The specifications in the company's Windows Hardware Certification Requirements make this clear, according to tech blogger Glynn Moody.
The issue of secure boot on Windows 8 was raised in September when Linux developer Matthew Garrett pointed out that this feature, implemented as per the Unified Extensible Firmware Interface guidelines, could be used to ensure that only Microsoft operating systems were loadable on a given device.
The system firmware can contain one or more signed keys and any executable that is not signed by these keys cannot boot on said system. Another set of keys - called Pkek - allows for communication between the operating system and the firmware.
An operating system with matching Pkek keys can add more keys to a whitelist - or a blacklist. In the latter case, any executable which has a key on the blacklist will not boot.
The Linux Foundation later provided a list of ways in which this could be bypassed, provided hardware vendors cooperated.
The Windows Hardware Certification Requirements (PDF) say, on Page 116:
20. MANDATORY: On non-ARM systems, the platform MUST implement the ability for a physically present user to select between two Secure Boot modes in firmware setup: "Custom" and "Standard". Custom Mode allows for more flexibility as specified in the following:
a) It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK.
b) If the user ends up deleting the PK then, upon exiting the Custom Mode firmware setup, the system will be operating in Setup Mode with Secure Boot turned off.
c) The firmware setup shall indicate if Secure Boot is turned on, and if it is operated in Standard or Custom Mode. The firmware setup must provide an option to return from Custom to Standard Mode which restores the factory defaults.
On an ARM system, it is forbidden to enable Custom Mode. Only Standard Mode may be enable (sic).