Ahh, okay. So in order for win8 to show your usbkey in the list of bootable media options, your distro-image must be recognized by UEFI as bootable. But the UEFI is not going to check, at *that* stage (holding-shift-in-win8) whether the purportedly bootable media will pass the SecureBoot digisig check. Seems non-intuitive to me... methinks the better approach would be to show the UEFI-recognized-but-SecureBoot-improper boot devices in red, or something.
Along the same lines, presumably there are *some* sorts of nominally bootable media that UEFI firmware would not actually recognize as bootable? Such as a 1.44 floppy with MSDOS, or perhaps MBR-style partitions, or ZIP-disk style partitions? What are the limitations here? Are the documented somewhere, or are they firmware-specific, i.e. the Samsung firmware will not recognize (say) GPT on usbkey in a usb3 port, but some other vendor's firmware might do fine?
Re: SecureBoot setting, versus SecureBoot philosophy
Along the same lines, presumably there are *some* sorts of nominally bootable media that UEFI firmware would not actually recognize as bootable? Such as a 1.44 floppy with MSDOS, or perhaps MBR-style partitions, or ZIP-disk style partitions? What are the limitations here? Are the documented somewhere, or are they firmware-specific, i.e. the Samsung firmware will not recognize (say) GPT on usbkey in a usb3 port, but some other vendor's firmware might do fine?