Attendees
Abhishek Pandit (Arm)
Dan Handley (Arm)
David Brown (Linaro)
Kevin Townsend (Linaro)
Joakim Bech (Linaro)
Eric FInco (ST)
Julius Werner (Google)
Kangkang (Futurewei)
Bill Fletcher (Linaro Community Projects)
notes
AP: Reduce number of pending items.
Coding standard.
Decided we could have a couple of experienced SW guys in charge of
resolving any conflicts. Looking for a few volunteers who would clarify
(for TF-M) the standard.
EF: Timescale for closing this?
AP: No specific timeline but feel just need a small group who have the
judgement. They need prior experience with larger projects. Can send out an
email after to close nominations. Also have action to close coding
standards for platform (raised by ST).
EF: Will discuss with Michel - believe ST can contribute something here.
Maintainers
AP: Had long discussion last time for both TF-M and TF-A. How would people
prefer to close this topic? Otherwise ask one of the TF-A and TF-M
engineers from Arm to make a mailing list from a patch. Based on Dan’s
comment.
Security incident response process
DH: Stalling due to my time and discussion about Mbed TLS and Crypto
projects moving into the project. Can’t deliver patches to a small audience
for export control reasons. Still can have some sort of embargo on
reporting issue. Fix has to be available to anyone. Want them to decouple
fix from advisory. This is aligned to the link from JB - Google Project
Zero.
AP: First draft for open review - end of Jan?
DH: Have a draft ready now. Should be able to send it next week.
AP: Need to inform internal people at the same time.
DH: More of a problem at the moment for TF-M that doesn’t have a process.
OP-TEE etc should continue to follow their own process.
Regional differences for Crypto
KK: Example of TPM - TPM 2.0 allowed regional differences. Previous TPM was
banned in China. Should have an architecture that allows crypto
implementation to plug in.
DH: Hope that PSA crypto interface is suitable for anyone, even if the
underlying implementations are not. Generally should not have export
control issue. May be relying on feedback from Futurewei and other
contributors to say what is permissable in China.
KK: Suggest to review with Arm China.
DH: Need to improve the process before start on any feature improvements.
Provisioning
KT: Did not meet yet. Can put together an RFC by the end of the month.
DB: seeing a conflict between the academic view - X.509 too heavy vs Data
I/O saying everyone uses it even in the smallest devices. See what feedback
we get.
AP: Potentially raise it as a voting point, but have an open RFC discussion
first.
Trusted Firmware Website
AP: Have you browsed through the project website? See if there’s a need for
improvement. Main home page doesn’t have much information. A lot of the
material is via indirection (links?). TF-M needs more documentation. Also
people can’t find things on Phabricator.
JB: Always thought the font sizes are too big on all the project websites
that Linaro is creating. Have a problem with page layout
https://www.op-tee.org/security-advisories/
DB: Feel navigation text is too small and body text is too large.
JB: On OP-TEE website we got rid of a lot of information and just pointed
to readthedocs.
BF: Also have a staging website staging.trustedfirmware.org
AP: think first need some people to do some analysis first.
DB: Left hand navigation would be easier than dropdowns with 2 or 3 items.
KT: Think the documentation for TF-M has improved over the past couple of
months.
AP: Can find the docs via the dropdown. Discussing with Shebu, feel the
experience for getting started can be improved.
KT: People just want to know the git clone and CMake commands.
DB: There’s navigation of the sections of the doc, and there’s navigation
of the website. These are two different things.
KT: Have to click on user guide from getting started.
DB: Realise have to click on each level of the dropdown - make them just
mouse-over.
BF: Happy to collate data from a mailing list.
AP: Shall we share a document? On Phabricator there is a Q&A page. Anyone
object to mailing list? No.
Action on Abhishek to kick off the thread
Next meeting 20th Feb
--
[image: Linaro] <http://www.linaro.org/>
*Bill Fletcher* | *Field Engineering*
T: +44 7833 498336 <+44+7833+498336>
bill.fletcher(a)linaro.org | Skype: billfletcher2020
Thanks for forwarding, Joakim. I'm happy to say this seems aligned with my proposed TF disclosure policy (e.g. encourage a high quality fix ASAP but disclose after 90 days).
Regarding the status of the TF disclosure policy, I'm still making changes to this in the light of new information, e.g.
* The disclosure timeline is largely controlled by the reporter so we need some acknowledgement of that.
* In some cases it may not be possible to release a fix to a restricted audience for export control reasons. Although the incident can be discussed among a restricted audience, the fix may have to be issued publicly.
I can elaborate on this at the next TSC if needed.
Regards
Dan.
From: TSC <tsc-bounces(a)lists.trustedfirmware.org> On Behalf Of Joakim Bech via TSC
Sent: 07 January 2020 17:44
To: tsc(a)lists.trustedfirmware.org
Subject: [TF-TSC] Project Zero disclosure policy updates
Hi,
I thought this was interesting enough to share it with you guys, especially since we've had this up for discussion a couple of times.
https://googleprojectzero.blogspot.com/2020/01/policy-and-disclosure-2020-e…
Regards,
Joakim
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
