Hence the part of the TPM and other DRM-capable technologies (Secure Boot, I think). You can sign and seal the boot code, so just owning the firmware doesn't get you there. (Of course the NSA might also compromise the Windows boot keys, but then that's a detectable, major incident.)