“It’s a big problem,” said Martin Smolár, a malware analyst specializing in rootkits who reviewed the Binarly research and spoke to me about it. “It’s basically an unlimited Secure Boot bypass for these devices that use this platform key. So until device manufacturers or OEMs provide firmware updates, anyone can basically… execute any malware or untrusted code during system boot. Of course, privileged access is required, but that’s not a problem in many cases.”

I mean, I don't really have much interest in requiring that my BIOS code be signed, but I have a hard time believing that this Martin Smolár guy is correct. Just entirely disable firmware updates in the BIOS, and re-enable just for the one boot where you update your BIOS while booting off a trusted USB key. You'd never put your OS in a position of being able to push an update to the BIOS.

EDIT: Actually, if current BIOSes can update without booting to an OS at all, just selecting a file on a filesystem that they can understand -- IIRC my last Asus motherboard could do that -- you never need to enable it for even that.