The BMC usually has full access to system memory as well, so if you can get the timing right, you could replace the secure boot verified image with your own after verification.
Also, re: BusinessWeek, hey look, a hardware backdoor installed on servers. Pretty sure an IPMI vulnerability fits the bill for most of what was described.