I always wondered why malware doesn't simply replace the windows loader with a secure boot signed grub (kindly paid by redhat) and then load an arbitrary payload.

If microsoft accepts signing a grub bootloader which in turn can load an user built linux image and initrd, then malware could do the same.

Furthermore, if the concern is to avoid unauthorized modification of the boot record, why don't create an hardware filter that prevents writes to the boot sector unless a special hardware key (for example on the laptop case) is activated.

Or, nstead of preventing the write, this hardware key could sign the boot record using a key which is recognized by the firmware. Actually vendors could implement this and get the microsoft windows 8 logo + have a competitive advantage because they show they care for the freedom of their users. (The cost is negligible I guess ... with respect the plethora of multimedia keys, wifi/bluetooth disable toggles etc)

Sorry if it's a stupid question, but the amount of fud around this topic makes it difficult to quickly find relevant info.

A perfectly legitimate question! This certainly would fix MOST of the malware problems. It is only when the user can't be trusted to decide this by them self i.e they are tricked into install something bad.

Or it might be that the security reason, isn't the only reason for Microsoft to push this?