
I have a lot of PCs without a TPM installed. Buying TPMs for all of them is not an option, but I still want to do encryption on them.

From what I've studied so far, the entire system/boot partition can be encrypted. The bootloader (or the ESP partition), however, must remain unencrypted. It is the first program run after the firmware -- if it is encrypted, the firmware simply cannot load it because the firmware does not understand encryption at all.

Without a TPM, is there anything I can do to ensure that my bootloader has not been tampered with? I use LUKS on Linux machines and BitLocker on Windows machines, if that matters.

Livy

1 Answer


Well, you could keep your bootloader on an external device and set your computer to boot from that device, but that would not protect from other forms of tampering such as a backdoor BIOS. Such a backdoor could allow you to load your genuine bootloader, but surreptitiously inject malicious code into it while it is being run. Generally, anyone who can modify the bootloader can modify the BIOS.

You need something that cannot be modified by a privileged user. Given that even the BIOS can be modified (save the read-only CRTM, which is used by the TPM if you have one), there's no way to ensure your bootloader has not been tampered with. You need either a TPM, or a trusted system that provides equivalent functionality. Luckily, most modern Intel chipsets come with a built-in one, called the fTPM. It provides the same functionality as a discrete hardware TPM and adheres to the same specifications. Check if any of your computers have that feature (smx flag in /proc/cpuinfo).

forest
  • I switched to an AMD system, and noticed that the `smx` flag was missing. AMD fTPM is running fine with BitLocker, but there was no such flag when I viewed `/proc/cpuinfo`. Looks like it is present on Intel CPUs only. – Livy Jun 16 '21 at 06:17
  • @Livy The `smx` feature is the Intel term, I believe. AMD might have its own under a different name. – forest Jun 18 '21 at 20:23
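The check the answer and the comments describe, as an added example that is not part of the original post or answer: it looks for a CPU flag in the `flags` line of `/proc/cpuinfo` (whole-word match, so `smx` does not match `smxabc`) and separately counts the TPM devices the kernel has registered under `/sys/class/tpm`, which is the more reliable sign that a discrete TPM or fTPM is usable, Intel or AMD. The function names and the sample cpuinfo text are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original answer. Function names and the
# sample cpuinfo below are constructed for illustration.

# has_cpu_flag FLAG [FILE]: succeed if FLAG appears as a whole word in the
# "flags" line of FILE (default /proc/cpuinfo). Missing file -> failure.
has_cpu_flag() {
    flag="$1"
    file="${2:-/proc/cpuinfo}"
    grep -E '^flags[[:space:]]*:' "$file" 2>/dev/null \
        | grep -qwF -- "$flag"
}

# tpm_count [SYSFS_DIR]: print how many tpmN devices the kernel registered
# under SYSFS_DIR (default /sys/class/tpm). 0 means no usable TPM/fTPM.
tpm_count() {
    dir="${1:-/sys/class/tpm}"
    n=0
    for d in "$dir"/tpm*; do
        [ -e "$d" ] && n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample resembling an Intel CPU that reports smx.
SAMPLE_CPUINFO="$(mktemp)"
trap 'rm -f "$SAMPLE_CPUINFO"' EXIT
cat > "$SAMPLE_CPUINFO" <<'EOF'
processor	: 0
vendor_id	: GenuineIntel
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep smx tpr_shadow
EOF

# Report on the host this script runs on. The flag alone is not conclusive:
# as the comments note, AMD fTPMs do not report smx, so the device count
# from sysfs is the better indicator of an available TPM.
if has_cpu_flag smx; then
    echo "smx: present in /proc/cpuinfo"
else
    echo "smx: absent (not conclusive on AMD or non-Linux hosts)"
fi
echo "TPM devices registered by the kernel: $(tpm_count)"
```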