wolfSSL is excited to announce that wolfBoot, our secure bootloader, now supports NXP’s MCX A and MCX W microcontroller families. This means developers can bring wolfBoot’s robust secure boot and firmware update capabilities to NXP’s latest low-power and wireless-enabled chips. The MCX A and MCX W series are NXP’s next-generation Arm Cortex-M33 based MCUs, designed for edge and IoT applications. Some topics we will explore today include:
- Secure boot and firmware authentication
- MCX A and MCX W series support in wolfBoot
- TrustZone-M support: supervising security
- Quantum-resistant cryptography
- Hybrid Dual-signature authentication
The MCX A series delivers a cost-effective, small-footprint MCU solution with autonomous, low-power peripherals for a wide range of industrial and IoT uses?.
The MCX W series, on the other hand, builds on that foundation by adding integrated wireless connectivity – a unified, pin-compatible platform supporting standards like Matter, Thread, Zigbee, and Bluetooth LE.?
Notably, the MCX W devices also incorporate NXP’s EdgeLock secure enclave technology, providing a built-in hardware security core (a hardware root-of-trust) for key storage and cryptography.?
These new MCUs combine efficient performance, ultra-low power operation, and advanced security features, making them an ideal match for wolfBoot’s secure boot capabilities.
With wolfBoot now running on MCX A and MCX W devices, manufacturers and developers using these chips can ensure that only authenticated, trusted firmware runs on their hardware. wolfBoot performs cryptographic signature verification of firmware at boot time, preventing unauthorized or malicious code from taking control of the device. This addition expands wolfBoot’s platform support and underscores our commitment to securing even the most resource-constrained embedded systems.
Coming soon, WolfSSL will further integrate wolfBoot with the TrustZone-M and hardware security features of the MCX family. In practical terms, this upcoming enhancement will allow wolfBoot to act as the TrustZone-M secure supervisor on these microcontrollers – running in the isolated secure world while the main application runs in the non-secure domain. By leveraging TrustZone, wolfBoot can maintain control over critical security resources: for example, cryptographic keys and operations can be confined to the secure domain. wolfBoot uses this isolation to implement a kind of lightweight hypervisor, meaning applications in the non-secure domain can invoke cryptographic functions without ever directly accessing the secret keys?.
This architecture greatly enhances security – even if an application or network-exposed code is compromised, the attacker cannot extract or misuse the most sensitive assets. Additionally, wolfBoot will make use of the MCX hardware root-of-trust capabilities (such as the EdgeLock secure enclave on the MCX W series) to anchor the boot process in silicon. This hardware-based trust anchor will let wolfBoot verify firmware authenticity using keys stored in tamper-resistant memory and even interface with secure key management services?.
The result is an extremely robust secure boot chain that takes full advantage of the MCX series’ built-in security features.
Another key advantage of wolfBoot on NXP MCX is its forward-looking cryptography, which is increasingly important for longevity in IoT products. wolfBoot already supports several post-quantum cryptography (PQC) signature algorithms – the kinds of digital signatures designed to withstand attacks by quantum computers. This includes hash-based signature schemes like LMS (Leighton-Micali Signature) and XMSSML-DSA, the newly standardized module-lattice-based signature algorithm (derived from the CRYSTALS-Dilithium PQC scheme)?.
These algorithms are quantum-resistant, meaning that unlike RSA or ECC, they are not known to be breakable by quantum computing. This is a critical consideration for future-proofing devices: experts warn that a sufficiently powerful quantum computer could one day defeat classical cryptography by solving the mathematical problems underpinning RSA/ECC much faster than a classical computer?.
By adopting PQC signatures, wolfBoot ensures that devices can remain secure even in a post-quantum future where older algorithms might be vulnerable.
What’s more, wolfBoot supports a hybrid dual-signature approach to firmware authentication.
In hybrid mode, each firmware image can be signed with both a traditional algorithm (e.g. ECDSA or RSA) and a post-quantum algorithm (like LMS or Dilithium). wolfBoot will verify both signatures, and it only boots the new firmware if both cryptographic checks pass. This dual-signing strategy provides defense-in-depth during the transition to PQC. Even if one of the signature algorithms were to be compromised (for instance, a future quantum breakthrough against ECC, or an unforeseen weakness in a new PQC scheme), the second signature still stands as a guardrail. Hybrid signatures also help with adoption: they allow new devices to be compatible with existing classical cryptography infrastructure while gradually introducing PQC, offering a graceful migration path?. wolfBoot’s support for hybrid authentication means developers don’t have to choose between today’s standards and tomorrow’s security – they can have both, ensuring firmware updates are secure against both conventional and quantum threats.
By extending wolfBoot to the NXP MCX A and MCX W families, WolfSSL is empowering developers to build the next generation of connected devices with strong confidence in their boot security. These MCUs are built to drive innovation in smart home gadgets, industrial sensors, wearables, and more – and with wolfBoot, each of those devices can boot up safely, verify its software integrity, and even perform field updates securely with minimal overhead. The combination of NXP’s silicon (with its low-power efficiency, wireless connectivity, and built-in security) and wolfBoot’s advanced secure boot features (from TrustZone supervision to post-quantum signatures) offers a powerful platform for long-term, resilient IoT deployments. As support for TrustZone-M and hardware root-of-trust on MCX devices rolls out, wolfBoot will fully harness the security architecture of these chips – essentially acting as a guardian in the secure world that oversees and protects the entire system from reset to runtime. With optional post-quantum and hybrid signature verification, wolfBoot on MCX is not only securing today’s devices but also future-proofing them for the cryptographic challenges of the years ahead.
WolfSSL’s focus remains on providing easy-to-use, strong security solutions for embedded developers. If you are developing on NXP’s MCX microcontrollers or are interested in bolstering your device’s boot security (with features like TrustZone isolation or quantum-resistant crypto), now is a great time to explore wolfBoot. Feel free to reach out to us at facts@wolfSSL.com to learn more, get sample projects for MCX A/W, or discuss how wolfBoot can help secure your next project. We’re excited to see what innovations the community will build on these new NXP platforms – and even more excited that wolfBoot will be there to keep those devices secure from the moment they power on.
If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
Download wolfSSL Now