I assumed they had jammed a new DXE into the UEFI capsule, which would probably be able to subvert secure boot.