1. Either build your new system yourself from retail purchased parts, or acquire a used laptop locally. In other words, you go give money and get a machine, not have someone send it to you where it might be intercepted or modified. YOU pick the hardware seller randomly and then YOU take it home unintercepted.
2. This is the part that hurts. Lock your machine PHYSICALLY so nobody can mess with it without making it obvious. I recommend a BIOS-PASSWORD, and then epoxy the case so nobody can mess with the chips without you knowing about it.
3. Lock the operating system down so that nobody can enter single-user mode, or boot from alternate devices. I recommend whole-disk encryption, disabling single-user-mode or rescue mode, and eliminating the bootloader menu (I use GRUB, but the concept carries over).
4. Lock the privileged access so that nobody can execute privileged commands, load drivers, etc. unless IT'S REALLY YOU doing it NOT UNDER DURESS. That means have alternatives so if there's a gun or warrant to your head you can appear to be cooperative but the end result is less useful for the villain.
5. Once you have a configuration you like, consider it LOCKED, STATIC, FROZEN, and do not update operating system components, drivers, applications, etc. If you install new applications ensure you trust the source.
FINALLY, now that you have the hardware and software set, realize that you're still emitting lots of data whether screen, network, audio, etc. ENSURE that ALL your outside access is encrypted. If you're able to, route it through a VPN or TOR. You may think "Oh I don't need to encrypt everything... I'll just use the web normally for nonsensitive stuff." This is a fallacy. It both shows what you DON'T put out publicly (black box take shape the more you do public stuff but then don't do some stuff publicly) and it removes your ability to claim that encrypting is not purposefully deceptive, because --as you should-- you encrypt everything.
Also you've probably figured this out by now... but the COSTS to this security may include your destroying the device if it either fails to boot or appears to have been taken over or opened. It's a high cost in dollars, but it keeps your security absolute.
Ok, there's one more thing. Don't be a dipshit and enter in privileged passwords anywhere where someone is using a cellphone camera, Google Glass, or security cams are in play. It's not like "everyone" has those magic keep-zooming-forever-on-stored-video-because-resolution-is-unlimited cameras, but you don't know who does and who doesn't. If someone really wants your root or administrative password and they think you're gun/warrant proof, a few hidden spy cams are nothing in comparison.
Ehud