@niggy >Chinese/Russian/US intelligence have all been using BIOS implants since the 2000's.
I don't see how codemonkey rolled signature checking is meant to stop state level actors from writing UEFI injecting malware (as evidenced by all the articles about UEFI level malware being found on hardware even with such digital handcuffs).

State level actors are less common than free boot software enthusiasts, although such actors all together may have numerically more employees.

If you want to actually stop such attacks, you need a 100% free software BIOS which is checked for vulnerabilities and them maybe optionally the ability for the user to set signing keys.