###################
Security Advisories
###################

.. toctree::
    :maxdepth: 1
    :hidden:

    stack_seal_vulnerability
    svc_caller_sp_fetching_vulnerability
    crypto_multi_part_ops_abort_fail
    profile_small_key_id_encoding_vulnerability
    fwu_write_vulnerability
    cc3xx_partial_tag_compare_on_chacha20_poly1305
    debug_log_vulnerability
    user_pointers_mailbox_vectors_vulnerability
    fwu_tlv_payload_out_of_bounds_vulnerability

+------------+-----------------------------------------------------------------+
| ID         | Title                                                           |
+============+=================================================================+
|  |TFMV-1|  | NS world may cause the CPU to perform an unexpected return      |
|            | operation due to unsealed stacks.                               |
+------------+-----------------------------------------------------------------+
|  |TFMV-2|  | Invoking Secure functions from handler mode may cause TF-M IPC  |
|            | model to behave unexpectedly.                                   |
+------------+-----------------------------------------------------------------+
|  |TFMV-3|  | ``abort()`` function may not take effect in TF-M Crypto         |
|            | multi-part MAC/hashing/cipher operations.                       |
+------------+-----------------------------------------------------------------+
|  |TFMV-4|  | NSPE may access secure keys stored in TF-M Crypto service       |
|            | in Profile Small with Crypto key ID encoding disabled.          |
+------------+-----------------------------------------------------------------+
|  |TFMV-5|  | ``psa_fwu_write()`` may cause buffer overflow in SPE.           |
+------------+-----------------------------------------------------------------+
|  |TFMV-6|  | Partial tag comparison when using Chacha20-Poly1305 on the PSA  |
|            | driver API interface in CryptoCell enabled platforms            |
+------------+-----------------------------------------------------------------+
|  |TFMV-7|  | ARoT can access PRoT data via debug logging functionality       |
+------------+-----------------------------------------------------------------+
|  |TFMV-8|  | Unchecked user-supplied pointer via mailbox messages may cause  |
|            | write of arbitrary address                                      |
+------------+-----------------------------------------------------------------+
|  |TFMV-9|  | FWU does not check the length of the TLV's payload              |
+------------+-----------------------------------------------------------------+

.. |TFMV-1| replace:: :doc:`TFMV-1 <stack_seal_vulnerability>`
.. |TFMV-2| replace:: :doc:`TFMV-2 <svc_caller_sp_fetching_vulnerability>`
.. |TFMV-3| replace:: :doc:`TFMV-3 <crypto_multi_part_ops_abort_fail>`
.. |TFMV-4| replace:: :doc:`TFMV-4 <profile_small_key_id_encoding_vulnerability>`
.. |TFMV-5| replace:: :doc:`TFMV-5 <fwu_write_vulnerability>`
.. |TFMV-6| replace:: :doc:`TFMV-6 <cc3xx_partial_tag_compare_on_chacha20_poly1305>`
.. |TFMV-7| replace:: :doc:`TFMV-7 <debug_log_vulnerability>`
.. |TFMV-8| replace:: :doc:`TFMV-8 <user_pointers_mailbox_vectors_vulnerability>`
.. |TFMV-9| replace:: :doc:`TFMV-9 <fwu_tlv_payload_out_of_bounds_vulnerability>`

--------------

*SPDX-License-Identifier: BSD-3-Clause*

*SPDX-FileCopyrightText: Copyright The TrustedFirmware-M Contributors*