RQ-SURFACE-007: independent verification requirement too unspecific
Standard Version (see README.md for info): 2f339c83
Line Number: 1654
Clause/Subclause: RQ-SURFACE-007
Comment:
The requirement only says:
The boot manager shall perform verification checks using at least two independent mechanisms.
This is too unspecific. It does not state the use case (boot chain integrity verification, credential verification, physical presence verification, decommissioning verification, ...), gives no rationale, and does not indicate how independent the two verification mechanisms must be.
Proposed Changes:
I would assume the requirement is inspired by some external standard. For example, from NIST 800-193 draft, Section 4.3.1
A successful attack which corrupts the active critical data or the firmware image, or subverts their protection mechanisms, shall not in and of itself result in a successful attack on the RTD or the information necessary to detect corruption of the firmware image.
or Section 3.3
A platform may need multiple independent Roots of Trust
Maybe cite the relevant external standard, or copy its examples and rationale, and add an entry to Annex E (informative): Relation to NIST SP 800-193.