250
Microsoft’s Secure Boot has been broken for a decade and no one noticed until now
(www.welivesecurity.com)
This is a most excellent place for technology news and articles.
Universal Blue distros do that. For some reason you need to enter a password though.
This is the MOK (Machine Owner Key), which is part of the shim bootloader, not UEFI secure boot.
The shim bootloader is signed by Microsoft UEFI secure boot keys, so Microsoft is the root of trust there.
On some systems you can delete all Secure Boot keys, and provision your own, then you don't need the shim bootloader and can sign your own bootloader or Linux kernel directly. Windows would not be able to boot on those systems.