Loading signed kernel modules

That approach would work equally well, insofar as root can replace the set of hashes as easily as the set of public keys. It doesn't work well if the vendor wants to supply out-of-tree modules since the kernel won't have the hashes of those modules, compared to just signing those modules with the appropriate vendor key. But for the most part it would work fine, and remove a pile of more complex crypto code from the kernel.