When will we learn that this argument is not good enough for this sort of security boondoggle? The fact it is possible and even probable to happen in the future means it needs safeguards against it. Preferably mathematical safeguards, not just the say-so of a party with considerable market power and no obligation to care for anyone its measures leave out in the cold.
I'm not making an argument, just stating a fact.
That said, what this basically comes down to is the age-old practicality vs. idealism problem. A cryptographically verified boot process, as a basic concept, is beneficial to everyone. Bootkits are a real thing and this is a barrier against them.
If we're going to do this, we run very quickly into the same usability problem as SSL. Most users don't have any interest in verifying and installing certificates, they just want to use the software they've bought. Even the mjg59 public shim that prompts you to install the cert off the boot media if you trust it is too much for the general market. To appease this majority you have to have a certain layer of base trusted certificates which can then sign further content. Unfortunately, unlike SSL where there's a massive market of domain owners who want to be able to prove they are who they say they are, there's a very small market interested in paying for signed bootloaders. Apple and all the proprietary hardware vendors don't care, they can make their EFI implementations trust whoever they want. As far as generic PC type hardware goes, Microsoft is the 800 pound gorilla, with the Linux distros that care about commercial users as a very distant second class and the end-users who actually want to compile kernels somewhere out near Pluto as far as the certificate vendors are concerned.
There just isn't the market to get the certificate vendors to care, which means none of them work with the OEMs to have their certificates trusted, which ends up where we are now with Microsoft's certificate being the only one you can guarantee to be on Secure Boot capable hardware. Without a mandate from some legal authority (unlikely) or from some licensing body in control of something important to PC hardware (more unlikely) I just don't see how the situation ends up any different at this point in time. Any of the big CAs could theoretically get in this game, but why would they care to?
So, do you:
1. Throw out the entire concept, even though it has definite benefits when implemented in a fashion that respects the rights of the owner of the hardware.
2. Figure out some way to mandate that all hardware allow user management of keys.
3. Form some organization that will somehow get enough influence to get their signing key added to the default trust lists of enough major vendors to matter, then operate a signing service of your own.
4. Use the system that exists, that effectively achieves its goals, that generally supports custom keys, and that in the event custom keys are not available the one vendor who's all but guaranteed to be preinstalled offers an open signing service for...
---
To me the current situation is of course not ideal, but I can't see any practical way it could have ended up any better. Expecting every motherboard manufacturer to include keys for all the major distros is absurd. I don't expect major x86 vendors, especially those targeting businesses or the DIY market, to disable key management because it opens them up to nerd rage without any real benefits. Even if they do I don't expect Microsoft to shut down their signing service, nor do I expect them to change keys in such a way that the existing solutions stop working on new hardware because that would also break all existing UEFI Secure Boot compatible Windows install media. It's theoretically possible that all these things combine, but I consider it unlikely enough to not be worth worrying about.