@dangoodin I think this shows a critical difference in boot protection schemes:

Anti-evil-maid makes the system validate itself to the user. If anything loaded up to that point doesn't match what was used to seal the all-clear phrase, then nothing the malware does will be able to cryptographically unseal the phrase. In a sense it doesn't matter if malware was loaded, as long as the user is diligent enough to watch for the phrase. That's a significant payoff for a small amount of extra effort!

Secure Boot validates the fw to an absent authority (the OEM), so there can be no out-of-band check performed. This reminds me a lot of DRM's weaknesses.
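As an added illustration (not part of the post above, and not any real anti-evil-maid implementation), here is a toy Python model of the sealing the scheme depends on: each boot component is measured into a PCR-style register by chained hashing, the all-clear phrase is sealed to the resulting value, and changing any measured component, or the order, yields a different register value that cannot unseal it. The component names, the `tpm_secret`, and the phrase are constructed sample values; the sealing uses HMAC-SHA256 with a 32-byte keystream, so the phrase must be at most 32 bytes.

```python
import hashlib
import hmac
import os

# Constructed sample boot chain (hypothetical component images), measured in order.
GOOD_CHAIN = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]
PCR_INIT = bytes(32)  # register modelled as all zeros at power-on


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new = H(old || H(measurement)); order matters, cannot be rewound."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_chain(chain) -> bytes:
    """Measure every component of the chain into the register, in boot order."""
    pcr = PCR_INIT
    for component in chain:
        pcr = extend(pcr, component)
    return pcr


def seal(phrase: bytes, pcr: bytes, tpm_secret: bytes) -> bytes:
    """Bind the phrase to a register value; the key depends on a secret that never leaves the 'TPM'."""
    key = hmac.new(tpm_secret, pcr, hashlib.sha256).digest()
    nonce = os.urandom(16)
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    ct = bytes(p ^ s for p, s in zip(phrase, stream))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(blob: bytes, pcr: bytes, tpm_secret: bytes):
    """Return the phrase only if the current register value matches the one it was sealed to."""
    key = hmac.new(tpm_secret, pcr, hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong boot state: the phrase stays sealed
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))


def boot_and_unseal(tampered_index=None):
    """Seal against the good chain, then boot a chain with one component modified (if any)."""
    tpm_secret = b"constructed-tpm-secret"  # constructed value, stands in for a TPM-held secret
    blob = seal(b"all clear: tulip", measure_chain(GOOD_CHAIN), tpm_secret)
    chain = list(GOOD_CHAIN)
    if tampered_index is not None:
        chain[tampered_index] = chain[tampered_index] + b"-modified"
    return unseal(blob, measure_chain(chain), tpm_secret)
```

With the unmodified chain the phrase comes back; modifying any single component, however early or late in the chain, leaves `unseal` returning `None`.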