Alternatively, just make it illegal to ship any kind of initial bootloader as part of a CPU's/SoC's mask ROM in any computing device that is marketed as a general-purpose one.

No, you just need to make it illegal to have the bootloader contain hardcoded key material and use it for verifying the code it loads.