Possible PureOS (security) future?

embraces the idea that security should be rooted in vendors, not customers

He’s simply describing the reality: unless you’re manually building and updating GNU/Linux kernels for Librem, you’re relying for security on the vendor called “Purism” - there’s simply no way around it without a major time and resource investment, impractical for regular users.

the unauthenticated initrd - is fixed

That’s just one of the things I hope to clarify - looking at https://docs.puri.sm/PureBoot.html I don’t see details about what’s being verified during the boot process and what isn’t.

Does Heads use Purism’s public key to verify the kernel? How is this key updated? What’s measured into the TPM?

The particularly interesting use case is users without a Librem Key (which I presume are plenty) - how does SecureBoot look in this case?

Having said that, I also like the clear separation between laptop-specific keys and the user-specific keys, which allows for trivial and secure migration of a user’s home between different machines by copying a single file. Would be awesome to have that as part of PureOS too.