Our preference is to use GitHub for communication. The reason for that is that it is an open source project, so there should be no real reason to hide discussions from other people. GitHub also makes it possible for anyone to chime in into discussion etc. So besides sending patches as pull requests on GitHub we also encourage people to use the “issues” to report bugs, give suggestions, ask questions etc.
Please try to use the “issues” in the relevant git. I.e., if you want to discuss something related to optee_client, then use “issues” at optee_client and so on. If you have a general question etc about OP-TEE that doesn’t really belong to a specific git, then please use issues at optee_os in that case.
You can reach the Core Team by sending an email to
op-tee[at]lists.trustedfirmware.org. However note that it’s a public
mailinglist and not just TrustedFirmware engineers behind that email
For pure Linux kernel patches, please use the appropriate Linux kernel
mailinglist, basically run the
get_maintainer.pl script in the Linux kernel
tree to figure out where to send your patches.
$ cd <linux-kernel> $ ./scripts/get_maintainer.pl drivers/tee/
Some of the OP-TEE developers can be reached at Freenode (
#linaro-security. Having that said, the activity there is a bit
limited, so it is probably not the best place to discuss OP-TEE.
The OP-TEE project as part of the TrustedFirmware.org organization is using the security incident process as described at the TrustedFirmware.org security incident page. To report an issue, please follow the process as specified here. The email address to use can be found at the Mailing Aliases page.
Note that OP-TEE is a reference implementation for developers and device manufacturers and by being a reference implementation it is not always running a secure device configuration by default (see Platform ports for more information). Therefore we ask people to think twice whether the security incident report should go to:
- The OP-TEE project? Is it an issue in the generic code?
- The chipmaker? Does it only affect a certain platform? Is it a configuration described only under NDA?
- The ones making the end product? Is the issue only present on a certain device?
The OP-TEE team are in some cases are working directly with chipmakers. But it’s not uncommon that products are made using OP-TEE that the OP-TEE project is unaware of. In those cases we would recommend sending the security issue report to the company making the end product and that they in turn and if needed reach out to the OP-TEE project and/or the chipmaker.