docs: add security model and clarify the diff-from-upstream convention #12
Merged
Adds docs/security-model.md documenting that this repository is entirely part of its consumers' Trusted Computing Base (every crate is linked into the trusted side of an SGX enclave or TrustZone TA), that the review unit is the diff from pristine upstream (the `Download ... from crates.io` commit for full imports, the `*.patch` over a pinned `Base-Commit` for patch bundles), the target-dependent security primitives to scrutinize (randomness, untrusted filesystem, time, libc/syscalls, std), the supply-chain and provenance considerations (upstream-fix drift, binary artifacts, build-time code execution, publish provenance), and guidance for both developers and automated security reviewers.
Also adds a SECURITY.md (reporting policy + link) and cleans up the README: fixes the layout example to match the actual root-level directory structure and documents the per-approach diff conventions.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
What
Adds `docs/security-model.md` (a security model for this repository), adds a `SECURITY.md`, and cleans up the `README.md`. The repository previously had no `SECURITY.md` and no security-model documentation.
Why
This repository is special: it hosts dependency crates that are linked into the trusted side of TEE applications (SGX enclaves via the SGX SDK, TrustZone TAs via the TrustZone SDK). That means the entire repository is part of its consumers' Trusted Computing Base, and a weakness in any crate here propagates to every downstream application. A document that states this explicitly — and tells reviewers (human or LLM) what the review unit is — helps keep security review focused and avoids false positives from re-auditing unmodified upstream code.
Contents
`docs/security-model.md` covers:
`getrandom` randomness source, `libc` OP-TEE syscall surface, the Rust `std` patch, `ring` crypto + prebuilt artifacts).
README cleanup
`crates/` subdirectory that does not exist; crates actually live at the repository root.
`<crate>-<version>` for full imports, `<crate>-<version>-<base-commit>` for patch bundles).
`Download <crate> <version> from crates.io` commit preserves the pristine upstream so the adaptation is `git diff <download-commit> HEAD -- <crate-dir>/`.
This is documentation only; no crate source or behavior changes.
🤖 Generated with Claude Code
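
The diff-from-upstream convention described above for full imports, as an added example that is not part of this pull request or the repository: a reviewer helper that finds the import commit for a crate directory and scopes the diff to the local adaptation. The function names `find_download_commit` and `adaptation_diff` are hypothetical; the commit subject form and the `git diff` invocation are the ones quoted in the description.

```sh
#!/bin/sh
# Added example (not from the repository). Function names are hypothetical.
# Assumes full imports only: the import commit's subject has the form
# "Download <crate> <version> from crates.io", as the PR text describes.
# Patch bundles (*.patch over a pinned Base-Commit) are not handled here.

# Print the hash of the newest import commit that touches <crate-dir>.
# Only the subject line is matched, so a later commit that merely quotes
# the phrase in its body is not mistaken for the import.
find_download_commit() {
    git log --format='%H %s' -- "${1%/}" |
        sed -n 's/^\([0-9a-f]\{40,\}\) Download .* from crates\.io$/\1/p' |
        head -n 1
}

# Show the review unit for <crate-dir>: everything changed since the import.
# Extra arguments go to git diff, e.g. --stat or --name-status.
adaptation_diff() {
    crate_dir=${1%/}
    shift
    dl_commit=$(find_download_commit "$crate_dir")
    if [ -z "$dl_commit" ]; then
        # No pristine baseline means the diff cannot be scoped; fail loudly
        # rather than silently reviewing nothing.
        echo "no 'Download ... from crates.io' commit touches $crate_dir" >&2
        return 1
    fi
    git diff "$@" "$dl_commit" HEAD -- "$crate_dir/"
}
```

Run from the repository root, for example `adaptation_diff <crate-dir> --stat`; a non-zero exit means the directory has no import commit to diff against.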