I have a multi-stage strategy.

First and most important, physical security. My computer is valuable enough that if I left it unattended in public, someone would probably nick it and put it on ebay. So I only leave it unattended in places with good enough physical security.

Secondly, I avoid doing anything that would impose spy-thriller-movie-level security requirements on my equipment. My employer wants to secure a critical code signing key? I'll be happy to sort them out with their own HSM in their own properly secured data centre, or their own USB stick in a bank vault, or whatever their requirements dictate. My personal security research? I anonymously publish anything interesting I find right away. And I strictly avoid going to countries where I think the government ought to be overthrown.

Therefore, the chances of an attack targeting my boot firmware are exceptionally small.

Finally, I embrace the reality that the TPM wouldn't have helped me anyway. Firstly the security the TPM offers depends on the security of the BIOS, and we all know that's a joke. Secondly, even if the TPM worked perfectly and the BIOS was secure and so on, an attacker in a position to mess with my firmware could just as easily install a physical keylogger, or a hidden camera pointing at my keyboard, or just have masked goons hit me with a $5 wrench until I tell them the password.

I'm saying you shouldn't do things so risky that a squad of spies would get sent to monitor you, learn your routine, pick your house's locks while you're at work, sneak in, dismantle your computer, image your encrypted hard disk, overwrite the bootloader with a special version that will record the FDE password next time you enter it and send it to them, reassemble your computer and sneak out undetected.

Because that's what an "evil maid attack" means, once you've got basic physical security in place.

As I'm not Ross Ulbricht or Julian Assange, I'm willing to take my chances.

It's also common knowledge that all adversaries view people who have higher security than the average person as a person of interest or a mark. If they are spies they think you don't need privacy if you have nothing to hide and if you are trying to hard to hide then you must have something important to hide. Criminals think if you have security then you must have something valuable to protect.

Also some of the methods described her this thread seem impractical and extreme but one you go down this rabbit hole of security and privacy, you become used to gradually putting in a little more extra effort for better security and privacy. Normal users can't understand how someone can survive with having to toggle scripts on/off with the noscripts extension but for most people who are interested in security and privacy that is easy and effortless like breathing air.

Tbh, I for myself would not care for physical intrusion. If someone (private or state sponsored) has the willingness to intrude into my home, them tampering with my PC is the least of my concerns. As someone else also mentioned: A $5 wrench will be more effective than any measures you can do by modifying your pc.

Regarding tamper evidence, there have been multiple Defcon / Blackhat talks about tamper evidence. One thing that comes into mind is vacuum sealing a notebook into a bag with colored beans and taking a photo. This way, it will be impossible to access the pc without disturbing the pattern of beans surrounding the PC. You just need the software to compare photos to know if the sealed bag has been tampered with.

That methods goal is to be tamper evident. You are referring to tamper proofing which opens up another whole can of worms.

s/TPM/fTPM/

Some laptops have a discrete pTPM in addition to the ME's firmware TPM, which can be used for firmware validation, disk encryption, etc.

Some OEMs can detect when the chassis is opened, e.g. HP TamperLock, https://h20195.www2.hp.com/v2/getpdf.aspx/4AA7-8167ENW.pdf

I'd recommend taking a very high res photo of the welds so you can compare later if tampering is suspected.

What's the goal here? Why can't the same super-powered evil maid just create a visually-identical replica of your entire computer, login UI included, then MITM your password / unlock sequence ?

Then go through your original computer at their leisure with the captured password, while you ponder why "your" computer just crashed after login...

Or do you mean to do everything on my computer without having access to any hardware/firmware? You would just simply boot up the computer and somehow hack it? How?

There was an article [0] posted some days ago, they reccomended a transparent container and a mixture of red and brown lentils, and work just as with the glitter nail polish.

[0] https://www.anarsec.guide/posts/tamper/

Or do you mean to encrypt your data and upload to the cloud? Then download the data when you need to use it? And how are you managing all the passwords and encryption keys? I think you would need to keep quite a bit of sensitive data on that travel computer so you would need tamper evidence on it as well.

Or I think I must be completely missing out on something here what you are saying. Maybe you can elaborate a bit? It sounds interesting.

Buy a random older computer with cash. Nothing critical needs more than 512mb anyway.

Faraday caged, WIFI/Bluetooth/EM sensitive heartbeat monitors, decentralized fail-safe Live feeds,full air gapped setup with UPS, white-noise machines, and only transmit data via QR codes.

Hope the monitor you chose to display QR and the web-camera are also faraday'd.

Hope the computer you are using to display the QR never gets compromised, and the QR-code reader, at the same time.

It's easier to send a squid-team with a $5 wrench.