microsoft · Camelron · Feb 11, 2025 · Feb 11, 2025 · Feb 11, 2025 · Feb 11, 2025
@@ -223,6 +223,10 @@ clean:
 	rm -rf $(TARGET_ROOTFS_MARKER) $(TARGET_ROOTFS) $(TARGET_IMAGE) $(TARGET_INITRD) $(DRACUT_OVERLAY_DIR) $(TARGET_IGVM) $(TARGET_IGVM_DEBUG) $(TARGET_IGVM_MSMT) $(TARGET_IGVM_DEBUG_MSMT) $(TARGET_IGVM_LOG)
 	rm -rf $(IGVM_TOOL_SRC)
 
+.PHONY: clean-rootfs
+clean-rootfs:
+	rm -rf $(TARGET_ROOTFS_MARKER) $(TARGET_ROOTFS)
+
 # Prints the name of the variable passed as suffix to the print- target,
 # E.g., if Makefile contains:
 # MY_MAKE_VAR := foobar

@@ -174,6 +174,9 @@ This section describes how to build and deploy in debug mode.
    release mode, or `debug` to build it in debug mode.
  * `AGENT_POLICY_FILE`: Specify `allow-set-policy.rego` (default) to use
    a restrictive policy, or `allow-all.rego` to use a permissive policy.
+ * `UVM_BUILD_TYPE`: Specify `release` (default) to build the UVM with
+   a minimal set of packages, or `debug` to build it with extra utility
+   packages for debug.
 
 `make deploy-confpods` takes the following variable:
 

@@ -12,12 +12,14 @@ OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a)
 
 ([[ "${OS_VERSION}" == "2.0" ]] || [[ "${OS_VERSION}" == "3.0" ]]) || die "OS_VERSION: value '${OS_VERSION}' must equal 3.0 (default) or 2.0"
 
+SHIM_CONFIG_LINK_NAME="configuration.toml"
 if [ "${CONF_PODS}" == "yes" ]; then
 	INSTALL_PATH_PREFIX="/opt/confidential-containers"
 	UVM_TOOLS_PATH_OSB="${INSTALL_PATH_PREFIX}/uvm/tools/osbuilder"
 	UVM_TOOLS_PATH_SRC="${INSTALL_PATH_PREFIX}/uvm/src"
 	UVM_PATH_DEFAULT="${INSTALL_PATH_PREFIX}/share/kata-containers"
 	IMG_FILE_NAME="kata-containers.img"
+	IMG_DBG_FILE_NAME="kata-containers-debug.img"
 	IGVM_FILE_NAME="kata-containers-igvm.img"
 	IGVM_DBG_FILE_NAME="kata-containers-igvm-debug.img"
 	UVM_MEASUREMENT_FILE_NAME="igvm-measurement.cose"
@@ -36,9 +38,12 @@ else
 	UVM_TOOLS_PATH_SRC="/opt/kata-containers/uvm/src"
 	UVM_PATH_DEFAULT="${INSTALL_PATH_PREFIX}/share/kata-containers"
 	IMG_FILE_NAME="kata-containers.img"
+	IMG_DBG_FILE_NAME="kata-containers-debug.img"
 	SHIM_CONFIG_PATH="${INSTALL_PATH_PREFIX}/share/defaults/kata-containers"
 	SHIM_CONFIG_FILE_NAME="configuration-clh.toml"
-	SHIM_CONFIG_INST_FILE_NAME="configuration.toml"
+	SHIM_CONFIG_INST_FILE_NAME="${SHIM_CONFIG_FILE_NAME}"
+	SHIM_DBG_CONFIG_FILE_NAME="configuration-clh-debug.toml"
+	SHIM_DBG_CONFIG_INST_FILE_NAME="${SHIM_DBG_CONFIG_FILE_NAME}"
 	DEBUGGING_BINARIES_PATH="${INSTALL_PATH_PREFIX}/local/bin"
 	SHIM_BINARIES_PATH="${INSTALL_PATH_PREFIX}/local/bin"
 	SHIM_BINARY_NAME="containerd-shim-kata-v2"

@@ -77,14 +77,17 @@ fi
 popd
 
 pushd src/runtime/config/
-if [ "${CONF_PODS}" == "yes" ]; then
 
+cp "${SHIM_CONFIG_FILE_NAME}" "${SHIM_DBG_CONFIG_FILE_NAME}"
+
+if [ "${CONF_PODS}" == "yes" ]; then
 	echo "Creating SNP shim debug configuration"
-	cp "${SHIM_CONFIG_FILE_NAME}" "${SHIM_DBG_CONFIG_FILE_NAME}"
 	sed -i "s|${IGVM_FILE_NAME}|${IGVM_DBG_FILE_NAME}|g" "${SHIM_DBG_CONFIG_FILE_NAME}"
-	sed -i '/^#enable_debug =/s|^#||g' "${SHIM_DBG_CONFIG_FILE_NAME}"
-	sed -i '/^#debug_console_enabled =/s|^#||g' "${SHIM_DBG_CONFIG_FILE_NAME}"
 fi
+
+sed -i '/^#enable_debug =/s|^#||g' "${SHIM_DBG_CONFIG_FILE_NAME}"
+sed -i '/^#debug_console_enabled =/s|^#||g' "${SHIM_DBG_CONFIG_FILE_NAME}"
+sed -i "s|${IMG_FILE_NAME}|${IMG_DBG_FILE_NAME}|g" "${SHIM_DBG_CONFIG_FILE_NAME}"
 popd
 
 echo "Building agent binary and generating service files"

@@ -39,25 +39,18 @@ if [ "${CONF_PODS}" == "yes" ]; then
 	mkdir -p ${PREFIX}/usr/lib/systemd/system/
 	cp -a --backup=numbered src/tardev-snapshotter/tardev-snapshotter.service ${PREFIX}/usr/lib/systemd/system/
 
-	if [ "${SHIM_REDEPLOY_CONFIG}" == "yes" ]; then
-		echo "Installing SNP shim debug configuration"
-		cp -a --backup=numbered src/runtime/config/"${SHIM_DBG_CONFIG_FILE_NAME}" "${PREFIX}/${SHIM_CONFIG_PATH}"/"${SHIM_DBG_CONFIG_INST_FILE_NAME}"
-	else
-		echo "Skipping installation of SNP shim debug configuration"
-	fi
-
-	if [ "${SHIM_USE_DEBUG_CONFIG}" == "yes" ]; then
-		# We simply override the release config with the debug config,
-		# which is probably fine when debugging.
-		ln -sf src/runtime/config/"${SHIM_DBG_CONFIG_FILE_NAME}" src/runtime/config/"${SHIM_CONFIG_FILE_NAME}" 
-	fi
-
 	echo "Enabling and starting snapshotter service"
 	if [ "${START_SERVICES}" == "yes" ]; then
 		systemctl enable tardev-snapshotter && systemctl daemon-reload && systemctl restart tardev-snapshotter
 	fi
 fi
 
+if [ "${SHIM_USE_DEBUG_CONFIG}" == "yes" ]; then
+	ln -sf src/runtime/config/"${SHIM_DBG_CONFIG_FILE_NAME}" src/runtime/config/"${SHIM_CONFIG_LINK_NAME}" 
+else
+	ln -sf src/runtime/config/"${SHIM_CONFIG_FILE_NAME}" src/runtime/config/"${SHIM_CONFIG_LINK_NAME}" 
+fi
+
 echo "Installing diagnosability binaries (monitor, runtime, collect-data script)"
 cp -a --backup=numbered src/runtime/kata-monitor "${PREFIX}/${DEBUGGING_BINARIES_PATH}"
 cp -a --backup=numbered src/runtime/kata-runtime "${PREFIX}/${DEBUGGING_BINARIES_PATH}"
@@ -70,6 +63,8 @@ cp -a --backup=numbered src/runtime/containerd-shim-kata-v2 "${PREFIX}/${SHIM_BI
 if [ "${SHIM_REDEPLOY_CONFIG}" == "yes" ]; then
 	echo "Installing shim configuration"
 	cp -a --backup=numbered src/runtime/config/"${SHIM_CONFIG_FILE_NAME}" "${PREFIX}/${SHIM_CONFIG_PATH}/${SHIM_CONFIG_INST_FILE_NAME}"
+	cp -a --backup=numbered src/runtime/config/"${SHIM_DBG_CONFIG_FILE_NAME}" "${PREFIX}/${SHIM_CONFIG_PATH}/${SHIM_DBG_CONFIG_INST_FILE_NAME}"
+	cp -a --backup=numbered src/runtime/config/"${SHIM_CONFIG_LINK_NAME}" "${PREFIX}/${SHIM_CONFIG_PATH}/${SHIM_CONFIG_LINK_NAME}"
 else
 	echo "Skipping installation of shim configuration"
 fi

@@ -10,6 +10,49 @@ set -o errtrace
 
 [ -n "$DEBUG" ] && set -x
 
+build_uvm() {
+	local mode=$1
+
+	echo "Building ${mode} rootfs and including pre-built agent binary"
+	pushd tools/osbuilder
+	# This command requires sudo because of dnf-installing packages into rootfs. As a suite, following commands require sudo as well as make clean
+	sudo -E PATH=$PATH UVM_BUILD_TYPE=${mode} make ${rootfs_make_flags} -B DISTRO=cbl-mariner rootfs
+	ROOTFS_PATH="$(readlink -f ./cbl-mariner_rootfs)"
+	popd
+
+	echo "Installing agent service files into rootfs"
+	sudo cp ${AGENT_INSTALL_DIR}/usr/lib/systemd/system/kata-containers.target ${ROOTFS_PATH}/usr/lib/systemd/system/kata-containers.target
+	sudo cp ${AGENT_INSTALL_DIR}/usr/lib/systemd/system/kata-agent.service ${ROOTFS_PATH}/usr/lib/systemd/system/kata-agent.service
+
+	if [ "${CONF_PODS}" == "yes" ]; then
+		echo "Building tarfs kernel driver and installing into rootfs"
+		pushd src/tarfs
+		make KDIR=${UVM_KERNEL_HEADER_DIR}
+		sudo make KDIR=${UVM_KERNEL_HEADER_DIR} KVER=${UVM_KERNEL_VERSION} INSTALL_MOD_PATH=${ROOTFS_PATH} install
+		popd
+		echo "Building dm-verity protected image based on rootfs"
+		pushd tools/osbuilder
+		sudo -E PATH=$PATH make DISTRO=cbl-mariner MEASURED_ROOTFS=yes DM_VERITY_FORMAT=kernelinit image
+		popd
+
+		echo "Building IGVM and UVM measurement files"
+		pushd tools/osbuilder
+		sudo chmod o+r root_hash.txt
+		sudo make igvm DISTRO=cbl-mariner IGVM_SVN=${IGVM_SVN}
+		popd
+	else
+		echo "Building image based on rootfs"
+		pushd tools/osbuilder
+		sudo -E PATH=$PATH make DISTRO=cbl-mariner image
+		popd
+	fi
+
+	echo "Cleaning rootfs build"
+	pushd tools/osbuilder
+	sudo -E PATH=$PATH make DISTRO=cbl-mariner clean-rootfs
+	popd
+}
+
 AGENT_POLICY_FILE="${AGENT_POLICY_FILE:-allow-set-policy.rego}"
 CONF_PODS=${CONF_PODS:-no}
 IGVM_SVN=${IGVM_SVN:-0}
@@ -38,39 +81,7 @@ fi
 
 pushd "${repo_dir}"
 
-echo "Building rootfs and including pre-built agent binary"
-pushd tools/osbuilder
-# This command requires sudo because of dnf-installing packages into rootfs. As a suite, following commands require sudo as well as make clean
-sudo -E PATH=$PATH make ${rootfs_make_flags} -B DISTRO=cbl-mariner rootfs
-ROOTFS_PATH="$(readlink -f ./cbl-mariner_rootfs)"
-popd
-
-echo "Installing agent service files into rootfs"
-sudo cp ${AGENT_INSTALL_DIR}/usr/lib/systemd/system/kata-containers.target ${ROOTFS_PATH}/usr/lib/systemd/system/kata-containers.target
-sudo cp ${AGENT_INSTALL_DIR}/usr/lib/systemd/system/kata-agent.service ${ROOTFS_PATH}/usr/lib/systemd/system/kata-agent.service
-
-if [ "${CONF_PODS}" == "yes" ]; then
-	echo "Building tarfs kernel driver and installing into rootfs"
-	pushd src/tarfs
-	make KDIR=${UVM_KERNEL_HEADER_DIR}
-	sudo make KDIR=${UVM_KERNEL_HEADER_DIR} KVER=${UVM_KERNEL_VERSION} INSTALL_MOD_PATH=${ROOTFS_PATH} install
-	popd
-
-	echo "Building dm-verity protected image based on rootfs"
-	pushd tools/osbuilder
-	sudo -E PATH=$PATH make DISTRO=cbl-mariner MEASURED_ROOTFS=yes DM_VERITY_FORMAT=kernelinit image
-	popd
-
-	echo "Building IGVM and UVM measurement files"
-	pushd tools/osbuilder
-	sudo chmod o+r root_hash.txt
-	sudo make igvm DISTRO=cbl-mariner IGVM_SVN=${IGVM_SVN}
-	popd
-else
-	echo "Building image based on rootfs"
-	pushd tools/osbuilder
-	sudo -E PATH=$PATH make DISTRO=cbl-mariner image
-	popd
-fi
+build_uvm "release"
+build_uvm "debug"
 
 popd
@@ -35,7 +35,8 @@ if [ "${CONF_PODS}" == "yes" ]; then
 	cp -a --backup=numbered "${UVM_DBG_MEASUREMENT_FILE_NAME}" "${UVM_PATH}"
 fi
 
-cp -a --backup=numbered "${IMG_FILE_NAME}" "${UVM_PATH}"
+cp -a --backup=numbered "${IMG_FILE_NAME}" "${UVM_PATH}/${IMG_FILE_NAME}"
+cp -a --backup=numbered "${IMG_DBG_FILE_NAME}" "${UVM_PATH}/${IMG_DBG_FILE_NAME}"
 
 popd
 

@@ -6,6 +6,8 @@ OS_NAME=cbl-mariner
 OS_VERSION=${OS_VERSION:-3.0}
 LIBC="gnu"
 PACKAGES="kata-packages-uvm"
+
+[ "$UVM_BUILD_TYPE" = debug ] && PACKAGES+=" kata-packages-uvm-debug"
 [ "$CONF_GUEST" = yes ] && PACKAGES+=" kata-packages-uvm-coco"
 [ "$AGENT_INIT" = no ] && PACKAGES+=" systemd"
 [ "$SECCOMP" = yes ] && PACKAGES+=" libseccomp"