This sure reminds me of the days of TCPA proposing its TPM platform, where DRM-protected music, video, etc. would be decrypted and protected by the TPM hardware to prevent software from attempting to access the decrypted audio/video and make it much more difficult to crack the DRM, since it’s much more difficult to reverse engineer hardware decryption.
Surely protecting the bootloader does not require having it signed. Instead, make it read-only! What I mean is, improve the BIOS so that specific hard disk sectors can be flagged as “read-only” (e.g. sectors storing the boot records/loader, kernel code, etc.) and the only way to unlock them would be to disable the protection in the BIOS, such as to install another OS, update the bootloader, etc. This would still prevent rootkit malware from overwriting the vulnerable sectors containing the bootloader, kernel, etc. without requiring these to be securely signed.