Hi,
Our iMXRT1060 product runs with a bootloader of our design. The delivered units will be HAB authenticated (closed), with the SRK + SEC_CFG eFuses active. In this state, the device starts and runs the signed bootloader normally, which means vectoring to an active flash bank that will run the main app.
Firmware updates for the main app are via a flash card. The boot process is put into MSD mode and a new signed image is written to the SD card; the bootloader identifies this, writes the image to the available flash bank, then flips banks. The new image is executed and the previous bank becomes available.
The problem is that the new firmware image is not authenticated: a plain image runs the same as a signed image. I have looked at your security documents, AN12681, AN12079, RT1050 HAB Encrypted, IMXMCUMFUUG, etc. They all refer to the use of your serial boot utility tools, SPTool, MCUBootUtilityTool, MfgTool, blhost.exe, etc. As you know, these serial boot tools can only be used once. When the HAB is closed they have no further use.
Can you please show an example of how firmware update images can be authenticated programmatically, so that security is maintained?
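Added example (not code from this thread or from NXP): a bootloader-side check that hands the image sitting in the inactive flash bank to the boot ROM's HAB4 API (the RVT's entry, authenticate_image, report_status and exit calls) before the bank flip, so a plain image is rejected and only a HAB-signed one is run. The RVT base address, the IVT offset inside the bank, the caller id value and the host-side stub RVT used to exercise the logic are assumptions or constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#define HAB_SUCCESS    0xF0u   /* HAB4 status and config codes from the HAB API */
#define HAB_CFG_CLOSED 0xCCu
#define HAB_CID_APP    1u      /* caller id for non-ROM code (the value U-Boot uses; assumption) */
#define IVT_TAG 0xD1u          /* IVT header bytes: tag, big-endian length, version 0x4x */
#define IVT_LEN 0x20u
/* HAB4 ROM Vector Table, pointer slots in ROM order; the caller supplies the RVT base address. */
typedef struct {
    uint8_t hdr[4];
    uint8_t (*entry)(void), (*exit)(void);
    void *check_target;
    void *(*authenticate_image)(uint8_t cid, ptrdiff_t ivt_off, void **start,
                                size_t *bytes, void *loader);
    void *run_dcd, *run_csf, *assert_, *report_event;
    uint8_t (*report_status)(uint8_t *config, uint8_t *state);
    void *failsafe;
} hab_rvt_t;
/* Authenticate an update image in place; returns the verified entry point or NULL to reject. */
void *authenticate_update(const hab_rvt_t *rvt, const uint8_t *img, size_t len, size_t ivt_off)
{
    if (ivt_off + IVT_LEN > len) return NULL;
    const uint8_t *ivt = img + ivt_off;
    if (ivt[0] != IVT_TAG || ivt[1] != 0 || ivt[2] != IVT_LEN || (ivt[3] & 0xF0) != 0x40)
        return NULL;                                     /* no HAB4 IVT: a plain image */
    if (rvt->entry() != HAB_SUCCESS) return NULL;
    void *start = (void *)img; size_t bytes = len;
    void *entry = rvt->authenticate_image(HAB_CID_APP, (ptrdiff_t)ivt_off, &start, &bytes, NULL);
    uint8_t cfg = 0, state = 0, st = rvt->report_status(&cfg, &state); /* SUCCESS iff no events */
    rvt->exit();
    /* On an open part HAB only logs a warning and still returns an entry, so a non-NULL result
     * proves nothing by itself: require closed config, an empty event log, entry inside image. */
    if (entry == NULL || st != HAB_SUCCESS || cfg != HAB_CFG_CLOSED) return NULL;
    return ((const uint8_t *)entry >= img && (const uint8_t *)entry < img + len) ? entry : NULL;
}
/* Constructed host-side stand-in for the ROM RVT (no real HAB): a non-zero IVT.csf pointer
 * counts as "signed", and the part reports itself closed with no events logged. */
static uint8_t stub_ok(void) { return HAB_SUCCESS; }
static void *stub_auth(uint8_t cid, ptrdiff_t off, void **start, size_t *bytes, void *ld) {
    const uint8_t *csf = (const uint8_t *)*start + off + 24;  /* IVT.csf field */
    (void)cid; (void)bytes; (void)ld;
    return (csf[0] | csf[1] | csf[2] | csf[3]) ? (uint8_t *)*start + IVT_LEN : NULL;
}
static uint8_t stub_status(uint8_t *c, uint8_t *s) { *c = HAB_CFG_CLOSED; *s = 0xAA; return HAB_SUCCESS; }
static const hab_rvt_t stub_rvt = { {0xDD, 0, 0, 0x40}, stub_ok, stub_ok, 0, stub_auth, 0, 0, 0, 0, stub_status, 0 };
/* Build a 64-byte image with its IVT at offset 0; returns 1 if the bootloader would run it. */
int update_accepted(int signed_image) {
    uint8_t img[64] = { IVT_TAG, 0x00, IVT_LEN, 0x41 };
    img[24] = signed_image ? 0x10 : 0x00;                /* IVT.csf low byte, little-endian */
    return authenticate_update(&stub_rvt, img, sizeof img, 0) != NULL;
}
```

On the real part the stub is replaced by a pointer to the ROM's RVT, and the image passed in is the XIP bank just written from the SD card, so the flip happens only when this returns a non-NULL entry.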
Even in HAB, it is possible to access Serial Downloader mode; it can be deactivated by burning certain fuses.
A signed image can be generated through tools like elftosb and then you can put it on your device: User Guide - nxpimage — SPSDK documentation.
If Serial Download is not available, you will need to write the image directly to your device without the use of the ROM as those tools do.
If you have more questions do not hesitate to ask me.
Best regards,
Omar