NXP Security Solutions

Enable compliance and resilience with trusted security, tailored to your needs

Security must be designed in from the start—and sustained across the entire product lifecycle. With regulations such as the EU Cyber Resilience Act (CRA) raising the bar for cybersecurity, embedded designers need a clear way to establish trust at the silicon level and maintain it over time.

NXP EdgeLock® security provides a hardware‑based foundation that enables secure embedded designs from first boot through deployment and in‑field operation. Built on hardware roots of trust, EdgeLock technologies help protect critical security functions while supporting secure boot, device identity, protected communications, and runtime integrity across NXP MCUs, MPUs, and secure elements.

Combined with security enablement tools, lifecycle services, and certification‑ready capabilities, EdgeLock helps engineers right‑size security to their application, reduce integration effort, and support CRA‑aligned requirements for secure design, vulnerability handling, and long‑term resilience.

EdgeLock® Security Built Across the NXP Portfolio: Embedded Protection for Every Design

i.MX 91 Series Applications Processors

NXP energy-efficient applications processors bring essential Linux® capabilities for thousands of Edge applications.

i.MX 93 Applications Processors

NXP's power-efficient applications processors feature AI acceleration and advanced security for next-gen edge computing, now featuring the FRDM-IMX93 development board.

i.MX 8ULP Applications Processor

NXP's applications processor features ultra-low-power processing, real-time domain, and advanced security for connected Edge computing.

i.MX 95 Applications Processor

The i.MX 95 applications processor family delivers safe, secure, power efficient edge computing for use in aerospace, automotive edge, commercial IoT, industrial, medical and network platforms.

i.MX RT1180 Crossover MCUs

i.MX RT1180 is a crossover MCU with a Gb time-sensitive networking (TSN) switch, enabling real-time networking for both TSN-based and industrial real-time communications.

i.MX RT500 Crossover MCUs

Dual-core devices featuring an Arm® Cortex®-M33 and Cadence® Xtensa® Fusion F1 DSP, designed for low power wearable and consumer IoT applications.

i.MX RT600 Crossover MCUs

Dual-core devices featuring an Arm® Cortex®-M33 and Cadence® Xtensa® HiFi4 Audio DSP CPU designed for audio, voice and consumer IoT applications.

i.MX RT700 Crossover MCUs

Features up to five computing cores designed to power smart AI-enabled edge devices such as wearables, consumer medical, smart home and HMI devices.

MCX N Series Microcontrollers

MCX N series are high-performance, low-power microcontrollers with intelligent peripherals and accelerators, providing multitasking capabilities and efficient performance.

MCX E24X Series Connected MCUs

MCX E24 series supports robust operation at 5.5 V for electrically noisy environments and features a 112 MHz Arm® Cortex®-M4F core with up to 2 MB Flash and 256 KB SRAM.

MCX E31 Microcontroller

MCX E31 microcontroller (MCU) is designed for developers creating highly reliable and safe industrial IoT (IIoT) applications.

MCX W Series Microcontrollers

NXP’s microcontrollers offer narrowband connectivity for point-to-point and networked communications.

RW61X Wi-Fi 6 Tri-Radio

RW61x Tri-Radio MCUs and MCX W multiprotocol MCUs offer developers a complete solution for wireless IoT.

LPC5500 Series

The LPC5500 MCU series leverages Arm’s most recent Cortex®-M33 technology, combining significant product architecture enhancements, greater integration and advanced security over previous generations.

EdgeLock® SE050

The EdgeLock SE050, part of the Certified EdgeLock Assurance program, is designed to meet industry standards and follows NXP's security-by-design approach. It has been certified by an independent lab.

EdgeLock® SE052

With the EdgeLock SE052F, devices targeting smart city, smart factory, healthcare and other industrial use cases can provide highly secure functionality while complying with the latest FIPS requirements.

Hardware-anchored security with optional crypto acceleration

The EdgeLock Secure Enclave is a dedicated security unit that provides a hardware root of trust, physical isolation of critical security functions, and secure storage of essential credentials. It protects SoC integrity, prevents application cores from gaining direct access to sensitive data, and provides enhanced isolation for execution of critical and sensitive security functions. For applications requiring very high bandwidth or ultra‑low‑latency encryption and authentication, dedicated EdgeLock® Accelerators complement the enclave by providing application‑level cryptographic performance without compromising the protection of secrets anchored in the enclave.

EdgeLock Secure Enclave

We equip many of our latest generations of MCUs, MPUs and crossover processors with a dedicated security unit, called the EdgeLock Secure Enclave.

What is EdgeLock Secure Enclave?

Learn how the EdgeLock® secure enclave protects the entire system against attacks.

Physical attacks cover a wide range, from invasive techniques to subtle, non‑destructive methods such as side‑channel and fault‑injection attacks. To counter these threats, NXP implements advanced chip‑level tamper‑resistance technologies that help prevent unauthorized access, modification, or device disablement and reduce reliance on additional system‑level protections. The company also builds defenses against logical attacks that exploit software bugs or decision‑making flaws. When combined, physical and logical techniques can simplify attacks overall, enabling remote and automated exploitation.

Resistance against physical and logical attacks

NXP has developed advanced tamper‑resistance technologies designed to make it difficult to bypass security protections.

Trust Provisioning supports CRA essential cybersecurity requirements for secure supply‑chain practices by enabling controlled, traceable, and tamper‑resistant provisioning of unique device identities, certificates, and credentials.

Trust Provisioning

Secure, certified provisioning of root-of-trust keys, credentials and secret data at NXP silicon manufacturing.

Device Hardware Security Module Trust Provisioning

With NXP microcontrollers equipped with the Device HSM trust provisioning feature, OEMs’ assets and their software IP can be transferred securely to production factories.

Smart Card Trust Provisioning

Security enablement for original equipment manufacturers (OEMs) to manage their production process with contract manufacturers (CMs).

EdgeLock 2GO

Securely install keys and certificates into your devices and then keep credentials up to date during the device lifecycle.

NXP offers the SEC Tool and SPSDK to manage processor life‑cycle transitions and credential generation (keys, certificates) during production. In the field, EdgeLock 2GO extends this capability by enabling secure remote connectivity and ongoing lifecycle and key management.

EdgeLock 2GO

NXP’s service platform for provisioning and managing IoT devices.

SEC Tool

GUI-based application provided to simplify generation and provisioning of bootable executables on NXP MCU devices.

Secure Provisioning SDK

Open source development kit with its source code released on GitHub and PyPI.

Quantum computing delivers dramatic gains in processing power but could break today’s public‑key cryptography. To address this, NXP contributes to new cryptographic algorithms, standards, and migration paths that protect current platforms against future quantum threats.

Post-Quantum Cryptography

With new standards, NXP will secure today's classical computing platforms against emerging quantum computing threats.

Securing the Future: An Introduction to PQC

Post-Quantum Cryptography (PQC) is the next frontier in securing digital communications against the power of quantum computing.

NXP’s Post-Quantum Cryptography Strategy

Explore how NXP’s portfolio enables seamless PQC adoption across new and existing products.

Migration Challenges for Embedded Devices

Learn how NXP ensures cryptographic agility is considered from the beginning.

NXP enables robust runtime security and secure update across both MCUs and i.MX application processors. For MCUs, Arm® TrustZone® isolation, Trusted Firmware‑M (TF‑M) secure services, and MbedTLS crypto libraries provide secure boot, authenticated firmware update, and protected runtime execution, all available through the MCUXpresso SDK and security provisioning tools.

For i.MX processors, Arm® TrustZone® forms the foundation of a Trusted Execution Environment (TEE) implemented via OP‑TEE, supporting secure key management, memory protection, and trusted applications. Hardware modules such as Central Security Unit (CSU), Resource Domain Controllers (RDC/XRDC), and TrustZone Address Space Controller (TZASC) further enforce system isolation, while secure and encrypted boot establish a strong chain of trust for firmware updates. Developers can access OP‑TEE, secure boot tools, and security configurations through NXP’s BSPs, Yocto layers, and security documentation.

Secure development tools and resources

MCUXpresso Suite of SW & Tools

The MCUXpresso SDK, IDEs, secure provisioning and configuration tools provide a leading developer experience, speeding up development time with high-quality software and tools for general purpose Arm® Cortex®-M-based products from NXP.

Software Development Kits

The MCUXpresso SDK is a comprehensive software enablement package designed to simplify and accelerate application development with Arm® Cortex®-M based devices from NXP, including its general purpose, crossover and wireless-enabled MCUs.

Secure Provisioning Tool

The MCUXpresso Secure Provisioning Tool is a GUI-based application provided to simplify generation and provisioning of bootable executables on NXP MCU devices.

Configuration Tools

MCUXpresso Config Tools, an integrated suite of configuration tools, is designed to guide customers from first evaluation to production software development.

Application Code Hub

The Application Code Hub (ACH) repository enables engineers to easily find software examples, Zephyr applications and demos for microcontrollers and microprocessors.

Secure Provisioning SDK

NXP provides MCUXpresso Secure Provisioning (SEC) and Secure Provisioning SDK (SPSDK) for trial run and mass production use. Both SEC tool and SPSDK support secure programming and device provisioning on NXP’s microcontrollers and i.MX 9 applications processors at the production stage.

GoPoint for Streamlined Linux Development

Streamline your Linux development with GoPoint for i.MX Application Processors. GoPoint is an intuitive interface that provides developers with easy access to application-specific demos for i.MX processors.

The EdgeLock SE05x Plug & Trust middleware package offers easy integration with different MCUs and MPUs simplifying design-in and reducing time-to-market.

In addition, the GitHub software packages are derivatives of the full Plug & Trust middleware package for specific use cases. For development purposes, still consult the full package as well, as it contains a large number of examples, tools and additional documentation.

  • The Plug and Trust middleware mini package is a subset of the Plug & Trust middleware for Linux use
  • The Plug and Trust middleware nano package is a minimalistic version of the Plug & Trust middleware optimized for constrained devices. It also provides an integration with Zephyr OS and an example of Qi 1.3 authentication

EdgeLock SE05x Plug & Trust Middleware Package

Easy Integration with different MCUs and MPUs

Plug and Trust GitHub

GitHub Software Packages

Plug and Trust Middleware Mini Package

Subset of the Plug & Trust middleware for Linux use

Plug and Trust Middleware Nano Package

Minimalistic version of the Plug & Trust middleware optimized for constrained devices

NXP simplifies compliance while reducing the complexity of security implementation

Stay CRA-Ready with NXP. NXP's compliance and security certifications are supported by NXP's EdgeLock® Assurance Program and validated through a broad range of security compliance certifications.

Our processes support the key principles of the CRA, including:

  • Operating a current Secure Development Lifecycle
  • Implementing robust security testing and vulnerability management
  • Maintaining security across all operations
  • Completing a comprehensive risk management assessment

EU Cyber Resilience Act (CRA)

NXP commits to compliance with all applicable laws and regulations. This includes the Cyber Resilience Act (CRA) as it applies to semiconductors. NXP is actively preparing for CRA implementation.

NXP’s cybersecurity engineering processes are certified as compliant with the industrial cybersecurity standard IEC 62443-4-1, which specifies requirements for the secure development of products used in industrial automation and control systems.

Industrial Security

NXP and its products are designed to be compliant with relevant standards and regulations, including IEC 62443.

Securing Your Industrial Systems with IEC62443

Smart technologies increase productivity and efficiency and reduce costs in manufacturing. However, their autonomous nature also increases the potential attack surface.

The new standard ISO/SAE 21434 provides a well-defined cybersecurity framework and establishes cybersecurity as an integral element of engineering throughout the life of a vehicle, from concept through decommissioning. The policies and processes of NXP have been certified to comply with this standard.

Secure Vehicle Architecture

Modern cars connect to external networks, offering safer, more convenient and enjoyable driving experiences. But this can also leave cars vulnerable to cyberattacks. To mitigate these risks, NXP delivers a comprehensive, multilayer approach for automotive security.

Other Key Standards and Certifications

ISO/IEC 27001
TISAX
CAVP, CMVP
Common Criteria
ISO/SAE 21434
IEC 81001
GSMA SAS

Blog

U.S. Cyber Trust Mark: NXP Is Ready for the Paradigm Shift with EdgeLock® Assurance Program

Featured Resources

Six Steps to Secure Your IP with MCUXpresso SEC

This video explains the importance of IP protection and malware prevention in embedded development. Discover how NXP’s MCUXpresso SEC Tool enables secure bootloader setup in six simple steps.

Cyber Resilience Act (CRA): What it Means for Manufacturers

This video provides an overview of the Cyber Resilience Act (CRA)—a new EU regulation governing digital products—and explains how NXP’s MCX family helps manufacturers meet its requirements. It covers the CRA’s objectives, product categories and conformity obligations.

Secure Boot: Ensuring Trusted Software

This video covers the fundamentals of Secure Boot in embedded systems, showing how it ensures that only trusted, authorized software can run on a device. It explains the roles of authenticity and integrity, how digital signatures and hash functions work, and the practical steps involved in signing and verifying firmware.

FAQ

Even though no company can formally claim CRA conformance yet (notified bodies are not accredited), the CRA explicitly recognizes SESIP-, PSA- and Common Criteria-certified products as ready for conformance. In practice, these certifications, combined with our EdgeLock Assurance program and our IEC 62443 / ISO 21434-certified development processes, already provide customers with the level of assurance expected under the CRA and position NXP as a low-risk, CRA-ready supplier.

A product must comply with the CRA if all three conditions are met:

  1. It is a product with digital elements (hardware/software that processes, stores, or transmits digital data)
  2. It has direct or indirect logical or physical connectivity
  3. It is placed on the EU market (sold or made available as part of a commercial activity)

Additional guidance: The European Commission has published detailed technical descriptions for “Important” and “Critical” product classes under the CRA (Implementing Regulation (EU) 2025/2392), helping manufacturers determine whether their product falls into a higher risk category requiring stricter conformity assessment.

All categories meet the same essential cybersecurity requirements, but the proof mechanism differs:

  • Default category: Self-assessment
  • Important Class I: Self-declaration (if harmonized standards are applied)
  • Important Class II: Third-party conformity assessment
  • Critical: EU certification (e.g., EU Common Criteria)

Secure Boot is essential, but not sufficient on its own for CRA compliance. Secure Boot contributes to protecting software integrity, which is required by the CRA, but CRA compliance also requires additional capabilities such as:

  • Secure configuration
  • Data protection
  • Secure updates
  • Access control
  • Monitoring
  • Vulnerability handling
  • Lifecycle security processes

Each requirement must be addressed based on a product-level risk assessment, and manufacturers must justify any measures that are not implemented.

CRA conformance means demonstrating that a product meets the Essential Cybersecurity Requirements of the Cyber Resilience Act and is therefore eligible for the CE mark, which is required for selling products in Europe. To achieve CRA conformance, manufacturers must:

  • Conduct a risk assessment covering all essential cybersecurity requirements and justify how each requirement is implemented (or why it is not applicable).
  • Implement a vulnerability management system and maintain a complete SBOM.
  • Perform a conformity assessment and keep all supporting evidence for up to 10 years after placing the product on the market.
  • Provide users with information on residual risk, intended use, support conditions, and vulnerability-handling processes.
  • Prepare full technical documentation (standards, tests, evidence).
  • Sign the Declaration of Conformity (DoC) and affix the CE mark.

A product can only be considered CRA conformant when all these steps have been fully completed.