by crotchfire 887 days ago
Yes of course you can. Just run `signify -V` in userspace under the pre-kexec() kernel to check the signature on the post-kexec() kernel/initrd.

You can network boot too; just run `busybox udhcpc`.

I think you misread my comment. I never described signature-checking or network boot as bloat. I said it was stupid to have to implement these things twice (once in mainline Linux and then all over again in kooky UEFI-land with its bizarre API, ABI, and wacky rules).

I still think it is stupid to do that, because it is. We have working, high-quality, battle-tested implementations of all this stuff. Use them.
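
The verify-then-kexec flow described in the comment above, as an added example that is not part of the original comment. The public key path, the `<file>.sig` detached-signature naming and the function names are assumptions; `signify` is installed as `signify-openbsd` on some distributions, hence the overridable `SIGNIFY` variable.

```shell
#!/bin/sh
# Added example: check signify signatures on the next kernel and initrd,
# and only hand them to kexec if both verify (fail closed).
SIGNIFY=${SIGNIFY:-signify}
KEXEC=${KEXEC:-kexec}
PUBKEY=${PUBKEY:-/etc/boot/boot.pub}   # assumed location of the trusted key

# verify_file FILE: check FILE against its detached signature FILE.sig.
verify_file() {
    "$SIGNIFY" -V -q -p "$PUBKEY" -x "$1.sig" -m "$1"
}

# stage_next_kernel KERNEL INITRD CMDLINE
# Copies the images into a private directory first, so the bytes that were
# verified are the bytes that get loaded (nothing can swap the file between
# the check and the load). Returns non-zero without calling kexec if either
# signature fails. The caller runs "kexec -e" afterwards to jump.
stage_next_kernel() {
    kernel=$1 initrd=$2 cmdline=$3
    work=$(mktemp -d) || return 1
    cp "$kernel" "$work/kernel" && cp "$kernel.sig" "$work/kernel.sig" &&
    cp "$initrd" "$work/initrd" && cp "$initrd.sig" "$work/initrd.sig" || {
        rm -rf "$work"
        return 1
    }
    if verify_file "$work/kernel" && verify_file "$work/initrd"; then
        "$KEXEC" -l "$work/kernel" --initrd="$work/initrd" \
            --command-line="$cmdline"
        rc=$?
    else
        echo "signature check failed; not loading next kernel" >&2
        rc=1
    fi
    rm -rf "$work"
    return "$rc"
}
```

The trust anchor here is the public key inside the pre-kexec image, so that image itself still has to be loaded from somewhere trusted.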