Having http as an alternative to tftp is a nice win. The range of things that can run an http server is much bigger than tftp

>Additionally, adding the TLS layer brings back the missing integrity and confidentiality guarantees and thus paves the way to move critical boot components out of the trusted network, possibly even to a remote location/Cloud.

Doesn't secure boot already provide this or am I misunderstanding something? I suppose secure boot only provides integrity but not confidentiality although I'm not sure how much confidentiality matters given we're just talking about the kernel here

▲

LooseMarmoset an hour ago | parent [-]

Secure boot is designed to verify software signatures. The UEFI bios might support loading software over https, but it isn't part of secure boot. Secure boot would verify any kernels/etc loaded from https.

	▲	RulerOf 33 minutes ago \| parent [-]
		That was the point as I read it. Payload signature verification is a good and sometimes desirable alternative to transport encryption when the payload itself isn't secret. Highly-cacheable resources like game and OS updates are often intentionally delivered over http as signed payloads to facilitate middlebox caching.