SPRUJC1 April 2024

 


Modifying the Secondary Bootloader’s x509 Certificate

JTAG access is controlled by a debug extension field in the x509 certificate. By default, for an easy out-of-the-box user experience, the PROCESSOR-SDK-RTOS enables debug via JTAG on HS-SE devices in the Secondary Bootloader’s (SBL) x509 certificate. To disable or change the level of JTAG access on HS-SE devices, the user must manually change the debug extension used in the PROCESSOR-SDK-RTOS x509 signing scripts and templates when building the SBL. Because the ROM Loader does not support unlocking JTAG for debugging the HSM, the user must delete the debug extension from the SBL’s x509 certificate. The following steps describe how to delete the SBL’s debug extension in the PROCESSOR-SDK-RTOS when building in a Windows or Ubuntu environment.
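A pre-build check for the state described above, as an added example that is not part of this document or the SDK: it scans an OpenSSL-style x509 template for an active debug extension entry and returns what it finds. The OID value, the function names and both template fragments are assumptions (the fragments are constructed); confirm the OID against the template shipped in your SDK.

```python
import re

# Assumption: OID of the TI debug extension as used in TI's public x509
# signing templates; confirm it against the template in your own SDK.
DEBUG_EXT_OID = "1.3.6.1.4.1.294.1.8"

def parse_sections(text):
    """Parse OpenSSL-config style text into {section: [(key, value), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current].append((key, value))
    return sections

def find_debug_extension(text, oid=DEBUG_EXT_OID):
    """Return (section, value, fields) for every active use of the OID."""
    sections = parse_sections(text)
    hits = []
    for name, items in sections.items():
        for key, value in items:
            if key == oid:
                # value has the form ASN1:SEQUENCE:<section with the fields>
                ref = value.rsplit(":", 1)[-1]
                hits.append((name, value, dict(sections.get(ref, []))))
    return hits

# Constructed template fragments for illustration, not copied from the SDK.
WITH_DEBUG_EXT = """
[ v3_ca ]
basicConstraints = CA:true
1.3.6.1.4.1.294.1.8 = ASN1:SEQUENCE:debug
[ debug ]
debugType = INTEGER:4
"""
DEBUG_EXT_REMOVED = """
[ v3_ca ]
basicConstraints = CA:true
# 1.3.6.1.4.1.294.1.8 = ASN1:SEQUENCE:debug
[ debug ]
debugType = INTEGER:4
"""
```

A non-empty result from `find_debug_extension` on the template used for the SBL build means the template still requests the debug extension; a commented-out entry or an unreferenced `[ debug ]` section alone is not reported.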