> If there is malware running on the system when it is hibernated then the malware will be written to the hibernate volume and restored with it so the system is no more or less compromised, it all seems like a no-op.
No, because crafting a special restore-image/swapfile and forcing a reboot you can, for instance, boot a whole another OS altogether, totally bypassing the "secure" boot nonsense.
> Even in the case where there is malware running on a system you should still be able to perform a clean boot with verification up to the point where your trust chain stops. Then the problem is post-boot (re)compromise and you can use many tools to combat that, if you can get them into your trusted base.
No, because at that point the "phantom" OS can just behave like the "original" OS with a rootkit, rendering symptoms of infection invisible to the original OS.
Suppose the machine is running Windows8, ok? The malware prepares an image that will run some OS that will run Windows8 in an emulated, censored environment that can make a lot of bad things, invisibly to W8. Everytime W8 tries to reboot, it goes thru the hoops again and boots instead the other OS.