You don't need the secure boot machinery for that though, a hardware security token would do and has the advantage that you need to acknowledge actions with a tap

Tangentially, soon all those will be replaced with new hardware supporting PQ signatures.