Re: @h4rm0ny - When do we see a Windows phone with Android?
>>"Yes, very useful technology because it makes sure no other OS can't be booted unless Microsoft allows it."
That's provably false. You can turn Secure Boot off as you well know. And doing so is as easy as switching a boot device in the old BIOS. It's even, as shown, a requirement that a user be able to turn off Secure Boot. These are not debatable facts. Your statement is wrong.
>>"Can you please explain why there's only one Platform Key stored and even though end-user can add keys, only one (coincidentally Microsoft's) can be used as a master?"
Yes, I can explain. There can only be one platform key and this can't be modified because that's how the technology works - the OEM creates a single key for their device. One might as well ask why you only have a single PGP key for a given email address. Yes, you could design it so you had more, but being able to say "my email is valid if it is signed by any of my three private keys" serves no purpose and in fact weakens security. These are at base the same technologies on the same principles. What would be the point in having three private keys for your email and signing your outgoing emails with different ones just because? Nothing. Same thing here with the Platform Key. It's not a conspiracy.
As to why Microsoft have a key in there, because they paid to create and maintain one. Any GNU/Linux distro could do the same if they wish. However, given that GNU/Linux doesn't have the capability to use Secure Boot currently (you can sign GRUB or whatever other bootloader you wish, but it doesn't do any OS verification so there's no security advantage here), they don't bother. Only Red Hat and Ubuntu do and that's really for trivial gain and in Red Hat's case at least, they actually just outsourced key creation and maintenance to MS because MS already had the infrastructure set up for it. But as I say, Red Hat and Ubuntu are only signing the boot loader which does an unverified sign-off so it's largely pointless.
>>"Sure, you can disable Secure Boot but Microsoft will guffaw and point any government or large enterprise that the machine is insecure and can't be trusted."
Relevant part is bolded - you are agreeing with everything that I have claimed: that Secure Boot doesn't stop anyone using GNU/Linux. As to the rest, you're claiming that Microsoft marketing will try to show their OS is more secure than others. Well, duh! Same as everyone else. And are you going to actually try and deny now that being able to verify that the OS you're booting hasn't been altered isn't a useful security feature now? Because you'd be wrong about that, too.