i.MX RT1060 encrypted boot with MCUBoot and Zephyr

jnaczyk · ‎08-12-2025

Hello,

I am currently working on a project that is going to use i.MX RT1060 with external FLASH. The goal is to utilize encrypted boot (XIP from external FLASH) and MCUBoot to provide means for update. The ultimate goal of this encrypted boot is to protect the content residing on the external FLASH so that noone is able to easily download and analyze the content of the FLASH.

I came across of dozens of materials and demos that would explain the usage of the BEE, but usually they describe the scenario in which we provision the board with the encrypted image, without an option for convenient update (using i.e. MCUBoot).

Could you please help me find materials that could be useful for my use-case (if there are any) or provide any tips on how to do that?

Omar_Anguiano · ‎08-13-2025

Unfortunately, there are no specific materials for this. If the image is encrypted, then your bootloader must consider the headers for it. This document details how to generate the encrypted image as well as how it is composed: Implement Second Bootloader on i.MX RT10xx Series

MCUBoot has the option to use and update an encrypted image; however, If I understood correctly, it uses decryption by sw instead of BEE: mcuboot | Secure boot for 32-bit Microcontrollers!

BR,
Omar

i.MX RT1060 encrypted boot with MCUBoot and Zephyr

i.MX RT1060 encrypted boot with MCUBoot and Zephyr

i.MXRT 106x