OEMs generate random rsaPubKey, Key.
they also compute HMAC of rsaPubKey: signedData = HMAC(Key, rsaPubKey)
finally, they burn OTP_key = (signedData ⊕ Key) into devices.
This means OTP_key is derived from rsaPubKey and Key:
OTP_key = (HMAC(Key, rsaPubKey) ⊕ Key)

At runtime, bootROM ensures rsaPubKey is original by generating HMAC
of rsaPubKey :
signedDataRuntime = HMAC(signedData ⊕ OTP_key, rsaPubKey)

And finally, it compares 'signedDataRuntime' to provided HMAC 'signedData' :
signedData == signedDataRuntime

So yes, attacker can change rsaPubKey & signedData, and retrieve Key,
but OTP_key cannot be changed.

I guess it's hard for an attacker to find X & Y such as :
X == HMAC((X ⊕ OTP_key), Y)