The "set up your own PK without vendor or even Microsoft keys" is part of Microsoft's offering for some big-dollar clients in Enterprise, which is why it's included in certification these days.
And I mean using your own keys, not running without SecureBoot, which was the topic linked in the 2012 discussion.
(1) A system locked by Microsoft, who benevolently allows some users to achieve freedom by setting up new Platform Keys.
If the big dollar clients demand standardization and openness, then it might curtail the typical Microsoft antitrust shenanigans.
(2) A system that is owned by the purchaser, who may choose to deploy Microsoft or other security solutions, and then remove them, at will.
We already have (2), so any attempt to subvert it is by definition untrustworthy.
Item (1) is what is called "trustworthy computing," and Microsoft still openly celebrates it [1].
Item (2) is what is being obscured.
[1] https://www.microsoft.com/en-us/security/blog/2022/01/21/cel...
Trustworthy computing, even in the Microsoft way, involves the owner deciding what's running and being able to verify that. Funnily enough, Microsoft's "solution" here involves removing Microsoft keys and the owner signing the specific binaries they allow to run.
We don't have your (2) because of various gaps you could drive an American freight train through. The options that exist are all even more closed down than SecureBoot (which is just one leg of Trustworthy Computing).
N.B. the main subversive component in all of this, and tellingly implemented because stakeholders of "trustworthy computing" actually care about owner control, is the protected media path, foisted by the MPAA and the streaming industry through closed blobs in Intel ME and AMD PSP.
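What "removing Microsoft keys and the owner signing the specific binaries they allow to run" comes down to at the firmware level is the contents of the `db` and `dbx` authenticated variables, which are concatenated `EFI_SIGNATURE_LIST` structures. The following is an added example, not code from this thread or from any vendor tool: it serializes and parses that structure using the signature-type GUIDs from the UEFI specification, builds an owner-only `db`/`dbx` (no vendor or Microsoft entries), and applies the firmware's allow/deny rule to a few constructed stand-in images. The owner GUID and the image byte strings are constructed for the example, and the hash check uses raw SHA-256 of the bytes rather than the Authenticode PE hash real firmware computes; X.509 entries are parsed but not chain-verified.

```python
"""EFI_SIGNATURE_LIST round-trip and an owner-only db/dbx decision (added example)."""
import hashlib
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# Constructed SignatureOwner GUID for the machine owner (assumption; any GUID the owner picks works).
OWNER_GUID = uuid.UUID("0f3a1c2e-7b4d-4e6f-9a10-2c3d4e5f6071")

# Constructed stand-ins for boot binaries (real ones are PE/COFF images).
OWNER_LOADER = b"constructed: loader built and enrolled by the owner"
REVOKED_LOADER = b"constructed: old loader the owner later withdrew"
VENDOR_LOADER = b"constructed: binary the owner never enrolled"


def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, payloads: list[bytes]) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST: type GUID, ListSize, HeaderSize, SignatureSize, entries.

    Every EFI_SIGNATURE_DATA entry in a list has the same size, so each X.509
    certificate goes in its own list while SHA-256 hashes (all 32 bytes) share one.
    """
    sizes = {len(p) for p in payloads}
    if len(sizes) != 1:
        raise ValueError("all entries in one EFI_SIGNATURE_LIST must be the same size")
    sig_size = 16 + sizes.pop()  # SignatureOwner GUID + SignatureData
    body = b"".join(owner.bytes_le + p for p in payloads)
    header = sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size)
    return header + body


def parse_esls(blob: bytes) -> list[tuple[uuid.UUID, uuid.UUID, bytes]]:
    """Parse a concatenation of EFI_SIGNATURE_LISTs as stored in PK/KEK/db/dbx."""
    out, off = [], 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size
        if (end - pos) % sig_size:
            raise ValueError("EFI_SIGNATURE_DATA entries do not fill the list")
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            out.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return out


def _sha256_entries(var: bytes) -> set[bytes]:
    return {data for sig_type, _, data in parse_esls(var) if sig_type == EFI_CERT_SHA256_GUID}


def image_allowed(image: bytes, db: bytes, dbx: bytes) -> bool:
    """Firmware decision for a hash-enrolled image: dbx (forbidden) wins over db (allowed).

    Simplified: real firmware hashes the PE image per Authenticode rules and also
    accepts images whose signature chains to an X.509 entry in db. Hash entries
    are what an owner enrolls to allow one specific binary without running a CA.
    """
    digest = hashlib.sha256(image).digest()
    if digest in _sha256_entries(dbx):
        return False
    return digest in _sha256_entries(db)


def owner_only_db() -> tuple[bytes, bytes]:
    """db/dbx holding only entries the owner enrolled: the 'no vendor keys' configuration."""
    db = build_esl(EFI_CERT_SHA256_GUID, OWNER_GUID,
                   [hashlib.sha256(OWNER_LOADER).digest(), hashlib.sha256(REVOKED_LOADER).digest()])
    dbx = build_esl(EFI_CERT_SHA256_GUID, OWNER_GUID, [hashlib.sha256(REVOKED_LOADER).digest()])
    return db, dbx


if __name__ == "__main__":
    db, dbx = owner_only_db()
    for name, img in [("owner loader", OWNER_LOADER), ("revoked loader", REVOKED_LOADER),
                      ("never enrolled", VENDOR_LOADER)]:
        print(f"{name:15s} -> {'boots' if image_allowed(img, db, dbx) else 'refused'}")
    for sig_type, owner, data in parse_esls(db + dbx):
        print(f"type={sig_type} owner={owner} data={data.hex()[:16]}...")
```

Run as a script, it prints that only the owner-enrolled loader boots, and lists every entry with its SignatureOwner, which is how one audits a machine's `db` for anything the owner did not put there. Enrolling such lists on real hardware additionally requires each variable update to be signed by the next key up the chain (PK over KEK, KEK over db/dbx), which this model leaves out.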