Re: when Secure Boot can't be turned off
Already ran into this drama... Win10 certified hardware is Secure Boot only, you can't turn it off.
It finally forced me to update my PXE boot environment to UEFI, a confusing nightmare, as I was used to how everything operated before.
GPT tools vs standard disk partitioning are not too hard to grok; just beware that the partition UUIDs in disk cloning are not the UUIDs that MS uses in the partition names (useful if you're having boot issues).
Start off with Memtest86, not Memtest86+; they offer a UEFI-bootable version. That GPT disk structure is everywhere, so you should be able to split the GPT disk image out of each version, etc., and figure out how it works.
iPXE rom-o-matic only allowed the EFI option; point it to the core binary in the GPT image. I forget all the details, but once you've cracked that nut you're on your way. The key is that the bootloader is UEFI-signed and you don't use some component in the boot process that uses older BIOS calls (or so it seems).
What you'll find is that UEFI support at the moment is patchy: Memtest86 supports it but Memtest86+ doesn't, iPXE but not gPXE, etc. The new versions of the major distros support it. Having a computer that actually flashes up momentary error messages is rare, but a boon if you find one. It's getting easier as more things support it.
Ramifications: what if MS starts charging an arm and a leg to use their code to get things signed? Your initial loader may have that problem, but you probably can build something like iPXE's rom-o-matic. Yes, you have the one static loader or similar that you have to get going with, but after that anything can be automatically generated from that initial version, sharing a single signature across an entire community.
Security: A small step. (is it actually worth it?)
Benefit for MS: Killing off its competition. The enemy here isn't Linux (small PC market share) but older versions of Windows! Replacement hardware requires a newer OS. Motherboards that support 2000, XP, Vista and Windows 7 are going to be thin on the ground shortly.
Weirdness: One of the systems I've come across was locked to Secure Boot and only had an option for Windows 10 or an older Windows version in the motherboard's UEFI menu screen (it still required Secure Boot, so older means Windows 8).
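The GPT point in the post above (every partition entry carries a fixed partition *type* GUID that says what the partition is for, and a separate *unique partition* GUID that a cloning tool may regenerate) as an added example; this is not code from the original post or from any of the tools it names. It builds a constructed, in-memory Windows-style GPT image, validates the header and entry-array CRCs the way firmware does, and shows that cloning with fresh unique GUIDs leaves the type GUIDs, and therefore the lookup of the EFI System Partition, unchanged. The type GUID values are the published UEFI, Microsoft and Linux constants; the disk layout, partition names, sample GUIDs and the `clone_with_new_unique_guids` model of a cloning tool are assumptions made for the example.

```python
"""Minimal GPT writer/reader: type GUID vs unique partition GUID (added example)."""
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"
HEADER_FMT = "<8sIIII4Q16sQIII"   # 92-byte primary GPT header, UEFI spec field order
ENTRY_FMT = "<16s16sQQQ72s"        # 128-byte partition entry

# Well-known partition *type* GUIDs. These are fixed, published values; they are not
# the per-partition unique GUIDs and do not change when a disk is cloned.
ESP_TYPE = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")
KNOWN_TYPES = {
    ESP_TYPE: "EFI System Partition",
    uuid.UUID("E3C9E316-0B5C-4DB8-817D-F92DF00215AE"): "Microsoft Reserved",
    uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7"): "Microsoft basic data",
    uuid.UUID("DE94BBA4-06D1-4D40-A16A-BFD50179D6AC"): "Windows Recovery Environment",
    uuid.UUID("0FC63DAF-8483-4772-8E79-3D69D8477DE4"): "Linux filesystem",
}


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def build_image(partitions, disk_guid=None, total_sectors=4096) -> bytes:
    """Write a protective MBR, primary GPT header and 128-entry array into a blank image.
    partitions: iterable of (type_guid, unique_guid, first_lba, last_lba, name)."""
    n_entries, entry_size, entries_lba = 128, 128, 2
    table = bytearray(n_entries * entry_size)
    for i, (ptype, puniq, first, last, name) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, table, i * entry_size, ptype.bytes_le, puniq.bytes_le,
                         first, last, 0, name.encode("utf-16-le").ljust(72, b"\0"))
    table_sectors = len(table) // SECTOR                  # 32 sectors for 128 entries
    first_usable = entries_lba + table_sectors            # LBA 34
    last_usable = total_sectors - 2 - table_sectors       # leave room for backup table + header
    disk_guid = disk_guid or uuid.uuid4()

    def header(crc):
        return struct.pack(HEADER_FMT, GPT_SIGNATURE, 0x00010000, 92, crc, 0,
                           1, total_sectors - 1, first_usable, last_usable,
                           disk_guid.bytes_le, entries_lba, n_entries, entry_size, crc32(table))

    hdr = header(crc32(header(0)))   # header CRC is computed with its own CRC field zeroed
    image = bytearray(total_sectors * SECTOR)
    # Protective MBR: a single 0xEE partition covering the disk so legacy tools leave it alone.
    struct.pack_into("<B3sB3sII", image, 446, 0, b"\x00\x02\x00", 0xEE, b"\xff\xff\xff",
                     1, total_sectors - 1)
    image[510:512] = b"\x55\xaa"
    image[SECTOR:SECTOR + 92] = hdr
    image[entries_lba * SECTOR:entries_lba * SECTOR + len(table)] = table
    return bytes(image)


def parse_gpt(image: bytes) -> dict:
    """Validate the primary GPT header and return the disk GUID plus all used entries."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR signature")
    hdr_size = struct.unpack_from("<I", image, SECTOR + 12)[0]
    hdr = image[SECTOR:SECTOR + hdr_size]
    if hdr[:8] != GPT_SIGNATURE or hdr_size < 92:
        raise ValueError("no GPT header at LBA 1")
    (_sig, _rev, _size, hdr_crc, _res, _cur, _bak, _first, _last,
     disk_guid_le, entries_lba, n_entries, entry_size, entries_crc) = struct.unpack(HEADER_FMT, hdr[:92])
    if crc32(hdr[:16] + b"\0\0\0\0" + hdr[20:]) != hdr_crc:
        raise ValueError("GPT header CRC mismatch")
    start = entries_lba * SECTOR
    table = image[start:start + n_entries * entry_size]
    if crc32(table) != entries_crc:
        raise ValueError("partition entry array CRC mismatch")
    parts = []
    for i in range(n_entries):
        type_le, uniq_le, first, last, attrs, name_raw = struct.unpack(
            ENTRY_FMT, table[i * entry_size:i * entry_size + 128])
        ptype = uuid.UUID(bytes_le=type_le)
        if ptype.int == 0:                 # all-zero type GUID marks an unused slot
            continue
        parts.append({"index": i, "type_guid": ptype, "type_name": KNOWN_TYPES.get(ptype, "unknown"),
                      "unique_guid": uuid.UUID(bytes_le=uniq_le), "first_lba": first,
                      "last_lba": last, "attrs": attrs,
                      "name": name_raw.decode("utf-16-le").split("\0", 1)[0]})
    return {"disk_guid": uuid.UUID(bytes_le=disk_guid_le), "partitions": parts}


def clone_with_new_unique_guids(image: bytes) -> bytes:
    """Model of a cloning tool that avoids duplicate identifiers: every type GUID (the
    partition's role) is kept, every unique partition GUID and the disk GUID are regenerated."""
    gpt = parse_gpt(image)
    return build_image([(p["type_guid"], uuid.uuid4(), p["first_lba"], p["last_lba"], p["name"])
                        for p in gpt["partitions"]], total_sectors=len(image) // SECTOR)


def find_by_type(image: bytes, type_guid: uuid.UUID) -> list:
    """Locate partitions by role (e.g. the ESP the firmware boots from), not by unique GUID."""
    return [p for p in parse_gpt(image)["partitions"] if p["type_guid"] == type_guid]


# Constructed sample: a small Windows-style layout with fixed (made-up) unique GUIDs.
SAMPLE_IMAGE = build_image([
    (ESP_TYPE, uuid.UUID("11111111-1111-1111-1111-111111111111"), 34, 1033, "EFI system partition"),
    (uuid.UUID("E3C9E316-0B5C-4DB8-817D-F92DF00215AE"),
     uuid.UUID("22222222-2222-2222-2222-222222222222"), 1034, 1289, "Microsoft reserved partition"),
    (uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7"),
     uuid.UUID("33333333-3333-3333-3333-333333333333"), 1290, 4062, "Basic data partition"),
], disk_guid=uuid.UUID("aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"))

if __name__ == "__main__":
    for p in parse_gpt(SAMPLE_IMAGE)["partitions"]:
        print(f'{p["name"]:30} type={p["type_name"]:28} unique={p["unique_guid"]}')
    for p in parse_gpt(clone_with_new_unique_guids(SAMPLE_IMAGE))["partitions"]:
        print(f'{p["name"]:30} type={p["type_name"]:28} unique={p["unique_guid"]}  (clone)')
```

When debugging a cloned disk that will not boot, compare the two columns: a firmware boot entry or a BCD store that references a partition by its unique GUID breaks after a clone that regenerated those GUIDs, while anything that selects the ESP by type GUID keeps working. The CRC checks are deliberate: a tool that edits either GUID in place without recomputing both CRCs produces a table that this parser, like the firmware, rejects.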