Users can generate key pairs themselves, once, and the public keys can be used to sign architectural enclaves post factum. Each enclave's cryptographic hash of the contents is only generated then.
This way, the users are only as secure as they want to be. The code would need to be signed using each one's public key, but we're talking about specialised software here.
Compare this to the de facto standard, where US corporations hold the private keys to everything hardware (off the top of my head, processor, UEFI) and everything software (SSL root keys, IP addresses, DNS).
We already have libpairip and Play Integrity on Android; let's not bring it over to desktop processors.