I'd have Secure Boot, and then one root for an user-modifiable regular Linux installation, and another root that is read-only, signed, custom kernel etc.