Hi all
Can you please let me know if you have any topics for tomorrow's TSC meeting? So far I have:
* Change in Arm TSC representation and chair (see separate mail)
* Proposal for migrating Mbed TLS GitHub location
* Perhaps also revisit the wider TF.org GitHub presence
* Lightning talk on NXM usage of TF. Kevin - are you ready to do this?
* Identify any future lightning talks
Regards
Dan.
Hi All,
FYI, per Shebu, I'm adding both mbed-tls(a)lists.trustedfirmware.org and
psa-crypto(a)lists.trustedfirmware.org to the MBed TLS Tech Forum invites.
Please look for this in your inbox and accept it if you would like the
series added to your calendar.
- Note that this is a monthly meeting but you will see two invites, one
that is for Asia timezones and one for Europe/US. Just delete the series
that isn't timezone friendly for you.
- FYI, recall that this and other tech forums can be found in the meeting
calendar on the TF website <https://www.trustedfirmware.org/meetings/>.
If you see a meeting in that calendar, click on the entry and an option
comes up saying "copy to my calendar." It will import that single instance
into your personal calendar from there if you wish. I wasn't able to test
this feature with outlook, but it worked fine for google calendar.
Please let me know if you have any questions.
Best regards,
Don Harbin
TrustedFirmware Community Manager
don.harbin(a)linaro.org
Hi Abhishek, TSC representatives,
We're doing some changes when it comes to the Linaro TF TSC representatives.
- I'm stepping out (but I'm still around in Linaro).
- David Brown becomes the main Linaro TF TSC rep.
- Ruchika Gupta steps in as the backfill for David when he is unable to
attend.
Please update mailing-lists and meeting invitations etc accordingly.
Regards,
Joakim
Hi All,
Please find the minutes from this morning's meeting below.
Also, find attached Ruchika's presentation.
Best regards
Don Harbin - Sent on behalf of the TSC Chair
=================================================
Attendees: Don, Kevin Townsend(Linaro), Ruchika Gupta(Linaro), Julius
Werner(Google), Miklos Balint, David Brown(Linaro), Joakim Bech(Linaro),
Gyorgy Szing, Kangkang Shen(Futurewei), Abhishek Pandit(Arm), Lionel
DEBIEVE(ST),
Konstantin Karasev(OMP), Andrej Butok(NXP), Matteo, Kevin Oerton(NXM Labs)
Minutes:
-
OP-TEE Roadmap: Ruchika - Linaro Security Working Group Tech Lead
-
GET SLIDES
-
Reviewed Focus areas
-
OP-TEE and Virtualization
-
Functional Safety Updates
-
Proposal of task ownership shown
-
Share H/W resources
-
Roadmap - Details
-
Note the Jira Tickets are public and accessible by the team
-
Ruchika provided a brief overview of Stratos
<https://www.linaro.org/projects/#automotive_STR> (Linaro driven
Virtualization Project) and TS
<https://www.linaro.org/projects/#trusted-substrate_TS>(Linaro driven
Trusted Substrate project).
-
KK: Re: Trusted Substrate - it’s a platform to support
firmware-level security features. Related to SOAFEE. Edge focused
-
Abhishek: Partner Lightning Talks - round robin usage of TF
-
Interest in lightning talks and sharing how their company is using
the output of TF.org, one Member share monthly in this meeting.
-
Will push out the vote for doing this.
-
KO: Initial target is to start in December?
-
AP: Suggest starting in January
-
KO: Will talk thru email, but pencil in Kevin for January
<end>
Hi All,
Sorry a bit late for this week's meeting. We have -
* OPTEE roadmap presentation. (Please note that meeting has been moved 2 hours earlier.)
* Revisit - lightning talks proposal?
*
Any other agenda suggestions?
Thanks,
Abhishek
Hi All,
Please find the minutes from yesterday's TSC Tech Form below.
Best regards,
Don - Sent on behalf of the TSC Chair
==============================================
Attendees: Joakim Bech(Linaro), Don, Abhishek Pandit(Arm), Anton Komlev
<Anton.Komlev(a)arm.com>(Arm), Dan Handley(Arm), Kevin Oerton(NXM Labs),
David Brown(Linaro), Julius Werner <jwerner(a)google.com>(Google), Andrej
Butok(NXP), Eric Finco(ST), Michael T(Renesas)
Minutes:
-
Security Incident Reporting Review
-
Reference Joakims email thread
-
Joakim shared the background. Working to simplify. Walked thru a
sample incident process spreadsheet.
-
DB: How consistent in alerting additional Stakeholders?
-
Joakim: reference Phabricator page to answer the question.
-
Joakim: Process requires discipline. Shared checklist.
-
Each issue would have its own checklist.
-
KO: Looks good and provides the picture we need
-
KO: Why manual process?
-
JB: See checklist - must add dates
-
DanH: New tab for each checklist may be hard to sustain.
-
KO: Automation would be nice
-
AP: What is this solving?
-
KO: From Technical oversight, this provides a high-level view of
security robustness and responsiveness to issues. May be a
useful mgt tool
to understand security state and velocity is sufficient.
-
DB: With Zephyr, a checklist for each issue has caught things that
would have been missed, like publishing to MITRE.
-
DanH, AP: Agree checklists seem useful.
-
AP: Doesn’t include effort. What metric is needed?
-
DB: Need a start and an end, which doesn’t happen in this.
-
MT: Renesas uses Jira. Excel is tough - not scalable and can’t export
-
AP: What is the use of date for each transition?
-
DB: Checklists, and states in Jira. Jira is not trivial either and
must be tuned when changes are made. Clickup or Airtable might be good
choices. Scriptable is helpful. Not free solutions.
-
KO: Air table is $60 / month. Development/maintenance is the real
cost.
-
DanH: Corner cases are abundant and can skew statistics.
-
DB: Current sheet is a report, the data is the dates.
-
AP: Only stats that matter is when Opened and When closed. If
lock-on purpose, then can decide what data is needed.
-
DB: On zephyr, patches are done by others rather than the security
team, which makes it difficult. What happens when a 3rd party comes in?
-
DanH: Could be a case but hasn’t happened.
-
Agreed to table this and discuss again in a month
-
Phabricator Deprecation:
-
Noted raised and not discussed. Will discuss later
-
TF-M Release cadence change
-
Anton: From 4 to 6 months. Minimizes overhead associated with
releases
-
KO: Keeping the window open allows better synchronization.
-
Anton: Each project is different. Smaller windows have a better
chance to overlap.
-
EF: How aligns w/ MCUBoot?
-
Anton: No formal plan there, we pick it up asap.
-
EF: 2 versions in a time window. Make sure MCUBoot release is done 6
weeks before, for example, so can be merged in
-
Anton: This aligns with the purpose of this proposal. TF-A also has 6
months schedule.
-
AP: MBed TLS starting open tech Forum.
-
AP: ADAC repo - top-level repo now available. Expect a tech talk in the
future
-
AP: Roadmap discussions: None this month as it was covered last month,
plan to do every month. If can have lightning talks from Member reps on
how they’re using TF.org projects and are public. Still deciding if useful
and how to organize?
-
KO: A sense of how this is getting leveraged is the ultimate end
goal. A google project w/ BOM is being tracked for security issues that
impact other projects.
-
AP: Feel free to provide Abhishek feedback outside this forum
-
AP: Funding approval for Open CI. All aware
-
DonH: FYI includes reduction of Community Mgr to 0.3 to maintain a
healthy surplus. Also, the majority votes are in and it has passed.
-
Joakim: Can now compile OP TEE TA’s in Rust
<end>
Hi All,
Any agenda suggestions for this week's meeting?
Couple of potential topics :
* Security incident monitoring
* Phabricator deprecation
Thanks,
Abhishek
Hi All,
In case you missed a session of interest at Linaro Connect, the recorded
sessions and accompanying presentations are now posted on line
<https://connect.linaro.org/resources/lvc21f/lvc21f-212>.
I've attached a Session Resource List to this email as well that has been
created to quickly find sessions of interest based upon topics.
Best regards,
Don
Attendees:
Dan Handley (Arm, chair)
Joanna Farley (Arm)
Shebu Varghese Kuriakose (Arm)
Matteo Carlini (Arm)
Joakim Bech (Linaro)
David Brown (Linaro)
Don Harbin (Linaro)
Eric Finco (ST)
Lionel Debieve (ST)
KangKang Shen (Futurewei)
Michael Thomas (Renesas)
Julius Werner (Google)
Kevin Oerton (NXMLabs)
Andrey Butok (NXP)
Shebu presented Mbed TLS roadmap (attached)
KO: How will the Crypto Driver API be used.
SK: This is a back-end HAL interface for crypto-processors to plug in to. The front-end interface will always be the PSA Crypto API.
KO: Will this driver API help add support for certs that Mbed TLS doesn't support yet?
Shebu: No, the fron- end interface will always be via the Mbed TLS and PSA Crypto APIs. Adding new cert support would be a separate work item. Currently we're more focussed on new crypto algorithm support.
KO: For A-profile, is there a dependency on the Trusted Services (TS) project?
SVK: TS uses PSA Crypto, as does TF-A. There is some plumbing still to do with FF-A if you want to call PSA Crypto APIs from the normal world and route that through to TS or a Secure Element backend.
MT: When will there be a 3.x LTS branch?
SVK: Will consider the next LTS in 2022. The last 2.x branch will be an LTS. We don't have firm plans for a 3.x LTS branch yet.
MT: Even if you update Mbed TLS to use the PSA Crypto API, some partners will continue to use the legacy Mbed TLS crypto APIs (via Mbed TLS) since they will only use LTS branches. They will not move until there is an LTS that uses the PSA Crypto APIs.
DH: The strategy is to clean up the dependencies on the legacy crypto APIs through the 3.x series of releases. Eventually Mbed TLS will not have a dependency on the legacy APIs. Even then, backwards compatibility will be maintained in the legacy APIs. Support for the legacy APIs would not be removed until a (TBD) 4.0 release.
KO: Is there any overhead to using PSA Crypto API.
SVK: We haven't actually measured this.
DH: There will be a small overhead in the current implementation as these effectively wrap the legacy API implementations. There's no overhead due to the APIs themselves. Through the 3.x series of releases, the implementation will be inverted so that the legacy APIs will wrap the PSA Crypto API implementations. Then the overhead will be in the legacy implementation instead.
Matteo presented the TF-A roadmap: https://developer.trustedfirmware.org/w/tf_a/roadmap/
EF: What is firmware transparency? Is it a device side or server side technology?
MC: It's related to firmware attestation, which is about collecting firmware measurements and providing them to a relying party in the form of an attestation token.
DH: Actually, it’s a bit orthogonal to attestation. Attestation is about providing evidence to a (possibly remote) relying party in order enable functionality (e.g. provisioning of secrets).
DH: Firmware transparency is about making that evidence (in the form of certificates) available to anyone in a verifiable data store, so they can trust the firmware on a device is what it says it is
JB: So it's similar to TPM?
DH: Hmm, not exactly but the measurements may be stored in a TPM on the device.
DH: The project we’re interested in here is Google Trillian: https://opensource.google/projects/trillian
DH: This is really a server side technology but there may be some alignment activities to do on the device side
EF: What is the 32-bit support about in the roadmap?
SVK: This is related to Trusted Services (TS). It's about running legacy 32-bit TAs within TS, which is extra work
MC: Phabricator page for this: https://developer.trustedfirmware.org/w/tf_a/roadmap/
MC: Plan is to create a common landing page with Don for all roadmaps
AOB:
DH: Someone in Arm pointed out that the tagline on the tf.org website is not strictly accurate:
"OPEN SOURCE SECURE WORLD SOFTWARE"
DH: Some of the software does not necessarily reside in the secure world (e.g. Mbed TLS, Trusted Services, Future CCA support)
DH: Proposal is to just remove the word "World".
JK: Makes sense. I thought that too.
(No-one disagreed)
SVK: There's another reference on that page too.
DH: Yes, we may need to remove this in several places on the website.
ACTION: Dan to work with Don on changing "secure world" to "secure" on the website
JB: Board wanted more visibility into the security process, e.g. how fast are we to respond, what issues are in flight, etc...
DH: OK, as long as this isn't leaking security critical info to people who are not necessarily part of the security teams.
JB: Yes, of course. This is just about seeing how well the process is working, not the issues themselves
DH: My other concern is not putting too much extra process on the security teams.
JB: I have an action to propose something that is workable here.
DonH: Would like more of the tech people on the teams to propose topics at future conferences, e.g. the OSFC
DH: Arm folk have quite a few presentations at last week's LVC but perhaps not OSFC.
DonH: Yes, I was looking for more than just Arm people.
Regards
Dan.
-----Original Appointment-----
From: Don Harbin <don.harbin(a)linaro.org<mailto:don.harbin@linaro.org>>
Sent: 14 April 2021 15:08
To: Don Harbin; Joakim Bech; Bill Fletcher (bill.fletcher(a)linaro.org<mailto:bill.fletcher@linaro.org>); lionel.debieve(a)st.com<mailto:lionel.debieve@st.com>; andrey.butok(a)nxp.com<mailto:andrey.butok@nxp.com>; Nicusor Penisoara; Abhishek Pandit; Eric Finco (eric.finco(a)st.com<mailto:eric.finco@st.com>); k.karasev(a)omprussia.ru<mailto:k.karasev@omprussia.ru>; kevin(a)nxmlabs.com<mailto:kevin@nxmlabs.com>; David Brown; David Cocca; kangkang.shen(a)futurewei.com<mailto:kangkang.shen@futurewei.com>; Dan Handley; roman.baker(a)cypress.com<mailto:roman.baker@cypress.com>; Kevin Townsend (kevin.townsend(a)linaro.org<mailto:kevin.townsend@linaro.org>); reinauer(a)google.com<mailto:reinauer@google.com>; Serban Constantinescu; a.rybakov(a)omprussia.ru<mailto:a.rybakov@omprussia.ru>; Julius Werner; roman.baker(a)infineon.com<mailto:roman.baker@infineon.com>
Subject: Trusted Firmware TSC
When: 16 September 2021 09:00-09:55 America/Los_Angeles.
Where: https://linaro-org.zoom.us/j/96393644990?pwd=VXlGeFF1Z2U3UTlwbmNhRTZYeE5lZz…
This event has been changed with this note:
"Adjusting due to time zone changes"
Trusted Firmware TSC
When
Changed: Monthly from 9am to 9:55am on the third Thursday 9 times Mountain Standard Time - Phoenix
Where
https://linaro-org.zoom.us/j/96393644990?pwd=VXlGeFF1Z2U3UTlwbmNhRTZYeE5lZz… (map<https://www.google.com/url?q=https%3A%2F%2Flinaro-org.zoom.us%2Fj%2F9639364…>)
Calendar
dan.handley(a)arm.com<mailto:dan.handley@arm.com>
Who
•
Don Harbin - organizer
•
Joakim Bech
•
Bill Fletcher
•
lionel.debieve(a)st.com<mailto:lionel.debieve@st.com>
•
andrey.butok(a)nxp.com<mailto:andrey.butok@nxp.com>
•
nicusor.penisoara(a)nxp.com<mailto:nicusor.penisoara@nxp.com>
•
abhishek.pandit(a)arm.com<mailto:abhishek.pandit@arm.com>
•
eric.finco(a)st.com<mailto:eric.finco@st.com>
•
k.karasev(a)omprussia.ru<mailto:k.karasev@omprussia.ru>
•
kevin(a)nxmlabs.com<mailto:kevin@nxmlabs.com>
•
David Brown
•
david.cocca(a)renesas.com<mailto:david.cocca@renesas.com>
•
kangkang.shen(a)futurewei.com<mailto:kangkang.shen@futurewei.com>
•
dan.handley(a)arm.com<mailto:dan.handley@arm.com>
•
roman.baker(a)cypress.com<mailto:roman.baker@cypress.com>
•
kevin.townsend(a)linaro.org<mailto:kevin.townsend@linaro.org>
•
reinauer(a)google.com<mailto:reinauer@google.com>
•
Serban Constantinescu
•
a.rybakov(a)omprussia.ru<mailto:a.rybakov@omprussia.ru>
•
Julius Werner
•
roman.baker(a)infineon.com<mailto:roman.baker@infineon.com>
more details »<https://calendar.google.com/calendar/event?action=VIEW&eid=c2NxdnQzczZubWpt…>
Trusted Firmware is inviting you to a scheduled Zoom meeting.
Topic: TrustedFirmware TSC
Time: Dec 17, 2020 05:00 PM London
Every month on the Third Thu, 12 occurrence(s)
Dec 17, 2020 05:00 PM
Jan 21, 2021 05:00 PM
Feb 18, 2021 05:00 PM
Mar 18, 2021 05:00 PM
Apr 15, 2021 05:00 PM
May 20, 2021 05:00 PM
Jun 17, 2021 05:00 PM
Jul 15, 2021 05:00 PM
Aug 19, 2021 05:00 PM
Sep 16, 2021 05:00 PM
Oct 21, 2021 05:00 PM
Nov 18, 2021 05:00 PM
Please download and import the following iCalendar (.ics) files to your calendar system.
Monthly: https://linaro-org.zoom.us/meeting/tJIufuquqj8jE9QUXZNeFMnKKzozNj9SWM72/ics…<https://www.google.com/url?q=https%3A%2F%2Flinaro-org.zoom.us%2Fmeeting%2Ft…>
Join Zoom Meeting
https://linaro-org.zoom.us/j/96393644990?pwd=VXlGeFF1Z2U3UTlwbmNhRTZYeE5lZz…<https://www.google.com/url?q=https%3A%2F%2Flinaro-org.zoom.us%2Fj%2F9639364…>
Meeting ID: 963 9364 4990
Passcode: roadRunner
One tap mobile
+13462487799,,96393644990# US (Houston)
+16699009128,,96393644990# US (San Jose)
Dial by your location
+1 346 248 7799 US (Houston)
+1 669 900 9128 US (San Jose)
+1 253 215 8782 US (Tacoma)
+1 312 626 6799 US (Chicago)
+1 646 558 8656 US (New York)
+1 301 715 8592 US (Washington D.C)
877 853 5247 US Toll-free
888 788 0099 US Toll-free
Meeting ID: 963 9364 4990
Find your local number: https://linaro-org.zoom.us/u/aegtEd7Roj<https://www.google.com/url?q=https%3A%2F%2Flinaro-org.zoom.us%2Fu%2FaegtEd7…>
Going (dan.handley(a)arm.com<mailto:dan.handley@arm.com>)? All events in this series: Yes<https://calendar.google.com/calendar/event?action=RESPOND&eid=c2NxdnQzczZub…> - Maybe<https://calendar.google.com/calendar/event?action=RESPOND&eid=c2NxdnQzczZub…> - No<https://calendar.google.com/calendar/event?action=RESPOND&eid=c2NxdnQzczZub…> more options »<https://calendar.google.com/calendar/event?action=VIEW&eid=c2NxdnQzczZubWpt…>
Invitation from Google Calendar<https://calendar.google.com/calendar/>
You are receiving this courtesy email at the account dan.handley(a)arm.com<mailto:dan.handley@arm.com> because you are an attendee of this event.
To stop receiving future updates for this event, decline this event. Alternatively you can sign up for a Google account at https://calendar.google.com/calendar/ and control your notification settings for your entire calendar.
Forwarding this invitation could allow any recipient to send a response to the organizer and be added to the guest list, or invite others regardless of their own invitation status, or to modify your RSVP. Learn More<https://support.google.com/calendar/answer/37135#forwarding>.
