top | item 14872423


qb45 | 8 years ago

FDE isn't really "full disk" because it still leaves the kernel image unencrypted so that it is accessible to the bootloader. This image can then be maliciously edited by an "evil maid" attacker.

Chromebooks use kernel signing to prevent this. The problem is, Google doesn't give you keys to your hardware so you have to replace them yourself or use devmode which disables kernel verification.

Another possible solution is to keep the kernel on an external, physically secured pendrive and never forget to press CTRL-U during boot (to stop a hypothetical attack involving a malicious kernel installed to the internal flash which exfiltrates your FDE passphrase or something like that).
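The kernel-signing check qb45 refers to, as an added example that is not part of the comment or of any bootloader's code: a bootloader-side verifier that accepts a kernel image only if an Ed25519 signature over its SHA-256 digest validates under the owner's public key, so an image edited in place no longer boots. The signature scheme, the hash, and the stand-in image bytes are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"log"
)

// VerifyKernel is the bootloader-side check: it returns true only if sig
// is a valid Ed25519 signature, under pub, of the SHA-256 digest of the
// kernel image bytes. pub would live in the bootloader (or firmware), not
// on the unencrypted boot partition an attacker can edit.
func VerifyKernel(pub ed25519.PublicKey, image, sig []byte) bool {
	digest := sha256.Sum256(image)
	return ed25519.Verify(pub, digest[:], sig)
}

// SignKernel is the build-side step: whoever holds the private key
// (the hardware owner, once the keys have been replaced) signs the digest
// of the image they intend to boot.
func SignKernel(priv ed25519.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	return ed25519.Sign(priv, digest[:])
}

// Tamper models an in-place edit of the unencrypted image by flipping one
// byte; the signature made over the original digest must then fail.
func Tamper(image []byte) []byte {
	out := append([]byte(nil), image...)
	out[len(out)/2] ^= 0xff
	return out
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		log.Fatal(err)
	}
	// Constructed stand-in for a kernel image; a real check reads vmlinuz.
	image := []byte("constructed stand-in for a kernel image")
	sig := SignKernel(priv, image)
	fmt.Println("genuine image verifies:", VerifyKernel(pub, image, sig))
	fmt.Println("edited image verifies:", VerifyKernel(pub, Tamper(image), sig))
}
```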
