If the developers really wanted to you have the key, they could just write the per device unique key in the box or on the pcb. What you’re suggesting is more or less possible, the problem is you represent a very niche case. 99.9% of consumers don’t want to reprogram a chip already soldered to a board and it’s not worth the time catering to them. Also some IOT devices are left in physically insecure places like on the exterior of the home, you’d never want some to be able to extract the firmware key or re-flash those devices.
This is explicitly for IoT manufacturers that want to lock out people easily modifying a device (or bringing it back to life after it receives an "update of death") or the kinds of industrial customers that need to check a box for a cybersecurity audit.
These IoT manufacturers keep making all of these new products but the thing is, an ESP32 from several years ago is not that much different than one from today. They don't need much compute, anything difficult can take place on the cloud. So how do you sell someone new hardware if the first gen device is still perfectly capable? How do you sell a premium version if it's just the same parts inside? For the former, you can EoL a product by blocking it from cloud services (like Nest this week). If the firmware is locked, a hobbyist can't just flash modified gen 2 firmware and have the device functioning like normal. For the latter, you can lock the bootloader firmware so that it will only load the firmware that you want it to run (i.e. the basic or premium version).
When you say “this is explicitly for iot manufacturers…” are you referring to secure boot? That’s what I was referring to. I’ve done embedded development for about a decade, 6 at an IOT company, and our main motivation for using secure boot was to keep our firmware secure. The last thing we want is someone writing an article on the internet about how with this one easy trick you can break the security of the device and do whatever you want ( the devices are related to access control). If the company went out of business we’d have the option of publishing the signing key but it’d render all the devices vulnerable to malicious OTAs. Point is we’re not trying to lock folks out of tinkering, we’re trying to keep the devices secure. I understand as a side effect it means you can’t flash the device to whatever you want.
Also for what it’s worth these ESP chips are unbelievably cheap when bought at scale. The box the product comes in is probably more expensive
You obviously apply to the latter of my first paragraph. There are certainly applications where a device absolutely cannot be modified because then it defeats the purpose (i.e. security systems). What I'm talking about is something like a zigbee widget where it's job is non-critical. Not allowing user OTA updates is probably a good idea but preventing any changes to firmware for a non-critical device seems questionable.
