@Eternal_Light@mastodon.social @nixCraft@mastodon.social with the assumption that the firmware supports user-defined variables/keys
there are x86 models that enforce SB and TPM with only MS key and Vendor key
one can't even revoke a known exploited key.