In many of these cases, however, it’s still possible to run a software tool freely available from the IBV or device vendor website that reflashes the firmware from the OS. To pass security checks, the tool installs the same cryptographically signed UEFI firmware already in use, with only the logo image, which doesn’t require a valid digital signature, changed.
The worst part it persists through reinstalls (if i understood correctly)
This is also my understanding, at least of you keep the EFI partition.
It can outlast those too.