First is Secure Boot. With Secure Boot enabled, the platform firmware checks every piece of boot code, from the first-stage bootloader through the OS loader and kernel, against its database of trusted signing keys and image hashes before that code is allowed to run, and it refuses anything that is unsigned, signed by an untrusted key, or listed in the revocation database (dbx). So if someone adds a few lines of code to the bootloader, or swaps in a bootkit, the signature or hash no longer matches and that code never executes. Two caveats matter in practice: Secure Boot protects the boot path, not the firmware image itself, so a signed firmware update process and write-protected flash are separate controls; and anyone who can disable Secure Boot or enroll their own key in the firmware setup can boot whatever they like, which is why the setup password and the ownership of the enrolled keys are part of the control.
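To make the verification rule concrete, here is an added example (not code from the original page or from any firmware vendor) that models the Secure Boot decision: each stage of a constructed boot chain is hashed and checked against an allow-list (db) and a revocation list (dbx) before it is allowed to run. Real UEFI firmware checks X.509 signatures as well as hashes; this model uses SHA-256 hash entries only, which UEFI db also supports, so it runs with the Python standard library. The image names, their byte contents, and the helper names are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class BootImage:
    """A boot-stage binary as the firmware sees it: a name and raw bytes."""
    name: str
    code: bytes


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the real binaries in a shim -> bootloader -> kernel chain.
SHIM = BootImage("shim.efi", b"SHIM v1: load and verify the next stage")
BOOTLOADER = BootImage("grubx64.efi", b"GRUB: read config, load the kernel")
KERNEL = BootImage("vmlinuz", b"KERNEL: init hardware, start PID 1")

# db: what the platform owner has authorized. UEFI db may hold certificates or
# EFI_CERT_SHA256 hash entries; only hash entries are modelled here (assumption).
DB = {sha256(img.code) for img in (SHIM, BOOTLOADER, KERNEL)}

# dbx: forbidden images. A loader that was once authorized but is now known to be
# exploitable gets its hash added here so it can never be booted again.
OLD_VULNERABLE_LOADER = BootImage("grubx64.efi", b"GRUB: old build with a buffer overflow")
DBX = {sha256(OLD_VULNERABLE_LOADER.code)}


def patch_image(img: BootImage, extra: bytes) -> BootImage:
    """Simulate an attacker appending 'a few lines of code' to a boot binary."""
    return BootImage(img.name, img.code + extra)


def verify_boot_chain(chain, db, dbx, secure_boot_enabled=True):
    """Return (booted, log). Each stage is checked before it executes; the first
    failure halts the boot, so later stages are never reached."""
    log = []
    if not secure_boot_enabled:
        # Setup mode / Secure Boot off: the firmware runs whatever it is handed.
        log.append("Secure Boot disabled: no verification performed")
        return True, log
    for img in chain:
        digest = sha256(img.code)
        # dbx takes precedence over db, as in UEFI: a revoked image stays revoked
        # even if an old db entry still lists it.
        if digest in dbx:
            log.append(f"{img.name}: REJECTED (revoked, listed in dbx)")
            return False, log
        if digest not in db:
            log.append(f"{img.name}: REJECTED (not in db)")
            return False, log
        log.append(f"{img.name}: OK")
    return True, log


if __name__ == "__main__":
    good_chain = [SHIM, BOOTLOADER, KERNEL]
    tampered_chain = [SHIM, patch_image(BOOTLOADER, b"\n; implanted bootkit"), KERNEL]
    downgraded_chain = [SHIM, OLD_VULNERABLE_LOADER, KERNEL]
    for label, chain in (("clean", good_chain), ("tampered", tampered_chain),
                         ("downgraded", downgraded_chain)):
        booted, log = verify_boot_chain(chain, DB, DBX)
        print(f"{label}: booted={booted}")
        for line in log:
            print("  " + line)
    # The same tampered chain boots fine once Secure Boot is switched off, which is
    # why the setup password and key ownership matter as much as the check itself.
    print("tampered, Secure Boot off:", verify_boot_chain(tampered_chain, DB, DBX,
                                                         secure_boot_enabled=False)[0])
```

The tampered bootloader differs from the authorized one by a handful of bytes, but the hash is entirely different, so it is rejected before it runs and the kernel stage is never examined. The last case shows the limit of the control: with Secure Boot disabled, the same chain boots without complaint.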