There are things you can do to mitigate this problem, but once someone has physical access to a computer they have many pathways to gaining access to data and control.
The FBI have trouble compromising iPhones despite having unlimited physical access, so that isn't true in general.
What I'm worried about is closing these holes while preserving the ability to run whatever software I want.
And also preserving the ability to provide consistent instructions to people on how to install other operating systems. In other words, if every laptop has a different magic keyboard sequence to bypass boot security, it's going to be a pain to write the Debian install instructions.
That's true, but it's what encrypted filesystems are supposed to prevent. The lesson is that sleep/low-power modes are not enough. You should be powering off or hibernating any time the computer is not in use.
Unfortunately this is against many enterprise policies for desktops, because they like to apply updates during off-hours and need the computers to be on (or at least able to wake up from sleep) to do that.
For laptops, you should configure them to hibernate when the lid is closed, not just sleep.
If their slides are correct, then disabling boot from USB is enough. But then they state
> Using a simple tool, Olle and Pasi learned how to rewrite the non-volatile memory chip that contains these settings, disable memory overwriting, and enable booting from external devices
The phrasing is confusing in that they had found a way to switch the 'boot from USB' BIOS setting 'using a simple tool'.