They could conceivably just restrict it to certain kernels and checksum stuff couldn’t they? Like restrict it to the last three Ubuntu LTS releases and the last N updates of the mainline kernel?
What I don’t know about this is a lot, so I will admit I am speaking out of my ass here.
Sure, but those specific kernels would require some sort of verification method to make sure they are actually the kernel it says it is (and not a modified version pretending to not be modified) which would require code signing by a trusted third pasty, use of Trusted Platform Modules, and restrictions on what modifications a user can make to their kernel.
All of these things are pretty much non-starters for Linux users. You might as well just use windows if you are going to go that route.
What I don’t know about this is a lot, so I will admit I am speaking out of my ass here.