But in this case we still need a bootloader private ECC key hardcoded in the bootloader FW in order to generate the secret.
My recommendation is to use public key cryptography and hardcode the public key in the bootloader. The key cannot be used for signing so it isn’t a problem if people extract it from your firmware, and if you need to rotate it you simply OTA the whole bootloader with one that has a new key.
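As an added example (not code from this thread) of the approach recommended above, in Go: the bootloader carries only a DER-encoded P-256 public key and checks a SHA-256/ECDSA signature over the image at boot, while signing happens on the build host where the private key stays. The type and function names, the image bytes and the signature encoding are all assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
)

// Bootloader models the device side: the only key material baked in is a
// DER-encoded public key, which can verify signatures but never create them.
type Bootloader struct{ pubDER []byte }

// NewBootloader "burns" a public key into the bootloader. Rotating the key
// means OTA-ing a whole new bootloader built around the new public key.
func NewBootloader(pub *ecdsa.PublicKey) (Bootloader, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return Bootloader{}, err
	}
	return Bootloader{pubDER: der}, nil
}

// SignFirmware runs on the build host (the private key never leaves it):
// SHA-256 the image, then emit a DER-encoded ECDSA P-256 signature.
func SignFirmware(priv *ecdsa.PrivateKey, image []byte) ([]byte, error) {
	digest := sha256.Sum256(image)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyFirmware is the boot-time check: parse the embedded public key, hash
// the candidate image and accept it only if the signature verifies; any
// parse failure (bad key blob, malformed signature) fails closed.
func (b Bootloader) VerifyFirmware(image, sig []byte) bool {
	key, err := x509.ParsePKIXPublicKey(b.pubDER)
	pub, ok := key.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return false
	}
	digest := sha256.Sum256(image)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() { // constructed demo: sign on the "host", verify on the "device"
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // build host only
	bl, _ := NewBootloader(&priv.PublicKey)
	image := []byte("constructed firmware image v1")
	sig, _ := SignFirmware(priv, image)
	println(bl.VerifyFirmware(image, sig)) // true
}
```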