Completely TPM-based if it's available.
Secure Boot will still shit the bed if an EFI module is loaded that isn't properly digitally signed, and will make you recover the key through various methods, which would tip off literally anybody that something's amiss.
Anyway -- SPI should be locked on most systems from being flashed UNLESS the binary is signed with the same key.
HP encrypts the whole UEFI with their own RSA key, and that should be an industry standard IMHO.
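A defender's check for the SPI lock point above, as an added example that is not from the post: it decodes the Intel PCH BIOS_CNTL / HSFS write-protect bits from constructed register values and reports whether the BIOS region is still writable from the OS. The bit positions and the "protected" rule are assumptions taken from the PCH datasheet; confirm them for your platform and read the live registers with a tool such as chipsec.

```python
# Added example (not from the original post). Assumed bit layout, to be verified
# against your platform datasheet:
#   BIOS_CNTL bit0 = BIOSWE  (BIOS write enable)
#   BIOS_CNTL bit1 = BLE     (lock enable: setting BIOSWE triggers an SMI)
#   BIOS_CNTL bit5 = SMM_BWP (BIOS region writable only from SMM)
#   HSFS      bit15 = FLOCKDN (SPI flash configuration locked down)
from dataclasses import dataclass


@dataclass(frozen=True)
class SpiLockState:
    bioswe: bool
    ble: bool
    smm_bwp: bool
    flockdn: bool


def decode(bios_cntl: int, hsfs: int) -> SpiLockState:
    """Extract the write-protection bits from raw register values."""
    return SpiLockState(
        bioswe=bool(bios_cntl & 0x01),
        ble=bool(bios_cntl & 0x02),
        smm_bwp=bool(bios_cntl & 0x20),
        flockdn=bool(hsfs & 0x8000),
    )


def is_write_protected(state: SpiLockState) -> bool:
    # Assumed rule: the region is protected when writes are disabled and that
    # setting is locked (BLE), or when SMM_BWP confines writes to SMM code.
    return (state.ble and not state.bioswe) or state.smm_bwp


def findings(state: SpiLockState) -> list:
    """Return human-readable weaknesses; an empty list means the flash is locked."""
    out = []
    if not is_write_protected(state):
        out.append("BIOS region writable from the OS: BIOSWE set or BLE/SMM_BWP clear")
    if not state.flockdn:
        out.append("FLOCKDN clear: SPI protected ranges can still be reconfigured")
    return out


# Constructed sample values (not captured from real hardware).
LOCKED = decode(bios_cntl=0x22, hsfs=0x8000)  # BLE|SMM_BWP set, BIOSWE clear, FLOCKDN set
OPEN = decode(bios_cntl=0x01, hsfs=0x0000)    # BIOSWE set, nothing locked

if __name__ == "__main__":
    for name, st in (("locked", LOCKED), ("open", OPEN)):
        print(name, st, findings(st) or ["OK"])
```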