@Kyle_Rankin i see one issue with your approach to tampering detection:
-
thanks to systemd there is no longer /bin /sbin /lib /libx32 /lib32 /lib64
all those are symlinks to /usr/*
times where system was cut into 2 pieces (boot/startup critical + core system tools in /, rest of userspace in /usr) ended… -
what is the sense of tampering detection on / if i have whole system encrypted
and more rethorical question:
why we keep /boot uncencrypted?
technically ore wise would be keep entire disk encrypted, and use TPM LUKS Unseal.