I try to find out how far I can secure my laptop from physical access and tampering attempts.
Setup: ThinkPad with Linux installation
What I have done so far:
- disk encryption using cryptsetup for everything except /boot
- entering UEFI setup menu is protected by supervisor password
- all boot devices are disabled except primary SSD with Linux installation
- Bottom cover tamper detection is enabled
Due to the disk encryption, it is not possible to access the data without tampering with the device to sniff the password. Implanting a hardware keylogger should be very hard due to Lenovo's bottom cover tamper detection, which warns me when the cover had been removed. Booting a live system to modify the unencrypted /boot partition is not possible because all other boot devices are disabled. Changing the respective settings in UEFI is not possible due to the supervisor password.
But the attacker is able to boot the system until the grub bootloader appears. Does grub offer any possibilities to tamper with the unencrypted /boot partition?