flowey: use dev manifests for mi-secure CI gate#3216
Open
will-j-wright wants to merge 1 commit intomicrosoft:mainfrom
Open
flowey: use dev manifests for mi-secure CI gate#3216will-j-wright wants to merge 1 commit intomicrosoft:mainfrom
will-j-wright wants to merge 1 commit intomicrosoft:mainfrom
Conversation
Contributor
Author
|
Okay I tried to have Copilot do this one itself from my phone but clearly that’s too difficult |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR fixes the mi-secure CI gate selecting the wrong IGVM manifest set by decoupling “how we compile OpenHCL” (build profile) from “which IGVM configuration/manifests we generate” (release vs dev manifests), allowing mi-secure to use the ship build profile while still using dev manifests (larger VTL2 memory).
Changes:
- Add an explicit boolean on
OpenhclIgvmBuildParamsto driverelease_cfgselection instead of deriving it fromOpenvmmHclBuildProfile. - Wire the new flag through the checkin gates and reproducible build pipelines.
- Force mi-secure to use dev manifests (
release_profile: false) even when building with the ship profile.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| flowey/flowey_lib_hvlite/src/_jobs/build_and_publish_openhcl_igvm_from_recipe.rs | Adds a new build param and uses it to set release_cfg explicitly when requesting IGVM builds. |
| flowey/flowey_hvlite/src/pipelines/checkin_gates.rs | Passes the new flag for normal OpenHCL builds and forces dev manifests for the mi-secure gate. |
| flowey/flowey_hvlite/src/pipelines/build_reproducible.rs | Passes the new flag to keep manifest selection consistent with the chosen pipeline “release” mode. |
flowey/flowey_lib_hvlite/src/_jobs/build_and_publish_openhcl_igvm_from_recipe.rs
Outdated
Show resolved
Hide resolved
flowey/flowey_lib_hvlite/src/_jobs/build_and_publish_openhcl_igvm_from_recipe.rs
Show resolved
Hide resolved
will-j-wright
force-pushed
the
fix-mi-secure-vtl2-memory
branch
from
eed2af3 to
80e2e1b
Compare
Move release_cfg from being derived inside build_and_publish to being set explicitly by callers. This allows the mi-secure CI gate to use the ship profile (to catch optimization bugs) while using dev manifests (with larger VTL2 memory) since mi-secure adds overhead that doesn't fit in the release memory budget. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
will-j-wright
force-pushed
the
fix-mi-secure-vtl2-memory
branch
from
80e2e1b to
8419be7
Compare
flowey/flowey_lib_hvlite/src/_jobs/build_and_publish_openhcl_igvm_from_recipe.rs
Show resolved
Hide resolved
smalis-msft
added
the
release-ci-required
Contributor
|
how much overhead does mi-secure add? |
Contributor
Author
I'm not sure how to measure that exactly, do you have any suggestions? |
Contributor
|
Maybe message Daniel Paliulis and ask? He's done it a fair bit. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The mi-secure CI gate was using release manifests (70MB VTL2 memory) when building with ship profile, but the mi-secure binary doesn't fit. Add explicit release_cfg to OpenhclIgvmBuildParams so the mi-secure gate can use the ship profile while selecting dev manifests (512MB VTL2 memory).