From 4903139bc43436d8684cc837a399cc6d92d6440b Mon Sep 17 00:00:00 2001 From: Tom Cosgrove Date: Wed, 22 Mar 2023 12:20:36 +0000 Subject: [PATCH] Add security entry to ChangeLog for AES-NI Signed-off-by: Tom Cosgrove --- ChangeLog.d/aes-ni-security-notice.txt | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 ChangeLog.d/aes-ni-security-notice.txt diff --git a/ChangeLog.d/aes-ni-security-notice.txt b/ChangeLog.d/aes-ni-security-notice.txt new file mode 100644 index 0000000000..ccf8c9a67f --- /dev/null +++ b/ChangeLog.d/aes-ni-security-notice.txt @@ -0,0 +1,6 @@ +Security + * MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on + builds that couldn't compile the GCC-style assembly implementation + (most notably builds with Visual Studio), leaving them vulnerable to + timing side-channel attacks. There is now an intrinsics-based AES-NI + implementation as a fallback for when the assembly one cannot be used.
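Review bot: the new ChangeLog entry should tell affected users what to check, not only what went wrong. As written, the hunk in ChangeLog.d/aes-ni-security-notice.txt states that MBEDTLS_AESNI_C "was silently ignored" on builds that could not compile the GCC-style assembly (notably Visual Studio) and that an intrinsics-based fallback now exists, but it does not say which released versions have the problem, whether the fallback is picked up automatically or needs a configuration change, or how a user can confirm that their build is actually using AES-NI rather than the portable, timing-sensitive implementation. Since the entry is classified under "Security", readers triaging it will want at least the affected-version range and a pointer to the config option(s) that select the implementation; consider also stating plainly what happens on a build that can use neither the assembly nor the intrinsics, so that "silently" does not remain true for that case.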