Hi Christoper,
No, unfortunately you cannot implement secure boot on RPi3, because we have no control of the root key (if there is any) and therefore you cannot get any true chain of trust. Then there is no (memory) firewall (like TZASC), which means that normal side can both read and write memory that are assigned to secure side. Another challenge is that there is not much documentation available for the Pi itself in this area and I don't believe Broadcom have any plans to release it either (Broadcom hasn't been involved in this work).
The RPi3 is a good device if you want to get started with TEE development, learn how to create and run the full stack, everything from user space, to Linux kernel to the monitor code, to the TEE core itself and Trusted Applications. But again, you cannot create any secure products based on this setup, since there are gaps in the hardware design itself (and lack of documentation about it). If you have the ability to run OP-TEE on another device that actually _are_ secure, then it would be almost effortless to transfer the work you've done on the RPi3 to that particular device.
We also have plans together with Sequitur Labs to put up some documentation how to use cheap JTAG debuggers and OpenOCD for this setup. All in all, you can have complete TEE development environment with JTAG capabilities for under $100USD.