I would imagine secureboot work this way - you start machine, UEFI detects that signature of bootloader or kernel or whatever fails signature verification. If it fails - ask user if he wants to save new signature instead or if he did not install any updates to kernel/boot/etc.
This way it will be:
- universally between OSes
- will allow GPL code to be used
- will not lock people into particular software platform
Yes. The classic "People ignore popups" dilemma. The thing is, 99% of people on the planet either wouldn't know what a change to their boot sector is, or what to do if one occurs. So they would just leave it and go on with their root kit installed.
The same reason why browsers are now making it so tough to get to a website without a "valid" SSL certificate -- the average user will ignore the warnings and accept anything to get to their objective. This is one of the reasons why Google Chrome now prevents users from accepting invalid SSL certificates for some Google properties.
This way it will be:
Are there any problems with my approach?