Comment by kbolino
This is not about Linux vs Windows, and it's perfectly possible (in fact, much more likely) to ship malware via Windows-derived install media. Secure Boot does not protect against post-boot vulnerabilities, but it does protect against persisting those vulnerabilities through bootkits. I do not endorse any position which makes claims about the security benefits of Secure Boot beyond simply protecting the boot process. I also don't think Secure Boot is flawless or not in need of revision. I'm also not talking about protecting power users or otherwise knowledgeable people, but rather the average user.
The default trust list can certainly be expanded beyond just Microsoft, but as the vast majority of PC users are running Windows, obviously Microsoft should be in there. In the real world, install media gets shared around and reused as much as it gets freshly downloaded for every install. And even a fresh download on a pwned PC can be modified in situ or when imaged, so it can't necessarily be trusted anyway. Even if default-trusting Microsoft has allowed exploits like you describe, that is not a regression compared to not using Secure Boot, and most (all?) of those machines had Windows installed already, so they would've been trusting Microsoft anyway.
There's an avenue of argument here about whether Secure Boot as currently architected is really offering enough benefit to even justify its existence, but that seems tangential at best to the question of whose certificates to trust. The ideological and anticompetitive issues about Microsoft are not relevant to the point I'm making.
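Since the disagreement above is about whose certificates sit in the Secure Boot trust list, here is an added example (my code, not part of the comment or of any project it mentions) that answers "what does this machine actually trust?" by parsing the EFI_SIGNATURE_LIST structures that make up the `db` variable. On Linux it reads `db` and `SecureBoot` from efivarfs (skipping the 4-byte attribute prefix efivarfs prepends); when those are not available it parses a constructed blob built in the script. The owner GUID and the "certificate" bytes in that blob are placeholders, not a real certificate or a real vendor GUID; the signature-type GUIDs and variable GUIDs are the ones from the UEFI specification.

```python
import hashlib
import struct
import uuid
from pathlib import Path

# GUIDs defined by the UEFI specification.
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # owns db / dbx
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"          # owns SecureBoot, PK, KEK
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")     # entry is a DER X.509 cert
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")   # entry is a SHA-256 image hash

EFIVARS = Path("/sys/firmware/efi/efivars")
SIGLIST_HEADER = 28  # GUID (16) + SignatureListSize, SignatureHeaderSize, SignatureSize (3 x UINT32)


def fingerprint(der):
    """SHA-256 of a DER certificate: the value usually compared against published vendor cert hashes."""
    return hashlib.sha256(der).hexdigest()


def parse_signature_lists(data):
    """Walk a buffer of concatenated EFI_SIGNATURE_LIST structures and return one dict per entry.

    Layout per list: SignatureType GUID, SignatureListSize, SignatureHeaderSize, SignatureSize,
    SignatureHeader[SignatureHeaderSize], then N x EFI_SIGNATURE_DATA (owner GUID + payload),
    each exactly SignatureSize bytes.  Every size field is validated before it is trusted.
    """
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < SIGLIST_HEADER:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < SIGLIST_HEADER or off + list_size > len(data):
            raise ValueError("SignatureListSize runs past end of data")
        if sig_size < 16:
            raise ValueError("SignatureSize smaller than the owner GUID")
        body_start, body_end = off + SIGLIST_HEADER + hdr_size, off + list_size
        if body_start > body_end or (body_end - body_start) % sig_size:
            raise ValueError("signature array is not a whole number of SignatureSize entries")
        for pos in range(body_start, body_end, sig_size):
            owner = str(uuid.UUID(bytes_le=data[pos:pos + 16]))
            payload = data[pos + 16:pos + sig_size]
            if sig_type == EFI_CERT_X509_GUID:
                entries.append({"kind": "x509", "owner": owner, "der_len": len(payload),
                                "sha256_fingerprint": fingerprint(payload)})
            elif sig_type == EFI_CERT_SHA256_GUID:
                if len(payload) != 32:
                    raise ValueError("EFI_CERT_SHA256 entry is not 32 bytes")
                entries.append({"kind": "sha256", "owner": owner, "hash": payload.hex()})
            else:
                entries.append({"kind": str(sig_type), "owner": owner, "raw_len": len(payload)})
        off += list_size
    return entries


def build_signature_list(sig_type, owner, payloads):
    """Pack one EFI_SIGNATURE_LIST (empty SignatureHeader) from same-sized payloads.  Used only to
    construct the sample blob below, but it also produces valid input for tools that enroll keys."""
    sizes = {len(p) for p in payloads}
    if len(sizes) != 1:
        raise ValueError("all entries in one list must have the same size")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", SIGLIST_HEADER + len(body), 0, sig_size) + body


def read_efivar(name, guid):
    """Return the variable's data from efivarfs, or None if it is not present.  efivarfs prefixes
    the contents with a 4-byte attribute word, which is stripped here."""
    path = EFIVARS / f"{name}-{guid}"
    if not path.exists():
        return None
    return path.read_bytes()[4:]


def secure_boot_enabled():
    """True/False from the SecureBoot variable (single byte, 1 = enforcing); None if not readable."""
    raw = read_efivar("SecureBoot", EFI_GLOBAL_VARIABLE_GUID)
    return None if not raw else raw[0] == 1


# Constructed sample: a placeholder owner GUID and placeholder "certificate" bytes (not real DER),
# plus two SHA-256 hash entries, so the parser can be exercised on a machine without efivarfs.
CONSTRUCTED_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
FAKE_CERT_DER = b"\x30\x82\x00\x10 placeholder bytes, not a real X.509 certificate"
IMAGE_A_HASH = hashlib.sha256(b"constructed-image-a").digest()
IMAGE_B_HASH = hashlib.sha256(b"constructed-image-b").digest()
CONSTRUCTED_DB = (
    build_signature_list(EFI_CERT_X509_GUID, CONSTRUCTED_OWNER, [FAKE_CERT_DER])
    + build_signature_list(EFI_CERT_SHA256_GUID, CONSTRUCTED_OWNER, [IMAGE_A_HASH, IMAGE_B_HASH])
)

if __name__ == "__main__":
    db = read_efivar("db", EFI_IMAGE_SECURITY_DATABASE_GUID)
    print("SecureBoot enforcing:", secure_boot_enabled())
    if db is None:
        print("no efivarfs db found; parsing the constructed sample instead")
        db = CONSTRUCTED_DB
    for e in parse_signature_lists(db):
        print(e)
```

The `owner` field is what tells you who enrolled an entry (on a typical OEM machine most `db` certificates carry a Microsoft owner GUID); the `sha256_fingerprint` of each X.509 entry is what you would compare against a published list of vendor certificate hashes to decide whether a given CA is the one you expect. Run it as root, since efivarfs variables are not world-readable on most distributions.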