I am curious about something regarding evil maid attacks. We know that these attacks consist of an intruder accessing the encrypted computer and modifying the boot loader to include a keylogger or a bootkit. It will then wait until the user powers on the computer again and enters the passphrase. The keylogger will now remember this passphrase and write it down somewhere so that it can be retrieved later.
My question is where such a keylogger would write down this passphrase, and how it can be detected. It's possible to do a binary comparison of the boot sector(s) against a backup, but some bootkits will attempt to disguise themselves so that the bootloader appears to be untouched. Assuming the disk firmware has not been modified, we can detect it by booting from an uninfected device, e.g. a live CD, and doing the comparison there.
Okay, but putting that aside, I'm curious to know where such a bootkit would put the collected data. If we're talking about hard disks, most modern operating systems will leave the first 2048 sectors (512 B each) free before the first partition starts, so that's a potential candidate. There's also inter-partition space, there is unused disk space at the end of the disk, and there may be an HPA.
But okay, would it be technically feasible to protect yourself against this type of attack by eliminating free space, i.e. remove the HPA and repartition the HDD so that there is no free space left at the end of the disk, nor any inter-partition space, and make it so that the first partition starts right after the boot loader data? In this case the bootkit will be unable to replace the bootloader, because it will need some extra space for the keylogger code. And since there is none left on the HDD, it's a no-go.
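As an added example (not part of the question above), here is a small audit that does two of the things discussed: it lists the unallocated sector ranges of an MBR-partitioned disk (the gap after the MBR, inter-partition gaps and the tail) and it hashes the pre-partition region so the result can be compared with a baseline recorded from a trusted boot environment. It works on a constructed in-memory image; on a real disk you would read the same LBA ranges from a live CD and keep the baseline hash off the machine, and, as the question notes, it assumes the drive firmware is honest.

```python
"""Audit unallocated space and the boot region of an MBR disk image.
Constructed example: the image is built in memory, not read from a drive."""
import hashlib
import struct

SECTOR = 512


def partitions(mbr: bytes):
    """Yield (start_lba, size_in_sectors) for the four primary MBR entries."""
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        start, size = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and size:
            yield start, size


def unallocated_ranges(mbr: bytes, total_sectors: int):
    """Return [(first_lba, last_lba)] of sectors not covered by any partition.
    LBA 0 (the MBR itself) is excluded; everything else unassigned is reported,
    which is where a bootkit could stash collected data or its own loader."""
    used = sorted(partitions(mbr))
    gaps, cursor = [], 1
    for start, size in used:
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, start + size)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def region_digest(image: bytes, first_lba: int, last_lba: int) -> str:
    """SHA-256 of an inclusive sector range; compare with a baseline taken
    while booted from a trusted medium to detect modification."""
    chunk = image[first_lba * SECTOR:(last_lba + 1) * SECTOR]
    return hashlib.sha256(chunk).hexdigest()


def build_image(total_sectors: int, parts) -> bytearray:
    """Constructed zero-filled image with a minimal MBR partition table."""
    img = bytearray(total_sectors * SECTOR)
    for i, (start, size) in enumerate(parts):
        off = 446 + 16 * i
        img[off + 4] = 0x83  # hypothetical Linux partition type
        struct.pack_into("<II", img, off + 8, start, size)
    img[510:512] = b"\x55\xaa"  # MBR boot signature
    return img
```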