Just make critical firmware read-only
Why not just move firmware to be read-only by default except when inside of the BIOS configuration utility.
Or set it up where all devices have some kind of ROM that stores a known-good copy of their code. When the system boots, the BIOS enumerates devices, then uploads any updated device code to a chunk of RAM running on the devices, then send an 'initialize with the software in RAM, ignore your ROM' (Or if the BIOS lacks any updated code, tell the device to initialize normally). When a user goes into BIOS, there is a big list of the firmware files that the BIOS has and the user has the ability to load updated firmware from external media, or disable/delete the existing firmware files. The OS would only have read-only access to the BIOS. All the firmware on the machine, including the BIOS itself, can be reset by opening the machine and shorting two pins, just like what you'd do to wipe the BIOS's configuration data.
A piece of electronics that can be forever tainted by having been in a system that had at one point run malicious code is a terrible model, and trying to fix it by doing anything other than just nuking it all and starting over properly is just foolishness itself. Especially when the proposed solution is to further reduce the owner's control over the machine.