A bit of a tangent, but your worst case answer here is the culmination of all the secure boot and remote attestation concepts.
What would stop it is a combination of not being able to buy new hardware that will even boot the modified kernel, and not being able to get vintage hardware to connect to any public ISP etc. due to being unable to attest its validated boot chain information, signed by a required modern hardware OEM key.
So you would be stuck in some kind of underworld of vintage folks attempting mesh networking between themselves. Then, because of basic market forces/economics, there will be a dwindling amount of software that is able to run in such environments. It will become the esoteric realm of old-school hobbyists who don't need to run any commercial apps which require ABI/API features of the modern commercial OSs which require this boot chain of the modern commercial hardware, etc.
What would stop it is a combination of not being able to buy new hardware that will even boot the modified kernel, and not being able to get vintage hardware to connect to any public ISP etc. due to being unable to attest its validated boot chain information, signed by a required modern hardware OEM key.
So you would be stuck in some kind of underworld of vintage folks attempting mesh networking between themselves. Then, because of basic market forces/economics, there will be a dwindling amount of software that is able to run in such environments. It will become the esoteric realm of old-school hobbyists who don't need to run any commercial apps which require ABI/API features of the modern commercial OSs which require this boot chain of the modern commercial hardware, etc.