Turn SecureBoot off. Secure the UEFI and the hard drive itself!
Requirements
State of the art UEFI implementation and usually a hard drive from the professional series. In case of a ThinkPad it should be possible for more than a decade.
How To
1.) Set a UEFI password to protect the UEFI (formerly BIOS) itself
2.) Set a hard drive password within the UEFI, which requires a hard drive with built-in encryption
This protects the UEFI itself from manipulation, the bootloader, the kernel and the whole system. It is simple, therefore less error prone. Transparent to the operating system, therefore any operating system is supported. It doesn't affect performance because professional hard drives actually always encrypt all data - they just don't ask for a key. You need to trust in the UEFI implementation and the hard drive manufacturer, which you hopefully do.
Bonus
No Certificate Authority (CA) and no certificates involved. This reduces the error surface, because that part is error prone. You could even add LUKS (or whatever you prefer) on top of it. Because of the transparent built-in encryption you will not have a conflict. Probably a touch too much? But that's your decision.
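An added example, not part of the thread or of any vendor's tooling: once the drive password is set in the UEFI, the only thing the OS can do is confirm that the drive's ATA Security feature set is actually engaged. The script below parses the "Security:" section that `hdparm -I /dev/sdX` prints (root required) and reports the supported/enabled/locked/frozen flags. It assumes hdparm's usual layout for that section (a clear flag printed as `not<TAB>flag`, a set flag indented on its own line); the two sample blocks are constructed in that shape, not captured from a real drive.

```shell
#!/bin/sh
# Added example (not from the thread): verify from Linux that the UEFI
# hard drive password engaged the drive's ATA Security feature set.
# Real usage (as root):  hdparm -I /dev/sda | hdd_password_engaged
# The samples below are constructed in the shape of hdparm's "Security:" section.

# Constructed: machine booted after the password was entered in the UEFI.
# The feature set is enabled, the drive is already unlocked, and the UEFI
# froze it, so the password cannot be changed or cleared from the OS.
SAMPLE_PROTECTED='Security:
	Master password revision code = 65534
		supported
		enabled
	not	locked
		frozen
	not	expired: security count
		supported: enhanced erase
	2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.'

# Constructed: factory state, no password set. The drive still encrypts
# internally but hands the plaintext to anyone who plugs it in.
SAMPLE_UNPROTECTED='Security:
	Master password revision code = 65534
		supported
	not	enabled
	not	locked
		frozen
	not	expired: security count
		supported: enhanced erase
	2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.'

# ata_security_summary: reads hdparm -I text on stdin and prints one
# "<flag>=yes|no|unknown" line for supported, enabled, locked and frozen.
ata_security_summary() {
    # keep only the Security: section so that "enabled" elsewhere in the
    # report (write cache, SMART, ...) cannot confuse the check
    section=$(sed -n '/^Security:/,/^[^[:space:]]/p')
    for flag in supported enabled locked frozen; do
        if printf '%s\n' "$section" | grep -Eq "^[[:space:]]*not[[:space:]]+${flag}([[:space:]]|\$)"; then
            state=no
        elif printf '%s\n' "$section" | grep -Eq "^[[:space:]]+${flag}([[:space:]]|\$)"; then
            state=yes
        else
            state=unknown
        fi
        printf '%s=%s\n' "$flag" "$state"
    done
}

# hdd_password_engaged: exit status 0 when the drive reports "enabled",
# 1 otherwise. Suitable for a boot-time compliance check.
hdd_password_engaged() {
    ata_security_summary | grep -qx 'enabled=yes'
}

# Demo run over the constructed samples:  sh thisscript.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "protected sample:";   printf '%s\n' "$SAMPLE_PROTECTED"   | ata_security_summary
    echo "unprotected sample:"; printf '%s\n' "$SAMPLE_UNPROTECTED" | ata_security_summary
fi
```

The `frozen=yes` line is the expected state on a machine that booted through the UEFI: most firmware sends SECURITY FREEZE LOCK before handing over to the OS, which is what stops malware (or an `hdparm --security-set-pass` typed by mistake) from changing the password behind your back. A drive that shows `enabled=no` after you believe you set the password in the UEFI means the firmware never applied it to the drive, and the data is readable on any other machine.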
> You need to trust in the UEFI implementation and the hard drive manufacturer, which you hopefully do.
Trusting hardware encryption on consumer SSDs has been proven to be a pretty disastrous idea[0], with even Bitlocker disabling hardware encryption by default.
From what I understand, a lot of encryption implementations were really really bad, with massive security vulnerabilities and issues. I suppose if you're an enterprise you have the money to test if the SSD is actually encrypting the data on the NAND, but a consumer would be none the wiser.
Yes. I just didn't remember the specific models affected:
Crucial: MX100, MX200 and MX300
Samsung: 840 EVO and 850 EVO
Crucial fixed it later with a firmware update. I think people got mad at Samsung because they didn't fix it? Not affected were Intel, Micron, Samsung's own more expensive PRO series (interesting?) and others. We also rely on hardware based encryption on iPhones and Androids? Finally we need to trust the CPU and the random number generator, TPM, Pluton and that the keyboard or whatever is not manipulated. By the way - I don't trust Microsoft's Pluton! And interestingly Dell and Lenovo decided to turn it off by default.
I have to admit that I have hope for Pluton: it seems like it's going to increase the security of computing, which would obviously be beneficial to all of us. What they're talking about isn't exactly a new concept (I believe Apple call theirs the Secure Enclave) but it's one of those "Why didn't we have this already?" things where PCs just feel a bit behind.
https://support.lenovo.com/ie/en/solutions/ht002240