Arm CoreSight components use four control signals, DBGEN, NIDEN, SPIDEN, and SPNIDEN, to authenticate invasive and non-invasive debug based on the TrustZone secure or non-secure state. Invasive debug is any debug operation that can modify the behavior of the system. Non-invasive debug, such as trace, leaves the behavior of the system unaffected.
Note: References to secure and non-secure state in this section refer to the TrustZone state and have nothing to do with boot security.
The authentication rules are as follows.
• If DBGEN is Low, then no invasive debug must be permitted.
• If NIDEN is Low and DBGEN is Low, then no debug is permitted.
• If NIDEN is Low and DBGEN is High, then invasive and non-invasive debug are permitted.
• If SPIDEN is Low, then no secure invasive debug must be permitted.
• If SPNIDEN is Low and SPIDEN is Low, then no secure debug is permitted.
• If SPNIDEN is Low and SPIDEN is High, then invasive and non-invasive secure debug is permitted.
Table: Debug Authentication shows the debug authentication logic.
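The rules above written as a decode function that a firmware or bring-up check could use to confirm which debug classes a given signal configuration leaves open. This is an added example, not part of the original page: the struct and function names are hypothetical, and gating secure debug on the global DBGEN/NIDEN levels is an assumption taken from the Arm CoreSight architecture rather than from the bullets.

```c
#include <stdbool.h>
#include <stdio.h>

/* Levels of the four authentication signals: true = High, false = Low. */
struct dbg_signals { bool dbgen, niden, spiden, spniden; };

/* Debug classes permitted in each TrustZone state. */
struct dbg_perms {
    bool ns_invasive, ns_noninvasive;   /* non-secure state */
    bool s_invasive, s_noninvasive;     /* secure state */
};

/* Hypothetical helper: apply the authentication rules to one signal set. */
struct dbg_perms dbg_decode(struct dbg_signals s)
{
    struct dbg_perms p;
    p.ns_invasive = s.dbgen;                    /* DBGEN Low: no invasive debug */
    p.ns_noninvasive = s.niden || s.dbgen;      /* both Low: no debug at all */
    /* Assumption (Arm CoreSight architecture, not stated in the rules above):
     * the secure enables only widen what DBGEN/NIDEN already permit. */
    p.s_invasive = s.dbgen && s.spiden;
    p.s_noninvasive = p.ns_noninvasive && (s.spniden || s.spiden);
    return p;
}

/* Pack the result as bits: 0 = NS invasive, 1 = NS non-invasive,
 * 2 = S invasive, 3 = S non-invasive. */
unsigned dbg_mask(struct dbg_perms p)
{
    return (unsigned)p.ns_invasive | (unsigned)p.ns_noninvasive << 1 |
           (unsigned)p.s_invasive << 2 | (unsigned)p.s_noninvasive << 3;
}

/* Print the permissions for all 16 signal combinations. */
int main(void)
{
    puts("DBGEN NIDEN SPIDEN SPNIDEN | NS-inv NS-non S-inv S-non");
    for (unsigned v = 0; v < 16; v++) {
        struct dbg_signals s = { v & 8, v & 4, v & 2, v & 1 };
        struct dbg_perms p = dbg_decode(s);
        printf("%5d %5d %6d %7d | %6d %6d %5d %5d\n",
               s.dbgen, s.niden, s.spiden, s.spniden,
               p.ns_invasive, p.ns_noninvasive, p.s_invasive, p.s_noninvasive);
    }
    return 0;
}
```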