Won't work. See the modification of Cisco hardware intercepted between manufacture and delivery.
Open-source the whole stack. Require access to reflash the firmware securely by independent means.
Previously I would have thought this a pipedream, but with China looking to deny access to its markets to insecure equipment, I'm hopeful that this will happen.