I compare the Chromebook secure boot to be very similar to how Android secure boot works for Nexus devices.
With Android, if I want install a custom ROM, I have to unlock the bootloader. When I do so, it wipes the user data partition and performs a factory reset. From that point forward, the device will show an unlocked symbol at the bottom of the screen while the device boots. Chromebooks go one step further by changing the boot cycle cadence so that it is obvious that the device is unlocked.
Now if I'm running my custom ROM on Android, it might be possible to flash a compromised ROM while I'm not looking, suffering the same fate as running your Chromebook insecure. The Chromebook, with its ability to boot from as SD Card means that you can keep the SD Card physically secure when your device is not. You can then boot from that SD Card, still seeing the "Unverified ROM" screen, but knowing that the ROM you are booting from IS trusted.
I'm not sure I understand how having user keys is a security advantage. While I can understand that this might allow you to run user signed ROMs without the unverified ROM warning screen, it opens the door for someone to install a ROM that they've signed and install the user key for validation. Booting such a ROM would give no real indication to the user that they are running a compromised system.
If you are going to take a Chromebook and run Linux on it, I have no problem if I have to press CTRL-D if its presence makes it clear when a Chromebook is running a verified ROM.
Re: Wow
With Android, if I want install a custom ROM, I have to unlock the bootloader. When I do so, it wipes the user data partition and performs a factory reset. From that point forward, the device will show an unlocked symbol at the bottom of the screen while the device boots. Chromebooks go one step further by changing the boot cycle cadence so that it is obvious that the device is unlocked.
Now if I'm running my custom ROM on Android, it might be possible to flash a compromised ROM while I'm not looking, suffering the same fate as running your Chromebook insecure. The Chromebook, with its ability to boot from as SD Card means that you can keep the SD Card physically secure when your device is not. You can then boot from that SD Card, still seeing the "Unverified ROM" screen, but knowing that the ROM you are booting from IS trusted.
I'm not sure I understand how having user keys is a security advantage. While I can understand that this might allow you to run user signed ROMs without the unverified ROM warning screen, it opens the door for someone to install a ROM that they've signed and install the user key for validation. Booting such a ROM would give no real indication to the user that they are running a compromised system.
If you are going to take a Chromebook and run Linux on it, I have no problem if I have to press CTRL-D if its presence makes it clear when a Chromebook is running a verified ROM.