I have a lot of PCs without a TPM installed. Buying TPMs for all of them is not an option, but I still want to do encryption on them.
From what I've studied so far, the entire system/boot partition can be encrypted. The bootloader (or the ESP partition), however, must remain unencrypted. It is the first program run after the firmware -- if it is encrypted, the firmware simply cannot load it because the firmware does not understand encryption at all.
Without a TPM, is there anything I can do to ensure that my bootloader has not been tampered with? I use LUKS on Linux machines and BitLocker on Windows machines, if that matters.
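An added example, not part of the question above, of the after-the-fact check that is possible without a TPM: hash every file on the unencrypted ESP, keep the manifest on the encrypted root, and on later boots report anything modified, added or removed. The mount point and manifest path are assumptions.

```python
"""Baseline-and-verify check for the unencrypted ESP (added example, not the
original poster's code). It runs after boot, so it can detect a changed
bootloader but cannot prevent one from running first; a measured boot with a
TPM is what would add that. Paths below are assumptions."""
import hashlib
import json
import os
import sys

ESP_ROOT = "/boot/efi"                    # assumed ESP mount point
MANIFEST = "/var/lib/esp-baseline.json"   # assumed path, on the encrypted root


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            manifest[os.path.relpath(full, root)] = h.hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Return which files changed, appeared or disappeared since the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def main():
    # "baseline" records the current ESP state; any other invocation verifies it.
    if len(sys.argv) > 1 and sys.argv[1] == "baseline":
        with open(MANIFEST, "w") as f:
            json.dump(build_manifest(ESP_ROOT), f, indent=1)
        return 0
    with open(MANIFEST) as f:
        baseline = json.load(f)
    diff = compare_manifests(baseline, build_manifest(ESP_ROOT))
    for kind, paths in diff.items():
        for p in paths:
            print(f"{kind}: {p}")
    return 1 if any(diff.values()) else 0   # non-zero exit means the ESP changed


if __name__ == "__main__":
    sys.exit(main())
```

Run it once with `baseline` right after installing or updating the bootloader, then without arguments from an early boot service; a non-zero exit is the signal to investigate.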