I’ve made the effort to secure mine and am aware of how the trusted protection module works with keys, Fedora’s Anaconda system, the shim, etc. I’ve seen where some here have mentioned they do not care or enable secure boot. Out of open minded curiosity for questioning my biases, I would like to know if there is anything I’ve overlooked or never heard of. Are you hashing and reflashing with a CH341/Rπ/etc, or is there some other strategy like super serious network isolation?
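For the "hashing and reflashing" strategy mentioned above, here is a small added example (my own, not code from anyone in this thread) of the integrity check you would run on an external SPI flash dump. It assumes the dump was taken with something like `flashrom -p ch341a_spi -r dump.bin` and that a baseline hash was recorded while the machine was in a known-good state and stored off the box; the file names, the 16-byte "chip size" and the byte contents are constructed for the demo, a real image is the full size of the flash chip.

```shell
#!/bin/sh
# Added example, not from the thread. Compares an SPI flash dump against a
# baseline hash taken in a known-good state, and separates a measurement
# problem (short/long read: bad wiring, wrong chip definition) from an actual
# change in the image. Names, sizes and contents below are constructed.

# verify_dump DUMP EXPECTED_SHA256 EXPECTED_SIZE
# Returns 0 (matches), 1 (hash differs), 2 (dump is not the chip's size).
verify_dump() {
    dump=$1; expected_hash=$2; expected_size=$3
    actual_size=$(( $(wc -c < "$dump") ))
    if [ "$actual_size" -ne "$expected_size" ]; then
        echo "SIZE: $dump is $actual_size bytes, expected $expected_size (re-read the chip)"
        return 2
    fi
    actual_hash=$(sha256sum "$dump" | cut -d' ' -f1)
    if [ "$actual_hash" != "$expected_hash" ]; then
        echo "MISMATCH: $dump differs from the baseline (diff the images before reflashing)"
        return 1
    fi
    echo "OK: $dump matches the baseline"
    return 0
}

# record_baseline DUMP: prints the hash to keep somewhere the laptop can't touch.
record_baseline() {
    sha256sum "$1" | cut -d' ' -f1
}

# make_sample_dumps: constructed 16-byte "flash images" for a local demo.
# Prints the directory holding baseline.bin, same.bin, tampered.bin, short.bin.
make_sample_dumps() {
    d=$(mktemp -d)
    printf 'BOOTBLOCK-v1.000' > "$d/baseline.bin"   # the known-good read
    cp "$d/baseline.bin" "$d/same.bin"               # a later, unchanged read
    printf 'BOOTBLOCK-v1.001' > "$d/tampered.bin"    # one byte changed
    printf 'BOOTBLOCK-v1'     > "$d/short.bin"       # truncated read, 12 bytes
    echo "$d"
}

# Demo when run directly: one clean read, one changed image, one short read.
dir=$(make_sample_dumps)
base=$(record_baseline "$dir/baseline.bin")
verify_dump "$dir/same.bin"     "$base" 16 || echo "exit status $?"
verify_dump "$dir/tampered.bin" "$base" 16 || echo "exit status $?"
verify_dump "$dir/short.bin"    "$base" 16 || echo "exit status $?"
```

The size check comes first on purpose: a short or doubled read also produces a wrong hash, and you want to know whether the chip changed or the read did before deciding to reflash. The baseline itself only means something if it was recorded before the machine was exposed, and is kept where the machine cannot rewrite it.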

  • You don’t. There’s no replacement when your secure boot configuration is buggy or turned off.

    Not everyone cares that someone could alter their bootloader and extract their encryption keys. Others have laptops from shitty companies with known-broken secure boot implementations. If your secure boot can be bypassed because your laptop manufacturer imported “test key do not trust” as their root of trust, there’s nothing you can do to replace secure boot, except for maybe reflashing the firmware to something like Coreboot.

    In theory one could write a bootloader that uses something like SGX or some other super privileged system to do hardware attestation before exchanging encryption keys with a server, but I don’t know of anything like that on a bootloader level. Before Intel dropped SGX (SGX being broken completely by side channel attacks like Meltdown and Spectre), getting Intel to sign your SGX blob was difficult and expensive, so that would bar relatively simple criminals from bypassing your boot configuration, but it’d cost a pretty penny.