How much of the system is secure boot going to cover?
Background: We're developing for a Debian 9.8 system on an x86, but most of us here are more used to dealing with embedded devices.
according to wikipedia, secure boot can "secure the boot process by preventing the loading of drivers or OS loaders that are not signed with an acceptable digital signature". I take this to mean that kernel-level code is protected, but that user-level code is not.
I am having some terminology confusion with my boss, who is under the impression that Secure Boot can protect the entire system. I believe that Secure Boot can secure the entire system only when the computer-in-question is an embedded device (you will never receive software updates, therefore you can group all the executable stuff together and sign that). If the device is your typical PC, secure boot cannot practically keep it secure (your PC is getting software updates all the time, meaning that an executable block would be changing all the time, meaning that you'd have to recalculate/re-sign the entire block with each update).
Am I right, or is he? Is there an easy way to extend the protections of Secure Boot to our custom user-level software? Is there something similar to secure boot that I should be looking at to secure user-level software?
