dbsc

Goal/Non-Goal definition has multiple interpretations.

Open alextok opened this issue 1 year ago • 4 comments

I interpret Non-Goal as "If the OS supports device binding, it should be secure, otherwise - no". However, it is not clear to me, and I believe it should be explicitly called out, whether covering the following attack is a goal or not. Assume a device supports hardware binding, but it doesn't stop malware from generating an exportable key and using it for the binding of cookies, then exporting the key with the cookie to a controlled device, and using it from there forever. Is covering this attack a goal or a non-goal?

alextok, Sep 26 '23 19:09