From what the article says, you basically can't be sure, unless you check the hardware. I would advise at least flashing the original firmware that you can get from Ledger themselves.
Am I correct in understanding that the exploit would most likely be cleared by re-flashing the firmware to a known good image before you use it? Especially if you did so using JTAG it seems like it'd be very difficult (albeit probably not impossible) for the firmware modifications described in the article to persist through a reflash as long as you're reasonably confident that the hardware itself hasn't been altered. That doesn't get rid of the evil maid scenario, but it does get rid of the supply chain attack, which is IMO the more concerning one. Evil maid attacks can be mitigated by physical security, but the supply chain attack is out of your control.
Yes, and that's what the update does. Since the bootloader wasn't modified (at least with this particular attack), flashing a known-good image fixes it.
The problem is, if you flash with JTAG you're basically just trusting your host computer not to be compromised. And isn't not having to trust your host computer the entire point of a hardware wallet?
Big difference: you're only trusting the host computer (and the JTAG dongle) once. This is manageable; use an airgapped junk laptop with no HDD or similar if you're ultra paranoid. Sure, perhaps the firmware is compromised and leaking data through some super exotic attack, but I mean come on. That should give you a pretty reasonable level of confidence. You can never 100% trust a device you didn't design and fabricate every aspect of yourself; there's always some risk with any hardware token.
I'd also argue that trusting your host computer is certainly better than trusting the supplier. Shifting the burden of trust from a device you don't control to one you do is at least an improvement.