Eugen Leitl quotes Tom Ritter :

After reviewing the FIPs approval document for the drive[1], I've tried to put together a complete threat model outlining the major classes of attack on the hard drive in the interest of being rigorous.

Without wanting to sound too facetious, and mostly out of curiosity, what does FIPS 140 have to do with the threat modelling you've done? It doesn't address the vast majority of the stuff you've listed, so the threat-modelling is kind of a non-sequitur to "starting with FIPS 140". If you wanted to deal with this through a certification process you'd have to go with something like the CC (and an appropriate PP), assuming the sheer suckage of working with the CC doesn't tear a hole in the fabric of space-time in the process. Peter.