Using my broken english, I think I meant the same question as
Bequimão and DeepDayze:
A TPM chip enabled secure boot should give me assurance in for example such a case: I am for example a high business manager travelling to Iran. The iranian intelligence service should not be able to implement a rootkit in a moment of my unawareness, when they have hardware access to my notebook.
If I use Linux:
With shim they woold be able to install their own manipulated Linux kernel on my notebook?
If I use Windows:
They would not be able (but of cause the CIA will have their own keys) ?