Secure Debug Flow
The mechanisms for handling debug certificates are very similar to the mechanisms for handling the key and content certificates mentioned in Secure Boot Flow.
However, in this case, rather than deciding if an application is valid to be executed, the purpose of the debug certificate chain is to configure the debug port and other features governed by the Debug Control Unit (DCU).
As indicated in Secure RoT Resources, the debug certificate chain normally consists of the following:
- A key certificate that has been signed with a private key associated with a specific RoT in the system
  - The key certificate is optional, as it is possible instead to sign the debug enabler certificate with the RoT private key. However, this is not recommended.
- A debug enabler certificate that identifies which specific DCU bits can be unlocked, and the LCS of the device being debugged
- A debug developer certificate that identifies the requested DCU bits being unlocked and the SOC ID of the device being debugged
The flow chart in the "Secure Debug Flow" figure shows the stages of verifying a debug certificate chain.
At the end of the secure debug flow, the DCU mask bits and DCU lock bits are both set to one of three conditions:
- If there are no debug certificates, the default states for the DCU mask and lock bits are set.
- If there is a problem with the provided debug certificates, or a request to transition to LCS_RMA, the DCU mask bits are cleared and all lock bits are set.
- If there is a valid set of debug certificates, the DCU mask and lock bits are set based on the values in the certificates.
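The three outcomes above can be modelled as a single fail-closed decision function. This is an added example, not code from the original documentation or the device's firmware. The struct and field names, the 32-bit DCU width, the boolean standing in for signature verification, the subset check of requested against permitted bits, and taking the lock value from the enabler certificate are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model (assumed layout): signature verification is reduced to
 * sig_ok, the DCU is 32 bits wide, and the enabler certificate carries the
 * lock value. None of these names come from the device's real API. */
typedef struct { bool present, sig_ok; uint32_t lcs, permitted, lock; } enabler_cert;
typedef struct { bool present, sig_ok; uint8_t soc_id[16]; uint32_t requested; } developer_cert;
typedef struct { uint32_t lcs; uint8_t soc_id[16]; uint32_t def_mask, def_lock; } device_state;
typedef struct { uint32_t mask, lock; } dcu_state;

dcu_state resolve_dcu(const device_state *dev, const enabler_cert *en,
                      const developer_cert *dv, bool rma_requested)
{
    const dcu_state locked_down = { 0u, UINT32_MAX }; /* mask cleared, all lock bits set */

    if (rma_requested)                       /* request to transition to LCS_RMA */
        return locked_down;
    /* No debug certificates at all: default mask and lock values apply. */
    if (!en->present && !dv->present)
        return (dcu_state){ dev->def_mask, dev->def_lock };
    /* Any problem with the chain fails closed. */
    if (!en->present || !dv->present || !en->sig_ok || !dv->sig_ok)
        return locked_down;
    if (en->lcs != dev->lcs)                 /* enabler is bound to the device LCS */
        return locked_down;
    if (memcmp(dv->soc_id, dev->soc_id, sizeof dev->soc_id) != 0)
        return locked_down;                  /* developer cert is bound to the SOC ID */
    if (dv->requested & ~en->permitted)      /* request exceeds what the enabler allows */
        return locked_down;
    /* Valid chain: values come from the certificates. */
    return (dcu_state){ dv->requested, en->lock };
}

int main(void)
{
    /* Constructed sample values, not taken from any real device. */
    device_state dev = { 5u, { 0xA1 }, 0x0000000Fu, 0xFFFF0000u };
    enabler_cert en = { true, true, 5u, 0x000000FFu, 0xFFFFFF00u };
    developer_cert dv = { true, true, { 0xA1 }, 0x00000003u };
    dcu_state r = resolve_dcu(&dev, &en, &dv, false);
    printf("mask=0x%08x lock=0x%08x\n", (unsigned)r.mask, (unsigned)r.lock);
    return 0;
}
```

Every rejection path returns the same locked-down state, so a malformed or mismatched chain can never leave the device more open than presenting no certificates at all.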