In theory you could add a BIOS password, turn off booting from USB, sign your Grub bootloader, import the signing key, use full disk LUKS (including boot) via the Grub-Luks unlocking module (you need a key for your partition in your initrd too if you don't want to enter your password twice) and enable TPM.
In that setup, even if someone stole your laptop, it would be unusable, short of opening it up and fully resetting the BIOS/UEFI to its factory state, correct?
(My laptop has full-disk LUKS, a BIOS/UEFI password and doesn't boot from USB, but I still have TPM disabled and haven't signed my Grub bootloader yet.)
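As an added example (not part of the original post), a small POSIX shell audit that reports which of the layers listed above a Linux host actually exposes: the firmware's Secure Boot state, a kernel-visible TPM, a GRUB config that unlocks LUKS for /boot, and a crypttab keyfile. The efivars path, `/sys/class/tpm`, `/boot/grub/grub.cfg` and `/etc/crypttab` are the usual locations and are assumed here; each check takes its path as an argument so it can be run against copied files.

```shell
#!/bin/sh
# Added audit script, not from the original post. It reports which of the boot-chain
# layers listed above the running system exposes. Each check takes its input path as
# an argument so it can also be run against copied files. The BIOS password and the
# USB-boot lockout live in firmware setup and are not visible from the OS.

# UEFI SecureBoot variable: a 4-byte attribute header followed by a 1-byte value.
sb_state() {  # $1: efivar file
    [ -r "$1" ] || { echo unknown; return; }
    case "$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# TPM: the kernel creates /sys/class/tpm/tpm0 only when an enabled TPM is driven.
tpm_present() {  # $1: tpm class directory
    if [ -d "$1/tpm0" ]; then echo yes; else echo no; fi
}

# Encrypted /boot: grub-mkconfig emits "cryptomount" when GRUB_ENABLE_CRYPTODISK=y,
# which is the GRUB-side LUKS unlock the post refers to.
grub_unlocks_luks() {  # $1: grub.cfg
    if grep -q '^[[:space:]]*cryptomount' "$1" 2>/dev/null; then echo yes; else echo no; fi
}

# Keyfile in the initrd: a crypttab entry whose third field is neither "none" nor "-"
# names a keyfile, which is what spares the second passphrase prompt.
crypttab_keyfile() {  # $1: crypttab file
    [ -r "$1" ] || { echo no; return; }
    awk '!/^[ \t]*(#|$)/ { if ($3 != "" && $3 != "none" && $3 != "-") f = 1 }
         END { print (f ? "yes" : "no") }' "$1"
}

audit() {
    sb=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
    printf 'Secure Boot enforced by firmware: %s\n' "$(sb_state "$sb")"
    printf 'TPM visible to the kernel:        %s\n' "$(tpm_present /sys/class/tpm)"
    printf 'GRUB unlocks LUKS /boot:          %s\n' "$(grub_unlocks_luks /boot/grub/grub.cfg)"
    printf 'Keyfile configured in crypttab:   %s\n' "$(crypttab_keyfile /etc/crypttab)"
}

audit
```

A "no" or "unknown" line points at the layer still missing from the chain the post describes; "unknown" for Secure Boot usually means the machine booted in legacy BIOS mode, where no signature check of GRUB happens at all.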