Reliable kexec for nix-infect

(The question is general Linux, not NixOS-specific, but the use case is. Users of other Linuxes would say “we do not need that, and mark WONTFIX”)

You might known about nix-infect and nix-lustrate techniques. There are plenty of implementations of both, so I will not refer to particular implementations but the 2 techniques in general.

  1. nix-infect uses kexec to run NixOS’s kernel and initrd, where initrd has either installation script or ssh server which one could login, repartition/reencrypt disk and install full NixOS.
  2. nix-lustrate uses grub to install NixOS’s kernel and initrd and after reboot we get almost the same.
    Advantage of nix-infect is if something went wrong (absent device driver on initrd, wrong network setting), we won’t brick the server. We first getting working NixOS and then start changing data on disk.
    Advantage of nix-lustrate is we keep files from the previous OS and even can switch back to old OS.

For dealing with remote servers I prefer nix-infect as a “safer” choice, which won’t result in calling remote hands to reinstall.

The problem:
kexec works well when versions of old and new kernels are the same, or relatively close to each other.
But victim system might be CentOS with 3.0 or even 2.6 kernel.

The question:
is there a technique to allow kexec'ing such setups?
May be in multiple steps, upgrading kernel in small steps?
Or may be there is something relevant in rootkit/malware world?

No help to offer here, but a question: Does that „safety“ really make any difference if you have a remote management console (such as a BMC, or if you have a vServer), where you can just reinstall the vanilla OS your hosting service supports? Sounds kind of hard to brick a server these days. I happily use lustration.

There are many servers without BMC, and hosting service supports’s remote hands might be slow or costly.
Anyway, it requires custom approaches for each hosting (even if there are BMC, they are different, some require ISO image of vanilla OS being on Samba share open to Internet, and I still have maintain even that), while nix-infect approach is uniform and easily scalable and scrtiptable.