Comment by soks86

Usually you want to boot from a cryptographic-ally verified medium where a checksum can be verified before you execute the system.

The emphasis is on running the correct software. If you have to input cryptographic data every time you boot that's okay because you're offline and should be in a secure room (no internet connected devices).

But yeah, malware attack is still possible if you don't have a secure chain and that's a long one.