The security page (docs/architecture/security.md) lists mechanisms but admits we have no written threat model. We should write one before the security claims can be taken as more than design intent.
Open questions to pin down:
- What is the attacker assumed to control?
- What's explicitly out of scope (physical attacks? side channels? malicious firmware below EL3)?
- Which guarantees survive a compromised user-space driver vs. a compromised service?
Good entry point for someone with a security background.
The security page (docs/architecture/security.md) lists mechanisms but admits we have no written threat model. We should write one before the security claims can be taken as more than design intent.
Open questions to pin down:
Good entry point for someone with a security background.