Accessing a secure device over JTAG with TRACE32

- TDA4/DRA8xx SOCs come in a secure and non-secure flavor.
- A non-secure device is known as a general-purpose-device (GP) and a high-secure-device is known as (HS)
- HS software development tends to happen in a couple of stages (HS_FS, HS_SE). The functions enabled and necessary credentials vary per stage.
- Both device types (GP, HS) can function with JTAG based HW debuggers used in SW development activities such as flashing, board checkout, SW debug, and system profiling
- At power on reset (POR), the hardware determines the device type based on SOC internal EFUSE settings. A GP device tears down HW firewalls where an HS device leaves them in place
- For JTAG to connect to a secured device, a credential must be presented to the secure controller which then grants access to features. This credential is must be verified by HW as part of an authentication protocol
- The credential can be presented to the secure controller in multiple ways:
	-- it can be downloaded via JTAG into a secure access port (secure-ap)
	-- it can be included in the system boot image
	-- depending on the security software, an API call cab be made at run time
- The certificate which is used in the authentication protocol’s format will vary depending on the which mix of keys are in use and the features being enabled for a specific usage scenario
- Typical JTAG debug of non-secure cores uses a certificate emended in the bootloader.  This credential can be used across devices.
- Debug of secure cores, or accesses before any software is on the device, will require including the devices unique ID (UID) into the certificate
- The UID will be emitted on the system UART or can be read from the secure-ap if the EMU0, EMU1 pins are set to 0, 1 at the power on reset
	-- the EMU0/1 pins can be controlled on the EVM by the EMU_SW DIP switches.  This 2 pin DIP switch is near the MIPI-60 debug header 
- Scripts to extract the UID used in signing and to present the certificate exist in TI examples at:
	-- ./cmm-ti/cmm-dra/cmm-tda4_dra829/x_gel_to_cmm_public/j7es_secure_getuid.cmm
	-- ./T32/cmm-ti/cmm-dra/cmm-tda4_dra829/x_gel_to_cmm_public/j7es_secure_unlock.cmm
- Consult TI's secure software for information on how the various types of credentials and how to sign them
- See the example video for an example where a device's UID is extracted and use of the credential to unlock a device before raw accessing the parts OSPI flash

	
