Verilog Design of Programmable JTAG Controller for Digital VLSI IC’s

The objective of this work is to design and implement a custom reconfigurable JTAG controller in Verilog. It can be inserted directly into new digital IC designs with little modification. It is fully compatible with the IEEE 1149.1 standard. Additional programmable private instructions can also be added to the design. A secure access mechanism is built into the controller, which protects the system by preventing unauthorized users from interfering with system functions. A locking and opening mechanism and password-key-based access control were incorporated as part of the JTAG controller module. The controller was configured to fit different ISCAS’89 digital VLSI benchmark designs and the results were analysed. It is observed that as the design size increases, the area and power overhead decreases but the number of boundary scan vectors increases. All the designs were written in Verilog and RTL simulations were performed using the Cadence NC-Sim simulator. Cadence Encounter Test Architect 13.1 was used to check the boundary scan flow and analysis. A line graph depicting the power and area overhead is also shown. Complete performance analysis of the ISCAS’89 designs with and without the JTAG controller was performed. The power and area overhead was found to be negligible as the size of the VLSI designs increases.


Introduction
JTAG/IEEE 1149.1 is a common platform for device-, board- and system-level testing and debugging [1,2]. The JTAG port acts as the interaction point between the external world and the device, and it also provides access to internal components for circuit debug and configuration. In JTAG, testing and debugging are carried out through one of the main hardware components, the Test Access Port (TAP), which contains four mandatory pins (TDI, TMS, TCK, TDO) and an optional pin for asynchronous reset (TRST). Some IEEE standards use the 1149.1 infrastructure for configuring Programmable Logic Devices (PLDs) [3].
A TAP/JTAG controller is a module that controls and coordinates the operations of the entire test architecture. Like a logic design module, a TAP controller can also be designed using a Hardware Description Language (HDL). Almost all VLSI ICs manufactured today have a TAP/JTAG controller as part of them. Since TAP controller operations are standardized by IEEE 1149.1, it is possible to create a programmable TAP controller that can be modified and used on several designs [4].
JTAG was originally designed as a test interface standard without any security concern. But with the increasing capability of hardware attackers, more and more side channels that can compromise the security of a device have been discovered. Improper use of the JTAG port is one of the available side channels. Usually JTAG is disabled after initialization of products. But in some device applications it is kept enabled for code or firmware updates [2]. This functionality makes scan-based attacks easier and can be used to upload corrupted firmware and read out the internal contents of the device [5]. For example, set-top box firmware updates occur through the JTAG port. Thus if the JTAG port is insecure, unauthorized users can either reprogram part of the system at will or steal the Intellectual Property (IP) information of the system. Generally, security problems can occur due to the discrepancy between the expected operation and the practical operation of electronic systems. Most digital hardware systems contain test interfaces through which the system can be hacked.
Test interfaces are necessary to make the system testable. Testability is a very important property that allows the user to verify correct functionality of the hardware device. Testability measures make the system more testable, and hence increase test coverage, but the module may lose its security. So there is always a conflict between security and testability [6].
The objective of this paper is to design and implement a programmable JTAG controller with an access control mechanism. This security scheme consists of a locking mechanism with different levels of protection that prevents unauthorized users from accessing the private and confidential information of a device. Different users have different access levels. The proposed architecture requires only minimal hardware and meets all the specifications of the IEEE 1149.1 standard.
Section 2 of this paper discusses the need for a programmable JTAG controller, JTAG security and related past work. Section 3 gives details of the implementation of the proposed JTAG controller design. Section 4 shows results and analysis. Section 5 concludes the paper with performance highlights of the proposed method.

JTAG Controller and Security Issues
It is common practice to design a separate JTAG controller for every new VLSI design. Since much of the JTAG architecture is uniform across designs, it is possible to have a single JTAG controller designed in a Hardware Description Language (HDL) that can be programmed to adapt to various designs. Every product must be tested before it is introduced into the market. Every VLSI IC manufactured has to be tested, but testability enhancement of the design may often reduce system security. SoCs used in various applications contain IPs that store confidential information about the devices. SoC designs are usually heterogeneous in nature, with predesigned modules from different vendors embedded in them. Since modules come from different vendors, different testing techniques are used for testing each module. Such testing makes security assurance even more challenging. SoC development presents new security challenges in how to test, configure, and debug the modules within the chip [6]. Data confidentiality and IP protection can be broken through testing [7].
Most device debugging operations and uploading of powerful features into the system occur through the JTAG port. To ensure the security of sensitive information without disturbing the debugging functionality, one has to limit device access to authorized users only by introducing a secure JTAG port [8,9].
In [10], a locking/unlocking mechanism for controlling access to the system is proposed. If the system is locked, the user will not have access to any JTAG instruction, and if the system is unlocked, the user will have complete access to all JTAG instructions. But it does not give any feasible implementation overhead details in terms of area, power and speed.
The debugging ability of the JTAG test structure makes it vulnerable to various kinds of attacks. There are different ways by which an attacker can attack devices during testing and debugging. These include controlling the TMS/TCK signals, sniffing and modifying the TDI/TDO signals, and accessing the secret keys. Different types of JTAG-based attacks, including sniffing secret data, read-out attacks, true vector collection attacks, modifying the state of the authentication part, and returning false responses to tests, were discussed in [11]. In [11], a security scheme that employs three standard security primitives, namely a hash function, a stream cipher and a message authentication code, was presented.
Security attacks can be passive attacks or active attacks. A passive attack allows learning or making use of information from the system without affecting the system resources, whereas an active attack may either alter the system resources or affect their operation [12].
Several solutions have been proposed for securing JTAG during debugging and testing. A Multilevel Secure JTAG Architecture is proposed in [13] for monitoring and controlling individual scan chains, and hence restricting malicious data from being loaded into the JTAG controller. In [14], a Protected JTAG that controls the protection level of the device, and hence limits the acceptable interaction that takes place through the JTAG port during different phases of product development, is discussed. An anti-tamper JTAG TAP design using a True Random Number Generator (TRNG) and a secure hash (SHA-256) for IC test and on-chip internals is described in [15]. A security enhancement scheme for SoC test access which maintains the economy of shared wiring while achieving the security benefits of star topology test access wiring is discussed in [16]. A real-life complete software solution for a JTAG security system was proposed in [17]. Multilevel security for the JTAG architecture using AES encryption/decryption was proposed in [18], but it leads to considerable area, power and speed overhead. In [19], a reconfigurable 2D LFSR was used for generating test patterns for BIST used in SoC-type designs. This method is useful for testing SoCs with a large number of cores. This solution does not include TAP controller programmability for testing the multiple cores. A flipped scan chain architecture, which inserts an inverter as a security measure to reduce possible scan-based attacks on ICs, was discussed in [20]. A credentials-based security system for the JTAG test structure is discussed in [21]. In [22], secure access to a reconfigurable scan network is presented, made possible by extending the TAP with a sequence filter.
Different security features have been proposed for JTAG in the methods above, but most of them add a large area overhead to the device. This makes them difficult to implement. This paper suggests an access control mechanism using a lock/open register and an authentication scheme. It is shown that this method has low area overhead even for small ISCAS'89 designs.

Proposed Programmable Secure JTAG Architecture
A programmable controller with a security scheme is implemented. A typical JTAG block diagram with a locking mechanism added is shown in Figure 1. The proposed architecture consists of two PRIVATE instructions: LOCK and OPEN. When the LOCK instruction is active, the TAP controller maps all instructions except the OPEN instruction to harmless bypass logic until the OPEN instruction with a valid key code is applied. In addition to locking the TAP controller, it also provides different levels of access to the system. Once the TAP controller is opened, a security code has to be entered, which selects the amount of access that the user can have to the system functions.
The internal logic circuit of the security system is shown in Figure 2. It consists of a key/lock shift register, key register, lock register, comparator, Private Instruction (PI) register and associated multiplexers. It also includes three level-select registers (register A, register B, register C) with keys embedded in them. The level-select registers determine the level of access given to users. How the different registers are selected is shown in Table 1.
This paper defines four levels of entry for the JTAG port. The protection levels are: a first level without any protection mechanism, a second level with permission for all operations except hardware configurable capability, a third level which permits only running the JTAG flow, and a fourth level which fully locks the system.

Steps Involved in Locking the TAP Controller
1. The LOCK instruction can be applied at any time when the TAP controller is in the normal active working state.
2. The LOCK instruction is entered into the instruction register through TDI. The decoder associated with the IR decodes the instruction.
3. The key/lock shift register and lock register are enabled.
4. The lock code is entered into the key/lock shift register through TDI.
5. The lock code is transferred from the key/lock shift register to the lock register.
6. The comparator compares the contents of the key register and lock register.
7. If the contents are different, then the locked status fed to the decoder gets activated. The decoder logic maps all instructions except OPEN to the bypass instruction.
8. The locked status can be released only by executing the OPEN instruction with a valid key code.

Steps Involved in Opening the TAP Controller
1. The OPEN instruction can be applied only when the TAP controller is in the locked state.
2. The OPEN instruction is entered into the instruction register through TDI. The decoder associated with the IR decodes the instruction.
3. The key/lock shift register and key register are enabled.
4. The key code is entered into the key/lock shift register through TDI.
5. The key code is transferred from the key/lock shift register to the key register.
6. The comparator compares the contents of the key register and lock register.
7. If the contents are the same, then the locked status fed into the decoder gets deactivated.
8. The security code is entered into the key/lock shift register through TDI.
9. The security code is transferred from the key/lock shift register to the PI register.
10. The contents of the PI register are compared with the contents of the level select registers (register A, register B, register C).
11. The level corresponding to whichever level select register matches the PI register goes high.
12. Based on the level enable signals, only the corresponding logic is enabled for the user. The user will have that level of access to the circuit logic.
13. A test instruction entered through TDI can be executed.
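The locking and opening steps above, written out as an added Verilog example that is not the paper's RTL. The 8-bit registers, 4-bit instruction width, opcodes, reset value and level codes are placeholders; it also assumes the key register resets to zero and that the standard Update-DR strobe stands in for the paper's two extra TAP states.

```verilog
// Added illustration, not the paper's RTL. Widths, opcodes and codes are placeholders.
module jtag_access_ctrl #(
    parameter W   = 8,                        // assumed key/lock/code width
    parameter IRW = 4,                        // assumed instruction width
    parameter [IRW-1:0] OP_BYPASS = 4'hF,
    parameter [IRW-1:0] OP_LOCK   = 4'hA,     // placeholder PRIVATE opcode
    parameter [IRW-1:0] OP_OPEN   = 4'hB,     // placeholder PRIVATE opcode
    parameter [W-1:0] LOCK_RESET  = 8'hA5,    // must be non-zero
    parameter [W-1:0] CODE_A = 8'h11,         // level-select register contents,
    parameter [W-1:0] CODE_B = 8'h22,         // placeholders, must be non-zero
    parameter [W-1:0] CODE_C = 8'h33
) (
    input  wire           tck, trst_n, tdi,
    input  wire           shift_dr, update_dr, // decoded TAP states (assumed inputs)
    input  wire [IRW-1:0] ir,                  // latched instruction register
    output wire [IRW-1:0] ir_eff,              // instruction the decoder acts on
    output wire           locked,
    output wire           level_a, level_b, level_c
);
    reg [W-1:0] shreg, key_reg, lock_reg, pi_reg;
    // Comparator: locked status is active while key and lock registers differ.
    assign locked = (key_reg != lock_reg);
    // While locked, everything except OPEN is mapped to BYPASS.
    assign ir_eff = (locked && ir != OP_OPEN) ? OP_BYPASS : ir;
    wire sel_lock = (ir_eff == OP_LOCK);       // LOCK is only reachable when open
    wire sel_open = (ir_eff == OP_OPEN);

    always @(posedge tck or negedge trst_n) begin
        if (!trst_n) begin
            shreg    <= {W{1'b0}};
            key_reg  <= {W{1'b0}};             // assumed zero, so reset state is locked
            pi_reg   <= {W{1'b0}};
            lock_reg <= LOCK_RESET;
        end else if (shift_dr && (sel_lock || sel_open)) begin
            shreg <= {tdi, shreg[W-1:1]};      // key/lock shift register, LSB first
        end else if (update_dr && sel_lock) begin
            lock_reg <= shreg;                 // new lock code; equal to key_reg = no lock
            pi_reg   <= {W{1'b0}};             // assumption: drop the old access level
        end else if (update_dr && sel_open) begin
            if (locked) key_reg <= shreg;      // stage 1: key code
            else        pi_reg  <= shreg;      // stage 2: security code
        end
    end

    // Level enables: PI register compared with registers A, B and C.
    assign level_a = !locked && (pi_reg == CODE_A);
    assign level_b = !locked && (pi_reg == CODE_B);
    assign level_c = !locked && (pi_reg == CODE_C);
endmodule
```

In this model the locked status is only the comparator output, so a LOCK code equal to the value still held in the key register leaves the port open. Clearing the key register when LOCK updates would close that case.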
It should be noted that the LOCK register should contain a non-zero value at the time of reset. Each operation in JTAG is controlled by a 16-state finite state machine called the TAP controller. Incorporating the security features adds two additional states to the TAP controller. The state machine of the TAP controller is modified as shown in Figure 3. Two additional states included are

Results and Analysis
ISCAS_89 consists of sequential benchmark circuits. Boundary scan/JTAG is applied to many benchmark circuits of the ISCAS_89 designs. A TAP controller is written in Verilog HDL and simulated using the ModelSim RTL simulator. Boundary scan is inserted in the benchmark designs using RTL Compiler 13.10 (RC) and verified using Encounter Test Architect 13.1.100 (ET).
Table 2 shows the number of PI, PO and BC cells, the area, power, number of gates and boundary scan vectors after boundary scan insertion into the '89 designs. Table 3 shows the results after the addition of the PRIVATE instruction modules. It shows a small increase in area, power, number of gates and boundary scan vectors. Table 4 shows the increase in area and power after adding the proposed access scheme to the ISCAS_89 designs. The security enhancement adds less than 1% to the total area of the circuits. A line graph showing the percentage overhead when adding the security module is given in Figure 4. Although this method does not employ any encryption or decryption techniques, it has two-stage control of access to the JTAG structure and has negligible area and power overhead compared to the size of the VLSI designs.

Conclusion
A programmable JTAG controller in Verilog is designed and implemented. This design can be easily employed in many different VLSI designs of varying sizes. A security scheme is also employed. The first stage has a lock and open mechanism where the key to open the TAP controller can be dynamically set by the user locking the system. A second-stage, three-level privilege-based access scheme is also implemented. It provides different levels of security to different users. This security scheme adds only a small hardware overhead to the designs in comparison to many of the other methods, which incur a large overhead on the area, power and speed of the designs. This JTAG controller is equipped to add new PRIVATE instructions, and the method is fully conformant with IEEE Std. 1149.1.

Figure 2. Structure of dual-stage multilevel security system.

Figure 3. Modified state machine of TAP controller with security features.

Figure 4. Graph showing the % overhead of the security module.

Table 1. Register Selection Table

Table 2. Details of Some ISCAS_89 Designs with Standard Boundary Scan

Table 3. ISCAS_89 Designs with Private Instruction Added and Without Security Scheme

The entry permission checking state checks whether the TAP (JTAG) controller is opened or not by monitoring the value on TMS. The access checking state checks the level of user access to the JTAG and internal logic circuits.

Table 4. Performance Overhead After Incorporating JTAG Security Scheme