"MS have also specified in their documentation that safe boot must be able to be switched off"
That goes against what I've read in the past, that the ability to be switched off was NOT a requirement of the specification. Now to get the specification you have to give them your name, company name, and email address, and then agree to this;
"I understand that I may download and read the UEFI 2.0, 2.1, 2.2, 2.3, 2.3.1 specifications, and Shell Specification 2.0 without the requirement of a license, and doing so creates no obligations or commitments on my part. I further understand and acknowledge that any distribution, additional reproduction, implementation or other use of the specification requires a license, which can be obtained by executing the UEFI Adopters' Agreement.
I understand that I may download and examine the UEFI 2.3 and 2.1 SCT materials without the requirement of a license, and doing so creates no obligations or commitments on my part. I further understand and acknowledge that any distribution, additional reproduction, running the test binaries or other use of the materials is not permitted except pursuant to my agreement to the terms and conditions of the license that can be obtained upon execution of the UEFI Adopters' Agreement."
I especially like (not) that the license, along with it's terms and conditions, is obtained by executing the "Adopters Agreement" (the text to which appears to be not freely available). Agreements that you must accept in order to obtain access to a license that you then must also agree to; no warm fuzzy feeling there, looks like an NDA but you won't find out for certain until it's too late. I smell a trap.