restore changes missed during merge#185
Merged
Merged
Conversation
A hostile VMM can complete a tdvmcall_migtd_receive with status=VMM_SUCCESS but data_length=0. The previous implementation let this propagate as Ok(0) through VmcallRaw::recv, which would stall the caller's read loop indefinitely (no forward progress, no error). Reject zero-length success inside the receive poll_fn closure with VmcallRawError::Malformed, which surfaces to upstream callers as a network error instead of an infinite spin. Also stop relying on the post-completion data_length on the send path (per spec, data_length is owned by MigTD when status=0 and is not a meaningful VMM-reported value after completion). The previously returned value was already discarded by VmcallRaw::send, so this is a no-op in behavior but makes the spec contract explicit. Document this in the poll_vmcall_completion doc comment. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Haitao Huang <haitaohuang@microsoft.com>
Public connection state variant State::Establised was misspelled. Rename to State::Established across vmcall_raw and vsock. No behavior change. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Haitao Huang <haitaohuang@microsoft.com>
When the migration context has been destroyed (no entry in VMCALL_MIG_CONTEXT_FLAGS for the request id), any interrupt injection from the VMM should be rejected. Previously the else branch discarded the error with `let _ = ...`, allowing execution to fall through and treat DMA buffer contents as a valid VMM response. Return an error immediately so the caller rejects the stale injection. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Haitao Huang <haitaohuang@microsoft.com>
align_up() computed `(size & !(PAGE_SIZE - 1)) + PAGE_SIZE` for non-page-aligned input, which silently wraps to 0 near usize::MAX, and vmcall_raw_transport_enqueue() blindly downcast buf.len() to u32 and added the 12-byte header without overflow checks. A pathological caller could end up allocating a 0-page SharedMemory and writing past it. Switch align_up() to checked_add and propagate None to the caller as VmcallRawError::Illegal; size the data buffer via checked_add(12) and reject buf.len() that does not fit a u32 data_length. Add unit tests for the boundary cases. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Haitao Huang <haitaohuang@microsoft.com>
parse_events() indexed event_data[1..1 + desc_size] for EV_EFI_PLATFORM_FIRMWARE_BLOB2 and event_data[..4] for EV_EVENT_TAG without first validating length. A truncated or malformed event payload caused a panic instead of being skipped. Replace the raw slice indexing with .get(...) and propagate None, so a short event is dropped rather than aborting the parse. Add unit tests for both code paths. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Haitao Huang <haitaohuang@microsoft.com>
HelloPacketPayload is serialized via as_bytes() (a raw pointer cast over the struct) and parsed via read_from_bytes() with hard-coded offsets, both of which assume C layout. Without #[repr(C)] the compiler is free to reorder fields, breaking the wire format. Annotate the struct to match the sibling PreSessionMessage. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Haitao Huang <haitaohuang@microsoft.com>
…om_quote find(PEM_CERT_END) searched from offset 0 of the lossy-decoded quote string, so if any byte sequence matching the END marker appeared before the BEGIN marker (or BEGIN was absent), end_index < start_index and the subsequent slice operation panicked. Search for END strictly after the end of BEGIN, and return InvalidQuote on malformed input. Real hardware quotes never trigger the bug, but the parser should not panic on hostile input. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Haitao Huang <haitaohuang@microsoft.com>
get_event_log() returns &raw[..size + 1] as a workaround for an upstream bug in cc_measurement::log::CcEvents::next() (uses `<` instead of `<=`), which silently drops the last event when the slice ends exactly on an event boundary. In MigTD that last event is the tagged policy event, so removing the +1 has previously broken AzCVMEmu integration tests. Document the workaround in code next to the slice expression and add last_event_visible_only_with_trailing_padding as a regression test mirroring the upstream reproducer (confidential-containers/td-shim#848). The test fails loudly both if anyone re-applies the "cleanup" and once the upstream iterator is fixed and the workaround can be removed. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Haitao Huang <haitaohuang@microsoft.com>
Restore quote-retry and peer cert chain validation changes that were silently overwritten when intel/main was merged. Also fix missing imports in rebinding.rs that broke the vmcall-raw + policy_v2 build. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Haitao Huang <haitaohuang@microsoft.com>
Remove tracked policy_v2_signed.json and policy_issuer_chain.pem from config/AzCVMEmu/; add them to .gitignore. Enable jq installation for rebind scenarios that now auto-generate policy files. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Haitao Huang <haitaohuang@microsoft.com>
There was a problem hiding this comment.
Pull request overview
This PR restores a set of fixes that were missed during a merge, primarily aimed at stabilizing CI and improving robustness in MigTD’s policy-v2, event log parsing, and transport layers.
Changes:
- Improve robustness of event log parsing and add regression/unit tests for previously panicking/truncation cases.
- Harden vmcall-raw transport against integer overflow and malformed VMM responses; add tests for page-alignment helper.
- Update emulation CI workflow to (re)generate policy artifacts at runtime and ignore generated policy files in git.
Reviewed changes
Copilot reviewed 14 out of 16 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| src/policy/src/v2/collaterals.rs | Fix PEM end-marker search to occur after the begin marker when extracting PCK cert. |
| src/migtd/src/spdm/spdm_req.rs | Rename remote_policy to peer_data in SPDM requester flow to reflect broader peer payload usage. |
| src/migtd/src/migration/session.rs | Update call site to match peer_data rename for SPDM policy-v2 flows. |
| src/migtd/src/migration/rebinding.rs | Update imports to use explicit pre-session packet helpers. |
| src/migtd/src/migration/pre_session_data.rs | Add #[repr(C)] to HelloPacketPayload to stabilize layout for byte-casting. |
| src/migtd/src/mig_policy.rs | Switch to get_quote_with_retry to handle transient quote/attestation failures. |
| src/migtd/src/event_log.rs | Add +1 slicing workaround and tests; improve truncation handling in parse_events(). |
| src/devices/vsock/src/stream.rs | Fix typo in state variant name (Established). |
| src/devices/vsock/src/lib.rs | Fix typo in state variant name (Established). |
| src/devices/vmcall_raw/src/transport/vmcall.rs | Harden buffer sizing and completion polling; add malformed/zero-length receive handling. |
| src/devices/vmcall_raw/src/lib.rs | Make align_up overflow-safe (Option) and add unit tests. |
| config/AzCVMEmu/policy_v2_signed.json | Remove generated policy artifact from repo. |
| config/AzCVMEmu/policy_issuer_chain.pem | Remove generated issuer chain artifact from repo. |
| Cargo.lock | Update spin dependency version in lockfile. |
| .gitignore | Ignore generated policy artifacts and review-tooling directories. |
| .github/workflows/integration-emu.yml | Ensure policy artifacts are generated in CI for scenarios that require them. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
ksayid
approved these changes
May 26, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Previously merged intel patches overwrote some changes, restored those in this PR and make all ci passes.
Improved ci and some small fixes for hardening on checking host controlled interfaces