Generally, there are some trivial precautions that will frustrate all but the most concentrated effort. Things like TRESOR, grsecurity, /boot on an USB stick, etc.
Uh huh. What if I have a deal with Intel and your TRESOR code compiled into the kernel is easily profiled by the microcode and the key is itself silently transmitted/stored by the CPU?
Same with your USB stick.
Go read up on how the CIA sabotaged the Iranian nuclear enrichment centrifuges by compromising the supply chain of the power supplies (not the computer controls).
In that case, airgap and strict media discipline (once media touches the secure network, it's never used on insecure networks again) should do, no?
But my point is that most us aren't foreign states trying to make nuclear reactors against the wishes of a superpower. We're more worried about things like common theft and border seizures.
Same with your USB stick.
Go read up on how the CIA sabotaged the Iranian nuclear enrichment centrifuges by compromising the supply chain of the power supplies (not the computer controls).