Most existing PC hardware root of trust solutions rely on permanently locking the hardware to only running software signed by a private key corresponding to a public key that has been permanently loaded (usually called fused but it's not always implemented with fuses) into the hardware. That process is often done by the OEM and thus a customer can do nothing but trust them and the firmware they provide.

One of the reasons I advocated for designing our own hardware root of trust at Oxide was to see how far we could go with providing trust while also giving customers a choice in whether to trust us. This is challenging work full of subtleties and trade-offs. While Oxide servers aren't PCs and so the design won't be directly applicable, I'm hopeful that customers and the industry take notice and try to do better.

@mxshift the original Microsoft Cerberus design had eight fuse slots for owner keys based on their analysis that an average machine went through three owners. Not sure if that survived into Pluton or whatever it became.
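To make the mechanism both posts describe concrete (a fused public-key hash that gates which firmware will boot, and a small bank of one-time-programmable owner key slots), here is an added illustration written for this thread. It is not Oxide, Cerberus or Pluton code and mirrors none of their formats: the slot count, the use of SHA-256 key hashes in the slots, the Ed25519 signature scheme and the image layout are all assumptions chosen to keep the example self-contained. Ownership transfer is modelled as revoking the old owner's slot and burning the new owner's key hash into a free one, which is the irreversible step that makes the slot count a hard limit on how many times a machine can change hands.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// NumSlots is a constructed value for this illustration; the reply above
// mentions eight owner key slots in the original Cerberus design.
const NumSlots = 8

// FuseBank models one-time-programmable storage. Each slot holds the SHA-256
// hash of an owner public key (a hash, not the key, to save fuse bits) plus a
// revocation bit. Both transitions are irreversible, like blowing a fuse.
type FuseBank struct {
	slots   [NumSlots][sha256.Size]byte
	used    [NumSlots]bool
	revoked [NumSlots]bool
}

// Program burns a key hash into the first free slot; slots are never rewritten.
func (b *FuseBank) Program(keyHash [sha256.Size]byte) (int, error) {
	for i := range b.slots {
		if !b.used[i] {
			b.slots[i] = keyHash
			b.used[i] = true
			return i, nil
		}
	}
	return -1, errors.New("fuse bank exhausted: no free owner key slot")
}

// Revoke permanently disables a programmed slot (e.g. on ownership transfer).
func (b *FuseBank) Revoke(i int) error {
	if i < 0 || i >= NumSlots || !b.used[i] {
		return errors.New("slot not programmed")
	}
	b.revoked[i] = true
	return nil
}

// Image is a signed firmware image. The public key travels with the image so
// that only its hash has to live in fuses; the signature covers the payload.
type Image struct {
	PublicKey ed25519.PublicKey
	Payload   []byte
	Signature []byte
}

// SignImage runs in the owner's signing infrastructure, never on the device.
func SignImage(priv ed25519.PrivateKey, payload []byte) Image {
	return Image{
		PublicKey: priv.Public().(ed25519.PublicKey),
		Payload:   payload,
		Signature: ed25519.Sign(priv, payload),
	}
}

// VerifyImage is the boot-ROM check: the embedded key must hash to a
// programmed, unrevoked slot, and the signature must verify under that key.
// The slot lookup is what stops an image from simply carrying its own key.
func VerifyImage(b *FuseBank, img Image) error {
	if len(img.PublicKey) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	h := sha256.Sum256(img.PublicKey)
	trusted := false
	for i := range b.slots {
		if b.used[i] && !b.revoked[i] && b.slots[i] == h {
			trusted = true
			break
		}
	}
	if !trusted {
		return errors.New("embedded key does not match any active fuse slot")
	}
	if !ed25519.Verify(img.PublicKey, img.Payload, img.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	var bank FuseBank
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	slot, _ := bank.Program(sha256.Sum256(pub))
	img := SignImage(priv, []byte("constructed firmware payload"))
	fmt.Println("owner 1 image:", VerifyImage(&bank, img))

	// Ownership transfer: revoke owner 1, burn owner 2's key hash.
	_ = bank.Revoke(slot)
	fmt.Println("owner 1 image after revoke:", VerifyImage(&bank, img))
	pub2, priv2, _ := ed25519.GenerateKey(rand.Reader)
	_, _ = bank.Program(sha256.Sum256(pub2))
	fmt.Println("owner 2 image:", VerifyImage(&bank, SignImage(priv2, img.Payload)))
}
```

The check order matters: the ROM first decides whether the key is one the owner chose to trust, and only then spends time on the signature. Because the fuse writes are one-way, an implementation that exposes `Program` and `Revoke` to untrusted code would let anyone exhaust or brick the bank, so real designs gate those operations behind authenticated ownership commands; that gating is outside this illustration.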
