Question regarding Pureboot's tampering detection on L14

I am wondering how Pureboot could protect itself against the following attack:

  1. Attacker with root access to the local operating system (e.g. through exploiting software bugs).
  2. Attacker with physical access to the laptop.

In both cases, the attacker has access to flashrom and is able to read/re-flash the BIOS. Then the attacker can re-flash Pureboot with a backdoored measured boot and the attacker’s payload, so that the backdoored code “lies” to the TPM about the measurements. In this case, tampering detection is bypassed and the attacker can even achieve persistence.
I think the only solution is the hardware write-protect switch. But it seems the latest Pureboot still does not support it.

If the attacker has physical access, I don’t think this will help.

In this case, the attacker has to remove the case in order to toggle the WP switch, which can be detected (e.g., by applying glitter nail polish on the bottom screws).

https://puri.sm/posts/high-security-shipping-anti-interdiction-in-2021/

Sure, but not prevented. I guess I have a more stringent definition of “protect.”