I added this as a comment in a related thread on XDA, but it seems relevant here:
Brief background - my name is Matthew Garrett. I'm a Linux kernel developer working for Red Hat. I bought an original Nook back in 2009 and was responsible for getting Barnes and Noble to release the full kernel source code. When the Nook Color was released I did the same. I've been active in enforcement of the GPL and have a keen interest in helping (or making) companies comply with their obigaitons.
Having said that.
One of the significant differences between GPLv2 and GPLv3 is that GPLv3 makes explicit the requirement that signing keys be shipped. It has been argued that the GPLv2 implicitly requires the same, in the form of the requirement for the scripts required for installation. I'm sympathetic to that claim, and I will not personally distribute any code that requires a private signing key. But I'm not a lawyer and I'm certainly not a judge. Many people who are active in GPL enforcement will agree that vendors should provide the signing keys - but I don't think you'll find any who will actually make that the basis of a case.
B&N are not the only company to require signed kernel images. Many Android devices have locked bootloaders. I think this is a despicable anti-consumer design choice, but nobody's taking action against it. B&N have provided you with the kernel source code. They've done better than many by also providing you with the configuration file. They have a strong argument that by doing so they've complied with the requirements of GPLv2, and while you (and I) may disagree, that's almost certainly going to be as much as they'll be required to do. Consensus at the moment is that they don't need to do any more.
If it went to court then you may end up finding a judge who would rule that they're in violation, but I wouldn't put money on it. I think it's far too extreme to claim that they're actively violating.
As a bit of further clarification, I've downloaded the source tarball and checked it out. The kernel source appears as complete as I'd expect it to be. I don't have a Nook Tablet to check the filesystem, but the userspace code at least roughly matches what ought to be there. The bootloader source seems to match the hardware. As far as I can tell the only argument is that the NT will only boot with a signed bootloader and kernel, and the signing keys aren't included. There's no broad consensus that GPLv2 requires those keys.
Actually, it seems that there's one missing file that prevents u-boot from building:
Given the relative path, I'm betting that this is an error rather than malicious - they simply didn't tar it up with the other files. It should be fixed, but the fact that it isn't is not a showstopper.
"Many Android devices have locked bootloaders. I think this is a despicable anti-consumer design choice, but nobody's taking action against it."
This struck a cord with me.
I own an iPhone, and an Acer Iconia tablet, both of which are locked down. I've jail-broken, or rooted the devices, but the fact that I can't legitimately install custom roms, etc, frustrates the hell out of me.
One advantage I see (but don't agree with) for the iPhone being locked down is users locked into the app store, but for the Iconia?