- Production config, where all the default secure boot options are enabled and it has its own private key that is kept in a secret. Images are signed remotely.
- Development config, where we have a separate dev key, and UART ROM Download, JTAG and eFuse modifications are enabled.

The documentation is somewhat unclear. It says that the bootloader cannot be updated in one place (item 5 of "How To Enable Secure Boot V2") and implies that the bootloader can be updated in another (item 1 of "Restrictions after Secure Boot is enabled").

My assumption is that if the UART ROM download is enabled, we can update the bootloader as long as it is signed with the same private key that was used to enable the secure boot the first time?