriteRequest{
-		write:  writeWindowUpdate{streamID: streamID, n: uint32(n)},
+		write:  writeWindowUpdate{streamID: streamID, n: uint32(send)},
 		stream: st,
 	})
-	var ok bool
-	if st == nil {
-		ok = sc.inflow.add(n)
-	} else {
-		ok = st.inflow.add(n)
-	}
-	if !ok {
-		panic("internal error; sent too many window updates without decrements?")
-	}
 }
 
 // requestBody is the Handler's Request.Body type.
diff --git a/vendor/golang.org/x/net/http2/transport.go b/vendor/golang.org/x/net/http2/transport.go
index 30f706e6c..b43ec10cf 100644
--- a/vendor/golang.org/x/net/http2/transport.go
+++ b/vendor/golang.org/x/net/http2/transport.go
@@ -47,10 +47,6 @@ const (
 	// we buffer per stream.
 	transportDefaultStreamFlow = 4 << 20
 
-	// transportDefaultStreamMinRefresh is the minimum number of bytes we'll send
-	// a stream-level WINDOW_UPDATE for at a time.
-	transportDefaultStreamMinRefresh = 4 << 10
-
 	defaultUserAgent = "Go-http-client/2.0"
 
 	// initialMaxConcurrentStreams is a connections maxConcurrentStreams until
@@ -310,8 +306,8 @@ type ClientConn struct {
 
 	mu              sync.Mutex // guards following
 	cond            *sync.Cond // hold mu; broadcast on flow/closed changes
-	flow            flow       // our conn-level flow control quota (cs.flow is per stream)
-	inflow          flow       // peer's conn-level flow control
+	flow            outflow    // our conn-level flow control quota (cs.outflow is per stream)
+	inflow          inflow     // peer's conn-level flow control
 	doNotReuse      bool       // whether conn is marked to not be reused for any future requests
 	closing         bool
 	closed          bool
@@ -376,10 +372,10 @@ type clientStream struct {
 	respHeaderRecv chan struct{}  // closed when headers are received
 	res            *http.Response // set if respHeaderRecv is closed
 
-	flow        flow  // guarded by cc.mu
-	inflow      flow  // guarded by cc.mu
-	bytesRemain int64 // -1 means unknown; owned by transportResponseBody.Read
-	readErr     error // sticky read error; owned by transportResponseBody.Read
+	flow        outflow // guarded by cc.mu
+	inflow      inflow  // guarded by cc.mu
+	bytesRemain int64   // -1 means unknown; owned by transportResponseBody.Read
+	readErr     error   // sticky read error; owned by transportResponseBody.Read
 
 	reqBody              io.ReadCloser
 	reqBodyContentLength int64         // -1 means unknown
@@ -811,7 +807,7 @@ func (t *Transport) newClientConn(c net.Conn, singleUse bool) (*ClientConn, erro
 	cc.bw.Write(clientPreface)
 	cc.fr.WriteSettings(initialSettings...)
 	cc.fr.WriteWindowUpdate(0, transportDefaultConnFlow)
-	cc.inflow.add(transportDefaultConnFlow + initialWindowSize)
+	cc.inflow.init(transportDefaultConnFlow + initialWindowSize)
 	cc.bw.Flush()
 	if cc.werr != nil {
 		cc.Close()
@@ -2073,8 +2069,7 @@ type resAndError struct {
 func (cc *ClientConn) addStreamLocked(cs *clientStream) {
 	cs.flow.add(int32(cc.initialWindowSize))
 	cs.flow.setConnFlow(&cc.flow)
-	cs.inflow.add(transportDefaultStreamFlow)
-	cs.inflow.setConnFlow(&cc.inflow)
+	cs.inflow.init(transportDefaultStreamFlow)
 	cs.ID = cc.nextStreamID
 	cc.nextStreamID += 2
 	cc.streams[cs.ID] = cs
@@ -2533,21 +2528,10 @@ func (b transportResponseBody) Read(p []byte) (n int, err error) {
 	}
 
 	cc.mu.Lock()
-	var connAdd, streamAdd int32
-	// Check the conn-level first, before the stream-level.
-	if v := cc.inflow.available(); v < transportDefaultConnFlow/2 {
-		connAdd = transportDefaultConnFlow - v
-		cc.inflow.add(connAdd)
-	}
+	connAdd := cc.inflow.add(n)
+	var streamAdd int32
 	if err == nil { // No need to refresh if the stream is over or failed.
-		// Consider any buffered body data (read from the conn but not
-		// consumed by the client) when computing flow control for this
-		// stream.
-		v := int(cs.inflow.available()) + cs.bufPipe.Len()
-		if v < transportDefaultStreamFlow-transportDefaultStreamMinRefresh {
-			streamAdd = int32(transportDefaultStreamFlow - v)
-			cs.inflow.add(streamAdd)
-		}
+		streamAdd = cs.inflow.add(n)
 	}
 	cc.mu.Unlock()
 
@@ -2575,17 +2559,15 @@ func (b transportResponseBody) Close() error {
 	if unread > 0 {
 		cc.mu.Lock()
 		// Return connection-level flow control.
-		if unread > 0 {
-			cc.inflow.add(int32(unread))
-		}
+		connAdd := cc.inflow.add(unread)
 		cc.mu.Unlock()
 
 		// TODO(dneil): Acquiring this mutex can block indefinitely.
 		// Move flow control return to a goroutine?
 		cc.wmu.Lock()
 		// Return connection-level flow control.
-		if unread > 0 {
-			cc.fr.WriteWindowUpdate(0, uint32(unread))
+		if connAdd > 0 {
+			cc.fr.WriteWindowUpdate(0, uint32(connAdd))
 		}
 		cc.bw.Flush()
 		cc.wmu.Unlock()
@@ -2628,13 +2610,18 @@ func (rl *clientConnReadLoop) processData(f *DataFrame) error {
 		// But at least return their flow control:
 		if f.Length > 0 {
 			cc.mu.Lock()
-			cc.inflow.add(int32(f.Length))
+			ok := cc.inflow.take(f.Length)
+			connAdd := cc.inflow.add(int(f.Length))
 			cc.mu.Unlock()
-
-			cc.wmu.Lock()
-			cc.fr.WriteWindowUpdate(0, uint32(f.Length))
-			cc.bw.Flush()
-			cc.wmu.Unlock()
+			if !ok {
+				return ConnectionError(ErrCodeFlowControl)
+			}
+			if connAdd > 0 {
+				cc.wmu.Lock()
+				cc.fr.WriteWindowUpdate(0, uint32(connAdd))
+				cc.bw.Flush()
+				cc.wmu.Unlock()
+			}
 		}
 		return nil
 	}
@@ -2665,9 +2652,7 @@ func (rl *clientConnReadLoop) processData(f *DataFrame) error {
 		}
 		// Check connection-level flow control.
 		cc.mu.Lock()
-		if cs.inflow.available() >= int32(f.Length) {
-			cs.inflow.take(int32(f.Length))
-		} else {
+		if !takeInflows(&cc.inflow, &cs.inflow, f.Length) {
 			cc.mu.Unlock()
 			return ConnectionError(ErrCodeFlowControl)
 		}
@@ -2689,19 +2674,20 @@ func (rl *clientConnReadLoop) processData(f *DataFrame) error {
 			}
 		}
 
-		if refund > 0 {
-			cc.inflow.add(int32(refund))
-			if !didReset {
-				cs.inflow.add(int32(refund))
-			}
+		sendConn := cc.inflow.add(refund)
+		var sendStream int32
+		if !didReset {
+			sendStream = cs.inflow.add(refund)
 		}
 		cc.mu.Unlock()
 
-		if refund > 0 {
+		if sendConn > 0 || sendStream > 0 {
 			cc.wmu.Lock()
-			cc.fr.WriteWindowUpdate(0, uint32(refund))
-			if !didReset {
-				cc.fr.WriteWindowUpdate(cs.ID, uint32(refund))
+			if sendConn > 0 {
+				cc.fr.WriteWindowUpdate(0, uint32(sendConn))
+			}
+			if sendStream > 0 {
+				cc.fr.WriteWindowUpdate(cs.ID, uint32(sendStream))
 			}
 			cc.bw.Flush()
 			cc.wmu.Unlock()
diff --git a/vendor/golang.org/x/sys/cpu/cpu_linux_arm64.go b/vendor/golang.org/x/sys/cpu/cpu_linux_arm64.go
index 79a38a0b9..a968b80fa 100644
--- a/vendor/golang.org/x/sys/cpu/cpu_linux_arm64.go
+++ b/vendor/golang.org/x/sys/cpu/cpu_linux_arm64.go
@@ -4,6 +4,11 @@
 
 package cpu
 
+import (
+	"strings"
+	"syscall"
+)
+
 // HWCAP/HWCAP2 bits. These are exposed by Linux.
 const (
 	hwcap_FP       = 1 << 0
@@ -32,10 +37,45 @@ const (
 	hwcap_ASIMDFHM = 1 << 23
 )
 
+// linuxKernelCanEmulateCPUID reports whether we're running
+// on Linux 4.11+. Ideally we'd like to ask the question about
+// whether the current kernel contains
+// https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=77c97b4ee21290f5f083173d957843b615abbff2
+// but the version number will have to do.
+func linuxKernelCanEmulateCPUID() bool {
+	var un syscall.Utsname
+	syscall.Uname(&un)
+	var sb strings.Builder
+	for _, b := range un.Release[:] {
+		if b == 0 {
+			break
+		}
+		sb.WriteByte(byte(b))
+	}
+	major, minor, _, ok := parseRelease(sb.String())
+	return ok && (major > 4 || major == 4 && minor >= 11)
+}
+
 func doinit() {
 	if err := readHWCAP(); err != nil {
-		// failed to read /proc/self/auxv, try reading registers directly
-		readARM64Registers()
+		// We failed to read /proc/self/auxv. This can happen if the binary has
+		// been given extra capabilities(7) with /bin/setcap.
+		//
+		// When this happens, we have two options. If the Linux kernel is new
+		// enough (4.11+), we can read the arm64 registers directly which'll
+		// trap into the kernel and then return back to userspace.
+		//
+		// But on older kernels, such as Linux 4.4.180 as used on many Synology
+		// devices, calling readARM64Registers (specifically getisar0) will
+		// cause a SIGILL and we'll die. So for older kernels, parse /proc/cpuinfo
+		// instead.
+		//
+		// See golang/go#57336.
+		if linuxKernelCanEmulateCPUID() {
+			readARM64Registers()
+		} else {
+			readLinuxProcCPUInfo()
+		}
 		return
 	}
 
diff --git a/vendor/golang.org/x/sys/cpu/parse.go b/vendor/golang.org/x/sys/cpu/parse.go
new file mode 100644
index 000000000..762b63d68
--- /dev/null
+++ b/vendor/golang.org/x/sys/cpu/parse.go
@@ -0,0 +1,43 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package cpu
+
+import "strconv"
+
+// parseRelease parses a dot-separated version number. It follows the semver
+// syntax, but allows the minor and patch versions to be elided.
+//
+// This is a copy of the Go runtime's parseRelease from
+// https://golang.org/cl/209597.
+func parseRelease(rel string) (major, minor, patch int, ok bool) {
+	// Strip anything after a dash or plus.
+	for i := 0; i < len(rel); i++ {
+		if rel[i] == '-' || rel[i] == '+' {
+			rel = rel[:i]
+			break
+		}
+	}
+
+	next := func() (int, bool) {
+		for i := 0; i < len(rel); i++ {
+			if rel[i] == '.' {
+				ver, err := strconv.Atoi(rel[:i])
+				rel = rel[i+1:]
+				return ver, err == nil
+			}
+		}
+		ver, err := strconv.Atoi(rel)
+		rel = ""
+		return ver, err == nil
+	}
+	if major, ok = next(); !ok || rel == "" {
+		return
+	}
+	if minor, ok = next(); !ok || rel == "" {
+		return
+	}
+	patch, ok = next()
+	return
+}
diff --git a/vendor/golang.org/x/sys/cpu/proc_cpuinfo_linux.go b/vendor/golang.org/x/sys/cpu/proc_cpuinfo_linux.go
new file mode 100644
index 000000000..d87bd6b3e
--- /dev/null
+++ b/vendor/golang.org/x/sys/cpu/proc_cpuinfo_linux.go
@@ -0,0 +1,54 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build linux && arm64
+// +build linux,arm64
+
+package cpu
+
+import (
+	"errors"
+	"io"
+	"os"
+	"strings"
+)
+
+func readLinuxProcCPUInfo() error {
+	f, err := os.Open("/proc/cpuinfo")
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	var buf [1 << 10]byte // enough for first CPU
+	n, err := io.ReadFull(f, buf[:])
+	if err != nil && err != io.ErrUnexpectedEOF {
+		return err
+	}
+	in := string(buf[:n])
+	const features = "\nFeatures	: "
+	i := strings.Index(in, features)
+	if i == -1 {
+		return errors.New("no CPU features found")
+	}
+	in = in[i+len(features):]
+	if i := strings.Index(in, "\n"); i != -1 {
+		in = in[:i]
+	}
+	m := map[string]*bool{}
+
+	initOptions() // need it early here; it's harmless to call twice
+	for _, o := range options {
+		m[o.Name] = o.Feature
+	}
+	// The EVTSTRM field has alias "evstrm" in Go, but Linux calls it "evtstrm".
+	m["evtstrm"] = &ARM64.HasEVTSTRM
+
+	for _, f := range strings.Fields(in) {
+		if p, ok := m[f]; ok {
+			*p = true
+		}
+	}
+	return nil
+}
diff --git a/vendor/golang.org/x/sys/unix/gccgo.go b/vendor/golang.org/x/sys/unix/gccgo.go
index 0dee23222..b06f52d74 100644
--- a/vendor/golang.org/x/sys/unix/gccgo.go
+++ b/vendor/golang.org/x/sys/unix/gccgo.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build gccgo && !aix
-// +build gccgo,!aix
+//go:build gccgo && !aix && !hurd
+// +build gccgo,!aix,!hurd
 
 package unix
 
diff --git a/vendor/golang.org/x/sys/unix/gccgo_c.c b/vendor/golang.org/x/sys/unix/gccgo_c.c
index 2cb1fefac..c4fce0e70 100644
--- a/vendor/golang.org/x/sys/unix/gccgo_c.c
+++ b/vendor/golang.org/x/sys/unix/gccgo_c.c
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// +build gccgo
-// +build !aix
+// +build gccgo,!hurd
+// +build !aix,!hurd
 
 #include <errno.h>
 #include <stdint.h>
diff --git a/vendor/golang.org/x/sys/unix/ioctl.go b/vendor/golang.org/x/sys/unix/ioctl.go
index 6c7ad052e..1c51b0ec2 100644
--- a/vendor/golang.org/x/sys/unix/ioctl.go
+++ b/vendor/golang.org/x/sys/unix/ioctl.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build aix || darwin || dragonfly || freebsd || linux || netbsd || openbsd || solaris
-// +build aix darwin dragonfly freebsd linux netbsd openbsd solaris
+//go:build aix || darwin || dragonfly || freebsd || hurd || linux || netbsd || openbsd || solaris
+// +build aix darwin dragonfly freebsd hurd linux netbsd openbsd solaris
 
 package unix
 
diff --git a/vendor/golang.org/x/sys/unix/mkall.sh b/vendor/golang.org/x/sys/unix/mkall.sh
index 727cba212..8e3947c36 100644
--- a/vendor/golang.org/x/sys/unix/mkall.sh
+++ b/vendor/golang.org/x/sys/unix/mkall.sh
@@ -174,10 +174,10 @@ openbsd_arm64)
 	mktypes="GOARCH=$GOARCH go tool cgo -godefs -- -fsigned-char"
 	;;
 openbsd_mips64)
+	mkasm="go run mkasm.go"
 	mkerrors="$mkerrors -m64"
-	mksyscall="go run mksyscall.go -openbsd"
+	mksyscall="go run mksyscall.go -openbsd -libc"
 	mksysctl="go run mksysctl_openbsd.go"
-	mksysnum="go run mksysnum.go 'https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/sys/kern/syscalls.master'"
 	# Let the type of C char be signed for making the bare syscall
 	# API consistent across platforms.
 	mktypes="GOARCH=$GOARCH go tool cgo -godefs -- -fsigned-char"
diff --git a/vendor/golang.org/x/sys/unix/syscall_dragonfly.go b/vendor/golang.org/x/sys/unix/syscall_dragonfly.go
index 61c0d0de1..a41111a79 100644
--- a/vendor/golang.org/x/sys/unix/syscall_dragonfly.go
+++ b/vendor/golang.org/x/sys/unix/syscall_dragonfly.go
@@ -255,6 +255,7 @@ func Sendfile(outfd int, infd int, offset *int64, count int) (written int, err e
 //sys	Chmod(path string, mode uint32) (err error)
 //sys	Chown(path string, uid int, gid int) (err error)
 //sys	Chroot(path string) (err error)
+//sys	ClockGettime(clockid int32, time *Timespec) (err error)
 //sys	Close(fd int) (err error)
 //sys	Dup(fd int) (nfd int, err error)
 //sys	Dup2(from int, to int) (err error)
diff --git a/vendor/golang.org/x/sys/unix/syscall_freebsd.go b/vendor/golang.org/x/sys/unix/syscall_freebsd.go
index de7c23e06..d50b9dc25 100644
--- a/vendor/golang.org/x/sys/unix/syscall_freebsd.go
+++ b/vendor/golang.org/x/sys/unix/syscall_freebsd.go
@@ -319,6 +319,7 @@ func PtraceSingleStep(pid int) (err error) {
 //sys	Chmod(path string, mode uint32) (err error)
 //sys	Chown(path string, uid int, gid int) (err error)
 //sys	Chroot(path string) (err error)
+//sys	ClockGettime(clockid int32, time *Timespec) (err error)
 //sys	Close(fd int) (err error)
 //sys	Dup(fd int) (nfd int, err error)
 //sys	Dup2(from int, to int) (err error)
diff --git a/vendor/golang.org/x/sys/unix/syscall_hurd.go b/vendor/golang.org/x/sys/unix/syscall_hurd.go
new file mode 100644
index 000000000..4ffb64808
--- /dev/null
+++ b/vendor/golang.org/x/sys/unix/syscall_hurd.go
@@ -0,0 +1,22 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build hurd
+// +build hurd
+
+package unix
+
+/*
+#include <stdint.h>
+int ioctl(int, unsigned long int, uintptr_t);
+*/
+import "C"
+
+func ioctl(fd int, req uint, arg uintptr) (err error) {
+	r0, er := C.ioctl(C.int(fd), C.ulong(req), C.uintptr_t(arg))
+	if r0 == -1 && er != nil {
+		err = er
+	}
+	return
+}
diff --git a/vendor/golang.org/x/sys/unix/syscall_hurd_386.go b/vendor/golang.org/x/sys/unix/syscall_hurd_386.go
new file mode 100644
index 000000000..7cf54a3e4
--- /dev/null
+++ b/vendor/golang.org/x/sys/unix/syscall_hurd_386.go
@@ -0,0 +1,29 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build 386 && hurd
+// +build 386,hurd
+
+package unix
+
+const (
+	TIOCGETA = 0x62251713
+)
+
+type Winsize struct {
+	Row    uint16
+	Col    uint16
+	Xpixel uint16
+	Ypixel uint16
+}
+
+type Termios struct {
+	Iflag  uint32
+	Oflag  uint32
+	Cflag  uint32
+	Lflag  uint32
+	Cc     [20]uint8
+	Ispeed int32
+	Ospeed int32
+}
diff --git a/vendor/golang.org/x/sys/unix/syscall_linux.go b/vendor/golang.org/x/sys/unix/syscall_linux.go
index c5a98440e..d839962e6 100644
--- a/vendor/golang.org/x/sys/unix/syscall_linux.go
+++ b/vendor/golang.org/x/sys/unix/syscall_linux.go
@@ -1973,36 +1973,46 @@ func Signalfd(fd int, sigmask *Sigset_t, flags int) (newfd int, err error) {
 //sys	preadv2(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr, flags int) (n int, err error) = SYS_PREADV2
 //sys	pwritev2(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr, flags int) (n int, err error) = SYS_PWRITEV2
 
-func bytes2iovec(bs [][]byte) []Iovec {
-	iovecs := make([]Iovec, len(bs))
-	for i, b := range bs {
-		iovecs[i].SetLen(len(b))
+// minIovec is the size of the small initial allocation used by
+// Readv, Writev, etc.
+//
+// This small allocation gets stack allocated, which lets the
+// common use case of len(iovs) <= minIovs avoid more expensive
+// heap allocations.
+const minIovec = 8
+
+// appendBytes converts bs to Iovecs and appends them to vecs.
+func appendBytes(vecs []Iovec, bs [][]byte) []Iovec {
+	for _, b := range bs {
+		var v Iovec
+		v.SetLen(len(b))
 		if len(b) > 0 {
-			iovecs[i].Base = &b[0]
+			v.Base = &b[0]
 		} else {
-			iovecs[i].Base = (*byte)(unsafe.Pointer(&_zero))
+			v.Base = (*byte)(unsafe.Pointer(&_zero))
 		}
+		vecs = append(vecs, v)
 	}
-	return iovecs
+	return vecs
 }
 
-// offs2lohi splits offs into its lower and upper unsigned long. On 64-bit
-// systems, hi will always be 0. On 32-bit systems, offs will be split in half.
-// preadv/pwritev chose this calling convention so they don't need to add a
-// padding-register for alignment on ARM.
+// offs2lohi splits offs into its low and high order bits.
 func offs2lohi(offs int64) (lo, hi uintptr) {
-	return uintptr(offs), uintptr(uint64(offs) >> SizeofLong)
+	const longBits = SizeofLong * 8
+	return uintptr(offs), uintptr(uint64(offs) >> longBits)
 }
 
 func Readv(fd int, iovs [][]byte) (n int, err error) {
-	iovecs := bytes2iovec(iovs)
+	iovecs := make([]Iovec, 0, minIovec)
+	iovecs = appendBytes(iovecs, iovs)
 	n, err = readv(fd, iovecs)
 	readvRacedetect(iovecs, n, err)
 	return n, err
 }
 
 func Preadv(fd int, iovs [][]byte, offset int64) (n int, err error) {
-	iovecs := bytes2iovec(iovs)
+	iovecs := make([]Iovec, 0, minIovec)
+	iovecs = appendBytes(iovecs, iovs)
 	lo, hi := offs2lohi(offset)
 	n, err = preadv(fd, iovecs, lo, hi)
 	readvRacedetect(iovecs, n, err)
@@ -2010,7 +2020,8 @@ func Preadv(fd int, iovs [][]byte, offset int64) (n int, err error) {
 }
 
 func Preadv2(fd int, iovs [][]byte, offset int64, flags int) (n int, err error) {
-	iovecs := bytes2iovec(iovs)
+	iovecs := make([]Iovec, 0, minIovec)
+	iovecs = appendBytes(iovecs, iovs)
 	lo, hi := offs2lohi(offset)
 	n, err = preadv2(fd, iovecs, lo, hi, flags)
 	readvRacedetect(iovecs, n, err)
@@ -2037,7 +2048,8 @@ func readvRacedetect(iovecs []Iovec, n int, err error) {
 }
 
 func Writev(fd int, iovs [][]byte) (n int, err error) {
-	iovecs := bytes2iovec(iovs)
+	iovecs := make([]Iovec, 0, minIovec)
+	iovecs = appendBytes(iovecs, iovs)
 	if raceenabled {
 		raceReleaseMerge(unsafe.Pointer(&ioSync))
 	}
@@ -2047,7 +2059,8 @@ func Writev(fd int, iovs [][]byte) (n int, err error) {
 }
 
 func Pwritev(fd int, iovs [][]byte, offset int64) (n int, err error) {
-	iovecs := bytes2iovec(iovs)
+	iovecs := make([]Iovec, 0, minIovec)
+	iovecs = appendBytes(iovecs, iovs)
 	if raceenabled {
 		raceReleaseMerge(unsafe.Pointer(&ioSync))
 	}
@@ -2058,7 +2071,8 @@ func Pwritev(fd int, iovs [][]byte, offset int64) (n int, err error) {
 }
 
 func Pwritev2(fd int, iovs [][]byte, offset int64, flags int) (n int, err error) {
-	iovecs := bytes2iovec(iovs)
+	iovecs := make([]Iovec, 0, minIovec)
+	iovecs = appendBytes(iovecs, iovs)
 	if raceenabled {
 		raceReleaseMerge(unsafe.Pointer(&ioSync))
 	}
diff --git a/vendor/golang.org/x/sys/unix/syscall_netbsd.go b/vendor/golang.org/x/sys/unix/syscall_netbsd.go
index 666f0a1b3..35a3ad758 100644
--- a/vendor/golang.org/x/sys/unix/syscall_netbsd.go
+++ b/vendor/golang.org/x/sys/unix/syscall_netbsd.go
@@ -110,6 +110,20 @@ func direntNamlen(buf []byte) (uint64, bool) {
 	return readInt(buf, unsafe.Offsetof(Dirent{}.Namlen), unsafe.Sizeof(Dirent{}.Namlen))
 }
 
+func SysctlUvmexp(name string) (*Uvmexp, error) {
+	mib, err := sysctlmib(name)
+	if err != nil {
+		return nil, err
+	}
+
+	n := uintptr(SizeofUvmexp)
+	var u Uvmexp
+	if err := sysctl(mib, (*byte)(unsafe.Pointer(&u)), &n, nil, 0); err != nil {
+		return nil, err
+	}
+	return &u, nil
+}
+
 func Pipe(p []int) (err error) {
 	return Pipe2(p, 0)
 }
@@ -245,6 +259,7 @@ func Statvfs(path string, buf *Statvfs_t) (err error) {
 //sys	Chmod(path string, mode uint32) (err error)
 //sys	Chown(path string, uid int, gid int) (err error)
 //sys	Chroot(path string) (err error)
+//sys	ClockGettime(clockid int32, time *Timespec) (err error)
 //sys	Close(fd int) (err error)
 //sys	Dup(fd int) (nfd int, err error)
 //sys	Dup2(from int, to int) (err error)
diff --git a/vendor/golang.org/x/sys/unix/syscall_openbsd.go b/vendor/golang.org/x/sys/unix/syscall_openbsd.go
index 78daceb33..9b67b908e 100644
--- a/vendor/golang.org/x/sys/unix/syscall_openbsd.go
+++ b/vendor/golang.org/x/sys/unix/syscall_openbsd.go
@@ -220,6 +220,7 @@ func Uname(uname *Utsname) error {
 //sys	Chmod(path string, mode uint32) (err error)
 //sys	Chown(path string, uid int, gid int) (err error)
 //sys	Chroot(path string) (err error)
+//sys	ClockGettime(clockid int32, time *Timespec) (err error)
 //sys	Close(fd int) (err error)
 //sys	Dup(fd int) (nfd int, err error)
 //sys	Dup2(from int, to int) (err error)
diff --git a/vendor/golang.org/x/sys/unix/syscall_openbsd_libc.go b/vendor/golang.org/x/sys/unix/syscall_openbsd_libc.go
index e23c5394e..04aa43f41 100644
--- a/vendor/golang.org/x/sys/unix/syscall_openbsd_libc.go
+++ b/vendor/golang.org/x/sys/unix/syscall_openbsd_libc.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build openbsd && !mips64
-// +build openbsd,!mips64
+//go:build openbsd
+// +build openbsd
 
 package unix
 
diff --git a/vendor/golang.org/x/sys/unix/syscall_solaris.go b/vendor/golang.org/x/sys/unix/syscall_solaris.go
index 2109e569c..07ac56109 100644
--- a/vendor/golang.org/x/sys/unix/syscall_solaris.go
+++ b/vendor/golang.org/x/sys/unix/syscall_solaris.go
@@ -590,6 +590,7 @@ func Sendfile(outfd int, infd int, offset *int64, count int) (written int, err e
 //sys	Chmod(path string, mode uint32) (err error)
 //sys	Chown(path string, uid int, gid int) (err error)
 //sys	Chroot(path string) (err error)
+//sys	ClockGettime(clockid int32, time *Timespec) (err error)
 //sys	Close(fd int) (err error)
 //sys	Creat(path string, mode uint32) (fd int, err error)
 //sys	Dup(fd int) (nfd int, err error)
diff --git a/vendor/golang.org/x/sys/unix/syscall_unix.go b/vendor/golang.org/x/sys/unix/syscall_unix.go
index 00bafda86..a386f8897 100644
--- a/vendor/golang.org/x/sys/unix/syscall_unix.go
+++ b/vendor/golang.org/x/sys/unix/syscall_unix.go
@@ -331,6 +331,19 @@ func Recvfrom(fd int, p []byte, flags int) (n int, from Sockaddr, err error) {
 	return
 }
 
+// Recvmsg receives a message from a socket using the recvmsg system call. The
+// received non-control data will be written to p, and any "out of band"
+// control data will be written to oob. The flags are passed to recvmsg.
+//
+// The results are:
+//   - n is the number of non-control data bytes read into p
+//   - oobn is the number of control data bytes read into oob; this may be interpreted using [ParseSocketControlMessage]
+//   - recvflags is flags returned by recvmsg
+//   - from is the address of the sender
+//
+// If the underlying socket type is not SOCK_DGRAM, a received message
+// containing oob data and a single '\0' of non-control data is treated as if
+// the message contained only control data, i.e. n will be zero on return.
 func Recvmsg(fd int, p, oob []byte, flags int) (n, oobn int, recvflags int, from Sockaddr, err error) {
 	var iov [1]Iovec
 	if len(p) > 0 {
@@ -346,13 +359,9 @@ func Recvmsg(fd int, p, oob []byte, flags int) (n, oobn int, recvflags int, from
 	return
 }
 
-// RecvmsgBuffers receives a message from a socket using the recvmsg
-// system call. The flags are passed to recvmsg. Any non-control data
-// read is scattered into the buffers slices. The results are:
-//   - n is the number of non-control data read into bufs
-//   - oobn is the number of control data read into oob; this may be interpreted using [ParseSocketControlMessage]
-//   - recvflags is flags returned by recvmsg
-//   - from is the address of the sender
+// RecvmsgBuffers receives a message from a socket using the recvmsg system
+// call. This function is equivalent to Recvmsg, but non-control data read is
+// scattered into the buffers slices.
 func RecvmsgBuffers(fd int, buffers [][]byte, oob []byte, flags int) (n, oobn int, recvflags int, from Sockaddr, err error) {
 	iov := make([]Iovec, len(buffers))
 	for i := range buffers {
@@ -371,11 +380,38 @@ func RecvmsgBuffers(fd int, buffers [][]byte, oob []byte, flags int) (n, oobn in
 	return
 }
 
+// Sendmsg sends a message on a socket to an address using the sendmsg system
+// call. This function is equivalent to SendmsgN, but does not return the
+// number of bytes actually sent.
 func Sendmsg(fd int, p, oob []byte, to Sockaddr, flags int) (err error) {
 	_, err = SendmsgN(fd, p, oob, to, flags)
 	return
 }
 
+// SendmsgN sends a message on a socket to an address using the sendmsg system
+// call. p contains the non-control data to send, and oob contains the "out of
+// band" control data. The flags are passed to sendmsg. The number of
+// non-control bytes actually written to the socket is returned.
+//
+// Some socket types do not support sending control data without accompanying
+// non-control data. If p is empty, and oob contains control data, and the
+// underlying socket type is not SOCK_DGRAM, p will be treated as containing a
+// single '\0' and the return value will indicate zero bytes sent.
+//
+// The Go function Recvmsg, if called with an empty p and a non-empty oob,
+// will read and ignore this additional '\0'.  If the message is received by
+// code that does not use Recvmsg, or that does not use Go at all, that code
+// will need to be written to expect and ignore the additional '\0'.
+//
+// If you need to send non-empty oob with p actually empty, and if the
+// underlying socket type supports it, you can do so via a raw system call as
+// follows:
+//
+//	msg := &unix.Msghdr{
+//	    Control: &oob[0],
+//	}
+//	msg.SetControllen(len(oob))
+//	n, _, errno := unix.Syscall(unix.SYS_SENDMSG, uintptr(fd), uintptr(unsafe.Pointer(msg)), flags)
 func SendmsgN(fd int, p, oob []byte, to Sockaddr, flags int) (n int, err error) {
 	var iov [1]Iovec
 	if len(p) > 0 {
@@ -394,9 +430,8 @@ func SendmsgN(fd int, p, oob []byte, to Sockaddr, flags int) (n int, err error)
 }
 
 // SendmsgBuffers sends a message on a socket to an address using the sendmsg
-// system call. The flags are passed to sendmsg. Any non-control data written
-// is gathered from buffers. The function returns the number of bytes written
-// to the socket.
+// system call. This function is equivalent to SendmsgN, but the non-control
+// data is gathered from buffers.
 func SendmsgBuffers(fd int, buffers [][]byte, oob []byte, to Sockaddr, flags int) (n int, err error) {
 	iov := make([]Iovec, len(buffers))
 	for i := range buffers {
diff --git a/vendor/golang.org/x/sys/unix/zerrors_openbsd_386.go b/vendor/golang.org/x/sys/unix/zerrors_openbsd_386.go
index 6d56edc05..af20e474b 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_openbsd_386.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_openbsd_386.go
@@ -46,6 +46,7 @@ const (
 	AF_SNA                            = 0xb
 	AF_UNIX                           = 0x1
 	AF_UNSPEC                         = 0x0
+	ALTWERASE                         = 0x200
 	ARPHRD_ETHER                      = 0x1
 	ARPHRD_FRELAY                     = 0xf
 	ARPHRD_IEEE1394                   = 0x18
@@ -108,6 +109,15 @@ const (
 	BPF_DIRECTION_IN                  = 0x1
 	BPF_DIRECTION_OUT                 = 0x2
 	BPF_DIV                           = 0x30
+	BPF_FILDROP_CAPTURE               = 0x1
+	BPF_FILDROP_DROP                  = 0x2
+	BPF_FILDROP_PASS                  = 0x0
+	BPF_F_DIR_IN                      = 0x10
+	BPF_F_DIR_MASK                    = 0x30
+	BPF_F_DIR_OUT                     = 0x20
+	BPF_F_DIR_SHIFT                   = 0x4
+	BPF_F_FLOWID                      = 0x8
+	BPF_F_PRI_MASK                    = 0x7
 	BPF_H                             = 0x8
 	BPF_IMM                           = 0x0
 	BPF_IND                           = 0x40
@@ -136,6 +146,7 @@ const (
 	BPF_OR                            = 0x40
 	BPF_RELEASE                       = 0x30bb6
 	BPF_RET                           = 0x6
+	BPF_RND                           = 0xc0
 	BPF_RSH                           = 0x70
 	BPF_ST                            = 0x2
 	BPF_STX                           = 0x3
@@ -147,6 +158,12 @@ const (
 	BRKINT                            = 0x2
 	CFLUSH                            = 0xf
 	CLOCAL                            = 0x8000
+	CLOCK_BOOTTIME                    = 0x6
+	CLOCK_MONOTONIC                   = 0x3
+	CLOCK_PROCESS_CPUTIME_ID          = 0x2
+	CLOCK_REALTIME                    = 0x0
+	CLOCK_THREAD_CPUTIME_ID           = 0x4
+	CLOCK_UPTIME                      = 0x5
 	CPUSTATES                         = 0x6
 	CP_IDLE                           = 0x5
 	CP_INTR                           = 0x4
@@ -170,7 +187,65 @@ const (
 	CTL_KERN                          = 0x1
 	CTL_MAXNAME                       = 0xc
 	CTL_NET                           = 0x4
+	DIOCADDQUEUE                      = 0xc100445d
+	DIOCADDRULE                       = 0xccc84404
+	DIOCADDSTATE                      = 0xc1084425
+	DIOCCHANGERULE                    = 0xccc8441a
+	DIOCCLRIFFLAG                     = 0xc024445a
+	DIOCCLRSRCNODES                   = 0x20004455
+	DIOCCLRSTATES                     = 0xc0d04412
+	DIOCCLRSTATUS                     = 0xc0244416
+	DIOCGETLIMIT                      = 0xc0084427
+	DIOCGETQSTATS                     = 0xc1084460
+	DIOCGETQUEUE                      = 0xc100445f
+	DIOCGETQUEUES                     = 0xc100445e
+	DIOCGETRULE                       = 0xccc84407
+	DIOCGETRULES                      = 0xccc84406
+	DIOCGETRULESET                    = 0xc444443b
+	DIOCGETRULESETS                   = 0xc444443a
+	DIOCGETSRCNODES                   = 0xc0084454
+	DIOCGETSTATE                      = 0xc1084413
+	DIOCGETSTATES                     = 0xc0084419
+	DIOCGETSTATUS                     = 0xc1e84415
+	DIOCGETSYNFLWATS                  = 0xc0084463
+	DIOCGETTIMEOUT                    = 0xc008441e
+	DIOCIGETIFACES                    = 0xc0244457
+	DIOCKILLSRCNODES                  = 0xc068445b
+	DIOCKILLSTATES                    = 0xc0d04429
+	DIOCNATLOOK                       = 0xc0504417
+	DIOCOSFPADD                       = 0xc084444f
 	DIOCOSFPFLUSH                     = 0x2000444e
+	DIOCOSFPGET                       = 0xc0844450
+	DIOCRADDADDRS                     = 0xc44c4443
+	DIOCRADDTABLES                    = 0xc44c443d
+	DIOCRCLRADDRS                     = 0xc44c4442
+	DIOCRCLRASTATS                    = 0xc44c4448
+	DIOCRCLRTABLES                    = 0xc44c443c
+	DIOCRCLRTSTATS                    = 0xc44c4441
+	DIOCRDELADDRS                     = 0xc44c4444
+	DIOCRDELTABLES                    = 0xc44c443e
+	DIOCRGETADDRS                     = 0xc44c4446
+	DIOCRGETASTATS                    = 0xc44c4447
+	DIOCRGETTABLES                    = 0xc44c443f
+	DIOCRGETTSTATS                    = 0xc44c4440
+	DIOCRINADEFINE                    = 0xc44c444d
+	DIOCRSETADDRS                     = 0xc44c4445
+	DIOCRSETTFLAGS                    = 0xc44c444a
+	DIOCRTSTADDRS                     = 0xc44c4449
+	DIOCSETDEBUG                      = 0xc0044418
+	DIOCSETHOSTID                     = 0xc0044456
+	DIOCSETIFFLAG                     = 0xc0244459
+	DIOCSETLIMIT                      = 0xc0084428
+	DIOCSETREASS                      = 0xc004445c
+	DIOCSETSTATUSIF                   = 0xc0244414
+	DIOCSETSYNCOOKIES                 = 0xc0014462
+	DIOCSETSYNFLWATS                  = 0xc0084461
+	DIOCSETTIMEOUT                    = 0xc008441d
+	DIOCSTART                         = 0x20004401
+	DIOCSTOP                          = 0x20004402
+	DIOCXBEGIN                        = 0xc00c4451
+	DIOCXCOMMIT                       = 0xc00c4452
+	DIOCXROLLBACK                     = 0xc00c4453
 	DLT_ARCNET                        = 0x7
 	DLT_ATM_RFC1483                   = 0xb
 	DLT_AX25                          = 0x3
@@ -186,6 +261,7 @@ const (
 	DLT_LOOP                          = 0xc
 	DLT_MPLS                          = 0xdb
 	DLT_NULL                          = 0x0
+	DLT_OPENFLOW                      = 0x10b
 	DLT_PFLOG                         = 0x75
 	DLT_PFSYNC                        = 0x12
 	DLT_PPP                           = 0x9
@@ -196,6 +272,23 @@ const (
 	DLT_RAW                           = 0xe
 	DLT_SLIP                          = 0x8
 	DLT_SLIP_BSDOS                    = 0xf
+	DLT_USBPCAP                       = 0xf9
+	DLT_USER0                         = 0x93
+	DLT_USER1                         = 0x94
+	DLT_USER10                        = 0x9d
+	DLT_USER11                        = 0x9e
+	DLT_USER12                        = 0x9f
+	DLT_USER13                        = 0xa0
+	DLT_USER14                        = 0xa1
+	DLT_USER15                        = 0xa2
+	DLT_USER2                         = 0x95
+	DLT_USER3                         = 0x96
+	DLT_USER4                         = 0x97
+	DLT_USER5                         = 0x98
+	DLT_USER6                         = 0x99
+	DLT_USER7                         = 0x9a
+	DLT_USER8                         = 0x9b
+	DLT_USER9                         = 0x9c
 	DT_BLK                            = 0x6
 	DT_CHR                            = 0x2
 	DT_DIR                            = 0x4
@@ -215,6 +308,8 @@ const (
 	EMUL_ENABLED                      = 0x1
 	EMUL_NATIVE                       = 0x2
 	ENDRUNDISC                        = 0x9
+	ETH64_8021_RSVD_MASK              = 0xfffffffffff0
+	ETH64_8021_RSVD_PREFIX            = 0x180c2000000
 	ETHERMIN                          = 0x2e
 	ETHERMTU                          = 0x5dc
 	ETHERTYPE_8023                    = 0x4
@@ -267,6 +362,7 @@ const (
 	ETHERTYPE_DN                      = 0x6003
 	ETHERTYPE_DOGFIGHT                = 0x1989
 	ETHERTYPE_DSMD                    = 0x8039
+	ETHERTYPE_EAPOL                   = 0x888e
 	ETHERTYPE_ECMA                    = 0x803
 	ETHERTYPE_ENCRYPT                 = 0x803d
 	ETHERTYPE_ES                      = 0x805d
@@ -298,6 +394,7 @@ const (
 	ETHERTYPE_LLDP                    = 0x88cc
 	ETHERTYPE_LOGICRAFT               = 0x8148
 	ETHERTYPE_LOOPBACK                = 0x9000
+	ETHERTYPE_MACSEC                  = 0x88e5
 	ETHERTYPE_MATRA                   = 0x807a
 	ETHERTYPE_MAX                     = 0xffff
 	ETHERTYPE_MERIT                   = 0x807c
@@ -326,15 +423,17 @@ const (
 	ETHERTYPE_NCD                     = 0x8149
 	ETHERTYPE_NESTAR                  = 0x8006
 	ETHERTYPE_NETBEUI                 = 0x8191
+	ETHERTYPE_NHRP                    = 0x2001
 	ETHERTYPE_NOVELL                  = 0x8138
 	ETHERTYPE_NS                      = 0x600
 	ETHERTYPE_NSAT                    = 0x601
 	ETHERTYPE_NSCOMPAT                = 0x807
+	ETHERTYPE_NSH                     = 0x984f
 	ETHERTYPE_NTRAILER                = 0x10
 	ETHERTYPE_OS9                     = 0x7007
 	ETHERTYPE_OS9NET                  = 0x7009
 	ETHERTYPE_PACER                   = 0x80c6
-	ETHERTYPE_PAE                     = 0x888e
+	ETHERTYPE_PBB                     = 0x88e7
 	ETHERTYPE_PCS                     = 0x4242
 	ETHERTYPE_PLANNING                = 0x8044
 	ETHERTYPE_PPP                     = 0x880b
@@ -409,28 +508,40 @@ const (
 	ETHER_CRC_POLY_LE                 = 0xedb88320
 	ETHER_HDR_LEN                     = 0xe
 	ETHER_MAX_DIX_LEN                 = 0x600
+	ETHER_MAX_HARDMTU_LEN             = 0xff9b
 	ETHER_MAX_LEN                     = 0x5ee
 	ETHER_MIN_LEN                     = 0x40
 	ETHER_TYPE_LEN                    = 0x2
 	ETHER_VLAN_ENCAP_LEN              = 0x4
 	EVFILT_AIO                        = -0x3
+	EVFILT_DEVICE                     = -0x8
+	EVFILT_EXCEPT                     = -0x9
 	EVFILT_PROC                       = -0x5
 	EVFILT_READ                       = -0x1
 	EVFILT_SIGNAL                     = -0x6
-	EVFILT_SYSCOUNT                   = 0x7
+	EVFILT_SYSCOUNT                   = 0x9
 	EVFILT_TIMER                      = -0x7
 	EVFILT_VNODE                      = -0x4
 	EVFILT_WRITE                      = -0x2
+	EVL_ENCAPLEN                      = 0x4
+	EVL_PRIO_BITS                     = 0xd
+	EVL_PRIO_MAX                      = 0x7
+	EVL_VLID_MASK                     = 0xfff
+	EVL_VLID_MAX                      = 0xffe
+	EVL_VLID_MIN                      = 0x1
+	EVL_VLID_NULL                     = 0x0
 	EV_ADD                            = 0x1
 	EV_CLEAR                          = 0x20
 	EV_DELETE                         = 0x2
 	EV_DISABLE                        = 0x8
+	EV_DISPATCH                       = 0x80
 	EV_ENABLE                         = 0x4
 	EV_EOF                            = 0x8000
 	EV_ERROR                          = 0x4000
 	EV_FLAG1                          = 0x2000
 	EV_ONESHOT                        = 0x10
-	EV_SYSFLAGS                       = 0xf000
+	EV_RECEIPT                        = 0x40
+	EV_SYSFLAGS                       = 0xf800
 	EXTA                              = 0x4b00
 	EXTB                              = 0x9600
 	EXTPROC                           = 0x800
@@ -443,6 +554,7 @@ const (
 	F_GETFL                           = 0x3
 	F_GETLK                           = 0x7
 	F_GETOWN                          = 0x5
+	F_ISATTY                          = 0xb
 	F_OK                              = 0x0
 	F_RDLCK                           = 0x1
 	F_SETFD                           = 0x2
@@ -460,7 +572,6 @@ const (
 	IEXTEN                            = 0x400
 	IFAN_ARRIVAL                      = 0x0
 	IFAN_DEPARTURE                    = 0x1
-	IFA_ROUTE                         = 0x1
 	IFF_ALLMULTI                      = 0x200
 	IFF_BROADCAST                     = 0x2
 	IFF_CANTCHANGE                    = 0x8e52
@@ -471,12 +582,12 @@ const (
 	IFF_LOOPBACK                      = 0x8
 	IFF_MULTICAST                     = 0x8000
 	IFF_NOARP                         = 0x80
-	IFF_NOTRAILERS                    = 0x20
 	IFF_OACTIVE                       = 0x400
 	IFF_POINTOPOINT                   = 0x10
 	IFF_PROMISC                       = 0x100
 	IFF_RUNNING                       = 0x40
 	IFF_SIMPLEX                       = 0x800
+	IFF_STATICARP                     = 0x20
 	IFF_UP                            = 0x1
 	IFNAMSIZ                          = 0x10
 	IFT_1822                          = 0x2
@@ -605,6 +716,7 @@ const (
 	IFT_LINEGROUP                     = 0xd2
 	IFT_LOCALTALK                     = 0x2a
 	IFT_LOOP                          = 0x18
+	IFT_MBIM                          = 0xfa
 	IFT_MEDIAMAILOVERIP               = 0x8b
 	IFT_MFSIGLINK                     = 0xa7
 	IFT_MIOX25                        = 0x26
@@ -695,6 +807,7 @@ const (
 	IFT_VOICEOVERCABLE                = 0xc6
 	IFT_VOICEOVERFRAMERELAY           = 0x99
 	IFT_VOICEOVERIP                   = 0x68
+	IFT_WIREGUARD                     = 0xfb
 	IFT_X213                          = 0x5d
 	IFT_X25                           = 0x5
 	IFT_X25DDN                        = 0x4
@@ -729,8 +842,6 @@ const (
 	IPPROTO_AH                        = 0x33
 	IPPROTO_CARP                      = 0x70
 	IPPROTO_DIVERT                    = 0x102
-	IPPROTO_DIVERT_INIT               = 0x2
-	IPPROTO_DIVERT_RESP               = 0x1
 	IPPROTO_DONE                      = 0x101
 	IPPROTO_DSTOPTS                   = 0x3c
 	IPPROTO_EGP                       = 0x8
@@ -762,9 +873,11 @@ const (
 	IPPROTO_RAW                       = 0xff
 	IPPROTO_ROUTING                   = 0x2b
 	IPPROTO_RSVP                      = 0x2e
+	IPPROTO_SCTP                      = 0x84
 	IPPROTO_TCP                       = 0x6
 	IPPROTO_TP                        = 0x1d
 	IPPROTO_UDP                       = 0x11
+	IPPROTO_UDPLITE                   = 0x88
 	IPV6_AUTH_LEVEL                   = 0x35
 	IPV6_AUTOFLOWLABEL                = 0x3b
 	IPV6_CHECKSUM                     = 0x1a
@@ -787,6 +900,7 @@ const (
 	IPV6_LEAVE_GROUP                  = 0xd
 	IPV6_MAXHLIM                      = 0xff
 	IPV6_MAXPACKET                    = 0xffff
+	IPV6_MINHOPCOUNT                  = 0x41
 	IPV6_MMTU                         = 0x500
 	IPV6_MULTICAST_HOPS               = 0xa
 	IPV6_MULTICAST_IF                 = 0x9
@@ -826,12 +940,12 @@ const (
 	IP_DEFAULT_MULTICAST_LOOP         = 0x1
 	IP_DEFAULT_MULTICAST_TTL          = 0x1
 	IP_DF                             = 0x4000
-	IP_DIVERTFL                       = 0x1022
 	IP_DROP_MEMBERSHIP                = 0xd
 	IP_ESP_NETWORK_LEVEL              = 0x16
 	IP_ESP_TRANS_LEVEL                = 0x15
 	IP_HDRINCL                        = 0x2
 	IP_IPCOMP_LEVEL                   = 0x1d
+	IP_IPDEFTTL                       = 0x25
 	IP_IPSECFLOWINFO                  = 0x24
 	IP_IPSEC_LOCAL_AUTH               = 0x1b
 	IP_IPSEC_LOCAL_CRED               = 0x19
@@ -865,10 +979,15 @@ const (
 	IP_RETOPTS                        = 0x8
 	IP_RF                             = 0x8000
 	IP_RTABLE                         = 0x1021
+	IP_SENDSRCADDR                    = 0x7
 	IP_TOS                            = 0x3
 	IP_TTL                            = 0x4
 	ISIG                              = 0x80
 	ISTRIP                            = 0x20
+	ITIMER_PROF                       = 0x2
+	ITIMER_REAL                       = 0x0
+	ITIMER_VIRTUAL                    = 0x1
+	IUCLC                             = 0x1000
 	IXANY                             = 0x800
 	IXOFF                             = 0x400
 	IXON                              = 0x200
@@ -900,10 +1019,11 @@ const (
 	MAP_INHERIT_COPY                  = 0x1
 	MAP_INHERIT_NONE                  = 0x2
 	MAP_INHERIT_SHARE                 = 0x0
-	MAP_NOEXTEND                      = 0x100
-	MAP_NORESERVE                     = 0x40
+	MAP_INHERIT_ZERO                  = 0x3
+	MAP_NOEXTEND                      = 0x0
+	MAP_NORESERVE                     = 0x0
 	MAP_PRIVATE                       = 0x2
-	MAP_RENAME                        = 0x20
+	MAP_RENAME                        = 0x0
 	MAP_SHARED                        = 0x1
 	MAP_STACK                         = 0x4000
 	MAP_TRYFIXED                      = 0x0
@@ -922,6 +1042,7 @@ const (
 	MNT_NOATIME                       = 0x8000
 	MNT_NODEV                         = 0x10
 	MNT_NOEXEC                        = 0x4
+	MNT_NOPERM                        = 0x20
 	MNT_NOSUID                        = 0x8
 	MNT_NOWAIT                        = 0x2
 	MNT_QUOTA                         = 0x2000
@@ -929,13 +1050,29 @@ const (
 	MNT_RELOAD                        = 0x40000
 	MNT_ROOTFS                        = 0x4000
 	MNT_SOFTDEP                       = 0x4000000
+	MNT_STALLED                       = 0x100000
+	MNT_SWAPPABLE                     = 0x200000
 	MNT_SYNCHRONOUS                   = 0x2
 	MNT_UPDATE                        = 0x10000
 	MNT_VISFLAGMASK                   = 0x400ffff
 	MNT_WAIT                          = 0x1
 	MNT_WANTRDWR                      = 0x2000000
 	MNT_WXALLOWED                     = 0x800
+	MOUNT_AFS                         = "afs"
+	MOUNT_CD9660                      = "cd9660"
+	MOUNT_EXT2FS                      = "ext2fs"
+	MOUNT_FFS                         = "ffs"
+	MOUNT_FUSEFS                      = "fuse"
+	MOUNT_MFS                         = "mfs"
+	MOUNT_MSDOS                       = "msdos"
+	MOUNT_NCPFS                       = "ncpfs"
+	MOUNT_NFS                         = "nfs"
+	MOUNT_NTFS                        = "ntfs"
+	MOUNT_TMPFS                       = "tmpfs"
+	MOUNT_UDF                         = "udf"
+	MOUNT_UFS                         = "ffs"
 	MSG_BCAST                         = 0x100
+	MSG_CMSG_CLOEXEC                  = 0x800
 	MSG_CTRUNC                        = 0x20
 	MSG_DONTROUTE                     = 0x4
 	MSG_DONTWAIT                      = 0x80
@@ -946,6 +1083,7 @@ const (
 	MSG_PEEK                          = 0x2
 	MSG_TRUNC                         = 0x10
 	MSG_WAITALL                       = 0x40
+	MSG_WAITFORONE                    = 0x1000
 	MS_ASYNC                          = 0x1
 	MS_INVALIDATE                     = 0x4
 	MS_SYNC                           = 0x2
@@ -953,12 +1091,16 @@ const (
 	NET_RT_DUMP                       = 0x1
 	NET_RT_FLAGS                      = 0x2
 	NET_RT_IFLIST                     = 0x3
-	NET_RT_MAXID                      = 0x6
+	NET_RT_IFNAMES                    = 0x6
+	NET_RT_MAXID                      = 0x8
+	NET_RT_SOURCE                     = 0x7
 	NET_RT_STATS                      = 0x4
 	NET_RT_TABLE                      = 0x5
 	NFDBITS                           = 0x20
 	NOFLSH                            = 0x80000000
+	NOKERNINFO                        = 0x2000000
 	NOTE_ATTRIB                       = 0x8
+	NOTE_CHANGE                       = 0x1
 	NOTE_CHILD                        = 0x4
 	NOTE_DELETE                       = 0x1
 	NOTE_EOF                          = 0x2
@@ -968,6 +1110,7 @@ const (
 	NOTE_FORK                         = 0x40000000
 	NOTE_LINK                         = 0x10
 	NOTE_LOWAT                        = 0x1
+	NOTE_OOB                          = 0x4
 	NOTE_PCTRLMASK                    = 0xf0000000
 	NOTE_PDATAMASK                    = 0xfffff
 	NOTE_RENAME                       = 0x20
@@ -977,11 +1120,13 @@ const (
 	NOTE_TRUNCATE                     = 0x80
 	NOTE_WRITE                        = 0x2
 	OCRNL                             = 0x10
+	OLCUC                             = 0x20
 	ONLCR                             = 0x2
 	ONLRET                            = 0x80
 	ONOCR                             = 0x40
 	ONOEOT                            = 0x8
 	OPOST                             = 0x1
+	OXTABS                            = 0x4
 	O_ACCMODE                         = 0x3
 	O_APPEND                          = 0x8
 	O_ASYNC                           = 0x40
@@ -1015,7 +1160,6 @@ const (
 	PROT_NONE                         = 0x0
 	PROT_READ                         = 0x1
 	PROT_WRITE                        = 0x2
-	PT_MASK                           = 0x3ff000
 	RLIMIT_CORE                       = 0x4
 	RLIMIT_CPU                        = 0x0
 	RLIMIT_DATA                       = 0x2
@@ -1027,19 +1171,25 @@ const (
 	RLIMIT_STACK                      = 0x3
 	RLIM_INFINITY                     = 0x7fffffffffffffff
 	RTAX_AUTHOR                       = 0x6
+	RTAX_BFD                          = 0xb
 	RTAX_BRD                          = 0x7
+	RTAX_DNS                          = 0xc
 	RTAX_DST                          = 0x0
 	RTAX_GATEWAY                      = 0x1
 	RTAX_GENMASK                      = 0x3
 	RTAX_IFA                          = 0x5
 	RTAX_IFP                          = 0x4
 	RTAX_LABEL                        = 0xa
-	RTAX_MAX                          = 0xb
+	RTAX_MAX                          = 0xf
 	RTAX_NETMASK                      = 0x2
+	RTAX_SEARCH                       = 0xe
 	RTAX_SRC                          = 0x8
 	RTAX_SRCMASK                      = 0x9
+	RTAX_STATIC                       = 0xd
 	RTA_AUTHOR                        = 0x40
+	RTA_BFD                           = 0x800
 	RTA_BRD                           = 0x80
+	RTA_DNS                           = 0x1000
 	RTA_DST                           = 0x1
 	RTA_GATEWAY                       = 0x2
 	RTA_GENMASK                       = 0x8
@@ -1047,49 +1197,57 @@ const (
 	RTA_IFP                           = 0x10
 	RTA_LABEL                         = 0x400
 	RTA_NETMASK                       = 0x4
+	RTA_SEARCH                        = 0x4000
 	RTA_SRC                           = 0x100
 	RTA_SRCMASK                       = 0x200
+	RTA_STATIC                        = 0x2000
 	RTF_ANNOUNCE                      = 0x4000
+	RTF_BFD                           = 0x1000000
 	RTF_BLACKHOLE                     = 0x1000
+	RTF_BROADCAST                     = 0x400000
+	RTF_CACHED                        = 0x20000
 	RTF_CLONED                        = 0x10000
 	RTF_CLONING                       = 0x100
+	RTF_CONNECTED                     = 0x800000
 	RTF_DONE                          = 0x40
 	RTF_DYNAMIC                       = 0x10
-	RTF_FMASK                         = 0x10f808
+	RTF_FMASK                         = 0x110fc08
 	RTF_GATEWAY                       = 0x2
 	RTF_HOST                          = 0x4
 	RTF_LLINFO                        = 0x400
-	RTF_MASK                          = 0x80
+	RTF_LOCAL                         = 0x200000
 	RTF_MODIFIED                      = 0x20
 	RTF_MPATH                         = 0x40000
 	RTF_MPLS                          = 0x100000
+	RTF_MULTICAST                     = 0x200
 	RTF_PERMANENT_ARP                 = 0x2000
 	RTF_PROTO1                        = 0x8000
 	RTF_PROTO2                        = 0x4000
 	RTF_PROTO3                        = 0x2000
 	RTF_REJECT                        = 0x8
-	RTF_SOURCE                        = 0x20000
 	RTF_STATIC                        = 0x800
-	RTF_TUNNEL                        = 0x100000
 	RTF_UP                            = 0x1
 	RTF_USETRAILERS                   = 0x8000
-	RTF_XRESOLVE                      = 0x200
+	RTM_80211INFO                     = 0x15
 	RTM_ADD                           = 0x1
+	RTM_BFD                           = 0x12
 	RTM_CHANGE                        = 0x3
+	RTM_CHGADDRATTR                   = 0x14
 	RTM_DELADDR                       = 0xd
 	RTM_DELETE                        = 0x2
 	RTM_DESYNC                        = 0x10
 	RTM_GET                           = 0x4
 	RTM_IFANNOUNCE                    = 0xf
 	RTM_IFINFO                        = 0xe
-	RTM_LOCK                          = 0x8
+	RTM_INVALIDATE                    = 0x11
 	RTM_LOSING                        = 0x5
 	RTM_MAXSIZE                       = 0x800
 	RTM_MISS                          = 0x7
 	RTM_NEWADDR                       = 0xc
+	RTM_PROPOSAL                      = 0x13
 	RTM_REDIRECT                      = 0x6
 	RTM_RESOLVE                       = 0xb
-	RTM_RTTUNIT                       = 0xf4240
+	RTM_SOURCE                        = 0x16
 	RTM_VERSION                       = 0x5
 	RTV_EXPIRE                        = 0x4
 	RTV_HOPCOUNT                      = 0x2
@@ -1099,67 +1257,74 @@ const (
 	RTV_RTTVAR                        = 0x80
 	RTV_SPIPE                         = 0x10
 	RTV_SSTHRESH                      = 0x20
+	RT_TABLEID_BITS                   = 0x8
+	RT_TABLEID_MASK                   = 0xff
 	RT_TABLEID_MAX                    = 0xff
 	RUSAGE_CHILDREN                   = -0x1
 	RUSAGE_SELF                       = 0x0
 	RUSAGE_THREAD                     = 0x1
 	SCM_RIGHTS                        = 0x1
 	SCM_TIMESTAMP                     = 0x4
+	SEEK_CUR                          = 0x1
+	SEEK_END                          = 0x2
+	SEEK_SET                          = 0x0
 	SHUT_RD                           = 0x0
 	SHUT_RDWR                         = 0x2
 	SHUT_WR                           = 0x1
 	SIOCADDMULTI                      = 0x80206931
 	SIOCAIFADDR                       = 0x8040691a
 	SIOCAIFGROUP                      = 0x80246987
-	SIOCALIFADDR                      = 0x8218691c
 	SIOCATMARK                        = 0x40047307
-	SIOCBRDGADD                       = 0x8054693c
-	SIOCBRDGADDS                      = 0x80546941
-	SIOCBRDGARL                       = 0x806e694d
+	SIOCBRDGADD                       = 0x805c693c
+	SIOCBRDGADDL                      = 0x805c6949
+	SIOCBRDGADDS                      = 0x805c6941
+	SIOCBRDGARL                       = 0x808c694d
 	SIOCBRDGDADDR                     = 0x81286947
-	SIOCBRDGDEL                       = 0x8054693d
-	SIOCBRDGDELS                      = 0x80546942
-	SIOCBRDGFLUSH                     = 0x80546948
-	SIOCBRDGFRL                       = 0x806e694e
+	SIOCBRDGDEL                       = 0x805c693d
+	SIOCBRDGDELS                      = 0x805c6942
+	SIOCBRDGFLUSH                     = 0x805c6948
+	SIOCBRDGFRL                       = 0x808c694e
 	SIOCBRDGGCACHE                    = 0xc0146941
 	SIOCBRDGGFD                       = 0xc0146952
 	SIOCBRDGGHT                       = 0xc0146951
-	SIOCBRDGGIFFLGS                   = 0xc054693e
+	SIOCBRDGGIFFLGS                   = 0xc05c693e
 	SIOCBRDGGMA                       = 0xc0146953
 	SIOCBRDGGPARAM                    = 0xc03c6958
 	SIOCBRDGGPRI                      = 0xc0146950
 	SIOCBRDGGRL                       = 0xc028694f
-	SIOCBRDGGSIFS                     = 0xc054693c
 	SIOCBRDGGTO                       = 0xc0146946
-	SIOCBRDGIFS                       = 0xc0546942
+	SIOCBRDGIFS                       = 0xc05c6942
 	SIOCBRDGRTS                       = 0xc0186943
 	SIOCBRDGSADDR                     = 0xc1286944
 	SIOCBRDGSCACHE                    = 0x80146940
 	SIOCBRDGSFD                       = 0x80146952
 	SIOCBRDGSHT                       = 0x80146951
-	SIOCBRDGSIFCOST                   = 0x80546955
-	SIOCBRDGSIFFLGS                   = 0x8054693f
-	SIOCBRDGSIFPRIO                   = 0x80546954
+	SIOCBRDGSIFCOST                   = 0x805c6955
+	SIOCBRDGSIFFLGS                   = 0x805c693f
+	SIOCBRDGSIFPRIO                   = 0x805c6954
+	SIOCBRDGSIFPROT                   = 0x805c694a
 	SIOCBRDGSMA                       = 0x80146953
 	SIOCBRDGSPRI                      = 0x80146950
 	SIOCBRDGSPROTO                    = 0x8014695a
 	SIOCBRDGSTO                       = 0x80146945
 	SIOCBRDGSTXHC                     = 0x80146959
+	SIOCDELLABEL                      = 0x80206997
 	SIOCDELMULTI                      = 0x80206932
 	SIOCDIFADDR                       = 0x80206919
 	SIOCDIFGROUP                      = 0x80246989
+	SIOCDIFPARENT                     = 0x802069b4
 	SIOCDIFPHYADDR                    = 0x80206949
-	SIOCDLIFADDR                      = 0x8218691e
+	SIOCDPWE3NEIGHBOR                 = 0x802069de
+	SIOCDVNETID                       = 0x802069af
 	SIOCGETKALIVE                     = 0xc01869a4
 	SIOCGETLABEL                      = 0x8020699a
+	SIOCGETMPWCFG                     = 0xc02069ae
 	SIOCGETPFLOW                      = 0xc02069fe
 	SIOCGETPFSYNC                     = 0xc02069f8
 	SIOCGETSGCNT                      = 0xc0147534
 	SIOCGETVIFCNT                     = 0xc0147533
 	SIOCGETVLAN                       = 0xc0206990
-	SIOCGHIWAT                        = 0x40047301
 	SIOCGIFADDR                       = 0xc0206921
-	SIOCGIFASYNCMAP                   = 0xc020697c
 	SIOCGIFBRDADDR                    = 0xc0206923
 	SIOCGIFCONF                       = 0xc0086924
 	SIOCGIFDATA                       = 0xc020691b
@@ -1168,40 +1333,53 @@ const (
 	SIOCGIFFLAGS                      = 0xc0206911
 	SIOCGIFGATTR                      = 0xc024698b
 	SIOCGIFGENERIC                    = 0xc020693a
+	SIOCGIFGLIST                      = 0xc024698d
 	SIOCGIFGMEMB                      = 0xc024698a
 	SIOCGIFGROUP                      = 0xc0246988
 	SIOCGIFHARDMTU                    = 0xc02069a5
-	SIOCGIFMEDIA                      = 0xc0286936
+	SIOCGIFLLPRIO                     = 0xc02069b6
+	SIOCGIFMEDIA                      = 0xc0386938
 	SIOCGIFMETRIC                     = 0xc0206917
 	SIOCGIFMTU                        = 0xc020697e
 	SIOCGIFNETMASK                    = 0xc0206925
-	SIOCGIFPDSTADDR                   = 0xc0206948
+	SIOCGIFPAIR                       = 0xc02069b1
+	SIOCGIFPARENT                     = 0xc02069b3
 	SIOCGIFPRIORITY                   = 0xc020699c
-	SIOCGIFPSRCADDR                   = 0xc0206947
 	SIOCGIFRDOMAIN                    = 0xc02069a0
 	SIOCGIFRTLABEL                    = 0xc0206983
-	SIOCGIFTIMESLOT                   = 0xc0206986
+	SIOCGIFRXR                        = 0x802069aa
+	SIOCGIFSFFPAGE                    = 0xc1126939
 	SIOCGIFXFLAGS                     = 0xc020699e
-	SIOCGLIFADDR                      = 0xc218691d
 	SIOCGLIFPHYADDR                   = 0xc218694b
+	SIOCGLIFPHYDF                     = 0xc02069c2
+	SIOCGLIFPHYECN                    = 0xc02069c8
 	SIOCGLIFPHYRTABLE                 = 0xc02069a2
 	SIOCGLIFPHYTTL                    = 0xc02069a9
-	SIOCGLOWAT                        = 0x40047303
 	SIOCGPGRP                         = 0x40047309
+	SIOCGPWE3                         = 0xc0206998
+	SIOCGPWE3CTRLWORD                 = 0xc02069dc
+	SIOCGPWE3FAT                      = 0xc02069dd
+	SIOCGPWE3NEIGHBOR                 = 0xc21869de
+	SIOCGRXHPRIO                      = 0xc02069db
 	SIOCGSPPPPARAMS                   = 0xc0206994
+	SIOCGTXHPRIO                      = 0xc02069c6
+	SIOCGUMBINFO                      = 0xc02069be
+	SIOCGUMBPARAM                     = 0xc02069c0
 	SIOCGVH                           = 0xc02069f6
+	SIOCGVNETFLOWID                   = 0xc02069c4
 	SIOCGVNETID                       = 0xc02069a7
+	SIOCIFAFATTACH                    = 0x801169ab
+	SIOCIFAFDETACH                    = 0x801169ac
 	SIOCIFCREATE                      = 0x8020697a
 	SIOCIFDESTROY                     = 0x80206979
 	SIOCIFGCLONERS                    = 0xc00c6978
 	SIOCSETKALIVE                     = 0x801869a3
 	SIOCSETLABEL                      = 0x80206999
+	SIOCSETMPWCFG                     = 0x802069ad
 	SIOCSETPFLOW                      = 0x802069fd
 	SIOCSETPFSYNC                     = 0x802069f7
 	SIOCSETVLAN                       = 0x8020698f
-	SIOCSHIWAT                        = 0x80047300
 	SIOCSIFADDR                       = 0x8020690c
-	SIOCSIFASYNCMAP                   = 0x8020697d
 	SIOCSIFBRDADDR                    = 0x80206913
 	SIOCSIFDESCR                      = 0x80206980
 	SIOCSIFDSTADDR                    = 0x8020690e
@@ -1209,25 +1387,37 @@ const (
 	SIOCSIFGATTR                      = 0x8024698c
 	SIOCSIFGENERIC                    = 0x80206939
 	SIOCSIFLLADDR                     = 0x8020691f
-	SIOCSIFMEDIA                      = 0xc0206935
+	SIOCSIFLLPRIO                     = 0x802069b5
+	SIOCSIFMEDIA                      = 0xc0206937
 	SIOCSIFMETRIC                     = 0x80206918
 	SIOCSIFMTU                        = 0x8020697f
 	SIOCSIFNETMASK                    = 0x80206916
-	SIOCSIFPHYADDR                    = 0x80406946
+	SIOCSIFPAIR                       = 0x802069b0
+	SIOCSIFPARENT                     = 0x802069b2
 	SIOCSIFPRIORITY                   = 0x8020699b
 	SIOCSIFRDOMAIN                    = 0x8020699f
 	SIOCSIFRTLABEL                    = 0x80206982
-	SIOCSIFTIMESLOT                   = 0x80206985
 	SIOCSIFXFLAGS                     = 0x8020699d
 	SIOCSLIFPHYADDR                   = 0x8218694a
+	SIOCSLIFPHYDF                     = 0x802069c1
+	SIOCSLIFPHYECN                    = 0x802069c7
 	SIOCSLIFPHYRTABLE                 = 0x802069a1
 	SIOCSLIFPHYTTL                    = 0x802069a8
-	SIOCSLOWAT                        = 0x80047302
 	SIOCSPGRP                         = 0x80047308
+	SIOCSPWE3CTRLWORD                 = 0x802069dc
+	SIOCSPWE3FAT                      = 0x802069dd
+	SIOCSPWE3NEIGHBOR                 = 0x821869de
+	SIOCSRXHPRIO                      = 0x802069db
 	SIOCSSPPPPARAMS                   = 0x80206993
+	SIOCSTXHPRIO                      = 0x802069c5
+	SIOCSUMBPARAM                     = 0x802069bf
 	SIOCSVH                           = 0xc02069f5
+	SIOCSVNETFLOWID                   = 0x802069c3
 	SIOCSVNETID                       = 0x802069a6
+	SOCK_CLOEXEC                      = 0x8000
 	SOCK_DGRAM                        = 0x2
+	SOCK_DNS                          = 0x1000
+	SOCK_NONBLOCK                     = 0x4000
 	SOCK_RAW                          = 0x3
 	SOCK_RDM                          = 0x4
 	SOCK_SEQPACKET                    = 0x5
@@ -1238,6 +1428,7 @@ const (
 	SO_BINDANY                        = 0x1000
 	SO_BROADCAST                      = 0x20
 	SO_DEBUG                          = 0x1
+	SO_DOMAIN                         = 0x1024
 	SO_DONTROUTE                      = 0x10
 	SO_ERROR                          = 0x1007
 	SO_KEEPALIVE                      = 0x8
@@ -1245,6 +1436,7 @@ const (
 	SO_NETPROC                        = 0x1020
 	SO_OOBINLINE                      = 0x100
 	SO_PEERCRED                       = 0x1022
+	SO_PROTOCOL                       = 0x1025
 	SO_RCVBUF                         = 0x1002
 	SO_RCVLOWAT                       = 0x1004
 	SO_RCVTIMEO                       = 0x1006
@@ -1258,6 +1450,7 @@ const (
 	SO_TIMESTAMP                      = 0x800
 	SO_TYPE                           = 0x1008
 	SO_USELOOPBACK                    = 0x40
+	SO_ZEROIZE                        = 0x2000
 	S_BLKSIZE                         = 0x200
 	S_IEXEC                           = 0x40
 	S_IFBLK                           = 0x6000
@@ -1287,9 +1480,24 @@ const (
 	S_IXOTH                           = 0x1
 	S_IXUSR                           = 0x40
 	TCIFLUSH                          = 0x1
+	TCIOFF                            = 0x3
 	TCIOFLUSH                         = 0x3
+	TCION                             = 0x4
 	TCOFLUSH                          = 0x2
-	TCP_MAXBURST                      = 0x4
+	TCOOFF                            = 0x1
+	TCOON                             = 0x2
+	TCPOPT_EOL                        = 0x0
+	TCPOPT_MAXSEG                     = 0x2
+	TCPOPT_NOP                        = 0x1
+	TCPOPT_SACK                       = 0x5
+	TCPOPT_SACK_HDR                   = 0x1010500
+	TCPOPT_SACK_PERMITTED             = 0x4
+	TCPOPT_SACK_PERMIT_HDR            = 0x1010402
+	TCPOPT_SIGNATURE                  = 0x13
+	TCPOPT_TIMESTAMP                  = 0x8
+	TCPOPT_TSTAMP_HDR                 = 0x101080a
+	TCPOPT_WINDOW                     = 0x3
+	TCP_INFO                          = 0x9
 	TCP_MAXSEG                        = 0x2
 	TCP_MAXWIN                        = 0xffff
 	TCP_MAX_SACK                      = 0x3
@@ -1298,11 +1506,15 @@ const (
 	TCP_MSS                           = 0x200
 	TCP_NODELAY                       = 0x1
 	TCP_NOPUSH                        = 0x10
-	TCP_NSTATES                       = 0xb
+	TCP_SACKHOLE_LIMIT                = 0x80
 	TCP_SACK_ENABLE                   = 0x8
 	TCSAFLUSH                         = 0x2
+	TIMER_ABSTIME                     = 0x1
+	TIMER_RELTIME                     = 0x0
 	TIOCCBRK                          = 0x2000747a
 	TIOCCDTR                          = 0x20007478
+	TIOCCHKVERAUTH                    = 0x2000741e
+	TIOCCLRVERAUTH                    = 0x2000741d
 	TIOCCONS                          = 0x80047462
 	TIOCDRAIN                         = 0x2000745e
 	TIOCEXCL                          = 0x2000740d
@@ -1357,17 +1569,21 @@ const (
 	TIOCSETAF                         = 0x802c7416
 	TIOCSETAW                         = 0x802c7415
 	TIOCSETD                          = 0x8004741b
+	TIOCSETVERAUTH                    = 0x8004741c
 	TIOCSFLAGS                        = 0x8004745c
 	TIOCSIG                           = 0x8004745f
 	TIOCSPGRP                         = 0x80047476
 	TIOCSTART                         = 0x2000746e
-	TIOCSTAT                          = 0x80047465
-	TIOCSTI                           = 0x80017472
+	TIOCSTAT                          = 0x20007465
 	TIOCSTOP                          = 0x2000746f
 	TIOCSTSTAMP                       = 0x8008745a
 	TIOCSWINSZ                        = 0x80087467
 	TIOCUCNTL                         = 0x80047466
+	TIOCUCNTL_CBRK                    = 0x7a
+	TIOCUCNTL_SBRK                    = 0x7b
 	TOSTOP                            = 0x400000
+	UTIME_NOW                         = -0x2
+	UTIME_OMIT                        = -0x1
 	VDISCARD                          = 0xf
 	VDSUSP                            = 0xb
 	VEOF                              = 0x0
@@ -1378,6 +1594,19 @@ const (
 	VKILL                             = 0x5
 	VLNEXT                            = 0xe
 	VMIN                              = 0x10
+	VM_ANONMIN                        = 0x7
+	VM_LOADAVG                        = 0x2
+	VM_MALLOC_CONF                    = 0xc
+	VM_MAXID                          = 0xd
+	VM_MAXSLP                         = 0xa
+	VM_METER                          = 0x1
+	VM_NKMEMPAGES                     = 0x6
+	VM_PSSTRINGS                      = 0x3
+	VM_SWAPENCRYPT                    = 0x5
+	VM_USPACE                         = 0xb
+	VM_UVMEXP                         = 0x4
+	VM_VNODEMIN                       = 0x9
+	VM_VTEXTMIN                       = 0x8
 	VQUIT                             = 0x9
 	VREPRINT                          = 0x6
 	VSTART                            = 0xc
@@ -1390,8 +1619,8 @@ const (
 	WCONTINUED                        = 0x8
 	WCOREFLAG                         = 0x80
 	WNOHANG                           = 0x1
-	WSTOPPED                          = 0x7f
 	WUNTRACED                         = 0x2
+	XCASE                             = 0x1000000
 )
 
 // Errors
@@ -1405,6 +1634,7 @@ const (
 	EALREADY        = syscall.Errno(0x25)
 	EAUTH           = syscall.Errno(0x50)
 	EBADF           = syscall.Errno(0x9)
+	EBADMSG         = syscall.Errno(0x5c)
 	EBADRPC         = syscall.Errno(0x48)
 	EBUSY           = syscall.Errno(0x10)
 	ECANCELED       = syscall.Errno(0x58)
@@ -1431,7 +1661,7 @@ const (
 	EIPSEC          = syscall.Errno(0x52)
 	EISCONN         = syscall.Errno(0x38)
 	EISDIR          = syscall.Errno(0x15)
-	ELAST           = syscall.Errno(0x5b)
+	ELAST           = syscall.Errno(0x5f)
 	ELOOP           = syscall.Errno(0x3e)
 	EMEDIUMTYPE     = syscall.Errno(0x56)
 	EMFILE          = syscall.Errno(0x18)
@@ -1459,12 +1689,14 @@ const (
 	ENOTCONN        = syscall.Errno(0x39)
 	ENOTDIR         = syscall.Errno(0x14)
 	ENOTEMPTY       = syscall.Errno(0x42)
+	ENOTRECOVERABLE = syscall.Errno(0x5d)
 	ENOTSOCK        = syscall.Errno(0x26)
 	ENOTSUP         = syscall.Errno(0x5b)
 	ENOTTY          = syscall.Errno(0x19)
 	ENXIO           = syscall.Errno(0x6)
 	EOPNOTSUPP      = syscall.Errno(0x2d)
 	EOVERFLOW       = syscall.Errno(0x57)
+	EOWNERDEAD      = syscall.Errno(0x5e)
 	EPERM           = syscall.Errno(0x1)
 	EPFNOSUPPORT    = syscall.Errno(0x2e)
 	EPIPE           = syscall.Errno(0x20)
@@ -1472,6 +1704,7 @@ const (
 	EPROCUNAVAIL    = syscall.Errno(0x4c)
 	EPROGMISMATCH   = syscall.Errno(0x4b)
 	EPROGUNAVAIL    = syscall.Errno(0x4a)
+	EPROTO          = syscall.Errno(0x5f)
 	EPROTONOSUPPORT = syscall.Errno(0x2b)
 	EPROTOTYPE      = syscall.Errno(0x29)
 	ERANGE          = syscall.Errno(0x22)
@@ -1568,7 +1801,7 @@ var errorList = [...]struct {
 	{32, "EPIPE", "broken pipe"},
 	{33, "EDOM", "numerical argument out of domain"},
 	{34, "ERANGE", "result too large"},
-	{35, "EWOULDBLOCK", "resource temporarily unavailable"},
+	{35, "EAGAIN", "resource temporarily unavailable"},
 	{36, "EINPROGRESS", "operation now in progress"},
 	{37, "EALREADY", "operation already in progress"},
 	{38, "ENOTSOCK", "socket operation on non-socket"},
@@ -1624,7 +1857,11 @@ var errorList = [...]struct {
 	{88, "ECANCELED", "operation canceled"},
 	{89, "EIDRM", "identifier removed"},
 	{90, "ENOMSG", "no message of desired type"},
-	{91, "ELAST", "not supported"},
+	{91, "ENOTSUP", "not supported"},
+	{92, "EBADMSG", "bad message"},
+	{93, "ENOTRECOVERABLE", "state not recoverable"},
+	{94, "EOWNERDEAD", "previous owner died"},
+	{95, "ELAST", "protocol error"},
 }
 
 // Signal table
@@ -1638,7 +1875,7 @@ var signalList = [...]struct {
 	{3, "SIGQUIT", "quit"},
 	{4, "SIGILL", "illegal instruction"},
 	{5, "SIGTRAP", "trace/BPT trap"},
-	{6, "SIGABRT", "abort trap"},
+	{6, "SIGIOT", "abort trap"},
 	{7, "SIGEMT", "EMT trap"},
 	{8, "SIGFPE", "floating point exception"},
 	{9, "SIGKILL", "killed"},
@@ -1665,4 +1902,5 @@ var signalList = [...]struct {
 	{30, "SIGUSR1", "user defined signal 1"},
 	{31, "SIGUSR2", "user defined signal 2"},
 	{32, "SIGTHR", "thread AST"},
+	{28672, "SIGSTKSZ", "unknown signal"},
 }
diff --git a/vendor/golang.org/x/sys/unix/zerrors_openbsd_amd64.go b/vendor/golang.org/x/sys/unix/zerrors_openbsd_amd64.go
index 25cb60948..6015fcb2b 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_openbsd_amd64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_openbsd_amd64.go
@@ -109,6 +109,15 @@ const (
 	BPF_DIRECTION_IN                  = 0x1
 	BPF_DIRECTION_OUT                 = 0x2
 	BPF_DIV                           = 0x30
+	BPF_FILDROP_CAPTURE               = 0x1
+	BPF_FILDROP_DROP                  = 0x2
+	BPF_FILDROP_PASS                  = 0x0
+	BPF_F_DIR_IN                      = 0x10
+	BPF_F_DIR_MASK                    = 0x30
+	BPF_F_DIR_OUT                     = 0x20
+	BPF_F_DIR_SHIFT                   = 0x4
+	BPF_F_FLOWID                      = 0x8
+	BPF_F_PRI_MASK                    = 0x7
 	BPF_H                             = 0x8
 	BPF_IMM                           = 0x0
 	BPF_IND                           = 0x40
@@ -137,6 +146,7 @@ const (
 	BPF_OR                            = 0x40
 	BPF_RELEASE                       = 0x30bb6
 	BPF_RET                           = 0x6
+	BPF_RND                           = 0xc0
 	BPF_RSH                           = 0x70
 	BPF_ST                            = 0x2
 	BPF_STX                           = 0x3
@@ -177,7 +187,65 @@ const (
 	CTL_KERN                          = 0x1
 	CTL_MAXNAME                       = 0xc
 	CTL_NET                           = 0x4
+	DIOCADDQUEUE                      = 0xc110445d
+	DIOCADDRULE                       = 0xcd604404
+	DIOCADDSTATE                      = 0xc1084425
+	DIOCCHANGERULE                    = 0xcd60441a
+	DIOCCLRIFFLAG                     = 0xc028445a
+	DIOCCLRSRCNODES                   = 0x20004455
+	DIOCCLRSTATES                     = 0xc0e04412
+	DIOCCLRSTATUS                     = 0xc0284416
+	DIOCGETLIMIT                      = 0xc0084427
+	DIOCGETQSTATS                     = 0xc1204460
+	DIOCGETQUEUE                      = 0xc110445f
+	DIOCGETQUEUES                     = 0xc110445e
+	DIOCGETRULE                       = 0xcd604407
+	DIOCGETRULES                      = 0xcd604406
+	DIOCGETRULESET                    = 0xc444443b
+	DIOCGETRULESETS                   = 0xc444443a
+	DIOCGETSRCNODES                   = 0xc0104454
+	DIOCGETSTATE                      = 0xc1084413
+	DIOCGETSTATES                     = 0xc0104419
+	DIOCGETSTATUS                     = 0xc1e84415
+	DIOCGETSYNFLWATS                  = 0xc0084463
+	DIOCGETTIMEOUT                    = 0xc008441e
+	DIOCIGETIFACES                    = 0xc0284457
+	DIOCKILLSRCNODES                  = 0xc080445b
+	DIOCKILLSTATES                    = 0xc0e04429
+	DIOCNATLOOK                       = 0xc0504417
+	DIOCOSFPADD                       = 0xc088444f
 	DIOCOSFPFLUSH                     = 0x2000444e
+	DIOCOSFPGET                       = 0xc0884450
+	DIOCRADDADDRS                     = 0xc4504443
+	DIOCRADDTABLES                    = 0xc450443d
+	DIOCRCLRADDRS                     = 0xc4504442
+	DIOCRCLRASTATS                    = 0xc4504448
+	DIOCRCLRTABLES                    = 0xc450443c
+	DIOCRCLRTSTATS                    = 0xc4504441
+	DIOCRDELADDRS                     = 0xc4504444
+	DIOCRDELTABLES                    = 0xc450443e
+	DIOCRGETADDRS                     = 0xc4504446
+	DIOCRGETASTATS                    = 0xc4504447
+	DIOCRGETTABLES                    = 0xc450443f
+	DIOCRGETTSTATS                    = 0xc4504440
+	DIOCRINADEFINE                    = 0xc450444d
+	DIOCRSETADDRS                     = 0xc4504445
+	DIOCRSETTFLAGS                    = 0xc450444a
+	DIOCRTSTADDRS                     = 0xc4504449
+	DIOCSETDEBUG                      = 0xc0044418
+	DIOCSETHOSTID                     = 0xc0044456
+	DIOCSETIFFLAG                     = 0xc0284459
+	DIOCSETLIMIT                      = 0xc0084428
+	DIOCSETREASS                      = 0xc004445c
+	DIOCSETSTATUSIF                   = 0xc0284414
+	DIOCSETSYNCOOKIES                 = 0xc0014462
+	DIOCSETSYNFLWATS                  = 0xc0084461
+	DIOCSETTIMEOUT                    = 0xc008441d
+	DIOCSTART                         = 0x20004401
+	DIOCSTOP                          = 0x20004402
+	DIOCXBEGIN                        = 0xc0104451
+	DIOCXCOMMIT                       = 0xc0104452
+	DIOCXROLLBACK                     = 0xc0104453
 	DLT_ARCNET                        = 0x7
 	DLT_ATM_RFC1483                   = 0xb
 	DLT_AX25                          = 0x3
@@ -240,6 +308,8 @@ const (
 	EMUL_ENABLED                      = 0x1
 	EMUL_NATIVE                       = 0x2
 	ENDRUNDISC                        = 0x9
+	ETH64_8021_RSVD_MASK              = 0xfffffffffff0
+	ETH64_8021_RSVD_PREFIX            = 0x180c2000000
 	ETHERMIN                          = 0x2e
 	ETHERMTU                          = 0x5dc
 	ETHERTYPE_8023                    = 0x4
@@ -292,6 +362,7 @@ const (
 	ETHERTYPE_DN                      = 0x6003
 	ETHERTYPE_DOGFIGHT                = 0x1989
 	ETHERTYPE_DSMD                    = 0x8039
+	ETHERTYPE_EAPOL                   = 0x888e
 	ETHERTYPE_ECMA                    = 0x803
 	ETHERTYPE_ENCRYPT                 = 0x803d
 	ETHERTYPE_ES                      = 0x805d
@@ -323,6 +394,7 @@ const (
 	ETHERTYPE_LLDP                    = 0x88cc
 	ETHERTYPE_LOGICRAFT               = 0x8148
 	ETHERTYPE_LOOPBACK                = 0x9000
+	ETHERTYPE_MACSEC                  = 0x88e5
 	ETHERTYPE_MATRA                   = 0x807a
 	ETHERTYPE_MAX                     = 0xffff
 	ETHERTYPE_MERIT                   = 0x807c
@@ -351,15 +423,17 @@ const (
 	ETHERTYPE_NCD                     = 0x8149
 	ETHERTYPE_NESTAR                  = 0x8006
 	ETHERTYPE_NETBEUI                 = 0x8191
+	ETHERTYPE_NHRP                    = 0x2001
 	ETHERTYPE_NOVELL                  = 0x8138
 	ETHERTYPE_NS                      = 0x600
 	ETHERTYPE_NSAT                    = 0x601
 	ETHERTYPE_NSCOMPAT                = 0x807
+	ETHERTYPE_NSH                     = 0x984f
 	ETHERTYPE_NTRAILER                = 0x10
 	ETHERTYPE_OS9                     = 0x7007
 	ETHERTYPE_OS9NET                  = 0x7009
 	ETHERTYPE_PACER                   = 0x80c6
-	ETHERTYPE_PAE                     = 0x888e
+	ETHERTYPE_PBB                     = 0x88e7
 	ETHERTYPE_PCS                     = 0x4242
 	ETHERTYPE_PLANNING                = 0x8044
 	ETHERTYPE_PPP                     = 0x880b
@@ -441,10 +515,11 @@ const (
 	ETHER_VLAN_ENCAP_LEN              = 0x4
 	EVFILT_AIO                        = -0x3
 	EVFILT_DEVICE                     = -0x8
+	EVFILT_EXCEPT                     = -0x9
 	EVFILT_PROC                       = -0x5
 	EVFILT_READ                       = -0x1
 	EVFILT_SIGNAL                     = -0x6
-	EVFILT_SYSCOUNT                   = 0x8
+	EVFILT_SYSCOUNT                   = 0x9
 	EVFILT_TIMER                      = -0x7
 	EVFILT_VNODE                      = -0x4
 	EVFILT_WRITE                      = -0x2
@@ -466,7 +541,7 @@ const (
 	EV_FLAG1                          = 0x2000
 	EV_ONESHOT                        = 0x10
 	EV_RECEIPT                        = 0x40
-	EV_SYSFLAGS                       = 0xf000
+	EV_SYSFLAGS                       = 0xf800
 	EXTA                              = 0x4b00
 	EXTB                              = 0x9600
 	EXTPROC                           = 0x800
@@ -732,6 +807,7 @@ const (
 	IFT_VOICEOVERCABLE                = 0xc6
 	IFT_VOICEOVERFRAMERELAY           = 0x99
 	IFT_VOICEOVERIP                   = 0x68
+	IFT_WIREGUARD                     = 0xfb
 	IFT_X213                          = 0x5d
 	IFT_X25                           = 0x5
 	IFT_X25DDN                        = 0x4
@@ -797,9 +873,11 @@ const (
 	IPPROTO_RAW                       = 0xff
 	IPPROTO_ROUTING                   = 0x2b
 	IPPROTO_RSVP                      = 0x2e
+	IPPROTO_SCTP                      = 0x84
 	IPPROTO_TCP                       = 0x6
 	IPPROTO_TP                        = 0x1d
 	IPPROTO_UDP                       = 0x11
+	IPPROTO_UDPLITE                   = 0x88
 	IPV6_AUTH_LEVEL                   = 0x35
 	IPV6_AUTOFLOWLABEL                = 0x3b
 	IPV6_CHECKSUM                     = 0x1a
@@ -906,6 +984,9 @@ const (
 	IP_TTL                            = 0x4
 	ISIG                              = 0x80
 	ISTRIP                            = 0x20
+	ITIMER_PROF                       = 0x2
+	ITIMER_REAL                       = 0x0
+	ITIMER_VIRTUAL                    = 0x1
 	IUCLC                             = 0x1000
 	IXANY                             = 0x800
 	IXOFF                             = 0x400
@@ -970,12 +1051,26 @@ const (
 	MNT_ROOTFS                        = 0x4000
 	MNT_SOFTDEP                       = 0x4000000
 	MNT_STALLED                       = 0x100000
+	MNT_SWAPPABLE                     = 0x200000
 	MNT_SYNCHRONOUS                   = 0x2
 	MNT_UPDATE                        = 0x10000
 	MNT_VISFLAGMASK                   = 0x400ffff
 	MNT_WAIT                          = 0x1
 	MNT_WANTRDWR                      = 0x2000000
 	MNT_WXALLOWED                     = 0x800
+	MOUNT_AFS                         = "afs"
+	MOUNT_CD9660                      = "cd9660"
+	MOUNT_EXT2FS                      = "ext2fs"
+	MOUNT_FFS                         = "ffs"
+	MOUNT_FUSEFS                      = "fuse"
+	MOUNT_MFS                         = "mfs"
+	MOUNT_MSDOS                       = "msdos"
+	MOUNT_NCPFS                       = "ncpfs"
+	MOUNT_NFS                         = "nfs"
+	MOUNT_NTFS                        = "ntfs"
+	MOUNT_TMPFS                       = "tmpfs"
+	MOUNT_UDF                         = "udf"
+	MOUNT_UFS                         = "ffs"
 	MSG_BCAST                         = 0x100
 	MSG_CMSG_CLOEXEC                  = 0x800
 	MSG_CTRUNC                        = 0x20
@@ -988,6 +1083,7 @@ const (
 	MSG_PEEK                          = 0x2
 	MSG_TRUNC                         = 0x10
 	MSG_WAITALL                       = 0x40
+	MSG_WAITFORONE                    = 0x1000
 	MS_ASYNC                          = 0x1
 	MS_INVALIDATE                     = 0x4
 	MS_SYNC                           = 0x2
@@ -996,7 +1092,8 @@ const (
 	NET_RT_FLAGS                      = 0x2
 	NET_RT_IFLIST                     = 0x3
 	NET_RT_IFNAMES                    = 0x6
-	NET_RT_MAXID                      = 0x7
+	NET_RT_MAXID                      = 0x8
+	NET_RT_SOURCE                     = 0x7
 	NET_RT_STATS                      = 0x4
 	NET_RT_TABLE                      = 0x5
 	NFDBITS                           = 0x20
@@ -1013,6 +1110,7 @@ const (
 	NOTE_FORK                         = 0x40000000
 	NOTE_LINK                         = 0x10
 	NOTE_LOWAT                        = 0x1
+	NOTE_OOB                          = 0x4
 	NOTE_PCTRLMASK                    = 0xf0000000
 	NOTE_PDATAMASK                    = 0xfffff
 	NOTE_RENAME                       = 0x20
@@ -1130,9 +1228,11 @@ const (
 	RTF_STATIC                        = 0x800
 	RTF_UP                            = 0x1
 	RTF_USETRAILERS                   = 0x8000
+	RTM_80211INFO                     = 0x15
 	RTM_ADD                           = 0x1
 	RTM_BFD                           = 0x12
 	RTM_CHANGE                        = 0x3
+	RTM_CHGADDRATTR                   = 0x14
 	RTM_DELADDR                       = 0xd
 	RTM_DELETE                        = 0x2
 	RTM_DESYNC                        = 0x10
@@ -1140,7 +1240,6 @@ const (
 	RTM_IFANNOUNCE                    = 0xf
 	RTM_IFINFO                        = 0xe
 	RTM_INVALIDATE                    = 0x11
-	RTM_LOCK                          = 0x8
 	RTM_LOSING                        = 0x5
 	RTM_MAXSIZE                       = 0x800
 	RTM_MISS                          = 0x7
@@ -1148,7 +1247,7 @@ const (
 	RTM_PROPOSAL                      = 0x13
 	RTM_REDIRECT                      = 0x6
 	RTM_RESOLVE                       = 0xb
-	RTM_RTTUNIT                       = 0xf4240
+	RTM_SOURCE                        = 0x16
 	RTM_VERSION                       = 0x5
 	RTV_EXPIRE                        = 0x4
 	RTV_HOPCOUNT                      = 0x2
@@ -1166,6 +1265,9 @@ const (
 	RUSAGE_THREAD                     = 0x1
 	SCM_RIGHTS                        = 0x1
 	SCM_TIMESTAMP                     = 0x4
+	SEEK_CUR                          = 0x1
+	SEEK_END                          = 0x2
+	SEEK_SET                          = 0x0
 	SHUT_RD                           = 0x0
 	SHUT_RDWR                         = 0x2
 	SHUT_WR                           = 0x1
@@ -1182,35 +1284,37 @@ const (
 	SIOCBRDGDELS                      = 0x80606942
 	SIOCBRDGFLUSH                     = 0x80606948
 	SIOCBRDGFRL                       = 0x808c694e
-	SIOCBRDGGCACHE                    = 0xc0186941
-	SIOCBRDGGFD                       = 0xc0186952
-	SIOCBRDGGHT                       = 0xc0186951
+	SIOCBRDGGCACHE                    = 0xc0146941
+	SIOCBRDGGFD                       = 0xc0146952
+	SIOCBRDGGHT                       = 0xc0146951
 	SIOCBRDGGIFFLGS                   = 0xc060693e
-	SIOCBRDGGMA                       = 0xc0186953
+	SIOCBRDGGMA                       = 0xc0146953
 	SIOCBRDGGPARAM                    = 0xc0406958
-	SIOCBRDGGPRI                      = 0xc0186950
+	SIOCBRDGGPRI                      = 0xc0146950
 	SIOCBRDGGRL                       = 0xc030694f
-	SIOCBRDGGTO                       = 0xc0186946
+	SIOCBRDGGTO                       = 0xc0146946
 	SIOCBRDGIFS                       = 0xc0606942
 	SIOCBRDGRTS                       = 0xc0206943
 	SIOCBRDGSADDR                     = 0xc1286944
-	SIOCBRDGSCACHE                    = 0x80186940
-	SIOCBRDGSFD                       = 0x80186952
-	SIOCBRDGSHT                       = 0x80186951
+	SIOCBRDGSCACHE                    = 0x80146940
+	SIOCBRDGSFD                       = 0x80146952
+	SIOCBRDGSHT                       = 0x80146951
 	SIOCBRDGSIFCOST                   = 0x80606955
 	SIOCBRDGSIFFLGS                   = 0x8060693f
 	SIOCBRDGSIFPRIO                   = 0x80606954
 	SIOCBRDGSIFPROT                   = 0x8060694a
-	SIOCBRDGSMA                       = 0x80186953
-	SIOCBRDGSPRI                      = 0x80186950
-	SIOCBRDGSPROTO                    = 0x8018695a
-	SIOCBRDGSTO                       = 0x80186945
-	SIOCBRDGSTXHC                     = 0x80186959
+	SIOCBRDGSMA                       = 0x80146953
+	SIOCBRDGSPRI                      = 0x80146950
+	SIOCBRDGSPROTO                    = 0x8014695a
+	SIOCBRDGSTO                       = 0x80146945
+	SIOCBRDGSTXHC                     = 0x80146959
+	SIOCDELLABEL                      = 0x80206997
 	SIOCDELMULTI                      = 0x80206932
 	SIOCDIFADDR                       = 0x80206919
 	SIOCDIFGROUP                      = 0x80286989
 	SIOCDIFPARENT                     = 0x802069b4
 	SIOCDIFPHYADDR                    = 0x80206949
+	SIOCDPWE3NEIGHBOR                 = 0x802069de
 	SIOCDVNETID                       = 0x802069af
 	SIOCGETKALIVE                     = 0xc01869a4
 	SIOCGETLABEL                      = 0x8020699a
@@ -1229,6 +1333,7 @@ const (
 	SIOCGIFFLAGS                      = 0xc0206911
 	SIOCGIFGATTR                      = 0xc028698b
 	SIOCGIFGENERIC                    = 0xc020693a
+	SIOCGIFGLIST                      = 0xc028698d
 	SIOCGIFGMEMB                      = 0xc028698a
 	SIOCGIFGROUP                      = 0xc0286988
 	SIOCGIFHARDMTU                    = 0xc02069a5
@@ -1243,13 +1348,21 @@ const (
 	SIOCGIFRDOMAIN                    = 0xc02069a0
 	SIOCGIFRTLABEL                    = 0xc0206983
 	SIOCGIFRXR                        = 0x802069aa
+	SIOCGIFSFFPAGE                    = 0xc1126939
 	SIOCGIFXFLAGS                     = 0xc020699e
 	SIOCGLIFPHYADDR                   = 0xc218694b
 	SIOCGLIFPHYDF                     = 0xc02069c2
+	SIOCGLIFPHYECN                    = 0xc02069c8
 	SIOCGLIFPHYRTABLE                 = 0xc02069a2
 	SIOCGLIFPHYTTL                    = 0xc02069a9
 	SIOCGPGRP                         = 0x40047309
+	SIOCGPWE3                         = 0xc0206998
+	SIOCGPWE3CTRLWORD                 = 0xc02069dc
+	SIOCGPWE3FAT                      = 0xc02069dd
+	SIOCGPWE3NEIGHBOR                 = 0xc21869de
+	SIOCGRXHPRIO                      = 0xc02069db
 	SIOCGSPPPPARAMS                   = 0xc0206994
+	SIOCGTXHPRIO                      = 0xc02069c6
 	SIOCGUMBINFO                      = 0xc02069be
 	SIOCGUMBPARAM                     = 0xc02069c0
 	SIOCGVH                           = 0xc02069f6
@@ -1287,19 +1400,20 @@ const (
 	SIOCSIFXFLAGS                     = 0x8020699d
 	SIOCSLIFPHYADDR                   = 0x8218694a
 	SIOCSLIFPHYDF                     = 0x802069c1
+	SIOCSLIFPHYECN                    = 0x802069c7
 	SIOCSLIFPHYRTABLE                 = 0x802069a1
 	SIOCSLIFPHYTTL                    = 0x802069a8
 	SIOCSPGRP                         = 0x80047308
+	SIOCSPWE3CTRLWORD                 = 0x802069dc
+	SIOCSPWE3FAT                      = 0x802069dd
+	SIOCSPWE3NEIGHBOR                 = 0x821869de
+	SIOCSRXHPRIO                      = 0x802069db
 	SIOCSSPPPPARAMS                   = 0x80206993
+	SIOCSTXHPRIO                      = 0x802069c5
 	SIOCSUMBPARAM                     = 0x802069bf
 	SIOCSVH                           = 0xc02069f5
 	SIOCSVNETFLOWID                   = 0x802069c3
 	SIOCSVNETID                       = 0x802069a6
-	SIOCSWGDPID                       = 0xc018695b
-	SIOCSWGMAXFLOW                    = 0xc0186960
-	SIOCSWGMAXGROUP                   = 0xc018695d
-	SIOCSWSDPID                       = 0x8018695c
-	SIOCSWSPORTNO                     = 0xc060695f
 	SOCK_CLOEXEC                      = 0x8000
 	SOCK_DGRAM                        = 0x2
 	SOCK_DNS                          = 0x1000
@@ -1314,6 +1428,7 @@ const (
 	SO_BINDANY                        = 0x1000
 	SO_BROADCAST                      = 0x20
 	SO_DEBUG                          = 0x1
+	SO_DOMAIN                         = 0x1024
 	SO_DONTROUTE                      = 0x10
 	SO_ERROR                          = 0x1007
 	SO_KEEPALIVE                      = 0x8
@@ -1321,6 +1436,7 @@ const (
 	SO_NETPROC                        = 0x1020
 	SO_OOBINLINE                      = 0x100
 	SO_PEERCRED                       = 0x1022
+	SO_PROTOCOL                       = 0x1025
 	SO_RCVBUF                         = 0x1002
 	SO_RCVLOWAT                       = 0x1004
 	SO_RCVTIMEO                       = 0x1006
@@ -1370,7 +1486,18 @@ const (
 	TCOFLUSH                          = 0x2
 	TCOOFF                            = 0x1
 	TCOON                             = 0x2
-	TCP_MAXBURST                      = 0x4
+	TCPOPT_EOL                        = 0x0
+	TCPOPT_MAXSEG                     = 0x2
+	TCPOPT_NOP                        = 0x1
+	TCPOPT_SACK                       = 0x5
+	TCPOPT_SACK_HDR                   = 0x1010500
+	TCPOPT_SACK_PERMITTED             = 0x4
+	TCPOPT_SACK_PERMIT_HDR            = 0x1010402
+	TCPOPT_SIGNATURE                  = 0x13
+	TCPOPT_TIMESTAMP                  = 0x8
+	TCPOPT_TSTAMP_HDR                 = 0x101080a
+	TCPOPT_WINDOW                     = 0x3
+	TCP_INFO                          = 0x9
 	TCP_MAXSEG                        = 0x2
 	TCP_MAXWIN                        = 0xffff
 	TCP_MAX_SACK                      = 0x3
@@ -1379,8 +1506,11 @@ const (
 	TCP_MSS                           = 0x200
 	TCP_NODELAY                       = 0x1
 	TCP_NOPUSH                        = 0x10
+	TCP_SACKHOLE_LIMIT                = 0x80
 	TCP_SACK_ENABLE                   = 0x8
 	TCSAFLUSH                         = 0x2
+	TIMER_ABSTIME                     = 0x1
+	TIMER_RELTIME                     = 0x0
 	TIOCCBRK                          = 0x2000747a
 	TIOCCDTR                          = 0x20007478
 	TIOCCHKVERAUTH                    = 0x2000741e
@@ -1445,7 +1575,6 @@ const (
 	TIOCSPGRP                         = 0x80047476
 	TIOCSTART                         = 0x2000746e
 	TIOCSTAT                          = 0x20007465
-	TIOCSTI                           = 0x80017472
 	TIOCSTOP                          = 0x2000746f
 	TIOCSTSTAMP                       = 0x8008745a
 	TIOCSWINSZ                        = 0x80087467
@@ -1467,7 +1596,8 @@ const (
 	VMIN                              = 0x10
 	VM_ANONMIN                        = 0x7
 	VM_LOADAVG                        = 0x2
-	VM_MAXID                          = 0xc
+	VM_MALLOC_CONF                    = 0xc
+	VM_MAXID                          = 0xd
 	VM_MAXSLP                         = 0xa
 	VM_METER                          = 0x1
 	VM_NKMEMPAGES                     = 0x6
@@ -1745,7 +1875,7 @@ var signalList = [...]struct {
 	{3, "SIGQUIT", "quit"},
 	{4, "SIGILL", "illegal instruction"},
 	{5, "SIGTRAP", "trace/BPT trap"},
-	{6, "SIGABRT", "abort trap"},
+	{6, "SIGIOT", "abort trap"},
 	{7, "SIGEMT", "EMT trap"},
 	{8, "SIGFPE", "floating point exception"},
 	{9, "SIGKILL", "killed"},
@@ -1772,4 +1902,5 @@ var signalList = [...]struct {
 	{30, "SIGUSR1", "user defined signal 1"},
 	{31, "SIGUSR2", "user defined signal 2"},
 	{32, "SIGTHR", "thread AST"},
+	{28672, "SIGSTKSZ", "unknown signal"},
 }
diff --git a/vendor/golang.org/x/sys/unix/zerrors_openbsd_arm.go b/vendor/golang.org/x/sys/unix/zerrors_openbsd_arm.go
index aef6c0856..8d44955e4 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_openbsd_arm.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_openbsd_arm.go
@@ -46,6 +46,7 @@ const (
 	AF_SNA                            = 0xb
 	AF_UNIX                           = 0x1
 	AF_UNSPEC                         = 0x0
+	ALTWERASE                         = 0x200
 	ARPHRD_ETHER                      = 0x1
 	ARPHRD_FRELAY                     = 0xf
 	ARPHRD_IEEE1394                   = 0x18
@@ -82,7 +83,7 @@ const (
 	BIOCGFILDROP                      = 0x40044278
 	BIOCGHDRCMPLT                     = 0x40044274
 	BIOCGRSIG                         = 0x40044273
-	BIOCGRTIMEOUT                     = 0x400c426e
+	BIOCGRTIMEOUT                     = 0x4010426e
 	BIOCGSTATS                        = 0x4008426f
 	BIOCIMMEDIATE                     = 0x80044270
 	BIOCLOCK                          = 0x20004276
@@ -96,7 +97,7 @@ const (
 	BIOCSFILDROP                      = 0x80044279
 	BIOCSHDRCMPLT                     = 0x80044275
 	BIOCSRSIG                         = 0x80044272
-	BIOCSRTIMEOUT                     = 0x800c426d
+	BIOCSRTIMEOUT                     = 0x8010426d
 	BIOCVERSION                       = 0x40044271
 	BPF_A                             = 0x10
 	BPF_ABS                           = 0x20
@@ -108,6 +109,15 @@ const (
 	BPF_DIRECTION_IN                  = 0x1
 	BPF_DIRECTION_OUT                 = 0x2
 	BPF_DIV                           = 0x30
+	BPF_FILDROP_CAPTURE               = 0x1
+	BPF_FILDROP_DROP                  = 0x2
+	BPF_FILDROP_PASS                  = 0x0
+	BPF_F_DIR_IN                      = 0x10
+	BPF_F_DIR_MASK                    = 0x30
+	BPF_F_DIR_OUT                     = 0x20
+	BPF_F_DIR_SHIFT                   = 0x4
+	BPF_F_FLOWID                      = 0x8
+	BPF_F_PRI_MASK                    = 0x7
 	BPF_H                             = 0x8
 	BPF_IMM                           = 0x0
 	BPF_IND                           = 0x40
@@ -136,6 +146,7 @@ const (
 	BPF_OR                            = 0x40
 	BPF_RELEASE                       = 0x30bb6
 	BPF_RET                           = 0x6
+	BPF_RND                           = 0xc0
 	BPF_RSH                           = 0x70
 	BPF_ST                            = 0x2
 	BPF_STX                           = 0x3
@@ -147,6 +158,12 @@ const (
 	BRKINT                            = 0x2
 	CFLUSH                            = 0xf
 	CLOCAL                            = 0x8000
+	CLOCK_BOOTTIME                    = 0x6
+	CLOCK_MONOTONIC                   = 0x3
+	CLOCK_PROCESS_CPUTIME_ID          = 0x2
+	CLOCK_REALTIME                    = 0x0
+	CLOCK_THREAD_CPUTIME_ID           = 0x4
+	CLOCK_UPTIME                      = 0x5
 	CPUSTATES                         = 0x6
 	CP_IDLE                           = 0x5
 	CP_INTR                           = 0x4
@@ -170,7 +187,65 @@ const (
 	CTL_KERN                          = 0x1
 	CTL_MAXNAME                       = 0xc
 	CTL_NET                           = 0x4
+	DIOCADDQUEUE                      = 0xc100445d
+	DIOCADDRULE                       = 0xcce04404
+	DIOCADDSTATE                      = 0xc1084425
+	DIOCCHANGERULE                    = 0xcce0441a
+	DIOCCLRIFFLAG                     = 0xc024445a
+	DIOCCLRSRCNODES                   = 0x20004455
+	DIOCCLRSTATES                     = 0xc0d04412
+	DIOCCLRSTATUS                     = 0xc0244416
+	DIOCGETLIMIT                      = 0xc0084427
+	DIOCGETQSTATS                     = 0xc1084460
+	DIOCGETQUEUE                      = 0xc100445f
+	DIOCGETQUEUES                     = 0xc100445e
+	DIOCGETRULE                       = 0xcce04407
+	DIOCGETRULES                      = 0xcce04406
+	DIOCGETRULESET                    = 0xc444443b
+	DIOCGETRULESETS                   = 0xc444443a
+	DIOCGETSRCNODES                   = 0xc0084454
+	DIOCGETSTATE                      = 0xc1084413
+	DIOCGETSTATES                     = 0xc0084419
+	DIOCGETSTATUS                     = 0xc1e84415
+	DIOCGETSYNFLWATS                  = 0xc0084463
+	DIOCGETTIMEOUT                    = 0xc008441e
+	DIOCIGETIFACES                    = 0xc0244457
+	DIOCKILLSRCNODES                  = 0xc068445b
+	DIOCKILLSTATES                    = 0xc0d04429
+	DIOCNATLOOK                       = 0xc0504417
+	DIOCOSFPADD                       = 0xc088444f
 	DIOCOSFPFLUSH                     = 0x2000444e
+	DIOCOSFPGET                       = 0xc0884450
+	DIOCRADDADDRS                     = 0xc44c4443
+	DIOCRADDTABLES                    = 0xc44c443d
+	DIOCRCLRADDRS                     = 0xc44c4442
+	DIOCRCLRASTATS                    = 0xc44c4448
+	DIOCRCLRTABLES                    = 0xc44c443c
+	DIOCRCLRTSTATS                    = 0xc44c4441
+	DIOCRDELADDRS                     = 0xc44c4444
+	DIOCRDELTABLES                    = 0xc44c443e
+	DIOCRGETADDRS                     = 0xc44c4446
+	DIOCRGETASTATS                    = 0xc44c4447
+	DIOCRGETTABLES                    = 0xc44c443f
+	DIOCRGETTSTATS                    = 0xc44c4440
+	DIOCRINADEFINE                    = 0xc44c444d
+	DIOCRSETADDRS                     = 0xc44c4445
+	DIOCRSETTFLAGS                    = 0xc44c444a
+	DIOCRTSTADDRS                     = 0xc44c4449
+	DIOCSETDEBUG                      = 0xc0044418
+	DIOCSETHOSTID                     = 0xc0044456
+	DIOCSETIFFLAG                     = 0xc0244459
+	DIOCSETLIMIT                      = 0xc0084428
+	DIOCSETREASS                      = 0xc004445c
+	DIOCSETSTATUSIF                   = 0xc0244414
+	DIOCSETSYNCOOKIES                 = 0xc0014462
+	DIOCSETSYNFLWATS                  = 0xc0084461
+	DIOCSETTIMEOUT                    = 0xc008441d
+	DIOCSTART                         = 0x20004401
+	DIOCSTOP                          = 0x20004402
+	DIOCXBEGIN                        = 0xc00c4451
+	DIOCXCOMMIT                       = 0xc00c4452
+	DIOCXROLLBACK                     = 0xc00c4453
 	DLT_ARCNET                        = 0x7
 	DLT_ATM_RFC1483                   = 0xb
 	DLT_AX25                          = 0x3
@@ -186,6 +261,7 @@ const (
 	DLT_LOOP                          = 0xc
 	DLT_MPLS                          = 0xdb
 	DLT_NULL                          = 0x0
+	DLT_OPENFLOW                      = 0x10b
 	DLT_PFLOG                         = 0x75
 	DLT_PFSYNC                        = 0x12
 	DLT_PPP                           = 0x9
@@ -196,6 +272,23 @@ const (
 	DLT_RAW                           = 0xe
 	DLT_SLIP                          = 0x8
 	DLT_SLIP_BSDOS                    = 0xf
+	DLT_USBPCAP                       = 0xf9
+	DLT_USER0                         = 0x93
+	DLT_USER1                         = 0x94
+	DLT_USER10                        = 0x9d
+	DLT_USER11                        = 0x9e
+	DLT_USER12                        = 0x9f
+	DLT_USER13                        = 0xa0
+	DLT_USER14                        = 0xa1
+	DLT_USER15                        = 0xa2
+	DLT_USER2                         = 0x95
+	DLT_USER3                         = 0x96
+	DLT_USER4                         = 0x97
+	DLT_USER5                         = 0x98
+	DLT_USER6                         = 0x99
+	DLT_USER7                         = 0x9a
+	DLT_USER8                         = 0x9b
+	DLT_USER9                         = 0x9c
 	DT_BLK                            = 0x6
 	DT_CHR                            = 0x2
 	DT_DIR                            = 0x4
@@ -215,6 +308,8 @@ const (
 	EMUL_ENABLED                      = 0x1
 	EMUL_NATIVE                       = 0x2
 	ENDRUNDISC                        = 0x9
+	ETH64_8021_RSVD_MASK              = 0xfffffffffff0
+	ETH64_8021_RSVD_PREFIX            = 0x180c2000000
 	ETHERMIN                          = 0x2e
 	ETHERMTU                          = 0x5dc
 	ETHERTYPE_8023                    = 0x4
@@ -267,6 +362,7 @@ const (
 	ETHERTYPE_DN                      = 0x6003
 	ETHERTYPE_DOGFIGHT                = 0x1989
 	ETHERTYPE_DSMD                    = 0x8039
+	ETHERTYPE_EAPOL                   = 0x888e
 	ETHERTYPE_ECMA                    = 0x803
 	ETHERTYPE_ENCRYPT                 = 0x803d
 	ETHERTYPE_ES                      = 0x805d
@@ -298,6 +394,7 @@ const (
 	ETHERTYPE_LLDP                    = 0x88cc
 	ETHERTYPE_LOGICRAFT               = 0x8148
 	ETHERTYPE_LOOPBACK                = 0x9000
+	ETHERTYPE_MACSEC                  = 0x88e5
 	ETHERTYPE_MATRA                   = 0x807a
 	ETHERTYPE_MAX                     = 0xffff
 	ETHERTYPE_MERIT                   = 0x807c
@@ -326,15 +423,17 @@ const (
 	ETHERTYPE_NCD                     = 0x8149
 	ETHERTYPE_NESTAR                  = 0x8006
 	ETHERTYPE_NETBEUI                 = 0x8191
+	ETHERTYPE_NHRP                    = 0x2001
 	ETHERTYPE_NOVELL                  = 0x8138
 	ETHERTYPE_NS                      = 0x600
 	ETHERTYPE_NSAT                    = 0x601
 	ETHERTYPE_NSCOMPAT                = 0x807
+	ETHERTYPE_NSH                     = 0x984f
 	ETHERTYPE_NTRAILER                = 0x10
 	ETHERTYPE_OS9                     = 0x7007
 	ETHERTYPE_OS9NET                  = 0x7009
 	ETHERTYPE_PACER                   = 0x80c6
-	ETHERTYPE_PAE                     = 0x888e
+	ETHERTYPE_PBB                     = 0x88e7
 	ETHERTYPE_PCS                     = 0x4242
 	ETHERTYPE_PLANNING                = 0x8044
 	ETHERTYPE_PPP                     = 0x880b
@@ -409,28 +508,40 @@ const (
 	ETHER_CRC_POLY_LE                 = 0xedb88320
 	ETHER_HDR_LEN                     = 0xe
 	ETHER_MAX_DIX_LEN                 = 0x600
+	ETHER_MAX_HARDMTU_LEN             = 0xff9b
 	ETHER_MAX_LEN                     = 0x5ee
 	ETHER_MIN_LEN                     = 0x40
 	ETHER_TYPE_LEN                    = 0x2
 	ETHER_VLAN_ENCAP_LEN              = 0x4
 	EVFILT_AIO                        = -0x3
+	EVFILT_DEVICE                     = -0x8
+	EVFILT_EXCEPT                     = -0x9
 	EVFILT_PROC                       = -0x5
 	EVFILT_READ                       = -0x1
 	EVFILT_SIGNAL                     = -0x6
-	EVFILT_SYSCOUNT                   = 0x7
+	EVFILT_SYSCOUNT                   = 0x9
 	EVFILT_TIMER                      = -0x7
 	EVFILT_VNODE                      = -0x4
 	EVFILT_WRITE                      = -0x2
+	EVL_ENCAPLEN                      = 0x4
+	EVL_PRIO_BITS                     = 0xd
+	EVL_PRIO_MAX                      = 0x7
+	EVL_VLID_MASK                     = 0xfff
+	EVL_VLID_MAX                      = 0xffe
+	EVL_VLID_MIN                      = 0x1
+	EVL_VLID_NULL                     = 0x0
 	EV_ADD                            = 0x1
 	EV_CLEAR                          = 0x20
 	EV_DELETE                         = 0x2
 	EV_DISABLE                        = 0x8
+	EV_DISPATCH                       = 0x80
 	EV_ENABLE                         = 0x4
 	EV_EOF                            = 0x8000
 	EV_ERROR                          = 0x4000
 	EV_FLAG1                          = 0x2000
 	EV_ONESHOT                        = 0x10
-	EV_SYSFLAGS                       = 0xf000
+	EV_RECEIPT                        = 0x40
+	EV_SYSFLAGS                       = 0xf800
 	EXTA                              = 0x4b00
 	EXTB                              = 0x9600
 	EXTPROC                           = 0x800
@@ -443,6 +554,8 @@ const (
 	F_GETFL                           = 0x3
 	F_GETLK                           = 0x7
 	F_GETOWN                          = 0x5
+	F_ISATTY                          = 0xb
+	F_OK                              = 0x0
 	F_RDLCK                           = 0x1
 	F_SETFD                           = 0x2
 	F_SETFL                           = 0x4
@@ -459,7 +572,6 @@ const (
 	IEXTEN                            = 0x400
 	IFAN_ARRIVAL                      = 0x0
 	IFAN_DEPARTURE                    = 0x1
-	IFA_ROUTE                         = 0x1
 	IFF_ALLMULTI                      = 0x200
 	IFF_BROADCAST                     = 0x2
 	IFF_CANTCHANGE                    = 0x8e52
@@ -470,12 +582,12 @@ const (
 	IFF_LOOPBACK                      = 0x8
 	IFF_MULTICAST                     = 0x8000
 	IFF_NOARP                         = 0x80
-	IFF_NOTRAILERS                    = 0x20
 	IFF_OACTIVE                       = 0x400
 	IFF_POINTOPOINT                   = 0x10
 	IFF_PROMISC                       = 0x100
 	IFF_RUNNING                       = 0x40
 	IFF_SIMPLEX                       = 0x800
+	IFF_STATICARP                     = 0x20
 	IFF_UP                            = 0x1
 	IFNAMSIZ                          = 0x10
 	IFT_1822                          = 0x2
@@ -604,6 +716,7 @@ const (
 	IFT_LINEGROUP                     = 0xd2
 	IFT_LOCALTALK                     = 0x2a
 	IFT_LOOP                          = 0x18
+	IFT_MBIM                          = 0xfa
 	IFT_MEDIAMAILOVERIP               = 0x8b
 	IFT_MFSIGLINK                     = 0xa7
 	IFT_MIOX25                        = 0x26
@@ -694,6 +807,7 @@ const (
 	IFT_VOICEOVERCABLE                = 0xc6
 	IFT_VOICEOVERFRAMERELAY           = 0x99
 	IFT_VOICEOVERIP                   = 0x68
+	IFT_WIREGUARD                     = 0xfb
 	IFT_X213                          = 0x5d
 	IFT_X25                           = 0x5
 	IFT_X25DDN                        = 0x4
@@ -728,8 +842,6 @@ const (
 	IPPROTO_AH                        = 0x33
 	IPPROTO_CARP                      = 0x70
 	IPPROTO_DIVERT                    = 0x102
-	IPPROTO_DIVERT_INIT               = 0x2
-	IPPROTO_DIVERT_RESP               = 0x1
 	IPPROTO_DONE                      = 0x101
 	IPPROTO_DSTOPTS                   = 0x3c
 	IPPROTO_EGP                       = 0x8
@@ -761,9 +873,11 @@ const (
 	IPPROTO_RAW                       = 0xff
 	IPPROTO_ROUTING                   = 0x2b
 	IPPROTO_RSVP                      = 0x2e
+	IPPROTO_SCTP                      = 0x84
 	IPPROTO_TCP                       = 0x6
 	IPPROTO_TP                        = 0x1d
 	IPPROTO_UDP                       = 0x11
+	IPPROTO_UDPLITE                   = 0x88
 	IPV6_AUTH_LEVEL                   = 0x35
 	IPV6_AUTOFLOWLABEL                = 0x3b
 	IPV6_CHECKSUM                     = 0x1a
@@ -786,6 +900,7 @@ const (
 	IPV6_LEAVE_GROUP                  = 0xd
 	IPV6_MAXHLIM                      = 0xff
 	IPV6_MAXPACKET                    = 0xffff
+	IPV6_MINHOPCOUNT                  = 0x41
 	IPV6_MMTU                         = 0x500
 	IPV6_MULTICAST_HOPS               = 0xa
 	IPV6_MULTICAST_IF                 = 0x9
@@ -825,12 +940,12 @@ const (
 	IP_DEFAULT_MULTICAST_LOOP         = 0x1
 	IP_DEFAULT_MULTICAST_TTL          = 0x1
 	IP_DF                             = 0x4000
-	IP_DIVERTFL                       = 0x1022
 	IP_DROP_MEMBERSHIP                = 0xd
 	IP_ESP_NETWORK_LEVEL              = 0x16
 	IP_ESP_TRANS_LEVEL                = 0x15
 	IP_HDRINCL                        = 0x2
 	IP_IPCOMP_LEVEL                   = 0x1d
+	IP_IPDEFTTL                       = 0x25
 	IP_IPSECFLOWINFO                  = 0x24
 	IP_IPSEC_LOCAL_AUTH               = 0x1b
 	IP_IPSEC_LOCAL_CRED               = 0x19
@@ -864,10 +979,15 @@ const (
 	IP_RETOPTS                        = 0x8
 	IP_RF                             = 0x8000
 	IP_RTABLE                         = 0x1021
+	IP_SENDSRCADDR                    = 0x7
 	IP_TOS                            = 0x3
 	IP_TTL                            = 0x4
 	ISIG                              = 0x80
 	ISTRIP                            = 0x20
+	ITIMER_PROF                       = 0x2
+	ITIMER_REAL                       = 0x0
+	ITIMER_VIRTUAL                    = 0x1
+	IUCLC                             = 0x1000
 	IXANY                             = 0x800
 	IXOFF                             = 0x400
 	IXON                              = 0x200
@@ -922,6 +1042,7 @@ const (
 	MNT_NOATIME                       = 0x8000
 	MNT_NODEV                         = 0x10
 	MNT_NOEXEC                        = 0x4
+	MNT_NOPERM                        = 0x20
 	MNT_NOSUID                        = 0x8
 	MNT_NOWAIT                        = 0x2
 	MNT_QUOTA                         = 0x2000
@@ -929,12 +1050,27 @@ const (
 	MNT_RELOAD                        = 0x40000
 	MNT_ROOTFS                        = 0x4000
 	MNT_SOFTDEP                       = 0x4000000
+	MNT_STALLED                       = 0x100000
+	MNT_SWAPPABLE                     = 0x200000
 	MNT_SYNCHRONOUS                   = 0x2
 	MNT_UPDATE                        = 0x10000
 	MNT_VISFLAGMASK                   = 0x400ffff
 	MNT_WAIT                          = 0x1
 	MNT_WANTRDWR                      = 0x2000000
 	MNT_WXALLOWED                     = 0x800
+	MOUNT_AFS                         = "afs"
+	MOUNT_CD9660                      = "cd9660"
+	MOUNT_EXT2FS                      = "ext2fs"
+	MOUNT_FFS                         = "ffs"
+	MOUNT_FUSEFS                      = "fuse"
+	MOUNT_MFS                         = "mfs"
+	MOUNT_MSDOS                       = "msdos"
+	MOUNT_NCPFS                       = "ncpfs"
+	MOUNT_NFS                         = "nfs"
+	MOUNT_NTFS                        = "ntfs"
+	MOUNT_TMPFS                       = "tmpfs"
+	MOUNT_UDF                         = "udf"
+	MOUNT_UFS                         = "ffs"
 	MSG_BCAST                         = 0x100
 	MSG_CMSG_CLOEXEC                  = 0x800
 	MSG_CTRUNC                        = 0x20
@@ -947,6 +1083,7 @@ const (
 	MSG_PEEK                          = 0x2
 	MSG_TRUNC                         = 0x10
 	MSG_WAITALL                       = 0x40
+	MSG_WAITFORONE                    = 0x1000
 	MS_ASYNC                          = 0x1
 	MS_INVALIDATE                     = 0x4
 	MS_SYNC                           = 0x2
@@ -954,12 +1091,16 @@ const (
 	NET_RT_DUMP                       = 0x1
 	NET_RT_FLAGS                      = 0x2
 	NET_RT_IFLIST                     = 0x3
-	NET_RT_MAXID                      = 0x6
+	NET_RT_IFNAMES                    = 0x6
+	NET_RT_MAXID                      = 0x8
+	NET_RT_SOURCE                     = 0x7
 	NET_RT_STATS                      = 0x4
 	NET_RT_TABLE                      = 0x5
 	NFDBITS                           = 0x20
 	NOFLSH                            = 0x80000000
+	NOKERNINFO                        = 0x2000000
 	NOTE_ATTRIB                       = 0x8
+	NOTE_CHANGE                       = 0x1
 	NOTE_CHILD                        = 0x4
 	NOTE_DELETE                       = 0x1
 	NOTE_EOF                          = 0x2
@@ -969,6 +1110,7 @@ const (
 	NOTE_FORK                         = 0x40000000
 	NOTE_LINK                         = 0x10
 	NOTE_LOWAT                        = 0x1
+	NOTE_OOB                          = 0x4
 	NOTE_PCTRLMASK                    = 0xf0000000
 	NOTE_PDATAMASK                    = 0xfffff
 	NOTE_RENAME                       = 0x20
@@ -978,11 +1120,13 @@ const (
 	NOTE_TRUNCATE                     = 0x80
 	NOTE_WRITE                        = 0x2
 	OCRNL                             = 0x10
+	OLCUC                             = 0x20
 	ONLCR                             = 0x2
 	ONLRET                            = 0x80
 	ONOCR                             = 0x40
 	ONOEOT                            = 0x8
 	OPOST                             = 0x1
+	OXTABS                            = 0x4
 	O_ACCMODE                         = 0x3
 	O_APPEND                          = 0x8
 	O_ASYNC                           = 0x40
@@ -1027,19 +1171,25 @@ const (
 	RLIMIT_STACK                      = 0x3
 	RLIM_INFINITY                     = 0x7fffffffffffffff
 	RTAX_AUTHOR                       = 0x6
+	RTAX_BFD                          = 0xb
 	RTAX_BRD                          = 0x7
+	RTAX_DNS                          = 0xc
 	RTAX_DST                          = 0x0
 	RTAX_GATEWAY                      = 0x1
 	RTAX_GENMASK                      = 0x3
 	RTAX_IFA                          = 0x5
 	RTAX_IFP                          = 0x4
 	RTAX_LABEL                        = 0xa
-	RTAX_MAX                          = 0xb
+	RTAX_MAX                          = 0xf
 	RTAX_NETMASK                      = 0x2
+	RTAX_SEARCH                       = 0xe
 	RTAX_SRC                          = 0x8
 	RTAX_SRCMASK                      = 0x9
+	RTAX_STATIC                       = 0xd
 	RTA_AUTHOR                        = 0x40
+	RTA_BFD                           = 0x800
 	RTA_BRD                           = 0x80
+	RTA_DNS                           = 0x1000
 	RTA_DST                           = 0x1
 	RTA_GATEWAY                       = 0x2
 	RTA_GENMASK                       = 0x8
@@ -1047,24 +1197,29 @@ const (
 	RTA_IFP                           = 0x10
 	RTA_LABEL                         = 0x400
 	RTA_NETMASK                       = 0x4
+	RTA_SEARCH                        = 0x4000
 	RTA_SRC                           = 0x100
 	RTA_SRCMASK                       = 0x200
+	RTA_STATIC                        = 0x2000
 	RTF_ANNOUNCE                      = 0x4000
+	RTF_BFD                           = 0x1000000
 	RTF_BLACKHOLE                     = 0x1000
 	RTF_BROADCAST                     = 0x400000
+	RTF_CACHED                        = 0x20000
 	RTF_CLONED                        = 0x10000
 	RTF_CLONING                       = 0x100
+	RTF_CONNECTED                     = 0x800000
 	RTF_DONE                          = 0x40
 	RTF_DYNAMIC                       = 0x10
-	RTF_FMASK                         = 0x70f808
+	RTF_FMASK                         = 0x110fc08
 	RTF_GATEWAY                       = 0x2
 	RTF_HOST                          = 0x4
 	RTF_LLINFO                        = 0x400
 	RTF_LOCAL                         = 0x200000
-	RTF_MASK                          = 0x80
 	RTF_MODIFIED                      = 0x20
 	RTF_MPATH                         = 0x40000
 	RTF_MPLS                          = 0x100000
+	RTF_MULTICAST                     = 0x200
 	RTF_PERMANENT_ARP                 = 0x2000
 	RTF_PROTO1                        = 0x8000
 	RTF_PROTO2                        = 0x4000
@@ -1073,23 +1228,26 @@ const (
 	RTF_STATIC                        = 0x800
 	RTF_UP                            = 0x1
 	RTF_USETRAILERS                   = 0x8000
-	RTF_XRESOLVE                      = 0x200
+	RTM_80211INFO                     = 0x15
 	RTM_ADD                           = 0x1
+	RTM_BFD                           = 0x12
 	RTM_CHANGE                        = 0x3
+	RTM_CHGADDRATTR                   = 0x14
 	RTM_DELADDR                       = 0xd
 	RTM_DELETE                        = 0x2
 	RTM_DESYNC                        = 0x10
 	RTM_GET                           = 0x4
 	RTM_IFANNOUNCE                    = 0xf
 	RTM_IFINFO                        = 0xe
-	RTM_LOCK                          = 0x8
+	RTM_INVALIDATE                    = 0x11
 	RTM_LOSING                        = 0x5
 	RTM_MAXSIZE                       = 0x800
 	RTM_MISS                          = 0x7
 	RTM_NEWADDR                       = 0xc
+	RTM_PROPOSAL                      = 0x13
 	RTM_REDIRECT                      = 0x6
 	RTM_RESOLVE                       = 0xb
-	RTM_RTTUNIT                       = 0xf4240
+	RTM_SOURCE                        = 0x16
 	RTM_VERSION                       = 0x5
 	RTV_EXPIRE                        = 0x4
 	RTV_HOPCOUNT                      = 0x2
@@ -1099,67 +1257,74 @@ const (
 	RTV_RTTVAR                        = 0x80
 	RTV_SPIPE                         = 0x10
 	RTV_SSTHRESH                      = 0x20
+	RT_TABLEID_BITS                   = 0x8
+	RT_TABLEID_MASK                   = 0xff
 	RT_TABLEID_MAX                    = 0xff
 	RUSAGE_CHILDREN                   = -0x1
 	RUSAGE_SELF                       = 0x0
 	RUSAGE_THREAD                     = 0x1
 	SCM_RIGHTS                        = 0x1
 	SCM_TIMESTAMP                     = 0x4
+	SEEK_CUR                          = 0x1
+	SEEK_END                          = 0x2
+	SEEK_SET                          = 0x0
 	SHUT_RD                           = 0x0
 	SHUT_RDWR                         = 0x2
 	SHUT_WR                           = 0x1
 	SIOCADDMULTI                      = 0x80206931
 	SIOCAIFADDR                       = 0x8040691a
 	SIOCAIFGROUP                      = 0x80246987
-	SIOCALIFADDR                      = 0x8218691c
 	SIOCATMARK                        = 0x40047307
-	SIOCBRDGADD                       = 0x8054693c
-	SIOCBRDGADDS                      = 0x80546941
-	SIOCBRDGARL                       = 0x806e694d
+	SIOCBRDGADD                       = 0x8060693c
+	SIOCBRDGADDL                      = 0x80606949
+	SIOCBRDGADDS                      = 0x80606941
+	SIOCBRDGARL                       = 0x808c694d
 	SIOCBRDGDADDR                     = 0x81286947
-	SIOCBRDGDEL                       = 0x8054693d
-	SIOCBRDGDELS                      = 0x80546942
-	SIOCBRDGFLUSH                     = 0x80546948
-	SIOCBRDGFRL                       = 0x806e694e
+	SIOCBRDGDEL                       = 0x8060693d
+	SIOCBRDGDELS                      = 0x80606942
+	SIOCBRDGFLUSH                     = 0x80606948
+	SIOCBRDGFRL                       = 0x808c694e
 	SIOCBRDGGCACHE                    = 0xc0146941
 	SIOCBRDGGFD                       = 0xc0146952
 	SIOCBRDGGHT                       = 0xc0146951
-	SIOCBRDGGIFFLGS                   = 0xc054693e
+	SIOCBRDGGIFFLGS                   = 0xc060693e
 	SIOCBRDGGMA                       = 0xc0146953
-	SIOCBRDGGPARAM                    = 0xc03c6958
+	SIOCBRDGGPARAM                    = 0xc0406958
 	SIOCBRDGGPRI                      = 0xc0146950
 	SIOCBRDGGRL                       = 0xc028694f
-	SIOCBRDGGSIFS                     = 0xc054693c
 	SIOCBRDGGTO                       = 0xc0146946
-	SIOCBRDGIFS                       = 0xc0546942
+	SIOCBRDGIFS                       = 0xc0606942
 	SIOCBRDGRTS                       = 0xc0186943
 	SIOCBRDGSADDR                     = 0xc1286944
 	SIOCBRDGSCACHE                    = 0x80146940
 	SIOCBRDGSFD                       = 0x80146952
 	SIOCBRDGSHT                       = 0x80146951
-	SIOCBRDGSIFCOST                   = 0x80546955
-	SIOCBRDGSIFFLGS                   = 0x8054693f
-	SIOCBRDGSIFPRIO                   = 0x80546954
+	SIOCBRDGSIFCOST                   = 0x80606955
+	SIOCBRDGSIFFLGS                   = 0x8060693f
+	SIOCBRDGSIFPRIO                   = 0x80606954
+	SIOCBRDGSIFPROT                   = 0x8060694a
 	SIOCBRDGSMA                       = 0x80146953
 	SIOCBRDGSPRI                      = 0x80146950
 	SIOCBRDGSPROTO                    = 0x8014695a
 	SIOCBRDGSTO                       = 0x80146945
 	SIOCBRDGSTXHC                     = 0x80146959
+	SIOCDELLABEL                      = 0x80206997
 	SIOCDELMULTI                      = 0x80206932
 	SIOCDIFADDR                       = 0x80206919
 	SIOCDIFGROUP                      = 0x80246989
+	SIOCDIFPARENT                     = 0x802069b4
 	SIOCDIFPHYADDR                    = 0x80206949
-	SIOCDLIFADDR                      = 0x8218691e
+	SIOCDPWE3NEIGHBOR                 = 0x802069de
+	SIOCDVNETID                       = 0x802069af
 	SIOCGETKALIVE                     = 0xc01869a4
 	SIOCGETLABEL                      = 0x8020699a
+	SIOCGETMPWCFG                     = 0xc02069ae
 	SIOCGETPFLOW                      = 0xc02069fe
 	SIOCGETPFSYNC                     = 0xc02069f8
 	SIOCGETSGCNT                      = 0xc0147534
 	SIOCGETVIFCNT                     = 0xc0147533
 	SIOCGETVLAN                       = 0xc0206990
-	SIOCGHIWAT                        = 0x40047301
 	SIOCGIFADDR                       = 0xc0206921
-	SIOCGIFASYNCMAP                   = 0xc020697c
 	SIOCGIFBRDADDR                    = 0xc0206923
 	SIOCGIFCONF                       = 0xc0086924
 	SIOCGIFDATA                       = 0xc020691b
@@ -1168,41 +1333,53 @@ const (
 	SIOCGIFFLAGS                      = 0xc0206911
 	SIOCGIFGATTR                      = 0xc024698b
 	SIOCGIFGENERIC                    = 0xc020693a
+	SIOCGIFGLIST                      = 0xc024698d
 	SIOCGIFGMEMB                      = 0xc024698a
 	SIOCGIFGROUP                      = 0xc0246988
 	SIOCGIFHARDMTU                    = 0xc02069a5
-	SIOCGIFMEDIA                      = 0xc0286936
+	SIOCGIFLLPRIO                     = 0xc02069b6
+	SIOCGIFMEDIA                      = 0xc0386938
 	SIOCGIFMETRIC                     = 0xc0206917
 	SIOCGIFMTU                        = 0xc020697e
 	SIOCGIFNETMASK                    = 0xc0206925
-	SIOCGIFPDSTADDR                   = 0xc0206948
+	SIOCGIFPAIR                       = 0xc02069b1
+	SIOCGIFPARENT                     = 0xc02069b3
 	SIOCGIFPRIORITY                   = 0xc020699c
-	SIOCGIFPSRCADDR                   = 0xc0206947
 	SIOCGIFRDOMAIN                    = 0xc02069a0
 	SIOCGIFRTLABEL                    = 0xc0206983
 	SIOCGIFRXR                        = 0x802069aa
-	SIOCGIFTIMESLOT                   = 0xc0206986
+	SIOCGIFSFFPAGE                    = 0xc1126939
 	SIOCGIFXFLAGS                     = 0xc020699e
-	SIOCGLIFADDR                      = 0xc218691d
 	SIOCGLIFPHYADDR                   = 0xc218694b
+	SIOCGLIFPHYDF                     = 0xc02069c2
+	SIOCGLIFPHYECN                    = 0xc02069c8
 	SIOCGLIFPHYRTABLE                 = 0xc02069a2
 	SIOCGLIFPHYTTL                    = 0xc02069a9
-	SIOCGLOWAT                        = 0x40047303
 	SIOCGPGRP                         = 0x40047309
+	SIOCGPWE3                         = 0xc0206998
+	SIOCGPWE3CTRLWORD                 = 0xc02069dc
+	SIOCGPWE3FAT                      = 0xc02069dd
+	SIOCGPWE3NEIGHBOR                 = 0xc21869de
+	SIOCGRXHPRIO                      = 0xc02069db
 	SIOCGSPPPPARAMS                   = 0xc0206994
+	SIOCGTXHPRIO                      = 0xc02069c6
+	SIOCGUMBINFO                      = 0xc02069be
+	SIOCGUMBPARAM                     = 0xc02069c0
 	SIOCGVH                           = 0xc02069f6
+	SIOCGVNETFLOWID                   = 0xc02069c4
 	SIOCGVNETID                       = 0xc02069a7
+	SIOCIFAFATTACH                    = 0x801169ab
+	SIOCIFAFDETACH                    = 0x801169ac
 	SIOCIFCREATE                      = 0x8020697a
 	SIOCIFDESTROY                     = 0x80206979
 	SIOCIFGCLONERS                    = 0xc00c6978
 	SIOCSETKALIVE                     = 0x801869a3
 	SIOCSETLABEL                      = 0x80206999
+	SIOCSETMPWCFG                     = 0x802069ad
 	SIOCSETPFLOW                      = 0x802069fd
 	SIOCSETPFSYNC                     = 0x802069f7
 	SIOCSETVLAN                       = 0x8020698f
-	SIOCSHIWAT                        = 0x80047300
 	SIOCSIFADDR                       = 0x8020690c
-	SIOCSIFASYNCMAP                   = 0x8020697d
 	SIOCSIFBRDADDR                    = 0x80206913
 	SIOCSIFDESCR                      = 0x80206980
 	SIOCSIFDSTADDR                    = 0x8020690e
@@ -1210,26 +1387,36 @@ const (
 	SIOCSIFGATTR                      = 0x8024698c
 	SIOCSIFGENERIC                    = 0x80206939
 	SIOCSIFLLADDR                     = 0x8020691f
-	SIOCSIFMEDIA                      = 0xc0206935
+	SIOCSIFLLPRIO                     = 0x802069b5
+	SIOCSIFMEDIA                      = 0xc0206937
 	SIOCSIFMETRIC                     = 0x80206918
 	SIOCSIFMTU                        = 0x8020697f
 	SIOCSIFNETMASK                    = 0x80206916
-	SIOCSIFPHYADDR                    = 0x80406946
+	SIOCSIFPAIR                       = 0x802069b0
+	SIOCSIFPARENT                     = 0x802069b2
 	SIOCSIFPRIORITY                   = 0x8020699b
 	SIOCSIFRDOMAIN                    = 0x8020699f
 	SIOCSIFRTLABEL                    = 0x80206982
-	SIOCSIFTIMESLOT                   = 0x80206985
 	SIOCSIFXFLAGS                     = 0x8020699d
 	SIOCSLIFPHYADDR                   = 0x8218694a
+	SIOCSLIFPHYDF                     = 0x802069c1
+	SIOCSLIFPHYECN                    = 0x802069c7
 	SIOCSLIFPHYRTABLE                 = 0x802069a1
 	SIOCSLIFPHYTTL                    = 0x802069a8
-	SIOCSLOWAT                        = 0x80047302
 	SIOCSPGRP                         = 0x80047308
+	SIOCSPWE3CTRLWORD                 = 0x802069dc
+	SIOCSPWE3FAT                      = 0x802069dd
+	SIOCSPWE3NEIGHBOR                 = 0x821869de
+	SIOCSRXHPRIO                      = 0x802069db
 	SIOCSSPPPPARAMS                   = 0x80206993
+	SIOCSTXHPRIO                      = 0x802069c5
+	SIOCSUMBPARAM                     = 0x802069bf
 	SIOCSVH                           = 0xc02069f5
+	SIOCSVNETFLOWID                   = 0x802069c3
 	SIOCSVNETID                       = 0x802069a6
 	SOCK_CLOEXEC                      = 0x8000
 	SOCK_DGRAM                        = 0x2
+	SOCK_DNS                          = 0x1000
 	SOCK_NONBLOCK                     = 0x4000
 	SOCK_RAW                          = 0x3
 	SOCK_RDM                          = 0x4
@@ -1241,6 +1428,7 @@ const (
 	SO_BINDANY                        = 0x1000
 	SO_BROADCAST                      = 0x20
 	SO_DEBUG                          = 0x1
+	SO_DOMAIN                         = 0x1024
 	SO_DONTROUTE                      = 0x10
 	SO_ERROR                          = 0x1007
 	SO_KEEPALIVE                      = 0x8
@@ -1248,6 +1436,7 @@ const (
 	SO_NETPROC                        = 0x1020
 	SO_OOBINLINE                      = 0x100
 	SO_PEERCRED                       = 0x1022
+	SO_PROTOCOL                       = 0x1025
 	SO_RCVBUF                         = 0x1002
 	SO_RCVLOWAT                       = 0x1004
 	SO_RCVTIMEO                       = 0x1006
@@ -1261,6 +1450,7 @@ const (
 	SO_TIMESTAMP                      = 0x800
 	SO_TYPE                           = 0x1008
 	SO_USELOOPBACK                    = 0x40
+	SO_ZEROIZE                        = 0x2000
 	S_BLKSIZE                         = 0x200
 	S_IEXEC                           = 0x40
 	S_IFBLK                           = 0x6000
@@ -1290,9 +1480,24 @@ const (
 	S_IXOTH                           = 0x1
 	S_IXUSR                           = 0x40
 	TCIFLUSH                          = 0x1
+	TCIOFF                            = 0x3
 	TCIOFLUSH                         = 0x3
+	TCION                             = 0x4
 	TCOFLUSH                          = 0x2
-	TCP_MAXBURST                      = 0x4
+	TCOOFF                            = 0x1
+	TCOON                             = 0x2
+	TCPOPT_EOL                        = 0x0
+	TCPOPT_MAXSEG                     = 0x2
+	TCPOPT_NOP                        = 0x1
+	TCPOPT_SACK                       = 0x5
+	TCPOPT_SACK_HDR                   = 0x1010500
+	TCPOPT_SACK_PERMITTED             = 0x4
+	TCPOPT_SACK_PERMIT_HDR            = 0x1010402
+	TCPOPT_SIGNATURE                  = 0x13
+	TCPOPT_TIMESTAMP                  = 0x8
+	TCPOPT_TSTAMP_HDR                 = 0x101080a
+	TCPOPT_WINDOW                     = 0x3
+	TCP_INFO                          = 0x9
 	TCP_MAXSEG                        = 0x2
 	TCP_MAXWIN                        = 0xffff
 	TCP_MAX_SACK                      = 0x3
@@ -1301,11 +1506,15 @@ const (
 	TCP_MSS                           = 0x200
 	TCP_NODELAY                       = 0x1
 	TCP_NOPUSH                        = 0x10
-	TCP_NSTATES                       = 0xb
+	TCP_SACKHOLE_LIMIT                = 0x80
 	TCP_SACK_ENABLE                   = 0x8
 	TCSAFLUSH                         = 0x2
+	TIMER_ABSTIME                     = 0x1
+	TIMER_RELTIME                     = 0x0
 	TIOCCBRK                          = 0x2000747a
 	TIOCCDTR                          = 0x20007478
+	TIOCCHKVERAUTH                    = 0x2000741e
+	TIOCCLRVERAUTH                    = 0x2000741d
 	TIOCCONS                          = 0x80047462
 	TIOCDRAIN                         = 0x2000745e
 	TIOCEXCL                          = 0x2000740d
@@ -1321,7 +1530,7 @@ const (
 	TIOCGFLAGS                        = 0x4004745d
 	TIOCGPGRP                         = 0x40047477
 	TIOCGSID                          = 0x40047463
-	TIOCGTSTAMP                       = 0x400c745b
+	TIOCGTSTAMP                       = 0x4010745b
 	TIOCGWINSZ                        = 0x40087468
 	TIOCMBIC                          = 0x8004746b
 	TIOCMBIS                          = 0x8004746c
@@ -1360,17 +1569,21 @@ const (
 	TIOCSETAF                         = 0x802c7416
 	TIOCSETAW                         = 0x802c7415
 	TIOCSETD                          = 0x8004741b
+	TIOCSETVERAUTH                    = 0x8004741c
 	TIOCSFLAGS                        = 0x8004745c
 	TIOCSIG                           = 0x8004745f
 	TIOCSPGRP                         = 0x80047476
 	TIOCSTART                         = 0x2000746e
-	TIOCSTAT                          = 0x80047465
-	TIOCSTI                           = 0x80017472
+	TIOCSTAT                          = 0x20007465
 	TIOCSTOP                          = 0x2000746f
 	TIOCSTSTAMP                       = 0x8008745a
 	TIOCSWINSZ                        = 0x80087467
 	TIOCUCNTL                         = 0x80047466
+	TIOCUCNTL_CBRK                    = 0x7a
+	TIOCUCNTL_SBRK                    = 0x7b
 	TOSTOP                            = 0x400000
+	UTIME_NOW                         = -0x2
+	UTIME_OMIT                        = -0x1
 	VDISCARD                          = 0xf
 	VDSUSP                            = 0xb
 	VEOF                              = 0x0
@@ -1381,6 +1594,19 @@ const (
 	VKILL                             = 0x5
 	VLNEXT                            = 0xe
 	VMIN                              = 0x10
+	VM_ANONMIN                        = 0x7
+	VM_LOADAVG                        = 0x2
+	VM_MALLOC_CONF                    = 0xc
+	VM_MAXID                          = 0xd
+	VM_MAXSLP                         = 0xa
+	VM_METER                          = 0x1
+	VM_NKMEMPAGES                     = 0x6
+	VM_PSSTRINGS                      = 0x3
+	VM_SWAPENCRYPT                    = 0x5
+	VM_USPACE                         = 0xb
+	VM_UVMEXP                         = 0x4
+	VM_VNODEMIN                       = 0x9
+	VM_VTEXTMIN                       = 0x8
 	VQUIT                             = 0x9
 	VREPRINT                          = 0x6
 	VSTART                            = 0xc
@@ -1394,6 +1620,7 @@ const (
 	WCOREFLAG                         = 0x80
 	WNOHANG                           = 0x1
 	WUNTRACED                         = 0x2
+	XCASE                             = 0x1000000
 )
 
 // Errors
@@ -1407,6 +1634,7 @@ const (
 	EALREADY        = syscall.Errno(0x25)
 	EAUTH           = syscall.Errno(0x50)
 	EBADF           = syscall.Errno(0x9)
+	EBADMSG         = syscall.Errno(0x5c)
 	EBADRPC         = syscall.Errno(0x48)
 	EBUSY           = syscall.Errno(0x10)
 	ECANCELED       = syscall.Errno(0x58)
@@ -1433,7 +1661,7 @@ const (
 	EIPSEC          = syscall.Errno(0x52)
 	EISCONN         = syscall.Errno(0x38)
 	EISDIR          = syscall.Errno(0x15)
-	ELAST           = syscall.Errno(0x5b)
+	ELAST           = syscall.Errno(0x5f)
 	ELOOP           = syscall.Errno(0x3e)
 	EMEDIUMTYPE     = syscall.Errno(0x56)
 	EMFILE          = syscall.Errno(0x18)
@@ -1461,12 +1689,14 @@ const (
 	ENOTCONN        = syscall.Errno(0x39)
 	ENOTDIR         = syscall.Errno(0x14)
 	ENOTEMPTY       = syscall.Errno(0x42)
+	ENOTRECOVERABLE = syscall.Errno(0x5d)
 	ENOTSOCK        = syscall.Errno(0x26)
 	ENOTSUP         = syscall.Errno(0x5b)
 	ENOTTY          = syscall.Errno(0x19)
 	ENXIO           = syscall.Errno(0x6)
 	EOPNOTSUPP      = syscall.Errno(0x2d)
 	EOVERFLOW       = syscall.Errno(0x57)
+	EOWNERDEAD      = syscall.Errno(0x5e)
 	EPERM           = syscall.Errno(0x1)
 	EPFNOSUPPORT    = syscall.Errno(0x2e)
 	EPIPE           = syscall.Errno(0x20)
@@ -1474,6 +1704,7 @@ const (
 	EPROCUNAVAIL    = syscall.Errno(0x4c)
 	EPROGMISMATCH   = syscall.Errno(0x4b)
 	EPROGUNAVAIL    = syscall.Errno(0x4a)
+	EPROTO          = syscall.Errno(0x5f)
 	EPROTONOSUPPORT = syscall.Errno(0x2b)
 	EPROTOTYPE      = syscall.Errno(0x29)
 	ERANGE          = syscall.Errno(0x22)
@@ -1570,7 +1801,7 @@ var errorList = [...]struct {
 	{32, "EPIPE", "broken pipe"},
 	{33, "EDOM", "numerical argument out of domain"},
 	{34, "ERANGE", "result too large"},
-	{35, "EWOULDBLOCK", "resource temporarily unavailable"},
+	{35, "EAGAIN", "resource temporarily unavailable"},
 	{36, "EINPROGRESS", "operation now in progress"},
 	{37, "EALREADY", "operation already in progress"},
 	{38, "ENOTSOCK", "socket operation on non-socket"},
@@ -1626,7 +1857,11 @@ var errorList = [...]struct {
 	{88, "ECANCELED", "operation canceled"},
 	{89, "EIDRM", "identifier removed"},
 	{90, "ENOMSG", "no message of desired type"},
-	{91, "ELAST", "not supported"},
+	{91, "ENOTSUP", "not supported"},
+	{92, "EBADMSG", "bad message"},
+	{93, "ENOTRECOVERABLE", "state not recoverable"},
+	{94, "EOWNERDEAD", "previous owner died"},
+	{95, "ELAST", "protocol error"},
 }
 
 // Signal table
@@ -1640,7 +1875,7 @@ var signalList = [...]struct {
 	{3, "SIGQUIT", "quit"},
 	{4, "SIGILL", "illegal instruction"},
 	{5, "SIGTRAP", "trace/BPT trap"},
-	{6, "SIGABRT", "abort trap"},
+	{6, "SIGIOT", "abort trap"},
 	{7, "SIGEMT", "EMT trap"},
 	{8, "SIGFPE", "floating point exception"},
 	{9, "SIGKILL", "killed"},
@@ -1667,4 +1902,5 @@ var signalList = [...]struct {
 	{30, "SIGUSR1", "user defined signal 1"},
 	{31, "SIGUSR2", "user defined signal 2"},
 	{32, "SIGTHR", "thread AST"},
+	{28672, "SIGSTKSZ", "unknown signal"},
 }
diff --git a/vendor/golang.org/x/sys/unix/zerrors_openbsd_arm64.go b/vendor/golang.org/x/sys/unix/zerrors_openbsd_arm64.go
index 90de7dfc3..ae16fe754 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_openbsd_arm64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_openbsd_arm64.go
@@ -112,6 +112,12 @@ const (
 	BPF_FILDROP_CAPTURE               = 0x1
 	BPF_FILDROP_DROP                  = 0x2
 	BPF_FILDROP_PASS                  = 0x0
+	BPF_F_DIR_IN                      = 0x10
+	BPF_F_DIR_MASK                    = 0x30
+	BPF_F_DIR_OUT                     = 0x20
+	BPF_F_DIR_SHIFT                   = 0x4
+	BPF_F_FLOWID                      = 0x8
+	BPF_F_PRI_MASK                    = 0x7
 	BPF_H                             = 0x8
 	BPF_IMM                           = 0x0
 	BPF_IND                           = 0x40
@@ -140,6 +146,7 @@ const (
 	BPF_OR                            = 0x40
 	BPF_RELEASE                       = 0x30bb6
 	BPF_RET                           = 0x6
+	BPF_RND                           = 0xc0
 	BPF_RSH                           = 0x70
 	BPF_ST                            = 0x2
 	BPF_STX                           = 0x3
@@ -180,7 +187,65 @@ const (
 	CTL_KERN                          = 0x1
 	CTL_MAXNAME                       = 0xc
 	CTL_NET                           = 0x4
+	DIOCADDQUEUE                      = 0xc110445d
+	DIOCADDRULE                       = 0xcd604404
+	DIOCADDSTATE                      = 0xc1084425
+	DIOCCHANGERULE                    = 0xcd60441a
+	DIOCCLRIFFLAG                     = 0xc028445a
+	DIOCCLRSRCNODES                   = 0x20004455
+	DIOCCLRSTATES                     = 0xc0e04412
+	DIOCCLRSTATUS                     = 0xc0284416
+	DIOCGETLIMIT                      = 0xc0084427
+	DIOCGETQSTATS                     = 0xc1204460
+	DIOCGETQUEUE                      = 0xc110445f
+	DIOCGETQUEUES                     = 0xc110445e
+	DIOCGETRULE                       = 0xcd604407
+	DIOCGETRULES                      = 0xcd604406
+	DIOCGETRULESET                    = 0xc444443b
+	DIOCGETRULESETS                   = 0xc444443a
+	DIOCGETSRCNODES                   = 0xc0104454
+	DIOCGETSTATE                      = 0xc1084413
+	DIOCGETSTATES                     = 0xc0104419
+	DIOCGETSTATUS                     = 0xc1e84415
+	DIOCGETSYNFLWATS                  = 0xc0084463
+	DIOCGETTIMEOUT                    = 0xc008441e
+	DIOCIGETIFACES                    = 0xc0284457
+	DIOCKILLSRCNODES                  = 0xc080445b
+	DIOCKILLSTATES                    = 0xc0e04429
+	DIOCNATLOOK                       = 0xc0504417
+	DIOCOSFPADD                       = 0xc088444f
 	DIOCOSFPFLUSH                     = 0x2000444e
+	DIOCOSFPGET                       = 0xc0884450
+	DIOCRADDADDRS                     = 0xc4504443
+	DIOCRADDTABLES                    = 0xc450443d
+	DIOCRCLRADDRS                     = 0xc4504442
+	DIOCRCLRASTATS                    = 0xc4504448
+	DIOCRCLRTABLES                    = 0xc450443c
+	DIOCRCLRTSTATS                    = 0xc4504441
+	DIOCRDELADDRS                     = 0xc4504444
+	DIOCRDELTABLES                    = 0xc450443e
+	DIOCRGETADDRS                     = 0xc4504446
+	DIOCRGETASTATS                    = 0xc4504447
+	DIOCRGETTABLES                    = 0xc450443f
+	DIOCRGETTSTATS                    = 0xc4504440
+	DIOCRINADEFINE                    = 0xc450444d
+	DIOCRSETADDRS                     = 0xc4504445
+	DIOCRSETTFLAGS                    = 0xc450444a
+	DIOCRTSTADDRS                     = 0xc4504449
+	DIOCSETDEBUG                      = 0xc0044418
+	DIOCSETHOSTID                     = 0xc0044456
+	DIOCSETIFFLAG                     = 0xc0284459
+	DIOCSETLIMIT                      = 0xc0084428
+	DIOCSETREASS                      = 0xc004445c
+	DIOCSETSTATUSIF                   = 0xc0284414
+	DIOCSETSYNCOOKIES                 = 0xc0014462
+	DIOCSETSYNFLWATS                  = 0xc0084461
+	DIOCSETTIMEOUT                    = 0xc008441d
+	DIOCSTART                         = 0x20004401
+	DIOCSTOP                          = 0x20004402
+	DIOCXBEGIN                        = 0xc0104451
+	DIOCXCOMMIT                       = 0xc0104452
+	DIOCXROLLBACK                     = 0xc0104453
 	DLT_ARCNET                        = 0x7
 	DLT_ATM_RFC1483                   = 0xb
 	DLT_AX25                          = 0x3
@@ -243,6 +308,8 @@ const (
 	EMUL_ENABLED                      = 0x1
 	EMUL_NATIVE                       = 0x2
 	ENDRUNDISC                        = 0x9
+	ETH64_8021_RSVD_MASK              = 0xfffffffffff0
+	ETH64_8021_RSVD_PREFIX            = 0x180c2000000
 	ETHERMIN                          = 0x2e
 	ETHERMTU                          = 0x5dc
 	ETHERTYPE_8023                    = 0x4
@@ -295,6 +362,7 @@ const (
 	ETHERTYPE_DN                      = 0x6003
 	ETHERTYPE_DOGFIGHT                = 0x1989
 	ETHERTYPE_DSMD                    = 0x8039
+	ETHERTYPE_EAPOL                   = 0x888e
 	ETHERTYPE_ECMA                    = 0x803
 	ETHERTYPE_ENCRYPT                 = 0x803d
 	ETHERTYPE_ES                      = 0x805d
@@ -326,6 +394,7 @@ const (
 	ETHERTYPE_LLDP                    = 0x88cc
 	ETHERTYPE_LOGICRAFT               = 0x8148
 	ETHERTYPE_LOOPBACK                = 0x9000
+	ETHERTYPE_MACSEC                  = 0x88e5
 	ETHERTYPE_MATRA                   = 0x807a
 	ETHERTYPE_MAX                     = 0xffff
 	ETHERTYPE_MERIT                   = 0x807c
@@ -354,15 +423,16 @@ const (
 	ETHERTYPE_NCD                     = 0x8149
 	ETHERTYPE_NESTAR                  = 0x8006
 	ETHERTYPE_NETBEUI                 = 0x8191
+	ETHERTYPE_NHRP                    = 0x2001
 	ETHERTYPE_NOVELL                  = 0x8138
 	ETHERTYPE_NS                      = 0x600
 	ETHERTYPE_NSAT                    = 0x601
 	ETHERTYPE_NSCOMPAT                = 0x807
+	ETHERTYPE_NSH                     = 0x984f
 	ETHERTYPE_NTRAILER                = 0x10
 	ETHERTYPE_OS9                     = 0x7007
 	ETHERTYPE_OS9NET                  = 0x7009
 	ETHERTYPE_PACER                   = 0x80c6
-	ETHERTYPE_PAE                     = 0x888e
 	ETHERTYPE_PBB                     = 0x88e7
 	ETHERTYPE_PCS                     = 0x4242
 	ETHERTYPE_PLANNING                = 0x8044
@@ -445,10 +515,11 @@ const (
 	ETHER_VLAN_ENCAP_LEN              = 0x4
 	EVFILT_AIO                        = -0x3
 	EVFILT_DEVICE                     = -0x8
+	EVFILT_EXCEPT                     = -0x9
 	EVFILT_PROC                       = -0x5
 	EVFILT_READ                       = -0x1
 	EVFILT_SIGNAL                     = -0x6
-	EVFILT_SYSCOUNT                   = 0x8
+	EVFILT_SYSCOUNT                   = 0x9
 	EVFILT_TIMER                      = -0x7
 	EVFILT_VNODE                      = -0x4
 	EVFILT_WRITE                      = -0x2
@@ -470,7 +541,7 @@ const (
 	EV_FLAG1                          = 0x2000
 	EV_ONESHOT                        = 0x10
 	EV_RECEIPT                        = 0x40
-	EV_SYSFLAGS                       = 0xf000
+	EV_SYSFLAGS                       = 0xf800
 	EXTA                              = 0x4b00
 	EXTB                              = 0x9600
 	EXTPROC                           = 0x800
@@ -736,6 +807,7 @@ const (
 	IFT_VOICEOVERCABLE                = 0xc6
 	IFT_VOICEOVERFRAMERELAY           = 0x99
 	IFT_VOICEOVERIP                   = 0x68
+	IFT_WIREGUARD                     = 0xfb
 	IFT_X213                          = 0x5d
 	IFT_X25                           = 0x5
 	IFT_X25DDN                        = 0x4
@@ -801,9 +873,11 @@ const (
 	IPPROTO_RAW                       = 0xff
 	IPPROTO_ROUTING                   = 0x2b
 	IPPROTO_RSVP                      = 0x2e
+	IPPROTO_SCTP                      = 0x84
 	IPPROTO_TCP                       = 0x6
 	IPPROTO_TP                        = 0x1d
 	IPPROTO_UDP                       = 0x11
+	IPPROTO_UDPLITE                   = 0x88
 	IPV6_AUTH_LEVEL                   = 0x35
 	IPV6_AUTOFLOWLABEL                = 0x3b
 	IPV6_CHECKSUM                     = 0x1a
@@ -910,6 +984,9 @@ const (
 	IP_TTL                            = 0x4
 	ISIG                              = 0x80
 	ISTRIP                            = 0x20
+	ITIMER_PROF                       = 0x2
+	ITIMER_REAL                       = 0x0
+	ITIMER_VIRTUAL                    = 0x1
 	IUCLC                             = 0x1000
 	IXANY                             = 0x800
 	IXOFF                             = 0x400
@@ -981,6 +1058,19 @@ const (
 	MNT_WAIT                          = 0x1
 	MNT_WANTRDWR                      = 0x2000000
 	MNT_WXALLOWED                     = 0x800
+	MOUNT_AFS                         = "afs"
+	MOUNT_CD9660                      = "cd9660"
+	MOUNT_EXT2FS                      = "ext2fs"
+	MOUNT_FFS                         = "ffs"
+	MOUNT_FUSEFS                      = "fuse"
+	MOUNT_MFS                         = "mfs"
+	MOUNT_MSDOS                       = "msdos"
+	MOUNT_NCPFS                       = "ncpfs"
+	MOUNT_NFS                         = "nfs"
+	MOUNT_NTFS                        = "ntfs"
+	MOUNT_TMPFS                       = "tmpfs"
+	MOUNT_UDF                         = "udf"
+	MOUNT_UFS                         = "ffs"
 	MSG_BCAST                         = 0x100
 	MSG_CMSG_CLOEXEC                  = 0x800
 	MSG_CTRUNC                        = 0x20
@@ -993,6 +1083,7 @@ const (
 	MSG_PEEK                          = 0x2
 	MSG_TRUNC                         = 0x10
 	MSG_WAITALL                       = 0x40
+	MSG_WAITFORONE                    = 0x1000
 	MS_ASYNC                          = 0x1
 	MS_INVALIDATE                     = 0x4
 	MS_SYNC                           = 0x2
@@ -1001,7 +1092,8 @@ const (
 	NET_RT_FLAGS                      = 0x2
 	NET_RT_IFLIST                     = 0x3
 	NET_RT_IFNAMES                    = 0x6
-	NET_RT_MAXID                      = 0x7
+	NET_RT_MAXID                      = 0x8
+	NET_RT_SOURCE                     = 0x7
 	NET_RT_STATS                      = 0x4
 	NET_RT_TABLE                      = 0x5
 	NFDBITS                           = 0x20
@@ -1018,6 +1110,7 @@ const (
 	NOTE_FORK                         = 0x40000000
 	NOTE_LINK                         = 0x10
 	NOTE_LOWAT                        = 0x1
+	NOTE_OOB                          = 0x4
 	NOTE_PCTRLMASK                    = 0xf0000000
 	NOTE_PDATAMASK                    = 0xfffff
 	NOTE_RENAME                       = 0x20
@@ -1154,7 +1247,7 @@ const (
 	RTM_PROPOSAL                      = 0x13
 	RTM_REDIRECT                      = 0x6
 	RTM_RESOLVE                       = 0xb
-	RTM_RTTUNIT                       = 0xf4240
+	RTM_SOURCE                        = 0x16
 	RTM_VERSION                       = 0x5
 	RTV_EXPIRE                        = 0x4
 	RTV_HOPCOUNT                      = 0x2
@@ -1172,6 +1265,9 @@ const (
 	RUSAGE_THREAD                     = 0x1
 	SCM_RIGHTS                        = 0x1
 	SCM_TIMESTAMP                     = 0x4
+	SEEK_CUR                          = 0x1
+	SEEK_END                          = 0x2
+	SEEK_SET                          = 0x0
 	SHUT_RD                           = 0x0
 	SHUT_RDWR                         = 0x2
 	SHUT_WR                           = 0x1
@@ -1188,30 +1284,30 @@ const (
 	SIOCBRDGDELS                      = 0x80606942
 	SIOCBRDGFLUSH                     = 0x80606948
 	SIOCBRDGFRL                       = 0x808c694e
-	SIOCBRDGGCACHE                    = 0xc0186941
-	SIOCBRDGGFD                       = 0xc0186952
-	SIOCBRDGGHT                       = 0xc0186951
+	SIOCBRDGGCACHE                    = 0xc0146941
+	SIOCBRDGGFD                       = 0xc0146952
+	SIOCBRDGGHT                       = 0xc0146951
 	SIOCBRDGGIFFLGS                   = 0xc060693e
-	SIOCBRDGGMA                       = 0xc0186953
+	SIOCBRDGGMA                       = 0xc0146953
 	SIOCBRDGGPARAM                    = 0xc0406958
-	SIOCBRDGGPRI                      = 0xc0186950
+	SIOCBRDGGPRI                      = 0xc0146950
 	SIOCBRDGGRL                       = 0xc030694f
-	SIOCBRDGGTO                       = 0xc0186946
+	SIOCBRDGGTO                       = 0xc0146946
 	SIOCBRDGIFS                       = 0xc0606942
 	SIOCBRDGRTS                       = 0xc0206943
 	SIOCBRDGSADDR                     = 0xc1286944
-	SIOCBRDGSCACHE                    = 0x80186940
-	SIOCBRDGSFD                       = 0x80186952
-	SIOCBRDGSHT                       = 0x80186951
+	SIOCBRDGSCACHE                    = 0x80146940
+	SIOCBRDGSFD                       = 0x80146952
+	SIOCBRDGSHT                       = 0x80146951
 	SIOCBRDGSIFCOST                   = 0x80606955
 	SIOCBRDGSIFFLGS                   = 0x8060693f
 	SIOCBRDGSIFPRIO                   = 0x80606954
 	SIOCBRDGSIFPROT                   = 0x8060694a
-	SIOCBRDGSMA                       = 0x80186953
-	SIOCBRDGSPRI                      = 0x80186950
-	SIOCBRDGSPROTO                    = 0x8018695a
-	SIOCBRDGSTO                       = 0x80186945
-	SIOCBRDGSTXHC                     = 0x80186959
+	SIOCBRDGSMA                       = 0x80146953
+	SIOCBRDGSPRI                      = 0x80146950
+	SIOCBRDGSPROTO                    = 0x8014695a
+	SIOCBRDGSTO                       = 0x80146945
+	SIOCBRDGSTXHC                     = 0x80146959
 	SIOCDELLABEL                      = 0x80206997
 	SIOCDELMULTI                      = 0x80206932
 	SIOCDIFADDR                       = 0x80206919
@@ -1264,6 +1360,7 @@ const (
 	SIOCGPWE3CTRLWORD                 = 0xc02069dc
 	SIOCGPWE3FAT                      = 0xc02069dd
 	SIOCGPWE3NEIGHBOR                 = 0xc21869de
+	SIOCGRXHPRIO                      = 0xc02069db
 	SIOCGSPPPPARAMS                   = 0xc0206994
 	SIOCGTXHPRIO                      = 0xc02069c6
 	SIOCGUMBINFO                      = 0xc02069be
@@ -1310,17 +1407,13 @@ const (
 	SIOCSPWE3CTRLWORD                 = 0x802069dc
 	SIOCSPWE3FAT                      = 0x802069dd
 	SIOCSPWE3NEIGHBOR                 = 0x821869de
+	SIOCSRXHPRIO                      = 0x802069db
 	SIOCSSPPPPARAMS                   = 0x80206993
 	SIOCSTXHPRIO                      = 0x802069c5
 	SIOCSUMBPARAM                     = 0x802069bf
 	SIOCSVH                           = 0xc02069f5
 	SIOCSVNETFLOWID                   = 0x802069c3
 	SIOCSVNETID                       = 0x802069a6
-	SIOCSWGDPID                       = 0xc018695b
-	SIOCSWGMAXFLOW                    = 0xc0186960
-	SIOCSWGMAXGROUP                   = 0xc018695d
-	SIOCSWSDPID                       = 0x8018695c
-	SIOCSWSPORTNO                     = 0xc060695f
 	SOCK_CLOEXEC                      = 0x8000
 	SOCK_DGRAM                        = 0x2
 	SOCK_DNS                          = 0x1000
@@ -1335,6 +1428,7 @@ const (
 	SO_BINDANY                        = 0x1000
 	SO_BROADCAST                      = 0x20
 	SO_DEBUG                          = 0x1
+	SO_DOMAIN                         = 0x1024
 	SO_DONTROUTE                      = 0x10
 	SO_ERROR                          = 0x1007
 	SO_KEEPALIVE                      = 0x8
@@ -1342,6 +1436,7 @@ const (
 	SO_NETPROC                        = 0x1020
 	SO_OOBINLINE                      = 0x100
 	SO_PEERCRED                       = 0x1022
+	SO_PROTOCOL                       = 0x1025
 	SO_RCVBUF                         = 0x1002
 	SO_RCVLOWAT                       = 0x1004
 	SO_RCVTIMEO                       = 0x1006
@@ -1391,7 +1486,18 @@ const (
 	TCOFLUSH                          = 0x2
 	TCOOFF                            = 0x1
 	TCOON                             = 0x2
-	TCP_MAXBURST                      = 0x4
+	TCPOPT_EOL                        = 0x0
+	TCPOPT_MAXSEG                     = 0x2
+	TCPOPT_NOP                        = 0x1
+	TCPOPT_SACK                       = 0x5
+	TCPOPT_SACK_HDR                   = 0x1010500
+	TCPOPT_SACK_PERMITTED             = 0x4
+	TCPOPT_SACK_PERMIT_HDR            = 0x1010402
+	TCPOPT_SIGNATURE                  = 0x13
+	TCPOPT_TIMESTAMP                  = 0x8
+	TCPOPT_TSTAMP_HDR                 = 0x101080a
+	TCPOPT_WINDOW                     = 0x3
+	TCP_INFO                          = 0x9
 	TCP_MAXSEG                        = 0x2
 	TCP_MAXWIN                        = 0xffff
 	TCP_MAX_SACK                      = 0x3
@@ -1400,6 +1506,7 @@ const (
 	TCP_MSS                           = 0x200
 	TCP_NODELAY                       = 0x1
 	TCP_NOPUSH                        = 0x10
+	TCP_SACKHOLE_LIMIT                = 0x80
 	TCP_SACK_ENABLE                   = 0x8
 	TCSAFLUSH                         = 0x2
 	TIMER_ABSTIME                     = 0x1
@@ -1768,7 +1875,7 @@ var signalList = [...]struct {
 	{3, "SIGQUIT", "quit"},
 	{4, "SIGILL", "illegal instruction"},
 	{5, "SIGTRAP", "trace/BPT trap"},
-	{6, "SIGABRT", "abort trap"},
+	{6, "SIGIOT", "abort trap"},
 	{7, "SIGEMT", "EMT trap"},
 	{8, "SIGFPE", "floating point exception"},
 	{9, "SIGKILL", "killed"},
@@ -1795,4 +1902,5 @@ var signalList = [...]struct {
 	{30, "SIGUSR1", "user defined signal 1"},
 	{31, "SIGUSR2", "user defined signal 2"},
 	{32, "SIGTHR", "thread AST"},
+	{28672, "SIGSTKSZ", "unknown signal"},
 }
diff --git a/vendor/golang.org/x/sys/unix/zerrors_openbsd_mips64.go b/vendor/golang.org/x/sys/unix/zerrors_openbsd_mips64.go
index f1154ff56..03d90fe35 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_openbsd_mips64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_openbsd_mips64.go
@@ -112,6 +112,12 @@ const (
 	BPF_FILDROP_CAPTURE               = 0x1
 	BPF_FILDROP_DROP                  = 0x2
 	BPF_FILDROP_PASS                  = 0x0
+	BPF_F_DIR_IN                      = 0x10
+	BPF_F_DIR_MASK                    = 0x30
+	BPF_F_DIR_OUT                     = 0x20
+	BPF_F_DIR_SHIFT                   = 0x4
+	BPF_F_FLOWID                      = 0x8
+	BPF_F_PRI_MASK                    = 0x7
 	BPF_H                             = 0x8
 	BPF_IMM                           = 0x0
 	BPF_IND                           = 0x40
@@ -140,6 +146,7 @@ const (
 	BPF_OR                            = 0x40
 	BPF_RELEASE                       = 0x30bb6
 	BPF_RET                           = 0x6
+	BPF_RND                           = 0xc0
 	BPF_RSH                           = 0x70
 	BPF_ST                            = 0x2
 	BPF_STX                           = 0x3
@@ -301,6 +308,8 @@ const (
 	EMUL_ENABLED                      = 0x1
 	EMUL_NATIVE                       = 0x2
 	ENDRUNDISC                        = 0x9
+	ETH64_8021_RSVD_MASK              = 0xfffffffffff0
+	ETH64_8021_RSVD_PREFIX            = 0x180c2000000
 	ETHERMIN                          = 0x2e
 	ETHERMTU                          = 0x5dc
 	ETHERTYPE_8023                    = 0x4
@@ -353,6 +362,7 @@ const (
 	ETHERTYPE_DN                      = 0x6003
 	ETHERTYPE_DOGFIGHT                = 0x1989
 	ETHERTYPE_DSMD                    = 0x8039
+	ETHERTYPE_EAPOL                   = 0x888e
 	ETHERTYPE_ECMA                    = 0x803
 	ETHERTYPE_ENCRYPT                 = 0x803d
 	ETHERTYPE_ES                      = 0x805d
@@ -413,15 +423,16 @@ const (
 	ETHERTYPE_NCD                     = 0x8149
 	ETHERTYPE_NESTAR                  = 0x8006
 	ETHERTYPE_NETBEUI                 = 0x8191
+	ETHERTYPE_NHRP                    = 0x2001
 	ETHERTYPE_NOVELL                  = 0x8138
 	ETHERTYPE_NS                      = 0x600
 	ETHERTYPE_NSAT                    = 0x601
 	ETHERTYPE_NSCOMPAT                = 0x807
+	ETHERTYPE_NSH                     = 0x984f
 	ETHERTYPE_NTRAILER                = 0x10
 	ETHERTYPE_OS9                     = 0x7007
 	ETHERTYPE_OS9NET                  = 0x7009
 	ETHERTYPE_PACER                   = 0x80c6
-	ETHERTYPE_PAE                     = 0x888e
 	ETHERTYPE_PBB                     = 0x88e7
 	ETHERTYPE_PCS                     = 0x4242
 	ETHERTYPE_PLANNING                = 0x8044
@@ -504,10 +515,11 @@ const (
 	ETHER_VLAN_ENCAP_LEN              = 0x4
 	EVFILT_AIO                        = -0x3
 	EVFILT_DEVICE                     = -0x8
+	EVFILT_EXCEPT                     = -0x9
 	EVFILT_PROC                       = -0x5
 	EVFILT_READ                       = -0x1
 	EVFILT_SIGNAL                     = -0x6
-	EVFILT_SYSCOUNT                   = 0x8
+	EVFILT_SYSCOUNT                   = 0x9
 	EVFILT_TIMER                      = -0x7
 	EVFILT_VNODE                      = -0x4
 	EVFILT_WRITE                      = -0x2
@@ -529,7 +541,7 @@ const (
 	EV_FLAG1                          = 0x2000
 	EV_ONESHOT                        = 0x10
 	EV_RECEIPT                        = 0x40
-	EV_SYSFLAGS                       = 0xf000
+	EV_SYSFLAGS                       = 0xf800
 	EXTA                              = 0x4b00
 	EXTB                              = 0x9600
 	EXTPROC                           = 0x800
@@ -795,6 +807,7 @@ const (
 	IFT_VOICEOVERCABLE                = 0xc6
 	IFT_VOICEOVERFRAMERELAY           = 0x99
 	IFT_VOICEOVERIP                   = 0x68
+	IFT_WIREGUARD                     = 0xfb
 	IFT_X213                          = 0x5d
 	IFT_X25                           = 0x5
 	IFT_X25DDN                        = 0x4
@@ -860,6 +873,7 @@ const (
 	IPPROTO_RAW                       = 0xff
 	IPPROTO_ROUTING                   = 0x2b
 	IPPROTO_RSVP                      = 0x2e
+	IPPROTO_SCTP                      = 0x84
 	IPPROTO_TCP                       = 0x6
 	IPPROTO_TP                        = 0x1d
 	IPPROTO_UDP                       = 0x11
@@ -970,6 +984,9 @@ const (
 	IP_TTL                            = 0x4
 	ISIG                              = 0x80
 	ISTRIP                            = 0x20
+	ITIMER_PROF                       = 0x2
+	ITIMER_REAL                       = 0x0
+	ITIMER_VIRTUAL                    = 0x1
 	IUCLC                             = 0x1000
 	IXANY                             = 0x800
 	IXOFF                             = 0x400
@@ -1041,6 +1058,19 @@ const (
 	MNT_WAIT                          = 0x1
 	MNT_WANTRDWR                      = 0x2000000
 	MNT_WXALLOWED                     = 0x800
+	MOUNT_AFS                         = "afs"
+	MOUNT_CD9660                      = "cd9660"
+	MOUNT_EXT2FS                      = "ext2fs"
+	MOUNT_FFS                         = "ffs"
+	MOUNT_FUSEFS                      = "fuse"
+	MOUNT_MFS                         = "mfs"
+	MOUNT_MSDOS                       = "msdos"
+	MOUNT_NCPFS                       = "ncpfs"
+	MOUNT_NFS                         = "nfs"
+	MOUNT_NTFS                        = "ntfs"
+	MOUNT_TMPFS                       = "tmpfs"
+	MOUNT_UDF                         = "udf"
+	MOUNT_UFS                         = "ffs"
 	MSG_BCAST                         = 0x100
 	MSG_CMSG_CLOEXEC                  = 0x800
 	MSG_CTRUNC                        = 0x20
@@ -1053,6 +1083,7 @@ const (
 	MSG_PEEK                          = 0x2
 	MSG_TRUNC                         = 0x10
 	MSG_WAITALL                       = 0x40
+	MSG_WAITFORONE                    = 0x1000
 	MS_ASYNC                          = 0x1
 	MS_INVALIDATE                     = 0x4
 	MS_SYNC                           = 0x2
@@ -1061,7 +1092,8 @@ const (
 	NET_RT_FLAGS                      = 0x2
 	NET_RT_IFLIST                     = 0x3
 	NET_RT_IFNAMES                    = 0x6
-	NET_RT_MAXID                      = 0x7
+	NET_RT_MAXID                      = 0x8
+	NET_RT_SOURCE                     = 0x7
 	NET_RT_STATS                      = 0x4
 	NET_RT_TABLE                      = 0x5
 	NFDBITS                           = 0x20
@@ -1078,6 +1110,7 @@ const (
 	NOTE_FORK                         = 0x40000000
 	NOTE_LINK                         = 0x10
 	NOTE_LOWAT                        = 0x1
+	NOTE_OOB                          = 0x4
 	NOTE_PCTRLMASK                    = 0xf0000000
 	NOTE_PDATAMASK                    = 0xfffff
 	NOTE_RENAME                       = 0x20
@@ -1214,7 +1247,7 @@ const (
 	RTM_PROPOSAL                      = 0x13
 	RTM_REDIRECT                      = 0x6
 	RTM_RESOLVE                       = 0xb
-	RTM_RTTUNIT                       = 0xf4240
+	RTM_SOURCE                        = 0x16
 	RTM_VERSION                       = 0x5
 	RTV_EXPIRE                        = 0x4
 	RTV_HOPCOUNT                      = 0x2
@@ -1232,6 +1265,9 @@ const (
 	RUSAGE_THREAD                     = 0x1
 	SCM_RIGHTS                        = 0x1
 	SCM_TIMESTAMP                     = 0x4
+	SEEK_CUR                          = 0x1
+	SEEK_END                          = 0x2
+	SEEK_SET                          = 0x0
 	SHUT_RD                           = 0x0
 	SHUT_RDWR                         = 0x2
 	SHUT_WR                           = 0x1
@@ -1248,30 +1284,30 @@ const (
 	SIOCBRDGDELS                      = 0x80606942
 	SIOCBRDGFLUSH                     = 0x80606948
 	SIOCBRDGFRL                       = 0x808c694e
-	SIOCBRDGGCACHE                    = 0xc0186941
-	SIOCBRDGGFD                       = 0xc0186952
-	SIOCBRDGGHT                       = 0xc0186951
+	SIOCBRDGGCACHE                    = 0xc0146941
+	SIOCBRDGGFD                       = 0xc0146952
+	SIOCBRDGGHT                       = 0xc0146951
 	SIOCBRDGGIFFLGS                   = 0xc060693e
-	SIOCBRDGGMA                       = 0xc0186953
+	SIOCBRDGGMA                       = 0xc0146953
 	SIOCBRDGGPARAM                    = 0xc0406958
-	SIOCBRDGGPRI                      = 0xc0186950
+	SIOCBRDGGPRI                      = 0xc0146950
 	SIOCBRDGGRL                       = 0xc030694f
-	SIOCBRDGGTO                       = 0xc0186946
+	SIOCBRDGGTO                       = 0xc0146946
 	SIOCBRDGIFS                       = 0xc0606942
 	SIOCBRDGRTS                       = 0xc0206943
 	SIOCBRDGSADDR                     = 0xc1286944
-	SIOCBRDGSCACHE                    = 0x80186940
-	SIOCBRDGSFD                       = 0x80186952
-	SIOCBRDGSHT                       = 0x80186951
+	SIOCBRDGSCACHE                    = 0x80146940
+	SIOCBRDGSFD                       = 0x80146952
+	SIOCBRDGSHT                       = 0x80146951
 	SIOCBRDGSIFCOST                   = 0x80606955
 	SIOCBRDGSIFFLGS                   = 0x8060693f
 	SIOCBRDGSIFPRIO                   = 0x80606954
 	SIOCBRDGSIFPROT                   = 0x8060694a
-	SIOCBRDGSMA                       = 0x80186953
-	SIOCBRDGSPRI                      = 0x80186950
-	SIOCBRDGSPROTO                    = 0x8018695a
-	SIOCBRDGSTO                       = 0x80186945
-	SIOCBRDGSTXHC                     = 0x80186959
+	SIOCBRDGSMA                       = 0x80146953
+	SIOCBRDGSPRI                      = 0x80146950
+	SIOCBRDGSPROTO                    = 0x8014695a
+	SIOCBRDGSTO                       = 0x80146945
+	SIOCBRDGSTXHC                     = 0x80146959
 	SIOCDELLABEL                      = 0x80206997
 	SIOCDELMULTI                      = 0x80206932
 	SIOCDIFADDR                       = 0x80206919
@@ -1378,11 +1414,6 @@ const (
 	SIOCSVH                           = 0xc02069f5
 	SIOCSVNETFLOWID                   = 0x802069c3
 	SIOCSVNETID                       = 0x802069a6
-	SIOCSWGDPID                       = 0xc018695b
-	SIOCSWGMAXFLOW                    = 0xc0186960
-	SIOCSWGMAXGROUP                   = 0xc018695d
-	SIOCSWSDPID                       = 0x8018695c
-	SIOCSWSPORTNO                     = 0xc060695f
 	SOCK_CLOEXEC                      = 0x8000
 	SOCK_DGRAM                        = 0x2
 	SOCK_DNS                          = 0x1000
@@ -1455,7 +1486,18 @@ const (
 	TCOFLUSH                          = 0x2
 	TCOOFF                            = 0x1
 	TCOON                             = 0x2
-	TCP_MAXBURST                      = 0x4
+	TCPOPT_EOL                        = 0x0
+	TCPOPT_MAXSEG                     = 0x2
+	TCPOPT_NOP                        = 0x1
+	TCPOPT_SACK                       = 0x5
+	TCPOPT_SACK_HDR                   = 0x1010500
+	TCPOPT_SACK_PERMITTED             = 0x4
+	TCPOPT_SACK_PERMIT_HDR            = 0x1010402
+	TCPOPT_SIGNATURE                  = 0x13
+	TCPOPT_TIMESTAMP                  = 0x8
+	TCPOPT_TSTAMP_HDR                 = 0x101080a
+	TCPOPT_WINDOW                     = 0x3
+	TCP_INFO                          = 0x9
 	TCP_MAXSEG                        = 0x2
 	TCP_MAXWIN                        = 0xffff
 	TCP_MAX_SACK                      = 0x3
@@ -1833,7 +1875,7 @@ var signalList = [...]struct {
 	{3, "SIGQUIT", "quit"},
 	{4, "SIGILL", "illegal instruction"},
 	{5, "SIGTRAP", "trace/BPT trap"},
-	{6, "SIGABRT", "abort trap"},
+	{6, "SIGIOT", "abort trap"},
 	{7, "SIGEMT", "EMT trap"},
 	{8, "SIGFPE", "floating point exception"},
 	{9, "SIGKILL", "killed"},
@@ -1860,4 +1902,5 @@ var signalList = [...]struct {
 	{30, "SIGUSR1", "user defined signal 1"},
 	{31, "SIGUSR2", "user defined signal 2"},
 	{32, "SIGTHR", "thread AST"},
+	{81920, "SIGSTKSZ", "unknown signal"},
 }
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_dragonfly_amd64.go b/vendor/golang.org/x/sys/unix/zsyscall_dragonfly_amd64.go
index 1b6eedfa6..54749f9c5 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_dragonfly_amd64.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_dragonfly_amd64.go
@@ -552,6 +552,16 @@ func Chroot(path string) (err error) {
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func ClockGettime(clockid int32, time *Timespec) (err error) {
+	_, _, e1 := Syscall(SYS_CLOCK_GETTIME, uintptr(clockid), uintptr(unsafe.Pointer(time)), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Close(fd int) (err error) {
 	_, _, e1 := Syscall(SYS_CLOSE, uintptr(fd), 0, 0)
 	if e1 != 0 {
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_freebsd_386.go b/vendor/golang.org/x/sys/unix/zsyscall_freebsd_386.go
index 039c4aa06..77479d458 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_freebsd_386.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_freebsd_386.go
@@ -544,6 +544,16 @@ func Chroot(path string) (err error) {
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func ClockGettime(clockid int32, time *Timespec) (err error) {
+	_, _, e1 := Syscall(SYS_CLOCK_GETTIME, uintptr(clockid), uintptr(unsafe.Pointer(time)), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Close(fd int) (err error) {
 	_, _, e1 := Syscall(SYS_CLOSE, uintptr(fd), 0, 0)
 	if e1 != 0 {
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_freebsd_amd64.go b/vendor/golang.org/x/sys/unix/zsyscall_freebsd_amd64.go
index 0535d3cfd..2e966d4d7 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_freebsd_amd64.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_freebsd_amd64.go
@@ -544,6 +544,16 @@ func Chroot(path string) (err error) {
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func ClockGettime(clockid int32, time *Timespec) (err error) {
+	_, _, e1 := Syscall(SYS_CLOCK_GETTIME, uintptr(clockid), uintptr(unsafe.Pointer(time)), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Close(fd int) (err error) {
 	_, _, e1 := Syscall(SYS_CLOSE, uintptr(fd), 0, 0)
 	if e1 != 0 {
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_freebsd_arm.go b/vendor/golang.org/x/sys/unix/zsyscall_freebsd_arm.go
index 1018b5221..d65a7c0fa 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_freebsd_arm.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_freebsd_arm.go
@@ -544,6 +544,16 @@ func Chroot(path string) (err error) {
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func ClockGettime(clockid int32, time *Timespec) (err error) {
+	_, _, e1 := Syscall(SYS_CLOCK_GETTIME, uintptr(clockid), uintptr(unsafe.Pointer(time)), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Close(fd int) (err error) {
 	_, _, e1 := Syscall(SYS_CLOSE, uintptr(fd), 0, 0)
 	if e1 != 0 {
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_freebsd_arm64.go b/vendor/golang.org/x/sys/unix/zsyscall_freebsd_arm64.go
index 3802f4b37..6f0b97c6d 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_freebsd_arm64.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_freebsd_arm64.go
@@ -544,6 +544,16 @@ func Chroot(path string) (err error) {
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func ClockGettime(clockid int32, time *Timespec) (err error) {
+	_, _, e1 := Syscall(SYS_CLOCK_GETTIME, uintptr(clockid), uintptr(unsafe.Pointer(time)), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Close(fd int) (err error) {
 	_, _, e1 := Syscall(SYS_CLOSE, uintptr(fd), 0, 0)
 	if e1 != 0 {
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_freebsd_riscv64.go b/vendor/golang.org/x/sys/unix/zsyscall_freebsd_riscv64.go
index 8a2db7da9..e1c23b527 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_freebsd_riscv64.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_freebsd_riscv64.go
@@ -544,6 +544,16 @@ func Chroot(path string) (err error) {
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func ClockGettime(clockid int32, time *Timespec) (err error) {
+	_, _, e1 := Syscall(SYS_CLOCK_GETTIME, uintptr(clockid), uintptr(unsafe.Pointer(time)), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Close(fd int) (err error) {
 	_, _, e1 := Syscall(SYS_CLOSE, uintptr(fd), 0, 0)
 	if e1 != 0 {
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_netbsd_386.go b/vendor/golang.org/x/sys/unix/zsyscall_netbsd_386.go
index 4af561a48..79f738996 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_netbsd_386.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_netbsd_386.go
@@ -521,6 +521,16 @@ func Chroot(path string) (err error) {
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func ClockGettime(clockid int32, time *Timespec) (err error) {
+	_, _, e1 := Syscall(SYS_CLOCK_GETTIME, uintptr(clockid), uintptr(unsafe.Pointer(time)), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Close(fd int) (err error) {
 	_, _, e1 := Syscall(SYS_CLOSE, uintptr(fd), 0, 0)
 	if e1 != 0 {
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_netbsd_amd64.go b/vendor/golang.org/x/sys/unix/zsyscall_netbsd_amd64.go
index 3b90e9448..fb161f3a2 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_netbsd_amd64.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_netbsd_amd64.go
@@ -521,6 +521,16 @@ func Chroot(path string) (err error) {
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func ClockGettime(clockid int32, time *Timespec) (err error) {
+	_, _, e1 := Syscall(SYS_CLOCK_GETTIME, uintptr(clockid), uintptr(unsafe.Pointer(time)), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Close(fd int) (err error) {
 	_, _, e1 := Syscall(SYS_CLOSE, uintptr(fd), 0, 0)
 	if e1 != 0 {
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_netbsd_arm.go b/vendor/golang.org/x/sys/unix/zsyscall_netbsd_arm.go
index 890f4ccd1..4c8ac993a 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_netbsd_arm.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_netbsd_arm.go
@@ -521,6 +521,16 @@ func Chroot(path string) (err error) {
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func ClockGettime(clockid int32, time *Timespec) (err error) {
+	_, _, e1 := Syscall(SYS_CLOCK_GETTIME, uintptr(clockid), uintptr(unsafe.Pointer(time)), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Close(fd int) (err error) {
 	_, _, e1 := Syscall(SYS_CLOSE, uintptr(fd), 0, 0)
 	if e1 != 0 {
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_netbsd_arm64.go b/vendor/golang.org/x/sys/unix/zsyscall_netbsd_arm64.go
index c79f071fc..76dd8ec4f 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_netbsd_arm64.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_netbsd_arm64.go
@@ -521,6 +521,16 @@ func Chroot(path string) (err error) {
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func ClockGettime(clockid int32, time *Timespec) (err error) {
+	_, _, e1 := Syscall(SYS_CLOCK_GETTIME, uintptr(clockid), uintptr(unsafe.Pointer(time)), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Close(fd int) (err error) {
 	_, _, e1 := Syscall(SYS_CLOSE, uintptr(fd), 0, 0)
 	if e1 != 0 {
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.go b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.go
index 2925fe0a7..caeb807bd 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.go
@@ -696,6 +696,20 @@ var libc_chroot_trampoline_addr uintptr
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func ClockGettime(clockid int32, time *Timespec) (err error) {
+	_, _, e1 := syscall_syscall(libc_clock_gettime_trampoline_addr, uintptr(clockid), uintptr(unsafe.Pointer(time)), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_clock_gettime_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_clock_gettime clock_gettime "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Close(fd int) (err error) {
 	_, _, e1 := syscall_syscall(libc_close_trampoline_addr, uintptr(fd), 0, 0)
 	if e1 != 0 {
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.s b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.s
index 75eb2f5f3..087444250 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.s
+++ b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.s
@@ -5,792 +5,665 @@
 
 TEXT libc_getgroups_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getgroups(SB)
-
 GLOBL	·libc_getgroups_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getgroups_trampoline_addr(SB)/4, $libc_getgroups_trampoline<>(SB)
 
 TEXT libc_setgroups_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setgroups(SB)
-
 GLOBL	·libc_setgroups_trampoline_addr(SB), RODATA, $4
 DATA	·libc_setgroups_trampoline_addr(SB)/4, $libc_setgroups_trampoline<>(SB)
 
 TEXT libc_wait4_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_wait4(SB)
-
 GLOBL	·libc_wait4_trampoline_addr(SB), RODATA, $4
 DATA	·libc_wait4_trampoline_addr(SB)/4, $libc_wait4_trampoline<>(SB)
 
 TEXT libc_accept_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_accept(SB)
-
 GLOBL	·libc_accept_trampoline_addr(SB), RODATA, $4
 DATA	·libc_accept_trampoline_addr(SB)/4, $libc_accept_trampoline<>(SB)
 
 TEXT libc_bind_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_bind(SB)
-
 GLOBL	·libc_bind_trampoline_addr(SB), RODATA, $4
 DATA	·libc_bind_trampoline_addr(SB)/4, $libc_bind_trampoline<>(SB)
 
 TEXT libc_connect_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_connect(SB)
-
 GLOBL	·libc_connect_trampoline_addr(SB), RODATA, $4
 DATA	·libc_connect_trampoline_addr(SB)/4, $libc_connect_trampoline<>(SB)
 
 TEXT libc_socket_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_socket(SB)
-
 GLOBL	·libc_socket_trampoline_addr(SB), RODATA, $4
 DATA	·libc_socket_trampoline_addr(SB)/4, $libc_socket_trampoline<>(SB)
 
 TEXT libc_getsockopt_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getsockopt(SB)
-
 GLOBL	·libc_getsockopt_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getsockopt_trampoline_addr(SB)/4, $libc_getsockopt_trampoline<>(SB)
 
 TEXT libc_setsockopt_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setsockopt(SB)
-
 GLOBL	·libc_setsockopt_trampoline_addr(SB), RODATA, $4
 DATA	·libc_setsockopt_trampoline_addr(SB)/4, $libc_setsockopt_trampoline<>(SB)
 
 TEXT libc_getpeername_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getpeername(SB)
-
 GLOBL	·libc_getpeername_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getpeername_trampoline_addr(SB)/4, $libc_getpeername_trampoline<>(SB)
 
 TEXT libc_getsockname_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getsockname(SB)
-
 GLOBL	·libc_getsockname_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getsockname_trampoline_addr(SB)/4, $libc_getsockname_trampoline<>(SB)
 
 TEXT libc_shutdown_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_shutdown(SB)
-
 GLOBL	·libc_shutdown_trampoline_addr(SB), RODATA, $4
 DATA	·libc_shutdown_trampoline_addr(SB)/4, $libc_shutdown_trampoline<>(SB)
 
 TEXT libc_socketpair_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_socketpair(SB)
-
 GLOBL	·libc_socketpair_trampoline_addr(SB), RODATA, $4
 DATA	·libc_socketpair_trampoline_addr(SB)/4, $libc_socketpair_trampoline<>(SB)
 
 TEXT libc_recvfrom_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_recvfrom(SB)
-
 GLOBL	·libc_recvfrom_trampoline_addr(SB), RODATA, $4
 DATA	·libc_recvfrom_trampoline_addr(SB)/4, $libc_recvfrom_trampoline<>(SB)
 
 TEXT libc_sendto_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_sendto(SB)
-
 GLOBL	·libc_sendto_trampoline_addr(SB), RODATA, $4
 DATA	·libc_sendto_trampoline_addr(SB)/4, $libc_sendto_trampoline<>(SB)
 
 TEXT libc_recvmsg_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_recvmsg(SB)
-
 GLOBL	·libc_recvmsg_trampoline_addr(SB), RODATA, $4
 DATA	·libc_recvmsg_trampoline_addr(SB)/4, $libc_recvmsg_trampoline<>(SB)
 
 TEXT libc_sendmsg_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_sendmsg(SB)
-
 GLOBL	·libc_sendmsg_trampoline_addr(SB), RODATA, $4
 DATA	·libc_sendmsg_trampoline_addr(SB)/4, $libc_sendmsg_trampoline<>(SB)
 
 TEXT libc_kevent_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_kevent(SB)
-
 GLOBL	·libc_kevent_trampoline_addr(SB), RODATA, $4
 DATA	·libc_kevent_trampoline_addr(SB)/4, $libc_kevent_trampoline<>(SB)
 
 TEXT libc_utimes_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_utimes(SB)
-
 GLOBL	·libc_utimes_trampoline_addr(SB), RODATA, $4
 DATA	·libc_utimes_trampoline_addr(SB)/4, $libc_utimes_trampoline<>(SB)
 
 TEXT libc_futimes_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_futimes(SB)
-
 GLOBL	·libc_futimes_trampoline_addr(SB), RODATA, $4
 DATA	·libc_futimes_trampoline_addr(SB)/4, $libc_futimes_trampoline<>(SB)
 
 TEXT libc_poll_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_poll(SB)
-
 GLOBL	·libc_poll_trampoline_addr(SB), RODATA, $4
 DATA	·libc_poll_trampoline_addr(SB)/4, $libc_poll_trampoline<>(SB)
 
 TEXT libc_madvise_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_madvise(SB)
-
 GLOBL	·libc_madvise_trampoline_addr(SB), RODATA, $4
 DATA	·libc_madvise_trampoline_addr(SB)/4, $libc_madvise_trampoline<>(SB)
 
 TEXT libc_mlock_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mlock(SB)
-
 GLOBL	·libc_mlock_trampoline_addr(SB), RODATA, $4
 DATA	·libc_mlock_trampoline_addr(SB)/4, $libc_mlock_trampoline<>(SB)
 
 TEXT libc_mlockall_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mlockall(SB)
-
 GLOBL	·libc_mlockall_trampoline_addr(SB), RODATA, $4
 DATA	·libc_mlockall_trampoline_addr(SB)/4, $libc_mlockall_trampoline<>(SB)
 
 TEXT libc_mprotect_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mprotect(SB)
-
 GLOBL	·libc_mprotect_trampoline_addr(SB), RODATA, $4
 DATA	·libc_mprotect_trampoline_addr(SB)/4, $libc_mprotect_trampoline<>(SB)
 
 TEXT libc_msync_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_msync(SB)
-
 GLOBL	·libc_msync_trampoline_addr(SB), RODATA, $4
 DATA	·libc_msync_trampoline_addr(SB)/4, $libc_msync_trampoline<>(SB)
 
 TEXT libc_munlock_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_munlock(SB)
-
 GLOBL	·libc_munlock_trampoline_addr(SB), RODATA, $4
 DATA	·libc_munlock_trampoline_addr(SB)/4, $libc_munlock_trampoline<>(SB)
 
 TEXT libc_munlockall_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_munlockall(SB)
-
 GLOBL	·libc_munlockall_trampoline_addr(SB), RODATA, $4
 DATA	·libc_munlockall_trampoline_addr(SB)/4, $libc_munlockall_trampoline<>(SB)
 
 TEXT libc_pipe2_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_pipe2(SB)
-
 GLOBL	·libc_pipe2_trampoline_addr(SB), RODATA, $4
 DATA	·libc_pipe2_trampoline_addr(SB)/4, $libc_pipe2_trampoline<>(SB)
 
 TEXT libc_getdents_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getdents(SB)
-
 GLOBL	·libc_getdents_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getdents_trampoline_addr(SB)/4, $libc_getdents_trampoline<>(SB)
 
 TEXT libc_getcwd_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getcwd(SB)
-
 GLOBL	·libc_getcwd_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getcwd_trampoline_addr(SB)/4, $libc_getcwd_trampoline<>(SB)
 
 TEXT libc_ioctl_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_ioctl(SB)
-
 GLOBL	·libc_ioctl_trampoline_addr(SB), RODATA, $4
 DATA	·libc_ioctl_trampoline_addr(SB)/4, $libc_ioctl_trampoline<>(SB)
 
 TEXT libc_sysctl_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_sysctl(SB)
-
 GLOBL	·libc_sysctl_trampoline_addr(SB), RODATA, $4
 DATA	·libc_sysctl_trampoline_addr(SB)/4, $libc_sysctl_trampoline<>(SB)
 
 TEXT libc_ppoll_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_ppoll(SB)
-
 GLOBL	·libc_ppoll_trampoline_addr(SB), RODATA, $4
 DATA	·libc_ppoll_trampoline_addr(SB)/4, $libc_ppoll_trampoline<>(SB)
 
 TEXT libc_access_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_access(SB)
-
 GLOBL	·libc_access_trampoline_addr(SB), RODATA, $4
 DATA	·libc_access_trampoline_addr(SB)/4, $libc_access_trampoline<>(SB)
 
 TEXT libc_adjtime_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_adjtime(SB)
-
 GLOBL	·libc_adjtime_trampoline_addr(SB), RODATA, $4
 DATA	·libc_adjtime_trampoline_addr(SB)/4, $libc_adjtime_trampoline<>(SB)
 
 TEXT libc_chdir_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_chdir(SB)
-
 GLOBL	·libc_chdir_trampoline_addr(SB), RODATA, $4
 DATA	·libc_chdir_trampoline_addr(SB)/4, $libc_chdir_trampoline<>(SB)
 
 TEXT libc_chflags_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_chflags(SB)
-
 GLOBL	·libc_chflags_trampoline_addr(SB), RODATA, $4
 DATA	·libc_chflags_trampoline_addr(SB)/4, $libc_chflags_trampoline<>(SB)
 
 TEXT libc_chmod_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_chmod(SB)
-
 GLOBL	·libc_chmod_trampoline_addr(SB), RODATA, $4
 DATA	·libc_chmod_trampoline_addr(SB)/4, $libc_chmod_trampoline<>(SB)
 
 TEXT libc_chown_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_chown(SB)
-
 GLOBL	·libc_chown_trampoline_addr(SB), RODATA, $4
 DATA	·libc_chown_trampoline_addr(SB)/4, $libc_chown_trampoline<>(SB)
 
 TEXT libc_chroot_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_chroot(SB)
-
 GLOBL	·libc_chroot_trampoline_addr(SB), RODATA, $4
 DATA	·libc_chroot_trampoline_addr(SB)/4, $libc_chroot_trampoline<>(SB)
 
+TEXT libc_clock_gettime_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_clock_gettime(SB)
+GLOBL	·libc_clock_gettime_trampoline_addr(SB), RODATA, $4
+DATA	·libc_clock_gettime_trampoline_addr(SB)/4, $libc_clock_gettime_trampoline<>(SB)
+
 TEXT libc_close_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_close(SB)
-
 GLOBL	·libc_close_trampoline_addr(SB), RODATA, $4
 DATA	·libc_close_trampoline_addr(SB)/4, $libc_close_trampoline<>(SB)
 
 TEXT libc_dup_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_dup(SB)
-
 GLOBL	·libc_dup_trampoline_addr(SB), RODATA, $4
 DATA	·libc_dup_trampoline_addr(SB)/4, $libc_dup_trampoline<>(SB)
 
 TEXT libc_dup2_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_dup2(SB)
-
 GLOBL	·libc_dup2_trampoline_addr(SB), RODATA, $4
 DATA	·libc_dup2_trampoline_addr(SB)/4, $libc_dup2_trampoline<>(SB)
 
 TEXT libc_dup3_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_dup3(SB)
-
 GLOBL	·libc_dup3_trampoline_addr(SB), RODATA, $4
 DATA	·libc_dup3_trampoline_addr(SB)/4, $libc_dup3_trampoline<>(SB)
 
 TEXT libc_exit_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_exit(SB)
-
 GLOBL	·libc_exit_trampoline_addr(SB), RODATA, $4
 DATA	·libc_exit_trampoline_addr(SB)/4, $libc_exit_trampoline<>(SB)
 
 TEXT libc_faccessat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_faccessat(SB)
-
 GLOBL	·libc_faccessat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_faccessat_trampoline_addr(SB)/4, $libc_faccessat_trampoline<>(SB)
 
 TEXT libc_fchdir_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fchdir(SB)
-
 GLOBL	·libc_fchdir_trampoline_addr(SB), RODATA, $4
 DATA	·libc_fchdir_trampoline_addr(SB)/4, $libc_fchdir_trampoline<>(SB)
 
 TEXT libc_fchflags_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fchflags(SB)
-
 GLOBL	·libc_fchflags_trampoline_addr(SB), RODATA, $4
 DATA	·libc_fchflags_trampoline_addr(SB)/4, $libc_fchflags_trampoline<>(SB)
 
 TEXT libc_fchmod_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fchmod(SB)
-
 GLOBL	·libc_fchmod_trampoline_addr(SB), RODATA, $4
 DATA	·libc_fchmod_trampoline_addr(SB)/4, $libc_fchmod_trampoline<>(SB)
 
 TEXT libc_fchmodat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fchmodat(SB)
-
 GLOBL	·libc_fchmodat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_fchmodat_trampoline_addr(SB)/4, $libc_fchmodat_trampoline<>(SB)
 
 TEXT libc_fchown_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fchown(SB)
-
 GLOBL	·libc_fchown_trampoline_addr(SB), RODATA, $4
 DATA	·libc_fchown_trampoline_addr(SB)/4, $libc_fchown_trampoline<>(SB)
 
 TEXT libc_fchownat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fchownat(SB)
-
 GLOBL	·libc_fchownat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_fchownat_trampoline_addr(SB)/4, $libc_fchownat_trampoline<>(SB)
 
 TEXT libc_flock_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_flock(SB)
-
 GLOBL	·libc_flock_trampoline_addr(SB), RODATA, $4
 DATA	·libc_flock_trampoline_addr(SB)/4, $libc_flock_trampoline<>(SB)
 
 TEXT libc_fpathconf_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fpathconf(SB)
-
 GLOBL	·libc_fpathconf_trampoline_addr(SB), RODATA, $4
 DATA	·libc_fpathconf_trampoline_addr(SB)/4, $libc_fpathconf_trampoline<>(SB)
 
 TEXT libc_fstat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fstat(SB)
-
 GLOBL	·libc_fstat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_fstat_trampoline_addr(SB)/4, $libc_fstat_trampoline<>(SB)
 
 TEXT libc_fstatat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fstatat(SB)
-
 GLOBL	·libc_fstatat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_fstatat_trampoline_addr(SB)/4, $libc_fstatat_trampoline<>(SB)
 
 TEXT libc_fstatfs_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fstatfs(SB)
-
 GLOBL	·libc_fstatfs_trampoline_addr(SB), RODATA, $4
 DATA	·libc_fstatfs_trampoline_addr(SB)/4, $libc_fstatfs_trampoline<>(SB)
 
 TEXT libc_fsync_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fsync(SB)
-
 GLOBL	·libc_fsync_trampoline_addr(SB), RODATA, $4
 DATA	·libc_fsync_trampoline_addr(SB)/4, $libc_fsync_trampoline<>(SB)
 
 TEXT libc_ftruncate_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_ftruncate(SB)
-
 GLOBL	·libc_ftruncate_trampoline_addr(SB), RODATA, $4
 DATA	·libc_ftruncate_trampoline_addr(SB)/4, $libc_ftruncate_trampoline<>(SB)
 
 TEXT libc_getegid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getegid(SB)
-
 GLOBL	·libc_getegid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getegid_trampoline_addr(SB)/4, $libc_getegid_trampoline<>(SB)
 
 TEXT libc_geteuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_geteuid(SB)
-
 GLOBL	·libc_geteuid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_geteuid_trampoline_addr(SB)/4, $libc_geteuid_trampoline<>(SB)
 
 TEXT libc_getgid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getgid(SB)
-
 GLOBL	·libc_getgid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getgid_trampoline_addr(SB)/4, $libc_getgid_trampoline<>(SB)
 
 TEXT libc_getpgid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getpgid(SB)
-
 GLOBL	·libc_getpgid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getpgid_trampoline_addr(SB)/4, $libc_getpgid_trampoline<>(SB)
 
 TEXT libc_getpgrp_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getpgrp(SB)
-
 GLOBL	·libc_getpgrp_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getpgrp_trampoline_addr(SB)/4, $libc_getpgrp_trampoline<>(SB)
 
 TEXT libc_getpid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getpid(SB)
-
 GLOBL	·libc_getpid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getpid_trampoline_addr(SB)/4, $libc_getpid_trampoline<>(SB)
 
 TEXT libc_getppid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getppid(SB)
-
 GLOBL	·libc_getppid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getppid_trampoline_addr(SB)/4, $libc_getppid_trampoline<>(SB)
 
 TEXT libc_getpriority_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getpriority(SB)
-
 GLOBL	·libc_getpriority_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getpriority_trampoline_addr(SB)/4, $libc_getpriority_trampoline<>(SB)
 
 TEXT libc_getrlimit_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getrlimit(SB)
-
 GLOBL	·libc_getrlimit_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getrlimit_trampoline_addr(SB)/4, $libc_getrlimit_trampoline<>(SB)
 
 TEXT libc_getrtable_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getrtable(SB)
-
 GLOBL	·libc_getrtable_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getrtable_trampoline_addr(SB)/4, $libc_getrtable_trampoline<>(SB)
 
 TEXT libc_getrusage_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getrusage(SB)
-
 GLOBL	·libc_getrusage_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getrusage_trampoline_addr(SB)/4, $libc_getrusage_trampoline<>(SB)
 
 TEXT libc_getsid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getsid(SB)
-
 GLOBL	·libc_getsid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getsid_trampoline_addr(SB)/4, $libc_getsid_trampoline<>(SB)
 
 TEXT libc_gettimeofday_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_gettimeofday(SB)
-
 GLOBL	·libc_gettimeofday_trampoline_addr(SB), RODATA, $4
 DATA	·libc_gettimeofday_trampoline_addr(SB)/4, $libc_gettimeofday_trampoline<>(SB)
 
 TEXT libc_getuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getuid(SB)
-
 GLOBL	·libc_getuid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getuid_trampoline_addr(SB)/4, $libc_getuid_trampoline<>(SB)
 
 TEXT libc_issetugid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_issetugid(SB)
-
 GLOBL	·libc_issetugid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_issetugid_trampoline_addr(SB)/4, $libc_issetugid_trampoline<>(SB)
 
 TEXT libc_kill_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_kill(SB)
-
 GLOBL	·libc_kill_trampoline_addr(SB), RODATA, $4
 DATA	·libc_kill_trampoline_addr(SB)/4, $libc_kill_trampoline<>(SB)
 
 TEXT libc_kqueue_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_kqueue(SB)
-
 GLOBL	·libc_kqueue_trampoline_addr(SB), RODATA, $4
 DATA	·libc_kqueue_trampoline_addr(SB)/4, $libc_kqueue_trampoline<>(SB)
 
 TEXT libc_lchown_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_lchown(SB)
-
 GLOBL	·libc_lchown_trampoline_addr(SB), RODATA, $4
 DATA	·libc_lchown_trampoline_addr(SB)/4, $libc_lchown_trampoline<>(SB)
 
 TEXT libc_link_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_link(SB)
-
 GLOBL	·libc_link_trampoline_addr(SB), RODATA, $4
 DATA	·libc_link_trampoline_addr(SB)/4, $libc_link_trampoline<>(SB)
 
 TEXT libc_linkat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_linkat(SB)
-
 GLOBL	·libc_linkat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_linkat_trampoline_addr(SB)/4, $libc_linkat_trampoline<>(SB)
 
 TEXT libc_listen_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_listen(SB)
-
 GLOBL	·libc_listen_trampoline_addr(SB), RODATA, $4
 DATA	·libc_listen_trampoline_addr(SB)/4, $libc_listen_trampoline<>(SB)
 
 TEXT libc_lstat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_lstat(SB)
-
 GLOBL	·libc_lstat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_lstat_trampoline_addr(SB)/4, $libc_lstat_trampoline<>(SB)
 
 TEXT libc_mkdir_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mkdir(SB)
-
 GLOBL	·libc_mkdir_trampoline_addr(SB), RODATA, $4
 DATA	·libc_mkdir_trampoline_addr(SB)/4, $libc_mkdir_trampoline<>(SB)
 
 TEXT libc_mkdirat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mkdirat(SB)
-
 GLOBL	·libc_mkdirat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_mkdirat_trampoline_addr(SB)/4, $libc_mkdirat_trampoline<>(SB)
 
 TEXT libc_mkfifo_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mkfifo(SB)
-
 GLOBL	·libc_mkfifo_trampoline_addr(SB), RODATA, $4
 DATA	·libc_mkfifo_trampoline_addr(SB)/4, $libc_mkfifo_trampoline<>(SB)
 
 TEXT libc_mkfifoat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mkfifoat(SB)
-
 GLOBL	·libc_mkfifoat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_mkfifoat_trampoline_addr(SB)/4, $libc_mkfifoat_trampoline<>(SB)
 
 TEXT libc_mknod_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mknod(SB)
-
 GLOBL	·libc_mknod_trampoline_addr(SB), RODATA, $4
 DATA	·libc_mknod_trampoline_addr(SB)/4, $libc_mknod_trampoline<>(SB)
 
 TEXT libc_mknodat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mknodat(SB)
-
 GLOBL	·libc_mknodat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_mknodat_trampoline_addr(SB)/4, $libc_mknodat_trampoline<>(SB)
 
 TEXT libc_nanosleep_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_nanosleep(SB)
-
 GLOBL	·libc_nanosleep_trampoline_addr(SB), RODATA, $4
 DATA	·libc_nanosleep_trampoline_addr(SB)/4, $libc_nanosleep_trampoline<>(SB)
 
 TEXT libc_open_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_open(SB)
-
 GLOBL	·libc_open_trampoline_addr(SB), RODATA, $4
 DATA	·libc_open_trampoline_addr(SB)/4, $libc_open_trampoline<>(SB)
 
 TEXT libc_openat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_openat(SB)
-
 GLOBL	·libc_openat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_openat_trampoline_addr(SB)/4, $libc_openat_trampoline<>(SB)
 
 TEXT libc_pathconf_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_pathconf(SB)
-
 GLOBL	·libc_pathconf_trampoline_addr(SB), RODATA, $4
 DATA	·libc_pathconf_trampoline_addr(SB)/4, $libc_pathconf_trampoline<>(SB)
 
 TEXT libc_pread_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_pread(SB)
-
 GLOBL	·libc_pread_trampoline_addr(SB), RODATA, $4
 DATA	·libc_pread_trampoline_addr(SB)/4, $libc_pread_trampoline<>(SB)
 
 TEXT libc_pwrite_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_pwrite(SB)
-
 GLOBL	·libc_pwrite_trampoline_addr(SB), RODATA, $4
 DATA	·libc_pwrite_trampoline_addr(SB)/4, $libc_pwrite_trampoline<>(SB)
 
 TEXT libc_read_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_read(SB)
-
 GLOBL	·libc_read_trampoline_addr(SB), RODATA, $4
 DATA	·libc_read_trampoline_addr(SB)/4, $libc_read_trampoline<>(SB)
 
 TEXT libc_readlink_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_readlink(SB)
-
 GLOBL	·libc_readlink_trampoline_addr(SB), RODATA, $4
 DATA	·libc_readlink_trampoline_addr(SB)/4, $libc_readlink_trampoline<>(SB)
 
 TEXT libc_readlinkat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_readlinkat(SB)
-
 GLOBL	·libc_readlinkat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_readlinkat_trampoline_addr(SB)/4, $libc_readlinkat_trampoline<>(SB)
 
 TEXT libc_rename_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_rename(SB)
-
 GLOBL	·libc_rename_trampoline_addr(SB), RODATA, $4
 DATA	·libc_rename_trampoline_addr(SB)/4, $libc_rename_trampoline<>(SB)
 
 TEXT libc_renameat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_renameat(SB)
-
 GLOBL	·libc_renameat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_renameat_trampoline_addr(SB)/4, $libc_renameat_trampoline<>(SB)
 
 TEXT libc_revoke_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_revoke(SB)
-
 GLOBL	·libc_revoke_trampoline_addr(SB), RODATA, $4
 DATA	·libc_revoke_trampoline_addr(SB)/4, $libc_revoke_trampoline<>(SB)
 
 TEXT libc_rmdir_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_rmdir(SB)
-
 GLOBL	·libc_rmdir_trampoline_addr(SB), RODATA, $4
 DATA	·libc_rmdir_trampoline_addr(SB)/4, $libc_rmdir_trampoline<>(SB)
 
 TEXT libc_lseek_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_lseek(SB)
-
 GLOBL	·libc_lseek_trampoline_addr(SB), RODATA, $4
 DATA	·libc_lseek_trampoline_addr(SB)/4, $libc_lseek_trampoline<>(SB)
 
 TEXT libc_select_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_select(SB)
-
 GLOBL	·libc_select_trampoline_addr(SB), RODATA, $4
 DATA	·libc_select_trampoline_addr(SB)/4, $libc_select_trampoline<>(SB)
 
 TEXT libc_setegid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setegid(SB)
-
 GLOBL	·libc_setegid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_setegid_trampoline_addr(SB)/4, $libc_setegid_trampoline<>(SB)
 
 TEXT libc_seteuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_seteuid(SB)
-
 GLOBL	·libc_seteuid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_seteuid_trampoline_addr(SB)/4, $libc_seteuid_trampoline<>(SB)
 
 TEXT libc_setgid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setgid(SB)
-
 GLOBL	·libc_setgid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_setgid_trampoline_addr(SB)/4, $libc_setgid_trampoline<>(SB)
 
 TEXT libc_setlogin_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setlogin(SB)
-
 GLOBL	·libc_setlogin_trampoline_addr(SB), RODATA, $4
 DATA	·libc_setlogin_trampoline_addr(SB)/4, $libc_setlogin_trampoline<>(SB)
 
 TEXT libc_setpgid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setpgid(SB)
-
 GLOBL	·libc_setpgid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_setpgid_trampoline_addr(SB)/4, $libc_setpgid_trampoline<>(SB)
 
 TEXT libc_setpriority_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setpriority(SB)
-
 GLOBL	·libc_setpriority_trampoline_addr(SB), RODATA, $4
 DATA	·libc_setpriority_trampoline_addr(SB)/4, $libc_setpriority_trampoline<>(SB)
 
 TEXT libc_setregid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setregid(SB)
-
 GLOBL	·libc_setregid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_setregid_trampoline_addr(SB)/4, $libc_setregid_trampoline<>(SB)
 
 TEXT libc_setreuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setreuid(SB)
-
 GLOBL	·libc_setreuid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_setreuid_trampoline_addr(SB)/4, $libc_setreuid_trampoline<>(SB)
 
 TEXT libc_setresgid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setresgid(SB)
-
 GLOBL	·libc_setresgid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_setresgid_trampoline_addr(SB)/4, $libc_setresgid_trampoline<>(SB)
 
 TEXT libc_setresuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setresuid(SB)
-
 GLOBL	·libc_setresuid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_setresuid_trampoline_addr(SB)/4, $libc_setresuid_trampoline<>(SB)
 
 TEXT libc_setrlimit_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setrlimit(SB)
-
 GLOBL	·libc_setrlimit_trampoline_addr(SB), RODATA, $4
 DATA	·libc_setrlimit_trampoline_addr(SB)/4, $libc_setrlimit_trampoline<>(SB)
 
 TEXT libc_setrtable_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setrtable(SB)
-
 GLOBL	·libc_setrtable_trampoline_addr(SB), RODATA, $4
 DATA	·libc_setrtable_trampoline_addr(SB)/4, $libc_setrtable_trampoline<>(SB)
 
 TEXT libc_setsid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setsid(SB)
-
 GLOBL	·libc_setsid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_setsid_trampoline_addr(SB)/4, $libc_setsid_trampoline<>(SB)
 
 TEXT libc_settimeofday_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_settimeofday(SB)
-
 GLOBL	·libc_settimeofday_trampoline_addr(SB), RODATA, $4
 DATA	·libc_settimeofday_trampoline_addr(SB)/4, $libc_settimeofday_trampoline<>(SB)
 
 TEXT libc_setuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setuid(SB)
-
 GLOBL	·libc_setuid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_setuid_trampoline_addr(SB)/4, $libc_setuid_trampoline<>(SB)
 
 TEXT libc_stat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_stat(SB)
-
 GLOBL	·libc_stat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_stat_trampoline_addr(SB)/4, $libc_stat_trampoline<>(SB)
 
 TEXT libc_statfs_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_statfs(SB)
-
 GLOBL	·libc_statfs_trampoline_addr(SB), RODATA, $4
 DATA	·libc_statfs_trampoline_addr(SB)/4, $libc_statfs_trampoline<>(SB)
 
 TEXT libc_symlink_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_symlink(SB)
-
 GLOBL	·libc_symlink_trampoline_addr(SB), RODATA, $4
 DATA	·libc_symlink_trampoline_addr(SB)/4, $libc_symlink_trampoline<>(SB)
 
 TEXT libc_symlinkat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_symlinkat(SB)
-
 GLOBL	·libc_symlinkat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_symlinkat_trampoline_addr(SB)/4, $libc_symlinkat_trampoline<>(SB)
 
 TEXT libc_sync_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_sync(SB)
-
 GLOBL	·libc_sync_trampoline_addr(SB), RODATA, $4
 DATA	·libc_sync_trampoline_addr(SB)/4, $libc_sync_trampoline<>(SB)
 
 TEXT libc_truncate_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_truncate(SB)
-
 GLOBL	·libc_truncate_trampoline_addr(SB), RODATA, $4
 DATA	·libc_truncate_trampoline_addr(SB)/4, $libc_truncate_trampoline<>(SB)
 
 TEXT libc_umask_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_umask(SB)
-
 GLOBL	·libc_umask_trampoline_addr(SB), RODATA, $4
 DATA	·libc_umask_trampoline_addr(SB)/4, $libc_umask_trampoline<>(SB)
 
 TEXT libc_unlink_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_unlink(SB)
-
 GLOBL	·libc_unlink_trampoline_addr(SB), RODATA, $4
 DATA	·libc_unlink_trampoline_addr(SB)/4, $libc_unlink_trampoline<>(SB)
 
 TEXT libc_unlinkat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_unlinkat(SB)
-
 GLOBL	·libc_unlinkat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_unlinkat_trampoline_addr(SB)/4, $libc_unlinkat_trampoline<>(SB)
 
 TEXT libc_unmount_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_unmount(SB)
-
 GLOBL	·libc_unmount_trampoline_addr(SB), RODATA, $4
 DATA	·libc_unmount_trampoline_addr(SB)/4, $libc_unmount_trampoline<>(SB)
 
 TEXT libc_write_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_write(SB)
-
 GLOBL	·libc_write_trampoline_addr(SB), RODATA, $4
 DATA	·libc_write_trampoline_addr(SB)/4, $libc_write_trampoline<>(SB)
 
 TEXT libc_mmap_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mmap(SB)
-
 GLOBL	·libc_mmap_trampoline_addr(SB), RODATA, $4
 DATA	·libc_mmap_trampoline_addr(SB)/4, $libc_mmap_trampoline<>(SB)
 
 TEXT libc_munmap_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_munmap(SB)
-
 GLOBL	·libc_munmap_trampoline_addr(SB), RODATA, $4
 DATA	·libc_munmap_trampoline_addr(SB)/4, $libc_munmap_trampoline<>(SB)
 
 TEXT libc_utimensat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_utimensat(SB)
-
 GLOBL	·libc_utimensat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_utimensat_trampoline_addr(SB)/4, $libc_utimensat_trampoline<>(SB)
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.go b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.go
index 98446d2b9..a05e5f4ff 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.go
@@ -696,6 +696,20 @@ var libc_chroot_trampoline_addr uintptr
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func ClockGettime(clockid int32, time *Timespec) (err error) {
+	_, _, e1 := syscall_syscall(libc_clock_gettime_trampoline_addr, uintptr(clockid), uintptr(unsafe.Pointer(time)), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_clock_gettime_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_clock_gettime clock_gettime "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Close(fd int) (err error) {
 	_, _, e1 := syscall_syscall(libc_close_trampoline_addr, uintptr(fd), 0, 0)
 	if e1 != 0 {
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.s b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.s
index 243a6663c..5782cd108 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.s
+++ b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.s
@@ -5,792 +5,665 @@
 
 TEXT libc_getgroups_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getgroups(SB)
-
 GLOBL	·libc_getgroups_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getgroups_trampoline_addr(SB)/8, $libc_getgroups_trampoline<>(SB)
 
 TEXT libc_setgroups_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setgroups(SB)
-
 GLOBL	·libc_setgroups_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setgroups_trampoline_addr(SB)/8, $libc_setgroups_trampoline<>(SB)
 
 TEXT libc_wait4_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_wait4(SB)
-
 GLOBL	·libc_wait4_trampoline_addr(SB), RODATA, $8
 DATA	·libc_wait4_trampoline_addr(SB)/8, $libc_wait4_trampoline<>(SB)
 
 TEXT libc_accept_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_accept(SB)
-
 GLOBL	·libc_accept_trampoline_addr(SB), RODATA, $8
 DATA	·libc_accept_trampoline_addr(SB)/8, $libc_accept_trampoline<>(SB)
 
 TEXT libc_bind_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_bind(SB)
-
 GLOBL	·libc_bind_trampoline_addr(SB), RODATA, $8
 DATA	·libc_bind_trampoline_addr(SB)/8, $libc_bind_trampoline<>(SB)
 
 TEXT libc_connect_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_connect(SB)
-
 GLOBL	·libc_connect_trampoline_addr(SB), RODATA, $8
 DATA	·libc_connect_trampoline_addr(SB)/8, $libc_connect_trampoline<>(SB)
 
 TEXT libc_socket_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_socket(SB)
-
 GLOBL	·libc_socket_trampoline_addr(SB), RODATA, $8
 DATA	·libc_socket_trampoline_addr(SB)/8, $libc_socket_trampoline<>(SB)
 
 TEXT libc_getsockopt_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getsockopt(SB)
-
 GLOBL	·libc_getsockopt_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getsockopt_trampoline_addr(SB)/8, $libc_getsockopt_trampoline<>(SB)
 
 TEXT libc_setsockopt_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setsockopt(SB)
-
 GLOBL	·libc_setsockopt_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setsockopt_trampoline_addr(SB)/8, $libc_setsockopt_trampoline<>(SB)
 
 TEXT libc_getpeername_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getpeername(SB)
-
 GLOBL	·libc_getpeername_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getpeername_trampoline_addr(SB)/8, $libc_getpeername_trampoline<>(SB)
 
 TEXT libc_getsockname_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getsockname(SB)
-
 GLOBL	·libc_getsockname_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getsockname_trampoline_addr(SB)/8, $libc_getsockname_trampoline<>(SB)
 
 TEXT libc_shutdown_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_shutdown(SB)
-
 GLOBL	·libc_shutdown_trampoline_addr(SB), RODATA, $8
 DATA	·libc_shutdown_trampoline_addr(SB)/8, $libc_shutdown_trampoline<>(SB)
 
 TEXT libc_socketpair_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_socketpair(SB)
-
 GLOBL	·libc_socketpair_trampoline_addr(SB), RODATA, $8
 DATA	·libc_socketpair_trampoline_addr(SB)/8, $libc_socketpair_trampoline<>(SB)
 
 TEXT libc_recvfrom_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_recvfrom(SB)
-
 GLOBL	·libc_recvfrom_trampoline_addr(SB), RODATA, $8
 DATA	·libc_recvfrom_trampoline_addr(SB)/8, $libc_recvfrom_trampoline<>(SB)
 
 TEXT libc_sendto_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_sendto(SB)
-
 GLOBL	·libc_sendto_trampoline_addr(SB), RODATA, $8
 DATA	·libc_sendto_trampoline_addr(SB)/8, $libc_sendto_trampoline<>(SB)
 
 TEXT libc_recvmsg_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_recvmsg(SB)
-
 GLOBL	·libc_recvmsg_trampoline_addr(SB), RODATA, $8
 DATA	·libc_recvmsg_trampoline_addr(SB)/8, $libc_recvmsg_trampoline<>(SB)
 
 TEXT libc_sendmsg_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_sendmsg(SB)
-
 GLOBL	·libc_sendmsg_trampoline_addr(SB), RODATA, $8
 DATA	·libc_sendmsg_trampoline_addr(SB)/8, $libc_sendmsg_trampoline<>(SB)
 
 TEXT libc_kevent_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_kevent(SB)
-
 GLOBL	·libc_kevent_trampoline_addr(SB), RODATA, $8
 DATA	·libc_kevent_trampoline_addr(SB)/8, $libc_kevent_trampoline<>(SB)
 
 TEXT libc_utimes_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_utimes(SB)
-
 GLOBL	·libc_utimes_trampoline_addr(SB), RODATA, $8
 DATA	·libc_utimes_trampoline_addr(SB)/8, $libc_utimes_trampoline<>(SB)
 
 TEXT libc_futimes_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_futimes(SB)
-
 GLOBL	·libc_futimes_trampoline_addr(SB), RODATA, $8
 DATA	·libc_futimes_trampoline_addr(SB)/8, $libc_futimes_trampoline<>(SB)
 
 TEXT libc_poll_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_poll(SB)
-
 GLOBL	·libc_poll_trampoline_addr(SB), RODATA, $8
 DATA	·libc_poll_trampoline_addr(SB)/8, $libc_poll_trampoline<>(SB)
 
 TEXT libc_madvise_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_madvise(SB)
-
 GLOBL	·libc_madvise_trampoline_addr(SB), RODATA, $8
 DATA	·libc_madvise_trampoline_addr(SB)/8, $libc_madvise_trampoline<>(SB)
 
 TEXT libc_mlock_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mlock(SB)
-
 GLOBL	·libc_mlock_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mlock_trampoline_addr(SB)/8, $libc_mlock_trampoline<>(SB)
 
 TEXT libc_mlockall_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mlockall(SB)
-
 GLOBL	·libc_mlockall_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mlockall_trampoline_addr(SB)/8, $libc_mlockall_trampoline<>(SB)
 
 TEXT libc_mprotect_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mprotect(SB)
-
 GLOBL	·libc_mprotect_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mprotect_trampoline_addr(SB)/8, $libc_mprotect_trampoline<>(SB)
 
 TEXT libc_msync_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_msync(SB)
-
 GLOBL	·libc_msync_trampoline_addr(SB), RODATA, $8
 DATA	·libc_msync_trampoline_addr(SB)/8, $libc_msync_trampoline<>(SB)
 
 TEXT libc_munlock_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_munlock(SB)
-
 GLOBL	·libc_munlock_trampoline_addr(SB), RODATA, $8
 DATA	·libc_munlock_trampoline_addr(SB)/8, $libc_munlock_trampoline<>(SB)
 
 TEXT libc_munlockall_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_munlockall(SB)
-
 GLOBL	·libc_munlockall_trampoline_addr(SB), RODATA, $8
 DATA	·libc_munlockall_trampoline_addr(SB)/8, $libc_munlockall_trampoline<>(SB)
 
 TEXT libc_pipe2_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_pipe2(SB)
-
 GLOBL	·libc_pipe2_trampoline_addr(SB), RODATA, $8
 DATA	·libc_pipe2_trampoline_addr(SB)/8, $libc_pipe2_trampoline<>(SB)
 
 TEXT libc_getdents_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getdents(SB)
-
 GLOBL	·libc_getdents_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getdents_trampoline_addr(SB)/8, $libc_getdents_trampoline<>(SB)
 
 TEXT libc_getcwd_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getcwd(SB)
-
 GLOBL	·libc_getcwd_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getcwd_trampoline_addr(SB)/8, $libc_getcwd_trampoline<>(SB)
 
 TEXT libc_ioctl_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_ioctl(SB)
-
 GLOBL	·libc_ioctl_trampoline_addr(SB), RODATA, $8
 DATA	·libc_ioctl_trampoline_addr(SB)/8, $libc_ioctl_trampoline<>(SB)
 
 TEXT libc_sysctl_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_sysctl(SB)
-
 GLOBL	·libc_sysctl_trampoline_addr(SB), RODATA, $8
 DATA	·libc_sysctl_trampoline_addr(SB)/8, $libc_sysctl_trampoline<>(SB)
 
 TEXT libc_ppoll_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_ppoll(SB)
-
 GLOBL	·libc_ppoll_trampoline_addr(SB), RODATA, $8
 DATA	·libc_ppoll_trampoline_addr(SB)/8, $libc_ppoll_trampoline<>(SB)
 
 TEXT libc_access_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_access(SB)
-
 GLOBL	·libc_access_trampoline_addr(SB), RODATA, $8
 DATA	·libc_access_trampoline_addr(SB)/8, $libc_access_trampoline<>(SB)
 
 TEXT libc_adjtime_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_adjtime(SB)
-
 GLOBL	·libc_adjtime_trampoline_addr(SB), RODATA, $8
 DATA	·libc_adjtime_trampoline_addr(SB)/8, $libc_adjtime_trampoline<>(SB)
 
 TEXT libc_chdir_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_chdir(SB)
-
 GLOBL	·libc_chdir_trampoline_addr(SB), RODATA, $8
 DATA	·libc_chdir_trampoline_addr(SB)/8, $libc_chdir_trampoline<>(SB)
 
 TEXT libc_chflags_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_chflags(SB)
-
 GLOBL	·libc_chflags_trampoline_addr(SB), RODATA, $8
 DATA	·libc_chflags_trampoline_addr(SB)/8, $libc_chflags_trampoline<>(SB)
 
 TEXT libc_chmod_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_chmod(SB)
-
 GLOBL	·libc_chmod_trampoline_addr(SB), RODATA, $8
 DATA	·libc_chmod_trampoline_addr(SB)/8, $libc_chmod_trampoline<>(SB)
 
 TEXT libc_chown_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_chown(SB)
-
 GLOBL	·libc_chown_trampoline_addr(SB), RODATA, $8
 DATA	·libc_chown_trampoline_addr(SB)/8, $libc_chown_trampoline<>(SB)
 
 TEXT libc_chroot_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_chroot(SB)
-
 GLOBL	·libc_chroot_trampoline_addr(SB), RODATA, $8
 DATA	·libc_chroot_trampoline_addr(SB)/8, $libc_chroot_trampoline<>(SB)
 
+TEXT libc_clock_gettime_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_clock_gettime(SB)
+GLOBL	·libc_clock_gettime_trampoline_addr(SB), RODATA, $8
+DATA	·libc_clock_gettime_trampoline_addr(SB)/8, $libc_clock_gettime_trampoline<>(SB)
+
 TEXT libc_close_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_close(SB)
-
 GLOBL	·libc_close_trampoline_addr(SB), RODATA, $8
 DATA	·libc_close_trampoline_addr(SB)/8, $libc_close_trampoline<>(SB)
 
 TEXT libc_dup_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_dup(SB)
-
 GLOBL	·libc_dup_trampoline_addr(SB), RODATA, $8
 DATA	·libc_dup_trampoline_addr(SB)/8, $libc_dup_trampoline<>(SB)
 
 TEXT libc_dup2_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_dup2(SB)
-
 GLOBL	·libc_dup2_trampoline_addr(SB), RODATA, $8
 DATA	·libc_dup2_trampoline_addr(SB)/8, $libc_dup2_trampoline<>(SB)
 
 TEXT libc_dup3_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_dup3(SB)
-
 GLOBL	·libc_dup3_trampoline_addr(SB), RODATA, $8
 DATA	·libc_dup3_trampoline_addr(SB)/8, $libc_dup3_trampoline<>(SB)
 
 TEXT libc_exit_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_exit(SB)
-
 GLOBL	·libc_exit_trampoline_addr(SB), RODATA, $8
 DATA	·libc_exit_trampoline_addr(SB)/8, $libc_exit_trampoline<>(SB)
 
 TEXT libc_faccessat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_faccessat(SB)
-
 GLOBL	·libc_faccessat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_faccessat_trampoline_addr(SB)/8, $libc_faccessat_trampoline<>(SB)
 
 TEXT libc_fchdir_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fchdir(SB)
-
 GLOBL	·libc_fchdir_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fchdir_trampoline_addr(SB)/8, $libc_fchdir_trampoline<>(SB)
 
 TEXT libc_fchflags_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fchflags(SB)
-
 GLOBL	·libc_fchflags_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fchflags_trampoline_addr(SB)/8, $libc_fchflags_trampoline<>(SB)
 
 TEXT libc_fchmod_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fchmod(SB)
-
 GLOBL	·libc_fchmod_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fchmod_trampoline_addr(SB)/8, $libc_fchmod_trampoline<>(SB)
 
 TEXT libc_fchmodat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fchmodat(SB)
-
 GLOBL	·libc_fchmodat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fchmodat_trampoline_addr(SB)/8, $libc_fchmodat_trampoline<>(SB)
 
 TEXT libc_fchown_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fchown(SB)
-
 GLOBL	·libc_fchown_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fchown_trampoline_addr(SB)/8, $libc_fchown_trampoline<>(SB)
 
 TEXT libc_fchownat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fchownat(SB)
-
 GLOBL	·libc_fchownat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fchownat_trampoline_addr(SB)/8, $libc_fchownat_trampoline<>(SB)
 
 TEXT libc_flock_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_flock(SB)
-
 GLOBL	·libc_flock_trampoline_addr(SB), RODATA, $8
 DATA	·libc_flock_trampoline_addr(SB)/8, $libc_flock_trampoline<>(SB)
 
 TEXT libc_fpathconf_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fpathconf(SB)
-
 GLOBL	·libc_fpathconf_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fpathconf_trampoline_addr(SB)/8, $libc_fpathconf_trampoline<>(SB)
 
 TEXT libc_fstat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fstat(SB)
-
 GLOBL	·libc_fstat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fstat_trampoline_addr(SB)/8, $libc_fstat_trampoline<>(SB)
 
 TEXT libc_fstatat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fstatat(SB)
-
 GLOBL	·libc_fstatat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fstatat_trampoline_addr(SB)/8, $libc_fstatat_trampoline<>(SB)
 
 TEXT libc_fstatfs_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fstatfs(SB)
-
 GLOBL	·libc_fstatfs_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fstatfs_trampoline_addr(SB)/8, $libc_fstatfs_trampoline<>(SB)
 
 TEXT libc_fsync_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fsync(SB)
-
 GLOBL	·libc_fsync_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fsync_trampoline_addr(SB)/8, $libc_fsync_trampoline<>(SB)
 
 TEXT libc_ftruncate_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_ftruncate(SB)
-
 GLOBL	·libc_ftruncate_trampoline_addr(SB), RODATA, $8
 DATA	·libc_ftruncate_trampoline_addr(SB)/8, $libc_ftruncate_trampoline<>(SB)
 
 TEXT libc_getegid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getegid(SB)
-
 GLOBL	·libc_getegid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getegid_trampoline_addr(SB)/8, $libc_getegid_trampoline<>(SB)
 
 TEXT libc_geteuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_geteuid(SB)
-
 GLOBL	·libc_geteuid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_geteuid_trampoline_addr(SB)/8, $libc_geteuid_trampoline<>(SB)
 
 TEXT libc_getgid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getgid(SB)
-
 GLOBL	·libc_getgid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getgid_trampoline_addr(SB)/8, $libc_getgid_trampoline<>(SB)
 
 TEXT libc_getpgid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getpgid(SB)
-
 GLOBL	·libc_getpgid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getpgid_trampoline_addr(SB)/8, $libc_getpgid_trampoline<>(SB)
 
 TEXT libc_getpgrp_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getpgrp(SB)
-
 GLOBL	·libc_getpgrp_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getpgrp_trampoline_addr(SB)/8, $libc_getpgrp_trampoline<>(SB)
 
 TEXT libc_getpid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getpid(SB)
-
 GLOBL	·libc_getpid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getpid_trampoline_addr(SB)/8, $libc_getpid_trampoline<>(SB)
 
 TEXT libc_getppid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getppid(SB)
-
 GLOBL	·libc_getppid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getppid_trampoline_addr(SB)/8, $libc_getppid_trampoline<>(SB)
 
 TEXT libc_getpriority_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getpriority(SB)
-
 GLOBL	·libc_getpriority_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getpriority_trampoline_addr(SB)/8, $libc_getpriority_trampoline<>(SB)
 
 TEXT libc_getrlimit_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getrlimit(SB)
-
 GLOBL	·libc_getrlimit_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getrlimit_trampoline_addr(SB)/8, $libc_getrlimit_trampoline<>(SB)
 
 TEXT libc_getrtable_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getrtable(SB)
-
 GLOBL	·libc_getrtable_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getrtable_trampoline_addr(SB)/8, $libc_getrtable_trampoline<>(SB)
 
 TEXT libc_getrusage_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getrusage(SB)
-
 GLOBL	·libc_getrusage_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getrusage_trampoline_addr(SB)/8, $libc_getrusage_trampoline<>(SB)
 
 TEXT libc_getsid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getsid(SB)
-
 GLOBL	·libc_getsid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getsid_trampoline_addr(SB)/8, $libc_getsid_trampoline<>(SB)
 
 TEXT libc_gettimeofday_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_gettimeofday(SB)
-
 GLOBL	·libc_gettimeofday_trampoline_addr(SB), RODATA, $8
 DATA	·libc_gettimeofday_trampoline_addr(SB)/8, $libc_gettimeofday_trampoline<>(SB)
 
 TEXT libc_getuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getuid(SB)
-
 GLOBL	·libc_getuid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getuid_trampoline_addr(SB)/8, $libc_getuid_trampoline<>(SB)
 
 TEXT libc_issetugid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_issetugid(SB)
-
 GLOBL	·libc_issetugid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_issetugid_trampoline_addr(SB)/8, $libc_issetugid_trampoline<>(SB)
 
 TEXT libc_kill_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_kill(SB)
-
 GLOBL	·libc_kill_trampoline_addr(SB), RODATA, $8
 DATA	·libc_kill_trampoline_addr(SB)/8, $libc_kill_trampoline<>(SB)
 
 TEXT libc_kqueue_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_kqueue(SB)
-
 GLOBL	·libc_kqueue_trampoline_addr(SB), RODATA, $8
 DATA	·libc_kqueue_trampoline_addr(SB)/8, $libc_kqueue_trampoline<>(SB)
 
 TEXT libc_lchown_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_lchown(SB)
-
 GLOBL	·libc_lchown_trampoline_addr(SB), RODATA, $8
 DATA	·libc_lchown_trampoline_addr(SB)/8, $libc_lchown_trampoline<>(SB)
 
 TEXT libc_link_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_link(SB)
-
 GLOBL	·libc_link_trampoline_addr(SB), RODATA, $8
 DATA	·libc_link_trampoline_addr(SB)/8, $libc_link_trampoline<>(SB)
 
 TEXT libc_linkat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_linkat(SB)
-
 GLOBL	·libc_linkat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_linkat_trampoline_addr(SB)/8, $libc_linkat_trampoline<>(SB)
 
 TEXT libc_listen_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_listen(SB)
-
 GLOBL	·libc_listen_trampoline_addr(SB), RODATA, $8
 DATA	·libc_listen_trampoline_addr(SB)/8, $libc_listen_trampoline<>(SB)
 
 TEXT libc_lstat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_lstat(SB)
-
 GLOBL	·libc_lstat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_lstat_trampoline_addr(SB)/8, $libc_lstat_trampoline<>(SB)
 
 TEXT libc_mkdir_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mkdir(SB)
-
 GLOBL	·libc_mkdir_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mkdir_trampoline_addr(SB)/8, $libc_mkdir_trampoline<>(SB)
 
 TEXT libc_mkdirat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mkdirat(SB)
-
 GLOBL	·libc_mkdirat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mkdirat_trampoline_addr(SB)/8, $libc_mkdirat_trampoline<>(SB)
 
 TEXT libc_mkfifo_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mkfifo(SB)
-
 GLOBL	·libc_mkfifo_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mkfifo_trampoline_addr(SB)/8, $libc_mkfifo_trampoline<>(SB)
 
 TEXT libc_mkfifoat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mkfifoat(SB)
-
 GLOBL	·libc_mkfifoat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mkfifoat_trampoline_addr(SB)/8, $libc_mkfifoat_trampoline<>(SB)
 
 TEXT libc_mknod_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mknod(SB)
-
 GLOBL	·libc_mknod_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mknod_trampoline_addr(SB)/8, $libc_mknod_trampoline<>(SB)
 
 TEXT libc_mknodat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mknodat(SB)
-
 GLOBL	·libc_mknodat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mknodat_trampoline_addr(SB)/8, $libc_mknodat_trampoline<>(SB)
 
 TEXT libc_nanosleep_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_nanosleep(SB)
-
 GLOBL	·libc_nanosleep_trampoline_addr(SB), RODATA, $8
 DATA	·libc_nanosleep_trampoline_addr(SB)/8, $libc_nanosleep_trampoline<>(SB)
 
 TEXT libc_open_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_open(SB)
-
 GLOBL	·libc_open_trampoline_addr(SB), RODATA, $8
 DATA	·libc_open_trampoline_addr(SB)/8, $libc_open_trampoline<>(SB)
 
 TEXT libc_openat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_openat(SB)
-
 GLOBL	·libc_openat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_openat_trampoline_addr(SB)/8, $libc_openat_trampoline<>(SB)
 
 TEXT libc_pathconf_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_pathconf(SB)
-
 GLOBL	·libc_pathconf_trampoline_addr(SB), RODATA, $8
 DATA	·libc_pathconf_trampoline_addr(SB)/8, $libc_pathconf_trampoline<>(SB)
 
 TEXT libc_pread_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_pread(SB)
-
 GLOBL	·libc_pread_trampoline_addr(SB), RODATA, $8
 DATA	·libc_pread_trampoline_addr(SB)/8, $libc_pread_trampoline<>(SB)
 
 TEXT libc_pwrite_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_pwrite(SB)
-
 GLOBL	·libc_pwrite_trampoline_addr(SB), RODATA, $8
 DATA	·libc_pwrite_trampoline_addr(SB)/8, $libc_pwrite_trampoline<>(SB)
 
 TEXT libc_read_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_read(SB)
-
 GLOBL	·libc_read_trampoline_addr(SB), RODATA, $8
 DATA	·libc_read_trampoline_addr(SB)/8, $libc_read_trampoline<>(SB)
 
 TEXT libc_readlink_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_readlink(SB)
-
 GLOBL	·libc_readlink_trampoline_addr(SB), RODATA, $8
 DATA	·libc_readlink_trampoline_addr(SB)/8, $libc_readlink_trampoline<>(SB)
 
 TEXT libc_readlinkat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_readlinkat(SB)
-
 GLOBL	·libc_readlinkat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_readlinkat_trampoline_addr(SB)/8, $libc_readlinkat_trampoline<>(SB)
 
 TEXT libc_rename_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_rename(SB)
-
 GLOBL	·libc_rename_trampoline_addr(SB), RODATA, $8
 DATA	·libc_rename_trampoline_addr(SB)/8, $libc_rename_trampoline<>(SB)
 
 TEXT libc_renameat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_renameat(SB)
-
 GLOBL	·libc_renameat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_renameat_trampoline_addr(SB)/8, $libc_renameat_trampoline<>(SB)
 
 TEXT libc_revoke_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_revoke(SB)
-
 GLOBL	·libc_revoke_trampoline_addr(SB), RODATA, $8
 DATA	·libc_revoke_trampoline_addr(SB)/8, $libc_revoke_trampoline<>(SB)
 
 TEXT libc_rmdir_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_rmdir(SB)
-
 GLOBL	·libc_rmdir_trampoline_addr(SB), RODATA, $8
 DATA	·libc_rmdir_trampoline_addr(SB)/8, $libc_rmdir_trampoline<>(SB)
 
 TEXT libc_lseek_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_lseek(SB)
-
 GLOBL	·libc_lseek_trampoline_addr(SB), RODATA, $8
 DATA	·libc_lseek_trampoline_addr(SB)/8, $libc_lseek_trampoline<>(SB)
 
 TEXT libc_select_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_select(SB)
-
 GLOBL	·libc_select_trampoline_addr(SB), RODATA, $8
 DATA	·libc_select_trampoline_addr(SB)/8, $libc_select_trampoline<>(SB)
 
 TEXT libc_setegid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setegid(SB)
-
 GLOBL	·libc_setegid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setegid_trampoline_addr(SB)/8, $libc_setegid_trampoline<>(SB)
 
 TEXT libc_seteuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_seteuid(SB)
-
 GLOBL	·libc_seteuid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_seteuid_trampoline_addr(SB)/8, $libc_seteuid_trampoline<>(SB)
 
 TEXT libc_setgid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setgid(SB)
-
 GLOBL	·libc_setgid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setgid_trampoline_addr(SB)/8, $libc_setgid_trampoline<>(SB)
 
 TEXT libc_setlogin_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setlogin(SB)
-
 GLOBL	·libc_setlogin_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setlogin_trampoline_addr(SB)/8, $libc_setlogin_trampoline<>(SB)
 
 TEXT libc_setpgid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setpgid(SB)
-
 GLOBL	·libc_setpgid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setpgid_trampoline_addr(SB)/8, $libc_setpgid_trampoline<>(SB)
 
 TEXT libc_setpriority_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setpriority(SB)
-
 GLOBL	·libc_setpriority_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setpriority_trampoline_addr(SB)/8, $libc_setpriority_trampoline<>(SB)
 
 TEXT libc_setregid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setregid(SB)
-
 GLOBL	·libc_setregid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setregid_trampoline_addr(SB)/8, $libc_setregid_trampoline<>(SB)
 
 TEXT libc_setreuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setreuid(SB)
-
 GLOBL	·libc_setreuid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setreuid_trampoline_addr(SB)/8, $libc_setreuid_trampoline<>(SB)
 
 TEXT libc_setresgid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setresgid(SB)
-
 GLOBL	·libc_setresgid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setresgid_trampoline_addr(SB)/8, $libc_setresgid_trampoline<>(SB)
 
 TEXT libc_setresuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setresuid(SB)
-
 GLOBL	·libc_setresuid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setresuid_trampoline_addr(SB)/8, $libc_setresuid_trampoline<>(SB)
 
 TEXT libc_setrlimit_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setrlimit(SB)
-
 GLOBL	·libc_setrlimit_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setrlimit_trampoline_addr(SB)/8, $libc_setrlimit_trampoline<>(SB)
 
 TEXT libc_setrtable_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setrtable(SB)
-
 GLOBL	·libc_setrtable_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setrtable_trampoline_addr(SB)/8, $libc_setrtable_trampoline<>(SB)
 
 TEXT libc_setsid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setsid(SB)
-
 GLOBL	·libc_setsid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setsid_trampoline_addr(SB)/8, $libc_setsid_trampoline<>(SB)
 
 TEXT libc_settimeofday_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_settimeofday(SB)
-
 GLOBL	·libc_settimeofday_trampoline_addr(SB), RODATA, $8
 DATA	·libc_settimeofday_trampoline_addr(SB)/8, $libc_settimeofday_trampoline<>(SB)
 
 TEXT libc_setuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setuid(SB)
-
 GLOBL	·libc_setuid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setuid_trampoline_addr(SB)/8, $libc_setuid_trampoline<>(SB)
 
 TEXT libc_stat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_stat(SB)
-
 GLOBL	·libc_stat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_stat_trampoline_addr(SB)/8, $libc_stat_trampoline<>(SB)
 
 TEXT libc_statfs_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_statfs(SB)
-
 GLOBL	·libc_statfs_trampoline_addr(SB), RODATA, $8
 DATA	·libc_statfs_trampoline_addr(SB)/8, $libc_statfs_trampoline<>(SB)
 
 TEXT libc_symlink_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_symlink(SB)
-
 GLOBL	·libc_symlink_trampoline_addr(SB), RODATA, $8
 DATA	·libc_symlink_trampoline_addr(SB)/8, $libc_symlink_trampoline<>(SB)
 
 TEXT libc_symlinkat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_symlinkat(SB)
-
 GLOBL	·libc_symlinkat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_symlinkat_trampoline_addr(SB)/8, $libc_symlinkat_trampoline<>(SB)
 
 TEXT libc_sync_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_sync(SB)
-
 GLOBL	·libc_sync_trampoline_addr(SB), RODATA, $8
 DATA	·libc_sync_trampoline_addr(SB)/8, $libc_sync_trampoline<>(SB)
 
 TEXT libc_truncate_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_truncate(SB)
-
 GLOBL	·libc_truncate_trampoline_addr(SB), RODATA, $8
 DATA	·libc_truncate_trampoline_addr(SB)/8, $libc_truncate_trampoline<>(SB)
 
 TEXT libc_umask_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_umask(SB)
-
 GLOBL	·libc_umask_trampoline_addr(SB), RODATA, $8
 DATA	·libc_umask_trampoline_addr(SB)/8, $libc_umask_trampoline<>(SB)
 
 TEXT libc_unlink_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_unlink(SB)
-
 GLOBL	·libc_unlink_trampoline_addr(SB), RODATA, $8
 DATA	·libc_unlink_trampoline_addr(SB)/8, $libc_unlink_trampoline<>(SB)
 
 TEXT libc_unlinkat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_unlinkat(SB)
-
 GLOBL	·libc_unlinkat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_unlinkat_trampoline_addr(SB)/8, $libc_unlinkat_trampoline<>(SB)
 
 TEXT libc_unmount_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_unmount(SB)
-
 GLOBL	·libc_unmount_trampoline_addr(SB), RODATA, $8
 DATA	·libc_unmount_trampoline_addr(SB)/8, $libc_unmount_trampoline<>(SB)
 
 TEXT libc_write_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_write(SB)
-
 GLOBL	·libc_write_trampoline_addr(SB), RODATA, $8
 DATA	·libc_write_trampoline_addr(SB)/8, $libc_write_trampoline<>(SB)
 
 TEXT libc_mmap_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mmap(SB)
-
 GLOBL	·libc_mmap_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mmap_trampoline_addr(SB)/8, $libc_mmap_trampoline<>(SB)
 
 TEXT libc_munmap_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_munmap(SB)
-
 GLOBL	·libc_munmap_trampoline_addr(SB), RODATA, $8
 DATA	·libc_munmap_trampoline_addr(SB)/8, $libc_munmap_trampoline<>(SB)
 
 TEXT libc_utimensat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_utimensat(SB)
-
 GLOBL	·libc_utimensat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_utimensat_trampoline_addr(SB)/8, $libc_utimensat_trampoline<>(SB)
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.go b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.go
index 8da6791d1..b2da8e50c 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.go
@@ -696,6 +696,20 @@ var libc_chroot_trampoline_addr uintptr
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func ClockGettime(clockid int32, time *Timespec) (err error) {
+	_, _, e1 := syscall_syscall(libc_clock_gettime_trampoline_addr, uintptr(clockid), uintptr(unsafe.Pointer(time)), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_clock_gettime_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_clock_gettime clock_gettime "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Close(fd int) (err error) {
 	_, _, e1 := syscall_syscall(libc_close_trampoline_addr, uintptr(fd), 0, 0)
 	if e1 != 0 {
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.s b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.s
index 9ad116d9f..cf310420c 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.s
+++ b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.s
@@ -5,792 +5,665 @@
 
 TEXT libc_getgroups_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getgroups(SB)
-
 GLOBL	·libc_getgroups_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getgroups_trampoline_addr(SB)/4, $libc_getgroups_trampoline<>(SB)
 
 TEXT libc_setgroups_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setgroups(SB)
-
 GLOBL	·libc_setgroups_trampoline_addr(SB), RODATA, $4
 DATA	·libc_setgroups_trampoline_addr(SB)/4, $libc_setgroups_trampoline<>(SB)
 
 TEXT libc_wait4_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_wait4(SB)
-
 GLOBL	·libc_wait4_trampoline_addr(SB), RODATA, $4
 DATA	·libc_wait4_trampoline_addr(SB)/4, $libc_wait4_trampoline<>(SB)
 
 TEXT libc_accept_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_accept(SB)
-
 GLOBL	·libc_accept_trampoline_addr(SB), RODATA, $4
 DATA	·libc_accept_trampoline_addr(SB)/4, $libc_accept_trampoline<>(SB)
 
 TEXT libc_bind_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_bind(SB)
-
 GLOBL	·libc_bind_trampoline_addr(SB), RODATA, $4
 DATA	·libc_bind_trampoline_addr(SB)/4, $libc_bind_trampoline<>(SB)
 
 TEXT libc_connect_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_connect(SB)
-
 GLOBL	·libc_connect_trampoline_addr(SB), RODATA, $4
 DATA	·libc_connect_trampoline_addr(SB)/4, $libc_connect_trampoline<>(SB)
 
 TEXT libc_socket_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_socket(SB)
-
 GLOBL	·libc_socket_trampoline_addr(SB), RODATA, $4
 DATA	·libc_socket_trampoline_addr(SB)/4, $libc_socket_trampoline<>(SB)
 
 TEXT libc_getsockopt_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getsockopt(SB)
-
 GLOBL	·libc_getsockopt_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getsockopt_trampoline_addr(SB)/4, $libc_getsockopt_trampoline<>(SB)
 
 TEXT libc_setsockopt_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setsockopt(SB)
-
 GLOBL	·libc_setsockopt_trampoline_addr(SB), RODATA, $4
 DATA	·libc_setsockopt_trampoline_addr(SB)/4, $libc_setsockopt_trampoline<>(SB)
 
 TEXT libc_getpeername_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getpeername(SB)
-
 GLOBL	·libc_getpeername_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getpeername_trampoline_addr(SB)/4, $libc_getpeername_trampoline<>(SB)
 
 TEXT libc_getsockname_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getsockname(SB)
-
 GLOBL	·libc_getsockname_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getsockname_trampoline_addr(SB)/4, $libc_getsockname_trampoline<>(SB)
 
 TEXT libc_shutdown_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_shutdown(SB)
-
 GLOBL	·libc_shutdown_trampoline_addr(SB), RODATA, $4
 DATA	·libc_shutdown_trampoline_addr(SB)/4, $libc_shutdown_trampoline<>(SB)
 
 TEXT libc_socketpair_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_socketpair(SB)
-
 GLOBL	·libc_socketpair_trampoline_addr(SB), RODATA, $4
 DATA	·libc_socketpair_trampoline_addr(SB)/4, $libc_socketpair_trampoline<>(SB)
 
 TEXT libc_recvfrom_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_recvfrom(SB)
-
 GLOBL	·libc_recvfrom_trampoline_addr(SB), RODATA, $4
 DATA	·libc_recvfrom_trampoline_addr(SB)/4, $libc_recvfrom_trampoline<>(SB)
 
 TEXT libc_sendto_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_sendto(SB)
-
 GLOBL	·libc_sendto_trampoline_addr(SB), RODATA, $4
 DATA	·libc_sendto_trampoline_addr(SB)/4, $libc_sendto_trampoline<>(SB)
 
 TEXT libc_recvmsg_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_recvmsg(SB)
-
 GLOBL	·libc_recvmsg_trampoline_addr(SB), RODATA, $4
 DATA	·libc_recvmsg_trampoline_addr(SB)/4, $libc_recvmsg_trampoline<>(SB)
 
 TEXT libc_sendmsg_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_sendmsg(SB)
-
 GLOBL	·libc_sendmsg_trampoline_addr(SB), RODATA, $4
 DATA	·libc_sendmsg_trampoline_addr(SB)/4, $libc_sendmsg_trampoline<>(SB)
 
 TEXT libc_kevent_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_kevent(SB)
-
 GLOBL	·libc_kevent_trampoline_addr(SB), RODATA, $4
 DATA	·libc_kevent_trampoline_addr(SB)/4, $libc_kevent_trampoline<>(SB)
 
 TEXT libc_utimes_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_utimes(SB)
-
 GLOBL	·libc_utimes_trampoline_addr(SB), RODATA, $4
 DATA	·libc_utimes_trampoline_addr(SB)/4, $libc_utimes_trampoline<>(SB)
 
 TEXT libc_futimes_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_futimes(SB)
-
 GLOBL	·libc_futimes_trampoline_addr(SB), RODATA, $4
 DATA	·libc_futimes_trampoline_addr(SB)/4, $libc_futimes_trampoline<>(SB)
 
 TEXT libc_poll_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_poll(SB)
-
 GLOBL	·libc_poll_trampoline_addr(SB), RODATA, $4
 DATA	·libc_poll_trampoline_addr(SB)/4, $libc_poll_trampoline<>(SB)
 
 TEXT libc_madvise_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_madvise(SB)
-
 GLOBL	·libc_madvise_trampoline_addr(SB), RODATA, $4
 DATA	·libc_madvise_trampoline_addr(SB)/4, $libc_madvise_trampoline<>(SB)
 
 TEXT libc_mlock_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mlock(SB)
-
 GLOBL	·libc_mlock_trampoline_addr(SB), RODATA, $4
 DATA	·libc_mlock_trampoline_addr(SB)/4, $libc_mlock_trampoline<>(SB)
 
 TEXT libc_mlockall_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mlockall(SB)
-
 GLOBL	·libc_mlockall_trampoline_addr(SB), RODATA, $4
 DATA	·libc_mlockall_trampoline_addr(SB)/4, $libc_mlockall_trampoline<>(SB)
 
 TEXT libc_mprotect_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mprotect(SB)
-
 GLOBL	·libc_mprotect_trampoline_addr(SB), RODATA, $4
 DATA	·libc_mprotect_trampoline_addr(SB)/4, $libc_mprotect_trampoline<>(SB)
 
 TEXT libc_msync_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_msync(SB)
-
 GLOBL	·libc_msync_trampoline_addr(SB), RODATA, $4
 DATA	·libc_msync_trampoline_addr(SB)/4, $libc_msync_trampoline<>(SB)
 
 TEXT libc_munlock_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_munlock(SB)
-
 GLOBL	·libc_munlock_trampoline_addr(SB), RODATA, $4
 DATA	·libc_munlock_trampoline_addr(SB)/4, $libc_munlock_trampoline<>(SB)
 
 TEXT libc_munlockall_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_munlockall(SB)
-
 GLOBL	·libc_munlockall_trampoline_addr(SB), RODATA, $4
 DATA	·libc_munlockall_trampoline_addr(SB)/4, $libc_munlockall_trampoline<>(SB)
 
 TEXT libc_pipe2_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_pipe2(SB)
-
 GLOBL	·libc_pipe2_trampoline_addr(SB), RODATA, $4
 DATA	·libc_pipe2_trampoline_addr(SB)/4, $libc_pipe2_trampoline<>(SB)
 
 TEXT libc_getdents_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getdents(SB)
-
 GLOBL	·libc_getdents_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getdents_trampoline_addr(SB)/4, $libc_getdents_trampoline<>(SB)
 
 TEXT libc_getcwd_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getcwd(SB)
-
 GLOBL	·libc_getcwd_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getcwd_trampoline_addr(SB)/4, $libc_getcwd_trampoline<>(SB)
 
 TEXT libc_ioctl_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_ioctl(SB)
-
 GLOBL	·libc_ioctl_trampoline_addr(SB), RODATA, $4
 DATA	·libc_ioctl_trampoline_addr(SB)/4, $libc_ioctl_trampoline<>(SB)
 
 TEXT libc_sysctl_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_sysctl(SB)
-
 GLOBL	·libc_sysctl_trampoline_addr(SB), RODATA, $4
 DATA	·libc_sysctl_trampoline_addr(SB)/4, $libc_sysctl_trampoline<>(SB)
 
 TEXT libc_ppoll_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_ppoll(SB)
-
 GLOBL	·libc_ppoll_trampoline_addr(SB), RODATA, $4
 DATA	·libc_ppoll_trampoline_addr(SB)/4, $libc_ppoll_trampoline<>(SB)
 
 TEXT libc_access_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_access(SB)
-
 GLOBL	·libc_access_trampoline_addr(SB), RODATA, $4
 DATA	·libc_access_trampoline_addr(SB)/4, $libc_access_trampoline<>(SB)
 
 TEXT libc_adjtime_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_adjtime(SB)
-
 GLOBL	·libc_adjtime_trampoline_addr(SB), RODATA, $4
 DATA	·libc_adjtime_trampoline_addr(SB)/4, $libc_adjtime_trampoline<>(SB)
 
 TEXT libc_chdir_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_chdir(SB)
-
 GLOBL	·libc_chdir_trampoline_addr(SB), RODATA, $4
 DATA	·libc_chdir_trampoline_addr(SB)/4, $libc_chdir_trampoline<>(SB)
 
 TEXT libc_chflags_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_chflags(SB)
-
 GLOBL	·libc_chflags_trampoline_addr(SB), RODATA, $4
 DATA	·libc_chflags_trampoline_addr(SB)/4, $libc_chflags_trampoline<>(SB)
 
 TEXT libc_chmod_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_chmod(SB)
-
 GLOBL	·libc_chmod_trampoline_addr(SB), RODATA, $4
 DATA	·libc_chmod_trampoline_addr(SB)/4, $libc_chmod_trampoline<>(SB)
 
 TEXT libc_chown_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_chown(SB)
-
 GLOBL	·libc_chown_trampoline_addr(SB), RODATA, $4
 DATA	·libc_chown_trampoline_addr(SB)/4, $libc_chown_trampoline<>(SB)
 
 TEXT libc_chroot_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_chroot(SB)
-
 GLOBL	·libc_chroot_trampoline_addr(SB), RODATA, $4
 DATA	·libc_chroot_trampoline_addr(SB)/4, $libc_chroot_trampoline<>(SB)
 
+TEXT libc_clock_gettime_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_clock_gettime(SB)
+GLOBL	·libc_clock_gettime_trampoline_addr(SB), RODATA, $4
+DATA	·libc_clock_gettime_trampoline_addr(SB)/4, $libc_clock_gettime_trampoline<>(SB)
+
 TEXT libc_close_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_close(SB)
-
 GLOBL	·libc_close_trampoline_addr(SB), RODATA, $4
 DATA	·libc_close_trampoline_addr(SB)/4, $libc_close_trampoline<>(SB)
 
 TEXT libc_dup_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_dup(SB)
-
 GLOBL	·libc_dup_trampoline_addr(SB), RODATA, $4
 DATA	·libc_dup_trampoline_addr(SB)/4, $libc_dup_trampoline<>(SB)
 
 TEXT libc_dup2_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_dup2(SB)
-
 GLOBL	·libc_dup2_trampoline_addr(SB), RODATA, $4
 DATA	·libc_dup2_trampoline_addr(SB)/4, $libc_dup2_trampoline<>(SB)
 
 TEXT libc_dup3_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_dup3(SB)
-
 GLOBL	·libc_dup3_trampoline_addr(SB), RODATA, $4
 DATA	·libc_dup3_trampoline_addr(SB)/4, $libc_dup3_trampoline<>(SB)
 
 TEXT libc_exit_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_exit(SB)
-
 GLOBL	·libc_exit_trampoline_addr(SB), RODATA, $4
 DATA	·libc_exit_trampoline_addr(SB)/4, $libc_exit_trampoline<>(SB)
 
 TEXT libc_faccessat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_faccessat(SB)
-
 GLOBL	·libc_faccessat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_faccessat_trampoline_addr(SB)/4, $libc_faccessat_trampoline<>(SB)
 
 TEXT libc_fchdir_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fchdir(SB)
-
 GLOBL	·libc_fchdir_trampoline_addr(SB), RODATA, $4
 DATA	·libc_fchdir_trampoline_addr(SB)/4, $libc_fchdir_trampoline<>(SB)
 
 TEXT libc_fchflags_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fchflags(SB)
-
 GLOBL	·libc_fchflags_trampoline_addr(SB), RODATA, $4
 DATA	·libc_fchflags_trampoline_addr(SB)/4, $libc_fchflags_trampoline<>(SB)
 
 TEXT libc_fchmod_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fchmod(SB)
-
 GLOBL	·libc_fchmod_trampoline_addr(SB), RODATA, $4
 DATA	·libc_fchmod_trampoline_addr(SB)/4, $libc_fchmod_trampoline<>(SB)
 
 TEXT libc_fchmodat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fchmodat(SB)
-
 GLOBL	·libc_fchmodat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_fchmodat_trampoline_addr(SB)/4, $libc_fchmodat_trampoline<>(SB)
 
 TEXT libc_fchown_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fchown(SB)
-
 GLOBL	·libc_fchown_trampoline_addr(SB), RODATA, $4
 DATA	·libc_fchown_trampoline_addr(SB)/4, $libc_fchown_trampoline<>(SB)
 
 TEXT libc_fchownat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fchownat(SB)
-
 GLOBL	·libc_fchownat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_fchownat_trampoline_addr(SB)/4, $libc_fchownat_trampoline<>(SB)
 
 TEXT libc_flock_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_flock(SB)
-
 GLOBL	·libc_flock_trampoline_addr(SB), RODATA, $4
 DATA	·libc_flock_trampoline_addr(SB)/4, $libc_flock_trampoline<>(SB)
 
 TEXT libc_fpathconf_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fpathconf(SB)
-
 GLOBL	·libc_fpathconf_trampoline_addr(SB), RODATA, $4
 DATA	·libc_fpathconf_trampoline_addr(SB)/4, $libc_fpathconf_trampoline<>(SB)
 
 TEXT libc_fstat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fstat(SB)
-
 GLOBL	·libc_fstat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_fstat_trampoline_addr(SB)/4, $libc_fstat_trampoline<>(SB)
 
 TEXT libc_fstatat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fstatat(SB)
-
 GLOBL	·libc_fstatat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_fstatat_trampoline_addr(SB)/4, $libc_fstatat_trampoline<>(SB)
 
 TEXT libc_fstatfs_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fstatfs(SB)
-
 GLOBL	·libc_fstatfs_trampoline_addr(SB), RODATA, $4
 DATA	·libc_fstatfs_trampoline_addr(SB)/4, $libc_fstatfs_trampoline<>(SB)
 
 TEXT libc_fsync_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fsync(SB)
-
 GLOBL	·libc_fsync_trampoline_addr(SB), RODATA, $4
 DATA	·libc_fsync_trampoline_addr(SB)/4, $libc_fsync_trampoline<>(SB)
 
 TEXT libc_ftruncate_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_ftruncate(SB)
-
 GLOBL	·libc_ftruncate_trampoline_addr(SB), RODATA, $4
 DATA	·libc_ftruncate_trampoline_addr(SB)/4, $libc_ftruncate_trampoline<>(SB)
 
 TEXT libc_getegid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getegid(SB)
-
 GLOBL	·libc_getegid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getegid_trampoline_addr(SB)/4, $libc_getegid_trampoline<>(SB)
 
 TEXT libc_geteuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_geteuid(SB)
-
 GLOBL	·libc_geteuid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_geteuid_trampoline_addr(SB)/4, $libc_geteuid_trampoline<>(SB)
 
 TEXT libc_getgid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getgid(SB)
-
 GLOBL	·libc_getgid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getgid_trampoline_addr(SB)/4, $libc_getgid_trampoline<>(SB)
 
 TEXT libc_getpgid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getpgid(SB)
-
 GLOBL	·libc_getpgid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getpgid_trampoline_addr(SB)/4, $libc_getpgid_trampoline<>(SB)
 
 TEXT libc_getpgrp_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getpgrp(SB)
-
 GLOBL	·libc_getpgrp_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getpgrp_trampoline_addr(SB)/4, $libc_getpgrp_trampoline<>(SB)
 
 TEXT libc_getpid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getpid(SB)
-
 GLOBL	·libc_getpid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getpid_trampoline_addr(SB)/4, $libc_getpid_trampoline<>(SB)
 
 TEXT libc_getppid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getppid(SB)
-
 GLOBL	·libc_getppid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getppid_trampoline_addr(SB)/4, $libc_getppid_trampoline<>(SB)
 
 TEXT libc_getpriority_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getpriority(SB)
-
 GLOBL	·libc_getpriority_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getpriority_trampoline_addr(SB)/4, $libc_getpriority_trampoline<>(SB)
 
 TEXT libc_getrlimit_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getrlimit(SB)
-
 GLOBL	·libc_getrlimit_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getrlimit_trampoline_addr(SB)/4, $libc_getrlimit_trampoline<>(SB)
 
 TEXT libc_getrtable_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getrtable(SB)
-
 GLOBL	·libc_getrtable_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getrtable_trampoline_addr(SB)/4, $libc_getrtable_trampoline<>(SB)
 
 TEXT libc_getrusage_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getrusage(SB)
-
 GLOBL	·libc_getrusage_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getrusage_trampoline_addr(SB)/4, $libc_getrusage_trampoline<>(SB)
 
 TEXT libc_getsid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getsid(SB)
-
 GLOBL	·libc_getsid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getsid_trampoline_addr(SB)/4, $libc_getsid_trampoline<>(SB)
 
 TEXT libc_gettimeofday_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_gettimeofday(SB)
-
 GLOBL	·libc_gettimeofday_trampoline_addr(SB), RODATA, $4
 DATA	·libc_gettimeofday_trampoline_addr(SB)/4, $libc_gettimeofday_trampoline<>(SB)
 
 TEXT libc_getuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getuid(SB)
-
 GLOBL	·libc_getuid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getuid_trampoline_addr(SB)/4, $libc_getuid_trampoline<>(SB)
 
 TEXT libc_issetugid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_issetugid(SB)
-
 GLOBL	·libc_issetugid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_issetugid_trampoline_addr(SB)/4, $libc_issetugid_trampoline<>(SB)
 
 TEXT libc_kill_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_kill(SB)
-
 GLOBL	·libc_kill_trampoline_addr(SB), RODATA, $4
 DATA	·libc_kill_trampoline_addr(SB)/4, $libc_kill_trampoline<>(SB)
 
 TEXT libc_kqueue_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_kqueue(SB)
-
 GLOBL	·libc_kqueue_trampoline_addr(SB), RODATA, $4
 DATA	·libc_kqueue_trampoline_addr(SB)/4, $libc_kqueue_trampoline<>(SB)
 
 TEXT libc_lchown_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_lchown(SB)
-
 GLOBL	·libc_lchown_trampoline_addr(SB), RODATA, $4
 DATA	·libc_lchown_trampoline_addr(SB)/4, $libc_lchown_trampoline<>(SB)
 
 TEXT libc_link_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_link(SB)
-
 GLOBL	·libc_link_trampoline_addr(SB), RODATA, $4
 DATA	·libc_link_trampoline_addr(SB)/4, $libc_link_trampoline<>(SB)
 
 TEXT libc_linkat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_linkat(SB)
-
 GLOBL	·libc_linkat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_linkat_trampoline_addr(SB)/4, $libc_linkat_trampoline<>(SB)
 
 TEXT libc_listen_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_listen(SB)
-
 GLOBL	·libc_listen_trampoline_addr(SB), RODATA, $4
 DATA	·libc_listen_trampoline_addr(SB)/4, $libc_listen_trampoline<>(SB)
 
 TEXT libc_lstat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_lstat(SB)
-
 GLOBL	·libc_lstat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_lstat_trampoline_addr(SB)/4, $libc_lstat_trampoline<>(SB)
 
 TEXT libc_mkdir_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mkdir(SB)
-
 GLOBL	·libc_mkdir_trampoline_addr(SB), RODATA, $4
 DATA	·libc_mkdir_trampoline_addr(SB)/4, $libc_mkdir_trampoline<>(SB)
 
 TEXT libc_mkdirat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mkdirat(SB)
-
 GLOBL	·libc_mkdirat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_mkdirat_trampoline_addr(SB)/4, $libc_mkdirat_trampoline<>(SB)
 
 TEXT libc_mkfifo_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mkfifo(SB)
-
 GLOBL	·libc_mkfifo_trampoline_addr(SB), RODATA, $4
 DATA	·libc_mkfifo_trampoline_addr(SB)/4, $libc_mkfifo_trampoline<>(SB)
 
 TEXT libc_mkfifoat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mkfifoat(SB)
-
 GLOBL	·libc_mkfifoat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_mkfifoat_trampoline_addr(SB)/4, $libc_mkfifoat_trampoline<>(SB)
 
 TEXT libc_mknod_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mknod(SB)
-
 GLOBL	·libc_mknod_trampoline_addr(SB), RODATA, $4
 DATA	·libc_mknod_trampoline_addr(SB)/4, $libc_mknod_trampoline<>(SB)
 
 TEXT libc_mknodat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mknodat(SB)
-
 GLOBL	·libc_mknodat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_mknodat_trampoline_addr(SB)/4, $libc_mknodat_trampoline<>(SB)
 
 TEXT libc_nanosleep_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_nanosleep(SB)
-
 GLOBL	·libc_nanosleep_trampoline_addr(SB), RODATA, $4
 DATA	·libc_nanosleep_trampoline_addr(SB)/4, $libc_nanosleep_trampoline<>(SB)
 
 TEXT libc_open_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_open(SB)
-
 GLOBL	·libc_open_trampoline_addr(SB), RODATA, $4
 DATA	·libc_open_trampoline_addr(SB)/4, $libc_open_trampoline<>(SB)
 
 TEXT libc_openat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_openat(SB)
-
 GLOBL	·libc_openat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_openat_trampoline_addr(SB)/4, $libc_openat_trampoline<>(SB)
 
 TEXT libc_pathconf_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_pathconf(SB)
-
 GLOBL	·libc_pathconf_trampoline_addr(SB), RODATA, $4
 DATA	·libc_pathconf_trampoline_addr(SB)/4, $libc_pathconf_trampoline<>(SB)
 
 TEXT libc_pread_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_pread(SB)
-
 GLOBL	·libc_pread_trampoline_addr(SB), RODATA, $4
 DATA	·libc_pread_trampoline_addr(SB)/4, $libc_pread_trampoline<>(SB)
 
 TEXT libc_pwrite_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_pwrite(SB)
-
 GLOBL	·libc_pwrite_trampoline_addr(SB), RODATA, $4
 DATA	·libc_pwrite_trampoline_addr(SB)/4, $libc_pwrite_trampoline<>(SB)
 
 TEXT libc_read_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_read(SB)
-
 GLOBL	·libc_read_trampoline_addr(SB), RODATA, $4
 DATA	·libc_read_trampoline_addr(SB)/4, $libc_read_trampoline<>(SB)
 
 TEXT libc_readlink_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_readlink(SB)
-
 GLOBL	·libc_readlink_trampoline_addr(SB), RODATA, $4
 DATA	·libc_readlink_trampoline_addr(SB)/4, $libc_readlink_trampoline<>(SB)
 
 TEXT libc_readlinkat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_readlinkat(SB)
-
 GLOBL	·libc_readlinkat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_readlinkat_trampoline_addr(SB)/4, $libc_readlinkat_trampoline<>(SB)
 
 TEXT libc_rename_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_rename(SB)
-
 GLOBL	·libc_rename_trampoline_addr(SB), RODATA, $4
 DATA	·libc_rename_trampoline_addr(SB)/4, $libc_rename_trampoline<>(SB)
 
 TEXT libc_renameat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_renameat(SB)
-
 GLOBL	·libc_renameat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_renameat_trampoline_addr(SB)/4, $libc_renameat_trampoline<>(SB)
 
 TEXT libc_revoke_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_revoke(SB)
-
 GLOBL	·libc_revoke_trampoline_addr(SB), RODATA, $4
 DATA	·libc_revoke_trampoline_addr(SB)/4, $libc_revoke_trampoline<>(SB)
 
 TEXT libc_rmdir_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_rmdir(SB)
-
 GLOBL	·libc_rmdir_trampoline_addr(SB), RODATA, $4
 DATA	·libc_rmdir_trampoline_addr(SB)/4, $libc_rmdir_trampoline<>(SB)
 
 TEXT libc_lseek_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_lseek(SB)
-
 GLOBL	·libc_lseek_trampoline_addr(SB), RODATA, $4
 DATA	·libc_lseek_trampoline_addr(SB)/4, $libc_lseek_trampoline<>(SB)
 
 TEXT libc_select_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_select(SB)
-
 GLOBL	·libc_select_trampoline_addr(SB), RODATA, $4
 DATA	·libc_select_trampoline_addr(SB)/4, $libc_select_trampoline<>(SB)
 
 TEXT libc_setegid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setegid(SB)
-
 GLOBL	·libc_setegid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_setegid_trampoline_addr(SB)/4, $libc_setegid_trampoline<>(SB)
 
 TEXT libc_seteuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_seteuid(SB)
-
 GLOBL	·libc_seteuid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_seteuid_trampoline_addr(SB)/4, $libc_seteuid_trampoline<>(SB)
 
 TEXT libc_setgid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setgid(SB)
-
 GLOBL	·libc_setgid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_setgid_trampoline_addr(SB)/4, $libc_setgid_trampoline<>(SB)
 
 TEXT libc_setlogin_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setlogin(SB)
-
 GLOBL	·libc_setlogin_trampoline_addr(SB), RODATA, $4
 DATA	·libc_setlogin_trampoline_addr(SB)/4, $libc_setlogin_trampoline<>(SB)
 
 TEXT libc_setpgid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setpgid(SB)
-
 GLOBL	·libc_setpgid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_setpgid_trampoline_addr(SB)/4, $libc_setpgid_trampoline<>(SB)
 
 TEXT libc_setpriority_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setpriority(SB)
-
 GLOBL	·libc_setpriority_trampoline_addr(SB), RODATA, $4
 DATA	·libc_setpriority_trampoline_addr(SB)/4, $libc_setpriority_trampoline<>(SB)
 
 TEXT libc_setregid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setregid(SB)
-
 GLOBL	·libc_setregid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_setregid_trampoline_addr(SB)/4, $libc_setregid_trampoline<>(SB)
 
 TEXT libc_setreuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setreuid(SB)
-
 GLOBL	·libc_setreuid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_setreuid_trampoline_addr(SB)/4, $libc_setreuid_trampoline<>(SB)
 
 TEXT libc_setresgid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setresgid(SB)
-
 GLOBL	·libc_setresgid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_setresgid_trampoline_addr(SB)/4, $libc_setresgid_trampoline<>(SB)
 
 TEXT libc_setresuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setresuid(SB)
-
 GLOBL	·libc_setresuid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_setresuid_trampoline_addr(SB)/4, $libc_setresuid_trampoline<>(SB)
 
 TEXT libc_setrlimit_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setrlimit(SB)
-
 GLOBL	·libc_setrlimit_trampoline_addr(SB), RODATA, $4
 DATA	·libc_setrlimit_trampoline_addr(SB)/4, $libc_setrlimit_trampoline<>(SB)
 
 TEXT libc_setrtable_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setrtable(SB)
-
 GLOBL	·libc_setrtable_trampoline_addr(SB), RODATA, $4
 DATA	·libc_setrtable_trampoline_addr(SB)/4, $libc_setrtable_trampoline<>(SB)
 
 TEXT libc_setsid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setsid(SB)
-
 GLOBL	·libc_setsid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_setsid_trampoline_addr(SB)/4, $libc_setsid_trampoline<>(SB)
 
 TEXT libc_settimeofday_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_settimeofday(SB)
-
 GLOBL	·libc_settimeofday_trampoline_addr(SB), RODATA, $4
 DATA	·libc_settimeofday_trampoline_addr(SB)/4, $libc_settimeofday_trampoline<>(SB)
 
 TEXT libc_setuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setuid(SB)
-
 GLOBL	·libc_setuid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_setuid_trampoline_addr(SB)/4, $libc_setuid_trampoline<>(SB)
 
 TEXT libc_stat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_stat(SB)
-
 GLOBL	·libc_stat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_stat_trampoline_addr(SB)/4, $libc_stat_trampoline<>(SB)
 
 TEXT libc_statfs_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_statfs(SB)
-
 GLOBL	·libc_statfs_trampoline_addr(SB), RODATA, $4
 DATA	·libc_statfs_trampoline_addr(SB)/4, $libc_statfs_trampoline<>(SB)
 
 TEXT libc_symlink_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_symlink(SB)
-
 GLOBL	·libc_symlink_trampoline_addr(SB), RODATA, $4
 DATA	·libc_symlink_trampoline_addr(SB)/4, $libc_symlink_trampoline<>(SB)
 
 TEXT libc_symlinkat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_symlinkat(SB)
-
 GLOBL	·libc_symlinkat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_symlinkat_trampoline_addr(SB)/4, $libc_symlinkat_trampoline<>(SB)
 
 TEXT libc_sync_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_sync(SB)
-
 GLOBL	·libc_sync_trampoline_addr(SB), RODATA, $4
 DATA	·libc_sync_trampoline_addr(SB)/4, $libc_sync_trampoline<>(SB)
 
 TEXT libc_truncate_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_truncate(SB)
-
 GLOBL	·libc_truncate_trampoline_addr(SB), RODATA, $4
 DATA	·libc_truncate_trampoline_addr(SB)/4, $libc_truncate_trampoline<>(SB)
 
 TEXT libc_umask_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_umask(SB)
-
 GLOBL	·libc_umask_trampoline_addr(SB), RODATA, $4
 DATA	·libc_umask_trampoline_addr(SB)/4, $libc_umask_trampoline<>(SB)
 
 TEXT libc_unlink_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_unlink(SB)
-
 GLOBL	·libc_unlink_trampoline_addr(SB), RODATA, $4
 DATA	·libc_unlink_trampoline_addr(SB)/4, $libc_unlink_trampoline<>(SB)
 
 TEXT libc_unlinkat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_unlinkat(SB)
-
 GLOBL	·libc_unlinkat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_unlinkat_trampoline_addr(SB)/4, $libc_unlinkat_trampoline<>(SB)
 
 TEXT libc_unmount_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_unmount(SB)
-
 GLOBL	·libc_unmount_trampoline_addr(SB), RODATA, $4
 DATA	·libc_unmount_trampoline_addr(SB)/4, $libc_unmount_trampoline<>(SB)
 
 TEXT libc_write_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_write(SB)
-
 GLOBL	·libc_write_trampoline_addr(SB), RODATA, $4
 DATA	·libc_write_trampoline_addr(SB)/4, $libc_write_trampoline<>(SB)
 
 TEXT libc_mmap_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mmap(SB)
-
 GLOBL	·libc_mmap_trampoline_addr(SB), RODATA, $4
 DATA	·libc_mmap_trampoline_addr(SB)/4, $libc_mmap_trampoline<>(SB)
 
 TEXT libc_munmap_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_munmap(SB)
-
 GLOBL	·libc_munmap_trampoline_addr(SB), RODATA, $4
 DATA	·libc_munmap_trampoline_addr(SB)/4, $libc_munmap_trampoline<>(SB)
 
 TEXT libc_utimensat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_utimensat(SB)
-
 GLOBL	·libc_utimensat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_utimensat_trampoline_addr(SB)/4, $libc_utimensat_trampoline<>(SB)
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.go b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.go
index 800aab6e3..048b2655e 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.go
@@ -696,6 +696,20 @@ var libc_chroot_trampoline_addr uintptr
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func ClockGettime(clockid int32, time *Timespec) (err error) {
+	_, _, e1 := syscall_syscall(libc_clock_gettime_trampoline_addr, uintptr(clockid), uintptr(unsafe.Pointer(time)), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_clock_gettime_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_clock_gettime clock_gettime "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Close(fd int) (err error) {
 	_, _, e1 := syscall_syscall(libc_close_trampoline_addr, uintptr(fd), 0, 0)
 	if e1 != 0 {
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.s b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.s
index 4efeff9ab..484bb42e0 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.s
+++ b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.s
@@ -5,792 +5,665 @@
 
 TEXT libc_getgroups_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getgroups(SB)
-
 GLOBL	·libc_getgroups_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getgroups_trampoline_addr(SB)/8, $libc_getgroups_trampoline<>(SB)
 
 TEXT libc_setgroups_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setgroups(SB)
-
 GLOBL	·libc_setgroups_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setgroups_trampoline_addr(SB)/8, $libc_setgroups_trampoline<>(SB)
 
 TEXT libc_wait4_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_wait4(SB)
-
 GLOBL	·libc_wait4_trampoline_addr(SB), RODATA, $8
 DATA	·libc_wait4_trampoline_addr(SB)/8, $libc_wait4_trampoline<>(SB)
 
 TEXT libc_accept_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_accept(SB)
-
 GLOBL	·libc_accept_trampoline_addr(SB), RODATA, $8
 DATA	·libc_accept_trampoline_addr(SB)/8, $libc_accept_trampoline<>(SB)
 
 TEXT libc_bind_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_bind(SB)
-
 GLOBL	·libc_bind_trampoline_addr(SB), RODATA, $8
 DATA	·libc_bind_trampoline_addr(SB)/8, $libc_bind_trampoline<>(SB)
 
 TEXT libc_connect_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_connect(SB)
-
 GLOBL	·libc_connect_trampoline_addr(SB), RODATA, $8
 DATA	·libc_connect_trampoline_addr(SB)/8, $libc_connect_trampoline<>(SB)
 
 TEXT libc_socket_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_socket(SB)
-
 GLOBL	·libc_socket_trampoline_addr(SB), RODATA, $8
 DATA	·libc_socket_trampoline_addr(SB)/8, $libc_socket_trampoline<>(SB)
 
 TEXT libc_getsockopt_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getsockopt(SB)
-
 GLOBL	·libc_getsockopt_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getsockopt_trampoline_addr(SB)/8, $libc_getsockopt_trampoline<>(SB)
 
 TEXT libc_setsockopt_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setsockopt(SB)
-
 GLOBL	·libc_setsockopt_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setsockopt_trampoline_addr(SB)/8, $libc_setsockopt_trampoline<>(SB)
 
 TEXT libc_getpeername_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getpeername(SB)
-
 GLOBL	·libc_getpeername_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getpeername_trampoline_addr(SB)/8, $libc_getpeername_trampoline<>(SB)
 
 TEXT libc_getsockname_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getsockname(SB)
-
 GLOBL	·libc_getsockname_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getsockname_trampoline_addr(SB)/8, $libc_getsockname_trampoline<>(SB)
 
 TEXT libc_shutdown_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_shutdown(SB)
-
 GLOBL	·libc_shutdown_trampoline_addr(SB), RODATA, $8
 DATA	·libc_shutdown_trampoline_addr(SB)/8, $libc_shutdown_trampoline<>(SB)
 
 TEXT libc_socketpair_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_socketpair(SB)
-
 GLOBL	·libc_socketpair_trampoline_addr(SB), RODATA, $8
 DATA	·libc_socketpair_trampoline_addr(SB)/8, $libc_socketpair_trampoline<>(SB)
 
 TEXT libc_recvfrom_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_recvfrom(SB)
-
 GLOBL	·libc_recvfrom_trampoline_addr(SB), RODATA, $8
 DATA	·libc_recvfrom_trampoline_addr(SB)/8, $libc_recvfrom_trampoline<>(SB)
 
 TEXT libc_sendto_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_sendto(SB)
-
 GLOBL	·libc_sendto_trampoline_addr(SB), RODATA, $8
 DATA	·libc_sendto_trampoline_addr(SB)/8, $libc_sendto_trampoline<>(SB)
 
 TEXT libc_recvmsg_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_recvmsg(SB)
-
 GLOBL	·libc_recvmsg_trampoline_addr(SB), RODATA, $8
 DATA	·libc_recvmsg_trampoline_addr(SB)/8, $libc_recvmsg_trampoline<>(SB)
 
 TEXT libc_sendmsg_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_sendmsg(SB)
-
 GLOBL	·libc_sendmsg_trampoline_addr(SB), RODATA, $8
 DATA	·libc_sendmsg_trampoline_addr(SB)/8, $libc_sendmsg_trampoline<>(SB)
 
 TEXT libc_kevent_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_kevent(SB)
-
 GLOBL	·libc_kevent_trampoline_addr(SB), RODATA, $8
 DATA	·libc_kevent_trampoline_addr(SB)/8, $libc_kevent_trampoline<>(SB)
 
 TEXT libc_utimes_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_utimes(SB)
-
 GLOBL	·libc_utimes_trampoline_addr(SB), RODATA, $8
 DATA	·libc_utimes_trampoline_addr(SB)/8, $libc_utimes_trampoline<>(SB)
 
 TEXT libc_futimes_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_futimes(SB)
-
 GLOBL	·libc_futimes_trampoline_addr(SB), RODATA, $8
 DATA	·libc_futimes_trampoline_addr(SB)/8, $libc_futimes_trampoline<>(SB)
 
 TEXT libc_poll_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_poll(SB)
-
 GLOBL	·libc_poll_trampoline_addr(SB), RODATA, $8
 DATA	·libc_poll_trampoline_addr(SB)/8, $libc_poll_trampoline<>(SB)
 
 TEXT libc_madvise_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_madvise(SB)
-
 GLOBL	·libc_madvise_trampoline_addr(SB), RODATA, $8
 DATA	·libc_madvise_trampoline_addr(SB)/8, $libc_madvise_trampoline<>(SB)
 
 TEXT libc_mlock_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mlock(SB)
-
 GLOBL	·libc_mlock_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mlock_trampoline_addr(SB)/8, $libc_mlock_trampoline<>(SB)
 
 TEXT libc_mlockall_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mlockall(SB)
-
 GLOBL	·libc_mlockall_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mlockall_trampoline_addr(SB)/8, $libc_mlockall_trampoline<>(SB)
 
 TEXT libc_mprotect_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mprotect(SB)
-
 GLOBL	·libc_mprotect_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mprotect_trampoline_addr(SB)/8, $libc_mprotect_trampoline<>(SB)
 
 TEXT libc_msync_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_msync(SB)
-
 GLOBL	·libc_msync_trampoline_addr(SB), RODATA, $8
 DATA	·libc_msync_trampoline_addr(SB)/8, $libc_msync_trampoline<>(SB)
 
 TEXT libc_munlock_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_munlock(SB)
-
 GLOBL	·libc_munlock_trampoline_addr(SB), RODATA, $8
 DATA	·libc_munlock_trampoline_addr(SB)/8, $libc_munlock_trampoline<>(SB)
 
 TEXT libc_munlockall_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_munlockall(SB)
-
 GLOBL	·libc_munlockall_trampoline_addr(SB), RODATA, $8
 DATA	·libc_munlockall_trampoline_addr(SB)/8, $libc_munlockall_trampoline<>(SB)
 
 TEXT libc_pipe2_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_pipe2(SB)
-
 GLOBL	·libc_pipe2_trampoline_addr(SB), RODATA, $8
 DATA	·libc_pipe2_trampoline_addr(SB)/8, $libc_pipe2_trampoline<>(SB)
 
 TEXT libc_getdents_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getdents(SB)
-
 GLOBL	·libc_getdents_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getdents_trampoline_addr(SB)/8, $libc_getdents_trampoline<>(SB)
 
 TEXT libc_getcwd_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getcwd(SB)
-
 GLOBL	·libc_getcwd_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getcwd_trampoline_addr(SB)/8, $libc_getcwd_trampoline<>(SB)
 
 TEXT libc_ioctl_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_ioctl(SB)
-
 GLOBL	·libc_ioctl_trampoline_addr(SB), RODATA, $8
 DATA	·libc_ioctl_trampoline_addr(SB)/8, $libc_ioctl_trampoline<>(SB)
 
 TEXT libc_sysctl_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_sysctl(SB)
-
 GLOBL	·libc_sysctl_trampoline_addr(SB), RODATA, $8
 DATA	·libc_sysctl_trampoline_addr(SB)/8, $libc_sysctl_trampoline<>(SB)
 
 TEXT libc_ppoll_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_ppoll(SB)
-
 GLOBL	·libc_ppoll_trampoline_addr(SB), RODATA, $8
 DATA	·libc_ppoll_trampoline_addr(SB)/8, $libc_ppoll_trampoline<>(SB)
 
 TEXT libc_access_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_access(SB)
-
 GLOBL	·libc_access_trampoline_addr(SB), RODATA, $8
 DATA	·libc_access_trampoline_addr(SB)/8, $libc_access_trampoline<>(SB)
 
 TEXT libc_adjtime_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_adjtime(SB)
-
 GLOBL	·libc_adjtime_trampoline_addr(SB), RODATA, $8
 DATA	·libc_adjtime_trampoline_addr(SB)/8, $libc_adjtime_trampoline<>(SB)
 
 TEXT libc_chdir_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_chdir(SB)
-
 GLOBL	·libc_chdir_trampoline_addr(SB), RODATA, $8
 DATA	·libc_chdir_trampoline_addr(SB)/8, $libc_chdir_trampoline<>(SB)
 
 TEXT libc_chflags_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_chflags(SB)
-
 GLOBL	·libc_chflags_trampoline_addr(SB), RODATA, $8
 DATA	·libc_chflags_trampoline_addr(SB)/8, $libc_chflags_trampoline<>(SB)
 
 TEXT libc_chmod_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_chmod(SB)
-
 GLOBL	·libc_chmod_trampoline_addr(SB), RODATA, $8
 DATA	·libc_chmod_trampoline_addr(SB)/8, $libc_chmod_trampoline<>(SB)
 
 TEXT libc_chown_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_chown(SB)
-
 GLOBL	·libc_chown_trampoline_addr(SB), RODATA, $8
 DATA	·libc_chown_trampoline_addr(SB)/8, $libc_chown_trampoline<>(SB)
 
 TEXT libc_chroot_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_chroot(SB)
-
 GLOBL	·libc_chroot_trampoline_addr(SB), RODATA, $8
 DATA	·libc_chroot_trampoline_addr(SB)/8, $libc_chroot_trampoline<>(SB)
 
+TEXT libc_clock_gettime_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_clock_gettime(SB)
+GLOBL	·libc_clock_gettime_trampoline_addr(SB), RODATA, $8
+DATA	·libc_clock_gettime_trampoline_addr(SB)/8, $libc_clock_gettime_trampoline<>(SB)
+
 TEXT libc_close_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_close(SB)
-
 GLOBL	·libc_close_trampoline_addr(SB), RODATA, $8
 DATA	·libc_close_trampoline_addr(SB)/8, $libc_close_trampoline<>(SB)
 
 TEXT libc_dup_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_dup(SB)
-
 GLOBL	·libc_dup_trampoline_addr(SB), RODATA, $8
 DATA	·libc_dup_trampoline_addr(SB)/8, $libc_dup_trampoline<>(SB)
 
 TEXT libc_dup2_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_dup2(SB)
-
 GLOBL	·libc_dup2_trampoline_addr(SB), RODATA, $8
 DATA	·libc_dup2_trampoline_addr(SB)/8, $libc_dup2_trampoline<>(SB)
 
 TEXT libc_dup3_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_dup3(SB)
-
 GLOBL	·libc_dup3_trampoline_addr(SB), RODATA, $8
 DATA	·libc_dup3_trampoline_addr(SB)/8, $libc_dup3_trampoline<>(SB)
 
 TEXT libc_exit_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_exit(SB)
-
 GLOBL	·libc_exit_trampoline_addr(SB), RODATA, $8
 DATA	·libc_exit_trampoline_addr(SB)/8, $libc_exit_trampoline<>(SB)
 
 TEXT libc_faccessat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_faccessat(SB)
-
 GLOBL	·libc_faccessat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_faccessat_trampoline_addr(SB)/8, $libc_faccessat_trampoline<>(SB)
 
 TEXT libc_fchdir_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fchdir(SB)
-
 GLOBL	·libc_fchdir_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fchdir_trampoline_addr(SB)/8, $libc_fchdir_trampoline<>(SB)
 
 TEXT libc_fchflags_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fchflags(SB)
-
 GLOBL	·libc_fchflags_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fchflags_trampoline_addr(SB)/8, $libc_fchflags_trampoline<>(SB)
 
 TEXT libc_fchmod_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fchmod(SB)
-
 GLOBL	·libc_fchmod_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fchmod_trampoline_addr(SB)/8, $libc_fchmod_trampoline<>(SB)
 
 TEXT libc_fchmodat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fchmodat(SB)
-
 GLOBL	·libc_fchmodat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fchmodat_trampoline_addr(SB)/8, $libc_fchmodat_trampoline<>(SB)
 
 TEXT libc_fchown_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fchown(SB)
-
 GLOBL	·libc_fchown_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fchown_trampoline_addr(SB)/8, $libc_fchown_trampoline<>(SB)
 
 TEXT libc_fchownat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fchownat(SB)
-
 GLOBL	·libc_fchownat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fchownat_trampoline_addr(SB)/8, $libc_fchownat_trampoline<>(SB)
 
 TEXT libc_flock_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_flock(SB)
-
 GLOBL	·libc_flock_trampoline_addr(SB), RODATA, $8
 DATA	·libc_flock_trampoline_addr(SB)/8, $libc_flock_trampoline<>(SB)
 
 TEXT libc_fpathconf_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fpathconf(SB)
-
 GLOBL	·libc_fpathconf_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fpathconf_trampoline_addr(SB)/8, $libc_fpathconf_trampoline<>(SB)
 
 TEXT libc_fstat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fstat(SB)
-
 GLOBL	·libc_fstat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fstat_trampoline_addr(SB)/8, $libc_fstat_trampoline<>(SB)
 
 TEXT libc_fstatat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fstatat(SB)
-
 GLOBL	·libc_fstatat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fstatat_trampoline_addr(SB)/8, $libc_fstatat_trampoline<>(SB)
 
 TEXT libc_fstatfs_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fstatfs(SB)
-
 GLOBL	·libc_fstatfs_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fstatfs_trampoline_addr(SB)/8, $libc_fstatfs_trampoline<>(SB)
 
 TEXT libc_fsync_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fsync(SB)
-
 GLOBL	·libc_fsync_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fsync_trampoline_addr(SB)/8, $libc_fsync_trampoline<>(SB)
 
 TEXT libc_ftruncate_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_ftruncate(SB)
-
 GLOBL	·libc_ftruncate_trampoline_addr(SB), RODATA, $8
 DATA	·libc_ftruncate_trampoline_addr(SB)/8, $libc_ftruncate_trampoline<>(SB)
 
 TEXT libc_getegid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getegid(SB)
-
 GLOBL	·libc_getegid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getegid_trampoline_addr(SB)/8, $libc_getegid_trampoline<>(SB)
 
 TEXT libc_geteuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_geteuid(SB)
-
 GLOBL	·libc_geteuid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_geteuid_trampoline_addr(SB)/8, $libc_geteuid_trampoline<>(SB)
 
 TEXT libc_getgid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getgid(SB)
-
 GLOBL	·libc_getgid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getgid_trampoline_addr(SB)/8, $libc_getgid_trampoline<>(SB)
 
 TEXT libc_getpgid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getpgid(SB)
-
 GLOBL	·libc_getpgid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getpgid_trampoline_addr(SB)/8, $libc_getpgid_trampoline<>(SB)
 
 TEXT libc_getpgrp_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getpgrp(SB)
-
 GLOBL	·libc_getpgrp_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getpgrp_trampoline_addr(SB)/8, $libc_getpgrp_trampoline<>(SB)
 
 TEXT libc_getpid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getpid(SB)
-
 GLOBL	·libc_getpid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getpid_trampoline_addr(SB)/8, $libc_getpid_trampoline<>(SB)
 
 TEXT libc_getppid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getppid(SB)
-
 GLOBL	·libc_getppid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getppid_trampoline_addr(SB)/8, $libc_getppid_trampoline<>(SB)
 
 TEXT libc_getpriority_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getpriority(SB)
-
 GLOBL	·libc_getpriority_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getpriority_trampoline_addr(SB)/8, $libc_getpriority_trampoline<>(SB)
 
 TEXT libc_getrlimit_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getrlimit(SB)
-
 GLOBL	·libc_getrlimit_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getrlimit_trampoline_addr(SB)/8, $libc_getrlimit_trampoline<>(SB)
 
 TEXT libc_getrtable_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getrtable(SB)
-
 GLOBL	·libc_getrtable_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getrtable_trampoline_addr(SB)/8, $libc_getrtable_trampoline<>(SB)
 
 TEXT libc_getrusage_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getrusage(SB)
-
 GLOBL	·libc_getrusage_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getrusage_trampoline_addr(SB)/8, $libc_getrusage_trampoline<>(SB)
 
 TEXT libc_getsid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getsid(SB)
-
 GLOBL	·libc_getsid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getsid_trampoline_addr(SB)/8, $libc_getsid_trampoline<>(SB)
 
 TEXT libc_gettimeofday_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_gettimeofday(SB)
-
 GLOBL	·libc_gettimeofday_trampoline_addr(SB), RODATA, $8
 DATA	·libc_gettimeofday_trampoline_addr(SB)/8, $libc_gettimeofday_trampoline<>(SB)
 
 TEXT libc_getuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getuid(SB)
-
 GLOBL	·libc_getuid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getuid_trampoline_addr(SB)/8, $libc_getuid_trampoline<>(SB)
 
 TEXT libc_issetugid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_issetugid(SB)
-
 GLOBL	·libc_issetugid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_issetugid_trampoline_addr(SB)/8, $libc_issetugid_trampoline<>(SB)
 
 TEXT libc_kill_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_kill(SB)
-
 GLOBL	·libc_kill_trampoline_addr(SB), RODATA, $8
 DATA	·libc_kill_trampoline_addr(SB)/8, $libc_kill_trampoline<>(SB)
 
 TEXT libc_kqueue_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_kqueue(SB)
-
 GLOBL	·libc_kqueue_trampoline_addr(SB), RODATA, $8
 DATA	·libc_kqueue_trampoline_addr(SB)/8, $libc_kqueue_trampoline<>(SB)
 
 TEXT libc_lchown_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_lchown(SB)
-
 GLOBL	·libc_lchown_trampoline_addr(SB), RODATA, $8
 DATA	·libc_lchown_trampoline_addr(SB)/8, $libc_lchown_trampoline<>(SB)
 
 TEXT libc_link_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_link(SB)
-
 GLOBL	·libc_link_trampoline_addr(SB), RODATA, $8
 DATA	·libc_link_trampoline_addr(SB)/8, $libc_link_trampoline<>(SB)
 
 TEXT libc_linkat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_linkat(SB)
-
 GLOBL	·libc_linkat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_linkat_trampoline_addr(SB)/8, $libc_linkat_trampoline<>(SB)
 
 TEXT libc_listen_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_listen(SB)
-
 GLOBL	·libc_listen_trampoline_addr(SB), RODATA, $8
 DATA	·libc_listen_trampoline_addr(SB)/8, $libc_listen_trampoline<>(SB)
 
 TEXT libc_lstat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_lstat(SB)
-
 GLOBL	·libc_lstat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_lstat_trampoline_addr(SB)/8, $libc_lstat_trampoline<>(SB)
 
 TEXT libc_mkdir_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mkdir(SB)
-
 GLOBL	·libc_mkdir_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mkdir_trampoline_addr(SB)/8, $libc_mkdir_trampoline<>(SB)
 
 TEXT libc_mkdirat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mkdirat(SB)
-
 GLOBL	·libc_mkdirat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mkdirat_trampoline_addr(SB)/8, $libc_mkdirat_trampoline<>(SB)
 
 TEXT libc_mkfifo_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mkfifo(SB)
-
 GLOBL	·libc_mkfifo_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mkfifo_trampoline_addr(SB)/8, $libc_mkfifo_trampoline<>(SB)
 
 TEXT libc_mkfifoat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mkfifoat(SB)
-
 GLOBL	·libc_mkfifoat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mkfifoat_trampoline_addr(SB)/8, $libc_mkfifoat_trampoline<>(SB)
 
 TEXT libc_mknod_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mknod(SB)
-
 GLOBL	·libc_mknod_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mknod_trampoline_addr(SB)/8, $libc_mknod_trampoline<>(SB)
 
 TEXT libc_mknodat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mknodat(SB)
-
 GLOBL	·libc_mknodat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mknodat_trampoline_addr(SB)/8, $libc_mknodat_trampoline<>(SB)
 
 TEXT libc_nanosleep_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_nanosleep(SB)
-
 GLOBL	·libc_nanosleep_trampoline_addr(SB), RODATA, $8
 DATA	·libc_nanosleep_trampoline_addr(SB)/8, $libc_nanosleep_trampoline<>(SB)
 
 TEXT libc_open_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_open(SB)
-
 GLOBL	·libc_open_trampoline_addr(SB), RODATA, $8
 DATA	·libc_open_trampoline_addr(SB)/8, $libc_open_trampoline<>(SB)
 
 TEXT libc_openat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_openat(SB)
-
 GLOBL	·libc_openat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_openat_trampoline_addr(SB)/8, $libc_openat_trampoline<>(SB)
 
 TEXT libc_pathconf_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_pathconf(SB)
-
 GLOBL	·libc_pathconf_trampoline_addr(SB), RODATA, $8
 DATA	·libc_pathconf_trampoline_addr(SB)/8, $libc_pathconf_trampoline<>(SB)
 
 TEXT libc_pread_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_pread(SB)
-
 GLOBL	·libc_pread_trampoline_addr(SB), RODATA, $8
 DATA	·libc_pread_trampoline_addr(SB)/8, $libc_pread_trampoline<>(SB)
 
 TEXT libc_pwrite_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_pwrite(SB)
-
 GLOBL	·libc_pwrite_trampoline_addr(SB), RODATA, $8
 DATA	·libc_pwrite_trampoline_addr(SB)/8, $libc_pwrite_trampoline<>(SB)
 
 TEXT libc_read_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_read(SB)
-
 GLOBL	·libc_read_trampoline_addr(SB), RODATA, $8
 DATA	·libc_read_trampoline_addr(SB)/8, $libc_read_trampoline<>(SB)
 
 TEXT libc_readlink_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_readlink(SB)
-
 GLOBL	·libc_readlink_trampoline_addr(SB), RODATA, $8
 DATA	·libc_readlink_trampoline_addr(SB)/8, $libc_readlink_trampoline<>(SB)
 
 TEXT libc_readlinkat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_readlinkat(SB)
-
 GLOBL	·libc_readlinkat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_readlinkat_trampoline_addr(SB)/8, $libc_readlinkat_trampoline<>(SB)
 
 TEXT libc_rename_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_rename(SB)
-
 GLOBL	·libc_rename_trampoline_addr(SB), RODATA, $8
 DATA	·libc_rename_trampoline_addr(SB)/8, $libc_rename_trampoline<>(SB)
 
 TEXT libc_renameat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_renameat(SB)
-
 GLOBL	·libc_renameat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_renameat_trampoline_addr(SB)/8, $libc_renameat_trampoline<>(SB)
 
 TEXT libc_revoke_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_revoke(SB)
-
 GLOBL	·libc_revoke_trampoline_addr(SB), RODATA, $8
 DATA	·libc_revoke_trampoline_addr(SB)/8, $libc_revoke_trampoline<>(SB)
 
 TEXT libc_rmdir_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_rmdir(SB)
-
 GLOBL	·libc_rmdir_trampoline_addr(SB), RODATA, $8
 DATA	·libc_rmdir_trampoline_addr(SB)/8, $libc_rmdir_trampoline<>(SB)
 
 TEXT libc_lseek_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_lseek(SB)
-
 GLOBL	·libc_lseek_trampoline_addr(SB), RODATA, $8
 DATA	·libc_lseek_trampoline_addr(SB)/8, $libc_lseek_trampoline<>(SB)
 
 TEXT libc_select_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_select(SB)
-
 GLOBL	·libc_select_trampoline_addr(SB), RODATA, $8
 DATA	·libc_select_trampoline_addr(SB)/8, $libc_select_trampoline<>(SB)
 
 TEXT libc_setegid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setegid(SB)
-
 GLOBL	·libc_setegid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setegid_trampoline_addr(SB)/8, $libc_setegid_trampoline<>(SB)
 
 TEXT libc_seteuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_seteuid(SB)
-
 GLOBL	·libc_seteuid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_seteuid_trampoline_addr(SB)/8, $libc_seteuid_trampoline<>(SB)
 
 TEXT libc_setgid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setgid(SB)
-
 GLOBL	·libc_setgid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setgid_trampoline_addr(SB)/8, $libc_setgid_trampoline<>(SB)
 
 TEXT libc_setlogin_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setlogin(SB)
-
 GLOBL	·libc_setlogin_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setlogin_trampoline_addr(SB)/8, $libc_setlogin_trampoline<>(SB)
 
 TEXT libc_setpgid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setpgid(SB)
-
 GLOBL	·libc_setpgid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setpgid_trampoline_addr(SB)/8, $libc_setpgid_trampoline<>(SB)
 
 TEXT libc_setpriority_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setpriority(SB)
-
 GLOBL	·libc_setpriority_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setpriority_trampoline_addr(SB)/8, $libc_setpriority_trampoline<>(SB)
 
 TEXT libc_setregid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setregid(SB)
-
 GLOBL	·libc_setregid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setregid_trampoline_addr(SB)/8, $libc_setregid_trampoline<>(SB)
 
 TEXT libc_setreuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setreuid(SB)
-
 GLOBL	·libc_setreuid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setreuid_trampoline_addr(SB)/8, $libc_setreuid_trampoline<>(SB)
 
 TEXT libc_setresgid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setresgid(SB)
-
 GLOBL	·libc_setresgid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setresgid_trampoline_addr(SB)/8, $libc_setresgid_trampoline<>(SB)
 
 TEXT libc_setresuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setresuid(SB)
-
 GLOBL	·libc_setresuid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setresuid_trampoline_addr(SB)/8, $libc_setresuid_trampoline<>(SB)
 
 TEXT libc_setrlimit_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setrlimit(SB)
-
 GLOBL	·libc_setrlimit_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setrlimit_trampoline_addr(SB)/8, $libc_setrlimit_trampoline<>(SB)
 
 TEXT libc_setrtable_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setrtable(SB)
-
 GLOBL	·libc_setrtable_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setrtable_trampoline_addr(SB)/8, $libc_setrtable_trampoline<>(SB)
 
 TEXT libc_setsid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setsid(SB)
-
 GLOBL	·libc_setsid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setsid_trampoline_addr(SB)/8, $libc_setsid_trampoline<>(SB)
 
 TEXT libc_settimeofday_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_settimeofday(SB)
-
 GLOBL	·libc_settimeofday_trampoline_addr(SB), RODATA, $8
 DATA	·libc_settimeofday_trampoline_addr(SB)/8, $libc_settimeofday_trampoline<>(SB)
 
 TEXT libc_setuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setuid(SB)
-
 GLOBL	·libc_setuid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setuid_trampoline_addr(SB)/8, $libc_setuid_trampoline<>(SB)
 
 TEXT libc_stat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_stat(SB)
-
 GLOBL	·libc_stat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_stat_trampoline_addr(SB)/8, $libc_stat_trampoline<>(SB)
 
 TEXT libc_statfs_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_statfs(SB)
-
 GLOBL	·libc_statfs_trampoline_addr(SB), RODATA, $8
 DATA	·libc_statfs_trampoline_addr(SB)/8, $libc_statfs_trampoline<>(SB)
 
 TEXT libc_symlink_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_symlink(SB)
-
 GLOBL	·libc_symlink_trampoline_addr(SB), RODATA, $8
 DATA	·libc_symlink_trampoline_addr(SB)/8, $libc_symlink_trampoline<>(SB)
 
 TEXT libc_symlinkat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_symlinkat(SB)
-
 GLOBL	·libc_symlinkat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_symlinkat_trampoline_addr(SB)/8, $libc_symlinkat_trampoline<>(SB)
 
 TEXT libc_sync_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_sync(SB)
-
 GLOBL	·libc_sync_trampoline_addr(SB), RODATA, $8
 DATA	·libc_sync_trampoline_addr(SB)/8, $libc_sync_trampoline<>(SB)
 
 TEXT libc_truncate_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_truncate(SB)
-
 GLOBL	·libc_truncate_trampoline_addr(SB), RODATA, $8
 DATA	·libc_truncate_trampoline_addr(SB)/8, $libc_truncate_trampoline<>(SB)
 
 TEXT libc_umask_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_umask(SB)
-
 GLOBL	·libc_umask_trampoline_addr(SB), RODATA, $8
 DATA	·libc_umask_trampoline_addr(SB)/8, $libc_umask_trampoline<>(SB)
 
 TEXT libc_unlink_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_unlink(SB)
-
 GLOBL	·libc_unlink_trampoline_addr(SB), RODATA, $8
 DATA	·libc_unlink_trampoline_addr(SB)/8, $libc_unlink_trampoline<>(SB)
 
 TEXT libc_unlinkat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_unlinkat(SB)
-
 GLOBL	·libc_unlinkat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_unlinkat_trampoline_addr(SB)/8, $libc_unlinkat_trampoline<>(SB)
 
 TEXT libc_unmount_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_unmount(SB)
-
 GLOBL	·libc_unmount_trampoline_addr(SB), RODATA, $8
 DATA	·libc_unmount_trampoline_addr(SB)/8, $libc_unmount_trampoline<>(SB)
 
 TEXT libc_write_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_write(SB)
-
 GLOBL	·libc_write_trampoline_addr(SB), RODATA, $8
 DATA	·libc_write_trampoline_addr(SB)/8, $libc_write_trampoline<>(SB)
 
 TEXT libc_mmap_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mmap(SB)
-
 GLOBL	·libc_mmap_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mmap_trampoline_addr(SB)/8, $libc_mmap_trampoline<>(SB)
 
 TEXT libc_munmap_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_munmap(SB)
-
 GLOBL	·libc_munmap_trampoline_addr(SB), RODATA, $8
 DATA	·libc_munmap_trampoline_addr(SB)/8, $libc_munmap_trampoline<>(SB)
 
 TEXT libc_utimensat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_utimensat(SB)
-
 GLOBL	·libc_utimensat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_utimensat_trampoline_addr(SB)/8, $libc_utimensat_trampoline<>(SB)
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.go b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.go
index 016d959bc..6f33e37e7 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.go
@@ -1,4 +1,4 @@
-// go run mksyscall.go -openbsd -tags openbsd,mips64 syscall_bsd.go syscall_openbsd.go syscall_openbsd_mips64.go
+// go run mksyscall.go -openbsd -libc -tags openbsd,mips64 syscall_bsd.go syscall_openbsd.go syscall_openbsd_mips64.go
 // Code generated by the command above; see README.md. DO NOT EDIT.
 
 //go:build openbsd && mips64
@@ -16,7 +16,7 @@ var _ syscall.Errno
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func getgroups(ngid int, gid *_Gid_t) (n int, err error) {
-	r0, _, e1 := RawSyscall(SYS_GETGROUPS, uintptr(ngid), uintptr(unsafe.Pointer(gid)), 0)
+	r0, _, e1 := syscall_rawSyscall(libc_getgroups_trampoline_addr, uintptr(ngid), uintptr(unsafe.Pointer(gid)), 0)
 	n = int(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -24,20 +24,28 @@ func getgroups(ngid int, gid *_Gid_t) (n int, err error) {
 	return
 }
 
+var libc_getgroups_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_getgroups getgroups "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func setgroups(ngid int, gid *_Gid_t) (err error) {
-	_, _, e1 := RawSyscall(SYS_SETGROUPS, uintptr(ngid), uintptr(unsafe.Pointer(gid)), 0)
+	_, _, e1 := syscall_rawSyscall(libc_setgroups_trampoline_addr, uintptr(ngid), uintptr(unsafe.Pointer(gid)), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_setgroups_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_setgroups setgroups "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func wait4(pid int, wstatus *_C_int, options int, rusage *Rusage) (wpid int, err error) {
-	r0, _, e1 := Syscall6(SYS_WAIT4, uintptr(pid), uintptr(unsafe.Pointer(wstatus)), uintptr(options), uintptr(unsafe.Pointer(rusage)), 0, 0)
+	r0, _, e1 := syscall_syscall6(libc_wait4_trampoline_addr, uintptr(pid), uintptr(unsafe.Pointer(wstatus)), uintptr(options), uintptr(unsafe.Pointer(rusage)), 0, 0)
 	wpid = int(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -45,10 +53,14 @@ func wait4(pid int, wstatus *_C_int, options int, rusage *Rusage) (wpid int, err
 	return
 }
 
+var libc_wait4_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_wait4 wait4 "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func accept(s int, rsa *RawSockaddrAny, addrlen *_Socklen) (fd int, err error) {
-	r0, _, e1 := Syscall(SYS_ACCEPT, uintptr(s), uintptr(unsafe.Pointer(rsa)), uintptr(unsafe.Pointer(addrlen)))
+	r0, _, e1 := syscall_syscall(libc_accept_trampoline_addr, uintptr(s), uintptr(unsafe.Pointer(rsa)), uintptr(unsafe.Pointer(addrlen)))
 	fd = int(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -56,30 +68,42 @@ func accept(s int, rsa *RawSockaddrAny, addrlen *_Socklen) (fd int, err error) {
 	return
 }
 
+var libc_accept_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_accept accept "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func bind(s int, addr unsafe.Pointer, addrlen _Socklen) (err error) {
-	_, _, e1 := Syscall(SYS_BIND, uintptr(s), uintptr(addr), uintptr(addrlen))
+	_, _, e1 := syscall_syscall(libc_bind_trampoline_addr, uintptr(s), uintptr(addr), uintptr(addrlen))
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_bind_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_bind bind "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func connect(s int, addr unsafe.Pointer, addrlen _Socklen) (err error) {
-	_, _, e1 := Syscall(SYS_CONNECT, uintptr(s), uintptr(addr), uintptr(addrlen))
+	_, _, e1 := syscall_syscall(libc_connect_trampoline_addr, uintptr(s), uintptr(addr), uintptr(addrlen))
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_connect_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_connect connect "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func socket(domain int, typ int, proto int) (fd int, err error) {
-	r0, _, e1 := RawSyscall(SYS_SOCKET, uintptr(domain), uintptr(typ), uintptr(proto))
+	r0, _, e1 := syscall_rawSyscall(libc_socket_trampoline_addr, uintptr(domain), uintptr(typ), uintptr(proto))
 	fd = int(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -87,66 +111,94 @@ func socket(domain int, typ int, proto int) (fd int, err error) {
 	return
 }
 
+var libc_socket_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_socket socket "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func getsockopt(s int, level int, name int, val unsafe.Pointer, vallen *_Socklen) (err error) {
-	_, _, e1 := Syscall6(SYS_GETSOCKOPT, uintptr(s), uintptr(level), uintptr(name), uintptr(val), uintptr(unsafe.Pointer(vallen)), 0)
+	_, _, e1 := syscall_syscall6(libc_getsockopt_trampoline_addr, uintptr(s), uintptr(level), uintptr(name), uintptr(val), uintptr(unsafe.Pointer(vallen)), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_getsockopt_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_getsockopt getsockopt "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func setsockopt(s int, level int, name int, val unsafe.Pointer, vallen uintptr) (err error) {
-	_, _, e1 := Syscall6(SYS_SETSOCKOPT, uintptr(s), uintptr(level), uintptr(name), uintptr(val), uintptr(vallen), 0)
+	_, _, e1 := syscall_syscall6(libc_setsockopt_trampoline_addr, uintptr(s), uintptr(level), uintptr(name), uintptr(val), uintptr(vallen), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_setsockopt_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_setsockopt setsockopt "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func getpeername(fd int, rsa *RawSockaddrAny, addrlen *_Socklen) (err error) {
-	_, _, e1 := RawSyscall(SYS_GETPEERNAME, uintptr(fd), uintptr(unsafe.Pointer(rsa)), uintptr(unsafe.Pointer(addrlen)))
+	_, _, e1 := syscall_rawSyscall(libc_getpeername_trampoline_addr, uintptr(fd), uintptr(unsafe.Pointer(rsa)), uintptr(unsafe.Pointer(addrlen)))
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_getpeername_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_getpeername getpeername "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func getsockname(fd int, rsa *RawSockaddrAny, addrlen *_Socklen) (err error) {
-	_, _, e1 := RawSyscall(SYS_GETSOCKNAME, uintptr(fd), uintptr(unsafe.Pointer(rsa)), uintptr(unsafe.Pointer(addrlen)))
+	_, _, e1 := syscall_rawSyscall(libc_getsockname_trampoline_addr, uintptr(fd), uintptr(unsafe.Pointer(rsa)), uintptr(unsafe.Pointer(addrlen)))
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_getsockname_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_getsockname getsockname "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Shutdown(s int, how int) (err error) {
-	_, _, e1 := Syscall(SYS_SHUTDOWN, uintptr(s), uintptr(how), 0)
+	_, _, e1 := syscall_syscall(libc_shutdown_trampoline_addr, uintptr(s), uintptr(how), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_shutdown_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_shutdown shutdown "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func socketpair(domain int, typ int, proto int, fd *[2]int32) (err error) {
-	_, _, e1 := RawSyscall6(SYS_SOCKETPAIR, uintptr(domain), uintptr(typ), uintptr(proto), uintptr(unsafe.Pointer(fd)), 0, 0)
+	_, _, e1 := syscall_rawSyscall6(libc_socketpair_trampoline_addr, uintptr(domain), uintptr(typ), uintptr(proto), uintptr(unsafe.Pointer(fd)), 0, 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_socketpair_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_socketpair socketpair "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func recvfrom(fd int, p []byte, flags int, from *RawSockaddrAny, fromlen *_Socklen) (n int, err error) {
@@ -156,7 +208,7 @@ func recvfrom(fd int, p []byte, flags int, from *RawSockaddrAny, fromlen *_Sockl
 	} else {
 		_p0 = unsafe.Pointer(&_zero)
 	}
-	r0, _, e1 := Syscall6(SYS_RECVFROM, uintptr(fd), uintptr(_p0), uintptr(len(p)), uintptr(flags), uintptr(unsafe.Pointer(from)), uintptr(unsafe.Pointer(fromlen)))
+	r0, _, e1 := syscall_syscall6(libc_recvfrom_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(p)), uintptr(flags), uintptr(unsafe.Pointer(from)), uintptr(unsafe.Pointer(fromlen)))
 	n = int(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -164,6 +216,10 @@ func recvfrom(fd int, p []byte, flags int, from *RawSockaddrAny, fromlen *_Sockl
 	return
 }
 
+var libc_recvfrom_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_recvfrom recvfrom "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func sendto(s int, buf []byte, flags int, to unsafe.Pointer, addrlen _Socklen) (err error) {
@@ -173,17 +229,21 @@ func sendto(s int, buf []byte, flags int, to unsafe.Pointer, addrlen _Socklen) (
 	} else {
 		_p0 = unsafe.Pointer(&_zero)
 	}
-	_, _, e1 := Syscall6(SYS_SENDTO, uintptr(s), uintptr(_p0), uintptr(len(buf)), uintptr(flags), uintptr(to), uintptr(addrlen))
+	_, _, e1 := syscall_syscall6(libc_sendto_trampoline_addr, uintptr(s), uintptr(_p0), uintptr(len(buf)), uintptr(flags), uintptr(to), uintptr(addrlen))
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_sendto_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_sendto sendto "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func recvmsg(s int, msg *Msghdr, flags int) (n int, err error) {
-	r0, _, e1 := Syscall(SYS_RECVMSG, uintptr(s), uintptr(unsafe.Pointer(msg)), uintptr(flags))
+	r0, _, e1 := syscall_syscall(libc_recvmsg_trampoline_addr, uintptr(s), uintptr(unsafe.Pointer(msg)), uintptr(flags))
 	n = int(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -191,10 +251,14 @@ func recvmsg(s int, msg *Msghdr, flags int) (n int, err error) {
 	return
 }
 
+var libc_recvmsg_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_recvmsg recvmsg "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func sendmsg(s int, msg *Msghdr, flags int) (n int, err error) {
-	r0, _, e1 := Syscall(SYS_SENDMSG, uintptr(s), uintptr(unsafe.Pointer(msg)), uintptr(flags))
+	r0, _, e1 := syscall_syscall(libc_sendmsg_trampoline_addr, uintptr(s), uintptr(unsafe.Pointer(msg)), uintptr(flags))
 	n = int(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -202,10 +266,14 @@ func sendmsg(s int, msg *Msghdr, flags int) (n int, err error) {
 	return
 }
 
+var libc_sendmsg_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_sendmsg sendmsg "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func kevent(kq int, change unsafe.Pointer, nchange int, event unsafe.Pointer, nevent int, timeout *Timespec) (n int, err error) {
-	r0, _, e1 := Syscall6(SYS_KEVENT, uintptr(kq), uintptr(change), uintptr(nchange), uintptr(event), uintptr(nevent), uintptr(unsafe.Pointer(timeout)))
+	r0, _, e1 := syscall_syscall6(libc_kevent_trampoline_addr, uintptr(kq), uintptr(change), uintptr(nchange), uintptr(event), uintptr(nevent), uintptr(unsafe.Pointer(timeout)))
 	n = int(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -213,6 +281,10 @@ func kevent(kq int, change unsafe.Pointer, nchange int, event unsafe.Pointer, ne
 	return
 }
 
+var libc_kevent_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_kevent kevent "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func utimes(path string, timeval *[2]Timeval) (err error) {
@@ -221,27 +293,35 @@ func utimes(path string, timeval *[2]Timeval) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall(SYS_UTIMES, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(timeval)), 0)
+	_, _, e1 := syscall_syscall(libc_utimes_trampoline_addr, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(timeval)), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_utimes_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_utimes utimes "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func futimes(fd int, timeval *[2]Timeval) (err error) {
-	_, _, e1 := Syscall(SYS_FUTIMES, uintptr(fd), uintptr(unsafe.Pointer(timeval)), 0)
+	_, _, e1 := syscall_syscall(libc_futimes_trampoline_addr, uintptr(fd), uintptr(unsafe.Pointer(timeval)), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_futimes_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_futimes futimes "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func poll(fds *PollFd, nfds int, timeout int) (n int, err error) {
-	r0, _, e1 := Syscall(SYS_POLL, uintptr(unsafe.Pointer(fds)), uintptr(nfds), uintptr(timeout))
+	r0, _, e1 := syscall_syscall(libc_poll_trampoline_addr, uintptr(unsafe.Pointer(fds)), uintptr(nfds), uintptr(timeout))
 	n = int(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -249,6 +329,10 @@ func poll(fds *PollFd, nfds int, timeout int) (n int, err error) {
 	return
 }
 
+var libc_poll_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_poll poll "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Madvise(b []byte, behav int) (err error) {
@@ -258,13 +342,17 @@ func Madvise(b []byte, behav int) (err error) {
 	} else {
 		_p0 = unsafe.Pointer(&_zero)
 	}
-	_, _, e1 := Syscall(SYS_MADVISE, uintptr(_p0), uintptr(len(b)), uintptr(behav))
+	_, _, e1 := syscall_syscall(libc_madvise_trampoline_addr, uintptr(_p0), uintptr(len(b)), uintptr(behav))
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_madvise_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_madvise madvise "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Mlock(b []byte) (err error) {
@@ -274,23 +362,31 @@ func Mlock(b []byte) (err error) {
 	} else {
 		_p0 = unsafe.Pointer(&_zero)
 	}
-	_, _, e1 := Syscall(SYS_MLOCK, uintptr(_p0), uintptr(len(b)), 0)
+	_, _, e1 := syscall_syscall(libc_mlock_trampoline_addr, uintptr(_p0), uintptr(len(b)), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_mlock_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_mlock mlock "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Mlockall(flags int) (err error) {
-	_, _, e1 := Syscall(SYS_MLOCKALL, uintptr(flags), 0, 0)
+	_, _, e1 := syscall_syscall(libc_mlockall_trampoline_addr, uintptr(flags), 0, 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_mlockall_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_mlockall mlockall "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Mprotect(b []byte, prot int) (err error) {
@@ -300,13 +396,17 @@ func Mprotect(b []byte, prot int) (err error) {
 	} else {
 		_p0 = unsafe.Pointer(&_zero)
 	}
-	_, _, e1 := Syscall(SYS_MPROTECT, uintptr(_p0), uintptr(len(b)), uintptr(prot))
+	_, _, e1 := syscall_syscall(libc_mprotect_trampoline_addr, uintptr(_p0), uintptr(len(b)), uintptr(prot))
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_mprotect_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_mprotect mprotect "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Msync(b []byte, flags int) (err error) {
@@ -316,13 +416,17 @@ func Msync(b []byte, flags int) (err error) {
 	} else {
 		_p0 = unsafe.Pointer(&_zero)
 	}
-	_, _, e1 := Syscall(SYS_MSYNC, uintptr(_p0), uintptr(len(b)), uintptr(flags))
+	_, _, e1 := syscall_syscall(libc_msync_trampoline_addr, uintptr(_p0), uintptr(len(b)), uintptr(flags))
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_msync_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_msync msync "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Munlock(b []byte) (err error) {
@@ -332,33 +436,45 @@ func Munlock(b []byte) (err error) {
 	} else {
 		_p0 = unsafe.Pointer(&_zero)
 	}
-	_, _, e1 := Syscall(SYS_MUNLOCK, uintptr(_p0), uintptr(len(b)), 0)
+	_, _, e1 := syscall_syscall(libc_munlock_trampoline_addr, uintptr(_p0), uintptr(len(b)), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_munlock_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_munlock munlock "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Munlockall() (err error) {
-	_, _, e1 := Syscall(SYS_MUNLOCKALL, 0, 0, 0)
+	_, _, e1 := syscall_syscall(libc_munlockall_trampoline_addr, 0, 0, 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_munlockall_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_munlockall munlockall "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func pipe2(p *[2]_C_int, flags int) (err error) {
-	_, _, e1 := RawSyscall(SYS_PIPE2, uintptr(unsafe.Pointer(p)), uintptr(flags), 0)
+	_, _, e1 := syscall_rawSyscall(libc_pipe2_trampoline_addr, uintptr(unsafe.Pointer(p)), uintptr(flags), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_pipe2_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_pipe2 pipe2 "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Getdents(fd int, buf []byte) (n int, err error) {
@@ -368,7 +484,7 @@ func Getdents(fd int, buf []byte) (n int, err error) {
 	} else {
 		_p0 = unsafe.Pointer(&_zero)
 	}
-	r0, _, e1 := Syscall(SYS_GETDENTS, uintptr(fd), uintptr(_p0), uintptr(len(buf)))
+	r0, _, e1 := syscall_syscall(libc_getdents_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(buf)))
 	n = int(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -376,6 +492,10 @@ func Getdents(fd int, buf []byte) (n int, err error) {
 	return
 }
 
+var libc_getdents_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_getdents getdents "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Getcwd(buf []byte) (n int, err error) {
@@ -385,7 +505,7 @@ func Getcwd(buf []byte) (n int, err error) {
 	} else {
 		_p0 = unsafe.Pointer(&_zero)
 	}
-	r0, _, e1 := Syscall(SYS___GETCWD, uintptr(_p0), uintptr(len(buf)), 0)
+	r0, _, e1 := syscall_syscall(libc_getcwd_trampoline_addr, uintptr(_p0), uintptr(len(buf)), 0)
 	n = int(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -393,16 +513,24 @@ func Getcwd(buf []byte) (n int, err error) {
 	return
 }
 
+var libc_getcwd_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_getcwd getcwd "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func ioctl(fd int, req uint, arg uintptr) (err error) {
-	_, _, e1 := Syscall(SYS_IOCTL, uintptr(fd), uintptr(req), uintptr(arg))
+	_, _, e1 := syscall_syscall(libc_ioctl_trampoline_addr, uintptr(fd), uintptr(req), uintptr(arg))
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_ioctl_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_ioctl ioctl "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func sysctl(mib []_C_int, old *byte, oldlen *uintptr, new *byte, newlen uintptr) (err error) {
@@ -412,17 +540,21 @@ func sysctl(mib []_C_int, old *byte, oldlen *uintptr, new *byte, newlen uintptr)
 	} else {
 		_p0 = unsafe.Pointer(&_zero)
 	}
-	_, _, e1 := Syscall6(SYS___SYSCTL, uintptr(_p0), uintptr(len(mib)), uintptr(unsafe.Pointer(old)), uintptr(unsafe.Pointer(oldlen)), uintptr(unsafe.Pointer(new)), uintptr(newlen))
+	_, _, e1 := syscall_syscall6(libc_sysctl_trampoline_addr, uintptr(_p0), uintptr(len(mib)), uintptr(unsafe.Pointer(old)), uintptr(unsafe.Pointer(oldlen)), uintptr(unsafe.Pointer(new)), uintptr(newlen))
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_sysctl_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_sysctl sysctl "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func ppoll(fds *PollFd, nfds int, timeout *Timespec, sigmask *Sigset_t) (n int, err error) {
-	r0, _, e1 := Syscall6(SYS_PPOLL, uintptr(unsafe.Pointer(fds)), uintptr(nfds), uintptr(unsafe.Pointer(timeout)), uintptr(unsafe.Pointer(sigmask)), 0, 0)
+	r0, _, e1 := syscall_syscall6(libc_ppoll_trampoline_addr, uintptr(unsafe.Pointer(fds)), uintptr(nfds), uintptr(unsafe.Pointer(timeout)), uintptr(unsafe.Pointer(sigmask)), 0, 0)
 	n = int(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -430,6 +562,10 @@ func ppoll(fds *PollFd, nfds int, timeout *Timespec, sigmask *Sigset_t) (n int,
 	return
 }
 
+var libc_ppoll_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_ppoll ppoll "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Access(path string, mode uint32) (err error) {
@@ -438,23 +574,31 @@ func Access(path string, mode uint32) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall(SYS_ACCESS, uintptr(unsafe.Pointer(_p0)), uintptr(mode), 0)
+	_, _, e1 := syscall_syscall(libc_access_trampoline_addr, uintptr(unsafe.Pointer(_p0)), uintptr(mode), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_access_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_access access "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Adjtime(delta *Timeval, olddelta *Timeval) (err error) {
-	_, _, e1 := Syscall(SYS_ADJTIME, uintptr(unsafe.Pointer(delta)), uintptr(unsafe.Pointer(olddelta)), 0)
+	_, _, e1 := syscall_syscall(libc_adjtime_trampoline_addr, uintptr(unsafe.Pointer(delta)), uintptr(unsafe.Pointer(olddelta)), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_adjtime_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_adjtime adjtime "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Chdir(path string) (err error) {
@@ -463,13 +607,17 @@ func Chdir(path string) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall(SYS_CHDIR, uintptr(unsafe.Pointer(_p0)), 0, 0)
+	_, _, e1 := syscall_syscall(libc_chdir_trampoline_addr, uintptr(unsafe.Pointer(_p0)), 0, 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_chdir_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_chdir chdir "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Chflags(path string, flags int) (err error) {
@@ -478,13 +626,17 @@ func Chflags(path string, flags int) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall(SYS_CHFLAGS, uintptr(unsafe.Pointer(_p0)), uintptr(flags), 0)
+	_, _, e1 := syscall_syscall(libc_chflags_trampoline_addr, uintptr(unsafe.Pointer(_p0)), uintptr(flags), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_chflags_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_chflags chflags "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Chmod(path string, mode uint32) (err error) {
@@ -493,13 +645,17 @@ func Chmod(path string, mode uint32) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall(SYS_CHMOD, uintptr(unsafe.Pointer(_p0)), uintptr(mode), 0)
+	_, _, e1 := syscall_syscall(libc_chmod_trampoline_addr, uintptr(unsafe.Pointer(_p0)), uintptr(mode), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_chmod_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_chmod chmod "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Chown(path string, uid int, gid int) (err error) {
@@ -508,13 +664,17 @@ func Chown(path string, uid int, gid int) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall(SYS_CHOWN, uintptr(unsafe.Pointer(_p0)), uintptr(uid), uintptr(gid))
+	_, _, e1 := syscall_syscall(libc_chown_trampoline_addr, uintptr(unsafe.Pointer(_p0)), uintptr(uid), uintptr(gid))
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_chown_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_chown chown "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Chroot(path string) (err error) {
@@ -523,27 +683,49 @@ func Chroot(path string) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall(SYS_CHROOT, uintptr(unsafe.Pointer(_p0)), 0, 0)
+	_, _, e1 := syscall_syscall(libc_chroot_trampoline_addr, uintptr(unsafe.Pointer(_p0)), 0, 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_chroot_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_chroot chroot "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func ClockGettime(clockid int32, time *Timespec) (err error) {
+	_, _, e1 := syscall_syscall(libc_clock_gettime_trampoline_addr, uintptr(clockid), uintptr(unsafe.Pointer(time)), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_clock_gettime_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_clock_gettime clock_gettime "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Close(fd int) (err error) {
-	_, _, e1 := Syscall(SYS_CLOSE, uintptr(fd), 0, 0)
+	_, _, e1 := syscall_syscall(libc_close_trampoline_addr, uintptr(fd), 0, 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_close_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_close close "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Dup(fd int) (nfd int, err error) {
-	r0, _, e1 := Syscall(SYS_DUP, uintptr(fd), 0, 0)
+	r0, _, e1 := syscall_syscall(libc_dup_trampoline_addr, uintptr(fd), 0, 0)
 	nfd = int(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -551,33 +733,49 @@ func Dup(fd int) (nfd int, err error) {
 	return
 }
 
+var libc_dup_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_dup dup "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Dup2(from int, to int) (err error) {
-	_, _, e1 := Syscall(SYS_DUP2, uintptr(from), uintptr(to), 0)
+	_, _, e1 := syscall_syscall(libc_dup2_trampoline_addr, uintptr(from), uintptr(to), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_dup2_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_dup2 dup2 "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Dup3(from int, to int, flags int) (err error) {
-	_, _, e1 := Syscall(SYS_DUP3, uintptr(from), uintptr(to), uintptr(flags))
+	_, _, e1 := syscall_syscall(libc_dup3_trampoline_addr, uintptr(from), uintptr(to), uintptr(flags))
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_dup3_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_dup3 dup3 "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Exit(code int) {
-	Syscall(SYS_EXIT, uintptr(code), 0, 0)
+	syscall_syscall(libc_exit_trampoline_addr, uintptr(code), 0, 0)
 	return
 }
 
+var libc_exit_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_exit exit "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Faccessat(dirfd int, path string, mode uint32, flags int) (err error) {
@@ -586,43 +784,59 @@ func Faccessat(dirfd int, path string, mode uint32, flags int) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall6(SYS_FACCESSAT, uintptr(dirfd), uintptr(unsafe.Pointer(_p0)), uintptr(mode), uintptr(flags), 0, 0)
+	_, _, e1 := syscall_syscall6(libc_faccessat_trampoline_addr, uintptr(dirfd), uintptr(unsafe.Pointer(_p0)), uintptr(mode), uintptr(flags), 0, 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_faccessat_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_faccessat faccessat "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Fchdir(fd int) (err error) {
-	_, _, e1 := Syscall(SYS_FCHDIR, uintptr(fd), 0, 0)
+	_, _, e1 := syscall_syscall(libc_fchdir_trampoline_addr, uintptr(fd), 0, 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_fchdir_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_fchdir fchdir "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Fchflags(fd int, flags int) (err error) {
-	_, _, e1 := Syscall(SYS_FCHFLAGS, uintptr(fd), uintptr(flags), 0)
+	_, _, e1 := syscall_syscall(libc_fchflags_trampoline_addr, uintptr(fd), uintptr(flags), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_fchflags_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_fchflags fchflags "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Fchmod(fd int, mode uint32) (err error) {
-	_, _, e1 := Syscall(SYS_FCHMOD, uintptr(fd), uintptr(mode), 0)
+	_, _, e1 := syscall_syscall(libc_fchmod_trampoline_addr, uintptr(fd), uintptr(mode), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_fchmod_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_fchmod fchmod "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Fchmodat(dirfd int, path string, mode uint32, flags int) (err error) {
@@ -631,23 +845,31 @@ func Fchmodat(dirfd int, path string, mode uint32, flags int) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall6(SYS_FCHMODAT, uintptr(dirfd), uintptr(unsafe.Pointer(_p0)), uintptr(mode), uintptr(flags), 0, 0)
+	_, _, e1 := syscall_syscall6(libc_fchmodat_trampoline_addr, uintptr(dirfd), uintptr(unsafe.Pointer(_p0)), uintptr(mode), uintptr(flags), 0, 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_fchmodat_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_fchmodat fchmodat "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Fchown(fd int, uid int, gid int) (err error) {
-	_, _, e1 := Syscall(SYS_FCHOWN, uintptr(fd), uintptr(uid), uintptr(gid))
+	_, _, e1 := syscall_syscall(libc_fchown_trampoline_addr, uintptr(fd), uintptr(uid), uintptr(gid))
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_fchown_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_fchown fchown "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Fchownat(dirfd int, path string, uid int, gid int, flags int) (err error) {
@@ -656,27 +878,35 @@ func Fchownat(dirfd int, path string, uid int, gid int, flags int) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall6(SYS_FCHOWNAT, uintptr(dirfd), uintptr(unsafe.Pointer(_p0)), uintptr(uid), uintptr(gid), uintptr(flags), 0)
+	_, _, e1 := syscall_syscall6(libc_fchownat_trampoline_addr, uintptr(dirfd), uintptr(unsafe.Pointer(_p0)), uintptr(uid), uintptr(gid), uintptr(flags), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_fchownat_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_fchownat fchownat "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Flock(fd int, how int) (err error) {
-	_, _, e1 := Syscall(SYS_FLOCK, uintptr(fd), uintptr(how), 0)
+	_, _, e1 := syscall_syscall(libc_flock_trampoline_addr, uintptr(fd), uintptr(how), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_flock_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_flock flock "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Fpathconf(fd int, name int) (val int, err error) {
-	r0, _, e1 := Syscall(SYS_FPATHCONF, uintptr(fd), uintptr(name), 0)
+	r0, _, e1 := syscall_syscall(libc_fpathconf_trampoline_addr, uintptr(fd), uintptr(name), 0)
 	val = int(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -684,16 +914,24 @@ func Fpathconf(fd int, name int) (val int, err error) {
 	return
 }
 
+var libc_fpathconf_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_fpathconf fpathconf "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Fstat(fd int, stat *Stat_t) (err error) {
-	_, _, e1 := Syscall(SYS_FSTAT, uintptr(fd), uintptr(unsafe.Pointer(stat)), 0)
+	_, _, e1 := syscall_syscall(libc_fstat_trampoline_addr, uintptr(fd), uintptr(unsafe.Pointer(stat)), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_fstat_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_fstat fstat "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Fstatat(fd int, path string, stat *Stat_t, flags int) (err error) {
@@ -702,71 +940,99 @@ func Fstatat(fd int, path string, stat *Stat_t, flags int) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall6(SYS_FSTATAT, uintptr(fd), uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(stat)), uintptr(flags), 0, 0)
+	_, _, e1 := syscall_syscall6(libc_fstatat_trampoline_addr, uintptr(fd), uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(stat)), uintptr(flags), 0, 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_fstatat_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_fstatat fstatat "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Fstatfs(fd int, stat *Statfs_t) (err error) {
-	_, _, e1 := Syscall(SYS_FSTATFS, uintptr(fd), uintptr(unsafe.Pointer(stat)), 0)
+	_, _, e1 := syscall_syscall(libc_fstatfs_trampoline_addr, uintptr(fd), uintptr(unsafe.Pointer(stat)), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_fstatfs_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_fstatfs fstatfs "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Fsync(fd int) (err error) {
-	_, _, e1 := Syscall(SYS_FSYNC, uintptr(fd), 0, 0)
+	_, _, e1 := syscall_syscall(libc_fsync_trampoline_addr, uintptr(fd), 0, 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_fsync_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_fsync fsync "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Ftruncate(fd int, length int64) (err error) {
-	_, _, e1 := Syscall(SYS_FTRUNCATE, uintptr(fd), 0, uintptr(length))
+	_, _, e1 := syscall_syscall(libc_ftruncate_trampoline_addr, uintptr(fd), uintptr(length), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_ftruncate_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_ftruncate ftruncate "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Getegid() (egid int) {
-	r0, _, _ := RawSyscall(SYS_GETEGID, 0, 0, 0)
+	r0, _, _ := syscall_rawSyscall(libc_getegid_trampoline_addr, 0, 0, 0)
 	egid = int(r0)
 	return
 }
 
+var libc_getegid_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_getegid getegid "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Geteuid() (uid int) {
-	r0, _, _ := RawSyscall(SYS_GETEUID, 0, 0, 0)
+	r0, _, _ := syscall_rawSyscall(libc_geteuid_trampoline_addr, 0, 0, 0)
 	uid = int(r0)
 	return
 }
 
+var libc_geteuid_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_geteuid geteuid "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Getgid() (gid int) {
-	r0, _, _ := RawSyscall(SYS_GETGID, 0, 0, 0)
+	r0, _, _ := syscall_rawSyscall(libc_getgid_trampoline_addr, 0, 0, 0)
 	gid = int(r0)
 	return
 }
 
+var libc_getgid_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_getgid getgid "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Getpgid(pid int) (pgid int, err error) {
-	r0, _, e1 := RawSyscall(SYS_GETPGID, uintptr(pid), 0, 0)
+	r0, _, e1 := syscall_rawSyscall(libc_getpgid_trampoline_addr, uintptr(pid), 0, 0)
 	pgid = int(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -774,34 +1040,50 @@ func Getpgid(pid int) (pgid int, err error) {
 	return
 }
 
+var libc_getpgid_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_getpgid getpgid "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Getpgrp() (pgrp int) {
-	r0, _, _ := RawSyscall(SYS_GETPGRP, 0, 0, 0)
+	r0, _, _ := syscall_rawSyscall(libc_getpgrp_trampoline_addr, 0, 0, 0)
 	pgrp = int(r0)
 	return
 }
 
+var libc_getpgrp_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_getpgrp getpgrp "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Getpid() (pid int) {
-	r0, _, _ := RawSyscall(SYS_GETPID, 0, 0, 0)
+	r0, _, _ := syscall_rawSyscall(libc_getpid_trampoline_addr, 0, 0, 0)
 	pid = int(r0)
 	return
 }
 
+var libc_getpid_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_getpid getpid "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Getppid() (ppid int) {
-	r0, _, _ := RawSyscall(SYS_GETPPID, 0, 0, 0)
+	r0, _, _ := syscall_rawSyscall(libc_getppid_trampoline_addr, 0, 0, 0)
 	ppid = int(r0)
 	return
 }
 
+var libc_getppid_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_getppid getppid "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Getpriority(which int, who int) (prio int, err error) {
-	r0, _, e1 := Syscall(SYS_GETPRIORITY, uintptr(which), uintptr(who), 0)
+	r0, _, e1 := syscall_syscall(libc_getpriority_trampoline_addr, uintptr(which), uintptr(who), 0)
 	prio = int(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -809,20 +1091,28 @@ func Getpriority(which int, who int) (prio int, err error) {
 	return
 }
 
+var libc_getpriority_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_getpriority getpriority "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Getrlimit(which int, lim *Rlimit) (err error) {
-	_, _, e1 := RawSyscall(SYS_GETRLIMIT, uintptr(which), uintptr(unsafe.Pointer(lim)), 0)
+	_, _, e1 := syscall_rawSyscall(libc_getrlimit_trampoline_addr, uintptr(which), uintptr(unsafe.Pointer(lim)), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_getrlimit_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_getrlimit getrlimit "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Getrtable() (rtable int, err error) {
-	r0, _, e1 := RawSyscall(SYS_GETRTABLE, 0, 0, 0)
+	r0, _, e1 := syscall_rawSyscall(libc_getrtable_trampoline_addr, 0, 0, 0)
 	rtable = int(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -830,20 +1120,28 @@ func Getrtable() (rtable int, err error) {
 	return
 }
 
+var libc_getrtable_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_getrtable getrtable "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Getrusage(who int, rusage *Rusage) (err error) {
-	_, _, e1 := RawSyscall(SYS_GETRUSAGE, uintptr(who), uintptr(unsafe.Pointer(rusage)), 0)
+	_, _, e1 := syscall_rawSyscall(libc_getrusage_trampoline_addr, uintptr(who), uintptr(unsafe.Pointer(rusage)), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_getrusage_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_getrusage getrusage "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Getsid(pid int) (sid int, err error) {
-	r0, _, e1 := RawSyscall(SYS_GETSID, uintptr(pid), 0, 0)
+	r0, _, e1 := syscall_rawSyscall(libc_getsid_trampoline_addr, uintptr(pid), 0, 0)
 	sid = int(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -851,46 +1149,66 @@ func Getsid(pid int) (sid int, err error) {
 	return
 }
 
+var libc_getsid_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_getsid getsid "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Gettimeofday(tv *Timeval) (err error) {
-	_, _, e1 := RawSyscall(SYS_GETTIMEOFDAY, uintptr(unsafe.Pointer(tv)), 0, 0)
+	_, _, e1 := syscall_rawSyscall(libc_gettimeofday_trampoline_addr, uintptr(unsafe.Pointer(tv)), 0, 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_gettimeofday_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_gettimeofday gettimeofday "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Getuid() (uid int) {
-	r0, _, _ := RawSyscall(SYS_GETUID, 0, 0, 0)
+	r0, _, _ := syscall_rawSyscall(libc_getuid_trampoline_addr, 0, 0, 0)
 	uid = int(r0)
 	return
 }
 
+var libc_getuid_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_getuid getuid "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Issetugid() (tainted bool) {
-	r0, _, _ := Syscall(SYS_ISSETUGID, 0, 0, 0)
+	r0, _, _ := syscall_syscall(libc_issetugid_trampoline_addr, 0, 0, 0)
 	tainted = bool(r0 != 0)
 	return
 }
 
+var libc_issetugid_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_issetugid issetugid "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Kill(pid int, signum syscall.Signal) (err error) {
-	_, _, e1 := Syscall(SYS_KILL, uintptr(pid), uintptr(signum), 0)
+	_, _, e1 := syscall_syscall(libc_kill_trampoline_addr, uintptr(pid), uintptr(signum), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_kill_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_kill kill "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Kqueue() (fd int, err error) {
-	r0, _, e1 := Syscall(SYS_KQUEUE, 0, 0, 0)
+	r0, _, e1 := syscall_syscall(libc_kqueue_trampoline_addr, 0, 0, 0)
 	fd = int(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -898,6 +1216,10 @@ func Kqueue() (fd int, err error) {
 	return
 }
 
+var libc_kqueue_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_kqueue kqueue "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Lchown(path string, uid int, gid int) (err error) {
@@ -906,13 +1228,17 @@ func Lchown(path string, uid int, gid int) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall(SYS_LCHOWN, uintptr(unsafe.Pointer(_p0)), uintptr(uid), uintptr(gid))
+	_, _, e1 := syscall_syscall(libc_lchown_trampoline_addr, uintptr(unsafe.Pointer(_p0)), uintptr(uid), uintptr(gid))
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_lchown_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_lchown lchown "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Link(path string, link string) (err error) {
@@ -926,13 +1252,17 @@ func Link(path string, link string) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall(SYS_LINK, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), 0)
+	_, _, e1 := syscall_syscall(libc_link_trampoline_addr, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_link_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_link link "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Linkat(pathfd int, path string, linkfd int, link string, flags int) (err error) {
@@ -946,23 +1276,31 @@ func Linkat(pathfd int, path string, linkfd int, link string, flags int) (err er
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall6(SYS_LINKAT, uintptr(pathfd), uintptr(unsafe.Pointer(_p0)), uintptr(linkfd), uintptr(unsafe.Pointer(_p1)), uintptr(flags), 0)
+	_, _, e1 := syscall_syscall6(libc_linkat_trampoline_addr, uintptr(pathfd), uintptr(unsafe.Pointer(_p0)), uintptr(linkfd), uintptr(unsafe.Pointer(_p1)), uintptr(flags), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_linkat_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_linkat linkat "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Listen(s int, backlog int) (err error) {
-	_, _, e1 := Syscall(SYS_LISTEN, uintptr(s), uintptr(backlog), 0)
+	_, _, e1 := syscall_syscall(libc_listen_trampoline_addr, uintptr(s), uintptr(backlog), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_listen_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_listen listen "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Lstat(path string, stat *Stat_t) (err error) {
@@ -971,13 +1309,17 @@ func Lstat(path string, stat *Stat_t) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall(SYS_LSTAT, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(stat)), 0)
+	_, _, e1 := syscall_syscall(libc_lstat_trampoline_addr, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(stat)), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_lstat_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_lstat lstat "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Mkdir(path string, mode uint32) (err error) {
@@ -986,13 +1328,17 @@ func Mkdir(path string, mode uint32) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall(SYS_MKDIR, uintptr(unsafe.Pointer(_p0)), uintptr(mode), 0)
+	_, _, e1 := syscall_syscall(libc_mkdir_trampoline_addr, uintptr(unsafe.Pointer(_p0)), uintptr(mode), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_mkdir_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_mkdir mkdir "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Mkdirat(dirfd int, path string, mode uint32) (err error) {
@@ -1001,13 +1347,17 @@ func Mkdirat(dirfd int, path string, mode uint32) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall(SYS_MKDIRAT, uintptr(dirfd), uintptr(unsafe.Pointer(_p0)), uintptr(mode))
+	_, _, e1 := syscall_syscall(libc_mkdirat_trampoline_addr, uintptr(dirfd), uintptr(unsafe.Pointer(_p0)), uintptr(mode))
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_mkdirat_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_mkdirat mkdirat "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Mkfifo(path string, mode uint32) (err error) {
@@ -1016,13 +1366,17 @@ func Mkfifo(path string, mode uint32) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall(SYS_MKFIFO, uintptr(unsafe.Pointer(_p0)), uintptr(mode), 0)
+	_, _, e1 := syscall_syscall(libc_mkfifo_trampoline_addr, uintptr(unsafe.Pointer(_p0)), uintptr(mode), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_mkfifo_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_mkfifo mkfifo "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Mkfifoat(dirfd int, path string, mode uint32) (err error) {
@@ -1031,13 +1385,17 @@ func Mkfifoat(dirfd int, path string, mode uint32) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall(SYS_MKFIFOAT, uintptr(dirfd), uintptr(unsafe.Pointer(_p0)), uintptr(mode))
+	_, _, e1 := syscall_syscall(libc_mkfifoat_trampoline_addr, uintptr(dirfd), uintptr(unsafe.Pointer(_p0)), uintptr(mode))
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_mkfifoat_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_mkfifoat mkfifoat "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Mknod(path string, mode uint32, dev int) (err error) {
@@ -1046,13 +1404,17 @@ func Mknod(path string, mode uint32, dev int) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall(SYS_MKNOD, uintptr(unsafe.Pointer(_p0)), uintptr(mode), uintptr(dev))
+	_, _, e1 := syscall_syscall(libc_mknod_trampoline_addr, uintptr(unsafe.Pointer(_p0)), uintptr(mode), uintptr(dev))
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_mknod_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_mknod mknod "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Mknodat(dirfd int, path string, mode uint32, dev int) (err error) {
@@ -1061,23 +1423,31 @@ func Mknodat(dirfd int, path string, mode uint32, dev int) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall6(SYS_MKNODAT, uintptr(dirfd), uintptr(unsafe.Pointer(_p0)), uintptr(mode), uintptr(dev), 0, 0)
+	_, _, e1 := syscall_syscall6(libc_mknodat_trampoline_addr, uintptr(dirfd), uintptr(unsafe.Pointer(_p0)), uintptr(mode), uintptr(dev), 0, 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_mknodat_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_mknodat mknodat "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Nanosleep(time *Timespec, leftover *Timespec) (err error) {
-	_, _, e1 := Syscall(SYS_NANOSLEEP, uintptr(unsafe.Pointer(time)), uintptr(unsafe.Pointer(leftover)), 0)
+	_, _, e1 := syscall_syscall(libc_nanosleep_trampoline_addr, uintptr(unsafe.Pointer(time)), uintptr(unsafe.Pointer(leftover)), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_nanosleep_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_nanosleep nanosleep "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Open(path string, mode int, perm uint32) (fd int, err error) {
@@ -1086,7 +1456,7 @@ func Open(path string, mode int, perm uint32) (fd int, err error) {
 	if err != nil {
 		return
 	}
-	r0, _, e1 := Syscall(SYS_OPEN, uintptr(unsafe.Pointer(_p0)), uintptr(mode), uintptr(perm))
+	r0, _, e1 := syscall_syscall(libc_open_trampoline_addr, uintptr(unsafe.Pointer(_p0)), uintptr(mode), uintptr(perm))
 	fd = int(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -1094,6 +1464,10 @@ func Open(path string, mode int, perm uint32) (fd int, err error) {
 	return
 }
 
+var libc_open_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_open open "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Openat(dirfd int, path string, mode int, perm uint32) (fd int, err error) {
@@ -1102,7 +1476,7 @@ func Openat(dirfd int, path string, mode int, perm uint32) (fd int, err error) {
 	if err != nil {
 		return
 	}
-	r0, _, e1 := Syscall6(SYS_OPENAT, uintptr(dirfd), uintptr(unsafe.Pointer(_p0)), uintptr(mode), uintptr(perm), 0, 0)
+	r0, _, e1 := syscall_syscall6(libc_openat_trampoline_addr, uintptr(dirfd), uintptr(unsafe.Pointer(_p0)), uintptr(mode), uintptr(perm), 0, 0)
 	fd = int(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -1110,6 +1484,10 @@ func Openat(dirfd int, path string, mode int, perm uint32) (fd int, err error) {
 	return
 }
 
+var libc_openat_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_openat openat "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Pathconf(path string, name int) (val int, err error) {
@@ -1118,7 +1496,7 @@ func Pathconf(path string, name int) (val int, err error) {
 	if err != nil {
 		return
 	}
-	r0, _, e1 := Syscall(SYS_PATHCONF, uintptr(unsafe.Pointer(_p0)), uintptr(name), 0)
+	r0, _, e1 := syscall_syscall(libc_pathconf_trampoline_addr, uintptr(unsafe.Pointer(_p0)), uintptr(name), 0)
 	val = int(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -1126,6 +1504,10 @@ func Pathconf(path string, name int) (val int, err error) {
 	return
 }
 
+var libc_pathconf_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_pathconf pathconf "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func pread(fd int, p []byte, offset int64) (n int, err error) {
@@ -1135,7 +1517,7 @@ func pread(fd int, p []byte, offset int64) (n int, err error) {
 	} else {
 		_p0 = unsafe.Pointer(&_zero)
 	}
-	r0, _, e1 := Syscall6(SYS_PREAD, uintptr(fd), uintptr(_p0), uintptr(len(p)), 0, uintptr(offset), 0)
+	r0, _, e1 := syscall_syscall6(libc_pread_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(p)), uintptr(offset), 0, 0)
 	n = int(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -1143,6 +1525,10 @@ func pread(fd int, p []byte, offset int64) (n int, err error) {
 	return
 }
 
+var libc_pread_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_pread pread "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func pwrite(fd int, p []byte, offset int64) (n int, err error) {
@@ -1152,7 +1538,7 @@ func pwrite(fd int, p []byte, offset int64) (n int, err error) {
 	} else {
 		_p0 = unsafe.Pointer(&_zero)
 	}
-	r0, _, e1 := Syscall6(SYS_PWRITE, uintptr(fd), uintptr(_p0), uintptr(len(p)), 0, uintptr(offset), 0)
+	r0, _, e1 := syscall_syscall6(libc_pwrite_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(p)), uintptr(offset), 0, 0)
 	n = int(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -1160,6 +1546,10 @@ func pwrite(fd int, p []byte, offset int64) (n int, err error) {
 	return
 }
 
+var libc_pwrite_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_pwrite pwrite "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func read(fd int, p []byte) (n int, err error) {
@@ -1169,7 +1559,7 @@ func read(fd int, p []byte) (n int, err error) {
 	} else {
 		_p0 = unsafe.Pointer(&_zero)
 	}
-	r0, _, e1 := Syscall(SYS_READ, uintptr(fd), uintptr(_p0), uintptr(len(p)))
+	r0, _, e1 := syscall_syscall(libc_read_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(p)))
 	n = int(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -1177,6 +1567,10 @@ func read(fd int, p []byte) (n int, err error) {
 	return
 }
 
+var libc_read_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_read read "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Readlink(path string, buf []byte) (n int, err error) {
@@ -1191,7 +1585,7 @@ func Readlink(path string, buf []byte) (n int, err error) {
 	} else {
 		_p1 = unsafe.Pointer(&_zero)
 	}
-	r0, _, e1 := Syscall(SYS_READLINK, uintptr(unsafe.Pointer(_p0)), uintptr(_p1), uintptr(len(buf)))
+	r0, _, e1 := syscall_syscall(libc_readlink_trampoline_addr, uintptr(unsafe.Pointer(_p0)), uintptr(_p1), uintptr(len(buf)))
 	n = int(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -1199,6 +1593,10 @@ func Readlink(path string, buf []byte) (n int, err error) {
 	return
 }
 
+var libc_readlink_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_readlink readlink "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Readlinkat(dirfd int, path string, buf []byte) (n int, err error) {
@@ -1213,7 +1611,7 @@ func Readlinkat(dirfd int, path string, buf []byte) (n int, err error) {
 	} else {
 		_p1 = unsafe.Pointer(&_zero)
 	}
-	r0, _, e1 := Syscall6(SYS_READLINKAT, uintptr(dirfd), uintptr(unsafe.Pointer(_p0)), uintptr(_p1), uintptr(len(buf)), 0, 0)
+	r0, _, e1 := syscall_syscall6(libc_readlinkat_trampoline_addr, uintptr(dirfd), uintptr(unsafe.Pointer(_p0)), uintptr(_p1), uintptr(len(buf)), 0, 0)
 	n = int(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -1221,6 +1619,10 @@ func Readlinkat(dirfd int, path string, buf []byte) (n int, err error) {
 	return
 }
 
+var libc_readlinkat_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_readlinkat readlinkat "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Rename(from string, to string) (err error) {
@@ -1234,13 +1636,17 @@ func Rename(from string, to string) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall(SYS_RENAME, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), 0)
+	_, _, e1 := syscall_syscall(libc_rename_trampoline_addr, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_rename_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_rename rename "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Renameat(fromfd int, from string, tofd int, to string) (err error) {
@@ -1254,13 +1660,17 @@ func Renameat(fromfd int, from string, tofd int, to string) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall6(SYS_RENAMEAT, uintptr(fromfd), uintptr(unsafe.Pointer(_p0)), uintptr(tofd), uintptr(unsafe.Pointer(_p1)), 0, 0)
+	_, _, e1 := syscall_syscall6(libc_renameat_trampoline_addr, uintptr(fromfd), uintptr(unsafe.Pointer(_p0)), uintptr(tofd), uintptr(unsafe.Pointer(_p1)), 0, 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_renameat_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_renameat renameat "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Revoke(path string) (err error) {
@@ -1269,13 +1679,17 @@ func Revoke(path string) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall(SYS_REVOKE, uintptr(unsafe.Pointer(_p0)), 0, 0)
+	_, _, e1 := syscall_syscall(libc_revoke_trampoline_addr, uintptr(unsafe.Pointer(_p0)), 0, 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_revoke_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_revoke revoke "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Rmdir(path string) (err error) {
@@ -1284,17 +1698,21 @@ func Rmdir(path string) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall(SYS_RMDIR, uintptr(unsafe.Pointer(_p0)), 0, 0)
+	_, _, e1 := syscall_syscall(libc_rmdir_trampoline_addr, uintptr(unsafe.Pointer(_p0)), 0, 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_rmdir_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_rmdir rmdir "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Seek(fd int, offset int64, whence int) (newoffset int64, err error) {
-	r0, _, e1 := Syscall6(SYS_LSEEK, uintptr(fd), 0, uintptr(offset), uintptr(whence), 0, 0)
+	r0, _, e1 := syscall_syscall(libc_lseek_trampoline_addr, uintptr(fd), uintptr(offset), uintptr(whence))
 	newoffset = int64(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -1302,10 +1720,14 @@ func Seek(fd int, offset int64, whence int) (newoffset int64, err error) {
 	return
 }
 
+var libc_lseek_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_lseek lseek "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Select(nfd int, r *FdSet, w *FdSet, e *FdSet, timeout *Timeval) (n int, err error) {
-	r0, _, e1 := Syscall6(SYS_SELECT, uintptr(nfd), uintptr(unsafe.Pointer(r)), uintptr(unsafe.Pointer(w)), uintptr(unsafe.Pointer(e)), uintptr(unsafe.Pointer(timeout)), 0)
+	r0, _, e1 := syscall_syscall6(libc_select_trampoline_addr, uintptr(nfd), uintptr(unsafe.Pointer(r)), uintptr(unsafe.Pointer(w)), uintptr(unsafe.Pointer(e)), uintptr(unsafe.Pointer(timeout)), 0)
 	n = int(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -1313,36 +1735,52 @@ func Select(nfd int, r *FdSet, w *FdSet, e *FdSet, timeout *Timeval) (n int, err
 	return
 }
 
+var libc_select_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_select select "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Setegid(egid int) (err error) {
-	_, _, e1 := RawSyscall(SYS_SETEGID, uintptr(egid), 0, 0)
+	_, _, e1 := syscall_rawSyscall(libc_setegid_trampoline_addr, uintptr(egid), 0, 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_setegid_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_setegid setegid "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Seteuid(euid int) (err error) {
-	_, _, e1 := RawSyscall(SYS_SETEUID, uintptr(euid), 0, 0)
+	_, _, e1 := syscall_rawSyscall(libc_seteuid_trampoline_addr, uintptr(euid), 0, 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_seteuid_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_seteuid seteuid "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Setgid(gid int) (err error) {
-	_, _, e1 := RawSyscall(SYS_SETGID, uintptr(gid), 0, 0)
+	_, _, e1 := syscall_rawSyscall(libc_setgid_trampoline_addr, uintptr(gid), 0, 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_setgid_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_setgid setgid "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Setlogin(name string) (err error) {
@@ -1351,97 +1789,133 @@ func Setlogin(name string) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall(SYS_SETLOGIN, uintptr(unsafe.Pointer(_p0)), 0, 0)
+	_, _, e1 := syscall_syscall(libc_setlogin_trampoline_addr, uintptr(unsafe.Pointer(_p0)), 0, 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_setlogin_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_setlogin setlogin "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Setpgid(pid int, pgid int) (err error) {
-	_, _, e1 := RawSyscall(SYS_SETPGID, uintptr(pid), uintptr(pgid), 0)
+	_, _, e1 := syscall_rawSyscall(libc_setpgid_trampoline_addr, uintptr(pid), uintptr(pgid), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_setpgid_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_setpgid setpgid "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Setpriority(which int, who int, prio int) (err error) {
-	_, _, e1 := Syscall(SYS_SETPRIORITY, uintptr(which), uintptr(who), uintptr(prio))
+	_, _, e1 := syscall_syscall(libc_setpriority_trampoline_addr, uintptr(which), uintptr(who), uintptr(prio))
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_setpriority_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_setpriority setpriority "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Setregid(rgid int, egid int) (err error) {
-	_, _, e1 := RawSyscall(SYS_SETREGID, uintptr(rgid), uintptr(egid), 0)
+	_, _, e1 := syscall_rawSyscall(libc_setregid_trampoline_addr, uintptr(rgid), uintptr(egid), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_setregid_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_setregid setregid "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Setreuid(ruid int, euid int) (err error) {
-	_, _, e1 := RawSyscall(SYS_SETREUID, uintptr(ruid), uintptr(euid), 0)
+	_, _, e1 := syscall_rawSyscall(libc_setreuid_trampoline_addr, uintptr(ruid), uintptr(euid), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_setreuid_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_setreuid setreuid "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Setresgid(rgid int, egid int, sgid int) (err error) {
-	_, _, e1 := RawSyscall(SYS_SETRESGID, uintptr(rgid), uintptr(egid), uintptr(sgid))
+	_, _, e1 := syscall_rawSyscall(libc_setresgid_trampoline_addr, uintptr(rgid), uintptr(egid), uintptr(sgid))
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_setresgid_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_setresgid setresgid "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Setresuid(ruid int, euid int, suid int) (err error) {
-	_, _, e1 := RawSyscall(SYS_SETRESUID, uintptr(ruid), uintptr(euid), uintptr(suid))
+	_, _, e1 := syscall_rawSyscall(libc_setresuid_trampoline_addr, uintptr(ruid), uintptr(euid), uintptr(suid))
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_setresuid_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_setresuid setresuid "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Setrlimit(which int, lim *Rlimit) (err error) {
-	_, _, e1 := RawSyscall(SYS_SETRLIMIT, uintptr(which), uintptr(unsafe.Pointer(lim)), 0)
+	_, _, e1 := syscall_rawSyscall(libc_setrlimit_trampoline_addr, uintptr(which), uintptr(unsafe.Pointer(lim)), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_setrlimit_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_setrlimit setrlimit "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Setrtable(rtable int) (err error) {
-	_, _, e1 := RawSyscall(SYS_SETRTABLE, uintptr(rtable), 0, 0)
+	_, _, e1 := syscall_rawSyscall(libc_setrtable_trampoline_addr, uintptr(rtable), 0, 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_setrtable_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_setrtable setrtable "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Setsid() (pid int, err error) {
-	r0, _, e1 := RawSyscall(SYS_SETSID, 0, 0, 0)
+	r0, _, e1 := syscall_rawSyscall(libc_setsid_trampoline_addr, 0, 0, 0)
 	pid = int(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -1449,26 +1923,38 @@ func Setsid() (pid int, err error) {
 	return
 }
 
+var libc_setsid_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_setsid setsid "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Settimeofday(tp *Timeval) (err error) {
-	_, _, e1 := RawSyscall(SYS_SETTIMEOFDAY, uintptr(unsafe.Pointer(tp)), 0, 0)
+	_, _, e1 := syscall_rawSyscall(libc_settimeofday_trampoline_addr, uintptr(unsafe.Pointer(tp)), 0, 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_settimeofday_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_settimeofday settimeofday "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Setuid(uid int) (err error) {
-	_, _, e1 := RawSyscall(SYS_SETUID, uintptr(uid), 0, 0)
+	_, _, e1 := syscall_rawSyscall(libc_setuid_trampoline_addr, uintptr(uid), 0, 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_setuid_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_setuid setuid "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Stat(path string, stat *Stat_t) (err error) {
@@ -1477,13 +1963,17 @@ func Stat(path string, stat *Stat_t) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall(SYS_STAT, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(stat)), 0)
+	_, _, e1 := syscall_syscall(libc_stat_trampoline_addr, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(stat)), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_stat_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_stat stat "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Statfs(path string, stat *Statfs_t) (err error) {
@@ -1492,13 +1982,17 @@ func Statfs(path string, stat *Statfs_t) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall(SYS_STATFS, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(stat)), 0)
+	_, _, e1 := syscall_syscall(libc_statfs_trampoline_addr, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(stat)), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_statfs_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_statfs statfs "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Symlink(path string, link string) (err error) {
@@ -1512,13 +2006,17 @@ func Symlink(path string, link string) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall(SYS_SYMLINK, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), 0)
+	_, _, e1 := syscall_syscall(libc_symlink_trampoline_addr, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_symlink_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_symlink symlink "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Symlinkat(oldpath string, newdirfd int, newpath string) (err error) {
@@ -1532,23 +2030,31 @@ func Symlinkat(oldpath string, newdirfd int, newpath string) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall(SYS_SYMLINKAT, uintptr(unsafe.Pointer(_p0)), uintptr(newdirfd), uintptr(unsafe.Pointer(_p1)))
+	_, _, e1 := syscall_syscall(libc_symlinkat_trampoline_addr, uintptr(unsafe.Pointer(_p0)), uintptr(newdirfd), uintptr(unsafe.Pointer(_p1)))
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_symlinkat_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_symlinkat symlinkat "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Sync() (err error) {
-	_, _, e1 := Syscall(SYS_SYNC, 0, 0, 0)
+	_, _, e1 := syscall_syscall(libc_sync_trampoline_addr, 0, 0, 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_sync_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_sync sync "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Truncate(path string, length int64) (err error) {
@@ -1557,21 +2063,29 @@ func Truncate(path string, length int64) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall(SYS_TRUNCATE, uintptr(unsafe.Pointer(_p0)), 0, uintptr(length))
+	_, _, e1 := syscall_syscall(libc_truncate_trampoline_addr, uintptr(unsafe.Pointer(_p0)), uintptr(length), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_truncate_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_truncate truncate "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Umask(newmask int) (oldmask int) {
-	r0, _, _ := Syscall(SYS_UMASK, uintptr(newmask), 0, 0)
+	r0, _, _ := syscall_syscall(libc_umask_trampoline_addr, uintptr(newmask), 0, 0)
 	oldmask = int(r0)
 	return
 }
 
+var libc_umask_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_umask umask "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Unlink(path string) (err error) {
@@ -1580,13 +2094,17 @@ func Unlink(path string) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall(SYS_UNLINK, uintptr(unsafe.Pointer(_p0)), 0, 0)
+	_, _, e1 := syscall_syscall(libc_unlink_trampoline_addr, uintptr(unsafe.Pointer(_p0)), 0, 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_unlink_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_unlink unlink "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Unlinkat(dirfd int, path string, flags int) (err error) {
@@ -1595,13 +2113,17 @@ func Unlinkat(dirfd int, path string, flags int) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall(SYS_UNLINKAT, uintptr(dirfd), uintptr(unsafe.Pointer(_p0)), uintptr(flags))
+	_, _, e1 := syscall_syscall(libc_unlinkat_trampoline_addr, uintptr(dirfd), uintptr(unsafe.Pointer(_p0)), uintptr(flags))
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_unlinkat_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_unlinkat unlinkat "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func Unmount(path string, flags int) (err error) {
@@ -1610,13 +2132,17 @@ func Unmount(path string, flags int) (err error) {
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall(SYS_UNMOUNT, uintptr(unsafe.Pointer(_p0)), uintptr(flags), 0)
+	_, _, e1 := syscall_syscall(libc_unmount_trampoline_addr, uintptr(unsafe.Pointer(_p0)), uintptr(flags), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_unmount_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_unmount unmount "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func write(fd int, p []byte) (n int, err error) {
@@ -1626,7 +2152,7 @@ func write(fd int, p []byte) (n int, err error) {
 	} else {
 		_p0 = unsafe.Pointer(&_zero)
 	}
-	r0, _, e1 := Syscall(SYS_WRITE, uintptr(fd), uintptr(_p0), uintptr(len(p)))
+	r0, _, e1 := syscall_syscall(libc_write_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(p)))
 	n = int(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -1634,10 +2160,14 @@ func write(fd int, p []byte) (n int, err error) {
 	return
 }
 
+var libc_write_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_write write "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func mmap(addr uintptr, length uintptr, prot int, flag int, fd int, pos int64) (ret uintptr, err error) {
-	r0, _, e1 := Syscall9(SYS_MMAP, uintptr(addr), uintptr(length), uintptr(prot), uintptr(flag), uintptr(fd), 0, uintptr(pos), 0, 0)
+	r0, _, e1 := syscall_syscall6(libc_mmap_trampoline_addr, uintptr(addr), uintptr(length), uintptr(prot), uintptr(flag), uintptr(fd), uintptr(pos))
 	ret = uintptr(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -1645,20 +2175,28 @@ func mmap(addr uintptr, length uintptr, prot int, flag int, fd int, pos int64) (
 	return
 }
 
+var libc_mmap_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_mmap mmap "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func munmap(addr uintptr, length uintptr) (err error) {
-	_, _, e1 := Syscall(SYS_MUNMAP, uintptr(addr), uintptr(length), 0)
+	_, _, e1 := syscall_syscall(libc_munmap_trampoline_addr, uintptr(addr), uintptr(length), 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
+var libc_munmap_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_munmap munmap "libc.so"
+
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func readlen(fd int, buf *byte, nbuf int) (n int, err error) {
-	r0, _, e1 := Syscall(SYS_READ, uintptr(fd), uintptr(unsafe.Pointer(buf)), uintptr(nbuf))
+	r0, _, e1 := syscall_syscall(libc_read_trampoline_addr, uintptr(fd), uintptr(unsafe.Pointer(buf)), uintptr(nbuf))
 	n = int(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -1669,7 +2207,7 @@ func readlen(fd int, buf *byte, nbuf int) (n int, err error) {
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
 func writelen(fd int, buf *byte, nbuf int) (n int, err error) {
-	r0, _, e1 := Syscall(SYS_WRITE, uintptr(fd), uintptr(unsafe.Pointer(buf)), uintptr(nbuf))
+	r0, _, e1 := syscall_syscall(libc_write_trampoline_addr, uintptr(fd), uintptr(unsafe.Pointer(buf)), uintptr(nbuf))
 	n = int(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
@@ -1685,9 +2223,13 @@ func utimensat(dirfd int, path string, times *[2]Timespec, flags int) (err error
 	if err != nil {
 		return
 	}
-	_, _, e1 := Syscall6(SYS_UTIMENSAT, uintptr(dirfd), uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(times)), uintptr(flags), 0, 0)
+	_, _, e1 := syscall_syscall6(libc_utimensat_trampoline_addr, uintptr(dirfd), uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(times)), uintptr(flags), 0, 0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
+
+var libc_utimensat_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_utimensat utimensat "libc.so"
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.s b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.s
new file mode 100644
index 000000000..55af27263
--- /dev/null
+++ b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.s
@@ -0,0 +1,669 @@
+// go run mkasm.go openbsd mips64
+// Code generated by the command above; DO NOT EDIT.
+
+#include "textflag.h"
+
+TEXT libc_getgroups_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_getgroups(SB)
+GLOBL	·libc_getgroups_trampoline_addr(SB), RODATA, $8
+DATA	·libc_getgroups_trampoline_addr(SB)/8, $libc_getgroups_trampoline<>(SB)
+
+TEXT libc_setgroups_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_setgroups(SB)
+GLOBL	·libc_setgroups_trampoline_addr(SB), RODATA, $8
+DATA	·libc_setgroups_trampoline_addr(SB)/8, $libc_setgroups_trampoline<>(SB)
+
+TEXT libc_wait4_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_wait4(SB)
+GLOBL	·libc_wait4_trampoline_addr(SB), RODATA, $8
+DATA	·libc_wait4_trampoline_addr(SB)/8, $libc_wait4_trampoline<>(SB)
+
+TEXT libc_accept_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_accept(SB)
+GLOBL	·libc_accept_trampoline_addr(SB), RODATA, $8
+DATA	·libc_accept_trampoline_addr(SB)/8, $libc_accept_trampoline<>(SB)
+
+TEXT libc_bind_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_bind(SB)
+GLOBL	·libc_bind_trampoline_addr(SB), RODATA, $8
+DATA	·libc_bind_trampoline_addr(SB)/8, $libc_bind_trampoline<>(SB)
+
+TEXT libc_connect_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_connect(SB)
+GLOBL	·libc_connect_trampoline_addr(SB), RODATA, $8
+DATA	·libc_connect_trampoline_addr(SB)/8, $libc_connect_trampoline<>(SB)
+
+TEXT libc_socket_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_socket(SB)
+GLOBL	·libc_socket_trampoline_addr(SB), RODATA, $8
+DATA	·libc_socket_trampoline_addr(SB)/8, $libc_socket_trampoline<>(SB)
+
+TEXT libc_getsockopt_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_getsockopt(SB)
+GLOBL	·libc_getsockopt_trampoline_addr(SB), RODATA, $8
+DATA	·libc_getsockopt_trampoline_addr(SB)/8, $libc_getsockopt_trampoline<>(SB)
+
+TEXT libc_setsockopt_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_setsockopt(SB)
+GLOBL	·libc_setsockopt_trampoline_addr(SB), RODATA, $8
+DATA	·libc_setsockopt_trampoline_addr(SB)/8, $libc_setsockopt_trampoline<>(SB)
+
+TEXT libc_getpeername_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_getpeername(SB)
+GLOBL	·libc_getpeername_trampoline_addr(SB), RODATA, $8
+DATA	·libc_getpeername_trampoline_addr(SB)/8, $libc_getpeername_trampoline<>(SB)
+
+TEXT libc_getsockname_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_getsockname(SB)
+GLOBL	·libc_getsockname_trampoline_addr(SB), RODATA, $8
+DATA	·libc_getsockname_trampoline_addr(SB)/8, $libc_getsockname_trampoline<>(SB)
+
+TEXT libc_shutdown_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_shutdown(SB)
+GLOBL	·libc_shutdown_trampoline_addr(SB), RODATA, $8
+DATA	·libc_shutdown_trampoline_addr(SB)/8, $libc_shutdown_trampoline<>(SB)
+
+TEXT libc_socketpair_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_socketpair(SB)
+GLOBL	·libc_socketpair_trampoline_addr(SB), RODATA, $8
+DATA	·libc_socketpair_trampoline_addr(SB)/8, $libc_socketpair_trampoline<>(SB)
+
+TEXT libc_recvfrom_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_recvfrom(SB)
+GLOBL	·libc_recvfrom_trampoline_addr(SB), RODATA, $8
+DATA	·libc_recvfrom_trampoline_addr(SB)/8, $libc_recvfrom_trampoline<>(SB)
+
+TEXT libc_sendto_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_sendto(SB)
+GLOBL	·libc_sendto_trampoline_addr(SB), RODATA, $8
+DATA	·libc_sendto_trampoline_addr(SB)/8, $libc_sendto_trampoline<>(SB)
+
+TEXT libc_recvmsg_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_recvmsg(SB)
+GLOBL	·libc_recvmsg_trampoline_addr(SB), RODATA, $8
+DATA	·libc_recvmsg_trampoline_addr(SB)/8, $libc_recvmsg_trampoline<>(SB)
+
+TEXT libc_sendmsg_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_sendmsg(SB)
+GLOBL	·libc_sendmsg_trampoline_addr(SB), RODATA, $8
+DATA	·libc_sendmsg_trampoline_addr(SB)/8, $libc_sendmsg_trampoline<>(SB)
+
+TEXT libc_kevent_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_kevent(SB)
+GLOBL	·libc_kevent_trampoline_addr(SB), RODATA, $8
+DATA	·libc_kevent_trampoline_addr(SB)/8, $libc_kevent_trampoline<>(SB)
+
+TEXT libc_utimes_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_utimes(SB)
+GLOBL	·libc_utimes_trampoline_addr(SB), RODATA, $8
+DATA	·libc_utimes_trampoline_addr(SB)/8, $libc_utimes_trampoline<>(SB)
+
+TEXT libc_futimes_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_futimes(SB)
+GLOBL	·libc_futimes_trampoline_addr(SB), RODATA, $8
+DATA	·libc_futimes_trampoline_addr(SB)/8, $libc_futimes_trampoline<>(SB)
+
+TEXT libc_poll_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_poll(SB)
+GLOBL	·libc_poll_trampoline_addr(SB), RODATA, $8
+DATA	·libc_poll_trampoline_addr(SB)/8, $libc_poll_trampoline<>(SB)
+
+TEXT libc_madvise_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_madvise(SB)
+GLOBL	·libc_madvise_trampoline_addr(SB), RODATA, $8
+DATA	·libc_madvise_trampoline_addr(SB)/8, $libc_madvise_trampoline<>(SB)
+
+TEXT libc_mlock_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_mlock(SB)
+GLOBL	·libc_mlock_trampoline_addr(SB), RODATA, $8
+DATA	·libc_mlock_trampoline_addr(SB)/8, $libc_mlock_trampoline<>(SB)
+
+TEXT libc_mlockall_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_mlockall(SB)
+GLOBL	·libc_mlockall_trampoline_addr(SB), RODATA, $8
+DATA	·libc_mlockall_trampoline_addr(SB)/8, $libc_mlockall_trampoline<>(SB)
+
+TEXT libc_mprotect_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_mprotect(SB)
+GLOBL	·libc_mprotect_trampoline_addr(SB), RODATA, $8
+DATA	·libc_mprotect_trampoline_addr(SB)/8, $libc_mprotect_trampoline<>(SB)
+
+TEXT libc_msync_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_msync(SB)
+GLOBL	·libc_msync_trampoline_addr(SB), RODATA, $8
+DATA	·libc_msync_trampoline_addr(SB)/8, $libc_msync_trampoline<>(SB)
+
+TEXT libc_munlock_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_munlock(SB)
+GLOBL	·libc_munlock_trampoline_addr(SB), RODATA, $8
+DATA	·libc_munlock_trampoline_addr(SB)/8, $libc_munlock_trampoline<>(SB)
+
+TEXT libc_munlockall_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_munlockall(SB)
+GLOBL	·libc_munlockall_trampoline_addr(SB), RODATA, $8
+DATA	·libc_munlockall_trampoline_addr(SB)/8, $libc_munlockall_trampoline<>(SB)
+
+TEXT libc_pipe2_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_pipe2(SB)
+GLOBL	·libc_pipe2_trampoline_addr(SB), RODATA, $8
+DATA	·libc_pipe2_trampoline_addr(SB)/8, $libc_pipe2_trampoline<>(SB)
+
+TEXT libc_getdents_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_getdents(SB)
+GLOBL	·libc_getdents_trampoline_addr(SB), RODATA, $8
+DATA	·libc_getdents_trampoline_addr(SB)/8, $libc_getdents_trampoline<>(SB)
+
+TEXT libc_getcwd_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_getcwd(SB)
+GLOBL	·libc_getcwd_trampoline_addr(SB), RODATA, $8
+DATA	·libc_getcwd_trampoline_addr(SB)/8, $libc_getcwd_trampoline<>(SB)
+
+TEXT libc_ioctl_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_ioctl(SB)
+GLOBL	·libc_ioctl_trampoline_addr(SB), RODATA, $8
+DATA	·libc_ioctl_trampoline_addr(SB)/8, $libc_ioctl_trampoline<>(SB)
+
+TEXT libc_sysctl_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_sysctl(SB)
+GLOBL	·libc_sysctl_trampoline_addr(SB), RODATA, $8
+DATA	·libc_sysctl_trampoline_addr(SB)/8, $libc_sysctl_trampoline<>(SB)
+
+TEXT libc_ppoll_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_ppoll(SB)
+GLOBL	·libc_ppoll_trampoline_addr(SB), RODATA, $8
+DATA	·libc_ppoll_trampoline_addr(SB)/8, $libc_ppoll_trampoline<>(SB)
+
+TEXT libc_access_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_access(SB)
+GLOBL	·libc_access_trampoline_addr(SB), RODATA, $8
+DATA	·libc_access_trampoline_addr(SB)/8, $libc_access_trampoline<>(SB)
+
+TEXT libc_adjtime_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_adjtime(SB)
+GLOBL	·libc_adjtime_trampoline_addr(SB), RODATA, $8
+DATA	·libc_adjtime_trampoline_addr(SB)/8, $libc_adjtime_trampoline<>(SB)
+
+TEXT libc_chdir_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_chdir(SB)
+GLOBL	·libc_chdir_trampoline_addr(SB), RODATA, $8
+DATA	·libc_chdir_trampoline_addr(SB)/8, $libc_chdir_trampoline<>(SB)
+
+TEXT libc_chflags_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_chflags(SB)
+GLOBL	·libc_chflags_trampoline_addr(SB), RODATA, $8
+DATA	·libc_chflags_trampoline_addr(SB)/8, $libc_chflags_trampoline<>(SB)
+
+TEXT libc_chmod_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_chmod(SB)
+GLOBL	·libc_chmod_trampoline_addr(SB), RODATA, $8
+DATA	·libc_chmod_trampoline_addr(SB)/8, $libc_chmod_trampoline<>(SB)
+
+TEXT libc_chown_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_chown(SB)
+GLOBL	·libc_chown_trampoline_addr(SB), RODATA, $8
+DATA	·libc_chown_trampoline_addr(SB)/8, $libc_chown_trampoline<>(SB)
+
+TEXT libc_chroot_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_chroot(SB)
+GLOBL	·libc_chroot_trampoline_addr(SB), RODATA, $8
+DATA	·libc_chroot_trampoline_addr(SB)/8, $libc_chroot_trampoline<>(SB)
+
+TEXT libc_clock_gettime_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_clock_gettime(SB)
+GLOBL	·libc_clock_gettime_trampoline_addr(SB), RODATA, $8
+DATA	·libc_clock_gettime_trampoline_addr(SB)/8, $libc_clock_gettime_trampoline<>(SB)
+
+TEXT libc_close_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_close(SB)
+GLOBL	·libc_close_trampoline_addr(SB), RODATA, $8
+DATA	·libc_close_trampoline_addr(SB)/8, $libc_close_trampoline<>(SB)
+
+TEXT libc_dup_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_dup(SB)
+GLOBL	·libc_dup_trampoline_addr(SB), RODATA, $8
+DATA	·libc_dup_trampoline_addr(SB)/8, $libc_dup_trampoline<>(SB)
+
+TEXT libc_dup2_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_dup2(SB)
+GLOBL	·libc_dup2_trampoline_addr(SB), RODATA, $8
+DATA	·libc_dup2_trampoline_addr(SB)/8, $libc_dup2_trampoline<>(SB)
+
+TEXT libc_dup3_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_dup3(SB)
+GLOBL	·libc_dup3_trampoline_addr(SB), RODATA, $8
+DATA	·libc_dup3_trampoline_addr(SB)/8, $libc_dup3_trampoline<>(SB)
+
+TEXT libc_exit_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_exit(SB)
+GLOBL	·libc_exit_trampoline_addr(SB), RODATA, $8
+DATA	·libc_exit_trampoline_addr(SB)/8, $libc_exit_trampoline<>(SB)
+
+TEXT libc_faccessat_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_faccessat(SB)
+GLOBL	·libc_faccessat_trampoline_addr(SB), RODATA, $8
+DATA	·libc_faccessat_trampoline_addr(SB)/8, $libc_faccessat_trampoline<>(SB)
+
+TEXT libc_fchdir_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_fchdir(SB)
+GLOBL	·libc_fchdir_trampoline_addr(SB), RODATA, $8
+DATA	·libc_fchdir_trampoline_addr(SB)/8, $libc_fchdir_trampoline<>(SB)
+
+TEXT libc_fchflags_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_fchflags(SB)
+GLOBL	·libc_fchflags_trampoline_addr(SB), RODATA, $8
+DATA	·libc_fchflags_trampoline_addr(SB)/8, $libc_fchflags_trampoline<>(SB)
+
+TEXT libc_fchmod_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_fchmod(SB)
+GLOBL	·libc_fchmod_trampoline_addr(SB), RODATA, $8
+DATA	·libc_fchmod_trampoline_addr(SB)/8, $libc_fchmod_trampoline<>(SB)
+
+TEXT libc_fchmodat_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_fchmodat(SB)
+GLOBL	·libc_fchmodat_trampoline_addr(SB), RODATA, $8
+DATA	·libc_fchmodat_trampoline_addr(SB)/8, $libc_fchmodat_trampoline<>(SB)
+
+TEXT libc_fchown_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_fchown(SB)
+GLOBL	·libc_fchown_trampoline_addr(SB), RODATA, $8
+DATA	·libc_fchown_trampoline_addr(SB)/8, $libc_fchown_trampoline<>(SB)
+
+TEXT libc_fchownat_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_fchownat(SB)
+GLOBL	·libc_fchownat_trampoline_addr(SB), RODATA, $8
+DATA	·libc_fchownat_trampoline_addr(SB)/8, $libc_fchownat_trampoline<>(SB)
+
+TEXT libc_flock_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_flock(SB)
+GLOBL	·libc_flock_trampoline_addr(SB), RODATA, $8
+DATA	·libc_flock_trampoline_addr(SB)/8, $libc_flock_trampoline<>(SB)
+
+TEXT libc_fpathconf_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_fpathconf(SB)
+GLOBL	·libc_fpathconf_trampoline_addr(SB), RODATA, $8
+DATA	·libc_fpathconf_trampoline_addr(SB)/8, $libc_fpathconf_trampoline<>(SB)
+
+TEXT libc_fstat_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_fstat(SB)
+GLOBL	·libc_fstat_trampoline_addr(SB), RODATA, $8
+DATA	·libc_fstat_trampoline_addr(SB)/8, $libc_fstat_trampoline<>(SB)
+
+TEXT libc_fstatat_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_fstatat(SB)
+GLOBL	·libc_fstatat_trampoline_addr(SB), RODATA, $8
+DATA	·libc_fstatat_trampoline_addr(SB)/8, $libc_fstatat_trampoline<>(SB)
+
+TEXT libc_fstatfs_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_fstatfs(SB)
+GLOBL	·libc_fstatfs_trampoline_addr(SB), RODATA, $8
+DATA	·libc_fstatfs_trampoline_addr(SB)/8, $libc_fstatfs_trampoline<>(SB)
+
+TEXT libc_fsync_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_fsync(SB)
+GLOBL	·libc_fsync_trampoline_addr(SB), RODATA, $8
+DATA	·libc_fsync_trampoline_addr(SB)/8, $libc_fsync_trampoline<>(SB)
+
+TEXT libc_ftruncate_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_ftruncate(SB)
+GLOBL	·libc_ftruncate_trampoline_addr(SB), RODATA, $8
+DATA	·libc_ftruncate_trampoline_addr(SB)/8, $libc_ftruncate_trampoline<>(SB)
+
+TEXT libc_getegid_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_getegid(SB)
+GLOBL	·libc_getegid_trampoline_addr(SB), RODATA, $8
+DATA	·libc_getegid_trampoline_addr(SB)/8, $libc_getegid_trampoline<>(SB)
+
+TEXT libc_geteuid_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_geteuid(SB)
+GLOBL	·libc_geteuid_trampoline_addr(SB), RODATA, $8
+DATA	·libc_geteuid_trampoline_addr(SB)/8, $libc_geteuid_trampoline<>(SB)
+
+TEXT libc_getgid_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_getgid(SB)
+GLOBL	·libc_getgid_trampoline_addr(SB), RODATA, $8
+DATA	·libc_getgid_trampoline_addr(SB)/8, $libc_getgid_trampoline<>(SB)
+
+TEXT libc_getpgid_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_getpgid(SB)
+GLOBL	·libc_getpgid_trampoline_addr(SB), RODATA, $8
+DATA	·libc_getpgid_trampoline_addr(SB)/8, $libc_getpgid_trampoline<>(SB)
+
+TEXT libc_getpgrp_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_getpgrp(SB)
+GLOBL	·libc_getpgrp_trampoline_addr(SB), RODATA, $8
+DATA	·libc_getpgrp_trampoline_addr(SB)/8, $libc_getpgrp_trampoline<>(SB)
+
+TEXT libc_getpid_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_getpid(SB)
+GLOBL	·libc_getpid_trampoline_addr(SB), RODATA, $8
+DATA	·libc_getpid_trampoline_addr(SB)/8, $libc_getpid_trampoline<>(SB)
+
+TEXT libc_getppid_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_getppid(SB)
+GLOBL	·libc_getppid_trampoline_addr(SB), RODATA, $8
+DATA	·libc_getppid_trampoline_addr(SB)/8, $libc_getppid_trampoline<>(SB)
+
+TEXT libc_getpriority_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_getpriority(SB)
+GLOBL	·libc_getpriority_trampoline_addr(SB), RODATA, $8
+DATA	·libc_getpriority_trampoline_addr(SB)/8, $libc_getpriority_trampoline<>(SB)
+
+TEXT libc_getrlimit_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_getrlimit(SB)
+GLOBL	·libc_getrlimit_trampoline_addr(SB), RODATA, $8
+DATA	·libc_getrlimit_trampoline_addr(SB)/8, $libc_getrlimit_trampoline<>(SB)
+
+TEXT libc_getrtable_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_getrtable(SB)
+GLOBL	·libc_getrtable_trampoline_addr(SB), RODATA, $8
+DATA	·libc_getrtable_trampoline_addr(SB)/8, $libc_getrtable_trampoline<>(SB)
+
+TEXT libc_getrusage_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_getrusage(SB)
+GLOBL	·libc_getrusage_trampoline_addr(SB), RODATA, $8
+DATA	·libc_getrusage_trampoline_addr(SB)/8, $libc_getrusage_trampoline<>(SB)
+
+TEXT libc_getsid_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_getsid(SB)
+GLOBL	·libc_getsid_trampoline_addr(SB), RODATA, $8
+DATA	·libc_getsid_trampoline_addr(SB)/8, $libc_getsid_trampoline<>(SB)
+
+TEXT libc_gettimeofday_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_gettimeofday(SB)
+GLOBL	·libc_gettimeofday_trampoline_addr(SB), RODATA, $8
+DATA	·libc_gettimeofday_trampoline_addr(SB)/8, $libc_gettimeofday_trampoline<>(SB)
+
+TEXT libc_getuid_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_getuid(SB)
+GLOBL	·libc_getuid_trampoline_addr(SB), RODATA, $8
+DATA	·libc_getuid_trampoline_addr(SB)/8, $libc_getuid_trampoline<>(SB)
+
+TEXT libc_issetugid_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_issetugid(SB)
+GLOBL	·libc_issetugid_trampoline_addr(SB), RODATA, $8
+DATA	·libc_issetugid_trampoline_addr(SB)/8, $libc_issetugid_trampoline<>(SB)
+
+TEXT libc_kill_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_kill(SB)
+GLOBL	·libc_kill_trampoline_addr(SB), RODATA, $8
+DATA	·libc_kill_trampoline_addr(SB)/8, $libc_kill_trampoline<>(SB)
+
+TEXT libc_kqueue_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_kqueue(SB)
+GLOBL	·libc_kqueue_trampoline_addr(SB), RODATA, $8
+DATA	·libc_kqueue_trampoline_addr(SB)/8, $libc_kqueue_trampoline<>(SB)
+
+TEXT libc_lchown_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_lchown(SB)
+GLOBL	·libc_lchown_trampoline_addr(SB), RODATA, $8
+DATA	·libc_lchown_trampoline_addr(SB)/8, $libc_lchown_trampoline<>(SB)
+
+TEXT libc_link_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_link(SB)
+GLOBL	·libc_link_trampoline_addr(SB), RODATA, $8
+DATA	·libc_link_trampoline_addr(SB)/8, $libc_link_trampoline<>(SB)
+
+TEXT libc_linkat_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_linkat(SB)
+GLOBL	·libc_linkat_trampoline_addr(SB), RODATA, $8
+DATA	·libc_linkat_trampoline_addr(SB)/8, $libc_linkat_trampoline<>(SB)
+
+TEXT libc_listen_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_listen(SB)
+GLOBL	·libc_listen_trampoline_addr(SB), RODATA, $8
+DATA	·libc_listen_trampoline_addr(SB)/8, $libc_listen_trampoline<>(SB)
+
+TEXT libc_lstat_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_lstat(SB)
+GLOBL	·libc_lstat_trampoline_addr(SB), RODATA, $8
+DATA	·libc_lstat_trampoline_addr(SB)/8, $libc_lstat_trampoline<>(SB)
+
+TEXT libc_mkdir_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_mkdir(SB)
+GLOBL	·libc_mkdir_trampoline_addr(SB), RODATA, $8
+DATA	·libc_mkdir_trampoline_addr(SB)/8, $libc_mkdir_trampoline<>(SB)
+
+TEXT libc_mkdirat_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_mkdirat(SB)
+GLOBL	·libc_mkdirat_trampoline_addr(SB), RODATA, $8
+DATA	·libc_mkdirat_trampoline_addr(SB)/8, $libc_mkdirat_trampoline<>(SB)
+
+TEXT libc_mkfifo_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_mkfifo(SB)
+GLOBL	·libc_mkfifo_trampoline_addr(SB), RODATA, $8
+DATA	·libc_mkfifo_trampoline_addr(SB)/8, $libc_mkfifo_trampoline<>(SB)
+
+TEXT libc_mkfifoat_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_mkfifoat(SB)
+GLOBL	·libc_mkfifoat_trampoline_addr(SB), RODATA, $8
+DATA	·libc_mkfifoat_trampoline_addr(SB)/8, $libc_mkfifoat_trampoline<>(SB)
+
+TEXT libc_mknod_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_mknod(SB)
+GLOBL	·libc_mknod_trampoline_addr(SB), RODATA, $8
+DATA	·libc_mknod_trampoline_addr(SB)/8, $libc_mknod_trampoline<>(SB)
+
+TEXT libc_mknodat_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_mknodat(SB)
+GLOBL	·libc_mknodat_trampoline_addr(SB), RODATA, $8
+DATA	·libc_mknodat_trampoline_addr(SB)/8, $libc_mknodat_trampoline<>(SB)
+
+TEXT libc_nanosleep_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_nanosleep(SB)
+GLOBL	·libc_nanosleep_trampoline_addr(SB), RODATA, $8
+DATA	·libc_nanosleep_trampoline_addr(SB)/8, $libc_nanosleep_trampoline<>(SB)
+
+TEXT libc_open_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_open(SB)
+GLOBL	·libc_open_trampoline_addr(SB), RODATA, $8
+DATA	·libc_open_trampoline_addr(SB)/8, $libc_open_trampoline<>(SB)
+
+TEXT libc_openat_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_openat(SB)
+GLOBL	·libc_openat_trampoline_addr(SB), RODATA, $8
+DATA	·libc_openat_trampoline_addr(SB)/8, $libc_openat_trampoline<>(SB)
+
+TEXT libc_pathconf_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_pathconf(SB)
+GLOBL	·libc_pathconf_trampoline_addr(SB), RODATA, $8
+DATA	·libc_pathconf_trampoline_addr(SB)/8, $libc_pathconf_trampoline<>(SB)
+
+TEXT libc_pread_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_pread(SB)
+GLOBL	·libc_pread_trampoline_addr(SB), RODATA, $8
+DATA	·libc_pread_trampoline_addr(SB)/8, $libc_pread_trampoline<>(SB)
+
+TEXT libc_pwrite_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_pwrite(SB)
+GLOBL	·libc_pwrite_trampoline_addr(SB), RODATA, $8
+DATA	·libc_pwrite_trampoline_addr(SB)/8, $libc_pwrite_trampoline<>(SB)
+
+TEXT libc_read_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_read(SB)
+GLOBL	·libc_read_trampoline_addr(SB), RODATA, $8
+DATA	·libc_read_trampoline_addr(SB)/8, $libc_read_trampoline<>(SB)
+
+TEXT libc_readlink_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_readlink(SB)
+GLOBL	·libc_readlink_trampoline_addr(SB), RODATA, $8
+DATA	·libc_readlink_trampoline_addr(SB)/8, $libc_readlink_trampoline<>(SB)
+
+TEXT libc_readlinkat_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_readlinkat(SB)
+GLOBL	·libc_readlinkat_trampoline_addr(SB), RODATA, $8
+DATA	·libc_readlinkat_trampoline_addr(SB)/8, $libc_readlinkat_trampoline<>(SB)
+
+TEXT libc_rename_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_rename(SB)
+GLOBL	·libc_rename_trampoline_addr(SB), RODATA, $8
+DATA	·libc_rename_trampoline_addr(SB)/8, $libc_rename_trampoline<>(SB)
+
+TEXT libc_renameat_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_renameat(SB)
+GLOBL	·libc_renameat_trampoline_addr(SB), RODATA, $8
+DATA	·libc_renameat_trampoline_addr(SB)/8, $libc_renameat_trampoline<>(SB)
+
+TEXT libc_revoke_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_revoke(SB)
+GLOBL	·libc_revoke_trampoline_addr(SB), RODATA, $8
+DATA	·libc_revoke_trampoline_addr(SB)/8, $libc_revoke_trampoline<>(SB)
+
+TEXT libc_rmdir_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_rmdir(SB)
+GLOBL	·libc_rmdir_trampoline_addr(SB), RODATA, $8
+DATA	·libc_rmdir_trampoline_addr(SB)/8, $libc_rmdir_trampoline<>(SB)
+
+TEXT libc_lseek_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_lseek(SB)
+GLOBL	·libc_lseek_trampoline_addr(SB), RODATA, $8
+DATA	·libc_lseek_trampoline_addr(SB)/8, $libc_lseek_trampoline<>(SB)
+
+TEXT libc_select_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_select(SB)
+GLOBL	·libc_select_trampoline_addr(SB), RODATA, $8
+DATA	·libc_select_trampoline_addr(SB)/8, $libc_select_trampoline<>(SB)
+
+TEXT libc_setegid_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_setegid(SB)
+GLOBL	·libc_setegid_trampoline_addr(SB), RODATA, $8
+DATA	·libc_setegid_trampoline_addr(SB)/8, $libc_setegid_trampoline<>(SB)
+
+TEXT libc_seteuid_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_seteuid(SB)
+GLOBL	·libc_seteuid_trampoline_addr(SB), RODATA, $8
+DATA	·libc_seteuid_trampoline_addr(SB)/8, $libc_seteuid_trampoline<>(SB)
+
+TEXT libc_setgid_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_setgid(SB)
+GLOBL	·libc_setgid_trampoline_addr(SB), RODATA, $8
+DATA	·libc_setgid_trampoline_addr(SB)/8, $libc_setgid_trampoline<>(SB)
+
+TEXT libc_setlogin_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_setlogin(SB)
+GLOBL	·libc_setlogin_trampoline_addr(SB), RODATA, $8
+DATA	·libc_setlogin_trampoline_addr(SB)/8, $libc_setlogin_trampoline<>(SB)
+
+TEXT libc_setpgid_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_setpgid(SB)
+GLOBL	·libc_setpgid_trampoline_addr(SB), RODATA, $8
+DATA	·libc_setpgid_trampoline_addr(SB)/8, $libc_setpgid_trampoline<>(SB)
+
+TEXT libc_setpriority_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_setpriority(SB)
+GLOBL	·libc_setpriority_trampoline_addr(SB), RODATA, $8
+DATA	·libc_setpriority_trampoline_addr(SB)/8, $libc_setpriority_trampoline<>(SB)
+
+TEXT libc_setregid_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_setregid(SB)
+GLOBL	·libc_setregid_trampoline_addr(SB), RODATA, $8
+DATA	·libc_setregid_trampoline_addr(SB)/8, $libc_setregid_trampoline<>(SB)
+
+TEXT libc_setreuid_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_setreuid(SB)
+GLOBL	·libc_setreuid_trampoline_addr(SB), RODATA, $8
+DATA	·libc_setreuid_trampoline_addr(SB)/8, $libc_setreuid_trampoline<>(SB)
+
+TEXT libc_setresgid_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_setresgid(SB)
+GLOBL	·libc_setresgid_trampoline_addr(SB), RODATA, $8
+DATA	·libc_setresgid_trampoline_addr(SB)/8, $libc_setresgid_trampoline<>(SB)
+
+TEXT libc_setresuid_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_setresuid(SB)
+GLOBL	·libc_setresuid_trampoline_addr(SB), RODATA, $8
+DATA	·libc_setresuid_trampoline_addr(SB)/8, $libc_setresuid_trampoline<>(SB)
+
+TEXT libc_setrlimit_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_setrlimit(SB)
+GLOBL	·libc_setrlimit_trampoline_addr(SB), RODATA, $8
+DATA	·libc_setrlimit_trampoline_addr(SB)/8, $libc_setrlimit_trampoline<>(SB)
+
+TEXT libc_setrtable_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_setrtable(SB)
+GLOBL	·libc_setrtable_trampoline_addr(SB), RODATA, $8
+DATA	·libc_setrtable_trampoline_addr(SB)/8, $libc_setrtable_trampoline<>(SB)
+
+TEXT libc_setsid_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_setsid(SB)
+GLOBL	·libc_setsid_trampoline_addr(SB), RODATA, $8
+DATA	·libc_setsid_trampoline_addr(SB)/8, $libc_setsid_trampoline<>(SB)
+
+TEXT libc_settimeofday_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_settimeofday(SB)
+GLOBL	·libc_settimeofday_trampoline_addr(SB), RODATA, $8
+DATA	·libc_settimeofday_trampoline_addr(SB)/8, $libc_settimeofday_trampoline<>(SB)
+
+TEXT libc_setuid_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_setuid(SB)
+GLOBL	·libc_setuid_trampoline_addr(SB), RODATA, $8
+DATA	·libc_setuid_trampoline_addr(SB)/8, $libc_setuid_trampoline<>(SB)
+
+TEXT libc_stat_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_stat(SB)
+GLOBL	·libc_stat_trampoline_addr(SB), RODATA, $8
+DATA	·libc_stat_trampoline_addr(SB)/8, $libc_stat_trampoline<>(SB)
+
+TEXT libc_statfs_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_statfs(SB)
+GLOBL	·libc_statfs_trampoline_addr(SB), RODATA, $8
+DATA	·libc_statfs_trampoline_addr(SB)/8, $libc_statfs_trampoline<>(SB)
+
+TEXT libc_symlink_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_symlink(SB)
+GLOBL	·libc_symlink_trampoline_addr(SB), RODATA, $8
+DATA	·libc_symlink_trampoline_addr(SB)/8, $libc_symlink_trampoline<>(SB)
+
+TEXT libc_symlinkat_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_symlinkat(SB)
+GLOBL	·libc_symlinkat_trampoline_addr(SB), RODATA, $8
+DATA	·libc_symlinkat_trampoline_addr(SB)/8, $libc_symlinkat_trampoline<>(SB)
+
+TEXT libc_sync_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_sync(SB)
+GLOBL	·libc_sync_trampoline_addr(SB), RODATA, $8
+DATA	·libc_sync_trampoline_addr(SB)/8, $libc_sync_trampoline<>(SB)
+
+TEXT libc_truncate_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_truncate(SB)
+GLOBL	·libc_truncate_trampoline_addr(SB), RODATA, $8
+DATA	·libc_truncate_trampoline_addr(SB)/8, $libc_truncate_trampoline<>(SB)
+
+TEXT libc_umask_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_umask(SB)
+GLOBL	·libc_umask_trampoline_addr(SB), RODATA, $8
+DATA	·libc_umask_trampoline_addr(SB)/8, $libc_umask_trampoline<>(SB)
+
+TEXT libc_unlink_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_unlink(SB)
+GLOBL	·libc_unlink_trampoline_addr(SB), RODATA, $8
+DATA	·libc_unlink_trampoline_addr(SB)/8, $libc_unlink_trampoline<>(SB)
+
+TEXT libc_unlinkat_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_unlinkat(SB)
+GLOBL	·libc_unlinkat_trampoline_addr(SB), RODATA, $8
+DATA	·libc_unlinkat_trampoline_addr(SB)/8, $libc_unlinkat_trampoline<>(SB)
+
+TEXT libc_unmount_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_unmount(SB)
+GLOBL	·libc_unmount_trampoline_addr(SB), RODATA, $8
+DATA	·libc_unmount_trampoline_addr(SB)/8, $libc_unmount_trampoline<>(SB)
+
+TEXT libc_write_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_write(SB)
+GLOBL	·libc_write_trampoline_addr(SB), RODATA, $8
+DATA	·libc_write_trampoline_addr(SB)/8, $libc_write_trampoline<>(SB)
+
+TEXT libc_mmap_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_mmap(SB)
+GLOBL	·libc_mmap_trampoline_addr(SB), RODATA, $8
+DATA	·libc_mmap_trampoline_addr(SB)/8, $libc_mmap_trampoline<>(SB)
+
+TEXT libc_munmap_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_munmap(SB)
+GLOBL	·libc_munmap_trampoline_addr(SB), RODATA, $8
+DATA	·libc_munmap_trampoline_addr(SB)/8, $libc_munmap_trampoline<>(SB)
+
+TEXT libc_utimensat_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_utimensat(SB)
+GLOBL	·libc_utimensat_trampoline_addr(SB), RODATA, $8
+DATA	·libc_utimensat_trampoline_addr(SB)/8, $libc_utimensat_trampoline<>(SB)
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.go b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.go
index c85de2d97..330cf7f7a 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.go
@@ -696,6 +696,20 @@ var libc_chroot_trampoline_addr uintptr
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func ClockGettime(clockid int32, time *Timespec) (err error) {
+	_, _, e1 := syscall_syscall(libc_clock_gettime_trampoline_addr, uintptr(clockid), uintptr(unsafe.Pointer(time)), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_clock_gettime_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_clock_gettime clock_gettime "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Close(fd int) (err error) {
 	_, _, e1 := syscall_syscall(libc_close_trampoline_addr, uintptr(fd), 0, 0)
 	if e1 != 0 {
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.s b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.s
index 7c9223b64..4028255b0 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.s
+++ b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.s
@@ -249,6 +249,12 @@ TEXT libc_chroot_trampoline<>(SB),NOSPLIT,$0-0
 GLOBL	·libc_chroot_trampoline_addr(SB), RODATA, $8
 DATA	·libc_chroot_trampoline_addr(SB)/8, $libc_chroot_trampoline<>(SB)
 
+TEXT libc_clock_gettime_trampoline<>(SB),NOSPLIT,$0-0
+	CALL	libc_clock_gettime(SB)
+	RET
+GLOBL	·libc_clock_gettime_trampoline_addr(SB), RODATA, $8
+DATA	·libc_clock_gettime_trampoline_addr(SB)/8, $libc_clock_gettime_trampoline<>(SB)
+
 TEXT libc_close_trampoline<>(SB),NOSPLIT,$0-0
 	CALL	libc_close(SB)
 	RET
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.go b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.go
index 8e3e7873f..5f24de0d9 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.go
@@ -696,6 +696,20 @@ var libc_chroot_trampoline_addr uintptr
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func ClockGettime(clockid int32, time *Timespec) (err error) {
+	_, _, e1 := syscall_syscall(libc_clock_gettime_trampoline_addr, uintptr(clockid), uintptr(unsafe.Pointer(time)), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_clock_gettime_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_clock_gettime clock_gettime "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Close(fd int) (err error) {
 	_, _, e1 := syscall_syscall(libc_close_trampoline_addr, uintptr(fd), 0, 0)
 	if e1 != 0 {
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.s b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.s
index 7dba78927..e1fbd4dfa 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.s
+++ b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.s
@@ -5,792 +5,665 @@
 
 TEXT libc_getgroups_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getgroups(SB)
-
 GLOBL	·libc_getgroups_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getgroups_trampoline_addr(SB)/8, $libc_getgroups_trampoline<>(SB)
 
 TEXT libc_setgroups_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setgroups(SB)
-
 GLOBL	·libc_setgroups_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setgroups_trampoline_addr(SB)/8, $libc_setgroups_trampoline<>(SB)
 
 TEXT libc_wait4_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_wait4(SB)
-
 GLOBL	·libc_wait4_trampoline_addr(SB), RODATA, $8
 DATA	·libc_wait4_trampoline_addr(SB)/8, $libc_wait4_trampoline<>(SB)
 
 TEXT libc_accept_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_accept(SB)
-
 GLOBL	·libc_accept_trampoline_addr(SB), RODATA, $8
 DATA	·libc_accept_trampoline_addr(SB)/8, $libc_accept_trampoline<>(SB)
 
 TEXT libc_bind_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_bind(SB)
-
 GLOBL	·libc_bind_trampoline_addr(SB), RODATA, $8
 DATA	·libc_bind_trampoline_addr(SB)/8, $libc_bind_trampoline<>(SB)
 
 TEXT libc_connect_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_connect(SB)
-
 GLOBL	·libc_connect_trampoline_addr(SB), RODATA, $8
 DATA	·libc_connect_trampoline_addr(SB)/8, $libc_connect_trampoline<>(SB)
 
 TEXT libc_socket_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_socket(SB)
-
 GLOBL	·libc_socket_trampoline_addr(SB), RODATA, $8
 DATA	·libc_socket_trampoline_addr(SB)/8, $libc_socket_trampoline<>(SB)
 
 TEXT libc_getsockopt_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getsockopt(SB)
-
 GLOBL	·libc_getsockopt_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getsockopt_trampoline_addr(SB)/8, $libc_getsockopt_trampoline<>(SB)
 
 TEXT libc_setsockopt_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setsockopt(SB)
-
 GLOBL	·libc_setsockopt_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setsockopt_trampoline_addr(SB)/8, $libc_setsockopt_trampoline<>(SB)
 
 TEXT libc_getpeername_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getpeername(SB)
-
 GLOBL	·libc_getpeername_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getpeername_trampoline_addr(SB)/8, $libc_getpeername_trampoline<>(SB)
 
 TEXT libc_getsockname_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getsockname(SB)
-
 GLOBL	·libc_getsockname_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getsockname_trampoline_addr(SB)/8, $libc_getsockname_trampoline<>(SB)
 
 TEXT libc_shutdown_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_shutdown(SB)
-
 GLOBL	·libc_shutdown_trampoline_addr(SB), RODATA, $8
 DATA	·libc_shutdown_trampoline_addr(SB)/8, $libc_shutdown_trampoline<>(SB)
 
 TEXT libc_socketpair_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_socketpair(SB)
-
 GLOBL	·libc_socketpair_trampoline_addr(SB), RODATA, $8
 DATA	·libc_socketpair_trampoline_addr(SB)/8, $libc_socketpair_trampoline<>(SB)
 
 TEXT libc_recvfrom_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_recvfrom(SB)
-
 GLOBL	·libc_recvfrom_trampoline_addr(SB), RODATA, $8
 DATA	·libc_recvfrom_trampoline_addr(SB)/8, $libc_recvfrom_trampoline<>(SB)
 
 TEXT libc_sendto_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_sendto(SB)
-
 GLOBL	·libc_sendto_trampoline_addr(SB), RODATA, $8
 DATA	·libc_sendto_trampoline_addr(SB)/8, $libc_sendto_trampoline<>(SB)
 
 TEXT libc_recvmsg_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_recvmsg(SB)
-
 GLOBL	·libc_recvmsg_trampoline_addr(SB), RODATA, $8
 DATA	·libc_recvmsg_trampoline_addr(SB)/8, $libc_recvmsg_trampoline<>(SB)
 
 TEXT libc_sendmsg_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_sendmsg(SB)
-
 GLOBL	·libc_sendmsg_trampoline_addr(SB), RODATA, $8
 DATA	·libc_sendmsg_trampoline_addr(SB)/8, $libc_sendmsg_trampoline<>(SB)
 
 TEXT libc_kevent_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_kevent(SB)
-
 GLOBL	·libc_kevent_trampoline_addr(SB), RODATA, $8
 DATA	·libc_kevent_trampoline_addr(SB)/8, $libc_kevent_trampoline<>(SB)
 
 TEXT libc_utimes_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_utimes(SB)
-
 GLOBL	·libc_utimes_trampoline_addr(SB), RODATA, $8
 DATA	·libc_utimes_trampoline_addr(SB)/8, $libc_utimes_trampoline<>(SB)
 
 TEXT libc_futimes_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_futimes(SB)
-
 GLOBL	·libc_futimes_trampoline_addr(SB), RODATA, $8
 DATA	·libc_futimes_trampoline_addr(SB)/8, $libc_futimes_trampoline<>(SB)
 
 TEXT libc_poll_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_poll(SB)
-
 GLOBL	·libc_poll_trampoline_addr(SB), RODATA, $8
 DATA	·libc_poll_trampoline_addr(SB)/8, $libc_poll_trampoline<>(SB)
 
 TEXT libc_madvise_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_madvise(SB)
-
 GLOBL	·libc_madvise_trampoline_addr(SB), RODATA, $8
 DATA	·libc_madvise_trampoline_addr(SB)/8, $libc_madvise_trampoline<>(SB)
 
 TEXT libc_mlock_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mlock(SB)
-
 GLOBL	·libc_mlock_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mlock_trampoline_addr(SB)/8, $libc_mlock_trampoline<>(SB)
 
 TEXT libc_mlockall_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mlockall(SB)
-
 GLOBL	·libc_mlockall_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mlockall_trampoline_addr(SB)/8, $libc_mlockall_trampoline<>(SB)
 
 TEXT libc_mprotect_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mprotect(SB)
-
 GLOBL	·libc_mprotect_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mprotect_trampoline_addr(SB)/8, $libc_mprotect_trampoline<>(SB)
 
 TEXT libc_msync_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_msync(SB)
-
 GLOBL	·libc_msync_trampoline_addr(SB), RODATA, $8
 DATA	·libc_msync_trampoline_addr(SB)/8, $libc_msync_trampoline<>(SB)
 
 TEXT libc_munlock_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_munlock(SB)
-
 GLOBL	·libc_munlock_trampoline_addr(SB), RODATA, $8
 DATA	·libc_munlock_trampoline_addr(SB)/8, $libc_munlock_trampoline<>(SB)
 
 TEXT libc_munlockall_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_munlockall(SB)
-
 GLOBL	·libc_munlockall_trampoline_addr(SB), RODATA, $8
 DATA	·libc_munlockall_trampoline_addr(SB)/8, $libc_munlockall_trampoline<>(SB)
 
 TEXT libc_pipe2_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_pipe2(SB)
-
 GLOBL	·libc_pipe2_trampoline_addr(SB), RODATA, $8
 DATA	·libc_pipe2_trampoline_addr(SB)/8, $libc_pipe2_trampoline<>(SB)
 
 TEXT libc_getdents_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getdents(SB)
-
 GLOBL	·libc_getdents_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getdents_trampoline_addr(SB)/8, $libc_getdents_trampoline<>(SB)
 
 TEXT libc_getcwd_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getcwd(SB)
-
 GLOBL	·libc_getcwd_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getcwd_trampoline_addr(SB)/8, $libc_getcwd_trampoline<>(SB)
 
 TEXT libc_ioctl_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_ioctl(SB)
-
 GLOBL	·libc_ioctl_trampoline_addr(SB), RODATA, $8
 DATA	·libc_ioctl_trampoline_addr(SB)/8, $libc_ioctl_trampoline<>(SB)
 
 TEXT libc_sysctl_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_sysctl(SB)
-
 GLOBL	·libc_sysctl_trampoline_addr(SB), RODATA, $8
 DATA	·libc_sysctl_trampoline_addr(SB)/8, $libc_sysctl_trampoline<>(SB)
 
 TEXT libc_ppoll_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_ppoll(SB)
-
 GLOBL	·libc_ppoll_trampoline_addr(SB), RODATA, $8
 DATA	·libc_ppoll_trampoline_addr(SB)/8, $libc_ppoll_trampoline<>(SB)
 
 TEXT libc_access_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_access(SB)
-
 GLOBL	·libc_access_trampoline_addr(SB), RODATA, $8
 DATA	·libc_access_trampoline_addr(SB)/8, $libc_access_trampoline<>(SB)
 
 TEXT libc_adjtime_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_adjtime(SB)
-
 GLOBL	·libc_adjtime_trampoline_addr(SB), RODATA, $8
 DATA	·libc_adjtime_trampoline_addr(SB)/8, $libc_adjtime_trampoline<>(SB)
 
 TEXT libc_chdir_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_chdir(SB)
-
 GLOBL	·libc_chdir_trampoline_addr(SB), RODATA, $8
 DATA	·libc_chdir_trampoline_addr(SB)/8, $libc_chdir_trampoline<>(SB)
 
 TEXT libc_chflags_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_chflags(SB)
-
 GLOBL	·libc_chflags_trampoline_addr(SB), RODATA, $8
 DATA	·libc_chflags_trampoline_addr(SB)/8, $libc_chflags_trampoline<>(SB)
 
 TEXT libc_chmod_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_chmod(SB)
-
 GLOBL	·libc_chmod_trampoline_addr(SB), RODATA, $8
 DATA	·libc_chmod_trampoline_addr(SB)/8, $libc_chmod_trampoline<>(SB)
 
 TEXT libc_chown_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_chown(SB)
-
 GLOBL	·libc_chown_trampoline_addr(SB), RODATA, $8
 DATA	·libc_chown_trampoline_addr(SB)/8, $libc_chown_trampoline<>(SB)
 
 TEXT libc_chroot_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_chroot(SB)
-
 GLOBL	·libc_chroot_trampoline_addr(SB), RODATA, $8
 DATA	·libc_chroot_trampoline_addr(SB)/8, $libc_chroot_trampoline<>(SB)
 
+TEXT libc_clock_gettime_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_clock_gettime(SB)
+GLOBL	·libc_clock_gettime_trampoline_addr(SB), RODATA, $8
+DATA	·libc_clock_gettime_trampoline_addr(SB)/8, $libc_clock_gettime_trampoline<>(SB)
+
 TEXT libc_close_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_close(SB)
-
 GLOBL	·libc_close_trampoline_addr(SB), RODATA, $8
 DATA	·libc_close_trampoline_addr(SB)/8, $libc_close_trampoline<>(SB)
 
 TEXT libc_dup_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_dup(SB)
-
 GLOBL	·libc_dup_trampoline_addr(SB), RODATA, $8
 DATA	·libc_dup_trampoline_addr(SB)/8, $libc_dup_trampoline<>(SB)
 
 TEXT libc_dup2_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_dup2(SB)
-
 GLOBL	·libc_dup2_trampoline_addr(SB), RODATA, $8
 DATA	·libc_dup2_trampoline_addr(SB)/8, $libc_dup2_trampoline<>(SB)
 
 TEXT libc_dup3_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_dup3(SB)
-
 GLOBL	·libc_dup3_trampoline_addr(SB), RODATA, $8
 DATA	·libc_dup3_trampoline_addr(SB)/8, $libc_dup3_trampoline<>(SB)
 
 TEXT libc_exit_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_exit(SB)
-
 GLOBL	·libc_exit_trampoline_addr(SB), RODATA, $8
 DATA	·libc_exit_trampoline_addr(SB)/8, $libc_exit_trampoline<>(SB)
 
 TEXT libc_faccessat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_faccessat(SB)
-
 GLOBL	·libc_faccessat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_faccessat_trampoline_addr(SB)/8, $libc_faccessat_trampoline<>(SB)
 
 TEXT libc_fchdir_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fchdir(SB)
-
 GLOBL	·libc_fchdir_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fchdir_trampoline_addr(SB)/8, $libc_fchdir_trampoline<>(SB)
 
 TEXT libc_fchflags_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fchflags(SB)
-
 GLOBL	·libc_fchflags_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fchflags_trampoline_addr(SB)/8, $libc_fchflags_trampoline<>(SB)
 
 TEXT libc_fchmod_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fchmod(SB)
-
 GLOBL	·libc_fchmod_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fchmod_trampoline_addr(SB)/8, $libc_fchmod_trampoline<>(SB)
 
 TEXT libc_fchmodat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fchmodat(SB)
-
 GLOBL	·libc_fchmodat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fchmodat_trampoline_addr(SB)/8, $libc_fchmodat_trampoline<>(SB)
 
 TEXT libc_fchown_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fchown(SB)
-
 GLOBL	·libc_fchown_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fchown_trampoline_addr(SB)/8, $libc_fchown_trampoline<>(SB)
 
 TEXT libc_fchownat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fchownat(SB)
-
 GLOBL	·libc_fchownat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fchownat_trampoline_addr(SB)/8, $libc_fchownat_trampoline<>(SB)
 
 TEXT libc_flock_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_flock(SB)
-
 GLOBL	·libc_flock_trampoline_addr(SB), RODATA, $8
 DATA	·libc_flock_trampoline_addr(SB)/8, $libc_flock_trampoline<>(SB)
 
 TEXT libc_fpathconf_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fpathconf(SB)
-
 GLOBL	·libc_fpathconf_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fpathconf_trampoline_addr(SB)/8, $libc_fpathconf_trampoline<>(SB)
 
 TEXT libc_fstat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fstat(SB)
-
 GLOBL	·libc_fstat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fstat_trampoline_addr(SB)/8, $libc_fstat_trampoline<>(SB)
 
 TEXT libc_fstatat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fstatat(SB)
-
 GLOBL	·libc_fstatat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fstatat_trampoline_addr(SB)/8, $libc_fstatat_trampoline<>(SB)
 
 TEXT libc_fstatfs_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fstatfs(SB)
-
 GLOBL	·libc_fstatfs_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fstatfs_trampoline_addr(SB)/8, $libc_fstatfs_trampoline<>(SB)
 
 TEXT libc_fsync_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fsync(SB)
-
 GLOBL	·libc_fsync_trampoline_addr(SB), RODATA, $8
 DATA	·libc_fsync_trampoline_addr(SB)/8, $libc_fsync_trampoline<>(SB)
 
 TEXT libc_ftruncate_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_ftruncate(SB)
-
 GLOBL	·libc_ftruncate_trampoline_addr(SB), RODATA, $8
 DATA	·libc_ftruncate_trampoline_addr(SB)/8, $libc_ftruncate_trampoline<>(SB)
 
 TEXT libc_getegid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getegid(SB)
-
 GLOBL	·libc_getegid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getegid_trampoline_addr(SB)/8, $libc_getegid_trampoline<>(SB)
 
 TEXT libc_geteuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_geteuid(SB)
-
 GLOBL	·libc_geteuid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_geteuid_trampoline_addr(SB)/8, $libc_geteuid_trampoline<>(SB)
 
 TEXT libc_getgid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getgid(SB)
-
 GLOBL	·libc_getgid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getgid_trampoline_addr(SB)/8, $libc_getgid_trampoline<>(SB)
 
 TEXT libc_getpgid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getpgid(SB)
-
 GLOBL	·libc_getpgid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getpgid_trampoline_addr(SB)/8, $libc_getpgid_trampoline<>(SB)
 
 TEXT libc_getpgrp_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getpgrp(SB)
-
 GLOBL	·libc_getpgrp_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getpgrp_trampoline_addr(SB)/8, $libc_getpgrp_trampoline<>(SB)
 
 TEXT libc_getpid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getpid(SB)
-
 GLOBL	·libc_getpid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getpid_trampoline_addr(SB)/8, $libc_getpid_trampoline<>(SB)
 
 TEXT libc_getppid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getppid(SB)
-
 GLOBL	·libc_getppid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getppid_trampoline_addr(SB)/8, $libc_getppid_trampoline<>(SB)
 
 TEXT libc_getpriority_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getpriority(SB)
-
 GLOBL	·libc_getpriority_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getpriority_trampoline_addr(SB)/8, $libc_getpriority_trampoline<>(SB)
 
 TEXT libc_getrlimit_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getrlimit(SB)
-
 GLOBL	·libc_getrlimit_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getrlimit_trampoline_addr(SB)/8, $libc_getrlimit_trampoline<>(SB)
 
 TEXT libc_getrtable_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getrtable(SB)
-
 GLOBL	·libc_getrtable_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getrtable_trampoline_addr(SB)/8, $libc_getrtable_trampoline<>(SB)
 
 TEXT libc_getrusage_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getrusage(SB)
-
 GLOBL	·libc_getrusage_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getrusage_trampoline_addr(SB)/8, $libc_getrusage_trampoline<>(SB)
 
 TEXT libc_getsid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getsid(SB)
-
 GLOBL	·libc_getsid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getsid_trampoline_addr(SB)/8, $libc_getsid_trampoline<>(SB)
 
 TEXT libc_gettimeofday_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_gettimeofday(SB)
-
 GLOBL	·libc_gettimeofday_trampoline_addr(SB), RODATA, $8
 DATA	·libc_gettimeofday_trampoline_addr(SB)/8, $libc_gettimeofday_trampoline<>(SB)
 
 TEXT libc_getuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getuid(SB)
-
 GLOBL	·libc_getuid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getuid_trampoline_addr(SB)/8, $libc_getuid_trampoline<>(SB)
 
 TEXT libc_issetugid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_issetugid(SB)
-
 GLOBL	·libc_issetugid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_issetugid_trampoline_addr(SB)/8, $libc_issetugid_trampoline<>(SB)
 
 TEXT libc_kill_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_kill(SB)
-
 GLOBL	·libc_kill_trampoline_addr(SB), RODATA, $8
 DATA	·libc_kill_trampoline_addr(SB)/8, $libc_kill_trampoline<>(SB)
 
 TEXT libc_kqueue_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_kqueue(SB)
-
 GLOBL	·libc_kqueue_trampoline_addr(SB), RODATA, $8
 DATA	·libc_kqueue_trampoline_addr(SB)/8, $libc_kqueue_trampoline<>(SB)
 
 TEXT libc_lchown_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_lchown(SB)
-
 GLOBL	·libc_lchown_trampoline_addr(SB), RODATA, $8
 DATA	·libc_lchown_trampoline_addr(SB)/8, $libc_lchown_trampoline<>(SB)
 
 TEXT libc_link_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_link(SB)
-
 GLOBL	·libc_link_trampoline_addr(SB), RODATA, $8
 DATA	·libc_link_trampoline_addr(SB)/8, $libc_link_trampoline<>(SB)
 
 TEXT libc_linkat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_linkat(SB)
-
 GLOBL	·libc_linkat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_linkat_trampoline_addr(SB)/8, $libc_linkat_trampoline<>(SB)
 
 TEXT libc_listen_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_listen(SB)
-
 GLOBL	·libc_listen_trampoline_addr(SB), RODATA, $8
 DATA	·libc_listen_trampoline_addr(SB)/8, $libc_listen_trampoline<>(SB)
 
 TEXT libc_lstat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_lstat(SB)
-
 GLOBL	·libc_lstat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_lstat_trampoline_addr(SB)/8, $libc_lstat_trampoline<>(SB)
 
 TEXT libc_mkdir_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mkdir(SB)
-
 GLOBL	·libc_mkdir_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mkdir_trampoline_addr(SB)/8, $libc_mkdir_trampoline<>(SB)
 
 TEXT libc_mkdirat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mkdirat(SB)
-
 GLOBL	·libc_mkdirat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mkdirat_trampoline_addr(SB)/8, $libc_mkdirat_trampoline<>(SB)
 
 TEXT libc_mkfifo_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mkfifo(SB)
-
 GLOBL	·libc_mkfifo_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mkfifo_trampoline_addr(SB)/8, $libc_mkfifo_trampoline<>(SB)
 
 TEXT libc_mkfifoat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mkfifoat(SB)
-
 GLOBL	·libc_mkfifoat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mkfifoat_trampoline_addr(SB)/8, $libc_mkfifoat_trampoline<>(SB)
 
 TEXT libc_mknod_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mknod(SB)
-
 GLOBL	·libc_mknod_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mknod_trampoline_addr(SB)/8, $libc_mknod_trampoline<>(SB)
 
 TEXT libc_mknodat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mknodat(SB)
-
 GLOBL	·libc_mknodat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mknodat_trampoline_addr(SB)/8, $libc_mknodat_trampoline<>(SB)
 
 TEXT libc_nanosleep_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_nanosleep(SB)
-
 GLOBL	·libc_nanosleep_trampoline_addr(SB), RODATA, $8
 DATA	·libc_nanosleep_trampoline_addr(SB)/8, $libc_nanosleep_trampoline<>(SB)
 
 TEXT libc_open_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_open(SB)
-
 GLOBL	·libc_open_trampoline_addr(SB), RODATA, $8
 DATA	·libc_open_trampoline_addr(SB)/8, $libc_open_trampoline<>(SB)
 
 TEXT libc_openat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_openat(SB)
-
 GLOBL	·libc_openat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_openat_trampoline_addr(SB)/8, $libc_openat_trampoline<>(SB)
 
 TEXT libc_pathconf_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_pathconf(SB)
-
 GLOBL	·libc_pathconf_trampoline_addr(SB), RODATA, $8
 DATA	·libc_pathconf_trampoline_addr(SB)/8, $libc_pathconf_trampoline<>(SB)
 
 TEXT libc_pread_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_pread(SB)
-
 GLOBL	·libc_pread_trampoline_addr(SB), RODATA, $8
 DATA	·libc_pread_trampoline_addr(SB)/8, $libc_pread_trampoline<>(SB)
 
 TEXT libc_pwrite_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_pwrite(SB)
-
 GLOBL	·libc_pwrite_trampoline_addr(SB), RODATA, $8
 DATA	·libc_pwrite_trampoline_addr(SB)/8, $libc_pwrite_trampoline<>(SB)
 
 TEXT libc_read_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_read(SB)
-
 GLOBL	·libc_read_trampoline_addr(SB), RODATA, $8
 DATA	·libc_read_trampoline_addr(SB)/8, $libc_read_trampoline<>(SB)
 
 TEXT libc_readlink_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_readlink(SB)
-
 GLOBL	·libc_readlink_trampoline_addr(SB), RODATA, $8
 DATA	·libc_readlink_trampoline_addr(SB)/8, $libc_readlink_trampoline<>(SB)
 
 TEXT libc_readlinkat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_readlinkat(SB)
-
 GLOBL	·libc_readlinkat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_readlinkat_trampoline_addr(SB)/8, $libc_readlinkat_trampoline<>(SB)
 
 TEXT libc_rename_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_rename(SB)
-
 GLOBL	·libc_rename_trampoline_addr(SB), RODATA, $8
 DATA	·libc_rename_trampoline_addr(SB)/8, $libc_rename_trampoline<>(SB)
 
 TEXT libc_renameat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_renameat(SB)
-
 GLOBL	·libc_renameat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_renameat_trampoline_addr(SB)/8, $libc_renameat_trampoline<>(SB)
 
 TEXT libc_revoke_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_revoke(SB)
-
 GLOBL	·libc_revoke_trampoline_addr(SB), RODATA, $8
 DATA	·libc_revoke_trampoline_addr(SB)/8, $libc_revoke_trampoline<>(SB)
 
 TEXT libc_rmdir_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_rmdir(SB)
-
 GLOBL	·libc_rmdir_trampoline_addr(SB), RODATA, $8
 DATA	·libc_rmdir_trampoline_addr(SB)/8, $libc_rmdir_trampoline<>(SB)
 
 TEXT libc_lseek_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_lseek(SB)
-
 GLOBL	·libc_lseek_trampoline_addr(SB), RODATA, $8
 DATA	·libc_lseek_trampoline_addr(SB)/8, $libc_lseek_trampoline<>(SB)
 
 TEXT libc_select_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_select(SB)
-
 GLOBL	·libc_select_trampoline_addr(SB), RODATA, $8
 DATA	·libc_select_trampoline_addr(SB)/8, $libc_select_trampoline<>(SB)
 
 TEXT libc_setegid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setegid(SB)
-
 GLOBL	·libc_setegid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setegid_trampoline_addr(SB)/8, $libc_setegid_trampoline<>(SB)
 
 TEXT libc_seteuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_seteuid(SB)
-
 GLOBL	·libc_seteuid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_seteuid_trampoline_addr(SB)/8, $libc_seteuid_trampoline<>(SB)
 
 TEXT libc_setgid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setgid(SB)
-
 GLOBL	·libc_setgid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setgid_trampoline_addr(SB)/8, $libc_setgid_trampoline<>(SB)
 
 TEXT libc_setlogin_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setlogin(SB)
-
 GLOBL	·libc_setlogin_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setlogin_trampoline_addr(SB)/8, $libc_setlogin_trampoline<>(SB)
 
 TEXT libc_setpgid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setpgid(SB)
-
 GLOBL	·libc_setpgid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setpgid_trampoline_addr(SB)/8, $libc_setpgid_trampoline<>(SB)
 
 TEXT libc_setpriority_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setpriority(SB)
-
 GLOBL	·libc_setpriority_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setpriority_trampoline_addr(SB)/8, $libc_setpriority_trampoline<>(SB)
 
 TEXT libc_setregid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setregid(SB)
-
 GLOBL	·libc_setregid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setregid_trampoline_addr(SB)/8, $libc_setregid_trampoline<>(SB)
 
 TEXT libc_setreuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setreuid(SB)
-
 GLOBL	·libc_setreuid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setreuid_trampoline_addr(SB)/8, $libc_setreuid_trampoline<>(SB)
 
 TEXT libc_setresgid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setresgid(SB)
-
 GLOBL	·libc_setresgid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setresgid_trampoline_addr(SB)/8, $libc_setresgid_trampoline<>(SB)
 
 TEXT libc_setresuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setresuid(SB)
-
 GLOBL	·libc_setresuid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setresuid_trampoline_addr(SB)/8, $libc_setresuid_trampoline<>(SB)
 
 TEXT libc_setrlimit_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setrlimit(SB)
-
 GLOBL	·libc_setrlimit_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setrlimit_trampoline_addr(SB)/8, $libc_setrlimit_trampoline<>(SB)
 
 TEXT libc_setrtable_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setrtable(SB)
-
 GLOBL	·libc_setrtable_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setrtable_trampoline_addr(SB)/8, $libc_setrtable_trampoline<>(SB)
 
 TEXT libc_setsid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setsid(SB)
-
 GLOBL	·libc_setsid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setsid_trampoline_addr(SB)/8, $libc_setsid_trampoline<>(SB)
 
 TEXT libc_settimeofday_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_settimeofday(SB)
-
 GLOBL	·libc_settimeofday_trampoline_addr(SB), RODATA, $8
 DATA	·libc_settimeofday_trampoline_addr(SB)/8, $libc_settimeofday_trampoline<>(SB)
 
 TEXT libc_setuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_setuid(SB)
-
 GLOBL	·libc_setuid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_setuid_trampoline_addr(SB)/8, $libc_setuid_trampoline<>(SB)
 
 TEXT libc_stat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_stat(SB)
-
 GLOBL	·libc_stat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_stat_trampoline_addr(SB)/8, $libc_stat_trampoline<>(SB)
 
 TEXT libc_statfs_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_statfs(SB)
-
 GLOBL	·libc_statfs_trampoline_addr(SB), RODATA, $8
 DATA	·libc_statfs_trampoline_addr(SB)/8, $libc_statfs_trampoline<>(SB)
 
 TEXT libc_symlink_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_symlink(SB)
-
 GLOBL	·libc_symlink_trampoline_addr(SB), RODATA, $8
 DATA	·libc_symlink_trampoline_addr(SB)/8, $libc_symlink_trampoline<>(SB)
 
 TEXT libc_symlinkat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_symlinkat(SB)
-
 GLOBL	·libc_symlinkat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_symlinkat_trampoline_addr(SB)/8, $libc_symlinkat_trampoline<>(SB)
 
 TEXT libc_sync_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_sync(SB)
-
 GLOBL	·libc_sync_trampoline_addr(SB), RODATA, $8
 DATA	·libc_sync_trampoline_addr(SB)/8, $libc_sync_trampoline<>(SB)
 
 TEXT libc_truncate_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_truncate(SB)
-
 GLOBL	·libc_truncate_trampoline_addr(SB), RODATA, $8
 DATA	·libc_truncate_trampoline_addr(SB)/8, $libc_truncate_trampoline<>(SB)
 
 TEXT libc_umask_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_umask(SB)
-
 GLOBL	·libc_umask_trampoline_addr(SB), RODATA, $8
 DATA	·libc_umask_trampoline_addr(SB)/8, $libc_umask_trampoline<>(SB)
 
 TEXT libc_unlink_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_unlink(SB)
-
 GLOBL	·libc_unlink_trampoline_addr(SB), RODATA, $8
 DATA	·libc_unlink_trampoline_addr(SB)/8, $libc_unlink_trampoline<>(SB)
 
 TEXT libc_unlinkat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_unlinkat(SB)
-
 GLOBL	·libc_unlinkat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_unlinkat_trampoline_addr(SB)/8, $libc_unlinkat_trampoline<>(SB)
 
 TEXT libc_unmount_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_unmount(SB)
-
 GLOBL	·libc_unmount_trampoline_addr(SB), RODATA, $8
 DATA	·libc_unmount_trampoline_addr(SB)/8, $libc_unmount_trampoline<>(SB)
 
 TEXT libc_write_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_write(SB)
-
 GLOBL	·libc_write_trampoline_addr(SB), RODATA, $8
 DATA	·libc_write_trampoline_addr(SB)/8, $libc_write_trampoline<>(SB)
 
 TEXT libc_mmap_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_mmap(SB)
-
 GLOBL	·libc_mmap_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mmap_trampoline_addr(SB)/8, $libc_mmap_trampoline<>(SB)
 
 TEXT libc_munmap_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_munmap(SB)
-
 GLOBL	·libc_munmap_trampoline_addr(SB), RODATA, $8
 DATA	·libc_munmap_trampoline_addr(SB)/8, $libc_munmap_trampoline<>(SB)
 
 TEXT libc_utimensat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_utimensat(SB)
-
 GLOBL	·libc_utimensat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_utimensat_trampoline_addr(SB)/8, $libc_utimensat_trampoline<>(SB)
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_solaris_amd64.go b/vendor/golang.org/x/sys/unix/zsyscall_solaris_amd64.go
index 91f5a2bde..78d4a4240 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_solaris_amd64.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_solaris_amd64.go
@@ -38,6 +38,7 @@ import (
 //go:cgo_import_dynamic libc_chmod chmod "libc.so"
 //go:cgo_import_dynamic libc_chown chown "libc.so"
 //go:cgo_import_dynamic libc_chroot chroot "libc.so"
+//go:cgo_import_dynamic libc_clockgettime clockgettime "libc.so"
 //go:cgo_import_dynamic libc_close close "libc.so"
 //go:cgo_import_dynamic libc_creat creat "libc.so"
 //go:cgo_import_dynamic libc_dup dup "libc.so"
@@ -177,6 +178,7 @@ import (
 //go:linkname procChmod libc_chmod
 //go:linkname procChown libc_chown
 //go:linkname procChroot libc_chroot
+//go:linkname procClockGettime libc_clockgettime
 //go:linkname procClose libc_close
 //go:linkname procCreat libc_creat
 //go:linkname procDup libc_dup
@@ -317,6 +319,7 @@ var (
 	procChmod,
 	procChown,
 	procChroot,
+	procClockGettime,
 	procClose,
 	procCreat,
 	procDup,
@@ -750,6 +753,16 @@ func Chroot(path string) (err error) {
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func ClockGettime(clockid int32, time *Timespec) (err error) {
+	_, _, e1 := sysvicall6(uintptr(unsafe.Pointer(&procClockGettime)), 2, uintptr(clockid), uintptr(unsafe.Pointer(time)), 0, 0, 0, 0)
+	if e1 != 0 {
+		err = e1
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Close(fd int) (err error) {
 	_, _, e1 := sysvicall6(uintptr(unsafe.Pointer(&procClose)), 1, uintptr(fd), 0, 0, 0, 0, 0)
 	if e1 != 0 {
diff --git a/vendor/golang.org/x/sys/unix/zsysctl_openbsd_386.go b/vendor/golang.org/x/sys/unix/zsysctl_openbsd_386.go
index 9e9d0b2a9..55e048471 100644
--- a/vendor/golang.org/x/sys/unix/zsysctl_openbsd_386.go
+++ b/vendor/golang.org/x/sys/unix/zsysctl_openbsd_386.go
@@ -17,6 +17,7 @@ var sysctlMib = []mibentry{
 	{"ddb.max_line", []_C_int{9, 3}},
 	{"ddb.max_width", []_C_int{9, 2}},
 	{"ddb.panic", []_C_int{9, 5}},
+	{"ddb.profile", []_C_int{9, 9}},
 	{"ddb.radix", []_C_int{9, 1}},
 	{"ddb.tab_stop_width", []_C_int{9, 4}},
 	{"ddb.trigger", []_C_int{9, 8}},
@@ -33,29 +34,37 @@ var sysctlMib = []mibentry{
 	{"hw.ncpufound", []_C_int{6, 21}},
 	{"hw.ncpuonline", []_C_int{6, 25}},
 	{"hw.pagesize", []_C_int{6, 7}},
+	{"hw.perfpolicy", []_C_int{6, 23}},
 	{"hw.physmem", []_C_int{6, 19}},
+	{"hw.power", []_C_int{6, 26}},
 	{"hw.product", []_C_int{6, 15}},
 	{"hw.serialno", []_C_int{6, 17}},
 	{"hw.setperf", []_C_int{6, 13}},
+	{"hw.smt", []_C_int{6, 24}},
 	{"hw.usermem", []_C_int{6, 20}},
 	{"hw.uuid", []_C_int{6, 18}},
 	{"hw.vendor", []_C_int{6, 14}},
 	{"hw.version", []_C_int{6, 16}},
-	{"kern.arandom", []_C_int{1, 37}},
+	{"kern.allowdt", []_C_int{1, 65}},
+	{"kern.allowkmem", []_C_int{1, 52}},
 	{"kern.argmax", []_C_int{1, 8}},
+	{"kern.audio", []_C_int{1, 84}},
 	{"kern.boottime", []_C_int{1, 21}},
 	{"kern.bufcachepercent", []_C_int{1, 72}},
 	{"kern.ccpu", []_C_int{1, 45}},
 	{"kern.clockrate", []_C_int{1, 12}},
+	{"kern.consbuf", []_C_int{1, 83}},
+	{"kern.consbufsize", []_C_int{1, 82}},
 	{"kern.consdev", []_C_int{1, 75}},
 	{"kern.cp_time", []_C_int{1, 40}},
 	{"kern.cp_time2", []_C_int{1, 71}},
-	{"kern.cryptodevallowsoft", []_C_int{1, 53}},
+	{"kern.cpustats", []_C_int{1, 85}},
 	{"kern.domainname", []_C_int{1, 22}},
 	{"kern.file", []_C_int{1, 73}},
 	{"kern.forkstat", []_C_int{1, 42}},
 	{"kern.fscale", []_C_int{1, 46}},
 	{"kern.fsync", []_C_int{1, 33}},
+	{"kern.global_ptrace", []_C_int{1, 81}},
 	{"kern.hostid", []_C_int{1, 11}},
 	{"kern.hostname", []_C_int{1, 10}},
 	{"kern.intrcnt.nintrcnt", []_C_int{1, 63, 1}},
@@ -78,17 +87,16 @@ var sysctlMib = []mibentry{
 	{"kern.ngroups", []_C_int{1, 18}},
 	{"kern.nosuidcoredump", []_C_int{1, 32}},
 	{"kern.nprocs", []_C_int{1, 47}},
-	{"kern.nselcoll", []_C_int{1, 43}},
 	{"kern.nthreads", []_C_int{1, 26}},
 	{"kern.numvnodes", []_C_int{1, 58}},
 	{"kern.osrelease", []_C_int{1, 2}},
 	{"kern.osrevision", []_C_int{1, 3}},
 	{"kern.ostype", []_C_int{1, 1}},
 	{"kern.osversion", []_C_int{1, 27}},
+	{"kern.pfstatus", []_C_int{1, 86}},
 	{"kern.pool_debug", []_C_int{1, 77}},
 	{"kern.posix1version", []_C_int{1, 17}},
 	{"kern.proc", []_C_int{1, 66}},
-	{"kern.random", []_C_int{1, 31}},
 	{"kern.rawpartition", []_C_int{1, 24}},
 	{"kern.saved_ids", []_C_int{1, 20}},
 	{"kern.securelevel", []_C_int{1, 9}},
@@ -106,21 +114,20 @@ var sysctlMib = []mibentry{
 	{"kern.timecounter.hardware", []_C_int{1, 69, 3}},
 	{"kern.timecounter.tick", []_C_int{1, 69, 1}},
 	{"kern.timecounter.timestepwarnings", []_C_int{1, 69, 2}},
-	{"kern.tty.maxptys", []_C_int{1, 44, 6}},
-	{"kern.tty.nptys", []_C_int{1, 44, 7}},
+	{"kern.timeout_stats", []_C_int{1, 87}},
 	{"kern.tty.tk_cancc", []_C_int{1, 44, 4}},
 	{"kern.tty.tk_nin", []_C_int{1, 44, 1}},
 	{"kern.tty.tk_nout", []_C_int{1, 44, 2}},
 	{"kern.tty.tk_rawcc", []_C_int{1, 44, 3}},
 	{"kern.tty.ttyinfo", []_C_int{1, 44, 5}},
 	{"kern.ttycount", []_C_int{1, 57}},
-	{"kern.userasymcrypto", []_C_int{1, 60}},
-	{"kern.usercrypto", []_C_int{1, 52}},
-	{"kern.usermount", []_C_int{1, 30}},
+	{"kern.utc_offset", []_C_int{1, 88}},
 	{"kern.version", []_C_int{1, 4}},
-	{"kern.vnode", []_C_int{1, 13}},
+	{"kern.video", []_C_int{1, 89}},
 	{"kern.watchdog.auto", []_C_int{1, 64, 2}},
 	{"kern.watchdog.period", []_C_int{1, 64, 1}},
+	{"kern.witnesswatch", []_C_int{1, 53}},
+	{"kern.wxabort", []_C_int{1, 74}},
 	{"net.bpf.bufsize", []_C_int{4, 31, 1}},
 	{"net.bpf.maxbufsize", []_C_int{4, 31, 2}},
 	{"net.inet.ah.enable", []_C_int{4, 2, 51, 1}},
@@ -148,7 +155,9 @@ var sysctlMib = []mibentry{
 	{"net.inet.icmp.stats", []_C_int{4, 2, 1, 7}},
 	{"net.inet.icmp.tstamprepl", []_C_int{4, 2, 1, 6}},
 	{"net.inet.igmp.stats", []_C_int{4, 2, 2, 1}},
+	{"net.inet.ip.arpdown", []_C_int{4, 2, 0, 40}},
 	{"net.inet.ip.arpqueued", []_C_int{4, 2, 0, 36}},
+	{"net.inet.ip.arptimeout", []_C_int{4, 2, 0, 39}},
 	{"net.inet.ip.encdebug", []_C_int{4, 2, 0, 12}},
 	{"net.inet.ip.forwarding", []_C_int{4, 2, 0, 1}},
 	{"net.inet.ip.ifq.congestion", []_C_int{4, 2, 0, 30, 4}},
@@ -157,8 +166,10 @@ var sysctlMib = []mibentry{
 	{"net.inet.ip.ifq.maxlen", []_C_int{4, 2, 0, 30, 2}},
 	{"net.inet.ip.maxqueue", []_C_int{4, 2, 0, 11}},
 	{"net.inet.ip.mforwarding", []_C_int{4, 2, 0, 31}},
+	{"net.inet.ip.mrtmfc", []_C_int{4, 2, 0, 37}},
 	{"net.inet.ip.mrtproto", []_C_int{4, 2, 0, 34}},
 	{"net.inet.ip.mrtstats", []_C_int{4, 2, 0, 35}},
+	{"net.inet.ip.mrtvif", []_C_int{4, 2, 0, 38}},
 	{"net.inet.ip.mtu", []_C_int{4, 2, 0, 4}},
 	{"net.inet.ip.mtudisc", []_C_int{4, 2, 0, 27}},
 	{"net.inet.ip.mtudisctimeout", []_C_int{4, 2, 0, 28}},
@@ -175,9 +186,7 @@ var sysctlMib = []mibentry{
 	{"net.inet.ipcomp.stats", []_C_int{4, 2, 108, 2}},
 	{"net.inet.ipip.allow", []_C_int{4, 2, 4, 1}},
 	{"net.inet.ipip.stats", []_C_int{4, 2, 4, 2}},
-	{"net.inet.mobileip.allow", []_C_int{4, 2, 55, 1}},
 	{"net.inet.pfsync.stats", []_C_int{4, 2, 240, 1}},
-	{"net.inet.pim.stats", []_C_int{4, 2, 103, 1}},
 	{"net.inet.tcp.ackonpush", []_C_int{4, 2, 6, 13}},
 	{"net.inet.tcp.always_keepalive", []_C_int{4, 2, 6, 22}},
 	{"net.inet.tcp.baddynamic", []_C_int{4, 2, 6, 6}},
@@ -191,6 +200,7 @@ var sysctlMib = []mibentry{
 	{"net.inet.tcp.reasslimit", []_C_int{4, 2, 6, 18}},
 	{"net.inet.tcp.rfc1323", []_C_int{4, 2, 6, 1}},
 	{"net.inet.tcp.rfc3390", []_C_int{4, 2, 6, 17}},
+	{"net.inet.tcp.rootonly", []_C_int{4, 2, 6, 24}},
 	{"net.inet.tcp.rstppslimit", []_C_int{4, 2, 6, 12}},
 	{"net.inet.tcp.sack", []_C_int{4, 2, 6, 10}},
 	{"net.inet.tcp.sackholelimit", []_C_int{4, 2, 6, 20}},
@@ -198,9 +208,12 @@ var sysctlMib = []mibentry{
 	{"net.inet.tcp.stats", []_C_int{4, 2, 6, 21}},
 	{"net.inet.tcp.synbucketlimit", []_C_int{4, 2, 6, 16}},
 	{"net.inet.tcp.syncachelimit", []_C_int{4, 2, 6, 15}},
+	{"net.inet.tcp.synhashsize", []_C_int{4, 2, 6, 25}},
+	{"net.inet.tcp.synuselimit", []_C_int{4, 2, 6, 23}},
 	{"net.inet.udp.baddynamic", []_C_int{4, 2, 17, 2}},
 	{"net.inet.udp.checksum", []_C_int{4, 2, 17, 1}},
 	{"net.inet.udp.recvspace", []_C_int{4, 2, 17, 3}},
+	{"net.inet.udp.rootonly", []_C_int{4, 2, 17, 6}},
 	{"net.inet.udp.sendspace", []_C_int{4, 2, 17, 4}},
 	{"net.inet.udp.stats", []_C_int{4, 2, 17, 5}},
 	{"net.inet6.divert.recvspace", []_C_int{4, 24, 86, 1}},
@@ -213,13 +226,8 @@ var sysctlMib = []mibentry{
 	{"net.inet6.icmp6.nd6_delay", []_C_int{4, 24, 30, 8}},
 	{"net.inet6.icmp6.nd6_maxnudhint", []_C_int{4, 24, 30, 15}},
 	{"net.inet6.icmp6.nd6_mmaxtries", []_C_int{4, 24, 30, 10}},
-	{"net.inet6.icmp6.nd6_prune", []_C_int{4, 24, 30, 6}},
 	{"net.inet6.icmp6.nd6_umaxtries", []_C_int{4, 24, 30, 9}},
-	{"net.inet6.icmp6.nd6_useloopback", []_C_int{4, 24, 30, 11}},
-	{"net.inet6.icmp6.nodeinfo", []_C_int{4, 24, 30, 13}},
-	{"net.inet6.icmp6.rediraccept", []_C_int{4, 24, 30, 2}},
 	{"net.inet6.icmp6.redirtimeout", []_C_int{4, 24, 30, 3}},
-	{"net.inet6.ip6.accept_rtadv", []_C_int{4, 24, 17, 12}},
 	{"net.inet6.ip6.auto_flowlabel", []_C_int{4, 24, 17, 17}},
 	{"net.inet6.ip6.dad_count", []_C_int{4, 24, 17, 16}},
 	{"net.inet6.ip6.dad_pending", []_C_int{4, 24, 17, 49}},
@@ -232,20 +240,19 @@ var sysctlMib = []mibentry{
 	{"net.inet6.ip6.maxdynroutes", []_C_int{4, 24, 17, 48}},
 	{"net.inet6.ip6.maxfragpackets", []_C_int{4, 24, 17, 9}},
 	{"net.inet6.ip6.maxfrags", []_C_int{4, 24, 17, 41}},
-	{"net.inet6.ip6.maxifdefrouters", []_C_int{4, 24, 17, 47}},
-	{"net.inet6.ip6.maxifprefixes", []_C_int{4, 24, 17, 46}},
 	{"net.inet6.ip6.mforwarding", []_C_int{4, 24, 17, 42}},
+	{"net.inet6.ip6.mrtmfc", []_C_int{4, 24, 17, 53}},
+	{"net.inet6.ip6.mrtmif", []_C_int{4, 24, 17, 52}},
 	{"net.inet6.ip6.mrtproto", []_C_int{4, 24, 17, 8}},
 	{"net.inet6.ip6.mtudisctimeout", []_C_int{4, 24, 17, 50}},
 	{"net.inet6.ip6.multicast_mtudisc", []_C_int{4, 24, 17, 44}},
 	{"net.inet6.ip6.multipath", []_C_int{4, 24, 17, 43}},
 	{"net.inet6.ip6.neighborgcthresh", []_C_int{4, 24, 17, 45}},
 	{"net.inet6.ip6.redirect", []_C_int{4, 24, 17, 2}},
-	{"net.inet6.ip6.rr_prune", []_C_int{4, 24, 17, 22}},
+	{"net.inet6.ip6.soiikey", []_C_int{4, 24, 17, 54}},
 	{"net.inet6.ip6.sourcecheck", []_C_int{4, 24, 17, 10}},
 	{"net.inet6.ip6.sourcecheck_logint", []_C_int{4, 24, 17, 11}},
 	{"net.inet6.ip6.use_deprecated", []_C_int{4, 24, 17, 21}},
-	{"net.inet6.ip6.v6only", []_C_int{4, 24, 17, 24}},
 	{"net.key.sadb_dump", []_C_int{4, 30, 1}},
 	{"net.key.spd_dump", []_C_int{4, 30, 2}},
 	{"net.mpls.ifq.congestion", []_C_int{4, 33, 3, 4}},
@@ -254,12 +261,12 @@ var sysctlMib = []mibentry{
 	{"net.mpls.ifq.maxlen", []_C_int{4, 33, 3, 2}},
 	{"net.mpls.mapttl_ip", []_C_int{4, 33, 5}},
 	{"net.mpls.mapttl_ip6", []_C_int{4, 33, 6}},
-	{"net.mpls.maxloop_inkernel", []_C_int{4, 33, 4}},
 	{"net.mpls.ttl", []_C_int{4, 33, 2}},
 	{"net.pflow.stats", []_C_int{4, 34, 1}},
 	{"net.pipex.enable", []_C_int{4, 35, 1}},
 	{"vm.anonmin", []_C_int{2, 7}},
 	{"vm.loadavg", []_C_int{2, 2}},
+	{"vm.malloc_conf", []_C_int{2, 12}},
 	{"vm.maxslp", []_C_int{2, 10}},
 	{"vm.nkmempages", []_C_int{2, 6}},
 	{"vm.psstrings", []_C_int{2, 3}},
diff --git a/vendor/golang.org/x/sys/unix/zsysctl_openbsd_amd64.go b/vendor/golang.org/x/sys/unix/zsysctl_openbsd_amd64.go
index adecd0966..d2243cf83 100644
--- a/vendor/golang.org/x/sys/unix/zsysctl_openbsd_amd64.go
+++ b/vendor/golang.org/x/sys/unix/zsysctl_openbsd_amd64.go
@@ -36,23 +36,29 @@ var sysctlMib = []mibentry{
 	{"hw.pagesize", []_C_int{6, 7}},
 	{"hw.perfpolicy", []_C_int{6, 23}},
 	{"hw.physmem", []_C_int{6, 19}},
+	{"hw.power", []_C_int{6, 26}},
 	{"hw.product", []_C_int{6, 15}},
 	{"hw.serialno", []_C_int{6, 17}},
 	{"hw.setperf", []_C_int{6, 13}},
+	{"hw.smt", []_C_int{6, 24}},
 	{"hw.usermem", []_C_int{6, 20}},
 	{"hw.uuid", []_C_int{6, 18}},
 	{"hw.vendor", []_C_int{6, 14}},
 	{"hw.version", []_C_int{6, 16}},
+	{"kern.allowdt", []_C_int{1, 65}},
 	{"kern.allowkmem", []_C_int{1, 52}},
 	{"kern.argmax", []_C_int{1, 8}},
+	{"kern.audio", []_C_int{1, 84}},
 	{"kern.boottime", []_C_int{1, 21}},
 	{"kern.bufcachepercent", []_C_int{1, 72}},
 	{"kern.ccpu", []_C_int{1, 45}},
 	{"kern.clockrate", []_C_int{1, 12}},
+	{"kern.consbuf", []_C_int{1, 83}},
+	{"kern.consbufsize", []_C_int{1, 82}},
 	{"kern.consdev", []_C_int{1, 75}},
 	{"kern.cp_time", []_C_int{1, 40}},
 	{"kern.cp_time2", []_C_int{1, 71}},
-	{"kern.dnsjackport", []_C_int{1, 13}},
+	{"kern.cpustats", []_C_int{1, 85}},
 	{"kern.domainname", []_C_int{1, 22}},
 	{"kern.file", []_C_int{1, 73}},
 	{"kern.forkstat", []_C_int{1, 42}},
@@ -81,13 +87,13 @@ var sysctlMib = []mibentry{
 	{"kern.ngroups", []_C_int{1, 18}},
 	{"kern.nosuidcoredump", []_C_int{1, 32}},
 	{"kern.nprocs", []_C_int{1, 47}},
-	{"kern.nselcoll", []_C_int{1, 43}},
 	{"kern.nthreads", []_C_int{1, 26}},
 	{"kern.numvnodes", []_C_int{1, 58}},
 	{"kern.osrelease", []_C_int{1, 2}},
 	{"kern.osrevision", []_C_int{1, 3}},
 	{"kern.ostype", []_C_int{1, 1}},
 	{"kern.osversion", []_C_int{1, 27}},
+	{"kern.pfstatus", []_C_int{1, 86}},
 	{"kern.pool_debug", []_C_int{1, 77}},
 	{"kern.posix1version", []_C_int{1, 17}},
 	{"kern.proc", []_C_int{1, 66}},
@@ -108,15 +114,19 @@ var sysctlMib = []mibentry{
 	{"kern.timecounter.hardware", []_C_int{1, 69, 3}},
 	{"kern.timecounter.tick", []_C_int{1, 69, 1}},
 	{"kern.timecounter.timestepwarnings", []_C_int{1, 69, 2}},
+	{"kern.timeout_stats", []_C_int{1, 87}},
 	{"kern.tty.tk_cancc", []_C_int{1, 44, 4}},
 	{"kern.tty.tk_nin", []_C_int{1, 44, 1}},
 	{"kern.tty.tk_nout", []_C_int{1, 44, 2}},
 	{"kern.tty.tk_rawcc", []_C_int{1, 44, 3}},
 	{"kern.tty.ttyinfo", []_C_int{1, 44, 5}},
 	{"kern.ttycount", []_C_int{1, 57}},
+	{"kern.utc_offset", []_C_int{1, 88}},
 	{"kern.version", []_C_int{1, 4}},
+	{"kern.video", []_C_int{1, 89}},
 	{"kern.watchdog.auto", []_C_int{1, 64, 2}},
 	{"kern.watchdog.period", []_C_int{1, 64, 1}},
+	{"kern.witnesswatch", []_C_int{1, 53}},
 	{"kern.wxabort", []_C_int{1, 74}},
 	{"net.bpf.bufsize", []_C_int{4, 31, 1}},
 	{"net.bpf.maxbufsize", []_C_int{4, 31, 2}},
@@ -176,7 +186,6 @@ var sysctlMib = []mibentry{
 	{"net.inet.ipcomp.stats", []_C_int{4, 2, 108, 2}},
 	{"net.inet.ipip.allow", []_C_int{4, 2, 4, 1}},
 	{"net.inet.ipip.stats", []_C_int{4, 2, 4, 2}},
-	{"net.inet.mobileip.allow", []_C_int{4, 2, 55, 1}},
 	{"net.inet.pfsync.stats", []_C_int{4, 2, 240, 1}},
 	{"net.inet.tcp.ackonpush", []_C_int{4, 2, 6, 13}},
 	{"net.inet.tcp.always_keepalive", []_C_int{4, 2, 6, 22}},
@@ -252,12 +261,12 @@ var sysctlMib = []mibentry{
 	{"net.mpls.ifq.maxlen", []_C_int{4, 33, 3, 2}},
 	{"net.mpls.mapttl_ip", []_C_int{4, 33, 5}},
 	{"net.mpls.mapttl_ip6", []_C_int{4, 33, 6}},
-	{"net.mpls.maxloop_inkernel", []_C_int{4, 33, 4}},
 	{"net.mpls.ttl", []_C_int{4, 33, 2}},
 	{"net.pflow.stats", []_C_int{4, 34, 1}},
 	{"net.pipex.enable", []_C_int{4, 35, 1}},
 	{"vm.anonmin", []_C_int{2, 7}},
 	{"vm.loadavg", []_C_int{2, 2}},
+	{"vm.malloc_conf", []_C_int{2, 12}},
 	{"vm.maxslp", []_C_int{2, 10}},
 	{"vm.nkmempages", []_C_int{2, 6}},
 	{"vm.psstrings", []_C_int{2, 3}},
diff --git a/vendor/golang.org/x/sys/unix/zsysctl_openbsd_arm.go b/vendor/golang.org/x/sys/unix/zsysctl_openbsd_arm.go
index 8ea52a4a1..82dc51bd8 100644
--- a/vendor/golang.org/x/sys/unix/zsysctl_openbsd_arm.go
+++ b/vendor/golang.org/x/sys/unix/zsysctl_openbsd_arm.go
@@ -17,6 +17,7 @@ var sysctlMib = []mibentry{
 	{"ddb.max_line", []_C_int{9, 3}},
 	{"ddb.max_width", []_C_int{9, 2}},
 	{"ddb.panic", []_C_int{9, 5}},
+	{"ddb.profile", []_C_int{9, 9}},
 	{"ddb.radix", []_C_int{9, 1}},
 	{"ddb.tab_stop_width", []_C_int{9, 4}},
 	{"ddb.trigger", []_C_int{9, 8}},
@@ -33,29 +34,37 @@ var sysctlMib = []mibentry{
 	{"hw.ncpufound", []_C_int{6, 21}},
 	{"hw.ncpuonline", []_C_int{6, 25}},
 	{"hw.pagesize", []_C_int{6, 7}},
+	{"hw.perfpolicy", []_C_int{6, 23}},
 	{"hw.physmem", []_C_int{6, 19}},
+	{"hw.power", []_C_int{6, 26}},
 	{"hw.product", []_C_int{6, 15}},
 	{"hw.serialno", []_C_int{6, 17}},
 	{"hw.setperf", []_C_int{6, 13}},
+	{"hw.smt", []_C_int{6, 24}},
 	{"hw.usermem", []_C_int{6, 20}},
 	{"hw.uuid", []_C_int{6, 18}},
 	{"hw.vendor", []_C_int{6, 14}},
 	{"hw.version", []_C_int{6, 16}},
-	{"kern.arandom", []_C_int{1, 37}},
+	{"kern.allowdt", []_C_int{1, 65}},
+	{"kern.allowkmem", []_C_int{1, 52}},
 	{"kern.argmax", []_C_int{1, 8}},
+	{"kern.audio", []_C_int{1, 84}},
 	{"kern.boottime", []_C_int{1, 21}},
 	{"kern.bufcachepercent", []_C_int{1, 72}},
 	{"kern.ccpu", []_C_int{1, 45}},
 	{"kern.clockrate", []_C_int{1, 12}},
+	{"kern.consbuf", []_C_int{1, 83}},
+	{"kern.consbufsize", []_C_int{1, 82}},
 	{"kern.consdev", []_C_int{1, 75}},
 	{"kern.cp_time", []_C_int{1, 40}},
 	{"kern.cp_time2", []_C_int{1, 71}},
-	{"kern.cryptodevallowsoft", []_C_int{1, 53}},
+	{"kern.cpustats", []_C_int{1, 85}},
 	{"kern.domainname", []_C_int{1, 22}},
 	{"kern.file", []_C_int{1, 73}},
 	{"kern.forkstat", []_C_int{1, 42}},
 	{"kern.fscale", []_C_int{1, 46}},
 	{"kern.fsync", []_C_int{1, 33}},
+	{"kern.global_ptrace", []_C_int{1, 81}},
 	{"kern.hostid", []_C_int{1, 11}},
 	{"kern.hostname", []_C_int{1, 10}},
 	{"kern.intrcnt.nintrcnt", []_C_int{1, 63, 1}},
@@ -78,17 +87,16 @@ var sysctlMib = []mibentry{
 	{"kern.ngroups", []_C_int{1, 18}},
 	{"kern.nosuidcoredump", []_C_int{1, 32}},
 	{"kern.nprocs", []_C_int{1, 47}},
-	{"kern.nselcoll", []_C_int{1, 43}},
 	{"kern.nthreads", []_C_int{1, 26}},
 	{"kern.numvnodes", []_C_int{1, 58}},
 	{"kern.osrelease", []_C_int{1, 2}},
 	{"kern.osrevision", []_C_int{1, 3}},
 	{"kern.ostype", []_C_int{1, 1}},
 	{"kern.osversion", []_C_int{1, 27}},
+	{"kern.pfstatus", []_C_int{1, 86}},
 	{"kern.pool_debug", []_C_int{1, 77}},
 	{"kern.posix1version", []_C_int{1, 17}},
 	{"kern.proc", []_C_int{1, 66}},
-	{"kern.random", []_C_int{1, 31}},
 	{"kern.rawpartition", []_C_int{1, 24}},
 	{"kern.saved_ids", []_C_int{1, 20}},
 	{"kern.securelevel", []_C_int{1, 9}},
@@ -106,21 +114,20 @@ var sysctlMib = []mibentry{
 	{"kern.timecounter.hardware", []_C_int{1, 69, 3}},
 	{"kern.timecounter.tick", []_C_int{1, 69, 1}},
 	{"kern.timecounter.timestepwarnings", []_C_int{1, 69, 2}},
-	{"kern.tty.maxptys", []_C_int{1, 44, 6}},
-	{"kern.tty.nptys", []_C_int{1, 44, 7}},
+	{"kern.timeout_stats", []_C_int{1, 87}},
 	{"kern.tty.tk_cancc", []_C_int{1, 44, 4}},
 	{"kern.tty.tk_nin", []_C_int{1, 44, 1}},
 	{"kern.tty.tk_nout", []_C_int{1, 44, 2}},
 	{"kern.tty.tk_rawcc", []_C_int{1, 44, 3}},
 	{"kern.tty.ttyinfo", []_C_int{1, 44, 5}},
 	{"kern.ttycount", []_C_int{1, 57}},
-	{"kern.userasymcrypto", []_C_int{1, 60}},
-	{"kern.usercrypto", []_C_int{1, 52}},
-	{"kern.usermount", []_C_int{1, 30}},
+	{"kern.utc_offset", []_C_int{1, 88}},
 	{"kern.version", []_C_int{1, 4}},
-	{"kern.vnode", []_C_int{1, 13}},
+	{"kern.video", []_C_int{1, 89}},
 	{"kern.watchdog.auto", []_C_int{1, 64, 2}},
 	{"kern.watchdog.period", []_C_int{1, 64, 1}},
+	{"kern.witnesswatch", []_C_int{1, 53}},
+	{"kern.wxabort", []_C_int{1, 74}},
 	{"net.bpf.bufsize", []_C_int{4, 31, 1}},
 	{"net.bpf.maxbufsize", []_C_int{4, 31, 2}},
 	{"net.inet.ah.enable", []_C_int{4, 2, 51, 1}},
@@ -148,7 +155,9 @@ var sysctlMib = []mibentry{
 	{"net.inet.icmp.stats", []_C_int{4, 2, 1, 7}},
 	{"net.inet.icmp.tstamprepl", []_C_int{4, 2, 1, 6}},
 	{"net.inet.igmp.stats", []_C_int{4, 2, 2, 1}},
+	{"net.inet.ip.arpdown", []_C_int{4, 2, 0, 40}},
 	{"net.inet.ip.arpqueued", []_C_int{4, 2, 0, 36}},
+	{"net.inet.ip.arptimeout", []_C_int{4, 2, 0, 39}},
 	{"net.inet.ip.encdebug", []_C_int{4, 2, 0, 12}},
 	{"net.inet.ip.forwarding", []_C_int{4, 2, 0, 1}},
 	{"net.inet.ip.ifq.congestion", []_C_int{4, 2, 0, 30, 4}},
@@ -157,8 +166,10 @@ var sysctlMib = []mibentry{
 	{"net.inet.ip.ifq.maxlen", []_C_int{4, 2, 0, 30, 2}},
 	{"net.inet.ip.maxqueue", []_C_int{4, 2, 0, 11}},
 	{"net.inet.ip.mforwarding", []_C_int{4, 2, 0, 31}},
+	{"net.inet.ip.mrtmfc", []_C_int{4, 2, 0, 37}},
 	{"net.inet.ip.mrtproto", []_C_int{4, 2, 0, 34}},
 	{"net.inet.ip.mrtstats", []_C_int{4, 2, 0, 35}},
+	{"net.inet.ip.mrtvif", []_C_int{4, 2, 0, 38}},
 	{"net.inet.ip.mtu", []_C_int{4, 2, 0, 4}},
 	{"net.inet.ip.mtudisc", []_C_int{4, 2, 0, 27}},
 	{"net.inet.ip.mtudisctimeout", []_C_int{4, 2, 0, 28}},
@@ -175,9 +186,7 @@ var sysctlMib = []mibentry{
 	{"net.inet.ipcomp.stats", []_C_int{4, 2, 108, 2}},
 	{"net.inet.ipip.allow", []_C_int{4, 2, 4, 1}},
 	{"net.inet.ipip.stats", []_C_int{4, 2, 4, 2}},
-	{"net.inet.mobileip.allow", []_C_int{4, 2, 55, 1}},
 	{"net.inet.pfsync.stats", []_C_int{4, 2, 240, 1}},
-	{"net.inet.pim.stats", []_C_int{4, 2, 103, 1}},
 	{"net.inet.tcp.ackonpush", []_C_int{4, 2, 6, 13}},
 	{"net.inet.tcp.always_keepalive", []_C_int{4, 2, 6, 22}},
 	{"net.inet.tcp.baddynamic", []_C_int{4, 2, 6, 6}},
@@ -191,6 +200,7 @@ var sysctlMib = []mibentry{
 	{"net.inet.tcp.reasslimit", []_C_int{4, 2, 6, 18}},
 	{"net.inet.tcp.rfc1323", []_C_int{4, 2, 6, 1}},
 	{"net.inet.tcp.rfc3390", []_C_int{4, 2, 6, 17}},
+	{"net.inet.tcp.rootonly", []_C_int{4, 2, 6, 24}},
 	{"net.inet.tcp.rstppslimit", []_C_int{4, 2, 6, 12}},
 	{"net.inet.tcp.sack", []_C_int{4, 2, 6, 10}},
 	{"net.inet.tcp.sackholelimit", []_C_int{4, 2, 6, 20}},
@@ -198,9 +208,12 @@ var sysctlMib = []mibentry{
 	{"net.inet.tcp.stats", []_C_int{4, 2, 6, 21}},
 	{"net.inet.tcp.synbucketlimit", []_C_int{4, 2, 6, 16}},
 	{"net.inet.tcp.syncachelimit", []_C_int{4, 2, 6, 15}},
+	{"net.inet.tcp.synhashsize", []_C_int{4, 2, 6, 25}},
+	{"net.inet.tcp.synuselimit", []_C_int{4, 2, 6, 23}},
 	{"net.inet.udp.baddynamic", []_C_int{4, 2, 17, 2}},
 	{"net.inet.udp.checksum", []_C_int{4, 2, 17, 1}},
 	{"net.inet.udp.recvspace", []_C_int{4, 2, 17, 3}},
+	{"net.inet.udp.rootonly", []_C_int{4, 2, 17, 6}},
 	{"net.inet.udp.sendspace", []_C_int{4, 2, 17, 4}},
 	{"net.inet.udp.stats", []_C_int{4, 2, 17, 5}},
 	{"net.inet6.divert.recvspace", []_C_int{4, 24, 86, 1}},
@@ -213,13 +226,8 @@ var sysctlMib = []mibentry{
 	{"net.inet6.icmp6.nd6_delay", []_C_int{4, 24, 30, 8}},
 	{"net.inet6.icmp6.nd6_maxnudhint", []_C_int{4, 24, 30, 15}},
 	{"net.inet6.icmp6.nd6_mmaxtries", []_C_int{4, 24, 30, 10}},
-	{"net.inet6.icmp6.nd6_prune", []_C_int{4, 24, 30, 6}},
 	{"net.inet6.icmp6.nd6_umaxtries", []_C_int{4, 24, 30, 9}},
-	{"net.inet6.icmp6.nd6_useloopback", []_C_int{4, 24, 30, 11}},
-	{"net.inet6.icmp6.nodeinfo", []_C_int{4, 24, 30, 13}},
-	{"net.inet6.icmp6.rediraccept", []_C_int{4, 24, 30, 2}},
 	{"net.inet6.icmp6.redirtimeout", []_C_int{4, 24, 30, 3}},
-	{"net.inet6.ip6.accept_rtadv", []_C_int{4, 24, 17, 12}},
 	{"net.inet6.ip6.auto_flowlabel", []_C_int{4, 24, 17, 17}},
 	{"net.inet6.ip6.dad_count", []_C_int{4, 24, 17, 16}},
 	{"net.inet6.ip6.dad_pending", []_C_int{4, 24, 17, 49}},
@@ -232,20 +240,19 @@ var sysctlMib = []mibentry{
 	{"net.inet6.ip6.maxdynroutes", []_C_int{4, 24, 17, 48}},
 	{"net.inet6.ip6.maxfragpackets", []_C_int{4, 24, 17, 9}},
 	{"net.inet6.ip6.maxfrags", []_C_int{4, 24, 17, 41}},
-	{"net.inet6.ip6.maxifdefrouters", []_C_int{4, 24, 17, 47}},
-	{"net.inet6.ip6.maxifprefixes", []_C_int{4, 24, 17, 46}},
 	{"net.inet6.ip6.mforwarding", []_C_int{4, 24, 17, 42}},
+	{"net.inet6.ip6.mrtmfc", []_C_int{4, 24, 17, 53}},
+	{"net.inet6.ip6.mrtmif", []_C_int{4, 24, 17, 52}},
 	{"net.inet6.ip6.mrtproto", []_C_int{4, 24, 17, 8}},
 	{"net.inet6.ip6.mtudisctimeout", []_C_int{4, 24, 17, 50}},
 	{"net.inet6.ip6.multicast_mtudisc", []_C_int{4, 24, 17, 44}},
 	{"net.inet6.ip6.multipath", []_C_int{4, 24, 17, 43}},
 	{"net.inet6.ip6.neighborgcthresh", []_C_int{4, 24, 17, 45}},
 	{"net.inet6.ip6.redirect", []_C_int{4, 24, 17, 2}},
-	{"net.inet6.ip6.rr_prune", []_C_int{4, 24, 17, 22}},
+	{"net.inet6.ip6.soiikey", []_C_int{4, 24, 17, 54}},
 	{"net.inet6.ip6.sourcecheck", []_C_int{4, 24, 17, 10}},
 	{"net.inet6.ip6.sourcecheck_logint", []_C_int{4, 24, 17, 11}},
 	{"net.inet6.ip6.use_deprecated", []_C_int{4, 24, 17, 21}},
-	{"net.inet6.ip6.v6only", []_C_int{4, 24, 17, 24}},
 	{"net.key.sadb_dump", []_C_int{4, 30, 1}},
 	{"net.key.spd_dump", []_C_int{4, 30, 2}},
 	{"net.mpls.ifq.congestion", []_C_int{4, 33, 3, 4}},
@@ -254,12 +261,12 @@ var sysctlMib = []mibentry{
 	{"net.mpls.ifq.maxlen", []_C_int{4, 33, 3, 2}},
 	{"net.mpls.mapttl_ip", []_C_int{4, 33, 5}},
 	{"net.mpls.mapttl_ip6", []_C_int{4, 33, 6}},
-	{"net.mpls.maxloop_inkernel", []_C_int{4, 33, 4}},
 	{"net.mpls.ttl", []_C_int{4, 33, 2}},
 	{"net.pflow.stats", []_C_int{4, 34, 1}},
 	{"net.pipex.enable", []_C_int{4, 35, 1}},
 	{"vm.anonmin", []_C_int{2, 7}},
 	{"vm.loadavg", []_C_int{2, 2}},
+	{"vm.malloc_conf", []_C_int{2, 12}},
 	{"vm.maxslp", []_C_int{2, 10}},
 	{"vm.nkmempages", []_C_int{2, 6}},
 	{"vm.psstrings", []_C_int{2, 3}},
diff --git a/vendor/golang.org/x/sys/unix/zsysctl_openbsd_arm64.go b/vendor/golang.org/x/sys/unix/zsysctl_openbsd_arm64.go
index 154b57ae3..cbdda1a4a 100644
--- a/vendor/golang.org/x/sys/unix/zsysctl_openbsd_arm64.go
+++ b/vendor/golang.org/x/sys/unix/zsysctl_openbsd_arm64.go
@@ -36,6 +36,7 @@ var sysctlMib = []mibentry{
 	{"hw.pagesize", []_C_int{6, 7}},
 	{"hw.perfpolicy", []_C_int{6, 23}},
 	{"hw.physmem", []_C_int{6, 19}},
+	{"hw.power", []_C_int{6, 26}},
 	{"hw.product", []_C_int{6, 15}},
 	{"hw.serialno", []_C_int{6, 17}},
 	{"hw.setperf", []_C_int{6, 13}},
@@ -44,6 +45,7 @@ var sysctlMib = []mibentry{
 	{"hw.uuid", []_C_int{6, 18}},
 	{"hw.vendor", []_C_int{6, 14}},
 	{"hw.version", []_C_int{6, 16}},
+	{"kern.allowdt", []_C_int{1, 65}},
 	{"kern.allowkmem", []_C_int{1, 52}},
 	{"kern.argmax", []_C_int{1, 8}},
 	{"kern.audio", []_C_int{1, 84}},
@@ -51,6 +53,8 @@ var sysctlMib = []mibentry{
 	{"kern.bufcachepercent", []_C_int{1, 72}},
 	{"kern.ccpu", []_C_int{1, 45}},
 	{"kern.clockrate", []_C_int{1, 12}},
+	{"kern.consbuf", []_C_int{1, 83}},
+	{"kern.consbufsize", []_C_int{1, 82}},
 	{"kern.consdev", []_C_int{1, 75}},
 	{"kern.cp_time", []_C_int{1, 40}},
 	{"kern.cp_time2", []_C_int{1, 71}},
@@ -83,13 +87,13 @@ var sysctlMib = []mibentry{
 	{"kern.ngroups", []_C_int{1, 18}},
 	{"kern.nosuidcoredump", []_C_int{1, 32}},
 	{"kern.nprocs", []_C_int{1, 47}},
-	{"kern.nselcoll", []_C_int{1, 43}},
 	{"kern.nthreads", []_C_int{1, 26}},
 	{"kern.numvnodes", []_C_int{1, 58}},
 	{"kern.osrelease", []_C_int{1, 2}},
 	{"kern.osrevision", []_C_int{1, 3}},
 	{"kern.ostype", []_C_int{1, 1}},
 	{"kern.osversion", []_C_int{1, 27}},
+	{"kern.pfstatus", []_C_int{1, 86}},
 	{"kern.pool_debug", []_C_int{1, 77}},
 	{"kern.posix1version", []_C_int{1, 17}},
 	{"kern.proc", []_C_int{1, 66}},
@@ -110,13 +114,16 @@ var sysctlMib = []mibentry{
 	{"kern.timecounter.hardware", []_C_int{1, 69, 3}},
 	{"kern.timecounter.tick", []_C_int{1, 69, 1}},
 	{"kern.timecounter.timestepwarnings", []_C_int{1, 69, 2}},
+	{"kern.timeout_stats", []_C_int{1, 87}},
 	{"kern.tty.tk_cancc", []_C_int{1, 44, 4}},
 	{"kern.tty.tk_nin", []_C_int{1, 44, 1}},
 	{"kern.tty.tk_nout", []_C_int{1, 44, 2}},
 	{"kern.tty.tk_rawcc", []_C_int{1, 44, 3}},
 	{"kern.tty.ttyinfo", []_C_int{1, 44, 5}},
 	{"kern.ttycount", []_C_int{1, 57}},
+	{"kern.utc_offset", []_C_int{1, 88}},
 	{"kern.version", []_C_int{1, 4}},
+	{"kern.video", []_C_int{1, 89}},
 	{"kern.watchdog.auto", []_C_int{1, 64, 2}},
 	{"kern.watchdog.period", []_C_int{1, 64, 1}},
 	{"kern.witnesswatch", []_C_int{1, 53}},
@@ -179,7 +186,6 @@ var sysctlMib = []mibentry{
 	{"net.inet.ipcomp.stats", []_C_int{4, 2, 108, 2}},
 	{"net.inet.ipip.allow", []_C_int{4, 2, 4, 1}},
 	{"net.inet.ipip.stats", []_C_int{4, 2, 4, 2}},
-	{"net.inet.mobileip.allow", []_C_int{4, 2, 55, 1}},
 	{"net.inet.pfsync.stats", []_C_int{4, 2, 240, 1}},
 	{"net.inet.tcp.ackonpush", []_C_int{4, 2, 6, 13}},
 	{"net.inet.tcp.always_keepalive", []_C_int{4, 2, 6, 22}},
@@ -255,7 +261,6 @@ var sysctlMib = []mibentry{
 	{"net.mpls.ifq.maxlen", []_C_int{4, 33, 3, 2}},
 	{"net.mpls.mapttl_ip", []_C_int{4, 33, 5}},
 	{"net.mpls.mapttl_ip6", []_C_int{4, 33, 6}},
-	{"net.mpls.maxloop_inkernel", []_C_int{4, 33, 4}},
 	{"net.mpls.ttl", []_C_int{4, 33, 2}},
 	{"net.pflow.stats", []_C_int{4, 34, 1}},
 	{"net.pipex.enable", []_C_int{4, 35, 1}},
diff --git a/vendor/golang.org/x/sys/unix/zsysctl_openbsd_mips64.go b/vendor/golang.org/x/sys/unix/zsysctl_openbsd_mips64.go
index d96bb2ba4..f55eae1a8 100644
--- a/vendor/golang.org/x/sys/unix/zsysctl_openbsd_mips64.go
+++ b/vendor/golang.org/x/sys/unix/zsysctl_openbsd_mips64.go
@@ -36,6 +36,7 @@ var sysctlMib = []mibentry{
 	{"hw.pagesize", []_C_int{6, 7}},
 	{"hw.perfpolicy", []_C_int{6, 23}},
 	{"hw.physmem", []_C_int{6, 19}},
+	{"hw.power", []_C_int{6, 26}},
 	{"hw.product", []_C_int{6, 15}},
 	{"hw.serialno", []_C_int{6, 17}},
 	{"hw.setperf", []_C_int{6, 13}},
@@ -86,7 +87,6 @@ var sysctlMib = []mibentry{
 	{"kern.ngroups", []_C_int{1, 18}},
 	{"kern.nosuidcoredump", []_C_int{1, 32}},
 	{"kern.nprocs", []_C_int{1, 47}},
-	{"kern.nselcoll", []_C_int{1, 43}},
 	{"kern.nthreads", []_C_int{1, 26}},
 	{"kern.numvnodes", []_C_int{1, 58}},
 	{"kern.osrelease", []_C_int{1, 2}},
@@ -123,6 +123,7 @@ var sysctlMib = []mibentry{
 	{"kern.ttycount", []_C_int{1, 57}},
 	{"kern.utc_offset", []_C_int{1, 88}},
 	{"kern.version", []_C_int{1, 4}},
+	{"kern.video", []_C_int{1, 89}},
 	{"kern.watchdog.auto", []_C_int{1, 64, 2}},
 	{"kern.watchdog.period", []_C_int{1, 64, 1}},
 	{"kern.witnesswatch", []_C_int{1, 53}},
diff --git a/vendor/golang.org/x/sys/unix/zsysnum_openbsd_mips64.go b/vendor/golang.org/x/sys/unix/zsysnum_openbsd_mips64.go
index a37f77375..01c43a01f 100644
--- a/vendor/golang.org/x/sys/unix/zsysnum_openbsd_mips64.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_openbsd_mips64.go
@@ -6,6 +6,7 @@
 
 package unix
 
+// Deprecated: Use libc wrappers instead of direct syscalls.
 const (
 	SYS_EXIT           = 1   // { void sys_exit(int rval); }
 	SYS_FORK           = 2   // { int sys_fork(void); }
diff --git a/vendor/golang.org/x/sys/unix/ztypes_netbsd_386.go b/vendor/golang.org/x/sys/unix/ztypes_netbsd_386.go
index 2fd2060e6..9bc4c8f9d 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_netbsd_386.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_netbsd_386.go
@@ -491,6 +491,90 @@ type Utsname struct {
 	Machine  [256]byte
 }
 
+const SizeofUvmexp = 0x278
+
+type Uvmexp struct {
+	Pagesize           int64
+	Pagemask           int64
+	Pageshift          int64
+	Npages             int64
+	Free               int64
+	Active             int64
+	Inactive           int64
+	Paging             int64
+	Wired              int64
+	Zeropages          int64
+	Reserve_pagedaemon int64
+	Reserve_kernel     int64
+	Freemin            int64
+	Freetarg           int64
+	Inactarg           int64
+	Wiredmax           int64
+	Nswapdev           int64
+	Swpages            int64
+	Swpginuse          int64
+	Swpgonly           int64
+	Nswget             int64
+	Unused1            int64
+	Cpuhit             int64
+	Cpumiss            int64
+	Faults             int64
+	Traps              int64
+	Intrs              int64
+	Swtch              int64
+	Softs              int64
+	Syscalls           int64
+	Pageins            int64
+	Swapins            int64
+	Swapouts           int64
+	Pgswapin           int64
+	Pgswapout          int64
+	Forks              int64
+	Forks_ppwait       int64
+	Forks_sharevm      int64
+	Pga_zerohit        int64
+	Pga_zeromiss       int64
+	Zeroaborts         int64
+	Fltnoram           int64
+	Fltnoanon          int64
+	Fltpgwait          int64
+	Fltpgrele          int64
+	Fltrelck           int64
+	Fltrelckok         int64
+	Fltanget           int64
+	Fltanretry         int64
+	Fltamcopy          int64
+	Fltnamap           int64
+	Fltnomap           int64
+	Fltlget            int64
+	Fltget             int64
+	Flt_anon           int64
+	Flt_acow           int64
+	Flt_obj            int64
+	Flt_prcopy         int64
+	Flt_przero         int64
+	Pdwoke             int64
+	Pdrevs             int64
+	Unused4            int64
+	Pdfreed            int64
+	Pdscans            int64
+	Pdanscan           int64
+	Pdobscan           int64
+	Pdreact            int64
+	Pdbusy             int64
+	Pdpageouts         int64
+	Pdpending          int64
+	Pddeact            int64
+	Anonpages          int64
+	Filepages          int64
+	Execpages          int64
+	Colorhit           int64
+	Colormiss          int64
+	Ncolors            int64
+	Bootpages          int64
+	Poolpages          int64
+}
+
 const SizeofClockinfo = 0x14
 
 type Clockinfo struct {
diff --git a/vendor/golang.org/x/sys/unix/ztypes_netbsd_amd64.go b/vendor/golang.org/x/sys/unix/ztypes_netbsd_amd64.go
index 6a5a1a8ae..bb05f655d 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_netbsd_amd64.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_netbsd_amd64.go
@@ -499,6 +499,90 @@ type Utsname struct {
 	Machine  [256]byte
 }
 
+const SizeofUvmexp = 0x278
+
+type Uvmexp struct {
+	Pagesize           int64
+	Pagemask           int64
+	Pageshift          int64
+	Npages             int64
+	Free               int64
+	Active             int64
+	Inactive           int64
+	Paging             int64
+	Wired              int64
+	Zeropages          int64
+	Reserve_pagedaemon int64
+	Reserve_kernel     int64
+	Freemin            int64
+	Freetarg           int64
+	Inactarg           int64
+	Wiredmax           int64
+	Nswapdev           int64
+	Swpages            int64
+	Swpginuse          int64
+	Swpgonly           int64
+	Nswget             int64
+	Unused1            int64
+	Cpuhit             int64
+	Cpumiss            int64
+	Faults             int64
+	Traps              int64
+	Intrs              int64
+	Swtch              int64
+	Softs              int64
+	Syscalls           int64
+	Pageins            int64
+	Swapins            int64
+	Swapouts           int64
+	Pgswapin           int64
+	Pgswapout          int64
+	Forks              int64
+	Forks_ppwait       int64
+	Forks_sharevm      int64
+	Pga_zerohit        int64
+	Pga_zeromiss       int64
+	Zeroaborts         int64
+	Fltnoram           int64
+	Fltnoanon          int64
+	Fltpgwait          int64
+	Fltpgrele          int64
+	Fltrelck           int64
+	Fltrelckok         int64
+	Fltanget           int64
+	Fltanretry         int64
+	Fltamcopy          int64
+	Fltnamap           int64
+	Fltnomap           int64
+	Fltlget            int64
+	Fltget             int64
+	Flt_anon           int64
+	Flt_acow           int64
+	Flt_obj            int64
+	Flt_prcopy         int64
+	Flt_przero         int64
+	Pdwoke             int64
+	Pdrevs             int64
+	Unused4            int64
+	Pdfreed            int64
+	Pdscans            int64
+	Pdanscan           int64
+	Pdobscan           int64
+	Pdreact            int64
+	Pdbusy             int64
+	Pdpageouts         int64
+	Pdpending          int64
+	Pddeact            int64
+	Anonpages          int64
+	Filepages          int64
+	Execpages          int64
+	Colorhit           int64
+	Colormiss          int64
+	Ncolors            int64
+	Bootpages          int64
+	Poolpages          int64
+}
+
 const SizeofClockinfo = 0x14
 
 type Clockinfo struct {
diff --git a/vendor/golang.org/x/sys/unix/ztypes_netbsd_arm.go b/vendor/golang.org/x/sys/unix/ztypes_netbsd_arm.go
index 84cc8d01e..db40e3a19 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_netbsd_arm.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_netbsd_arm.go
@@ -496,6 +496,90 @@ type Utsname struct {
 	Machine  [256]byte
 }
 
+const SizeofUvmexp = 0x278
+
+type Uvmexp struct {
+	Pagesize           int64
+	Pagemask           int64
+	Pageshift          int64
+	Npages             int64
+	Free               int64
+	Active             int64
+	Inactive           int64
+	Paging             int64
+	Wired              int64
+	Zeropages          int64
+	Reserve_pagedaemon int64
+	Reserve_kernel     int64
+	Freemin            int64
+	Freetarg           int64
+	Inactarg           int64
+	Wiredmax           int64
+	Nswapdev           int64
+	Swpages            int64
+	Swpginuse          int64
+	Swpgonly           int64
+	Nswget             int64
+	Unused1            int64
+	Cpuhit             int64
+	Cpumiss            int64
+	Faults             int64
+	Traps              int64
+	Intrs              int64
+	Swtch              int64
+	Softs              int64
+	Syscalls           int64
+	Pageins            int64
+	Swapins            int64
+	Swapouts           int64
+	Pgswapin           int64
+	Pgswapout          int64
+	Forks              int64
+	Forks_ppwait       int64
+	Forks_sharevm      int64
+	Pga_zerohit        int64
+	Pga_zeromiss       int64
+	Zeroaborts         int64
+	Fltnoram           int64
+	Fltnoanon          int64
+	Fltpgwait          int64
+	Fltpgrele          int64
+	Fltrelck           int64
+	Fltrelckok         int64
+	Fltanget           int64
+	Fltanretry         int64
+	Fltamcopy          int64
+	Fltnamap           int64
+	Fltnomap           int64
+	Fltlget            int64
+	Fltget             int64
+	Flt_anon           int64
+	Flt_acow           int64
+	Flt_obj            int64
+	Flt_prcopy         int64
+	Flt_przero         int64
+	Pdwoke             int64
+	Pdrevs             int64
+	Unused4            int64
+	Pdfreed            int64
+	Pdscans            int64
+	Pdanscan           int64
+	Pdobscan           int64
+	Pdreact            int64
+	Pdbusy             int64
+	Pdpageouts         int64
+	Pdpending          int64
+	Pddeact            int64
+	Anonpages          int64
+	Filepages          int64
+	Execpages          int64
+	Colorhit           int64
+	Colormiss          int64
+	Ncolors            int64
+	Bootpages          int64
+	Poolpages          int64
+}
+
 const SizeofClockinfo = 0x14
 
 type Clockinfo struct {
diff --git a/vendor/golang.org/x/sys/unix/ztypes_netbsd_arm64.go b/vendor/golang.org/x/sys/unix/ztypes_netbsd_arm64.go
index c844e7096..11121151c 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_netbsd_arm64.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_netbsd_arm64.go
@@ -499,6 +499,90 @@ type Utsname struct {
 	Machine  [256]byte
 }
 
+const SizeofUvmexp = 0x278
+
+type Uvmexp struct {
+	Pagesize           int64
+	Pagemask           int64
+	Pageshift          int64
+	Npages             int64
+	Free               int64
+	Active             int64
+	Inactive           int64
+	Paging             int64
+	Wired              int64
+	Zeropages          int64
+	Reserve_pagedaemon int64
+	Reserve_kernel     int64
+	Freemin            int64
+	Freetarg           int64
+	Inactarg           int64
+	Wiredmax           int64
+	Nswapdev           int64
+	Swpages            int64
+	Swpginuse          int64
+	Swpgonly           int64
+	Nswget             int64
+	Unused1            int64
+	Cpuhit             int64
+	Cpumiss            int64
+	Faults             int64
+	Traps              int64
+	Intrs              int64
+	Swtch              int64
+	Softs              int64
+	Syscalls           int64
+	Pageins            int64
+	Swapins            int64
+	Swapouts           int64
+	Pgswapin           int64
+	Pgswapout          int64
+	Forks              int64
+	Forks_ppwait       int64
+	Forks_sharevm      int64
+	Pga_zerohit        int64
+	Pga_zeromiss       int64
+	Zeroaborts         int64
+	Fltnoram           int64
+	Fltnoanon          int64
+	Fltpgwait          int64
+	Fltpgrele          int64
+	Fltrelck           int64
+	Fltrelckok         int64
+	Fltanget           int64
+	Fltanretry         int64
+	Fltamcopy          int64
+	Fltnamap           int64
+	Fltnomap           int64
+	Fltlget            int64
+	Fltget             int64
+	Flt_anon           int64
+	Flt_acow           int64
+	Flt_obj            int64
+	Flt_prcopy         int64
+	Flt_przero         int64
+	Pdwoke             int64
+	Pdrevs             int64
+	Unused4            int64
+	Pdfreed            int64
+	Pdscans            int64
+	Pdanscan           int64
+	Pdobscan           int64
+	Pdreact            int64
+	Pdbusy             int64
+	Pdpageouts         int64
+	Pdpending          int64
+	Pddeact            int64
+	Anonpages          int64
+	Filepages          int64
+	Execpages          int64
+	Colorhit           int64
+	Colormiss          int64
+	Ncolors            int64
+	Bootpages          int64
+	Poolpages          int64
+}
+
 const SizeofClockinfo = 0x14
 
 type Clockinfo struct {
diff --git a/vendor/golang.org/x/sys/unix/ztypes_openbsd_386.go b/vendor/golang.org/x/sys/unix/ztypes_openbsd_386.go
index 2ed718ca0..26eba23b7 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_openbsd_386.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_openbsd_386.go
@@ -58,22 +58,22 @@ type Rlimit struct {
 type _Gid_t uint32
 
 type Stat_t struct {
-	Mode           uint32
-	Dev            int32
-	Ino            uint64
-	Nlink          uint32
-	Uid            uint32
-	Gid            uint32
-	Rdev           int32
-	Atim           Timespec
-	Mtim           Timespec
-	Ctim           Timespec
-	Size           int64
-	Blocks         int64
-	Blksize        uint32
-	Flags          uint32
-	Gen            uint32
-	X__st_birthtim Timespec
+	Mode    uint32
+	Dev     int32
+	Ino     uint64
+	Nlink   uint32
+	Uid     uint32
+	Gid     uint32
+	Rdev    int32
+	Atim    Timespec
+	Mtim    Timespec
+	Ctim    Timespec
+	Size    int64
+	Blocks  int64
+	Blksize int32
+	Flags   uint32
+	Gen     uint32
+	_       Timespec
 }
 
 type Statfs_t struct {
@@ -98,7 +98,7 @@ type Statfs_t struct {
 	F_mntonname   [90]byte
 	F_mntfromname [90]byte
 	F_mntfromspec [90]byte
-	Pad_cgo_0     [2]byte
+	_             [2]byte
 	Mount_info    [160]byte
 }
 
@@ -111,13 +111,13 @@ type Flock_t struct {
 }
 
 type Dirent struct {
-	Fileno       uint64
-	Off          int64
-	Reclen       uint16
-	Type         uint8
-	Namlen       uint8
-	X__d_padding [4]uint8
-	Name         [256]int8
+	Fileno uint64
+	Off    int64
+	Reclen uint16
+	Type   uint8
+	Namlen uint8
+	_      [4]uint8
+	Name   [256]int8
 }
 
 type Fsid struct {
@@ -262,8 +262,8 @@ type FdSet struct {
 }
 
 const (
-	SizeofIfMsghdr         = 0xec
-	SizeofIfData           = 0xd4
+	SizeofIfMsghdr         = 0xa0
+	SizeofIfData           = 0x88
 	SizeofIfaMsghdr        = 0x18
 	SizeofIfAnnounceMsghdr = 0x1a
 	SizeofRtMsghdr         = 0x60
@@ -292,7 +292,7 @@ type IfData struct {
 	Link_state   uint8
 	Mtu          uint32
 	Metric       uint32
-	Pad          uint32
+	Rdomain      uint32
 	Baudrate     uint64
 	Ipackets     uint64
 	Ierrors      uint64
@@ -304,10 +304,10 @@ type IfData struct {
 	Imcasts      uint64
 	Omcasts      uint64
 	Iqdrops      uint64
+	Oqdrops      uint64
 	Noproto      uint64
 	Capabilities uint32
 	Lastchange   Timeval
-	Mclpool      [7]Mclpool
 }
 
 type IfaMsghdr struct {
@@ -368,20 +368,12 @@ type RtMetrics struct {
 	Pad      uint32
 }
 
-type Mclpool struct {
-	Grown int32
-	Alive uint16
-	Hwm   uint16
-	Cwm   uint16
-	Lwm   uint16
-}
-
 const (
 	SizeofBpfVersion = 0x4
 	SizeofBpfStat    = 0x8
 	SizeofBpfProgram = 0x8
 	SizeofBpfInsn    = 0x8
-	SizeofBpfHdr     = 0x14
+	SizeofBpfHdr     = 0x18
 )
 
 type BpfVersion struct {
@@ -407,11 +399,14 @@ type BpfInsn struct {
 }
 
 type BpfHdr struct {
-	Tstamp    BpfTimeval
-	Caplen    uint32
-	Datalen   uint32
-	Hdrlen    uint16
-	Pad_cgo_0 [2]byte
+	Tstamp  BpfTimeval
+	Caplen  uint32
+	Datalen uint32
+	Hdrlen  uint16
+	Ifidx   uint16
+	Flowid  uint16
+	Flags   uint8
+	Drops   uint8
 }
 
 type BpfTimeval struct {
@@ -488,7 +483,7 @@ type Uvmexp struct {
 	Zeropages          int32
 	Reserve_pagedaemon int32
 	Reserve_kernel     int32
-	Anonpages          int32
+	Unused01           int32
 	Vnodepages         int32
 	Vtextpages         int32
 	Freemin            int32
@@ -507,8 +502,8 @@ type Uvmexp struct {
 	Swpgonly           int32
 	Nswget             int32
 	Nanon              int32
-	Nanonneeded        int32
-	Nfreeanon          int32
+	Unused05           int32
+	Unused06           int32
 	Faults             int32
 	Traps              int32
 	Intrs              int32
@@ -516,8 +511,8 @@ type Uvmexp struct {
 	Softs              int32
 	Syscalls           int32
 	Pageins            int32
-	Obsolete_swapins   int32
-	Obsolete_swapouts  int32
+	Unused07           int32
+	Unused08           int32
 	Pgswapin           int32
 	Pgswapout          int32
 	Forks              int32
@@ -525,7 +520,7 @@ type Uvmexp struct {
 	Forks_sharevm      int32
 	Pga_zerohit        int32
 	Pga_zeromiss       int32
-	Zeroaborts         int32
+	Unused09           int32
 	Fltnoram           int32
 	Fltnoanon          int32
 	Fltnoamap          int32
@@ -557,9 +552,9 @@ type Uvmexp struct {
 	Pdpageouts         int32
 	Pdpending          int32
 	Pddeact            int32
-	Pdreanon           int32
-	Pdrevnode          int32
-	Pdrevtext          int32
+	Unused11           int32
+	Unused12           int32
+	Unused13           int32
 	Fpswtch            int32
 	Kmapent            int32
 }
diff --git a/vendor/golang.org/x/sys/unix/ztypes_openbsd_amd64.go b/vendor/golang.org/x/sys/unix/ztypes_openbsd_amd64.go
index b4fb97ebe..5a5479886 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_openbsd_amd64.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_openbsd_amd64.go
@@ -73,7 +73,6 @@ type Stat_t struct {
 	Blksize int32
 	Flags   uint32
 	Gen     uint32
-	_       [4]byte
 	_       Timespec
 }
 
@@ -81,7 +80,6 @@ type Statfs_t struct {
 	F_flags       uint32
 	F_bsize       uint32
 	F_iosize      uint32
-	_             [4]byte
 	F_blocks      uint64
 	F_bfree       uint64
 	F_bavail      int64
@@ -200,10 +198,8 @@ type IPv6Mreq struct {
 type Msghdr struct {
 	Name       *byte
 	Namelen    uint32
-	_          [4]byte
 	Iov        *Iovec
 	Iovlen     uint32
-	_          [4]byte
 	Control    *byte
 	Controllen uint32
 	Flags      int32
@@ -311,7 +307,6 @@ type IfData struct {
 	Oqdrops      uint64
 	Noproto      uint64
 	Capabilities uint32
-	_            [4]byte
 	Lastchange   Timeval
 }
 
@@ -373,14 +368,12 @@ type RtMetrics struct {
 	Pad      uint32
 }
 
-type Mclpool struct{}
-
 const (
 	SizeofBpfVersion = 0x4
 	SizeofBpfStat    = 0x8
 	SizeofBpfProgram = 0x10
 	SizeofBpfInsn    = 0x8
-	SizeofBpfHdr     = 0x14
+	SizeofBpfHdr     = 0x18
 )
 
 type BpfVersion struct {
@@ -395,7 +388,6 @@ type BpfStat struct {
 
 type BpfProgram struct {
 	Len   uint32
-	_     [4]byte
 	Insns *BpfInsn
 }
 
@@ -411,7 +403,10 @@ type BpfHdr struct {
 	Caplen  uint32
 	Datalen uint32
 	Hdrlen  uint16
-	_       [2]byte
+	Ifidx   uint16
+	Flowid  uint16
+	Flags   uint8
+	Drops   uint8
 }
 
 type BpfTimeval struct {
@@ -488,7 +483,7 @@ type Uvmexp struct {
 	Zeropages          int32
 	Reserve_pagedaemon int32
 	Reserve_kernel     int32
-	Anonpages          int32
+	Unused01           int32
 	Vnodepages         int32
 	Vtextpages         int32
 	Freemin            int32
@@ -507,8 +502,8 @@ type Uvmexp struct {
 	Swpgonly           int32
 	Nswget             int32
 	Nanon              int32
-	Nanonneeded        int32
-	Nfreeanon          int32
+	Unused05           int32
+	Unused06           int32
 	Faults             int32
 	Traps              int32
 	Intrs              int32
@@ -516,8 +511,8 @@ type Uvmexp struct {
 	Softs              int32
 	Syscalls           int32
 	Pageins            int32
-	Obsolete_swapins   int32
-	Obsolete_swapouts  int32
+	Unused07           int32
+	Unused08           int32
 	Pgswapin           int32
 	Pgswapout          int32
 	Forks              int32
@@ -525,7 +520,7 @@ type Uvmexp struct {
 	Forks_sharevm      int32
 	Pga_zerohit        int32
 	Pga_zeromiss       int32
-	Zeroaborts         int32
+	Unused09           int32
 	Fltnoram           int32
 	Fltnoanon          int32
 	Fltnoamap          int32
@@ -557,9 +552,9 @@ type Uvmexp struct {
 	Pdpageouts         int32
 	Pdpending          int32
 	Pddeact            int32
-	Pdreanon           int32
-	Pdrevnode          int32
-	Pdrevtext          int32
+	Unused11           int32
+	Unused12           int32
+	Unused13           int32
 	Fpswtch            int32
 	Kmapent            int32
 }
diff --git a/vendor/golang.org/x/sys/unix/ztypes_openbsd_arm.go b/vendor/golang.org/x/sys/unix/ztypes_openbsd_arm.go
index 2c4675040..be58c4e1f 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_openbsd_arm.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_openbsd_arm.go
@@ -375,14 +375,12 @@ type RtMetrics struct {
 	Pad      uint32
 }
 
-type Mclpool struct{}
-
 const (
 	SizeofBpfVersion = 0x4
 	SizeofBpfStat    = 0x8
 	SizeofBpfProgram = 0x8
 	SizeofBpfInsn    = 0x8
-	SizeofBpfHdr     = 0x14
+	SizeofBpfHdr     = 0x18
 )
 
 type BpfVersion struct {
@@ -412,7 +410,10 @@ type BpfHdr struct {
 	Caplen  uint32
 	Datalen uint32
 	Hdrlen  uint16
-	_       [2]byte
+	Ifidx   uint16
+	Flowid  uint16
+	Flags   uint8
+	Drops   uint8
 }
 
 type BpfTimeval struct {
diff --git a/vendor/golang.org/x/sys/unix/ztypes_openbsd_arm64.go b/vendor/golang.org/x/sys/unix/ztypes_openbsd_arm64.go
index ddee04514..52338266c 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_openbsd_arm64.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_openbsd_arm64.go
@@ -368,14 +368,12 @@ type RtMetrics struct {
 	Pad      uint32
 }
 
-type Mclpool struct{}
-
 const (
 	SizeofBpfVersion = 0x4
 	SizeofBpfStat    = 0x8
 	SizeofBpfProgram = 0x10
 	SizeofBpfInsn    = 0x8
-	SizeofBpfHdr     = 0x14
+	SizeofBpfHdr     = 0x18
 )
 
 type BpfVersion struct {
@@ -405,7 +403,10 @@ type BpfHdr struct {
 	Caplen  uint32
 	Datalen uint32
 	Hdrlen  uint16
-	_       [2]byte
+	Ifidx   uint16
+	Flowid  uint16
+	Flags   uint8
+	Drops   uint8
 }
 
 type BpfTimeval struct {
diff --git a/vendor/golang.org/x/sys/unix/ztypes_openbsd_mips64.go b/vendor/golang.org/x/sys/unix/ztypes_openbsd_mips64.go
index eb13d4e8b..605cfdb12 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_openbsd_mips64.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_openbsd_mips64.go
@@ -368,14 +368,12 @@ type RtMetrics struct {
 	Pad      uint32
 }
 
-type Mclpool struct{}
-
 const (
 	SizeofBpfVersion = 0x4
 	SizeofBpfStat    = 0x8
 	SizeofBpfProgram = 0x10
 	SizeofBpfInsn    = 0x8
-	SizeofBpfHdr     = 0x14
+	SizeofBpfHdr     = 0x18
 )
 
 type BpfVersion struct {
@@ -405,7 +403,10 @@ type BpfHdr struct {
 	Caplen  uint32
 	Datalen uint32
 	Hdrlen  uint16
-	_       [2]byte
+	Ifidx   uint16
+	Flowid  uint16
+	Flags   uint8
+	Drops   uint8
 }
 
 type BpfTimeval struct {
diff --git a/vendor/k8s.io/kube-openapi/pkg/internal/flags.go b/vendor/k8s.io/kube-openapi/pkg/internal/flags.go
new file mode 100644
index 000000000..3ff3c8d89
--- /dev/null
+++ b/vendor/k8s.io/kube-openapi/pkg/internal/flags.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package internal
+
+// Used by tests to selectively disable experimental JSON unmarshaler
+var UseOptimizedJSONUnmarshaling bool = true
diff --git a/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/AUTHORS b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/AUTHORS
new file mode 100644
index 000000000..2b00ddba0
--- /dev/null
+++ b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/AUTHORS
@@ -0,0 +1,3 @@
+# This source code refers to The Go Authors for copyright purposes.
+# The master list of authors is in the main Go distribution,
+# visible at https://tip.golang.org/AUTHORS.
diff --git a/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/CONTRIBUTORS b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/CONTRIBUTORS
new file mode 100644
index 000000000..1fbd3e976
--- /dev/null
+++ b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/CONTRIBUTORS
@@ -0,0 +1,3 @@
+# This source code was written by the Go contributors.
+# The master list of contributors is in the main Go distribution,
+# visible at https://tip.golang.org/CONTRIBUTORS.
diff --git a/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/LICENSE b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/LICENSE
new file mode 100644
index 000000000..244127300
--- /dev/null
+++ b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/LICENSE
@@ -0,0 +1,27 @@
+Copyright (c) 2020 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/README.md b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/README.md
new file mode 100644
index 000000000..0349adf69
--- /dev/null
+++ b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/README.md
@@ -0,0 +1,321 @@
+# JSON Serialization (v2)
+
+[![GoDev](https://img.shields.io/static/v1?label=godev&message=reference&color=00add8)](https://pkg.go.dev/github.com/go-json-experiment/json)
+[![Build Status](https://github.com/go-json-experiment/json/actions/workflows/test.yml/badge.svg?branch=master)](https://github.com/go-json-experiment/json/actions)
+
+This module hosts an experimental implementation of v2 `encoding/json`.
+The API is unstable and breaking changes will regularly be made.
+Do not depend on this in publicly available modules.
+
+## Goals and objectives
+
+* **Mostly backwards compatible:** If possible, v2 should aim to be _mostly_
+compatible with v1 in terms of both API and default behavior to ease migration.
+For example, the `Marshal` and `Unmarshal` functions are the most widely used
+declarations in the v1 package. It seems sensible for equivalent functionality
+in v2 to be named the same and have the same signature.
+Behaviorally, we should aim for 95% to 99% backwards compatibility.
+We do not aim for 100% compatibility since we want the freedom to break
+certain behaviors that are now considered to have been a mistake.
+We may provide options that can bring the v2 implementation to 100% compatibility,
+but it will not be the default.
+
+* **More flexible:** There is a
+[long list of feature requests](https://github.com/golang/go/issues?q=is%3Aissue+is%3Aopen+encoding%2Fjson+in%3Atitle).
+We should aim to provide the most flexible features that addresses most usages.
+We do not want to over fit the v2 API to handle every possible use case.
+Ideally, the features provided should be orthogonal in nature such that
+any combination of features results in as few surprising edge cases as possible.
+
+* **More performant:** JSON serialization is widely used and any bit of extra
+performance gains will be greatly appreciated. Some rarely used behaviors of v1
+may be dropped in favor of better performance. For example,
+despite `Encoder` and `Decoder` operating on an `io.Writer` and `io.Reader`,
+they do not operate in a truly streaming manner,
+leading to a loss in performance. The v2 implementation should aim to be truly
+streaming by default (see [#33714](https://golang.org/issue/33714)).
+
+* **Easy to use (hard to misuse):** The v2 API should aim to make
+the common case easy and the less common case at least possible.
+The API should avoid behavior that goes contrary to user expectation,
+which may result in subtle bugs (see [#36225](https://golang.org/issue/36225)).
+
+* **v1 and v2 maintainability:** Since the v1 implementation must stay forever,
+it would be beneficial if v1 could be implemented under the hood with v2,
+allowing for less maintenance burden in the future. This probably implies that
+behavioral changes in v2 relative to v1 need to be exposed as options.
+
+* **Avoid unsafe:** Standard library packages generally avoid the use of
+package `unsafe` even if it could provide a performance boost.
+We aim to preserve this property.
+
+## Expectations
+
+While this module aims to possibly be the v2 implementation of `encoding/json`,
+there is no guarantee that this outcome will occur. As with any major change
+to the Go standard library, this will eventually go through the
+[Go proposal process](https://github.com/golang/proposal#readme).
+At the present moment, this is still in the design and experimentation phase
+and is not ready for a formal proposal.
+
+There are several possible outcomes from this experiment:
+1. We determine that a v2 `encoding/json` would not provide sufficient benefit
+over the existing v1 `encoding/json` package. Thus, we abandon this effort.
+2. We propose a v2 `encoding/json` design, but it is rejected in favor of some
+other design that is considered superior.
+3. We propose a v2 `encoding/json` design, but rather than adding an entirely
+new v2 `encoding/json` package, we decide to merge its functionality into
+the existing v1 `encoding/json` package.
+4. We propose a v2 `encoding/json` design and it is accepted, resulting in
+its addition to the standard library.
+5. Some other unforeseen outcome (among the infinite number of possibilities).
+
+## Development
+
+This module is primarily developed by
+[@dsnet](https://github.com/dsnet),
+[@mvdan](https://github.com/mvdan), and
+[@johanbrandhorst](https://github.com/johanbrandhorst)
+with feedback provided by
+[@rogpeppe](https://github.com/rogpeppe),
+[@ChrisHines](https://github.com/ChrisHines), and
+[@rsc](https://github.com/rsc).
+
+Discussion about semantics occur semi-regularly, where a
+[record of past meetings can be found here](https://docs.google.com/document/d/1rovrOTd-wTawGMPPlPuKhwXaYBg9VszTXR9AQQL5LfI/edit?usp=sharing).
+
+## Design overview
+
+This package aims to provide a clean separation between syntax and semantics.
+Syntax deals with the structural representation of JSON (as specified in
+[RFC 4627](https://tools.ietf.org/html/rfc4627),
+[RFC 7159](https://tools.ietf.org/html/rfc7159),
+[RFC 7493](https://tools.ietf.org/html/rfc7493),
+[RFC 8259](https://tools.ietf.org/html/rfc8259), and
+[RFC 8785](https://tools.ietf.org/html/rfc8785)).
+Semantics deals with the meaning of syntactic data as usable application data.
+
+The `Encoder` and `Decoder` types are streaming tokenizers concerned with the
+packing or parsing of JSON data. They operate on `Token` and `RawValue` types
+which represent the common data structures that are representable in JSON.
+`Encoder` and `Decoder` do not aim to provide any interpretation of the data.
+
+Functions like `Marshal`, `MarshalFull`, `MarshalNext`, `Unmarshal`,
+`UnmarshalFull`, and `UnmarshalNext` provide semantic meaning by correlating
+any arbitrary Go type with some JSON representation of that type (as stored in
+data types like `[]byte`, `io.Writer`, `io.Reader`, `Encoder`, or `Decoder`).
+
+![API overview](api.png)
+
+This diagram provides a high-level overview of the v2 `json` package.
+Purple blocks represent types, while blue blocks represent functions or methods.
+The arrows and their direction represent the approximate flow of data.
+The bottom half of the diagram contains functionality that is only concerned
+with syntax, while the upper half contains functionality that assigns
+semantic meaning to syntactic data handled by the bottom half.
+
+In contrast to v1 `encoding/json`, options are represented as separate types
+rather than being setter methods on the `Encoder` or `Decoder` types.
+
+## Behavior changes
+
+The v2 `json` package changes the default behavior of `Marshal` and `Unmarshal`
+relative to the v1 `json` package to be more sensible.
+Some of these behavior changes have options and workarounds to opt into
+behavior similar to what v1 provided.
+
+This table shows an overview of the changes:
+
+| v1 | v2 | Details |
+| -- | -- | ------- |
+| JSON object members are unmarshaled into a Go struct using a **case-insensitive name match**. | JSON object members are unmarshaled into a Go struct using a **case-sensitive name match**. | [CaseSensitivity](/diff_test.go#:~:text=TestCaseSensitivity) |
+| When marshaling a Go struct, a struct field marked as `omitempty` is omitted if **the field value is an empty Go value**, which is defined as false, 0, a nil pointer, a nil interface value, and any empty array, slice, map, or string. | When marshaling a Go struct, a struct field marked as `omitempty` is omitted if **the field value would encode as an empty JSON value**, which is defined as a JSON null, or an empty JSON string, object, or array. | [OmitEmptyOption](/diff_test.go#:~:text=TestOmitEmptyOption) |
+| The `string` option **does affect** Go bools. | The `string` option **does not affect** Go bools. | [StringOption](/diff_test.go#:~:text=TestStringOption) |
+| The `string` option **does not recursively affect** sub-values of the Go field value. | The `string` option **does recursively affect** sub-values of the Go field value. | [StringOption](/diff_test.go#:~:text=TestStringOption) |
+| The `string` option **sometimes accepts** a JSON null escaped within a JSON string. | The `string` option **never accepts** a JSON null escaped within a JSON string. | [StringOption](/diff_test.go#:~:text=TestStringOption) |
+| A nil Go slice is marshaled as a **JSON null**. | A nil Go slice is marshaled as an **empty JSON array**. | [NilSlicesAndMaps](/diff_test.go#:~:text=TestNilSlicesAndMaps) |
+| A nil Go map is marshaled as a **JSON null**. | A nil Go map is marshaled as an **empty JSON object**. | [NilSlicesAndMaps](/diff_test.go#:~:text=TestNilSlicesAndMaps) |
+| A Go array may be unmarshaled from a **JSON array of any length**. | A Go array must be unmarshaled from a **JSON array of the same length**. | [Arrays](/diff_test.go#:~:text=Arrays) |
+| A Go byte array is represented as a **JSON array of JSON numbers**. | A Go byte array is represented as a **Base64-encoded JSON string**. | [ByteArrays](/diff_test.go#:~:text=TestByteArrays) |
+| `MarshalJSON` and `UnmarshalJSON` methods declared on a pointer receiver are **inconsistently called**. | `MarshalJSON` and `UnmarshalJSON` methods declared on a pointer receiver are **consistently called**. | [PointerReceiver](/diff_test.go#:~:text=TestPointerReceiver) |
+| A Go map is marshaled in a **deterministic order**. | A Go map is marshaled in a **non-deterministic order**. | [MapDeterminism](/diff_test.go#:~:text=TestMapDeterminism) |
+| JSON strings are encoded **with HTML-specific characters being escaped**. | JSON strings are encoded **without any characters being escaped** (unless necessary). | [EscapeHTML](/diff_test.go#:~:text=TestEscapeHTML) |
+| When marshaling, invalid UTF-8 within a Go string **are silently replaced**. | When marshaling, invalid UTF-8 within a Go string **results in an error**. | [InvalidUTF8](/diff_test.go#:~:text=TestInvalidUTF8) |
+| When unmarshaling, invalid UTF-8 within a JSON string **are silently replaced**. | When unmarshaling, invalid UTF-8 within a JSON string **results in an error**. | [InvalidUTF8](/diff_test.go#:~:text=TestInvalidUTF8) |
+| When marshaling, **an error does not occur** if the output JSON value contains objects with duplicate names. | When marshaling, **an error does occur** if the output JSON value contains objects with duplicate names. | [DuplicateNames](/diff_test.go#:~:text=TestDuplicateNames) |
+| When unmarshaling, **an error does not occur** if the input JSON value contains objects with duplicate names. | When unmarshaling, **an error does occur** if the input JSON value contains objects with duplicate names. | [DuplicateNames](/diff_test.go#:~:text=TestDuplicateNames) |
+| Unmarshaling a JSON null into a non-empty Go value **inconsistently clears the value or does nothing**. | Unmarshaling a JSON null into a non-empty Go value **always clears the value**. | [MergeNull](/diff_test.go#:~:text=TestMergeNull) |
+| Unmarshaling a JSON value into a non-empty Go value **follows inconsistent and bizarre behavior**. | Unmarshaling a JSON value into a non-empty Go value **always merges if the input is an object, and otherwise replaces**.  | [MergeComposite](/diff_test.go#:~:text=TestMergeComposite) |
+| A `time.Duration` is represented as a **JSON number containing the decimal number of nanoseconds**. | A `time.Duration` is represented as a **JSON string containing the formatted duration (e.g., "1h2m3.456s")**. | [TimeDurations](/diff_test.go#:~:text=TestTimeDurations) |
+| Unmarshaling a JSON number into a Go float beyond its representation **results in an error**. | Unmarshaling a JSON number into a Go float beyond its representation **uses the closest representable value (e.g., ±`math.MaxFloat`)**. | [MaxFloats](/diff_test.go#:~:text=TestMaxFloats) |
+| A Go struct with only unexported fields **can be serialized**. | A Go struct with only unexported fields **cannot be serialized**. | [EmptyStructs](/diff_test.go#:~:text=TestEmptyStructs) |
+| A Go struct that embeds an unexported struct type **can sometimes be serialized**. | A Go struct that embeds an unexported struct type **cannot be serialized**. | [EmbedUnexported](/diff_test.go#:~:text=TestEmbedUnexported) |
+
+See [diff_test.go](/diff_test.go) for details about every change.
+
+## Performance
+
+One of the goals of the v2 module is to be more performant than v1.
+
+Each of the charts below show the performance across
+several different JSON implementations:
+
+* `JSONv1` is `encoding/json` at `v1.18.2`
+* `JSONv2` is `github.com/go-json-experiment/json` at `v0.0.0-20220524042235-dd8be80fc4a7`
+* `JSONIterator` is `github.com/json-iterator/go` at `v1.1.12`
+* `SegmentJSON` is `github.com/segmentio/encoding/json` at `v0.3.5`
+* `GoJSON` is `github.com/goccy/go-json` at `v0.9.7`
+* `SonicJSON` is `github.com/bytedance/sonic` at `v1.3.0`
+
+Benchmarks were run across various datasets:
+
+* `CanadaGeometry` is a GeoJSON (RFC 7946) representation of Canada.
+  It contains many JSON arrays of arrays of two-element arrays of numbers.
+* `CITMCatalog` contains many JSON objects using numeric names.
+* `SyntheaFHIR` is sample JSON data from the healthcare industry.
+  It contains many nested JSON objects with mostly string values,
+  where the set of unique string values is relatively small.
+* `TwitterStatus` is the JSON response from the Twitter API.
+  It contains a mix of all different JSON kinds, where string values
+  are a mix of both single-byte ASCII and multi-byte Unicode.
+* `GolangSource` is a simple tree representing the Go source code.
+  It contains many nested JSON objects, each with the same schema.
+* `StringUnicode` contains many strings with multi-byte Unicode runes.
+
+All of the implementations other than `JSONv1` and `JSONv2` make
+extensive use of `unsafe`. As such, we expect those to generally be faster,
+but at the cost of memory and type safety. `SonicJSON` goes a step even further
+and uses just-in-time compilation to generate machine code specialized
+for the Go type being marshaled or unmarshaled.
+Also, `SonicJSON` does not validate JSON strings for valid UTF-8,
+and so gains a notable performance boost on datasets with multi-byte Unicode.
+Benchmarks are performed based on the default marshal and unmarshal behavior
+of each package. Note that `JSONv2` aims to be safe and correct by default,
+which may not be the most performant strategy.
+
+`JSONv2` has several semantic changes relative to `JSONv1` that
+impacts performance:
+
+1.  When marshaling, `JSONv2` no longer sorts the keys of a Go map.
+    This will improve performance.
+2.  When marshaling or unmarshaling, `JSONv2` always checks
+    to make sure JSON object names are unique.
+    This will hurt performance, but is more correct.
+3.  When marshaling or unmarshaling, `JSONv2` always
+    shallow copies the underlying value for a Go interface and
+    shallow copies the key and value for entries in a Go map.
+    This is done to keep the value as addressable so that `JSONv2` can
+    call methods and functions that operate on a pointer receiver.
+    This will hurt performance, but is more correct.
+
+All of the charts are unit-less since the values are normalized
+relative to `JSONv1`, which is why `JSONv1` always has a value of 1.
+A lower value is better (i.e., runs faster).
+
+Benchmarks were performed on an AMD Ryzen 9 5900X.
+
+The code for the benchmarks is located at
+https://github.com/go-json-experiment/jsonbench.
+
+### Marshal Performance
+
+#### Concrete types
+
+![Benchmark Marshal Concrete](benchmark-marshal-concrete.png)
+
+* This compares marshal performance when serializing
+  [from concrete types](/testdata_test.go).
+* The `JSONv1` implementation is close to optimal (without the use of `unsafe`).
+* Relative to `JSONv1`, `JSONv2` is generally as fast or slightly faster.
+* Relative to `JSONIterator`, `JSONv2` is up to 1.3x faster.
+* Relative to `SegmentJSON`, `JSONv2` is up to 1.8x slower.
+* Relative to `GoJSON`, `JSONv2` is up to 2.0x slower.
+* Relative to `SonicJSON`, `JSONv2` is about 1.8x to 3.2x slower
+  (ignoring `StringUnicode` since `SonicJSON` does not validate UTF-8).
+* For `JSONv1` and `JSONv2`, marshaling from concrete types is
+  mostly limited by the performance of Go reflection.
+
+#### Interface types
+
+![Benchmark Marshal Interface](benchmark-marshal-interface.png)
+
+* This compares marshal performance when serializing from
+  `any`, `map[string]any`, and `[]any` types.
+* Relative to `JSONv1`, `JSONv2` is about 1.5x to 4.2x faster.
+* Relative to `JSONIterator`, `JSONv2` is about 1.1x to 2.4x faster.
+* Relative to `SegmentJSON`, `JSONv2` is about 1.2x to 1.8x faster.
+* Relative to `GoJSON`, `JSONv2` is about 1.1x to 2.5x faster.
+* Relative to `SonicJSON`, `JSONv2` is up to 1.5x slower
+  (ignoring `StringUnicode` since `SonicJSON` does not validate UTF-8).
+* `JSONv2` is faster than the alternatives.
+  One advantange is because it does not sort the keys for a `map[string]any`,
+  while alternatives (except `SonicJSON` and `JSONIterator`) do sort the keys.
+
+#### RawValue types
+
+![Benchmark Marshal Rawvalue](benchmark-marshal-rawvalue.png)
+
+* This compares performance when marshaling from a `json.RawValue`.
+  This mostly exercises the underlying encoder and
+  hides the cost of Go reflection.
+* Relative to `JSONv1`, `JSONv2` is about 3.5x to 7.8x faster.
+* `JSONIterator` is blazingly fast because
+  [it does not validate whether the raw value is valid](https://go.dev/play/p/bun9IXQCKRe)
+  and simply copies it to the output.
+* Relative to `SegmentJSON`, `JSONv2` is about 1.5x to 2.7x faster.
+* Relative to `GoJSON`, `JSONv2` is up to 2.2x faster.
+* Relative to `SonicJSON`, `JSONv2` is up to 1.5x faster.
+* Aside from `JSONIterator`, `JSONv2` is generally the fastest.
+
+### Unmarshal Performance
+
+#### Concrete types
+
+![Benchmark Unmarshal Concrete](benchmark-unmarshal-concrete.png)
+
+* This compares unmarshal performance when deserializing
+  [into concrete types](/testdata_test.go).
+* Relative to `JSONv1`, `JSONv2` is about 1.8x to 5.7x faster.
+* Relative to `JSONIterator`, `JSONv2` is about 1.1x to 1.6x slower.
+* Relative to `SegmentJSON`, `JSONv2` is up to 2.5x slower.
+* Relative to `GoJSON`, `JSONv2` is about 1.4x to 2.1x slower.
+* Relative to `SonicJSON`, `JSONv2` is up to 4.0x slower
+  (ignoring `StringUnicode` since `SonicJSON` does not validate UTF-8).
+* For `JSONv1` and `JSONv2`, unmarshaling into concrete types is
+  mostly limited by the performance of Go reflection.
+
+#### Interface types
+
+![Benchmark Unmarshal Interface](benchmark-unmarshal-interface.png)
+
+* This compares unmarshal performance when deserializing into
+  `any`, `map[string]any`, and `[]any` types.
+* Relative to `JSONv1`, `JSONv2` is about 1.tx to 4.3x faster.
+* Relative to `JSONIterator`, `JSONv2` is up to 1.5x faster.
+* Relative to `SegmentJSON`, `JSONv2` is about 1.5 to 3.7x faster.
+* Relative to `GoJSON`, `JSONv2` is up to 1.3x faster.
+* Relative to `SonicJSON`, `JSONv2` is up to 1.5x slower
+  (ignoring `StringUnicode` since `SonicJSON` does not validate UTF-8).
+* Aside from `SonicJSON`, `JSONv2` is generally just as fast
+  or faster than all the alternatives.
+
+#### RawValue types
+
+![Benchmark Unmarshal Rawvalue](benchmark-unmarshal-rawvalue.png)
+
+* This compares performance when unmarshaling into a `json.RawValue`.
+  This mostly exercises the underlying decoder and
+  hides away most of the cost of Go reflection.
+* Relative to `JSONv1`, `JSONv2` is about 8.3x to 17.0x faster.
+* Relative to `JSONIterator`, `JSONv2` is up to 2.0x faster.
+* Relative to `SegmentJSON`, `JSONv2` is up to 1.6x faster or 1.7x slower.
+* Relative to `GoJSON`, `JSONv2` is up to 1.9x faster or 2.1x slower.
+* Relative to `SonicJSON`, `JSONv2` is up to 2.0x faster
+  (ignoring `StringUnicode` since `SonicJSON` does not validate UTF-8).
+* `JSONv1` takes a
+  [lexical scanning approach](https://talks.golang.org/2011/lex.slide#1),
+  which performs a virtual function call for every byte of input.
+  In contrast, `JSONv2` makes heavy use of iterative and linear parsing logic
+  (with extra complexity to resume parsing when encountering segmented buffers).
+* `JSONv2` is comparable to the alternatives that use `unsafe`.
+  Generally it is faster, but sometimes it is slower.
diff --git a/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/arshal.go b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/arshal.go
new file mode 100644
index 000000000..febde20f9
--- /dev/null
+++ b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/arshal.go
@@ -0,0 +1,506 @@
+// Copyright 2020 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package json
+
+import (
+	"errors"
+	"io"
+	"reflect"
+	"sync"
+)
+
+// MarshalOptions configures how Go data is serialized as JSON data.
+// The zero value is equivalent to the default marshal settings.
+type MarshalOptions struct {
+	requireKeyedLiterals
+	nonComparable
+
+	// Marshalers is a list of type-specific marshalers to use.
+	Marshalers *Marshalers
+
+	// StringifyNumbers specifies that numeric Go types should be serialized
+	// as a JSON string containing the equivalent JSON number value.
+	//
+	// According to RFC 8259, section 6, a JSON implementation may choose to
+	// limit the representation of a JSON number to an IEEE 754 binary64 value.
+	// This may cause decoders to lose precision for int64 and uint64 types.
+	// Escaping JSON numbers as a JSON string preserves the exact precision.
+	StringifyNumbers bool
+
+	// DiscardUnknownMembers specifies that marshaling should ignore any
+	// JSON object members stored in Go struct fields dedicated to storing
+	// unknown JSON object members.
+	DiscardUnknownMembers bool
+
+	// formatDepth is the depth at which we respect the format flag.
+	formatDepth int
+	// format is custom formatting for the value at the specified depth.
+	format string
+}
+
+// Marshal serializes a Go value as a []byte with default options.
+// It is a thin wrapper over MarshalOptions.Marshal.
+func Marshal(in any) (out []byte, err error) {
+	return MarshalOptions{}.Marshal(EncodeOptions{}, in)
+}
+
+// MarshalFull serializes a Go value into an io.Writer with default options.
+// It is a thin wrapper over MarshalOptions.MarshalFull.
+func MarshalFull(out io.Writer, in any) error {
+	return MarshalOptions{}.MarshalFull(EncodeOptions{}, out, in)
+}
+
+// Marshal serializes a Go value as a []byte according to the provided
+// marshal and encode options. It does not terminate the output with a newline.
+// See MarshalNext for details about the conversion of a Go value into JSON.
+func (mo MarshalOptions) Marshal(eo EncodeOptions, in any) (out []byte, err error) {
+	enc := getBufferedEncoder(eo)
+	defer putBufferedEncoder(enc)
+	enc.options.omitTopLevelNewline = true
+	err = mo.MarshalNext(enc, in)
+	// TODO(https://go.dev/issue/45038): Use bytes.Clone.
+	return append([]byte(nil), enc.buf...), err
+}
+
+// MarshalFull serializes a Go value into an io.Writer according to the provided
+// marshal and encode options. It does not terminate the output with a newline.
+// See MarshalNext for details about the conversion of a Go value into JSON.
+func (mo MarshalOptions) MarshalFull(eo EncodeOptions, out io.Writer, in any) error {
+	enc := getStreamingEncoder(out, eo)
+	defer putStreamingEncoder(enc)
+	enc.options.omitTopLevelNewline = true
+	err := mo.MarshalNext(enc, in)
+	return err
+}
+
+// MarshalNext encodes a Go value as the next JSON value according to
+// the provided marshal options.
+//
+// Type-specific marshal functions and methods take precedence
+// over the default representation of a value.
+// Functions or methods that operate on *T are only called when encoding
+// a value of type T (by taking its address) or a non-nil value of *T.
+// MarshalNext ensures that a value is always addressable
+// (by boxing it on the heap if necessary) so that
+// these functions and methods can be consistently called. For performance,
+// it is recommended that MarshalNext be passed a non-nil pointer to the value.
+//
+// The input value is encoded as JSON according the following rules:
+//
+//   - If any type-specific functions in MarshalOptions.Marshalers match
+//     the value type, then those functions are called to encode the value.
+//     If all applicable functions return SkipFunc,
+//     then the value is encoded according to subsequent rules.
+//
+//   - If the value type implements MarshalerV2,
+//     then the MarshalNextJSON method is called to encode the value.
+//
+//   - If the value type implements MarshalerV1,
+//     then the MarshalJSON method is called to encode the value.
+//
+//   - If the value type implements encoding.TextMarshaler,
+//     then the MarshalText method is called to encode the value and
+//     subsequently encode its result as a JSON string.
+//
+//   - Otherwise, the value is encoded according to the value's type
+//     as described in detail below.
+//
+// Most Go types have a default JSON representation.
+// Certain types support specialized formatting according to
+// a format flag optionally specified in the Go struct tag
+// for the struct field that contains the current value
+// (see the “JSON Representation of Go structs” section for more details).
+//
+// The representation of each type is as follows:
+//
+//   - A Go boolean is encoded as a JSON boolean (e.g., true or false).
+//     It does not support any custom format flags.
+//
+//   - A Go string is encoded as a JSON string.
+//     It does not support any custom format flags.
+//
+//   - A Go []byte or [N]byte is encoded as a JSON string containing
+//     the binary value encoded using RFC 4648.
+//     If the format is "base64" or unspecified, then this uses RFC 4648, section 4.
+//     If the format is "base64url", then this uses RFC 4648, section 5.
+//     If the format is "base32", then this uses RFC 4648, section 6.
+//     If the format is "base32hex", then this uses RFC 4648, section 7.
+//     If the format is "base16" or "hex", then this uses RFC 4648, section 8.
+//     If the format is "array", then the bytes value is encoded as a JSON array
+//     where each byte is recursively JSON-encoded as each JSON array element.
+//
+//   - A Go integer is encoded as a JSON number without fractions or exponents.
+//     If MarshalOptions.StringifyNumbers is specified, then the JSON number is
+//     encoded within a JSON string. It does not support any custom format
+//     flags.
+//
+//   - A Go float is encoded as a JSON number.
+//     If MarshalOptions.StringifyNumbers is specified,
+//     then the JSON number is encoded within a JSON string.
+//     If the format is "nonfinite", then NaN, +Inf, and -Inf are encoded as
+//     the JSON strings "NaN", "Infinity", and "-Infinity", respectively.
+//     Otherwise, the presence of non-finite numbers results in a SemanticError.
+//
+//   - A Go map is encoded as a JSON object, where each Go map key and value
+//     is recursively encoded as a name and value pair in the JSON object.
+//     The Go map key must encode as a JSON string, otherwise this results
+//     in a SemanticError. When encoding keys, MarshalOptions.StringifyNumbers
+//     is automatically applied so that numeric keys encode as JSON strings.
+//     The Go map is traversed in a non-deterministic order.
+//     For deterministic encoding, consider using RawValue.Canonicalize.
+//     If the format is "emitnull", then a nil map is encoded as a JSON null.
+//     Otherwise by default, a nil map is encoded as an empty JSON object.
+//
+//   - A Go struct is encoded as a JSON object.
+//     See the “JSON Representation of Go structs” section
+//     in the package-level documentation for more details.
+//
+//   - A Go slice is encoded as a JSON array, where each Go slice element
+//     is recursively JSON-encoded as the elements of the JSON array.
+//     If the format is "emitnull", then a nil slice is encoded as a JSON null.
+//     Otherwise by default, a nil slice is encoded as an empty JSON array.
+//
+//   - A Go array is encoded as a JSON array, where each Go array element
+//     is recursively JSON-encoded as the elements of the JSON array.
+//     The JSON array length is always identical to the Go array length.
+//     It does not support any custom format flags.
+//
+//   - A Go pointer is encoded as a JSON null if nil, otherwise it is
+//     the recursively JSON-encoded representation of the underlying value.
+//     Format flags are forwarded to the encoding of the underlying value.
+//
+//   - A Go interface is encoded as a JSON null if nil, otherwise it is
+//     the recursively JSON-encoded representation of the underlying value.
+//     It does not support any custom format flags.
+//
+//   - A Go time.Time is encoded as a JSON string containing the timestamp
+//     formatted in RFC 3339 with nanosecond resolution.
+//     If the format matches one of the format constants declared
+//     in the time package (e.g., RFC1123), then that format is used.
+//     Otherwise, the format is used as-is with time.Time.Format if non-empty.
+//
+//   - A Go time.Duration is encoded as a JSON string containing the duration
+//     formatted according to time.Duration.String.
+//     If the format is "nanos", it is encoded as a JSON number
+//     containing the number of nanoseconds in the duration.
+//
+//   - All other Go types (e.g., complex numbers, channels, and functions)
+//     have no default representation and result in a SemanticError.
+//
+// JSON cannot represent cyclic data structures and
+// MarshalNext does not handle them.
+// Passing cyclic structures will result in an error.
+func (mo MarshalOptions) MarshalNext(out *Encoder, in any) error {
+	v := reflect.ValueOf(in)
+	if !v.IsValid() || (v.Kind() == reflect.Pointer && v.IsNil()) {
+		return out.WriteToken(Null)
+	}
+	// Shallow copy non-pointer values to obtain an addressable value.
+	// It is beneficial to performance to always pass pointers to avoid this.
+	if v.Kind() != reflect.Pointer {
+		v2 := reflect.New(v.Type())
+		v2.Elem().Set(v)
+		v = v2
+	}
+	va := addressableValue{v.Elem()} // dereferenced pointer is always addressable
+	t := va.Type()
+
+	// Lookup and call the marshal function for this type.
+	marshal := lookupArshaler(t).marshal
+	if mo.Marshalers != nil {
+		marshal, _ = mo.Marshalers.lookup(marshal, t)
+	}
+	if err := marshal(mo, out, va); err != nil {
+		if !out.options.AllowDuplicateNames {
+			out.tokens.invalidateDisabledNamespaces()
+		}
+		return err
+	}
+	return nil
+}
+
+// UnmarshalOptions configures how JSON data is deserialized as Go data.
+// The zero value is equivalent to the default unmarshal settings.
+type UnmarshalOptions struct {
+	requireKeyedLiterals
+	nonComparable
+
+	// Unmarshalers is a list of type-specific unmarshalers to use.
+	Unmarshalers *Unmarshalers
+
+	// StringifyNumbers specifies that numeric Go types can be deserialized
+	// from either a JSON number or a JSON string containing a JSON number
+	// without any surrounding whitespace.
+	StringifyNumbers bool
+
+	// RejectUnknownMembers specifies that unknown members should be rejected
+	// when unmarshaling a JSON object, regardless of whether there is a field
+	// to store unknown members.
+	RejectUnknownMembers bool
+
+	// formatDepth is the depth at which we respect the format flag.
+	formatDepth int
+	// format is custom formatting for the value at the specified depth.
+	format string
+}
+
+// Unmarshal deserializes a Go value from a []byte with default options.
+// It is a thin wrapper over UnmarshalOptions.Unmarshal.
+func Unmarshal(in []byte, out any) error {
+	return UnmarshalOptions{}.Unmarshal(DecodeOptions{}, in, out)
+}
+
+// UnmarshalFull deserializes a Go value from an io.Reader with default options.
+// It is a thin wrapper over UnmarshalOptions.UnmarshalFull.
+func UnmarshalFull(in io.Reader, out any) error {
+	return UnmarshalOptions{}.UnmarshalFull(DecodeOptions{}, in, out)
+}
+
+// Unmarshal deserializes a Go value from a []byte according to the
+// provided unmarshal and decode options. The output must be a non-nil pointer.
+// The input must be a single JSON value with optional whitespace interspersed.
+// See UnmarshalNext for details about the conversion of JSON into a Go value.
+func (uo UnmarshalOptions) Unmarshal(do DecodeOptions, in []byte, out any) error {
+	dec := getBufferedDecoder(in, do)
+	defer putBufferedDecoder(dec)
+	return uo.unmarshalFull(dec, out)
+}
+
+// UnmarshalFull deserializes a Go value from an io.Reader according to the
+// provided unmarshal and decode options. The output must be a non-nil pointer.
+// The input must be a single JSON value with optional whitespace interspersed.
+// It consumes the entirety of io.Reader until io.EOF is encountered.
+// See UnmarshalNext for details about the conversion of JSON into a Go value.
+func (uo UnmarshalOptions) UnmarshalFull(do DecodeOptions, in io.Reader, out any) error {
+	dec := getStreamingDecoder(in, do)
+	defer putStreamingDecoder(dec)
+	return uo.unmarshalFull(dec, out)
+}
+func (uo UnmarshalOptions) unmarshalFull(in *Decoder, out any) error {
+	switch err := uo.UnmarshalNext(in, out); err {
+	case nil:
+		return in.checkEOF()
+	case io.EOF:
+		return io.ErrUnexpectedEOF
+	default:
+		return err
+	}
+}
+
+// UnmarshalNext decodes the next JSON value into a Go value according to
+// the provided unmarshal options. The output must be a non-nil pointer.
+//
+// Type-specific unmarshal functions and methods take precedence
+// over the default representation of a value.
+// Functions or methods that operate on *T are only called when decoding
+// a value of type T (by taking its address) or a non-nil value of *T.
+// UnmarshalNext ensures that a value is always addressable
+// (by boxing it on the heap if necessary) so that
+// these functions and methods can be consistently called.
+//
+// The input is decoded into the output according the following rules:
+//
+//   - If any type-specific functions in UnmarshalOptions.Unmarshalers match
+//     the value type, then those functions are called to decode the JSON
+//     value. If all applicable functions return SkipFunc,
+//     then the input is decoded according to subsequent rules.
+//
+//   - If the value type implements UnmarshalerV2,
+//     then the UnmarshalNextJSON method is called to decode the JSON value.
+//
+//   - If the value type implements UnmarshalerV1,
+//     then the UnmarshalJSON method is called to decode the JSON value.
+//
+//   - If the value type implements encoding.TextUnmarshaler,
+//     then the input is decoded as a JSON string and
+//     the UnmarshalText method is called with the decoded string value.
+//     This fails with a SemanticError if the input is not a JSON string.
+//
+//   - Otherwise, the JSON value is decoded according to the value's type
+//     as described in detail below.
+//
+// Most Go types have a default JSON representation.
+// Certain types support specialized formatting according to
+// a format flag optionally specified in the Go struct tag
+// for the struct field that contains the current value
+// (see the “JSON Representation of Go structs” section for more details).
+// A JSON null may be decoded into every supported Go value where
+// it is equivalent to storing the zero value of the Go value.
+// If the input JSON kind is not handled by the current Go value type,
+// then this fails with a SemanticError. Unless otherwise specified,
+// the decoded value replaces any pre-existing value.
+//
+// The representation of each type is as follows:
+//
+//   - A Go boolean is decoded from a JSON boolean (e.g., true or false).
+//     It does not support any custom format flags.
+//
+//   - A Go string is decoded from a JSON string.
+//     It does not support any custom format flags.
+//
+//   - A Go []byte or [N]byte is decoded from a JSON string
+//     containing the binary value encoded using RFC 4648.
+//     If the format is "base64" or unspecified, then this uses RFC 4648, section 4.
+//     If the format is "base64url", then this uses RFC 4648, section 5.
+//     If the format is "base32", then this uses RFC 4648, section 6.
+//     If the format is "base32hex", then this uses RFC 4648, section 7.
+//     If the format is "base16" or "hex", then this uses RFC 4648, section 8.
+//     If the format is "array", then the Go slice or array is decoded from a
+//     JSON array where each JSON element is recursively decoded for each byte.
+//     When decoding into a non-nil []byte, the slice length is reset to zero
+//     and the decoded input is appended to it.
+//     When decoding into a [N]byte, the input must decode to exactly N bytes,
+//     otherwise it fails with a SemanticError.
+//
+//   - A Go integer is decoded from a JSON number.
+//     It may also be decoded from a JSON string containing a JSON number
+//     if UnmarshalOptions.StringifyNumbers is specified.
+//     It fails with a SemanticError if the JSON number
+//     has a fractional or exponent component.
+//     It also fails if it overflows the representation of the Go integer type.
+//     It does not support any custom format flags.
+//
+//   - A Go float is decoded from a JSON number.
+//     It may also be decoded from a JSON string containing a JSON number
+//     if UnmarshalOptions.StringifyNumbers is specified.
+//     The JSON number is parsed as the closest representable Go float value.
+//     If the format is "nonfinite", then the JSON strings
+//     "NaN", "Infinity", and "-Infinity" are decoded as NaN, +Inf, and -Inf.
+//     Otherwise, the presence of such strings results in a SemanticError.
+//
+//   - A Go map is decoded from a JSON object,
+//     where each JSON object name and value pair is recursively decoded
+//     as the Go map key and value. When decoding keys,
+//     UnmarshalOptions.StringifyNumbers is automatically applied so that
+//     numeric keys can decode from JSON strings. Maps are not cleared.
+//     If the Go map is nil, then a new map is allocated to decode into.
+//     If the decoded key matches an existing Go map entry, the entry value
+//     is reused by decoding the JSON object value into it.
+//     The only supported format is "emitnull" and has no effect when decoding.
+//
+//   - A Go struct is decoded from a JSON object.
+//     See the “JSON Representation of Go structs” section
+//     in the package-level documentation for more details.
+//
+//   - A Go slice is decoded from a JSON array, where each JSON element
+//     is recursively decoded and appended to the Go slice.
+//     Before appending into a Go slice, a new slice is allocated if it is nil,
+//     otherwise the slice length is reset to zero.
+//     The only supported format is "emitnull" and has no effect when decoding.
+//
+//   - A Go array is decoded from a JSON array, where each JSON array element
+//     is recursively decoded as each corresponding Go array element.
+//     Each Go array element is zeroed before decoding into it.
+//     It fails with a SemanticError if the JSON array does not contain
+//     the exact same number of elements as the Go array.
+//     It does not support any custom format flags.
+//
+//   - A Go pointer is decoded based on the JSON kind and underlying Go type.
+//     If the input is a JSON null, then this stores a nil pointer.
+//     Otherwise, it allocates a new underlying value if the pointer is nil,
+//     and recursively JSON decodes into the underlying value.
+//     Format flags are forwarded to the decoding of the underlying type.
+//
+//   - A Go interface is decoded based on the JSON kind and underlying Go type.
+//     If the input is a JSON null, then this stores a nil interface value.
+//     Otherwise, a nil interface value of an empty interface type is initialized
+//     with a zero Go bool, string, float64, map[string]any, or []any if the
+//     input is a JSON boolean, string, number, object, or array, respectively.
+//     If the interface value is still nil, then this fails with a SemanticError
+//     since decoding could not determine an appropriate Go type to decode into.
+//     For example, unmarshaling into a nil io.Reader fails since
+//     there is no concrete type to populate the interface value with.
+//     Otherwise an underlying value exists and it recursively decodes
+//     the JSON input into it. It does not support any custom format flags.
+//
+//   - A Go time.Time is decoded from a JSON string containing the time
+//     formatted in RFC 3339 with nanosecond resolution.
+//     If the format matches one of the format constants declared in
+//     the time package (e.g., RFC1123), then that format is used for parsing.
+//     Otherwise, the format is used as-is with time.Time.Parse if non-empty.
+//
+//   - A Go time.Duration is decoded from a JSON string by
+//     passing the decoded string to time.ParseDuration.
+//     If the format is "nanos", it is instead decoded from a JSON number
+//     containing the number of nanoseconds in the duration.
+//
+//   - All other Go types (e.g., complex numbers, channels, and functions)
+//     have no default representation and result in a SemanticError.
+//
+// In general, unmarshaling follows merge semantics (similar to RFC 7396)
+// where the decoded Go value replaces the destination value
+// for any JSON kind other than an object.
+// For JSON objects, the input object is merged into the destination value
+// where matching object members recursively apply merge semantics.
+func (uo UnmarshalOptions) UnmarshalNext(in *Decoder, out any) error {
+	v := reflect.ValueOf(out)
+	if !v.IsValid() || v.Kind() != reflect.Pointer || v.IsNil() {
+		var t reflect.Type
+		if v.IsValid() {
+			t = v.Type()
+			if t.Kind() == reflect.Pointer {
+				t = t.Elem()
+			}
+		}
+		err := errors.New("value must be passed as a non-nil pointer reference")
+		return &SemanticError{action: "unmarshal", GoType: t, Err: err}
+	}
+	va := addressableValue{v.Elem()} // dereferenced pointer is always addressable
+	t := va.Type()
+
+	// Lookup and call the unmarshal function for this type.
+	unmarshal := lookupArshaler(t).unmarshal
+	if uo.Unmarshalers != nil {
+		unmarshal, _ = uo.Unmarshalers.lookup(unmarshal, t)
+	}
+	if err := unmarshal(uo, in, va); err != nil {
+		if !in.options.AllowDuplicateNames {
+			in.tokens.invalidateDisabledNamespaces()
+		}
+		return err
+	}
+	return nil
+}
+
+// addressableValue is a reflect.Value that is guaranteed to be addressable
+// such that calling the Addr and Set methods do not panic.
+//
+// There is no compile magic that enforces this property,
+// but rather the need to construct this type makes it easier to examine each
+// construction site to ensure that this property is upheld.
+type addressableValue struct{ reflect.Value }
+
+// newAddressableValue constructs a new addressable value of type t.
+func newAddressableValue(t reflect.Type) addressableValue {
+	return addressableValue{reflect.New(t).Elem()}
+}
+
+// All marshal and unmarshal behavior is implemented using these signatures.
+type (
+	marshaler   = func(MarshalOptions, *Encoder, addressableValue) error
+	unmarshaler = func(UnmarshalOptions, *Decoder, addressableValue) error
+)
+
+type arshaler struct {
+	marshal    marshaler
+	unmarshal  unmarshaler
+	nonDefault bool
+}
+
+var lookupArshalerCache sync.Map // map[reflect.Type]*arshaler
+
+func lookupArshaler(t reflect.Type) *arshaler {
+	if v, ok := lookupArshalerCache.Load(t); ok {
+		return v.(*arshaler)
+	}
+
+	fncs := makeDefaultArshaler(t)
+	fncs = makeMethodArshaler(fncs, t)
+	fncs = makeTimeArshaler(fncs, t)
+
+	// Use the last stored so that duplicate arshalers can be garbage collected.
+	v, _ := lookupArshalerCache.LoadOrStore(t, fncs)
+	return v.(*arshaler)
+}
diff --git a/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/arshal_any.go b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/arshal_any.go
new file mode 100644
index 000000000..204d0648d
--- /dev/null
+++ b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/arshal_any.go
@@ -0,0 +1,219 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package json
+
+import "reflect"
+
+// This files contains an optimized marshal and unmarshal implementation
+// for the any type. This type is often used when the Go program has
+// no knowledge of the JSON schema. This is a common enough occurrence
+// to justify the complexity of adding logic for this.
+
+func marshalValueAny(mo MarshalOptions, enc *Encoder, val any) error {
+	switch val := val.(type) {
+	case nil:
+		return enc.WriteToken(Null)
+	case bool:
+		return enc.WriteToken(Bool(val))
+	case string:
+		return enc.WriteToken(String(val))
+	case float64:
+		return enc.WriteToken(Float(val))
+	case map[string]any:
+		return marshalObjectAny(mo, enc, val)
+	case []any:
+		return marshalArrayAny(mo, enc, val)
+	default:
+		v := newAddressableValue(reflect.TypeOf(val))
+		v.Set(reflect.ValueOf(val))
+		marshal := lookupArshaler(v.Type()).marshal
+		if mo.Marshalers != nil {
+			marshal, _ = mo.Marshalers.lookup(marshal, v.Type())
+		}
+		return marshal(mo, enc, v)
+	}
+}
+
+func unmarshalValueAny(uo UnmarshalOptions, dec *Decoder) (any, error) {
+	switch k := dec.PeekKind(); k {
+	case '{':
+		return unmarshalObjectAny(uo, dec)
+	case '[':
+		return unmarshalArrayAny(uo, dec)
+	default:
+		var flags valueFlags
+		val, err := dec.readValue(&flags)
+		if err != nil {
+			return nil, err
+		}
+		switch val.Kind() {
+		case 'n':
+			return nil, nil
+		case 'f':
+			return false, nil
+		case 't':
+			return true, nil
+		case '"':
+			val = unescapeStringMayCopy(val, flags.isVerbatim())
+			if dec.stringCache == nil {
+				dec.stringCache = new(stringCache)
+			}
+			return dec.stringCache.make(val), nil
+		case '0':
+			fv, _ := parseFloat(val, 64) // ignore error since readValue gaurantees val is valid
+			return fv, nil
+		default:
+			panic("BUG: invalid kind: " + k.String())
+		}
+	}
+}
+
+func marshalObjectAny(mo MarshalOptions, enc *Encoder, obj map[string]any) error {
+	// Check for cycles.
+	if enc.tokens.depth() > startDetectingCyclesAfter {
+		v := reflect.ValueOf(obj)
+		if err := enc.seenPointers.visit(v); err != nil {
+			return err
+		}
+		defer enc.seenPointers.leave(v)
+	}
+
+	// Optimize for marshaling an empty map without any preceding whitespace.
+	if len(obj) == 0 && !enc.options.multiline && !enc.tokens.last.needObjectName() {
+		enc.buf = enc.tokens.mayAppendDelim(enc.buf, '{')
+		enc.buf = append(enc.buf, "{}"...)
+		enc.tokens.last.increment()
+		if enc.needFlush() {
+			return enc.flush()
+		}
+		return nil
+	}
+
+	if err := enc.WriteToken(ObjectStart); err != nil {
+		return err
+	}
+	// A Go map guarantees that each entry has a unique key
+	// The only possibility of duplicates is due to invalid UTF-8.
+	if !enc.options.AllowInvalidUTF8 {
+		enc.tokens.last.disableNamespace()
+	}
+	for name, val := range obj {
+		if err := enc.WriteToken(String(name)); err != nil {
+			return err
+		}
+		if err := marshalValueAny(mo, enc, val); err != nil {
+			return err
+		}
+	}
+	if err := enc.WriteToken(ObjectEnd); err != nil {
+		return err
+	}
+	return nil
+}
+
+func unmarshalObjectAny(uo UnmarshalOptions, dec *Decoder) (map[string]any, error) {
+	tok, err := dec.ReadToken()
+	if err != nil {
+		return nil, err
+	}
+	k := tok.Kind()
+	switch k {
+	case 'n':
+		return nil, nil
+	case '{':
+		obj := make(map[string]any)
+		// A Go map guarantees that each entry has a unique key
+		// The only possibility of duplicates is due to invalid UTF-8.
+		if !dec.options.AllowInvalidUTF8 {
+			dec.tokens.last.disableNamespace()
+		}
+		for dec.PeekKind() != '}' {
+			tok, err := dec.ReadToken()
+			if err != nil {
+				return obj, err
+			}
+			name := tok.String()
+
+			// Manually check for duplicate names.
+			if _, ok := obj[name]; ok {
+				name := dec.previousBuffer()
+				err := &SyntacticError{str: "duplicate name " + string(name) + " in object"}
+				return obj, err.withOffset(dec.InputOffset() - int64(len(name)))
+			}
+
+			val, err := unmarshalValueAny(uo, dec)
+			obj[name] = val
+			if err != nil {
+				return obj, err
+			}
+		}
+		if _, err := dec.ReadToken(); err != nil {
+			return obj, err
+		}
+		return obj, nil
+	}
+	return nil, &SemanticError{action: "unmarshal", JSONKind: k, GoType: mapStringAnyType}
+}
+
+func marshalArrayAny(mo MarshalOptions, enc *Encoder, arr []any) error {
+	// Check for cycles.
+	if enc.tokens.depth() > startDetectingCyclesAfter {
+		v := reflect.ValueOf(arr)
+		if err := enc.seenPointers.visit(v); err != nil {
+			return err
+		}
+		defer enc.seenPointers.leave(v)
+	}
+
+	// Optimize for marshaling an empty slice without any preceding whitespace.
+	if len(arr) == 0 && !enc.options.multiline && !enc.tokens.last.needObjectName() {
+		enc.buf = enc.tokens.mayAppendDelim(enc.buf, '[')
+		enc.buf = append(enc.buf, "[]"...)
+		enc.tokens.last.increment()
+		if enc.needFlush() {
+			return enc.flush()
+		}
+		return nil
+	}
+
+	if err := enc.WriteToken(ArrayStart); err != nil {
+		return err
+	}
+	for _, val := range arr {
+		if err := marshalValueAny(mo, enc, val); err != nil {
+			return err
+		}
+	}
+	if err := enc.WriteToken(ArrayEnd); err != nil {
+		return err
+	}
+	return nil
+}
+
+func unmarshalArrayAny(uo UnmarshalOptions, dec *Decoder) ([]any, error) {
+	tok, err := dec.ReadToken()
+	if err != nil {
+		return nil, err
+	}
+	k := tok.Kind()
+	switch k {
+	case 'n':
+		return nil, nil
+	case '[':
+		arr := []any{}
+		for dec.PeekKind() != ']' {
+			val, err := unmarshalValueAny(uo, dec)
+			arr = append(arr, val)
+			if err != nil {
+				return arr, err
+			}
+		}
+		if _, err := dec.ReadToken(); err != nil {
+			return arr, err
+		}
+		return arr, nil
+	}
+	return nil, &SemanticError{action: "unmarshal", JSONKind: k, GoType: sliceAnyType}
+}
diff --git a/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/arshal_default.go b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/arshal_default.go
new file mode 100644
index 000000000..fcf3d5000
--- /dev/null
+++ b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/arshal_default.go
@@ -0,0 +1,1446 @@
+// Copyright 2020 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package json
+
+import (
+	"encoding/base32"
+	"encoding/base64"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"math"
+	"reflect"
+	"strconv"
+	"sync"
+)
+
+// optimizeCommon specifies whether to use optimizations targeted for certain
+// common patterns, rather than using the slower, but more general logic.
+// All tests should pass regardless of whether this is true or not.
+const optimizeCommon = true
+
+var (
+	// Most natural Go type that correspond with each JSON type.
+	anyType          = reflect.TypeOf((*any)(nil)).Elem()            // JSON value
+	boolType         = reflect.TypeOf((*bool)(nil)).Elem()           // JSON bool
+	stringType       = reflect.TypeOf((*string)(nil)).Elem()         // JSON string
+	float64Type      = reflect.TypeOf((*float64)(nil)).Elem()        // JSON number
+	mapStringAnyType = reflect.TypeOf((*map[string]any)(nil)).Elem() // JSON object
+	sliceAnyType     = reflect.TypeOf((*[]any)(nil)).Elem()          // JSON array
+
+	bytesType       = reflect.TypeOf((*[]byte)(nil)).Elem()
+	emptyStructType = reflect.TypeOf((*struct{})(nil)).Elem()
+)
+
+const startDetectingCyclesAfter = 1000
+
+type seenPointers map[typedPointer]struct{}
+
+type typedPointer struct {
+	typ reflect.Type
+	ptr any // always stores unsafe.Pointer, but avoids depending on unsafe
+}
+
+// visit visits pointer p of type t, reporting an error if seen before.
+// If successfully visited, then the caller must eventually call leave.
+func (m *seenPointers) visit(v reflect.Value) error {
+	p := typedPointer{v.Type(), v.UnsafePointer()}
+	if _, ok := (*m)[p]; ok {
+		return &SemanticError{action: "marshal", GoType: p.typ, Err: errors.New("encountered a cycle")}
+	}
+	if *m == nil {
+		*m = make(map[typedPointer]struct{})
+	}
+	(*m)[p] = struct{}{}
+	return nil
+}
+func (m *seenPointers) leave(v reflect.Value) {
+	p := typedPointer{v.Type(), v.UnsafePointer()}
+	delete(*m, p)
+}
+
+func makeDefaultArshaler(t reflect.Type) *arshaler {
+	switch t.Kind() {
+	case reflect.Bool:
+		return makeBoolArshaler(t)
+	case reflect.String:
+		return makeStringArshaler(t)
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		return makeIntArshaler(t)
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
+		return makeUintArshaler(t)
+	case reflect.Float32, reflect.Float64:
+		return makeFloatArshaler(t)
+	case reflect.Map:
+		return makeMapArshaler(t)
+	case reflect.Struct:
+		return makeStructArshaler(t)
+	case reflect.Slice:
+		fncs := makeSliceArshaler(t)
+		if t.AssignableTo(bytesType) {
+			return makeBytesArshaler(t, fncs)
+		}
+		return fncs
+	case reflect.Array:
+		fncs := makeArrayArshaler(t)
+		if reflect.SliceOf(t.Elem()).AssignableTo(bytesType) {
+			return makeBytesArshaler(t, fncs)
+		}
+		return fncs
+	case reflect.Pointer:
+		return makePointerArshaler(t)
+	case reflect.Interface:
+		return makeInterfaceArshaler(t)
+	default:
+		return makeInvalidArshaler(t)
+	}
+}
+
+func makeBoolArshaler(t reflect.Type) *arshaler {
+	var fncs arshaler
+	fncs.marshal = func(mo MarshalOptions, enc *Encoder, va addressableValue) error {
+		if mo.format != "" && mo.formatDepth == enc.tokens.depth() {
+			return newInvalidFormatError("marshal", t, mo.format)
+		}
+
+		// Optimize for marshaling without preceding whitespace.
+		if optimizeCommon && !enc.options.multiline && !enc.tokens.last.needObjectName() {
+			enc.buf = enc.tokens.mayAppendDelim(enc.buf, 't')
+			if va.Bool() {
+				enc.buf = append(enc.buf, "true"...)
+			} else {
+				enc.buf = append(enc.buf, "false"...)
+			}
+			enc.tokens.last.increment()
+			if enc.needFlush() {
+				return enc.flush()
+			}
+			return nil
+		}
+
+		return enc.WriteToken(Bool(va.Bool()))
+	}
+	fncs.unmarshal = func(uo UnmarshalOptions, dec *Decoder, va addressableValue) error {
+		if uo.format != "" && uo.formatDepth == dec.tokens.depth() {
+			return newInvalidFormatError("unmarshal", t, uo.format)
+		}
+		tok, err := dec.ReadToken()
+		if err != nil {
+			return err
+		}
+		k := tok.Kind()
+		switch k {
+		case 'n':
+			va.SetBool(false)
+			return nil
+		case 't', 'f':
+			va.SetBool(tok.Bool())
+			return nil
+		}
+		return &SemanticError{action: "unmarshal", JSONKind: k, GoType: t}
+	}
+	return &fncs
+}
+
+func makeStringArshaler(t reflect.Type) *arshaler {
+	var fncs arshaler
+	fncs.marshal = func(mo MarshalOptions, enc *Encoder, va addressableValue) error {
+		if mo.format != "" && mo.formatDepth == enc.tokens.depth() {
+			return newInvalidFormatError("marshal", t, mo.format)
+		}
+		return enc.WriteToken(String(va.String()))
+	}
+	fncs.unmarshal = func(uo UnmarshalOptions, dec *Decoder, va addressableValue) error {
+		if uo.format != "" && uo.formatDepth == dec.tokens.depth() {
+			return newInvalidFormatError("unmarshal", t, uo.format)
+		}
+		var flags valueFlags
+		val, err := dec.readValue(&flags)
+		if err != nil {
+			return err
+		}
+		k := val.Kind()
+		switch k {
+		case 'n':
+			va.SetString("")
+			return nil
+		case '"':
+			val = unescapeStringMayCopy(val, flags.isVerbatim())
+			if dec.stringCache == nil {
+				dec.stringCache = new(stringCache)
+			}
+			str := dec.stringCache.make(val)
+			va.SetString(str)
+			return nil
+		}
+		return &SemanticError{action: "unmarshal", JSONKind: k, GoType: t}
+	}
+	return &fncs
+}
+
+var (
+	encodeBase16        = func(dst, src []byte) { hex.Encode(dst, src) }
+	encodeBase32        = base32.StdEncoding.Encode
+	encodeBase32Hex     = base32.HexEncoding.Encode
+	encodeBase64        = base64.StdEncoding.Encode
+	encodeBase64URL     = base64.URLEncoding.Encode
+	encodedLenBase16    = hex.EncodedLen
+	encodedLenBase32    = base32.StdEncoding.EncodedLen
+	encodedLenBase32Hex = base32.HexEncoding.EncodedLen
+	encodedLenBase64    = base64.StdEncoding.EncodedLen
+	encodedLenBase64URL = base64.URLEncoding.EncodedLen
+	decodeBase16        = hex.Decode
+	decodeBase32        = base32.StdEncoding.Decode
+	decodeBase32Hex     = base32.HexEncoding.Decode
+	decodeBase64        = base64.StdEncoding.Decode
+	decodeBase64URL     = base64.URLEncoding.Decode
+	decodedLenBase16    = hex.DecodedLen
+	decodedLenBase32    = base32.StdEncoding.WithPadding(base32.NoPadding).DecodedLen
+	decodedLenBase32Hex = base32.HexEncoding.WithPadding(base32.NoPadding).DecodedLen
+	decodedLenBase64    = base64.StdEncoding.WithPadding(base64.NoPadding).DecodedLen
+	decodedLenBase64URL = base64.URLEncoding.WithPadding(base64.NoPadding).DecodedLen
+)
+
+func makeBytesArshaler(t reflect.Type, fncs *arshaler) *arshaler {
+	// NOTE: This handles both []byte and [N]byte.
+	marshalDefault := fncs.marshal
+	fncs.marshal = func(mo MarshalOptions, enc *Encoder, va addressableValue) error {
+		encode, encodedLen := encodeBase64, encodedLenBase64
+		if mo.format != "" && mo.formatDepth == enc.tokens.depth() {
+			switch mo.format {
+			case "base64":
+				encode, encodedLen = encodeBase64, encodedLenBase64
+			case "base64url":
+				encode, encodedLen = encodeBase64URL, encodedLenBase64URL
+			case "base32":
+				encode, encodedLen = encodeBase32, encodedLenBase32
+			case "base32hex":
+				encode, encodedLen = encodeBase32Hex, encodedLenBase32Hex
+			case "base16", "hex":
+				encode, encodedLen = encodeBase16, encodedLenBase16
+			case "array":
+				mo.format = ""
+				return marshalDefault(mo, enc, va)
+			default:
+				return newInvalidFormatError("marshal", t, mo.format)
+			}
+		}
+		val := enc.UnusedBuffer()
+		var b []byte
+		if va.Kind() == reflect.Array {
+			// TODO(https://go.dev/issue/47066): Avoid reflect.Value.Slice.
+			b = va.Slice(0, va.Len()).Bytes()
+		} else {
+			b = va.Bytes()
+		}
+		n := len(`"`) + encodedLen(len(b)) + len(`"`)
+		if cap(val) < n {
+			val = make([]byte, n)
+		} else {
+			val = val[:n]
+		}
+		val[0] = '"'
+		encode(val[len(`"`):len(val)-len(`"`)], b)
+		val[len(val)-1] = '"'
+		return enc.WriteValue(val)
+	}
+	unmarshalDefault := fncs.unmarshal
+	fncs.unmarshal = func(uo UnmarshalOptions, dec *Decoder, va addressableValue) error {
+		decode, decodedLen := decodeBase64, decodedLenBase64
+		if uo.format != "" && uo.formatDepth == dec.tokens.depth() {
+			switch uo.format {
+			case "base64":
+				decode, decodedLen = decodeBase64, decodedLenBase64
+			case "base64url":
+				decode, decodedLen = decodeBase64URL, decodedLenBase64URL
+			case "base32":
+				decode, decodedLen = decodeBase32, decodedLenBase32
+			case "base32hex":
+				decode, decodedLen = decodeBase32Hex, decodedLenBase32Hex
+			case "base16", "hex":
+				decode, decodedLen = decodeBase16, decodedLenBase16
+			case "array":
+				uo.format = ""
+				return unmarshalDefault(uo, dec, va)
+			default:
+				return newInvalidFormatError("unmarshal", t, uo.format)
+			}
+		}
+		var flags valueFlags
+		val, err := dec.readValue(&flags)
+		if err != nil {
+			return err
+		}
+		k := val.Kind()
+		switch k {
+		case 'n':
+			va.Set(reflect.Zero(t))
+			return nil
+		case '"':
+			val = unescapeStringMayCopy(val, flags.isVerbatim())
+
+			// For base64 and base32, decodedLen computes the maximum output size
+			// when given the original input size. To compute the exact size,
+			// adjust the input size by excluding trailing padding characters.
+			// This is unnecessary for base16, but also harmless.
+			n := len(val)
+			for n > 0 && val[n-1] == '=' {
+				n--
+			}
+			n = decodedLen(n)
+			var b []byte
+			if va.Kind() == reflect.Array {
+				// TODO(https://go.dev/issue/47066): Avoid reflect.Value.Slice.
+				b = va.Slice(0, va.Len()).Bytes()
+				if n != len(b) {
+					err := fmt.Errorf("decoded base64 length of %d mismatches array length of %d", n, len(b))
+					return &SemanticError{action: "unmarshal", JSONKind: k, GoType: t, Err: err}
+				}
+			} else {
+				b = va.Bytes()
+				if b == nil || cap(b) < n {
+					b = make([]byte, n)
+				} else {
+					b = b[:n]
+				}
+			}
+			if _, err := decode(b, val); err != nil {
+				return &SemanticError{action: "unmarshal", JSONKind: k, GoType: t, Err: err}
+			}
+			if va.Kind() == reflect.Slice {
+				va.SetBytes(b)
+			}
+			return nil
+		}
+		return &SemanticError{action: "unmarshal", JSONKind: k, GoType: t}
+	}
+	return fncs
+}
+
+func makeIntArshaler(t reflect.Type) *arshaler {
+	var fncs arshaler
+	bits := t.Bits()
+	fncs.marshal = func(mo MarshalOptions, enc *Encoder, va addressableValue) error {
+		if mo.format != "" && mo.formatDepth == enc.tokens.depth() {
+			return newInvalidFormatError("marshal", t, mo.format)
+		}
+
+		// Optimize for marshaling without preceding whitespace or string escaping.
+		if optimizeCommon && !enc.options.multiline && !mo.StringifyNumbers && !enc.tokens.last.needObjectName() {
+			enc.buf = enc.tokens.mayAppendDelim(enc.buf, '0')
+			enc.buf = strconv.AppendInt(enc.buf, va.Int(), 10)
+			enc.tokens.last.increment()
+			if enc.needFlush() {
+				return enc.flush()
+			}
+			return nil
+		}
+
+		x := math.Float64frombits(uint64(va.Int()))
+		return enc.writeNumber(x, rawIntNumber, mo.StringifyNumbers)
+	}
+	fncs.unmarshal = func(uo UnmarshalOptions, dec *Decoder, va addressableValue) error {
+		if uo.format != "" && uo.formatDepth == dec.tokens.depth() {
+			return newInvalidFormatError("unmarshal", t, uo.format)
+		}
+		var flags valueFlags
+		val, err := dec.readValue(&flags)
+		if err != nil {
+			return err
+		}
+		k := val.Kind()
+		switch k {
+		case 'n':
+			va.SetInt(0)
+			return nil
+		case '"':
+			if !uo.StringifyNumbers {
+				break
+			}
+			val = unescapeStringMayCopy(val, flags.isVerbatim())
+			fallthrough
+		case '0':
+			var negOffset int
+			neg := val[0] == '-'
+			if neg {
+				negOffset = 1
+			}
+			n, ok := parseDecUint(val[negOffset:])
+			maxInt := uint64(1) << (bits - 1)
+			overflow := (neg && n > maxInt) || (!neg && n > maxInt-1)
+			if !ok {
+				if n != math.MaxUint64 {
+					err := fmt.Errorf("cannot parse %q as signed integer: %w", val, strconv.ErrSyntax)
+					return &SemanticError{action: "unmarshal", JSONKind: k, GoType: t, Err: err}
+				}
+				overflow = true
+			}
+			if overflow {
+				err := fmt.Errorf("cannot parse %q as signed integer: %w", val, strconv.ErrRange)
+				return &SemanticError{action: "unmarshal", JSONKind: k, GoType: t, Err: err}
+			}
+			if neg {
+				va.SetInt(int64(-n))
+			} else {
+				va.SetInt(int64(+n))
+			}
+			return nil
+		}
+		return &SemanticError{action: "unmarshal", JSONKind: k, GoType: t}
+	}
+	return &fncs
+}
+
+func makeUintArshaler(t reflect.Type) *arshaler {
+	var fncs arshaler
+	bits := t.Bits()
+	fncs.marshal = func(mo MarshalOptions, enc *Encoder, va addressableValue) error {
+		if mo.format != "" && mo.formatDepth == enc.tokens.depth() {
+			return newInvalidFormatError("marshal", t, mo.format)
+		}
+
+		// Optimize for marshaling without preceding whitespace or string escaping.
+		if optimizeCommon && !enc.options.multiline && !mo.StringifyNumbers && !enc.tokens.last.needObjectName() {
+			enc.buf = enc.tokens.mayAppendDelim(enc.buf, '0')
+			enc.buf = strconv.AppendUint(enc.buf, va.Uint(), 10)
+			enc.tokens.last.increment()
+			if enc.needFlush() {
+				return enc.flush()
+			}
+			return nil
+		}
+
+		x := math.Float64frombits(uint64(va.Uint()))
+		return enc.writeNumber(x, rawUintNumber, mo.StringifyNumbers)
+	}
+	fncs.unmarshal = func(uo UnmarshalOptions, dec *Decoder, va addressableValue) error {
+		if uo.format != "" && uo.formatDepth == dec.tokens.depth() {
+			return newInvalidFormatError("unmarshal", t, uo.format)
+		}
+		var flags valueFlags
+		val, err := dec.readValue(&flags)
+		if err != nil {
+			return err
+		}
+		k := val.Kind()
+		switch k {
+		case 'n':
+			va.SetUint(0)
+			return nil
+		case '"':
+			if !uo.StringifyNumbers {
+				break
+			}
+			val = unescapeStringMayCopy(val, flags.isVerbatim())
+			fallthrough
+		case '0':
+			n, ok := parseDecUint(val)
+			maxUint := uint64(1) << bits
+			overflow := n > maxUint-1
+			if !ok {
+				if n != math.MaxUint64 {
+					err := fmt.Errorf("cannot parse %q as unsigned integer: %w", val, strconv.ErrSyntax)
+					return &SemanticError{action: "unmarshal", JSONKind: k, GoType: t, Err: err}
+				}
+				overflow = true
+			}
+			if overflow {
+				err := fmt.Errorf("cannot parse %q as unsigned integer: %w", val, strconv.ErrRange)
+				return &SemanticError{action: "unmarshal", JSONKind: k, GoType: t, Err: err}
+			}
+			va.SetUint(uint64(n))
+			return nil
+		}
+		return &SemanticError{action: "unmarshal", JSONKind: k, GoType: t}
+	}
+	return &fncs
+}
+
+func makeFloatArshaler(t reflect.Type) *arshaler {
+	var fncs arshaler
+	bits := t.Bits()
+	fncs.marshal = func(mo MarshalOptions, enc *Encoder, va addressableValue) error {
+		var allowNonFinite bool
+		if mo.format != "" && mo.formatDepth == enc.tokens.depth() {
+			if mo.format == "nonfinite" {
+				allowNonFinite = true
+			} else {
+				return newInvalidFormatError("marshal", t, mo.format)
+			}
+		}
+
+		fv := va.Float()
+		if math.IsNaN(fv) || math.IsInf(fv, 0) {
+			if !allowNonFinite {
+				err := fmt.Errorf("invalid value: %v", fv)
+				return &SemanticError{action: "marshal", GoType: t, Err: err}
+			}
+			return enc.WriteToken(Float(fv))
+		}
+
+		// Optimize for marshaling without preceding whitespace or string escaping.
+		if optimizeCommon && !enc.options.multiline && !mo.StringifyNumbers && !enc.tokens.last.needObjectName() {
+			enc.buf = enc.tokens.mayAppendDelim(enc.buf, '0')
+			enc.buf = appendNumber(enc.buf, fv, bits)
+			enc.tokens.last.increment()
+			if enc.needFlush() {
+				return enc.flush()
+			}
+			return nil
+		}
+
+		return enc.writeNumber(fv, bits, mo.StringifyNumbers)
+	}
+	fncs.unmarshal = func(uo UnmarshalOptions, dec *Decoder, va addressableValue) error {
+		var allowNonFinite bool
+		if uo.format != "" && uo.formatDepth == dec.tokens.depth() {
+			if uo.format == "nonfinite" {
+				allowNonFinite = true
+			} else {
+				return newInvalidFormatError("unmarshal", t, uo.format)
+			}
+		}
+		var flags valueFlags
+		val, err := dec.readValue(&flags)
+		if err != nil {
+			return err
+		}
+		k := val.Kind()
+		switch k {
+		case 'n':
+			va.SetFloat(0)
+			return nil
+		case '"':
+			val = unescapeStringMayCopy(val, flags.isVerbatim())
+			if allowNonFinite {
+				switch string(val) {
+				case "NaN":
+					va.SetFloat(math.NaN())
+					return nil
+				case "Infinity":
+					va.SetFloat(math.Inf(+1))
+					return nil
+				case "-Infinity":
+					va.SetFloat(math.Inf(-1))
+					return nil
+				}
+			}
+			if !uo.StringifyNumbers {
+				break
+			}
+			if n, err := consumeNumber(val); n != len(val) || err != nil {
+				err := fmt.Errorf("cannot parse %q as JSON number: %w", val, strconv.ErrSyntax)
+				return &SemanticError{action: "unmarshal", JSONKind: k, GoType: t, Err: err}
+			}
+			fallthrough
+		case '0':
+			// NOTE: Floating-point parsing is by nature a lossy operation.
+			// We never report an overflow condition since we can always
+			// round the input to the closest representable finite value.
+			// For extremely large numbers, the closest value is ±MaxFloat.
+			fv, _ := parseFloat(val, bits)
+			va.SetFloat(fv)
+			return nil
+		}
+		return &SemanticError{action: "unmarshal", JSONKind: k, GoType: t}
+	}
+	return &fncs
+}
+
+var mapIterPool = sync.Pool{
+	New: func() any { return new(reflect.MapIter) },
+}
+
+func getMapIter(mv reflect.Value) *reflect.MapIter {
+	iter := mapIterPool.Get().(*reflect.MapIter)
+	iter.Reset(mv)
+	return iter
+}
+func putMapIter(iter *reflect.MapIter) {
+	iter.Reset(reflect.Value{}) // allow underlying map to be garbage collected
+	mapIterPool.Put(iter)
+}
+
+func makeMapArshaler(t reflect.Type) *arshaler {
+	// NOTE: The logic below disables namespaces for tracking duplicate names
+	// when handling map keys with a unique represention.
+
+	// NOTE: Values retrieved from a map are not addressable,
+	// so we shallow copy the values to make them addressable and
+	// store them back into the map afterwards.
+
+	var fncs arshaler
+	var (
+		once    sync.Once
+		keyFncs *arshaler
+		valFncs *arshaler
+	)
+	init := func() {
+		keyFncs = lookupArshaler(t.Key())
+		valFncs = lookupArshaler(t.Elem())
+	}
+	fncs.marshal = func(mo MarshalOptions, enc *Encoder, va addressableValue) error {
+		// Check for cycles.
+		if enc.tokens.depth() > startDetectingCyclesAfter {
+			if err := enc.seenPointers.visit(va.Value); err != nil {
+				return err
+			}
+			defer enc.seenPointers.leave(va.Value)
+		}
+
+		if mo.format != "" && mo.formatDepth == enc.tokens.depth() {
+			if mo.format == "emitnull" {
+				if va.IsNil() {
+					return enc.WriteToken(Null)
+				}
+				mo.format = ""
+			} else {
+				return newInvalidFormatError("marshal", t, mo.format)
+			}
+		}
+
+		// Optimize for marshaling an empty map without any preceding whitespace.
+		n := va.Len()
+		if optimizeCommon && n == 0 && !enc.options.multiline && !enc.tokens.last.needObjectName() {
+			enc.buf = enc.tokens.mayAppendDelim(enc.buf, '{')
+			enc.buf = append(enc.buf, "{}"...)
+			enc.tokens.last.increment()
+			if enc.needFlush() {
+				return enc.flush()
+			}
+			return nil
+		}
+
+		once.Do(init)
+		if err := enc.WriteToken(ObjectStart); err != nil {
+			return err
+		}
+		if n > 0 {
+			// Handle maps with numeric key types by stringifying them.
+			mko := mo
+			mko.StringifyNumbers = true
+
+			nonDefaultKey := keyFncs.nonDefault
+			marshalKey := keyFncs.marshal
+			marshalVal := valFncs.marshal
+			if mo.Marshalers != nil {
+				var ok bool
+				marshalKey, ok = mo.Marshalers.lookup(marshalKey, t.Key())
+				marshalVal, _ = mo.Marshalers.lookup(marshalVal, t.Elem())
+				nonDefaultKey = nonDefaultKey || ok
+			}
+			k := newAddressableValue(t.Key())
+			v := newAddressableValue(t.Elem())
+
+			// A Go map guarantees that each entry has a unique key.
+			// As such, disable the expensive duplicate name check if we know
+			// that every Go key will serialize as a unique JSON string.
+			if !nonDefaultKey && mapKeyWithUniqueRepresentation(k.Kind(), enc.options.AllowInvalidUTF8) {
+				enc.tokens.last.disableNamespace()
+			}
+
+			// NOTE: Map entries are serialized in a non-deterministic order.
+			// Users that need stable output should call RawValue.Canonicalize.
+			// TODO(go1.19): Remove use of a sync.Pool with reflect.MapIter.
+			// Calling reflect.Value.MapRange no longer allocates.
+			// See https://go.dev/cl/400675.
+			iter := getMapIter(va.Value)
+			defer putMapIter(iter)
+			for iter.Next() {
+				k.SetIterKey(iter)
+				if err := marshalKey(mko, enc, k); err != nil {
+					// TODO: If err is errMissingName, then wrap it as a
+					// SemanticError since this key type cannot be serialized
+					// as a JSON string.
+					return err
+				}
+				v.SetIterValue(iter)
+				if err := marshalVal(mo, enc, v); err != nil {
+					return err
+				}
+			}
+		}
+		if err := enc.WriteToken(ObjectEnd); err != nil {
+			return err
+		}
+		return nil
+	}
+	fncs.unmarshal = func(uo UnmarshalOptions, dec *Decoder, va addressableValue) error {
+		if uo.format != "" && uo.formatDepth == dec.tokens.depth() {
+			if uo.format == "emitnull" {
+				uo.format = "" // only relevant for marshaling
+			} else {
+				return newInvalidFormatError("unmarshal", t, uo.format)
+			}
+		}
+		tok, err := dec.ReadToken()
+		if err != nil {
+			return err
+		}
+		k := tok.Kind()
+		switch k {
+		case 'n':
+			va.Set(reflect.Zero(t))
+			return nil
+		case '{':
+			once.Do(init)
+			if va.IsNil() {
+				va.Set(reflect.MakeMap(t))
+			}
+
+			// Handle maps with numeric key types by stringifying them.
+			uko := uo
+			uko.StringifyNumbers = true
+
+			nonDefaultKey := keyFncs.nonDefault
+			unmarshalKey := keyFncs.unmarshal
+			unmarshalVal := valFncs.unmarshal
+			if uo.Unmarshalers != nil {
+				var ok bool
+				unmarshalKey, ok = uo.Unmarshalers.lookup(unmarshalKey, t.Key())
+				unmarshalVal, _ = uo.Unmarshalers.lookup(unmarshalVal, t.Elem())
+				nonDefaultKey = nonDefaultKey || ok
+			}
+			k := newAddressableValue(t.Key())
+			v := newAddressableValue(t.Elem())
+
+			// Manually check for duplicate entries by virtue of whether the
+			// unmarshaled key already exists in the destination Go map.
+			// Consequently, syntactically different names (e.g., "0" and "-0")
+			// will be rejected as duplicates since they semantically refer
+			// to the same Go value. This is an unusual interaction
+			// between syntax and semantics, but is more correct.
+			if !nonDefaultKey && mapKeyWithUniqueRepresentation(k.Kind(), dec.options.AllowInvalidUTF8) {
+				dec.tokens.last.disableNamespace()
+			}
+
+			// In the rare case where the map is not already empty,
+			// then we need to manually track which keys we already saw
+			// since existing presence alone is insufficient to indicate
+			// whether the input had a duplicate name.
+			var seen reflect.Value
+			if !dec.options.AllowDuplicateNames && va.Len() > 0 {
+				seen = reflect.MakeMap(reflect.MapOf(k.Type(), emptyStructType))
+			}
+
+			for dec.PeekKind() != '}' {
+				k.Set(reflect.Zero(t.Key()))
+				if err := unmarshalKey(uko, dec, k); err != nil {
+					return err
+				}
+				if k.Kind() == reflect.Interface && !k.IsNil() && !k.Elem().Type().Comparable() {
+					err := fmt.Errorf("invalid incomparable key type %v", k.Elem().Type())
+					return &SemanticError{action: "unmarshal", GoType: t, Err: err}
+				}
+
+				if v2 := va.MapIndex(k.Value); v2.IsValid() {
+					if !dec.options.AllowDuplicateNames && (!seen.IsValid() || seen.MapIndex(k.Value).IsValid()) {
+						// TODO: Unread the object name.
+						name := dec.previousBuffer()
+						err := &SyntacticError{str: "duplicate name " + string(name) + " in object"}
+						return err.withOffset(dec.InputOffset() - int64(len(name)))
+					}
+					v.Set(v2)
+				} else {
+					v.Set(reflect.Zero(v.Type()))
+				}
+				err := unmarshalVal(uo, dec, v)
+				va.SetMapIndex(k.Value, v.Value)
+				if seen.IsValid() {
+					seen.SetMapIndex(k.Value, reflect.Zero(emptyStructType))
+				}
+				if err != nil {
+					return err
+				}
+			}
+			if _, err := dec.ReadToken(); err != nil {
+				return err
+			}
+			return nil
+		}
+		return &SemanticError{action: "unmarshal", JSONKind: k, GoType: t}
+	}
+	return &fncs
+}
+
+// mapKeyWithUniqueRepresentation reports whether all possible values of k
+// marshal to a different JSON value, and whether all possible JSON values
+// that can unmarshal into k unmarshal to different Go values.
+// In other words, the representation must be a bijective.
+func mapKeyWithUniqueRepresentation(k reflect.Kind, allowInvalidUTF8 bool) bool {
+	switch k {
+	case reflect.Bool,
+		reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64,
+		reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
+		return true
+	case reflect.String:
+		// For strings, we have to be careful since names with invalid UTF-8
+		// maybe unescape to the same Go string value.
+		return !allowInvalidUTF8
+	default:
+		// Floating-point kinds are not listed above since NaNs
+		// can appear multiple times and all serialize as "NaN".
+		return false
+	}
+}
+
+func makeStructArshaler(t reflect.Type) *arshaler {
+	// NOTE: The logic below disables namespaces for tracking duplicate names
+	// and does the tracking locally with an efficient bit-set based on which
+	// Go struct fields were seen.
+
+	var fncs arshaler
+	var (
+		once    sync.Once
+		fields  structFields
+		errInit *SemanticError
+	)
+	init := func() {
+		fields, errInit = makeStructFields(t)
+	}
+	fncs.marshal = func(mo MarshalOptions, enc *Encoder, va addressableValue) error {
+		if mo.format != "" && mo.formatDepth == enc.tokens.depth() {
+			return newInvalidFormatError("marshal", t, mo.format)
+		}
+		once.Do(init)
+		if errInit != nil {
+			err := *errInit // shallow copy SemanticError
+			err.action = "marshal"
+			return &err
+		}
+		if err := enc.WriteToken(ObjectStart); err != nil {
+			return err
+		}
+		var seenIdxs uintSet
+		prevIdx := -1
+		enc.tokens.last.disableNamespace() // we manually ensure unique names below
+		for i := range fields.flattened {
+			f := &fields.flattened[i]
+			v := addressableValue{va.Field(f.index[0])} // addressable if struct value is addressable
+			if len(f.index) > 1 {
+				v = v.fieldByIndex(f.index[1:], false)
+				if !v.IsValid() {
+					continue // implies a nil inlined field
+				}
+			}
+
+			// OmitZero skips the field if the Go value is zero,
+			// which we can determine up front without calling the marshaler.
+			if f.omitzero && ((f.isZero == nil && v.IsZero()) || (f.isZero != nil && f.isZero(v))) {
+				continue
+			}
+
+			marshal := f.fncs.marshal
+			nonDefault := f.fncs.nonDefault
+			if mo.Marshalers != nil {
+				var ok bool
+				marshal, ok = mo.Marshalers.lookup(marshal, f.typ)
+				nonDefault = nonDefault || ok
+			}
+
+			// OmitEmpty skips the field if the marshaled JSON value is empty,
+			// which we can know up front if there are no custom marshalers,
+			// otherwise we must marshal the value and unwrite it if empty.
+			if f.omitempty && !nonDefault && f.isEmpty != nil && f.isEmpty(v) {
+				continue // fast path for omitempty
+			}
+
+			// Write the object member name.
+			//
+			// The logic below is semantically equivalent to:
+			//	enc.WriteToken(String(f.name))
+			// but specialized and simplified because:
+			//	1. The Encoder must be expecting an object name.
+			//	2. The object namespace is guaranteed to be disabled.
+			//	3. The object name is guaranteed to be valid and pre-escaped.
+			//	4. There is no need to flush the buffer (for unwrite purposes).
+			//	5. There is no possibility of an error occuring.
+			if optimizeCommon {
+				// Append any delimiters or optional whitespace.
+				if enc.tokens.last.length() > 0 {
+					enc.buf = append(enc.buf, ',')
+				}
+				if enc.options.multiline {
+					enc.buf = enc.appendIndent(enc.buf, enc.tokens.needIndent('"'))
+				}
+
+				// Append the token to the output and to the state machine.
+				n0 := len(enc.buf) // offset before calling appendString
+				if enc.options.EscapeRune == nil {
+					enc.buf = append(enc.buf, f.quotedName...)
+				} else {
+					enc.buf, _ = appendString(enc.buf, f.name, false, enc.options.EscapeRune)
+				}
+				if !enc.options.AllowDuplicateNames {
+					enc.names.replaceLastQuotedOffset(n0)
+				}
+				enc.tokens.last.increment()
+			} else {
+				if err := enc.WriteToken(String(f.name)); err != nil {
+					return err
+				}
+			}
+
+			// Write the object member value.
+			mo2 := mo
+			if f.string {
+				mo2.StringifyNumbers = true
+			}
+			if f.format != "" {
+				mo2.formatDepth = enc.tokens.depth()
+				mo2.format = f.format
+			}
+			if err := marshal(mo2, enc, v); err != nil {
+				return err
+			}
+
+			// Try unwriting the member if empty (slow path for omitempty).
+			if f.omitempty {
+				var prevName *string
+				if prevIdx >= 0 {
+					prevName = &fields.flattened[prevIdx].name
+				}
+				if enc.unwriteEmptyObjectMember(prevName) {
+					continue
+				}
+			}
+
+			// Remember the previous written object member.
+			// The set of seen fields only needs to be updated to detect
+			// duplicate names with those from the inlined fallback.
+			if !enc.options.AllowDuplicateNames && fields.inlinedFallback != nil {
+				seenIdxs.insert(uint(f.id))
+			}
+			prevIdx = f.id
+		}
+		if fields.inlinedFallback != nil && !(mo.DiscardUnknownMembers && fields.inlinedFallback.unknown) {
+			var insertUnquotedName func([]byte) bool
+			if !enc.options.AllowDuplicateNames {
+				insertUnquotedName = func(name []byte) bool {
+					// Check that the name from inlined fallback does not match
+					// one of the previously marshaled names from known fields.
+					if foldedFields := fields.byFoldedName[string(foldName(name))]; len(foldedFields) > 0 {
+						if f := fields.byActualName[string(name)]; f != nil {
+							return seenIdxs.insert(uint(f.id))
+						}
+						for _, f := range foldedFields {
+							if f.nocase {
+								return seenIdxs.insert(uint(f.id))
+							}
+						}
+					}
+
+					// Check that the name does not match any other name
+					// previously marshaled from the inlined fallback.
+					return enc.namespaces.last().insertUnquoted(name)
+				}
+			}
+			if err := marshalInlinedFallbackAll(mo, enc, va, fields.inlinedFallback, insertUnquotedName); err != nil {
+				return err
+			}
+		}
+		if err := enc.WriteToken(ObjectEnd); err != nil {
+			return err
+		}
+		return nil
+	}
+	fncs.unmarshal = func(uo UnmarshalOptions, dec *Decoder, va addressableValue) error {
+		if uo.format != "" && uo.formatDepth == dec.tokens.depth() {
+			return newInvalidFormatError("unmarshal", t, uo.format)
+		}
+		tok, err := dec.ReadToken()
+		if err != nil {
+			return err
+		}
+		k := tok.Kind()
+		switch k {
+		case 'n':
+			va.Set(reflect.Zero(t))
+			return nil
+		case '{':
+			once.Do(init)
+			if errInit != nil {
+				err := *errInit // shallow copy SemanticError
+				err.action = "unmarshal"
+				return &err
+			}
+			var seenIdxs uintSet
+			dec.tokens.last.disableNamespace()
+			for dec.PeekKind() != '}' {
+				// Process the object member name.
+				var flags valueFlags
+				val, err := dec.readValue(&flags)
+				if err != nil {
+					return err
+				}
+				name := unescapeStringMayCopy(val, flags.isVerbatim())
+				f := fields.byActualName[string(name)]
+				if f == nil {
+					for _, f2 := range fields.byFoldedName[string(foldName(name))] {
+						if f2.nocase {
+							f = f2
+							break
+						}
+					}
+					if f == nil {
+						if uo.RejectUnknownMembers && (fields.inlinedFallback == nil || fields.inlinedFallback.unknown) {
+							return &SemanticError{action: "unmarshal", GoType: t, Err: fmt.Errorf("unknown name %s", val)}
+						}
+						if !dec.options.AllowDuplicateNames && !dec.namespaces.last().insertUnquoted(name) {
+							// TODO: Unread the object name.
+							err := &SyntacticError{str: "duplicate name " + string(val) + " in object"}
+							return err.withOffset(dec.InputOffset() - int64(len(val)))
+						}
+
+						if fields.inlinedFallback == nil {
+							// Skip unknown value since we have no place to store it.
+							if err := dec.skipValue(); err != nil {
+								return err
+							}
+						} else {
+							// Marshal into value capable of storing arbitrary object members.
+							if err := unmarshalInlinedFallbackNext(uo, dec, va, fields.inlinedFallback, val, name); err != nil {
+								return err
+							}
+						}
+						continue
+					}
+				}
+				if !dec.options.AllowDuplicateNames && !seenIdxs.insert(uint(f.id)) {
+					// TODO: Unread the object name.
+					err := &SyntacticError{str: "duplicate name " + string(val) + " in object"}
+					return err.withOffset(dec.InputOffset() - int64(len(val)))
+				}
+
+				// Process the object member value.
+				unmarshal := f.fncs.unmarshal
+				if uo.Unmarshalers != nil {
+					unmarshal, _ = uo.Unmarshalers.lookup(unmarshal, f.typ)
+				}
+				uo2 := uo
+				if f.string {
+					uo2.StringifyNumbers = true
+				}
+				if f.format != "" {
+					uo2.formatDepth = dec.tokens.depth()
+					uo2.format = f.format
+				}
+				v := addressableValue{va.Field(f.index[0])} // addressable if struct value is addressable
+				if len(f.index) > 1 {
+					v = v.fieldByIndex(f.index[1:], true)
+				}
+				if err := unmarshal(uo2, dec, v); err != nil {
+					return err
+				}
+			}
+			if _, err := dec.ReadToken(); err != nil {
+				return err
+			}
+			return nil
+		}
+		return &SemanticError{action: "unmarshal", JSONKind: k, GoType: t}
+	}
+	return &fncs
+}
+
+func (va addressableValue) fieldByIndex(index []int, mayAlloc bool) addressableValue {
+	for _, i := range index {
+		va = va.indirect(mayAlloc)
+		if !va.IsValid() {
+			return va
+		}
+		va = addressableValue{va.Field(i)} // addressable if struct value is addressable
+	}
+	return va
+}
+
+func (va addressableValue) indirect(mayAlloc bool) addressableValue {
+	if va.Kind() == reflect.Pointer {
+		if va.IsNil() {
+			if !mayAlloc {
+				return addressableValue{}
+			}
+			va.Set(reflect.New(va.Type().Elem()))
+		}
+		va = addressableValue{va.Elem()} // dereferenced pointer is always addressable
+	}
+	return va
+}
+
+func makeSliceArshaler(t reflect.Type) *arshaler {
+	var fncs arshaler
+	var (
+		once    sync.Once
+		valFncs *arshaler
+	)
+	init := func() {
+		valFncs = lookupArshaler(t.Elem())
+	}
+	fncs.marshal = func(mo MarshalOptions, enc *Encoder, va addressableValue) error {
+		// Check for cycles.
+		if enc.tokens.depth() > startDetectingCyclesAfter {
+			if err := enc.seenPointers.visit(va.Value); err != nil {
+				return err
+			}
+			defer enc.seenPointers.leave(va.Value)
+		}
+
+		if mo.format != "" && mo.formatDepth == enc.tokens.depth() {
+			if mo.format == "emitnull" {
+				if va.IsNil() {
+					return enc.WriteToken(Null)
+				}
+				mo.format = ""
+			} else {
+				return newInvalidFormatError("marshal", t, mo.format)
+			}
+		}
+
+		// Optimize for marshaling an empty slice without any preceding whitespace.
+		n := va.Len()
+		if optimizeCommon && n == 0 && !enc.options.multiline && !enc.tokens.last.needObjectName() {
+			enc.buf = enc.tokens.mayAppendDelim(enc.buf, '[')
+			enc.buf = append(enc.buf, "[]"...)
+			enc.tokens.last.increment()
+			if enc.needFlush() {
+				return enc.flush()
+			}
+			return nil
+		}
+
+		once.Do(init)
+		if err := enc.WriteToken(ArrayStart); err != nil {
+			return err
+		}
+		marshal := valFncs.marshal
+		if mo.Marshalers != nil {
+			marshal, _ = mo.Marshalers.lookup(marshal, t.Elem())
+		}
+		for i := 0; i < n; i++ {
+			v := addressableValue{va.Index(i)} // indexed slice element is always addressable
+			if err := marshal(mo, enc, v); err != nil {
+				return err
+			}
+		}
+		if err := enc.WriteToken(ArrayEnd); err != nil {
+			return err
+		}
+		return nil
+	}
+	emptySlice := reflect.MakeSlice(t, 0, 0)
+	fncs.unmarshal = func(uo UnmarshalOptions, dec *Decoder, va addressableValue) error {
+		if uo.format != "" && uo.formatDepth == dec.tokens.depth() {
+			if uo.format == "emitnull" {
+				uo.format = "" // only relevant for marshaling
+			} else {
+				return newInvalidFormatError("unmarshal", t, uo.format)
+			}
+		}
+
+		tok, err := dec.ReadToken()
+		if err != nil {
+			return err
+		}
+		k := tok.Kind()
+		switch k {
+		case 'n':
+			va.Set(reflect.Zero(t))
+			return nil
+		case '[':
+			once.Do(init)
+			unmarshal := valFncs.unmarshal
+			if uo.Unmarshalers != nil {
+				unmarshal, _ = uo.Unmarshalers.lookup(unmarshal, t.Elem())
+			}
+			mustZero := true // we do not know the cleanliness of unused capacity
+			cap := va.Cap()
+			if cap > 0 {
+				va.SetLen(cap)
+			}
+			var i int
+			for dec.PeekKind() != ']' {
+				if i == cap {
+					// TODO(https://go.dev/issue/48000): Use reflect.Value.Append.
+					va.Set(reflect.Append(va.Value, reflect.Zero(t.Elem())))
+					cap = va.Cap()
+					va.SetLen(cap)
+					mustZero = false // append guarantees that unused capacity is zero-initialized
+				}
+				v := addressableValue{va.Index(i)} // indexed slice element is always addressable
+				i++
+				if mustZero {
+					v.Set(reflect.Zero(t.Elem()))
+				}
+				if err := unmarshal(uo, dec, v); err != nil {
+					va.SetLen(i)
+					return err
+				}
+			}
+			if i == 0 {
+				va.Set(emptySlice)
+			} else {
+				va.SetLen(i)
+			}
+			if _, err := dec.ReadToken(); err != nil {
+				return err
+			}
+			return nil
+		}
+		return &SemanticError{action: "unmarshal", JSONKind: k, GoType: t}
+	}
+	return &fncs
+}
+
+func makeArrayArshaler(t reflect.Type) *arshaler {
+	var fncs arshaler
+	var (
+		once    sync.Once
+		valFncs *arshaler
+	)
+	init := func() {
+		valFncs = lookupArshaler(t.Elem())
+	}
+	n := t.Len()
+	fncs.marshal = func(mo MarshalOptions, enc *Encoder, va addressableValue) error {
+		if mo.format != "" && mo.formatDepth == enc.tokens.depth() {
+			return newInvalidFormatError("marshal", t, mo.format)
+		}
+		once.Do(init)
+		if err := enc.WriteToken(ArrayStart); err != nil {
+			return err
+		}
+		marshal := valFncs.marshal
+		if mo.Marshalers != nil {
+			marshal, _ = mo.Marshalers.lookup(marshal, t.Elem())
+		}
+		for i := 0; i < n; i++ {
+			v := addressableValue{va.Index(i)} // indexed array element is addressable if array is addressable
+			if err := marshal(mo, enc, v); err != nil {
+				return err
+			}
+		}
+		if err := enc.WriteToken(ArrayEnd); err != nil {
+			return err
+		}
+		return nil
+	}
+	fncs.unmarshal = func(uo UnmarshalOptions, dec *Decoder, va addressableValue) error {
+		if uo.format != "" && uo.formatDepth == dec.tokens.depth() {
+			return newInvalidFormatError("unmarshal", t, uo.format)
+		}
+		tok, err := dec.ReadToken()
+		if err != nil {
+			return err
+		}
+		k := tok.Kind()
+		switch k {
+		case 'n':
+			va.Set(reflect.Zero(t))
+			return nil
+		case '[':
+			once.Do(init)
+			unmarshal := valFncs.unmarshal
+			if uo.Unmarshalers != nil {
+				unmarshal, _ = uo.Unmarshalers.lookup(unmarshal, t.Elem())
+			}
+			var i int
+			for dec.PeekKind() != ']' {
+				if i >= n {
+					err := errors.New("too many array elements")
+					return &SemanticError{action: "unmarshal", GoType: t, Err: err}
+				}
+				v := addressableValue{va.Index(i)} // indexed array element is addressable if array is addressable
+				v.Set(reflect.Zero(v.Type()))
+				if err := unmarshal(uo, dec, v); err != nil {
+					return err
+				}
+				i++
+			}
+			if _, err := dec.ReadToken(); err != nil {
+				return err
+			}
+			if i < n {
+				err := errors.New("too few array elements")
+				return &SemanticError{action: "unmarshal", GoType: t, Err: err}
+			}
+			return nil
+		}
+		return &SemanticError{action: "unmarshal", JSONKind: k, GoType: t}
+	}
+	return &fncs
+}
+
+func makePointerArshaler(t reflect.Type) *arshaler {
+	var fncs arshaler
+	var (
+		once    sync.Once
+		valFncs *arshaler
+	)
+	init := func() {
+		valFncs = lookupArshaler(t.Elem())
+	}
+	fncs.marshal = func(mo MarshalOptions, enc *Encoder, va addressableValue) error {
+		// Check for cycles.
+		if enc.tokens.depth() > startDetectingCyclesAfter {
+			if err := enc.seenPointers.visit(va.Value); err != nil {
+				return err
+			}
+			defer enc.seenPointers.leave(va.Value)
+		}
+
+		// NOTE: MarshalOptions.format is forwarded to underlying marshal.
+		if va.IsNil() {
+			return enc.WriteToken(Null)
+		}
+		once.Do(init)
+		marshal := valFncs.marshal
+		if mo.Marshalers != nil {
+			marshal, _ = mo.Marshalers.lookup(marshal, t.Elem())
+		}
+		v := addressableValue{va.Elem()} // dereferenced pointer is always addressable
+		return marshal(mo, enc, v)
+	}
+	fncs.unmarshal = func(uo UnmarshalOptions, dec *Decoder, va addressableValue) error {
+		// NOTE: UnmarshalOptions.format is forwarded to underlying unmarshal.
+		if dec.PeekKind() == 'n' {
+			if _, err := dec.ReadToken(); err != nil {
+				return err
+			}
+			va.Set(reflect.Zero(t))
+			return nil
+		}
+		once.Do(init)
+		unmarshal := valFncs.unmarshal
+		if uo.Unmarshalers != nil {
+			unmarshal, _ = uo.Unmarshalers.lookup(unmarshal, t.Elem())
+		}
+		if va.IsNil() {
+			va.Set(reflect.New(t.Elem()))
+		}
+		v := addressableValue{va.Elem()} // dereferenced pointer is always addressable
+		return unmarshal(uo, dec, v)
+	}
+	return &fncs
+}
+
+func makeInterfaceArshaler(t reflect.Type) *arshaler {
+	// NOTE: Values retrieved from an interface are not addressable,
+	// so we shallow copy the values to make them addressable and
+	// store them back into the interface afterwards.
+
+	var fncs arshaler
+	fncs.marshal = func(mo MarshalOptions, enc *Encoder, va addressableValue) error {
+		if mo.format != "" && mo.formatDepth == enc.tokens.depth() {
+			return newInvalidFormatError("marshal", t, mo.format)
+		}
+		if va.IsNil() {
+			return enc.WriteToken(Null)
+		}
+		v := newAddressableValue(va.Elem().Type())
+		v.Set(va.Elem())
+		marshal := lookupArshaler(v.Type()).marshal
+		if mo.Marshalers != nil {
+			marshal, _ = mo.Marshalers.lookup(marshal, v.Type())
+		}
+		// Optimize for the any type if there are no special options.
+		if optimizeCommon && t == anyType && !mo.StringifyNumbers && mo.format == "" && (mo.Marshalers == nil || !mo.Marshalers.fromAny) {
+			return marshalValueAny(mo, enc, va.Elem().Interface())
+		}
+		return marshal(mo, enc, v)
+	}
+	fncs.unmarshal = func(uo UnmarshalOptions, dec *Decoder, va addressableValue) error {
+		if uo.format != "" && uo.formatDepth == dec.tokens.depth() {
+			return newInvalidFormatError("unmarshal", t, uo.format)
+		}
+		if dec.PeekKind() == 'n' {
+			if _, err := dec.ReadToken(); err != nil {
+				return err
+			}
+			va.Set(reflect.Zero(t))
+			return nil
+		}
+		var v addressableValue
+		if va.IsNil() {
+			// Optimize for the any type if there are no special options.
+			// We do not care about stringified numbers since JSON strings
+			// are always unmarshaled into an any value as Go strings.
+			// Duplicate name check must be enforced since unmarshalValueAny
+			// does not implement merge semantics.
+			if optimizeCommon && t == anyType && uo.format == "" && (uo.Unmarshalers == nil || !uo.Unmarshalers.fromAny) && !dec.options.AllowDuplicateNames {
+				v, err := unmarshalValueAny(uo, dec)
+				// We must check for nil interface values up front.
+				// See https://go.dev/issue/52310.
+				if v != nil {
+					va.Set(reflect.ValueOf(v))
+				}
+				return err
+			}
+
+			k := dec.PeekKind()
+			if !isAnyType(t) {
+				err := errors.New("cannot derive concrete type for non-empty interface")
+				return &SemanticError{action: "unmarshal", JSONKind: k, GoType: t, Err: err}
+			}
+			switch k {
+			case 'f', 't':
+				v = newAddressableValue(boolType)
+			case '"':
+				v = newAddressableValue(stringType)
+			case '0':
+				v = newAddressableValue(float64Type)
+			case '{':
+				v = newAddressableValue(mapStringAnyType)
+			case '[':
+				v = newAddressableValue(sliceAnyType)
+			default:
+				// If k is invalid (e.g., due to an I/O or syntax error), then
+				// that will be cached by PeekKind and returned by ReadValue.
+				// If k is '}' or ']', then ReadValue must error since
+				// those are invalid kinds at the start of a JSON value.
+				_, err := dec.ReadValue()
+				return err
+			}
+		} else {
+			// Shallow copy the existing value to keep it addressable.
+			// Any mutations at the top-level of the value will be observable
+			// since we always store this value back into the interface value.
+			v = newAddressableValue(va.Elem().Type())
+			v.Set(va.Elem())
+		}
+		unmarshal := lookupArshaler(v.Type()).unmarshal
+		if uo.Unmarshalers != nil {
+			unmarshal, _ = uo.Unmarshalers.lookup(unmarshal, v.Type())
+		}
+		err := unmarshal(uo, dec, v)
+		va.Set(v.Value)
+		return err
+	}
+	return &fncs
+}
+
+// isAnyType reports wether t is equivalent to the any interface type.
+func isAnyType(t reflect.Type) bool {
+	// This is forward compatible if the Go language permits type sets within
+	// ordinary interfaces where an interface with zero methods does not
+	// necessarily mean it can hold every possible Go type.
+	// See https://go.dev/issue/45346.
+	return t == anyType || anyType.Implements(t)
+}
+
+func makeInvalidArshaler(t reflect.Type) *arshaler {
+	var fncs arshaler
+	fncs.marshal = func(mo MarshalOptions, enc *Encoder, va addressableValue) error {
+		return &SemanticError{action: "marshal", GoType: t}
+	}
+	fncs.unmarshal = func(uo UnmarshalOptions, dec *Decoder, va addressableValue) error {
+		return &SemanticError{action: "unmarshal", GoType: t}
+	}
+	return &fncs
+}
+
+func newInvalidFormatError(action string, t reflect.Type, format string) error {
+	err := fmt.Errorf("invalid format flag: %q", format)
+	return &SemanticError{action: action, GoType: t, Err: err}
+}
diff --git a/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/arshal_funcs.go b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/arshal_funcs.go
new file mode 100644
index 000000000..8a4e70083
--- /dev/null
+++ b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/arshal_funcs.go
@@ -0,0 +1,387 @@
+// Copyright 2020 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package json
+
+import (
+	"errors"
+	"fmt"
+	"reflect"
+	"sync"
+)
+
+// SkipFunc may be returned by MarshalFuncV2 and UnmarshalFuncV2 functions.
+//
+// Any function that returns SkipFunc must not cause observable side effects
+// on the provided Encoder or Decoder. For example, it is permissible to call
+// Decoder.PeekKind, but not permissible to call Decoder.ReadToken or
+// Encoder.WriteToken since such methods mutate the state.
+const SkipFunc = jsonError("skip function")
+
+// Marshalers is a list of functions that may override the marshal behavior
+// of specific types. Populate MarshalOptions.Marshalers to use it.
+// A nil *Marshalers is equivalent to an empty list.
+type Marshalers = typedMarshalers
+
+// NewMarshalers constructs a flattened list of marshal functions.
+// If multiple functions in the list are applicable for a value of a given type,
+// then those earlier in the list take precedence over those that come later.
+// If a function returns SkipFunc, then the next applicable function is called,
+// otherwise the default marshaling behavior is used.
+//
+// For example:
+//
+//	m1 := NewMarshalers(f1, f2)
+//	m2 := NewMarshalers(f0, m1, f3)     // equivalent to m3
+//	m3 := NewMarshalers(f0, f1, f2, f3) // equivalent to m2
+func NewMarshalers(ms ...*Marshalers) *Marshalers {
+	return newMarshalers(ms...)
+}
+
+// Unmarshalers is a list of functions that may override the unmarshal behavior
+// of specific types. Populate UnmarshalOptions.Unmarshalers to use it.
+// A nil *Unmarshalers is equivalent to an empty list.
+type Unmarshalers = typedUnmarshalers
+
+// NewUnmarshalers constructs a flattened list of unmarshal functions.
+// If multiple functions in the list are applicable for a value of a given type,
+// then those earlier in the list take precedence over those that come later.
+// If a function returns SkipFunc, then the next applicable function is called,
+// otherwise the default unmarshaling behavior is used.
+//
+// For example:
+//
+//	u1 := NewUnmarshalers(f1, f2)
+//	u2 := NewUnmarshalers(f0, u1, f3)     // equivalent to u3
+//	u3 := NewUnmarshalers(f0, f1, f2, f3) // equivalent to u2
+func NewUnmarshalers(us ...*Unmarshalers) *Unmarshalers {
+	return newUnmarshalers(us...)
+}
+
+type typedMarshalers = typedArshalers[MarshalOptions, Encoder]
+type typedUnmarshalers = typedArshalers[UnmarshalOptions, Decoder]
+type typedArshalers[Options, Coder any] struct {
+	nonComparable
+
+	fncVals  []typedArshaler[Options, Coder]
+	fncCache sync.Map // map[reflect.Type]arshaler
+
+	// fromAny reports whether any of Go types used to represent arbitrary JSON
+	// (i.e., any, bool, string, float64, map[string]any, or []any) matches
+	// any of the provided type-specific arshalers.
+	//
+	// This bit of information is needed in arshal_default.go to determine
+	// whether to use the specialized logic in arshal_any.go to handle
+	// the any interface type. The logic in arshal_any.go does not support
+	// type-specific arshal functions, so we must avoid using that logic
+	// if this is true.
+	fromAny bool
+}
+type typedMarshaler = typedArshaler[MarshalOptions, Encoder]
+type typedUnmarshaler = typedArshaler[UnmarshalOptions, Decoder]
+type typedArshaler[Options, Coder any] struct {
+	typ     reflect.Type
+	fnc     func(Options, *Coder, addressableValue) error
+	maySkip bool
+}
+
+func newMarshalers(ms ...*Marshalers) *Marshalers       { return newTypedArshalers(ms...) }
+func newUnmarshalers(us ...*Unmarshalers) *Unmarshalers { return newTypedArshalers(us...) }
+func newTypedArshalers[Options, Coder any](as ...*typedArshalers[Options, Coder]) *typedArshalers[Options, Coder] {
+	var a typedArshalers[Options, Coder]
+	for _, a2 := range as {
+		if a2 != nil {
+			a.fncVals = append(a.fncVals, a2.fncVals...)
+			a.fromAny = a.fromAny || a2.fromAny
+		}
+	}
+	if len(a.fncVals) == 0 {
+		return nil
+	}
+	return &a
+}
+
+func (a *typedArshalers[Options, Coder]) lookup(fnc func(Options, *Coder, addressableValue) error, t reflect.Type) (func(Options, *Coder, addressableValue) error, bool) {
+	if a == nil {
+		return fnc, false
+	}
+	if v, ok := a.fncCache.Load(t); ok {
+		if v == nil {
+			return fnc, false
+		}
+		return v.(func(Options, *Coder, addressableValue) error), true
+	}
+
+	// Collect a list of arshalers that can be called for this type.
+	// This list may be longer than 1 since some arshalers can be skipped.
+	var fncs []func(Options, *Coder, addressableValue) error
+	for _, fncVal := range a.fncVals {
+		if !castableTo(t, fncVal.typ) {
+			continue
+		}
+		fncs = append(fncs, fncVal.fnc)
+		if !fncVal.maySkip {
+			break // subsequent arshalers will never be called
+		}
+	}
+
+	if len(fncs) == 0 {
+		a.fncCache.Store(t, nil) // nil to indicate that no funcs found
+		return fnc, false
+	}
+
+	// Construct an arshaler that may call every applicable arshaler.
+	fncDefault := fnc
+	fnc = func(o Options, c *Coder, v addressableValue) error {
+		for _, fnc := range fncs {
+			if err := fnc(o, c, v); err != SkipFunc {
+				return err // may be nil or non-nil
+			}
+		}
+		return fncDefault(o, c, v)
+	}
+
+	// Use the first stored so duplicate work can be garbage collected.
+	v, _ := a.fncCache.LoadOrStore(t, fnc)
+	return v.(func(Options, *Coder, addressableValue) error), true
+}
+
+// MarshalFuncV1 constructs a type-specific marshaler that
+// specifies how to marshal values of type T.
+// T can be any type except a named pointer.
+// The function is always provided with a non-nil pointer value
+// if T is an interface or pointer type.
+//
+// The function must marshal exactly one JSON value.
+// The value of T must not be retained outside the function call.
+// It may not return SkipFunc.
+func MarshalFuncV1[T any](fn func(T) ([]byte, error)) *Marshalers {
+	t := reflect.TypeOf((*T)(nil)).Elem()
+	assertCastableTo(t, true)
+	typFnc := typedMarshaler{
+		typ: t,
+		fnc: func(mo MarshalOptions, enc *Encoder, va addressableValue) error {
+			val, err := fn(va.castTo(t).Interface().(T))
+			if err != nil {
+				err = wrapSkipFunc(err, "marshal function of type func(T) ([]byte, error)")
+				// TODO: Avoid wrapping semantic errors.
+				return &SemanticError{action: "marshal", GoType: t, Err: err}
+			}
+			if err := enc.WriteValue(val); err != nil {
+				// TODO: Avoid wrapping semantic or I/O errors.
+				return &SemanticError{action: "marshal", JSONKind: RawValue(val).Kind(), GoType: t, Err: err}
+			}
+			return nil
+		},
+	}
+	return &Marshalers{fncVals: []typedMarshaler{typFnc}, fromAny: castableToFromAny(t)}
+}
+
+// MarshalFuncV2 constructs a type-specific marshaler that
+// specifies how to marshal values of type T.
+// T can be any type except a named pointer.
+// The function is always provided with a non-nil pointer value
+// if T is an interface or pointer type.
+//
+// The function must marshal exactly one JSON value by calling write methods
+// on the provided encoder. It may return SkipFunc such that marshaling can
+// move on to the next marshal function. However, no mutable method calls may
+// be called on the encoder if SkipFunc is returned.
+// The pointer to Encoder and the value of T must not be retained
+// outside the function call.
+func MarshalFuncV2[T any](fn func(MarshalOptions, *Encoder, T) error) *Marshalers {
+	t := reflect.TypeOf((*T)(nil)).Elem()
+	assertCastableTo(t, true)
+	typFnc := typedMarshaler{
+		typ: t,
+		fnc: func(mo MarshalOptions, enc *Encoder, va addressableValue) error {
+			prevDepth, prevLength := enc.tokens.depthLength()
+			err := fn(mo, enc, va.castTo(t).Interface().(T))
+			currDepth, currLength := enc.tokens.depthLength()
+			if err == nil && (prevDepth != currDepth || prevLength+1 != currLength) {
+				err = errors.New("must write exactly one JSON value")
+			}
+			if err != nil {
+				if err == SkipFunc {
+					if prevDepth == currDepth && prevLength == currLength {
+						return SkipFunc
+					}
+					err = errors.New("must not write any JSON tokens when skipping")
+				}
+				// TODO: Avoid wrapping semantic or I/O errors.
+				return &SemanticError{action: "marshal", GoType: t, Err: err}
+			}
+			return nil
+		},
+		maySkip: true,
+	}
+	return &Marshalers{fncVals: []typedMarshaler{typFnc}, fromAny: castableToFromAny(t)}
+}
+
+// UnmarshalFuncV1 constructs a type-specific unmarshaler that
+// specifies how to unmarshal values of type T.
+// T must be an unnamed pointer or an interface type.
+// The function is always provided with a non-nil pointer value.
+//
+// The function must unmarshal exactly one JSON value.
+// The input []byte must not be mutated.
+// The input []byte and value T must not be retained outside the function call.
+// It may not return SkipFunc.
+func UnmarshalFuncV1[T any](fn func([]byte, T) error) *Unmarshalers {
+	t := reflect.TypeOf((*T)(nil)).Elem()
+	assertCastableTo(t, false)
+	typFnc := typedUnmarshaler{
+		typ: t,
+		fnc: func(uo UnmarshalOptions, dec *Decoder, va addressableValue) error {
+			val, err := dec.ReadValue()
+			if err != nil {
+				return err // must be a syntactic or I/O error
+			}
+			err = fn(val, va.castTo(t).Interface().(T))
+			if err != nil {
+				err = wrapSkipFunc(err, "unmarshal function of type func([]byte, T) error")
+				// TODO: Avoid wrapping semantic, syntactic, or I/O errors.
+				return &SemanticError{action: "unmarshal", JSONKind: val.Kind(), GoType: t, Err: err}
+			}
+			return nil
+		},
+	}
+	return &Unmarshalers{fncVals: []typedUnmarshaler{typFnc}, fromAny: castableToFromAny(t)}
+}
+
+// UnmarshalFuncV2 constructs a type-specific unmarshaler that
+// specifies how to unmarshal values of type T.
+// T must be an unnamed pointer or an interface type.
+// The function is always provided with a non-nil pointer value.
+//
+// The function must unmarshal exactly one JSON value by calling read methods
+// on the provided decoder. It may return SkipFunc such that unmarshaling can
+// move on to the next unmarshal function. However, no mutable method calls may
+// be called on the decoder if SkipFunc is returned.
+// The pointer to Decoder and the value of T must not be retained
+// outside the function call.
+func UnmarshalFuncV2[T any](fn func(UnmarshalOptions, *Decoder, T) error) *Unmarshalers {
+	t := reflect.TypeOf((*T)(nil)).Elem()
+	assertCastableTo(t, false)
+	typFnc := typedUnmarshaler{
+		typ: t,
+		fnc: func(uo UnmarshalOptions, dec *Decoder, va addressableValue) error {
+			prevDepth, prevLength := dec.tokens.depthLength()
+			err := fn(uo, dec, va.castTo(t).Interface().(T))
+			currDepth, currLength := dec.tokens.depthLength()
+			if err == nil && (prevDepth != currDepth || prevLength+1 != currLength) {
+				err = errors.New("must read exactly one JSON value")
+			}
+			if err != nil {
+				if err == SkipFunc {
+					if prevDepth == currDepth && prevLength == currLength {
+						return SkipFunc
+					}
+					err = errors.New("must not read any JSON tokens when skipping")
+				}
+				// TODO: Avoid wrapping semantic, syntactic, or I/O errors.
+				return &SemanticError{action: "unmarshal", GoType: t, Err: err}
+			}
+			return nil
+		},
+		maySkip: true,
+	}
+	return &Unmarshalers{fncVals: []typedUnmarshaler{typFnc}, fromAny: castableToFromAny(t)}
+}
+
+// assertCastableTo asserts that "to" is a valid type to be casted to.
+// These are the Go types that type-specific arshalers may operate upon.
+//
+// Let AllTypes be the universal set of all possible Go types.
+// This function generally asserts that:
+//
+//	len([from for from in AllTypes if castableTo(from, to)]) > 0
+//
+// otherwise it panics.
+//
+// As a special-case if marshal is false, then we forbid any non-pointer or
+// non-interface type since it is almost always a bug trying to unmarshal
+// into something where the end-user caller did not pass in an addressable value
+// since they will not observe the mutations.
+func assertCastableTo(to reflect.Type, marshal bool) {
+	switch to.Kind() {
+	case reflect.Interface:
+		return
+	case reflect.Pointer:
+		// Only allow unnamed pointers to be consistent with the fact that
+		// taking the address of a value produces an unnamed pointer type.
+		if to.Name() == "" {
+			return
+		}
+	default:
+		// Technically, non-pointer types are permissible for unmarshal.
+		// However, they are often a bug since the receiver would be immutable.
+		// Thus, only allow them for marshaling.
+		if marshal {
+			return
+		}
+	}
+	if marshal {
+		panic(fmt.Sprintf("input type %v must be an interface type, an unnamed pointer type, or a non-pointer type", to))
+	} else {
+		panic(fmt.Sprintf("input type %v must be an interface type or an unnamed pointer type", to))
+	}
+}
+
+// castableTo checks whether values of type "from" can be casted to type "to".
+// Nil pointer or interface "from" values are never considered castable.
+//
+// This function must be kept in sync with addressableValue.castTo.
+func castableTo(from, to reflect.Type) bool {
+	switch to.Kind() {
+	case reflect.Interface:
+		// TODO: This breaks when ordinary interfaces can have type sets
+		// since interfaces now exist where only the value form of a type (T)
+		// implements the interface, but not the pointer variant (*T).
+		// See https://go.dev/issue/45346.
+		return reflect.PointerTo(from).Implements(to)
+	case reflect.Pointer:
+		// Common case for unmarshaling.
+		// From must be a concrete or interface type.
+		return reflect.PointerTo(from) == to
+	default:
+		// Common case for marshaling.
+		// From must be a concrete type.
+		return from == to
+	}
+}
+
+// castTo casts va to the specified type.
+// If the type is an interface, then the underlying type will always
+// be a non-nil pointer to a concrete type.
+//
+// Requirement: castableTo(va.Type(), to) must hold.
+func (va addressableValue) castTo(to reflect.Type) reflect.Value {
+	switch to.Kind() {
+	case reflect.Interface:
+		return va.Addr().Convert(to)
+	case reflect.Pointer:
+		return va.Addr()
+	default:
+		return va.Value
+	}
+}
+
+// castableToFromAny reports whether "to" can be casted to from any
+// of the dynamic types used to represent arbitrary JSON.
+func castableToFromAny(to reflect.Type) bool {
+	for _, from := range []reflect.Type{anyType, boolType, stringType, float64Type, mapStringAnyType, sliceAnyType} {
+		if castableTo(from, to) {
+			return true
+		}
+	}
+	return false
+}
+
+func wrapSkipFunc(err error, what string) error {
+	if err == SkipFunc {
+		return errors.New(what + " cannot be skipped")
+	}
+	return err
+}
diff --git a/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/arshal_inlined.go b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/arshal_inlined.go
new file mode 100644
index 000000000..7476eda30
--- /dev/null
+++ b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/arshal_inlined.go
@@ -0,0 +1,186 @@
+// Copyright 2020 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package json
+
+import (
+	"errors"
+	"reflect"
+)
+
+// This package supports "inlining" a Go struct field, where the contents
+// of the serialized field (which must be a JSON object) are treated as if
+// they are part of the parent Go struct (which represents a JSON object).
+//
+// Generally, inlined fields are of a Go struct type, where the fields of the
+// nested struct are virtually hoisted up to the parent struct using rules
+// similar to how Go embedding works (but operating within the JSON namespace).
+//
+// However, inlined fields may also be of a Go map type with a string key
+// or a RawValue. Such inlined fields are called "fallback" fields since they
+// represent any arbitrary JSON object member. Explicitly named fields take
+// precedence over the inlined fallback. Only one inlined fallback is allowed.
+
+var rawValueType = reflect.TypeOf((*RawValue)(nil)).Elem()
+
+// marshalInlinedFallbackAll marshals all the members in an inlined fallback.
+func marshalInlinedFallbackAll(mo MarshalOptions, enc *Encoder, va addressableValue, f *structField, insertUnquotedName func([]byte) bool) error {
+	v := addressableValue{va.Field(f.index[0])} // addressable if struct value is addressable
+	if len(f.index) > 1 {
+		v = v.fieldByIndex(f.index[1:], false)
+		if !v.IsValid() {
+			return nil // implies a nil inlined field
+		}
+	}
+	v = v.indirect(false)
+	if !v.IsValid() {
+		return nil
+	}
+
+	if v.Type() == rawValueType {
+		b := v.Interface().(RawValue)
+		if len(b) == 0 { // TODO: Should this be nil? What if it were all whitespace?
+			return nil
+		}
+
+		dec := getBufferedDecoder(b, DecodeOptions{AllowDuplicateNames: true, AllowInvalidUTF8: true})
+		defer putBufferedDecoder(dec)
+
+		tok, err := dec.ReadToken()
+		if err != nil {
+			return &SemanticError{action: "marshal", GoType: rawValueType, Err: err}
+		}
+		if tok.Kind() != '{' {
+			err := errors.New("inlined raw value must be a JSON object")
+			return &SemanticError{action: "marshal", JSONKind: tok.Kind(), GoType: rawValueType, Err: err}
+		}
+		for dec.PeekKind() != '}' {
+			// Parse the JSON object name.
+			var flags valueFlags
+			val, err := dec.readValue(&flags)
+			if err != nil {
+				return &SemanticError{action: "marshal", GoType: rawValueType, Err: err}
+			}
+			if insertUnquotedName != nil {
+				name := unescapeStringMayCopy(val, flags.isVerbatim())
+				if !insertUnquotedName(name) {
+					return &SyntacticError{str: "duplicate name " + string(val) + " in object"}
+				}
+			}
+			if err := enc.WriteValue(val); err != nil {
+				return err
+			}
+
+			// Parse the JSON object value.
+			val, err = dec.readValue(&flags)
+			if err != nil {
+				return &SemanticError{action: "marshal", GoType: rawValueType, Err: err}
+			}
+			if err := enc.WriteValue(val); err != nil {
+				return err
+			}
+		}
+		if _, err := dec.ReadToken(); err != nil {
+			return &SemanticError{action: "marshal", GoType: rawValueType, Err: err}
+		}
+		if err := dec.checkEOF(); err != nil {
+			return &SemanticError{action: "marshal", GoType: rawValueType, Err: err}
+		}
+		return nil
+	} else {
+		if v.Len() == 0 {
+			return nil
+		}
+		m := v
+		mv := newAddressableValue(m.Type().Elem())
+		for iter := m.MapRange(); iter.Next(); {
+			b, err := appendString(enc.UnusedBuffer(), iter.Key().String(), !enc.options.AllowInvalidUTF8, nil)
+			if err != nil {
+				return err
+			}
+			if insertUnquotedName != nil {
+				isVerbatim := consumeSimpleString(b) == len(b)
+				name := unescapeStringMayCopy(b, isVerbatim)
+				if !insertUnquotedName(name) {
+					return &SyntacticError{str: "duplicate name " + string(b) + " in object"}
+				}
+			}
+			if err := enc.WriteValue(b); err != nil {
+				return err
+			}
+
+			mv.Set(iter.Value())
+			marshal := f.fncs.marshal
+			if mo.Marshalers != nil {
+				marshal, _ = mo.Marshalers.lookup(marshal, mv.Type())
+			}
+			if err := marshal(mo, enc, mv); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+}
+
+// unmarshalInlinedFallbackNext unmarshals only the next member in an inlined fallback.
+func unmarshalInlinedFallbackNext(uo UnmarshalOptions, dec *Decoder, va addressableValue, f *structField, quotedName, unquotedName []byte) error {
+	v := addressableValue{va.Field(f.index[0])} // addressable if struct value is addressable
+	if len(f.index) > 1 {
+		v = v.fieldByIndex(f.index[1:], true)
+	}
+	v = v.indirect(true)
+
+	if v.Type() == rawValueType {
+		b := v.Addr().Interface().(*RawValue)
+		if len(*b) == 0 { // TODO: Should this be nil? What if it were all whitespace?
+			*b = append(*b, '{')
+		} else {
+			*b = trimSuffixWhitespace(*b)
+			if hasSuffixByte(*b, '}') {
+				// TODO: When merging into an object for the first time,
+				// should we verify that it is valid?
+				*b = trimSuffixByte(*b, '}')
+				*b = trimSuffixWhitespace(*b)
+				if !hasSuffixByte(*b, ',') && !hasSuffixByte(*b, '{') {
+					*b = append(*b, ',')
+				}
+			} else {
+				err := errors.New("inlined raw value must be a JSON object")
+				return &SemanticError{action: "unmarshal", GoType: rawValueType, Err: err}
+			}
+		}
+		*b = append(*b, quotedName...)
+		*b = append(*b, ':')
+		rawValue, err := dec.ReadValue()
+		if err != nil {
+			return err
+		}
+		*b = append(*b, rawValue...)
+		*b = append(*b, '}')
+		return nil
+	} else {
+		name := string(unquotedName) // TODO: Intern this?
+
+		m := v
+		if m.IsNil() {
+			m.Set(reflect.MakeMap(m.Type()))
+		}
+		mk := reflect.ValueOf(name)
+		mv := newAddressableValue(v.Type().Elem()) // TODO: Cache across calls?
+		if v2 := m.MapIndex(mk); v2.IsValid() {
+			mv.Set(v2)
+		}
+
+		unmarshal := f.fncs.unmarshal
+		if uo.Unmarshalers != nil {
+			unmarshal, _ = uo.Unmarshalers.lookup(unmarshal, mv.Type())
+		}
+		err := unmarshal(uo, dec, mv)
+		m.SetMapIndex(mk, mv.Value)
+		if err != nil {
+			return err
+		}
+		return nil
+	}
+}
diff --git a/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/arshal_methods.go b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/arshal_methods.go
new file mode 100644
index 000000000..ef4e1f5e3
--- /dev/null
+++ b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/arshal_methods.go
@@ -0,0 +1,229 @@
+// Copyright 2020 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package json
+
+import (
+	"encoding"
+	"errors"
+	"reflect"
+)
+
+// Interfaces for custom serialization.
+var (
+	jsonMarshalerV1Type   = reflect.TypeOf((*MarshalerV1)(nil)).Elem()
+	jsonMarshalerV2Type   = reflect.TypeOf((*MarshalerV2)(nil)).Elem()
+	jsonUnmarshalerV1Type = reflect.TypeOf((*UnmarshalerV1)(nil)).Elem()
+	jsonUnmarshalerV2Type = reflect.TypeOf((*UnmarshalerV2)(nil)).Elem()
+	textMarshalerType     = reflect.TypeOf((*encoding.TextMarshaler)(nil)).Elem()
+	textUnmarshalerType   = reflect.TypeOf((*encoding.TextUnmarshaler)(nil)).Elem()
+)
+
+// MarshalerV1 is implemented by types that can marshal themselves.
+// It is recommended that types implement MarshalerV2 unless
+// the implementation is trying to avoid a hard dependency on this package.
+//
+// It is recommended that implementations return a buffer that is safe
+// for the caller to retain and potentially mutate.
+type MarshalerV1 interface {
+	MarshalJSON() ([]byte, error)
+}
+
+// MarshalerV2 is implemented by types that can marshal themselves.
+// It is recommended that types implement MarshalerV2 instead of MarshalerV1
+// since this is both more performant and flexible.
+// If a type implements both MarshalerV1 and MarshalerV2,
+// then MarshalerV2 takes precedence. In such a case, both implementations
+// should aim to have equivalent behavior for the default marshal options.
+//
+// The implementation must write only one JSON value to the Encoder and
+// must not retain the pointer to Encoder.
+type MarshalerV2 interface {
+	MarshalNextJSON(MarshalOptions, *Encoder) error
+
+	// TODO: Should users call the MarshalOptions.MarshalNext method or
+	// should/can they call this method directly? Does it matter?
+}
+
+// UnmarshalerV1 is implemented by types that can unmarshal themselves.
+// It is recommended that types implement UnmarshalerV2 unless
+// the implementation is trying to avoid a hard dependency on this package.
+//
+// The input can be assumed to be a valid encoding of a JSON value
+// if called from unmarshal functionality in this package.
+// UnmarshalJSON must copy the JSON data if it is retained after returning.
+// It is recommended that UnmarshalJSON implement merge semantics when
+// unmarshaling into a pre-populated value.
+//
+// Implementations must not retain or mutate the input []byte.
+type UnmarshalerV1 interface {
+	UnmarshalJSON([]byte) error
+}
+
+// UnmarshalerV2 is implemented by types that can unmarshal themselves.
+// It is recommended that types implement UnmarshalerV2 instead of UnmarshalerV1
+// since this is both more performant and flexible.
+// If a type implements both UnmarshalerV1 and UnmarshalerV2,
+// then UnmarshalerV2 takes precedence. In such a case, both implementations
+// should aim to have equivalent behavior for the default unmarshal options.
+//
+// The implementation must read only one JSON value from the Decoder.
+// It is recommended that UnmarshalNextJSON implement merge semantics when
+// unmarshaling into a pre-populated value.
+//
+// Implementations must not retain the pointer to Decoder.
+type UnmarshalerV2 interface {
+	UnmarshalNextJSON(UnmarshalOptions, *Decoder) error
+
+	// TODO: Should users call the UnmarshalOptions.UnmarshalNext method or
+	// should/can they call this method directly? Does it matter?
+}
+
+func makeMethodArshaler(fncs *arshaler, t reflect.Type) *arshaler {
+	// Avoid injecting method arshaler on the pointer or interface version
+	// to avoid ever calling the method on a nil pointer or interface receiver.
+	// Let it be injected on the value receiver (which is always addressable).
+	if t.Kind() == reflect.Pointer || t.Kind() == reflect.Interface {
+		return fncs
+	}
+
+	// Handle custom marshaler.
+	switch which, needAddr := implementsWhich(t, jsonMarshalerV2Type, jsonMarshalerV1Type, textMarshalerType); which {
+	case jsonMarshalerV2Type:
+		fncs.nonDefault = true
+		fncs.marshal = func(mo MarshalOptions, enc *Encoder, va addressableValue) error {
+			prevDepth, prevLength := enc.tokens.depthLength()
+			err := va.addrWhen(needAddr).Interface().(MarshalerV2).MarshalNextJSON(mo, enc)
+			currDepth, currLength := enc.tokens.depthLength()
+			if (prevDepth != currDepth || prevLength+1 != currLength) && err == nil {
+				err = errors.New("must write exactly one JSON value")
+			}
+			if err != nil {
+				err = wrapSkipFunc(err, "marshal method")
+				// TODO: Avoid wrapping semantic or I/O errors.
+				return &SemanticError{action: "marshal", GoType: t, Err: err}
+			}
+			return nil
+		}
+	case jsonMarshalerV1Type:
+		fncs.nonDefault = true
+		fncs.marshal = func(mo MarshalOptions, enc *Encoder, va addressableValue) error {
+			marshaler := va.addrWhen(needAddr).Interface().(MarshalerV1)
+			val, err := marshaler.MarshalJSON()
+			if err != nil {
+				err = wrapSkipFunc(err, "marshal method")
+				// TODO: Avoid wrapping semantic errors.
+				return &SemanticError{action: "marshal", GoType: t, Err: err}
+			}
+			if err := enc.WriteValue(val); err != nil {
+				// TODO: Avoid wrapping semantic or I/O errors.
+				return &SemanticError{action: "marshal", JSONKind: RawValue(val).Kind(), GoType: t, Err: err}
+			}
+			return nil
+		}
+	case textMarshalerType:
+		fncs.nonDefault = true
+		fncs.marshal = func(mo MarshalOptions, enc *Encoder, va addressableValue) error {
+			marshaler := va.addrWhen(needAddr).Interface().(encoding.TextMarshaler)
+			s, err := marshaler.MarshalText()
+			if err != nil {
+				err = wrapSkipFunc(err, "marshal method")
+				// TODO: Avoid wrapping semantic errors.
+				return &SemanticError{action: "marshal", JSONKind: '"', GoType: t, Err: err}
+			}
+			val := enc.UnusedBuffer()
+			val, err = appendString(val, string(s), true, nil)
+			if err != nil {
+				return &SemanticError{action: "marshal", JSONKind: '"', GoType: t, Err: err}
+			}
+			if err := enc.WriteValue(val); err != nil {
+				// TODO: Avoid wrapping syntactic or I/O errors.
+				return &SemanticError{action: "marshal", JSONKind: '"', GoType: t, Err: err}
+			}
+			return nil
+		}
+	}
+
+	// Handle custom unmarshaler.
+	switch which, needAddr := implementsWhich(t, jsonUnmarshalerV2Type, jsonUnmarshalerV1Type, textUnmarshalerType); which {
+	case jsonUnmarshalerV2Type:
+		fncs.nonDefault = true
+		fncs.unmarshal = func(uo UnmarshalOptions, dec *Decoder, va addressableValue) error {
+			prevDepth, prevLength := dec.tokens.depthLength()
+			err := va.addrWhen(needAddr).Interface().(UnmarshalerV2).UnmarshalNextJSON(uo, dec)
+			currDepth, currLength := dec.tokens.depthLength()
+			if (prevDepth != currDepth || prevLength+1 != currLength) && err == nil {
+				err = errors.New("must read exactly one JSON value")
+			}
+			if err != nil {
+				err = wrapSkipFunc(err, "unmarshal method")
+				// TODO: Avoid wrapping semantic, syntactic, or I/O errors.
+				return &SemanticError{action: "unmarshal", GoType: t, Err: err}
+			}
+			return nil
+		}
+	case jsonUnmarshalerV1Type:
+		fncs.nonDefault = true
+		fncs.unmarshal = func(uo UnmarshalOptions, dec *Decoder, va addressableValue) error {
+			val, err := dec.ReadValue()
+			if err != nil {
+				return err // must be a syntactic or I/O error
+			}
+			unmarshaler := va.addrWhen(needAddr).Interface().(UnmarshalerV1)
+			if err := unmarshaler.UnmarshalJSON(val); err != nil {
+				err = wrapSkipFunc(err, "unmarshal method")
+				// TODO: Avoid wrapping semantic, syntactic, or I/O errors.
+				return &SemanticError{action: "unmarshal", JSONKind: val.Kind(), GoType: t, Err: err}
+			}
+			return nil
+		}
+	case textUnmarshalerType:
+		fncs.nonDefault = true
+		fncs.unmarshal = func(uo UnmarshalOptions, dec *Decoder, va addressableValue) error {
+			var flags valueFlags
+			val, err := dec.readValue(&flags)
+			if err != nil {
+				return err // must be a syntactic or I/O error
+			}
+			if val.Kind() != '"' {
+				err = errors.New("JSON value must be string type")
+				return &SemanticError{action: "unmarshal", JSONKind: val.Kind(), GoType: t, Err: err}
+			}
+			s := unescapeStringMayCopy(val, flags.isVerbatim())
+			unmarshaler := va.addrWhen(needAddr).Interface().(encoding.TextUnmarshaler)
+			if err := unmarshaler.UnmarshalText(s); err != nil {
+				err = wrapSkipFunc(err, "unmarshal method")
+				// TODO: Avoid wrapping semantic, syntactic, or I/O errors.
+				return &SemanticError{action: "unmarshal", JSONKind: val.Kind(), GoType: t, Err: err}
+			}
+			return nil
+		}
+	}
+
+	return fncs
+}
+
+// implementsWhich is like t.Implements(ifaceType) for a list of interfaces,
+// but checks whether either t or reflect.PointerTo(t) implements the interface.
+// It returns the first interface type that matches and whether a value of t
+// needs to be addressed first before it implements the interface.
+func implementsWhich(t reflect.Type, ifaceTypes ...reflect.Type) (which reflect.Type, needAddr bool) {
+	for _, ifaceType := range ifaceTypes {
+		switch {
+		case t.Implements(ifaceType):
+			return ifaceType, false
+		case reflect.PointerTo(t).Implements(ifaceType):
+			return ifaceType, true
+		}
+	}
+	return nil, false
+}
+
+// addrWhen returns va.Addr if addr is specified, otherwise it returns itself.
+func (va addressableValue) addrWhen(addr bool) reflect.Value {
+	if addr {
+		return va.Addr()
+	}
+	return va.Value
+}
diff --git a/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/arshal_time.go b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/arshal_time.go
new file mode 100644
index 000000000..22e802221
--- /dev/null
+++ b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/arshal_time.go
@@ -0,0 +1,196 @@
+// Copyright 2020 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package json
+
+import (
+	"fmt"
+	"reflect"
+	"strings"
+	"time"
+)
+
+var (
+	timeDurationType = reflect.TypeOf((*time.Duration)(nil)).Elem()
+	timeTimeType     = reflect.TypeOf((*time.Time)(nil)).Elem()
+)
+
+func makeTimeArshaler(fncs *arshaler, t reflect.Type) *arshaler {
+	// Ideally, time types would implement MarshalerV2 and UnmarshalerV2,
+	// but that would incur a dependency on package json from package time.
+	// Given how widely used time is, it is more acceptable that we incur a
+	// dependency on time from json.
+	//
+	// Injecting the arshaling functionality like this will not be identical
+	// to actually declaring methods on the time types since embedding of the
+	// time types will not be able to forward this functionality.
+	switch t {
+	case timeDurationType:
+		fncs.nonDefault = true
+		marshalNanos := fncs.marshal
+		fncs.marshal = func(mo MarshalOptions, enc *Encoder, va addressableValue) error {
+			if mo.format != "" && mo.formatDepth == enc.tokens.depth() {
+				if mo.format == "nanos" {
+					mo.format = ""
+					return marshalNanos(mo, enc, va)
+				} else {
+					return newInvalidFormatError("marshal", t, mo.format)
+				}
+			}
+
+			td := va.Interface().(time.Duration)
+			b := enc.UnusedBuffer()
+			b = append(b, '"')
+			b = append(b, td.String()...) // never contains special characters
+			b = append(b, '"')
+			return enc.WriteValue(b)
+		}
+		unmarshalNanos := fncs.unmarshal
+		fncs.unmarshal = func(uo UnmarshalOptions, dec *Decoder, va addressableValue) error {
+			// TODO: Should there be a flag that specifies that we can unmarshal
+			// from either form since there would be no ambiguity?
+			if uo.format != "" && uo.formatDepth == dec.tokens.depth() {
+				if uo.format == "nanos" {
+					uo.format = ""
+					return unmarshalNanos(uo, dec, va)
+				} else {
+					return newInvalidFormatError("unmarshal", t, uo.format)
+				}
+			}
+
+			var flags valueFlags
+			td := va.Addr().Interface().(*time.Duration)
+			val, err := dec.readValue(&flags)
+			if err != nil {
+				return err
+			}
+			switch k := val.Kind(); k {
+			case 'n':
+				*td = time.Duration(0)
+				return nil
+			case '"':
+				val = unescapeStringMayCopy(val, flags.isVerbatim())
+				td2, err := time.ParseDuration(string(val))
+				if err != nil {
+					return &SemanticError{action: "unmarshal", JSONKind: k, GoType: t, Err: err}
+				}
+				*td = td2
+				return nil
+			default:
+				return &SemanticError{action: "unmarshal", JSONKind: k, GoType: t}
+			}
+		}
+	case timeTimeType:
+		fncs.nonDefault = true
+		fncs.marshal = func(mo MarshalOptions, enc *Encoder, va addressableValue) error {
+			format := time.RFC3339Nano
+			if mo.format != "" && mo.formatDepth == enc.tokens.depth() {
+				var err error
+				format, err = checkTimeFormat(mo.format)
+				if err != nil {
+					return &SemanticError{action: "marshal", GoType: t, Err: err}
+				}
+			}
+
+			tt := va.Interface().(time.Time)
+			if y := tt.Year(); y < 0 || y >= 10000 {
+				// RFC 3339 is clear that years are 4 digits exactly.
+				// See https://go.dev/issue/4556#c15 for more discussion.
+				err := fmt.Errorf("year %d outside of range [0,9999]", y)
+				return &SemanticError{action: "marshal", GoType: t, Err: err}
+			}
+			b := enc.UnusedBuffer()
+			b = append(b, '"')
+			b = tt.AppendFormat(b, format)
+			b = append(b, '"')
+			// The format may contain special characters that need escaping.
+			// Verify that the result is a valid JSON string (common case),
+			// otherwise escape the string correctly (slower case).
+			if consumeSimpleString(b) != len(b) {
+				b, _ = appendString(nil, string(b[len(`"`):len(b)-len(`"`)]), true, nil)
+			}
+			return enc.WriteValue(b)
+		}
+		fncs.unmarshal = func(uo UnmarshalOptions, dec *Decoder, va addressableValue) error {
+			format := time.RFC3339Nano
+			if uo.format != "" && uo.formatDepth == dec.tokens.depth() {
+				var err error
+				format, err = checkTimeFormat(uo.format)
+				if err != nil {
+					return &SemanticError{action: "unmarshal", GoType: t, Err: err}
+				}
+			}
+
+			var flags valueFlags
+			tt := va.Addr().Interface().(*time.Time)
+			val, err := dec.readValue(&flags)
+			if err != nil {
+				return err
+			}
+			k := val.Kind()
+			switch k {
+			case 'n':
+				*tt = time.Time{}
+				return nil
+			case '"':
+				val = unescapeStringMayCopy(val, flags.isVerbatim())
+				tt2, err := time.Parse(format, string(val))
+				if err != nil {
+					return &SemanticError{action: "unmarshal", JSONKind: k, GoType: t, Err: err}
+				}
+				*tt = tt2
+				return nil
+			default:
+				return &SemanticError{action: "unmarshal", JSONKind: k, GoType: t}
+			}
+		}
+	}
+	return fncs
+}
+
+func checkTimeFormat(format string) (string, error) {
+	// We assume that an exported constant in the time package will
+	// always start with an uppercase ASCII letter.
+	if len(format) > 0 && 'A' <= format[0] && format[0] <= 'Z' {
+		switch format {
+		case "ANSIC":
+			return time.ANSIC, nil
+		case "UnixDate":
+			return time.UnixDate, nil
+		case "RubyDate":
+			return time.RubyDate, nil
+		case "RFC822":
+			return time.RFC822, nil
+		case "RFC822Z":
+			return time.RFC822Z, nil
+		case "RFC850":
+			return time.RFC850, nil
+		case "RFC1123":
+			return time.RFC1123, nil
+		case "RFC1123Z":
+			return time.RFC1123Z, nil
+		case "RFC3339":
+			return time.RFC3339, nil
+		case "RFC3339Nano":
+			return time.RFC3339Nano, nil
+		case "Kitchen":
+			return time.Kitchen, nil
+		case "Stamp":
+			return time.Stamp, nil
+		case "StampMilli":
+			return time.StampMilli, nil
+		case "StampMicro":
+			return time.StampMicro, nil
+		case "StampNano":
+			return time.StampNano, nil
+		default:
+			// Reject any format that is an exported Go identifier in case
+			// new format constants are added to the time package.
+			if strings.TrimFunc(format, isLetterOrDigit) == "" {
+				return "", fmt.Errorf("undefined format layout: %v", format)
+			}
+		}
+	}
+	return format, nil
+}
diff --git a/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/decode.go b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/decode.go
new file mode 100644
index 000000000..998ad68fc
--- /dev/null
+++ b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/decode.go
@@ -0,0 +1,1655 @@
+// Copyright 2020 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package json
+
+import (
+	"bytes"
+	"errors"
+	"io"
+	"math"
+	"strconv"
+	"unicode/utf16"
+	"unicode/utf8"
+)
+
+// NOTE: The logic for decoding is complicated by the fact that reading from
+// an io.Reader into a temporary buffer means that the buffer may contain a
+// truncated portion of some valid input, requiring the need to fetch more data.
+//
+// This file is structured in the following way:
+//
+//   - consumeXXX functions parse an exact JSON token from a []byte.
+//     If the buffer appears truncated, then it returns io.ErrUnexpectedEOF.
+//     The consumeSimpleXXX functions are so named because they only handle
+//     a subset of the grammar for the JSON token being parsed.
+//     They do not handle the full grammar to keep these functions inlineable.
+//
+//   - Decoder.consumeXXX methods parse the next JSON token from Decoder.buf,
+//     automatically fetching more input if necessary. These methods take
+//     a position relative to the start of Decoder.buf as an argument and
+//     return the end of the consumed JSON token as a position,
+//     also relative to the start of Decoder.buf.
+//
+//   - In the event of an I/O errors or state machine violations,
+//     the implementation avoids mutating the state of Decoder
+//     (aside from the book-keeping needed to implement Decoder.fetch).
+//     For this reason, only Decoder.ReadToken and Decoder.ReadValue are
+//     responsible for updated Decoder.prevStart and Decoder.prevEnd.
+//
+//   - For performance, much of the implementation uses the pattern of calling
+//     the inlineable consumeXXX functions first, and if more work is necessary,
+//     then it calls the slower Decoder.consumeXXX methods.
+//     TODO: Revisit this pattern if the Go compiler provides finer control
+//     over exactly which calls are inlined or not.
+
+// DecodeOptions configures how JSON decoding operates.
+// The zero value is equivalent to the default settings,
+// which is compliant with both RFC 7493 and RFC 8259.
+type DecodeOptions struct {
+	requireKeyedLiterals
+	nonComparable
+
+	// AllowDuplicateNames specifies that JSON objects may contain
+	// duplicate member names. Disabling the duplicate name check may provide
+	// computational and performance benefits, but breaks compliance with
+	// RFC 7493, section 2.3. The input will still be compliant with RFC 8259,
+	// which leaves the handling of duplicate names as unspecified behavior.
+	AllowDuplicateNames bool
+
+	// AllowInvalidUTF8 specifies that JSON strings may contain invalid UTF-8,
+	// which will be mangled as the Unicode replacement character, U+FFFD.
+	// This causes the decoder to break compliance with
+	// RFC 7493, section 2.1, and RFC 8259, section 8.1.
+	AllowInvalidUTF8 bool
+}
+
+// Decoder is a streaming decoder for raw JSON tokens and values.
+// It is used to read a stream of top-level JSON values,
+// each separated by optional whitespace characters.
+//
+// ReadToken and ReadValue calls may be interleaved.
+// For example, the following JSON value:
+//
+//	{"name":"value","array":[null,false,true,3.14159],"object":{"k":"v"}}
+//
+// can be parsed with the following calls (ignoring errors for brevity):
+//
+//	d.ReadToken() // {
+//	d.ReadToken() // "name"
+//	d.ReadToken() // "value"
+//	d.ReadValue() // "array"
+//	d.ReadToken() // [
+//	d.ReadToken() // null
+//	d.ReadToken() // false
+//	d.ReadValue() // true
+//	d.ReadToken() // 3.14159
+//	d.ReadToken() // ]
+//	d.ReadValue() // "object"
+//	d.ReadValue() // {"k":"v"}
+//	d.ReadToken() // }
+//
+// The above is one of many possible sequence of calls and
+// may not represent the most sensible method to call for any given token/value.
+// For example, it is probably more common to call ReadToken to obtain a
+// string token for object names.
+type Decoder struct {
+	state
+	decodeBuffer
+	options DecodeOptions
+
+	stringCache *stringCache // only used when unmarshaling
+}
+
+// decodeBuffer is a buffer split into 4 segments:
+//
+//   - buf[0:prevEnd]         // already read portion of the buffer
+//   - buf[prevStart:prevEnd] // previously read value
+//   - buf[prevEnd:len(buf)]  // unread portion of the buffer
+//   - buf[len(buf):cap(buf)] // unused portion of the buffer
+//
+// Invariants:
+//
+//	0 ≤ prevStart ≤ prevEnd ≤ len(buf) ≤ cap(buf)
+type decodeBuffer struct {
+	peekPos int   // non-zero if valid offset into buf for start of next token
+	peekErr error // implies peekPos is -1
+
+	buf       []byte // may alias rd if it is a bytes.Buffer
+	prevStart int
+	prevEnd   int
+
+	// baseOffset is added to prevStart and prevEnd to obtain
+	// the absolute offset relative to the start of io.Reader stream.
+	baseOffset int64
+
+	rd io.Reader
+}
+
+// NewDecoder constructs a new streaming decoder reading from r.
+//
+// If r is a bytes.Buffer, then the decoder parses directly from the buffer
+// without first copying the contents to an intermediate buffer.
+// Additional writes to the buffer must not occur while the decoder is in use.
+func NewDecoder(r io.Reader) *Decoder {
+	return DecodeOptions{}.NewDecoder(r)
+}
+
+// NewDecoder constructs a new streaming decoder reading from r
+// configured with the provided options.
+func (o DecodeOptions) NewDecoder(r io.Reader) *Decoder {
+	d := new(Decoder)
+	o.ResetDecoder(d, r)
+	return d
+}
+
+// ResetDecoder resets a decoder such that it is reading afresh from r and
+// configured with the provided options.
+func (o DecodeOptions) ResetDecoder(d *Decoder, r io.Reader) {
+	if d == nil {
+		panic("json: invalid nil Decoder")
+	}
+	if r == nil {
+		panic("json: invalid nil io.Reader")
+	}
+	d.reset(nil, r, o)
+}
+
+func (d *Decoder) reset(b []byte, r io.Reader, o DecodeOptions) {
+	d.state.reset()
+	d.decodeBuffer = decodeBuffer{buf: b, rd: r}
+	d.options = o
+}
+
+// Reset resets a decoder such that it is reading afresh from r but
+// keep any pre-existing decoder options.
+func (d *Decoder) Reset(r io.Reader) {
+	d.options.ResetDecoder(d, r)
+}
+
+var errBufferWriteAfterNext = errors.New("invalid bytes.Buffer.Write call after calling bytes.Buffer.Next")
+
+// fetch reads at least 1 byte from the underlying io.Reader.
+// It returns io.ErrUnexpectedEOF if zero bytes were read and io.EOF was seen.
+func (d *Decoder) fetch() error {
+	if d.rd == nil {
+		return io.ErrUnexpectedEOF
+	}
+
+	// Inform objectNameStack that we are about to fetch new buffer content.
+	d.names.copyQuotedBuffer(d.buf)
+
+	// Specialize bytes.Buffer for better performance.
+	if bb, ok := d.rd.(*bytes.Buffer); ok {
+		switch {
+		case bb.Len() == 0:
+			return io.ErrUnexpectedEOF
+		case len(d.buf) == 0:
+			d.buf = bb.Next(bb.Len()) // "read" all data in the buffer
+			return nil
+		default:
+			// This only occurs if a partially filled bytes.Buffer was provided
+			// and more data is written to it while Decoder is reading from it.
+			// This practice will lead to data corruption since future writes
+			// may overwrite the contents of the current buffer.
+			//
+			// The user is trying to use a bytes.Buffer as a pipe,
+			// but a bytes.Buffer is poor implementation of a pipe,
+			// the purpose-built io.Pipe should be used instead.
+			return &ioError{action: "read", err: errBufferWriteAfterNext}
+		}
+	}
+
+	// Allocate initial buffer if empty.
+	if cap(d.buf) == 0 {
+		d.buf = make([]byte, 0, 64)
+	}
+
+	// Check whether to grow the buffer.
+	const maxBufferSize = 4 << 10
+	const growthSizeFactor = 2 // higher value is faster
+	const growthRateFactor = 2 // higher value is slower
+	// By default, grow if below the maximum buffer size.
+	grow := cap(d.buf) <= maxBufferSize/growthSizeFactor
+	// Growing can be expensive, so only grow
+	// if a sufficient number of bytes have been processed.
+	grow = grow && int64(cap(d.buf)) < d.previousOffsetEnd()/growthRateFactor
+	// If prevStart==0, then fetch was called in order to fetch more data
+	// to finish consuming a large JSON value contiguously.
+	// Grow if less than 25% of the remaining capacity is available.
+	// Note that this may cause the input buffer to exceed maxBufferSize.
+	grow = grow || (d.prevStart == 0 && len(d.buf) >= 3*cap(d.buf)/4)
+
+	if grow {
+		// Allocate a new buffer and copy the contents of the old buffer over.
+		// TODO: Provide a hard limit on the maximum internal buffer size?
+		buf := make([]byte, 0, cap(d.buf)*growthSizeFactor)
+		d.buf = append(buf, d.buf[d.prevStart:]...)
+	} else {
+		// Move unread portion of the data to the front.
+		n := copy(d.buf[:cap(d.buf)], d.buf[d.prevStart:])
+		d.buf = d.buf[:n]
+	}
+	d.baseOffset += int64(d.prevStart)
+	d.prevEnd -= d.prevStart
+	d.prevStart = 0
+
+	// Read more data into the internal buffer.
+	for {
+		n, err := d.rd.Read(d.buf[len(d.buf):cap(d.buf)])
+		switch {
+		case n > 0:
+			d.buf = d.buf[:len(d.buf)+n]
+			return nil // ignore errors if any bytes are read
+		case err == io.EOF:
+			return io.ErrUnexpectedEOF
+		case err != nil:
+			return &ioError{action: "read", err: err}
+		default:
+			continue // Read returned (0, nil)
+		}
+	}
+}
+
+const invalidateBufferByte = '#' // invalid starting character for JSON grammar
+
+// invalidatePreviousRead invalidates buffers returned by Peek and Read calls
+// so that the first byte is an invalid character.
+// This Hyrum-proofs the API against faulty application code that assumes
+// values returned by ReadValue remain valid past subsequent Read calls.
+func (d *decodeBuffer) invalidatePreviousRead() {
+	// Avoid mutating the buffer if d.rd is nil which implies that d.buf
+	// is provided by the user code and may not expect mutations.
+	isBytesBuffer := func(r io.Reader) bool {
+		_, ok := r.(*bytes.Buffer)
+		return ok
+	}
+	if d.rd != nil && !isBytesBuffer(d.rd) && d.prevStart < d.prevEnd && uint(d.prevStart) < uint(len(d.buf)) {
+		d.buf[d.prevStart] = invalidateBufferByte
+		d.prevStart = d.prevEnd
+	}
+}
+
+// needMore reports whether there are no more unread bytes.
+func (d *decodeBuffer) needMore(pos int) bool {
+	// NOTE: The arguments and logic are kept simple to keep this inlineable.
+	return pos == len(d.buf)
+}
+
+// injectSyntacticErrorWithPosition wraps a SyntacticError with the position,
+// otherwise it returns the error as is.
+// It takes a position relative to the start of the start of d.buf.
+func (d *decodeBuffer) injectSyntacticErrorWithPosition(err error, pos int) error {
+	if serr, ok := err.(*SyntacticError); ok {
+		return serr.withOffset(d.baseOffset + int64(pos))
+	}
+	return err
+}
+
+func (d *decodeBuffer) previousOffsetStart() int64 { return d.baseOffset + int64(d.prevStart) }
+func (d *decodeBuffer) previousOffsetEnd() int64   { return d.baseOffset + int64(d.prevEnd) }
+func (d *decodeBuffer) previousBuffer() []byte     { return d.buf[d.prevStart:d.prevEnd] }
+func (d *decodeBuffer) unreadBuffer() []byte       { return d.buf[d.prevEnd:len(d.buf)] }
+
+// PeekKind retrieves the next token kind, but does not advance the read offset.
+// It returns 0 if there are no more tokens.
+func (d *Decoder) PeekKind() Kind {
+	// Check whether we have a cached peek result.
+	if d.peekPos > 0 {
+		return Kind(d.buf[d.peekPos]).normalize()
+	}
+
+	var err error
+	d.invalidatePreviousRead()
+	pos := d.prevEnd
+
+	// Consume leading whitespace.
+	pos += consumeWhitespace(d.buf[pos:])
+	if d.needMore(pos) {
+		if pos, err = d.consumeWhitespace(pos); err != nil {
+			if err == io.ErrUnexpectedEOF && d.tokens.depth() == 1 {
+				err = io.EOF // EOF possibly if no Tokens present after top-level value
+			}
+			d.peekPos, d.peekErr = -1, err
+			return invalidKind
+		}
+	}
+
+	// Consume colon or comma.
+	var delim byte
+	if c := d.buf[pos]; c == ':' || c == ',' {
+		delim = c
+		pos += 1
+		pos += consumeWhitespace(d.buf[pos:])
+		if d.needMore(pos) {
+			if pos, err = d.consumeWhitespace(pos); err != nil {
+				d.peekPos, d.peekErr = -1, err
+				return invalidKind
+			}
+		}
+	}
+	next := Kind(d.buf[pos]).normalize()
+	if d.tokens.needDelim(next) != delim {
+		pos = d.prevEnd // restore position to right after leading whitespace
+		pos += consumeWhitespace(d.buf[pos:])
+		err = d.tokens.checkDelim(delim, next)
+		err = d.injectSyntacticErrorWithPosition(err, pos)
+		d.peekPos, d.peekErr = -1, err
+		return invalidKind
+	}
+
+	// This may set peekPos to zero, which is indistinguishable from
+	// the uninitialized state. While a small hit to performance, it is correct
+	// since ReadValue and ReadToken will disregard the cached result and
+	// recompute the next kind.
+	d.peekPos, d.peekErr = pos, nil
+	return next
+}
+
+// skipValue is semantically equivalent to calling ReadValue and discarding
+// the result except that memory is not wasted trying to hold the entire result.
+func (d *Decoder) skipValue() error {
+	switch d.PeekKind() {
+	case '{', '[':
+		// For JSON objects and arrays, keep skipping all tokens
+		// until the depth matches the starting depth.
+		depth := d.tokens.depth()
+		for {
+			if _, err := d.ReadToken(); err != nil {
+				return err
+			}
+			if depth >= d.tokens.depth() {
+				return nil
+			}
+		}
+	default:
+		// Trying to skip a value when the next token is a '}' or ']'
+		// will result in an error being returned here.
+		if _, err := d.ReadValue(); err != nil {
+			return err
+		}
+		return nil
+	}
+}
+
+// ReadToken reads the next Token, advancing the read offset.
+// The returned token is only valid until the next Peek or Read call.
+// It returns io.EOF if there are no more tokens.
+func (d *Decoder) ReadToken() (Token, error) {
+	// Determine the next kind.
+	var err error
+	var next Kind
+	pos := d.peekPos
+	if pos != 0 {
+		// Use cached peek result.
+		if d.peekErr != nil {
+			err := d.peekErr
+			d.peekPos, d.peekErr = 0, nil // possibly a transient I/O error
+			return Token{}, err
+		}
+		next = Kind(d.buf[pos]).normalize()
+		d.peekPos = 0 // reset cache
+	} else {
+		d.invalidatePreviousRead()
+		pos = d.prevEnd
+
+		// Consume leading whitespace.
+		pos += consumeWhitespace(d.buf[pos:])
+		if d.needMore(pos) {
+			if pos, err = d.consumeWhitespace(pos); err != nil {
+				if err == io.ErrUnexpectedEOF && d.tokens.depth() == 1 {
+					err = io.EOF // EOF possibly if no Tokens present after top-level value
+				}
+				return Token{}, err
+			}
+		}
+
+		// Consume colon or comma.
+		var delim byte
+		if c := d.buf[pos]; c == ':' || c == ',' {
+			delim = c
+			pos += 1
+			pos += consumeWhitespace(d.buf[pos:])
+			if d.needMore(pos) {
+				if pos, err = d.consumeWhitespace(pos); err != nil {
+					return Token{}, err
+				}
+			}
+		}
+		next = Kind(d.buf[pos]).normalize()
+		if d.tokens.needDelim(next) != delim {
+			pos = d.prevEnd // restore position to right after leading whitespace
+			pos += consumeWhitespace(d.buf[pos:])
+			err = d.tokens.checkDelim(delim, next)
+			return Token{}, d.injectSyntacticErrorWithPosition(err, pos)
+		}
+	}
+
+	// Handle the next token.
+	var n int
+	switch next {
+	case 'n':
+		if consumeNull(d.buf[pos:]) == 0 {
+			pos, err = d.consumeLiteral(pos, "null")
+			if err != nil {
+				return Token{}, d.injectSyntacticErrorWithPosition(err, pos)
+			}
+		} else {
+			pos += len("null")
+		}
+		if err = d.tokens.appendLiteral(); err != nil {
+			return Token{}, d.injectSyntacticErrorWithPosition(err, pos-len("null")) // report position at start of literal
+		}
+		d.prevStart, d.prevEnd = pos, pos
+		return Null, nil
+
+	case 'f':
+		if consumeFalse(d.buf[pos:]) == 0 {
+			pos, err = d.consumeLiteral(pos, "false")
+			if err != nil {
+				return Token{}, d.injectSyntacticErrorWithPosition(err, pos)
+			}
+		} else {
+			pos += len("false")
+		}
+		if err = d.tokens.appendLiteral(); err != nil {
+			return Token{}, d.injectSyntacticErrorWithPosition(err, pos-len("false")) // report position at start of literal
+		}
+		d.prevStart, d.prevEnd = pos, pos
+		return False, nil
+
+	case 't':
+		if consumeTrue(d.buf[pos:]) == 0 {
+			pos, err = d.consumeLiteral(pos, "true")
+			if err != nil {
+				return Token{}, d.injectSyntacticErrorWithPosition(err, pos)
+			}
+		} else {
+			pos += len("true")
+		}
+		if err = d.tokens.appendLiteral(); err != nil {
+			return Token{}, d.injectSyntacticErrorWithPosition(err, pos-len("true")) // report position at start of literal
+		}
+		d.prevStart, d.prevEnd = pos, pos
+		return True, nil
+
+	case '"':
+		var flags valueFlags // TODO: Preserve this in Token?
+		if n = consumeSimpleString(d.buf[pos:]); n == 0 {
+			oldAbsPos := d.baseOffset + int64(pos)
+			pos, err = d.consumeString(&flags, pos)
+			newAbsPos := d.baseOffset + int64(pos)
+			n = int(newAbsPos - oldAbsPos)
+			if err != nil {
+				return Token{}, d.injectSyntacticErrorWithPosition(err, pos)
+			}
+		} else {
+			pos += n
+		}
+		if !d.options.AllowDuplicateNames && d.tokens.last.needObjectName() {
+			if !d.tokens.last.isValidNamespace() {
+				return Token{}, errInvalidNamespace
+			}
+			if d.tokens.last.isActiveNamespace() && !d.namespaces.last().insertQuoted(d.buf[pos-n:pos], flags.isVerbatim()) {
+				err = &SyntacticError{str: "duplicate name " + string(d.buf[pos-n:pos]) + " in object"}
+				return Token{}, d.injectSyntacticErrorWithPosition(err, pos-n) // report position at start of string
+			}
+			d.names.replaceLastQuotedOffset(pos - n) // only replace if insertQuoted succeeds
+		}
+		if err = d.tokens.appendString(); err != nil {
+			return Token{}, d.injectSyntacticErrorWithPosition(err, pos-n) // report position at start of string
+		}
+		d.prevStart, d.prevEnd = pos-n, pos
+		return Token{raw: &d.decodeBuffer, num: uint64(d.previousOffsetStart())}, nil
+
+	case '0':
+		// NOTE: Since JSON numbers are not self-terminating,
+		// we need to make sure that the next byte is not part of a number.
+		if n = consumeSimpleNumber(d.buf[pos:]); n == 0 || d.needMore(pos+n) {
+			oldAbsPos := d.baseOffset + int64(pos)
+			pos, err = d.consumeNumber(pos)
+			newAbsPos := d.baseOffset + int64(pos)
+			n = int(newAbsPos - oldAbsPos)
+			if err != nil {
+				return Token{}, d.injectSyntacticErrorWithPosition(err, pos)
+			}
+		} else {
+			pos += n
+		}
+		if err = d.tokens.appendNumber(); err != nil {
+			return Token{}, d.injectSyntacticErrorWithPosition(err, pos-n) // report position at start of number
+		}
+		d.prevStart, d.prevEnd = pos-n, pos
+		return Token{raw: &d.decodeBuffer, num: uint64(d.previousOffsetStart())}, nil
+
+	case '{':
+		if err = d.tokens.pushObject(); err != nil {
+			return Token{}, d.injectSyntacticErrorWithPosition(err, pos)
+		}
+		if !d.options.AllowDuplicateNames {
+			d.names.push()
+			d.namespaces.push()
+		}
+		pos += 1
+		d.prevStart, d.prevEnd = pos, pos
+		return ObjectStart, nil
+
+	case '}':
+		if err = d.tokens.popObject(); err != nil {
+			return Token{}, d.injectSyntacticErrorWithPosition(err, pos)
+		}
+		if !d.options.AllowDuplicateNames {
+			d.names.pop()
+			d.namespaces.pop()
+		}
+		pos += 1
+		d.prevStart, d.prevEnd = pos, pos
+		return ObjectEnd, nil
+
+	case '[':
+		if err = d.tokens.pushArray(); err != nil {
+			return Token{}, d.injectSyntacticErrorWithPosition(err, pos)
+		}
+		pos += 1
+		d.prevStart, d.prevEnd = pos, pos
+		return ArrayStart, nil
+
+	case ']':
+		if err = d.tokens.popArray(); err != nil {
+			return Token{}, d.injectSyntacticErrorWithPosition(err, pos)
+		}
+		pos += 1
+		d.prevStart, d.prevEnd = pos, pos
+		return ArrayEnd, nil
+
+	default:
+		err = newInvalidCharacterError(d.buf[pos:], "at start of token")
+		return Token{}, d.injectSyntacticErrorWithPosition(err, pos)
+	}
+}
+
+type valueFlags uint
+
+const (
+	_ valueFlags = (1 << iota) / 2 // powers of two starting with zero
+
+	stringNonVerbatim  // string cannot be naively treated as valid UTF-8
+	stringNonCanonical // string not formatted according to RFC 8785, section 3.2.2.2.
+	// TODO: Track whether a number is a non-integer?
+)
+
+func (f *valueFlags) set(f2 valueFlags) { *f |= f2 }
+func (f valueFlags) isVerbatim() bool   { return f&stringNonVerbatim == 0 }
+func (f valueFlags) isCanonical() bool  { return f&stringNonCanonical == 0 }
+
+// ReadValue returns the next raw JSON value, advancing the read offset.
+// The value is stripped of any leading or trailing whitespace.
+// The returned value is only valid until the next Peek or Read call and
+// may not be mutated while the Decoder remains in use.
+// If the decoder is currently at the end token for an object or array,
+// then it reports a SyntacticError and the internal state remains unchanged.
+// It returns io.EOF if there are no more values.
+func (d *Decoder) ReadValue() (RawValue, error) {
+	var flags valueFlags
+	return d.readValue(&flags)
+}
+func (d *Decoder) readValue(flags *valueFlags) (RawValue, error) {
+	// Determine the next kind.
+	var err error
+	var next Kind
+	pos := d.peekPos
+	if pos != 0 {
+		// Use cached peek result.
+		if d.peekErr != nil {
+			err := d.peekErr
+			d.peekPos, d.peekErr = 0, nil // possibly a transient I/O error
+			return nil, err
+		}
+		next = Kind(d.buf[pos]).normalize()
+		d.peekPos = 0 // reset cache
+	} else {
+		d.invalidatePreviousRead()
+		pos = d.prevEnd
+
+		// Consume leading whitespace.
+		pos += consumeWhitespace(d.buf[pos:])
+		if d.needMore(pos) {
+			if pos, err = d.consumeWhitespace(pos); err != nil {
+				if err == io.ErrUnexpectedEOF && d.tokens.depth() == 1 {
+					err = io.EOF // EOF possibly if no Tokens present after top-level value
+				}
+				return nil, err
+			}
+		}
+
+		// Consume colon or comma.
+		var delim byte
+		if c := d.buf[pos]; c == ':' || c == ',' {
+			delim = c
+			pos += 1
+			pos += consumeWhitespace(d.buf[pos:])
+			if d.needMore(pos) {
+				if pos, err = d.consumeWhitespace(pos); err != nil {
+					return nil, err
+				}
+			}
+		}
+		next = Kind(d.buf[pos]).normalize()
+		if d.tokens.needDelim(next) != delim {
+			pos = d.prevEnd // restore position to right after leading whitespace
+			pos += consumeWhitespace(d.buf[pos:])
+			err = d.tokens.checkDelim(delim, next)
+			return nil, d.injectSyntacticErrorWithPosition(err, pos)
+		}
+	}
+
+	// Handle the next value.
+	oldAbsPos := d.baseOffset + int64(pos)
+	pos, err = d.consumeValue(flags, pos)
+	newAbsPos := d.baseOffset + int64(pos)
+	n := int(newAbsPos - oldAbsPos)
+	if err != nil {
+		return nil, d.injectSyntacticErrorWithPosition(err, pos)
+	}
+	switch next {
+	case 'n', 't', 'f':
+		err = d.tokens.appendLiteral()
+	case '"':
+		if !d.options.AllowDuplicateNames && d.tokens.last.needObjectName() {
+			if !d.tokens.last.isValidNamespace() {
+				err = errInvalidNamespace
+				break
+			}
+			if d.tokens.last.isActiveNamespace() && !d.namespaces.last().insertQuoted(d.buf[pos-n:pos], flags.isVerbatim()) {
+				err = &SyntacticError{str: "duplicate name " + string(d.buf[pos-n:pos]) + " in object"}
+				break
+			}
+			d.names.replaceLastQuotedOffset(pos - n) // only replace if insertQuoted succeeds
+		}
+		err = d.tokens.appendString()
+	case '0':
+		err = d.tokens.appendNumber()
+	case '{':
+		if err = d.tokens.pushObject(); err != nil {
+			break
+		}
+		if err = d.tokens.popObject(); err != nil {
+			panic("BUG: popObject should never fail immediately after pushObject: " + err.Error())
+		}
+	case '[':
+		if err = d.tokens.pushArray(); err != nil {
+			break
+		}
+		if err = d.tokens.popArray(); err != nil {
+			panic("BUG: popArray should never fail immediately after pushArray: " + err.Error())
+		}
+	}
+	if err != nil {
+		return nil, d.injectSyntacticErrorWithPosition(err, pos-n) // report position at start of value
+	}
+	d.prevEnd = pos
+	d.prevStart = pos - n
+	return d.buf[pos-n : pos : pos], nil
+}
+
+// checkEOF verifies that the input has no more data.
+func (d *Decoder) checkEOF() error {
+	switch pos, err := d.consumeWhitespace(d.prevEnd); err {
+	case nil:
+		return newInvalidCharacterError(d.buf[pos:], "after top-level value")
+	case io.ErrUnexpectedEOF:
+		return nil
+	default:
+		return err
+	}
+}
+
+// consumeWhitespace consumes all whitespace starting at d.buf[pos:].
+// It returns the new position in d.buf immediately after the last whitespace.
+// If it returns nil, there is guaranteed to at least be one unread byte.
+//
+// The following pattern is common in this implementation:
+//
+//	pos += consumeWhitespace(d.buf[pos:])
+//	if d.needMore(pos) {
+//		if pos, err = d.consumeWhitespace(pos); err != nil {
+//			return ...
+//		}
+//	}
+//
+// It is difficult to simplify this without sacrificing performance since
+// consumeWhitespace must be inlined. The body of the if statement is
+// executed only in rare situations where we need to fetch more data.
+// Since fetching may return an error, we also need to check the error.
+func (d *Decoder) consumeWhitespace(pos int) (newPos int, err error) {
+	for {
+		pos += consumeWhitespace(d.buf[pos:])
+		if d.needMore(pos) {
+			absPos := d.baseOffset + int64(pos)
+			err = d.fetch() // will mutate d.buf and invalidate pos
+			pos = int(absPos - d.baseOffset)
+			if err != nil {
+				return pos, err
+			}
+			continue
+		}
+		return pos, nil
+	}
+}
+
+// consumeValue consumes a single JSON value starting at d.buf[pos:].
+// It returns the new position in d.buf immediately after the value.
+func (d *Decoder) consumeValue(flags *valueFlags, pos int) (newPos int, err error) {
+	for {
+		var n int
+		var err error
+		switch next := Kind(d.buf[pos]).normalize(); next {
+		case 'n':
+			if n = consumeNull(d.buf[pos:]); n == 0 {
+				n, err = consumeLiteral(d.buf[pos:], "null")
+			}
+		case 'f':
+			if n = consumeFalse(d.buf[pos:]); n == 0 {
+				n, err = consumeLiteral(d.buf[pos:], "false")
+			}
+		case 't':
+			if n = consumeTrue(d.buf[pos:]); n == 0 {
+				n, err = consumeLiteral(d.buf[pos:], "true")
+			}
+		case '"':
+			if n = consumeSimpleString(d.buf[pos:]); n == 0 {
+				return d.consumeString(flags, pos)
+			}
+		case '0':
+			// NOTE: Since JSON numbers are not self-terminating,
+			// we need to make sure that the next byte is not part of a number.
+			if n = consumeSimpleNumber(d.buf[pos:]); n == 0 || d.needMore(pos+n) {
+				return d.consumeNumber(pos)
+			}
+		case '{':
+			return d.consumeObject(flags, pos)
+		case '[':
+			return d.consumeArray(flags, pos)
+		default:
+			return pos, newInvalidCharacterError(d.buf[pos:], "at start of value")
+		}
+		if err == io.ErrUnexpectedEOF {
+			absPos := d.baseOffset + int64(pos)
+			err = d.fetch() // will mutate d.buf and invalidate pos
+			pos = int(absPos - d.baseOffset)
+			if err != nil {
+				return pos, err
+			}
+			continue
+		}
+		return pos + n, err
+	}
+}
+
+// consumeLiteral consumes a single JSON literal starting at d.buf[pos:].
+// It returns the new position in d.buf immediately after the literal.
+func (d *Decoder) consumeLiteral(pos int, lit string) (newPos int, err error) {
+	for {
+		n, err := consumeLiteral(d.buf[pos:], lit)
+		if err == io.ErrUnexpectedEOF {
+			absPos := d.baseOffset + int64(pos)
+			err = d.fetch() // will mutate d.buf and invalidate pos
+			pos = int(absPos - d.baseOffset)
+			if err != nil {
+				return pos, err
+			}
+			continue
+		}
+		return pos + n, err
+	}
+}
+
+// consumeString consumes a single JSON string starting at d.buf[pos:].
+// It returns the new position in d.buf immediately after the string.
+func (d *Decoder) consumeString(flags *valueFlags, pos int) (newPos int, err error) {
+	var n int
+	for {
+		n, err = consumeStringResumable(flags, d.buf[pos:], n, !d.options.AllowInvalidUTF8)
+		if err == io.ErrUnexpectedEOF {
+			absPos := d.baseOffset + int64(pos)
+			err = d.fetch() // will mutate d.buf and invalidate pos
+			pos = int(absPos - d.baseOffset)
+			if err != nil {
+				return pos, err
+			}
+			continue
+		}
+		return pos + n, err
+	}
+}
+
+// consumeNumber consumes a single JSON number starting at d.buf[pos:].
+// It returns the new position in d.buf immediately after the number.
+func (d *Decoder) consumeNumber(pos int) (newPos int, err error) {
+	var n int
+	var state consumeNumberState
+	for {
+		n, state, err = consumeNumberResumable(d.buf[pos:], n, state)
+		// NOTE: Since JSON numbers are not self-terminating,
+		// we need to make sure that the next byte is not part of a number.
+		if err == io.ErrUnexpectedEOF || d.needMore(pos+n) {
+			mayTerminate := err == nil
+			absPos := d.baseOffset + int64(pos)
+			err = d.fetch() // will mutate d.buf and invalidate pos
+			pos = int(absPos - d.baseOffset)
+			if err != nil {
+				if mayTerminate && err == io.ErrUnexpectedEOF {
+					return pos + n, nil
+				}
+				return pos, err
+			}
+			continue
+		}
+		return pos + n, err
+	}
+}
+
+// consumeObject consumes a single JSON object starting at d.buf[pos:].
+// It returns the new position in d.buf immediately after the object.
+func (d *Decoder) consumeObject(flags *valueFlags, pos int) (newPos int, err error) {
+	var n int
+	var names *objectNamespace
+	if !d.options.AllowDuplicateNames {
+		d.namespaces.push()
+		defer d.namespaces.pop()
+		names = d.namespaces.last()
+	}
+
+	// Handle before start.
+	if d.buf[pos] != '{' {
+		panic("BUG: consumeObject must be called with a buffer that starts with '{'")
+	}
+	pos++
+
+	// Handle after start.
+	pos += consumeWhitespace(d.buf[pos:])
+	if d.needMore(pos) {
+		if pos, err = d.consumeWhitespace(pos); err != nil {
+			return pos, err
+		}
+	}
+	if d.buf[pos] == '}' {
+		pos++
+		return pos, nil
+	}
+
+	for {
+		// Handle before name.
+		pos += consumeWhitespace(d.buf[pos:])
+		if d.needMore(pos) {
+			if pos, err = d.consumeWhitespace(pos); err != nil {
+				return pos, err
+			}
+		}
+		var flags2 valueFlags
+		if n = consumeSimpleString(d.buf[pos:]); n == 0 {
+			oldAbsPos := d.baseOffset + int64(pos)
+			pos, err = d.consumeString(&flags2, pos)
+			newAbsPos := d.baseOffset + int64(pos)
+			n = int(newAbsPos - oldAbsPos)
+			flags.set(flags2)
+			if err != nil {
+				return pos, err
+			}
+		} else {
+			pos += n
+		}
+		if !d.options.AllowDuplicateNames && !names.insertQuoted(d.buf[pos-n:pos], flags2.isVerbatim()) {
+			return pos - n, &SyntacticError{str: "duplicate name " + string(d.buf[pos-n:pos]) + " in object"}
+		}
+
+		// Handle after name.
+		pos += consumeWhitespace(d.buf[pos:])
+		if d.needMore(pos) {
+			if pos, err = d.consumeWhitespace(pos); err != nil {
+				return pos, err
+			}
+		}
+		if d.buf[pos] != ':' {
+			return pos, newInvalidCharacterError(d.buf[pos:], "after object name (expecting ':')")
+		}
+		pos++
+
+		// Handle before value.
+		pos += consumeWhitespace(d.buf[pos:])
+		if d.needMore(pos) {
+			if pos, err = d.consumeWhitespace(pos); err != nil {
+				return pos, err
+			}
+		}
+		pos, err = d.consumeValue(flags, pos)
+		if err != nil {
+			return pos, err
+		}
+
+		// Handle after value.
+		pos += consumeWhitespace(d.buf[pos:])
+		if d.needMore(pos) {
+			if pos, err = d.consumeWhitespace(pos); err != nil {
+				return pos, err
+			}
+		}
+		switch d.buf[pos] {
+		case ',':
+			pos++
+			continue
+		case '}':
+			pos++
+			return pos, nil
+		default:
+			return pos, newInvalidCharacterError(d.buf[pos:], "after object value (expecting ',' or '}')")
+		}
+	}
+}
+
+// consumeArray consumes a single JSON array starting at d.buf[pos:].
+// It returns the new position in d.buf immediately after the array.
+func (d *Decoder) consumeArray(flags *valueFlags, pos int) (newPos int, err error) {
+	// Handle before start.
+	if d.buf[pos] != '[' {
+		panic("BUG: consumeArray must be called with a buffer that starts with '['")
+	}
+	pos++
+
+	// Handle after start.
+	pos += consumeWhitespace(d.buf[pos:])
+	if d.needMore(pos) {
+		if pos, err = d.consumeWhitespace(pos); err != nil {
+			return pos, err
+		}
+	}
+	if d.buf[pos] == ']' {
+		pos++
+		return pos, nil
+	}
+
+	for {
+		// Handle before value.
+		pos += consumeWhitespace(d.buf[pos:])
+		if d.needMore(pos) {
+			if pos, err = d.consumeWhitespace(pos); err != nil {
+				return pos, err
+			}
+		}
+		pos, err = d.consumeValue(flags, pos)
+		if err != nil {
+			return pos, err
+		}
+
+		// Handle after value.
+		pos += consumeWhitespace(d.buf[pos:])
+		if d.needMore(pos) {
+			if pos, err = d.consumeWhitespace(pos); err != nil {
+				return pos, err
+			}
+		}
+		switch d.buf[pos] {
+		case ',':
+			pos++
+			continue
+		case ']':
+			pos++
+			return pos, nil
+		default:
+			return pos, newInvalidCharacterError(d.buf[pos:], "after array value (expecting ',' or ']')")
+		}
+	}
+}
+
+// InputOffset returns the current input byte offset. It gives the location
+// of the next byte immediately after the most recently returned token or value.
+// The number of bytes actually read from the underlying io.Reader may be more
+// than this offset due to internal buffering effects.
+func (d *Decoder) InputOffset() int64 {
+	return d.previousOffsetEnd()
+}
+
+// UnreadBuffer returns the data remaining in the unread buffer,
+// which may contain zero or more bytes.
+// The returned buffer must not be mutated while Decoder continues to be used.
+// The buffer contents are valid until the next Peek or Read call.
+func (d *Decoder) UnreadBuffer() []byte {
+	return d.unreadBuffer()
+}
+
+// StackDepth returns the depth of the state machine for read JSON data.
+// Each level on the stack represents a nested JSON object or array.
+// It is incremented whenever an ObjectStart or ArrayStart token is encountered
+// and decremented whenever an ObjectEnd or ArrayEnd token is encountered.
+// The depth is zero-indexed, where zero represents the top-level JSON value.
+func (d *Decoder) StackDepth() int {
+	// NOTE: Keep in sync with Encoder.StackDepth.
+	return d.tokens.depth() - 1
+}
+
+// StackIndex returns information about the specified stack level.
+// It must be a number between 0 and StackDepth, inclusive.
+// For each level, it reports the kind:
+//
+//   - 0 for a level of zero,
+//   - '{' for a level representing a JSON object, and
+//   - '[' for a level representing a JSON array.
+//
+// It also reports the length of that JSON object or array.
+// Each name and value in a JSON object is counted separately,
+// so the effective number of members would be half the length.
+// A complete JSON object must have an even length.
+func (d *Decoder) StackIndex(i int) (Kind, int) {
+	// NOTE: Keep in sync with Encoder.StackIndex.
+	switch s := d.tokens.index(i); {
+	case i > 0 && s.isObject():
+		return '{', s.length()
+	case i > 0 && s.isArray():
+		return '[', s.length()
+	default:
+		return 0, s.length()
+	}
+}
+
+// StackPointer returns a JSON Pointer (RFC 6901) to the most recently read value.
+// Object names are only present if AllowDuplicateNames is false, otherwise
+// object members are represented using their index within the object.
+func (d *Decoder) StackPointer() string {
+	d.names.copyQuotedBuffer(d.buf)
+	return string(d.appendStackPointer(nil))
+}
+
+// consumeWhitespace consumes leading JSON whitespace per RFC 7159, section 2.
+func consumeWhitespace(b []byte) (n int) {
+	// NOTE: The arguments and logic are kept simple to keep this inlineable.
+	for len(b) > n && (b[n] == ' ' || b[n] == '\t' || b[n] == '\r' || b[n] == '\n') {
+		n++
+	}
+	return n
+}
+
+// consumeNull consumes the next JSON null literal per RFC 7159, section 3.
+// It returns 0 if it is invalid, in which case consumeLiteral should be used.
+func consumeNull(b []byte) int {
+	// NOTE: The arguments and logic are kept simple to keep this inlineable.
+	const literal = "null"
+	if len(b) >= len(literal) && string(b[:len(literal)]) == literal {
+		return len(literal)
+	}
+	return 0
+}
+
+// consumeFalse consumes the next JSON false literal per RFC 7159, section 3.
+// It returns 0 if it is invalid, in which case consumeLiteral should be used.
+func consumeFalse(b []byte) int {
+	// NOTE: The arguments and logic are kept simple to keep this inlineable.
+	const literal = "false"
+	if len(b) >= len(literal) && string(b[:len(literal)]) == literal {
+		return len(literal)
+	}
+	return 0
+}
+
+// consumeTrue consumes the next JSON true literal per RFC 7159, section 3.
+// It returns 0 if it is invalid, in which case consumeLiteral should be used.
+func consumeTrue(b []byte) int {
+	// NOTE: The arguments and logic are kept simple to keep this inlineable.
+	const literal = "true"
+	if len(b) >= len(literal) && string(b[:len(literal)]) == literal {
+		return len(literal)
+	}
+	return 0
+}
+
+// consumeLiteral consumes the next JSON literal per RFC 7159, section 3.
+// If the input appears truncated, it returns io.ErrUnexpectedEOF.
+func consumeLiteral(b []byte, lit string) (n int, err error) {
+	for i := 0; i < len(b) && i < len(lit); i++ {
+		if b[i] != lit[i] {
+			return i, newInvalidCharacterError(b[i:], "within literal "+lit+" (expecting "+strconv.QuoteRune(rune(lit[i]))+")")
+		}
+	}
+	if len(b) < len(lit) {
+		return len(b), io.ErrUnexpectedEOF
+	}
+	return len(lit), nil
+}
+
+// consumeSimpleString consumes the next JSON string per RFC 7159, section 7
+// but is limited to the grammar for an ASCII string without escape sequences.
+// It returns 0 if it is invalid or more complicated than a simple string,
+// in which case consumeString should be called.
+func consumeSimpleString(b []byte) (n int) {
+	// NOTE: The arguments and logic are kept simple to keep this inlineable.
+	if len(b) > 0 && b[0] == '"' {
+		n++
+		for len(b) > n && (' ' <= b[n] && b[n] != '\\' && b[n] != '"' && b[n] < utf8.RuneSelf) {
+			n++
+		}
+		if len(b) > n && b[n] == '"' {
+			n++
+			return n
+		}
+	}
+	return 0
+}
+
+// consumeString consumes the next JSON string per RFC 7159, section 7.
+// If validateUTF8 is false, then this allows the presence of invalid UTF-8
+// characters within the string itself.
+// It reports the number of bytes consumed and whether an error was encountered.
+// If the input appears truncated, it returns io.ErrUnexpectedEOF.
+func consumeString(flags *valueFlags, b []byte, validateUTF8 bool) (n int, err error) {
+	return consumeStringResumable(flags, b, 0, validateUTF8)
+}
+
+// consumeStringResumable is identical to consumeString but supports resuming
+// from a previous call that returned io.ErrUnexpectedEOF.
+func consumeStringResumable(flags *valueFlags, b []byte, resumeOffset int, validateUTF8 bool) (n int, err error) {
+	// Consume the leading double quote.
+	switch {
+	case resumeOffset > 0:
+		n = resumeOffset // already handled the leading quote
+	case uint(len(b)) == 0:
+		return n, io.ErrUnexpectedEOF
+	case b[0] == '"':
+		n++
+	default:
+		return n, newInvalidCharacterError(b[n:], `at start of string (expecting '"')`)
+	}
+
+	// Consume every character in the string.
+	for uint(len(b)) > uint(n) {
+		// Optimize for long sequences of unescaped characters.
+		noEscape := func(c byte) bool {
+			return c < utf8.RuneSelf && ' ' <= c && c != '\\' && c != '"'
+		}
+		for uint(len(b)) > uint(n) && noEscape(b[n]) {
+			n++
+		}
+		if uint(len(b)) <= uint(n) {
+			return n, io.ErrUnexpectedEOF
+		}
+
+		// Check for terminating double quote.
+		if b[n] == '"' {
+			n++
+			return n, nil
+		}
+
+		switch r, rn := utf8.DecodeRune(b[n:]); {
+		// Handle UTF-8 encoded byte sequence.
+		// Due to specialized handling of ASCII above, we know that
+		// all normal sequences at this point must be 2 bytes or larger.
+		case rn > 1:
+			n += rn
+		// Handle escape sequence.
+		case r == '\\':
+			flags.set(stringNonVerbatim)
+			resumeOffset = n
+			if uint(len(b)) < uint(n+2) {
+				return resumeOffset, io.ErrUnexpectedEOF
+			}
+			switch r := b[n+1]; r {
+			case '/':
+				// Forward slash is the only character with 3 representations.
+				// Per RFC 8785, section 3.2.2.2., this must not be escaped.
+				flags.set(stringNonCanonical)
+				n += 2
+			case '"', '\\', 'b', 'f', 'n', 'r', 't':
+				n += 2
+			case 'u':
+				if uint(len(b)) < uint(n+6) {
+					if !hasEscapeSequencePrefix(b[n:]) {
+						flags.set(stringNonCanonical)
+						return n, &SyntacticError{str: "invalid escape sequence " + strconv.Quote(string(b[n:])) + " within string"}
+					}
+					return resumeOffset, io.ErrUnexpectedEOF
+				}
+				v1, ok := parseHexUint16(b[n+2 : n+6])
+				if !ok {
+					flags.set(stringNonCanonical)
+					return n, &SyntacticError{str: "invalid escape sequence " + strconv.Quote(string(b[n:n+6])) + " within string"}
+				}
+				// Only certain control characters can use the \uFFFF notation
+				// for canonical formating (per RFC 8785, section 3.2.2.2.).
+				switch v1 {
+				// \uFFFF notation not permitted for these characters.
+				case '\b', '\f', '\n', '\r', '\t':
+					flags.set(stringNonCanonical)
+				default:
+					// \uFFFF notation only permitted for control characters.
+					if v1 >= ' ' {
+						flags.set(stringNonCanonical)
+					} else {
+						// \uFFFF notation must be lower case.
+						for _, c := range b[n+2 : n+6] {
+							if 'A' <= c && c <= 'F' {
+								flags.set(stringNonCanonical)
+							}
+						}
+					}
+				}
+				n += 6
+
+				if validateUTF8 && utf16.IsSurrogate(rune(v1)) {
+					if uint(len(b)) >= uint(n+2) && (b[n] != '\\' || b[n+1] != 'u') {
+						return n, &SyntacticError{str: "invalid unpaired surrogate half within string"}
+					}
+					if uint(len(b)) < uint(n+6) {
+						if !hasEscapeSequencePrefix(b[n:]) {
+							flags.set(stringNonCanonical)
+							return n, &SyntacticError{str: "invalid escape sequence " + strconv.Quote(string(b[n:])) + " within string"}
+						}
+						return resumeOffset, io.ErrUnexpectedEOF
+					}
+					v2, ok := parseHexUint16(b[n+2 : n+6])
+					if !ok {
+						return n, &SyntacticError{str: "invalid escape sequence " + strconv.Quote(string(b[n:n+6])) + " within string"}
+					}
+					if utf16.DecodeRune(rune(v1), rune(v2)) == utf8.RuneError {
+						return n, &SyntacticError{str: "invalid surrogate pair in string"}
+					}
+					n += 6
+				}
+			default:
+				flags.set(stringNonCanonical)
+				return n, &SyntacticError{str: "invalid escape sequence " + strconv.Quote(string(b[n:n+2])) + " within string"}
+			}
+		// Handle invalid UTF-8.
+		case r == utf8.RuneError:
+			if !utf8.FullRune(b[n:]) {
+				return n, io.ErrUnexpectedEOF
+			}
+			flags.set(stringNonVerbatim | stringNonCanonical)
+			if validateUTF8 {
+				return n, &SyntacticError{str: "invalid UTF-8 within string"}
+			}
+			n++
+		// Handle invalid control characters.
+		case r < ' ':
+			flags.set(stringNonVerbatim | stringNonCanonical)
+			return n, newInvalidCharacterError(b[n:], "within string (expecting non-control character)")
+		default:
+			panic("BUG: unhandled character " + quoteRune(b[n:]))
+		}
+	}
+	return n, io.ErrUnexpectedEOF
+}
+
+// hasEscapeSequencePrefix reports whether b is possibly
+// the truncated prefix of a \uFFFF escape sequence.
+func hasEscapeSequencePrefix(b []byte) bool {
+	for i, c := range b {
+		switch {
+		case i == 0 && c != '\\':
+			return false
+		case i == 1 && c != 'u':
+			return false
+		case i >= 2 && i < 6 && !('0' <= c && c <= '9') && !('a' <= c && c <= 'f') && !('A' <= c && c <= 'F'):
+			return false
+		}
+	}
+	return true
+}
+
+// unescapeString appends the unescaped form of a JSON string in src to dst.
+// Any invalid UTF-8 within the string will be replaced with utf8.RuneError.
+// The input must be an entire JSON string with no surrounding whitespace.
+func unescapeString(dst, src []byte) (v []byte, ok bool) {
+	// Consume leading double quote.
+	if uint(len(src)) == 0 || src[0] != '"' {
+		return dst, false
+	}
+	i, n := 1, 1
+
+	// Consume every character until completion.
+	for uint(len(src)) > uint(n) {
+		// Optimize for long sequences of unescaped characters.
+		noEscape := func(c byte) bool {
+			return c < utf8.RuneSelf && ' ' <= c && c != '\\' && c != '"'
+		}
+		for uint(len(src)) > uint(n) && noEscape(src[n]) {
+			n++
+		}
+		if uint(len(src)) <= uint(n) {
+			break
+		}
+
+		// Check for terminating double quote.
+		if src[n] == '"' {
+			dst = append(dst, src[i:n]...)
+			n++
+			return dst, len(src) == n
+		}
+
+		switch r, rn := utf8.DecodeRune(src[n:]); {
+		// Handle UTF-8 encoded byte sequence.
+		// Due to specialized handling of ASCII above, we know that
+		// all normal sequences at this point must be 2 bytes or larger.
+		case rn > 1:
+			n += rn
+		// Handle escape sequence.
+		case r == '\\':
+			dst = append(dst, src[i:n]...)
+			if r < ' ' {
+				return dst, false // invalid control character or unescaped quote
+			}
+
+			// Handle escape sequence.
+			if uint(len(src)) < uint(n+2) {
+				return dst, false // truncated escape sequence
+			}
+			switch r := src[n+1]; r {
+			case '"', '\\', '/':
+				dst = append(dst, r)
+				n += 2
+			case 'b':
+				dst = append(dst, '\b')
+				n += 2
+			case 'f':
+				dst = append(dst, '\f')
+				n += 2
+			case 'n':
+				dst = append(dst, '\n')
+				n += 2
+			case 'r':
+				dst = append(dst, '\r')
+				n += 2
+			case 't':
+				dst = append(dst, '\t')
+				n += 2
+			case 'u':
+				if uint(len(src)) < uint(n+6) {
+					return dst, false // truncated escape sequence
+				}
+				v1, ok := parseHexUint16(src[n+2 : n+6])
+				if !ok {
+					return dst, false // invalid escape sequence
+				}
+				n += 6
+
+				// Check whether this is a surrogate half.
+				r := rune(v1)
+				if utf16.IsSurrogate(r) {
+					r = utf8.RuneError // assume failure unless the following succeeds
+					if uint(len(src)) >= uint(n+6) && src[n+0] == '\\' && src[n+1] == 'u' {
+						if v2, ok := parseHexUint16(src[n+2 : n+6]); ok {
+							if r = utf16.DecodeRune(rune(v1), rune(v2)); r != utf8.RuneError {
+								n += 6
+							}
+						}
+					}
+				}
+
+				dst = utf8.AppendRune(dst, r)
+			default:
+				return dst, false // invalid escape sequence
+			}
+			i = n
+		// Handle invalid UTF-8.
+		case r == utf8.RuneError:
+			// NOTE: An unescaped string may be longer than the escaped string
+			// because invalid UTF-8 bytes are being replaced.
+			dst = append(dst, src[i:n]...)
+			dst = append(dst, "\uFFFD"...)
+			n += rn
+			i = n
+		// Handle invalid control characters.
+		case r < ' ':
+			dst = append(dst, src[i:n]...)
+			return dst, false // invalid control character or unescaped quote
+		default:
+			panic("BUG: unhandled character " + quoteRune(src[n:]))
+		}
+	}
+	dst = append(dst, src[i:n]...)
+	return dst, false // truncated input
+}
+
+// unescapeStringMayCopy returns the unescaped form of b.
+// If there are no escaped characters, the output is simply a subslice of
+// the input with the surrounding quotes removed.
+// Otherwise, a new buffer is allocated for the output.
+func unescapeStringMayCopy(b []byte, isVerbatim bool) []byte {
+	// NOTE: The arguments and logic are kept simple to keep this inlineable.
+	if isVerbatim {
+		return b[len(`"`) : len(b)-len(`"`)]
+	}
+	b, _ = unescapeString(make([]byte, 0, len(b)), b)
+	return b
+}
+
+// consumeSimpleNumber consumes the next JSON number per RFC 7159, section 6
+// but is limited to the grammar for a positive integer.
+// It returns 0 if it is invalid or more complicated than a simple integer,
+// in which case consumeNumber should be called.
+func consumeSimpleNumber(b []byte) (n int) {
+	// NOTE: The arguments and logic are kept simple to keep this inlineable.
+	if len(b) > 0 {
+		if b[0] == '0' {
+			n++
+		} else if '1' <= b[0] && b[0] <= '9' {
+			n++
+			for len(b) > n && ('0' <= b[n] && b[n] <= '9') {
+				n++
+			}
+		} else {
+			return 0
+		}
+		if len(b) == n || !(b[n] == '.' || b[n] == 'e' || b[n] == 'E') {
+			return n
+		}
+	}
+	return 0
+}
+
+type consumeNumberState uint
+
+const (
+	consumeNumberInit consumeNumberState = iota
+	beforeIntegerDigits
+	withinIntegerDigits
+	beforeFractionalDigits
+	withinFractionalDigits
+	beforeExponentDigits
+	withinExponentDigits
+)
+
+// consumeNumber consumes the next JSON number per RFC 7159, section 6.
+// It reports the number of bytes consumed and whether an error was encountered.
+// If the input appears truncated, it returns io.ErrUnexpectedEOF.
+//
+// Note that JSON numbers are not self-terminating.
+// If the entire input is consumed, then the caller needs to consider whether
+// there may be subsequent unread data that may still be part of this number.
+func consumeNumber(b []byte) (n int, err error) {
+	n, _, err = consumeNumberResumable(b, 0, consumeNumberInit)
+	return n, err
+}
+
+// consumeNumberResumable is identical to consumeNumber but supports resuming
+// from a previous call that returned io.ErrUnexpectedEOF.
+func consumeNumberResumable(b []byte, resumeOffset int, state consumeNumberState) (n int, _ consumeNumberState, err error) {
+	// Jump to the right state when resuming from a partial consumption.
+	n = resumeOffset
+	if state > consumeNumberInit {
+		switch state {
+		case withinIntegerDigits, withinFractionalDigits, withinExponentDigits:
+			// Consume leading digits.
+			for len(b) > n && ('0' <= b[n] && b[n] <= '9') {
+				n++
+			}
+			if len(b) == n {
+				return n, state, nil // still within the same state
+			}
+			state++ // switches "withinX" to "beforeY" where Y is the state after X
+		}
+		switch state {
+		case beforeIntegerDigits:
+			goto beforeInteger
+		case beforeFractionalDigits:
+			goto beforeFractional
+		case beforeExponentDigits:
+			goto beforeExponent
+		default:
+			return n, state, nil
+		}
+	}
+
+	// Consume required integer component (with optional minus sign).
+beforeInteger:
+	resumeOffset = n
+	if len(b) > 0 && b[0] == '-' {
+		n++
+	}
+	switch {
+	case len(b) == n:
+		return resumeOffset, beforeIntegerDigits, io.ErrUnexpectedEOF
+	case b[n] == '0':
+		n++
+		state = beforeFractionalDigits
+	case '1' <= b[n] && b[n] <= '9':
+		n++
+		for len(b) > n && ('0' <= b[n] && b[n] <= '9') {
+			n++
+		}
+		state = withinIntegerDigits
+	default:
+		return n, state, newInvalidCharacterError(b[n:], "within number (expecting digit)")
+	}
+
+	// Consume optional fractional component.
+beforeFractional:
+	if len(b) > n && b[n] == '.' {
+		resumeOffset = n
+		n++
+		switch {
+		case len(b) == n:
+			return resumeOffset, beforeFractionalDigits, io.ErrUnexpectedEOF
+		case '0' <= b[n] && b[n] <= '9':
+			n++
+		default:
+			return n, state, newInvalidCharacterError(b[n:], "within number (expecting digit)")
+		}
+		for len(b) > n && ('0' <= b[n] && b[n] <= '9') {
+			n++
+		}
+		state = withinFractionalDigits
+	}
+
+	// Consume optional exponent component.
+beforeExponent:
+	if len(b) > n && (b[n] == 'e' || b[n] == 'E') {
+		resumeOffset = n
+		n++
+		if len(b) > n && (b[n] == '-' || b[n] == '+') {
+			n++
+		}
+		switch {
+		case len(b) == n:
+			return resumeOffset, beforeExponentDigits, io.ErrUnexpectedEOF
+		case '0' <= b[n] && b[n] <= '9':
+			n++
+		default:
+			return n, state, newInvalidCharacterError(b[n:], "within number (expecting digit)")
+		}
+		for len(b) > n && ('0' <= b[n] && b[n] <= '9') {
+			n++
+		}
+		state = withinExponentDigits
+	}
+
+	return n, state, nil
+}
+
+// parseHexUint16 is similar to strconv.ParseUint,
+// but operates directly on []byte and is optimized for base-16.
+// See https://go.dev/issue/42429.
+func parseHexUint16(b []byte) (v uint16, ok bool) {
+	if len(b) != 4 {
+		return 0, false
+	}
+	for _, c := range b[:4] {
+		switch {
+		case '0' <= c && c <= '9':
+			c = c - '0'
+		case 'a' <= c && c <= 'f':
+			c = 10 + c - 'a'
+		case 'A' <= c && c <= 'F':
+			c = 10 + c - 'A'
+		default:
+			return 0, false
+		}
+		v = v*16 + uint16(c)
+	}
+	return v, true
+}
+
+// parseDecUint is similar to strconv.ParseUint,
+// but operates directly on []byte and is optimized for base-10.
+// If the number is syntactically valid but overflows uint64,
+// then it returns (math.MaxUint64, false).
+// See https://go.dev/issue/42429.
+func parseDecUint(b []byte) (v uint64, ok bool) {
+	// Overflow logic is based on strconv/atoi.go:138-149 from Go1.15, where:
+	//   - cutoff is equal to math.MaxUint64/10+1, and
+	//   - the n1 > maxVal check is unnecessary
+	//     since maxVal is equivalent to math.MaxUint64.
+	var n int
+	var overflow bool
+	for len(b) > n && ('0' <= b[n] && b[n] <= '9') {
+		overflow = overflow || v >= math.MaxUint64/10+1
+		v *= 10
+
+		v1 := v + uint64(b[n]-'0')
+		overflow = overflow || v1 < v
+		v = v1
+
+		n++
+	}
+	if n == 0 || len(b) != n {
+		return 0, false
+	}
+	if overflow {
+		return math.MaxUint64, false
+	}
+	return v, true
+}
+
+// parseFloat parses a floating point number according to the Go float grammar.
+// Note that the JSON number grammar is a strict subset.
+//
+// If the number overflows the finite representation of a float,
+// then we return MaxFloat since any finite value will always be infinitely
+// more accurate at representing another finite value than an infinite value.
+func parseFloat(b []byte, bits int) (v float64, ok bool) {
+	// Fast path for exact integer numbers which fit in the
+	// 24-bit or 53-bit significand of a float32 or float64.
+	var negLen int // either 0 or 1
+	if len(b) > 0 && b[0] == '-' {
+		negLen = 1
+	}
+	u, ok := parseDecUint(b[negLen:])
+	if ok && ((bits == 32 && u <= 1<<24) || (bits == 64 && u <= 1<<53)) {
+		return math.Copysign(float64(u), float64(-1*negLen)), true
+	}
+
+	// Note that the []byte->string conversion unfortunately allocates.
+	// See https://go.dev/issue/42429 for more information.
+	fv, err := strconv.ParseFloat(string(b), bits)
+	if math.IsInf(fv, 0) {
+		switch {
+		case bits == 32 && math.IsInf(fv, +1):
+			return +math.MaxFloat32, true
+		case bits == 64 && math.IsInf(fv, +1):
+			return +math.MaxFloat64, true
+		case bits == 32 && math.IsInf(fv, -1):
+			return -math.MaxFloat32, true
+		case bits == 64 && math.IsInf(fv, -1):
+			return -math.MaxFloat64, true
+		}
+	}
+	return fv, err == nil
+}
diff --git a/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/doc.go b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/doc.go
new file mode 100644
index 000000000..ba4af4b7b
--- /dev/null
+++ b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/doc.go
@@ -0,0 +1,185 @@
+// Copyright 2020 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package json implements serialization of JSON
+// as specified in RFC 4627, RFC 7159, RFC 7493, RFC 8259, and RFC 8785.
+// JSON is a simple data interchange format that can represent
+// primitive data types such as booleans, strings, and numbers,
+// in addition to structured data types such as objects and arrays.
+//
+//
+// Terminology
+//
+// This package uses the terms "encode" and "decode" for syntactic functionality
+// that is concerned with processing JSON based on its grammar, and
+// uses the terms "marshal" and "unmarshal" for semantic functionality
+// that determines the meaning of JSON values as Go values and vice-versa.
+// It aims to provide a clear distinction between functionality that
+// is purely concerned with encoding versus that of marshaling.
+// For example, one can directly encode a stream of JSON tokens without
+// needing to marshal a concrete Go value representing them.
+// Similarly, one can decode a stream of JSON tokens without
+// needing to unmarshal them into a concrete Go value.
+//
+// This package uses JSON terminology when discussing JSON, which may differ
+// from related concepts in Go or elsewhere in computing literature.
+//
+//   - A JSON "object" refers to an unordered collection of name/value members.
+//   - A JSON "array" refers to an ordered sequence of elements.
+//   - A JSON "value" refers to either a literal (i.e., null, false, or true),
+//     string, number, object, or array.
+//
+// See RFC 8259 for more information.
+//
+//
+// Specifications
+//
+// Relevant specifications include RFC 4627, RFC 7159, RFC 7493, RFC 8259,
+// and RFC 8785. Each RFC is generally a stricter subset of another RFC.
+// In increasing order of strictness:
+//
+//   - RFC 4627 and RFC 7159 do not require (but recommend) the use of UTF-8
+//     and also do not require (but recommend) that object names be unique.
+//   - RFC 8259 requires the use of UTF-8,
+//     but does not require (but recommends) that object names be unique.
+//   - RFC 7493 requires the use of UTF-8
+//     and also requires that object names be unique.
+//   - RFC 8785 defines a canonical representation. It requires the use of UTF-8
+//     and also requires that object names be unique and in a specific ordering.
+//     It specifies exactly how strings and numbers must be formatted.
+//
+// The primary difference between RFC 4627 and RFC 7159 is that the former
+// restricted top-level values to only JSON objects and arrays, while
+// RFC 7159 and subsequent RFCs permit top-level values to additionally be
+// JSON nulls, booleans, strings, or numbers.
+//
+// By default, this package operates on RFC 7493, but can be configured
+// to operate according to the other RFC specifications.
+// RFC 7493 is a stricter subset of RFC 8259 and fully compliant with it.
+// In particular, it makes specific choices about behavior that RFC 8259
+// leaves as undefined in order to ensure greater interoperability.
+//
+//
+// JSON Representation of Go structs
+//
+// A Go struct is naturally represented as a JSON object,
+// where each Go struct field corresponds with a JSON object member.
+// When marshaling, all Go struct fields are recursively encoded in depth-first
+// order as JSON object members except those that are ignored or omitted.
+// When unmarshaling, JSON object members are recursively decoded
+// into the corresponding Go struct fields.
+// Object members that do not match any struct fields,
+// also known as “unknown members”, are ignored by default or rejected
+// if UnmarshalOptions.RejectUnknownMembers is specified.
+//
+// The representation of each struct field can be customized in the
+// "json" struct field tag, where the tag is a comma separated list of options.
+// As a special case, if the entire tag is `json:"-"`,
+// then the field is ignored with regard to its JSON representation.
+//
+// The first option is the JSON object name override for the Go struct field.
+// If the name is not specified, then the Go struct field name
+// is used as the JSON object name. JSON names containing commas or quotes,
+// or names identical to "" or "-", can be specified using
+// a single-quoted string literal, where the syntax is identical to
+// the Go grammar for a double-quoted string literal,
+// but instead uses single quotes as the delimiters.
+// By default, unmarshaling uses case-sensitive matching to identify
+// the Go struct field associated with a JSON object name.
+//
+// After the name, the following tag options are supported:
+//
+//   - omitzero: When marshaling, the "omitzero" option specifies that
+//     the struct field should be omitted if the field value is zero
+//     as determined by the "IsZero() bool" method if present,
+//     otherwise based on whether the field is the zero Go value.
+//     This option has no effect when unmarshaling.
+//
+//   - omitempty: When marshaling, the "omitempty" option specifies that
+//     the struct field should be omitted if the field value would have been
+//     encoded as a JSON null, empty string, empty object, or empty array.
+//     This option has no effect when unmarshaling.
+//
+//   - string: The "string" option specifies that
+//     MarshalOptions.StringifyNumbers and UnmarshalOptions.StringifyNumbers
+//     be set when marshaling or unmarshaling a struct field value.
+//     This causes numeric types to be encoded as a JSON number
+//     within a JSON string, and to be decoded from either a JSON number or
+//     a JSON string containing a JSON number.
+//     This extra level of encoding is often necessary since
+//     many JSON parsers cannot precisely represent 64-bit integers.
+//
+//   - nocase: When unmarshaling, the "nocase" option specifies that
+//     if the JSON object name does not exactly match the JSON name
+//     for any of the struct fields, then it attempts to match the struct field
+//     using a case-insensitive match that also ignores dashes and underscores.
+//     If multiple fields match, the first declared field in breadth-first order
+//     takes precedence. This option has no effect when marshaling.
+//
+//   - inline: The "inline" option specifies that
+//     the JSON representable content of this field type is to be promoted
+//     as if they were specified in the parent struct.
+//     It is the JSON equivalent of Go struct embedding.
+//     A Go embedded field is implicitly inlined unless an explicit JSON name
+//     is specified. The inlined field must be a Go struct
+//     (that does not implement any JSON methods), RawValue, map[string]T,
+//     or an unnamed pointer to such types. When marshaling,
+//     inlined fields from a pointer type are omitted if it is nil.
+//     Inlined fields of type RawValue and map[string]T are called
+//     “inlined fallbacks” as they can represent all possible
+//     JSON object members not directly handled by the parent struct.
+//     Only one inlined fallback field may be specified in a struct,
+//     while many non-fallback fields may be specified. This option
+//     must not be specified with any other option (including the JSON name).
+//
+//   - unknown: The "unknown" option is a specialized variant
+//     of the inlined fallback to indicate that this Go struct field
+//     contains any number of unknown JSON object members. The field type
+//     must be a RawValue, map[string]T, or an unnamed pointer to such types.
+//     If MarshalOptions.DiscardUnknownMembers is specified when marshaling,
+//     the contents of this field are ignored.
+//     If UnmarshalOptions.RejectUnknownMembers is specified when unmarshaling,
+//     any unknown object members are rejected regardless of whether
+//     an inlined fallback with the "unknown" option exists. This option
+//     must not be specified with any other option (including the JSON name).
+//
+//   - format: The "format" option specifies a format flag
+//     used to specialize the formatting of the field value.
+//     The option is a key-value pair specified as "format:value" where
+//     the value must be either a literal consisting of letters and numbers
+//     (e.g., "format:RFC3339") or a single-quoted string literal
+//     (e.g., "format:'2006-01-02'"). The interpretation of the format flag
+//     is determined by the struct field type.
+//
+// The "omitzero" and "omitempty" options are mostly semantically identical.
+// The former is defined in terms of the Go type system,
+// while the latter in terms of the JSON type system.
+// Consequently they behave differently in some circumstances.
+// For example, only a nil slice or map is omitted under "omitzero", while
+// an empty slice or map is omitted under "omitempty" regardless of nilness.
+// The "omitzero" option is useful for types with a well-defined zero value
+// (e.g., netip.Addr) or have an IsZero method (e.g., time.Time).
+//
+// Every Go struct corresponds to a list of JSON representable fields
+// which is constructed by performing a breadth-first search over
+// all struct fields (excluding unexported or ignored fields),
+// where the search recursively descends into inlined structs.
+// The set of non-inlined fields in a struct must have unique JSON names.
+// If multiple fields all have the same JSON name, then the one
+// at shallowest depth takes precedence and the other fields at deeper depths
+// are excluded from the list of JSON representable fields.
+// If multiple fields at the shallowest depth have the same JSON name,
+// then all of those fields are excluded from the list. This is analogous to
+// Go visibility rules for struct field selection with embedded struct types.
+//
+// Marshaling or unmarshaling a non-empty struct
+// without any JSON representable fields results in a SemanticError.
+// Unexported fields must not have any `json` tags except for `json:"-"`.
+package json
+
+// requireKeyedLiterals can be embedded in a struct to require keyed literals.
+type requireKeyedLiterals struct{}
+
+// nonComparable can be embedded in a struct to prevent comparability.
+type nonComparable [0]func()
diff --git a/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/encode.go b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/encode.go
new file mode 100644
index 000000000..5f98a8409
--- /dev/null
+++ b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/encode.go
@@ -0,0 +1,1146 @@
+// Copyright 2020 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package json
+
+import (
+	"bytes"
+	"io"
+	"math"
+	"math/bits"
+	"strconv"
+	"unicode/utf16"
+	"unicode/utf8"
+)
+
+// EncodeOptions configures how JSON encoding operates.
+// The zero value is equivalent to the default settings,
+// which is compliant with both RFC 7493 and RFC 8259.
+type EncodeOptions struct {
+	requireKeyedLiterals
+	nonComparable
+
+	// multiline specifies whether the encoder should emit multiline output.
+	multiline bool
+
+	// omitTopLevelNewline specifies whether to omit the newline
+	// that is appended after every top-level JSON value when streaming.
+	omitTopLevelNewline bool
+
+	// AllowDuplicateNames specifies that JSON objects may contain
+	// duplicate member names. Disabling the duplicate name check may provide
+	// performance benefits, but breaks compliance with RFC 7493, section 2.3.
+	// The output will still be compliant with RFC 8259,
+	// which leaves the handling of duplicate names as unspecified behavior.
+	AllowDuplicateNames bool
+
+	// AllowInvalidUTF8 specifies that JSON strings may contain invalid UTF-8,
+	// which will be mangled as the Unicode replacement character, U+FFFD.
+	// This causes the encoder to break compliance with
+	// RFC 7493, section 2.1, and RFC 8259, section 8.1.
+	AllowInvalidUTF8 bool
+
+	// preserveRawStrings specifies that WriteToken and WriteValue should not
+	// reformat any JSON string, but keep the formatting verbatim.
+	preserveRawStrings bool
+
+	// canonicalizeNumbers specifies that WriteToken and WriteValue should
+	// reformat any JSON numbers according to RFC 8785, section 3.2.2.3.
+	canonicalizeNumbers bool
+
+	// EscapeRune reports whether the provided character should be escaped
+	// as a hexadecimal Unicode codepoint (e.g., \ufffd).
+	// If nil, the shortest and simplest encoding will be used,
+	// which is also the formatting specified by RFC 8785, section 3.2.2.2.
+	EscapeRune func(rune) bool
+
+	// Indent (if non-empty) specifies that the encoder should emit multiline
+	// output where each element in a JSON object or array begins on a new,
+	// indented line beginning with the indent prefix followed by one or more
+	// copies of indent according to the indentation nesting.
+	// It may only be composed of space or tab characters.
+	Indent string
+
+	// IndentPrefix is prepended to each line within a JSON object or array.
+	// The purpose of the indent prefix is to encode data that can more easily
+	// be embedded inside other formatted JSON data.
+	// It may only be composed of space or tab characters.
+	// It is ignored if Indent is empty.
+	IndentPrefix string
+}
+
+// Encoder is a streaming encoder from raw JSON tokens and values.
+// It is used to write a stream of top-level JSON values,
+// each terminated with a newline character.
+//
+// WriteToken and WriteValue calls may be interleaved.
+// For example, the following JSON value:
+//
+//	{"name":"value","array":[null,false,true,3.14159],"object":{"k":"v"}}
+//
+// can be composed with the following calls (ignoring errors for brevity):
+//
+//	e.WriteToken(ObjectStart)           // {
+//	e.WriteToken(String("name"))        // "name"
+//	e.WriteToken(String("value"))       // "value"
+//	e.WriteValue(RawValue(`"array"`))   // "array"
+//	e.WriteToken(ArrayStart)            // [
+//	e.WriteToken(Null)                  // null
+//	e.WriteToken(False)                 // false
+//	e.WriteValue(RawValue("true"))      // true
+//	e.WriteToken(Float(3.14159))        // 3.14159
+//	e.WriteToken(ArrayEnd)              // ]
+//	e.WriteValue(RawValue(`"object"`))  // "object"
+//	e.WriteValue(RawValue(`{"k":"v"}`)) // {"k":"v"}
+//	e.WriteToken(ObjectEnd)             // }
+//
+// The above is one of many possible sequence of calls and
+// may not represent the most sensible method to call for any given token/value.
+// For example, it is probably more common to call WriteToken with a string
+// for object names.
+type Encoder struct {
+	state
+	encodeBuffer
+	options EncodeOptions
+
+	seenPointers seenPointers // only used when marshaling
+}
+
+// encodeBuffer is a buffer split into 2 segments:
+//
+//   - buf[0:len(buf)]        // written (but unflushed) portion of the buffer
+//   - buf[len(buf):cap(buf)] // unused portion of the buffer
+type encodeBuffer struct {
+	buf []byte // may alias wr if it is a bytes.Buffer
+
+	// baseOffset is added to len(buf) to obtain the absolute offset
+	// relative to the start of io.Writer stream.
+	baseOffset int64
+
+	wr io.Writer
+
+	// maxValue is the approximate maximum RawValue size passed to WriteValue.
+	maxValue int
+	// unusedCache is the buffer returned by the UnusedBuffer method.
+	unusedCache []byte
+	// bufStats is statistics about buffer utilization.
+	// It is only used with pooled encoders in pools.go.
+	bufStats bufferStatistics
+}
+
+// NewEncoder constructs a new streaming encoder writing to w.
+func NewEncoder(w io.Writer) *Encoder {
+	return EncodeOptions{}.NewEncoder(w)
+}
+
+// NewEncoder constructs a new streaming encoder writing to w
+// configured with the provided options.
+// It flushes the internal buffer when the buffer is sufficiently full or
+// when a top-level value has been written.
+//
+// If w is a bytes.Buffer, then the encoder appends directly into the buffer
+// without copying the contents from an intermediate buffer.
+func (o EncodeOptions) NewEncoder(w io.Writer) *Encoder {
+	e := new(Encoder)
+	o.ResetEncoder(e, w)
+	return e
+}
+
+// ResetEncoder resets an encoder such that it is writing afresh to w and
+// configured with the provided options.
+func (o EncodeOptions) ResetEncoder(e *Encoder, w io.Writer) {
+	if e == nil {
+		panic("json: invalid nil Encoder")
+	}
+	if w == nil {
+		panic("json: invalid nil io.Writer")
+	}
+	e.reset(nil, w, o)
+}
+
+func (e *Encoder) reset(b []byte, w io.Writer, o EncodeOptions) {
+	if len(o.Indent) > 0 {
+		o.multiline = true
+		if s := trimLeftSpaceTab(o.IndentPrefix); len(s) > 0 {
+			panic("json: invalid character " + quoteRune([]byte(s)) + " in indent prefix")
+		}
+		if s := trimLeftSpaceTab(o.Indent); len(s) > 0 {
+			panic("json: invalid character " + quoteRune([]byte(s)) + " in indent")
+		}
+	}
+	e.state.reset()
+	e.encodeBuffer = encodeBuffer{buf: b, wr: w, bufStats: e.bufStats}
+	e.options = o
+	if bb, ok := w.(*bytes.Buffer); ok && bb != nil {
+		e.buf = bb.Bytes()[bb.Len():] // alias the unused buffer of bb
+	}
+}
+
+// Reset resets an encoder such that it is writing afresh to w but
+// keeps any pre-existing encoder options.
+func (e *Encoder) Reset(w io.Writer) {
+	e.options.ResetEncoder(e, w)
+}
+
+// needFlush determines whether to flush at this point.
+func (e *Encoder) needFlush() bool {
+	// NOTE: This function is carefully written to be inlineable.
+
+	// Avoid flushing if e.wr is nil since there is no underlying writer.
+	// Flush if less than 25% of the capacity remains.
+	// Flushing at some constant fraction ensures that the buffer stops growing
+	// so long as the largest Token or Value fits within that unused capacity.
+	return e.wr != nil && (e.tokens.depth() == 1 || len(e.buf) > 3*cap(e.buf)/4)
+}
+
+// flush flushes the buffer to the underlying io.Writer.
+// It may append a trailing newline after the top-level value.
+func (e *Encoder) flush() error {
+	if e.wr == nil || e.avoidFlush() {
+		return nil
+	}
+
+	// In streaming mode, always emit a newline after the top-level value.
+	if e.tokens.depth() == 1 && !e.options.omitTopLevelNewline {
+		e.buf = append(e.buf, '\n')
+	}
+
+	// Inform objectNameStack that we are about to flush the buffer content.
+	e.names.copyQuotedBuffer(e.buf)
+
+	// Specialize bytes.Buffer for better performance.
+	if bb, ok := e.wr.(*bytes.Buffer); ok {
+		// If e.buf already aliases the internal buffer of bb,
+		// then the Write call simply increments the internal offset,
+		// otherwise Write operates as expected.
+		// See https://go.dev/issue/42986.
+		n, _ := bb.Write(e.buf) // never fails unless bb is nil
+		e.baseOffset += int64(n)
+
+		// If the internal buffer of bytes.Buffer is too small,
+		// append operations elsewhere in the Encoder may grow the buffer.
+		// This would be semantically correct, but hurts performance.
+		// As such, ensure 25% of the current length is always available
+		// to reduce the probability that other appends must allocate.
+		if avail := bb.Cap() - bb.Len(); avail < bb.Len()/4 {
+			bb.Grow(avail + 1)
+		}
+
+		e.buf = bb.Bytes()[bb.Len():] // alias the unused buffer of bb
+		return nil
+	}
+
+	// Flush the internal buffer to the underlying io.Writer.
+	n, err := e.wr.Write(e.buf)
+	e.baseOffset += int64(n)
+	if err != nil {
+		// In the event of an error, preserve the unflushed portion.
+		// Thus, write errors aren't fatal so long as the io.Writer
+		// maintains consistent state after errors.
+		if n > 0 {
+			e.buf = e.buf[:copy(e.buf, e.buf[n:])]
+		}
+		return &ioError{action: "write", err: err}
+	}
+	e.buf = e.buf[:0]
+
+	// Check whether to grow the buffer.
+	// Note that cap(e.buf) may already exceed maxBufferSize since
+	// an append elsewhere already grew it to store a large token.
+	const maxBufferSize = 4 << 10
+	const growthSizeFactor = 2 // higher value is faster
+	const growthRateFactor = 2 // higher value is slower
+	// By default, grow if below the maximum buffer size.
+	grow := cap(e.buf) <= maxBufferSize/growthSizeFactor
+	// Growing can be expensive, so only grow
+	// if a sufficient number of bytes have been processed.
+	grow = grow && int64(cap(e.buf)) < e.previousOffsetEnd()/growthRateFactor
+	if grow {
+		e.buf = make([]byte, 0, cap(e.buf)*growthSizeFactor)
+	}
+
+	return nil
+}
+
+func (e *encodeBuffer) previousOffsetEnd() int64 { return e.baseOffset + int64(len(e.buf)) }
+func (e *encodeBuffer) unflushedBuffer() []byte  { return e.buf }
+
+// avoidFlush indicates whether to avoid flushing to ensure there is always
+// enough in the buffer to unwrite the last object member if it were empty.
+func (e *Encoder) avoidFlush() bool {
+	switch {
+	case e.tokens.last.length() == 0:
+		// Never flush after ObjectStart or ArrayStart since we don't know yet
+		// if the object or array will end up being empty.
+		return true
+	case e.tokens.last.needObjectValue():
+		// Never flush before the object value since we don't know yet
+		// if the object value will end up being empty.
+		return true
+	case e.tokens.last.needObjectName() && len(e.buf) >= 2:
+		// Never flush after the object value if it does turn out to be empty.
+		switch string(e.buf[len(e.buf)-2:]) {
+		case `ll`, `""`, `{}`, `[]`: // last two bytes of every empty value
+			return true
+		}
+	}
+	return false
+}
+
+// unwriteEmptyObjectMember unwrites the last object member if it is empty
+// and reports whether it performed an unwrite operation.
+func (e *Encoder) unwriteEmptyObjectMember(prevName *string) bool {
+	if last := e.tokens.last; !last.isObject() || !last.needObjectName() || last.length() == 0 {
+		panic("BUG: must be called on an object after writing a value")
+	}
+
+	// The flushing logic is modified to never flush a trailing empty value.
+	// The encoder never writes trailing whitespace eagerly.
+	b := e.unflushedBuffer()
+
+	// Detect whether the last value was empty.
+	var n int
+	if len(b) >= 3 {
+		switch string(b[len(b)-2:]) {
+		case "ll": // last two bytes of `null`
+			n = len(`null`)
+		case `""`:
+			// It is possible for a non-empty string to have `""` as a suffix
+			// if the second to the last quote was escaped.
+			if b[len(b)-3] == '\\' {
+				return false // e.g., `"\""` is not empty
+			}
+			n = len(`""`)
+		case `{}`:
+			n = len(`{}`)
+		case `[]`:
+			n = len(`[]`)
+		}
+	}
+	if n == 0 {
+		return false
+	}
+
+	// Unwrite the value, whitespace, colon, name, whitespace, and comma.
+	b = b[:len(b)-n]
+	b = trimSuffixWhitespace(b)
+	b = trimSuffixByte(b, ':')
+	b = trimSuffixString(b)
+	b = trimSuffixWhitespace(b)
+	b = trimSuffixByte(b, ',')
+	e.buf = b // store back truncated unflushed buffer
+
+	// Undo state changes.
+	e.tokens.last.decrement() // for object member value
+	e.tokens.last.decrement() // for object member name
+	if !e.options.AllowDuplicateNames {
+		if e.tokens.last.isActiveNamespace() {
+			e.namespaces.last().removeLast()
+		}
+		e.names.clearLast()
+		if prevName != nil {
+			e.names.copyQuotedBuffer(e.buf) // required by objectNameStack.replaceLastUnquotedName
+			e.names.replaceLastUnquotedName(*prevName)
+		}
+	}
+	return true
+}
+
+func trimSuffixWhitespace(b []byte) []byte {
+	// NOTE: The arguments and logic are kept simple to keep this inlineable.
+	n := len(b) - 1
+	for n >= 0 && (b[n] == ' ' || b[n] == '\t' || b[n] == '\r' || b[n] == '\n') {
+		n--
+	}
+	return b[:n+1]
+}
+
+func trimSuffixString(b []byte) []byte {
+	// NOTE: The arguments and logic are kept simple to keep this inlineable.
+	if len(b) > 0 && b[len(b)-1] == '"' {
+		b = b[:len(b)-1]
+	}
+	for len(b) >= 2 && !(b[len(b)-1] == '"' && b[len(b)-2] != '\\') {
+		b = b[:len(b)-1] // trim all characters except an unescaped quote
+	}
+	if len(b) > 0 && b[len(b)-1] == '"' {
+		b = b[:len(b)-1]
+	}
+	return b
+}
+
+func hasSuffixByte(b []byte, c byte) bool {
+	// NOTE: The arguments and logic are kept simple to keep this inlineable.
+	return len(b) > 0 && b[len(b)-1] == c
+}
+
+func trimSuffixByte(b []byte, c byte) []byte {
+	// NOTE: The arguments and logic are kept simple to keep this inlineable.
+	if len(b) > 0 && b[len(b)-1] == c {
+		return b[:len(b)-1]
+	}
+	return b
+}
+
+// WriteToken writes the next token and advances the internal write offset.
+//
+// The provided token kind must be consistent with the JSON grammar.
+// For example, it is an error to provide a number when the encoder
+// is expecting an object name (which is always a string), or
+// to provide an end object delimiter when the encoder is finishing an array.
+// If the provided token is invalid, then it reports a SyntacticError and
+// the internal state remains unchanged.
+func (e *Encoder) WriteToken(t Token) error {
+	k := t.Kind()
+	b := e.buf // use local variable to avoid mutating e in case of error
+
+	// Append any delimiters or optional whitespace.
+	b = e.tokens.mayAppendDelim(b, k)
+	if e.options.multiline {
+		b = e.appendWhitespace(b, k)
+	}
+
+	// Append the token to the output and to the state machine.
+	var err error
+	switch k {
+	case 'n':
+		b = append(b, "null"...)
+		err = e.tokens.appendLiteral()
+	case 'f':
+		b = append(b, "false"...)
+		err = e.tokens.appendLiteral()
+	case 't':
+		b = append(b, "true"...)
+		err = e.tokens.appendLiteral()
+	case '"':
+		n0 := len(b) // offset before calling t.appendString
+		if b, err = t.appendString(b, !e.options.AllowInvalidUTF8, e.options.preserveRawStrings, e.options.EscapeRune); err != nil {
+			break
+		}
+		if !e.options.AllowDuplicateNames && e.tokens.last.needObjectName() {
+			if !e.tokens.last.isValidNamespace() {
+				err = errInvalidNamespace
+				break
+			}
+			if e.tokens.last.isActiveNamespace() && !e.namespaces.last().insertQuoted(b[n0:], false) {
+				err = &SyntacticError{str: "duplicate name " + string(b[n0:]) + " in object"}
+				break
+			}
+			e.names.replaceLastQuotedOffset(n0) // only replace if insertQuoted succeeds
+		}
+		err = e.tokens.appendString()
+	case '0':
+		if b, err = t.appendNumber(b, e.options.canonicalizeNumbers); err != nil {
+			break
+		}
+		err = e.tokens.appendNumber()
+	case '{':
+		b = append(b, '{')
+		if err = e.tokens.pushObject(); err != nil {
+			break
+		}
+		if !e.options.AllowDuplicateNames {
+			e.names.push()
+			e.namespaces.push()
+		}
+	case '}':
+		b = append(b, '}')
+		if err = e.tokens.popObject(); err != nil {
+			break
+		}
+		if !e.options.AllowDuplicateNames {
+			e.names.pop()
+			e.namespaces.pop()
+		}
+	case '[':
+		b = append(b, '[')
+		err = e.tokens.pushArray()
+	case ']':
+		b = append(b, ']')
+		err = e.tokens.popArray()
+	default:
+		return &SyntacticError{str: "invalid json.Token"}
+	}
+	if err != nil {
+		return err
+	}
+
+	// Finish off the buffer and store it back into e.
+	e.buf = b
+	if e.needFlush() {
+		return e.flush()
+	}
+	return nil
+}
+
+const (
+	rawIntNumber  = -1
+	rawUintNumber = -2
+)
+
+// writeNumber is specialized version of WriteToken, but optimized for numbers.
+// As a special-case, if bits is -1 or -2, it will treat v as
+// the raw-encoded bits of an int64 or uint64, respectively.
+// It is only called from arshal_default.go.
+func (e *Encoder) writeNumber(v float64, bits int, quote bool) error {
+	b := e.buf // use local variable to avoid mutating e in case of error
+
+	// Append any delimiters or optional whitespace.
+	b = e.tokens.mayAppendDelim(b, '0')
+	if e.options.multiline {
+		b = e.appendWhitespace(b, '0')
+	}
+
+	if quote {
+		// Append the value to the output.
+		n0 := len(b) // offset before appending the number
+		b = append(b, '"')
+		switch bits {
+		case rawIntNumber:
+			b = strconv.AppendInt(b, int64(math.Float64bits(v)), 10)
+		case rawUintNumber:
+			b = strconv.AppendUint(b, uint64(math.Float64bits(v)), 10)
+		default:
+			b = appendNumber(b, v, bits)
+		}
+		b = append(b, '"')
+
+		// Escape the string if necessary.
+		if e.options.EscapeRune != nil {
+			b2 := append(e.unusedCache, b[n0+len(`"`):len(b)-len(`"`)]...)
+			b, _ = appendString(b[:n0], string(b2), false, e.options.EscapeRune)
+			e.unusedCache = b2[:0]
+		}
+
+		// Update the state machine.
+		if !e.options.AllowDuplicateNames && e.tokens.last.needObjectName() {
+			if !e.tokens.last.isValidNamespace() {
+				return errInvalidNamespace
+			}
+			if e.tokens.last.isActiveNamespace() && !e.namespaces.last().insertQuoted(b[n0:], false) {
+				return &SyntacticError{str: "duplicate name " + string(b[n0:]) + " in object"}
+			}
+			e.names.replaceLastQuotedOffset(n0) // only replace if insertQuoted succeeds
+		}
+		if err := e.tokens.appendString(); err != nil {
+			return err
+		}
+	} else {
+		switch bits {
+		case rawIntNumber:
+			b = strconv.AppendInt(b, int64(math.Float64bits(v)), 10)
+		case rawUintNumber:
+			b = strconv.AppendUint(b, uint64(math.Float64bits(v)), 10)
+		default:
+			b = appendNumber(b, v, bits)
+		}
+		if err := e.tokens.appendNumber(); err != nil {
+			return err
+		}
+	}
+
+	// Finish off the buffer and store it back into e.
+	e.buf = b
+	if e.needFlush() {
+		return e.flush()
+	}
+	return nil
+}
+
+// WriteValue writes the next raw value and advances the internal write offset.
+// The Encoder does not simply copy the provided value verbatim, but
+// parses it to ensure that it is syntactically valid and reformats it
+// according to how the Encoder is configured to format whitespace and strings.
+//
+// The provided value kind must be consistent with the JSON grammar
+// (see examples on Encoder.WriteToken). If the provided value is invalid,
+// then it reports a SyntacticError and the internal state remains unchanged.
+func (e *Encoder) WriteValue(v RawValue) error {
+	e.maxValue |= len(v) // bitwise OR is a fast approximation of max
+
+	k := v.Kind()
+	b := e.buf // use local variable to avoid mutating e in case of error
+
+	// Append any delimiters or optional whitespace.
+	b = e.tokens.mayAppendDelim(b, k)
+	if e.options.multiline {
+		b = e.appendWhitespace(b, k)
+	}
+
+	// Append the value the output.
+	var err error
+	v = v[consumeWhitespace(v):]
+	n0 := len(b) // offset before calling e.reformatValue
+	b, v, err = e.reformatValue(b, v, e.tokens.depth())
+	if err != nil {
+		return err
+	}
+	v = v[consumeWhitespace(v):]
+	if len(v) > 0 {
+		return newInvalidCharacterError(v[0:], "after top-level value")
+	}
+
+	// Append the kind to the state machine.
+	switch k {
+	case 'n', 'f', 't':
+		err = e.tokens.appendLiteral()
+	case '"':
+		if !e.options.AllowDuplicateNames && e.tokens.last.needObjectName() {
+			if !e.tokens.last.isValidNamespace() {
+				err = errInvalidNamespace
+				break
+			}
+			if e.tokens.last.isActiveNamespace() && !e.namespaces.last().insertQuoted(b[n0:], false) {
+				err = &SyntacticError{str: "duplicate name " + string(b[n0:]) + " in object"}
+				break
+			}
+			e.names.replaceLastQuotedOffset(n0) // only replace if insertQuoted succeeds
+		}
+		err = e.tokens.appendString()
+	case '0':
+		err = e.tokens.appendNumber()
+	case '{':
+		if err = e.tokens.pushObject(); err != nil {
+			break
+		}
+		if err = e.tokens.popObject(); err != nil {
+			panic("BUG: popObject should never fail immediately after pushObject: " + err.Error())
+		}
+	case '[':
+		if err = e.tokens.pushArray(); err != nil {
+			break
+		}
+		if err = e.tokens.popArray(); err != nil {
+			panic("BUG: popArray should never fail immediately after pushArray: " + err.Error())
+		}
+	}
+	if err != nil {
+		return err
+	}
+
+	// Finish off the buffer and store it back into e.
+	e.buf = b
+	if e.needFlush() {
+		return e.flush()
+	}
+	return nil
+}
+
+// appendWhitespace appends whitespace that immediately precedes the next token.
+func (e *Encoder) appendWhitespace(b []byte, next Kind) []byte {
+	if e.tokens.needDelim(next) == ':' {
+		return append(b, ' ')
+	} else {
+		return e.appendIndent(b, e.tokens.needIndent(next))
+	}
+}
+
+// appendIndent appends the appropriate number of indentation characters
+// for the current nested level, n.
+func (e *Encoder) appendIndent(b []byte, n int) []byte {
+	if n == 0 {
+		return b
+	}
+	b = append(b, '\n')
+	b = append(b, e.options.IndentPrefix...)
+	for ; n > 1; n-- {
+		b = append(b, e.options.Indent...)
+	}
+	return b
+}
+
+// reformatValue parses a JSON value from the start of src and
+// appends it to the end of dst, reformatting whitespace and strings as needed.
+// It returns the updated versions of dst and src.
+func (e *Encoder) reformatValue(dst []byte, src RawValue, depth int) ([]byte, RawValue, error) {
+	// TODO: Should this update valueFlags as input?
+	if len(src) == 0 {
+		return dst, src, io.ErrUnexpectedEOF
+	}
+	var n int
+	var err error
+	switch k := Kind(src[0]).normalize(); k {
+	case 'n':
+		if n = consumeNull(src); n == 0 {
+			n, err = consumeLiteral(src, "null")
+		}
+	case 'f':
+		if n = consumeFalse(src); n == 0 {
+			n, err = consumeLiteral(src, "false")
+		}
+	case 't':
+		if n = consumeTrue(src); n == 0 {
+			n, err = consumeLiteral(src, "true")
+		}
+	case '"':
+		if n := consumeSimpleString(src); n > 0 && e.options.EscapeRune == nil {
+			dst, src = append(dst, src[:n]...), src[n:] // copy simple strings verbatim
+			return dst, src, nil
+		}
+		return reformatString(dst, src, !e.options.AllowInvalidUTF8, e.options.preserveRawStrings, e.options.EscapeRune)
+	case '0':
+		if n := consumeSimpleNumber(src); n > 0 && !e.options.canonicalizeNumbers {
+			dst, src = append(dst, src[:n]...), src[n:] // copy simple numbers verbatim
+			return dst, src, nil
+		}
+		return reformatNumber(dst, src, e.options.canonicalizeNumbers)
+	case '{':
+		return e.reformatObject(dst, src, depth)
+	case '[':
+		return e.reformatArray(dst, src, depth)
+	default:
+		return dst, src, newInvalidCharacterError(src, "at start of value")
+	}
+	if err != nil {
+		return dst, src, err
+	}
+	dst, src = append(dst, src[:n]...), src[n:]
+	return dst, src, nil
+}
+
+// reformatObject parses a JSON object from the start of src and
+// appends it to the end of src, reformatting whitespace and strings as needed.
+// It returns the updated versions of dst and src.
+func (e *Encoder) reformatObject(dst []byte, src RawValue, depth int) ([]byte, RawValue, error) {
+	// Append object start.
+	if src[0] != '{' {
+		panic("BUG: reformatObject must be called with a buffer that starts with '{'")
+	}
+	dst, src = append(dst, '{'), src[1:]
+
+	// Append (possible) object end.
+	src = src[consumeWhitespace(src):]
+	if len(src) == 0 {
+		return dst, src, io.ErrUnexpectedEOF
+	}
+	if src[0] == '}' {
+		dst, src = append(dst, '}'), src[1:]
+		return dst, src, nil
+	}
+
+	var err error
+	var names *objectNamespace
+	if !e.options.AllowDuplicateNames {
+		e.namespaces.push()
+		defer e.namespaces.pop()
+		names = e.namespaces.last()
+	}
+	depth++
+	for {
+		// Append optional newline and indentation.
+		if e.options.multiline {
+			dst = e.appendIndent(dst, depth)
+		}
+
+		// Append object name.
+		src = src[consumeWhitespace(src):]
+		if len(src) == 0 {
+			return dst, src, io.ErrUnexpectedEOF
+		}
+		n0 := len(dst) // offset before calling reformatString
+		n := consumeSimpleString(src)
+		if n > 0 && e.options.EscapeRune == nil {
+			dst, src = append(dst, src[:n]...), src[n:] // copy simple strings verbatim
+		} else {
+			dst, src, err = reformatString(dst, src, !e.options.AllowInvalidUTF8, e.options.preserveRawStrings, e.options.EscapeRune)
+		}
+		if err != nil {
+			return dst, src, err
+		}
+		if !e.options.AllowDuplicateNames && !names.insertQuoted(dst[n0:], false) {
+			return dst, src, &SyntacticError{str: "duplicate name " + string(dst[n0:]) + " in object"}
+		}
+
+		// Append colon.
+		src = src[consumeWhitespace(src):]
+		if len(src) == 0 {
+			return dst, src, io.ErrUnexpectedEOF
+		}
+		if src[0] != ':' {
+			return dst, src, newInvalidCharacterError(src, "after object name (expecting ':')")
+		}
+		dst, src = append(dst, ':'), src[1:]
+		if e.options.multiline {
+			dst = append(dst, ' ')
+		}
+
+		// Append object value.
+		src = src[consumeWhitespace(src):]
+		if len(src) == 0 {
+			return dst, src, io.ErrUnexpectedEOF
+		}
+		dst, src, err = e.reformatValue(dst, src, depth)
+		if err != nil {
+			return dst, src, err
+		}
+
+		// Append comma or object end.
+		src = src[consumeWhitespace(src):]
+		if len(src) == 0 {
+			return dst, src, io.ErrUnexpectedEOF
+		}
+		switch src[0] {
+		case ',':
+			dst, src = append(dst, ','), src[1:]
+			continue
+		case '}':
+			if e.options.multiline {
+				dst = e.appendIndent(dst, depth-1)
+			}
+			dst, src = append(dst, '}'), src[1:]
+			return dst, src, nil
+		default:
+			return dst, src, newInvalidCharacterError(src, "after object value (expecting ',' or '}')")
+		}
+	}
+}
+
+// reformatArray parses a JSON array from the start of src and
+// appends it to the end of dst, reformatting whitespace and strings as needed.
+// It returns the updated versions of dst and src.
+func (e *Encoder) reformatArray(dst []byte, src RawValue, depth int) ([]byte, RawValue, error) {
+	// Append array start.
+	if src[0] != '[' {
+		panic("BUG: reformatArray must be called with a buffer that starts with '['")
+	}
+	dst, src = append(dst, '['), src[1:]
+
+	// Append (possible) array end.
+	src = src[consumeWhitespace(src):]
+	if len(src) == 0 {
+		return dst, src, io.ErrUnexpectedEOF
+	}
+	if src[0] == ']' {
+		dst, src = append(dst, ']'), src[1:]
+		return dst, src, nil
+	}
+
+	var err error
+	depth++
+	for {
+		// Append optional newline and indentation.
+		if e.options.multiline {
+			dst = e.appendIndent(dst, depth)
+		}
+
+		// Append array value.
+		src = src[consumeWhitespace(src):]
+		if len(src) == 0 {
+			return dst, src, io.ErrUnexpectedEOF
+		}
+		dst, src, err = e.reformatValue(dst, src, depth)
+		if err != nil {
+			return dst, src, err
+		}
+
+		// Append comma or array end.
+		src = src[consumeWhitespace(src):]
+		if len(src) == 0 {
+			return dst, src, io.ErrUnexpectedEOF
+		}
+		switch src[0] {
+		case ',':
+			dst, src = append(dst, ','), src[1:]
+			continue
+		case ']':
+			if e.options.multiline {
+				dst = e.appendIndent(dst, depth-1)
+			}
+			dst, src = append(dst, ']'), src[1:]
+			return dst, src, nil
+		default:
+			return dst, src, newInvalidCharacterError(src, "after array value (expecting ',' or ']')")
+		}
+	}
+}
+
+// OutputOffset returns the current output byte offset. It gives the location
+// of the next byte immediately after the most recently written token or value.
+// The number of bytes actually written to the underlying io.Writer may be less
+// than this offset due to internal buffering effects.
+func (e *Encoder) OutputOffset() int64 {
+	return e.previousOffsetEnd()
+}
+
+// UnusedBuffer returns a zero-length buffer with a possible non-zero capacity.
+// This buffer is intended to be used to populate a RawValue
+// being passed to an immediately succeeding WriteValue call.
+//
+// Example usage:
+//
+//	b := d.UnusedBuffer()
+//	b = append(b, '"')
+//	b = appendString(b, v) // append the string formatting of v
+//	b = append(b, '"')
+//	... := d.WriteValue(b)
+//
+// It is the user's responsibility to ensure that the value is valid JSON.
+func (e *Encoder) UnusedBuffer() []byte {
+	// NOTE: We don't return e.buf[len(e.buf):cap(e.buf)] since WriteValue would
+	// need to take special care to avoid mangling the data while reformatting.
+	// WriteValue can't easily identify whether the input RawValue aliases e.buf
+	// without using unsafe.Pointer. Thus, we just return a different buffer.
+	// Should this ever alias e.buf, we need to consider how it operates with
+	// the specialized performance optimization for bytes.Buffer.
+	n := 1 << bits.Len(uint(e.maxValue|63)) // fast approximation for max length
+	if cap(e.unusedCache) < n {
+		e.unusedCache = make([]byte, 0, n)
+	}
+	return e.unusedCache
+}
+
+// StackDepth returns the depth of the state machine for written JSON data.
+// Each level on the stack represents a nested JSON object or array.
+// It is incremented whenever an ObjectStart or ArrayStart token is encountered
+// and decremented whenever an ObjectEnd or ArrayEnd token is encountered.
+// The depth is zero-indexed, where zero represents the top-level JSON value.
+func (e *Encoder) StackDepth() int {
+	// NOTE: Keep in sync with Decoder.StackDepth.
+	return e.tokens.depth() - 1
+}
+
+// StackIndex returns information about the specified stack level.
+// It must be a number between 0 and StackDepth, inclusive.
+// For each level, it reports the kind:
+//
+//   - 0 for a level of zero,
+//   - '{' for a level representing a JSON object, and
+//   - '[' for a level representing a JSON array.
+//
+// It also reports the length of that JSON object or array.
+// Each name and value in a JSON object is counted separately,
+// so the effective number of members would be half the length.
+// A complete JSON object must have an even length.
+func (e *Encoder) StackIndex(i int) (Kind, int) {
+	// NOTE: Keep in sync with Decoder.StackIndex.
+	switch s := e.tokens.index(i); {
+	case i > 0 && s.isObject():
+		return '{', s.length()
+	case i > 0 && s.isArray():
+		return '[', s.length()
+	default:
+		return 0, s.length()
+	}
+}
+
+// StackPointer returns a JSON Pointer (RFC 6901) to the most recently written value.
+// Object names are only present if AllowDuplicateNames is false, otherwise
+// object members are represented using their index within the object.
+func (e *Encoder) StackPointer() string {
+	e.names.copyQuotedBuffer(e.buf)
+	return string(e.appendStackPointer(nil))
+}
+
+// appendString appends src to dst as a JSON string per RFC 7159, section 7.
+//
+// If validateUTF8 is specified, this rejects input that contains invalid UTF-8
+// otherwise invalid bytes are replaced with the Unicode replacement character.
+// If escapeRune is provided, it specifies which runes to escape using
+// hexadecimal sequences. If nil, the shortest representable form is used,
+// which is also the canonical form for strings (RFC 8785, section 3.2.2.2).
+//
+// Note that this API allows full control over the formatting of strings
+// except for whether a forward solidus '/' may be formatted as '\/' and
+// the casing of hexadecimal Unicode escape sequences.
+func appendString(dst []byte, src string, validateUTF8 bool, escapeRune func(rune) bool) ([]byte, error) {
+	appendEscapedASCII := func(dst []byte, c byte) []byte {
+		switch c {
+		case '"', '\\':
+			dst = append(dst, '\\', c)
+		case '\b':
+			dst = append(dst, "\\b"...)
+		case '\f':
+			dst = append(dst, "\\f"...)
+		case '\n':
+			dst = append(dst, "\\n"...)
+		case '\r':
+			dst = append(dst, "\\r"...)
+		case '\t':
+			dst = append(dst, "\\t"...)
+		default:
+			dst = append(dst, "\\u"...)
+			dst = appendHexUint16(dst, uint16(c))
+		}
+		return dst
+	}
+	appendEscapedUnicode := func(dst []byte, r rune) []byte {
+		if r1, r2 := utf16.EncodeRune(r); r1 != '\ufffd' && r2 != '\ufffd' {
+			dst = append(dst, "\\u"...)
+			dst = appendHexUint16(dst, uint16(r1))
+			dst = append(dst, "\\u"...)
+			dst = appendHexUint16(dst, uint16(r2))
+		} else {
+			dst = append(dst, "\\u"...)
+			dst = appendHexUint16(dst, uint16(r))
+		}
+		return dst
+	}
+
+	// Optimize for when escapeRune is nil.
+	if escapeRune == nil {
+		var i, n int
+		dst = append(dst, '"')
+		for uint(len(src)) > uint(n) {
+			// Handle single-byte ASCII.
+			if c := src[n]; c < utf8.RuneSelf {
+				n++
+				if c < ' ' || c == '"' || c == '\\' {
+					dst = append(dst, src[i:n-1]...)
+					dst = appendEscapedASCII(dst, c)
+					i = n
+				}
+				continue
+			}
+
+			// Handle multi-byte Unicode.
+			_, rn := utf8.DecodeRuneInString(src[n:])
+			n += rn
+			if rn == 1 { // must be utf8.RuneError since we already checked for single-byte ASCII
+				dst = append(dst, src[i:n-rn]...)
+				if validateUTF8 {
+					return dst, &SyntacticError{str: "invalid UTF-8 within string"}
+				}
+				dst = append(dst, "\ufffd"...)
+				i = n
+			}
+		}
+		dst = append(dst, src[i:n]...)
+		dst = append(dst, '"')
+		return dst, nil
+	}
+
+	// Slower implementation for when escapeRune is non-nil.
+	var i, n int
+	dst = append(dst, '"')
+	for uint(len(src)) > uint(n) {
+		switch r, rn := utf8.DecodeRuneInString(src[n:]); {
+		case r == utf8.RuneError && rn == 1:
+			dst = append(dst, src[i:n]...)
+			if validateUTF8 {
+				return dst, &SyntacticError{str: "invalid UTF-8 within string"}
+			}
+			if escapeRune('\ufffd') {
+				dst = append(dst, `\ufffd`...)
+			} else {
+				dst = append(dst, "\ufffd"...)
+			}
+			n += rn
+			i = n
+		case escapeRune(r):
+			dst = append(dst, src[i:n]...)
+			dst = appendEscapedUnicode(dst, r)
+			n += rn
+			i = n
+		case r < ' ' || r == '"' || r == '\\':
+			dst = append(dst, src[i:n]...)
+			dst = appendEscapedASCII(dst, byte(r))
+			n += rn
+			i = n
+		default:
+			n += rn
+		}
+	}
+	dst = append(dst, src[i:n]...)
+	dst = append(dst, '"')
+	return dst, nil
+}
+
+// reformatString consumes a JSON string from src and appends it to dst,
+// reformatting it if necessary for the given escapeRune parameter.
+// It returns the appended output and the remainder of the input.
+func reformatString(dst, src []byte, validateUTF8, preserveRaw bool, escapeRune func(rune) bool) ([]byte, []byte, error) {
+	// TODO: Should this update valueFlags as input?
+	var flags valueFlags
+	n, err := consumeString(&flags, src, validateUTF8)
+	if err != nil {
+		return dst, src[n:], err
+	}
+	if preserveRaw || (escapeRune == nil && flags.isCanonical()) {
+		dst = append(dst, src[:n]...) // copy the string verbatim
+		return dst, src[n:], nil
+	}
+
+	// TODO: Implement a direct, raw-to-raw reformat for strings.
+	// If the escapeRune option would have resulted in no changes to the output,
+	// it would be faster to simply append src to dst without going through
+	// an intermediary representation in a separate buffer.
+	b, _ := unescapeString(make([]byte, 0, n), src[:n])
+	dst, _ = appendString(dst, string(b), validateUTF8, escapeRune)
+	return dst, src[n:], nil
+}
+
+// appendNumber appends src to dst as a JSON number per RFC 7159, section 6.
+// It formats numbers similar to the ES6 number-to-string conversion.
+// See https://go.dev/issue/14135.
+//
+// The output is identical to ECMA-262, 6th edition, section 7.1.12.1 and with
+// RFC 8785, section 3.2.2.3 for 64-bit floating-point numbers except for -0,
+// which is formatted as -0 instead of just 0.
+//
+// For 32-bit floating-point numbers,
+// the output is a 32-bit equivalent of the algorithm.
+// Note that ECMA-262 specifies no algorithm for 32-bit numbers.
+func appendNumber(dst []byte, src float64, bits int) []byte {
+	if bits == 32 {
+		src = float64(float32(src))
+	}
+
+	abs := math.Abs(src)
+	fmt := byte('f')
+	if abs != 0 {
+		if bits == 64 && (float64(abs) < 1e-6 || float64(abs) >= 1e21) ||
+			bits == 32 && (float32(abs) < 1e-6 || float32(abs) >= 1e21) {
+			fmt = 'e'
+		}
+	}
+	dst = strconv.AppendFloat(dst, src, fmt, -1, bits)
+	if fmt == 'e' {
+		// Clean up e-09 to e-9.
+		n := len(dst)
+		if n >= 4 && dst[n-4] == 'e' && dst[n-3] == '-' && dst[n-2] == '0' {
+			dst[n-2] = dst[n-1]
+			dst = dst[:n-1]
+		}
+	}
+	return dst
+}
+
+// reformatNumber consumes a JSON string from src and appends it to dst,
+// canonicalizing it if specified.
+// It returns the appended output and the remainder of the input.
+func reformatNumber(dst, src []byte, canonicalize bool) ([]byte, []byte, error) {
+	n, err := consumeNumber(src)
+	if err != nil {
+		return dst, src[n:], err
+	}
+	if !canonicalize {
+		dst = append(dst, src[:n]...) // copy the number verbatim
+		return dst, src[n:], nil
+	}
+
+	// Canonicalize the number per RFC 8785, section 3.2.2.3.
+	// As an optimization, we can copy integer numbers below 2⁵³ verbatim.
+	const maxExactIntegerDigits = 16 // len(strconv.AppendUint(nil, 1<<53, 10))
+	if n < maxExactIntegerDigits && consumeSimpleNumber(src[:n]) == n {
+		dst = append(dst, src[:n]...) // copy the number verbatim
+		return dst, src[n:], nil
+	}
+	fv, _ := strconv.ParseFloat(string(src[:n]), 64)
+	switch {
+	case fv == 0:
+		fv = 0 // normalize negative zero as just zero
+	case math.IsInf(fv, +1):
+		fv = +math.MaxFloat64
+	case math.IsInf(fv, -1):
+		fv = -math.MaxFloat64
+	}
+	return appendNumber(dst, fv, 64), src[n:], nil
+}
+
+// appendHexUint16 appends src to dst as a 4-byte hexadecimal number.
+func appendHexUint16(dst []byte, src uint16) []byte {
+	dst = append(dst, "0000"[1+(bits.Len16(src)-1)/4:]...)
+	dst = strconv.AppendUint(dst, uint64(src), 16)
+	return dst
+}
diff --git a/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/errors.go b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/errors.go
new file mode 100644
index 000000000..35be8601e
--- /dev/null
+++ b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/errors.go
@@ -0,0 +1,183 @@
+// Copyright 2020 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package json
+
+import (
+	"errors"
+	"reflect"
+	"strconv"
+	"strings"
+	"unicode/utf8"
+)
+
+const errorPrefix = "json: "
+
+// Error matches errors returned by this package according to errors.Is.
+const Error = jsonError("json error")
+
+type jsonError string
+
+func (e jsonError) Error() string {
+	return string(e)
+}
+func (e jsonError) Is(target error) bool {
+	return e == target || target == Error
+}
+
+type ioError struct {
+	action string // either "read" or "write"
+	err    error
+}
+
+func (e *ioError) Error() string {
+	return errorPrefix + e.action + " error: " + e.err.Error()
+}
+func (e *ioError) Unwrap() error {
+	return e.err
+}
+func (e *ioError) Is(target error) bool {
+	return e == target || target == Error || errors.Is(e.err, target)
+}
+
+// SemanticError describes an error determining the meaning
+// of JSON data as Go data or vice-versa.
+//
+// The contents of this error as produced by this package may change over time.
+type SemanticError struct {
+	requireKeyedLiterals
+	nonComparable
+
+	action string // either "marshal" or "unmarshal"
+
+	// ByteOffset indicates that an error occurred after this byte offset.
+	ByteOffset int64
+	// JSONPointer indicates that an error occurred within this JSON value
+	// as indicated using the JSON Pointer notation (see RFC 6901).
+	JSONPointer string
+
+	// JSONKind is the JSON kind that could not be handled.
+	JSONKind Kind // may be zero if unknown
+	// GoType is the Go type that could not be handled.
+	GoType reflect.Type // may be nil if unknown
+
+	// Err is the underlying error.
+	Err error // may be nil
+}
+
+func (e *SemanticError) Error() string {
+	var sb strings.Builder
+	sb.WriteString(errorPrefix)
+
+	// Hyrum-proof the error message by deliberately switching between
+	// two equivalent renderings of the same error message.
+	// The randomization is tied to the Hyrum-proofing already applied
+	// on map iteration in Go.
+	for phrase := range map[string]struct{}{"cannot": {}, "unable to": {}} {
+		sb.WriteString(phrase)
+		break // use whichever phrase we get in the first iteration
+	}
+
+	// Format action.
+	var preposition string
+	switch e.action {
+	case "marshal":
+		sb.WriteString(" marshal")
+		preposition = " from"
+	case "unmarshal":
+		sb.WriteString(" unmarshal")
+		preposition = " into"
+	default:
+		sb.WriteString(" handle")
+		preposition = " with"
+	}
+
+	// Format JSON kind.
+	var omitPreposition bool
+	switch e.JSONKind {
+	case 'n':
+		sb.WriteString(" JSON null")
+	case 'f', 't':
+		sb.WriteString(" JSON boolean")
+	case '"':
+		sb.WriteString(" JSON string")
+	case '0':
+		sb.WriteString(" JSON number")
+	case '{', '}':
+		sb.WriteString(" JSON object")
+	case '[', ']':
+		sb.WriteString(" JSON array")
+	default:
+		omitPreposition = true
+	}
+
+	// Format Go type.
+	if e.GoType != nil {
+		if !omitPreposition {
+			sb.WriteString(preposition)
+		}
+		sb.WriteString(" Go value of type ")
+		sb.WriteString(e.GoType.String())
+	}
+
+	// Format where.
+	switch {
+	case e.JSONPointer != "":
+		sb.WriteString(" within JSON value at ")
+		sb.WriteString(strconv.Quote(e.JSONPointer))
+	case e.ByteOffset > 0:
+		sb.WriteString(" after byte offset ")
+		sb.WriteString(strconv.FormatInt(e.ByteOffset, 10))
+	}
+
+	// Format underlying error.
+	if e.Err != nil {
+		sb.WriteString(": ")
+		sb.WriteString(e.Err.Error())
+	}
+
+	return sb.String()
+}
+func (e *SemanticError) Is(target error) bool {
+	return e == target || target == Error || errors.Is(e.Err, target)
+}
+func (e *SemanticError) Unwrap() error {
+	return e.Err
+}
+
+// SyntacticError is a description of a syntactic error that occurred when
+// encoding or decoding JSON according to the grammar.
+//
+// The contents of this error as produced by this package may change over time.
+type SyntacticError struct {
+	requireKeyedLiterals
+	nonComparable
+
+	// ByteOffset indicates that an error occurred after this byte offset.
+	ByteOffset int64
+	str        string
+}
+
+func (e *SyntacticError) Error() string {
+	return errorPrefix + e.str
+}
+func (e *SyntacticError) Is(target error) bool {
+	return e == target || target == Error
+}
+func (e *SyntacticError) withOffset(pos int64) error {
+	return &SyntacticError{ByteOffset: pos, str: e.str}
+}
+
+func newInvalidCharacterError(prefix []byte, where string) *SyntacticError {
+	what := quoteRune(prefix)
+	return &SyntacticError{str: "invalid character " + what + " " + where}
+}
+
+func quoteRune(b []byte) string {
+	r, n := utf8.DecodeRune(b)
+	if r == utf8.RuneError && n == 1 {
+		return `'\x` + strconv.FormatUint(uint64(b[0]), 16) + `'`
+	}
+	return strconv.QuoteRune(r)
+}
diff --git a/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/fields.go b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/fields.go
new file mode 100644
index 000000000..c0ee36166
--- /dev/null
+++ b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/fields.go
@@ -0,0 +1,509 @@
+// Copyright 2021 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package json
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"reflect"
+	"sort"
+	"strconv"
+	"strings"
+	"unicode"
+	"unicode/utf8"
+)
+
+var errIgnoredField = errors.New("ignored field")
+
+type isZeroer interface {
+	IsZero() bool
+}
+
+var isZeroerType = reflect.TypeOf((*isZeroer)(nil)).Elem()
+
+type structFields struct {
+	flattened       []structField // listed in depth-first ordering
+	byActualName    map[string]*structField
+	byFoldedName    map[string][]*structField
+	inlinedFallback *structField
+}
+
+type structField struct {
+	id      int   // unique numeric ID in breadth-first ordering
+	index   []int // index into a struct according to reflect.Type.FieldByIndex
+	typ     reflect.Type
+	fncs    *arshaler
+	isZero  func(addressableValue) bool
+	isEmpty func(addressableValue) bool
+	fieldOptions
+}
+
+func makeStructFields(root reflect.Type) (structFields, *SemanticError) {
+	var fs structFields
+	fs.byActualName = make(map[string]*structField, root.NumField())
+	fs.byFoldedName = make(map[string][]*structField, root.NumField())
+
+	// ambiguous is a sentinel value to indicate that at least two fields
+	// at the same depth have the same name, and thus cancel each other out.
+	// This follows the same rules as selecting a field on embedded structs
+	// where the shallowest field takes precedence. If more than one field
+	// exists at the shallowest depth, then the selection is illegal.
+	// See https://go.dev/ref/spec#Selectors.
+	ambiguous := new(structField)
+
+	// Setup a queue for a breath-first search.
+	var queueIndex int
+	type queueEntry struct {
+		typ           reflect.Type
+		index         []int
+		visitChildren bool // whether to recursively visit inlined field in this struct
+	}
+	queue := []queueEntry{{root, nil, true}}
+	seen := map[reflect.Type]bool{root: true}
+
+	// Perform a breadth-first search over all reachable fields.
+	// This ensures that len(f.index) will be monotonically increasing.
+	for queueIndex < len(queue) {
+		qe := queue[queueIndex]
+		queueIndex++
+
+		t := qe.typ
+		inlinedFallbackIndex := -1         // index of last inlined fallback field in current struct
+		namesIndex := make(map[string]int) // index of each field with a given JSON object name in current struct
+		var hasAnyJSONTag bool             // whether any Go struct field has a `json` tag
+		var hasAnyJSONField bool           // whether any JSON serializable fields exist in current struct
+		for i := 0; i < t.NumField(); i++ {
+			sf := t.Field(i)
+			_, hasTag := sf.Tag.Lookup("json")
+			hasAnyJSONTag = hasAnyJSONTag || hasTag
+			options, err := parseFieldOptions(sf)
+			if err != nil {
+				if err == errIgnoredField {
+					continue
+				}
+				return structFields{}, &SemanticError{GoType: t, Err: err}
+			}
+			hasAnyJSONField = true
+			f := structField{
+				// Allocate a new slice (len=N+1) to hold both
+				// the parent index (len=N) and the current index (len=1).
+				// Do this to avoid clobbering the memory of the parent index.
+				index:        append(append(make([]int, 0, len(qe.index)+1), qe.index...), i),
+				typ:          sf.Type,
+				fieldOptions: options,
+			}
+			if sf.Anonymous && !f.hasName {
+				f.inline = true // implied by use of Go embedding without an explicit name
+			}
+			if f.inline || f.unknown {
+				// Handle an inlined field that serializes to/from
+				// zero or more JSON object members.
+
+				if f.inline && f.unknown {
+					err := fmt.Errorf("Go struct field %s cannot have both `inline` and `unknown` specified", sf.Name)
+					return structFields{}, &SemanticError{GoType: t, Err: err}
+				}
+				switch f.fieldOptions {
+				case fieldOptions{name: f.name, quotedName: f.quotedName, inline: true}:
+				case fieldOptions{name: f.name, quotedName: f.quotedName, unknown: true}:
+				default:
+					err := fmt.Errorf("Go struct field %s cannot have any options other than `inline` or `unknown` specified", sf.Name)
+					return structFields{}, &SemanticError{GoType: t, Err: err}
+				}
+
+				// Unwrap one level of pointer indirection similar to how Go
+				// only allows embedding either T or *T, but not **T.
+				tf := f.typ
+				if tf.Kind() == reflect.Pointer && tf.Name() == "" {
+					tf = tf.Elem()
+				}
+				// Reject any types with custom serialization otherwise
+				// it becomes impossible to know what sub-fields to inline.
+				if which, _ := implementsWhich(tf,
+					jsonMarshalerV2Type, jsonMarshalerV1Type, textMarshalerType,
+					jsonUnmarshalerV2Type, jsonUnmarshalerV1Type, textUnmarshalerType,
+				); which != nil && tf != rawValueType {
+					err := fmt.Errorf("inlined Go struct field %s of type %s must not implement JSON marshal or unmarshal methods", sf.Name, tf)
+					return structFields{}, &SemanticError{GoType: t, Err: err}
+				}
+
+				// Handle an inlined field that serializes to/from
+				// a finite number of JSON object members backed by a Go struct.
+				if tf.Kind() == reflect.Struct {
+					if f.unknown {
+						err := fmt.Errorf("inlined Go struct field %s of type %s with `unknown` tag must be a Go map of string key or a json.RawValue", sf.Name, tf)
+						return structFields{}, &SemanticError{GoType: t, Err: err}
+					}
+					if qe.visitChildren {
+						queue = append(queue, queueEntry{tf, f.index, !seen[tf]})
+					}
+					seen[tf] = true
+					continue
+				}
+
+				// Handle an inlined field that serializes to/from any number of
+				// JSON object members back by a Go map or RawValue.
+				switch {
+				case tf == rawValueType:
+					f.fncs = nil // specially handled in arshal_inlined.go
+				case tf.Kind() == reflect.Map && tf.Key() == stringType:
+					f.fncs = lookupArshaler(tf.Elem())
+				default:
+					err := fmt.Errorf("inlined Go struct field %s of type %s must be a Go struct, Go map of string key, or json.RawValue", sf.Name, tf)
+					return structFields{}, &SemanticError{GoType: t, Err: err}
+				}
+
+				// Reject multiple inlined fallback fields within the same struct.
+				if inlinedFallbackIndex >= 0 {
+					err := fmt.Errorf("inlined Go struct fields %s and %s cannot both be a Go map or json.RawValue", t.Field(inlinedFallbackIndex).Name, sf.Name)
+					return structFields{}, &SemanticError{GoType: t, Err: err}
+				}
+				inlinedFallbackIndex = i
+
+				// Multiple inlined fallback fields across different structs
+				// follow the same precedence rules as Go struct embedding.
+				if fs.inlinedFallback == nil {
+					fs.inlinedFallback = &f // store first occurrence at lowest depth
+				} else if len(fs.inlinedFallback.index) == len(f.index) {
+					fs.inlinedFallback = ambiguous // at least two occurrences at same depth
+				}
+			} else {
+				// Handle normal Go struct field that serializes to/from
+				// a single JSON object member.
+
+				// Provide a function that uses a type's IsZero method.
+				switch {
+				case sf.Type.Kind() == reflect.Interface && sf.Type.Implements(isZeroerType):
+					f.isZero = func(va addressableValue) bool {
+						// Avoid panics calling IsZero on a nil interface or
+						// non-nil interface with nil pointer.
+						return va.IsNil() || (va.Elem().Kind() == reflect.Pointer && va.Elem().IsNil()) || va.Interface().(isZeroer).IsZero()
+					}
+				case sf.Type.Kind() == reflect.Pointer && sf.Type.Implements(isZeroerType):
+					f.isZero = func(va addressableValue) bool {
+						// Avoid panics calling IsZero on nil pointer.
+						return va.IsNil() || va.Interface().(isZeroer).IsZero()
+					}
+				case sf.Type.Implements(isZeroerType):
+					f.isZero = func(va addressableValue) bool { return va.Interface().(isZeroer).IsZero() }
+				case reflect.PointerTo(sf.Type).Implements(isZeroerType):
+					f.isZero = func(va addressableValue) bool { return va.Addr().Interface().(isZeroer).IsZero() }
+				}
+
+				// Provide a function that can determine whether the value would
+				// serialize as an empty JSON value.
+				switch sf.Type.Kind() {
+				case reflect.String, reflect.Map, reflect.Array, reflect.Slice:
+					f.isEmpty = func(va addressableValue) bool { return va.Len() == 0 }
+				case reflect.Pointer, reflect.Interface:
+					f.isEmpty = func(va addressableValue) bool { return va.IsNil() }
+				}
+
+				f.id = len(fs.flattened)
+				f.fncs = lookupArshaler(sf.Type)
+				fs.flattened = append(fs.flattened, f)
+
+				// Reject user-specified names with invalid UTF-8.
+				if !utf8.ValidString(f.name) {
+					err := fmt.Errorf("Go struct field %s has JSON object name %q with invalid UTF-8", sf.Name, f.name)
+					return structFields{}, &SemanticError{GoType: t, Err: err}
+				}
+				// Reject multiple fields with same name within the same struct.
+				if j, ok := namesIndex[f.name]; ok {
+					err := fmt.Errorf("Go struct fields %s and %s conflict over JSON object name %q", t.Field(j).Name, sf.Name, f.name)
+					return structFields{}, &SemanticError{GoType: t, Err: err}
+				}
+				namesIndex[f.name] = i
+
+				// Multiple fields of the same name across different structs
+				// follow the same precedence rules as Go struct embedding.
+				if f2 := fs.byActualName[f.name]; f2 == nil {
+					fs.byActualName[f.name] = &fs.flattened[len(fs.flattened)-1] // store first occurrence at lowest depth
+				} else if len(f2.index) == len(f.index) {
+					fs.byActualName[f.name] = ambiguous // at least two occurrences at same depth
+				}
+			}
+		}
+
+		// NOTE: New users to the json package are occasionally surprised that
+		// unexported fields are ignored. This occurs by necessity due to our
+		// inability to directly introspect such fields with Go reflection
+		// without the use of unsafe.
+		//
+		// To reduce friction here, refuse to serialize any Go struct that
+		// has no JSON serializable fields, has at least one Go struct field,
+		// and does not have any `json` tags present. For example,
+		// errors returned by errors.New would fail to serialize.
+		isEmptyStruct := t.NumField() == 0
+		if !isEmptyStruct && !hasAnyJSONTag && !hasAnyJSONField {
+			err := errors.New("Go struct has no exported fields")
+			return structFields{}, &SemanticError{GoType: t, Err: err}
+		}
+	}
+
+	// Remove all fields that are duplicates.
+	// This may move elements forward to fill the holes from removed fields.
+	var n int
+	for _, f := range fs.flattened {
+		switch f2 := fs.byActualName[f.name]; {
+		case f2 == ambiguous:
+			delete(fs.byActualName, f.name)
+		case f2 == nil:
+			continue // may be nil due to previous delete
+		// TODO(https://go.dev/issue/45955): Use slices.Equal.
+		case reflect.DeepEqual(f.index, f2.index):
+			f.id = n
+			fs.flattened[n] = f
+			fs.byActualName[f.name] = &fs.flattened[n] // fix pointer to new location
+			n++
+		}
+	}
+	fs.flattened = fs.flattened[:n]
+	if fs.inlinedFallback == ambiguous {
+		fs.inlinedFallback = nil
+	}
+	if len(fs.flattened) != len(fs.byActualName) {
+		panic(fmt.Sprintf("BUG: flattened list of fields mismatches fields mapped by name: %d != %d", len(fs.flattened), len(fs.byActualName)))
+	}
+
+	// Sort the fields according to a depth-first ordering.
+	// This operation will cause pointers in byActualName to become incorrect,
+	// which we will correct in another loop shortly thereafter.
+	sort.Slice(fs.flattened, func(i, j int) bool {
+		si := fs.flattened[i].index
+		sj := fs.flattened[j].index
+		for len(si) > 0 && len(sj) > 0 {
+			switch {
+			case si[0] < sj[0]:
+				return true
+			case si[0] > sj[0]:
+				return false
+			default:
+				si = si[1:]
+				sj = sj[1:]
+			}
+		}
+		return len(si) < len(sj)
+	})
+
+	// Recompute the mapping of fields in the byActualName map.
+	// Pre-fold all names so that we can lookup folded names quickly.
+	for i, f := range fs.flattened {
+		foldedName := string(foldName([]byte(f.name)))
+		fs.byActualName[f.name] = &fs.flattened[i]
+		fs.byFoldedName[foldedName] = append(fs.byFoldedName[foldedName], &fs.flattened[i])
+	}
+	for foldedName, fields := range fs.byFoldedName {
+		if len(fields) > 1 {
+			// The precedence order for conflicting nocase names
+			// is by breadth-first order, rather than depth-first order.
+			sort.Slice(fields, func(i, j int) bool {
+				return fields[i].id < fields[j].id
+			})
+			fs.byFoldedName[foldedName] = fields
+		}
+	}
+
+	return fs, nil
+}
+
+type fieldOptions struct {
+	name       string
+	quotedName string // quoted name per RFC 8785, section 3.2.2.2.
+	hasName    bool
+	nocase     bool
+	inline     bool
+	unknown    bool
+	omitzero   bool
+	omitempty  bool
+	string     bool
+	format     string
+}
+
+// parseFieldOptions parses the `json` tag in a Go struct field as
+// a structured set of options configuring parameters such as
+// the JSON member name and other features.
+// As a special case, it returns errIgnoredField if the field is ignored.
+func parseFieldOptions(sf reflect.StructField) (out fieldOptions, err error) {
+	tag, hasTag := sf.Tag.Lookup("json")
+
+	// Check whether this field is explicitly ignored.
+	if tag == "-" {
+		return fieldOptions{}, errIgnoredField
+	}
+
+	// Check whether this field is unexported.
+	if !sf.IsExported() {
+		// In contrast to v1, v2 no longer forwards exported fields from
+		// embedded fields of unexported types since Go reflection does not
+		// allow the same set of operations that are available in normal cases
+		// of purely exported fields.
+		// See https://go.dev/issue/21357 and https://go.dev/issue/24153.
+		if sf.Anonymous {
+			return fieldOptions{}, fmt.Errorf("embedded Go struct field %s of an unexported type must be explicitly ignored with a `json:\"-\"` tag", sf.Type.Name())
+		}
+		// Tag options specified on an unexported field suggests user error.
+		if hasTag {
+			return fieldOptions{}, fmt.Errorf("unexported Go struct field %s cannot have non-ignored `json:%q` tag", sf.Name, tag)
+		}
+		return fieldOptions{}, errIgnoredField
+	}
+
+	// Determine the JSON member name for this Go field. A user-specified name
+	// may be provided as either an identifier or a single-quoted string.
+	// The single-quoted string allows arbitrary characters in the name.
+	// See https://go.dev/issue/2718 and https://go.dev/issue/3546.
+	out.name = sf.Name // always starts with an uppercase character
+	if len(tag) > 0 && !strings.HasPrefix(tag, ",") {
+		// For better compatibility with v1, accept almost any unescaped name.
+		n := len(tag) - len(strings.TrimLeftFunc(tag, func(r rune) bool {
+			return !strings.ContainsRune(",\\'\"`", r) // reserve comma, backslash, and quotes
+		}))
+		opt := tag[:n]
+		if n == 0 {
+			// Allow a single quoted string for arbitrary names.
+			opt, n, err = consumeTagOption(tag)
+			if err != nil {
+				return fieldOptions{}, fmt.Errorf("Go struct field %s has malformed `json` tag: %v", sf.Name, err)
+			}
+		}
+		out.hasName = true
+		out.name = opt
+		tag = tag[n:]
+	}
+	b, _ := appendString(nil, out.name, false, nil)
+	out.quotedName = string(b)
+
+	// Handle any additional tag options (if any).
+	var wasFormat bool
+	seenOpts := make(map[string]bool)
+	for len(tag) > 0 {
+		// Consume comma delimiter.
+		if tag[0] != ',' {
+			return fieldOptions{}, fmt.Errorf("Go struct field %s has malformed `json` tag: invalid character %q before next option (expecting ',')", sf.Name, tag[0])
+		}
+		tag = tag[len(","):]
+		if len(tag) == 0 {
+			return fieldOptions{}, fmt.Errorf("Go struct field %s has malformed `json` tag: invalid trailing ',' character", sf.Name)
+		}
+
+		// Consume and process the tag option.
+		opt, n, err := consumeTagOption(tag)
+		if err != nil {
+			return fieldOptions{}, fmt.Errorf("Go struct field %s has malformed `json` tag: %v", sf.Name, err)
+		}
+		rawOpt := tag[:n]
+		tag = tag[n:]
+		switch {
+		case wasFormat:
+			return fieldOptions{}, fmt.Errorf("Go struct field %s has `format` tag option that was not specified last", sf.Name)
+		case strings.HasPrefix(rawOpt, "'") && strings.TrimFunc(opt, isLetterOrDigit) == "":
+			return fieldOptions{}, fmt.Errorf("Go struct field %s has unnecessarily quoted appearance of `%s` tag option; specify `%s` instead", sf.Name, rawOpt, opt)
+		}
+		switch opt {
+		case "nocase":
+			out.nocase = true
+		case "inline":
+			out.inline = true
+		case "unknown":
+			out.unknown = true
+		case "omitzero":
+			out.omitzero = true
+		case "omitempty":
+			out.omitempty = true
+		case "string":
+			out.string = true
+		case "format":
+			if !strings.HasPrefix(tag, ":") {
+				return fieldOptions{}, fmt.Errorf("Go struct field %s is missing value for `format` tag option", sf.Name)
+			}
+			tag = tag[len(":"):]
+			opt, n, err := consumeTagOption(tag)
+			if err != nil {
+				return fieldOptions{}, fmt.Errorf("Go struct field %s has malformed value for `format` tag option: %v", sf.Name, err)
+			}
+			tag = tag[n:]
+			out.format = opt
+			wasFormat = true
+		default:
+			// Reject keys that resemble one of the supported options.
+			// This catches invalid mutants such as "omitEmpty" or "omit_empty".
+			normOpt := strings.ReplaceAll(strings.ToLower(opt), "_", "")
+			switch normOpt {
+			case "nocase", "inline", "unknown", "omitzero", "omitempty", "string", "format":
+				return fieldOptions{}, fmt.Errorf("Go struct field %s has invalid appearance of `%s` tag option; specify `%s` instead", sf.Name, opt, normOpt)
+			}
+
+			// NOTE: Everything else is ignored. This does not mean it is
+			// forward compatible to insert arbitrary tag options since
+			// a future version of this package may understand that tag.
+		}
+
+		// Reject duplicates.
+		if seenOpts[opt] {
+			return fieldOptions{}, fmt.Errorf("Go struct field %s has duplicate appearance of `%s` tag option", sf.Name, rawOpt)
+		}
+		seenOpts[opt] = true
+	}
+	return out, nil
+}
+
+func consumeTagOption(in string) (string, int, error) {
+	switch r, _ := utf8.DecodeRuneInString(in); {
+	// Option as a Go identifier.
+	case r == '_' || unicode.IsLetter(r):
+		n := len(in) - len(strings.TrimLeftFunc(in, isLetterOrDigit))
+		return in[:n], n, nil
+	// Option as a single-quoted string.
+	case r == '\'':
+		// The grammar is nearly identical to a double-quoted Go string literal,
+		// but uses single quotes as the terminators. The reason for a custom
+		// grammar is because both backtick and double quotes cannot be used
+		// verbatim in a struct tag.
+		//
+		// Convert a single-quoted string to a double-quote string and rely on
+		// strconv.Unquote to handle the rest.
+		var inEscape bool
+		b := []byte{'"'}
+		n := len(`'`)
+		for len(in) > n {
+			r, rn := utf8.DecodeRuneInString(in[n:])
+			switch {
+			case inEscape:
+				if r == '\'' {
+					b = b[:len(b)-1] // remove escape character: `\'` => `'`
+				}
+				inEscape = false
+			case r == '\\':
+				inEscape = true
+			case r == '"':
+				b = append(b, '\\') // insert escape character: `"` => `\"`
+			case r == '\'':
+				b = append(b, '"')
+				n += len(`'`)
+				out, err := strconv.Unquote(string(b))
+				if err != nil {
+					return "", 0, fmt.Errorf("invalid single-quoted string: %s", in[:n])
+				}
+				return out, n, nil
+			}
+			b = append(b, in[n:][:rn]...)
+			n += rn
+		}
+		if n > 10 {
+			n = 10 // limit the amount of context printed in the error
+		}
+		return "", 0, fmt.Errorf("single-quoted string not terminated: %s...", in[:n])
+	case len(in) == 0:
+		return "", 0, io.ErrUnexpectedEOF
+	default:
+		return "", 0, fmt.Errorf("invalid character %q at start of option (expecting Unicode letter or single quote)", r)
+	}
+}
+
+func isLetterOrDigit(r rune) bool {
+	return r == '_' || unicode.IsLetter(r) || unicode.IsNumber(r)
+}
diff --git a/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/fold.go b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/fold.go
new file mode 100644
index 000000000..9ab735814
--- /dev/null
+++ b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/fold.go
@@ -0,0 +1,56 @@
+// Copyright 2020 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package json
+
+import (
+	"unicode"
+	"unicode/utf8"
+)
+
+// foldName returns a folded string such that foldName(x) == foldName(y)
+// is similar to strings.EqualFold(x, y), but ignores underscore and dashes.
+// This allows foldName to match common naming conventions.
+func foldName(in []byte) []byte {
+	// This is inlinable to take advantage of "function outlining".
+	// See https://blog.filippo.io/efficient-go-apis-with-the-inliner/
+	var arr [32]byte // large enough for most JSON names
+	return appendFoldedName(arr[:0], in)
+}
+func appendFoldedName(out, in []byte) []byte {
+	for i := 0; i < len(in); {
+		// Handle single-byte ASCII.
+		if c := in[i]; c < utf8.RuneSelf {
+			if c != '_' && c != '-' {
+				if 'a' <= c && c <= 'z' {
+					c -= 'a' - 'A'
+				}
+				out = append(out, c)
+			}
+			i++
+			continue
+		}
+		// Handle multi-byte Unicode.
+		r, n := utf8.DecodeRune(in[i:])
+		out = utf8.AppendRune(out, foldRune(r))
+		i += n
+	}
+	return out
+}
+
+// foldRune is a variation on unicode.SimpleFold that returns the same rune
+// for all runes in the same fold set.
+//
+// Invariant:
+//
+//	foldRune(x) == foldRune(y) ⇔ strings.EqualFold(string(x), string(y))
+func foldRune(r rune) rune {
+	for {
+		r2 := unicode.SimpleFold(r)
+		if r2 <= r {
+			return r2 // smallest character in the fold set
+		}
+		r = r2
+	}
+}
diff --git a/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/intern.go b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/intern.go
new file mode 100644
index 000000000..700a56db0
--- /dev/null
+++ b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/intern.go
@@ -0,0 +1,86 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package json
+
+import (
+	"encoding/binary"
+	"math/bits"
+)
+
+// stringCache is a cache for strings converted from a []byte.
+type stringCache [256]string // 256*unsafe.Sizeof(string("")) => 4KiB
+
+// make returns the string form of b.
+// It returns a pre-allocated string from c if present, otherwise
+// it allocates a new string, inserts it into the cache, and returns it.
+func (c *stringCache) make(b []byte) string {
+	const (
+		minCachedLen = 2   // single byte strings are already interned by the runtime
+		maxCachedLen = 256 // large enough for UUIDs, IPv6 addresses, SHA-256 checksums, etc.
+	)
+	if c == nil || len(b) < minCachedLen || len(b) > maxCachedLen {
+		return string(b)
+	}
+
+	// Compute a hash from the fixed-width prefix and suffix of the string.
+	// This ensures hashing a string is a constant time operation.
+	var h uint32
+	switch {
+	case len(b) >= 8:
+		lo := binary.LittleEndian.Uint64(b[:8])
+		hi := binary.LittleEndian.Uint64(b[len(b)-8:])
+		h = hash64(uint32(lo), uint32(lo>>32)) ^ hash64(uint32(hi), uint32(hi>>32))
+	case len(b) >= 4:
+		lo := binary.LittleEndian.Uint32(b[:4])
+		hi := binary.LittleEndian.Uint32(b[len(b)-4:])
+		h = hash64(lo, hi)
+	case len(b) >= 2:
+		lo := binary.LittleEndian.Uint16(b[:2])
+		hi := binary.LittleEndian.Uint16(b[len(b)-2:])
+		h = hash64(uint32(lo), uint32(hi))
+	}
+
+	// Check the cache for the string.
+	i := h % uint32(len(*c))
+	if s := (*c)[i]; s == string(b) {
+		return s
+	}
+	s := string(b)
+	(*c)[i] = s
+	return s
+}
+
+// hash64 returns the hash of two uint32s as a single uint32.
+func hash64(lo, hi uint32) uint32 {
+	// If avalanche=true, this is identical to XXH32 hash on a 8B string:
+	//	var b [8]byte
+	//	binary.LittleEndian.PutUint32(b[:4], lo)
+	//	binary.LittleEndian.PutUint32(b[4:], hi)
+	//	return xxhash.Sum32(b[:])
+	const (
+		prime1 = 0x9e3779b1
+		prime2 = 0x85ebca77
+		prime3 = 0xc2b2ae3d
+		prime4 = 0x27d4eb2f
+		prime5 = 0x165667b1
+	)
+	h := prime5 + uint32(8)
+	h += lo * prime3
+	h = bits.RotateLeft32(h, 17) * prime4
+	h += hi * prime3
+	h = bits.RotateLeft32(h, 17) * prime4
+	// Skip final mix (avalanche) step of XXH32 for performance reasons.
+	// Empirical testing shows that the improvements in unbiased distribution
+	// does not outweigh the extra cost in computational complexity.
+	const avalanche = false
+	if avalanche {
+		h ^= h >> 15
+		h *= prime2
+		h ^= h >> 13
+		h *= prime3
+		h ^= h >> 16
+	}
+	return h
+}
diff --git a/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/pools.go b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/pools.go
new file mode 100644
index 000000000..f72282211
--- /dev/null
+++ b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/pools.go
@@ -0,0 +1,150 @@
+// Copyright 2020 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package json
+
+import (
+	"bytes"
+	"io"
+	"math/bits"
+	"sync"
+)
+
+// TODO(https://go.dev/issue/47657): Use sync.PoolOf.
+
+var (
+	// This owns the internal buffer since there is no io.Writer to output to.
+	// Since the buffer can get arbitrarily large in normal usage,
+	// there is statistical tracking logic to determine whether to recycle
+	// the internal buffer or not based on a history of utilization.
+	bufferedEncoderPool = &sync.Pool{New: func() any { return new(Encoder) }}
+
+	// This owns the internal buffer, but it is only used to temporarily store
+	// buffered JSON before flushing it to the underlying io.Writer.
+	// In a sufficiently efficient streaming mode, we do not expect the buffer
+	// to grow arbitrarily large. Thus, we avoid recycling large buffers.
+	streamingEncoderPool = &sync.Pool{New: func() any { return new(Encoder) }}
+
+	// This does not own the internal buffer since
+	// it is taken directly from the provided bytes.Buffer.
+	bytesBufferEncoderPool = &sync.Pool{New: func() any { return new(Encoder) }}
+)
+
+// bufferStatistics is statistics to track buffer utilization.
+// It is used to determine whether to recycle a buffer or not
+// to avoid https://go.dev/issue/23199.
+type bufferStatistics struct {
+	strikes int // number of times the buffer was under-utilized
+	prevLen int // length of previous buffer
+}
+
+func getBufferedEncoder(o EncodeOptions) *Encoder {
+	e := bufferedEncoderPool.Get().(*Encoder)
+	if e.buf == nil {
+		// Round up to nearest 2ⁿ to make best use of malloc size classes.
+		// See runtime/sizeclasses.go on Go1.15.
+		// Logical OR with 63 to ensure 64 as the minimum buffer size.
+		n := 1 << bits.Len(uint(e.bufStats.prevLen|63))
+		e.buf = make([]byte, 0, n)
+	}
+	e.reset(e.buf[:0], nil, o)
+	return e
+}
+func putBufferedEncoder(e *Encoder) {
+	// Recycle large buffers only if sufficiently utilized.
+	// If a buffer is under-utilized enough times sequentially,
+	// then it is discarded, ensuring that a single large buffer
+	// won't be kept alive by a continuous stream of small usages.
+	//
+	// The worst case utilization is computed as:
+	//	MIN_UTILIZATION_THRESHOLD / (1 + MAX_NUM_STRIKES)
+	//
+	// For the constants chosen below, this is (25%)/(1+4) ⇒ 5%.
+	// This may seem low, but it ensures a lower bound on
+	// the absolute worst-case utilization. Without this check,
+	// this would be theoretically 0%, which is infinitely worse.
+	//
+	// See https://go.dev/issue/27735.
+	switch {
+	case cap(e.buf) <= 4<<10: // always recycle buffers smaller than 4KiB
+		e.bufStats.strikes = 0
+	case cap(e.buf)/4 <= len(e.buf): // at least 25% utilization
+		e.bufStats.strikes = 0
+	case e.bufStats.strikes < 4: // at most 4 strikes
+		e.bufStats.strikes++
+	default: // discard the buffer; too large and too often under-utilized
+		e.bufStats.strikes = 0
+		e.bufStats.prevLen = len(e.buf) // heuristic for size to allocate next time
+		e.buf = nil
+	}
+	bufferedEncoderPool.Put(e)
+}
+
+func getStreamingEncoder(w io.Writer, o EncodeOptions) *Encoder {
+	if _, ok := w.(*bytes.Buffer); ok {
+		e := bytesBufferEncoderPool.Get().(*Encoder)
+		e.reset(nil, w, o) // buffer taken from bytes.Buffer
+		return e
+	} else {
+		e := streamingEncoderPool.Get().(*Encoder)
+		e.reset(e.buf[:0], w, o) // preserve existing buffer
+		return e
+	}
+}
+func putStreamingEncoder(e *Encoder) {
+	if _, ok := e.wr.(*bytes.Buffer); ok {
+		bytesBufferEncoderPool.Put(e)
+	} else {
+		if cap(e.buf) > 64<<10 {
+			e.buf = nil // avoid pinning arbitrarily large amounts of memory
+		}
+		streamingEncoderPool.Put(e)
+	}
+}
+
+var (
+	// This does not own the internal buffer since it is externally provided.
+	bufferedDecoderPool = &sync.Pool{New: func() any { return new(Decoder) }}
+
+	// This owns the internal buffer, but it is only used to temporarily store
+	// buffered JSON fetched from the underlying io.Reader.
+	// In a sufficiently efficient streaming mode, we do not expect the buffer
+	// to grow arbitrarily large. Thus, we avoid recycling large buffers.
+	streamingDecoderPool = &sync.Pool{New: func() any { return new(Decoder) }}
+
+	// This does not own the internal buffer since
+	// it is taken directly from the provided bytes.Buffer.
+	bytesBufferDecoderPool = bufferedDecoderPool
+)
+
+func getBufferedDecoder(b []byte, o DecodeOptions) *Decoder {
+	d := bufferedDecoderPool.Get().(*Decoder)
+	d.reset(b, nil, o)
+	return d
+}
+func putBufferedDecoder(d *Decoder) {
+	bufferedDecoderPool.Put(d)
+}
+
+func getStreamingDecoder(r io.Reader, o DecodeOptions) *Decoder {
+	if _, ok := r.(*bytes.Buffer); ok {
+		d := bytesBufferDecoderPool.Get().(*Decoder)
+		d.reset(nil, r, o) // buffer taken from bytes.Buffer
+		return d
+	} else {
+		d := streamingDecoderPool.Get().(*Decoder)
+		d.reset(d.buf[:0], r, o) // preserve existing buffer
+		return d
+	}
+}
+func putStreamingDecoder(d *Decoder) {
+	if _, ok := d.rd.(*bytes.Buffer); ok {
+		bytesBufferDecoderPool.Put(d)
+	} else {
+		if cap(d.buf) > 64<<10 {
+			d.buf = nil // avoid pinning arbitrarily large amounts of memory
+		}
+		streamingDecoderPool.Put(d)
+	}
+}
diff --git a/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/state.go b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/state.go
new file mode 100644
index 000000000..d9c33f2b4
--- /dev/null
+++ b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/state.go
@@ -0,0 +1,747 @@
+// Copyright 2020 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package json
+
+import (
+	"math"
+	"strconv"
+)
+
+var (
+	errMissingName   = &SyntacticError{str: "missing string for object name"}
+	errMissingColon  = &SyntacticError{str: "missing character ':' after object name"}
+	errMissingValue  = &SyntacticError{str: "missing value after object name"}
+	errMissingComma  = &SyntacticError{str: "missing character ',' after object or array value"}
+	errMismatchDelim = &SyntacticError{str: "mismatching structural token for object or array"}
+)
+
+const errInvalidNamespace = jsonError("object namespace is in an invalid state")
+
+type state struct {
+	// tokens validates whether the next token kind is valid.
+	tokens stateMachine
+
+	// names is a stack of object names.
+	// Not used if AllowDuplicateNames is true.
+	names objectNameStack
+
+	// namespaces is a stack of object namespaces.
+	// For performance reasons, Encoder or Decoder may not update this
+	// if Marshal or Unmarshal is able to track names in a more efficient way.
+	// See makeMapArshaler and makeStructArshaler.
+	// Not used if AllowDuplicateNames is true.
+	namespaces objectNamespaceStack
+}
+
+func (s *state) reset() {
+	s.tokens.reset()
+	s.names.reset()
+	s.namespaces.reset()
+}
+
+// appendStackPointer appends a JSON Pointer (RFC 6901) to the current value.
+// The returned pointer is only accurate if s.names is populated,
+// otherwise it uses the numeric index as the object member name.
+//
+// Invariant: Must call s.names.copyQuotedBuffer beforehand.
+func (s state) appendStackPointer(b []byte) []byte {
+	var objectDepth int
+	for i := 1; i < s.tokens.depth(); i++ {
+		e := s.tokens.index(i)
+		if e.length() == 0 {
+			break // empty object or array
+		}
+		b = append(b, '/')
+		switch {
+		case e.isObject():
+			if objectDepth < s.names.length() {
+				for _, c := range s.names.getUnquoted(objectDepth) {
+					// Per RFC 6901, section 3, escape '~' and '/' characters.
+					switch c {
+					case '~':
+						b = append(b, "~0"...)
+					case '/':
+						b = append(b, "~1"...)
+					default:
+						b = append(b, c)
+					}
+				}
+			} else {
+				// Since the names stack is unpopulated, the name is unknown.
+				// As a best-effort replacement, use the numeric member index.
+				// While inaccurate, it produces a syntactically valid pointer.
+				b = strconv.AppendUint(b, uint64((e.length()-1)/2), 10)
+			}
+			objectDepth++
+		case e.isArray():
+			b = strconv.AppendUint(b, uint64(e.length()-1), 10)
+		}
+	}
+	return b
+}
+
+// stateMachine is a push-down automaton that validates whether
+// a sequence of tokens is valid or not according to the JSON grammar.
+// It is useful for both encoding and decoding.
+//
+// It is a stack where each entry represents a nested JSON object or array.
+// The stack has a minimum depth of 1 where the first level is a
+// virtual JSON array to handle a stream of top-level JSON values.
+// The top-level virtual JSON array is special in that it doesn't require commas
+// between each JSON value.
+//
+// For performance, most methods are carefully written to be inlineable.
+// The zero value is a valid state machine ready for use.
+type stateMachine struct {
+	stack []stateEntry
+	last  stateEntry
+}
+
+// reset resets the state machine.
+// The machine always starts with a minimum depth of 1.
+func (m *stateMachine) reset() {
+	m.stack = m.stack[:0]
+	if cap(m.stack) > 1<<10 {
+		m.stack = nil
+	}
+	m.last = stateTypeArray
+}
+
+// depth is the current nested depth of JSON objects and arrays.
+// It is one-indexed (i.e., top-level values have a depth of 1).
+func (m stateMachine) depth() int {
+	return len(m.stack) + 1
+}
+
+// index returns a reference to the ith entry.
+// It is only valid until the next push method call.
+func (m *stateMachine) index(i int) *stateEntry {
+	if i == len(m.stack) {
+		return &m.last
+	}
+	return &m.stack[i]
+}
+
+// depthLength reports the current nested depth and
+// the length of the last JSON object or array.
+func (m stateMachine) depthLength() (int, int) {
+	return m.depth(), m.last.length()
+}
+
+// appendLiteral appends a JSON literal as the next token in the sequence.
+// If an error is returned, the state is not mutated.
+func (m *stateMachine) appendLiteral() error {
+	switch {
+	case m.last.needObjectName():
+		return errMissingName
+	case !m.last.isValidNamespace():
+		return errInvalidNamespace
+	default:
+		m.last.increment()
+		return nil
+	}
+}
+
+// appendString appends a JSON string as the next token in the sequence.
+// If an error is returned, the state is not mutated.
+func (m *stateMachine) appendString() error {
+	switch {
+	case !m.last.isValidNamespace():
+		return errInvalidNamespace
+	default:
+		m.last.increment()
+		return nil
+	}
+}
+
+// appendNumber appends a JSON number as the next token in the sequence.
+// If an error is returned, the state is not mutated.
+func (m *stateMachine) appendNumber() error {
+	return m.appendLiteral()
+}
+
+// pushObject appends a JSON start object token as next in the sequence.
+// If an error is returned, the state is not mutated.
+func (m *stateMachine) pushObject() error {
+	switch {
+	case m.last.needObjectName():
+		return errMissingName
+	case !m.last.isValidNamespace():
+		return errInvalidNamespace
+	default:
+		m.last.increment()
+		m.stack = append(m.stack, m.last)
+		m.last = stateTypeObject
+		return nil
+	}
+}
+
+// popObject appends a JSON end object token as next in the sequence.
+// If an error is returned, the state is not mutated.
+func (m *stateMachine) popObject() error {
+	switch {
+	case !m.last.isObject():
+		return errMismatchDelim
+	case m.last.needObjectValue():
+		return errMissingValue
+	case !m.last.isValidNamespace():
+		return errInvalidNamespace
+	default:
+		m.last = m.stack[len(m.stack)-1]
+		m.stack = m.stack[:len(m.stack)-1]
+		return nil
+	}
+}
+
+// pushArray appends a JSON start array token as next in the sequence.
+// If an error is returned, the state is not mutated.
+func (m *stateMachine) pushArray() error {
+	switch {
+	case m.last.needObjectName():
+		return errMissingName
+	case !m.last.isValidNamespace():
+		return errInvalidNamespace
+	default:
+		m.last.increment()
+		m.stack = append(m.stack, m.last)
+		m.last = stateTypeArray
+		return nil
+	}
+}
+
+// popArray appends a JSON end array token as next in the sequence.
+// If an error is returned, the state is not mutated.
+func (m *stateMachine) popArray() error {
+	switch {
+	case !m.last.isArray() || len(m.stack) == 0: // forbid popping top-level virtual JSON array
+		return errMismatchDelim
+	case !m.last.isValidNamespace():
+		return errInvalidNamespace
+	default:
+		m.last = m.stack[len(m.stack)-1]
+		m.stack = m.stack[:len(m.stack)-1]
+		return nil
+	}
+}
+
+// needIndent reports whether indent whitespace should be injected.
+// A zero value means that no whitespace should be injected.
+// A positive value means '\n', indentPrefix, and (n-1) copies of indentBody
+// should be appended to the output immediately before the next token.
+func (m stateMachine) needIndent(next Kind) (n int) {
+	willEnd := next == '}' || next == ']'
+	switch {
+	case m.depth() == 1:
+		return 0 // top-level values are never indented
+	case m.last.length() == 0 && willEnd:
+		return 0 // an empty object or array is never indented
+	case m.last.length() == 0 || m.last.needImplicitComma(next):
+		return m.depth()
+	case willEnd:
+		return m.depth() - 1
+	default:
+		return 0
+	}
+}
+
+// mayAppendDelim appends a colon or comma that may precede the next token.
+func (m stateMachine) mayAppendDelim(b []byte, next Kind) []byte {
+	switch {
+	case m.last.needImplicitColon():
+		return append(b, ':')
+	case m.last.needImplicitComma(next) && len(m.stack) != 0: // comma not needed for top-level values
+		return append(b, ',')
+	default:
+		return b
+	}
+}
+
+// needDelim reports whether a colon or comma token should be implicitly emitted
+// before the next token of the specified kind.
+// A zero value means no delimiter should be emitted.
+func (m stateMachine) needDelim(next Kind) (delim byte) {
+	switch {
+	case m.last.needImplicitColon():
+		return ':'
+	case m.last.needImplicitComma(next) && len(m.stack) != 0: // comma not needed for top-level values
+		return ','
+	default:
+		return 0
+	}
+}
+
+// checkDelim reports whether the specified delimiter should be there given
+// the kind of the next token that appears immediately afterwards.
+func (m stateMachine) checkDelim(delim byte, next Kind) error {
+	switch needDelim := m.needDelim(next); {
+	case needDelim == delim:
+		return nil
+	case needDelim == ':':
+		return errMissingColon
+	case needDelim == ',':
+		return errMissingComma
+	default:
+		return newInvalidCharacterError([]byte{delim}, "before next token")
+	}
+}
+
+// invalidateDisabledNamespaces marks all disabled namespaces as invalid.
+//
+// For efficiency, Marshal and Unmarshal may disable namespaces since there are
+// more efficient ways to track duplicate names. However, if an error occurs,
+// the namespaces in Encoder or Decoder will be left in an inconsistent state.
+// Mark the namespaces as invalid so that future method calls on
+// Encoder or Decoder will return an error.
+func (m *stateMachine) invalidateDisabledNamespaces() {
+	for i := 0; i < m.depth(); i++ {
+		e := m.index(i)
+		if !e.isActiveNamespace() {
+			e.invalidateNamespace()
+		}
+	}
+}
+
+// stateEntry encodes several artifacts within a single unsigned integer:
+//   - whether this represents a JSON object or array,
+//   - whether this object should check for duplicate names, and
+//   - how many elements are in this JSON object or array.
+type stateEntry uint64
+
+const (
+	// The type mask (1 bit) records whether this is a JSON object or array.
+	stateTypeMask   stateEntry = 0x8000_0000_0000_0000
+	stateTypeObject stateEntry = 0x8000_0000_0000_0000
+	stateTypeArray  stateEntry = 0x0000_0000_0000_0000
+
+	// The name check mask (2 bit) records whether to update
+	// the namespaces for the current JSON object and
+	// whether the namespace is valid.
+	stateNamespaceMask    stateEntry = 0x6000_0000_0000_0000
+	stateDisableNamespace stateEntry = 0x4000_0000_0000_0000
+	stateInvalidNamespace stateEntry = 0x2000_0000_0000_0000
+
+	// The count mask (61 bits) records the number of elements.
+	stateCountMask    stateEntry = 0x1fff_ffff_ffff_ffff
+	stateCountLSBMask stateEntry = 0x0000_0000_0000_0001
+	stateCountOdd     stateEntry = 0x0000_0000_0000_0001
+	stateCountEven    stateEntry = 0x0000_0000_0000_0000
+)
+
+// length reports the number of elements in the JSON object or array.
+// Each name and value in an object entry is treated as a separate element.
+func (e stateEntry) length() int {
+	return int(e & stateCountMask)
+}
+
+// isObject reports whether this is a JSON object.
+func (e stateEntry) isObject() bool {
+	return e&stateTypeMask == stateTypeObject
+}
+
+// isArray reports whether this is a JSON array.
+func (e stateEntry) isArray() bool {
+	return e&stateTypeMask == stateTypeArray
+}
+
+// needObjectName reports whether the next token must be a JSON string,
+// which is necessary for JSON object names.
+func (e stateEntry) needObjectName() bool {
+	return e&(stateTypeMask|stateCountLSBMask) == stateTypeObject|stateCountEven
+}
+
+// needImplicitColon reports whether an colon should occur next,
+// which always occurs after JSON object names.
+func (e stateEntry) needImplicitColon() bool {
+	return e.needObjectValue()
+}
+
+// needObjectValue reports whether the next token must be a JSON value,
+// which is necessary after every JSON object name.
+func (e stateEntry) needObjectValue() bool {
+	return e&(stateTypeMask|stateCountLSBMask) == stateTypeObject|stateCountOdd
+}
+
+// needImplicitComma reports whether an comma should occur next,
+// which always occurs after a value in a JSON object or array
+// before the next value (or name).
+func (e stateEntry) needImplicitComma(next Kind) bool {
+	return !e.needObjectValue() && e.length() > 0 && next != '}' && next != ']'
+}
+
+// increment increments the number of elements for the current object or array.
+// This assumes that overflow won't practically be an issue since
+// 1<<bits.OnesCount(stateCountMask) is sufficiently large.
+func (e *stateEntry) increment() {
+	(*e)++
+}
+
+// decrement decrements the number of elements for the current object or array.
+// It is the callers responsibility to ensure that e.length > 0.
+func (e *stateEntry) decrement() {
+	(*e)--
+}
+
+// disableNamespace disables the JSON object namespace such that the
+// Encoder or Decoder no longer updates the namespace.
+func (e *stateEntry) disableNamespace() {
+	*e |= stateDisableNamespace
+}
+
+// isActiveNamespace reports whether the JSON object namespace is actively
+// being updated and used for duplicate name checks.
+func (e stateEntry) isActiveNamespace() bool {
+	return e&(stateDisableNamespace) == 0
+}
+
+// invalidateNamespace marks the JSON object namespace as being invalid.
+func (e *stateEntry) invalidateNamespace() {
+	*e |= stateInvalidNamespace
+}
+
+// isValidNamespace reports whether the JSON object namespace is valid.
+func (e stateEntry) isValidNamespace() bool {
+	return e&(stateInvalidNamespace) == 0
+}
+
+// objectNameStack is a stack of names when descending into a JSON object.
+// In contrast to objectNamespaceStack, this only has to remember a single name
+// per JSON object.
+//
+// This data structure may contain offsets to encodeBuffer or decodeBuffer.
+// It violates clean abstraction of layers, but is significantly more efficient.
+// This ensures that popping and pushing in the common case is a trivial
+// push/pop of an offset integer.
+//
+// The zero value is an empty names stack ready for use.
+type objectNameStack struct {
+	// offsets is a stack of offsets for each name.
+	// A non-negative offset is the ending offset into the local names buffer.
+	// A negative offset is the bit-wise inverse of a starting offset into
+	// a remote buffer (e.g., encodeBuffer or decodeBuffer).
+	// A math.MinInt offset at the end implies that the last object is empty.
+	// Invariant: Positive offsets always occur before negative offsets.
+	offsets []int
+	// unquotedNames is a back-to-back concatenation of names.
+	unquotedNames []byte
+}
+
+func (ns *objectNameStack) reset() {
+	ns.offsets = ns.offsets[:0]
+	ns.unquotedNames = ns.unquotedNames[:0]
+	if cap(ns.offsets) > 1<<6 {
+		ns.offsets = nil // avoid pinning arbitrarily large amounts of memory
+	}
+	if cap(ns.unquotedNames) > 1<<10 {
+		ns.unquotedNames = nil // avoid pinning arbitrarily large amounts of memory
+	}
+}
+
+func (ns *objectNameStack) length() int {
+	return len(ns.offsets)
+}
+
+// getUnquoted retrieves the ith unquoted name in the namespace.
+// It returns an empty string if the last object is empty.
+//
+// Invariant: Must call copyQuotedBuffer beforehand.
+func (ns *objectNameStack) getUnquoted(i int) []byte {
+	ns.ensureCopiedBuffer()
+	if i == 0 {
+		return ns.unquotedNames[:ns.offsets[0]]
+	} else {
+		return ns.unquotedNames[ns.offsets[i-1]:ns.offsets[i-0]]
+	}
+}
+
+// invalidOffset indicates that the last JSON object currently has no name.
+const invalidOffset = math.MinInt
+
+// push descends into a nested JSON object.
+func (ns *objectNameStack) push() {
+	ns.offsets = append(ns.offsets, invalidOffset)
+}
+
+// replaceLastQuotedOffset replaces the last name with the starting offset
+// to the quoted name in some remote buffer. All offsets provided must be
+// relative to the same buffer until copyQuotedBuffer is called.
+func (ns *objectNameStack) replaceLastQuotedOffset(i int) {
+	// Use bit-wise inversion instead of naive multiplication by -1 to avoid
+	// ambiguity regarding zero (which is a valid offset into the names field).
+	// Bit-wise inversion is mathematically equivalent to -i-1,
+	// such that 0 becomes -1, 1 becomes -2, and so forth.
+	// This ensures that remote offsets are always negative.
+	ns.offsets[len(ns.offsets)-1] = ^i
+}
+
+// replaceLastUnquotedName replaces the last name with the provided name.
+//
+// Invariant: Must call copyQuotedBuffer beforehand.
+func (ns *objectNameStack) replaceLastUnquotedName(s string) {
+	ns.ensureCopiedBuffer()
+	var startOffset int
+	if len(ns.offsets) > 1 {
+		startOffset = ns.offsets[len(ns.offsets)-2]
+	}
+	ns.unquotedNames = append(ns.unquotedNames[:startOffset], s...)
+	ns.offsets[len(ns.offsets)-1] = len(ns.unquotedNames)
+}
+
+// clearLast removes any name in the last JSON object.
+// It is semantically equivalent to ns.push followed by ns.pop.
+func (ns *objectNameStack) clearLast() {
+	ns.offsets[len(ns.offsets)-1] = invalidOffset
+}
+
+// pop ascends out of a nested JSON object.
+func (ns *objectNameStack) pop() {
+	ns.offsets = ns.offsets[:len(ns.offsets)-1]
+}
+
+// copyQuotedBuffer copies names from the remote buffer into the local names
+// buffer so that there are no more offset references into the remote buffer.
+// This allows the remote buffer to change contents without affecting
+// the names that this data structure is trying to remember.
+func (ns *objectNameStack) copyQuotedBuffer(b []byte) {
+	// Find the first negative offset.
+	var i int
+	for i = len(ns.offsets) - 1; i >= 0 && ns.offsets[i] < 0; i-- {
+		continue
+	}
+
+	// Copy each name from the remote buffer into the local buffer.
+	for i = i + 1; i < len(ns.offsets); i++ {
+		if i == len(ns.offsets)-1 && ns.offsets[i] == invalidOffset {
+			if i == 0 {
+				ns.offsets[i] = 0
+			} else {
+				ns.offsets[i] = ns.offsets[i-1]
+			}
+			break // last JSON object had a push without any names
+		}
+
+		// As a form of Hyrum proofing, we write an invalid character into the
+		// buffer to make misuse of Decoder.ReadToken more obvious.
+		// We need to undo that mutation here.
+		quotedName := b[^ns.offsets[i]:]
+		if quotedName[0] == invalidateBufferByte {
+			quotedName[0] = '"'
+		}
+
+		// Append the unquoted name to the local buffer.
+		var startOffset int
+		if i > 0 {
+			startOffset = ns.offsets[i-1]
+		}
+		if n := consumeSimpleString(quotedName); n > 0 {
+			ns.unquotedNames = append(ns.unquotedNames[:startOffset], quotedName[len(`"`):n-len(`"`)]...)
+		} else {
+			ns.unquotedNames, _ = unescapeString(ns.unquotedNames[:startOffset], quotedName)
+		}
+		ns.offsets[i] = len(ns.unquotedNames)
+	}
+}
+
+func (ns *objectNameStack) ensureCopiedBuffer() {
+	if len(ns.offsets) > 0 && ns.offsets[len(ns.offsets)-1] < 0 {
+		panic("BUG: copyQuotedBuffer not called beforehand")
+	}
+}
+
+// objectNamespaceStack is a stack of object namespaces.
+// This data structure assists in detecting duplicate names.
+type objectNamespaceStack []objectNamespace
+
+// reset resets the object namespace stack.
+func (nss *objectNamespaceStack) reset() {
+	if cap(*nss) > 1<<10 {
+		*nss = nil
+	}
+	*nss = (*nss)[:0]
+}
+
+// push starts a new namespace for a nested JSON object.
+func (nss *objectNamespaceStack) push() {
+	if cap(*nss) > len(*nss) {
+		*nss = (*nss)[:len(*nss)+1]
+		nss.last().reset()
+	} else {
+		*nss = append(*nss, objectNamespace{})
+	}
+}
+
+// last returns a pointer to the last JSON object namespace.
+func (nss objectNamespaceStack) last() *objectNamespace {
+	return &nss[len(nss)-1]
+}
+
+// pop terminates the namespace for a nested JSON object.
+func (nss *objectNamespaceStack) pop() {
+	*nss = (*nss)[:len(*nss)-1]
+}
+
+// objectNamespace is the namespace for a JSON object.
+// In contrast to objectNameStack, this needs to remember a all names
+// per JSON object.
+//
+// The zero value is an empty namespace ready for use.
+type objectNamespace struct {
+	// It relies on a linear search over all the names before switching
+	// to use a Go map for direct lookup.
+
+	// endOffsets is a list of offsets to the end of each name in buffers.
+	// The length of offsets is the number of names in the namespace.
+	endOffsets []uint
+	// allUnquotedNames is a back-to-back concatenation of every name in the namespace.
+	allUnquotedNames []byte
+	// mapNames is a Go map containing every name in the namespace.
+	// Only valid if non-nil.
+	mapNames map[string]struct{}
+}
+
+// reset resets the namespace to be empty.
+func (ns *objectNamespace) reset() {
+	ns.endOffsets = ns.endOffsets[:0]
+	ns.allUnquotedNames = ns.allUnquotedNames[:0]
+	ns.mapNames = nil
+	if cap(ns.endOffsets) > 1<<6 {
+		ns.endOffsets = nil // avoid pinning arbitrarily large amounts of memory
+	}
+	if cap(ns.allUnquotedNames) > 1<<10 {
+		ns.allUnquotedNames = nil // avoid pinning arbitrarily large amounts of memory
+	}
+}
+
+// length reports the number of names in the namespace.
+func (ns *objectNamespace) length() int {
+	return len(ns.endOffsets)
+}
+
+// getUnquoted retrieves the ith unquoted name in the namespace.
+func (ns *objectNamespace) getUnquoted(i int) []byte {
+	if i == 0 {
+		return ns.allUnquotedNames[:ns.endOffsets[0]]
+	} else {
+		return ns.allUnquotedNames[ns.endOffsets[i-1]:ns.endOffsets[i-0]]
+	}
+}
+
+// lastUnquoted retrieves the last name in the namespace.
+func (ns *objectNamespace) lastUnquoted() []byte {
+	return ns.getUnquoted(ns.length() - 1)
+}
+
+// insertQuoted inserts a name and reports whether it was inserted,
+// which only occurs if name is not already in the namespace.
+// The provided name must be a valid JSON string.
+func (ns *objectNamespace) insertQuoted(name []byte, isVerbatim bool) bool {
+	if isVerbatim {
+		name = name[len(`"`) : len(name)-len(`"`)]
+	}
+	return ns.insert(name, !isVerbatim)
+}
+func (ns *objectNamespace) insertUnquoted(name []byte) bool {
+	return ns.insert(name, false)
+}
+func (ns *objectNamespace) insert(name []byte, quoted bool) bool {
+	var allNames []byte
+	if quoted {
+		allNames, _ = unescapeString(ns.allUnquotedNames, name)
+	} else {
+		allNames = append(ns.allUnquotedNames, name...)
+	}
+	name = allNames[len(ns.allUnquotedNames):]
+
+	// Switch to a map if the buffer is too large for linear search.
+	// This does not add the current name to the map.
+	if ns.mapNames == nil && (ns.length() > 64 || len(ns.allUnquotedNames) > 1024) {
+		ns.mapNames = make(map[string]struct{})
+		var startOffset uint
+		for _, endOffset := range ns.endOffsets {
+			name := ns.allUnquotedNames[startOffset:endOffset]
+			ns.mapNames[string(name)] = struct{}{} // allocates a new string
+			startOffset = endOffset
+		}
+	}
+
+	if ns.mapNames == nil {
+		// Perform linear search over the buffer to find matching names.
+		// It provides O(n) lookup, but does not require any allocations.
+		var startOffset uint
+		for _, endOffset := range ns.endOffsets {
+			if string(ns.allUnquotedNames[startOffset:endOffset]) == string(name) {
+				return false
+			}
+			startOffset = endOffset
+		}
+	} else {
+		// Use the map if it is populated.
+		// It provides O(1) lookup, but requires a string allocation per name.
+		if _, ok := ns.mapNames[string(name)]; ok {
+			return false
+		}
+		ns.mapNames[string(name)] = struct{}{} // allocates a new string
+	}
+
+	ns.allUnquotedNames = allNames
+	ns.endOffsets = append(ns.endOffsets, uint(len(ns.allUnquotedNames)))
+	return true
+}
+
+// removeLast removes the last name in the namespace.
+func (ns *objectNamespace) removeLast() {
+	if ns.mapNames != nil {
+		delete(ns.mapNames, string(ns.lastUnquoted()))
+	}
+	if ns.length()-1 == 0 {
+		ns.endOffsets = ns.endOffsets[:0]
+		ns.allUnquotedNames = ns.allUnquotedNames[:0]
+	} else {
+		ns.endOffsets = ns.endOffsets[:ns.length()-1]
+		ns.allUnquotedNames = ns.allUnquotedNames[:ns.endOffsets[ns.length()-1]]
+	}
+}
+
+type uintSet64 uint64
+
+func (s uintSet64) has(i uint) bool { return s&(1<<i) > 0 }
+func (s *uintSet64) set(i uint)     { *s |= 1 << i }
+
+// uintSet is a set of unsigned integers.
+// It is optimized for most integers being close to zero.
+type uintSet struct {
+	lo uintSet64
+	hi []uintSet64
+}
+
+// has reports whether i is in the set.
+func (s *uintSet) has(i uint) bool {
+	if i < 64 {
+		return s.lo.has(i)
+	} else {
+		i -= 64
+		iHi, iLo := int(i/64), uint(i%64)
+		return iHi < len(s.hi) && s.hi[iHi].has(iLo)
+	}
+}
+
+// insert inserts i into the set and reports whether it was the first insertion.
+func (s *uintSet) insert(i uint) bool {
+	// TODO: Make this inlineable at least for the lower 64-bit case.
+	if i < 64 {
+		has := s.lo.has(i)
+		s.lo.set(i)
+		return !has
+	} else {
+		i -= 64
+		iHi, iLo := int(i/64), uint(i%64)
+		if iHi >= len(s.hi) {
+			s.hi = append(s.hi, make([]uintSet64, iHi+1-len(s.hi))...)
+			s.hi = s.hi[:cap(s.hi)]
+		}
+		has := s.hi[iHi].has(iLo)
+		s.hi[iHi].set(iLo)
+		return !has
+	}
+}
diff --git a/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/token.go b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/token.go
new file mode 100644
index 000000000..08509c296
--- /dev/null
+++ b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/token.go
@@ -0,0 +1,522 @@
+// Copyright 2020 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package json
+
+import (
+	"math"
+	"strconv"
+)
+
+// NOTE: Token is analogous to v1 json.Token.
+
+const (
+	maxInt64  = math.MaxInt64
+	minInt64  = math.MinInt64
+	maxUint64 = math.MaxUint64
+	minUint64 = 0 // for consistency and readability purposes
+
+	invalidTokenPanic = "invalid json.Token; it has been voided by a subsequent json.Decoder call"
+)
+
+// Token represents a lexical JSON token, which may be one of the following:
+//   - a JSON literal (i.e., null, true, or false)
+//   - a JSON string (e.g., "hello, world!")
+//   - a JSON number (e.g., 123.456)
+//   - a start or end delimiter for a JSON object (i.e., { or } )
+//   - a start or end delimiter for a JSON array (i.e., [ or ] )
+//
+// A Token cannot represent entire array or object values, while a RawValue can.
+// There is no Token to represent commas and colons since
+// these structural tokens can be inferred from the surrounding context.
+type Token struct {
+	nonComparable
+
+	// Tokens can exist in either a "raw" or an "exact" form.
+	// Tokens produced by the Decoder are in the "raw" form.
+	// Tokens returned by constructors are usually in the "exact" form.
+	// The Encoder accepts Tokens in either the "raw" or "exact" form.
+	//
+	// The following chart shows the possible values for each Token type:
+	//	╔═════════════════╦════════════╤════════════╤════════════╗
+	//	║ Token type      ║ raw field  │ str field  │ num field  ║
+	//	╠═════════════════╬════════════╪════════════╪════════════╣
+	//	║ null   (raw)    ║ "null"     │ ""         │ 0          ║
+	//	║ false  (raw)    ║ "false"    │ ""         │ 0          ║
+	//	║ true   (raw)    ║ "true"     │ ""         │ 0          ║
+	//	║ string (raw)    ║ non-empty  │ ""         │ offset     ║
+	//	║ string (string) ║ nil        │ non-empty  │ 0          ║
+	//	║ number (raw)    ║ non-empty  │ ""         │ offset     ║
+	//	║ number (float)  ║ nil        │ "f"        │ non-zero   ║
+	//	║ number (int64)  ║ nil        │ "i"        │ non-zero   ║
+	//	║ number (uint64) ║ nil        │ "u"        │ non-zero   ║
+	//	║ object (delim)  ║ "{" or "}" │ ""         │ 0          ║
+	//	║ array  (delim)  ║ "[" or "]" │ ""         │ 0          ║
+	//	╚═════════════════╩════════════╧════════════╧════════════╝
+	//
+	// Notes:
+	//   - For tokens stored in "raw" form, the num field contains the
+	//     absolute offset determined by raw.previousOffsetStart().
+	//     The buffer itself is stored in raw.previousBuffer().
+	//   - JSON literals and structural characters are always in the "raw" form.
+	//   - JSON strings and numbers can be in either "raw" or "exact" forms.
+	//   - The exact zero value of JSON strings and numbers in the "exact" forms
+	//     have ambiguous representation. Thus, they are always represented
+	//     in the "raw" form.
+
+	// raw contains a reference to the raw decode buffer.
+	// If non-nil, then its value takes precedence over str and num.
+	// It is only valid if num == raw.previousOffsetStart().
+	raw *decodeBuffer
+
+	// str is the unescaped JSON string if num is zero.
+	// Otherwise, it is "f", "i", or "u" if num should be interpreted
+	// as a float64, int64, or uint64, respectively.
+	str string
+
+	// num is a float64, int64, or uint64 stored as a uint64 value.
+	// It is non-zero for any JSON number in the "exact" form.
+	num uint64
+}
+
+// TODO: Does representing 1-byte delimiters as *decodeBuffer cause performance issues?
+
+var (
+	Null  Token = rawToken("null")
+	False Token = rawToken("false")
+	True  Token = rawToken("true")
+
+	ObjectStart Token = rawToken("{")
+	ObjectEnd   Token = rawToken("}")
+	ArrayStart  Token = rawToken("[")
+	ArrayEnd    Token = rawToken("]")
+
+	zeroString Token = rawToken(`""`)
+	zeroNumber Token = rawToken(`0`)
+
+	nanString  Token = String("NaN")
+	pinfString Token = String("Infinity")
+	ninfString Token = String("-Infinity")
+)
+
+func rawToken(s string) Token {
+	return Token{raw: &decodeBuffer{buf: []byte(s), prevStart: 0, prevEnd: len(s)}}
+}
+
+// Bool constructs a Token representing a JSON boolean.
+func Bool(b bool) Token {
+	if b {
+		return True
+	}
+	return False
+}
+
+// String construct a Token representing a JSON string.
+// The provided string should contain valid UTF-8, otherwise invalid characters
+// may be mangled as the Unicode replacement character.
+func String(s string) Token {
+	if len(s) == 0 {
+		return zeroString
+	}
+	return Token{str: s}
+}
+
+// Float constructs a Token representing a JSON number.
+// The values NaN, +Inf, and -Inf will be represented
+// as a JSON string with the values "NaN", "Infinity", and "-Infinity".
+func Float(n float64) Token {
+	switch {
+	case math.Float64bits(n) == 0:
+		return zeroNumber
+	case math.IsNaN(n):
+		return nanString
+	case math.IsInf(n, +1):
+		return pinfString
+	case math.IsInf(n, -1):
+		return ninfString
+	}
+	return Token{str: "f", num: math.Float64bits(n)}
+}
+
+// Int constructs a Token representing a JSON number from an int64.
+func Int(n int64) Token {
+	if n == 0 {
+		return zeroNumber
+	}
+	return Token{str: "i", num: uint64(n)}
+}
+
+// Uint constructs a Token representing a JSON number from a uint64.
+func Uint(n uint64) Token {
+	if n == 0 {
+		return zeroNumber
+	}
+	return Token{str: "u", num: uint64(n)}
+}
+
+// Clone makes a copy of the Token such that its value remains valid
+// even after a subsequent Decoder.Read call.
+func (t Token) Clone() Token {
+	// TODO: Allow caller to avoid any allocations?
+	if raw := t.raw; raw != nil {
+		// Avoid copying globals.
+		if t.raw.prevStart == 0 {
+			switch t.raw {
+			case Null.raw:
+				return Null
+			case False.raw:
+				return False
+			case True.raw:
+				return True
+			case ObjectStart.raw:
+				return ObjectStart
+			case ObjectEnd.raw:
+				return ObjectEnd
+			case ArrayStart.raw:
+				return ArrayStart
+			case ArrayEnd.raw:
+				return ArrayEnd
+			}
+		}
+
+		if uint64(raw.previousOffsetStart()) != t.num {
+			panic(invalidTokenPanic)
+		}
+		// TODO(https://go.dev/issue/45038): Use bytes.Clone.
+		buf := append([]byte(nil), raw.previousBuffer()...)
+		return Token{raw: &decodeBuffer{buf: buf, prevStart: 0, prevEnd: len(buf)}}
+	}
+	return t
+}
+
+// Bool returns the value for a JSON boolean.
+// It panics if the token kind is not a JSON boolean.
+func (t Token) Bool() bool {
+	switch t.raw {
+	case True.raw:
+		return true
+	case False.raw:
+		return false
+	default:
+		panic("invalid JSON token kind: " + t.Kind().String())
+	}
+}
+
+// appendString appends a JSON string to dst and returns it.
+// It panics if t is not a JSON string.
+func (t Token) appendString(dst []byte, validateUTF8, preserveRaw bool, escapeRune func(rune) bool) ([]byte, error) {
+	if raw := t.raw; raw != nil {
+		// Handle raw string value.
+		buf := raw.previousBuffer()
+		if Kind(buf[0]) == '"' {
+			if escapeRune == nil && consumeSimpleString(buf) == len(buf) {
+				return append(dst, buf...), nil
+			}
+			dst, _, err := reformatString(dst, buf, validateUTF8, preserveRaw, escapeRune)
+			return dst, err
+		}
+	} else if len(t.str) != 0 && t.num == 0 {
+		// Handle exact string value.
+		return appendString(dst, t.str, validateUTF8, escapeRune)
+	}
+
+	panic("invalid JSON token kind: " + t.Kind().String())
+}
+
+// String returns the unescaped string value for a JSON string.
+// For other JSON kinds, this returns the raw JSON represention.
+func (t Token) String() string {
+	// This is inlinable to take advantage of "function outlining".
+	// This avoids an allocation for the string(b) conversion
+	// if the caller does not use the string in an escaping manner.
+	// See https://blog.filippo.io/efficient-go-apis-with-the-inliner/
+	s, b := t.string()
+	if len(b) > 0 {
+		return string(b)
+	}
+	return s
+}
+func (t Token) string() (string, []byte) {
+	if raw := t.raw; raw != nil {
+		if uint64(raw.previousOffsetStart()) != t.num {
+			panic(invalidTokenPanic)
+		}
+		buf := raw.previousBuffer()
+		if buf[0] == '"' {
+			// TODO: Preserve valueFlags in Token?
+			isVerbatim := consumeSimpleString(buf) == len(buf)
+			return "", unescapeStringMayCopy(buf, isVerbatim)
+		}
+		// Handle tokens that are not JSON strings for fmt.Stringer.
+		return "", buf
+	}
+	if len(t.str) != 0 && t.num == 0 {
+		return t.str, nil
+	}
+	// Handle tokens that are not JSON strings for fmt.Stringer.
+	if t.num > 0 {
+		switch t.str[0] {
+		case 'f':
+			return string(appendNumber(nil, math.Float64frombits(t.num), 64)), nil
+		case 'i':
+			return strconv.FormatInt(int64(t.num), 10), nil
+		case 'u':
+			return strconv.FormatUint(uint64(t.num), 10), nil
+		}
+	}
+	return "<invalid json.Token>", nil
+}
+
+// appendNumber appends a JSON number to dst and returns it.
+// It panics if t is not a JSON number.
+func (t Token) appendNumber(dst []byte, canonicalize bool) ([]byte, error) {
+	if raw := t.raw; raw != nil {
+		// Handle raw number value.
+		buf := raw.previousBuffer()
+		if Kind(buf[0]).normalize() == '0' {
+			if !canonicalize {
+				return append(dst, buf...), nil
+			}
+			dst, _, err := reformatNumber(dst, buf, canonicalize)
+			return dst, err
+		}
+	} else if t.num != 0 {
+		// Handle exact number value.
+		switch t.str[0] {
+		case 'f':
+			return appendNumber(dst, math.Float64frombits(t.num), 64), nil
+		case 'i':
+			return strconv.AppendInt(dst, int64(t.num), 10), nil
+		case 'u':
+			return strconv.AppendUint(dst, uint64(t.num), 10), nil
+		}
+	}
+
+	panic("invalid JSON token kind: " + t.Kind().String())
+}
+
+// Float returns the floating-point value for a JSON number.
+// It returns a NaN, +Inf, or -Inf value for any JSON string
+// with the values "NaN", "Infinity", or "-Infinity".
+// It panics for all other cases.
+func (t Token) Float() float64 {
+	if raw := t.raw; raw != nil {
+		// Handle raw number value.
+		if uint64(raw.previousOffsetStart()) != t.num {
+			panic(invalidTokenPanic)
+		}
+		buf := raw.previousBuffer()
+		if Kind(buf[0]).normalize() == '0' {
+			fv, _ := parseFloat(buf, 64)
+			return fv
+		}
+	} else if t.num != 0 {
+		// Handle exact number value.
+		switch t.str[0] {
+		case 'f':
+			return math.Float64frombits(t.num)
+		case 'i':
+			return float64(int64(t.num))
+		case 'u':
+			return float64(uint64(t.num))
+		}
+	}
+
+	// Handle string values with "NaN", "Infinity", or "-Infinity".
+	if t.Kind() == '"' {
+		switch t.String() {
+		case "NaN":
+			return math.NaN()
+		case "Infinity":
+			return math.Inf(+1)
+		case "-Infinity":
+			return math.Inf(-1)
+		}
+	}
+
+	panic("invalid JSON token kind: " + t.Kind().String())
+}
+
+// Int returns the signed integer value for a JSON number.
+// The fractional component of any number is ignored (truncation toward zero).
+// Any number beyond the representation of an int64 will be saturated
+// to the closest representable value.
+// It panics if the token kind is not a JSON number.
+func (t Token) Int() int64 {
+	if raw := t.raw; raw != nil {
+		// Handle raw integer value.
+		if uint64(raw.previousOffsetStart()) != t.num {
+			panic(invalidTokenPanic)
+		}
+		neg := false
+		buf := raw.previousBuffer()
+		if len(buf) > 0 && buf[0] == '-' {
+			neg, buf = true, buf[1:]
+		}
+		if numAbs, ok := parseDecUint(buf); ok {
+			if neg {
+				if numAbs > -minInt64 {
+					return minInt64
+				}
+				return -1 * int64(numAbs)
+			} else {
+				if numAbs > +maxInt64 {
+					return maxInt64
+				}
+				return +1 * int64(numAbs)
+			}
+		}
+	} else if t.num != 0 {
+		// Handle exact integer value.
+		switch t.str[0] {
+		case 'i':
+			return int64(t.num)
+		case 'u':
+			if uint64(t.num) > maxInt64 {
+				return maxInt64
+			}
+			return int64(uint64(t.num))
+		}
+	}
+
+	// Handle JSON number that is a floating-point value.
+	if t.Kind() == '0' {
+		switch fv := t.Float(); {
+		case fv >= maxInt64:
+			return maxInt64
+		case fv <= minInt64:
+			return minInt64
+		default:
+			return int64(fv) // truncation toward zero
+		}
+	}
+
+	panic("invalid JSON token kind: " + t.Kind().String())
+}
+
+// Uint returns the unsigned integer value for a JSON number.
+// The fractional component of any number is ignored (truncation toward zero).
+// Any number beyond the representation of an uint64 will be saturated
+// to the closest representable value.
+// It panics if the token kind is not a JSON number.
+func (t Token) Uint() uint64 {
+	// NOTE: This accessor returns 0 for any negative JSON number,
+	// which might be surprising, but is at least consistent with the behavior
+	// of saturating out-of-bounds numbers to the closest representable number.
+
+	if raw := t.raw; raw != nil {
+		// Handle raw integer value.
+		if uint64(raw.previousOffsetStart()) != t.num {
+			panic(invalidTokenPanic)
+		}
+		neg := false
+		buf := raw.previousBuffer()
+		if len(buf) > 0 && buf[0] == '-' {
+			neg, buf = true, buf[1:]
+		}
+		if num, ok := parseDecUint(buf); ok {
+			if neg {
+				return minUint64
+			}
+			return num
+		}
+	} else if t.num != 0 {
+		// Handle exact integer value.
+		switch t.str[0] {
+		case 'u':
+			return uint64(t.num)
+		case 'i':
+			if int64(t.num) < minUint64 {
+				return minUint64
+			}
+			return uint64(int64(t.num))
+		}
+	}
+
+	// Handle JSON number that is a floating-point value.
+	if t.Kind() == '0' {
+		switch fv := t.Float(); {
+		case fv >= maxUint64:
+			return maxUint64
+		case fv <= minUint64:
+			return minUint64
+		default:
+			return uint64(fv) // truncation toward zero
+		}
+	}
+
+	panic("invalid JSON token kind: " + t.Kind().String())
+}
+
+// Kind returns the token kind.
+func (t Token) Kind() Kind {
+	switch {
+	case t.raw != nil:
+		raw := t.raw
+		if uint64(raw.previousOffsetStart()) != t.num {
+			panic(invalidTokenPanic)
+		}
+		return Kind(t.raw.buf[raw.prevStart]).normalize()
+	case t.num != 0:
+		return '0'
+	case len(t.str) != 0:
+		return '"'
+	default:
+		return invalidKind
+	}
+}
+
+// Kind represents each possible JSON token kind with a single byte,
+// which is conveniently the first byte of that kind's grammar
+// with the restriction that numbers always be represented with '0':
+//
+//   - 'n': null
+//   - 'f': false
+//   - 't': true
+//   - '"': string
+//   - '0': number
+//   - '{': object start
+//   - '}': object end
+//   - '[': array start
+//   - ']': array end
+//
+// An invalid kind is usually represented using 0,
+// but may be non-zero due to invalid JSON data.
+type Kind byte
+
+const invalidKind Kind = 0
+
+// String prints the kind in a humanly readable fashion.
+func (k Kind) String() string {
+	switch k {
+	case 'n':
+		return "null"
+	case 'f':
+		return "false"
+	case 't':
+		return "true"
+	case '"':
+		return "string"
+	case '0':
+		return "number"
+	case '{':
+		return "{"
+	case '}':
+		return "}"
+	case '[':
+		return "["
+	case ']':
+		return "]"
+	default:
+		return "<invalid json.Kind: " + quoteRune([]byte{byte(k)}) + ">"
+	}
+}
+
+// normalize coalesces all possible starting characters of a number as just '0'.
+func (k Kind) normalize() Kind {
+	if k == '-' || ('0' <= k && k <= '9') {
+		return '0'
+	}
+	return k
+}
diff --git a/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/value.go b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/value.go
new file mode 100644
index 000000000..fe88e4fb5
--- /dev/null
+++ b/vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/value.go
@@ -0,0 +1,375 @@
+// Copyright 2020 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package json
+
+import (
+	"bytes"
+	"errors"
+	"io"
+	"sort"
+	"sync"
+	"unicode/utf16"
+	"unicode/utf8"
+)
+
+// NOTE: RawValue is analogous to v1 json.RawMessage.
+
+// RawValue represents a single raw JSON value, which may be one of the following:
+//   - a JSON literal (i.e., null, true, or false)
+//   - a JSON string (e.g., "hello, world!")
+//   - a JSON number (e.g., 123.456)
+//   - an entire JSON object (e.g., {"fizz":"buzz"} )
+//   - an entire JSON array (e.g., [1,2,3] )
+//
+// RawValue can represent entire array or object values, while Token cannot.
+// RawValue may contain leading and/or trailing whitespace.
+type RawValue []byte
+
+// Clone returns a copy of v.
+func (v RawValue) Clone() RawValue {
+	if v == nil {
+		return nil
+	}
+	return append(RawValue{}, v...)
+}
+
+// String returns the string formatting of v.
+func (v RawValue) String() string {
+	if v == nil {
+		return "null"
+	}
+	return string(v)
+}
+
+// IsValid reports whether the raw JSON value is syntactically valid
+// according to RFC 7493.
+//
+// It verifies whether the input is properly encoded as UTF-8,
+// that escape sequences within strings decode to valid Unicode codepoints, and
+// that all names in each object are unique.
+// It does not verify whether numbers are representable within the limits
+// of any common numeric type (e.g., float64, int64, or uint64).
+func (v RawValue) IsValid() bool {
+	d := getBufferedDecoder(v, DecodeOptions{})
+	defer putBufferedDecoder(d)
+	_, errVal := d.ReadValue()
+	_, errEOF := d.ReadToken()
+	return errVal == nil && errEOF == io.EOF
+}
+
+// Compact removes all whitespace from the raw JSON value.
+//
+// It does not reformat JSON strings to use any other representation.
+// It is guaranteed to succeed if the input is valid.
+// If the value is already compacted, then the buffer is not mutated.
+func (v *RawValue) Compact() error {
+	return v.reformat(false, false, "", "")
+}
+
+// Indent reformats the whitespace in the raw JSON value so that each element
+// in a JSON object or array begins on a new, indented line beginning with
+// prefix followed by one or more copies of indent according to the nesting.
+// The value does not begin with the prefix nor any indention,
+// to make it easier to embed inside other formatted JSON data.
+//
+// It does not reformat JSON strings to use any other representation.
+// It is guaranteed to succeed if the input is valid.
+// If the value is already indented properly, then the buffer is not mutated.
+func (v *RawValue) Indent(prefix, indent string) error {
+	return v.reformat(false, true, prefix, indent)
+}
+
+// Canonicalize canonicalizes the raw JSON value according to the
+// JSON Canonicalization Scheme (JCS) as defined by RFC 8785
+// where it produces a stable representation of a JSON value.
+//
+// The output stability is dependent on the stability of the application data
+// (see RFC 8785, Appendix E). It cannot produce stable output from
+// fundamentally unstable input. For example, if the JSON value
+// contains ephemeral data (e.g., a frequently changing timestamp),
+// then the value is still unstable regardless of whether this is called.
+//
+// Note that JCS treats all JSON numbers as IEEE 754 double precision numbers.
+// Any numbers with precision beyond what is representable by that form
+// will lose their precision when canonicalized. For example, integer values
+// beyond ±2⁵³ will lose their precision. It is recommended that
+// int64 and uint64 data types be represented as a JSON string.
+//
+// It is guaranteed to succeed if the input is valid.
+// If the value is already canonicalized, then the buffer is not mutated.
+func (v *RawValue) Canonicalize() error {
+	return v.reformat(true, false, "", "")
+}
+
+// TODO: Instead of implementing the v1 Marshaler/Unmarshaler,
+// consider implementing the v2 versions instead.
+
+// MarshalJSON returns v as the JSON encoding of v.
+// It returns the stored value as the raw JSON output without any validation.
+// If v is nil, then this returns a JSON null.
+func (v RawValue) MarshalJSON() ([]byte, error) {
+	// NOTE: This matches the behavior of v1 json.RawMessage.MarshalJSON.
+	if v == nil {
+		return []byte("null"), nil
+	}
+	return v, nil
+}
+
+// UnmarshalJSON sets v as the JSON encoding of b.
+// It stores a copy of the provided raw JSON input without any validation.
+func (v *RawValue) UnmarshalJSON(b []byte) error {
+	// NOTE: This matches the behavior of v1 json.RawMessage.UnmarshalJSON.
+	if v == nil {
+		return errors.New("json.RawValue: UnmarshalJSON on nil pointer")
+	}
+	*v = append((*v)[:0], b...)
+	return nil
+}
+
+// Kind returns the starting token kind.
+// For a valid value, this will never include '}' or ']'.
+func (v RawValue) Kind() Kind {
+	if v := v[consumeWhitespace(v):]; len(v) > 0 {
+		return Kind(v[0]).normalize()
+	}
+	return invalidKind
+}
+
+func (v *RawValue) reformat(canonical, multiline bool, prefix, indent string) error {
+	var eo EncodeOptions
+	if canonical {
+		eo.AllowInvalidUTF8 = false    // per RFC 8785, section 3.2.4
+		eo.AllowDuplicateNames = false // per RFC 8785, section 3.1
+		eo.canonicalizeNumbers = true  // per RFC 8785, section 3.2.2.3
+		eo.EscapeRune = nil            // per RFC 8785, section 3.2.2.2
+		eo.multiline = false           // per RFC 8785, section 3.2.1
+	} else {
+		if s := trimLeftSpaceTab(prefix); len(s) > 0 {
+			panic("json: invalid character " + quoteRune([]byte(s)) + " in indent prefix")
+		}
+		if s := trimLeftSpaceTab(indent); len(s) > 0 {
+			panic("json: invalid character " + quoteRune([]byte(s)) + " in indent")
+		}
+		eo.AllowInvalidUTF8 = true
+		eo.AllowDuplicateNames = true
+		eo.preserveRawStrings = true
+		eo.multiline = multiline // in case indent is empty
+		eo.IndentPrefix = prefix
+		eo.Indent = indent
+	}
+	eo.omitTopLevelNewline = true
+
+	// Write the entire value to reformat all tokens and whitespace.
+	e := getBufferedEncoder(eo)
+	defer putBufferedEncoder(e)
+	if err := e.WriteValue(*v); err != nil {
+		return err
+	}
+
+	// For canonical output, we may need to reorder object members.
+	if canonical {
+		// Obtain a buffered encoder just to use its internal buffer as
+		// a scratch buffer in reorderObjects for reordering object members.
+		e2 := getBufferedEncoder(EncodeOptions{})
+		defer putBufferedEncoder(e2)
+
+		// Disable redundant checks performed earlier during encoding.
+		d := getBufferedDecoder(e.buf, DecodeOptions{AllowInvalidUTF8: true, AllowDuplicateNames: true})
+		defer putBufferedDecoder(d)
+		reorderObjects(d, &e2.buf) // per RFC 8785, section 3.2.3
+	}
+
+	// Store the result back into the value if different.
+	if !bytes.Equal(*v, e.buf) {
+		*v = append((*v)[:0], e.buf...)
+	}
+	return nil
+}
+
+func trimLeftSpaceTab(s string) string {
+	for i, r := range s {
+		switch r {
+		case ' ', '\t':
+		default:
+			return s[i:]
+		}
+	}
+	return ""
+}
+
+type memberName struct {
+	// name is the unescaped name.
+	name []byte
+	// before and after are byte offsets into Decoder.buf that represents
+	// the entire name/value pair. It may contain leading commas.
+	before, after int64
+}
+
+var memberNamePool = sync.Pool{New: func() any { return new(memberNames) }}
+
+func getMemberNames() *memberNames {
+	ns := memberNamePool.Get().(*memberNames)
+	*ns = (*ns)[:0]
+	return ns
+}
+func putMemberNames(ns *memberNames) {
+	if cap(*ns) < 1<<10 {
+		for i := range *ns {
+			(*ns)[i] = memberName{} // avoid pinning name
+		}
+		memberNamePool.Put(ns)
+	}
+}
+
+type memberNames []memberName
+
+func (m *memberNames) Len() int           { return len(*m) }
+func (m *memberNames) Less(i, j int) bool { return lessUTF16((*m)[i].name, (*m)[j].name) }
+func (m *memberNames) Swap(i, j int)      { (*m)[i], (*m)[j] = (*m)[j], (*m)[i] }
+
+// reorderObjects recursively reorders all object members in place
+// according to the ordering specified in RFC 8785, section 3.2.3.
+//
+// Pre-conditions:
+//   - The value is valid (i.e., no decoder errors should ever occur).
+//   - The value is compact (i.e., no whitespace is present).
+//   - Initial call is provided a Decoder reading from the start of v.
+//
+// Post-conditions:
+//   - Exactly one JSON value is read from the Decoder.
+//   - All fully-parsed JSON objects are reordered by directly moving
+//     the members in the value buffer.
+//
+// The runtime is approximately O(n·log(n)) + O(m·log(m)),
+// where n is len(v) and m is the total number of object members.
+func reorderObjects(d *Decoder, scratch *[]byte) {
+	switch tok, _ := d.ReadToken(); tok.Kind() {
+	case '{':
+		// Iterate and collect the name and offsets for every object member.
+		members := getMemberNames()
+		defer putMemberNames(members)
+		var prevName []byte
+		isSorted := true
+
+		beforeBody := d.InputOffset() // offset after '{'
+		for d.PeekKind() != '}' {
+			beforeName := d.InputOffset()
+			var flags valueFlags
+			name, _ := d.readValue(&flags)
+			name = unescapeStringMayCopy(name, flags.isVerbatim())
+			reorderObjects(d, scratch)
+			afterValue := d.InputOffset()
+
+			if isSorted && len(*members) > 0 {
+				isSorted = lessUTF16(prevName, name)
+			}
+			*members = append(*members, memberName{name, beforeName, afterValue})
+			prevName = name
+		}
+		afterBody := d.InputOffset() // offset before '}'
+		d.ReadToken()
+
+		// Sort the members; return early if it's already sorted.
+		if isSorted {
+			return
+		}
+		// TODO(https://go.dev/issue/47619): Use slices.Sort.
+		sort.Sort(members)
+
+		// Append the reordered members to a new buffer,
+		// then copy the reordered members back over the original members.
+		// Avoid swapping in place since each member may be a different size
+		// where moving a member over a smaller member may corrupt the data
+		// for subsequent members before they have been moved.
+		//
+		// The following invariant must hold:
+		//	sum([m.after-m.before for m in members]) == afterBody-beforeBody
+		sorted := (*scratch)[:0]
+		for i, member := range *members {
+			if d.buf[member.before] == ',' {
+				member.before++ // trim leading comma
+			}
+			sorted = append(sorted, d.buf[member.before:member.after]...)
+			if i < len(*members)-1 {
+				sorted = append(sorted, ',') // append trailing comma
+			}
+		}
+		if int(afterBody-beforeBody) != len(sorted) {
+			panic("BUG: length invariant violated")
+		}
+		copy(d.buf[beforeBody:afterBody], sorted)
+
+		// Update scratch buffer to the largest amount ever used.
+		if len(sorted) > len(*scratch) {
+			*scratch = sorted
+		}
+	case '[':
+		for d.PeekKind() != ']' {
+			reorderObjects(d, scratch)
+		}
+		d.ReadToken()
+	}
+}
+
+// lessUTF16 reports whether x is lexicographically less than y according
+// to the UTF-16 codepoints of the UTF-8 encoded input strings.
+// This implements the ordering specified in RFC 8785, section 3.2.3.
+// The inputs must be valid UTF-8, otherwise this may panic.
+func lessUTF16(x, y []byte) bool {
+	// NOTE: This is an optimized, allocation-free implementation
+	// of lessUTF16Simple in fuzz_test.go. FuzzLessUTF16 verifies that the
+	// two implementations agree on the result of comparing any two strings.
+
+	isUTF16Self := func(r rune) bool {
+		return ('\u0000' <= r && r <= '\uD7FF') || ('\uE000' <= r && r <= '\uFFFF')
+	}
+
+	for {
+		if len(x) == 0 || len(y) == 0 {
+			return len(x) < len(y)
+		}
+
+		// ASCII fast-path.
+		if x[0] < utf8.RuneSelf || y[0] < utf8.RuneSelf {
+			if x[0] != y[0] {
+				return x[0] < y[0]
+			}
+			x, y = x[1:], y[1:]
+			continue
+		}
+
+		// Decode next pair of runes as UTF-8.
+		rx, nx := utf8.DecodeRune(x)
+		ry, ny := utf8.DecodeRune(y)
+		switch {
+
+		// Both runes encode as either a single or surrogate pair
+		// of UTF-16 codepoints.
+		case isUTF16Self(rx) == isUTF16Self(ry):
+			if rx != ry {
+				return rx < ry
+			}
+
+		// The x rune is a single UTF-16 codepoint, while
+		// the y rune is a surrogate pair of UTF-16 codepoints.
+		case isUTF16Self(rx):
+			ry, _ := utf16.EncodeRune(ry)
+			if rx != ry {
+				return rx < ry
+			}
+			panic("BUG: invalid UTF-8") // implies rx is an unpaired surrogate half
+
+		// The y rune is a single UTF-16 codepoint, while
+		// the x rune is a surrogate pair of UTF-16 codepoints.
+		case isUTF16Self(ry):
+			rx, _ := utf16.EncodeRune(rx)
+			if rx != ry {
+				return rx < ry
+			}
+			panic("BUG: invalid UTF-8") // implies ry is an unpaired surrogate half
+		}
+		x, y = x[nx:], y[ny:]
+	}
+}
diff --git a/vendor/k8s.io/kube-openapi/pkg/validation/spec/fuzz.go b/vendor/k8s.io/kube-openapi/pkg/validation/spec/fuzz.go
new file mode 100644
index 000000000..c66f998f5
--- /dev/null
+++ b/vendor/k8s.io/kube-openapi/pkg/validation/spec/fuzz.go
@@ -0,0 +1,502 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package spec
+
+import (
+	"github.com/go-openapi/jsonreference"
+	"github.com/google/go-cmp/cmp"
+	fuzz "github.com/google/gofuzz"
+)
+
+var SwaggerFuzzFuncs []interface{} = []interface{}{
+	func(v *Responses, c fuzz.Continue) {
+		c.FuzzNoCustom(v)
+		if v.Default != nil {
+			// Check if we hit maxDepth and left an incomplete value
+			if v.Default.Description == "" {
+				v.Default = nil
+				v.StatusCodeResponses = nil
+			}
+		}
+
+		// conversion has no way to discern empty statusCodeResponses from
+		// nil, since "default" is always included in the map.
+		// So avoid empty responses list
+		if len(v.StatusCodeResponses) == 0 {
+			v.StatusCodeResponses = nil
+		}
+	},
+	func(v *Operation, c fuzz.Continue) {
+		c.FuzzNoCustom(v)
+
+		if v != nil {
+			// force non-nil
+			v.Responses = &Responses{}
+			c.Fuzz(v.Responses)
+
+			v.Schemes = nil
+			if c.RandBool() {
+				v.Schemes = append(v.Schemes, "http")
+			}
+
+			if c.RandBool() {
+				v.Schemes = append(v.Schemes, "https")
+			}
+
+			if c.RandBool() {
+				v.Schemes = append(v.Schemes, "ws")
+			}
+
+			if c.RandBool() {
+				v.Schemes = append(v.Schemes, "wss")
+			}
+
+			// Gnostic unconditionally makes security values non-null
+			// So do not fuzz null values into the array.
+			for i, val := range v.Security {
+				if val == nil {
+					v.Security[i] = make(map[string][]string)
+				}
+
+				for k, v := range val {
+					if v == nil {
+						val[k] = make([]string, 0)
+					}
+				}
+			}
+		}
+	},
+	func(v map[int]Response, c fuzz.Continue) {
+		n := 0
+		c.Fuzz(&n)
+		if n == 0 {
+			// Test that fuzzer is not at maxDepth so we do not
+			// end up with empty elements
+			return
+		}
+
+		// Prevent negative numbers
+		num := c.Intn(4)
+		for i := 0; i < num+2; i++ {
+			val := Response{}
+			c.Fuzz(&val)
+
+			val.Description = c.RandString() + "x"
+			v[100*(i+1)+c.Intn(100)] = val
+		}
+	},
+	func(v map[string]PathItem, c fuzz.Continue) {
+		n := 0
+		c.Fuzz(&n)
+		if n == 0 {
+			// Test that fuzzer is not at maxDepth so we do not
+			// end up with empty elements
+			return
+		}
+
+		num := c.Intn(5)
+		for i := 0; i < num+2; i++ {
+			val := PathItem{}
+			c.Fuzz(&val)
+
+			// Ref params are only allowed in certain locations, so
+			// possibly add a few to PathItems
+			numRefsToAdd := c.Intn(5)
+			for i := 0; i < numRefsToAdd; i++ {
+				theRef := Parameter{}
+				c.Fuzz(&theRef.Refable)
+
+				val.Parameters = append(val.Parameters, theRef)
+			}
+
+			v["/"+c.RandString()] = val
+		}
+	},
+	func(v *SchemaOrArray, c fuzz.Continue) {
+		*v = SchemaOrArray{}
+		// gnostic parser just doesn't support more
+		// than one Schema here
+		v.Schema = &Schema{}
+		c.Fuzz(&v.Schema)
+
+	},
+	func(v *SchemaOrBool, c fuzz.Continue) {
+		*v = SchemaOrBool{}
+
+		if c.RandBool() {
+			v.Allows = c.RandBool()
+		} else {
+			v.Schema = &Schema{}
+			v.Allows = true
+			c.Fuzz(&v.Schema)
+		}
+	},
+	func(v map[string]Response, c fuzz.Continue) {
+		n := 0
+		c.Fuzz(&n)
+		if n == 0 {
+			// Test that fuzzer is not at maxDepth so we do not
+			// end up with empty elements
+			return
+		}
+
+		// Response definitions are not allowed to
+		// be refs
+		for i := 0; i < c.Intn(5)+1; i++ {
+			resp := &Response{}
+
+			c.Fuzz(resp)
+			resp.Ref = Ref{}
+			resp.Description = c.RandString() + "x"
+
+			// Response refs are not vendor extensible by gnostic
+			resp.VendorExtensible.Extensions = nil
+			v[c.RandString()+"x"] = *resp
+		}
+	},
+	func(v *Header, c fuzz.Continue) {
+		if v != nil {
+			c.FuzzNoCustom(v)
+
+			// descendant Items of Header may not be refs
+			cur := v.Items
+			for cur != nil {
+				cur.Ref = Ref{}
+				cur = cur.Items
+			}
+		}
+	},
+	func(v *Ref, c fuzz.Continue) {
+		*v = Ref{}
+		v.Ref, _ = jsonreference.New("http://asd.com/" + c.RandString())
+	},
+	func(v *Response, c fuzz.Continue) {
+		*v = Response{}
+		if c.RandBool() {
+			v.Ref = Ref{}
+			v.Ref.Ref, _ = jsonreference.New("http://asd.com/" + c.RandString())
+		} else {
+			c.Fuzz(&v.VendorExtensible)
+			c.Fuzz(&v.Schema)
+			c.Fuzz(&v.ResponseProps)
+
+			v.Headers = nil
+			v.Ref = Ref{}
+
+			n := 0
+			c.Fuzz(&n)
+			if n != 0 {
+				// Test that fuzzer is not at maxDepth so we do not
+				// end up with empty elements
+				num := c.Intn(4)
+				for i := 0; i < num; i++ {
+					if v.Headers == nil {
+						v.Headers = make(map[string]Header)
+					}
+					hdr := Header{}
+					c.Fuzz(&hdr)
+					if hdr.Type == "" {
+						// hit maxDepth, just abort trying to make haders
+						v.Headers = nil
+						break
+					}
+					v.Headers[c.RandString()+"x"] = hdr
+				}
+			} else {
+				v.Headers = nil
+			}
+		}
+
+		v.Description = c.RandString() + "x"
+
+		// Gnostic parses empty as nil, so to keep avoid putting empty
+		if len(v.Headers) == 0 {
+			v.Headers = nil
+		}
+	},
+	func(v **Info, c fuzz.Continue) {
+		// Info is never nil
+		*v = &Info{}
+		c.FuzzNoCustom(*v)
+
+		(*v).Title = c.RandString() + "x"
+	},
+	func(v *Extensions, c fuzz.Continue) {
+		// gnostic parser only picks up x- vendor extensions
+		numChildren := c.Intn(5)
+		for i := 0; i < numChildren; i++ {
+			if *v == nil {
+				*v = Extensions{}
+			}
+			(*v)["x-"+c.RandString()] = c.RandString()
+		}
+	},
+	func(v *Swagger, c fuzz.Continue) {
+		c.FuzzNoCustom(v)
+
+		if v.Paths == nil {
+			// Force paths non-nil since it does not have omitempty in json tag.
+			// This means a perfect roundtrip (via json) is impossible,
+			// since we can't tell the difference between empty/unspecified paths
+			v.Paths = &Paths{}
+			c.Fuzz(v.Paths)
+		}
+
+		v.Swagger = "2.0"
+
+		// Gnostic support serializing ID at all
+		// unavoidable data loss
+		v.ID = ""
+
+		v.Schemes = nil
+		if c.RandUint64()%2 == 1 {
+			v.Schemes = append(v.Schemes, "http")
+		}
+
+		if c.RandUint64()%2 == 1 {
+			v.Schemes = append(v.Schemes, "https")
+		}
+
+		if c.RandUint64()%2 == 1 {
+			v.Schemes = append(v.Schemes, "ws")
+		}
+
+		if c.RandUint64()%2 == 1 {
+			v.Schemes = append(v.Schemes, "wss")
+		}
+
+		// Gnostic unconditionally makes security values non-null
+		// So do not fuzz null values into the array.
+		for i, val := range v.Security {
+			if val == nil {
+				v.Security[i] = make(map[string][]string)
+			}
+
+			for k, v := range val {
+				if v == nil {
+					val[k] = make([]string, 0)
+				}
+			}
+		}
+	},
+	func(v *SecurityScheme, c fuzz.Continue) {
+		v.Description = c.RandString() + "x"
+		c.Fuzz(&v.VendorExtensible)
+
+		switch c.Intn(3) {
+		case 0:
+			v.Type = "basic"
+		case 1:
+			v.Type = "apiKey"
+			switch c.Intn(2) {
+			case 0:
+				v.In = "header"
+			case 1:
+				v.In = "query"
+			default:
+				panic("unreachable")
+			}
+			v.Name = "x" + c.RandString()
+		case 2:
+			v.Type = "oauth2"
+
+			switch c.Intn(4) {
+			case 0:
+				v.Flow = "accessCode"
+				v.TokenURL = "https://" + c.RandString()
+				v.AuthorizationURL = "https://" + c.RandString()
+			case 1:
+				v.Flow = "application"
+				v.TokenURL = "https://" + c.RandString()
+			case 2:
+				v.Flow = "implicit"
+				v.AuthorizationURL = "https://" + c.RandString()
+			case 3:
+				v.Flow = "password"
+				v.TokenURL = "https://" + c.RandString()
+			default:
+				panic("unreachable")
+			}
+			c.Fuzz(&v.Scopes)
+		default:
+			panic("unreachable")
+		}
+	},
+	func(v *interface{}, c fuzz.Continue) {
+		*v = c.RandString() + "x"
+	},
+	func(v *string, c fuzz.Continue) {
+		*v = c.RandString() + "x"
+	},
+	func(v *ExternalDocumentation, c fuzz.Continue) {
+		v.Description = c.RandString() + "x"
+		v.URL = c.RandString() + "x"
+	},
+	func(v *SimpleSchema, c fuzz.Continue) {
+		c.FuzzNoCustom(v)
+
+		switch c.Intn(5) {
+		case 0:
+			v.Type = "string"
+		case 1:
+			v.Type = "number"
+		case 2:
+			v.Type = "boolean"
+		case 3:
+			v.Type = "integer"
+		case 4:
+			v.Type = "array"
+		default:
+			panic("unreachable")
+		}
+
+		switch c.Intn(5) {
+		case 0:
+			v.CollectionFormat = "csv"
+		case 1:
+			v.CollectionFormat = "ssv"
+		case 2:
+			v.CollectionFormat = "tsv"
+		case 3:
+			v.CollectionFormat = "pipes"
+		case 4:
+			v.CollectionFormat = ""
+		default:
+			panic("unreachable")
+		}
+
+		// None of the types which include SimpleSchema in our definitions
+		// actually support "example" in the official spec
+		v.Example = nil
+
+		// unsupported by openapi
+		v.Nullable = false
+	},
+	func(v *int64, c fuzz.Continue) {
+		c.Fuzz(v)
+
+		// Gnostic does not differentiate between 0 and non-specified
+		// so avoid using 0 for fuzzer
+		if *v == 0 {
+			*v = 1
+		}
+	},
+	func(v *float64, c fuzz.Continue) {
+		c.Fuzz(v)
+
+		// Gnostic does not differentiate between 0 and non-specified
+		// so avoid using 0 for fuzzer
+		if *v == 0.0 {
+			*v = 1.0
+		}
+	},
+	func(v *Parameter, c fuzz.Continue) {
+		if v == nil {
+			return
+		}
+		c.Fuzz(&v.VendorExtensible)
+		if c.RandBool() {
+			// body param
+			v.Description = c.RandString() + "x"
+			v.Name = c.RandString() + "x"
+			v.In = "body"
+			c.Fuzz(&v.Description)
+			c.Fuzz(&v.Required)
+
+			v.Schema = &Schema{}
+			c.Fuzz(&v.Schema)
+
+		} else {
+			c.Fuzz(&v.SimpleSchema)
+			c.Fuzz(&v.CommonValidations)
+			v.AllowEmptyValue = false
+			v.Description = c.RandString() + "x"
+			v.Name = c.RandString() + "x"
+
+			switch c.Intn(4) {
+			case 0:
+				// Header param
+				v.In = "header"
+			case 1:
+				// Form data param
+				v.In = "formData"
+				v.AllowEmptyValue = c.RandBool()
+			case 2:
+				// Query param
+				v.In = "query"
+				v.AllowEmptyValue = c.RandBool()
+			case 3:
+				// Path param
+				v.In = "path"
+				v.Required = true
+			default:
+				panic("unreachable")
+			}
+
+			// descendant Items of Parameter may not be refs
+			cur := v.Items
+			for cur != nil {
+				cur.Ref = Ref{}
+				cur = cur.Items
+			}
+		}
+	},
+	func(v *Schema, c fuzz.Continue) {
+		if c.RandBool() {
+			// file schema
+			c.Fuzz(&v.Default)
+			c.Fuzz(&v.Description)
+			c.Fuzz(&v.Example)
+			c.Fuzz(&v.ExternalDocs)
+
+			c.Fuzz(&v.Format)
+			c.Fuzz(&v.ReadOnly)
+			c.Fuzz(&v.Required)
+			c.Fuzz(&v.Title)
+			v.Type = StringOrArray{"file"}
+
+		} else {
+			// normal schema
+			c.Fuzz(&v.SchemaProps)
+			c.Fuzz(&v.SwaggerSchemaProps)
+			c.Fuzz(&v.VendorExtensible)
+			// c.Fuzz(&v.ExtraProps)
+			// ExtraProps will not roundtrip - gnostic throws out
+			// unrecognized keys
+		}
+
+		// Not supported by official openapi v2 spec
+		// and stripped by k8s apiserver
+		v.ID = ""
+		v.AnyOf = nil
+		v.OneOf = nil
+		v.Not = nil
+		v.Nullable = false
+		v.AdditionalItems = nil
+		v.Schema = ""
+		v.PatternProperties = nil
+		v.Definitions = nil
+		v.Dependencies = nil
+	},
+}
+
+var SwaggerDiffOptions = []cmp.Option{
+	// cmp.Diff panics on Ref since jsonreference.Ref uses unexported fields
+	cmp.Comparer(func(a Ref, b Ref) bool {
+		return a.String() == b.String()
+	}),
+}
diff --git a/vendor/k8s.io/kube-openapi/pkg/validation/spec/gnostic.go b/vendor/k8s.io/kube-openapi/pkg/validation/spec/gnostic.go
index 35fd57920..406a09d9d 100644
--- a/vendor/k8s.io/kube-openapi/pkg/validation/spec/gnostic.go
+++ b/vendor/k8s.io/kube-openapi/pkg/validation/spec/gnostic.go
@@ -219,8 +219,8 @@ func (k *Ref) FromGnostic(g string) error {
 // Caveats:
 //
 // - gnostic v2 documents treats zero as unspecified for numerical fields of
-//CommonValidations fields such as Maximum, Minimum, MaximumItems, etc.
-//There will always be data loss if one of the values of these fields is set to zero.
+// CommonValidations fields such as Maximum, Minimum, MaximumItems, etc.
+// There will always be data loss if one of the values of these fields is set to zero.
 //
 // Returns:
 //
@@ -1263,6 +1263,8 @@ func (k *Schema) FromGnostic(g *openapi_v2.Schema) (ok bool, err error) {
 			k.AdditionalProperties.Allows = g.AdditionalProperties.GetBoolean()
 		} else {
 			k.AdditionalProperties.Schema = &Schema{}
+			k.AdditionalProperties.Allows = true
+
 			if nok, err := k.AdditionalProperties.Schema.FromGnostic(g.AdditionalProperties.GetSchema()); err != nil {
 				return false, err
 			} else if !nok {
diff --git a/vendor/k8s.io/kube-openapi/pkg/validation/spec/header.go b/vendor/k8s.io/kube-openapi/pkg/validation/spec/header.go
index 597fc9631..9a2556306 100644
--- a/vendor/k8s.io/kube-openapi/pkg/validation/spec/header.go
+++ b/vendor/k8s.io/kube-openapi/pkg/validation/spec/header.go
@@ -18,6 +18,8 @@ import (
 	"encoding/json"
 
 	"github.com/go-openapi/swag"
+	"k8s.io/kube-openapi/pkg/internal"
+	jsonv2 "k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json"
 )
 
 const (
@@ -62,6 +64,10 @@ func (h Header) MarshalJSON() ([]byte, error) {
 
 // UnmarshalJSON unmarshals this header from JSON
 func (h *Header) UnmarshalJSON(data []byte) error {
+	if internal.UseOptimizedJSONUnmarshaling {
+		return jsonv2.Unmarshal(data, h)
+	}
+
 	if err := json.Unmarshal(data, &h.CommonValidations); err != nil {
 		return err
 	}
@@ -73,3 +79,27 @@ func (h *Header) UnmarshalJSON(data []byte) error {
 	}
 	return json.Unmarshal(data, &h.HeaderProps)
 }
+
+func (h *Header) UnmarshalNextJSON(opts jsonv2.UnmarshalOptions, dec *jsonv2.Decoder) error {
+	var x struct {
+		CommonValidations
+		SimpleSchema
+		Extensions
+		HeaderProps
+	}
+
+	if err := opts.UnmarshalNext(dec, &x); err != nil {
+		return err
+	}
+
+	h.CommonValidations = x.CommonValidations
+	h.SimpleSchema = x.SimpleSchema
+	h.Extensions = x.Extensions
+	h.HeaderProps = x.HeaderProps
+
+	h.Extensions.sanitize()
+	if len(h.Extensions) == 0 {
+		h.Extensions = nil
+	}
+	return nil
+}
diff --git a/vendor/k8s.io/kube-openapi/pkg/validation/spec/info.go b/vendor/k8s.io/kube-openapi/pkg/validation/spec/info.go
index 51a2f5781..395ececae 100644
--- a/vendor/k8s.io/kube-openapi/pkg/validation/spec/info.go
+++ b/vendor/k8s.io/kube-openapi/pkg/validation/spec/info.go
@@ -19,6 +19,8 @@ import (
 	"strings"
 
 	"github.com/go-openapi/swag"
+	"k8s.io/kube-openapi/pkg/internal"
+	jsonv2 "k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json"
 )
 
 // Extensions vendor specific extensions
@@ -87,6 +89,31 @@ func (e Extensions) GetObject(key string, out interface{}) error {
 	return nil
 }
 
+func (e Extensions) sanitize() {
+	for k := range e {
+		if !isExtensionKey(k) {
+			delete(e, k)
+		}
+	}
+}
+
+func (e Extensions) sanitizeWithExtra() (extra map[string]any) {
+	for k, v := range e {
+		if !isExtensionKey(k) {
+			if extra == nil {
+				extra = make(map[string]any)
+			}
+			extra[k] = v
+			delete(e, k)
+		}
+	}
+	return extra
+}
+
+func isExtensionKey(k string) bool {
+	return len(k) > 1 && (k[0] == 'x' || k[0] == 'X') && k[1] == '-'
+}
+
 // VendorExtensible composition block.
 type VendorExtensible struct {
 	Extensions Extensions
@@ -167,8 +194,29 @@ func (i Info) MarshalJSON() ([]byte, error) {
 
 // UnmarshalJSON marshal this from JSON
 func (i *Info) UnmarshalJSON(data []byte) error {
+	if internal.UseOptimizedJSONUnmarshaling {
+		return jsonv2.Unmarshal(data, i)
+	}
+
 	if err := json.Unmarshal(data, &i.InfoProps); err != nil {
 		return err
 	}
 	return json.Unmarshal(data, &i.VendorExtensible)
 }
+
+func (i *Info) UnmarshalNextJSON(opts jsonv2.UnmarshalOptions, dec *jsonv2.Decoder) error {
+	var x struct {
+		Extensions
+		InfoProps
+	}
+	if err := opts.UnmarshalNext(dec, &x); err != nil {
+		return err
+	}
+	x.Extensions.sanitize()
+	if len(x.Extensions) == 0 {
+		x.Extensions = nil
+	}
+	i.VendorExtensible.Extensions = x.Extensions
+	i.InfoProps = x.InfoProps
+	return nil
+}
diff --git a/vendor/k8s.io/kube-openapi/pkg/validation/spec/items.go b/vendor/k8s.io/kube-openapi/pkg/validation/spec/items.go
index b75aefe16..374f90d28 100644
--- a/vendor/k8s.io/kube-openapi/pkg/validation/spec/items.go
+++ b/vendor/k8s.io/kube-openapi/pkg/validation/spec/items.go
@@ -18,6 +18,8 @@ import (
 	"encoding/json"
 
 	"github.com/go-openapi/swag"
+	"k8s.io/kube-openapi/pkg/internal"
+	jsonv2 "k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json"
 )
 
 const (
@@ -64,6 +66,10 @@ type Items struct {
 
 // UnmarshalJSON hydrates this items instance with the data from JSON
 func (i *Items) UnmarshalJSON(data []byte) error {
+	if internal.UseOptimizedJSONUnmarshaling {
+		return jsonv2.Unmarshal(data, i)
+	}
+
 	var validations CommonValidations
 	if err := json.Unmarshal(data, &validations); err != nil {
 		return err
@@ -87,6 +93,28 @@ func (i *Items) UnmarshalJSON(data []byte) error {
 	return nil
 }
 
+func (i *Items) UnmarshalNextJSON(opts jsonv2.UnmarshalOptions, dec *jsonv2.Decoder) error {
+	var x struct {
+		CommonValidations
+		SimpleSchema
+		Extensions
+	}
+	if err := opts.UnmarshalNext(dec, &x); err != nil {
+		return err
+	}
+	if err := i.Refable.Ref.fromMap(x.Extensions); err != nil {
+		return err
+	}
+	x.Extensions.sanitize()
+	if len(x.Extensions) == 0 {
+		x.Extensions = nil
+	}
+	i.CommonValidations = x.CommonValidations
+	i.SimpleSchema = x.SimpleSchema
+	i.VendorExtensible.Extensions = x.Extensions
+	return nil
+}
+
 // MarshalJSON converts this items object to JSON
 func (i Items) MarshalJSON() ([]byte, error) {
 	b1, err := json.Marshal(i.CommonValidations)
diff --git a/vendor/k8s.io/kube-openapi/pkg/validation/spec/operation.go b/vendor/k8s.io/kube-openapi/pkg/validation/spec/operation.go
index c7acd8672..923769ae0 100644
--- a/vendor/k8s.io/kube-openapi/pkg/validation/spec/operation.go
+++ b/vendor/k8s.io/kube-openapi/pkg/validation/spec/operation.go
@@ -18,6 +18,8 @@ import (
 	"encoding/json"
 
 	"github.com/go-openapi/swag"
+	"k8s.io/kube-openapi/pkg/internal"
+	jsonv2 "k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json"
 )
 
 // OperationProps describes an operation
@@ -75,12 +77,34 @@ type Operation struct {
 
 // UnmarshalJSON hydrates this items instance with the data from JSON
 func (o *Operation) UnmarshalJSON(data []byte) error {
+	if internal.UseOptimizedJSONUnmarshaling {
+		return jsonv2.Unmarshal(data, o)
+	}
+
 	if err := json.Unmarshal(data, &o.OperationProps); err != nil {
 		return err
 	}
 	return json.Unmarshal(data, &o.VendorExtensible)
 }
 
+func (o *Operation) UnmarshalNextJSON(opts jsonv2.UnmarshalOptions, dec *jsonv2.Decoder) error {
+	type OperationPropsNoMethods OperationProps // strip MarshalJSON method
+	var x struct {
+		Extensions
+		OperationPropsNoMethods
+	}
+	if err := opts.UnmarshalNext(dec, &x); err != nil {
+		return err
+	}
+	x.Extensions.sanitize()
+	if len(x.Extensions) == 0 {
+		x.Extensions = nil
+	}
+	o.VendorExtensible.Extensions = x.Extensions
+	o.OperationProps = OperationProps(x.OperationPropsNoMethods)
+	return nil
+}
+
 // MarshalJSON converts this items object to JSON
 func (o Operation) MarshalJSON() ([]byte, error) {
 	b1, err := json.Marshal(o.OperationProps)
diff --git a/vendor/k8s.io/kube-openapi/pkg/validation/spec/parameter.go b/vendor/k8s.io/kube-openapi/pkg/validation/spec/parameter.go
index 218513974..7cb229ac1 100644
--- a/vendor/k8s.io/kube-openapi/pkg/validation/spec/parameter.go
+++ b/vendor/k8s.io/kube-openapi/pkg/validation/spec/parameter.go
@@ -18,6 +18,8 @@ import (
 	"encoding/json"
 
 	"github.com/go-openapi/swag"
+	"k8s.io/kube-openapi/pkg/internal"
+	jsonv2 "k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json"
 )
 
 // ParamProps describes the specific attributes of an operation parameter
@@ -38,26 +40,31 @@ type ParamProps struct {
 //
 // There are five possible parameter types.
 // * Path - Used together with [Path Templating](#pathTemplating), where the parameter value is actually part
-//   of the operation's URL. This does not include the host or base path of the API. For example, in `/items/{itemId}`,
-//   the path parameter is `itemId`.
+//
+//	of the operation's URL. This does not include the host or base path of the API. For example, in `/items/{itemId}`,
+//	the path parameter is `itemId`.
+//
 // * Query - Parameters that are appended to the URL. For example, in `/items?id=###`, the query parameter is `id`.
 // * Header - Custom headers that are expected as part of the request.
 // * Body - The payload that's appended to the HTTP request. Since there can only be one payload, there can only be
-//   _one_ body parameter. The name of the body parameter has no effect on the parameter itself and is used for
-//   documentation purposes only. Since Form parameters are also in the payload, body and form parameters cannot exist
-//   together for the same operation.
+//
+//	_one_ body parameter. The name of the body parameter has no effect on the parameter itself and is used for
+//	documentation purposes only. Since Form parameters are also in the payload, body and form parameters cannot exist
+//	together for the same operation.
+//
 // * Form - Used to describe the payload of an HTTP request when either `application/x-www-form-urlencoded` or
-//   `multipart/form-data` are used as the content type of the request (in Swagger's definition,
-//   the [`consumes`](#operationConsumes) property of an operation). This is the only parameter type that can be used
-//   to send files, thus supporting the `file` type. Since form parameters are sent in the payload, they cannot be
-//   declared together with a body parameter for the same operation. Form parameters have a different format based on
-//   the content-type used (for further details, consult http://www.w3.org/TR/html401/interact/forms.html#h-17.13.4).
-//   * `application/x-www-form-urlencoded` - Similar to the format of Query parameters but as a payload.
-//   For example, `foo=1&bar=swagger` - both `foo` and `bar` are form parameters. This is normally used for simple
-//   parameters that are being transferred.
-//   * `multipart/form-data` - each parameter takes a section in the payload with an internal header.
-//   For example, for the header `Content-Disposition: form-data; name="submit-name"` the name of the parameter is
-//   `submit-name`. This type of form parameters is more commonly used for file transfers.
+//
+//	`multipart/form-data` are used as the content type of the request (in Swagger's definition,
+//	the [`consumes`](#operationConsumes) property of an operation). This is the only parameter type that can be used
+//	to send files, thus supporting the `file` type. Since form parameters are sent in the payload, they cannot be
+//	declared together with a body parameter for the same operation. Form parameters have a different format based on
+//	the content-type used (for further details, consult http://www.w3.org/TR/html401/interact/forms.html#h-17.13.4).
+//	* `application/x-www-form-urlencoded` - Similar to the format of Query parameters but as a payload.
+//	For example, `foo=1&bar=swagger` - both `foo` and `bar` are form parameters. This is normally used for simple
+//	parameters that are being transferred.
+//	* `multipart/form-data` - each parameter takes a section in the payload with an internal header.
+//	For example, for the header `Content-Disposition: form-data; name="submit-name"` the name of the parameter is
+//	`submit-name`. This type of form parameters is more commonly used for file transfers.
 //
 // For more information: http://goo.gl/8us55a#parameterObject
 type Parameter struct {
@@ -70,6 +77,10 @@ type Parameter struct {
 
 // UnmarshalJSON hydrates this items instance with the data from JSON
 func (p *Parameter) UnmarshalJSON(data []byte) error {
+	if internal.UseOptimizedJSONUnmarshaling {
+		return jsonv2.Unmarshal(data, p)
+	}
+
 	if err := json.Unmarshal(data, &p.CommonValidations); err != nil {
 		return err
 	}
@@ -85,6 +96,30 @@ func (p *Parameter) UnmarshalJSON(data []byte) error {
 	return json.Unmarshal(data, &p.ParamProps)
 }
 
+func (p *Parameter) UnmarshalNextJSON(opts jsonv2.UnmarshalOptions, dec *jsonv2.Decoder) error {
+	var x struct {
+		CommonValidations
+		SimpleSchema
+		Extensions
+		ParamProps
+	}
+	if err := opts.UnmarshalNext(dec, &x); err != nil {
+		return err
+	}
+	if err := p.Refable.Ref.fromMap(x.Extensions); err != nil {
+		return err
+	}
+	x.Extensions.sanitize()
+	if len(x.Extensions) == 0 {
+		x.Extensions = nil
+	}
+	p.CommonValidations = x.CommonValidations
+	p.SimpleSchema = x.SimpleSchema
+	p.VendorExtensible.Extensions = x.Extensions
+	p.ParamProps = x.ParamProps
+	return nil
+}
+
 // MarshalJSON converts this items object to JSON
 func (p Parameter) MarshalJSON() ([]byte, error) {
 	b1, err := json.Marshal(p.CommonValidations)
diff --git a/vendor/k8s.io/kube-openapi/pkg/validation/spec/path_item.go b/vendor/k8s.io/kube-openapi/pkg/validation/spec/path_item.go
index 04de58f00..03741fcfb 100644
--- a/vendor/k8s.io/kube-openapi/pkg/validation/spec/path_item.go
+++ b/vendor/k8s.io/kube-openapi/pkg/validation/spec/path_item.go
@@ -18,6 +18,8 @@ import (
 	"encoding/json"
 
 	"github.com/go-openapi/swag"
+	"k8s.io/kube-openapi/pkg/internal"
+	jsonv2 "k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json"
 )
 
 // PathItemProps the path item specific properties
@@ -46,6 +48,10 @@ type PathItem struct {
 
 // UnmarshalJSON hydrates this items instance with the data from JSON
 func (p *PathItem) UnmarshalJSON(data []byte) error {
+	if internal.UseOptimizedJSONUnmarshaling {
+		return jsonv2.Unmarshal(data, p)
+	}
+
 	if err := json.Unmarshal(data, &p.Refable); err != nil {
 		return err
 	}
@@ -55,6 +61,31 @@ func (p *PathItem) UnmarshalJSON(data []byte) error {
 	return json.Unmarshal(data, &p.PathItemProps)
 }
 
+func (p *PathItem) UnmarshalNextJSON(opts jsonv2.UnmarshalOptions, dec *jsonv2.Decoder) error {
+	var x struct {
+		Extensions
+		PathItemProps
+	}
+
+	if err := opts.UnmarshalNext(dec, &x); err != nil {
+		return err
+	}
+
+	p.Extensions = x.Extensions
+	p.PathItemProps = x.PathItemProps
+
+	if err := p.Refable.Ref.fromMap(p.Extensions); err != nil {
+		return err
+	}
+
+	p.Extensions.sanitize()
+	if len(p.Extensions) == 0 {
+		p.Extensions = nil
+	}
+
+	return nil
+}
+
 // MarshalJSON converts this items object to JSON
 func (p PathItem) MarshalJSON() ([]byte, error) {
 	b3, err := json.Marshal(p.Refable)
diff --git a/vendor/k8s.io/kube-openapi/pkg/validation/spec/paths.go b/vendor/k8s.io/kube-openapi/pkg/validation/spec/paths.go
index 319aba879..7c63d440a 100644
--- a/vendor/k8s.io/kube-openapi/pkg/validation/spec/paths.go
+++ b/vendor/k8s.io/kube-openapi/pkg/validation/spec/paths.go
@@ -16,9 +16,12 @@ package spec
 
 import (
 	"encoding/json"
+	"fmt"
 	"strings"
 
 	"github.com/go-openapi/swag"
+	"k8s.io/kube-openapi/pkg/internal"
+	jsonv2 "k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json"
 )
 
 // Paths holds the relative paths to the individual endpoints.
@@ -34,6 +37,10 @@ type Paths struct {
 
 // UnmarshalJSON hydrates this items instance with the data from JSON
 func (p *Paths) UnmarshalJSON(data []byte) error {
+	if internal.UseOptimizedJSONUnmarshaling {
+		return jsonv2.Unmarshal(data, p)
+	}
+
 	var res map[string]json.RawMessage
 	if err := json.Unmarshal(data, &res); err != nil {
 		return err
@@ -63,6 +70,58 @@ func (p *Paths) UnmarshalJSON(data []byte) error {
 	return nil
 }
 
+func (p *Paths) UnmarshalNextJSON(opts jsonv2.UnmarshalOptions, dec *jsonv2.Decoder) error {
+	tok, err := dec.ReadToken()
+	if err != nil {
+		return err
+	}
+	var ext any
+	var pi PathItem
+	switch k := tok.Kind(); k {
+	case 'n':
+		return nil // noop
+	case '{':
+		for {
+			tok, err := dec.ReadToken()
+			if err != nil {
+				return err
+			}
+
+			if tok.Kind() == '}' {
+				return nil
+			}
+
+			switch k := tok.String(); {
+			case isExtensionKey(k):
+				ext = nil
+				if err := opts.UnmarshalNext(dec, &ext); err != nil {
+					return err
+				}
+
+				if p.Extensions == nil {
+					p.Extensions = make(map[string]any)
+				}
+				p.Extensions[k] = ext
+			case len(k) > 0 && k[0] == '/':
+				pi = PathItem{}
+				if err := opts.UnmarshalNext(dec, &pi); err != nil {
+					return err
+				}
+
+				if p.Paths == nil {
+					p.Paths = make(map[string]PathItem)
+				}
+				p.Paths[k] = pi
+			default:
+				_, err := dec.ReadValue() // skip value
+				return err
+			}
+		}
+	default:
+		return fmt.Errorf("unknown JSON kind: %v", k)
+	}
+}
+
 // MarshalJSON converts this items object to JSON
 func (p Paths) MarshalJSON() ([]byte, error) {
 	b1, err := json.Marshal(p.VendorExtensible)
diff --git a/vendor/k8s.io/kube-openapi/pkg/validation/spec/response.go b/vendor/k8s.io/kube-openapi/pkg/validation/spec/response.go
index 9fd717ec3..f01364b75 100644
--- a/vendor/k8s.io/kube-openapi/pkg/validation/spec/response.go
+++ b/vendor/k8s.io/kube-openapi/pkg/validation/spec/response.go
@@ -18,6 +18,8 @@ import (
 	"encoding/json"
 
 	"github.com/go-openapi/swag"
+	"k8s.io/kube-openapi/pkg/internal"
+	jsonv2 "k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json"
 )
 
 // ResponseProps properties specific to a response
@@ -39,13 +41,46 @@ type Response struct {
 
 // UnmarshalJSON hydrates this items instance with the data from JSON
 func (r *Response) UnmarshalJSON(data []byte) error {
+	if internal.UseOptimizedJSONUnmarshaling {
+		return jsonv2.Unmarshal(data, r)
+	}
+
 	if err := json.Unmarshal(data, &r.ResponseProps); err != nil {
 		return err
 	}
 	if err := json.Unmarshal(data, &r.Refable); err != nil {
 		return err
 	}
-	return json.Unmarshal(data, &r.VendorExtensible)
+	if err := json.Unmarshal(data, &r.VendorExtensible); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (r *Response) UnmarshalNextJSON(opts jsonv2.UnmarshalOptions, dec *jsonv2.Decoder) error {
+	var x struct {
+		ResponseProps
+		Extensions
+	}
+
+	if err := opts.UnmarshalNext(dec, &x); err != nil {
+		return err
+	}
+
+	r.Extensions = x.Extensions
+	r.ResponseProps = x.ResponseProps
+
+	if err := r.Refable.Ref.fromMap(r.Extensions); err != nil {
+		return err
+	}
+
+	r.Extensions.sanitize()
+	if len(r.Extensions) == 0 {
+		r.Extensions = nil
+	}
+
+	return nil
 }
 
 // MarshalJSON converts this items object to JSON
diff --git a/vendor/k8s.io/kube-openapi/pkg/validation/spec/responses.go b/vendor/k8s.io/kube-openapi/pkg/validation/spec/responses.go
index b2c3883a9..c3fa68191 100644
--- a/vendor/k8s.io/kube-openapi/pkg/validation/spec/responses.go
+++ b/vendor/k8s.io/kube-openapi/pkg/validation/spec/responses.go
@@ -16,10 +16,13 @@ package spec
 
 import (
 	"encoding/json"
+	"fmt"
 	"reflect"
 	"strconv"
 
 	"github.com/go-openapi/swag"
+	"k8s.io/kube-openapi/pkg/internal"
+	jsonv2 "k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json"
 )
 
 // Responses is a container for the expected responses of an operation.
@@ -42,6 +45,10 @@ type Responses struct {
 
 // UnmarshalJSON hydrates this items instance with the data from JSON
 func (r *Responses) UnmarshalJSON(data []byte) error {
+	if internal.UseOptimizedJSONUnmarshaling {
+		return jsonv2.Unmarshal(data, r)
+	}
+
 	if err := json.Unmarshal(data, &r.ResponsesProps); err != nil {
 		return err
 	}
@@ -90,21 +97,90 @@ func (r ResponsesProps) MarshalJSON() ([]byte, error) {
 
 // UnmarshalJSON unmarshals responses from JSON
 func (r *ResponsesProps) UnmarshalJSON(data []byte) error {
-	var res map[string]Response
+	if internal.UseOptimizedJSONUnmarshaling {
+		return jsonv2.Unmarshal(data, r)
+	}
+	var res map[string]json.RawMessage
 	if err := json.Unmarshal(data, &res); err != nil {
-		return nil
+		return err
 	}
 	if v, ok := res["default"]; ok {
-		r.Default = &v
+		value := Response{}
+		if err := json.Unmarshal(v, &value); err != nil {
+			return err
+		}
+		r.Default = &value
 		delete(res, "default")
 	}
 	for k, v := range res {
+		// Take all integral keys
 		if nk, err := strconv.Atoi(k); err == nil {
 			if r.StatusCodeResponses == nil {
 				r.StatusCodeResponses = map[int]Response{}
 			}
-			r.StatusCodeResponses[nk] = v
+			value := Response{}
+			if err := json.Unmarshal(v, &value); err != nil {
+				return err
+			}
+			r.StatusCodeResponses[nk] = value
 		}
 	}
 	return nil
 }
+
+func (r *Responses) UnmarshalNextJSON(opts jsonv2.UnmarshalOptions, dec *jsonv2.Decoder) (err error) {
+	tok, err := dec.ReadToken()
+	if err != nil {
+		return err
+	}
+	var ext any
+	var resp Response
+	switch k := tok.Kind(); k {
+	case 'n':
+		return nil // noop
+	case '{':
+		for {
+			tok, err := dec.ReadToken()
+			if err != nil {
+				return err
+			}
+			if tok.Kind() == '}' {
+				return nil
+			}
+			switch k := tok.String(); {
+			case isExtensionKey(k):
+				ext = nil
+				if err := opts.UnmarshalNext(dec, &ext); err != nil {
+					return err
+				}
+
+				if r.Extensions == nil {
+					r.Extensions = make(map[string]any)
+				}
+				r.Extensions[k] = ext
+			case k == "default":
+				resp = Response{}
+				if err := opts.UnmarshalNext(dec, &resp); err != nil {
+					return err
+				}
+
+				respCopy := resp
+				r.ResponsesProps.Default = &respCopy
+			default:
+				if nk, err := strconv.Atoi(k); err == nil {
+					resp = Response{}
+					if err := opts.UnmarshalNext(dec, &resp); err != nil {
+						return err
+					}
+
+					if r.StatusCodeResponses == nil {
+						r.StatusCodeResponses = map[int]Response{}
+					}
+					r.StatusCodeResponses[nk] = resp
+				}
+			}
+		}
+	default:
+		return fmt.Errorf("unknown JSON kind: %v", k)
+	}
+}
diff --git a/vendor/k8s.io/kube-openapi/pkg/validation/spec/schema.go b/vendor/k8s.io/kube-openapi/pkg/validation/spec/schema.go
index b0aeeb0d0..9add0c163 100644
--- a/vendor/k8s.io/kube-openapi/pkg/validation/spec/schema.go
+++ b/vendor/k8s.io/kube-openapi/pkg/validation/spec/schema.go
@@ -21,6 +21,8 @@ import (
 	"strings"
 
 	"github.com/go-openapi/swag"
+	"k8s.io/kube-openapi/pkg/internal"
+	jsonv2 "k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json"
 )
 
 // BooleanProperty creates a boolean property
@@ -465,6 +467,10 @@ func (s Schema) MarshalJSON() ([]byte, error) {
 
 // UnmarshalJSON marshal this from JSON
 func (s *Schema) UnmarshalJSON(data []byte) error {
+	if internal.UseOptimizedJSONUnmarshaling {
+		return jsonv2.Unmarshal(data, s)
+	}
+
 	props := struct {
 		SchemaProps
 		SwaggerSchemaProps
@@ -511,3 +517,38 @@ func (s *Schema) UnmarshalJSON(data []byte) error {
 
 	return nil
 }
+
+func (s *Schema) UnmarshalNextJSON(opts jsonv2.UnmarshalOptions, dec *jsonv2.Decoder) error {
+	var x struct {
+		Extensions
+		SchemaProps
+		SwaggerSchemaProps
+	}
+	if err := opts.UnmarshalNext(dec, &x); err != nil {
+		return err
+	}
+
+	if err := x.Ref.fromMap(x.Extensions); err != nil {
+		return err
+	}
+
+	if err := x.Schema.fromMap(x.Extensions); err != nil {
+		return err
+	}
+
+	delete(x.Extensions, "$ref")
+	delete(x.Extensions, "$schema")
+
+	for _, pn := range swag.DefaultJSONNameProvider.GetJSONNames(s) {
+		delete(x.Extensions, pn)
+	}
+	if len(x.Extensions) == 0 {
+		x.Extensions = nil
+	}
+
+	s.ExtraProps = x.Extensions.sanitizeWithExtra()
+	s.VendorExtensible.Extensions = x.Extensions
+	s.SchemaProps = x.SchemaProps
+	s.SwaggerSchemaProps = x.SwaggerSchemaProps
+	return nil
+}
diff --git a/vendor/k8s.io/kube-openapi/pkg/validation/spec/security_scheme.go b/vendor/k8s.io/kube-openapi/pkg/validation/spec/security_scheme.go
index 563b9b95e..34723fb71 100644
--- a/vendor/k8s.io/kube-openapi/pkg/validation/spec/security_scheme.go
+++ b/vendor/k8s.io/kube-openapi/pkg/validation/spec/security_scheme.go
@@ -18,6 +18,7 @@ import (
 	"encoding/json"
 
 	"github.com/go-openapi/swag"
+	jsonv2 "k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json"
 )
 
 // SecuritySchemeProps describes a swagger security scheme in the securityDefinitions section
@@ -62,3 +63,20 @@ func (s *SecurityScheme) UnmarshalJSON(data []byte) error {
 	}
 	return json.Unmarshal(data, &s.VendorExtensible)
 }
+
+func (s *SecurityScheme) UnmarshalNextJSON(opts jsonv2.UnmarshalOptions, dec *jsonv2.Decoder) error {
+	var x struct {
+		Extensions
+		SecuritySchemeProps
+	}
+	if err := opts.UnmarshalNext(dec, &x); err != nil {
+		return err
+	}
+	x.Extensions.sanitize()
+	if len(x.Extensions) == 0 {
+		x.Extensions = nil
+	}
+	s.VendorExtensible.Extensions = x.Extensions
+	s.SecuritySchemeProps = x.SecuritySchemeProps
+	return nil
+}
diff --git a/vendor/k8s.io/kube-openapi/pkg/validation/spec/swagger.go b/vendor/k8s.io/kube-openapi/pkg/validation/spec/swagger.go
index be66d1ddd..f6cb7da3f 100644
--- a/vendor/k8s.io/kube-openapi/pkg/validation/spec/swagger.go
+++ b/vendor/k8s.io/kube-openapi/pkg/validation/spec/swagger.go
@@ -19,6 +19,8 @@ import (
 	"fmt"
 
 	"github.com/go-openapi/swag"
+	"k8s.io/kube-openapi/pkg/internal"
+	jsonv2 "k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json"
 )
 
 // Swagger this is the root document object for the API specification.
@@ -46,6 +48,10 @@ func (s Swagger) MarshalJSON() ([]byte, error) {
 
 // UnmarshalJSON unmarshals a swagger spec from json
 func (s *Swagger) UnmarshalJSON(data []byte) error {
+	if internal.UseOptimizedJSONUnmarshaling {
+		return jsonv2.Unmarshal(data, s)
+	}
+
 	var sw Swagger
 	if err := json.Unmarshal(data, &sw.SwaggerProps); err != nil {
 		return err
@@ -57,6 +63,30 @@ func (s *Swagger) UnmarshalJSON(data []byte) error {
 	return nil
 }
 
+func (s *Swagger) UnmarshalNextJSON(opts jsonv2.UnmarshalOptions, dec *jsonv2.Decoder) error {
+	// Note: If you're willing to make breaking changes, it is possible to
+	// optimize this and other usages of this pattern:
+	// https://github.com/kubernetes/kube-openapi/pull/319#discussion_r983165948
+	var x struct {
+		Extensions
+		SwaggerProps
+	}
+
+	if err := opts.UnmarshalNext(dec, &x); err != nil {
+		return err
+	}
+
+	s.Extensions = x.Extensions
+	s.SwaggerProps = x.SwaggerProps
+
+	s.Extensions.sanitize()
+	if len(s.Extensions) == 0 {
+		s.Extensions = nil
+	}
+
+	return nil
+}
+
 // SwaggerProps captures the top-level properties of an Api specification
 //
 // NOTE: validation rules
@@ -108,6 +138,10 @@ func (s SchemaOrBool) MarshalJSON() ([]byte, error) {
 
 // UnmarshalJSON converts this bool or schema object from a JSON structure
 func (s *SchemaOrBool) UnmarshalJSON(data []byte) error {
+	if internal.UseOptimizedJSONUnmarshaling {
+		return jsonv2.Unmarshal(data, s)
+	}
+
 	var nw SchemaOrBool
 	if len(data) >= 4 {
 		if data[0] == '{' {
@@ -123,6 +157,26 @@ func (s *SchemaOrBool) UnmarshalJSON(data []byte) error {
 	return nil
 }
 
+func (s *SchemaOrBool) UnmarshalNextJSON(opts jsonv2.UnmarshalOptions, dec *jsonv2.Decoder) error {
+	switch k := dec.PeekKind(); k {
+	case '{':
+		err := opts.UnmarshalNext(dec, &s.Schema)
+		if err != nil {
+			return err
+		}
+		s.Allows = true
+		return nil
+	case 't', 'f':
+		err := opts.UnmarshalNext(dec, &s.Allows)
+		if err != nil {
+			return err
+		}
+		return nil
+	default:
+		return fmt.Errorf("expected object or bool, not '%v'", k.String())
+	}
+}
+
 // SchemaOrStringArray represents a schema or a string array
 type SchemaOrStringArray struct {
 	Schema   *Schema
@@ -142,6 +196,10 @@ func (s SchemaOrStringArray) MarshalJSON() ([]byte, error) {
 
 // UnmarshalJSON converts this schema object or array from a JSON structure
 func (s *SchemaOrStringArray) UnmarshalJSON(data []byte) error {
+	if internal.UseOptimizedJSONUnmarshaling {
+		return jsonv2.Unmarshal(data, s)
+	}
+
 	var first byte
 	if len(data) > 1 {
 		first = data[0]
@@ -163,6 +221,18 @@ func (s *SchemaOrStringArray) UnmarshalJSON(data []byte) error {
 	return nil
 }
 
+func (s *SchemaOrStringArray) UnmarshalNextJSON(opts jsonv2.UnmarshalOptions, dec *jsonv2.Decoder) error {
+	switch dec.PeekKind() {
+	case '{':
+		return opts.UnmarshalNext(dec, &s.Schema)
+	case '[':
+		return opts.UnmarshalNext(dec, &s.Property)
+	default:
+		_, err := dec.ReadValue()
+		return err
+	}
+}
+
 // Definitions contains the models explicitly defined in this spec
 // An object to hold data types that can be consumed and produced by operations.
 // These data types can be primitives, arrays or models.
@@ -193,6 +263,10 @@ func (s StringOrArray) Contains(value string) bool {
 
 // UnmarshalJSON unmarshals this string or array object from a JSON array or JSON string
 func (s *StringOrArray) UnmarshalJSON(data []byte) error {
+	if internal.UseOptimizedJSONUnmarshaling {
+		return jsonv2.Unmarshal(data, s)
+	}
+
 	var first byte
 	if len(data) > 1 {
 		first = data[0]
@@ -223,6 +297,23 @@ func (s *StringOrArray) UnmarshalJSON(data []byte) error {
 	}
 }
 
+func (s *StringOrArray) UnmarshalNextJSON(opts jsonv2.UnmarshalOptions, dec *jsonv2.Decoder) error {
+	switch k := dec.PeekKind(); k {
+	case '[':
+		*s = StringOrArray{}
+		return opts.UnmarshalNext(dec, (*[]string)(s))
+	case '"':
+		*s = StringOrArray{""}
+		return opts.UnmarshalNext(dec, &(*s)[0])
+	case 'n':
+		// Throw out null token
+		_, _ = dec.ReadToken()
+		return nil
+	default:
+		return fmt.Errorf("expected string or array, not '%v'", k.String())
+	}
+}
+
 // MarshalJSON converts this string or array to a JSON array or JSON string
 func (s StringOrArray) MarshalJSON() ([]byte, error) {
 	if len(s) == 1 {
@@ -264,6 +355,10 @@ func (s SchemaOrArray) MarshalJSON() ([]byte, error) {
 
 // UnmarshalJSON converts this schema object or array from a JSON structure
 func (s *SchemaOrArray) UnmarshalJSON(data []byte) error {
+	if internal.UseOptimizedJSONUnmarshaling {
+		return jsonv2.Unmarshal(data, s)
+	}
+
 	var nw SchemaOrArray
 	var first byte
 	if len(data) > 1 {
@@ -284,3 +379,15 @@ func (s *SchemaOrArray) UnmarshalJSON(data []byte) error {
 	*s = nw
 	return nil
 }
+
+func (s *SchemaOrArray) UnmarshalNextJSON(opts jsonv2.UnmarshalOptions, dec *jsonv2.Decoder) error {
+	switch dec.PeekKind() {
+	case '{':
+		return opts.UnmarshalNext(dec, &s.Schema)
+	case '[':
+		return opts.UnmarshalNext(dec, &s.Schemas)
+	default:
+		_, err := dec.ReadValue()
+		return err
+	}
+}
diff --git a/vendor/k8s.io/kube-openapi/pkg/validation/spec/tag.go b/vendor/k8s.io/kube-openapi/pkg/validation/spec/tag.go
index ddd1eac7e..69e93b60b 100644
--- a/vendor/k8s.io/kube-openapi/pkg/validation/spec/tag.go
+++ b/vendor/k8s.io/kube-openapi/pkg/validation/spec/tag.go
@@ -18,6 +18,8 @@ import (
 	"encoding/json"
 
 	"github.com/go-openapi/swag"
+	"k8s.io/kube-openapi/pkg/internal"
+	jsonv2 "k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json"
 )
 
 // TagProps describe a tag entry in the top level tags section of a swagger spec
@@ -52,8 +54,29 @@ func (t Tag) MarshalJSON() ([]byte, error) {
 
 // UnmarshalJSON marshal this from JSON
 func (t *Tag) UnmarshalJSON(data []byte) error {
+	if internal.UseOptimizedJSONUnmarshaling {
+		return jsonv2.Unmarshal(data, t)
+	}
+
 	if err := json.Unmarshal(data, &t.TagProps); err != nil {
 		return err
 	}
 	return json.Unmarshal(data, &t.VendorExtensible)
 }
+
+func (t *Tag) UnmarshalNextJSON(opts jsonv2.UnmarshalOptions, dec *jsonv2.Decoder) error {
+	var x struct {
+		Extensions
+		TagProps
+	}
+	if err := opts.UnmarshalNext(dec, &x); err != nil {
+		return err
+	}
+	x.Extensions.sanitize()
+	if len(x.Extensions) == 0 {
+		x.Extensions = nil
+	}
+	t.VendorExtensible.Extensions = x.Extensions
+	t.TagProps = x.TagProps
+	return nil
+}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index fcfcd3f2a..7983572cd 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1,4 +1,4 @@
-# github.com/IBM/keyprotect-go-client v0.9.1
+# github.com/IBM/keyprotect-go-client v0.9.2
 ## explicit; go 1.15
 github.com/IBM/keyprotect-go-client
 github.com/IBM/keyprotect-go-client/iam
@@ -14,7 +14,7 @@ github.com/armon/go-metrics
 # github.com/armon/go-radix v1.0.0
 ## explicit
 github.com/armon/go-radix
-# github.com/aws/aws-sdk-go v1.44.146
+# github.com/aws/aws-sdk-go v1.44.172
 ## explicit; go 1.11
 github.com/aws/aws-sdk-go/aws
 github.com/aws/aws-sdk-go/aws/awserr
@@ -59,7 +59,7 @@ github.com/aws/aws-sdk-go/service/sso
 github.com/aws/aws-sdk-go/service/sso/ssoiface
 github.com/aws/aws-sdk-go/service/sts
 github.com/aws/aws-sdk-go/service/sts/stsiface
-# github.com/aws/aws-sdk-go-v2 v1.17.2
+# github.com/aws/aws-sdk-go-v2 v1.17.3
 ## explicit; go 1.15
 github.com/aws/aws-sdk-go-v2/aws
 github.com/aws/aws-sdk-go-v2/aws/defaults
@@ -76,16 +76,16 @@ github.com/aws/aws-sdk-go-v2/internal/sdk
 github.com/aws/aws-sdk-go-v2/internal/strings
 github.com/aws/aws-sdk-go-v2/internal/sync/singleflight
 github.com/aws/aws-sdk-go-v2/internal/timeconv
-# github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.26
+# github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.27
 ## explicit; go 1.15
 github.com/aws/aws-sdk-go-v2/internal/configsources
-# github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.20
+# github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.21
 ## explicit; go 1.15
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2
-# github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.20
+# github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.21
 ## explicit; go 1.15
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url
-# github.com/aws/aws-sdk-go-v2/service/sts v1.17.6
+# github.com/aws/aws-sdk-go-v2/service/sts v1.17.7
 ## explicit; go 1.15
 github.com/aws/aws-sdk-go-v2/service/sts
 github.com/aws/aws-sdk-go-v2/service/sts/internal/endpoints
@@ -122,7 +122,7 @@ github.com/cenkalti/backoff/v3
 github.com/ceph/ceph-csi/api/deploy/kubernetes/nfs
 github.com/ceph/ceph-csi/api/deploy/kubernetes/rbd
 github.com/ceph/ceph-csi/api/deploy/ocp
-# github.com/ceph/go-ceph v0.18.0
+# github.com/ceph/go-ceph v0.19.0
 ## explicit; go 1.17
 github.com/ceph/go-ceph/cephfs/admin
 github.com/ceph/go-ceph/common/admin/manager
@@ -378,8 +378,8 @@ github.com/kubernetes-csi/csi-lib-utils/connection
 github.com/kubernetes-csi/csi-lib-utils/metrics
 github.com/kubernetes-csi/csi-lib-utils/protosanitizer
 github.com/kubernetes-csi/csi-lib-utils/rpc
-# github.com/kubernetes-csi/external-snapshotter/client/v6 v6.1.0
-## explicit; go 1.18
+# github.com/kubernetes-csi/external-snapshotter/client/v6 v6.2.0
+## explicit; go 1.19
 github.com/kubernetes-csi/external-snapshotter/client/v6/apis/volumesnapshot/v1
 github.com/kubernetes-csi/external-snapshotter/client/v6/clientset/versioned/scheme
 github.com/kubernetes-csi/external-snapshotter/client/v6/clientset/versioned/typed/volumesnapshot/v1
@@ -620,7 +620,7 @@ golang.org/x/crypto/pbkdf2
 golang.org/x/crypto/scrypt
 golang.org/x/crypto/ssh
 golang.org/x/crypto/ssh/internal/bcrypt_pbkdf
-# golang.org/x/net v0.4.0
+# golang.org/x/net v0.5.0
 ## explicit; go 1.17
 golang.org/x/net/context
 golang.org/x/net/context/ctxhttp
@@ -639,17 +639,17 @@ golang.org/x/net/trace
 ## explicit; go 1.17
 golang.org/x/oauth2
 golang.org/x/oauth2/internal
-# golang.org/x/sys v0.3.0
+# golang.org/x/sys v0.4.0
 ## explicit; go 1.17
 golang.org/x/sys/cpu
 golang.org/x/sys/internal/unsafeheader
 golang.org/x/sys/plan9
 golang.org/x/sys/unix
 golang.org/x/sys/windows
-# golang.org/x/term v0.3.0
+# golang.org/x/term v0.4.0
 ## explicit; go 1.17
 golang.org/x/term
-# golang.org/x/text v0.5.0
+# golang.org/x/text v0.6.0
 ## explicit; go 1.17
 golang.org/x/text/cases
 golang.org/x/text/encoding
@@ -800,7 +800,7 @@ gopkg.in/yaml.v2
 # gopkg.in/yaml.v3 v3.0.1
 ## explicit
 gopkg.in/yaml.v3
-# k8s.io/api v0.25.4 => k8s.io/api v0.25.4
+# k8s.io/api v0.26.0 => k8s.io/api v0.25.4
 ## explicit; go 1.19
 k8s.io/api/admission/v1
 k8s.io/api/admission/v1beta1
@@ -854,7 +854,7 @@ k8s.io/api/storage/v1beta1
 ## explicit; go 1.19
 k8s.io/apiextensions-apiserver/pkg/apis/apiextensions
 k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
-# k8s.io/apimachinery v0.25.4 => k8s.io/apimachinery v0.25.4
+# k8s.io/apimachinery v0.26.0 => k8s.io/apimachinery v0.25.4
 ## explicit; go 1.19
 k8s.io/apimachinery/pkg/api/equality
 k8s.io/apimachinery/pkg/api/errors
@@ -1229,12 +1229,14 @@ k8s.io/klog/v2/internal/clock
 k8s.io/klog/v2/internal/dbg
 k8s.io/klog/v2/internal/serialize
 k8s.io/klog/v2/internal/severity
-# k8s.io/kube-openapi v0.0.0-20220803164354-a70c9af30aea
+# k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280
 ## explicit; go 1.18
 k8s.io/kube-openapi/pkg/builder3/util
 k8s.io/kube-openapi/pkg/common
 k8s.io/kube-openapi/pkg/handler3
+k8s.io/kube-openapi/pkg/internal
 k8s.io/kube-openapi/pkg/internal/handler
+k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json
 k8s.io/kube-openapi/pkg/openapiconv
 k8s.io/kube-openapi/pkg/schemaconv
 k8s.io/kube-openapi/pkg/schemamutation