4

Suppose the firmware of an SSD or HDD has been compromised by rogue actors either through "interdiction" (interception) or via the internet. They are able to exfiltrate data and conduct surveillance at will without my knowledge.

Can I mitigate the effects of the compromise by having the entire disk encrypted using tools such as Linux's LUKS or Microsoft Windows BitLocker? Or would installing Qubes-Whonix be a better option than LUKS and BitLocker?

  • 2
    If the firmware is infected, you cannot trust firmware-based encryption. If the firmware is infected, then it does not matter what technology you stack on top of it: the data is exposed. – schroeder Oct 29 '18 at 13:19
  • 2
    @schroeder It sounds like OP is talking about software encryption. – forest Oct 29 '18 at 23:32
  • @forest Yes, you are right. I am talking about using software encryption to mitigate against a compromised firmware of an SSD or HDD. If I understand the reply by schroeder correctly, it seems that even software encryption such as LUKS will not help mitigate against a compromised firmware. – ssdhddinfected Oct 30 '18 at 01:23

1 Answer

4

Partially. Full disk encryption, when done through software (e.g. LUKS), means that a compromised storage device will only ever see encrypted data, never decrypted data. It will never have access to the key. However, it would still be able to tamper with data by exploiting the malleability of non-authenticated modes, which could potentially be abused to compromise the operating system (for example, the storage device could randomize any 16-byte block in XTS by toggling a single bit in the ciphertext, which can be very bad in some situations), or by exploiting weaknesses in XTS when snapshots are available to an attacker over time to leak information. Additionally, if you are booting from the drive, then a malicious MBR could be sent to the computer from the drive, loading a bootkit. Another issue is the capabilities of the storage device interface. SATA, for example, should not make a DMA attack possible, but a drive connected directly over PCIe might be able to write to system memory.

forest
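The XTS malleability described in the answer above, as an added example that is not part of the original post: one flipped ciphertext bit garbles exactly one 16-byte block on decryption and goes unnoticed, while a host-side per-sector MAC catches it. Assumptions: a 4-round Feistel built from SHA-256 stands in for AES so the block runs on the standard library alone, ciphertext stealing is omitted, and the keys, sector number, plaintext and the `sector_tag` helper are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):  # round function of the stand-in cipher
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_cipher(key, blk, decrypt=False):
    # Stand-in 128-bit block cipher (4-round Feistel); real XTS uses AES here.
    l, r = blk[:8], blk[8:]
    for rnd in (reversed(range(4)) if decrypt else range(4)):
        l, r = (_xor(r, _f(key, rnd, l)), l) if decrypt else (r, _xor(l, _f(key, rnd, r)))
    return l + r

def _mul_alpha(t):
    # Multiply the tweak by x in GF(2^128), little-endian as in IEEE 1619.
    n = int.from_bytes(t, "little") << 1
    if n >> 128:
        n = (n & ((1 << 128) - 1)) ^ 0x87
    return n.to_bytes(16, "little")

def xts(k1, k2, sector, data, decrypt=False):
    # XEX construction per block: out = E_k1(in XOR T) XOR T, T = E_k2(sector) * x^j.
    t = block_cipher(k2, sector.to_bytes(16, "little"))
    out = b""
    for i in range(0, len(data), BLOCK):
        out += _xor(block_cipher(k1, _xor(data[i:i + BLOCK], t), decrypt), t)
        t = _mul_alpha(t)
    return out

def sector_tag(kmac, sector, ct):
    # Assumed mitigation: a host-side MAC over each sector's number and ciphertext.
    return hmac.new(kmac, sector.to_bytes(8, "little") + ct, hashlib.sha256).digest()

def demo():
    k1, k2, kmac = b"A" * 16, b"B" * 16, b"C" * 16          # constructed keys
    plain = b"".join(bytes([65 + i]) * BLOCK for i in range(4))  # constructed sector
    ct = xts(k1, k2, 7, plain)
    tag = sector_tag(kmac, 7, ct)
    tampered = ct[:20] + bytes([ct[20] ^ 0x01]) + ct[21:]    # one bit, inside block 1
    got = xts(k1, k2, 7, tampered, decrypt=True)
    changed = [j for j in range(4) if got[16 * j:16 * j + 16] != plain[16 * j:16 * j + 16]]
    garbled = sum(a != b for a, b in zip(got, plain))
    detected = not hmac.compare_digest(tag, sector_tag(kmac, 7, tampered))
    return changed, garbled, detected
```

`demo()` returns the indices of the plaintext blocks that changed, how many bytes differ, and whether the MAC check rejected the tampered sector; plain XTS decryption itself raises no error.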