Linux 6.4 Allows For Optional CA Enforcement Of The Machine Keyring


  • Linux 6.4 Allows For Optional CA Enforcement Of The Machine Keyring

    Phoronix: Linux 6.4 Allows For Optional CA Enforcement Of The Machine Keyring

    With the Linux 6.4 kernel there is the ability being introduced so that the machine keyring can optionally only store CA-enforced keys...


  • #2
    Can someone please dumb this down for me? Who does this affect and what does this mean for them?



    • #3
      Originally posted by WiR3D:
      Can someone please dumb this down for me? Who does this affect and what does this mean for them?
      Part of the secure boot chain of trust. Makes it possible for machine owners that also use their own Certificate Authority to forbid keys not signed by their internal trusted CA key. This is mostly for corporations that have large fleets of Linux machines and need a central point of (internally controlled) trust. It's one extra hurdle to prevent anyone trying to usurp the trusted boot chain from inserting their own shim, kernel, or kernel modules. Not only would they have to insert their own key into the MOK, but they'd also have to compromise the corporate CA root key, which can even be internally created and signed. It requires no external authorities.

      This has nothing to do with DRM encryption. It's a security layer to help verify the kernel being booted and any subsequently loaded modules haven't been compromised by someone outside the organization.

      Edit to add: This can also be used to forbid Microsoft signed keys or any other external keys regardless of source. Anyone about to go incendiary about Microsoft secure boot conspiracies and CA root authority corporations can save it. You don't like secure boot, big deal. Turn it off. This patch is opt-in anyway. Sane people will evaluate their own options and threat models and act accordingly.
      Last edited by stormcrow; 24 April 2023, 04:10 PM.

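The policy stormcrow describes is opt-in at kernel build time, so the first thing a fleet administrator wants is a way to confirm which hosts actually enforce it and what their machine keyring holds. The audit script below is an added example, not code from the thread or from the kernel tree. It assumes the running kernel exposes its config through /proc/config.gz or /boot/config-$(uname -r) and that keyutils (keyctl) is installed; the config option names CONFIG_INTEGRITY_CA_MACHINE_KEYRING and CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX are the ones the 6.4 series introduced, and the constructed sample config at the top is there only so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the Phoronix thread or the kernel source): audit
# whether a kernel restricts the .machine keyring to CA keys, and list the
# keyring's contents. Assumes /proc/config.gz or /boot/config-$(uname -r)
# and keyutils (keyctl) are available on the host being audited.

# Constructed sample config (not taken from any real host) used to exercise
# the classifier without touching the running kernel.
SAMPLE_CONFIG='CONFIG_INTEGRITY_MACHINE_KEYRING=y
CONFIG_INTEGRITY_CA_MACHINE_KEYRING=y
# CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX is not set'

# Print the running kernel's config text, or fail if it is not exposed.
kernel_config_text() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Succeed when the config on stdin enables CONFIG_INTEGRITY_CA_MACHINE_KEYRING
# (new in Linux 6.4). With it set, only X.509 keys carrying the CA basic
# constraint and the keyCertSign usage are admitted to .machine; any other
# MOK-enrolled key is diverted to the .platform keyring instead.
ca_enforcement_enabled() {
    grep -qx 'CONFIG_INTEGRITY_CA_MACHINE_KEYRING=y'
}

# Succeed when the stricter CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX is also on:
# CA keys that additionally carry the digitalSignature usage are kept out of
# .machine too, leaving only pure signing-CA roots.
ca_enforcement_max_enabled() {
    grep -qx 'CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX=y'
}

# One-word policy summary for the config on stdin:
# "strict", "ca-only", or "unrestricted".
ca_enforcement_level() {
    cfg=$(cat)
    if printf '%s\n' "$cfg" | ca_enforcement_max_enabled; then
        echo strict
    elif printf '%s\n' "$cfg" | ca_enforcement_enabled; then
        echo ca-only
    else
        echo unrestricted
    fi
}

# Show the keys in the .machine keyring (needs keyutils and a kernel built
# with CONFIG_INTEGRITY_MACHINE_KEYRING); prints a note instead of failing.
list_machine_keyring() {
    if ! command -v keyctl >/dev/null 2>&1; then
        echo "keyctl not installed; skipping keyring listing"
        return 0
    fi
    keyctl show %:.machine 2>/dev/null \
        || echo ".machine keyring not present on this kernel"
}

# Full report for the host this script runs on.
audit_running_kernel() {
    if cfg=$(kernel_config_text); then
        echo "machine keyring policy: $(printf '%s\n' "$cfg" | ca_enforcement_level)"
    else
        echo "kernel config not exposed; cannot determine policy"
    fi
    list_machine_keyring
}

# Usage: sh audit-machine-keyring.sh --audit
# (with no argument the script only defines its functions)
case "${1:-}" in
    --audit) audit_running_kernel ;;
    --demo)  printf '%s\n' "$SAMPLE_CONFIG" | ca_enforcement_level ;;
esac
```

Run it with `--audit` on each host and feed the one-word result into whatever inventory you already keep; a host reporting "unrestricted" still loads every MOK-enrolled key into .machine, so the CA-only guarantee stormcrow describes does not hold there regardless of what the corporate CA does.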


      • #4
        If I'm understanding this correctly, we'll finally be able to use sbctl to sign modules?

        Heftig is probably adding support for loading UEFI keys into the Linux keyring when secure boot is enabled. This allows us to use the db key for kernel module signing which is handy if you are usin...



        • #5
          stormcrow thank you!
