At present, there are well-known ways of testing for the proper working of the functional elements of an integrated circuit. This is done by the imposition and/or determination, at predefined instants, of the values of data present at certain internal points of this integrated circuit.
A technique of this kind for testing the internal paths of an integrated circuit, known as a “scanpath” or “internal scan method” is described for example in M. Williams and J. Angel, “Enhancing Testability of LSI Circuits Via Test Points and Additional Logic”, IEEE Transactions on Computers, Vol. C-22, No. 1; Jan. 1973, which is incorporated by reference.
In this technique, each of the flip-flop circuits of the logic circuit, for which it is necessary to know the state and/or dictate the content during the standard operation of the integrated circuit, is provided at one input with a multiplexer. The different flip-flop circuits and the multiplexers that are associated with them thus constitute an equivalent number of configurable cells whose access points are controlled by these multiplexers.
The multiplexers of these different configurable cells are collectively controlled by a TAP (test access port) controller which, depending on a command signal defining a selected mode of operation, uses this set of configurable cells either as a standard functional circuit integrated with the logic circuit that it forms with the logic cells, or as a test circuit.
To do this, the TAP controller receives control signals on different command lines and/or address lines by which it is connected to the different configurable cells. These command signals are for example a mode command signal, a chaining command signal or again a data-propagation command signal that permits the modification of and/or modifies the data circulation paths within the integrated circuit and also enables the controller to capture data for subsequent analysis.
In standard operating mode, the TAP controller therefore drives the multiplexers of the configurable cells so that the flip-flop circuits of these cells are connected to surrounding logic cells to define one or more functional sub-units of the integrated circuit.
In the test mode, which is normally activated upon reception by the TAP controller of a command signal commanding passage into a test mode, this controller produces a chaining command signal to set up a series connection of the flip-flop circuits of the configurable cells so as to form a shift register.
This register has a series input and a series output respectively connected to one output and to one input of the TAP controller, as well as a clock input receiving a clock signal to set the rate of the datastream.
Initially, the TAP controller serially loads data into the flip-flop circuits of the configurable cells through the input of the shift register formed by these configurable cells.
Then, the TAP controller changes the switching of the multiplexers to form the functional circuit, and commands the execution of one of more clock cycles by this functional circuit. In this phase, the data loaded into the flip-flop circuits of the configurable cells are processed by the functional circuit.
The controller then changes the switching of the multiplexers once again to form the shift register once again and serially retrieves, at the output of this shift register, the data stored in the flip-flop circuits of the configurable cells during the last clock cycle.
Despite the confirmed value of this testing technique, its practical application can be a problem in certain circumstances, especially in integrated circuits that process secret data.
Because the activation of the test mode may enable an individual intent on fraud to read the contents of the flip-flop circuits of the configurable cells, this test technique has the drawback, in principle, of making such circuits very vulnerable to fraudulent use.
For example, by stopping a process of internal loading of secret data into the integrated circuit at various points in time, and by unloading the contents of the shift register, an individual intent on fraud could obtain information on secret data or even reconstitute this secret data.
By activating the test mode, an individual intent on fraud could also obtain write access to the flip-flop circuits of the configurable cells to insert fraudulent data or else to place the integrated circuit in an unauthorized configuration. He could thus, for example, access a register controlling a security element such as a sensor to deactivate it. He could also inject a piece of erroneous data in order to obtain information on a piece of secret data.
The individual intent on fraud may actually adopt two different strategies: the first strategy consists in taking control of the TAP controller and observing the contents of the cells of the shift register at the external pads; the second strategy consists in taking control of the configurable cells by exciting them by micro-probing so as to simulate the driving of these cells by the command signals emitted by the TAP controller.