From 2f672a1907bc8607db4f679fc62d1bfcbefd53b6 Mon Sep 17 00:00:00 2001 From: Manuel Huber Date: Tue, 4 Jun 2024 13:16:51 -0700 Subject: [PATCH] tools: Improve igvm-builder and node-builder/azure-linux scripting - Support for Mariner 3 builds using OS_VERSION variable - Improvements to IGVM build process and flow as described in README - Adoption of using only cloud-hypervisor-cvm on CBL-Mariner Signed-off-by: Manuel Huber --- src/runtime/Makefile | 6 -- src/runtime/arch/amd64-options.mk | 1 - src/runtime/arch/arm64-options.mk | 1 - .../config/configuration-clh-snp.toml.in | 6 +- tools/osbuilder/.gitignore | 2 + tools/osbuilder/Makefile | 2 - .../igvm-builder/azure-linux/config.sh | 21 +++--- .../igvm-builder/azure-linux/igvm_lib.sh | 57 +++++++++++++-- tools/osbuilder/igvm-builder/igvm_builder.sh | 71 +++++++------------ .../node-builder/azure-linux/Makefile | 16 ++++- .../node-builder/azure-linux/README.md | 20 ++++-- .../node-builder/azure-linux/clean.sh | 7 +- .../node-builder/azure-linux/common.sh | 34 ++++++--- .../node-builder/azure-linux/package_build.sh | 27 +++++-- .../azure-linux/package_install.sh | 35 +++++---- .../node-builder/azure-linux/uvm_build.sh | 21 ++---- .../node-builder/azure-linux/uvm_install.sh | 2 +- 17 files changed, 203 insertions(+), 126 deletions(-) diff --git a/src/runtime/Makefile b/src/runtime/Makefile index 2077067e229b..7b1b5e821caf 100644 --- a/src/runtime/Makefile +++ b/src/runtime/Makefile @@ -175,9 +175,6 @@ QEMUVIRTIOFSPATH := $(QEMUBINDIR)/$(QEMUVIRTIOFSCMD) CLHPATH := $(CLHBINDIR)/$(CLHCMD) CLHVALIDHYPERVISORPATHS := [\"$(CLHPATH)\"] -CLHSNPPATH := $(CLHBINDIR)/$(CLHSNPCMD) -CLHSNPVALIDHYPERVISORPATHS := [\"$(CLHSNPPATH)\"] - FCPATH = $(FCBINDIR)/$(FCCMD) FCVALIDHYPERVISORPATHS := [\"$(FCPATH)\"] FCJAILERPATH = $(FCBINDIR)/$(FCJAILERCMD) 
@@ -566,9 +563,6 @@ USER_VARS += ACRNCTLPATH USER_VARS += ACRNVALIDCTLPATHS USER_VARS += CLHPATH USER_VARS += CLHVALIDHYPERVISORPATHS -USER_VARS += CLHSNPCMD -USER_VARS += CLHSNPPATH -USER_VARS += CLHSNPVALIDHYPERVISORPATHS USER_VARS += FIRMWAREPATH_CLH USER_VARS += FCCMD USER_VARS += FCPATH diff --git a/src/runtime/arch/amd64-options.mk b/src/runtime/arch/amd64-options.mk index 0e3ff83b54c7..940e87a41a17 100644 --- a/src/runtime/arch/amd64-options.mk +++ b/src/runtime/arch/amd64-options.mk @@ -26,7 +26,6 @@ ACRNCTLCMD := acrnctl # cloud-hypervisor binary name CLHCMD := cloud-hypervisor -CLHSNPCMD := cloud-hypervisor-snp DEFSTATICRESOURCEMGMT_CLH := false diff --git a/src/runtime/arch/arm64-options.mk b/src/runtime/arch/arm64-options.mk index bfac6071079d..895c93f82e9a 100644 --- a/src/runtime/arch/arm64-options.mk +++ b/src/runtime/arch/arm64-options.mk @@ -19,7 +19,6 @@ FCJAILERCMD := jailer # cloud-hypervisor binary name CLHCMD := cloud-hypervisor -CLHSNPCMD := cloud-hypervisor-snp DEFSTATICRESOURCEMGMT_CLH := true diff --git a/src/runtime/config/configuration-clh-snp.toml.in b/src/runtime/config/configuration-clh-snp.toml.in index 33aa41db0c8d..d98fdd31ef27 100644 --- a/src/runtime/config/configuration-clh-snp.toml.in +++ b/src/runtime/config/configuration-clh-snp.toml.in @@ -11,7 +11,7 @@ # XXX: Type: @PROJECT_TYPE@ [hypervisor.clh] -path = "@CLHSNPPATH@" +path = "@CLHPATH@" igvm = "@IGVMPATH@" image = "@IMAGEPATH@" 
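Review bot: With `path = "@CLHPATH@"` the SNP template now resolves to `$(CLHBINDIR)/$(CLHCMD)`, and the amd64/arm64 option hunks leave `CLHCMD := cloud-hypervisor` while deleting the `cloud-hypervisor-snp` name, so the generated SNP configuration points at the plain binary name rather than the `cloud-hypervisor-cvm` binary the commit message describes. That only works if the node build overrides `CLHCMD`/`CLHPATH` at make time or installs the CVM binary under the generic name, neither of which is visible here; the same substitution is made for `valid_hypervisor_paths` in the second hunk of this file, which makes that single path the entire allowlist, so a mismatch should fail closed rather than silently run a non-CVM hypervisor. A comment in the template above `path`, e.g. `# For SNP builds CLHPATH must name the confidential (CVM) cloud-hypervisor binary; override CLHCMD/CLHPATH at build time if it is installed under a different name`, would make that expectation explicit.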
@@ -80,8 +80,8 @@ enable_annotations = @DEFENABLEANNOTATIONS@ # List of valid annotations values for the hypervisor # Each member of the list is a path pattern as described by glob(3). # The default if not set is empty (all annotations rejected.) -# Your distribution recommends: @CLHSNPVALIDHYPERVISORPATHS@ -valid_hypervisor_paths = @CLHSNPVALIDHYPERVISORPATHS@ +# Your distribution recommends: @CLHVALIDHYPERVISORPATHS@ +valid_hypervisor_paths = @CLHVALIDHYPERVISORPATHS@ # Optional space-separated list of options to pass to the guest kernel. # For example, use `kernel_params = "vsyscall=emulate"` if you are having diff --git a/tools/osbuilder/.gitignore b/tools/osbuilder/.gitignore index becda8442895..365d32272eb4 100644 --- a/tools/osbuilder/.gitignore +++ b/tools/osbuilder/.gitignore @@ -9,3 +9,5 @@ kata-containers-initrd.img kata-containers.img rootfs-builder/centos/RPM-GPG-KEY-* typescript +node-builder/azure-linux/agent-install +igvm-builder/igvm-tooling diff --git a/tools/osbuilder/Makefile b/tools/osbuilder/Makefile index f7924a7c3497..ae7baf72054a 100644 --- a/tools/osbuilder/Makefile +++ b/tools/osbuilder/Makefile @@ -9,7 +9,6 @@ ROOTFS_BUILDER := $(MK_DIR)/rootfs-builder/rootfs.sh INITRD_BUILDER := $(MK_DIR)/initrd-builder/initrd_builder.sh IMAGE_BUILDER := $(MK_DIR)/image-builder/image_builder.sh IGVM_BUILDER := $(MK_DIR)/igvm-builder/igvm_builder.sh -IGVM_TOOL_SRC := $(MK_DIR)/igvm-tooling DISTRO ?= ubuntu BUILD_METHOD := distro @@ -222,7 +221,6 @@ install-scripts: clean: rm -rf $(TARGET_ROOTFS_MARKER) $(TARGET_ROOTFS) $(TARGET_IMAGE) $(TARGET_INITRD) $(DRACUT_OVERLAY_DIR) $(TARGET_IGVM) $(TARGET_IGVM_DEBUG) $(TARGET_IGVM_MSMT) $(TARGET_IGVM_DEBUG_MSMT) $(TARGET_IGVM_LOG) rm -rf $(IGVM_TOOL_SRC) - pip3 uninstall -y msigvm # Prints the name of the variable passed as suffix to the print- target, # E.g., if Makefile contains: 
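Review bot: The `clean` recipe keeps `rm -rf $(IGVM_TOOL_SRC)` while the first hunk of this Makefile deletes the `IGVM_TOOL_SRC` definition, so the line now expands to a bare `rm -rf` with no operand (and a warning under `--warn-undefined-variables`). Since the commit moves tool removal into the builder script, which now accepts `-u`, the dangling line should either be dropped or replaced with the script call, e.g. `$(IGVM_BUILDER) -u`, so that `clean` still removes the extracted tooling and the pip module as it did before.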
diff --git a/tools/osbuilder/igvm-builder/azure-linux/config.sh b/tools/osbuilder/igvm-builder/azure-linux/config.sh
index bc6986f75adb..ade604dd6046 100644
--- a/tools/osbuilder/igvm-builder/azure-linux/config.sh
+++ b/tools/osbuilder/igvm-builder/azure-linux/config.sh
@@ -5,16 +5,21 @@ # SPDX-License-Identifier: Apache-2.0 # this is where the kernel-uvm package installation places bzImage, see SPEC file -bzimage_bin="/usr/share/cloud-hypervisor/bzImage" +BZIMAGE_BIN="/usr/share/cloud-hypervisor/bzImage" -igvm_extract_folder="igvm-tooling" -clh_acpi_tables_dir="${igvm_extract_folder}/src/igvm/acpi/acpi-clh/" -igvmgen_py_file="${igvm_extract_folder}/src/igvm/igvmgen.py" +IGVM_EXTRACT_FOLDER="${SCRIPT_DIR}/igvm-tooling" +CLH_ACPI_TABLES_DIR="${IGVM_EXTRACT_FOLDER}/src/igvm/acpi/acpi-clh/" +IGVM_PY_FILE="${IGVM_EXTRACT_FOLDER}/src/igvm/igvmgen.py" -igvm_vars="-kernel ${bzimage_bin} -boot_mode x64 -vtl 0 -svme 1 -encrypted_page 1 -pvalidate_opt 1 -acpi ${clh_acpi_tables_dir}" +IGVM_BUILD_VARS="-kernel ${BZIMAGE_BIN} -boot_mode x64 -vtl 0 -svme 1 -encrypted_page 1 -pvalidate_opt 1 -acpi ${CLH_ACPI_TABLES_DIR}" -igvm_kernel_params_common="dm-mod.create=\"dm-verity,,,ro,0 ${data_sectors} verity 1 /dev/vda1 /dev/vda2 ${data_block_size} ${hash_block_size} ${data_blocks} 0 sha256 ${root_hash} ${salt}\" \ +IGVM_KERNEL_PARAMS_COMMON="dm-mod.create=\"dm-verity,,,ro,0 ${IMAGE_DATA_SECTORS} verity 1 /dev/vda1 /dev/vda2 ${IMAGE_DATA_BLOCK_SIZE} ${IMAGE_HASH_BLOCK_SIZE} ${IMAGE_DATA_BLOCKS} 0 sha256 ${IMAGE_ROOT_HASH} ${IMAGE_SALT}\" \ root=/dev/dm-0 rootflags=data=ordered,errors=remount-ro ro rootfstype=ext4 panic=1 no_timer_check noreplace-smp systemd.unit=kata-containers.target systemd.mask=systemd-networkd.service \ systemd.mask=systemd-networkd.socket agent.enable_signature_verification=false" -igvm_kernel_prod_params="${igvm_kernel_params_common} quiet" -igvm_kernel_debug_params="${igvm_kernel_params_common} console=hvc0 systemd.log_target=console agent.log=debug agent.debug_console agent.debug_console_vport=1026" +IGVM_KERNEL_PROD_PARAMS="${IGVM_KERNEL_PARAMS_COMMON} quiet" +IGVM_KERNEL_DEBUG_PARAMS="${IGVM_KERNEL_PARAMS_COMMON} console=hvc0 systemd.log_target=console agent.log=debug agent.debug_console agent.debug_console_vport=1026" + 
+IGVM_FILE_NAME="kata-containers-igvm.img" +IGVM_DBG_FILE_NAME="kata-containers-igvm-debug.img" +IGVM_MEASUREMENT_FILE_NAME="igvm-measurement.cose" +IGVM_DBG_MEASUREMENT_FILE_NAME="igvm-debug-measurement.cose" diff --git a/tools/osbuilder/igvm-builder/azure-linux/igvm_lib.sh b/tools/osbuilder/igvm-builder/azure-linux/igvm_lib.sh index 06e6d8aafe2f..e5b13307445f 100644 --- a/tools/osbuilder/igvm-builder/azure-linux/igvm_lib.sh +++ b/tools/osbuilder/igvm-builder/azure-linux/igvm_lib.sh @@ -4,10 +4,11 @@ # # SPDX-License-Identifier: Apache-2.0 -install_igvm() +install_igvm_tool() { - if [ -d ${igvm_extract_folder} ]; then - echo "${igvm_extract_folder} folder already exists, assuming tool is already installed" + echo "Installing IGVM tool" + if [ -d ${IGVM_EXTRACT_FOLDER} ]; then + echo "${IGVM_EXTRACT_FOLDER} folder already exists, assuming tool is already installed" return fi 
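Review bot: The new `IGVM_EXTRACT_FOLDER` and `IGVM_KERNEL_PARAMS_COMMON` assignments depend on `SCRIPT_DIR` and the `IMAGE_*` dm-verity values being set by whoever sources this file, and the builder sources it once before those values exist and again afterwards, but nothing in config.sh says so. A header comment under the license line would prevent the next maintainer from using the measured kernel parameters after the first load, e.g. `# Sourced by igvm_builder.sh; expects SCRIPT_DIR and, for the dm-verity kernel parameters, IMAGE_ROOT_HASH/IMAGE_SALT/IMAGE_DATA_SECTORS/IMAGE_DATA_BLOCK_SIZE/IMAGE_HASH_BLOCK_SIZE/IMAGE_DATA_BLOCKS to be set by the caller`. It is also worth stating there that these values end up in the IGVM measurement via the kernel command line, since that is why they must be correct before the file is re-sourced.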
@@ -16,10 +17,54 @@ install_igvm() echo "Determining and downloading latest IGVM tooling release, and extracting including ACPI tables" IGVM_VER=$(curl -sL "https://api.github.com/repos/microsoft/igvm-tooling/releases/latest" | jq -r .tag_name | sed 's/^v//') curl -sL "https://github.com/microsoft/igvm-tooling/archive/refs/tags/${IGVM_VER}.tar.gz" | tar --no-same-owner -xz - mv igvm-tooling-${IGVM_VER} ${igvm_extract_folder} + mv igvm-tooling-${IGVM_VER} ${IGVM_EXTRACT_FOLDER} - echo "Installing IGVM module msigvm via pip3" - pushd ${igvm_extract_folder}/src + echo "Installing IGVM module msigvm (${IGVM_VER}) via pip3" + pushd ${IGVM_EXTRACT_FOLDER}/src pip3 install --no-deps ./ popd } + +uninstall_igvm_tool() +{ + echo "Uninstalling IGVM tool" + + rm -rf ${IGVM_EXTRACT_FOLDER} + pip3 uninstall -y msigvm +} + +build_igvm_files() +{ + echo "Reading Kata image dm_verity root hash information from root_hash file" + ROOT_HASH_FILE="${SCRIPT_DIR}/../root_hash.txt" + + if [ ! -f "${ROOT_HASH_FILE}" ]; then + echo "Could no find image root hash file '${ROOT_HASH_FILE}', aborting" + exit 1 + fi + + IMAGE_ROOT_HASH=$(sed -e 's/Root hash:\s*//g;t;d' "${ROOT_HASH_FILE}") + IMAGE_SALT=$(sed -e 's/Salt:\s*//g;t;d' "${ROOT_HASH_FILE}") + IMAGE_DATA_BLOCKS=$(sed -e 's/Data blocks:\s*//g;t;d' "${ROOT_HASH_FILE}") + IMAGE_DATA_BLOCK_SIZE=$(sed -e 's/Data block size:\s*//g;t;d' "${ROOT_HASH_FILE}") + IMAGE_DATA_SECTORS_PER_BLOCK=$((IMAGE_DATA_BLOCK_SIZE / 512)) + IMAGE_DATA_SECTORS=$((IMAGE_DATA_BLOCKS * IMAGE_DATA_SECTORS_PER_BLOCK)) + IMAGE_HASH_BLOCK_SIZE=$(sed -e 's/Hash block size:\s*//g;t;d' "${ROOT_HASH_FILE}") + + # reloading the config file as various variables depend on above values + load_config_distro + + echo "Building (debug) IGVM files and creating their reference measurement files" + # we could call into the installed binary '~/.local/bin/igvmgen' when adding to PATH or, better, into 'python3 -m msigvm' + # however, as we still need the installation directory for the 
ACPI tables, we leave things as is for now + # at the same time we seem to need to call pip3 install for invoking the tool at all + python3 ${IGVM_PY_FILE} $IGVM_BUILD_VARS -o $IGVM_FILE_NAME -measurement_file $IGVM_MEASUREMENT_FILE_NAME -append "$IGVM_KERNEL_PROD_PARAMS" -svn $SVN + python3 ${IGVM_PY_FILE} $IGVM_BUILD_VARS -o $IGVM_DBG_FILE_NAME -measurement_file $IGVM_DBG_MEASUREMENT_FILE_NAME -append "$IGVM_KERNEL_DEBUG_PARAMS" -svn $SVN + + if [ "${PWD}" -ef "$(readlink -f $OUT_DIR)" ]; then + echo "OUT_DIR matches with current dir, not moving build artifacts" + else + echo "Moving build artifacts to ${OUT_DIR}" + mv $IGVM_FILE_NAME $IGVM_DBG_FILE_NAME $IGVM_MEASUREMENT_FILE_NAME $IGVM_DBG_MEASUREMENT_FILE_NAME $OUT_DIR + fi +} diff --git a/tools/osbuilder/igvm-builder/igvm_builder.sh b/tools/osbuilder/igvm-builder/igvm_builder.sh index 58bd38b63990..8e539f69d941 100755 --- a/tools/osbuilder/igvm-builder/igvm_builder.sh +++ b/tools/osbuilder/igvm-builder/igvm_builder.sh @@ -10,18 +10,18 @@ set -o errtrace [ -n "$DEBUG" ] && set -x -script_dir="$(dirname $(readlink -f $0))" +SCRIPT_DIR="$(dirname $(readlink -f $0))" # distro-specific config file typeset -r CONFIG_SH="config.sh" # Name of an optional distro-specific file which, if it exists, must implement the -# install_igvm() function. +# install_igvm_tool, build_igvm_files, and uninstall_igvm_tool functions. typeset -r LIB_SH="igvm_lib.sh" -build_igvm_distro() +load_config_distro() { - distro_config_dir="${script_dir}/${distro}" + distro_config_dir="${SCRIPT_DIR}/${DISTRO}" [ -d "${distro_config_dir}" ] || die "Could not find configuration directory '${distro_config_dir}'" 
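Review bot: `uninstall_igvm_tool` runs `rm -rf ${IGVM_EXTRACT_FOLDER}` unquoted and unguarded; with `SCRIPT_DIR` unset the path degrades to `/igvm-tooling`, and with the variable empty the command silently does nothing, so `rm -rf "${IGVM_EXTRACT_FOLDER:?IGVM_EXTRACT_FOLDER is not set}"` is the safer form. In `build_igvm_files` the five `sed` extractions are never checked, so a malformed root_hash.txt yields empty fields in the `dm-mod.create=` string and the IGVM is still built and measured with a broken command line; a check such as `[ -n "${IMAGE_ROOT_HASH}" ] && [ -n "${IMAGE_SALT}" ] && [ -n "${IMAGE_DATA_BLOCKS}" ] && [ -n "${IMAGE_DATA_BLOCK_SIZE}" ] && [ -n "${IMAGE_HASH_BLOCK_SIZE}" ] || { echo "Incomplete dm-verity data in '${ROOT_HASH_FILE}', aborting"; exit 1; }` before `load_config_distro` would catch that. The moved error message also still reads `Could no find`; it should be `Could not find`.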
@@ -31,50 +31,20 @@ build_igvm_distro() source "${igvm_lib}" fi - root_hash_file="${script_dir}/../root_hash.txt" - - if [ ! -f "${root_hash_file}" ]; then - echo "Could no find image root hash file '${root_hash_file}', aborting" - exit 1 - fi - - echo "Reading image dm-verity root hash values" - root_hash=$(sed -e 's/Root hash:\s*//g;t;d' "${root_hash_file}") - salt=$(sed -e 's/Salt:\s*//g;t;d' "${root_hash_file}") - data_blocks=$(sed -e 's/Data blocks:\s*//g;t;d' "${root_hash_file}") - data_block_size=$(sed -e 's/Data block size:\s*//g;t;d' "${root_hash_file}") - data_sectors_per_block=$((data_block_size / 512)) - data_sectors=$((data_blocks * data_sectors_per_block)) - hash_block_size=$(sed -e 's/Hash block size:\s*//g;t;d' "${root_hash_file}") - # Source config.sh from distro, depends on root_hash based variables here igvm_config="${distro_config_dir}/${CONFIG_SH}" source "${igvm_config}" - - echo "Install IGVM tool" - install_igvm - - echo "Build IGVM (debug) file and calculate reference measurements" - # we could call into the installed binary '~/.local/bin/igvmgen' when adding to PATH or, better, into 'python3 -m msigvm' - # however, as we still need the installation directory for the ACPI tables, we leave things as is for now - # at the same time we seem to need to call pip3 install for invoking the tool at all - python3 ${igvmgen_py_file} $igvm_vars -o kata-containers-igvm.img -measurement_file igvm-measurement.cose -append "$igvm_kernel_prod_params" -svn $SVN - python3 ${igvmgen_py_file} $igvm_vars -o kata-containers-igvm-debug.img -measurement_file igvm-debug-measurement.cose -append "$igvm_kernel_debug_params" -svn $SVN - - if [ "${PWD}" -ef "$(readlink -f $OUT_DIR)" ]; then - echo "OUT_DIR matches with current dir, not moving build artifacts" - else - echo "Moving build artifacts to ${OUT_DIR}" - mv igvm-measurement.cose kata-containers-igvm.img igvm-debug-measurement.cose kata-containers-igvm-debug.img $OUT_DIR - fi } -distro="azure-linux" 
+DISTRO="azure-linux" +MODE="build" -while getopts ":o:s:" OPTIONS; do +while getopts ":o:s:iu" OPTIONS; do case "${OPTIONS}" in o ) OUT_DIR=$OPTARG ;; s ) SVN=$OPTARG ;; + i ) MODE="install" ;; + u ) MODE="uninstall" ;; \? ) echo "Error - Invalid Option: -$OPTARG" 1>&2 exit 1 @@ -89,11 +59,24 @@ done echo "IGVM builder script" echo "-- OUT_DIR -> $OUT_DIR" echo "-- SVN -> $SVN" -echo "-- distro -> $distro" +echo "-- DISTRO -> $DISTRO" +echo "-- MODE -> $MODE" -if [ -n "$distro" ]; then - build_igvm_distro +if [ -n "$DISTRO" ]; then + load_config_distro else - echo "distro must be specified" - exit 1 + echo "DISTRO must be specified" + exit 1 fi + +case "$MODE" in + "install") + install_igvm_tool + ;; + "uninstall") + uninstall_igvm_tool + ;; + "build") + build_igvm_files + ;; +esac diff --git a/tools/osbuilder/node-builder/azure-linux/Makefile b/tools/osbuilder/node-builder/azure-linux/Makefile index 26c28bd18cde..6ef571a55fa2 100644 --- a/tools/osbuilder/node-builder/azure-linux/Makefile +++ b/tools/osbuilder/node-builder/azure-linux/Makefile @@ -33,11 +33,23 @@ clean-confpods: CONF_PODS=yes ./clean.sh .PHONY: deploy -deploy: +deploy: deploy-package deploy-uvm + +.PHONY: deploy-package +deploy-package: ./package_install.sh + +.PHONY: deploy-uvm +deploy-uvm: ./uvm_install.sh .PHONY: deploy-confpods -deploy-confpods: +deploy-confpods: deploy-confpods-package deploy-confpods-uvm + +.PHONY: deploy-confpods-package +deploy-confpods-package: CONF_PODS=yes ./package_install.sh + +.PHONY: deploy-confpods-uvm +deploy-confpods-uvm: CONF_PODS=yes ./uvm_install.sh diff --git a/tools/osbuilder/node-builder/azure-linux/README.md b/tools/osbuilder/node-builder/azure-linux/README.md index 693f9a8ac9e2..16a9b84dd5a9 100644 --- a/tools/osbuilder/node-builder/azure-linux/README.md +++ b/tools/osbuilder/node-builder/azure-linux/README.md @@ -76,7 +76,7 @@ sudo tee -a /etc/containerd/config.toml 2&>1 <
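Review bot: The context comment `# Source config.sh from distro, depends on root_hash based variables here` is now misleading, because the root-hash reading it refers to was moved out of this function into `build_igvm_files`, which re-sources the config afterwards. Suggest `# Source distro config.sh; the IMAGE_* dm-verity values it references are only set by build_igvm_files, which sources it again` so the double load is understood. The enclosing `load_config_distro` function starts in the previous hunk.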
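Review bot: The new `"build")` branch dispatches to `build_igvm_files` without checking that `-o` and `-s` were given, so an empty `SVN` reaches `-svn $SVN` unquoted (the flag is then passed with no value) and an empty `OUT_DIR` reaches `readlink -f`; since the SVN is part of what the IGVM measurement attests, it should be validated rather than defaulted. Adding `[ -n "$OUT_DIR" ] && [ -n "$SVN" ] || { echo "-o OUT_DIR and -s SVN are required for build" 1>&2; exit 1; }` at the top of that branch keeps install/uninstall usable without them.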
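Review bot: `deploy: deploy-package deploy-uvm` (and likewise `deploy-confpods`) lists the two install steps as independent prerequisites, so under `make -j` they run concurrently and in no guaranteed order, whereas the previous recipe ran `package_install.sh` before `uvm_install.sh`. If `uvm_install.sh` relies on anything the package step puts in place, which cannot be seen here, declare that edge explicitly, e.g. `deploy-uvm: deploy-package` and `deploy-confpods-uvm: deploy-confpods-package`, rather than relying on file order.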