I don't want to pull back the curtain too much or tramp on everyone's hopes, but Linux can't compete with Microsoft because of UEFI. The PCs being sold today only allow Microsoft's software to run. In order to distribute a Linux distro, you have to ask Microsoft to give you a shim where they've signed your private key, so that you can share your own signed kernel builds with others. Therefore you can't publish a Linux desktop for consumers without being in league with the adversary.
That's why I used the word consumers. Rolling your own crypto will let you work around the requirement of asking Microsoft for permission to install our own operating system. But it limits the audience for your work to the technical class.
I think this is the first time someone has ever reacted non-negatively towards me online after I brought up the subject. UEFI has good PR and I think people refuse to believe the implications of what happened. It would be like having Google officially be the only CA for HTTPS certificates and then removing HTTP from Chrome. That's basically what the security community did with PCs.
That surprises me. Much better in my opinion to listen than to assume I know better - especially because I'm familiar with your work.
Even though Secure Boot can be disabled on most hardware afaict [0], that's still a step consumers won't take, so the point still stands easily. Especially with the amount of "you will break everything and kick a puppy" that manufacturers throw in there to dissuade anyone who manages to get to the menu.
[0] worked at a repair shop until 1.5ish weeks ago, have disabled SB on a lot of hardware.
Source? I've installed Ubuntu on half a dozen newish UEFI computers, some of which came with OEM Windows, over the past few years with no trouble https://wiki.ubuntu.com/UEFI/SecureBoot
The source is in your own link. Also note, the person you replied to went on to emphasize 'consumer' in a followup comment, which I think makes the point much more salient.
[1]: "On Ubuntu, all pre-built binaries intended to be loaded as part of the boot process, with the exception of the initrd image, are signed by Canonical's UEFI certificate, which itself is implicitly trusted by being embedded in the shim loader, itself signed by Microsoft.
On architectures or systems where pre-loaded signing certificates from Microsoft are not available or loaded in firmware, users may replace the existing signatures on shim or grub and load them as they wish, verifying against their own certificates imported in the system's firmware."