
Incident reporting: clarify the role of the OP-TEE project #147

Merged

Conversation

jbech-linaro
Contributor

We have recently had a couple of security incidents being reported to
the OP-TEE project. With these reports it's clear that there is a need
to clarify the role of the OP-TEE project as well as adding some extra
pointers to the vulnerability reporting.

All in all it boils down to that the OP-TEE project serves as a
reference implementation for developers and device manufacturers. A
consequence of using a reference implementation is that the one using it
in end products must understand that there are certain changes that
need to be done for the final product. These changes are not always
available nor applicable in the vanilla and default OP-TEE reference
implementation.

It is important to understand that for two reasons. First is to make
sure that the end product is configured to be secure. The second reason
is that when there are security issues, the issue might, or might not be
applicable in the OP-TEE reference implementation, in the platform code
or in some cases just in a particular device or in a mix of all of them.
Hence the reporter should give an extra thought regarding that before
filing a security report.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>

@jbech-linaro jbech-linaro force-pushed the reference-imp-clarifications-2 branch from f613054 to 15d0975 on November 18, 2021 12:25

@jenswi-linaro jenswi-linaro left a comment


Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

@ruchi393
Contributor

Thanks for adding this @jbech-linaro

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>

We have recently had a couple of security incidents being reported to
the OP-TEE project. With these reports it's clear that there is a need
to clarify the role of the OP-TEE project as well as adding some extra
pointers to the vulnerability reporting.

All in all it boils down to that the OP-TEE project serves as a
reference implementation for developers and device manufacturers. A
consequence of using a reference implementation is that the one using it
in end products must understand that there are certain changes that
need to be done for the final product. These changes are not always
available nor applicable in the vanilla and default OP-TEE reference
implementation.

It is important to understand that for two reasons. First is to make
sure that the end product is configured to be secure. The second reason
is that when there are security issues, the issue might, or might not be
applicable in the OP-TEE reference implementation, in the platform code
or in some cases just in a particular device or in a mix of all of them.
Hence the reporter should give an extra thought regarding that before
filing a security report.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
@jbech-linaro jbech-linaro force-pushed the reference-imp-clarifications-2 branch from 15d0975 to 7e38447 on November 18, 2021 12:45
@jbech-linaro jbech-linaro merged commit 90b5ca1 into OP-TEE:master Nov 18, 2021
@jbech-linaro jbech-linaro deleted the reference-imp-clarifications-2 branch November 18, 2021 12:46