> making sure even root cannot compromise the kernel
Shall root be able to modify the restore image, so that at least root can check that this modified image is not restored because the "boot time protections" work?
If not, how are you proposing to test things? Create a super-root?
How are you recovering the files in a totally broken system?
Better not to need root for any "user" thing; when you type the root password in an Xterm you know you will do very dangerous things.