[JCattheATM]

What you've described in that comment is just kind of reinventing the wheel. You're solving the same problem a different way, in a way that has slightly more complexity than just using UEFI and secureboot.

[fsflover]

The main difference is that the user owns the root of trust and doesn't have to blindly trust a (buggy) proprietary software from a commercial company. Also, the community review.

[JCattheATM]

You could still have that with UEFI though.

[fsflover]

But not with Secure Boot AFAIK.

[JCattheATM]

Well, yeah, you could, that was the point of my comment.

Coreboot supports secure boot, so why isn't that sufficient?

[fsflover]

Secure Boot is closed and not auditable.

[JCattheATM]

Not so, the reference implementation is open source and incorporated into Coreboot, for a long time now.