All,
We had a specific topic in TF-M workshop on build system and tooling. The attached slides were presented to guide the discussion. This was an open discussion lasting about an hour and many attendees provided inputs and feedback on the topics.
I plan to follow up in the TSC meetings and have added IDE topic to this week's meeting agenda. Just circulating the slides to help the discussion.
Thanks
Abhishek
Hi All,
Any agenda items for this week?
I have following on my list
* Provisioning. This is now running as a separate meeting, hopefully you have received invite for that. We can have a quick summary of the status.
* TF-M coding standard. Following up from the mailing list thread about weak symbols.
* Enabling IDE support for TF-M. This topic was raised in the workshop in Lyon. I would like to summarize and discuss possible options, next steps etc.
Thanks,
Abhishek
Attendees
Abhishek Pandit (Arm)
Christian Daudt (Cypress)
Dan Handley (Arm)
David Brown (Linaro)
Kevin Townsend (Linaro)
Joakim Bech (Linaro)
Eric Finco (ST)
Mark Grosen (TI)
Bill Mills (TI)
Bill Fletcher (Linaro Community Projects)
Agenda
CNA training
Provisioning
ELC TF-M workshop in Lyon
Git process flow
OP-TEE git update
Notes
DB: CNA training? CVE Numbering Authorities. Able to assign CVEs in blocks
of 10 without going through a minder. No charge. Same amount of time as we
should be spending on CVEs anyway.
JB/DH: Think it’s a good idea.
DH: Would like to establish who is on the security mailing lists.
JB: Have had bad experience working through Mitre.
CD: To clarify this the scope is TF-A, TF-M, OP-TEE
DB: Yes.
CD: Not much purpose to get CVEs if we don’t have anyone to do anything on
them.
DB: CF Zephyr …
DH: Will send email to allow people to formally sign off on this
DB: I would like to have a discussion about provisioning. Right now, it
seems that the only way we specify a device identifying itself is by giving
its public key, which would require that every device to be provisioned be
entered into some kind of database before it could be known. Instead I'd
like to propose that we have a way of storing and retrieving an X.509
certificate, which would have that public key in it, along with a signature
chain that could be used to indicate that this device is trusted. This is
commonly done in deployed devices, and we might as well add this
functionality now.
AP: Had proposed a provisioning-specific slot, but no one registered
interest. Will still schedule this.
DB: Have defined attestation token signed with a private key internal to
device. There is also a public key. If only this, it has to be known by the
entity on the other side to know a valid device. Preferred approach is a
certificate - that public key signed by an authority.
https://github.com/microbuilder/zephyr/blob/tfm-psa-level-1/samples/tfm_int…
Need to “get a certificate” … is this a trusted device?
DB: Different to e.g. MQTT using a TLS certificate. Need to be flexible
allowing a public key registration.
KT: How to know if a device should be joining the network with just public
key.
DB: Unless a channel from the factory with a list of trusted devices.
DB: May also need a mechanism to update these keys
BM: Overlap with Intel?
JB: Yes. Pelion was the collaboration between Intel and Arm
BM: Think the base concept was simpler.
JB: Talk to Reed Hinkel about the LEDGE presentation session on this.
EF: Got it through the mailing list of LEDGE.
AP: Would like to do this as a provisioning subgroup and then ask the TSC
if they want to proceed. Happy for David or Kevin to lead the discussion.
CD: Shall we see if can have a similar discussion to the one we had at
Connect
JB: Can ask Francois or Reed to see if they can help us.
AP: If you know someone who is interested, we should extend to wider than
TSC. Will schedule the meeting.
MG:
https://www.intel.com/content/dam/www/public/us/en/documents/idz/iot/briefs…
AP: TF-M workshop in Lyon after ELC. Will discuss the outcomes at next TSC.
MG: Git flow. How to know when it’s a good time to integrate with the TF-M
workflow. Aren’t many tags etc. Have tried with some issues. Are there
engineering builds, alpha builds?
AP: Can take guidance as TF-A which is more mature. Need to decide if 6
monthly test cycle as TF-A. Need solid branches to base work on. Dual core
work ongoing on a branch. Posted requests for review but there were no
reviews. Has been no drive to fix the methodology yet.
AP: CI running but it’s problematic with MPS2 at the moment.
CD: But no formal cycles yet
AP: Arm stretched to support the feature requests at the moment. Will talk
to Shebu to structure the roadmap in order to have something stable.
JB: Forked OP-TEE gits are now at git.trustedfirmware.org
--
[image: Linaro] <http://www.linaro.org/>
*Bill Fletcher* | *Field Engineering*
T: +44 7833 498336 <+44+7833+498336>
bill.fletcher(a)linaro.org | Skype: billfletcher2020
I would like to have a discussion about provisioning. Right now, it seems
that the only way we specify a device identifying itself is by giving its
public key, which would require that every device to be provisioned be
entered into some kind of database before it could be known.
Instead I'd like to propose that we have a way of storing and retrieving an
X.509 certificate, which would have that public key in it, along with a
signature chain that could be used to indicate that this device is trusted.
This is commonly done in deployed devices, and we might as well add this
functionality now.
David
On Tue, Oct 8, 2019 at 5:00 PM Abhishek Pandit via TSC <
tsc(a)lists.trustedfirmware.org> wrote:
> Hi All,
>
>
>
> Any agenda items for the meeting this week?
>
>
>
> Thanks,
>
> Abhishek
> --
> TSC mailing list
> TSC(a)lists.trustedfirmware.org
> https://lists.trustedfirmware.org/mailman/listinfo/tsc
>
Attendees
Abhishek Pandit (Arm)
Chris (Cypress)
Ray Ngun (Cypress)
Christian Daudt (Cypress)
Dan Handley (Arm)
David Brown (Linaro)
Joakim Bech (Linaro)
Julius Werner (Google)
Lionel Debieve (ST)
Rajeev Gulati (Data I/O)
Bill Fletcher (Linaro Community Projects)
Notes
Ray: Cypress TF M enablement on PSoC6 dual core (slides circulated
separately)
Chris: PSoC as SMPUs based on v6/v7 ones. Has alignment/size constraints.
Difficult to arrange 1M flash to manage protection regions. Much easier
with the v8.
Build system work complicated.
AP: Getting feedback on build system elsewhere. Not sure if it is CMake.
What’s your view?
Chris: CMake isn’t particularly intuitive. Building secure side veneers -
had to figure out to separate those out.
AP: V8m crashes are hard to debug. Maybe worth having a focus group on
build system.
CD: Implicit assumptin that secure and non-secure are the same ilk and not
the case for PSoC6. Does not have the same facilities/options.
AP: Assumed secured binary comes from one entity and non-secure from
another. That’s how it evolved. Secure people give config and API. Agreed
it’s very v8m centric.
CD: Patches should fix that
AP: Will follow up on why the patches are still pending.
Rajeev: Data I/O Security provisioning (slides circulated separately)
AP: Need to have a follow up task on this. This is just a prelude to what
the TF teams need to do in this area.
Rajeev: We can talk about the provisioning usecases next time.
Joakim: OP-TEE
Pending actions for creating branches for TF gerrit. Not done but have a
clear idea after talking to Dan
Linking TF.org to OP-TEE.org done one way. Plan to fix the other way with a
sit down with Web Admin at Connect.
Security sessions at Connect http://bit.ly/san19swg They will be added to
the public schedule (WIP)
Linaro has PoR (Plan of Record) process to say what work is done. Too early
to say what this will mean but things that are expected to continue:
- Keymaster work. Will look at new features in keymaster4.
- Prototyping work on Armv8 virtualisation.
- PKCS11.
- Widevine work
DH: Expecting that a lot of work will be followed up at Connect.
AP: When will incident handling be finalised?
DH: Not received any comments for a while. Also need steps to make it
active. Which projects will use it? Can spend some time to nail it down at
Connect. Then look to make it active.
--
[image: Linaro] <http://www.linaro.org/>
*Bill Fletcher* | *Field Engineering*
T: +44 7833 498336 <+44+7833+498336>
bill.fletcher(a)linaro.org | Skype: billfletcher2020
Hi All,
Any agenda items? We have following at present:
* Update on Twin CPU enablement work in TF-M (Chris Brand, Cypress)
* Secure provisioning discussion (Data I/O)
Thanks,
Abhishek
This screencast goes through the process I used to manage a CVE as part of
being the CNA for the Zephyr project. Not all of the links will be
accessible, but this should give a rough idea of the kind of work involved
in being a CNA.
https://www.youtube.com/watch?v=PksNzJXVDDA
David
Attendees
AbhishekP - Arm
DanH - Arm
DavidB - Linaro
MarkG - TI
JoakimB - Linaro OP-TEE
ChristianD - Cypress
JuliusW - Google
KumarG - Linaro LITE
KevinT - Linaro LITE
BillF - Linaro Community Projects
Agenda
OP-TEE
How to add more maintainers
AOB
Notes:
OP-TEE (Joakim’s slides)
BF: OP-TEE now visible via trustedfirmware.org
DH: No links to code etc
BF: Yes, just a first step that we can reference in any press release/blog
post. It links back to the main material at op-tee.org
JB: Have cleaned up op-tee.org content and not a big job to move it to
trustedfirmware.org
JB: Certifications. Should now revisit. However - there are many - need to
figure out what to spend the money on.
CD: Don’t certify in a vacuum
JB: Yes - video, payment ...
DH: … common criteria, safety. Generally need to certify a product, but
helps if know what you’re aiming for.
JB: Previously aimed at GC test suite that benefits everyone.
DB: FIPS certification
AP: At Arm have often focussed on ‘certifiable’ rather than certified.
JB: Sounds sane
AP: A lot of certifications have some common stuff - e.g. basic MISRA, some
threat model, lifecycle.
JB: If you clone the git repo you’ll get a test suite - xtest. You will not
get anything from GlobalPlatform. You can include it but you have to be a
member or buy it. It’s $6000 and includes support for 2 years. In Linaro we
have relied on member’s access to use the test suite.
DH: Code audits are good but take a hit - need to have all requirements in
place first like incident handling and lifecycle. They are expensive.
DH: For vulnerability reporting, have discussed increasing embargo period &
especially sensitive stakeholders.
DB: Zephyr is now a CNA. Organisation has to be a CNA but in the scope of
particular project(s). We’re receiving CVEs for the Zephyr project. It
might make sense for TF to become one.
DH: Process supposed to use for OSS doesn’t seem to work at all.
DB: End up going to the CNA of last resort. Much more responsive to CNAs
than random projects.
JB: tf.org/security should go to the various security centres and this
policy that we’re trying to approve.
Action DH to give BF an outline of what should be on the security front page
JB: Any interest on TF TSC that I present the plan for the coming cycle?
Action: JB to check with Mark Orvek if ok to share the OP-TEE information
from the project heathcheck.
CD: Generally take same approach as TF-A and TF-M. Share the information
but TF TSC not to be a bottleneck and have to ‘approve’. If there’s a
specific issue can discuss it at TSC.
DH: For the fork, we’d be trying to keep up with op-tee master and submit
back through the op-tee process. Don’t want to run on a branch for the long
term.
DH: Encrypted TEEs. Has always been a provision for encrypted TA’s.
Architecture allows for it but have had no strong pull for implementing it.
JB: Tricky part is key management
DH: May be a requirement on TF-A to help here.
JB: Haven’t really planned on this but seeing requirements. No requirements
from PSA?
DH: no - the requirements are on authentication, not encryption.
DH: (Next steps) Expand the list of acceptable licenses.
AP: (Documenting answers and decisions) Both TF projects are using
Phabricator.
Action: JB to contact Ben and try out the Phabricator sandbox.
DH: Anything holding back to setup an op-tee project in gerrit?
JB: Have an action to talk to Ben about setting that up
Maintainers
AP: Looking at ways to expand maintainers list since have gaps during
vacation period
JB: Where is the list?
AP: Keep the maintainer list in gerrit
AP: Ask other members to talk about non-confidential items. If there are
external companies - maintainers should be able to invite them to attend.
Action: BF to add link to review.trustedfirmware.org to Nav bar
DB: If I go to developer.trustedfirmware.org and click on
https://developer.trustedfirmware.org/project/ only see TF-A.
CD: Seems that project takes the first query
https://developer.trustedfirmware.org/project/query/edit/. Can an
administrator change the order of the queries?
Action: Move the usability discussion to the mailing list since there are
people actively working on Phabricator.
Attendance:
DH: (In response to KT) anyone should be able to join as long as we know
who they are from a member company. When it comes to voting that’s specific
to reps.
AP: If someone additional invited announce it at the start of the meeting.
Date for the next meeting?
AP: 12th Sept.
--
[image: Linaro] <http://www.linaro.org/>
*Bill Fletcher* | *Field Engineering*
T: +44 7833 498336 <+44+7833+498336>
bill.fletcher(a)linaro.org | Skype: billfletcher2020
