You could make use of the secure boot feature present in many computers, if the netbook does support it and the manufacturer hasn't locked it to Microsoft Boot Keys.
What you could do then, is clearing the Secure Boot key database, and then making your own signing key and installing in the BIOS as PK (Platform Key) and KEK (Key Exchange Key).
After this, you sign the /boot/ software on the USB with these keys.
This will not lock out any other USBes from booting your vomputer, so if someone manage to copy your USB key, they can use their own copy.
But they can't modify the boot software to for example leak the FDE key, log the password or insert exploits in your encrypted OS.