Well yes, there are ways of doing that (encrypt all partitions, query for key in ubiboot, pass the authenticated token somehow neatly into the starting kernel's memory area...)