In layman's terms, secure boot protects a device from running an unsigned binary image, i.e. the image is verified at load time. Secure boot is a process in which the initial boot phase executes from immutable memory, such as internal ROM, and in which each image binary is authenticated before it is authorized to run. Immutable here means that the memory is static and cannot be overridden. So if a chip manufacturer implements secure boot from flash, it is not true secure boot, because flash is not immutable.
Secure boot verifies that each firmware image is authenticated and that its integrity is checked before it is allowed to run on the system. Each authenticated image binary/module can authenticate additional firmware binaries/modules before executing them, thus forming a "chain of trust". If any module fails its security check, it is not allowed to run and the system halts.
The first link in the "chain of trust" is the "root of trust". A chain is only as strong as its weakest link: if the origin of the chain, i.e. the "root of trust", is weak, it weakens the security of the entire chain of trust. That is why the emphasis is on making the "root of trust" immutable. For the strongest "root of trust", it is recommended that its boot code firmware originates from ROM and that it uses a signing key that also originates from ROM.
In summary, secure boot is designed to prevent an untrusted application from running on the device. When secure boot is enabled, the bootloader enforces cryptographic signature verification of the application image to make sure that the image was signed by a trusted party before authorizing it to execute. The public key of the device is used to verify the signature of the application binary. This public key is programmed into the device during device manufacturing.
To enable secure boot on a given device, an asymmetric key pair is generally generated. The private key, which is used to sign the image binaries, is secured in a safe place such as an HSM (Hardware Security Module), and the public key is provisioned to the device in OTP (One Time Programmable) memory. Usually the signing key is provisioned into the device during manufacturing.
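
The sign-then-verify chain described above, as an added example that is not code from the original article or from any vendor's boot ROM. It assumes a two-stage chain and uses textbook RSA over SHA-256 with a deliberately weak toy key so that it runs with the Python standard library alone; the names `secure_boot`, `CHAIN` and `TAMPERED` are hypothetical, and a real device would use padded RSA or ECDSA from a vetted library or a hardware crypto engine.

```python
import hashlib

# Toy RSA key built from two known Mersenne primes: trivially factorable, demo only.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public key: stands in for the value burned into OTP
D = pow(E, -1, (P - 1) * (Q - 1))      # private key: stands in for the key kept in the HSM


def digest(image: bytes) -> int:
    """SHA-256 of the image as an integer (always smaller than N)."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big")


def sign(image: bytes) -> int:
    """Signing side (build server + HSM): textbook RSA, no padding."""
    return pow(digest(image), D, N)


def verify(image: bytes, signature: int) -> bool:
    """Device side: needs only the public key (N, E)."""
    return pow(signature, E, N) == digest(image)


def secure_boot(stages):
    """Walk the chain in boot order and return (stages_run, halted).

    stages: list of (name, image_bytes, signature). The ROM code checks the
    first entry; each verified stage checks the one after it.
    """
    ran = []
    for name, image, signature in stages:
        if not verify(image, signature):
            return ran, True           # failed check: never executed, system halts
        ran.append(name)               # authenticated: allowed to run
    return ran, False


# Constructed sample images, signed once at "manufacturing" time.
BOOTLOADER = b"constructed second-stage bootloader image"
APPLICATION = b"constructed application image"
CHAIN = [("bootloader", BOOTLOADER, sign(BOOTLOADER)),
         ("application", APPLICATION, sign(APPLICATION))]

# Same chain, but the application image was modified after it was signed.
TAMPERED = [CHAIN[0], ("application", APPLICATION + b"\x90", CHAIN[1][2])]

if __name__ == "__main__":
    print(secure_boot(CHAIN))
    print(secure_boot(TAMPERED))
```

Note that the device side never touches `D`: only the public half has to be provisioned, which is why the private key can stay inside the HSM.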