The kernel already includes facilities for signing modules, if you are looking for a way to sign and verify things, it seems like it would make sense to adapt that to sign the entire image.