The PC BIOS is Insecure As Hell. WHY?
Since his comments seem to be broken (or he just does not accept any), I will comment here:
I believe it is very well possible (using the UEFI IP stack) to write tiny and portable BIOS malware that loads hardware- and OS-probing code, filesystem drivers and an OS-specific payload from a C&C server.
Also, I suspect that the checksums might be breakable, but I don't know which algorithms are used to calculate them.