So put malware in the BIOS itself, or one of the other chips or ROMs available.
I think I remember reading a story recently about Thunderbolt or maybe USB being connected to an Option ROM over PCIe (must have been Thunderbolt, I guess) that allowed an attacker to simply plug in a USB stick and permanently and irrevocably pwn the system - right down to securing the flaw that allowed flashing of the ROM over the PCIe connection. I think the malware overwrote some bit that allowed any further writing, so even attaching a physical chip-flashing device to the ROM wouldn't clear the malware. The machine was effectively permanently compromised and could only be thrown away.
Yes, it was Thunderbolt.[0] Firewire had the same issue. As does PCIe. But maybe USB 2.0 can be secured. If so, just fill other ports with epoxy. And use metal-flake nail polish to tamper protect seams. If USB isn't securable, give up, I guess.
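The question of whether a hot-pluggable PCIe port is "securable" comes down to two things on a Linux host: whether the IOMMU is on (so a plugged-in device cannot read or write arbitrary RAM), and whether the Thunderbolt controller establishes PCIe tunnels only after the device is authorized. The script below is an added example, not code from this thread or from any project mentioned in it. It assumes the sysfs nodes documented in the kernel's Thunderbolt admin guide (`domain0/security`, `<device>/authorized`) and `/sys/kernel/iommu_groups`; the `root` parameter is an addition of the example so the checks can be run against a constructed tree rather than the live `/sys`.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Linux host's DMA-attack posture
# for hot-pluggable PCIe links such as Thunderbolt.
# Assumptions: sysfs nodes as documented in the kernel's Thunderbolt admin guide
# (domain0/security, <dev>/authorized) and /sys/kernel/iommu_groups.
# The "root" argument is an addition so the checks can run against a
# constructed directory tree instead of the live /sys.

# Print the Thunderbolt domain security level, or "absent" if no domain exists.
tb_security_level() {
    root="${1:-/sys}"
    f="$root/bus/thunderbolt/devices/domain0/security"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# "yes" if the kernel exposes at least one IOMMU group (IOMMU active), else "no".
iommu_active() {
    root="${1:-/sys}"
    d="$root/kernel/iommu_groups"
    if [ -d "$d" ] && [ -n "$(ls -A "$d" 2>/dev/null)" ]; then echo yes; else echo no; fi
}

# Count Thunderbolt devices that are already authorized (authorized != 0).
tb_authorized_count() {
    root="${1:-/sys}"
    n=0
    for f in "$root"/bus/thunderbolt/devices/*/authorized; do
        [ -r "$f" ] || continue
        v=$(cat "$f")
        [ "$v" != "0" ] && n=$((n + 1))
    done
    echo "$n"
}

# Overall verdict:
#  unprotected    : no IOMMU, so any plugged-in PCIe device can read/write all RAM
#  weak           : IOMMU on, but the controller auto-authorizes every device ("none")
#  protected      : IOMMU on and devices must be approved (user/secure/...) or
#                   PCIe tunneling is disabled (nopcie/usbonly/dponly)
#  no-thunderbolt : IOMMU on and no Thunderbolt domain present
dma_verdict() {
    root="${1:-/sys}"
    if [ "$(iommu_active "$root")" = no ]; then echo unprotected; return; fi
    case "$(tb_security_level "$root")" in
        absent) echo no-thunderbolt ;;
        none)   echo weak ;;
        *)      echo protected ;;
    esac
}

# Run against the live system: sh dma_audit.sh --run
if [ "${1:-}" = "--run" ]; then
    echo "iommu active:          $(iommu_active)"
    echo "tb security level:     $(tb_security_level)"
    echo "tb authorized devices: $(tb_authorized_count)"
    echo "verdict:               $(dma_verdict)"
fi
```

An "unprotected" verdict means the epoxy approach above is the only real mitigation; "weak" means the IOMMU limits the damage but any device that is plugged in gets its PCIe tunnel without user approval; "protected" still depends on the IOMMU being enabled early enough in boot that option ROMs and pre-boot DMA are covered, which this script does not check.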