@feld There is security and there are digital handcuffs.

There is no security risk posed by the user deciding to boot off an external storage medium on their computer.

If the user would like only approved software to externally boot, then the user should be able to remove any vendor keys and set their own key as to what software is authorized to externally boot.

Anything else is a form of digital handcuffs.

You have no security if apple can decide to load up malware onto your computer and have it execute (oh wait, that's exactly what macos is).


In the land of freedom, you can have real security, as you can put a gnupg signature in the cbfs of GNUboot and configure GRUB to only boot kernels signed with that signature and therefore refuse to boot any proprietary kernels.