As a first approach, I will briefly describe what happens in a computer from the power on to the working state.
First, the POST1.2is issued. Then the machine try to boot on a bootable medium1.3. Then, one or more boot loaders1.4 are loaded, the kernel is loaded and booted. The kernel boot initializes the different devices of the computer, creates task 0 and forks and execs init.
Until this moment, if you secured the two ore three physical vulnerabilities of your box, no interaction can compromise the correct boot1.5.
Then the problems begin with foreign interactions1.6. init has some network interfaces and routes mounted, some daemons executed, etc. The first question that must be asked are ``who init is able to execute'' 1.7. Then comes ``which rights the new processes have'', ``which binaries they can execute'', ``which operations they can perform'', ``which files they can read'', etc.