Disabling secure boot is one thing you should be able to do with hardware you own. Of course that's not a good idea if you want to run a non-Windows OS in a secure manner. Installing your own CA cert should also be possible. That's what we do at work with current UEFI implementations.