| Karl Zhang | fa86a2c | 2020-12-04 14:22:28 +0800 | [diff] [blame] | 1 | Security Handling |
| 2 | ================= |
| 3 | |
| 4 | Security Disclosures |
| 5 | -------------------- |
| 6 | |
| 7 | Trusted Firmware-M(TF-M) disclose all security vulnerabilities, or are advised |
| 8 | about, that are relevant to TF-M. TF-M encourage responsible disclosure of |
| 9 | vulnerabilities and try the best to inform users about all possible issues. |
| 10 | |
| 11 | The TF-M vulnerabilities are disclosed as Security Advisories, all of which are |
| 12 | listed at the bottom of this page. |
| 13 | |
| 14 | Found a Security Issue? |
| 15 | ----------------------- |
| 16 | |
| 17 | Although TF-M try to keep secure, it can only do so with the help of the |
| 18 | community of developers and security researchers. |
| 19 | |
| 20 | .. warning:: |
| 21 | If any security vulnerability was found, please **do not** |
| 22 | report it in the `issue tracker`_ or on the `mailing list`_. Instead, please |
| 23 | follow the `TrustedFirmware.org security incident process`_. |
| 24 | |
| 25 | One of the goals of this process is to ensure providers of products that use |
| 26 | TF-M have a chance to consider the implications of the vulnerability and its |
| 27 | remedy before it is made public. As such, please follow the disclosure plan |
| 28 | outlined in the `Security Incident Process`_. TF-M do the best to respond and |
| 29 | fix any issues quickly. |
| 30 | |
| 31 | Afterwards, write-up all the findings about the TF-M source code is highly |
| 32 | encouraged. |
| 33 | |
| 34 | Attribution |
| 35 | ----------- |
| 36 | |
| 37 | TF-M values researchers and community members who report vulnerabilities and |
| 38 | TF-M policy is to credit the contributor's name in the published security advisory. |
| 39 | |
| 40 | Security Advisories |
| 41 | ------------------- |
| 42 | |
| 43 | +------------+-----------------------------------------------------------------+ |
| 44 | | ID | Title | |
| 45 | +============+=================================================================+ |
| 46 | | |TFMV-1| | NS world may cause the CPU to perform an unexpected return | |
| 47 | | | operation due to unsealed stacks. | |
| 48 | +------------+-----------------------------------------------------------------+ |
| Ken Liu | 975e0b3 | 2021-03-04 08:34:33 +0800 | [diff] [blame] | 49 | | |TFMV-2| | Invoking Secure functions from handler mode may cause TF-M IPC | |
| 50 | | | model to behave unexpectedly. | |
| 51 | +------------+-----------------------------------------------------------------+ |
| Karl Zhang | fa86a2c | 2020-12-04 14:22:28 +0800 | [diff] [blame] | 52 | |
| 53 | .. _issue tracker: https://developer.trustedfirmware.org/project/view/2/ |
| 54 | .. _mailing list: https://lists.trustedfirmware.org/mailman/listinfo/tf-m |
| 55 | |
| 56 | .. |TFMV-1| replace:: :ref:`docs/reference/security_advisories/stack_seal_vulnerability:Advisory TFMV-1` |
| Ken Liu | 975e0b3 | 2021-03-04 08:34:33 +0800 | [diff] [blame] | 57 | .. |TFMV-2| replace:: :ref:`docs/reference/security_advisories/svc_caller_sp_fetching_vulnerability:Advisory TFMV-2` |
| Karl Zhang | fa86a2c | 2020-12-04 14:22:28 +0800 | [diff] [blame] | 58 | |
| 59 | .. _TrustedFirmware.org security incident process: https://developer.trustedfirmware.org/w/collaboration/security_center/ |
| 60 | |
| 61 | .. _Security Incident Process: https://developer.trustedfirmware.org/w/collaboration/security_center/reporting/ |
| 62 | |
| 63 | -------------- |
| 64 | |
| 65 | *Copyright (c) 2020, Arm Limited. All rights reserved.* |