At present, there are well-known ways of testing for the proper working of the functional elements of an integrated circuit. This is done by the imposition and/or determination, at predefined instants, of the values of data present at certain internal points of this integrated circuit.
A technique of this kind for testing the internal paths of an integrated circuit, known as a “scanpath” or “internal scan method” is described for example in M. Williams and J. Angel, “Enhancing Testability of LSI Circuits Via Test Points and Additional Logic”, IEEE Transactions on Computers, Vol. C-22, No. 1; January 1973, which is incorporated by reference.
In this technique, each of the flip-flop circuits of the logic circuit, for which it is necessary to know the state and/or dictate the content during the standard operation of the integrated circuit, is provided at one input with a multiplexer.
The different flip-flop circuits and the multiplexers that are associated with them thus constitute an equivalent number of configurable cells whose access points are controlled by these multiplexers.
The multiplexers of these different configurable cells are collectively controlled by a TAP (test access port) controller which, depending on a chosen mode of operation, uses this set of configurable cells either as a standard functional circuit integrated with the logic circuit that it forms with the logic cells, or as a test circuit.
To do this, the TAP controller receives control signals on different command lines and/or address lines by which it is connected to the different configurable cells. These command signals are for example a signal for commanding a passage into test mode, a chaining command signal, or again a data-propagation command signal that permits the modification of and/or modifies the data circulation paths within the integrated circuit and also enables the controller to capture this data for subsequent analysis.
In standard operating mode, the TAP controller therefore drives the multiplexers of the configurable cells so that the flip-flop circuits of these cells are connected to surrounding logic cells to define one or more functional sub-units of the integrated circuit.
In the test mode, which is normally activated upon reception by the TAP controller of the command signal commanding passage into a test mode, this controller produces a chaining command signal to set up a series connection of the flip-flop circuits of the configurable cells so as to form a shift register.
This register has a series input and a series output respectively connected to one output and to one input of the TAP controller, as well as a clock input receiving the data propagation command signal to set the rate of the datastream.
Initially, the TAP controller serially loads data into the flip-flop circuits of the configurable cells through the input of the shift register formed by these cells.
Then, the TAP controller changes the switching of the multiplexers to form the functional circuit, and commands the execution of one of more clock cycles by this functional circuit. In this phase, the data loaded into the flip-flop circuits of the configurable cells are processed by the functional circuit.
The controller then again changes the switching of the multiplexers to form the shift register once again and serially retrieves, at the output of this shift register, the data stored in the flip-flop circuits of the configurable cells during the last clock cycle.
Despite the confirmed value of this testing technique, its practical application can be a problem in certain circumstances, especially in integrated circuits that process secret data.
Because the activation of the test mode may enable an individual intent on fraud to read the contents of the flip-flop circuits of the configurable cells, this test has the drawback, in principle, of making such circuits very vulnerable to fraudulent use.
For example, by stopping a process of internal loading of secret data into the integrated circuit at various points in time, and by unloading the content of the shift register, an individual intent on fraud could obtain information on secret data or even reconstitute this secret data.
By activating the test mode, an individual intent on fraud could also obtain write access to the flip-flop circuits of the configurable cells to insert fraudulent data or else to place the integrated circuit in an unauthorized configuration. He could thus, for example, access a register controlling a security element such as a sensor to deactivate it. He could also inject a piece of erroneous data in order to obtain information on a piece of secret data.
The individual intent on fraud may actually adopt two different strategies: the first strategy consists in taking control of the TAP controller and observing the content of the cells of the shift register at the external pads; the second strategy consists in taking control of the configurable cells by exciting them by micro-probing so as to simulate the driving of these cells by the command signals emitted by the TAP controller.
A fraud attempt based on the second strategy can be thwarted by a technique that is the object of a patent application FR04/00837, which is commonly owned with the present application and which is incorporated by reference. The electronic circuit includes a spy circuit connected to a set of several command lines: at least a first one of these command lines is assigned to the transmission of the chaining command signal configuring the configurable cells as a shift register, at least a second one of these command lines is assigned to the transmission of the passage-to-test-mode command signal which activates the controller, and at least a third one is assigned to the transmission of the mode signal indicating the mode of operation of the controller. The spy circuit is a combinatorial logic circuit comprising a set of logic gates. The spy circuit combines all the signals received and produces an output signal representing an attempt at intrusion if the passage-to-test-mode command signal or the mode signal is inactive while the chaining command signal is active.
The circuit of FR04/00837 is efficient in detecting any intrusion into the circuit and any attempt to take over control of the shift register. However, the implementation of the combinatorial logic circuit as a spy circuit entails considerable excess costs for the manufacture of the circuit. In particular, the process of placing-routing the elementary components on silicon becomes more complex with an increased risk of error. This is because the placing-routing of the spy circuit is typically done manually, after the automatic placing/routing of the other elementary components, because the spy circuit is typically of a unique type and very different from the other components of the integrated circuit. It is thus often necessary to perform the following operations manually: identify all the signal lines, place the spy circuit in the vicinity of the other elementary components, appropriately route some of the lines to the spy circuit, make sure that the additional connections made manually will not disturb the working of the other elementary components owing to parasitic radiation, if any, caused by manual connections etc. Furthermore, if the placing/routing must be reiterated to optimize the entire circuit, then it may be necessary to reiterate the manual placing/routing of the spy circuit after each operation for the automatic placing/routing of the other components of the circuit.