Another problem with UEFI Secure Boot is that boot images can apparently only be signed by one key, which is why we see crazy things like Canonical going to Microsoft to get their Ubuntu images signed. (It's a nice, subtle, anti-competitive trick, IMHO.)