EFI-enabled systems will see some nice improvements with the upcoming Linux 4.6 kernel.
One of the big EFI changes for Linux 4.6, already delayed twice, is the use of separate EFI page tables when executing EFI firmware code. This isolates the EFI context from the rest of the kernel, which is a big help from a security perspective.
Read more at Phoronix