The best solution to reduce the likelihood of firmware-level attacks and rootkits is to implement measured boot. Measured boot is a hardware-assisted security mechanism that leverages Trusted Platform Module (TPM) and Secure Boot processes. It records cryptographic measurements of each stage of the boot process—from firmware to operating system loaders—and stores them in the TPM. Security software, such as attestation services, can then verify that the system booted into a known, trusted state. If firmware or boot-level code has been tampered with, the measurements will not match expected values, alerting administrators to compromise.

Option A (software integrity checks) validates application-level integrity but does not address firmware rootkits that load before the operating system. Option B (self-encrypting drives) protects data at rest but does not prevent rootkits. Option D (host-based encryption) ensures confidentiality but does not detect or mitigate firmware-level persistence.

Measured boot specifically targets low-level tampering, making it the most relevant control to defend against rootkits and firmware exploits.