Librem announced a safe key with a really interesting feature:
"Just boot with the Librem Key inserted. If it blinks green you are safe, if it blinks red you’ve been tampered with"
It isn't mandatory to boot with that key always plugged in, albeit it can do other things such as adding the key for unlocking a disk (still have to type a PIN that can be shorter than the disk encryption key).
Being able to check if the BIOS was tampered at boot up time is not a bad feature. I'm wondering anyways we couldn't do the same without a key, just with a normal program.
https://puri.sm/post...the-librem-key/