[SteveNuts]

This one makes sense to me, if someone has access to the console during boot, there's not much sense in preventing them from logging in. At that point they could just pull the drive and mount it in a different computer and replace passwd and shadow.

If you want to prevent this you need full disk encryption

[vbezhenar]

Just full disk encryption does not solve the problem fundamentally. Malicious user with physical access could just install keylogger into bootloader which would log the password on the next boot.

To protect from that threat you need secure boot which verifies checksums from BIOS to kernel.

[rocqua]

Full disk encryption alone suffices against device theft, presuming the device is turned off. More complicated threat models like an evil-maid attack are much harder to defend against.

Secure boot, and temper-evident device seals, form the outline of a solution. As far as I know though, these are still far from foolproof. Really I would say defending from an evil maid attack is still an open problem.

Something very similar holds for theft of devices that are still on.