When you boot from a CD, you are running on an OS, not an OS loader.
And no one uses BIOS now.
To make it 'really' secure, you have to start from a 'secure' SoC, which means that when the CPU/SoC is powered up, it will pass the chain of trust only to an authorized loader, which then loads an authorized image and boots into a secured environment.
If anything goes wrong in this process, the chain of trust is lost.
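
An added illustration of the chain of trust described in the comment above (not code from the original poster): each stage pins a SHA-256 measurement of the only stage it may launch and refuses to hand off on a mismatch. Hash pinning stands in here for the signature checks a real secure-boot ROM performs, and all stage names and contents are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Stage:
    name: str
    code: bytes
    next_digest: Optional[str]  # pinned measurement of the only stage it may launch


def measure(stage: Stage) -> str:
    # Cover the pinned digest too, so re-pointing a stage changes its measurement.
    pinned = (stage.next_digest or "").encode()
    return hashlib.sha256(stage.code + b"|" + pinned).hexdigest()


def build_chain(loader_code: bytes, image_code: bytes) -> List[Stage]:
    # Built back to front: each stage pins the measurement of its successor.
    image = Stage("os-image", image_code, None)
    loader = Stage("loader", loader_code, measure(image))
    rom = Stage("soc-rom", b"immutable boot ROM", measure(loader))
    return [rom, loader, image]


def boot(chain: List[Stage]) -> Tuple[List[str], Optional[str]]:
    """Return (stages that ran, name of the rejected stage or None)."""
    current, ran = chain[0], [chain[0].name]  # chain[0] is the hardware root
    for nxt in chain[1:]:
        pinned = current.next_digest or ""
        if not hmac.compare_digest(pinned, measure(nxt)):
            return ran, nxt.name  # chain of trust lost: stop before running it
        ran.append(nxt.name)
        current = nxt
    return ran, None


# Constructed sample input.
rom, loader, image = build_chain(b"loader v1", b"kernel v1")
modified_image = replace(image, code=b"kernel v1 (modified)")
repinned_loader = replace(loader, next_digest=measure(modified_image))

if __name__ == "__main__":
    print(boot([rom, loader, image]))                    # all three stages run
    print(boot([rom, loader, modified_image]))           # loader rejects image
    print(boot([rom, repinned_loader, modified_image]))  # ROM rejects loader
```

The third case shows why the root has to sit in the SoC: a loader re-pinned to accept the modified image is itself rejected by the immutable first stage.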