This is avery controversal topic. I'll try to stick to the facts to avoid a flame war.

Secure boot basically stores a public key in the BIOS and only boots things signed by this key. Anyone who has the private key can boot anything they'd like.

Each new kernel will need to be signed by some key that your BIOS trusts. If you are compiling your own kernel, you will need to sign each one. If you are installing a signed RedHat kernel, you need to have RedHat's public key in your BIOS and RedHat needs to sign each release.

The main threat it is trying to defend against is people who have physical access to your machine.

The critics of secure boot will point out that a vulnerability in the BIOS (which are very common) undermines all security provided by secure boot.

If you are interested in diving deeper, I'd recommend reading about what Qubes says about secure boot and why they chose an alternative to secure boot.