Macs lack Secure Boot. This tools seems to be for non-Secure Boot computers. IF it's a Secure Boot system, rootkits aren't supposed to happen, and if they do then there's a hole somewhere that needs fixing.
I'd like to think the existing firmware verifies the signature of a replacement firmware before permitting the replacement. Otherwise we have problems. But at runtime, I'm not aware if there's any such thing as firmware doing a self verification.
EFI binaries though are expected to be signed or they won't execute, that's the point of Secure Boot, and it includes bootloaders and the kernel all being signed. Most Linux distros I'm aware of also sign their modules because permitting unsigned modules could allow you to inject malware right into the kernel just by loading a compromised kernel module.