by ZephyrP 3291 days ago
I explored this issue many years ago and, at least at the time, it was my understanding that for many motherboards it's simply not possible to introduce unsigned code through software alone.

I second this; usually BIOS updates are signed.

You could always check if there is a signature with binwalk or something if it makes you feel safer.

I did run an older version of binwalk on the firmware image, but it was unable to unpack anything and only printed false positives. I have now tried the newest version and it's able to unpack everything and display a lot of information. The PE modules in UEFI seem to be signed, as these signatures are found many times:

  Certificate in DER format (x509 v3)
  SHA256 hash constants, little endian

Very interesting to dig around in the firmware, I even found the boot splash image. Definitely a time sink, but fun.
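
An added example, not part of the thread: magic-byte scans like the one above can report false positives, so this sketch keeps only hits whose DER structure matches the three-field layout of an X.509 Certificate. It assumes the scanner keys on the `30 82` SEQUENCE header (an assumption about how such signatures match); `read_der_len`, `find_cert_candidates` and `SAMPLE` are names made up for this example.

```python
import sys

def read_der_len(buf, pos):
    """Return (content_length, header_size) for the DER TLV at pos, or None."""
    if pos + 2 > len(buf):
        return None
    first = buf[pos + 1]
    if first < 0x80:                       # short form: length in one byte
        return first, 2
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or pos + 2 + n > len(buf):
        return None
    return int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n

def find_cert_candidates(buf):
    """Return [(offset, size)] of byte runs structured like an X.509 Certificate."""
    hits = []
    pos = buf.find(b"\x30\x82")
    while pos != -1:
        outer = read_der_len(buf, pos)
        if outer and pos + outer[1] + outer[0] <= len(buf):
            cur, end = pos + outer[1], pos + outer[1] + outer[0]
            tags = []
            # Expect exactly: tbsCertificate SEQUENCE, signatureAlgorithm
            # SEQUENCE, signatureValue BIT STRING, filling the outer SEQUENCE.
            while cur < end and len(tags) < 4:
                inner = read_der_len(buf, cur)
                if inner is None:
                    break
                tags.append(buf[cur])
                cur += inner[1] + inner[0]
            if tags == [0x30, 0x30, 0x03] and cur == end:
                hits.append((pos, end - pos))
        pos = buf.find(b"\x30\x82", pos + 1)
    return hits

# Constructed sample: padding, a decoy that only matches the magic bytes,
# then a certificate-shaped structure (not a real certificate).
_TBS = b"\x30\x82\x01\x00" + bytes(256)
_BODY = _TBS + b"\x30\x02\x05\x00" + b"\x03\x03\x00\xaa\xbb"
SAMPLE = (b"\xff" * 16 + b"\x30\x82\x00\x04AAAA"
          + b"\x30\x82\x01\x0d" + _BODY + b"\xff" * 8)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, size in find_cert_candidates(data):
        print(f"0x{off:08x}  {size} bytes  certificate-shaped DER")
```

A hit means certificate-shaped bytes are present at that offset; it does not show which module they belong to or that the firmware checks a signature against them.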