The actual problem is (and has been for a long time) the enormous amount of absolute trash-level UEFI implementations.
Updating keys is easy. Alas… a lot of them are completely broken beyond repair and fail everything but running with the pre-installed keys, which includes updating (or adding new) keys (bonus points for the really screwed-up devices that even sign some of their own hardware with the pre-installed MS keys, thus bricking themselves if those keys are changed).