Garrett: Why UEFI secure boot is difficult for Linux

As a protection and control engineer, it is necessary to now where the weak link in any chain of devices (protection scheme); and it is folly to think there is not a weak link, but you minimize the impact or security concerns when something fails (and failure is when, not if).
The whole chain of securing any application must start at the hardware (like true identity of a person as recorded by a system ultimately must fall back to metrics at birth, or false identities abound).

Once the key signing (identity privilege) of the boot process is established and 'trusted', the privilege can be passed up the instance chain, to where every process must by privileged (key signed) in order to execute. This has huge ramifications for F/OSS up to the application level (no more firefox on company computer =). Of course, vulnerabilities will always exist in the chain, privileged (or not?).

UEFI secure boot seems to be a 'fait accompli', and being touted as security, seems more about hardware control and thus no more hand me downs or reuse for that ARM mesh/cluster from cheap discarded phones. The freedom I have enjoyed (sweat and tears =) with linux is again being swindled into a compromise of privileges and immunities in the hope of security. It seems all we got left is a small voice to change the OEM hardware vendors to give us 'custom' mode options, but all the hardware that doesn't will be non-reusable garbage.

So at the end of this privilege chain, is me being able to use my hardware at someone else's behest. And the other end is tied to the physical hardware, which will require a physical device (castle, drawbridge) I have to interact with to gain its use. I hope and will support hardware vendors who will provide at least a dipswitch or maybe a 'cartridge' to plug-in enabling my free use and access.

I agree with the article authors comments as this is the compromise we are left with to get whats left, a privilege (not a right).