Garrett: Secure Boot and Restricted Boot

Whereas we have the same goals, I think we differ on strategy. My take on this is that once "Secure Boot" is entrenched, it's very easy for it to become the default. The OEMs just say "look, kid, you want to build your own kernel or boot loader, go talk to a signing authority" -- as far as they're concerned, there's a "go away, not our problem" answer they can give you. And if in practice it means only large distributions can get their kernels signed, well, does it mean ASUS or MSI or Gigabyte is selling fewer motherboards? If not, they'll have a very nice forum thread for you to preach to the choir on for as long as you like.

Without straying too far into Godwin's Law territory, I think "Secure Boot" is one of those things we have to treat as an abomination. Just because some of us can find a workable solution doesn't mean the whole thing shouldn't be burned to the ground. Half measures and workarounds just make it easier for the OEMs to make the business case to make "Always On Secure Boot" a feature list item on the box.