First some definitions and common understanding.
The premise of secure boot is that each binary get's verified before it is loaded. This starts with the firmware in ROM verifying the EFI application.
For the case of a Linux boot that EFI application is shim which is signed with a Microsoft key embedded in most x86/64 hardware. The rom verifies and runs shim.
Shim verifies and runs grub (the most commonly used bootloader for Linux in x86).
Grub then verifies and runs the kernel, which verifies and mounts the rootfs and handles control to user-space apps.
The problem is grub usually has a config file grub.cfg which is accessible from user-space. By allowing user-space to modify this file the chain of trust gets broken and a malicious user-space app can now enable installation of a compromised kernel.
It is true that the userspace loaded will initially be coming from a verified kernel, but userspace has a much larger attack surface then just the boot process. So a compromised userspace allows for installation of a compromised kernel and an even more compromised userspace.
How is grub.cfg usually protected?
