Secure Boot (or whatever it's called on each hardware platform) relies on trusted cryptographic keys to sign "the next step" in the boot chain, all the way back to the bootrom. This is how the higher-level SafetyNet attestations work on Android, and equivalent features on iOS, XBONE, etc.
There's no crypto, as far as I know, in all the binary blobs in the kernel, yet we still can't re-implement enough of them to even have a true Linux phone without reusing the manufacturer's kernel.