Most distros will run just fine without disabling secure boot. I don't think the *BSDs are supported by the shim loader yet, but even Gentoo boots with secure boot enabled, without loading any user keys.
Because it can lock the door behind itself in an opaque hardware-dependent layer users have no control over.
If I were to design security from the ground up it would be a small external sdcard for firmware and kernel (with a hardware r/w toggle), and optionally an external sdcard adapter that verifies the hash of the content.
Everything else is as dumb as bricks and gets its firmware loaded from the sdcard.
We didn't do that because secure boot was solving the problem of large orgs with remote administration in mind, and designed by orgs happy to sell yearly advanced cybersecurity protection shield plus certification subscriptions.
Designing for remote administration by an IT department will... increase the attack surface for attackers to remotely administrate my device.
You only need to disable it until you've got that OS installed, and then you can re-enable it. All the major Linux distros have supported Secure Boot for years (which I was not aware of, and will now look into setting up!)
Is the implication that anything that is more complicated is necessarily less secure? Because I think that turns security on its head. A deadbolt is more complicated than a door with no lock.
We can argue about whether there is sufficient user demand and benefit to make secure boot easier for lay people. But that is completely orthogonal to whether it increases or decreases security of the system.