Intel and everyone else knows that restricted boot environments for personal computers (desktops and laptops) will be hugely profitable. Entertainment companies love it -- they can deploy a new kind of DRM that won't be defeated for years (see: PS3).
SecureBoot is not a DRM system (for now). If SecureBoot is on, the requirement is that the code executed before ExitBootServices() has to be signed. All code executed after that doesn't. So, for example, one can create a boot loader like EFILinux that will be signed and conform to the specification, and that can load unsigned kernels, and those unsigned kernels can contain any code. The kernel may emulate an EFI interface (like loaders for OS X on BIOS), and load the Windows kernel, patching it and then starting it.
Or, on PCs that have it turned off, you can create your own EFI application that will load instead of Windows's boot loader and that will override the GetVariables() functions, so that if the Windows kernel queries it, it will return that SecureBoot is on. It can also patch the kernel itself in memory before starting it.
He has not acquired a fortune; the fortune has acquired him. -- Bion