Thank you for this. Sensationalist journalism to stir the pot doesn't bring answers, it just confuses more.

"An OS with a Pkek matching that installed in the firmware may add additional keys to the whitelist."

Does this mean you can just add you own key and self sign any code you want?

Presumably you have to sign a pkek key with the firmware key. Even then, you don't actually have full control of your OS's kernel, so it may not be easy to insert a key.