I agree that this seems like the best compromise: Have the bootloader load the squashfs (or whatever) to RAM, and then unmount and prompt you to remove the media before executing the kernel. In order to compromise that, you'd have to corrupt the process which creates the flash drive originally; if that's been achieved then it's game over regardless.
I agree that this seems like the best compromise: Have the bootloader load the squashfs (or whatever) to RAM, and then unmount and prompt you to remove the media before executing the kernel. In order to compromise that, you'd have to corrupt the process which creates the flash drive originally; if that's been achieved then it's game over regardless.