John C. Potter

Don't forget to lock your SIB: Hiding instruments using P16871

IEEE P1687 is a valuable tool for accessing on-chip instruments during test, diagnosis, debug, and board configuration. However, most of these instruments should not be available to an end user in the field. We propose a method for hiding instruments in a P1687 network that utilizes a “locking” segment insertion bit (LSIB) that can only be opened when pre-defined values, corresponding to a key, are present in particular bits in the chain. We also introduce “trap” bits, which can further reduce the effectiveness of brute force attacks by permanently locking an LSIB when an incorrect value is written to the traps update register. Only a global reset will allow the LSIB to become operable again. In this paper, we investigate the cost and effectiveness of LSIBs and traps in several different configurations and show that these relatively small modifications to the P1687 network can make undocumented instrument access exceedingly difficult.

The testability features of the 3rd generation ColdFire/sup (R)/ family of microprocessors

A description of the DFT and test challenges faced, and the solutions applied, to the newest member of the ColdFire/sup (R)/ microprocessor family, the MCF5307, is described. The MCF5307 is the first member of the family to have on-chip, PLL-sourced, dual clock domains where the bus interface and the internal core microprocessor operate at different, but selectable, frequency ratios; and the internal microprocessor core of the MCF5307 was designed as a separate stand-alone core that contained multiple embedded memory arrays. The DFT challenges and solutions described involve the development of the at-speed AC scan test architecture and scan vectors in a multiple clock domain environment; the application of memory BIST to multiple embedded memories in a cost effective manner; and the handling of an on-chip PLL clock source.

Board security enhancement using new locking SIB-based architectures

Circuit boards are especially vulnerable to security attacks. Many routes and pins can be probed directly. Other pins may be controlled and observed through the JTAG boundary scan port. The JTAG port may also provide access to each chips internal scan chains. Furthermore, modern chips may include embedded instruments that can be accessed through the chips JTAG port and an internal IEEE P1687 scan network. If accessed by an attacker, these instruments may allow data to be leaked from the chips themselves or allow the attacker to drive other chips on the board. Finally, FPGA firmware is often stored in on-board memories and must be protected to prevent IP theft. In this paper, we describe some of the security issues facing boards. We then describe new chip access protocols that harness the use of licensed software and locking segment insertion bits (LSIBs) for secure Chip ID extraction. These methods enable authorized access while helping to prevent unauthorized access and counterfeiting of chips and IP on the board.

Making it harder to unlock an LSIB: Honeytraps and misdirection in a P1687 network

Todays chips often contain a wealth of embedded instruments and data, including sensors, hardware monitors, built-in self test (BIST) engines, and chip IDs, among others. IEEE P1687 was specifically designed to provide access to such instruments in an efficient manner, and some companies are already implementing the proposed standard on their chips. However, while instruments provide valuable information and features to authorized users who need to harness them for test, debug, diagnosis, and possibly counterfeit detection, it may be desirable to restrict unauthorized access to certain instruments through the P1687 network. Previous work proposed replacing some of the segment insertion bits (SIBs), which add scan path segments in a P1687 network, with locking SIBs (LSIBs). LSIBs use the data that is naturally scanned through the network as keys to hide instruments from attackers. However, that previous work did not investigate many of the techniques and structures that can be used to significantly increase the time an attacker is likely to need to unlock LSIBs and gain access to hidden instruments. In this work, we explore some of these techniques and show how simple modifications to a P1687 network protected with LSIBs can significantly increase the difficulty an attacker faces in attempting to access protected instruments.

FPGA-Based Embedded Tester with a P1687 Command, Control, and Observe-System

This article discusses the embedding of a tester on an FPGA, which uses IJTAG to enable flexible and dynamic access to test configurations of the on-chip instruments.

Test development for a third-version ColdFire microprocessor

The design-for-test methodology of the MCF5307 device is described, illustrating issues faced, how solutions were derived, and results.

Invited - A box of dots: using scan-based path delay test for timing verification

In this paper, we describe the use of manufacturing scan-based vectors to structurally assess the frequency of any given semiconductor design, as opposed to the complex and costly effort of creating a functional set of vectors that can actually exercise all of the functions needed to accurately determine if the chip really operates at its rated or advertised frequency. Structural techniques reduce the problem to one of a finite measureable and deterministic set of tests whereas functional vectors can be somewhat subjective unless analyzed, simulated and assessed. The techniques developed and described here were developed on microprocessor designs and were then expanded to cover the general case of an ASIC, SoC, and even FPGA by using static timing analysis, automatic test pattern generation (ATPG) against a path-delay fault model, path selection from STA and using path filtering to eliminate false-paths that would result in an incorrect frequency assessment.