Microsoft has asked Lenovo to make it harder to boot Linux on their computers.
obviously I know some really cool people who work at Microsoft but it's very funny to me that people have been harping on us FOSS types for not instantly forgiving them for 20 years of malice, and now we've got this. 
when Microsoft is asking manufacturers to prevent people from booting other OSes and not communicating as to why, they are positioning themselves as the enemy. it's that simple. if they want to be trusted by Linux users, they need to earn that trust.
we're about 2y away, by my estimation, from living in a bizarro world where x86 PCs are less open to free desktops than ARM Macs.
To rebut some of the talking points that inevitably crop up:
"it concerns only a tiny fraction of devices" (so what? This is part of a long-term strategy to consolidate control),
"it's good for security" (nope, single points of trust or failure never are),
"majority don't need or want alternate OSes" (or maybe they just don't know they maybe would, and now never will???)
iirc: on my laptop it goes like this: it starts off in "user mode", where keys are predefined and unchangeable. booting a system signed with the wrong key fails. but i can enter "setup mode", in which the uefi allows you to add other allowed keys. once the keys are added, the system goes back into "user mode" and prohibits other keys, but allows the ones you've added.
i added some hooks to make the linux kernel compile with my own personal key whenever it's updated, added the key to uefi using a special tool and now it will boot my distro, but not a third-party kernel.
this is useful if you have an encrypted drive setup, because you can't encrypt the boot partition, so if you think someone can use that to slip in a counterfeit bootloader/kernel that'll leak the encryption keys, you need to prevent that by using secure boot and signing the kernel with a key they don't have access to.