Diagnostic ports, such as a JTAG (Joint Test Action Group) port, are provided on microprocessor-controlled systems to permit diagnosing of hardware or software problems. Standard, off-the-shelf equipment can be connected to a system through these ports to directly control the connected microprocessor, memory, and/or peripheral ports, for performing CPU commands, tracing program execution, stopping at breakpoints, etc. Such diagnostic ports are invaluable tools for searching for the cause of unexpected behavior of a system. Therefore, these ports should be built into the system and not permanently disabled or removed after manufacturing.
While diagnostic ports support the diagnosis of problems in microprocessor-controlled systems, they are also a source of vulnerability. An adversary can connect a debugger to the port and access all the secrets on the security system. Therefore, the use of these ports must be controlled. Methods and devices which protect sensitive data by making it inaccessible (either ab initio or by active erasure) when access to a diagnostic port is attempted have been described.
Other control solutions include fuses, which can be blown to permanently disable the diagnostic ports after their use. However, security systems using permanent changes (such as fuses), cannot be reused after diagnosis.
Hardware or software authentication mechanisms such as passwords, tokens, biometrics etc., could also be used. Special software (or firmware) versions can be authenticated and loaded to open up the ports. Switches or jumpers can be used to activate special resident firmware versions, which open up the ports. The main drawback of these methods is that activation of the diagnostic ports requires functional authentication, so problems affecting that function cannot be diagnosed.
After opening up the ports, all the confidential data that was stored in the system, which might not have been deleted because of a system failure, become available. Therefore, it would be desirable to delete confidential data before enabling the diagnostic port and to restore the confidential data after the diagnostic operation is completed.
This invention provides a system having a diagnostic port, wherein access to secure components of the system is prevented.