by razighter777 153 days ago
How about just allowing key enrollment with a physical button?

This is very much not an option on most embedded devices. They allow one key to be burned once.

IIRC, a certain Marvell SoC datasheet says multiple key slots are supported, but the boot ROM only supports reading the first entry (so really, only one key is supported).

Unless it becomes a law, and the hardware makers adapt.
My Google Pixel allows adding custom keys, which GrapheneOS uses. So I guess that's technically feasible?
That adds your custom keys to the fastboot bootloader, not the boot ROM. This means you'd still have to chain your boot through fastboot.

You couldn't boot straight from boot ROM -> UEFI for instance.

Interesting! What's the consequence of that? Like is that a problem?