Change the bootloader and /bin/init so that it captures the disk encryption password as you enter it. It could then send it to me, or add a second password that I know so that I can decrypt it with later physical access.
Actually, on second thought, it's secure boot that protects against this attack, which doesn't require or use a TPM? So maybe I'm wrong
Actually, on second thought, it's secure boot that protects against this attack, which doesn't require or use a TPM? So maybe I'm wrong