Found here.
When Secure Boot is fully enabled in the firmware of a Microsoft device, it will only boot up an operating system that is cryptographically signed by Redmond. That stops you from booting up any OS you want on your Windows RT tablet, certain Windows Phones and so on.
Alongside this, there are Secure Boot policies, which are rules that are loaded and obeyed during early startup by the Windows boot manager. These policies must also be signed by Microsoft to be accepted, and are installed on devices and machines using a Microsoft-signed tool.
For internal debugging purposes, Microsoft created and signed a special Secure Boot policy that disables the operating system signature checks, presumably to allow programmers to boot and test fresh OS builds without having to sign each one.
If you provision this magic policy, that is, if you install it into your firmware, the Windows boot manager will not verify that it is booting an official Microsoft-signed operating system. It will boot anything you give it provided it is cryptographically signed, even a self-signed binary – like a shim that loads a Linux kernel.
Aside from the obvious idea of security through obscurity, and the other implications of this leak and other systems with backdoors that only, say, government or law enforcement are meant to know about... this is good news, since the future of devices locked by Secure Boot is now back in the control of the consumer, for now.
The findings of the two researchers noted in the article (MY123 and Slipstream) are posted here (beware: interesting graphics).