Likely sitting on an unencrypted /boot, waiting to be replaced by one with a keylogger, am I right? Of course a sane person doesn't trust a system that's been compromised before nuking it and reloading from a clean image.
There is unfortunately relatively little you can do to thwart such an attack, apart from keeping your notebook with you at all/most times.
Though using a USB key for /boot might be an idea: it is a little less clunky than a ThinkPad, and since I suspend to RAM most of the time, it could even be practical. Hm.
Can't TPM be used for this? It could verify your /boot with keys external to the disk itself. I'm not sure if somebody has actually built a solution that uses it yet.
Sure it can, as can its evolution in the form of UEFI's Secure Boot. The problem is that everyone wants to label these as technologies to enable lock-in instead of technologies that provide a trusted boot chain to ensure your system isn't compromised.
It could (the same goes for Secure Boot, in some sense). But the three-letter agencies from whom you want to protect yourself here likely have backdoor keys</paranoia>.
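The "verify /boot with keys external to the disk" idea from the thread, as an added example that is not from any of the posters: a manifest of SHA-256 hashes for every file in /boot, authenticated with an HMAC key you keep off the disk (a USB stick you carry), so a swapped kernel or initrd, or a doctored manifest, shows up on the next check. The TPM and Secure Boot parts are not modelled; the directory contents and the key are constructed stand-ins.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def hash_tree(root):
    """Map each regular file under root (relative path) to its SHA-256 hex digest."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def build_manifest(root, key):
    """Snapshot the tree and authenticate the snapshot with an HMAC under a key
    that lives off the disk being checked (e.g. on a USB stick you keep with you)."""
    files = hash_tree(root)
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify_tree(root, manifest, key):
    """Return (ok, problems). A tampered manifest and a tampered file both fail."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return False, ["manifest HMAC mismatch (manifest itself was altered)"]
    current = hash_tree(root)
    problems = [f"modified: {p}" for p, d in manifest["files"].items()
                if p in current and current[p] != d]
    problems += [f"missing: {p}" for p in manifest["files"] if p not in current]
    problems += [f"unexpected: {p}" for p in current if p not in manifest["files"]]
    return not problems, problems

def demo():
    """Constructed stand-in for /boot: a temp dir holding a fake kernel and initrd."""
    key = b"constructed-demo-key-keep-this-off-the-disk"  # assumption: stored on USB
    with tempfile.TemporaryDirectory() as boot:
        (Path(boot) / "vmlinuz").write_bytes(b"kernel image bytes")
        (Path(boot) / "initrd.img").write_bytes(b"initramfs bytes")
        manifest = build_manifest(boot, key)
        clean_ok, _ = verify_tree(boot, manifest, key)
        # Simulate the swap the thread worries about: a different initrd appears.
        (Path(boot) / "initrd.img").write_bytes(b"initramfs with an extra module")
        tampered_ok, problems = verify_tree(boot, manifest, key)
    return clean_ok, tampered_ok, problems

if __name__ == "__main__":
    print(demo())
```

Because this check runs only once the OS is up, it detects a swap after the fact rather than refusing to boot it; that is the gap a TPM-measured or Secure Boot chain closes.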