secure boot
@freakazoid Does it, though? What is the actual threat model here? Because this whole boot security panic started with BIOS malware - which needs to get installed somehow, which is usually going to be done by something run *within the OS*. If the OS does not permit that, nothing *can* get between the two.
The only threat models that firmware-level protections actually protect against are those that involve someone with physical access - and even then only if the whole thing is configured in a watertight way, there are zero vulnerabilities in the system, and absolutely nothing except for a specific boot image is allowed to boot.
That leaves us with roughly three categories of beneficiaries:
- Particularly tech-savvy high-profile activists,
- Corporations trying to keep out employees, and
- Manufacturers trying to implement DRM.
There are other categories of people who would benefit from protection against physical attacks (folks with abusive partners, for example), but they are vanishingly unlikely to be able to set up boot security in such a way that it actually *would* protect them. And the vast majority of people are not high-profile activists.
So who is this firmware-level protection actually *for*?