> How do you do this on modern commodity hardware without secure boot?
It’s not necessarily easy without Secure Boot, sadly. The actual straightforward solution is boot ROM. It would be nifty if someone made SD cards, eMMC devices and such meant for this use case for independent use. Most Android vendors manage to use boot ROM.
How do you do this on modern commodity hardware without secure boot?
Or do you assume something in the category of embedded systems that allow you to blow some efuses to get similar trusted boot?