Testing the correct operation of functional elements of an integrated circuit is well known today by setting or determining, at predefined times, data values present at certain internal points of the integrated circuit. Such a technique for testing internal paths of an integrated circuit (referred to as the “scanpath” or the “internal scan method”) is described, for example, in the publication of M. Williams and J. Angel, entitled “Enhancing Testability of LSI Circuits Via Test Points and Additional Logic,” IEEE Transactions on Computers, vol. C-22, no. 1, January 1973.
According to this technique, each of the flip-flops of the logic circuit, of which it is useful to know the state or to set the content during the normal operating mode of the integrated circuit, is furnished with a multiplexer at its input. The various flip-flops and the multiplexers that are associated with them therefore constitute many configurable units, the accesses of which are individually controlled by these multiplexers. The multiplexers of these different configurable units are collectively controlled by an access controller or “TAP controller” (“TAP” for “Test Access Port”) which, according to a chosen operating mode, utilizes this group of configurable units either as a normal functional circuit integrated into the logical circuit that it forms with the logic units or as a test circuit. To do this, the TAP controller addresses command signals to various command drivers, through which it is connected to the various configurable units. The command signals may include a mode command signal, a chaining command signal or even a data propagation command signal, which modifies the circulation paths of data within the integrated circuit and thus allows the capture of these data by the controller for their analysis.
In standard operating mode, the TAP controller therefore drives the multiplexers of the configurable units so that the flip-flops of these units are connected to surrounding logic units to define one or a plurality of functional sub-groups of the integrated circuit.
In the test mode, which is normally activated with the receipt by the TAP controller of a test execution command, this controller produces a chaining command signal to connect the flip-flops of the configurable units in a series so as to form a shift register. This register includes, in particular, a serial input and a serial output respectively connected with an output and an input of the TAP controller, as well as a clock input receiving a clock signal to synchronize the data flow. First, the TAP controller serially loads data into the flip-flops of the configurable units through the input of the shift register that these units form. Then the TAP controller changes the switching of the multiplexers to form the functional circuit and commands the execution of one or a plurality of clock cycles by this functional circuit. The data loaded into the flip-flops of the configurable units are then processed by the functional circuit. The controller then changes the switching of the multiplexers to form the shift register again and recovers, serially from the output of the shift register, the data memorized in the flip-flops of the configurable units during the final clock cycle.
Despite the confirmed advantage of this testing technique, its practical application can in certain circumstances prove to be problematic, in particular on integrated circuits that process secure data. Indeed, insofar as the activation of the test mode can allow an unauthorized user to read the contents of the flip-flops of the configurable units, this testing technique presents, in principle, the drawback of making such circuits very vulnerable to unauthorized use. For example, by stopping an internal loading process for secret data into the integrated circuit and by unloading the contents of the shift register, an unauthorized user can determine that the units whose flip-flops are changing state contain the secret data. The unloading of the shift register at an opportune moment then allows the unauthorized user to recover the secret data. By activating the test mode, an unauthorized user could also obtain write-access to the flip-flops of the configurable units in order to insert fraudulent data or to place the integrated circuit into a non-authorized configuration. He or she could thus, for example, access a register controlling a security component such as a sensor or could deactivate it. He or she could also inject erroneous data in order to obtain information on a secret data item.
The unauthorized access can in fact adopt two different strategies. The first strategy consists of taking control of the TAP controller and observing the contents of the shift register's units through external contacts. The second strategy consists of taking control of the configurable units by exciting them through a microprobe so as to simulate the driving of these units by the command signals that the TAP controller transmits, as illustrated in FIG. 1. A microprobe for a single unit then allows one to obtain the collection of data placed upstream in the shift register. If the units of the shift register are synchronous, it would not even be necessary to take control of the test clock, as the standard functioning mode clock permits the generation of the shift.
As shown in FIG. 1, an unauthorized user can relatively easily identify one of the units 3 belonging to the shift register 1 and its input receiving the command signal from the TAP controller 2. It is then relatively easy to follow the electronic trail linking this input to reach the source of the command signal from the TAP controller (output 21 of the TAP controller 2 or connection contact of a TAP controller). A microprobe 4 applied at the level of the source of the command signal allows one to simulate a test mode with the group of shift register units.
There exists therefore a need for an electronic circuit that overcomes one or a plurality of these drawbacks.