Maybe, it is possible to use both a firmware unlock against an OPAL encrypted drive, and validate the signature of the initrd/UKI as part of secure boot. Either or both protect against this to a certain extent depending on configuration.
As does of measuring all of the above into PCRs that are unlocked with by the utility prompting for a pin used alongside the PCRs to unlock the key.
As does of measuring all of the above into PCRs that are unlocked with by the utility prompting for a pin used alongside the PCRs to unlock the key.