[vbezhenar]

There are ways to solve that issue. But I think that you're correct, pinpointing the core issue with popular Linux distributions. It doesn't have to be this way, though.

1. You can sign and verify initramfs, it's supported by bootloaders.

2. You can merge kernel and initramfs into UKI and sign the whole image.

I don't know why that's not implemented.

[ChocolateGod]

For UKI I imagine a big hurdle is the size of the images (given /boot/efi is usually only big enough for bootloaders, not kernels and initram) and custom kernel modules (e.g. Nvidia).

There was some systemd work on a spec for a boot partition to extend the efi partition for storing kernel images and initramfs, but I don't think any distro currently defaults to it on.

I think hibernation is currently also broken, since the hibernation file is stored unencrypted by default and thus can't be used with secure boot.