Brussels / 31 January & 1 February 2026


Build Once, Trust Always: Single-Image Secure Boot with barebox


Secure-boot projects often end up with a zoo of nearly identical bootloader images for development, factory, and field use, with each variant adding more risk.

This showcase illustrates how to avoid this entirely: one bootloader image that adapts securely to each lifecycle stage using fuse-based state transitions, device-bound unlock tokens, and policy-driven access control.

With barebox and OP-TEE, we’ll show how these mechanisms enforce secure operation while still allowing controlled debugging and recovery, without ever maintaining multiple images.

Speakers

Ahmad Fatoum
