Matthew Garrett published the first patches this week that take an initial stab at the Linux kernel UEFI Secure Boot support.
An "RFC" (Request For Comments) patch series was published entitled First attempt at kernel secure boot support
by Red Hat's Matthew Garrett.
The UEFI Secure Boot trust model is based on it not being possible for a user to cause a signed OS to boot an unsigned OS, even if that user has administrative privileges. This is an initial attempt at a set of patches to reduce root's ability to modify the kernel. We've done this with an additional capability for a couple of reasons:
1) CAP_SYS_RAWIO already covers pretty much everything we want, but also disables a lot of functionality that we don't want to lose. Following the same model seems reasonable.
2) This capability may be more generically useful for some use-cases. Adding a set of hardcoded is_secure_boot() checks in the same places would prevent that.
See more UEFI SecureBoot coverage
for those not up to speed on the Linux implementation.