Don't buy this if you expect any real development to happen on it. The only possible way is through kexec, and that's a lot of trouble to go through considering all the other tablet options.
For what it's worth, the u-boot in the recently posted update image from the Kindle Fire does not appear to have the signed header that the one on the NT has.
Things I learned in the process:
-USB boot is enabled, as is SD boot
-I can boot from a microSD if I format it the same as for Nook Color (modified CHS, fat on p1) and copy the MLO, u-boot, and boot.img renamed to flashing_boot.img
-There is a serial port inside that will let you at the u-boot console and a shell after the OS boots
-x-loader is signed. A known-good x-loader on microsd will not even execute, and the next item in the boot list checked (emmc)
-u-boot is signed. I know this because a known-good u-boot from Pandaboard that should be close enough to boot causes x-loader to take the code path where the secure ROM call with a pointer to the image returns nonzero
-kernel and ramdisk are signed individually in the boot.img. I can modify a byte in the boot.img on the microsd that's in the middle of the kernel or the ramdisk section and u-boot will fail the same exact call that x-loader uses to validate u-boot, but this time emitting a message complaining that the image is corrupt
-Comparing the first part of u-boot grabbed from the NC, NT, and the KF, shows that the signature that's at address 0 of the KF and NC versions is seen about 300 bytes into the NT version, with some unknown junk above. I assume that's the signature, and that the call to the secure ROM returns the image pointer (which is passed by reference, a good clue) plus the size of the header.