I'm using a thinkpad t400, it's one of those lucky computers where libreboot is aviable. With libreboot and debian installed, there should be no propietary software running on this machine (except things like hdd firmware, but afaik theres no way to avoid that). I configured the included grub payload to check the kernel's pgp signed signature before booting, and set a grub password so that an attacker hopefully can't turn this off. As grub is stored inside the flash chip together with libreboot, and this is set to read only, the only possibility here is to disassemble the whole laptop, flash a infected libreboot version which no longer checks the signature and logs the encryption password. Are i am right or are there other possibilities to circumvent this? Imho this libreboot setup should be one of the most secure boot setups one can have, especially because it's 100% foss..