[zeroflow]

My bigger question would be why do you need to verify boot firmware? If we know your goal, maybe there is a better way.

Tbh, I for myself would not care for physical intrusion. If someone (private or state sponsored) has the willingness to intrude into my home, them tampering with my PC is the least of my concerns. As someone else also mentioned: A $5 wrench will be more effective than any measures you can do by modifying your pc.

Regarding tamper evidence, there have been multiple Defcon / Blackhat talks about tamper evidence. One thing that comes into mind is vacuum sealing a notebook into a bag with colored beans and taking a photo. This way, it will be impossible to access the pc without disturbing the pattern of beans surrounding the PC. You just need the software to compare photos to know if the sealed bag has been tampered with.

[pistoleer]

What do you do if the beans are disturbed? Throw the laptop out presumably? Would it not be easier to not ship the laptop, instead buying a thin client locally?

[zeroflow]

"That is left as an exercise for the reader"

That methods goal is to be tamper evident. You are referring to tamper proofing which opens up another whole can of worms.

[sulandor]

imho the method is sound and consequences are separate topic