It's right there in the article: "In the general purpose Linux world, we use an intermediate bootloader called Shim to bridge from the Microsoft signing authority to a distribution one."
So you need to trust Microsoft for the first keys :)
We do that for convenience, so you can boot Linux without having to hunt through firmware menus to reconfigure them. But every machine /should/ let the user enroll their own keys[1], so users are free to shift to a different signing authority.
[1] Every machine I've ever had access to has. If anyone has an x86 machine with a Windows 8 or later sticker that implements secure boot but doesn't let you modify the secure boot key database, I have a standing offer that I'll buy one myself and do what I can to rectify this. I just need a model number and some willingness on your part to chip in if it turns out you were wrong.
I have been trying to improve the usability of secure boot key management on Linux for the past year by writing some libraries from scratch and sbctl. I have even started writing full integration testing with tianocore/ovmf!
It should hopefully end up being an improvement on efitools and sbsigntools. Tried posting about this on HN but somehow it's a topic with little to no interest, strange world!
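What tools like efitools, sbsigntools and sbctl ultimately read and write is the EFI_SIGNATURE_LIST encoding of the db/dbx variables. The following is an added example for this thread (it is not code from sbctl, efitools or any poster) that serializes and parses that format with only the standard library and applies the allow/deny rule the firmware uses. The signature-type GUIDs are the UEFI spec's; the owner GUID, the "certificate" bytes and the image bytes are placeholders I made up, and the image is hashed as raw SHA-256 rather than the Authenticode PE hash real firmware computes.

```python
"""Build and parse EFI_SIGNATURE_LIST blobs (the db/dbx Secure Boot variable format)
and apply the allow/deny rule. Added example for this thread, not code from
sbctl or efitools; the owner GUID and all inputs below are made up."""
import hashlib
import struct
import uuid

# Signature types from the UEFI spec. GUIDs are stored "mixed-endian" (first
# three fields little-endian), which is exactly what uuid.UUID.bytes_le yields.
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")    # DER certificate
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")  # SHA-256 of an image
EXAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")    # made-up SignatureOwner

HDR = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize


def build_list(sig_type, owner, entries):
    """Serialize one EFI_SIGNATURE_LIST (empty SignatureHeader) holding `entries`."""
    if not entries:
        raise ValueError("a list needs at least one entry")
    sig_size = 16 + len(entries[0])
    if any(16 + len(e) != sig_size for e in entries):
        # Every entry in a list shares SignatureSize, so certs of different
        # lengths go in separate lists; that is why db is a concatenation of lists.
        raise ValueError("entries of different sizes need separate lists")
    body = b"".join(owner.bytes_le + e for e in entries)
    return HDR.pack(sig_type.bytes_le, HDR.size + len(body), 0, sig_size) + body


def parse_lists(blob):
    """Parse a db/dbx blob into [(sig_type, [(owner, data), ...]), ...].

    Every size field comes from NVRAM or a user-supplied file, so each one is
    checked before it is used as an offset or a divisor."""
    lists, off = [], 0
    while off < len(blob):
        if len(blob) - off < HDR.size:
            raise ValueError(f"offset {off}: truncated list header")
        raw_type, list_size, hdr_size, sig_size = HDR.unpack_from(blob, off)
        if (list_size < HDR.size or off + list_size > len(blob)
                or hdr_size > list_size - HDR.size or sig_size < 16):
            raise ValueError(f"offset {off}: inconsistent size fields")
        body_len = list_size - HDR.size - hdr_size
        if body_len == 0 or body_len % sig_size:
            raise ValueError(f"offset {off}: body is not a whole number of signatures")
        entries = []
        for p in range(off + HDR.size + hdr_size, off + list_size, sig_size):
            entries.append((uuid.UUID(bytes_le=blob[p:p + 16]), blob[p + 16:p + sig_size]))
        lists.append((uuid.UUID(bytes_le=raw_type), entries))
        off += list_size
    return lists


def _contains(lists, signer_der, image_hash):
    for sig_type, entries in lists:
        if sig_type == EFI_CERT_X509:
            want = signer_der
        elif sig_type == EFI_CERT_SHA256:
            want = image_hash
        else:
            continue  # other types (RSA2048, SHA-1, ...) are not handled here
        if any(data == want for _owner, data in entries):
            return True
    return False


def verdict(db, dbx, signer_der, image):
    """Firmware rule: any dbx match forbids, otherwise a db match allows.

    Matching is by exact DER bytes or by SHA-256 of the raw image bytes. Real
    firmware hashes PE images Authenticode-style and also accepts a signer that
    chains to a db certificate; this example only does exact-entry matching."""
    h = hashlib.sha256(image).digest()
    if _contains(dbx, signer_der, h):
        return False, "forbidden by dbx"
    if _contains(db, signer_der, h):
        return True, "allowed by db"
    return False, "no matching db entry"


if __name__ == "__main__":
    # Constructed stand-ins: user_cert would be the DER of your db certificate
    # and the images the PE binaries you signed with its key.
    user_cert = b"placeholder DER of the user's db certificate"
    good, revoked = b"signed bootloader build 1", b"signed bootloader build 0 (revoked)"
    db = parse_lists(build_list(EFI_CERT_X509, EXAMPLE_OWNER, [user_cert]))
    dbx = parse_lists(build_list(EFI_CERT_SHA256, EXAMPLE_OWNER,
                                 [hashlib.sha256(revoked).digest()]))
    for image in (good, revoked):
        print(image, verdict(db, dbx, user_cert, image))
```

The point worth noticing is the second run: the revoked image is signed by a certificate that is in db, and it is still rejected because its hash is in dbx. That is the mechanism a user who enrolls their own keys has to keep feeding (dbx updates) once they step off the Microsoft-maintained list, and it is also why the parser refuses any list whose size fields do not add up rather than trusting what came out of NVRAM.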
Most Surface Pro x86 devices do not let you enroll user keys through the firmware. In fact the original Surface Pro doesn't even have the UEFI MS key, so it can't even boot Shim. Following Surface devices do allow you to enroll the MS UEFI key through a firmware update (requires Windows), and starting from Surface Pro 3 iirc the UEFI MS key is builtin (but still no option to enroll your keys through the firmware).
However, they all do have the option to disable Secure Boot entirely (and you get a permanent red boot screen for the privilege).
“Dan would eventually find out about the free kernels, even entire free operating systems, that had existed around the turn of the century. But not only were they illegal, like debuggers—you could not install one if you had one, without knowing your computer's root password. And neither the FBI nor Microsoft Support would tell you that.”