Can't TPM be used for this? It could verify your /boot with keys external to the disk itself. I'm not sure if somebody has actually built a solution that uses it yet.
Sure it can, as can its evolution in the form of UEFI's Secure Boot. The problem is that everyone wants to label these as technologies to enable lock-in instead of technologies to provide a trusted boot chain to ensure your system isn't compromised.
It could (the same goes for Secure Boot, in some sense). But the three-letter agencies from whom you want to protect yourself here likely have backdoor keys</paranoia>.
https://en.wikipedia.org/wiki/Trusted_Platform_Module