Guarding the Gate: How PolarFire® FPGAs Use Layered JTAG Security
Protect your embedded systems from physical attacks with layered JTAG security in our PolarFire® FPGAs and SoC FPGAs. Combining static locks and a dynamic security monitor, our solution prevents unauthorized access and detects tampering.
The JTAG interface—used for debugging and boundary scan—is often the most exposed physical attack surface in embedded systems. Unauthorized access to JTAG can lead to firmware theft, reverse engineering or complete system compromise. Our PolarFire® Field-Programmable Gate Arrays (FPGAs) and PolarFire System-on-Chip (SoC) FPGAs, as well as their radiation-tolerant counterparts—RT PolarFire FPGA and RT PolarFire SoC—implement a layered security approach to JTAG protection, combining static JTAG Locks with a dynamic JTAG Security Monitor. This defense-in-depth strategy offers both preventive access control and active tamper detection—going beyond industry norms and offering robust protection in industrial, automotive, defense and aerospace applications.
The Debug Interface: A Doorway to Physical Attack
The JTAG interface was never designed with security in mind. Originally intended for boundary scan and device configuration, it provides deep access to internal registers, memory and firmware—making it a prime target for attackers with physical access.
At DEF CON, one of the world’s most prestigious cybersecurity conferences, skilled hackers and researchers have demonstrated the devastating potential of unprotected JTAG interfaces on embedded systems. These live, real-world demonstrations reveal how unchecked JTAG access can rapidly lead to full device compromise—enabling firmware extraction, root-level control, key retrieval and privilege escalation—all performed with striking speed and stealth, often bypassing traditional software defenses entirely.
Real-World Incidents:
- PlayStation 3: Debug port access enabled reverse engineering that broke the system's cryptographic model.
- Medical Devices: FDA investigations have uncovered vulnerabilities in pacemakers where test interfaces were improperly locked down.
- Military Systems: Rogue access to debug ports has led to potential IP theft in radar and secure communications hardware.
Microchip’s Layered Defense: JTAG Locks + JTAG Monitor
JTAG Locks: The First Line of Defense
PolarFire FPGAs allow users to lock the JTAG interface using non-volatile configuration bits (commonly referred to as “fuses”; these are flash memory bits and are reprogrammable unless set as permanent). Importantly, flash-based security bits in PolarFire are immune to Single Event Upset (SEU), so a random radiation event cannot unintentionally unlock the interface. These security features:
- Disable access to test and programming functions
- Can be conditionally controlled by user logic
- Remain effective across power cycles (permanently, if desired)
This static defense ensures that even if someone physically connects to the debug pins, the interface remains non-functional without explicit authorization.
JTAG Security Monitor: The Watchful Eye
Our JTAG Security Monitor continuously observes the JTAG state machine and its access patterns. It does not simply rely on password protection or security by obscurity. Instead, it actively flags suspicious or unauthorized JTAG behavior, such as:
- Probing attempts during runtime
- State transitions inconsistent with the device’s secured mode
- Connections without valid passcode authentication
Once a threat is detected, the JTAG Security Monitor reports this status to the user logic within the FPGA fabric. This enables the user design to implement appropriate responses, such as generating tamper alerts, triggering system zeroization or logging intrusion attempts. The JTAG Security Monitor is integrated within the System Controller—the secure subsystem responsible for key management, bitstream decryption and device configuration—and remains active at all times, regardless of whether specific debug protections have been enabled.
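A small software model of the kind of state tracking described above, as an added example that is not Microchip's implementation: it follows the standard IEEE 1149.1 TAP state machine from sampled TMS values and raises a flag under an assumed policy (any entry into a Shift state while in secured mode). The function name, report fields, policy and TMS traces are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* IEEE 1149.1 TAP controller states. */
enum tap { TLR, RTI, SEL_DR, CAP_DR, SH_DR, EX1_DR, PA_DR, EX2_DR, UP_DR,
           SEL_IR, CAP_IR, SH_IR, EX1_IR, PA_IR, EX2_IR, UP_IR };

/* next_state[s][tms]: TMS is sampled on each rising TCK edge. */
static const uint8_t next_state[16][2] = {
    [TLR]    = {RTI,    TLR},    [RTI]    = {RTI,    SEL_DR},
    [SEL_DR] = {CAP_DR, SEL_IR}, [CAP_DR] = {SH_DR,  EX1_DR},
    [SH_DR]  = {SH_DR,  EX1_DR}, [EX1_DR] = {PA_DR,  UP_DR},
    [PA_DR]  = {PA_DR,  EX2_DR}, [EX2_DR] = {SH_DR,  UP_DR},
    [UP_DR]  = {RTI,    SEL_DR}, [SEL_IR] = {CAP_IR, TLR},
    [CAP_IR] = {SH_IR,  EX1_IR}, [SH_IR]  = {SH_IR,  EX1_IR},
    [EX1_IR] = {PA_IR,  UP_IR},  [PA_IR]  = {PA_IR,  EX2_IR},
    [EX2_IR] = {SH_IR,  UP_IR},  [UP_IR]  = {RTI,    SEL_DR},
};

struct tap_report {
    enum tap final;             /* state after the last sample */
    int ir_updates, dr_updates; /* completed Update-IR / Update-DR passes */
    long alert_at;              /* index of first flagged edge, -1 if none */
};

/* Assumed policy (hypothetical): in secured mode, the first entry into
 * Shift-IR or Shift-DR is flagged. Returns 1 if flagged, 0 otherwise. */
int tap_monitor(const uint8_t *tms, size_t n, int secured, struct tap_report *r) {
    enum tap s = TLR;           /* assumed state after power-on reset */
    r->ir_updates = r->dr_updates = 0;
    r->alert_at = -1;
    for (size_t i = 0; i < n; i++) {
        s = (enum tap)next_state[s][tms[i] & 1];
        if (s == UP_IR) r->ir_updates++;
        if (s == UP_DR) r->dr_updates++;
        if (secured && r->alert_at < 0 && (s == SH_IR || s == SH_DR))
            r->alert_at = (long)i;
    }
    r->final = s;
    return r->alert_at >= 0;
}

/* Constructed TMS traces, one sample per rising TCK edge. */
static const uint8_t trace_idle[] = {1,1,1,1,1, 0,0,0,0};
static const uint8_t trace_scan[] = {1,1,1,1,1, 0,1,1,0,0, 0,0,0, 1,1,0};

int main(void) {
    struct tap_report r;
    int idle = tap_monitor(trace_idle, sizeof trace_idle, 1, &r);
    int scan = tap_monitor(trace_scan, sizeof trace_scan, 1, &r);
    return !(idle == 0 && scan == 1);
}
```

In a fabric design the equivalent of the return value would be the status signal that user logic consumes to log the event or start a tamper response.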
Response Capabilities: What Happens When a Breach is Detected?
Many FPGAs offer only one mechanism: either a JTAG lock or a way to disable access through user-defined logic. Few implement a monitor to detect interface-level anomalies. PolarFire FPGAs implement both, offering a layered, responsive defense that resists brute-force attacks and stealthy probes.
Our architecture allows for robust and customizable tamper response actions:
- Zeroization: Instantly erases cryptographic keys and sensitive data stored in sNVM/pNVM
- Device Lockdown: Disables I/O and interface access to prevent further intrusion
- Fabric Interrupts: Signals the user logic to log, respond or escalate alerts
- System Reset: Gracefully reboots into a safe, known-good state
If the JTAG port is permanently locked, it cannot be re-enabled. However, if it’s secured using a Debug Pass Key rather than fully disabled, it can be temporarily unlocked for debugging. This would allow rework or updates, provided the correct pass key is available.
These customizable tamper responses are executed at runtime with no external software intervention—providing protection of the whole system even if some of it is compromised.
Use Case Spotlight: Aerospace and Defense
In space-borne and ground-based defense systems, debug interfaces are often sealed post-production—but that’s not always enough. Environmental tampering, insider threats or radiation-induced faults can unintentionally trigger these interfaces.
- Phase 1: Use JTAG Lock to disable interface post-deployment
- Phase 2: Enable JTAG Monitor to remain alert in case someone tries to bypass the lock
If a probe is detected mid-mission, the monitor can notify the secure enclave and execute a tamper response, such as a full system lockdown.
This model also suits avionics and satellite systems, industrial control units and automotive Electronic Control Units (ECU) with over-the-air update paths.
Conclusion: Physical Security Starts at the Interface
In the security world, “lock it down” is no longer good enough. True resilience comes from being able to detect, respond and recover: not just blocking access, but acting when an attempt is made.
By offering both JTAG Locks and a real-time JTAG Security Monitor, our PolarFire FPGAs offer a level of debug interface protection that meets the needs of tomorrow’s secure systems. Learn more in the PolarFire Family FPGA Security User Guide.
In the age of advanced threats, physical security is the foundation of cybersecurity.