diff --git a/initrd/.ash_history b/initrd/.ash_history
index 99690053..d3dab524 100644
--- a/initrd/.ash_history
+++ b/initrd/.ash_history
@@ -1,3 +1,7 @@
+#mount /boot in read-only by default
+mount /boot
+#verify detached signature of /boot content
+find /boot/kexec*.txt | gpg --verify /boot/kexec.sig -
 #remove invalid kexec_* signed files
 mount /dev/sda1 /boot && mount -o remount,rw /boot && rm /boot/kexec* && mount -o remount,ro /boot
 #Generate keys from GPG smartcard: