What’s really needed is some way you can easily tell that a device has been tampered with, but which is also extremely difficult to bypass. And also where even if the OEM was in on the scheme, you could still tell. Like how a hash is used to tell if someone made changes to a piece of software.
For consumer products this is a nonstarter because companies will almost never fully divulge info about all the parts of a device required for this.
For defence product where almost everything is fully specified by the customer, it might be possible. If you know all the components in a device, and you can prove they are all genuine, then you can prove the whole device is genuine.
Engraved hashes on every part comes to mind, but that would be ungainly to validate and fairly easy to bypass by simply copying codes from one device to another.
This doesn’t work because the hashes are controlled by the same party party you don’t trust. If you want this, you need to pay for trusted third-parties to audit the factory and random samples - otherwise it’s basically like all of the blockchain startups trying to reinvent supply chains only to learn that a chain of hashes showing package A was delivered to warehouse B don’t help if you don’t actually know what was in the box, who picked it up, or what happened to it in transit. I guarantee that the Mossad would have had valid hashes on every battery.
This isn’t even very effective for software: people have been working on commit signing, reproducible builds, etc. for ages but it’s just a cascade of trust problems where striking the balance between workable and effective can be extremely challenging. Something like xz or SolarWinds would have had valid signatures on everything, and you still wouldn’t know the real identity of the person responsible for the duplicitous code.
You’re not going to easily detect supply chain tampering of code, but you might be able to detect the covert inclusion of explosives in your devices with imaging (X Ray and CT) and random sampling tear downs.
For defence product where almost everything is fully specified by the customer, it might be possible. If you know all the components in a device, and you can prove they are all genuine, then you can prove the whole device is genuine.
Engraved hashes on every part comes to mind, but that would be ungainly to validate and fairly easy to bypass by simply copying codes from one device to another.