Most embedded devices provide a JTAG interface for debugging purposes. However, if left unprotected, this interface can become an important attack vector on the system.
The JTAG port on the STM32MP13 is managed as follows:
-
JTAG port is enabled on open devices
-
JTAG port is initially disabled on closed devices
Although the JTAG port is initially disabled on closed devices, it could be enabled from the secure world.
Optionally, on a closed device, you can secure the JTAG port in two modes:
-
Disable boundary scan: This mode protects boundary scan against control and sampling.
-
Disable JTAG port: This mode disables access to all test outputs (including JTDO). JTDO output and input paths are blocked. JTMS output path (for SWDIO) is blocked. BSCAN is disabled.
Disable boundary scan
This mode protects boundary scan against control and sampling.
| You can only disable boundary scan on closed devices. See Set up secure boot for information on securing and closing a device. |
| Disabling boundary scan requires burning e-fuses. This is an irreversible operation. |
To disable boundary scan, run the following command in U-Boot:
=> trustfence prog_jtag disable-bscanReset the device, and check the result of command trustfence status:
=> reset
(...)
=> trustfence status
* PKHTH fuses: [PROGRAMMED] [LOCKED]
* EDMK fuses: [NOT PROGRAMMED] [NOT LOCKED]
* Secure boot: [CLOSED]
* JTAG: [BSCAN disabled]Disable JTAG port
This mode disables access to all test outputs (including JTDO). JTDO output and input paths are blocked. JTMS output path (for SWDIO) is blocked. BSCAN is disabled.
| You can only disable the JTAG port on closed devices. See Set up secure boot for information on securing and closing a device. |
| Disabling the JTAG port requires burning e-fuses. This is an irreversible operation. |
To disable the JTAG port completely, run the following command in U-Boot:
=> trustfence prog_jtag disable-jtagReset the device, and check the result of command trustfence status:
=> reset
(...)
=> trustfence status
* PKHTH fuses: [PROGRAMMED] [LOCKED]
* EDMK fuses: [NOT PROGRAMMED] [NOT LOCKED]
* Secure boot: [CLOSED]
* JTAG: [DISABLED]
