It is really frustrating that they do not ship checksums for immutable sections of the UEFI image, as this would require almost no effort on their part [1]. Of course enterprise out of the extreme HAP universe doesn't care because it won't invest the effort to image their chips.
[1] https://github.com/LongSoft/UEFITool