Hi Kumar, All,
Thanks for bringing this topic up. At the moment there is no plan for issuing the release v1.2.1 because of lack of policy for such hot fix releases. The release policy upgrade proposal shall be reviewed and agreed in the Steering Committee with the main questions: 1. What is the hot fix baseline? 2. What is the testing scope of the fix? 3. On which platform(s) the fix shall be tested?
The policy is under discussion and the community input is welcome. Please share your thoughts on the topic.
The release v1.3.0 is expected by end of March-beginning of April, which will include the fix.
Thanks, Anton
-----Original Message----- From: TF-M tf-m-bounces@lists.trustedfirmware.org On Behalf Of Kumar Gala via TF-M Sent: Friday, March 5, 2021 5:36 PM To: Ken Liu Ken.Liu@arm.com Cc: nd nd@arm.com; tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Security vulnerability notice - SVC handler fetches incorrect caller stack pointer under specific cases.
On Mar 5, 2021, at 9:28 AM, Ken Liu via TF-M tf-m@lists.trustedfirmware.org wrote:
Hi Everyone, There is a new security vulnerability reported about the SVC handler fetches a wrong caller stack pointer under specific cases, which impacts the subsequent execution. Please find the security advisory specific to TF-M and patches that have been developed as per the TrustedFirmware.org security process[1] below :
- TF-M Security advisory: https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/9005
- Fix based on the latest master has been merged into TF-M repo. The patch also can be found in Gerrit:https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/8575 and https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/8576.
Please let us know if you have any comments. BR /Ken Liu [1] https://developer.trustedfirmware.org/w/collaboration/security_center/report... -- TF-M mailing list TF-M@lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m
Is there plans for a security release of TFM v1.2 with this fix?
- k