[calgarymicro]

You can load your own Secure Boot keys and sign your bootloader yourself; as for why the Microsoft ones are preloaded, probably because they're the only entity that interacts with all of these OEMs and had enough leverage over them to force Secure Boot adoption in the first place.

[jeroenhd]

Thanks to the incredible combination of Lenovo and Nvidia, I cannot remove the Microsoft keys from my laptop. Not because Microsoft backdoored my computer, but because the Nvidia boot ROM is signed by an MS cert and that runs before you can access the UEFI setup.

I hope the firmware either doesn't check the expiry date or that the firmware itself has been upgraded, or several years worth of Thinkpad are about to stop booting in the near future.

[PunchyHamster]

It should be just "hey, do you trust this install media" -> "yes" -> boot key is automatically added at this step. Instead the whole ecosystem is at microsoft whim

[calgarymicro]

If it becomes this easy then Secure Boot just becomes Vista-era UAC. Sometimes making the security bypass an intentional act that requires some knowledge is a good thing. Most PC users, were their bootloader compromised and they saw such a screen on startup, would instantly press yes and forget about it within 5 minutes.

Not to say that having Microsoft as the custodian of the keys preloaded on all PCs is the optimal solution, but I don't think a token yes/no to add any random key on boot is a good idea either.