(Oops. Sent this to cctech by accident. It really belongs here as this isn't exactly
"classic")
Evening all,
I've been thinking (I don't actually have a secureboot-capable device nor have I read the
spec) about how one would theoretically circumvent it.
I was initially thinking of it in terms of how TSX was booted on the PDP-11 (starting at
RT-11, loading TSX as an application and having it replace RT-11). That approach has
some flaws, however:
1) In the case of WinRT, user mode apps wouldn't have the privileges to replace WinRT's
memory.
2) Kernel modules providing a shim would need to be signed else they wouldn't load.
3) You couldn't modify a driver without the checksum matching. Which brings me to this:
Does SecureBoot actually check if the checksum matches, or just the public and private
key?
Alternatively, how securely is the key stored? Would it be possible to retrieve the key
from memory? If that's doable, it would be easier to implement this.
Are there any steps in the modern NT boot procedure I'm forgetting that would let you
inject a "boot loader" to "jump" to either Windows or another OS that would circumvent
SecureBoot?
Thoughts/comments greatly appreciated!