In theory, yes. In practice, what control do you have over the hardware? Can't basically anyone with a few million dollars to throw at the problem compromise any form of Secure Boot? If you're NSA, no need to go so far... they've probably got access to the Microsoft root signing key.

If the schematics and code to the TPM were free and there were "tamper evidence" mechanisms in place, we could argue secure boot had some benefits for security. But in its current forms, it's just preventing users from owning their devices with little evidence for security for determined attackers.

Machines should be simpler and auditable: that's how reliable security works. Adding piles of shit on top the other piles of shit is just producing more overall shit.

> Can't basically anyone with a few million dollars to throw at the problem compromise any form of Secure Boot?

Probably. But if my laptop gets stolen I would rather have the thief needing to spend a few million dollars in order to defeat Secure Boot.

Now if I were to worry about state level espionage I would combine the secure boot with a strong password for device theft, and not bring the device anywhere a long-term evil maid attack might occur. But in that case I am still happy if my stolen laptop requires a few million dollars, and that an evil maid also needs to somehow defeat secure boot before being able to do anything to some of my device.

Secure boot isn't perfect. But no practical security measure is. Secure boot is effective at making attacks more difficult, and that means it has value.

It just so happens that such value is most relevant for company-based security. And sadly it seems to be pushed on private devices for other reasons. But the move towards abuse of secure boot does not mean we should ignore the security benefits it gives to company-issued laptops.