This issue has been publicly known about in the Linux world since at least May 2011. In fact, Jake Edge wrote a long article about it in the June 15th issue of LWN. Moreover, Red Hat participated in the UEFI 2.3.1 specification. If they are now just waking up and realizing what they signed off on in this version of the specification, then somebody in Red Hat badly missed the ball.
All Microsoft is saying is that if a PC vendor wants to ship systems with Windows 8 pre-installed they must have secure boot enabled by default, that firmware not allow programmatic control of secure boot (to prevent malware from disabling security policies in firmware), and that the PC vendor prevent unauthorized attempts at updating firmware that could compromise system integrity. That is all goodness from a security point of view.
Low-end PCs will probably end up without a means to add keys. That is simply the nature of low-end, low-margin manufacturing. High-end server-type systems will almost certainly have the right tools to add the appropriate public KEKs (Key Exchange Keys) into the platform firmware. See Section 27.5 of UEFI 2.3.1 for all the gory details.