How to verify boot firmware integrity if you prioritize neutralizing Intel ME?
Securing computer boot firmware poses challenges, especially with me_cleaner disabling TPM. Methods include using cameras, physical containers, and regular firmware checks, though detecting modifications remains difficult. Vigilance is crucial.
The discussion revolves around the challenges of securing computer boot firmware, particularly when using me_cleaner to neutralize Intel Management Engine (ME), which inadvertently removes Trusted Platform Module (TPM) functionality necessary for boot verification technologies like Heads or AEM. Users must choose between utilizing me_cleaner or maintaining TPM for boot verification. Various methods for protecting boot firmware are explored, including the glitter nail polish technique, which requires meticulous photographic documentation, and the use of a secret camera to monitor unauthorized access. The camera should record locally and activate on motion, but concerns about tampering and data erasure by adversaries are noted. Other suggestions include using a secure container for the computer and employing tamper-evident stickers, though these can also be circumvented. The camera technique is deemed the most practical for daily use, while periodic firmware checks are recommended, despite the difficulty in detecting malicious modifications. The conclusion emphasizes the need for vigilance and the potential necessity of re-flashing firmware without certainty of prior tampering.
- Using me_cleaner disables TPM, affecting boot verification technologies.
- Various methods for securing boot firmware include cameras and physical containers.
- The glitter nail polish technique requires careful documentation and is labor-intensive.
- Tamper-evident measures like stickers can be easily compromised.
- Regular firmware checks are essential, though detecting modifications is challenging.
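The summary's "regular firmware checks" are hard in practice because part of the SPI flash (the UEFI variable store) is rewritten legitimately at runtime, so a naive hash of the whole dump always changes. The following is an added example, not code from the discussion: it diffs two flash dumps (such as those read with flashrom) against an allowlist of volatile regions and derives a stable fingerprint that can be kept offline; the region offsets and 4 KiB sample images are constructed, not taken from a real board.

```python
import hashlib

def changed_ranges(baseline: bytes, current: bytes):
    """Return half-open [start, end) byte ranges where the two images differ."""
    if len(baseline) != len(current):
        raise ValueError("image sizes differ: %d vs %d" % (len(baseline), len(current)))
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(baseline, current)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(baseline)))
    return ranges

def contained(rng, region) -> bool:
    return region[0] <= rng[0] and rng[1] <= region[1]

def audit(baseline: bytes, current: bytes, volatile):
    """Classify each changed range: fully inside a volatile region -> ignored,
    anything else (even partially outside one) -> suspicious."""
    volatile = list(volatile)
    suspicious, ignored = [], []
    for rng in changed_ranges(baseline, current):
        (ignored if any(contained(rng, v) for v in volatile) else suspicious).append(rng)
    return ("CLEAN" if not suspicious else "MODIFIED"), suspicious, ignored

def stable_digest(image: bytes, volatile) -> str:
    """SHA-256 over the image with volatile regions zeroed, so a fingerprint
    taken at setup time can be stored offline and compared against later dumps."""
    buf = bytearray(image)
    for start, end in volatile:
        buf[start:end] = bytes(end - start)
    return hashlib.sha256(bytes(buf)).hexdigest()

# Constructed 4 KiB sample "flash image" (assumed layout): code everywhere
# except a variable store at 0x800-0xC00 that firmware rewrites in normal use.
VOLATILE = [(0x800, 0xC00)]
BASELINE = bytes(range(256)) * 16
NVRAM_ONLY = bytearray(BASELINE); NVRAM_ONLY[0x900:0x910] = b"\xAA" * 16
CODE_CHANGED = bytearray(NVRAM_ONLY); CODE_CHANGED[0x300:0x304] = b"\xFF" * 4

if __name__ == "__main__":
    for name, img in (("nvram-only", NVRAM_ONLY), ("code-changed", CODE_CHANGED)):
        verdict, sus, ign = audit(BASELINE, bytes(img), VOLATILE)
        print(name, verdict, [f"{s:#x}-{e:#x}" for s, e in sus], len(ign), "ignored")
```

A verdict of CLEAN only says the non-volatile bytes match the baseline you recorded; if the baseline itself was taken after tampering, the comparison cannot tell, which is the caveat the summary raises.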
Related
Vulnerability in Popular PC and Server Firmware
Eclypsium found a critical vulnerability (CVE-2024-0762) in Intel Core processors' Phoenix SecureCore UEFI firmware, potentially enabling privilege escalation and persistent attacks. Lenovo issued BIOS updates, emphasizing the significance of supply chain security.
Secure Boot is completely broken on 200 models from 5 big device makers
Researchers from Binarly found that Secure Boot is compromised on over 200 device models due to a leaked cryptographic key, posing significant security risks until manufacturers issue firmware updates.
Privacy Guides Adds New "Hardware Recommendations" Section
Hardware plays a crucial role in data security, emphasizing the need for ongoing updates, trusted components, and effective privacy measures to protect against unauthorized access and vulnerabilities.
Secure Boot useless on PCs from major vendors after key leak
A study by Binarly found that hundreds of PCs from major manufacturers are vulnerable due to a leaked 12-year-old test platform key, allowing attackers to bypass Secure Boot protections.
Make Your Electronics Tamper-Evident
AnarSec's article outlines methods to enhance electronic device security against tampering, including tamper-evident screws, transparent storage solutions, and secure operating systems like Qubes OS and Tails.
I have a multi-stage strategy.
First and most important, physical security. My computer is valuable enough that if I left it unattended in public, someone would probably nick it and put it on eBay. So I only leave it unattended in places with good enough physical security.
Secondly, I avoid doing anything that would impose spy-thriller-movie-level security requirements on my equipment. My employer wants to secure a critical code signing key? I'll be happy to sort them out with their own HSM in their own properly secured data centre, or their own USB stick in a bank vault, or whatever their requirements dictate. My personal security research? I anonymously publish anything interesting I find right away. And I strictly avoid going to countries where I think the government ought to be overthrown.
Therefore, the chances of an attack targeting my boot firmware are exceptionally small.
Finally, I embrace the reality that the TPM wouldn't have helped me anyway. Firstly the security the TPM offers depends on the security of the BIOS, and we all know that's a joke. Secondly, even if the TPM worked perfectly and the BIOS was secure and so on, an attacker in a position to mess with my firmware could just as easily install a physical keylogger, or a hidden camera pointing at my keyboard, or just have masked goons hit me with a $5 wrench until I tell them the password.
Tbh, I for myself would not care for physical intrusion. If someone (private or state sponsored) has the willingness to intrude into my home, them tampering with my PC is the least of my concerns. As someone else also mentioned: A $5 wrench will be more effective than any measures you can do by modifying your pc.
Regarding tamper evidence, there have been multiple Defcon / Blackhat talks about tamper evidence. One thing that comes into mind is vacuum sealing a notebook into a bag with colored beans and taking a photo. This way, it will be impossible to access the pc without disturbing the pattern of beans surrounding the PC. You just need the software to compare photos to know if the sealed bag has been tampered with.
s/TPM/fTPM/
Some laptops have a discrete pTPM in addition to the ME's firmware TPM, which can be used for firmware validation, disk encryption, etc.
Some OEMs can detect when the chassis is opened, e.g. HP TamperLock, https://h20195.www2.hp.com/v2/getpdf.aspx/4AA7-8167ENW.pdf
I'd recommend taking a very high res photo of the welds so you can compare later if tampering is suspected.
What's the goal here? Why can't the same super-powered evil maid just create a visually-identical replica of your entire computer, login UI included, then MITM your password / unlock sequence ?
Then go through your original computer at their leisure with the captured password, while you ponder why "your" computer just crashed after login...
There was an article [0] posted some days ago; they recommended a transparent container and a mixture of red and brown lentils, which works just like the glitter nail polish.
Buy a random older computer with cash. Nothing critical needs more than 512 MB anyway.
Faraday caged, WiFi/Bluetooth/EM-sensitive heartbeat monitors, decentralized fail-safe live feeds, full air-gapped setup with UPS, white-noise machines, and only transmit data via QR codes.
Hope the monitor you chose to display QR and the web-camera are also faraday'd.
Hope the computer you are using to display the QR never gets compromised, and the QR-code reader, at the same time.
It's easier to send a squid-team with a $5 wrench.