Hello everyone,
A new security vulnerability has been identified in TF-A X.509 parser, used for trusted boot in BL1 and BL2.
Please note that this vulnerability is *not* exploitable in TF-A upstream code. Only downstream code might be affected under specific circumstances.
The security advisory has been published in TF-A documentation and has all the details:
https://trustedfirmware-a.readthedocs.io/en/latest/security_advisories/secur...
Patches to fix the identified bugs have already been merged in TF-A tree. The advisory lists the relevant patches.
I would like to thank Demi Marie Obenour from Invisible Things Lab for responsibly disclosing this security vulnerability to TrustedFirmware.org, for providing patches to fix the identified bugs and further harden the X.509 parser, for providing a detailed impact analysis and for helping put this security advisory together.
Best regards, Sandrine Bailleux, on behalf of TF-A security team.