I am very interested in verified boot lately. For VMs:
Could be implemented using something similar to the idea in this very post: enable Linux kernel gpg verification in grub and/or enable Secure Boot by default - #15 by Patrick
In essence: initially boot from a read-only boot medium, do verification, and chainload (kexec) (boot) the regular disk if verification was OK.
Also described a bit in Are non-perfect Defenses that defeat off-the-shelf Viruses a worthwhile Development Goal?
For host: not sure yet. Perhaps using Secure Boot. Perhaps similar to above. Should be possible though because…
SilverBlue and ClearLinux do interesting things related to it. They call it stateless.
This blog describes it very well.
Once stateless, verified boot gets a lot simpler.
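A sketch of the verify-then-kexec stage described for VMs above, added as an illustration and not taken from the post or from any project it mentions. The manifest format, the directory layout and the `KEXEC` dry-run variable are assumptions made for this example; the hashes are trusted only because the manifest sits on the read-only medium.

```shell
#!/bin/sh
# Added example: verify stage run from the read-only boot medium.
# Assumptions (hypothetical): MANIFEST is stored on the read-only medium and
# holds one "<sha256 hex> <file name>" pair per line; the files it names live
# in BOOT_DIR on the writable regular disk.

# listed MANIFEST NAME: succeed if NAME has an entry in MANIFEST.
listed() {
    while read -r d n || [ -n "$d" ]; do
        [ "$n" = "$2" ] && return 0
    done < "$1"
    return 1
}

# verify_boot_files MANIFEST BOOT_DIR: succeed only if every entry matches.
verify_boot_files() {
    [ -s "$1" ] && [ -d "$2" ] || return 1     # no manifest: fail closed
    while read -r want name || [ -n "$want" ]; do
        case $name in ''|*/*) return 1 ;; esac # malformed line or path escape
        [ -f "$2/$name" ] || return 1
        got=$(sha256sum "$2/$name" | cut -d' ' -f1)
        [ "$got" = "$want" ] || return 1
    done < "$1"
    return 0
}

# boot_if_verified MANIFEST BOOT_DIR KERNEL INITRD CMDLINE
# CMDLINE comes from the read-only medium, never from the regular disk.
boot_if_verified() {
    # The files handed to kexec must themselves be covered by the manifest.
    listed "$1" "$3" && listed "$1" "$4" || return 1
    verify_boot_files "$1" "$2" || {
        echo "verification failed, refusing to boot regular disk" >&2
        return 1
    }
    # KEXEC=echo gives a dry run; the default loads and executes the kernel.
    ${KEXEC:-kexec} -l "$2/$3" --initrd="$2/$4" --append="$5" &&
        ${KEXEC:-kexec} -e
}
```

The verifier fails closed on a missing manifest, a malformed line, a file name containing `/`, or a kernel or initrd that the manifest does not cover.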