I’ve made the effort to secure mine and am aware of how the trusted protection module works with keys, Fedora’s Anaconda system, the shim, etc. I’ve seen where some here have mentioned they do not care or enable secure boot. Out of open minded curiosity for questioning my biases, I would like to know if there is anything I’ve overlooked or never heard of. Are you hashing and reflashing with a CH341/Rπ/etc, or is there some other strategy like super serious network isolation?
You can use measured boot as part of the firmware boot process, store a hash of the known good boot files on a trusted media and compare that.
This is done with the Heads payload in Coreboot. But support is like only Thinkpads and now also soon Novacustom, Nitrokey and maybe System76 laptops.
The thing is, then you know your kernel is safe, but what about the rest? Depending on the attack vector, a system like on Android with full immutability and a recovery that verified the whole OS root partition would be safer.
But this means that you have no ability to customize, without breaking things.