my approach is to make two stages of the boot process
the layout is like this:
luks encrypted /boot with the luks header for the rest of the system
dm-crypt for the rest, with btrfs to make the sys more granular, like for a compressed /home
the 1st stage is to unlock /boot from /boot/efi, and then i can see if it's my composition there, as it can only be changed entirely, and i can put any kinda magic there to make it hard to copy its interface (style + whatever hard-to-figure-out generated code to display). then check if the /boot/efi is intact, and then i can enter the pw for the dm-crypt’d part with all of my treasures.
actually it won't protect against firmware hacking, but i could lock the house with whatever sticker that will be destroyed in case of messing with it, and also, it won't protect against entering from the sw side, but that's another thing…
(btw it is under construction at the moment, with a custom one-time-effort void linux installer that will make everything i need on a fresh system (ok, 2 times, i'm writing it in bash, but i plan to write it later in lua with more flexibility and automagic, as i orient there everything, but now i just want to make it ready sooner than later, and all the resources are in bash…))
all the best to all of u!
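
One way to do the "check if the /boot/efi is intact" step from the post above, as an added example that is not the poster's installer code: hash every file on the unencrypted ESP and compare against a manifest recorded while the ESP was known good. It assumes the manifest is kept on the encrypted /boot; the function names and the paths in the comments are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed layout:
#   ESP mounted at /boot/efi, manifest stored at /boot/esp.sha256 (hypothetical path).

# Print "sha256  ./relative/path" for every regular file under $1, sorted by path
# so that two runs over the same content give byte-identical output.
esp_manifest() {
    (
        cd "$1" || exit 1
        find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2
    )
}

# Compare the ESP at $1 with the trusted manifest $2.
# Returns 0 if every file matches and nothing was added or removed,
# 1 on any difference (details on stderr), 2 if the inputs cannot be read.
esp_verify() {
    esp=$1
    manifest=$2
    [ -r "$manifest" ] || return 2
    current=$(esp_manifest "$esp") || return 2
    if [ "$current" = "$(cat "$manifest")" ]; then
        return 0
    fi
    # '<' lines: entries the manifest expects that are missing or changed.
    # '>' lines: files on the ESP that are new or changed.
    printf '%s\n' "$current" | diff "$manifest" - | grep '^[<>]' >&2
    return 1
}

# Typical use after unlocking /boot in stage 1 (not executed here):
#   esp_manifest /boot/efi > /boot/esp.sha256     # once, on a known-good system
#   esp_verify /boot/efi /boot/esp.sha256 || echo "ESP changed, do not enter the pw"
```

The manifest has to be regenerated after every legitimate change to the ESP (bootloader or stage-1 update), otherwise the check fails on your own updates.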