Put a key on a piece of hardware and provide it with the car. The firmware will not update without that key. Now the owner can update their firmware, or hand the key to their mechanic to do it for them. If they lose the key, they get to pay their mechanic to source and install a new controller that comes with a new key.
Or heck, just put a switch on the controller that must be manually closed for a firmware update to proceed. What matters most is preventing quiet firmware updates over the air.
Even if the update is not quiet, how do you know that it's authentic? If the hackers can trigger an "update available, please flip the update switch and restart your car" notification, you will not be able to tell if this came from the manufacturer or the hacker.
In my first idea, the hardware "key" holds two cryptographic keys. One is a private key, whose public counterpart is held by the manufacturer. This authenticates the vehicle to the manufacturer. The other key is a public key, whose private counterpart is also at the manufacturer. This authenticates the manufacturer to the vehicle.
My second idea does not accomplish any new authentication (beyond what over-the-air updates already do). However, it does prevent silent updates, which is an improvement over today.
Today, not only can a vehicle owner not tell if an update came from the manufacturer or hacker, they can't even tell that an update happened at all.
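The two-key hardware key and the physical update switch described in the posts above, as an added example in Go (not code from any of the posters): Ed25519 is my choice of signature scheme, and the HardwareKey and Manufacturer types, their field names, and the sample firmware bytes are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// HardwareKey is the physical "key" from the post: the vehicle's private key
// plus the manufacturer's public key (type and field names are assumed).
type HardwareKey struct {
	VehiclePriv     ed25519.PrivateKey
	ManufacturerPub ed25519.PublicKey
}
// Manufacturer holds the counterparts: its own private key and the vehicle's public key.
type Manufacturer struct {
	Priv       ed25519.PrivateKey
	VehiclePub ed25519.PublicKey
}

// Provision generates both pairs and splits them the way the post describes.
func Provision() (*HardwareKey, *Manufacturer, error) {
	mPub, mPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	vPub, vPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	return &HardwareKey{vPriv, mPub}, &Manufacturer{mPriv, vPub}, nil
}
// SignFirmware: the manufacturer signs an image before releasing it.
func (m *Manufacturer) SignFirmware(image []byte) []byte { return ed25519.Sign(m.Priv, image) }

// AcceptUpdate installs only when the physical switch is closed AND the image
// verifies against the manufacturer key held on the hardware key, so a forged
// "update available" prompt cannot get unsigned firmware onto the controller.
func (k *HardwareKey) AcceptUpdate(switchClosed bool, image, sig []byte) bool {
	return switchClosed && ed25519.Verify(k.ManufacturerPub, image, sig)
}

// SignChallenge and VerifyVehicle authenticate the vehicle to the manufacturer.
func (k *HardwareKey) SignChallenge(nonce []byte) []byte { return ed25519.Sign(k.VehiclePriv, nonce) }
func (m *Manufacturer) VerifyVehicle(nonce, sig []byte) bool { return ed25519.Verify(m.VehiclePub, nonce, sig) }

func main() { // constructed demo: genuine image with the switch closed, then open
	hw, m, err := Provision()
	if err != nil { panic(err) }
	img := []byte("controller firmware v2 (constructed)")
	sig := m.SignFirmware(img)
	fmt.Println(hw.AcceptUpdate(true, img, sig), hw.AcceptUpdate(false, img, sig)) // prints "true false"
}
```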