I've been trying to understand the risk of an unprotected BIOS being the victim of an UEFI attack using Meltdown and what the risks are compared to the bug being unpatched in the OS.
What is required in order to insert UEFI malware? Is this possible from within the OS, to load code up into UEFI or does it require a physical presence at the machine with a bootable device?
There is no relation between Meltdown and UEFI attacks.
Meltdown allows to read kernel memory by using a a cache side-channel used during speculative execution. It does not write anything into privileged memory, or processor microcode.
Previous answer is wrong in-part. Yes there is no direct correlation between Meltdown and UEFI attacks (yet) being seen in practice or in theory. But based on the fact that meltdown allows you to read kernel protected memory, the possibility to read any data in memory by incorrectly training the branch predictions.
Secure boot, UEFI and BIOS all rely on total integrity and confidentiality of data within the computational environment. More importantly these vulnerabilities totally subvert Trusted-Execution Environments which are supposed to be cryptographically secure processing units logically separated from the CPU. But speculative execution vulnerabilities allow you to bypass that encryption.
It's only a matter of time before some APT group produces the next Strontium UEFI bootkit and leverages this vulnerability.
