Signing ELF binaries

I'm not sure that really works out in practice because there are all sorts of ways to get an OS up and running in an "insecure" manner, running in a VM or other contrived environment for example. This isn't about protecting against compromise in any arbitrary case, it's about a very specific case of booting the primary OS on bare metal. You could certainly "secure boot" a small core system, windows or linux or whatever, and use that to make a contrived environment for booting your arbitrarily compromised OS (linux or windows or whatever) and I think this case is out side the scope and threat model that Secure Boot is intended to address.

You can't win them all 8-)