"The Microsoft's UEFI rules _require_ that you be able to install your own keys."
No, you are wrong; here are the 2 policies for OEMs:
- on x86/AMD64: secure boot enabled by default, Microsoft keys installed and a way to disable secure boot and install user supplied keys
- on ARM: secure boot enabled, Microsoft keys installed and NO way to disable secure boot and NO way to install user supplied keys. In practice this means you can't even install Linux, even when signed!, on a Windows RT/ARM device like the "Surface": http://mjg59.dreamwidth.org/21189.html