Commit
Incident reporting: clarify the role of the OP-TEE project
We have recently had a couple of security incidents being reported to the OP-TEE project. With these reports it's clear that there is a need to clarify the role of the OP-TEE project as well as adding some extra pointers to the vulnerability reporting.

All in all it boils down to that the OP-TEE project serves as a reference implementation for developers and device manufacturers. A consequence of using a reference implementation is that the one using it in end products must understand that there are certain changes that need to be done for the final product. These changes are not always available nor applicable in the vanilla and default OP-TEE reference implementation.

It is important to understand that for two reasons. The first is to make sure that the end product is configured to be secure. The second reason is that when there are security issues, the issue might or might not be applicable in the OP-TEE reference implementation, in the platform code, or in some cases just in a particular device or in a mix of all of them. Hence the reporter should give an extra thought regarding that before filing a security report.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>