MCX A secure/signed mode in rom bootloader?

dav1 · ‎02-10-2026

Lets assume we want to design a system using MCX A-series that uses the ROM bootloader feature for end-customer firmware upgrades.

Upgrades could happen via web-serial->usb or in-system updates via UART from another mcu, both talking directly to the rom boot code.

I haven't looked in detail whats available in the newer MCX-series rom implementation, but the questions are:

is there a way to require a signed binary when using ROM boot?
- i.e. write "otp-keys" to flash and force the bootloader to only accept valid binaries to be written
are there ways to prevent raw reads from flash while still having erase/write enabled?

in my case mcu pick would be: MCXA156VPJ

ps. fully aware I can write my own 2nd stage BL to achieve this, but the whole point here is to design a simple + brick-proof system.

Alice_Yang · ‎02-11-2026

Hello @dav1

The MCXA series does not support secure or signed mode in the ROM bootloader.
Please consider using the MCXN series, which does support this feature.

Thank you.

BR

Alice

dav1 · ‎03-04-2026

1)

the N-series are too expensive for the application.
what other mcx'es do support secure rom-boot?

2)

are you 100% sure there isn't a way to achieve a secure update-path on A-series?