This document describes how the Secure JTAG on the i.MX RT1170 MCU
family can be used.
The i.MX RT series JTAG Controller (JTAGC) provides a way to regulate
JTAG access. Three JTAG security modes are available in the i.MX
RT series:
• No Debug mode—Maximum security is provided in this mode. All
security-sensitive JTAG features are permanently blocked, preventing any debug.
• Secure JTAG mode—High security is provided in this mode. Secret key-based challenge/response authentication
mechanism is used for JTAG access.
• JTAG Enabled mode—Low security is provided in this mode. It is the default mode of operation for the JTAGC.
Moreover, you can also fully disable the JTAGC functionality. These JTAG modes are configured with One Time Programmable
(OTP) eFuses, which are burned after packaging. The fuse burning process is irreversible: a fuse cannot be reverted
to the unburned state. This document uses Secure JTAG mode as its example. The aim of this mode is to allow return/field testing:
authorized reactivation of the JTAG port is allowed in this mode.
There are several hardware modifications that must be made to fully enable the JTAG on an RT1170-EVK. The resistors R37,
R41, R42, R43, and R44 must be soldered on. The resistors R78, R187, R195, and R208 must be removed. See the hardware
design manual and the EVKB schematic for more details.
Before the Secure JTAG can be enabled, the HAB must also be enabled and set to the HAB Closed mode. You can find the step-by-step
guide for enabling HAB in the i.MX RT1170 security application note.
2 i.MX RT1170 Secure JTAG support
JTAG access is limited in the Secure JTAG mode by using a challenge/response-based authentication. Any access to the JTAG port is
internally checked. Only the devices authorized for debugging (with the right response) can access the JTAG port; otherwise, JTAG
access is denied. External debugger tools (such as SEGGER J-Link, Lauterbach Trace32, Arm RVDS/DS5, etc.) that support
the challenge/response-based authentication mechanism can be used. The Secure JTAG mode is typically enabled in factory
manufacturing and not used during development.
2.1 How to put the chip in Secure JTAG mode
There is only one JTAG interface on the chip with two JTAG modes. The modes can be switched via the JTAG_MOD signal
(GPIO_LPSR_13 Alt0). When JTAG_MOD is at logic 0, the JTAG interface is in the debug mode and the DAP and JTAGC are
enabled. When JTAG_MOD is at logic 1, the JTAG interface is in the test mode and only TESTDP is enabled. For more information,
see the Chip and Arm Platform Debug Architecture chapter in the reference manual.
NXP Semiconductors
i.MX RT1170 Secure JTAG support
Figure 1. System Level Debug Architecture
2.2 i.MX RT JTAGC security modes
The i.MX RT1170 JTAG Controller (JTAGC) supports three different security modes. JTAG enabled is the default mode of
operation for JTAGC. The user can select the Secure JTAG mode by programming the value 0x1 to the eFuse labeled JTAG_SMODE,
described in Table 1. The eFuse has the default value 0x0, which means that the JTAG controller is unsecured by default.
Further details on eFuses are available in the Fusemap and On-Chip OTP Controller (OCOTP_CTRL) chapters of the
SRM_RT1170 Security Reference Manual for the i.MX RT1170, available at www.nxp.com upon request.
To lock a specific fuse word and prevent further modifications to all the fuses inside the fuse word, set the WORDLOCK bit of the
OCOTP register to 0x1 before writing into one of the fuses inside the chosen word. When the writing operation is completed, the
whole word is prevented from changing forever.
For more information, see the Bank redundancy vs ECC and Lock Bits chapters of the i.MX RT1170 Processor Reference Manual
(document IMXRT1170RM).
NOTE
Programming these fuses disables access to functions and JTAG Security Mode fuse bits. Users should ensure
that it is programmed last, once the final fuse configuration has been decided.
Secure JTAG for i.MXRT1170, Rev. 0, 02/2021
Application Note2 / 12
Table 1. eFuses associated with the Secure JTAG feature

| Addr[bits] | Fuse Name | Fuse Function | Settings |
|---|---|---|---|
| 0x960[9] | JTAG_HEO | JTAG HAB Enable Override. Disallows HAB JTAG enabling. The HAB may normally enable JTAG debugging by means of the HAB_JDE-bit in the OCOTP SCS register. The JTAG_HEO-bit can override this behavior | 0 - HAB may enable JTAG debug access; 1 - HAB JTAG enable is overridden (HAB may not enable JTAG debug access) |
| 0x960[1] | SEC_CONFIG[1] | Security Configuration Mode (together with SEC_CONFIG[0]) | SEC_CONFIG[1:0]: 00 - FAB (Open); 01 - Open - allows any code to be flashed and executed, even if it has no valid signature; 1x - Closed (Security On). This is programmed during the HAB enablement phase (by setting the HAB Closed mode) |
| 0x960[7:6] | JTAG_SMODE[1:0] | JTAG Security Mode. Controls the security mode of the JTAG debug interface | 00 - JTAG enable mode (Default); 01 - Secure JTAG mode; 11 - No debug mode |
| 0x960[11] | JTAG_DISABLE | Additional JTAG mode with the highest level of JTAG protection, thereby overriding the JTAG_SMODE eFuses. In this mode all JTAG features are disabled including Secure JTAG and Boundary Scan | 0 - JTAG is enabled; 1 - JTAG is disabled |
| 0x880[14:11] | JTAG_RESP_RLOCK[3:0] | JTAG_RESP_RLOCK[0]: Read lock of JTAG_RESP[31:0]; JTAG_RESP_RLOCK[1]: Read lock of JTAG_RESP[63:32]; JTAG_RESP_RLOCK[2]: Read lock of JTAG_RESP[95:64]; JTAG_RESP_RLOCK[3]: Read lock of JTAG_RESP[127:96] | Read Lock: 0000 - Unlock (the controlled field can be read in the corresponding IIM register); 1111 - Lock (the controlled field can't be read in the corresponding IIM register); others - should not be set |
| 0xCB0-0xCE0 | JTAG_RESP[127:0] | Response reference value for the secure JTAG controller | - |

NOTE
The level of security cannot be reduced but only increased. Since debug modes are controlled by OTP (Hardware
fuses), bits can only be blown once.
For example, the following mode changes are possible:
− “JTAG Enabled” to “Secure JTAG”
− “Secure JTAG” to “No debug”
2.3 Secure JTAG eFuses
The challenge/response mechanism used to authenticate the JTAG accesses uses a challenge value and the associated secret
response key. The keys are stored in eFuses inside the IC. The i.MX RT1170 series eFuses used to store the challenge value
and the secret response key are listed below:
• The challenge value is the “Device Unique ID” which is programmed into the eFuses. This Device ID is unique for
each IC and can be read from the OCOTP registers by their Fuse Row Index as follows: OCOTP->FUSE016 and
OCOTP->FUSE017. The eFuses are programmed during manufacturing.
• The user programs the secret response key (128 bits) into the eFuses marked JTAG_RESP.
After programming the secret response key, the user must disable the ability of software running on the Arm core to read or
overwrite the response key. This is done by programming 0x1111 to the associated lock eFuse JTAG_RESP_RLOCK.
The definition of the response value is left to the user. The Arm core cannot read the value once the response fuse field is
provisioned and locked.
2.4 SW Enabled JTAG
The Secure JTAG authentication may be bypassed in SW by writing '1' to the HAB_JDE (HAB JTAG DEBUG ENABLE) bit in the
e-fuse controller module. This opens JTAG regardless of its security mode. The S/W JTAG enable allows JTAG to be enabled
without activating the challenge/response mechanism.
The platform initialization software should set the LOCK bit for the JDE bit before transferring control to the application code, to ensure
that only the trusted SW can set the JDE bit.
The JTAG SW enable does not allow debug in case of a boot or memory fault, as it requires a reset before entering debug.
The JTAG_JDE bit SW enable backdoor access can be permanently disabled by burning the JTAG_HEO fuse.
NOTE
The S/W enabled JTAG feature reduces the overall security level of the system as it relies on S/W protections. If
this feature is not required, it is strongly recommended to burn the JTAG_HEO e-fuse which disables this feature.
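The fuse settings in Table 1 and the recommendations in sections 2.3 and 2.4 can be checked mechanically before a part is released. The following C code is an added example, not NXP code: it assumes the caller has already read the raw 32-bit fuse words at 0x960 and 0x880 and that the bit numbers in Table 1 index into those words; the function names and finding flags are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit positions from Table 1. Assumption: w960 and w880 are the raw 32-bit
 * fuse words at 0x960 and 0x880, read out by the caller. */
#define SEC_CONFIG1   (1u << 1)
#define JTAG_SMODE(w) (((w) >> 6) & 0x3u)
#define JTAG_HEO      (1u << 9)
#define JTAG_DISABLE  (1u << 11)
#define RESP_RLOCK(w) (((w) >> 11) & 0xFu)

enum {
    F_NOT_SECURED   = 1 << 0, /* JTAG_SMODE = 00: JTAG enable mode (default) */
    F_BAD_SMODE     = 1 << 1, /* 10 is not a setting listed in Table 1 */
    F_HAB_OPEN      = 1 << 2, /* Secure JTAG selected but HAB not Closed */
    F_RESP_READABLE = 1 << 3, /* JTAG_RESP_RLOCK is not 1111 */
    F_SW_BYPASS     = 1 << 4  /* JTAG_HEO unburned: HAB_JDE can still open JTAG */
};

/* Returns a bitmask of findings; 0 means nothing to flag. */
unsigned audit_jtag_fuses(uint32_t w960, uint32_t w880)
{
    unsigned f = 0, smode = JTAG_SMODE(w960);
    if (w960 & JTAG_DISABLE) return 0;       /* overrides JTAG_SMODE */
    if (smode == 0x0) return F_NOT_SECURED;
    if (smode == 0x2) f |= F_BAD_SMODE;
    if (!(w960 & JTAG_HEO)) f |= F_SW_BYPASS;
    if (smode == 0x1) {
        if (!(w960 & SEC_CONFIG1)) f |= F_HAB_OPEN;
        if (RESP_RLOCK(w880) != 0xFu) f |= F_RESP_READABLE;
    }
    return f;
}

/* eFuse bits only go 0 -> 1: the target must keep every burned bit. */
int fuse_transition_possible(uint32_t from, uint32_t to)
{
    return (from & ~to) == 0;
}

int main(void)
{
    /* Constructed sample words, not read from a real device. */
    printf("half provisioned: 0x%02x\n", audit_jtag_fuses(0x040, 0x0000));
    printf("fully locked:     0x%02x\n", audit_jtag_fuses(0x242, 0x7800));
    printf("01 -> 11 allowed: %d\n", fuse_transition_possible(0x040, 0x0C0));
    printf("11 -> 01 allowed: %d\n", fuse_transition_possible(0x0C0, 0x040));
    return 0;
}
```

F_SW_BYPASS is a finding to review rather than an error: it applies only when the S/W enabled JTAG feature is not required.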
2.4.1 JDE bit control in HAB (High Assurance Boot)
The HAB_JDE bit can be set to ‘1’ by the ROM boot SW after unlocking by the Authenticate CSF command.
Before generating the signed program image, the user must edit the UNLOCK section in the .sb file and provide the device-specific
UID in the proper format as a sequence of 8 bytes. See the example below for UID = 0x63e1841b440b81d2: