Minimal Hardware Access

Physical access options to interfaces that provide access to sensitive device functionality (e.g. DMA capabilities or OS boot) should be removed as far as possible in the production system design. This applies in particular to interfaces which are often used for debugging in development (such as JTAG, SPI, or I2C). If they cannot be removed, they should be disabled logically or make them harder to access (e.g. by using TSOP vs BGA chip beds.

Chips should be designed in a way that relevant communication buses do not run close to the edges.

https://downloads.cloudsecurityalliance.org/assets/research/internet-of-things/future-proofing-the-connected-world.pdf
http://www.uefi.org/sites/default/files/resources/2014_UEFI_Plugfest_06_Phoenix.pdf
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp953.pdf

Minimal Hardware Access

Further Reading: