I never looked deep into the boot process of a Raspberry Pi, but it looks decently well documented here. https://deepwiki.com/raspberrypi/firmware/2-boot-process

There's a ROM that kicks off the whole process. As the name implies, this is Read Only, so in order for it to be backdoored, it'd have to be done at the factory. I'll also note that it's a pain in the ass to write a payload when the hardware isn't configured yet. Still, it's a binary blob that we don't have access to and can't change. Attacking this would be done via a malformed SD card image, with a needed up partition table or something.

The next stage is bootcode.bin, which is loaded from the SD card. At this point, I believe it'd be possible to put your own bootloader there and control the rest of the boot process. I don't know if anyone has done that much work, but if you want as much of a guarantee as possible, that's going to be your best path. I don't think it'd be worth that level of effort, but we all have our own opinions on that.

In my opinion, here's what would make the most sense for analyzing seedsigner in particular. Read the python code looking for any logic errors. Build your own image and flash it. I'd stop there, but you could go one step further and inspect the contents of the SD to basically reverse engineer it to verify it's doing what is expected.

Obviously most people won't have the skills to do this analysis, but you could hire someone you trust to be competent to do this analysis. Most likely it'll result in no major findings, but what you're really paying for is the ability to have confidence in the system.

All of this is looking for errors or malicious code. And if someone gains covert access to your SD card, they could flash on a malicious firmware image. If you are using hardware without and wireless chips, they'd have to have their payload record a secret to the SD card and them gain physical access again. This "someone flashing a malicious image onto your SD card" is by far the easiest way for an attacker to get your secrets from a seedsigner. It may take the form of infecting your computer to modify the tools used to build the image that you flash on there, but the key is to get you to run code that is not the legit seedsigner code.

Deep analysis of the boot process is masive overkill as compared to having a multi-sig setup with three (or more) different signing devices (as in, different models, different manufacturers, etc.).

At the end of the day, it doesn't make sense to spend $80,000 to audit a raspberry pi that holds 1BTC. And if you have a fat stack, I'd suggest the multi-sig approach. I mean, if you want to pay to audit all of these things, more power to you though! Maybe have them publish the report if you do? 🙏😂