diff --git a/image.go b/image.go
index 3c58b64d2b..7318e04bda 100644
--- a/image.go
+++ b/image.go
@@ -421,11 +421,6 @@ func (i *containerImageRef) NewImageSource(ctx context.Context, sc *types.System
 if err != nil {
 return nil, fmt.Errorf("unable to locate layer %q: %w", layerID, err)
 }
- // If we're up to the final layer, but we don't want to include
- // a diff for it, we're done.
- if i.emptyLayer && layerID == i.layerID {
- continue
- }
 // If we already know the digest of the contents of parent
 // layers, reuse their blobsums, diff IDs, and sizes.
 if !i.confidentialWorkload.Convert && !i.squash && layerID != i.layerID && layer.UncompressedDigest != "" {
@@ -479,6 +474,11 @@ func (i *containerImageRef) NewImageSource(ctx context.Context, sc *types.System
 return nil, err
 }
 } else {
+ // If we're up to the final layer, but we don't want to
+ // include a diff for it, we're done.
+ if i.emptyLayer && layerID == i.layerID {
+ continue
+ }
 // Extract this layer, one of possibly many.
 rc, err = i.store.Diff("", layerID, diffOptions)
 if err != nil {
@@ -927,7 +927,7 @@ func (b *Builder) makeContainerImageRef(options CommitOptions) (*containerImageR
 squash: options.Squash,
 confidentialWorkload: options.ConfidentialWorkloadOptions,
 omitHistory: options.OmitHistory,
- emptyLayer: options.EmptyLayer && !options.Squash,
+ emptyLayer: options.EmptyLayer && !options.Squash && !options.ConfidentialWorkloadOptions.Convert,
 idMappingOptions: &b.IDMappingOptions,
 parent: parent,
 blobDirectory: options.BlobDirectory,
diff --git a/tests/mkcw.bats b/tests/mkcw.bats
index c2a8d76e3a..1aa32c1c9c 100644
--- a/tests/mkcw.bats
+++ b/tests/mkcw.bats
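Review bot: Moving the empty-final-layer skip from the top of the loop body (removed here) into the `else` branch of the second hunk means everything between the old position and that `} else {` now also runs for a final layer with `emptyLayer` set; the visible context line that tests `i.confidentialWorkload.Convert` suggests that region is the confidential-workload path and that the move is intended, but the relocated comment still only says "we're done" and gives no hint that the other branches are meant to see every layer. Suggest extending the comment in the second hunk to `// Only the plain extraction path skips an empty final layer; the branches above must see every layer, including the final one.` — confirm that against the code between the two hunks, which is outside this view. The loop body and NewImageSource continue outside both hunks.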
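Review bot: The widened `emptyLayer` initializer now clears the flag for two unrelated options without saying why, and the reader has to go back to NewImageSource to learn that the flag only matters on the extraction path. A one-line why-comment above the field would make the invariant explicit, e.g. `// A squashed or confidential-workload image rewrites the final layer, so it is never treated as empty — see NewImageSource.` If the actual reason is that conversion needs the full rootfs present in the final layer (the new mkcw.bats case builds with --layers and a final instruction that normally adds no layer), state that instead. makeContainerImageRef starts before and ends after this hunk.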
@@ -7,9 +7,9 @@ function mkcw_check_image() {
 local expectedEnv="$2"
 # Mount the container and take a look at what it got from the image.
 run_buildah from "$imageID"
- ctrID="$output"
+ local ctrID="$output"
 run_buildah mount "$ctrID"
- mountpoint="$output"
+ local mountpoint="$output"
 # Should have a /disk.img file.
 test -s "$mountpoint"/disk.img
 # Should have a krun-sev.json file.
@@ -33,6 +33,8 @@ function mkcw_check_image() {
 fi
 # Should have a /tmp directory, at least.
 test -d "$TEST_SCRATCH_DIR"/mount/tmp
+ # Should have a /bin/sh file from the base image, at least.
+ test -s "$TEST_SCRATCH_DIR"/mount/bin/sh || test -L "$TEST_SCRATCH_DIR"/mount/bin/sh
 # Clean up.
 umount "$TEST_SCRATCH_DIR"/mount
@@ -83,6 +85,13 @@ function mkcw_check_image() {
 echo -n "mkcw build" > "$TEST_SCRATCH_DIR"/key
 run_buildah build --iidfile "$TEST_SCRATCH_DIR"/iid --cw type=SEV,ignore_attestation_errors,passphrase="mkcw build" -f bud/env/Dockerfile.check-env bud/env
 mkcw_check_image $(cat "$TEST_SCRATCH_DIR"/iid)
+ run_buildah build --iidfile "$TEST_SCRATCH_DIR"/iid --cw type=sev,ignore_attestation_errors,passphrase="mkcw build" -f bud/env/Dockerfile.check-env bud/env
 mkcw_check_image $(cat "$TEST_SCRATCH_DIR"/iid)
+
+ # the key thing about this next bit is mixing --layers with a final
+ # instruction in the Dockerfile that normally wouldn't produce a layer
+ echo -n "mkcw build --layers" > "$TEST_SCRATCH_DIR"/key
+ run_buildah build --iidfile "$TEST_SCRATCH_DIR"/iid --cw type=SEV,ignore_attestation_errors,passphrase="mkcw build --layers" --layers -f bud/env/Dockerfile.check-env bud/env
+ mkcw_check_image $(cat "$TEST_SCRATCH_DIR"/iid)
 }
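Review bot: The comment on the new --layers case says what is being mixed but not what used to go wrong, so a future reader cannot tell which assertion in mkcw_check_image guards it; the `/bin/sh` check added in this file's second hunk appears to be the one. Suggest `# With --layers and a final instruction that adds no layer, the final layer used to be skipped and the disk image lost the base rootfs; mkcw_check_image's /bin/sh check catches that.` in place of the two-line comment. The added `type=sev` build relies on the `key` file written before the previous run still holding the same passphrase; a short comment that the reuse is deliberate (only lowercase type parsing is under test) would help. The test function starts before this hunk; its closing brace is the hunk's last line.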