malware living on the BIOS ROM could possibly live through an internal BIOS flash (normal “update firmware” thing in the BIOS or things like 1vyrain) if it somehow manages to manipulate that process.
however, it is always overwritten by an external BIOS flash (using a Raspberry Pi or something using flashrom), because then you’re directly communicating with the flash chip. (if you suspect that the flash chip has been replaced with a malicious one you’re probably a bit schizo)
one thing though is that the flash on the embedded controller is left untouched in most operations like this, so it could possibly harbor malware, but the only thing that could possibly do is make your laptop unusable or die randomly. It can’t really affect the software running on it I’d think. What you’d want to do if you’re really schizo and suspect your EC is infected is to externally flash Lenovo firmware and use something like this to update the EC before externally flashing Heads.
the chain of trust for your installer USB would be something you can’t really avoid though, just use the most trustworthy computer you have
i mean there’s a possibility of malware hiding in USB peripherals since they have flash, and for ThinkPads I think the camera, touchpad, smartcard reader are usually USB. If they hypothetically acted as USB mice/keyboards/network adapters/display devices, they could possibly infect your system ig
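The last point can be checked from the running system. This is an added example, not part of the original post: it walks the Linux sysfs USB tree and reports any device that exposes an interface class outside a baseline you recorded for it, such as a camera that also enumerates as HID. The baseline dictionary, the `aaaa:000x` IDs and the sample tree are constructed for illustration.

```python
"""Audit USB interface classes against a per-device baseline (Linux sysfs)."""
from pathlib import Path
import tempfile

# USB-IF base class codes for the input and network roles named in the post.
RISKY = {"02": "CDC communications", "03": "HID", "0a": "CDC data"}

def _read(path):
    return path.read_text().strip().lower()

def usb_devices(root):
    """Yield ("vid:pid", set of interface class codes) for each USB device."""
    for dev in sorted(Path(root).iterdir()):
        if not (dev / "idVendor").is_file():
            continue  # interface entries such as "1-1.6:1.0" have no idVendor
        ident = f"{_read(dev / 'idVendor')}:{_read(dev / 'idProduct')}"
        yield ident, {_read(f) for f in dev.glob("*:*/bInterfaceClass")}

def audit(baseline, root="/sys/bus/usb/devices"):
    """Return [(vid:pid, [unexpected class codes])], in sysfs name order."""
    findings = []
    for ident, classes in usb_devices(root):
        if ident in baseline:
            extra = classes - baseline[ident]   # anything beyond the recorded role
        else:
            extra = classes & set(RISKY)        # unknown device acting as input/network
        if extra:
            findings.append((ident, sorted(extra)))
    return findings

def build_sample(root):
    """Constructed sysfs-like tree: a camera that also exposes a HID interface."""
    layout = {"1-1.6": ("aaaa", "0001", ["0e", "0e", "03"]),  # video + HID
              "1-1.4": ("aaaa", "0002", ["0b"]),              # smart card reader
              "1-1.3": ("aaaa", "0003", ["03"])}              # HID, not in baseline
    for bus_id, (vid, pid, classes) in layout.items():
        dev = Path(root) / bus_id
        for n, cls in enumerate(classes):
            iface = dev / f"{bus_id}:1.{n}"
            iface.mkdir(parents=True)
            (iface / "bInterfaceClass").write_text(cls + "\n")
        (dev / "idVendor").write_text(vid + "\n")
        (dev / "idProduct").write_text(pid + "\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        baseline = {"aaaa:0001": {"0e"}, "aaaa:0002": {"0b"}}  # constructed baseline
        for ident, extra in audit(baseline, tmp):
            print(ident, "unexpected interface classes:", extra)
```

This only sees interfaces that are enumerated at the moment it runs, so it works best as a periodic comparison against a baseline taken on a known-good install.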