
Issue 686271

Starred by 3 users

Issue metadata

Status: Untriaged
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug




Support FWMP dev kernel key hash

Project Member Reported by rspangler@chromium.org, Jan 27 2017

Issue description

ToT firmware supports the FirmWare Management Parameters TPM space (FWMP), which can set some dev mode defaults.  The FWMP can be created/deleted by cryptohome at a root shell when the TPM owner is still known.

One nifty thing that the FWMP supports is a kernel key hash.  If that's set, then dev mode will only boot kernels signed by a matching key.  Developers can use this to lock dev mode to only boot their own images.  This lets developers leave dev_boot_usb enabled without the risk some other random person will boot a malicious USB image.

But right now, there's no good way to figure out what SHA256 hash to feed to cryptohome when creating the FWMP with that option.  And if you guess wrong, you'll be locked out.

dev_debug_vboot should be able to print the FWMP (if it exists) and the hashes for the current kernel partitions.

Maybe make_dev_firmware.sh should have an option to create the FWMP.

(This only affects usability of the FWMP by developers.  FWMP use for enrolled devices is tracked separately.)
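The hash the report wants dev_debug_vboot to print can be derived offline from the keyblock at the start of a kernel partition. The script below is an added example; it is not code from this bug, from vboot_reference or from dev_debug_vboot. It assumes, from the author's reading of the firmware's dev-mode kernel check, that the FWMP developer key hash is SHA-256 over the raw data_key bytes that the keyblock's VbPublicKey (key_offset/key_size) points at, and that the keyblock sits at offset 0 of the kernel partition. The VbKeyBlockHeader layout is the vboot one; the sample keyblock, `build_keyblock`, `dev_key_hash` and `check_candidate` are the author's constructions. Confirm the hash definition against the vboot source for your firmware branch before creating an FWMP, since a wrong value locks dev mode out of every kernel.

```python
"""Compute the FWMP developer key hash from a vboot kernel keyblock.

Added example; not from the bug, vboot_reference or dev_debug_vboot.
Assumption: the FWMP dev_key_hash is SHA-256 over the raw data_key bytes
of the keyblock (VbPublicKey.key_offset/key_size), so in dev mode a kernel
boots only if its keyblock's data key hashes to the stored value.
"""
import hashlib
import struct
import sys

KEYBLOCK_MAGIC = b"CHROMEOS"
# VbKeyBlockHeader (112 bytes, little-endian):
#   magic[8], header_version_major u32, header_version_minor u32,
#   key_block_size u64, key_block_signature {offset,size,data_size} u64x3,
#   key_block_checksum u64x3, key_block_flags u64,
#   data_key VbPublicKey {key_offset,key_size,algorithm,key_version} u64x4
HDR = struct.Struct("<8sII" + "Q" * 12)
DATA_KEY_OFFSET = 80          # start of the embedded VbPublicKey struct
VBPUBLICKEY_SIZE = 32         # key_offset is relative to this struct


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_keyblock(blob):
    """Return the data_key fields of a keyblock, validating bounds first."""
    if len(blob) < HDR.size:
        raise ValueError("keyblock shorter than its header")
    f = HDR.unpack_from(blob, 0)
    magic, kb_size = f[0], f[3]
    key_off, key_size, algorithm, key_version = f[11:15]
    if magic != KEYBLOCK_MAGIC:
        raise ValueError("bad keyblock magic %r" % (magic,))
    start = DATA_KEY_OFFSET + key_off
    end = start + key_size
    # Refuse keys that point outside the keyblock or past the bytes we read:
    # hashing a truncated key gives a value that never matches at boot.
    if key_size == 0 or end > kb_size or end > len(blob):
        raise ValueError("data_key lies outside the keyblock")
    return {"algorithm": algorithm, "key_version": key_version,
            "key_data": bytes(blob[start:end])}


def is_valid_keyblock(blob):
    try:
        parse_keyblock(blob)
        return True
    except ValueError:
        return False


def dev_key_hash(blob):
    """Hex SHA-256 of the data key: the value to store in the FWMP."""
    return sha256_hex(parse_keyblock(blob)["key_data"])


def check_candidate(candidate_hex, keyblocks):
    """Return the names of kernel partitions whose key would NOT match
    candidate_hex. Run this over every kernel partition you intend to
    boot before creating the FWMP; a non-empty result means lockout."""
    want = candidate_hex.strip().lower()
    return [name for name, blob in keyblocks.items()
            if dev_key_hash(blob) != want]


def build_keyblock(key_data, algorithm, key_version, pad=0):
    """Construct a minimal keyblock fixture for offline testing.
    Signature and checksum fields are zero: this is a layout fixture,
    not a signed keyblock, and the key bytes are not a real RSA key."""
    key_off = VBPUBLICKEY_SIZE + pad
    body = b"\0" * pad + key_data
    kb_size = HDR.size + len(body)
    hdr = HDR.pack(KEYBLOCK_MAGIC, 2, 1, kb_size,
                   0, 0, 0,          # key_block_signature (unused here)
                   0, 0, 0,          # key_block_checksum (unused here)
                   0,                # key_block_flags
                   key_off, len(key_data), algorithm, key_version)
    return hdr + body


# Constructed sample: a 512-byte pseudo key placed 16 bytes after the header.
SAMPLE_KEY = bytes(range(256)) * 2
SAMPLE_KEYBLOCK = build_keyblock(SAMPLE_KEY, algorithm=4, key_version=1, pad=16)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("sample", dev_key_hash(SAMPLE_KEYBLOCK))
    for path in sys.argv[1:]:
        # The keyblock is at the start of a kernel partition (e.g. KERN-A);
        # the first 64 KiB is more than enough to cover it.
        with open(path, "rb") as fh:
            print(path, dev_key_hash(fh.read(64 * 1024)))
```

On a device, run it as root against the kernel partitions you actually boot (on the usual Chrome OS layout KERN-A and KERN-B are partitions 2 and 4 of the boot disk; `cgpt find -l KERN-A` resolves the device node) and, only if `check_candidate` reports no mismatches, hand the hex string to cryptohome's set_firmware_management_parameters action together with the use-key-hash flag; those cryptohome option names are quoted from memory, so confirm them with `cryptohome --help` first.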
 
Project Member Comment 1 by sheriffbot@chromium.org, Feb 12 2018

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available. If you change it back, also remove the "Hotlist-Recharge-Cold" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
