The major OEMs might allow adding new keys with secure boot, it really depends on how many enterprise customers want the ability. But if you buy your components separately and put them together yourself I fully expect the manufacturers to not only allow turning of secure boot but adding keys and probably even deleting and modifying the system in-line with the specification.
Lets not underestimate how much MS would like to lock other OS's out of computers, it has long been speculated that was the goal with palladium and other initiatives. But secure boot can most certainly be used for good. Its possible to secure a system with kernel and a signed key that could be used with and IDS system that would prevent the running of any non signed binary. This could essentially eliminate all trojans as long as the keys are handled securely and if you have access to add the keys yourself you could be fully responsible for locking out every binary you haven't personally signed.
Secure boot isn't evil, it's like any tool though in that it can be used for evil.