CVE-2021-40327

Name of the Vulnerable Software and Affected Versions Trusted Firmware-M (TF-M) version 1.4.0

Description The issue is related to incorrect access control in Trusted Firmware-M (TF-M) when Profile Small is used. Specifically, the Non-Secure Processing Environment (NSPE) can access a secure key held by the Crypto service based solely on knowledge of its key ID, without any authorization check associated with the relationship between a caller and a key owner.

Recommendations For Trusted Firmware-M (TF-M) version 1.4.0, consider restricting access to the Crypto service to minimize the risk of exploitation until a patch is available. As a temporary workaround, consider implementing additional authorization checks for key access to ensure that only authorized callers can access secure keys.