If Mbed TLS is running in an SGX enclave and the adversary has
control of the main operating system, they can launch a side-channel
attack to recover the RSA private key when it is being
imported.
The attack only requires access to fine-grained measurements of
cache usage. Therefore, the attack might be applicable to a scenario
where Mbed TLS is running in the TrustZone secure world and the
attacker controls the normal world, or possibly when Mbed TLS is
part of a hypervisor and the adversary has full control of a guest
OS.