[gizmo686]

It is possible to use Secure Boot as part of a fully verified bootchain. The firmware verified the bootloader. The bootloader verifies the kernel (and kernel arguments, and ramdisk...), the kernel verified all executables. Userspace programs verify critical data files.

There are systems out there that do this, and having something like Secure Boot is essential to their design (as is measured boot, which is the main mechanism TPMs leverage).

However, this solution is utterly unworkable for the personal computer market. Instead, we have a bunch of general purpose kernels signed to run on any computer, but which are willing to run any userspace you through at them.