There is no need to make UEFI to solve that - just scrap the badly
outdated "real mode" and start code running in "sane mode" (I've
forgotten what that is called in modern x86 parlance - enhanced long
mode, or something). The only thing that is needed to make this work is
a very simple default setup in the memory management unit. Coreboot has
perhaps three or four instructions in "ancient mode" before jumping
straight to "sane mode" for everything else. There is no early reason
why BIOSes should do anything else. And there is certainly no need for
shells, hidden partitions, "extensible" firmware that is never extended,
"trusted encryption", or any of the other complicating twaddle of UEFI.

UEFI was created for one purpose, and one purpose only - it was invented
by Microsoft in order to make life difficult for anyone who wanted to
put something other than Windows on a computer. Everything else is just
an excuse with no real benefit to anyone.

Look at it this way - how often have you ever used your computer's UEFI
BIOS in a way that is different from a "traditional BIOS" ? Apart from
the inconvenience of having to waste a little disk space on a pointless
UEFI partition, what difference does it make? The answer is /none/.
I think we should be clear here on the terms, and what we mean by them -
then it will be easier to see what I mean here.

The original PC BIOS had three functions. It would do the initial setup
of the system (ram initialisation, chipset configuration, etc.). It
would find and start the bootloader from the beginning of the disk. And
it provided services (such as INT 13, if my memory serves me) for the OS
to access hardware.

After a while, this third function was effectively useless as OS's
handled the hardware themselves.

BIOS's continued to be developed in an idiotic manner - often in
assembly, and invariably in real mode. That was the choice / fault of
the BIOS designers - there was no requirement to do so, and no purpose
in doing so. (They'd still need some real mode and assembly code to
support INT 13 and the rest, as long as they wanted to support DOS.)

Intel tried to change this by starting the EFI project. It petered out
from lack of support. Intel, Microsoft and some manufacturers got
together to make the UEFI specifications. These were full of a range of
ideas, features and complications which have never been used in
practice. Much of the point - for Microsoft - was to make sure Linux
would not work. Intel hoped it would let them scrap the silly old
compatibility modes on their cpus. Manufacturers hoped it would mean
the BIOS writers would use tools from this century and make BIOSes that
didn't look like DOS programs.

None of the complications of UEFI add anything of use. Almost none of
the new features are used. (There are a couple of things that OS's read
from it about motherboard and cpu setup, which could have been handled
in other ways.) None of the claimed benefits of UEFI, such as support
for sane cpu modes, big disks and C programming are in any way a feature
of UEFI - they could all have been part of any kind of BIOS.

The only things that are particular to UEFI are the signed firmware
stuff, and the ability to run different programs from a specific
dedicated partition. Those are the bits designed to be inconvenient,
and the provide no benefit.
That doesn't need UEFI - it needs a simple default "all memory mapped
directly and fully accessible" default to the memory management unit in
the x86 cpu, as is done on sensible processors, and then all the other
silly old compatibility modes can be scrapped (other processors never
had them).
That doesn't need UEFI. People were using bootloaders to handle
multiple operating systems long before UEFI was conceived.
UEFI is no longer a problem (it was, when it was introduced). You make
sure you have your pointless little partition, then install your OS of
choice like normal. But that does not stop it being a useless waste of
effort.

Cruft that was once useful, but could later have been removed /without/
adding a trainload of new UEFI cruft that has never been not used.

First, let me repeat - there is nothing that the UEFI BIOS can do that
another BIOS cannot. There is nothing hindering a non-UEFI BIOS being
able to access files. A Coreboot BIOS, for example, has as much of a
Linux system as you choose to compile into it. It is not UEFI - it does
not provide the UEFI-specified services, or need the UEFI partition.

Secondly, a UEFI BIOS cannot access files except on a very simplistic
and limited filesystem (fat32). It can't work with files on NTFS, ext4,
btrfs, raid, or anything else.
Traditional BIOSes have been able to block writes to boot sectors
(previous to that, boot sector viruses were "popular". The only virus I
have ever had on a computer was a boot sector virus). And updates to
BIOS were protected by "security by obscurity" - updates were so
inconvenient that you didn't do it by mistake or malware.

When you have unnecessarily features that are not used (and therefore
people don't get familiar with them and spot flaws), and an overly
complex design, then security failures are almost inevitable.

If you're worried about horrible things happening on your /boot/efi
filesystem, may I suggest
https://linuxconfig.org/intrusion-detection-systems-using-tripwire-on-linux
I have used this in the distant past when in a corporate network where a
sysadmin was known to have dubious morals and can say that you need to
be very careful which filesystems you use this on - a "differences"
report of half a million lines is useless for practical purposes, even
/boot/efi is updated quite frequently with the distribution I use.

On Tue, 23 Mar 2021 19:40:38 -0000 (UTC)
Thanks. I won't be buying a Lenovo.