Comment Wrong (Score 4, Insightful) 210
To replace the key and the boot-loader you have to disable "Secure Boot" in the firmware (disabling by software is not allowed), then update the key (which means flashing a new version of the firmware) and the boot-loader, and then reactivate "Secure Boot".
Now think of Average Joe or your grandmother and tell me how someone like them will accomplish this.
Replacing the keys doesn't require reflashing the firmware, you just need to go into the UEFI setup screen and add or delete the keys you're interested in. If the key gets compromised, you just go to the setup, add the new key, boot and update the bootloader, and go into the setup and remove the old key. Or, even easier, you update the boot-loader on a working system, then go into the UEFI setup and remove the old key and add the new key. The procedure you outlined is unnecessarily complex even assuming that you have to reflash the firmware to get new keys.
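Whichever order the steps above are done in, the thing worth verifying afterwards is that the old key is really gone from the signature database and the new one is present. The following is an added example, not code from either commenter: it parses the EFI_SIGNATURE_LIST format that the db/dbx/KEK variables use (on Linux, readable under /sys/firmware/efi/efivars/ with a 4-byte attribute prefix) and checks a certificate's presence by its SHA-256 fingerprint. The variable contents, owner GUID and "certificate" bytes below are constructed placeholders, not real firmware data.

```python
"""Parse UEFI Secure Boot signature databases (EFI_SIGNATURE_LIST blobs) and
confirm which certificates are enrolled. Added example for this thread; the
sample data is constructed and does not come from any real firmware."""
import hashlib
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}

HEADER_LEN = 28  # SignatureType (16) + three uint32 sizes (12)


def parse_signature_lists(blob: bytes):
    """Return [(type_name, owner_guid, data)] for every entry in a
    concatenation of EFI_SIGNATURE_LIST structures (db, dbx, KEK or PK).
    Raises ValueError on truncated or inconsistent sizes."""
    entries = []
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[offset:offset + 16])
        list_size, header_size, sig_size = struct.unpack_from("<III", blob, offset + 16)
        if list_size < HEADER_LEN + header_size or offset + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size <= 16:  # each entry is SignatureOwner (16) + SignatureData
            raise ValueError("bad SignatureSize")
        data_start = offset + HEADER_LEN + header_size
        data_end = offset + list_size
        if (data_end - data_start) % sig_size:
            raise ValueError("signature data is not a multiple of SignatureSize")
        for pos in range(data_start, data_end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            data = blob[pos + 16:pos + sig_size]
            entries.append((SIG_TYPE_NAMES.get(sig_type, str(sig_type)), owner, data))
        offset += list_size
    return entries


def is_well_formed(blob: bytes) -> bool:
    """True if the blob parses cleanly; useful before trusting a dump."""
    try:
        parse_signature_lists(blob)
        return True
    except ValueError:
        return False


def read_efivar(path: str) -> bytes:
    """Read a variable from efivarfs; skip the leading 4-byte attribute word."""
    with open(path, "rb") as fh:
        return fh.read()[4:]


def cert_fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


def enrolled_fingerprints(entries):
    """SHA-256 fingerprints of all x509 entries (hash entries are PE image hashes)."""
    return {cert_fingerprint(data) for kind, _owner, data in entries if kind == "x509"}


def cert_is_enrolled(entries, cert_der: bytes) -> bool:
    return cert_fingerprint(cert_der) in enrolled_fingerprints(entries)


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, items) -> bytes:
    """Build one EFI_SIGNATURE_LIST (all items in a list share one size);
    used here only to construct sample data."""
    sig_size = 16 + len(items[0])
    body = b"".join(owner.bytes_le + item for item in items)
    return sig_type.bytes_le + struct.pack("<III", HEADER_LEN + len(body), 0, sig_size) + body


# Constructed sample data (placeholder owner GUID and fake "DER" bytes).
OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")
OLD_CERT = b"\x30\x82" + b"OLD-VENDOR-CERT-PLACEHOLDER" * 2
NEW_CERT = b"\x30\x82" + b"NEW-VENDOR-CERT-PLACEHOLDER-ROTATED" * 2
IMAGE_HASH = hashlib.sha256(b"constructed bootloader image").digest()

DB_BEFORE = (build_signature_list(EFI_CERT_X509_GUID, OWNER, [OLD_CERT])
             + build_signature_list(EFI_CERT_X509_GUID, OWNER, [NEW_CERT])
             + build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [IMAGE_HASH]))
DB_AFTER = (build_signature_list(EFI_CERT_X509_GUID, OWNER, [NEW_CERT])
            + build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [IMAGE_HASH]))

if __name__ == "__main__":
    for label, blob in (("before", DB_BEFORE), ("after", DB_AFTER)):
        entries = parse_signature_lists(blob)
        print(label, "old key enrolled:", cert_is_enrolled(entries, OLD_CERT),
              "new key enrolled:", cert_is_enrolled(entries, NEW_CERT))
```

On a real machine, replace the constructed blobs with read_efivar() on the db variable's efivarfs path and pass the DER of the certificate you expect to have removed; a True for the old key after the rotation means the setup screen edit did not take effect.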