True. I never mentioned it (by or of itself, that is) would prevent it; the MacBook, afaik, was one of the first consumer machines to mass ship with an EFI (extensible firmware interface) implementation, and in business, machines like the Itanium and HPCompaq/EliteBook notebooks had it. Everything from diagnostic tools to whatever one could write in that space was possible. And Tianocore remains free to study. Whether it’s welcome or not, though, depends on who is asked.
Yes, as of right now, per spec 2.3. I’m not worried about what is happening right now, where keys can be enrolled into the system manually or where there is a switch to turn it off (and to turn CSM on) but the upcoming spec. No need to lecture me on this; in Gnu/Linux, we can create and provision keys for a SB system, like on my Pavilion. It seems everyone here keeps mentioning present-day.
The freaky question is this: Will the upcoming changes restrict Secure Boot further? I don’t know, and until the rumors become more clear as the date gets closer, we won’t know. That’s what scares me. The only thing I do know so far is that CSM is being deprecated in favor of booting using UEFI mode only. When this happens (rumored to be 2020) — that is when I’m worried that an improved Secure Boot will be in place. Have you ever tried to boot anything other than Windows 8 on some tablets? I have. Fedora or Ubuntu is the only other thing I have found that will boot on those, where compatibility modes aren’t an option. And as much as I like Apple, it really stinks that iPad can only boot iOS for the same reason. One of my side projects is to at least write a shell over the browser that will allow running apps in it, but that doesn’t remove the fact it’ll still be running iOS.
I can’t repeat it enough — locked up devices is the future I’m scared of. Only time will tell whether or not this fear is founded or not. It could all be nothing. Because I’m only speculating. And could be wrong.