Just FYI to the OP, and others: they have recently found exploits in the wild (more than just talks) of writing to special persistent memory in the BIOS that remains even after a BIOS flash.
I recently posted a topic to Purism to see if these machines are open to the same attack.