Debug Lock Overview
Debug locking is a foundational security feature available on the SiWx917. Without it, unauthorized access to these devices is possible.
Both cores in the SiWx917, the NWP and the M4, have standard Joint Test Action Group (JTAG) debug interfaces that provide access to memory, registers, and firmware debugging capabilities. Unauthorized access to these debug interfaces can leave a system's sensitive data vulnerable to being read or modified. Locking the debug ports helps prevent this. Silicon Labs always recommends locking the debug ports of these devices as a final step of production.
Just as important as locking a debug port is the process of securely unlocking it. When a device is returned from the field and needs to be analyzed to understand the failure, the debug port must be unlocked securely. Unlocking the debug port requires a challenge and authentication process to ensure that the entity initiating the unlock is authorized to unlock the port and access any sensitive data that may be stored on the device.
On the SiWx917, signature validation must also be enabled on each core to enable debug locking. Refer to AN1442: SiWx917 Secure Boot with Anti-rollback for more information on signature validation.
Sequence for Locking and Unlocking Both Cores
On the SiWx917, the debug lock feature is available for both the M4 application core and the NWP security core. Each core can be locked individually, or both can be locked together. Silicon Labs recommends locking both cores as the final step of production.
When both cores are locked, the order in which the debug ports are locked and unlocked matters. Use the following sequence in these cases. If this sequence is not followed, an error may be thrown, or unexpected behavior may occur.
1. Lock NWP
2. Lock M4
3. Unlock M4
4. Unlock NWP
Secure Zone and Debug Lock
Secure Zone is an optional feature that can be enabled with debug lock in order to isolate the M4 and NWP cores. When Secure Zone is disabled, the M4 can access the NWP via a mailbox interface. When Secure Zone is enabled, this mailbox interface is disabled, preventing M4 access to the NWP.
Take special care when using the debug lock feature of the SiWx917, both with and without Secure Zone. The tables below describe the expected behavior in each scenario.
Debug Lock Behavior when Secure Zone is Enabled
| | NWP Locked | NWP Unlocked |
|---|---|---|
| M4 Locked | M4 and NWP JTAG cannot be accessed | NWP JTAG can be accessed, M4 JTAG cannot be accessed, Secure Zone is disabled in hardware by bootloader |
| M4 Unlocked | M4 JTAG can be accessed, NWP JTAG cannot be accessed | M4 and NWP JTAG can be accessed, Secure Zone is disabled in hardware by bootloader |
Debug Lock Behavior when Secure Zone is Disabled
| | NWP Locked | NWP Unlocked |
|---|---|---|
| M4 Locked | M4 and NWP JTAG cannot be accessed | NWP JTAG can be accessed, M4 JTAG cannot be accessed |
| M4 Unlocked | M4 JTAG can be accessed, NWP JTAG cannot be accessed. However, M4 can access NWP memory, registers, etc. | M4 and NWP can be accessed |
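The lock-order rule and the two behavior tables above, expressed as a production-line audit check. This is an added example, not Silicon Labs code: the operation and function names are hypothetical, and the order rule is assumed to apply only when both cores end up locked, since either core may also be locked individually.

```python
# Added example: hypothetical names, not a Silicon Labs API.
LOCK_NWP, LOCK_M4, UNLOCK_M4, UNLOCK_NWP = "lock_nwp", "lock_m4", "unlock_m4", "unlock_nwp"

def check_sequence(ops):
    """Replay ops starting from a fully unlocked part; return (final_state, violations)."""
    nwp_locked = m4_locked = False
    violations = []
    for i, op in enumerate(ops):
        if op == LOCK_NWP:
            if m4_locked:  # both cores end up locked, but M4 went first
                violations.append((i, "NWP locked after M4; lock NWP first"))
            nwp_locked = True
        elif op == LOCK_M4:
            m4_locked = True
        elif op == UNLOCK_M4:
            m4_locked = False
        elif op == UNLOCK_NWP:
            if m4_locked:  # both cores locked, NWP must be unlocked last
                violations.append((i, "NWP unlocked while M4 locked; unlock M4 first"))
            nwp_locked = False
        else:
            raise ValueError(f"unknown operation: {op!r}")
    return {"nwp_locked": nwp_locked, "m4_locked": m4_locked}, violations

def exposure(m4_locked, nwp_locked, secure_zone_enabled):
    """Debug exposure for one lock state, following the two tables."""
    return {
        "m4_jtag": not m4_locked,
        "nwp_jtag": not nwp_locked,
        # The bootloader disables Secure Zone in hardware when the NWP is unlocked.
        "secure_zone_active": secure_zone_enabled and nwp_locked,
        # Secure Zone disabled and M4 unlocked: NWP memory and registers reachable via M4.
        "nwp_reachable_via_m4": (not m4_locked) and nwp_locked and not secure_zone_enabled,
    }

def audit(ops, secure_zone_enabled):
    """Return findings for a provisioning log: order violations plus residual exposure."""
    state, violations = check_sequence(ops)
    exp = exposure(state["m4_locked"], state["nwp_locked"], secure_zone_enabled)
    findings = [msg for _, msg in violations]
    if exp["m4_jtag"] or exp["nwp_jtag"]:
        findings.append("debug port left unlocked")
    if exp["nwp_reachable_via_m4"]:
        findings.append("NWP JTAG locked but NWP reachable through unlocked M4")
    return findings

if __name__ == "__main__":
    # Constructed log: only the NWP was locked and Secure Zone is disabled.
    print(audit([LOCK_NWP], secure_zone_enabled=False))
```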
Permanent Debug Lock
Each core in the SiWx917 uses a corresponding firmware public key to verify the authenticity of debug tokens. To permanently lock the JTAG ports for each core, so that the NWP and M4 cores of the SiWx917 can no longer be unlocked, the corresponding firmware public keys must not be provisioned to the device, and the JTAG-disable eFuses for each core must be set in OTP.
Note: Permanently locking JTAG port(s) on the SiWx917 is a one-time operation and cannot be reversed.