Probably worth taking a look at:
https://www.kernel.org/doc/html/v4.14/admin-guide/LSM/LoadPin.html
LoadPin is a Linux Security Module that ensures all kernel-loaded files (modules, firmware, etc) all originate from the same filesystem, with the expectation that such a filesystem is backed by a read-only device such as dm-verity or CDROM. This allows systems that have a verified and/or unchangeable filesystem to enforce module and firmware loading restrictions without needing to sign the files individually.
I find IMA in particular interesting:
https://en.opensuse.org/SDB:Ima_evm
This document describes the IMA and EVM technologies from the Linux integrity subsystem, and how they can be utilized on SUSE Linux distributions.
Basically IMA and EVM provide the following functionality:
- measurement (hashing) of file content as it is accessed and keeping track of this information in an audit log.
- appraisal of files, which allows to prevent access when a measurement (hash) or digital signature does not match the expected value.
The options are not in the default Debian kernel, and IMA also has some overhead. So it would require a custom kernel.
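One way to check which of these options a given kernel was built with, as an added example that is not part of the original post. The function names are hypothetical, the option names are the upstream Kconfig symbols, and `/boot/config-$(uname -r)` is assumed to be where the distribution ships its kernel config.

```shell
#!/bin/sh
# Added example: report whether a kernel config enables LoadPin, IMA and EVM.
# Function names are hypothetical; the CONFIG_* names are upstream Kconfig symbols.

# kconfig_state FILE SYMBOL -> prints y, m, or n (n covers "is not set" and absent)
kconfig_state() {
    file=$1
    sym=$2
    case $file in
        *.gz) reader="gzip -dc" ;;   # e.g. /proc/config.gz
        *)    reader="cat" ;;
    esac
    # Anchor on "SYMBOL=" so CONFIG_IMA does not match CONFIG_IMA_APPRAISE.
    val=$($reader "$file" 2>/dev/null | sed -n "s/^${sym}=\([ym]\)\$/\1/p" | head -n 1)
    printf '%s\n' "${val:-n}"
}

# integrity_report FILE -> one "SYMBOL=state" line per option.
# Returns 0 if all are enabled, 1 if any is off, 2 if the file is unreadable.
integrity_report() {
    cfg=$1
    missing=0
    if [ ! -r "$cfg" ]; then
        echo "cannot read $cfg" >&2
        return 2
    fi
    for sym in CONFIG_SECURITY_LOADPIN CONFIG_IMA CONFIG_IMA_APPRAISE CONFIG_EVM; do
        state=$(kconfig_state "$cfg" "$sym")
        printf '%s=%s\n' "$sym" "$state"
        if [ "$state" = n ]; then
            missing=1
        fi
    done
    return "$missing"
}

# Stand-alone use: "sh script.sh --running" checks the running kernel's config
# (assumed path; some distributions only provide /proc/config.gz).
if [ "${1:-}" = "--running" ]; then
    integrity_report "/boot/config-$(uname -r)"
fi
```

A non-zero exit status means at least one of the four options is off in that config, which is the case where a custom kernel build would be needed.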