PureOS and Secure Boot

It depends on whether “secure boot” intends to mean a (the) specific implementation or a general concept.

I think the answers for 1. and 2. are “no” and “not applicable”. Instead you disable “secure boot” in the “BIOS” and away you go (this is the approach on non-Librem devices).

The way PureOS (on Librem devices) handles the general concept of “secure boot” is completely different.

For those Linux distros that do work with “secure boot”, they handle it in a manner that is closer to Windows but still not the same.

The specific implementation of “secure boot” is usually taken to mean: a succession of software images are run where each software image except the first is digitally signed and the signer of one software image is recognized by the previous software image in the sequence and the validity of the software image can be affirmed before transferring control to it.

So for Windows: “BIOS” runs at power on. BIOS loads an image that is purportedly signed by Microsoft and BIOS can recognize that signature and verify that the image has not been tampered with. The rest is Windows.

For Linux distros that support this (like Ubuntu): “BIOS” runs at power on. BIOS loads a shim image that is purportedly signed by Microsoft, and verified as above. The shim image then loads and verifies some part of Linux (usually GRUB). GRUB loads the Linux kernel.

Any self-respecting Linux user would at least have pause for thought over the idea that the entire thing depends on the goodwill of Microsoft.

Which isn’t really what anyone who only wants to run Linux wants!!!

I think the answer for Linux distros that support “secure boot” is that this is on the GRUB menu. So: BIOS to shim to GRUB to BIOS.

I don’t speak for Purism but I think Purism’s approach and philosophy is that anything that is dependent on something being centrally signed, even signed by Purism itself, is flawed.

Purism’s approach to ensuring a secure boot process (tamper detection) uses an external hardware device called the Librem Key, which also provides secure protected storage for encryption keys.
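A toy model of the signed chain the post describes (firmware recognises a Microsoft key, shim carries the distribution's key, and each stage verifies the next image before transferring control), added here as an example; it is not code from the post, from PureOS or from Purism. The RSA keys are deliberately tiny, and the key names and image bytes are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

# Toy RSA on tiny constructed primes (trivially factorable; real keys are 2048-bit+).
def toy_keypair(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))   # (public, private)
def digest(image, n):
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n
def sign(image, priv):
    return pow(digest(image, priv[0]), priv[1], priv[0])
def verify(image, sig, pub):
    return pow(sig, pub[1], pub[0]) == digest(image, pub[0])

# Constructed stand-ins: MS_* for the Microsoft UEFI CA the firmware ships
# with, DISTRO_* for the distribution's own key that shim carries.
MS_PUB, MS_PRIV = toy_keypair(1000003, 1000033)
DISTRO_PUB, DISTRO_PRIV = toy_keypair(999983, 1000037)

@dataclass
class Stage:
    name: str
    code: bytes
    signature: int   # signature over `code`; unused for the first stage
    trusts: tuple    # public keys this stage accepts for the NEXT stage

def verify_chain(stages):
    """Return the names of the stages that get to run: a stage runs only if
    the previous stage recognises the signature on it."""
    ran = [stages[0].name]                  # firmware runs unconditionally
    for prev, cur in zip(stages, stages[1:]):
        if not any(verify(cur.code, cur.signature, k) for k in prev.trusts):
            break                           # refuse to transfer control
        ran.append(cur.name)
    return ran

def build_chain(firmware_trusts=(MS_PUB,)):
    shim, grub, kernel = b"shim.efi", b"grubx64.efi", b"vmlinuz"  # constructed
    return [Stage("firmware", b"UEFI", 0, firmware_trusts),
            Stage("shim", shim, sign(shim, MS_PRIV), (DISTRO_PUB,)),
            Stage("grub", grub, sign(grub, DISTRO_PRIV), (DISTRO_PUB,)),
            Stage("kernel", kernel, sign(kernel, DISTRO_PRIV), ())]

def boot_with_modified_grub():
    chain = build_chain()
    chain[2].code = b"grubx64.efi changed after signing"  # shim now rejects it
    return verify_chain(chain)

def boot_without_microsoft_key():
    return verify_chain(build_chain(firmware_trusts=()))  # shim is orphaned
```

Dropping the Microsoft key from the firmware's trust list stops the chain at the firmware even though every later image is intact, which is the dependency the post objects to.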