Gersen: The master key that is only available from Microsoft IS Microsoft's master key; it's like saying that Verisign's master key is only available from Verisign.
MS doesn't have exclusivity on master keys; technically anybody could have their own master key installed by default, given of course that they convince manufacturers to do it.
If they use the MS key it's mostly because it's easier and much cheaper than buying your own master key and then convincing every single "bios" manufacturer to include it.
But saying that secure boot in itself is "DRM" is silly; it's like saying that SSL is also a DRM because you have to rely on some external trusted root key before you can sign anything.
Where I do kind of agree, however, is that all bios should have the option to let users install their own master keys for secure boot, in the same way that most OSes let you install your own root key if you want to use a self-signed certificate or simply don't want to buy a key from Verisign.
At least there should be a list of certificate authorities able to issue keys that would then be included by default in all UEFI bios, but we are not there yet.
1) De facto only MS has access, so it's exclusive access. The machine will refuse to boot your code unless you have a key issued by them or crack the machine in a very similar way to how DRM is cracked even by legal owners for legal purposes.
2) It's DRM, not SSL, because you can't use your own crafted key. Encryption is an access restriction technology. It's a lock: only those who have the key or break the lock gain access. DRM very often uses encryption. The difference is that you don't get the key. SSL allows you to craft your own certificates; it's just that browsers would warn anyone because you yourself were not added to the whitelist of "valid" certificate makers. You can also add yourself to the list easily, either globally ($$$ or contacts to browser manufacturers) or locally in very few steps. Many sites crafted their own certificates and applied them to global websites to get the "s" in https working.
So it's a DRM (digital restriction management), a hardware DRM, an utterly useless no-value hardware DRM. There can only be some use in a corporate environment, provided a corporation purchases a certificate ($$$), but it does not allow you to use the technology right away. So it's not a "secure boot", it's a DRM boot. If you could craft your own certificate and the hardware would accept it, adhering to the owner, then it would be "secure boot". But it does not offer anything like this; the only thing it allows is code blocks which were signed by some group a regular hardware owner is not part of. There is nothing "secure" in this boot, only DRM; it's only secure what they want to secure. Much "personal computing".
Where is the difference between "secure boot" and old "securom" if applied to earlier boot sequence? There is none. There is a purposely optional deactivated mode and a purposely required activated mode. The optional deactivated mode is on purpose disabled in non-x86. Everything this will indeed make you more secure... to them.
This is not your guard dog, it's someone else's guard dog, which will bark at you when others want it to. That's a huge difference. And now it's a good time to also remember Palladium, TPM and Vista. So much MS "change" right here.
But please do buy and use Windows, because you enjoy them screwing not only the software stack but also hardware anyway. Don't cha?