by hollerith 252 days ago
Yes, but when an individual hacker needs a secure computer and is deciding which computer to buy, it does him no good to tell him that if the whole industry had evolved in a more convenient way over the last 4 decades, he would have been able to avoid secure boot: in the actual world, the only user-facing computers on the market with decent security use secure boot to help deliver that decent security where "user-facing" means "used to browse the web and maybe other things".

Also remote attestation has pro-social uses. Without it, photographs will soon become useless as evidence because soon there will be no way to distinguish a photo of a real scene from the output of generative AI.


My point is that secure boot isn't the only way forward, and depending on your circumstances, a foundation built on something like seL4 could suffice for particular applications. And it doesn't even require a whole new OS or foundation like seL4, even Windows has the right core primitives if they're used in the right way [1]. And that work was from 2005, not 40 years ago, but still long before any of this really became an issue.

[1] https://cacm.acm.org/research/polaris-2/

Coreboot with Heads exists and works fine for me with Qubes OS. So it's not a hypothetical.

Coreboot with Heads and Qubes prevents malware that has inserted itself into the firmware of your Ethernet driver, keyboard or block-storage device from modifying your software?

Yes? Qubes provides compartmentalization for the hardware you listed.