You can't encrypt an entire HDD and still boot from it without being able to access the data. I mean, if the bootloader can access it, anyone can. What you want to look into is creating a boot loader that has access to just enough to boot, and make the rest secure.
Preferably you want to compile your OS/program to a state where decompiling becomes so time-consuming that they'd be better off developing something themselves. Perhaps it is an idea to make the code run solely on specific hardware tags. If the hardware is not present, it gives a weird error.
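The hardware-tag idea above, as an added example that is not part of the original post: a key is derived from identifiers read from the machine, and only a salt and a check value are stored, so the loader obtains a usable key only when the same tags are present. The tag names, sample values, label and PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os

VERIFY_LABEL = b"hw-binding-check-v1"  # constructed domain-separation label
ITERATIONS = 100_000                   # assumed work factor

def canonical_tags(tags: dict) -> bytes:
    """Encode tags unambiguously: sorted keys, length-prefixed fields."""
    out = bytearray()
    for name in sorted(tags):
        for field in (name.encode(), tags[name].strip().upper().encode()):
            out += len(field).to_bytes(4, "big") + field
    return bytes(out)

def derive_key(tags: dict, salt: bytes) -> bytes:
    # A slow KDF raises the cost of guessing low-entropy identifiers.
    return hashlib.pbkdf2_hmac("sha256", canonical_tags(tags), salt,
                               ITERATIONS, dklen=32)

def enroll(tags: dict) -> dict:
    """Run once on the authorized machine; store the result beside the loader."""
    salt = os.urandom(16)
    key = derive_key(tags, salt)
    check = hmac.new(key, VERIFY_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "check": check}  # the key itself is never stored

def unlock(tags: dict, record: dict):
    """Return the 32-byte key if the present hardware matches, else None."""
    key = derive_key(tags, record["salt"])
    check = hmac.new(key, VERIFY_LABEL, hashlib.sha256).digest()
    if not hmac.compare_digest(check, record["check"]):
        return None
    return key

# Constructed sample identifiers (hypothetical names and values).
SAMPLE_TAGS = {"board_serial": "CONSTRUCTED-0001", "nic_mac": "02:00:00:00:00:01"}

if __name__ == "__main__":
    record = enroll(SAMPLE_TAGS)
    print("same hardware:", unlock(SAMPLE_TAGS, record) is not None)
    swapped = dict(SAMPLE_TAGS, board_serial="CONSTRUCTED-0002")
    print("other hardware:", unlock(swapped, record) is not None)
```

Identifiers such as serial numbers are low-entropy and readable by anyone holding the machine, so this binds data to a device rather than protecting it from someone who has that device.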