Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVM: Updated traces to log by default, unless trace is tagged with CVM_CONFIDENTIAL #515

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

CVM: Updated traces to log by default, unless trace is tagged with CVM_CONFIDENTIAL #515

wants to merge 2 commits into from

Conversation

jazzybluesea
Copy link
Contributor

No description provided.

@jazzybluesea jazzybluesea self-assigned this Dec 17, 2024
@jazzybluesea jazzybluesea requested review from a team as code owners December 17, 2024 19:31
smalis-msft
smalis-msft reviewed Dec 17, 2024
View reviewed changes
Copy link
Contributor

@smalis-msft smalis-msft left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's a lot of changes here in crates that aren't included as part of OpenHCL. Those should all be reverted, as they aren't going to exist in CVMs.

@jazzybluesea jazzybluesea force-pushed the users/sewong/cvm_allowed branch from 4a5d652 to c58accd Compare December 17, 2024 20:48
smalis-msft
smalis-msft reviewed Dec 17, 2024
View reviewed changes
vm/cvm_tracing/src/lib.rs
pub fn confidential_event_filter<S: Subscriber>() -> impl Filter<S> {
FilterFn::new(move |m| m.fields().field("CVM_ALLOWED").is_some())
FilterFn::new(move |m| m.fields().field("CVM_CONFIDENTIAL").is_some().not())
Copy link
Contributor

@smalis-msft smalis-msft Dec 17, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Definitely not. The design here was intentional. We can not allow un-audited tracing statements to be logged in a CVM.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The auditing will be done during code review correct? Given that most of the traces are not confidential, it is easier to maintain if we change it to behave this way.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The problem is all the tracing statements that already exist that may log sensitive or confidential information. The auditing needs to be opt-in on a per-statement level. I agree that this would be easier, but it is also an unacceptable level of risk to meet our CVM confidentiality guarantees.

smalis-msft
smalis-msft requested changes Dec 17, 2024
View reviewed changes
Copy link
Contributor

@smalis-msft smalis-msft left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See comment

smalis-msft
smalis-msft requested changes Dec 17, 2024
View reviewed changes
Copy link
Contributor

@smalis-msft smalis-msft left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Filter inversion

@jazzybluesea jazzybluesea changed the title Adding CVM_ALLOWED to critical errors CVM: Updated traces to log by default, unless trace is tagged with CVM_CONFIDENTIAL Dec 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@smalis-msft smalis-msft smalis-msft requested changes

@mingweishih mingweishih Awaiting requested review from mingweishih

Requested changes must be addressed to merge this pull request.

Assignees

@jazzybluesea jazzybluesea

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jazzybluesea @smalis-msft