I see that Mr. Pid Eins embraces the idea that security should be rooted in vendors, not customers.
He takes UEFI as a given, and (though not saying this explicitey) assumes this situation cannot be changed so it must be embraced.
I do not like it one bit, that’s why I’m here. I ditched UEFI in favor of PureBoot, and suddenly a major drawback on which the whole post hinges - the unauthenticated initrd - is fixed!.
One thing I have to give him, though. Purism product are not “a generic linux distribution running on generic hardware”.
But my solution to admittedly incomplete security of generic linux distribution on generic hardware is not to give my keys to the vendor, not to lose flexibility to vendor pre-made initrd images which would become obsolete in no time, but to ditch the generics altogether and have solid, up-to-date security immune to vendor key leaks/breaks/bugs. I’m better of that way. Peace of mind is invaluable.