Hacker News
by will4274 1694 days ago
It's what you can do with the TPM. With the TPM to hold keys, you can require that e.g. bootloader changes be signed by the vendor. It's hard for malware to convince an ordinary person to go into BIOS and disable vendor-locked bootloaders. Of course, Microsoft also gets into trouble here, because sometimes the vendors (and Microsoft itself) don't put the option to disable locking in the BIOS.

Bingo. I've seen multiple instances in the last year or so where people were advised to reboot their devices to make sure a newly identified and patched out malware was removed.
But why does malware need to mess with the bootloader when you can launch DDoS attacks from userspace?
It's a lot easier for something like Windows Defender to untangle something confined to user space than something that can prevent the OS from protecting its files by taking over the boot process.