After CIA leak, Intel Security releases detection tool for EFI rootkits (pcworld.com)
No amount of EFI rootkit detection will ever remove the possibility that malicious code is running inside the Intel Management Engine (ME), because code inside the ME would run side-by-side with the bootloader and with unlimited permissions.

Unless Intel provides source code for the ME, it is impossible to 100% know whether unauthorized code is running.

This is a better link (it is Intel's original blog post):

https://securingtomorrow.mcafee.com/business/chipsec-support...

It includes a few more details about what was released:

  It extracts EFI firmware from flash ROM memory
  automatically if the firmware file is not
  specified.

  We recommend generating an EFI whitelist after
  purchasing a system or when you are sure it has
  not been infected:

  # chipsec_main -m tools.uefi.whitelist -a generate

  Then check the EFI firmware on your system
  periodically or whenever you are concerned, such
  as when a laptop was left unattended:
...

An analysis of the approach they are taking would lead to some pretty easy improvements.

And what if intel is compromised? Mass rootkit installation!

You can reverse engineer the EFI modules, build a whitelist based on known safe code, and then detect subversion at Intel, so this is not a good strategy for serious adversaries.

My thoughts exactly! What a great way to get rootkits on people who want to protect themselves.

The code is here: https://github.com/chipsec/chipsec

