Program JTAG security mode
JTAG functionality is enabled by default. Digi's U-Boot provides the trustfence jtag command that allows you to permanently change the secure JTAG mode.
CAUTION! Programming eFuses is an irreversible operation and should only be done at the final stages of product manufacturing. OTP configuration can still be overwritten using the shadow registers unless the JTAG mode is locked.
To permanently program the JTAG configuration by burning the eFuses, execute the following command sequence:
# trustfence jtag prog <mode>
In this sequence, mode can be one of the following strings:
- disable-jtag, to block all JTAG features.
- disable-debug, to disable JTAG debugging while allowing boundary scan.
- secure, for secure JTAG mode. In this mode, the response key also needs to be programmed into the eFuses as follows:
# trustfence jtag prog_key <high> <low>
A quick way to generate a random response key on a Linux machine is:
openssl rand -hex 7 | sed 's,^\([[:xdigit:]]\{6\}\)\([[:xdigit:]]\{8\}\),0x00\1 0x\2,g'
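Because prog_key burns eFuses and cannot be repeated, it helps to check the two words before typing them on the target. The script below is an added example, not part of Digi's documentation or tooling: it produces the same <high> <low> layout as the one-liner above and rejects malformed or degenerate values. The function names format_jtag_key, is_weak_key and new_jtag_key are hypothetical, and the /dev/urandom fallback is an assumption for hosts without openssl.

```shell
#!/bin/sh
# Added example (not Digi code): build and sanity-check the <high> <low>
# arguments before handing them to the irreversible prog_key command.

# Split 14 hex digits into the two words, as the sed one-liner above does.
# Prints "0x00HHHHHH 0xLLLLLLLL"; returns 1 on anything else.
format_jtag_key() {
    key=$1
    case $key in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#key}" -eq 14 ] || return 1
    high=${key%????????}   # first 6 digits
    low=${key#??????}      # last 8 digits
    printf '0x00%s 0x%s\n' "$high" "$low"
}

# True when every digit is the same (all zeros, all f, ...): the sign of
# a failed random source or a typed-in placeholder, not of a real key.
is_weak_key() {
    first=${1%"${1#?}"}
    [ -z "$(printf '%s' "$1" | tr -d "$first")" ]
}

# Draw 7 random bytes (openssl as on this page; /dev/urandom is an assumed
# fallback). Gives up after a few attempts instead of looping forever.
new_jtag_key() {
    for attempt in 1 2 3 4 5; do
        if command -v openssl >/dev/null 2>&1; then
            raw=$(openssl rand -hex 7) || continue
        else
            raw=$(od -An -N7 -tx1 /dev/urandom | tr -d ' \n') || continue
        fi
        if is_weak_key "$raw"; then continue; fi
        if words=$(format_jtag_key "$raw"); then
            printf '%s\n' "$words"
            return 0
        fi
    done
    return 1
}

# Print the U-Boot command line to enter on the target.
if args=$(new_jtag_key); then
    printf 'trustfence jtag prog_key %s\n' "$args"
fi
```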
