The attacker does this when the drive is already unlocked & the OS is running.

Backdooring your kernel is much, much more difficult to recover from than a typical user-mode malware infection.

> The attacker does this when the drive is already unlocked & the OS is running.

But then you're screwed regardless. They could extract the FDE key from memory, re-encrypt the unlocked drive with a new one, disable Secure Boot and replace the kernel with one that doesn't care about it, copy all the data to another machine of the same model with compromised firmware, etc.
