All boards with Secure Boot use UEFI, so the boot sector is irrelevant. There is the possibility that an exploit (which gets root privileges) modifies the bootloader itself, which would result in a non-booting system with Secure Boot enabled, unless the modified bootloader is signed with a key that is present in the firmware. It is however (or should be) not possible to change keys from a running OS.
With Secure Boot disabled there is nothing to prevent a hacked system from booting.

This question does not make much sense in this form. Mainboards without Secure Boot (which are available) do not need a feature to disable Secure Boot.

What stops the part-time admin from disabling Secure Boot? It seems like the only way Secure Boot can be useful against an attacker with physical access is if it's impossible to disable it.

Sorry for derailing your thread. The answer to the question is yes, such software has existed in the past, exploiting vulnerabilities that have since been fixed.

The boot sector does not enjoy any special protection under Linux (or Windows, for that matter). If you can write to the boot device, you can modify the boot sector. Assuming the user lacks the necessary privileges to write directly to the device, there are two common attack vectors:

1. Application vulnerability > OS privilege escalation vulnerability > boot sector modification
2. Network-exploitable OS vulnerability [ > OS privilege escalation vulnerability ] > boot sector modification

In the first scenario, the user is tricked into opening a specially-crafted file or visiting a compromised website. An application vulnerability causes code in the file/content to be executed. The code exploits an OS vulnerability to gain root privileges and alters the boot sector.

In the second scenario the user isn't really involved at all, but this will only work if the attacker can access a service on the computer remotely. A vulnerability in the OS or a remotely accessible service is exploited to inject malicious code, which then proceeds to obtain root privileges (if necessary). It then modifies the boot sector.

There are lots of motherboards without Secure Boot. Any non-UEFI board will do, as well as boards supporting UEFI versions older than 2.2.

Do you need it?
No

Is it useful?
Yes

Frankly a motherboard manufacturer would be foolish to NOT have SecureBoot available in their UEFI products. Without it Windows 8 will not run and they will loose out on what is unarguably their largest market segment.

As I understand it SecureBoot is only enabled by default in systems sold with Windows 8 preinstalled, and even then there is a BIOS option to disable it (though Win 8 will refuse to boot if you do).

The biggest problem is for those who wish to dual boot Win 8 and Linux.

I have to correct that. Windows 8 will run fine without Secure Boot and also on non-UEFI machines (you can easily test that with Virtualbox). Microsoft wouldn't leave the market of people that are upgrading the OS on their older machines behind.

In order to get the Windows 8 Logo certification, so that you can put a sticker on the box, the mainboard must use UEFI, support Secure Boot (with an option to disable it on non-ARM systems) and has to be shipped with enabled by default Secure Boot (not true for servers, Secure Boot may be disabled).
That means that a machine that ships with Windows 8 pre-installed can be shipped without having UEFI or Secure Boot, but can also be shipped with Secure Boot enabled without an option to disable it, as long as it does not have the Windows 8 Logo certification.

Sounds counter-intuitive and a little bit ironic, but having a Windows logo is the best way to make sure that you can install Linux.

You are of course correct regarding older systems, and self-built. I had based it on what seemed to be a discussion of commercially purchased systems with Windows pre-installed. I daresay with the possible exception of smaller makers such as local shops and such, all the major players are going to be certified/logo bearing products.

I don't get the impression that Secure Boot / UEFI was designed by seasoned cryptologists. I'm not persuaded that it will prove to be as technically successful as hoped, and I will hereby wager a beer that it will be gone from Windows-8 as a requirement by, say, June of 2013.

Having signed (and free of cost) Windows keys can be useful for Linux as well.
It's not just the bootloader but the entire boot chain that needs to work with it.

Handling UEFI Secure Boot in smaller distributions:
http://mjg59.dreamwidth.org/17542.html
https://www.suse.com/blogs/uefi-secure-boot-details/
https://github.com/mjg59/shim/tree/mok

Really - depending on Microsoft for the ability to use Linux is, at least for me, NOT an option.

Yeah, the problem with all such crypto-based systems is ... who do you trust as "the ultimate authority?" Alas, there really isn't an acceptable solution, not even in the world of SSL, where a few companies (e.g. Thawte) found themselves "in the right place at the right time" business-wise, but tasked with a role that realistically can't be met. (It is centralized in a way that probably has no real-world meaning.) Microsoft might dream of being the big-man on campus in this new space that they'd like to carve out for themselves, but I don't think that "Secure Boot" is going to survive for long as a technologically viable strategy. There are simply too many points of vulnerability, although it might be better than nothing-at-all... (which is the situation right now).