How would one go about learning these things? I have no illusions that I will be coming up with new exploits, but I am curious about the tools that are used to find them. How do you write code that winds up on a Thunderbolt device? How do you read from -- let alone write to -- EFI?
Lots and lots of reading of lots and lots of sometimes obscure documentation. For writing code that ends up on a Thunderbolt device, you need to keep in mind that other than the endpoint, Thunderbolt devices are essentially PCIe devices. So, a device with an easily writable firmware, like certain Broadcom chips that come with a lot of Apple hardware [1], can be easily programmed to suit the whims of the attacker. Regarding reading and writing, there is a ton of info that is kept on a partition on disk, actually, in the EFI system partition [2]. Additionally, there are basic UEFI development tools out there that let you write your own UEFI payloads [3]. Finally, take a look at TianoCore for an open reference implementation of UEFI, as it has a lot more of the ins and outs of how to do all this [4].
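
An added example, not part of either post above: since the answer notes that the EFI system partition is an ordinary partition on disk, this Python code locates it in a GPT disk image by its partition type GUID, verifying the header and partition-array CRCs first. The 512-byte sector size, the function names and the sample image are assumptions constructed for the demo.

```python
import struct
import uuid
import zlib

SECTOR = 512  # assumed logical sector size
# GPT partition type GUID that marks an EFI system partition
ESP_TYPE = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")

def find_esp(image: bytes):
    """Return (first_lba, last_lba, name) of the ESP in a GPT image, or None."""
    hdr = image[SECTOR:SECTOR * 2]  # the primary GPT header lives in LBA 1
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    hdr_size, stored_crc = struct.unpack_from("<II", hdr, 12)
    if not 92 <= hdr_size <= SECTOR:
        raise ValueError("implausible GPT header size")
    # The header CRC32 is computed with its own field set to zero.
    if zlib.crc32(hdr[:16] + b"\0" * 4 + hdr[20:hdr_size]) != stored_crc:
        raise ValueError("GPT header CRC mismatch")
    entries_lba, count, entry_size, array_crc = struct.unpack_from("<QIII", hdr, 72)
    start = entries_lba * SECTOR
    table = image[start:start + count * entry_size]
    if zlib.crc32(table) != array_crc:
        raise ValueError("partition array CRC mismatch")
    for i in range(count):
        entry = table[i * entry_size:(i + 1) * entry_size]
        # GUIDs are stored mixed-endian on disk, hence bytes_le
        if uuid.UUID(bytes_le=entry[:16]) == ESP_TYPE:
            first, last = struct.unpack_from("<QQ", entry, 32)
            return first, last, entry[56:128].decode("utf-16-le").rstrip("\0")
    return None

def build_sample_image() -> bytes:
    """Constructed 64-sector image with one ESP entry (demo data only)."""
    entry = (ESP_TYPE.bytes_le + uuid.UUID(int=1).bytes_le
             + struct.pack("<QQQ", 40, 60, 0)
             + "EFI System".encode("utf-16-le").ljust(72, b"\0"))
    table = entry.ljust(128 * 4, b"\0")  # four slots, three of them empty
    hdr = bytearray(struct.pack(
        "<8sIIIIQQQQ16sQIII", b"EFI PART", 0x10000, 92, 0, 0, 1, 63, 34, 62,
        uuid.UUID(int=2).bytes_le, 2, 4, 128, zlib.crc32(table)))
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr)))
    img = bytearray(SECTOR * 64)
    img[SECTOR:SECTOR + len(hdr)] = hdr
    img[2 * SECTOR:2 * SECTOR + len(table)] = table
    return bytes(img)

if __name__ == "__main__":
    print(find_esp(build_sample_image()))
```

The returned LBA range is where the partition's FAT filesystem starts and ends; a flipped bit in the header or table makes the function raise instead of returning a location.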