SoC security evaluation: Reflections on methodology and tooling