Yeah, but the malware can just wait for a system upgrade where you sign a new boot image and slip itself in then.
It works for Windows because theoretically only Microsoft would have the signing key and it’s not just sitting on disk somewhere. But then you’re just trusting Microsoft, and also subject to vendor lock-in.
Actually, I would love for you to explain to me how Secure Boot alone would protect someone from any of that. If you want to protect files, you need full disk encryption, not Secure Boot.
Or are you seriously expecting a government-level threat actor to bother to:
That’s the great thing about fascist governments, is they have no need to be that sneaky. They can just change the laws to make whatever you’re doing illegal and jail you until you agree to give up your documents, or simply hit you with a $5 wrench until you tell them the password.
For a home desktop that’s never left unattended with anyone untrustworthy, I don’t see that Secure Boot is worth the effort in setting up.
Given that you have to re-sign the boot image every time you upgrade, any malware already running with root privileges on the machine could easily slip itself into the new signed image.
The best security is not running untrusted software to begin with.
Normalize not naming new languages with a single letter.