I believe that the Windows 10 logo requirements are exactly the opposite of that.

If you look at the UEFI requirements for Windows 10[1], specifically clauses 19 and 20, it says for non-ARM systems the user MUST be able to put Secure Boot into Custom signature-checking mode.

[1] https://msdn.microsoft.com/windows/hardware/commercialize/de...

They're not opposites. PCs are required to have secure boot and they're required to have MS's cert installed and they're required to be able to disable secure boot.

This was true in Windows 8 times, but with Windows 10 the requirement to be able to turn off Secure Boot vanished: https://arstechnica.com/information-technology/2015/03/windo...

The whole story around Secure Boot could be understood (even without a tinfoil hat) as a part of a slippery slope to lock out alternative OSes, highly recommended post: https://www.phoronix.com/forums/forum/phoronix/general-discu...

Thanks, I have to wonder how much of bureaucratic headache that is to get your bootloader signed.

James Bottomley navigated the bureaucracy and lived to tell about it: https://blog.hansenpartnership.com/adventures-in-microsoft-u...

Oh interesting, thanks for the link.