Taking the disk as an example, a disk does not typically have loadable firmware because otherwise you have a chicken-and-egg problem. So, the disk presumably has embedded firmware, and the firmware is blackbox and noone has ever seen it and you can’t necessarily change it or know what it does. So if the disk has a serial number, it is up to the disk whether your computer can read the serial number (you typically can) and up to the disk whether you can write it. You have no control over either.
By the way, I notice that even the memory cards on my computer have a serial number.
In an open source system, the main point of exposure is the web browser. If the web browser allows e.g. JavaScript to read an “id” then you are in trouble. The good news is that that gives you two places to keep the id a secret. You can have the operating system lie to the browser and you can have the browser lie to JavaScript. The bad news is that JavaScript / the web browser already expose more than enough information to fingerprint you - without access to HWIDs.