Malware author takes a bootloader, pays the $99 to get it signed, uses the now signed bootloader to load malware and infect computer with rootkit.

Any system is only as secure as it's weakest link, and in the case of "Secure" Boot, the weakest link is right at the top.

Oh baloney. Verisign is entirely in Microsoft's pocket. It's a proxy, kind of like how Microsoft uses patent troll proxies to attack free software with software patents. In practice, Microsoft is the signing authority, they just have Verisign act as a front.

Oh and one more thing: Microsoft doesn't allow signing of any binaries that are licensed under GPLv3 "or similar" licenses. If that isn't an open act of hostility towards free software I don't know what is.

Yes _reported_ severe vulnerabilities! Most issues remain unreported for commercial/proprietary software and thus there is a high black number of 0day-exploits. Overall, we shouldn't wonder why most servers run on GNU/Linux. The reason is that it is overall the safest operating system.

Bootloader's signature is revoked, malware stops working.

The key from Verisign is used for identity validation, it's not the signing key you need to produce a working binary.

I'd say it's more an open act of hostility towards licenses that might oblige them to provide the private key they signed it with, to be honest.

They could just use redhats key. Is MS really going to revoke that one? Then you get caught in a catch 22. Your OS's key is revoked so you need to boot up to it and download a new update which provides a new key to boot with but the old key is revoked so you can't boot....

The same catch22 is the exact reason why no bluray keys have ever been revoked. Even though there have now been dozens of keys that have been hacked. The same thing is -going- to happen with Secureboot. Keys will be found and used with malicious intent. Its gonna happen.

How would they get hold of Red Hat's key?

There is already a large group of hackers already working on it. Secureboot will be compromised. Sooner or later somebody will take the body of knowledge that is being developed right now underground and roll it all up into a nice little executable that strips the key off of whatever you're currently booted up to. Once those keys are known and published they will be used with malicious intent.

You see Secureboot provided a nice big target for hackers to gain notoriety with. (A nice big target that wouldnt have otherwise existed... Thanks MS) Somebody is going to hit the bullseye. What was once a small community of special purpose hackers has grown dramatically. Because Secureboot provided the incentive for it to grow.

We are on the verge of seeing the largest influx of malware than ever seen before all thanks to Secureboot. And the root of that malware will be untouchable as it will exist outside the OS.

That's not how asymmetric cryptography works. The signing key never leaves Red Hat.

Just wait and see. If something can be encrypted then it can be decrypted as well.