As the tweet mentions, there is a disparity for OS-level access to UEFI runtime services.
Some general changes in the latest NetBSD release:
* USB stack rework, USB3 support added.
* PaX MPROTECT (W^X) memory protection enforced by default on some architectures with fine-grained memory protection and suitable ELF formats: i386, amd64, evbarm, landisk.
* PaX ASLR (Address Space Layout Randomization) enabled by default on: i386, amd64, evbarm, landisk, sparc64.
Some Intel/AMD-centric changes:
* Meltdown mitigation: SVS (Separate Virtual Space), enabled by default.
* SpectreV2 mitigation: retpoline (support in gcc), used by default for kernels. Other hardware mitigations are also available.
* SpectreV4 mitigations available for Intel and AMD.
* PopSS workaround: user access to debug registers is turned off by default.
* Lazy FPU saving disabled on vulnerable Intel CPUs (“eagerfpu”).
* Improvement and hardening of the memory layout: W^X, fewer writable pages, better consistency, better performance.
* (U)EFI bootloader.