I am currently working with the i.MX RT1020 board.
The current boot image is configured as an XIP image. However, part of the image—specifically the region between 0x6002_0000 ~ 0x6003_0000—is designed to be copied into SDRAM during runtime. After the copy, execution jumps to the entry point within SDRAM.
This SDRAM-resident code includes logic to communicate with a host PC (e.g., via Ethernet) to download a new firmware segment. Based on the received data, it performs a firmware update by overwriting the corresponding region in external Flash (0x6002_0000 ~ 0x6003_0000).
My concern arises because the Flash content is originally stored in encrypted form, and I have enabled BEE (Bus Encryption Engine) for on-the-fly decryption of this region during XIP.
In this setup, if I use a standard function like flexspi_nor_flash_program() (as provided in the SDK examples) to program the updated image from SDRAM to Flash, will the data be stored in encrypted form?
Or, do I need to manually encrypt the data using the same AES algorithm and key configuration before calling flexspi_nor_flash_program(), to ensure the Flash contents remain encrypted?
In the RM (RT1020 reference manual), section 7.10, the BEE is clearly described as an on-the-fly decryption engine, and there is no mention of encryption support during write operations. This raises concerns about secure firmware update handling in field deployments.
Could you please confirm:
Whether the Flash programming API will automatically encrypt the written data under BEE,
Or if the application must manually encrypt data before writing, in order to maintain BEE compatibility.
Thank you in advance for your support.
BEE only decrypts, so the written data must be encrypted externally.
Best regards,
Omar