Add OpenHCL telemetry for VMGS provisioning #2024
Open
+498
−59
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mingweishih
reviewed
Sep 19, 2025
stunes-ms
force-pushed
the
user/mikestunes/telemetry
branch
from
20afa23 to
44bfa47
Compare
There was a problem hiding this comment.
Pull Request Overview
This PR adds comprehensive telemetry logging for VMGS provisioning and TPM operations in OpenHCL. The goal is to provide structured, queryable logs that can track provisioning success and indicate whether Trusted Launch features are being enabled.
Key changes include:
- Added operation-specific telemetry logs with timing metrics across TPM and VMGS operations
- Enhanced logging for AK cert provisioning, NV read/write operations, and GSP callbacks
- Added BIOS GUID tracking to TPM device resources for better telemetry correlation
Reviewed Changes
Copilot reviewed 13 out of 14 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| vm/vmgs/vmgs/src/vmgs_impl.rs | Changed log level and added op_type for VMGS provisioning telemetry |
| vm/devices/tpm_resources/src/lib.rs | Added bios_guid field to TpmDeviceHandle for logging purposes |
| vm/devices/tpm/src/tpm_helper.rs | Added comprehensive telemetry for TPM NV read/write operations with timing |
| vm/devices/tpm/src/lib.rs | Added detailed AK cert and key provisioning telemetry with error handling |
| vm/devices/get/guest_emulation_transport/src/client.rs | Added GSP callback operation telemetry |
| openhcl/underhill_attestation/src/lib.rs | Added VMGS decryption telemetry with GSP type tracking |
| Various config files | Updated to pass bios_guid parameter and added dependencies |
mingweishih
reviewed
Sep 23, 2025
smalis-msft
reviewed
Sep 25, 2025
smalis-msft
reviewed
Sep 25, 2025
stunes-ms
changed the title
stunes-ms
force-pushed
the
user/mikestunes/telemetry
branch
from
b39f77b to
e66b622
Compare
smalis-msft
previously approved these changes
Oct 1, 2025
mebersol
reviewed
Oct 3, 2025
openvmm/openvmm_entry/src/lib.rs
Outdated
| guest_secret_key: None, | ||
| logger: None, | ||
| is_confidential_vm: false, | ||
| // TODO: generate an actual BIOS guid and put it here |
stunes-ms
force-pushed
the
user/mikestunes/telemetry
branch
from
121bace to
966436e
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change adds telemetry (in the form of event markers in our logs) around operations of interest for VMGS provisioning and certain vTPM features (AKPub, AKCert, etc.). The goal of this approach is to have structured, easily queryable data that can show that provisioning is successful and indicate whether Trusted Launch features (OpenHCL-provisioned VMGS, GSP key) are being enabled.
This PR is intended to match a corresponding legacy HCL change as closely as possible, given the differences in their logging implementations. In particular, the operation names (here, added as an
op_typeproperty on traces) and other metadata properties should match.