Skip to content

Gap: there is no written threat model #2

Description

@AwaleSagar

The security page (docs/architecture/security.md) lists mechanisms but admits we have no written threat model. We should write one before the security claims can be taken as more than design intent.

Open questions to pin down:

  • What is the attacker assumed to control?
  • What's explicitly out of scope (physical attacks? side channels? malicious firmware below EL3)?
  • Which guarantees survive a compromised user-space driver vs. a compromised service?

Good entry point for someone with a security background.

Metadata

Metadata

Assignees

No one assigned

    Labels

    designArchitecture / design discussionhelp wantedExtra attention is neededsecuritySecurity model / hardening

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions