Not if you want your OS to "just boot" on typical hardware without fudging around in each machine's setup. Which is what most people expect from an OS.
That is not a problem inherent in UEFI SecureBoot, but an issue that results from the demand for Windows-based machines completely eclipsing most alternatives.
You are basically turning things around: you have expectations for the OS, while the hardware you buy is specifically designed for and bundled with another OS.
Why would you even expect an OS to run on machines that were never designed to run that OS?
No, but there are obvious practical reasons. Unfortunately in the real world practical reasons win out.
Indeed, if you just want to be practical, buy a Windows machine and run Windows on it. Or buy a linux machine and run linux on it, etc.
Interesting point. Long term Microsoft could even add a second key required for future versions of Windows, slowly migrate to the new key, refuse to sign any third party loaders with that, and then eventually drop the old (current) key leaving everyone else hanging out to dry. And once Microsoft stops signing for the old key, that would be a problem for other OSes that want to continue trying to support older hardware.
I don't follow your logic here.
Older hardware already has the older key, and there are already signed bootloaders available with that older key.
So even if new hardware and new OSes use a new key, that won't affect older hardware and older OSes. It will only affect newer hardware and OSes not available with a new key.
And it will only affect it so far, as in, things won't work out-of-the-box. You can still install the older key onto newer hardware and make it work.
The problem here is that the linux vendors are apathic about SecureBoot. If they just take care of signing themselves, and get their keys distributed by the large OEMs out-of-the-box, the dependency with Microsoft's key simply will not exist. THere was never meant to be a dependency on the key of a single vendor, but the linux vendors have manouvred themselves into that position.
Very idealistic. Microsoft will always want to dominate the market, and still has enough power to dictate, or more likely "encourage", OEMs to drop this ability. Similarly OEMs, with a perhaps a few exceptions, have no reason to support anything other than Microsoft Windows.
In case you didn't notice, Microsoft specifically states that SecureBoot must have a disable-option on x86 machines (not ARM machines), in order to qualify for the 'Windows logo' program.
See here:
https://msdn.microsoft.com/en-us/library/jj128256(v=vs.85).aspx
Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup.
Likewise, they are VERY SPECIFIC about having the option to modify the key store:
On non-ARM systems, the platform MUST implement the ability for a physically present user to select between two Secure Boot modes in firmware setup: "Custom" and "Standard". Custom Mode allows for more flexibility as specified in the following:
A.It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK. This may be implemented by simply providing the option to clear all Secure Boot databases (PK, KEK, db, dbx), which puts the system into setup mode.
B.If the user ends up deleting the PK then, upon exiting the Custom Mode firmware setup, the system is operating in Setup Mode with SecureBoot turned off.
C.The firmware setup shall indicate if Secure Boot is turned on, and if it is operated in Standard or Custom Mode. The firmware setup must provide an option to return from Custom to Standard Mode which restores the factory defaults. On an ARM system, it is forbidden to enable Custom Mode. Only Standard Mode may be enabled.
So these are *specific requirements* for x86 systems. You can't get the "Windows logo" on your hardware if you don't allow keys to be installed by the users or SecureBoot to be turned off. Which in a twist of irony means that the "Windows logo" guarantees that you can run other/legacy OSes on it.
It's easy to guess the reason behind this: Microsoft has a monopoly position on x86, and if they hadn't done this, they would likely have been sued.
So that leaves us with two options:
1) In a future where Microsoft no longer has a monopoly position, they can try to 'encourage' OEMs to drop the ability. Nobody would care, since Microsoft doesn't have a monopoly anyway, so apparently there is enough demand for other systems, and Microsoft's pull with OEMs won't be that strong.
2) In case Microsoft still has a monopoly and tries to pull a stunt like that, they will get an antitrust lawsuit, which they will lose.
Either way, it's not going to happen.
