Actually secure boot (on Fedora)
blog.nil.im
I'm confused what the threat model is here. The signing key is available to the running system, so it doesn't protect against remote malware gaining persistence by compromising the boot process. And a physically present user can change the keys in UEFI or disable Secure Boot entirely, so it doesn't protect against evil maids either. So what does it protect against?
Yes, it does not protect the running system from being compromised, but that was never the idea behind Secure Boot anyway: You could just backdoor a binary, why even bother with the kernel.
As for evil maid, yes, it does help: You can't just change keys if you have a UEFI password. Sure, a determined attacker could externally reprogram your SPI flash. But that is a lot more effort. Absolute security doesn't exist, but you can make it as hard as possible :).
Another use case is actually dual booting with Windows: You can add Microsoft's cert to the DB and only the DB. This way, Windows cannot add any new certs. And you can only load bootloaders signed by Microsoft (no shim etc., as MS was clever enough to use a different key for that). That way, Windows could only compromise your Linux if Microsoft signs a malicious Linux kernel. I would hope they have their key on an HSM and don't sign everything lightly ;).