So having secure boot enabled with a unified kernel image is great, but how do you integrate it into OS lifecycle management? And how do you do it without compromising security? Simplicity in one place causes complexity in another.
Tinfoil session 1: Enabling secure boot vector on Linux
While being a strong proponent of security and privacy, I long neglected one particular security vector on my laptops - Secure Boot - relying on compensating controls I put in place. Secure Boot was pushed on me by Microsoft, so I naturally, reflexively rejected it. Now, however, is the time to reconsider the stance, especially in view of much higher pressure on privacy and, as a result, much deeper penetration of foreign networked compute elements around us (this is the place we put our tinfoil hat on).