I always wondered why malware doesn't simply replace the windows loader with a secure boot signed grub (kindly paid by redhat) and then load an arbitrary payload.<p>If microsoft accepts signing a grub bootloader which in turn can load an user built linux image and initrd, then malware could do the same.<p>Furthermore, if the concern is to avoid unauthorized modification of the boot record, why don't create an hardware filter that prevents writes to the boot sector unless a special hardware key (for example on the laptop case) is activated.<p>Or, nstead of preventing the write, this hardware key could sign the boot record using a key which is recognized by the firmware.
Actually vendors could implement this and get the microsoft windows 8 logo + have a competitive advantage because they show they care for the freedom of their users. (The cost is negligible I guess ... with respect the plethora of multimedia keys, wifi/bluetooth disable toggles etc)<p>Sorry if it's a stupid question, but the amount of fud around this topic makes it difficult to quickly find relevant info.