MCX A secure/signed mode in rom bootloader?


596 Views
dav1
Contributor V

Let's assume we want to design a system using MCX A-series that uses the ROM bootloader feature for end-customer firmware upgrades.

Upgrades could happen via web-serial->usb or in-system updates via UART from another mcu, both talking directly to the rom boot code. 

I haven't looked in detail at what's available in the newer MCX-series ROM implementation, but the questions are:

  • is there a way to require a signed binary when using ROM boot?
    • i.e. write "otp-keys" to flash and force the bootloader to only accept valid binaries to be written

  • are there ways to prevent raw reads from flash while still having erase/write enabled?

 

in my case mcu pick would be: MCXA156VPJ

 

 

ps. fully aware I can write my own 2nd stage BL to achieve this, but the whole point here is to design a simple + brick-proof system.

2 Replies

565 Views
Alice_Yang
NXP TechSupport

Hello @dav1 

The MCXA series does not support secure or signed mode in the ROM bootloader.
Please consider using the MCXN series, which does support this feature.

https://www.nxp.com/products/processors-and-microcontrollers/arm-microcontrollers/general-purpose-mc... 

Thank you.

BR

Alice


431 Views
dav1
Contributor V

1)

the N-series are too expensive for the application.
what other mcx'es do support secure rom-boot?

 

2)

are you 100% sure there isn't a way to achieve a secure update-path on A-series?
