Present: Antonio De Angelis (Arm) Bharath Subramanian (Arm) Dan Handley (Arm) Dominik Ermel (Nordic) Pierre-Julien Bringer (ProvenRun) Michael Thomas (Renesas) Andrew Davis (TI) Julius Werner (Google) Moritz Fisher (Google) Ruchika Gupta (NXP) Eric Finco (ST) David Brown (Linaro)

Agenda: * Firmware-A roadmap (Bharath) * Discussion on use of AI tools for code generation at tf.org

Action from last time: Antonio:: We shared the TF-PSACrypto-Driver repo Antonio: Gerrit permissions should be set up Antonio: Let me know if any issues

Firmware-A roadmap (Bharath): Bharath presented attached slides Dan: Clarification: Arcadia CPU is Cortex-A320. Eric: When is MbedTLS 4.0? Antonio: Planned in September. TF-A release after that will pick it up.

Dan: The FW-handoff spec is close to reaching its 1.0 release (just closing out final PRs). Dan: The corresponding libTL reference library has all the approvals it needs and will be pushed to TF.org Gerrit very soon.

Discussion on use of AI tools for code generation at tf.org: (Dan presented the slides on the use of AI generated code at Trusted Firmware.org, attached to last month's minutes) Dan: Already discussed at board but seeing if there's any further input at TSC. Dan: The plan is to for board/TSC reps to find out their company position on using these tools for code generation. Dan: This is separate to the use of AI tools for other purposes, e.g. code review, debugging, ... Dan: A non-binding poll will be sent out to find out whether members think TF.org should be broadly in favour of using these tools, broadly against using these tool, or think we can remain neutral (no official policy). Dan: Once we know the general direction we can refine this into a specific policy, perhaps leveraging other organization's policies. Dan: At the same time we should privately gather the opinion of the projects' core maintainers to ensure alignment. (rest of conversation redacted)

AOB: Julius: Regarding the security vulnerability process Julius: I noticed some notifications to ESS for CVEs I don't know anything about. Julius I would like to receive the underlying vulnerability info as Arm PSIRT distribute to a different group in Google. Dan: This is specifically for workarounds to vulnerabilities in hardware IP. Dan: There's some conflict due to overloading this process for both SW and HW vulnerabilities. Dan: The distribution for the latter (Arm IP licensees) does not necessarily match the TF-A ESS/TS list. Dan: I'm OK with your proposal as long as it's a one-way channel and all questions go to Arm PSIRT. Dan: I don't want TF.org security people supporting issues with Arm HW IP. Dan: We'll try to improve this process in future.