threat_model/firmware_threat_model/threat_model.rst

26 - All TF-A images are run from either ROM or on-chip trusted SRAM. This means
27   TF-A is not vulnerable to an attacker that can probe or tamper with off-chip
163   to tamper with a hardware (e.g. "rewiring" a chip using a focused
164   ion beam (FIB) workstation or decapsulate the chip using chemicals) is
168   chip, notably those like Power Analysis Attacks, are out-of-scope. Power
801 |                        |   in the middle of the off-chip images, they could    |
825 | Mitigations            | Copy image to on-chip memory before authenticating    |
832 |                        |   arranging images to be loaded in on-chip memory.    |
848 |                        |   ROTPK, which is the key stored inside the chip and  |
926      the Event Log which is located on the secure on-chip memory of the AP. The
939      |HES| secure on-chip memory. |HES| implements protection against tampering
940      its on-chip memory. |HES| interface is available for BL1 and BL2.
942      are stored in |RSE| secure on-chip memory. |RSE| implements protection
943      against tampering its on-chip memory. DPE provides additional protection