Secure Boot for HAOS

Please, can we have Secure Boot support on HAOS?

I have resigned myself to HAOS only instead of installing HA Supervised. This is the second deprecation I’ve had to endure - Ubuntu was booted off the supported list and Debian stock used to be mandated. Now that is gone too. I look after several HA instances.

HAOS does not support Secure Boot. You “just” have to ensure that you use Shim or similar and sign the kernel and modules. It is a bit complicated but far from rocket science. It is not the be-all and end-all of security mechanisms either, but it is available and I suggest that it ought to be used because there is a good chance that hardware will eventually mandate it.

I do get that you will have to get a set of signing keys that chain back to the UEFI built in keys (MS) or persuade someone else to sign kernels and modules on your behalf.

It might be wise to dive in now on this instead of waiting until the only hardware available is a grey market board with SB switched off. Think of it like the coming SSL/TLS certificate lifespan shrinking. You will have to get to grips with ACME and cert. recycling within 45 days or your browser will refuse to show you a website.

I’ve just had to switch off SB on my smart new HA box and I felt a bit annoyed. I could put Proxmox on it and run HA as a VM and perhaps I might but I think that if you are going to enforce the OS choice for your users then you should be fully responsible for that decision and do the whole job and not simply skip the inconvenient bits.

Thinking about it: VM it is, for me, in this instance. That won’t wash on a RPi but I have a Core i7 based box with gobs of RAM and SSD.

I’d still like to see SB support because I suspect that in five years or less it will become mandatory.
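A small check that goes with the two mechanics mentioned above (the firmware's Secure Boot state, and whether a kernel image handed off by shim actually carries a signature). This is an added example for the thread, not HAOS or shim code: it reads the `SecureBoot` variable from efivarfs on a Linux host (assumed mounted at `/sys/firmware/efi/efivars`) and parses the PE/COFF Certificate Table of an EFI binary to see whether a PKCS#7 Authenticode `WIN_CERTIFICATE` is present. The sample PE images are constructed in memory for offline testing and are not real kernels; the script reports presence of a signature only, since verifying the chain against the firmware `db` or shim's MOK list is the firmware's and shim's job.

```python
"""Report UEFI Secure Boot state and whether an EFI binary is Authenticode-signed.

Added example for this thread, not HAOS project code. Assumes a Linux host with
efivarfs at /sys/firmware/efi/efivars; sample images are constructed, not real.
"""
import struct
import sys
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
CERT_TABLE_INDEX = 4                 # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def secure_boot_state():
    """True/False from the firmware's SecureBoot variable; None when the
    machine was not booted through UEFI (efivarfs absent)."""
    var = EFIVARS / f"SecureBoot-{EFI_GLOBAL_VARIABLE}"
    if not var.exists():
        return None
    data = var.read_bytes()
    # efivarfs prepends 4 bytes of variable attributes to the value.
    return len(data) >= 5 and data[4] == 1


def certificate_table(image: bytes):
    """Return (file_offset, size) of the PE Certificate Table directory, or
    None if the bytes are not a PE/COFF image carrying that directory."""
    try:
        if image[:2] != b"MZ":
            return None
        (pe_off,) = struct.unpack_from("<I", image, 0x3C)      # e_lfanew
        if image[pe_off:pe_off + 4] != b"PE\0\0":
            return None
        opt = pe_off + 4 + 20                # skip PE signature + COFF header
        (magic,) = struct.unpack_from("<H", image, opt)
        # Data directories follow the optional header's fixed fields:
        # 96 bytes for PE32, 112 bytes for PE32+.
        dd_base = opt + {PE32_MAGIC: 96, PE32PLUS_MAGIC: 112}[magic]
        (num_dirs,) = struct.unpack_from("<I", image, dd_base - 4)
        if num_dirs <= CERT_TABLE_INDEX:
            return None
        # For this directory the "VirtualAddress" field is a file offset.
        return struct.unpack_from("<II", image, dd_base + 8 * CERT_TABLE_INDEX)
    except (struct.error, KeyError):
        return None


def is_signed(image: bytes) -> bool:
    """True when the image carries a well-formed PKCS#7 WIN_CERTIFICATE header.
    Presence only: the trust chain is checked by the firmware (db) or shim (MOK)."""
    entry = certificate_table(image)
    if entry is None:
        return False
    off, size = entry
    if size < 8 or off + size > len(image):
        return False
    length, revision, cert_type = struct.unpack_from("<IHH", image, off)
    return (length <= size and revision == WIN_CERT_REVISION_2_0
            and cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA)


def build_sample_image(signed: bool) -> bytes:
    """Constructed minimal PE32+ image for offline testing (not a real kernel).
    With signed=True a placeholder WIN_CERTIFICATE is appended and referenced."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))          # e_lfanew
    coff = b"PE\0\0" + bytes(20)                         # zeroed COFF header
    opt = bytearray(112 + 16 * 8)                        # 16 data directories
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)                 # NumberOfRvaAndSizes
    cert = b""
    if signed:
        cert = struct.pack("<IHH", 16, WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + bytes(8)
        struct.pack_into("<II", opt, 112 + 8 * CERT_TABLE_INDEX,
                         len(dos) + len(coff) + len(opt), len(cert))
    return bytes(dos) + coff + bytes(opt) + cert


if __name__ == "__main__":
    print("Secure Boot:", secure_boot_state())
    for path in sys.argv[1:]:
        state = "signed" if is_signed(Path(path).read_bytes()) else "unsigned"
        print(path, state)
```

Run it as `python check_sb.py /boot/efi/EFI/BOOT/BOOTX64.EFI` (or any kernel EFI stub) to see whether the binary would even be a candidate for Secure Boot verification; an "unsigned" result on a box with `Secure Boot: True` is exactly the combination that stops a boot.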

There are three quite major issues with secure boot:

  • the certificates/signing services cost real money, quite a lot, yearly and for each signature by MS
  • you need to split out the whole critical path (at least shim) from the normal package builds, so they can be (rarely) sent up to MS for signing - and then have to re-integrate the binary results into your image, keep in mind that each signature process takes weeks++
  • it makes ‘just rebuilding from source’ and development much harder, as you suddenly need a signed- and unsigned build process (doubling the chance of bugs)

On top of that, setting up the whole process (packaging, buildd network, certificate chain of trust, who can do what, how to handle remote signing securely, etc. pp.) is quite some effort. I would recommend against this, as it’s an expensive and bottomless pit - and effectively hands MS a killswitch.


You are absolutely right … but

There is a fair chance that it might become mandatory or close to mandatory in the not so distant future. If hardware enforces SB then all your arguments are moot.

I mentioned TLS. I’m sure you are aware that TLS certificate lifespans will be enforced down to 47 days (“TLS Certificate Lifetimes Will Officially Reduce to 47 Days”, DigiCert). Already you can get in a bit of a state with your own browser trying to access your own stuff. SB is likely to follow this sort of wankery “for your own good”.