From patchwork Wed Jun 10 15:46:17 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jon Mason <jon.mason@arm.com>
X-Patchwork-Id: 89677
Return-Path: <jon.mason@arm.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id C76FFCD8CB2
	for <webhook@archiver.kernel.org>; Wed, 10 Jun 2026 15:46:29 +0000 (UTC)
Received: from foss.arm.com (foss.arm.com [217.140.110.172])
 by mx.groups.io with SMTP id smtpd.msgproc01-g2.23598.1781106387972951677
 for <meta-arm@lists.yoctoproject.org>;
 Wed, 10 Jun 2026 08:46:28 -0700
Authentication-Results: mx.groups.io;
 dkim=fail reason="dkim: body hash did not verify" header.i=@arm.com
 header.s=foss header.b=jtCKgLgt;
 spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: jon.mason@arm.com)
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14])
	by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 88B792008
	for <meta-arm@lists.yoctoproject.org>; Wed, 10 Jun 2026 08:46:22 -0700 (PDT)
Received: from H24V3P4C17.arm.com (usa-sjc-imap-foss1.foss.arm.com
 [10.121.207.14])
	by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 2E40F3F99C
	for <meta-arm@lists.yoctoproject.org>; Wed, 10 Jun 2026 08:46:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=arm.com; s=foss;
	t=1781106387; bh=iPHO46kpU3NB9Yr+ezY/qCSIudhnKgPMUN3pevnCObA=;
	h=From:To:Subject:Date:From;
	b=jtCKgLgtZzJWoPK7/jrk1Mhnjfs87zT1fZAynj0H6Xv2HxUI2gv5gycv14CronnLP
	 NzCnug+zKvAGMP1YGbjHHRk8ZTJmf+RTg+3v9x0uLr/uHB8ck4YkEh0XNsfwGGpNIm
	 rthF+ICzkZe8LQehqIDGIxfXhVL31uf4W1+ogPMs=
From: Jon Mason <jon.mason@arm.com>
To: meta-arm@lists.yoctoproject.org
Subject: [PATCH 1/4] arm/optee: modify CVE_PRODUCT
Date: Wed, 10 Jun 2026 11:46:17 -0400
Message-ID: <20260610154620.8533-1-jon.mason@arm.com>
X-Mailer: git-send-email 2.50.1
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Wed, 10 Jun 2026 15:46:29 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/7072

Per https://nvd.nist.gov/products/cpe/detail/EB42962B-24FD-4716-B3E2-69F3258A57CF
adding "trustedfirmware:op-tee"

We can probably remove "linaro:op-tee", since it has been depreciated.
Fearing unintended issues, leaving it in for now.

Signed-off-by: Jon Mason <jon.mason@arm.com>
---
 meta-arm/recipes-security/optee/optee-os.inc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/meta-arm/recipes-security/optee/optee-os.inc b/meta-arm/recipes-security/optee/optee-os.inc
index 076e482bf10b..95c41fb13a58 100644
--- a/meta-arm/recipes-security/optee/optee-os.inc
+++ b/meta-arm/recipes-security/optee/optee-os.inc
@@ -8,7 +8,9 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=c1f21c4f72f372ef38a5a4aee55ec173"
 inherit deploy python3native
 require optee.inc
 
-CVE_PRODUCT = "linaro:op-tee op-tee:op-tee_os"
+CVE_PRODUCT = "linaro:op-tee \
+               op-tee:op-tee_os \
+               trustedfirmware:op-tee"
 
 DEPENDS = "python3-pyelftools-native python3-cryptography-native"
 

From patchwork Wed Jun 10 15:46:18 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jon Mason <jon.mason@arm.com>
X-Patchwork-Id: 89676
Return-Path: <jon.mason@arm.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id DC186CD98C6
	for <webhook@archiver.kernel.org>; Wed, 10 Jun 2026 15:46:29 +0000 (UTC)
Received: from foss.arm.com (foss.arm.com [217.140.110.172])
 by mx.groups.io with SMTP id smtpd.msgproc02-g2.23894.1781106388158888763
 for <meta-arm@lists.yoctoproject.org>;
 Wed, 10 Jun 2026 08:46:28 -0700
Authentication-Results: mx.groups.io;
 dkim=fail reason="dkim: body hash did not verify" header.i=@arm.com
 header.s=foss header.b=n+MCyo1f;
 spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: jon.mason@arm.com)
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14])
	by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id D80E828C7
	for <meta-arm@lists.yoctoproject.org>; Wed, 10 Jun 2026 08:46:22 -0700 (PDT)
Received: from H24V3P4C17.arm.com (usa-sjc-imap-foss1.foss.arm.com
 [10.121.207.14])
	by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 80D113F99C
	for <meta-arm@lists.yoctoproject.org>; Wed, 10 Jun 2026 08:46:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=arm.com; s=foss;
	t=1781106387; bh=b0E9bhWlVHYEJIXWUhEaheqD3+RZeuonyxTxMtouACY=;
	h=From:To:Subject:Date:In-Reply-To:References:From;
	b=n+MCyo1fLECGvIAyxWQ0a6F0RxUtGB9PVOCcfECiCueXsjY1jwtB9f8abvvZYTHXU
	 +c0cP7ZnITTzANUNaL58Bm+D1SHKM5iKiLcffntaMRDtXOhTZ/BZYaBqCQd2JMhE2x
	 53Aor874mDFClcUWTVg96JgX87wvtk3LqNV6ZAsk=
From: Jon Mason <jon.mason@arm.com>
To: meta-arm@lists.yoctoproject.org
Subject: [PATCH 2/4] arm/trusted-firmware-a: modify CVE_PRODUCT
Date: Wed, 10 Jun 2026 11:46:18 -0400
Message-ID: <20260610154620.8533-2-jon.mason@arm.com>
X-Mailer: git-send-email 2.50.1
In-Reply-To: <20260610154620.8533-1-jon.mason@arm.com>
References: <20260610154620.8533-1-jon.mason@arm.com>
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Wed, 10 Jun 2026 15:46:29 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/7073

Per https://nvd.nist.gov/products/cpe/detail/2E1BD3E8-DF65-42E3-A0BA-747137D6DEF2
Adding "trustedfirmware:trusted_firmware-a"

We can probably remove "arm:trusted_firmware-a", since it has been
depreciated.  Fearing unintended issues, leaving it in for now.

Signed-off-by: Jon Mason <jon.mason@arm.com>
---
 meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
index 62204042cbab..503d7a02ffb5 100644
--- a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
+++ b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
@@ -245,4 +245,5 @@ INSANE_SKIP:${PN}-dbg += "buildpaths"
 CVE_PRODUCT = "arm:arm-trusted-firmware \
                arm:trusted_firmware-a \
                arm:arm_trusted_firmware \
-               arm_trusted_firmware_project:arm_trusted_firmware"
+               arm_trusted_firmware_project:arm_trusted_firmware \
+               trustedfirmware:trusted_firmware-a"

From patchwork Wed Jun 10 15:46:19 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jon Mason <jon.mason@arm.com>
X-Patchwork-Id: 89679
Return-Path: <jon.mason@arm.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id DE677CD98CC
	for <webhook@archiver.kernel.org>; Wed, 10 Jun 2026 15:46:29 +0000 (UTC)
Received: from foss.arm.com (foss.arm.com [217.140.110.172])
 by mx.groups.io with SMTP id smtpd.msgproc01-g2.23599.1781106388695931964
 for <meta-arm@lists.yoctoproject.org>;
 Wed, 10 Jun 2026 08:46:28 -0700
Authentication-Results: mx.groups.io;
 dkim=fail reason="dkim: body hash did not verify" header.i=@arm.com
 header.s=foss header.b=V6kpGZzF;
 spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: jon.mason@arm.com)
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14])
	by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 37C4B3025
	for <meta-arm@lists.yoctoproject.org>; Wed, 10 Jun 2026 08:46:23 -0700 (PDT)
Received: from H24V3P4C17.arm.com (usa-sjc-imap-foss1.foss.arm.com
 [10.121.207.14])
	by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id D09203F99C
	for <meta-arm@lists.yoctoproject.org>; Wed, 10 Jun 2026 08:46:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=arm.com; s=foss;
	t=1781106388; bh=Ki94ZrDCagTXHtfnwePHC7Cx0PLoqvljP5aCQ7SAUis=;
	h=From:To:Subject:Date:In-Reply-To:References:From;
	b=V6kpGZzFuEMyNsN3x6IpZVctkOCoS/43I2pqUPsitbGB3j80HrumJCU5L05169tKB
	 R0u+1gpvHns7wlyLGf+ASla/A3cgN1BTm6N/NzEP8RGRGIPH7K1Ka/eKhol6YjcKzI
	 YZGL3E32otLg77jxLV2sf5X9RqxUrE9y//WK2/2E=
From: Jon Mason <jon.mason@arm.com>
To: meta-arm@lists.yoctoproject.org
Subject: [PATCH 3/4] arm/trusted-firmware-m: add CVE_PRODUCT
Date: Wed, 10 Jun 2026 11:46:19 -0400
Message-ID: <20260610154620.8533-3-jon.mason@arm.com>
X-Mailer: git-send-email 2.50.1
In-Reply-To: <20260610154620.8533-1-jon.mason@arm.com>
References: <20260610154620.8533-1-jon.mason@arm.com>
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Wed, 10 Jun 2026 15:46:29 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/7074

Per https://nvd.nist.gov/products/cpe/detail/C0F7CF14-9ACD-42C5-A1F8-839937F8C4DC
add CVE_PRODUCT entry.  Since there wasn't one existing, there is no
need to remove anything.

Signed-off-by: Jon Mason <jon.mason@arm.com>
---
 meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m.inc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m.inc b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m.inc
index 3b6dce22069d..2fbd0c41a32e 100644
--- a/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m.inc
+++ b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m.inc
@@ -136,3 +136,5 @@ INSANE_SKIP:${PN}-dbg += "buildpaths"
 # Target binaries will be 32-bit Arm
 INSANE_SKIP:${PN} += "arch"
 INSANE_SKIP:${PN}-dbg += "arch"
+
+CVE_PRODUCT = "trustedfirmware:trusted_firmware-m"

From patchwork Wed Jun 10 15:46:20 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jon Mason <jon.mason@arm.com>
X-Patchwork-Id: 89678
Return-Path: <jon.mason@arm.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 0B22DCD98CE
	for <webhook@archiver.kernel.org>; Wed, 10 Jun 2026 15:46:30 +0000 (UTC)
Received: from foss.arm.com (foss.arm.com [217.140.110.172])
 by mx.groups.io with SMTP id smtpd.msgproc01-g2.23601.1781106388856545097
 for <meta-arm@lists.yoctoproject.org>;
 Wed, 10 Jun 2026 08:46:28 -0700
Authentication-Results: mx.groups.io;
 dkim=fail reason="dkim: body hash did not verify" header.i=@arm.com
 header.s=foss header.b=OagaYvyA;
 spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: jon.mason@arm.com)
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14])
	by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 872CB2008
	for <meta-arm@lists.yoctoproject.org>; Wed, 10 Jun 2026 08:46:23 -0700 (PDT)
Received: from H24V3P4C17.arm.com (usa-sjc-imap-foss1.foss.arm.com
 [10.121.207.14])
	by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 2E0A83F99C
	for <meta-arm@lists.yoctoproject.org>; Wed, 10 Jun 2026 08:46:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=arm.com; s=foss;
	t=1781106388; bh=InubGw8OCdOfc8kySvadrzFpMiYf/rneo5SmNbp4MqU=;
	h=From:To:Subject:Date:In-Reply-To:References:From;
	b=OagaYvyAat98yUbRyoC1nOEYYBX7gYuYK4AMzk5ZuDtjcuHDj+zgb03guW8wN/eXU
	 2nSqkUHtaLWxgN0gsyaotCGBOI4ZPISdY7aOAxMS5aQJMGoU6uDPX76eBy4llKl2z+
	 Dr6KaKRiQdbUJAeAlfDK/VAxcrS5+V5OAZMOpctU=
From: Jon Mason <jon.mason@arm.com>
To: meta-arm@lists.yoctoproject.org
Subject: [PATCH 4/4] arm/scp-firmware: add CVE_PRODUCT
Date: Wed, 10 Jun 2026 11:46:20 -0400
Message-ID: <20260610154620.8533-4-jon.mason@arm.com>
X-Mailer: git-send-email 2.50.1
In-Reply-To: <20260610154620.8533-1-jon.mason@arm.com>
References: <20260610154620.8533-1-jon.mason@arm.com>
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Wed, 10 Jun 2026 15:46:30 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/7075

Per https://nvd.nist.gov/products/cpe/detail/593B1385-F4BE-452B-AE3B-51627F6CAE45
add CVE_PRODUCT entry.  Since there wasn't one existing, there is no
need to remove anything.

Signed-off-by: Jon Mason <jon.mason@arm.com>
---
 meta-arm/recipes-bsp/scp-firmware/scp-firmware.inc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta-arm/recipes-bsp/scp-firmware/scp-firmware.inc b/meta-arm/recipes-bsp/scp-firmware/scp-firmware.inc
index 4623afe81ff2..032445b3bd6a 100644
--- a/meta-arm/recipes-bsp/scp-firmware/scp-firmware.inc
+++ b/meta-arm/recipes-bsp/scp-firmware/scp-firmware.inc
@@ -96,3 +96,6 @@ do_install() {
 INSANE_SKIP:${PN}-dbg += "arch"
 INHIBIT_PACKAGE_DEBUG_SPLIT = "1"
 INHIBIT_PACKAGE_STRIP = "1"
+
+CVE_PRODUCT = "arm:scp-firmware \
+               arm:scp_firmware"