'MANDATORY. On non-ARM systems, the platform MUST implement the ability for a
physically present user to select between two Secure Boot modes in firmware setup: "Custom" and "Standard". Custom Mode allows for more flexibility as specified in the following:'
Followed by a requirement that it be possible to clear PK, which guarantees you the ability to enrol whatever set of keys you want.