vmgs: Write a diagnostic marker when provisioning the VMGS #2727
stunes-ms merged 8 commits into microsoft:main on Feb 6, 2026
Pull request overview
This PR adds diagnostic provisioning markers to VMGS (Virtual Machine Guest State) files to track when and how they were provisioned by OpenHCL, including details about the vTPM configuration.
Changes:
- Introduces a new vmgs_ext crate with types for tracking provisioning information (provisioner type, reason, TPM details)
- Refactors VMGS provisioning tracking from a boolean to an Option<VmgsProvisioningReason> to capture why provisioning occurred
- Extracts TPM-related constants and helper functions to improve code reusability
- Adds logic in OpenHCL to write a JSON-formatted provisioning marker when a VMGS file is newly provisioned
Reviewed changes
Copilot reviewed 12 out of 13 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| vm/vmgs/vmgs_ext/src/lib.rs | New crate defining provisioning marker types and enums |
| vm/vmgs/vmgs_ext/Cargo.toml | Cargo configuration for the new vmgs_ext crate |
| vm/vmgs/vmgs_format/src/lib.rs | Adds PROVISIONING_MARKER FileId (18) to the VMGS format |
| vm/vmgs/vmgs/src/vmgs_impl.rs | Refactors provisioning tracking to use VmgsProvisioningReason enum and adds provisioning_reason() method |
| vm/vmgs/vmgs/Cargo.toml | Adds vmgs_ext dependency |
| vm/devices/tpm/tpm_protocol/src/lib.rs | Extracts platform_akcert_attributes() helper and TPM default constants |
| vm/devices/tpm/tpm_protocol/src/tpm20proto.rs | Updates test to use extracted platform_akcert_attributes() helper |
| vm/devices/tpm/tpm_lib/src/lib.rs | Uses extracted constants and helper function instead of local duplicates |
| openhcl/underhill_core/src/worker.rs | Implements write_provisioning_marker() to write diagnostic information when VMGS is provisioned |
| openhcl/underhill_core/Cargo.toml | Adds tpm_protocol and vmgs_ext dependencies |
| opentmk/Cargo.toml | Adds tpm_protocol dependency |
| Cargo.toml | Registers vmgs_ext workspace member |
| Cargo.lock | Updates with vmgs_ext and new dependencies |
tjones60 reviewed Feb 4, 2026
tjones60 reviewed Feb 5, 2026
tjones60 previously approved these changes Feb 5, 2026
chris-oo approved these changes Feb 6, 2026
We want to leave a marker in a VMGS file that indicates that it was provisioned originally by HCL, with some diagnostic details (vTPM version, etc.). This is intended to be information-only: the marker is written once when a new VMGS file is provisioned by OpenHCL. It causes no functional changes, so OpenHCL does not need to read the marker when loading a VMGS file. Its purpose is to help us track down the origin of a VMGS file when debugging.
The marker is a JSON string containing parameters of interest from the initial creation of the VMGS file. Example (this is pretty-printed for readability; the actual marker is not):
```json
{
  "provisioner": "openhcl",
  "reason": "empty",
  "tpm_version": "1.38",
  "tpm_nvram_size": 32768,
  "akcert_size": 4096,
  "akcert_attrs": "0x42060004",
  "hcl_version": "f85a038845b4fd5c74726be38f4be690c99db8c6"
}
```
This adds dependencies on serde to vmgs_format (to make the VmgsProvisioningMarker struct serializable) and on serde_json to vmgs (to convert a VmgsProvisioningMarker to a string to write it to the VMGS file).
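For someone reading a marker back out of a VMGS file while debugging, the following added example (not code from this PR or from the OpenVMM project) parses the compact JSON string, checks it against the fields shown in the example above, and expands `akcert_attrs` into named flags. It assumes that the field set in the example is what a marker carries and that `akcert_attrs` is a TPM 2.0 TPMA_NV attribute value; `inspect_marker`, `decode_nv_attrs` and `SAMPLE` are hypothetical names.

```python
import json

# Fields and JSON types taken from the example marker in this PR description.
# Assumption: the real struct may carry other fields, so extras are only reported.
EXPECTED = {"provisioner": str, "reason": str, "tpm_version": str,
            "tpm_nvram_size": int, "akcert_size": int,
            "akcert_attrs": str, "hcl_version": str}

# TPMA_NV bit positions from the TPM 2.0 specification, Part 2.
# Assumption: akcert_attrs holds the TPMA_NV value of the AK cert NV index.
TPMA_NV_BITS = {0: "PPWRITE", 1: "OWNERWRITE", 2: "AUTHWRITE", 3: "POLICYWRITE",
                10: "POLICY_DELETE", 11: "WRITELOCKED", 12: "WRITEALL",
                13: "WRITEDEFINE", 14: "WRITE_STCLEAR", 15: "GLOBALLOCK",
                16: "PPREAD", 17: "OWNERREAD", 18: "AUTHREAD", 19: "POLICYREAD",
                25: "NO_DA", 26: "ORDERLY", 27: "CLEAR_STCLEAR", 28: "READLOCKED",
                29: "WRITTEN", 30: "PLATFORMCREATE", 31: "READ_STCLEAR"}

def decode_nv_attrs(hex_str):
    """Turn a hex string such as "0x42060004" into a list of set TPMA_NV flags."""
    value = int(hex_str, 16)  # accepts an optional 0x prefix
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("attribute value does not fit in 32 bits")
    return [name for bit, name in sorted(TPMA_NV_BITS.items()) if value >> bit & 1]

def inspect_marker(raw):
    """Parse a marker string; return (fields, problems) without raising."""
    try:
        marker = json.loads(raw)
    except ValueError as err:  # covers JSONDecodeError and UnicodeDecodeError
        return {}, [f"not valid JSON: {err}"]
    if not isinstance(marker, dict):
        return {}, ["marker is not a JSON object"]
    problems = []
    for key, typ in EXPECTED.items():
        if key not in marker:
            problems.append(f"missing field: {key}")
        elif type(marker[key]) is not typ:  # exact match, so true/false is not an int
            problems.append(f"wrong type for {key}: {type(marker[key]).__name__}")
    problems += [f"unrecognized field: {k}" for k in marker if k not in EXPECTED]
    fields = dict(marker)
    if isinstance(marker.get("akcert_attrs"), str):
        try:
            fields["akcert_attrs_decoded"] = decode_nv_attrs(marker["akcert_attrs"])
        except ValueError:
            problems.append("akcert_attrs is not a 32-bit hex value")
    return fields, problems

# The PR's example marker in compact form, as the description says it is stored.
SAMPLE = ('{"provisioner":"openhcl","reason":"empty","tpm_version":"1.38",'
          '"tpm_nvram_size":32768,"akcert_size":4096,"akcert_attrs":"0x42060004",'
          '"hcl_version":"f85a038845b4fd5c74726be38f4be690c99db8c6"}')
```

A missing marker says only that the file was not stamped at provisioning time, since the description states the marker is written once for newly provisioned files and is never read back by OpenHCL.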