
As I understand it, that's both the whole point of, and limitation to, the hardware root of trust - it can't be changed even with a firmware update.

Of course, if the key used to sign the firmware is compromised, the root of trust is still technically doing what it is supposed to do - verifying signatures - it's just that it becomes irrelevant in terms of security / integrity.


>As I understand it, that's both the whole point of, and limitation to, the hardware root of trust - it can't be changed even with a firmware update.

The OP states that the vendors could have revoked the compromised platform key with a firmware update. They just didn't bother.


They'd also need to know every user has upgraded the boot loader such that the system doesn't depend on those compromised keys!

That does make it quite difficult to pull off any kind of key rotation. I'm not sure, but I think (well known Secure Boot tool) sbctl is saying that you can sign a bootloader with multiple keys, which would permit creating a bootloader that would work with the compromised & the new root-of-trust, which at least opens some window of possibility. https://github.com/Foxboron/sbctl/blob/master/docs/sbctl.8.t...


This consumer (me) values security highly enough that he would prefer for the firmware update to render the machine unbootable (as long as it remains possible to render the machine bootable again by re-installing software).
