LOL @ chain of trust when Microsoft is involved.
That's the very reason why I not only disable Secure Boot on my own computers, yet also any of those that I work on for others at no charge, including simple things like installing security, setting a backup software program, cleansing of Malware, usually being a reinstall because once infected, the computer is untrusted. Secure Boot does not prevent nor block Malware from loading on a system. If Secure Boot is so great, then why is security any longer needed? The security features that the modern 64 bit CPU offers provides more security than Secure Boot, furthermore, so would simply placing a padlock on a tower PC.
Personally, I think SecureBoot is overrated.
Paragraph above is living proof of this.
Many who has Secure Boot (the ones who realizes that it's on their computers) has a misconception of what it represents. It can & often does prevent the install of a graphics or sound card, where there are no 'unsigned' drivers, yet are generally seen as safe, and Malware scans will prove it's the case. So Secure Boot has to be disabled to install & keep the components in the computer, otherwise, it's an expensive paperweight.
As far as any 'chain of trust' when Microsoft is involved, I'll simply reserve my comments, because some will not like (or approve) of how I feel about it being forced upon consumers & it's hard for me to hold back. This has been discussed long ago in a long Topic in regards to Privacy & Security (in the Speak Easy Forum here), where one of the valuable links were taken down (though not by this site). Nick introduced us to the article, where I spread as far as possible, not just here, on many sites in response to articles pertaining to Secure Boot & Microsoft in general. Unfortunately, I didn't print nor download the article, why it was taken down, I have no idea, yet have one as to who & why.
One thing that Secure Boot has done was to fuel the PC building industry, including rises in self-builds & custom builds by PC shops (certified shops & hobbyists). Though many of the MB's has the option of Secure Boot available (it's getting harder not to find newer ones that doesn't), the majority doesn't want it enabled & the builder will honor the paying customer's choice. Those who builds their own has total control over everything, and while may have to load Windows 7 (one can do so legally for 30 days w/out entering a COA) to install drivers & ensure all is OK, or to benchmark & upload for bragging rights, then format if HDD or secure erase the SSD & install the Linux distro of their choosing. UEFI firmware (or BIOS updates) can be performed by a bootable USB stick or by CD, with USB stick being the faster & most popular option, Windows isn't needed for this.
If one wants to install Ubuntu, if the option is available, simply disable Secure Boot in the UEFI settings, be sure to press F10 to save settings (usually the key for most computers) & when it reboots, you're Free, Secure Boot is disabled. Install the OS, including Ubuntu, to your now unshackled computer & enjoy!
I don't recommend the disabling of GPT & reverting to MBR though, because GPT partitioning has some advantages over MBR, in performance, and because the bootloader is stored on more than one place on the drive. Plus it makes creating Logical/Extended partitions obsolete. One can have up to 128 Primary partitions, on a large drive, one for most everything. SSD's also sees some performance advantages. Any performance advantage, no matter how slight, is still a positive gain.
The only thing I see 'threatened' by the disabling of Secure Boot is Windows user share, which doesn't mean anything outside of Microsoft corporate headquarters. Ubuntu is plenty secure enough to not be seen as a threat & many world governments & leading financial sectors (think Wall Street) are running modified versions of Ubuntu for their needs. So does many services we depend on daily runs some form of Linux for day to day operations, from your local banks, retailers (physical & online), medical offices, and in many instances, the ISP one's running is Linux powered.
All of this is 'smoke & mirrors', Microsoft & their partners looking for an excuse to bake Secure Boot into new computers, taking away the right to disable the plague. You own the hardware, yet will not have full rights over it. That's the real agenda, and was discussed in the article that JohnC posted above. Consumers will have to rally for change, inaction equates acceptance.