You could, if the code came from a signed blob that is verified. No need for a blockchain to allow that; it's basically what mobile OSes are doing, and with multisig you can verify both the developer and the OS vendor.
Well, then you are trusting the signer; that is the ultimate promise of decentralization. Especially coupled with deterministic builds by gcc, you could have an end-to-end verified firmware running on a device.