(no title)

There are a few projects working on creating a good root of trust at boot time.

For example, there's Raptor Computing Systems' Talos platform (1) with libre bootware for a desktop computing experience; Bunnie Huang's precursor (2) which is a handheld and mostly solves your problem, and variations on libreboot/coreboot which can be shoe-horned into existing hardware such as Dasharo(3) on to the PC Engines APU2.

(1) https://www.raptorcs.com/blog/08212017001.php (2) https://www.crowdsupply.com/sutajio-kosagi/precursor (3) https://pcengines.github.io/

On the other hand, you may not need to trust your computer if you don't connect it to a network and all information flows only towards it on read-only media.