Similarly this could be an X/Y problem, so if you think I'm going about this the wrong way, feel free to suggest changes. Similarly, I could use UEFI Secure Boot to restrict booting onto only my honey trap and "true" kernels and initial ramdisks, but my laptop isn't UEFI-compatible :( Is this possible - if so, how can I do this/where can I find suitable documentation? Everywhere I've looked suggests using PLoP, LILO or some other software, when I'm sure this should be possible from GRUB alone. If you would like your USB drive to be able to boot from multiple computers, both BIOS and UEFI: Use mkusb to make a Live system on the Installer USB (2GB or larger). If I do this, I won't be able to boot from my USB - so I'll need a way to chainload GRUB on my USB from GRUB on my hard drive. Obviously this wouldn't stop them removing the HDD and wiping it, but it's a step against a low-level thief. To stop a potential thief from wiping the hard drive, I'm going to apply a BIOS password and disable booting from external devices.
PUT JUST GRUB ON USB INSTALL
I'll install a copy of Tiny Core Linux (Or dare I say - Windows) on my laptop which will only boot when I don't plug in my USB stick. To do this, I want to move the standard GRUB, kernel and inital ramdisk onto a USB stick that I'll keep with me at all times. For this reason, I want to configure a honey-trap that will allow the laptop to run Prey if a thief boots the laptop. In the case of my laptop being stolen, I don't have anything set up at the moment that would help me/the police recover it. I currently have full disk encryption with LUKS set up through the installer - this is pretty much a vanilla configuration as per installer defaults, with an unencrypted boot partition that asks me to unlock the disk.
I'm taking steps to secure my laptop - from both a data security and physical security point of view.