OEMs: you need to ship hashes of your golden images. Read NIST SP 147 (and 193). You should be OpenPGP-signing them, as well.
I want to update the BIOS on my <OEM> motherboard as this hopefully solves a problem. However, the archive containing the BIOS update and flashing tool can only be downloaded over http and there is no way to verify its integrity as neither signed nor non-signed checksums are available. I'm extremely uncomfortable with just installing the update without being able to verify its integrity, as I would forever think about whether the BIOS has been modified in case the download server has been compromised or by a MITM attack while I'm downloading. What can I do?
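For the case where a vendor does publish what the first comment asks for, the check on the downloader's side looks like this. This is an added example, not code from the poster or from any OEM: it assumes a `SHA256SUMS` manifest in `sha256sum` format next to the firmware archive and a detached OpenPGP signature over that manifest (file names, the `bios.bin` sample and its contents are constructed here). The hash step only detects corruption or substitution if the expected digest arrived by a channel the attacker does not control; the signature step is what ties the manifest to the vendor's key, which must itself be obtained out of band (a key fingerprint printed on a TLS-protected support page, for instance) and pinned in a dedicated keyring rather than pulled from a keyserver at verification time.

```sh
#!/bin/sh
# Added example: verify a firmware download against a published SHA-256
# manifest and an OpenPGP detached signature. File names are assumptions.
set -eu

# Hex SHA-256 of a file, portable across GNU coreutils and BSD/macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED_HEX: return 0 on match, 1 on mismatch.
# The comparison is case-insensitive because vendors publish either case.
verify_sha256() {
  vs_file="$1"
  vs_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  vs_actual=$(sha256_of "$vs_file")
  if [ "$vs_actual" = "$vs_expected" ]; then
    return 0
  fi
  printf 'MISMATCH %s: expected %s, got %s\n' "$vs_file" "$vs_expected" "$vs_actual" >&2
  return 1
}

# verify_manifest MANIFEST [DIR]: check every "<hex>  <name>" line
# (sha256sum format; a leading '*' binary-mode marker is tolerated).
# Returns 1 if any entry fails, but keeps going so all mismatches are reported.
verify_manifest() {
  vm_manifest="$1"
  vm_dir="${2:-.}"
  vm_status=0
  while read -r vm_digest vm_name; do
    [ -n "$vm_digest" ] || continue
    vm_name=${vm_name#\*}
    verify_sha256 "$vm_dir/$vm_name" "$vm_digest" || vm_status=1
  done < "$vm_manifest"
  return $vm_status
}

# verify_signature MANIFEST SIG KEYRING: check the detached OpenPGP signature
# using only the pinned vendor keyring, never the default keyring or a keyserver.
verify_signature() {
  gpg --no-default-keyring --keyring "$3" --verify "$2" "$1"
}

# Typical use (files assumed to sit in the current directory):
#   verify_signature SHA256SUMS SHA256SUMS.sig vendor-firmware-keyring.gpg \
#     && verify_manifest SHA256SUMS . \
#     && echo "firmware archive verified"
```

Order matters: verify the signature over the manifest first, then the manifest over the archive. A matching hash from an unsigned manifest served over the same plain-http channel as the archive proves only that the two files were served together.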