Where is this "extremely well documented process" to enroll new signing keys on an embedded device? I don't see one for any of these embedded processors with secure boot.

https://pip-assets.raspberrypi.com/categories/1214-rp2350/do...

https://documentation.espressif.com/esp32_technical_referenc...

https://docs.amd.com/v/u/en-US/ug1085-zynq-ultrascale-trm

It's fair to think of secure boot in only the PC context but the model very much extends to phones. It seems ridiculous to me that to use a coupon for a big mac I have to compromise on what features my phone can run (either by turning on secure boot and limiting myself to stock os or limiting myself to the features and pricing of the 1 or 2 phones that allow re-locking).