microsoft · sprt · Aug 26, 2024 · Jul 26, 2024
@@ -28,6 +28,10 @@ src/tarfs/**/*.o
 src/tarfs/**/modules.order
 src/tarfs/**/Module.symvers
 src/tarfs-cvm/
+tools/osbuilder/kata-containers-igvm.img
+tools/osbuilder/kata-containers-igvm-debug.img
+tools/osbuilder/igvm-debug-measurement.cose
+tools/osbuilder/igvm-measurement.cose
 tools/osbuilder/root_hash.txt
 tools/osbuilder/igvm.log
 tools/osbuilder/kata-opa.service

@@ -2,6 +2,18 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 #
+BUILD_TYPE := release
+
+ifeq ($(BUILD_TYPE),debug)
+	export AGENT_BUILD_TYPE := debug
+	export AGENT_POLICY_FILE := allow-all.rego
+	export SHIM_USE_DEBUG_CONFIG := yes
+else
+	export AGENT_BUILD_TYPE := release
+	export AGENT_POLICY_FILE := allow-set-policy.rego
+	export SHIM_USE_DEBUG_CONFIG := no
+endif
+
 .PHONY: all
 all: package uvm
 

@@ -148,6 +148,37 @@ Notes:
   - To build an IGVM file for CondPods with a non-default SVN of 0, prefix the `make uvm-confpods` command with `IGVM_SVN=<number>`
   - For build and deployment of both Kata and Kata-CC artifacts, first run the `make all` and `make deploy` commands to build and install the Kata Containers for AKS components followed by `make clean`, and then run `make all-confpods` and `make deploy-confpods` to build and install the Confidential Containers for AKS components - or vice versa (using `make clean-confpods`).
 
+## Debug build
+
+`make all-confpods` takes the following variables:
+
+ * `AGENT_BUILD_TYPE`: Specify `release` (default) to build the agent in
+   release mode, or `debug` to build it in debug mode.
+ * `AGENT_POLICY_FILE`: Specify `allow-set-policy.rego` (default) to use
+   a restrictive policy, or `allow-all.rego` to use a permissive policy.
+
+`make deploy-confpods` takes the following variable:
+
+ * `SHIM_USE_DEBUG_CONFIG`: Specify `no` (default) to use the production
+   configuration, or `yes` to use the debug configuration (all debug
+   logging enabled). In this case you'll want to enable debug logging
+   in containerd as well.
+
+In general, you can specify the debug configuration for all the above
+variables by using `BUILD_TYPE=debug` as such:
+
+```shell
+sudo make BUILD_TYPE=debug all-confpods deploy-confpods
+```
+
+Also note that make still lets you override the other variables even
+after setting `BUILD_TYPE`. For example, you can use the production shim
+config with `BUILD_TYPE=debug`:
+
+```shell
+sudo make BUILD_TYPE=debug SHIM_USE_DEBUG_CONFIG=no all-confpods deploy-confpods
+```
+
 # Run Kata (Confidential) Containers
 
 ## Run via CRI or via containerd API

@@ -10,6 +10,7 @@ set -o errtrace
 
 [ -n "$DEBUG" ] && set -x
 
+AGENT_BUILD_TYPE=${AGENT_BUILD_TYPE:-release}
 CONF_PODS=${CONF_PODS:-no}
 
 script_dir="$(dirname $(readlink -f $0))"
@@ -38,9 +39,7 @@ if [ "${OS_VERSION}" == "3.0" ]; then
 	runtime_make_flags+=" DEFSANDBOXCGROUPONLY=true"
 fi
 
-# add BUILD_TYPE=debug to build a debug agent (result in significantly increased agent binary size)
-# this will require to add same flag to the `make install` section for the agent in uvm_build.sh
-agent_make_flags="LIBC=gnu OPENSSL_NO_VENDOR=Y DESTDIR=${AGENT_INSTALL_DIR}"
+agent_make_flags="LIBC=gnu OPENSSL_NO_VENDOR=Y DESTDIR=${AGENT_INSTALL_DIR} BUILD_TYPE=${AGENT_BUILD_TYPE}"
 
 if [ "${CONF_PODS}" == "yes" ]; then
 	agent_make_flags+=" AGENT_POLICY=yes"

@@ -12,6 +12,7 @@ set -o errtrace
 
 CONF_PODS=${CONF_PODS:-no}
 PREFIX=${PREFIX:-}
+SHIM_USE_DEBUG_CONFIG=${SHIM_USE_DEBUG_CONFIG:-no}
 START_SERVICES=${START_SERVICES:-yes}
 
 script_dir="$(dirname $(readlink -f $0))"
@@ -40,6 +41,12 @@ if [ "${CONF_PODS}" == "yes" ]; then
 	echo "Installing SNP shim debug configuration"
 	cp -a --backup=numbered src/runtime/config/"${SHIM_DBG_CONFIG_FILE_NAME}" "${PREFIX}/${SHIM_CONFIG_PATH}"/"${SHIM_DBG_CONFIG_INST_FILE_NAME}"
 
+	if [ "${SHIM_USE_DEBUG_CONFIG}" == "yes" ]; then
+		# We simply override the release config with the debug config,
+		# which is probably fine when debugging.
+		ln -sf src/runtime/config/"${SHIM_DBG_CONFIG_FILE_NAME}" src/runtime/config/"${SHIM_CONFIG_FILE_NAME}" 
+	fi
+
 	echo "Enabling and starting snapshotter service"
 	if [ "${START_SERVICES}" == "yes" ]; then
 		systemctl enable tardev-snapshotter && systemctl daemon-reload && systemctl restart tardev-snapshotter

@@ -10,6 +10,7 @@ set -o errtrace
 
 [ -n "$DEBUG" ] && set -x
 
+AGENT_POLICY_FILE="${AGENT_POLICY_FILE:-allow-set-policy.rego}"
 CONF_PODS=${CONF_PODS:-no}
 IGVM_SVN=${IGVM_SVN:-0}
 
@@ -23,10 +24,7 @@ source "${common_file}"
 rootfs_make_flags="AGENT_SOURCE_BIN=${AGENT_INSTALL_DIR}/usr/bin/kata-agent"
 
 if [ "${CONF_PODS}" == "yes" ]; then
-	# AGENT_POLICY_FILE=allow-all.rego would build a UVM with permissive security policy.
-	# The current variable assignment builds a UVM with prohibitive security policy which is the default on
-	# Confidential Containers on AKS
-	rootfs_make_flags+=" AGENT_POLICY=yes CONF_GUEST=yes AGENT_POLICY_FILE=allow-set-policy.rego"
+	rootfs_make_flags+=" AGENT_POLICY=yes CONF_GUEST=yes AGENT_POLICY_FILE=${AGENT_POLICY_FILE}"
 fi
 
 if [ "${CONF_PODS}" == "yes" ]; then