Shouldn't this be a non-issue in any sane setup (i.e. secureboot + TPM + FDE)? If the TPM is doing its job, it should be measuring the signature of the bootloader, so whether it's signed or not is irrelevant. Even if you could get stuff to boot, it wouldn't do you any good because you can't access the decryption keys. On the off chance that you're using secureboot without TPM + FDE, you'd be screwed anyway, because a bad guy could easily disable secureboot inside the BIOS settings, or use a shim loader to bypass it.
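The measured-boot argument in the comment above, as an added toy simulation (not from the thread or any real TPM library): PCRs are extended with each boot component, the FDE key is sealed to the expected PCR value, and a tampered bootloader or a Secure Boot state change yields a different PCR, so the unseal policy fails. The chain events, the `ToyTPM` class and its seal format are constructed for illustration; real TPM 2.0 policies, blob formats and hierarchy seeds differ.

```python
import hashlib
import os

PCR_INIT = bytes(32)  # PCRs are zeroed at power-on


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    # TPM2_PCR_Extend semantics: PCR_new = H(PCR_old || H(event)); order matters
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def measure_boot(events):
    """Replay a boot chain (firmware -> bootloader -> kernel) into one PCR."""
    pcr = PCR_INIT
    for ev in events:
        pcr = pcr_extend(pcr, ev)
    return pcr


class ToyTPM:
    """Seal/unseal bound to one PCR value (models a PCR policy, not the real wire format)."""

    def __init__(self):
        self._seed = os.urandom(32)  # hierarchy seed; never leaves the chip

    def _wrap_key(self, policy_pcr):
        return hashlib.sha256(self._seed + policy_pcr).digest()

    def seal(self, secret32: bytes, policy_pcr: bytes):
        k = self._wrap_key(policy_pcr)
        return policy_pcr, bytes(a ^ b for a, b in zip(secret32, k))

    def unseal(self, blob, current_pcr: bytes):
        policy_pcr, ct = blob
        if current_pcr != policy_pcr:
            return None  # policy check fails: this is not the boot chain the key was sealed to
        return bytes(a ^ b for a, b in zip(ct, self._wrap_key(policy_pcr)))


# constructed sample boot chain; real events are hashes of the firmware's measured objects
GOOD_CHAIN = [b"SecureBoot=1", b"db:vendor-cert", b"shim.efi:signed-v1", b"vmlinuz:6.x"]


def demo():
    tpm = ToyTPM()
    fde_key = os.urandom(32)
    blob = tpm.seal(fde_key, measure_boot(GOOD_CHAIN))
    tampered = GOOD_CHAIN[:2] + [b"shim.efi:modified"] + GOOD_CHAIN[3:]
    sb_off = [b"SecureBoot=0"] + GOOD_CHAIN[1:]
    return {
        "legit": tpm.unseal(blob, measure_boot(GOOD_CHAIN)) == fde_key,
        "tampered_bootloader": tpm.unseal(blob, measure_boot(tampered)) is None,
        "secureboot_disabled": tpm.unseal(blob, measure_boot(sb_off)) is None,
    }
```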

So is there any reason for secure boot to exist, other than to make it harder to boot an operating system other than Windows? I am all for verified boot (like that implemented on some smartphones, such as Pixels), but UEFI secure boot doesn't seem particularly useful to me.

The fundamental problem is that someone somewhere decided that setting up signing keys was too hard, and that because of this the manufacturer should be in charge of setting up the keys. So now, instead of you owning your hardware and setting up the keys on first boot, Microsoft owns your hardware and the keys are theirs. And in a case of self-fulfilling prophecy, because they decided that initializing and owning your own keys was not going to be a normal part of the user experience, it is now hard (almost impossible) to do.

If instead the decision had been made to have the user set up some keys and authorize the OS, the process would have to be streamlined and easy.

In conclusion, signing your operating system is too hard; unless you are in the happy path where your OS is signed by Microsoft, it is far easier to just disable the infernal subsystem, as it gets in the way.

> And in a case of self-fulfilling prophecy, because they decided that initializing and owning your own keys was not going to be a normal part of the user experience, it is now hard (almost impossible) to do.

This is false.

The issue is that nobody has written user-friendly tooling to manage keys and sign stuff. Not that actually implementing this is hard.

https://github.com/Foxboron/sbctl