We added a new option in #PureBoot called Restricted Boot that only boots self-signed kernels and distro-signed ISOs. I talk about how we approached this feature at length in this blog post: https://puri.sm/posts/introducing-pureboot-restricted-boot/ #firmware #security #coreboot #heads