I just now came across a blog post written by Peter Jones LAST MONTH on those “Microsoft Secure Boot Golden Key” news reports, and it is worth reading. Peter owns the Linux shim, so he knows a bit about UEFI’s boot process.
https://blog.uncooperative.org/blog/2016/08/18/secure-boot-failures-and-mitigation/
Especially because I’ve had nearly nothing useful in this blog on this post:
Also note other articles in Peter’s blog: he makes regular canary posts about the state of his Shim code. I wish all of the boot/firmware code required all contributors to have canaries!
