specification: Clarify TSM in security requirement
Signed-off-by: Jiewen Yao <[email protected]>
jyao1 authored and sameo committed Feb 6, 2024
1 parent bafeb3d commit d293de4
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions specification/05-security_model.adoc
Expand Up @@ -6,19 +6,20 @@ The CoVE-IO security model is built on the following assumptions:
- The host platform physical devices are owned by untrusted domain software
components (e.g. the host VMM or the hypervisor) that are not part of any
TVM TCB and are thus untrusted by TVMs.
- The TSM is the security policy enforcer.
- Only the TVM owner can assess of a TDI trustworthiness. Based on that
assessment, it explicitly accepts or rejects a TDI into its TCB.
- A TDI may access a TVM confidential memory through DMA only when all the
following conditions are met:
* The TVM owner has explicitly allowed the TDI to access its confidential
memory by accepting it.
* The TDI is exclusively assigned to the TVM, i.e. it must not be shared
with other TVMs or any host software component.
with other TVMs or any host software component. This is enforced by the TSM.
- A TVM may access a TDI trusted MMIO space only when all the following
conditions are met:
* The TVM owner has explicitly accepted the TDI.
* The TDI is exclusively assigned to the TVM, i.e. it must not be shared
with other TVMs or any host software component.
with other TVMs or any host software component. This is enforced by the TSM.
- Until a TDI is accepted by the TVM:
* The TDI is not allowed to DMA into the TVM confidential memory.
* Trusted MMIO access to the TDI is blocked by TSM.
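Review bot: the enforcement attribution this change adds to the two exclusive-assignment bullets is not carried through to the DMA bullet under "Until a TDI is accepted by the TVM": "The TDI is not allowed to DMA into the TVM confidential memory." still names no enforcer, while the bullet right after it reads "Trusted MMIO access to the TDI is blocked by TSM." Since the hunk also introduces "The TSM is the security policy enforcer." as a model assumption, state which component blocks the DMA path as well (for example "... is blocked by the TSM.", if that is the intent), so the pre-acceptance rules read consistently. Minor, in unchanged context: "Only the TVM owner can assess of a TDI trustworthiness" would read better as "can assess a TDI's trustworthiness".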