1. Field of the Invention
The invention relates to devices that include a Joint Test Action Group (JTAG) interface. More particularly, the invention relates to methods and devices for controlling the enablement of JTAG interfaces on such devices.
2. Description of the Related Art
The Joint Test Action Group (JTAG) interface is commonly included in end user communication devices to allow access to the device processor and other integrated circuit components within the device. For example, developers of firmware and other code embedded within a particular end user communication device can use the JTAG interface to run a debugger on the processor embedded within the device. Enabling the JTAG interface to allow such debugger access therefore improves the firmware development cycle.
However, once the end user communication device has been shipped to a customer, an enabled JTAG interface poses a security risk, especially for devices using a digital rights management (DRM) system to protect content stored within or accessible by the device. Control of the JTAG interface should therefore be such that the interface is enabled during development and production of the end user communication device but disabled once production is complete and the device is shipped to customers. It may nevertheless be desirable to enable the JTAG interface after the device has been shipped. For example, if an end user reports problems with a device, the device may be taken to a repair facility, where the JTAG interface may be unlocked to allow engineers to diagnose the problem.
Some conventional embedded processor platforms allow the JTAG interface to be enabled when the user provides a key or password unique to the end user communication device. Such a unique key or password can be delivered in a secure encrypted object; for example, access tokens that contain debugging rights for a specific device or list of devices can be used for this purpose.
Alternatively, other conventional platforms are based on a JTAG control block in the signed boot code. When the boot code is loaded during the device's secure boot process, the value of the JTAG control block determines whether or not the JTAG interface is enabled. However, this mechanism does not bind the signed code to the particular device containing the JTAG interface. Therefore, access to a signed boot code image whose JTAG control block enables the interface could allow a user to enable the JTAG interfaces of other end user communication devices.
Other conventional platforms are based on a flag in the boot code image that determines whether or not the JTAG interface is enabled. The JTAG on/off flag is included in the boot module and is loaded during the device's boot process. The boot module can be both signed and encrypted to prevent tampering and disclosure.
Once a boot code image with a JTAG=ON enablement flag has been created, signed and encrypted, that image must be kept secret. Because enablement of the JTAG interface is intended for development and debugging, end user communication devices shipped to customers (production devices) must run a different version of the boot code than development devices, i.e., a version with a JTAG=OFF enablement flag.
However, it is undesirable to base device security on a single global value. In this case, a signed and encrypted boot code image with a JTAG=ON enablement flag is exactly such a global value: it compromises the security of every other device that uses this security system and shares the same boot public key, which is used to verify the signature on the boot code image, and the same global encryption key (GEK), which is used to decrypt the boot code image.
One way to address this problem is to give development devices and production devices different boot public keys and/or different GEKs. A boot code image with a JTAG=ON enablement flag that is signed and encrypted for development devices will then not work on production devices. However, this approach does not allow the JTAG interface to be enabled on production devices at all. Therefore, if a production device shipped to a customer needs to be debugged, a developer cannot access the code for debugging because the JTAG interface cannot be enabled.
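As an added illustration, not part of the patent text, the following Python example models the two mechanisms described above: the JTAG=ON flag carried in a signed boot image, which verifies on every device holding the same boot key (and fails outright on a device population with a different key), and a device-bound access token whose signed payload names the specific device(s) it grants debugging rights for. The keys, device identifiers, image and token layouts, and the use of HMAC-SHA256 in place of an asymmetric boot signature are all assumptions made for the example; the GEK encryption layer is left out because it does not change the binding argument.

```python
import hashlib
import hmac
import json

# Constructed keys for the example (not values from the patent). A real platform
# verifies an asymmetric signature with a boot public key held by the device;
# HMAC-SHA256 stands in for that signature so the example runs with the standard
# library only. Encryption under the GEK is omitted for the same reason.
DEV_BOOT_KEY = b"constructed-development-boot-key"
PROD_BOOT_KEY = b"constructed-production-boot-key"
TOKEN_KEY = b"constructed-debug-token-issuer-key"

# Constructed device identifiers (e.g. a serial number or fused unique ID).
DEVICE_A = b"\x00\x00\x00\x01"
DEVICE_B = b"\x00\x00\x00\x02"

SIG_LEN = hashlib.sha256().digest_size  # 32 bytes


def _sign(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def _verify(key: bytes, payload: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(_sign(key, payload), sig)


def build_boot_image(jtag_on: bool, boot_key: bytes) -> bytes:
    """Conventional mechanism: a JTAG=ON/OFF flag inside the signed boot image.
    Layout (assumed): 1-byte flag || signature over the flag. No device
    identifier is part of the signed data."""
    flag = b"\x01" if jtag_on else b"\x00"
    return flag + _sign(boot_key, flag)


def boot_image_enables_jtag(image: bytes, boot_key: bytes, device_id: bytes) -> bool:
    """The secure boot decision. device_id is accepted only to make the point
    explicit: it is never consulted, so a JTAG=ON image that verifies on one
    device verifies on every device that holds the same boot key."""
    flag, sig = image[:1], image[1:]
    if len(sig) != SIG_LEN or not _verify(boot_key, flag, sig):
        return False  # tampered, or signed for a different key population
    return flag == b"\x01"


def issue_debug_token(device_ids: list[bytes], token_key: bytes = TOKEN_KEY) -> bytes:
    """Device-bound alternative: an access token whose signed payload names the
    specific device(s) it grants debugging rights for."""
    payload = json.dumps(
        {"right": "jtag", "devices": sorted(d.hex() for d in device_ids)},
        sort_keys=True,
    ).encode()
    return payload + _sign(token_key, payload)


def token_enables_jtag(token: bytes, device_id: bytes, token_key: bytes = TOKEN_KEY) -> bool:
    """Check performed on the device: verify the signature first, then require
    this device's own ID to appear in the signed device list."""
    if len(token) <= SIG_LEN:
        return False
    payload, sig = token[:-SIG_LEN], token[-SIG_LEN:]
    if not _verify(token_key, payload, sig):
        return False  # forged or modified token
    try:
        info = json.loads(payload)
    except ValueError:
        return False
    return info.get("right") == "jtag" and device_id.hex() in info.get("devices", [])


def scenario() -> dict:
    """Runs the comparison and returns each outcome so it can be checked."""
    dev_image = build_boot_image(True, DEV_BOOT_KEY)
    token_for_a = issue_debug_token([DEVICE_A])
    # Attacker flips the flag of a signed JTAG=OFF image without re-signing.
    forged = b"\x01" + build_boot_image(False, DEV_BOOT_KEY)[1:]
    # Attacker edits the device list of a valid token without re-signing.
    edited_token = token_for_a.replace(DEVICE_A.hex().encode(), DEVICE_B.hex().encode())
    return {
        "dev_image_on_a": boot_image_enables_jtag(dev_image, DEV_BOOT_KEY, DEVICE_A),
        "dev_image_on_b": boot_image_enables_jtag(dev_image, DEV_BOOT_KEY, DEVICE_B),
        "dev_image_on_prod": boot_image_enables_jtag(dev_image, PROD_BOOT_KEY, DEVICE_A),
        "forged_flag": boot_image_enables_jtag(forged, DEV_BOOT_KEY, DEVICE_A),
        "token_on_a": token_enables_jtag(token_for_a, DEVICE_A),
        "token_on_b": token_enables_jtag(token_for_a, DEVICE_B),
        "edited_token_on_b": token_enables_jtag(edited_token, DEVICE_B),
    }


if __name__ == "__main__":
    for name, enabled in scenario().items():
        print(f"{name:20s} JTAG {'ON' if enabled else 'OFF'}")
```

The two "dev_image" results on devices A and B are the single global value the text warns about: one leaked JTAG=ON image unlocks every device sharing the boot key. Splitting the key population (the "dev_image_on_prod" case) closes that hole but leaves production devices with no way to be debugged, whereas the token check depends on the device identifier inside the signed payload, so a token issued for one device, or for a listed group of devices, is useless on any other and cannot be edited without invalidating its signature.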
Accordingly, there has been a need to provide a method and device for controlling JTAG interface enablement to a single device or specified group of devices that overcomes the disadvantages associated with conventional JTAG interface enablement mechanisms.