enable Linux kernel gpg verification in grub and/or enable Secure Boot by default

Turns out that sysrq does have powerful functionality that allows kernel modding, which has implications for secure boot (but if only root can do it then I don’t see the point of forbidding it). As far as secure boot is concerned, I think we need to decide if the effort to make it work is worth it vs the real benefit we get. The signed shim key from MS was leaked in the past and allowed anyone to bypass their ARM non-Windows restrictions. Even if it didn’t leak, you can bet your stars that they shared it with certain entities. So those should be able to run their code on your “secure” machine. Self signing the kernel is not even practical on an individual or UX level.

Advanced attackers don’t even have to load their extra code to attack the machine and can re-purpose code already there to carry out their instructions. These are known as data-only attacks.

https://wiki.debian.org/SecureBoot#Secure_Boot_limitations

Using SB activates “lockdown” mode in the Linux kernel. This disables various features that can be used to modify the kernel:

Lockdown mode can be disabled by pressing Alt-SysRq-x. (See “How do I use the magic SysRq key” if you have difficulty with this.) This will re-enable the above features until the next boot.

2 Likes
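A way to check the state the quoted Debian text describes on a running system, as an added example that is not part of the original post or of any project's code: it reads the kernel's lockdown and SysRq settings and reports whether lockdown is active and whether keyboard SysRq is enabled. The function names are hypothetical; the default paths are the standard kernel interfaces, and each function accepts an alternate file path so it can be run against saved copies.

```shell
#!/bin/sh
# Added example: report kernel lockdown and keyboard SysRq state.

# Print the active lockdown mode. The kernel brackets the active one,
# e.g. "none [integrity] confidentiality".
lockdown_mode() {
    file=${1:-/sys/kernel/security/lockdown}
    [ -r "$file" ] || { echo "unknown"; return 0; }
    mode=$(sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$file")
    echo "${mode:-unknown}"
}

# Classify kernel.sysrq: 0 = keyboard SysRq off, 1 = all functions on,
# any other number = bitmask restricting which functions are allowed.
sysrq_state() {
    file=${1:-/proc/sys/kernel/sysrq}
    [ -r "$file" ] || { echo "unknown"; return 0; }
    val=$(cat "$file")
    case "$val" in
        0) echo "disabled" ;;
        1) echo "all" ;;
        ''|*[!0-9]*) echo "unknown" ;;
        *) echo "restricted" ;;
    esac
}

# Combine both readings into a one-line verdict.
assess() {
    mode=$(lockdown_mode "$1")
    sysrq=$(sysrq_state "$2")
    case "$mode" in
        none)
            echo "WARN: lockdown not active (sysrq=$sysrq)" ;;
        integrity|confidentiality)
            if [ "$sysrq" = "disabled" ]; then
                echo "OK: lockdown=$mode, keyboard SysRq disabled"
            else
                echo "NOTE: lockdown=$mode, keyboard SysRq $sysrq;" \
                     "Alt-SysRq-x at the console may lift lockdown until reboot"
            fi ;;
        *)
            echo "UNKNOWN: lockdown state not readable" ;;
    esac
}

assess   # evaluate the running system
```

The `kernel.sysrq` value only restricts keyboard invocation; writes to `/proc/sysrq-trigger` by root are not limited by it.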