> If an evil maid came by and got access to my machine, they would still
> be able to tamper with the bootloader code to harvest the FDE password
> when I returned.
>
> I want to put the whole bootloader (including the code used to decrypt
> the softraid-FDE-encrypted root-partition-containing media) on a USB
> disk.
>
> This way the evil maid would have nothing to tamper with.

I recently finished my master's thesis that solves this problem by including the Trusted Platform Module (TPM) in the boot process of OpenBSD. It extends the Chain of Trust up to boot(8) and allows you to seal a secret of your choice to the platform state. To check whether the unencrypted boot components got tampered with, you can unseal and verify the secret to ensure that the contents of the MBR, PBR and boot(8) are unchanged.

It is not exactly the solution you were looking for, but it should solve the problem that you describe. Does this sound like something you would be willing to try, and does your machine have a TPM 1.2 chip?

Best regards
Julius
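
An added example (not code from the thesis or from OpenBSD): a Python model of the measurement chain described in the message above, using the TPM 1.2 extend rule PCR_new = SHA1(PCR_old || SHA1(data)). The single PCR, the measurement order, the component bytes and the `ToySealedBlob` class are assumptions made for illustration.

```python
import hashlib
import hmac

PCR_RESET = b"\x00" * 20  # TPM 1.2 PCRs hold a 20-byte SHA-1 value, zeroed at reset


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA1(PCR_old || SHA1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_chain(stages) -> bytes:
    """Measure every boot stage, in order, into one PCR (assumed layout)."""
    pcr = PCR_RESET
    for _name, image in stages:
        pcr = extend(pcr, image)
    return pcr


class ToySealedBlob:
    """Model of sealing: the secret is released only for the recorded PCR value.
    A real TPM keeps the secret encrypted under a key that never leaves the chip."""

    def __init__(self, secret: bytes, pcr_at_seal: bytes):
        self._secret = secret
        self._pcr = pcr_at_seal

    def unseal(self, current_pcr: bytes):
        if hmac.compare_digest(self._pcr, current_pcr):
            return self._secret
        return None  # platform state differs from the state at seal time


# Constructed stand-ins for the three unencrypted components named in the message.
GOOD = [("MBR", b"mbr-image-v1"), ("PBR", b"pbr-image-v1"), ("boot(8)", b"boot-image-v1")]
# Same chain with a modified boot(8): one changed stage changes the final PCR.
TAMPERED = GOOD[:2] + [("boot(8)", b"boot-image-v1-modified")]
# Same bytes measured in a different order: extend is order-sensitive.
REORDERED = [GOOD[1], GOOD[0], GOOD[2]]

SECRET = b"phrase only the owner knows"  # constructed sample secret
blob = ToySealedBlob(SECRET, measure_chain(GOOD))

if __name__ == "__main__":
    for label, chain in (("good", GOOD), ("tampered", TAMPERED), ("reordered", REORDERED)):
        pcr = measure_chain(chain)
        print(f"{label:10s} PCR={pcr.hex()} unsealed={blob.unseal(pcr)!r}")
```

The owner checks the unsealed secret before typing the FDE passphrase; if it does not appear, one of the measured components changed since sealing.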