Make /boot and / RO.
Doesn't help. If someone's gained root access they can just modify /dev/sda directly.

CRC the /boot partition and make an independent system check and verify it before booting it.
That'd work, though you'd want to use a cryptographic signature instead of a CRC - it's easy to force a CRC to match. The easiest thing to do would be to have the firmware verify the signature; that way you don't need a second computer to verify your laptop every time you want to boot it. And... you've just reinvented Secure Boot.
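
The CRC-versus-signature point above, as an added example that is not part of the original comment: a verifier comparing CRC32 accepts a changed image once four compensating bytes are appended, while a keyed check rejects it. HMAC-SHA256 stands in for the public-key signature (an assumption, since the Python standard library has no signature scheme), and the image, key and function names are constructed for illustration.

```python
import hashlib
import hmac
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial, the one zlib uses

def _tables():
    fwd, rev = [], [0] * 256
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        fwd.append(c)
        rev[c >> 24] = i  # the top byte of every table entry is unique
    return fwd, rev

FWD, REV = _tables()

def crc_matching_suffix(data: bytes, target_crc: int) -> bytes:
    """Return 4 bytes such that crc32(data + suffix) == target_crc.
    Possible because CRC is linear and unkeyed: no secret is involved."""
    state = zlib.crc32(data) ^ 0xFFFFFFFF   # internal register after data
    want = target_crc ^ 0xFFFFFFFF          # register value we must end on
    for _ in range(4):                      # step the register back 4 bytes
        idx = REV[want >> 24]
        want = (((want ^ FWD[idx]) << 8) & 0xFFFFFFFF) | idx
    return (want ^ state).to_bytes(4, "little")

def verify_crc(image: bytes, expected_crc: int) -> bool:
    return zlib.crc32(image) == expected_crc

def verify_mac(image: bytes, key: bytes, expected_tag: bytes) -> bool:
    tag = hmac.new(key, image, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected_tag)

# Constructed sample data: a stand-in "boot image" and the reference values
# an independent verifier would hold.
ORIGINAL = b"kernel-image-v1 " * 64
KEY = b"constructed-demo-key"
REF_CRC = zlib.crc32(ORIGINAL)
REF_TAG = hmac.new(KEY, ORIGINAL, hashlib.sha256).digest()

def modified_image() -> bytes:
    changed = ORIGINAL.replace(b"v1", b"vX", 1)
    return changed + crc_matching_suffix(changed, REF_CRC)

if __name__ == "__main__":
    img = modified_image()
    print("CRC check accepts modified image: ", verify_crc(img, REF_CRC))
    print("HMAC check accepts modified image:", verify_mac(img, KEY, REF_TAG))
```
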