Standard Boot integration - script validation before execution

[Patryk]

Hi
I would like to integrate Standard Boot on our custom board based on
NXP LS1028a, as it currently uses a so-called distro boot.
Normally I would just follow the instructions in the doc about
converting from distro boot to standard boot, but things are in fact a
bit more complicated. My board supports dual rootfs following the A/B
update scheme, so I need a place where I can check the boot state,
boot counter and so on, so as to set the final rootfs partition to
pass to the kernel. That's actually not a problem - I can just use the
bootmeth script and put all the logic there. The problem is that on a
production system, the devics will be protected by the Secure Boot
procedure, so the script to be executed should also be verified before
the execution. In the current solution (distro boot), the boot
command, first loads the script, then calls esbc_validate over the
script header and if the validation passes it sources the script so
the OS can be loaded. In current bootmeth_script there is no place (or
I'm not aware of) that would allow me to do vendor-specific validation
over the script. What would you advise in this case? Is there any way
to "inject" some plugins into the existing boot methods, like  e.g. a
plugin that would be overriding or adding some functionalities to
existing bootmeth_script? I can of course patch the existing
bootmeth_script with a command that would perform the validation but
this would no longer be a generic boot method. Or perhaps should I
create my own boot method?

I would be grateful for any suggestion
Best regards
Patryk