Thank you for sharing your insights in this forum and how contibutions are handled. I wish I could share some working code, but the problem here is, that the hardware as it is delivered today isn't in the condition to run secure code as the relevant fuses are burnt by paul's fixture, so that the hardware runs as "non secure" device. For High Assurance Boot to work it needs a device that can be "closed" after provisioning it with the hash of "super root keys" in order to become a "secured device". So in order to write some working code, that can be shared, it needs a device that is not locked when shipped.
Paul mentioned somewhere, that he could imagine to provide special boards with only those fuses burnt that are relevant for the hardware configuration, but security related fuses still open. He mentioned also, that those boards, if ever existing, will clearly be marked as such.
So the question to Paul is how much effort it takes to adapt his fixture, to not burn the security related fuses and whether he is willing at all to build those boards.
I would also like to discuss with him, whether he has any plans or ideas for code security and what degree of openness he can imagine imagine to provide for his chips, which definately depends on the prospective goals of his product and is thus dependent on various factors. So todays driving factor seams to be uncomplicated usability by the average killed user. That's also a reason why it is supported by the arduino IDE. A main goal seams to be, that the devices cannot be bricked easily by any mistaken code.
In my opinion it is not easy for a average experienced developer to mistakenly burn fuses so that the device gets bricked. The reason is that NXP / Freescale provided their chips with a special unlocking mechanism "In order to avoid rogue code performing erroneous writes to OTP" as they say. But on the other hand, if locks are left open, you definately can brick your device trying to burn fuses. Another way to brick your device is to provision it with a public key and loosing your matching private key. In this case you are no longer able to update the software.
So my suggestion is to provide a fool-proove solution, maybe a library or special firmware image, that allows the unexperienced user to perform the write of selected fuses with values that might be validated by the firmware/lib. This could be an option to prevent a lot of users destroying their devices when trying to apply secure boot.
A real life analogy is that you can by a car and if you, for example, try to perform a chip-tuning by yourself, you will probably brick your car, if you are not experienced and absolutely sure what you do. So if you want a chip-tuning for your car you need an experienced repair shop which has the proper tools to do the job. Also if you loos the keys to your car, you cannot drive it anymore. Anyway the manufacturers sell cars with all those options to brick it.
So having said all this, I hope Paul can answer to this thread.