[kachapopopow]

the hardware is made by asus, asus signs with their key backed by a trusted company.

asus gives out keys to sign bios firmware, now aliexpress can not only counterfeit, but provide tampered hardware.

you can enroll your own secure boot keys so that's not really relevant.

[fc417fc802]

Secureboot was being used as an example to illustrate the issue with your claim that a user controlling the keys must necessarily undermine security.

I'll grant that if the user is given control then compromise within the supply chain does become possible. However the same hypothetical malicious aliexpress vendor could also enroll a custom secure boot key, install "definitely totally legit windows", and unless the user inspects he might well never realize the deception. Or the supply chain could embed a keylogger. Or ...

[kachapopopow]

you don't have to trust software, but you have to trust your firmware and hardware.