If you were a serious virus writer you'd already want to use the Microsoft CA to sign your rootkit so you can install it as a signed driver in Windows. Secure Boot moves the vulnerability down the stack, but even now a compromised Microsoft signing key is still massively desirable to virus authors.

Microsoft have told me that they'll revoke certification for any vendor who doesn't provide the appropriate options. If you have examples of machines that have certification and which don't allow any modification of the key database, let me know so we can find out if they were telling the truth.

You've linked to a story about a traditional MBR bootkit that doesn't even run under UEFI. Secure Boot is, as far as anyone knows, not yet cracked.

It's not DRM. You can turn it off in the firmware and there's no way for the OS to know that you did.

BIOS boot sector protection has never prevented writes to the MBR unless you're running DOS - any actual OS uses direct hardware access instead of using the BIOS, and so it can't be blocked. It'd be possible for the BIOS to complain that the MBR's been modified, but it has no way of verifying that the partition boot code or the actual bootloader are still secure. Unsurprisingly, malware authors take advantage of this - https://support.kaspersky.com/viruses/solutions?qid=208280748 has a list of modern bootkits.

Sure. The user shouldn't enrol keys unless they trust whoever provided it and the chain of trust that they assert exists.

Well, that's the point. Nothing you run before reboot will be able to run in the firmware, because it doesn't have the right signature.

No, only the first time you install a given key.

It must be possible to install your own keys, but that may be implemented by allowing you to clear the platform key and switch back to setup mode.

It'll only boot grub if grub is signed with a key that a physically present user has manually enrolled. If you choose to enrol a key that's been used to sign a grub that'll then boot anything (including viruses) then you're vulnerable, but such a virus would only be able to infect systems with that key installed - anyone who hasn't installed that key still gets the protection.

Given that I've been working with the Microsoft people who manage the signing for the best part of a year now, I'm pretty sure they know who I am and what I was getting signed.

If your system currently has Windows 8 installed, then do this:

1) Insert the install media
2) Mouse to the bottom right
3) Select "Settings"
4) Click "Power"
5) While holding down shift, click "Restart"
6) Click "Use a device"
7) Click your install media

This is a little more involved than ideal, but it's got the huge benefit that it's consistent between systems rather than requiring you to use different hotkeys for different platforms.

"With a UEFI Secure Boot that requires a Microsoft signed key, how does one generate a self-signed key that works?"

openssl req -new -nodes x509 -outform DER -out sig.crt -keyout signing_key.priv

And then enrol it with mokutil or MokManager from shim.