Hi TSC,
As discussed in the last TSC meeting, we would like to add Cypress devs as platform maintainers for PSoC6 code in TF-M. Given that (afaik) we are the first non-ARM maintainer, I'd like to formalize the proposal.
---
Proposal to enhance maintainership of trusted-firmware-m repository to allow additional approvers
Step 1: Add a MAINTAINERS file to the root of the tf-m repository. This file will follow the same format as the linux kernel MAINTAINERS file, but will only support a subset of options. Exact subset TBD but likely 'M', 'L', 'S', 'F' options will be supported. This MAINTAINERS file will initially be populated with the current designated +2 devs as having maintainer status over the complete tree. It is assume that current devs are already being notified of gerrit reviews so they don't need that step.
Step 2: All tsc representatives will be granted +2/merge permissions into trusted-firmware-m. Allowable uses of this +2 are as follows:
a) For gerrit reviews that exclusively involve changes to files+directories where the tsc rep's company is listed as maintainer in the MAINTAINERS file
b) For gerrit reviews that involve changes to files+directories where the tsc rep's company is listed as maintainer in the MAINTAINERS file + other changes: only once other maintainers have +1 their portions (i.e. once all maintainers have +1, any of the companies involved in the patch can +2/merge it).
Abuse of this privilege will be escalated to board for resolution.
Step 3: on any patch that requires a change to maintainers (i.e. a new platform being added):
a) the patch will include an update to the MAINTAINERS file indicating it.
b) the maintainers will add themselves to get notifications from gerrit for appropriate subtrees.
Responsibility of maintainers:
- Ensure MAINTAINERS file and your gerrit notifications are kept up-to-date
- Provide review in a timely fashion for any reviews that involve your subtree (preferably within a week)
- Notify your tsc rep once a review has sufficient approvals to be +2ed.
Let me know of any comments, concerns, issues. If there is agreement on the above, I'll outline the steps with more detail + examples (in phabricator possibly or as a documentation patch to the code itself).
Thanks,
Christian.
This message and any attachments may contain confidential information from Cypress or its subsidiaries. If it has been received in error, please advise the sender and immediately delete this message.
Attendees
Abhishek Pandit (Arm)
Christian Daudt (Cypress)
Dan Handley (Arm)
David Brown (Linaro)
Kevin Townsend (Linaro)
Joakim Bech (Linaro)
Mark Grosen (TI)
Julius Werner (Google)
Bill Fletcher (Linaro Community Projects)
Notes
Provisioning. This is now running as a separate meeting, hopefully you have
received the invite for that. We can have a quick summary of the status.
DB: SDO spec is a good option for device provisioning. Having a solution
where we can store private keys and signatures - may not work with smallest
devices as signatures are big. There is work on a more compact
representation.
AP: SDO has relationship to multiple domain signing. We could add more
specifics on this from Arm.
DB: Having a separate meeting is reasonable.
AP: Maybe you could send an email to people setting expectations. Could
just open the meeting to everyone.
DB: Don’t see a problem to be open.
CD: Is the aim to come up with a provisioning flow agnostic to TF-M and TF-A
DB: Don’t think so - aim is to see the implications for TF-M. At the moment
need to build a separate binary for each device. Some approach for
provisioning. Then for public key need to load into each device or have it
signed so know which device to trust. Need to know what more is needed from
TF-M. e.g. key needs to be updatable for ‘device onboarding’ step.
CD: Trying to see where requirements coming from and what activity is
trying satisfy and what activity is creating requirements.
DB: Don’t see is influencing SDO. How much insight do you get on
provisioning from people who buy devices?
CD: A lot. Have our own private flows. Understanding what we’re trying to
standardise would be useful - whether it fits with our models.
(discussion handed off to specific meeting)
TF-M coding standard. Following up from the mailing list thread about weak
symbols.
AP: Had an email discussion - Chris saying there’s an on-the-fly coding
standard discussion on his patch. Dan was on the discussion - using weak
symbols. Caused retrospective pain if going for MISRA compliance. Maybe
it’s time we look at industry standards we want to meet.
DB: Is the concern with MISRA - extensions?
DH: Yes. Some weak symbols fail when run through checkers.
Mandatory/required etc rules.
MG: We’ve been going through MISRA. Customers - if you justify deviations
and waivers they don’t have an issue if consistent. Document why. How do we
want to set our coding standards - CERT, JPL …? Don’t do on an ad hoc
basis.
AP: How do we enforce it. Depoy in CI.
MG: First step to document expectations. Tools will do better but do it
right first time.
DB: Have existing body of code - tools would be informative.
MG: Start and say mandatory and required. Not look at 10,000s of
‘advisories’. Use Clockwork internally.
AP: Who would do the initial proposal. Volunteer engineer?
MG: Do we have any overall standards-based goals we want to be aiming for.
Formal requirements, traceability?
AP: Safety and security. How to take it forward?
CD: Ad hoc at this point. Don’t have a grand plan. If someone wants to
propose a specific standard with a reason. Can have a vote on it. Don’t
want to spend weeks and months. Let’s go case by case.
MG: Would always start from existing place - Zephyr going through it for
safety. There is a first draft.
AP: Post something on TSC mailing list?
MG: Propose look at what Zephyr’s doing
https://docs.zephyrproject.org/latest/contribute/index.html#coding-style
MG: There’s a new spec that isn’t public. Can take the action to look at
how to get that.
CD: Been caught for weeks now with reviews. Nobody +2 code reviews.
DH: Made rule you’re only allowed 1 definition of a week symbol.
Enabling IDE support for TF-M. This topic was raised in the workshop in
Lyon. I would like to summarize and discuss possible options, next steps
etc.
AP: Raised in Lyon. Tool needs to be accessible to everyone. Arm’s CMSIS
team attended.
DB: CMSIS packs proposed as definition. Other people proposed CMake file
that generated CMSIS packs.
AP: Need someone to take this discussion forward. Let someone take it
forward
DB: Is CMSIS pack format public.
AP: Yes public
MG: Prefer open tools so CMake, Devicetree. If you want to generate CMSIS
Zone can do that. Generating manifests etc - not sure how that’s going to
work with IDEs. Want to keep it general. Not a fan of specific tools.
CD: Second that.
DB: So summarize - support CMSIS Pack and Zone by generating from e.g.
Devicetree or CMake as a source of truth.
AP: Someone would need to maintain the generation.
DB: Suggest CMake files are checked in.
AP: Should we allow a separate git to be created for CMSIS Pack and CMSIS
zone?
MG: Developers are all Linux people, even if the users are mainly Windows
players. Like the idea of a separate utilities repo.
Adding +2 reviewers for subtrees in TF-M.
CD: The requirement is be clear how we’re going to add new approvers. How
to add a couple of approvers.
AP: Take the contribution of the platform - how to ensure platforms all
move along. How to manage non compatible changes. Platform owners -
companies nominate.
CD: Two separate topics. TF-A has a process. Send a patch where you add
yourself to the file for the maintainer list. If that patch is accepted,
then you’re a maintainer for the subsystem. What do we want the process to
be?
CD: Then can tell people to look at the maintainer list. Can send an email
stating the process. How does the +2 rights get added?
AP: With core maintainers who are currently Arm only.
CD: Fine for me to put the onus on the Arm maintainers as long as there
isn’t a time lag.
AP: Option can have TSC approve it.
Reminder for TF-M Tech forum open call (5th December)
--
[image: Linaro] <http://www.linaro.org/>
*Bill Fletcher* | *Field Engineering*
T: +44 7833 498336 <+44+7833+498336>
bill.fletcher(a)linaro.org | Skype: billfletcher2020
All,
We had a specific topic in TF-M workshop on build system and tooling. The attached slides were presented to guide the discussion. This was an open discussion lasting about an hour and many attendees provided inputs and feedback on the topics.
I plan to follow up in the TSC meetings and have added IDE topic to this week's meeting agenda. Just circulating the slides to help the discussion.
Thanks
Abhishek
Hi All,
Any agenda items for this week?
I have following on my list
* Provisioning. This is now running as a separate meeting, hopefully you have received invite for that. We can have a quick summary of the status.
* TF-M coding standard. Following up from the mailing list thread about weak symbols.
* Enabling IDE support for TF-M. This topic was raised in the workshop in Lyon. I would like to summarize and discuss possible options, next steps etc.
Thanks,
Abhishek
Attendees
Abhishek Pandit (Arm)
Christian Daudt (Cypress)
Dan Handley (Arm)
David Brown (Linaro)
Kevin Townsend (Linaro)
Joakim Bech (Linaro)
Eric Finco (ST)
Mark Grosen (TI)
Bill Mills (TI)
Bill Fletcher (Linaro Community Projects)
Agenda
CNA training
Provisioning
ELC TF-M workshop in Lyon
Git process flow
OP-TEE git update
Notes
DB: CNA training? CVE Numbering Authorities. Able to assign CVEs in blocks
of 10 without going through a minder. No charge. Same amount of time as we
should be spending on CVEs anyway.
JB/DH: Think it’s a good idea.
DH: Would like to establish who is on the security mailing lists.
JB: Have had bad experience working through Mitre.
CD: To clarify this the scope is TF-A, TF-M, OP-TEE
DB: Yes.
CD: Not much purpose to get CVEs if we don’t have anyone to do anything on
them.
DB: CF Zephyr …
DH: Will send email to allow people to formally sign off on this
DB: I would like to have a discussion about provisioning. Right now, it
seems that the only way we specify a device identifying itself is by giving
its public key, which would require that every device to be provisioned be
entered into some kind of database before it could be known. Instead I'd
like to propose that we have a way of storing and retrieving an X.509
certificate, which would have that public key in it, along with a signature
chain that could be used to indicate that this device is trusted. This is
commonly done in deployed devices, and we might as well add this
functionality now.
AP: Had proposed a provisioning-specific slot, but no one registered
interest. Will still schedule this.
DB: Have defined attestation token signed with a private key internal to
device. There is also a public key. If only this, it has to be known by the
entity on the other side to know a valid device. Preferred approach is a
certificate - that public key signed by an authority.
https://github.com/microbuilder/zephyr/blob/tfm-psa-level-1/samples/tfm_int…
Need to “get a certificate” … is this a trusted device?
DB: Different to e.g. MQTT using a TLS certificate. Need to be flexible
allowing a public key registration.
KT: How to know if a device should be joining the network with just public
key.
DB: Unless a channel from the factory with a list of trusted devices.
DB: May also need a mechanism to update these keys
BM: Overlap with Intel?
JB: Yes. Pelion was the collaboration between Intel and Arm
BM: Think the base concept was simpler.
JB: Talk to Reed Hinkel about the LEDGE presentation session on this.
EF: Got it through the mailing list of LEDGE.
AP: Would like to do this as a provisioning subgroup and then ask the TSC
if they want to proceed. Happy for David or Kevin to lead the discussion.
CD: Shall we see if can have a similar discussion to the one we had at
Connect
JB: Can ask Francois or Reed to see if they can help us.
AP: If you know someone who is interested, we should extend to wider than
TSC. Will schedule the meeting.
MG:
https://www.intel.com/content/dam/www/public/us/en/documents/idz/iot/briefs…
AP: TF-M workshop in Lyon after ELC. Will discuss the outcomes at next TSC.
MG: Git flow. How to know when it’s a good time to integrate with the TF-M
workflow. Aren’t many tags etc. Have tried with some issues. Are there
engineering builds, alpha builds?
AP: Can take guidance as TF-A which is more mature. Need to decide if 6
monthly test cycle as TF-A. Need solid branches to base work on. Dual core
work ongoing on a branch. Posted requests for review but there were no
reviews. Has been no drive to fix the methodology yet.
AP: CI running but it’s problematic with MPS2 at the moment.
CD: But no formal cycles yet
AP: Arm stretched to support the feature requests at the moment. Will talk
to Shebu to structure the roadmap in order to have something stable.
JB: Forked OP-TEE gits are now at git.trustedfirmware.org
--
[image: Linaro] <http://www.linaro.org/>
*Bill Fletcher* | *Field Engineering*
T: +44 7833 498336 <+44+7833+498336>
bill.fletcher(a)linaro.org | Skype: billfletcher2020
I would like to have a discussion about provisioning. Right now, it seems
that the only way we specify a device identifying itself is by giving its
public key, which would require that every device to be provisioned be
entered into some kind of database before it could be known.
Instead I'd like to propose that we have a way of storing and retrieving an
X.509 certificate, which would have that public key in it, along with a
signature chain that could be used to indicate that this device is trusted.
This is commonly done in deployed devices, and we might as well add this
functionality now.
David
On Tue, Oct 8, 2019 at 5:00 PM Abhishek Pandit via TSC <
tsc(a)lists.trustedfirmware.org> wrote:
> Hi All,
>
>
>
> Any agenda items for the meeting this week?
>
>
>
> Thanks,
>
> Abhishek
> --
> TSC mailing list
> TSC(a)lists.trustedfirmware.org
> https://lists.trustedfirmware.org/mailman/listinfo/tsc
>
Attendees
Abhishek Pandit (Arm)
Chris (Cypress)
Ray Ngun (Cypress)
Christian Daudt (Cypress)
Dan Handley (Arm)
David Brown (Linaro)
Joakim Bech (Linaro)
Julius Werner (Google)
Lionel Debieve (ST)
Rajeev Gulati (Data I/O)
Bill Fletcher (Linaro Community Projects)
Notes
Ray: Cypress TF M enablement on PSoC6 dual core (slides circulated
separately)
Chris: PSoC as SMPUs based on v6/v7 ones. Has alignment/size constraints.
Difficult to arrange 1M flash to manage protection regions. Much easier
with the v8.
Build system work complicated.
AP: Getting feedback on build system elsewhere. Not sure if it is CMake.
What’s your view?
Chris: CMake isn’t particularly intuitive. Building secure side veneers -
had to figure out to separate those out.
AP: V8m crashes are hard to debug. Maybe worth having a focus group on
build system.
CD: Implicit assumptin that secure and non-secure are the same ilk and not
the case for PSoC6. Does not have the same facilities/options.
AP: Assumed secured binary comes from one entity and non-secure from
another. That’s how it evolved. Secure people give config and API. Agreed
it’s very v8m centric.
CD: Patches should fix that
AP: Will follow up on why the patches are still pending.
Rajeev: Data I/O Security provisioning (slides circulated separately)
AP: Need to have a follow up task on this. This is just a prelude to what
the TF teams need to do in this area.
Rajeev: We can talk about the provisioning usecases next time.
Joakim: OP-TEE
Pending actions for creating branches for TF gerrit. Not done but have a
clear idea after talking to Dan
Linking TF.org to OP-TEE.org done one way. Plan to fix the other way with a
sit down with Web Admin at Connect.
Security sessions at Connect http://bit.ly/san19swg They will be added to
the public schedule (WIP)
Linaro has PoR (Plan of Record) process to say what work is done. Too early
to say what this will mean but things that are expected to continue:
- Keymaster work. Will look at new features in keymaster4.
- Prototyping work on Armv8 virtualisation.
- PKCS11.
- Widevine work
DH: Expecting that a lot of work will be followed up at Connect.
AP: When will incident handling be finalised?
DH: Not received any comments for a while. Also need steps to make it
active. Which projects will use it? Can spend some time to nail it down at
Connect. Then look to make it active.
--
[image: Linaro] <http://www.linaro.org/>
*Bill Fletcher* | *Field Engineering*
T: +44 7833 498336 <+44+7833+498336>
bill.fletcher(a)linaro.org | Skype: billfletcher2020
Hi All,
Any agenda items? We have following at present:
* Update on Twin CPU enablement work in TF-M (Chris Brand, Cypress)
* Secure provisioning discussion (Data I/O)
Thanks,
Abhishek
This screencast goes through the process I used to manage a CVE as part of
being the CNA for the Zephyr project. Not all of the links will be
accessible, but this should give a rough idea of the kind of work involved
in being a CNA.
https://www.youtube.com/watch?v=PksNzJXVDDA
David
