by sanlyx 2882 days ago
In most Secure Boot-enabled PCs you can manage keys and certificates on the firmware KEK/DB variables by using utilities such as KeyTool, so that you can safely boot any EFI-compliant OS with a custom certificate.

I'm not sure how this would work on Apple devices. It seems to me they have reinvented the whole security infrastructure of their services, which is not a bad thing, but also requires some serious hacking if you don't want your device locked down with Apple-only software. Is there any way you could possibly manage the trust chain of secure boot on devices with the T2?

1 comments

> some serious hacking

I guess "Reboot into Recovery, Open the Secure Startup Utility and allow booting from external media and Set it to No Security" counts as serious hacking now :)

That simply disables Secure Boot, which is not what sanlyx wants because you don't get the security benefit of replacing the manufacturer-provided PK and/or KEK with your own so that only images you signed will boot.

Sure, you don't get your own secure boot, but the point is, it's not "omg apple lockdown no third party OS possible at all"