On the most basic level, UEFI Secure Boot prevents running unsigned boot loaders. The effect of running the boot loader obviously depends on that boot loader. The following refers to the Fedora implementation of Secure Boot. The Microsoft implementation is different, see Section 1.2, “Microsoft Requirements for Secure Boot”.

Fedora has extended the chain of trust from the UEFI environment into the kernel. Verification happens before loading kernel modules, but it does not extend to user space applications. We can be certain that no unsigned executable code is present until the initial ramdisk (initrd) is loaded. Since initrd contents are not cryptographically signed and contain executable code, booting a signed Fedora boot loader can eventually lead to arbitrary effects.

The Fedora Secure Boot implementation simplifies verification of the boot path in digital forensics. Legacy BIOS booting executes potentially malicious code loaded from the disk in a very early stage, which makes it difficult to rule out that the operating system has been tampered with at a very low level. (Parts of this benefit comes from the more declarative nature of the UEFI boot configuration on disk.)