Comment by digiown

I don't disagree. I just don't want the trusted entity to be other than me.

Note that secure boot doesn't become worthless just because you can flash something different. The TPM should notice SB is turned off, and should refuse to decrypt, but there should be a way for the user to back up the key and use it to recover the data later.