Initial Secure Boot in Manufacturing for Apalis iMX6

I am working on designing a carrier board for a custom product that will use the Apalis iMX6. Our manufacturing team needs a way to flash the iMX6 with our software for the initial install into the product. Cyber security is a big concern for our product, and we noticed that there was no mention of a Secure Boot and there is no JTAG header on the SOM. Is there a recommended way to securely flash our initial proprietary software to the iMX6 in manufacturing without creating a cyber security risk?

Greetings @jcorey018,

At Toradex we do not have a unique mechanism for secure boot. Typically we recommend customers to use the SoC provided feature of NXP’s “High Assurance Boot” (HAB). More information about this feature can be found in this application note from NXP: https://www.nxp.com/docs/en/application-note/AN4581.pdf

As for secure flashing of your software once an i.MX SoC has been locked via HAB it is only possible to flash and boot software that has then been signed as part of the HAB process. I’m not sure if this quite fulfills what you are looking for but if you could provide more details on your requirements/use case I’d be happy to try and recommend what might be best.

Best Regards,
Jeremias

Apalis modules have a JTAG pads. Please check chapter 5.26 JTAG of https://docs.toradex.com/101770-apalis-imx6-datasheet.pdf