LargoLasskhyfv 2 hours ago

> Oh, I see.

No, you don't.

Because of the SMI/ACPI/Intel Management Engine/AMD Secure Technology/UEFI, and optionally AMT, complex, where usually only parts of it can be partially deactivated, but never all of it.

It's actually worse than the above-mentioned ARM stuff, which is misinformed (maybe because of Raspberry Pi-ish Broadcomisms, or locked-down dumbphones), because on ARM you can either disable that stuff, or even run your own instead.

https://www.trustedfirmware.org/projects/op-tee/

https://github.com/OP-TEE

https://docs.kernel.org/next/tee/op-tee.html