There used to be a requirement by MS mandating secure boot to be disable-able. Though I think they scrapped that requirement later on. No idea if third-party CA enabling also has such a requirement.
Disabling secure boot is one thing you should be able to do with hardware you own. Of course that's not a good idea if you want to run a non-Windows OS in a secure manner. Installing your own CA cert should also be possible. That's what we do at work with current UEFI implementations.