https://wiki.freebsd.org/SecureBoot
Secure Boot requires that all boot-time code be signed by a private key whose public counterpart is known to the boot firmware. Currently the only key that is guaranteed to be present in any given system is Microsoft's. Additionally, to be certified for the Windows 8 logo program, systems must be have Secure Boot enabled, although they must provide a way to disable it and they must allow the user to add keys to the system. Microsoft also provides a service where binaries can be forwarded to them for signing with their key.