As I have stated in another thread, I have a procedure that I am confident will work, but it will require significant development time to get kexec working.
The procedure would not be easy (if you think lafsploit is hard to do .. you haven't seen anything yet). Also, it would be a tethered root .. meaning you would need a PC every time your phone is powered off. If you just needed to restart the OS, that could be done without a PC, but a cold boot would need a PC to enter some commands via a shell.
If all of that sounds like something you are willing to deal with, then start a bounty thread and I will try to get an exact estimate on the amount of dev hours I would have to put into writing the code.
If you Google "kexec loading a kernel from a kernel" you will get an idea of the amount of work I would have to put in.
By using kexec, we would use a validated kernel (one that passes dm-verity) to load another kernel with dm-verity disabled. Since the first kernel already passed the checks .. the second kernel would be loaded without the full boot process, and therefore aboot wouldn't verify it.
EDIT: Oh yeah, you would also need an SD card in your phone with a partition to hold kexec, the kernels, and TWRP. You could use the rest of the SD card for the OS, and the partition wouldn't need to be very big .. but just throwing that out there.
-- Brian