Make interrupt counters visible in release for cvms

[sluck-msft]

No description provided.

[Copilot]

Pull request overview

This PR adjusts the inspect sensitivity metadata across the CVM (confidential VM) path so that interrupt/LAPIC-related counters can be surfaced in release diagnostics, while still respecting the sensitivity filtering model used by Underhill/OpenHCL.

Changes:

• Mark LAPIC/APIC interrupt counters (and the relevant containment chain) as Safe in inspect so they appear under SensitivityLevel::Safe requests.
• Add per-state-unit inspect sensitivity control in vmm_core::state_unit, and set the partition unit’s inspect sensitivity to Safe in Underhill.
• Mark selected top-level inspect fields (e.g., VP list) as Safe so Safe-only inspection can traverse into CVM-safe subtrees.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
vmm_core/virt_support_apic/src/lib.rs	Marks Local APIC stats/counters as #[inspect(safe)] so interrupt counters can be visible under Safe inspection.
vmm_core/state_unit/src/lib.rs	Adds inspect_sensitivity to state units and uses sensitivity_child to gate each unit’s inspect subtree.
vmm_core/src/partition_unit/vp_set.rs	Marks the VP list field as Safe to allow Safe inspection to enumerate VP nodes.
openhcl/virt_mshv_vtl/src/processor/tdx/mod.rs	Attempts to mark the CVM subtree safe at the TDX backing level (but note flatten+sensitivity limitation).
openhcl/virt_mshv_vtl/src/processor/snp/mod.rs	Attempts to mark the CVM subtree safe at the SNP backing level (but note flatten+sensitivity limitation).
openhcl/virt_mshv_vtl/src/processor/mod.rs	Marks the backing field as Safe and marks LAPIC state’s LocalApic as Safe.
openhcl/virt_mshv_vtl/src/lib.rs	Marks CVM LAPIC array as Safe to expose LAPIC state that is explicitly marked safe.
openhcl/underhill_core/src/worker.rs	Sets the partition state unit’s inspect sensitivity to SensitivityLevel::Safe.
openhcl/underhill_core/src/lib.rs	Marks the VM worker handle as Safe for inspection.

[Copilot]

#[inspect(flatten, safe)] is misleading here: the inspect derive currently ignores sensitivity attributes on flatten fields (flatten just emits resp.merge(...)). This means safe has no effect, and only inner fields explicitly marked safe will be visible under a SensitivityLevel::Safe request. Consider removing safe from this attribute, or (if you need the whole subtree to be safe) wrap it as a named child via Response::sensitivity_child(...)/a non-flatten field so the sensitivity is actually applied.

Suggested change

	#[inspect(flatten, safe)]
	#[inspect(flatten)]

[Copilot]

#[inspect(flatten, safe)] does not currently apply safe sensitivity: the inspect derive ignores sensitivity attributes on flatten fields and only emits resp.merge(...). If the intent is to make this subtree visible for SensitivityLevel::Safe requests, you’ll need to mark the specific inner fields as #[inspect(safe)] (as done for LAPIC stats) or restructure to use a sensitivity-aware child/field instead of flatten. Otherwise, consider dropping safe here to avoid confusion.

Suggested change

	#[inspect(flatten, safe)]
	#[inspect(flatten)]

[Copilot]

This change introduces a new public builder API (UnitBuilder::inspect_sensitivity) and changes the inspect tree construction to use sensitivity_child(...), but there are no unit tests exercising the sensitivity behavior (e.g., that SensitivityLevel::Safe requests include Safe units and exclude Unspecified ones). Adding a focused test would help prevent regressions in inspect filtering semantics.