I have never tried to make a bootloader for decryption, and I guess this is something very complex. There might be a simpler method to ensure a safe transfer of new software.
Since each Sam3x8e has its own Unique Identifier (128 bits), prior to delivering a new version of the software for a device you sold with a Sam3x8e, you will be using the different parts of its Unique Identifier at several checkpoints in the software, then release a binary file. Of course, the software will have a Unique Identifier reader in its setup().
The customer will upload the binary successfully only with the device you previously sold, and any decompiler could only give glimpses of the actual code.
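The per-device check described in the post above, as an added example that is not the poster's code: the vendor build step derives a table from the sold device's 128-bit Unique Identifier, and each checkpoint in the firmware tests a different 32-bit part of it. All names, the XOR masks and both sample UIDs are assumptions constructed for illustration; on the real chip the four words would come from the Unique Identifier reader called in setup().

```c
#include <stdint.h>
#include <stdio.h>

#define UID_WORDS 4  /* 128-bit Unique Identifier handled as four 32-bit words */

/* Constructed sample UIDs (not real devices); they differ only in the last word. */
static const uint32_t SOLD_DEVICE_UID[UID_WORDS]  = {0x11223344u, 0x55667788u, 0x99AABBCCu, 0xDDEEFF00u};
static const uint32_t OTHER_DEVICE_UID[UID_WORDS] = {0x11223344u, 0x55667788u, 0x99AABBCCu, 0xDDEEFF01u};

/* Hypothetical per-checkpoint masks, so the UID is not stored as one plain 16-byte literal. */
static const uint32_t CHECK_MASK[UID_WORDS] = {0xA5A5A5A5u, 0x3C3C3C3Cu, 0x5A5A5A5Au, 0xC3C3C3C3u};

typedef struct { uint32_t masked[UID_WORDS]; } build_table_t;

/* Vendor side: run once per customer device before compiling the release binary. */
build_table_t make_build_table(const uint32_t uid[UID_WORDS]) {
    build_table_t t;
    for (int i = 0; i < UID_WORDS; i++)
        t.masked[i] = uid[i] ^ CHECK_MASK[i];
    return t;
}

/* Device side: one checkpoint tests one part of the UID read at start-up. */
int checkpoint_ok(const build_table_t *t, const uint32_t device_uid[UID_WORDS], int checkpoint) {
    if (checkpoint < 0 || checkpoint >= UID_WORDS)
        return 0;  /* unknown checkpoint: fail closed */
    return (t->masked[checkpoint] ^ CHECK_MASK[checkpoint]) == device_uid[checkpoint];
}

/* Helper for the demo: how many checkpoints a given device would pass. */
int count_passed(const build_table_t *t, const uint32_t device_uid[UID_WORDS]) {
    int passed = 0;
    for (int i = 0; i < UID_WORDS; i++)
        passed += checkpoint_ok(t, device_uid, i);
    return passed;
}

int main(void) {
    build_table_t t = make_build_table(SOLD_DEVICE_UID);
    printf("sold device passes %d of %d checkpoints\n", count_passed(&t, SOLD_DEVICE_UID), UID_WORDS);
    printf("other device passes %d of %d checkpoints\n", count_passed(&t, OTHER_DEVICE_UID), UID_WORDS);
    return 0;
}
```

A device whose identifier differs in a single word still passes the other checkpoints, which is why the binary only works fully on the sold device when every part of the identifier is tested somewhere in the software.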