The present application relates generally to an improved data processing apparatus and method and more specifically to mechanisms for collecting debug data in a secure chip implementation.
Modern processor chips typically include debug interfaces, e.g., a Joint Test Action Group (JTAG) debug interface, the IBM Field Replaceable Unit (FRU) Service Interface (available from International Business Machines (IBM) Corporation of Armonk, N.Y.), an I2C Slave interface, etc., which are used during manufacturing, testing and operation to extract debug information from the processor chip in order to ensure that the processor chip functions properly. However, once a processor chip is installed in a secure product, i.e. a computing or electronic device, and thus is “in the field”, these debug interfaces are typically locked so that the processor chip operates in a secure mode. This is to eliminate a pathway by which intruders may obtain access to the processor and control it in an undesirable manner. As a result, debug information cannot be obtained via these debug interfaces after the processor chip has been put into service, because of the secure mode of operation and the disablement of the debug interfaces.
In order to address this issue, some solutions have been offered, but all of them suffer from various drawbacks. For example, IBM RiscWatch, available from IBM Corporation, ARM EJTAG, and the Extended Debug Probe (XDP) available from Intel Corporation all use a JTAG (IEEE 1149.1) interface built into the processor to give an external debug probe access to processor internal registers for extracting debug information from the processor chip. Security is very difficult to implement and verify for such JTAG interfaces. Access protection, i.e. no access or read-only access, has to be determined at chip design time for every individual register bit. Logic side-effects or missed functionality easily break either the security or the function of the chip, which results in a new silicon release of the processor chip being required. For example, assume that a particular register needs to be accessed even in secure chip operation, i.e. after the secure chip is fabricated and deployed in a product. Instead of keeping the debug interface fully closed, an exception may be made for the particular register. However, this solution does not allow one to add any other register exceptions later on, because the exceptions must be implemented “in silicon.”
Another solution in x86 processor chip based systems is the Non-Maskable Interrupt (NMI) debugger. The NMI debugger is a piece of code in the basic input/output system (BIOS) that is started when a fatal error occurs or a physical button on the front of the computing device is pressed. The NMI debugger provides a debugger that accesses all registers in-band, i.e. from within the processor chip itself, having full control of the processor. The NMI debugger is implemented as part of the operating system: when the physical button on the computing device is pressed, the operating system jumps to a special exception vector where the operating system has placed its debugging code. With the NMI debugger, there is no hardware access protection, and the NMI debugger is dependent on a fully functional, i.e. non-failing, main processor executing code.