JTAG Interface Protections

Zynq UltraScale+ Device Technical Reference Manual (UG1085)

Document ID
Release Date
2.4 English

On power-up, the default boot state is secure, and the JTAG interface only accepts a limited set of commands. These commands are listed here.


HIGHZ_I/O (applies only to PS I/O)




The device can boot up in secure and non-secure mode. The two secure boot modes are hardware root of trust and encrypt only.

This Figure shows the JTAG capabilities throughout the secure and non-secure boot process. For non-secure boots, once the boot is complete, either successfully or unsuccessfully, the full suite of JTAG commands are enabled.

For secure boots, if the boot is completed successfully, the authenticated software is capable of enabling the additional JTAG commands. Otherwise, only the IDCODE, HIGHZ_IO, BYPASS, JTAG_STATUS, and PS_ERROR_STATUS commands are available. Since the PS_ERROR_STATUS pin is driven by GPO of the PMU, when the PMU is reset the PS_ERROR_STATUS will be cleared. However, at the end of the secure lockdown, if the option to reboot into JTAG for boundary scan debug is on, then the PMU will get reset and the ERROR_STATUS pin will be deserted. It should be noted that this reset event doesn’t clear the JTAG_ERROR_STATUS register, which can be read via the JTAG_ERROR_STATUS instruction on the JTAG TAP. In the event of a failed secure boot, the JTAG capabilities are dependent on how the device was provisioned.

Programming the SEC_LK eFUSE forces every failed secure boot to enter secure lockdown.

In the event that SEC_LK is not programmed:

°User integration and test is supported via commanding authentication and encryption through the boot header. See Integration and Test Support (BH RSA Option) for more details. In the event of a failed secure boot, JTAG is enabled.

°For fielded systems, where authentication or encryption is forced upon every boot, the device enables the BSCAN capabilities only to support continuity testing. In this state, internal memory and registers are zeroized, and both the A53s and the R5s are held in reset.

Figure 12-7:      JTAG Interface Protections

X-Ref Target - Figure 12-7


In addition to disabling specific JTAG commands, specific JTAG sites are disabled by default on power-on by software-controlled security gates. Triple redundancy is used to maintain the state of these security gates. The location of these gates is shown in This Figure in System Test and Debug.

Finally, there is an eFUSE that completely disables the JTAG interface in all situations. Only BYPASS and IDCODE are allowed when the JTAG_DIS eFUSE is programmed.