Matthew Garrett blogged one more time about UEFI isses. To cite the most criticial problem:

“This is a little awkward for a couple of reasons. First, it means that any updates to the bootloader would require the user to manually accept the binary again. Second, as we’ve seen with https, there’s the risk of uesrs just blindly accepting things. If it’s acceptable to do this off internal media⁵ then malware could just rely on some number of users saying “yes”. And thirdly, we’ve been told that Microsoft’s Windows logo requirements forbid this option.”

blog post