Google started with verified booting right around Android KitKat, where the device-mapper-verity (dm-verity) kernel feature was doing things behind the scenes. In Marshmallow, verified boot started to move into the light, notifying users if their installation of Android had integrity or not. In Android Nougat, Google has announced that verified boot will be “strictly enforced” – this means that your device will not be allowed to boot if software has been compromised.
Verified boot happens this way – from your phone’s starts up process, the dm-verity kernel driver checks your system block by block against a signed hash to make sure there’s no corruption. Simply put, a phone running Nougat with errors in the system not matching to the hash — like if they have malware in the system or something that changed the system in any way — it won’t boot up. The user will be offered an option to boot into a limited functionality mode (like Windows’ “safe mode”).
In reality, Google says that devices having Android 7.0 out of the box will surely have this feature, but only the ones with locked bootloaders will have the strictly enforced mode on. Of course, this spells two things for users and aftermarket developers. Users will have that extra layer of security, but this will be a headache for developers of aftermarket software and third-party custom ROMs.
At this point, the possibilities are narrowing down. If you want to install a custom ROM or recovery, that would most likely still be possible on a device with an unlocked bootloader to begin with. There are some devices with locked bootloaders but can still be rooted in Android Lollipop and Marshmallow. This might not be possible anymore in Android Nougat. So we win some, we lose some.