The firmware has to allow it, so if you’ve got physical access to the machine that’s possible. Remote access root, on the other hand, can’t tell the firmware to register new keys as long as it’s configured correctly