We are attempting to disable both UART and NVJTAG.
We are trying to disable all UART connections. We already attempted to disable the GPIOs in the PinMux and we removed the console parameters from the kernel command line. The console is disabled once the kernel boots, but we are trying to disable it during cboot and uboot as well. I attempted to add CONFIG_SILENT_CONSOLE=y to the uboot config but the uboot output is still seen on the UART serial console. Is there a config we can make to disable this completely?
The other suggestion we have been given is to disable NVJTAG to close it as an attack surface. We know the ARM JTAG is disabled when we burn the fuses in production mode but the team doing tests were able to see traffic on the NVJTAG pads. We have seen in some documentation that there is a FUSE_OPT_NVJTAG_PROTECTION_ENABLE fuse but we are not sure where it is accessible to be set. Has anyone ever set this fuse? We are trying to avoid attackers being able to access the scan chain.
We are using a custom board. This is for disabling UART and NVJTAG on our production units that get shipped to customers; we keep them enabled on our dev and test units for debugging the solution. We are disabling them because of security requirements that we are following.
We have referred to that solution, and it works to disable UART in the kernel. But we need to disable it from the start. If we follow that guide, cboot and uboot are both still writing to the console; we need to disable all IO from the board other than our solution API.
Well, I created this topic for disabling any debug IO on production units for security. UART is one part, and NVJTAG is the other. ARM JTAG is disabled when we burn the secure boot and production fuses.