Is Secure Boot really Secure?

systemd-boot has to be signed as well. The original signed gummiboot respects the 'secure' boot process and requires that the binaries it is to launch are signed as well: https://www.rodsbooks.com/efi-bootloaders/secureboot.html

So it's not quite that trivial. But there are attacks on a different part of the boot process (called Secure Boot by Windows, but not part of the UEFI Secure Boot) that do override some protections:

  • https://www.ghacks.net/2016/08/10/secure-boot-bypass-revealed/
  • http://securityaffairs.co/wordpress/50182/hacking/backdoor-keys-uefi-secure-boot.html

The very term secure in relation to the x86 architecture is always relative; it has to be viewed like car crash ratings - no car is crash-proof, some just take a bit more force to make it fatal.

This is to some degree inherent to all security, but with other designs there's a steep S-curve from "open wide" to "need an electron microscope and a focused ion beam to crack". The efforts to secure an x86+Windows system are akin to plugging every hole on a sieve to make it seaworthy - with the proviso that every plug must open automatically when some legacy feature depends on the sieve's original function of letting the water through.


I think the theory is that each level only signs an instance of the next level if it implements signature checks correctly.

In other words systemd-boot is supposed to do signature checks, and only load files that pass validation.

Obviously there may be gaps between theory and practice...
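To make the chain-of-trust point above concrete, here is an added example (my own Go model, not code from any poster, from systemd-boot or from the UEFI reference implementation). It stands in ed25519 for the Authenticode/X.509 signatures UEFI actually uses, and the stage names, payloads, keys and the db/dbx contents are all constructed. Each stage is supposed to verify the next against the trust store before launching it; the "loader-skips-check" scenario is the theory/practice gap: a correctly signed loader that does not verify what it launches lets an image signed with a key nobody enrolled run anyway.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Stage models one signed boot component (e.g. systemd-boot, then the kernel).
type Stage struct {
	Name     string
	Image    []byte // constructed payload standing in for the PE binary
	Sig      []byte // ed25519 signature over Image (stand-in for the Authenticode signature)
	Verifies bool   // does this stage check the next stage before launching it?
}

// NewStage signs a constructed image with the given (hypothetical) key.
func NewStage(name, payload string, signer ed25519.PrivateKey, verifies bool) Stage {
	img := []byte(payload)
	return Stage{Name: name, Image: img, Sig: ed25519.Sign(signer, img), Verifies: verifies}
}

// TrustStore models the UEFI db (allowed signers) and dbx (revoked image hashes).
type TrustStore struct {
	db  []ed25519.PublicKey
	dbx map[[32]byte]bool
}

// Allowed is the check every stage is supposed to run before launching the next one:
// reject revoked images first, then require a signature from an enrolled key.
func (ts *TrustStore) Allowed(img, sig []byte) error {
	if ts.dbx[sha256.Sum256(img)] {
		return errors.New("image hash is revoked (dbx)")
	}
	for _, k := range ts.db {
		if ed25519.Verify(k, img, sig) {
			return nil
		}
	}
	return errors.New("no db key verifies the signature")
}

// Outcome records what a boot attempt did.
type Outcome struct {
	Launched  []string // stages that ran
	Unchecked []string // stages that ran without anyone verifying them
	Err       error    // first failed check, if any
}

// BootChain walks the chain. The firmware always verifies the first binary (UEFI Secure
// Boot proper); after that, stage i+1 is verified only if stage i implements the check.
func BootChain(ts *TrustStore, chain []Stage) Outcome {
	var out Outcome
	for i, st := range chain {
		if i == 0 || chain[i-1].Verifies {
			if err := ts.Allowed(st.Image, st.Sig); err != nil {
				out.Err = fmt.Errorf("%s: %w", st.Name, err)
				return out
			}
		} else {
			out.Unchecked = append(out.Unchecked, st.Name)
		}
		out.Launched = append(out.Launched, st.Name)
	}
	return out
}

// Scenarios builds four constructed boot chains against one trust store.
func Scenarios() map[string]Outcome {
	oemPub, oemPriv, _ := ed25519.GenerateKey(rand.Reader) // key enrolled in db
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)    // attacker key, not in db
	ts := &TrustStore{db: []ed25519.PublicKey{oemPub}, dbx: map[[32]byte]bool{}}

	goodLoader := NewStage("systemd-boot", "loader v1", oemPriv, true)
	lazyLoader := NewStage("systemd-boot", "loader v1", oemPriv, false) // signed, but skips checks
	goodKernel := NewStage("vmlinuz", "kernel", oemPriv, true)
	evilKernel := NewStage("vmlinuz", "kernel", roguePriv, true)

	out := map[string]Outcome{
		"signed-chain":       BootChain(ts, []Stage{goodLoader, goodKernel}),
		"loader-skips-check": BootChain(ts, []Stage{lazyLoader, evilKernel}),
		"rogue-kernel":       BootChain(ts, []Stage{goodLoader, evilKernel}),
	}
	// Revoking the loader's hash in dbx stops the chain at the firmware, signature or not.
	ts.dbx[sha256.Sum256(goodLoader.Image)] = true
	out["revoked-loader"] = BootChain(ts, []Stage{goodLoader, goodKernel})
	return out
}

func main() {
	for name, o := range Scenarios() {
		fmt.Printf("%-20s launched=%v unchecked=%v err=%v\n", name, o.Launched, o.Unchecked, o.Err)
	}
}
```

The point to take from the scenarios: the firmware's own check only protects the first hop, so a loader that is validly signed but does not verify what it launches ("loader-skips-check") is worth exactly as much as no Secure Boot at all for everything after it, which is why a signing authority is expected to sign only loaders that do implement the check, and why dbx revocation is the only remedy once a non-verifying loader has been signed.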

Tags: Boot, Uefi