This screencast goes through the process I used to manage a CVE as part of
being the CNA for the Zephyr project. Not all of the links will be
accessible, but this should give a rough idea of the kind of work involved
in being a CNA.
https://www.youtube.com/watch?v=PksNzJXVDDA
David
Attendees
AbhishekP - Arm
DanH - Arm
DavidB - Linaro
MarkG - TI
JoakimB - Linaro OP-TEE
ChristianD - Cypress
JuliusW - Google
KumarG - Linaro LITE
KevinT - Linaro LITE
BillF - Linaro Community Projects
Agenda
OP-TEE
How to add more maintainers
AOB
Notes:
OP-TEE (Joakim’s slides)
BF: OP-TEE now visible via trustedfirmware.org
DH: No links to code etc
BF: Yes, just a first step that we can reference in any press release/blog
post. It links back to the main material at op-tee.org
JB: Have cleaned up op-tee.org content and not a big job to move it to
trustedfirmware.org
JB: Certifications. Should now revisit. However - there are many - need to
figure out what to spend the money on.
CD: Don’t certify in a vacuum
JB: Yes - video, payment ...
DH: … common criteria, safety. Generally need to certify a product, but
helps if know what you’re aiming for.
JB: Previously aimed at GC test suite that benefits everyone.
DB: FIPS certification
AP: At Arm have often focussed on ‘certifiable’ rather than certified.
JB: Sounds sane
AP: A lot of certifications have some common stuff - e.g. basic MISRA, some
threat model, lifecycle.
JB: If you clone the git repo you’ll get a test suite - xtest. You will not
get anything from GlobalPlatform. You can include it but you have to be a
member or buy it. It’s $6000 and includes support for 2 years. In Linaro we
have relied on members’ access to use the test suite.
DH: Code audits are good but take a hit - need to have all requirements in
place first like incident handling and lifecycle. They are expensive.
DH: For vulnerability reporting, have discussed increasing embargo period &
especially sensitive stakeholders.
DB: Zephyr is now a CNA. Organisation has to be a CNA but in the scope of
particular project(s). We’re receiving CVEs for the Zephyr project. It
might make sense for TF to become one.
DH: Process supposed to use for OSS doesn’t seem to work at all.
DB: End up going to the CNA of last resort. Much more responsive to CNAs
than random projects.
JB: tf.org/security should go to the various security centres and this
policy that we’re trying to approve.
Action DH to give BF an outline of what should be on the security front page
JB: Any interest on TF TSC that I present the plan for the coming cycle?
Action: JB to check with Mark Orvek if ok to share the OP-TEE information
from the project healthcheck.
CD: Generally take same approach as TF-A and TF-M. Share the information
but TF TSC not to be a bottleneck and have to ‘approve’. If there’s a
specific issue can discuss it at TSC.
DH: For the fork, we’d be trying to keep up with op-tee master and submit
back through the op-tee process. Don’t want to run on a branch for the long
term.
DH: Encrypted TEEs. Has always been a provision for encrypted TAs.
Architecture allows for it but have had no strong pull for implementing it.
JB: Tricky part is key management
DH: May be a requirement on TF-A to help here.
JB: Haven’t really planned on this but seeing requirements. No requirements
from PSA?
DH: no - the requirements are on authentication, not encryption.
DH: (Next steps) Expand the list of acceptable licenses.
AP: (Documenting answers and decisions) Both TF projects are using
Phabricator.
Action: JB to contact Ben and try out the Phabricator sandbox.
DH: Anything holding back to setup an op-tee project in gerrit?
JB: Have an action to talk to Ben about setting that up
Maintainers
AP: Looking at ways to expand maintainers list since have gaps during
vacation period
JB: Where is the list?
AP: Keep the maintainer list in gerrit
AP: Ask other members to talk about non-confidential items. If there are
external companies - maintainers should be able to invite them to attend.
Action: BF to add link to review.trustedfirmware.org to Nav bar
DB: If I go to developer.trustedfirmware.org and click on
https://developer.trustedfirmware.org/project/ only see TF-A.
CD: Seems that project takes the first query
https://developer.trustedfirmware.org/project/query/edit/. Can an
administrator change the order of the queries?
Action: Move the usability discussion to the mailing list since there are
people actively working on Phabricator.
Attendance:
DH: (In response to KT) anyone should be able to join as long as we know
who they are from a member company. When it comes to voting that’s specific
to reps.
AP: If someone additional invited announce it at the start of the meeting.
Date for the next meeting?
AP: 12th Sept.
--
*Bill Fletcher* | *Field Engineering*