Mark tracing statements across the codebase as CVM_ALLOWED or CVM_CONFIDENTIAL
By default, when operating within a CVM, OpenHCL will allow all of its internal tracing statements to reach the host. This is necessary to allow us to debug failure scenarios. However, this creates a confidentiality challenge, as it's very easy to accidentally log something we shouldn't. To solve this we have a marker, CVM_CONFIDENTIAL, that can be added to a tracing statement to attest that it contains information that is not safe to disclose to the host. We need to go through all of our tracing statements and determine which are safe to log, which are not, and annotate them appropriately.
(We also have a CVM_ALLOWED marker to mark statements that can freely go to the host; however, this is the same as the default behavior, and thus is a functional no-op. It is intended just to provide a signal that the tracing statement has been audited.)
See the documentation in the cvm_tracing crate and this guide section for more information.
Areas:
- [x] Core (@smalis-msft)
- [x] Mesh (@jstarks)
- [x] Networking (vm/devices/net/* & underhill_core/netvsp) (@erfrimod)
- [ ] Storage (vm/devices/storage/* & underhill_core/nvme_manager) (@eric135)
- [ ] VMBus (vm/devices/vmbus/*) (@SvenGroot)
- [ ] VMGS (vm/vmgs/*) (@tjones60)
We should also look at any places we're using inspect internally and decide if it's safe for those calls to inspect sensitive state or not.
edit: this is done.
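An added example to support the audit described above, not OpenHCL's own tooling: a small Rust helper that scans source text for `tracing::<level>!(` invocations and classifies each by whether its first field is CVM_ALLOWED, CVM_CONFIDENTIAL, or neither, so that unmarked statements (host-visible by default) can be listed for review. The sample source is constructed, and the helper assumes the marker is written as the first field of the macro (a `target:` prefix is not handled).

```rust
// Added audit helper (not part of OpenHCL). Scans Rust source for tracing macro
// invocations and reports whether each carries a CVM marker as its first field.
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum Marker {
    Allowed,
    Confidential,
    Unmarked,
}

const LEVELS: [&str; 5] = ["trace", "debug", "info", "warn", "error"];

/// Returns (line number, marker) for every `tracing::<level>!(` found in `src`,
/// sorted by line. Multi-line invocations are handled because the first field is
/// read from the text following the opening parenthesis, not from a single line.
pub fn audit_tracing(src: &str) -> Vec<(usize, Marker)> {
    let mut out = Vec::new();
    for level in LEVELS {
        let needle = format!("tracing::{level}!(");
        let mut start = 0;
        while let Some(rel) = src[start..].find(&needle) {
            let pos = start + rel;
            let args = src[pos + needle.len()..].trim_start();
            // First field = text up to the first comma, close paren, or newline.
            let raw: String = args.chars().take_while(|c| !matches!(c, ',' | ')' | '\n')).collect();
            let field = raw.trim().trim_start_matches("cvm_tracing::");
            let marker = match field {
                "CVM_ALLOWED" => Marker::Allowed,
                "CVM_CONFIDENTIAL" => Marker::Confidential,
                _ => Marker::Unmarked, // host-visible by default, needs review
            };
            let line_no = src[..pos].matches('\n').count() + 1;
            out.push((line_no, marker));
            start = pos + needle.len();
        }
    }
    out.sort_by_key(|(line, _)| *line);
    out
}

/// Line numbers of statements that carry neither marker.
pub fn unmarked_lines(src: &str) -> Vec<usize> {
    audit_tracing(src).into_iter().filter(|(_, m)| *m == Marker::Unmarked).map(|(l, _)| l).collect()
}

// Constructed sample source for illustration; not code from OpenHCL.
pub const SAMPLE: &str = r#"
fn handle(req: &Request) {
    tracing::info!(CVM_ALLOWED, "processing request");
    tracing::debug!(
        CVM_CONFIDENTIAL,
        key = ?req.session_key,
        "negotiated session"
    );
    tracing::warn!(error = %e, "request failed");
    tracing::error!(cvm_tracing::CVM_ALLOWED, "device reset");
}
"#;

fn main() {
    for (line, marker) in audit_tracing(SAMPLE) {
        println!("line {line}: {marker:?}");
    }
}
```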
I didn't see anything that I would consider sensitive data in the vmbus tracing.