> As long as you have a security hole in the system, which allows anybody to get superuser rights, it matters very little if you are able to secure the boot process or not. If you do, any malware can still gain root privileges just after bootup and hide itself from all security scans.
IF the hole allows the attacking software to subvert the kernel very close to boot up (say before your anti-virus starts) then a secure boot is not going to help you.
This potential for a 'runtime hole' is the significant flaw in the system.
But it still provides you an advantage over the malware in that you can do things like update your kernel to a newer version and still be able to trust it. So if you find out that you have a security hole in your kernel and manage to patch it then you get a good chance of defeating the malware. Especially if your kernel has some anti-malware features built into it.
> A real remedy to most common security problems would be locking down applications, not the kernel.
Yes, ideally, you will want to only run perfectly secure applications with perfectly secure configurations and be a perfectly competent administrator... but we know that is not going to be possible.
So this means that you still have a problem of detecting compromised systems when they occur. Right now Linux does not have an effective solution. Having a 'secure chain of trust' at boot up is not a total solution in itself, but I think it's a necessary component.