My technical understanding of this may be wrong, so please educate me. This whole thing seems like the Content Scrambling System of 1996. A computer just starting to boot can't check the Internet for someone's public keys, and even if it could, that could be spoofed. The system can ask (1) itself, and (2) the boot binary, whether that binary has permission to boot, and it seems like both those things should be gullible. What am I missing?