Vendor-specificity of KEK

Many of the problems mjg59 talks about in 2012 were solved, with shim and mokutil for example so you can load locally built kernel modules with a local keypair using akmods that are trusted enough, you have to subscribe the key on the machine from the local console, it can't be done remotely, so you can only use this mechanism to hose your own machine, and it doesn't cause problems with the security boundary SecureBoot is trying to create, which is malware coming in over the network and modifying the boot process in a way that is silent to the user, like malware could go through the akmods dance to boot into mokutil to authorize a key, but you can just say "no" and it's stuck.

And at the time they didn't have a use case for using SecureBoot for virtualization guests but now that is something which is used to help validate the kernel booted cleanly even for servers, it's not trying to protect against the hypervisor vendor which owns the underlying hardware anyway, but still trying to keep malware from modifying the server OS in ways that aren't detectable.