My point is that to secure the BIOS you must latch this WP bit after the "press whatever to enter setup" message is gone and you must not accept SWAWARD as wildcard password.
If you fail at these, your system is insecure even in presence of BIOS signing.
If you implement these properly, your system is secure even without BIOS signing.
Ergo, BIOS signing is pointless as a security measure and author's whining about this leak putting users at risk is unjustified.
Well, BIOS flash tools would work in this case by flashing the new BIOS on reboot using a feature of the existing BIOS, which is when the BIOS signature would be validated.
If you fail at these, your system is insecure even in presence of BIOS signing.
If you implement these properly, your system is secure even without BIOS signing.
Ergo, BIOS signing is pointless as a security measure and author's whining about this leak putting users at risk is unjustified.