Well, disagree about SecureBoot, there’s nothing secure about MS signing your binaries. It’s just proof they are signed by MS. Setting TPM under Linux is, eh, something I’ve never done.

that’s the difficult part of SecureBoot: you need to set up MOK and somehow sign the bootloader, kernel, modules with it.
but against small scale intrusions even the MS signed things could work