Don't be so dramatic lol, that's cringe

I thought SecureBoot and TPM are M$'s crap. Why show it now?

Secure Boot is cool but its implementations are nonsense. I've tried enrolling user keys and signing the kernel on a few machines, and the story was the same --- verification was working ok, but a fw reset (removing CMOS battery, proper switch on the motherboard) was enough to jump back to the default SB state with my keys deleted.
So it is either this or using a machine with MS keys baked in, with a MS-approved bootloader blob, not a substantially tempting option.

I suspect the same story applies to all other switches this tool checks; without coreboot one has to trust the firmware, and these are traditionally totally unreliable, most vendors are more concerned with bloating them with kitsch fan animations that moving their quality anywhere higher than "somewhat seems to work for us".

Nice, I hope they'll continue borrowing features from KDE Plasma and maybe one day Gnome will become a usable DE.

SecureBoot protects against unauthorized changes of the kernel (and if you use a Unified Kernel Image, the initramfs as well). This authorization is done by the platform owner which is usually the owner of the machine, so in the case of your laptop/desktop it would be you.

As far as re-signing the kernel, that depends on how you manage the SecureBoot keys and how the private keys are protected. If you leave the keys on the machine and they are unprotected, without being encrypted with a passphrase or some other mechanism, then yes it's a significantly weaker security enhancement but does still prevent drive-by kernel/initramfs changes.

Physical access is a whole other can of worms, but with firmware integrity features on newer chips (for Intel things like FD0V, BootGuard) the situation is getting better.

The most unfortunate reality of current SecureBoot implementations is that you usually have to keep the Microsoft certificate as a KEK or you may not be able to run certain hardware option ROMs (used for UEFI device drivers, like if you want to network boot,configure hardware RAID, etc) as they are typically signed for the widest compatibility. Sometimes you get vendors who re-sign them to their certificate (I've experienced that with HPE in particular) which isn't much better but it's not Microsoft.

When this lands I'll probably take the time to actually switch over to systemd-boot with a UKI and enable SecureBoot finally. Been coasting for too long with GRUB.

It's GNOME and Red Hat, what did you expect?

Secure boot in Linux is a security theater anyways because only the kernel image and its modules are signed. Everything else is not, not a single binary or library on the disk.

GNOME is used in RHEL in enterprise environments that often force more security requirements than your PC at home.

It's just a warning that could be disabled, stop being so dramatic..

Indeed, it's a uefi feature provided by hardware producers. Matter is if it useful or not.

On the other hand 'security' on Windows is non existent. For dozens of years It was revealing user name and password:



2016
Amazing tech!