@niggy I could go that far, but I really just settle for a 100% free software BIOS with a SPI flash chip that can't be written without root access and no proprietary software runs as root either, as I doubt the glowers have dedicated resources to getting me...yet.

"Secure boot" is not a basic security feature, as it gives a false sense of security, as it's extremely trivial to bypass, as clowns have signed every proprietary binary under the sun under the root UEFI certificates.

Although there are revocation lists for known buggy binaries, those revocation lists are extremely rarely ever implemented.

Really, the only way to achieve a similar level of security than Grub gpg signing is to disable all the default UEFI root certificates and load up your own keys.