Yes, locked and encrypted, like all Motorola devices, but the way the OMAP dual core security is setup it is actually the mbmloader that contains the digital signature that is checked against the OTO bits on the OMAP SoC itself or what you defined as the boot ROM and is often referred to as an E-fuse.
There is a special bootloader that allows mbmloader flashing that is part of every firmware update and both types of mbmloader.bin HS (Hardware Secure/stock) and NS (Non Secure/engineering) are included. The updater-script checks the ro.secure status of the target board and flashes the appropriate mbmloader for the device. The mbm (bootloader) is the same for both types of hardware.
The other components of the boot chain are also signed, in particular the cdt.bin, and are incremented by upgrades with new signatures and cannot be reverted to prior versions.
If you are unfamiliar with the security on Motorola devices, as would be assumed by your question, then you are in for a major challenge and a very steep learning curve perhaps.