by Vogtinator 78 days ago
> If, for example, a company wants to issue fleet computers to workers or school to students, you want to have secure boot on those devices to prevent tampering. Secure boot makes it so that physical access is not the end all of security.

Measured boot is actually better for that: You can still boot whatever you want however you want, but hashes are different which can be used for e.g. remote attestation. Secure boot has to prevent that "unauthorized" code (whatever that means for each setup) can ever run. If it does, game over. That means less freedom and flexibility.
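Added example (not part of the thread or any commenter's code): a minimal Python model of the distinction drawn above, where secure boot refuses to run a component that is not on an allow list, while measured boot runs anything but produces a different PCR value that a remote verifier rejects. The component names, key and nonce are constructed, and an HMAC stands in for the asymmetric attestation-key signature of a real TPM quote.

```python
import hashlib
import hmac

def extend(pcr: bytes, component: bytes) -> bytes:
    # TPM-style extend: PCR_new = SHA256(PCR_old || SHA256(component))
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measured_boot(chain):
    # Measured boot never refuses to run a component; it only records it.
    pcr = bytes(32)  # PCR starts as all zeroes at reset
    for component in chain:
        pcr = extend(pcr, component)
    return pcr

def secure_boot(chain, allowed):
    # Secure boot model: the boot only proceeds if every digest is allowed.
    return all(hashlib.sha256(c).digest() in allowed for c in chain)

def quote(pcr: bytes, nonce: bytes, ak: bytes) -> bytes:
    # Assumption: HMAC as a stand-in for the TPM's signed quote.
    return hmac.new(ak, nonce + pcr, hashlib.sha256).digest()

def verify(pcr, nonce, sig, ak, known_good):
    # Verifier side: the quote must be authentic for this nonce AND the
    # reported PCR must match a reference value the verifier accepts.
    authentic = hmac.compare_digest(sig, quote(pcr, nonce, ak))
    return authentic and pcr in known_good

# Constructed sample data
STOCK = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]
CUSTOM = [b"firmware-v1", b"bootloader-v1", b"kernel-custom"]
AK = b"constructed-attestation-key"
NONCE = b"constructed-verifier-nonce"
ALLOWED = {hashlib.sha256(c).digest() for c in STOCK}
KNOWN_GOOD = {measured_boot(STOCK)}

def run(chain):
    pcr = measured_boot(chain)
    sig = quote(pcr, NONCE, AK)
    return {
        "secure_boot_allows": secure_boot(chain, ALLOWED),
        "attestation_passes": verify(pcr, NONCE, sig, AK, KNOWN_GOOD),
    }

if __name__ == "__main__":
    print("stock :", run(STOCK))
    print("custom:", run(CUSTOM))
```

In both models the modified kernel is distinguishable from the stock one; the difference is whether the device refuses to boot it or boots it and reports a different measurement.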


Measured boot isn't any better. Look at Android phones, where it's technically possible to unlock your bootloader, but a ton of apps (e.g., McDonald's and most banking apps) use remote attestation to see whether you did so and will refuse to work if you did.
Yep.

Exactly why I said

> turn off these measures in a way that is undetectable.

If you own the device, you ought to have the means to make such configuration/changes in undetectable ways. Otherwise, you don't truly own the device.

Some apps want to run on devices that you don't "own", because they are doing something the owner would not want done (in secret or what not).

McDonald's does that? Their App works fine on Lineage 22.