TSC minutes 2021-09-16 - TSC

21 Sep 2021


      Attendees:
Dan Handley (Arm, chair)
Joanna Farley (Arm)
Shebu Varghese Kuriakose (Arm)
Matteo Carlini (Arm)
Joakim Bech (Linaro)
David Brown (Linaro)
Don Harbin (Linaro)
Eric Finco (ST)
Lionel Debieve (ST)
KangKang Shen (Futurewei)
Michael Thomas (Renesas)
Julius Werner (Google)
Kevin Oerton (NXMLabs)
Andrey Butok (NXP)
Shebu presented Mbed TLS roadmap (attached)
KO: How will the Crypto Driver API be used.
SK: This is a back-end HAL interface for crypto-processors to plug in to. The front-end interface will always be the PSA Crypto API.
KO: Will this driver API help add support for certs that Mbed TLS doesn't support yet?
Shebu: No, the fron- end interface will always be via the Mbed TLS and PSA Crypto APIs. Adding new cert support would be a separate work item. Currently we're more focussed on new crypto algorithm support.
KO: For A-profile, is there a dependency on the Trusted Services (TS) project?
SVK: TS uses PSA Crypto, as does TF-A. There is some plumbing still to do with FF-A if you want to call PSA Crypto APIs from the normal world and route that through to TS or a Secure Element backend.
MT: When will there be a 3.x LTS branch?
SVK: Will consider the next LTS in 2022. The last 2.x branch will be an LTS. We don't have firm plans for a 3.x LTS branch yet.
MT: Even if you update Mbed TLS to use the PSA Crypto API, some partners will continue to use the legacy Mbed TLS crypto APIs (via Mbed TLS) since they will only use LTS branches. They will not move until there is an LTS that uses the PSA Crypto APIs.
DH: The strategy is to clean up the dependencies on the legacy crypto APIs through the 3.x series of releases. Eventually Mbed TLS will not have a dependency on the legacy APIs. Even then, backwards compatibility will be maintained in the legacy APIs. Support for the legacy APIs would not be removed until a (TBD) 4.0 release.
KO: Is there any overhead to using PSA Crypto API.
SVK: We haven't actually measured this.
DH: There will be a small overhead in the current implementation as these effectively wrap the legacy API implementations. There's no overhead due to the APIs themselves. Through the 3.x series of releases, the implementation will be inverted so that the legacy APIs will wrap the PSA Crypto API implementations. Then the overhead will be in the legacy implementation instead.
Matteo presented the TF-A roadmap: https://developer.trustedfirmware.org/w/tf_a/roadmap/
EF: What is firmware transparency? Is it a device side or server side technology?
MC: It's related to firmware attestation, which is about collecting firmware measurements and providing them to a relying party in the form of an attestation token.
DH: Actually, it’s a bit orthogonal to attestation. Attestation is about providing evidence to a (possibly remote) relying party in order enable functionality (e.g. provisioning of secrets).
DH: Firmware transparency is about making that evidence (in the form of certificates) available to anyone in a verifiable data store, so they can trust the firmware on a device is what it says it is
JB: So it's similar to TPM?
DH: Hmm, not exactly but the measurements may be stored in a TPM on the device.
DH: The project we’re interested in here is Google Trillian: https://opensource.google/projects/trillian
DH: This is really a server side technology but there may be some alignment activities to do on the device side
EF: What is the 32-bit support about in the roadmap?
SVK: This is related to Trusted Services (TS). It's about running legacy 32-bit TAs within TS, which is extra work
MC: Phabricator page for this: https://developer.trustedfirmware.org/w/tf_a/roadmap/
MC: Plan is to create a common landing page with Don for all roadmaps
AOB:
DH: Someone in Arm pointed out that the tagline on the tf.org website is not strictly accurate:
"OPEN SOURCE SECURE WORLD SOFTWARE"
DH: Some of the software does not necessarily reside in the secure world (e.g. Mbed TLS, Trusted Services, Future CCA support)
DH: Proposal is to just remove the word "World".
JK: Makes sense. I thought that too.
(No-one disagreed)
SVK: There's another reference on that page too.
DH: Yes, we may need to remove this in several places on the website.
ACTION: Dan to work with Don on changing "secure world" to "secure" on the website
JB: Board wanted more visibility into the security process, e.g. how fast are we to respond, what issues are in flight, etc...
DH: OK, as long as this isn't leaking security critical info to people who are not necessarily part of the security teams.
JB: Yes, of course. This is just about seeing how well the process is working, not the issues themselves
DH: My other concern is not putting too much extra process on the security teams.
JB: I have an action to propose something that is workable here.
DonH: Would like more of the tech people on the teams to propose topics at future conferences, e.g. the OSFC
DH: Arm folk have quite a few presentations at last week's LVC but perhaps not OSFC.
DonH: Yes, I was looking for more than just Arm people.
Regards
Dan.
-----Original Appointment-----
From: Don Harbin <don.harbin@linaro.orgmailto:don.harbin@linaro.org>
Sent: 14 April 2021 15:08
To: Don Harbin; Joakim Bech; Bill Fletcher (bill.fletcher@linaro.orgmailto:bill.fletcher@linaro.org); lionel.debieve@st.commailto:lionel.debieve@st.com; andrey.butok@nxp.commailto:andrey.butok@nxp.com; Nicusor Penisoara; Abhishek Pandit; Eric Finco (eric.finco@st.commailto:eric.finco@st.com); k.karasev@omprussia.rumailto:k.karasev@omprussia.ru; kevin@nxmlabs.commailto:kevin@nxmlabs.com; David Brown; David Cocca; kangkang.shen@futurewei.commailto:kangkang.shen@futurewei.com; Dan Handley; roman.baker@cypress.commailto:roman.baker@cypress.com; Kevin Townsend (kevin.townsend@linaro.orgmailto:kevin.townsend@linaro.org); reinauer@google.commailto:reinauer@google.com; Serban Constantinescu; a.rybakov@omprussia.rumailto:a.rybakov@omprussia.ru; Julius Werner; roman.baker@infineon.commailto:roman.baker@infineon.com
Subject: Trusted Firmware TSC
When: 16 September 2021 09:00-09:55 America/Los_Angeles.
Where: https://linaro-org.zoom.us/j/96393644990?pwd=VXlGeFF1Z2U3UTlwbmNhRTZYeE5lZz0...
This event has been changed with this note:
"Adjusting due to time zone changes"
Trusted Firmware TSC
When
Changed: Monthly from 9am to 9:55am on the third Thursday 9 times Mountain Standard Time - Phoenix
Where
https://linaro-org.zoom.us/j/96393644990?pwd=VXlGeFF1Z2U3UTlwbmNhRTZYeE5lZz0... (maphttps://www.google.com/url?q=https%3A%2F%2Flinaro-org.zoom.us%2Fj%2F96393644990%3Fpwd%3DVXlGeFF1Z2U3UTlwbmNhRTZYeE5lZz09&sa=D&ust=1618841274240000&usg=AOvVaw2uSsanE9VtPOL9JjunQyY9)
Calendar
dan.handley@arm.commailto:dan.handley@arm.com
Who
•
Don Harbin - organizer
•
Joakim Bech
•
Bill Fletcher
•
lionel.debieve@st.commailto:lionel.debieve@st.com
•
andrey.butok@nxp.commailto:andrey.butok@nxp.com
•
nicusor.penisoara@nxp.commailto:nicusor.penisoara@nxp.com
•
abhishek.pandit@arm.commailto:abhishek.pandit@arm.com
•
eric.finco@st.commailto:eric.finco@st.com
•
k.karasev@omprussia.rumailto:k.karasev@omprussia.ru
•
kevin@nxmlabs.commailto:kevin@nxmlabs.com
•
David Brown
•
david.cocca@renesas.commailto:david.cocca@renesas.com
•
kangkang.shen@futurewei.commailto:kangkang.shen@futurewei.com
•
dan.handley@arm.commailto:dan.handley@arm.com
•
roman.baker@cypress.commailto:roman.baker@cypress.com
•
kevin.townsend@linaro.orgmailto:kevin.townsend@linaro.org
•
reinauer@google.commailto:reinauer@google.com
•
Serban Constantinescu
•
a.rybakov@omprussia.rumailto:a.rybakov@omprussia.ru
•
Julius Werner
•
roman.baker@infineon.commailto:roman.baker@infineon.com
more details »https://calendar.google.com/calendar/event?action=VIEW&eid=c2NxdnQzczZubWptcWFvYzhxNDRsbmsxNzkgZGFuLmhhbmRsZXlAYXJtLmNvbQ&tok=MjEjZG9uLmhhcmJpbkBsaW5hcm8ub3JnNjc5NDQ5YWEwZjIwMzU1OTYxZmQ4MjY2NzNkMjc1YzkwYWFjOTFmOQ&ctz=America%2FPhoenix&hl=en&es=0
Trusted Firmware is inviting you to a scheduled Zoom meeting.
Topic: TrustedFirmware TSC
Time: Dec 17, 2020 05:00 PM London
        Every month on the Third Thu, 12 occurrence(s)
        Dec 17, 2020 05:00 PM
        Jan 21, 2021 05:00 PM
        Feb 18, 2021 05:00 PM
        Mar 18, 2021 05:00 PM
        Apr 15, 2021 05:00 PM
        May 20, 2021 05:00 PM
        Jun 17, 2021 05:00 PM
        Jul 15, 2021 05:00 PM
        Aug 19, 2021 05:00 PM
        Sep 16, 2021 05:00 PM
        Oct 21, 2021 05:00 PM
        Nov 18, 2021 05:00 PM
Please download and import the following iCalendar (.ics) files to your calendar system.
Monthly: https://linaro-org.zoom.us/meeting/tJIufuquqj8jE9QUXZNeFMnKKzozNj9SWM72/ics?...https://www.google.com/url?q=https%3A%2F%2Flinaro-org.zoom.us%2Fmeeting%2FtJIufuquqj8jE9QUXZNeFMnKKzozNj9SWM72%2Fics%3FicsToken%3D98tyKuCurTIpHNCRuRCHRowAA4r4b-7wiClEj_psqSffLSV1Tw3dHfhNKJx1Sevn&sa=D&ust=1618841274226000&usg=AOvVaw0mKnF7gazBGX_VSIDQWs2q
Join Zoom Meeting
https://linaro-org.zoom.us/j/96393644990?pwd=VXlGeFF1Z2U3UTlwbmNhRTZYeE5lZz0...https://www.google.com/url?q=https%3A%2F%2Flinaro-org.zoom.us%2Fj%2F96393644990%3Fpwd%3DVXlGeFF1Z2U3UTlwbmNhRTZYeE5lZz09&sa=D&ust=1618841274228000&usg=AOvVaw0XgLGu_50EAEwKDLwQ4POA
Meeting ID: 963 9364 4990
Passcode: roadRunner
One tap mobile
+13462487799,,96393644990# US (Houston)
+16699009128,,96393644990# US (San Jose)
Dial by your location
        +1 346 248 7799 US (Houston)
        +1 669 900 9128 US (San Jose)
        +1 253 215 8782 US (Tacoma)
        +1 312 626 6799 US (Chicago)
        +1 646 558 8656 US (New York)
        +1 301 715 8592 US (Washington D.C)
        877 853 5247 US Toll-free
        888 788 0099 US Toll-free
Meeting ID: 963 9364 4990
Find your local number: https://linaro-org.zoom.us/u/aegtEd7Rojhttps://www.google.com/url?q=https%3A%2F%2Flinaro-org.zoom.us%2Fu%2FaegtEd7Roj&sa=D&ust=1618841274230000&usg=AOvVaw22POUkt6a_sIhQXmUBzZto
Going (dan.handley@arm.commailto:dan.handley@arm.com)?   All events in this series:   Yeshttps://calendar.google.com/calendar/event?action=RESPOND&eid=c2NxdnQzczZubWptcWFvYzhxNDRsbmsxNzkgZGFuLmhhbmRsZXlAYXJtLmNvbQ&rst=1&tok=MjEjZG9uLmhhcmJpbkBsaW5hcm8ub3JnNjc5NDQ5YWEwZjIwMzU1OTYxZmQ4MjY2NzNkMjc1YzkwYWFjOTFmOQ&ctz=America%2FPhoenix&hl=en&es=0 - Maybehttps://calendar.google.com/calendar/event?action=RESPOND&eid=c2NxdnQzczZubWptcWFvYzhxNDRsbmsxNzkgZGFuLmhhbmRsZXlAYXJtLmNvbQ&rst=3&tok=MjEjZG9uLmhhcmJpbkBsaW5hcm8ub3JnNjc5NDQ5YWEwZjIwMzU1OTYxZmQ4MjY2NzNkMjc1YzkwYWFjOTFmOQ&ctz=America%2FPhoenix&hl=en&es=0 - Nohttps://calendar.google.com/calendar/event?action=RESPOND&eid=c2NxdnQzczZubWptcWFvYzhxNDRsbmsxNzkgZGFuLmhhbmRsZXlAYXJtLmNvbQ&rst=2&tok=MjEjZG9uLmhhcmJpbkBsaW5hcm8ub3JnNjc5NDQ5YWEwZjIwMzU1OTYxZmQ4MjY2NzNkMjc1YzkwYWFjOTFmOQ&ctz=America%2FPhoenix&hl=en&es=0    more options »https://calendar.google.com/calendar/event?action=VIEW&eid=c2NxdnQzczZubWptcWFvYzhxNDRsbmsxNzkgZGFuLmhhbmRsZXlAYXJtLmNvbQ&tok=MjEjZG9uLmhhcmJpbkBsaW5hcm8ub3JnNjc5NDQ5YWEwZjIwMzU1OTYxZmQ4MjY2NzNkMjc1YzkwYWFjOTFmOQ&ctz=America%2FPhoenix&hl=en&es=0
Invitation from Google Calendarhttps://calendar.google.com/calendar/
You are receiving this courtesy email at the account dan.handley@arm.commailto:dan.handley@arm.com because you are an attendee of this event.
To stop receiving future updates for this event, decline this event. Alternatively you can sign up for a Google account at https://calendar.google.com/calendar/ and control your notification settings for your entire calendar.
Forwarding this invitation could allow any recipient to send a response to the organizer and be added to the guest list, or invite others regardless of their own invitation status, or to modify your RSVP. Learn Morehttps://support.google.com/calendar/answer/37135#forwarding.