docs/threat_model/supply_chain_threat_model.rst

38 contributors as well as libraries imported from other open-source projects,
46 - *zlib*: zlib is a data compression library imported from [2]_.
48 - *compiler-rt*: This is a collection of runtime libraries from the LLVM
50   provides low-level, target-specific compiler builtins from compiler-rt.
57   loaded by TF-A from non-volatile platform storage.
76 - *Mbed TLS Library*: This is a cryptography library from trustedfirmware.org
106 description of each component and where they are sourced from.
109   Arm SCP team built from the source from the GitHub repository [6]_.
111 - *OP-TEE*: Trusted Execution Environment (TEE) from tf.org that runs as
112   Secure EL1. We use OP-TEE built from source or binaries supplied with Arm
115 - *EDK2 UEFI*: Normal world bootloader from the EDK2 project [7]_. We use EDK2
119 MCP, and file systems, all sourced from the Arm Reference Platforms teams.
133 repository, and their dependencies are downloaded from the internet at the
279   |             |     maintainer (e.g. maintainer can move from one           |
317   |             | | If successful, the impact can range from low to high      |
348   |             |   that are downloaded from external repositories and used   |
354   |             |   libraries are periodically updated by copying them from   |
356   |             |   possible for a contributor to copy the libraries from the |
381   |             |   from dependencies only arises when we upgrade them        |
382   |             | - Monitor alerts for vulnerable dependencies from GitHub    |
403   | impact      |   downloaded from external repositories by end-users.       |
407   |             |   where to get the dependencies from. As such, the          |
411   |             | | The impact of an attack ranges from low to critical       |
497   |             | downloading from that repository.                           |
569   |             | | If successful, the impact can range from low to high      |
577   |             | - Execute Node.js tools in the CI only from within a        |
599   | Jenkins    | - Jenkins is built | - Use oauth from   | - Monitor CVE’s    |
647   | Gerrit     | - Gerrit package   | - Use oauth from   | - Keep plugins up- |
649   | plugins)   |   from Linaro top  | - The password     |   is up to the     |
655   |            |   from Ansible     | - Gerrit has ACL   |                    |
656   |            |   playbook, from   |   setup within the |                    |
660   |            |   downloaded from  |   enabled          |                    |
664   |            |   plugin           |   from Jenkins     |                    |
666   | Git        | - Package is from  | - All credentials  | - Monitor all      |
678   | Mailman    | - Installed from   | - It has           | - Plan to monitor  |
692   |            | from a Jekyll git  | permissions        |   AWS CloudFront   |
700   |            |                    |                    |   from GitHub when |