AN 759: Using Secure Boot in Intel® Arria® 10 SoC Devices

ID 683060
Date 3/29/2021
Document Table of Contents

What are the secure configurations for HPS JTAG debug and access?

Two efuse bits, dbg_disable_access and dbg_lock_JTAG, control the secure JTAG debug configurations. You can read the programmed efuse values for your device through the HPS_fusesec register. A bit value of 1 in the HPS_fusesec register represents a "blown" fuse state and a 0 represents an "unblown" fuse state.

The table below describes the possible HPS configurations with JTAG. The dbg_access_f and dbg_lock_JTAG columns reflect the efuse value of these bits in the HPS_fusesec register. If both efuse are unblown then after the device exits reset, full JTAG access is possible. This configuration is the default configuration.
Table 5.  JTAG Security Configuration Options
JTAG Configuration dbg_disable_access dbg_lock_JTAG Description
HPS JTAG include 0 1
  • This configuration includes the HPS in the JTAG chain by default.
  • Your software application cannot remove the HPS from the JTAG chain.
  • This configuration allows HPS debug from power-on reset.
HPS JTAG exclude 1 1 Permanently exclude the HPS from the JTAG chain.
Default 0 0 Enable JTAG with software debug programmability.