@niggy >read-only SPI flash can't get security updates
So dyke out the old ROM chip and solder in an updated ROM chip?
>grub verifying a kernel doesn't matter when there's nothing verifying grub
You verified grub and burned it into a ROM chip - the impossibility of changing that ROM chip from software verifies grub pretty hard.
>that's the point of secure boot
The problem with secure boot is that it assumes the proprietary UEFI is verified, when really I haven't come across a single proprietary UEFI that has been properly verified - even though you should NEVER trust a proprietary UEFI.
>if you're secure-boot signing your own bootloader, the signing key is on the machine, which defeats the point
You can have the signing key on a different machine with a slight inconvenience - it's probably better to have the key on another computer of yours, rather than relying on the utter clowns that all OEMs are, who probably have the signing key on a Windows computer (the NSA probably has direct access to all signing keys for every single OEM for this reason and how on earth are you meant to tell the difference between the manufacturer's signed proprietary malware and the NSA's signed proprietary malware when both verify just fine?).
>the entire chain of trust falls apart when it doesn't start from secure digitally-signed firmware,
A single piece of proprietary software makes all chains of trust crumble.