I’ve got two machines, one with, one without. The one without is a glorified media box. The one with has documents and emails and such

Yes. I have fully self-managed keys too.

No, everything I have is connected to the internet anyway so has far more easily compromised vectors. If I had any data sensitive enough I would not trust any security other than physical with it. I assume with physical access, a motivated enough attacker could gain access, there’s loopholes in everything.

So, if I had that sort of data, it would be on an offline machine, no wireless, never connected to a network. I would only trust it in so far as I could guarantee I am the only one who can access it.

I am but with self enrolled keys. People wildly misunderstand secure boot, it’s more for kernel/boot level malware and so it can be used with module signing.

Configured it successfully on my Laptop, then bricked my PCs MB trying to configure it on that. Never tried again. After all, it only works for you if you trust the closed source UEFI anyway. If you want actual security, desolder the flash chip

Nothing else about me is secure, why should my boot get to be?

no. Full disk encryption is enough to protect my privacy from anyone stealing my computer/disks, it’s what matters to me.

If some secret agency want to access said data, they would just need to ask me, with a smile and a nice warrant. At least here in France, not complying is severely punished.

I never even used it on Windows.

If someone can plant a camera somewhere that they can see your keyboard, they can probably obtain your password.

Nope. Things break on my system when it gets turned on. I just updated the BIOS last week, which somehow resulted in it getting turned back on. That silently broke my graphics card driver and it took me like an hour to figure out what was going on since there was no obvious error message.

no

A partial solution to this evil-maid attack vector is Heads firmware (a replacement for the bios/uefi itself), which lets you sign the contents of your unencrypted boot partition using a gpg key on a hardware token, and verify the integrity of the firmware itself using a totp/hotp key stored in the tpm.

All the benefits of secure boot, but you get to control the signing keys yourself instead of relying on a vendor. It’s great stuff.

look up CIS Benchmark for your OS and it will tell you how to harden your linux system against intrusion

Well, I’m running Asahi Linux on a Macbook which can’t boot from USB even if I wanted to.

However, if you’re really worried about state-level threat actors, like FBI or CIA, I don’t believe there is much you could do to protect yourself anyway. They likely have entire catalogs of unpublished and undisclosed side-band attack exploits they could draw from to gain access to your machine and execute a privilege escalation to install whatever they want.

I don’t see it as necessary. I have full disk encryption set up, which is sufficient to protect my data at rest. Even if I had secure boot set up, a sufficiently skilled agent could physically install a USB sniffer in my keyboard, flash a malicious BIOS to my motherboard, or just install a hidden camera to watch me type my password. And many TPMs have vulnerabilities that I’m sure government agencies are able to exploit.