Debian 9.0 "Stretch" Might Not Have UEFI Secure Boot Support


  • #11
    Originally posted by debianxfce View Post
    Dual booting is for beginners anyway. Tough guys do run windows with UEFI GPU passthrough in KVM or QEMU.
    Fixed.

    Comment


    • #12
      Originally posted by stikonas View Post

      On the contrary, it is quite useful. On my laptop I have full disk encryption, so /root and /boot are in one big LUKS volume. Only a 1 MiB partition in front is unencrypted, and it contains a single file, grubx64.efi, signed by my own Secure Boot key, which is the only thing that Secure Boot allows to boot here. So an evil maid attack becomes impractical. You can't replace my signed bootloader with something else.
      That is, as long as you don't allow changing the GRUB command line

      Comment


      • #13
        To me Secure Boot is just a means introduced by MS to hamper installation of alternate operating systems (Linux, BSD, older Windows versions, whatever). Moreover, UEFI is a large, bloated mess.


        Originally posted by hax0r View Post
        It is nice to have a firmware that can understand FAT32 natively
        Sorry? I winced when I saw it the first time on a laptop, that they do have to have an extra VFAT boot partition now. I thought FAT was something from the dark middle ages... In my opinion the FW's job is just to boot and bring up the hardware and then look at a specified media(s) for the magic $ of a bootloader and give control to it.

        And why should a FW-located boot option menu be so much better than e.g. a GRUB? Especially since you have to be able to read data on partition and file system level then. And that means you need more code in the FW - and are forced to use that very FS on your boot partition. Furthermore having VFAT capabilities anywhere might tempt MS to sue you for license payments for their ancient crutches-of-an-FS-with-added-crutches patents related to VFAT. (Iirc. TomTom was stupid enough to pay...)
        Besides, can you update your FW's bootloader as easily as writing to a HDD/SSD? (No, you can't. Especially when you do not have means to get access to the very flash chip.)

        Stop TCPA, stupid software patents and corrupt politicians!

        Comment


        • #14
          If you use Ubuntu, which is a derivative of Debian, then you will still have UEFI Secure Boot support.

          Comment


          • #15
            Originally posted by Kohrias View Post
            No loss at all. "Secure" boot is an anti-feature anyway.
            While I agree with it being an anti-feature, please do consider that there are systems where you can't disable Secure Boot. Those people aren't able to use Debian 9.0. And with more systems (sadly) adopting a BIOS where you can't disable SB, it isn't going to help Debian adoption.

            Comment


            • #16
              Originally posted by debianxfce View Post
              Dual booting is for beginners anyway.
              Lolwut? If one can't disable Secure Boot, then single-booting Debian 9.0 isn't going to work either.

              Comment


              • #17
                Originally posted by Vistaus View Post
                Lolwut? If one can't disable Secure Boot, then single-booting Debian 9.0 isn't going to work either.
                If you install Debian testing + XFCE and the amd unstable kernels and also wicd then Secure Boot will boot that and refuse to boot Windows.

                Because Debian Testing + XFCE is that awesome.

                /sarcasm

                Comment


                • #18
                  I had to disable those "security" features at the BIOS, otherwise, DKMS kernel modules do not work.
                  I think that it also includes this "security boot" mode.
                  This "security" is crap, I always use just regular, old school, "BIOS boot".
                  I use LUKS encryption anyway...

                  Comment


                  • #19
                    Originally posted by ThiagoCMC View Post
                    I had to disable those "security" features at the BIOS, otherwise, DKMS kernel modules do not work.
                    I think that it also includes this "security boot" mode.
                    Yes, correct. Kernel modules (just as kernel/bootloader/shim) need to be signed if you use SecureBoot, so stuff out of tree or proprietary drivers might not work.

                    Comment
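Whether a given module file carries the signature that #18 and #19 are talking about can be checked from the file itself. The following is an added example, not part of any post in this thread: it parses the trailer that Linux module signing appends to a `.ko` file (`struct module_signature` followed by the `~Module signature appended~` marker). The function names and the sample bytes are constructed for illustration, and compressed modules (`.ko.xz`, `.ko.zst`) are assumed to be decompressed first.

```python
import struct

MAGIC = b"~Module signature appended~\n"  # MODULE_SIG_STRING at end of file
TRAILER = struct.Struct(">5B3xI")          # struct module_signature (12 bytes)
PKEY_ID_PKCS7 = 2                          # id_type used for PKCS#7 signatures


def module_signature_info(blob: bytes):
    """Describe the appended signature of a module image, or None if unsigned.

    Structural check only: it does not verify the PKCS#7 data or whether
    the signing key is trusted by the kernel (db, MOK, built-in keyring).
    """
    if not blob.endswith(MAGIC):
        return None  # typical for an unsigned DKMS / out-of-tree build
    end = len(blob) - len(MAGIC)
    if end < TRAILER.size:
        raise ValueError("truncated signature trailer")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack(
        blob[end - TRAILER.size:end])
    payload_len = end - TRAILER.size - sig_len
    if payload_len < 0:
        raise ValueError("sig_len is larger than the file")
    return {
        "pkcs7": id_type == PKEY_ID_PKCS7,
        "sig_len": sig_len,
        "payload_len": payload_len,  # size of the ELF image without signature
        # The kernel rejects PKCS#7 trailers where these fields are non-zero.
        "legacy_fields_zero": (algo, hash_, signer_len, key_id_len) == (0, 0, 0, 0),
    }


def build_constructed_sample(payload: bytes, sig: bytes) -> bytes:
    """Constructed test input: payload + fake signature bytes + trailer."""
    return payload + sig + TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(sig)) + MAGIC


if __name__ == "__main__":
    elf_stub = b"\x7fELF" + b"\x00" * 60          # constructed, not a real module
    print(module_signature_info(elf_stub))        # unsigned
    print(module_signature_info(build_constructed_sample(elf_stub, b"S" * 256)))
```

To audit a real system, read each decompressed module file as bytes and pass it to `module_signature_info`; a `None` result on a Secure Boot machine that enforces module signatures points to the module that will be refused at load time.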


                    • #20
                      Originally posted by starshipeleven View Post
                      Yes, correct. Kernel modules (just as kernel/bootloader/shim) need to be signed if you use SecureBoot, so stuff out of tree or proprietary drivers might not work.
                      Only if you boot directly to kernel. If you use grub, then only grub needs to be signed. Kernel does not need to be signed. Ideally, kernel would be encrypted, so safe anyway.

                      Comment
