Why not just go the more conventional approach of having a small stage-0 non-Linux loader stored in ROM which can validate an entire kernel stored on disk? If your goals are solely around trusted boot chain it makes more sense to keep the trust root (initial bootloader and verification) as small and possible to audit as possible, right? Even the Linux kernel seems like a pretty big attack surface to keep in ROM