You don't really need to validate the channel over which the update is downloaded (which would essentially require validating the entire Internet). You just need to validate the signature on the update itself before applying it, which can be done with a much smaller core of verified code.
The unverified code could _block_ the update, of course, but that could happen anyway: upstream ISP blocks the connection, someone pulls the physical Ethernet plug, system experiences a DoS attack, etc. If this is a problem, the secure boot code could require a new, signed update after a given number of reset cycles. The update server would need to attest that the update is current, e.g. by signing the reset count at the time the update was downloaded, signed in turn by the boot code.