Hi everyone,
I am sending this email to all tf.org project mailing lists to ensure all maintainers are aware and on board regarding this matter. If you have any concerns or questions, please reply on tf.org Discord #general channel, where I'll create a thread, as I think it will be much easier than dealing with cross-mailing lists emails.
Background
When a security vulnerability is discovered in one of the trustedfirmware.org projects, it is common to request a "Common Vulnerabilities and Exposures" (CVE) number. This number uniquely references the issue, which can then be searched in the vulnerability databases. One of these databases is NIST's "National Vulnerability Database" (NVD): https://nvd.nist.gov
Entering a specific CVE number in the NVD search engine will allow you to easily find the details of a specific issue, for example:
https://nvd.nist.gov/vuln/detail/CVE-2023-51712
However, sometimes one is not looking for a specific CVE number but rather wants to list all known vulnerabilities affecting a particular project. For this, one can use the Common Platform Enumerations (CPE) search engine:
https://nvd.nist.gov/products/cpe/search
CPE is a structured naming scheme that includes information like the vendor name, the project name, the version / tag, and so on.
See https://nvd.nist.gov/products/cpe for more details.
So for example, https://nvd.nist.gov/vuln/detail/CVE-2023-51712 referenced above has the following CPE:
cpe:2.3:o:arm:trusted_firmware-m:*:*:*:*:*:*:*:*
This basically means
* CPE version 2.3 is in use
* 'o' is the type of project, in this case it stands for Operating Systems (which is probably the closest match for low-level code like TF-M)
* 'arm' is the vendor (that is wrong, see below)
* 'trusted_firmware-m' is the project name,
Problem statement
It appears that CPEs used in NVD to reference vulnerabilities in tf.org projects differ a lot across projects. For some projects, there are even multiple of them. Sometimes the vendor is "arm", sometimes it's "linaro", or something else.
Some of the TF-A and MbedTLS maintainers have initiated discussions with NVD to get this simplified and unified, but it would make sense to align other tf.org projects as well.
Proposal
CPE naming rules are that the vendor name should be the parent organization of the project. Thus the proposal would be for all tf.org projects to use "trustedfirmware" as the vendor name in their CPE.
For example:
cpe:2.3:o:trustedfirmware:trusted_firmware-m:*:*:*:*:*:*:*:*
cpe:2.3:a:trustedfirmware:mbed_tls:*:*:*:*:*:*:*:*
We're only proposing to change the vendor name here; each project is then free to choose how they want the project name or the type of software project they want to encode there.
Thanks for reading,
Best regards,
Sandrine Afsa
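Added example, not part of the original message and not tf.org or NVD code: a small parser for the CPE 2.3 string layout described above, plus a check that flags entries whose vendor is not the proposed "trustedfirmware" and shows the renamed form. The third sample CPE is constructed for illustration; the function names are hypothetical.

```python
# Attribute order of a CPE 2.3 formatted string, after the "cpe:2.3" prefix.
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")
PARTS = {"a": "application", "o": "operating system", "h": "hardware"}
PROPOSED_VENDOR = "trustedfirmware"  # vendor name proposed in the message


def split_unescaped(s):
    """Split on ':' but keep backslash-escaped characters (e.g. '\\:') intact."""
    out, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])
            i += 2
        elif s[i] == ":":
            out.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(s[i])
            i += 1
    out.append("".join(cur))
    return out


def parse_cpe(cpe):
    """Return the 11 attributes of a CPE 2.3 formatted string as a dict."""
    tokens = split_unescaped(cpe)
    if tokens[:2] != ["cpe", "2.3"] or len(tokens) != 2 + len(FIELDS):
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    fields = dict(zip(FIELDS, tokens[2:]))
    if fields["part"] not in PARTS:
        raise ValueError(f"unknown part {fields['part']!r}")
    return fields


def audit(cpes, vendor=PROPOSED_VENDOR):
    """Map each CPE whose vendor differs to the same CPE with the vendor renamed."""
    fixes = {}
    for cpe in cpes:
        f = parse_cpe(cpe)
        if f["vendor"] != vendor:
            f["vendor"] = vendor
            fixes[cpe] = "cpe:2.3:" + ":".join(f[k] for k in FIELDS)
    return fixes


SAMPLE = [
    "cpe:2.3:o:arm:trusted_firmware-m:*:*:*:*:*:*:*:*",      # from the message
    "cpe:2.3:a:trustedfirmware:mbed_tls:*:*:*:*:*:*:*:*",    # proposed form
    "cpe:2.3:o:linaro:example_project:1.0:*:*:*:*:*:*:*",    # constructed sample
]
```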
Forwarding to TF-RMM list.
From: Google Calendar <calendar-notification(a)google.com> on behalf of Olivier Deprez via TF-A <tf-a(a)lists.trustedfirmware.org>
Date: Monday, 8 June 2026 at 14:15
To: tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org>; Olivier Deprez <Olivier.Deprez(a)arm.com>
Subject: [TF-A] TF-A Tech Forum - Fuzzing TF-RMM Jun 11th 2026 4.00pm UK
Hi,
On Jun 11th 2026 4.00pm UK, Rustam Ismayilov will present the topic of TF-RMM fuzzing with the following agenda:
Fuzzed Interfaces
fake_host
AFL++
seed generation
stateful fuzzing
Results and performance
Limitations and planned improvements
Regards,
Olivier.
TF-A Tech Forum
Thursday Jun 11, 2026 ⋅ 5pm – 6pm (Central European Time - Paris)
Trusted Firmware is inviting you to a scheduled Zoom meeting.
Topic: TF-A Tech Forum
Time: May 15, 2025 02:00 PM London
Every 2 weeks on Thu, 78 occurrence(s)
Please download and import the following iCalendar (.ics) files to your calendar system.
Weekly: https://linaro-org.zoom.us/meeting/tJcocu6gqDgjEtOkyBhSQauR1sUyFwIcNKLa/ics…
Join Zoom Meeting
https://linaro-org.zoom.us/j/93557863987?pwd=56a1l8cBnetDTZ6eazHGaE1Ctk4W34…
Meeting ID: 935 5786 3987
Passcode: 939141
Hi all,
We will be upgrading Cloudbees CI and clusters hosting review.trustedfirmware.org and ci.trustedfirmware.org on Wednesday, 3rd June 2025 at 16:00 GMT+1.
During this maintenance window, both services will be unavailable for approximately 8 hours.
A follow-up email will be sent once the services are fully restored.
Best regards,
Saheer
Saheer Babu
Principal Software Engineer
CESW – Engineering Infrastructure