From 7bba265eed2fcd3940ef407b6c301868f73ede25 Mon Sep 17 00:00:00 2001
From: David Horstmann <david.horstmann@arm.com>
Date: Fri, 30 Jan 2026 12:23:16 +0000
Subject: [PATCH 1/2] Add link to TF-PSA-Crypto SECURITY.md

To avoid confusion about the threat model of cryptographic code, add a
link to the SECURITY.md of TF-PSA-Crypto. This should help users who are
unaware that the cryptography has been split into a separate repository.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
---
 SECURITY.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/SECURITY.md b/SECURITY.md
index 98cb59bd1c..7059970bb8 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -19,6 +19,12 @@ Only the maintained branches, as listed in [`BRANCHES.md`](BRANCHES.md),
 get security fixes.
 Users are urged to always use the latest version of a maintained branch.
 
+## Use of TF-PSA-Crypto
+
+Note that Mbed TLS uses the cryptography API provided by TF-PSA-Crypto. Its
+security policy can be found
+[here](https://github.com/Mbed-TLS/TF-PSA-Crypto/blob/development/SECURITY.md).
+
 ## Threat model
 
 We classify attacks based on the capabilities of the attacker.

From 8b1d9e49d9032bf228e2008f5012bab0fc3a0554 Mon Sep 17 00:00:00 2001
From: David Horstmann <david.horstmann@arm.com>
Date: Fri, 30 Jan 2026 14:51:59 +0000
Subject: [PATCH 2/2] Reword to be more specific

Specify that the cryptographic operations of Mbed TLS are governed by
its threat model and point specifically to block ciphers as an important
case of this.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
---
 SECURITY.md | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/SECURITY.md b/SECURITY.md
index 7059970bb8..e36162abd7 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -21,9 +21,13 @@ Users are urged to always use the latest version of a maintained branch.
 
 ## Use of TF-PSA-Crypto
 
-Note that Mbed TLS uses the cryptography API provided by TF-PSA-Crypto. Its
-security policy can be found
-[here](https://github.com/Mbed-TLS/TF-PSA-Crypto/blob/development/SECURITY.md).
+Note that Mbed TLS uses the cryptography API provided by TF-PSA-Crypto.
+Its
+[threat model](https://github.com/Mbed-TLS/TF-PSA-Crypto/blob/development/SECURITY.md#threat-model)
+applies to all cryptographic operations performed by Mbed TLS. In particular,
+users of Mbed TLS should note the considerations around
+[block ciphers](https://github.com/Mbed-TLS/TF-PSA-Crypto/blob/development/SECURITY.md#block-ciphers)
+since they apply to the block ciphers used in TLS.
 
 ## Threat model