Retr0id 8 hours ago

The OTA firmware update keys ideally shouldn't be the same as the secure boot keys.

jcgl 21 minutes ago

…how do the updates get booted then?

bigfatkitten 7 minutes ago

ROM bootloader loads a second stage bootloader. The ROM bootloader verifies that the second stage loader is signed with keys fused into the MCU. The second stage bootloader in turn verifies application images shipped by the vendor, using a different set of keys.

When the vendor discontinues support for the device, they make available to their customers an optional signed update to the second stage bootloader that allows any application image to run, not just images signed by the vendor. They make it so this update can only be installed with some sort of local interaction with the device, not automatically over the air.

Devices in the field running ordinary OEM firmware continue to be protected from malicious OTA updates. Customers who wish to unlock their devices also have the means to do so.
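The boot chain described in the comment above, as an added example that is not part of the thread or of any vendor's firmware: a mask ROM holding a fused key checks the second-stage loader, the second-stage loader holds a separate vendor key for application images, and an "unlock" second stage signed with the fused key accepts any application but is refused unless installed locally. Ed25519 stands in for whatever signature scheme a real MCU uses, all keys are generated on the spot, and the image layout (one policy byte plus an optional 32-byte key) is an assumption made for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Image is a flash blob: payload plus a detached Ed25519 signature over it.
type Image struct {
	Payload []byte
	Sig     []byte
}

// Sign builds a signed Image (constructed helper standing in for the vendor's signing tool).
func Sign(priv ed25519.PrivateKey, payload []byte) Image {
	return Image{Payload: payload, Sig: ed25519.Sign(priv, payload)}
}

// Stage2 is the parsed second-stage bootloader policy. A locked stage 2 carries the
// vendor's application key; an unlocked stage 2 carries none and boots any application.
type Stage2 struct {
	Unlocked bool
	AppKey   ed25519.PublicKey
}

// EncodeStage2 serialises the policy: one flag byte, then the 32-byte app key if locked.
func EncodeStage2(s Stage2) []byte {
	if s.Unlocked {
		return []byte{1}
	}
	return append([]byte{0}, s.AppKey...)
}

// RomBoot models the mask ROM: accept a stage-2 image only if its signature verifies
// under the fused key, then parse the embedded policy.
func RomBoot(fused ed25519.PublicKey, img Image) (*Stage2, error) {
	if !ed25519.Verify(fused, img.Payload, img.Sig) {
		return nil, errors.New("ROM: stage-2 signature does not verify under fused key")
	}
	if len(img.Payload) == 0 {
		return nil, errors.New("ROM: empty stage-2 payload")
	}
	if img.Payload[0] == 1 {
		return &Stage2{Unlocked: true}, nil
	}
	if len(img.Payload) != 1+ed25519.PublicKeySize {
		return nil, errors.New("ROM: malformed stage-2 policy")
	}
	return &Stage2{AppKey: ed25519.PublicKey(img.Payload[1:])}, nil
}

// BootApp models stage 2: a locked loader requires the vendor signature, an unlocked one does not.
func (s *Stage2) BootApp(app Image) error {
	if s.Unlocked {
		return nil
	}
	if !ed25519.Verify(s.AppKey, app.Payload, app.Sig) {
		return errors.New("stage2: application signature does not verify under vendor key")
	}
	return nil
}

// InstallStage2 models the update path: an unlocking image is refused unless the
// install is driven locally, so it can never arrive as an ordinary OTA update.
func InstallStage2(fused ed25519.PublicKey, img Image, local bool) (*Stage2, error) {
	s2, err := RomBoot(fused, img)
	if err != nil {
		return nil, err
	}
	if s2.Unlocked && !local {
		return nil, errors.New("update: unlock image refused over the air; local install required")
	}
	return s2, nil
}

// Demo runs each scenario with freshly generated (constructed) keys and reports the outcomes.
func Demo() (map[string]bool, error) {
	fusedPub, fusedPriv, err := ed25519.GenerateKey(rand.Reader) // secure-boot key fused in the MCU
	if err != nil {
		return nil, err
	}
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader) // vendor's OTA application key
	if err != nil {
		return nil, err
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // a third party's key
	if err != nil {
		return nil, err
	}
	locked := Sign(fusedPriv, EncodeStage2(Stage2{AppKey: vendorPub}))
	unlocked := Sign(fusedPriv, EncodeStage2(Stage2{Unlocked: true}))
	vendorApp := Sign(vendorPriv, []byte("vendor app v1"))
	otherApp := Sign(otherPriv, []byte("third-party app"))

	res := map[string]bool{}
	s2, err := RomBoot(fusedPub, locked)
	if err != nil {
		return nil, err
	}
	res["locked_boots_vendor_app"] = s2.BootApp(vendorApp) == nil
	res["locked_rejects_other_app"] = s2.BootApp(otherApp) != nil
	// A stage 2 signed with the OTA key instead of the fused key must not pass the ROM.
	_, err = RomBoot(fusedPub, Sign(vendorPriv, EncodeStage2(Stage2{Unlocked: true})))
	res["rom_rejects_stage2_signed_with_ota_key"] = err != nil
	_, err = InstallStage2(fusedPub, unlocked, false)
	res["unlock_refused_over_ota"] = err != nil
	u, err := InstallStage2(fusedPub, unlocked, true)
	if err != nil {
		return nil, err
	}
	res["unlocked_boots_other_app"] = u.BootApp(otherApp) == nil
	return res, nil
}

func main() {
	res, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for k, v := range res {
		fmt.Printf("%s: %v\n", k, v)
	}
}
```

The point the split keys buy is visible in the third scenario: compromise of the OTA signing key lets an attacker ship application images, but it never lets them replace the second stage, so the field fleet's unlock policy stays under the fused key's control.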