The best way to protect against harmful firmware in your drives is to:
>encrypt the filesystem
This doesn't necessarily protect you, but heavily reduces the risk of less sophisticated attacks like caching or altering files in transfer.
>configure libreboot/coreboot to only run signed kernel images
This ensures that the drive has not tampered with your kernel, which is one route it could take to get net access. If you use full disk encryption including your /boot partition, this might not be necessary. If you don't use libreboot/coreboot and just configure grub on mbr/efi to check signatures, then it's not really protecting much, as the kernel and keys are both being read from the drive, though it might be worth doing since it's easy and might thwart some simple scripted attacks that didn't account for signed images. If you have a TPM and use UEFI booting, you could sign the grub efi image and enable secureboot, which should prevent the drive from altering the signature file, thus being effectively like libreboot/coreboot in regard to signed kernels. UEFI is its own can of worms in regard to security though, and some question the integrity of TPMs.
>connect the drive over USB or use a cpu/mobo with iommu features enabled
This will prevent the drive from getting direct memory access (and thus net access, access to encryption keys, access to pretty much whatever it wants).
If you do all of these it still isn't perfect, but it prevents the drive from performing more trivial exploits and from getting access to system memory or a network stack, thus reducing the risk to fairly sophisticated, probably targeted attacks that require physical access to recover data from.
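
A way to check the USB/IOMMU point above on a Linux machine, added here as an example and not part of the original post. It assumes the standard sysfs layout, where `/sys/block/<dev>` links into `/sys/devices/...` and a controller managed by an IOMMU has an `iommu_group` entry; the function names are hypothetical.

```shell
# Added example: classify how each block device can reach system memory.
# Assumes the Linux sysfs layout; function names are hypothetical.

drive_exposure() {
    sysroot=$1; dev=$2
    link="$sysroot/block/$dev"
    [ -e "$link" ] || { echo "unknown"; return 1; }

    # /sys/block/<dev> is a symlink into /sys/devices/...; resolving it
    # gives the full bus path the drive hangs off.
    path=$(readlink -f "$link")
    root=$(readlink -f "$sysroot")

    case "$path" in
        # loop, ram and similar devices have no hardware behind them.
        */virtual/*) echo "virtual"; return 0 ;;
        # A drive behind a USB host controller cannot issue DMA itself.
        */usb[0-9]*/*) echo "usb"; return 0 ;;
    esac

    # Otherwise walk up towards the sysfs root looking for the controller's
    # iommu_group entry, which the kernel creates only when an IOMMU is
    # managing that device.
    dir=$path
    while [ "$dir" != "$root" ] && [ "$dir" != "/" ]; do
        if [ -e "$dir/iommu_group" ]; then
            echo "iommu"
            return 0
        fi
        dir=$(dirname "$dir")
    done

    # No USB hop and no IOMMU group: the controller has unrestricted DMA.
    echo "direct-dma"
}

report_drives() {
    sysroot=${1:-/sys}
    for entry in "$sysroot"/block/*; do
        [ -e "$entry" ] || continue
        dev=$(basename "$entry")
        printf '%s\t%s\n' "$dev" "$(drive_exposure "$sysroot" "$dev")"
    done
}
```

Source the file and run `report_drives`; any drive listed as `direct-dma` sits on a controller with no IOMMU group, which is the case the post says to avoid.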