OpenBSD can do FDE with just the MBR and softraid meta-data left unencrypted, on i386, amd64, and sparc64. No need for messing with the BIOS. With UEFI a DOS partition for the EFI files is required as well. Using a USB key disk instead of a password is possible.
https://www.openbsd.org/papers/eurobsdcon2015-softraid-boot.pdf
It is vulnerable to the boot loader (or anything below) being swapped out with malicious code, but that’s as good as OS-provided FDE can get with off-the-shelf hardware.
The only thing I’m missing is FDE for some additional hardware platforms supported by OpenBSD.