I could easily see reasons to have a box that can boot a signed kernel but the signing keys are held by me offline.