Commit 93893d64 authored by Calogero Alessio Di Carlo

Update file EN-304-626.md

parent fbde9eab
+9 −0
@@ -954,6 +954,15 @@ Potential additional sources of security requirements
* [CHERI BSD](https://www.cheribsd.org/)
* [ETSI EN 103 732](https://portal.etsi.org/webapp/workprogram/Report_WorkItem.asp?WKI_ID=69549)

**Hardware-Based Countermeasures**
* Secure boot with HW Root of Trust: Ensures that only authenticated firmware is executed, anchored in immutable hardware
* Hardware-backed Key Storage (e.g., TPM, Secure Enclave): Protects cryptographic keys from software-level attacks and unauthorized access
* Memory Protection Units (MPU and/or MMU): Enforces access control policies at hardware level, isolating critical OS components
* Hardware-enforced Execution Zones (e.g., ARM TEE): Enables secure execution environments for sensitive operations.
* Bootloader Locking and Firmware/SW Anti-rollback: Prevents downgrading to vulnerable firmware/SW versions.
* Hardware Watchdog Timers: Detects and recovers from system hangs or malicious loops
* Secure Debug Interface Management: Disabling or restricting access through state-of-the-art security mechanisms debug access 

## 5.3 Risk Mitigations

> **TODO**: Connect the technical security requirements in Section 5.2 to specific Risk Factors, and define these as sets of Risk Mitigations that will be referenced in section 6.
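
Review bot: The last added bullet, "Secure Debug Interface Management: Disabling or restricting access through state-of-the-art security mechanisms debug access", is garbled: "debug access" trails the sentence, "access" appears twice, and the line ends in a stray space. Suggest rewording it as "Disables or restricts debug access through state-of-the-art security mechanisms", which also matches the verb form of the other bullets ("Ensures", "Protects", "Enforces"). Terminal punctuation is inconsistent as well: the Execution Zones and Anti-rollback bullets end with a period and the other five do not. Finally, the block is placed under "Potential additional sources of security requirements", where the preceding entries are links to external references; a list of countermeasures reads more naturally under 5.3 Risk Mitigations, whose TODO asks for exactly this kind of content tied to specific Risk Factors. Add a blank line between the bold title and the first bullet so the list renders consistently across Markdown parsers.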