tools: k3_gen_x509_cert: Set default early HS JTAG access to disabled

When authenticating the initial boot binary the ROM will check a debug
type value in the certificate and based on that open JTAG access to that
core. This only effects HS devices as non-HS device ROM allows JTAG
by default.

This can be useful for HS developers working in the early boot stage,
before SYSFW is loaded. After that point the JTAG access can be
changed based on board configurations passed to SYSFW.

This access can also be a large security problem as JTAG access on
HS devices can be used to circumvent the chain-of-trust controls.
Accidentally leaving this open defeats the security on HS, due to this
change the default to disabled.

This should only effect those working on early HS boot code, which
is a limited crowd who will already know how to re-enable this access
as needed.

Signed-off-by: Andrew F. Davis <afd@ti.com>

diff --git a/tools/k3_gen_x509_cert.sh b/tools/k3_gen_x509_cert.sh
index c6361720d36c2c8cdafe5e7509236aa7ee8e6858..298cec13137a5d85d1e03f2fadb268f992fe8a9e 100755 (executable)
--- a/tools/k3_gen_x509_cert.sh
+++ b/tools/k3_gen_x509_cert.sh
@@ -12,7 +12,7 @@ RAND_KEY=eckey.pem
 LOADADDR=0x41c00000
 BOOTCORE_OPTS=0
 BOOTCORE=16
-DEBUG_TYPE=4
+DEBUG_TYPE=0
 
 gen_degen_template() {
 cat << 'EOF' > degen-template.txt
@@ -152,7 +152,7 @@ options_help[k]="key_file:file with key inside it. If not provided script genera
 options_help[o]="output_file:Name of the final output file. default to $OUTPUT"
 options_help[c]="core_id:target core id on which the image would be running. Default to $BOOTCORE"
 options_help[l]="loadaddr: Target load address of the binary in hex. Default to $LOADADDR"
-options_help[d]="debug_type: Debug type, set to 0 to disable early JTAG. Default to $DEBUG_TYPE"
+options_help[d]="debug_type: Debug type, set to 4 to enable early JTAG. Default to $DEBUG_TYPE"
 
 while getopts "b:k:o:c:l:d:h" opt
 do