from known good sources....
Bullshit. What it means is that malicious code will run when it has been signed by a pilfered code-signing certificate.
Microsoft has extended the Secured-core concept it applied to PCs in 2019 to servers, and to Windows Server and Azure Stack HCI. Secured-core sees Microsoft work with hardware manufacturers to ensure that their products include TPM 2.0 modules, ship with Secure Boot enabled by default in BIOS, and use the Dynamic Root of Trust …
Again, if you RTFA that's clearly not the case.
This is mandating a set of hardware specs which make a machine less susceptible to certain classes of firmware attacks. The hardware already exists now, and I've used machines which would meet this specification to run Linux (with SecureBoot enabled to prevent unauthorised kernel alterations).
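The post above says it ran Linux on such hardware with Secure Boot enabled; the script below is an added example (not code from any commenter or from Microsoft) for a defender who wants to verify that claim on a Linux host: it reads the UEFI `SecureBoot` variable from efivarfs and checks whether the kernel exposes a TPM 2.0 device. It assumes efivarfs is mounted at `/sys/firmware/efi/efivars`, that the kernel populates `/sys/class/tpm/tpmN/tpm_version_major` (present on recent kernels), and the standard EFI global-variable GUID for `SecureBoot`; the parsing helpers take a path so they can be exercised against constructed files.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a Linux host booted with
# UEFI Secure Boot enabled and whether a TPM 2.0 device is exposed by the kernel.
# Assumptions: efivarfs mounted at /sys/firmware/efi/efivars, and recent kernels
# exposing /sys/class/tpm/tpmN/tpm_version_major.

# An efivar file in efivarfs is 4 bytes of attribute flags followed by the data;
# for SecureBoot the data is a single byte, 1 = enabled, 0 = disabled.
# Prints "enabled", "disabled" or "unknown". Takes a path so it is testable offline.
sb_state_from_file() {
    f="$1"
    [ -r "$f" ] || { echo unknown; return 0; }
    # Skip the 4 attribute bytes and read the 5th byte as an unsigned decimal.
    v=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    case "$v" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;   # short/empty file or unexpected value
    esac
}

# Locate the SecureBoot variable; 8be4df61-93ca-11d2-aa0d-00e098032b8c is the
# EFI global variable GUID. The directory can be overridden for testing.
secure_boot_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    sb_state_from_file "$dir/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
}

# Report TPM 2.0 presence: "yes" if any tpmN device declares major version 2.
# The base directory can be overridden for testing.
tpm2_present() {
    base="${1:-/sys/class/tpm}"
    for d in "$base"/tpm*; do
        [ -d "$d" ] || continue
        if [ -r "$d/tpm_version_major" ] && [ "$(cat "$d/tpm_version_major")" = "2" ]; then
            echo yes
            return 0
        fi
    done
    echo no
}

# Stand-alone run: print both checks for this host.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    echo "Secure Boot: $(secure_boot_state)"
    echo "TPM 2.0:     $(tpm2_present)"
fi
```

A host that reports `enabled` and `yes` meets the two checks the comment mentions; note that an enabled Secure Boot state says nothing about which signing keys are enrolled in `db`, so the earlier point about trusted-but-compromised signing certificates still has to be handled separately (for example by reviewing the enrolled keys and `dbx` revocations).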