[keenerd]

> Not Developer mode. I want the full security of verified boot.

So you ran something inside of ChromeOS? It seems like a better option would be to replace the bootloader with CoreBoot (which doesn't have a dev mode) and you can add your own keys for whatever OS you choose.

[wiredfool]

Which seems the hard way to get to an os that I have to manage myself. If I wanted a linux machine, I'd get a thinkpad or something and do it that way.

I have to trust something, somewhere. With ChromeOS + ssh and the keys stored on a yubi key,I'm pretty sure that if someone lifts the machine without the key, there's not a whole lot they can do with it, other then factory reset it and move on.

In doing that though, I am trusting a few bits of software from the chrome app store, and that's probably the weakest link. But it's an order of magnitude less code than a linux distro.