My BIOS knowledge is pretty basic, but every time I read documents about UEFI I don't understand why the SEC phase is the root of trust in UEFI BIOS procedures.
The SEC phase performs validation of PEI, but I don't understand by whom or in which way the SEC phase is authenticated and validated. Can someone give me an explanation?
When the CPU starts, it executes only a few very specific instructions at a very specific address. Nothing is initialized yet: not the south/north bridge, not memory itself (DRAM), so there are simply not enough resources to start any code but SEC. And SEC initializes it all. Only then do you have enough resources to execute code.
Another thing: in order to update the UEFI firmware (BIOS) from the OS or UEFI shell, the capsule has to be signed. So no tampering in this phase either.
You can rip out the chip and reprogram it with your tampered firmware, but that is another story, and writing your own BIOS is not a trivial task.
So, all that said, that's why the SEC phase is the ROT.