I haven’t made up my mind yet. Here are some information which are conflicting.
Some thing for https://www.whonix.org/wiki/Advanced_Security_Guide.
coreboot / libreboot should be preferred above all else since it is Libre Software / Open Source.
But since coreboot / libreboot has very limited hardware support, the other options also need some documentation / recommendation.
There is no feature like secure boot for coreboot / libreboot yet?
EFI should be discouraged because it is more open and standardized yet it is still obscure closed source like BIOS.
- For BIOS, there is no off-the-shelf backdoor code.
- For EFI, off-she-shelf backdoor code is readily available from github. - https://github.com/Cr4sh/SmmBackdoor
So infections that persist even reinstallations are more likely when using EFI. Therefore, In the question is only EFI vs BIOS, it would mean a clear recommendation for BIOS.
EFI and secure boot should be encouraged. AEM can measure malicious modifications, but secure boot can provide a chain of verification from the processor the the firmware (EFI) to the bootloader to the kernel.
There is an issue when secure boot gets implemented as restricted boot, but one could use the presigned shim bootloader or deploy its own secure boot keys.
Debian is working on secure boot.
Qubes does not have it yet. Other linux operating systems may already support it.