[Canada]

If you have access to more than one identical system they can be compared. Or there could be a public list of known good hashes as you suggest.

In any case having a tool to even perform the check is great.

[throwaway91111]

This doesn't preclude the infect-at-the-factory issue: you'd end up verifying you HAVE the rootkit (and reverting to that if it changes).

[Canada]

I'm assuming not all of the machines from the factory will be infected. Because if that were so, then the chances of being found out is high and consequences would be dire for the manufacturer.

If my assumption is correct then buying a retail machine and comparing its firmware to the one you order with your credit card should be fine.