Many of these attacks target the BIOS.
BIOS is usually a SPI chip. It'd make sense to perhaps tie the write enable line so that it cannot be written to, unless jumpered.
It used to be a thing motherboards did. A BIOS flash enable jumper.
They kept the CMOS reset one, but for some reason got rid of the flash write enable.
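Added example, not from the comment above: a small Python model of how a hardware write-protect strap on a SPI NOR flash actually interacts with the chip's status register. The bit layout assumed here (BUSY, WEL, BP0-2, TB, SEC, SRP0 in Status Register 1) follows the common Winbond W25Q family; for any other part it is an assumption to check against the datasheet. The point it shows is the caveat behind the jumper idea: pulling WP# low only locks the status register when SRP0 is set, and the array is only protected where the BP bits say so, otherwise firmware can still clear the protection in software.

```python
"""Judge whether a WP# strap on a SPI NOR flash really protects the array.

Constructed example. Register layout assumed from the Winbond W25Q family
Status Register 1:  bit0 BUSY, bit1 WEL, bits2-4 BP0..BP2, bit5 TB,
bit6 SEC, bit7 SRP0.  Other vendors differ; consult the datasheet.
"""

from dataclasses import dataclass

BUSY = 1 << 0          # write in progress
WEL = 1 << 1           # write enable latch
BP_MASK = 0b111 << 2   # block protect level (0 = nothing protected)
TB = 1 << 5            # top/bottom select for the protected region
SEC = 1 << 6           # sector vs block granularity
SRP0 = 1 << 7          # status register protect: honour WP# when set


@dataclass
class Verdict:
    bp_level: int
    status_reg_locked: bool        # can software rewrite SR1 right now?
    holds_against_software: bool   # does the protection survive hostile firmware?
    reason: str


def bp_level(sr1: int) -> int:
    """Extract the 3-bit block-protect level from Status Register 1."""
    return (sr1 & BP_MASK) >> 2


def status_register_locked(sr1: int, wp_pin_low: bool) -> bool:
    """SR1 is hardware-locked only when SRP0=1 AND WP# is driven low."""
    return bool(sr1 & SRP0) and wp_pin_low


def write_status_register(sr1: int, new_value: int, wp_pin_low: bool) -> int:
    """Simulate a Write Status Register command from the host side.

    Returns the resulting SR1: unchanged if the chip refuses the write.
    """
    if status_register_locked(sr1, wp_pin_low):
        return sr1                      # chip ignores the command
    return new_value & 0xFF


def assess(sr1: int, wp_pin_low: bool) -> Verdict:
    """Explain what a given SR1 value plus WP# strap actually buys you."""
    level = bp_level(sr1)
    locked = status_register_locked(sr1, wp_pin_low)
    if level == 0:
        return Verdict(level, locked, False,
                       "BP bits are clear: no region is protected, so the "
                       "WP# strap changes nothing")
    if not locked:
        why = ("SRP0 is clear, WP# is ignored" if not (sr1 & SRP0)
               else "WP# is not driven low")
        return Verdict(level, locked, False,
                       f"BP bits protect a region, but {why}: firmware can "
                       "simply clear BP and flash the chip")
    return Verdict(level, locked, True,
                   "BP bits set and SR1 locked by SRP0 + WP# low: only a "
                   "physical change of the strap (a jumper) unlocks it")


if __name__ == "__main__":
    for sr1, wp_low in [(0x00, True), (0x80, True), (0x9C, True), (0x9C, False)]:
        v = assess(sr1, wp_low)
        print(f"SR1=0x{sr1:02X} WP#low={wp_low}: BP={v.bp_level} "
              f"holds={v.holds_against_software} ({v.reason})")
```

The usual failure is the third case versus the second and fourth: a board can ground WP# and still be fully writable because SRP0 was never set, or set BP bits that firmware clears with one command because the strap was left high.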