I don't know about you, but once I have a minimal working kernel or a coreboot fallback, I never really update them. So having no way to recover them without hardware intervention is fine. The kernel I may recompile, patch, etc. would be somewhere else.
The job of this minimal kernel and initrd would just be to kexec the other kernel, and let you recover coreboot if needed.
Having both of them write-protected is just fine, if the cmdline used for the kexec is read from another part of the SPI for when you have to add some kernel parameters.