Skip to content

CVM: Audit tracing and add ALLOWED/CONFIDENTIAL where appropriate #1408

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 3 commits into
base: main
Choose a base branch
from

Conversation

smalis-msft
Copy link
Contributor

@smalis-msft smalis-msft commented May 23, 2025

Also includes some drive-by cleanups where I happened to see them.

Areas I did not audit because they are not relevant to CVMs:

  • trace and debug level statements
  • Non-CVM workers (debug & VNC)
  • Test only code (petri, vmm_tests, tmk*)
  • ARM-specific code
  • Non-CVM virt backends (including virt_mshv_vtl/mshv)
  • Host-only code (openvmm, GED, igvmfilegen, etc)
  • Gen 1 devices (vga, chipset, etc)
  • VirtIO

Areas that still need auditing by owners and area experts:

  • Mesh (@jstarks)
  • Networking (vm/devices/net/* & underhill_core/netvsp) (networking team)
  • Storage (vm/devices/storage/* & underhill_core/nvme_manager) (storage team)
  • VMBus (vm/devices/vmbus/*) (@SvenGroot)
  • VMGS (vm/vmgs/*) (@tjones60)

Part of #852

@smalis-msft smalis-msft requested a review from a team as a code owner May 23, 2025 21:30
@smalis-msft smalis-msft added the backport_2505 Change should be backported to the release/2505 branch label May 23, 2025
@smalis-msft smalis-msft requested a review from a team as a code owner May 23, 2025 21:30
@@ -606,7 +614,7 @@ async fn read_device_platform_settings(

// TODO: figure out if we really need to trace this. These are too long for
// the Underhill trace buffer.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can remove?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should probably leave as long as we're still logging it. But this is why I downgraded it.

@mebersol
Copy link
Collaborator

            panic!("Received unexpected SEV exit code {sev_error_code:x?}");

does this get logged in a debug-disabled CVM? If not, do we want a non-specific error message logged for this case?


Refers to: openhcl/virt_mshv_vtl/src/processor/snp/mod.rs:1575 in 8476372. [](commit_id = 8476372, deletion_comment = False)

@smalis-msft
Copy link
Contributor Author

Yes, panic messages should still get logged in a debug-disabled CVM. One of the things I'm working on this week is validating that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport_2505 Change should be backported to the release/2505 branch
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants