Complete section "1.9 Operators of TEEs"

[eriktaubeneck]

I wasn't quite sure how to approach this (and I'm unsure if the text immediately above is appropriate.) I'm not sure if we should write this out assuming the operator can actually see inside the TEE, and then call out the hardware as a mitigation? Any suggestions here would certainly be appreciated! (cc @martinthomson @marianapr @palenica)

_Originally posted by @eriktaubeneck in https://github.com/patcg/docs-and-reports/pull/14#discussion_r1000966180_

[eriktaubeneck]

I think that we want to be direct about the threat model that a TEE is developed under. That is, physical access to the hardware might, with some non-trivial effort, be used to access the active state, which would otherwise be protected.

And we have to consider that the operator has physical access. This is precisely why some of us find use of a TEE uncomfortable/unacceptable.

I don't think we win by prevaricating on this point. We win by acknowledging it and tackling it head-on. That means strict requirements on operational practices by TEE operators, audits, and other such non-technical measures.

_Originally posted by @martinthomson in https://github.com/patcg/docs-and-reports/pull/14#discussion_r1001404869_

[eriktaubeneck]

I've opened this issue, as I'd like to get more input from others. TEEs have multiple different configurations which have different models, and I'm not an expert across them.