I was robbed...
That included my Linux notebook and my company's notebook. Both are encrypted. Mine is encrypted with LVM over LUKS, using a passphrase to unlock the hard drive once the kernel has been started by the UEFI. But Secure Boot was disabled on the machine.
The company uses BitLocker in Transparent Operation Mode. They claim the computer would not boot if the hardware configuration is changed, and it was an HP notebook, which has special extra security.
However, for the thief who's not much interested in data, all this is not very concerning. On my setup, a simple USB stick containing an OS would allow them to reinstall an OS on the drive and sell the notebook. If I had activated Secure Boot and set a password on the BIOS, it could have been more complicated. But not impossible. Whatever the security layer, all that is needed is to unplug the CMOS battery for long enough to reset the BIOS settings, and all that extra layer is gone.
One could think that the company's computer is a bit more secure, but recent issues with a patch by Microsoft showed that actually a reset of the BIOS is still possible to get access to the computer (not necessarily the data).
My new laptop has Secure Boot and a TPM (ASUS UX433 if that matters, but my question is more generic). Is it possible to configure the UEFI and TPM so that tampering with the configuration really locks the computer to those who don't have the necessary (recovery) secret?
(Let's consider for the question that really complicated manipulations such as unsoldering and replacing a complete component are outside the scope. The issue here is rather that it is actually simple to reset the CMOS. On my desktop computer, it is even worse: moving a jumper at boot is enough, and it is well documented in the manual!)