DFT JTAG and ARM JTAG are discussed in our post of ARM JTAG and DFT JTAG as well as SWD and 1149.7
This post extends the discussion to security of DFT JTAG and ARM JTAG and the protection methodologies.
Let’s brief review DFT JTAG and ARM JTAG first. DFT JTAG port is used for DFT team to access chip for logic and memory test. This is achieved through the path of DFT JTAG Pins to TAP controller to Data Register 0 (DR0) and Data Register 1 (DR1) to LBIST and MBIST. Note this diagram is simplified. In fact there could be many Data Registers, multiple LBIST controllers, and multiple MBIST controllers.
DFT JTAG port can also be used to access normal function hardware modules. This is through DFT JTAG pins to TAP controller to DR3 to JTAG Bus Master to SoC NIC (network interconnect) to hardware blocks.
ARM JTAG is used to connect external ARM debugger to on-chip ARM processor for processor debug purpose. ARM JTAG pins are normally shared with other IO pins due to reduce pin/pad count. External ARM debugger can follow the path of GPIO pins, ARM DP (debug port), ARM AP (access port), ARM processor internal NIC, and finally accesses ARM’s on-chip debug modules such as ITM/ETM and also ARM processor core internal registers.
Next let’s take a look of what is security risk associated with DFT JTAG and ARM JTAG.
To gain access you can subscribe to this author's posts at Subscription of SD-RTL-DGN Posts. Subscription is valid for three months.