chore: enable BTF debug info in guest debug config

[bane-stealthium]

Changes

Enable CONFIG_DEBUG_INFO_BTF in the guest debug kernel config to support extended eBPF functionality in guest VMs.

Reason

BTF (BPF Type Format) is a metadata format that embeds rich type information into the kernel and BPF programs. Without it, eBPF is limited to basic tracing and simple programs. With BTF enabled, guests gain access to CO-RE (Compile Once – Run Everywhere), which allows eBPF programs to adapt to different kernel versions at load time without recompilation. It also unlocks advanced program types (e.g. fentry/fexit, LSM hooks), map introspection, and tools like bpftool that depend on type information to inspect running programs and maps. Enabling CONFIG_DEBUG_INFO_BTF in the guest debug config is the prerequisite for all of this extended eBPF functionality inside Firecracker guest VMs.

Enabling BTF does increase the kernel image size: measured builds show vmlinux on 6.1 kernel growing from 51 MB to 55 MB (~4 MB / ~8%). Guest RAM usage reflects a similar uptick, as the .BTF section is mapped into kernel memory at boot. The 4 MB is largely read-only, page-cache-friendly data that the kernel shares efficiently across cores and does not compete with guest workload memory. Firecracker guests are routinely provisioned with hundreds of megabytes to several gigabytes of RAM, making a fixed 4 MB kernel metadata cost negligible, well under 1% of any realistic guest configuration. The tradeoff is asymmetric: a one-time, bounded memory cost in exchange for unlocking the full modern eBPF stack (CO-RE, fentry/fexit, LSM, bpftool introspection) that would otherwise require per-kernel-version BPF bytecode or be unavailable entirely.

Why enable it on the stock config, instead of letting end-user enable it when necessary? It resolves an in-between state of currently released Firecracker VM kernels. In current shape eBPF support is built in but is only partial and forces eBPF programs to use manual offsets or per-kernel compilation. This proposed change brings stock Firecracker kernels to modern eBPF support, enabling easy use of threat detection and monitoring tools within microVMs.

License Acceptance

By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache 2.0 license. For more information on following Developer
Certificate of Origin and signing off your commits, please check CONTRIBUTING.md.

PR Checklist

• I have read and understand CONTRIBUTING.md.
• I have run tools/devtool checkbuild --all to verify that the PR passes
  build checks on all supported architectures.
• I have run tools/devtool checkstyle to verify that the PR passes the
  automated style checks.
• I have described what is done in these changes, why they are needed, and
  how they are solving the problem in a clear and encompassing way.

[na] I have updated any relevant documentation (both in code and in the docs)
in the PR.

[na] I have mentioned all user-facing changes in CHANGELOG.md.

[na] If a specific issue led to this PR, this PR closes the issue.

[na] When making API changes, I have followed the Runbook for Firecracker API changes.

• I have tested all new and changed functionalities in unit tests and/or
  integration tests.

[na] I have linked an issue to every new TODO.

---

[na] This functionality cannot be added in rust-vmm.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.79%. Comparing base (6785376) to head (072f9f1).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #5857   +/-   ##
=======================================
  Coverage   82.79%   82.79%           
=======================================
  Files         276      276           
  Lines       29764    29764           
=======================================
  Hits        24643    24643           
  Misses       5121     5121           

Flag	Coverage Δ
5.10-m5n.metal	83.08% <ø> (-0.02%)	⬇️
5.10-m6a.metal	82.41% <ø> (-0.01%)	⬇️
5.10-m6g.metal	79.70% <ø> (ø)
5.10-m6i.metal	83.08% <ø> (-0.01%)	⬇️
5.10-m7a.metal-48xl	82.40% <ø> (-0.01%)	⬇️
5.10-m7g.metal	79.70% <ø> (ø)
5.10-m7i.metal-24xl	83.05% <ø> (-0.01%)	⬇️
5.10-m7i.metal-48xl	83.06% <ø> (ø)
5.10-m8g.metal-24xl	79.70% <ø> (ø)
5.10-m8g.metal-48xl	79.70% <ø> (+<0.01%)	⬆️
5.10-m8i.metal-48xl	83.06% <ø> (ø)
5.10-m8i.metal-96xl	83.06% <ø> (ø)
6.1-m5n.metal	83.11% <ø> (ø)
6.1-m6a.metal	82.44% <ø> (+<0.01%)	⬆️
6.1-m6g.metal	79.70% <ø> (ø)
6.1-m6i.metal	83.11% <ø> (-0.01%)	⬇️
6.1-m7a.metal-48xl	82.43% <ø> (ø)
6.1-m7g.metal	79.70% <ø> (+<0.01%)	⬆️
6.1-m7i.metal-24xl	83.12% <ø> (-0.02%)	⬇️
6.1-m7i.metal-48xl	83.12% <ø> (ø)
6.1-m8g.metal-24xl	79.70% <ø> (ø)
6.1-m8g.metal-48xl	79.70% <ø> (+<0.01%)	⬆️
6.1-m8i.metal-48xl	83.13% <ø> (+<0.01%)	⬆️
6.1-m8i.metal-96xl	83.12% <ø> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.