Reply to post: Secure Boot

Press Backspace 28 times to own unlucky Grub-by Linux boxes

Flocke Kroes Silver badge

Secure Boot

Secure boot throws away any hope of security. Old style BIOS is sufficiently small and stupid that it cannot do much more than read and execute a boot sector. Secure boot is huge. The chances are that the copy you have is based on source code released by Intel, with whatever additions the manufacturer's government insisted on, plus two huge binary blobs from Intel big enough to hide something that can man-in-the-middle an Ethernet port and provide remote exfiltration invisible from inside the computer.

BitLocker keys can be read by an external device via a 1394 or Thunderbolt DMA channel. If all else fails, reset the machine and boot from an external device. The keys can often be found in memory left over from the previous boot.

Securing a computer against physical access by a rich and determined attacker is really difficult. Grub's password feature is only a significant barrier if you have covered all the other bases.
