@marypcbuk @iFixit TPM 2.0 and Secure Boot are not enough threat mitigation to warrant potentially the biggest addition to the e-waste bin ever. TPM 2.0 has multiple well documented exploits, depending on the vendor, that can render it largely useless. Secure Boot is good in theory, but boot sector malware isn't a particularly common attack vector in modern times and the downsides to running Secure Boot can be massive. Users already struggle to install Linux so throwing up another barrier by requiring them to add and manage their own secure boot keys is pretty unreasonable. You then end up with a system where larger distros are the only ones that work out of the box because mother board manufacturers include Microsoft keys by default, so Ubuntu and Fedora have Microsoft-provided shims that allow them to boot that other distros simply cannot provide by default. That's to say your system even allows you to modify your secure boot keys, which is not a Microsoft requirement for Windows 11 on x86 system and has never been a requirement on ARM systems (hence why so many of them have a locked bootloader using Secure Boot as the mechanism for doing so).

People have different threat models and for some people, sure, preventing boot sector malware is important. That said, it's neither a common attack vector nor are TPM and Secure Boot the security panacea that Microsoft wants you to think they are, and they come with real downsides. Security uses the Swiss cheese model, and I find it impossible to believe that throwing down this particular slice is at all worth the cost in doing so.