Comment 18 for bug 2040137

That's fine Seth if secure boot is disabled you can pretty much fiddle the knobs from everywhere.

If you turn it to setup mode you can conveniently replace the keys from inside Linux too.

It mostly boils down to the efi shell being easy to manipulate over the serial console by a script whereas to go into uefi and toggle secure boot off you'd likely have to be human or do some machine learning to recognise the screens (or toggle stuff blindly).

Outside of FDE the effects probably are negligible because it's much easier to attack the systems by booting them with init=/bin/bash and just rootkit the OS...