Open eriktaubeneck opened 2 years ago
I think that we want to be direct about the threat model that a TEE is developed under. That is, physical access to the hardware might, with some non-trivial effort, be used to access the active state, which would otherwise be protected.
And we have to consider that the operator has physical access. This is precisely why some of us find use of a TEE uncomfortable/unacceptable.
I don't think we win by prevaricating on this point. We win by acknowledging it and tackling it head-on. That means strict requirements on operational practices by TEE operators, audits, and other such non-technical measures.
_Originally posted by @martinthomson in https://github.com/patcg/docs-and-reports/pull/14#discussion_r1001404869_
I've opened this issue, as I'd like to get more input from others. TEEs have multiple different configurations which have different models, and I'm not an expert across them.
_Originally posted by @eriktaubeneck in https://github.com/patcg/docs-and-reports/pull/14#discussion_r1000966180_