Zeronights 2018 talks of interest.
Turning your BMC into a revolving door
Synacktiv/Airbus/Medallia (Perigaud, Gazet & Czarny) Slides, video. HP iLO4 had really bad firmware validation code that allowed trivial buffer overflows in the signature checks (!) and no ASLR or NX features were enabled (!!), so it was an easy escalation. As usual no checks were done at boot time, only firmware update time. iLO5 added some secure boot methods to the Cortex-A9 CPU, which made things more difficult. However, they could enable recovery mode in the flash chip and then backdoor the userland code.
embedi (Ermolov/Zakirov) Slides. Multiple issues with AMI use of Bootguard, including some trivial bypasses. Also a flaw in the firmware update routines allows any firmware to be flashed (although bootguard will prevent booting if it is enabled).