Obviously, with a state adversary, you’d be fucked.
But how about, if I want to prevent a douchebag sibling or roommate from replacing the bootloader of an encrypted laptop with a malicious version they got from some dark web site as a “prank”? Assuming you can’t just lock the device in a safe.
With phones, they all have verified boot.
But with Windows + Veracrypt, an attacker can just replace the Veracrypt Bootloader.
Is there an alternative? Or do I just have to use Bitlocker? (again, non-state adversaries)
As another poster mentioned, QubesOS with Anti Evil Maid will work, but that’s the defense against state actors too and is overkill for this threat model.
BitLocker or any FDE using Secure Boot and PCR 7 will be sufficient for this (with Linux you also need PCRs 8+9 to protect against GRUB and initramfs attacks). Even if they can replace something in the boot chain with something trusted, it’ll change PCR 7 and you’d be prompted to unlock with a recovery key (don’t blindly enter it without verifying the boot chain and knowing why you’re being prompted).
With Secure Boot alone, the malicious bootloader would still need to be trusted (something like BlackLotus).
Also make sure you have a strong BIOS password and disable boot from USB, PXE, and anything else that isn’t the specific EFI bootloader used by your OS(es).
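To make concrete what the answer above relies on (an FDE key sealed to PCR values, and why Linux needs PCRs 8 and 9 in addition to 7), here is an added Python simulation that is not part of this thread: it models the TPM PCR extend chain and a simplified sealing policy, then shows that a swapped initramfs is caught by a policy over PCRs 7+8+9 but not by PCR 7 alone. All boot component contents are constructed, and `policy_digest` is a simplified stand-in for TPM2_PolicyPCR, not the real TPM algorithm.

```python
import hashlib
from typing import Dict, List, Tuple

PCR_SIZE = 32
Event = Tuple[int, bytes]  # (PCR index, bytes of the measured boot component)

def extend(pcr_value: bytes, component: bytes) -> bytes:
    """PCR_new = SHA-256(PCR_old || SHA-256(component)), as TPM2_PCR_Extend chains digests."""
    return hashlib.sha256(pcr_value + hashlib.sha256(component).digest()).digest()

def measure_boot(events: List[Event]) -> Dict[int, bytes]:
    """Replay a boot event sequence into PCRs that start as all zeros at power-on."""
    pcrs: Dict[int, bytes] = {}
    for idx, component in events:
        pcrs[idx] = extend(pcrs.get(idx, bytes(PCR_SIZE)), component)
    return pcrs

def policy_digest(pcrs: Dict[int, bytes], selection: List[int]) -> bytes:
    """Value the sealed FDE key is bound to. Simplified stand-in for TPM2_PolicyPCR
    (assumption: the real policy also hashes in the command code and PCR selection)."""
    h = hashlib.sha256()
    for idx in sorted(selection):
        h.update(bytes([idx]) + pcrs.get(idx, bytes(PCR_SIZE)))
    return h.digest()

def can_unseal(sealed_policy: bytes, events: List[Event], selection: List[int]) -> bool:
    """True if this boot reproduces the policy the key was sealed under; otherwise the
    TPM refuses to release the key and the user lands at the recovery-key prompt."""
    return policy_digest(measure_boot(events), selection) == sealed_policy

def swap(events: List[Event], old: bytes, new: bytes) -> List[Event]:
    """Same boot chain with one measured component replaced."""
    return [(idx, new if comp == old else comp) for idx, comp in events]

# Constructed sample boot chain (hypothetical component contents, not real measurements).
GOOD_BOOT: List[Event] = [
    (7, b"SecureBoot=1"),
    (7, b"authority:db:Vendor UEFI CA"),  # certificate that authenticated the bootloader
    (4, b"bootloader-image-v1"),
    (8, b"grub: linux /vmlinuz root=/dev/mapper/root"),
    (9, b"initramfs-v1"),
]

if __name__ == "__main__":
    sealed = policy_digest(measure_boot(GOOD_BOOT), [7, 8, 9])
    tampered = swap(GOOD_BOOT, b"initramfs-v1", b"initramfs-modified")
    print("clean boot unseals:", can_unseal(sealed, GOOD_BOOT, [7, 8, 9]))      # True
    print("modified initramfs unseals:", can_unseal(sealed, tampered, [7, 8, 9]))  # False
```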