They also require TPM, which I think facilitates remote attestation for secure boot.