For those not wanting to read anything historical: the confrontation comes because the Secure Boot option of UEFI (if enabled) only ships with Microsoft keys in the firmware. Thus, Microsoft's signing service is the only practical signing service, and it will only sign PE executables. The solution that Matt and company came up with was to have a module vendor wrap their keys in a PE executable, have Microsoft sign it, and then ship the signed PE executable with the signed Linux kernel module. Verification of the signed Linux module thus requires the Linux kernel to load the PE executable, verify its signature, then extract the vendor keys and continue on.
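To make concrete how much PE parsing that flow puts in the verification path, here is an added example (not code from the post or from the kernel patch) that locates the two pieces a verifier needs: the signature blob in the PE certificate table and the wrapped key in a section. The section name `.keylist`, the function names and the sample image are assumptions constructed for illustration, and the signature is only located, not cryptographically verified.

```python
import struct

KEY_SECTION = b".keylist"  # assumed section name; the page does not name one

def build_sample_pe(key: bytes, sig: bytes) -> bytes:
    """Constructed minimal PE32+ image: one section (key) plus a certificate table (sig)."""
    hdr_end = 64 + 24 + 240 + 40  # DOS + PE/COFF + optional header + 1 section header
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)  # e_lfanew at offset 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    cert = struct.pack("<IHH", 8 + len(sig), 0x0200, 0x0002) + sig  # WIN_CERTIFICATE
    dirs = [(0, 0)] * 16
    dirs[4] = (hdr_end + len(key), len(cert))  # certificate table: file offset, not an RVA
    opt = (struct.pack("<H", 0x20B) + bytes(106) + struct.pack("<I", 16)
           + b"".join(struct.pack("<II", *d) for d in dirs))
    sec = struct.pack("<8sIIIIIIHHI", KEY_SECTION, len(key), 0x1000, len(key),
                      hdr_end, 0, 0, 0, 0, 0x40000040)
    return dos + coff + opt + sec + key + cert

def parse_wrapped_key(pe: bytes, section: bytes = KEY_SECTION) -> dict:
    """Return the wrapped key bytes and the raw signature blob from a PE image."""
    if pe[:2] != b"MZ" or len(pe) < 64:
        raise ValueError("not a DOS/PE image")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]  # PE32 vs PE32+
    if struct.unpack_from("<I", pe, dirs - 4)[0] < 5:
        raise ValueError("no certificate table entry")
    cert_off, cert_size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    if cert_size < 8 or cert_off + cert_size > len(pe):
        raise ValueError("certificate table out of bounds")
    length, _rev, ctype = struct.unpack_from("<IHH", pe, cert_off)
    if not 8 <= length <= cert_size:
        raise ValueError("bad WIN_CERTIFICATE length")
    for i in range(nsec):
        name, vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        if name.rstrip(b"\0") == section:
            if rptr + rsize > len(pe):
                raise ValueError("section data out of bounds")
            return {"key": pe[rptr:rptr + min(vsize, rsize)],
                    "signature": pe[cert_off + 8:cert_off + length], "cert_type": ctype}
    raise ValueError("key section not found")
```

Every bounds check here guards an attacker-controlled offset or length; a real verifier would then have to parse and validate the PKCS#7 blob before trusting the extracted key.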
Linus rightly called out the idea as moronic and stupid. The retorts basically came in the form of "Microsoft created the standard, and is the only viable signing service for the standard." Even though alternative options could have been had, they were deemed too complicated and involved.
Life would have been much easier if Microsoft would just sign X.509 certificates like the rest of the world.
Read more about it here.