Good explanation @eadams, thanks.
I wanted to point out something that it says in the Ubuntu wiki link you shared:
Most x86 hardware comes from the factory pre-loaded with Microsoft keys. This means we can generally rely on the firmware on these systems to trust binaries that are signed by Microsoft, and the Linux community heavily relies on this assumption for Secure Boot to work.
If you’re truly paranoid, you might not want to trust MSFT keys. Also, many who value software freedom and security want to have greater control of the boot process because it is proprietary and subject to supply chain attacks. This is why there is a need for tools like Coreboot, which gives you control over the keys that live on the Trusted Platform Module and are used at boot time. That way you can use your own keys, created by you, in firmware, on your device.