Like if your PC is compromised by an attacker and then you pull the hard drive and (assuming there's a way to get a hash from SMART/ATAPI) you can compare the hash of the firmware that the drive is running to the list of published firmwares at the vendor's site.
Why does the malware have to respond with the actual hash of the firmware? Respond with one of the "known good" hashes.
If you're reading the firmware and calculating a hash, the firmware does not have to give you the firmware that is actually running. Respond with a "known good" firmware image.
Depending on the design of the firmware and the controller chips, even JTAG may not help you - they don't have to actually give you raw access to the device's memory. They're supposed to, but we're not talking about the laws of physics here. The "rules" can be violated.
The vendors may need to move operations outside of five-eyes to remain commercially viable.
Yeah, only five-eyes nations do this kind of thing.