Hi all,
This email is a notification of a new security vulnerability reported to TF-M. In TF-M v1.4.0, NSPE may access secure keys stored in TF-M Crypto service in Profile Small with Crypto key ID encoding disabled. This vulnerability impacts Profile Small in TF-M v1.4.0.
Please check the details in the security advisory (https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/12608/1/docs/security/security_advisories/profile_small_key_id_encoding_vulnerability.rst). The advisory has been merged in the v1.5.0 release and will be ported back to the master branch.
The fix has been merged on the master branch (https://review.trustedfirmware.org/plugins/gitiles/TF-M/trusted-firmware-m/+/42e77b561fcfe19819ff1e63cb7c0b672ee8ba41) and patch release v1.4.1 (https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/commit/?h=TF-Mv1.4.x&id=5b408e8621c5fe325829e877971178c2533d8736).
Thanks.
Best regards, Hu Ziji