I note that the BIOS on my new P8H61-MX Asus-motherboarded desktop machine (which came with a prominent Windows 8 Ready sticker) has a secure boot option but has no visible way to enroll new keys. None. Maybe there is one, but it's not obvious, and the only documentation for this motherboard is a thick manual written in such extreme Chinglish that it is almost entirely incomprehensible, and which is so sketchy that major Asus-specific options you can flip in the BIOS are entirely undocumented (the help for the features in the BIOS itself is also incomprehensible). Naturally secure boot and key enrollment go entirely unmentioned. Thankfully I can turn all this ferociously overcomplicated EFI nonsense off and just boot in BIOS mode, but I don't know if that'll work on the next machine I buy.
(The motherboard's sensors are also unsupported by Linux, so all I get is temperature, even though the sensors can do some sort of intricate variable-speed thing. Apparently Asus refers people asking for programming information to the sensor chip manufacturer, who says it was special for Asus and refers them straight back to Asus again. Great. Asus used to make Linux-friendly motherboards... :( )
So mjg59's feelings about trusting firmware vendors to get this right are quite correct. They won't. They don't.