I have a potentially dumb question.

Why does Secure Boot involve a rooted PKI, with shim workarounds etc.?

Why try to stop stuff from booting at all? Can’t it just measure all the blobs and/or keys and unlock secrets based on them?

Seems to work for Apple devices. Asahi is not signed by Apple.
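A software sketch of the "measure everything, then unlock" model the question describes: TPM-style PCR extension over the boot chain, and a secret sealed to the expected measurement rather than to a signature. This is an added example, not code from the post or from any real TPM stack; the boot blobs, SECRET and DEVICE_ROOT_KEY are constructed stand-ins, and seal/unseal are a hypothetical simulation of sealing to a PCR policy, not a real TPM API.

```python
"""Measured boot simulation: PCR extend chain plus sealing a secret to the
resulting measurement. Added example; not a real TPM, constructed inputs."""
import hashlib
import hmac

PCR_RESET = bytes(32)  # SHA-256 bank PCRs start at all zeros

# Constructed stand-ins for the boot blobs. Nothing here is signed by anyone.
FIRMWARE = b"constructed firmware image v1"
BOOTLOADER = b"constructed bootloader blob"
KERNEL = b"constructed kernel + initramfs"
SECRET = b"disk-encryption-key-1234567890ab"

# Hypothetical device-unique secret standing in for a TPM storage root key.
DEVICE_ROOT_KEY = b"hypothetical-device-root-key"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0 PCR extend: new_pcr = H(old_pcr || digest). Order-sensitive."""
    return sha256(pcr + digest)


def measure_boot(stages):
    """Extend the digest of every boot stage, in order, into one PCR."""
    pcr = PCR_RESET
    for blob in stages:
        pcr = pcr_extend(pcr, sha256(blob))
    return pcr


def _derive_key(pcr: bytes) -> bytes:
    # Sealing key depends on the device secret AND the PCR value.
    return hmac.new(DEVICE_ROOT_KEY, pcr, hashlib.sha256).digest()


def _keystream(key: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += sha256(key + counter.to_bytes(4, "big"))
        counter += 1
    return out[:length]


def seal(secret: bytes, expected_pcr: bytes):
    """Encrypt secret under a key bound to expected_pcr; return (ciphertext, tag)."""
    key = _derive_key(expected_pcr)
    ciphertext = bytes(a ^ b for a, b in zip(secret, _keystream(key, len(secret))))
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def unseal(sealed, current_pcr: bytes):
    """Return the secret only if current_pcr reproduces the sealing key, else None."""
    ciphertext, tag = sealed
    key = _derive_key(current_pcr)
    expected_tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):
        return None  # wrong measurement: the secret stays locked
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, len(ciphertext))))


def demo():
    """Seal to the trusted chain, then try to unseal from several boot chains."""
    trusted_pcr = measure_boot([FIRMWARE, BOOTLOADER, KERNEL])
    sealed = seal(SECRET, trusted_pcr)
    return {
        "same_blobs": unseal(sealed, measure_boot([FIRMWARE, BOOTLOADER, KERNEL])),
        "patched_bootloader": unseal(
            sealed, measure_boot([FIRMWARE, BOOTLOADER + b" patched", KERNEL])),
        "reordered": unseal(sealed, measure_boot([FIRMWARE, KERNEL, BOOTLOADER])),
        "extra_stage": unseal(
            sealed, measure_boot([FIRMWARE, BOOTLOADER, KERNEL, b"extra stage"])),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} -> {'unsealed' if result == SECRET else 'refused'}")
```

The gate in this model is the measurement, not a signature: an unsigned blob unseals as long as its hash matches what the secret was sealed to, while a patched blob, a reordered chain or an extra stage all produce a different PCR and the secret stays locked. The flip side, which the simulation also shows, is that the expected PCR must be known at sealing time, so any update to a measured blob requires re-sealing the secret to the new value.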