What's stopping firmware from patching GRUB to patch the kernel to do things it's not supposed to do? There is nothing inherent to Linux that makes it invulnerable to this kind of thing.
If you can't trust the underlying hardware or firmware, you cannot trust the machine.
But there's no technical reason this behavior must be Windows-only; it's just that way now because Linux isn't a business priority. The fundamental architecture, where UEFI software can write to a filesystem on the disk, applies to Linux installs just as much as Windows.
Using Linux is likely a good move, and encrypting your filesystem even better. But both of these could be defeated by an appropriately targeted UEFI program. I get the appeal for an enterprise that wants a chance at remotely tracking a stolen laptop, but now we can see how much power can be misappropriated when the system is compromised.
The problem here is not UEFI software being able to do nasty things to your OS disk.
Anything launched prior to your OS can do that, like boot-sector viruses of the old days.
What’s different here is how someone (with luck) can infect your firmware stealthily and deploy a UEFI payload (typically intended to provide base HW drivers with a machine) which Windows will actively detect and install and run without question.
And thus the initial agent gets deployed and installed.
Windows installs the rootkit into its own FS, all by itself.
But only on Windows, because Linux does NOT look for or use that UEFI driver payload.
Linux is immune to this attack. Really.
If your entire firmware gets corrupted and replaced by hostile material, obviously you’re screwed, but what are the chances of that happening and your machine booting?
Certainly not. The exploit depends on Windows-specific and Windows-only behavior [1].
[1] https://hackertimes.com/item?id=10039870