The real problem is lately we've been seeing malware that lives in UEFI from APT (Edit: Advanced Persistent Threat actor, usually state sponsored) groups. That means it is persistent and will typically disallow updating the UEFI once infected. And almost everyone hates OS updates, and the smallest percentage are willing to update firmware, because it can brick a device, so UEFI isn't going to get updated. This is one of the few things you MUST trust, even if you want to follow zero trust.
Firmware should have a physical switch to enable updating it. Fuck self checked signatures. There, fixed all the BIOS and firmware exploits for you. You're welcome.
Firmware vulnerabilities aren't necessarily used to target the firmware or to try to gain persistence - vulnerabilities in SMM handlers, for instance, can be used for privilege escalation at runtime.
Limit, but it doesn't remove all avenues of attack. Firmware config needs to be writable at runtime (things like cold boot attack protection require state to persist over power cycles, even if you don't think other firmware config should be modifiable without physical presence), and the code that parses that could still contain vulnerabilities. Making firmware mostly read-only would mitigate certain classes of attack, but not all of them.
I'm responding to "There, fixed all the BIOS and firmware exploits for you". It doesn't actually fix all the potential exploits, and it makes it more difficult to apply the updates that would be required to fix them.
That only works for IT-managed devices (and even then, is very expensive in terms of labor). Consumer devices need auto-update to protect them from known vulnerabilities. Auto-update is hard to get right, but your product is defective by design if it doesn't support it.
Sometimes firmware updates make the system worse or even completely bricked. If the machine is already working and stable, I've learned it's a risky / bad idea to eagerly apply firmware updates.
Flash media is cheap nowadays, and HP EliteBook series laptops store a couple of previous BIOS versions on board to make rollback possible. Also, these higher-end laptops can try the previous version of their firmware if they fail to boot with the latest one.
Failing to see how Lenovo can't implement something like that.
Bad idea because firmware bugs are a growing attack vector and you are leaving yourself exposed to known, easily-exploited vulnerabilities by not staying up to date.
I mean sure, but no one is forcing users to install software from APT groups. That's a choice people make. The general point is that you should be able to use hardware for general computing. There can be a switch that by default limits to software signed by your original manufacturer, but that should be toggleable by the end user.
OP probably misunderstood it as Advanced Package Tool, the system Debian uses for package management (i.e. APT sources), instead of Advanced Persistent Threat, which is what the quote is talking about (i.e. sophisticated hackers, usually state backed/state owned, that attack your machine).