Notes:
OP-TEE (Joakim’s slides)
BF: OP-TEE now visible via trustedfirmware.org
DH: No links to code etc
BF: Yes, just a first step that we can reference in any press release/blog post. It links back to the main material at op-tee.org
JB: Have cleaned up op-tee.org content and not a big job to move it to trustedfirmware.org
JB: Certifications. Should now revisit. However - there are many - need to figure out what to spend the money on.
CD: Don’t certify in a vacuum
JB: Yes - video, payment ...
DH: … common criteria, safety. Generally need to certify a product, but helps if know what you’re aiming for.
JB: Previously aimed at GC test suite that benefits everyone.
DB: FIPS certification
AP: At Arm have often focussed on ‘certifiable’ rather than certified.
JB: Sounds sane
AP: A lot of certifications have some common stuff - e.g. basic MISRA, some threat model, lifecycle.
JB: If you clone the git repo you’ll get a test suite - xtest. You will not get anything from GlobalPlatform. You can include it but you have to be a member or buy it. It’s $6000 and includes support for 2 years. In Linaro we have relied on member’s access to use the test suite.
DH: Code audits are good but take a hit - need to have all requirements in place first like incident handling and lifecycle. They are expensive.
DH: For vulnerability reporting, have discussed increasing embargo period & especially sensitive stakeholders.
DB: Zephyr is now a CNA. Organisation has to be a CNA but in the scope of particular project(s). We’re receiving CVEs for the Zephyr project. It might make sense for TF to become one.
DH: Process supposed to use for OSS doesn’t seem to work at all.
DB: End up going to the CNA of last resort. Much more responsive to CNAs than random projects.
JB: tf.org/security should go to the various security centres and this policy that we’re trying to approve.
Action DH to give BF an outline of what should be on the security front page
JB: Any interest on TF TSC that I present the plan for the coming cycle?
Action: JB to check with Mark Orvek if ok to share the OP-TEE information from the project heathcheck.
CD: Generally take same approach as TF-A and TF-M. Share the information but TF TSC not to be a bottleneck and have to ‘approve’. If there’s a specific issue can discuss it at TSC.
DH: For the fork, we’d be trying to keep up with op-tee master and submit back through the op-tee process. Don’t want to run on a branch for the long term.
DH: Encrypted TEEs. Has always been a provision for encrypted TA’s. Architecture allows for it but have had no strong pull for implementing it.
JB: Tricky part is key management
DH: May be a requirement on TF-A to help here.
JB: Haven’t really planned on this but seeing requirements. No requirements from PSA?
DH: no - the requirements are on authentication, not encryption.
DH: (Next steps) Expand the list of acceptable licenses.
AP: (Documenting answers and decisions) Both TF projects are using Phabricator.
Action: JB to contact Ben and try out the Phabricator sandbox.
DH: Anything holding back to setup an op-tee project in gerrit?
JB: Have an action to talk to Ben about setting that up
Maintainers
AP: Looking at ways to expand maintainers list since have gaps during vacation period
JB: Where is the list?
AP: Keep the maintainer list in gerrit
AP: Ask other members to talk about non-confidential items. If there are external companies - maintainers should be able to invite them to attend.
Action: BF to add link to review.trustedfirmware.org to Nav bar
DB: If I go to developer.trustedfirmware.org and click on https://developer.trustedfirmware.org/project/ only see TF-A.
CD: Seems that project takes the first query https://developer.trustedfirmware.org/project/query/edit/. Can an administrator change the order of the queries?
Action: Move the usability discussion to the mailing list since there are people actively working on Phabricator.
Attendance:
DH: (In response to KT) anyone should be able to join as long as we know who they are from a member company. When it comes to voting that’s specific to reps.
AP: If someone additional invited announce it at the start of the meeting.
Date for the next meeting?
AP: 12th Sept.
 |
|