@suetanvil @mhoye it can also be used as defense against 'abusive spouse/parent covertly installs stalkerware on their victim' but none of the implementations care about this sort of threat of course. (so many chip datasheets only talk about preventing readout and modification of 'intellectual property', lmao)
in non-embedded computers, secure boot is often meant to be used in conjunction with the TPM. disabling secure boot would change the PCR measurements, and thus render (for example) the disk encryption keys inaccessible
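As an added example (not from the post above), a toy Python model of the PCR point: the Secure Boot state is one measured event, so flipping it changes the PCR, and a disk key sealed to the original PCR value can no longer be unsealed. `pcr_extend`, `measure_boot`, `seal`, `unseal`, `demo` and `SRK_SECRET` are hypothetical names; the event log and secrets are constructed.

```python
import hashlib
import hmac

# Added illustration, not from the post: a toy model of TPM PCR extension and of
# a disk-encryption key "sealed" to the resulting PCR value. Event strings and the
# SRK secret are constructed; real PCR7 logs and policy sessions are richer.

def pcr_extend(pcr, event):
    """TPM2 PCR extend: PCR_new = SHA-256(PCR_old || SHA-256(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()

def measure_boot(secure_boot_enabled):
    """Replay a simplified PCR7-style event log starting from an all-zero PCR."""
    pcr = bytes(32)
    events = [
        b"SecureBoot=" + (b"1" if secure_boot_enabled else b"0"),  # UEFI variable
        b"PK=constructed-platform-key",
        b"db=constructed-signature-db",
    ]
    for event in events:
        pcr = pcr_extend(pcr, event)
    return pcr

SRK_SECRET = b"constructed-storage-root-key-secret"  # stands in for the TPM's SRK

def seal(key, pcr):
    """Bind key to a PCR value: wrap it under a key derived from (SRK, PCR)."""
    wrap = hmac.new(SRK_SECRET, pcr, hashlib.sha256).digest()
    wrapped = bytes(a ^ b for a, b in zip(key, wrap))
    tag = hmac.new(wrap, wrapped, hashlib.sha256).digest()
    return wrapped, tag

def unseal(blob, pcr):
    """Return the key only if the current PCR equals the one used at seal time."""
    wrapped, tag = blob
    wrap = hmac.new(SRK_SECRET, pcr, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(wrap, wrapped, hashlib.sha256).digest()):
        return None  # policy mismatch: the TPM refuses to release the key
    return bytes(a ^ b for a, b in zip(wrapped, wrap))

def demo():
    """Returns (unseal works with Secure Boot on, unseal works with it off)."""
    disk_key = hashlib.sha256(b"constructed-disk-encryption-key").digest()
    blob = seal(disk_key, measure_boot(secure_boot_enabled=True))
    with_sb = unseal(blob, measure_boot(True)) == disk_key
    without_sb = unseal(blob, measure_boot(False)) == disk_key
    return with_sb, without_sb
```

The same mechanism is why a BIOS setting change, firmware update or bootloader swap can leave a machine prompting for a recovery key: the sealed blob is intact, but the PCR policy no longer matches.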