Note that the UEFI spec for x86 requires user-modifiable keys (after public outcry), but the spec for ARM requires NO user-modifiable keys. (Edit: actually this may only be a Windows requirement)
UEFI spec insists in root of trust being specified by vendor, Microsoft requires ability to set completely owner-controlled keys because they offer that as part of highest security mode on Windows for corporate clients.
"Lockdown: The coming war on general-purpose computing"
https://boingboing.net/2012/01/10/lockdown.html
Note that the UEFI spec for x86 requires user-modifiable keys (after public outcry), but the spec for ARM requires NO user-modifiable keys. (Edit: actually this may only be a Windows requirement)