"Technically the keys don't have to come from Microsoft: you are supposed to be able to install your own keys if you want to (at least on x86).
However, thanks to OEM deals the only keys that come pre-installed when the hardware is shipped are Microsoft's keys. If you want to run Linux "out of the box" without the user meddling with the BIOS settings (sorry, UEFI settings) then the only solution is to use a Microsoft (sub-)key."
Quoted for truth.
So what's to stop the various Linux "manufacturers" (for want of a better word) negotiating with the OEMs to include their keys in the UEFI firmware out of the box? I.e., why does Red Hat not engage with the OEMs and provide its key so that Red Hat variants are supported out-of-the-box on certain equipment? Seems a nice way to differentiate your product from the sea of alternatives for your customers.
To me, it looks like this:
* UEFI Secure Boot is an industry option, not a MS technology
* Microsoft want to increase security by leveraging it to prevent rootkits (which all non-MS-fanbois cry about Windows being susceptible to)
* Microsoft spend time and money engaging with the OEM partners to get their keys loaded in by the OEM, and to have Secure Boot enabled by default. This probably takes years and a lot of experimentation
* Linux people cry about this, and expect Microsoft to come up with a solution for them, for free
Am I missing something?