>if users want to lock themselves into only using vendor firmware that's something that users should be able to opt into.
But even this is a potential risk all by itself if you aren't making sure this can only be done by someone with physical access to the hardware. Case in point is Dell and AMD EPYC CPUs that were locked to Dell firmware if they had been booted on a Dell motherboard in the past. It's bad enough that processors were being locked to Dell only without the user making the choice but that also allows for the possibility of some pretty potent ransomware. Not just holding data for ransom but holding hardware as well and with the same durable cryptographic guarantees.
But even this is a potential risk all by itself if you aren't making sure this can only be done by someone with physical access to the hardware. Case in point is Dell and AMD EPYC CPUs that were locked to Dell firmware if they had been booted on a Dell motherboard in the past. It's bad enough that processors were being locked to Dell only without the user making the choice but that also allows for the possibility of some pretty potent ransomware. Not just holding data for ransom but holding hardware as well and with the same durable cryptographic guarantees.