From 7bba265eed2fcd3940ef407b6c301868f73ede25 Mon Sep 17 00:00:00 2001
From: David Horstmann <david.horstmann@arm.com>
Date: Fri, 30 Jan 2026 12:23:16 +0000
Subject: [PATCH] Add link to TF-PSA-Crypto SECURITY.md

To avoid confusion about the threat model of cryptographic code, add a
link to the SECURITY.md of TF-PSA-Crypto. This should help users who are
unaware that the cryptography has been split into a separate repository.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
---
 SECURITY.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/SECURITY.md b/SECURITY.md
index 98cb59bd1c..7059970bb8 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -19,6 +19,12 @@ Only the maintained branches, as listed in [`BRANCHES.md`](BRANCHES.md),
 get security fixes.
 Users are urged to always use the latest version of a maintained branch.
 
+## Use of TF-PSA-Crypto
+
+Note that Mbed TLS uses the cryptography API provided by TF-PSA-Crypto. Its
+security policy can be found
+[here](https://github.com/Mbed-TLS/TF-PSA-Crypto/blob/development/SECURITY.md).
+
 ## Threat model
 
 We classify attacks based on the capabilities of the attacker.