No they do not, so I don't know where you're getting this from.
The Windows 8 Hardware Certification requirements published by Microsoft. To quote the relevant section:
Mandatory. On non-ARM systems, the platform MUST implement the ability for a physically present user to select between two Secure Boot modes in firmware setup: "Custom" and "Standard". Custom Mode allows for more flexibility as specified in the following: It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK. This may be implemented by simply providing the option to clear all Secure Boot databases (PK, KEK, db, dbx), which puts the system into setup mode.
Mandatory. Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of PKpriv.
fixed so that it isn't so wholly Microsoft centric
Good news, it's already fixed then!
So who decides what keys can be added to the bootloader? The end user, in the case of every x86 board. Microsoft requires any system vendor to allow end users to add their own keys (either directly, or by wiping the existing keys and requiring the user to add their own and Microsoft's back in). No user-modifiable Secure Boot, no Windows 8 for you. No Windows 8 certification? The manufacturer can do whatever they want, from locking down the loader to only one key of their choice, or not implementing Secure Boot at all. Basically, the current state of affairs.
If key handling were decentralized
It is decentralised. It's so decentralised, that it's handled on a per-end-device basis. Because you manage the keys on your device by entering them.
and adding your own key wasn't mutually exclusive with other keys (as it effectively is now,)
No, it isn't. If you can add your own keys, you can add any keys.
The level of FUD over Secure Boot, and its non-relation to Windows 8, is astounding.
we haven't even got D-T going yet
Not above break-even, but actually performing D-T fusion is relatively easy, to the point it has been done as a high-school science experiment using the old Farnsworth-Hirsch 'fusor' IEC design.
Well, I can see your point but by making it a product with visibility and all that, people are more inclined to standardize on a particular way of doing things.
There already is a standard way of doing things, and it's built into Android! Introducing an additional way to connect a Bluetooth controller to an Android phone only means a game now has to support two Bluetooth controller APIs, rather than one. A total waste of time and effort.
It's a Dick Move, but a Dick Move in line with the Dick Moves of every other portable-ARM-device manufacturer.
If you could generate a self-signed key for free
Not only is this EXACTLY what you can do, the Win8 certification requires OEMs to allow you to do this.
The better question to ask is "who the hell does MS think it is?" They don't and cannot control the HW manufacturers.
The irony is, MS specifically require manufacturers to allow you (the end user) to modify the Secure Boot keys, or they don't get Win8 certification. They're enforcing the exact opposite of what you think they are.
Variables don't; constants aren't.