Alternatively, just make it illegal to ship any kind of initial bootloader as part of a CPU's/SoC's mask ROM in any computing device that is marketed as a general-purpose one.
No, you just need to make it illegal to have the bootloader contain hardcoded key material and use it for verifying the code it loads.
Most of those are less "hardcoded" and more "fused into internal non-erasable memory at manufacturing time".
Not that it changes much. It really should be illegal to enforce "secure boot" with no way for the device owner to opt out of it or enroll his own keys.