Okay, a few augmentations to Qubes OS security benefit from firmware and hardware (root of trust), particularily Coreboot, an open-source boot firmware. Qubes-certified hardware requires Coreboot among its certification criteria, but leaves the rest of the Coreboot payload implementation details up to the manufacturer. Currently, the situation is split into two mutually exclusive pathways:
Secure Boot
Measured/Sovereign/Verified Boot
@maltfield provided a detailed analysis of the benefits and tradeoffs of each approach in a blog article:
Here are additional related topics:
Currently, the latest in Secure Boot development is Dasharo TrustRoot, and the latest in Measured/Verified Boot development is Flashkeeper: