Comment by gorgoiler

Sorry, I wasn’t clear enough. We’re talking about three things here:

(1) Encryption: fast and fantastic, and a must-have for at-rest data protection.

It is vulnerable to password theft though. An attacker might insert evil code between power-on and disk-password-entry. With a locked down BIOS / UEFI, the only way to insert the code is to take the boot drive out of the device, modify it, put it back, and hope no one notices. “Noticing” in this case is done by either:

(2) Trust chaining: verify the signatures of the entire boot process to detect evil code.

(3) Tamper detection: verify the physical integrity of the device.

My point is that (1) is a given, and out of (2) or (3), I’d rather have the latter than deal with the shoddiness of the former