They charge a fee to get a certificate that you can use to submit binaries to be signed with the Microsoft signing service. If you're a user of a distribution you won't have this problem, because distributions have already paid and have a hack "shim" which effectively enrols the distribution's own keys into the trustdb. But if you wanted to make your own distribution you would have to pay.

Nope. It should be normally possible to disable Secure Boot.

In fact, many distributions don't support Secure Boot at all.

> Nope. It should be normally possible to disable Secure Boot.

This is only true on x86. On arm, Microsoft's requirements state that it should not be possible for users to disable Secure Boot.

But is there any interesting ARM hardware that is certified for Windows? (Honest question, I have no idea.)

For Windows RT, looks like there wasn't that many certified devices.[1]

[1]: https://en.wikipedia.org/wiki/Windows_RT#Devices