> It does prevent potential abuse of the signed shim that's not very difficult to get signed by. E.g. nobody can install the signed shim to rootkit a Windows installation.
How would that work if combined with FDE + TPM?
For the average user, FDE is unlikely to be enabled by default. But yes, Secure Boot's measurements with BitLocker would prevent this as well.
Though seeing a recovery screen will not inform you that your bootloader has been tampered with, and by entering a recovery key you're basically authorizing the malware to run.
Without FDE, modification of the file system to create autoruns and system services is so easy that you wouldn't need to go through the effort of using a bootloader. Just pop out the storage device or boot a Windows install disk and run some software.
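To make the measured-boot argument in the reply above concrete, here is an added simulation (not code from the thread or from any real TPM/BitLocker implementation) of how a disk key sealed to PCR measurements behaves when a bootloader in the chain is swapped. `SimTPM`, `pcr_extend`, `measure_boot_chain` and the component names are all assumptions for illustration; the recovery key is modelled as simply handing over the volume key, which is a deliberate simplification of BitLocker's protector scheme.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
PCR_INIT = bytes(32)  # PCRs start at all zeros after reset


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: PCR' = H(PCR || H(component)). Order matters and
    there is no way to 'un-extend', which is what makes the value a
    commitment to the whole boot chain."""
    return HASH(pcr + HASH(component).digest()).digest()


def measure_boot_chain(components) -> bytes:
    pcr = PCR_INIT
    for c in components:
        pcr = pcr_extend(pcr, c)
    return pcr


class SimTPM:
    """Toy TPM: a seed that never leaves the chip, and seal/unseal bound to a
    PCR value. The unseal key is derived from the *current* PCR value, so a
    tampered chain cannot recover the secret even if the policy check were
    bypassed."""

    def __init__(self):
        self._seed = secrets.token_bytes(32)

    def _key(self, pcr_value: bytes) -> bytes:
        return hmac.new(self._seed, pcr_value, HASH).digest()

    def seal(self, secret: bytes, pcr_value: bytes) -> bytes:
        assert len(secret) <= 32, "toy keystream is one hash block"
        key = self._key(pcr_value)
        stream = HASH(key + b"stream").digest()
        ct = bytes(a ^ b for a, b in zip(secret, stream))
        tag = hmac.new(key, ct, HASH).digest()
        return ct + tag

    def unseal(self, blob: bytes, pcr_value: bytes):
        ct, tag = blob[:-32], blob[-32:]
        key = self._key(pcr_value)
        if not hmac.compare_digest(tag, hmac.new(key, ct, HASH).digest()):
            return None  # policy mismatch: BitLocker would show the recovery screen
        stream = HASH(key + b"stream").digest()
        return bytes(a ^ b for a, b in zip(ct, stream))


# Constructed boot chains (hypothetical component names).
GOOD_CHAIN = [b"uefi-firmware", b"signed-shim", b"bootmgfw.efi", b"winload.efi"]
TAMPERED_CHAIN = [b"uefi-firmware", b"signed-shim", b"evil-bootloader", b"winload.efi"]


def boot(tpm: SimTPM, sealed_vmk: bytes, chain, recovery_key=None):
    """Returns (outcome, volume_key). The recovery key is modelled as the
    volume key itself: typing it unlocks the disk regardless of what booted."""
    vmk = tpm.unseal(sealed_vmk, measure_boot_chain(chain))
    if vmk is not None:
        return "unlocked-by-tpm", vmk
    if recovery_key is not None:
        return "unlocked-by-recovery-key", recovery_key
    return "recovery-screen", None


def run_scenarios() -> dict:
    tpm = SimTPM()
    vmk = secrets.token_bytes(32)
    sealed = tpm.seal(vmk, measure_boot_chain(GOOD_CHAIN))  # provisioning-time seal

    good_state, good_key = boot(tpm, sealed, GOOD_CHAIN)
    bad_state, bad_key = boot(tpm, sealed, TAMPERED_CHAIN)
    rec_state, rec_key = boot(tpm, sealed, TAMPERED_CHAIN, recovery_key=vmk)
    return {
        "good": good_state,
        "good_key_ok": good_key == vmk,
        "tampered": bad_state,
        "tampered_key": bad_key,
        "tampered_with_recovery": rec_state,
        "recovery_key_ok": rec_key == vmk,
    }


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k}: {v}")
```

The "tampered_with_recovery" case is the point of the reply: the TPM correctly refuses, but the user sees only a recovery prompt, and once the key is typed the modified bootloader runs with the disk unlocked.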