The only theoretical value I see in Secure Boot is if you're trying to build a tamper-resistant laptop. You'd have to only run Linux, you'd have to disable everything except your own signing keys (rather than using the shim, or anything else signed by Microsoft, because they'll sign (or can be coerced into signing) basically anything), you'd probably want to skip GRUB and boot an EFI executable directly without editable kernel arguments, and you'd have to manually sign every kernel update or module that you wanted to load.
But even then, I see no reason to trust that a given UEFI implementation won't quietly accept some secret hard-coded key even after all of the defaults have been removed, so now I guess we're stuck with older machines that can be flashed with Coreboot?
Yeesh. The number of people who can get this to work has got to be vanishingly small...
But even then, I see no reason to trust that a given UEFI implementation won't quietly accept some secret hard-coded key even after all of the defaults have been removed, so now I guess we're stuck with older machines that can be flashed with Coreboot?
Yeesh. The number of people who can get this to work has got to be vanishingly small...