by ams6110 3390 days ago
I thought secure boot was about verifying the OS at boot time. Does it also self-verify the EFI code?
1 comments

I'd like to think the existing firmware verifies the signature of a replacement firmware before permitting the replacement. Otherwise we have problems. But at runtime, I'm not aware if there's any such thing as firmware doing a self-verification.

EFI binaries, though, are expected to be signed or they won't execute; that's the point of Secure Boot, and it includes bootloaders and the kernel all being signed. Most Linux distros I'm aware of also sign their modules, because permitting unsigned modules could allow you to inject malware right into the kernel just by loading a compromised kernel module.
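
Added example, not part of the thread: a structural check for the signature the Linux kernel expects at the end of a signed module file (the `~Module signature appended~` magic preceded by the 12-byte `struct module_signature`). It only reports whether a well-formed trailer is present and does not verify the signature against any key; the sample bytes and the helper names are constructed for illustration.

```python
import struct

MAGIC = b"~Module signature appended~\n"  # MODULE_SIG_STRING, last bytes of a signed .ko
TRAILER = struct.Struct(">5B3sI")         # struct module_signature: 12 bytes, sig_len big-endian
PKEY_ID_PKCS7 = 2                         # id_type used for PKCS#7 module signatures


def parse_module_signature(blob: bytes):
    """Return trailer fields for a signed module image, or None if nothing is appended.

    Structural check only: the signature is not verified against any key.
    """
    if not blob.endswith(MAGIC):
        return None
    trailer_end = len(blob) - len(MAGIC)
    trailer_start = trailer_end - TRAILER.size
    if trailer_start < 0:
        raise ValueError("file too short to hold the signature trailer")
    algo, hash_, id_type, signer_len, key_id_len, pad, sig_len = TRAILER.unpack_from(
        blob, trailer_start)
    sig_start = trailer_start - sig_len
    if sig_len == 0 or sig_start < 0:
        raise ValueError("sig_len does not fit inside the file")
    # With PKCS#7 the kernel expects every other trailer field to be zero.
    zeroed = (algo, hash_, signer_len, key_id_len) == (0, 0, 0, 0) and pad == b"\0\0\0"
    return {
        "id_type": id_type,
        "sig_len": sig_len,
        "module_len": sig_start,  # size of the module image without the signature
        "well_formed_pkcs7": id_type == PKEY_ID_PKCS7 and zeroed,
    }


def build_sample(signed: bool) -> bytes:
    """Constructed sample: ELF-like payload plus placeholder signature bytes."""
    module = b"\x7fELF" + b"\x00" * 60
    if not signed:
        return module
    fake_sig = b"\xAA" * 32  # placeholder, not a real PKCS#7 blob
    trailer = TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, b"\0\0\0", len(fake_sig))
    return module + fake_sig + trailer + MAGIC


if __name__ == "__main__":
    for label in (False, True):
        print("signed" if label else "unsigned", parse_module_signature(build_sample(label)))
```

A module that passes this check can still be rejected at load time, since the kernel also has to validate the signature against a key it trusts.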