Attendees David Brown - Linaro Bill Fletcher - Linaro Joakim Bech - Linaro Bill Mills - TI Matteo Carlini - Arm Eric Finco - ST Mark Groesen - TI Shebu Kirakose - Arm Abhishek Pandit - Arm Julius Werner - Google Christian Daudt - Cypress Andrew Davis - TI Dean Arnold - Arm

Actions noted Binary repository implementation proposal (name, path, mechanism) - Dan Propose slot for TSC call co-timed with Connect - Abhishek Proposal on incident handling list - Dan Reconcile mailing lists with attendees - Bill Attestation script home - Abhishek to talk with David Dean to send test cases running on MPS2 to Christian

Agenda 1. CI system discussion. 2. Security Incident Process. 3. Binary Contribution Policy. Draft has already been circulated. 4. Attestation Token Validation script Arm team has created a validation script for checking the initial attestation token (CBOR/COSE). We would like to open source this script as it helps TF-M users. Would it make sense to have this in tf.org? 5. TF-M Documentation Proposal We have been working on a better documentation proposal for TF-M. I can briefly introduce this to TSC then it can be followed by mailing list discussion. 6. Next meeting – BKK19 F2F? 7. Mailing list subscription status. 8. If time permits we can discus major work items for the next quarter. 9. AOB

Minutes

Binary Contribution Policy JW: Circulated via Board. Already have some instances. Will have separate repository for TF Binaries. Policy describes rules that need to be followed to upload to the repository. We review case-by-case. Policy describes the process where they discuss with the TSC. How to technically implement this - propose it should be a git submodule. Board has already approved the policy. AP: Expect to send some questions by email. Any other questions? JW: Can we start implementing - creating the repository? DH: All we need is a location and a name for the repo. Do we have a generic (non TF-A, TF-M) namespace? Unified repo. JW: Need someone from Arm to create the submodule repo. Action: Dan to suggest path/name

Incident Handling DH: TF-A has an incident handling process. So does OP-TEE (different). TF-M doesn’t have one. Need to have (need from hyperscalers) a very restricted list for who can contribute to the fix before publicizing it. Similar to kernel. MC: In the kernel - restricted to non-disclosed list of security experts. Second list of people for controlled disclosure that are under a linux distro mailing alias. CD: Not quite clear on the distinction. Board discussion was a single entry point. Think the grand goal was to make it simpler reporting. Don’t create artificial separation. Should be obvious to submitter. If could have 2-3 triagers forwarding to TF-A and TF-M. Who are those 2-3 people? DH: Arm looking for them to be Arm people. MC: Distinction is based on individual merit rather than specific companies. Core developers for A & M are currently Arm. Disclosure comes afterwards. CD: 3rd level - an inform list? DH: Yes. Currently would be people with an NDA with Arm. CD: If there’s an embargo don’t want it going to even a semi-open list. Action: Dan to come up with a proposal MC: cf Linux kernel policy. Aim is to push the fix as soon as possible but acknowledge the needs of hyperscalers JB: For OPTEE initial proposal was seen as too tight. Google has 90 days. Difference is if the problem is out in the wild and then fix as quickly as possible. DH: Feedback from hyperscaler vendors that they only need 2 weeks. Even Linux distros only ask for another 2 weeks on top. For TF-A, 4 weeks after initial disclosure it goes public. In kernel process don’t get involved in CVE and severity scoring. Leave that to reports. Anyone have any initial thoughts JB: Not saying TF should use same policy as OPTEE but if there are no other ideas. DH: Reason OPTEE doesn’t use CVSS? JB: Not really. Needed to tweak it with OPTEE wording. JW: Propose to follow Linux policy of releasing the patch as soon as possible. Some project, patching is public

Mailing list subscription service AP: Please can everyone check their subscription status. BF: If any issues with lists.trustedfirmware.org then mail BillF Action: Bill to reconcile the mailing lists vs attendees CD: Should maybe consider TSC to be TSC “announce”. BF: TSC was aimed to be as open/transparent as possible

Attestation token: AP: Team in Arm has been working on a script. Team have asked if it can be upstreamed somewhere. TF-M generates this token. Does it make sense to create a repo to host this script. Would be someone assigned as maintainer from Arm side. CD: Already a tools directory in TF-M with some Python scripts. Why not there? AP: Might apply to other projects SK: It’s an ITF standard. Just happens that TF-M uses that format DB: Suggest to put it in the repo CD: What open source project do you want it to live under, or does it need it’s own project? Don’t see why it would be in TF. Can import it into TF for use. DB: Cbor implementations tend to be for specific uses. Not sure it’s the trend we want to follow. CD: But if not, someone needs to make sure it’s generic enough. Level of ownership needed. Otherwise throw it in TF-M. DB: Question - who is going to work on generalising it. Will only be when someone has the resources AP: Propose to take input from David [action]

CI DA: Have a set up of Jenkins/Build Slaves and LAVA. Will meet with Linaro next week to see how to move that onto their infrastructure. CD: Test cycle is via a LAVA instance testing DA: Yes via MPS2 CD: Is just boot? DA: Have a couple of test cases. Can find out. [action] CD: Is the plan to move this to the LAVA lab? BF: There are a few options, as well as physical location in the lab we have a federated/distributed lab instance concept. Builds and results are central but board farm has instances at vendor sites. Helps avoid lab bottlenecks and shipping boards. CD: Like kernel CI? BF: Yes. Will look at putting together a deck with some more information MG: Does the CI use simulation? i.e. qemu or fast model? DA: TF-A use fast models. Qemu - not done anything at the moment. BF: Does TF-A Test support qemu? DH: Can check MG: Recently has been some more support pushed. CD: LAVA supports qemu. EF: Distributed instance supports TF-A and TF-M? BF: For LAVA infrastructure - yes

AP: Next meeting. Board is meeting at Linaro Connect. Any interest in a TSC meeting? (confirmed several TSC members will be there) EF: Yes. Welcome opportunity to discuss work items for the next quarter

AP: Documentation - brief overview. Slides to be circulated by email. JB: Done same activity for OPTEE and done same activity. Nice think with Sphinx - interlinking within the documentation is very easy. Like this idea. CD: If RFC discussed in gerrit code review then that could get lost. AP: Should still say in draft folder in the doc. CD: Basically the history of thingks that were discussed by not accepted. AP: review happens on the mailing list CD: So there is history in git if something is turned down AP: And mailing list has the discussion. DB: Reference: https://github.com/rust-lang/rfcs