[titannet]

Secure Boot makes persisting malware in the kernel fairly difficult. Which IMHO made sense coming from Windows 7 where driver rootkits and boot kits where trivial. With today's main threat model being encryption malware I would agree that it doesn't add all that much for most people.

[AshamedCaptain]

It really doesn't prevent anything like that, not even remotely. First, to do any type of persistence that would be detected by Secure Boot, you already require unencrypted, block-level access to the disk drive, possibly even to partitions outside the system drive. There are a gazillion other ways that malware can persist if you already have this level of access and none would be detected by Secure Boot. If you were able to tamper with the kernel enough to do this in the first place, you can likely do it on each boot even if launched from a "plain old" service.