> The problem with secure boot is that the implementation is entirely self serving to the vendors. It is not really intended to make the computer more reliable, it is intended to throw obstructions in the way of competition. In particular, Linux and Google/Android.
Well, it does actually kinda solve a problem... having an insecure boot.
Things like NT Kernel and LKM rootkits are a real problem. Bootloader malware is a real problem also.
Having an insecure boot means that it is trivial for any attack to gain the sort of control over a system that would render any sort of anti-virus, rootkit detector script, kernel-level defense, or any other sort of host-based intrusion detection software completely and utterly useless, no matter the level of sophistication of the anti-malware software you may be running on your desktop or on your enterprise systems.
Unfortunately it is just one part of a 'total solution'. By itself it is vulnerable to different approaches, so it's not really making things that much better. It is, however, a necessary part of securing a system during boot up. Without it you couldn't do it. It's just a part of a larger system.
I don't know what all else is needed. Probably a TPM-type chip on your system + signed kernel modules and such things.
Once we get those pieces sorted out then it opens up the possibility for host-based intrusion systems to not be almost totally worthless.
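The post lists the pieces it thinks have to be in place together: firmware-enforced Secure Boot, a TPM-type chip, and signed kernel modules. Below is an added example (not from the thread or any of its participants) of a read-only posture check a defender could run on a Linux host to see which of two of those pieces are actually switched on. It assumes a UEFI system with efivarfs mounted at `/sys/firmware/efi/efivars` and a kernel that exposes its `module.sig_enforce` setting at `/sys/module/module/parameters/sig_enforce`; the sample byte strings in the code are constructed to match the efivarfs file layout (a 4-byte little-endian attribute word followed by the variable data), so the parsing functions can be exercised offline.

```python
"""Posture check for the boot-integrity pieces discussed in the post.

Assumptions (not stated in the post): Linux, efivarfs mounted at EFIVARS,
and the kernel module signature enforcement knob exposed at SIG_ENFORCE.
Nothing here changes system state; it only reads and reports.
"""
import glob
import struct
from typing import List, Tuple

EFIVARS = "/sys/firmware/efi/efivars"
SIG_ENFORCE = "/sys/module/module/parameters/sig_enforce"

# efivarfs exposes every UEFI variable as a 4-byte little-endian attribute
# word followed by the variable's raw data. SecureBoot and SetupMode are
# single-byte booleans defined by the UEFI specification.
EFI_ATTR_LEN = 4


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """Split the contents of an efivarfs file into (attributes, data)."""
    if len(raw) < EFI_ATTR_LEN:
        raise ValueError("efivar shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:EFI_ATTR_LEN])
    return attrs, raw[EFI_ATTR_LEN:]


def boot_flag(raw: bytes) -> bool:
    """Interpret a 1-byte UEFI boolean variable such as SecureBoot or SetupMode."""
    _, data = parse_efivar(raw)
    if len(data) != 1:
        raise ValueError("expected a 1-byte flag, got %d bytes" % len(data))
    return data[0] == 1


def sig_enforce_enabled(text: str) -> bool:
    """The sysfs file reports module.sig_enforce as 'Y' or 'N'."""
    return text.strip().upper() == "Y"


def assess(secure_boot: bool, setup_mode: bool, sig_enforce: bool) -> List[str]:
    """Return a list of gaps; an empty list means all three checks passed."""
    gaps = []
    if not secure_boot:
        gaps.append("Secure Boot is off: the firmware will run unsigned boot components")
    if setup_mode:
        # In Setup Mode no Platform Key is enrolled, so the Secure Boot key
        # databases can be rewritten without an authenticated update.
        gaps.append("Firmware is in Setup Mode: Secure Boot key databases are not protected")
    if not sig_enforce:
        gaps.append("module.sig_enforce is off: unsigned kernel modules can be loaded")
    return gaps


def _read_flag(var_name: str) -> bool:
    """Locate <Name>-<GUID> under efivarfs and decode it; missing means False."""
    matches = glob.glob("%s/%s-*" % (EFIVARS, var_name))
    if not matches:
        return False
    with open(matches[0], "rb") as fh:
        return boot_flag(fh.read())


def check_host() -> List[str]:
    """Run the assessment against the live system (needs the paths above)."""
    try:
        with open(SIG_ENFORCE) as fh:
            enforce = sig_enforce_enabled(fh.read())
    except OSError:
        enforce = False
    return assess(_read_flag("SecureBoot"), _read_flag("SetupMode"), enforce)


if __name__ == "__main__":
    # Constructed sample: attributes 0x6 (BS|RS) followed by a 1-byte flag.
    sample_on = struct.pack("<I", 6) + b"\x01"
    print("constructed SecureBoot sample decodes to", boot_flag(sample_on))
    for gap in check_host() or ["no gaps found in the checked settings"]:
        print("-", gap)
```

The TPM piece the post mentions is deliberately not covered here: whether a TPM is present and what it has measured is a separate question from whether the firmware and kernel are enforcing signatures, which is what this check answers.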