Poettering has been tinkering with a mechanism for tightening up the security of the system startup process on Linux machines, using TPM 2.0 hardware. The problem, as he sees it, is loading the initrd.
For those not in the know, the initrd is the "initial RAM disk" and it allows Linux distributions to boot on different hardware without needing a custom kernel for every individual machine.
The bootloader loads the kernel and the initrd into memory, and then as the kernel starts to run, it has a temporary filesystem ready for it in memory, from which it can load any additional device drivers it needs.
But since things like graphics drivers have to be in the initrd, every time the drivers are updated the distro builds a new initrd. While this works, it is not secure, as malware or an intruder could insert malicious code into the initrd, and it will be loaded every time your system boots, even if no other copy of that malicious code exists anywhere else on your hard disk.
Matters get worse when you add full-disk encryption to the mix. Some forms of full-disk encryption can unlock encrypted disks without a password using information stored in the TPM chip's Platform Configuration Registers (PCRs). Agent P is very concerned about the way that code in the initrd has access to TPM PCRs.
Poettering suggests creating a Unified Kernel Image, which combines a Linux kernel image, an initrd, a UEFI boot stub program and the blood of a virgin into a single UEFI PE file. Oddly, this is similar to a Microsoft "Portable Executable." So, what he has come up with is a boot component originating in the Linux world, which extends the SecureBoot public key database.
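To make the "single UEFI PE file" idea concrete, here is an added example (not code from Poettering or systemd) that walks a PE section table and hashes each bundled component, which is how a defender could compare the kernel and initrd inside an image against a known-good build. The section names `.linux` and `.initrd` are the ones systemd's UEFI stub uses and are not stated in this article; the sample images are constructed, minimal and not bootable, and all function names are hypothetical.

```python
import hashlib
import struct

def pe_sections(image: bytes) -> dict:
    """Return {section name: section bytes} for a PE/COFF image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    try:
        # COFF header: Machine, NumberOfSections, three uint32 fields,
        # SizeOfOptionalHeader, Characteristics (20 bytes in total).
        _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe_off + 4)
        table = pe_off + 24 + opt_size  # section table follows the optional header
        sections = {}
        for i in range(nsect):
            # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
            name, vsize, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
            size = min(vsize, raw_size) if vsize else raw_size  # drop alignment padding
            if raw_ptr + size > len(image):
                raise ValueError("section data runs past end of file")
            sections[name.rstrip(b"\0").decode("ascii", "replace")] = image[raw_ptr:raw_ptr + size]
    except struct.error as exc:
        raise ValueError("truncated PE headers") from exc
    return sections

def component_digests(image: bytes) -> dict:
    """SHA-256 per bundled component, for comparison against a known-good build."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in pe_sections(image).items()}

def build_sample_image(parts: dict) -> bytes:
    """Constructed minimal PE layout for this demo only; it is not bootable."""
    header = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    header += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(parts), 0, 0, 0, 0, 0)
    offset = len(header) + 40 * len(parts)  # first byte after the section table
    table, body = b"", b""
    for name, data in parts.items():
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), 0,
                             len(data), offset + len(body), 0, 0, 0, 0, 0)
        body += data
    return header + table + body

# Constructed sample contents, standing in for a real kernel and initrd.
GOOD = build_sample_image({".linux": b"constructed kernel", ".initrd": b"constructed initrd"})
TAMPERED = build_sample_image({".linux": b"constructed kernel", ".initrd": b"constructed initrd + extra"})

if __name__ == "__main__":
    for name, digest in component_digests(GOOD).items():
        changed = digest != component_digests(TAMPERED)[name]
        print(f"{name:8} {digest[:16]}... changed in second image: {changed}")
```

Because the kernel and initrd live in one file, a single signature over that file covers both, so an initrd swapped out as described above no longer matches what was signed.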