by jarfil 924 days ago
But UEFI can have pretty graphics and mouse support, so it must be better... /s

Now seriously, TPM and GPT are improvements. Customizable SecureBoot along with disk and RAM encryption, are also nice.

1 comment

I'll agree that you can use TPM and GPT to your advantage, and even SecureBoot can fill an actual need for a small number of PC owners.

But GPT was strongly recommended by Microsoft as more secure, by having no unused sectors on the drive when it is partitioned according to GPT.

The unused sectors of a traditional MBR-partitioned drive had been identified as the preferred location of malicious "rootkits" that were capable of executing before the OS even had a chance to boot, were not actually on the Windows partition and therefore difficult to scan for, and were resistant to reformatting the partition, which did not delete the rootkit. To be really sure you got rid of a BIOS/MBR rootkit completely you would have to zero the entire drive, or at least the sectors containing the rootkit. Full reinstallation of Windows or even zeroing the entire partition itself didn't help at all.

But using GPT there are usually way more unused sectors on the same drive compared to MBR partitioning. Always have been. That's just one of the original lies propagated by Microsoft, endorsing the migration away from a more well-proven traditional BIOS.

And here we have a defect in one of the supposedly true security improvements baked into UEFI, with ridiculous false-sense-of-security implications since day zero, now confirmed, and it's exactly a vector for a rootkit, no different than under good old-fashioned BIOS.

Except zeroing the entire physical drive still wouldn't get rid of a UEFI rootkit, which can now be even more stealthy, enough to reside in the firmware itself. Even at this late date, how many users are scanning their firmware, and what apps would they use for that anyway?

When truthiness is not a way of life, there cannot be actual trust.
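The comment above turns on one concrete, checkable claim: that both MBR and GPT leave sectors no partition owns, and that a bootkit parked there survives a reformat of the partition. The script below is an added example, not code from the thread or from either commenter. It parses a raw disk image (MBR, or GPT with its protective MBR), computes the sector ranges no partition or partition-table structure claims, and flags any such sector that is not zero-filled. It then zeroes exactly those sectors, the remediation the comment describes. The two disk images are constructed in memory (a fake payload string is planted in the pre-partition gap); the GPT parser checks the signature only and does not validate the header or entry CRCs, which a real forensic tool should. One caveat a practitioner will recognise: a non-zero gap is not proof of a rootkit, since legitimate boot loaders (GRUB's core image, for one) embed themselves in the same MBR gap, so flagged sectors need to be identified, not just wiped.

```python
import struct

SECTOR = 512


def parse_mbr(img):
    """Return [(start_lba, sector_count)] for the used primary MBR entries ([] if no 0x55AA signature)."""
    mbr = img[:SECTOR]
    if mbr[510:512] != b"\x55\xaa":
        return []
    parts = []
    for i in range(4):
        e = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        start, count = struct.unpack_from("<II", e, 8)
        if e[4] != 0 and count:          # byte 4 = partition type, 0 = empty slot
            parts.append((start, count))
    return parts


def parse_gpt(img):
    """Return (partitions, metadata_ranges) as (start, count) lists, or None if LBA 1 is not a GPT header.
    metadata_ranges covers the protective MBR, primary header, entry array and the backup GPT area."""
    hdr = img[SECTOR:2 * SECTOR]
    if hdr[:8] != b"EFI PART":
        return None
    backup_lba, first_usable, last_usable = struct.unpack_from("<QQQ", hdr, 32)
    entries_lba, n_entries, entry_size = struct.unpack_from("<QII", hdr, 72)
    array_sectors = -(-n_entries * entry_size // SECTOR)      # ceil division
    parts, off = [], entries_lba * SECTOR
    for i in range(n_entries):
        e = img[off + i * entry_size: off + (i + 1) * entry_size]
        if e[:16] == bytes(16):                                # all-zero type GUID = unused slot
            continue
        first, last = struct.unpack_from("<QQ", e, 32)
        parts.append((first, last - first + 1))
    metadata = [(0, 1), (1, 1), (entries_lba, array_sectors),
                (last_usable + 1, backup_lba - last_usable)]
    return parts, metadata


def unused_ranges(total_sectors, used):
    """Complement of the claimed (start, count) ranges within [0, total_sectors)."""
    gaps, cursor = [], 0
    for start, count in sorted(used):
        if start > cursor:
            gaps.append((cursor, start - cursor))
        cursor = max(cursor, start + count)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - cursor))
    return gaps


def nonzero_sectors(img, ranges):
    """LBAs inside the given ranges whose 512 bytes are not all zero."""
    return [lba for start, count in ranges
            for lba in range(start, start + count)
            if any(img[lba * SECTOR:(lba + 1) * SECTOR])]


def scan_image(img):
    """Identify the partitioning scheme, the unclaimed sector ranges, and the non-zero sectors in them."""
    total = len(img) // SECTOR
    gpt = parse_gpt(img)
    if gpt is not None:
        parts, used = gpt
        scheme, used = "GPT", used + parts
    else:
        scheme, used = "MBR", [(0, 1)] + parse_mbr(img)   # LBA 0 holds the boot code + table
    gaps = unused_ranges(total, used)
    return {"scheme": scheme, "unused": gaps, "suspicious_lbas": nonzero_sectors(img, gaps)}


def zero_sectors(img, lbas):
    """Remediation from the thread: overwrite the flagged sectors themselves (a partition format never touches them)."""
    out = bytearray(img)
    for lba in lbas:
        out[lba * SECTOR:(lba + 1) * SECTOR] = bytes(SECTOR)
    return bytes(out)


def build_mbr_sample(total=20480, payload_lba=5):
    """Constructed 10 MiB MBR image: one partition at LBA 2048, fake payload planted in the gap before it."""
    img = bytearray(total * SECTOR)
    img[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, total - 2048)
    img[510:512] = b"\x55\xaa"
    img[payload_lba * SECTOR:payload_lba * SECTOR + 8] = b"BOOTKIT!"   # constructed marker, not real malware
    return bytes(img)


def build_gpt_sample(total=20480, payload_lba=40):
    """Constructed GPT image: protective MBR, header at LBA 1, 128 entries at LBA 2..33,
    one partition from LBA 2048 to the last usable sector, payload planted at LBA 40."""
    img = bytearray(total * SECTOR)
    img[446:462] = struct.pack("<B3sB3sII", 0, b"\0\0\0", 0xEE, b"\0\0\0", 1, total - 1)
    img[510:512] = b"\x55\xaa"
    last_usable = total - 34                      # 33 trailing sectors reserved for the backup GPT
    hdr = bytearray(92)
    hdr[:8] = b"EFI PART"
    struct.pack_into("<QQQQ", hdr, 24, 1, total - 1, 34, last_usable)   # current, backup, first/last usable
    struct.pack_into("<QII", hdr, 72, 2, 128, 128)                      # entry array LBA, count, size
    img[SECTOR:SECTOR + 92] = hdr
    entry = bytearray(128)
    entry[:16] = b"\x01" * 16                     # any non-zero type GUID marks the slot as used
    struct.pack_into("<QQ", entry, 32, 2048, last_usable)
    img[2 * SECTOR:2 * SECTOR + 128] = entry
    img[payload_lba * SECTOR:payload_lba * SECTOR + 8] = b"BOOTKIT!"
    return bytes(img)


if __name__ == "__main__":
    for name, img in (("mbr", build_mbr_sample()), ("gpt", build_gpt_sample())):
        report = scan_image(img)
        print(name, report)
        print(name, "after zeroing:", scan_image(zero_sectors(img, report["suspicious_lbas"]))["suspicious_lbas"])
```

On the constructed images both schemes report a roughly 2000-sector unclaimed region before the first partition (LBA 1..2047 for MBR, LBA 34..2047 for GPT), which is the point the comment makes about GPT not removing the gap. Replacing the sample builders with `open("/dev/sdX", "rb").read()` on a real disk needs root and a lot of memory; for a real scan, read only the gap ranges rather than the whole device.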