build_igvm: Separate release configuration from build profile (#1867)

This PR adds a new flag to local invocations of `xflowey build-igvm`,
`--release-cfg`. This flag controls various bits of configuration around
how the final IGVM file is produced, such as the json file used and the
features compiled in. This separates these configuration pieces from
`--release`, which now only control the build profile. This allows for
building an optimized binary with debug options still available. It also
allows for building an unoptimized output without debug options, but
this is weird, so it outputs a warning if you ask for it.

This PR then removes the debug configurations from the cvm-release json.
This means that running `xflowey build-igvm x64-cvm --release` locally
will still produce an optimized binary with the debug bits set, but it
means the binaries we ship to the OS will now have the debug bit unset
by default, as the publishing step is effectively running with
`--release --release-cfg`.

Author: smalis-msft

flowey/flowey_hvlite/src/pipelines/build_igvm.rs

@@ -50,14 +50,18 @@ where
     /// into a VTL2 initrd, what `igvmfilegen` manifest is being used, etc...
     pub recipe: Recipe,
 
-    /// Build using release variants of all constituent components.
+    /// Build using release variants of all constituent binary components.
     ///
     /// Uses --profile=boot-release for openhcl_boot, --profile=openhcl-ship
-    /// when building openvmm_hcl, `--min-interactive` vtl2 initrd
-    /// configuration, `-release.json` manifest variant, etc...
+    /// when building openvmm_hcl, etc...
     #[clap(long)]
     pub release: bool,
 
+    /// Configure the IGVM file with the appropriate `-release.json`
+    /// manifest variant, and disable debug-only features.
+    #[clap(long)]
+    pub release_cfg: bool,
+
     /// pass `--verbose` to cargo
     #[clap(long)]
     pub verbose: bool,
@@ -230,6 +234,7 @@ impl IntoPipeline for BuildIgvmCli {
         let Self {
             recipe,
             release,
+            release_cfg,
             verbose,
             locked,
             install_missing_deps,
@@ -257,11 +262,7 @@ impl IntoPipeline for BuildIgvmCli {
         } = self;
 
         if with_perf_tools {
-            custom_extra_rootfs.push(
-                crate::repo_root()
-                    .join("openhcl/perftoolsfs.config")
-                    .clone(),
-            );
+            custom_extra_rootfs.push(crate::repo_root().join("openhcl/perftoolsfs.config"));
         }
 
         let mut pipeline = Pipeline::new();
@@ -309,6 +310,7 @@ impl IntoPipeline for BuildIgvmCli {
                     OpenhclRecipeCli::Aarch64Devkern => OpenhclIgvmRecipe::Aarch64Devkern,
                 },
                 release,
+                release_cfg,
 
                 customizations: flowey_lib_hvlite::_jobs::local_build_igvm::Customizations {
                     build_label,

flowey/flowey_lib_hvlite/src/_jobs/build_and_publish_openhcl_igvm_from_recipe.rs

@@ -70,7 +70,13 @@ impl SimpleFlowNode for Node {
             let (read_built_sidecar, built_sidecar) = ctx.new_var();
             ctx.req(crate::build_openhcl_igvm_from_recipe::Request {
                 custom_target,
-                profile,
+                build_profile: profile,
+                release_cfg: match profile {
+                    OpenvmmHclBuildProfile::Debug => false,
+                    OpenvmmHclBuildProfile::Release | OpenvmmHclBuildProfile::OpenvmmHclShip => {
+                        true
+                    }
+                },
                 recipe: recipe.clone(),
                 built_openvmm_hcl,
                 built_openhcl_boot,

flowey/flowey_lib_hvlite/src/_jobs/build_and_publish_openvmm_hcl_baseline.rs

@@ -36,7 +36,7 @@ impl SimpleFlowNode for Node {
                 target: CommonTriple::X86_64_LINUX_MUSL,
                 profile: OpenvmmHclBuildProfile::OpenvmmHclShip,
                 features: (OpenhclIgvmRecipe::X64)
-                    .recipe_details(OpenvmmHclBuildProfile::OpenvmmHclShip)
+                    .recipe_details(true)
                     .openvmm_hcl_features,
                 no_split_dbg_info: false,
             },

flowey/flowey_lib_hvlite/src/_jobs/check_openvmm_hcl_size.rs

@@ -60,7 +60,7 @@ impl SimpleFlowNode for Node {
                 target: target.clone(),
                 profile: OpenvmmHclShip,
                 features: (OpenhclIgvmRecipe::X64)
-                    .recipe_details(OpenvmmHclShip)
+                    .recipe_details(true)
                     .openvmm_hcl_features,
                 no_split_dbg_info: false,
             },

flowey/flowey_lib_hvlite/src/_jobs/local_build_and_run_nextest_vmm_tests.rs

@@ -393,7 +393,8 @@ impl SimpleFlowNode for Node {
                 let (read_built_openhcl_boot, built_openhcl_boot) = ctx.new_var();
                 let (read_built_sidecar, built_sidecar) = ctx.new_var();
                 ctx.req(crate::build_openhcl_igvm_from_recipe::Request {
-                    profile: openvmm_hcl_profile,
+                    build_profile: openvmm_hcl_profile,
+                    release_cfg: release,
                     recipe: recipe.clone(),
                     custom_target: None,
                     built_openvmm_hcl,

flowey/flowey_lib_hvlite/src/_jobs/local_build_igvm.rs

@@ -49,6 +49,7 @@ flowey_request! {
 
         pub base_recipe: OpenhclIgvmRecipe,
         pub release: bool,
+        pub release_cfg: bool,
 
         pub customizations: Customizations,
     }
@@ -70,6 +71,7 @@ impl SimpleFlowNode for Node {
 
             base_recipe,
             release,
+            release_cfg,
 
             customizations,
         } = request;
@@ -97,13 +99,20 @@ impl SimpleFlowNode for Node {
             custom_extra_rootfs,
         } = customizations;
 
-        let profile = if release {
+        if release_cfg && !release {
+            log::warn!(
+                "You are building a debug binary with a release configuration.\n\
+                The produced binary likely will not function properly due to memory restrictions."
+            )
+        }
+
+        let build_profile = if release {
             OpenvmmHclBuildProfile::OpenvmmHclShip
         } else {
             OpenvmmHclBuildProfile::Debug
         };
+        let mut recipe_details = base_recipe.recipe_details(release_cfg);
 
-        let mut recipe_details = base_recipe.recipe_details(profile);
         {
             let OpenhclIgvmRecipeDetails {
                 local_only,
@@ -125,8 +134,8 @@ impl SimpleFlowNode for Node {
                 *with_sidecar_details = true;
             }
 
-            // Debug builds include --interactive by default, for busybox, gdbserver, and perf.
-            *with_interactive = matches!(profile, OpenvmmHclBuildProfile::Debug) || with_perf_tools;
+            // Debug configurations include --interactive by default, for busybox, gdbserver, and perf.
+            *with_interactive = !release_cfg || with_perf_tools;
 
             assert!(local_only.is_none());
             *local_only = Some(OpenhclIgvmRecipeDetailsLocalOnly {
@@ -212,8 +221,9 @@ impl SimpleFlowNode for Node {
         let (built_sidecar, write_built_sidecar) = ctx.new_var();
 
         ctx.req(crate::build_openhcl_igvm_from_recipe::Request {
-            profile,
-            recipe: OpenhclIgvmRecipe::LocalOnlyCustom(recipe_details.clone()),
+            build_profile,
+            release_cfg,
+            recipe: OpenhclIgvmRecipe::LocalOnlyCustom(recipe_details),
             custom_target: None,
             built_openvmm_hcl: write_built_openvmm_hcl,
             built_openhcl_boot: write_built_openhcl_boot,
@@ -231,7 +241,7 @@ impl SimpleFlowNode for Node {
             move |rt| {
                 let output_dir = rt
                     .read(artifact_dir)
-                    .join(match profile {
+                    .join(match build_profile {
                         OpenvmmHclBuildProfile::Debug => "debug",
                         OpenvmmHclBuildProfile::Release => "release",
                         OpenvmmHclBuildProfile::OpenvmmHclShip => "ship",

flowey/flowey_lib_hvlite/src/build_openhcl_igvm_from_recipe.rs

@@ -95,29 +95,29 @@ pub enum OpenhclIgvmRecipe {
 }
 
 impl OpenhclIgvmRecipe {
-    pub fn recipe_details(&self, profile: OpenvmmHclBuildProfile) -> OpenhclIgvmRecipeDetails {
+    pub fn recipe_details(&self, release_cfg: bool) -> OpenhclIgvmRecipeDetails {
         let base_openvmm_hcl_features = || {
             let mut m = BTreeSet::new();
 
             m.insert(OpenvmmHclFeature::Tpm);
 
-            if matches!(profile, OpenvmmHclBuildProfile::Debug) {
+            if !release_cfg {
                 m.insert(OpenvmmHclFeature::Gdb);
             }
 
             m
         };
 
         let in_repo_template = |debug_manifest: &'static str, release_manifest: &'static str| {
-            IgvmManifestPath::InTree(if matches!(profile, OpenvmmHclBuildProfile::Debug) {
-                debug_manifest.into()
-            } else {
+            IgvmManifestPath::InTree(if release_cfg {
                 release_manifest.into()
+            } else {
+                debug_manifest.into()
             })
         };
 
-        // Debug builds include --interactive by default, for busybox, gdbserver, and perf.
-        let with_interactive = matches!(profile, OpenvmmHclBuildProfile::Debug);
+        // Debug configurations include --interactive by default, for busybox, gdbserver, and perf.
+        let with_interactive = !release_cfg;
 
         match self {
             Self::LocalOnlyCustom(details) => details.clone(),
@@ -229,16 +229,12 @@ impl OpenhclIgvmRecipe {
             },
         }
     }
-
-    pub fn to_custom_mut(&mut self, profile: OpenvmmHclBuildProfile) {
-        let details = self.recipe_details(profile);
-        *self = Self::LocalOnlyCustom(details);
-    }
 }
 
 flowey_request! {
     pub struct Request {
-        pub profile: OpenvmmHclBuildProfile,
+        pub build_profile: OpenvmmHclBuildProfile,
+        pub release_cfg: bool,
         pub recipe: OpenhclIgvmRecipe,
         pub custom_target: Option<CommonTriple>,
 
@@ -270,7 +266,8 @@ impl SimpleFlowNode for Node {
 
     fn process_request(request: Self::Request, ctx: &mut NodeCtx<'_>) -> anyhow::Result<()> {
         let Request {
-            profile,
+            build_profile,
+            release_cfg,
             recipe,
             custom_target,
             built_openvmm_hcl,
@@ -289,7 +286,7 @@ impl SimpleFlowNode for Node {
             with_uefi,
             with_interactive,
             with_sidecar,
-        } = recipe.recipe_details(profile);
+        } = recipe.recipe_details(release_cfg);
 
         let OpenhclIgvmRecipeDetailsLocalOnly {
             openvmm_hcl_no_strip,
@@ -423,7 +420,7 @@ impl SimpleFlowNode for Node {
                 ctx.reqv(|v| crate::build_sidecar::Request {
                     build_params: crate::build_sidecar::SidecarBuildParams {
                         arch,
-                        profile: match profile {
+                        profile: match build_profile {
                             OpenvmmHclBuildProfile::Debug => {
                                 crate::build_sidecar::SidecarBuildProfile::Debug
                             }
@@ -448,7 +445,7 @@ impl SimpleFlowNode for Node {
             crate::build_openvmm_hcl::Request {
                 build_params: crate::build_openvmm_hcl::OpenvmmHclBuildParams {
                     target: target.clone(),
-                    profile,
+                    profile: build_profile,
                     features: openvmm_hcl_features,
                     // manually strip later, depending on provided igvm flags
                     no_split_dbg_info: true,
@@ -492,7 +489,7 @@ impl SimpleFlowNode for Node {
             ctx.reqv(|v| crate::build_openhcl_boot::Request {
                 build_params: crate::build_openhcl_boot::OpenhclBootBuildParams {
                     arch,
-                    profile: match profile {
+                    profile: match build_profile {
                         OpenvmmHclBuildProfile::Debug => {
                             crate::build_openhcl_boot::OpenhclBootBuildProfile::Debug
                         }

vm/loader/manifests/openhcl-x64-cvm-release.json

@@ -8,13 +8,13 @@
                 "snp": {
                     "shared_gpa_boundary_bits": 46,
                     "policy": 196639,
-                    "enable_debug": true,
+                    "enable_debug": false,
                     "injection_type": "normal"
                 }
             },
             "image": {
                 "openhcl": {
-                    "command_line": "OPENHCL_CONFIDENTIAL_DEBUG=1",
+                    "command_line": "",
                     "memory_page_count": 163840,
                     "memory_page_base": 32768,
                     "uefi": true
@@ -26,7 +26,7 @@
             "max_vtl": 2,
             "isolation_type": {
                 "tdx": {
-                    "enable_debug": true,
+                    "enable_debug": false,
                     "sept_ve_disable": true
                 }
             },
@@ -44,12 +44,12 @@
             "max_vtl": 2,
             "isolation_type": {
                 "vbs": {
-                    "enable_debug": true
+                    "enable_debug": false
                 }
             },
             "image": {
                 "openhcl": {
-                    "command_line": "OPENHCL_CONFIDENTIAL_DEBUG=1",
+                    "command_line": "",
                     "memory_page_count": 32768,
                     "memory_page_base": 32768,
                     "uefi": true

vm/loader/manifests/openhcl-x64-release.json

@@ -7,7 +7,6 @@
             "isolation_type": "none",
             "image": {
                 "openhcl": {
-                    "initrd_path": "./underhill.cpio.gz",
                     "command_line": "",
                     "memory_page_count": 17920,
                     "uefi": true