Does pureboot have mitigations against cold boot attack to steal full disk encryption key?

Coreboot and Seabios don’t support passwords, but PureBoot has a TPM admin password, to block the Pureboot firmware from being overwritten or changed.

By default you can’t boot from a USB device, unless you select that option.
See: https://docs.puri.sm/PureBoot/GettingStarted.html