What for?
It's a requirement as part of the Windows 8 hardware certification (applies not just to laptops and desktops, but to anything that the manufacturer wants to put the 'works with Windows 8' logo on, e.g. motherboards) that:
a) You be able to disable secure boot
b) You be able to enter your own keys into secure boot (either through adding them to the existing keychain, or wiping the keychain and adding keys)
Here's the relevant legalese from MS:
Mandatory. On non-ARM systems, the platform MUST implement the ability for a physically present user to select between two Secure Boot modes in firmware setup: "Custom" and "Standard". Custom Mode allows for more flexibility as specified in the following:
It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK. This may be implemented by simply providing the option to clear all Secure Boot databases (PK, KEK, db, dbx), which puts the system into setup mode.
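To check which of these states a machine is actually in, the following added example (not part of the original comment) decodes the Secure Boot variables that Linux exposes through efivarfs. It assumes efivarfs is mounted at /sys/firmware/efi/efivars; the state labels it returns are the example's own names.

```python
import os
import struct

# GUIDs from the UEFI specification: the global-variable namespace holds
# SecureBoot, SetupMode, PK and KEK; the image-security namespace holds db/dbx.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_IMAGE_SECURITY = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
EFIVARFS = "/sys/firmware/efi/efivars"  # assumed Linux efivarfs mount point
NAMES = {"SecureBoot": EFI_GLOBAL, "SetupMode": EFI_GLOBAL, "PK": EFI_GLOBAL,
         "KEK": EFI_GLOBAL, "db": EFI_IMAGE_SECURITY, "dbx": EFI_IMAGE_SECURITY}

def parse_efivar(raw):
    """Split an efivarfs file into (attributes, data): 4-byte LE header + payload."""
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its attribute header")
    return struct.unpack_from("<I", raw)[0], raw[4:]

def flag(raw):
    """Decode a one-byte boolean variable (SecureBoot, SetupMode); None if absent."""
    if raw is None:
        return None
    data = parse_efivar(raw)[1]
    return bool(data[0]) if data else None

def classify(variables):
    """Map raw variable contents to a state label (labels are this example's own)."""
    setup, secure = flag(variables.get("SetupMode")), flag(variables.get("SecureBoot"))
    if setup is None and secure is None:
        return "no-secure-boot-variables"
    pk = variables.get("PK")
    pk_enrolled = pk is not None and len(parse_efivar(pk)[1]) > 0
    if setup is None:            # fall back to PK presence if SetupMode is unreadable
        setup = not pk_enrolled
    if setup:
        return "setup-mode"      # no PK enrolled: key databases can be populated
    return "user-mode-enforcing" if secure else "user-mode-disabled"

def read_variables(root=EFIVARFS):
    """Read each variable's raw bytes; missing or unreadable entries become None."""
    out = {}
    for name, guid in NAMES.items():
        try:
            with open(os.path.join(root, f"{name}-{guid}"), "rb") as fh:
                out[name] = fh.read()
        except OSError:
            out[name] = None
    return out

if __name__ == "__main__":
    found = read_variables()
    print("state:", classify(found))
    print("present:", [n for n, v in found.items() if v is not None])
```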