Er. if you have access to the hardware you can just disable secureboot. If you don't— you'd have to first exploit the kernel to replace the bootloader/kernel, and if you can do that you don't have too much need to replace the bootloader/kernel. (Just put your rootkit in systemd so that it reexploits the system at every bootup).
(Though the the other person saying the keys cost $99— not so, you can manually install your own keys for free. The $99 is what it costs to get a key that will work on other people's hardware... though perhaps it's misleading to call it $99, it'll have to be $99 plus some kind of certification since I'm pretty sure malware authors can spare $99. I have no idea how they'll tell linux devs apart from malware authors other than by only licensing billion dollar Linux distributors)