Sometimes there are TPM-type chips that work as follows:
The manufacturer creates the chip and its OS and access code, and turns it over to the vendor.
The vendor creates his access code and destroys the manufacturer's access code. The manufacturer cannot access the vendor code.
The vendor prepares the software required for the end-user and seals it with his password; he can, if he deems it necessary, destroy his code.
The end-user can have controlled access to the TPM-type device's contents.
The chip can be programmed so that 3 bad access attempts destroy all future access.
Now, use the chip contents to checksum the BIOS and some critical security software. If the result is OK, life goes on.
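The hand-over chain and the boot-time checksum described above, as an added example that is not part of the original post and not a real TPM API: a Python object stands in for the chip, the access codes, image names and sample BIOS/security-software bytes are constructed for illustration, and "destroying the vendor code" is modelled as freezing the sealed reference values so they become read-only.

```python
from __future__ import annotations

import hashlib
import hmac


class SealedStore:
    """Constructed toy model of the access-code scheme described above.

    Not a real TPM: a real chip keeps the code digest, the reference values
    and the bad-attempt counter in tamper-resistant hardware.
    """

    MAX_BAD_ATTEMPTS = 3

    def __init__(self, initial_code: bytes) -> None:
        self._code_digest = hashlib.sha256(initial_code).digest()
        self._reference: dict[str, bytes] = {}  # image name -> sealed digest
        self._bad_attempts = 0
        self._frozen = False     # True once the holder gives up write access
        self._destroyed = False  # True after the lockout triggers

    def _authorize(self, code: bytes) -> None:
        """Check the code; a good code resets the counter, the third bad one destroys access."""
        if self._destroyed:
            raise PermissionError("chip contents destroyed; no further access")
        if hmac.compare_digest(hashlib.sha256(code).digest(), self._code_digest):
            self._bad_attempts = 0
            return
        self._bad_attempts += 1
        if self._bad_attempts >= self.MAX_BAD_ATTEMPTS:
            self._destroyed = True
            self._reference.clear()
            raise PermissionError("three bad attempts: all future access destroyed")
        raise PermissionError("bad access code")

    def hand_over(self, current_code: bytes, new_code: bytes) -> None:
        """Replace the access code; the previous holder's code stops working."""
        self._authorize(current_code)
        self._code_digest = hashlib.sha256(new_code).digest()

    def seal(self, code: bytes, name: str, image: bytes) -> None:
        """Store the reference digest of an image (BIOS, security software)."""
        self._authorize(code)
        if self._frozen:
            raise PermissionError("reference values are frozen")
        self._reference[name] = hashlib.sha256(image).digest()

    def freeze(self, code: bytes) -> None:
        """Model the vendor destroying his code: references become read-only."""
        self._authorize(code)
        self._frozen = True

    def verify(self, code: bytes, name: str, image: bytes) -> bool:
        """Checksum an image against its sealed reference; True means it matches."""
        self._authorize(code)
        expected = self._reference.get(name)
        if expected is None:
            return False
        return hmac.compare_digest(expected, hashlib.sha256(image).digest())


# Constructed sample images standing in for a BIOS and a critical security binary.
BIOS_IMAGE = b"\x55\xaa" + b"BIOS v1.0 constructed sample" * 8
IDS_BINARY = b"\x7fELF" + b"ids-agent constructed sample" * 8


def run_boot_check() -> dict[str, bool]:
    """Walk through manufacturer -> vendor -> end-user hand-over and the boot-time check."""
    results: dict[str, bool] = {}
    chip = SealedStore(b"manufacturer-code")

    # Vendor takes ownership; the manufacturer's code is now useless.
    chip.hand_over(b"manufacturer-code", b"vendor-code")
    try:
        chip.seal(b"manufacturer-code", "bios", b"unauthorised image")
        results["manufacturer_locked_out"] = False
    except PermissionError:
        results["manufacturer_locked_out"] = True

    # Vendor seals the reference digests, gives up write access, hands over to the end-user.
    chip.seal(b"vendor-code", "bios", BIOS_IMAGE)
    chip.seal(b"vendor-code", "ids", IDS_BINARY)
    chip.freeze(b"vendor-code")
    chip.hand_over(b"vendor-code", b"user-pin")

    # Boot-time check: sealed digests against the images actually present.
    results["bios_ok"] = chip.verify(b"user-pin", "bios", BIOS_IMAGE)
    results["ids_ok"] = chip.verify(b"user-pin", "ids", IDS_BINARY)
    tampered = BIOS_IMAGE[:-1] + b"\x00"
    results["tampered_detected"] = not chip.verify(b"user-pin", "bios", tampered)

    # Lockout: three bad codes in a row destroy all future access, even with the right code.
    for _ in range(SealedStore.MAX_BAD_ATTEMPTS):
        try:
            chip.verify(b"guess", "bios", BIOS_IMAGE)
        except PermissionError:
            pass
    try:
        chip.verify(b"user-pin", "bios", BIOS_IMAGE)
        results["locked_after_three"] = False
    except PermissionError:
        results["locked_after_three"] = True
    return results


if __name__ == "__main__":
    for check, ok in run_boot_check().items():
        print(f"{check}: {'pass' if ok else 'FAIL'}")
```

The comparisons use `hmac.compare_digest` so that neither the code check nor the checksum check leaks timing information, and a correct code resets the bad-attempt counter, so only three consecutive failures trigger the destructive lockout; a real chip would make that policy a hardware property rather than a Python flag.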