The Versal device allows for debug enablement of a secure system via an external interface (i.e., JTAG). JTAG is not fully enabled by default when using Asymmetric Hardware Root of Trust Secure Boot or Symmetric Hardware Root of Trust Secure Boot. The JTAG port listens for a cryptographically signed AUTH_JTAG message (LMS, RSA, or ECDSA signed). If such a message is received and the signature is authenticated, the JTAG port is enabled by the PMC. Improperly authenticated messages can be logged and ignored, or can place the device into a secure lockdown. The authenticated JTAG feature is disabled by default, automatically enabled when a PPK hash is programmed, and can be permanently disabled using eFUSEs. A high-level overview of the communication paths is shown in the following figure.
Figure 1. Secure Enablement of JTAG Interface