The Versal device allows for debug enablement of a secure system via an external interface (i.e., JTAG). JTAG is not fully enabled by default when using Asymmetric Hardware Root of Trust Secure Boot or Symmetric Hardware Root of Trust Secure Boot. The JTAG port listens for a cryptographically signed AUTH_JTAG message (RSA or ECDSA signed). If such a message is received and the signature is authenticated, the JTAG port is enabled by the PMC. Improperly authenticated messages can be ignored or can place the device into a secure lockdown. The authenticated JTAG feature is disabled by default, automatically enabled when a PPK hash is programmed, and can be permanently disabled using eFUSEs. A high-level overview of this method is shown in the following figure.
For futher details, see the Versal ACAP Security Manual (UG1508). This manual requires an active NDA to download from the Design Security Lounge.