Some Sony Android phones apparently use your third model, with Linux pushing the firmware image to the wifi card. The MAC address is in that image, but not baked in to the distributed file, so something has to fetch the unique MAC from somewhere and write it in to be sent to the wifi chip. And the MAC seems to be unprotected by signatures.

At least this is what I gathered from looking at CyanogenMod source awhile back. mac-update[0] reads the MAC (multiple of them, apparently) from some files on /data[1] (which I think are put there by a proprietary blob that got them from a separate partition dedicated to storing provisioning data), copying the firmware image from /system and writing the patched version to /data (which path the kernel loads from to send into the wifi card.) As I recall, changing my MAC address "permanently" was as easy as changing the MAC file on /data, but I don't have the phone anymore.

[0] https://github.com/CyanogenMod/android_device_sony_qcom-comm... [1] https://github.com/CyanogenMod/android_device_sony_qcom-comm...